1. 06 9月, 2012 3 次提交
    • L
      Merge tag 'fbdev-fixes-for-3.6-1' of git://github.com/schandinat/linux-2.6 · 6d1a0503
      Linus Torvalds 提交于
      Pull fbdev fixes from Florian Tobias Schandinat:
       - a fix by Paul Cercueil to prevent a possible buffer overflow
       - a fix by Bruno Prémont to prevent a rare sleep in invalid context
       - a fix by Julia Lawall for a double free in auo_k190x
       - a fix by Dan Carpenter to prevent a division by zero in mb862xxfb
       - a regression fix by Tomi Valkeinen for the SDI output in OMAP
       - a fix by Grazvydas Ignotas to fix the console colors in OMAP
      
      * tag 'fbdev-fixes-for-3.6-1' of git://github.com/schandinat/linux-2.6:
        OMAPFB: fix framebuffer console colors
        OMAPDSS: Fix SDI PLL locking
        video: mb862xxfb: prevent divide by zero bug
        drivers/video/auo_k190x.c: drop kfree of devm_kzalloc's data
        fbcon: Fix bit_putcs() call to kmalloc(s, GFP_KERNEL)
        fbcon: prevent possible buffer overflow.
      6d1a0503
    • L
      Merge tag 'upstream-3.6-rc5' of git://git.infradead.org/linux-ubi · 50234c58
      Linus Torvalds 提交于
      Pull ubi fix from Artem Bityutskiy:
       "A single small fix for memory deallocation: we allocated memory using
        'kmem_cache_alloc()' but were freeing it using 'kfree()' in some
        cases.  Now we fix this by using 'kmem_cache_free()' instead."
      
      * tag 'upstream-3.6-rc5' of git://git.infradead.org/linux-ubi:
        UBI: fix a horrible memory deallocation bug
      50234c58
    • M
      Fix order of arguments to compat_put_time[spec|val] · ed6fe9d6
      Mikulas Patocka 提交于
      Commit 644595f8 ("compat: Handle COMPAT_USE_64BIT_TIME in
      net/socket.c") introduced a bug where the helper functions to take
      either a 64-bit or compat time[spec|val] got the arguments in the wrong
      order, passing the kernel stack pointer off as a user pointer (and vice
      versa).
      
      Because of the user address range check, that in turn then causes an
      EFAULT due to the user pointer range checking failing for the kernel
      address.  Incorrectly resuling in a failed system call for 32-bit
      processes with a 64-bit kernel.
      
      On odder architectures like HP-PA (with separate user/kernel address
      spaces), it can be used read kernel memory.
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ed6fe9d6
  2. 04 9月, 2012 1 次提交
  3. 03 9月, 2012 2 次提交
    • L
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 5b716ac7
      Linus Torvalds 提交于
      Pull CIFS fixes from Steve French.
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: Fix cifs_do_create error hadnling
        cifs: print error code if smb signature verification fails
        CIFS: Fix log messages in packet checking for SMB2
        CIFS: Protect i_nlink from being negative
      5b716ac7
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0b1a34c9
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) NLA_PUT* --> nla_put_* conversion got one case wrong in
          nfnetlink_log, fix from Patrick McHardy.
      
       2) Missed error return check in ipw2100 driver, from Julia Lawall.
      
       3) PMTU updates in ipv4 were setting the expiry time incorrectly, fix
          from Eric Dumazet.
      
       4) SFC driver erroneously reversed src and dst when reporting filters
          via ethtool.
      
       5) Memory leak in CAN protocol and wrong setting of IRQF_SHARED in
          sja1000 can platform driver, from Alexey Khoroshilov and Sven
          Schmitt.
      
       6) Fix multicast traffic scaling regression in ipv4_dst_destroy, only
          take the lock when we really need to.  From Eric Dumazet.
      
       7) Fix non-root process spoofing in netlink, from Pablo Neira Ayuso.
      
       8) CWND reduction in TCP is done incorrectly during non-SACK recovery,
          fix from Yuchung Cheng.
      
       9) Revert netpoll change, and fix what was actually a driver specific
          problem.  From Amerigo Wang.  This should cure bootup hangs with
          netconsole some people reported.
      
      10) Fix xen-netfront invoking __skb_fill_page_desc() with a NULL page
          pointer.  From Ian Campbell.
      
      11) SIP NAT fix for expectiontation creation, from Pablo Neira Ayuso.
      
      12) __ip_rt_update_pmtu() needs RCU locking, from Eric Dumazet.
      
      13) Fix usbnet deadlock on resume, can't use GFP_KERNEL in this
          situation.  From Oliver Neukum.
      
      14) The davinci ethernet driver triggers an OOPS on removal because it
          frees an MDIO object before unregistering it.  Fix from Bin Liu.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        net: qmi_wwan: add several new Gobi devices
        fddi: 64 bit bug in smt_add_para()
        net: ethernet: fix kernel OOPS when remove davinci_mdio module
        net/xfrm/xfrm_state.c: fix error return code
        net: ipv6: fix error return code
        net: qmi_wwan: new device: Foxconn/Novatel E396
        usbnet: fix deadlock in resume
        cs89x0 : packet reception not working
        netfilter: nf_conntrack: fix racy timer handling with reliable events
        bnx2x: Correct the ndo_poll_controller call
        bnx2x: Move netif_napi_add to the open call
        ipv4: must use rcu protection while calling fib_lookup
        bnx2x: fix 57840_MF pci id
        net: ipv4: ipmr_expire_timer causes crash when removing net namespace
        e1000e: DoS while TSO enabled caused by link partner with small MSS
        l2tp: avoid to use synchronize_rcu in tunnel free function
        gianfar: fix default tx vlan offload feature flag
        netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation
        xen-netfront: use __pskb_pull_tail to ensure linear area is big enough on RX
        netfilter: nfnetlink_log: fix error return code in init path
        ...
      0b1a34c9
  4. 02 9月, 2012 4 次提交
  5. 01 9月, 2012 10 次提交
  6. 31 8月, 2012 12 次提交
    • P
      netfilter: nf_conntrack: fix racy timer handling with reliable events · 5b423f6a
      Pablo Neira Ayuso 提交于
      Existing code assumes that del_timer returns true for alive conntrack
      entries. However, this is not true if reliable events are enabled.
      In that case, del_timer may return true for entries that were
      just inserted in the dying list. Note that packets / ctnetlink may
      hold references to conntrack entries that were just inserted to such
      list.
      
      This patch fixes the issue by adding an independent timer for
      event delivery. This increases the size of the ecache extension.
      Still we can revisit this later and use variable size extensions
      to allocate this area on demand.
      Tested-by: NOliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      5b423f6a
    • M
      bnx2x: Correct the ndo_poll_controller call · 14a15d61
      Merav Sicron 提交于
      This patch correct poll_bnx2x (ndo_poll_controller call) which was not
      functioning well with MSI-X.
      Signed-off-by: NMerav Sicron <meravs@broadcom.com>
      Signed-off-by: NDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      14a15d61
    • M
      bnx2x: Move netif_napi_add to the open call · 26614ba5
      Merav Sicron 提交于
      Move netif_napi_add for all queues from the probe call to the open call, to
      avoid the case that napi objects are added for queues that may eventually not
      be initialized and activated. With the former behavior, the driver could crash
      when netpoll was calling ndo_poll_controller.
      Signed-off-by: NMerav Sicron <meravs@broadcom.com>
      Signed-off-by: NDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      26614ba5
    • E
      ipv4: must use rcu protection while calling fib_lookup · c5ae7d41
      Eric Dumazet 提交于
      Following lockdep splat was reported by Pavel Roskin :
      
      [ 1570.586223] ===============================
      [ 1570.586225] [ INFO: suspicious RCU usage. ]
      [ 1570.586228] 3.6.0-rc3-wl-main #98 Not tainted
      [ 1570.586229] -------------------------------
      [ 1570.586231] /home/proski/src/linux/net/ipv4/route.c:645 suspicious rcu_dereference_check() usage!
      [ 1570.586233]
      [ 1570.586233] other info that might help us debug this:
      [ 1570.586233]
      [ 1570.586236]
      [ 1570.586236] rcu_scheduler_active = 1, debug_locks = 0
      [ 1570.586238] 2 locks held by Chrome_IOThread/4467:
      [ 1570.586240]  #0:  (slock-AF_INET){+.-...}, at: [<ffffffff814f2c0c>] release_sock+0x2c/0xa0
      [ 1570.586253]  #1:  (fnhe_lock){+.-...}, at: [<ffffffff815302fc>] update_or_create_fnhe+0x2c/0x270
      [ 1570.586260]
      [ 1570.586260] stack backtrace:
      [ 1570.586263] Pid: 4467, comm: Chrome_IOThread Not tainted 3.6.0-rc3-wl-main #98
      [ 1570.586265] Call Trace:
      [ 1570.586271]  [<ffffffff810976ed>] lockdep_rcu_suspicious+0xfd/0x130
      [ 1570.586275]  [<ffffffff8153042c>] update_or_create_fnhe+0x15c/0x270
      [ 1570.586278]  [<ffffffff815305b3>] __ip_rt_update_pmtu+0x73/0xb0
      [ 1570.586282]  [<ffffffff81530619>] ip_rt_update_pmtu+0x29/0x90
      [ 1570.586285]  [<ffffffff815411dc>] inet_csk_update_pmtu+0x2c/0x80
      [ 1570.586290]  [<ffffffff81558d1e>] tcp_v4_mtu_reduced+0x2e/0xc0
      [ 1570.586293]  [<ffffffff81553bc4>] tcp_release_cb+0xa4/0xb0
      [ 1570.586296]  [<ffffffff814f2c35>] release_sock+0x55/0xa0
      [ 1570.586300]  [<ffffffff815442ef>] tcp_sendmsg+0x4af/0xf50
      [ 1570.586305]  [<ffffffff8156fc60>] inet_sendmsg+0x120/0x230
      [ 1570.586308]  [<ffffffff8156fb40>] ? inet_sk_rebuild_header+0x40/0x40
      [ 1570.586312]  [<ffffffff814f4bdd>] ? sock_update_classid+0xbd/0x3b0
      [ 1570.586315]  [<ffffffff814f4c50>] ? sock_update_classid+0x130/0x3b0
      [ 1570.586320]  [<ffffffff814ec435>] do_sock_write+0xc5/0xe0
      [ 1570.586323]  [<ffffffff814ec4a3>] sock_aio_write+0x53/0x80
      [ 1570.586328]  [<ffffffff8114bc83>] do_sync_write+0xa3/0xe0
      [ 1570.586332]  [<ffffffff8114c5a5>] vfs_write+0x165/0x180
      [ 1570.586335]  [<ffffffff8114c805>] sys_write+0x45/0x90
      [ 1570.586340]  [<ffffffff815d2722>] system_call_fastpath+0x16/0x1b
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NPavel Roskin <proski@gnu.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5ae7d41
    • Y
      bnx2x: fix 57840_MF pci id · 5c879d20
      Yuval Mintz 提交于
      Commit c3def943 have added support for
      new pci ids of the 57840 board, while failing to change the obsolete value
      in 'pci_ids.h'.
      This patch does so, allowing the probe of such devices.
      Signed-off-by: NYuval Mintz <yuvalmin@broadcom.com>
      Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5c879d20
    • F
      net: ipv4: ipmr_expire_timer causes crash when removing net namespace · acbb219d
      Francesco Ruggeri 提交于
      When tearing down a net namespace, ipv4 mr_table structures are freed
      without first deactivating their timers. This can result in a crash in
      run_timer_softirq.
      This patch mimics the corresponding behaviour in ipv6.
      Locking and synchronization seem to be adequate.
      We are about to kfree mrt, so existing code should already make sure that
      no other references to mrt are pending or can be created by incoming traffic.
      The functions invoked here do not cause new references to mrt or other
      race conditions to be created.
      Invoking del_timer_sync guarantees that ipmr_expire_timer is inactive.
      Both ipmr_expire_process (whose completion we may have to wait in
      del_timer_sync) and mroute_clean_tables internally use mfc_unres_lock
      or other synchronizations when needed, and they both only modify mrt.
      
      Tested in Linux 3.4.8.
      Signed-off-by: NFrancesco Ruggeri <fruggeri@aristanetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      acbb219d
    • B
      e1000e: DoS while TSO enabled caused by link partner with small MSS · d821a4c4
      Bruce Allan 提交于
      With a low enough MSS on the link partner and TSO enabled locally, the
      networking stack can periodically send a very large (e.g.  64KB) TCP
      message for which the driver will attempt to use more Tx descriptors than
      are available by default in the Tx ring.  This is due to a workaround in
      the code that imposes a limit of only 4 MSS-sized segments per descriptor
      which appears to be a carry-over from the older e1000 driver and may be
      applicable only to some older PCI or PCIx parts which are not supported in
      e1000e.  When the driver gets a message that is too large to fit across the
      configured number of Tx descriptors, it stops the upper stack from queueing
      any more and gets stuck in this state.  After a timeout, the upper stack
      assumes the adapter is hung and calls the driver to reset it.
      
      Remove the unnecessary limitation of using up to only 4 MSS-sized segments
      per Tx descriptor, and put in a hard failure test to catch when attempting
      to check for message sizes larger than would fit in the whole Tx ring.
      Refactor the remaining logic that limits the size of data per Tx descriptor
      from a seemingly arbitrary 8KB to a limit based on the dynamic size of the
      Tx packet buffer as described in the hardware specification.
      
      Also, fix the logic in the check for space in the Tx ring for the next
      largest possible packet after the current one has been successfully queued
      for transmit, and use the appropriate defines for default ring sizes in
      e1000_probe instead of magic values.
      
      This issue goes back to the introduction of e1000e in 2.6.24 when it was
      split off from e1000.
      Reported-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NBruce Allan <bruce.w.allan@intel.com>
      Cc: Stable <stable@vger.kernel.org> [2.6.24+]
      Tested-by: NAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d821a4c4
    • X
      l2tp: avoid to use synchronize_rcu in tunnel free function · 99469c32
      xeb@mail.ru 提交于
      Avoid to use synchronize_rcu in l2tp_tunnel_free because context may be
      atomic.
      Signed-off-by: NDmitry Kozlov <xeb@mail.ru>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      99469c32
    • C
      gianfar: fix default tx vlan offload feature flag · e2c53be2
      Claudiu Manoil 提交于
      Commit -
      "b852b720 gianfar: fix bug caused by
      87c288c6"
      disables by default (on mac init) the hw vlan tag insertion.
      The "features" flags were not updated to reflect this, and
      "ethtool -K" shows tx-vlan-offload to be "on" by default.
      
      Cc: Sebastian Poehn <sebastian.poehn@belden.com>
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e2c53be2
    • P
      netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation · 3f509c68
      Pablo Neira Ayuso 提交于
      We're hitting bug while trying to reinsert an already existing
      expectation:
      
      kernel BUG at kernel/timer.c:895!
      invalid opcode: 0000 [#1] SMP
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa0069563>] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack]
       [<ffffffff812d423a>] ? in4_pton+0x72/0x131
       [<ffffffffa00ca69e>] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip]
       [<ffffffffa00b5b9b>] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip]
       [<ffffffffa00b5f15>] process_sdp+0x30c/0x3ec [nf_conntrack_sip]
       [<ffffffff8103f1eb>] ? irq_exit+0x9a/0x9c
       [<ffffffffa00ca738>] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip]
      
      We have to remove the RTP expectation if the RTCP expectation hits EBUSY
      since we keep trying with other ports until we succeed.
      Reported-by: NRafal Fitt <rafalf@aplusc.com.pl>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      3f509c68
    • I
      xen-netfront: use __pskb_pull_tail to ensure linear area is big enough on RX · 3683243b
      Ian Campbell 提交于
      I'm slightly concerned by the "only in exceptional circumstances"
      comment on __pskb_pull_tail but the structure of an skb just created
      by netfront shouldn't hit any of the especially slow cases.
      
      This approach still does slightly more work than the old way, since if
      we pull up the entire first frag we now have to shuffle everything
      down where before we just received into the right place in the first
      place.
      Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: xen-devel@lists.xensource.com
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Tested-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3683243b
    • L
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 155e36d4
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "A bunch of scattered fixes ati/intel/nouveau, couple of core ones,
        nothing too shocking or different."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm: Add EDID_QUIRK_FORCE_REDUCED_BLANKING for ASUS VW222S
        gma500: Consider CRTC initially active.
        drm/radeon: fix dig encoder selection on DCE61
        drm/radeon: fix double free in radeon_gpu_reset
        drm/radeon: force dma32 to fix regression rs4xx,rs6xx,rs740
        drm/radeon: rework panel mode setup
        drm/radeon/atom: powergating fixes for DCE6
        drm/radeon/atom: rework DIG modesetting on DCE3+
        drm/radeon: don't disable plls that are in use by other crtcs
        drm/radeon: add proper checking of RESOLVE_BOX command for r600-r700
        drm/radeon: initialize tracked CS state
        drm/radeon: fix reading CB_COLORn_MASK from the CS
        drm/nvc0/copy: check PUNITS to determine which copy engines are disabled
        i915: Quirk no_lvds on Gigabyte GA-D525TUD ITX motherboard
        drm/i915: Use the correct size of the GTT for placing the per-process entries
        drm: Check for invalid cursor flags
        drm: Initialize object type when using DRM_MODE() macro
        drm/i915: fix color order for BGR formats on IVB
        drm/i915: fix wrong order of parameters in port checking functions
      155e36d4
  7. 30 8月, 2012 8 次提交