1. 05 Sep, 2012 3 commits
  2. 04 Sep, 2012 7 commits
    • Eric Dumazet's avatar
      l2tp: fix a typo in l2tp_eth_dev_recv() · c0cc88a7
      Eric Dumazet authored
      While investigating l2tp bug, I hit a bug in eth_type_trans(),
      because not enough bytes were pulled in skb head.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c0cc88a7
    • David S. Miller's avatar
    • Wu Fengguang's avatar
      i825xx: fix paging fault on znet_probe() · b320e972
      Wu Fengguang authored
      In znet_probe(), strncmp() may access beyond 0x100000 and
      trigger the below oops in kvm.  Fix it by limiting the loop
      under 0x100000-8. I suspect the limit could be further decreased
      to 0x100000-sizeof(struct netidblk), however no datasheet at hand..
      
      [    3.744312] BUG: unable to handle kernel paging request at 80100000
      [    3.746145] IP: [<8119d12a>] strncmp+0xc/0x20
      [    3.747446] *pde = 01d10067 *pte = 00100160
      [    3.747493] Oops: 0000 [#1] DEBUG_PAGEALLOC
      [    3.747493] Pid: 1, comm: swapper Not tainted 3.6.0-rc1-00018-g57bfc0a7 #73 Bochs Bochs
      [    3.747493] EIP: 0060:[<8119d12a>] EFLAGS: 00010206 CPU: 0
      [    3.747493] EIP is at strncmp+0xc/0x20
      [    3.747493] EAX: 800fff4e EBX: 00000006 ECX: 00000006 EDX: 814d2bb9
      [    3.747493] ESI: 80100000 EDI: 814d2bba EBP: 8e03dfa0 ESP: 8e03df98
      [    3.747493]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      [    3.747493] CR0: 8005003b CR2: 80100000 CR3: 016f7000 CR4: 00000690
      [    3.747493] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [    3.747493] DR6: ffff0ff0 DR7: 00000400
      [    3.747493] Process swapper (pid: 1, ti=8e03c000 task=8e040000 task.ti=8e03c000)
      [    3.747493] Stack:
      [    3.747493]  800fffff 00000000 8e03dfb4 816a1376 00000006 816a134a 00000000 8e03dfd0
      [    3.747493]  816819b5 816ed1c0 8e03dfe4 00000006 00000123 816ed604 8e03dfe4 81681b29
      [    3.747493]  00000000 81681a5b 00000000 00000000 8134e542 00000000 00000000 00000000
      [    3.747493] Call Trace:
      [    3.747493]  [<816a1376>] znet_probe+0x2c/0x26b
      [    3.747493]  [<816a134a>] ? dnet_driver_init+0xf/0xf
      [    3.747493]  [<816819b5>] do_one_initcall+0x6a/0x110
      [    3.747493]  [<81681b29>] kernel_init+0xce/0x14b
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b320e972
    • Steffen Klassert's avatar
      xfrm: Workaround incompatibility of ESN and async crypto · 3b59df46
      Steffen Klassert authored
      ESN for esp is defined in RFC 4303. This RFC assumes that the
      sequence number counters are always up to date. However,
      this is not true if an async crypto algorithm is employed.
      
      If the sequence number counters are not up to date on sequence
      number check, we may incorrectly update the upper 32 bit of
      the sequence number. This leads to a DOS.
      
      We workaround this by comparing the upper sequence number,
      (used for authentication) with the upper sequence number
      computed after the async processing. We drop the packet
      if these numbers are different.
      
      To do this, we introduce a recheck function that does this
      check in the ESN case.
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b59df46
    • Eric Dumazet's avatar
      l2tp: fix a lockdep splat · 37159ef2
      Eric Dumazet authored
      Fixes following lockdep splat :
      
      [ 1614.734896] =============================================
      [ 1614.734898] [ INFO: possible recursive locking detected ]
      [ 1614.734901] 3.6.0-rc3+ #782 Not tainted
      [ 1614.734903] ---------------------------------------------
      [ 1614.734905] swapper/11/0 is trying to acquire lock:
      [ 1614.734907]  (slock-AF_INET){+.-...}, at: [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.734920]
      [ 1614.734920] but task is already holding lock:
      [ 1614.734922]  (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
      [ 1614.734932]
      [ 1614.734932] other info that might help us debug this:
      [ 1614.734935]  Possible unsafe locking scenario:
      [ 1614.734935]
      [ 1614.734937]        CPU0
      [ 1614.734938]        ----
      [ 1614.734940]   lock(slock-AF_INET);
      [ 1614.734943]   lock(slock-AF_INET);
      [ 1614.734946]
      [ 1614.734946]  *** DEADLOCK ***
      [ 1614.734946]
      [ 1614.734949]  May be due to missing lock nesting notation
      [ 1614.734949]
      [ 1614.734952] 7 locks held by swapper/11/0:
      [ 1614.734954]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff81592801>] __netif_receive_skb+0x251/0xd00
      [ 1614.734964]  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff815d319c>] ip_local_deliver_finish+0x4c/0x4e0
      [ 1614.734972]  #2:  (rcu_read_lock){.+.+..}, at: [<ffffffff8160d116>] icmp_socket_deliver+0x46/0x230
      [ 1614.734982]  #3:  (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
      [ 1614.734989]  #4:  (rcu_read_lock){.+.+..}, at: [<ffffffff815da240>] ip_queue_xmit+0x0/0x680
      [ 1614.734997]  #5:  (rcu_read_lock_bh){.+....}, at: [<ffffffff815d9925>] ip_finish_output+0x135/0x890
      [ 1614.735004]  #6:  (rcu_read_lock_bh){.+....}, at: [<ffffffff81595680>] dev_queue_xmit+0x0/0xe00
      [ 1614.735012]
      [ 1614.735012] stack backtrace:
      [ 1614.735016] Pid: 0, comm: swapper/11 Not tainted 3.6.0-rc3+ #782
      [ 1614.735018] Call Trace:
      [ 1614.735020]  <IRQ>  [<ffffffff810a50ac>] __lock_acquire+0x144c/0x1b10
      [ 1614.735033]  [<ffffffff810a334b>] ? check_usage+0x9b/0x4d0
      [ 1614.735037]  [<ffffffff810a6762>] ? mark_held_locks+0x82/0x130
      [ 1614.735042]  [<ffffffff810a5df0>] lock_acquire+0x90/0x200
      [ 1614.735047]  [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735051]  [<ffffffff810a69ad>] ? trace_hardirqs_on+0xd/0x10
      [ 1614.735060]  [<ffffffff81749b31>] _raw_spin_lock+0x41/0x50
      [ 1614.735065]  [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735069]  [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735075]  [<ffffffffa014f7f2>] l2tp_eth_dev_xmit+0x32/0x60 [l2tp_eth]
      [ 1614.735079]  [<ffffffff81595112>] dev_hard_start_xmit+0x502/0xa70
      [ 1614.735083]  [<ffffffff81594c6e>] ? dev_hard_start_xmit+0x5e/0xa70
      [ 1614.735087]  [<ffffffff815957c1>] ? dev_queue_xmit+0x141/0xe00
      [ 1614.735093]  [<ffffffff815b622e>] sch_direct_xmit+0xfe/0x290
      [ 1614.735098]  [<ffffffff81595865>] dev_queue_xmit+0x1e5/0xe00
      [ 1614.735102]  [<ffffffff81595680>] ? dev_hard_start_xmit+0xa70/0xa70
      [ 1614.735106]  [<ffffffff815b4daa>] ? eth_header+0x3a/0xf0
      [ 1614.735111]  [<ffffffff8161d33e>] ? fib_get_table+0x2e/0x280
      [ 1614.735117]  [<ffffffff8160a7e2>] arp_xmit+0x22/0x60
      [ 1614.735121]  [<ffffffff8160a863>] arp_send+0x43/0x50
      [ 1614.735125]  [<ffffffff8160b82f>] arp_solicit+0x18f/0x450
      [ 1614.735132]  [<ffffffff8159d9da>] neigh_probe+0x4a/0x70
      [ 1614.735137]  [<ffffffff815a191a>] __neigh_event_send+0xea/0x300
      [ 1614.735141]  [<ffffffff815a1c93>] neigh_resolve_output+0x163/0x260
      [ 1614.735146]  [<ffffffff815d9cf5>] ip_finish_output+0x505/0x890
      [ 1614.735150]  [<ffffffff815d9925>] ? ip_finish_output+0x135/0x890
      [ 1614.735154]  [<ffffffff815dae79>] ip_output+0x59/0xf0
      [ 1614.735158]  [<ffffffff815da1cd>] ip_local_out+0x2d/0xa0
      [ 1614.735162]  [<ffffffff815da403>] ip_queue_xmit+0x1c3/0x680
      [ 1614.735165]  [<ffffffff815da240>] ? ip_local_out+0xa0/0xa0
      [ 1614.735172]  [<ffffffff815f4402>] tcp_transmit_skb+0x402/0xa60
      [ 1614.735177]  [<ffffffff815f5a11>] tcp_retransmit_skb+0x1a1/0x620
      [ 1614.735181]  [<ffffffff815f7e93>] tcp_retransmit_timer+0x393/0x960
      [ 1614.735185]  [<ffffffff815fce23>] ? tcp_v4_err+0x163/0x6b0
      [ 1614.735189]  [<ffffffff815fd317>] tcp_v4_err+0x657/0x6b0
      [ 1614.735194]  [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
      [ 1614.735199]  [<ffffffff8160d19e>] icmp_socket_deliver+0xce/0x230
      [ 1614.735203]  [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
      [ 1614.735208]  [<ffffffff8160d464>] icmp_unreach+0xe4/0x2c0
      [ 1614.735213]  [<ffffffff8160e520>] icmp_rcv+0x350/0x4a0
      [ 1614.735217]  [<ffffffff815d3285>] ip_local_deliver_finish+0x135/0x4e0
      [ 1614.735221]  [<ffffffff815d319c>] ? ip_local_deliver_finish+0x4c/0x4e0
      [ 1614.735225]  [<ffffffff815d3ffa>] ip_local_deliver+0x4a/0x90
      [ 1614.735229]  [<ffffffff815d37b7>] ip_rcv_finish+0x187/0x730
      [ 1614.735233]  [<ffffffff815d425d>] ip_rcv+0x21d/0x300
      [ 1614.735237]  [<ffffffff81592a1b>] __netif_receive_skb+0x46b/0xd00
      [ 1614.735241]  [<ffffffff81592801>] ? __netif_receive_skb+0x251/0xd00
      [ 1614.735245]  [<ffffffff81593368>] process_backlog+0xb8/0x180
      [ 1614.735249]  [<ffffffff81593cf9>] net_rx_action+0x159/0x330
      [ 1614.735257]  [<ffffffff810491f0>] __do_softirq+0xd0/0x3e0
      [ 1614.735264]  [<ffffffff8109ed24>] ? tick_program_event+0x24/0x30
      [ 1614.735270]  [<ffffffff8175419c>] call_softirq+0x1c/0x30
      [ 1614.735278]  [<ffffffff8100425d>] do_softirq+0x8d/0xc0
      [ 1614.735282]  [<ffffffff8104983e>] irq_exit+0xae/0xe0
      [ 1614.735287]  [<ffffffff8175494e>] smp_apic_timer_interrupt+0x6e/0x99
      [ 1614.735291]  [<ffffffff81753a1c>] apic_timer_interrupt+0x6c/0x80
      [ 1614.735293]  <EOI>  [<ffffffff810a14ad>] ? trace_hardirqs_off+0xd/0x10
      [ 1614.735306]  [<ffffffff81336f85>] ? intel_idle+0xf5/0x150
      [ 1614.735310]  [<ffffffff81336f7e>] ? intel_idle+0xee/0x150
      [ 1614.735317]  [<ffffffff814e6ea9>] cpuidle_enter+0x19/0x20
      [ 1614.735321]  [<ffffffff814e7538>] cpuidle_idle_call+0xa8/0x630
      [ 1614.735327]  [<ffffffff8100c1ba>] cpu_idle+0x8a/0xe0
      [ 1614.735333]  [<ffffffff8173762e>] start_secondary+0x220/0x222
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37159ef2
    • Alan Cox's avatar
      netrom: copy_datagram_iovec can fail · 6cf5c951
      Alan Cox authored
      Check for an error from this and if so bail properly.
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cf5c951
    • Jesse Gross's avatar
      openvswitch: Fix FLOW_BUFSIZE definition. · c303aa94
      Jesse Gross authored
      The vlan encapsulation fields in the maximum flow defintion were
      never updated when the representation changed before upstreaming.
      In theory this could cause a kernel panic when a maximum length
      flow is used.  In practice this has never happened (to my knowledge)
      because skb allocations are padded out to a cache line so you would
      need the right combination of flow and packet being sent to userspace.
      Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
      c303aa94
  3. 03 Sep, 2012 6 commits
    • Wei Yongjun's avatar
      mISDN: fix possible memory leak in hfcmulti_init() · 9fef7685
      Wei Yongjun authored
      hc has been allocated in this function and missing free it before
      leaving from some error handling cases.
      
      spatch with a semantic match is used to found this problem.
      (http://coccinelle.lip6.fr/)
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fef7685
    • Eric Dumazet's avatar
      fq_codel: dont reinit flow state · b379135c
      Eric Dumazet authored
      When fq_codel builds a new flow, it should not reset codel state.
      
      Codel algo needs to get previous values (lastcount, drop_next) to get
      proper behavior.
      Signed-off-by: default avatarDave Taht <dave.taht@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarDave Taht <dave.taht@bufferbloat.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b379135c
    • Benoît Locher's avatar
      can: mcp251x: avoid repeated frame bug · cab32f39
      Benoît Locher authored
      The MCP2515 has a silicon bug causing repeated frame transmission, see section
      5 of MCP2515 Rev. B Silicon Errata Revision G (March 2007).
      
      Basically, setting TXBnCTRL.TXREQ in either SPI mode (00 or 11) will eventually
      cause the bug. The workaround proposed by Microchip is to use mode 00 and send
      a RTS command on the SPI bus to initiate the transmission.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBenoît Locher <Benoit.Locher@skf.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      cab32f39
    • Bjørn Mork's avatar
      net: usbnet: fix softirq storm on suspend · 85e87870
      Bjørn Mork authored
      Suspending an open usbnet device results in constant
      rescheduling of usbnet_bh.
      
      commit 65841fd5 "usbnet: handle remote wakeup asap"
      refactored the usbnet_bh code to allow sharing the
      urb allocate and submit code with usbnet_resume. In
      this process, a test for, and immediate return on,
      ENOLINK from rx_submit was unintentionally dropped.
      
      The rx queue will not grow if rx_submit fails,
      making usbnet_bh reschedule itself.  This results
      in a softirq storm if the error is persistent.
      rx_submit translates the usb_submit_urb error
      EHOSTUNREACH into ENOLINK, so this is an expected
      and persistent error for a suspended device. The
      old code tested for this condition and avoided
      rescheduling.  Putting this test back.
      
      Cc: <stable@vger.kernel.org> # v3.5
      Cc: Ming Lei <ming.lei@canonical.com>
      Cc: Oliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      85e87870
    • Thomas Graf's avatar
      sctp: Don't charge for data in sndbuf again when transmitting packet · 4c3a5bda
      Thomas Graf authored
      SCTP charges wmem_alloc via sctp_set_owner_w() in sctp_sendmsg() and via
      skb_set_owner_w() in sctp_packet_transmit(). If a sender runs out of
      sndbuf it will sleep in sctp_wait_for_sndbuf() and expects to be waken up
      by __sctp_write_space().
      
      Buffer space charged via sctp_set_owner_w() is released in sctp_wfree()
      which calls __sctp_write_space() directly.
      
      Buffer space charged via skb_set_owner_w() is released via sock_wfree()
      which calls sk->sk_write_space() _if_ SOCK_USE_WRITE_QUEUE is not set.
      sctp_endpoint_init() sets SOCK_USE_WRITE_QUEUE on all sockets.
      
      Therefore if sctp_packet_transmit() manages to queue up more than sndbuf
      bytes, sctp_wait_for_sndbuf() will never be woken up again unless it is
      interrupted by a signal.
      
      This could be fixed by clearing the SOCK_USE_WRITE_QUEUE flag but ...
      
      Charging for the data twice does not make sense in the first place, it
      leads to overcharging sndbuf by a factor 2. Therefore this patch only
      charges a single byte in wmem_alloc when transmitting an SCTP packet to
      ensure that the socket stays alive until the packet has been released.
      
      This means that control chunks are no longer accounted for in wmem_alloc
      which I believe is not a problem as skb->truesize will typically lead
      to overcharging anyway and thus compensates for any control overhead.
      Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
      CC: Vlad Yasevich <vyasevic@redhat.com>
      CC: Neil Horman <nhorman@tuxdriver.com>
      CC: David Miller <davem@davemloft.net>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c3a5bda
    • Eric Dumazet's avatar
      net: sock_edemux() should take care of timewait sockets · e812347c
      Eric Dumazet authored
      sock_edemux() can handle either a regular socket or a timewait socket
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e812347c
  4. 02 Sep, 2012 5 commits
    • Joe Stringer's avatar
      openvswitch: Fix typo · 39855b5b
      Joe Stringer authored
      Signed-off-by: default avatarJoe Stringer <joe@wand.net.nz>
      Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
      39855b5b
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 5b716ac7
      Linus Torvalds authored
      Pull CIFS fixes from Steve French.
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: Fix cifs_do_create error hadnling
        cifs: print error code if smb signature verification fails
        CIFS: Fix log messages in packet checking for SMB2
        CIFS: Protect i_nlink from being negative
      5b716ac7
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0b1a34c9
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) NLA_PUT* --> nla_put_* conversion got one case wrong in
          nfnetlink_log, fix from Patrick McHardy.
      
       2) Missed error return check in ipw2100 driver, from Julia Lawall.
      
       3) PMTU updates in ipv4 were setting the expiry time incorrectly, fix
          from Eric Dumazet.
      
       4) SFC driver erroneously reversed src and dst when reporting filters
          via ethtool.
      
       5) Memory leak in CAN protocol and wrong setting of IRQF_SHARED in
          sja1000 can platform driver, from Alexey Khoroshilov and Sven
          Schmitt.
      
       6) Fix multicast traffic scaling regression in ipv4_dst_destroy, only
          take the lock when we really need to.  From Eric Dumazet.
      
       7) Fix non-root process spoofing in netlink, from Pablo Neira Ayuso.
      
       8) CWND reduction in TCP is done incorrectly during non-SACK recovery,
          fix from Yuchung Cheng.
      
       9) Revert netpoll change, and fix what was actually a driver specific
          problem.  From Amerigo Wang.  This should cure bootup hangs with
          netconsole some people reported.
      
      10) Fix xen-netfront invoking __skb_fill_page_desc() with a NULL page
          pointer.  From Ian Campbell.
      
      11) SIP NAT fix for expectiontation creation, from Pablo Neira Ayuso.
      
      12) __ip_rt_update_pmtu() needs RCU locking, from Eric Dumazet.
      
      13) Fix usbnet deadlock on resume, can't use GFP_KERNEL in this
          situation.  From Oliver Neukum.
      
      14) The davinci ethernet driver triggers an OOPS on removal because it
          frees an MDIO object before unregistering it.  Fix from Bin Liu.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        net: qmi_wwan: add several new Gobi devices
        fddi: 64 bit bug in smt_add_para()
        net: ethernet: fix kernel OOPS when remove davinci_mdio module
        net/xfrm/xfrm_state.c: fix error return code
        net: ipv6: fix error return code
        net: qmi_wwan: new device: Foxconn/Novatel E396
        usbnet: fix deadlock in resume
        cs89x0 : packet reception not working
        netfilter: nf_conntrack: fix racy timer handling with reliable events
        bnx2x: Correct the ndo_poll_controller call
        bnx2x: Move netif_napi_add to the open call
        ipv4: must use rcu protection while calling fib_lookup
        bnx2x: fix 57840_MF pci id
        net: ipv4: ipmr_expire_timer causes crash when removing net namespace
        e1000e: DoS while TSO enabled caused by link partner with small MSS
        l2tp: avoid to use synchronize_rcu in tunnel free function
        gianfar: fix default tx vlan offload feature flag
        netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation
        xen-netfront: use __pskb_pull_tail to ensure linear area is big enough on RX
        netfilter: nfnetlink_log: fix error return code in init path
        ...
      0b1a34c9
    • Bjørn Mork's avatar
      net: qmi_wwan: add several new Gobi devices · 50022005
      Bjørn Mork authored
      Gobi devices are composite, needing both the qcserial and
      qmi_wwan drivers to support all functions.  Re-syncing the
      list of supported devices with qcserial.
      
      Cc: Aleksander Morgado <aleksander@lanedo.com>
      Cc: Thomas Tuttle <ttuttle@chromium.org>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@tempietto.lan>
      50022005
    • Dan Carpenter's avatar
      fddi: 64 bit bug in smt_add_para() · e1b2aa7f
      Dan Carpenter authored
      The intent was to set 4 bytes of data so that's why the sp_len is set
      to 4 on the next line.  The cast to u_long pointer clears 8 bytes
      on 64 bit arches.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@tempietto.lan>
      e1b2aa7f
  5. 01 Sep, 2012 5 commits
  6. 31 Aug, 2012 8 commits
  7. 30 Aug, 2012 6 commits
    • Merav Sicron's avatar
      bnx2x: Correct the ndo_poll_controller call · 14a15d61
      Merav Sicron authored
      This patch correct poll_bnx2x (ndo_poll_controller call) which was not
      functioning well with MSI-X.
      Signed-off-by: default avatarMerav Sicron <meravs@broadcom.com>
      Signed-off-by: default avatarDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14a15d61
    • Merav Sicron's avatar
      bnx2x: Move netif_napi_add to the open call · 26614ba5
      Merav Sicron authored
      Move netif_napi_add for all queues from the probe call to the open call, to
      avoid the case that napi objects are added for queues that may eventually not
      be initialized and activated. With the former behavior, the driver could crash
      when netpoll was calling ndo_poll_controller.
      Signed-off-by: default avatarMerav Sicron <meravs@broadcom.com>
      Signed-off-by: default avatarDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26614ba5
    • Eric Dumazet's avatar
      ipv4: must use rcu protection while calling fib_lookup · c5ae7d41
      Eric Dumazet authored
      Following lockdep splat was reported by Pavel Roskin :
      
      [ 1570.586223] ===============================
      [ 1570.586225] [ INFO: suspicious RCU usage. ]
      [ 1570.586228] 3.6.0-rc3-wl-main #98 Not tainted
      [ 1570.586229] -------------------------------
      [ 1570.586231] /home/proski/src/linux/net/ipv4/route.c:645 suspicious rcu_dereference_check() usage!
      [ 1570.586233]
      [ 1570.586233] other info that might help us debug this:
      [ 1570.586233]
      [ 1570.586236]
      [ 1570.586236] rcu_scheduler_active = 1, debug_locks = 0
      [ 1570.586238] 2 locks held by Chrome_IOThread/4467:
      [ 1570.586240]  #0:  (slock-AF_INET){+.-...}, at: [<ffffffff814f2c0c>] release_sock+0x2c/0xa0
      [ 1570.586253]  #1:  (fnhe_lock){+.-...}, at: [<ffffffff815302fc>] update_or_create_fnhe+0x2c/0x270
      [ 1570.586260]
      [ 1570.586260] stack backtrace:
      [ 1570.586263] Pid: 4467, comm: Chrome_IOThread Not tainted 3.6.0-rc3-wl-main #98
      [ 1570.586265] Call Trace:
      [ 1570.586271]  [<ffffffff810976ed>] lockdep_rcu_suspicious+0xfd/0x130
      [ 1570.586275]  [<ffffffff8153042c>] update_or_create_fnhe+0x15c/0x270
      [ 1570.586278]  [<ffffffff815305b3>] __ip_rt_update_pmtu+0x73/0xb0
      [ 1570.586282]  [<ffffffff81530619>] ip_rt_update_pmtu+0x29/0x90
      [ 1570.586285]  [<ffffffff815411dc>] inet_csk_update_pmtu+0x2c/0x80
      [ 1570.586290]  [<ffffffff81558d1e>] tcp_v4_mtu_reduced+0x2e/0xc0
      [ 1570.586293]  [<ffffffff81553bc4>] tcp_release_cb+0xa4/0xb0
      [ 1570.586296]  [<ffffffff814f2c35>] release_sock+0x55/0xa0
      [ 1570.586300]  [<ffffffff815442ef>] tcp_sendmsg+0x4af/0xf50
      [ 1570.586305]  [<ffffffff8156fc60>] inet_sendmsg+0x120/0x230
      [ 1570.586308]  [<ffffffff8156fb40>] ? inet_sk_rebuild_header+0x40/0x40
      [ 1570.586312]  [<ffffffff814f4bdd>] ? sock_update_classid+0xbd/0x3b0
      [ 1570.586315]  [<ffffffff814f4c50>] ? sock_update_classid+0x130/0x3b0
      [ 1570.586320]  [<ffffffff814ec435>] do_sock_write+0xc5/0xe0
      [ 1570.586323]  [<ffffffff814ec4a3>] sock_aio_write+0x53/0x80
      [ 1570.586328]  [<ffffffff8114bc83>] do_sync_write+0xa3/0xe0
      [ 1570.586332]  [<ffffffff8114c5a5>] vfs_write+0x165/0x180
      [ 1570.586335]  [<ffffffff8114c805>] sys_write+0x45/0x90
      [ 1570.586340]  [<ffffffff815d2722>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarPavel Roskin <proski@gnu.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5ae7d41
    • Yuval Mintz's avatar
      bnx2x: fix 57840_MF pci id · 5c879d20
      Yuval Mintz authored
      Commit c3def943 have added support for
      new pci ids of the 57840 board, while failing to change the obsolete value
      in 'pci_ids.h'.
      This patch does so, allowing the probe of such devices.
      Signed-off-by: default avatarYuval Mintz <yuvalmin@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c879d20
    • Francesco Ruggeri's avatar
      net: ipv4: ipmr_expire_timer causes crash when removing net namespace · acbb219d
      Francesco Ruggeri authored
      When tearing down a net namespace, ipv4 mr_table structures are freed
      without first deactivating their timers. This can result in a crash in
      run_timer_softirq.
      This patch mimics the corresponding behaviour in ipv6.
      Locking and synchronization seem to be adequate.
      We are about to kfree mrt, so existing code should already make sure that
      no other references to mrt are pending or can be created by incoming traffic.
      The functions invoked here do not cause new references to mrt or other
      race conditions to be created.
      Invoking del_timer_sync guarantees that ipmr_expire_timer is inactive.
      Both ipmr_expire_process (whose completion we may have to wait in
      del_timer_sync) and mroute_clean_tables internally use mfc_unres_lock
      or other synchronizations when needed, and they both only modify mrt.
      
      Tested in Linux 3.4.8.
      Signed-off-by: default avatarFrancesco Ruggeri <fruggeri@aristanetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acbb219d
    • Bruce Allan's avatar
      e1000e: DoS while TSO enabled caused by link partner with small MSS · d821a4c4
      Bruce Allan authored
      With a low enough MSS on the link partner and TSO enabled locally, the
      networking stack can periodically send a very large (e.g.  64KB) TCP
      message for which the driver will attempt to use more Tx descriptors than
      are available by default in the Tx ring.  This is due to a workaround in
      the code that imposes a limit of only 4 MSS-sized segments per descriptor
      which appears to be a carry-over from the older e1000 driver and may be
      applicable only to some older PCI or PCIx parts which are not supported in
      e1000e.  When the driver gets a message that is too large to fit across the
      configured number of Tx descriptors, it stops the upper stack from queueing
      any more and gets stuck in this state.  After a timeout, the upper stack
      assumes the adapter is hung and calls the driver to reset it.
      
      Remove the unnecessary limitation of using up to only 4 MSS-sized segments
      per Tx descriptor, and put in a hard failure test to catch when attempting
      to check for message sizes larger than would fit in the whole Tx ring.
      Refactor the remaining logic that limits the size of data per Tx descriptor
      from a seemingly arbitrary 8KB to a limit based on the dynamic size of the
      Tx packet buffer as described in the hardware specification.
      
      Also, fix the logic in the check for space in the Tx ring for the next
      largest possible packet after the current one has been successfully queued
      for transmit, and use the appropriate defines for default ring sizes in
      e1000_probe instead of magic values.
      
      This issue goes back to the introduction of e1000e in 2.6.24 when it was
      split off from e1000.
      Reported-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Cc: Stable <stable@vger.kernel.org> [2.6.24+]
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d821a4c4