Commit Graph

270404 Commits

Author SHA1 Message Date
Tommi Rantala
55fdb80050 sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
[ Upstream commit 6e51fe7572 ]

Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;
 }

We get -ENOMEM:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)

Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)

Noticed while running Trinity (the syscall fuzzer).

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-11 09:03:35 -08:00
Tommi Rantala
e620776f6c sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
[ Upstream commit be364c8c0f ]

Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing an invalid
user space pointer in the second argument:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
 {
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("127.0.0.1");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;
 }

As far as I can tell, the leak has been around since ~2003.

Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-11 09:03:35 -08:00
nikolay@redhat.com
cefbc05835 bonding: fix race condition in bonding_store_slaves_active
[ Upstream commit e196c0e579 ]

Race between bonding_store_slaves_active() and slave manipulation
 functions. The bond_for_each_slave use in bonding_store_slaves_active()
 is not protected by any synchronization mechanism.
 NULL pointer dereference is easy to reach.
 Fixed by acquiring the bond->lock for the slave walk.

 v2: Make description text < 75 columns

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-11 09:03:35 -08:00
Sarveshwar Bandi
a8695e1c80 bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices.
[ Upstream commit 0e376bd0b7 ]

Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach.

Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-11 09:03:34 -08:00
chenxing
124c1f31f9 rk3188: update soft rst macro 2013-01-11 18:37:48 +08:00
chenxing
0104b7a12a rk3188: add clock_data, but not compiled 2013-01-11 17:34:15 +08:00
zyc
0d7e7d236f camera:fix regulator_disable(ldo_28) executing warnings 2013-01-11 14:52:29 +08:00
zyc
a513fce3a2 camera: modify mv9335 autofocus logic. 2013-01-11 15:10:01 +08:00
XieKedi
fb04ada114 fixes problem in setting bl_pwm output freq 20K
last commit is 9aeb6ccfc7
2013-01-11 14:30:04 +08:00
kfx
9aeb6ccfc7 rk3168: ds1006h: set bl_pwm output freq 20K 2013-01-10 17:56:49 +08:00
zyc
50e9c2909f camera: add mv9335+ov56550 driver, version updated to 0.2.0x1e. 2013-01-10 14:25:40 +08:00
黄涛
f34744a8a9 pack-kernel.sh: fix for rk3066b and exclude rk3188 2013-01-10 11:07:05 +08:00
xbw
199bbc1662 RK3168: add gpio for MT5931_MT6622 2013-01-10 10:34:09 +08:00
邱建斌
eb9517c662 rk610: add rk3188 support 2013-01-10 10:17:06 +08:00
yxj
d57359e6a8 board LR097:sync from sdk 2013-01-09 13:51:46 +08:00
yxj
ba301913b0 display transmitter:edp anx9804 anx9805 anx6345 support 2013-01-09 12:23:10 +08:00
黄涛
88c809fe6e rk3188: initial support 2013-01-09 11:08:02 +08:00
黄涛
f36ca38760 rk: add ddr_get_cap to ddr.h 2013-01-09 11:04:27 +08:00
黄涛
d103823b51 rk: add debug_uart.h 2013-01-09 11:04:27 +08:00
黄涛
83ff0af39d rk30: add debug_uart.h 2013-01-09 11:04:27 +08:00
黄涛
12ae803e30 rk2928: add debug_uart.h 2013-01-09 11:04:26 +08:00
黄涛
4ef3571689 sound: rk29: simplify Makefile, snd-soc-rockchip-i2s-objs default is rk30_i2s.o 2013-01-09 11:04:26 +08:00
黄涛
f8e76c325e rk3066b: pmu.h: add PMU_GPIO0_CON define 2013-01-09 11:04:26 +08:00
黄涛
e0a524312d rk: board.h: move more define to plat 2013-01-09 10:57:15 +08:00
hxy
77878fab4b rk3168: enable rtc 32K clock out in shut down 2013-01-09 10:51:52 +08:00
hxy
80e3280652 rk3168: enable rtc 32K clock out in shut down 2013-01-09 10:45:09 +08:00
yzq
411635c3fc rk610:fix rk30 board macro config 2013-01-09 09:48:35 +08:00
hwg
72f408e9f2 wifi: update mt5931 driver to 2.04 2013-01-08 23:58:31 +08:00
hwg
95258f1876 wifi: support rk3066 mtk 5931 6622 15x15 modules power control 2013-01-08 23:38:52 +08:00
hwg
ea852b6fbb wifi: support rk2928 mtk 5931 6622 15x15 modules bt power control 2013-01-08 23:05:57 +08:00
hwg
43c0e30954 wifi: support rk2928 mtk 5931 6622 15x15 modules power control 2013-01-08 23:01:44 +08:00
kfx
a049c5cc06 rk3168:ds1006h:lcd: transmitter: select CONFIG_RK610_LVDS 2013-01-08 18:27:00 +08:00
kfx
8deea53642 i2c: check_idle: gpio_free 2013-01-08 17:18:46 +08:00
kfx
1d5b1aa60c i2c: use new iomux api 2013-01-08 17:05:59 +08:00
黄涛
a0533e2189 rk: gpio: fix GPIOPullType define and no clear FLAG_IS_OUT when pull updown 2013-01-08 11:27:35 +08:00
黄涛
e23fcf37d3 gpio-rk30: fix pull updown setup 2013-01-08 11:27:35 +08:00
chenxing
c99ed0e7d0 rk30xx: dvfs enable clk do not set voltage 2013-01-07 19:35:53 +08:00
kfx
da94d78f22 iomux: fixed bug: gpio_to_mode 2013-01-07 09:40:24 +08:00
yxj
d28e03369e display transmitter Kconfig: modify for platform which does not need display transmitter driver 2013-01-06 21:09:31 +08:00
yxj
05e720bd70 LR097 defconfig:add tp ct36x support 2013-01-06 21:01:39 +08:00
yxj
c144ebdb5c rkfb:load screen in rk_fb_open 2013-01-06 20:55:57 +08:00
yxj
af581b2d17 hd screen LP097Qx1: max resolution supported on rk3066b is 2047 2013-01-06 20:53:05 +08:00
yxj
ab958ad5c4 edp anx9804: do not need to set register 0x70:0x82 0x72:0xe2 2013-01-06 20:46:17 +08:00
yxj
510c189c07 edp anx9804:add debug fs 2013-01-06 20:30:23 +08:00
yxj
0b9e8a2bf0 rk3066b lcdc: add dump display info support 2013-01-06 20:30:23 +08:00
yxj
99ecd51af8 board LR097:add touch screen ct363 2013-01-06 20:30:22 +08:00
黄涛
44621b3014 rk: move more gpio defines to plat 2013-01-06 16:01:59 +08:00
chenxing
b8a0c8e3f2 rk2928: fix too many usb hub irqs when changing frequency 2013-01-06 14:24:35 +08:00
黄涛
11900c817c rk30: gpio: pin base linear 2013-01-06 14:19:48 +08:00
黄涛
0c2ef6f278 adc: core: better init adc_host_head 2013-01-06 14:13:48 +08:00