1. 07 Dec, 2013 2 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: fix missing rules flushing per table · cf9dc09d
      Pablo Neira Ayuso authored
      This patch allows you to atomically remove all rules stored in
      a table via the NFT_MSG_DELRULE command. You only need to indicate
      the specific table and no chain to flush all rules stored in that
      table.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cf9dc09d
    • Sergey Popovich's avatar
      netfilter: xt_hashlimit: fix proc entry leak in netns destroy path · b4ef4ce0
      Sergey Popovich authored
      In (32263dd1 netfilter: xt_hashlimit: fix namespace destroy path)
      the hashlimit_net_exit() function is always called right before
      hashlimit_mt_destroy() to release netns data. If you use xt_hashlimit
      with IPv4 and IPv6 together, this produces the following splat via
      netconsole in the netns destroy path:
      
       Pid: 9499, comm: kworker/u:0 Tainted: G        WC O 3.2.0-5-netctl-amd64-core2
       Call Trace:
        [<ffffffff8104708d>] ? warn_slowpath_common+0x78/0x8c
        [<ffffffff81047139>] ? warn_slowpath_fmt+0x45/0x4a
        [<ffffffff81144a99>] ? remove_proc_entry+0xd8/0x22e
        [<ffffffff810ebbaa>] ? kfree+0x5b/0x6c
        [<ffffffffa043c501>] ? hashlimit_net_exit+0x45/0x8d [xt_hashlimit]
        [<ffffffff8128ab30>] ? ops_exit_list+0x1c/0x44
        [<ffffffff8128b28e>] ? cleanup_net+0xf1/0x180
        [<ffffffff810369fc>] ? should_resched+0x5/0x23
        [<ffffffff8105b8f9>] ? process_one_work+0x161/0x269
        [<ffffffff8105aea5>] ? cwq_activate_delayed_work+0x3c/0x48
        [<ffffffff8105c8c2>] ? worker_thread+0xc2/0x145
        [<ffffffff8105c800>] ? manage_workers.isra.25+0x15b/0x15b
        [<ffffffff8105fa01>] ? kthread+0x76/0x7e
        [<ffffffff813581f4>] ? kernel_thread_helper+0x4/0x10
        [<ffffffff8105f98b>] ? kthread_worker_fn+0x139/0x139
        [<ffffffff813581f0>] ? gs_change+0x13/0x13
       ---[ end trace d8c3cc0ad163ef79 ]---
       ------------[ cut here ]------------
       WARNING: at /usr/src/linux-3.2.52/debian/build/source_netctl/fs/proc/generic.c:849
       remove_proc_entry+0x217/0x22e()
       Hardware name:
       remove_proc_entry: removing non-empty directory 'net/ip6t_hashlimit', leaking at least 'IN-REJECT'
      
      This is due to lack of removal net/ip6t_hashlimit/* entries in
      hashlimit_proc_net_exit(), since only IPv4 entries are deleted. Fix
      it by always removing the IPv4 and IPv6 entries and their parent
      directories in the netns destroy path.
      Signed-off-by: default avatarSergey Popovich <popovich_sergei@mail.ru>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b4ef4ce0
  2. 25 Nov, 2013 1 commit
  3. 23 Nov, 2013 11 commits
  4. 21 Nov, 2013 15 commits
  5. 20 Nov, 2013 9 commits
    • Ding Tianhong's avatar
      bridge: flush br's address entry in fdb when remove the · f8730420
      Ding Tianhong authored
       bridge dev
      
      When the following commands are executed:
      
      brctl addbr br0
      ifconfig br0 hw ether <addr>
      rmmod bridge
      
      The calltrace will occur:
      
      [  563.312114] device eth1 left promiscuous mode
      [  563.312188] br0: port 1(eth1) entered disabled state
      [  563.468190] kmem_cache_destroy bridge_fdb_cache: Slab cache still has objects
      [  563.468197] CPU: 6 PID: 6982 Comm: rmmod Tainted: G           O 3.12.0-0.7-default+ #9
      [  563.468199] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [  563.468200]  0000000000000880 ffff88010f111e98 ffffffff814d1c92 ffff88010f111eb8
      [  563.468204]  ffffffff81148efd ffff88010f111eb8 0000000000000000 ffff88010f111ec8
      [  563.468206]  ffffffffa062a270 ffff88010f111ed8 ffffffffa063ac76 ffff88010f111f78
      [  563.468209] Call Trace:
      [  563.468218]  [<ffffffff814d1c92>] dump_stack+0x6a/0x78
      [  563.468234]  [<ffffffff81148efd>] kmem_cache_destroy+0xfd/0x100
      [  563.468242]  [<ffffffffa062a270>] br_fdb_fini+0x10/0x20 [bridge]
      [  563.468247]  [<ffffffffa063ac76>] br_deinit+0x4e/0x50 [bridge]
      [  563.468254]  [<ffffffff810c7dc9>] SyS_delete_module+0x199/0x2b0
      [  563.468259]  [<ffffffff814e0922>] system_call_fastpath+0x16/0x1b
      [  570.377958] Bridge firewalling registered
      
      --------------------------- cut here -------------------------------
      
      The reason is that when the bridge dev's address is changed, the
      br_fdb_change_mac_address() will add new address in fdb, but when
      the bridge was removed, the address entry in the fdb did not free,
      the bridge_fdb_cache still has objects when destroy the cache, Fix
      this by flushing the bridge address entry when removing the bridge.
      
      v2: according to the Toshiaki Makita and Vlad's suggestion, I only
          delete the vlan0 entry, it still have a leak here if the vlan id
          is other number, so I need to call fdb_delete_by_port(br, NULL, 1)
          to flush all entries whose dst is NULL for the bridge.
      Suggested-by: default avatarToshiaki Makita <toshiaki.makita1@gmail.com>
      Suggested-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8730420
    • Vlad Yasevich's avatar
      net: core: Always propagate flag changes to interfaces · d2615bf4
      Vlad Yasevich authored
      The following commit:
          b6c40d68
          net: only invoke dev->change_rx_flags when device is UP
      
      tried to fix a problem with VLAN devices and promiscuouse flag setting.
      The issue was that VLAN device was setting a flag on an interface that
      was down, thus resulting in bad promiscuity count.
      This commit blocked flag propagation to any device that is currently
      down.
      
      A later commit:
          deede2fa
          vlan: Don't propagate flag changes on down interfaces
      
      fixed VLAN code to only propagate flags when the VLAN interface is up,
      thus fixing the same issue as above, only localized to VLAN.
      
      The problem we have now is that if we have create a complex stack
      involving multiple software devices like bridges, bonds, and vlans,
      then it is possible that the flags would not propagate properly to
      the physical devices.  A simple examle of the scenario is the
      following:
      
        eth0----> bond0 ----> bridge0 ---> vlan50
      
      If bond0 or eth0 happen to be down at the time bond0 is added to
      the bridge, then eth0 will never have promisc mode set which is
      currently required for operation as part of the bridge.  As a
      result, packets with vlan50 will be dropped by the interface.
      
      The only 2 devices that implement the special flag handling are
      VLAN and DSA and they both have required code to prevent incorrect
      flag propagation.  As a result we can remove the generic solution
      introduced in b6c40d68 and leave
      it to the individual devices to decide whether they will block
      flag propagation or not.
      Reported-by: default avatarStefan Priebe <s.priebe@profihost.ag>
      Suggested-by: default avatarVeaceslav Falico <vfalico@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d2615bf4
    • Alexei Starovoitov's avatar
      ipv4: fix race in concurrent ip_route_input_slow() · dcdfdf56
      Alexei Starovoitov authored
      CPUs can ask for local route via ip_route_input_noref() concurrently.
      if nh_rth_input is not cached yet, CPUs will proceed to allocate
      equivalent DSTs on 'lo' and then will try to cache them in nh_rth_input
      via rt_cache_route()
      Most of the time they succeed, but on occasion the following two lines:
      	orig = *p;
      	prev = cmpxchg(p, orig, rt);
      in rt_cache_route() do race and one of the cpus fails to complete cmpxchg.
      But ip_route_input_slow() doesn't check the return code of rt_cache_route(),
      so dst is leaking. dst_destroy() is never called and 'lo' device
      refcnt doesn't go to zero, which can be seen in the logs as:
      	unregister_netdevice: waiting for lo to become free. Usage count = 1
      Adding mdelay() between above two lines makes it easily reproducible.
      Fix it similar to nh_pcpu_rth_output case.
      
      Fixes: d2d68ba9 ("ipv4: Cache input routes in fib_info nexthops.")
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dcdfdf56
    • David S. Miller's avatar
      Merge branch 'r8152' · 4f837c3b
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152 bug fixes
      
      For the patch #3, I add netif_tx_lock() before checking the
      netif_queue_stopped(). Besides, I add checking the skb queue
      length before waking the tx queue.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f837c3b
    • hayeswang's avatar
      r8152: fix incorrect type in assignment · 500b6d7e
      hayeswang authored
      The data from the hardware should be little endian. Correct the
      declaration.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      500b6d7e
    • hayeswang's avatar
      r8152: support stopping/waking tx queue · dd1b119c
      hayeswang authored
      The maximum packet number which a tx aggregation buffer could contain
      is the tx_qlen.
      
      	tx_qlen = buffer size / (packet size + descriptor size).
      
      If the tx buffer is empty and the queued packets are more than the
      maximum value which is defined above, stop the tx queue. Wake the
      tx queue if tx queue is stopped and the queued packets are less than
      tx_qlen.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dd1b119c
    • hayeswang's avatar
      r8152: modify the tx flow · 61598788
      hayeswang authored
      Remove the code for sending the packet in the rtl8152_start_xmit().
      Let rtl8152_start_xmit() to queue the packet only, and schedule a
      tasklet to send the queued packets. This simplify the code and make
      sure all the packet would be sent by the original order.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      61598788
    • hayeswang's avatar
      r8152: fix tx/rx memory overflow · 7937f9e5
      hayeswang authored
      The tx/rx would access the memory which is out of the desired range.
      Modify the method of checking the end of the memory to avoid it.
      
      For r8152_tx_agg_fill(), the variable remain may become negative.
      However, the declaration is unsigned, so the while loop wouldn't
      break when reaching the end of the desied memory. Although to change
      the declaration from unsigned to signed is enough to fix it, I also
      modify the checking method for safe. Replace
      
      		remain = rx_buf_sz - sizeof(*tx_desc) -
      			 (u32)((void *)tx_data - agg->head);
      
      with
      
      		remain = rx_buf_sz - (int)(tx_agg_align(tx_data) - agg->head);
      
      to make sure the variable remain is always positive. Then, the
      overflow wouldn't happen.
      
      For rx_bottom(), the rx_desc should not be used to calculate the
      packet length before making sure the rx_desc is in the desired range.
      Change the checking to two parts. First, check the descriptor is in
      the memory. The other, using the descriptor to find out the packet
      length and check if the packet is in the memory.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7937f9e5
    • Mahesh Rajashekhara's avatar
      aacraid: prevent invalid pointer dereference · b4789b8e
      Mahesh Rajashekhara authored
      It appears that driver runs into a problem here if fibsize is too small
      because we allocate user_srbcmd with fibsize size only but later we
      access it until user_srbcmd->sg.count to copy it over to srbcmd.
      
      It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
      structure already includes one sg element and this is not needed for
      commands without data.  So, we would recommend to add the following
      (instead of test for fibsize == 0).
      Signed-off-by: default avatarMahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
      Reported-by: default avatarNico Golde <nico@ngolde.de>
      Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b4789b8e
  6. 19 Nov, 2013 2 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1ee2dcc2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Mostly these are fixes for fallout due to merge window changes, as
        well as cures for problems that have been with us for a much longer
        period of time"
      
       1) Johannes Berg noticed two major deficiencies in our genetlink
          registration.  Some genetlink protocols we passing in constant
          counts for their ops array rather than something like
          ARRAY_SIZE(ops) or similar.  Also, some genetlink protocols were
          using fixed IDs for their multicast groups.
      
          We have to retain these fixed IDs to keep existing userland tools
          working, but reserve them so that other multicast groups used by
          other protocols can not possibly conflict.
      
          In dealing with these two problems, we actually now use less state
          management for genetlink operations and multicast groups.
      
       2) When configuring interface hardware timestamping, fix several
          drivers that simply do not validate that the hwtstamp_config value
          is one the driver actually supports.  From Ben Hutchings.
      
       3) Invalid memory references in mwifiex driver, from Amitkumar Karwar.
      
       4) In dev_forward_skb(), set the skb->protocol in the right order
          relative to skb_scrub_packet().  From Alexei Starovoitov.
      
       5) Bridge erroneously fails to use the proper wrapper functions to make
          calls to netdev_ops->ndo_vlan_rx_{add,kill}_vid.  Fix from Toshiaki
          Makita.
      
       6) When detaching a bridge port, make sure to flush all VLAN IDs to
          prevent them from leaking, also from Toshiaki Makita.
      
       7) Put in a compromise for TCP Small Queues so that deep queued devices
          that delay TX reclaim non-trivially don't have such a performance
          decrease.  One particularly problematic area is 802.11 AMPDU in
          wireless.  From Eric Dumazet.
      
       8) Fix crashes in tcp_fastopen_cache_get(), we can see NULL socket dsts
          here.  Fix from Eric Dumzaet, reported by Dave Jones.
      
       9) Fix use after free in ipv6 SIT driver, from Willem de Bruijn.
      
      10) When computing mergeable buffer sizes, virtio-net fails to take the
          virtio-net header into account.  From Michael Dalton.
      
      11) Fix seqlock deadlock in ip4_datagram_connect() wrt.  statistic
          bumping, this one has been with us for a while.  From Eric Dumazet.
      
      12) Fix NULL deref in the new TIPC fragmentation handling, from Erik
          Hugne.
      
      13) 6lowpan bit used for traffic classification was wrong, from Jukka
          Rissanen.
      
      14) macvlan has the same issue as normal vlans did wrt.  propagating LRO
          disabling down to the real device, fix it the same way.  From Michal
          Kubecek.
      
      15) CPSW driver needs to soft reset all slaves during suspend, from
          Daniel Mack.
      
      16) Fix small frame pacing in FQ packet scheduler, from Eric Dumazet.
      
      17) The xen-netfront RX buffer refill timer isn't properly scheduled on
          partial RX allocation success, from Ma JieYue.
      
      18) When ipv6 ping protocol support was added, the AF_INET6 protocol
          initialization cleanup path on failure was borked a little.  Fix
          from Vlad Yasevich.
      
      19) If a socket disconnects during a read/recvmsg/recvfrom/etc that
          blocks we can do the wrong thing with the msg_name we write back to
          userspace.  From Hannes Frederic Sowa.  There is another fix in the
          works from Hannes which will prevent future problems of this nature.
      
      20) Fix route leak in VTI tunnel transmit, from Fan Du.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (106 commits)
        genetlink: make multicast groups const, prevent abuse
        genetlink: pass family to functions using groups
        genetlink: add and use genl_set_err()
        genetlink: remove family pointer from genl_multicast_group
        genetlink: remove genl_unregister_mc_group()
        hsr: don't call genl_unregister_mc_group()
        quota/genetlink: use proper genetlink multicast APIs
        drop_monitor/genetlink: use proper genetlink multicast APIs
        genetlink: only pass array to genl_register_family_with_ops()
        tcp: don't update snd_nxt, when a socket is switched from repair mode
        atm: idt77252: fix dev refcnt leak
        xfrm: Release dst if this dst is improper for vti tunnel
        netlink: fix documentation typo in netlink_set_err()
        be2net: Delete secondary unicast MAC addresses during be_close
        be2net: Fix unconditional enabling of Rx interface options
        net, virtio_net: replace the magic value
        ping: prevent NULL pointer dereference on write to msg_name
        bnx2x: Prevent "timeout waiting for state X"
        bnx2x: prevent CFC attention
        bnx2x: Prevent panic during DMAE timeout
        ...
      1ee2dcc2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 4457e6f6
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Two merge window fallout build fixes"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: merge fix
        sparc64: fix build regession
      4457e6f6