- 21 9月, 2012 8 次提交
-
-
由 Mathias Krause 提交于
The ESN replay window was already fully initialized in xfrm_alloc_replay_state_esn(). No need to copy it again. Cc: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
The current code fails to ensure that the netlink message actually contains as many bytes as the header indicates. If a user creates a new state or updates an existing one but does not supply the bytes for the whole ESN replay window, the kernel copies random heap bytes into the replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL netlink attribute. This leads to following issues: 1. The replay window has random bits set confusing the replay handling code later on. 2. A malicious user could use this flaw to leak up to ~3.5kB of heap memory when she has access to the XFRM netlink interface (requires CAP_NET_ADMIN). Known users of the ESN replay window are strongSwan and Steffen's iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter uses the interface with a bitmap supplied while the former does not. strongSwan is therefore prone to run into issue 1. To fix both issues without breaking existing userland allow using the XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a fully specified one. For the former case we initialize the in-kernel bitmap with zero, for the latter we copy the user supplied bitmap. For state updates the full bitmap must be supplied. To prevent overflows in the bitmap length calculation the maximum size of bmp_len is limited to 128 by this patch -- resulting in a maximum replay window of 4096 packets. This should be sufficient for all real life scenarios (RFC 4303 recommends a default replay window size of 64). Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Martin Willi <martin@revosec.ch> Cc: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: NMathias Krause <minipli@googlemail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
The memory used for the template copy is a local stack variable. As struct xfrm_user_tmpl contains multiple holes added by the compiler for alignment, not initializing the memory will lead to leaking stack bytes to userland. Add an explicit memset(0) to avoid the info leak. Initial version of the patch by Brad Spengler. Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
The memory reserved to dump the xfrm policy includes multiple padding bytes added by the compiler for alignment (padding bytes in struct xfrm_selector and struct xfrm_userpolicy_info). Add an explicit memset(0) before filling the buffer to avoid the heap info leak. Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
The memory reserved to dump the xfrm state includes the padding bytes of struct xfrm_usersa_info added by the compiler for alignment (7 for amd64, 3 for i386). Add an explicit memset(0) before filling the buffer to avoid the info leak. Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
copy_to_user_auth() fails to initialize the remainder of alg_name and therefore discloses up to 54 bytes of heap memory via netlink to userland. Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name with null bytes. Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Bjørn Mork 提交于
One of the modes of Huawei E367 has this QMI/wwan interface: I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=07 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms Huawei use subclass and protocol to identify vendor specific functions, so adding a new vendor rule for this combination. The Pantech devices UML290 (106c:3718) and P4200 (106c:3721) use the same subclass to identify the QMI/wwan function. Replace the existing device specific UML290 entries with generic vendor matching, adding support for the Pantech P4200. The ZTE MF683 has 6 vendor specific interfaces, all using ff/ff/ff for cls/sub/prot. Adding a match on interface #5 which is a QMI/wwan interface. Cc: Fangxiaozhi (Franko) <fangxiaozhi@huawei.com> Cc: Thomas Schäfer <tschaefer@t-online.de> Cc: Dan Williams <dcbw@redhat.com> Cc: Shawn J. Goff <shawn7400@gmail.com> Signed-off-by: NBjørn Mork <bjorn@mork.no> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Andrey Vagin 提交于
rcv_wscale is a symetric parameter with snd_wscale. Both this parameters are set on a connection handshake. Without this value a remote window size can not be interpreted correctly, because a value from a packet should be shifted on rcv_wscale. And one more thing is that wscale_ok should be set too. This patch doesn't break a backward compatibility. If someone uses it in a old scheme, a rcv window will be restored with the same bug (rcv_wscale = 0). v2: Save backward compatibility on big-endian system. Before the first two bytes were snd_wscale and the second two bytes were rcv_wscale. Now snd_wscale is opt_val & 0xFFFF and rcv_wscale >> 16. This approach is independent on byte ordering. Cc: David S. Miller <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> CC: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: NAndrew Vagin <avagin@openvz.org> Acked-by: NPavel Emelyanov <xemul@parallels.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 20 9月, 2012 5 次提交
-
-
由 Li RongQing 提交于
It should be the skb which is not cloned Signed-off-by: NLi RongQing <roy.qing.li@gmail.com> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Søren holm 提交于
Signed-off-by: NSøren Holm <sgh@sgh.dk> Cc: stable@vger.kernel.org Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Paolo Valente 提交于
If the old timestamps of a class, say cl, are stale when the class becomes active, then QFQ may assign to cl a much higher start time than the maximum value allowed. This may happen when QFQ assigns to the start time of cl the finish time of a group whose classes are characterized by a higher value of the ratio max_class_pkt/weight_of_the_class with respect to that of cl. Inserting a class with a too high start time into the bucket list corrupts the data structure and may eventually lead to crashes. This patch limits the maximum start time assigned to a class. Signed-off-by: NPaolo Valente <paolo.valente@unimore.it> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Michal Kubeček 提交于
If recv() syscall is called for a TCP socket so that - IOAT DMA is used - MSG_WAITALL flag is used - requested length is bigger than sk_rcvbuf - enough data has already arrived to bring rcv_wnd to zero then when tcp_recvmsg() gets to calling sk_wait_data(), receive window can be still zero while sk_async_wait_queue exhausts enough space to keep it zero. As this queue isn't cleaned until the tcp_service_net_dma() call, sk_wait_data() cannot receive any data and blocks forever. If zero receive window and non-empty sk_async_wait_queue is detected before calling sk_wait_data(), process the queue first. Signed-off-by: NMichal Kubecek <mkubecek@suse.cz> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Linus Lüssing 提交于
On some architectures test_bit() can return other values than 0 or 1: With a generic x86 OpenWrt image in a kvm setup (batadv_)test_bit() frequently returns -1 for me, leading to batadv_iv_ogm_update_seqnos() wrongly signaling a protected seqno window. This patch tries to fix this issue by making batadv_test_bit() return 0 or 1 only. Signed-off-by: NLinus Lüssing <linus.luessing@web.de> Acked-by: NSven Eckelmann <sven@narfation.org> Signed-off-by: NAntonio Quartulli <ordex@autistici.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 9月, 2012 14 次提交
-
-
由 Tushar Dave 提交于
On PCI/PCI-X HW, if packet size is less than ETH_ZLEN, packets may get corrupted during padding by HW. To WA this issue, pad all small packets manually. Signed-off-by: NTushar Dave <tushar.n.dave@intel.com> Tested-by: NAaron Brown <aaron.f.brown@intel.com> Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Li RongQing 提交于
if xfrm_policy_get_afinfo returns 0, it has already released the read lock, xfrm_policy_put_afinfo should not be called again. Signed-off-by: NLi RongQing <roy.qing.li@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Stephan Springl found that commit 1402d366 "tcp: introduce tcp_try_coalesce" introduced a regression for rlogin It turns out problem comes from TCP urgent data handling and a change in behavior in input path. rlogin sends two one-byte packets with URG ptr set, and when next data frame is coalesced, we lack sk_data_ready() calls to wakeup consumer. Signed-off-by: NEric Dumazet <edumazet@google.com> Reported-by: NStephan Springl <springl-k@lar.bfw.de> Cc: Alexander Duyck <alexander.h.duyck@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Michael S. Tsirkin 提交于
If orphan flags fails, we don't free the skb on receive, which leaks the skb memory. Return value was also wrong: netif_receive_skb is supposed to return NET_RX_DROP, not ENOMEM. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nikolay Aleksandrov 提交于
Add a check if pdev->bus->self == NULL (root bus). When attaching a netxen NIC to a VM it can be on the root bus and the guest would crash in netxen_mask_aer_correctable() because of a NULL pointer dereference if CONFIG_PCIEAER is present. Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Michal Schmidt 提交于
Commit d6cb3e41 "bnx2x: fix checksum validation" caused a performance regression for IPv6. Rx checksum offload does not work. IPv6 packets are passed to the stack with CHECKSUM_NONE. The hardware obviously cannot perform IP checksum validation for IPv6, because there is no checksum in the IPv6 header. This should not prevent us from setting CHECKSUM_UNNECESSARY. Tested on BCM57711. Signed-off-by: NMichal Schmidt <mschmidt@redhat.com> Acked-by: NEric Dumazet <edumazet@google.com> Acked-by: NEilon Greenstein <eilong@broadcom.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
When dump_one_policy() returns an error, e.g. because of a too small buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns NULL instead of an error pointer. But its caller expects an error pointer and therefore continues to operate on a NULL skbuff. Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mathias Krause 提交于
When dump_one_state() returns an error, e.g. because of a too small buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL instead of an error pointer. But its callers expect an error pointer and therefore continue to operate on a NULL skbuff. This could lead to a privilege escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0. Signed-off-by: NMathias Krause <minipli@googlemail.com> Acked-by: NSteffen Klassert <steffen.klassert@secunet.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nicolas Dichtel 提交于
Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nicolas Dichtel 提交于
IPv6 dst should take care of rt_genid too. When a xfrm policy is inserted or deleted, all dst should be invalidated. To force the validation, dst entries should be created with ->obsolete set to DST_OBSOLETE_FORCE_CHK. This was already the case for all functions calling ip6_dst_alloc(), except for ip6_rt_copy(). As a consequence, we can remove the specific code in inet6_connection_sock. Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nicolas Dichtel 提交于
When a policy is inserted or deleted, all dst should be recalculated. Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nicolas Dichtel 提交于
This commit prepares the use of rt_genid by both IPv4 and IPv6. Initialization is left in IPv4 part. Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
We dont use jhash anymore since route cache removal, so we can get rid of get_random_bytes() calls for rt_genid changes. Signed-off-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nicolas Dichtel 提交于
Since route cache deletion (89aef892), delay is no more used. Remove it. Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 17 9月, 2012 1 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless由 David S. Miller 提交于
John W. Linville says: ==================== This is a batch of fixes intended for the 3.6 stream. Arend van Spriel sends a simple thinko fix to correct a constant, preventing the setting of an invalid power level. Colin Ian King gives us a simple allocation failure check to avoid a NULL pointer dereference. Felix Fietkau sends another ath9k tx power patch, this time disabling a feature that has been reported to cause rx problems. Hante Meuleman provides a pair of endian fixes for brcmfmac. Larry Finger offers an rtlwifi fix that avoids a system lockup related to loading the wrong firmware for RTL8188CE devices. These have been in linux-next for a few days and I think they should be included in the final 3.6 kernel if possible. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 15 9月, 2012 12 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes由 Linus Torvalds 提交于
Pull GFS2 fixes from Steven Whitehouse: "Here are three GFS2 fixes for the current kernel tree. These are all related to the block reservation code which was added at the merge window. That code will be getting an update at the forthcoming merge window too. In the mean time though there are a few smaller issues which should be fixed. The first patch resolves an issue with write sizes of greater than 32 bits with the size hinting code. The second ensures that the allocation data structure is initialised when using xattrs and the third takes into account allocations which may have been made by other nodes which affect a reservation on the local node." * git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes: GFS2: Take account of blockages when using reserved blocks GFS2: Fix missing allocation data for set/remove xattr GFS2: Make write size hinting code common
-
git://cavan.codon.org.uk/platform-drivers-x86由 Linus Torvalds 提交于
Pull x86 platform driver updates from Matthew Garrett: "A few small updates for 3.6 - a trivial regression fix and a couple of conformance updates for the gmux driver, plus some tiny fixes for asus-wmi, eeepc-laptop and thinkpad_acpi." * 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86: thinkpad_acpi: buffer overflow in fan_get_status() eeepc-laptop: fix device reference count leakage in eeepc_rfkill_hotplug() platform/x86: fix asus_laptop.wled_type description asus-laptop: HRWS/HWRS typo drivers-platform-x86: remove useless #ifdef CONFIG_ACPI_VIDEO apple-gmux: Fix port address calculation in gmux_pio_write32() apple-gmux: Fix index read functions apple-gmux: Obtain version info from indexed gmux
-
git://git.pengutronix.de/git/wsa/linux由 Linus Torvalds 提交于
Pull i2c embedded fixes from Wolfram Sang: "The last bunch of (typical) i2c-embedded driver fixes for 3.6. Also update the MAINTAINERS file to point to my tree since people keep asking where to find their patches." * 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux: i2c: algo: pca: Fix mode selection for PCA9665 MAINTAINERS: fix tree for current i2c-embedded development i2c: mxs: correctly setup speed for non devicetree i2c: pnx: Fix read transactions of >= 2 bytes i2c: pnx: Fix bit definitions
-
由 Linus Torvalds 提交于
Merge tag 'ecryptfs-3.6-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull ecryptfs fixes from Tyler Hicks: - Fixes a regression, introduced in 3.6-rc1, when a file is closed before its shared memory mapping is dirtied and unmapped. The lower file was being released when the eCryptfs file was closed and the dirtied pages could not be written out. - Adds a call to the lower filesystem's ->flush() from ecryptfs_flush(). - Fixes a regression, introduced in 2.6.39, when a file is renamed on top of another file. The target file's inode was not being evicted and the space taken by the file was not reclaimed until eCryptfs was unmounted. * tag 'ecryptfs-3.6-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: Copy up attributes of the lower target inode after rename eCryptfs: Call lower ->flush() from ecryptfs_flush() eCryptfs: Write out all dirty pages just before releasing the lower file
-
git://git.linaro.org/people/mszyprowski/linux-dma-mapping由 Linus Torvalds 提交于
Pull one more DMA-mapping fix from Marek Szyprowski: "This patch fixes very subtle bug (typical off-by-one error) which might appear in very rare circumstances." * 'fixes-for-3.6' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping: arm: mm: fix DMA pool affiliation check
-
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging由 Linus Torvalds 提交于
Pull hwmon fixes from Guenter Roeck: "Fix word size register read and write operations in ina2xx driver, and initialize uninitialized structure elements in twl4030-madc-hwmon driver." * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (ina2xx) Fix word size register read and write operations hwmon: (twl4030-madc-hwmon) Initialize uninitialized structure elements
-
git://people.freedesktop.org/~airlied/linux由 Linus Torvalds 提交于
Pull drm fixes from Dave Airlie: "I realise this a bit bigger than I would want at this point. Exynos is a large chunk, I got them to half what they wanted already, and hey its ARM based, so not going to hurt many people. Radeon has only two fixes, but the PLL fixes were a bit bigger, but required for a lot of scenarios, the fence fix is really urgent. vmwgfx: I've pulled in a dumb ioctl support patch that I was going to shove in later and cc stable, but we need it asap, its mainly to stop mesa growing a really ugly dependency in userspace to run stuff on vmware, and if I don't stick it in the kernel now, everyone will have to ship ugly userspace libs to workaround it. nouveau: single urgent fix found in F18 testing, causes X to not start properly when f18 plymouth is used i915: smattering of fixes and debug quieting gma500: single regression fix So as I said a bit large, but its fairly well scattered and its all stuff I'll be shipping in F18's 3.6 kernel." * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (26 commits) drm/nouveau: fix booting with plymouth + dumb support drm/radeon: make 64bit fences more robust v3 drm/radeon: rework pll selection (v3) drm: Drop the NV12M and YUV420M formats drm/exynos: remove DRM_FORMAT_NV12M from plane module drm/exynos: fix double call of drm_prime_(init/destroy)_file_private drm/exynos: add dummy support for dmabuf-mmap drm/exynos: Add missing braces around sizeof in exynos_mixer.c drm/exynos: Add missing braces around sizeof in exynos_hdmi.c drm/exynos: Make g2d_pm_ops static drm/exynos: Add dependency for G2D in Kconfig drm/exynos: fixed page align bug. drm/exynos: Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(.. [1] drm/exynos: Use devm_* functions in exynos_drm_g2d.c file drm/exynos: Use devm_kzalloc in exynos_drm_hdmi.c file drm/exynos: Use devm_kzalloc in exynos_drm_vidi.c file drm/exynos: Remove redundant check in exynos_drm_fimd.c file drm/exynos: Remove redundant check in exynos_hdmi.c file vmwgfx: add dumb ioctl support gma500: Fix regression on Oaktrail devices ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip由 Linus Torvalds 提交于
Pull scheduler fixes from Ingo Molnar: "Smaller fixlets" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched: Fix kernel-doc warnings in kernel/sched/fair.c sched: Unthrottle rt runqueues in __disable_runtime() sched: Add missing call to calc_load_exit_idle() sched: Fix load avg vs cpu-hotplug
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip由 Linus Torvalds 提交于
Pull perf fixes from Ingo Molnar: "This tree includes various fixes" Ingo really needs to improve on the whole "explain git pull" part. "Various fixes" indeed. * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/hwpb: Invoke __perf_event_disable() if interrupts are already disabled perf/x86: Enable Intel Cedarview Atom suppport perf_event: Switch to internal refcount, fix race with close() oprofile, s390: Fix uninitialized memory access when writing to oprofilefs perf/x86: Fix microcode revision check for SNB-PEBS
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip由 Linus Torvalds 提交于
Pull a core sparse warning fix from Ingo Molnar * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: mm/memblock: Use NULL instead of 0 for pointers
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net由 Linus Torvalds 提交于
Pull networking fixes from David Miller: 1) Use after free and new device IDs in bluetooth from Andre Guedes, Yevgeniy Melnichuk, Gustavo Padovan, and Henrik Rydberg. 2) Fix crashes with short packet lengths and VLAN in pktgen, from Nishank Trivedi. 3) mISDN calls flush_work_sync() with locks held, fix from Karsten Keil. 4) Packet scheduler gred parameters are reported to userspace improperly scaled, and WRED idling is not performed correctly. All from David Ward. 5) Fix TCP socket refcount problem in ipv6, from Julian Anastasov. 6) ibmveth device has RX queue alignment requirements which are not being explicitly met resulting in sporadic failures, fix from Santiago Leon. 7) Netfilter needs to take care when interpreting sockets attached to socket buffers, they could be time-wait minisockets. Fix from Eric Dumazet. 8) sock_edemux() has the same issue as netfilter did in #7 above, fix from Eric Dumazet. 9) Avoid infinite loops in CBQ scheduler with some configurations, from Eric Dumazet. 10) Deal with "Reflection scan: an Off-Path Attack on TCP", from Jozsef Kadlecsik. 11) SCTP overcharges socket for TX packets, fix from Thomas Graf. 12) CODEL packet scheduler should not reset it's state every time it builds a new flow, fix from Eric Dumazet. 13) Fix memory leak in nl80211, from Wei Yongjun. 14) NETROM doesn't check skb_copy_datagram_iovec() return values, from Alan Cox. 15) l2tp ethernet was using sizeof(ETH_HLEN) instead of plain ETH_HLEN, oops. From Eric Dumazet. 16) Fix selection of ath9k chips on which PA linearization and AM2PM predistoration are used, from Felix Fietkau. 17) Flow steering settings in mlx4 driver need to be validated properly, from Hadar Hen Zion. 18) bnx2x doesn't show the correct link duplex setting, from Yaniv Rosner. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (75 commits) pktgen: fix crash with vlan and packet size less than 46 bnx2x: Add missing afex code bnx2x: fix registers dumped bnx2x: correct advertisement of pause capabilities bnx2x: display the correct duplex value bnx2x: prevent timeouts when using PFC bnx2x: fix stats copying logic bnx2x: Avoid sending multiple statistics queries net: qmi_wwan: call subdriver with control intf only net_sched: gred: actually perform idling in WRED mode net_sched: gred: fix qave reporting via netlink net_sched: gred: eliminate redundant DP prio comparisons net_sched: gred: correct comment about qavg calculation in RIO mode mISDN: Fix wrong usage of flush_work_sync while holding locks netfilter: log: Fix log-level processing net-sched: sch_cbq: avoid infinite loop net: qmi_wwan: fix Gobi device probing for un2430 net: fix net/core/sock.c build error ixp4xx_hss: fix build failure due to missing linux/module.h inclusion caif: move the dereference below the NULL test ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb由 Linus Torvalds 提交于
Pull USB patches from Greg Kroah-Hartman: "Here are a number of USB patches, a bit more than I normally like this late in the -rc series, but given people's vacations (myself included), and the kernel summit, it seems to have happened this way. All are tiny, but they add up. A number of gadget and xhci fixes, and a few new device ids. All have been tested in linux-next. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>" * tag 'usb-3.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (33 commits) usb: chipidea: udc: don't stall endpoint if request list is empty in isr_tr_complete_low usb: chipidea: cleanup dma_pool if udc_start() fails usb: chipidea: udc: fix error path in udc_start() usb: chipidea: udc: add pullup fuction, needed by the uvc gadget usb: chipidea: udc: fix setup of endpoint maxpacket size USB: option: replace ZTE K5006-Z entry with vendor class rule EHCI: Update qTD next pointer in QH overlay region during unlink USB: cdc-wdm: fix wdm_find_device* return value USB: ftdi_sio: do not claim CDC ACM function usb: dwc3: gadget: fix pending isoc handling usb: renesas_usbhs: fixup DMA transport data alignment usb: gadget: at91udc: Don't check for ep->ep.desc usb: gadget: at91udc: don't overwrite driver data usb: dwc3: core: fix incorrect usage of resource pointer usb: musb: musbhsdma: fix IRQ check usb: musb: tusb6010: fix error path in tusb_probe() usb: musb: host: fix for musb_start_urb Oops usb: gadget: dummy_hcd: add support for USB_DT_BOS on rh usb: gadget: dummy_hcd: fixup error probe path usb: gadget: s3c-hsotg.c: fix error return code ...
-