1. 27 Jan, 2015 21 commits
    • Ben Hutchings's avatar
      sh_eth: Remove RX overflow log messages · dc1d0e6d
      Ben Hutchings authored
      If RX traffic is overflowing the FIFO or DMA ring, logging every time
      this happens just makes things worse.  These errors are visible in the
      statistics anyway.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc1d0e6d
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-3.19-20150127' of... · 8d8d67f1
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-3.19-20150127' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2015-01-27
      
      this is another pull request for net/master which consists of 4 patches.
      
      All 4 patches are contributed by Ahmed S. Darwish, he fixes more problems in
      the kvaser_usb driver.
      
      David, please merge net/master to net-next/master, as we have more kvaser_usb
      patches in the queue, that target net-next.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d8d67f1
    • subashab@codeaurora.org's avatar
      ping: Fix race in free in receive path · fc752f1f
      subashab@codeaurora.org authored
      An exception is seen in ICMP ping receive path where the skb
      destructor sock_rfree() tries to access a freed socket. This happens
      because ping_rcv() releases socket reference with sock_put() and this
      internally frees up the socket. Later icmp_rcv() will try to free the
      skb and as part of this, skb destructor is called and which leads
      to a kernel panic as the socket is freed already in ping_rcv().
      
      -->|exception
      -007|sk_mem_uncharge
      -007|sock_rfree
      -008|skb_release_head_state
      -009|skb_release_all
      -009|__kfree_skb
      -010|kfree_skb
      -011|icmp_rcv
      -012|ip_local_deliver_finish
      
      Fix this incorrect free by cloning this skb and processing this cloned
      skb instead.
      
      This patch was suggested by Eric Dumazet
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc752f1f
    • Herbert Xu's avatar
      udp_diag: Fix socket skipping within chain · 86f3cddb
      Herbert Xu authored
      While working on rhashtable walking I noticed that the UDP diag
      dumping code is buggy.  In particular, the socket skipping within
      a chain never happens, even though we record the number of sockets
      that should be skipped.
      
      As this code was supposedly copied from TCP, this patch does what
      TCP does and resets num before we walk a chain.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarPavel Emelyanov <xemul@parallels.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86f3cddb
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Fix state handling upon BUS_ERROR events · e638642b
      Ahmed S. Darwish authored
      While being in an ERROR_WARNING state, and receiving further
      bus error events with error counters still in the ERROR_WARNING
      range of 97-127 inclusive, the state handling code erroneously
      reverts back to ERROR_ACTIVE.
      
      Per the CAN standard, only revert to ERROR_ACTIVE when the
      error counters are less than 96.
      
      Moreover, in certain Kvaser models, the BUS_ERROR flag is
      always set along with undefined bits in the M16C status
      register. Thus use bitwise operators instead of full equality
      for checking that register against bus errors.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      e638642b
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT · 14c10c2a
      Ahmed S. Darwish authored
      On some x86 laptops, plugging a Kvaser device again after an
      unplug makes the firmware always ignore the very first command.
      For such a case, provide some room for retries instead of
      completely exiting the driver init code.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      14c10c2a
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Send correct context to URB completion · 3803fa69
      Ahmed S. Darwish authored
      Send expected argument to the URB completion hander: a CAN
      netdevice instead of the network interface private context
      `kvaser_usb_net_priv'.
      
      This was discovered by having some garbage in the kernel
      log in place of the netdevice names: can0 and can1.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      3803fa69
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Do not sleep in atomic context · ded50066
      Ahmed S. Darwish authored
      Upon receiving a hardware event with the BUS_RESET flag set,
      the driver kills all of its anchored URBs and resets all of
      its transmit URB contexts.
      
      Unfortunately it does so under the context of URB completion
      handler `kvaser_usb_read_bulk_callback()', which is often
      called in an atomic context.
      
      While the device is flooded with many received error packets,
      usb_kill_urb() typically sleeps/reschedules till the transfer
      request of each killed URB in question completes, leading to
      the sleep in atomic bug. [3]
      
      In v2 submission of the original driver patch [1], it was
      stated that the URBs kill and tx contexts reset was needed
      since we don't receive any tx acknowledgments later and thus
      such resources will be locked down forever. Fortunately this
      is no longer needed since an earlier bugfix in this patch
      series is now applied: all tx URB contexts are reset upon CAN
      channel close. [2]
      
      Moreover, a BUS_RESET is now treated _exactly_ like a BUS_OFF
      event, which is the recommended handling method advised by
      the device manufacturer.
      
      [1] http://article.gmane.org/gmane.linux.network/239442
          http://www.webcitation.org/6Vr2yagAQ
      
      [2] can: kvaser_usb: Reset all URB tx contexts upon channel close
          889b77f7
      
      [3] Stacktrace:
      
       <IRQ>  [<ffffffff8158de87>] dump_stack+0x45/0x57
       [<ffffffff8158b60c>] __schedule_bug+0x41/0x4f
       [<ffffffff815904b1>] __schedule+0x5f1/0x700
       [<ffffffff8159360a>] ? _raw_spin_unlock_irqrestore+0xa/0x10
       [<ffffffff81590684>] schedule+0x24/0x70
       [<ffffffff8147d0a5>] usb_kill_urb+0x65/0xa0
       [<ffffffff81077970>] ? prepare_to_wait_event+0x110/0x110
       [<ffffffff8147d7d8>] usb_kill_anchored_urbs+0x48/0x80
       [<ffffffffa01f4028>] kvaser_usb_unlink_tx_urbs+0x18/0x50 [kvaser_usb]
       [<ffffffffa01f45d0>] kvaser_usb_rx_error+0xc0/0x400 [kvaser_usb]
       [<ffffffff8108b14a>] ? vprintk_default+0x1a/0x20
       [<ffffffffa01f5241>] kvaser_usb_read_bulk_callback+0x4c1/0x5f0 [kvaser_usb]
       [<ffffffff8147a73e>] __usb_hcd_giveback_urb+0x5e/0xc0
       [<ffffffff8147a8a1>] usb_hcd_giveback_urb+0x41/0x110
       [<ffffffffa0008748>] finish_urb+0x98/0x180 [ohci_hcd]
       [<ffffffff810cd1a7>] ? acct_account_cputime+0x17/0x20
       [<ffffffff81069f65>] ? local_clock+0x15/0x30
       [<ffffffffa000a36b>] ohci_work+0x1fb/0x5a0 [ohci_hcd]
       [<ffffffff814fbb31>] ? process_backlog+0xb1/0x130
       [<ffffffffa000cd5b>] ohci_irq+0xeb/0x270 [ohci_hcd]
       [<ffffffff81479fc1>] usb_hcd_irq+0x21/0x30
       [<ffffffff8108bfd3>] handle_irq_event_percpu+0x43/0x120
       [<ffffffff8108c0ed>] handle_irq_event+0x3d/0x60
       [<ffffffff8108ec84>] handle_fasteoi_irq+0x74/0x110
       [<ffffffff81004dfd>] handle_irq+0x1d/0x30
       [<ffffffff81004727>] do_IRQ+0x57/0x100
       [<ffffffff8159482a>] common_interrupt+0x6a/0x6a
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      ded50066
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2015-01-23' of... · 7d63585b
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2015-01-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Another set of last-minute fixes:
       * fix station double-removal when suspending while associating
       * fix the HT (802.11n) header length calculation
       * fix the CCK radiotap flag used for monitoring, a pretty
         old regression but a simple one-liner
       * fix per-station group-key handling
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7d63585b
    • Hannes Frederic Sowa's avatar
      ipv4: try to cache dst_entries which would cause a redirect · df4d9254
      Hannes Frederic Sowa authored
      Not caching dst_entries which cause redirects could be exploited by hosts
      on the same subnet, causing a severe DoS attack. This effect aggravated
      since commit f8864972 ("ipv4: fix dst race in sk_dst_get()").
      
      Lookups causing redirects will be allocated with DST_NOCACHE set which
      will force dst_release to free them via RCU.  Unfortunately waiting for
      RCU grace period just takes too long, we can end up with >1M dst_entries
      waiting to be released and the system will run OOM. rcuos threads cannot
      catch up under high softirq load.
      
      Attaching the flag to emit a redirect later on to the specific skb allows
      us to cache those dst_entries thus reducing the pressure on allocation
      and deallocation.
      
      This issue was discovered by Marcelo Leitner.
      
      Cc: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarMarcelo Leitner <mleitner@redhat.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df4d9254
    • David S. Miller's avatar
      Merge branch 'bpf' · 412d2907
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      bpf: fix two bugs
      
      Michael Holzheu caught two issues (in bpf syscall and in the test).
      Fix them. Details in corresponding patches.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      412d2907
    • Alexei Starovoitov's avatar
      samples: bpf: relax test_maps check · ba1a68bf
      Alexei Starovoitov authored
      hash map is unordered, so get_next_key() iterator shouldn't
      rely on particular order of elements. So relax this test.
      
      Fixes: ffb65f27 ("bpf: add a testsuite for eBPF maps")
      Reported-by: default avatarMichael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Acked-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba1a68bf
    • Alexei Starovoitov's avatar
      bpf: rcu lock must not be held when calling copy_to_user() · 8ebe667c
      Alexei Starovoitov authored
      BUG: sleeping function called from invalid context at mm/memory.c:3732
      in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
      1 lock held by test_maps/671:
       #0:  (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
      Call Trace:
      ([<0000000000115b7e>] show_trace+0x12e/0x150)
       [<0000000000115c40>] show_stack+0xa0/0x100
       [<00000000009b163c>] dump_stack+0x74/0xc8
       [<000000000017424a>] ___might_sleep+0x23a/0x248
       [<00000000002b58e8>] might_fault+0x70/0xe8
       [<0000000000264230>] map_lookup_elem+0x188/0x260
       [<0000000000264716>] SyS_bpf+0x20e/0x840
      
      Fix it by allocating temporary buffer to store map element value.
      
      Fixes: db20fd2b ("bpf: add lookup/update/delete/iterate methods to BPF maps")
      Reported-by: default avatarMichael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Acked-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ebe667c
    • Daniel Borkmann's avatar
      net: sctp: fix slab corruption from use after free on INIT collisions · 600ddd68
      Daniel Borkmann authored
      When hitting an INIT collision case during the 4WHS with AUTH enabled, as
      already described in detail in commit 1be9a950 ("net: sctp: inherit
      auth_capable on INIT collisions"), it can happen that we occasionally
      still remotely trigger the following panic on server side which seems to
      have been uncovered after the fix from commit 1be9a950 ...
      
      [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
      [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
      [  533.940559] PGD 5030f2067 PUD 0
      [  533.957104] Oops: 0000 [#1] SMP
      [  533.974283] Modules linked in: sctp mlx4_en [...]
      [  534.939704] Call Trace:
      [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
      [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
      [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
      [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
      [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
      [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
      [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
      [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      ... or depending on the the application, for example this one:
      
      [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
      [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
      [ 1370.054568] PGD 633c94067 PUD 0
      [ 1370.070446] Oops: 0000 [#1] SMP
      [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
      [ 1370.963431] Call Trace:
      [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
      [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
      [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
      [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
      [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      With slab debugging enabled, we can see that the poison has been overwritten:
      
      [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
      [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
      [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
      [  669.826424]  __slab_alloc+0x4bf/0x566
      [  669.826433]  __kmalloc+0x280/0x310
      [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
      [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
      [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
      [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
      [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
      [  669.826635]  __slab_free+0x39/0x2a8
      [  669.826643]  kfree+0x1d6/0x230
      [  669.826650]  kzfree+0x31/0x40
      [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
      [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
      [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
      
      Since this only triggers in some collision-cases with AUTH, the problem at
      heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
      when having refcnt 1, once directly in sctp_assoc_update() and yet again
      from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
      the already kzfree'd memory, which is also consistent with the observation
      of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
      at a later point in time when poison is checked on new allocation).
      
      Reference counting of auth keys revisited:
      
      Shared keys for AUTH chunks are being stored in endpoints and associations
      in endpoint_shared_keys list. On endpoint creation, a null key is being
      added; on association creation, all endpoint shared keys are being cached
      and thus cloned over to the association. struct sctp_shared_key only holds
      a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
      keeps track of users internally through refcounting. Naturally, on assoc
      or enpoint destruction, sctp_shared_key are being destroyed directly and
      the reference on sctp_auth_bytes dropped.
      
      User space can add keys to either list via setsockopt(2) through struct
      sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
      adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
      with refcount 1 and in case of replacement drops the reference on the old
      sctp_auth_bytes. A key can be set active from user space through setsockopt()
      on the id via sctp_auth_set_active_key(), which iterates through either
      endpoint_shared_keys and in case of an assoc, invokes (one of various places)
      sctp_auth_asoc_init_active_key().
      
      sctp_auth_asoc_init_active_key() computes the actual secret from local's
      and peer's random, hmac and shared key parameters and returns a new key
      directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
      the reference if there was a previous one. The secret, which where we
      eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
      intitial refcount of 1, which also stays unchanged eventually in
      sctp_assoc_update(). This key is later being used for crypto layer to
      set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
      
      To close the loop: asoc->asoc_shared_key is freshly allocated secret
      material and independant of the sctp_shared_key management keeping track
      of only shared keys in endpoints and assocs. Hence, also commit 4184b2a7
      ("net: sctp: fix memory leak in auth key management") is independant of
      this bug here since it concerns a different layer (though same structures
      being used eventually). asoc->asoc_shared_key is reference dropped correctly
      on assoc destruction in sctp_association_free() and when active keys are
      being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
      of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
      to remove that sctp_auth_key_put() from there which fixes these panics.
      
      Fixes: 730fc3d0 ("[SCTP]: Implete SCTP-AUTH parameter processing")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      600ddd68
    • Ezequiel Garcia's avatar
      net: mv643xx_eth: Fix highmem support in non-TSO egress path · 9e911414
      Ezequiel Garcia authored
      Commit 69ad0dd7
      Author: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Date:   Mon May 19 13:59:59 2014 -0300
      
          net: mv643xx_eth: Use dma_map_single() to map the skb fragments
      
      caused a nasty regression by removing the support for highmem skb
      fragments. By using page_address() to get the address of a fragment's
      page, we are assuming a lowmem page. However, such assumption is incorrect,
      as fragments can be in highmem pages, resulting in very nasty issues.
      
      This commit fixes this by using the skb_frag_dma_map() helper,
      which takes care of mapping the skb fragment properly. Additionally,
      the type of mapping is now tracked, so it can be unmapped using
      dma_unmap_page or dma_unmap_single when appropriate.
      
      This commit also fixes the error path in txq_init() to release the
      resources properly.
      
      Fixes: 69ad0dd7 ("net: mv643xx_eth: Use dma_map_single() to map the skb fragments")
      Reported-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarEzequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e911414
    • David S. Miller's avatar
      Merge branch 'sh_eth' · 9d08da96
      David S. Miller authored
      Ben Hutchings says:
      
      ====================
      Fixes for sh_eth #2
      
      I'm continuing review and testing of Ethernet support on the R-Car H2
      chip.  This series fixes more of the issues I've found, but it won't be
      the last set.
      
      These are not tested on any of the other supported chips.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d08da96
    • Ben Hutchings's avatar
      sh_eth: Fix serialisation of interrupt disable with interrupt & NAPI handlers · 283e38db
      Ben Hutchings authored
      In order to stop the RX path accessing the RX ring while it's being
      stopped or resized, we clear the interrupt mask (EESIPR) and then call
      free_irq() or synchronise_irq().  This is insufficient because the
      interrupt handler or NAPI poller may set EESIPR again after we clear
      it.  Also, in sh_eth_set_ringparam() we currently don't disable NAPI
      polling at all.
      
      I could easily trigger a crash by running the loop:
      
         while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done
      
      and 'ping -f' toward the sh_eth port from another machine.
      
      To fix this:
      - Add a software flag (irq_enabled) to signal whether interrupts
        should be enabled
      - In the interrupt handler, if the flag is clear then clear EESIPR
        and return
      - In the NAPI poller, if the flag is clear then don't set EESIPR
      - Set the flag before enabling interrupts in sh_eth_dev_init() and
        sh_eth_set_ringparam()
      - Clear the flag and serialise with the interrupt and NAPI
        handlers before clearing EESIPR in sh_eth_close() and
        sh_eth_set_ringparam()
      
      After this, I could run the loop for 100,000 iterations successfully.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      283e38db
    • Ben Hutchings's avatar
      sh_eth: Fix crash or memory leak when resizing rings on device that is down · 084236d8
      Ben Hutchings authored
      If the device is down then no packet buffers should be allocated.
      We also must not touch its registers as it may be powered off.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      084236d8
    • Ben Hutchings's avatar
      sh_eth: Detach net device when stopping queue to resize DMA rings · bd888916
      Ben Hutchings authored
      We must only ever stop TX queues when they are full or the net device
      is not 'ready' so far as the net core, and specifically the watchdog,
      is concerned.  Otherwise, the watchdog may fire *immediately* if no
      packets have been added to the queue in the last 5 seconds.
      
      What's more, sh_eth_tx_timeout() will likely crash if called while
      we're resizing the TX ring.
      
      I could easily trigger this by running the loop:
      
         while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bd888916
    • Ben Hutchings's avatar
      sh_eth: Fix padding of short frames on TX · eebfb643
      Ben Hutchings authored
      If an skb to be transmitted is shorter than the minimum Ethernet frame
      length, we currently set the DMA descriptor length to the minimum but
      do not add zero-padding.  This could result in leaking sensitive
      data.  We also pass different lengths to dma_map_single() and
      dma_unmap_single().
      
      Use skb_padto() to pad properly, before calling dma_map_single().
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eebfb643
    • Mugunthan V N's avatar
      drivers: net: cpsw: discard dual emac default vlan configuration · 02a54164
      Mugunthan V N authored
      In Dual EMAC, the default VLANs are used to segregate Rx packets between
      the ports, so adding the same default VLAN to the switch will affect the
      normal packet transfers. So returning error on addition of dual EMAC
      default VLANs.
      
      Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
      break dual EMAC port separations.
      
      Fixes: d9ba8f9e (driver: net: ethernet: cpsw: dual emac interface implementation)
      Cc: <stable@vger.kernel.org> # v3.9+
      Reported-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02a54164
  2. 26 Jan, 2015 9 commits
    • David S. Miller's avatar
      Merge branch 'cls_bpf' · b6663ad7
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Two cls_bpf fixes
      
      Found them while doing a review on act_bpf and going over the
      cls_bpf code again. Will also address the first issue in act_bpf
      as it needs to be fixed there, too.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6663ad7
    • Daniel Borkmann's avatar
      net: cls_bpf: fix auto generation of per list handles · 3f2ab135
      Daniel Borkmann authored
      When creating a bpf classifier in tc with priority collisions and
      invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
      will return a wrong handle id which in fact is non-unique. Usually
      altering of specific filters is being addressed over major id, but
      in case of collisions we result in a filter chain, where handle ids
      address individual cls_bpf_progs inside the classifier.
      
      Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
      in cls_bpf_get() and in case we found a free handle, we're supposed
      to use exactly head->hgen. In case of insufficient numbers of handles,
      we bail out later as handle id 0 is not allowed.
      
      Fixes: 7d1d65cb ("net: sched: cls_bpf: add BPF-based classifier")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarJiri Pirko <jiri@resnulli.us>
      Acked-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f2ab135
    • Daniel Borkmann's avatar
      net: cls_bpf: fix size mismatch on filter preparation · 7913ecf6
      Daniel Borkmann authored
      In cls_bpf_modify_existing(), we read out the number of filter blocks,
      do some sanity checks, allocate a block on that size, and copy over the
      BPF instruction blob from user space, then pass everything through the
      classic BPF checker prior to installation of the classifier.
      
      We should reject mismatches here, there are 2 scenarios: the number of
      filter blocks could be smaller than the provided instruction blob, so
      we do a partial copy of the BPF program, and thus the instructions will
      either be rejected from the verifier or a valid BPF program will be run;
      in the other case, we'll end up copying more than we're supposed to,
      and most likely the trailing garbage will be rejected by the verifier
      as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
      last instruction, load/stores must be correct, etc); in case not, we
      would leak memory when dumping back instruction patterns. The code should
      have only used nla_len() as Dave noted to avoid this from the beginning.
      Anyway, lets fix it by rejecting such load attempts.
      
      Fixes: 7d1d65cb ("net: sched: cls_bpf: add BPF-based classifier")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarJiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7913ecf6
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-3.19-20150121' of... · 9e79ce66
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-3.19-20150121' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2015-01-21
      
      this is a pull request for v3.19, net/master, which consists of a single patch.
      
      Viktor Babrian fixes the issue in the c_can dirver, that the CAN interface
      might continue to send frames after the interface has been shut down.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9e79ce66
    • David S. Miller's avatar
      Merge branch 's390' · 03a60580
      David S. Miller authored
      Ursula Braun says:
      
      ====================
      s390/qeth patches for net
      
      here are two s390/qeth patches built for net.
      One patch is quite large, but we would like to fix the locking warning
      seen in recent kernels as soon as possible. But if you want me to submit
      these patches for net-next, I will do.
      Or Gerlitz says:
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      03a60580
    • Thomas Richter's avatar
      390/qeth: Fix locking warning during qeth device setup · 1aec42bc
      Thomas Richter authored
      Do not wait for channel command buffers in IPA commands.
      The potential wait could be done while holding a spin lock and causes
      in recent kernels such a bug if kernel lock debugging is enabled:
      
      kernel: BUG: sleeping function called from invalid context at drivers/s390/net/qeth_core_main.c:
      794
      kernel: in_atomic(): 1, irqs_disabled(): 0, pid: 2031, name: NetworkManager
      kernel: 2 locks held by NetworkManager/2031:
      kernel:  #0:  (rtnl_mutex){+.+.+.}, at: [<00000000006e0d7a>] rtnetlink_rcv+0x32/0x50
      kernel:  #1:  (_xmit_ETHER){+.....}, at: [<00000000006cfe90>] dev_set_rx_mode+0x30/0x50
      kernel: CPU: 0 PID: 2031 Comm: NetworkManager Not tainted 3.18.0-rc5-next-20141124 #1
      kernel:        00000000275fb1f0 00000000275fb280 0000000000000002 0000000000000000
                     00000000275fb320 00000000275fb298 00000000275fb298 00000000007e326a
                     0000000000000000 000000000099ce2c 00000000009b4988 000000000000000b
                     00000000275fb2e0 00000000275fb280 0000000000000000 0000000000000000
                     0000000000000000 00000000001129c8 00000000275fb280 00000000275fb2e0
      kernel: Call Trace:
      kernel: ([<00000000001128b0>] show_trace+0xf8/0x158)
      kernel:  [<000000000011297a>] show_stack+0x6a/0xe8
      kernel:  [<00000000007e995a>] dump_stack+0x82/0xb0
      kernel:  [<000000000017d668>] ___might_sleep+0x170/0x228
      kernel:  [<000003ff80026f0e>] qeth_wait_for_buffer+0x36/0xd0 [qeth]
      kernel:  [<000003ff80026fe2>] qeth_get_ipacmd_buffer+0x3a/0xc0 [qeth]
      kernel:  [<000003ff80105078>] qeth_l3_send_setdelmc+0x58/0xf8 [qeth_l3]
      kernel:  [<000003ff8010b1fe>] qeth_l3_set_ip_addr_list+0x2c6/0x848 [qeth_l3]
      kernel:  [<000003ff8010bbb4>] qeth_l3_set_multicast_list+0x434/0xc48 [qeth_l3]
      kernel:  [<00000000006cfe9a>] dev_set_rx_mode+0x3a/0x50
      kernel:  [<00000000006cff90>] __dev_open+0xe0/0x140
      kernel:  [<00000000006d02a0>] __dev_change_flags+0xa0/0x178
      kernel:  [<00000000006d03a8>] dev_change_flags+0x30/0x70
      kernel:  [<00000000006e14ee>] do_setlink+0x346/0x9a0
      ...
      
      The device driver has plenty of command buffers available
      per channel for channel command communication.
      In the extremely rare case when there is no command buffer
      available, return a NULL pointer and issue a warning
      in the kernel log. The caller handles the case when
      a NULL pointer is encountered and returns an error.
      
      In the case the wait for command buffer is possible
      (because no lock is held as in the OSN case), still wait
      until a channel command buffer is available.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.vnet.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
      Reviewed-by: default avatarEugene Crosser <Eugene.Crosser@ru.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1aec42bc
    • Eugene Crosser's avatar
      qeth: clean up error handling · efbbc1d5
      Eugene Crosser authored
      In the functions that are registering and unregistering MAC
      addresses in the qeth-handled hardware, remove callback functions
      that are unnesessary, as only the return code is analyzed.
      Translate hardware response codes to semi-standard 'errno'-like
      codes for readability.
      
      Add kernel-doc description to the internal API function
      qeth_send_control_data().
      Signed-off-by: default avatarEugene Crosser <Eugene.Crosser@ru.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
      Reviewed-by: default avatarThomas-Mich Richter <tmricht@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efbbc1d5
    • Martin KaFai Lau's avatar
      ipv6: Fix __ip6_route_redirect · b0a1ba59
      Martin KaFai Lau authored
      In my last commit (a3c00e46: ipv6: Remove BACKTRACK macro), the changes in
      __ip6_route_redirect is incorrect.  The following case is missed:
      1. The for loop tries to find a valid gateway rt. If it fails to find
         one, rt will be NULL.
      2. When rt is NULL, it is set to the ip6_null_entry.
      3. The newly added 'else if', from a3c00e46, will stop the backtrack from
         happening.
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b0a1ba59
    • Vivien Didelot's avatar
      net: dsa: set slave MII bus PHY mask · 24df8986
      Vivien Didelot authored
      When registering a mdio bus, Linux assumes than every port has a PHY and tries
      to scan it. If a switch port has no PHY registered, DSA will fail to register
      the slave MII bus. To fix this, set the slave MII bus PHY mask to the switch
      PHYs mask.
      
      As an example, if we use a Marvell MV88E6352 (which is a 7-port switch with no
      registered PHYs for port 5 and port 6), with the following declared names:
      
      	static struct dsa_chip_data switch_cdata = {
      		[...]
      		.port_names[0] = "sw0",
      		.port_names[1] = "sw1",
      		.port_names[2] = "sw2",
      		.port_names[3] = "sw3",
      		.port_names[4] = "sw4",
      		.port_names[5] = "cpu",
      	};
      
      DSA will fail to create the switch instance. With the PHY mask set for the
      slave MII bus, only the PHY for ports 0-4 will be scanned and the instance will
      be successfully created.
      Signed-off-by: default avatarVivien Didelot <vivien.didelot@savoirfairelinux.com>
      Tested-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      24df8986
  3. 25 Jan, 2015 6 commits
  4. 24 Jan, 2015 1 commit
  5. 23 Jan, 2015 3 commits