1. 11 Feb, 2013 19 commits
  2. 08 Feb, 2013 21 commits
    • Linus Torvalds's avatar
      Linux 3.8-rc7 · 836dc9e3
      Linus Torvalds authored
      836dc9e3
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · 39923134
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "I was going to hold these off until v3.8 was out, and send them with a
        stable tag, but as everyone else is pushing much bigger fixes which
        Linus is accepting, let's save people from the hastle of having to
        patch v3.8 back into working or use a stable kernel.
      
        Looking at the diffstat, this really is high value for its size; this
        is miniscule compared to how the -rc6 to tip diffstat currently looks.
      
        So, four patches in this set:
         - Punit Agrawal reports that the kernel no longer boots on MPCore due
           to a new assumption made in the GIC code which isn't true of
           earlier GIC designs.  This is the biggest change in this set.
         - Punit's boot log also revealed a bunch of WARN_ON() dumps caused by
           the DT-ification of the GIC support without fixing up non-DT
           Realview - which now sees a greater number of interrupts than it
           did before.
         - A fix for the DMA coherent code from Marek which uses the wrong
           check for atomic allocations; this can result in spinlock lockups
           or other nasty effects.
         - A fix from Will, which will affect all Android based platforms if
           not applied (which use the 2G:2G VM split) - this causes
           particularly 'make' to misbehave unless this bug is fixed."
      
      * 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned
        ARM: DMA mapping: fix bad atomic test
        ARM: realview: ensure that we have sufficient IRQs available
        ARM: GIC: fix GIC cpumask initialization
      39923134
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e06b8405
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Revert iwlwifi reclaimed packet tracking, it causes problems for a
          bunch of folks.  From Emmanuel Grumbach.
      
       2) Work limiting code in brcmsmac wifi driver can clear tx status
          without processing the event.  From Arend van Spriel.
      
       3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger.
      
       4) l2tp tunnel delete can race with close, fix from Tom Parkin.
      
       5) pktgen_add_device() failures are not checked at all, fix from Cong
          Wang.
      
       6) Fix unintentional removal of carrier off from tun_detach(),
          otherwise we confuse userspace, from Michael S.  Tsirkin.
      
       7) Don't leak socket reference counts and ubufs in vhost-net driver,
          from Jason Wang.
      
       8) vmxnet3 driver gets it's initial carrier state wrong, fix from Neil
          Horman.
      
       9) Protect against USB networking devices which spam the host with 0
          length frames, from Bjørn Mork.
      
      10) Prevent neighbour overflows in ipv6 for locally destined routes,
          from Marcelo Ricardo.  This is the best short-term fix for this, a
          longer term fix has been implemented in net-next.
      
      11) L2TP uses ipv4 datagram routines in it's ipv6 code, whoops.  This
          mistake is largely because the ipv6 functions don't even have some
          kind of prefix in their names to suggest they are ipv6 specific.
          From Tom Parkin.
      
      12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from
          Yuchung Cheng.
      
      13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from
          Francois Romieu and your's truly.
      
      14) Fix infinite loops and divides by zero in TCP congestion window
          handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen.
      
      15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix
          from Phil Sutter.
      
      16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala.
      
      17) Protect XEN netback driver against hostile frontend putting garbage
          into the rings, don't leak pages in TX GOP checking, and add proper
          resource releasing in error path of xen_netbk_get_requests().  From
          Ian Campbell.
      
      18) SCTP authentication keys should be cleared out and released with
          kzfree(), from Daniel Borkmann.
      
      19) L2TP is a bit too clever trying to maintain skb->truesize, and ends
          up corrupting socket memory accounting to the point where packet
          sending is halted indefinitely.  Just remove the adjustments
          entirely, they aren't really needed.  From Eric Dumazet.
      
      20) ATM Iphase driver uses a data type with the same name as the S390
          headers, rename to fix the build.  From Heiko Carstens.
      
      21) Fix a typo in copying the inner network header offset from one SKB
          to another, from Pravin B Shelar.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
        net: sctp: sctp_endpoint_free: zero out secret key data
        net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
        atm/iphase: rename fregt_t -> ffreg_t
        net: usb: fix regression from FLAG_NOARP code
        l2tp: dont play with skb->truesize
        net: sctp: sctp_auth_key_put: use kzfree instead of kfree
        netback: correct netbk_tx_err to handle wrap around.
        xen/netback: free already allocated memory on failure in xen_netbk_get_requests
        xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
        xen/netback: shutdown the ring if it contains garbage.
        net: qmi_wwan: add more Huawei devices, including E320
        net: cdc_ncm: add another Huawei vendor specific device
        ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
        tcp: fix for zero packets_in_flight was too broad
        brcmsmac: rework of mac80211 .flush() callback operation
        ssb: unregister gpios before unloading ssb
        bcma: unregister gpios before unloading bcma
        rtlwifi: Fix scheduling while atomic bug
        net: usbnet: fix tx_dropped statistics
        tcp: ipv6: Update MIB counters for drops
        ...
      e06b8405
    • David S. Miller's avatar
      Merge branch 'sctp_keys' · a1c83b05
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Cryptographically used keys should be zeroed out when our session
      ends resp. memory is freed, thus do not leave them somewhere in the
      memory.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1c83b05
    • Daniel Borkmann's avatar
      net: sctp: sctp_endpoint_free: zero out secret key data · b5c37fe6
      Daniel Borkmann authored
      On sctp_endpoint_destroy, previously used sensitive keying material
      should be zeroed out before the memory is returned, as we already do
      with e.g. auth keys when released.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b5c37fe6
    • Daniel Borkmann's avatar
      net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree · 6ba542a2
      Daniel Borkmann authored
      In sctp_setsockopt_auth_key, we create a temporary copy of the user
      passed shared auth key for the endpoint or association and after
      internal setup, we free it right away. Since it's sensitive data, we
      should zero out the key before returning the memory back to the
      allocator. Thus, use kzfree instead of kfree, just as we do in
      sctp_auth_key_put().
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ba542a2
    • Heiko Carstens's avatar
      atm/iphase: rename fregt_t -> ffreg_t · ab54ee80
      Heiko Carstens authored
      We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
      iphase atm device driver, which causes the compile error below.
      Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
      nor can I change the include order in s390 code to avoid the conflict.
      
      So simply rename the iphase typedef to a new name. Fixes this compile error:
      
      In file included from drivers/atm/iphase.c:66:0:
      drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
      In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                       from next/arch/s390/include/asm/lowcore.h:12,
                       from next/arch/s390/include/asm/thread_info.h:30,
                       from include/linux/thread_info.h:54,
                       from include/linux/preempt.h:9,
                       from include/linux/spinlock.h:50,
                       from include/linux/seqlock.h:29,
                       from include/linux/time.h:5,
                       from include/linux/stat.h:18,
                       from include/linux/module.h:10,
                       from drivers/atm/iphase.c:43:
      next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Acked-by: default avatarchas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab54ee80
    • Will Deacon's avatar
      ARM: 7641/1: memory: fix broken mmap by ensuring TASK_UNMAPPED_BASE is aligned · 79d1f5c9
      Will Deacon authored
      We have received multiple reports of mmap failures when running with a
      2:2 vm split. These manifest as either -EINVAL with a non page-aligned
      address (ending 0xaaa) or a SEGV, depending on the application. The
      issue is commonly observed in children of make, which appears to use
      bottom-up mmap (assumedly because it changes the stack rlimit).
      
      Further investigation reveals that this regression was triggered by
      394ef640 ("mm: use vm_unmapped_area() on arm architecture"), whereby
      TASK_UNMAPPED_BASE is no longer page-aligned for bottom-up mmap, causing
      get_unmapped_area to choke on misaligned addressed.
      
      This patch fixes the problem by defining TASK_UNMAPPED_BASE in terms of
      TASK_SIZE and explicitly aligns the result to 16M, matching the other
      end of the heap.
      Acked-by: default avatarNicolas Pitre <nico@linaro.org>
      Reported-by: default avatarSteve Capper <steve.capper@arm.com>
      Reported-by: default avatarJean-Francois Moine <moinejf@free.fr>
      Reported-by: default avatarChristoffer Dall <cdall@cs.columbia.edu>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      79d1f5c9
    • Russell King's avatar
      ARM: DMA mapping: fix bad atomic test · 633dc92a
      Russell King authored
      Realview fails to boot with this warning:
      BUG: spinlock lockup suspected on CPU#0, init/1
       lock: 0xcf8bde10, .magic: dead4ead, .owner: init/1, .owner_cpu: 0
      Backtrace:
      [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:cf8bde10 r5:cf83d1c0 r4:cf8bde10 r3:cf83d1c0
      [<c03294d0>] (dump_stack+0x0/0x1c) from [<c018926c>] (spin_dump+0x84/0x98)
      [<c01891e8>] (spin_dump+0x0/0x98) from [<c0189460>] (do_raw_spin_lock+0x100/0x198)
      [<c0189360>] (do_raw_spin_lock+0x0/0x198) from [<c032cbac>] (_raw_spin_lock+0x3c/0x44)
      [<c032cb70>] (_raw_spin_lock+0x0/0x44) from [<c01c9224>] (pl011_console_write+0xe8/0x11c)
      [<c01c913c>] (pl011_console_write+0x0/0x11c) from [<c002aea8>] (call_console_drivers.clone.7+0xdc/0x104)
      [<c002adcc>] (call_console_drivers.clone.7+0x0/0x104) from [<c002b320>] (console_unlock+0x2e8/0x454)
      [<c002b038>] (console_unlock+0x0/0x454) from [<c002b8b4>] (vprintk_emit+0x2d8/0x594)
      [<c002b5dc>] (vprintk_emit+0x0/0x594) from [<c0329718>] (printk+0x3c/0x44)
      [<c03296dc>] (printk+0x0/0x44) from [<c002929c>] (warn_slowpath_common+0x28/0x6c)
      [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
      [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0070ab0>] (lockdep_trace_alloc+0xd8/0xf0)
      [<c00709d8>] (lockdep_trace_alloc+0x0/0xf0) from [<c00c0850>] (kmem_cache_alloc+0x24/0x11c)
      [<c00c082c>] (kmem_cache_alloc+0x0/0x11c) from [<c00bb044>] (__get_vm_area_node.clone.24+0x7c/0x16c)
      [<c00bafc8>] (__get_vm_area_node.clone.24+0x0/0x16c) from [<c00bb7b8>] (get_vm_area_caller+0x48/0x54)
      [<c00bb770>] (get_vm_area_caller+0x0/0x54) from [<c0020064>] (__alloc_remap_buffer.clone.15+0x38/0xb8)
      [<c002002c>] (__alloc_remap_buffer.clone.15+0x0/0xb8) from [<c0020244>] (__dma_alloc+0x160/0x2c8)
      [<c00200e4>] (__dma_alloc+0x0/0x2c8) from [<c00204d8>] (arm_dma_alloc+0x88/0xa0)[<c0020450>] (arm_dma_alloc+0x0/0xa0) from [<c00beb00>] (dma_pool_alloc+0xcc/0x1a8)
      [<c00bea34>] (dma_pool_alloc+0x0/0x1a8) from [<c01a9d14>] (pl08x_fill_llis_for_desc+0x28/0x568)
      [<c01a9cec>] (pl08x_fill_llis_for_desc+0x0/0x568) from [<c01aab8c>] (pl08x_prep_slave_sg+0x258/0x3b0)
      [<c01aa934>] (pl08x_prep_slave_sg+0x0/0x3b0) from [<c01c9f74>] (pl011_dma_tx_refill+0x140/0x288)
      [<c01c9e34>] (pl011_dma_tx_refill+0x0/0x288) from [<c01ca748>] (pl011_start_tx+0xe4/0x120)
      [<c01ca664>] (pl011_start_tx+0x0/0x120) from [<c01c54a4>] (__uart_start+0x48/0x4c)
      [<c01c545c>] (__uart_start+0x0/0x4c) from [<c01c632c>] (uart_start+0x2c/0x3c)
      [<c01c6300>] (uart_start+0x0/0x3c) from [<c01c795c>] (uart_write+0xcc/0xf4)
      [<c01c7890>] (uart_write+0x0/0xf4) from [<c01b0384>] (n_tty_write+0x1c0/0x3e4)
      [<c01b01c4>] (n_tty_write+0x0/0x3e4) from [<c01acfe8>] (tty_write+0x144/0x240)
      [<c01acea4>] (tty_write+0x0/0x240) from [<c01ad17c>] (redirected_tty_write+0x98/0xac)
      [<c01ad0e4>] (redirected_tty_write+0x0/0xac) from [<c00c371c>] (vfs_write+0xbc/0x150)
      [<c00c3660>] (vfs_write+0x0/0x150) from [<c00c39c0>] (sys_write+0x4c/0x78)
      [<c00c3974>] (sys_write+0x0/0x78) from [<c0014460>] (ret_fast_syscall+0x0/0x3c)
      
      This happens because the DMA allocation code is not respecting atomic
      allocations correctly.
      
      GFP flags should not be tested for GFP_ATOMIC to determine if an
      atomic allocation is being requested.  GFP_ATOMIC is not a flag but
      a value.  The GFP bitmask flags are all prefixed with __GFP_.
      
      The rest of the kernel tests for __GFP_WAIT not being set to indicate
      an atomic allocation.  We need to do the same.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      633dc92a
    • Russell King's avatar
      ARM: realview: ensure that we have sufficient IRQs available · e210101d
      Russell King authored
      Realview EB with a rev B MPcore tile results in lots of warnings at
      boot because it can't allocate enough IRQs.  Fix this by increasing
      the number of available IRQs.
      
      WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:757 gic_init_bases+0x12c/0x2ec()
      Cannot allocate irq_descs @ IRQ96, assuming pre-allocated
      Modules linked in:
      Backtrace:
      [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002f5 r5:c042c62c r4:c044ff40 r3:c045f240
      [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
      [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029384>] (warn_slowpath_fmt+0x38/0x40)
      [<c002934c>] (warn_slowpath_fmt+0x0/0x40) from [<c042c62c>] (gic_init_bases+0x12c/0x2ec)
      [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
      [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
      [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
      [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
      ---[ end trace 1b75b31a2719ed1c ]---
      ------------[ cut here ]------------
      WARNING: at /home/rmk/git/linux-rmk/kernel/irq/irqdomain.c:234 irq_domain_add_legacy+0x80/0x140()
      Modules linked in:
      Backtrace:
      [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000000ea r5:c0081a38 r4:00000000 r3:c045f240
      [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
      [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
      [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c0081a38>] (irq_domain_add_legacy+0x80/0x140)
      [<c00819b8>] (irq_domain_add_legacy+0x0/0x140) from [<c042c64c>] (gic_init_bases+0x14c/0x2ec)
      [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
      [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
      [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
      [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
      ---[ end trace 1b75b31a2719ed1d ]---
      ------------[ cut here ]------------
      WARNING: at /home/rmk/git/linux-rmk/arch/arm/common/gic.c:762 gic_init_bases+0x170/0x2ec()
      Modules linked in:
      Backtrace:
      [<c00185d8>] (dump_backtrace+0x0/0x10c) from [<c03294e8>] (dump_stack+0x18/0x1c) r6:000002fa r5:c042c670 r4:00000000 r3:c045f240
      [<c03294d0>] (dump_stack+0x0/0x1c) from [<c00292c8>] (warn_slowpath_common+0x54/0x6c)
      [<c0029274>] (warn_slowpath_common+0x0/0x6c) from [<c0029304>] (warn_slowpath_null+0x24/0x2c)
      [<c00292e0>] (warn_slowpath_null+0x0/0x2c) from [<c042c670>] (gic_init_bases+0x170/0x2ec)
      [<c042c500>] (gic_init_bases+0x0/0x2ec) from [<c042cdc8>] (gic_init_irq+0x8c/0xd8)
      [<c042cd3c>] (gic_init_irq+0x0/0xd8) from [<c042827c>] (init_IRQ+0x1c/0x24)
      [<c0428260>] (init_IRQ+0x0/0x24) from [<c04256c8>] (start_kernel+0x1a4/0x300)
      [<c0425524>] (start_kernel+0x0/0x300) from [<70008070>] (0x70008070)
      ---[ end trace 1b75b31a2719ed1e ]---
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      e210101d
    • Russell King's avatar
      ARM: GIC: fix GIC cpumask initialization · 2bb31351
      Russell King authored
      Punit Agrawal reports:
      > I was trying to boot 3.8-rc5 on Realview EB 11MPCore using
      > realview-smp_defconfig as a starting point but the kernel failed to
      > progress past the log below (config attached).
      >
      > Pawel suggested I try reverting 384a2902 - "ARM: gic: use a private
      > mapping for CPU target interfaces" that you've authored. With this
      > commit reverted the kernel boots.
      >
      > I am not quite sure why the commit breaks 11MPCore but Pawel (cc'd)
      > might be able to shed light on that.
      
      Some early GIC implementations return zero for the first distributor
      CPU routing register.  This means we can't rely on that telling us
      which CPU interface we're connected to.  We know that these platforms
      implement PPIs for IRQs 29-31 - but we shouldn't assume that these
      will always be populated.
      
      So, instead, scan for a non-zero CPU routing register in the first
      32 IRQs and use that as our CPU mask.
      Reported-by: default avatarPunit Agrawal <punit.agrawal@arm.com>
      Reviewed-by: default avatarNicolas Pitre <nico@linaro.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      2bb31351
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 2a1a6e7a
      Linus Torvalds authored
      Pull drm regression fix from Dave Airlie:
       "This one fixes a sleep while locked regression that was introduced
        earlier in 3.8."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
      2a1a6e7a
    • Lucas Stach's avatar
      net: usb: fix regression from FLAG_NOARP code · 9c79330d
      Lucas Stach authored
      In commit 6509141f ("usbnet: add new
      flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was
      using an already defined value, which broke drivers using flag
      MULTI_PACKET.
      Signed-off-by: default avatarLucas Stach <dev@lynxeye.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c79330d
    • Eric Dumazet's avatar
      l2tp: dont play with skb->truesize · 87c084a9
      Eric Dumazet authored
      Andrew Savchenko reported a DNS failure and we diagnosed that
      some UDP sockets were unable to send more packets because their
      sk_wmem_alloc was corrupted after a while (tx_queue column in
      following trace)
      
      $ cat /proc/net/udp
        sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
      ...
        459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4507 2 ffff88003d612380 0
        466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4802 2 ffff88003d613180 0
        470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000   123        0 5552 2 ffff880039974380 0
        470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4986 2 ffff88003dbd3180 0
        470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4985 2 ffff88003dbd2e00 0
        470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000     0        0 4984 2 ffff88003dbd2a80 0
      ...
      
      Playing with skb->truesize is tricky, especially when
      skb is attached to a socket, as we can fool memory charging.
      
      Just remove this code, its not worth trying to be ultra
      precise in xmit path.
      Reported-by: default avatarAndrew Savchenko <bircoph@gmail.com>
      Tested-by: default avatarAndrew Savchenko <bircoph@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87c084a9
    • Daniel Borkmann's avatar
      net: sctp: sctp_auth_key_put: use kzfree instead of kfree · 586c31f3
      Daniel Borkmann authored
      For sensitive data like keying material, it is common practice to zero
      out keys before returning the memory back to the allocator. Thus, use
      kzfree instead of kfree.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      586c31f3
    • David S. Miller's avatar
      Merge branch 'fixes' of... · 6cddded4
      David S. Miller authored
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch into openvswitch
      
      Jesse Gross says:
      
      ====================
      One bug fix for net/3.8 for a long standing problem that was reported a few
      times recently.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cddded4
    • David S. Miller's avatar
      Merge branch 'netback' · 0c35565b
      David S. Miller authored
      Ian Campbell says:
      
      ====================
      The Xen netback implementation contains a couple of flaws which can
      allow a guest to cause a DoS in the backend domain, potentially
      affecting other domains in the system.
      
      CVE-2013-0216 is a failure to sanity check the ring producer/consumer
      pointers which can allow a guest to cause netback to loop for an
      extended period preventing other work from occurring.
      
      CVE-2013-0217 is a memory leak on an error path which is guest
      triggerable.
      
      The following series contains the fixes for these issues, as previously
      included in Xen Security Advisory 39:
      http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html
      
      Changes in v2:
       - Typo and block comment format fixes
       - Added stable Cc
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c35565b
    • Ian Campbell's avatar
    • Ian Campbell's avatar
    • Matthew Daley's avatar
    • Ian Campbell's avatar
      xen/netback: shutdown the ring if it contains garbage. · 48856286
      Ian Campbell authored
      A buggy or malicious frontend should not be able to confuse netback.
      If we spot anything which is not as it should be then shutdown the
      device and don't try to continue with the ring in a potentially
      hostile state. Well behaved and non-hostile frontends will not be
      penalised.
      
      As well as making the existing checks for such errors fatal also add a
      new check that ensures that there isn't an insane number of requests
      on the ring (i.e. more than would fit in the ring). If the ring
      contains garbage then previously is was possible to loop over this
      insane number, getting an error each time and therefore not generating
      any more pending requests and therefore not exiting the loop in
      xen_netbk_tx_build_gops for an externded period.
      
      Also turn various netdev_dbg calls which no precipitate a fatal error
      into netdev_err, they are rate limited because the device is shutdown
      afterwards.
      
      This fixes at least one known DoS/softlockup of the backend domain.
      Signed-off-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: default avatarJan Beulich <JBeulich@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      48856286