1. 03 4月, 2015 4 次提交
    • L
      Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband · 06459fc0
      Linus Torvalds 提交于
      Pull infiniband/rdma fix from Roland Dreier:
       "Fix for exploitable integer overflow in uverbs interface"
      
      * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
        IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
      06459fc0
    • L
      Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 0a481279
      Linus Torvalds 提交于
      Pull dmaengine fixes from Vinod Koul:
       "This time we have addition of caps for jz4740 which fixes intentional
        warning at boot.  Then we have memory leak issues in drivers using
        virt-dma by Peter on few drive"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: moxart-dma: Fix memory leak when stopping a running transfer
        dmaengine: bcm2835-dma: Fix memory leak when stopping a running transfer
        dmaengine: omap-dma: Fix memory leak when terminating running transfer
        dmaengine: edma: fix memory leak when terminating running transfers
        dmaengine: jz4740: Define capabilities
      0a481279
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8172ba51
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix use-after-free with mac80211 RX A-MPDU reorder timer, from
          Johannes Berg.
      
       2) iwlwifi leaks memory every module load/unload cycles, fix from Larry
          Finger.
      
       3) Need to use for_each_netdev_safe() in rtnl_group_changelink()
          otherwise we can crash, from WANG Cong.
      
       4) mlx4 driver does register_netdev() too early in the probe sequence,
          from Ido Shamay.
      
       5) Don't allow router discovery hop limit to decrease the interface's
          hop limit, from D.S. Ljungmark.
      
       6) tx_packets and tx_bytes improperly accounted for certain classes of
          USB network devices, fix from Ben Hutchings.
      
       7) ip{6}mr_rules_init() mistakenly use plain kfree to release the ipmr
          tables in the error path, they must instead use ip{6}mr_free_table().
          Fix from WANG Cong.
      
       8) cxgb4 doesn't properly quiesce all RX activity before unregistering
          the netdevice.  Fix from Hariprasad Shenai.
      
       9) Fix hash corruptions in ipvlan driver, from Jiri Benc.
      
      10) nla_memcpy(), like a real memcpy, should fully initialize the
          destination buffer, even if the source attribute is smaller.  Fix
          from Jiri Benc.
      
      11) Fix wrong error code returned from iucv_sock_sendmsg().  We should
          use whatever sock_alloc_send_skb() put into 'err'.  From Eugene
          Crosser.
      
      12) Fix slab object leak on module unload in TIPC, from Ying Xue.
      
      13) Need a READ_ONCE() when reading the cached RX socket route in
          tcp_v{4,6}_early_demux().  From Michal Kubecek.
      
      14) Still too many problems with TPC support in the ath9k driver, so
          disable it for now.  From Felix Fietkau.
      
      15) When in AP mode the rtlwifi driver can leak DMA mappings, fix from
          Larry Finger.
      
      16) Missing kzalloc() failure check in gs_usb CAN driver, from Colin Ian
          King.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
        cxgb4: Fix to dump devlog, even if FW is crashed
        cxgb4: Firmware macro changes for fw verison 1.13.32.0
        bnx2x: Fix kdump when iommu=on
        bnx2x: Fix kdump on 4-port device
        mac80211: fix RX A-MPDU session reorder timer deletion
        MAINTAINERS: Update Intel Wired Ethernet Driver info
        tipc: fix a slab object leak
        net/usb/r8152: add device id for Lenovo TP USB 3.0 Ethernet
        af_iucv: fix AF_IUCV sendmsg() errno
        openvswitch: Return vport module ref before destruction
        netlink: pad nla_memcpy dest buffer with zeroes
        bonding: Bonding Overriding Configuration logic restored.
        ipvlan: fix check for IP addresses in control path
        ipvlan: do not use rcu operations for address list
        ipvlan: protect against concurrent link removal
        ipvlan: fix addr hash list corruption
        net: fec: setup right value for mdio hold time
        net: tcp6: fix double call of tcp_v6_fill_cb()
        cxgb4vf: Fix sparse warnings
        netns: don't clear nsid too early on removal
        ...
      8172ba51
    • S
      IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic · 8494057a
      Shachar Raindel 提交于
      Properly verify that the resulting page aligned end address is larger
      than both the start address and the length of the memory area requested.
      
      Both the start and length arguments for ib_umem_get are controlled by
      the user. A misbehaving user can provide values which will cause an
      integer overflow when calculating the page aligned end address.
      
      This overflow can cause also miscalculation of the number of pages
      mapped, and additional logic issues.
      
      Addresses: CVE-2014-8159
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NShachar Raindel <raindel@mellanox.com>
      Signed-off-by: NJack Morgenstein <jackm@mellanox.com>
      Signed-off-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      8494057a
  2. 02 4月, 2015 12 次提交
  3. 01 4月, 2015 14 次提交
  4. 31 3月, 2015 9 次提交
  5. 30 3月, 2015 1 次提交