Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.235 2020-02-05T13:03:43+00:00 2020-02-05T13:03:43+00:00 Michael Ellerman mpe@ellerman.id.au 2020-01-22T04:07:28+00:00 urn:sha1:bd786d8d13d528fddc4570a5b9a6f52c4b937791 [ Upstream commit 78f7a7566f5eb59321e99b55a6fdb16ea05b37d1 ] The driver for Cisco Aironet 4500 and 4800 series cards (airo.c), implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl(). The ioctl handler copies an aironet_ioctl struct from userspace, which includes a command. Some of the commands are handled in readrids(), where the user controlled command is converted into a driver-internal value called "ridcode". There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM respectively. These commands both have checks that the user has CAP_NET_ADMIN, with the comment that "Only super-user can read WEP keys", otherwise they return -EPERM. However there is another command value, AIRORRID, that lets the user specify the ridcode value directly, with no other checks. This means the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and AIROGWEPKNV. Fix it by moving the CAP_NET_ADMIN check out of the command handling and instead do it later based on the ridcode. That way regardless of whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed in using AIRORID, we always do the CAP_NET_ADMIN check. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-02-05T13:03:43+00:00 Michael Ellerman mpe@ellerman.id.au 2020-01-22T04:07:27+00:00 urn:sha1:98fd2fc6f18c107f925d0519d10ea03177c2a537 [ Upstream commit d6bce2137f5d6bb1093e96d2f801479099b28094 ] The driver for Cisco Aironet 4500 and 4800 series cards (airo.c), implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl(). The ioctl handler copies an aironet_ioctl struct from userspace, which includes a command and a length. Some of the commands are handled in readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes. That buffer is then passed to PC4500_readrid(), which has two cases. The else case does some setup and then reads up to RIDSIZE bytes from the hardware into the kmalloc()'ed buffer. Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer: // read the rid length field bap_read(ai, pBuf, 2, BAP1); // length for remaining part of rid len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2; ... // read remainder of the rid rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1); PC4500_readrid() then returns to readrids() which does: len = comp->len; if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) { Where comp->len is the user controlled length field. So if the "rid length field" returned by the hardware is < 2048, and the user requests 2048 bytes in comp->len, we will leak the previous contents of the kmalloc()'ed buffer to userspace. Fix it by kzalloc()'ing the buffer. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-11-28T17:26:03+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-10-24T08:33:34+00:00 urn:sha1:574161e0d97d3b895a938ead580d617e25e7cb8c [ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ] It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes of the ssid, but we accidentally use "%*s" (width) instead of "%.*s" (precision) so if the ssid doesn't have a NUL terminator this could lead to an overflow. Static analysis. Not tested. Fixes: e174961ca1a0 ("net: convert print_mac to %pM") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2015-10-28T18:54:39+00:00 Ondrej Zary linux@rainbow-software.org 2015-10-16T19:04:14+00:00 urn:sha1:dae0412d0caa4948da07fe4ad91352b5b61a70ec SIOCSIWAP (airo_set_wap) affects scan: only the AP specified by SIOCSIWAP is present in scan results. This makes NetworkManager work for the first time but then unable to find any other APs. Clear APList before starting scan and set it back after scan completes to work-around the problem. To avoid losing packets during scan, modify disable_MAC() to omit netif_carrier_off() call when lock == 2. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 2015-10-28T18:54:35+00:00 Ondrej Zary linux@rainbow-software.org 2015-10-16T19:04:13+00:00 urn:sha1:f675f93a797a18fc1f82030d56d02286039d0fb3 Instead of dynamically allocating APList, make it a member of struct airo_info to always track state of APList_rid. This simplifies suspend/resume and allows removal of readAPListRid. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 2015-09-29T08:07:02+00:00 Ondrej Zary linux@rainbow-software.org 2015-09-21T13:44:25+00:00 urn:sha1:2b8fa9e870b7dd4ea30a0c72e3a134533552278f Add calls to netif_carrier_on and netif_carrier_off Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 2015-09-29T08:07:00+00:00 Ondrej Zary linux@rainbow-software.org 2015-09-21T13:44:24+00:00 urn:sha1:4a0f2ea79797642341020eae5918871db94fc769 IW_AUTH_ALG_OPEN_SYSTEM is ambiguous in set_auth for WEP as wpa_supplicant uses it for both no encryption and WEP open system. Cache the last mode set (only of these two) and use it here. This allows wpa_supplicant to work with unencrypted APs. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 2015-04-15T16:00:47+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-04-15T16:00:47+00:00 urn:sha1:6c373ca89399c5a3f7ef210ad8f63dc3437da345 Pull networking updates from David Miller: 1) Add BQL support to via-rhine, from Tino Reichardt. 2) Integrate SWITCHDEV layer support into the DSA layer, so DSA drivers can support hw switch offloading. From Floria Fainelli. 3) Allow 'ip address' commands to initiate multicast group join/leave, from Madhu Challa. 4) Many ipv4 FIB lookup optimizations from Alexander Duyck. 5) Support EBPF in cls_bpf classifier and act_bpf action, from Daniel Borkmann. 6) Remove the ugly compat support in ARP for ugly layers like ax25, rose, etc. And use this to clean up the neigh layer, then use it to implement MPLS support. All from Eric Biederman. 7) Support L3 forwarding offloading in switches, from Scott Feldman. 8) Collapse the LOCAL and MAIN ipv4 FIB tables when possible, to speed up route lookups even further. From Alexander Duyck. 9) Many improvements and bug fixes to the rhashtable implementation, from Herbert Xu and Thomas Graf. In particular, in the case where an rhashtable user bulk adds a large number of items into an empty table, we expand the table much more sanely. 10) Don't make the tcp_metrics hash table per-namespace, from Eric Biederman. 11) Extend EBPF to access SKB fields, from Alexei Starovoitov. 12) Split out new connection request sockets so that they can be established in the main hash table. Much less false sharing since hash lookups go direct to the request sockets instead of having to go first to the listener then to the request socks hashed underneath. From Eric Dumazet. 13) Add async I/O support for crytpo AF_ALG sockets, from Tadeusz Struk. 14) Support stable privacy address generation for RFC7217 in IPV6. From Hannes Frederic Sowa. 15) Hash network namespace into IP frag IDs, also from Hannes Frederic Sowa. 16) Convert PTP get/set methods to use 64-bit time, from Richard Cochran. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1816 commits) fm10k: Bump driver version to 0.15.2 fm10k: corrected VF multicast update fm10k: mbx_update_max_size does not drop all oversized messages fm10k: reset head instead of calling update_max_size fm10k: renamed mbx_tx_dropped to mbx_tx_oversized fm10k: update xcast mode before synchronizing multicast addresses fm10k: start service timer on probe fm10k: fix function header comment fm10k: comment next_vf_mbx flow fm10k: don't handle mailbox events in iov_event path and always process mailbox fm10k: use separate workqueue for fm10k driver fm10k: Set PF queues to unlimited bandwidth during virtualization fm10k: expose tx_timeout_count as an ethtool stat fm10k: only increment tx_timeout_count in Tx hang path fm10k: remove extraneous "Reset interface" message fm10k: separate PF only stats so that VF does not display them fm10k: use hw->mac.max_queues for stats fm10k: only show actual queues, not the maximum in hardware fm10k: allow creation of VLAN on default vid fm10k: fix unused warnings ... 2015-03-06T22:04:40+00:00 Masanari Iida standby24x7@gmail.com 2015-02-24T14:11:26+00:00 urn:sha1:f42cf8d6a3ec934551ac0f20f4654dccb11fa30d This patch fix spelling typo in printk messages. Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2015-03-03T22:01:36+00:00 Joe Perches joe@perches.com 2015-03-03T03:54:49+00:00 urn:sha1:93803b3385c653bc6fd391c0de00ef811b3dadc0 Use the built-in function instead of memset. Miscellanea: Add #include <linux/etherdevice.h> where appropriate Use ETH_ALEN instead of 6 Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>