1. 28 9月, 2012 7 次提交
  2. 27 9月, 2012 3 次提交
  3. 26 9月, 2012 7 次提交
    • J
      netfilter: xt_limit: have r->cost != 0 case work · 82e6bfe2
      Jan Engelhardt 提交于
      Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when
      a running state is saved to userspace and then reinstated from there.
      
      Make sure that private xt_limit area is initialized with correct values.
      Otherwise, random matchings due to use of uninitialized memory.
      Signed-off-by: NJan Engelhardt <jengelh@inai.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      82e6bfe2
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6f0f9b6b
      Linus Torvalds 提交于
      Pull more networking fixes from David Miller:
      
       1) Eric Dumazet discovered and fixed what turned out to be a family of
          bugs.  These functions were using pskb_may_pull() which might need
          to reallocate the linear SKB data buffer, but the callers were not
          expecting this possibility.  The callers have cached pointers to the
          packet header areas, and would need to reload them if we were to
          continue using pskb_may_pull().
      
          So they could end up reading garbage.
      
          It's easier to just change these RAW4/RAW6/MIP6 routines to use
          skb_header_pointer() instead of pskb_may_pull(), which won't modify
          the linear SKB data area.
      
       2) Dave Jone's syscall spammer caught a case where a non-TCP socket can
          call down into the TCP keepalive code.  The case basically involves
          creating a raw socket with sk_protocol == IPPROTO_TCP, then calling
          setsockopt(sock_fd, SO_KEEPALIVE, ...)
      
          Fixed by Eric Dumazet.
      
       3) Bluetooth devices do not get configured properly while being powered
          on, resulting in always using legacy pairing instead of SSP.  Fix
          from Andrzej Kaczmarek.
      
       4) Bluetooth cancels delayed work erroneously, put stricter checks in
          place.  From Andrei Emeltchenko.
      
       5) Fix deadlock between cfg80211_mutex and reg_regdb_search_mutex in
          cfg80211, from Luis R.  Rodriguez.
      
       6) Fix interrupt double release in iwlwifi, from Emmanuel Grumbach.
      
       7) Missing module license in bcm87xx driver, from Peter Huewe.
      
       8) Team driver can lose port changed events when adding devices to a
          team, fix from Jiri Pirko.
      
       9) Fix endless loop when trying ot unregister PPPOE device in zombie
          state, from Xiaodong Xu.
      
      10) batman-adv layer needs to set MAC address of software device
          earlier, otherwise we call tt_local_add with it uninitialized.
      
      11) Fix handling of KSZ8021 PHYs, it's matched currently by KS8051 but
          that doesn't program the device properly.  From Marek Vasut.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        ipv6: mip6: fix mip6_mh_filter()
        ipv6: raw: fix icmpv6_filter()
        net: guard tcp_set_keepalive() to tcp sockets
        phy/micrel: Add missing header to micrel_phy.h
        phy/micrel: Rename KS80xx to KSZ80xx
        phy/micrel: Implement support for KSZ8021
        batman-adv: Fix symmetry check / route flapping in multi interface setups
        batman-adv: Fix change mac address of soft iface.
        pppoe: drop PPPOX_ZOMBIEs in pppoe_release
        team: send port changed when added
        ipv4: raw: fix icmp_filter()
        net/phy/bcm87xx: Add MODULE_LICENSE("GPL") to GPL driver
        iwlwifi: don't double free the interrupt in failure path
        cfg80211: fix possible circular lock on reg_regdb_search()
        Bluetooth: Fix not removing power_off delayed work
        Bluetooth: Fix freeing uninitialized delayed works
        Bluetooth: mgmt: Fix enabling LE while powered off
        Bluetooth: mgmt: Fix enabling SSP while powered off
      6f0f9b6b
    • E
      ipv6: mip6: fix mip6_mh_filter() · 96af69ea
      Eric Dumazet 提交于
      mip6_mh_filter() should not modify its input, or else its caller
      would need to recompute ipv6_hdr() if skb->head is reallocated.
      
      Use skb_header_pointer() instead of pskb_may_pull()
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      96af69ea
    • D
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 78cc88c4
      David S. Miller 提交于
      Included fixes:
      - fix the behaviour of batman-adv in case of virtual interface MAC change event
      - fix symmetric link check in neighbour selection
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78cc88c4
    • E
      ipv6: raw: fix icmpv6_filter() · 1b05c4b5
      Eric Dumazet 提交于
      icmpv6_filter() should not modify its input, or else its caller
      would need to recompute ipv6_hdr() if skb->head is reallocated.
      
      Use skb_header_pointer() instead of pskb_may_pull() and
      change the prototype to make clear both sk and skb are const.
      
      Also, if icmpv6 header cannot be found, do not deliver the packet,
      as we do in IPv4.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1b05c4b5
    • L
      Merge tag 'sh-for-linus' of git://github.com/pmundt/linux-sh · 9391734d
      Linus Torvalds 提交于
      Pull SuperH fix from Paul Mundt:
       "One last minute regression fix.."
      
      * tag 'sh-for-linus' of git://github.com/pmundt/linux-sh:
        sh: pfc: Fix up GPIO mux type reconfig case.
      9391734d
    • L
      Merge branch 'akpm' (sundry from Andrew) · e108a3c3
      Linus Torvalds 提交于
      Merge misc fixes from Andrew Morton:
       "One maintainer change and three bugfixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (4 commits)
        c/r: prctl: fix build error for no-MMU case
        lib/flex_proportions.c: fix corruption of denominator in flexible proportions
        checksyscalls: fix "here document" handling
        pwm-backlight: take over maintenance
      e108a3c3
  4. 25 9月, 2012 16 次提交
  5. 24 9月, 2012 7 次提交
    • K
      xen/boot: Disable NUMA for PV guests. · 8d54db79
      Konrad Rzeszutek Wilk 提交于
      The hypervisor is in charge of allocating the proper "NUMA" memory
      and dealing with the CPU scheduler to keep them bound to the proper
      NUMA node. The PV guests (and PVHVM) have no inkling of where they
      run and do not need to know that right now. In the future we will
      need to inject NUMA configuration data (if a guest spans two or more
      NUMA nodes) so that the kernel can make the right choices. But those
      patches are not yet present.
      
      In the meantime, disable the NUMA capability in the PV guest, which
      also fixes a bootup issue. Andre says:
      
      "we see Dom0 crashes due to the kernel detecting the NUMA topology not
      by ACPI, but directly from the northbridge (CONFIG_AMD_NUMA).
      
      This will detect the actual NUMA config of the physical machine, but
      will crash about the mismatch with Dom0's virtual memory. Variation of
      the theme: Dom0 sees what it's not supposed to see.
      
      This happens with the said config option enabled and on a machine where
      this scanning is still enabled (K8 and Fam10h, not Bulldozer class)
      
      We have this dump then:
      NUMA: Warning: node ids are out of bound, from=-1 to=-1 distance=10
      Scanning NUMA topology in Northbridge 24
      Number of physical nodes 4
      Node 0 MemBase 0000000000000000 Limit 0000000040000000
      Node 1 MemBase 0000000040000000 Limit 0000000138000000
      Node 2 MemBase 0000000138000000 Limit 00000001f8000000
      Node 3 MemBase 00000001f8000000 Limit 0000000238000000
      Initmem setup node 0 0000000000000000-0000000040000000
        NODE_DATA [000000003ffd9000 - 000000003fffffff]
      Initmem setup node 1 0000000040000000-0000000138000000
        NODE_DATA [0000000137fd9000 - 0000000137ffffff]
      Initmem setup node 2 0000000138000000-00000001f8000000
        NODE_DATA [00000001f095e000 - 00000001f0984fff]
      Initmem setup node 3 00000001f8000000-0000000238000000
      Cannot find 159744 bytes in node 3
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96
      Pid: 0, comm: swapper Not tainted 3.3.6 #1 AMD Dinar/Dinar
      RIP: e030:[<ffffffff81d220e6>]  [<ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96
      .. snip..
        [<ffffffff81d23024>] sparse_early_usemaps_alloc_node+0x64/0x178
        [<ffffffff81d23348>] sparse_init+0xe4/0x25a
        [<ffffffff81d16840>] paging_init+0x13/0x22
        [<ffffffff81d07fbb>] setup_arch+0x9c6/0xa9b
        [<ffffffff81683954>] ? printk+0x3c/0x3e
        [<ffffffff81d01a38>] start_kernel+0xe5/0x468
        [<ffffffff81d012cf>] x86_64_start_reservations+0xba/0xc1
        [<ffffffff81007153>] ? xen_setup_runstate_info+0x2c/0x36
        [<ffffffff81d050ee>] xen_start_kernel+0x565/0x56c
      "
      
      so we just disable NUMA scanning by setting numa_off=1.
      
      CC: stable@vger.kernel.org
      Reported-and-Tested-by: NAndre Przywara <andre.przywara@amd.com>
      Acked-by: NAndre Przywara <andre.przywara@amd.com>
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      8d54db79
    • L
      Linux 3.6-rc7 · 979570e0
      Linus Torvalds 提交于
      979570e0
    • L
      Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · 56bae802
      Linus Torvalds 提交于
      Pull kbuild fixes from Michal Marek:
       "There are two more kbuild fixes for 3.6.
      
        One fixes a race between x86's archscripts target and the rule
        (re)building scripts/basic/fixdep.  The second is a fix for the
        previous attempt at fixing make firmware_install with make 3.82.
        This new solution should work with any version of GNU make"
      
      * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        x86/kbuild: archscripts depends on scripts_basic
        firmware: fix directory creation rule matching with make 3.80
      56bae802
    • L
      Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging · 0737c8d7
      Linus Torvalds 提交于
      Pull hwmon subsystem fixes from Jean Delvare.
      
      * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
        hwmon: (fam15h_power) Tweak runavg_range on resume
        hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplug
        hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplug
      0737c8d7
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 0bf7a705
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "This is a set of four essential fixes: two oops related (bnx2i,
        virtio-scsi), one data corruption related (hpsa) and one failure to
        boot due to interrupt routing issues (mpt2ss).
      
        Signed-off-by: James Bottomley <JBottomley@Parallels.com>"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        [SCSI] hpsa: fix handling of protocol error
        [SCSI] mpt2sas: Fix for issue - Unable to boot from the drive connected to HBA
        [SCSI] bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload
        [SCSI] scsi: virtio-scsi: Fix address translation failure of HighMem pages used by sg list
      0bf7a705
    • S
      edac_mc: edac_mc_free() cannot assume mem_ctl_info is registered in sysfs. · faa2ad09
      Shaun Ruffell 提交于
      Fix potential NULL pointer dereference in edac_unregister_sysfs() on
      system boot introduced in 3.6-rc1.
      
      Since commit 7a623c03 ("edac: rewrite the sysfs code to use struct
      device") edac_mc_alloc() no longer initializes embedded kobjects in
      struct mem_ctl_info.  Therefore edac_mc_free() can no longer simply
      decrement a kobject reference count to free the allocated memory unless
      the memory controller driver module had also called edac_mc_add_mc().
      
      Now edac_mc_free() will check if the newly embedded struct device has
      been registered with sysfs before using either the standard device
      release functions or freeing the data structures itself with logic
      pulled out of the error path of edac_mc_alloc().
      
      The BUG this patch resolves for me:
      
        BUG: unable to handle kernel NULL pointer dereference at   (null)
        EIP is at __wake_up_common+0x1a/0x6a
        Process modprobe (pid: 933, ti=f3dc6000 task=f3db9520 task.ti=f3dc6000)
        Call Trace:
          complete_all+0x3f/0x50
          device_pm_remove+0x23/0xa2
          device_del+0x34/0x142
          edac_unregister_sysfs+0x3b/0x5c [edac_core]
          edac_mc_free+0x29/0x2f [edac_core]
          e7xxx_probe1+0x268/0x311 [e7xxx_edac]
          e7xxx_init_one+0x56/0x61 [e7xxx_edac]
          local_pci_probe+0x13/0x15
        ...
      
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Cc: Shaohui Xie <Shaohui.Xie@freescale.com>
      Signed-off-by: NShaun Ruffell <sruffell@digium.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      faa2ad09
    • F
      edac_mc: fix messy kfree calls in the error path · ef6e7816
      Fengguang Wu 提交于
      coccinelle warns about:
      
      + drivers/edac/edac_mc.c:429:9-23: ERROR: reference preceded by free on line 429
      
         421         if (mci->csrows) {
       > 422                 for (chn = 0; chn < tot_channels; chn++) {
         423                         csr = mci->csrows[chn];
         424                         if (csr) {
       > 425                                 for (chn = 0; chn < tot_channels; chn++)
         426                                          kfree(csr->channels[chn]);
         427                                  kfree(csr);
         428                          }
       > 429                          kfree(mci->csrows[i]);
         430                  }
         431                  kfree(mci->csrows);
         432          }
      
      and that code block seem to mess things up in several ways (double free, memory
      leak, out-of-bound reads etc.):
      
      L422: The iterator "chn" and bound "tot_channels" are totally wrong. Should be
            "row" and "tot_csrows" respectively. Which means either memory leak, or
            out-of-bound reads (which if does not trigger an immediate page fault
            error, will further lead to kfree() on random addresses).
      
      L425: The inner loop is reusing the same iterator "chn" as the outer loop,
            which could lead to premature end of the outer loop, and hence memory leak.
      
      L429: The array index 'i' in mci->csrows[i] is a temporary value used in
            previous loops, and won't change at all in the current loop. Which
            means either out-of-bound read and possibly kfree(random number), or the
            same mci->csrows[i] get freed once and again, and possibly double free
            for the kfree(csr) in L427.
      
      L426/L427: a kfree(csr->channels) is needed in between to avoid leaking the memory.
      
      The buggy code was introduced by commit de3910eb ("edac: change the mem
      allocation scheme to make Documentation/kobject.txt happy") in the 3.6-rc1
      merge window. Fix it by freeing up resources in this order:
      
        free csrows[i]->channels[j]
        free csrows[i]->channels
        free csrows[i]
        free csrows
      
      CC: Mauro Carvalho Chehab <mchehab@redhat.com>
      CC: Shaun Ruffell <sruffell@digium.com>
      Signed-off-by: NFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ef6e7816