1. 14 Feb, 2013 32 commits
  2. 13 Feb, 2013 8 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 323a72d8
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "This is primarily to get those r8169 reverts sorted, but other fixes
        have accumulated meanwhile.
      
         1) Revert two r8169 changes to fix suspend/resume for some users,
            from Francois Romieu.
      
         2) PCI dma mapping errors in atl1c are not checked for and this cause
            hard crashes for some users, from Xiong Huang.
      
         3) In 3.8.x we merged the removal of the EXPERIMENTAL dependency for
            'dlm' but the same patch for 'sctp' got lost somewhere, resulting
            in the potential for build errors since there are cross
            dependencies.  From Kees Cook.
      
         4) SCTP's ipv6 socket route validation makes boolean tests
            incorrectly, fix from Daniel Borkmann.
      
         5) mac80211 does sizeof(ptr) instead of (sizeof(ptr) * nelem), from
            Cong Ding.
      
         6) arp_rcv() can crash on shared non-linear packets, from Eric
            Dumazet.
      
         7) Avoid crashes in macvtap by setting ->gso_type consistently in
            ixgbe, qlcnic, and bnx2x drivers.  From Michael S Tsirkin and
            Alexander Duyck.
      
         8) Trinity fuzzer spots infinite loop in __skb_recv_datagram(), fix
            from Eric Dumazet.
      
         9) STP protocol frames should use high packet priority, otherwise an
            overloaded bridge can get stuck.  From Stephen Hemminger.
      
        10) The HTB packet scheduler was converted some time ago to store
            internal timestamps in nanoseconds, but we don't convert back into
            psched ticks for the user during dumps.  Fix from Jiri Pirko.
      
        11) mwl8k channel table doesn't set the .band field properly,
            resulting in NULL pointer derefs.  Fix from Jonas Gorski.
      
        12) mac80211 doesn't accumulate channels properly during a scan so we
            can downgrade heavily to a much less desirable connection speed.
            Fix from Johannes Berg.
      
        13) PHY probe failure in stmmac can result in resource leaks and
            double MDIO registery later, from Giuseppe CAVALLARO.
      
        14) Correct ipv6 checksumming in ip6t_NPT netfilter module, also fix
            address prefix mangling, from YOSHIFUJI Hideaki."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
        net, sctp: remove CONFIG_EXPERIMENTAL
        net: sctp: sctp_v6_get_dst: fix boolean test in dst cache
        batman-adv: Fix NULL pointer dereference in DAT hash collision avoidance
        net/macb: fix race with RX interrupt while doing NAPI
        atl1c: add error checking for pci_map_single functions
        htb: fix values in opt dump
        ixgbe: Only set gso_type to SKB_GSO_TCPV4 as RSC does not support IPv6
        net: fix infinite loop in __skb_recv_datagram()
        net: qmi_wwan: add Yota / Megafon M100-1 4g modem
        mwl8k: fix band for supported channels
        bridge: set priority of STP packets
        mac80211: fix channel selection bug
        arp: fix possible crash in arp_rcv()
        bnx2x: set gso_type
        qlcnic: set gso_type
        ixgbe: fix gso type
        stmmac: mdio register has to fail if the phy is not found
        stmmac: fix macro used for debugging the xmit
        Revert "r8169: enable internal ASPM and clock request settings".
        Revert "r8169: enable ALDPS for power saving".
        ...
      323a72d8
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 42976ad0
      Linus Torvalds authored
      Pull x86 fixes from Peter Anvin:
       "One (hopefully) last batch of x86 fixes.  You asked for the patch by
        patch justifications, so here they are:
      
            x86, MCE: Retract most UAPI exports
      
         This one unexports from userspace a bunch of definitions which should
         never have been exported.  We really don't want to create an
         accidental legacy here.
      
            x86, doc: Add a bootloader ID for OVMF
      
         This is a documentation-only patch, just recording the official
         assignment of a boot loader ID.
      
            x86: Do not leak kernel page mapping locations
      
         Security: avoid making it needlessly easy for user space to probe the
         kernel memory layout.
      
            x86/mm: Check if PUD is large when validating a kernel address
      
         Prevent failures using /proc/kcore when using 1G pages.
      
            x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems
      
         Works around a BIOS problem causing boot failures on affected hardware."
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Check if PUD is large when validating a kernel address
        x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems
        x86, doc: Add a bootloader ID for OVMF
        x86: Do not leak kernel page mapping locations
        x86, MCE: Retract most UAPI exports
      42976ad0
    • Kees Cook's avatar
      net, sctp: remove CONFIG_EXPERIMENTAL · 3bdb1a44
      Kees Cook authored
      This config item has not carried much meaning for a while now and is
      almost always enabled by default. As agreed during the Linux kernel
      summit, remove it.
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarSteven Whitehouse <swhiteho@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bdb1a44
    • Daniel Borkmann's avatar
      net: sctp: sctp_v6_get_dst: fix boolean test in dst cache · e9c0dfba
      Daniel Borkmann authored
      We walk through the bind address list and try to get the best source
      address for a given destination. However, currently, we take the
      'continue' path of the loop when an entry is invalid (!laddr->valid)
      *and* the entry state does not equal SCTP_ADDR_SRC (laddr->state !=
      SCTP_ADDR_SRC).
      
      Thus, still, invalid entries with SCTP_ADDR_SRC might not 'continue'
      as well as valid entries with SCTP_ADDR_{NEW, SRC, DEL}, with a possible
      false baddr and matchlen as a result, causing in worst case dst route
      to be false or possibly NULL.
      
      This test should actually be a '||' instead of '&&'. But lets fix it
      and make this a bit easier to read by having the condition the same way
      as similarly done in sctp_v4_get_dst.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9c0dfba
    • Pau Koning's avatar
      batman-adv: Fix NULL pointer dereference in DAT hash collision avoidance · 816cd5b8
      Pau Koning authored
      An entry in DAT with the hashed position of 0 can cause a NULL pointer
      dereference when the first entry is checked by batadv_choose_next_candidate.
      This first candidate automatically has the max value of 0 and the max_orig_node
      of NULL. Not checking max_orig_node for NULL in batadv_is_orig_node_eligible
      will lead to a NULL pointer dereference when checking for the lowest address.
      
      This problem was added in 785ea114
      ("batman-adv: Distributed ARP Table - create DHT helper functions").
      Signed-off-by: default avatarPau Koning <paukoning@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      816cd5b8
    • Nicolas Ferre's avatar
      net/macb: fix race with RX interrupt while doing NAPI · 8770e91a
      Nicolas Ferre authored
      When interrupts are disabled, an RX condition can occur but
      it is not reported when enabling interrupts again. We need to check
      RSR and use napi_reschedule() if condition is met.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8770e91a
    • Huang, Xiong's avatar
      atl1c: add error checking for pci_map_single functions · ac574804
      Huang, Xiong authored
      it is reported that code hit DMA-API errors on 3.8-rc6+,
      (see https://bugzilla.redhat.com/show_bug.cgi?id=908436, and
           https://bugzilla.redhat.com/show_bug.cgi?id=908550)
      
      this patch just adds error handler for
          pci_map_single and skb_frag_dma_map.
      Signed-off-by: default avatarxiong <xiong@qca.qualcomm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac574804
    • Mel Gorman's avatar
      x86/mm: Check if PUD is large when validating a kernel address · 0ee364eb
      Mel Gorman authored
      A user reported the following oops when a backup process reads
      /proc/kcore:
      
       BUG: unable to handle kernel paging request at ffffbb00ff33b000
       IP: [<ffffffff8103157e>] kern_addr_valid+0xbe/0x110
       [...]
      
       Call Trace:
        [<ffffffff811b8aaa>] read_kcore+0x17a/0x370
        [<ffffffff811ad847>] proc_reg_read+0x77/0xc0
        [<ffffffff81151687>] vfs_read+0xc7/0x130
        [<ffffffff811517f3>] sys_read+0x53/0xa0
        [<ffffffff81449692>] system_call_fastpath+0x16/0x1b
      
      Investigation determined that the bug triggered when reading
      system RAM at the 4G mark. On this system, that was the first
      address using 1G pages for the virt->phys direct mapping so the
      PUD is pointing to a physical address, not a PMD page.
      
      The problem is that the page table walker in kern_addr_valid() is
      not checking pud_large() and treats the physical address as if
      it was a PMD.  If it happens to look like pmd_none then it'll
      silently fail, probably returning zeros instead of real data. If
      the data happens to look like a present PMD though, it will be
      walked resulting in the oops above.
      
      This patch adds the necessary pud_large() check.
      
      Unfortunately the problem was not readily reproducible and now
      they are running the backup program without accessing
      /proc/kcore so the patch has not been validated but I think it
      makes sense.
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Reviewed-by: default avatarRik van Riel <riel@redhat.coM>
      Reviewed-by: default avatarMichal Hocko <mhocko@suse.cz>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Cc: stable@vger.kernel.org
      Cc: linux-mm@kvack.org
      Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      0ee364eb