- 11 Jul, 2016 4 commits
-
-
Eric Dumazet authored
Yue Cao claims that current host rate limiting of challenge ACKS (RFC 5961) could leak enough information to allow a patient attacker to hijack TCP sessions. He will soon provide details in an academic paper. This patch increases the default limit from 100 to 1000, and adds some randomization so that the attacker can no longer hijack sessions without spending a considerable amount of probes. Based on initial analysis and patch from Linus. Note that we also have per socket rate limiting, so it is tempting to remove the host limit in the future. v2: randomize the count of challenge acks per second, not the period. Fixes: 282f23c6 ("tcp: implement RFC 5961 3.2") Reported-by:
Yue Cao <ycao009@ucr.edu> Signed-off-by:
Eric Dumazet <edumazet@google.com> Suggested-by:
Linus Torvalds <torvalds@linux-foundation.org> Cc: Yuchung Cheng <ycheng@google.com> Cc: Neal Cardwell <ncardwell@google.com> Acked-by:
Neal Cardwell <ncardwell@google.com> Acked-by:
Yuchung Cheng <ycheng@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Michal Kubeček authored
If socket filter truncates an udp packet below the length of UDP header in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if kernel is configured that way) can be easily enforced by an unprivileged user which was reported as CVE-2016-6162. For a reproducer, see http://seclists.org/oss-sec/2016/q3/8 Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing") Reported-by:
Marco Grassi <marco.gra@gmail.com> Signed-off-by:
Michal Kubecek <mkubecek@suse.cz> Acked-by:
Willem de Bruijn <willemb@google.com> Signed-off-by:
-
Colin Ian King authored
rc is not initialized so it can contain garbage if it is not set by the call to bnxt_read_sfp_module_eeprom_info. Ensure garbage is not returned by initializing rc to 0. Signed-off-by:
Colin Ian King <colin.king@canonical.com> Acked-by:
Michael Chan <michael.chan@broadcom.com> Signed-off-by:
-
git://git.open-mesh.org/linux-mergeDavid S. Miller authored
Simon Wunderlich says: ==================== Here are a couple batman-adv bugfix patches, all by Sven Eckelmann: - Fix possible NULL pointer dereference for vlan_insert_tag (two patches) - Fix reference handling in some features, which may lead to reference leaks or invalid memory access (four patches) - Fix speedy join: DHCP packets handled by the gateway feature should be sent with 4-address unicast instead of 3-address unicast to make speedy join work. This fixes/speeds up DHCP assignment for clients which join a mesh for the first time. (one patch) ==================== Signed-off-by:
-
- 09 Jul, 2016 10 commits
-
-
Eric Dumazet authored
In the prep work I did before enabling BH while handling socket backlog, I missed two points in DCCP : 1) dccp_v4_ctl_send_reset() uses bh_lock_sock(), assuming BH were blocked. It is not anymore always true. 2) dccp_v4_route_skb() was using __IP_INC_STATS() instead of IP_INC_STATS() A similar fix was done for TCP, in commit 47dcc20a ("ipv4: tcp: ip_send_unicast_reply() is not BH safe") Fixes: 7309f882 ("dccp: do not assume DCCP code is non preemptible") Fixes: 5413d1ba ("net: do not block BH while processing socket backlog") Signed-off-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
-
David S. Miller authored
Thomas Falcon says: ==================== ibmvnic driver bugfixes and improvements Miscellaneous fixes and improvements on the ibmvnic driver. ==================== Signed-off-by: -
Thomas Falcon authored
In some cases, if there is no VNIC server available during the driver probe, the driver should wait until it receives an initialization request from the VNIC Server to start the login process. Recent testing has show that this is incorrectly handled in the current driver. The proposed solution handles this initialization request by scheduling a task in the shared workqueue that completes the login process and registers the net device. Signed-off-by:
Thomas Falcon <tlfalcon@linux.vnet.ibm.com> Signed-off-by:
-
Thomas Falcon authored
This patch creates a function that handles sub-CRQ IRQ creation separately from sub-CRQ initialization. Another function is then needed to release sub-CRQ resources prior to sub-CRQ IRQ creation. These additions allow the driver probe function to be simplified, specifically during the VNIC Server login process. A timeout is also included while waiting for completion of the login process in case the VNIC Server is not available or some other error occurs. Signed-off-by:
-
Thomas Falcon authored
IRQ mappings were not being properly disposed when releasing sub-CRQ's. Signed-off-by:
-
Thomas Falcon authored
Since ibmvnic uses multiple tx queues, start and stop all queues when opening and closing devices. Signed-off-by:
-
David S. Miller authored
Merge tag 'mac80211-for-davem-2016-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Two more fixes: * handle allocation failures in new(ish) A-MSDU decapsulation * don't leak memory on nl80211 ACL parse errors ==================== Signed-off-by:
-
hayeswang authored
The LAN_WAKE_EN is not used to determine if the device could support WOL. It is used to signal a GPIO pin when a WOL event occurs. The WOL still works even though it is disabled. Signed-off-by:
Hayes Wang <hayeswang@realtek.com> Signed-off-by:
-
WANG Cong authored
Matt reported that we have a NULL pointer dereference in ppp_pernet() from ppp_connect_channel(), i.e. pch->chan_net is NULL. This is due to that a parallel ppp_unregister_channel() could happen while we are in ppp_connect_channel(), during which pch->chan_net set to NULL. Since we need a reference to net per channel, it makes sense to sync the refcnt with the life time of the channel, therefore we should release this reference when we destroy it. Fixes: 1f461dcd ("ppp: take reference on channels netns") Reported-by:
Matt Bennett <Matt.Bennett@alliedtelesis.co.nz> Cc: Paul Mackerras <paulus@samba.org> Cc: linux-ppp@vger.kernel.org Cc: Guillaume Nault <g.nault@alphalink.fr> Cc: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by:
Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by:
Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by:
-
Dmitri Epshtein authored
Commit aebea2ba ("net: mvneta: fix Tx interrupt delay") intended to set coalescing threshold to a value guaranteeing interrupt generation per each sent packet, so that buffers can be released with no delay. In fact setting threshold to '1' was wrong, because it causes interrupt every two packets. According to the documentation a reason behind it is following - interrupt occurs once sent buffers counter reaches a value, which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This behavior was confirmed during tests. Also when testing the SoC working as a NAS device, better performance was observed with int-per-packet, as it strongly depends on the fact that all transmitted packets are released immediately. This commit enables NETA controller work in interrupt per sent packet mode by setting coalescing threshold to 0. Signed-off-by:
Dmitri Epshtein <dima@marvell.com> Signed-off-by:
Marcin Wojtas <mw@semihalf.com> Cc: <stable@vger.kernel.org> # v3.10+ Fixes aebea2ba ("net: mvneta: fix Tx interrupt delay") Acked-by:
Willy Tarreau <w@1wt.eu> Signed-off-by:
-
- 06 Jul, 2016 6 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: 1) All users of AF_PACKET's fanout feature want a symmetric packet header hash for load balancing purposes, so give it to them. 2) Fix vlan state synchronization in e1000e, from Jarod Wilson. 3) Use correct socket pointer in ip_skb_dst_mtu(), from Shmulik Ladkani. 4) mlx5 bug fixes from Mohamad Haj Yahia, Daniel Jurgens, Matthew Finlay, Rana Shahout, and Shaker Daibes. Mostly to do with operation timeouts and PCI error handling. 5) Fix checksum handling in mirred packet action, from WANG Cong. 6) Set skb->dev correctly when transmitting in !protect_frames case of macsec driver, from Daniel Borkmann. 7) Fix MTU calculation in geneve driver, from Haishuang Yan. 8) Missing netif_napi_del() in unregister path of qeth driver, from Ursula Braun. 9) Handle malformed route netlink messages in decnet properly, from Vergard Nossum. 10) Memory leak of percpu data in ipv6 routing code, from Martin KaFai Lau. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits) ipv6: Fix mem leak in rt6i_pcpu net: fix decnet rtnexthop parsing cxgb4: update latest firmware version supported net/mlx5: Avoid setting unused var when modifying vport node GUID bonding: fix enslavement slave link notifications r8152: fix runtime function for RTL8152 qeth: delete napi struct when removing a qeth device Revert "fsl/fman: fix error handling" fsl/fman: fix error handling cdc_ncm: workaround for EM7455 "silent" data interface RDS: fix rds_tcp_init() error path geneve: fix max_mtu setting net: phy: dp83867: Fix initialization of PHYCR register enc28j60: Fix race condition in enc28j60 driver net: stmmac: Fix null-function call in ISR on stmmac1000 tipc: fix nl compat regression for link statistics net: bcmsysport: Device stats are unsigned long macsec: set actual real device for xmit when !protect_frames net_sched: fix mirrored packets checksum packet: Use symmetric hash for PACKET_FANOUT_HASH. ... -
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "Here are a collection of small fixes: at this time, we've got a slightly high amount, but all small and trivial fixes, and nothing scary can be seen there" * tag 'sound-4.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (21 commits) ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup ALSA: timer: Fix negative queue usage by racy accesses ASoC: rt5645: fix reg-2f default value. ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() ALSA: hda - Add PCI ID for Kabylake-H ALSA: echoaudio: Fix memory allocation ASoC: Intel: atom: fix missing breaks that would cause the wrong operation to execute ALSA: hda - fix read before array start ASoC: cx20442: set tty->receiver_room in v253_open ASoC: ak4613: Enable cache usage to fix crashes on resume ASoC: wm8940: Enable cache usage to fix crashes on resume ASoC: Intel: Skylake: Initialize module list for Broxton ASoC: wm5102: Correct supported channels on trace compressed DAI ASoC: wm5110: Add missing route from OUT3R to SYSCLK ASoC: rt5670: fix HP Playback Volume control ASoC: hdmi-codec: select CONFIG_HDMI ASoC: davinci-mcasp: Fix dra7 DMA offset when using CFG port ASoC: hdac_hdmi: Fix potential NULL dereference ASoC: ak4613: Remove owner assignment from platform_driver ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platformLinus Torvalds authored
Pull chrome platform fix from Olof Johansson: "A single fix this time, closing a window where ioctl args are fetched twice" * tag 'chrome-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/olof/chrome-platform: platform/chrome: cros_ec_dev - double fetch bug in ioctl
-
Sven Eckelmann authored
Speedy join only works when the received packet is either broadcast or an 4addr unicast packet. Thus packets converted from broadcast to unicast via the gateway handling code have to be converted to 4addr packets to allow the receiving gateway server to add the sender address as temporary entry to the translation table. Not doing it will make the batman-adv gateway server drop the DHCP response in many situations because it doesn't yet have the TT entry for the destination of the DHCP response. Fixes: 37135173 ("batman-adv: change interface_rx to get orig node") Signed-off-by:
Sven Eckelmann <sven@narfation.org> Acked-by:
Antonio Quartulli <a@unstable.cc> Signed-off-by:
Marek Lindner <mareklindner@neomailbox.ch> Signed-off-by:
Simon Wunderlich <sw@simonwunderlich.de>
-
Gregory Greenman authored
Handle the case when dev_alloc_skb returns NULL. Cc: stable@vger.kernel.org Fixes: 2b67f944 ("cfg80211: reuse existing page fragments in A-MSDU rx") Signed-off-by:
Gregory Greenman <gregory.greenman@intel.com> Signed-off-by:
Luca Coelho <luciano.coelho@intel.com> Signed-off-by:
Johannes Berg <johannes@sipsolutions.net>
-
Purushottam Kushwaha authored
No support for pbss results in a memory leak for the acl_data (if parse_acl_data succeeds). Fix this by moving the ACL parsing later. Cc: stable@vger.kernel.org Fixes: 34d50519 ("cfg80211: basic support for PBSS network type") Signed-off-by:
Purushottam Kushwaha <pkushwah@qti.qualcomm.com> Signed-off-by:
-
- 05 Jul, 2016 17 commits
-
-
Martin KaFai Lau authored
It was first reported and reproduced by Petr (thanks!) in https://bugzilla.kernel.org/show_bug.cgi?id=119581 free_percpu(rt->rt6i_pcpu) used to always happen in ip6_dst_destroy(). However, after fixing a deadlock bug in commit 9c7370a1 ("ipv6: Fix a potential deadlock when creating pcpu rt"), free_percpu() is not called before setting non_pcpu_rt->rt6i_pcpu to NULL. It is worth to note that rt6i_pcpu is protected by table->tb6_lock. kmemleak somehow did not report it. We nailed it down by observing the pcpu entries in /proc/vmallocinfo (first suggested by Hannes, thanks!). Signed-off-by:
Martin KaFai Lau <kafai@fb.com> Fixes: 9c7370a1 ("ipv6: Fix a potential deadlock when creating pcpu rt") Reported-by:
Petr Novopashenniy <pety@rusnet.ru> Tested-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: Petr Novopashenniy <pety@rusnet.ru> Signed-off-by:
-
Vegard Nossum authored
dn_fib_count_nhs() could enter an infinite loop if nhp->rtnh_len == 0 (i.e. if userspace passes a malformed netlink message). Let's use the helpers from net/nexthop.h which take care of all this stuff. We can do exactly the same as e.g. fib_count_nexthops() and fib_get_nhs() from net/ipv4/fib_semantics.c. This fixes the softlockup for me. Cc: Thomas Graf <tgraf@suug.ch> Signed-off-by:
Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by:
-
Dan Carpenter authored
We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure that those values have not changed between the two copy_from_user() calls. Otherwise it could lead to a buffer overflow. Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value. We should use the new smaller value so we don't copy too much data to the user. Reported-by:
Pengfei Wang <wpengfeinudt@gmail.com> Fixes: a8411784 ('mfd: cros_ec: Use a zero-length array for command data') Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Tested-by:
Gwendal Grignou <gwendal@chromium.org> Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by:
Olof Johansson <olof@lixom.net>
-
Ganesh Goudar authored
Change t4fw_version.h to update latest firmware version number Signed-off-by:
Ganesh Goudar <ganeshgr@chelsio.com> Signed-off-by:
-
Or Gerlitz authored
GCC complains on unused-but-set-variable, clean this up. Fixes: 23898c76 ('net/mlx5: E-Switch, Modify node guid on vf set MAC') Signed-off-by:
Or Gerlitz <ogerlitz@mellanox.com> Acked-by:
Saeed Mahameed <saeedm@mellanox.com> Signed-off-by:
-
Aviv Heller authored
Currently, link notifications are not sent by bond_set_slave_link_state() upon enslavement if the slave is enslaved when up. This happens because slave->link default init value is 0, which is the same as BOND_LINK_UP, resulting in bond_set_slave_link_state() ignoring this transition. This patch sets the default value of slave->link to BOND_LINK_NOCHANGE, assuring it will count as a state transition and thus trigger notification logic. Signed-off-by:
Aviv Heller <avivh@mellanox.com> Reviewed-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
hayeswang authored
The RTL8152 doesn't have U1U2 and U2P3 features, so use different runtime functions for RTL812 and RTL8153 by adding autosuspend_en() to rtl_ops. Signed-off-by:
-
Sven Eckelmann authored
The orig_ifinfo reference counter for last_bonding_candidate in batadv_orig_node has to be reduced when an originator node is released. Otherwise the orig_ifinfo is leaked and the reference counter the netdevice is not reduced correctly. Fixes: f3b3d901 ("batman-adv: add bonding again") Signed-off-by:
-
Sven Eckelmann authored
The replacement of last_bonding_candidate in batadv_orig_node has to be an atomic operation. Otherwise it is possible that the reference counter of a batadv_orig_ifinfo is reduced which was no longer the last_bonding_candidate when the new candidate is added. This can either lead to an invalid memory access or to reference leaks which make it impossible to an interface which was added to batman-adv. Fixes: f3b3d901 ("batman-adv: add bonding again") Signed-off-by:
-
Sven Eckelmann authored
The pointer batadv_bla_claim::backbone_gw can be changed at any time. Therefore, access to it must be protected to ensure that two function accessing the same backbone_gw are actually accessing the same. This is especially important when the crc_lock is used or when the backbone_gw of a claim is exchanged. Not doing so leads to invalid memory access and/or reference leaks. Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code") Fixes: 5a1dd8a4 ("batman-adv: lock crc access in bridge loop avoidance") Signed-off-by:
-
Sven Eckelmann authored
batadv_orig_node_new uses batadv_orig_node_vlan_new to allocate a new batadv_orig_node_vlan and add it to batadv_orig_node::vlan_list. References to this list have also to be cleaned when the batadv_orig_node is removed. Fixes: 7ea7b4a1 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by:
-
Sven Eckelmann authored
vlan_insert_tag can return NULL on errors. The distributed arp table code therefore has to check the return value of vlan_insert_tag for NULL before it can safely operate on this pointer. Fixes: be1db4f6 ("batman-adv: make the Distributed ARP Table vlan aware") Signed-off-by:
-
Sven Eckelmann authored
vlan_insert_tag can return NULL on errors. The bridge loop avoidance code therefore has to check the return value of vlan_insert_tag for NULL before it can safely operate on this pointer. Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by:
-
Torsten Hilbrich authored
This solves the issue that a headphone is not working on the docking unit. Signed-off-by:
Torsten Hilbrich <torsten.hilbrich@secunet.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de>
-
Ursula Braun authored
A qeth_card contains a napi_struct linked to the net_device during device probing. This struct must be deleted when removing the qeth device, otherwise Panic on oops can occur when qeth devices are repeatedly removed and added. Fixes: a1c3ed4c ("qeth: NAPI support for l2 and l3 discipline") Cc: stable@vger.kernel.org # v2.6.37+ Signed-off-by:
Ursula Braun <ubraun@linux.vnet.ibm.com> Tested-by:
Alexander Klein <ALKL@de.ibm.com> Signed-off-by:
-
David S. Miller authored
This reverts commit a788a4a0. This patch is wrong, the type returned doesn't fit what the error pointer macros expect. Signed-off-by:
-
Christophe Jaillet authored
This is likely that checking 'fman->fifo_offset' instead of 'fman->cam_offset' is expected here. Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by:
-
- 04 Jul, 2016 3 commits
-
-
Bjørn Mork authored
Several Lenovo users have reported problems with their Sierra Wireless EM7455 modem. The driver has loaded successfully and the MBIM management channel has appeared to work, including establishing a connection to the mobile network. But no frames have been received over the data interface. The problem affects all EM7455 and MC7455, and is assumed to affect other modems based on the same Qualcomm chipset and baseband firmware. Testing narrowed the problem down to what seems to be a firmware timing bug during initialization. Adding a short sleep while probing is sufficient to make the problem disappear. Experiments have shown that 1-2 ms is too little to have any effect, while 10-20 ms is enough to reliably succeed. Reported-by:
Stefan Armbruster <ml001@armbruster-it.de> Reported-by:
Ralph Plawetzki <ralph@purejava.org> Reported-by:
Andreas Fett <andreas.fett@secunet.com> Reported-by:
Rasmus Lerdorf <rasmus@lerdorf.com> Reported-by:
Samo Ratnik <samo.ratnik@gmail.com> Reported-and-tested-by:
Aleksander Morgado <aleksander@aleksander.es> Signed-off-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Vegard Nossum authored
If register_pernet_subsys() fails, we shouldn't try to call unregister_pernet_subsys(). Fixes: 467fa153 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.") Cc: stable@vger.kernel.org Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com> Cc: David S. Miller <davem@davemloft.net> Signed-off-by:
Sowmini Varadhan <sowmini.varadhan@oracle.com> Acked-by:
Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by:
-
Haishuang Yan authored
For ipv6+udp+geneve encapsulation data, the max_mtu should subtract sizeof(ipv6hdr), instead of sizeof(iphdr). Signed-off-by:
Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Signed-off-by:
-
