* Re: [PATCH v2] Prevent crashing when parsing bad X.25 facilities
From: Dan Rosenberg @ 2010-11-12 20:44 UTC (permalink / raw)
To: David Miller; +Cc: andrew.hendry, netdev
In-Reply-To: <20101112.122946.102556009.davem@davemloft.net>
> I find this kind of carelessness extremely amusing coming from someone
> who is so big on security theatre.
You know what I find amusing? The sheer number of security issues a
single person can find in his spare time. Congratulations on your
attention to detail.
-Dan
^ permalink raw reply
* Re: [PATCH v3] Prevent crashing when parsing bad X.25 facilities
From: David Miller @ 2010-11-12 20:45 UTC (permalink / raw)
To: drosenberg; +Cc: andrew.hendry, netdev
In-Reply-To: <1289594548.3090.334.camel@Dan>
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 12 Nov 2010 15:42:28 -0500
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow. Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Applied.
^ permalink raw reply
* Re: [PATCH v2] Prevent crashing when parsing bad X.25 facilities
From: David Miller @ 2010-11-12 20:50 UTC (permalink / raw)
To: drosenberg; +Cc: andrew.hendry, netdev
In-Reply-To: <1289594665.3090.336.camel@Dan>
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 12 Nov 2010 15:44:25 -0500
>
>> I find this kind of carelessness extremely amusing coming from someone
>> who is so big on security theatre.
>
> You know what I find amusing? The sheer number of security issues a
> single person can find in his spare time. Congratulations on your
> attention to detail.
I do not even agree that, for example, pointer exposure is a real
issue. It still remains a matter of opinion.
And much of your claims and boasting is based upon that opinion.
So don't pass it off saliently or indirectly as fact.
^ permalink raw reply
* Re: [net-2.6 PATCH] nete zero kobject in rx_queue_release
From: David Miller @ 2010-11-12 21:08 UTC (permalink / raw)
To: john.r.fastabend; +Cc: netdev, eric.dumazet, therbert
In-Reply-To: <20101111201341.4418.16400.stgit@jf-dev1-dcblab>
From: John Fastabend <john.r.fastabend@intel.com>
Date: Thu, 11 Nov 2010 12:13:41 -0800
> netif_set_real_num_rx_queues() can decrement and increment
> the number of rx queues. For example ixgbe does this as
> features and offloads are toggled. Presumably this could
> also happen across down/up on most devices if the available
> resources changed (cpu offlined).
>
> The kobject needs to be zero'd in this case so that the
> state is not preserved across kobject_put()/kobject_init_and_add().
>
> This resolves the following error report.
...
> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
I think it's probably better to clear the entire netdev_rx_queue
object rather than just the embedded kobject.
Otherwise we leave dangling rps_map, rps_flow_table, etc. pointers.
In fact, it's more tricky than this, because notice that your
patch will memset() free'd memory in the case where the
first->count drops to zero and we execute the kfree().
So we'll need something like:
if (atomic_dec_and_test(&first->count))
kfree(first);
else
/* clear everything except queue->first */
or, alternatively:
--------------------
map = rcu_dereference_raw(queue->rps_map);
if (map) {
call_rcu(&map->rcu, rps_map_release);
rcu_assign_pointer(queue->rps_map, NULL);
}
flow_table = rcu_dereference_raw(queue->rps_flow_table);
if (flow_table) {
call_rcu(&flow_table->rcu, rps_dev_flow_table_release);
rcu_assign_pointer(queue->rps_flow_table, NULL);
}
if (atomic_dec_and_test(&first->count))
kfree(first);
else
memset(kobj);
--------------------
Something like that.
^ permalink raw reply
* Re: [RFC PATCH] network: return errors if we know tcp_connect failed
From: David Lamparter @ 2010-11-12 21:16 UTC (permalink / raw)
To: Patrick McHardy
Cc: David Lamparter, Eric Dumazet, Eric Paris, Hua Zhong, netdev,
linux-kernel, davem, kuznet, pekkas, jmorris, yoshfuji,
paul.moore
In-Reply-To: <4CDD7145.8070606@trash.net>
On Fri, Nov 12, 2010 at 05:54:29PM +0100, Patrick McHardy wrote:
> Am 12.11.2010 17:35, schrieb David Lamparter:
> > On Fri, Nov 12, 2010 at 05:15:32PM +0100, Eric Dumazet wrote:
> >> Le vendredi 12 novembre 2010 à 11:08 -0500, Eric Paris a écrit :
> >>
> >>> 2) What should the generic TCP code (tcp_connect()) do if the skb failed
> >>> to send. Should it return error codes back up the stack somehow or
> >>> should they continue to be ignored? Obviously continuing to just ignore
> >>> information we have doesn't make me happy (otherwise I wouldn't have
> >>> started scratching this itch). But the point about ENOBUFS is well
> >>> taken. Maybe I should make tcp_connect(), or the caller to
> >>> tcp_connect() more intelligent about specific error codes?
> >>>
> >>> I'm looking for a path forward. If SELinux is rejecting the SYN packets
> >>> on connect() I want to pass that info to userspace rather than just
> >>> hanging. What's the best way to accomplish that?
> >>>
> >>
> >> Eric, if you can differentiate a permanent reject, instead of a
> >> temporary one (congestion, or rate limiting, or ENOBUF, or ...), then
> >> yes, you could make tcp_connect() report to user the permanent error,
> >> and ignore the temporary one.
>
> Indeed. We could even make the NF_DROP return value configurable
> by encoding it in the verdict.
> There is no NF_REJECT.
Ah, sorry, not at home in netfilter, coming from an user perspective here.
> Returning NF_DROP results in -EPERM getting reported back. As Eric
> noticed, this is ignored for SYN packets.
Hrm. But how do you silently drop packets? This seems counterintuitive
or even buggy to me; or at least the netfilter DROP target shouldn't use
this kind of error-reporting drop.
As food for thought I'd like to pose the following rule:
iptables -A OUTPUT -m statistic --mode nth --every 5 -j DROP
which should, to my understanding, still allow the connect to complete,
even if the first SYN got (silently!...) dropped.
Also, i'm *very* sure i was able to trigger a "permission denied" from
either firewall or route rules; weirdly enough i can't get that on my
2.6.35.7 router... (poking older boxes to reproduce it right now)
Just for reference some test results: (heavily cropped)
TL;DR: only tcp-reset and route prohibit work immediately.
+ telnet 74.125.43.105 80
Connected to 74.125.43.105.
+ iptables -I OUTPUT -p tcp -d 74.125.43.105 --dport 80 -j REJECT
# default w/o reject-with is icmp-port-unreachable
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: Connection refused
real 0m3.014s
+ iptables -I OUTPUT -p tcp -d 74.125.43.105 --dport 80 -j REJECT --reject-with tcp-reset
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: Connection refused
real 0m0.007s
+ iptables -I OUTPUT -p tcp -d 74.125.43.105 --dport 80 -j REJECT --reject-with host-prohib
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: No route to host
real 0m3.010s
+ iptables -I OUTPUT -p tcp -d 74.125.43.105 --dport 80 -j REJECT --reject-with admin-prohib
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: No route to host
real 0m3.009s
+ iptables -I OUTPUT -p tcp -d 74.125.43.105 --dport 80 -j REJECT --reject-with net-prohib
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: Network is unreachable
real 0m3.011s
+ iptables -F OUTPUT
+ ip route add prohibit 74.125.43.105
+ ip route flush cache
+ telnet 74.125.43.105 80
telnet: connect to address 74.125.43.105: Network is unreachable
real 0m0.007s
-David
^ permalink raw reply
* Re: [RFC PATCH] network: return errors if we know tcp_connect failed
From: David Miller @ 2010-11-12 21:18 UTC (permalink / raw)
To: equinox
Cc: kaber, eric.dumazet, eparis, hzhong, netdev, linux-kernel, kuznet,
pekkas, jmorris, yoshfuji, paul.moore
In-Reply-To: <20101112211627.GC122902@jupiter.n2.diac24.net>
From: David Lamparter <equinox@diac24.net>
Date: Fri, 12 Nov 2010 22:16:27 +0100
> As food for thought I'd like to pose the following rule:
> iptables -A OUTPUT -m statistic --mode nth --every 5 -j DROP
> which should, to my understanding, still allow the connect to complete,
> even if the first SYN got (silently!...) dropped.
Yes, I agree and this is pretty much the point I tried to make
earlier.
^ permalink raw reply
* Re: a problem tcp_v4_err()
From: Eric Dumazet @ 2010-11-12 21:18 UTC (permalink / raw)
To: David Miller
Cc: kuznet, kaber, equinox, eparis, hzhong, netdev, linux-kernel,
pekkas, jmorris, yoshfuji, paul.moore, damian
In-Reply-To: <20101112.112224.112610807.davem@davemloft.net>
Le vendredi 12 novembre 2010 à 11:22 -0800, David Miller a écrit :
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Fri, 12 Nov 2010 19:33:23 +0100
>
> > I CC Damian Lukowski in my previous answer (and this one too)
>
> Probably the safest fix is this:
>
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 8f8527d..69ccbc1 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
> !icsk->icsk_backoff)
> break;
>
> + if (sock_owned_by_user(sk))
> + break;
> +
> icsk->icsk_backoff--;
> inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
> icsk->icsk_backoff;
> @@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
> if (remaining) {
> inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
> remaining, TCP_RTO_MAX);
> - } else if (sock_owned_by_user(sk)) {
> - /* RTO revert clocked out retransmission,
> - * but socket is locked. Will defer. */
> - inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
> - HZ/20, TCP_RTO_MAX);
> } else {
> /* RTO revert clocked out retransmission.
> * Will retransmit now */
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
^ permalink raw reply
* Re: [PATCH net-next-2.6 V2] igmp: RCU conversion of in_dev->mc_list
From: David Miller @ 2010-11-12 21:19 UTC (permalink / raw)
To: eric.dumazet; +Cc: xiyou.wangcong, cypher.w, linux-kernel, netdev
In-Reply-To: <1289576810.3185.261.camel@edumazet-laptop>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 12 Nov 2010 16:46:50 +0100
> [PATCH net-next-2.6 V2] igmp: RCU conversion of in_dev->mc_list
>
> in_dev->mc_list is protected by one rwlock (in_dev->mc_list_lock).
>
> This can easily be converted to a RCU protection.
>
> Writers hold RTNL, so mc_list_lock is removed, not replaced by a
> spinlock.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
This looks good to me, so I've applied it to net-next-2.6
We have enough time there to fix any fallout or revert if
necessary.
^ permalink raw reply
* Re: [PATCH] net: Kconfig whitespace cleanup
From: David Miller @ 2010-11-12 21:21 UTC (permalink / raw)
To: phdm; +Cc: netdev
In-Reply-To: <1289514681-3940-1-git-send-email-phdm@macqel.be>
From: Philippe De Muyter <phdm@macqel.be>
Date: Thu, 11 Nov 2010 23:31:21 +0100
> Many lines in Kconfig start withe 8 spaces instead of a TAB, and even
> sometimes with 7 spaces. Replace 10 or 9 spaces, or TAB + 1 space,
> by TAB + 2 spaces, and 8 or 7 spaces by TAB.
>
> Signed-off-by: Philippe De Muyter <phdm@macqel.be>
Applied, thanks.
^ permalink raw reply
* Re: [PATCH net-next-2.6] net: net_families __rcu annotations
From: David Miller @ 2010-11-12 21:27 UTC (permalink / raw)
To: eric.dumazet; +Cc: netdev
In-Reply-To: <1289422244.17691.2.camel@edumazet-laptop>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 10 Nov 2010 21:50:44 +0100
> Use modern RCU API / annotations for net_families array.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Applied, thanks.
^ permalink raw reply
* Re: a problem tcp_v4_err()
From: David Miller @ 2010-11-12 21:36 UTC (permalink / raw)
To: eric.dumazet
Cc: kuznet, kaber, equinox, eparis, hzhong, netdev, linux-kernel,
pekkas, jmorris, yoshfuji, paul.moore, damian
In-Reply-To: <1289596718.2743.2.camel@edumazet-laptop>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 12 Nov 2010 22:18:38 +0100
> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Thanks for reviewing, here is the final bit I committed and
I'll queue this up for whatever -stable trees need this.
--------------------
tcp: Don't change unlocked socket state in tcp_v4_err().
Alexey Kuznetsov noticed a regression introduced by
commit f1ecd5d9e7366609d640ff4040304ea197fbc618
("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
The RTO and timer modification code added to tcp_v4_err()
doesn't check sock_owned_by_user(), which if true means we
don't have exclusive access to the socket and therefore cannot
modify it's critical state.
Just skip this new code block if sock_owned_by_user() is true
and eliminate the now superfluous sock_owned_by_user() code
block contained within.
Reported-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
CC: Damian Lukowski <damian@tvk.rwth-aachen.de>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv4/tcp_ipv4.c | 8 +++-----
1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 8f8527d..69ccbc1 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
!icsk->icsk_backoff)
break;
+ if (sock_owned_by_user(sk))
+ break;
+
icsk->icsk_backoff--;
inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
icsk->icsk_backoff;
@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
if (remaining) {
inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
remaining, TCP_RTO_MAX);
- } else if (sock_owned_by_user(sk)) {
- /* RTO revert clocked out retransmission,
- * but socket is locked. Will defer. */
- inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
- HZ/20, TCP_RTO_MAX);
} else {
/* RTO revert clocked out retransmission.
* Will retransmit now */
--
1.7.3.2
^ permalink raw reply related
* [PATCH 00/14] Use printf extension %pR for struct resource
From: Joe Perches @ 2010-11-12 21:37 UTC (permalink / raw)
To: Jiri Kosina
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-mips-6z/3iImG2C8G8FEW9MqTrA,
linuxppc-dev-uLR06cmDAlY/bJ5BZ2RsiQ,
linux-rdma-u79uwXL29TY76Z2rM5mHXA,
linux-mtd-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
socketcan-core-0fE9KPoRgkgATYTw5x5z8w,
netdev-u79uwXL29TY76Z2rM5mHXA,
linux-parisc-u79uwXL29TY76Z2rM5mHXA,
linux-usb-u79uwXL29TY76Z2rM5mHXA,
alsa-devel-K7yf7f+aM1XWsZ/bQMPhNw
Yet more trivia...
Joe Perches (14):
arch/frv: Use printf extension %pR for struct resource
arch/mips: Use printf extension %pR for struct resource
arch/powerpc: Use printf extension %pR for struct resource
drivers/dma/ppc4xx: Use printf extension %pR for struct resource
drivers/infiniband: Use printf extension %pR for struct resource
drivers/mfd: Use printf extension %pR for struct resource
drivers/mtd/maps: Use printf extension %pR for struct resource
drivers/mtd/nand: Use printf extension %pR for struct resource
drivers/net/can/sja1000: Use printf extension %pR for struct resource
drivers/parisc: Use printf extension %pR for struct resource
drivers/rapidio: Use printf extension %pR for struct resource
drivers/uwb: Use printf extension %pR for struct resource
drivers/video: Use printf extension %pR for struct resource
sound/ppc: Use printf extension %pR for struct resource
arch/frv/mb93090-mb00/pci-vdk.c | 8 ++------
arch/mips/txx9/generic/pci.c | 7 ++-----
arch/powerpc/kernel/pci_64.c | 3 +--
arch/powerpc/sysdev/tsi108_dev.c | 8 ++++----
drivers/dma/ppc4xx/adma.c | 5 ++---
drivers/infiniband/hw/ipath/ipath_driver.c | 5 ++---
drivers/mfd/sm501.c | 7 ++-----
drivers/mtd/maps/amd76xrom.c | 7 ++-----
drivers/mtd/maps/ck804xrom.c | 7 ++-----
drivers/mtd/maps/esb2rom.c | 9 +++------
drivers/mtd/maps/ichxrom.c | 9 +++------
drivers/mtd/maps/physmap_of.c | 4 +---
drivers/mtd/maps/scx200_docflash.c | 5 ++---
drivers/mtd/nand/pasemi_nand.c | 2 +-
drivers/net/can/sja1000/sja1000_of_platform.c | 8 ++------
drivers/parisc/dino.c | 13 +++++--------
drivers/parisc/hppb.c | 6 ++----
drivers/rapidio/rio.c | 4 ++--
drivers/uwb/umc-dev.c | 7 ++-----
drivers/video/platinumfb.c | 8 ++------
sound/ppc/pmac.c | 12 ++++--------
21 files changed, 48 insertions(+), 96 deletions(-)
--
1.7.3.1.g432b3.dirty
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* [PATCH 09/14] drivers/net/can/sja1000: Use printf extension %pR for struct resource
From: Joe Perches @ 2010-11-12 21:37 UTC (permalink / raw)
To: Jiri Kosina; +Cc: Wolfgang Grandegger, socketcan-core, netdev, linux-kernel
In-Reply-To: <cover.1289597644.git.joe@perches.com>
Using %pR standardizes the struct resource output.
Signed-off-by: Joe Perches <joe@perches.com>
---
drivers/net/can/sja1000/sja1000_of_platform.c | 8 ++------
1 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/net/can/sja1000/sja1000_of_platform.c b/drivers/net/can/sja1000/sja1000_of_platform.c
index 5bfccfd..09c3e9d 100644
--- a/drivers/net/can/sja1000/sja1000_of_platform.c
+++ b/drivers/net/can/sja1000/sja1000_of_platform.c
@@ -107,17 +107,13 @@ static int __devinit sja1000_ofp_probe(struct platform_device *ofdev,
res_size = resource_size(&res);
if (!request_mem_region(res.start, res_size, DRV_NAME)) {
- dev_err(&ofdev->dev, "couldn't request %#llx..%#llx\n",
- (unsigned long long)res.start,
- (unsigned long long)res.end);
+ dev_err(&ofdev->dev, "couldn't request %pR\n", &res);
return -EBUSY;
}
base = ioremap_nocache(res.start, res_size);
if (!base) {
- dev_err(&ofdev->dev, "couldn't ioremap %#llx..%#llx\n",
- (unsigned long long)res.start,
- (unsigned long long)res.end);
+ dev_err(&ofdev->dev, "couldn't ioremap %pR\n", &res);
err = -ENOMEM;
goto exit_release_mem;
}
--
1.7.3.1.g432b3.dirty
^ permalink raw reply related
* Re: [PATCH] ipv6: addrconf: don't remove address state on ifdown if the address is being kept
From: David Miller @ 2010-11-12 21:45 UTC (permalink / raw)
To: lorenzo; +Cc: netdev, maze, brian.haley
In-Reply-To: <AANLkTimLicmgC3BptZvXGoA0aN6-cFJtRG3DpqJ3NTpJ@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 27 Oct 2010 23:45:17 -0700
> On Wed, Oct 27, 2010 at 9:16 PM, Lorenzo Colitti <lorenzo@google.com> wrote:
>> Fix it so that none of this state is updated if the address is being kept on the interface.
>
> Or, since the logic of the patched code is a little hard to follow,
> here's an alternative patch against 2.6.36. I think it does exactly
> the same as the previous patch, but it moves things around to make the
> result more readable.
>
> Tested: Added a statically configured IPv6 address to an interface,
> started ping, brought link down, brought link up again. When link came
> up ping kept on going and "ip -6 maddr" showed that the host was still
> subscribed to there
>
> Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Ok, this looks good, applied.
Thanks for your patience.
^ permalink raw reply
* Re: [PATCH kernel 2.6.37-rc1] axnet_cs: fix resume problem for some Ax88790 chip
From: David Miller @ 2010-11-12 22:01 UTC (permalink / raw)
To: ken_kawasaki; +Cc: netdev
In-Reply-To: <20101107001124.7d8ef6c4.ken_kawasaki@spring.nifty.jp>
From: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Date: Sun, 7 Nov 2010 00:11:24 +0900
>
> axnet_cs:
> Some Ax88790 chip need to reinitialize the CISREG_CCSR register
> after resume.
>
> Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Applied, thank you.
^ permalink raw reply
* Re: [PATCH 1/2] docs: Add neigh/gc_thresh3 and route/max_size documentation.
From: David Miller @ 2010-11-12 22:04 UTC (permalink / raw)
To: greearb; +Cc: netdev
In-Reply-To: <1289243629-20789-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
Date: Mon, 8 Nov 2010 11:13:48 -0800
> Signed-off-by: Ben Greear <greearb@candelatech.com>
Applied.
> + with large numbers of directly-connected peers.
This line has trailing whitespace, please avoid that in the
future so I don't have to correct your patches by hand.
Thanks.
^ permalink raw reply
* Re: [PATCH v2 2/2] ipv6: Warn users if maximum number of routes is reached.
From: David Miller @ 2010-11-12 22:04 UTC (permalink / raw)
To: greearb; +Cc: netdev
In-Reply-To: <1289255628-9596-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
Date: Mon, 8 Nov 2010 14:33:48 -0800
> This gives users at least some clue as to what the problem
> might be and how to go about fixing it.
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
Applied.
^ permalink raw reply
* Re: [PATCH] gianfar: Do not call device_set_wakeup_enable() under a spinlock
From: David Miller @ 2010-11-12 22:06 UTC (permalink / raw)
To: rjw; +Cc: daniel.blueman, romieu, linux-kernel, netdev
In-Reply-To: <201011092254.19550.rjw@sisk.pl>
From: "Rafael J. Wysocki" <rjw@sisk.pl>
Date: Tue, 9 Nov 2010 22:54:19 +0100
> The gianfar driver calls device_set_wakeup_enable() under a spinlock,
> which causes a problem to happen after the recent core power
> management changes, because this function can sleep now. Fix this
> by moving the device_set_wakeup_enable() call out of the
> spinlock-protected area.
>
> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Patch applied, thank you.
^ permalink raw reply
* Re: can-bcm: fix minor heap overflow
From: David Miller @ 2010-11-12 22:07 UTC (permalink / raw)
To: socketcan; +Cc: netdev, drosenberg, torvalds, urs, security
In-Reply-To: <4CDB1856.4040001@hartkopp.net>
From: Oliver Hartkopp <socketcan@hartkopp.net>
Date: Wed, 10 Nov 2010 23:10:30 +0100
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
>
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
>
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
> CC: Linus Torvalds <torvalds@linux-foundation.org>
Patch applied, thanks.
^ permalink raw reply
* [GIT] Networking
From: David Miller @ 2010-11-12 22:38 UTC (permalink / raw)
To: torvalds; +Cc: akpm, netdev, linux-kernel
1) mac80211 fix for handling of a scan cancellation, from Brian Cavagnolo
2) Minor overflow in can-bcm, from Oliver Hartkopp
3) cxgb4vf bug fixes from Casey Leedom
4) X.25 facility parsing validation bug fixes from Dan Rosenberg
5) ATM solos bug fixes from David Woodhouse.
6) TCP does state changes on unlocked socket, oops. Based upon
a report by Alexey Kuznetsov.
7) Don't allow socket filters to read uninitialized memory. Based
upon a patch by Eric Dumazet.
8) TCP_MAXSEG, if set low enough, can result in a divide by zero or
by a negative number (because we sometimes subtract certain TCP
option sizes), bump minimum from 8 to 64.
9) MaxBookAir3,1(2) bluetooth support, from Edgar Hucek.
10) ip_mc_drop_socket() does wrong refcounting, fix from Eric Dumazet.
11) VLAN regression fixes from Hao Zheng.
12) Link state reporting fix in virtio-net from Jason Wang.
13) ucc_geth bug fixes from Joakim Tjernlund.
14) queue_map can be used uninitialized in pktgen, from Junchang Wang.
15) axnet_cs resume fix from Ken Kawasaki.
16) Don't lose state of ipv6 addresses which will be kept across an
ifdown/ifup cycle, fix and report from Lorenzo Colitti.
17) af_packet recvmsg() header size check is borked in the GSO case,
fix from Mariusz Kozlowski.
18) dst cache build fix, missing linux/cache.h include, from Paul Mundt.
19) Fix from Rafael J. Wysocki for device_set_wakeup_enable() being called
in gianfar driver from unsleepable context.
20) Fragment overlap check in ipv6 and netfilter/ipv6 is buggered, from
Shan Wei.
21) Fix message size calculation in rtnetlink link messages, from Thomas
Graf.
22) ax25/packet ->getsockopt() info leak to userland fix from Vasiliy
Kulikov
23) r8169 regression fixes from françois romieu
24) Packet scheduler basic classifier doesn't report stats, fix from
Stephen Hemminger.
Please pull, thanks a lot!
The following changes since commit 5398a64c63a69a0ac33dbae458ea4aab0dc23f14:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6 (2010-11-08 10:55:29 -0800)
are available in the git repository at:
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6.git master
Ben Greear (2):
docs: Add neigh/gc_thresh3 and route/max_size documentation.
ipv6: Warn users if maximum number of routes is reached.
Brian Cavagnolo (1):
mac80211: unset SDATA_STATE_OFFCHANNEL when cancelling a scan
Casey Leedom (6):
cxgb4vf: don't implement trivial (and incorrect) ndo_select_queue()
cxgb4vf: fix bug in Generic Receive Offload
cxgb4vf: fix some errors in Gather List to skb conversion
cxgb4vf: flesh out PCI Device ID Table ...
cxgb4vf: Fail open if link_start() fails.
cxgb4vf: add call to Firmware to reset VF State.
Christian Lamparter (1):
carl9170: usbid table updates
Dan Rosenberg (1):
x25: Prevent crashing when parsing bad X.25 facilities
Daniel Drake (1):
libertas: terminate scan when stopping interface
David S. Miller (5):
filter: make sure filters dont read uninitialized memory
tcp: Increase TCP_MAXSEG socket option minimum.
Merge branch 'master' of git://git.kernel.org/.../linville/wireless-2.6
Merge git://git.kernel.org/.../kaber/nf-2.6
tcp: Don't change unlocked socket state in tcp_v4_err().
David Woodhouse (2):
solos: Add 'Firmware' attribute for Traverse overall firmware version
solos: Refuse to upgrade firmware with older FPGA. It doesn't work.
Dmitry Torokhov (1):
NET: pktgen - fix compile warning
Edgar (gimli) Hucek (1):
Bluetooth: Add MacBookAir3,1(2) support
Eric Dumazet (3):
inet: fix ip_mc_drop_socket()
net/dst: dst_dev_event() called after other notifiers
net: avoid limits overflow
Eric Paris (1):
netfilter: NF_HOOK_COND has wrong conditional
Felix Fietkau (2):
cfg80211: fix a crash in dev lookup on dump commands
ath9k: check old power mode before clearing cycle counters
Frank Blaschka (1):
qeth: fix race condition during device startup
Guillaume Chazarain (2):
skge: Remove tx queue stopping in skge_devinit()
net: Detect and ignore netif_stop_queue() calls before register_netdev()
Gustavo F. Padovan (1):
Bluetooth: fix endianness conversion in L2CAP
Haitao Zhang (1):
ath9k_htc: Add support for device ID 3346
Hao Zheng (3):
vlan: Add function to retrieve EtherType from vlan packets.
bnx2x: Look inside vlan when determining checksum proto.
ixgbe: Look inside vlan when determining offload protocol.
Jason Wang (1):
virtio-net: init link state correctly
Joakim Tjernlund (2):
ucc_geth: Do not bring the whole IF down when TX failure.
ucc_geth: Fix deadlock
Johan Hedberg (1):
Bluetooth: Fix non-SSP auth request for HIGH security level sockets
Junchang Wang (1):
pktgen: correct uninitialized queue_map
Ken Kawasaki (1):
axnet_cs: fix resume problem for some Ax88790 chip
Kulikov Vasiliy (1):
net: tipc: fix information leak to userland
Linus Torvalds (1):
libipw: fix proc entry removal
Lorenzo Colitti (1):
ipv6: addrconf: don't remove address state on ifdown if the address is being kept
Luiz Augusto von Dentz (1):
Bluetooth: fix not setting security level when creating a rfcomm session
Mariusz Kozlowski (1):
net: Fix header size check for GSO case in recvmsg (af_packet)
Matthew Garrett (1):
Bluetooth: Enable USB autosuspend by default on btusb
Oliver Hartkopp (1):
can-bcm: fix minor heap overflow
Paul Mundt (1):
net dst: need linux/cache.h for ____cacheline_aligned_in_smp.
Pavel Emelyanov (1):
rds: Fix rds message leak in rds_message_map_pages
Rafael J. Wysocki (1):
gianfar: Do not call device_set_wakeup_enable() under a spinlock
Rajkumar Manoharan (3):
ath9k: Avoid HW opmode overridden on monitor mode changes
ath9k_htc: Fix probe failure if CONFIG_USB_DEBUG enabled
ath9k_hw: Fix memory leak on ath9k_hw_rf_alloc_ext_banks failure
Randy Dunlap (1):
Bluetooth: fix hidp kconfig dependency warning
Shan Wei (2):
ipv6: fix overlap check for fragments
netfilter: ipv6: fix overlap check for fragments
Thomas Graf (1):
rtnetlink: Fix message size calculation for link messages
Ursula Braun (1):
qeth: remove dev_queue_xmit invocation
Vasanthakumar Thiagarajan (1):
ath9k_hw: Fix AR9280 surprise removal during frequent idle on/off
Vasiliy Kulikov (2):
net: ax25: fix information leak to userland
net: packet: fix information leak to userland
Vivek Natarajan (1):
ath9k: Fix a DMA latency issue for Intel Pinetrail platforms.
Wey-Yi Guy (1):
iwlwifi: dont use pci_dev before it being assign
françois romieu (2):
r8169: revert "Handle rxfifo errors on 8168 chips"
r8169: fix sleeping while holding spinlock.
stephen hemminger (1):
classifier: report statistics for basic classifier
steven miao (1):
Bluetooth: fix unaligned access to l2cap conf data
Documentation/networking/ip-sysctl.txt | 9 ++
drivers/atm/solos-attrlist.c | 1 +
drivers/atm/solos-pci.c | 8 ++
drivers/bluetooth/btusb.c | 5 +
drivers/net/bnx2x/bnx2x_cmn.c | 2 +-
drivers/net/cxgb4vf/cxgb4vf_main.c | 42 ++++++---
drivers/net/cxgb4vf/sge.c | 122 ++++++++++++++++----------
drivers/net/cxgb4vf/t4vf_common.h | 1 +
drivers/net/cxgb4vf/t4vf_hw.c | 19 ++++
drivers/net/gianfar_ethtool.c | 5 +-
drivers/net/ixgbe/ixgbe_main.c | 60 +++++++------
drivers/net/pcmcia/axnet_cs.c | 30 ++++--
drivers/net/r8169.c | 9 +-
drivers/net/skge.c | 1 -
drivers/net/ucc_geth.c | 25 ++++--
drivers/net/virtio_net.c | 12 ++-
drivers/net/wireless/ath/ath9k/ar9002_hw.c | 3 +
drivers/net/wireless/ath/ath9k/ath9k.h | 1 +
drivers/net/wireless/ath/ath9k/hif_usb.c | 31 +++----
drivers/net/wireless/ath/ath9k/hw.c | 15 +++-
drivers/net/wireless/ath/ath9k/hw.h | 1 +
drivers/net/wireless/ath/ath9k/init.c | 8 ++
drivers/net/wireless/ath/ath9k/main.c | 29 +++++--
drivers/net/wireless/ath/ath9k/recv.c | 4 +-
drivers/net/wireless/ath/ath9k/reg.h | 1 +
drivers/net/wireless/ath/carl9170/usb.c | 4 +-
drivers/net/wireless/ipw2x00/libipw_module.c | 9 +-
drivers/net/wireless/iwlwifi/iwl3945-base.c | 3 +-
drivers/net/wireless/libertas/cfg.c | 5 +-
drivers/net/wireless/libertas/dev.h | 1 +
drivers/net/wireless/libertas/main.c | 7 ++
drivers/s390/net/qeth_core.h | 9 --
drivers/s390/net/qeth_core_main.c | 55 ++----------
include/linux/if_vlan.h | 25 +++++
include/linux/netdevice.h | 5 +
include/linux/netfilter.h | 2 +-
include/net/dn.h | 2 +-
include/net/dst_ops.h | 1 +
include/net/sock.h | 4 +-
include/net/tcp.h | 6 +-
include/net/udp.h | 4 +-
net/ax25/af_ax25.c | 2 +-
net/bluetooth/hci_event.c | 6 ++
net/bluetooth/hidp/Kconfig | 2 +-
net/bluetooth/l2cap.c | 8 +-
net/bluetooth/rfcomm/core.c | 13 ++-
net/can/bcm.c | 2 +-
net/core/dst.c | 1 +
net/core/filter.c | 64 ++++++++------
net/core/pktgen.c | 6 +-
net/core/rtnetlink.c | 9 +-
net/core/sock.c | 14 ++--
net/decnet/af_decnet.c | 2 +-
net/decnet/sysctl_net_decnet.c | 4 +-
net/ipv4/igmp.c | 4 +-
net/ipv4/proc.c | 8 +-
net/ipv4/sysctl_net_ipv4.c | 5 +-
net/ipv4/tcp.c | 6 +-
net/ipv4/tcp_input.c | 11 ++-
net/ipv4/tcp_ipv4.c | 8 +-
net/ipv4/udp.c | 4 +-
net/ipv6/addrconf.c | 24 ++----
net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
net/ipv6/reassembly.c | 2 +-
net/ipv6/route.c | 6 +-
net/mac80211/iface.c | 6 +-
net/packet/af_packet.c | 7 +-
net/rds/message.c | 4 +-
net/sched/cls_basic.c | 4 +
net/sctp/protocol.c | 2 +-
net/sctp/socket.c | 4 +-
net/sctp/sysctl.c | 4 +-
net/tipc/socket.c | 1 +
net/wireless/nl80211.c | 4 +-
net/x25/x25_facilities.c | 12 ++-
75 files changed, 512 insertions(+), 335 deletions(-)
^ permalink raw reply
* Re: [PATCH 4/10] Fix leaking of kernel heap addresses in net/
From: Alexey Dobriyan @ 2010-11-12 22:40 UTC (permalink / raw)
To: David Miller; +Cc: shemminger, netdev
In-Reply-To: <20101112.123738.179940542.davem@davemloft.net>
On Fri, Nov 12, 2010 at 12:37:38PM -0800, David Miller wrote:
> From: Alexey Dobriyan <adobriyan@gmail.com>
> Date: Fri, 12 Nov 2010 22:18:50 +0200
>
> > On Fri, Nov 12, 2010 at 08:33:15AM -0800, Stephen Hemminger wrote:
> >> Also, the whole idea needs to be under a config option, so only
> >> the paranoid idiots turn it on.
> >
> > Would be fun if something will break because ffff8800bcd498c0
> > will become something else. :-)
>
> Actually, this is not even a joke.
>
> Take a look at how we track what sockets a user wants dumped via
> the inet_diag netlink facility, the socket pointer is used as
> the identification cookie.
I think we should not expose kernel pointers in future interfaces,
but leave existing ones alone.
^ permalink raw reply
* Re: [PATCH 4/10] Fix leaking of kernel heap addresses in net/
From: David Miller @ 2010-11-12 22:46 UTC (permalink / raw)
To: adobriyan; +Cc: shemminger, netdev
In-Reply-To: <20101112224026.GA21134@core2.telecom.by>
From: Alexey Dobriyan <adobriyan@gmail.com>
Date: Sat, 13 Nov 2010 00:40:27 +0200
> I think we should not expose kernel pointers in future interfaces,
> but leave existing ones alone.
That seems like the most reasonable and pragmatic position I've seen
thus far :-)
^ permalink raw reply
* Re: [PATCH] r8169: fix checksum broken
From: Francois Romieu @ 2010-11-12 22:47 UTC (permalink / raw)
To: Shan Wei; +Cc: netdev@vger.kernel.org, David Miller
In-Reply-To: <4CDD13BD.7060109@cn.fujitsu.com>
Shan Wei <shanwei@cn.fujitsu.com> :
> If r8196 received packets with invalid sctp/igmp(not tcp, udp) checksum, r8196 set skb->ip_summed
> wit CHECKSUM_UNNECESSARY. This cause that upper protocol don't check checksum field.
...
Which kind of device do you use : PCI-E 8168 / 810x or PCI 8169 ?
Have a nice night.
--
Ueimor
^ permalink raw reply
* Re: possible kernel oops from user MSS
From: Min Zhang @ 2010-11-12 22:59 UTC (permalink / raw)
To: netdev
In-Reply-To: <AANLkTin-gXceUQxKvQeP8Nc8oXZDJnyjoFUjYD5x_g_y@mail.gmail.com>
Regarding commit 7a1abd08d52fdeddb3e9a5a33f2f15cc6a5674d2 ("tcp:
Increase TCP_MAXSEG socket option minimum"). What is the reason
TCP_MAXSEG minimum be 64? Isn't the exact be 40 which is
TCPOLEN_MD5SIG_ALIGNED(20) + TCPOLEN_TSTAMP_ALIGNED(12) + 8?
Or is it better to use TCP_MIN_MSS from tcp.h:
/* Minimal accepted MSS. It is (60+60+8) - (20+20). */
#define TCP_MIN_MSS 88U
^ permalink raw reply
* Re: [PATCH] r8169: fix checksum broken
From: Francois Romieu @ 2010-11-12 23:13 UTC (permalink / raw)
To: Shan Wei; +Cc: netdev@vger.kernel.org, David Miller
In-Reply-To: <20101112224746.GA6676@electric-eye.fr.zoreil.com>
Francois Romieu <romieu@fr.zoreil.com> :
[...]
> Which kind of device do you use : PCI-E 8168 / 810x or PCI 8169 ?
Wrong page. Forget it.
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
--
Ueimor
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox