1. 17 Sep, 2016 7 commits
  2. 16 Sep, 2016 16 commits
  3. 13 Sep, 2016 6 commits
    • Johannes Berg's avatar
      nl80211: validate number of probe response CSA counters · ad5987b4
      Johannes Berg authored
      Due to an apparent copy/paste bug, the number of counters for the
      beacon configuration were checked twice, instead of checking the
      number of probe response counters. Fix this to check the number of
      probe response counters before parsing those.
      
      Cc: stable@vger.kernel.org
      Fixes: 9a774c78 ("cfg80211: Support multiple CSA counters")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      ad5987b4
    • Christophe Jaillet's avatar
      drivers: net: phy: xgene: Fix 'remove' function · 440f895a
      Christophe Jaillet authored
      If 'IS_ERR(pdata->clk)' is true, then 'clk_disable_unprepare(pdata->clk)'
      will do nothing.
      
      It is likely that 'if (!IS_ERR(pdata->clk))' was expected here.
      In fact, the test can even be removed because 'clk_disable_unprepare'
      already handles such cases.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      440f895a
    • Xin Long's avatar
      sctp: hold the transport before using it in sctp_hash_cmp · 715f5552
      Xin Long authored
      Since commit 4f008781 ("sctp: apply rhashtable api to send/recv
      path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
      in which it compares the members of the transport with the rhashtable
      args to check if it's the right transport.
      
      But sctp uses the transport without holding it in sctp_hash_cmp, it can
      cause a use-after-free panic. As after it gets transport from hashtable,
      another CPU may close the sk and free the asoc. In sctp_association_free,
      it frees all the transports, meanwhile, the assoc's refcnt may be reduced
      to 0, assoc can be destroyed by sctp_association_destroy.
      
      So after that, transport->assoc is actually an unavailable memory address
      in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
      can not avoid this, as assoc is not freed by RCU.
      
      This patch is to hold the transport before checking it's members with
      sctp_transport_hold, in which it checks the refcnt first, holds it if
      it's not 0.
      
      Fixes: 4f008781 ("sctp: apply rhashtable api to send/recv path")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      715f5552
    • Baoquan He's avatar
      bnx2: Reset device during driver initialization · 3e1be7ad
      Baoquan He authored
      When system enters into kdump kernel because of kernel panic, it won't
      shutdown devices. On-flight DMA will continue transferring data until
      device driver initializes. All devices are supposed to reset during
      driver initialization. And this property is used to fix the kdump
      failure in system with intel iommu. Other systems with hardware iommu
      should be similar. Please check commit 091d42e4 ("iommu/vt-d: Copy
      translation tables from old kernel") and those commits around.
      
      But bnx2 driver doesn't reset device during driver initialization. The
      device resetting is deferred to net device up stage. This will cause
      hardware iommu handling failure on bnx2 device. And its resetting relies
      on firmware. So in this patch move the firmware requesting code to earlier
      bnx2_init_one(), then next call bnx2_reset_chip to reset device.
      Signed-off-by: default avatarBaoquan He <bhe@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3e1be7ad
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 67b9f0b7
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Endianess fix for the new nf_tables netlink trace infrastructure,
         NFTA_TRACE_POLICY endianess was not correct, patch from Liping Zhang.
      
      2) Fix broken re-route after userspace queueing in nf_tables route
         chain. This patch is large but it is simple since it is just getting
         this code in sync with iptable_mangle. Also from Liping.
      
      3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info()
         fails to setup the NAT conntrack extension. This problem has been
         there since the beginning, but it can now show up after rhashtable
         conversion.
      
      4) Fix possible NULL pointer dereference due to failures in allocating
         the synproxy and seqadj conntrack extensions, from Gao feng.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67b9f0b7
    • Gao Feng's avatar
      netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions · 4440a2ab
      Gao Feng authored
      When memory is exhausted, nfct_seqadj_ext_add may fail to add the
      synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
      check if get valid seqadj pointer by the nfct_seqadj.
      
      Now drop the packet directly when fail to add seqadj extension to
      avoid dereference NULL pointer in nf_ct_seqadj_init from
      init_conntrack().
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      4440a2ab
  4. 12 Sep, 2016 11 commits