1. 17 Jun, 2017 1 commit
  2. 16 Jun, 2017 10 commits
  3. 15 Jun, 2017 14 commits
    • X
      ipv6: fix calling in6_ifa_hold incorrectly for dad work · f8a894b2
      Xin Long committed
      Now when starting the dad work in addrconf_mod_dad_work, if the dad work
      is idle and queued, it needs to hold ifa.
      
      The problem is there's one gap in [1], during which if the pending dad work
      is removed elsewhere, it will fail to hold ifa, but the dad work is still
      idle and queued.
      
              if (!delayed_work_pending(&ifp->dad_work))
                      in6_ifa_hold(ifp);
                          <--------------[1]
              mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
      
      A use-after-free issue can be caused by this.
      
      Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
      inet6_ifa_finish_destroy was hit because of it.
      
      Per Hannes' suggestion, this patch fixes it by holding ifa first in
      addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
      the dad_work is already in queue.
      
      Note that this patch did not choose to fix it with:
      
        if (!mod_delayed_work(delay))
                in6_ifa_hold(ifp);
      
      As with it, when delay == 0, dad_work would be scheduled immediately, and all
      addrconf_mod_dad_work(0) calls would have to be moved under ifp->lock.
      
      Reported-by: Wei Chen <weichen@redhat.com>
      Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f8a894b2
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a090bd4f
      Linus Torvalds committed
      Pull networking fixes from David Miller:
      
       1) The netlink attribute passed in to dev_set_alias() is not
          necessarily NULL terminated, don't use strlcpy() on it. From
          Alexander Potapenko.
      
       2) Fix implementation of atomics in arm64 bpf JIT, from Daniel
          Borkmann.
      
       3) Correct the release of netdevs and driver private data in certain
          circumstances.
      
       4) Sanitize netlink message length properly in decnet, from Mateusz
          Jurczyk.
      
       5) Don't leak kernel data in rtnl_fill_vfinfo() netlink blobs. From
          Yuval Mintz.
      
       6) Hash secret is never initialized in ipv6 ILA translation code, from
          Arnd Bergmann. I guess those clang warnings about unused inline
          functions are useful for something!
      
       7) Fix endian selection in bpf_endian.h, from Daniel Borkmann.
      
        8) Sanitize sockaddr length before dereferencing any fields in AF_UNIX
          and CAIF. From Mateusz Jurczyk.
      
       9) Fix timestamping for GMAC3 chips in stmmac driver, from Mario
          Molitor.
      
      10) Do not leak netdev on dev_alloc_name() errors in mac80211, from
          Johannes Berg.
      
      11) Fix locking in sctp_for_each_endpoint(), from Xin Long.
      
      12) Fix wrong memset size on 32-bit in snmp6, from Christian Perle.
      
      13) Fix use after free in ip_mc_clear_src(), from WANG Cong.
      
      14) Fix regressions caused by ICMP rate limiting changes in 4.11, from
          Jesper Dangaard Brouer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (91 commits)
        i40e: Fix a sleep-in-atomic bug
        net: don't global ICMP rate limit packets originating from loopback
        net/act_pedit: fix an error code
        net: update undefined ->ndo_change_mtu() comment
        net_sched: move tcf_lock down after gen_replace_estimator()
        caif: Add sockaddr length check before accessing sa_family in connect handler
        qed: fix dump of context data
        qmi_wwan: new Telewell and Sierra device IDs
        net: phy: Fix MDIO_THUNDER dependencies
        netconsole: Remove duplicate "netconsole: " logging prefix
        igmp: acquire pmc lock for ip_mc_clear_src()
        r8152: give the device version
        net: rps: fix uninitialized symbol warning
        mac80211: don't send SMPS action frame in AP mode when not needed
        mac80211/wpa: use constant time memory comparison for MACs
        mac80211: set bss_info data before configuring the channel
        mac80211: remove 5/10 MHz rate code from station MLME
        mac80211: Fix incorrect condition when checking rx timestamp
        mac80211: don't look at the PM bit of BAR frames
        i40e: fix handling of HW ATR eviction
        ...
      a090bd4f
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 54ed0f71
      Linus Torvalds committed
      Pull crypto fix from Herbert Xu:
       "This fixes a bug on sparc where we may dereference freed stack memory"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: Work around deallocated stack frame reference gcc bug on sparc.
      54ed0f71
    • L
      Merge tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 35e60a6b
      Linus Torvalds committed
      Pull ACPI fixes from Rafael Wysocki:
       "These revert an ACPICA commit from the 4.11 cycle that causes problems
        to happen on some systems and add a protection against possible kernel
        crashes due to table reference counter imbalance.
      
        Specifics:
      
         - Revert a 4.11 ACPICA change that made assumptions which are not
           satisfied on some systems and caused the enumeration of resources
           to fail on them (Rafael Wysocki).
      
         - Add a mechanism to prevent tables from being unmapped prematurely
           due to reference counter overflows (Lv Zheng)"
      
      * tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance
        Revert "ACPICA: Disassembler: Enhance resource descriptor detection"
      35e60a6b
    • L
      Merge tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 92091c43
      Linus Torvalds committed
      Pull power management fixes from Rafael Wysocki:
       "These revert a recent cpufreq schedutil governor change that turned
        out to be problematic and fix a few minor issues in cpufreq, cpuidle
        and the Exynos devfreq drivers.
      
        Specifics:
      
         - Revert a recent cpufreq schedutil governor change that caused some
           systems to behave undesirably (Rafael Wysocki).
      
         - Fix a cpufreq conservative governor issue introduced during the
           3.10 cycle that prevents it from working as expected in some
           situations (Tomasz Wilczyński).
      
         - Fix an error code path in the generic cpuidle driver for DT-based
           systems (Christophe Jaillet).
      
         - Fix three minor issues in devfreq drivers for Exynos (Arvind Yadav,
           Krzysztof Kozlowski)"
      
      * tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpuidle: dt: Add missing 'of_node_put()'
        cpufreq: conservative: Allow down_threshold to take values from 1 to 10
        Revert "cpufreq: schedutil: Reduce frequencies slower"
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
      92091c43
    • L
      Merge branch 'for-4.12/driver-matching-fix' of... · b45edc2d
      Linus Torvalds committed
      Merge branch 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
      
      Pull HID fix from Jiri Kosina:
      
       - ifdef-based bandaid for a long-standing issue with HID driver
         matching, avoiding regressions in cases where specific driver is not
         enabled in kernel .config, from Jiri Kosina
      
      * 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: let generic driver yield control iff specific driver has been enabled
      b45edc2d
    • L
      Merge tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 906e0c5b
      Linus Torvalds committed
      Pull media fixes from Mauro Carvalho Chehab:
      
       - some build dependency issues at CEC core with randconfigs
      
       - fix an off by one error at vb2
      
       - a race fix at cec core
      
       - driver fixes at tc358743, sir_ir and rainshadow-cec
      
      * tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED
        [media] cec: race fix: don't return -ENONET in cec_receive()
        [media] sir_ir: infinite loop in interrupt handler
        [media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE
        [media] cec: improve MEDIA_CEC_RC dependencies
        [media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
        [media] rainshadow-cec: Fix missing spin_lock_init()
        [media] tc358743: fix register i2c_rd/wr function fix
      906e0c5b
    • J
      i40e: Fix a sleep-in-atomic bug · 640f93cc
      Jia-Ju Bai committed
      The driver may sleep under a spin lock, and the function call path is:
      i40e_ndo_set_vf_port_vlan (acquire the lock by spin_lock_bh)
        i40e_vsi_remove_pvid
          i40e_vlan_stripping_disable
            i40e_aq_update_vsi_params
              i40e_asq_send_command
                mutex_lock --> may sleep
      
      To fix it, the spin lock is released before "i40e_vsi_remove_pvid", and
      the lock is acquired again after this function.
      
      Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
      Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      640f93cc
    • R
      Merge branch 'acpica-fixes' · 95229334
      Rafael J. Wysocki committed
      * acpica-fixes:
        ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance
        Revert "ACPICA: Disassembler: Enhance resource descriptor detection"
      95229334
    • R
      Merge branches 'pm-cpufreq', 'pm-cpuidle' and 'pm-devfreq' · f63e4f7d
      Rafael J. Wysocki committed
      * pm-cpufreq:
        cpufreq: conservative: Allow down_threshold to take values from 1 to 10
        Revert "cpufreq: schedutil: Reduce frequencies slower"
      
      * pm-cpuidle:
        cpuidle: dt: Add missing 'of_node_put()'
      
      * pm-devfreq:
        PM / devfreq: exynos-ppmu: Staticize event list
        PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
        PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable
      f63e4f7d
    • J
      net: don't global ICMP rate limit packets originating from loopback · 849a44de
      Jesper Dangaard Brouer committed
      Florian Weimer seems to have a glibc test-case which requires that
      loopback interfaces do not get ICMP ratelimited.  This was broken by
      commit c0303efe ("net: reduce cycles spend on ICMP replies that
      gets rate limited").
      
      An ICMP response will usually be routed back-out the same incoming
      interface.  Thus, take advantage of this and skip global ICMP
      ratelimit when the incoming device is loopback.  In the unlikely event
      that the outgoing is not loopback, due to strange routing policy
      rules, ICMP rate limiting still works via peer ratelimiting via
      icmpv4_xrlim_allow().  Thus, we should still comply with RFC1812
      (section 4.3.2.8 "Rate Limiting").
      
      This seems to fix the reproducer given by Florian.  While still
      avoiding to perform expensive and unneeded outgoing route lookup for
      rate limited packets (in the non-loopback case).
      
      Fixes: c0303efe ("net: reduce cycles spend on ICMP replies that gets rate limited")
      Reported-by: Florian Weimer <fweimer@redhat.com>
      Reported-by: "H.J. Lu" <hjl.tools@gmail.com>
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      849a44de
    • D
      net/act_pedit: fix an error code · c4f65b09
      Dan Carpenter committed
      I'm reviewing static checker warnings where we do ERR_PTR(0), which is
      the same as NULL.  I'm pretty sure we intended to return ERR_PTR(-EINVAL)
      here.  Sometimes these bugs lead to a NULL dereference but I don't
      immediately see that problem here.
      
      Fixes: 71d0ed70 ("net/act_pedit: Support using offset relative to the conventional network headers")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Amir Vadai <amir@vadai.me>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      c4f65b09
    • M
      net: update undefined ->ndo_change_mtu() comment · db46a0e1
      Magnus Damm committed
      Update ->ndo_change_mtu() callback comment to remove text
      about returning error in case of undefined callback. This
      change makes the comment match the existing code behavior.
      
      Signed-off-by: Magnus Damm <damm+renesas@opensource.se>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      db46a0e1
    • W
      net_sched: move tcf_lock down after gen_replace_estimator() · 74030603
      WANG Cong committed
      Laura reported a sleep-in-atomic kernel warning inside
      tcf_act_police_init() which calls gen_replace_estimator() with
      spinlock protection.
      
      It is not necessary in this case, we already have RTNL lock here
      so it is enough to protect concurrent writers. For the reader,
      i.e. tcf_act_police(), it needs to make decision based on this
      rate estimator, in the worst case we drop more/less packets than
      necessary while changing the rate in parallel, it is still acceptable.
      
      Reported-by: Laura Abbott <labbott@redhat.com>
      Reported-by: Nick Huber <nicholashuber@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      74030603
  4. 14 Jun, 2017 9 commits
  5. 13 Jun, 2017 6 commits
    • A
      net: rps: fix uninitialized symbol warning · 97d8b6e3
      Ashwanth Goli committed
      This patch fixes uninitialized symbol warning that
      got introduced by the following commit
      773fc8f6 ("net: rps: send out pending IPI's on CPU hotplug")
      
      Signed-off-by: Ashwanth Goli <ashwanth@codeaurora.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      97d8b6e3
    • J
      HID: let generic driver yield control iff specific driver has been enabled · 0ca4cd7b
      Jiri Kosina committed
      There are many situations where generic HID driver provides some basic level
      of support for certain device, but later this support (usually by implementing
      vendor-specific extensions of HID protocol) is extended and the support moved
      over to a separate (usually per-vendor) specific driver.
      
      This might bring a rather unpleasant surprise for users, as all of a sudden
      there is a new config option they have to enable in order to get any support
      for their device whatsoever, although previous kernel versions provided basic
      support through the generic driver. Which is rightfully seen as a regression.
      
      Fix this by including the entry for a particular device in
      hid_have_special_driver[] iff the specific config option has been specified,
      and let generic driver handle the device otherwise.
      Also make the behavior of hid_scan_report() (where the same decision is being
      taken on a per-report level) consistent.
      
      While at it, reshuffle the hid_have_special_driver[] a bit to restore the
      alphabetical ordering (first order by config option, and within those
      sections order by VID).
      
      This is considered a short-term solution, before generic way of giving
      precedence to special drivers and falling back to generic driver is
      figured out.
      
      While at it, fixup a missing entry for GFRM driver; thanks to Hans de Goede for
      spotting this (and for discovering a few issues in the conversion).
      
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      0ca4cd7b
    • E
      mac80211: don't send SMPS action frame in AP mode when not needed · b3dd8279
      Emmanuel Grumbach committed
      mac80211 allows modifying the SMPS state of an AP both
      when it is started and after it has been started. Such a
      change will trigger an action frame to all the peers that
      are currently connected, and will be remembered so that
      new peers will get notified as soon as they connect (since
      the SMPS setting in the beacon may not be the right one).
      
      This means that we need to remember the SMPS state
      currently requested as well as the SMPS state that was
      configured initially (and advertised in the beacon).
      The former is bss->req_smps and the latter is
      sdata->smps_mode.
      
      Initially, the AP interface could only be started with
      SMPS_OFF, which means that sdata->smps_mode was SMPS_OFF
      always. Later, a nl80211 API was added to be able to start
      an AP with a different AP mode. That code forgot to update
      bss->req_smps and because of that, if the AP interface was
      started with SMPS_DYNAMIC, we had:
         sdata->smps_mode = SMPS_DYNAMIC
         bss->req_smps = SMPS_OFF
      
      That configuration made mac80211 think it needs to fire off
      an action frame to any new station connecting to the AP in
      order to let it know that the actual SMPS configuration is
      SMPS_OFF.
      
      Fix that by properly setting bss->req_smps in
      ieee80211_start_ap.
      
      Fixes: f6993174 ("mac80211: set smps_mode according to ap params")
      Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      b3dd8279
    • J
      mac80211/wpa: use constant time memory comparison for MACs · 98c67d18
      Jason A. Donenfeld committed
      Otherwise, we enable all sorts of forgeries via timing attack.
      
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: linux-wireless@vger.kernel.org
      Cc: stable@vger.kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      98c67d18
    • J
      mac80211: set bss_info data before configuring the channel · c87905be
      Johannes Berg committed
      When mac80211 changes the channel, it also calls into the driver's
      bss_info_changed() callback, e.g. with BSS_CHANGED_IDLE. The driver
      may, like iwlwifi does, access more data from bss_info in that case
      and iwlwifi accesses the basic_rates bitmap, but if changing from a
      band with more (basic) rates to one with fewer, an out-of-bounds
      access of the rate array may result.
      
      While we can't avoid having invalid data at some point in time, we
      can avoid having it while we call the driver - so set up all the
      data before configuring the channel, and then apply it afterwards.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=195677
      
      Reported-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
      Tested-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
      Debugged-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      c87905be
    • J
      mac80211: remove 5/10 MHz rate code from station MLME · 44f6d42c
      Johannes Berg committed
      There's no need for the station MLME code to handle bitrates for 5
      or 10 MHz channels when it can't ever create such a configuration.
      Remove the unnecessary code.
      
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      44f6d42c