- 11 Nov, 2014 4 commits
-
-
Daniel Borkmann authored
A very minimal and simple user space application allocating an SCTP socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing the socket again will leak the memory containing the authentication key from user space: unreferenced object 0xffff8800837047c0 (size 16): comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s) hex dump (first 16 bytes): 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0 [<ffffffff811c88d8>] __kmalloc+0xe8/0x270 [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp] [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp] [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp] [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20 [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0 [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17 [<ffffffffffffffff>] 0xffffffffffffffff This is bad because of two things, we can bring down a machine from user space when auth_enable=1, but also we would leave security sensitive keying material in memory without clearing it after use. The issue is that sctp_auth_create_key() already sets the refcount to 1, but after allocation sctp_auth_set_key() does an additional refcount on it, and thus leaving it around when we free the socket. Fixes: 65b07e5d ("[SCTP]: API updates to suport SCTP-AUTH extensions.") Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Daniel Borkmann authored
An SCTP server doing ASCONF will panic on malformed INIT ping-of-death in the form of: ------------ INIT[PARAM: SET_PRIMARY_IP] ------------> While the INIT chunk parameter verification dissects through many things in order to detect malformed input, it misses to actually check parameters inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary IP address' parameter in ASCONF, which has as a subparameter an address parameter. So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 and thus sctp_get_af_specific() returns NULL, too, which we then happily dereference unconditionally through af->from_addr_param(). The trace for the log: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp] PGD 0 Oops: 0000 [#1] SMP [...] Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp] [...] Call Trace: <IRQ> [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp] [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp] [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp] [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp] [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp] [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp] [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp] [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0 [...] A minimal way to address this is to check for NULL as we do on all other such occasions where we know sctp_get_af_specific() could possibly return with NULL. Fixes: d6de3097 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT") Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Takashi Iwai authored
In ppp_ioctl(), bpf_prog_create() is called inside ppp_lock, which eventually calls vmalloc() and hits BUG_ON() in vmalloc.c. This patch works around the problem by moving the allocation outside the lock. The bug was revealed by the recent change in net/core/filter.c, as it allocates via vmalloc() instead of kmalloc() now. Reported-and-tested-by: Stefan Seyfried <stefan.seyfried@googlemail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Or Gerlitz authored
Currenly we only support Large-Send and TX checksum offloads for encapsulated traffic of type VXLAN. We must make sure to advertize these offloads up to the stack only when VXLAN tunnel is set. Failing to do so, would mislead the the networking stack to assume that the driver can offload the internal TX checksum for GRE packets and other buggy schemes. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 10 Nov, 2014 6 commits
-
-
Anish Bhatt authored
Unlike CEE, IEEE has a bespoke app delete call and does not rely on priority for app deletion Fixes : 2376c879 ('cxgb4 : Improve handling of DCB negotiation or loss thereof') Signed-off-by: Anish Bhatt <anish@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesse Gross authored
When doing GRO processing for UDP tunnels, we never add SKB_GSO_UDP_TUNNEL to gso_type - only the type of the inner protocol is added (such as SKB_GSO_TCPV4). The result is that if the packet is later resegmented we will do GSO but not treat it as a tunnel. This results in UDP fragmentation of the outer header instead of (i.e.) TCP segmentation of the inner header as was originally on the wire. Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Hariprasad Shenai says: ==================== cxgb4/cxgb4vf: Misc. fixes for cxgb4vf For T5 use Packing and Padding Boundaries for SGE DMA transfers, move fl_starve_thres to adpater structure, since they are different for each adapter. The cxgb4vf driver's Free List Starvation Threshold needs to be larger than the SGE's Egress Congestion Threshold or we'll end up in a mutual stall where the driver waits for Ingress Packets to drive replacing Free List Pointers and the SGE waits for Free List Pointers before pushing Ingress Packets to the host. The patches series is created against 'net' tree. And includes patches on cxgb4 and cxgb4vf driver. We have included all the maintainers of respective drivers. Kindly review the change and let us know in case of any review comments. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Hariprasad Shenai authored
Free List Starvation Threshold needs to be larger than the SGE's Egress Congestion Threshold or we'll end up in a mutual stall where the driver waits for Ingress Packets to drive replacing Free List Pointers and the SGE waits for Free List Pointers before pushing Ingress Packets to the host. Based on original work by Casey Leedom <leedom@chelsio.com> Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Hariprasad Shenai authored
T5 introduces the ability to have separate Packing and Padding Boundaries for SGE DMA transfers from the chip to Host Memory. This change set takes advantage of that to set up a smaller Padding Boundary to conserve PCI Link and Memory Bandwidth with T5. Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Hariprasad Shenai authored
Move fl_starv_thres into adapter->sge data structure since it _could_ be different from adapter to adapter. Also move other per-adapter SGE values which had been treated as driver globals into adapter->sge. Based on original work by Casey Leedom <leedom@chelsio.com> Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 07 Nov, 2014 3 commits
-
-
Charles Keepax authored
commit 3cc81d85 ("asix: Don't reset PHY on if_up for ASIX 88772") causes the ethernet on Arndale to no longer function. This appears to be because the Arndale ethernet requires a full reset before it will function correctly, however simply reverting the above patch causes problems with ethtool settings getting reset. It seems the problem is that the ethernet is not properly reset during bind, and indeed the code in ax88772_bind that resets the device is a very small subset of the actual ax88772_reset function. This patch uses ax88772_reset in place of the existing reset code in ax88772_bind which removes some code duplication and fixes the ethernet on Arndale. It is still possible that the original patch causes some issues with suspend and resume but that seems like a separate issue and I haven't had a chance to test that yet. Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> Tested-by: Riku Voipio <riku.voipio@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Lothar Waßmann authored
commit 1b7bde6d ("net: fec: implement rx_copybreak to improve rx performance") introduced a regression for i.MX28. The swap_buffer() function doing the endian conversion of the received data on i.MX28 may access memory beyond the actual packet size in the DMA buffer. fec_enet_copybreak() does not copy those bytes, so that the last bytes of a packet may be filled with invalid data after swapping. This will likely lead to checksum errors on received packets. E.g. when trying to mount an NFS rootfs: UDP: bad checksum. From 192.168.1.225:111 to 192.168.100.73:44662 ulen 36 Do the byte swapping and copying to the new skb in one go if necessary. Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de> Tested-by: Fabio Estevam <fabio.estevam@freescale.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirelessDavid S. Miller authored
John W. Linville says: ==================== pull request: wireless 2014-11-06 Please pull this batch of fixes intended for the 3.18 stream... For the mac80211 bits, Johannes says: "This contains another small set of fixes for 3.18, these are all over the place and most of the bugs are old, one even dates back to the original mac80211 we merged into the kernel." For the iwlwifi bits, Emmanuel says: "I fix here two issues that are related to the firmware loading flow. A user reported that he couldn't load the driver because the rfkill line was pulled up while we were running the calibrations. This was happening while booting the system: systemd was restoring the "disable wifi settings" and that raised an RFKILL interrupt during the calibration. Our driver didn't handle that properly and this is now fixed." Please let me know if there are problems! ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 06 Nov, 2014 10 commits
-
-
Manish Chopra authored
o Poll for the link events only if firmware doesn't have capability to notify the driver for the link events. Signed-off-by: Manish Chopra <manish.chopra@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Govindarajulu Varadarajan authored
When we reuse the rx buffer, we need to update the desc. If not hardware sees stale value. In the following crash, when mtu is changed, hardware sees old rx buffer value and crashes on skb_put. Fix this by using enic_queue_rq_desc helper function which updates the necessary desc. [ 64.657376] skbuff: skb_over_panic: text:ffffffffa041f55d len:9010 put:9010 head:ffff8800d3ca9fc0 data:ffff8800d3caa000 tail:0x2372 end:0x640 dev:enp0s3 [ 64.659965] ------------[ cut here ]------------ [ 64.661322] kernel BUG at net/core/skbuff.c:100! [ 64.662644] invalid opcode: 0000 [#1] PREEMPT SMP [ 64.664001] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 cirrus ttm drm_kms_helper drm enic psmouse microcode evdev serio_raw syscopyarea sysfillrect sysimgblt i2c_piix4 i2c_core pcspkr nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod ata_generic virtio_balloon ata_piix libata uhci_hcd virtio_pci virtio_ring usbcore usb_common virtio scsi_mod [ 64.664834] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.17.0-netnext-10335-g942396b0-dirty #273 [ 64.664834] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 64.664834] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000 [ 64.664834] RIP: 0010:[<ffffffff81392cf1>] [<ffffffff81392cf1>] skb_panic+0x61/0x70 [ 64.664834] RSP: 0018:ffff880210603d48 EFLAGS: 00010292 [ 64.664834] RAX: 000000000000008c RBX: ffff88020b0f6930 RCX: 0000000000000000 [ 64.664834] RDX: 000000000000008c RSI: ffffffff8178b288 RDI: 00000000ffffffff [ 64.664834] RBP: ffff880210603d68 R08: 0000000000000001 R09: 0000000000000001 [ 64.664834] R10: 00000000000005ce R11: 0000000000000001 R12: ffff88020b1f0b40 [ 64.664834] R13: 000000000000a332 R14: ffff880209a1a000 R15: 0000000000000001 [ 64.664834] FS: 0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000 [ 64.664834] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 64.664834] CR2: 00007f6752935e48 CR3: 0000000035743000 CR4: 00000000000006f0 [ 64.664834] Stack: [ 64.664834] ffff8800d3caa000 0000000000002372 0000000000000640 ffff88020b1f0000 [ 64.664834] ffff880210603d78 ffffffff81392d54 ffff880210603e08 ffffffffa041f55d [ 64.664834] 0000000000000296 ffffffff00000000 00008e7e00008e7e ffff880200002332 [ 64.664834] Call Trace: [ 64.664834] <IRQ> [ 64.664834] [ 64.664834] [<ffffffff81392d54>] skb_put+0x54/0x60 [ 64.664834] [<ffffffffa041f55d>] enic_rq_service.constprop.47+0x3ad/0x730 [enic] [ 64.664834] [<ffffffffa041fa79>] enic_poll_msix_rq+0x199/0x370 [enic] [ 64.664834] [<ffffffff813a5499>] net_rx_action+0x139/0x210 [ 64.664834] [<ffffffff81290db3>] ? __this_cpu_preempt_check+0x13/0x20 [ 64.664834] [<ffffffff8106110e>] __do_softirq+0x14e/0x280 [ 64.664834] [<ffffffff8106152e>] irq_exit+0x8e/0xb0 [ 64.664834] [<ffffffff8100fd21>] do_IRQ+0x61/0x100 [ 64.664834] [<ffffffff814a2bf2>] common_interrupt+0x72/0x72 fixes: a03bb56e ("enic: implement rx_copybreak") Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Govindarajulu Varadarajan authored
In case of error in rx path, we free the buf->os_buf but we do not make it NULL. In next iteration we use the skb which is already freed. This causes the following crash. [ 886.154772] general protection fault: 0000 [#1] PREEMPT SMP [ 886.154851] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 microcode evdev cirrus ttm drm_kms_helper drm enic syscopyarea sysfillrect sysimgblt psmouse i2c_piix4 serio_raw pcspkr i2c_core nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod crc_t10dif crct10dif_common ata_generic ata_piix virtio_balloon libata scsi_mod uhci_hcd usbcore virtio_pci virtio_ring virtio usb_common [ 886.155199] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.17.0-netnext-05668-g876bc7f #272 [ 886.155263] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 886.155304] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000 [ 886.155356] RIP: 0010:[<ffffffff81384030>] [<ffffffff81384030>] kfree_skb_list+0x10/0x30 [ 886.155418] RSP: 0018:ffff880210603d48 EFLAGS: 00010206 [ 886.155456] RAX: 0000000000000020 RBX: 0000000000000000 RCX: 0000000000000000 [ 886.155504] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 004500084e000017 [ 886.155553] RBP: ffff880210603d50 R08: 00000000fe13d1b6 R09: 0000000000000001 [ 886.155601] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880209ff2f00 [ 886.155650] R13: ffff88020ac0fe40 R14: ffff880209ff2f00 R15: ffff8800da8e3a80 [ 886.155699] FS: 0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000 [ 886.155774] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 886.155814] CR2: 00007f0e0c925000 CR3: 0000000035e8b000 CR4: 00000000000006f0 [ 886.155865] Stack: [ 886.155882] 0000000000000000 ffff880210603d78 ffffffff81383f79 ffff880209ff2f00 [ 886.155942] ffff88020b0c0b40 000000000000c000 ffff880210603d90 ffffffff81383faf [ 886.156001] ffff880209ff2f00 ffff880210603da8 ffffffff8138406d ffff88020b1b08c0 [ 886.156061] Call Trace: [ 886.156080] <IRQ> [ 886.156095] [ 886.156112] [<ffffffff81383f79>] skb_release_data+0xa9/0xc0 [ 886.157656] [<ffffffff81383faf>] skb_release_all+0x1f/0x30 [ 886.159195] [<ffffffff8138406d>] consume_skb+0x1d/0x40 [ 886.160719] [<ffffffff813942e5>] __dev_kfree_skb_any+0x35/0x40 [ 886.162224] [<ffffffffa02dc1d5>] enic_rq_service.constprop.47+0xe5/0x5a0 [enic] [ 886.163756] [<ffffffffa02dc829>] enic_poll_msix_rq+0x199/0x370 [enic] [ 886.164730] [<ffffffff81397e29>] net_rx_action+0x139/0x210 [ 886.164730] [<ffffffff8105fb2e>] __do_softirq+0x14e/0x280 [ 886.164730] [<ffffffff8105ff2e>] irq_exit+0x8e/0xb0 [ 886.164730] [<ffffffff8100fc1d>] do_IRQ+0x5d/0x100 [ 886.164730] [<ffffffff81496832>] common_interrupt+0x72/0x72 fixes: a03bb56e ("enic: implement rx_copybreak") Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Eli Cohen says: ==================== mlx5_core fixes for 3.18 the following two patches fix races to could lead to kernel panic in some cases. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eli Cohen authored
When events arrive at driver load, the event handler gets called even before the spinlock and list are initialized. Fix this by moving the initialization before EQs creation. Signed-off-by: Eli Cohen <eli@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eli Cohen authored
After the EQ is created, it can possibly generate interrupts and the interrupt handler is referencing eq->dev. It is therefore required to set eq->dev before calling request_irq() so if an event is generated before request_irq() returns, we will have a valid eq->dev field. Signed-off-by: Eli Cohen <eli@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Andrew Lunn authored
When the ports phys are connected to the switches internal MDIO bus, we need to connect the phy to the slave netdev, otherwise auto-negotiation etc, does not work. Signed-off-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ryo Munakata authored
Signed-off-by: Ryo Munakata <ryomnktml@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Mugunthan V N authored
when cpsw is build as modulea and simple insert and removal of module creates a deadlock, due to delete timer. the timer is created and destroyed in cpsw_ale_start and cpsw_ale_stop which are from device open and close. root@am437x-evm:~# modprobe -r ti_cpsw [ 158.505333] INFO: trying to register non-static key. [ 158.510623] the code is fine but needs lockdep annotation. [ 158.516448] turning off the locking correctness validator. [ 158.522282] CPU: 0 PID: 1339 Comm: modprobe Not tainted 3.14.23-00445-gd41c88f #44 [ 158.530359] [<c0015380>] (unwind_backtrace) from [<c0012088>] (show_stack+0x10/0x14) [ 158.538603] [<c0012088>] (show_stack) from [<c054ad70>] (dump_stack+0x78/0x94) [ 158.546295] [<c054ad70>] (dump_stack) from [<c0088008>] (__lock_acquire+0x176c/0x1b74) [ 158.554711] [<c0088008>] (__lock_acquire) from [<c0088944>] (lock_acquire+0x9c/0x104) [ 158.563043] [<c0088944>] (lock_acquire) from [<c004e520>] (del_timer_sync+0x44/0xd8) [ 158.571289] [<c004e520>] (del_timer_sync) from [<bf2eac1c>] (cpsw_ale_destroy+0x10/0x3c [ti_cpsw]) [ 158.580821] [<bf2eac1c>] (cpsw_ale_destroy [ti_cpsw]) from [<bf2eb268>] (cpsw_remove+0x30/0xa0 [ti_cpsw]) [ 158.591000] [<bf2eb268>] (cpsw_remove [ti_cpsw]) from [<c035ef44>] (platform_drv_remove+0x18/0x1c) [ 158.600527] [<c035ef44>] (platform_drv_remove) from [<c035d8bc>] (__device_release_driver+0x70/0xc8) [ 158.610236] [<c035d8bc>] (__device_release_driver) from [<c035e0d4>] (driver_detach+0xb4/0xb8) [ 158.619386] [<c035e0d4>] (driver_detach) from [<c035d6e4>] (bus_remove_driver+0x4c/0x90) [ 158.627988] [<c035d6e4>] (bus_remove_driver) from [<c00af2a8>] (SyS_delete_module+0x10c/0x198) [ 158.637144] [<c00af2a8>] (SyS_delete_module) from [<c000e580>] (ret_fast_syscall+0x0/0x48) [ 179.524727] INFO: rcu_sched detected stalls on CPUs/tasks: {} (detected by 0, t=2102 jiffies, g=1487, c=1486, q=6) [ 179.535741] INFO: Stall ended before state dump start Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Karl Beldan authored
ATM, txq_reclaim will dequeue and free an skb for each tx desc released by the hw that has TX_LAST_DESC set. However, in case of TSO, each hw desc embedding the last part of a segment has TX_LAST_DESC set, losing the one-to-one 'last skb frag'/'TX_LAST_DESC set' correspondance, which causes data corruption. Fix this by checking TX_ENABLE_INTERRUPT instead of TX_LAST_DESC, and warn when trying to dequeue from an empty txq (which can be symptomatic of releasing skbs prematurely). Fixes: 3ae8f4e0 ('net: mv643xx_eth: Implement software TSO') Reported-by: Slawomir Gajzner <slawomir.gajzner@gmail.com> Reported-by: Julien D'Ascenzio <jdascenzio@yahoo.fr> Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com> Cc: Ian Campbell <ijc@hellion.org.uk> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 05 Nov, 2014 13 commits
-
-
Gregory Fong authored
if_bridge.h uses struct in6_addr ip6, but wasn't including the in6.h header. Thomas Backlund originally sent a patch to do this, but this revealed a redefinition issue: https://lkml.org/lkml/2013/1/13/116 The redefinition issue should have been fixed by the following Linux commits: ee262ad8 inet: defines IPPROTO_* needed for module alias generation cfd280c9 net: sync some IP headers with glibc and the following glibc commit: 6c82a2f8d7c8e21e39237225c819f182ae438db3 Coordinate IPv6 definitions for Linux and glibc so actually include the header now. Reported-by: Colin Guthrie <colin@mageia.org> Reported-by: Christiaan Welvaart <cjw@daneel.dyndns.org> Reported-by: Thomas Backlund <tmb@mageia.org> Cc: Florian Fainelli <f.fainelli@gmail.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: Gregory Fong <gregory.0xf0@gmail.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Marcelo Leitner authored
Ueki Kohei reported that when we are using NewReno with connections that have a very low traffic, we may timeout the connection too early if a second loss occurs after the first one was successfully acked but no data was transfered later. Below is his description of it: When SACK is disabled, and a socket suffers multiple separate TCP retransmissions, that socket's ETIMEDOUT value is calculated from the time of the *first* retransmission instead of the *latest* retransmission. This happens because the tcp_sock's retrans_stamp is set once then never cleared. Take the following connection: Linux remote-machine | | send#1---->(*1)|--------> data#1 --------->| | | | RTO : : | | | ---(*2)|----> data#1(retrans) ---->| | (*3)|<---------- ACK <----------| | | | | : : | : : | : : 16 minutes (or more) : | : : | : : | : : | | | send#2---->(*4)|--------> data#2 --------->| | | | RTO : : | | | ---(*5)|----> data#2(retrans) ---->| | | | | | | RTO*2 : : | | | | | | ETIMEDOUT<----(*6)| | (*1) One data packet sent. (*2) Because no ACK packet is received, the packet is retransmitted. (*3) The ACK packet is received. The transmitted packet is acknowledged. At this point the first "retransmission event" has passed and been recovered from. Any future retransmission is a completely new "event". (*4) After 16 minutes (to correspond with retries2=15), a new data packet is sent. Note: No data is transmitted between (*3) and (*4). The socket's timeout SHOULD be calculated from this point in time, but instead it's calculated from the prior "event" 16 minutes ago. (*5) Because no ACK packet is received, the packet is retransmitted. (*6) At the time of the 2nd retransmission, the socket returns ETIMEDOUT. Therefore, now we clear retrans_stamp as soon as all data during the loss window is fully acked. Reported-by: Ueki Kohei Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> Acked-by: Neal Cardwell <ncardwell@google.com> Tested-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Giuseppe Cavallaro says: ==================== stmmac: review and fix lock and atomicity Recently some issues have been reported for the driver for locking mechanism and atomicity. In fact, enabling DEBUG support to prove lock and to verify if sleeping while atomic context some warnings occur at runtime. I have reproduced all on STi platforms. Concerning the tx path, I had provided a patch time ago but I discarded the idea to completely remove locks; in this patch-set we can have some useful fixes instead of. This patch-set is to fix the atomicity in the PM stuff where I tried to collect all the points and advice reported in the past weeks. As final result, on my side no warnings and no problem when suspend/resume the driver on STi boxes. I also added a patch that fixes the locks for the EEE. As pointed in some thread there was a design problem behind the eee initialization and I have tried to fix that before. As final result no issues when proving locks too. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Giuseppe CAVALLARO authored
This patch is to fix the atomicity when suspend and resume the driver. The clk api have been changed (as reported by Hao Liang) and the skb allocation is done out of the hw setup function and taking care about the GFP flags. Reported-by: Hao Liang <hliang1025@gmail.com> Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Cc: Hao Liang <hliang1025@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Giuseppe CAVALLARO authored
This patch aims to fix the concurrency in eee initialization inside the stmmac driver and related warnings when enable DEBUG_ATOMIC_SLEEP. Prior this patch, the stmmac_eee_init could be called in several places as shown below: stmmac_open stmmac_resume PHY Layer | | | stmmac_hw_setup stmmac_adjust_link | | stmmac ethtool |__________________________|______________| | stmmac_eee_init The patch removes the stmmac_eee_init call inside the stmmac_hw_setup that is unnecessary. It is sufficient to call it in the adjust_link to always guarantee that EEE is always configured at mac level too. Fixing the lock protection now it is covered another case (not considered before). The stmmac_eee_init could be called by the ethtool so critical sections must be protected inside this function too. Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Giuseppe CAVALLARO authored
When compile with CONFIG_PROVE_LOCKING the following warnings happen: [snip] HARDIRQ-ON-W at: [<c0480c1c>] _raw_spin_lock+0x3c/0x4c [<c02c2828>] stmmac_set_rx_mode+0x18/0x3c [<c038b2cc>] dev_set_rx_mode+0x1c/0x28 [<c038b38c>] __dev_open+0xb4/0xf8 [<c038b5a8>] __dev_change_flags+0x94/0x128 [<c038b6a8>] dev_change_flags+0x10/0x48 [<c062afe0>] ip_auto_config+0x1d4/0x1084 [<c000873c>] do_one_initcall+0x108/0x15c [<c060ec50>] kernel_init_freeable+0x1a8/0x248 [<c0472cc0>] kernel_init+0x8/0x160 [<c000dfc8>] ret_from_fork+0x14/0x2c INITIAL USE at: [<c0480c1c>] _raw_spin_lock+0x3c/0x4c [<c02c2828>] stmmac_set_rx_mode+0x18/0x3c [<c038b2cc>] dev_set_rx_mode+0x1c/0x28 [<c038b38c>] __dev_open+0xb4/0xf8 [<c038b5a8>] __dev_change_flags+0x94/0x128 [<c038b6a8>] dev_change_flags+0x10/0x48 [<c062afe0>] ip_auto_config+0x1d4/0x1084 [<c000873c>] do_one_initcall+0x108/0x15c [<c060ec50>] kernel_init_freeable+0x1a8/0x248 [<c0472cc0>] kernel_init+0x8/0x160 [<c000dfc8>] ret_from_fork+0x14/0x2c so the patch just removes the lock protection in the stmmac_set_rx_mode Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Cc: Emilio Lopez <emilio@elopez.com.ar> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Fabrice Gasnier authored
Add missing spin_unlock when tx frames gets dropped. Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Fabrice Gasnier authored
stmmac_tx_avail() may lie if used unprotected. It's using cur_tx and dirty_tx index. These index may be already in use by tx_clean when entering xmit routine. So, this should be called locked. This can cause transmit queue to be stuck, with following message: NETDEV WATCHDOG: eth0 (stmmaceth): transmit queue 0 timed out Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chen Gang authored
drivers: net: ethernet: xilinx: xilinx_emaclite: revert the original commit "1db3ddff" Microblaze is a fpga soft core, it can be customized easily, which may cause many various hardware version strings. So the original fix patch based on hard-coded compatible version strings is not a good idea (although it is correct for current issue). For it, there will be a new solving way soon (which based on the device tree). The original issue is related with qemu, so can only change the hardware version string in qemu for it, then keep the original driver no touch ( qemu is for virtualization which has much easier life than real world). Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com> Acked-by: Michal Simek <michal.simek@xilinx.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Rasmus Villemoes authored
File descriptors are always closed on exit :-) Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Loganaden Velvindron authored
It was initially sent by Lorenzo Colitti, but was subsequently lost in the final diff he submitted. Signed-off-by: Loganaden Velvindron <logan@elandsys.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesse Gross authored
The pernet ops aren't ever unregistered, which causes a memory leak and an OOPs if the module is ever reinserted. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou <azhou@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesse Gross authored
Geneve does not currently set the inner protocol type when transmitting packets. This causes GSO segmentation to fail on NICs that do not support Geneve offloading. CC: Andy Zhou <azhou@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 04 Nov, 2014 4 commits
-
-
David S. Miller authored
Iyappan Subramanian says: ==================== drivers: net: xgene: Fix crash for backward compatibility This patch set fixes the following issues that were reported during regression. Patch 1,2 : Adds backward compatibility with the older firmware (<= 1.13.28). Patch 3 : Use separate hardware resources (descriptor ring, prefetch buffer) that are not shared with the firmware ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Iyappan Subramanian authored
This patch fixes the following kernel crash during SGMII based 1GbE probe. BUG: Bad page state in process swapper/0 pfn:40fe6ad page:ffffffbee37a75d8 count:-1 mapcount:0 mapping: (null) index:0x0 flags: 0x0() page dumped because: nonzero _count Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.17.0+ #7 Call trace: [<ffffffc000087fa0>] dump_backtrace+0x0/0x12c [<ffffffc0000880dc>] show_stack+0x10/0x1c [<ffffffc0004d981c>] dump_stack+0x74/0xc4 [<ffffffc00012fe70>] bad_page+0xd8/0x128 [<ffffffc000133000>] get_page_from_freelist+0x4b8/0x640 [<ffffffc000133260>] __alloc_pages_nodemask+0xd8/0x834 [<ffffffc0004194f8>] __netdev_alloc_frag+0x124/0x1b8 [<ffffffc00041bfdc>] __netdev_alloc_skb+0x90/0x10c [<ffffffc00039ff30>] xgene_enet_refill_bufpool+0x11c/0x280 [<ffffffc0003a11a4>] xgene_enet_process_ring+0x168/0x340 [<ffffffc0003a1498>] xgene_enet_napi+0x1c/0x50 [<ffffffc00042b454>] net_rx_action+0xc8/0x18c [<ffffffc0000b0880>] __do_softirq+0x114/0x24c [<ffffffc0000b0c34>] irq_exit+0x94/0xc8 [<ffffffc0000e68a0>] __handle_domain_irq+0x8c/0xf4 [<ffffffc000081288>] gic_handle_irq+0x30/0x7c This was due to hardware resource sharing conflict with the firmware. This patch fixes this crash by using resources (descriptor ring, prefetch buffer) that are not shared. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Signed-off-by: Keyur Chudgar <kchudgar@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Iyappan Subramanian authored
This patch adds support when used with older firmware (<= 1.13.28). - Added xgene_ring_mgr_init() to check whether ring manager is initialized - Calling xgene_ring_mgr_init() from xgene_port_ops.reset() - To handle errors, changed the return type of xgene_port_ops.reset() Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Signed-off-by: Keyur Chudgar <kchudgar@apm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Iyappan Subramanian authored
The following kernel crash was reported when using older firmware (<= 1.13.28). [ 0.980000] libphy: APM X-Gene MDIO bus: probed [ 1.130000] Unhandled fault: synchronous external abort (0x96000010) at 0xffffff800009a17c [ 1.140000] Internal error: : 96000010 [#1] SMP [ 1.140000] Modules linked in: [ 1.140000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.17.0+ #21 [ 1.140000] task: ffffffc3f0110000 ti: ffffffc3f0064000 task.ti: ffffffc3f0064000 [ 1.140000] PC is at ioread32+0x58/0x68 [ 1.140000] LR is at xgene_enet_setup_ring+0x18c/0x1cc [ 1.140000] pc : [<ffffffc0003cec68>] lr : [<ffffffc00053dad8>] pstate: a0000045 [ 1.140000] sp : ffffffc3f0067b20 [ 1.140000] x29: ffffffc3f0067b20 x28: ffffffc000aa8ea0 [ 1.140000] x27: ffffffc000bb2000 x26: ffffffc000a64270 [ 1.140000] x25: ffffffc000b05ad8 x24: ffffffc0ff99ba58 [ 1.140000] x23: 0000000000004000 x22: 0000000000004000 [ 1.140000] x21: 0000000000000200 x20: 0000000000200000 [ 1.140000] x19: ffffffc0ff99ba18 x18: ffffffc0007a6000 [ 1.140000] x17: 0000000000000007 x16: 000000000000000e [ 1.140000] x15: 0000000000000001 x14: 0000000000000000 [ 1.140000] x13: ffffffbeedb71320 x12: 00000000ffffff80 [ 1.140000] x11: 0000000000000002 x10: 0000000000000000 [ 1.140000] x9 : 0000000000000000 x8 : ffffffc3eb2a4000 [ 1.140000] x7 : 0000000000000000 x6 : 0000000000000000 [ 1.140000] x5 : 0000000001080000 x4 : 000000007d654010 [ 1.140000] x3 : ffffffffffffffff x2 : 000000000003ffff [ 1.140000] x1 : ffffff800009a17c x0 : ffffff800009a17c The issue was that the older firmware does not support 10GbE and SGMII based 1GBE interfaces. This patch changes the address length of the reg property of sgmii0 and xgmii nodes and serves as preparatory patch for the fix. Signed-off-by: Iyappan Subramanian <isubramanian@apm.com> Signed-off-by: Keyur Chudgar <kchudgar@apm.com> Reported-by: Dann Frazier <dann.frazier@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-