1. 11 Dec, 2013 17 commits
    • Eric Dumazet's avatar
      udp: ipv4: fix an use after free in __udp4_lib_rcv() · 8afdd99a
      Eric Dumazet authored
      Dave Jones reported a use after free in UDP stack :
      
      [ 5059.434216] =========================
      [ 5059.434314] [ BUG: held lock freed! ]
      [ 5059.434420] 3.13.0-rc3+ #9 Not tainted
      [ 5059.434520] -------------------------
      [ 5059.434620] named/863 is freeing memory ffff88005e960000-ffff88005e96061f, with a lock still held there!
      [ 5059.434815]  (slock-AF_INET){+.-...}, at: [<ffffffff8149bd21>] udp_queue_rcv_skb+0xd1/0x4b0
      [ 5059.435012] 3 locks held by named/863:
      [ 5059.435086]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff8143054d>] __netif_receive_skb_core+0x11d/0x940
      [ 5059.435295]  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff81467a5e>] ip_local_deliver_finish+0x3e/0x410
      [ 5059.435500]  #2:  (slock-AF_INET){+.-...}, at: [<ffffffff8149bd21>] udp_queue_rcv_skb+0xd1/0x4b0
      [ 5059.435734]
      stack backtrace:
      [ 5059.435858] CPU: 0 PID: 863 Comm: named Not tainted 3.13.0-rc3+ #9 [loadavg: 0.21 0.06 0.06 1/115 1365]
      [ 5059.436052] Hardware name:                  /D510MO, BIOS MOPNV10J.86A.0175.2010.0308.0620 03/08/2010
      [ 5059.436223]  0000000000000002 ffff88007e203ad8 ffffffff8153a372 ffff8800677130e0
      [ 5059.436390]  ffff88007e203b10 ffffffff8108cafa ffff88005e960000 ffff88007b00cfc0
      [ 5059.436554]  ffffea00017a5800 ffffffff8141c490 0000000000000246 ffff88007e203b48
      [ 5059.436718] Call Trace:
      [ 5059.436769]  <IRQ>  [<ffffffff8153a372>] dump_stack+0x4d/0x66
      [ 5059.436904]  [<ffffffff8108cafa>] debug_check_no_locks_freed+0x15a/0x160
      [ 5059.437037]  [<ffffffff8141c490>] ? __sk_free+0x110/0x230
      [ 5059.437147]  [<ffffffff8112da2a>] kmem_cache_free+0x6a/0x150
      [ 5059.437260]  [<ffffffff8141c490>] __sk_free+0x110/0x230
      [ 5059.437364]  [<ffffffff8141c5c9>] sk_free+0x19/0x20
      [ 5059.437463]  [<ffffffff8141cb25>] sock_edemux+0x25/0x40
      [ 5059.437567]  [<ffffffff8141c181>] sock_queue_rcv_skb+0x81/0x280
      [ 5059.437685]  [<ffffffff8149bd21>] ? udp_queue_rcv_skb+0xd1/0x4b0
      [ 5059.437805]  [<ffffffff81499c82>] __udp_queue_rcv_skb+0x42/0x240
      [ 5059.437925]  [<ffffffff81541d25>] ? _raw_spin_lock+0x65/0x70
      [ 5059.438038]  [<ffffffff8149bebb>] udp_queue_rcv_skb+0x26b/0x4b0
      [ 5059.438155]  [<ffffffff8149c712>] __udp4_lib_rcv+0x152/0xb00
      [ 5059.438269]  [<ffffffff8149d7f5>] udp_rcv+0x15/0x20
      [ 5059.438367]  [<ffffffff81467b2f>] ip_local_deliver_finish+0x10f/0x410
      [ 5059.438492]  [<ffffffff81467a5e>] ? ip_local_deliver_finish+0x3e/0x410
      [ 5059.438621]  [<ffffffff81468653>] ip_local_deliver+0x43/0x80
      [ 5059.438733]  [<ffffffff81467f70>] ip_rcv_finish+0x140/0x5a0
      [ 5059.438843]  [<ffffffff81468926>] ip_rcv+0x296/0x3f0
      [ 5059.438945]  [<ffffffff81430b72>] __netif_receive_skb_core+0x742/0x940
      [ 5059.439074]  [<ffffffff8143054d>] ? __netif_receive_skb_core+0x11d/0x940
      [ 5059.442231]  [<ffffffff8108c81d>] ? trace_hardirqs_on+0xd/0x10
      [ 5059.442231]  [<ffffffff81430d83>] __netif_receive_skb+0x13/0x60
      [ 5059.442231]  [<ffffffff81431c1e>] netif_receive_skb+0x1e/0x1f0
      [ 5059.442231]  [<ffffffff814334e0>] napi_gro_receive+0x70/0xa0
      [ 5059.442231]  [<ffffffffa01de426>] rtl8169_poll+0x166/0x700 [r8169]
      [ 5059.442231]  [<ffffffff81432bc9>] net_rx_action+0x129/0x1e0
      [ 5059.442231]  [<ffffffff810478cd>] __do_softirq+0xed/0x240
      [ 5059.442231]  [<ffffffff81047e25>] irq_exit+0x125/0x140
      [ 5059.442231]  [<ffffffff81004241>] do_IRQ+0x51/0xc0
      [ 5059.442231]  [<ffffffff81542bef>] common_interrupt+0x6f/0x6f
      
      We need to keep a reference on the socket, by using skb_steal_sock()
      at the right place.
      
      Note that another patch is needed to fix a race in
      udp_sk_rx_dst_set(), as we hold no lock protecting the dst.
      
      Fixes: 421b3885 ("udp: ipv4: Add udp early demux")
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8afdd99a
    • David S. Miller's avatar
      Merge branch 'sctp' · 4585a79d
      David S. Miller authored
      Wang Weidong says:
      
      ====================
      sctp: check the rto_min and rto_max
      
      v6 -> v7:
        -patch2: fix the whitespace issues which pointed out by Daniel
      
      v5 -> v6:
        split the v5' first patch to patch1 and patch2, and remove the
        macro in constants.h
      
        -patch1: do rto_min/max socket option handling in its own patch, and
         fix the check of rto_min/max.
        -patch2: do rto_min/max sysctl handling in its own patch.
        -patch3: add Suggested-by Daniel.
      
      v4 -> v5:
        - patch1: add marco in constants.h and fix up spacing as
          suggested by Daniel
        - patch2: add a patch for fix up do_hmac_alg for according
          to do_rto_min[max]
      
      v3 -> v4:
        -patch1: fix use init_net directly which suggested by Vlad.
      
      v2 -> v3:
        -patch1: add proc_handler for check rto_min and rto_max which suggested
         by Vlad
      
      v1 -> v2:
        -patch1: fix the From Name which pointed out by David, and
         add the ACK by Neil
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4585a79d
    • wangweidong's avatar
      sctp: fix up a spacing · b486b228
      wangweidong authored
      fix up spacing of proc_sctp_do_hmac_alg for according to the
      proc_sctp_do_rto_min[max] in sysctl.c
      Suggested-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarWang Weidong <wangweidong1@huawei.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b486b228
    • wangweidong's avatar
      sctp: add check rto_min and rto_max in sysctl · 4f3fdf3b
      wangweidong authored
      rto_min should be smaller than rto_max while rto_max should be larger
      than rto_min. Add two proc_handler for the checking.
      Suggested-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarWang Weidong <wangweidong1@huawei.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f3fdf3b
    • wangweidong's avatar
      sctp: check the rto_min and rto_max in setsockopt · 85f935d4
      wangweidong authored
      When we set 0 to rto_min or rto_max, just not change the value. Also
      we should check the rto_min > rto_max.
      Suggested-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarWang Weidong <wangweidong1@huawei.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      85f935d4
    • Florent Fourcot's avatar
      ipv6: do not erase dst address with flow label destination · ce7a3bdf
      Florent Fourcot authored
      This patch is following b579035f
      	"ipv6: remove old conditions on flow label sharing"
      
      Since there is no reason to restrict a label to a
      destination, we should not erase the destination value of a
      socket with the value contained in the flow label storage.
      
      This patch allows to really have the same flow label to more
      than one destination.
      Signed-off-by: default avatarFlorent Fourcot <florent.fourcot@enst-bretagne.fr>
      Reviewed-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce7a3bdf
    • Neil Horman's avatar
      sctp: properly latch and use autoclose value from sock to association · 9f70f46b
      Neil Horman authored
      Currently, sctp associations latch a sockets autoclose value to an association
      at association init time, subject to capping constraints from the max_autoclose
      sysctl value.  This leads to an odd situation where an application may set a
      socket level autoclose timeout, but sliently sctp will limit the autoclose
      timeout to something less than that.
      
      Fix this by modifying the autoclose setsockopt function to check the limit, cap
      it and warn the user via syslog that the timeout is capped.  This will allow
      getsockopt to return valid autoclose timeout values that reflect what subsequent
      associations actually use.
      
      While were at it, also elimintate the assoc->autoclose variable, it duplicates
      whats in the timeout array, which leads to multiple sources for the same
      information, that may differ (as the former isn't subject to any capping).  This
      gives us the timeout information in a canonical place and saves some space in
      the association structure as well.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      CC: Wang Weidong <wangweidong1@huawei.com>
      CC: David Miller <davem@davemloft.net>
      CC: Vlad Yasevich <vyasevich@gmail.com>
      CC: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9f70f46b
    • David S. Miller's avatar
      Merge branch 'tipc' · 231df15f
      David S. Miller authored
      Jon Maloy says:
      
      ====================
      tipc: corrections related to tasklet job mechanism
      
      These commits correct two bugs related to tipc' service for launching
      functions for asynchronous execution in a separate tasklet.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      231df15f
    • Ying Xue's avatar
      tipc: protect handler_enabled variable with qitem_lock spin lock · 00ede977
      Ying Xue authored
      'handler_enabled' is a global flag indicating whether the TIPC
      signal handling service is enabled or not. The lack of lock
      protection for this flag incurs a risk for contention, so that
      a tipc_k_signal() call might queue a signal handler to a destroyed
      signal queue, with unpredictable results. To correct this, we let
      the already existing 'qitem_lock' protect the flag, as it already
      does with the queue itself. This way, we ensure that the flag
      always is consistent across all cores.
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Reviewed-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      00ede977
    • Jon Paul Maloy's avatar
      tipc: correct the order of stopping services at rmmod · 993b858e
      Jon Paul Maloy authored
      The 'signal handler' service in TIPC is a mechanism that makes it
      possible to postpone execution of functions, by launcing them into
      a job queue for execution in a separate tasklet, independent of
      the launching execution thread.
      
      When we do rmmod on the tipc module, this service is stopped after
      the network service. At the same time, the stopping of the network
      service may itself launch jobs for execution, with the risk that these
      functions may be scheduled for execution after the data structures
      meant to be accessed by the job have already been deleted. We have
      seen this happen, most often resulting in an oops.
      
      This commit ensures that the signal handler is the very first to be
      stopped when TIPC is shut down, so there are no surprises during
      the cleanup of the other services.
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Reviewed-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      993b858e
    • Nat Gurumoorthy's avatar
      tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0 · 388d3335
      Nat Gurumoorthy authored
      The new tg3 driver leaves REG_BASE_ADDR (PCI config offset 120)
      uninitialized. From power on reset this register may have garbage in it. The
      Register Base Address register defines the device local address of a
      register. The data pointed to by this location is read or written using
      the Register Data register (PCI config offset 128). When REG_BASE_ADDR has
      garbage any read or write of Register Data Register (PCI 128) will cause the
      PCI bus to lock up. The TCO watchdog will fire and bring down the system.
      Signed-off-by: default avatarNat Gurumoorthy <natg@google.com>
      Acked-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      388d3335
    • David S. Miller's avatar
      net: Revert macvtap/tun truncation signalling changes. · bbd37626
      David S. Miller authored
      Jason Wang and Michael S. Tsirkin are still discussing how
      to properly fix this.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbd37626
    • Jason Wang's avatar
      macvtap: signal truncated packets · 730054da
      Jason Wang authored
      macvtap_put_user() never return a value grater than iov length, this in fact
      bypasses the truncated checking in macvtap_recvmsg(). Fix this by always
      returning the size of packet plus the possible vlan header to let the truncated
      checking work.
      
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      730054da
    • Jason Wang's avatar
      tun: unbreak truncated packet signalling · 923347bb
      Jason Wang authored
      Commit 6680ec68
      (tuntap: hardware vlan tx support) breaks the truncated packet signal by never
      return a length greater than iov length in tun_put_user(). This patch fixes this
      by always return the length of packet plus possible vlan header. Caller can
      detect the truncated packet by comparing the return value and the size of iov
      length.
      Reported-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Cc: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      923347bb
    • Fan Du's avatar
      vxlan: release rt when found circular route · fffc15a5
      Fan Du authored
      Otherwise causing dst memory leakage.
      Have Checked all other type tunnel device transmit implementation,
      no such things happens anymore.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fffc15a5
    • Sasha Levin's avatar
      net: unix: allow set_peek_off to fail · 12663bfc
      Sasha Levin authored
      unix_dgram_recvmsg() will hold the readlock of the socket until recv
      is complete.
      
      In the same time, we may try to setsockopt(SO_PEEK_OFF) which will hang until
      unix_dgram_recvmsg() will complete (which can take a while) without allowing
      us to break out of it, triggering a hung task spew.
      
      Instead, allow set_peek_off to fail, this way userspace will not hang.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Acked-by: default avatarPavel Emelyanov <xemul@parallels.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      12663bfc
    • David S. Miller's avatar
      Merge branch 'sfc-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/bwh/sfc · 88b07b36
      David S. Miller authored
      Ben Hutchings says:
      
      ====================
      Several fixes for the PTP hardware support added in 3.7:
      1. Fix filtering of PTP packets on the TX path to be robust against bad
      header lengths.
      2. Limit logging on the RX path in case of a PTP packet flood, partly
      from Laurence Evans.
      3. Disable PTP hardware when the interface is down so that we don't
      receive RX timestamp events, from Alexandre Rames.
      4. Maintain clock frequency adjustment when a time offset is applied.
      
      Also fixes for the SFC9100 family support added in 3.12:
      5. Take the RX prefix length into account when applying NET_IP_ALIGN,
      from Andrew Rybchenko.
      6. Work around a bug that breaks communication between the driver and
      firmware, from Robert Stonehouse.
      
      Please also queue these up for the appropriate stable branches.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88b07b36
  2. 10 Dec, 2013 8 commits
  3. 07 Dec, 2013 2 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: fix missing rules flushing per table · cf9dc09d
      Pablo Neira Ayuso authored
      This patch allows you to atomically remove all rules stored in
      a table via the NFT_MSG_DELRULE command. You only need to indicate
      the specific table and no chain to flush all rules stored in that
      table.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cf9dc09d
    • Sergey Popovich's avatar
      netfilter: xt_hashlimit: fix proc entry leak in netns destroy path · b4ef4ce0
      Sergey Popovich authored
      In (32263dd1 netfilter: xt_hashlimit: fix namespace destroy path)
      the hashlimit_net_exit() function is always called right before
      hashlimit_mt_destroy() to release netns data. If you use xt_hashlimit
      with IPv4 and IPv6 together, this produces the following splat via
      netconsole in the netns destroy path:
      
       Pid: 9499, comm: kworker/u:0 Tainted: G        WC O 3.2.0-5-netctl-amd64-core2
       Call Trace:
        [<ffffffff8104708d>] ? warn_slowpath_common+0x78/0x8c
        [<ffffffff81047139>] ? warn_slowpath_fmt+0x45/0x4a
        [<ffffffff81144a99>] ? remove_proc_entry+0xd8/0x22e
        [<ffffffff810ebbaa>] ? kfree+0x5b/0x6c
        [<ffffffffa043c501>] ? hashlimit_net_exit+0x45/0x8d [xt_hashlimit]
        [<ffffffff8128ab30>] ? ops_exit_list+0x1c/0x44
        [<ffffffff8128b28e>] ? cleanup_net+0xf1/0x180
        [<ffffffff810369fc>] ? should_resched+0x5/0x23
        [<ffffffff8105b8f9>] ? process_one_work+0x161/0x269
        [<ffffffff8105aea5>] ? cwq_activate_delayed_work+0x3c/0x48
        [<ffffffff8105c8c2>] ? worker_thread+0xc2/0x145
        [<ffffffff8105c800>] ? manage_workers.isra.25+0x15b/0x15b
        [<ffffffff8105fa01>] ? kthread+0x76/0x7e
        [<ffffffff813581f4>] ? kernel_thread_helper+0x4/0x10
        [<ffffffff8105f98b>] ? kthread_worker_fn+0x139/0x139
        [<ffffffff813581f0>] ? gs_change+0x13/0x13
       ---[ end trace d8c3cc0ad163ef79 ]---
       ------------[ cut here ]------------
       WARNING: at /usr/src/linux-3.2.52/debian/build/source_netctl/fs/proc/generic.c:849
       remove_proc_entry+0x217/0x22e()
       Hardware name:
       remove_proc_entry: removing non-empty directory 'net/ip6t_hashlimit', leaking at least 'IN-REJECT'
      
      This is due to lack of removal net/ip6t_hashlimit/* entries in
      hashlimit_proc_net_exit(), since only IPv4 entries are deleted. Fix
      it by always removing the IPv4 and IPv6 entries and their parent
      directories in the netns destroy path.
      Signed-off-by: default avatarSergey Popovich <popovich_sergei@mail.ru>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b4ef4ce0
  4. 06 Dec, 2013 13 commits
    • Robert Stonehouse's avatar
      sfc: Poll for MCDI completion once before timeout occurs · 6b294b8e
      Robert Stonehouse authored
      There is an as-yet unexplained bug that sometimes prevents (or delays)
      the driver seeing the completion event for a completed MCDI request on
      the SFC9120.  The requested configuration change will have happened
      but the driver assumes it to have failed, and this can result in
      further failures.  We can mitigate this by polling for completion
      after unsuccessfully waiting for an event.
      
      Fixes: 8127d661 ('sfc: Add support for Solarflare SFC9100 family')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      6b294b8e
    • Robert Stonehouse's avatar
    • Andrew Rybchenko's avatar
      sfc: RX buffer allocation takes prefix size into account in IP header alignment · 2ec03014
      Andrew Rybchenko authored
      rx_prefix_size is 4-bytes aligned on Falcon/Siena (16 bytes), but it is equal
      to 14 on EF10. So, it should be taken into account if arch requires IP header
      to be 4-bytes aligned (via NET_IP_ALIGN).
      
      Fixes: 8127d661 ('sfc: Add support for Solarflare SFC9100 family')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      2ec03014
    • Ben Hutchings's avatar
      sfc: Maintain current frequency adjustment when applying a time offset · cd6fe65e
      Ben Hutchings authored
      There is a single MCDI PTP operation for setting the frequency
      adjustment and applying a time offset to the hardware clock.  When
      applying a time offset we should not change the frequency adjustment.
      
      These two operations can now be requested separately but this requires
      a flash firmware update.  Keep using the single operation, but
      remember and repeat the previous frequency adjustment.
      
      Fixes: 7c236c43 ('sfc: Add support for IEEE-1588 PTP')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      cd6fe65e
    • Alexandre Rames's avatar
      sfc: Stop/re-start PTP when stopping/starting the datapath. · 2ea4dc28
      Alexandre Rames authored
      This disables PTP when we bring the interface down to avoid getting
      unmatched RX timestamp events, and tries to re-enable it when bringing
      the interface up.
      
      [bwh: Make efx_ptp_stop() safe on Falcon. Introduce
       efx_ptp_{start,stop}_datapath() functions; we'll expand them later.]
      
      Fixes: 7c236c43 ('sfc: Add support for IEEE-1588 PTP')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      2ea4dc28
    • Ben Hutchings's avatar
      sfc: Rate-limit log message for PTP packets without a matching timestamp event · 35f9a7a3
      Ben Hutchings authored
      In case of a flood of PTP packets, the timestamp peripheral and MC
      firmware on the SFN[56]322F boards may not be able to provide
      timestamp events for all packets.  Don't complain too much about this.
      
      Fixes: 7c236c43 ('sfc: Add support for IEEE-1588 PTP')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      35f9a7a3
    • Laurence Evans's avatar
      sfc: PTP: Moderate log message on event queue overflow · f3211600
      Laurence Evans authored
      Limit syslog flood if a PTP packet storm occurs.
      
      Fixes: 7c236c43 ('sfc: Add support for IEEE-1588 PTP')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      f3211600
    • Michael Dalton's avatar
      virtio-net: free bufs correctly on invalid packet length · 98bfd23c
      Michael Dalton authored
      When a packet with invalid length arrives, ensure that the packet
      is freed correctly if mergeable packet buffers and big packets
      (GUEST_TSO4) are both enabled.
      Signed-off-by: default avatarMichael Dalton <mwdalton@google.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarAndrew Vagin <avagin@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      98bfd23c
    • Ezequiel Garcia's avatar
      net: mvneta: Fix incorrect DMA unmapping size · a328f3a0
      Ezequiel Garcia authored
      The current code unmaps the DMA mapping created for rx skb_buff's by
      using the data_size as the the mapping size. This is wrong since the
      correct size to specify should match the size used to create the mapping.
      
      This commit removes the following DMA_API_DEBUG warning:
      
      ------------[ cut here ]------------
      WARNING: at lib/dma-debug.c:887 check_unmap+0x3a8/0x860()
      mvneta d0070000.ethernet: DMA-API: device driver frees DMA memory with different size [device address=0x000000002eb80000] [map size=1600 bytes] [unmap size=66 bytes]
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.21-01444-ga88ae13-dirty #92
      [<c0013600>] (unwind_backtrace+0x0/0xf8) from [<c0010fb8>] (show_stack+0x10/0x14)
      [<c0010fb8>] (show_stack+0x10/0x14) from [<c001afa0>] (warn_slowpath_common+0x48/0x68)
      [<c001afa0>] (warn_slowpath_common+0x48/0x68) from [<c001b01c>] (warn_slowpath_fmt+0x30/0x40)
      [<c001b01c>] (warn_slowpath_fmt+0x30/0x40) from [<c018d0fc>] (check_unmap+0x3a8/0x860)
      [<c018d0fc>] (check_unmap+0x3a8/0x860) from [<c018d734>] (debug_dma_unmap_page+0x64/0x70)
      [<c018d734>] (debug_dma_unmap_page+0x64/0x70) from [<c0233f78>] (mvneta_rx+0xec/0x468)
      [<c0233f78>] (mvneta_rx+0xec/0x468) from [<c023436c>] (mvneta_poll+0x78/0x16c)
      [<c023436c>] (mvneta_poll+0x78/0x16c) from [<c02db468>] (net_rx_action+0x94/0x160)
      [<c02db468>] (net_rx_action+0x94/0x160) from [<c0021e68>] (__do_softirq+0xe8/0x1d0)
      [<c0021e68>] (__do_softirq+0xe8/0x1d0) from [<c0021ff8>] (do_softirq+0x4c/0x58)
      [<c0021ff8>] (do_softirq+0x4c/0x58) from [<c0022228>] (irq_exit+0x58/0x90)
      [<c0022228>] (irq_exit+0x58/0x90) from [<c000e7c8>] (handle_IRQ+0x3c/0x94)
      [<c000e7c8>] (handle_IRQ+0x3c/0x94) from [<c0008548>] (armada_370_xp_handle_irq+0x4c/0xb4)
      [<c0008548>] (armada_370_xp_handle_irq+0x4c/0xb4) from [<c000dc20>] (__irq_svc+0x40/0x50)
      Exception stack(0xc04f1f70 to 0xc04f1fb8)
      1f60:                                     c1fe46f8 00000000 00001d92 00001d92
      1f80: c04f0000 c04f0000 c04f84a4 c03e081c c05220e7 00000001 c05220e7 c04f0000
      1fa0: 00000000 c04f1fb8 c000eaf8 c004c048 60000113 ffffffff
      [<c000dc20>] (__irq_svc+0x40/0x50) from [<c004c048>] (cpu_startup_entry+0x54/0x128)
      [<c004c048>] (cpu_startup_entry+0x54/0x128) from [<c04c1a14>] (start_kernel+0x29c/0x2f0)
      [<c04c1a14>] (start_kernel+0x29c/0x2f0) from [<00008074>] (0x8074)
      ---[ end trace d4955f6acd178110 ]---
      Mapped at:
       [<c018d600>] debug_dma_map_page+0x4c/0x11c
       [<c0235d6c>] mvneta_setup_rxqs+0x398/0x598
       [<c0236084>] mvneta_open+0x40/0x17c
       [<c02dbbd4>] __dev_open+0x9c/0x100
       [<c02dbe58>] __dev_change_flags+0x7c/0x134
      Signed-off-by: default avatarEzequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a328f3a0
    • Jiri Pirko's avatar
      br: fix use of ->rx_handler_data in code executed on non-rx_handler path · 859828c0
      Jiri Pirko authored
      br_stp_rcv() is reached by non-rx_handler path. That means there is no
      guarantee that dev is bridge port and therefore simple NULL check of
      ->rx_handler_data is not enough. There is need to check if dev is really
      bridge port and since only rcu read lock is held here, do it by checking
      ->rx_handler pointer.
      
      Note that synchronize_net() in netdev_rx_handler_unregister() ensures
      this approach as valid.
      
      Introduced originally by:
      commit f350a0a8
        "bridge: use rx_handler_data pointer to store net_bridge_port pointer"
      
      Fixed but not in the best way by:
      commit b5ed54e9
        "bridge: fix RCU races with bridge port"
      
      Reintroduced by:
      commit 716ec052
        "bridge: fix NULL pointer deref of br_port_get_rcu"
      
      Please apply to stable trees as well. Thanks.
      
      RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770Reported-by: default avatarLaine Stump <laine@redhat.com>
      Debugged-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJiri Pirko <jiri@resnulli.us>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      859828c0
    • Ben Hutchings's avatar
      sfc: Add length checks to efx_xmit_with_hwtstamp() and efx_ptp_is_ptp_tx() · e5a498e9
      Ben Hutchings authored
      efx_ptp_is_ptp_tx() must be robust against skbs from raw sockets that
      have invalid IPv4 and UDP headers.
      
      Add checks that:
      - the transport header has been found
      - there is enough space between network and transport header offset
        for an IPv4 header
      - there is enough space after the transport header offset for a
        UDP header
      
      Fixes: 7c236c43 ('sfc: Add support for IEEE-1588 PTP')
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      e5a498e9
    • Andrey Vagin's avatar
      virtio: delete napi structures from netdev before releasing memory · d4fb84ee
      Andrey Vagin authored
      free_netdev calls netif_napi_del too, but it's too late, because napi
      structures are placed on vi->rq. netif_napi_add() is called from
      virtnet_alloc_queues.
      
      general protection fault: 0000 [#1] SMP
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in: ip6table_filter ip6_tables iptable_filter ip_tables virtio_balloon pcspkr virtio_net(-) i2c_pii
      CPU: 1 PID: 347 Comm: rmmod Not tainted 3.13.0-rc2+ #171
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      task: ffff8800b779c420 ti: ffff8800379e0000 task.ti: ffff8800379e0000
      RIP: 0010:[<ffffffff81322e19>]  [<ffffffff81322e19>] __list_del_entry+0x29/0xd0
      RSP: 0018:ffff8800379e1dd0  EFLAGS: 00010a83
      RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800379c2fd0 RCX: dead000000200200
      RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000001 RDI: ffff8800379c2fd0
      RBP: ffff8800379e1dd0 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800379c2f90
      R13: ffff880037839160 R14: 0000000000000000 R15: 00000000013352f0
      FS:  00007f1400e34740(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 00007f464124c763 CR3: 00000000b68cf000 CR4: 00000000000006e0
      Stack:
       ffff8800379e1df0 ffffffff8155beab 6b6b6b6b6b6b6b2b ffff8800378391c0
       ffff8800379e1e18 ffffffff8156499b ffff880037839be0 ffff880037839d20
       ffff88003779d3f0 ffff8800379e1e38 ffffffffa003477c ffff88003779d388
      Call Trace:
       [<ffffffff8155beab>] netif_napi_del+0x1b/0x80
       [<ffffffff8156499b>] free_netdev+0x8b/0x110
       [<ffffffffa003477c>] virtnet_remove+0x7c/0x90 [virtio_net]
       [<ffffffff813ae323>] virtio_dev_remove+0x23/0x80
       [<ffffffff813f62ef>] __device_release_driver+0x7f/0xf0
       [<ffffffff813f6ca0>] driver_detach+0xc0/0xd0
       [<ffffffff813f5f28>] bus_remove_driver+0x58/0xd0
       [<ffffffff813f72ec>] driver_unregister+0x2c/0x50
       [<ffffffff813ae65e>] unregister_virtio_driver+0xe/0x10
       [<ffffffffa0036942>] virtio_net_driver_exit+0x10/0x6ce [virtio_net]
       [<ffffffff810d7cf2>] SyS_delete_module+0x172/0x220
       [<ffffffff810a732d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff810f5d4c>] ? __audit_syscall_entry+0x9c/0xf0
       [<ffffffff81677f69>] system_call_fastpath+0x16/0x1b
      Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00
      RIP  [<ffffffff81322e19>] __list_del_entry+0x29/0xd0
       RSP <ffff8800379e1dd0>
      ---[ end trace d5931cd3f87c9763 ]---
      
      Fixes: 986a4f4d (virtio_net: multiqueue support)
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d4fb84ee
    • Andrey Vagin's avatar
      virtio-net: determine type of bufs correctly · fa9fac17
      Andrey Vagin authored
      free_unused_bufs must check vi->mergeable_rx_bufs before
      vi->big_packets, because we use this sequence in other places.
      Otherwise we allocate buffer of one type, then free it as another
      type.
      
      general protection fault: 0000 [#1] SMP
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in: ip6table_filter ip6_tables iptable_filter ip_tables pcspkr virtio_balloon virtio_net(-) i2c_pii
      CPU: 0 PID: 400 Comm: rmmod Not tainted 3.13.0-rc2+ #170
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      task: ffff8800b6d2a210 ti: ffff8800aed32000 task.ti: ffff8800aed32000
      RIP: 0010:[<ffffffffa00345f3>]  [<ffffffffa00345f3>] free_unused_bufs+0xc3/0x190 [virtio_net]
      RSP: 0018:ffff8800aed33dd8  EFLAGS: 00010202
      RAX: ffff8800b1fe2c00 RBX: ffff8800b66a7240 RCX: 6b6b6b6b6b6b6b6b
      RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800b8419a68 RDI: ffff8800b66a1148
      RBP: ffff8800aed33e00 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
      R13: ffff8800b66a1148 R14: 0000000000000000 R15: 000077ff80000000
      FS:  00007fc4f9c4e740(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 00007f63f432f000 CR3: 00000000b6538000 CR4: 00000000000006f0
      Stack:
       ffff8800b66a7240 ffff8800b66a7380 ffff8800377bd3f0 0000000000000000
       00000000023302f0 ffff8800aed33e18 ffffffffa00346e2 ffff8800b66a7240
       ffff8800aed33e38 ffffffffa003474d ffff8800377bd388 ffff8800377bd390
      Call Trace:
       [<ffffffffa00346e2>] remove_vq_common+0x22/0x40 [virtio_net]
       [<ffffffffa003474d>] virtnet_remove+0x4d/0x90 [virtio_net]
       [<ffffffff813ae303>] virtio_dev_remove+0x23/0x80
       [<ffffffff813f62cf>] __device_release_driver+0x7f/0xf0
       [<ffffffff813f6c80>] driver_detach+0xc0/0xd0
       [<ffffffff813f5f08>] bus_remove_driver+0x58/0xd0
       [<ffffffff813f72cc>] driver_unregister+0x2c/0x50
       [<ffffffff813ae63e>] unregister_virtio_driver+0xe/0x10
       [<ffffffffa0036852>] virtio_net_driver_exit+0x10/0x7be [virtio_net]
       [<ffffffff810d7cf2>] SyS_delete_module+0x172/0x220
       [<ffffffff810a732d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff810f5d4c>] ? __audit_syscall_entry+0x9c/0xf0
       [<ffffffff81677f69>] system_call_fastpath+0x16/0x1b
      Code: c0 74 55 0f 1f 44 00 00 80 7b 30 00 74 7a 48 8b 50 30 4c 89 e6 48 03 73 20 48 85 d2 0f 84 bb 00 00 00 66 0f
      RIP  [<ffffffffa00345f3>] free_unused_bufs+0xc3/0x190 [virtio_net]
       RSP <ffff8800aed33dd8>
      ---[ end trace edb570ea923cce9c ]---
      
      Fixes: 2613af0e (virtio_net: migrate mergeable rx buffers to page frag allocators)
      Cc: Michael Dalton <mwdalton@google.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fa9fac17