1. 13 Jun, 2013 1 commit
    • Merge branch 'wireless' · 090adb89
      David S. Miller committed
      John W. Linville says:
      
      ====================
      For now I have dropped the mac80211 tree from this request.
      We are developing a little backlog of fixes and I would like to
      avoid introducing any more uncertainty to this pull request for the
      3.10 stream.  All the other bits are the same as what was in the
      2013-06-06 request, including the ath9k fixes intended to address
      the problems observed by Linus w/ his Pixel, and a CVE fix for a
      potential security issue in the b43 driver.
      
      Regarding the wl12xx bits, Luca says:
      
      "Here are three patches that I'd like to get into 3.10.  Two of them, by
      me, are related to the firmware version checks in our driver.  Without
      them, the firmwares fail to load.  The other one, by Eliad, fixes a typo
      bug in our 5GHz scanning code."
      
      And as for the Bluetooth bits, Gustavo says:
      
      "The following patches are important bug fixes for 3.10, plus the
      support for a new device. We do have three fixes from Johan. The first
      one is a fix to avoid LE-only devices to rely on the (inexistent)
      extended features data. The second patch fixes length checks on
      incoming L2CAP signalling PDUs so we can discard PDU whose size
      doesn't match the one reported in the header.  The last one fixes
      the handling of power on failures, we now report proper errors to
      mgmt when hci_dev_open()."
      
      Along with that...
      
      Larry Finger corrects an rtlwifi problem that caused some devices to
      refuse to connect to non-WPA2 networks if the device had previously
      associated with a WPA2 network.  He also adds a one-line fix to prevent
      false reports from kmemleak.
      
      Mark A. Greer fixes an out of bounds array access in mwifiex.
      
      Felix Fietkau reverts an earlier ath9k initval patch that reduced rx
      sensitivity in a number of ath9k devices with no corresponding benefit.
      
      Kees Cook fixes a potential uid-0 to ring-0 escalation in b43
      (CVE-2013-2852).
      
      Sujith Manoharan turns-off powersave mode by default for ath9k, and
      also defaults ath9k to use the minstrel_ht rate control algorithm.
      Both of these are believed to contribute to greater stability/usability
      of ath9k in real-world situations.
      
      Yijing Wang fixes an iwlegacy build error for il_pm_ops if CONFIG_PM
      is set but CONFIG_PM_SLEEP is not set.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 12 Jun, 2013 20 commits
  3. 11 Jun, 2013 11 commits
    • netlink: fix error propagation in netlink_mmap() · 7cdbac71
      Patrick McHardy committed
      Return the error if something went wrong instead of unconditionally
      returning 0.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sctp: fix NULL pointer dereference in socket destruction · 1abd165e
      Daniel Borkmann committed
      While stress testing sctp sockets, I hit the following panic:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
      PGD 7cead067 PUD 7ce76067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in: sctp(F) libcrc32c(F) [...]
      CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
      Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
      task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
      RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
      RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
      RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
      RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
      RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
      FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
       ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
       0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
      Call Trace:
       [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
       [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
       [<ffffffff814df36e>] inet_create+0x2ae/0x350
       [<ffffffff81455a6f>] __sock_create+0x11f/0x240
       [<ffffffff81455bf0>] sock_create+0x30/0x40
       [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
       [<ffffffff815403be>] ? do_page_fault+0xe/0x10
       [<ffffffff8153cb32>] ? page_fault+0x22/0x30
       [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
      Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
            1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
            8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
      RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
       RSP <ffff88007b569e08>
      CR2: 0000000000000020
      ---[ end trace e0d71ec1108c1dd9 ]---
      
      I did not hit this with the lksctp-tools functional tests, but with a
      small, multi-threaded test program, that heavily allocates, binds,
      listens and waits in accept on sctp sockets, and then randomly kills
      some of them (no need for an actual client in this case to hit this).
      Then, again, allocating, binding, etc, and then killing child processes.
      
      This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
      is set. The cause for that is actually very simple: in sctp_endpoint_init()
      we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
      our crypto transforms through crypto_alloc_hash(). In our scenario,
      it then can happen that crypto_alloc_hash() fails with -EINTR from
      crypto_larval_wait(), thus we bail out and release the socket via
      sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
      dereference as soon as we try to access members in the endpoint during
      sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
      if we have that case, we do not need to do any cleanup work and just
      leave the destruction handler.
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost: fix ubuf_info cleanup · 288cfe78
      Michael S. Tsirkin committed
      vhost_net_clear_ubuf_info didn't clear ubuf_info
      after kfree, this could trigger double free.
      Fix this and simplify this code to make it more robust: make sure
      ubuf info is always freed through vhost_net_clear_ubuf_info.
      Reported-by: Tommi Rantala <tt.rantala@gmail.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost: check owner before we overwrite ubuf_info · 05c05351
      Michael S. Tsirkin committed
      If device has an owner, we shouldn't touch ubuf_info
      since it might be in use.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qmi_wwan/cdc_ether: let qmi_wwan handle the Huawei E1820 · c2020be3
      Bjørn Mork committed
      Another QMI speaking Qualcomm based device, which should be
      driven by qmi_wwan, while cdc_ether should ignore it.
      
      Like on other Huawei devices, the wwan function can appear
      either as a single vendor specific interface or as a CDC ECM
      class function using separate control and data interfaces.
      The ECM control interface protocol is 0xff, likely in an
      attempt to indicate that vendor specific management is
      required.
      
      In addition to the near standard CDC class, Huawei also add
      vendor specific AT management commands to their firmwares.
      This is probably an attempt to support non-Windows systems
      using standard class drivers.  Unfortunately, this part of
      the firmware is often buggy.  Linux is much better off using
      whatever native vendor specific management protocol the
      device offers, and Windows uses, whenever possible. This
      means QMI in the case of Qualcomm based devices.
      
      The E1820 has been verified to work fine with QMI.
      
      Matching on interface number is necessary to distinguish the
      wwan function from serial functions in the single interface
      mode, as both function types will have class/subclass/function
      set to ff/ff/ff.
      
      The control interface number does not change in CDC ECM mode,
      so the interface number matching rule is sufficient to handle
      both modes.  The cdc_ether blacklist entry is only relevant in
      CDC ECM mode, but using a similar interface number based rule
      helps document this as a transfer from one driver to another.
      
      Other Huawei 02/06/ff devices are left with the cdc_ether driver
      because we do not know whether they are based on Qualcomm chips.
      The Huawei specific AT command management is known to be somewhat
      hardware independent, and their usage of these class codes may
      also be independent of the modem hardware.
      Reported-by: Graham Inggs <graham.inggs@uct.ac.za>
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sh_eth: fix result of sh_eth_check_reset() on timeout · 9f8c4265
      Sergei Shtylyov committed
      When the first loop in sh_eth_check_reset() runs to its end, 'cnt' is 0, so the
      following check for 'cnt < 0' fails to catch the timeout.  Fix the condition in
      this check, so that the timeout is actually reported.
      While at it, fix the grammar in the failure message...
      Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/ti davinci_mdio: don't hold a spin lock while calling pm_runtime · 2786aae7
      Sebastian Siewior committed
      Was playing with suspend and ran into this:
      
      |BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:891
      |in_atomic(): 1, irqs_disabled(): 0, pid: 1963, name: bash
      |6 locks held by bash/1963:
      |CPU: 0 PID: 1963 Comm: bash Not tainted 3.10.0-rc4+ #50
      |[<c0014fdc>] (unwind_backtrace+0x0/0xf8) from [<c0011da4>] (show_stack+0x10/0x14)
      |[<c0011da4>] (show_stack+0x10/0x14) from [<c02e8680>] (__pm_runtime_idle+0xa4/0xac)
      |[<c02e8680>] (__pm_runtime_idle+0xa4/0xac) from [<c0341158>] (davinci_mdio_suspend+0x6c/0x9c)
      |[<c0341158>] (davinci_mdio_suspend+0x6c/0x9c) from [<c02e0628>] (platform_pm_suspend+0x2c/0x54)
      |[<c02e0628>] (platform_pm_suspend+0x2c/0x54) from [<c02e52bc>] (dpm_run_callback.isra.3+0x2c/0x64)
      |[<c02e52bc>] (dpm_run_callback.isra.3+0x2c/0x64) from [<c02e57e4>] (__device_suspend+0x100/0x22c)
      |[<c02e57e4>] (__device_suspend+0x100/0x22c) from [<c02e67e8>] (dpm_suspend+0x68/0x230)
      |[<c02e67e8>] (dpm_suspend+0x68/0x230) from [<c0072a20>] (suspend_devices_and_enter+0x68/0x350)
      |[<c0072a20>] (suspend_devices_and_enter+0x68/0x350) from [<c0072f18>] (pm_suspend+0x210/0x24c)
      |[<c0072f18>] (pm_suspend+0x210/0x24c) from [<c0071c74>] (state_store+0x6c/0xbc)
      |[<c0071c74>] (state_store+0x6c/0xbc) from [<c02714dc>] (kobj_attr_store+0x14/0x20)
      |[<c02714dc>] (kobj_attr_store+0x14/0x20) from [<c01341a0>] (sysfs_write_file+0x16c/0x19c)
      |[<c01341a0>] (sysfs_write_file+0x16c/0x19c) from [<c00ddfe4>] (vfs_write+0xb4/0x190)
      |[<c00ddfe4>] (vfs_write+0xb4/0x190) from [<c00de3a4>] (SyS_write+0x3c/0x70)
      |[<c00de3a4>] (SyS_write+0x3c/0x70) from [<c000e2c0>] (ret_fast_syscall+0x0/0x48)
      
      I don't see a reason why the pm_runtime call must be under the lock.
      Further I don't understand why this is a spinlock and not mutex.
      
      Cc: Mugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sock_diag: fix filter code sent to userspace · ed13998c
      Nicolas Dichtel committed
      Filters need to be translated to real BPF code for userland, like SO_GETFILTER.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tuntap: fix a possible race between queue selection and changing queues · 92bb73ea
      Jason Wang committed
      Compiler may generate code that re-reads tun->numqueues during
      tun_select_queue(). This may be a race if vlan->numqueues were changed at the
      same time and can lead to unexpected results (e.g. a very huge value).
      
      We need to prevent the compiler from generating such code by adding an
      ACCESS_ONCE() to make sure tun->numqueues is only read once.
      
      Bug was introduced by commit c8d68e6b
      (tuntap: multiqueue support).
      Reported-by: Michael S. Tsirkin <mst@redhat.com>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vhost_net: clear msg.control for non-zerocopy case during tx · 4364d5f9
      Jason Wang committed
      When we decide not to use zero-copy, msg.control should be set to NULL otherwise
      macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs
      wrongly.
      
      Bug was introduced by commit cedb9bdc
      (vhost-net: skip head management if no outstanding).
      
      This solves the following warnings:
      
      WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]()
      Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun]
      CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566
      Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011
      ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48
      ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0
      ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58
      Call Trace:
      [<ffffffff81796b73>] dump_stack+0x19/0x1e
      [<ffffffff8103d66b>] warn_slowpath_common+0x6b/0xa0
      [<ffffffff8103d6b5>] warn_slowpath_null+0x15/0x20
      [<ffffffffa0197627>] handle_tx+0x477/0x4b0 [vhost_net]
      [<ffffffffa0197690>] handle_tx_kick+0x10/0x20 [vhost_net]
      [<ffffffffa019541e>] vhost_worker+0xfe/0x1a0 [vhost_net]
      [<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
      [<ffffffffa0195320>] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net]
      [<ffffffff81061f46>] kthread+0xc6/0xd0
      [<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
      [<ffffffff817a1aec>] ret_from_fork+0x7c/0xb0
      [<ffffffff81061e80>] ? kthread_freezable_should_stop+0x70/0x70
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · d8821091
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      The following patchset contains four fixes for Netfilter and one fix
      for IPVS, they are:
      
      * Fix data leak to user-space via getsockopt IP_VS_SO_GET_DESTS, from
        Dan Carpenter.
      
      * Fix xt_TCPMSS if no TCP MSS is specified in syn packets, to avoid the
        violation of RFC879, from Phil Oester.
      
      * Fix incomplete dump of objects via nfnetlink_acct and nfnetlink_cttimeout,
        from myself.
      
      * Fix missing HW protocol in packets passed to user-space via NFQUEUE,
        from myself.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 10 Jun, 2013 1 commit
  5. 08 Jun, 2013 2 commits
  6. 07 Jun, 2013 5 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1612e111
      Linus Torvalds committed
      Pull networking fix from David Miller:
       "This is a quick one commit pull request to cure the regression
        introduced by the MSG_CMSG_COMPAT change."
      
      (Background: commit 1be374a0 completely broke 32-bit COMPAT handling
      by not only disallowing MSG_CMSG_COMPAT from user APIs, but clearing it
      in our own internal use too!)
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        net: Unbreak compat_sys_{send,recv}msg
    • Merge tag 'staging-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · e2b02e25
      Linus Torvalds committed
      Pull staging driver fixes from Greg Kroah-Hartman:
       "Here are some staging and IIO driver fixes for the 3.10-rc5 release.
      
        All of them are tiny, and fix a number of reported issues (build and
        runtime)"
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      * tag 'staging-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio:inkern: Fix typo/bug in convert raw to processed.
        iio: frequency: ad4350: Fix bug / typo in mask
        inkern: iio_device_put after incorrect return/goto
        staging: alarm-dev: information leak in alarm_compat_ioctl()
        iio:callback buffer: free the scan_mask
        staging: alarm-dev: information leak in alarm_ioctl()
        drivers: staging: zcache: fix compile error
        staging: dwc2: fix value of dma_mask
    • Merge tag 'tty-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3b285cb2
      Linus Torvalds committed
      Pull tty/serial driver fixes from Greg Kroah-Hartman:
       "Here are some small bugfixes, and one revert, of serial driver issues
        that have been reported"
      
      * tag 'tty-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "serial: 8250: Make SERIAL_8250_RUNTIME_UARTS work correctly"
        serial: samsung: enable clock before clearing pending interrupts during init
        serial/imx: disable hardware flow control at startup
    • Merge tag 'usb-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c6d6b9d1
      Linus Torvalds committed
      Pull USB fixes from Greg Kroah-Hartman:
       "Here are a number of USB bugfixes and new device ids for the 3.10-rc5
        tree.
      
        Nothing major here, a number of new device ids (and movement from the
        option to the zte_ev driver of a number of ids that we had previously
        gotten wrong, some xhci bugfixes, some usb-serial driver fixes that
        were recently found, some host controller fixes / reverts, and a
        variety of smaller other things"
      
      * tag 'usb-3.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (29 commits)
        USB: option,zte_ev: move most ZTE CDMA devices to zte_ev
        USB: option: blacklist network interface on Huawei E1820
        USB: whiteheat: fix broken port configuration
        USB: serial: fix TIOCMIWAIT return value
        USB: mos7720: fix hardware flow control
        USB: keyspan: remove unused endpoint-array access
        USB: keyspan: fix bogus array index
        USB: zte_ev: fix broken open
        USB: serial: Add Option GTM681W to qcserial device table.
        USB: Serial: cypress_M8: Enable FRWD Dongle hidcom device
        USB: EHCI: fix regression related to qh_refresh()
        usbfs: Increase arbitrary limit for USB 3 isopkt length
        USB: zte_ev: fix control-message timeouts
        USB: mos7720: fix message timeouts
        USB: iuu_phoenix: fix bulk-message timeout
        USB: ark3116: fix control-message timeout
        USB: mos7840: fix DMA to stack
        USB: mos7720: fix DMA to stack
        USB: visor: fix initialisation of Treo/Kyocera devices
        USB: serial: fix Treo/Kyocera interrrupt-in urb context
        ...
    • Merge tag 'pci-v3.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · c51aa6db
      Linus Torvalds committed
      Pull PCI fixes from Bjorn Helgaas:
       "This fixes a crash when booting a 32-bit kernel via the EFI boot stub.
      
        PCI ROM from EFI
            x86/PCI: Map PCI setup data with ioremap() so it can be in highmem"
      
      * tag 'pci-v3.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        x86/PCI: Map PCI setup data with ioremap() so it can be in highmem