Commit Graph

413927 Commits

Author SHA1 Message Date
Li RongQing
6a9eadccff ipv6: release dst properly in ipip6_tunnel_xmit
if a dst is not attached to anywhere, it should be released before
exit ipip6_tunnel_xmit, otherwise cause dst memory leakage.

Fixes: 61c1db7fae ("ipv6: sit: add GSO/TSO support")
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 13:14:40 -05:00
David Gibson
4710b2ba87 netxen: Correct off-by-one errors in bounds checks
netxen_process_lro() contains two bounds checks.  One for the ring number
against the number of rings, and one for the Rx buffer ID against the
array of receive buffers.

Both of these have off-by-one errors, using > instead of >=. The correct
versions are used in netxen_process_rcv(), they're just wrong in
netxen_process_lro().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 13:08:25 -05:00
David S. Miller
73409f3b0f net: Add some clarification to skb_tx_timestamp() comment.
We've seen so many instances of people invoking skb_tx_timestamp()
after the device already has been given the packet, that it's worth
being a little bit more verbose and explicit in this comment.

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 13:04:33 -05:00
Eric Dumazet
37ec274e97 arc_emac: fix potential use after free
Signed-off-by: Eric Dumazet <edumazet@google.com>

skb_tx_timestamp(skb) should be called _before_ TX completion
has a chance to trigger, otherwise it is too late and we access
freed memory.

Fixes: e4f2379db6 ("ethernet/arc/arc_emac - Add new driver")
From: Eric Dumazet <edumazet@google.com>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 13:00:31 -05:00
Nithin Sujir
375679104a tg3: Expand 4g_overflow_test workaround to skb fragments of any size.
The current driver assumes that an skb fragment can only be upto jumbo
size. Presumably this was a fast-path optimization. This assumption is
no longer true as fragments can be upto 32k.

v2: Remove unnecessary parantheses per Eric Dumazet.

Cc: stable@vger.kernel.org
Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 12:51:44 -05:00
Jamal Hadi Salim
1a29321ed0 net_sched: act: Dont increment refcnt on replace
This is a bug fix. The existing code tries to kill many
 birds with one stone: Handling binding of actions to
 filters, new actions and replacing of action
 attributes. A simple test case to illustrate:

XXXX
 moja@fe1:~$ sudo tc actions add action drop index 12
 moja@fe1:~$ actions get action gact index 12
 action order 1: gact action drop
  random type none pass val 0
  index 12 ref 1 bind 0
 moja@fe1:~$ sudo tc actions replace action ok index 12
 moja@fe1:~$ actions get action gact index 12
 action order 1: gact action drop
  random type none pass val 0
  index 12 ref 2 bind 0
XXXX

The above shows the refcounf being wrongly incremented on replace.
There are more complex scenarios with binding of actions to filters
that i am leaving out that didnt work as well...

Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 12:50:00 -05:00
Sasha Levin
c2349758ac rds: prevent dereference of a NULL device
Binding might result in a NULL device, which is dereferenced
causing this BUG:

[ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097
4
[ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0
[ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1317.264179] Dumping ftrace buffer:
[ 1317.264774]    (ftrace buffer empty)
[ 1317.265220] Modules linked in:
[ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G        W    3.13.0-rc4-
next-20131218-sasha-00013-g2cebb9b-dirty #4159
[ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000
[ 1317.268399] RIP: 0010:[<ffffffff84225f52>]  [<ffffffff84225f52>] rds_ib_laddr_check+
0x82/0x110
[ 1317.269670] RSP: 0000:ffff8803cd31bdf8  EFLAGS: 00010246
[ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000
[ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286
[ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000
[ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031
[ 1317.270230] FS:  00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000
0000
[ 1317.270230] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0
[ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
[ 1317.270230] Stack:
[ 1317.270230]  0000000054086700 5408670000a25de0 5408670000000002 0000000000000000
[ 1317.270230]  ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160
[ 1317.270230]  ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280
[ 1317.270230] Call Trace:
[ 1317.270230]  [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0
[ 1317.270230]  [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0
[ 1317.270230]  [<ffffffff8421c9c3>] rds_bind+0x73/0xf0
[ 1317.270230]  [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0
[ 1317.270230]  [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0
[ 1317.270230]  [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10
[ 1317.270230]  [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290
[ 1317.270230]  [<ffffffff83e4cece>] SyS_bind+0xe/0x10
[ 1317.270230]  [<ffffffff843a6ad0>] tracesys+0xdd/0xe2
[ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00
89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7
4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02
[ 1317.270230] RIP  [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.270230]  RSP <ffff8803cd31bdf8>
[ 1317.270230] CR2: 0000000000000974

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-27 12:33:58 -05:00
Florian Westphal
797f87f83b macvlan: fix netdev feature propagation from lower device
There are inconsistencies wrt. feature propagation/inheritance between
macvlan and the underlying interface.

When a feature is turned off on the real device before a macvlan is
created on top, these will remain enabled on the macvlan device, whereas
turning off the feature on the lower device after macvlan creation the
kernel will propagate the changes to the macvlan.

The second issue is that, when propagating changes from underlying device
to the macvlan interface, macvlan can erronously lose its NETIF_F_LLTX flag,
as features are anded with the underlying device.

However, LLTX should be kept since it has no dependencies on physical
hardware (LLTX is set on macvlan creation regardless of the lower
device properties, see 8ffab51b3d
(macvlan: lockless tx path).

The LLTX flag is now forced regardless of user settings in absence of
layer2 hw acceleration (a6cc0cfa72,
net: Add layer 2 hardware acceleration operations for macvlan devices).

Use netdev_increment_features to rebuild the feature set on capability
changes on either the lower device or on the macvlan interface.

As pointed out by Ben Hutchings, use netdev_update_features on
NETDEV_FEAT_CHANGE event (it calls macvlan_fix_features/netdev_features_change
if needed).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-26 13:41:00 -05:00
Hannes Frederic Sowa
61e7f09d0f ipv4: consistent reporting of pmtu data in case of corking
We report different pmtu values back on the first write and on further
writes on an corked socket.

Also don't include the dst.header_len (respectively exthdrlen) as this
should already be dealt with by the interface mtu of the outgoing
(virtual) interface and policy of that interface should dictate if
fragmentation should happen.

Instead reduce the pmtu data by IP options as we do for IPv6. Make the
same changes for ip_append_data, where we did not care about options or
dst.header_len at all.

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:52:09 -05:00
Mugunthan V N
db850559a3 drivers: net : cpsw: pass proper device name while requesting irq
During checking the interrupts with "cat /proc/interrupts", it is showing
device name as (null), this change was done with commit id aa1a15e2d where
request_irq is changed to devm_request_irq also changing the irq name from
platform device name to net device name, but the net device is not
registered at this point with the network frame work, so devm_request_irq
is called with device name as NULL, by which it is showed as "(null)" in
"cat /proc/interrupts". So this patch changes back irq name to platform
device name itself in devm_request_irq so that the device name shows as
below.

Previous to this patch
root@am335x-evm:~# cat /proc/interrupts
           CPU0
 28:       2265      INTC  12  edma
 30:         80      INTC  14  edma_error
 56:          0      INTC  40  (null)
 57:       1794      INTC  41  (null)
 58:          7      INTC  42  (null)
 59:          0      INTC  43  (null)

With this patch
root@am335x-evm:~# cat /proc/interrupts
           CPU0
 28:        213      INTC  12  edma
 30:          9      INTC  14  edma_error
 56:          0      INTC  40  4a100000.ethernet
 57:      16097      INTC  41  4a100000.ethernet
 58:      11964      INTC  42  4a100000.ethernet
 59:          0      INTC  43  4a100000.ethernet

Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:22:15 -05:00
David S. Miller
015cdf686a Merge branch 'cxgb4'
Hariprasad Shenai says:

====================
This patch series provides miscelleneous fixes for Chelsio T4/T5 adapters
related to server entries and server filter entries.

Also, fixes a bug in ULD (Upper Level Driver) like iw_cxgb4 where-in it
calculates wrong tuple values
on T5 adapter. So, a new API cxgb4_select_ntuple is exported so as to enable
Upper Lever Drivers like iw_cxgb4 to correctly calculate tuple values.

The patches series is created agains David Miller's 'net' tree.
And includes patches on cxgb4 and iw_cxgb4 driver.

Patch 8/8 (RDMA-cxgb4-Use-cxgb4_select_ntuple-to-correctly-calc.patch)
has a build dependency on Patch 5/8
(cxgb4-Add-API-to-correctly-calculate-tuple-fields.patch).

Also, Patch 6/8 (RDMA-cxgb4-Calculate-the-filter-server-TID-properly.patch) has
a functional
dependency on Patch 3/8 (cxgb4-Assign-filter-server-TIDs-properly.patch)

We would like to request this patch series to get merged via David Miller's
'net' tree.

We have included all the maintainers of respective drivers. Kindly review the
change and let us know in case of any review comments.

V2 changes:
 - Removed earlier patch which added sftids_in_use counter. However, the counter
   was actually not used anywhere in this patch series.
   Thanks to David Miller for spotting this.
   We have dropped this patch in V2 and will submit a more complete patch which
   uses sftids_in_use counter later on.
 - Fixed a 'checkpatch.pl --strict' warning on Patch 5/8
   (cxgb4-Add-API-to-correctly-calculate-tuple-fields.patch).
 - Removed some un-used #defines from Patch 5/8
   (cxgb4-Add-API-to-correctly-calculate-tuple-fields.patch).
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
2013-12-22 18:09:24 -05:00
Kumar Sanghvi
41b4f86c13 RDMA/cxgb4: Use cxgb4_select_ntuple to correctly calculate ntuple fields
Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:08 -05:00
Kumar Sanghvi
8c04469057 RDMA/cxgb4: Server filters are supported only for IPv4
Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:08 -05:00
Kumar Sanghvi
a4ea025fc2 RDMA/cxgb4: Calculate the filter server TID properly
Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:08 -05:00
Kumar Sanghvi
dcf7b6f5bd cxgb4: Add API to correctly calculate tuple fields
Adds API cxgb4_select_ntuple so as to enable Upper Level Drivers to correctly
calculate the tuple fields.

Adds constant definitions for TP_VLAN_PRI_MAP for the Compressed
Filter Tuple field widths and structures and uses them.

Also, the CPL Parameters field for T5 is 40 bits so we need to prototype
cxgb4_select_ntuple() to calculate and return u64 values.

Based on original work by Casey Leedom <leedom@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:08 -05:00
Kumar Sanghvi
15f63b74c2 cxgb4: Account for stid entries properly in case of IPv6
IPv6 uses 2 TIDs with CLIP enabled and 4 TIDs without CLIP.
Currently we are incrementing STIDs in use by 1 for both IPv4 and IPv6 which
is wrong.

Further, driver currently does not have interface to query if CLIP is programmed
for particular IPv6 address. So, in this patch we increment/decrement TIDs in use
by 4 for IPv6 assuming absence of CLIP. Such assumption keeps us on safe side and
we don't end up allocating more stids for IPv6 than actually supported.

Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:08 -05:00
Kumar Sanghvi
470c60c47a cxgb4: Assign filter server TIDs properly
The LE workaround code is incorrectly reusing the TCAM TIDs
(meant for allocation by firmware in case of hash collisions) for filter
servers. This patch assigns the filter server TIDs properly starting from
sftid_base index.

Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:07 -05:00
Kumar Sanghvi
7c89e5550c cxgb4: Include TCP as protocol when creating server filters
We were creating LE Workaround Server Filters without specifying
IPPROTO_TCP (6) in the filters (when F_PROTOCOL is set in TP_VLAN_PRI_MAP).
This meant that UDP packets with matching IP Addresses/Ports would get
caught up in the filter and be delivered to ULDs like iw_cxgb4.
So, include the protocol information in the server filter properly.

Based on original work by Casey Leedom <leedom@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:07 -05:00
Kumar Sanghvi
b6f8eaece6 cxgb4: Reserve stid 0 for T4/T5 adapters
When creating offload server entries, an IPv6 passive connection request
can trigger a reply with a null STID, whereas the driver would expect
the reply 'STID to match the value used for the request.
This happens due to h/w limitation on T4 and T5.

This patch ensures that STID 0 is never used if the stid range starts
from zero.

Based on original work by Santosh Rastapur <santosh@chelsio.com>

Signed-off-by: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-22 18:09:07 -05:00
David S. Miller
6eb3c2822e Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:

====================
Please consider pulling this batch of fixes for the 3.13 stream...

For the mac80211 bits, Johannes says:

"Here's a fix for another potential radiotap parser buffer overrun thanks
to Evan Huus, and a fix for a cfg80211 warning in a certain corner case
(reconnecting to the same BSS)."

For the bluetooth bits, Gustavo says:

"Two patches in this pull request. An important fix from Marcel in the
permission check for HCI User Channels, there was a extra check for
CAP_NET_RAW, and it was now removed. These channels should only require
CAP_NET_ADMIN. The other patch is a device id addition."

On top of that...

Sujith Manoharan provides a workaround for a hardware problem that
can result in lost interrupts.

Larry Finger fixes an oops when unloading the rtlwifi driver (Red
Hat bug 852761).

Mathy Vanhoef fixes a somewhat minor MAC address privacy issue
(CVE-2013-4579).
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-21 22:34:53 -05:00
Haiyang Zhang
a68f961461 hyperv: Fix race between probe and open calls
Moving the register_netdev to the end of probe to prevent
possible open call happens before NetVSP is connected.

Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-21 22:23:06 -05:00
John W. Linville
76ae07df25 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-12-20 15:40:06 -05:00
Wang Weidong
965cdea825 dccp: catch failed request_module call in dccp_probe init
Check the return value of request_module during dccp_probe initialisation,
bail out if that call fails.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Wang Weidong <wangweidong1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 19:25:50 -05:00
David S. Miller
b1aca94efa Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net
Jeff Kirsher says:

====================
Intel Wired LAN Driver Updates

This series contains updates to net, ixgbe and e1000e.

David provides compiler fixes for e1000e.

Don provides a fix for ixgbe to resolve a compile warning.

John provides a fix to net where it is useful to be able to walk all
upper devices when bringing a device online where the RTNL lock is held.
In this case, it is safe to walk the all_adj_list because the RTNL lock is
used to protect the write side as well.  This patch adds a check to see
if the RTNL lock is held before throwing a warning in
netdev_all_upper_get_next_dev_rcu().
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 19:23:54 -05:00
Leigh Brown
1a1f20bc9d net: mvmdio: fix interrupt timeout handling
This version corrects the whitespace issue.

orion_mdio_wait_ready uses wait_event_timeout to wait for the
SMI interrupt to fire.  wait_event_timeout waits for between
"timeout - 1" and "timeout" jiffies.  In this case a 1ms timeout
when HZ is 1000 results in a wait of 0 to 1 jiffies, causing
premature timeouts.

This fix ensures a minimum timeout of 2 jiffies, ensuring
wait_event_timeout will always wait at least 1 jiffie.

Issue reported by Nicolas Schichan.

Tested-by: Nicolas Schichan <nschichan@freebox.fr>
Signed-off-by: Leigh Brown <leigh@solinno.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 19:20:44 -05:00
Betty Dall
a4f6363476 atl1c: Check return from pci_find_ext_capability() in atl1c_reset_pcie()
The function atl1c_reset_pcie() does not check the return from
pci_find_ext_cabability() where it is getting the postion of the
PCI_EXT_CAP_ID_ERR. It is possible for the return to be 0.

Signed-off-by: Betty Dall <betty.dall@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 19:14:42 -05:00
Li RongQing
24f5b855e1 ipv6: always set the new created dst's from in ip6_rt_copy
ip6_rt_copy only sets dst.from if ort has flag RTF_ADDRCONF and RTF_DEFAULT.
but the prefix routes which did get installed by hand locally can have an
expiration, and no any flag combination which can ensure a potential from
does never expire, so we should always set the new created dst's from.

This also fixes the new created dst is always expired since the ort, which
is created by RA, maybe has RTF_EXPIRES and RTF_ADDRCONF, but no RTF_DEFAULT.

Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
CC: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 18:35:21 -05:00
Eric Dumazet
7a2a84518c net: fec: fix potential use after free
skb_tx_timestamp(skb) should be called _before_ TX completion
has a chance to trigger, otherwise it is too late and we access
freed memory.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: de5fb0a053 ("net: fec: put tx to napi poll function to fix dead lock")
Cc: Frank Li <Frank.Li@freescale.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Frank Li <Frank.Li@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 18:03:25 -05:00
Michal Schmidt
c047e07073 bnx2x: downgrade "valid ME register value" message level
"valid ME register value" is not an error. It should be logged for
debugging only.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Acked-by: Yuval Mintz <yuvalmin@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 15:16:16 -05:00
Salva Peiró
8e3fbf8704 hamradio/yam: fix info leak in ioctl
The yam_ioctl() code fails to initialise the cmd field
of the struct yamdrv_ioctl_cfg. Add an explicit memset(0)
before filling the structure to avoid the 4-byte info leak.

Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 15:09:38 -05:00
Wenliang Fan
e9db5c21d3 drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
	s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 15:02:14 -05:00
Wei Yongjun
0c8d087c04 xen-netback: fix some error return code
'err' is overwrited to 0 after maybe_pull_tail() call, so the error
code was not set if skb_partial_csum_set() call failed. Fix to return
error -EPROTO from those error handling case instead of 0.

Fixes: d52eb0d46f ('xen-netback: make sure skb linear area covers checksum field')
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 14:58:47 -05:00
Daniel Borkmann
b1aac815c0 net: inet_diag: zero out uninitialized idiag_{src,dst} fields
Jakub reported while working with nlmon netlink sniffer that parts of
the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].

In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
memory through this. At least, in udp_dump_one(), we allocate a skb in ...

  rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);

... and then pass that to inet_sk_diag_fill() that puts the whole struct
inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
r->id.idiag_dst[0] and leave the rest untouched:

  r->id.idiag_src[0] = inet->inet_rcv_saddr;
  r->id.idiag_dst[0] = inet->inet_daddr;

struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
fully filled out in IPv6 case, but for IPv4 not.

So just zero them out by using plain memset (for this little amount of
bytes it's probably not worth the extra check for idiag_family == AF_INET).

Similarly, fix also other places where we fill that out.

Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-19 14:55:52 -05:00
Eric Dumazet
58a4782449 ipv6: sit: update mtu check to take care of gso packets
While testing my changes for TSO support in SIT devices,
I was using sit0 tunnel which appears to include nopmtudisc flag.

But using :

ip tun add sittun mode sit remote $REMOTE_IPV4 local $LOCAL_IPV4 \
   dev $IFACE

We get a tunnel which rejects too long packets because of the mtu check
which is not yet GSO aware.

erd:~# ip tunnel
sittun: ipv6/ip  remote 10.246.17.84  local 10.246.17.83  ttl inherit  6rd-prefix 2002::/16
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16

This patch is based on an excellent report from
Michal Shmidt.

In the future, we probably want to extend the MTU check to do the
right thing for GSO packets...

Fixes: ("61c1db7fae21 ipv6: sit: add GSO/TSO support")
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:55:24 -05:00
Hannes Frederic Sowa
4df98e76cd ipv6: pmtudisc setting not respected with UFO/CORK
Sockets marked with IPV6_PMTUDISC_PROBE (or later IPV6_PMTUDISC_INTERFACE)
don't respect this setting when the outgoing interface supports UFO.

We had the same problem in IPv4, which was fixed in commit
daba287b29 ("ipv4: fix DO and PROBE pmtu
mode regarding local fragmentation with UFO/CORK").

Also IPV6_DONTFRAG mode did not care about already corked data, thus
it may generate a fragmented frame even if this socket option was
specified. It also did not care about the length of the ipv6 header and
possible options.

In the error path allow the user to receive the pmtu notifications via
both, rxpmtu method or error queue. The user may opted in for both,
so deliver the notification to both error handlers (the handlers check
if the error needs to be enqueued).

Also report back consistent pmtu values when sending on an already
cork-appended socket.

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:52:15 -05:00
Peter Korsgaard
4263c86dca dm9601: work around tx fifo sync issue on dm962x
Certain dm962x revisions contain an bug, where if a USB bulk transfer retry
(E.G. if bulk crc mismatch) happens right after a transfer with odd or
maxpacket length, the internal tx hardware fifo gets out of sync causing
the interface to stop working.

Work around it by adding up to 3 bytes of padding to ensure this situation
cannot trigger.

This workaround also means we never pass multiple-of-maxpacket size skb's
to usbnet, so the length adjustment to handle usbnet's padding of those can
be removed.

Cc: <stable@vger.kernel.org>
Reported-by: Joseph Chang <joseph_chang@davicom.com.tw>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard
cabd0e3a38 dm9601: make it clear that dm9620/dm9621a are also supported
The driver nowadays also support dm9620/dm9621a based USB 2.0 ethernet
adapters, so adjust module/driver description and Kconfig help text to
match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard
407900cfb5 dm9601: fix reception of full size ethernet frames on dm9620/dm9621a
dm9620/dm9621a require room for 4 byte padding even in dm9601 (3 byte
header) mode.

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Peter Korsgaard
3b3878926c dm9601: add support for dm9621a based dongle
dm9621a is functionally identical to dm9620, so the existing handling can
directly be used.

Thanks to Davicom for sending me a dongle.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:46:55 -05:00
Timo Teräs
0e3da5bb8d ip_gre: fix msg_name parsing for recvfrom/recvmsg
ipgre_header_parse() needs to parse the tunnel's ip header and it
uses mac_header to locate the iphdr. This got broken when gre tunneling
was refactored as mac_header is no longer updated to point to iphdr.
Introduce skb_pop_mac_header() helper to do the mac_header assignment
and use it in ipgre_rcv() to fix msg_name parsing.

Bug introduced in commit c544193214 (GRE: Refactor GRE tunneling code.)

Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 17:44:33 -05:00
Mugunthan V N
a81d8762d7 drivers: net cpsw: Enable In Band mode in cpsw for 10 mbps
This patch adds support for enabling In Band mode in 10 mbps speed.
RGMII supports 1 Gig and 100 mbps mode for Forced mode of operation.
For 10mbps mode it should be configured to in band mode so that link
status, duplexity and speed are determined from the RGMII input data
stream

Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:54:19 -05:00
David S. Miller
405a96d6ea Merge branch 'bond_locking'
Ding Tianhong says:

====================
Jay Vosburgh said that the bond_3ad_adapter_speed_changed and
bond_3ad_adapter_duplex_changed is called with RTNL only, and
the functions will modify the port's information with no further
locking, they will not mutex against bond state machine and
incoming LACPDU which do not hold RTNL, So I add port lock to
protect the port information.

But they are not critical bugs, they exist since day one, and till
now they have never been hit and reported, because change for speed
and duplex is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup the comments together.
====================

Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:34 -05:00
dingtianhong
108db73637 bonding: protect port for bond_3ad_handle_link_change()
The bond_3ad_handle_link_change is called with RTNL only,
and the function will modify the port's information with
no further locking, it will not mutex against bond state
machine and incoming LACPDU which do not hold RTNL, So I
add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup it and
add a new pr_debug to debug the port message.

Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:26 -05:00
dingtianhong
bca44a7341 bonding: protect port for bond_3ad_adapter_duplex_changed()
Jay Vosburgh said that the bond_3ad_adapter_duplex_changed is
called with RTNL only, and the function will modify the port's
information with no further locking, it will not mutex against
bond state machine and incoming LACPDU which do not hold RTNL,
So I add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comments in the function is very old, cleanup it.

Suggested-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:26 -05:00
dingtianhong
71a06c59d1 bonding: protect port for bond_3ad_adapter_speed_changed()
Jay Vosburgh said that the bond_3ad_adapter_speed_changed is
called with RTNL only, and the function will modify the port's
information with no further locking, it will not mutex against
bond state machine and incoming LACPDU which do not hold RTNL,
So I add __get_state_machine_lock to protect the port.

But it is not a critical bug, it exist since day one, and till
now it has never been hit and reported, because changes to
speed is very rare, and will not occur critical problem.

The comment in the function is very old, cleanup it.

Suggested-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-12-18 16:52:25 -05:00
John W. Linville
b7e0473584 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2013-12-18 13:46:08 -05:00
Don Skidmore
8f48f5bc75 ixgbe: fix for unused variable warning with certain config
If CONFIG_PCI_IOV isn't defined we get an "unused variable" warining so
now wrap the variable declaration like it's usage already was.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:52:40 -08:00
David Ertman
7509963c70 e1000e: Fix a compile flag mis-match for suspend/resume
This patch addresses a mis-match between the declaration and usage of
the e1000_suspend and e1000_resume functions.  Previously, these
functions were declared in a CONFIG_PM_SLEEP wrapper, and then utilized
within a CONFIG_PM wrapper.  Both the declaration and usage will now be
contained within CONFIG_PM wrappers.

Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:45:03 -08:00
David Ertman
918a4308ba e1000e: fix compiler warning (maybe-unitialized variable)
This patch is to fix a compiler warning of maybe-uininitialized-variable
that is generated from gcc when the -O3 flag is used.  In the function
e1000_reset_hw_80003es2lan(), the variable krmn_reg_data is first given
a value by being passed to a register read function as a
pass-by-reference parameter.  But, the return value of that read
function was never checked to see if the read failed and the variable
not given an initial value.  The compiler was smart enough to spot
this.  This patch is to check the return value for that read function
and return it, if an error occurs, without trying to utilize the value
in kmrn_reg_data.

Signed-off-by: David Ertman <davidx.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 22:20:49 -08:00
David Ertman
9e6c3b6339 e1000e: fix compiler warnings
This patch is to fix a compiler warning of __bad_udelay due to a value
of >999 being passed as a parameter to udelay() in the function
e1000e_phy_has_link_generic().  This affects the gcc compiler when
it is given a flag of -O3 and the icc compiler.

This patch is also making the change from mdelay() to msleep() in the
same function, since it was determined though code inspection that this
function is never called in atomic context.

Signed-off-by: David Ertman <davidx.m.ertman@intel.com>
Acked-by: Bruce Allan <bruce.w.allan@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-12-17 21:52:39 -08:00