- 03 Nov, 2012 9 commits
-
-
Jeff Layton authored
The userspace cifs.idmap program generally works with the wbclient libs to generate binary SIDs in userspace. That program defines the struct that holds these values as having a max of 15 subauthorities. The kernel idmapping code however limits that value to 5. When the kernel copies those values around though, it doesn't sanity check the num_subauths value handed back from userspace or from the server. It's possible therefore for userspace to hand us back a bogus num_subauths value (or one that's valid, but greater than 5) that could cause the kernel to walk off the end of the cifs_sid->sub_auths array. Fix this by defining a new routine for copying sids and using that in all of the places that copy it. If we end up with a sid that's longer than expected then this approach will just lop off the "extra" subauths, but that's basically what the code does today already. Better approaches might be to fix this code to reject SIDs with >5 subauths, or fix it to handle the subauths array dynamically. At the same time, change the kernel to check the length of the data returned by userspace. If it's shorter than struct cifs_sid, reject it and return -EIO. If that happens we'll end up with fields that are basically uninitialized. Long term, it might make sense to redefine cifs_sid using a flexarray at the end, to allow for variable-length subauth lists, and teach the code to handle the case where the subauths array being passed in from userspace is shorter than 5 elements. Note too, that I don't consider this a security issue since you'd need a compromised cifs.idmap program. If you have that, you can do all sorts of nefarious stuff. Still, this is probably reasonable for stable. Cc: stable@kernel.org Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: "First post-Sandy pull request" 1) Fix antenna gain handling and initialization of chan->max_reg_power in wireless, from Felix Fietkau. 2) Fix nexthop handling in H.232 conntrack helper, from Julian Anastasov. 3) Only process 80211 mesh config header in certain kinds of frames, from Javier Cardona. 4) 80211 management frame header length needs to be validated, from Johannes Berg. 5) Don't access free'd SKBs in ath9k driver, from Felix Fietkay. 6) Test for permanent state correctly in VXLAN driver, from Stephen Hemminger. 7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov. 8) Fix off by one errors in bonding, from Nikolay ALeksandrov. 9) Fix divide by zero in TCP-Illinois congestion control. From Jesper Dangaard Brouer. 10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a sizeof of a sizeof, so you can size your size" Fix from Julian Anastasov. 11) Several drivers do mdiobus_free without first doing an mdiobus_unregister leading to stray pointer references. Fix from Peter Senna Tschudin. 12) Fix OOPS in l2tp_eth_create() error path, it's another danling pointer kinda situation. Fix from Tom Parkin. 13) Hardware driven by the vmxnet driver can't handle larger than 16K fragments, so split them up when necessary. From Eric Dumazet. 14) Handle zero length data length in tcp_send_rcvq() properly. Fix from Pavel Emelyanov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits) tcp-repair: Handle zero-length data put in rcv queue vmxnet3: must split too big fragments l2tp: fix oops in l2tp_eth_create() error path cxgb4: Fix unable to get UP event from the LLD drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free bnx2x: fix HW initialization using fw 7.8.x tcp: Fix double sizeof in new tcp_metrics code net: fix divide by zero in tcp algorithm illinois net: sctp: Fix typo in net/sctp bonding: fix second off-by-one error bonding: fix off-by-one error bnx2x: Disable FCoE for 57840 since not yet supported by FW bnx2x: Fix no link on 577xx 10G-baseT bnx2x: Fix unrecognized SFP+ module after driver is loaded bnx2x: Fix potential incorrect link speed provision bnx2x: Restore global registers back to default. bnx2x: Fix link down in 57712 following LFA bnx2x: Fix 57810 1G-KR link against certain switches. ixgbe: PTP get_ts_info missing software support ...
-
Pavel Emelyanov authored
When sending data into a tcp socket in repair state we should check for the amount of data being 0 explicitly. Otherwise we'll have an skb with seq == end_seq in rcv queue, but tcp doesn't expect this to happen (in particular a warn_on in tcp_recvmsg shoots). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
vmxnet3 has a 16Kbytes limit per tx descriptor, that happened to work as long as we provided PAGE_SIZE fragments. Our stack can now build larger fragments, so we need to split them to the 16kbytes boundary. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: jongman heo <jongman.heo@samsung.com> Tested-by: jongman heo <jongman.heo@samsung.com> Cc: Shreyas Bhatewara <sbhatewara@vmware.com> Reviewed-by: Bhavesh Davda <bhavesh@vmware.com> Signed-off-by: Shreyas Bhatewara <sbhatewara@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tom Parkin authored
When creating an L2TPv3 Ethernet session, if register_netdev() should fail for any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the 32k-interface limit), the netdev is freed in the error path. However, the l2tp_eth_sess structure's dev pointer is left uncleared, and this results in l2tp_eth_delete() then attempting to unregister the same netdev later in the session teardown. This results in an oops. To avoid this, clear the session dev pointer in the error path. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vipul Pandya authored
If T4 configuration file gets loaded from the /lib/firmware/cxgb4/ directory then offload capabilities of the cards were getting disabled during initialization. Hence ULDs do not get an UP event from the LLD. Signed-off-by: Jay Hernandez <jay@chelsio.com> Signed-off-by: Vipul Pandya <vipul@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Peter Senna Tschudin authored
Based on commit b27393ae Calling mdiobus_free without calling mdiobus_unregister causes BUG_ON(). This patch fixes the issue. The semantic patch that found this issue(http://coccinelle.lip6.fr/): // <smpl> @@ expression E; @@ ... when != mdiobus_unregister(E); + mdiobus_unregister(E); mdiobus_free(E); // </smpl> Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Peter Senna Tschudin authored
Based on commit b27393ae Calling mdiobus_free without calling mdiobus_unregister causes BUG_ON(). This patch fixes the issue. The semantic patch that found this issue(http://coccinelle.lip6.fr/): // <smpl> @@ expression E; @@ ... when != mdiobus_unregister(E); + mdiobus_unregister(E); mdiobus_free(E); // </smpl> Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Tested-by: Roland Stigge <stigge@antcom.de> Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dmitry Kravkov authored
Since commit 96bed4b9 (use FW 7.8.2) BRB HW block needs to be initialized using fw values for all devices. Otherwise ETS on 57712/578xx will not work. Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: Ariel Elior <ariele@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 02 Nov, 2012 16 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull power management update from Rafael J. Wysocki: "Change the email address of the powernow-k8 maintainer." * tag 'pm-for-3.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq / powernow-k8: Change maintainer's email address
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
Pull input subsystem fixes from Dmitry Torokhov: "Just a few driver fixes." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: tsc40 - remove wrong announcement of pressure support Input: lpc32xx-keys - select INPUT_MATRIXKMAP Input: pxa27x_keypad - clear pending interrupts on keypad config Input: wacom - correct bad Cintiq 24HD check Input: wacom - add INPUT_PROP_DIRECT flag to Cintiq 24HD Input: egalax_ts - get gpio from devicetree
-
git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pendingLinus Torvalds authored
Pull more scsi target fixes from Nicholas Bellinger: "This series is a second round of target fixes for v3.7-rc4 that have come into target-devel over the last days, and are important enough to be applied ASAP. All are being CC'ed to stable. The most important two are: - target: Re-add explict zeroing of INQUIRY bounce buffer memory to fix a regression for handling zero-length payloads, a bug that went during v3.7-rc1, and hit >= v3.6.3 stable. (nab + paolo) - iscsi-target: Fix a long-standing missed R2T wakeup race in TX thread processing when using a single queue slot. (Roland) Thanks to Roland & PureStorage team for helping to track down this long standing race with iscsi-target single queue slot operation. Also, the tcm_fc(FCoE) regression bug that was observed recently with -rc2 code has also been resolved with the cancel_delayed_work() return bugfix (commit c0158ca6: "workqueue: cancel_delayed_work() should return %false if work item is idle") now in -rc3. Thanks again to Yi Zou, MDR, Robert Love @ Intel for helping to track this down." * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: target: Fix incorrect usage of nested IRQ spinlocks in ABORT_TASK path iscsi-target: Fix missed wakeup race in TX thread target: Avoid integer overflow in se_dev_align_max_sectors() target: Don't return success from module_init() if setup fails target: Re-add explict zeroing of INQUIRY bounce buffer memory
-
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-stagingLinus Torvalds authored
Pull hwmon fixes from Guenter Roeck: "An e-mail address update, and fix a compile error on SPARC" * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: Only include of_match_table with CONFIG_OF_GPIO hwmon, fam15h_power: Change email address, MAINTAINERS entry
-
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frvLinus Torvalds authored
Pull FRV fixes from David Howells: "A collection of small fixes for the FRV architecture." * tag 'frv-fixes-20121102' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-frv: frv: fix the broken preempt frv: switch to saner kernel_execve() semantics FRV: Fix the new-style kernel_thread() stuff FRV: Fix the preemption handling FRV: gcc-4.1.2 also inlines weak functions FRV: Don't objcopy the GNU build_id note FRV: Add missing linux/export.h #inclusions
-
Linus Torvalds authored
Merge tag 'stable/for-linus-3.7-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen Pull Xen bugfixes from Konrad Rzeszutek Wilk: - Use appropriate macros instead of hand-rolling our own (ARM). - Fixes if FB/KBD closed unexpectedly. - Fix memory leak in /dev/gntdev ioctl calls. - Fix overflow check in xenbus_file_write. - Document cleanup. - Performance optimization when migrating guests. * tag 'stable/for-linus-3.7-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen: xen/mmu: Use Xen specific TLB flush instead of the generic one. xen/arm: use the __HVC macro xen/xenbus: fix overflow check in xenbus_file_write() xen-kbdfront: handle backend CLOSED without CLOSING xen-fbfront: handle backend CLOSED without CLOSING xen/gntdev: don't leak memory from IOCTL_GNTDEV_MAP_GRANT_REF x86: remove obsolete comment from asm/xen/hypervisor.h
-
Sasha Levin authored
This hashtable implementation is using hlist buckets to provide a simple hashtable to prevent it from getting reimplemented all over the kernel. Signed-off-by: Sasha Levin <levinsasha928@gmail.com> [ Merging this now, so that subsystems can start applying Sasha's patches that use this - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Al Viro authored
Just get %icc2 into the state we would have after local_irq_disable() and physical IRQ having happened since then. Then we can simply use preempt_schedule_irq() and be done with the whole mess. Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
David Howells authored
The kernel_thread() changes for FRV don't work, and FRV fails to boot, starting with: commit 02ce496f Author: Al Viro <viro@zeniv.linux.org.uk> Date: Tue Sep 18 22:18:51 2012 -0400 Subject: frv: split ret_from_fork, simplify kernel_thread() a lot The problem is that the userspace registers are completely cleared when a kernel thread is created and all subsequent user threads are then copied from that. Unfortunately, however, the TBR and PSR registers are restored from the pt_regs and the values they should be set to are clobbered by the memset. Instead, copy across the old user registers as normal, and then merely alter GR8 and GR9 in it if we're going to execute a kernel thread. Signed-off-by: David Howells <dhowells@redhat.com>
-
David Howells authored
Fix the preemption handling in FRV code where the PREEMPT_ACTIVE value is incorrectly loaded into the threadinfo flags rather than the threadinfo preemption count. Unfortunately, the code cannot be simply converted to use preempt_schedule_irq() as is because FRV uses virtual interrupt disablement to cut down on the cost of actually disabling interrupts and thus local_irq_enable() doesn't actually enable interrupts. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: David Howells <dhowells@redhat.com> cc: Al Viro <viro@ZenIV.linux.org.uk>
-
David Howells authored
gcc-4.1.2 inlines weak functions, which causes FRV to fail when the dummy thread_info_cache_init() gets inlined into start_kernel(). Signed-off-by: David Howells <dhowells@redhat.com>
-
David Howells authored
Don't let objcopy transfer the GNU build_id note into the loadable image as it is located at address 0 and the image ends up >3G in size. Signed-off-by: David Howells <dhowells@redhat.com>
-
David Howells authored
Add missing linux/export.h #inclusions to the FRV arch. Signed-off-by: David Howells <dhowells@redhat.com>
-
git://github.com/czankel/xtensa-linuxLinus Torvalds authored
Pull Xtensa fixes from Chris Zankel: "Some important bug fixes. With the change to uapi, there was a bug introduced that results in an empty syscall table (mult-inclusion bug). Switching to the generic thread/execve allowed us to fix a bug we had in vfork()." * tag 'xtensa-next-20121101' of git://github.com/czankel/xtensa-linux: xtensa: switch to generic sys_execve() xtensa: switch to generic kernel_execve() xtensa: switch to generic kernel_thread() xtensa: reset windowbase/windowstart when cloning the VM xtensa: use physical addresses for bus addresses xtensa: allow multi-inclusion for uapi/unistd.h
-
Jamie Lentin authored
The following fixes build errors on sparc. Without any DT support, of_match_ptr is NULL and the below is a no-op. However, if just CONFIG_OF is defined then so is of_match_ptr. All useful parts of the gpio-fan DT support rely on CONFIG_OF_GPIO anyway, so of_match_table should too. Signed-off-by: Jamie Lentin <jm@lentin.co.uk> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-
- 01 Nov, 2012 15 commits
-
-
Julian Anastasov authored
Fix double sizeof when parsing IPv6 address from user space because it breaks get/del by specific IPv6 address. Problem noticed by David Binderman: https://bugzilla.kernel.org/show_bug.cgi?id=49171Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesper Dangaard Brouer authored
Reading TCP stats when using TCP Illinois congestion control algorithm can cause a divide by zero kernel oops. The division by zero occur in tcp_illinois_info() at: do_div(t, ca->cnt_rtt); where ca->cnt_rtt can become zero (when rtt_reset is called) Steps to Reproduce: 1. Register tcp_illinois: # sysctl -w net.ipv4.tcp_congestion_control=illinois 2. Monitor internal TCP information via command "ss -i" # watch -d ss -i 3. Establish new TCP conn to machine Either it fails at the initial conn, or else it needs to wait for a loss or a reset. This is only related to reading stats. The function avg_delay() also performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its calling point in update_params(). Thus, simply fix tcp_illinois_info(). Function tcp_illinois_info() / get_info() is called without socket lock. Thus, eliminate any race condition on ca->cnt_rtt by using a local stack variable. Simply reuse info.tcpv_rttcnt, as its already set to ca->cnt_rtt. Function avg_delay() is not affected by this race condition, as its called with the socket lock. Cc: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Masanari Iida authored
Correct spelling typo in net/sctp/socket.c Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
nikolay@redhat.com authored
Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not. How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently) modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode; echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/active_slave; Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Note: Sorry for the second patch but I missed this one while checking the file. You can squash them into one patch. Signed-off-by: David S. Miller <davem@davemloft.net>
-
nikolay@redhat.com authored
Fix off-by-one error because IFNAMSIZ == 16 and when this code gets executed we stick a NULL byte where we should not. How to reproduce: with CONFIG_CC_STACKPROTECTOR=y (otherwise it may pass by silently) modprobe bonding; echo 1 > /sys/class/net/bond0/bonding/mode; echo "AAAAAAAAAAAAAAAA" > /sys/class/net/bond0/bonding/primary; Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dmitry Kravkov authored
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
Since the Warpcore supports various link types, need to set only the correct supported modes for XFI which is the serdes interface for the 10G-baseT PHY. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
When SFP+ module is plugged in after driver is already loaded, it may not be recognized, so set SFP module recognition time up to 300ms, without resetting the module power in the middle. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
Fix possible incorrect link speed provision following rapid link speed change. Clear link speed mask after each link change, and not only after link down. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
Several KR registers were not set correctly back to default after loopback test, so set those global registers over the global WC lane (zero) rather than the current lane. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
In case of link flap avoidance between PXE boot and bnx2x, set the appropriate PHY DEVAD even if LFA kicks in. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yaniv Rosner authored
Fix 1G KR link by restoring CL72 misc control register to default value rather than 0. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Barak Witkowski <barak@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds authored
Pull KVM fix from Marcelo Tosatti. * git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: fix vcpu->mmio_fragments overflow
-
Jacob Keller authored
This patch corrects the ethtool get_ts_info functon which did not state that software timestamping was supported, even though it is. Signed-off-by: Jacob Keller <jacob.e.keller@intel.com> CC: Stable <stable@vger.kernel.org> [3.5] Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Steve Hodgson authored
This patch changes core_tmr_abort_task() to use spin_lock -> spin_unlock around se_cmd->t_state_lock while spin_lock_irqsave is held via se_sess->sess_cmd_lock. Signed-off-by: Steve Hodgson <steve@purestorage.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-