1. 15 Nov, 2013 4 commits
    • Michal Kubeček's avatar
      macvlan: introduce macvlan_dev_real_dev() helper function · be9eac48
      Michal Kubeček authored
      Introduce helper function macvlan_dev_real_dev which returns the
      underlying device of a macvlan device, similar to vlan_dev_real_dev()
      for 802.1q VLAN devices.
      
      v2: IFF_MACVLAN flag and equivalent of is_macvlan_dev() were
      introduced in the meantime
      
      v3: do BUG() if compiled without macvlan support
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be9eac48
    • Wang Weidong's avatar
      bonding: add ip checks when store ip target · f9de11a1
      Wang Weidong authored
      I met a Bug when I add ip target with the wrong ip address:
      
      echo +500.500.500.500 > /sys/class/net/bond0/bonding/arp_ip_target
      
      the wrong ip address will transfor to 245.245.245.244 and add
      to the ip target success, it is uncorrect, so I add checks to avoid
      adding wrong address.
      
      The in4_pton() will set wrong ip address to 0.0.0.0, it will return by
      the next check and will not add to ip target.
      
      v2
      According Veaceslav's opinion, simplify the code.
      
      v3
      According Veaceslav's opinion, add broadcast check and make a micro
      definition to package it.
      
      v4
      Solve the problem of the format which David point out.
      Suggested-by: default avatarVeaceslav Falico <vfalico@redhat.com>
      Suggested-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9de11a1
    • Jukka Rissanen's avatar
      6lowpan: Uncompression of traffic class field was incorrect · 1188f054
      Jukka Rissanen authored
      If priority/traffic class field in IPv6 header is set (seen when
      using ssh), the uncompression sets the TC and Flow fields incorrectly.
      
      Example:
      
      This is IPv6 header of a sent packet. Note the priority/TC (=1) in
      the first byte.
      
      00000000: 61 00 00 00 00 2c 06 40 fe 80 00 00 00 00 00 00
      00000010: 02 02 72 ff fe c6 42 10 fe 80 00 00 00 00 00 00
      00000020: 02 1e ab ff fe 4c 52 57
      
      This gets compressed like this in the sending side
      
      00000000: 72 31 04 06 02 1e ab ff fe 4c 52 57 ec c2 00 16
      00000010: aa 2d fe 92 86 4e be c6 ....
      
      In the receiving end, the packet gets uncompressed to this
      IPv6 header
      
      00000000: 60 06 06 02 00 2a 1e 40 fe 80 00 00 00 00 00 00
      00000010: 02 02 72 ff fe c6 42 10 fe 80 00 00 00 00 00 00
      00000020: ab ff fe 4c 52 57 ec c2
      
      First four bytes are set incorrectly and we have also lost
      two bytes from destination address.
      
      The fix is to switch the case values in switch statement
      when checking the TC field.
      Signed-off-by: default avatarJukka Rissanen <jukka.rissanen@linux.intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1188f054
    • Erik Hugne's avatar
      tipc: fix dereference before check warning · 3db0a197
      Erik Hugne authored
      This fixes the following Smatch warning:
      net/tipc/link.c:2364 tipc_link_recv_fragment()
          warn: variable dereferenced before check '*head' (see line 2361)
      
      A null pointer might be passed to skb_try_coalesce if
      a malicious sender injects orphan fragments on a link.
      Signed-off-by: default avatarErik Hugne <erik.hugne@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3db0a197
  2. 14 Nov, 2013 36 commits
    • Eric Dumazet's avatar
      ipv4: fix possible seqlock deadlock · c9e90429
      Eric Dumazet authored
      ip4_datagram_connect() being called from process context,
      it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
      otherwise we can deadlock on 32bit arches, or get corruptions of
      SNMP counters.
      
      Fixes: 584bdf8c ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c9e90429
    • Geyslan G. Bem's avatar
      net/hsr: Fix possible leak in 'hsr_get_node_status()' · 84a035f6
      Geyslan G. Bem authored
      If 'hsr_get_node_data()' returns error, going directly to 'fail' label
      doesn't free the memory pointed by 'skb_out'.
      Signed-off-by: default avatarGeyslan G. Bem <geyslan@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84a035f6
    • David S. Miller's avatar
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 8422d1f1
      David S. Miller authored
      John W. Linville says:
      
      ====================
      pull request: wireless 2013-11-14
      
      Please pull this batch of fixes intended for the 3.13 stream!
      
      Amitkumar Karwar offers a quartet of mwifiex fixes, including an
      endian fix and three fixes for invalid memory access.
      
      Avinash Patil trims the packet length value for packets received from
      an SDIO interface.
      
      Colin Ian King fixes a NULL pointer dereference in the rtlwifi
      efuse code.
      
      Dan Carpenter cleans-up an mwifiex integer underflow, a potential
      libertas oops, a memory corrupion bug in wcn36xx, and a locking issue
      also in wcn36xx.
      
      Dan Williams helps prism54 devices to avoid being misclassified as
      Ethernet devices.
      
      Felipe Pena fixes a couple of typo errors, one in rt2x00 and the
      other in rtlwifi.
      
      Janusz Dziedzic corrects a pair of DFS-related problems in ath9k.
      
      Larry Finger patches three rtlwifi drivers to correctly report signal
      strength even for an unassociated AP.
      
      Mark Cave-Ayland rewrites some endian-illiterate packet type extraction
      code in rtlwifi.
      
      Stanislaw Gruszka addresses an rt2x00 regression related to setting
      HT station WCID and AMPDU density parameters.
      
      Sujith Manoharan corrects the initvals settings for AR9485.
      
      Ujjal Roy patches an obscure bit of code in mwifiex that was using
      the wrong definition of eth_hdr when briding patches in AP mode.
      
      Wei Yongjun fixes a couple of bugs: one is a return code handling
      bug in libertas; and, the other is a locking issue in wcn36xx.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8422d1f1
    • Michael Dalton's avatar
      virtio-net: mergeable buffer size should include virtio-net header · 5061de36
      Michael Dalton authored
      Commit 2613af0e ("virtio_net: migrate mergeable rx buffers to page
      frag allocators") changed the mergeable receive buffer size from PAGE_SIZE
      to MTU-size. However, the merge buffer size does not take into account the
      size of the virtio-net header. Consequently, packets that are MTU-size
      will take two buffers intead of one (to store the virtio-net header),
      substantially decreasing the throughput of MTU-size traffic due to TCP
      window / SKB truesize effects.
      
      This commit changes the mergeable buffer size to include the virtio-net
      header. The buffer size is cacheline-aligned because skb_page_frag_refill
      will not automatically align the requested size.
      
      Benchmarks taken from an average of 5 netperf 30-second TCP_STREAM runs
      between two QEMU VMs on a single physical machine. Each VM has two VCPUs and
      vhost enabled. All VMs and vhost threads run in a single 4 CPU cgroup
      cpuset, using cgroups to ensure that other processes in the system will not
      be scheduled on the benchmark CPUs. Transmit offloads and mergeable receive
      buffers are enabled, but guest_tso4 / guest_csum are explicitly disabled to
      force MTU-sized packets on the receiver.
      
      next-net trunk before 2613af0e (PAGE_SIZE buf): 3861.08Gb/s
      net-next trunk (MTU 1500- packet uses two buf due to size bug): 4076.62Gb/s
      net-next trunk (MTU 1480- packet fits in one buf): 6301.34Gb/s
      net-next trunk w/ size fix (MTU 1500 - packet fits in one buf): 6445.44Gb/s
      Suggested-by: default avatarEric Northup <digitaleric@google.com>
      Signed-off-by: default avatarMichael Dalton <mwdalton@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5061de36
    • Chris Metcalf's avatar
      connector: improved unaligned access error fix · 1ca1a4cf
      Chris Metcalf authored
      In af3e095a, Erik Jacobsen fixed one type of unaligned access
      bug for ia64 by converting a 64-bit write to use put_unaligned().
      Unfortunately, since gcc will convert a short memset() to a series
      of appropriately-aligned stores, the problem is now visible again
      on tilegx, where the memset that zeros out proc_event is converted
      to three 64-bit stores, causing an unaligned access panic.
      
      A better fix for the original problem is to ensure that proc_event
      is aligned to 8 bytes here.  We can do that relatively easily by
      arranging to start the struct cn_msg aligned to 8 bytes and then
      offset by 4 bytes.  Doing so means that the immediately following
      proc_event structure is then correctly aligned to 8 bytes.
      
      The result is that the memset() stores are now aligned, and as an
      added benefit, we can remove the put_unaligned() calls in the code.
      Signed-off-by: default avatarChris Metcalf <cmetcalf@tilera.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ca1a4cf
    • Maciej Żenczykowski's avatar
      pkt_sched: fq: change classification of control packets · 2abc2f07
      Maciej Żenczykowski authored
      Initial sch_fq implementation copied code from pfifo_fast to classify
      a packet as a high prio packet.
      
      This clashes with setups using PRIO with say 7 bands, as one of the
      band could be incorrectly (mis)classified by FQ.
      
      Packets would be queued in the 'internal' queue, and no pacing ever
      happen for this special queue.
      
      Fixes: afe4fd06 ("pkt_sched: fq: Fair Queue packet scheduler")
      Signed-off-by: default avatarMaciej Żenczykowski <maze@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2abc2f07
    • hahnjo's avatar
      alx: Reset phy speed after resume · b54629e2
      hahnjo authored
      This fixes bug 62491 (https://bugzilla.kernel.org/show_bug.cgi?id=62491).
      After resuming some users got the following error flooding the kernel log:
      alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff
      Signed-off-by: default avatarJonas Hahnfeld <linux@hahnjo.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b54629e2
    • David S. Miller's avatar
      Merge branch 'genetlink' · 4fb09a87
      David S. Miller authored
      Johannes Berg says:
      
      ====================
      genetlink: reduce ops size and complexity (v2)
      
      As before - reduce the complexity and data/code size of genetlink ops
      by making them an array rather than a linked list. Most users already
      use an array thanks to genl_register_family_with_ops(), so convert the
      remaining ones allowing us to get rid of the list head in each op.
      
      Also make them const, this just makes sense at that point and the security
      people like making function pointers const as well :-)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4fb09a87
    • Johannes Berg's avatar
      genetlink: make genl_ops flags a u8 and move to end · 3f5ccd06
      Johannes Berg authored
      To save some space in the struct on 32-bit systems,
      make the flags a u8 (only 4 bits are used) and also
      move them to the end of the struct.
      
      This has no impact on 64-bit systems as alignment of
      the struct in an array uses up the space anyway.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f5ccd06
    • Johannes Berg's avatar
      genetlink: make all genl_ops users const · 4534de83
      Johannes Berg authored
      Now that genl_ops are no longer modified in place when
      registering, they can be made const. This patch was done
      mostly with spatch:
      
      @@
      identifier ops;
      @@
      +const
       struct genl_ops ops[] = {
       ...
       };
      
      (except the struct thing in net/openvswitch/datapath.c)
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4534de83
    • Johannes Berg's avatar
      genetlink: allow making ops const · f84f771d
      Johannes Berg authored
      Allow making the ops array const by not modifying the ops
      flags on registration but rather only when ops are sent
      out in the family information.
      
      No users are updated yet except for the pre_doit/post_doit
      calls in wireless (the only ones that exist now.)
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f84f771d
    • Johannes Berg's avatar
      genetlink: register family ops as array · d91824c0
      Johannes Berg authored
      Instead of using a linked list, use an array. This reduces
      the data size needed by the users of genetlink, for example
      in wireless (net/wireless/nl80211.c) on 64-bit it frees up
      over 1K of data space.
      
      Remove the attempted sending of CTRL_CMD_NEWOPS ctrl event
      since genl_ctrl_event(CTRL_CMD_NEWOPS, ...) only returns
      -EINVAL anyway, therefore no such event could ever be sent.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d91824c0
    • Johannes Berg's avatar
      genetlink: remove genl_register_ops/genl_unregister_ops · 3686ec5e
      Johannes Berg authored
      genl_register_ops() is still needed for internal registration,
      but is no longer available to users of the API.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3686ec5e
    • Johannes Berg's avatar
      wimax: use genl_register_family_with_ops() · b61a5eea
      Johannes Berg authored
      This simplifies the code since there's no longer a need to
      have error handling in the registration.
      
      Unfortunately it means more extern function declarations are
      needed, but the overall goal would seem to justify this.
      
      Due to the removal of duplication in the netlink policies,
      this reduces the size of wimax by almost 1k.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b61a5eea
    • Johannes Berg's avatar
      ieee802154: use genl_register_family_with_ops() · 1c582d91
      Johannes Berg authored
      This simplifies the code since there's no longer a need to
      have error handling in the registration.
      
      Unfortunately it means more extern function declarations are
      needed, but the overall goal would seem to justify this.
      
      While at it, also fix the registration error path - if the
      family registration failed then it shouldn't be unregistered.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1c582d91
    • Johannes Berg's avatar
      hsr: use genl_register_family_with_ops() · 9504b3ee
      Johannes Berg authored
      This simplifies the code since there's no longer a
      need to have error handling in the registration.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9504b3ee
    • Johannes Berg's avatar
      taskstats: use genl_register_family_with_ops() · 88d36a99
      Johannes Berg authored
      This simplifies the code since there's no longer a
      need to have error handling in the registration.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88d36a99
    • Nicolas Dichtel's avatar
      ip6tnl: fix use after free of fb_tnl_dev · 1e9f3d6f
      Nicolas Dichtel authored
      Bug has been introduced by commit bb814094 ("ip6tnl: allow to use rtnl ops
      on fb tunnel").
      
      When ip6_tunnel.ko is unloaded, FB device is delete by rtnl_link_unregister()
      and then we try to use the pointer in ip6_tnl_destroy_tunnels().
      
      Let's add an handler for dellink, which will never remove the FB tunnel. With
      this patch it will no more be possible to remove it via 'ip link del ip6tnl0',
      but it's safer.
      
      The same fix was already proposed by Willem de Bruijn <willemb@google.com> for
      sit interfaces.
      
      CC: Willem de Bruijn <willemb@google.com>
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e9f3d6f
    • Nicolas Dichtel's avatar
      sit/gre6: don't try to add the same route two times · f7cb8886
      Nicolas Dichtel authored
      addrconf_add_linklocal() already adds the link local route, so there is no
      reason to add it before calling this function.
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7cb8886
    • Nicolas Dichtel's avatar
      sit: link local routes are missing · f0e2acfa
      Nicolas Dichtel authored
      When a link local address was added to a sit interface, the corresponding route
      was not configured. This breaks routing protocols that use the link local
      address, like OSPFv3.
      
      To ease the code reading, I remove sit_route_add(), which only adds v4 mapped
      routes, and add this kind of route directly in sit_add_v4_addrs(). Thus link
      local and v4 mapped routes are configured in the same place.
      Reported-by: default avatarLi Hongjun <hongjun.li@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0e2acfa
    • Nicolas Dichtel's avatar
      sit: fix prefix length of ll and v4mapped addresses · 929c9cf3
      Nicolas Dichtel authored
      When the local IPv4 endpoint is wilcard (0.0.0.0), the prefix length is
      correctly set, ie 64 if the address is a link local one or 96 if the address is
      a v4 mapped one.
      But when the local endpoint is specified, the prefix length is set to 128 for
      both kind of address. This patch fix this wrong prefix length.
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      929c9cf3
    • Dan Carpenter's avatar
      isdnloop: use strlcpy() instead of strcpy() · f9a23c84
      Dan Carpenter authored
      These strings come from a copy_from_user() and there is no way to be
      sure they are NUL terminated.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9a23c84
    • Willem de Bruijn's avatar
      sit: fix use after free of fb_tunnel_dev · 9434266f
      Willem de Bruijn authored
      Bug: The fallback device is created in sit_init_net and assumed to be
      freed in sit_exit_net. First, it is dereferenced in that function, in
      sit_destroy_tunnels:
      
              struct net *net = dev_net(sitn->fb_tunnel_dev);
      
      Prior to this, rtnl_unlink_register has removed all devices that match
      rtnl_link_ops == sit_link_ops.
      
      Commit 205983c4 added the line
      
      +       sitn->fb_tunnel_dev->rtnl_link_ops = &sit_link_ops;
      
      which cases the fallback device to match here and be freed before it
      is last dereferenced.
      
      Fix: This commit adds an explicit .delllink callback to sit_link_ops
      that skips deallocation at rtnl_unlink_register for the fallback
      device. This mechanism is comparable to the one in ip_tunnel.
      
      It also modifies sit_destroy_tunnels and its only caller sit_exit_net
      to avoid the offending dereference in the first place. That double
      lookup is more complicated than required.
      
      Test: The bug is only triggered when CONFIG_NET_NS is enabled. It
      causes a GPF only when CONFIG_DEBUG_SLAB is enabled. Verified that
      this bug exists at the mentioned commit, at davem-net HEAD and at
      3.11.y HEAD. Verified that it went away after applying this patch.
      
      Fixes: 205983c4 ("sit: allow to use rtnl ops on fb tunnel")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9434266f
    • Duan Fugang-B38611's avatar
      net:fec: fix WARNING caused by lack of calls to dma_mapping_error() · d842a31f
      Duan Fugang-B38611 authored
      The driver fails to check the results of DMA mapping and results in
      the following warning: (with kernel config "CONFIG_DMA_API_DEBUG" enable)
      
      ------------[ cut here ]------------
      WARNING: at lib/dma-debug.c:937 check_unmap+0x43c/0x7d8()
      fec 2188000.ethernet: DMA-API: device driver failed to check map
      error[device address=0x00000000383a8040] [size=2048 bytes] [mapped as single]
      
      Modules linked in:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.17-16827-g9cdb0ba-dirty #188
      [<80013c4c>] (unwind_backtrace+0x0/0xf8) from [<80011704>] (show_stack+0x10/0x14)
      [<80011704>] (show_stack+0x10/0x14) from [<80025614>] (warn_slowpath_common+0x4c/0x6c)
      [<80025614>] (warn_slowpath_common+0x4c/0x6c) from [<800256c8>] (warn_slowpath_fmt+0x30/0x40)
      [<800256c8>] (warn_slowpath_fmt+0x30/0x40) from [<8026bfdc>] (check_unmap+0x43c/0x7d8)
      [<8026bfdc>] (check_unmap+0x43c/0x7d8) from [<8026c584>] (debug_dma_unmap_page+0x6c/0x78)
      [<8026c584>] (debug_dma_unmap_page+0x6c/0x78) from [<8038049c>] (fec_enet_rx_napi+0x254/0x8a8)
      [<8038049c>] (fec_enet_rx_napi+0x254/0x8a8) from [<804dc8c0>] (net_rx_action+0x94/0x160)
      [<804dc8c0>] (net_rx_action+0x94/0x160) from [<8002c758>] (__do_softirq+0xe8/0x1d0)
      [<8002c758>] (__do_softirq+0xe8/0x1d0) from [<8002c8e8>] (do_softirq+0x4c/0x58)
      [<8002c8e8>] (do_softirq+0x4c/0x58) from [<8002cb50>] (irq_exit+0x90/0xc8)
      [<8002cb50>] (irq_exit+0x90/0xc8) from [<8000ea88>] (handle_IRQ+0x3c/0x94)
      [<8000ea88>] (handle_IRQ+0x3c/0x94) from [<8000855c>] (gic_handle_irq+0x28/0x5c)
      [<8000855c>] (gic_handle_irq+0x28/0x5c) from [<8000de00>] (__irq_svc+0x40/0x50)
      Exception stack(0x815a5f38 to 0x815a5f80)
      5f20:                                                       815a5f80 3b9aca00
      5f40: 0fe52383 00000002 0dd8950e 00000002 81e7b080 00000000 00000000 815ac4d8
      5f60: 806032ec 00000000 00000017 815a5f80 80059028 8041fc4c 60000013 ffffffff
      [<8000de00>] (__irq_svc+0x40/0x50) from [<8041fc4c>] (cpuidle_enter_state+0x50/0xf0)
      [<8041fc4c>] (cpuidle_enter_state+0x50/0xf0) from [<8041fd94>] (cpuidle_idle_call+0xa8/0x14c)
      [<8041fd94>] (cpuidle_idle_call+0xa8/0x14c) from [<8000edac>] (arch_cpu_idle+0x10/0x4c)
      [<8000edac>] (arch_cpu_idle+0x10/0x4c) from [<800582f8>] (cpu_startup_entry+0x60/0x130)
      [<800582f8>] (cpu_startup_entry+0x60/0x130) from [<80bc7a48>] (start_kernel+0x2d0/0x328)
      [<80bc7a48>] (start_kernel+0x2d0/0x328) from [<10008074>] (0x10008074)
      ---[ end trace c6edec32436e0042 ]---
      
      Because dma-debug add new interfaces to debug dma mapping errors, pls refer
      to: http://lwn.net/Articles/516640/
      
      After dma mapping, it must call dma_mapping_error() to check mapping error,
      otherwise the map_err_type alway is MAP_ERR_NOT_CHECKED, check_unmap() define
      the mapping is not checked and dump the error msg. So,add dma_mapping_error()
      checking to fix the WARNING
      
      And RX DMA buffers are used repeatedly and the driver copies it into an skb,
      fec_enet_rx() should not map or unmap, use dma_sync_single_for_cpu()/dma_sync_single_for_device()
      instead of dma_map_single()/dma_unmap_single().
      
      There have another potential issue:  fec_enet_rx() passes the DMA address to __va().
      Physical and DMA addresses are *not* the same thing. They may differ if the device
      is behind an IOMMU or bounce buffering was required, or just because there is a fixed
      offset between the device and host physical addresses. Also fix it in this patch.
      
      =============================================
      V2: add net_ratelimit() to limit map err message.
          use dma_sync_single_for_cpu() instead of dma_map_single().
          fix the issue that pass DMA addresses to __va() to get virture address.
      V1: initial send
      =============================================
      Signed-off-by: default avatarFugang Duan <B38611@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d842a31f
    • Chang Xiangzhong's avatar
      net: sctp: bug-fixing: retran_path not set properly after transports recovering (v3) · d30a58ba
      Chang Xiangzhong authored
      When a transport recovers due to the new coming sack, SCTP should
      iterate all of its transport_list to locate the __two__ most recently used
      transport and set to active_path and retran_path respectively. The exising
      code does not find the two properly - In case of the following list:
      
      [most-recent] -> [2nd-most-recent] -> ...
      
      Both active_path and retran_path would be set to the 1st element.
      
      The bug happens when:
      1) multi-homing
      2) failure/partial_failure transport recovers
      Both active_path and retran_path would be set to the same most-recent one, in
      other words, retran_path would not take its role - an end user might not even
      notice this issue.
      Signed-off-by: default avatarChang Xiangzhong <changxiangzhong@gmail.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d30a58ba
    • Eric Dumazet's avatar
      net-tcp: fix panic in tcp_fastopen_cache_set() · dccf76ca
      Eric Dumazet authored
      We had some reports of crashes using TCP fastopen, and Dave Jones
      gave a nice stack trace pointing to the error.
      
      Issue is that tcp_get_metrics() should not be called with a NULL dst
      
      Fixes: 1fe4c481 ("net-tcp: Fast Open client - cookie cache")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Tested-by: default avatarDave Jones <davej@fedoraproject.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dccf76ca
    • Nikolay Aleksandrov's avatar
      bonding: fix two race conditions in bond_store_updelay/downdelay · b869ccfa
      Nikolay Aleksandrov authored
      This patch fixes two race conditions between bond_store_updelay/downdelay
      and bond_store_miimon which could lead to division by zero as miimon can
      be set to 0 while either updelay/downdelay are being set and thus miss the
      zero check in the beginning, the zero div happens because updelay/downdelay
      are stored as new_value / bond->params.miimon. Use rtnl to synchronize with
      miimon setting.
      
      CC: Jay Vosburgh <fubar@us.ibm.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: Veaceslav Falico <vfalico@redhat.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: default avatarVeaceslav Falico <vfalico@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b869ccfa
    • Eric Dumazet's avatar
      tcp: tsq: restore minimal amount of queueing · 98e09386
      Eric Dumazet authored
      After commit c9eeec26 ("tcp: TSQ can use a dynamic limit"), several
      users reported throughput regressions, notably on mvneta and wifi
      adapters.
      
      802.11 AMPDU requires a fair amount of queueing to be effective.
      
      This patch partially reverts the change done in tcp_write_xmit()
      so that the minimal amount is sysctl_tcp_limit_output_bytes.
      
      It also remove the use of this sysctl while building skb stored
      in write queue, as TSO autosizing does the right thing anyway.
      
      Users with well behaving NICS and correct qdisc (like sch_fq),
      can then lower the default sysctl_tcp_limit_output_bytes value from
      128KB to 8KB.
      
      This new usage of sysctl_tcp_limit_output_bytes permits each driver
      authors to check how their driver performs when/if the value is set
      to a minimum of 4KB.
      
      Normally, line rate for a single TCP flow should be possible,
      but some drivers rely on timers to perform TX completion and
      too long TX completion delays prevent reaching full throughput.
      
      Fixes: c9eeec26 ("tcp: TSQ can use a dynamic limit")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarSujith Manoharan <sujith@msujith.org>
      Reported-by: default avatarArnaud Ebalard <arno@natisbad.org>
      Tested-by: default avatarSujith Manoharan <sujith@msujith.org>
      Cc: Felix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      98e09386
    • David S. Miller's avatar
      Merge branch 'hwtstamp' · 6afae645
      David S. Miller authored
      Ben Hutchings says:
      
      ====================
      net_tstamp: Validate hwtstamp_config completely before applying it
      
      This series fixes very similar bugs in 6 implementations of
      SIOCSHWTSTAMP.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6afae645
    • Ben Hutchings's avatar
      ixp4xx_eth: Validate hwtstamp_config completely before applying it · a5be8cd3
      Ben Hutchings authored
      hwtstamp_ioctl() should validate all fields of hwtstamp_config
      before making any changes.  Currently it sets the TX configuration
      before validating the rx_filter field.
      
      Untested as I don't have a cross-compiler to hand.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5be8cd3
    • Ben Hutchings's avatar
      ti_cpsw: Validate hwtstamp_config completely before applying it · 2ee91e54
      Ben Hutchings authored
      cpsw_hwtstamp_ioctl() should validate all fields of hwtstamp_config,
      and the hardware version, before making any changes.  Currently it
      sets the TX configuration before validating the rx_filter field
      or that the hardware supports timestamping.
      
      Also correct the error code for hardware versions that don't
      support timestamping.  ENOTSUPP is used by the NFS implementation
      and is not part of userland API; we want EOPNOTSUPP (which glibc
      also calls ENOTSUP, with one 'P').
      
      Untested as I don't have a cross-compiler to hand.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Acked-by: default avatarMugunthan V N <mugunthanvnm@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2ee91e54
    • Ben Hutchings's avatar
      stmmac: Validate hwtstamp_config completely before applying it · 5f3da328
      Ben Hutchings authored
      stmmac_hwtstamp_ioctl() should validate all fields of hwtstamp_config
      before making any changes.  Currently it sets the TX configuration
      before validating the rx_filter field.
      
      Compile-tested only.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f3da328
    • Ben Hutchings's avatar
      pch_gbe: Validate hwtstamp_config completely before applying it · 810abe9b
      Ben Hutchings authored
      hwtstamp_ioctl() should validate all fields of hwtstamp_config
      before making any changes.  Currently it sets the TX configuration
      before validating the rx_filter field.
      
      Compile-tested only.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      810abe9b
    • Ben Hutchings's avatar
      e1000e: Validate hwtstamp_config completely before applying it · 62d7e3a2
      Ben Hutchings authored
      e1000e_hwtstamp_ioctl() should validate all fields of hwtstamp_config
      before making any changes.  Currently it copies the configuration to
      the e1000_adapter structure before validating it at all.
      
      Change e1000e_config_hwtstamp() to take a pointer to the
      hwstamp_config and to copy the config after validating it.
      
      Compile-tested only.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      62d7e3a2
    • Ben Hutchings's avatar
      tg3: Validate hwtstamp_config completely before applying it · 58b187c6
      Ben Hutchings authored
      tg3_hwtstamp_ioctl() should validate all fields of hwtstamp_config
      before making any changes.  Currently it sets the TX configuration
      before validating the rx_filter field.
      
      Compile-tested only.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Acked-by: default avatarNithin Nayak Sujir <nsujir@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58b187c6
    • Toshiaki Makita's avatar
      bridge: Fix memory leak when deleting bridge with vlan filtering enabled · b4e09b29
      Toshiaki Makita authored
      We currently don't call br_vlan_flush() when deleting a bridge, which
      leads to memory leak if br->vlan_info is allocated.
      
      Steps to reproduce:
        while :
        do
          brctl addbr br0
          bridge vlan add dev br0 vid 10 self
          brctl delbr br0
        done
      We can observe the cache size of corresponding slab entry
      (as kmalloc-2048 in SLUB) is increased.
      
      kmemleak output:
      unreferenced object 0xffff8800b68a7000 (size 2048):
        comm "bridge", pid 2086, jiffies 4295774704 (age 47.656s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 48 9b 36 00 88 ff ff  .........H.6....
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff815eb6ae>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff8116a1ca>] kmem_cache_alloc_trace+0xca/0x220
          [<ffffffffa03eddd6>] br_vlan_add+0x66/0xe0 [bridge]
          [<ffffffffa03e543c>] br_setlink+0x2dc/0x340 [bridge]
          [<ffffffff8150e481>] rtnl_bridge_setlink+0x101/0x200
          [<ffffffff8150d9d9>] rtnetlink_rcv_msg+0x99/0x260
          [<ffffffff81528679>] netlink_rcv_skb+0xa9/0xc0
          [<ffffffff8150d938>] rtnetlink_rcv+0x28/0x30
          [<ffffffff81527ccd>] netlink_unicast+0xdd/0x190
          [<ffffffff8152807f>] netlink_sendmsg+0x2ff/0x740
          [<ffffffff814e8368>] sock_sendmsg+0x88/0xc0
          [<ffffffff814e8ac8>] ___sys_sendmsg.part.14+0x298/0x2b0
          [<ffffffff814e91de>] __sys_sendmsg+0x4e/0x90
          [<ffffffff814e922e>] SyS_sendmsg+0xe/0x10
          [<ffffffff81601669>] system_call_fastpath+0x16/0x1b
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4e09b29