17 Nov, 2012

5 commits

  • John W. Linville says:

    ====================
    This batch of fixes is intended for the 3.7 stream...

    This includes a pull of the Bluetooth tree. Gustavo says:

    "A few important fixes to go into 3.7. There is new hw support by Marcos
    Chaparro. Johan added a memory leak fix and hci device index list fix.
    Also Marcel fixed a race condition in the device set up that was preventing the
    bt monitor from working properly. Last, Paulo Sérgio added a fix to the error
    status when pairing for LE fails. This was preventing userspace from handling
    the failure properly."

    Regarding the mac80211 pull, Johannes says:

    "I have a locking fix for some SKB queues, a variable initialization to
    avoid crashes in a certain failure case, another free_txskb fix from
    Felix and another fix from him to avoid calling a stopped driver, a fix
    for a (very unlikely) memory leak and a fix to not send null data
    packets when resuming while not associated."

    Regarding the iwlwifi pull, Johannes says:

    "Two more fixes for iwlwifi ... one to use ieee80211_free_txskb(), and
    one to check DMA mapping errors, please pull."

    On top of that, Johannes also included a wireless regulatory fix
    to allow 40 MHz on channels 12 and 13 in world roaming mode. Also,
    Hauke Mehrtens fixes a #ifdef typo in brcmfmac.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • In commit c445477d74ab3779 which adds aRFS to the kernel, the CPU
    selected for RFS is not set correctly when CPU is changing.
    This is causing OOO packets and probably other issues.

    Signed-off-by: Tom Herbert
    Acked-by: Eric Dumazet
    Acked-by: Ben Hutchings
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • Included fixes are:
    - update the client entry status flags when using the "early client
    detection". This makes the Distributed AP isolation work correctly;
    - transfer the client entry status flags when recovering the translation
    table from another node. This makes the Distributed AP isolation work
    correctly;
    - prevent the "early client detection mechanism" from adding clients belonging to
    other backbone nodes in the same LAN. This breaks connectivity when using this
    mechanism together with the Bridge Loop Avoidance;
    - process broadcast packets with the Bridge Loop Avoidance before any other
    component. BLA can possibly drop the packets based on the source address. This
    makes the "early client detection mechanism" work correctly when used with
    BLA.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • order-5 allocations can fail with current kernels, we should
    try vmalloc() as well.

    Reported-by: Julien Tinnes
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • …wireless into for-davem

    John W. Linville
     

16 Nov, 2012

7 commits

  • The logic in the BLA mechanism may decide to drop broadcast packets
    because the node may still be in the setup phase. For this reason,
    further broadcast processing like the early client detection mechanism
    must be done only after the BLA check.

    This patch moves the invocation to BLA before any other broadcast
    processing.

    This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59
    ("batman-adv: detect not yet announced clients")

    Reported-by: Glen Page
    Signed-off-by: Simon Wunderlich
    Signed-off-by: Antonio Quartulli
    Signed-off-by: Marek Lindner

    Antonio Quartulli
     
  • The "early client detection" mechanism must not add clients belonging
    to other backbone nodes. Such clients must be reached by directly
    using the LAN instead of the mesh.

    This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59
    ("batman-adv: detect not yet announced clients")

    Reported-by: Glen Page
    Signed-off-by: Antonio Quartulli
    Signed-off-by: Marek Lindner

    Antonio Quartulli
     
  • When a TT response with the full table is sent, the client flags
    should be sent as well. This patch fixes the flags assignment when
    populating the tt_response to send back.

    This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59
    ("batman-adv: detect not yet announced clients")

    Signed-off-by: Antonio Quartulli
    Signed-off-by: Marek Lindner

    Antonio Quartulli
     
  • Flags carried by a change_entry have to be always copied into the
    client entry as they may contain important attributes (e.g.
    TT_CLIENT_WIFI).

    For instance, a client added by means of the "early detection
    mechanism" has no flag set at the beginning, so they must be updated once the
    proper ADD event is received.

    This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59
    ("batman-adv: detect not yet announced clients")

    Signed-off-by: Antonio Quartulli
    Signed-off-by: Marek Lindner

    Antonio Quartulli
     
  • Check (ha->addr == dev->dev_addr) is always true because dev_addr_init()
    sets this. Correct the check to behave properly on addr removal.

    Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Jiri Pirko
     
  • Currently if a socket was repaired with a few packets in a write queue,
    a kernel bug may be triggered:

    kernel BUG at net/ipv4/tcp_output.c:2330!
    RIP: 0010:[] tcp_retransmit_skb+0x5ff/0x610

    According to the initial realization v3.4-rc2-963-gc0e88ff,
    all skb-s should look like already posted. This patch fixes code
    according with this sentence.

    Here are three points, which were not done in the initial patch:
    1. A tcp send head should not be changed
    2. Initialize TSO state of a skb
    3. Reset the retransmission time

    This patch moves logic from tcp_sendmsg to tcp_write_xmit. A packet
    passes the usual way, but isn't sent to network. This patch solves
    all described problems and handles tcp_sendpages.

    Cc: Pavel Emelyanov
    Cc: "David S. Miller"
    Cc: Alexey Kuznetsov
    Cc: James Morris
    Cc: Hideaki YOSHIFUJI
    Cc: Patrick McHardy
    Signed-off-by: Andrey Vagin
    Acked-by: Pavel Emelyanov
    Signed-off-by: David S. Miller

    Andrew Vagin
     
  • Commit 13d782f ("sctp: Make the proc files per network namespace.")
    changed the /proc/net/sctp/ struct file_operations opener functions to
    use single_open_net() and seq_open_net().

    Avoid leaking memory by using single_release_net() and seq_release_net()
    as the release functions.

    Discovered with Trinity (the syscall fuzzer).

    Signed-off-by: Tommi Rantala
    Acked-by: Neil Horman
    Cc: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Tommi Rantala
     

15 Nov, 2012

3 commits


14 Nov, 2012

2 commits


12 Nov, 2012

2 commits


11 Nov, 2012

2 commits

  • Pull networking fixes from David Miller:
    "Bug fixes galore, mostly in drivers as is often the case:

    1) USB gadget and cdc_eem drivers need adjustments to their frame size
    lengths in order to handle VLANs correctly. From Ian Coolidge.

    2) TIPC and several network drivers erroneously call tasklet_disable
    before tasklet_kill, fix from Xiaotian Feng.

    3) r8169 driver needs to apply the WOL suspend quirk to more chipsets,
    fix from Cyril Brulebois.

    4) Fix multicast filters on RTL_GIGA_MAC_VER_35 r8169 chips, from
    Nathan Walp.

    5) FDB netlink dumps should use RTM_NEWNEIGH as the message type, not
    zero. From John Fastabend.

    6) Fix smsc95xx tx checksum offload on big-endian, from Steve
    Glendinning.

    7) __inet_diag_dump() needs to respect and report the error value
    returned from inet_diag_lock_handler() rather than ignore it.
    Otherwise if an inet diag handler is not available for a particular
    protocol, we essentially report success instead of giving an error
    indication. Fix from Cyrill Gorcunov.

    8) When the QFQ packet scheduler sees TSO/GSO packets it does not
    handle things properly, and in fact ends up corrupting its
    datastructures as well as mis-scheduling packets. Fix from Paolo
    Valente.

    9) Fix oopser in skb_loop_sk(), from Eric Leblond.

    10) CXGB4 passes partially uninitialized datastructures in to FW
    commands, fix from Vipul Pandya.

    11) When we send unsolicited ipv6 neighbour advertisements, we should
    send them to the link-local allnodes multicast address, as per
    RFC4861. Fix from Hannes Frederic Sowa.

    12) There is some kind of bug in the usbnet's kevent deferral
    mechanism, but more immediately when it triggers an uncontrolled
    stream of kernel messages spam the log. Rate limit the error log
    message triggered when this problem occurs, as sending thousands
    of error messages into the kernel log doesn't help matters at all,
    and in fact makes further diagnosis more difficult.

    From Steve Glendinning.

    13) Fix gianfar restore from hibernation, from Wang Dongsheng.

    14) The netlink message attribute sizes are wrong in the ipv6 GRE
    driver, it was using the size of ipv4 addresses instead of ipv6
    ones :-) Fix from Nicolas Dichtel."

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
    gre6: fix rtnl dump messages
    gianfar: ethernet vanishes after restoring from hibernation
    usbnet: ratelimit kevent may have been dropped warnings
    ipv6: send unsolicited neighbour advertisements to all-nodes
    net: usb: cdc_eem: Fix rx skb allocation for 802.1Q VLANs
    usb: gadget: g_ether: fix frame size check for 802.1Q
    cxgb4: Fix initialization of SGE_CONTROL register
    isdn: Make CONFIG_ISDN depend on CONFIG_NETDEVICES
    cxgb4: Initialize data structures before using.
    af-packet: fix oops when socket is not present
    pkt_sched: enable QFQ to support TSO/GSO
    net: inet_diag -- Return error code if protocol handler is missed
    net: bnx2x: Fix typo in bnx2x driver
    smsc95xx: fix tx checksum offload for big endian
    rtnetlink: Use nlmsg type RTM_NEWNEIGH from dflt fdb dump
    ptp: update adjfreq callback description
    r8169: allow multicast packets on sub-8168f chipset.
    r8169: Fix WoL on RTL8168d/8111d.
    drivers/net: use tasklet_kill in device remove/close process
    tipc: do not use tasklet_disable before tasklet_kill

    Linus Torvalds
     
  • Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs.

    Signed-off-by: Felix Fietkau
    Cc: stable@vger.kernel.org
    Signed-off-by: Johannes Berg

    Felix Fietkau
     

10 Nov, 2012

3 commits


09 Nov, 2012

5 commits

  • When removing a UUID from the list in the remove_uuid() function we must
    also kfree the entry in addition to removing it from the list.

    Signed-off-by: Johan Hedberg
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan

    Johan Hedberg
     
  • It is important that the monitor interface gets notified about
    a new device before its power on procedure has been started.

    For some reason that is no longer working as expected and the power
    on procedure runs first. It is safe to just notify about device
    registration and trigger the power on procedure afterwards.

    Signed-off-by: Marcel Holtmann
    Acked-by: Johan Hedberg
    Signed-off-by: Gustavo Padovan

    Marcel Holtmann
     
  • When pairing fails due to wrong confirm value, the management layer
    doesn't report a proper error status. It sends
    MGMT_STATUS_CONNECT_FAILED instead of MGMT_STATUS_AUTH_FAILED.

    Most management functions that receive a status as a parameter
    expect it to be encoded as an HCI status. But when an SMP pairing
    fails, the SMP layer sends the SMP reason as the error status to the
    management layer.

    This commit maps all SMP reasons to HCI_ERROR_AUTH_FAILURE, which will
    be converted to MGMT_STATUS_AUTH_FAILED in the management layer.

    Reported-by: Claudio Takahasi
    Reviewed-by: João Paulo Rechi Vita
    Signed-off-by: Paulo Sérgio
    Signed-off-by: Gustavo Padovan

    Paulo Sérgio
     
  • The mgmt_read_index_list uses one loop to calculate the max needed size
    of its response with the help of an upper-bound of the controller count.
    The second loop is more strict as it checks for HCI_SETUP (which might
    have gotten set after the first loop) and could result in some indexes
    being skipped. Because of this the function needs to readjust the event
    length and index count after filling in the response array.

    Signed-off-by: Johan Hedberg
    Cc: stable@vger.kernel.org
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan

    Johan Hedberg
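
The two-loop sizing problem described in the commit message above, as an added example that is not part of the commit and is not kernel code: a userspace model with constructed structures (`struct ctrl`, `struct index_rsp`, `build_index_rsp` and `run_case` are hypothetical names) showing what the reply reports with and without readjusting the length and count after the second loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for illustration; not the kernel's structures. */
struct ctrl {
    uint16_t id;
    int in_setup;            /* plays the role of the HCI_SETUP flag */
};

struct index_rsp {
    uint16_t num;            /* entry count the reader will trust */
    uint16_t index[];        /* controller ids */
};

/*
 * Build the reply and return the length that would be sent.
 * readjust == 0 keeps the sizes from the first loop (the defect);
 * readjust != 0 recomputes them from what the second loop wrote.
 */
static size_t build_index_rsp(struct ctrl *c, size_t n, int readjust,
                              struct index_rsp **out)
{
    size_t count = n;        /* loop 1: upper bound only (list walk elided) */
    size_t len = sizeof(struct index_rsp) + count * sizeof(uint16_t);
    struct index_rsp *rsp = malloc(len);
    size_t i, filled = 0;

    if (!rsp)
        return 0;
    memset(rsp, 0xAA, len);  /* visible stand-in for stale heap bytes */
    rsp->num = (uint16_t)count;

    if (n > 1)
        c[1].in_setup = 1;   /* simulated: flag gets set after sizing */

    for (i = 0; i < n; i++) {        /* loop 2: stricter filter */
        if (c[i].in_setup)
            continue;
        rsp->index[filled++] = c[i].id;
    }

    if (readjust) {          /* shrink count and length to what was filled */
        rsp->num = (uint16_t)filled;
        len = sizeof(struct index_rsp) + filled * sizeof(uint16_t);
    }
    *out = rsp;
    return len;
}

/* Run one scenario with three constructed controllers (ids 0, 1, 2). */
static size_t run_case(int readjust, uint16_t *num, uint16_t *last_slot)
{
    struct ctrl c[3] = { {0, 0}, {1, 0}, {2, 0} };
    struct index_rsp *rsp = NULL;
    size_t len = build_index_rsp(c, 3, readjust, &rsp);

    if (!rsp)
        return 0;
    *num = rsp->num;
    *last_slot = rsp->index[2];      /* inside the allocation in both cases */
    free(rsp);
    return len;
}

int main(void)
{
    uint16_t num = 0, slot = 0;
    size_t len = run_case(0, &num, &slot);
    printf("no readjust: len=%zu num=%u slot[2]=0x%04x\n", len, num, slot);
    len = run_case(1, &num, &slot);
    printf("readjusted:  len=%zu num=%u\n", len, num);
    return 0;
}
```

Without the readjustment the reply claims three entries and its last slot still holds the fill pattern, so a reader would parse bytes that were never written.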
     
  • If the cipher suites need to be allocated, but this
    allocation fails, this leaks the internal scan request.
    Fix that by going to the correct error handling label.

    Signed-off-by: Johannes Berg

    Johannes Berg
     

08 Nov, 2012

2 commits

  • Due to a NULL dereference, the following patch is causing oops
    in normal traffic condition:

    commit c0de08d04215031d68fa13af36f347a6cfa252ca
    Author: Eric Leblond
    Date:   Thu Aug 16 22:02:58 2012 +0000

        af_packet: don't emit packet on orig fanout group

    This buggy patch was a feature fix and has reached most stable
    branches.

    When skb->sk is NULL and when packet fanout is used, there is a
    crash in match_fanout_group where skb->sk is accessed.
    This patch fixes the issue by returning false as soon as the
    socket is NULL: this corresponds to the wanted behavior because
    the kernel has to resend the skb to all the listening sockets in
    this case.

    Signed-off-by: Eric Leblond
    Signed-off-by: David S. Miller

    Eric Leblond
     
  • If the max packet size for some class (configured through tc) is
    violated by the actual size of the packets of that class, then QFQ
    would not schedule classes correctly, and the data structures
    implementing the bucket lists may get corrupted. This problem occurs
    with TSO/GSO even if the max packet size is set to the MTU, and is,
    e.g., the cause of the failure reported in [1]. Two patches have been
    proposed to solve this problem in [2], one of them is a preliminary
    version of this patch.

    This patch addresses the above issues by: 1) setting QFQ parameters to
    proper values for supporting TSO/GSO (in particular, setting the
    maximum possible packet size to 64KB), 2) automatically increasing the
    max packet size for a class, lmax, when a packet with a larger size
    than the current value of lmax arrives.

    The drawback of the first point is that the maximum weight for a class
    is now limited to 4096, which is equal to 1/16 of the maximum weight
    sum.

    Finally, this patch also forcibly caps the timestamps of a class if
    they are too high to be stored in the bucket list. This capping, taken
    from QFQ+ [3], handles the infrequent case described in the comment to
    the function slot_insert.

    [1] http://marc.info/?l=linux-netdev&m=134968777902077&w=2
    [2] http://marc.info/?l=linux-netdev&m=135096573507936&w=2
    [3] http://marc.info/?l=linux-netdev&m=134902691421670&w=2

    Signed-off-by: Paolo Valente
    Tested-by: Cong Wang
    Acked-by: Stephen Hemminger
    Acked-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Paolo Valente
     

05 Nov, 2012

1 commit

  • These are accessed without a lock when ending STA PSM. If the
    sta_cleanup timer accesses these lists at the same time, we might crash.

    This may fix some mysterious crashes we had during
    ieee80211_sta_ps_deliver_wakeup.

    Cc: stable@vger.kernel.org
    Signed-off-by: Arik Nemtsov
    Signed-off-by: Ido Yariv
    Signed-off-by: Johannes Berg

    Arik Nemtsov
     

04 Nov, 2012

4 commits

  • We've observed that if the UDP diag module is not
    supported in the kernel, netlink returns NLMSG_DONE without
    notifying the caller that the handler is missing.

    This patch makes __inet_diag_dump return an error code instead.

    So, for example, it becomes possible to detect such a situation
    and handle it gracefully at the userspace level.

    Signed-off-by: Cyrill Gorcunov
    CC: David Miller
    CC: Eric Dumazet
    CC: Pavel Emelyanov
    Acked-by: Pavel Emelyanov
    Signed-off-by: David S. Miller

    Cyrill Gorcunov
     
  • Pull NFS client bugfixes from Trond Myklebust:

    - Fix a bunch of deadlock situations:
    * State recovery can deadlock if we fail to release sequence ids
    before scheduling the recovery thread.
    * Calling deactivate_super() from an RPC workqueue thread can
    deadlock because of the call to rpc_shutdown_client.

    - Display the device name correctly in /proc/*/mounts

    - Fix a number of incorrect error return values:
    * When NFSv3 mounts fail due to a timeout.
    * On NFSv4.1 backchannel setup failure
    * On NFSv4 open access checks

    - pnfs_find_alloc_layout() must check the layout pointer for NULL

    - Fix a regression in the legacy DNS resolver

    * tag 'nfs-for-3.7-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
    NFS4: nfs4_opendata_access should return errno
    NFSv4: Initialise the NFSv4.1 slot table highest_used_slotid correctly
    SUNRPC: return proper errno from backchannel_rqst
    NFS: add nfs_sb_deactive_async to avoid deadlock
    nfs: Show original device name verbatim in /proc/*/mount{s,info}
    nfsv3: Make v3 mounts fail with ETIMEDOUTs instead EIO on mountd timeouts
    nfs: Check whether a layout pointer is NULL before free it
    NFS: fix bug in legacy DNS resolver.
    NFSv4: nfs4_locku_done must release the sequence id
    NFSv4.1: We must release the sequence id when we fail to get a session slot
    NFS: Wait for session recovery to finish before returning

    Linus Torvalds
     
  • Change the dflt fdb dump handler to use RTM_NEWNEIGH to
    be compatible with bridge dump routines.

    The dump reply from the network driver handlers should
    match the reply from bridge handler. The fact they were
    not in the ixgbe case was effectively a bug. This patch
    resolves it.

    Applications that were not checking the nlmsg type will
    continue to work. And now applications that do check
    the type will work as expected.

    Signed-off-by: John Fastabend
    Signed-off-by: David S. Miller

    John Fastabend
     
  • If tasklet_disable() is called before the related tasklet is handled,
    tasklet_kill will never finish. tasklet_kill is enough.

    Signed-off-by: Xiaotian Feng
    Cc: Jon Maloy
    Cc: Allan Stephens
    Cc: "David S. Miller"
    Cc: netdev@vger.kernel.org
    Cc: tipc-discussion@lists.sourceforge.net
    Signed-off-by: David S. Miller

    Xiaotian Feng
     

03 Nov, 2012

3 commits

  • Pull networking fixes from David Miller:
    "First post-Sandy pull request"

    1) Fix antenna gain handling and initialization of chan->max_reg_power
    in wireless, from Felix Fietkau.

    2) Fix nexthop handling in H.232 conntrack helper, from Julian
    Anastasov.

    3) Only process 80211 mesh config header in certain kinds of frames,
    from Javier Cardona.

    4) 80211 management frame header length needs to be validated, from
    Johannes Berg.

    5) Don't access free'd SKBs in ath9k driver, from Felix Fietkau.

    6) Test for permanent state correctly in VXLAN driver, from Stephen
    Hemminger.

    7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov.

    8) Fix off by one errors in bonding, from Nikolay Aleksandrov.

    9) Fix divide by zero in TCP-Illinois congestion control. From Jesper
    Dangaard Brouer.

    10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a
    sizeof of a sizeof, so you can size your size" Fix from Julian
    Anastasov.

    11) Several drivers do mdiobus_free without first doing an
    mdiobus_unregister leading to stray pointer references. Fix from
    Peter Senna Tschudin.

    12) Fix OOPS in l2tp_eth_create() error path, it's another dangling
    pointer kinda situation. Fix from Tom Parkin.

    13) Hardware driven by the vmxnet driver can't handle larger than 16K
    fragments, so split them up when necessary. From Eric Dumazet.

    14) Handle zero length data length in tcp_send_rcvq() properly. Fix
    from Pavel Emelyanov.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
    tcp-repair: Handle zero-length data put in rcv queue
    vmxnet3: must split too big fragments
    l2tp: fix oops in l2tp_eth_create() error path
    cxgb4: Fix unable to get UP event from the LLD
    drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free
    drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
    bnx2x: fix HW initialization using fw 7.8.x
    tcp: Fix double sizeof in new tcp_metrics code
    net: fix divide by zero in tcp algorithm illinois
    net: sctp: Fix typo in net/sctp
    bonding: fix second off-by-one error
    bonding: fix off-by-one error
    bnx2x: Disable FCoE for 57840 since not yet supported by FW
    bnx2x: Fix no link on 577xx 10G-baseT
    bnx2x: Fix unrecognized SFP+ module after driver is loaded
    bnx2x: Fix potential incorrect link speed provision
    bnx2x: Restore global registers back to default.
    bnx2x: Fix link down in 57712 following LFA
    bnx2x: Fix 57810 1G-KR link against certain switches.
    ixgbe: PTP get_ts_info missing software support
    ...

    Linus Torvalds
     
  • When sending data into a tcp socket in repair state we should check
    for the amount of data being 0 explicitly. Otherwise we'll have an skb
    with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
    (in particular a warn_on in tcp_recvmsg shoots).

    Signed-off-by: Pavel Emelyanov
    Reported-by: Giorgos Mavrikas
    Signed-off-by: David S. Miller

    Pavel Emelyanov
     
  • When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
    any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
    32k-interface limit), the netdev is freed in the error path. However, the
    l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
    l2tp_eth_delete() then attempting to unregister the same netdev later in the
    session teardown. This results in an oops.

    To avoid this, clear the session dev pointer in the error path.

    Signed-off-by: Tom Parkin
    Signed-off-by: David S. Miller

    Tom Parkin
     

01 Nov, 2012

1 commit