1. 08 7月, 2016 11 次提交
    • R
      Bluetooth: btmrvl: fix slab-out-of-bounds access in btmrvl_sdio · d2f30240
      Ricky Liang 提交于
      Kasan reported slab-out-of-bounds access in btmrvl_sdio:
      
      [   33.055400] ==================================================================
      [   33.062585] BUG: KASAN: slab-out-of-bounds in memcpy+0x24/0x50 at addr ffffffc0d89b4a00
      [   33.070529] Read of size 256 by task btmrvl_main_ser/3576
      [   33.075885] =============================================================================
      [   33.084002] BUG kmalloc-256 (Tainted: G    B         ): kasan: bad access detected
      [   33.091511] -----------------------------------------------------------------------------
      <snip...>
      [   33.413498] Call trace:
      [   33.415928] [<ffffffc00020a440>] dump_backtrace+0x0/0x190
      [   33.421288] [<ffffffc00020a5ec>] show_stack+0x1c/0x28
      [   33.426305] [<ffffffc000b3288c>] dump_stack+0xa0/0xf8
      [   33.431320] [<ffffffc000396130>] print_trailer+0x158/0x16c
      [   33.436765] [<ffffffc0003962cc>] object_err+0x48/0x5c
      [   33.441780] [<ffffffc00039be24>] kasan_report+0x344/0x510
      [   33.447141] [<ffffffc00039afd8>] __asan_loadN+0x20/0x150
      [   33.452413] [<ffffffc00039b60c>] memcpy+0x20/0x50
      [   33.457084] [<ffffffc000595fcc>] swiotlb_tbl_map_single+0x2ec/0x310
      [   33.463305] [<ffffffc000596b54>] map_single+0x24/0x30
      [   33.468320] [<ffffffc0005970c8>] swiotlb_map_sg_attrs+0xec/0x21c
      [   33.474286] [<ffffffc000219d4c>] __swiotlb_map_sg_attrs+0x48/0xec
      [   33.480339] [<ffffffc0008ea610>] msdc_prepare_data.isra.11+0xf0/0x11c
      [   33.486733] [<ffffffc0008ecbd0>] msdc_ops_request+0x74/0xf0
      [   33.492266] [<ffffffc0008c6b38>] __mmc_start_request+0x78/0x8c
      [   33.498057] [<ffffffc0008c6d6c>] mmc_start_request+0x220/0x240
      [   33.503848] [<ffffffc0008c6e04>] mmc_wait_for_req+0x78/0x250
      [   33.509468] [<ffffffc0008d70fc>] mmc_io_rw_extended+0x2ec/0x388
      [   33.515347] [<ffffffc0008d8fc0>] sdio_io_rw_ext_helper+0x160/0x268
      [   33.521483] [<ffffffc0008d93fc>] sdio_writesb+0x40/0x50
      [   33.526677] [<ffffffbffc338b38>] btmrvl_sdio_host_to_card+0x124/0x1bc [btmrvl_sdio]
      [   33.534283] [<ffffffbffc3290a0>] btmrvl_service_main_thread+0x384/0x428 [btmrvl]
      [   33.541626] [<ffffffc0002518e8>] kthread+0x140/0x158
      [   33.546550] Memory state around the buggy address:
      [   33.551305]  ffffffc0d89b4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   33.558474]  ffffffc0d89b4a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   33.565643] >ffffffc0d89b4a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
      [   33.572809]                                                                 ^
      [   33.579889]  ffffffc0d89b4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   33.587055]  ffffffc0d89b4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   33.594221] ==================================================================
      
      The cause of this is that btmrvl_sdio_host_to_card can access memory region
      out of its allocated space due to:
      
        1. the requested block size is smaller than SDIO_BLOCK_SIZE, and/or
        2. the allocated memory is not BTSDIO_DMA_ALIGN-aligned.
      
      This patch fixes the issue by allocating a buffer which is big enough for
      SDIO_BLOCK_SIZE transfer and/or BTSDIO_DMA_ALIGN address relocation.
      Signed-off-by: NRicky Liang <jcliang@chromium.org>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      d2f30240
    • T
      Bluetooth: Replace constant hw_variant from Intel Bluetooth firmware filename · 230b04ac
      Tedd Ho-Jeong An 提交于
      The format of Intel Bluetooth firmware filename for bootloader product
      is ibt-<hw_variant>-<device_revision_id>.sfi
      
      Currently the driver uses a constant value 11 (0x0b) for hw_variant
      to support LnP/SfP product. But new product like WsP product has
      a different value such as 12 (0x0c).
      
      To support the multiple products, this patch replaces the constant
      value of hw_variant to the actual hw_variant value read from
      the device.
      Signed-off-by: NTedd Ho-Jeong An <tedd.an@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      230b04ac
    • D
      Bluetooth: Fix hci_sock_recvmsg return value · 83871f8c
      Denis Kenzior 提交于
      If recvmsg is called with a destination buffer that is too small to
      receive the contents of skb in its entirety, the return value from
      recvmsg was inconsistent with common SOCK_SEQPACKET or SOCK_DGRAM
      semantics.
      
      If destination buffer provided by userspace is too small (e.g. len <
      copied), then MSG_TRUNC flag is set and copied is returned.  Instead, it
      should return the length of the message, which is consistent with how
      other datagram based sockets act.  Quoting 'man recv':
      
      "All  three calls return the length of the message on successful comple‐
      tion.  If a message is too long to fit in the supplied  buffer,  excess
      bytes  may  be discarded depending on the type of socket the message is
      received from."
      
      and
      
      "MSG_TRUNC (since Linux 2.2)
      
          For   raw   (AF_PACKET),   Internet   datagram   (since    Linux
          2.4.27/2.6.8),  netlink  (since Linux 2.6.22), and UNIX datagram
          (since Linux 3.4) sockets: return the real length of the packet
          or datagram, even when it was longer than the passed buffer."
      Signed-off-by: NDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      83871f8c
    • D
      Bluetooth: Fix bt_sock_recvmsg return value · b5f34f94
      Denis Kenzior 提交于
      If recvmsg is called with a destination buffer that is too small to
      receive the contents of skb in its entirety, the return value from
      recvmsg was inconsistent with common SOCK_SEQPACKET or SOCK_DGRAM
      semantics.
      
      If destination buffer provided by userspace is too small (e.g. len <
      copied), then MSG_TRUNC flag is set and copied is returned.  Instead, it
      should return the length of the message, which is consistent with how
      other datagram based sockets act.  Quoting 'man recv':
      
      "All  three calls return the length of the message on successful comple‐
      tion.  If a message is too long to fit in the supplied  buffer,  excess
      bytes  may  be discarded depending on the type of socket the message is
      received from."
      
      and
      
      "MSG_TRUNC (since Linux 2.2)
      
          For   raw   (AF_PACKET),   Internet   datagram   (since    Linux
          2.4.27/2.6.8),  netlink  (since Linux 2.6.22), and UNIX datagram
          (since Linux 3.4) sockets: return the real length of the packet
          or datagram, even when it was longer than the passed buffer."
      Signed-off-by: NDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      b5f34f94
    • A
      ieee802154: allow netns create of lowpan interface · 1c5bf998
      Alexander Aring 提交于
      This patch reverts commit f9d1ce8f ("ieee802154: fix netns settings").
      The lowpan interface need to be created inside the net namespace where
      the wpan interface is available. The wpan namespace can be changed only
      by nl802154 before. Without this patch it's not possible to create a
      lowpan interface for a wpan interface which isn't inside init_net
      namespace.
      
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: NStefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: NAlexander Aring <aar@pengutronix.de>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      1c5bf998
    • A
      ieee802154: add netns support · 66e5c267
      Alexander Aring 提交于
      This patch adds netns support for 802.15.4 subsystem. Most parts are
      copy&pasted from wireless subsystem, it has the identically userspace
      API.
      
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: NStefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: NAlexander Aring <aar@pengutronix.de>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      66e5c267
    • A
      nl802154: move PAD to right position · aece0c3f
      Alexander Aring 提交于
      The PAD define should be above the experimental support. We don't care
      about if we break userspace in experimental stuff but PAD is part of the
      existing UAPI.
      
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: Stefan Schmidt<stefan@osg.samsung.com>
      Signed-off-by: NAlexander Aring <aar@pengutronix.de>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      aece0c3f
    • T
      Bluetooth: Add support for Intel Bluetooth device 3168 [8087:0aa7] · 439e65d3
      Tedd Ho-Jeong An 提交于
      This patch adds support for Intel Bluetooth device 3168 also known
      as Sandy Peak (SdP).
      
      T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=8087 ProdID=0aa7 Rev= 0.01
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: NTedd Ho-Jeong An <tedd.an@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      439e65d3
    • A
      6lowpan: ndisc: add missing 802.15.4 only check · 966be9e7
      Alexander Aring 提交于
      This patch adds a missing check to handle short address parsing for
      802.15.4 6LoWPAN only.
      Signed-off-by: NAlexander Aring <aar@pengutronix.de>
      Reviewed-by: NStefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      966be9e7
    • A
      6lowpan: ndisc: fix double read unlock · 929946a4
      Alexander Aring 提交于
      This patch removes a double unlock case to accessing neighbour private
      data.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NAlexander Aring <aar@pengutronix.de>
      Reviewed-by: NStefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      929946a4
    • A
      Bluetooth: Switch SMP to crypto_cipher_encrypt_one() · a4770e11
      Andy Lutomirski 提交于
      SMP does ECB crypto on stack buffers.  This is complicated and
      fragile, and it will not work if the stack is virtually allocated.
      
      Switch to the crypto_cipher interface, which is simpler and safer.
      Signed-off-by: NAndy Lutomirski <luto@kernel.org>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Tested-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      a4770e11
  2. 07 7月, 2016 7 次提交
    • D
      Merge tag 'mac80211-next-for-davem-2016-07-06' of... · a90a6e55
      David S. Miller 提交于
      Merge tag 'mac80211-next-for-davem-2016-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
      
      Johannes Berg says:
      
      ====================
      One more set of new features:
       * beacon report (for radio measurement) support in cfg80211/mac80211
       * hwsim: allow wmediumd in namespaces
       * mac80211: extend 160MHz workaround to CSA IEs
       * mesh: properly encrypt group-addressed privacy action frames
       * mesh: allow setting peer AID
       * first steps for MU-MIMO monitor mode
       * along with various other cleanups and improvements
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a90a6e55
    • W
      net: mediatek: remove .owner field for driver · fcf752ae
      Wei Yongjun 提交于
      Remove .owner field since calls to module_platform_driver() will
      set it automatically.
      Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fcf752ae
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 30d0844b
      David S. Miller 提交于
      Conflicts:
      	drivers/net/ethernet/mellanox/mlx5/core/en.h
      	drivers/net/ethernet/mellanox/mlx5/core/en_main.c
      	drivers/net/usb/r8152.c
      
      All three conflicts were overlapping changes.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      30d0844b
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · bc867651
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) All users of AF_PACKET's fanout feature want a symmetric packet
          header hash for load balancing purposes, so give it to them.
      
       2) Fix vlan state synchronization in e1000e, from Jarod Wilson.
      
       3) Use correct socket pointer in ip_skb_dst_mtu(), from Shmulik
          Ladkani.
      
       4) mlx5 bug fixes from Mohamad Haj Yahia, Daniel Jurgens, Matthew
          Finlay, Rana Shahout, and Shaker Daibes.  Mostly to do with
          operation timeouts and PCI error handling.
      
       5) Fix checksum handling in mirred packet action, from WANG Cong.
      
       6) Set skb->dev correctly when transmitting in !protect_frames case of
          macsec driver, from Daniel Borkmann.
      
       7) Fix MTU calculation in geneve driver, from Haishuang Yan.
      
       8) Missing netif_napi_del() in unregister path of qeth driver, from
          Ursula Braun.
      
       9) Handle malformed route netlink messages in decnet properly, from
          Vergard Nossum.
      
      10) Memory leak of percpu data in ipv6 routing code, from Martin KaFai
          Lau.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        ipv6: Fix mem leak in rt6i_pcpu
        net: fix decnet rtnexthop parsing
        cxgb4: update latest firmware version supported
        net/mlx5: Avoid setting unused var when modifying vport node GUID
        bonding: fix enslavement slave link notifications
        r8152: fix runtime function for RTL8152
        qeth: delete napi struct when removing a qeth device
        Revert "fsl/fman: fix error handling"
        fsl/fman: fix error handling
        cdc_ncm: workaround for EM7455 "silent" data interface
        RDS: fix rds_tcp_init() error path
        geneve: fix max_mtu setting
        net: phy: dp83867: Fix initialization of PHYCR register
        enc28j60: Fix race condition in enc28j60 driver
        net: stmmac: Fix null-function call in ISR on stmmac1000
        tipc: fix nl compat regression for link statistics
        net: bcmsysport: Device stats are unsigned long
        macsec: set actual real device for xmit when !protect_frames
        net_sched: fix mirrored packets checksum
        packet: Use symmetric hash for PACKET_FANOUT_HASH.
        ...
      bc867651
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · ae3e4562
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter updates for net-next
      
      The following patchset contains Netfilter updates for net-next,
      they are:
      
      1) Don't use userspace datatypes in bridge netfilter code, from
         Tobin Harding.
      
      2) Iterate only once over the expectation table when removing the
         helper module, instead of once per-netns, from Florian Westphal.
      
      3) Extra sanitization in xt_hook_ops_alloc() to return error in case
         we ever pass zero hooks, xt_hook_ops_alloc():
      
      4) Handle NFPROTO_INET from the logging core infrastructure, from
         Liping Zhang.
      
      5) Autoload loggers when TRACE target is used from rules, this doesn't
         change the behaviour in case the user already selected nfnetlink_log
         as preferred way to print tracing logs, also from Liping Zhang.
      
      6) Conntrack slabs with SLAB_HWCACHE_ALIGN to allow rearranging fields
         by cache lines, increases the size of entries in 11% per entry.
         From Florian Westphal.
      
      7) Skip zone comparison if CONFIG_NF_CONNTRACK_ZONES=n, from Florian.
      
      8) Remove useless defensive check in nf_logger_find_get() from Shivani
         Bhardwaj.
      
      9) Remove zone extension as place it in the conntrack object, this is
         always include in the hashing and we expect more intensive use of
         zones since containers are in place. Also from Florian Westphal.
      
      10) Owner match now works from any namespace, from Eric Bierdeman.
      
      11) Make sure we only reply with TCP reset to TCP traffic from
          nf_reject_ipv4, patch from Liping Zhang.
      
      12) Introduce --nflog-size to indicate amount of network packet bytes
          that are copied to userspace via log message, from Vishwanath Pai.
          This obsoletes --nflog-range that has never worked, it was designed
          to achieve this but it has never worked.
      
      13) Introduce generic macros for nf_tables object generation masks.
      
      14) Use generation mask in table, chain and set objects in nf_tables.
          This allows fixes interferences with ongoing preparation phase of
          the commit protocol and object listings going on at the same time.
          This update is introduced in three patches, one per object.
      
      15) Check if the object is active in the next generation for element
          deactivation in the rbtree implementation, given that deactivation
          happens from the commit phase path we have to observe the future
          status of the object.
      
      16) Support for deletion of just added elements in the hash set type.
      
      17) Allow to resize hashtable from /proc entry, not only from the
          obscure /sys entry that maps to the module parameter, from Florian
          Westphal.
      
      18) Get rid of NFT_BASECHAIN_DISABLED, this code is not exercised
          anymore since we tear down the ruleset whenever the netdevice
          goes away.
      
      19) Support for matching inverted set lookups, from Arturo Borrero.
      
      20) Simplify the iptables_mangle_hook() by removing a superfluous
          extra branch.
      
      21) Introduce ether_addr_equal_masked() and use it from the netfilter
          codebase, from Joe Perches.
      
      22) Remove references to "Use netfilter MARK value as routing key"
          from the Netfilter Kconfig description given that this toggle
          doesn't exists already for 10 years, from Moritz Sichert.
      
      23) Introduce generic NF_INVF() and use it from the xtables codebase,
          from Joe Perches.
      
      24) Setting logger to NONE via /proc was not working unless explicit
          nul-termination was included in the string. This fixes seems to
          leave the former behaviour there, so we don't break backward.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae3e4562
    • L
      Merge tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 4cdbbbd1
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes: at this time, we've got a
        slightly high amount, but all small and trivial fixes, and nothing
        scary can be seen there"
      
      * tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (21 commits)
        ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
        ALSA: timer: Fix negative queue usage by racy accesses
        ASoC: rt5645: fix reg-2f default value.
        ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode
        ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
        ALSA: hda - Add PCI ID for Kabylake-H
        ALSA: echoaudio: Fix memory allocation
        ASoC: Intel: atom: fix missing breaks that would cause the wrong operation to execute
        ALSA: hda - fix read before array start
        ASoC: cx20442: set tty->receiver_room in v253_open
        ASoC: ak4613: Enable cache usage to fix crashes on resume
        ASoC: wm8940: Enable cache usage to fix crashes on resume
        ASoC: Intel: Skylake: Initialize module list for Broxton
        ASoC: wm5102: Correct supported channels on trace compressed DAI
        ASoC: wm5110: Add missing route from OUT3R to SYSCLK
        ASoC: rt5670: fix HP Playback Volume control
        ASoC: hdmi-codec: select CONFIG_HDMI
        ASoC: davinci-mcasp: Fix dra7 DMA offset when using CFG port
        ASoC: hdac_hdmi: Fix potential NULL dereference
        ASoC: ak4613: Remove owner assignment from platform_driver
        ...
      4cdbbbd1
    • L
      Merge tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform · 4d0a279c
      Linus Torvalds 提交于
      Pull chrome platform fix from Olof Johansson:
       "A single fix this time, closing a window where ioctl args are fetched
        twice"
      
      * tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform:
        platform/chrome: cros_ec_dev - double fetch bug in ioctl
      4d0a279c
  3. 06 7月, 2016 22 次提交