1. 19 Aug, 2015 1 commit
    • Sven Eckelmann's avatar
      batman-adv: Fix memory leak on tt add with invalid vlan · fd7dec25
      Sven Eckelmann authored
      The object tt_local is allocated with kmalloc and not initialized when the
      function batadv_tt_local_add checks for the vlan. But this function can
      only cleanup the object when the (not yet initialized) reference counter of
      the object is 1. This is unlikely and thus the object would leak when the
      vlan could not be found.
      
      Instead the uninitialized object tt_local has to be freed manually and the
      pointer has to set to NULL to avoid calling the function which would try to
      decrement the reference counter of the not existing object.
      
      CID: 1316518
      Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd7dec25
  2. 17 Aug, 2015 13 commits
    • kbuild test robot's avatar
      net: phy: fix semicolon.cocci warnings · ff94c742
      kbuild test robot authored
      drivers/net/phy/smsc.c:127:3-4: Unneeded semicolon
      
       Remove unneeded semicolon.
      
      Generated by: scripts/coccinelle/misc/semicolon.cocci
      
      CC: Igor Plyatov <plyatov@gmail.com>
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ff94c742
    • David Ward's avatar
      a8079092
    • Ivan Vecera's avatar
      be2net: avoid vxlan offloading on multichannel configs · af19e686
      Ivan Vecera authored
      VxLAN offloading is not functional if the NIC is running in multichannel
      mode (UMC, FLEX-10, VNIC...). Enabling this additionally kills whole
      connectivity through the NIC and the device needs to be down and up to
      restore it. The firmware should take care about it and does not allow
      the conversion of interface to tunnel type (be_cmd_manage_iface) or should
      support VxLAN offloading if multichannel config is enabled.
      I have tested this on the latest available firmware (10.6.144.21).
      
      Result:
      [root@sm-04 ~]# ip link set enp5s0f0 up[root@sm-04 ~]# ip addr add 172.30.10.50/24 dev enp5s0f0
      [root@sm-04 ~]# ping -c 3 172.30.10.254PING 172.30.10.254 (172.30.10.254) 56(84) bytes of data.
      64 bytes from 172.30.10.254: icmp_seq=1 ttl=64 time=0.317 ms
      64 bytes from 172.30.10.254: icmp_seq=2 ttl=64 time=0.187 ms
      64 bytes from 172.30.10.254: icmp_seq=3 ttl=64 time=0.188 ms
      
       --- 172.30.10.254 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2000ms
      rtt min/avg/max/mdev = 0.187/0.230/0.317/0.063 ms
      [root@sm-04 ~]# ip link add link enp5s0f0 vxlan10 type vxlan id 10 remote 172.30.10.60 dstport 4789
      [root@sm-04 ~]# ip link set vxlan10 up
      [ 7900.442811] be2net 0000:05:00.0: Enabled VxLAN offloads for UDP port 4789
      [ 7900.455722] be2net 0000:05:00.1: Enabled VxLAN offloads for UDP port 4789
      [ 7900.468635] be2net 0000:05:00.2: Enabled VxLAN offloads for UDP port 4789
      [ 7900.481553] be2net 0000:05:00.3: Enabled VxLAN offloads for UDP port 4789
      [root@sm-04 ~]# ping -c 3 172.30.10.254
      PING 172.30.10.254 (172.30.10.254) 56(84) bytes of data.
      
       --- 172.30.10.254 ping statistics ---
      3 packets transmitted, 0 received, 100% packet loss, time 1999ms
      
      [root@sm-04 ~]# ip link set vxlan10 down
      [ 7959.434093] be2net 0000:05:00.0: Disabled VxLAN offloads for UDP port 4789
      [ 7959.444792] be2net 0000:05:00.1: Disabled VxLAN offloads for UDP port 4789
      [ 7959.455592] be2net 0000:05:00.2: Disabled VxLAN offloads for UDP port 4789
      [ 7959.466416] be2net 0000:05:00.3: Disabled VxLAN offloads for UDP port 4789
      [root@sm-04 ~]# ip link del vxlan10
      [root@sm-04 ~]# ping -c 3 172.30.10.254
      PING 172.30.10.254 (172.30.10.254) 56(84) bytes of data.
      
       --- 172.30.10.254 ping statistics ---
      3 packets transmitted, 0 received, 100% packet loss, time 1999ms
      
      [root@sm-04 ~]# ip link set enp5s0f0 down
      [root@sm-04 ~]# ip link set enp5s0f0 up
      [ 8071.019003] be2net 0000:05:00.0 enp5s0f0: Link is Up
      [root@sm-04 ~]# ping -c 3 172.30.10.254
      PING 172.30.10.254 (172.30.10.254) 56(84) bytes of data.
      64 bytes from 172.30.10.254: icmp_seq=1 ttl=64 time=0.318 ms
      64 bytes from 172.30.10.254: icmp_seq=2 ttl=64 time=0.196 ms
      64 bytes from 172.30.10.254: icmp_seq=3 ttl=64 time=0.194 ms
      
       --- 172.30.10.254 ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2000ms
      rtt min/avg/max/mdev = 0.194/0.236/0.318/0.057 ms
      
      Cc: Sathya Perla <sathya.perla@avagotech.com>
      Cc: Ajit Khaparde <ajit.khaparde@avagotech.com>
      Cc: Padmanabh Ratnakar <padmanabh.ratnakar@avagotech.com>
      Cc: Sriharsha Basavapatna <sriharsha.basavapatna@avagotech.com>
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Acked-by: default avatarAjit Khaparde <ajit.khaparde@avagotech.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af19e686
    • David S. Miller's avatar
      Merge branch 'ipv6_percpu_rt_deadlock' · 1f979b11
      David S. Miller authored
      Martin KaFai Lau says:
      
      ====================
      ipv6: Fix a potential deadlock when creating pcpu rt
      
      v1 -> v2:
      A minor change in the commit message of patch 2.
      
      This patch series fixes a potential deadlock when creating a pcpu rt.
      It happens when dst_alloc() decided to run gc. Something like this:
      
      read_lock(&table->tb6_lock);
      ip6_rt_pcpu_alloc()
      => dst_alloc()
      => ip6_dst_gc()
      => write_lock(&table->tb6_lock); /* oops */
      
      Patch 1 and 2 are some prep works.
      Patch 3 is the fix.
      
      Original report: https://bugzilla.kernel.org/show_bug.cgi?id=102291
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f979b11
    • Martin KaFai Lau's avatar
      ipv6: Fix a potential deadlock when creating pcpu rt · 9c7370a1
      Martin KaFai Lau authored
      rt6_make_pcpu_route() is called under read_lock(&table->tb6_lock).
      rt6_make_pcpu_route() calls ip6_rt_pcpu_alloc(rt) which then
      calls dst_alloc().  dst_alloc() _may_ call ip6_dst_gc() which takes
      the write_lock(&tabl->tb6_lock).  A visualized version:
      
      read_lock(&table->tb6_lock);
      rt6_make_pcpu_route();
      => ip6_rt_pcpu_alloc();
      => dst_alloc();
      => ip6_dst_gc();
      => write_lock(&table->tb6_lock); /* oops */
      
      The fix is to do a read_unlock first before calling ip6_rt_pcpu_alloc().
      
      A reported stack:
      
      [141625.537638] INFO: rcu_sched self-detected stall on CPU { 27}  (t=60000 jiffies g=4159086 c=4159085 q=2139)
      [141625.547469] Task dump for CPU 27:
      [141625.550881] mtr             R  running task        0 22121  22081 0x00000008
      [141625.558069]  0000000000000000 ffff88103f363d98 ffffffff8106e488 000000000000001b
      [141625.565641]  ffffffff81684900 ffff88103f363db8 ffffffff810702b0 0000000008000000
      [141625.573220]  ffffffff81684900 ffff88103f363de8 ffffffff8108df9f ffff88103f375a00
      [141625.580803] Call Trace:
      [141625.583345]  <IRQ>  [<ffffffff8106e488>] sched_show_task+0xc1/0xc6
      [141625.589650]  [<ffffffff810702b0>] dump_cpu_task+0x35/0x39
      [141625.595144]  [<ffffffff8108df9f>] rcu_dump_cpu_stacks+0x6a/0x8c
      [141625.601320]  [<ffffffff81090606>] rcu_check_callbacks+0x1f6/0x5d4
      [141625.607669]  [<ffffffff810940c8>] update_process_times+0x2a/0x4f
      [141625.613925]  [<ffffffff8109fbee>] tick_sched_handle+0x32/0x3e
      [141625.619923]  [<ffffffff8109fc2f>] tick_sched_timer+0x35/0x5c
      [141625.625830]  [<ffffffff81094a1f>] __hrtimer_run_queues+0x8f/0x18d
      [141625.632171]  [<ffffffff81094c9e>] hrtimer_interrupt+0xa0/0x166
      [141625.638258]  [<ffffffff8102bf2a>] local_apic_timer_interrupt+0x4e/0x52
      [141625.645036]  [<ffffffff8102c36f>] smp_apic_timer_interrupt+0x39/0x4a
      [141625.651643]  [<ffffffff8140b9e8>] apic_timer_interrupt+0x68/0x70
      [141625.657895]  <EOI>  [<ffffffff81346ee8>] ? dst_destroy+0x7c/0xb5
      [141625.664188]  [<ffffffff813d45b5>] ? fib6_flush_trees+0x20/0x20
      [141625.670272]  [<ffffffff81082b45>] ? queue_write_lock_slowpath+0x60/0x6f
      [141625.677140]  [<ffffffff8140aa33>] _raw_write_lock_bh+0x23/0x25
      [141625.683218]  [<ffffffff813d4553>] __fib6_clean_all+0x40/0x82
      [141625.689124]  [<ffffffff813d45b5>] ? fib6_flush_trees+0x20/0x20
      [141625.695207]  [<ffffffff813d6058>] fib6_clean_all+0xe/0x10
      [141625.700854]  [<ffffffff813d60d3>] fib6_run_gc+0x79/0xc8
      [141625.706329]  [<ffffffff813d0510>] ip6_dst_gc+0x85/0xf9
      [141625.711718]  [<ffffffff81346d68>] dst_alloc+0x55/0x159
      [141625.717105]  [<ffffffff813d09b5>] __ip6_dst_alloc.isra.32+0x19/0x63
      [141625.723620]  [<ffffffff813d1830>] ip6_pol_route+0x36a/0x3e8
      [141625.729441]  [<ffffffff813d18d6>] ip6_pol_route_output+0x11/0x13
      [141625.735700]  [<ffffffff813f02c8>] fib6_rule_action+0xa7/0x1bf
      [141625.741698]  [<ffffffff813d18c5>] ? ip6_pol_route_input+0x17/0x17
      [141625.748043]  [<ffffffff81357c48>] fib_rules_lookup+0xb5/0x12a
      [141625.754050]  [<ffffffff81141628>] ? poll_select_copy_remaining+0xf9/0xf9
      [141625.761002]  [<ffffffff813f0535>] fib6_rule_lookup+0x37/0x5c
      [141625.766914]  [<ffffffff813d18c5>] ? ip6_pol_route_input+0x17/0x17
      [141625.773260]  [<ffffffff813d008c>] ip6_route_output+0x7a/0x82
      [141625.779177]  [<ffffffff813c44c8>] ip6_dst_lookup_tail+0x53/0x112
      [141625.785437]  [<ffffffff813c45c3>] ip6_dst_lookup_flow+0x2a/0x6b
      [141625.791604]  [<ffffffff813ddaab>] rawv6_sendmsg+0x407/0x9b6
      [141625.797423]  [<ffffffff813d7914>] ? do_ipv6_setsockopt.isra.8+0xd87/0xde2
      [141625.804464]  [<ffffffff8139d4b4>] inet_sendmsg+0x57/0x8e
      [141625.810028]  [<ffffffff81329ba3>] sock_sendmsg+0x2e/0x3c
      [141625.815588]  [<ffffffff8132be57>] SyS_sendto+0xfe/0x143
      [141625.821063]  [<ffffffff813dd551>] ? rawv6_setsockopt+0x5e/0x67
      [141625.827146]  [<ffffffff8132c9f8>] ? sock_common_setsockopt+0xf/0x11
      [141625.833660]  [<ffffffff8132c08c>] ? SyS_setsockopt+0x81/0xa2
      [141625.839565]  [<ffffffff8140ac17>] entry_SYSCALL_64_fastpath+0x12/0x6a
      
      Fixes: d52d3997 ("pv6: Create percpu rt6_info")
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Reported-by: default avatarSteinar H. Gunderson <sgunderson@bigfoot.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c7370a1
    • Martin KaFai Lau's avatar
      ipv6: Add rt6_make_pcpu_route() · a73e4195
      Martin KaFai Lau authored
      It is a prep work for fixing a potential deadlock when creating
      a pcpu rt.
      
      The current rt6_get_pcpu_route() will also create a pcpu rt if one does not
      exist.  This patch moves the pcpu rt creation logic into another function,
      rt6_make_pcpu_route().
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a73e4195
    • Martin KaFai Lau's avatar
      ipv6: Remove un-used argument from ip6_dst_alloc() · ad706862
      Martin KaFai Lau authored
      After 4b32b5ad ("ipv6: Stop rt6_info from using inet_peer's metrics"),
      ip6_dst_alloc() does not need the 'table' argument.  This patch
      cleans it up.
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad706862
    • Igor Plyatov's avatar
      net: phy: workaround for buggy cable detection by LAN8700 after cable plugging · 776829de
      Igor Plyatov authored
      * Due to HW bug, LAN8700 sometimes does not detect presence of energy in the
        Ethernet cable in Energy Detect Power-Down mode (e.g while EDPWRDOWN bit is
        set, the ENERGYON bit does not asserted sometimes). This is a common bug of
        LAN87xx family of PHY chips.
      * The lan87xx_read_status() was improved to acquire ENERGYON bit. Its previous
        algorythm still not reliable on 100 % and sometimes skip cable plugging.
      Signed-off-by: default avatarIgor Plyatov <plyatov@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      776829de
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2015-08-14' of... · a27cc68b
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2015-08-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      We have a single bugfix for an invalid memory read.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a27cc68b
    • Dan Carpenter's avatar
      net: ethernet: micrel: fix an error code · 2902bc66
      Dan Carpenter authored
      The dma_mapping_error() function returns true or false.  We should
      return -ENOMEM if it there is a dma mapping error.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2902bc66
    • Guillaume Nault's avatar
      ppp: fix device unregistration upon netns deletion · 8cb775bc
      Guillaume Nault authored
      PPP devices may get automatically unregistered when their network
      namespace is getting removed. This happens if the ppp control plane
      daemon (e.g. pppd) exits while it is the last user of this namespace.
      
      This leads to several races:
      
        * ppp_exit_net() may destroy the per namespace idr (pn->units_idr)
          before all file descriptors were released. Successive ppp_release()
          calls may then cleanup PPP devices with ppp_shutdown_interface() and
          try to use the already destroyed idr.
      
        * Automatic device unregistration may also happen before the
          ppp_release() call for that device gets executed. Once called on
          the file owning the device, ppp_release() will then clean it up and
          try to unregister it a second time.
      
      To fix these issues, operations defined in ppp_shutdown_interface() are
      moved to the PPP device's ndo_uninit() callback. This allows PPP
      devices to be properly cleaned up by unregister_netdev() and friends.
      So checking for ppp->owner is now an accurate test to decide if a PPP
      device should be unregistered.
      
      Setting ppp->owner is done in ppp_create_interface(), before device
      registration, in order to avoid unprotected modification of this field.
      
      Finally, ppp_exit_net() now starts by unregistering all remaining PPP
      devices to ensure that none will get unregistered after the call to
      idr_destroy().
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cb775bc
    • Shaohui Xie's avatar
      net: phy: fix PHY_RUNNING in phy_state_machine · 11e122cb
      Shaohui Xie authored
      Currently, if phy state is PHY_RUNNING, we always register a CHANGE
      when phy works in polling or interrupt ignored, this will make the
      adjust_link being called even the phy link did Not changed.
      
      checking the phy link to make sure the link did changed before we
      register a CHANGE, if link did not changed, we do nothing.
      Signed-off-by: default avatarShaohui Xie <Shaohui.Xie@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      11e122cb
    • Calvin Owens's avatar
      Revert "net: limit tcp/udp rmem/wmem to SOCK_{RCV,SND}BUF_MIN" · 5d37852b
      Calvin Owens authored
      Commit 8133534c ("net: limit tcp/udp rmem/wmem to
      SOCK_{RCV,SND}BUF_MIN") modified four sysctls to enforce that the values
      written to them are not less than SOCK_MIN_{RCV,SND}BUF.
      
      That change causes 4096 to no longer be accepted as a valid value for
      'min' in tcp_wmem and udp_wmem_min. 4096 has been the default for both
      of those sysctls for a long time, and unfortunately seems to be an
      extremely popular setting. This change breaks a large number of sysctl
      configurations at Facebook.
      
      That commit referred to b1cb59cf ("net: sysctl_net_core: check
      SNDBUF and RCVBUF for min length"), which choose to use the SOCK_MIN
      constants as the lower limits to avoid nasty bugs. But AFAICS, a limit
      of SOCK_MIN_SNDBUF isn't necessary to do that: the BUG_ON cited in the
      commit message seems to have happened because unix_stream_sendmsg()
      expects a minimum of a full page (ie SK_MEM_QUANTUM) and the math broke,
      not because it had less than SOCK_MIN_SNDBUF allocated.
      
      This particular issue doesn't seem to affect TCP however: using a
      setting of "1 1 1" for tcp_{r,w}mem works, although it's obviously
      suboptimal. SK_MEM_QUANTUM would be a nice minimum, but it's 64K on
      some archs, so there would still be breakage.
      
      Since a value of one doesn't seem to cause any problems, we can drop the
      minimum 8133534c added to fix this.
      
      This reverts commit 8133534c.
      
      Fixes: 8133534c ("net: limit tcp/udp rmem/wmem to SOCK_MIN...")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Sorin Dumitru <sorin@returnze.ro>
      Signed-off-by: default avatarCalvin Owens <calvinowens@fb.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5d37852b
  3. 14 Aug, 2015 4 commits
    • Eric Dumazet's avatar
      inet: fix potential deadlock in reqsk_queue_unlink() · 83fccfc3
      Eric Dumazet authored
      When replacing del_timer() with del_timer_sync(), I introduced
      a deadlock condition :
      
      reqsk_queue_unlink() is called from inet_csk_reqsk_queue_drop()
      
      inet_csk_reqsk_queue_drop() can be called from many contexts,
      one being the timer handler itself (reqsk_timer_handler()).
      
      In this case, del_timer_sync() loops forever.
      
      Simple fix is to test if timer is pending.
      
      Fixes: 2235f2ac ("inet: fix races with reqsk timers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      83fccfc3
    • Claudiu Manoil's avatar
      gianfar: Restore link state settings after MAC reset · 2a4eebf0
      Claudiu Manoil authored
      There are some MAC registers that need to be kept in sync
      with the link state parameters, see adjust_link().
      However, after a MAC soft reset default values for
      these registers are assumed.  In some cases (excepting
      if down/ if up for example) adjust_link() does not see
      that these values were reset to default because the
      priv->old* link parameters were left unchanged.
      So, reset the priv->old* link params as well during a
      MAC reset to let adjust_link() restore the MAC link
      settings to the actual link state values.
      
      Fixes following case, for example:
      Setting link to 100M, changing MTU (implies MAC reset),
      link state remains unchanged to 100M but MAC registers
      were reset to default (1G) breaking the connectivity w/
      the PHY.  Closing and re-opening the interface would
      restore the MAC link parameters to the correct values.
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a4eebf0
    • Andy Whitcroft's avatar
      ipv4: off-by-one in continuation handling in /proc/net/route · 25b97c01
      Andy Whitcroft authored
      When generating /proc/net/route we emit a header followed by a line for
      each route.  When a short read is performed we will restart this process
      based on the open file descriptor.  When calculating the start point we
      fail to take into account that the 0th entry is the header.  This leads
      us to skip the first entry when doing a continuation read.
      
      This can be easily seen with the comparison below:
      
        while read l; do echo "$l"; done </proc/net/route >A
        cat /proc/net/route >B
        diff -bu A B | grep '^[+-]'
      
      On my example machine I have approximatly 10KB of route output.  There we
      see the very first non-title element is lost in the while read case,
      and an entry around the 8K mark in the cat case:
      
        +wlan0 00000000 02021EAC 0003 0 0 400 00000000 0 0 0
        -tun1  00C0AC0A 00000000 0001 0 0 950 00C0FFFF 0 0 0
      
      Fix up the off-by-one when reaquiring position on continuation.
      
      Fixes: 8be33e95 ("fib_trie: Fib walk rcu should take a tnode and key instead of a trie and a leaf")
      BugLink: http://bugs.launchpad.net/bugs/1483440Acked-by: default avatarAlexander Duyck <alexander.h.duyck@redhat.com>
      Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25b97c01
    • Linus Lüssing's avatar
      net: fix wrong skb_get() usage / crash in IGMP/MLD parsing code · a516993f
      Linus Lüssing authored
      The recent refactoring of the IGMP and MLD parsing code into
      ipv6_mc_check_mld() / ip_mc_check_igmp() introduced a potential crash /
      BUG() invocation for bridges:
      
      I wrongly assumed that skb_get() could be used as a simple reference
      counter for an skb which is not the case. skb_get() bears additional
      semantics, a user count. This leads to a BUG() invocation in
      pskb_expand_head() / kernel panic if pskb_may_pull() is called on an skb
      with a user count greater than one - unfortunately the refactoring did
      just that.
      
      Fixing this by removing the skb_get() call and changing the API: The
      caller of ipv6_mc_check_mld() / ip_mc_check_igmp() now needs to
      additionally check whether the returned skb_trimmed is a clone.
      
      Fixes: 9afd85c9 ("net: Export IGMP/MLD message validation code")
      Reported-by: default avatarBrenden Blanco <bblanco@plumgrid.com>
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a516993f
  4. 13 Aug, 2015 8 commits
    • Linus Torvalds's avatar
      Merge tag 'dm-4.2-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 5b3e2e14
      Linus Torvalds authored
      Pull device mapper fixes from Mike Snitzer:
      
       - two stable fixes for corruption seen in a snapshot of thinp metadata;
         metadata snapshots aren't widely used but help provide a consistent
         view of the metadata associated with an active thin-pool.
      
       - a dm-cache fix for the 4.2 "default" policy switch from "mq" to "smq"
      
      * tag 'dm-4.2-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm cache policy smq: move 'dm-cache-default' module alias to SMQ
        dm btree: add ref counting ops for the leaves of top level btrees
        dm thin metadata: delete btrees when releasing metadata snapshot
      5b3e2e14
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · ebcbf166
      Linus Torvalds authored
      Pull xen block driver fixes from Jens Axboe:
       "A few small bug fixes for xen-blk{front,back} that have been sitting
        over my vacation"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
        xen-blkfront: don't add indirect pages to list when !feature_persistent
        xen-blkfront: introduce blkfront_gather_backend_features()
      ebcbf166
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.2-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 6b476e11
      Linus Torvalds authored
      Pull xen bug fixes from David Vrabel:
      
       - revert a fix from 4.2-rc5 that was causing lots of WARNING spam.
      
       - fix a memory leak affecting backends in HVM guests.
      
       - fix PV domU hang with certain configurations.
      
      * tag 'for-linus-4.2-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/xenbus: Don't leak memory when unmapping the ring on HVM backend
        Revert "xen/events/fifo: Handle linked events when closing a port"
        x86/xen: build "Xen PV" APIC driver for domU as well
      6b476e11
    • Linus Torvalds's avatar
      Revert x86 sigcontext cleanups · ed596cde
      Linus Torvalds authored
      This reverts commits 9a036b93 ("x86/signal/64: Remove 'fs' and 'gs'
      from sigcontext") and c6f20629 ("x86/signal/64: Fix SS handling for
      signals delivered to 64-bit programs").
      
      They were cleanups, but they break dosemu by changing the signal return
      behavior (and removing 'fs' and 'gs' from the sigcontext struct - while
      not actually changing any behavior - causes build problems).
      Reported-and-tested-by: default avatarStas Sergeev <stsp@list.ru>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ed596cde
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 26b552e0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Workaround hw bug when acquiring PCI bos ownership of iwlwifi
          devices, from Emmanuel Grumbach.
      
       2) Falling back to vmalloc in conntrack should not emit a warning, from
          Pablo Neira Ayuso.
      
       3) Fix NULL deref when rtlwifi driver is used as an AP, from Luis
          Felipe Dominguez Vega.
      
       4) Rocker doesn't free netdev on device removal, from Ido Schimmel.
      
       5) UDP multicast early sock demux has route handling races, from Eric
          Dumazet.
      
       6) Fix L4 checksum handling in openvswitch, from Glenn Griffin.
      
       7) Fix use-after-free in skb_set_peeked, from Herbert Xu.
      
       8) Don't advertize NETIF_F_FRAGLIST in virtio_net driver, this can lead
          to fraglists longer than the driver can support.  From Jason Wang.
      
       9) Fix mlx5 on non-4k-pagesize systems, from Carol L Soto.
      
      10) Fix interrupt storm in bna driver, from Ivan Vecera.
      
      11) Don't propagate -EBUSY from netlink_insert(), from Daniel Borkmann.
      
      12) Fix inet request sock leak, from Eric Dumazet.
      
      13) Fix TX interrupt masking and marking in TX descriptors of fs_enet
          driver, from LEROY Christophe.
      
      14) Get rid of rule optimizer in gianfar driver, it's buggy and unlikely
          to get fixed any time soon.  From Jakub Kicinski
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (61 commits)
        cosa: missing error code on failure in probe()
        gianfar: remove faulty filer optimizer
        gianfar: correct list membership accounting
        gianfar: correct filer table writing
        bonding: Gratuitous ARP gets dropped when first slave added
        net: dsa: Do not override PHY interface if already configured
        net: fs_enet: mask interrupts for TX partial frames.
        net: fs_enet: explicitly remove I flag on TX partial frames
        inet: fix possible request socket leak
        inet: fix races with reqsk timers
        mkiss: Fix error handling in mkiss_open()
        bnx2x: Free NVRAM lock at end of each page
        bnx2x: Prevent null pointer dereference on SKB release
        cxgb4: missing curly braces in t4_setup_debugfs()
        net-timestamp: Update skb_complete_tx_timestamp comment
        ipv6: don't reject link-local nexthop on other interface
        netlink: make sure -EBUSY won't escape from netlink_insert
        bna: fix interrupts storm caused by erroneous packets
        net: mvpp2: replace TX coalescing interrupts with hrtimer
        net: mvpp2: enable proper per-CPU TX buffers unmapping
        ...
      26b552e0
    • Linus Torvalds's avatar
      Merge tag 'edac_fix_for_4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 2331d30d
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "A ppc4xx_edac fix for accessing ->csrows properly.  This driver was
        missed during the conversion a couple of years ago"
      
      * tag 'edac_fix_for_4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC, ppc4xx: Access mci->csrows array elements properly
      2331d30d
    • Adrien Schildknecht's avatar
      mac80211: fix invalid read in minstrel_sort_best_tp_rates() · f5eeb5fa
      Adrien Schildknecht authored
      At the last iteration of the loop, j may equal zero and thus
      tp_list[j - 1] causes an invalid read.
      Change the logic of the loop so that j - 1 is always >= 0.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAdrien Schildknecht <adrien+dev@schischi.me>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      f5eeb5fa
    • Michael Walle's avatar
      EDAC, ppc4xx: Access mci->csrows array elements properly · 5c16179b
      Michael Walle authored
      The commit
      
        de3910eb ("edac: change the mem allocation scheme to
      		 make Documentation/kobject.txt happy")
      
      changed the memory allocation for the csrows member. But ppc4xx_edac was
      forgotten in the patch. Fix it.
      Signed-off-by: default avatarMichael Walle <michael@walle.cc>
      Cc: <stable@vger.kernel.org>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Link: http://lkml.kernel.org/r/1437469253-8611-1-git-send-email-michael@walle.ccSigned-off-by: default avatarBorislav Petkov <bp@suse.de>
      5c16179b
  5. 12 Aug, 2015 14 commits