<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net, branch v3.0.13</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net?h=v3.0.13</id>
<link rel='self' href='https://git.amat.us/linux/atom/net?h=v3.0.13'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2011-12-09T16:52:45Z</updated>
<entry>
<title>cfg80211: amend regulatory NULL dereference fix</title>
<updated>2011-12-09T16:52:45Z</updated>
<author>
<name>Luis R. Rodriguez</name>
<email>mcgrof@qca.qualcomm.com</email>
</author>
<published>2011-11-28T21:47:16Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7e06614ab127e8c9de4af2e8f9d66953d3e68297'/>
<id>urn:sha1:7e06614ab127e8c9de4af2e8f9d66953d3e68297</id>
<content type='text'>
commit 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 upstream.

Johannes' patch for "cfg80211: fix regulatory NULL dereference"
broke user regulaotry hints and it did not address the fact that
last_request was left populated even if the previous regulatory
hint was stale due to the wiphy disappearing.

Fix user reguluatory hints by only bailing out if for those
regulatory hints where a request_wiphy is expected. The stale last_request
considerations are addressed through the previous fixes on last_request
where we reset the last_request to a static world regdom request upon
reset_regdomains(). In this case though we further enhance the effect
by simply restoring reguluatory settings completely.

Cc: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luis R. Rodriguez &lt;mcgrof@qca.qualcomm.com&gt;
Reviewed-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>cfg80211: fix race on init and driver registration</title>
<updated>2011-12-09T16:52:45Z</updated>
<author>
<name>Luis R. Rodriguez</name>
<email>mcgrof@qca.qualcomm.com</email>
</author>
<published>2011-11-28T21:47:15Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3ed26be17352133a2dadbc4212a5d23b403b0980'/>
<id>urn:sha1:3ed26be17352133a2dadbc4212a5d23b403b0980</id>
<content type='text'>
commit a042994dd377d86bff9446ee76151ceb6267c9ba upstream.

There is a theoretical race that if hit will trigger
a crash. The race is between when we issue the first
regulatory hint, regulatory_hint_core(), gets processed
by the workqueue and between when the first device
gets registered to the wireless core. This is not easy
to reproduce but it was easy to do so through the
regulatory simulator I have been working on. This
is a port of the fix I implemented there [1].

[1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8

Cc: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luis R. Rodriguez &lt;mcgrof@qca.qualcomm.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>mac80211: fix race between the AGG SM and the Tx data path</title>
<updated>2011-12-09T16:52:33Z</updated>
<author>
<name>Emmanuel Grumbach</name>
<email>emmanuel.grumbach@intel.com</email>
</author>
<published>2011-11-27T13:29:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=20f8d725863ca926a199cab1bc5cf31f8bf53cb0'/>
<id>urn:sha1:20f8d725863ca926a199cab1bc5cf31f8bf53cb0</id>
<content type='text'>
commit 2a1e0fd175dcfd72096ba9291d31e3b1b5342e60 upstream.

When a packet is supposed to sent be as an a-MPDU, mac80211 sets
IEEE80211_TX_CTL_AMPDU to let the driver know. On the other
hand, mac80211 configures the driver for aggregration with the
ampdu_action callback.
There is race between these two mechanisms since the following
scenario can occur when the BA agreement is torn down:

Tx softIRQ	 			drv configuration
==========				=================

check OPERATIONAL bit
Set the TX_CTL_AMPDU bit in the packet

					clear OPERATIONAL bit
					stop Tx AGG
Pass Tx packet to the driver.

In that case the driver would get a packet with TX_CTL_AMPDU set
although it has already been notified that the BA session has been
torn down.

To fix this, we need to synchronize all the Qdisc activity after we
cleared the OPERATIONAL bit. After that step, all the following
packets will be buffered until the driver reports it is ready to get
new packets for this RA / TID. This buffering allows not to run into
another race that would send packets with TX_CTL_AMPDU unset while
the driver hasn't been requested to tear down the BA session yet.

This race occurs in practice and iwlwifi complains with a WARN_ON
when it happens.

Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Reviewed-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>mac80211: don't stop a single aggregation session twice</title>
<updated>2011-12-09T16:52:33Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2011-11-24T19:06:14Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=64a1b241dd84ed6b12b62bbb67b380609bdd50b2'/>
<id>urn:sha1:64a1b241dd84ed6b12b62bbb67b380609bdd50b2</id>
<content type='text'>
commit 24f50a9d165745fd0701c6e089d35f58a229ea69 upstream.

Nikolay noticed (by code review) that mac80211 can
attempt to stop an aggregation session while it is
already being stopped. So to fix it, check whether
stop is already being done and bail out if so.

Also move setting the STOPPING state into the lock
so things are properly atomic.

Reported-by: Nikolay Martynov &lt;mar.kolya@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>cfg80211: fix regulatory NULL dereference</title>
<updated>2011-12-09T16:52:32Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2011-11-21T09:44:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6cb4e0db2f318c0730f31622fc5812a19e7ff379'/>
<id>urn:sha1:6cb4e0db2f318c0730f31622fc5812a19e7ff379</id>
<content type='text'>
commit de3584bd62d87b4c250129fbc46ca52c80330add upstream.

By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez &lt;lrodriguez@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>nl80211: fix MAC address validation</title>
<updated>2011-12-09T16:52:31Z</updated>
<author>
<name>Eliad Peller</name>
<email>eliad@wizery.com</email>
</author>
<published>2011-11-24T16:13:56Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e30922bd0c3d24c27f457a64997ed4a47161621e'/>
<id>urn:sha1:e30922bd0c3d24c27f457a64997ed4a47161621e</id>
<content type='text'>
commit e007b857e88097c96c45620bf3b04a4e309053d1 upstream.

MAC addresses have a fixed length. The current
policy allows passing &lt; ETH_ALEN bytes, which
might result in reading beyond the buffer.

Signed-off-by: Eliad Peller &lt;eliad@wizery.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared</title>
<updated>2011-12-09T16:52:27Z</updated>
<author>
<name>Trond Myklebust</name>
<email>Trond.Myklebust@netapp.com</email>
</author>
<published>2011-11-22T12:44:28Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=421f55945fb8515c6f322d20e9b0a2d390235e05'/>
<id>urn:sha1:421f55945fb8515c6f322d20e9b0a2d390235e05</id>
<content type='text'>
commit 24ca9a847791fd53d9b217330b15f3c285827a18 upstream.

By returning '0' instead of 'EAGAIN' when the tests in xs_nospace() fail
to find evidence of socket congestion, we are making the RPC engine believe
that the message was incorrectly sent and so it disconnects the socket
instead of just retrying.

The bug appears to have been introduced by commit
5e3771ce2d6a69e10fcc870cdf226d121d868491 (SUNRPC: Ensure that xs_nospace
return values are propagated).

Reported-by: Andrew Cooper &lt;andrew.cooper3@citrix.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Tested-by: Andrew Cooper &lt;andrew.cooper3@citrix.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>ip6_tunnel: copy parms.name after register_netdevice</title>
<updated>2011-11-26T17:09:55Z</updated>
<author>
<name>Josh Boyer</name>
<email>jwboyer@redhat.com</email>
</author>
<published>2011-11-10T15:10:23Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d11d8cff78f91d5b956975b5c9e4c271e15f864e'/>
<id>urn:sha1:d11d8cff78f91d5b956975b5c9e4c271e15f864e</id>
<content type='text'>
commit 731abb9cb27aef6013ce60808a04e04a545f3f4e upstream.

Commit 1c5cae815d removed an explicit call to dev_alloc_name in ip6_tnl_create
because register_netdevice will now create a valid name.  This works for the
net_device itself.

However the tunnel keeps a copy of the name in the parms structure for the
ip6_tnl associated with the tunnel.  parms.name is set by copying the net_device
name in ip6_tnl_dev_init_gen.  That function is called from ip6_tnl_dev_init in
ip6_tnl_create, but it is done before register_netdevice is called so the name
is set to a bogus value in the parms.name structure.

This shows up if you do a simple tunnel add, followed by a tunnel show:

[root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200
[root@localhost ~]# ip -6 tunnel show
ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
[root@localhost ~]#

Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after
register_netdevice has successfully returned.

Signed-off-by: Josh Boyer &lt;jwboyer@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>cfg80211: fix bug on regulatory core exit on access to last_request</title>
<updated>2011-11-26T17:09:55Z</updated>
<author>
<name>Luis R. Rodriguez</name>
<email>mcgrof@qca.qualcomm.com</email>
</author>
<published>2011-11-08T22:28:06Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5c02e3ae0a16cfc2fb86549cca9898ead2b0d666'/>
<id>urn:sha1:5c02e3ae0a16cfc2fb86549cca9898ead2b0d666</id>
<content type='text'>
commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream.

Commit 4d9d88d1 by Scott James Remnant &lt;keybuk@google.com&gt; added
the .uevent() callback for the regulatory device used during
the platform device registration. The change was done to account
for queuing up udev change requests through udevadm triggers.
The change also meant that upon regulatory core exit we will now
send a uevent() but the uevent() callback, reg_device_uevent(),
also accessed last_request. Right before commiting device suicide
we free'd last_request but never set it to NULL so
platform_device_unregister() would lead to bogus kernel paging
request. Fix this and also simply supress uevents right before
we commit suicide as they are pointless.

This fix is required for kernels &gt;= v2.6.39

$ git describe --contains 4d9d88d1
v2.6.39-rc1~468^2~25^2^2~21

The impact of not having this present is that a bogus paging
access may occur (only read) upon cfg80211 unload time. You
may also get this BUG complaint below. Although Johannes
could not reproduce the issue this fix is theoretically correct.

mac80211_hwsim: unregister radios
mac80211_hwsim: closing netlink
BUG: unable to handle kernel paging request at ffff88001a06b5ab
IP: [&lt;ffffffffa030df9a&gt;] reg_device_uevent+0x1a/0x50 [cfg80211]
PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0
Modules linked in: cfg80211(-) [last unloaded: mac80211]

Pid: 2279, comm: rmmod Tainted: G        W   3.1.0-wl+ #663 Bochs Bochs
RIP: 0010:[&lt;ffffffffa030df9a&gt;]  [&lt;ffffffffa030df9a&gt;] reg_device_uevent+0x1a/0x50 [cfg80211]
RSP: 0000:ffff88001c5f9d58  EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc
RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0
RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0
R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001
FS:  00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780)
Stack:
 ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2
 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820
 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189
Call Trace:
 [&lt;ffffffff812ff7e5&gt;] dev_uevent+0xc5/0x170
 [&lt;ffffffff81241dc7&gt;] kobject_uevent_env+0x1f7/0x490
 [&lt;ffffffff81040189&gt;] ? sub_preempt_count+0x29/0x60
 [&lt;ffffffff814cab1a&gt;] ? _raw_spin_unlock_irqrestore+0x4a/0x90
 [&lt;ffffffff81305307&gt;] ? devres_release_all+0x27/0x60
 [&lt;ffffffff8124206b&gt;] kobject_uevent+0xb/0x10
 [&lt;ffffffff812fee27&gt;] device_del+0x157/0x1b0
 [&lt;ffffffff8130377d&gt;] platform_device_del+0x1d/0x90
 [&lt;ffffffff81303b76&gt;] platform_device_unregister+0x16/0x30
 [&lt;ffffffffa030fffd&gt;] regulatory_exit+0x5d/0x180 [cfg80211]
 [&lt;ffffffffa032bec3&gt;] cfg80211_exit+0x2b/0x45 [cfg80211]
 [&lt;ffffffff8109a84c&gt;] sys_delete_module+0x16c/0x220
 [&lt;ffffffff8108a23e&gt;] ? trace_hardirqs_on_caller+0x7e/0x120
 [&lt;ffffffff814cba02&gt;] system_call_fastpath+0x16/0x1b
Code: &lt;all your base are belong to me&gt;
RIP  [&lt;ffffffffa030df9a&gt;] reg_device_uevent+0x1a/0x50 [cfg80211]
 RSP &lt;ffff88001c5f9d58&gt;
CR2: ffff88001a06b5ab
---[ end trace 147c5099a411e8c0 ]---

Reported-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Cc: Scott James Remnant &lt;keybuk@google.com&gt;
Signed-off-by: Luis R. Rodriguez &lt;mcgrof@qca.qualcomm.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>nl80211: fix HT capability attribute validation</title>
<updated>2011-11-26T17:09:55Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2011-11-03T08:27:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c1ce1705eb0778927a0b81a6eb29e8ff193aa3de'/>
<id>urn:sha1:c1ce1705eb0778927a0b81a6eb29e8ff193aa3de</id>
<content type='text'>
commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream.

Since the NL80211_ATTR_HT_CAPABILITY attribute is
used as a struct, it needs a minimum, not maximum
length. Enforce that properly. Not doing so could
potentially lead to reading after the buffer.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
