27 Oct, 2012
1 commit
-
Pull networking fixes from David Miller:
"This is what we usually expect at this stage of the game, lots of
little things, mostly in drivers. With the occasional 'oops didn't
mean to do that' kind of regressions in the core code."1) Uninitialized data in __ip_vs_get_timeouts(), from Arnd Bergmann
2) Reject invalid ACK sequences in Fast Open sockets, from Jerry Chu.
3) Lost error code on return from _rtl_usb_receive(), from Christian
Lamparter.4) Fix reset resume on USB rt2x00, from Stanislaw Gruszka.
5) Release resources on error in pch_gbe driver, from Veaceslav Falico.
6) Default hop limit not set correctly in ip6_template_metrics[], fix
from Li RongQing.7) Gianfar PTP code requests wrong kind of resource during probe, fix
from Wei Yang.8) Fix VHOST net driver on big-endian, from Michael S Tsirkin.
9) Mallenox driver bug fixes from Jack Morgenstein, Or Gerlitz, Moni
Shoua, Dotan Barak, and Uri Habusha.10) usbnet leaks memory on TX path, fix from Hemant Kumar.
11) Use socket state test, rather than presence of FIN bit packet, to
determine FIONREAD/SIOCINQ value. Fix from Eric Dumazet.12) Fix cxgb4 build failure, from Vipul Pandya.
13) Provide a SYN_DATA_ACKED state to complement SYN_FASTOPEN in socket
info dumps. From Yuchung Cheng.14) Fix leak of security path in kfree_skb_partial(). Fix from Eric
Dumazet.15) Handle RX FIFO overflows more resiliently in pch_gbe driver, from
Veaceslav Falico.16) Fix MAINTAINERS file pattern for networking drivers, from Jean
Delvare.17) Add iPhone5 IDs to IPHETH driver, from Jay Purohit.
18) VLAN device type change restriction is too strict, and should not
trigger for the automatically generated vlan0 device. Fix from Jiri
Pirko.19) Make PMTU/redirect flushing work properly again in ipv4, from
Steffen Klassert.20) Fix memory corruptions by using kfree_rcu() in netlink_release().
From Eric Dumazet.21) More qmi_wwan device IDs, from Bjørn Mork.
22) Fix unintentional change of SNAT/DNAT hooks in generic NAT
infrastructure, from Elison Niven.23) Fix 3.6.x regression in xt_TEE netfilter module, from Eric Dumazet.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (57 commits)
tilegx: fix some issues in the SW TSO support
qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan
net: usb: Fix memory leak on Tx data path
net/mlx4_core: Unmap UAR also in the case of error flow
net/mlx4_en: Don't use vlan tag value as an indication for vlan presence
net/mlx4_en: Fix double-release-range in tx-rings
bas_gigaset: fix pre_reset handling
vhost: fix mergeable bufs on BE hosts
gianfar_ptp: use iomem, not ioports resource tree in probe
ipv6: Set default hoplimit as zero.
NET_VENDOR_TI: make available for am33xx as well
pch_gbe: fix error handling in pch_gbe_up()
b43: Fix oops on unload when firmware not found
mwifiex: clean up scan state on error
mwifiex: return -EBUSY if specific scan request cannot be honored
brcmfmac: fix potential NULL dereference
Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz"
ath9k_htc: Add PID/VID for a Ubiquiti WiFiStation
rt2x00: usb: fix reset resume
rtlwifi: pass rx setup error code to caller
...
25 Oct, 2012
1 commit
-
Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the
hoplimit checking condition and default value in ip6_dst_hoplimit, not
zeros all hoplimit default value.Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as
const, cause as a37e6e344910(net: force dst_default_metrics to const
section)Signed-off-by: Li RongQing
Signed-off-by: David S. Miller
24 Oct, 2012
4 commits
-
Chris Perl reports that we're seeing races between the wakeup call in
xs_error_report and the connect attempts. Basically, Chris has shown
that in certain circumstances, the call to xs_error_report causes the
rpc_task that is responsible for reconnecting to wake up early, thus
triggering a disconnect and retry.Since the sk->sk_error_report() calls in the socket layer are always
followed by a tcp_done() in the cases where we care about waking up
the rpc_tasks, just let the state_change callbacks take responsibility
for those wake ups.Reported-by: Chris Perl
Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org
Tested-by: Chris Perl -
The call to xprt_disconnect_done() that is triggered by a successful
connection reset will trigger another automatic wakeup of all tasks
on the xprt->pending rpc_wait_queue. In particular it will cause an
early wake up of the task that called xprt_connect().All we really want to do here is clear all the socket-specific state
flags, so we split that functionality out of xs_sock_mark_closed()
into a helper that can be called by xs_abort_connection()Reported-by: Chris Perl
Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org
Tested-by: Chris Perl -
This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e.
Now that we clear the connected flag when entering TCP_CLOSE_WAIT,
the deadlock described in this commit is no longer possible.
Instead, the resulting call to xs_tcp_shutdown() can interfere
with pending reconnection attempts.Reported-by: Chris Perl
Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org
Tested-by: Chris Perl -
This is needed to ensure that we call xprt_connect() upon the next
call to call_connect().Signed-off-by: Trond Myklebust
Cc: stable@vger.kernel.org
Tested-by: Chris Perl
23 Oct, 2012
3 commits
-
A packet with an invalid ack_seq may cause a TCP Fast Open socket to switch
to the unexpected TCP_CLOSING state, triggering a BUG_ON kernel panic.When a FIN packet with an invalid ack_seq# arrives at a socket in
the TCP_FIN_WAIT1 state, rather than discarding the packet, the current
code will accept the FIN, causing state transition to TCP_CLOSING.This may be a small deviation from RFC793, which seems to say that the
packet should be dropped. Unfortunately I did not expect this case for
Fast Open hence it will trigger a BUG_ON panic.It turns out there is really nothing bad about a TFO socket going into
TCP_CLOSING state so I could just remove the BUG_ON statements. But after
some thought I think it's better to treat this case like TCP_SYN_RECV
and return a RST to the confused peer who caused the unacceptable ack_seq
to be generated in the first place.Signed-off-by: H.K. Jerry Chu
Cc: Neal Cardwell
Cc: Yuchung Cheng
Acked-by: Yuchung Cheng
Acked-by: Eric Dumazet
Acked-by: Neal Cardwell
Signed-off-by: David S. Miller -
Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function
kfree_skb_partial()"):If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.Reported-by: Mike Kazantsev
Signed-off-by: Eric Dumazet
Bisected-by: Mike Kazantsev
Tested-by: Mike Kazantsev
Signed-off-by: David S. Miller -
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options.
It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or
client application can use this information to check Fast Open success rate.Signed-off-by: Yuchung Cheng
Acked-by: Neal Cardwell
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
20 Oct, 2012
3 commits
-
Pull TTY fixes from Greg Kroah-Hartman:
"Here are some tty and serial driver fixes for your 3.7-rc1 tree.Again, the UABI header file fixes, and a number of build and runtime
serial driver bugfixes that solve problems people have been reporting
(the staging driver is a tty driver, hence the fixes coming in through
this tree.)All of these have been in the linux-next tree for a while.
Signed-off-by: Greg Kroah-Hartman "
* tag 'tty-3.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
staging: dgrp: check return value of alloc_tty_driver
staging: dgrp: check for NULL pointer in (un)register_proc_table
serial/8250_hp300: Missing 8250 register interface conversion bits
UAPI: (Scripted) Disintegrate include/linux/hsi
tty: serial: sccnxp: Fix bug with unterminated platform_id list
staging: serial: dgrp: Add missing #include
serial: sccnxp: Allows the driver to be compiled as a module
tty: Fix bogus "callbacks suppressed" messages
net, TTY: initialize tty->driver_data before usage -
Pull nfsd bugfixes from J Bruce Fields.
* 'for-3.7' of git://linux-nfs.org/~bfields/linux:
SUNRPC: Prevent kernel stack corruption on long values of flush
NLM: nlm_lookup_file() may return NLMv4-specific error codes -
…wireless into for-davem
19 Oct, 2012
7 commits
-
Included fixes:
- Fix broadcast packet CRC calculation which can lead to ~80% broadcast packet
loss
- Fix a race condition in duplicate broadcast packet checkSigned-off-by: David S. Miller
-
tcp_ioctl() tries to take into account if tcp socket received a FIN
to report correct number bytes in receive queue.But its flaky because if the application ate the last skb,
we return 1 instead of 0.Correct way to detect that FIN was received is to test SOCK_DONE.
Reported-by: Elliot Hughes
Signed-off-by: Eric Dumazet
Cc: Neal Cardwell
Cc: Tom Herbert
Signed-off-by: David S. Miller -
On some suspend/resume operations involving wimax device, we have
noticed some intermittent memory corruptions in netlink code.Stéphane Marchesin tracked this corruption in netlink_update_listeners()
and suggested a patch.It appears netlink_release() should use kfree_rcu() instead of kfree()
for the listeners structure as it may be used by other cpus using RCU
protection.netlink_release() must set to NULL the listeners pointer when
it is about to be freed.Also have to protect netlink_update_listeners() and
netlink_has_listeners() if listeners is NULL.Add a nl_deref_protected() lockdep helper to properly document which
locks protects us.Reported-by: Jonathan Kliegman
Signed-off-by: Eric Dumazet
Cc: Stéphane Marchesin
Cc: Sam Leffler
Signed-off-by: David S. Miller -
Currently we can not flush cached pmtu/redirect informations via
the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid
of the old route and reset the nh exeption if the old route is
expired when we bind a new route to a nh exeption.Signed-off-by: Steffen Klassert
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller -
vlan_info might be present but still no vlan devices might be there.
That is in case of vlan0 automatically added.So in that case, allow to change netdev type.
Reported-by: Jon Stanley
Signed-off-by: Jiri Pirko
Signed-off-by: David S. Miller -
Threads in the bottom half of batadv_bla_check_bcast_duplist() might
otherwise for instance overwrite variables which other threads might
be using/reading at the same time in the top half, potentially
leading to messing up the bcast_duplist, possibly resulting in false
bridge loop avoidance duplicate check decisions.Signed-off-by: Linus Lüssing
Acked-by: Simon Wunderlich
Signed-off-by: Marek Lindner -
So far the crc16 checksum for a batman-adv broadcast data packet, received
on a batman-adv hard interface, was calculated over zero bytes of its
content leading to many incoming broadcast data packets wrongly being
dropped (60-80% packet loss).This patch fixes this issue by calculating the crc16 over the actual,
complete broadcast payload.The issue is a regression introduced by
("batman-adv: add broadcast duplicate check").Signed-off-by: Linus Lüssing
Acked-by: Simon Wunderlich
Signed-off-by: Marek Lindner
18 Oct, 2012
2 commits
-
The buffer size in read_flush() is too small for the longest possible values
for it. This can lead to a kernel stack corruption:[ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4
[ 43.047329]
[ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221
[ 43.050038] Call Trace:
[ 43.050435] [] panic+0xcd/0x1f4
[ 43.050931] [] ? read_flush.isra.7+0xe4/0x100
[ 43.051602] [] __stack_chk_fail+0x16/0x20
[ 43.052206] [] read_flush.isra.7+0xe4/0x100
[ 43.052951] [] ? read_flush_pipefs+0x30/0x30
[ 43.053594] [] read_flush_procfs+0x2c/0x30
[ 43.053596] [] proc_reg_read+0x9c/0xd0
[ 43.053596] [] ? proc_reg_write+0xd0/0xd0
[ 43.053596] [] do_loop_readv_writev+0x4b/0x90
[ 43.053596] [] do_readv_writev+0xf6/0x1d0
[ 43.053596] [] vfs_readv+0x3e/0x60
[ 43.053596] [] sys_readv+0x48/0xb0
[ 43.053596] [] system_call_fastpath+0x1a/0x1fSigned-off-by: Sasha Levin
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields
17 Oct, 2012
6 commits
-
Some changes to fix issues with HT40 APs in Korea
and follow-up changes to allow using HT40 even if
the local regulatory database disallows it caused
issues with iwlwifi (and could cause issues with
other devices); iwlwifi firmware would assert if
you tried to connect to an AP that has an invalid
configuration (e.g. using HT40- on channel 140.)Fix this, while avoiding the "Korean AP" issue by
disabling HT40 and advertising HT20 to the AP
when connecting.Cc: stable@vger.kernel.org [3.6]
Reported-by: Florian Reitmeir
Tested-by: Florian Reitmeir
Signed-off-by: Johannes Berg -
Torsten Luettgert bisected TEE regression starting with commit
f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.)The problem is that it tries to ARP-lookup the original destination
address of the forwarded packet, not the address of the gateway.Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit
c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known
nexthop (info->gw.ip) has preference on resolving.Reported-by: Torsten Luettgert
Bisected-by: Torsten Luettgert
Tested-by: Torsten Luettgert
Cc: Julian Anastasov
Signed-off-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso -
To obtain new flag FLOWI_FLAG_KNOWN_NH to fix netfilter's xt_TEE target.
-
Commit 1d5783030a1 (ipv6/addrconf: speedup /proc/net/if_inet6 filling)
added bugs hiding some devices from if_inet6 and breaking applications."ip -6 addr" could still display all IPv6 addresses, while "ifconfig -a"
couldnt.One way to reproduce the bug is by starting in a shell :
unshare -n /bin/bash
ifconfig lo upAnd in original net namespace, lo device disappeared from if_inet6
Reported-by: Jan Hinnerk Stosch
Tested-by: Jan Hinnerk Stosch
Signed-off-by: Eric Dumazet
Cc: Mihai Maruseac
Signed-off-by: David S. Miller -
Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839
(sctp: check src addr when processing SACK to update transport state)Signed-off-by: Zijie Pan
Signed-off-by: Nicolas Dichtel
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller -
In vlan_uses_dev() check for number of vlan devs rather than existence
of vlan_info. The reason is that vlan id 0 is there without appropriate
vlan dev on it by default which prevented from enslaving vlan challenged
dev.Reported-by: Jon Stanley
Signed-off-by: Jiri Pirko
Signed-off-by: David S. Miller
16 Oct, 2012
3 commits
-
Free tx status skbs when draining power save buffers, pending frames, or
when tearing down a vif.
Fixes remaining conditions that can lead to hostapd/wpa_supplicant hangs when
running out of socket write memory.Signed-off-by: Felix Fietkau
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville -
This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362Pointer key->u.ccmp.tfm of group key get corrupted in:
ieee80211_rx_h_michael_mic_verify():
/* update IV in key information to be able to detect replays */
rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.
We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.Cc: stable@vger.kernel.org # 3.0+
Signed-off-by: Stanislaw Gruszka
Signed-off-by: John W. Linville
15 Oct, 2012
6 commits
-
Avoid situation when we are on associate state in mac80211 and
on disassociate state in cfg80211. This can results on crash
during modules unload (like showed on this thread:
http://marc.info/?t=134373976300001&r=1&w=2) and possibly other
problems.Reported-by: Pedro Francisco
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka
Signed-off-by: Johannes Berg -
In (c7232c9 netfilter: add protocol independent NAT core), the
hooks were accidentally modified:SNAT hooks are POST_ROUTING and LOCAL_IN (before it was LOCAL_OUT).
DNAT hooks are PRE_ROUTING and LOCAL_OUT (before it was LOCAL_IN).Signed-off-by: Elison Niven
Signed-off-by: Sanket Shah
Signed-off-by: Pablo Neira Ayuso -
This patch fixes ip6tables and the CT target if it is used to set
some custom conntrack timeout policy for IPv6.Use xt_ct_find_proto which already handles the ip6tables case for us.
Signed-off-by: Pablo Neira Ayuso
-
This syncs up the tty-linus branch to the latest in Linus's tree to get all of
the UAPI stuff needed for the next set of patches to merge.Signed-off-by: Greg Kroah-Hartman
-
Pull module signing support from Rusty Russell:
"module signing is the highlight, but it's an all-over David Howells frenzy..."Hmm "Magrathea: Glacier signing key". Somebody has been reading too much HHGTTG.
* 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits)
X.509: Fix indefinite length element skip error handling
X.509: Convert some printk calls to pr_devel
asymmetric keys: fix printk format warning
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
MODSIGN: Make mrproper should remove generated files.
MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs
MODSIGN: Use the same digest for the autogen key sig as for the module sig
MODSIGN: Sign modules during the build process
MODSIGN: Provide a script for generating a key ID from an X.509 cert
MODSIGN: Implement module signature checking
MODSIGN: Provide module signing public keys to the kernel
MODSIGN: Automatically generate module signing keys if missing
MODSIGN: Provide Kconfig options
MODSIGN: Provide gitignore and make clean rules for extra files
MODSIGN: Add FIPS policy
module: signature checking hook
X.509: Add a crypto key parser for binary (DER) X.509 certificates
MPILIB: Provide a function to read raw data into an MPI
X.509: Add an ASN.1 decoder
X.509: Add simple ASN.1 grammar compiler
...
14 Oct, 2012
1 commit
-
Pull user namespace compile fixes from Eric W Biederman:
"This tree contains three trivial fixes. One compiler warning, one
thinko fix, and one build fix"* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
btrfs: Fix compilation with user namespace support enabled
userns: Fix posix_acl_file_xattr_userns gid conversion
userns: Properly print bluetooth socket uids
13 Oct, 2012
3 commits
-
Pull nfsd update from J Bruce Fields:
"Another relatively quiet cycle. There was some progress on my
remaining 4.1 todo's, but a couple of them were just of the form
"check that we do X correctly", so didn't have much affect on the
code.Other than that, a bunch of cleanup and some bugfixes (including an
annoying NFSv4.0 state leak and a busy-loop in the server that could
cause it to peg the CPU without making progress)."* 'for-3.7' of git://linux-nfs.org/~bfields/linux: (46 commits)
UAPI: (Scripted) Disintegrate include/linux/sunrpc
UAPI: (Scripted) Disintegrate include/linux/nfsd
nfsd4: don't allow reclaims of expired clients
nfsd4: remove redundant callback probe
nfsd4: expire old client earlier
nfsd4: separate session allocation and initialization
nfsd4: clean up session allocation
nfsd4: minor free_session cleanup
nfsd4: new_conn_from_crses should only allocate
nfsd4: separate connection allocation and initialization
nfsd4: reject bad forechannel attrs earlier
nfsd4: enforce per-client sessions/no-sessions distinction
nfsd4: set cl_minorversion at create time
nfsd4: don't pin clientids to pseudoflavors
nfsd4: fix bind_conn_to_session xdr comment
nfsd4: cast readlink() bug argument
NFSD: pass null terminated buf to kstrtouint()
nfsd: remove duplicate init in nfsd4_cb_recall
nfsd4: eliminate redundant nfs4_free_stateid
fs/nfsd/nfs4idmap.c: adjust inconsistent IS_ERR and PTR_ERR
... -
Pull networking updates from David Miller:
1) Alexey Kuznetsov noticed we routed TCP resets improperly in the
assymetric routing case, fix this by reverting a change that made us
use the incoming interface in the outgoing route key when we didn't
have a socket context to work with.2) TCP sysctl kernel memory leakage to userspace fix from Alan Cox.
3) Move UAPI bits from David Howells, WIMAX and CAN this time.
4) Fix TX stalls in e1000e wrt. Byte Queue Limits, from Hiroaki
SHIMODA, Denys Fedoryshchenko, and Jesse Brandeburg.5) Fix IPV6 crashes in packet generator module, from Amerigo Wang.
6) Tidies and fixes in the new VXLAN driver from Stephen Hemminger.
7) Bridge IP options parse doesn't check first if SKB header has at
least an IP header's worth of content present. Fix from Sarveshwar
Bandi.8) The kernel now generates compound pages on transmit and the Xen
netback drivers needs some adjustments in order to handle this. Fix
from Ian Campbell.9) Turn off ASPM in JME driver, from Kevin Bardon and Matthew Garrett.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (43 commits)
mcs7830: Fix link state detection
net: add doc for in4_pton()
net: add doc for in6_pton()
vti: fix sparse bit endian warnings
tcp: resets are misrouted
usbnet: Support devices reporting idleness
Add CDC-ACM support for the CX93010-2x UCMxx USB Modem
net/ethernet/jme: disable ASPM
tcp: sysctl interface leaks 16 bytes of kernel memory
kaweth: print correct debug ptr
e1000e: Change wthresh to 1 to avoid possible Tx stalls
ipv4: fix route mark sparse warning
xen: netback: handle compound page fragments on transmit.
bridge: Pull ip header into skb->data before looking into ip header.
isdn: fix a wrapping bug in isdn_ppp_ioctl()
vxlan: fix oops when give unknown ifindex
vxlan: fix receive checksum handling
vxlan: add additional headroom
vxlan: allow configuring port range
vxlan: associate with tunnel socket on transmit
... -
With user namespace support enabled building bluetooth generated the warning.
net/bluetooth/af_bluetooth.c: In function ‘bt_seq_show’:
net/bluetooth/af_bluetooth.c:598:7: warning: format ‘%u’ expects argument of type ‘unsigned int’, but argument 7 has type ‘kuid_t’ [-Wformat]Convert sock_i_uid from a kuid_t to a uid_t before printing, to avoid
this problem.Reported-by: Fengguang Wu
Cc: Masatake YAMATO
Cc: Gustavo Padovan
Signed-off-by: "Eric W. Biederman"
