af_packet can currently overwrite kernel memory by out of bound
accesses, because it assumed a [new] block can always hold one frame.
This is not generally the case, even if most existing tools do it right.
This patch clamps too long frames as API permits, and issue a one time
error on syslog.
[ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
In this example, packet header tp_snaplen was set to 3966,
and tp_len was set to 5042 (skb->len)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.")
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The LECS response contains the MTU that should be used. Correctly
synchronize with other layers when updating.
Signed-off-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull libata fixes from Tejun Heo:
"Nothing drastic but pushing out early due to build breakage in the new
tegra platform.
Additionally:
- M550 tagged trim blacklist pattern is widened so that it matches
the new 1TB model
- three controller specific fixes"
* 'for-3.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
libata: widen Crucial M550 blacklist matching
pata_scc: propagate return value of scc_wait_after_reset
ata: ahci_tegra: Change include to fix compilation
pata_samsung_cf: change ret type to signed
ahci_xgene: Removing NCQ support from the APM X-Gene SoC AHCI SATA Host Controller driver.
Pull HID fixes from Jiri Kosina:
- fixes for a couple potential memory corruption problems (the HW would
have to be manufactured to be deliberately evil to trigger those)
found by Ben Hawkes
- fix for potential infinite loop when using sysfs interface of
logitech driver, from Simon Wood
- a couple more simple driver fixes
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: fix a couple of off-by-ones
HID: logitech: perform bounds checking on device_id early enough
HID: logitech: fix bounds checking on LED report size
HID: logitech: Prevent possibility of infinite loop when using /sys interface
HID: rmi: print an error if F11 is not found instead of stopping the device
HID: hid-sensor-hub: use devm_ functions consistently
HID: huion: Use allocated buffer for DMA
HID: huion: Fail on parameter retrieval errors
A bunch of ASoC fixes with a few HD-audio fixes in this pull request.
All fairly small, boring and device-specific fixes, in addition to
MAINTAINERS update for better reviewing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABAgAGBQJT9b8uAAoJEGwxgFQ9KSmkOZUP/RmB+4/vscB3z+exCFldIG3R
gHOn4ER/JRWoObVVST3VabU5T5v88/gC2/12uYHFJQdDIwaMQytdVMDzhi6v8Uyf
MFh24DcHQ7dRsedCCrUeoy2DZ42G+HhPH+SRGinkFUZ0RJjnCgqvyYw1p6KZD29K
AuB07FbgmThqRVyoZoMh3K7zm8d/ZeZU59SkyGi2U8dhCfgZyrsYZ1jHd/fGuwq4
XgJIJvHWZoniFnnxoVW/r9wutbF5JSf/FbwRI7ptZT0Rj/u+PcgDPmrhYPINFkt2
IrIt/ZnGadKZuiK9p+aSSIUPWluVjyChCwskkWfKtg+5N4FOFed48HjZNw5TVsdc
deJjao7dtyqxugMcA2E6VkWqTprFRhRbauT0WU7KX54HBrnng3792YGLJqqqggCE
bAP5crrT1wMjk7qXPLouk0TvcXbSkCYQ53Ip+QITGNkLUiN0tj8cgbsfPjDU4GvH
T9tz0I5thLkKp4xP3xSEphQdaLdmG0zGiBcoOH/6jByUxvQdiQimo7a1YEuxtFN2
sIGbrpM8k9ypfJaOpqoh6FtHRL9Y41W1guY4TqUm+QZbLw9KQn1QRe9HQF5M6kU+
vsIoVR8UGTudaLG/AIg+YFEbSsTcTlCNHw1iXYxmqj5pP5J+N0N/aNIFYeObWkcO
8O9/WAwBUdH0cVdXoWze
=x5gm
-----END PGP SIGNATURE-----
Merge tag 'sound-3.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A bunch of ASoC fixes with a few HD-audio fixes in this pull request.
All fairly small, boring and device-specific fixes, in addition to
MAINTAINERS update for better reviewing"
* tag 'sound-3.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/hdmi - apply Valleyview fix-ups to Cherryview display codec
ALSA: hda/hdmi - set depop_delay for haswell plus
ALSA: hda - restore the gpio led after resume
ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co
ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE
ASoC: fsl-esai: Revert .xlate_tdm_slot_mask() support
ASoC: mcasp: Fix implicit BLCK divider setting
ASoC: arizona: Fix TDM slot length handling in arizona_hw_params
ASoC: pcm512x: Correct Digital Playback control names
ASoC: dapm: Fix uninitialized variable in snd_soc_dapm_get_enum_double()
ASoC: Intel: Restore Baytrail ADSP streams only when ADSP was in reset
ASoC: Intel: Wait Baytrail ADSP boot at resume_early stage
ASoC: Intel: Merge Baytrail ADSP suspend_noirq into suspend_late
MAINTAINERS: Add i.MX maintainers and paths to Freescale ASoC entry
ASoC: Intel: Update Baytrail ADSP firmware name
Pull i2c fixes from Wolfram Sang:
"Here is the fixup for the 'lowlight' of my last pull request. I2C is
not selected anymore by I2C_ACPI. Instead, the code in question now
depends on I2C=y.
Also, Mika has agreed to support me and be the maintainer for I2C-ACPI
related patches. Finally, a new-ID-patch came along last week"
* 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
MAINTAINERS: add maintainer for ACPI parts of I2C
i2c: i801: Add PCI ID for Intel Braswell
i2c: rework kernel config I2C_ACPI
There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.
We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().
Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
is wrong; the current check doesn't make any sense -- the report allocated
by HID core in hid_hw_raw_request() can be much larger than
DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
handle this properly at all.
Fix the check by actually trimming down the report size properly if it is
too large.
Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Once the CAN-bus is open and a packet is sent, the controller switches
into the PASSIVE state. Once the BUS is closed again it goes the back
err-warning. The TX error counter goes 0 -> 0x80 -> 0x7f.
This patch makes sure that the user learns about this state chang
(CAN_STATE_ERROR_WARNING => CAN_STATE_ERROR_PASSIVE)
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Matthias Klein <matthias.klein@optimeas.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
In case we don't have FLEXCAN_HAS_BROKEN_ERR_STATE and the user set
CAN_CTRLMODE_BERR_REPORTING once it can not be unset again until reboot.
So in case neither hardware nor user wants the error interrupt disable
the bit.
Signed-off-by: Alexander Stein <alexander.stein@systec-electronic.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
devm_ioremap() returns NULL on error, not an ERR_PTR().
Fixes: 33cf756569 ('can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v3.11
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
When sja1000 is not compiled as module the SJA1000 chip is only
initialized during device registration on kernel boot. Should the chip
get a hardware reset there is no way to reinitialize it without re-
booting the Linux kernel.
This patch adds a check in sja1000_start if the chip is initialized, if
not we initialize it.
Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Pull cifs fixes from Steve French:
"Most important fixes in this set include three SMB3 fixes for stable
(including fix for possible kernel oops), and a workaround to allow
writes to Mac servers (only cifs dialect, not more current SMB2.1,
worked to Mac servers). Also fallocate support added, and lease fix
from Jeff"
* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
[SMB3] Enable fallocate -z support for SMB3 mounts
enable fallocate punch hole ("fallocate -p") for SMB3
Incorrect error returned on setting file compressed on SMB2
CIFS: Fix wrong directory attributes after rename
CIFS: Fix SMB2 readdir error handling
[CIFS] Possible null ptr deref in SMB2_tcon
[CIFS] Workaround MacOS server problem with SMB2.1 write response
cifs: handle lease F_UNLCK requests properly
Cleanup sparse file support by creating worker function for it
Add sparse file support to SMB2/SMB3 mounts
Add missing definitions for CIFS File System Attributes
cifs: remove unused function cifs_oplock_break_wait
Pull filesystem fixes from Jan Kara:
"udf, isofs, and ext3 bug fixes"
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
ext3: Count internal journal as bsddf overhead in ext3_statfs
isofs: Fix unbounded recursion when processing relocated directories
udf: avoid unneeded up_write when fail to add entry in ->symlink
Pull x86 platform driver revert from Matthew Garrett:
"This clearly shouldn't have been merged. No excuse on my part"
* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
Revert "platform/x86/toshiba-apci.c possible bad if test?"
(one has a CVE), and fixing some problems introduced during the merge window
(the CMA bug came in via Andrew, the x86 ones via yours truly).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJT9IfLAAoJEBvWZb6bTYbyAG8P/2GLPast76I9Pc269UNACV0f
vNgJfSAH97PrEQtVzCurqb0RKHMKcZ5XyYmKh5TvzlbWYXnqJuJr5TrIh0gsuxn9
DaBKVgeXBTd43OCRXJKw6SgkKlnf+yfQeASLRwjQgVCqsvNR/rKksEPjAhVqQJIJ
PlRYKeBc7SA8bPUG64GDtF3yP9e/KG5ItGudj4eUADtadPmyldJbTWl0zLwY7jvJ
/qcSxRgwqUsIS0c8xE5rlByxuWQ43RF+MfohNttNUjXD/dhvJo07NpkPUS6TsqHf
x1VyWPuIY1zB/WghKutI8oZxS14iUs1l0LL9egS7fc4sYQqQ7+HHLaJnEMloTXqF
GYfwmnyz53ocR1M4dgCPyBi0uxM3ydRzbSnsToR2kzVdS3WKu5O8GfjkE2zooEaA
OP77OsSxtl5mLD68ZtubmLt8ttYCiWOEIOzviUSoJjPv0gUE07oAjecp7C8nKDCP
lUxM2JZ01SLSzRf3uSlrNfRpeyMWVmYhyiG3lqLmph9FfP7p4donbIdh/QA0W7Nj
E2GEEv3lCUZp7+TnOydsiWNVwv026dDanh5QLSuCvfCqf+xhNMJbrRzlbUpfGAsm
89XasETdOnAqIO9VOOBLAKE2wrMEx+9vT2G0Dv3e+3IedGwLuM7/53X4zXUIB8ys
L9C7kZwci9+X3qIExWJI
=lhLd
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull KVM fixes from Paolo Bonzini:
"Reverting a 3.16 patch, fixing two bugs in device assignment (one has
a CVE), and fixing some problems introduced during the merge window
(the CMA bug came in via Andrew, the x86 ones via yours truly)"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it
Revert "KVM: x86: Increase the number of fixed MTRR regs to 10"
KVM: x86: do not check CS.DPL against RPL during task switch
KVM: x86: Avoid emulating instructions on #UD mistakenly
PC, KVM, CMA: Fix regression caused by wrong get_order() use
kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)
These are the two bug fixes I mentioned in the final merge window pull. One
is a reversed logic check in the device busy tests which can cause a nasty
hang and another crash seen in the new SCSI pool support if the use count ever
goes to zero.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAABAgAGBQJT85zGAAoJEDeqqVYsXL0Mnw4IAJ7BP+4nUlP7Oib8JfPu4Df2
b6dv3YEGe6th4awrHqUnATusjQLIybk/rgRKb6P50o1iX2VI+rs1mAm9esw9NalS
8aKzDMAv9pTRsRvAhe3AnIVGGCYAekV4AZWmsXQPCKqcsQZSZKAnIerLBf0lBemR
X3+1VhYtbB9z4o0Gpv4E5mR/7CqIouDpe5QGRKRY2+/Yyp2El6Vzwqr9XMLyOvmY
Y9WaIhM1UzABl+NAlDhMnA0Yw27UHJfWY6UWZ3Wa73DQCWsdZ6eydal4g8YNA5pB
+6UjMQKWh/bXHZl8v+eCuuXODXZQGazKOFFoc6SGumxAcuLraCBFsuU5m4AQ0NA=
=v+g2
-----END PGP SIGNATURE-----
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"These are the two bug fixes I mentioned in the final merge window
pull. One is a reversed logic check in the device busy tests which
can cause a nasty hang and another crash seen in the new SCSI pool
support if the use count ever goes to zero"
[ The device busy test already got merged from a patch earlier, so is
now duplicated. ]
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
[SCSI] save command pool address of Scsi_Host
[SCSI] fix qemu boot hang problem
Recently the LE passive scanning and auto-connections feature was
introduced. It uses the hci_connect_le() API which returns a hci_conn
along with a reference count to that object. All previous users would
tie this returned reference to some existing object, such as an L2CAP
channel, and there'd be no leaked references this way. For
auto-connections however the reference was returned but not stored
anywhere, leaving established connections with one higher reference
count than they should have.
Instead of playing special tricks with hci_conn_hold/drop this patch
associates the returned reference from hci_connect_le() with the object
that in practice does own this reference, i.e. the hci_conn_params
struct that caused us to initiate a connection in the first place. Once
the connection is established or fails to establish this reference is
removed appropriately.
One extra thing needed is to call hci_pend_le_actions_clear() before
calling hci_conn_hash_flush() so that the reference is cleared before
the hci_conn objects are fully removed.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The journal blocks of external journal device should not
be counted as overhead.
Signed-off-by: Chin-Tsung Cheng <chintzung@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
For some reason, the audit patches didn't make it out of -next this
merge window, so revert our temporary hack and let the audit guys deal
with fixing up -next.
This reverts commit 2a8f45b040.
Signed-off-by: Will Deacon <will.deacon@arm.com>
This enables the netfilter NAT engine in first place, otherwise
you cannot ever select the nf_tables nat expression if iptables
is not selected.
Reported-by: Matteo Croce <technoboy85@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There's actually no good reason why we cannot use cgroup id 0,
so lets just remove this artificial barrier.
Reported-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Tested-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now that we support 48-bit physical addressing, update MAX_PHYSMEM_BITS
accordingly.
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ganapatrao Kulkarni <ganapatrao.kulkarni@caviumnetworks.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
UEFI provides its own method for marking regions to reserve, via the
memory map which is also used to initialise memblock. So when using the
UEFI memory map, ignore any memreserve entries present in the DT.
Reported-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Currently when run on an APM platform the ARMv8 defconfig has no viable
options for rootfs other than ramdisk which is rather limiting. Since
we already have both SATA and the bits needed for NFS root enabled we just
need to enable the relevant drivers so do that, helping enable direct
testing of upstream.
If the configuration ends up becoming too big we can consider modularising
some of the drivers and asking people to use an initramfs but for now this
is not an issue.
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
When booting via UEFI, the kernel Image is loaded at a 4 kB boundary and
the embedded EFI stub is executed in place. The EFI stub relocates the
Image to reside TEXT_OFFSET bytes above a 2 MB boundary, and jumps into
the kernel proper.
In AArch64, PC relative symbol references are emitted using adrp/add or
adrp/ldr pairs, where the offset into a 4 kB page is resolved using a
separate :lo12: relocation. This implicitly assumes that the code will
always be executed at the same relative offset with respect to a 4 kB
boundary, or the references will point to the wrong address.
This means we should link the kernel at a 4 kB aligned base address in
order to remain compatible with the base address the UEFI loader uses
when doing the initial load of Image. So update the code that generates
TEXT_OFFSET to choose a multiple of 4 kB.
At the same time, update the code so it chooses from the interval [0..2MB)
as the author originally intended.
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Vasily Averin says:
====================
cbq: incorrectly low bandwidth blocks limited traffic
v2: patch description changes
Fixes: f0f6ee1f70 ("cbq: incorrect processing of high limits")
Mainstream commit f0f6ee1f70 ("cbq: incorrect processing of high limits")
have side effect: if cbq bandwidth setting is less than real interface
throughput non-limited traffic can delay limited traffic for a very long time.
This happen because of q->now changes incorrectly in cbq_dequeue():
in described scenario L2T is much greater than real time delay,
and q->now gets an extra boost for each transmitted packet.
Accumulated boost prevents update q->now, and blocked class can wait
very long time until (q->now >= cl->undertime) will be true again.
More detailed problem description can be found here:
http://www.spinics.net/lists/netdev/msg292493.html
Following patches should fix the problem.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Now q->now_rt is identical to q->now and is not required anymore.
Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mainstream commit f0f6ee1f70 ("cbq: incorrect processing of high limits")
have side effect: if cbq bandwidth setting is less than real interface
throughput non-limited traffic can delay limited traffic for a very long time.
This happen because of q->now changes incorrectly in cbq_dequeue():
in described scenario L2T is much greater than real time delay,
and q->now gets an extra boost for each transmitted packet.
Accumulated boost prevents update q->now, and blocked class can wait
very long time until (q->now >= cl->undertime) will be true again.
To fix the problem the patch updates q->now on each cbq_update() call.
L2T-related pre-modification q->now was moved to cbq_update().
My testing confirmed that it fixes the problem and did not discover
any side-effects
Fixes: f0f6ee1f70 ("cbq: incorrect processing of high limits")
Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
The latest kernel fails to boot qemu arm images when using scsi
for disk access. Boot gets stuck after the following messages.
brd: module loaded
sym53c8xx 0000:00:0c.0: enabling device (0100 -> 0103)
sym0: <895a> rev 0x0 at pci 0000:00:0c.0 irq 93
sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
sym0: SCSI BUS has been reset.
scsi host0: sym-2.2.3
Bisect points to commit 71e75c97f9 ("scsi: convert device_busy to
atomic_t"). Code inspection shows the following suspicious change
in scsi_request_fn.
out_delay:
- if (sdev->device_busy == 0 && !scsi_device_blocked(sdev))
+ if (atomic_read(&sdev->device_busy) && !scsi_device_blocked(sdev))
blk_delay_queue(q, SCSI_QUEUE_DELAY);
}
'sdev->device_busy == 0' was replaced with 'atomic_read(&sdev->device_busy)',
meaning the logic was reversed. Changing this expression to
'!atomic_read(&sdev->device_busy)' fixes the problem.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Jens Axboe <axboe@fb.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Reviewed-by: Webb Scales <webbnh@hp.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch drops the userspace accessable sysfs entry for the maximum
datagram size of a 6LoWPAN fragment packet.
A fragment should not have a datagram size value greater than 1280 byte.
Instead of make this value configurable, we accept 1280 datagram size
fragment packets only.
Signed-off-by: Martin Townsend <martin.townsend@xsilon.com>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch changes the 1281 MTU to 1280. Others stack have only a 1280
byte array for uncompressed 6LoWPAN packets, this avoid that these
stacks have an overflow. Sending 1281 uncompressed 6LoWPAN packets isn't
also rfc complaint.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
If received frame contains the reserved destination address mode. The
frame should be dropped and free the skb.
Signed-off-by: Martin Townsend <martin.townsend@xsilon.com>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch correct the return value of lowpan_alloc_frag if an error
occur. Errno numbers should always be negative.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch fix a memory leak if received frame was not able to parse.
Signed-off-by: Martin Townsend <martin.townsend@xsilon.com>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
We did not check relocated directory in any way when processing Rock
Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
entry pointing to another CL entry leading to possibly unbounded
recursion in kernel code and thus stack overflow or deadlocks (if there
is a loop created from CL entries).
Fix the problem by not allowing CL entry to point to a directory entry
with CL entry (such use makes no good sense anyway) and by checking
whether CL entry doesn't point to itself.
CC: stable@vger.kernel.org
Reported-by: Chris Evans <cevans@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>
We have released the ->i_data_sem before invoking udf_add_entry(),
so in following error path, we should not release this lock again.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Mika has done great work in that field, so let people know.
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
The SMBus host controller is the same as used in Baytrail so add the new
PCI ID to the driver's list of supported IDs.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Commit da3c6647(I2C/ACPI: Clean up I2C ACPI code and Add CONFIG_I2C_ACPI
config) adds a new kernel config I2C_ACPI and make I2C core built in
when the config is selected. This is wrong because distributions
etc generally compile I2C as a module and the commit broken that.
This patch is to rename I2C_ACPI to ACPI_I2C_OPREGION. New config
only controls ACPI I2C operation region code and depends on I2C=y.
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
[wsa: removed unrelated change for Kconfig]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
- raid6 data corruption during recovery
- raid6 livelock
- raid10 memory leaks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIVAwUAU/L7ITnsnt1WYoG5AQLO7Q/+K5r4cJAqs2NwCKrzkMbRvnMnjEi/SnFk
aCyVs4v52Q3LhR8Vjj3sFqDsDcNp4OWdJcU6E23s2yPwODboF4PS3oh31yHZ0LJx
r3pkWm6aNm+6VS+oNCfmilnmUfV615hzDdgL8km0LId3/RZzFf9hfrTZT1SSVzIK
b8WZP+R8+OhofRp8Qt+98bz8C9M+GAAnLI1ku2sstoCvhExbytTXsr/B/n3pN/W5
lqLvMsFdydvtmQ66Ak28bFPZ7j2snw+pg5avKAxF5Nly8iNzmTSRWsLEgc9d7X52
9WKMlZcum8OamioM0qceggUMD58HsR3shNkdLUZNDcImKzSd2dGUsYOSqNGqGRqC
WDuz8SCQLvHULfJFIpDHkTVgYUnnCUzeDTy9LJlDJ3MI9Eln7eDYsx/klhA5cYNO
lPUMYQdNqBZASNxrlhg4i5rjrwZXZT4BLPwi794lgY31fpDnyGriEpjKfUCYUznG
KbJZNoZTayTLUYVrTV4WWPsiEbbjQcsdTK2Ez50Fiv3bG5OU04czlEs+9ZQb17Lk
HwgVzwSlGhLYv+NIngQI1C8Ga0DD0CViKyouypS3EStR7TKv3iWRRaxdKJhwsoFc
mjet/cyL8LlCx8Os7fJL12SQYe/UOCejib0nDvek+qs0D8yrjiwONov+YbHG39Yw
/R3m50gHbcU=
=Pi8y
-----END PGP SIGNATURE-----
Merge tag 'md/3.17-fixes' of git://neil.brown.name/md
Pull md bugfixes from Neil Brown:
"Here are the bug-fixes I promised :-)
Funny how you start looking for one and other start appearing.
- raid6 data corruption during recovery
- raid6 livelock
- raid10 memory leaks"
* tag 'md/3.17-fixes' of git://neil.brown.name/md:
md/raid10: always initialise ->state on newly allocated r10_bio
md/raid10: avoid memory leak on error path during reshape.
md/raid10: Fix memory leak when raid10 reshape completes.
md/raid10: fix memory leak when reshaping a RAID10.
md/raid6: avoid data corruption during recovery of double-degraded RAID6
md/raid5: avoid livelock caused by non-aligned writes.
Eric Dumazet
Dariusz Marcinkiewicz
chas williams - CONTRACTOR
Linus Torvalds
Jiri Kosina
Sebastian Andrzej Siewior
Alexander Stein
Dan Carpenter
Mirza Krak
Michal Simek
Johan Hedberg
Matthew Garrett
Chin-Tsung Cheng
Will Deacon
Pablo Neira Ayuso
Daniel Borkmann
Ganapatrao Kulkarni
Leif Lindholm
Mark Brown
Ard Biesheuvel
David S. Miller
Vasily Averin
Guenter Roeck
Martin Townsend
Alexander Aring
Jan Kara
Chao Yu
Wolfram Sang
Alan Cox
Lan Tianyu