15 Mar, 2013
1 commit
-
In (c296bb4 netfilter: nf_conntrack: refactor l4proto support for netns)
the l4proto gre/dccp/udplite/sctp registration happened before the pernet
subsystem, which is wrong.Register pernet subsystem before register L4proto since after register
L4proto, init_conntrack may try to access the resources which allocated
in register_pernet_subsys.Reported-by: Alexey Dobriyan
Cc: Alexey Dobriyan
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
14 Mar, 2013
2 commits
-
Hi.
I'm trying to send big chunks of memory from application address space via
TCP socket using vmsplice + splice like thismem = mmap(128Mb);
vmsplice(pipe[1], mem); /* splice memory into pipe */
splice(pipe[0], tcp_socket); /* send it into network */When I'm lucky and a huge page splices into the pipe and then into the socket
_and_ client and server ends of the TCP connection are on the same host,
communicating via lo, the whole connection gets stuck! The sending queue
becomes full and app stops writing/splicing more into it, but the receiving
queue remains empty, and that's why.The __skb_fill_page_desc observes a tail page of a huge page and erroneously
propagates its page->pfmemalloc value onto socket (the pfmemalloc on tail pages
contain garbage). Then this skb->pfmemalloc leaks through lo and due to thetcp_v4_rcv
sk_filter
if (skb->pfmemalloc && !sock_flag(sk, SOCK_MEMALLOC)) /* true */
return -ENOMEM
goto release_and_discard;no packets reach the socket. Even TCP re-transmits are dropped by this, as skb
cloning clones the pfmemalloc flag as well.That said, here's the proper page->pfmemalloc propagation onto socket: we
must check the huge-page's head page only, other pages' pfmemalloc and mapping
values do not contain what is expected in this place. However, I'm not sure
whether this fix is _complete_, since pfmemalloc propagation via lo also
oesn't look great.Both, bit propagation from page to skb and this check in sk_filter, were
introduced by c48a11c7 (netvm: propagate page->pfmemalloc to skb), in v3.5 so
Mel and stable@ are in Cc.Signed-off-by: Pavel Emelyanov
Acked-by: Eric Dumazet
Acked-by: Mel Gorman
Signed-off-by: David S. Miller -
Chrome OS team reported a crash on a Pixel ChromeBook in TCP stack :
https://code.google.com/p/chromium/issues/detail?id=182056
commit a21d45726acac (tcp: avoid order-1 allocations on wifi and tx
path) did a poor choice adding an 'avail_size' field to skb, while
what we really needed was a 'reserved_tailroom' one.It would have avoided commit 22b4a4f22da (tcp: fix retransmit of
partially acked frames) and this commit.Crash occurs because skb_split() is not aware of the 'avail_size'
management (and should not be aware)Signed-off-by: Eric Dumazet
Reported-by: Mukesh Agrawal
Signed-off-by: David S. Miller
13 Mar, 2013
9 commits
-
commit bd877e4 ("net: qmi_wwan: use a single bind function for
all device types") made Gobi 1K devices fail probing.Using the number of endpoints in the default altsetting to decide
whether the function use one or two interfaces is wrong. Other
altsettings may provide more endpoints.With Gobi 1K devices, USB interface #3's altsetting is 0 by default, but
altsetting 0 only provides one interrupt endpoint and is not sufficent
for QMI. Altsetting 1 provides all 3 endpoints required for qmi_wwan
and works with QMI. Gobi 1K layout for intf#3 is:Interface Descriptor: 255/255/255
bInterfaceNumber 3
bAlternateSetting 0
Endpoint Descriptor: Interrupt IN
Interface Descriptor: 255/255/255
bInterfaceNumber 3
bAlternateSetting 1
Endpoint Descriptor: Interrupt IN
Endpoint Descriptor: Bulk IN
Endpoint Descriptor: Bulk OUTPrior to commit bd877e4, we would call usbnet_get_endpoints
before giving up finding enough endpoints. Removing the early
endpoint number test and the strict functional descriptor
requirement allow qmi_wwan_bind to continue until
usbnet_get_endpoints has made the final attempt to collect
endpoints. This restores the behaviour from before commit
bd877e4 without losing the added benefit of using a single bind
function.The driver has always required a CDC Union functional descriptor
for two-interface functions. Using the existence of this
descriptor to detect two-interface functions is the logically
correct method.Reported-by: Dan Williams
Signed-off-by: Bjørn Mork
Tested-by: Dan Williams
Signed-off-by: David S. Miller -
a long time ago by the commit
commit 93456b6d7753def8760b423ac6b986eb9d5a4a95
Author: Denis V. Lunev
Date: Thu Jan 10 03:23:38 2008 -0800[IPV4]: Unify access to the routing tables.
the defenition of FIB_HASH_TABLE size has obtained wrong dependency:
it should depend upon CONFIG_IP_MULTIPLE_TABLES (as was in the original
code) but it was depended from CONFIG_IP_ROUTE_MULTIPATHThis patch returns the situation to the original state.
The problem was spotted by Tingwei Liu.
Signed-off-by: Denis V. Lunev
CC: Tingwei Liu
CC: Alexey Kuznetsov
Signed-off-by: David S. Miller -
sctp_assoc_lookup_tsn() function searchs which transport a certain TSN
was sent on, if not found in the active_path transport, then go search
all the other transports in the peer's transport_addr_list, however, we
should continue to the next entry rather than break the loop when meet
the active_path transport.Signed-off-by: Xufeng Zhang
Acked-by: Neil Horman
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller -
When SCTP is done processing a duplicate cookie chunk, it tries
to delete a newly created association. For that, it has to set
the right association for the side-effect processing to work.
However, when it uses the SCTP_CMD_NEW_ASOC command, that performs
more work then really needed (like hashing the associationa and
assigning it an id) and there is no point to do that only to
delete the association as a next step. In fact, it also creates
an impossible condition where an association may be found by
the getsockopt() call, and that association is empty. This
causes a crash in some sctp getsockopts.The solution is rather simple. We simply use SCTP_CMD_SET_ASOC
command that doesn't have all the overhead and does exactly
what we need.Reported-by: Karl Heiss
Tested-by: Karl Heiss
CC: Neil Horman
Signed-off-by: Vlad Yasevich
Acked-by: Neil Horman
Signed-off-by: David S. Miller -
Commit d13ba512cbba7de5d55d7a3b2aae7d83c8921457 ("tg3: Remove
SPEED_UNKNOWN checks") cleaned up the autoneg advertisement by
removing some dead code. One effect of this change was that the
advertisement register would not be updated if autoneg is turned off.This exposed a bug on the 5715 device w.r.t linking. The 5715 defaults
to advertise only 10Mb Full duplex. But with autoneg disabled, it needs
the configured speed enabled in the advertisement register to link up.This patch adds the work around to advertise all speeds on the 5715 when
autoneg is disabled.Reported-by: Marcin Miotk
Reviewed-by: Benjamin Li
Signed-off-by: Nithin Nayak Sujir
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
Ben Hutchings says:
====================
Just the one bug fix I mentioned before, but it's a pretty important one
as it can cause silent data corruption or IOMMU page faults.This would be suitable for stable and should apply cleanly to all the
3.x.y branches. I'm still working through testing of larger sets of
fixes.
====================Signed-off-by: David S. Miller
-
bond_update_speed_duplex() might sleep while calling underlying slave's
routines. Move it out of atomic context in bond_enslave() and remove it
from bond_miimon_commit() - it was introduced by commit 546add79, however
when the slave interfaces go up/change state it's their responsibility to
fire NETDEV_UP/NETDEV_CHANGE events so that bonding can properly update
their speed.I've tested it on all combinations of ifup/ifdown, autoneg/speed/duplex
changes, remote-controlled and local, on (not) MII-based cards. All changes
are visible.Signed-off-by: Veaceslav Falico
Signed-off-by: David S. Miller -
Commit fae50823d0 ("net: ethernet: davinci_cpdma: Add boundary for rx
and tx descriptors") introduced a function to check the current
allocation state of tx packets. The return value is taken into account
to stop the netqork queue on the adapter in case there are no free
slots.However, cpdma_check_free_tx_desc() returns 'true' if there is room in
the bitmap, not 'false', so the usage of the function is wrong.Signed-off-by: Daniel Mack
Cc: Mugunthan V N
Reported-by: Sven Neumann
Reported-by: Andreas Fenkart
Tested-by: Mugunthan V N
Acked-by: Mugunthan V N
Tested-by: Andreas Fenkart
Signed-off-by: David S. Miller -
Using TX push when notifying the NIC of multiple new descriptors in
the ring will very occasionally cause the TX DMA engine to re-use an
old descriptor. This can result in a duplicated or partly duplicated
packet (new headers with old data), or an IOMMU page fault. This does
not happen when the pushed descriptor is the only one written.TX push also provides little latency benefit when a packet requires
more than one descriptor.Signed-off-by: Ben Hutchings
12 Mar, 2013
8 commits
-
[ Bug added added in commit 05e8ef4ab2d8087d (net: factor out
skb_mac_gso_segment() from skb_gso_segment() ) ]move vlan_depth out of while loop, or else vlan_depth always is ETH_HLEN,
can not be increased, and lead to infinite loop when frame has two vlan headers.Signed-off-by: Li RongQing
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller -
k is u32 which never < 0, need type cast, or cause issue.
Signed-off-by: Chen Gang
Acked-by: Russell King
Acked-by: Mircea Gherzan
Signed-off-by: David S. Miller -
__netpoll_cleanup() is called in netconsole_netdev_event() while holding a
spinlock. Release/acquire the spinlock before/after it and restart the
loop. Also, disable the netconsole completely, because we won't have chance
after the restart of the loop, and might end up in a situation where
nt->enabled == 1 and nt->np.dev == NULL.Signed-off-by: Veaceslav Falico
Acked-by: Neil Horman
Signed-off-by: David S. Miller -
The bridge multicast fast leave feature was added sufficient space
was not reserved in the netlink message. This means the flag may be
lost in netlink events and results of queries.Found by observation while looking up some netlink stuff for discussion with Vlad.
Problem introduced by commit c2d3babfafbb9f6629cfb47139758e59a5eb0d80
Author: David S. Miller
Date: Wed Dec 5 16:24:45 2012 -0500bridge: implement multicast fast leave
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Included changes ares:
- fix packet parsing routine to avoid to read beyond the packet boundarySigned-off-by: David S. Miller
-
This is needed in order to detect if the timestamp option appears
more than once in a packet, to remove the option if the packet is
fragmented, etc. My previous change neglected to store the option
location when the router addresses were prespecified and Pointer >
Length. But now the option location is also stored when Flag is an
unrecognized value, to ensure these option handling behaviors are
still performed.Signed-off-by: David Ward
Signed-off-by: David S. Miller -
New scheme calls for 3rd party VPD at offset 0x0 and Chelsio VPD at offset
0x400 of the function. If no 3rd party VPD is present, then a copy of
Chelsio's VPD will be at offset 0x0 to keep in line with PCI spec which
requires the VPD to be present at offset 0x0.Signed-off-by: Santosh Rastapur
Signed-off-by: Vipul Pandya
Signed-off-by: David S. Miller -
batadv_iv_ogm_process() accesses the packet using the tt_num_changes
attribute regardless of the real packet len (assuming the length check
was done before). Therefore a length check is needed to avoid reading
random memory.Signed-off-by: Marek Lindner
Signed-off-by: Antonio Quartulli
11 Mar, 2013
17 commits
-
Pull perf fixes from Ingo Molnar:
"Misc minor fixes mostly related to tracing"* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
s390: Fix a header dependencies related build error
tracing: update documentation of snapshot utility
tracing: Do not return EINVAL in snapshot when not allocated
tracing: Add help of snapshot feature when snapshot is empty
ftrace: Update the kconfig for DYNAMIC_FTRACE -
Pull networking fixes from David Miller:
1) Missing cancel of work items in mac80211 MLME, from Ben Greear.
2) Fix DMA mapping handling in iwlwifi by using coherent DMA for
command headers, from Johannes Berg.3) Decrease the amount of pressure on the page allocator by using order
1 pages less in iwlwifi, from Emmanuel Grumbach.4) Fix mesh PS broadcast OOPS in mac80211, from Marco Porsch.
5) Don't forget to recalculate idle state in mac80211 monitor
interface, from Felix Fietkau.6) Fix varargs in netfilter conntrack handler, from Joe Perches.
7) Need to reset entire chip when command queue fills up in iwlwifi,
from Emmanuel Grumbach.8) The TX antenna value must be valid when calibrations are performed
in iwlwifi, fix from Dor Shaish.9) Don't generate netfilter audit log entries when audit is disabled,
from Gao Feng.10) Deal with DMA unit hang on e1000e during power state transitions,
from Bruce Allan.11) Remove BUILD_BUG_ON check from igb driver, from Alexander Duyck.
12) Fix lockdep warning on i2c handling of igb driver, from Carolyn
Wyborny.13) Fix several TTY handling issues in IRDA ircomm tty driver, from
Peter Hurley.14) Several QFQ packet scheduler fixes from Paolo Valente.
15) When VXLAN encapsulates on transmit, we have to reset the netfilter
state. From Zang MingJie.16) Fix jiffie check in net_rx_action() so that we really cap the
processing at 2HZ. From Eric Dumazet.17) Fix erroneous trigger of IP option space exhaustion, when routers
are pre-specified and we are looking to see if we can insert a
timestamp, we will have the space. From David Ward.18) Fix various issues in benet driver wrt waiting for firmware to
finish POST after resets or errors. From Gavin Shan and Sathya
Perla.19) Fix TX locking in SFC driver, from Ben Hutchings.
20) Like the VXLAN fix above, when we encap in a TUN device we have to
reset the netfilter state. This should fix several strange crashes
reported by Dave Jones and others. From Eric Dumazet.21) Don't forget to clean up MAC address resources when shutting down a
port in mlx4 driver, from Yan Burman.22) Fix divide by zero in vmxnet3 driver, from Bhavesh Davda.
23) Fix device statistic regression in tg3 when the driver is using
phylib, from Nithin Sujir.24) Fix info leak in several netlink handlers, from Mathias Krause.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (79 commits)
6lowpan: Fix endianness issue in is_addr_link_local().
rrunner.c: fix possible memory leak in rr_init_one()
dcbnl: fix various netlink info leaks
rtnl: fix info leak on RTM_GETLINK request for VF devices
bridge: fix mdb info leaks
tg3: Update link_up flag for phylib devices
ipv6: stop multicast forwarding to process interface scoped addresses
bridging: fix rx_handlers return code
netlabel: fix build problems when CONFIG_IPV6=n
drivers/isdn: checkng length to be sure not memory overflow
net/rds: zero last byte for strncpy
bnx2x: Fix SFP+ misconfiguration in iSCSI boot scenario
bnx2x: Fix intermittent long KR2 link up time
macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode.
team: unsyc the devices addresses when port is removed
bridge: add missing vid to br_mdb_get()
Fix: sparse warning in inet_csk_prepare_forced_close
afkey: fix a typo
MAINTAINERS: Update qlcnic maintainers list
netlabel: correctly list all the static label mappings
... -
Pull UML fixes from Richard Weinberger:
"This update brings various fixes.
Nothing special...In my local queue I have some more fixes which will be sent later to
you. 3.9 uncovered strange UML issues. :("* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
um: Use tty_port in SIGWINCH handler
um: Use tty_port_operations->destruct
um: fix build failure due to mess-up of sig_info protorype
um: add missing declaration of 'getrlimit()' and friends
net : enable tx time stamping in the vde driver.
hostfs: fix a not needed double check -
Pull input updates from Dmitry Torokhov:
"Except for the largish change to the ALPS driver adding "Dolphin V1"
support and Wacom getting a new signature of yet another device, the
rest are straightforward driver fixes."* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: mms114 - Fix regulator enable and disable paths
Input: ads7864 - check return value of regulator enable
Input: tc3589x-keypad - fix keymap size
Input: wacom - add support for 0x10d
Input: ALPS - update documentation for recent touchpad driver mods
Input: ALPS - add "Dolphin V1" touchpad support
Input: ALPS - remove unused argument to alps_enter_command_mode()
Input: cypress_ps2 - fix trackpadi found in Dell XPS12 -
Commit 877c685607925238e302cd3aa38788dca6c1b226
("perf: Remove include of cgroup.h from perf_event.h") caused
this build failure if PERF_EVENTS is enabled:In file included from arch/s390/include/asm/perf_event.h:9:0,
from include/linux/perf_event.h:24,
from kernel/events/ring_buffer.c:12:
arch/s390/include/asm/cpu_mf.h: In function 'qctri':
arch/s390/include/asm/cpu_mf.h:61:12: error: 'EINVAL' undeclared (first use in this function)cpu_mf.h had an implicit errno.h dependency, which was added
indirectly via cgroups.h but not anymore. Add it explicitly.Reported-by: Fengguang Wu
Tested-by: Fengguang Wu
Signed-off-by: Li Zefan
Cc: Martin Schwidefsky
Cc: Heiko Carstens
Link: http://lkml.kernel.org/r/51385F79.7000106@huawei.com
Signed-off-by: Ingo Molnar -
The tty below tty_port might get destroyed by the tty layer
while we hold a reference to it.
So we have to carry tty_port around...Signed-off-by: Richard Weinberger
-
As we setup the SIGWINCH handler in tty_port_operations->activate
it makes sense to tear down it in ->destruct.Signed-off-by: Richard Weinberger
-
arch/um/os-Linux/signal.c:18:8: error: conflicting types for 'sig_info'
In file included from /home/slyfox/linux-2.6/arch/um/os-Linux/signal.c:12:0:
arch/um/include/shared/as-layout.h:64:15: note: previous declaration of 'sig_info' was hereSigned-off-by: Sergei Trofimovich
CC: Jeff Dike
CC: Richard Weinberger
CC: "Martin Pärtel"
CC: Al Viro
CC: user-mode-linux-devel@lists.sourceforge.net
CC: user-mode-linux-user@lists.sourceforge.net
CC: linux-kernel@vger.kernel.org
Signed-off-by: Richard Weinberger -
arch/um/os-Linux/start_up.c: In function 'check_coredump_limit':
arch/um/os-Linux/start_up.c:338:16: error: storage size of 'lim' isn't known
arch/um/os-Linux/start_up.c:339:2: error: implicit declaration of function 'getrlimit' [-Werror=implicit-function-declaration]Signed-off-by: Sergei Trofimovich
CC: Jeff Dike
CC: Richard Weinberger
CC: Al Viro
CC: user-mode-linux-devel@lists.sourceforge.net
CC: user-mode-linux-user@lists.sourceforge.net
CC: linux-kernel@vger.kernel.org
Signed-off-by: Richard Weinberger -
This new version moves the skb_tx_timestamp in the main uml
driver. This should avoid the need to call this function in each
transport (vde, slirp, tuntap, ...). It also add support for ethtool
get_ts_info.Signed-off-by: Paul Chavent
Acked-by: Richard Cochran
Signed-off-by: Richard Weinberger -
With the commit 3be2be0a32c18b0fd6d623cda63174a332ca0de1 we removed vmtruncate,
but actaully there is no need to call inode_newsize_ok() because the checks are
already done in inode_change_ok() at the begin of the function.Signed-off-by: Marco Stornelli
Signed-off-by: Richard Weinberger -
When it uses regulators the mms114 driver checks to see if it managed to
acquire regulators and ignores errors. This is not the intended usage and
not great style in general.Since the driver already refuses to probe if it fails to allocate the
regulators simply make the enable and disable calls unconditional and
add appropriate error handling, including adding cleanup of the
regulators if setup_reg() fails.Signed-off-by: Mark Brown
Acked-by: Joonyoung Shim
Signed-off-by: Dmitry Torokhov -
At least print a warning if we can't power the device up.
Signed-off-by: Mark Brown
Signed-off-by: Dmitry Torokhov -
The keymap size used by tc3589x is too low, leading to the driver
overwriting other people's memory. Fix this by making the driver
use the automatically allocated keymap provided by
matrix_keypad_build_keymap() instead of allocating one on its own.Signed-off-by: Rabin Vincent
Signed-off-by: Dmitry Torokhov -
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
In the event that register_netdev() failed, the rrpriv->evt_ring
allocation would have not been freed.Signed-off-by: David Oostdyk
Signed-off-by: David S. Miller
10 Mar, 2013
3 commits
-
The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole
struct,Prevent all of the above stack info leaks by properly initializing the
buffers/structures involved.Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller -
Initialize the mac address buffer with 0 as the driver specific function
will probably not fill the whole buffer. In fact, all in-kernel drivers
fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
bytes. Therefore we currently leak 26 bytes of stack memory to userland
via the netlink interface.Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller -
The bridging code discloses heap and stack bytes via the RTM_GETMDB
netlink interface and via the notify messages send to group RTNLGRP_MDB
afer a successful add/del.Fix both cases by initializing all unset members/padding bytes with
memset(0).Cc: Stephen Hemminger
Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller
