1. 07 Sep, 2012 6 commits
  2. 05 Sep, 2012 3 commits
  3. 04 Sep, 2012 6 commits
    • Eric Dumazet's avatar
      l2tp: fix a typo in l2tp_eth_dev_recv() · c0cc88a7
      Eric Dumazet authored
      
      
      While investigating l2tp bug, I hit a bug in eth_type_trans(),
      because not enough bytes were pulled in skb head.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c0cc88a7
    • David S. Miller's avatar
    • Wu Fengguang's avatar
      i825xx: fix paging fault on znet_probe() · b320e972
      Wu Fengguang authored
      In znet_probe(), strncmp() may access beyond 0x100000 and
      trigger the below oops in kvm.  Fix it by limiting the loop
      under 0x100000-8. I suspect the limit could be further decreased
      to 0x100000-sizeof(struct netidblk), however no datasheet at hand..
      
      [    3.744312] BUG: unable to handle kernel paging request at 80100000
      [    3.746145] IP: [<8119d12a>] strncmp+0xc/0x20
      [    3.747446] *pde = 01d10067 *pte = 00100160
      [    3.747493] Oops: 0000 [#1] DEBUG_PAGEALLOC
      [    3.747493] Pid: 1, comm: swapper Not tainted 3.6.0-rc1-00018-g57bfc0a7
      
       #73 Bochs Bochs
      [    3.747493] EIP: 0060:[<8119d12a>] EFLAGS: 00010206 CPU: 0
      [    3.747493] EIP is at strncmp+0xc/0x20
      [    3.747493] EAX: 800fff4e EBX: 00000006 ECX: 00000006 EDX: 814d2bb9
      [    3.747493] ESI: 80100000 EDI: 814d2bba EBP: 8e03dfa0 ESP: 8e03df98
      [    3.747493]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      [    3.747493] CR0: 8005003b CR2: 80100000 CR3: 016f7000 CR4: 00000690
      [    3.747493] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [    3.747493] DR6: ffff0ff0 DR7: 00000400
      [    3.747493] Process swapper (pid: 1, ti=8e03c000 task=8e040000 task.ti=8e03c000)
      [    3.747493] Stack:
      [    3.747493]  800fffff 00000000 8e03dfb4 816a1376 00000006 816a134a 00000000 8e03dfd0
      [    3.747493]  816819b5 816ed1c0 8e03dfe4 00000006 00000123 816ed604 8e03dfe4 81681b29
      [    3.747493]  00000000 81681a5b 00000000 00000000 8134e542 00000000 00000000 00000000
      [    3.747493] Call Trace:
      [    3.747493]  [<816a1376>] znet_probe+0x2c/0x26b
      [    3.747493]  [<816a134a>] ? dnet_driver_init+0xf/0xf
      [    3.747493]  [<816819b5>] do_one_initcall+0x6a/0x110
      [    3.747493]  [<81681b29>] kernel_init+0xce/0x14b
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b320e972
    • Steffen Klassert's avatar
      xfrm: Workaround incompatibility of ESN and async crypto · 3b59df46
      Steffen Klassert authored
      
      
      ESN for esp is defined in RFC 4303. This RFC assumes that the
      sequence number counters are always up to date. However,
      this is not true if an async crypto algorithm is employed.
      
      If the sequence number counters are not up to date on sequence
      number check, we may incorrectly update the upper 32 bit of
      the sequence number. This leads to a DOS.
      
      We workaround this by comparing the upper sequence number,
      (used for authentication) with the upper sequence number
      computed after the async processing. We drop the packet
      if these numbers are different.
      
      To do this, we introduce a recheck function that does this
      check in the ESN case.
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b59df46
    • Eric Dumazet's avatar
      l2tp: fix a lockdep splat · 37159ef2
      Eric Dumazet authored
      
      
      Fixes following lockdep splat :
      
      [ 1614.734896] =============================================
      [ 1614.734898] [ INFO: possible recursive locking detected ]
      [ 1614.734901] 3.6.0-rc3+ #782 Not tainted
      [ 1614.734903] ---------------------------------------------
      [ 1614.734905] swapper/11/0 is trying to acquire lock:
      [ 1614.734907]  (slock-AF_INET){+.-...}, at: [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.734920]
      [ 1614.734920] but task is already holding lock:
      [ 1614.734922]  (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
      [ 1614.734932]
      [ 1614.734932] other info that might help us debug this:
      [ 1614.734935]  Possible unsafe locking scenario:
      [ 1614.734935]
      [ 1614.734937]        CPU0
      [ 1614.734938]        ----
      [ 1614.734940]   lock(slock-AF_INET);
      [ 1614.734943]   lock(slock-AF_INET);
      [ 1614.734946]
      [ 1614.734946]  *** DEADLOCK ***
      [ 1614.734946]
      [ 1614.734949]  May be due to missing lock nesting notation
      [ 1614.734949]
      [ 1614.734952] 7 locks held by swapper/11/0:
      [ 1614.734954]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff81592801>] __netif_receive_skb+0x251/0xd00
      [ 1614.734964]  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff815d319c>] ip_local_deliver_finish+0x4c/0x4e0
      [ 1614.734972]  #2:  (rcu_read_lock){.+.+..}, at: [<ffffffff8160d116>] icmp_socket_deliver+0x46/0x230
      [ 1614.734982]  #3:  (slock-AF_INET){+.-...}, at: [<ffffffff815fce23>] tcp_v4_err+0x163/0x6b0
      [ 1614.734989]  #4:  (rcu_read_lock){.+.+..}, at: [<ffffffff815da240>] ip_queue_xmit+0x0/0x680
      [ 1614.734997]  #5:  (rcu_read_lock_bh){.+....}, at: [<ffffffff815d9925>] ip_finish_output+0x135/0x890
      [ 1614.735004]  #6:  (rcu_read_lock_bh){.+....}, at: [<ffffffff81595680>] dev_queue_xmit+0x0/0xe00
      [ 1614.735012]
      [ 1614.735012] stack backtrace:
      [ 1614.735016] Pid: 0, comm: swapper/11 Not tainted 3.6.0-rc3+ #782
      [ 1614.735018] Call Trace:
      [ 1614.735020]  <IRQ>  [<ffffffff810a50ac>] __lock_acquire+0x144c/0x1b10
      [ 1614.735033]  [<ffffffff810a334b>] ? check_usage+0x9b/0x4d0
      [ 1614.735037]  [<ffffffff810a6762>] ? mark_held_locks+0x82/0x130
      [ 1614.735042]  [<ffffffff810a5df0>] lock_acquire+0x90/0x200
      [ 1614.735047]  [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735051]  [<ffffffff810a69ad>] ? trace_hardirqs_on+0xd/0x10
      [ 1614.735060]  [<ffffffff81749b31>] _raw_spin_lock+0x41/0x50
      [ 1614.735065]  [<ffffffffa0209d72>] ? l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735069]  [<ffffffffa0209d72>] l2tp_xmit_skb+0x172/0xa50 [l2tp_core]
      [ 1614.735075]  [<ffffffffa014f7f2>] l2tp_eth_dev_xmit+0x32/0x60 [l2tp_eth]
      [ 1614.735079]  [<ffffffff81595112>] dev_hard_start_xmit+0x502/0xa70
      [ 1614.735083]  [<ffffffff81594c6e>] ? dev_hard_start_xmit+0x5e/0xa70
      [ 1614.735087]  [<ffffffff815957c1>] ? dev_queue_xmit+0x141/0xe00
      [ 1614.735093]  [<ffffffff815b622e>] sch_direct_xmit+0xfe/0x290
      [ 1614.735098]  [<ffffffff81595865>] dev_queue_xmit+0x1e5/0xe00
      [ 1614.735102]  [<ffffffff81595680>] ? dev_hard_start_xmit+0xa70/0xa70
      [ 1614.735106]  [<ffffffff815b4daa>] ? eth_header+0x3a/0xf0
      [ 1614.735111]  [<ffffffff8161d33e>] ? fib_get_table+0x2e/0x280
      [ 1614.735117]  [<ffffffff8160a7e2>] arp_xmit+0x22/0x60
      [ 1614.735121]  [<ffffffff8160a863>] arp_send+0x43/0x50
      [ 1614.735125]  [<ffffffff8160b82f>] arp_solicit+0x18f/0x450
      [ 1614.735132]  [<ffffffff8159d9da>] neigh_probe+0x4a/0x70
      [ 1614.735137]  [<ffffffff815a191a>] __neigh_event_send+0xea/0x300
      [ 1614.735141]  [<ffffffff815a1c93>] neigh_resolve_output+0x163/0x260
      [ 1614.735146]  [<ffffffff815d9cf5>] ip_finish_output+0x505/0x890
      [ 1614.735150]  [<ffffffff815d9925>] ? ip_finish_output+0x135/0x890
      [ 1614.735154]  [<ffffffff815dae79>] ip_output+0x59/0xf0
      [ 1614.735158]  [<ffffffff815da1cd>] ip_local_out+0x2d/0xa0
      [ 1614.735162]  [<ffffffff815da403>] ip_queue_xmit+0x1c3/0x680
      [ 1614.735165]  [<ffffffff815da240>] ? ip_local_out+0xa0/0xa0
      [ 1614.735172]  [<ffffffff815f4402>] tcp_transmit_skb+0x402/0xa60
      [ 1614.735177]  [<ffffffff815f5a11>] tcp_retransmit_skb+0x1a1/0x620
      [ 1614.735181]  [<ffffffff815f7e93>] tcp_retransmit_timer+0x393/0x960
      [ 1614.735185]  [<ffffffff815fce23>] ? tcp_v4_err+0x163/0x6b0
      [ 1614.735189]  [<ffffffff815fd317>] tcp_v4_err+0x657/0x6b0
      [ 1614.735194]  [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
      [ 1614.735199]  [<ffffffff8160d19e>] icmp_socket_deliver+0xce/0x230
      [ 1614.735203]  [<ffffffff8160d116>] ? icmp_socket_deliver+0x46/0x230
      [ 1614.735208]  [<ffffffff8160d464>] icmp_unreach+0xe4/0x2c0
      [ 1614.735213]  [<ffffffff8160e520>] icmp_rcv+0x350/0x4a0
      [ 1614.735217]  [<ffffffff815d3285>] ip_local_deliver_finish+0x135/0x4e0
      [ 1614.735221]  [<ffffffff815d319c>] ? ip_local_deliver_finish+0x4c/0x4e0
      [ 1614.735225]  [<ffffffff815d3ffa>] ip_local_deliver+0x4a/0x90
      [ 1614.735229]  [<ffffffff815d37b7>] ip_rcv_finish+0x187/0x730
      [ 1614.735233]  [<ffffffff815d425d>] ip_rcv+0x21d/0x300
      [ 1614.735237]  [<ffffffff81592a1b>] __netif_receive_skb+0x46b/0xd00
      [ 1614.735241]  [<ffffffff81592801>] ? __netif_receive_skb+0x251/0xd00
      [ 1614.735245]  [<ffffffff81593368>] process_backlog+0xb8/0x180
      [ 1614.735249]  [<ffffffff81593cf9>] net_rx_action+0x159/0x330
      [ 1614.735257]  [<ffffffff810491f0>] __do_softirq+0xd0/0x3e0
      [ 1614.735264]  [<ffffffff8109ed24>] ? tick_program_event+0x24/0x30
      [ 1614.735270]  [<ffffffff8175419c>] call_softirq+0x1c/0x30
      [ 1614.735278]  [<ffffffff8100425d>] do_softirq+0x8d/0xc0
      [ 1614.735282]  [<ffffffff8104983e>] irq_exit+0xae/0xe0
      [ 1614.735287]  [<ffffffff8175494e>] smp_apic_timer_interrupt+0x6e/0x99
      [ 1614.735291]  [<ffffffff81753a1c>] apic_timer_interrupt+0x6c/0x80
      [ 1614.735293]  <EOI>  [<ffffffff810a14ad>] ? trace_hardirqs_off+0xd/0x10
      [ 1614.735306]  [<ffffffff81336f85>] ? intel_idle+0xf5/0x150
      [ 1614.735310]  [<ffffffff81336f7e>] ? intel_idle+0xee/0x150
      [ 1614.735317]  [<ffffffff814e6ea9>] cpuidle_enter+0x19/0x20
      [ 1614.735321]  [<ffffffff814e7538>] cpuidle_idle_call+0xa8/0x630
      [ 1614.735327]  [<ffffffff8100c1ba>] cpu_idle+0x8a/0xe0
      [ 1614.735333]  [<ffffffff8173762e>] start_secondary+0x220/0x222
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37159ef2
    • Alan Cox's avatar
      netrom: copy_datagram_iovec can fail · 6cf5c951
      Alan Cox authored
      
      
      Check for an error from this and if so bail properly.
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cf5c951
  4. 03 Sep, 2012 7 commits
    • Jesse Gross's avatar
      openvswitch: Fix FLOW_BUFSIZE definition. · c303aa94
      Jesse Gross authored
      
      
      The vlan encapsulation fields in the maximum flow defintion were
      never updated when the representation changed before upstreaming.
      In theory this could cause a kernel panic when a maximum length
      flow is used.  In practice this has never happened (to my knowledge)
      because skb allocations are padded out to a cache line so you would
      need the right combination of flow and packet being sent to userspace.
      Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
      c303aa94
    • Wei Yongjun's avatar
      mISDN: fix possible memory leak in hfcmulti_init() · 9fef7685
      Wei Yongjun authored
      hc has been allocated in this function and missing free it before
      leaving from some error handling cases.
      
      spatch with a semantic match is used to found this problem.
      (http://coccinelle.lip6.fr/
      
      )
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fef7685
    • Eric Dumazet's avatar
      fq_codel: dont reinit flow state · b379135c
      Eric Dumazet authored
      
      
      When fq_codel builds a new flow, it should not reset codel state.
      
      Codel algo needs to get previous values (lastcount, drop_next) to get
      proper behavior.
      Signed-off-by: default avatarDave Taht <dave.taht@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarDave Taht <dave.taht@bufferbloat.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b379135c
    • Benoît Locher's avatar
      can: mcp251x: avoid repeated frame bug · cab32f39
      Benoît Locher authored
      
      
      The MCP2515 has a silicon bug causing repeated frame transmission, see section
      5 of MCP2515 Rev. B Silicon Errata Revision G (March 2007).
      
      Basically, setting TXBnCTRL.TXREQ in either SPI mode (00 or 11) will eventually
      cause the bug. The workaround proposed by Microchip is to use mode 00 and send
      a RTS command on the SPI bus to initiate the transmission.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBenoît Locher <Benoit.Locher@skf.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      cab32f39
    • Bjørn Mork's avatar
      net: usbnet: fix softirq storm on suspend · 85e87870
      Bjørn Mork authored
      Suspending an open usbnet device results in constant
      rescheduling of usbnet_bh.
      
      commit 65841fd5
      
       "usbnet: handle remote wakeup asap"
      refactored the usbnet_bh code to allow sharing the
      urb allocate and submit code with usbnet_resume. In
      this process, a test for, and immediate return on,
      ENOLINK from rx_submit was unintentionally dropped.
      
      The rx queue will not grow if rx_submit fails,
      making usbnet_bh reschedule itself.  This results
      in a softirq storm if the error is persistent.
      rx_submit translates the usb_submit_urb error
      EHOSTUNREACH into ENOLINK, so this is an expected
      and persistent error for a suspended device. The
      old code tested for this condition and avoided
      rescheduling.  Putting this test back.
      
      Cc: <stable@vger.kernel.org> # v3.5
      Cc: Ming Lei <ming.lei@canonical.com>
      Cc: Oliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      85e87870
    • Thomas Graf's avatar
      sctp: Don't charge for data in sndbuf again when transmitting packet · 4c3a5bda
      Thomas Graf authored
      
      
      SCTP charges wmem_alloc via sctp_set_owner_w() in sctp_sendmsg() and via
      skb_set_owner_w() in sctp_packet_transmit(). If a sender runs out of
      sndbuf it will sleep in sctp_wait_for_sndbuf() and expects to be waken up
      by __sctp_write_space().
      
      Buffer space charged via sctp_set_owner_w() is released in sctp_wfree()
      which calls __sctp_write_space() directly.
      
      Buffer space charged via skb_set_owner_w() is released via sock_wfree()
      which calls sk->sk_write_space() _if_ SOCK_USE_WRITE_QUEUE is not set.
      sctp_endpoint_init() sets SOCK_USE_WRITE_QUEUE on all sockets.
      
      Therefore if sctp_packet_transmit() manages to queue up more than sndbuf
      bytes, sctp_wait_for_sndbuf() will never be woken up again unless it is
      interrupted by a signal.
      
      This could be fixed by clearing the SOCK_USE_WRITE_QUEUE flag but ...
      
      Charging for the data twice does not make sense in the first place, it
      leads to overcharging sndbuf by a factor 2. Therefore this patch only
      charges a single byte in wmem_alloc when transmitting an SCTP packet to
      ensure that the socket stays alive until the packet has been released.
      
      This means that control chunks are no longer accounted for in wmem_alloc
      which I believe is not a problem as skb->truesize will typically lead
      to overcharging anyway and thus compensates for any control overhead.
      Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
      CC: Vlad Yasevich <vyasevic@redhat.com>
      CC: Neil Horman <nhorman@tuxdriver.com>
      CC: David Miller <davem@davemloft.net>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c3a5bda
    • Eric Dumazet's avatar
      net: sock_edemux() should take care of timewait sockets · e812347c
      Eric Dumazet authored
      
      
      sock_edemux() can handle either a regular socket or a timewait socket
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e812347c
  5. 02 Sep, 2012 3 commits
    • Joe Stringer's avatar
      openvswitch: Fix typo · 39855b5b
      Joe Stringer authored
      
      Signed-off-by: default avatarJoe Stringer <joe@wand.net.nz>
      Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
      39855b5b
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 5b716ac7
      Linus Torvalds authored
      Pull CIFS fixes from Steve French.
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: Fix cifs_do_create error hadnling
        cifs: print error code if smb signature verification fails
        CIFS: Fix log messages in packet checking for SMB2
        CIFS: Protect i_nlink from being negative
      5b716ac7
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0b1a34c9
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) NLA_PUT* --> nla_put_* conversion got one case wrong in
          nfnetlink_log, fix from Patrick McHardy.
      
       2) Missed error return check in ipw2100 driver, from Julia Lawall.
      
       3) PMTU updates in ipv4 were setting the expiry time incorrectly, fix
          from Eric Dumazet.
      
       4) SFC driver erroneously reversed src and dst when reporting filters
          via ethtool.
      
       5) Memory leak in CAN protocol and wrong setting of IRQF_SHARED in
          sja1000 can platform driver, from Alexey Khoroshilov and Sven
          Schmitt.
      
       6) Fix multicast traffic scaling regression in ipv4_dst_destroy, only
          take the lock when we really need to.  From Eric Dumazet.
      
       7) Fix non-root process spoofing in netlink, from Pablo Neira Ayuso.
      
       8) CWND reduction in TCP is done incorrectly during non-SACK recovery,
          fix from Yuchung Cheng.
      
       9) Revert netpoll change, and fix what was actually a driver specific
          problem.  From Amerigo Wang.  This should cure bootup hangs with
          netconsole some people reported.
      
      10) Fix xen-netfront invoking __skb_fill_page_desc() with a NULL page
          pointer.  From Ian Campbell.
      
      11) SIP NAT fix for expectiontation creation, from Pablo Neira Ayuso.
      
      12) __ip_rt_update_pmtu() needs RCU locking, from Eric Dumazet.
      
      13) Fix usbnet deadlock on resume, can't use GFP_KERNEL in this
          situation.  From Oliver Neukum.
      
      14) The davinci ethernet driver triggers an OOPS on removal because it
          frees an MDIO object before unregistering it.  Fix from Bin Liu.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        net: qmi_wwan: add several new Gobi devices
        fddi: 64 bit bug in smt_add_para()
        net: ethernet: fix kernel OOPS when remove davinci_mdio module
        net/xfrm/xfrm_state.c: fix error return code
        net: ipv6: fix error return code
        net: qmi_wwan: new device: Foxconn/Novatel E396
        usbnet: fix deadlock in resume
        cs89x0 : packet reception not working
        netfilter: nf_conntrack: fix racy timer handling with reliable events
        bnx2x: Correct the ndo_poll_controller call
        bnx2x: Move netif_napi_add to the open call
        ipv4: must use rcu protection while calling fib_lookup
        bnx2x: fix 57840_MF pci id
        net: ipv4: ipmr_expire_timer causes crash when removing net namespace
        e1000e: DoS while TSO enabled caused by link partner with small MSS
        l2tp: avoid to use synchronize_rcu in tunnel free function
        gianfar: fix default tx vlan offload feature flag
        netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation
        xen-netfront: use __pskb_pull_tail to ensure linear area is big enough on RX
        netfilter: nfnetlink_log: fix error return code in init path
        ...
      0b1a34c9
  6. 01 Sep, 2012 4 commits
  7. 31 Aug, 2012 11 commits