1. 25 11月, 2013 19 次提交
  2. 22 11月, 2013 7 次提交
    • J
      genetlink: fix genl_set_err() group ID · 91398a09
      Johannes Berg 提交于
      Fix another really stupid bug - I introduced genl_set_err()
      precisely to be able to adjust the group and reject invalid
      ones, but then forgot to do so.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      91398a09
    • J
      genetlink: fix genlmsg_multicast() bug · 220815a9
      Johannes Berg 提交于
      Unfortunately, I introduced a tremendously stupid bug into
      genlmsg_multicast() when doing all those multicast group
      changes: it adjusts the group number, but then passes it
      to genlmsg_multicast_netns() which does that again.
      
      Somehow, my tests failed to catch this, so add a warning
      into genlmsg_multicast_netns() and remove the offending
      group ID adjustment.
      
      Also add a warning to the similar code in other functions
      so people who misuse them are more loudly warned.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      220815a9
    • D
      packet: fix use after free race in send path when dev is released · e40526cb
      Daniel Borkmann 提交于
      Salam reported a use after free bug in PF_PACKET that occurs when
      we're sending out frames on a socket bound device and suddenly the
      net device is being unregistered. It appears that commit 827d9780
      introduced a possible race condition between {t,}packet_snd() and
      packet_notifier(). In the case of a bound socket, packet_notifier()
      can drop the last reference to the net_device and {t,}packet_snd()
      might end up suddenly sending a packet over a freed net_device.
      
      To avoid reverting 827d9780 and thus introducing a performance
      regression compared to the current state of things, we decided to
      hold a cached RCU protected pointer to the net device and maintain
      it on write side via bind spin_lock protected register_prot_hook()
      and __unregister_prot_hook() calls.
      
      In {t,}packet_snd() path, we access this pointer under rcu_read_lock
      through packet_cached_dev_get() that holds reference to the device
      to prevent it from being freed through packet_notifier() while
      we're in send path. This is okay to do as dev_put()/dev_hold() are
      per-cpu counters, so this should not be a performance issue. Also,
      the code simplifies a bit as we don't need need_rls_dev anymore.
      
      Fixes: 827d9780 ("af-packet: Use existing netdev reference for bound sockets.")
      Reported-by: NSalam Noureddine <noureddine@aristanetworks.com>
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: NSalam Noureddine <noureddine@aristanetworks.com>
      Cc: Ben Greear <greearb@candelatech.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e40526cb
    • D
      xen-netback: stop the VIF thread before unbinding IRQs · db739ef3
      David Vrabel 提交于
      If the VIF thread is still running after unbinding the Tx and Rx IRQs
      in xenvif_disconnect(), the thread may attempt to raise an event which
      will BUG (as the irq is unbound).
      Signed-off-by: NDavid Vrabel <david.vrabel@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db739ef3
    • M
      wimax: remove dead code · aec6f90d
      Michael Opdenacker 提交于
      This removes a code line that is between a "return 0;" and an error label.
      This code line can never be reached.
      
      Found by Coverity (CID: 1130529)
      Signed-off-by: NMichael Opdenacker <michael.opdenacker@free-electrons.com>
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aec6f90d
    • D
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 78ef359c
      David S. Miller 提交于
      John W. Linville says:
      
      ====================
      pull request: wireless 2013-11-21
      
      Please pull this batch of fixes intended for the 3.13 stream!
      
      For the Bluetooth bits, Gustavo says:
      
      "A few fixes for 3.13. There is 3 fixes to the RFCOMM protocol. One
      crash fix to L2CAP. A simple fix to a bad behaviour in the SMP
      protocol."
      
      On top of that...
      
      Amitkumar Karwar sends a quintet of mwifiex fixes -- two fixes related
      to failure handling, two memory leak fixes, and a NULL pointer fix.
      
      Felix Fietkau corrects and earlier rt2x00 HT descriptor handling fix
      to address a crash.
      
      Geyslan G. Bem fixes a memory leak in brcmfmac.
      
      Larry Finger address more pointer arithmetic errors in rtlwifi.
      
      Luis R. Rodriguez provides a regulatory fix in the shared ath code.
      
      Sujith Manoharan brings a couple ath9k initialization fixes.
      
      Ujjal Roy offers one more mwifiex fix to avoid invalid memory accesses
      when unloading the USB driver.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78ef359c
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · cd2cc01b
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      netfilter fixes for net
      
      The following patchset contains fixes for your net tree, they are:
      
      * Remove extra quote from connlimit configuration in Kconfig, from
        Randy Dunlap.
      
      * Fix missing mss option in syn packets sent to the backend in our
        new synproxy target, from Martin Topholm.
      
      * Use window scale announced by client when sending the forged
        syn to the backend, from Martin Topholm.
      
      * Fix IPv6 address comparison in ebtables, from Luís Fernando
        Cornachioni Estrozi.
      
      * Fix wrong endianess in sequence adjustment which breaks helpers
        in NAT configurations, from Phil Oester.
      
      * Fix the error path handling of nft_compat, from me.
      
      * Make sure the global conntrack counter is decremented after the
        object has been released, also from me.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cd2cc01b
  3. 21 11月, 2013 14 次提交