  1. 06 Oct, 2010 2 commits
    • caif: fix two caif_connect() bugs · 79315068
      Eric Dumazet authored
      caif_connect() might dereference a netdevice after dev_put() it.
      
      It also doesn't check dev_get_by_index() return value and could
      dereference a NULL pointer.
      
      Fix it, using RCU to avoid taking a reference.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Sjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bonding: fix WARN_ON when writing to bond_master sysfs file · 27e6f065
      Neil Horman authored
      Fix a WARN_ON failure in bond_masters sysfs file
      
      Got a report of this warning recently
      
      bonding: bond0 is being created...
      ------------[ cut here ]------------
      WARNING: at fs/proc/generic.c:590 proc_register+0x14d/0x185()
      Hardware name: ProLiant BL465c G1
      proc_dir_entry 'bonding/bond0' already registered
      Modules linked in: bonding ipv6 tg3 bnx2 shpchp amd64_edac_mod edac_core
      ipmi_si
      ipmi_msghandler serio_raw i2c_piix4 k8temp edac_mce_amd hpwdt microcode hpsa
      cc
      iss radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded:
      scsi_wai
      t_scan]
      Pid: 935, comm: ifup-eth Not tainted 2.6.33.5-124.fc13.x86_64 #1
      Call Trace:
      [<ffffffff8104b54c>] warn_slowpath_common+0x77/0x8f
      [<ffffffff8104b5b1>] warn_slowpath_fmt+0x3c/0x3e
      [<ffffffff8114bf0b>] proc_register+0x14d/0x185
      [<ffffffff8114c20c>] proc_create_data+0x87/0xa1
      [<ffffffffa0211e9b>] bond_create_proc_entry+0x55/0x95 [bonding]
      [<ffffffffa0215e5d>] bond_init+0x95/0xd0 [bonding]
      [<ffffffff8138cd97>] register_netdevice+0xdd/0x29e
      [<ffffffffa021240b>] bond_create+0x8e/0xb8 [bonding]
      [<ffffffffa021c4be>] bonding_store_bonds+0xb3/0x1c1 [bonding]
      [<ffffffff812aec85>] class_attr_store+0x27/0x29
      [<ffffffff8115423d>] sysfs_write_file+0x10f/0x14b
      [<ffffffff81101acf>] vfs_write+0xa9/0x106
      [<ffffffff81101be2>] sys_write+0x45/0x69
      [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
      ---[ end trace a677c3f7f8b16b1e ]---
      bonding: Bond creation failed.
      
      It happens because a user space writer to bond_master can try to
      register an already existing bond interface name.  Fix it by teaching
      bond_create to check for the existence of devices with that name first
      in cases where a non-NULL name parameter has been passed in
      Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 05 Oct, 2010 6 commits
  3. 04 Oct, 2010 6 commits
    • sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() · 51e97a12
      Dan Rosenberg authored
      The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
      array and attempts to ensure that only a supported hmac entry is
      returned.  The current code fails to do this properly - if the last id
      in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
      id integer remains set after exiting the loop, and the address of an
      out-of-bounds entry will be returned and subsequently used in the parent
      function, causing potentially ugly memory corruption.  This patch resets
      the id integer to 0 on encountering an invalid id so that NULL will be
      returned after finishing the loop if no valid ids are found.
      Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
      Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: prevent reading out-of-bounds memory · d7e0d19a
      Dan Rosenberg authored
      Two user-controlled allocations in SCTP are subsequently dereferenced as
      sockaddr structs, without checking if the dereferenced struct members fall
      beyond the end of the allocated chunk.  There doesn't appear to be any
      information leakage here based on how these members are used and
      additional checking, but it's still worth fixing.
      
      [akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion]
      Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
      Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: correct IGMP behavior on v3 query during v2-compatibility mode · 5b7c8406
      David Stevens authored
      A recent patch to allow IGMPv2 responses to IGMPv3 queries
      bypasses length checks for valid query lengths, incorrectly
      resets the v2_seen timer, and does not support IGMPv1.
      
      The following patch responds with a v2 report as required
      by IGMPv2 while correcting the other problems introduced
      by the patch.
      Signed-Off-By: David L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netdev: Depend on INET before selecting INET_LRO · 10ccff62
      Ben Hutchings authored
      Since 'select' ignores dependencies, drivers that select INET_LRO must
      depend on INET.  This fixes the broken configuration reported in
      <http://article.gmane.org/gmane.linux.kernel/825646>.
      Reported-by: Subrata Modak <subrata@linux.vnet.ibm.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Revert "ipv4: Make INET_LRO a bool instead of tristate." · c5d35571
      Ben Hutchings authored
      This reverts commit e81963b1.
      
      LRO is now deprecated in favour of GRO, and only a few drivers use it,
      so it is desirable to build it as a module in distribution kernels.
      
      The original change to prevent building it as a module was made in an
      attempt to avoid the case where some dependents are set to y and some
      to m, and INET_LRO can be set to m rather than y.  However, the
      Kconfig system will reliably set INET_LRO=y in this case.
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Fix the condition passed to sk_wait_event() · 482964e5
      Nagendra Tomar authored
      This patch fixes the condition (3rd arg) passed to sk_wait_event() in
      sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
      causes the following soft lockup in tcp_sendmsg() when the global tcp
      memory pool has exhausted.
      
      >>> snip <<<
      
      localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
      localhost kernel: CPU 3:
      localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
      localhost kernel:
      localhost kernel: Call Trace:
      localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
      localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
      localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
      localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
      localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
      localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
      
      >>> snip <<<
      
      What is happening is, that the sk_wait_event() condition passed from
      sk_stream_wait_memory() evaluates to true for the case of tcp global memory
      exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
      which causes sk_wait_event() to *not* call schedule_timeout().
      Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
      This causes the caller to again try allocation, which again fails and again
      calls sk_stream_wait_memory(), and so on.
      
      [ Bug introduced by commit c1cbe4b7
        ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
      Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 03 Oct, 2010 1 commit
  5. 01 Oct, 2010 1 commit
  6. 30 Sep, 2010 3 commits
  7. 29 Sep, 2010 1 commit
  8. 28 Sep, 2010 3 commits
  9. 27 Sep, 2010 15 commits
  10. 26 Sep, 2010 2 commits
    • de2104x: fix TP link detection · ca9a7835
      Ondrej Zary authored
      Compex FreedomLine 32 PnP-PCI2 cards have only TP and BNC connectors but the
      SROM contains AUI port too. When TP loses link, the driver switches to
      non-existing AUI port (which reports that carrier is always present).
      
      Connecting TP back generates LinkPass interrupt but de_media_interrupt() is
      broken - it only updates the link state of currently connected media, ignoring
      the fact that LinkPass and LinkFail bits of MacStatus register belong to the
      TP port only (the chip documentation says that).
      
      This patch changes de_media_interrupt() to switch media to TP when link goes
      up (and media type is not locked) and also to update the link state only when
      the TP port is used.
      
      Also the NonselPortActive (and also SelPortActive) bits of SIAStatus register
      need to be cleared (by writing 1) after reading or they're useless.
      Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
      Acked-by: Jeff Garzik <jgarzik@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • de2104x: fix power management · b0255a02
      Ondrej Zary authored
      At least my 21041 cards come out of suspend with bus mastering disabled so
      they did not work after resume (no data transferred).
      After adding pci_set_master(), the driver oopsed immediately on resume -
      because de_clean_rings() is called on suspend but de_init_rings() call
      was missing in resume.
      
      Also disable link (reset SIA) before sleep (de4x5 does this too).
      Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
      Acked-by: Jeff Garzik <jgarzik@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>