- 11 Nov, 2010 1 commit
-
-
David S. Miller authored
As noted by Steve Chen, since commit f5fff5dc ("tcp: advertise MSS requested by user") we can end up with a situation where tcp_select_initial_window() does a divide by a zero (or even negative) mss value. The problem is that sometimes we effectively subtract TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss. Fix this by increasing the minimum from 8 to 64. Reported-by:
Steve Chen <schen@mvista.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 10 Nov, 2010 4 commits
-
-
Eric Dumazet authored
Robin Holt tried to boot a 16TB machine and found some limits were reached : sysctl_tcp_mem[2], sysctl_udp_mem[2] We can switch infrastructure to use long "instead" of "int", now atomic_long_t primitives are available for free. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Reported-by:
Robin Holt <holt@sgi.com> Reviewed-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Vasiliy Kulikov authored
packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by:
Vasiliy Kulikov <segooon@gmail.com> Signed-off-by:
-
David S. Miller authored
There is a possibility malicious users can get limited information about uninitialized stack mem array. Even if sk_run_filter() result is bound to packet length (0 .. 65535), we could imagine this can be used by hostile user. Initializing mem[] array, like Dan Rosenberg suggested in his patch is expensive since most filters dont even use this array. Its hard to make the filter validation in sk_chk_filter(), because of the jumps. This might be done later. In this patch, I use a bitmap (a single long var) so that only filters using mem[] loads/stores pay the price of added security checks. For other filters, additional cost is a single instruction. [ Since we access fentry->k a lot now, cache it in a local variable and mark filter entry pointer as const. -DaveM ] Reported-by:
Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by:
-
Vasiliy Kulikov authored
Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct, also the struct has padding bytes between sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. Signed-off-by:
-
- 09 Nov, 2010 5 commits
-
-
Eric Dumazet authored
Followup of commit ef885afb (net: use rcu_barrier() in rollback_registered_many) dst_dev_event() scans a garbage dst list that might be feeded by various network notifiers at device dismantle time. Its important to call dst_dev_event() after other notifiers, or we might enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER, dev) to properly remove last device references. Use priority -10 to let dst_dev_notifier be called after other network notifiers (they have the default 0 priority) Reported-by:
Ben Greear <greearb@candelatech.com> Reported-by:
Nicolas Dichtel <nicolas.dichtel@6wind.com> Reported-by:
Octavian Purdila <opurdila@ixiacom.com> Reported-by:
Benjamin LaHaise <bcrl@kvack.org> Tested-by:
-
Kulikov Vasiliy authored
Structure sockaddr_tipc is copied to userland with padding bytes after "id" field in union field "name" unitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. Signed-off-by:
-
françois romieu authored
As device_set_wakeup_enable can now sleep, move the call to outside the critical section. Signed-off-by:
Daniel J Blueman <daniel.blueman@gmail.com> Acked-by:
Rafael J. Wysocki <rjw@sisk.pl> Acked-by:
Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by:
-
françois romieu authored
The original patch helps under obscure conditions (no pun) but some 8168 do not like it. The change needs to be tightened with a specific 8168 version. This reverts commit 801e147c ("r8169: Handle rxfifo errors on 8168 chips"). Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882Signed-off-by:
Francois Romieu <romieu@fr.zoreil.com> Tested-by:
Andreas Radke <a.radke@arcor.de> Cc: Matthew Garrett <mjg@redhat.com> Cc: Daniel J Blueman <daniel.blueman@gmail.com> Signed-off-by:
-
Eric Dumazet authored
commit 8723e1b4 (inet: RCU changes in inetdev_by_index()) forgot one call site in ip_mc_drop_socket() We should not decrease idev refcount after inetdev_by_index() call, since refcount is not increased anymore. Reported-by:
Markus Trippelsdorf <markus@trippelsdorf.de> Reported-by:
Miles Lane <miles.lane@gmail.com> Signed-off-by:
-
- 08 Nov, 2010 11 commits
-
-
Pavel Emelyanov authored
The sgs allocation error path leaks the allocated message. Signed-off-by:
Pavel Emelyanov <xemul@openvz.org> Acked-by:
Andy Grover <andy.grover@oracle.com> Signed-off-by:
-
Frank Blaschka authored
QDIO is running independent from netdevice state. We are not allowed to schedule NAPI in case the netdevice is not open. Signed-off-by:
Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by:
-
Ursula Braun authored
For a certain Hipersockets specific error code in the xmit path, the qeth driver tries to invoke dev_queue_xmit again. Commit 79640a4c introduces a busylock causing locking problems in case of re-invoked dev_queue_xmit by qeth. This patch removes the attempts to retry packet sending with dev_queue_xmit from the qeth driver. Signed-off-by:
Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by:
-
Junchang Wang authored
This fix a bug reported by backyes. Right the first time pktgen's using queue_map that's not been initialized by set_cur_queue_map(pkt_dev); Signed-off-by:
Junchang Wang <junchangwang@gmail.com> Signed-off-by:
Backyes <backyes@mail.ustc.edu.cn> Signed-off-by:
-
Guillaume Chazarain authored
After e6484930: net: allocate tx queues in register_netdevice These calls make net drivers oops at load time, so let's avoid people git-bisect'ing known problems. Signed-off-by:
Guillaume Chazarain <guichaz@gmail.com> Signed-off-by:
-
Guillaume Chazarain authored
After e6484930: net: allocate tx queues in register_netdevice It causes an Oops at skge_probe() time. Signed-off-by:
-
Shan Wei authored
The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int, and offset is int. Without this patch, type conversion occurred to this expression, when (FRAG6_CB(prev)->offset + prev->len) is less than offset. Signed-off-by:
Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by:
-
stephen hemminger authored
The basic classifier keeps statistics but does not report it to user space. This showed up when using basic classifier (with police) as a default catch all on ingress; no statistics were reported. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
-
David Woodhouse authored
Signed-off-by:
David Woodhouse <David.Woodhouse@intel.com> Signed-off-by:
-
David Woodhouse authored
The existing 'FirmwareVersion' attribute only covers the DSP firmware as provided by Conexant; not the overall version of the device firmware. We do want to be able to see the full version number too. Signed-off-by:
-
Paul Mundt authored
Presently the b43legacy build fails on an sh randconfig: In file included from include/net/dst.h:12, from drivers/net/wireless/b43legacy/xmit.c:32: include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__' before '____cacheline_aligned_in_smp' include/net/dst_ops.h: In function 'dst_entries_get_fast': include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_get_slow': include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_add': include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_init': include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_destroy': include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named 'pcpuc_entries' make[5]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1 make[5]: *** Waiting for unfinished jobs.... Signed-off-by:Paul Mundt <lethal@linux-sh.org> Signed-off-by:
-
- 07 Nov, 2010 1 commit
-
-
Dmitry Torokhov authored
This should fix the following warning: net/core/pktgen.c: In function ‘pktgen_if_write’: net/core/pktgen.c:890: warning: comparison of distinct pointer types lacks a cast Signed-off-by:
Dmitry Torokhov <dtor@mail.ru> Reviewed-by:
Nelson Elhage <nelhage@ksplice.com> Signed-off-by:
-
- 04 Nov, 2010 17 commits
-
-
Nelson Elhage authored
We were using nlmsg_find_attr() to look up the bytecode by attribute when auditing, but then just using the first attribute when actually running bytecode. So, if we received a message with two attribute elements, where only the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different bytecode strings. Fix this by consistently using nlmsg_find_attr everywhere. Signed-off-by:
Thomas Graf <tgraf@infradead.org> Signed-off-by:
-
Nelson Elhage authored
This will let us use it on a nlmsghdr stored inside a netlink_callback. Signed-off-by:
-
Eric Dumazet authored
After commit ebc0ffae (RCU conversion of fib_lookup()), fib_result_assign() should not change fib refcounts anymore. Thanks to Michael who did the bisection and bug report. Reported-by:
Michael Ellerman <michael@ellerman.id.au> Tested-by:
-
Jan Engelhardt authored
Signed-off-by:
Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
-
-
Herbert Xu authored
Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by:
Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by:
Li Zefan <lizf@cn.fujitsu.com> Signed-off-by:
-
andrew hendry authored
Signed-of-by:
-
Xiaotian Feng authored
There're some percpu_counter list corruption and poison overwritten warnings in recent kernel, which is resulted by fc66f95c. commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel init the percpu_counter for dst entries, but, the percpu_counter is never destroyed in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter is still on the list, then if we insert/remove other percpu_counter, list corruption resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of the freed value, the poison overwritten is resulted then. With the following patch, the percpu_counter list corruption and poison overwritten warnings disappeared. Signed-off-by:
Xiaotian Feng <dfeng@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Acked-by:
-
Pavel Emelyanov authored
All the rds_tcp_connection objects are stored list, but when being freed it should be removed from there. Signed-off-by:
-
Pavel Emelyanov authored
The conn is removed from list in there and this requires proper lock protection. Signed-off-by:
-
Eric Dumazet authored
Its now illegal to call netif_stop_queue() before register_netdev() Signed-off-by:
-
Eric Dumazet authored
Its now illegal to call netif_stop_queue() before register_netdev() Reported-by:
Tom Gundersen <teg@jklm.no> Signed-off-by:
-
Amerigo Wang authored
Quote from Amit Salecha: "Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already submitted and its present in linux-firmware.git. I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?" We have to remove these, otherwise we will get wrong info from modinfo. Signed-off-by:
WANG Cong <amwang@redhat.com> Cc: Amit Kumar Salecha <amit.salecha@qlogic.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com> Cc: Narender Kumar <narender.kumar@qlogic.com> Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>-- Signed-off-by:
-
sjur.brandeland@stericsson.com authored
Signed-off-by:
Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by:
-
Sjur Brændeland authored
Signed-off-by:
-
André Carvalho de Matos authored
Changes: o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute priority instead. o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute ifindex instead. o Wrong assert statement for RFM layer segmentation. o CAIF Debug channels was not working over SPI, caif_payload_info containing padding info must be initialized. o Check on pointer before dereferencing when unregister dev in caif_dev.c Signed-off-by:
-
John Faith authored
The SMSC911x supports 128 x 8-bit EEPROMs. Increase the EEPROM size so more than just the MAC address can be stored. Signed-off-by:
John Faith <jfaith7@gmail.com> Signed-off-by:
-
- 03 Nov, 2010 1 commit
-
-
Vasiliy Kulikov authored
Structure ipt_getinfo is copied to userland with the field "name" that has the last elements unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
