1. 14 Feb, 2013 3 commits
    • David Vrabel's avatar
      xen-netback: correctly return errors from netbk_count_requests() · 35876b5f
      David Vrabel authored
      netbk_count_requests() could detect an error, call
      netbk_fatal_tx_error() but return 0.  The vif may then be used
      afterwards (e.g., in a call to netbk_tx_error().
      
      Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may
      be freed immediately after the call to netbk_fatal_tx_error() (e.g.,
      if the vif is also removed).
      
      Netback thread              Xenwatch thread
      -------------------------------------------
      netbk_fatal_tx_err()        netback_remove()
                                    xenvif_disconnect()
                                      ...
                                      free_netdev()
      netbk_tx_err() Oops!
      Signed-off-by: default avatarWei Liu <wei.liu2@citrix.com>
      Signed-off-by: default avatarJan Beulich <JBeulich@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reported-by: default avatarChristopher S. Aker <caker@theshore.net>
      Acked-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      35876b5f
    • David S. Miller's avatar
      Merge branch 'master' of git://1984.lsi.us.es/nf · 306dbf9e
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      The following patchset contains three Netfilter fixes, they are:
      
      * Fix conntrack helper re-assignment after NAT mangling if only if
        the same helper is attached to the conntrack again, from Florian
        Westphal.
      
      * Don't allow the creation of conntrack entries via ctnetlink if the
        original and reply tuples are missing, from Florian Westphal.
      
      * Fix broken sysctl interface in nf_ct_reasm while adding netns support
        to it, from Michal Kubecek.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      306dbf9e
    • Bjørn Mork's avatar
      net: cdc_ncm: fix probing of devices with multiple control interface altsettings · f350ca03
      Bjørn Mork authored
      commit bd329e12 ("net: cdc_ncm: do not bind to NCM compatible MBIM devices")
      added a test for a CDC MBIM altsetting, implementing the cdc_ncm part of
      MBIM backward compatibility support.  This intentionally made the driver
      behave differently for CDC NCM devices with 2 alternate settings for the
      Communication interface, depending on whether or not CONFIG_USB_NET_CDC_MBIM
      was enabled.  This is correct iff alternate setting #1 really *is* a MBIM
      setting.  If not, then NCM probing will use a different altsetting than before,
      possibly causing probing failures depending on CONFIG_USB_NET_CDC_MBIM.
      
      Fix by setting the altsetting back to default after the test, restoring the
      previous behaviour for non MBIM devices.
      
      This bug causes probing of Huawei E3276 devices to fail when the MBIM driver
      is enabled, because these devices have a second alternate setting with no CDC
      functional descriptors.
      
      Cc: Greg Suarez <gsuarez@smithmicro.com>
      Cc: Alexey Orishko <alexey.orishko@stericsson.com>
      Reported-and-tested-by: default avatarJonathan A. <yo.natan@hotmail.com>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f350ca03
  2. 13 Feb, 2013 12 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 323a72d8
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "This is primarily to get those r8169 reverts sorted, but other fixes
        have accumulated meanwhile.
      
         1) Revert two r8169 changes to fix suspend/resume for some users,
            from Francois Romieu.
      
         2) PCI dma mapping errors in atl1c are not checked for and this cause
            hard crashes for some users, from Xiong Huang.
      
         3) In 3.8.x we merged the removal of the EXPERIMENTAL dependency for
            'dlm' but the same patch for 'sctp' got lost somewhere, resulting
            in the potential for build errors since there are cross
            dependencies.  From Kees Cook.
      
         4) SCTP's ipv6 socket route validation makes boolean tests
            incorrectly, fix from Daniel Borkmann.
      
         5) mac80211 does sizeof(ptr) instead of (sizeof(ptr) * nelem), from
            Cong Ding.
      
         6) arp_rcv() can crash on shared non-linear packets, from Eric
            Dumazet.
      
         7) Avoid crashes in macvtap by setting ->gso_type consistently in
            ixgbe, qlcnic, and bnx2x drivers.  From Michael S Tsirkin and
            Alexander Duyck.
      
         8) Trinity fuzzer spots infinite loop in __skb_recv_datagram(), fix
            from Eric Dumazet.
      
         9) STP protocol frames should use high packet priority, otherwise an
            overloaded bridge can get stuck.  From Stephen Hemminger.
      
        10) The HTB packet scheduler was converted some time ago to store
            internal timestamps in nanoseconds, but we don't convert back into
            psched ticks for the user during dumps.  Fix from Jiri Pirko.
      
        11) mwl8k channel table doesn't set the .band field properly,
            resulting in NULL pointer derefs.  Fix from Jonas Gorski.
      
        12) mac80211 doesn't accumulate channels properly during a scan so we
            can downgrade heavily to a much less desirable connection speed.
            Fix from Johannes Berg.
      
        13) PHY probe failure in stmmac can result in resource leaks and
            double MDIO registery later, from Giuseppe CAVALLARO.
      
        14) Correct ipv6 checksumming in ip6t_NPT netfilter module, also fix
            address prefix mangling, from YOSHIFUJI Hideaki."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
        net, sctp: remove CONFIG_EXPERIMENTAL
        net: sctp: sctp_v6_get_dst: fix boolean test in dst cache
        batman-adv: Fix NULL pointer dereference in DAT hash collision avoidance
        net/macb: fix race with RX interrupt while doing NAPI
        atl1c: add error checking for pci_map_single functions
        htb: fix values in opt dump
        ixgbe: Only set gso_type to SKB_GSO_TCPV4 as RSC does not support IPv6
        net: fix infinite loop in __skb_recv_datagram()
        net: qmi_wwan: add Yota / Megafon M100-1 4g modem
        mwl8k: fix band for supported channels
        bridge: set priority of STP packets
        mac80211: fix channel selection bug
        arp: fix possible crash in arp_rcv()
        bnx2x: set gso_type
        qlcnic: set gso_type
        ixgbe: fix gso type
        stmmac: mdio register has to fail if the phy is not found
        stmmac: fix macro used for debugging the xmit
        Revert "r8169: enable internal ASPM and clock request settings".
        Revert "r8169: enable ALDPS for power saving".
        ...
      323a72d8
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 42976ad0
      Linus Torvalds authored
      Pull x86 fixes from Peter Anvin:
       "One (hopefully) last batch of x86 fixes.  You asked for the patch by
        patch justifications, so here they are:
      
            x86, MCE: Retract most UAPI exports
      
         This one unexports from userspace a bunch of definitions which should
         never have been exported.  We really don't want to create an
         accidental legacy here.
      
            x86, doc: Add a bootloader ID for OVMF
      
         This is a documentation-only patch, just recording the official
         assignment of a boot loader ID.
      
            x86: Do not leak kernel page mapping locations
      
         Security: avoid making it needlessly easy for user space to probe the
         kernel memory layout.
      
            x86/mm: Check if PUD is large when validating a kernel address
      
         Prevent failures using /proc/kcore when using 1G pages.
      
            x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems
      
         Works around a BIOS problem causing boot failures on affected hardware."
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Check if PUD is large when validating a kernel address
        x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems
        x86, doc: Add a bootloader ID for OVMF
        x86: Do not leak kernel page mapping locations
        x86, MCE: Retract most UAPI exports
      42976ad0
    • Michal Kubeček's avatar
      netfilter: nf_ct_reasm: fix per-netns sysctl initialization · 894e2ac8
      Michal Kubeček authored
      Adjusting of data pointers in net/netfilter/nf_conntrack_frag6_*
      sysctl table for other namespaces points to wrong netns_frags
      structure and has reversed order of entries.
      
      Problem introduced by commit c038a767 in 3.7-rc1
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      894e2ac8
    • Kees Cook's avatar
      net, sctp: remove CONFIG_EXPERIMENTAL · 3bdb1a44
      Kees Cook authored
      This config item has not carried much meaning for a while now and is
      almost always enabled by default. As agreed during the Linux kernel
      summit, remove it.
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarSteven Whitehouse <swhiteho@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bdb1a44
    • Daniel Borkmann's avatar
      net: sctp: sctp_v6_get_dst: fix boolean test in dst cache · e9c0dfba
      Daniel Borkmann authored
      We walk through the bind address list and try to get the best source
      address for a given destination. However, currently, we take the
      'continue' path of the loop when an entry is invalid (!laddr->valid)
      *and* the entry state does not equal SCTP_ADDR_SRC (laddr->state !=
      SCTP_ADDR_SRC).
      
      Thus, still, invalid entries with SCTP_ADDR_SRC might not 'continue'
      as well as valid entries with SCTP_ADDR_{NEW, SRC, DEL}, with a possible
      false baddr and matchlen as a result, causing in worst case dst route
      to be false or possibly NULL.
      
      This test should actually be a '||' instead of '&&'. But lets fix it
      and make this a bit easier to read by having the condition the same way
      as similarly done in sctp_v4_get_dst.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e9c0dfba
    • Pau Koning's avatar
      batman-adv: Fix NULL pointer dereference in DAT hash collision avoidance · 816cd5b8
      Pau Koning authored
      An entry in DAT with the hashed position of 0 can cause a NULL pointer
      dereference when the first entry is checked by batadv_choose_next_candidate.
      This first candidate automatically has the max value of 0 and the max_orig_node
      of NULL. Not checking max_orig_node for NULL in batadv_is_orig_node_eligible
      will lead to a NULL pointer dereference when checking for the lowest address.
      
      This problem was added in 785ea114
      ("batman-adv: Distributed ARP Table - create DHT helper functions").
      Signed-off-by: default avatarPau Koning <paukoning@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      816cd5b8
    • Nicolas Ferre's avatar
      net/macb: fix race with RX interrupt while doing NAPI · 8770e91a
      Nicolas Ferre authored
      When interrupts are disabled, an RX condition can occur but
      it is not reported when enabling interrupts again. We need to check
      RSR and use napi_reschedule() if condition is met.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8770e91a
    • Huang, Xiong's avatar
      atl1c: add error checking for pci_map_single functions · ac574804
      Huang, Xiong authored
      it is reported that code hit DMA-API errors on 3.8-rc6+,
      (see https://bugzilla.redhat.com/show_bug.cgi?id=908436, and
           https://bugzilla.redhat.com/show_bug.cgi?id=908550)
      
      this patch just adds error handler for
          pci_map_single and skb_frag_dma_map.
      Signed-off-by: default avatarxiong <xiong@qca.qualcomm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac574804
    • Mel Gorman's avatar
      x86/mm: Check if PUD is large when validating a kernel address · 0ee364eb
      Mel Gorman authored
      A user reported the following oops when a backup process reads
      /proc/kcore:
      
       BUG: unable to handle kernel paging request at ffffbb00ff33b000
       IP: [<ffffffff8103157e>] kern_addr_valid+0xbe/0x110
       [...]
      
       Call Trace:
        [<ffffffff811b8aaa>] read_kcore+0x17a/0x370
        [<ffffffff811ad847>] proc_reg_read+0x77/0xc0
        [<ffffffff81151687>] vfs_read+0xc7/0x130
        [<ffffffff811517f3>] sys_read+0x53/0xa0
        [<ffffffff81449692>] system_call_fastpath+0x16/0x1b
      
      Investigation determined that the bug triggered when reading
      system RAM at the 4G mark. On this system, that was the first
      address using 1G pages for the virt->phys direct mapping so the
      PUD is pointing to a physical address, not a PMD page.
      
      The problem is that the page table walker in kern_addr_valid() is
      not checking pud_large() and treats the physical address as if
      it was a PMD.  If it happens to look like pmd_none then it'll
      silently fail, probably returning zeros instead of real data. If
      the data happens to look like a present PMD though, it will be
      walked resulting in the oops above.
      
      This patch adds the necessary pud_large() check.
      
      Unfortunately the problem was not readily reproducible and now
      they are running the backup program without accessing
      /proc/kcore so the patch has not been validated but I think it
      makes sense.
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Reviewed-by: default avatarRik van Riel <riel@redhat.coM>
      Reviewed-by: default avatarMichal Hocko <mhocko@suse.cz>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Cc: stable@vger.kernel.org
      Cc: linux-mm@kvack.org
      Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      0ee364eb
    • Linus Torvalds's avatar
      Merge branch 'autofs-fix' of... · ecf223fc
      Linus Torvalds authored
      Merge branch 'autofs-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux into akpm
      
      Pull hp parisc automounter fix from Helge Deller:
       "This unbreaks automounter support for the parisc architecture (and
        probably aarch64 as well).""
      
      * 'autofs-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        unbreak automounter support on 64-bit kernel with 32-bit userspace (v2)
      ecf223fc
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux into akpm · a0e5056e
      Linus Torvalds authored
      Pull s390 regression fix from Martin Schwidefsky:
       "The recent fix for the s390 sched_clock() function uncovered yet
        another bug in s390_next_ktime which causes an endless loop in KVM.
        This regression should be fixed before v3.8.
      
        I keep the fingers crossed that this is the last one for v3.8."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/timer: avoid overflow when programming clock comparator
      a0e5056e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu into akpm · f2ea97cb
      Linus Torvalds authored
      Pull m68knommu fix from Greg Ungerer:
       "This contains a single critical fix for the non-MMU m68k platforms.
      
        The change of the kernel exec code path has revealed a problem in the
        start thread code that causes crashing on boot.  This is the fix for
        it."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68knommu: fix trap on execing /bin/init
      f2ea97cb
  3. 12 Feb, 2013 17 commits
  4. 11 Feb, 2013 8 commits
    • Jonas Gorski's avatar
      mwl8k: fix band for supported channels · d786f67e
      Jonas Gorski authored
      The band field for the supported channels were left unpopulated, making
      them default to 0 == IEEE80211_BAND_2GHZ, even for the 5GHz channels.
      
      This resulted in null pointer accesses if anything tries to access
      wiphy->bands[channel->band] of a 5GHz channel on 5GHz only cards, since
      wiphy->bands[2GHZ] is NULL for them (e.g. cfg80211_chandef_usable does).
      
      Example kernel OOPS:
      
      [  665.669993] Unable to handle kernel NULL pointer dereference at virtual address 00000016
      [  665.678194] pgd = c6d58000
      [  665.680941] [00000016] *pgd=06f8a831, *pte=00000000, *ppte=00000000
      [  665.687303] Internal error: Oops: 17 [#1]
      (...)
      [  666.116373] Backtrace:
      [  666.118866] [<bf0368dc>] (cfg80211_chandef_usable+0x0/0x1bc [cfg80211]) from [<bf025e64>] (nl80211_leave_mesh+0x244/0x264 [cfg80211])
      [  666.130919]  r7:c6d12100 r6:0000143c r5:c0611c48 r4:c0611b98
      [  666.136668] [<bf025d84>] (nl80211_leave_mesh+0x164/0x264 [cfg80211]) from [<bf02634c>] (nl80211_remain_on_channel+0x2a0/0x358 [cfg80211])
      [  666.149074]  r7:c6d12000 r6:c6d12000 r5:c6f4f368 r4:00000003
      [  666.154814] [<bf0262ec>] (nl80211_remain_on_channel+0x240/0x358 [cfg80211]) from [<bf02ddb0>] (nl80211_set_wiphy+0x264/0x560 [cfg80211])
      [  666.167150] [<bf02db4c>] (nl80211_set_wiphy+0x0/0x560 [cfg80211]) from [<c01f94e0>] (genl_rcv_msg+0x1b8/0x1f8)
      [  666.177205] [<c01f9328>] (genl_rcv_msg+0x0/0x1f8) from [<c01f89a0>] (netlink_rcv_skb+0x58/0xb4)
      [  666.185949] [<c01f8948>] (netlink_rcv_skb+0x0/0xb4) from [<c01f931c>] (genl_rcv+0x20/0x2c)
      [  666.194251]  r6:c6f70780 r5:0000002c r4:c6f70780 r3:00000001
      [  666.199973] [<c01f92fc>] (genl_rcv+0x0/0x2c) from [<c01f8418>] (netlink_unicast+0x154/0x1f4)
      [  666.208449]  r4:c785ea00 r3:c01f92fc
      [  666.212057] [<c01f82c4>] (netlink_unicast+0x0/0x1f4) from [<c01f8790>] (netlink_sendmsg+0x230/0x2b0)
      [  666.221240] [<c01f8560>] (netlink_sendmsg+0x0/0x2b0) from [<c01cccf8>] (sock_sendmsg+0x90/0xa4)
      [  666.229986] [<c01ccc68>] (sock_sendmsg+0x0/0xa4) from [<c01cdcb0>] (__sys_sendmsg+0x290/0x298)
      [  666.238637]  r9:00000000 r8:c0611ec8 r6:0000002c r5:c0610000 r4:c0611f64
      [  666.245411] [<c01cda20>] (__sys_sendmsg+0x0/0x298) from [<c01cf52c>] (sys_sendmsg+0x44/0x6c)
      [  666.253897] [<c01cf4e8>] (sys_sendmsg+0x0/0x6c) from [<c00090a0>] (ret_fast_syscall+0x0/0x2c)
      [  666.262460]  r6:00000000 r5:beeff96c r4:00000005
      Signed-off-by: default avatarJonas Gorski <jogo@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d786f67e
    • John W. Linville's avatar
    • Stephen Hemminger's avatar
      bridge: set priority of STP packets · 547b4e71
      Stephen Hemminger authored
      Spanning Tree Protocol packets should have always been marked as
      control packets, this causes them to get queued in the high prirority
      FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
      gets overloaded and can't communicate. This is a long-standing bug back
      to the first versions of Linux bridge.
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      547b4e71
    • Stoney Wang's avatar
      x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems · cb214ede
      Stoney Wang authored
      When a HP ProLiant DL980 G7 Server boots a regular kernel,
      there will be intermittent lost interrupts which could
      result in a hang or (in extreme cases) data loss.
      
      The reason is that this system only supports x2apic physical
      mode, while the kernel boots with a logical-cluster default
      setting.
      
      This bug can be worked around by specifying the "x2apic_phys" or
      "nox2apic" boot option, but we want to handle this system
      without requiring manual workarounds.
      
      The BIOS sets ACPI_FADT_APIC_PHYSICAL in FADT table.
      As all apicids are smaller than 255, BIOS need to pass the
      control to the OS with xapic mode, according to x2apic-spec,
      chapter 2.9.
      
      Current code handle x2apic when BIOS pass with xapic mode
      enabled:
      
      When user specifies x2apic_phys, or FADT indicates PHYSICAL:
      
      1. During madt oem check, apic driver is set with xapic logical
         or xapic phys driver at first.
      
      2. enable_IR_x2apic() will enable x2apic_mode.
      
      3. if user specifies x2apic_phys on the boot line, x2apic_phys_probe()
         will install the correct x2apic phys driver and use x2apic phys mode.
         Otherwise it will skip the driver will let x2apic_cluster_probe to
         take over to install x2apic cluster driver (wrong one) even though FADT
         indicates PHYSICAL, because x2apic_phys_probe does not check
         FADT PHYSICAL.
      
      Add checking x2apic_fadt_phys in x2apic_phys_probe() to fix the
      problem.
      Signed-off-by: default avatarStoney Wang <song-bo.wang@hp.com>
      [ updated the changelog and simplified the code ]
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Cc: stable@kernel.org
      Link: http://lkml.kernel.org/r/1360263182-16226-1-git-send-email-yinghai@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      cb214ede
    • Johannes Berg's avatar
      mac80211: fix channel selection bug · 3d9646d0
      Johannes Berg authored
      When trying to connect to an AP that advertises HT but not
      VHT, the mac80211 code erroneously uses the configuration
      from the AP as is instead of checking it against regulatory
      and local capabilities. This can lead to using an invalid
      or even inexistent channel (like 11/HT40+).
      
      Additionally, the return flags from downgrading must be
      ORed together, to collect them from all of the downgrades.
      Also clarify the message.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3d9646d0
    • David S. Miller's avatar
      Merge branch 'master' of git://1984.lsi.us.es/nf · cfa82e02
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      The following patchset contains Netfilter/IPVS fixes for 3.8-rc7, they are:
      
      * Fix oops in IPVS state-sync due to releasing a random memory area due
        to unitialized pointer, from Dan Carpenter.
      
      * Fix SCTP flow establishment due to bad checksumming mangling in IPVS,
        from Daniel Borkmann.
      
      * Three fixes for the recently added IPv6 NPT, all from YOSHIFUJI Hideaki,
        with an amendment collapsed into those patches from Ulrich Weber. They
        fiix adjustment calculation, fix prefix mangling and ensure LSB of
        prefixes are zeroes (as required by RFC).
      
      Specifically, it took me a while to validate the 1's complement arithmetics/
      checksumming approach in the IPv6 NPT code.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cfa82e02
    • Eric Dumazet's avatar
      arp: fix possible crash in arp_rcv() · 044453b3
      Eric Dumazet authored
      We should call skb_share_check() before pskb_may_pull(), or we
      can crash in pskb_expand_head()
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      044453b3
    • David S. Miller's avatar
      Merge branch 'gso_type' · 839c8cc3
      David S. Miller authored
      Michael S. Tsirkin says:
      
      ====================
      At the moment, macvtap crashes are observed if macvtap is attached
      to an interface with LRO enabled.
      The crash in question is BUG() in macvtap_skb_to_vnet_hdr.
      This happens because several drivers set gso_size but not gso_type
      in incoming skbs.
      This didn't use to be the case: with intel cards on 3.2 and older
      kernels, with qlogic - on 3.4 and older kernels, so it's a regression if
      not a recent one.
      The following patches fix this for qlogic, broadcom and intel drivers.
      
      I tested that the patch fixes the crash for ixgbe but
      don't have qlogic/broadcom hardware to test.
      I also only tested TCPv4.
      
      Please review, and consider for 3.8.
      
      Changes from v1:
      	- added missing htons as suggested by Eric
      	- backported the relevant bits from
      	  cbf1de72 for bnx2x
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      839c8cc3