1. 04 Mar, 2013 1 commit
    • Cong Wang's avatar
      rds: limit the size allocated by rds_message_alloc() · ece6b0a2
      Cong Wang authored
      Dave Jones reported the following bug:
      
      "When fed mangled socket data, rds will trust what userspace gives it,
      and tries to allocate enormous amounts of memory larger than what
      kmalloc can satisfy."
      
      WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
      Hardware name: GA-MA78GM-S2H
      Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
      Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
      Call Trace:
       [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
       [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
       [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
       [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
       [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
       [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
       [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
       [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
       [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
       [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
       [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
       [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
       [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
       [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
       [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
       [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
       [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
       [<ffffffff81567f30>] sys_sendto+0x130/0x180
       [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
       [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
       [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
       [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
      ---[ end trace eed6ae990d018c8b ]---
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Acked-by: default avatarVenkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ece6b0a2
  2. 03 Mar, 2013 5 commits
  3. 01 Mar, 2013 5 commits
    • Dan Carpenter's avatar
      sctp: use the passed in gfp flags instead GFP_KERNEL · 81ce0dbc
      Dan Carpenter authored
      This patch doesn't change how the code works because in the current
      kernel gfp is always GFP_KERNEL.  But gfp was obviously intended
      instead of GFP_KERNEL.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81ce0dbc
    • Neil Horman's avatar
      ipv[4|6]: correct dropwatch false positive in local_deliver_finish · d8c6f4b9
      Neil Horman authored
      I had a report recently of a user trying to use dropwatch to localise some frame
      loss, and they were getting false positives.  Turned out they were using a user
      space SCTP stack that used raw sockets to grab frames.  When we don't have a
      registered protocol for a given packet, we record it as a drop, even if a raw
      socket receieves the frame.  We should only record the drop in the event a raw
      socket doesnt exist to receive the frames
      
      Tested by the reported successfully
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarWilliam Reich <reich@ulticom.com>
      Tested-by: default avatarWilliam Reich <reich@ulticom.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: William Reich <reich@ulticom.com>
      CC: eric.dumazet@gmail.com
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8c6f4b9
    • David S. Miller's avatar
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 9e0aab86
      David S. Miller authored
      John W. Linville says:
      
      ====================
      This is another flurry of fixes intended for the 3.9 stream...
      
      A mac80211 pull from Johannes:
      
      "Seth fixes a stupid bug I introduced into one of his earlier patches,
      Chun-Yeow fixes mesh forwarding and Felix fixes monitor mode. I myself
      fixed a small locking issue and, the biggest change here, removed some
      nl80211 information with which sometimes the per wiphy information was
      getting too large for the typical 4k-minus-overhead. In my -next tree I
      have a patch to allow splitting that and add back the information
      removed now."
      
      An iwlwifi pull from Johannes:
      
      "I have a fix for a pretty important bug regarding DMA mapping, that
      could cause the DMA engine to overwrite data we wanted to send to it, so
      that the next time we send it it would be bad. This particularly affects
      calibration results. Other than that, three little fixes for the MVM
      driver."
      
      But wait, there's more!
      
      Avinash Patil fixes an incorrectly timed delay in mwifiex.
      
      Bing Zhao prevents a crash in SD8688 caused by failing to properly
      set a flag before issuing a command.
      
      Felix Fietkau is the big here this time, providing a trio of minor
      ath9k fixes and correcting the advertised interface combinations for
      rt2x00 when mesh support is disabled.
      
      Finally, Hauke Mehrtens gives us a patch that correctlin initializes
      a spin lock in the bcma code.
      
      Please let me know if there are problems!
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e0aab86
    • Guillaume Nault's avatar
      l2tp: Restore socket refcount when sendmsg succeeds · 8b82547e
      Guillaume Nault authored
      The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
      reference counter after successful transmissions. Any successful
      sendmsg() call from userspace will then increase the reference counter
      forever, thus preventing the kernel's session and tunnel data from
      being freed later on.
      
      The problem only happens when writing directly on L2TP sockets.
      PPP sockets attached to L2TP are unaffected as the PPP subsystem
      uses pppol2tp_xmit() which symmetrically increase/decrease reference
      counters.
      
      This patch adds the missing call to sock_put() before returning from
      pppol2tp_sendmsg().
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b82547e
    • John W. Linville's avatar
      Merge branch 'master' of... · 98b7ff9a
      John W. Linville authored
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
      98b7ff9a
  4. 28 Feb, 2013 13 commits
    • Vlastimil Kosar's avatar
      net/phy: micrel: Disable asymmetric pause for KSZ9021 · 32fcafbc
      Vlastimil Kosar authored
      Phyter KSZ9021 has hardware bug. If asymmetric pause is enabled,
      then it is necessary to disconnect and then reconnect the ethernet
      cable to get the phyter working. The solution is to disable the
      asymmetric pause.
      Signed-off-by: default avatarVlastimil Kosar <ikosar@fit.vutbr.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32fcafbc
    • Hauke Mehrtens's avatar
      bgmac: omit the fcs · 02e71127
      Hauke Mehrtens authored
      Do not include the frame check sequence when adding the skb to
      netif_receive_skb(). This causes problems when this interface was
      bridged to a wifi ap and a big package should be forwarded from this
      Ethernet driver through a bride to the wifi client.
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02e71127
    • Petr Malat's avatar
      phy: Fix phy_device_free memory leak · b2a43191
      Petr Malat authored
      Fix memory leak in phy_device_free() for the case when phy_device*
      returned by phy_device_create() is not registered in the system.
      
      Bug description:
      phy_device_create() sets name of kobject using dev_set_name(), which
      allocates memory using kvasprintf(), but this memory isn't freed if
      the underlying device isn't registered properly, because kobject_cleanup()
      is not called in that case. This can happen (and actually is happening on
      our machines) if phy_device_register(), called by mdiobus_scan(), fails.
      
      Patch description:
      Embedded struct device is initialized in phy_device_create() and it
      counterpart phy_device_free() just drops one reference to the device,
      which leads to proper deinitialization including releasing the kobject
      name memory.
      Signed-off-by: default avatarPetr Malat <oss@malat.biz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2a43191
    • Yaniv Rosner's avatar
      bnx2x: Fix KR2 work-around condition · d521de04
      Yaniv Rosner authored
      Fix condition typo for running KR2 work-around though it doesn't have
      real effect since the typo bits matched by chance.
      Signed-off-by: default avatarYaniv Rosner <yanivr@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d521de04
    • Yaniv Rosner's avatar
      bnx2x: Fix KR2 link · be94bea7
      Yaniv Rosner authored
      Fix KR2 link down problem after reboot when link speed is reconfigured via ethtool.
      Since 1G/10G support link speed were missing by default, 1G/10G link speed were
      not advertised.
      Signed-off-by: default avatarYaniv Rosner <yanivr@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be94bea7
    • Yaniv Rosner's avatar
      bnx2x: Fix port identification for the 84834 · 8ce76845
      Yaniv Rosner authored
      Fix the "ethtool -p" for boards with BCM84834, by using LED4 of the PHY
      to toggle the link LED while keeping interrupt disabled to avoid NIG attentions,
      and at the end restore NIG to previous state.
      Signed-off-by: default avatarYaniv Rosner <yanivr@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ce76845
    • françois romieu's avatar
      r8169: honor jumbo settings when chipset is requested to start. · faf1e785
      françois romieu authored
      Some hardware start settings implicitely assume an usual 1500 bytes mtu
      that can't be guaranteed because changes of mtu may be requested both
      before and after the hardware is started.
      Reported-by: default avatarTomi Orava <tomimo@ncircle.nullnet.fi>
      Signed-off-by: default avatarFrancois Romieu <romieu@fr.zoreil.com>
      Cc: Hayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      faf1e785
    • Eric Dumazet's avatar
      tcp: avoid wakeups for pure ACK · 79ffef1f
      Eric Dumazet authored
      TCP prequeue mechanism purpose is to let incoming packets
      being processed by the thread currently blocked in tcp_recvmsg(),
      instead of behalf of the softirq handler, to better adapt flow
      control on receiver host capacity to schedule the consumer.
      
      But in typical request/answer workloads, we send request, then
      block to receive the answer. And before the actual answer, TCP
      stack receives the ACK packets acknowledging the request.
      
      Processing pure ACK on behalf of the thread blocked in tcp_recvmsg()
      is a waste of resources, as thread has to immediately sleep again
      because it got no payload.
      
      This patch avoids the extra context switches and scheduler overhead.
      
      Before patch :
      
      a:~# echo 0 >/proc/sys/net/ipv4/tcp_low_latency
      a:~# perf stat ./super_netperf 300 -t TCP_RR -l 10 -H 7.7.7.84 -- -r 8k,8k
      231676
      
       Performance counter stats for './super_netperf 300 -t TCP_RR -l 10 -H 7.7.7.84 -- -r 8k,8k':
      
           116251.501765 task-clock                #   11.369 CPUs utilized
               5,025,463 context-switches          #    0.043 M/sec
               1,074,511 CPU-migrations            #    0.009 M/sec
                 216,923 page-faults               #    0.002 M/sec
         311,636,972,396 cycles                    #    2.681 GHz
         260,507,138,069 stalled-cycles-frontend   #   83.59% frontend cycles idle
         155,590,092,840 stalled-cycles-backend    #   49.93% backend  cycles idle
         100,101,255,411 instructions              #    0.32  insns per cycle
                                                   #    2.60  stalled cycles per insn
          16,535,930,999 branches                  #  142.243 M/sec
             646,483,591 branch-misses             #    3.91% of all branches
      
            10.225482774 seconds time elapsed
      
      After patch :
      
      a:~# echo 0 >/proc/sys/net/ipv4/tcp_low_latency
      a:~# perf stat ./super_netperf 300 -t TCP_RR -l 10 -H 7.7.7.84 -- -r 8k,8k
      233297
      
       Performance counter stats for './super_netperf 300 -t TCP_RR -l 10 -H 7.7.7.84 -- -r 8k,8k':
      
            91084.870855 task-clock                #    8.887 CPUs utilized
               2,485,916 context-switches          #    0.027 M/sec
                 815,520 CPU-migrations            #    0.009 M/sec
                 216,932 page-faults               #    0.002 M/sec
         245,195,022,629 cycles                    #    2.692 GHz
         202,635,777,041 stalled-cycles-frontend   #   82.64% frontend cycles idle
         124,280,372,407 stalled-cycles-backend    #   50.69% backend  cycles idle
          83,457,289,618 instructions              #    0.34  insns per cycle
                                                   #    2.43  stalled cycles per insn
          13,431,472,361 branches                  #  147.461 M/sec
             504,470,665 branch-misses             #    3.76% of all branches
      
            10.249594448 seconds time elapsed
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Tom Herbert <therbert@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79ffef1f
    • David S. Miller's avatar
      Merge branch 'sctp' · 8d6d8406
      David S. Miller authored
      Lee A. Roberts says:
      
      ====================
      This series of patches resolves several SCTP association hangs observed during
      SCTP stress testing.  Observable symptoms include communications hangs with
      data being held in the association reassembly and/or lobby (ordering) queues.
      Close examination of reassembly/ordering queues may show either duplicated
      or missing packets.
      
      In version #2, corrected build failure in initial version of patch series
      due to wrong calling sequence for sctp_ulpq_partial_delivery() being inserted
      in sctp_ulpq_renege().
      
      In version #3, adjusted patch documentation to be less repetitive.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d6d8406
    • Lee A. Roberts's avatar
      sctp: fix association hangs due to partial delivery errors · d003b41b
      Lee A. Roberts authored
      In sctp_ulpq_tail_data(), use return values 0,1 to indicate whether
      a complete event (with MSG_EOR set) was delivered.  A return value
      of -ENOMEM continues to indicate an out-of-memory condition was
      encountered.
      
      In sctp_ulpq_retrieve_partial() and sctp_ulpq_retrieve_first(),
      correct message reassembly logic for SCTP partial delivery.
      Change logic to ensure that as much data as possible is sent
      with the initial partial delivery and that following partial
      deliveries contain all available data.
      
      In sctp_ulpq_partial_delivery(), attempt partial delivery only
      if the data on the head of the reassembly queue is at or before
      the cumulative TSN ACK point.
      
      In sctp_ulpq_renege(), use the modified return values from
      sctp_ulpq_tail_data() to choose whether to attempt partial
      delivery or to attempt to drain the reassembly queue as a
      means to reduce memory pressure.  Remove call to
      sctp_tsnmap_mark(), as this is handled correctly in call to
      sctp_ulpq_tail_data().
      Signed-off-by: default avatarLee A. Roberts <lee.roberts@hp.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      d003b41b
    • Lee A. Roberts's avatar
      sctp: fix association hangs due to errors when reneging events from the ordering queue · 95ac7b85
      Lee A. Roberts authored
      In sctp_ulpq_renege_list(), events being reneged from the
      ordering queue may correspond to multiple TSNs.  Identify
      all affected packets; sum freed space and renege from the
      tsnmap.
      Signed-off-by: default avatarLee A. Roberts <lee.roberts@hp.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      95ac7b85
    • Lee A. Roberts's avatar
      sctp: fix association hangs due to reneging packets below the cumulative TSN ACK point · e67f85ec
      Lee A. Roberts authored
      In sctp_ulpq_renege_list(), do not renege packets below the
      cumulative TSN ACK point.
      Signed-off-by: default avatarLee A. Roberts <lee.roberts@hp.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      e67f85ec
    • Lee A. Roberts's avatar
      sctp: fix association hangs due to off-by-one errors in sctp_tsnmap_grow() · 70fc69bc
      Lee A. Roberts authored
      In sctp_tsnmap_mark(), correct off-by-one error when calculating
      size value for sctp_tsnmap_grow().
      
      In sctp_tsnmap_grow(), correct off-by-one error when copying
      and resizing the tsnmap.  If max_tsn_seen is in the LSB of the
      word, this bit can be lost, causing the corresponding packet
      to be transmitted again and to be entered as a duplicate into
      the SCTP reassembly/ordering queues.  Change parameter name
      from "gap" (zero-based index) to "size" (one-based) to enhance
      code readability.
      Signed-off-by: default avatarLee A. Roberts <lee.roberts@hp.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      70fc69bc
  5. 27 Feb, 2013 16 commits