17 Dec, 2011

1 commit


02 Nov, 2011

1 commit

  • commit cb101ed2 in 3.0 introduced a bug in x25_recvmsg()
    When passed bogus junk from userspace, x25->neighbour can be NULL,
    as shown in this oops:

    BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
    IP: [] x25_recvmsg+0x4d/0x280 [x25]
    PGD 1015f3067 PUD 105072067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU 0
    Pid: 27928, comm: iknowthis Not tainted 3.1.0+ #2 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
    RIP: 0010:[] [] x25_recvmsg+0x4d/0x280 [x25]
    Process iknowthis (pid: 27928, threadinfo ffff88010c0b6000, task ffff880103faa4f0)
    Call Trace:
    [] ? sock_update_classid+0xb0/0x180
    [] sock_aio_read.part.10+0x142/0x150
    [] ? inode_has_perm+0x62/0xa0
    [] sock_aio_read+0x2d/0x40
    [] do_sync_read+0xd2/0x110
    [] ? security_file_permission+0x96/0xb0
    [] ? rw_verify_area+0x61/0x100
    [] vfs_read+0x16d/0x180
    [] sys_read+0x4d/0x90
    [] system_call_fastpath+0x16/0x1b

    Signed-off-by: Dave Jones
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Dave Jones
     

18 Oct, 2011

3 commits

  • x25_find_listener does not check that the amount of call user data given
    in the skb is big enough in per-socket comparisons, hence buffer
    overreads may occur. Fix this by adding a check.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • There are multiple locations in the X.25 packet layer where a skb is
    assumed to be of at least a certain size and that all its data is
    currently available at skb->data. These assumptions are not checked,
    hence buffer overreads may occur. Use pskb_may_pull to check these
    minimal size assumptions and ensure that data is available at skb->data
    when necessary, as well as use skb_copy_bits where needed.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • X.25 call user data is being copied in its entirety from incoming messages
    without consideration to the size of the destination buffers, leading to
    possible buffer overflows. Validate incoming call user data lengths before
    these copies are performed.

    It appears this issue was noticed some time ago, however nothing seemed to
    come of it: see http://www.spinics.net/lists/linux-x25/msg00043.html and
    commit 8db09f26f912f7c90c764806e804b558da520d4f.

    Signed-off-by: Matthew Daley
    Acked-by: Eric Dumazet
    Tested-by: Andrew Hendry
    Cc: stable
    Signed-off-by: David S. Miller

    Matthew Daley
     

02 Jul, 2011

1 commit


05 Mar, 2011

1 commit

  • This replaces all instances of lock_kernel in x25
    with lock_sock, taking care to release the socket
    lock around sleeping functions (sock_alloc_send_skb
    and skb_recv_datagram). It is not clear whether
    this is a correct solution, but it seems to be what
    other protocols do in the same situation.

    Includes a fix suggested by Eric Dumazet.

    Signed-off-by: Arnd Bergmann
    Acked-by: David S. Miller
    Tested-by: Andrew Hendry
    Cc: linux-x25@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: Eric Dumazet

    Arnd Bergmann
     

29 Nov, 2010

5 commits


20 Nov, 2010

4 commits


23 Sep, 2010

2 commits


15 Sep, 2010

4 commits


18 May, 2010

4 commits


28 Apr, 2010

1 commit


22 Apr, 2010

1 commit

  • 1, An X25 program binds and listens
    2, calls arrive waiting to be accepted
    3, Program exits without accepting
    4, Sockets time out but don't get correctly cleaned up
    5, cat /proc/net/x25/socket shows the dead sockets with bad inode fields.

    This line borrowed from AX25 sets the dying socket so the timers clean up later.

    Signed-off-by: Andrew Hendry
    Signed-off-by: David S. Miller

    andrew hendry
     

21 Apr, 2010

1 commit

  • Define a new function to return the waitqueue of a "struct sock".

    static inline wait_queue_head_t *sk_sleep(struct sock *sk)
    {
            return sk->sk_sleep;
    }

    Change all read occurrences of sk_sleep by a call to this function.

    Needed for a future RCU conversion. sk_sleep won't be a field directly
    available.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

11 Apr, 2010

1 commit


08 Apr, 2010

2 commits

  • The current X.25 code has some bugs in throughput negotiation:

    1. It does negotiation in all cases, usually there is no need
    2. It incorrectly attempts to negotiate the throughput class in one
    direction only. There are separate throughput classes for input
    and output and if either is negotiated both must be negotiated.

    This is bug https://bugzilla.kernel.org/show_bug.cgi?id=15681

    This bug was first reported by Daniel Ferenci to the linux-x25 mailing
    list on 6/8/2004, but is still present.

    The current (2.6.34) x.25 code doesn't seem to know that the X.25
    throughput facility includes two values, one for the required
    throughput outbound, one for inbound.

    This causes it to attempt to negotiate throughput 0x0A, which is
    throughput 9600 inbound and the illegal value "0" for inbound
    throughput.

    Because of this some X.25 devices (e.g. Cisco 1600) refuse to connect
    to Linux X.25.

    The following patch fixes this behaviour. Unless the user specifies a
    required throughput it does not attempt to negotiate. If the user
    does not specify a throughput it accepts the suggestion of the remote
    X.25 system. If the user requests a throughput then it validates both
    the input and output throughputs and correctly negotiates them with
    the remote end.

    Signed-off-by: John Hughes
    Tested-by: Andrew Hendry
    Signed-off-by: David S. Miller

    John Hughes
     
  • Here is a patch to stop X.25 examining fields beyond the end of the packet.

    For example, when a simple CALL ACCEPTED was received:

    10 10 0f

    x25_parse_facilities was attempting to decode the FACILITIES field, but this
    packet contains no facilities field.

    Signed-off-by: John Hughes
    Signed-off-by: David S. Miller

    John Hughes
     
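The length checks the three Matthew Daley commits and the CALL ACCEPTED fix above describe, collected into one bounds-checked parser for the variable-length fields of a CALL REQUEST / CALL ACCEPTED body. This is an added userland example, not the kernel's x25_parse_facilities or x25_rx_call_request; it assumes the 3-byte packet header, the BCD address block, the facility-code size encoding (top two bits of the code) and Linux's 128-byte X25_MAX_CUD_LEN, and every packet in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define X25_MAX_CUD_LEN 128     /* call user data limit used by Linux X.25 */
#define X25_FAC_THROUGHPUT 0x02 /* throughput class facility: one parameter byte */
struct x25_call {
    size_t fac_len, cud_len;
    uint8_t cud[X25_MAX_CUD_LEN];
    int throughput;             /* raw throughput parameter byte, -1 if absent */
};
/* Top two bits of a facility code give its parameter size: 0/1/2 = 1/2/3 bytes, 3 = length byte follows. */
static int x25_walk_facilities(const uint8_t *p, size_t n, struct x25_call *out)
{
    size_t i = 0, plen;
    while (i < n) {
        uint8_t code = p[i];
        if ((code >> 6) == 3) {
            if (i + 1 >= n) return -1;          /* the length byte itself is missing */
            plen = 1 + p[i + 1];
        } else plen = (code >> 6) + 1;
        if (i + 1 + plen > n) return -1;        /* parameter bytes run past the field */
        if (code == X25_FAC_THROUGHPUT) out->throughput = p[i + 1];
        i += 1 + plen;
    }
    return 0;
}
/* Parse a CALL REQUEST / CALL ACCEPTED body; -1 if any field would be read past len. */
int x25_parse_call(const uint8_t *pkt, size_t len, struct x25_call *out)
{
    size_t pos = 3, fac_len;
    memset(out, 0, sizeof *out);
    out->throughput = -1;
    if (len < 3) return -1;                     /* GFI/LCGN, LCN, packet type */
    if (len == pos) return 0;                   /* bare CALL ACCEPTED, e.g. 10 10 0f */
    pos += 1 + ((pkt[3] >> 4) + (pkt[3] & 0x0f) + 1) / 2;  /* BCD address digits, two per byte */
    if (pos > len) return -1;                   /* address block truncated */
    if (pos == len) return 0;                   /* no facilities field, no CUD */
    fac_len = pkt[pos++];
    if (fac_len > len - pos) return -1;         /* facilities field truncated */
    if (x25_walk_facilities(pkt + pos, fac_len, out)) return -1;
    out->fac_len = fac_len;
    pos += fac_len;
    out->cud_len = len - pos;
    if (out->cud_len > X25_MAX_CUD_LEN) return -1;  /* CUD would overflow its destination */
    memcpy(out->cud, pkt + pos, out->cud_len);
    return 0;
}
/* Both throughput nibbles must be non-zero; 0 is the illegal value the throughput commit describes. */
int x25_throughput_valid(int t) { return t >= 0 && (t >> 4) != 0 && (t & 0x0f) != 0; }
```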

30 Mar, 2010

1 commit

  • …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities to include those
    headers directly instead of assuming availability. As this conversion
    needs to touch a large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the following.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and tries to put the new include such that its order conforms
    to its surroundings. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    widely available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build tests were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

16 Feb, 2010

2 commits


29 Nov, 2009

2 commits


26 Nov, 2009

1 commit

  • Generated with the following semantic patch

    @@
    struct net *n1;
    struct net *n2;
    @@
    - n1 == n2
    + net_eq(n1, n2)

    @@
    struct net *n1;
    struct net *n2;
    @@
    - n1 != n2
    + !net_eq(n1, n2)

    applied over {include,net,drivers/net}.

    Signed-off-by: Octavian Purdila
    Signed-off-by: David S. Miller

    Octavian Purdila
     

19 Nov, 2009

1 commit


07 Nov, 2009

1 commit

  • The x25 driver uses lock_kernel() implicitly through
    its proto_ops wrapper. This makes the usage explicit
    in order to get rid of that wrapper and to better document
    the usage of the BKL.

    The next step should be to get rid of the usage of the BKL
    in x25 entirely, which requires understanding what data
    structures need serialized accesses.

    Cc: Henner Eisen
    Cc: David S. Miller
    Cc: linux-x25@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Signed-off-by: Arnd Bergmann
    Signed-off-by: David S. Miller

    Arnd Bergmann