Andrew Lunn [Sun, 19 Oct 2014 14:41:47 +0000 (16:41 +0200)]
Net: DSA: Fix checking for get_phy_flags function
The check for the presence or not of the optional switch function
get_phy_flags() called the function, rather than checked to see if it
is a NULL pointer. This causes a derefernce of a NULL pointer on all
switch chips except the sf2, the only switch to implement this call.
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Fixes:
6819563e646a ("net: dsa: allow switch drivers to specify phy_device::dev_flags")
Cc: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Sat, 18 Oct 2014 09:33:38 +0000 (17:33 +0800)]
ipv6: fix a potential use after free in sit.c
pskb_may_pull() maybe change skb->data and make iph pointer oboslete,
fix it by geting ip header length directly.
Fixes:
ca15a078 (sit: generate icmpv6 error when receiving icmpv4 error)
Cc: Oussama Ghorbel <ghorbel@pivasoftware.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Sat, 18 Oct 2014 09:27:42 +0000 (17:27 +0800)]
ipv6: fix a potential use after free in ip6_offload.c
pskb_may_pull() maybe change skb->data and make opth pointer oboslete,
so set the opth again
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Sat, 18 Oct 2014 09:26:04 +0000 (17:26 +0800)]
ipv4: fix a potential use after free in gre_offload.c
pskb_may_pull() may change skb->data and make greh pointer oboslete;
so need to reassign greh;
but since first calling pskb_may_pull already ensured that skb->data
has enough space for greh, so move the reference of greh before second
calling pskb_may_pull(), to avoid reassign greh.
Fixes:
7a7ffbabf9("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC")
Cc: Wei-Chun Chao <weichunc@plumgrid.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sat, 18 Oct 2014 15:34:37 +0000 (08:34 -0700)]
tcp: fix build error if IPv6 is not enabled
$ make M=net/ipv4
CC net/ipv4/route.o
In file included from net/ipv4/route.c:102:0:
include/net/tcp.h: In function ‘tcp_v6_iif’:
include/net/tcp.h:738:32: error: ‘union <anonymous>’ has no member named ‘h6’
return TCP_SKB_CB(skb)->header.h6.iif;
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes:
870c3151382c ("ipv6: introduce tcp_v6_iif()")
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 17 Oct 2014 19:45:55 +0000 (12:45 -0700)]
bna: fix skb->truesize underestimation
skb->truesize is not meant to be tracking amount of used bytes
in an skb, but amount of reserved/consumed bytes in memory.
For instance, if we use a single byte in last page fragment,
we have to account the full size of the fragment.
skb->truesize can be very different from skb->len, that has
a very specific safety purpose.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rasesh Mody <rasesh.mody@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Fri, 17 Oct 2014 23:02:13 +0000 (16:02 -0700)]
net: dsa: add includes for ethtool and phy_fixed definitions
net/dsa/slave.c uses functions and structures declared in phy_fixed.h
but does not explicitely include it, while dsa.h needs structure
declarations for 'struct ethtool_wolinfo' and 'struct ethtool_eee', fix
those by including the correct header files.
Fixes:
ec9436baedb6 ("net: dsa: allow drivers to do link adjustment")
Fixes:
ce31b31c68e7 ("net: dsa: allow updating fixed PHY link information")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pravin B Shelar [Fri, 17 Oct 2014 20:56:31 +0000 (13:56 -0700)]
openvswitch: Set flow-key members.
This patch adds missing memset which are required to initialize
flow key member. For example for IP flow we need to initialize
ip.frag for all cases.
Found by inspection.
This bug is introduced by commit
0714812134d7dcadeb7ecfbfeb18788aa7e1eaac
("openvswitch: Eliminate memset() from flow_extract").
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Fri, 17 Oct 2014 20:00:22 +0000 (22:00 +0200)]
netrom: use linux/uaccess.h
replace asm/uaccess.h by linux/uaccess.h
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Fri, 17 Oct 2014 19:30:58 +0000 (12:30 -0700)]
dsa: Fix conversion from host device to mii bus
Commit
b4d2394d01bc ("dsa: Replace mii_bus with a generic host device")
replaces mii_bus with a generic host_dev, and introduces
dsa_host_dev_to_mii_bus() to support conversion from host_dev to mii_bus.
However, in some cases it uses to_mii_bus to perform that conversion.
Since host_dev is not the phy bus device but typically a platform device,
this fails and results in a crash with the affected drivers.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
ffffffff81781d35>] __mutex_lock_slowpath+0x75/0x100
PGD
406783067 PUD
406784067 PMD 0
Oops: 0002 [#1] SMP
...
Call Trace:
[<
ffffffff810a538b>] ? pick_next_task_fair+0x61b/0x880
[<
ffffffff81781de3>] mutex_lock+0x23/0x37
[<
ffffffff81533244>] mdiobus_read+0x34/0x60
[<
ffffffff8153b95a>] __mv88e6xxx_reg_read+0x8a/0xa0
[<
ffffffff8153b9bc>] mv88e6xxx_reg_read+0x4c/0xa0
Fixes:
b4d2394d01bc ("dsa: Replace mii_bus with a generic host device")
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alexander Duyck <alexander.h.duyck@redhat.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jon Paul Maloy [Fri, 17 Oct 2014 19:25:28 +0000 (15:25 -0400)]
tipc: fix bug in bundled buffer reception
In commit
ec8a2e5621db2da24badb3969eda7fd359e1869f ("tipc: same receive
code path for connection protocol and data messages") we omitted the
the possiblilty that an arriving message extracted from a bundle buffer
may be a multicast message. Such messages need to be to be delivered to
the socket via a separate function, tipc_sk_mcast_rcv(). As a result,
small multicast messages arriving as members of a bundle buffer will be
silently dropped.
This commit corrects the error by considering this case in the function
tipc_link_bundle_rcv().
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 17 Oct 2014 16:17:20 +0000 (09:17 -0700)]
ipv6: introduce tcp_v6_iif()
Commit
971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line
misses") added a regression for SO_BINDTODEVICE on IPv6.
This is because we still use inet6_iif() which expects that IP6 control
block is still at the beginning of skb->cb[]
This patch adds tcp_v6_iif() helper and uses it where necessary.
Because __inet6_lookup_skb() is used by TCP and DCCP, we add an iif
parameter to it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes:
971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
Acked-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Edward Cree [Fri, 17 Oct 2014 14:32:25 +0000 (15:32 +0100)]
sfc: add support for skb->xmit_more
Don't ring the doorbell, and don't do PIO. This will also prevent
TX Push, because there will be more than one buffer waiting when
the doorbell is rung.
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
hayeswang [Fri, 17 Oct 2014 08:55:08 +0000 (16:55 +0800)]
r8152: return -EBUSY for runtime suspend
Remove calling cancel_delayed_work_sync() for runtime suspend,
because it would cause dead lock. Instead, return -EBUSY to
avoid the device enters suspending if the net is running and
the delayed work is pending or running. The delayed work would
try to wake up the device later, so the suspending is not
necessary.
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Fri, 17 Oct 2014 08:53:47 +0000 (16:53 +0800)]
ipv4: fix a potential use after free in fou.c
pskb_may_pull() maybe change skb->data and make uh pointer oboslete,
so reload uh and guehdr
Fixes:
37dd0247 ("gue: Receive side for Generic UDP Encapsulation")
Cc: Tom Herbert <therbert@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Fri, 17 Oct 2014 08:53:23 +0000 (16:53 +0800)]
ipv4: fix a potential use after free in ip_tunnel_core.c
pskb_may_pull() maybe change skb->data and make eth pointer oboslete,
so set eth after pskb_may_pull()
Fixes:
3d7b46cd("ip_tunnel: push generic protocol handling to ip_tunnel module")
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Haiyang Zhang [Thu, 16 Oct 2014 21:47:58 +0000 (14:47 -0700)]
hyperv: Add handling of IP header with option field in netvsc_set_hash()
In case that the IP header has optional field at the end, this patch will
get the port numbers after that field, and compute the hash. The general
parser skb_flow_dissect() is used here.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pravin B Shelar [Fri, 17 Oct 2014 04:55:45 +0000 (21:55 -0700)]
openvswitch: Create right mask with disabled megaflows
If megaflows are disabled, the userspace does not send the netlink attribute
OVS_FLOW_ATTR_MASK, and the kernel must create an exact match mask.
sw_flow_mask_set() sets every bytes (in 'range') of the mask to 0xff, even the
bytes that represent padding for struct sw_flow, or the bytes that represent
fields that may not be set during ovs_flow_extract().
This is a problem, because when we extract a flow from a packet,
we do not memset() anymore the struct sw_flow to 0.
This commit gets rid of sw_flow_mask_set() and introduces mask_set_nlattr(),
which operates on the netlink attributes rather than on the mask key. Using
this approach we are sure that only the bytes that the user provided in the
flow are matched.
Also, if the parse_flow_mask_nlattrs() for the mask ENCAP attribute fails, we
now return with an error.
This bug is introduced by commit
0714812134d7dcadeb7ecfbfeb18788aa7e1eaac
("openvswitch: Eliminate memset() from flow_extract").
Reported-by: Alex Wang <alexw@nicira.com>
Signed-off-by: Daniele Di Proietto <ddiproietto@vmware.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Fri, 17 Oct 2014 06:06:16 +0000 (14:06 +0800)]
vxlan: fix a free after use
pskb_may_pull maybe change skb->data and make eth pointer oboslete,
so eth needs to reload
Fixes:
91269e390d062 ("vxlan: using pskb_may_pull as early as possible")
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Fri, 17 Oct 2014 06:03:08 +0000 (14:03 +0800)]
openvswitch: fix a use after free
pskb_may_pull() called by arphdr_ok can change skb->data, so put the arp
setting after arphdr_ok to avoid the use the freed memory
Fixes:
0714812134d7d ("openvswitch: Eliminate memset() from flow_extract.")
Cc: Jesse Gross <jesse@nicira.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vasily Averin [Wed, 15 Oct 2014 12:24:02 +0000 (16:24 +0400)]
ipv4: dst_entry leak in ip_send_unicast_reply()
ip_setup_cork() called inside ip_append_data() steals dst entry from rt to cork
and in case errors in __ip_append_data() nobody frees stolen dst entry
Fixes:
2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()")
Signed-off-by: Vasily Averin <vvs@parallels.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Wed, 15 Oct 2014 21:33:22 +0000 (14:33 -0700)]
ipv4: clean up cookie_v4_check()
We can retrieve opt from skb, no need to pass it as a parameter.
And opt should always be non-NULL, no need to check.
Cc: Krzysztof Kolasa <kkolasa@winsoft.pl>
Cc: Eric Dumazet <edumazet@google.com>
Tested-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Wed, 15 Oct 2014 21:33:21 +0000 (14:33 -0700)]
ipv4: share tcp_v4_save_options() with cookie_v4_check()
cookie_v4_check() allocates ip_options_rcu in the same way
with tcp_v4_save_options(), we can just make it a helper function.
Cc: Krzysztof Kolasa <kkolasa@winsoft.pl>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Wed, 15 Oct 2014 21:33:20 +0000 (14:33 -0700)]
ipv4: call __ip_options_echo() in cookie_v4_check()
commit
971f10eca186cab238c49da ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
missed that cookie_v4_check() still calls ip_options_echo() which uses
IPCB(). It should use TCPCB() at TCP layer, so call __ip_options_echo()
instead.
Fixes: commit
971f10eca186cab238c49da ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
Cc: Krzysztof Kolasa <kkolasa@winsoft.pl>
Cc: Eric Dumazet <edumazet@google.com>
Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Tested-by: Krzysztof Kolasa <kkolasa@winsoft.pl>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael Opdenacker [Wed, 15 Oct 2014 07:45:50 +0000 (09:45 +0200)]
atm: simplify lanai.c by using module_pci_driver
This simplifies the lanai.c driver by using
the module_pci_driver() macro, at the expense
of losing only debugging messages.
Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Thu, 16 Oct 2014 13:47:51 +0000 (15:47 +0200)]
netlink: fix description of portid
Avoid confusion between pid and portid.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 16 Oct 2014 18:42:51 +0000 (14:42 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/jkirsher/net
Jeff Kirsher says:
====================
Intel Wired LAN Driver Updates 2014-10-16
This series contains updates to fm10k and ixgbe.
Matthew provides two fixes for fm10k, first sets the flag to fetch the
host state before kicking off the service task that reads the host
state when bringing the interface up. The second makes sure that we
release the mailbox lock after detecting an error and before we return
the error code.
Andy Zhou provides a compile fix for fm10k, when the driver is compiled
into the kernel and the VXLAN driver is compiled as a module.
Emil provides a fix for ixgbe to prevent against a panic by trying
to dereference a NULL pointer in ixgbe_ndo_set_vf_spoofchk().
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Emil Tantilov [Thu, 16 Oct 2014 15:49:02 +0000 (15:49 +0000)]
ixgbe: check for vfs outside of sriov_num_vfs before dereference
The check for vfinfo is not sufficient because it does not protect
against specifying vf that is outside of sriov_num_vfs range.
All of the ndo functions have a check for it except for
ixgbevf_ndo_set_spoofcheck().
The following patch is all we need to protect against this panic:
ip link set p96p1 vf 0 spoofchk off
BUG: unable to handle kernel NULL pointer dereference at
0000000000000052
IP: [<
ffffffffa044a1c1>]
ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]
Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Andy Zhou [Sat, 4 Oct 2014 06:19:11 +0000 (06:19 +0000)]
fm10k: Add CONFIG_FM10K_VXLAN configuration option
Compiling with CONFIG_FM10K=y and VXLAN=m resulting in linking error:
drivers/built-in.o: In function `fm10k_open':
(.text+0x1f9d7a): undefined reference to `vxlan_get_rx_port'
make: *** [vmlinux] Error 1
The fix follows the same strategy as I40E.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Matthew Vick [Fri, 3 Oct 2014 00:43:35 +0000 (00:43 +0000)]
fm10k: Unlock mailbox on VLAN addition failures
After grabbing the mailbox lock and detecting an error, the lock must be
released before the error code can be returned.
Signed-off-by: Matthew Vick <matthew.vick@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Matthew Vick [Thu, 2 Oct 2014 05:10:18 +0000 (05:10 +0000)]
fm10k: Check the host state when bringing the interface up
Set the flag to fetch the host state before kicking off the service task
that reads the host state when bringing the interface back up.
Signed-off-by: Matthew Vick <matthew.vick@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Li RongQing [Thu, 16 Oct 2014 01:17:18 +0000 (09:17 +0800)]
vxlan: using pskb_may_pull as early as possible
pskb_may_pull should be used to check if skb->data has enough space,
skb->len can not ensure that.
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Thu, 16 Oct 2014 00:49:41 +0000 (08:49 +0800)]
vxlan: fix a use after free in vxlan_encap_bypass
when netif_rx() is done, the netif_rx handled skb maybe be freed,
and should not be used.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Wed, 15 Oct 2014 19:03:41 +0000 (21:03 +0200)]
openvswitch: use vport instead of p
All functions used struct vport *vport except
ovs_vport_find_upcall_portid.
This fixes 1 kerneldoc warning
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Wed, 15 Oct 2014 19:03:18 +0000 (21:03 +0200)]
openvswitch: kerneldoc warning fix
s/sock/gs
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Claudiu Manoil [Wed, 15 Oct 2014 16:11:46 +0000 (19:11 +0300)]
gianfar: Add FCS to rx buffer size (fix)
For each Rx frame the eTSEC writes its FCS (Frame Check Sequence)
to the Rx buffer.
The eTSEC h/w manual states in the "Receive Buffer Descriptor Field
Descriptions" table:
"Data length is the number of octets written by the eTSEC into this BD's
data buffer if L is cleared (the value is equal to MRBLR), or, if L is
set, the length of the frame including *CRC*, FCB (if RCTRL[PRSDEP > 00),
preamble (if MACCFG2[PreAmRxEn]=1), time stamp (if RCTRL[TS] = 1) and
any padding (RCTRL[PAL])."
Though the FCS bytes are removed by the driver before passing the skb
to the net stack, the Rx buffer size computation does not currently
take into account the FCS bytes (4 bytes).
Because the Rx buffer size is multiple of 512 bytes, leaving out the
FCS is not a problem for the default MTU of 1500, as the Rx buffer size
is 1536 in this case. However, for custom MTUs, where the difference
between the MTU size and the Rx buffer size is less, this can be a
problem as the computed Rx buffer size won't be enough to accomodate
the FCS for a received frame that is big enough (close to MTU size).
In such case the received frame is considered to be incomplete (L flag
not set in the RxBD status) and silently dropped.
Note that the driver does not currently support S/G on Rx, so it has to
compute its Rx buffer size based on the MTU of the device.
Reported-by: Kristian Otnes <kotnes@cisco.com>
Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Wed, 15 Oct 2014 13:23:28 +0000 (16:23 +0300)]
virtio_net: fix use after free
commit
0b725a2ca61bedc33a2a63d0451d528b268cf975
net: Remove ndo_xmit_flush netdev operation, use signalling instead.
added code that looks at skb->xmit_more after the skb has
been put in TX VQ. Since some paths process the ring and free the skb
immediately, this can cause use after free.
Fix by storing xmit_more in a local variable.
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nimrod Andy [Wed, 15 Oct 2014 09:30:12 +0000 (17:30 +0800)]
net: fec: ptp: fix convergence issue to support LinuxPTP stack
iMX6SX IEEE 1588 module has one hw issue in capturing the ATVR register.
The current SW flow is:
ENET0->ATCR |= ENET_ATCR_CAPTURE_MASK;
ts_counter_ns = ENET0->ATVR;
The ATVR value is not expected value that cause LinuxPTP stack cannot be convergent.
ENET Block Guide/ Chapter for the iMX6SX (PELE) address the issue:
After set ENET_ATCR[Capture], there need some time cycles before the counter
value is capture in the register clock domain. The wait-time-cycles is at least
6 clock cycles of the slower clock between the register clock and the 1588 clock.
So need something like:
ENET0->ATCR |= ENET_ATCR_CAPTURE_MASK;
wait();
ts_counter_ns = ENET0->ATVR;
For iMX6SX, the 1588 ts_clk is fixed to 25Mhz, register clock is 66Mhz, so the
wait-time-cycles must be greater than 240ns (40ns * 6). The patch add 1us delay
before cpu read ATVR register.
Changes V2:
Modify the commit/comments log to describe the issue clearly.
Signed-off-by: Fugang Duan <B38611@freescale.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anish Bhatt [Wed, 15 Oct 2014 07:26:47 +0000 (00:26 -0700)]
cxgb4i : Fix -Wmaybe-uninitialized warning.
Identified by kbuild test robot. csk family is always set to be AF_INET or
AF_INET6, so skb will always be initialized to some value but there is no harm
in silencing the warning anyways.
Signed-off-by: Anish Bhatt <anish@chelsio.com>
Fixes :
f42bb57c61fd ('cxgb4i : Fix -Wunused-function warning')
Signed-off-by: David S. Miller <davem@davemloft.net>
Tom Herbert [Tue, 14 Oct 2014 22:19:06 +0000 (15:19 -0700)]
net: Add ndo_gso_check
Add ndo_gso_check which a device can define to indicate whether is
is capable of doing GSO on a packet. This funciton would be called from
the stack to determine whether software GSO is needed to be done. A
driver should populate this function if it advertises GSO types for
which there are combinations that it wouldn't be able to handle. For
instance a device that performs UDP tunneling might only implement
support for transparent Ethernet bridging type of inner packets
or might have limitations on lengths of inner headers.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Wed, 15 Oct 2014 05:30:41 +0000 (07:30 +0200)]
stmmac: fix sti compatibililies
this patch is to fix the stmmac data compatibilities for
all the SoCs inside the platform file.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 15 Oct 2014 04:29:08 +0000 (00:29 -0400)]
Merge branch 'cxgb4'
Anish Bhatt says:
====================
ipv6 and related cleanup for cxgb4/cxgb4i
This patch set removes some duplicated/extraneous code from cxgb4i, guards
cxgb4 against compilation failure based on ipv6 tristate, make ipv6 related
code no longer be enabled by default irrespective of ipv6 tristate and fixes
a refcnt issue.
-Anish
v2 : Provide more detailed commit messages, make subject more concise as
recommended by Dave Miller.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Anish Bhatt [Wed, 15 Oct 2014 03:07:24 +0000 (20:07 -0700)]
cxgb4i: Remove duplicate call to dst_neigh_lookup()
There is an extra call to dst_neigh_lookup() leftover in cxgb4i that can cause
an unreleased refcnt issue. Remove extraneous call.
Signed-off-by: Anish Bhatt <anish@chelsio.com>
Fixes :
759a0cc5a3e1b ('cxgb4i: Add ipv6 code to driver, call into libcxgbi ipv6 api')
Signed-off-by: David S. Miller <davem@davemloft.net>
Anish Bhatt [Wed, 15 Oct 2014 03:07:23 +0000 (20:07 -0700)]
cxgb4i : Fix -Wunused-function warning
A bunch of ipv6 related code is left on by default. While this causes no
compilation issues, there is no need to have this enabled by default. Guard
with an ipv6 check, which also takes care of a -Wunused-function warning.
Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anish Bhatt [Wed, 15 Oct 2014 03:07:22 +0000 (20:07 -0700)]
cxgb4 : Fix build failure in cxgb4 when ipv6 is disabled/not in-built
cxgb4 ipv6 does not guard against ipv6 being disabled, or the standard
ipv6 module vs inbuilt tri-state issue. This was fixed for cxgb4i & iw_cxgb4
but missed for cxgb4.
Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anish Bhatt [Wed, 15 Oct 2014 03:07:21 +0000 (20:07 -0700)]
cxgb4i : Remove duplicated CLIP handling code
cxgb4 already handles CLIP updates from a previous changeset for iw_cxgb4,
there is no need to have this functionality in cxgb4i. Remove duplicated code
Signed-off-by: Anish Bhatt <anish@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 13 Oct 2014 13:27:47 +0000 (06:27 -0700)]
tcp: TCP Small Queues and strange attractors
TCP Small queues tries to keep number of packets in qdisc
as small as possible, and depends on a tasklet to feed following
packets at TX completion time.
Choice of tasklet was driven by latencies requirements.
Then, TCP stack tries to avoid reorders, by locking flows with
outstanding packets in qdisc in a given TX queue.
What can happen is that many flows get attracted by a low performing
TX queue, and cpu servicing TX completion has to feed packets for all of
them, making this cpu 100% busy in softirq mode.
This became particularly visible with latest skb->xmit_more support
Strategy adopted in this patch is to detect when tcp_wfree() is called
from ksoftirqd and let the outstanding queue for this flow being drained
before feeding additional packets, so that skb->ooo_okay can be set
to allow select_queue() to select the optimal queue :
Incoming ACKS are normally handled by different cpus, so this patch
gives more chance for these cpus to take over the burden of feeding
qdisc with future packets.
Tested:
lpaa23:~# ./super_netperf 1400 --google-pacing-rate
3028000 -H lpaa24 -l 3600 &
lpaa23:~# sar -n DEV 1 10 | grep eth1
06:16:18 AM eth1 595448.00
1190564.00 38381.09
1760253.12 0.00 0.00 1.00
06:16:19 AM eth1 594858.00
1189686.00 38340.76
1758952.72 0.00 0.00 0.00
06:16:20 AM eth1 597017.00
1194019.00 38480.79
1765370.29 0.00 0.00 1.00
06:16:21 AM eth1 595450.00
1190936.00 38380.19
1760805.05 0.00 0.00 0.00
06:16:22 AM eth1 596385.00
1193096.00 38442.56
1763976.29 0.00 0.00 1.00
06:16:23 AM eth1 598155.00
1195978.00 38552.97
1768264.60 0.00 0.00 0.00
06:16:24 AM eth1 594405.00
1188643.00 38312.57
1757414.89 0.00 0.00 1.00
06:16:25 AM eth1 593366.00
1187154.00 38252.16
1755195.83 0.00 0.00 0.00
06:16:26 AM eth1 593188.00
1186118.00 38232.88
1753682.57 0.00 0.00 1.00
06:16:27 AM eth1 596301.00
1192241.00 38440.94
1762733.09 0.00 0.00 0.00
Average: eth1 595457.30
1190843.50 38381.69
1760664.84 0.00 0.00 0.50
lpaa23:~# ./tc -s -d qd sh dev eth1 | grep backlog
backlog
7606336b 2513p requeues 167982
backlog
224072b 74p requeues 566
backlog
581376b 192p requeues 5598
backlog
181680b 60p requeues 1070
backlog
5305056b 1753p requeues 110166 // Here, this TX queue is attracting flows
backlog
157456b 52p requeues 1758
backlog
672216b 222p requeues 3025
backlog 60560b 20p requeues 24541
backlog
448144b 148p requeues 21258
lpaa23:~# echo 1 >/proc/sys/net/ipv4/tcp_tsq_enable_tcp_wfree_ksoftirqd_detect
Immediate jump to full bandwidth, and traffic is properly
shard on all tx queues.
lpaa23:~# sar -n DEV 1 10 | grep eth1
06:16:46 AM eth1
1397632.00
2795397.00 90081.87
4133031.26 0.00 0.00 1.00
06:16:47 AM eth1
1396874.00
2793614.00 90032.99
4130385.46 0.00 0.00 0.00
06:16:48 AM eth1
1395842.00
2791600.00 89966.46
4127409.67 0.00 0.00 1.00
06:16:49 AM eth1
1395528.00
2791017.00 89946.17
4126551.24 0.00 0.00 0.00
06:16:50 AM eth1
1397891.00
2795716.00 90098.74
4133497.39 0.00 0.00 1.00
06:16:51 AM eth1
1394951.00
2789984.00 89908.96
4125022.51 0.00 0.00 0.00
06:16:52 AM eth1
1394608.00
2789190.00 89886.90
4123851.36 0.00 0.00 1.00
06:16:53 AM eth1
1395314.00
2790653.00 89934.33
4125983.09 0.00 0.00 0.00
06:16:54 AM eth1
1396115.00
2792276.00 89984.25
4128411.21 0.00 0.00 1.00
06:16:55 AM eth1
1396829.00
2793523.00 90030.19
4130250.28 0.00 0.00 0.00
Average: eth1
1396158.40
2792297.00 89987.09
4128439.35 0.00 0.00 0.50
lpaa23:~# tc -s -d qd sh dev eth1 | grep backlog
backlog
7900052b 2609p requeues 173287
backlog
878120b 290p requeues 589
backlog
1068884b 354p requeues 5621
backlog
996212b 329p requeues 1088
backlog
984100b 325p requeues 115316
backlog
956848b 316p requeues 1781
backlog
1080996b 357p requeues 3047
backlog
975016b 322p requeues 24571
backlog
990156b 327p requeues 21274
(All 8 TX queues get a fair share of the traffic)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 21:05:23 +0000 (17:05 -0400)]
Merge branch 'qlcnic'
Rajesh Borundia says:
====================
qlcnic: Bug fixes
This series fixes following issues.
* We were programming maximum number of arguments supported by
adapter instead of required in a command.
* Destroy tx command requires three arguments instead of two.
Please apply these patches to net.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajesh Borundia [Tue, 14 Oct 2014 11:41:46 +0000 (07:41 -0400)]
qlcnic: Fix number of arguments in destroy tx context command
o Number of arguments taken by destroy tx command is three
instead of two.
Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajesh Borundia [Tue, 14 Oct 2014 11:41:45 +0000 (07:41 -0400)]
qlcnic: Fix programming number of arguments in a command.
o Initially we were programming maximum number of arguments.
Instead we should program number of arguments required in
a command.
o Maximum number of arguments for 82xx adapter is four. Fix it
for GET_ESWITCH_STATS command.
Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mark Rustad [Tue, 14 Oct 2014 13:28:38 +0000 (06:28 -0700)]
genl_magic: Resolve logical-op warnings
Resolve "logical 'and' applied to non-boolean constant" warnings"
that appear in W=2 builds by adding !! to a bit test.
Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 21:02:37 +0000 (17:02 -0400)]
net: Trap attempts to call sock_kfree_s() with a NULL pointer.
Unlike normal kfree() it is never right to call sock_kfree_s() with
a NULL pointer, because sock_kfree_s() also has the side effect of
discharging the memory from the sockets quota.
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Tue, 14 Oct 2014 19:35:08 +0000 (12:35 -0700)]
rds: avoid calling sock_kfree_s() on allocation failure
It is okay to free a NULL pointer but not okay to mischarge the socket optmem
accounting. Compile test only.
Reported-by: rucsoftsec@gmail.com
Cc: Chien Yen <chien.yen@oracle.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hariprasad Shenai [Tue, 14 Oct 2014 20:24:14 +0000 (01:54 +0530)]
cxgb4: Fix FW flash logic using ethtool
Use t4_fw_upgrade instead of t4_load_fw to write firmware into FLASH, since
t4_load_fw doesn't co-ordinate with the firmware and the adapter can get hosed
enough to require a power cycle of the system.
Based on original work by Casey Leedom <leedom@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 20:40:49 +0000 (16:40 -0400)]
Merge branch 'stmmac'
Giuseppe Cavallaro says:
====================
stmmac: review and fix the dwmac-sti glue-logic
This patch is to review the whole glue logic adopted on STi SoCs that
was bugged.
In the old glue-logic there was a lot of confusion when setup the
retiming especially for STiD127 where, for example, the bits 6 and 7
(in the GMAC control register) have a different meaning of what is
used for STiH4xx SoCs. So we cannot adopt the same glue for all these
SoCs.
Moreover, GiGa on STiD127 didn't work and, for all the SoCs, the RGMII
couldn't run when the speed was 10Mbps (because the clock was not properly
managed).
Note that the phy clock needs to be provided by the platform as well as
documented in the related binding file (updated as consequence).
The old code supported too many configurations never adopted and validated.
This made the code very complex to maintain and debug in case of issues.
The patch simplifies all the configurations as commented in the tables
inside the file and obviously it has been tested on all the boards
based on the SoCs mentioned.
With this patch, the dwmac-sti is also ready to support new configurations that
will be available on next SoC generations.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Tue, 14 Oct 2014 06:12:56 +0000 (08:12 +0200)]
stmmac: dwmac-sti: review the glue-logic for STi4xx and STiD127 SoCs
This patch is to review the whole glue logic adopted on STi SoCs that
was bugged.
In the old glue-logic there was a lot of confusion when setup the
retiming especially for STiD127 where, for example, the bits 6 and 7
(in the GMAC control register) have a different meaning of what is
used for STiH4xx SoCs. So we cannot adopt the same glue for all these
SoCs.
Moreover, GiGa on STiD127 didn't work and, for all the SoCs, the RGMII
couldn't run when the speed was 10Mbps (because the clock was not properly
managed).
Note that the phy clock needs to be provided by the platform as well as
documented in the related binding file (updated as consequence).
The old code supported too many configurations never adopted and validated.
This made the code very complex to maintain and debug in case of issues.
The patch simplifies all the configurations as commented in the tables
inside the file and obviously it has been tested on all the boards
based on the SoCs mentioned.
With this patch, the dwmac-sti is also ready to support new configurations that
will be available on next SoC generations.
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Tue, 14 Oct 2014 06:12:55 +0000 (08:12 +0200)]
stmmac: make the STi Layer compatible to STiH407
This adds the missing compatibility to the STiH407 SoC.
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Tue, 14 Oct 2014 06:11:54 +0000 (08:11 +0200)]
stmmac: platform: fix FIXED_PHY support.
On several STi platforms: e.g. stihxxx-b2120 an Ethernet switch is
embedded and connected to the stmmac via RGMII mode. So this is managed
by using the FIXED_PHY. In that case, the support in the platform needs
to be fixed to allow the stmmac to dialog with the switch via fixed-link
by using phy_bus_name property.
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Tue, 14 Oct 2014 18:21:04 +0000 (11:21 -0700)]
dsa: mv88e6171: Fix tag_protocol check
tag_protocol is now an enum, so drivers have to check against it.
Cc: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 20:09:38 +0000 (16:09 -0400)]
Merge branch 'xgene'
Iyappan Subramanian says:
====================
Adding SGMII based 1GbE basic support to APM X-Gene SoC ethernet driver.
v2: Address comments from v1
* Split the patchset into two, the first one being preparatory patch
* Added link_state function pointer to the xgene_mac_ops structure
* Added xgene_indirect_ctl structure for indirect read/write arguments
v1:
* Initial version
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Iyappan Subramanian [Tue, 14 Oct 2014 00:05:35 +0000 (17:05 -0700)]
drivers: net: xgene: Add SGMII based 1GbE ethtool support
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Iyappan Subramanian [Tue, 14 Oct 2014 00:05:34 +0000 (17:05 -0700)]
drivers: net: xgene: Add SGMII based 1GbE support
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Iyappan Subramanian [Tue, 14 Oct 2014 00:05:33 +0000 (17:05 -0700)]
drivers: net: xgene: Preparing for adding SGMII based 1GbE
- Added link_state function pointer to the xgene__mac_ops structure
- Moved ring manager (pdata->rm) assignment to xgene_enet_setup_ops
- Removed unused variable (pdata->phy_addr) and macro (FULL_DUPLEX)
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Iyappan Subramanian [Tue, 14 Oct 2014 00:05:32 +0000 (17:05 -0700)]
dtb: Add SGMII based 1GbE node to APM X-Gene SoC device tree
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexei Starovoitov [Tue, 14 Oct 2014 09:08:54 +0000 (02:08 -0700)]
net: filter: move common defines into bpf_common.h
userspace programs that use eBPF instruction macros need to include two files:
uapi/linux/filter.h and uapi/linux/bpf.h
Move common macro definitions that are shared between classic BPF and eBPF
into uapi/linux/bpf_common.h, so that user app can include only one bpf.h file
Cc: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Tue, 14 Oct 2014 17:01:14 +0000 (19:01 +0200)]
caif_usb: use target structure member in memset
parent cfusbl was used instead of first structure member 'layer'
Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Tue, 14 Oct 2014 17:00:55 +0000 (19:00 +0200)]
caif_usb: remove redundant memory message
Let MM subsystem display out of memory messages.
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Frederick [Mon, 13 Oct 2014 20:21:46 +0000 (22:21 +0200)]
caif: replace kmalloc/memset 0 by kzalloc
Also add blank line after declaration
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mugunthan V N [Mon, 13 Oct 2014 16:51:07 +0000 (22:21 +0530)]
drivers: net: cpsw: remove child devices while driver detach
remove all the child devices from the system to make sure that re-insert of
cpsw module doesn't fail on child device populated by of_platform_populate().
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mugunthan V N [Mon, 13 Oct 2014 16:51:06 +0000 (22:21 +0530)]
drivers: net: davinci_cpdma: remove spinlock as SOFTIRQ-unsafe lock order detected
remove spinlock in cpdma_desc_pool_destroy() as there is no active cpdma
channel and iounmap should be called without auquiring lock.
root@dra7xx-evm:~# modprobe -r ti_cpsw
[ 50.539743]
[ 50.541312] ======================================================
[ 50.547796] [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
[ 50.554826]
3.14.19-02124-g95c5b7b #308 Not tainted
[ 50.559939] ------------------------------------------------------
[ 50.566416] modprobe/1921 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 50.573347] (vmap_area_lock){+.+...}, at: [<
c01127fc>] find_vmap_area+0x10/0x6c
[ 50.581132]
[ 50.581132] and this task is already holding:
[ 50.587249] (&(&pool->lock)->rlock#2){..-...}, at: [<
bf017c74>] cpdma_ctlr_destroy+0x5c/0x114 [davinci_cpdma]
[ 50.597766] which would create a new lock dependency:
[ 50.603048] (&(&pool->lock)->rlock#2){..-...} -> (vmap_area_lock){+.+...}
[ 50.610296]
[ 50.610296] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 50.618601] (&(&pool->lock)->rlock#2){..-...}
... which became SOFTIRQ-irq-safe at:
[ 50.626829] [<
c06585a4>] _raw_spin_lock_irqsave+0x38/0x4c
[ 50.632677] [<
bf01773c>] cpdma_desc_free.constprop.7+0x28/0x58 [davinci_cpdma]
[ 50.640437] [<
bf0177e8>] __cpdma_chan_free+0x7c/0xa8 [davinci_cpdma]
[ 50.647289] [<
bf017908>] __cpdma_chan_process+0xf4/0x134 [davinci_cpdma]
[ 50.654512] [<
bf017984>] cpdma_chan_process+0x3c/0x54 [davinci_cpdma]
[ 50.661455] [<
bf0277e8>] cpsw_poll+0x14/0xa8 [ti_cpsw]
[ 50.667038] [<
c05844f4>] net_rx_action+0xc0/0x1e8
[ 50.672150] [<
c0048234>] __do_softirq+0xcc/0x304
[ 50.677183] [<
c004873c>] irq_exit+0xa8/0xfc
[ 50.681751] [<
c000eeac>] handle_IRQ+0x50/0xb0
[ 50.686513] [<
c0008638>] gic_handle_irq+0x28/0x5c
[ 50.691628] [<
c06590a4>] __irq_svc+0x44/0x5c
[ 50.696289] [<
c0658ab4>] _raw_spin_unlock_irqrestore+0x34/0x44
[ 50.702591] [<
c065a9c4>] do_page_fault.part.9+0x144/0x3c4
[ 50.708433] [<
c065acb8>] do_page_fault+0x74/0x84
[ 50.713453] [<
c00083dc>] do_DataAbort+0x34/0x98
[ 50.718391] [<
c065923c>] __dabt_usr+0x3c/0x40
[ 50.723148]
[ 50.723148] to a SOFTIRQ-irq-unsafe lock:
[ 50.728893] (vmap_area_lock){+.+...}
... which became SOFTIRQ-irq-unsafe at:
[ 50.736476] ... [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 50.741876] [<
c011376c>] alloc_vmap_area.isra.28+0xb8/0x300
[ 50.747908] [<
c0113a44>] __get_vm_area_node.isra.29+0x90/0x134
[ 50.754210] [<
c011486c>] get_vm_area_caller+0x3c/0x48
[ 50.759692] [<
c0114be0>] vmap+0x40/0x78
[ 50.763900] [<
c09442f0>] check_writebuffer_bugs+0x54/0x1a0
[ 50.769835] [<
c093eac0>] start_kernel+0x320/0x388
[ 50.774952] [<
80008074>] 0x80008074
[ 50.778793]
[ 50.778793] other info that might help us debug this:
[ 50.778793]
[ 50.787181] Possible interrupt unsafe locking scenario:
[ 50.787181]
[ 50.794295] CPU0 CPU1
[ 50.799042] ---- ----
[ 50.803785] lock(vmap_area_lock);
[ 50.807446] local_irq_disable();
[ 50.813652] lock(&(&pool->lock)->rlock#2);
[ 50.820782] lock(vmap_area_lock);
[ 50.827086] <Interrupt>
[ 50.829823] lock(&(&pool->lock)->rlock#2);
[ 50.834490]
[ 50.834490] *** DEADLOCK ***
[ 50.834490]
[ 50.840695] 4 locks held by modprobe/1921:
[ 50.844981] #0: (&__lockdep_no_validate__){......}, at: [<
c03e53e8>] driver_detach+0x44/0xb8
[ 50.854038] #1: (&__lockdep_no_validate__){......}, at: [<
c03e53f4>] driver_detach+0x50/0xb8
[ 50.863102] #2: (&(&ctlr->lock)->rlock){......}, at: [<
bf017c34>] cpdma_ctlr_destroy+0x1c/0x114 [davinci_cpdma]
[ 50.873890] #3: (&(&pool->lock)->rlock#2){..-...}, at: [<
bf017c74>] cpdma_ctlr_destroy+0x5c/0x114 [davinci_cpdma]
[ 50.884871]
the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 50.892827] -> (&(&pool->lock)->rlock#2){..-...} ops: 167 {
[ 50.898703] IN-SOFTIRQ-W at:
[ 50.901995] [<
c06585a4>] _raw_spin_lock_irqsave+0x38/0x4c
[ 50.909476] [<
bf01773c>] cpdma_desc_free.constprop.7+0x28/0x58 [davinci_cpdma]
[ 50.918878] [<
bf0177e8>] __cpdma_chan_free+0x7c/0xa8 [davinci_cpdma]
[ 50.927366] [<
bf017908>] __cpdma_chan_process+0xf4/0x134 [davinci_cpdma]
[ 50.936218] [<
bf017984>] cpdma_chan_process+0x3c/0x54 [davinci_cpdma]
[ 50.944794] [<
bf0277e8>] cpsw_poll+0x14/0xa8 [ti_cpsw]
[ 50.952009] [<
c05844f4>] net_rx_action+0xc0/0x1e8
[ 50.958765] [<
c0048234>] __do_softirq+0xcc/0x304
[ 50.965432] [<
c004873c>] irq_exit+0xa8/0xfc
[ 50.971635] [<
c000eeac>] handle_IRQ+0x50/0xb0
[ 50.978035] [<
c0008638>] gic_handle_irq+0x28/0x5c
[ 50.984788] [<
c06590a4>] __irq_svc+0x44/0x5c
[ 50.991085] [<
c0658ab4>] _raw_spin_unlock_irqrestore+0x34/0x44
[ 50.999023] [<
c065a9c4>] do_page_fault.part.9+0x144/0x3c4
[ 51.006510] [<
c065acb8>] do_page_fault+0x74/0x84
[ 51.013171] [<
c00083dc>] do_DataAbort+0x34/0x98
[ 51.019738] [<
c065923c>] __dabt_usr+0x3c/0x40
[ 51.026129] INITIAL USE at:
[ 51.029335] [<
c06585a4>] _raw_spin_lock_irqsave+0x38/0x4c
[ 51.036729] [<
bf017d78>] cpdma_chan_submit+0x4c/0x2f0 [davinci_cpdma]
[ 51.045225] [<
bf02863c>] cpsw_ndo_open+0x378/0x6bc [ti_cpsw]
[ 51.052897] [<
c058747c>] __dev_open+0x9c/0x104
[ 51.059287] [<
c05876ec>] __dev_change_flags+0x88/0x160
[ 51.066420] [<
c05877e4>] dev_change_flags+0x18/0x48
[ 51.073270] [<
c05ed51c>] devinet_ioctl+0x61c/0x6e0
[ 51.080029] [<
c056ee54>] sock_ioctl+0x5c/0x298
[ 51.086418] [<
c01350a4>] do_vfs_ioctl+0x78/0x61c
[ 51.092993] [<
c01356ac>] SyS_ioctl+0x64/0x74
[ 51.099200] [<
c000e580>] ret_fast_syscall+0x0/0x48
[ 51.105956] }
[ 51.107696] ... key at: [<
bf019000>] __key.21312+0x0/0xfffff650 [davinci_cpdma]
[ 51.115912] ... acquired at:
[ 51.119019] [<
c00899ac>] lock_acquire+0x9c/0x104
[ 51.124138] [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 51.129341] [<
c01127fc>] find_vmap_area+0x10/0x6c
[ 51.134547] [<
c0114960>] remove_vm_area+0x8/0x6c
[ 51.139659] [<
c0114a7c>] __vunmap+0x20/0xf8
[ 51.144318] [<
c001c350>] __arm_iounmap+0x10/0x18
[ 51.149440] [<
bf017d08>] cpdma_ctlr_destroy+0xf0/0x114 [davinci_cpdma]
[ 51.156560] [<
bf026294>] cpsw_remove+0x48/0x8c [ti_cpsw]
[ 51.162407] [<
c03e62c8>] platform_drv_remove+0x18/0x1c
[ 51.168063] [<
c03e4c44>] __device_release_driver+0x70/0xc8
[ 51.174094] [<
c03e5458>] driver_detach+0xb4/0xb8
[ 51.179212] [<
c03e4a6c>] bus_remove_driver+0x4c/0x90
[ 51.184693] [<
c00b024c>] SyS_delete_module+0x10c/0x198
[ 51.190355] [<
c000e580>] ret_fast_syscall+0x0/0x48
[ 51.195661]
[ 51.197217]
the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock:
[ 51.205986] -> (vmap_area_lock){+.+...} ops: 520 {
[ 51.211032] HARDIRQ-ON-W at:
[ 51.214321] [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 51.221090] [<
c011376c>] alloc_vmap_area.isra.28+0xb8/0x300
[ 51.228750] [<
c0113a44>] __get_vm_area_node.isra.29+0x90/0x134
[ 51.236690] [<
c011486c>] get_vm_area_caller+0x3c/0x48
[ 51.243811] [<
c0114be0>] vmap+0x40/0x78
[ 51.249654] [<
c09442f0>] check_writebuffer_bugs+0x54/0x1a0
[ 51.257239] [<
c093eac0>] start_kernel+0x320/0x388
[ 51.263994] [<
80008074>] 0x80008074
[ 51.269474] SOFTIRQ-ON-W at:
[ 51.272769] [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 51.279525] [<
c011376c>] alloc_vmap_area.isra.28+0xb8/0x300
[ 51.287190] [<
c0113a44>] __get_vm_area_node.isra.29+0x90/0x134
[ 51.295126] [<
c011486c>] get_vm_area_caller+0x3c/0x48
[ 51.302245] [<
c0114be0>] vmap+0x40/0x78
[ 51.308094] [<
c09442f0>] check_writebuffer_bugs+0x54/0x1a0
[ 51.315669] [<
c093eac0>] start_kernel+0x320/0x388
[ 51.322423] [<
80008074>] 0x80008074
[ 51.327906] INITIAL USE at:
[ 51.331112] [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 51.337775] [<
c011376c>] alloc_vmap_area.isra.28+0xb8/0x300
[ 51.345352] [<
c0113a44>] __get_vm_area_node.isra.29+0x90/0x134
[ 51.353197] [<
c011486c>] get_vm_area_caller+0x3c/0x48
[ 51.360224] [<
c0114be0>] vmap+0x40/0x78
[ 51.365977] [<
c09442f0>] check_writebuffer_bugs+0x54/0x1a0
[ 51.373464] [<
c093eac0>] start_kernel+0x320/0x388
[ 51.380131] [<
80008074>] 0x80008074
[ 51.385517] }
[ 51.387260] ... key at: [<
c0a66948>] vmap_area_lock+0x10/0x20
[ 51.393841] ... acquired at:
[ 51.396945] [<
c00899ac>] lock_acquire+0x9c/0x104
[ 51.402060] [<
c06584e8>] _raw_spin_lock+0x28/0x38
[ 51.407266] [<
c01127fc>] find_vmap_area+0x10/0x6c
[ 51.412478] [<
c0114960>] remove_vm_area+0x8/0x6c
[ 51.417592] [<
c0114a7c>] __vunmap+0x20/0xf8
[ 51.422252] [<
c001c350>] __arm_iounmap+0x10/0x18
[ 51.427369] [<
bf017d08>] cpdma_ctlr_destroy+0xf0/0x114 [davinci_cpdma]
[ 51.434487] [<
bf026294>] cpsw_remove+0x48/0x8c [ti_cpsw]
[ 51.440336] [<
c03e62c8>] platform_drv_remove+0x18/0x1c
[ 51.446000] [<
c03e4c44>] __device_release_driver+0x70/0xc8
[ 51.452031] [<
c03e5458>] driver_detach+0xb4/0xb8
[ 51.457147] [<
c03e4a6c>] bus_remove_driver+0x4c/0x90
[ 51.462628] [<
c00b024c>] SyS_delete_module+0x10c/0x198
[ 51.468289] [<
c000e580>] ret_fast_syscall+0x0/0x48
[ 51.473584]
[ 51.475140]
[ 51.475140] stack backtrace:
[ 51.479703] CPU: 0 PID: 1921 Comm: modprobe Not tainted
3.14.19-02124-g95c5b7b #308
[ 51.487744] [<
c0016090>] (unwind_backtrace) from [<
c0012060>] (show_stack+0x10/0x14)
[ 51.495865] [<
c0012060>] (show_stack) from [<
c0652a20>] (dump_stack+0x78/0x94)
[ 51.503444] [<
c0652a20>] (dump_stack) from [<
c0086f18>] (check_usage+0x408/0x594)
[ 51.511293] [<
c0086f18>] (check_usage) from [<
c00870f8>] (check_irq_usage+0x54/0xb0)
[ 51.519416] [<
c00870f8>] (check_irq_usage) from [<
c0088724>] (__lock_acquire+0xe54/0x1b90)
[ 51.528077] [<
c0088724>] (__lock_acquire) from [<
c00899ac>] (lock_acquire+0x9c/0x104)
[ 51.536291] [<
c00899ac>] (lock_acquire) from [<
c06584e8>] (_raw_spin_lock+0x28/0x38)
[ 51.544417] [<
c06584e8>] (_raw_spin_lock) from [<
c01127fc>] (find_vmap_area+0x10/0x6c)
[ 51.552726] [<
c01127fc>] (find_vmap_area) from [<
c0114960>] (remove_vm_area+0x8/0x6c)
[ 51.560935] [<
c0114960>] (remove_vm_area) from [<
c0114a7c>] (__vunmap+0x20/0xf8)
[ 51.568693] [<
c0114a7c>] (__vunmap) from [<
c001c350>] (__arm_iounmap+0x10/0x18)
[ 51.576362] [<
c001c350>] (__arm_iounmap) from [<
bf017d08>] (cpdma_ctlr_destroy+0xf0/0x114 [davinci_cpdma])
[ 51.586494] [<
bf017d08>] (cpdma_ctlr_destroy [davinci_cpdma]) from [<
bf026294>] (cpsw_remove+0x48/0x8c [ti_cpsw])
[ 51.597261] [<
bf026294>] (cpsw_remove [ti_cpsw]) from [<
c03e62c8>] (platform_drv_remove+0x18/0x1c)
[ 51.606659] [<
c03e62c8>] (platform_drv_remove) from [<
c03e4c44>] (__device_release_driver+0x70/0xc8)
[ 51.616237] [<
c03e4c44>] (__device_release_driver) from [<
c03e5458>] (driver_detach+0xb4/0xb8)
[ 51.625264] [<
c03e5458>] (driver_detach) from [<
c03e4a6c>] (bus_remove_driver+0x4c/0x90)
[ 51.633749] [<
c03e4a6c>] (bus_remove_driver) from [<
c00b024c>] (SyS_delete_module+0x10c/0x198)
[ 51.642781] [<
c00b024c>] (SyS_delete_module) from [<
c000e580>] (ret_fast_syscall+0x0/0x48)
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mugunthan V N [Mon, 13 Oct 2014 16:51:05 +0000 (22:21 +0530)]
drivers: net: davinci_cpdma: remove kfree on objects allocated with devm_* apis
memories allocated with devm_* apis must not be freed with kfree apis,
so removing the kfree calls
Fixes:
e194312854ed ('drivers: net: davinci_cpdma: Convert kzalloc() to devm_kzalloc().')
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Prashant Sreedharan [Mon, 13 Oct 2014 16:21:42 +0000 (09:21 -0700)]
tg3: Add skb->xmit_more support
Ring TX doorbell only if xmit_more is not set or the queue is stopped.
Suggested-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Prashant Sreedharan <prashant@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko [Mon, 13 Oct 2014 14:34:10 +0000 (16:34 +0200)]
ipv4: fix nexthop attlen check in fib_nh_match
fib_nh_match does not match nexthops correctly. Example:
ip route add 172.16.10/24 nexthop via 192.168.122.12 dev eth0 \
nexthop via 192.168.122.13 dev eth0
ip route del 172.16.10/24 nexthop via 192.168.122.14 dev eth0 \
nexthop via 192.168.122.15 dev eth0
Del command is successful and route is removed. After this patch
applied, the route is correctly matched and result is:
RTNETLINK answers: No such process
Please consider this for stable trees as well.
Fixes:
4e902c57417c4 ("[IPv4]: FIB configuration using struct fib_config")
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sat, 11 Oct 2014 22:17:29 +0000 (15:17 -0700)]
tcp: fix tcp_ack() performance problem
We worked hard to improve tcp_ack() performance, by not accessing
skb_shinfo() in fast path (
cd7d8498c9a5 tcp: change tcp_skb_pcount()
location)
We still have one spurious access because of ACK timestamping,
added in commit
e1c8a607b281 ("net-timestamp: ACK timestamp for
bytestreams")
By checking if sk_tsflags has SOF_TIMESTAMPING_TX_ACK set,
we can avoid two cache line misses for the common case.
While we are at it, add two prefetchw() :
One in tcp_ack() to bring skb at the head of write queue.
One in tcp_clean_rtx_queue() loop to bring following skb,
as we will delete skb from the write queue and dirty skb->next->prev.
Add a couple of [un]likely() clauses.
After this patch, tcp_ack() is no longer the most consuming
function in tcp stack.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Van Jacobson <vanj@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 19:05:39 +0000 (15:05 -0400)]
Merge branch 'isdn'
Tilman Schmidt says:
====================
Coverity patches for drivers/isdn
Here's a series of patches for the ISDN CAPI subsystem and the
Gigaset ISDN driver.
Patches 1 to 7 are specific fixes for Coverity warnings.
Patches 8 to 11 fix related problems with the handling of invalid
CAPI command codes I noticed while working on this.
Patch 12 fixes an unrelated problem I noticed during the subsequent
regression tests.
It would be great if these could still be merged.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/gigaset: fix usb_gigaset write_cmd result race
In usb_gigaset function gigaset_write_cmd(), the length field of
the command buffer structure could be cleared by the transmit
tasklet before it was used for the function's return value.
Fix by copying to a local variable before scheduling the tasklet.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: don't return NULL from capi_cmd2str()
capi_cmd2str() is used in many places to build log messages.
None of them is prepared to handle NULL as a result.
Change the function to return printable string "INVALID_COMMAND"
instead.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: handle CAPI 2.0 message parser failures
Have callers of capi_cmsg2message and capi_message2cmsg handle
non-zero return values indicating failure.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: prevent NULL pointer dereference on invalid CAPI command
An invalid CAPI 2.0 command/subcommand combination may retrieve a
NULL pointer from the cpars[] array which will later be dereferenced
by the parser routines.
Fix by adding NULL pointer checks in strategic places.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: refactor command/subcommand table accesses
Encapsulate accesses to the CAPI 2.0 command/subcommand name and
parameter tables in a single place in preparation for redesign.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: prevent index overrun from command_2_index()
The result of the function command_2_index() is used to index two
arrays mnames[] and cpars[] with max. index 0x4e but in its current
form that function can produce results up to 3*(0x9+0x9)+0x7f =
0xb5.
Fix by clamping all result values potentially overrunning the arrays
to zero which is already handled as an invalid value.
Re-spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/capi: correct capi20_manufacturer argument type mismatch
Function capi20_manufacturer() is declared with unsigned int cmd
argument but called with unsigned long.
Fix by correcting the function prototype since the actual argument
is part of the user visible API.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:30 +0000 (13:46 +0200)]
isdn/gigaset: fix non-heap pointer deallocation
at_state structures may be allocated individually or as part of a
cardstate or bc_state structure. The disconnect() function handled
both cases, creating a risk that it might try to deallocate an
at_state structure that had not been allocated individually.
Fix by splitting disconnect() into two variants handling cases
with and without an associated B channel separately, and adding
an explicit check.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:29 +0000 (13:46 +0200)]
isdn/gigaset: fix NULL pointer dereference
In do_action, a NULL pointer might be passed to function start_dial
which will dereference it.
Fix by adding a check for NULL before the call.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:29 +0000 (13:46 +0200)]
isdn/gigaset: limit raw CAPI message dump length
In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:29 +0000 (13:46 +0200)]
isdn/gigaset: make sure controller name is null terminated
In gigaset_isdn_regdev, the name field may not have a null terminator
if the source string's length is equal to the buffer size.
Fix by zero filling the structure and excluding the last byte of the
name field from the copy.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Sat, 11 Oct 2014 11:46:29 +0000 (13:46 +0200)]
isdn/gigaset: missing break in do_facility_req
If we take the unsupported supplementary service notification mask
path, we end up falling through and overwriting the error code.
Insert a break statement to skip the remainder of the switch case
and proceed to sending the reply message.
Spotted with Coverity.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 18:45:17 +0000 (14:45 -0400)]
Merge branch 'fec-ptp'
Luwei Zhou says:
====================
Enable FEC pps feather
Change from v2 to v3:
-Using the default channel 0 to be PPS channel not PTP_PIN_SET/GETFUNC interface.
-Using the linux definition of NSEC_PER_SEC.
Change from v1 to v2:
- Fix the potential 32-bit multiplication overflow issue.
- Optimize the hareware adjustment code to improve efficiency as Richard suggested
- Use ptp PTP_PIN_SET/GETFUNC interface to set PPS channel not device tree
and add PTP_PF_PPS enumeration
- Modify comments style
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Luwei Zhou [Fri, 10 Oct 2014 05:15:30 +0000 (13:15 +0800)]
net: fec: ptp: Enable PPS output based on ptp clock
FEC ptp timer has 4 channel compare/trigger function. It can be used to
enable pps output.
The pulse would be ouput high exactly on N second. The pulse ouput high
on compare event mode is used to produce pulse per second. The pulse
width would be one cycle based on ptp timer clock source.Since 31-bit
ptp hardware timer is used, the timer will wrap more than 2 seconds. We
need to reload the compare compare event about every 1 second.
Signed-off-by: Luwei Zhou <b45643@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Luwei Zhou [Fri, 10 Oct 2014 05:15:29 +0000 (13:15 +0800)]
net: fec: ptp: Use hardware algorithm to adjust PTP counter.
The FEC IP supports hardware adjustment for ptp timer. Refer to the description of
ENET_ATCOR and ENET_ATINC registers in the spec about the hardware adjustment. This
patch uses hardware support to adjust the ptp offset and frequency on the slave side.
Signed-off-by: Luwei Zhou <b45643@freescale.com>
Signed-off-by: Frank Li <Frank.Li@freescale.com>
Signed-off-by: Fugang Duan <b38611@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Luwei Zhou [Fri, 10 Oct 2014 05:15:28 +0000 (13:15 +0800)]
net: fec: ptp: Use the 31-bit ptp timer.
When ptp switches from software adjustment to hardware ajustment, linux ptp can't converge.
It is caused by the IP limit. Hardware adjustment logcial have issue when ptp counter
runs over 0x80000000(31 bit counter). The internal IP reference manual already remove 32bit
free-running count support. This patch replace the 32-bit PTP timer with 31-bit.
Signed-off-by: Luwei Zhou <b45643@freescale.com>
Signed-off-by: Frank Li <Frank.Li@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Sat, 11 Oct 2014 05:03:34 +0000 (13:03 +0800)]
ipv6: remove aca_lock spinlock from struct ifacaddr6
no user uses this lock.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexei Starovoitov [Sat, 11 Oct 2014 03:30:23 +0000 (20:30 -0700)]
x86: bpf_jit: fix two bugs in eBPF JIT compiler
1.
JIT compiler using multi-pass approach to converge to final image size,
since x86 instructions are variable length. It starts with large
gaps between instructions (so some jumps may use imm32 instead of imm8)
and iterates until total program size is the same as in previous pass.
This algorithm works only if program size is strictly decreasing.
Programs that use LD_ABS insn need additional code in prologue, but it
was not emitted during 1st pass, so there was a chance that 2nd pass would
adjust imm32->imm8 jump offsets to the same number of bytes as increase in
prologue, which may cause algorithm to erroneously decide that size converged.
Fix it by always emitting largest prologue in the first pass which
is detected by oldproglen==0 check.
Also change error check condition 'proglen != oldproglen' to fail gracefully.
2.
while staring at the code realized that 64-byte buffer may not be enough
when 1st insn is large, so increase it to 128 to avoid buffer overflow
(theoretical maximum size of prologue+div is 109) and add runtime check.
Fixes:
622582786c9e ("net: filter: x86: internal BPF JIT")
Reported-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Tested-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sat, 11 Oct 2014 01:06:35 +0000 (18:06 -0700)]
tcp: fix ooo_okay setting vs Small Queues
TCP Small Queues (tcp_tsq_handler()) can hold one reference on
sk->sk_wmem_alloc, preventing skb->ooo_okay being set.
We should relax test done to set skb->ooo_okay to take care
of this extra reference.
Minimal truesize of skb containing one byte of payload is
SKB_TRUESIZE(1)
Without this fix, we have more chance locking flows into the wrong
transmit queue.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Aring [Fri, 10 Oct 2014 21:10:47 +0000 (23:10 +0200)]
skbuff: fix ftrace handling in skb_unshare
If the skb is not dropped afterwards we should run consume_skb instead
kfree_skb. Inside of function skb_unshare we do always a kfree_skb,
doesn't depend if skb_copy failed or was successful.
This patch switch this behaviour like skb_share_check, if allocation of
sk_buff failed we use kfree_skb otherwise consume_skb.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Duyck [Fri, 10 Oct 2014 21:30:52 +0000 (14:30 -0700)]
fm10k: Add skb->xmit_more support
This change adds support for skb->xmit_more based on the changes that were
made to igb to support the feature. The main changes are moving up the
check for maybe_stop_tx so that we can check netif_xmit_stopped to determine
if we must write the tail because we can add no further buffers.
Acked-by: Matthew Vick <matthew.vick@intel.com>
Signed-off-by: Alexander Duyck <alexander.h.duyck@redhat.com>
Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nimrod Andy [Mon, 13 Oct 2014 02:53:48 +0000 (10:53 +0800)]
net: fec: Fix sparse warnings with different lock contexts for basic block
reproduce:
make ARCH=arm C=1 2>fec.txt drivers/net/ethernet/freescale/fec_main.o
cat fec.txt
sparse warnings:
drivers/net/ethernet/freescale/fec_main.c:2916:12: warning: context imbalance
in 'fec_set_features' - different lock contexts for basic block
Christopher Li suggest to change as below:
if (need_lock) {
lock();
do_something_real();
unlock();
} else {
do_something_real();
}
Reported-by: Fabio Estevam <festevam@gmail.com>
Suggested-by: Christopher Li <sparse@chrisli.org>
Signed-off-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vince Bridgers [Thu, 9 Oct 2014 15:08:42 +0000 (10:08 -0500)]
MAINTAINERS: Update contact information for Vince Bridgers
Signed-off-by: Vince Bridgers <vbridger@opensource.altera.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 14 Oct 2014 16:46:29 +0000 (12:46 -0400)]
Merge branch 'sctp'
Daniel Borkmann says:
====================
Here are some SCTP fixes.
[ Note, immediate workaround would be to disable ASCONF (it
is sysctl disabled by default). It is actually only used
together with chunk authentication. ]
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Thu, 9 Oct 2014 20:55:33 +0000 (22:55 +0200)]
net: sctp: fix remote memory pressure from excessive queueing
This scenario is not limited to ASCONF, just taken as one
example triggering the issue. When receiving ASCONF probes
in the form of ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
[...]
---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
ASCONFs and have increasing serial numbers, we process such
ASCONF chunk(s) marked with !end_of_packet and !singleton,
since we have not yet reached the SCTP packet end. SCTP does
only do verification on a chunk by chunk basis, as an SCTP
packet is nothing more than just a container of a stream of
chunks which it eats up one by one.
We could run into the case that we receive a packet with a
malformed tail, above marked as trailing JUNK. All previous
chunks are here goodformed, so the stack will eat up all
previous chunks up to this point. In case JUNK does not fit
into a chunk header and there are no more other chunks in
the input queue, or in case JUNK contains a garbage chunk
header, but the encoded chunk length would exceed the skb
tail, or we came here from an entirely different scenario
and the chunk has pdiscard=1 mark (without having had a flush
point), it will happen, that we will excessively queue up
the association's output queue (a correct final chunk may
then turn it into a response flood when flushing the
queue ;)): I ran a simple script with incremental ASCONF
serial numbers and could see the server side consuming
excessive amount of RAM [before/after: up to 2GB and more].
The issue at heart is that the chunk train basically ends
with !end_of_packet and !singleton markers and since commit
2e3216cd54b1 ("sctp: Follow security requirement of responding
with 1 packet") therefore preventing an output queue flush
point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
chunk (chunk = event_arg) even though local_cork is set,
but its precedence has changed since then. In the normal
case, the last chunk with end_of_packet=1 would trigger the
queue flush to accommodate possible outgoing bundling.
In the input queue, sctp_inq_pop() seems to do the right thing
in terms of discarding invalid chunks. So, above JUNK will
not enter the state machine and instead be released and exit
the sctp_assoc_bh_rcv() chunk processing loop. It's simply
the flush point being missing at loop exit. Adding a try-flush
approach on the output queue might not work as the underlying
infrastructure might be long gone at this point due to the
side-effect interpreter run.
One possibility, albeit a bit of a kludge, would be to defer
invalid chunk freeing into the state machine in order to
possibly trigger packet discards and thus indirectly a queue
flush on error. It would surely be better to discard chunks
as in the current, perhaps better controlled environment, but
going back and forth, it's simply architecturally not possible.
I tried various trailing JUNK attack cases and it seems to
look good now.
Joint work with Vlad Yasevich.
Fixes:
2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>