Searched hist:1797 (Results 26 - 38 of 38) sorted by relevance
/linux-master/drivers/platform/x86/ | ||
H A D | asus-wmi.c | diff 1797d588 Wed Sep 16 08:14:39 MDT 2020 Hans de Goede <hdegoede@redhat.com> platform/x86: asus-wmi: Fix SW_TABLET_MODE always reporting 1 on many different models Commit b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for SW_TABLET_MODE") added support for reporting SW_TABLET_MODE using the Asus 0x00120063 WMI-device-id to see if various transformer models were docked into their keyboard-dock (SW_TABLET_MODE=0) or if they were being used as a tablet. The new SW_TABLET_MODE support (naively?) assumed that non Transformer devices would either not support the 0x00120063 WMI-device-id at all, or would NOT set ASUS_WMI_DSTS_PRESENCE_BIT in their reply when querying the device-id. Unfortunately this is not true and we have received many bug reports about this change causing the asus-wmi driver to always report SW_TABLET_MODE=1 on non Transformer devices. This causes libinput to think that these are 360 degree hinges style 2-in-1s folded into tablet-mode. Making libinput suppress keyboard and touchpad events from the builtin keyboard and touchpad. So effectively this causes the keyboard and touchpad to not work on many non Transformer Asus models. This commit fixes this by using the existing DMI based quirk mechanism in asus-nb-wmi.c to allow using the 0x00120063 device-id for reporting SW_TABLET_MODE on Transformer models and ignoring it on all other models. Fixes: b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for SW_TABLET_MODE") Link: https://patchwork.kernel.org/patch/11780901/ BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209011 BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1876997 Reported-by: Samuel Čavoj <samuel@cavoj.net> Signed-off-by: Hans de Goede <hdegoede@redhat.com> |
/linux-master/drivers/s390/net/ | ||
H A D | qeth_l3_main.c | diff 91b1c1aa Sat Apr 20 18:09:34 MDT 2013 Patrick McHardy <kaber@trash.net> qeth: fix VLAN related compilation errors drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_add_vlan_mc': >> drivers/s390/net/qeth_l3_main.c:1662:3: error: too few arguments to function '__vlan_find_dev_deep' include/linux/if_vlan.h:88:27: note: declared here drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_add_vlan_mc6': >> drivers/s390/net/qeth_l3_main.c:1723:3: error: too few arguments to function '__vlan_find_dev_deep' include/linux/if_vlan.h:88:27: note: declared here drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_free_vlan_addresses4': >> drivers/s390/net/qeth_l3_main.c:1767:2: error: too few arguments to function '__vlan_find_dev_deep' include/linux/if_vlan.h:88:27: note: declared here drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_free_vlan_addresses6': >> drivers/s390/net/qeth_l3_main.c:1797:2: error: too few arguments to function '__vlan_find_dev_deep' include/linux/if_vlan.h:88:27: note: declared here drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_process_inbound_buffer': >> drivers/s390/net/qeth_l3_main.c:1980:6: error: too few arguments to function '__vlan_hwaccel_put_tag' include/linux/if_vlan.h:234:31: note: declared here drivers/s390/net/qeth_l3_main.c: In function 'qeth_l3_verify_vlan_dev': >> drivers/s390/net/qeth_l3_main.c:2089:3: error: too few arguments to function '__vlan_find_dev_deep' include/linux/if_vlan.h:88:27: note: declared here Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
/linux-master/include/net/ | ||
H A D | devlink.h | diff 1797f5b3 Thu Aug 31 09:59:12 MDT 2017 Arkadi Sharshevsky <arkadis@mellanox.com> devlink: Add IPv6 header for dpipe This will be used by the IPv6 host table which will be introduced in the following patches. The fields in the header are added per-use. This header is global and can be reused by many drivers. Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
/linux-master/drivers/gpu/drm/amd/amdgpu/ | ||
H A D | gfx_v10_0.c | diff 1797ec7f Tue Nov 26 04:36:29 MST 2019 Monk Liu <Monk.Liu@amd.com> drm/amdgpu: skip rlc ucode loading for SRIOV gfx10 Signed-off-by: Monk Liu <Monk.Liu@amd.com> Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
/linux-master/arch/mips/kernel/ | ||
H A D | traps.c | diff 5c200197 Thu Nov 10 10:59:45 MST 2011 Maksim Rayskiy <maksim.rayskiy@gmail.com> MIPS: ASID conflict after CPU hotplug I am running SMP Linux 2.6.37-rc1 on BMIPS5000 (single core dual thread) and observe some abnormalities when doing system suspend/resume which I narrowed down to cpu hotplugging. The suspend brings the second thread processor down and then restarts it, after which I see memory corruption in userspace. I started digging and found out that problem occurs because while doing execve() the child process is getting the same ASID as the parent, which obviously corrupts parent's address space. Further digging showed that activate_mm() calls get_new_mmu_context() to get a new ASID, but at this time ASID field in entryHi is 1, and asid_cache(cpu) is 0x100 (it was just reset to ASID_FIRST_VERSION when the secondary TP was booting). So, get_new_mmu_context() increments the asid_cache(cpu) value to 0x101, and thus puts 0x01 into entryHi. The result - ASID field does not get changed as it was supposed to. My solution is very simple - do not reset asid_cache(cpu) on TP warm restart. Patchwork: https://patchwork.linux-mips.org/patch/1797/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org> |
/linux-master/net/netfilter/ | ||
H A D | nf_conntrack_core.c | diff e37542ba Wed Oct 09 10:19:13 MDT 2019 Eric Dumazet <edumazet@google.com> netfilter: conntrack: avoid possible false sharing As hinted by KCSAN, we need at least one READ_ONCE() to prevent a compiler optimization. More details on : https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance sysbot report : BUG: KCSAN: data-race in __nf_ct_refresh_acct / __nf_ct_refresh_acct read to 0xffff888123eb4f08 of 4 bytes by interrupt on cpu 0: __nf_ct_refresh_acct+0xd4/0x1b0 net/netfilter/nf_conntrack_core.c:1796 nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline] nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline] nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727 ipv4_conntrack_in+0x27/0x40 net/netfilter/nf_conntrack_proto.c:178 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] nf_hook_slow+0x83/0x160 net/netfilter/core.c:512 nf_hook include/linux/netfilter.h:260 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] ip_rcv+0x12f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118 netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208 napi_skb_finish net/core/dev.c:5671 [inline] napi_gro_receive+0x28f/0x330 net/core/dev.c:5704 receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061 virtnet_receive drivers/net/virtio_net.c:1323 [inline] virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428 napi_poll net/core/dev.c:6352 [inline] net_rx_action+0x3ae/0xa50 net/core/dev.c:6418 __do_softirq+0x115/0x33f kernel/softirq.c:292 write to 0xffff888123eb4f08 of 4 bytes by task 7191 on cpu 1: __nf_ct_refresh_acct+0xfb/0x1b0 net/netfilter/nf_conntrack_core.c:1797 nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline] nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline] nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727 ipv4_conntrack_local+0xbe/0x130 net/netfilter/nf_conntrack_proto.c:200 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] nf_hook_slow+0x83/0x160 net/netfilter/core.c:512 nf_hook include/linux/netfilter.h:260 [inline] __ip_local_out+0x1f7/0x2b0 net/ipv4/ip_output.c:114 ip_local_out+0x31/0x90 net/ipv4/ip_output.c:123 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 ip_queue_xmit+0x45/0x60 include/net/ip.h:236 __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158 __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685 tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691 tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 7191 Comm: syz-fuzzer Not tainted 5.3.0+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: cc16921351d8 ("netfilter: conntrack: avoid same-timeout update") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: Jozsef Kadlecsik <kadlec@netfilter.org> Cc: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> |
/linux-master/drivers/infiniband/core/ | ||
H A D | cma.c | diff 889d916b Mon May 10 23:48:28 MDT 2021 Shay Drory <shayd@nvidia.com> RDMA/core: Don't access cm_id after its destruction restrack should only be attached to a cm_id while the ID has a valid device pointer. It is set up when the device is first loaded, but not cleared when the device is removed. There is also two copies of the device pointer, one private and one in the public API, and these were left out of sync. Make everything go to NULL together and manipulate restrack right around the device assignments. Found by syzcaller: BUG: KASAN: wild-memory-access in __list_del include/linux/list.h:112 [inline] BUG: KASAN: wild-memory-access in __list_del_entry include/linux/list.h:135 [inline] BUG: KASAN: wild-memory-access in list_del include/linux/list.h:146 [inline] BUG: KASAN: wild-memory-access in cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] BUG: KASAN: wild-memory-access in cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] BUG: KASAN: wild-memory-access in cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 Write of size 8 at addr dead000000000108 by task syz-executor716/334 CPU: 0 PID: 334 Comm: syz-executor716 Not tainted 5.11.0+ #271 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xbe/0xf9 lib/dump_stack.c:120 __kasan_report mm/kasan/report.c:400 [inline] kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413 __list_del include/linux/list.h:112 [inline] __list_del_entry include/linux/list.h:135 [inline] list_del include/linux/list.h:146 [inline] cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 _destroy_id+0x29/0x460 drivers/infiniband/core/cma.c:1862 ucma_close_id+0x36/0x50 drivers/infiniband/core/ucma.c:185 ucma_destroy_private_ctx+0x58d/0x5b0 drivers/infiniband/core/ucma.c:576 ucma_close+0x91/0xd0 drivers/infiniband/core/ucma.c:1797 __fput+0x169/0x540 fs/file_table.c:280 task_work_run+0xb7/0x100 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0x7da/0x17f0 kernel/exit.c:825 do_group_exit+0x9e/0x190 kernel/exit.c:922 __do_sys_exit_group kernel/exit.c:933 [inline] __se_sys_exit_group kernel/exit.c:931 [inline] __x64_sys_exit_group+0x2d/0x30 kernel/exit.c:931 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 255d0c14b375 ("RDMA/cma: rdma_bind_addr() leaks a cma_dev reference count") Link: https://lore.kernel.org/r/3352ee288fe34f2b44220457a29bfc0548686363.1620711734.git.leonro@nvidia.com Signed-off-by: Shay Drory <shayd@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> |
/linux-master/net/mac80211/ | ||
H A D | tx.c | diff fe80123d Fri Jan 25 07:14:33 MST 2013 Arnd Bergmann <arnd@arndb.de> mac80211: avoid a build warning gcc cannot prove that the value of sdata->vif.type does not change between the switch() statement and the second comparison to NL80211_IFTYPE_AP, causing a harmless warning. Slightly reordering the code makes the warning go away with no functional change. Without this patch, building ARM at91sam9g45_defconfig with gcc-4.6 results in: net/mac80211/tx.c: In function 'ieee80211_subif_start_xmit': net/mac80211/tx.c:1797:22: warning: 'chanctx_conf' may be used uninitialized in this function [-Wuninitialized] Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: "John W. Linville" <linville@tuxdriver.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
/linux-master/net/bluetooth/ | ||
H A D | l2cap_core.c | diff 98d2c3e1 Tue Dec 08 10:29:12 MST 2020 Bastien Nocera <hadess@hadess.net> Bluetooth: L2CAP: Try harder to accept device not knowing options The current implementation of L2CAP options negotiation will continue the negotiation when a device responds with L2CAP_CONF_UNACCEPT ("unaccepted options"), but not when the device replies with L2CAP_CONF_UNKNOWN ("unknown options"). Trying to continue the negotiation without ERTM support will allow Bluetooth-capable XBox One controllers (notably models 1708 and 1797) to connect. btmon before patch: > ACL Data RX: Handle 256 flags 0x02 dlen 16 #64 [hci0] 59.182702 L2CAP: Connection Response (0x03) ident 2 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000) < ACL Data TX: Handle 256 flags 0x00 dlen 23 #65 [hci0] 59.182744 L2CAP: Configure Request (0x04) ident 3 len 15 Destination CID: 64 Flags: 0x0000 Option: Retransmission and Flow Control (0x04) [mandatory] Mode: Basic (0x00) TX window size: 0 Max transmit: 0 Retransmission timeout: 0 Monitor timeout: 0 Maximum PDU size: 0 > ACL Data RX: Handle 256 flags 0x02 dlen 16 #66 [hci0] 59.183948 L2CAP: Configure Request (0x04) ident 1 len 8 Destination CID: 64 Flags: 0x0000 Option: Maximum Transmission Unit (0x01) [mandatory] MTU: 1480 < ACL Data TX: Handle 256 flags 0x00 dlen 18 #67 [hci0] 59.183994 L2CAP: Configure Response (0x05) ident 1 len 10 Source CID: 64 Flags: 0x0000 Result: Success (0x0000) Option: Maximum Transmission Unit (0x01) [mandatory] MTU: 1480 > ACL Data RX: Handle 256 flags 0x02 dlen 15 #69 [hci0] 59.187676 L2CAP: Configure Response (0x05) ident 3 len 7 Source CID: 64 Flags: 0x0000 Result: Failure - unknown options (0x0003) 04 . < ACL Data TX: Handle 256 flags 0x00 dlen 12 #70 [hci0] 59.187722 L2CAP: Disconnection Request (0x06) ident 4 len 4 Destination CID: 64 Source CID: 64 > ACL Data RX: Handle 256 flags 0x02 dlen 12 #73 [hci0] 59.192714 L2CAP: Disconnection Response (0x07) ident 4 len 4 Destination CID: 64 Source CID: 64 btmon after patch: > ACL Data RX: Handle 256 flags 0x02 dlen 16 #248 [hci0] 103.502970 L2CAP: Connection Response (0x03) ident 5 len 8 Destination CID: 65 Source CID: 65 Result: Connection pending (0x0001) Status: No further information available (0x0000) > ACL Data RX: Handle 256 flags 0x02 dlen 16 #249 [hci0] 103.504184 L2CAP: Connection Response (0x03) ident 5 len 8 Destination CID: 65 Source CID: 65 Result: Connection successful (0x0000) Status: No further information available (0x0000) < ACL Data TX: Handle 256 flags 0x00 dlen 23 #250 [hci0] 103.504398 L2CAP: Configure Request (0x04) ident 6 len 15 Destination CID: 65 Flags: 0x0000 Option: Retransmission and Flow Control (0x04) [mandatory] Mode: Basic (0x00) TX window size: 0 Max transmit: 0 Retransmission timeout: 0 Monitor timeout: 0 Maximum PDU size: 0 > ACL Data RX: Handle 256 flags 0x02 dlen 16 #251 [hci0] 103.505472 L2CAP: Configure Request (0x04) ident 3 len 8 Destination CID: 65 Flags: 0x0000 Option: Maximum Transmission Unit (0x01) [mandatory] MTU: 1480 < ACL Data TX: Handle 256 flags 0x00 dlen 18 #252 [hci0] 103.505689 L2CAP: Configure Response (0x05) ident 3 len 10 Source CID: 65 Flags: 0x0000 Result: Success (0x0000) Option: Maximum Transmission Unit (0x01) [mandatory] MTU: 1480 > ACL Data RX: Handle 256 flags 0x02 dlen 15 #254 [hci0] 103.509165 L2CAP: Configure Response (0x05) ident 6 len 7 Source CID: 65 Flags: 0x0000 Result: Failure - unknown options (0x0003) 04 . < ACL Data TX: Handle 256 flags 0x00 dlen 12 #255 [hci0] 103.509426 L2CAP: Configure Request (0x04) ident 7 len 4 Destination CID: 65 Flags: 0x0000 < ACL Data TX: Handle 256 flags 0x00 dlen 12 #257 [hci0] 103.511870 L2CAP: Connection Request (0x02) ident 8 len 4 PSM: 1 (0x0001) Source CID: 66 > ACL Data RX: Handle 256 flags 0x02 dlen 14 #259 [hci0] 103.514121 L2CAP: Configure Response (0x05) ident 7 len 6 Source CID: 65 Flags: 0x0000 Result: Success (0x0000) Signed-off-by: Florian Dollinger <dollinger.florian@gmx.de> Co-developed-by: Florian Dollinger <dollinger.florian@gmx.de> Reviewed-by: Luiz Augusto Von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> |
/linux-master/net/core/ | ||
H A D | skbuff.c | diff ff907a11 Thu Jul 19 17:04:38 MDT 2018 Eric Dumazet <edumazet@google.com> net: skb_segment() should not return NULL syzbot caught a NULL deref [1], caused by skb_segment() skb_segment() has many "goto err;" that assume the @err variable contains -ENOMEM. A successful call to __skb_linearize() should not clear @err, otherwise a subsequent memory allocation error could return NULL. While we are at it, we might use -EINVAL instead of -ENOMEM when MAX_SKB_FRAGS limit is reached. [1] kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN CPU: 0 PID: 13285 Comm: syz-executor3 Not tainted 4.18.0-rc4+ #146 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:tcp_gso_segment+0x3dc/0x1780 net/ipv4/tcp_offload.c:106 Code: f0 ff ff 0f 87 1c fd ff ff e8 00 88 0b fb 48 8b 75 d0 48 b9 00 00 00 00 00 fc ff df 48 8d be 90 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 8d 86 94 00 00 00 48 89 c6 83 e0 07 48 c1 ee 03 0f RSP: 0018:ffff88019b7fd060 EFLAGS: 00010206 RAX: 0000000000000012 RBX: 0000000000000020 RCX: dffffc0000000000 RDX: 0000000000040000 RSI: 0000000000000000 RDI: 0000000000000090 RBP: ffff88019b7fd0f0 R08: ffff88019510e0c0 R09: ffffed003b5c46d6 R10: ffffed003b5c46d6 R11: ffff8801dae236b3 R12: 0000000000000001 R13: ffff8801d6c581f4 R14: 0000000000000000 R15: ffff8801d6c58128 FS: 00007fcae64d6700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e8664 CR3: 00000001b669b000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tcp4_gso_segment+0x1c3/0x440 net/ipv4/tcp_offload.c:54 inet_gso_segment+0x64e/0x12d0 net/ipv4/af_inet.c:1342 inet_gso_segment+0x64e/0x12d0 net/ipv4/af_inet.c:1342 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 __skb_gso_segment+0x3c3/0x880 net/core/dev.c:2865 skb_gso_segment include/linux/netdevice.h:4099 [inline] validate_xmit_skb+0x640/0xf30 net/core/dev.c:3104 __dev_queue_xmit+0xc14/0x3910 net/core/dev.c:3561 dev_queue_xmit+0x17/0x20 net/core/dev.c:3602 neigh_hh_output include/net/neighbour.h:473 [inline] neigh_output include/net/neighbour.h:481 [inline] ip_finish_output2+0x1063/0x1860 net/ipv4/ip_output.c:229 ip_finish_output+0x841/0xfa0 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:276 [inline] ip_output+0x223/0x880 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124 iptunnel_xmit+0x567/0x850 net/ipv4/ip_tunnel_core.c:91 ip_tunnel_xmit+0x1598/0x3af1 net/ipv4/ip_tunnel.c:778 ipip_tunnel_xmit+0x264/0x2c0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4148 [inline] netdev_start_xmit include/linux/netdevice.h:4157 [inline] xmit_one net/core/dev.c:3034 [inline] dev_hard_start_xmit+0x26c/0xc30 net/core/dev.c:3050 __dev_queue_xmit+0x29ef/0x3910 net/core/dev.c:3569 dev_queue_xmit+0x17/0x20 net/core/dev.c:3602 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1403 neigh_output include/net/neighbour.h:483 [inline] ip_finish_output2+0xa67/0x1860 net/ipv4/ip_output.c:229 ip_finish_output+0x841/0xfa0 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:276 [inline] ip_output+0x223/0x880 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124 ip_queue_xmit+0x9df/0x1f80 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1bf9/0x3f10 net/ipv4/tcp_output.c:1168 tcp_write_xmit+0x1641/0x5c20 net/ipv4/tcp_output.c:2363 __tcp_push_pending_frames+0xb2/0x290 net/ipv4/tcp_output.c:2536 tcp_push+0x638/0x8c0 net/ipv4/tcp.c:735 tcp_sendmsg_locked+0x2ec5/0x3f00 net/ipv4/tcp.c:1410 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1447 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:641 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:651 __sys_sendto+0x3d7/0x670 net/socket.c:1797 __do_sys_sendto net/socket.c:1809 [inline] __se_sys_sendto net/socket.c:1805 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1805 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455ab9 Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fcae64d5c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fcae64d66d4 RCX: 0000000000455ab9 RDX: 0000000000000001 RSI: 0000000020000200 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000004c1145 R14: 00000000004d1818 R15: 0000000000000006 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) Fixes: ddff00d42043 ("net: Move skb_has_shared_frag check out of GRE code and into segmentation") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Alexander Duyck <alexander.h.duyck@intel.com> Reported-by: syzbot <syzkaller@googlegroups.com> Acked-by: Alexander Duyck <alexander.h.duyck@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
/linux-master/arch/x86/include/asm/ | ||
H A D | kvm_host.h | diff 0b79459b Wed Feb 20 15:48:10 MST 2013 Andy Honig <ahonig@google.com> KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> |
/linux-master/drivers/gpu/drm/i915/ | ||
H A D | i915_debugfs.c | diff b6ae3c7c Thu Feb 13 12:51:33 MST 2014 Paulo Zanoni <paulo.r.zanoni@intel.com> drm/i915: don't reference null pointer at i915_sink_crc Reproducible by runtime suspending a Haswell machine with eDP + HDMI outputs connected. [ 209.600086] [drm:i915_runtime_suspend], Suspending device [ 209.688435] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060 [ 209.688500] IP: [<ffffffffa0109d4e>] i915_sink_crc+0x6e/0xf0 [i915] [ 209.688577] PGD 36aba067 PUD 35d7f067 PMD 0 [ 209.688613] Oops: 0000 [#1] SMP [ 209.688641] Modules linked in: fuse ip6table_filter ip6_tables ebtable_nat ebtables iTCO_wdt iTCO_vendor_support x86_pkg_temp_thermal coretemp microcode serio_raw e1000e pcspkr i2c_i801 ptp mei_me mei lpc_ich mfd_core pps_core dm_crypt i915 i2c_algo_bit crc32_pclmul drm_kms_helper crc32c_intel drm ghash_clmulni_intel video [ 209.688893] CPU: 1 PID: 1797 Comm: pm_pc8 Not tainted 3.13.0+ #118 [ 209.688937] Hardware name: Intel Corporation Shark Bay Client platform/WhiteTip Mountain 1, BIOS HSWLPTU1.86C.0133.R00.1309172123 09/17/2013 [ 209.689023] task: ffff88007fb4b690 ti: ffff88007d9d2000 task.ti: ffff88007d9d2000 [ 209.689074] RIP: 0010:[<ffffffffa0109d4e>] [<ffffffffa0109d4e>] i915_sink_crc+0x6e/0xf0 [i915] [ 209.689169] RSP: 0018:ffff88007d9d3e68 EFLAGS: 00010246 [ 209.689205] RAX: 0000000000000000 RBX: ffff880036a03478 RCX: ffff8800366c9770 [ 209.689252] RDX: ffff88014325cf38 RSI: ffff88007fb4bd08 RDI: ffff88007fb4b690 [ 209.689299] RBP: ffff88007d9d3e98 R08: 0000000000000000 R09: 0000000000000000 [ 209.689346] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8800366c9148 [ 209.689393] R13: 00000000ffffffed R14: ffff88007d9d3f50 R15: ffff880036a03478 [ 209.689441] FS: 00007f5a74bc29c0(0000) GS:ffff88014f240000(0000) knlGS:0000000000000000 [ 209.689494] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 209.689533] CR2: 0000000000000060 CR3: 0000000079d7e000 CR4: 00000000001407e0 [ 209.689580] Stack: [ 209.689594] 0000000000001000 ffff880146083980 ffff880146083980 0000000000000000 [ 209.689649] ffff880146083980 0000000000000001 ffff88007d9d3f00 ffffffff811d0744 [ 209.689702] 0000000000000046 00007fff7949fe20 ffff880036a034b8 0000000000000080 [ 209.689756] Call Trace: [ 209.689778] [<ffffffff811d0744>] seq_read+0x164/0x3e0 [ 209.689816] [<ffffffff811ab165>] vfs_read+0x95/0x160 [ 209.689851] [<ffffffff811abc79>] SyS_read+0x49/0xa0 [ 209.689888] [<ffffffff810ef64c>] ? __audit_syscall_entry+0x9c/0xf0 [ 209.689933] [<ffffffff81659412>] system_call_fastpath+0x16/0x1b Testcase: igt/pm_pc8 (do a full run, it will fail at the debugfs-read subtest) Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com> [danvet: Flip around NULL check for robustness.] Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> |
/linux-master/arch/x86/kvm/ | ||
H A D | x86.c | diff 0b79459b Wed Feb 20 15:48:10 MST 2013 Andy Honig <ahonig@google.com> KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> |
Completed in 2277 milliseconds