1. 11 Nov, 2014 4 commits
    • Daniel Borkmann's avatar
      net: sctp: fix memory leak in auth key management · 4184b2a7
      Daniel Borkmann authored
      A very minimal and simple user space application allocating an SCTP
      socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
      the socket again will leak the memory containing the authentication
      key from user space:
      
      unreferenced object 0xffff8800837047c0 (size 16):
        comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
        hex dump (first 16 bytes):
          01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
          [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
          [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
          [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
          [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
          [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
          [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      This is bad because of two things, we can bring down a machine from
      user space when auth_enable=1, but also we would leave security sensitive
      keying material in memory without clearing it after use. The issue is
      that sctp_auth_create_key() already sets the refcount to 1, but after
      allocation sctp_auth_set_key() does an additional refcount on it, and
      thus leaving it around when we free the socket.
      
      Fixes: 65b07e5d ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4184b2a7
    • Daniel Borkmann's avatar
      net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet · e40607cb
      Daniel Borkmann authored
      An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
      in the form of:
      
        ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
      
      While the INIT chunk parameter verification dissects through many things
      in order to detect malformed input, it misses to actually check parameters
      inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
      IP address' parameter in ASCONF, which has as a subparameter an address
      parameter.
      
      So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
      or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
      and thus sctp_get_af_specific() returns NULL, too, which we then happily
      dereference unconditionally through af->from_addr_param().
      
      The trace for the log:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
      IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      PGD 0
      Oops: 0000 [#1] SMP
      [...]
      Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
      RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
       [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
       [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
      [...]
      
      A minimal way to address this is to check for NULL as we do on all
      other such occasions where we know sctp_get_af_specific() could
      possibly return with NULL.
      
      Fixes: d6de3097 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40607cb
    • Takashi Iwai's avatar
      net: ppp: Don't call bpf_prog_create() in ppp_lock · 5748eb8f
      Takashi Iwai authored
      In ppp_ioctl(), bpf_prog_create() is called inside ppp_lock, which
      eventually calls vmalloc() and hits BUG_ON() in vmalloc.c.  This patch
      works around the problem by moving the allocation outside the lock.
      
      The bug was revealed by the recent change in net/core/filter.c, as it
      allocates via vmalloc() instead of kmalloc() now.
      Reported-and-tested-by: default avatarStefan Seyfried <stefan.seyfried@googlemail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5748eb8f
    • Or Gerlitz's avatar
      net/mlx4_en: Advertize encapsulation offloads features only when VXLAN tunnel is set · f4a1edd5
      Or Gerlitz authored
      Currenly we only support Large-Send and TX checksum offloads for
      encapsulated traffic of type VXLAN. We must make sure to advertize
      these offloads up to the stack only when VXLAN tunnel is set.
      
      Failing to do so, would mislead the the networking stack to assume
      that the driver can offload the internal TX checksum for GRE packets
      and other buggy schemes.
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4a1edd5
  2. 10 Nov, 2014 6 commits
  3. 07 Nov, 2014 3 commits
    • Charles Keepax's avatar
      asix: Do full reset during ax88772_bind · 436c2a50
      Charles Keepax authored
      commit 3cc81d85 ("asix: Don't reset PHY on if_up for ASIX 88772")
      causes the ethernet on Arndale to no longer function. This appears to
      be because the Arndale ethernet requires a full reset before it will
      function correctly, however simply reverting the above patch causes
      problems with ethtool settings getting reset.
      
      It seems the problem is that the ethernet is not properly reset during
      bind, and indeed the code in ax88772_bind that resets the device is a
      very small subset of the actual ax88772_reset function. This patch uses
      ax88772_reset in place of the existing reset code in ax88772_bind which
      removes some code duplication and fixes the ethernet on Arndale.
      
      It is still possible that the original patch causes some issues with
      suspend and resume but that seems like a separate issue and I haven't
      had a chance to test that yet.
      Signed-off-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Tested-by: default avatarRiku Voipio <riku.voipio@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      436c2a50
    • Lothar Waßmann's avatar
      net: fec: fix regression on i.MX28 introduced by rx_copybreak support · 1310b544
      Lothar Waßmann authored
      commit 1b7bde6d ("net: fec: implement rx_copybreak to improve rx performance")
      introduced a regression for i.MX28. The swap_buffer() function doing
      the endian conversion of the received data on i.MX28 may access memory
      beyond the actual packet size in the DMA buffer. fec_enet_copybreak()
      does not copy those bytes, so that the last bytes of a packet may be
      filled with invalid data after swapping.
      This will likely lead to checksum errors on received packets.
      E.g. when trying to mount an NFS rootfs:
      UDP: bad checksum. From 192.168.1.225:111 to 192.168.100.73:44662 ulen 36
      
      Do the byte swapping and copying to the new skb in one go if
      necessary.
      Signed-off-by: default avatarLothar Waßmann <LW@KARO-electronics.de>
      Tested-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1310b544
    • David S. Miller's avatar
      Merge tag 'master-2014-11-04' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 1f562310
      David S. Miller authored
      John W. Linville says:
      
      ====================
      pull request: wireless 2014-11-06
      
      Please pull this batch of fixes intended for the 3.18 stream...
      
      For the mac80211 bits, Johannes says:
      
      "This contains another small set of fixes for 3.18, these are all
      over the place and most of the bugs are old, one even dates back
      to the original mac80211 we merged into the kernel."
      
      For the iwlwifi bits, Emmanuel says:
      
      "I fix here two issues that are related to the firmware
      loading flow. A user reported that he couldn't load the
      driver because the rfkill line was pulled up while we
      were running the calibrations. This was happening while
      booting the system: systemd was restoring the "disable
      wifi settings" and that raised an RFKILL interrupt during
      the calibration. Our driver didn't handle that properly
      and this is now fixed."
      
      Please let me know if there are problems!
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f562310
  4. 06 Nov, 2014 10 commits
    • Manish Chopra's avatar
      netxen: Fix link event handling. · 9d01412a
      Manish Chopra authored
      o Poll for the link events only if firmware doesn't have capability
        to notify the driver for the link events.
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d01412a
    • Govindarajulu Varadarajan's avatar
      enic: update desc properly in rx_copybreak · f6b7734b
      Govindarajulu Varadarajan authored
      When we reuse the rx buffer, we need to update the desc. If not hardware sees
      stale value.
      
      In the following crash, when mtu is changed, hardware sees old rx buffer value
      and crashes on skb_put.
      
      Fix this by using enic_queue_rq_desc helper function which updates the necessary
      desc.
      
      [   64.657376] skbuff: skb_over_panic: text:ffffffffa041f55d len:9010 put:9010 head:ffff8800d3ca9fc0 data:ffff8800d3caa000 tail:0x2372 end:0x640 dev:enp0s3
      [   64.659965] ------------[ cut here ]------------
      [   64.661322] kernel BUG at net/core/skbuff.c:100!
      [   64.662644] invalid opcode: 0000 [#1] PREEMPT SMP
      [   64.664001] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 cirrus ttm drm_kms_helper drm enic psmouse microcode evdev serio_raw syscopyarea sysfillrect sysimgblt i2c_piix4 i2c_core pcspkr nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod ata_generic virtio_balloon ata_piix libata uhci_hcd virtio_pci virtio_ring usbcore usb_common virtio scsi_mod
      [   64.664834] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W      3.17.0-netnext-10335-g942396b0-dirty #273
      [   64.664834] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [   64.664834] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000
      [   64.664834] RIP: 0010:[<ffffffff81392cf1>]  [<ffffffff81392cf1>] skb_panic+0x61/0x70
      [   64.664834] RSP: 0018:ffff880210603d48  EFLAGS: 00010292
      [   64.664834] RAX: 000000000000008c RBX: ffff88020b0f6930 RCX: 0000000000000000
      [   64.664834] RDX: 000000000000008c RSI: ffffffff8178b288 RDI: 00000000ffffffff
      [   64.664834] RBP: ffff880210603d68 R08: 0000000000000001 R09: 0000000000000001
      [   64.664834] R10: 00000000000005ce R11: 0000000000000001 R12: ffff88020b1f0b40
      [   64.664834] R13: 000000000000a332 R14: ffff880209a1a000 R15: 0000000000000001
      [   64.664834] FS:  0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000
      [   64.664834] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   64.664834] CR2: 00007f6752935e48 CR3: 0000000035743000 CR4: 00000000000006f0
      [   64.664834] Stack:
      [   64.664834]  ffff8800d3caa000 0000000000002372 0000000000000640 ffff88020b1f0000
      [   64.664834]  ffff880210603d78 ffffffff81392d54 ffff880210603e08 ffffffffa041f55d
      [   64.664834]  0000000000000296 ffffffff00000000 00008e7e00008e7e ffff880200002332
      [   64.664834] Call Trace:
      [   64.664834]  <IRQ>
      [   64.664834]
      [   64.664834]  [<ffffffff81392d54>] skb_put+0x54/0x60
      [   64.664834]  [<ffffffffa041f55d>] enic_rq_service.constprop.47+0x3ad/0x730 [enic]
      [   64.664834]  [<ffffffffa041fa79>] enic_poll_msix_rq+0x199/0x370 [enic]
      [   64.664834]  [<ffffffff813a5499>] net_rx_action+0x139/0x210
      [   64.664834]  [<ffffffff81290db3>] ? __this_cpu_preempt_check+0x13/0x20
      [   64.664834]  [<ffffffff8106110e>] __do_softirq+0x14e/0x280
      [   64.664834]  [<ffffffff8106152e>] irq_exit+0x8e/0xb0
      [   64.664834]  [<ffffffff8100fd21>] do_IRQ+0x61/0x100
      [   64.664834]  [<ffffffff814a2bf2>] common_interrupt+0x72/0x72
      
      fixes: a03bb56e ("enic: implement rx_copybreak")
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6b7734b
    • Govindarajulu Varadarajan's avatar
      enic: handle error condition properly in enic_rq_indicate_buf · 44aa91ab
      Govindarajulu Varadarajan authored
      In case of error in rx path, we free the buf->os_buf but we do not make it NULL.
      In next iteration we use the skb which is already freed. This causes the
      following crash.
      
      [  886.154772] general protection fault: 0000 [#1] PREEMPT SMP
      [  886.154851] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 microcode evdev cirrus ttm drm_kms_helper drm enic syscopyarea sysfillrect sysimgblt psmouse i2c_piix4 serio_raw pcspkr i2c_core nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod crc_t10dif crct10dif_common ata_generic ata_piix virtio_balloon libata scsi_mod uhci_hcd usbcore virtio_pci virtio_ring virtio usb_common
      [  886.155199] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W      3.17.0-netnext-05668-g876bc7f #272
      [  886.155263] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [  886.155304] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000
      [  886.155356] RIP: 0010:[<ffffffff81384030>]  [<ffffffff81384030>] kfree_skb_list+0x10/0x30
      [  886.155418] RSP: 0018:ffff880210603d48  EFLAGS: 00010206
      [  886.155456] RAX: 0000000000000020 RBX: 0000000000000000 RCX: 0000000000000000
      [  886.155504] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 004500084e000017
      [  886.155553] RBP: ffff880210603d50 R08: 00000000fe13d1b6 R09: 0000000000000001
      [  886.155601] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880209ff2f00
      [  886.155650] R13: ffff88020ac0fe40 R14: ffff880209ff2f00 R15: ffff8800da8e3a80
      [  886.155699] FS:  0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000
      [  886.155774] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  886.155814] CR2: 00007f0e0c925000 CR3: 0000000035e8b000 CR4: 00000000000006f0
      [  886.155865] Stack:
      [  886.155882]  0000000000000000 ffff880210603d78 ffffffff81383f79 ffff880209ff2f00
      [  886.155942]  ffff88020b0c0b40 000000000000c000 ffff880210603d90 ffffffff81383faf
      [  886.156001]  ffff880209ff2f00 ffff880210603da8 ffffffff8138406d ffff88020b1b08c0
      [  886.156061] Call Trace:
      [  886.156080]  <IRQ>
      [  886.156095]
      [  886.156112]  [<ffffffff81383f79>] skb_release_data+0xa9/0xc0
      [  886.157656]  [<ffffffff81383faf>] skb_release_all+0x1f/0x30
      [  886.159195]  [<ffffffff8138406d>] consume_skb+0x1d/0x40
      [  886.160719]  [<ffffffff813942e5>] __dev_kfree_skb_any+0x35/0x40
      [  886.162224]  [<ffffffffa02dc1d5>] enic_rq_service.constprop.47+0xe5/0x5a0 [enic]
      [  886.163756]  [<ffffffffa02dc829>] enic_poll_msix_rq+0x199/0x370 [enic]
      [  886.164730]  [<ffffffff81397e29>] net_rx_action+0x139/0x210
      [  886.164730]  [<ffffffff8105fb2e>] __do_softirq+0x14e/0x280
      [  886.164730]  [<ffffffff8105ff2e>] irq_exit+0x8e/0xb0
      [  886.164730]  [<ffffffff8100fc1d>] do_IRQ+0x5d/0x100
      [  886.164730]  [<ffffffff81496832>] common_interrupt+0x72/0x72
      
      fixes: a03bb56e ("enic: implement rx_copybreak")
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44aa91ab
    • David S. Miller's avatar
      Merge branch 'mlx5-net' · c8119067
      David S. Miller authored
      Eli Cohen says:
      
      ====================
      mlx5_core fixes for 3.18
      
      the following two patches fix races to could lead to kernel panic in some cases.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8119067
    • Eli Cohen's avatar
      net/mlx5_core: Fix race on driver load · 364d1798
      Eli Cohen authored
      When events arrive at driver load, the event handler gets called even before
      the spinlock and list are initialized. Fix this by moving the initialization
      before EQs creation.
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      364d1798
    • Eli Cohen's avatar
      net/mlx5_core: Fix race in create EQ · a158906d
      Eli Cohen authored
      After the EQ is created, it can possibly generate interrupts and the interrupt
      handler is referencing eq->dev. It is therefore required to set eq->dev before
      calling request_irq() so if an event is generated before request_irq() returns,
      we will have a valid eq->dev field.
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a158906d
    • Andrew Lunn's avatar
      net: dsa: slave: Fix autoneg for phys on switch MDIO bus · b31f65fb
      Andrew Lunn authored
      When the ports phys are connected to the switches internal MDIO bus,
      we need to connect the phy to the slave netdev, otherwise
      auto-negotiation etc, does not work.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b31f65fb
    • Ryo Munakata's avatar
    • Mugunthan V N's avatar
      drivers: net: cpsw: remove cpsw_ale_stop from cpsw_ale_destroy · 4484d052
      Mugunthan V N authored
      when cpsw is build as modulea and simple insert and removal of module
      creates a deadlock, due to delete timer. the timer is created and destroyed
      in cpsw_ale_start and cpsw_ale_stop which are from device open and close.
      
      root@am437x-evm:~# modprobe -r ti_cpsw
      [  158.505333] INFO: trying to register non-static key.
      [  158.510623] the code is fine but needs lockdep annotation.
      [  158.516448] turning off the locking correctness validator.
      [  158.522282] CPU: 0 PID: 1339 Comm: modprobe Not tainted 3.14.23-00445-gd41c88f #44
      [  158.530359] [<c0015380>] (unwind_backtrace) from [<c0012088>] (show_stack+0x10/0x14)
      [  158.538603] [<c0012088>] (show_stack) from [<c054ad70>] (dump_stack+0x78/0x94)
      [  158.546295] [<c054ad70>] (dump_stack) from [<c0088008>] (__lock_acquire+0x176c/0x1b74)
      [  158.554711] [<c0088008>] (__lock_acquire) from [<c0088944>] (lock_acquire+0x9c/0x104)
      [  158.563043] [<c0088944>] (lock_acquire) from [<c004e520>] (del_timer_sync+0x44/0xd8)
      [  158.571289] [<c004e520>] (del_timer_sync) from [<bf2eac1c>] (cpsw_ale_destroy+0x10/0x3c [ti_cpsw])
      [  158.580821] [<bf2eac1c>] (cpsw_ale_destroy [ti_cpsw]) from [<bf2eb268>] (cpsw_remove+0x30/0xa0 [ti_cpsw])
      [  158.591000] [<bf2eb268>] (cpsw_remove [ti_cpsw]) from [<c035ef44>] (platform_drv_remove+0x18/0x1c)
      [  158.600527] [<c035ef44>] (platform_drv_remove) from [<c035d8bc>] (__device_release_driver+0x70/0xc8)
      [  158.610236] [<c035d8bc>] (__device_release_driver) from [<c035e0d4>] (driver_detach+0xb4/0xb8)
      [  158.619386] [<c035e0d4>] (driver_detach) from [<c035d6e4>] (bus_remove_driver+0x4c/0x90)
      [  158.627988] [<c035d6e4>] (bus_remove_driver) from [<c00af2a8>] (SyS_delete_module+0x10c/0x198)
      [  158.637144] [<c00af2a8>] (SyS_delete_module) from [<c000e580>] (ret_fast_syscall+0x0/0x48)
      [  179.524727] INFO: rcu_sched detected stalls on CPUs/tasks: {} (detected by 0, t=2102 jiffies, g=1487, c=1486, q=6)
      [  179.535741] INFO: Stall ended before state dump start
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4484d052
    • Karl Beldan's avatar
      net: mv643xx_eth: reclaim TX skbs only when released by the HW · 2c2a9cbd
      Karl Beldan authored
      ATM, txq_reclaim will dequeue and free an skb for each tx desc released
      by the hw that has TX_LAST_DESC set. However, in case of TSO, each
      hw desc embedding the last part of a segment has TX_LAST_DESC set,
      losing the one-to-one 'last skb frag'/'TX_LAST_DESC set' correspondance,
      which causes data corruption.
      
      Fix this by checking TX_ENABLE_INTERRUPT instead of TX_LAST_DESC, and
      warn when trying to dequeue from an empty txq (which can be symptomatic
      of releasing skbs prematurely).
      
      Fixes: 3ae8f4e0 ('net: mv643xx_eth: Implement software TSO')
      Reported-by: default avatarSlawomir Gajzner <slawomir.gajzner@gmail.com>
      Reported-by: default avatarJulien D'Ascenzio <jdascenzio@yahoo.fr>
      Signed-off-by: default avatarKarl Beldan <karl.beldan@rivierawaves.com>
      Cc: Ian Campbell <ijc@hellion.org.uk>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c2a9cbd
  5. 05 Nov, 2014 13 commits
  6. 04 Nov, 2014 4 commits
    • David S. Miller's avatar
      Merge branch 'xgene-net' · 15e4123b
      David S. Miller authored
      Iyappan Subramanian says:
      
      ====================
      drivers: net: xgene: Fix crash for backward compatibility
      
      This patch set fixes the following issues that were reported during regression.
      
      Patch 1,2 : Adds backward compatibility with the older firmware (<= 1.13.28).
      Patch 3   : Use separate hardware resources (descriptor ring, prefetch buffer)
      	   that are not shared with the firmware
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      15e4123b
    • Iyappan Subramanian's avatar
      drivers: net: xgene: fix: Use separate resources · bdd330f0
      Iyappan Subramanian authored
      This patch fixes the following kernel crash during SGMII based 1GbE probe.
      
      	BUG: Bad page state in process swapper/0  pfn:40fe6ad
      	page:ffffffbee37a75d8 count:-1 mapcount:0 mapping:          (null) index:0x0
      	flags: 0x0()
      	page dumped because: nonzero _count
      	Modules linked in:
      	CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.17.0+ #7
      	Call trace:
      	[<ffffffc000087fa0>] dump_backtrace+0x0/0x12c
      	[<ffffffc0000880dc>] show_stack+0x10/0x1c
      	[<ffffffc0004d981c>] dump_stack+0x74/0xc4
      	[<ffffffc00012fe70>] bad_page+0xd8/0x128
      	[<ffffffc000133000>] get_page_from_freelist+0x4b8/0x640
      	[<ffffffc000133260>] __alloc_pages_nodemask+0xd8/0x834
      	[<ffffffc0004194f8>] __netdev_alloc_frag+0x124/0x1b8
      	[<ffffffc00041bfdc>] __netdev_alloc_skb+0x90/0x10c
      	[<ffffffc00039ff30>] xgene_enet_refill_bufpool+0x11c/0x280
      	[<ffffffc0003a11a4>] xgene_enet_process_ring+0x168/0x340
      	[<ffffffc0003a1498>] xgene_enet_napi+0x1c/0x50
      	[<ffffffc00042b454>] net_rx_action+0xc8/0x18c
      	[<ffffffc0000b0880>] __do_softirq+0x114/0x24c
      	[<ffffffc0000b0c34>] irq_exit+0x94/0xc8
      	[<ffffffc0000e68a0>] __handle_domain_irq+0x8c/0xf4
      	[<ffffffc000081288>] gic_handle_irq+0x30/0x7c
      
      This was due to hardware resource sharing conflict with the firmware. This
      patch fixes this crash by using resources (descriptor ring, prefetch buffer)
      that are not shared.
      Signed-off-by: default avatarIyappan Subramanian <isubramanian@apm.com>
      Signed-off-by: default avatarKeyur Chudgar <kchudgar@apm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bdd330f0
    • Iyappan Subramanian's avatar
      drivers: net: xgene: Backward compatibility with older firmware · c3f4465d
      Iyappan Subramanian authored
      This patch adds support when used with older firmware (<= 1.13.28).
      
      - Added xgene_ring_mgr_init() to check whether ring manager is initialized
      - Calling xgene_ring_mgr_init() from xgene_port_ops.reset()
      - To handle errors, changed the return type of xgene_port_ops.reset()
      Signed-off-by: default avatarIyappan Subramanian <isubramanian@apm.com>
      Signed-off-by: default avatarKeyur Chudgar <kchudgar@apm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c3f4465d
    • Iyappan Subramanian's avatar
      dtb: xgene: fix: Backward compatibility with older firmware · 09c9e059
      Iyappan Subramanian authored
      The following kernel crash was reported when using older firmware (<= 1.13.28).
      
      [    0.980000] libphy: APM X-Gene MDIO bus: probed
      [    1.130000] Unhandled fault: synchronous external abort (0x96000010) at 0xffffff800009a17c
      [    1.140000] Internal error: : 96000010 [#1] SMP
      [    1.140000] Modules linked in:
      [    1.140000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.17.0+ #21
      [    1.140000] task: ffffffc3f0110000 ti: ffffffc3f0064000 task.ti: ffffffc3f0064000
      [    1.140000] PC is at ioread32+0x58/0x68
      [    1.140000] LR is at xgene_enet_setup_ring+0x18c/0x1cc
      [    1.140000] pc : [<ffffffc0003cec68>] lr : [<ffffffc00053dad8>] pstate: a0000045
      [    1.140000] sp : ffffffc3f0067b20
      [    1.140000] x29: ffffffc3f0067b20 x28: ffffffc000aa8ea0
      [    1.140000] x27: ffffffc000bb2000 x26: ffffffc000a64270
      [    1.140000] x25: ffffffc000b05ad8 x24: ffffffc0ff99ba58
      [    1.140000] x23: 0000000000004000 x22: 0000000000004000
      [    1.140000] x21: 0000000000000200 x20: 0000000000200000
      [    1.140000] x19: ffffffc0ff99ba18 x18: ffffffc0007a6000
      [    1.140000] x17: 0000000000000007 x16: 000000000000000e
      [    1.140000] x15: 0000000000000001 x14: 0000000000000000
      [    1.140000] x13: ffffffbeedb71320 x12: 00000000ffffff80
      [    1.140000] x11: 0000000000000002 x10: 0000000000000000
      [    1.140000] x9 : 0000000000000000 x8 : ffffffc3eb2a4000
      [    1.140000] x7 : 0000000000000000 x6 : 0000000000000000
      [    1.140000] x5 : 0000000001080000 x4 : 000000007d654010
      [    1.140000] x3 : ffffffffffffffff x2 : 000000000003ffff
      [    1.140000] x1 : ffffff800009a17c x0 : ffffff800009a17c
      
      The issue was that the older firmware does not support 10GbE and
      SGMII based 1GBE interfaces.
      
      This patch changes the address length of the reg property of sgmii0 and xgmii
      nodes and serves as preparatory patch for the fix.
      Signed-off-by: default avatarIyappan Subramanian <isubramanian@apm.com>
      Signed-off-by: default avatarKeyur Chudgar <kchudgar@apm.com>
      Reported-by: default avatarDann Frazier <dann.frazier@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      09c9e059