- 06 4月, 2013 1 次提交
-
-
由 Patrick McHardy 提交于
Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code to reset nf_trace in nf_reset(). This is wrong and unnecessary. nf_reset() is used in the following cases: - when passing packets up the the socket layer, at which point we want to release all netfilter references that might keep modules pinned while the packet is queued. nf_trace doesn't matter anymore at this point. - when encapsulating or decapsulating IPsec packets. We want to continue tracing these packets after IPsec processing. - when passing packets through virtual network devices. Only devices on that encapsulate in IPv4/v6 matter since otherwise nf_trace is not used anymore. Its not entirely clear whether those packets should be traced after that, however we've always done that. - when passing packets through virtual network devices that make the packet cross network namespace boundaries. This is the only cases where we clearly want to reset nf_trace and is also what the original patch intended to fix. Add a new function nf_reset_trace() and use it in dev_forward_skb() to fix this properly. Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 05 4月, 2013 10 次提交
-
-
由 Jiri Pirko 提交于
if userspace changes lifetime of address, send netlink notification and call notifier. Signed-off-by: NJiri Pirko <jiri@resnulli.us> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Jakub Kicinski 提交于
ixgbe_notify_dca cannot be called before driver registration because it expects driver's klist_devices to be allocated and initialized. While on it make sure debugfs files are removed when registration fails. Cc: stable <stable@vger.kernel.org> Signed-off-by: NJakub Kicinski <jakub.kicinski@intel.com> Tested-by: NPhil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric W. Biederman 提交于
It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: NKarel Srot <ksrot@redhat.com> Reported-by: NDing Tianhong <dingtianhong@huawei.com> Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric W. Biederman 提交于
This reverts commit 14134f65. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: NSven Joachim <svenjoac@gmx.de> Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Veaceslav Falico 提交于
We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: NVeaceslav Falico <vfalico@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Hannes Frederic Sowa 提交于
The limit of 0x3c00 is taken from the windows driver. Suggested-by: NHuang, Xiong <xiong@qca.qualcomm.com> Cc: Huang, Xiong <xiong@qca.qualcomm.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vlad Yasevich 提交于
A few drivers use dev_uc_sync/unsync to synchronize the address lists from master down to slave/lower devices. In some cases (bond/team) a single address list is synched down to multiple devices. At the time of unsync, we have a leak in these lower devices, because "synced" is treated as a boolean and the address will not be unsynced for anything after the first device/call. Treat "synced" as a count (same as refcount) and allow all unsync calls to work. Signed-off-by: NVlad Yasevich <vyasevic@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 hayeswang 提交于
It would cause no link after suspending or shutdowning when the nic changes the speed to 10M and connects to a link partner which forces the speed to 100M. Check the link partner ability to determine which speed to set. Signed-off-by: NHayes Wang <hayeswang@realtek.com> Acked-by: NFrancois Romieu <romieu@fr.zoreil.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
git://1984.lsi.us.es/nf由 David S. Miller 提交于
Pablo Neira Ayuso says: ==================== The following patchset contains netfilter updates for your net tree, they are: * Fix missing the skb->trace reset in nf_reset, noticed by Gao Feng while using the TRACE target with several net namespaces. * Fix prefix translation in IPv6 NPT if non-multiple of 32 prefixes are used, from Matthias Schiffer. * Fix invalid nfacct objects with empty name, they are now rejected with -EINVAL, spotted by Michael Zintakis, patch from myself. * A couple of fixes for wrong return values in the error path of nfnetlink_queue and nf_conntrack, from Wei Yongjun. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into wireless John W. Linville says: ==================== Here are some more fixes intended for the 3.9 stream... Regarding the mac80211 bits, Johannes says: "I had changed the idle handling to simplify it, but broken the sequencing of commands, at least for ath9k-htc, one patch restores the sequence. The other patch fixes a crash Jouni found while stress-testing the remain-on-channel code, when an item is deleted the work struct can run twice and crash the second time." As for the iwlwifi bits, Johannes says: "The only fix here is to the passive-no-RX firmware regulatory enforcement driver support code to not drop auth frames in quick succession, leading to not being able to connect to APs on passive channels in certain circumstances." Don't forget the NFC bits, about which Samuel says: "This time we have: - A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter is physically removed. - A potential double skb free when the LLCP socket receive queue is full. - A fix for properly handling multiple and consecutive LLCP connections, and not trash the socket ack log. - A build failure for the MEI microread physical layer, now that the MEI bus APIs have been merged into char-misc-next." On top of that, Stone Piao provides an mwifiex fix to avoid accessing beyond the end of a buffer. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 4月, 2013 1 次提交
-
-
由 John W. Linville 提交于
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
-
- 03 4月, 2013 14 次提交
-
-
由 Matthias Schiffer 提交于
The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: NMatthias Schiffer <mschiffer@universe-factory.net> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net由 Linus Torvalds 提交于
Pull networking fixes from David Miller: 1) Fix VSOCK layer handling of context ID changes, from Reilly Grant. 2) Now that we have a synchronize_net() in netdev_rx_handler_unregister(), we can't let any call sites hold locks. Unfortunately bonding does, so we have to drop the rwlock there a little bit earlier, fix from Veaceslav Falico. 3) MAC address setting loop exits one iteration too early in mlx4 driver, from Yan Burman. 4) Restore ipv6 routes properly upon ifdown/ifup of loopback, from Balakumaran Kannan. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: VSOCK: Handle changes to the VMCI context ID. net IPv6 : Fix broken IPv6 routing table after loopback down-up cbq: incorrect processing of high limits net/mlx4_en: Fix setting initial MAC address bonding: get netdev_rx_handler_unregister out of locks
-
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap由 Linus Torvalds 提交于
Pull regmap fixes from Mark Brown: "A small collection of fixes. The most important ones are those from Stephen and Lars-Peter both of which fix cache issues that have been lurking for a while but not manifesting noticably enough for anyone to report them." * tag 'regmap-v3.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: async: Add missing return regmap: don't corrupt work buffer in _regmap_raw_write() regmap: cache Fix regcache-rbtree sync regmap: Initialize `map->debugfs' before regcache
-
git://people.freedesktop.org/~airlied/linux由 Linus Torvalds 提交于
Pull DRM fixes from Dave Airlie: "Two core fixes, both regressions, along with some intel and some nouveau fixes for regressions and oopses" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm: correctly restore mappings if drm_open fails drm/nouveau: fix NULL ptr dereference from nv50_disp_intr() drm/nouveau: fix handling empty channel list in ioctl's drm: don't unlock in the addfb error paths drm/i915: Fix build failure drm/i915: Be sure to turn hsync/vsync back on at crt enable (v2) drm/i915: duct-tape locking when eDP init fails
-
git://git.linux-mips.org/pub/scm/ralf/upstream-linus由 Linus Torvalds 提交于
Pull MIPS fixes from Ralf Baechle: "A collection of fixes pretty much across the MIPS code. Even the change to include/linux/signal.h by David Howells' 2a148698 ("Fix breakage in MIPS siginfo handling") should be considered MIPS-specific as it touches an ifdefed segment that is only relevant to MIPS and which unfortunately can't be made to go away entirely." * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: Fix breakage in MIPS siginfo handling Revert "MIPS: BCM63XX: Call board_register_device from device_initcall()" MIPS: BCM63XX: Make nvram checksum failure non fatal MIPS: Fix code generation for non-DSP capable CPUs MIPS: Fix inconsistent formatting inside /proc/cpuinfo MIPS: SEAD3: Enable LL/SC. MIPS: Get rid of CONFIG_CPU_HAS_LLSC again MIPS: Add dependencies for HAVE_ARCH_TRANSPARENT_HUGEPAGE MIPS: VR4133: Fix probe for LL/SC. MIPS: Fix logic errors in bitops.c MIPS: Use CONFIG_CPU_MIPSR2 in csum_partial.S MIPS: compat: Return same error ENOSYS as native for invalid operation.
-
由 Ilija Hadzic 提交于
If first drm_open fails, the error-handling path will incorrectly restore inode's mapping to NULL. This can cause the crash later on. Fix by separately storing away mapping pointers that drm_open can touch and restore each from its own respective variable if the call fails. Fixes: https://bugzilla.novell.com/show_bug.cgi?id=807850 (thanks to Michal Hocko for investigating investigating and finding the root cause of the bug) Reference: http://lists.freedesktop.org/archives/dri-devel/2013-March/036564.html v2: Use one variable to store file and inode mapping since they are the same at the function entry. Fix spelling mistakes in commit message. v3: Add reference to the original bug report. Reported-by: NMarco Munderloh <munderl@tnt.uni-hannover.de> Tested-by: NMarco Munderloh <munderl@tnt.uni-hannover.de> Signed-off-by: NIlija Hadzic <ihadzic@research.bell-labs.com> Cc: Michal Hocko <mhocko@suse.cz> Cc: stable@vger.kernel.org Signed-off-by: NDave Airlie <airlied@redhat.com>
-
由 Dave Airlie 提交于
Merge branch 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-next Oops fixers. * 'drm-nouveau-fixes-3.9' of git://anongit.freedesktop.org/git/nouveau/linux-2.6: drm/nouveau: fix NULL ptr dereference from nv50_disp_intr() drm/nouveau: fix handling empty channel list in ioctl's
-
git://people.freedesktop.org/~danvet/drm-intel由 Dave Airlie 提交于
One locking regression fix, and a couple of other i915 ones. * 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel: drm: don't unlock in the addfb error paths drm/i915: Fix build failure drm/i915: Be sure to turn hsync/vsync back on at crt enable (v2) drm/i915: duct-tape locking when eDP init fails
-
由 Reilly Grant 提交于
The VMCI context ID of a virtual machine may change at any time. There is a VMCI event which signals this but datagrams may be processed before this is handled. It is therefore necessary to be flexible about the destination context ID of any datagrams received. (It can be assumed to be correct because it is provided by the hypervisor.) The context ID on existing sockets should be updated to reflect how the hypervisor is currently referring to the system. Signed-off-by: NReilly Grant <grantr@vmware.com> Acked-by: NAndy King <acking@vmware.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Balakumaran Kannan 提交于
IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo) interface. After down-up, routes of other interface's IPv6 addresses through 'lo' are lost. IPv6 addresses assigned to all interfaces are routed through 'lo' for internal communication. Once 'lo' is down, those routing entries are removed from routing table. But those removed entries are not being re-created properly when 'lo' is brought up. So IPv6 addresses of other interfaces becomes unreachable from the same machine. Also this breaks communication with other machines because of NDISC packet processing failure. This patch fixes this issue by reading all interface's IPv6 addresses and adding them to IPv6 routing table while bringing up 'lo'. ==Testing== Before applying the patch: $ route -A inet6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2000::20/128 :: U 256 0 0 eth0 fe80::/64 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo ::1/128 :: Un 0 1 0 lo 2000::20/128 :: Un 0 1 0 lo fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo $ sudo ifdown lo $ sudo ifup lo $ route -A inet6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2000::20/128 :: U 256 0 0 eth0 fe80::/64 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo ::1/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo $ After applying the patch: $ route -A inet6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2000::20/128 :: U 256 0 0 eth0 fe80::/64 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo ::1/128 :: Un 0 1 0 lo 2000::20/128 :: Un 0 1 0 lo fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo $ sudo ifdown lo $ sudo ifup lo $ route -A inet6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2000::20/128 :: U 256 0 0 eth0 fe80::/64 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo ::1/128 :: Un 0 1 0 lo 2000::20/128 :: Un 0 1 0 lo fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth0 ::/0 :: !n -1 1 1 lo $ Signed-off-by: NBalakumaran Kannan <Balakumaran.Kannan@ap.sony.com> Signed-off-by: NMaruthi Thotad <Maruthi.Thotad@ap.sony.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vasily Averin 提交于
currently cbq works incorrectly for limits > 10% real link bandwidth, and practically does not work for limits > 50% real link bandwidth. Below are results of experiments taken on 1 Gbit link In shaper | Actual Result -----------+--------------- 100M | 108 Mbps 200M | 244 Mbps 300M | 412 Mbps 500M | 893 Mbps This happen because of q->now changes incorrectly in cbq_dequeue(): when it is called before real end of packet transmitting, L2T is greater than real time delay, q_now gets an extra boost but never compensate it. To fix this problem we prevent change of q->now until its synchronization with real time. Signed-off-by: NVasily Averin <vvs@openvz.org> Reviewed-by: NAlexey Kuznetsov <kuznet@ms2.inr.ac.ru> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Stanislav Kinsbursky 提交于
Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: NStanislav Kinsbursky <skinsbursky@parallels.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Yan Burman 提交于
Commit 6bbb6d99 "net/mlx4_en: Optimize Rx fast path filter checks" introduced a regression under which the MAC address read from the card was not converted correctly (the most significant byte was not handled), fix that. Reviewed-by: NOr Gerlitz <ogerlitz@mellanox.com> Signed-off-by: NYan Burman <yanb@mellanox.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Veaceslav Falico 提交于
Now that netdev_rx_handler_unregister contains synchronize_net(), we need to call it outside of bond->lock, cause it might sleep. Also, remove the already unneded synchronize_net(). Signed-off-by: NVeaceslav Falico <vfalico@redhat.com> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 02 4月, 2013 12 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc由 Linus Torvalds 提交于
Pull ARM SoC bug fixes from Arnd Bergmann: "After a quiet set of fixes for 3.9-rc4, a lot of people woke up and sent urgent fixes for 3.9. I pushed back on a number of them that got deferred to 3.10, but these are the ones that seemed important. Regression in 3.9: - Multiple regressions in OMAP2+ clock cleanup - SH-Mobile frame buffer bug fix that merged here because of maintainer MIA - ux500 prcmu changes broke DT booting - MMCI duplicated regulator setup on ux500 - New ux500 clock driver broke ethernet on snowball - Local interrupt driver for mvebu broke ethernet - MVEBU GPIO driver did not get set up right on Orion DT - incorrect interrupt number on Orion crypto for DT Long-standing bugs, including candidates for stable: - Kirkwood MMC needs to disable invalid card detect pins - MV SDIO pinmux was wrong on Mirabox - GoFlex Net board file needs to set NAND chip delay - MSM timer restart race - ep93xx early debug code broke in 3.7 - i.MX CPU hotplug race - Incorrect clock setup for OMAP1 USB - Workaround for bad clock setup by some old OMAP4 boot loaders - Static I/O mappings on cns3xxx since 3.2" * tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: cns3xxx: fix mapping of private memory region arm: mvebu: Fix pinctrl for Armada 370 Mirabox SDIO port. arm: orion5x: correct IRQ used in dtsi for mv_cesa arm: orion5x: fix orion5x.dtsi gpio parameters ARM: Kirkwood: fix unused mvsdio gpio pins arm: mvebu: Use local interrupt only for the timer 0 ARM: kirkwood: Fix chip-delay for GoFlex Net ARM: ux500: Enable the clock controlling Ethernet on Snowball ARM: ux500: Stop passing ios_handler() as an MMCI power controlling call-back ARM: ux500: Apply the TCPM and TCDM locations and sizes to dbx5x0 DT fbdev: sh_mobile_lcdc: fixup B side hsync adjust settings ARM: OMAP: clocks: Delay clk inits atleast until slab is initialized ARM: imx: fix sync issue between imx_cpu_die and imx_cpu_kill ARM: msm: Stop counting before reprogramming clockevent ARM: ep93xx: Fix wait for UART FIFO to be empty ARM: OMAP4: PM: fix PM regression introduced by recent clock cleanup ARM: OMAP3: hwmod data: keep MIDLEMODE in force-standby for musb ARM: OMAP4: clock data: lock USB DPLL on boot ARM: OMAP1: fix USB host on 1710
-
git://linux-nfs.org/~bfields/linux由 Linus Torvalds 提交于
Pull nfsd bugfix from J Bruce Fields: "An xdr decoding error--thanks, Toralf Förster, and Trinity!" * 'for-3.9' of git://linux-nfs.org/~bfields/linux: nfsd4: reject "negative" acl lengths
-
git://git.infradead.org/users/cbou/linux-cns3xxx由 Arnd Bergmann 提交于
From Anton Vorontsov <anton@enomsg.org>: This tag includes Mac Lin's work to revive CNS3xxx booting: "Since commit 0536bdf3 (ARM: move iotable mappings within the vmalloc region), [...] the pre-defined iotable mappings is not in the vmalloc region. [...] move the iotable mappings into the vmalloc region, and merge the MPCore private memory region (containing the SCU, the GIC and the TWD) as a single region." Plus there is a small cosmetic fix, also from Mac Lin. * tag 'v3.9-rc1_cns3xxx_fixes' of git://git.infradead.org/users/cbou/linux-cns3xxx: ARM: cns3xxx: fix mapping of private memory region [arnd: dropped the cosmetic fix from the merge as it is not needed for 3.9] Signed-off-by: NArnd Bergmann <arnd@arndb.de>
-
git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux由 Linus Torvalds 提交于
Pull virtio fixes from Rusty Russell: "One reversion, a tiny leak fix, and a cc:stable locking fix, in two parts" * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: virtio: console: add locking around c_ovq operations virtio: console: rename cvq_lock to c_ivq_lock hw_random: free rng_buffer at module exit Revert "virtio_console: Initialize guest_connected=true for rproc_serial"
-
由 Anatol Pomozov 提交于
struct block_device lifecycle is defined by its inode (see fs/block_dev.c) - block_device allocated first time we access /dev/loopXX and deallocated on bdev_destroy_inode. When we create the device "losetup /dev/loopXX afile" we want that block_device stay alive until we destroy the loop device with "losetup -d". But because we do not hold /dev/loopXX inode its counter goes 0, and inode/bdev can be destroyed at any moment. Usually it happens at memory pressure or when user drops inode cache (like in the test below). When later in loop_clr_fd() we want to use bdev we have use-after-free error with following stack: BUG: unable to handle kernel NULL pointer dereference at 0000000000000280 bd_set_size+0x10/0xa0 loop_clr_fd+0x1f8/0x420 [loop] lo_ioctl+0x200/0x7e0 [loop] lo_compat_ioctl+0x47/0xe0 [loop] compat_blkdev_ioctl+0x341/0x1290 do_filp_open+0x42/0xa0 compat_sys_ioctl+0xc1/0xf20 do_sys_open+0x16e/0x1d0 sysenter_dispatch+0x7/0x1a To prevent use-after-free we need to grab the device in loop_set_fd() and put it later in loop_clr_fd(). The issue is reprodusible on current Linus head and v3.3. Here is the test: dd if=/dev/zero of=loop.file bs=1M count=1 while [ true ]; do losetup /dev/loop0 loop.file echo 2 > /proc/sys/vm/drop_caches losetup -d /dev/loop0 done [ Doing bdgrab/bput in loop_set_fd/loop_clr_fd is safe, because every time we call loop_set_fd() we check that loop_device->lo_state is Lo_unbound and set it to Lo_bound If somebody will try to set_fd again it will get EBUSY. And if we try to loop_clr_fd() on unbound loop device we'll get ENXIO. loop_set_fd/loop_clr_fd (and any other loop ioctl) is called under loop_device->lo_ctl_mutex. ] Signed-off-by: NAnatol Pomozov <anatol.pomozov@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.linaro.org/people/mturquette/linux由 Linus Torvalds 提交于
Pull tegra clock driver fix from Mike Turquette: "Missing base address in Tegra clock driver results in non-operational PCIe. On some devices this means that Ethernet will go uninitialized and other devices will fail. This pull request fixes it with a single patch to pass the proper base address in the Tegra clock driver." * tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux: clk: tegra: Allow PLLE training to succeed
-
git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe由 Linus Torvalds 提交于
Pull FCoE fixes from Robert Love: "Critical patches to fix FCoE VN2VN mode with new interfaces targeting 3.9-rc" * tag 'for-3.9-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe: libfcoe: Fix fcoe_sysfs VN2VN mode libfc, fcoe, bnx2fc: Split fc_disc_init into fc_disc_{init, config} libfc, fcoe, bnx2fc: Always use fcoe_disc_init for discovery layer initialization fcoe: Fix deadlock between create and destroy paths bnx2fc: Make the fcoe_cltr the SCSI host parent
-
由 Stone Piao 提交于
Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: <stable@vger.kernel.org> # 3.5+ Signed-off-by: NStone Piao <piaoyun@marvell.com> Signed-off-by: NBing Zhao <bzhao@marvell.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-fixes由 John W. Linville 提交于
Samuel Ortiz <sameo@linux.intel.com> says: "This is the 2nd batch of NFC fixes for 3.9. This time we have: - A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter is physically removed. - A potential double skb free when the LLCP socket receive queue is full. - A fix for properly handling multiple and consecutive LLCP connections, and not trash the socket ack log. - A build failure for the MEI microread physical layer, now that the MEI bus APIs have been merged into char-misc-next." Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Thierry Reding 提交于
Under some circumstances the PLLE needs to be retrained, in which case access to the PMC registers is required. Fix this by passing a pointer to the PMC registers instead of NULL when registering the PLLE clock. Signed-off-by: NThierry Reding <thierry.reding@avionic-design.de> Acked-By: NPeter De Schrijver <pdeschrijver@nvidia.com> Signed-off-by: NMike Turquette <mturquette@linaro.org>
-
- 01 4月, 2013 2 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile由 Linus Torvalds 提交于
Pull arch/tile fix from Chris Metcalf: "This change allows newer Tilera boot tools to work correctly with current (and stable) kernels by using the right filename to get the initramfs from the Tilera hypervisor filesystem." * 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: tile: expect new initramfs name from hypervisor file system
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net由 Linus Torvalds 提交于
Pull networking fixes from David Miller: 1) sadb_msg prepared for IPSEC userspace forgets to initialize the satype field, fix from Nicolas Dichtel. 2) Fix mac80211 synchronization during station removal, from Johannes Berg. 3) Fix IPSEC sequence number notifications when they wrap, from Steffen Klassert. 4) Fix cfg80211 wdev tracing crashes when add_virtual_intf() returns an error pointer, from Johannes Berg. 5) In mac80211, don't call into the channel context code with the interface list mutex held. From Johannes Berg. 6) In mac80211, if we don't actually associate, do not restart the STA timer, otherwise we can crash. From Ben Greear. 7) Missing dma_mapping_error() check in e1000, ixgb, and e1000e. From Christoph Paasch. 8) Fix sja1000 driver defines to not conflict with SH port, from Marc Kleine-Budde. 9) Don't call il4965_rs_use_green with a NULL station, from Colin Ian King. 10) Suspend/Resume in the FEC driver fail because the buffer descriptors are not initialized at all the moments in which they should. Fix from Frank Li. 11) cpsw and davinci_emac drivers both use the wrong interface to restart a stopped TX queue. Use netif_wake_queue not netif_start_queue, the latter is for initialization/bringup not active management of the queue. From Mugunthan V N. 12) Fix regression in rate calculations done by psched_ratecfg_precompute(), missing u64 type promotion. From Sergey Popovich. 13) Fix length overflow in tg3 VPD parsing, from Kees Cook. 14) AOE driver fails to allocate enough headroom, resulting in crashes. Fix from Eric Dumazet. 15) RX overflow happens too quickly in sky2 driver because pause packet thresholds are not programmed correctly. From Mirko Lindner. 16) Bonding driver manages arp_interval and miimon settings incorrectly, disabling one unintentionally disables both. Fix from Nikolay Aleksandrov. 17) smsc75xx drivers don't program the RX mac properly for jumbo frames. Fix from Steve Glendinning. 18) Fix off-by-one in Codel packet scheduler. From Vijay Subramanian. 19) Fix packet corruption in atl1c by disabling MSI support, from Hannes Frederic Sowa. 20) netdev_rx_handler_unregister() needs a synchronize_net() to fix crashes in bonding driver unload stress tests. From Eric Dumazet. 21) rxlen field of ks8851 RX packet descriptors not interpreted correctly (it is 12 bits not 16 bits, so needs to be masked after shifting the 32-bit value down 16 bits). Fix from Max Nekludov. 22) Fix missed RX/TX enable in sh_eth driver due to mishandling of link change indications. From Sergei Shtylyov. 23) Fix crashes during spurious ECI interrupts in sh_eth driver, also from Sergei Shtylyov. 24) dm9000 driver initialization is done wrong for revision B devices with DSP PHY, from Joseph CHANG. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (53 commits) DM9000B: driver initialization upgrade sh_eth: make 'link' field of 'struct sh_eth_private' *int* sh_eth: workaround for spurious ECI interrupt sh_eth: fix handling of no LINK signal ks8851: Fix interpretation of rxlen field. net: add a synchronize_net() in netdev_rx_handler_unregister() MAINTAINERS: Update netxen_nic maintainers list atl1e: drop pci-msi support because of packet corruption net: fq_codel: Fix off-by-one error net: calxedaxgmac: Wake-on-LAN fixes net: calxedaxgmac: fix rx ring handling when OOM net: core: Remove redundant call to 'nf_reset' in 'dev_forward_skb' smsc75xx: fix jumbo frame support net: fix the use of this_cpu_ptr bonding: fix disabling of arp_interval and miimon ipv6: don't accept node local multicast traffic from the wire sky2: Threshold for Pause Packet is set wrong sky2: Receive Overflows not counted aoe: reserve enough headroom on skbs line up comment for ndo_bridge_getlink ...
-