kernel/linux.git/net, branch v3.0.6 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.0.6 2011-10-03T18:41:10+00:00 cfg80211: Fix validation of AKM suites 2011-10-03T18:41:10+00:00 Jouni Malinen jouni@qca.qualcomm.com 2011-09-21T13:13:07+00:00 urn:sha1:508ed7445438cb6dffa105a128333c8461bfd5e4 commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Bluetooth: Fix timeout on scanning for the second time 2011-10-03T18:41:01+00:00 Oliver Neukum oliver@neukum.org 2011-08-30T13:52:18+00:00 urn:sha1:8341e503c2628f056a9fdfe244f15c96b31c04c9 commit 2d20a26a92f72e3bb658fe8ce99c3663756e9e7a upstream. The checks for HCI_INQUIRY and HCI_MGMT were in the wrong order, so that second scans always failed. Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> bridge: fix a possible use after free 2011-10-03T18:40:56+00:00 Eric Dumazet eric.dumazet@gmail.com 2011-08-23T19:57:05+00:00 urn:sha1:af674335761a7ab9b015ec7e051ae232d5c0efab [ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ] br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb head can be reallocated. Cache icmp6_type field instead of dereferencing twice the struct icmp6hdr pointer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> bridge: Pseudo-header required for the checksum of ICMPv6 2011-10-03T18:40:56+00:00 Yan, Zheng zheng.z.yan@intel.com 2011-08-23T22:54:33+00:00 urn:sha1:42270cd40ba8e0134cffd1c036a1aa3d844369a8 [ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ] Checksum of ICMPv6 is not properly computed because the pseudo header is not used. Thus, the MLD packet gets dropped by the bridge. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Reported-by: Ang Way Chuang <wcang@sfc.wide.ad.jp> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> xfrm: Perform a replay check after return from async codepaths 2011-10-03T18:40:55+00:00 Steffen Klassert steffen.klassert@secunet.com 2011-09-20T23:38:58+00:00 urn:sha1:23b576bfe4a6056afb6bca3cd1cb96581f4cb19d [ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ] When asyncronous crypto algorithms are used, there might be many packets that passed the xfrm replay check, but the replay advance function is not called yet for these packets. So the replay check function would accept a replay of all of these packets. Also the system might crash if there are more packets in async processing than the size of the anti replay window, because the replay advance function would try to update the replay window beyond the bounds. This pach adds a second replay check after resuming from the async processing to fix these issues. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> vlan: reset headers on accel emulation path 2011-10-03T18:40:55+00:00 Jiri Pirko jpirko@redhat.com 2011-08-19T04:29:27+00:00 urn:sha1:b082a5631a746b494553f7c72b387cb625a1674a [ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ] It's after all necessary to do reset headers here. The reason is we cannot depend that it gets reseted in __netif_receive_skb once skb is reinjected. For incoming vlanids without vlan_dev, vlan_do_receive() returns false with skb != NULL and __netif_reveive_skb continues, skb is not reinjected. This might be good material for 3.0-stable as well Reported-by: Mike Auty <mike.auty@gmail.com> Signed-off-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> tcp: initialize variable ecn_ok in syncookies path 2011-10-03T18:40:54+00:00 Mike Waychison mikew@google.com 2011-08-11T04:59:57+00:00 urn:sha1:bc4c1bd0d97dfd9a705bcb3ade46b051c3f4647d [ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ] Using a gcc 4.4.3, warnings are emitted for a possibly uninitialized use of ecn_ok. This can happen if cookie_check_timestamp() returns due to not having seen a timestamp. Defaulting to ecn off seems like a reasonable thing to do in this case, so initialized ecn_ok to false. Signed-off-by: Mike Waychison <mikew@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> tcp: fix validation of D-SACK 2011-10-03T18:40:54+00:00 Zheng Yan zheng.z.yan@intel.com 2011-09-19T02:37:34+00:00 urn:sha1:616ea55abc53ced58c4097b33b26abea01a743d4 [ Upstream commit f779b2d60ab95c17f1e025778ed0df3ec2f05d75 ] D-SACK is allowed to reside below snd_una. But the corresponding check in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> scm: Capture the full credentials of the scm sender 2011-10-03T18:40:54+00:00 Tim Chen tim.c.chen@linux.intel.com 2011-08-09T06:48:32+00:00 urn:sha1:265d5c2eb22550566cf4193df46596dac439374c [ Upstream commit e33f7a9f37d486f4c6cce5de18a6eea11d68f64f ] This patch corrects an erroneous update of credential's gid with uid introduced in commit 257b5358b32f17 since 2.6.36. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Reviewed-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> net_sched: prio: use qdisc_dequeue_peeked 2011-10-03T18:40:53+00:00 Florian Westphal fw@strlen.de 2011-08-09T02:04:43+00:00 urn:sha1:621ad27ca68f318db0d416e5c1401d35c95c6d91 [ Upstream commit 3557619f0f6f7496ed453d4825e24958ab1884e0 ] commit 07bd8df5df4369487812bf85a237322ff3569b77 (sch_sfq: fix peek() implementation) changed sfq to use generic peek helper. This makes HFSC complain about a non-work-conserving child qdisc, if prio with sfq child is used within hfsc: hfsc peeks into prio qdisc, which will then peek into sfq. returned skb is stashed in sch->gso_skb. Next, hfsc tries to dequeue from prio, but prio will call sfq dequeue directly, which may return NULL instead of previously peeked-at skb. Have prio call qdisc_dequeue_peeked, so sfq->dequeue() is not called in this case. Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>