Eric Dumazet [Thu, 10 Oct 2013 13:30:09 +0000 (06:30 -0700)]
l2tp: must disable bh before calling l2tp_xmit_skb()
François Cachereul made a very nice bug report and suspected
the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from
process context was not good.
This problem was added by commit
6af88da14ee284aaad6e4326da09a89191ab6165
("l2tp: Fix locking in l2tp_core.c").
l2tp_eth_dev_xmit() runs from BH context, so we must disable BH
from other l2tp_xmit_skb() users.
[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662]
[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox
ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod
virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan]
[ 452.064012] CPU 1
[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643]
[ 452.080015] CPU 2
[ 452.080015]
[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
[ 452.080015] RIP: 0010:[<
ffffffff81059f6c>] [<
ffffffff81059f6c>] do_raw_spin_lock+0x17/0x1f
[ 452.080015] RSP: 0018:
ffff88007125fc18 EFLAGS:
00000293
[ 452.080015] RAX:
000000000000aba9 RBX:
ffffffff811d0703 RCX:
0000000000000000
[ 452.080015] RDX:
00000000000000ab RSI:
ffff8800711f6896 RDI:
ffff8800745c8110
[ 452.080015] RBP:
ffff88007125fc18 R08:
0000000000000020 R09:
0000000000000000
[ 452.080015] R10:
0000000000000000 R11:
0000000000000280 R12:
0000000000000286
[ 452.080015] R13:
0000000000000020 R14:
0000000000000240 R15:
0000000000000000
[ 452.080015] FS:
00007fdc0cc24700(0000) GS:
ffff8800b6f00000(0000) knlGS:
0000000000000000
[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 452.080015] CR2:
00007fdb054899b8 CR3:
0000000074404000 CR4:
00000000000006a0
[ 452.080015] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 452.080015] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 452.080015] Process accel-pppd (pid: 6643, threadinfo
ffff88007125e000, task
ffff8800b27e6dd0)
[ 452.080015] Stack:
[ 452.080015]
ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1
[ 452.080015]
ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e
[ 452.080015]
000000000000005c 000000080000000e 0000000000000000 ffff880071170600
[ 452.080015] Call Trace:
[ 452.080015] [<
ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.080015] [<
ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
[ 452.080015] [<
ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.080015] [<
ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.080015] [<
ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.080015] [<
ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.080015] [<
ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.080015] [<
ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.080015] [<
ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.080015] [<
ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.080015] [<
ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3
[ 452.080015] Call Trace:
[ 452.080015] [<
ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.080015] [<
ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
[ 452.080015] [<
ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.080015] [<
ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.080015] [<
ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.080015] [<
ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.080015] [<
ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.080015] [<
ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.080015] [<
ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.080015] [<
ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.080015] [<
ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.064012]
[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
[ 452.064012] RIP: 0010:[<
ffffffff81059f6e>] [<
ffffffff81059f6e>] do_raw_spin_lock+0x19/0x1f
[ 452.064012] RSP: 0018:
ffff8800b6e83ba0 EFLAGS:
00000297
[ 452.064012] RAX:
000000000000aaa9 RBX:
ffff8800b6e83b40 RCX:
0000000000000002
[ 452.064012] RDX:
00000000000000aa RSI:
000000000000000a RDI:
ffff8800745c8110
[ 452.064012] RBP:
ffff8800b6e83ba0 R08:
000000000000c802 R09:
000000000000001c
[ 452.064012] R10:
ffff880071096c4e R11:
0000000000000006 R12:
ffff8800b6e83b18
[ 452.064012] R13:
ffffffff8125d51e R14:
ffff8800b6e83ba0 R15:
ffff880072a589c0
[ 452.064012] FS:
00007fdc0b81e700(0000) GS:
ffff8800b6e80000(0000) knlGS:
0000000000000000
[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 452.064012] CR2:
0000000000625208 CR3:
0000000074404000 CR4:
00000000000006a0
[ 452.064012] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 452.064012] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 452.064012] Process accel-pppd (pid: 6662, threadinfo
ffff88007129a000, task
ffff8800744f7410)
[ 452.064012] Stack:
[ 452.064012]
ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a
[ 452.064012]
ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62
[ 452.064012]
0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276
[ 452.064012] Call Trace:
[ 452.064012] <IRQ>
[ 452.064012] [<
ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.064012] [<
ffffffff8121c64a>] spin_lock+0x9/0xb
[ 452.064012] [<
ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
[ 452.064012] [<
ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
[ 452.064012] [<
ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
[ 452.064012] [<
ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
[ 452.064012] [<
ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
[ 452.064012] [<
ffffffff811fe54e>] ip_local_deliver+0x53/0x84
[ 452.064012] [<
ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
[ 452.064012] [<
ffffffff811fe78f>] ip_rcv+0x210/0x269
[ 452.064012] [<
ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
[ 452.064012] [<
ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
[ 452.064012] [<
ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
[ 452.064012] [<
ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
[ 452.064012] [<
ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
[ 452.064012] [<
ffffffff811d9417>] net_rx_action+0x73/0x184
[ 452.064012] [<
ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffff810343b9>] __do_softirq+0xc3/0x1a8
[ 452.064012] [<
ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
[ 452.064012] [<
ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
[ 452.064012] [<
ffffffff8125e0ac>] call_softirq+0x1c/0x26
[ 452.064012] [<
ffffffff81003587>] do_softirq+0x45/0x82
[ 452.064012] [<
ffffffff81034667>] irq_exit+0x42/0x9c
[ 452.064012] [<
ffffffff8125e146>] do_IRQ+0x8e/0xa5
[ 452.064012] [<
ffffffff8125676e>] common_interrupt+0x6e/0x6e
[ 452.064012] <EOI>
[ 452.064012] [<
ffffffff810b82a1>] ? kfree+0x8a/0xa3
[ 452.064012] [<
ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.064012] [<
ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.064012] [<
ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.064012] [<
ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.064012] [<
ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.064012] [<
ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.064012] [<
ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.064012] [<
ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.064012] [<
ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 <eb> f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48
[ 452.064012] Call Trace:
[ 452.064012] <IRQ> [<
ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.064012] [<
ffffffff8121c64a>] spin_lock+0x9/0xb
[ 452.064012] [<
ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
[ 452.064012] [<
ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
[ 452.064012] [<
ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
[ 452.064012] [<
ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
[ 452.064012] [<
ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
[ 452.064012] [<
ffffffff811fe54e>] ip_local_deliver+0x53/0x84
[ 452.064012] [<
ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
[ 452.064012] [<
ffffffff811fe78f>] ip_rcv+0x210/0x269
[ 452.064012] [<
ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
[ 452.064012] [<
ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
[ 452.064012] [<
ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
[ 452.064012] [<
ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
[ 452.064012] [<
ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
[ 452.064012] [<
ffffffff811d9417>] net_rx_action+0x73/0x184
[ 452.064012] [<
ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffff810343b9>] __do_softirq+0xc3/0x1a8
[ 452.064012] [<
ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
[ 452.064012] [<
ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
[ 452.064012] [<
ffffffff8125e0ac>] call_softirq+0x1c/0x26
[ 452.064012] [<
ffffffff81003587>] do_softirq+0x45/0x82
[ 452.064012] [<
ffffffff81034667>] irq_exit+0x42/0x9c
[ 452.064012] [<
ffffffff8125e146>] do_IRQ+0x8e/0xa5
[ 452.064012] [<
ffffffff8125676e>] common_interrupt+0x6e/0x6e
[ 452.064012] <EOI> [<
ffffffff810b82a1>] ? kfree+0x8a/0xa3
[ 452.064012] [<
ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
[ 452.064012] [<
ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.064012] [<
ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.064012] [<
ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.064012] [<
ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.064012] [<
ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.064012] [<
ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.064012] [<
ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.064012] [<
ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.064012] [<
ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
Reported-by: François Cachereul <f.cachereul@alphalink.fr>
Tested-by: François Cachereul <f.cachereul@alphalink.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Simon Horman [Thu, 10 Oct 2013 05:51:16 +0000 (14:51 +0900)]
net: sh_eth: Correct fix for RX packet errors on R8A7740
Nguyen Hong Ky posted a patch to correct RX packet errors on R8A7740 which
was applied as
2c6221e4a5aab417 ("net: sh_eth: Fix RX packets errors on
R8A7740"). Unfortunately sh_eth.c contains many similar instances
of struct sh_eth_cpu_data and the patch was miss-applied, updating
sh7734_data instead of r8a7740_data.
This patch corrects this problem by.
1. Reverting the change to sh7734_data and;
2. Applying the change to r8a7740_data.
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christophe Gouault [Tue, 8 Oct 2013 15:21:22 +0000 (17:21 +0200)]
vti: get rid of nf mark rule in prerouting
This patch fixes and improves the use of vti interfaces (while
lightly changing the way of configuring them).
Currently:
- it is necessary to identify and mark inbound IPsec
packets destined to each vti interface, via netfilter rules in
the mangle table at prerouting hook.
- the vti module cannot retrieve the right tunnel in input since
commit
b9959fd3: vti tunnels all have an i_key, but the tunnel lookup
is done with flag TUNNEL_NO_KEY, so there no chance to retrieve them.
- the i_key is used by the outbound processing as a mark to lookup
for the right SP and SA bundle.
This patch uses the o_key to store the vti mark (instead of i_key) and
enables:
- to avoid the need for previously marking the inbound skbuffs via a
netfilter rule.
- to properly retrieve the right tunnel in input, only based on the IPsec
packet outer addresses.
- to properly perform an inbound policy check (using the tunnel o_key
as a mark).
- to properly perform an outbound SPD and SAD lookup (using the tunnel
o_key as a mark).
- to keep the current mark of the skbuff. The skbuff mark is neither
used nor changed by the vti interface. Only the vti interface o_key
is used.
SAs have a wildcard mark.
SPs have a mark equal to the vti interface o_key.
The vti interface must be created as follows (i_key = 0, o_key = mark):
ip link add vti1 mode vti local 1.1.1.1 remote 2.2.2.2 okey 1
The SPs attached to vti1 must be created as follows (mark = vti1 o_key):
ip xfrm policy add dir out mark 1 tmpl src 1.1.1.1 dst 2.2.2.2 \
proto esp mode tunnel
ip xfrm policy add dir in mark 1 tmpl src 2.2.2.2 dst 1.1.1.1 \
proto esp mode tunnel
The SAs are created with the default wildcard mark. There is no
distinction between global vs. vti SAs. Just their addresses will
possibly link them to a vti interface:
ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1000 mode tunnel \
enc "cbc(aes)" "azertyuiopqsdfgh"
ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2000 mode tunnel \
enc "cbc(aes)" "sqbdhgqsdjqjsdfh"
To avoid matching "global" (not vti) SPs in vti interfaces, global SPs
should no use the default wildcard mark, but explicitly match mark 0.
To avoid a double SPD lookup in input and output (in global and vti SPDs),
the NOPOLICY and NOXFRM options should be set on the vti interfaces:
echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_policy
echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_xfrm
The outgoing traffic is steered to vti1 by a route via the vti interface:
ip route add 192.168.0.0/16 dev vti1
The incoming IPsec traffic is steered to vti1 because its outer addresses
match the vti1 tunnel configuration.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 10 Oct 2013 19:57:59 +0000 (15:57 -0400)]
bridge: update mdb expiration timer upon reports.
commit
9f00b2e7cf241fa389733d41b615efdaa2cb0f5b
bridge: only expire the mdb entry when query is received
changed the mdb expiration timer to be armed only when QUERY is
received. Howerver, this causes issues in an environment where
the multicast server socket comes and goes very fast while a client
is trying to send traffic to it.
The root cause is a race where a sequence of LEAVE followed by REPORT
messages can race against QUERY messages generated in response to LEAVE.
The QUERY ends up starting the expiration timer, and that timer can
potentially expire after the new REPORT message has been received signaling
the new join operation. This leads to a significant drop in multicast
traffic and possible complete stall.
The solution is to have REPORT messages update the expiration timer
on entries that already exist.
CC: Cong Wang <xiyou.wangcong@gmail.com>
CC: Herbert Xu <herbert@gondor.apana.org.au>
CC: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marc Kleine-Budde [Wed, 9 Oct 2013 10:19:19 +0000 (12:19 +0200)]
can: at91-can: fix device to driver data mapping for platform devices
In commit:
3078cde7 can: at91_can: add dt support
device tree support was added to the at91_can driver. In this commit the
mapping of device to driver data was mixed up. This results in the sam9x5
parameters being used for the sam9263 and the workaround for the broken mailbox
0 on the sam9263 not being activated.
This patch fixes the broken platform_device_id table.
Cc: linux-stable <stable@vger.kernel.org>
Cc: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Marc Kleine-Budde [Thu, 3 Oct 2013 21:51:55 +0000 (23:51 +0200)]
can: flexcan: fix mx28 detection by rearanging OF match table
The current implemetation of of_match_device() relies that the of_device_id
table in the driver is sorted from most specific to least specific compatible.
Without this patch the mx28 is detected as the less specific p1010. This leads
to a p1010 specific workaround is activated on the mx28, which is not needed.
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Marc Kleine-Budde [Fri, 4 Oct 2013 08:52:36 +0000 (10:52 +0200)]
can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX
In patch
0d1862e can: flexcan: fix flexcan_chip_start() on imx6
the loop in flexcan_chip_start() that iterates over all mailboxes after the
soft reset of the CAN core was removed. This loop put all mailboxes (even the
ones marked as reserved 1...7) into EMPTY/INACTIVE mode. On mailboxes 8...63,
this aborts any pending TX messages.
After a cold boot there is random garbage in the mailboxes, which leads to
spontaneous transmit of CAN frames during first activation. Further if the
interface was disabled with a pending message (usually due to an error
condition on the CAN bus), this message is retransmitted after enabling the
interface again.
This patch fixes the regression by:
1) Limiting the maximum number of used mailboxes to 8, 0...7 are used by the RX
FIFO, 8 is used by TX.
2) Marking the TX mailbox as EMPTY/INACTIVE, so that any pending TX of that
mailbox is aborted.
Cc: linux-stable <stable@vger.kernel.org>
Cc: Lothar Waßmann <LW@KARO-electronics.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
David S. Miller [Wed, 9 Oct 2013 18:04:00 +0000 (14:04 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
===================
Please pull this batch of fixes intended for 3.12...
Most of the bits are for iwlwifi -- Johannes says:
"I have a fix for WoWLAN/D3, a PCIe device fix, we're removing a
warning, there's a fix for RF-kill while scanning (which goes together
with a mac80211 fix) and last but not least we have many new PCI IDs."
Also for iwlwifi is a patch from Johannes to correct some merge damage
that crept into the tree before the last merge window.
On top of that, Felix Fietkau sends an ath9k patch to avoid a Tx
scheduling hang when changing channels to do a scan.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 9 Oct 2013 18:02:14 +0000 (14:02 -0400)]
Merge branch 'gianfar'
Merge in gianfar driver bug fixes from Claudiu Manoil.
Signed-off-by: David S. Miller <davem@davemloft.net>
Claudiu Manoil [Wed, 9 Oct 2013 17:20:42 +0000 (20:20 +0300)]
gianfar: Enable eTSEC-20 erratum w/a for P2020 Rev1
Enable workaround for P2020/P2010 erratum eTSEC 20,
"Excess delays when transmitting TOE=1 large frames".
The impact is that frames lager than 2500-bytes for which
TOE (i.e. TCP/IP hw accelerations like Tx csum) is enabled
may see excess delay before start of transmission.
This erratum was fixed in Rev 2.0.
Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Claudiu Manoil [Wed, 9 Oct 2013 17:20:41 +0000 (20:20 +0300)]
gianfar: Use mpc85xx support for errata detection
Use the macros and defines from mpc85xx.h to simplify
and prevent errors in identifying a mpc85xx based SoC
for errata detection.
This should help enabling (and identifying) workarounds
for various mpc85xx based chips and revisions.
For instance, express MPC8548 Rev.2 as:
(SVR_SOC_VER(svr) == SVR_8548) && (SVR_REV(svr) == 0x20)
instead of:
(pvr == 0x80210020 && mod == 0x8030 && rev == 0x0020)
Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Claudiu Manoil [Wed, 9 Oct 2013 17:20:40 +0000 (20:20 +0300)]
gianfar: Enable eTSEC-A002 erratum w/a for all parts
A002 is still in "no plans to fix" state, and applies to all
the current P1/P2 parts as well, so it's resonable to enable
its workaround by default, for all the soc's with etsec.
The impact of not enabling this workaround for affected parts
is that under certain conditons (runt frames or even frames
with RX error detected at PHY level) during controller reset,
the controller might fail to indicate Rx reset (GRS) completion.
Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 9 Oct 2013 17:41:45 +0000 (13:41 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
1) We used the wrong netlink attribute to verify the
lenght of the replay window on async events. Fix this by
using the right netlink attribute.
2) Policy lookups can not match the output interface on forwarding.
Add the needed informations to the flow informations.
3) We update the pmtu when we receive a ICMPV6_DEST_UNREACH message
on IPsec with ipv6. This is wrong and leads to strange fragmented
packets, only ICMPV6_PKT_TOOBIG messages should update the pmtu.
Fix this by removing the ICMPV6_DEST_UNREACH check from the IPsec
protocol error handlers.
4) The legacy IPsec anti replay mechanism supports anti replay
windows up to 32 packets. If a user requests for a bigger
anti replay window, we use 32 packets but pretend that we use
the requested window size. Fix from Fan Du.
5) If asynchronous events are enabled and replay_maxdiff is set to
zero, we generate an async event for every received packet instead
of checking whether a timeout occurred. Fix from Thomas Egerer.
6) Policies need a refcount when the state resolution timer is armed.
Otherwise the timer can fire after the policy is deleted.
7) We might dreference a NULL pointer if the hold_queue is empty,
add a check to avoid this.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabio Estevam [Sat, 5 Oct 2013 20:56:59 +0000 (17:56 -0300)]
net: secure_seq: Fix warning when CONFIG_IPV6 and CONFIG_INET are not selected
net_secret() is only used when CONFIG_IPV6 or CONFIG_INET are selected.
Building a defconfig with both of these symbols unselected (Using the ARM
at91sam9rl_defconfig, for example) leads to the following build warning:
$ make at91sam9rl_defconfig
#
# configuration written to .config
#
$ make net/core/secure_seq.o
scripts/kconfig/conf --silentoldconfig Kconfig
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[1]: `include/generated/mach-types.h' is up to date.
CALL scripts/checksyscalls.sh
CC net/core/secure_seq.o
net/core/secure_seq.c:17:13: warning: 'net_secret_init' defined but not used [-Wunused-function]
Fix this warning by protecting the definition of net_secret() with these
symbols.
Reported-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Wed, 9 Oct 2013 15:19:05 +0000 (11:19 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
David S. Miller [Wed, 9 Oct 2013 01:56:09 +0000 (21:56 -0400)]
Merge branch 'sfc-3.12' of git://git./linux/kernel/git/bwh/sfc
Ben Hutchings says:
====================
Some more fixes for EF10 support; hopefully the last lot:
1. Fixes for reading statistics, from Edward Cree and Jon Cooper.
2. Addition of ethtool statistics for packets dropped by the hardware
before they were associated with a specific function, from Edward Cree.
3. Only bind to functions that are in control of their associated port,
as the driver currently assumes this is the case.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 8 Oct 2013 22:16:00 +0000 (15:16 -0700)]
pkt_sched: fq: fix non TCP flows pacing
Steinar reported FQ pacing was not working for UDP flows.
It looks like the initial sk->sk_pacing_rate value of 0 was
a wrong choice. We should init it to ~0U (unlimited)
Then, TCA_FQ_FLOW_DEFAULT_RATE should be removed because it makes
no real sense. The default rate is really unlimited, and we
need to avoid a zero divide.
Reported-by: Steinar H. Gunderson <sesse@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei Yongjun [Tue, 8 Oct 2013 03:32:17 +0000 (11:32 +0800)]
qlcnic: add missing destroy_workqueue() on error path in qlcnic_probe()
Add the missing destroy_workqueue() before return from
qlcnic_probe() in the error handling case.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wei Yongjun [Tue, 8 Oct 2013 03:19:19 +0000 (11:19 +0800)]
moxa: fix the error handling in moxart_mac_probe()
This patch fix the error handling in moxart_mac_probe():
- return -ENOMEM in some memory alloc fail cases
- add missing free_netdev() in the error handling case
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marc Kleine-Budde [Mon, 7 Oct 2013 21:19:58 +0000 (23:19 +0200)]
net: vlan: fix nlmsg size calculation in vlan_get_size()
This patch fixes the calculation of the nlmsg size, by adding the missing
nla_total_size().
Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 7 Oct 2013 19:50:18 +0000 (12:50 -0700)]
pkt_sched: fq: fix typo for initial_quantum
TCA_FQ_INITIAL_QUANTUM should set q->initial_quantum
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Oussama Ghorbel [Mon, 7 Oct 2013 17:50:05 +0000 (18:50 +0100)]
ipv6: Fix the upper MTU limit in GRE tunnel
Unlike ipv4, the struct member hlen holds the length of the GRE and ipv6
headers. This length is also counted in dev->hard_header_len.
Perhaps, it's more clean to modify the hlen to count only the GRE header
without ipv6 header as the variable name suggest, but the simple way to fix
this without regression risk is simply modify the calculation of the limit
in ip6gre_tunnel_change_mtu function.
Verified in kernel version v3.11.
Signed-off-by: Oussama Ghorbel <ou.ghorbel@gmail.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Vrabel [Mon, 7 Oct 2013 12:55:19 +0000 (13:55 +0100)]
xen-netback: transition to CLOSED when removing a VIF
If a guest is destroyed without transitioning its frontend to CLOSED,
the domain becomes a zombie as netback was not grant unmapping the
shared rings.
When removing a VIF, transition the backend to CLOSED so the VIF is
disconnected if necessary (which will unmap the shared rings etc).
This fixes a regression introduced by
279f438e36c0a70b23b86d2090aeec50155034a9 (xen-netback: Don't destroy
the netdev until the vif is shut down).
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Paul Durrant <Paul.Durrant@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Oct 2013 20:10:10 +0000 (16:10 -0400)]
Merge branch 'mlx4'
Amir Vadai says:
====================
net/mlx4_en: Fix pages never dma unmapped on rx
This patchset fixes a bug introduced by commit
51151a16 (mlx4: allow order-0
memory allocations in RX path). Where dma_unmap_page wasn't called.
Changes from V0:
- Added "Rename name of mlx4_en_rx_alloc members". Old names were confusing.
- Last frag in page calculation was wrong. Since all frags in page are of the
same size, need to add this frag_stride to end of frag offset, and not the
size of next frag in skb.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Amir Vadai [Mon, 7 Oct 2013 11:38:13 +0000 (13:38 +0200)]
net/mlx4_en: Fix pages never dma unmapped on rx
This patch fixes a bug introduced by commit
51151a16 (mlx4: allow
order-0 memory allocations in RX path).
dma_unmap_page never reached because condition to detect last fragment
in page is wrong. offset+frag_stride can't be greater than size, need to
make sure no additional frag will fit in page => compare offset +
frag_stride + next_frag_size instead.
next_frag_size is the same as the current one, since page is shared only
with frags of the same size.
CC: Eric Dumazet <edumazet@google.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amir Vadai [Mon, 7 Oct 2013 11:38:12 +0000 (13:38 +0200)]
net/mlx4_en: Rename name of mlx4_en_rx_alloc members
Add page prefix to page related members: @size and @offset into
@page_size and @page_offset
CC: Eric Dumazet <edumazet@google.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nguyen Hong Ky [Mon, 7 Oct 2013 06:29:25 +0000 (15:29 +0900)]
net: sh_eth: Fix RX packets errors on R8A7740
This patch will fix RX packets errors when receiving big size
of data by set bit RNC = 1.
RNC - Receive Enable Control
0: Upon completion of reception of one frame, the E-DMAC writes
the receive status to the descriptor and clears the RR bit in
EDRRR to 0.
1: Upon completion of reception of one frame, the E-DMAC writes
(writes back) the receive status to the descriptor. In addition,
the E-DMAC reads the next descriptor and prepares for reception
of the next frame.
In addition, for get more stable when receiving packets, I set
maximum size for the transmit/receive FIFO and inserts padding
in receive data.
Signed-off-by: Nguyen Hong Ky <nh-ky@jinso.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Oct 2013 19:44:26 +0000 (15:44 -0400)]
l2tp: Fix build warning with ipv6 disabled.
net/l2tp/l2tp_core.c: In function ‘l2tp_verify_udp_checksum’:
net/l2tp/l2tp_core.c:499:22: warning: unused variable ‘tunnel’ [-Wunused-variable]
Create a helper "l2tp_tunnel()" to facilitate this, and as a side
effect get rid of a bunch of unnecessary void pointer casts.
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Sun, 6 Oct 2013 18:25:12 +0000 (21:25 +0300)]
tun: don't look at current when non-blocking
We play with a wait queue even if socket is
non blocking. This is an obvious waste.
Besides, it will prevent calling the non blocking
variant when current is not valid.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Oct 2013 19:32:19 +0000 (15:32 -0400)]
Merge branch 'mrf24j40'
Alan Ott says:
====================
Fix race conditions in mrf24j40 interrupts
After testing with the betas of this patchset, it's been rebased and is
ready for inclusion.
David Hauweele noticed that the mrf24j40 would hang arbitrarily after some
period of heavy traffic. Two race conditions were discovered, and the
driver was changed to use threaded interrupts, since the enable/disable of
interrupts in the driver has recently been a lighning rod whenever issues
arise related to interrupts (costing engineering time), and since threaded
interrupts are the right way to do it.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Ott [Sun, 6 Oct 2013 03:52:24 +0000 (23:52 -0400)]
mrf24j40: Use level-triggered interrupts
The mrf24j40 generates level interrupts. There are rare cases where it
appears that the interrupt line never gets de-asserted between interrupts,
causing interrupts to be lost, and causing a hung device from the driver's
perspective. Switching the driver to interpret these interrupts as
level-triggered fixes this issue.
Signed-off-by: Alan Ott <alan@signal11.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Ott [Sun, 6 Oct 2013 03:52:23 +0000 (23:52 -0400)]
mrf24j40: Use threaded IRQ handler
Eliminate all the workqueue and interrupt enable/disable.
Signed-off-by: Alan Ott <alan@signal11.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Ott [Sun, 6 Oct 2013 03:52:22 +0000 (23:52 -0400)]
mrf24j40: Move INIT_COMPLETION() to before packet transmission
This avoids a race condition where complete(tx_complete) could be called
before tx_complete is initialized.
Signed-off-by: Alan Ott <alan@signal11.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Oct 2013 19:28:53 +0000 (15:28 -0400)]
Merge branch '6lowpan'
Alan Ott says:
====================
Alexander Aring suggested that devices desired to be linked to 6lowpan
be checked for actually being of type IEEE802154, since IEEE802154 devices
are all that are supported by 6lowpan at present.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Ott [Sun, 6 Oct 2013 03:15:19 +0000 (23:15 -0400)]
6lowpan: Sync default hardware address of lowpan links to their wpan
When a lowpan link to a wpan device is created, set the hardware address
of the lowpan link to that of the wpan device.
Signed-off-by: Alan Ott <alan@signal11.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Ott [Sun, 6 Oct 2013 03:15:18 +0000 (23:15 -0400)]
6lowpan: Only make 6lowpan links to IEEE802154 devices
Refuse to create 6lowpan links if the actual hardware interface is
of any type other than ARPHRD_IEEE802154.
Signed-off-by: Alan Ott <alan@signal11.us>
Suggested-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Tue, 8 Oct 2013 08:49:51 +0000 (10:49 +0200)]
xfrm: check for a vaild skb in xfrm_policy_queue_process
We might dreference a NULL pointer if the hold_queue is empty,
so add a check to avoid this.
Bug was introduced with git commit
a0073fe18 ("xfrm: Add a state
resolution packet queue")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Steffen Klassert [Tue, 8 Oct 2013 08:49:45 +0000 (10:49 +0200)]
xfrm: Add refcount handling to queued policies
We need to ensure that policies can't go away as long as the hold timer
is armed, so take a refcont when we arm the timer and drop one if we
delete it.
Bug was introduced with git commit
a0073fe18 ("xfrm: Add a state
resolution packet queue")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Eric W. Biederman [Sat, 5 Oct 2013 20:15:30 +0000 (13:15 -0700)]
net: Update the sysctl permissions handler to test effective uid/gid
On Tue, 20 Aug 2013 11:40:04 -0500 Eric Sandeen <sandeen@redhat.com> wrote:
> This was brought up in a Red Hat bug (which may be marked private, I'm sorry):
>
> Bug 987055 - open O_WRONLY succeeds on some root owned files in /proc for process running with unprivileged EUID
>
> "On RHEL7 some of the files in /proc can be opened for writing by an unprivileged EUID."
>
> The flaw existed upstream as well last I checked.
>
> This commit in kernel v3.8 caused the regression:
>
> commit
cff109768b2d9c03095848f4cd4b0754117262aa
> Author: Eric W. Biederman <ebiederm@xmission.com>
> Date: Fri Nov 16 03:03:01 2012 +0000
>
> net: Update the per network namespace sysctls to be available to the network namespace owner
>
> - Allow anyone with CAP_NET_ADMIN rights in the user namespace of the
> the netowrk namespace to change sysctls.
> - Allow anyone the uid of the user namespace root the same
> permissions over the network namespace sysctls as the global root.
> - Allow anyone with gid of the user namespace root group the same
> permissions over the network namespace sysctl as the global root group.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> because it changed /sys/net's special permission handler to test current_uid, not
> current_euid; same for current_gid/current_egid.
>
> So in this case, root cannot drop privs via set[ug]id, and retains all privs
> in this codepath.
Modify the code to use current_euid(), and in_egroup_p, as in done
in fs/proc/proc_sysctl.c:test_perm()
Cc: stable@vger.kernel.org
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Reported-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marc Kleine-Budde [Sat, 5 Oct 2013 19:25:17 +0000 (21:25 +0200)]
can: dev: fix nlmsg size calculation in can_get_size()
This patch fixes the calculation of the nlmsg size, by adding the missing
nla_total_size().
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Benc [Fri, 4 Oct 2013 15:04:48 +0000 (17:04 +0200)]
ipv4: fix ineffective source address selection
When sending out multicast messages, the source address in inet->mc_addr is
ignored and rewritten by an autoselected one. This is caused by a typo in
commit
813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output
route lookups").
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Markus Pargmann [Fri, 4 Oct 2013 12:44:40 +0000 (14:44 +0200)]
net/ethernet: cpsw: DT read bool dual_emac
Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
Acked-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Markus Pargmann [Fri, 4 Oct 2013 12:44:39 +0000 (14:44 +0200)]
net: ethernet: cpsw: Search childs for slave nodes
The current implementation searches the whole DT for nodes named
"slave".
This patch changes it to search only child nodes for slaves.
Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
Acked-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexei Starovoitov [Fri, 4 Oct 2013 07:14:06 +0000 (00:14 -0700)]
net: fix unsafe set_memory_rw from softirq
on x86 system with net.core.bpf_jit_enable = 1
sudo tcpdump -i eth1 'tcp port 22'
causes the warning:
[ 56.766097] Possible unsafe locking scenario:
[ 56.766097]
[ 56.780146] CPU0
[ 56.786807] ----
[ 56.793188] lock(&(&vb->lock)->rlock);
[ 56.799593] <Interrupt>
[ 56.805889] lock(&(&vb->lock)->rlock);
[ 56.812266]
[ 56.812266] *** DEADLOCK ***
[ 56.812266]
[ 56.830670] 1 lock held by ksoftirqd/1/13:
[ 56.836838] #0: (rcu_read_lock){.+.+..}, at: [<
ffffffff8118f44c>] vm_unmap_aliases+0x8c/0x380
[ 56.849757]
[ 56.849757] stack backtrace:
[ 56.862194] CPU: 1 PID: 13 Comm: ksoftirqd/1 Not tainted 3.12.0-rc3+ #45
[ 56.868721] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012
[ 56.882004]
ffffffff821944c0 ffff88080bbdb8c8 ffffffff8175a145 0000000000000007
[ 56.895630]
ffff88080bbd5f40 ffff88080bbdb928 ffffffff81755b14 0000000000000001
[ 56.909313]
ffff880800000001 ffff880800000000 ffffffff8101178f 0000000000000001
[ 56.923006] Call Trace:
[ 56.929532] [<
ffffffff8175a145>] dump_stack+0x55/0x76
[ 56.936067] [<
ffffffff81755b14>] print_usage_bug+0x1f7/0x208
[ 56.942445] [<
ffffffff8101178f>] ? save_stack_trace+0x2f/0x50
[ 56.948932] [<
ffffffff810cc0a0>] ? check_usage_backwards+0x150/0x150
[ 56.955470] [<
ffffffff810ccb52>] mark_lock+0x282/0x2c0
[ 56.961945] [<
ffffffff810ccfed>] __lock_acquire+0x45d/0x1d50
[ 56.968474] [<
ffffffff810cce6e>] ? __lock_acquire+0x2de/0x1d50
[ 56.975140] [<
ffffffff81393bf5>] ? cpumask_next_and+0x55/0x90
[ 56.981942] [<
ffffffff810cef72>] lock_acquire+0x92/0x1d0
[ 56.988745] [<
ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380
[ 56.995619] [<
ffffffff817628f1>] _raw_spin_lock+0x41/0x50
[ 57.002493] [<
ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380
[ 57.009447] [<
ffffffff8118f52a>] vm_unmap_aliases+0x16a/0x380
[ 57.016477] [<
ffffffff8118f44c>] ? vm_unmap_aliases+0x8c/0x380
[ 57.023607] [<
ffffffff810436b0>] change_page_attr_set_clr+0xc0/0x460
[ 57.030818] [<
ffffffff810cfb8d>] ? trace_hardirqs_on+0xd/0x10
[ 57.037896] [<
ffffffff811a8330>] ? kmem_cache_free+0xb0/0x2b0
[ 57.044789] [<
ffffffff811b59c3>] ? free_object_rcu+0x93/0xa0
[ 57.051720] [<
ffffffff81043d9f>] set_memory_rw+0x2f/0x40
[ 57.058727] [<
ffffffff8104e17c>] bpf_jit_free+0x2c/0x40
[ 57.065577] [<
ffffffff81642cba>] sk_filter_release_rcu+0x1a/0x30
[ 57.072338] [<
ffffffff811108e2>] rcu_process_callbacks+0x202/0x7c0
[ 57.078962] [<
ffffffff81057f17>] __do_softirq+0xf7/0x3f0
[ 57.085373] [<
ffffffff81058245>] run_ksoftirqd+0x35/0x70
cannot reuse jited filter memory, since it's readonly,
so use original bpf insns memory to hold work_struct
defer kfree of sk_filter until jit completed freeing
tested on x86_64 and i386
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 7 Oct 2013 19:10:11 +0000 (20:10 +0100)]
sfc: Only bind to EF10 functions with the LinkCtrl and Trusted flags
Although we do not yet enable multiple PFs per port, it is possible
that a board will be reconfigured to enable them while the driver has
not yet been updated to fully support this.
The most obvious problem is that multiple functions may try to set
conflicting link settings. But we will also run into trouble if the
firmware doesn't consider us fully trusted. So, abort probing unless
both the LinkCtrl and Trusted flags are set for this function.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Johannes Berg [Mon, 30 Sep 2013 09:02:46 +0000 (11:02 +0200)]
iwlwifi: pcie: fix merge damage
The merge
b35c8097 seems to have lost commit
eabc4ac5d,
put the code back.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sat, 5 Oct 2013 12:09:30 +0000 (14:09 +0200)]
ath9k: fix tx queue scheduling after channel changes
Otherwise, if queues are full during a scan, tx scheduling does not
resume after switching back to the home channel.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Mon, 7 Oct 2013 17:25:18 +0000 (13:25 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
Oussama Ghorbel [Thu, 3 Oct 2013 13:49:26 +0000 (14:49 +0100)]
ipv6: Allow the MTU of ipip6 tunnel to be set below 1280
The (inner) MTU of a ipip6 (IPv4-in-IPv6) tunnel cannot be set below 1280, which is the minimum MTU in IPv6.
However, there should be no IPv6 on the tunnel interface at all, so the IPv6 rules should not apply.
More info at https://bugzilla.kernel.org/show_bug.cgi?id=15530
This patch allows to check the minimum MTU for ipv6 tunnel according to these rules:
-In case the tunnel is configured with ipip6 mode the minimum MTU is 68.
-In case the tunnel is configured with ip6ip6 or any mode the minimum MTU is 1280.
Signed-off-by: Oussama Ghorbel <ou.ghorbel@gmail.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Wed, 2 Oct 2013 06:14:06 +0000 (09:14 +0300)]
netif_set_xps_queue: make cpu mask const
virtio wants to pass in cpumask_of(cpu), make parameter
const to avoid build warnings.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Edward Cree [Wed, 25 Sep 2013 16:32:09 +0000 (17:32 +0100)]
sfc: Add PM and RXDP drop counters to ethtool stats
Recognise the new Packet Memory and RX Data Path counters.
The following counters are added:
rx_pm_{trunc,discard}_bb_overflow - burst buffer overflowed. This should not
occur if BB correctly configured.
rx_pm_{trunc,discard}_vfifo_full - not enough space in packet memory. May
indicate RX performance problems.
rx_pm_{trunc,discard}_qbb - dropped by 802.1Qbb early discard mechanism.
Since Qbb is not supported at present, this should not occur.
rx_pm_discard_mapping - 802.1p priority configured to be dropped. This should
not occur in normal operation.
rx_dp_q_disabled_packets - packet was to be delivered to a queue but queue is
disabled. May indicate misconfiguration by the driver.
rx_dp_di_dropped_packets - parser-dispatcher indicated that a packet should be
dropped.
rx_dp_streaming_packets - packet was sent to the RXDP streaming bus, ie. a
filter directed the packet to the MCPU.
rx_dp_emerg_{fetch,wait} - RX datapath had to wait for descriptors to be
loaded. Indicates performance problems but not drops.
These are only provided if the MC firmware has the
PM_AND_RXDP_COUNTERS capability. Otherwise, mask them out.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Matthew Slattery [Tue, 10 Sep 2013 18:06:27 +0000 (19:06 +0100)]
sfc: Add definitions for new stats counters and capability flag
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Edward Cree [Fri, 27 Sep 2013 17:52:49 +0000 (18:52 +0100)]
sfc: Refactor EF10 stat mask code to allow for more conditional stats
Previously, efx_ef10_stat_mask returned a static const unsigned long[], which
meant that each possible mask had to be declared statically with
STAT_MASK_BITMAP. Since adding a condition would double the size of the
decision tree, we now create the bitmask dynamically.
To do this, we have two functions efx_ef10_raw_stat_mask, which returns a u64,
and efx_ef10_get_stat_mask, which fills in an unsigned long * argument.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Edward Cree [Wed, 25 Sep 2013 16:34:12 +0000 (17:34 +0100)]
sfc: Fix internal indices of ethtool stats for EF10
The indices in nic_data->stats need to match the EF10_STAT_whatever
enum values. In efx_nic_update_stats, only mask; gaps are removed in
efx_ef10_update_stats.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Jon Cooper [Fri, 27 Sep 2013 17:26:30 +0000 (18:26 +0100)]
sfc: Add rmb() between reading stats and generation count to ensure consistency
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Eric Dumazet [Fri, 4 Oct 2013 17:31:41 +0000 (10:31 -0700)]
tcp: do not forget FIN in tcp_shifted_skb()
Yuchung found following problem :
There are bugs in the SACK processing code, merging part in
tcp_shift_skb_data(), that incorrectly resets or ignores the sacked
skbs FIN flag. When a receiver first SACK the FIN sequence, and later
throw away ofo queue (e.g., sack-reneging), the sender will stop
retransmitting the FIN flag, and hangs forever.
Following packetdrill test can be used to reproduce the bug.
$ cat sack-merge-bug.pkt
`sysctl -q net.ipv4.tcp_fack=0`
// Establish a connection and send 10 MSS.
0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+.000 bind(3, ..., ...) = 0
+.000 listen(3, 1) = 0
+.050 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+.000 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 6>
+.001 < . 1:1(0) ack 1 win 1024
+.000 accept(3, ..., ...) = 4
+.100 write(4, ..., 12000) = 12000
+.000 shutdown(4, SHUT_WR) = 0
+.000 > . 1:10001(10000) ack 1
+.050 < . 1:1(0) ack 2001 win 257
+.000 > FP. 10001:12001(2000) ack 1
+.050 < . 1:1(0) ack 2001 win 257 <sack 10001:11001,nop,nop>
+.050 < . 1:1(0) ack 2001 win 257 <sack 10001:12002,nop,nop>
// SACK reneg
+.050 < . 1:1(0) ack 12001 win 257
+0 %{ print "unacked: ",tcpi_unacked }%
+5 %{ print "" }%
First, a typo inverted left/right of one OR operation, then
code forgot to advance end_seq if the merged skb carried FIN.
Bug was added in 2.6.29 by commit
832d11c5cd076ab
("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 3 Oct 2013 20:28:18 +0000 (16:28 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
Here is another batch of fixes intended for the 3.12 stream...
For the mac80211 bits, Johannes says:
"This time I have two fixes for IBSS (including one for wext, hah), a fix
for extended rates IEs, an active monitor checking fix and a sysfs
registration race fix."
On top of those...
Amitkumar Karwar brings an mwifiex fix for an interrupt loss issue
w/ SDIO devices. The problem was due to a command timeout issue
introduced by an earlier patch.
Felix Fietkau a stall in the ath9k driver. This patch fixes the
regression introduced in the commit "ath9k: use software queues for
un-aggregated data packets".
Stanislaw Gruszka reverts an rt2x00 patch that was found to cause
connection problems with some devices.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Wed, 2 Oct 2013 21:27:20 +0000 (00:27 +0300)]
net: heap overflow in __audit_sockaddr()
We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
exploit this bug.
The call tree is:
___sys_recvmsg()
move_addr_to_user()
audit_sockaddr()
__audit_sockaddr()
Reported-by: Jüri Aedla <juri.aedla@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Thu, 3 Oct 2013 20:00:03 +0000 (16:00 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
David S. Miller [Thu, 3 Oct 2013 19:57:36 +0000 (15:57 -0400)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Included change:
- fix multi soft-interfaces setups with Network Coding enabled by
registering the CODED packet type once only (instead of once per soft-if)
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 2 Oct 2013 21:11:50 +0000 (17:11 -0400)]
Merge branch 'mv643xx'
Sebastian Hesselbarth says:
====================
This patch set comprises some one-liners to fix issues with repeated
loading and unloading of a modular mv643xx_eth driver.
First two patches take care of the periodic port statistic timer, that
updates statistics by reading port registers using add_timer/mod_timer.
Patch 1 moves timer re-schedule from mib_counters_update to the timer
callback. As mib_counters_update is also called from non-timer context,
this ensures the timer is reactivated from timer context only.
Patch 2 moves initial timer schedule from _probe() time to right before
the port is actually started as the corresponding del_timer_sync is at
_stop() time. This fixes a regression, where unloading the driver from a
non-started eth device can cause the timer to access deallocated mem.
Patch 3 adds an assignment of the ports device_node to the corresponding
self-created platform_device. This is required to allow fixups based on
the device_node's compatible string later. Actually, it is also a potential
regression because we already check compatible string for Kirkwood, but
does not (yet) rely on the fixup.
All patches are based on v3.12-rc3 and have been tested on Kirkwood-based
Seagate Dockstar.
Patches 1 and 2 can also possibly queued up for -stable.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Sebastian Hesselbarth [Wed, 2 Oct 2013 10:57:22 +0000 (12:57 +0200)]
net: mv643xx_eth: fix missing device_node for port devices
DT-based mv643xx_eth probes and creates platform_devices for the
port devices on its own. To allow fixups for ports based on the
device_node, we need to set .of_node of the corresponding device
with the correct node.
Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sebastian Hesselbarth [Wed, 2 Oct 2013 10:57:21 +0000 (12:57 +0200)]
net: mv643xx_eth: fix orphaned statistics timer crash
The periodic statistics timer gets started at port _probe() time, but
is stopped on _stop() only. In a modular environment, this can cause
the timer to access already deallocated memory, if the module is unloaded
without starting the eth device. To fix this, we add the timer right
before the port is started, instead of at _probe() time.
Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sebastian Hesselbarth [Wed, 2 Oct 2013 10:57:20 +0000 (12:57 +0200)]
net: mv643xx_eth: update statistics timer from timer context only
Each port driver installs a periodic timer to update port statistics
by calling mib_counters_update. As mib_counters_update is also called
from non-timer context, we should not reschedule the timer there but
rather move it to timer-only context.
Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
François Cachereul [Wed, 2 Oct 2013 08:16:02 +0000 (10:16 +0200)]
l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
IPv4 mapped addresses cause kernel panic.
The patch juste check whether the IPv6 address is an IPv4 mapped
address. If so, use IPv4 API instead of IPv6.
[ 940.026915] general protection fault: 0000 [#1]
[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 940.026915] task:
ffff880007130e20 ti:
ffff88000737e000 task.ti:
ffff88000737e000
[ 940.026915] RIP: 0010:[<
ffffffff81333780>] [<
ffffffff81333780>] ip6_xmit+0x276/0x326
[ 940.026915] RSP: 0018:
ffff88000737fd28 EFLAGS:
00010286
[ 940.026915] RAX:
c748521a75ceff48 RBX:
ffff880000c30800 RCX:
0000000000000000
[ 940.026915] RDX:
ffff88000075cc4e RSI:
0000000000000028 RDI:
ffff8800060e5a40
[ 940.026915] RBP:
ffff8800060e5a40 R08:
0000000000000000 R09:
ffff88000075cc90
[ 940.026915] R10:
0000000000000000 R11:
0000000000000000 R12:
ffff88000737fda0
[ 940.026915] R13:
0000000000000000 R14:
0000000000002000 R15:
ffff880005d3b580
[ 940.026915] FS:
00007f163dc5e800(0000) GS:
ffffffff81623000(0000) knlGS:
0000000000000000
[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 940.026915] CR2:
00000004032dc940 CR3:
0000000005c25000 CR4:
00000000000006f0
[ 940.026915] Stack:
[ 940.026915]
ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
[ 940.026915]
11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
[ 940.026915]
ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
[ 940.026915] Call Trace:
[ 940.026915] [<
ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
[ 940.026915] [<
ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
[ 940.026915] [<
ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
[ 940.026915] [<
ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
[ 940.026915] [<
ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
[ 940.026915] [<
ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
[ 940.026915] [<
ffffffff8110ead4>] ? vfs_write+0xa2/0x106
[ 940.026915] [<
ffffffff8110edd6>] ? SyS_write+0x56/0x8a
[ 940.026915] [<
ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
[ 940.026915] RIP [<
ffffffff81333780>] ip6_xmit+0x276/0x326
[ 940.026915] RSP <
ffff88000737fd28>
[ 940.057945] ---[ end trace
be8aba9a61c8b7f3 ]---
[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 2 Oct 2013 04:04:11 +0000 (21:04 -0700)]
net: do not call sock_put() on TIMEWAIT sockets
commit
3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
We should instead use inet_twsk_put()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Gospodarek [Wed, 2 Oct 2013 01:23:25 +0000 (21:23 -0400)]
bonding: update MAINTAINERS
Veaceslav has been doing a significant amount of work on bonding lately and
reached out to me about being a maintainer. After discussing this with him, I
think he would be a good fit as a bonding maintainer.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Tue, 1 Oct 2013 04:30:22 +0000 (21:30 -0700)]
tc: export tc_defact.h to userspace
Jamal sent patch to add tc user simple actions to iproute2
but required header was not being exported.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andi Kleen [Mon, 30 Sep 2013 20:29:11 +0000 (13:29 -0700)]
tcp: Always set options to 0 before calling tcp_established_options
tcp_established_options assumes opts->options is 0 before calling,
as it read modify writes it.
For the tcp_current_mss() case the opts structure is not zeroed,
so this can be done with uninitialized values.
This is ok, because ->options is not read in this path.
But it's still better to avoid the operation on the uninitialized
field. This shuts up a static code analyzer, and presumably
may help the optimizer.
Cc: netdev@vger.kernel.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andi Kleen [Mon, 30 Sep 2013 20:29:08 +0000 (13:29 -0700)]
igb: Avoid uninitialized advertised variable in eee_set_cur
eee_get_cur assumes that the output data is already zeroed. It can
read-modify-write the advertised field:
if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
2594 edata->advertised |= ADVERTISED_100baseT_Full;
This is ok for the normal ethtool eee_get call, which always
zeroes the input data before.
But eee_set_cur also calls eee_get_cur and it did not zero the input
field. Later on it then compares agsinst the field, which can contain partial
stack garbage.
Zero the input field in eee_set_cur() too.
Cc: jeffrey.t.kirsher@intel.com
Cc: netdev@vger.kernel.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 2 Oct 2013 20:10:45 +0000 (16:10 -0400)]
Merge branch 'calxedaxgmac'
Rob Herring says:
====================
This is a couple of fixes related to xgmac_set_rx_mode. The changes are
necessary for "bridge fdb add" to work correctly.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Rob Herring [Mon, 30 Sep 2013 20:12:17 +0000 (15:12 -0500)]
net: calxedaxgmac: determine number of address filters at runtime
Highbank and Midway xgmac h/w have different number of MAC address filter
registers with 7 and 31, respectively. Highbank has been wrong, so fix it
and detect the number of filter registers at run-time. Unfortunately,
the version register is the same on both SOCs, so simply test if write to
the last filter register will take a value. It always reads as 0 if not.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rob Herring [Mon, 30 Sep 2013 20:12:16 +0000 (15:12 -0500)]
net: calxedaxgmac: add uc and mc filter addresses in promiscuous mode
Even in promiscuous mode, we need to add filter addresses for correct
operation. This fixes silent failures when using a bridge and adding
addresses using the "bridge fdb add" command.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rob Herring [Mon, 30 Sep 2013 20:12:15 +0000 (15:12 -0500)]
net: calxedaxgmac: fix clearing of old filter addresses
In commit
2ee68f621af280 (net: calxedaxgmac: fix various errors in
xgmac_set_rx_mode), a fix to clean-up old address entries was added.
However, the loop to zero out the entries failed to increment the register
address resulting in only 1 entry getting cleared. Fix this to correctly
use the loop index. Also, the end of the loop condition was off by 1 and
should have been <= rather than <.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Mon, 30 Sep 2013 20:05:40 +0000 (22:05 +0200)]
unix_diag: fix info leak
When filling the netlink message we miss to wipe the pad field,
therefore leak one byte of heap memory to userland. Fix this by
setting pad to 0.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 2 Oct 2013 20:03:56 +0000 (16:03 -0400)]
Merge branch 'connector'
Mathias Krause says:
====================
This series fixes a few netlink related issues of the connector interface.
The first two patches are bug fixes. The last two are cleanups.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Mon, 30 Sep 2013 20:03:09 +0000 (22:03 +0200)]
connector - documentation: simplify netlink message length assignment
Use the precalculated size instead of obfuscating the message length
calculation by first subtracting the netlink header length from size
and then use the NLMSG_LENGTH() macro to add it back again.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Mon, 30 Sep 2013 20:03:08 +0000 (22:03 +0200)]
connector: use 'size' everywhere in cn_netlink_send()
We calculated the size for the netlink message buffer as size. Use size
in the memcpy() call as well instead of recalculating it.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Mon, 30 Sep 2013 20:03:07 +0000 (22:03 +0200)]
connector: use nlmsg_len() to check message length
The current code tests the length of the whole netlink message to be
at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
the length of the netlink message header. Use nlmsg_len() instead to
fix this "off-by-NLMSG_HDRLEN" size check.
Cc: stable@vger.kernel.org # v2.6.14+
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mathias Krause [Mon, 30 Sep 2013 20:03:06 +0000 (22:03 +0200)]
proc connector: fix info leaks
Initialize event_data for all possible message types to prevent leaking
kernel stack contents to userland (up to 20 bytes). Also set the flags
member of the connector message to 0 to prevent leaking two more stack
bytes this way.
Cc: stable@vger.kernel.org # v2.6.15+
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matthias Schiffer [Fri, 27 Sep 2013 16:03:39 +0000 (18:03 +0200)]
batman-adv: set up network coding packet handlers during module init
batman-adv saves its table of packet handlers as a global state, so handlers
must be set up only once (and setting them up a second time will fail).
The recently-added network coding support tries to set up its handler each time
a new softif is registered, which obviously fails when more that one softif is
used (and in consequence, the softif creation fails).
Fix this by splitting up batadv_nc_init into batadv_nc_init (which is called
only once) and batadv_nc_mesh_init (which is called for each softif); in
addition batadv_nc_free is renamed to batadv_nc_mesh_free to keep naming
consistent.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Emmanuel Grumbach [Sun, 15 Sep 2013 11:39:02 +0000 (14:39 +0300)]
iwlwifi: mvm: call ieee80211_scan_completed when needed
When RFKill cuts short a scan, mac80211 cancels the scan.
This is done by sending a host command to the firmware, but
this command was dropped because of RFKill. Flag this
command as "SEND_IN_RFKILL" to make sure it is sent to the
firmware. The firmware will send SCAN_COMPLETE_NOTIFICATION
which will trigger a call to ieee80211_scan_completed.
If the scan cannot be aborted, it is because the firmware
already finished the scan but we hadn't notified mac80211
at the time mac80211 decided to cancel the scan. By the time
we see the scan could not be aborted, mac80211 has been
notified already.
This patch fixes situations in which we didn't notify
mac80211 upon completion of the scan that was cut short
by RFkill.
Cc: stable@vger.kernel.org [3.10+]
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Tue, 24 Sep 2013 16:34:26 +0000 (19:34 +0300)]
iwlwifi: pcie: add SKUs for 6000, 6005 and 6235 series
Add some new PCI IDs to the table for 6000, 6005 and 6235 series.
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Sun, 15 Sep 2013 08:37:17 +0000 (11:37 +0300)]
iwlwifi: don't WARN on host commands sent when firmware is dead
This triggers automatic bug reports and add no valuable
information. Print a simple error instead and drop the
host command.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Matti Gottlieb [Sun, 22 Sep 2013 05:23:23 +0000 (08:23 +0300)]
iwlwifi: pcie: add new SKUs for 7000 & 3160 NIC series
Add some new PCI IDs to the table for 7000 & 3160 series
Cc: stable@vger.kernel.org
Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Emmanuel Grumbach [Wed, 24 Jul 2013 11:15:21 +0000 (14:15 +0300)]
iwlwifi: pcie: don't reset the TX queue counter
A few NICs can get into trouble if we reset the TX queue
counters in certain very rare situation. To be on the safe
side, simply avoid to reset the TX queue counter.
This is relevant for non-AMPDU queues only since on AMPDU
we have no choice - we must start the TX queue at the right
index.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Alexander Bondar [Fri, 30 Aug 2013 08:12:05 +0000 (11:12 +0300)]
iwlwifi: mvm: Disable uAPSD for D3 image
The D3 firmware image doesn't support uAPSD, so disable it.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Reviewed-by: Guy Cohen <guy.cohen@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Linus Torvalds [Tue, 1 Oct 2013 19:58:48 +0000 (12:58 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking changes from David Miller:
1) Multiply in netfilter IPVS can overflow when calculating destination
weight. From Simon Kirby.
2) Use after free fixes in IPVS from Julian Anastasov.
3) SFC driver bug fixes from Daniel Pieczko.
4) Memory leak in pcan_usb_core failure paths, from Alexey Khoroshilov.
5) Locking and encapsulation fixes to serial line CAN driver, from
Andrew Naujoks.
6) Duplex and VF handling fixes to bnx2x driver from Yaniv Rosner,
Eilon Greenstein, and Ariel Elior.
7) In lapb, if no other packets are outstanding, T1 timeouts actually
stall things and no packet gets sent. Fix from Josselin Costanzi.
8) ICMP redirects should not make it to the socket error queues, from
Duan Jiong.
9) Fix bugs in skge DMA mapping error handling, from Nikulas Patocka.
10) Fix setting of VLAN priority field on via-rhine driver, from Roget
Luethi.
11) Fix TX stalls and VLAN promisc programming in be2net driver from
Ajit Khaparde.
12) Packet padding doesn't get handled correctly in new usbnet SG
support code, from Ming Lei.
13) Fix races in netdevice teardown wrt. network namespace closing.
From Eric W. Biederman.
14) Fix potential missed initialization of net_secret if not TCP
connections are openned. From Eric Dumazet.
15) Cinterion PLXX product ID in qmi_wwan driver is wrong, from
Aleksander Morgado.
16) skb_cow_head() can change skb->data and thus packet header pointers,
don't use stale ip_hdr reference in ip_tunnel code.
17) Backend state transition handling fixes in xen-netback, from Paul
Durrant.
18) Packet offset for AH protocol is handled wrong in flow dissector,
from Eric Dumazet.
19) Taking down an fq packet scheduler instance can leave stale packets
in the queues, fix from Eric Dumazet.
20) Fix performance regressions introduced by TCP Small Queues. From
Eric Dumazet.
21) IPV6 GRE tunneling code calculates max_headroom incorrectly, from
Hannes Frederic Sowa.
22) Multicast timer handlers in ipv4 and ipv6 can be the last and final
reference to the ipv4/ipv6 specific network device state, so use the
reference put that will check and release the object if the
reference hits zero. From Salam Noureddine.
23) Fix memory corruption in ip_tunnel driver, and use skb_push()
instead of __skb_push() so that similar bugs are less hard to find.
From Steffen Klassert.
24) Add forgotten hookup of rtnl_ops in SIT and ip6tnl drivers, from
Nicolas Dichtel.
25) fq scheduler doesn't accurately rate limit in certain circumstances,
from Eric Dumazet.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (103 commits)
pkt_sched: fq: rate limiting improvements
ip6tnl: allow to use rtnl ops on fb tunnel
sit: allow to use rtnl ops on fb tunnel
ip_tunnel: Remove double unregister of the fallback device
ip_tunnel_core: Change __skb_push back to skb_push
ip_tunnel: Add fallback tunnels to the hash lists
ip_tunnel: Fix a memory corruption in ip_tunnel_xmit
qlcnic: Fix SR-IOV configuration
ll_temac: Reset dma descriptors indexes on ndo_open
skbuff: size of hole is wrong in a comment
ipv6 mcast: use in6_dev_put in timer handlers instead of __in6_dev_put
ipv4 igmp: use in_dev_put in timer handlers instead of __in_dev_put
ethernet: moxa: fix incorrect placement of __initdata tag
ipv6: gre: correct calculation of max_headroom
powerpc/83xx: gianfar_ptp: select 1588 clock source through dts file
Revert "powerpc/83xx: gianfar_ptp: select 1588 clock source through dts file"
bonding: Fix broken promiscuity reference counting issue
tcp: TSQ can use a dynamic limit
dm9601: fix IFF_ALLMULTI handling
pkt_sched: fq: qdisc dismantle fixes
...
Linus Torvalds [Tue, 1 Oct 2013 19:57:59 +0000 (12:57 -0700)]
Merge git://git./linux/kernel/git/davem/sparc
Pull sparc fix from David Miller:
"Just a single bug fix to a regression added during some strlcpy()
conversions"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
Linus Torvalds [Tue, 1 Oct 2013 17:28:11 +0000 (10:28 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs
Pull vfs lru leak fix from Al Viro:
"The fix in "super: fix for destroy lrus" didn't - they need to be
destroyed, all right, but that's the wrong place..."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
fs/super.c: fix lru_list leak for real
Linus Torvalds [Tue, 1 Oct 2013 17:25:10 +0000 (10:25 -0700)]
Merge git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull two KVM fixes from Gleb Natapov.
* git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: VMX: do not check bit 12 of EPT violation exit qualification when undefined
ARM: kvm: rename cpu_reset to avoid name clash
Al Viro [Tue, 1 Oct 2013 17:11:21 +0000 (13:11 -0400)]
fs/super.c: fix lru_list leak for real
Freeing ->s_{inode,dentry}_lru in deactivate_locked_super() is wrong;
the right place is destroy_super(). As it is, we leak them if sget()
decides that new superblock it has allocated (and never shown to
anybody) isn't needed and should be freed.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Eric Dumazet [Tue, 1 Oct 2013 16:10:16 +0000 (09:10 -0700)]
pkt_sched: fq: rate limiting improvements
FQ rate limiting suffers from two problems, reported
by Steinar :
1) FQ enforces a delay when flow quantum is exhausted in order
to reduce cpu overhead. But if packets are small, current
delay computation is slightly wrong, and observed rates can
be too high.
Steinar had this problem because he disabled TSO and GSO,
and default FQ quantum is 2*1514.
(Of course, I wish recent TSO auto sizing changes will help
to not having to disable TSO in the first place)
2) maxrate was not used for forwarded flows (skbs not attached
to a socket)
Tested:
tc qdisc add dev eth0 root est 1sec 4sec fq maxrate 8Mbit
netperf -H lpq84 -l 1000 &
sleep 10 ; tc -s qdisc show dev eth0
qdisc fq 8003: root refcnt 32 limit 10000p flow_limit 100p buckets 1024
quantum 3028 initial_quantum 15140 maxrate 8000Kbit
Sent
16819357 bytes 11258 pkt (dropped 0, overlimits 0 requeues 0)
rate 7831Kbit 653pps backlog 7570b 5p requeues 0
44 flows (43 inactive, 1 throttled), next packet delay
2977352 ns
0 gc, 0 highprio, 5545 throttled
lpq83:~# tcpdump -p -i eth0 host lpq84 -c 12
09:02:52.079484 IP lpq83 > lpq84: .
1389536928:
1389538376(1448) ack
3808678021 win 457 <nop,nop,timestamp 961812
572609068>
09:02:52.079499 IP lpq83 > lpq84: . 1448:2896(1448) ack 1 win 457 <nop,nop,timestamp 961812
572609068>
09:02:52.079906 IP lpq84 > lpq83: . ack 2896 win 16384 <nop,nop,timestamp
572609080 961812>
09:02:52.082568 IP lpq83 > lpq84: . 2896:4344(1448) ack 1 win 457 <nop,nop,timestamp 961815
572609071>
09:02:52.082581 IP lpq83 > lpq84: . 4344:5792(1448) ack 1 win 457 <nop,nop,timestamp 961815
572609071>
09:02:52.083017 IP lpq84 > lpq83: . ack 5792 win 16384 <nop,nop,timestamp
572609083 961815>
09:02:52.085678 IP lpq83 > lpq84: . 5792:7240(1448) ack 1 win 457 <nop,nop,timestamp 961818
572609074>
09:02:52.085693 IP lpq83 > lpq84: . 7240:8688(1448) ack 1 win 457 <nop,nop,timestamp 961818
572609074>
09:02:52.086117 IP lpq84 > lpq83: . ack 8688 win 16384 <nop,nop,timestamp
572609086 961818>
09:02:52.088792 IP lpq83 > lpq84: . 8688:10136(1448) ack 1 win 457 <nop,nop,timestamp 961821
572609077>
09:02:52.088806 IP lpq83 > lpq84: . 10136:11584(1448) ack 1 win 457 <nop,nop,timestamp 961821
572609077>
09:02:52.089217 IP lpq84 > lpq83: . ack 11584 win 16384 <nop,nop,timestamp
572609090 961821>
Reported-by: Steinar H. Gunderson <sesse@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Tue, 1 Oct 2013 16:05:00 +0000 (18:05 +0200)]
ip6tnl: allow to use rtnl ops on fb tunnel
rtnl ops where introduced by
c075b13098b3 ("ip6tnl: advertise tunnel param via
rtnl"), but I forget to assign rtnl ops to fb tunnels.
Now that it is done, we must remove the explicit call to
unregister_netdevice_queue(), because the fallback tunnel is added to the queue
in ip6_tnl_destroy_tunnels() when checking rtnl_link_ops of all netdevices (this
is valid since commit
0bd8762824e7 ("ip6tnl: add x-netns support")).
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Tue, 1 Oct 2013 16:04:59 +0000 (18:04 +0200)]
sit: allow to use rtnl ops on fb tunnel
rtnl ops where introduced by
ba3e3f50a0e5 ("sit: advertise tunnel param via
rtnl"), but I forget to assign rtnl ops to fb tunnels.
Now that it is done, we must remove the explicit call to
unregister_netdevice_queue(), because the fallback tunnel is added to the queue
in sit_destroy_tunnels() when checking rtnl_link_ops of all netdevices (this
is valid since commit
5e6700b3bf98 ("sit: add support of x-netns")).
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 1 Oct 2013 16:42:28 +0000 (12:42 -0400)]
Merge branch 'ip_tunnel'
ip_tunnel bug fixes from Steffen Klassert.
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Tue, 1 Oct 2013 09:37:37 +0000 (11:37 +0200)]
ip_tunnel: Remove double unregister of the fallback device
When queueing the netdevices for removal, we queue the
fallback device twice in ip_tunnel_destroy(). The first
time when we queue all netdevices in the namespace and
then again explicitly. Fix this by removing the explicit
queueing of the fallback device.
Bug was introduced when network namespace support was added
with commit
6c742e714d8 ("ipip: add x-netns support").
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Tue, 1 Oct 2013 09:35:51 +0000 (11:35 +0200)]
ip_tunnel_core: Change __skb_push back to skb_push
Git commit
0e6fbc5b ("ip_tunnels: extend iptunnel_xmit()")
moved the IP header installation to iptunnel_xmit() and
changed skb_push() to __skb_push(). This makes possible
bugs hard to track down, so change it back to skb_push().
Cc: Pravin Shelar <pshelar@nicira.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Tue, 1 Oct 2013 09:34:48 +0000 (11:34 +0200)]
ip_tunnel: Add fallback tunnels to the hash lists
Currently we can not update the tunnel parameters of
the fallback tunnels because we don't find them in the
hash lists. Fix this by adding them on initialization.
Bug was introduced with commit
c544193214
("GRE: Refactor GRE tunneling code.")
Cc: Pravin Shelar <pshelar@nicira.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Tue, 1 Oct 2013 09:33:59 +0000 (11:33 +0200)]
ip_tunnel: Fix a memory corruption in ip_tunnel_xmit
We might extend the used aera of a skb beyond the total
headroom when we install the ipip header. Fix this by
calling skb_cow_head() unconditionally.
Bug was introduced with commit
c544193214
("GRE: Refactor GRE tunneling code.")
Cc: Pravin Shelar <pshelar@nicira.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>