Commits on Dec 14, 2010
  1. cfg80211: fix extension channel checks to initiate communication

    Luis R. Rodriguez authored Andi Kleen committed
    commit 9236d838c920e90708570d9bbd7bb82d30a38130 upstream.
    
    When operating in a mode that initiates communication and using
    HT40 we should fail if we cannot use both primary and secondary
    channels to initiate communication. Our current ht40 allowmap
    only covers STA mode of operation, for beaconing modes we need
    a check on the fly as the mode of operation is dynamic and
    there are other flags other than disable which we should read
    to check if we can initiate communication.
    
    Do not allow for initiating communication if our secondary HT40
    channel is either disabled, has a passive scan flag, a
    no-ibss flag or is a radar channel. Userspace now has similar
    checks but this is also needed in-kernel.
    
    Reported-by: Jouni Malinen <jouni.malinen@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  2. rds: Integer overflow in RDS cmsg handling

    Dan Rosenberg authored Andi Kleen committed
    commit 218854af84038d828a32f061858b1902ed2beec6 upstream.
    
    In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
    restricted to less than UINT_MAX.  This seems to need a tighter upper
    bound, since the calculation of total iov_size can overflow, resulting
    in a small sock_kmalloc() allocation.  This would probably just result
    in walking off the heap and crashing when calling rds_rdma_pages() with
    a high count value.  If it somehow doesn't crash here, then memory
    corruption could occur soon after.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  3. @philb

    econet: fix CVE-2010-3848

    philb authored Andi Kleen committed
    commit a27e13d370415add3487949c60810e36069a23a6 upstream.
    
    Don't declare variable sized array of iovecs on the stack since this
    could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
    the user-supplied data into a new buffer and use a single iovec for it.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  4. @philb

    econet: fix CVE-2010-3850

    philb authored Andi Kleen committed
    commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.
    
    Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  5. @philb

    econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

    philb authored Andi Kleen committed
    commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
    
    Later parts of econet_sendmsg() rely on saddr != NULL, so return early
    with EINVAL if NULL was passed otherwise an oops may occur.
    
    Signed-off-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  6. x25: Prevent crashing when parsing bad X.25 facilities

    Dan Rosenberg authored Andi Kleen committed
    commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
    
    Now with improved comma support.
    
    On parsing malformed X.25 facilities, decrementing the remaining length
    may cause it to underflow.  Since the length is an unsigned integer,
    this will result in the loop continuing until the kernel crashes.
    
    This patch adds checks to ensure decrementing the remaining length does
    not cause it to wrap around.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  7. @hartkopp

    can-bcm: fix minor heap overflow

    hartkopp authored Andi Kleen committed
    commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
    
    On 64-bit platforms the ASCII representation of a pointer may be up to 17
    bytes long. This patch increases the length of the buffer accordingly.
    
    http://marc.info/?l=linux-netdev&m=128872251418192&w=2
    
    Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    CC: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @davem330

    filter: make sure filters don't read uninitialized memory

    davem330 authored Andi Kleen committed
    commit 57fe93b374a6b8711995c2d466c502af9f3a08bb upstream.
    
    There is a possibility malicious users can get limited information about
    uninitialized stack mem array. Even if sk_run_filter() result is bound
    to packet length (0 .. 65535), we could imagine this can be used by
    hostile user.
    
    Initializing mem[] array, like Dan Rosenberg suggested in his patch is
    expensive since most filters don't even use this array.
    
    It's hard to make the filter validation in sk_chk_filter(), because of
    the jumps. This might be done later.
    
    In this patch, I use a bitmap (a single long var) so that only filters
    using mem[] loads/stores pay the price of added security checks.
    
    For other filters, additional cost is a single instruction.
    
    [ Since we access fentry->k a lot now, cache it in a local variable
      and mark filter entry pointer as const. -DaveM ]
    
    Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  9. @hgn

    net: optimize Berkeley Packet Filter (BPF) processing

    hgn authored Andi Kleen committed
    Gcc is currently unable to optimize the switch statement in
    sk_run_filter() because of dense case labels. This patch replaces the
    OR'd labels with ordered sequenced case labels. The sk_chk_filter()
    function is modified to patch/replace the original OPCODES in an
    ordered but equivalent form. gcc is now able to transform the
    switch statement in sk_run_filter into a jump table of complexity O(1).
    
    Until this patch gcc generates a sequence of conditional branches (O(n)) of 567
    byte .text segment size (arch x86_64):
    
    7ff: 8b 06                 mov    (%rsi),%eax
    801: 66 83 f8 35           cmp    $0x35,%ax
    805: 0f 84 d0 02 00 00     je     adb <sk_run_filter+0x31d>
    80b: 0f 87 07 01 00 00     ja     918 <sk_run_filter+0x15a>
    811: 66 83 f8 15           cmp    $0x15,%ax
    815: 0f 84 c5 02 00 00     je     ae0 <sk_run_filter+0x322>
    81b: 77 73                 ja     890 <sk_run_filter+0xd2>
    81d: 66 83 f8 04           cmp    $0x4,%ax
    821: 0f 84 17 02 00 00     je     a3e <sk_run_filter+0x280>
    827: 77 29                 ja     852 <sk_run_filter+0x94>
    829: 66 83 f8 01           cmp    $0x1,%ax
    [...]
    
    With the modification the compiler translates the switch statement into
    the following jump table fragment:
    
    7ff: 66 83 3e 2c           cmpw   $0x2c,(%rsi)
    803: 0f 87 1f 02 00 00     ja     a28 <sk_run_filter+0x26a>
    809: 0f b7 06              movzwl (%rsi),%eax
    80c: ff 24 c5 00 00 00 00  jmpq   *0x0(,%rax,8)
    813: 44 89 e3              mov    %r12d,%ebx
    816: e9 43 03 00 00        jmpq   b5e <sk_run_filter+0x3a0>
    81b: 41 89 dc              mov    %ebx,%r12d
    81e: e9 3b 03 00 00        jmpq   b5e <sk_run_filter+0x3a0>
    
    Furthermore, I reordered the instructions to reduce cache line misses by
    ordering the most common instructions to the start.
    
    [AK: Added as dependency on next patch]
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  10. @AndrewHendry

    memory corruption in X.25 facilities parsing

    AndrewHendry authored Andi Kleen committed
    commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
    
    Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  11. @davem330

    net: Limit socket I/O iovec total length to INT_MAX.

    davem330 authored Andi Kleen committed
    commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
    
    This helps protect us from overflow issues down in the
    individual protocol sendmsg/recvmsg handlers.  Once
    we hit INT_MAX we truncate out the rest of the iovec
    by setting the iov_len members to zero.
    
    This works because:
    
    1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
       writes are allowed and the application will just continue
       with another write to send the rest of the data.
    
    2) For datagram oriented sockets, where there must be a
       one-to-one correspondence between write() calls and
       packets on the wire, INT_MAX is going to be far larger
       than the packet size limit the protocol is going to
       check for and signal with -EMSGSIZE.
    
    Based upon a patch by Linus Torvalds.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  12. @torvalds

    net: Truncate recvfrom and sendto length to INT_MAX.

    torvalds authored Andi Kleen committed
    commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  13. DECnet: don't leak uninitialized stack byte

    Dan Rosenberg authored Andi Kleen committed
    commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
    
    A single uninitialized padding byte is leaked to userspace.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  14. netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages

    Eric Dumazet authored Andi Kleen committed
    commit 6b1686a71e3158d3c5f125260effce171cc7852b upstream.
    
    commit ea781f1 (use SLAB_DESTROY_BY_RCU and get rid of call_rcu())
    did a mistake in __vmalloc() call in nf_ct_alloc_hashtable().
    
    I forgot to add __GFP_HIGHMEM, so pages were taken from LOWMEM only.
    
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  15. net: NETIF_F_HW_CSUM does not imply FCoE CRC offload

    Ben Hutchings authored Andi Kleen committed
    commit 66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream.
    
    NETIF_F_HW_CSUM indicates the ability to update a TCP/IP-style 16-bit
    checksum with the checksum of an arbitrary part of the packet data,
    whereas the FCoE CRC is something entirely different.
    
    Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  16. @jmberg

    mac80211: delete AddBA response timer

    jmberg authored Andi Kleen committed
    commit 44271488b91c9eecf249e075a1805dd887e222d2 upstream.
    
    We never delete the addBA response timer, which
    is typically fine, but if the station it belongs
    to is deleted very quickly after starting the BA
    session, before the peer had a chance to reply,
    the timer may fire after the station struct has
    been freed already. Therefore, we need to delete
    the timer in a suitable spot -- best when the
    session is being stopped (which will happen even
    then) in which case the delete will be a no-op
    most of the time.
    
    I've reproduced the scenario and tested the fix.
    
    This fixes the crash reported at
    http://mid.gmane.org/4CAB6F96.6090701@candelatech.com
    
    Reported-by: Ben Greear <greearb@candelatech.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  17. @chunkeey

    mac80211: don't sanitize invalid rates

    chunkeey authored Andi Kleen committed
    commit 5f4e6b2d3c74c1adda1cbfd9d9d30da22c7484fc upstream.
    
    I found this bug while poking around with a pure-gn AP.
    
    Commit:
    cfg80211/mac80211: Use more generic bitrate mask for rate control
    
    Added some sanity checks to ensure that each tx rate index
    is included in the configured mask and it would change any
    rate indexes if it wasn't.
    
    But, the current implementation doesn't take into account
    that the invalid rate index "-1" has a special meaning
    (= no further attempts) and it should not be "changed".
    
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  18. mac80211: Fix ibss station got expired immediately

    Rajkumar Manoharan authored Andi Kleen committed
    commit c8716d9dc13c7f6ee92f2bfc6cc3b723b417bff8 upstream.
    
    Station addition in ieee80211_ibss_rx_queued_mgmt is not updating
    sta->last_rx which is causing station expiry in ieee80211_ibss_work
    path. So sta addition and deletion happens repeatedly.
    
    Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  19. mac80211: reset probe send counter upon connection timer reset

    Luis R. Rodriguez authored Andi Kleen committed
    commit 0c699c3a75d4e8d0d2c317f83048d8fd3ffe692a upstream.
    
    Upon beacon loss we send probe requests after 30 seconds of idle
    time and we wait for each probe response 1/2 second. We send a
    total of 3 probe requests before giving up on the AP. In the case
    that we reset the connection idle monitor we should reset the probe
    requests count to 0. Right now this won't help in any way but
    the next patch will.
    
    This patch has fixes for stable kernel [2.6.35+].
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  20. @chunkeey

    mac80211: clear txflags for ps-filtered frames

    chunkeey authored Andi Kleen committed
    commit eb7d3066cf864342e8ae6a5c1126a1602c4d06c0 upstream.
    
    This patch fixes stale mac80211_tx_control_flags for
    filtered / retried frames.
    
    Because ieee80211_handle_filtered_frame feeds skbs back
    into the tx path, they have to be stripped of some tx
    flags so they won't confuse the stack, driver or device.
    
    Acked-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  21. @jmberg

    mac80211: use correct station flags lock

    jmberg authored Andi Kleen committed
    commit f5521b13880f4f4f612e1d20dd4f565122d16e04 upstream.
    
    This code is modifying the station flags, and
    as such should hold the flags lock so it can
    do so atomically vs. other flags modifications
    and readers. This issue was introduced when
    this code was added in eccb8e8, as it used
    the wrong lock (thus not fixing the race that
    was previously documented in a comment.)
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  22. mac80211: disable beacon monitor while going offchannel

    Luis R. Rodriguez authored Andi Kleen committed
    commit 3bc3c0d748402e8c1f31b8569f5924d25d7b8e30 upstream.
    
    The beacon monitor should be disabled when going off channel
    to prevent spurious warnings and triggering connection
    deterioration work such as sending probe requests. Re-enable
    the beacon monitor once we come back to the home channel.
    
    This patch has fixes for stable kernels [2.6.34+].
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  23. mac80211: send last 3/5 probe requests as unicast

    Luis R. Rodriguez authored Andi Kleen committed
    commit f01a067d9e4598c71e3c9ee3a84859d2e8af4f8e upstream.
    
    Some buggy APs do not respond to unicast probe requests
    or send unicast probe requests very delayed so in the
    worst case we should try to send broadcast probe requests,
    otherwise we can get disconnected from these APs.
    
    Even if drivers do not have filters to disregard probe
    responses from foreign APs mac80211 will only process
    probe responses from our associated AP for re-arming
    connection monitoring.
    
    We need to do this since the beacon monitor does not
    push back the connection monitor by design so even if we
    are getting beacons from these type of APs our connection
    monitor currently relies heavily on the way the probe
    requests are received on the AP. An example of an AP
    affected by this is the Nexus One, but this has also been
    observed with random APs.
    
    We can probably optimize this later by using null funcs
    instead of probe requests.
    
    For more details refer to:
    
    http://code.google.com/p/chromium-os/issues/detail?id=5715
    
    This patch has fixes for stable kernels [2.6.35+].
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  24. mac80211: make the beacon monitor available externally

    Luis R. Rodriguez authored Andi Kleen committed
    commit d3a910a8e4e846b9a767d35483f4dc7c6de7af82 upstream.
    
    This will be used by other components next. The beacon
    monitor was added as of 2.6.34 so these fixes are applicable
    only to kernels >= 2.6.34.
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  25. mac80211: reset connection idle when going offchannel

    Luis R. Rodriguez authored Andi Kleen committed
    commit 4730d5977f3e12b828d354f7752cffd94bdf39e5 upstream.
    
    When we go offchannel mac80211 currently leaves alive the
    connection idle monitor. This should be instead postponed
    until we come back to our home channel, otherwise by the
    time we get back to the home channel we could be triggering
    unnecessary probe requests. For APs that do not respond to
    unicast probe requests (Nexus One is a simple example) this
    means we essentially get disconnected after the probes
    fail.
    
    This patch has stable fixes for kernels [2.6.35+]
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  26. mac80211: add helper for resetting the connection monitor

    Luis R. Rodriguez authored Andi Kleen committed
    commit be099e82e9cf6d5d65d044e9ef6fc8bee3c7a113 upstream.
    
    This will be used in another place later. The connection
    monitor was added as of 2.6.35 so these fixes will be
    applicable to >= 2.6.35.
    
    Cc: Paul Stewart <pstew@google.com>
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  27. @jmalinen

    mac80211: Fix signal strength average initialization for CQM events

    jmalinen authored Andi Kleen committed
    commit 3ba06c6fbd651ed3377e584026d1c112b492cc8b upstream.
    
    The ave_beacon_signal value uses 1/16 dB unit and as such, must be
    initialized with the signal level of the first Beacon frame multiplied
    by 16. This fixes an issue where the initial CQM events are reported
    incorrectly with a burst of events while the running average
    approaches the correct value after the incorrect initialization. This
    could cause the user-space-based roaming decision process to get quite
    confused at the moment when we would like to go through authentication
    and DHCP.
    
    Signed-off-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  28. mac80211: fix offchannel assumption upon association

    Luis R. Rodriguez authored Andi Kleen committed
    commit 8d4780eb1ece4e8109b4f6b2e5e61f7fc593c3f4 upstream.
    
    Association is dealt with as an atomic offchannel operation,
    we do this because we don't know we are associated until we
    get the association response from the AP. When we do get the
    association response though we were never clearing the offchannel
    state. This has a few implications, we told drivers we were
    still offchannel, and the first configured TX power for the
    channel does not take into account any power constraints.
    
    For ath9k this meant ANI calibration would not start upon
    association, and we'd have to wait until the first bgscan
    to be triggered. There may be other issues this resolves
    but I'm too lazy to comb the code to check.
    
    Cc: Amod Bodas <amod.bodas@atheros.com>
    Cc: Vasanth Thiagarajan <vasanth.thiagarajan@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  29. mac80211: fix channel assumption for association done work

    Luis R. Rodriguez authored Andi Kleen committed
    commit e7480bbb926c5816e4fbfca70748096bbe0e4978 upstream.
    
    Be consistent and use the wk->chan instead of the
    local->hw.conf.channel for the association done work.
    This prevents any possible races against channel changes
    while we run this work.
    
    In the case that the race did happen we would be initializing
    the bit rates for the new AP under the assumption of a wrong
    channel and in the worst case, wrong band. This could lead
    to trying to assume we could use CCK frames on 5 GHz, for
    example.
    
    This patch has a fix for kernels >= v2.6.34
    
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  30. cfg80211: fix regression on processing country IEs

    Luis R. Rodriguez authored Andi Kleen committed
    commit a171fba491f54216e356efa46096171a7ed01d10 upstream.
    
    The patch 4f366c5:
    
    	wireless: only use alpha2 regulatory information from country IE
    
    removed some complex intersection we were always doing between the AP's
    country IE info and what we got from CRDA. When CRDA sent us back a
    regulatory domain we would do some sanity checks on that regulatory
    domain response we just got. Part of these sanity checks included
    checking that we already had performed an intersection for the
    request of NL80211_REGDOM_SET_BY_COUNTRY_IE type.
    
    This meant that cfg80211 was only processing country IEs for cases
    where we already had an intersection, but since we removed enforcing
    this, this is no longer required; we should just apply the country
    IE country hint with the data received from CRDA.
    
    This patch has fixes intended for kernels >= 2.6.36.
    [AK: it seems to be needed for .35 too?? Kept for now]
    
    Reported-by: Easwar Krishnan <easwar.krishnan@atheros.com>
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  31. @jmberg

    cfg80211: fix locking

    jmberg authored Andi Kleen committed
    commit 2234362c427e2ef667595b9b81c0125003ac5607 upstream.
    
    Add missing unlocking of the wiphy in set_channel,
    and don't try to unlock a non-existing wiphy in
    set_cqm.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  32. @jmberg

    cfg80211: fix BSS double-unlinking

    jmberg authored Andi Kleen committed
    commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.
    
    When multiple interfaces are actively trying
    to associate with the same BSS, they may both
    find that the BSS isn't there and then try to
    unlink it. This can cause errors since the
    unlinking code can't currently deal with items
    that have already been unlinked.
    
    Normally this doesn't happen as most people
    don't try to use multiple station interfaces
    that associate at the same time too.
    
    Fix this by using the list entry as a flag to
    see if the item is still on a list.
    
    Reported-by: Ben Greear <greearb@candelatech.com>
    Tested-by: Hun-Kyi Wynn <hkwynn@candelatech.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  33. @sameo

    irda: Fix heap memory corruption in iriap.c

    sameo authored Andi Kleen committed
    commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
    
    While parsing the GetValuebyClass command frame, we could potentially write
    past the skb->data pointer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
  34. @sameo

    irda: Fix parameter extraction stack overflow

    sameo authored Andi Kleen committed
    commit efc463eb508798da4243625b08c7396462cabf9f upstream.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
Commits on Nov 22, 2010
  1. @eparis @gregkh

    secmark: do not return early if there was no error

    eparis authored gregkh committed
    commit 15714f7b58011cf3948cab2988abea560240c74f upstream.
    
    Commit 4a5a5c7 attempted to pass decent error messages back to userspace for
    netfilter errors.  In xt_SECMARK.c however the patch screwed up and returned
    on 0 (aka no error) early and didn't finish setting up secmark.  This results
    in a kernel BUG if you use SECMARK.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Acked-by: Paul Moore <paul.moore@hp.com>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>