1. 28 12月, 2013 4 次提交
    • E
      arc_emac: fix potential use after free · 37ec274e
      Eric Dumazet 提交于
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      
      skb_tx_timestamp(skb) should be called _before_ TX completion
      has a chance to trigger, otherwise it is too late and we access
      freed memory.
      
      Fixes: e4f2379d ("ethernet/arc/arc_emac - Add new driver")
      From: Eric Dumazet <edumazet@google.com>
      Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      37ec274e
    • N
      tg3: Expand 4g_overflow_test workaround to skb fragments of any size. · 37567910
      Nithin Sujir 提交于
      The current driver assumes that an skb fragment can only be upto jumbo
      size. Presumably this was a fast-path optimization. This assumption is
      no longer true as fragments can be upto 32k.
      
      v2: Remove unnecessary parantheses per Eric Dumazet.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NNithin Nayak Sujir <nsujir@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      37567910
    • J
      net_sched: act: Dont increment refcnt on replace · 1a29321e
      Jamal Hadi Salim 提交于
       This is a bug fix. The existing code tries to kill many
       birds with one stone: Handling binding of actions to
       filters, new actions and replacing of action
       attributes. A simple test case to illustrate:
      
      XXXX
       moja@fe1:~$ sudo tc actions add action drop index 12
       moja@fe1:~$ actions get action gact index 12
       action order 1: gact action drop
        random type none pass val 0
        index 12 ref 1 bind 0
       moja@fe1:~$ sudo tc actions replace action ok index 12
       moja@fe1:~$ actions get action gact index 12
       action order 1: gact action drop
        random type none pass val 0
        index 12 ref 2 bind 0
      XXXX
      
      The above shows the refcounf being wrongly incremented on replace.
      There are more complex scenarios with binding of actions to filters
      that i am leaving out that didnt work as well...
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a29321e
    • S
      rds: prevent dereference of a NULL device · c2349758
      Sasha Levin 提交于
      Binding might result in a NULL device, which is dereferenced
      causing this BUG:
      
      [ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097
      4
      [ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
      [ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0
      [ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [ 1317.264179] Dumping ftrace buffer:
      [ 1317.264774]    (ftrace buffer empty)
      [ 1317.265220] Modules linked in:
      [ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G        W    3.13.0-rc4-
      next-20131218-sasha-00013-g2cebb9b-dirty #4159
      [ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000
      [ 1317.268399] RIP: 0010:[<ffffffff84225f52>]  [<ffffffff84225f52>] rds_ib_laddr_check+
      0x82/0x110
      [ 1317.269670] RSP: 0000:ffff8803cd31bdf8  EFLAGS: 00010246
      [ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000
      [ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286
      [ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000
      [ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
      [ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031
      [ 1317.270230] FS:  00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000
      0000
      [ 1317.270230] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0
      [ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
      [ 1317.270230] Stack:
      [ 1317.270230]  0000000054086700 5408670000a25de0 5408670000000002 0000000000000000
      [ 1317.270230]  ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160
      [ 1317.270230]  ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280
      [ 1317.270230] Call Trace:
      [ 1317.270230]  [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0
      [ 1317.270230]  [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0
      [ 1317.270230]  [<ffffffff8421c9c3>] rds_bind+0x73/0xf0
      [ 1317.270230]  [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0
      [ 1317.270230]  [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0
      [ 1317.270230]  [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10
      [ 1317.270230]  [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290
      [ 1317.270230]  [<ffffffff83e4cece>] SyS_bind+0xe/0x10
      [ 1317.270230]  [<ffffffff843a6ad0>] tracesys+0xdd/0xe2
      [ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00
      89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7
      4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02
      [ 1317.270230] RIP  [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
      [ 1317.270230]  RSP <ffff8803cd31bdf8>
      [ 1317.270230] CR2: 0000000000000974
      Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c2349758
  2. 27 12月, 2013 1 次提交
    • F
      macvlan: fix netdev feature propagation from lower device · 797f87f8
      Florian Westphal 提交于
      There are inconsistencies wrt. feature propagation/inheritance between
      macvlan and the underlying interface.
      
      When a feature is turned off on the real device before a macvlan is
      created on top, these will remain enabled on the macvlan device, whereas
      turning off the feature on the lower device after macvlan creation the
      kernel will propagate the changes to the macvlan.
      
      The second issue is that, when propagating changes from underlying device
      to the macvlan interface, macvlan can erronously lose its NETIF_F_LLTX flag,
      as features are anded with the underlying device.
      
      However, LLTX should be kept since it has no dependencies on physical
      hardware (LLTX is set on macvlan creation regardless of the lower
      device properties, see 8ffab51b
      (macvlan: lockless tx path).
      
      The LLTX flag is now forced regardless of user settings in absence of
      layer2 hw acceleration (a6cc0cfa,
      net: Add layer 2 hardware acceleration operations for macvlan devices).
      
      Use netdev_increment_features to rebuild the feature set on capability
      changes on either the lower device or on the macvlan interface.
      
      As pointed out by Ben Hutchings, use netdev_update_features on
      NETDEV_FEAT_CHANGE event (it calls macvlan_fix_features/netdev_features_change
      if needed).
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      797f87f8
  3. 23 12月, 2013 11 次提交
  4. 22 12月, 2013 2 次提交
    • D
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 6eb3c282
      David S. Miller 提交于
      John W. Linville says:
      
      ====================
      Please consider pulling this batch of fixes for the 3.13 stream...
      
      For the mac80211 bits, Johannes says:
      
      "Here's a fix for another potential radiotap parser buffer overrun thanks
      to Evan Huus, and a fix for a cfg80211 warning in a certain corner case
      (reconnecting to the same BSS)."
      
      For the bluetooth bits, Gustavo says:
      
      "Two patches in this pull request. An important fix from Marcel in the
      permission check for HCI User Channels, there was a extra check for
      CAP_NET_RAW, and it was now removed. These channels should only require
      CAP_NET_ADMIN. The other patch is a device id addition."
      
      On top of that...
      
      Sujith Manoharan provides a workaround for a hardware problem that
      can result in lost interrupts.
      
      Larry Finger fixes an oops when unloading the rtlwifi driver (Red
      Hat bug 852761).
      
      Mathy Vanhoef fixes a somewhat minor MAC address privacy issue
      (CVE-2013-4579).
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6eb3c282
    • H
      hyperv: Fix race between probe and open calls · a68f9614
      Haiyang Zhang 提交于
      Moving the register_netdev to the end of probe to prevent
      possible open call happens before NetVSP is connected.
      Signed-off-by: NHaiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: NK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a68f9614
  5. 21 12月, 2013 1 次提交
  6. 20 12月, 2013 11 次提交
  7. 19 12月, 2013 10 次提交