- 20 Apr, 2013 1 commit
-
-
Linus Torvalds authored
Commit 257b5358 ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by:
Andy Lutomirski <luto@amacapital.net> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Serge E. Hallyn <serge@hallyn.com> Cc: David S. Miller <davem@davemloft.net> Cc: stable@vger.kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Acked-by:
"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 19 Apr, 2013 20 commits
-
-
Ben Greear authored
If one does do something unfortunate and allow a bad offload bug into the kernel, this the skb_warn_bad_offload can effectively live-lock the system, filling the logs with the same error over and over. Add rate limitation to this so that box remains otherwise functional in this case. Signed-off-by:
Ben Greear <greearb@candelatech.com> Signed-off-by:
-
Arnd Bergmann authored
When building ax88796 on an ARM platform with 64-bit resource_size_t, we currently get drivers/net/ethernet/8390/ax88796.c:875: undefined reference to `__aeabi_uldivmod' because we do a division on the length of the MMIO resource. Since we know that this resource is very short, using an "unsigned long" instead of "resource_size_t" is entirely sufficient, and avoids this link-time error. Cc: Ben Dooks <ben-linux@fluff.org> Cc: netdev@vger.kernel.org Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Jitendra Kalsaria authored
Signed-off-by:
Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by:
-
Jitendra Kalsaria authored
Autoneg is supported on specific port types only. Fix the driver to advertise autoneg based on the port type. Signed-off-by:
-
Sritej Velaga authored
o Fix the driver to drop error frames in the receive path o Update error counter which was not getting incremented Signed-off-by:
Sritej Velaga <sritej.velaga@qlogic.com> Signed-off-by:
-
David S. Miller authored
Bjørn Mork says: ==================== This series adds workarounds for 3 different firmware bugs, each preventing the affected devices from working at all. I therefore humbly request that these fixes go to stable-3.8 (if still maintained) and 3.9 (either via net if still possible, or via stable if not). All 3 workarounds are applied to all devices supported by the driver. Adding quirks for specific devices was considered as an alternative, but was rejected because we have too little information about the exact distribution of the buggy firmwares. All we know is that the same bug shows up in devices from at least 3 different, and presumably independent, vendors. The workarounds have instead been designed to automatically apply when necessary, and to have as little impact as possible on unaffected devices. The series has been tested on a number of devices both with and without these bugs. The series should apply cleanly to net/master, net-next/master and stable/linux-3.8.y ==================== Signed-off-by: -
Bjørn Mork authored
We normally trust and use the CDC functional descriptors provided by a number of devices. But some of these will erroneously list the address reserved for the device end of the link. Attempting to use this on both the device and host side will naturally not work. Work around this bug by ignoring the functional descriptor and assign a random address instead in this case. Signed-off-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Bjørn Mork authored
Received packets are sometimes addressed to 00:a0:c6:00:00:00 instead of the address the device firmware should have learned from the host: 321.224126 77.16.85.204 -> 148.122.171.134 ICMP 98 Echo (ping) request id=0x4025, seq=64/16384, ttl=64 0000 82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00 .....g.....g..E. 0010 00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a .T..@.@.W.M.U..z 0020 ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00 ....b.@%.@..nQ.. 0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k............. 0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$% 0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345 0060 36 37 67 321.240607 148.122.171.134 -> 77.16.85.204 ICMP 98 Echo (ping) reply id=0x4025, seq=64/16384, ttl=55 0000 00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00 .......P......E. 0010 00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10 .T.V..7..v.z..M. 0020 55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00 U...j.@%.@..nQ.. 0030 00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15 ..k............. 0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$% 0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345 0060 36 37 67 The bogus address is always the same, and matches the address suggested by many devices as a default address. It is likely a hardcoded firmware default. The circumstances where this bug has been observed indicates that the trigger is related to timing or some other factor the host cannot control. Repeating the exact same configuration sequence that caused it to trigger once, will not necessarily cause it to trigger the next time. Reproducing the bug is therefore difficult. This opens up a possibility that the bug is more common than we can confirm, because affected devices often will work properly again after a reset. A procedure most users are likely to try out before reporting a bug. Unconditionally rewriting the destination address if the first digit of the received packet is 0, is considered an acceptable compromise since we already have to inspect this digit. The simplification will cause unnecessary rewrites if the real address starts with 0, but this is still better than adding additional tests for this particular case. Signed-off-by:
-
Bjørn Mork authored
A number of LTE devices from different vendors all suffer from the same firmware bug: Most of the packets received from the device while it is attached to a LTE network will not have an ethernet header. The devices work as expected when attached to 2G or 3G networks, sending an ethernet header with all packets. This driver is not aware of which network the modem attached to, and even if it were there are still some packet types which are always received with the header intact. All devices supported by this driver have severely limited networking capabilities: - can only transmit IPv4, IPv6 and possibly ARP - can only support a single host hardware address at any time - will only do point-to-point communcation with the host Because of this, we are able to reliably identify any bogus raw IP packets by simply looking at the 4 IP version bits. All we need to do is to avoid 4 or 6 in the first digit of the mac address. This workaround ensures this, and fix up the received packets as necessary. Given the distribution of the bug, it is believed that the source is the chipset vendor. The devices which are verified to be affected are: Huawei E392u-12 (Qualcomm MDM9200) Pantech UML290 (Qualcomm MDM9600) Novatel USB551L (Qualcomm MDM9600) Novatel E362 (Qualcomm MDM9600) It is believed that the bug depend on firmware revision, which means that possibly all devices based on the above mentioned chipset may be affected if we consider all available firmware revisions. The information about affected devices and versions is likely incomplete. As the additional overhead for packets not needing this fixup is very small, it is considered acceptable to apply the workaround to all devices handled by this driver. Reported-by:
Dan Williams <dcbw@redhat.com> Signed-off-by:
-
David S. Miller authored
Nikolay Aleksandrov says: ==================== This patch-set fixes mainly bugs on enslave failure and one occasion of a needed locking. The patches are: 1. On enslave failure mc addresses are not flushed from the slave 2. On enslave failure vlans are not cleaned up from the slave 3. On enslave failure the bond's primary and curr_active_slave are not cleaned up (which might result in use of freed memory) 4. On enslave failure netpoll is not disabled which might result in a memory leak 5. In bond_mc_swap() the bond's mc addr list is walked without netif_addr_lock, since it can be called without rtnl, add it v2: patch 01 - fix log message and remove unnecessary code move ==================== Signed-off-by:
Jay Vosburgh <fubar@us.ibm.com> Signed-off-by:
-
nikolay@redhat.com authored
Use netif_addr_lock_bh() to acquire the appropriate lock before walking. Signed-off-by:
Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by:
-
nikolay@redhat.com authored
slave_disable_netpoll() is not called upon enslave failure which would lead to a memory leak. Call slave_disable_netpoll() after err_detach as that's the first error path after enabling netpoll on that slave. Signed-off-by:
-
nikolay@redhat.com authored
On enslave failure primary_slave can point to new_slave which is to be freed, and the same applies to curr_active_slave. So check if this is the case and clean up properly after err_detach because that's the first error code path after they're set. Signed-off-by:
-
nikolay@redhat.com authored
The main problem is with vid refcount which only gets bumped up. Delete the vlans after err_detach as that's the first error path after the vlans are added. Signed-off-by:
-
nikolay@redhat.com authored
Add bond_mc_list_flush() after err_detach as that's the first error path after the addresses are added. The main issue is the mc addresses' refcount which only gets bumped up. v2: update log message and don't move code unnecessarily Signed-off-by:
-
Wei Yongjun authored
Fix to return -EINVAL when tb[TCA_FW_MASK] is set and head->mask != 0xFFFFFFFF instead of 0 (ifdef CONFIG_NET_CLS_IND and tb[TCA_FW_INDEV]), as done elsewhere in this function. Signed-off-by:
Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by:
Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by:
-
Dan Carpenter authored
The "reason" can come from skb->data[] and it hasn't been capped so it can be from 0-255 instead of just 0-6. For example in irlmp_state_dtr() the code does: reason = skb->data[3]; ... irlmp_disconnect_indication(self, reason, skb); Also LMREASON has a couple other values which don't have entries in the irlmp_reasons[] array. And 0xff is a valid reason as well which means "unknown". So far as I can see we don't actually care about "reason" except for in the debug code. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller authored
Pablo Neira Ayuso says: ==================== If time allows, please consider pulling the following patchset contains two late Netfilter fixes, they are: * Skip broadcast/multicast locally generated traffic in the rpfilter, (closes netfilter bugzilla #814), from Florian Westphal. * Fix missing elements in the listing of ipset bitmap ip,mac set type with timeout support enabled, from Jozsef Kadlecsik. ==================== Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirelessDavid S. Miller authored
John W. Linville says: ==================== A few stragglers hoping for 3.9, somewhat delayed due to my travels... On the mac80211 bits, Johannes says: "Sadly, I have another pull request -- the idle handling fix broke LED handling in some cases." and: "Yet one more! This fixes a fairly important/annoying bug -- when roaming between multiple APs of the same network, the system could get stuck thinking it was connected to the old one while it really wasn't." On top of that... Arend sends a brcmfmac patch that removes advertising a feature that isn't actually fully supported, and a brcmsmac patch that rearranges code to request firmware at IFF_UP to play more nicely with being built into the kernel. Felix gives us a minor ath9k_htc fix to support the newly released open source firmware, and an ath9k_hw initvals fix to improve device stability. Rafał Miłecki provides a fix for an ssb regression that caused a serious performance problem with b43. Zefir Kurtisi offers an ath9k fix to change some kmalloc flags to allow the DFS detector to be called in softirq context. Please let me know if there are problems. If these don't make 3.9, I'll just pull them into wireless-next -- just let me know if you want to do it that way! ==================== Signed-off-by: -
Eric Dumazet authored
commit bd090dfc (tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming()) introduced a TS ecr bug in slow path processing. 1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200> 2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001> 3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200> 4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200> (ecr 200 should be ecr 300 in packets 3 & 4) Problem is tcp_ack() can trigger send of new packets (retransmits), reflecting the prior TSval, instead of the TSval contained in the currently processed incoming packet. Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the checks, but before the actions. Reported-by:
Yuchung Cheng <ycheng@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Acked-by:
Neal Cardwell <ncardwell@google.com> Signed-off-by:
-
- 18 Apr, 2013 14 commits
-
-
Florian Westphal authored
Alex Efros reported rpfilter module doesn't match following packets: IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ] (netfilter bugzilla #814). Problem is that network stack arranges for the locally generated broadcasts to appear on the interface they were sent out, so the IFF_LOOPBACK check doesn't trigger. As -m rpfilter is restricted to PREROUTING, we can check for existing rtable instead, it catches locally-generated broad/multicast case, too. Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
Jozsef Kadlecsik authored
The type when timeout support was enabled, could not list all elements, just the first ones which could fit into one netlink message: it just did not continue listing after the first message. Reported-by:
Yoann JUET <yoann.juet@univ-nantes.fr> Signed-off-by:
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Tested-by:
-
Eric Dumazet authored
Since commit 6b923cb7 (bonding: support for IPv6 transmit hashing) bonding doesn't properly hash traffic in forwarding setups. Vitaly V. Bursov diagnosed that skb_network_header_len() returned 0 in this case. More generally, the transport header might not be in the skb head. Use pskb_may_pull() & skb_header_pointer() to get it right, and use proto_ports_offset() in bond_xmit_hash_policy_l34() to get support for more protocols than TCP and UDP. Reported-by:
Vitaly V. Bursov <vitalyb@telenet.dn.ua> Signed-off-by:
-
Ariel Elior authored
This fixes 2 issues regarding bnx2x's status blocks: 1. ethtool -c caused corruption of status blocks in FW RAM. 2. when using multi-CoS, the configuration of the timeout values of status blocks is incorrect, harming the coalescing of interrupts for such CoSs. Signed-off-by:Ariel Elior <ariele@broadcom.com> Signed-off-by:
Yuval Mintz <yuvalmin@broadcom.com> Signed-off-by:
Eilon Greenstein <eilong@broadcom.com> Signed-off-by:
-
Dmitry Kravkov authored
When loading after UNDI (e.g., Boot from SAN) the UNDI does not gracefully yield its resources; The bnx2x driver handles that release itself. During the manipulation required to release those resources, it's possible for the UNDI to try and write to memory regions which are no longer accessible, causing the PCI bus to prevent further writes from the chip. This would in turn cause DMAE timeouts later on in the driver, as the driver will be unable to use the chip's DMA engines. This patch prevents the chip from actually writing through the PCI bus in said scenario, thus allowing the release without the unfortunate by-product. Signed-off-by:
Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by:
-
John W. Linville authored
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
-
David S. Miller authored
Shahed Shaikh says: ==================== This patch series contains bug fixes for - * Loopback test failure while traffic is running. * Tx timeout and subsequent firmware reset by removing check for '(adapter->netdev->features & (NETIF_F_TSO | NETIF_F_TSO6)' from tx fast path, as per Eric's suggestion. * Typo in logs. ==================== Signed-off-by: -
Shahed Shaikh authored
o Debug logs were not matching with code functionality. o Changed dev_info to netdev_err Signed-off-by:
Shahed Shaikh <shahed.shaikh@qlogic.com> Signed-off-by:
-
Sritej Velaga authored
When driver receives a packet with gso size > 0 and when TSO is disabled, it should be transmitted as a TSO packet to prevent Tx timeout and subsequent firmware reset. Signed-off-by:
-
Jitendra Kalsaria authored
Before conducting loopback test by sending packets, driver should stop transmit queue and turn off carrier. Signed-off-by:
-
Greg Rose authored
The PF driver does not check if the administrator has already set a VF VLAN via the PF driver before setting the new VLAN. This results in the following scenario: A) Administrator sets VF <n> to VLAN 100 B) Administrator sets VF <x> to VLAN 100 C) Administrator sets VF <n> to VLAN 200 D) The VF <n> driver continues to be able to receive traffic on VLAN 100 because the VLVFB pool enable bit for that VF was left set instead of being cleared as it should be. This fix ensures that the old VLAN filter for VF <n> is first removed and the pool bit enable for VF <n> is cleared so that it no longer receives traffic on VLAN 100. Signed-off-by:
Greg Rose <gregory.v.rose@intel.com> Tested-by:
Sibai Li <sibai.li@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
Alexander Duyck authored
This patch actually reverts: igb: Support using build_skb in the case that jumbo frames are disabled The reason for reverting this patch is that it can lead to data corruption. The following flow was pointed out by Ben Hutchings: 1. skb is forwarded to another device 2. Packet headers are modified and it's put into a queue 3. Second packet is received into the other half of this page 4. Page cannot be reused, so is DMA-unmapped 5. The DMA mapping was non-coherent, so unmap copies or invalidates cache The headers added in step 2 get trashed in step 5. Reported-by:
Ben Hutchings <bhutchings@solarflare.com> Signed-off-by:
Alexander Duyck <alexander.h.duyck@intel.com> Tested-by:
Aaron Brown <aaron.f.brown@intel.com> Signed-off-by:
-
git://git.open-mesh.org/linux-mergeDavid S. Miller authored
Included changes: - fix MAC address check in case of multiple mesh interfaces Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitchDavid S. Miller authored
Jesse Gross says: ==================== Two small bug fixes for net/3.9 including the issue previously discussed where allocation of netlink notifications can fail after changes have been committed. ==================== Signed-off-by:
-
- 17 Apr, 2013 5 commits
-
-
Antonio Quartulli authored
On a multi-mesh node (a node running more than one batman-adv virtual interface) batadv_is_my_mac() has to check MAC addresses of hard interfaces belonging to the current mesh only. Signed-off-by:
Antonio Quartulli <ordex@autistici.org> Signed-off-by:
Marek Lindner <lindner_marek@yahoo.de>
-
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-clientLinus Torvalds authored
Pull Ceph fix from Sage Weil: "It's a simple fix for a hard to hit race, but low-risk and clearly correct" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: rbd: do a safe list traversal in rbd_img_request_submit()
-
Marc Zyngier authored
In the very unlikely event where a guest would be foolish enough to *read* from a write-only cache maintainance register, we end up with preemption disabled, due to a misplaced get_cpu(). Just move the "is_write" test outside of the critical section. Signed-off-by:
Marc Zyngier <marc.zyngier@arm.com> Signed-off-by:
Christoffer Dall <cdall@cs.columbia.edu> Signed-off-by:
-
Alex Elder authored
It's possible that the reference to the object request dropped inside the loop in rbd_img_request_submit() will be the last one, in which case the content of the object pointer can't be trusted. Use a safe form of the object request list traversal to avoid problems. This resolves: http://tracker.ceph.com/issues/4705Signed-off-by:Alex Elder <elder@inktank.com> Reviewed-by:
Josh Durgin <josh.durgin@inktank.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: 1) Fix erroneous netfilter drop of SIP packets generated by some Cisco phones, from Patrick McHardy. 2) Fix netfilter IPSET refcounting in list_set_add(), from Jozsef Kadlecsik. 3) Fix TCP syncookies route lookup key, we don't use the same values we would use for the usual SYN receive processing, from Dmitry Popov. 4) Fix NULL deref in bond_slave_netdev_event(), from Nikolay Aleksandrov. 5) When bonding enslave fails, we can forget to clear the IFF_BONDING bit, fix also from Nikolay Aleksandrov. 6) skb->csum_start is 16-bits, which is almost always just fine. But if we reallocate the headroom of an SKB this can push the skb->csum_start value outside of it's valid range. This can easily happen when collapsing multiple SKBs from the retransmit queue together. Fix from Thomas Graf. 7) Fix NULL deref in be2net driver due to missing check of __vlan_put_tag() return value, from Ivan Vecera. 8) tun_set_iff() returns zero instead of error code on failure, fix from Wei Yongjun. 9) Like GARP, 802 MRP needs to hold the app->lock when adding MAD events and queueing PDUs. Fix from David Ward. 10) Build fix, MVMDIO needs PHYLIB, from Thomas Petazzoni.. 11) Fix mac80211 static with ipv6 modular build, from Cong Wang. 12) If userland specifies a path cost explicitly, do not override it when the carrier state changes. From Stephen Hemminger. 13) mvnets calculates the TX queue to use incorrectly resulting in garbage pointer derefs and crashes, fix from Willy Tarreau. 14) cdc_mbim does erroneous sizeof(ETH_HLEN). Fix from Bjorn Mork. 15) IP fragmentation can leak a refcount-less route out from an RCU protected section. This results in crashes and all sorts of hard to diagnose behavior. Fix from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits) qlcnic: fix beaconing test for 82xx adapter net: drop dst before queueing fragments net: fec: fix regression in link change accounting net: cdc_mbim: remove bogus sizeof() drivers: net: ethernet: cpsw: get slave VLAN id from slave node instead of cpsw node net: mvneta: fix improper tx queue usage in mvneta_tx() esp4: fix error return code in esp_output() bridge: make user modified path cost sticky ipv6: statically link register_inet6addr_notifier() net: mvmdio: add select PHYLIB net/802/mrp: fix possible race condition when calling mrp_pdu_queue() tuntap: fix error return code in tun_set_iff() be2net: take care of __vlan_put_tag return value can: sja1000: fix handling on dt properties on little endian systems can: mcp251x: add missing IRQF_ONESHOT to request_threaded_irq netfilter: nf_nat: fix race when unloading protocol modules tcp: Reallocate headroom if it would overflow csum_start stmmac: prevent interrupt loop with MMC RX IPC Counter bonding: IFF_BONDING is not stripped on enslave failure bonding: fix netdev event NULL pointer dereference ...
-
