1. 11 1月, 2016 6 次提交
  2. 10 1月, 2016 2 次提交
  3. 09 1月, 2016 5 次提交
  4. 08 1月, 2016 1 次提交
  5. 07 1月, 2016 7 次提交
    • S
      batman-adv: Fix invalid read while copying bat_iv.bcast_own · 13bbdd37
      Sven Eckelmann 提交于
      batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously
      belonged to the now removed interface. This is done by copying all data
      which comes before the removed interface and then appending all the data
      which comes after the removed interface.
      
      The address calculation for the position of the data which comes after the
      removed interface assumed that the bat_iv.bcast_own is a pointer to a
      single byte datatype. But it is a pointer to unsigned long and thus the
      calculated position was wrong off factor sizeof(unsigned long).
      
      Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets /
      bitarray added)")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: NAntonio Quartulli <a@unstable.cc>
      13bbdd37
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 51cb67c0
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
       "As usual, there are a couple straggler bug fixes:
      
         1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic
            driver.  Fix from Insu Yun.
      
         2) SKB refcounting bug in connector, from Florian Westphal.
      
         3) vrf_get_saddr() has to propagate fib_lookup() errors to it's
            callers, from David Ahern.
      
         4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat.
      
         5) qdisc_rcu_free() fails to free the per-cpu qstats.  Fix from John
            Fastabend.
      
         6) vmxnet3 driver passes wrong page to dma_map_page(), fix from
           Shrikrishna Khare.
      
         7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        tcp: fix zero cwnd in tcp_cwnd_reduction
        Driver: Vmxnet3: Fix regression caused by 5738a09d
        net: qmi_wwan: Add WeTelecom-WPD600N
        mkiss: fix scribble on freed memory
        net: possible use after free in dst_release
        net: sched: fix missing free per cpu on qstats
        ARM: net: bpf: fix zero right shift
        6pack: fix free memory scribbles
        net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
        bridge: Only call /sbin/bridge-stp for the initial network namespace
        af_unix: Fix splice-bind deadlock
        net: Propagate lookup failure in l3mdev_get_saddr to caller
        r8152: add reset_resume function
        connector: bump skb->users before callback invocation
        cxgb4: correctly handling failed allocation
        qlcnic: correctly handle qlcnic_alloc_mbx_args
      51cb67c0
    • Y
      tcp: fix zero cwnd in tcp_cwnd_reduction · 8b8a321f
      Yuchung Cheng 提交于
      Patch 3759824d ("tcp: PRR uses CRB mode by default and SS mode
      conditionally") introduced a bug that cwnd may become 0 when both
      inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
      to a div-by-zero if the connection starts another cwnd reduction
      phase by setting tp->prior_cwnd to the current cwnd (0) in
      tcp_init_cwnd_reduction().
      
      To prevent this we skip PRR operation when nothing is acked or
      sacked. Then cwnd must be positive in all cases as long as ssthresh
      is positive:
      
      1) The proportional reduction mode
         inflight > ssthresh > 0
      
      2) The reduction bound mode
        a) inflight == ssthresh > 0
      
        b) inflight < ssthresh
           sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
      
      Therefore in all cases inflight and sndcnt can not both be 0.
      We check invalid tp->prior_cwnd to avoid potential div0 bugs.
      
      In reality this bug is triggered only with a sequence of less common
      events.  For example, the connection is terminating an ECN-triggered
      cwnd reduction with an inflight 0, then it receives reordered/old
      ACKs or DSACKs from prior transmission (which acks nothing). Or the
      connection is in fast recovery stage that marks everything lost,
      but fails to retransmit due to local issues, then receives data
      packets from other end which acks nothing.
      
      Fixes: 3759824d ("tcp: PRR uses CRB mode by default and SS mode conditionally")
      Reported-by: NOleksandr Natalenko <oleksandr@natalenko.name>
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8b8a321f
    • S
    • K
      net: qmi_wwan: Add WeTelecom-WPD600N · e439bd4a
      Kristian Evensen 提交于
      The WeTelecom-WPD600N is an LTE module that, in addition to supporting most
      "normal" bands, also supports LTE over 450MHz. Manual testing showed that
      only interface number three replies to QMI messages.
      
      Cc: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: NKristian Evensen <kristian.evensen@gmail.com>
      Acked-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e439bd4a
    • A
      mkiss: fix scribble on freed memory · fde55c45
      Alan 提交于
      commit d79f16c0 fixed a user triggerable
      scribble on free memory but added a new one which allows the user to
      scribble even more and user controlled data into freed space.
      
      As with 6pack we need to halt the queue before we free the buffers, because
      the transmit logic is not protected by the semaphore.
      Signed-off-by: NAlan Cox <alan@linux.intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fde55c45
    • F
      net: possible use after free in dst_release · 07a5d384
      Francesco Ruggeri 提交于
      dst_release should not access dst->flags after decrementing
      __refcnt to 0. The dst_entry may be in dst_busy_list and
      dst_gc_task may dst_destroy it before dst_release gets a chance
      to access dst->flags.
      
      Fixes: d69bbf88 ("net: fix a race in dst_release()")
      Fixes: 27b75c95 ("net: avoid RCU for NOCACHE dst")
      Signed-off-by: NFrancesco Ruggeri <fruggeri@arista.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      07a5d384
  6. 06 1月, 2016 7 次提交
  7. 05 1月, 2016 9 次提交
    • C
      tile: provide CONFIG_PAGE_SIZE_64KB etc for tilepro · c1b27ab5
      Chris Metcalf 提交于
      This allows the build system to know that it can't attempt to
      configure the Lustre virtual block device, for example, when tilepro
      is using 64KB pages (as it does by default).  The tilegx build
      already provided those symbols.
      
      Previously we required that the tilepro hypervisor be rebuilt with
      a different hardcoded page size in its headers, and then Linux be
      rebuilt using the updated hypervisor header.  Now we allow each of
      the hypervisor and Linux to be built independently.  We still check
      at boot time to ensure that the page size provided by the hypervisor
      matches what Linux expects.
      Signed-off-by: NChris Metcalf <cmetcalf@ezchip.com>
      Cc: stable@vger.kernel.org [3.19+]
      c1b27ab5
    • R
      af_unix: Fix splice-bind deadlock · c845acb3
      Rainer Weikusat 提交于
      On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
      system call and AF_UNIX sockets,
      
      http://lists.openwall.net/netdev/2015/11/06/24
      
      The situation was analyzed as
      
      (a while ago) A: socketpair()
      B: splice() from a pipe to /mnt/regular_file
      	does sb_start_write() on /mnt
      C: try to freeze /mnt
      	wait for B to finish with /mnt
      A: bind() try to bind our socket to /mnt/new_socket_name
      	lock our socket, see it not bound yet
      	decide that it needs to create something in /mnt
      	try to do sb_start_write() on /mnt, block (it's
      	waiting for C).
      D: splice() from the same pipe to our socket
      	lock the pipe, see that socket is connected
      	try to lock the socket, block waiting for A
      B:	get around to actually feeding a chunk from
      	pipe to file, try to lock the pipe.  Deadlock.
      
      on 2015/11/10 by Al Viro,
      
      http://lists.openwall.net/netdev/2015/11/10/4
      
      The patch fixes this by removing the kern_path_create related code from
      unix_mknod and executing it as part of unix_bind prior acquiring the
      readlock of the socket in question. This means that A (as used above)
      will sb_start_write on /mnt before it acquires the readlock, hence, it
      won't indirectly block B which first did a sb_start_write and then
      waited for a thread trying to acquire the readlock. Consequently, A
      being blocked by C waiting for B won't cause a deadlock anymore
      (effectively, both A and B acquire two locks in opposite order in the
      situation described above).
      
      Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
      Signed-off-by: NRainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c845acb3
    • D
      net: Propagate lookup failure in l3mdev_get_saddr to caller · b5bdacf3
      David Ahern 提交于
      Commands run in a vrf context are not failing as expected on a route lookup:
          root@kenny:~# ip ro ls table vrf-red
          unreachable default
      
          root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254
          ping: Warning: source address might be selected on device other than vrf-red.
          PING 10.100.1.254 (10.100.1.254) from 0.0.0.0 vrf-red: 56(84) bytes of data.
      
          --- 10.100.1.254 ping statistics ---
          2 packets transmitted, 0 received, 100% packet loss, time 999ms
      
      Since the vrf table does not have a route for 10.100.1.254 the ping
      should have failed. The saddr lookup causes a full VRF table lookup.
      Propogating a lookup failure to the user allows the command to fail as
      expected:
      
          root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254
          connect: No route to host
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5bdacf3
    • H
      r8152: add reset_resume function · 7ec2541a
      hayeswang 提交于
      When the reset_resume() is called, the flag of SELECTIVE_SUSPEND should be
      cleared and reinitialize the device, whether the SELECTIVE_SUSPEND is set
      or not. If reset_resume() is called, it means the power supply is cut or the
      device is reset. That is, the device wouldn't be in runtime suspend state and
      the reinitialization is necessary.
      Signed-off-by: NHayes Wang <hayeswang@realtek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ec2541a
    • F
      connector: bump skb->users before callback invocation · 55285bf0
      Florian Westphal 提交于
      Dmitry reports memleak with syskaller program.
      Problem is that connector bumps skb usecount but might not invoke callback.
      
      So move skb_get to where we invoke the callback.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      55285bf0
    • I
      cxgb4: correctly handling failed allocation · 3934aa4c
      Insu Yun 提交于
      Since t4_alloc_mem can be failed in memory pressure,
      if not properly handled, NULL dereference could be happened.
      Signed-off-by: NInsu Yun <wuninsu@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3934aa4c
    • I
      qlcnic: correctly handle qlcnic_alloc_mbx_args · b77357b6
      Insu Yun 提交于
      Since qlcnic_alloc_mbx_args can be failed,
      return value should be checked.
      Signed-off-by: NInsu Yun <wuninsu@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b77357b6
    • Q
      tracing: Fix setting of start_index in find_next() · f36d1be2
      Qiu Peiyang 提交于
      When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
      panic at t_show.
      
      general protection fault: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 2957 Comm: sh Tainted: G W  O 3.14.55-x86_64-01062-gd4acdc7 #2
      RIP: 0010:[<ffffffff811375b2>]
       [<ffffffff811375b2>] t_show+0x22/0xe0
      RSP: 0000:ffff88002b4ebe80  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
      RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
      RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
      R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
      R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
      FS:  0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
      Call Trace:
       [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
       [<ffffffff811b749b>] vfs_read+0x9b/0x160
       [<ffffffff811b7f69>] SyS_read+0x49/0xb0
       [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
       ---[ end trace 5bd9eb630614861e ]---
      Kernel panic - not syncing: Fatal exception
      
      When the first time find_next calls find_next_mod_format, it should
      iterate the trace_bprintk_fmt_list to find the first print format of
      the module. However in current code, start_index is smaller than *pos
      at first, and code will not iterate the list. Latter container_of will
      get the wrong address with former v, which will cause mod_fmt be a
      meaningless object and so is the returned mod_fmt->fmt.
      
      This patch will fix it by correcting the start_index. After fixed,
      when the first time calls find_next_mod_format, start_index will be
      equal to *pos, and code will iterate the trace_bprintk_fmt_list to
      get the right module printk format, so is the returned mod_fmt->fmt.
      
      Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
      
      Cc: stable@vger.kernel.org # 3.12+
      Fixes: 102c9323 "tracing: Add __tracepoint_string() to export string pointers"
      Signed-off-by: NQiu Peiyang <peiyangx.qiu@intel.com>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      f36d1be2
    • C
      ftrace/scripts: Fix incorrect use of sprintf in recordmcount · 713a3e4d
      Colin Ian King 提交于
      Fix build warning:
      
      scripts/recordmcount.c:589:4: warning: format not a string
      literal and no format arguments [-Wformat-security]
          sprintf("%s: failed\n", file);
      
      Fixes: a50bd439 ("ftrace/scripts: Have recordmcount copy the object file")
      Link: http://lkml.kernel.org/r/1451516801-16951-1-git-send-email-colin.king@canonical.com
      
      Cc: Li Bin <huawei.libin@huawei.com>
      Cc: Russell King <rmk+kernel@arm.linux.org.uk>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: stable@vger.kernel.org # 2.6.37+
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      713a3e4d
  8. 04 1月, 2016 3 次提交