Eric Lee / smarc-fsl-linux-kernel

10 Sep, 2016

1 commit

11 May, 2015

1 commit

03 Mar, 2015

1 commit

  • 1b7841404   net: Remove iocb argument from sendmsg and recvmsg ... Browse Code »

    After TIPC doesn't depend on iocb argument in its internal
    implementations of sendmsg() and recvmsg() hooks defined in proto
    structure, no any user is using iocb argument in them at all now.
    Then we can drop the redundant iocb argument completely from kinds of
    implementations of both sendmsg() and recvmsg() in the entire
    networking stack.

    Cc: Christoph Hellwig
    Suggested-by: Al Viro
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller

    Ying Xue
     

24 Nov, 2014

1 commit

06 Nov, 2014

1 commit

  • 51f3d02b9   net: Add and use skb_copy_datagram_msg() helper. ... Browse Code »

    This encapsulates all of the skb_copy_datagram_iovec() callers
    with call argument signature "skb, offset, msghdr->msg_iov, length".

    When we move to iov_iters in the networking, the iov_iter object will
    sit in the msghdr.

    Having a helper like this means there will be less places to touch
    during that transformation.

    Based upon descriptions and patch from Al Viro.

    Signed-off-by: David S. Miller

    David S. Miller
     

12 Apr, 2014

1 commit

  • 676d23690   net: Fix use after free by removing length arg from sk_data_ready callbacks. ... Browse Code »

    Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->s_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about it's
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
     

19 Jan, 2014

1 commit

  • 342dfc306   net: add build-time checks for msg->msg_name size ... Browse Code »

    This is a follow-up patch to f3d3342602f8bc ("net: rework recvmsg
    handler msg_name and msg_namelen logic").

    DECLARE_SOCKADDR validates that the structure we use for writing the
    name information to is not larger than the buffer which is reserved
    for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
    consistently in sendmsg code paths.

    Signed-off-by: Steffen Hurrle
    Suggested-by: Hannes Frederic Sowa
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Steffen Hurrle
     

10 Dec, 2013

1 commit

21 Nov, 2013

1 commit

02 Jul, 2013

1 commit

  • 4ccb93ce7   x25: Fix broken locking in ioctl error paths. ... Browse Code »

    Two of the x25 ioctl cases have error paths that break out of the function without
    unlocking the socket, leading to this warning:

    ================================================
    [ BUG: lock held when returning to user space! ]
    3.10.0-rc7+ #36 Not tainted
    ------------------------------------------------
    trinity-child2/31407 is leaving the kernel with locks still held!
    1 lock held by trinity-child2/31407:
    #0: (sk_lock-AF_X25){+.+.+.}, at: [] x25_ioctl+0x8a/0x740 [x25]

    Signed-off-by: Dave Jones
    Signed-off-by: David S. Miller

    Dave Jones
     

29 May, 2013

1 commit

  • 351638e7d   net: pass info struct via netdevice notifier ... Browse Code »

    So far, only net_device * could be passed along with netdevice notifier
    event. This patch provides a possibility to pass custom structure
    able to provide info that event listener needs to know.

    Signed-off-by: Jiri Pirko

    v2->v3: fix typo on simeth
    shortened dev_getter
    shortened notifier_info struct name
    v1->v2: fix notifier_call parameter in call_netdevice_notifier()
    Signed-off-by: David S. Miller

    Jiri Pirko
     

28 Feb, 2013

1 commit

  • b67bfe0d4   hlist: drop the node parameter from iterators ... Browse Code »

    I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    they don't really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small amount of places were using the 'node' parameter, this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foudnation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

17 Dec, 2011

1 commit

02 Nov, 2011

1 commit

  • 501e89d3a   x25: Fix NULL dereference in x25_recvmsg ... Browse Code »

    commit cb101ed2 in 3.0 introduced a bug in x25_recvmsg()
    When passed bogus junk from userspace, x25->neighbour can be NULL,
    as shown in this oops..

    BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
    IP: [] x25_recvmsg+0x4d/0x280 [x25]
    PGD 1015f3067 PUD 105072067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU 0
    Pid: 27928, comm: iknowthis Not tainted 3.1.0+ #2 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
    RIP: 0010:[] [] x25_recvmsg+0x4d/0x280 [x25]
    RSP: 0018:ffff88010c0b7cc8 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff88010c0b7d78 RCX: 0000000000000c02
    RDX: ffff88010c0b7d78 RSI: ffff88011c93dc00 RDI: ffff880103f667b0
    RBP: ffff88010c0b7d18 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff880103f667b0
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS: 00007f479ce7f700(0000) GS:ffff88012a600000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 000000000000001c CR3: 000000010529e000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process iknowthis (pid: 27928, threadinfo ffff88010c0b6000, task ffff880103faa4f0)
    Stack:
    0000000000000c02 0000000000000c02 ffff88010c0b7d18 ffffff958153cb37
    ffffffff8153cb60 0000000000000c02 ffff88011c93dc00 0000000000000000
    0000000000000c02 ffff88010c0b7e10 ffff88010c0b7de8 ffffffff815372c2
    Call Trace:
    [] ? sock_update_classid+0xb0/0x180
    [] sock_aio_read.part.10+0x142/0x150
    [] ? inode_has_perm+0x62/0xa0
    [] sock_aio_read+0x2d/0x40
    [] do_sync_read+0xd2/0x110
    [] ? security_file_permission+0x96/0xb0
    [] ? rw_verify_area+0x61/0x100
    [] vfs_read+0x16d/0x180
    [] sys_read+0x4d/0x90
    [] system_call_fastpath+0x16/0x1b
    Code: 8b 66 20 4c 8b 32 48 89 d3 48 89 4d b8 45 89 c7 c7 45 cc 95 ff ff ff 4d 85 e4 0f 84 ed 01 00 00 49 8b 84 24 18 05 00 00 4c 89 e7
    78 1c 01 45 19 ed 31 f6 e8 d5 37 ff e0 41 0f b6 44 24 0e 41

    Signed-off-by: Dave Jones
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Dave Jones
     

18 Oct, 2011

3 commits

  • 7f81e25be   x25: Prevent skb overreads when checking call user data ... Browse Code »
    1

    x25_find_listener does not check that the amount of call user data given
    in the skb is big enough in per-socket comparisons, hence buffer
    overreads may occur. Fix this by adding a check.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • cb101ed2c   x25: Handle undersized/fragmented skbs ... Browse Code »

    There are multiple locations in the X.25 packet layer where a skb is
    assumed to be of at least a certain size and that all its data is
    currently available at skb->data. These assumptions are not checked,
    hence buffer overreads may occur. Use pskb_may_pull to check these
    minimal size assumptions and ensure that data is available at skb->data
    when necessary, as well as use skb_copy_bits where needed.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • c7fd0d48b   x25: Validate incoming call user data lengths ... Browse Code »

    X.25 call user data is being copied in its entirety from incoming messages
    without consideration to the size of the destination buffers, leading to
    possible buffer overflows. Validate incoming call user data lengths before
    these copies are performed.

    It appears this issue was noticed some time ago, however nothing seemed to
    come of it: see http://www.spinics.net/lists/linux-x25/msg00043.html and
    commit 8db09f26f912f7c90c764806e804b558da520d4f.

    Signed-off-by: Matthew Daley
    Acked-by: Eric Dumazet
    Tested-by: Andrew Hendry
    Cc: stable
    Signed-off-by: David S. Miller

    Matthew Daley
     

02 Jul, 2011

1 commit

05 Mar, 2011

1 commit

  • 77b228360   x25: remove the BKL ... Browse Code »

    This replaces all instances of lock_kernel in x25
    with lock_sock, taking care to release the socket
    lock around sleeping functions (sock_alloc_send_skb
    and skb_recv_datagram). It is not clear whether
    this is a correct solution, but it seem to be what
    other protocols do in the same situation.

    Includes a fix suggested by Eric Dumazet.

    Signed-off-by: Arnd Bergmann
    Acked-by: David S. Miller
    Tested-by: Andrew Hendry
    Cc: linux-x25@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: Eric Dumazet

    Arnd Bergmann
     

29 Nov, 2010

5 commits

20 Nov, 2010

4 commits

23 Sep, 2010

2 commits

15 Sep, 2010

4 commits

18 May, 2010

4 commits

28 Apr, 2010

1 commit

22 Apr, 2010

1 commit

  • 2cec6b014   X25 fix dead unaccepted sockets ... Browse Code »

    1, An X25 program binds and listens
    2, calls arrive waiting to be accepted
    3, Program exits without accepting
    4, Sockets time out but don't get correctly cleaned up
    5, cat /proc/net/x25/socket shows the dead sockets with bad inode fields.

    This line borrowed from AX25 sets the dying socket so the timers clean up later.

    Signed-off-by: Andrew Hendry
    Signed-off-by: David S. Miller

    andrew hendry