Linux v3.18-rc4-184-gb23dc5a7cc6e
This commit is contained in:
parent
4afc32034d
commit
5d76b33ba4
@ -19,7 +19,7 @@ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|||||||
4 files changed, 10 insertions(+)
|
4 files changed, 10 insertions(+)
|
||||||
|
|
||||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||||
index 73bd9e2e42bc..e94afcc19eda 100644
|
index 3402033fa52a..3d3820ecaa49 100644
|
||||||
--- a/drivers/hid/hid-core.c
|
--- a/drivers/hid/hid-core.c
|
||||||
+++ b/drivers/hid/hid-core.c
|
+++ b/drivers/hid/hid-core.c
|
||||||
@@ -702,6 +702,11 @@ static void hid_scan_collection(struct hid_parser *parser, unsigned type)
|
@@ -702,6 +702,11 @@ static void hid_scan_collection(struct hid_parser *parser, unsigned type)
|
||||||
@ -34,7 +34,7 @@ index 73bd9e2e42bc..e94afcc19eda 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
|
static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
|
||||||
@@ -1861,6 +1866,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
|
@@ -1862,6 +1867,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
|
||||||
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_DIGITAL_MEDIA_3K) },
|
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_DIGITAL_MEDIA_3K) },
|
||||||
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_WIRELESS_OPTICAL_DESKTOP_3_0) },
|
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_WIRELESS_OPTICAL_DESKTOP_3_0) },
|
||||||
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_OFFICE_KB) },
|
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_OFFICE_KB) },
|
||||||
@ -43,10 +43,10 @@ index 73bd9e2e42bc..e94afcc19eda 100644
|
|||||||
{ HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) },
|
{ HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) },
|
||||||
{ HID_USB_DEVICE(USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_TOUCH_SCREEN) },
|
{ HID_USB_DEVICE(USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_TOUCH_SCREEN) },
|
||||||
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
|
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
|
||||||
index e23ab8b30626..15f32c22178c 100644
|
index 7c863738e419..ab562f41c00c 100644
|
||||||
--- a/drivers/hid/hid-ids.h
|
--- a/drivers/hid/hid-ids.h
|
||||||
+++ b/drivers/hid/hid-ids.h
|
+++ b/drivers/hid/hid-ids.h
|
||||||
@@ -648,6 +648,7 @@
|
@@ -649,6 +649,7 @@
|
||||||
#define USB_DEVICE_ID_MS_SURFACE_PRO_2 0x0799
|
#define USB_DEVICE_ID_MS_SURFACE_PRO_2 0x0799
|
||||||
#define USB_DEVICE_ID_MS_TOUCH_COVER_2 0x07a7
|
#define USB_DEVICE_ID_MS_TOUCH_COVER_2 0x07a7
|
||||||
#define USB_DEVICE_ID_MS_TYPE_COVER_2 0x07a9
|
#define USB_DEVICE_ID_MS_TYPE_COVER_2 0x07a9
|
||||||
@ -68,10 +68,10 @@ index 8ba17a946f2a..cacda43f6a6f 100644
|
|||||||
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PRESENTER_8K_BT),
|
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PRESENTER_8K_BT),
|
||||||
.driver_data = MS_PRESENTER },
|
.driver_data = MS_PRESENTER },
|
||||||
diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
|
diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
|
||||||
index 5014bb567b29..cebfaf288bd3 100644
|
index 552671ee7c5d..41814fced1cc 100644
|
||||||
--- a/drivers/hid/usbhid/hid-quirks.c
|
--- a/drivers/hid/usbhid/hid-quirks.c
|
||||||
+++ b/drivers/hid/usbhid/hid-quirks.c
|
+++ b/drivers/hid/usbhid/hid-quirks.c
|
||||||
@@ -77,6 +77,7 @@ static const struct hid_blacklist {
|
@@ -78,6 +78,7 @@ static const struct hid_blacklist {
|
||||||
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
|
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
|
||||||
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
|
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
|
||||||
{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
|
{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
|
||||||
|
@ -21,7 +21,7 @@ Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|||||||
create mode 100644 drivers/input/touchscreen/goodix.c
|
create mode 100644 drivers/input/touchscreen/goodix.c
|
||||||
|
|
||||||
diff --git a/MAINTAINERS b/MAINTAINERS
|
diff --git a/MAINTAINERS b/MAINTAINERS
|
||||||
index ea4d0058fd1b..b9fb1cdad014 100644
|
index 60b1163dba28..ec5ae9692f7c 100644
|
||||||
--- a/MAINTAINERS
|
--- a/MAINTAINERS
|
||||||
+++ b/MAINTAINERS
|
+++ b/MAINTAINERS
|
||||||
@@ -4140,6 +4140,12 @@ L: linux-media@vger.kernel.org
|
@@ -4140,6 +4140,12 @@ L: linux-media@vger.kernel.org
|
||||||
|
@ -91,28 +91,6 @@ Date: Mon Nov 10 16:31:05 2014 -0500
|
|||||||
|
|
||||||
Signed-off-by: Mark Salter <msalter@redhat.com>
|
Signed-off-by: Mark Salter <msalter@redhat.com>
|
||||||
|
|
||||||
commit ae7850d2b972ee1258878ccc16824aba9d35b653
|
|
||||||
Author: Guenter Roeck <linux@roeck-us.net>
|
|
||||||
Date: Sun Nov 2 18:19:15 2014 -0800
|
|
||||||
|
|
||||||
netfilter: nft_reject_bridge: Fix powerpc build error
|
|
||||||
|
|
||||||
Fix:
|
|
||||||
net/bridge/netfilter/nft_reject_bridge.c:
|
|
||||||
In function 'nft_reject_br_send_v6_unreach':
|
|
||||||
net/bridge/netfilter/nft_reject_bridge.c:240:3:
|
|
||||||
error: implicit declaration of function 'csum_ipv6_magic'
|
|
||||||
csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr,
|
|
||||||
^
|
|
||||||
make[3]: *** [net/bridge/netfilter/nft_reject_bridge.o] Error 1
|
|
||||||
|
|
||||||
Seen with powerpc:allmodconfig.
|
|
||||||
|
|
||||||
Fixes: 523b929d5446 ("netfilter: nft_reject_bridge: don't use IP stack to reject traffic")
|
|
||||||
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
|
|
||||||
commit e2992498e4b2aad3ceac52bfb6faccfd18332236
|
commit e2992498e4b2aad3ceac52bfb6faccfd18332236
|
||||||
Author: Mark Salter <msalter@redhat.com>
|
Author: Mark Salter <msalter@redhat.com>
|
||||||
Date: Mon Nov 10 21:35:11 2014 -0500
|
Date: Mon Nov 10 21:35:11 2014 -0500
|
||||||
@ -1867,7 +1845,6 @@ Date: Wed Oct 8 16:11:27 2014 +0200
|
|||||||
include/linux/of.h | 34 +
|
include/linux/of.h | 34 +
|
||||||
include/linux/pci.h | 37 +-
|
include/linux/pci.h | 37 +-
|
||||||
include/linux/property.h | 143 +++++
|
include/linux/property.h | 143 +++++
|
||||||
net/bridge/netfilter/nft_reject_bridge.c | 1 +
|
|
||||||
net/rfkill/rfkill-gpio.c | 18 +-
|
net/rfkill/rfkill-gpio.c | 18 +-
|
||||||
virt/kvm/arm/arch_timer.c | 108 ++--
|
virt/kvm/arm/arch_timer.c | 108 ++--
|
||||||
virt/kvm/arm/vgic-v2.c | 75 ++-
|
virt/kvm/arm/vgic-v2.c | 75 ++-
|
||||||
@ -9793,12 +9770,12 @@ index 789957d..59498eb 100644
|
|||||||
/* Timestamp support */
|
/* Timestamp support */
|
||||||
spinlock_t tstamp_lock;
|
spinlock_t tstamp_lock;
|
||||||
diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
||||||
index 63ea194..bb059b4 100644
|
index 7ba83ffb08ac..3abbbd492a2c 100644
|
||||||
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
||||||
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
|
||||||
@@ -579,9 +579,11 @@ static void xgene_enet_reset(struct xgene_enet_pdata *pdata)
|
@@ -593,9 +593,11 @@ static int xgene_enet_reset(struct xgene_enet_pdata *pdata)
|
||||||
{
|
if (!xgene_ring_mgr_init(pdata))
|
||||||
u32 val;
|
return -ENODEV;
|
||||||
|
|
||||||
- clk_prepare_enable(pdata->clk);
|
- clk_prepare_enable(pdata->clk);
|
||||||
- clk_disable_unprepare(pdata->clk);
|
- clk_disable_unprepare(pdata->clk);
|
||||||
@ -9811,7 +9788,7 @@ index 63ea194..bb059b4 100644
|
|||||||
xgene_enet_ecc_init(pdata);
|
xgene_enet_ecc_init(pdata);
|
||||||
xgene_enet_config_ring_if_assoc(pdata);
|
xgene_enet_config_ring_if_assoc(pdata);
|
||||||
|
|
||||||
@@ -647,15 +649,20 @@ static int xgene_enet_phy_connect(struct net_device *ndev)
|
@@ -663,15 +665,21 @@ static int xgene_enet_phy_connect(struct net_device *ndev)
|
||||||
struct phy_device *phy_dev;
|
struct phy_device *phy_dev;
|
||||||
struct device *dev = &pdata->pdev->dev;
|
struct device *dev = &pdata->pdev->dev;
|
||||||
|
|
||||||
@ -9822,7 +9799,7 @@ index 63ea194..bb059b4 100644
|
|||||||
+ if (dev->of_node) {
|
+ if (dev->of_node) {
|
||||||
+ phy_np = of_parse_phandle(dev->of_node, "phy-handle", 0);
|
+ phy_np = of_parse_phandle(dev->of_node, "phy-handle", 0);
|
||||||
+ if (!phy_np) {
|
+ if (!phy_np) {
|
||||||
+ netdev_dbg(ndev, "No phy-handle found in DT\n");
|
+ netdev_dbg(ndev, "No phy-handle found\n");
|
||||||
+ return -ENODEV;
|
+ return -ENODEV;
|
||||||
+ }
|
+ }
|
||||||
+ pdata->phy_dev = of_phy_find_device(phy_np);
|
+ pdata->phy_dev = of_phy_find_device(phy_np);
|
||||||
@ -9836,10 +9813,11 @@ index 63ea194..bb059b4 100644
|
|||||||
+ if (phy_dev == NULL ||
|
+ if (phy_dev == NULL ||
|
||||||
+ phy_connect_direct(ndev, phy_dev, &xgene_enet_adjust_link,
|
+ phy_connect_direct(ndev, phy_dev, &xgene_enet_adjust_link,
|
||||||
+ pdata->phy_mode)) {
|
+ pdata->phy_mode)) {
|
||||||
|
+ 0, pdata->phy_mode);
|
||||||
netdev_err(ndev, "Could not connect to PHY\n");
|
netdev_err(ndev, "Could not connect to PHY\n");
|
||||||
return -ENODEV;
|
return -ENODEV;
|
||||||
}
|
}
|
||||||
@@ -665,11 +672,52 @@ static int xgene_enet_phy_connect(struct net_device *ndev)
|
@@ -681,11 +689,52 @@ static int xgene_enet_phy_connect(struct net_device *ndev)
|
||||||
~SUPPORTED_100baseT_Half &
|
~SUPPORTED_100baseT_Half &
|
||||||
~SUPPORTED_1000baseT_Half;
|
~SUPPORTED_1000baseT_Half;
|
||||||
phy_dev->advertising = phy_dev->supported;
|
phy_dev->advertising = phy_dev->supported;
|
||||||
@ -9893,7 +9871,7 @@ index 63ea194..bb059b4 100644
|
|||||||
int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
||||||
{
|
{
|
||||||
struct net_device *ndev = pdata->ndev;
|
struct net_device *ndev = pdata->ndev;
|
||||||
@@ -686,7 +734,7 @@ int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
@@ -702,7 +751,7 @@ int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -9902,7 +9880,7 @@ index 63ea194..bb059b4 100644
|
|||||||
netdev_dbg(ndev, "No mdio node in the dts\n");
|
netdev_dbg(ndev, "No mdio node in the dts\n");
|
||||||
return -ENXIO;
|
return -ENXIO;
|
||||||
}
|
}
|
||||||
@@ -704,7 +752,10 @@ int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
@@ -720,7 +769,10 @@ int xgene_enet_mdio_config(struct xgene_enet_pdata *pdata)
|
||||||
mdio_bus->priv = pdata;
|
mdio_bus->priv = pdata;
|
||||||
mdio_bus->parent = &ndev->dev;
|
mdio_bus->parent = &ndev->dev;
|
||||||
|
|
||||||
@ -12810,16 +12788,6 @@ index 0000000..a6a3d98
|
|||||||
+#endif /* _LINUX_PROPERTY_H_ */
|
+#endif /* _LINUX_PROPERTY_H_ */
|
||||||
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
|
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
|
||||||
index 654c901..48da2c5 100644
|
index 654c901..48da2c5 100644
|
||||||
--- a/net/bridge/netfilter/nft_reject_bridge.c
|
|
||||||
+++ b/net/bridge/netfilter/nft_reject_bridge.c
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
#include <net/netfilter/ipv6/nf_reject.h>
|
|
||||||
#include <linux/ip.h>
|
|
||||||
#include <net/ip.h>
|
|
||||||
+#include <net/ip6_checksum.h>
|
|
||||||
#include <linux/netfilter_bridge.h>
|
|
||||||
#include "../br_private.h"
|
|
||||||
|
|
||||||
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
|
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
|
||||||
index 0f62326..2a47179 100644
|
index 0f62326..2a47179 100644
|
||||||
--- a/net/rfkill/rfkill-gpio.c
|
--- a/net/rfkill/rfkill-gpio.c
|
||||||
|
15
kernel.spec
15
kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
|
|||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 4
|
%define rcrev 4
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 1
|
%define gitrev 2
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 3.%{upstream_sublevel}.0
|
%define rpmversion 3.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -602,8 +602,6 @@ Patch22000: weird-root-dentry-name-debug.patch
|
|||||||
# Patch series from Hans for various backlight and platform driver fixes
|
# Patch series from Hans for various backlight and platform driver fixes
|
||||||
Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||||
|
|
||||||
Patch26057: virtio_console-move-early-VQ-enablement.patch
|
|
||||||
|
|
||||||
Patch26058: asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
Patch26058: asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
||||||
|
|
||||||
#rhbz 1111138
|
#rhbz 1111138
|
||||||
@ -619,9 +617,6 @@ Patch26065: sched-Remove-lockdep-check-in-sched_move_task.patch
|
|||||||
#rhbz 1161805
|
#rhbz 1161805
|
||||||
Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
||||||
|
|
||||||
#CVE-2014-7841 rhbz 1163087 1163095
|
|
||||||
Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
|
||||||
|
|
||||||
#CVE-2014-7843 rhbz 1163744 1163745
|
#CVE-2014-7843 rhbz 1163744 1163745
|
||||||
Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
|
Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
|
||||||
|
|
||||||
@ -1339,8 +1334,6 @@ ApplyPatch ath9k-rx-dma-stop-check.patch
|
|||||||
# Patch series from Hans for various backlight and platform driver fixes
|
# Patch series from Hans for various backlight and platform driver fixes
|
||||||
ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||||
|
|
||||||
ApplyPatch virtio_console-move-early-VQ-enablement.patch
|
|
||||||
|
|
||||||
ApplyPatch asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
ApplyPatch asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
|
||||||
|
|
||||||
#rhbz 1111138
|
#rhbz 1111138
|
||||||
@ -1356,9 +1349,6 @@ ApplyPatch sched-Remove-lockdep-check-in-sched_move_task.patch
|
|||||||
#rhbz 1161805
|
#rhbz 1161805
|
||||||
ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
||||||
|
|
||||||
#CVE-2014-7841 rhbz 1163087 1163095
|
|
||||||
ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
|
||||||
|
|
||||||
#CVE-2014-7843 rhbz 1163744 1163745
|
#CVE-2014-7843 rhbz 1163744 1163745
|
||||||
ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
|
ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
|
||||||
|
|
||||||
@ -2233,6 +2223,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 14 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-0.rc4.git2.1
|
||||||
|
- Linux v3.18-rc4-184-gb23dc5a7cc6e
|
||||||
|
|
||||||
* Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
* Thu Nov 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
- Add patch for MS Surface Pro 3 Type Cover (rhbz 1135338)
|
- Add patch for MS Surface Pro 3 Type Cover (rhbz 1135338)
|
||||||
- CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
|
- CVE-2014-7843 aarch64: copying from /dev/zero causes local DoS (rhbz 1163744 1163745)
|
||||||
|
@ -1,77 +0,0 @@
|
|||||||
From: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
Date: Mon, 10 Nov 2014 17:54:26 +0100
|
|
||||||
Subject: [PATCH] net: sctp: fix NULL pointer dereference in
|
|
||||||
af->from_addr_param on malformed packet
|
|
||||||
|
|
||||||
An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
|
|
||||||
in the form of:
|
|
||||||
|
|
||||||
------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
|
|
||||||
|
|
||||||
While the INIT chunk parameter verification dissects through many things
|
|
||||||
in order to detect malformed input, it misses to actually check parameters
|
|
||||||
inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
|
|
||||||
IP address' parameter in ASCONF, which has as a subparameter an address
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
|
|
||||||
or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
|
|
||||||
and thus sctp_get_af_specific() returns NULL, too, which we then happily
|
|
||||||
dereference unconditionally through af->from_addr_param().
|
|
||||||
|
|
||||||
The trace for the log:
|
|
||||||
|
|
||||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
|
|
||||||
IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
|
|
||||||
PGD 0
|
|
||||||
Oops: 0000 [#1] SMP
|
|
||||||
[...]
|
|
||||||
Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
|
|
||||||
RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
|
|
||||||
[...]
|
|
||||||
Call Trace:
|
|
||||||
<IRQ>
|
|
||||||
[<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
|
|
||||||
[<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
|
|
||||||
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
|
|
||||||
[<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
|
|
||||||
[<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
|
|
||||||
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
|
|
||||||
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
|
|
||||||
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
|
|
||||||
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
|
|
||||||
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
|
|
||||||
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
|
|
||||||
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
|
|
||||||
[...]
|
|
||||||
|
|
||||||
A minimal way to address this is to check for NULL as we do on all
|
|
||||||
other such occasions where we know sctp_get_af_specific() could
|
|
||||||
possibly return with NULL.
|
|
||||||
|
|
||||||
Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
|
|
||||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
Cc: Vlad Yasevich <vyasevich@gmail.com>
|
|
||||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
net/sctp/sm_make_chunk.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
|
|
||||||
index ab734be8cb20..9f32741abb1c 100644
|
|
||||||
--- a/net/sctp/sm_make_chunk.c
|
|
||||||
+++ b/net/sctp/sm_make_chunk.c
|
|
||||||
@@ -2609,6 +2609,9 @@ do_addr_param:
|
|
||||||
addr_param = param.v + sizeof(sctp_addip_param_t);
|
|
||||||
|
|
||||||
af = sctp_get_af_specific(param_type2af(param.p->type));
|
|
||||||
+ if (af == NULL)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
af->from_addr_param(&addr, addr_param,
|
|
||||||
htons(asoc->peer.port), 0);
|
|
||||||
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
2
sources
2
sources
@ -1,4 +1,4 @@
|
|||||||
fb30d0f29214d75cddd2faa94f73d5cf linux-3.17.tar.xz
|
fb30d0f29214d75cddd2faa94f73d5cf linux-3.17.tar.xz
|
||||||
159e969cbc27201d8e2fa0f609dc722f perf-man-3.17.tar.gz
|
159e969cbc27201d8e2fa0f609dc722f perf-man-3.17.tar.gz
|
||||||
587ecff959eff7392c4977c513580f44 patch-3.18-rc4.xz
|
587ecff959eff7392c4977c513580f44 patch-3.18-rc4.xz
|
||||||
07fdfa90e4a01192e10f802dcb810d4d patch-3.18-rc4-git1.xz
|
eaaef1d4eaf53e64e5b54c12f5dcdf0b patch-3.18-rc4-git2.xz
|
||||||
|
@ -1,46 +0,0 @@
|
|||||||
From: Cornelia Huck <cornelia.huck@de.ibm.com>
|
|
||||||
Date: Mon, 20 Oct 2014 15:58:49 +0200
|
|
||||||
Subject: [PATCH] virtio_console: move early VQ enablement
|
|
||||||
|
|
||||||
Commit f5866db6 (virtio_console: enable VQs early) tried to make
|
|
||||||
sure that DRIVER_OK was set when virtio_console started using its
|
|
||||||
virtqueues. Doing this in add_port(), however, means that we try
|
|
||||||
to set DRIVER_OK again when when a port is dynamically added after
|
|
||||||
the probe function is done.
|
|
||||||
|
|
||||||
Let's move virtio_device_ready() to the probe function just before
|
|
||||||
trying to use the virtqueues instead. This is fine as nothing can
|
|
||||||
fail inbetween.
|
|
||||||
|
|
||||||
Reported-by: Thomas Graf <tgraf@suug.ch>
|
|
||||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
|
|
||||||
---
|
|
||||||
drivers/char/virtio_console.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
|
|
||||||
index bfa640023e64..cf7a561fad7c 100644
|
|
||||||
--- a/drivers/char/virtio_console.c
|
|
||||||
+++ b/drivers/char/virtio_console.c
|
|
||||||
@@ -1449,8 +1449,6 @@ static int add_port(struct ports_device *portdev, u32 id)
|
|
||||||
spin_lock_init(&port->outvq_lock);
|
|
||||||
init_waitqueue_head(&port->waitqueue);
|
|
||||||
|
|
||||||
- virtio_device_ready(portdev->vdev);
|
|
||||||
-
|
|
||||||
/* Fill the in_vq with buffers so the host can send us data. */
|
|
||||||
nr_added_bufs = fill_queue(port->in_vq, &port->inbuf_lock);
|
|
||||||
if (!nr_added_bufs) {
|
|
||||||
@@ -2026,6 +2024,8 @@ static int virtcons_probe(struct virtio_device *vdev)
|
|
||||||
spin_lock_init(&portdev->ports_lock);
|
|
||||||
INIT_LIST_HEAD(&portdev->ports);
|
|
||||||
|
|
||||||
+ virtio_device_ready(portdev->vdev);
|
|
||||||
+
|
|
||||||
if (multiport) {
|
|
||||||
unsigned int nr_added_bufs;
|
|
||||||
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user