1. 11 Jun, 2014 6 commits
    • Wei-Chun Chao's avatar
      net: fix UDP tunnel GSO of frag_list GRO packets · 5882a07c
      Wei-Chun Chao authored
      This patch fixes a kernel BUG_ON in skb_segment. It is hit when
      testing two VMs on openvswitch with one VM acting as VXLAN gateway.
      
      During VXLAN packet GSO, skb_segment is called with skb->data
      pointing to inner TCP payload. skb_segment calls skb_network_protocol
      to retrieve the inner protocol. skb_network_protocol actually expects
      skb->data to point to MAC and it calls pskb_may_pull with ETH_HLEN.
      This ends up pulling in ETH_HLEN data from header tail. As a result,
      pskb_trim logic is skipped and BUG_ON is hit later.
      
      Move skb_push in front of skb_network_protocol so that skb->data
      lines up properly.
      
      kernel BUG at net/core/skbuff.c:2999!
      Call Trace:
      [<ffffffff816ac412>] tcp_gso_segment+0x122/0x410
      [<ffffffff816bc74c>] inet_gso_segment+0x13c/0x390
      [<ffffffff8164b39b>] skb_mac_gso_segment+0x9b/0x170
      [<ffffffff816b3658>] skb_udp_tunnel_segment+0xd8/0x390
      [<ffffffff816b3c00>] udp4_ufo_fragment+0x120/0x140
      [<ffffffff816bc74c>] inet_gso_segment+0x13c/0x390
      [<ffffffff8109d742>] ? default_wake_function+0x12/0x20
      [<ffffffff8164b39b>] skb_mac_gso_segment+0x9b/0x170
      [<ffffffff8164b4d0>] __skb_gso_segment+0x60/0xc0
      [<ffffffff8164b6b3>] dev_hard_start_xmit+0x183/0x550
      [<ffffffff8166c91e>] sch_direct_xmit+0xfe/0x1d0
      [<ffffffff8164bc94>] __dev_queue_xmit+0x214/0x4f0
      [<ffffffff8164bf90>] dev_queue_xmit+0x10/0x20
      [<ffffffff81687edb>] ip_finish_output+0x66b/0x890
      [<ffffffff81688a58>] ip_output+0x58/0x90
      [<ffffffff816c628f>] ? fib_table_lookup+0x29f/0x350
      [<ffffffff816881c9>] ip_local_out_sk+0x39/0x50
      [<ffffffff816cbfad>] iptunnel_xmit+0x10d/0x130
      [<ffffffffa0212200>] vxlan_xmit_skb+0x1d0/0x330 [vxlan]
      [<ffffffffa02a3919>] vxlan_tnl_send+0x129/0x1a0 [openvswitch]
      [<ffffffffa02a2cd6>] ovs_vport_send+0x26/0xa0 [openvswitch]
      [<ffffffffa029931e>] do_output+0x2e/0x50 [openvswitch]
      Signed-off-by: default avatarWei-Chun Chao <weichunc@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5882a07c
    • huizhang's avatar
      net: ipv6: Fixed up ipsec packet be re-routing issue · f6c20c59
      huizhang authored
      Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781
      
      When a local output ipsec packet match the mangle table rule,
      and be set mark value, the packet will be route again in
      route_me_harder -> _session_decoder6
      
      In this case, the nhoff in CB of skb was still the default
      value 0. So the protocal match can't success and the packet can't match
      correct SA rule,and then the packet be send out in plaintext.
      
      To fixed up the issue. The CB->nhoff must be set.
      Signed-off-by: default avatarHui Zhang <huizhang@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6c20c59
    • Dmitry Popov's avatar
      ip_tunnel: fix i_key matching in ip_tunnel_find · 5ce54af1
      Dmitry Popov authored
      Some tunnels (though only vti as for now) can use i_key just for internal use:
      for example vti uses it for fwmark'ing incoming packets. So raw i_key value
      shouldn't be treated as a distinguisher for them. ip_tunnel_key_match exists for
      cases when we want to compare two ip_tunnel_parms' i_keys.
      
      Example bug:
      ip link add type vti ikey 1 local 1.0.0.1 remote 2.0.0.2
      ip link add type vti ikey 2 local 1.0.0.1 remote 2.0.0.2
      spawned two tunnels, although it doesn't make sense.
      Signed-off-by: default avatarDmitry Popov <ixaphire@qrator.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5ce54af1
    • Dmitry Popov's avatar
      ip_vti: Fix 'ip tunnel add' with 'key' parameters · 7c8e6b9c
      Dmitry Popov authored
      ip tunnel add remote 10.2.2.1 local 10.2.2.2 mode vti ikey 1 okey 2
      translates to p->iflags = VTI_ISVTI|GRE_KEY and p->i_key = 1, but GRE_KEY !=
      TUNNEL_KEY, so ip_tunnel_ioctl would set i_key to 0 (same story with o_key)
      making us unable to create vti tunnels with [io]key via ip tunnel.
      
      We cannot simply translate GRE_KEY to TUNNEL_KEY (as GRE module does) because
      vti_tunnels with same local/remote addresses but different ikeys will be treated
      as different then. So, imo the best option here is to move p->i_flags & *_KEY
      check for vti tunnels from ip_tunnel.c to ip_vti.c and to think about [io]_mark
      field for ip_tunnel_parm in the future.
      Signed-off-by: default avatarDmitry Popov <ixaphire@qrator.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7c8e6b9c
    • Manuel Schölling's avatar
      dns_resolver: assure that dns_query() result is null-terminated · 84a7c0b1
      Manuel Schölling authored
      dns_query() credulously assumes that keys are null-terminated and
      returns a copy of a memory block that is off by one.
      Signed-off-by: default avatarManuel Schölling <manuel.schoelling@gmx.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84a7c0b1
    • Dmitry Popov's avatar
      ipip, sit: fix ipv4_{update_pmtu,redirect} calls · 2346829e
      Dmitry Popov authored
      ipv4_{update_pmtu,redirect} were called with tunnel's ifindex (t->dev is a
      tunnel netdevice). It caused wrong route lookup and failure of pmtu update or
      redirect. We should use the same ifindex that we use in ip_route_output_* in
      *tunnel_xmit code. It is t->parms.link .
      Signed-off-by: default avatarDmitry Popov <ixaphire@qrator.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2346829e
  2. 08 Jun, 2014 1 commit
  3. 06 Jun, 2014 4 commits
  4. 05 Jun, 2014 6 commits
  5. 04 Jun, 2014 7 commits
  6. 03 Jun, 2014 10 commits
    • Michal Kubecek's avatar
      xfrm: fix race between netns cleanup and state expire notification · 21ee543e
      Michal Kubecek authored
      The xfrm_user module registers its pernet init/exit after xfrm
      itself so that its net exit function xfrm_user_net_exit() is
      executed before xfrm_net_exit() which calls xfrm_state_fini() to
      cleanup the SA's (xfrm states). This opens a window between
      zeroing net->xfrm.nlsk pointer and deleting all xfrm_state
      instances which may access it (via the timer). If an xfrm state
      expires in this window, xfrm_exp_state_notify() will pass null
      pointer as socket to nlmsg_multicast().
      
      As the notifications are called inside rcu_read_lock() block, it
      is sufficient to retrieve the nlsk socket with rcu_dereference()
      and check the it for null.
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21ee543e
    • David S. Miller's avatar
      Merge branch 'cnic' · 1299b3c4
      David S. Miller authored
      Michael Chan says:
      
      ====================
      cnic fixes
      
      Fix 2 sleeping function from invalid context bugs and 1 missing iscsi netlink
      message bug.
      
      v2: Fixed typo in rcu_dereference_protected() and tested with CONFIG_PROVE_RCU
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1299b3c4
    • Michael Chan's avatar
      cnic: Fix missing ISCSI_KEVENT_IF_DOWN message · 59436914
      Michael Chan authored
      The iSCSI netlink message needs to be sent before the ulp_ops is cleared
      as it is sent through a function pointer in the ulp_ops.  This bug
      causes iscsid to not get the message when the bnx2i driver is unloaded.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59436914
    • Michael Chan's avatar
      cnic: Don't take cnic_dev_lock in cnic_alloc_uio_rings() · 437b8a26
      Michael Chan authored
      We are allocating memory with GFP_KERNEL under spinlock.  Since this is
      the only call manipulating the cnic_udev_list and it is always under
      rtnl_lock, cnic_dev_lock can be safely removed.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      437b8a26
    • Michael Chan's avatar
      cnic: Don't take rcu_read_lock in cnic_rcv_netevent() · 20f30c2d
      Michael Chan authored
      Because the called function, such as bnx2fc_indicate_netevent(), can sleep,
      we cannot take rcu_lock().  To prevent the rcu protected ulp_ops from going
      away, we use the cnic_lock mutex and set the ULP_F_CALL_PENDING flag.
      The code already waits for ULP_F_CALL_PENDING flag to clear in
      cnic_unregister_device().
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20f30c2d
    • Christian Riesch's avatar
      net: davinci_emac: Remove unwanted debug/error message · 74f43922
      Christian Riesch authored
      In commit cd11cf50 I accidentally
      added an error message. I used it for debugging and forgot to remove
      it before submitting the patch.
      Signed-off-by: default avatarChristian Riesch <christian.riesch@omicron.at>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74f43922
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · cae61ba3
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Unbreak zebra and other netlink apps, from Eric W Biederman.
      
       2) Some new qmi_wwan device IDs, from Aleksander Morgado.
      
       3) Fix info leak in DCB netlink handler of qlcnic driver, from Dan
          Carpenter.
      
       4) inet_getid() and ipv6_select_ident() do not generate monotonically
          increasing ID numbers, fix from Eric Dumazet.
      
       5) Fix memory leak in __sk_prepare_filter(), from Leon Yu.
      
       6) Netlink leftover bytes warning message is user triggerable, rate
          limit it.  From Michal Schmidt.
      
       7) Fix non-linear SKB panic in ipvs, from Peter Christensen.
      
       8) Congestion window undo needs to be performed even if only never
          retransmitted data is SACK'd, fix from Yuching Cheng.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
        net: filter: fix possible memory leak in __sk_prepare_filter()
        net: ec_bhf: Add runtime dependencies
        tcp: fix cwnd undo on DSACK in F-RTO
        netlink: Only check file credentials for implicit destinations
        ipheth: Add support for iPad 2 and iPad 3
        team: fix mtu setting
        net: fix inet_getid() and ipv6_select_ident() bugs
        net: qmi_wwan: interface #11 in Sierra Wireless MC73xx is not QMI
        net: qmi_wwan: add additional Sierra Wireless QMI devices
        bridge: Prevent insertion of FDB entry with disallowed vlan
        netlink: rate-limit leftover bytes warning and print process name
        bridge: notify user space after fdb update
        net: qmi_wwan: add Netgear AirCard 341U
        net: fix wrong mac_len calculation for vlans
        batman-adv: fix NULL pointer dereferences
        net/mlx4_core: Reset RoCE VF gids when guest driver goes down
        emac: aggregation of v1-2 PLB errors for IER register
        emac: add missing support of 10mbit in emac/rgmii
        can: only rename enabled led triggers when changing the netdev name
        ipvs: Fix panic due to non-linear skb
        ...
      cae61ba3
    • Leon Yu's avatar
      net: filter: fix possible memory leak in __sk_prepare_filter() · 418c96ac
      Leon Yu authored
      __sk_prepare_filter() was reworked in commit bd4cf0ed (net: filter:
      rework/optimize internal BPF interpreter's instruction set) so that it should
      have uncharged memory once things went wrong. However that work isn't complete.
      Error is handled only in __sk_migrate_filter() while memory can still leak in
      the error path right after sk_chk_filter().
      
      Fixes: bd4cf0ed ("net: filter: rework/optimize internal BPF interpreter's instruction set")
      Signed-off-by: default avatarLeon Yu <chianglungyu@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Tested-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      418c96ac
    • Linus Torvalds's avatar
      Merge tag 'md/3.15-fixes' of git://neil.brown.name/md · ca755175
      Linus Torvalds authored
      Pull two md bugfixes from Neil Brown:
       "Two md bugfixes for possible corruption when restarting reshape
      
        If a raid5/6 reshape is restarted (After stopping and re-assembling
        the array) and the array is marked read-only (or read-auto), then the
        reshape will appear to complete immediately, without actually moving
        anything around.  This can result in corruption.
      
        There are two patches which do much the same thing in different
        places.  They are separate because one is an older bug and so can be
        applied to more -stable kernels"
      
      * tag 'md/3.15-fixes' of git://neil.brown.name/md:
        md: always set MD_RECOVERY_INTR when interrupting a reshape thread.
        md: always set MD_RECOVERY_INTR when aborting a reshape or other "resync".
      ca755175
    • Jean Delvare's avatar
      net: ec_bhf: Add runtime dependencies · 3aab01d8
      Jean Delvare authored
      The ec_bhf driver is specific to the Beckhoff CX embedded PC series.
      These are based on Intel x86 CPU. So we can add a dependency on
      X86, with COMPILE_TEST as an alternative to still allow for broader
      build-testing.
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Cc: Darek Marcinkiewicz <reksio@newterm.pl>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3aab01d8
  7. 02 Jun, 2014 6 commits