lwn.git/net/ax25, branch v4.8-rc3

AX.25: Close socket connection on session completion

2016-06-19T03:55:34+00:00

A socket connection made in ax.25 is not closed when session is completed. The heartbeat timer is stopped prematurely and this is where the socket gets closed. Allow heatbeat timer to run to close socket. Symptom occurs in kernels >= 4.2.0 Originally sent 6/15/2016. Resend with distribution list matching scripts/maintainer.pl output. Signed-off-by: Basil Gunn Signed-off-by: David S. Miller

ax25: add link layer header validation function

2016-03-10T03:13:01+00:00

As variable length protocol, AX25 fails link layer header validation tests based on a minimum length. header_ops.validate allows protocols to validate headers that are shorter than hard_header_len. Implement this callback for AX25. See also http://comments.gmane.org/gmane.linux.network/401064 Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller

net: add validation for the socket syscall protocol argument

2015-12-14T21:09:30+00:00

郭永刚 reported that one could simply crash the kernel as root by using a simple program: int socket_fd; struct sockaddr_in addr; addr.sin_port = 0; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_family = 10; socket_fd = socket(10,3,0x40000000); connect(socket_fd , &addr,16); AF_INET, AF_INET6 sockets actually only support 8-bit protocol identifiers. inet_sock's skc_protocol field thus is sized accordingly, thus larger protocol identifiers simply cut off the higher bits and store a zero in the protocol fields. This could lead to e.g. NULL function pointer because as a result of the cut off inet_num is zero and we call down to inet_autobind, which is NULL for raw sockets. kernel: Call Trace: kernel: [] ? inet_autobind+0x2e/0x70 kernel: [] inet_dgram_connect+0x54/0x80 kernel: [] SYSC_connect+0xd9/0x110 kernel: [] ? ptrace_notify+0x5b/0x80 kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 kernel: [] SyS_connect+0xe/0x10 kernel: [] tracesys_phase2+0x84/0x89 I found no particular commit which introduced this problem. CVE: CVE-2015-8543 Cc: Cong Wang Reported-by: 郭永刚 Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller

NET: AX.25: Stop heartbeat timer on disconnect.

2015-07-15T22:59:58+00:00

This may result in a kernel panic. The bug has always existed but somehow we've run out of luck now and it bites. Signed-off-by: Richard Stearn Cc: stable@vger.kernel.org # all branches Signed-off-by: Ralf Baechle Signed-off-by: David S. Miller

ax25: Stop using sock->sk_protinfo.

2015-06-28T23:55:44+00:00

Just make a ax25_sock structure that provides the ax25_cb pointer. Signed-off-by: David S. Miller

netfilter: Remove spurios included of netfilter.h

2015-06-18T19:14:32+00:00

While testing my netfilter changes I noticed several files where recompiling unncessarily because they unncessarily included netfilter.h. Signed-off-by: "Eric W. Biederman" Signed-off-by: Pablo Neira Ayuso

net: Pass kern from net_proto_family.create to sk_alloc

2015-05-11T14:50:17+00:00

In preparation for changing how struct net is refcounted on kernel sockets pass the knowledge that we are creating a kernel socket from sock_create_kern through to sk_alloc. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller

ax25: Fix the build when CONFIG_INET is disabled

2015-03-05T18:17:39+00:00

> > >> net/ax25/ax25_ip.c:225:26: error: unknown type name 'sturct' > netdev_tx_t ax25_ip_xmit(sturct sk_buff *skb) > ^ > > vim +/sturct +225 net/ax25/ax25_ip.c > > 219 unsigned short type, const void *daddr, > 220 const void *saddr, unsigned int len) > 221 { > 222 return -AX25_HEADER_LEN; > 223 } > 224 > > 225 netdev_tx_t ax25_ip_xmit(sturct sk_buff *skb) > 226 { > 227 kfree_skb(skb); > 228 return NETDEV_TX_OK; Ooops I misspelled struct... Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller

ax25: Stop using magic neighbour cache operations.

2015-03-03T19:44:41+00:00

Before the ax25 stack calls dev_queue_xmit it always calls ax25_type_trans which sets skb->protocol to ETH_P_AX25. Which means that by looking at the protocol type it is possible to detect IP packets that have not been munged by the ax25 stack in ndo_start_xmit and call a function to munge them. Rename ax25_neigh_xmit to ax25_ip_xmit and tweak the return type and value to be appropriate for an ndo_start_xmit function. Update all of the ax25 devices to test the protocol type for ETH_P_IP and return ax25_ip_xmit as the first thing they do. This preserves the existing semantics of IP packet processing, but the timing will be a little different as the IP packets now pass through the qdisc layer before reaching the ax25 ip packet processing. Remove the now unnecessary ax25 neighbour table operations. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller

ax25: Stop depending on arp_find

2015-03-02T21:43:41+00:00

Have ax25_neigh_output perform ordinary arp resolution before calling ax25_neigh_xmit. Call dev_hard_header in ax25_neigh_output with a destination address so it will not fail, and the destination mac address will not need to be set in ax25_neigh_xmit. Remove arp_find from ax25_neigh_xmit (the ordinary arp resolution added to ax25_neigh_output removes the need for calling arp_find). Document how close ax25_neigh_output is to neigh_resolve_output. Cc: Ralf Baechle Cc: linux-hams@vger.kernel.org Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller