- 09 2月, 2013 4 次提交
-
-
由 David S. Miller 提交于
Daniel Borkmann says: ==================== Cryptographically used keys should be zeroed out when our session ends resp. memory is freed, thus do not leave them somewhere in the memory. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Daniel Borkmann 提交于
On sctp_endpoint_destroy, previously used sensitive keying material should be zeroed out before the memory is returned, as we already do with e.g. auth keys when released. Signed-off-by: NDaniel Borkmann <dborkman@redhat.com> Acked-by: NVlad Yasevich <vyasevic@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Daniel Borkmann 提交于
In sctp_setsockopt_auth_key, we create a temporary copy of the user passed shared auth key for the endpoint or association and after internal setup, we free it right away. Since it's sensitive data, we should zero out the key before returning the memory back to the allocator. Thus, use kzfree instead of kfree, just as we do in sctp_auth_key_put(). Signed-off-by: NDaniel Borkmann <dborkman@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Heiko Carstens 提交于
We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the iphase atm device driver, which causes the compile error below. Unfortunately the s390 typedef can't be renamed, since it's a user visible api, nor can I change the include order in s390 code to avoid the conflict. So simply rename the iphase typedef to a new name. Fixes this compile error: In file included from drivers/atm/iphase.c:66:0: drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t' In file included from next/arch/s390/include/asm/ptrace.h:9:0, from next/arch/s390/include/asm/lowcore.h:12, from next/arch/s390/include/asm/thread_info.h:30, from include/linux/thread_info.h:54, from include/linux/preempt.h:9, from include/linux/spinlock.h:50, from include/linux/seqlock.h:29, from include/linux/time.h:5, from include/linux/stat.h:18, from include/linux/module.h:10, from drivers/atm/iphase.c:43: next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com> Acked-by: Nchas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 2月, 2013 9 次提交
-
-
由 Lucas Stach 提交于
In commit 6509141f ("usbnet: add new flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was using an already defined value, which broke drivers using flag MULTI_PACKET. Signed-off-by: NLucas Stach <dev@lynxeye.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Andrew Savchenko reported a DNS failure and we diagnosed that some UDP sockets were unable to send more packets because their sk_wmem_alloc was corrupted after a while (tx_queue column in following trace) $ cat /proc/net/udp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops ... 459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4507 2 ffff88003d612380 0 466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4802 2 ffff88003d613180 0 470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000 123 0 5552 2 ffff880039974380 0 470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4986 2 ffff88003dbd3180 0 470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4985 2 ffff88003dbd2e00 0 470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000 0 0 4984 2 ffff88003dbd2a80 0 ... Playing with skb->truesize is tricky, especially when skb is attached to a socket, as we can fool memory charging. Just remove this code, its not worth trying to be ultra precise in xmit path. Reported-by: NAndrew Savchenko <bircoph@gmail.com> Tested-by: NAndrew Savchenko <bircoph@gmail.com> Signed-off-by: NEric Dumazet <edumazet@google.com> Cc: James Chapman <jchapman@katalix.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Daniel Borkmann 提交于
For sensitive data like keying material, it is common practice to zero out keys before returning the memory back to the allocator. Thus, use kzfree instead of kfree. Signed-off-by: NDaniel Borkmann <dborkman@redhat.com> Acked-by: NNeil Horman <nhorman@tuxdriver.com> Acked-by: NVlad Yasevich <vyasevich@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch into openvswitch Jesse Gross says: ==================== One bug fix for net/3.8 for a long standing problem that was reported a few times recently. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Ian Campbell says: ==================== The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to cause netback to loop for an extended period preventing other work from occurring. CVE-2013-0217 is a memory leak on an error path which is guest triggerable. The following series contains the fixes for these issues, as previously included in Xen Security Advisory 39: http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html Changes in v2: - Typo and block comment format fixes - Added stable Cc ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ian Campbell 提交于
Signed-off-by: NIan Campbell <ian.campbell@citrix.com> Acked-by: NJan Beulich <JBeulich@suse.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ian Campbell 提交于
Signed-off-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Matthew Daley 提交于
Signed-off-by: NMatthew Daley <mattjd@gmail.com> Reviewed-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: NIan Campbell <ian.campbell@citrix.com> Acked-by: NJan Beulich <JBeulich@suse.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ian Campbell 提交于
A buggy or malicious frontend should not be able to confuse netback. If we spot anything which is not as it should be then shutdown the device and don't try to continue with the ring in a potentially hostile state. Well behaved and non-hostile frontends will not be penalised. As well as making the existing checks for such errors fatal also add a new check that ensures that there isn't an insane number of requests on the ring (i.e. more than would fit in the ring). If the ring contains garbage then previously is was possible to loop over this insane number, getting an error each time and therefore not generating any more pending requests and therefore not exiting the loop in xen_netbk_tx_build_gops for an externded period. Also turn various netdev_dbg calls which no precipitate a fatal error into netdev_err, they are rate limited because the device is shutdown afterwards. This fixes at least one known DoS/softlockup of the backend domain. Signed-off-by: NIan Campbell <ian.campbell@citrix.com> Reviewed-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: NJan Beulich <JBeulich@suse.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 07 2月, 2013 6 次提交
-
-
由 Bjørn Mork 提交于
Adding new class/subclass/protocol combinations based on the GPLed out-of-tree Huawei driver. One of these has already appeared on a device labelled as "E320". Signed-off-by: NBjørn Mork <bjorn@mork.no> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Bjørn Mork 提交于
Adding a new vendor specific class/subclass/protocol combination for CDC NCM devices based on information from a GPLed out-of-tree driver from Huawei. Signed-off-by: NBjørn Mork <bjorn@mork.no> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tommi Rantala 提交于
ip6gre_tunnel_xmit() is leaking the skb when we hit this error branch, and the -1 return value from this function is bogus. Use the error handling we already have in place in ip6gre_tunnel_xmit() for this error case to fix this. Signed-off-by: NTommi Rantala <tt.rantala@gmail.com> Acked-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ilpo Järvinen 提交于
There are transients during normal FRTO procedure during which the packets_in_flight can go to zero between write_queue state updates and firing the resulting segments out. As FRTO processing occurs during that window the check must be more precise to not match "spuriously" :-). More specificly, e.g., when packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic branch that set cwnd into zero would not be taken and new segments might be sent out later. Signed-off-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi> Tested-by: NEric Dumazet <edumazet@google.com> Acked-by: NNeal Cardwell <ncardwell@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
John W. Linville says: ==================== Please consider this pull request for the 3.8 stream... Included is a bluetooth pull. Gustavo says: "Two simple fixes for 3.8. One of the patches fixes a situation where the connection wasn't terminated if a timeout ocurrs for LE an SCO connections. The other fixes prevent NULL dereference in the SMP code, it is a security fix as well." Along with those... Hauke Mehrtens provides a couple of ssb and bcma bus fixes that prevent oopses when unloading those modules. Larry Finger provides and rtlwifi fix to avoid a "scheduling while atomic" bug. Last but certainly not least, Arend van Spriel bring a brcmsmac fix that reworks the mac80211 .flush() callback in order to avoid the dreaded brcms_c_wait_for_tx_completion warnings. This one looks a little large, but I think it is safe and isolated to brcmsmac in any case. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 John W. Linville 提交于
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
-
- 05 2月, 2013 8 次提交
-
-
由 Arend van Spriel 提交于
This patch addresses a long standing issue of the driver with the mac80211 .flush() callback. Since implementing the .flush() callback a number of issues have been fixed, but a WARN_ON_ONCE() was still triggered because the timeout on the flush could still occur. This patch changes the awkward design using msleep() into one using a waitqueue. The waiting flush() context will kick the transmit dma when it is idle and the timeout used waiting for the event is set to 500 ms. Worst case there can be 64 frames outstanding for transmit in the driver. At a rate of 1Mbps that would take 1.5 seconds assuming MTU is 1500 bytes and ignoring retries. The WARN_ON_ONCE() is also removed as this was put in to indicate the flush timeout as a reason for the driver to stall. That was not happening since fixing endless AMPDU retries with following upstream commit: commit 85091fc0 Author: Arend van Spriel <arend@broadcom.com> Date: Thu Feb 23 18:38:22 2012 +0100 brcm80211: smac: fix endless retry of A-MPDU transmissions bugzilla: 42840 <https://bugzilla.kernel.org/show_bug.cgi?id=42840> bugzilla@redhat: <https://bugzilla.redhat.com/show_bug.cgi?id=799168> bugzilla@redhat: <https://bugzilla.redhat.com/show_bug.cgi?id=787649> Cc: Jonathan Nieder <jrnieder@gmail.com> Cc: Stanislaw Gruszka <sgruszka@redhat.com> Cc: Camaleón <noelamac@gmail.com> Cc: Milan Bouchet-Valat <nalimilan@club-internet.fr> Cc: Seth Forshee <seth.forshee@canonical.com> Reviewed-by: NPieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: NHante Meuleman <meuleman@broadcom.com> Reviewed-by: NPiotr Haber <phaber@broadcom.com> Signed-off-by: NArend van Spriel <arend@broadcom.com> Acked-by: NSeth Forshee <seth.forshee@canonical.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Hauke Mehrtens 提交于
This patch unregisters the gpio chip before ssb gets unloaded. Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Hauke Mehrtens 提交于
This patch unregisters the gpio chip before bcma gets unloaded. Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de> Reported-by: NPiotr Haber <phaber@broadcom.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Larry Finger 提交于
Kernel commits 41affd52 and 6539306b changed the locking in rtl_lps_leave() from a spinlock to a mutex by doing the calls indirectly from a work queue to reduce the time that interrupts were disabled. This change was fine for most systems; however a scheduling while atomic bug was reported in https://bugzilla.redhat.com/show_bug.cgi?id=903881. The backtrace indicates that routine rtl_is_special(), which calls rtl_lps_leave() in three places was entered in atomic context. These direct calls are replaced by putting a request on the appropriate work queue. Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net> Reported-and-tested-by: NNathaniel Doherty <ntdoherty@gmail.com> Cc: Nathaniel Doherty <ntdoherty@gmail.com> Cc: Stanislaw Gruszka <sgruszka@redhat.com> Cc: Stable <stable@vger.kernel.org> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Bjørn Mork 提交于
It is normal for minidrivers accumulating frames to return NULL from their tx_fixup function. We do not want to count this as a drop, or log any debug messages. A different exit path is therefore chosen for such drivers, skipping the debug message and the tx_dropped increment. The test for accumulating drivers was however completely bogus, making the exit path selection depend on whether the user had enabled tx_err logging or not. This would arbitrarily mess up accounting for both accumulating and non-accumulating minidrivers, and would result in unwanted debug messages for the accumulating drivers. Fix by testing for FLAG_MULTI_PACKET instead, which probably was the intention from the beginning. This usage match the documented behaviour of this flag: Indicates to usbnet, that USB driver accumulates multiple IP packets. Affects statistic (counters) and short packet handling. Signed-off-by: NBjørn Mork <bjorn@mork.no> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vijay Subramanian 提交于
This patch updates LINUX_MIB_LISTENDROPS and LINUX_MIB_LISTENOVERFLOWS in tcp_v6_conn_request() and tcp_v6_err(). tcp_v6_conn_request() in particular can drop SYNs for various reasons which are not currently tracked. Signed-off-by: NVijay Subramanian <subramanian.vijay@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vijay Subramanian 提交于
This patch updates LINUX_MIB_LISTENDROPS in tcp_v4_conn_request() and tcp_v4_err(). tcp_v4_conn_request() in particular can drop SYNs for various reasons which are not currently tracked. Signed-off-by: NVijay Subramanian <subramanian.vijay@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 2月, 2013 4 次提交
-
-
由 Phil Sutter 提交于
When releasing a packet socket, the routine packet_set_ring() is reused to free rings instead of allocating them. But when calling it for the first time, it fills req->tp_block_nr with the value of rb->pg_vec_len which in the second invocation makes it bail out since req->tp_block_nr is greater zero but req->tp_block_size is zero. This patch solves the problem by passing a zeroed auto-variable to packet_set_ring() upon each invocation from packet_release(). As far as I can tell, this issue exists even since 69e3c75f (net: TX_RING and packet mmap), i.e. the original inclusion of TX ring support into af_packet, but applies only to sockets with both RX and TX ring allocated, which is probably why this was unnoticed all the time. Signed-off-by: NPhil Sutter <phil.sutter@viprinet.com> Cc: Johann Baudy <johann.baudy@gnu-log.net> Cc: Daniel Borkmann <dborkman@redhat.com> Acked-by: NDaniel Borkmann <dborkman@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pravin B Shelar 提交于
Use correct inner offset to set inner_network_offset. Found by inspection. Signed-off-by: NPravin B Shelar <pshelar@nicira.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Commit 9dc27415 (tcp: fix ABC in tcp_slow_start()) uncovered a bug in FRTO code : tcp_process_frto() is setting snd_cwnd to 0 if the number of in flight packets is 0. As Neal pointed out, if no packet is in flight we lost our chance to disambiguate whether a loss timeout was spurious. We should assume it was a proper loss. Reported-by: NPasi Kärkkäinen <pasik@iki.fi> Signed-off-by: NNeal Cardwell <ncardwell@google.com> Signed-off-by: NEric Dumazet <edumazet@google.com> Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Cc: Yuchung Cheng <ycheng@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Since commit 9dc27415 (tcp: fix ABC in tcp_slow_start()), a nul snd_cwnd triggers an infinite loop in tcp_slow_start() Avoid this infinite loop and log a one time error for further analysis. FRTO code is suspected to cause this bug. Reported-by: NPasi Kärkkäinen <pasik@iki.fi> Signed-off-by: NEric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 03 2月, 2013 2 次提交
-
-
git://gitorious.org/linux-can/linux-can由 David S. Miller 提交于
Marc Kleine-Budde says: ==================== here's a patch for net for the v3.8 release cycle. Alexander Stein noticed that the c_can hardware has a fixed bit in the IFx_MASK2 register. His patch fixes writing of this register by always setting this bit. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
1) rhine_tx() should use dev_kfree_skb() not dev_kfree_skb_irq() 2) rhine_slow_event_task's NAPI triggering logic is racey, it should just hit the interrupt mask register. This is the same as commit 7dbb4918 ("r8169: avoid NAPI scheduling delay.") made to fix the same problem in the r8169 driver. From Francois Romieu. Reported-by: NJamie Gloudon <jamie.gloudon@gmail.com> Tested-by: NJamie Gloudon <jamie.gloudon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 02 2月, 2013 2 次提交
-
-
由 David S. Miller 提交于
John W. Linville says: ==================== This is a small batch of fixes intended for the 3.8 stream... There are two pulls from Johannes. Regarding mac80211, Johannes says: "One fix from Dan for a possible memory overrun." Regarding iwlwifi, Johannes says: "I have one fix from Emmanuel reverting a previous fix that caused more trouble than it's worth." Along with those: Arend van Spriel fixes a fatal error in brcsmac related to tx status processing. Bing Zhao corrects a problem where mwifiex would fail to complete a scan in the event of an IE processing error. Larry Finger fixes a thinko in rtlwifi in which the wrong skb variable was being used in some cases. Rafał Miłecki fixes a thinko in an ID check in the bcma flash code. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 John W. Linville 提交于
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
-
- 01 2月, 2013 5 次提交
-
-
由 Alexander Stein 提交于
According to C_CAN documentation, the reserved bit in IFx_MASK2 register is fixed 1. Cc: linux-stable <stable@vger.kernel.org> Signed-off-by: NAlexander Stein <alexander.stein@systec-electronic.com> Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
-
由 Yuchung Cheng 提交于
On receiving the SYN-ACK, Fast Open checks icsk_retransmit for SYN retransmission to detect SYN/data drops. But if F-RTO is disabled, icsk_retransmit is reset at step D of tcp_fastretrans_alert() ( under tcp_ack()) before tcp_rcv_fastopen_synack(). The fix is to use total_retrans instead which accounts for SYN retransmission regardless the use of F-RTO. Signed-off-by: NYuchung Cheng <ycheng@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tom Parkin 提交于
l2tp_ip6 is incorrectly using the IPv4-specific ip_cmsg_recv to handle ancillary data. This means that socket options such as IPV6_RECVPKTINFO are not honoured in userspace. Convert l2tp_ip6 to use the IPv6-specific handler. Ref: net/ipv6/udp.c Signed-off-by: NTom Parkin <tparkin@katalix.com> Signed-off-by: NJames Chapman <jchapman@katalix.com> Signed-off-by: NChris Elston <celston@katalix.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tom Parkin 提交于
ip6_datagram_recv_ctl and ip6_datagram_send_ctl are used for handling IPv6 ancillary data. Since ip6_datagram_send_ctl is already publicly exported for use in modules, ip6_datagram_recv_ctl should also be available to support ancillary data in the receive path. Signed-off-by: NTom Parkin <tparkin@katalix.com> Signed-off-by: NJames Chapman <jchapman@katalix.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tom Parkin 提交于
The datagram_*_ctl functions in net/ipv6/datagram.c are IPv6-specific. Since datagram_send_ctl is publicly exported it should be appropriately named to reflect the fact that it's for IPv6 only. Signed-off-by: NTom Parkin <tparkin@katalix.com> Signed-off-by: NJames Chapman <jchapman@katalix.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-