1. 08 Feb, 2013 22 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e06b8405
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Revert iwlwifi reclaimed packet tracking, it causes problems for a
          bunch of folks.  From Emmanuel Grumbach.
      
       2) Work limiting code in brcmsmac wifi driver can clear tx status
          without processing the event.  From Arend van Spriel.
      
       3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger.
      
       4) l2tp tunnel delete can race with close, fix from Tom Parkin.
      
       5) pktgen_add_device() failures are not checked at all, fix from Cong
          Wang.
      
       6) Fix unintentional removal of carrier off from tun_detach(),
          otherwise we confuse userspace, from Michael S.  Tsirkin.
      
       7) Don't leak socket reference counts and ubufs in vhost-net driver,
          from Jason Wang.
      
       8) vmxnet3 driver gets its initial carrier state wrong, fix from Neil
          Horman.
      
       9) Protect against USB networking devices which spam the host with 0
          length frames, from Bjørn Mork.
      
      10) Prevent neighbour overflows in ipv6 for locally destined routes,
          from Marcelo Ricardo.  This is the best short-term fix for this, a
          longer term fix has been implemented in net-next.
      
      11) L2TP uses ipv4 datagram routines in its ipv6 code, whoops.  This
          mistake is largely because the ipv6 functions don't even have some
          kind of prefix in their names to suggest they are ipv6 specific.
          From Tom Parkin.
      
      12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from
          Yuchung Cheng.
      
      13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from
          Francois Romieu and yours truly.
      
      14) Fix infinite loops and divides by zero in TCP congestion window
          handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen.
      
      15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix
          from Phil Sutter.
      
      16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala.
      
      17) Protect XEN netback driver against hostile frontend putting garbage
          into the rings, don't leak pages in TX GOP checking, and add proper
          resource releasing in error path of xen_netbk_get_requests().  From
          Ian Campbell.
      
      18) SCTP authentication keys should be cleared out and released with
          kzfree(), from Daniel Borkmann.
      
      19) L2TP is a bit too clever trying to maintain skb->truesize, and ends
          up corrupting socket memory accounting to the point where packet
          sending is halted indefinitely.  Just remove the adjustments
          entirely, they aren't really needed.  From Eric Dumazet.
      
      20) ATM Iphase driver uses a data type with the same name as the S390
          headers, rename to fix the build.  From Heiko Carstens.
      
      21) Fix a typo in copying the inner network header offset from one SKB
          to another, from Pravin B Shelar.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
        net: sctp: sctp_endpoint_free: zero out secret key data
        net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
        atm/iphase: rename fregt_t -> ffreg_t
        net: usb: fix regression from FLAG_NOARP code
        l2tp: dont play with skb->truesize
        net: sctp: sctp_auth_key_put: use kzfree instead of kfree
        netback: correct netbk_tx_err to handle wrap around.
        xen/netback: free already allocated memory on failure in xen_netbk_get_requests
        xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
        xen/netback: shutdown the ring if it contains garbage.
        net: qmi_wwan: add more Huawei devices, including E320
        net: cdc_ncm: add another Huawei vendor specific device
        ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
        tcp: fix for zero packets_in_flight was too broad
        brcmsmac: rework of mac80211 .flush() callback operation
        ssb: unregister gpios before unloading ssb
        bcma: unregister gpios before unloading bcma
        rtlwifi: Fix scheduling while atomic bug
        net: usbnet: fix tx_dropped statistics
        tcp: ipv6: Update MIB counters for drops
        ...
    • Merge branch 'sctp_keys' · a1c83b05
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Cryptographically used keys should be zeroed out when our session
      ends resp. memory is freed, thus do not leave them somewhere in the
      memory.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sctp: sctp_endpoint_free: zero out secret key data · b5c37fe6
      Daniel Borkmann authored
      On sctp_endpoint_destroy, previously used sensitive keying material
      should be zeroed out before the memory is returned, as we already do
      with e.g. auth keys when released.
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree · 6ba542a2
      Daniel Borkmann authored
      In sctp_setsockopt_auth_key, we create a temporary copy of the user
      passed shared auth key for the endpoint or association and after
      internal setup, we free it right away. Since it's sensitive data, we
      should zero out the key before returning the memory back to the
      allocator. Thus, use kzfree instead of kfree, just as we do in
      sctp_auth_key_put().
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • atm/iphase: rename fregt_t -> ffreg_t · ab54ee80
      Heiko Carstens authored
      We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
      iphase atm device driver, which causes the compile error below.
      Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
      nor can I change the include order in s390 code to avoid the conflict.
      
      So simply rename the iphase typedef to a new name. Fixes this compile error:
      
      In file included from drivers/atm/iphase.c:66:0:
      drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
      In file included from next/arch/s390/include/asm/ptrace.h:9:0,
                       from next/arch/s390/include/asm/lowcore.h:12,
                       from next/arch/s390/include/asm/thread_info.h:30,
                       from include/linux/thread_info.h:54,
                       from include/linux/preempt.h:9,
                       from include/linux/spinlock.h:50,
                       from include/linux/seqlock.h:29,
                       from include/linux/time.h:5,
                       from include/linux/stat.h:18,
                       from include/linux/module.h:10,
                       from drivers/atm/iphase.c:43:
      next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 2a1a6e7a
      Linus Torvalds authored
      Pull drm regression fix from Dave Airlie:
       "This one fixes a sleep while locked regression that was introduced
        earlier in 3.8."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try
    • net: usb: fix regression from FLAG_NOARP code · 9c79330d
      Lucas Stach authored
      In commit 6509141f ("usbnet: add new
      flag FLAG_NOARP for usb net devices"), the newly added flag NOARP was
      using an already defined value, which broke drivers using flag
      MULTI_PACKET.
      Signed-off-by: Lucas Stach <dev@lynxeye.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: dont play with skb->truesize · 87c084a9
      Eric Dumazet authored
      Andrew Savchenko reported a DNS failure and we diagnosed that
      some UDP sockets were unable to send more packets because their
      sk_wmem_alloc was corrupted after a while (tx_queue column in
      following trace)
      
      $ cat /proc/net/udp
        sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
      ...
        459: 00000000:0270 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4507 2 ffff88003d612380 0
        466: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4802 2 ffff88003d613180 0
        470: 076A070A:007B 00000000:0000 07 FFFF4600:00000000 00:00000000 00000000   123        0 5552 2 ffff880039974380 0
        470: 010213AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4986 2 ffff88003dbd3180 0
        470: 010013AC:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4985 2 ffff88003dbd2e00 0
        470: 00FCA8C0:007B 00000000:0000 07 FFFFFB00:00000000 00:00000000 00000000     0        0 4984 2 ffff88003dbd2a80 0
      ...
      
      Playing with skb->truesize is tricky, especially when
      skb is attached to a socket, as we can fool memory charging.
      
      Just remove this code, it's not worth trying to be ultra
      precise in xmit path.
      Reported-by: Andrew Savchenko <bircoph@gmail.com>
      Tested-by: Andrew Savchenko <bircoph@gmail.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: sctp: sctp_auth_key_put: use kzfree instead of kfree · 586c31f3
      Daniel Borkmann authored
      For sensitive data like keying material, it is common practice to zero
      out keys before returning the memory back to the allocator. Thus, use
      kzfree instead of kfree.
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'fixes' of... · 6cddded4
      David S. Miller authored
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch into openvswitch
      
      Jesse Gross says:
      
      ====================
      One bug fix for net/3.8 for a long standing problem that was reported a few
      times recently.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'netback' · 0c35565b
      David S. Miller authored
      Ian Campbell says:
      
      ====================
      The Xen netback implementation contains a couple of flaws which can
      allow a guest to cause a DoS in the backend domain, potentially
      affecting other domains in the system.
      
      CVE-2013-0216 is a failure to sanity check the ring producer/consumer
      pointers which can allow a guest to cause netback to loop for an
      extended period preventing other work from occurring.
      
      CVE-2013-0217 is a memory leak on an error path which is guest
      triggerable.
      
      The following series contains the fixes for these issues, as previously
      included in Xen Security Advisory 39:
      http://lists.xen.org/archives/html/xen-announce/2013-02/msg00001.html
      
      Changes in v2:
       - Typo and block comment format fixes
       - Added stable Cc
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xen/netback: shutdown the ring if it contains garbage. · 48856286
      Ian Campbell authored
      A buggy or malicious frontend should not be able to confuse netback.
      If we spot anything which is not as it should be then shutdown the
      device and don't try to continue with the ring in a potentially
      hostile state. Well behaved and non-hostile frontends will not be
      penalised.
      
      As well as making the existing checks for such errors fatal also add a
      new check that ensures that there isn't an insane number of requests
      on the ring (i.e. more than would fit in the ring). If the ring
      contains garbage then previously it was possible to loop over this
      insane number, getting an error each time and therefore not generating
      any more pending requests and therefore not exiting the loop in
      xen_netbk_tx_build_gops for an extended period.

      Also turn various netdev_dbg calls which now precipitate a fatal error
      into netdev_err, they are rate limited because the device is shutdown
      afterwards.
      
      This fixes at least one known DoS/softlockup of the backend domain.
      Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
      Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: Jan Beulich <JBeulich@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · 124b69b6
      Linus Torvalds authored
      Pull virtio fix from Rusty Russell:
       "Obviously I forgot to push this before linux.conf.au..."
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
        virtio_console: Don't access uninitialized data.
    • Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband · bb5204c2
      Linus Torvalds authored
      Pull IB regression fixes from Roland Dreier:
      
       - Fix mlx4 VFs not working on old guests because of 64B CQE changes
      
       - Fix ill-considered sparse fix for qib
      
       - Fix IPoIB crash due to skb double destruct introduced in 3.8-rc1
      
      * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
        IB/qib: Fix for broken sparse warning fix
        mlx4_core: Fix advertisement of wrong PF context behaviour
        IPoIB: Fix crash due to skb double destruct
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 8d19514f
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "We've got corner cases for updating i_size that ceph was hitting,
        error handling for quotas when we run out of space, a very subtle
        snapshot deletion race, a crash while removing devices, and one
        deadlock between subvolume creation and the sb_internal code (thanks
        lockdep)."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: move d_instantiate outside the transaction during mksubvol
        Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata
        Btrfs: fix possible stale data exposure
        Btrfs: fix missing i_size update
        Btrfs: fix race between snapshot deletion and getting inode
        Btrfs: fix missing release of the space/qgroup reservation in start_transaction()
        Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write()
        Btrfs: do not merge logged extents if we've removed them from the tree
        btrfs: don't try to notify udev about missing devices
    • Merge tag 'pinctrl-for-v3.8-late' of... · 95436ada
      Linus Torvalds authored
      Merge tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
      
      Pull late pinctrl fixes from Linus Walleij:
       "Two patches appeared as of late, one was completely news to me, the
        other one was rotated in -next for the next merge window but turned
        out to be a showstopper.
      
         - Exynos Kconfig fixup
         - SIRF DT translation bug"
      
      * tag 'pinctrl-for-v3.8-late' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: sirf: replace of_gpio_simple_xlate by sirf specific of_xlate
        pinctrl: exynos: change PINCTRL_EXYNOS option
    • Merge tag 'stable/for-linus-3.8-rc6-tag' of... · a04521ab
      Linus Torvalds authored
      Merge tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
      
      Pull Xen fixes from Konrad Rzeszutek Wilk:
       "This has two fixes.  One is a security fix wherein we would spam the
        kernel printk buffer if one of the guests was misbehaving.  The other
        is much tamer and it was us only checking for one type of error from
        the IRQ subsystem (when allocating new IRQs) instead of for all of
        them.
      
         - Fix an IRQ allocation where we only check for a specific error (-1).
         - CVE-2013-0231 / XSA-43.  Make xen-pciback rate limit error messages
           from xen_pcibk_enable_msi{,x}()"
      
      * tag 'stable/for-linus-3.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
        xen: fix error handling path if xen_allocate_irq_dynamic fails
        xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
    • Merge tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator · 3227e04e
      Linus Torvalds authored
      Pull regulator fixes from Mark Brown:
       "Mostly driver specific fixes here, though one of them uncovered the
        issue Stephen Warren fixed with multiple OF matches getting upset due
        to a lack of cleanup."
      
      * tag 'regulator-v3.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: s2mps11: fix incorrect register for buck10
        regulator: clear state each invocation of of_regulator_match
        regulator: max8997: Fix using wrong dev argument at various places
        regulator: max77686: Fix using wrong dev argument at various places
        regulator: max8907: Fix using wrong dev argument for calling of_regulator_match
        regulator: max8998: fix incorrect min_uV value for ldo10
        regulator: tps65910: Fix using wrong dev argument for calling of_regulator_match
        regulator: tps65217: Fix using wrong dev argument for calling of_regulator_match
    • drm/ttm: fix fence locking in ttm_buffer_object_transfer, 2nd try · ff7c60c5
      Daniel Vetter authored
      This fixes up
      
      commit e8e89622
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Tue Dec 18 22:25:11 2012 +0100
      
          drm/ttm: fix fence locking in ttm_buffer_object_transfer
      
      which leaves behind a might_sleep in atomic context, since the
      fence_lock spinlock is held over a kmalloc(GFP_KERNEL) call. The fix
      is to revert the above commit and only take the lock where we need it,
      around the call to ->sync_obj_ref.
      
      v2: Fixup things noticed by Maarten Lankhorst:
      - Brown paper bag locking bug.
      - No need for kzalloc if we clear the entire thing on the next line.
      - check for bo->sync_obj (totally unlikely race, but still someone
        else could have snuck in) and clear fbo->sync_obj if it's cleared
        already.
      Reported-by: Dave Airlie <airlied@gmail.com>
      Cc: Jerome Glisse <jglisse@redhat.com>
      Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
  2. 07 Feb, 2013 1 commit
    • virtio_console: Don't access uninitialized data. · aded024a
      Sjur Brændeland authored
      Don't access uninitialized work-queue when removing device.
      The work queue is initialized only if the device is multi-queue.
      So don't call cancel_work unless this is a multi-queue device.
      
      This fixes the following panic:
      
      Kernel panic - not syncing: BUG!
      Call Trace:
      62031b28:  [<6026085d>] panic+0x16b/0x2d3
      62031b30:  [<6004ef5e>] flush_work+0x0/0x1d7
      62031b60:  [<602606f2>] panic+0x0/0x2d3
      62031b68:  [<600333b0>] memcpy+0x0/0x140
      62031b80:  [<6002d58a>] unblock_signals+0x0/0x84
      62031ba0:  [<602609c5>] printk+0x0/0xa0
      62031bd8:  [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
      62031c10:  [<6004ef5e>] flush_work+0x0/0x1d7
      62031c18:  [<60050234>] try_to_grab_pending+0x0/0x17e
      62031c38:  [<6004e984>] get_work_gcwq+0x71/0x8f
      62031c48:  [<60050539>] __cancel_work_timer+0x5b/0x115
      62031c78:  [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
      62031c98:  [<6005061c>] cancel_work_sync+0x12/0x14
      62031ca8:  [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
      62031ce8:  [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
      62031d08:  [<601cf242>] __device_release_driver+0x75/0xe4
      62031d28:  [<601cf2dd>] device_release_driver+0x2c/0x40
      62031d48:  [<601ce0dd>] driver_unbind+0x7d/0xc6
      62031d88:  [<601cd5d9>] drv_attr_store+0x27/0x29
      62031d98:  [<60115f61>] sysfs_write_file+0x100/0x14d
      62031df8:  [<600b737d>] vfs_write+0xcb/0x184
      62031e08:  [<600b58b8>] filp_close+0x88/0x94
      62031e38:  [<600b7686>] sys_write+0x59/0x88
      62031e88:  [<6001ced1>] handle_syscall+0x5d/0x80
      62031ea8:  [<60030a74>] userspace+0x405/0x531
      62031f08:  [<600d32cc>] sys_dup+0x0/0x5e
      62031f28:  [<601b11d6>] strcpy+0x0/0x18
      62031f38:  [<600be46c>] do_execve+0x10/0x12
      62031f48:  [<600184c7>] run_init_process+0x43/0x45
      62031fd8:  [<60019a91>] new_thread_handler+0xba/0xbc
      Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
      Cc: stable@kernel.org
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
  3. 06 Feb, 2013 17 commits