- 25 Aug, 2014 3 commits
-
-
Himangi Saraogi authored
Rewrite a duplicated test to test the correct value The Coccinelle semantic patch that finds this problem is: // <smpl> @@ expression E; @@ ( * E || ... || E | * E && ... && E ) // </smpl> Signed-off-by: Himangi Saraogi <himangi774@gmail.com> Acked-by: Larry.Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Álvaro Fernández Rojas authored
14e4:4351 is found on a Broadcom BCM43222. Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 22 Aug, 2014 23 commits
-
-
Michal Kazior authored
The new_ctx pointer is set only for non-chanctx drivers. This yielded a crash for chanctx-based drivers during channel switch finalization: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: ieee80211_vif_use_reserved_switch+0x71c/0xb00 [mac80211] Use an adequate chanctx pointer to fix this. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: "Here are some bug fixes that have piled up during ksummit/linuxcon. 1) Fix endian problems in ibmveth, from Anton Blanchard. 2) IPV6 routing code does GFP_KERNEL allocation in atomic, fix from Benjamin Block. 3) SCTP association fixes from Daniel Borkmann. 4) When multiple VLAN headers are present we have to make sure the second and subsequent ones are pullable in the SKB otherwise we blindly dereference garbage. From Jiri Benc. 5) The argument adjustment of the signature of hlist_add_after*() introduced a regression in the batman-adv code, fix from Sven Eckelmann. 6) Fix TX hang handling to avoid a panic in i40e, from Anjali Singhai Jain. 7) PTP flag test is inverted in i40e driver, from Jesse Brandeburg. 8) ATM LEC driver needs to hold RTNL mutex over MTU changes, from Chas Williams. 9) Truncate packets larger then the TPACKET_V3 format configured buffers, otherwise we overwrite past the end of said buffers. From Eric Dumazet. 10) Fix endianness bugs in qlcnic firmware handling, from Rajesh Borundia and Shahed Shaikh. 11) CXGB4 sometimes doesn't get all of the TX completion events it should resulting in SKBs getting stuck in the TX queue, from Hariprasad Shenai. 12) When the FEC chip's PTP clock is disabled, you can't access the register. Add necessary checks to avoid the resulting hang, from Fugang Duan" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (37 commits) drivers: isdn: eicon: xdi_msg.h: Fix typo in #ifndef net: sctp: fix suboptimal edge-case on non-active active/retrans path selection net: sctp: spare unnecessary comparison in sctp_trans_elect_best net: ethernet: broadcom: bnx2x: Remove redundant #ifdef ibmveth: Fix endian issues with rx_no_buffer statistic net: xgene: fix possible NULL dereference in xgene_enet_free_desc_rings() openvswitch: fix panic with multiple vlan headers net: ipv6: fib: don't sleep inside atomic lock net: fec: ptp: avoid register access when ipg clock is disabled cxgb4: Free completed tx skbs promptly cxgb4: Fix race condition in cleanup sctp: not send SCTP_PEER_ADDR_CHANGE notifications with failed probe bnx2x: Revert UNDI flushing mechanism qlcnic: Fix endianess issue in firmware load from file operation qlcnic: Fix endianess issue in FW dump template header qlcnic: Fix flash access interface to application MAINTAINERS: Add section for MRF24J40 IEEE 802.15.4 radio driver macvlan: Allow setting multicast filter on all macvlan types packet: handle too big packets for PACKET_V3 MAINTAINERS: add entry for ec_bhf driver ...
-
Rasmus Villemoes authored
Test for definedness of the macro which is actually defined (the change is hard to see: it is s/SSS/SSA/). Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Daniel Borkmann authored
In SCTP, selection of active (T.ACT) and retransmission (T.RET) transports is being done whenever transport control operations (UP, DOWN, PF, ...) are engaged through sctp_assoc_control_transport(). Commits 4c47af4d ("net: sctp: rework multihoming retransmission path selection to rfc4960") and a7288c4d ("net: sctp: improve sctp_select_active_and_retran_path selection") have both improved it towards a more fine-grained and optimal path selection. Currently, the selection algorithm for T.ACT and T.RET is as follows: 1) Elect the two most recently used ACTIVE transports T1, T2 for T.ACT, T.RET, where T.ACT<-T1 and T1 is most recently used 2) In case primary path T.PRI not in {T1, T2} but ACTIVE, set T.ACT<-T.PRI and T.RET<-T1 3) If only T1 is ACTIVE from the set, set T.ACT<-T1 and T.RET<-T1 4) If none is ACTIVE, set T.ACT<-best(T.PRI, T.RET, T3) where T3 is the most recently used (if avail) in PF, set T.RET<-T.PRI Prior to above commits, 4) was simply a camp on T.ACT<-T.PRI and T.RET<-T.PRI, ignoring possible paths in PF. Camping on T.PRI is still slightly suboptimal as it can lead to the following scenario: Setup: <A> <B> T1: p1p1 (10.0.10.10) <==> .'`) <==> p1p1 (10.0.10.12) <= T.PRI T2: p1p2 (10.0.10.20) <==> (_ . ) <==> p1p2 (10.0.10.22) net.sctp.rto_min = 1000 net.sctp.path_max_retrans = 2 net.sctp.pf_retrans = 0 net.sctp.hb_interval = 1000 T.PRI is permanently down, T2 is put briefly into PF state (e.g. due to link flapping). Here, the first time transmission is sent over PF path T2 as it's the only non-INACTIVE path, but the retransmitted data-chunks are sent over the INACTIVE path T1 (T.PRI), which is not good. After the patch, it's choosing better transports in both cases by modifying step 4): 4) If none is ACTIVE, set T.ACT_new<-best(T.ACT_old, T3) where T3 is the most recently used (if avail) in PF, set T.RET<-T.ACT_new This will still select a best possible path in PF if available (which can also include T.PRI/T.RET), and set both T.ACT/T.RET to it. In case sctp_assoc_control_transport() *just* put T.ACT_old into INACTIVE as it transitioned from ACTIVE->PF->INACTIVE and stays in INACTIVE just for a very short while before going back ACTIVE, it will guarantee that this path will be reselected for T.ACT/T.RET since T3 (PF) is not available. Previously, this was not possible, as we would only select between T.PRI and T.RET, and a possible T3 would be NULL due to the fact that we have just transitioned T3 in sctp_assoc_control_transport() from PF->INACTIVE and would select a suboptimal path when T.PRI/T.RET have worse properties. In the case that T.ACT_old permanently went to INACTIVE during this transition and there's no PF path available, plus T.PRI and T.RET are INACTIVE as well, we would now camp on T.ACT_old, but if everything is being INACTIVE there's really not much we can do except hoping for a successful HB to bring one of the transports back up again and, thus cause a new selection through sctp_assoc_control_transport(). Now both tests work fine: Case 1: 1. T1 S(ACTIVE) T.ACT T2 S(ACTIVE) T.RET 2. T1 S(ACTIVE) T.ACT, T.RET T2 S(PF) 3. T1 S(ACTIVE) T.ACT, T.RET T2 S(INACTIVE) 5. T1 S(PF) T.ACT, T.RET T2 S(INACTIVE) [ 5.1 T1 S(INACTIVE) T.ACT, T.RET T2 S(INACTIVE) ] 6. T1 S(ACTIVE) T.ACT, T.RET T2 S(INACTIVE) 7. T1 S(ACTIVE) T.ACT T2 S(ACTIVE) T.RET Case 2: 1. T1 S(ACTIVE) T.ACT T2 S(ACTIVE) T.RET 2. T1 S(PF) T2 S(ACTIVE) T.ACT, T.RET 3. T1 S(INACTIVE) T2 S(ACTIVE) T.ACT, T.RET 5. T1 S(INACTIVE) T2 S(PF) T.ACT, T.RET [ 5.1 T1 S(INACTIVE) T2 S(INACTIVE) T.ACT, T.RET ] 6. T1 S(INACTIVE) T2 S(ACTIVE) T.ACT, T.RET 7. T1 S(ACTIVE) T.ACT T2 S(ACTIVE) T.RET Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Daniel Borkmann authored
When both transports are the same, we don't have to go down that road only to realize that we will return the very same transport. We are guaranteed that curr is always non-NULL. Therefore, just short-circuit this special case. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Rasmus Villemoes authored
Nothing defines _ASM_GENERIC_INT_L64_H, it is a weird way to check for 64 bit longs, and u64 should be printed using %llx anyway. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Anton Blanchard authored
Hidden away in the last 8 bytes of the buffer_list page is a solitary statistic. It needs to be byte swapped or else ethtool -S will produce numbers that terrify the user. Since we do this in multiple places, create a helper function with a comment explaining what is going on. Signed-off-by: Anton Blanchard <anton@samba.org> Cc: stable@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
-
Iyappan Subramanian authored
A NULL pointer dereference is possible for the argument ring->buf_pool which is passed to xgene_enet_free_desc_ring(), as ring could be NULL. And now since NULL pointers are being checked for before the calls to xgene_enet_free_desc_ring(), might as well take advantage of them and not call the function if the argument would be NULL. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jiri Benc authored
When there are multiple vlan headers present in a received frame, the first one is put into vlan_tci and protocol is set to ETH_P_8021Q. Anything in the skb beyond the VLAN TPID may be still non-linear, including the inner TCI and ethertype. While ovs_flow_extract takes care of IP and IPv6 headers, it does nothing with ETH_P_8021Q. Later, if OVS_ACTION_ATTR_POP_VLAN is executed, __pop_vlan_tci pulls the next vlan header into vlan_tci. This leads to two things: 1. Part of the resulting ethernet header is in the non-linear part of the skb. When eth_type_trans is called later as the result of OVS_ACTION_ATTR_OUTPUT, kernel BUGs in __skb_pull. Also, __pop_vlan_tci is in fact accessing random data when it reads past the TPID. 2. network_header points into the ethernet header instead of behind it. mac_len is set to a wrong value (10), too. Reported-by: Yulong Pei <ypei@redhat.com> Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Benjamin Block authored
The function fib6_commit_metrics() allocates a piece of memory in mode GFP_KERNEL while holding an atomic lock from higher up in the stack, in the function __ip6_ins_rt(). This produces the following BUG: > BUG: sleeping function called from invalid context at mm/slub.c:1250 > in_atomic(): 1, irqs_disabled(): 0, pid: 2909, name: dhcpcd > 2 locks held by dhcpcd/2909: > #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81978e67>] rtnl_lock+0x17/0x20 > #1: (&tb->tb6_lock){++--+.}, at: [<ffffffff81a6951a>] ip6_route_add+0x65a/0x800 > CPU: 1 PID: 2909 Comm: dhcpcd Not tainted 3.17.0-rc1 #1 > Hardware name: ASUS All Series/Q87T, BIOS 0216 10/16/2013 > 0000000000000008 ffff8800c8f13858 ffffffff81af135a 0000000000000000 > ffff880212202430 ffff8800c8f13878 ffffffff810f8d3a ffff880212202c98 > 0000000000000010 ffff8800c8f138c8 ffffffff8121ad0e 0000000000000001 > Call Trace: > [<ffffffff81af135a>] dump_stack+0x4e/0x68 > [<ffffffff810f8d3a>] __might_sleep+0x10a/0x120 > [<ffffffff8121ad0e>] kmem_cache_alloc_trace+0x4e/0x190 > [<ffffffff81a6bcd6>] ? fib6_commit_metrics+0x66/0x110 > [<ffffffff81a6bcd6>] fib6_commit_metrics+0x66/0x110 > [<ffffffff81a6cbf3>] fib6_add+0x883/0xa80 > [<ffffffff81a6951a>] ? ip6_route_add+0x65a/0x800 > [<ffffffff81a69535>] ip6_route_add+0x675/0x800 > [<ffffffff81a68f2a>] ? ip6_route_add+0x6a/0x800 > [<ffffffff81a6990c>] inet6_rtm_newroute+0x5c/0x80 > [<ffffffff8197cf01>] rtnetlink_rcv_msg+0x211/0x260 > [<ffffffff81978e67>] ? rtnl_lock+0x17/0x20 > [<ffffffff81119708>] ? lock_release_holdtime+0x28/0x180 > [<ffffffff81978e67>] ? rtnl_lock+0x17/0x20 > [<ffffffff8197ccf0>] ? __rtnl_unlock+0x20/0x20 > [<ffffffff819a989e>] netlink_rcv_skb+0x6e/0xd0 > [<ffffffff81978ee5>] rtnetlink_rcv+0x25/0x40 > [<ffffffff819a8e59>] netlink_unicast+0xd9/0x180 > [<ffffffff819a9600>] netlink_sendmsg+0x700/0x770 > [<ffffffff81103735>] ? local_clock+0x25/0x30 > [<ffffffff8194e83c>] sock_sendmsg+0x6c/0x90 > [<ffffffff811f98e3>] ? might_fault+0xa3/0xb0 > [<ffffffff8195ca6d>] ? verify_iovec+0x7d/0xf0 > [<ffffffff8194ec3e>] ___sys_sendmsg+0x37e/0x3b0 > [<ffffffff8111ef15>] ? trace_hardirqs_on_caller+0x185/0x220 > [<ffffffff81af979e>] ? mutex_unlock+0xe/0x10 > [<ffffffff819a55ec>] ? netlink_insert+0xbc/0xe0 > [<ffffffff819a65e5>] ? netlink_autobind.isra.30+0x125/0x150 > [<ffffffff819a6520>] ? netlink_autobind.isra.30+0x60/0x150 > [<ffffffff819a84f9>] ? netlink_bind+0x159/0x230 > [<ffffffff811f989a>] ? might_fault+0x5a/0xb0 > [<ffffffff8194f25e>] ? SYSC_bind+0x7e/0xd0 > [<ffffffff8194f8cd>] __sys_sendmsg+0x4d/0x80 > [<ffffffff8194f912>] SyS_sendmsg+0x12/0x20 > [<ffffffff81afc692>] system_call_fastpath+0x16/0x1b Fixing this by replacing the mode GFP_KERNEL with GFP_ATOMIC. Signed-off-by: Benjamin Block <bebl@mageta.org> Acked-by: David Rientjes <rientjes@google.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Nimrod Andy authored
The current kernel hang on i.MX6SX with rootfs mount from MMC. The root cause is that ptp uses a periodic timer to access enet register even if ipg clock is disabled. FEC ptp driver start one period timer to read 1588 counter register in the ptp init function that is called after FEC driver is probed. To save power, after FEC probe finish, FEC driver disable all clocks including ipg clock that is needed for register access. i.MX5x, i.MX6q/dl/sl FEC register access don't cause system hang when ipg clock is disabled, just return zero value. But for i.MX6sx SOC, it cause system hang. To avoid the issue, we need to check ptp clock status before ptp timer count access. Signed-off-by: Fugang Duan <B38611@freescale.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds authored
Pull arm64 fixes from Will Deacon: "This small set of fixes addresses a few issues introduced during the merge window, including: - fix typo in I-cache detection that was causing us to treat all I-caches as aliasing - hook up memfd_create and getrandom syscalls for native and compat - revert a temporary hack for defconfig builds in -next (the audit tree changes didn't make it in this merge window) - a couple of UEFI fixes for TEXT_OFFSET fuzzing and /memreserve/ - a simple sparsemem fix for 48-bit physical addressing - small defconfig updates to get autotesters working with X-gene" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: Revert "arm64: Do not invoke audit_syscall_* functions if !CONFIG_AUDIT_SYSCALL" arm64: mm: update max pa bits to 48 arm64: ignore DT memreserve entries when booting in UEFI mode arm64: configs: Enable X-Gene SATA and ethernet in defconfig arm64: align randomized TEXT_OFFSET on 4 kB boundary asm-generic: add memfd_create system call to unistd.h arm64: compat: wire up memfd_create and getrandom syscalls for aarch32 arm64: fix typo in I-cache policy detection
-
git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommuLinus Torvalds authored
Pull IOMMU fixes from Joerg Roedel: "The fixes include: - fix a crash in the VT-d driver when devices with a driver attached are hot-unplugged - fix a AMD IOMMU driver crash with device assignment of 32 bit PCI devices to KVM guests - fix for a copy&paste error in generic IOMMU code. Now the right function pointer is checked before calling" * tag 'iommu-fixes-v3.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/core: Check for the right function pointer in iommu_map() iommu/amd: Fix cleanup_domain for mass device removal iommu/vt-d: Defer domain removal if device is assigned to a driver
-
Hariprasad Shenai authored
Description of problem: The NIC card is not reporting back to the driver the transmitted skbs, so they get stuck in the TX ring causing issues with reference counters in other kernel components. Developed a new Automatic Egress Queue Update firmware facility to slowly tick through Egress Queues and send back any outstanding CIDX Updates which are laying around. Based on original work by Casey Leedom <leedom@chelsio.com> Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://gitorious.org/linux-can/linux-canDavid S. Miller authored
Marc Kleine-Budde says: ==================== pull-request: can 2014-08-21 The first patch is from Mirza Krak, it fixes the initialization of the hardware in the sja1000 driver. The next patch is contributed by Dan Carpenter, it fixes the error handling in the c_can's probe function. Then there are two patches for the flexcan driver, one by Alexander Stein, which fixes the resetting of the bus error interrupt mask, the other one by Sebastian Andrzej Siewior which adds an additional error state transition message. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Anish Bhatt authored
There is a possible race condition when we unregister the PCI Driver and then flush/destroy the global "workq". This could lead to situations where there are tasks on the Work Queue with references to now deleted adapter data structures. Instead, have per-adapter Work Queues which were instantiated and torn down in init_one() and remove_one(), respectively. v2: Remove unnecessary call to flush_workqueue() before destroy_workqueue() Signed-off-by: Anish Bhatt <anish@chelsio.com> Signed-off-by: Casey Leedom <leedom@chelsio.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
zhuyj authored
Since the transport has always been in state SCTP_UNCONFIRMED, it therefore wasn't active before and hasn't been used before, and it always has been, so it is unnecessary to bug the user with a notification. Reported-by: Deepak Khandelwal <khandelwal.deepak.1987@gmail.com> Suggested-by: Vlad Yasevich <vyasevich@gmail.com> Suggested-by: Michael Tuexen <tuexen@fh-muenster.de> Suggested-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Zhu Yanjun <Yanjun.Zhu@windriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yuval Mintz authored
Commit 91ebb929 ("bnx2x: Add support for Multi-Function UNDI") [which was later supposedly fixed by de682941 ("bnx2x: Fix UNDI driver unload")] introduced a bug in which in some [yet-to-be-determined] scenarios the alternative flushing mechanism which was to guarantee the Rx buffers are empty before resetting them during device probe will fail. If this happens, when device will be loaded once more a fatal attention will occur; Since this most likely happens in boot from SAN scenarios, the machine will fail to load. Notice this may occur not only in the 'Multi-Function' scenario but in the regular scenario as well, i.e., this introduced a regression in the driver's ability to perform boot from SAN. The patch reverts the mechanism and applies the old scheme to multi-function devices as well as to single-function devices. Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by: Ariel Elior <Ariel.Elior@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Shahed Shaikh says: ==================== qlcnic: Bug fixes This series fixes some bugs related to endianess. Please apply this series to net. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shahed Shaikh authored
Firmware binary file is in little endian. On big-endian architecture, while writing this binary FW file to adapters memory, writel() swaps the data resulting into corruption of FW image. So, swap the data before writing into adapters memory. Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Rajesh Borundia authored
Firmware dump template header is read from adapter using readl() which swaps the data. So, adjust structure element on the boundary of 32bit dword. Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com> Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jitendra Kalsaria authored
Application expects flash data in little endian, but driver reads/writes flash data using readl()/writel() APIs which swaps data on big endian machine. So, swap the data after reading from and before writing to flash memory. Signed-off-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alan Ott authored
Alan is the original author of the driver. This change was discussed with the 802.15.4 subsystem maintainer, Alexander Aring. Signed-off-by: Alan Ott <alan@signal11.us> Acked-by: Alexander Aring <alex.aring@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 21 Aug, 2014 14 commits
-
-
Vlad Yasevich authored
Currently, macvlan code restricts multicast and unicast filter setting only to passthru devices. As a result, if a guest using macvtap wants to receive multicast traffic, it has to set IFF_ALLMULTI or IFF_PROMISC. This patch makes it possible to use the fdb interface to add multicast addresses to the filter thus allowing a guest to receive only targeted multicast traffic. CC: John Fastabend <john.r.fastabend@intel.com> CC: Michael S. Tsirkin <mst@redhat.com> CC: Jason Wang <jasowang@redhat.com> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Acked-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
af_packet can currently overwrite kernel memory by out of bound accesses, because it assumed a [new] block can always hold one frame. This is not generally the case, even if most existing tools do it right. This patch clamps too long frames as API permits, and issue a one time error on syslog. [ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82 In this example, packet header tp_snaplen was set to 3966, and tp_len was set to 5042 (skb->len) Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.") Acked-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dariusz Marcinkiewicz authored
Added entry for ec_bhf driver. Signed-off-by: Dariusz Marcinkiewicz <reksio@newterm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
chas williams - CONTRACTOR authored
The LECS response contains the MTU that should be used. Correctly synchronize with other layers when updating. Signed-off-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tj/libataLinus Torvalds authored
Pull libata fixes from Tejun Heo: "Nothing drastic but pushing out early due to build breakage in the new tegra platform. Additionally: - M550 tagged trim blacklist pattern is widened so that it matches the new 1TB model - three controller specific fixes" * 'for-3.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: libata: widen Crucial M550 blacklist matching pata_scc: propagate return value of scc_wait_after_reset ata: ahci_tegra: Change include to fix compilation pata_samsung_cf: change ret type to signed ahci_xgene: Removing NCQ support from the APM X-Gene SoC AHCI SATA Host Controller driver.
-
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hidLinus Torvalds authored
Pull HID fixes from Jiri Kosina: - fixes for a couple potential memory corruption problems (the HW would have to be manufactured to be deliberately evil to trigger those) found by Ben Hawkes - fix for potential infinite loop when using sysfs interface of logitech driver, from Simon Wood - a couple more simple driver fixes * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: fix a couple of off-by-ones HID: logitech: perform bounds checking on device_id early enough HID: logitech: fix bounds checking on LED report size HID: logitech: Prevent possibility of infinite loop when using /sys interface HID: rmi: print an error if F11 is not found instead of stopping the device HID: hid-sensor-hub: use devm_ functions consistently HID: huion: Use allocated buffer for DMA HID: huion: Fail on parameter retrieval errors
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "A bunch of ASoC fixes with a few HD-audio fixes in this pull request. All fairly small, boring and device-specific fixes, in addition to MAINTAINERS update for better reviewing" * tag 'sound-3.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/hdmi - apply Valleyview fix-ups to Cherryview display codec ALSA: hda/hdmi - set depop_delay for haswell plus ALSA: hda - restore the gpio led after resume ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE ASoC: fsl-esai: Revert .xlate_tdm_slot_mask() support ASoC: mcasp: Fix implicit BLCK divider setting ASoC: arizona: Fix TDM slot length handling in arizona_hw_params ASoC: pcm512x: Correct Digital Playback control names ASoC: dapm: Fix uninitialized variable in snd_soc_dapm_get_enum_double() ASoC: Intel: Restore Baytrail ADSP streams only when ADSP was in reset ASoC: Intel: Wait Baytrail ADSP boot at resume_early stage ASoC: Intel: Merge Baytrail ADSP suspend_noirq into suspend_late MAINTAINERS: Add i.MX maintainers and paths to Freescale ASoC entry ASoC: Intel: Update Baytrail ADSP firmware name
-
git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linuxLinus Torvalds authored
Pull i2c fixes from Wolfram Sang: "Here is the fixup for the 'lowlight' of my last pull request. I2C is not selected anymore by I2C_ACPI. Instead, the code in question now depends on I2C=y. Also, Mika has agreed to support me and be the maintainer for I2C-ACPI related patches. Finally, a new-ID-patch came along last week" * 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: add maintainer for ACPI parts of I2C i2c: i801: Add PCI ID for Intel Braswell i2c: rework kernel config I2C_ACPI
-
git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linuxLinus Torvalds authored
Pull ia64 update from Tony Luck: "Add memfd_create syscall to ia64" * tag 'please-pull-memfd_create' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux: [IA64] Wire up memfd_create() system call
-
git://git.monstr.eu/linux-2.6-microblazeLinus Torvalds authored
Pull microblaze update from Michal Simek: "Wire-up seccomp/getrandom/memfd_create syscalls" * tag 'microblaze-3.17-rc2' of git://git.monstr.eu/linux-2.6-microblaze: microblaze: Wire-up memfd_create syscall microblaze: Wire-up getrandom syscall microblaze: Wire-up seccomp syscall
-
Jiri Kosina authored
There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those. Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-
Jiri Kosina authored
device_index is a char type and the size of paired_dj_deivces is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used. We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event(). Fix this by performing the check at the earliest possible ocasion in logi_dj_raw_event(). Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-
Jiri Kosina authored
The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request() is wrong; the current check doesn't make any sense -- the report allocated by HID core in hid_hw_raw_request() can be much larger than DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't handle this properly at all. Fix the check by actually trimming down the report size properly if it is too large. Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-
Sebastian Andrzej Siewior authored
Once the CAN-bus is open and a packet is sent, the controller switches into the PASSIVE state. Once the BUS is closed again it goes the back err-warning. The TX error counter goes 0 -> 0x80 -> 0x7f. This patch makes sure that the user learns about this state chang (CAN_STATE_ERROR_WARNING => CAN_STATE_ERROR_PASSIVE) Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Matthias Klein <matthias.klein@optimeas.de> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-