1. 03 Jun, 2016 13 commits
  2. 02 Jun, 2016 6 commits
    • Eric Dumazet's avatar
      Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing") · ce25d66a
      Eric Dumazet authored
      Paul Moore tracked a regression caused by a recent commit, which
      mistakenly assumed that sk_filter() could be avoided if socket
      had no current BPF filter.
      
      The intent was to avoid udp_lib_checksum_complete() overhead.
      
      But sk_filter() also checks skb_pfmemalloc() and
      security_sock_rcv_skb(), so better call it.
      
      Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarPaul Moore <paul@paul-moore.com>
      Tested-by: default avatarPaul Moore <paul@paul-moore.com>
      Tested-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Cc: samanthakumar <samanthakumar@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce25d66a
    • Vincent Palatin's avatar
      stmmac: do not sleep in atomic context for mdio_reset · f55d84b0
      Vincent Palatin authored
      stmmac_mdio_reset() has been updated to use msleep rather udelay
      (as some PHY requires a one second delay there).
      It called from stmmac_resume() within the spin_lock_irqsave block
      atomic context triggering 'scheduling while atomic'.
      
      The stmmac_priv lock usage is not fully documented, but it seems
      to protect the access to the MAC registers / DMA structures rather
      than the MDIO bus or the PHY (which have separate locking),
      so we can push the spin_lock after the stmmac_mdio_reset call.
      Signed-off-by: default avatarVincent Palatin <vpalatin@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f55d84b0
    • Arnd Bergmann's avatar
      qed: fix qed_fill_link() error handling · 14b84e86
      Arnd Bergmann authored
      gcc warns about qed_fill_link possibly accessing uninitialized data:
      
      drivers/net/ethernet/qlogic/qed/qed_main.c: In function 'qed_fill_link':
      drivers/net/ethernet/qlogic/qed/qed_main.c:1170:35: error: 'link_caps' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      While this warning is only about the specific case of CONFIG_QED_SRIOV
      being disabled but the function getting called for a VF (which should
      never happen), another possibility is that qed_mcp_get_*() fails without
      returning data.
      
      This rearranges the code so we bail out in either of the two cases
      and print a warning instead of accessing the uninitialized data.
      
      The qed_link_output structure remains untouched in this case, but
      all callers first call memset() on it, so at least we are not leaking
      stack data then.
      
      As discussed, we also use a compile-time check to ensure we never
      use any of the VF code if CONFIG_QED_SRIOV is disabled, and the
      PCI device table is updated to no longer bind to virtual functions
      in that configuration.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarYuval Mintz <Yuval.Mintz@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14b84e86
    • Colin Ian King's avatar
      net/ethoc: fix null dereference on error exit path · bfa49cfc
      Colin Ian King authored
      priv is assigned to NULL however some of the early error exit paths to
      label 'free' dereference priv, causing a null pointer dereference.
      
      Move the label 'free' to just the free_netdev statement, and add a new
      exit path 'free2' for the error cases were clk_disable_unprepare needs
      calling before the final free.
      
      Fixes issue found by CoverityScan, CID#113260
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfa49cfc
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fc14963f
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
         y2038 safe timestamp, from Florian Westphal.
      
      2) Get rid of leftover conntrack definition from the previous merge
         window, oneliner from Florian.
      
      3) Make nf_queue handler pernet to resolve race on dereferencing the
         hook state structure with netns removal, from Eric Biederman.
      
      4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.
      
      5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
         generalizing xt_TEE to add packet duplication support in nf_tables,
         from Paolo Abeni.
      
      6) Insufficient netlink NFTA_SET_TABLE attribute check in
         nf_tables_getset(), from Phil Turnbull.
      
      7) Reject helper registration on duplicated ports via modparams.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc14963f
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2016-06-01' of... · 31843af4
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2016-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Three small fixes for the current cycle:
       * missing netlink attribute check in hwsim wmediumd (Martin)
       * fast xmit structure alignment fix (Felix)
       * mesh path flush/synchronisation fix (Bob)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31843af4
  3. 01 Jun, 2016 3 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6b15d665
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix negative error code usage in ATM layer, from Stefan Hajnoczi.
      
       2) If CONFIG_SYSCTL is disabled, the default TTL is not initialized
          properly.  From Ezequiel Garcia.
      
       3) Missing spinlock init in mvneta driver, from Gregory CLEMENT.
      
       4) Missing unlocks in hwmb error paths, also from Gregory CLEMENT.
      
       5) Fix deadlock on team->lock when propagating features, from Ivan
          Vecera.
      
       6) Work around buffer offset hw bug in alx chips, from Feng Tang.
      
       7) Fix double listing of SCTP entries in sctp_diag dumps, from Xin
          Long.
      
       8) Various statistics bug fixes in mlx4 from Eric Dumazet.
      
       9) Fix some randconfig build errors wrt fou ipv6 from Arnd Bergmann.
      
      10) All of l2tp was namespace aware, but the ipv6 support code was not
          doing so.  From Shmulik Ladkani.
      
      11) Handle on-stack hrtimers properly in pktgen, from Guenter Roeck.
      
      12) Propagate MAC changes properly through VLAN devices, from Mike
          Manning.
      
      13) Fix memory leak in bnx2x_init_one(), from Vitaly Kuznetsov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (62 commits)
        sfc: Track RPS flow IDs per channel instead of per function
        usbnet: smsc95xx: fix link detection for disabled autonegotiation
        virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv
        bnx2x: avoid leaking memory on bnx2x_init_one() failures
        fou: fix IPv6 Kconfig options
        openvswitch: update checksum in {push,pop}_mpls
        sctp: sctp_diag should dump sctp socket type
        net: fec: update dirty_tx even if no skb
        vlan: Propagate MAC address to VLANs
        atm: iphase: off by one in rx_pkt()
        atm: firestream: add more reserved strings
        vxlan: Accept user specified MTU value when create new vxlan link
        net: pktgen: Call destroy_hrtimer_on_stack()
        timer: Export destroy_hrtimer_on_stack()
        net: l2tp: Make l2tp_ip6 namespace aware
        Documentation: ip-sysctl.txt: clarify secure_redirects
        sfc: use flow dissector helpers for aRFS
        ieee802154: fix logic error in ieee802154_llsec_parse_dev_addr
        net: nps_enet: Disable interrupts before napi reschedule
        net/lapb: tuse %*ph to dump buffers
        ...
      6b15d665
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 58c1f995
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "sparc64 mmu context allocation and trap return bug fixes"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix return from trap window fill crashes.
        sparc: Harden signal return frame checks.
        sparc64: Take ctx_alloc_lock properly in hugetlb_setup().
      58c1f995
    • Jon Cooper's avatar
      sfc: Track RPS flow IDs per channel instead of per function · faf8dcc1
      Jon Cooper authored
      Otherwise we get confused when two flows on different channels get the
       same flow ID.
      Signed-off-by: default avatarEdward Cree <ecree@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      faf8dcc1
  4. 31 May, 2016 18 commits
    • Christoph Fritz's avatar
      usbnet: smsc95xx: fix link detection for disabled autonegotiation · d69d1694
      Christoph Fritz authored
      To detect link status up/down for connections where autonegotiation is
      explicitly disabled, we don't get an irq but need to poll the status
      register for link up/down detection.
      This patch adds a workqueue to poll for link status.
      Signed-off-by: default avatarChristoph Fritz <chf.fritz@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d69d1694
    • wangyunjian's avatar
      virtio_net: fix virtnet_open and virtnet_probe competing for try_fill_recv · f00e35e2
      wangyunjian authored
      In function virtnet_open() and virtnet_probe(), func try_fill_recv() may
      be executed at the same time. VQ in virtqueue_add() has not been protected
      well and BUG_ON will be triggered when virito_net.ko being removed.
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f00e35e2
    • Vitaly Kuznetsov's avatar
      bnx2x: avoid leaking memory on bnx2x_init_one() failures · bae5499c
      Vitaly Kuznetsov authored
      bnx2x_init_bp() allocates memory with bnx2x_alloc_mem_bp() so if we
      fail later in bnx2x_init_one() we need to free this memory
      with bnx2x_free_mem_bp() to avoid leakages. E.g. I'm observing memory
      leaks reported by kmemleak when a failure (unrelated) happens in
      bnx2x_vfpf_acquire().
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Acked-by: default avatarYuval Mintz <Yuval.Mintz@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bae5499c
    • Arnd Bergmann's avatar
      fou: fix IPv6 Kconfig options · 95e4daa8
      Arnd Bergmann authored
      The Kconfig options I added to work around broken compilation ended
      up screwing up things more, as I used the wrong symbol to control
      compilation of the file, resulting in IPv6 fou support to never be built
      into the kernel.
      
      Changing CONFIG_NET_FOU_IPV6_TUNNELS to CONFIG_IPV6_FOU fixes that
      problem, I had renamed the symbol in one location but not the other,
      and as the file is never being used by other kernel code, this did not
      lead to a build failure that I would have caught.
      
      After that fix, another issue with the same patch becomes obvious, as we
      'select INET6_TUNNEL', which is related to IPV6_TUNNEL, but not the same,
      and this can still cause the original build failure when IPV6_TUNNEL is
      not built-in but IPV6_FOU is. The fix is equally trivial, we just need
      to select the right symbol.
      
      I have successfully build 350 randconfig kernels with this patch
      and verified that the driver is now being built.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarValentin Rothberg <valentinrothberg@gmail.com>
      Fixes: fabb13db ("fou: add Kconfig options for IPv6 support")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      95e4daa8
    • Simon Horman's avatar
      openvswitch: update checksum in {push,pop}_mpls · bc7cc599
      Simon Horman authored
      In the case of CHECKSUM_COMPLETE the skb checksum should be updated in
      {push,pop}_mpls() as they the type in the ethernet header.
      
      As suggested by Pravin Shelar.
      
      Cc: Pravin Shelar <pshelar@nicira.com>
      Fixes: 25cd9ba0 ("openvswitch: Add basic MPLS support to kernel")
      Signed-off-by: default avatarSimon Horman <simon.horman@netronome.com>
      Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc7cc599
    • Xin Long's avatar
      sctp: sctp_diag should dump sctp socket type · 40eb90e9
      Xin Long authored
      Now we cannot distinguish that one sk is a udp or sctp style when
      we use ss to dump sctp_info. it's necessary to dump it as well.
      
      For sctp_diag, ss support is not officially available, thus there
      are no official users of this yet, so we can add this field in the
      middle of sctp_info without breaking user API.
      
      v1->v2:
        - move 'sctpi_s_type' field to the end of struct sctp_info, so
          that it won't cause incompatibility with applications already
          built.
        - add __reserved3 in sctp_info to make sure sctp_info is 8-byte
          alignment.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40eb90e9
    • Troy Kisky's avatar
      net: fec: update dirty_tx even if no skb · 7fafe803
      Troy Kisky authored
      If dirty_tx isn't updated, then dma_unmap_single
      can be called twice.
      
      This fixes a
      [   58.420980] ------------[ cut here ]------------
      [   58.425667] WARNING: CPU: 0 PID: 377 at /home/schurig/d/mkarm/linux-4.5/lib/dma-debug.c:1096 check_unmap+0x9d0/0xab8()
      [   58.436405] fec 2188000.ethernet: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=66 bytes]
      
      encountered by Holger
      Signed-off-by: default avatarTroy Kisky <troy.kisky@boundarydevices.com>
      Tested-by: <holgerschurig@gmail.com>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7fafe803
    • Mike Manning's avatar
      vlan: Propagate MAC address to VLANs · 308453aa
      Mike Manning authored
      The MAC address of the physical interface is only copied to the VLAN
      when it is first created, resulting in an inconsistency after MAC
      address changes of only newly created VLANs having an up-to-date MAC.
      
      The VLANs should continue inheriting the MAC address of the physical
      interface until the VLAN MAC address is explicitly set to any value.
      This allows IPv6 EUI64 addresses for the VLAN to reflect any changes
      to the MAC of the physical interface and thus for DAD to behave as
      expected.
      Signed-off-by: default avatarMike Manning <mmanning@brocade.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      308453aa
    • Dan Carpenter's avatar
      atm: iphase: off by one in rx_pkt() · f2633d2e
      Dan Carpenter authored
      The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code
      assumes that pointers are 32 bits).  So the > here should be >= or else
      we could end up reading a garbage pointer from one element beyond the
      end of the array.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2633d2e
    • Dan Carpenter's avatar
      atm: firestream: add more reserved strings · 86f04396
      Dan Carpenter authored
      This bug was there when the driver was first added in back in year 2000.
      It causes a Smatch warning:
      
          drivers/atm/firestream.c:849 process_incoming()
          error: buffer overflow 'res_strings' 60 <= 63
      
      There are supposed to be 64 entries in this array and the missing
      strings are clearly in the 30 40 range.  I added them as reserved 37 to
      reserved 40.  It's possible that strings are really supposed to be added
      in the middle instead of at the end, but this approach is safe, in that
      it fixes the bug and doesn't break anything that wasn't already broken.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f04396
    • Chen Haiquan's avatar
      vxlan: Accept user specified MTU value when create new vxlan link · ce577668
      Chen Haiquan authored
      When create a new vxlan link, example:
        ip link add vtap mtu 1440 type vxlan vni 1 dev eth0
      
      The argument "mtu" has no effect, because it is not set to conf->mtu. The
      default value is used in vxlan_dev_configure function.
      
      This problem was introduced by commit 0dfbdf41 (vxlan: Factor out device
      configuration).
      
      Fixes: 0dfbdf41 (vxlan: Factor out device configuration)
      Signed-off-by: default avatarChen Haiquan <oc@yunify.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce577668
    • Guenter Roeck's avatar
      net: pktgen: Call destroy_hrtimer_on_stack() · bcf91bdb
      Guenter Roeck authored
      If CONFIG_DEBUG_OBJECTS_TIMERS=y, hrtimer_init_on_stack() requires
      a matching call to destroy_hrtimer_on_stack() to clean up timer
      debug objects.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bcf91bdb
    • Guenter Roeck's avatar
      timer: Export destroy_hrtimer_on_stack() · c08376ac
      Guenter Roeck authored
      hrtimer_init_on_stack() needs a matching call to
      destroy_hrtimer_on_stack(), so both need to be exported.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c08376ac
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 367d3fd5
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "Three bugs fixes and an update for the default configuration"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: fix info leak in do_sigsegv
        s390/config: update default configuration
        s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop
        s390/bpf: reduce maximum program size to 64 KB
      367d3fd5
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 5eca8317
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "A bunch of GPIO fixes for the v4.7 series:
      
         - Drop the lock before reading out the GPIO direction setting in
           drivers supporting the .get_direction() callback: some of them may
           be slowpath.
      
         - Flush GPIO direction setting before locking a GPIO as an IRQ: some
           electronics or other poking around in the registers behind our back
           may have happened, so flush the direction status before trying to
           lock the line for use by IRQs.
      
         - Bail out silently when asked to perform operations on NULL GPIO
           descriptors.  That is what all the get_*_optional() is about: we
           get optional GPIO handles, if they are not there, we get NULL.
      
         - Handle compatible ioctl() correctly: we need to convert the ioctl()
           pointer using compat_ptr() here like everyone else.
      
         - Disable the broken .to_irq() on the LPC32xx platform.  The whole
           irqchip infrastructure was replaced in the last merge window, and a
           new implementation will be needed"
      
      * tag 'gpio-v4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: drop lock before reading GPIO direction
        gpio: bail out silently on NULL descriptors
        gpio: handle compatible ioctl() pointers
        gpio: flush direction status in gpiochip_lock_as_irq()
        gpio: lpc32xx: disable broken to_irq support
      5eca8317
    • Felix Fietkau's avatar
      mac80211: fix fast_tx header alignment · 6fe04128
      Felix Fietkau authored
      The header field is defined as u8[] but also accessed as struct
      ieee80211_hdr. Enforce an alignment of 2 to prevent unnecessary
      unaligned accesses, which can be very harmful for performance on many
      platforms.
      
      Fixes: e495c247 ("mac80211: extend fast-xmit for more ciphers")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6fe04128
    • Bob Copeland's avatar
      mac80211: mesh: flush mesh paths unconditionally · fe7a7c57
      Bob Copeland authored
      Currently, the mesh paths associated with a nexthop station are cleaned
      up in the following code path:
      
          __sta_info_destroy_part1
          synchronize_net()
          __sta_info_destroy_part2
           -> cleanup_single_sta
             -> mesh_sta_cleanup
               -> mesh_plink_deactivate
                 -> mesh_path_flush_by_nexthop
      
      However, there are a couple of problems here:
      
      1) the paths aren't flushed at all if the MPM is running in userspace
         (e.g. when using wpa_supplicant or authsae)
      
      2) there is no synchronize_rcu between removing the path and readers
         accessing the nexthop, which means the following race is possible:
      
      CPU0                            CPU1
      ~~~~                            ~~~~
                                      sta_info_destroy_part1()
                                      synchronize_net()
      rcu_read_lock()
      mesh_nexthop_resolve()
        mpath = mesh_path_lookup()
                                      [...] -> mesh_path_flush_by_nexthop()
        sta = rcu_dereference(
          mpath->next_hop)
                                      kfree(sta)
        access sta <-- CRASH
      
      Fix both of these by unconditionally flushing paths before destroying
      the sta, and by adding a synchronize_net() after path flush to ensure
      no active readers can still dereference the sta.
      
      Fixes this crash:
      
      [  348.529295] BUG: unable to handle kernel paging request at 00020040
      [  348.530014] IP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] *pde = 00000000
      [  348.530014] Oops: 0000 [#1] PREEMPT
      [  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
      [  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
      [  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
      [  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
      [  348.530014] EIP: 0060:[<f929245d>] EFLAGS: 00010246 CPU: 0
      [  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
      [  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
      [  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      [  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
      [  348.530014] Stack:
      [  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
      [  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
      [  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
      [  348.530014] Call Trace:
      [  348.530014]  [<f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
      [  348.530014]  [<f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
      [  348.530014]  [<f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
      [  348.530014]  [<f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
      [  348.530014]  [<c04df012>] ? sch_direct_xmit+0xd7/0x1b3
      [  348.530014]  [<c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
      [  348.530014]  [<f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
      [  348.530014]  [<f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
      [  348.530014]  [<c04c6f45>] ? netif_skb_features+0x14d/0x30a
      [  348.530014]  [<f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
      [  348.530014]  [<f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
      [  348.530014]  [<f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
      [  348.530014]  [<f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
      [  348.530014]  [<f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
      [  348.530014]  [<f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
      [  348.530014]  [<f843a35f>] br_forward_finish+0x29/0x74 [bridge]
      [  348.530014]  [<f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
      [  348.530014]  [<f843a714>] __br_forward+0x89/0xe7 [bridge]
      [  348.530014]  [<f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
      [  348.530014]  [<f843a234>] deliver_clone+0x34/0x3b [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843a66d>] br_flood+0x77/0x95 [bridge]
      [  348.530014]  [<f843a809>] br_flood_forward+0x13/0x1a [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
      [  348.530014]  [<c04e9b2b>] ? nf_iterate+0x2b/0x6b
      [  348.530014]  [<f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
      [  348.530014]  [<f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
      [  348.530014]  [<c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
      [  348.530014]  [<f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
      [  348.530014]  [<c023cea4>] ? resched_curr+0x19/0x37
      [  348.530014]  [<c0240707>] ? check_preempt_wakeup+0xbf/0xfe
      [  348.530014]  [<c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
      [  348.530014]  [<c04c4fc1>] __netif_receive_skb+0x47/0x55
      [  348.530014]  [<c04c57ba>] netif_receive_skb_internal+0x40/0x5a
      [  348.530014]  [<c04c61ef>] napi_gro_receive+0x3a/0x94
      [  348.530014]  [<f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
      [  348.530014]  [<c0242bd8>] ? swake_up_locked+0x14/0x26
      [  348.530014]  [<c04c5d29>] net_rx_action+0xde/0x250
      [  348.530014]  [<c022a743>] __do_softirq+0x8a/0x163
      [  348.530014]  [<c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
      [  348.530014]  [<c021100f>] do_softirq_own_stack+0x26/0x2c
      [  348.530014]  <IRQ>
      [  348.530014]  [<c022a957>] irq_exit+0x31/0x6f
      [  348.530014]  [<c0210eb2>] do_IRQ+0x8d/0xa0
      [  348.530014]  [<c058152c>] common_interrupt+0x2c/0x40
      [  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
      [  348.530014] EIP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
      [  348.530014] CR2: 0000000000020040
      [  348.530014] ---[ end trace 48556ac26779732e ]---
      [  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
      [  348.530014] Kernel Offset: disabled
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Tested-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      fe7a7c57
    • Martin Willi's avatar
      mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL · 62397da5
      Martin Willi authored
      A wmediumd that does not send this attribute causes a NULL pointer
      dereference, as the attribute is accessed even if it does not exist.
      
      The attribute was required but never checked ever since userspace frame
      forwarding has been introduced. The issue gets more problematic once we
      allow wmediumd registration from user namespaces.
      
      Cc: stable@vger.kernel.org
      Fixes: 7882513b ("mac80211_hwsim driver support userspace frame tx/rx")
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      62397da5