1. 03 Mar, 2016 4 commits
    • Parthasarathy Bhuvaragan's avatar
      tipc: Revert "tipc: use existing sk_write_queue for outgoing packet chain" · f214fc40
      Parthasarathy Bhuvaragan authored
      reverts commit 94153e36 ("tipc: use existing sk_write_queue for
      outgoing packet chain")
      
      In Commit 94153e36, we assume that we fill & empty the socket's
      sk_write_queue within the same lock_sock() session.
      
      This is not true if the link is congested. During congestion, the
      socket lock is released while we wait for the congestion to cease.
      This implementation causes a nullptr exception, if the user space
      program has several threads accessing the same socket descriptor.
      
      Consider two threads of the same program performing the following:
           Thread1                                  Thread2
      --------------------                    ----------------------
      Enter tipc_sendmsg()                    Enter tipc_sendmsg()
      lock_sock()                             lock_sock()
      Enter tipc_link_xmit(), ret=ELINKCONG   spin on socket lock..
      sk_wait_event()                             :
      release_sock()                          grab socket lock
          :                                   Enter tipc_link_xmit(), ret=0
          :                                   release_sock()
      Wakeup after congestion
      lock_sock()
      skb = skb_peek(pktchain);
      !! TIPC_SKB_CB(skb)->wakeup_pending = tsk->link_cong;
      
      In this case, the second thread transmits the buffers belonging to
      both thread1 and thread2 successfully. When the first thread wakeup
      after the congestion it assumes that the pktchain is intact and
      operates on the skb's in it, which leads to the following exception:
      
      [2102.439969] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
      [2102.440074] IP: [<ffffffffa005f330>] __tipc_link_xmit+0x2b0/0x4d0 [tipc]
      [2102.440074] PGD 3fa3f067 PUD 3fa6b067 PMD 0
      [2102.440074] Oops: 0000 [#1] SMP
      [2102.440074] CPU: 2 PID: 244 Comm: sender Not tainted 3.12.28 #1
      [2102.440074] RIP: 0010:[<ffffffffa005f330>]  [<ffffffffa005f330>] __tipc_link_xmit+0x2b0/0x4d0 [tipc]
      [...]
      [2102.440074] Call Trace:
      [2102.440074]  [<ffffffff8163f0b9>] ? schedule+0x29/0x70
      [2102.440074]  [<ffffffffa006a756>] ? tipc_node_unlock+0x46/0x170 [tipc]
      [2102.440074]  [<ffffffffa005f761>] tipc_link_xmit+0x51/0xf0 [tipc]
      [2102.440074]  [<ffffffffa006d8ae>] tipc_send_stream+0x11e/0x4f0 [tipc]
      [2102.440074]  [<ffffffff8106b150>] ? __wake_up_sync+0x20/0x20
      [2102.440074]  [<ffffffffa006dc9c>] tipc_send_packet+0x1c/0x20 [tipc]
      [2102.440074]  [<ffffffff81502478>] sock_sendmsg+0xa8/0xd0
      [2102.440074]  [<ffffffff81507895>] ? release_sock+0x145/0x170
      [2102.440074]  [<ffffffff815030d8>] ___sys_sendmsg+0x3d8/0x3e0
      [2102.440074]  [<ffffffff816426ae>] ? _raw_spin_unlock+0xe/0x10
      [2102.440074]  [<ffffffff81115c2a>] ? handle_mm_fault+0x6ca/0x9d0
      [2102.440074]  [<ffffffff8107dd65>] ? set_next_entity+0x85/0xa0
      [2102.440074]  [<ffffffff816426de>] ? _raw_spin_unlock_irq+0xe/0x20
      [2102.440074]  [<ffffffff8107463c>] ? finish_task_switch+0x5c/0xc0
      [2102.440074]  [<ffffffff8163ea8c>] ? __schedule+0x34c/0x950
      [2102.440074]  [<ffffffff81504e12>] __sys_sendmsg+0x42/0x80
      [2102.440074]  [<ffffffff81504e62>] SyS_sendmsg+0x12/0x20
      [2102.440074]  [<ffffffff8164aed2>] system_call_fastpath+0x16/0x1b
      
      In this commit, we maintain the skb list always in the stack.
      Signed-off-by: default avatarParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f214fc40
    • Benjamin Poirier's avatar
      mld, igmp: Fix reserved tailroom calculation · 1837b2e2
      Benjamin Poirier authored
      The current reserved_tailroom calculation fails to take hlen and tlen into
      account.
      
      skb:
      [__hlen__|__data____________|__tlen___|__extra__]
      ^                                               ^
      head                                            skb_end_offset
      
      In this representation, hlen + data + tlen is the size passed to alloc_skb.
      "extra" is the extra space made available in __alloc_skb because of
      rounding up by kmalloc. We can reorder the representation like so:
      
      [__hlen__|__data____________|__extra__|__tlen___]
      ^                                               ^
      head                                            skb_end_offset
      
      The maximum space available for ip headers and payload without
      fragmentation is min(mtu, data + extra). Therefore,
      reserved_tailroom
      = data + extra + tlen - min(mtu, data + extra)
      = skb_end_offset - hlen - min(mtu, skb_end_offset - hlen - tlen)
      = skb_tailroom - min(mtu, skb_tailroom - tlen) ; after skb_reserve(hlen)
      
      Compare the second line to the current expression:
      reserved_tailroom = skb_end_offset - min(mtu, skb_end_offset)
      and we can see that hlen and tlen are not taken into account.
      
      The min() in the third line can be expanded into:
      if mtu < skb_tailroom - tlen:
      	reserved_tailroom = skb_tailroom - mtu
      else:
      	reserved_tailroom = tlen
      
      Depending on hlen, tlen, mtu and the number of multicast address records,
      the current code may output skbs that have less tailroom than
      dev->needed_tailroom or it may output more skbs than needed because not all
      space available is used.
      
      Fixes: 4c672e4b ("ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@suse.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1837b2e2
    • Igal Liberman's avatar
      fsl/fman: Initialize fman->dev earlier · 878e3c1b
      Igal Liberman authored
      Currently, in a case of error, dev_err is using fman->dev
      before its initialization and "(NULL device *)" is printed.
      This patch fixes this issue.
      Signed-off-by: default avatarIgal Liberman <igal.liberman@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      878e3c1b
    • Gabriel Fernandez's avatar
      stmmac: Fix 'eth0: No PHY found' regression · 88f8b1bb
      Gabriel Fernandez authored
      This patch manages the case when you have an Ethernet MAC with
      a "fixed link", and not connected to a normal MDIO-managed PHY device.
      
      The test of phy_bus_name was not helpful because it was never affected
      and replaced by the mdio test node.
      Signed-off-by: default avatarGabriel Fernandez <gabriel.fernandez@linaro.org>
      Acked-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88f8b1bb
  2. 02 Mar, 2016 29 commits
  3. 01 Mar, 2016 7 commits
    • Sergei Shtylyov's avatar
      of_mdio: fix kernel-doc for of_phy_connect() · 735c1e25
      Sergei Shtylyov authored
      The 'flags' parameter of the of_phy_connect() function wasn't described
      in  the kernel-doc comment...
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      735c1e25
    • Xin Long's avatar
      sctp: sctp_remaddr_seq_show use the wrong variable to dump transport info · 3d73e8fa
      Xin Long authored
      Now in sctp_remaddr_seq_show(), we use variable *tsp to get the param *v.
      but *tsp is also used to traversal transport_addr_list, which will cover
      the previous value, and make sctp_transport_put work on the wrong transport.
      
      So fix it by adding a new variable to get the param *v.
      
      Fixes: fba4c330 ("sctp: hold transport before we access t->asoc in sctp proc")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d73e8fa
    • Xin Long's avatar
      sctp: lack the check for ports in sctp_v6_cmp_addr · 40b4f0fd
      Xin Long authored
      As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
      the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by
      sctp_cmp_addr_exact().
      
      Now sctp_v6_cmp_addr just check the port when two addresses have different
      family, and lack the port check for two ipv6 addresses. that will make
      sctp_hash_cmp() cannot work well.
      
      so fix it by adding ports comparison in sctp_v6_cmp_addr().
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40b4f0fd
    • David S. Miller's avatar
      Merge branch 'phy-micrel-fixes' · f0da74bc
      David S. Miller authored
      Alexandre Belloni says:
      
      ====================
      phy: micrel: fix issues with interrupt on atmel boards
      
      Since the phy is not polled anymore, there were issues getting a link on the
      sama5d* xplained boards.
      
      I'm not too sure about were those fixes should go and I'm wondering whether the
      first one shoud be made generic.
      
      For the second one, I found the PHY_HAS_MAGICANEG flag that is not used and I
      wondering whether this is related to that kind of issue. I had a quick look at
      the history and could'nt find its use.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f0da74bc
    • Alexandre Belloni's avatar
      phy: micrel: Disable auto negotiation on startup · 99f81afc
      Alexandre Belloni authored
      Disable auto negotiation on init to properly detect an already plugged
      cable at boot.
      
      At boot, when the phy is started, it is in the PHY_UP state.
      However, if a cable is plugged at boot, because auto negociation is already
      enabled at the time we get the first interrupt, the phy is already running.
      But the state machine then switches from PHY_UP to PHY_AN and calls
      phy_start_aneg(). phy_start_aneg() will not do anything because aneg is
      already enabled on the phy. It will then wait for a interrupt before going
      further. This interrupt will never happen unless the cable is unplugged and
      then replugged.
      
      It was working properly before 321beec5 (net: phy: Use interrupts when
      available in NOLINK state) because switching to NOLINK meant starting
      polling the phy, even if IRQ were enabled.
      
      Fixes: 321beec5 (net: phy: Use interrupts when available in NOLINK state)
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99f81afc
    • Alexandre Belloni's avatar
      phy: micrel: Ensure interrupts are reenabled on resume · f5aba91d
      Alexandre Belloni authored
      At least on ksz8081, when getting back from power down, interrupts are
      disabled. ensure they are reenabled if they were previously enabled.
      
      This fixes resuming which is failing on the xplained boards from atmel
      since 321beec5 (net: phy: Use interrupts when available in NOLINK
      state)
      
      Fixes: 321beec5 (net: phy: Use interrupts when available in NOLINK state)
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5aba91d
    • Guillaume Nault's avatar
      ppp: lock ppp->flags in ppp_read() and ppp_poll() · edffc217
      Guillaume Nault authored
      ppp_read() and ppp_poll() can be called concurrently with ppp_ioctl().
      In this case, ppp_ioctl() might call ppp_ccp_closed(), which may update
      ppp->flags while ppp_read() or ppp_poll() is reading it.
      The update done by ppp_ccp_closed() isn't atomic due to the bit mask
      operation ('ppp->flags &= ~(SC_CCP_OPEN | SC_CCP_UP)'), so concurrent
      readers might get transient values.
      Reading incorrect ppp->flags may disturb the 'ppp->flags & SC_LOOP_TRAFFIC'
      test in ppp_read() and ppp_poll(), which in turn can lead to improper
      decision on whether the PPP unit file is ready for reading or not.
      
      Since ppp_ccp_closed() is protected by the Rx and Tx locks (with
      ppp_lock()), taking the Rx lock is enough for ppp_read() and ppp_poll()
      to guarantee that ppp_ccp_closed() won't update ppp->flags
      concurrently.
      
      The same reasoning applies to ppp->n_channels. The 'n_channels' field
      can also be written to concurrently by ppp_ioctl() (through
      ppp_connect_channel() or ppp_disconnect_channel()). These writes aren't
      atomic (simple increment/decrement), but are protected by both the Rx
      and Tx locks (like in the ppp->flags case). So holding the Rx lock
      before reading ppp->n_channels also prevents concurrent writes.
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      edffc217