- 14 Sep, 2013 28 commits
-
-
Rob Gardner authored
[ Upstream commit 03803a59 ] This patch adds another entry (HP hs2434 Mobile Broadband) to the list of exceptional devices that require a zero length packet in order to function properly. This list was added in commit 844e88f0. The hs2434 is manufactured by Sierra Wireless, who also produces the MC7710, which the ZLP exception list was created for in the first place. So hopefully it is just this one producer's devices that will need this workaround. Tested on a DM1-4310NR HP notebook, which does not function without this change. Signed-off-by:
Rob Gardner <robmatic@gmail.com> Acked-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Sathya Perla authored
[ Upstream commit 6e1f9975 ] commit fba87559 ("disable TX in be_close()") disabled TX in be_close() to protect be_xmit() from touching freed up queues in the AER recovery flow. But, TX must be disabled *before* cleaning up TX completions in the close() path, not after. This allows be_tx_compl_clean() to free up all TX-req skbs that were notified to the HW. Signed-off-by:
Sathya Perla <sathya.perla@emulex.com> Signed-off-by:
-
Ben Hutchings authored
[ Upstream commit f3851b0a ] commit 385904f8 ('sfc: Don't use efx_filter_{build,hash,increment}() for default MAC filters') used the wrong name to find the index of default RX MAC filters at insertion/ update time. This could result in memory corruption and would in any case silently fail to update the filter. Signed-off-by:
Ben Hutchings <bhutchings@solarflare.com> Signed-off-by:
-
Jesper Dangaard Brouer authored
[ Upstream commit 8a8e3d84 ] commit 56b765b7 ("htb: improved accuracy at high rates") broke the "linklayer atm" handling. tc class add ... htb rate X ceil Y linklayer atm The linklayer setting is implemented by modifying the rate table which is send to the kernel. No direct parameter were transferred to the kernel indicating the linklayer setting. The commit 56b765b7 ("htb: improved accuracy at high rates") removed the use of the rate table system. To keep compatible with older iproute2 utils, this patch detects the linklayer by parsing the rate table. It also supports future versions of iproute2 to send this linklayer parameter to the kernel directly. This is done by using the __reserved field in struct tc_ratespec, to convey the choosen linklayer option, but only using the lower 4 bits of this field. Linklayer detection is limited to speeds below 100Mbit/s, because at high rates the rtab is gets too inaccurate, so bad that several fields contain the same values, this resembling the ATM detect. Fields even start to contain "0" time to send, e.g. at 1000Mbit/s sending a 96 bytes packet cost "0", thus the rtab have been more broken than we first realized. Signed-off-by:
Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by:
-
Toshiaki Makita authored
[ Upstream commit ef40b7ef ] The VLAN code needs to know the length of the per-port VLAN bitmap to perform its most basic operations (retrieving VLAN informations, removing VLANs, forwarding database manipulation, etc). Unfortunately, in the current implementation we are using a macro that indicates the bitmap size in longs in places where the size in bits is expected, which in some cases can cause what appear to be random failures. Use the correct macro. Signed-off-by:
Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp> Signed-off-by:
-
Willem de Bruijn authored
[ Upstream commit 8bcdeaff ] getsockopt PACKET_STATISTICS returns tp_packets + tp_drops. Commit ee80fbf3 ("packet: account statistics only in tpacket_stats_u") cleaned up the getsockopt PACKET_STATISTICS code. This also changed semantics. Historically, tp_packets included tp_drops on return. The commit removed the line that adds tp_drops into tp_packets. This patch reinstates the old semantics. Signed-off-by:
Willem de Bruijn <willemb@google.com> Acked-by:
Daniel Borkmann <dborkman@redhat.com> Signed-off-by:
-
Andrey Vagin authored
[ Upstream commit 7ed5c5ae ] When the repair mode is turned off, the write queue seqs are updated so that the whole queue is considered to be 'already sent. The "when" field must be set for such skb. It's used in tcp_rearm_rto for example. If the "when" field isn't set, the retransmit timeout can be calculated incorrectly and a tcp connected can stop for two minutes (TCP_RTO_MAX). Acked-by:
Pavel Emelyanov <xemul@parallels.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
-
Hannes Frederic Sowa authored
[ Upstream commit f46078cf ] It is not allowed for an ipv6 packet to contain multiple fragmentation headers. So discard packets which were already reassembled by fragmentation logic and send back a parameter problem icmp. The updates for RFC 6980 will come in later, I have to do a bit more research here. Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by:
-
Hannes Frederic Sowa authored
[ Upstream commit 4b08a8f1 ] Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: <http://seclists.org/oss-sec/2012/q4/292> But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Signed-off-by:
Ding Tianhong <dingtianhong@huawei.com> Signed-off-by:
-
Dan Carpenter authored
[ Upstream commit 15718ea0 ] The recent fix d9bf5f13 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Acked-by:
Michael S. Tsirkin <mst@redhat.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Asbjoern Sloth Toennesen authored
[ Upstream commit 3e805ad2 ] Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by:
Asbjoern Sloth Toennesen <ast@fiberby.net> Reviewed-by:
Vlad Yasevich <vyasevich@gmail.com> Signed-off-by:
-
Pravin B Shelar authored
[ Upstream commit 4221f405 ] Using inner-id for tunnel id is not safe in some rare cases. E.g. packets coming from multiple sources entering same tunnel can have same id. Therefore on tunnel packet receive we could have packets from two different stream but with same source and dst IP with same ip-id which could confuse ip packet reassembly. Following patch reverts optimization from commit 490ab081 (IP_GRE: Fix IP-Identification.) Signed-off-by:
Pravin B Shelar <pshelar@nicira.com> CC: Jarno Rajahalme <jrajahalme@nicira.com> CC: Ansis Atteka <aatteka@nicira.com> Signed-off-by:
-
Pravin B Shelar authored
[ Upstream commit 33c6b1f6 ] netlink dump operations take module as parameter to hold reference for entire netlink dump duration. Currently it holds ref only on genl module which is not correct when we use ops registered to genl from another module. Following patch adds module pointer to genl_ops so that netlink can hold ref count on it. Signed-off-by:
-
Pravin B Shelar authored
[ Upstream commit 9b96309c ] In case of genl-family with parallel ops off, dumpif() callback is expected to run under genl_lock, But commit def31174 (genl: Allow concurrent genl callbacks.) changed this behaviour where only first dumpit() op was called under genl-lock. For subsequent dump, only nlk->cb_lock was taken. Following patch fixes it by defining locked dumpit() and done() callback which takes care of genl-locking. Signed-off-by:
-
Sridhar Samudrala authored
[ Upstream commit 64535993 ] Fix inverted check when deleting an fdb entry. Signed-off-by:
Sridhar Samudrala <sri@us.ibm.com> Signed-off-by:
-
Dave Jones authored
[ Upstream commit d06f5187 ] Introduced in cf3c4c03 ("8139cp: Add dma_mapping_error checking") Signed-off-by:
Dave Jones <davej@redhat.com> Signed-off-by:
-
Timo Teräs authored
[ Upstream commit 77a482bd ] Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c5441932 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar <pshelar@nicira.com> Signed-off-by:
Timo Teräs <timo.teras@iki.fi> Acked-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Hannes Frederic Sowa authored
[ Upstream commit 3e3be275 ] In case a subtree did not match we currently stop backtracking and return NULL (root table from fib_lookup). This could yield in invalid routing table lookups when using subtrees. Instead continue to backtrack until a valid subtree or node is found and return this match. Also remove unneeded NULL check. Reported-by:
Teco Boot <teco@inf-net.nl> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Cc: David Lamparter <equinox@diac24.net> Cc: <boutier@pps.univ-paris-diderot.fr> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit cd6b423a ] While investigating about strange increase of retransmit rates on hosts ~24 days after boot, Van found hystart was disabled if ca->epoch_start was 0, as following condition is true when tcp_time_stamp high order bit is set. (s32)(tcp_time_stamp - ca->epoch_start) < HZ Quoting Van : At initialization & after every loss ca->epoch_start is set to zero so I believe that the above line will turn off hystart as soon as the 2^31 bit is set in tcp_time_stamp & hystart will stay off for 24 days. I think we've observed that cubic's restart is too aggressive without hystart so this might account for the higher drop rate we observe. Diagnosed-by:
Van Jacobson <vanj@google.com> Signed-off-by:
Neal Cardwell <ncardwell@google.com> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 2ed0edf9 ] commit 17a6e9f1 ("tcp_cubic: fix clock dependency") added an overflow error in bictcp_update() in following code : /* change the unit from HZ to bictcp_HZ */ t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3) - ca->epoch_start) << BICTCP_HZ) / HZ; Because msecs_to_jiffies() being unsigned long, compiler does implicit type promotion. We really want to constrain (tcp_time_stamp - ca->epoch_start) to a signed 32bit value, or else 't' has unexpected high values. This bugs triggers an increase of retransmit rates ~24 days after boot [1], as the high order bit of tcp_time_stamp flips. [1] for hosts with HZ=1000 Big thanks to Van Jacobson for spotting this problem. Diagnosed-by:
-
Linus Lüssing authored
[ Upstream commit 248ba8ec ] Currently we are reading an uninitialized value for the max_delay variable when snooping an MLD query message of invalid length and would update our timers with that. Fixing this by simply ignoring such broken MLD queries (just like we do for IGMP already). This is a regression introduced by: "bridge: disable snooping if there is no querier" (b00589af) Reported-by:
Paul Bolle <pebolle@tiscali.nl> Signed-off-by:
Linus Lüssing <linus.luessing@web.de> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit aab515d7 ] AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb00 ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernelReported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
-
Veaceslav Falico authored
[ Upstream commit 9918d5bf ] Otherwise, on neighbour creation, bond_neigh_init() will be called with a foreign netdev. Signed-off-by:
Veaceslav Falico <vfalico@redhat.com> Signed-off-by:
-
Veaceslav Falico authored
[ Upstream commit 63134803 ] dev->ndo_neigh_setup() might need some of the values of neigh_parms, so populate them before calling it. Signed-off-by:
-
Michael S. Tsirkin authored
[ Upstream commit 15127478 ] commit df8ef8f3 macvlan: add FDB bridge ops and macvlan flags added a flags field to macvlan, which can be controlled from userspace. The idea is to make the interface future-proof so we can add flags and not new fields. However, flags value isn't validated, as a result, userspace can't detect which flags are supported. Signed-off-by:
-
Roman Gushchin authored
[ Upstream commit 5f671d6b ] It's possible to assign an invalid value to the net.core.somaxconn sysctl variable, because there is no checks at all. The sk_max_ack_backlog field of the sock structure is defined as unsigned short. Therefore, the backlog argument in inet_listen() shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall is truncated to the somaxconn value. So, the somaxconn value shouldn't exceed 65535 (USHRT_MAX). Also, negative values of somaxconn are meaningless. before: $ sysctl -w net.core.somaxconn=256 net.core.somaxconn = 256 $ sysctl -w net.core.somaxconn=65536 net.core.somaxconn = 65536 $ sysctl -w net.core.somaxconn=-100 net.core.somaxconn = -100 after: $ sysctl -w net.core.somaxconn=256 net.core.somaxconn = 256 $ sysctl -w net.core.somaxconn=65536 error: "Invalid argument" setting key "net.core.somaxconn" $ sysctl -w net.core.somaxconn=-100 error: "Invalid argument" setting key "net.core.somaxconn" Based on a prior patch from Changli Gao. Signed-off-by:
Roman Gushchin <klamm@yandex-team.ru> Reported-by:
Changli Gao <xiaosuo@gmail.com> Suggested-by:
-
Daniel Borkmann authored
[ Upstream commit 446266b0 ] Commit 5c766d64 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by:
Jiri Pirko <jiri@resnulli.us> Signed-off-by:
-
stephen hemminger authored
[ Upstream commit cbd37556 ] When userspace passes a large priority value the assignment of the unsigned value hopt->prio to signed int cl->prio causes cl->prio to become negative and the comparison is with TC_HTB_NUMPRIO is always false. The result is that HTB crashes by referencing outside the array when processing packets. With this patch the large value wraps around like other values outside the normal range. See: https://bugzilla.kernel.org/show_bug.cgi?id=60669Signed-off-by:
Stephen Hemminger <stephen@networkplumber.org> Acked-by:
-
- 08 Sep, 2013 12 commits
-
-
Greg Kroah-Hartman authored
-
David Jander authored
commit 4e67fb5f upstream. Avoid overlapping register regions by making the initial blklen of a new node 1. If a register write occurs to a yet uncached register, that is lower than but near an existing node's base_reg, a new node is created and it's blklen is set to an arbitrary value (sizeof(*rbnode)). That may cause this node to overlap with another node. Those nodes should be merged, but this merge doesn't happen yet, so this patch at least makes the initial blklen small enough to avoid hitting the wrong node, which may otherwise lead to severe breakage. Signed-off-by:
David Jander <david@protonic.nl> Signed-off-by:
Mark Brown <broonie@linaro.org> Signed-off-by:
Zhouping Liu <zliu@redhat.com> Signed-off-by:
-
Fabio Estevam authored
commit ea8d1583 upstream. When building imx_v6_v7_defconfig with imx-drm drivers selected as modules, we get the following build error: ERROR: "imx_drm_encoder_get_mux_id" [drivers/staging/imx-drm/imx-ldb.ko] undefined! Export the required function to avoid this problem. Signed-off-by:
Fabio Estevam <fabio.estevam@freescale.com> Acked-by:
Sascha Hauer <s.hauer@pengutronix.de> Acked-by:
Philipp Zabel <p.zabel@pengutronix.de> Cc: Guenter Roeck <linux@roeck-us.net> Signed-off-by:
-
Julien Grall authored
commit 0d7febe5 upstream. When CONFIG_PREEMPT is enabled, Linux will not be able to boot and warn: [ 4.127825] ------------[ cut here ]------------ [ 4.133376] WARNING: at init/main.c:699 do_one_initcall+0x150/0x158() [ 4.140738] initcall xen_init_events+0x0/0x10c returned with preemption imbalance This is because xen_percpu_init uses get_cpu but doesn't have the corresponding put_cpu. Signed-off-by:
Julien Grall <julien.grall@linaro.org> Signed-off-by:
Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by:
Jonghwan Choi <jhbird.choi@samsung.com> Signed-off-by:
-
Mark Rusk authored
commit eefbc594 upstream. Using an uninitialized variable 'devnum' after 'goto out;' was causing panic. Just go ahead and return, we need to ignore AUX iLO devs. Oops: 0002 [#1] SMP . . . RIP [<ffffffffa033e270>] ilo_probe+0xec/0xe7c [hpilo] Signed-off-by:
Mark Rusk <mark.rusk@hp.com> Signed-off-by:
-
Lan Tianyu authored
commit 524f42fa upstream. The ECDT of ASUSTEK L4R doesn't provide correct command and data I/O ports. The DSDT provides the correct information instead. For this reason, add this machine to quirk list for ECDT validation and use the EC information from the DSDT. [rjw: Changelog] References: https://bugzilla.kernel.org/show_bug.cgi?id=60765Reported-and-tested-by:
Daniele Esposti <expo@expobrain.net> Signed-off-by:
Lan Tianyu <tianyu.lan@intel.com> Signed-off-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by:
-
Wei Hu authored
commit 30b146d1 upstream. The temperature reporting interface stays the same, so we just add the PCI-ID to the list. Verified on AMD Olive Hill. Signed-off-by:
Wei Hu <wei@aristanetworks.com> Acked-by:
Clemens Ladisch <clemens@ladisch.de> Signed-off-by:
Guenter Roeck <linux@roeck-us.net> Signed-off-by:
-
Graham Williams authored
commit d2572218 upstream. The gadget strings table should be null terminated. usb_gadget_get_string() loops through the table expecting a null at the end of the list. Signed-off-by:
Graham Williams <gwilli@broadcom.com> Signed-off-by:
-
Tomas Winkler authored
commit ff96066e upstream. Both H_IS and H_IE needs to be set to receive H_RDY interrupt 1. Assert H_IS to clear the interrupts during hw reset and use mei_me_reg_write instead of mei_hcsr_set as the later strips down the H_IS 2. fix interrupt disablement embarrassing typo hcsr |= ~H_IE -> hcsr &= ~H_IE; this will remove the unwanted interrupt on power down 3. remove useless debug print outs Signed-off-by:
Tomas Winkler <tomas.winkler@intel.com> Cc: Shuah Khan <shuah.kh@samsung.com> Cc: Konstantin Khlebnikov <khlebnikov@openvz.org> Signed-off-by:
-
Nicholas Bellinger authored
commit 28aaa950 upstream. This patch addresses a potential NULL pointer dereference regression in iscsit_setup_nop_out() code, specifically for two cases when a solicited NOPOUT triggers a ISCSI_REASON_PROTOCOL_ERROR reject to be generated. This is because iscsi_cmd is expected to be NULL for solicited NOPOUT case before iscsit_process_nop_out() locates the descriptor via TTT using iscsit_find_cmd_from_ttt(). This regression was originally introduced in: commit ba159914 Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Wed Jul 3 03:48:24 2013 -0700 iscsi-target: Fix iscsit_add_reject* usage for iser Signed-off-by:
Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by:
-
Nicholas Bellinger authored
commit c9a03c12 upstream. This patch fixes a bug in __iscsi_target_login_thread() where an explicit network portal thread reset ends up leaking the iscsit_transport module reference, along with the associated iscsi_conn allocation. This manifests itself with iser-target where a NP reset causes the extra iscsit_transport reference to be taken in iscsit_conn_set_transport() during the reset, which prevents the ib_isert module from being unloaded after the NP thread shutdown has finished. Signed-off-by:
-
Nicholas Bellinger authored
commit 9d86a2be upstream. This patch addresses a regression bug within ImmediateData=Yes failure handling that ends up triggering an OOPs within >= v3.10 iscsi-target code. The problem occurs when iscsit_process_scsi_cmd() does the call to target_put_sess_cmd(), and once again in iscsit_get_immediate_data() that is triggered during two different cases: - When iscsit_sequence_cmd() returns CMDSN_LOWER_THAN_EXP, for which the descriptor state will already have been set to ISTATE_REMOVE by iscsit_sequence_cmd(), and - When iscsi_cmd->sense_reason is set, for which iscsit_execute_cmd() will have already called transport_send_check_condition_and_sense() to queue the exception response. It changes iscsit_process_scsi_cmd() to drop the early call, and makes iscsit_get_immediate_data() call target_put_sess_cmd() from a single location after dumping the immediate data for the failed command. The regression was initially introduced in commit: commit 561bf158 Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Wed Jul 3 03:58:58 2013 -0700 iscsi-target: Fix iscsit_sequence_cmd reject handling for iser Signed-off-by:
-
