linux.git/drivers/isdn, branch v3.15 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git hisax/icc: add missing semicolon after label 2014-04-23T01:22:47+00:00 Julia Lawall Julia.Lawall@lip6.fr 2014-04-20T09:48:33+00:00 6a51b5e4d59e00051e65e836520912cd7c717be1 A label just before a brace needs a following semicolon (empty statement). Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: David S. Miller <davem@davemloft.net> 
A label just before a brace needs a following semicolon (empty statement).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
isdn: icn: buffer overflow in icn_command() 2014-04-16T19:24:15+00:00 Dan Carpenter dan.carpenter@oracle.com 2014-04-16T11:25:16+00:00 b7a314054eb55e3745a9409beaa5d8be5cd2d273 This buffer over was detected using static analysis: drivers/isdn/icn/icn.c:1325 icn_command() error: format string overflow. buf_size: 60 length: 98 The calculation for the length of the string is off because it assumes that the dial[] buffer holds a 50 character string, but actually it is at most 31 characters and NUL. I have removed the dial[] buffer because it isn't needed. The maximum length of the string is actually 79 characters and a NUL. I have made the cbuf[] array large enough to hold it and changed the sprintf() to an snprintf() as a further safety enhancement. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This buffer over was detected using static analysis:

	drivers/isdn/icn/icn.c:1325 icn_command()
	error: format string overflow. buf_size: 60 length: 98

The calculation for the length of the string is off because it assumes
that the dial[] buffer holds a 50 character string, but actually it is
at most 31 characters and NUL.  I have removed the dial[] buffer because
it isn't needed.

The maximum length of the string is actually 79 characters and a NUL.  I
have made the cbuf[] array large enough to hold it and changed the
sprintf() to an snprintf() as a further safety enhancement.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
isdnloop: several buffer overflows 2014-04-08T16:41:13+00:00 Dan Carpenter dan.carpenter@oracle.com 2014-04-08T09:23:09+00:00 7563487cbf865284dcd35e9ef5a95380da046737 There are three buffer overflows addressed in this patch. 1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I'm changed the sprintf() to a snprintf(). 2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long. 3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly. Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
There are three buffer overflows addressed in this patch.

1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
then copy it into a 60 character buffer.  I have made the destination
buffer 64 characters and I'm changed the sprintf() to a snprintf().

2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
character buffer so we have 54 characters.  The ->eazlist[] is 11
characters long.  I have modified the code to return if the source
buffer is too long.

3) In isdnloop_command() the cbuf[] array was 60 characters long but the
max length of the string then can be up to 79 characters.  I made the
cbuf array 80 characters long and changed the sprintf() to snprintf().
I also removed the temporary "dial" buffer and changed it to use "p"
directly.

Unfortunately, we pass the "cbuf" string from isdnloop_command() to
isdnloop_writecmd() which truncates anything over 60 characters to make
it fit in card->omsg[].  (It can accept values up to 255 characters so
long as there is a '\n' character every 60 characters).  For now I have
just fixed the memory corruption bug and left the other problems in this
driver alone.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
isdnloop: Validate NUL-terminated strings from user. 2014-04-03T15:26:24+00:00 YOSHIFUJI Hideaki / 吉藤英明 yoshfuji@linux-ipv6.org 2014-04-02T03:48:42+00:00 77bc6bed7121936bb2e019a8c336075f4c8eef62 Return -EINVAL unless all of user-given strings are correctly NUL-terminated. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Return -EINVAL unless all of user-given strings are correctly
NUL-terminated.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: isdn: use sk_unattached_filter api 2014-03-31T04:45:09+00:00 Daniel Borkmann dborkman@redhat.com 2014-03-28T17:58:24+00:00 77e0114ae9ae08685c503772a57af21d299c6701 Similarly as in ppp, we need to migrate the ISDN/PPP code to make use of the sk_unattached_filter api in order to decouple having direct filter structure access. By using sk_unattached_filter_{create,destroy}, we can allow for the possibility to jit compile filters for faster filter verdicts as well. Joint work with Alexei Starovoitov. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: isdn4linux@listserv.isdn4linux.de Signed-off-by: David S. Miller <davem@davemloft.net> 
Similarly as in ppp, we need to migrate the ISDN/PPP code to make use
of the sk_unattached_filter api in order to decouple having direct
filter structure access. By using sk_unattached_filter_{create,destroy},
we can allow for the possibility to jit compile filters for faster
filter verdicts as well.

Joint work with Alexei Starovoitov.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: isdn4linux@listserv.isdn4linux.de
Signed-off-by: David S. Miller <davem@davemloft.net>
isdn: replace del_timer by del_timer_sync 2014-03-27T19:28:06+00:00 Julia Lawall Julia.Lawall@lip6.fr 2014-03-26T21:33:39+00:00 0c295e44dea607be5f4cc2d19ce98afbd77e2619 Use del_timer_sync to ensure that the timer is stopped on all CPUs before the driver exists. This change was suggested by Thomas Gleixner. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r@ declarer name module_exit; identifier ex; @@ module_exit(ex); @@ identifier r.ex; @@ ex(...) { <... - del_timer + del_timer_sync (...) ...> } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: David S. Miller <davem@davemloft.net> 
Use del_timer_sync to ensure that the timer is stopped on all CPUs before
the driver exists.

This change was suggested by Thomas Gleixner.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
declarer name module_exit;
identifier ex;
@@

module_exit(ex);

@@
identifier r.ex;
@@

ex(...) {
  <...
- del_timer
+ del_timer_sync
    (...)
  ...>
}
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-03-26T00:29:20+00:00 David S. Miller davem@davemloft.net 2014-03-26T00:29:20+00:00 04f58c88542b6b351efb4eea01134eb672e22e6e Conflicts: Documentation/devicetree/bindings/net/micrel-ks8851.txt net/core/netpoll.c The net/core/netpoll.c conflict is a bug fix in 'net' happening to code which is completely removed in 'net-next'. In micrel-ks8851.txt we simply have overlapping changes. Signed-off-by: David S. Miller <davem@davemloft.net> 
Conflicts:
	Documentation/devicetree/bindings/net/micrel-ks8851.txt
	net/core/netpoll.c

The net/core/netpoll.c conflict is a bug fix in 'net' happening
to code which is completely removed in 'net-next'.

In micrel-ks8851.txt we simply have overlapping changes.

Signed-off-by: David S. Miller <davem@davemloft.net>
isdn/capi: Make Middleware depend on CAPI2.0 2014-03-18T19:02:57+00:00 Paul Bolle pebolle@tiscali.nl 2014-03-16T17:44:21+00:00 d1958f8c2f0d6bfaa115f4dce1d5d19be5c6b090 The Kconfig symbol ISDN_CAPI_MIDDLEWARE is only used in capi.c. Setting it without setting ISDN_CAPI_CAPI20 is therefor useless. Make it depend on ISDN_CAPI_CAPI20 and put its entry after ISDN_CAPI_CAPI20's entry. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net> 
The Kconfig symbol ISDN_CAPI_MIDDLEWARE is only used in capi.c. Setting
it without setting ISDN_CAPI_CAPI20 is therefor useless. Make it depend
on ISDN_CAPI_CAPI20 and put its entry after ISDN_CAPI_CAPI20's entry.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
isdn: fix multiple sleep_on races 2014-02-26T21:06:13+00:00 Arnd Bergmann arnd@arndb.de 2014-02-26T11:01:55+00:00 94fcf6964c797cc24c84c677e106dbce676a0374 The isdn core code uses a couple of wait queues with interruptible_sleep_on, which is racy and about to get removed from the kernel. Fortunately, we know for each case what we are waiting for, so they can all be converted to the better wait_event_interruptible interface. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> 
The isdn core code uses a couple of wait queues with
interruptible_sleep_on, which is racy and about to get
removed from the kernel. Fortunately, we know for each case
what we are waiting for, so they can all be converted to
the better wait_event_interruptible interface.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
isdn: divert, hysdn: fix interruptible_sleep_on race 2014-02-26T21:06:13+00:00 Arnd Bergmann arnd@arndb.de 2014-02-26T11:01:54+00:00 c11da83bdae210e1d40a6755b78f8543a9be9227 These two drivers use identical code for their procfs status file handling, which contains a small race against status data becoming available while reading the file. This uses wait_event_interruptible instead to fix this particular race and eventually get rid of all sleep_on instances. There seems to be another race involving multiple concurrent readers of the same procfs file, which I don't try to fix here. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> 
These two drivers use identical code for their procfs status
file handling, which contains a small race against status
data becoming available while reading the file.

This uses wait_event_interruptible instead to fix this
particular race and eventually get rid of all sleep_on
instances. There seems to be another race involving
multiple concurrent readers of the same procfs file, which
I don't try to fix here.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>