Age | Commit message | Author
2010-11-10 | net: packet: fix information leak to userland | Vasiliy Kulikov
packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-10 | filter: make sure filters dont read uninitialized memory | David S. Miller
There is a possibility malicious users can get limited information about uninitialized stack mem array. Even if sk_run_filter() result is bound to packet length (0 .. 65535), we could imagine this can be used by hostile user. Initializing mem[] array, like Dan Rosenberg suggested in his patch is expensive since most filters don't even use this array. It's hard to make the filter validation in sk_chk_filter(), because of the jumps. This might be done later. In this patch, I use a bitmap (a single long var) so that only filters using mem[] loads/stores pay the price of added security checks. For other filters, additional cost is a single instruction. [ Since we access fentry->k a lot now, cache it in a local variable and mark filter entry pointer as const. -DaveM ] Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-10 | net: ax25: fix information leak to userland | Vasiliy Kulikov
Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct, also the struct has padding bytes between sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-09 | net/dst: dst_dev_event() called after other notifiers | Eric Dumazet
Followup of commit ef885afbf8a37689 (net: use rcu_barrier() in rollback_registered_many) dst_dev_event() scans a garbage dst list that might be fed by various network notifiers at device dismantle time. It's important to call dst_dev_event() after other notifiers, or we might enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER, dev) to properly remove last device references. Use priority -10 to let dst_dev_notifier be called after other network notifiers (they have the default 0 priority) Reported-by: Ben Greear <greearb@candelatech.com> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Reported-by: Octavian Purdila <opurdila@ixiacom.com> Reported-by: Benjamin LaHaise <bcrl@kvack.org> Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-09 | net: tipc: fix information leak to userland | Kulikov Vasiliy
Structure sockaddr_tipc is copied to userland with padding bytes after "id" field in union field "name" uninitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-09 | r8169: fix sleeping while holding spinlock. | françois romieu
As device_set_wakeup_enable can now sleep, move the call to outside the critical section. Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> Acked-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-09 | r8169: revert "Handle rxfifo errors on 8168 chips" | françois romieu
The original patch helps under obscure conditions (no pun) but some 8168 do not like it. The change needs to be tightened with a specific 8168 version. This reverts commit 801e147cde02f04b5c2f42764cd43a89fc7400a2 ("r8169: Handle rxfifo errors on 8168 chips"). Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882 Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Tested-by: Andreas Radke <a.radke@arcor.de> Cc: Matthew Garrett <mjg@redhat.com> Cc: Daniel J Blueman <daniel.blueman@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-09 | inet: fix ip_mc_drop_socket() | Eric Dumazet
commit 8723e1b4ad9be4444 (inet: RCU changes in inetdev_by_index()) forgot one call site in ip_mc_drop_socket() We should not decrease idev refcount after inetdev_by_index() call, since refcount is not increased anymore. Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de> Reported-by: Miles Lane <miles.lane@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | rds: Fix rds message leak in rds_message_map_pages | Pavel Emelyanov
The sgs allocation error path leaks the allocated message. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | qeth: fix race condition during device startup | Frank Blaschka
QDIO is running independent from netdevice state. We are not allowed to schedule NAPI in case the netdevice is not open. Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | qeth: remove dev_queue_xmit invocation | Ursula Braun
For a certain Hipersockets specific error code in the xmit path, the qeth driver tries to invoke dev_queue_xmit again. Commit 79640a4ca6955e3ebdb7038508fa7a0cd7fa5527 introduces a busylock causing locking problems in case of re-invoked dev_queue_xmit by qeth. This patch removes the attempts to retry packet sending with dev_queue_xmit from the qeth driver. Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | pktgen: correct uninitialized queue_map | Junchang Wang
This fixes a bug reported by backyes. Right the first time pktgen's using queue_map that's not been initialized by set_cur_queue_map(pkt_dev); Signed-off-by: Junchang Wang <junchangwang@gmail.com> Signed-off-by: Backyes <backyes@mail.ustc.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | net: Detect and ignore netif_stop_queue() calls before register_netdev() | Guillaume Chazarain
After e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice These calls make net drivers oops at load time, so let's avoid people git-bisect'ing known problems. Signed-off-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | skge: Remove tx queue stopping in skge_devinit() | Guillaume Chazarain
After e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice It causes an Oops at skge_probe() time. Signed-off-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | ipv6: fix overlap check for fragments | Shan Wei
The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int, and offset is int. Without this patch, type conversion occurred to this expression, when (FRAG6_CB(prev)->offset + prev->len) is less than offset. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | classifier: report statistics for basic classifier | stephen hemminger
The basic classifier keeps statistics but does not report it to user space. This showed up when using basic classifier (with police) as a default catch all on ingress; no statistics were reported. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | solos: Refuse to upgrade firmware with older FPGA. It doesn't work. | David Woodhouse
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-08 | solos: Add 'Firmware' attribute for Traverse overall firmware version | David Woodhouse
The existing 'FirmwareVersion' attribute only covers the DSP firmware as provided by Conexant; not the overall version of the device firmware. We do want to be able to see the full version number too. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-07 | net dst: need linux/cache.h for ____cacheline_aligned_in_smp. | Paul Mundt
Presently the b43legacy build fails on an sh randconfig: In file included from include/net/dst.h:12, from drivers/net/wireless/b43legacy/xmit.c:32: include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__' before '____cacheline_aligned_in_smp' include/net/dst_ops.h: In function 'dst_entries_get_fast': include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_get_slow': include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_add': include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_init': include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named 'pcpuc_entries' include/net/dst_ops.h: In function 'dst_entries_destroy': include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named 'pcpuc_entries' make[5]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1 make[5]: *** Waiting for unfinished jobs.... Signed-off-by: Paul Mundt <lethal@linux-sh.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-07 | NET: pktgen - fix compile warning | Dmitry Torokhov
This should fix the following warning: net/core/pktgen.c: In function ‘pktgen_if_write’: net/core/pktgen.c:890: warning: comparison of distinct pointer types lacks a cast Signed-off-by: Dmitry Torokhov <dtor@mail.ru> Reviewed-by: Nelson Elhage <nelhage@ksplice.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-04 | inet_diag: Make sure we actually run the same bytecode we audited. | Nelson Elhage
We were using nlmsg_find_attr() to look up the bytecode by attribute when auditing, but then just using the first attribute when actually running bytecode. So, if we received a message with two attribute elements, where only the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different bytecode strings. Fix this by consistently using nlmsg_find_attr everywhere. Signed-off-by: Nelson Elhage <nelhage@ksplice.com> Signed-off-by: Thomas Graf <tgraf@infradead.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-04 | netlink: Make nlmsg_find_attr take a const nlmsghdr*. | Nelson Elhage
This will let us use it on a nlmsghdr stored inside a netlink_callback. Signed-off-by: Nelson Elhage <nelhage@ksplice.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-04 | fib: fib_result_assign() should not change fib refcounts | Eric Dumazet
After commit ebc0ffae5 (RCU conversion of fib_lookup()), fib_result_assign() should not change fib refcounts anymore. Thanks to Michael who did the bisection and bug report. Reported-by: Michael Ellerman <michael@ellerman.id.au> Tested-by: Michael Ellerman <michael@ellerman.id.au> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | netfilter: ip6_tables: fix information leak to userspace | Jan Engelhardt
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 | David S. Miller
2010-11-03 | cls_cgroup: Fix crash on module unload | Herbert Xu
Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: Li Zefan <lizf@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | memory corruption in X.25 facilities parsing | andrew hendry
Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | net dst: fix percpu_counter list corruption and poison overwritten | Xiaotian Feng
There're some percpu_counter list corruption and poison overwritten warnings in recent kernel, which is resulted by fc66f95c. commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel init the percpu_counter for dst entries, but, the percpu_counter is never destroyed in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter is still on the list, then if we insert/remove other percpu_counter, list corruption resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of the freed value, the poison overwritten is resulted then. With the following patch, the percpu_counter list corruption and poison overwritten warnings disappeared. Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | rds: Remove kfreed tcp conn from list | Pavel Emelyanov
All the rds_tcp_connection objects are stored in a list, but when being freed it should be removed from there. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | rds: Lost locking in loop connection freeing | Pavel Emelyanov
The conn is removed from list in there and this requires proper lock protection. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | de2104x: fix panic on load | Eric Dumazet
It's now illegal to call netif_stop_queue() before register_netdev() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | atl1 : fix panic on load | Eric Dumazet
It's now illegal to call netif_stop_queue() before register_netdev() Reported-by: Tom Gundersen <teg@jklm.no> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | netxen: remove unused firmware exports | Amerigo Wang
Quote from Amit Salecha: "Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already submitted and its present in linux-firmware.git. I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?" We have to remove these, otherwise we will get wrong info from modinfo. Signed-off-by: WANG Cong <amwang@redhat.com> Cc: Amit Kumar Salecha <amit.salecha@qlogic.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com> Cc: Narender Kumar <narender.kumar@qlogic.com> Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>-- Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | caif: Remove noisy printout when disconnecting caif socket | sjur.brandeland@stericsson.com
Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | caif: SPI-driver bugfix - incorrect padding. | Sjur Brændeland
Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | caif: Bugfix for socket priority, bindtodev and dbg channel. | André Carvalho de Matos
Changes: o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute priority instead. o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled in caif's setsockopt, using the struct sock attribute ifindex instead. o Wrong assert statement for RFM layer segmentation. o CAIF Debug channels was not working over SPI, caif_payload_info containing padding info must be initialized. o Check on pointer before dereferencing when unregister dev in caif_dev.c Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | smsc911x: Set Ethernet EEPROM size to supported device's size | John Faith
The SMSC911x supports 128 x 8-bit EEPROMs. Increase the EEPROM size so more than just the MAC address can be stored. Signed-off-by: John Faith <jfaith7@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-03 | ipv4: netfilter: ip_tables: fix information leak to userland | Vasiliy Kulikov
Structure ipt_getinfo is copied to userland with the field "name" that has the last elements uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-11-03 | ipv4: netfilter: arp_tables: fix information leak to userland | Vasiliy Kulikov
Structure arpt_getinfo is copied to userland with the field "name" that has the last elements uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-11-01 | cxgb4vf: remove call to stop TX queues at load time. | Divy Le Ray
Stopping TX queues at driver load time is not necessary. Signed-off-by: Casey Leedom <leedom@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | cxgb4: remove call to stop TX queues at load time. | Divy Le Ray
Remove racy queue stopping after device registration. Signed-off-by: Dimitris Michailidis <dm@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | cxgb3: remove call to stop TX queues at load time. | Divy Le Ray
Remove racy queue stopping after device registration. Signed-off-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | net: check queue_index from sock is valid for device | Tom Herbert
In dev_pick_tx recompute the queue index if the value stored in the socket is greater than or equal to the number of real queues for the device. The saved index in the sock structure is not guaranteed to be appropriate for the egress device (this could happen on a route change or in presence of tunnelling). The result of the queue index being bad would be to return a bogus queue (crash could presumably follow). Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | USB: gadget: fix ethernet gadget crash in gether_setup | Dmitry Artamonow
Crash is triggered by commit e6484930d7 ("net: allocate tx queues in register_netdevice"), which moved tx netqueue creation into register_netdev. So now calling netif_stop_queue() before register_netdev causes an oops. Move netif_stop_queue() after net device registration to fix crash. Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru> Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | ibm_newemac: Remove netif_stop_queue() in emac_probe(). | David S. Miller
Touching the queue state before register_netdev is not allowed, and besides the queue state before ->open() is "don't care" Reported-by: Josh Boyer <jwboyer@gmail.com> Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | usbnet: fix usb_autopm_get_interface failure(v1) | Ming Lei
Since usbnet already took usb runtime pm, we have to enable runtime pm for usb interface of usbnet, otherwise usb_autopm_get_interface may return failure and cause 'ifconfig usb0 up' failed if USB_SUSPEND(RUNTIME_PM) is enabled. Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Greg Kroah-Hartman <gregkh@suse.de> Cc: "David S. Miller" <davem@davemloft.net> Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Joe Perches <joe@perches.com> Cc: Oliver Neukum <oliver@neukum.org> Cc: Andy Shevchenko <andy.shevchenko@gmail.com> Cc: stable@kernel.org Signed-off-by: Ming Lei <tom.leiming@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | l2tp: kzalloc with swapped params in l2tp_dfs_seq_open | Dr. David Alan Gilbert
'sparse' spotted that the parameters to kzalloc in l2tp_dfs_seq_open were swapped. Tested on current git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git at 1792f17b7210280a3d7ff29da9614ba779cfcedb build, boots and I can see that directory, but there again I could see /sys/kernel/debug/l2tp with it swapped; I don't have any l2tp in use. Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | trivial: fix typos concerning "function" | Uwe Kleine-König
I'm a bit unsure about this patch. I'm unable to parse both statements. Cc: netdev@vger.kernel.org Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | bnx2x: Update version number | Yaniv Rosner
Update bnx2x version number. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-01 | bnx2x: Reset 8073 phy during common init | Yaniv Rosner
Resetting 8073 during common init is required on boards in which the 8073 reset pin is not asserted by default. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>