1. 13 Nov, 2014 25 commits
    • Dan Williams's avatar
      USB: option: add Haier CE81B CDMA modem · d1440093
      Dan Williams authored
      commit 012eee15 upstream.
      
      Port layout:
      
      0: QCDM/DIAG
      1: NMEA
      2: AT
      3: AT/PPP
      Signed-off-by: default avatarDan Williams <dcbw@redhat.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d1440093
    • Daniele Palmas's avatar
      usb: option: add support for Telit LE910 · 3851b0d5
      Daniele Palmas authored
      commit 2d0eb862 upstream.
      
      Add VID/PID for Telit LE910 modem. Interfaces description is almost the
      same than LE920, except that the qmi interface is number 2 (instead than
      5).
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3851b0d5
    • Frans Klaver's avatar
      usb: serial: ftdi_sio: add Awinda Station and Dongle products · c6cfafe5
      Frans Klaver authored
      commit edd74ffa upstream.
      
      Add new IDs for the Xsens Awinda Station and Awinda Dongle.
      
      While at it, order the definitions by PID and add a logical separation
      between devices using Xsens' VID and those using FTDI's VID.
      Signed-off-by: default avatarFrans Klaver <frans.klaver@xsens.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c6cfafe5
    • Nathaniel Ting's avatar
      USB: serial: cp210x: add Silicon Labs 358x VID and PID · 48d4bf3b
      Nathaniel Ting authored
      commit 35cc83ea upstream.
      
      Enable Silicon Labs Ember VID chips to enumerate with the cp210x usb serial
      driver. EM358x devices operating with the Ember Z-Net 5.1.2 stack may now
      connect to host PCs over a USB serial link.
      Signed-off-by: default avatarNathaniel Ting <nathaniel.ting@silabs.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      48d4bf3b
    • Jan Kara's avatar
      quota: Properly return errors from dquot_writeback_dquots() · 8d8926d3
      Jan Kara authored
      commit 474d2605 upstream.
      
      Due to a switched left and right side of an assignment,
      dquot_writeback_dquots() never returned error. This could result in
      errors during quota writeback to not be reported to userspace properly.
      Fix it.
      
      Coverity-id: 1226884
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8d8926d3
    • Jan Kara's avatar
      ext3: Don't check quota format when there are no quota files · 8cad7b8f
      Jan Kara authored
      commit 7938db44 upstream.
      
      The check whether quota format is set even though there are no
      quota files with journalled quota is pointless and it actually
      makes it impossible to turn off journalled quotas (as there's
      no way to unset journalled quota format). Just remove the check.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8cad7b8f
    • Ben Hutchings's avatar
      mtd: m25p80,spi-nor: Fix module aliases for m25p80 · ff87cb9d
      Ben Hutchings authored
      commit a5b7616c upstream.
      
      m25p80's device ID table is now spi_nor_ids, defined in spi-nor.  The
      MODULE_DEVICE_TABLE() macro doesn't work with extern definitions, but
      its use was also removed at the same time.  Now if m25p80 is built as
      a module it doesn't get the necessary aliases to be loaded
      automatically.
      
      A clean solution to this will involve defining the list of device
      IDs in spi-nor.h and removing struct spi_device_id from the spi-nor
      API, but this is quite a large change.
      
      As a quick fix suitable for stable, copy the device IDs back into
      m25p80.
      
      Fixes: 03e296f6 ("mtd: m25p80: use the SPI nor framework")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ff87cb9d
    • Ben Hutchings's avatar
      mtd: spi-nor: make spi_nor_scan() take a chip type name, not spi_device_id · 5a8f0310
      Ben Hutchings authored
      commit 70f3ce05 upstream.
      
      Drivers currently call spi_nor_match_id() and then spi_nor_scan().
      This adds a dependency on struct spi_device_id which we want to
      avoid.  Make spi_nor_scan() do it for them.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5a8f0310
    • Rafał Miłecki's avatar
      mtd: m25p80: get rid of spi_get_device_id · 7692c02e
      Rafał Miłecki authored
      commit 90e55b38 upstream.
      
      This simplifies the way we use spi_nor framework and will allow us to
      drop spi_nor_match_id.
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7692c02e
    • Rafał Miłecki's avatar
      mtd: move support for struct flash_platform_data into m25p80 · cdd8ac40
      Rafał Miłecki authored
      commit 32f1b7c8 upstream.
      
      This "type" seems to be an extra hint for m25p80 about the flash. Some
      archs register flash_platform_data with "name" set to "m25p80" and then
      with a real flash name set in "type". It seems to be a trick specific
      to the m25p80 so let's move it out of spi-nor.
      Btw switch to the spi_nor_match_id instead of iterating spi_nor_ids.
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cdd8ac40
    • J. Bruce Fields's avatar
      nfsd4: fix response size estimation for OP_SEQUENCE · d1967de2
      J. Bruce Fields authored
      commit d1d84c96 upstream.
      
      We added this new estimator function but forgot to hook it up.  The
      effect is that NFSv4.1 (and greater) won't do zero-copy reads.
      
      The estimate was also wrong by 8 bytes.
      
      Fixes: ccae70a9 "nfsd4: estimate sequence response size"
      Reported-by: default avatarChuck Lever <chucklever@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d1967de2
    • Felipe Balbi's avatar
      usb: gadget: function: acm: make f_acm pass USB20CV Chapter9 · c06eb647
      Felipe Balbi authored
      commit 52ec49a5 upstream.
      
      During Halt Endpoint Test, our interrupt endpoint
      will be disabled, which will clear out ep->desc
      to NULL. Unless we call config_ep_by_speed() again,
      we will not be able to enable this endpoint which
      will make us fail that test.
      
      Fixes: f9c56cdd (usb: gadget: Clear usb_endpoint_descriptor
      	inside the struct usb_ep on disable)
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c06eb647
    • Felipe Balbi's avatar
      usb: dwc3: gadget: fix set_halt() bug with pending transfers · 923b0ef5
      Felipe Balbi authored
      commit 7a608559 upstream.
      
      According to our Gadget Framework API documentation,
      ->set_halt() *must* return -EAGAIN if we have pending
      transfers (on either direction) or FIFO isn't empty (on
      TX endpoints).
      
      Fix this bug so that the mass storage gadget can be used
      without stall=0 parameter.
      
      This patch should be backported to all kernels since v3.2.
      Suggested-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [ kamal: backport to 3.13-stable: omitted ep_set_wedge() change ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      923b0ef5
    • Ian Abbott's avatar
      staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl · 364c5ea5
      Ian Abbott authored
      commit 6cab7a37 upstream.
      
      `do_cmd_ioctl()`, the handler for the `COMEDI_CMD` ioctl can incorrectly
      call the Comedi subdevice's `do_cmd()` handler with a NULL channel list
      pointer.  This is a regression as the `do_cmd()` handler has never been
      expected to deal with that, leading to a kernel OOPS when it tries to
      dereference it.
      
      A NULL channel list pointer is allowed for the `COMEDI_CMDTEST` ioctl,
      handled by `do_cmdtest_ioctl()` and the subdevice's `do_cmdtest()`
      handler, but not for the `COMEDI_CMD` ioctl and its handlers.
      
      Both `do_cmd_ioctl()` and `do_cmdtest_ioctl()` call
      `__comedi_get_user_chanlist()` to copy the channel list from user memory
      into dynamically allocated kernel memory and check it for consistency.
      That function currently returns 0 if the `user_chanlist` parameter
      (pointing to the channel list in user memory) is NULL.  That's fine for
      `do_cmdtest_ioctl()`, but `do_cmd_ioctl()` incorrectly assumes the
      kernel copy of the channel list has been set-up correctly.
      
      Fix it by not allowing the `user_chanlist` parameter to be NULL in
      `__comedi_get_user_chanlist()`, and only calling it from
      `do_cmdtest_ioctl()` if the parameter is non-NULL.
      
      Thanks to Bernd Porr for reporting the bug via an initial patch sent
      privately.
      
      Fixes: c6cd0eef ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()")
      Reported-by: default avatarBernd Porr <mail@berndporr.me.uk>
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Cc: Bernd Porr <mail@berndporr.me.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      364c5ea5
    • Liam Girdwood's avatar
      ASoC: Intel: HSW/BDW only support S16 and S24 formats. · 3f6ef7f5
      Liam Girdwood authored
      commit 2ccf3bd4 upstream.
      
      Fix driver with correct formats.
      Signed-off-by: default avatarLiam Girdwood <liam.r.girdwood@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3f6ef7f5
    • Karl Beldan's avatar
      mac80211: fix typo in starting baserate for rts_cts_rate_idx · c1d5fa2d
      Karl Beldan authored
      commit c7abf25a upstream.
      
      It affects non-(V)HT rates and can lead to selecting an rts_cts rate
      that is not a basic rate or way superior to the reference rate (ATM
      rates[0] used for the 1st attempt of the protected frame data).
      
      E.g, assuming drivers register growing (bitrate) sorted tables of
      ieee80211_rate-s, having :
      - rates[0].idx == d'2 and basic_rates == b'10100
      will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise
      - rates[0].idx == d'2 and basic_rates == b'10001
      will select rts_cts idx b'10000
      The first is not a basic rate and the second is > rates[0].
      
      Also, wrt severity of the addressed misbehavior, ATM we only have one
      rts_cts_rate_idx rather than one per rate table entry, so this idx might
      still point to bitrates > rates[1..MAX_RATES].
      
      Fixes: 5253ffb8 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates")
      Signed-off-by: default avatarKarl Beldan <karl.beldan@rivierawaves.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c1d5fa2d
    • Ray Jui's avatar
      spi: pl022: Fix incorrect dma_unmap_sg · 2338c76a
      Ray Jui authored
      commit 3ffa6158 upstream.
      
      When mapped RX DMA entries are unmapped in an error condition when DMA
      is firstly configured in the driver, the number of TX DMA entries was
      passed in, which is incorrect
      Signed-off-by: default avatarRay Jui <rjui@broadcom.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2338c76a
    • Fabio Estevam's avatar
      iio: adc: mxs-lradc: Disable the clock on probe failure · 34a01d86
      Fabio Estevam authored
      commit 75d7ed3b upstream.
      
      We should disable lradc->clk in the case of errors in the probe function.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Reviewed-by: default avatarMarek Vasut <marex@denx.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      34a01d86
    • Robin van der Gracht's avatar
      iio: st_sensors: Fix buffer copy · 138d2d88
      Robin van der Gracht authored
      commit 4250c90b upstream.
      
      Use byte_for_channel as iterator to properly initialize the buffer.
      Signed-off-by: default avatarRobin van der Gracht <robin@protonic.nl>
      Acked-by: default avatarDenis Ciocca <denis.ciocca@st.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      138d2d88
    • Lars-Peter Clausen's avatar
      staging:iio:ad5933: Drop "raw" from channel names · f0903fbf
      Lars-Peter Clausen authored
      commit 6822ee34 upstream.
      
      "raw" is the name of a channel property, but should not be part of the
      channel name itself.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f0903fbf
    • Lars-Peter Clausen's avatar
      staging:iio:ad5933: Fix NULL pointer deref when enabling buffer · e72b6917
      Lars-Peter Clausen authored
      commit 824269c5 upstream.
      
      In older versions of the IIO framework it was possible to pass a
      completely different set of channels to iio_buffer_register() as the one
      that is assigned to the IIO device. Commit 959d2952 ("staging:iio: make
      iio_sw_buffer_preenable much more general.") introduced a restriction that
      requires that the set of channels that is passed to iio_buffer_register() is
      a subset of the channels assigned to the IIO device as the IIO core will use
      the list of channels that is assigned to the device to lookup a channel by
      scan index in iio_compute_scan_bytes(). If it can not find the channel the
      function will crash. This patch fixes the issue by making sure that the same
      set of channels is assigned to the IIO device and passed to
      iio_buffer_register().
      
      Fixes the follow NULL pointer derefernce kernel crash:
      	Unable to handle kernel NULL pointer dereference at virtual address 00000016
      	pgd = d53d0000
      	[00000016] *pgd=1534e831, *pte=00000000, *ppte=00000000
      	Internal error: Oops: 17 [#1] PREEMPT SMP ARM
      	Modules linked in:
      	CPU: 1 PID: 1626 Comm: bash Not tainted 3.15.0-19969-g2a180eb-dirty #9545
      	task: d6c124c0 ti: d539a000 task.ti: d539a000
      	PC is at iio_compute_scan_bytes+0x34/0xa8
      	LR is at iio_compute_scan_bytes+0x34/0xa8
      	pc : [<c03052e4>]    lr : [<c03052e4>]    psr: 60070013
      	sp : d539beb8  ip : 00000001  fp : 00000000
      	r10: 00000002  r9 : 00000000  r8 : 00000001
      	r7 : 00000000  r6 : d6dc8800  r5 : d7571000  r4 : 00000002
      	r3 : d7571000  r2 : 00000044  r1 : 00000001  r0 : 00000000
      	Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      	Control: 18c5387d  Table: 153d004a  DAC: 00000015
      	Process bash (pid: 1626, stack limit = 0xd539a240)
      	Stack: (0xd539beb8 to 0xd539c000)
      	bea0:                                                       c02fc0e4 d7571000
      	bec0: d76c1640 d6dc8800 d757117c 00000000 d757112c c0305b04 d76c1690 d76c1640
      	bee0: d7571188 00000002 00000000 d7571000 d539a000 00000000 000dd1c8 c0305d54
      	bf00: d7571010 0160b868 00000002 c69d3900 d7573278 d7573308 c69d3900 c01ece90
      	bf20: 00000002 c0103fac c0103f6c d539bf88 00000002 c69d3b00 c69d3b0c c0103468
      	bf40: 00000000 00000000 d7694a00 00000002 000af408 d539bf88 c000dd84 c00b2f94
      	bf60: d7694a00 000af408 00000002 d7694a00 d7694a00 00000002 000af408 c000dd84
      	bf80: 00000000 c00b32d0 00000000 00000000 00000002 b6f1aa78 00000002 000af408
      	bfa0: 00000004 c000dc00 b6f1aa78 00000002 00000001 000af408 00000002 00000000
      	bfc0: b6f1aa78 00000002 000af408 00000004 be806a4c 000a6094 00000000 000dd1c8
      	bfe0: 00000000 be8069cc b6e8ab77 b6ec125c 40070010 00000001 22940489 154a5007
      	[<c03052e4>] (iio_compute_scan_bytes) from [<c0305b04>] (__iio_update_buffers+0x248/0x438)
      	[<c0305b04>] (__iio_update_buffers) from [<c0305d54>] (iio_buffer_store_enable+0x60/0x7c)
      	[<c0305d54>] (iio_buffer_store_enable) from [<c01ece90>] (dev_attr_store+0x18/0x24)
      	[<c01ece90>] (dev_attr_store) from [<c0103fac>] (sysfs_kf_write+0x40/0x4c)
      	[<c0103fac>] (sysfs_kf_write) from [<c0103468>] (kernfs_fop_write+0x110/0x154)
      	[<c0103468>] (kernfs_fop_write) from [<c00b2f94>] (vfs_write+0xd0/0x160)
      	[<c00b2f94>] (vfs_write) from [<c00b32d0>] (SyS_write+0x40/0x78)
      	[<c00b32d0>] (SyS_write) from [<c000dc00>] (ret_fast_syscall+0x0/0x30)
      	Code: ea00000e e1a01008 e1a00005 ebfff6fc (e5d0a016)
      
      Fixes: 959d2952 ("staging:iio: make iio_sw_buffer_preenable much more general.")
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e72b6917
    • Daniel Borkmann's avatar
      net: sctp: fix remote memory pressure from excessive queueing · 565d3c2b
      Daniel Borkmann authored
      commit 26b87c78 upstream.
      
      This scenario is not limited to ASCONF, just taken as one
      example triggering the issue. When receiving ASCONF probes
      in the form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
        [...]
        ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
      
      ... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
      ASCONFs and have increasing serial numbers, we process such
      ASCONF chunk(s) marked with !end_of_packet and !singleton,
      since we have not yet reached the SCTP packet end. SCTP does
      only do verification on a chunk by chunk basis, as an SCTP
      packet is nothing more than just a container of a stream of
      chunks which it eats up one by one.
      
      We could run into the case that we receive a packet with a
      malformed tail, above marked as trailing JUNK. All previous
      chunks are here goodformed, so the stack will eat up all
      previous chunks up to this point. In case JUNK does not fit
      into a chunk header and there are no more other chunks in
      the input queue, or in case JUNK contains a garbage chunk
      header, but the encoded chunk length would exceed the skb
      tail, or we came here from an entirely different scenario
      and the chunk has pdiscard=1 mark (without having had a flush
      point), it will happen, that we will excessively queue up
      the association's output queue (a correct final chunk may
      then turn it into a response flood when flushing the
      queue ;)): I ran a simple script with incremental ASCONF
      serial numbers and could see the server side consuming
      excessive amount of RAM [before/after: up to 2GB and more].
      
      The issue at heart is that the chunk train basically ends
      with !end_of_packet and !singleton markers and since commit
      2e3216cd ("sctp: Follow security requirement of responding
      with 1 packet") therefore preventing an output queue flush
      point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
      chunk (chunk = event_arg) even though local_cork is set,
      but its precedence has changed since then. In the normal
      case, the last chunk with end_of_packet=1 would trigger the
      queue flush to accommodate possible outgoing bundling.
      
      In the input queue, sctp_inq_pop() seems to do the right thing
      in terms of discarding invalid chunks. So, above JUNK will
      not enter the state machine and instead be released and exit
      the sctp_assoc_bh_rcv() chunk processing loop. It's simply
      the flush point being missing at loop exit. Adding a try-flush
      approach on the output queue might not work as the underlying
      infrastructure might be long gone at this point due to the
      side-effect interpreter run.
      
      One possibility, albeit a bit of a kludge, would be to defer
      invalid chunk freeing into the state machine in order to
      possibly trigger packet discards and thus indirectly a queue
      flush on error. It would surely be better to discard chunks
      as in the current, perhaps better controlled environment, but
      going back and forth, it's simply architecturally not possible.
      I tried various trailing JUNK attack cases and it seems to
      look good now.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      565d3c2b
    • Daniel Borkmann's avatar
      net: sctp: fix panic on duplicate ASCONF chunks · 790395f9
      Daniel Borkmann authored
      commit b69040d8 upstream.
      
      When receiving a e.g. semi-good formed connection scan in the
      form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---------------- ASCONF_a; ASCONF_b ----------------->
      
      ... where ASCONF_a equals ASCONF_b chunk (at least both serials
      need to be equal), we panic an SCTP server!
      
      The problem is that good-formed ASCONF chunks that we reply with
      ASCONF_ACK chunks are cached per serial. Thus, when we receive a
      same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
      not need to process them again on the server side (that was the
      idea, also proposed in the RFC). Instead, we know it was cached
      and we just resend the cached chunk instead. So far, so good.
      
      Where things get nasty is in SCTP's side effect interpreter, that
      is, sctp_cmd_interpreter():
      
      While incoming ASCONF_a (chunk = event_arg) is being marked
      !end_of_packet and !singleton, and we have an association context,
      we do not flush the outqueue the first time after processing the
      ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
      queued up, although we set local_cork to 1. Commit 2e3216cd
      changed the precedence, so that as long as we get bundled, incoming
      chunks we try possible bundling on outgoing queue as well. Before
      this commit, we would just flush the output queue.
      
      Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
      continue to process the same ASCONF_b chunk from the packet. As
      we have cached the previous ASCONF_ACK, we find it, grab it and
      do another SCTP_CMD_REPLY command on it. So, effectively, we rip
      the chunk->list pointers and requeue the same ASCONF_ACK chunk
      another time. Since we process ASCONF_b, it's correctly marked
      with end_of_packet and we enforce an uncork, and thus flush, thus
      crashing the kernel.
      
      Fix it by testing if the ASCONF_ACK is currently pending and if
      that is the case, do not requeue it. When flushing the output
      queue we may relink the chunk for preparing an outgoing packet,
      but eventually unlink it when it's copied into the skb right
      before transmission.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      790395f9
    • Daniel Borkmann's avatar
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · 240432f9
      Daniel Borkmann authored
      commit 9de7922b upstream.
      
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82b ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      240432f9
    • Ben Hutchings's avatar
      drivers/net: macvtap and tun depend on INET · 6b99e68d
      Ben Hutchings authored
      commit de11b0e8 upstream.
      
      These drivers now call ipv6_proxy_select_ident(), which is defined
      only if CONFIG_INET is enabled.  However, they have really depended
      on CONFIG_INET for as long as they have allowed sending GSO packets
      from userland.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: f43798c2 ("tun: Allow GSO using virtio_net_hdr")
      Fixes: b9fb9ee0 ("macvtap: add GSO/csum offload support")
      Fixes: 5188cd44 ("drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6b99e68d
  2. 05 Nov, 2014 15 commits