1. 11 Jan, 2016 5 commits
  2. 10 Jan, 2016 6 commits
  3. 09 Jan, 2016 2 commits
  4. 08 Jan, 2016 5 commits
  5. 07 Jan, 2016 1 commit
  6. 06 Jan, 2016 7 commits
    • Sven Eckelmann's avatar
      batman-adv: Fix invalid read while copying bat_iv.bcast_own · 13bbdd37
      Sven Eckelmann authored
      
      
      batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously
      belonged to the now removed interface. This is done by copying all data
      which comes before the removed interface and then appending all the data
      which comes after the removed interface.
      
      The address calculation for the position of the data which comes after the
      removed interface assumed that the bat_iv.bcast_own is a pointer to a
      single byte datatype. But it is a pointer to unsigned long and thus the
      calculated position was wrong off factor sizeof(unsigned long).
      
      Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets /
      bitarray added)")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      13bbdd37
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 51cb67c0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "As usual, there are a couple straggler bug fixes:
      
         1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic
            driver.  Fix from Insu Yun.
      
         2) SKB refcounting bug in connector, from Florian Westphal.
      
         3) vrf_get_saddr() has to propagate fib_lookup() errors to it's
            callers, from David Ahern.
      
         4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat.
      
         5) qdisc_rcu_free() fails to free the per-cpu qstats.  Fix from John
            Fastabend.
      
         6) vmxnet3 driver passes wrong page to dma_map_page(), fix from
           Shrikrishna Khare.
      
         7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        tcp: fix zero cwnd in tcp_cwnd_reduction
        Driver: Vmxnet3: Fix regression caused by 5738a09d
        net: qmi_wwan: Add WeTelecom-WPD600N
        mkiss: fix scribble on freed memory
        net: possible use after free in dst_release
        net: sched: fix missing free per cpu on qstats
        ARM: net: bpf: fix zero right shift
        6pack: fix free memory scribbles
        net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
        bridge: Only call /sbin/bridge-stp for the initial network namespace
        af_unix: Fix splice-bind deadlock
        net: Propagate lookup failure in l3mdev_get_saddr to caller
        r8152: add reset_resume function
        connector: bump skb->users before callback invocation
        cxgb4: correctly handling failed allocation
        qlcnic: correctly handle qlcnic_alloc_mbx_args
      51cb67c0
    • Yuchung Cheng's avatar
      tcp: fix zero cwnd in tcp_cwnd_reduction · 8b8a321f
      Yuchung Cheng authored
      Patch 3759824d ("tcp: PRR uses CRB mode by default and SS mode
      conditionally") introduced a bug that cwnd may become 0 when both
      inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
      to a div-by-zero if the connection starts another cwnd reduction
      phase by setting tp->prior_cwnd to the current cwnd (0) in
      tcp_init_cwnd_reduction().
      
      To prevent this we skip PRR operation when nothing is acked or
      sacked. Then cwnd must be positive in all cases as long as ssthresh
      is positive:
      
      1) The proportional reduction mode
         inflight > ssthresh > 0
      
      2) The reduction bound mode
        a) inflight == ssthresh > 0
      
        b) inflight < ssthresh
           sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
      
      Therefore in all cases inflight and sndcnt can not both be 0.
      We check invalid tp->prior_cwnd to avoid potential div0 bugs.
      
      In reality this bug is triggered only with a sequence of less common
      events.  For example, the connection is terminating an ECN-triggered
      cwnd reduction with an inflight 0, then it receives reordered/old
      ACKs or DSACKs from prior transmission (which acks nothing). Or the
      connection is in fast recovery stage that marks everything lost,
      but fails to retransmit due to local issues, then receives data
      packets from other end which acks nothing.
      
      Fixes: 3759824d
      
       ("tcp: PRR uses CRB mode by default and SS mode conditionally")
      Reported-by: default avatarOleksandr Natalenko <oleksandr@natalenko.name>
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b8a321f
    • Shrikrishna Khare's avatar
    • Kristian Evensen's avatar
      net: qmi_wwan: Add WeTelecom-WPD600N · e439bd4a
      Kristian Evensen authored
      
      
      The WeTelecom-WPD600N is an LTE module that, in addition to supporting most
      "normal" bands, also supports LTE over 450MHz. Manual testing showed that
      only interface number three replies to QMI messages.
      
      Cc: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e439bd4a
    • Alan's avatar
      mkiss: fix scribble on freed memory · fde55c45
      Alan authored
      commit d79f16c0
      
       fixed a user triggerable
      scribble on free memory but added a new one which allows the user to
      scribble even more and user controlled data into freed space.
      
      As with 6pack we need to halt the queue before we free the buffers, because
      the transmit logic is not protected by the semaphore.
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fde55c45
    • Francesco Ruggeri's avatar
      net: possible use after free in dst_release · 07a5d384
      Francesco Ruggeri authored
      dst_release should not access dst->flags after decrementing
      __refcnt to 0. The dst_entry may be in dst_busy_list and
      dst_gc_task may dst_destroy it before dst_release gets a chance
      to access dst->flags.
      
      Fixes: d69bbf88 ("net: fix a race in dst_release()")
      Fixes: 27b75c95
      
       ("net: avoid RCU for NOCACHE dst")
      Signed-off-by: default avatarFrancesco Ruggeri <fruggeri@arista.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      07a5d384
  7. 05 Jan, 2016 8 commits
  8. 04 Jan, 2016 6 commits