03 Mar, 2011
1 commit
02 Mar, 2011
4 commits
-
Like many other places, we have to check that the array index is
within allowed limits, or otherwise, a kernel oops and other nastiness
can ensue when we access memory beyond the end of the array.[ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000
[ 5954.120014] IP: __find_logger+0x6f/0xa0
[ 5954.123979] nf_log_bind_pf+0x2b/0x70
[ 5954.123979] nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log]
[ 5954.123979] nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink]
...The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind
was decoupled from nf_log_register.Reported-by: Miguel Di Ciurcio Filho ,
via irc.freenode.net/#netfilter
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[] (unwind_backtrace+0x0/0xec) from [] (warn_slowpath_common)
[] (warn_slowpath_common+0x4c/0x64) from [] (warn_slowpath_n)
[] (warn_slowpath_null+0x1c/0x24) from [] (__inet_twsk_hashd)
[] (__inet_twsk_hashdance+0x48/0x128) from [] (dccp_time_wai)
[] (dccp_time_wait+0x40/0xc8) from [] (dccp_rcv_state_proces)
[] (dccp_rcv_state_process+0x120/0x538) from [] (dccp_v4_do_)
[] (dccp_v4_do_rcv+0x11c/0x14c) from [] (release_sock+0xac/0)
[] (release_sock+0xac/0x110) from [] (dccp_close+0x28c/0x380)
[] (dccp_close+0x28c/0x380) from [] (inet_release+0x64/0x70)The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.Reported-and-tested-by: Johan Hovold
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker
Signed-off-by: David S. Miller -
Fix dst_lock usage in __ip_vs_update_dest. We need
_bh locking because destination is updated in user context.
Can cause lockups on frequent destination updates.
Problem reported by Simon Kirby. Bug was introduced
in 2.6.37 from the "ipvs: changes for local real server"
change.Signed-off-by: Julian Anastasov
Signed-off-by: Hans Schillstrom
Signed-off-by: Simon Horman
01 Mar, 2011
20 commits
-
This patch adds an additional check in the Davinci EMAC RX Handler,
which tests the __LINK_STATE_NOCARRIER flag along with the
__LINK_STATE_START flag as part EMAC shutting down procedure.This avoids
WARNING: at drivers/net/davinci_emac.c:1040 emac_rx_handler+0xf8/0x120()
during rtcwake used to suspend the target for a specified duration.Signed-off-by: Hegde, Vinay
Acked-by: Cyril Chemparathy
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Fix FW initialization according to max BW stored in percents
for NPAR mode. Protect HW from being configured to speed 0.Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller -
Currently nla_policy_len always returns n * NLA_HDRLEN:
It loops, but does not advance it's iterator.
NLA_UNSPEC == 0 does not contain a .len in any policy.Trivially fixed by adding p++.
Signed-off-by: Lars Ellenberg
Signed-off-by: David S. Miller -
This is similar to what we already do in cdc-phonet.c in the same
situation. pskb_pull() refuses to work with HIGHMEM, even if it is
known that the socket buffer is entirely in "low" memory.Signed-off-by: Rémi Denis-Courmont
Signed-off-by: David S. Miller -
The platform_device_id table is supposed to be zero-terminated.
Signed-off-by: Axel Lin
Signed-off-by: David S. Miller -
Clean up entries in 00-INDEX: drop files that have been removed.
Reported-by: Rob Landley
Signed-off-by: Randy Dunlap
Acked-by: Rob Landley
Signed-off-by: David S. Miller -
platform_set_drvdata() was used with argument of incorrect type and
could cause memory corruption. Moreover, because of not setting drvdata
in the correct place not all resources were freed upon module unload.Signed-off-by: Ilya Yanok
Signed-off-by: David S. Miller -
Commit 71d6429 (Driver core: convert platform_{get,set}_drvdata to
static inline functions) now triggers a warning in the macb network
driver:CC drivers/net/macb.o
drivers/net/macb.c: In function ‘macb_mii_init’:
drivers/net/macb.c:263: warning: passing argument 1 of ‘platform_set_drvdata’ from incompatible pointer type
include/linux/platform_device.h:138: note: expected ‘struct platform_device *’ but argument is of type ‘struct net_device *’Use dev_set_drvdata() on the device embedded in the net_device instead.
Cc: Nicolas Ferre
Signed-off-by: Jamie Iles
Signed-off-by: David S. Miller -
netlink_dump() may failed, but nobody handle its error.
It generates output data, when a previous portion has been returned to
user space. This mechanism works when all data isn't go in skb. If we
enter in netlink_recvmsg() and skb is absent in the recv queue, the
netlink_dump() will not been executed. So if netlink_dump() is failed
one time, the new data never appear and the reader will sleep forever.netlink_dump() is called from two places:
1. from netlink_sendmsg->...->netlink_dump_start().
In this place we can report error directly and it will be returned
by sendmsg().2. from netlink_recvmsg
There we can't report error directly, because we have a portion of
valid output data and call netlink_dump() for prepare the next portion.
If netlink_dump() is failed, the socket will be mark as error and the
next recvmsg will be failed.Signed-off-by: Andrey Vagin
Signed-off-by: David S. Miller -
I just found that the controller hardware name is not set for the Softing
driver. After this patch, "$ ip -d link show" looks nicer.Signed-off-by: Kurt Van Dijck
Acked-by: Marc Kleine-Budde
Signed-off-by: David S. Miller -
The below patch changes a typo "pice" to "piece"
Signed-off-by: Justin P. Mattock
Signed-off-by: David S. Miller -
fmvj18x_cs:add new id
Toshiba lan&modem multifuction card (model name:IPC5010A)Signed-off-by: Ken Kawasaki
Signed-off-by: David S. Miller -
Reported-by: Mark Davis
Cc:
Signed-off-by: Christian Lamparter
Signed-off-by: John W. Linville -
The stream length/tag fields have to be in little endian
format. Fixing this makes the driver work on big-endian
platforms.Cc: stable@kernel.org
Tested-by: raghunathan.kailasanathan@wipro.com
Signed-off-by: Sujith Manoharan
Signed-off-by: John W. Linville
28 Feb, 2011
1 commit
-
Signed-off-by: Vladislav Zolotarov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller
27 Feb, 2011
1 commit
-
Today was as good as any other day, but I felt I had to do things I love
to when paying hommage to somebody I love, so please apply this one,
something he would be proud of, even if so geekly.Way past it was/is deserved.
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
26 Feb, 2011
6 commits
-
addr_type of 0 means that the type should be adopted from from_dev and
not from __hw_addr_del_multiple(). Unfortunately it isn't so and
addr_type will always be considered. Fix this by implementing the
considered and documented behavior.Signed-off-by: Hagen Paul Pfeifer
Signed-off-by: David S. Miller -
BCM4320a breaks when enabling power save (bug 29732). So disable power save
for anything but BCM4320b that is known to work.Signed-off-by: Jussi Kivilinna
Signed-off-by: John W. Linville -
"AirLive X.USB now works perfectly under a Linux
environment!"Cc:
Signed-off-by: Christian Lamparter
Signed-off-by: John W. Linville -
Commit 4df3071ebd92ef7115b409da64d0eb405d24a631 "ath9k_hw: optimize
interrupt mask changes", changed ath9k_hw_set_interrupts function to
enable interrupts regardless of function argument, what could possibly
be wrong. Correct that behaviour and check "ints" arguments before
enabling interrupts, also disable interrupts if ints do not have
ATH9K_INT_GLOBAL flag set.Signed-off-by: Stanislaw Gruszka
Signed-off-by: John W. Linville -
Before this patch issuing these commands:
fd = open("/proc/sys/net/ipv6/route/flush")
unshare(CLONE_NEWNET)
write(fd, "stuff")would flush the newly created net, not the original one.
The equivalent ipv4 code is correct (stores the net inside ->extra1).
Acked-by: Daniel LezcanoSigned-off-by: David S. Miller
25 Feb, 2011
1 commit
-
The API for network devices has changed so that setting carrier off at
probe is no longer required. This should fix the IPv6 addrconf issue.Addresses https://bugzilla.kernel.org/show_bug.cgi?id=29612
Signed-off-by: Stephen Hemminger
Reported-by: George Billios
Cc: David Miller
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
24 Feb, 2011
6 commits
-
The device is very similar to (0x0fe6, 0x8101),
And works well with dm9601 driver.Signed-off-by: Shahar Havivi
Acked-by: Peter Korsgaard
Signed-off-by: David S. Miller -
- fix the RTL8111DP turn off the power when DASH is enabled.
- RTL_GIGA_MAC_VER_27 must wait for tx finish before reset.Signed-off-by: Hayes Wang
Acked-by: Francois Romieu -
Adjust and remove certain settings of RTL8102E which are for previous chips.
Signed-off-by: Hayes Wang
Acked-off-by: Francois Romieu -
It results in the wrong point address and influences RTL8168DP.
Signed-off-by: Hayes Wang
Acked-by: Francois Romieu -
DM9000 revision B needs 1 ms delay after PHY power-on.
PHY must be powered on by writing 0 into register DM9000_GPR before
all other settings will change (see Davicom spec and example code).Remember, that register DM9000_GPR was not changed by reset sequence.
Without this fix the FIFO is out of sync and sends wrong data after
sequence of "ifconfig ethX down ; ifconfig ethX up".Signed-off-by: David S. Miller
