Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.76 2019-09-23T20:12:09+00:00 2019-09-23T20:12:09+00:00 Arik Nemtsov arik@wizery.com 2014-06-11T14:18:25+00:00 urn:sha1:4ddb257573f61238bca2e3482e2f9cd94627f936 commit c887f0d3a03283cb6fe2c32aae62229bebd3fa32 upstream. Write a mac80211 to the cfg80211 API for requesting a userspace TDLS operation. Define TDLS specific reason codes that can be used here. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-09-23T20:11:50+00:00 Marcel Holtmann marcel@holtmann.org 2019-04-24T20:19:17+00:00 urn:sha1:1f52c0fb870d0a3e00f790d5a8085bcb234ad0fe commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream. The minimum encryption key size for LE connections is 56 bits and to align LE with BR/EDR, enforce 56 bits of minimum encryption key size for BR/EDR connections as well. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-20T18:01:55+00:00 Ben Hutchings ben@decadent.org.uk 2019-08-03T16:11:42+00:00 urn:sha1:3157fbc900bdb366b2186e5a6e506cc5e4697cf0 Denis Andzakovic discovered a potential use-after-free in older kernel versions, using syzkaller. tcp_write_queue_purge() frees all skbs in the TCP write queue and can leave sk->sk_send_head pointing to freed memory. tcp_disconnect() clears that pointer after calling tcp_write_queue_purge(), but tcp_connect() does not. It is (surprisingly) possible to add to the write queue between disconnection and reconnection, so this needs to be done in both places. This bug was introduced by backports of commit 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()") and does not exist upstream because of earlier changes in commit 75c119afe14f ("tcp: implement rb-tree based retransmit queue"). The latter is a major change that's not suitable for stable. Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz> Bisected-by: Salvatore Bonaccorso <carnil@debian.org> Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()") Cc: <stable@vger.kernel.org> # before 4.15 Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:32+00:00 Florian Westphal fw@strlen.de 2019-04-01T11:08:54+00:00 urn:sha1:3d8b3d0384f709126beef6b917b7e97c23f18e74 commit 3c79107631db1f7fd32cf3f7368e4672004a3010 upstream. else, we leak the addresses to userspace via ctnetlink events and dumps. Compute an ID on demand based on the immutable parts of nf_conn struct. Another advantage compared to using an address is that there is no immediate re-use of the same ID in case the conntrack entry is freed and reallocated again immediately. Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID") Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.16: - Include <net/netns/hash.h> in nf_conntrack_core.c - Adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:32+00:00 Eric Dumazet edumazet@google.com 2019-03-27T19:40:33+00:00 urn:sha1:9ebeec41ed3f52fd94267f25f8b9bf3f4cbf1e4e commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream. According to Amit Klein and Benny Pinkas, IP ID generation is too weak and might be used by attackers. Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) having 64bit key and Jenkins hash is risky. It is time to switch to siphash and its 128bit keys. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Amit Klein <aksecurity@gmail.com> Reported-by: Benny Pinkas <benny@pinkas.net> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:31+00:00 Hannes Frederic Sowa hannes@stressinduktion.org 2015-03-25T16:07:45+00:00 urn:sha1:6caabe4c7dab391fcd7ee36e6cba75697b9e7871 commit 5a352dd0a3aac03b443c94828dfd7144261c8636 upstream. As namespaces are sometimes used with overlapping ip address ranges, we should also use the namespace as input to the hash to select the ip fragmentation counter bucket. Cc: Eric Dumazet <edumazet@google.com> Cc: Flavio Leitner <fbl@redhat.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:30+00:00 Hannes Frederic Sowa hannes@stressinduktion.org 2015-03-25T16:07:44+00:00 urn:sha1:1c1e2a916e2715188dc0ad492dbe42e6379c1a66 commit b6a7719aedd7e5c0f2df7641aa47386111682df4 upstream. As namespaces are sometimes used with overlapping ip address ranges, we should also use the namespace as input to the hash to select the ip fragmentation counter bucket. Cc: Eric Dumazet <edumazet@google.com> Cc: Flavio Leitner <fbl@redhat.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:30+00:00 Vlad Yasevich vyasevich@gmail.com 2015-02-09T14:38:21+00:00 urn:sha1:dbac56343705df2d24e3588a6ef421d386eda7be commit 8381eacf5c3b35cf7755f4bc521c4d56d24c1cd9 upstream. Make __ipv6_select_ident() static as it isn't used outside the file. Fixes: 0508c07f5e0c9 (ipv6: Select fragment id during UFO segmentation if not set.) Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:39:29+00:00 Vlad Yasevich vyasevich@gmail.com 2015-02-03T21:36:15+00:00 urn:sha1:2e095ca0c58515774e6dd45f1f698682c073237f commit 0508c07f5e0c94f38afd5434e8b2a55b84553077 upstream. If the IPv6 fragment id has not been set and we perform fragmentation due to UFO, select a new fragment id. We now consider a fragment id of 0 as unset and if id selection process returns 0 (after all the pertrubations), we set it to 0x80000000, thus giving us ample space not to create collisions with the next packet we may have to fragment. When doing UFO integrity checking, we also select the fragment id if it has not be set yet. This is stored into the skb_shinfo() thus allowing UFO to function correclty. This patch also removes duplicate fragment id generation code and moves ipv6_select_ident() into the header as it may be used during GSO. Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2019-08-13T11:38:44+00:00 Xin Long lucien.xin@gmail.com 2019-03-18T11:47:00+00:00 urn:sha1:3ef66b61b37b5e28dad11f3c3937f8be647e0e07 commit 273160ffc6b993c7c91627f5a84799c66dfe4dee upstream. sctp_hdr(skb) only works when skb->transport_header is set properly. But in Netfilter, skb->transport_header for ipv6 is not guaranteed to be right value for sctphdr. It would cause to fail to check the checksum for sctp packets. So fix it by using offset, which is always right in all places. v1->v2: - Fix the changelog. Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") Reported-by: Li Shuang <shuali@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>