1. 13 Sep, 2008 32 commits
  2. 12 Sep, 2008 4 commits
  3. 11 Sep, 2008 4 commits
    • David S. Miller's avatar
    • Vegard Nossum's avatar
      netlink: fix overrun in attribute iteration · 1045b03e
      Vegard Nossum authored
      kmemcheck reported this:
      
        kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
        0500110001508abf050010000500000002017300140000006f72672e66726565
         i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                         ^
      
        Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
        EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
        EIP is at nla_parse+0x5a/0xf0
        EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
        ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
         DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
        CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
        DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
        DR6: ffff4ff0 DR7: 00000400
         [<c05d4b23>] rtnl_setlink+0x63/0x130
         [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
         [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
         [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
         [<c05dda21>] netlink_unicast+0x281/0x290
         [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
         [<c05beef2>] sock_sendmsg+0xd2/0x100
         [<c05bf945>] sys_sendto+0xa5/0xd0
         [<c05bf9a6>] sys_send+0x36/0x40
         [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
         [<c020353b>] sysenter_do_call+0x12/0x3f
         [<ffffffff>] 0xffffffff
      
      This is the line in nla_ok():
      
        /**
         * nla_ok - check if the netlink attribute fits into the remaining bytes
         * @nla: netlink attribute
         * @remaining: number of bytes remaining in attribute stream
         */
        static inline int nla_ok(const struct nlattr *nla, int remaining)
        {
                return remaining >= sizeof(*nla) &&
                       nla->nla_len >= sizeof(*nla) &&
                       nla->nla_len <= remaining;
        }
      
      It turns out that remaining can become negative due to alignment in
      nla_next(). But GCC promotes "remaining" to unsigned in the test
      against sizeof(*nla) above. Therefore the test succeeds, and the
      nla_for_each_attr() may access memory outside the received buffer.
      
      A short example illustrating this point is here:
      
        #include <stdio.h>
      
        main(void)
        {
                printf("%d\n", -1 >= sizeof(int));
        }
      
      ...which prints "1".
      
      This patch adds a cast in front of the sizeof so that GCC will make
      a signed comparison and fix the illegal memory dereference. With the
      patch applied, there is no kmemcheck report.
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@gmail.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1045b03e
    • Marcel Holtmann's avatar
      [Bluetooth] Fix regression from using default link policy · 7c6a329e
      Marcel Holtmann authored
      To speed up the Simple Pairing connection setup, the support for the
      default link policy has been enabled. This is in contrast to settings
      the link policy on every connection setup. Using the default link policy
      is the preferred way since there is no need to dynamically change it for
      every connection.
      
      For backward compatibility reason and to support old userspace the
      HCISETLINKPOL ioctl has been switched over to using hci_request() to
      issue the HCI command for setting the default link policy instead of
      just storing it in the HCI device structure.
      
      However the hci_request() can only be issued when the device is
      brought up. If used on a device that is registered, but still down
      it will timeout and fail. This is problematic since the command is
      put on the TX queue and the Bluetooth core tries to submit it to
      hardware that is not ready yet. The timeout for these requests is
      10 seconds and this causes a significant regression when setting up
      a new device.
      
      The userspace can perfectly handle a failure of the HCISETLINKPOL
      ioctl and will re-submit it later, but the 10 seconds delay causes
      a problem. So in case hci_request() is called on a device that is
      still down, just fail it with ENETDOWN to indicate what happens.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      7c6a329e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block · a551b98d
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.dk/linux-2.6-block:
        sg: disable interrupts inside sg_copy_buffer
      a551b98d