- 11 11月, 2010 5 次提交
-
-
由 David S. Miller 提交于
As noted by Steve Chen, since commit f5fff5dc ("tcp: advertise MSS requested by user") we can end up with a situation where tcp_select_initial_window() does a divide by a zero (or even negative) mss value. The problem is that sometimes we effectively subtract TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss. Fix this by increasing the minimum from 8 to 64. Reported-by: NSteve Chen <schen@mvista.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Robin Holt tried to boot a 16TB machine and found some limits were reached : sysctl_tcp_mem[2], sysctl_udp_mem[2] We can switch infrastructure to use long "instead" of "int", now atomic_long_t primitives are available for free. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Reported-by: NRobin Holt <holt@sgi.com> Reviewed-by: NRobin Holt <holt@sgi.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vasiliy Kulikov 提交于
packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
There is a possibility malicious users can get limited information about uninitialized stack mem array. Even if sk_run_filter() result is bound to packet length (0 .. 65535), we could imagine this can be used by hostile user. Initializing mem[] array, like Dan Rosenberg suggested in his patch is expensive since most filters dont even use this array. Its hard to make the filter validation in sk_chk_filter(), because of the jumps. This might be done later. In this patch, I use a bitmap (a single long var) so that only filters using mem[] loads/stores pay the price of added security checks. For other filters, additional cost is a single instruction. [ Since we access fentry->k a lot now, cache it in a local variable and mark filter entry pointer as const. -DaveM ] Reported-by: NDan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vasiliy Kulikov 提交于
Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct, also the struct has padding bytes between sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 10 11月, 2010 5 次提交
-
-
由 Eric Dumazet 提交于
Followup of commit ef885afb (net: use rcu_barrier() in rollback_registered_many) dst_dev_event() scans a garbage dst list that might be feeded by various network notifiers at device dismantle time. Its important to call dst_dev_event() after other notifiers, or we might enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER, dev) to properly remove last device references. Use priority -10 to let dst_dev_notifier be called after other network notifiers (they have the default 0 priority) Reported-by: NBen Greear <greearb@candelatech.com> Reported-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Reported-by: NOctavian Purdila <opurdila@ixiacom.com> Reported-by: NBenjamin LaHaise <bcrl@kvack.org> Tested-by: NBen Greear <greearb@candelatech.com> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Kulikov Vasiliy 提交于
Structure sockaddr_tipc is copied to userland with padding bytes after "id" field in union field "name" unitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 françois romieu 提交于
As device_set_wakeup_enable can now sleep, move the call to outside the critical section. Signed-off-by: NDaniel J Blueman <daniel.blueman@gmail.com> Acked-by: NRafael J. Wysocki <rjw@sisk.pl> Acked-by: NAndrew Hendry <andrew.hendry@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 françois romieu 提交于
The original patch helps under obscure conditions (no pun) but some 8168 do not like it. The change needs to be tightened with a specific 8168 version. This reverts commit 801e147c ("r8169: Handle rxfifo errors on 8168 chips"). Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com> Tested-by: NAndreas Radke <a.radke@arcor.de> Cc: Matthew Garrett <mjg@redhat.com> Cc: Daniel J Blueman <daniel.blueman@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
commit 8723e1b4 (inet: RCU changes in inetdev_by_index()) forgot one call site in ip_mc_drop_socket() We should not decrease idev refcount after inetdev_by_index() call, since refcount is not increased anymore. Reported-by: NMarkus Trippelsdorf <markus@trippelsdorf.de> Reported-by: NMiles Lane <miles.lane@gmail.com> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 09 11月, 2010 10 次提交
-
-
由 Pavel Emelyanov 提交于
The sgs allocation error path leaks the allocated message. Signed-off-by: NPavel Emelyanov <xemul@openvz.org> Acked-by: NAndy Grover <andy.grover@oracle.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Frank Blaschka 提交于
QDIO is running independent from netdevice state. We are not allowed to schedule NAPI in case the netdevice is not open. Signed-off-by: NFrank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ursula Braun 提交于
For a certain Hipersockets specific error code in the xmit path, the qeth driver tries to invoke dev_queue_xmit again. Commit 79640a4c introduces a busylock causing locking problems in case of re-invoked dev_queue_xmit by qeth. This patch removes the attempts to retry packet sending with dev_queue_xmit from the qeth driver. Signed-off-by: NUrsula Braun <ursula.braun@de.ibm.com> Signed-off-by: NFrank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Junchang Wang 提交于
This fix a bug reported by backyes. Right the first time pktgen's using queue_map that's not been initialized by set_cur_queue_map(pkt_dev); Signed-off-by: NJunchang Wang <junchangwang@gmail.com> Signed-off-by: NBackyes <backyes@mail.ustc.edu.cn> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Guillaume Chazarain 提交于
After e6484930: net: allocate tx queues in register_netdevice These calls make net drivers oops at load time, so let's avoid people git-bisect'ing known problems. Signed-off-by: NGuillaume Chazarain <guichaz@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Guillaume Chazarain 提交于
After e6484930: net: allocate tx queues in register_netdevice It causes an Oops at skge_probe() time. Signed-off-by: NGuillaume Chazarain <guichaz@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Shan Wei 提交于
The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int, and offset is int. Without this patch, type conversion occurred to this expression, when (FRAG6_CB(prev)->offset + prev->len) is less than offset. Signed-off-by: NShan Wei <shanwei@cn.fujitsu.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 stephen hemminger 提交于
The basic classifier keeps statistics but does not report it to user space. This showed up when using basic classifier (with police) as a default catch all on ingress; no statistics were reported. Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David Woodhouse 提交于
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David Woodhouse 提交于
The existing 'FirmwareVersion' attribute only covers the DSP firmware as provided by Conexant; not the overall version of the device firmware. We do want to be able to see the full version number too. Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 11月, 2010 1 次提交
-
-
由 Paul Mundt 提交于
Presently the b43legacy build fails on an sh randconfig: In file included from include/net/dst.h:12, from drivers/net/wireless/b43legacy/xmit.c:32: include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__' before '____cacheline_aligned_in_smp' include/net/dst_ops.h: In function 'dst_entries_get_fast': include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_get_slow': include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_add': include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_init': include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_destroy': include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named 'pcpuc_entries' make[5]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1 make[5]: *** Waiting for unfinished jobs.... Signed-off-by: NPaul Mundt <lethal@linux-sh.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 07 11月, 2010 1 次提交
-
-
由 Dmitry Torokhov 提交于
This should fix the following warning: net/core/pktgen.c: In function ‘pktgen_if_write’: net/core/pktgen.c:890: warning: comparison of distinct pointer types lacks a cast Signed-off-by: NDmitry Torokhov <dtor@mail.ru> Reviewed-by: NNelson Elhage <nelhage@ksplice.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 05 11月, 2010 3 次提交
-
-
由 Nelson Elhage 提交于
We were using nlmsg_find_attr() to look up the bytecode by attribute when auditing, but then just using the first attribute when actually running bytecode. So, if we received a message with two attribute elements, where only the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different bytecode strings. Fix this by consistently using nlmsg_find_attr everywhere. Signed-off-by: NNelson Elhage <nelhage@ksplice.com> Signed-off-by: NThomas Graf <tgraf@infradead.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nelson Elhage 提交于
This will let us use it on a nlmsghdr stored inside a netlink_callback. Signed-off-by: NNelson Elhage <nelhage@ksplice.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
After commit ebc0ffae (RCU conversion of fib_lookup()), fib_result_assign() should not change fib refcounts anymore. Thanks to Michael who did the bisection and bug report. Reported-by: NMichael Ellerman <michael@ellerman.id.au> Tested-by: NMichael Ellerman <michael@ellerman.id.au> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 11月, 2010 14 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Herbert Xu 提交于
Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Reviewed-by: NLi Zefan <lizf@cn.fujitsu.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 andrew hendry 提交于
Signed-of-by: NAndrew Hendry <andrew.hendry@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Xiaotian Feng 提交于
There're some percpu_counter list corruption and poison overwritten warnings in recent kernel, which is resulted by fc66f95c. commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel init the percpu_counter for dst entries, but, the percpu_counter is never destroyed in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter is still on the list, then if we insert/remove other percpu_counter, list corruption resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of the freed value, the poison overwritten is resulted then. With the following patch, the percpu_counter list corruption and poison overwritten warnings disappeared. Signed-off-by: NXiaotian Feng <dfeng@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pavel Emelyanov 提交于
All the rds_tcp_connection objects are stored list, but when being freed it should be removed from there. Signed-off-by: NPavel Emelyanov <xemul@openvz.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pavel Emelyanov 提交于
The conn is removed from list in there and this requires proper lock protection. Signed-off-by: NPavel Emelyanov <xemul@openvz.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Its now illegal to call netif_stop_queue() before register_netdev() Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Its now illegal to call netif_stop_queue() before register_netdev() Reported-by: NTom Gundersen <teg@jklm.no> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Amerigo Wang 提交于
Quote from Amit Salecha: "Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already submitted and its present in linux-firmware.git. I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?" We have to remove these, otherwise we will get wrong info from modinfo. Signed-off-by: NWANG Cong <amwang@redhat.com> Cc: Amit Kumar Salecha <amit.salecha@qlogic.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com> Cc: Narender Kumar <narender.kumar@qlogic.com> Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>-- Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
Signed-off-by: NSjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Sjur Brændeland 提交于
Signed-off-by: NSjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 André Carvalho de Matos 提交于
Changes: o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute priority instead. o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute ifindex instead. o Wrong assert statement for RFM layer segmentation. o CAIF Debug channels was not working over SPI, caif_payload_info containing padding info must be initialized. o Check on pointer before dereferencing when unregister dev in caif_dev.c Signed-off-by: NSjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 John Faith 提交于
The SMSC911x supports 128 x 8-bit EEPROMs. Increase the EEPROM size so more than just the MAC address can be stored. Signed-off-by: NJohn Faith <jfaith7@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 03 11月, 2010 1 次提交
-
-
由 Vasiliy Kulikov 提交于
Structure ipt_getinfo is copied to userland with the field "name" that has the last elements unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-