1. 05 May, 2014 8 commits
  2. 25 Apr, 2014 6 commits
    • Jay Cornwall's avatar
      iommu/amd: Fix PASID format in INVALIDATE_IOTLB_PAGES command · 81528093
      Jay Cornwall authored
      commit e8d2d82d upstream.
      
      This patch corrects the PASID format in the INVALIDATE_IOTLB_PAGES
      command, which was caused by incorrect information in
      the AMD IOMMU Architectural Specification v2.01 document.
      
          Incorrect format:
               cmd->data[0][16:23] = PASID[7:0]
               cmd->data[1][16:27] = PASID[19:8]
      
           Correct format:
               cmd->data[0][16:23] = PASID[15:8]
               cmd->data[1][16:23] = PASID[7:0]
      
      However, this does not affect the IOMMUv2 hardware implementation,
      and has been corrected since version 2.02 of the specification
      (available through AMD NDA).
      Signed-off-by: default avatarJay Cornwall <jay.cornwall@amd.com>
      Reviewed-by: default avatarSuravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Signed-off-by: default avatarJoerg Roedel <joro@8bytes.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      81528093
    • Tedd Ho-Jeong An's avatar
      Bluetooth: Add support for Intel Bluetooth device [8087:0a2a] · d4527ea4
      Tedd Ho-Jeong An authored
      commit ef4e5e4a upstream.
      
      This patch adds support for new Intel Bluetooth device.
      
      T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=8087 ProdID=0a2a Rev= 0.01
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d4527ea4
    • Ingo Molnar's avatar
      drivers/net: tulip_remove_one needs to call pci_disable_device() · 831bb557
      Ingo Molnar authored
      commit c321f7d7 upstream.
      
      Otherwise the device is not completely shut down.
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      831bb557
    • Petr Tesarik's avatar
      /dev/mem: handle out-of-bounds read/write · 3566e03b
      Petr Tesarik authored
      commit 08d2d00b upstream.
      
      The loff_t type may be wider than phys_addr_t (e.g. on 32-bit systems).
      Consequently, the file offset may be truncated in the assignment.
      Currently, /dev/mem wraps around, which may cause applications to read
      or write incorrect regions of memory by accident.
      
      Let's follow POSIX file semantics here and return 0 when reading from
      and -EFBIG when writing to an offset that cannot be represented by a
      phys_addr_t.
      
      Note that the conditional is optimized out by the compiler if loff_t
      has the same size as phys_addr_t.
      Signed-off-by: default avatarPetr Tesarik <ptesarik@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3566e03b
    • Emil Goode's avatar
      brcmsmac: fix deadlock on missing firmware · de0b7b0d
      Emil Goode authored
      commit 8fc1e8c2 upstream.
      
      When brcm80211 firmware is not installed networking hangs.
      A deadlock happens because we call ieee80211_unregister_hw()
      from the .start callback of struct ieee80211_ops. When .start
      is called we are under rtnl lock and ieee80211_unregister_hw()
      tries to take it again.
      
      Function call stack:
      
      dev_change_flags()
      	__dev_change_flags()
      		__dev_open()
      			ASSERT_RTNL() <-- Assert rtnl lock
      			ops->ndo_open()
      
      .ndo_open = ieee80211_open,
      
      ieee80211_open()
      	ieee80211_do_open()
      		drv_start()
      			local->ops->start()
      
      .start = brcms_ops_start,
      
      brcms_ops_start()
      	brcms_remove()
      		ieee80211_unregister_hw()
      			rtnl_lock() <-- Here we deadlock
      
      Introduced by:
      commit 25b5632f
      ("brcmsmac: request firmware in .start() callback")
      
      This patch fixes the bug by removing the call to brcms_remove()
      and moves the brcms_request_fw() call to the top of the .start
      callback to not initiate anything unless firmware is installed.
      Signed-off-by: default avatarEmil Goode <emilgoode@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      de0b7b0d
    • Alexei Starovoitov's avatar
      openvswitch: fix vport-netdev unregister · 7d4f4737
      Alexei Starovoitov authored
      commit b07c2651 upstream.
      
      The combination of two commits:
      commit 8e4e1713
      ("openvswitch: Simplify datapath locking.")
      commit 2537b4dd
      ("openvswitch:: link upper device for port devices")
      
      introduced a bug where upper_dev wasn't unlinked upon
      netdev_unregister notification
      
      The following steps:
      
        modprobe openvswitch
        ovs-dpctl add-dp test
        ip tuntap add dev tap1 mode tap
        ovs-dpctl add-if test tap1
        ip tuntap del dev tap1 mode tap
      
      are causing multiple warnings:
      
      [   62.747557] gre: GRE over IPv4 demultiplexor driver
      [   62.749579] openvswitch: Open vSwitch switching datapath
      [   62.755087] device test entered promiscuous mode
      [   62.765911] device tap1 entered promiscuous mode
      [   62.766033] IPv6: ADDRCONF(NETDEV_UP): tap1: link is not ready
      [   62.769017] ------------[ cut here ]------------
      [   62.769022] WARNING: CPU: 1 PID: 3267 at net/core/dev.c:5501 rollback_registered_many+0x20f/0x240()
      [   62.769023] Modules linked in: openvswitch gre vxlan ip_tunnel libcrc32c ip6table_filter ip6_tables ebtable_nat ebtables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_CHECKSUM iptable_mangle ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc vhost_net macvtap macvlan vhost kvm_intel kvm dm_crypt iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi hid_generic mxm_wmi eeepc_wmi asus_wmi sparse_keymap dm_multipath psmouse serio_raw usbhid hid parport_pc ppdev firewire_ohci lpc_ich firewire_core e1000e crc_itu_t binfmt_misc igb dca ptp pps_core mac_hid wmi lp parport i2o_config i2o_block video
      [   62.769051] CPU: 1 PID: 3267 Comm: ip Not tainted 3.12.0-rc3+ #60
      [   62.769052] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012
      [   62.769053]  0000000000000009 ffff8807f25cbd28 ffffffff8175e575 0000000000000006
      [   62.769055]  0000000000000000 ffff8807f25cbd68 ffffffff8105314c ffff8807f25cbd58
      [   62.769057]  ffff8807f2634000 ffff8807f25cbdc8 ffff8807f25cbd88 ffff8807f25cbdc8
      [   62.769059] Call Trace:
      [   62.769062]  [<ffffffff8175e575>] dump_stack+0x55/0x76
      [   62.769065]  [<ffffffff8105314c>] warn_slowpath_common+0x8c/0xc0
      [   62.769067]  [<ffffffff8105319a>] warn_slowpath_null+0x1a/0x20
      [   62.769069]  [<ffffffff8162a04f>] rollback_registered_many+0x20f/0x240
      [   62.769071]  [<ffffffff8162a101>] rollback_registered+0x31/0x40
      [   62.769073]  [<ffffffff8162a488>] unregister_netdevice_queue+0x58/0x90
      [   62.769075]  [<ffffffff8154f900>] __tun_detach+0x140/0x340
      [   62.769077]  [<ffffffff8154fb36>] tun_chr_close+0x36/0x60
      [   62.769080]  [<ffffffff811bddaf>] __fput+0xff/0x260
      [   62.769082]  [<ffffffff811bdf5e>] ____fput+0xe/0x10
      [   62.769084]  [<ffffffff8107b515>] task_work_run+0xb5/0xe0
      [   62.769087]  [<ffffffff810029b9>] do_notify_resume+0x59/0x80
      [   62.769089]  [<ffffffff813a41fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [   62.769091]  [<ffffffff81770f5a>] int_signal+0x12/0x17
      [   62.769093] ---[ end trace 838756c62e156ffb ]---
      [   62.769481] ------------[ cut here ]------------
      [   62.769485] WARNING: CPU: 1 PID: 92 at fs/sysfs/inode.c:325 sysfs_hash_and_remove+0xa9/0xb0()
      [   62.769486] sysfs: can not remove 'master', no directory
      [   62.769486] Modules linked in: openvswitch gre vxlan ip_tunnel libcrc32c ip6table_filter ip6_tables ebtable_nat ebtables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_CHECKSUM iptable_mangle ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc vhost_net macvtap macvlan vhost kvm_intel kvm dm_crypt iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi hid_generic mxm_wmi eeepc_wmi asus_wmi sparse_keymap dm_multipath psmouse serio_raw usbhid hid parport_pc ppdev firewire_ohci lpc_ich firewire_core e1000e crc_itu_t binfmt_misc igb dca ptp pps_core mac_hid wmi lp parport i2o_config i2o_block video
      [   62.769514] CPU: 1 PID: 92 Comm: kworker/1:2 Tainted: G        W    3.12.0-rc3+ #60
      [   62.769515] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012
      [   62.769518] Workqueue: events ovs_dp_notify_wq [openvswitch]
      [   62.769519]  0000000000000009 ffff880807ad3ac8 ffffffff8175e575 0000000000000006
      [   62.769521]  ffff880807ad3b18 ffff880807ad3b08 ffffffff8105314c ffff880807ad3b28
      [   62.769523]  0000000000000000 ffffffff81a87a1f ffff8807f2634000 ffff880037038500
      [   62.769525] Call Trace:
      [   62.769528]  [<ffffffff8175e575>] dump_stack+0x55/0x76
      [   62.769529]  [<ffffffff8105314c>] warn_slowpath_common+0x8c/0xc0
      [   62.769531]  [<ffffffff81053236>] warn_slowpath_fmt+0x46/0x50
      [   62.769533]  [<ffffffff8123e7e9>] sysfs_hash_and_remove+0xa9/0xb0
      [   62.769535]  [<ffffffff81240e96>] sysfs_remove_link+0x26/0x30
      [   62.769538]  [<ffffffff81631ef7>] __netdev_adjacent_dev_remove+0xf7/0x150
      [   62.769540]  [<ffffffff81632037>] __netdev_adjacent_dev_unlink_lists+0x27/0x50
      [   62.769542]  [<ffffffff8163213a>] __netdev_adjacent_dev_unlink_neighbour+0x3a/0x50
      [   62.769544]  [<ffffffff8163218d>] netdev_upper_dev_unlink+0x3d/0x140
      [   62.769548]  [<ffffffffa033c2db>] netdev_destroy+0x4b/0x80 [openvswitch]
      [   62.769550]  [<ffffffffa033b696>] ovs_vport_del+0x46/0x60 [openvswitch]
      [   62.769552]  [<ffffffffa0335314>] ovs_dp_detach_port+0x44/0x60 [openvswitch]
      [   62.769555]  [<ffffffffa0336574>] ovs_dp_notify_wq+0xb4/0x150 [openvswitch]
      [   62.769557]  [<ffffffff81075c28>] process_one_work+0x1d8/0x6a0
      [   62.769559]  [<ffffffff81075bc8>] ? process_one_work+0x178/0x6a0
      [   62.769562]  [<ffffffff8107659b>] worker_thread+0x11b/0x370
      [   62.769564]  [<ffffffff81076480>] ? rescuer_thread+0x350/0x350
      [   62.769566]  [<ffffffff8107f44a>] kthread+0xea/0xf0
      [   62.769568]  [<ffffffff8107f360>] ? flush_kthread_worker+0x150/0x150
      [   62.769570]  [<ffffffff81770bac>] ret_from_fork+0x7c/0xb0
      [   62.769572]  [<ffffffff8107f360>] ? flush_kthread_worker+0x150/0x150
      [   62.769573] ---[ end trace 838756c62e156ffc ]---
      [   62.769574] ------------[ cut here ]------------
      [   62.769576] WARNING: CPU: 1 PID: 92 at fs/sysfs/inode.c:325 sysfs_hash_and_remove+0xa9/0xb0()
      [   62.769577] sysfs: can not remove 'upper_test', no directory
      [   62.769577] Modules linked in: openvswitch gre vxlan ip_tunnel libcrc32c ip6table_filter ip6_tables ebtable_nat ebtables nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack xt_CHECKSUM iptable_mangle ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc vhost_net macvtap macvlan vhost kvm_intel kvm dm_crypt iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi hid_generic mxm_wmi eeepc_wmi asus_wmi sparse_keymap dm_multipath psmouse serio_raw usbhid hid parport_pc ppdev firewire_ohci lpc_ich firewire_core e1000e crc_itu_t binfmt_misc igb dca ptp pps_core mac_hid wmi lp parport i2o_config i2o_block video
      [   62.769603] CPU: 1 PID: 92 Comm: kworker/1:2 Tainted: G        W    3.12.0-rc3+ #60
      [   62.769604] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012
      [   62.769606] Workqueue: events ovs_dp_notify_wq [openvswitch]
      [   62.769607]  0000000000000009 ffff880807ad3ac8 ffffffff8175e575 0000000000000006
      [   62.769609]  ffff880807ad3b18 ffff880807ad3b08 ffffffff8105314c ffff880807ad3b58
      [   62.769611]  0000000000000000 ffff880807ad3bd9 ffff8807f2634000 ffff880037038500
      [   62.769613] Call Trace:
      [   62.769615]  [<ffffffff8175e575>] dump_stack+0x55/0x76
      [   62.769617]  [<ffffffff8105314c>] warn_slowpath_common+0x8c/0xc0
      [   62.769619]  [<ffffffff81053236>] warn_slowpath_fmt+0x46/0x50
      [   62.769621]  [<ffffffff8123e7e9>] sysfs_hash_and_remove+0xa9/0xb0
      [   62.769622]  [<ffffffff81240e96>] sysfs_remove_link+0x26/0x30
      [   62.769624]  [<ffffffff81631f22>] __netdev_adjacent_dev_remove+0x122/0x150
      [   62.769627]  [<ffffffff81632037>] __netdev_adjacent_dev_unlink_lists+0x27/0x50
      [   62.769629]  [<ffffffff8163213a>] __netdev_adjacent_dev_unlink_neighbour+0x3a/0x50
      [   62.769631]  [<ffffffff8163218d>] netdev_upper_dev_unlink+0x3d/0x140
      [   62.769633]  [<ffffffffa033c2db>] netdev_destroy+0x4b/0x80 [openvswitch]
      [   62.769636]  [<ffffffffa033b696>] ovs_vport_del+0x46/0x60 [openvswitch]
      [   62.769638]  [<ffffffffa0335314>] ovs_dp_detach_port+0x44/0x60 [openvswitch]
      [   62.769640]  [<ffffffffa0336574>] ovs_dp_notify_wq+0xb4/0x150 [openvswitch]
      [   62.769642]  [<ffffffff81075c28>] process_one_work+0x1d8/0x6a0
      [   62.769644]  [<ffffffff81075bc8>] ? process_one_work+0x178/0x6a0
      [   62.769646]  [<ffffffff8107659b>] worker_thread+0x11b/0x370
      [   62.769648]  [<ffffffff81076480>] ? rescuer_thread+0x350/0x350
      [   62.769650]  [<ffffffff8107f44a>] kthread+0xea/0xf0
      [   62.769652]  [<ffffffff8107f360>] ? flush_kthread_worker+0x150/0x150
      [   62.769654]  [<ffffffff81770bac>] ret_from_fork+0x7c/0xb0
      [   62.769656]  [<ffffffff8107f360>] ? flush_kthread_worker+0x150/0x150
      [   62.769657] ---[ end trace 838756c62e156ffd ]---
      [   62.769724] device tap1 left promiscuous mode
      
      This patch also affects moving devices between net namespaces.
      
      OVS used to ignore netns move notifications which caused problems.
      Like:
        ovs-dpctl add-if test tap1
        ip link set tap1 netns 3512
      and then removing tap1 inside the namespace will cause hang on missing dev_put.
      
      With this patch OVS will detach dev upon receiving netns move event.
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: default avatarJesse Gross <jesse@nicira.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7d4f4737
  3. 18 Apr, 2014 26 commits
    • Jiri Slaby's avatar
      Linux 3.12.18 · ae2a5e12
      Jiri Slaby authored
      ae2a5e12
    • Ard Biesheuvel's avatar
      crypto: ghash-clmulni-intel - use C implementation for setkey() · a9149a36
      Ard Biesheuvel authored
      commit 8ceee728 upstream.
      
      The GHASH setkey() function uses SSE registers but fails to call
      kernel_fpu_begin()/kernel_fpu_end(). Instead of adding these calls, and
      then having to deal with the restriction that they cannot be called from
      interrupt context, move the setkey() implementation to the C domain.
      
      Note that setkey() does not use any particular SSE features and is not
      expected to become a performance bottleneck.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Fixes: 0e1227d3 (crypto: ghash - Add PCLMULQDQ accelerated implementation)
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a9149a36
    • Vineet Gupta's avatar
      ARC: [nsimosci] Unbork console · 9fc22da2
      Vineet Gupta authored
      commit 61fb4bfc upstream.
      
      Despite the switch to right UART driver (prev patch), serial console
      still doesn't work due to missing CONFIG_SERIAL_OF_PLATFORM
      
      Also fix the default cmdline in DT to not refer to out-of-tree
      ARC framebuffer driver for console.
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Cc: Francois Bedard <Francois.Bedard@synopsys.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9fc22da2
    • Mischa Jonker's avatar
      ARC: [nsimosci] Change .dts to use generic 8250 UART · 83380df6
      Mischa Jonker authored
      commit 6eda477b upstream.
      
      The Synopsys APB DW UART has a couple of special features that are not
      in the System C model. In 3.8, the 8250_dw driver didn't really use these
      features, but from 3.9 onwards, the 8250_dw driver has become incompatible
      with our model.
      Signed-off-by: default avatarMischa Jonker <mjonker@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Cc: Francois Bedard <Francois.Bedard@synopsys.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      83380df6
    • Sasha Levin's avatar
      rds: prevent dereference of a NULL device in rds_iw_laddr_check · 64005923
      Sasha Levin authored
      [ Upstream commit bf39b424 ]
      
      Binding might result in a NULL device which is later dereferenced
      without checking.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      64005923
    • Dan Carpenter's avatar
      isdnloop: several buffer overflows · f11c98ee
      Dan Carpenter authored
      [ Upstream commit 7563487c ]
      
      There are three buffer overflows addressed in this patch.
      
      1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
      then copy it into a 60 character buffer.  I have made the destination
      buffer 64 characters and I'm changed the sprintf() to a snprintf().
      
      2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
      character buffer so we have 54 characters.  The ->eazlist[] is 11
      characters long.  I have modified the code to return if the source
      buffer is too long.
      
      3) In isdnloop_command() the cbuf[] array was 60 characters long but the
      max length of the string then can be up to 79 characters.  I made the
      cbuf array 80 characters long and changed the sprintf() to snprintf().
      I also removed the temporary "dial" buffer and changed it to use "p"
      directly.
      
      Unfortunately, we pass the "cbuf" string from isdnloop_command() to
      isdnloop_writecmd() which truncates anything over 60 characters to make
      it fit in card->omsg[].  (It can accept values up to 255 characters so
      long as there is a '\n' character every 60 characters).  For now I have
      just fixed the memory corruption bug and left the other problems in this
      driver alone.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f11c98ee
    • YOSHIFUJI Hideaki's avatar
      isdnloop: Validate NUL-terminated strings from user. · 2d6c1221
      YOSHIFUJI Hideaki authored
      [ Upstream commit 77bc6bed ]
      
      Return -EINVAL unless all of user-given strings are correctly
      NUL-terminated.
      Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2d6c1221
    • Mike Rapoport's avatar
      net: vxlan: fix crash when interface is created with no group · 362bc7e2
      Mike Rapoport authored
      [ Upstream commit 5933a7bb ]
      
      If the vxlan interface is created without explicit group definition,
      there are corner cases which may cause kernel panic.
      
      For instance, in the following scenario:
      
      node A:
      $ ip link add dev vxlan42  address 2c:c2:60:00:10:20 type vxlan id 42
      $ ip addr add dev vxlan42 10.0.0.1/24
      $ ip link set up dev vxlan42
      $ arp -i vxlan42 -s 10.0.0.2 2c:c2:60:00:01:02
      $ bridge fdb add dev vxlan42 to 2c:c2:60:00:01:02 dst <IPv4 address>
      $ ping 10.0.0.2
      
      node B:
      $ ip link add dev vxlan42 address 2c:c2:60:00:01:02 type vxlan id 42
      $ ip addr add dev vxlan42 10.0.0.2/24
      $ ip link set up dev vxlan42
      $ arp -i vxlan42 -s 10.0.0.1 2c:c2:60:00:10:20
      
      node B crashes:
      
       vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address)
       vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address)
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000046
       IP: [<ffffffff8143c459>] ip6_route_output+0x58/0x82
       PGD 7bd89067 PUD 7bd4e067 PMD 0
       Oops: 0000 [#1] SMP
       Modules linked in:
       CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.0-rc8-hvx-xen-00019-g97a5221f-dirty #154
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
       task: ffff88007c774f50 ti: ffff88007c79c000 task.ti: ffff88007c79c000
       RIP: 0010:[<ffffffff8143c459>]  [<ffffffff8143c459>] ip6_route_output+0x58/0x82
       RSP: 0018:ffff88007fd03668  EFLAGS: 00010282
       RAX: 0000000000000000 RBX: ffffffff8186a000 RCX: 0000000000000040
       RDX: 0000000000000000 RSI: ffff88007b0e4a80 RDI: ffff88007fd03754
       RBP: ffff88007fd03688 R08: ffff88007b0e4a80 R09: 0000000000000000
       R10: 0200000a0100000a R11: 0001002200000000 R12: ffff88007fd03740
       R13: ffff88007b0e4a80 R14: ffff88007b0e4a80 R15: ffff88007bba0c50
       FS:  0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
       CR2: 0000000000000046 CR3: 000000007bb60000 CR4: 00000000000006e0
       Stack:
        0000000000000000 ffff88007fd037a0 ffffffff8186a000 ffff88007fd03740
        ffff88007fd036c8 ffffffff814320bb 0000000000006e49 ffff88007b8b7360
        ffff88007bdbf200 ffff88007bcbc000 ffff88007b8b7000 ffff88007b8b7360
       Call Trace:
        <IRQ>
        [<ffffffff814320bb>] ip6_dst_lookup_tail+0x2d/0xa4
        [<ffffffff814322a5>] ip6_dst_lookup+0x10/0x12
        [<ffffffff81323b4e>] vxlan_xmit_one+0x32a/0x68c
        [<ffffffff814a325a>] ? _raw_spin_unlock_irqrestore+0x12/0x14
        [<ffffffff8104c551>] ? lock_timer_base.isra.23+0x26/0x4b
        [<ffffffff8132451a>] vxlan_xmit+0x66a/0x6a8
        [<ffffffff8141a365>] ? ipt_do_table+0x35f/0x37e
        [<ffffffff81204ba2>] ? selinux_ip_postroute+0x41/0x26e
        [<ffffffff8139d0c1>] dev_hard_start_xmit+0x2ce/0x3ce
        [<ffffffff8139d491>] __dev_queue_xmit+0x2d0/0x392
        [<ffffffff813b380f>] ? eth_header+0x28/0xb5
        [<ffffffff8139d569>] dev_queue_xmit+0xb/0xd
        [<ffffffff813a5aa6>] neigh_resolve_output+0x134/0x152
        [<ffffffff813db741>] ip_finish_output2+0x236/0x299
        [<ffffffff813dc074>] ip_finish_output+0x98/0x9d
        [<ffffffff813dc749>] ip_output+0x62/0x67
        [<ffffffff813da9f2>] dst_output+0xf/0x11
        [<ffffffff813dc11c>] ip_local_out+0x1b/0x1f
        [<ffffffff813dcf1b>] ip_send_skb+0x11/0x37
        [<ffffffff813dcf70>] ip_push_pending_frames+0x2f/0x33
        [<ffffffff813ff732>] icmp_push_reply+0x106/0x115
        [<ffffffff813ff9e4>] icmp_reply+0x142/0x164
        [<ffffffff813ffb3b>] icmp_echo.part.16+0x46/0x48
        [<ffffffff813c1d30>] ? nf_iterate+0x43/0x80
        [<ffffffff813d8037>] ? xfrm4_policy_check.constprop.11+0x52/0x52
        [<ffffffff813ffb62>] icmp_echo+0x25/0x27
        [<ffffffff814005f7>] icmp_rcv+0x1d2/0x20a
        [<ffffffff813d8037>] ? xfrm4_policy_check.constprop.11+0x52/0x52
        [<ffffffff813d810d>] ip_local_deliver_finish+0xd6/0x14f
        [<ffffffff813d8037>] ? xfrm4_policy_check.constprop.11+0x52/0x52
        [<ffffffff813d7fde>] NF_HOOK.constprop.10+0x4c/0x53
        [<ffffffff813d82bf>] ip_local_deliver+0x4a/0x4f
        [<ffffffff813d7f7b>] ip_rcv_finish+0x253/0x26a
        [<ffffffff813d7d28>] ? inet_add_protocol+0x3e/0x3e
        [<ffffffff813d7fde>] NF_HOOK.constprop.10+0x4c/0x53
        [<ffffffff813d856a>] ip_rcv+0x2a6/0x2ec
        [<ffffffff8139a9a0>] __netif_receive_skb_core+0x43e/0x478
        [<ffffffff812a346f>] ? virtqueue_poll+0x16/0x27
        [<ffffffff8139aa2f>] __netif_receive_skb+0x55/0x5a
        [<ffffffff8139aaaa>] process_backlog+0x76/0x12f
        [<ffffffff8139add8>] net_rx_action+0xa2/0x1ab
        [<ffffffff81047847>] __do_softirq+0xca/0x1d1
        [<ffffffff81047ace>] irq_exit+0x3e/0x85
        [<ffffffff8100b98b>] do_IRQ+0xa9/0xc4
        [<ffffffff814a37ad>] common_interrupt+0x6d/0x6d
        <EOI>
        [<ffffffff810378db>] ? native_safe_halt+0x6/0x8
        [<ffffffff810110c7>] default_idle+0x9/0xd
        [<ffffffff81011694>] arch_cpu_idle+0x13/0x1c
        [<ffffffff8107480d>] cpu_startup_entry+0xbc/0x137
        [<ffffffff8102e741>] start_secondary+0x1a0/0x1a5
       Code: 24 14 e8 f1 e5 01 00 31 d2 a8 32 0f 95 c2 49 8b 44 24 2c 49 0b 44 24 24 74 05 83 ca 04 eb 1c 4d 85 ed 74 17 49 8b 85 a8 02 00 00 <66> 8b 40 46 66 c1 e8 07 83 e0 07 c1 e0 03 09 c2 4c 89 e6 48 89
       RIP  [<ffffffff8143c459>] ip6_route_output+0x58/0x82
        RSP <ffff88007fd03668>
       CR2: 0000000000000046
       ---[ end trace 4612329caab37efd ]---
      
      When vxlan interface is created without explicit group definition, the
      default_dst protocol family is initialiazed to AF_UNSPEC and the driver
      assumes IPv4 configuration. On the other side, the default_dst protocol
      family is used to differentiate between IPv4 and IPv6 cases and, since,
      AF_UNSPEC != AF_INET, the processing takes the IPv6 path.
      
      Making the IPv4 assumption explicit by settting default_dst protocol
      family to AF_INET4 and preventing mixing of IPv4 and IPv6 addresses in
      snooped fdb entries fixes the corner case crashes.
      Signed-off-by: default avatarMike Rapoport <mike.rapoport@ravellosystems.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      362bc7e2
    • Wei Liu's avatar
      xen-netback: disable rogue vif in kthread context · 699dfec4
      Wei Liu authored
      [ Upstream commit e9d8b2c2 ]
      
      When netback discovers frontend is sending malformed packet it will
      disables the interface which serves that frontend.
      
      However disabling a network interface involving taking a mutex which
      cannot be done in softirq context, so we need to defer this process to
      kthread context.
      
      This patch does the following:
      1. introduce a flag to indicate the interface is disabled.
      2. check that flag in TX path, don't do any work if it's true.
      3. check that flag in RX path, turn off that interface if it's true.
      
      The reason to disable it in RX path is because RX uses kthread. After
      this change the behavior of netback is still consistent -- it won't do
      any TX work for a rogue frontend, and the interface will be eventually
      turned off.
      
      Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
      doesn't make sense to continue processing packets if frontend is rogue.
      
      This is a fix for XSA-90.
      Reported-by: default avatarTörök Edwin <edwin@etorok.net>
      Signed-off-by: default avatarWei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Acked-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      699dfec4
    • Pablo Neira's avatar
      netlink: don't compare the nul-termination in nla_strcmp · 066bde36
      Pablo Neira authored
      [ Upstream commit 8b7b9324 ]
      
      nla_strcmp compares the string length plus one, so it's implicitly
      including the nul-termination in the comparison.
      
       int nla_strcmp(const struct nlattr *nla, const char *str)
       {
              int len = strlen(str) + 1;
              ...
                      d = memcmp(nla_data(nla), str, len);
      
      However, if NLA_STRING is used, userspace can send us a string without
      the nul-termination. This is a problem since the string
      comparison will not match as the last byte may be not the
      nul-termination.
      
      Fix this by skipping the comparison of the nul-termination if the
      attribute data is nul-terminated. Suggested by Thomas Graf.
      
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      066bde36
    • Hannes Frederic Sowa's avatar
      ipv6: some ipv6 statistic counters failed to disable bh · 60fe3f63
      Hannes Frederic Sowa authored
      [ Upstream commit 43a43b60 ]
      
      After commit c15b1cca ("ipv6: move DAD and addrconf_verify
      processing to workqueue") some counters are now updated in process context
      and thus need to disable bh before doing so, otherwise deadlocks can
      happen on 32-bit archs. Fabio Estevam noticed this while while mounting
      a NFS volume on an ARM board.
      
      As a compensation for missing this I looked after the other *_STATS_BH
      and found three other calls which need updating:
      
      1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling)
      2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ...
         (only in case of icmp protocol with raw sockets in error handling)
      3) ping6_v6_sendmsg (error handling)
      
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing to workqueue")
      Reported-by: default avatarFabio Estevam <festevam@gmail.com>
      Tested-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      60fe3f63
    • Paul Durrant's avatar
      xen-netback: remove pointless clause from if statement · 63273418
      Paul Durrant authored
      [ Upstream commit 0576eddf ]
      
      This patch removes a test in start_new_rx_buffer() that checks whether
      a copy operation is less than MAX_BUFFER_OFFSET in length, since
      MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of
      start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less.
      Signed-off-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: Wei Liu <wei.liu2@citrix.com>
      Cc: Sander Eikelenboom <linux@eikelenboom.it>
      Reported-By: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Tested-By: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      63273418
    • Michael S. Tsirkin's avatar
      vhost: validate vhost_get_vq_desc return value · a2a366eb
      Michael S. Tsirkin authored
      [ Upstream commit a39ee449 ]
      
      vhost fails to validate negative error code
      from vhost_get_vq_desc causing
      a crash: we are using -EFAULT which is 0xfffffff2
      as vector size, which exceeds the allocated size.
      
      The code in question was introduced in commit
      8dd014ad
          vhost-net: mergeable buffers support
      
      CVE-2014-0055
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a2a366eb
    • Michael S. Tsirkin's avatar
      vhost: fix total length when packets are too short · c6663594
      Michael S. Tsirkin authored
      [ Upstream commit d8316f39 ]
      
      When mergeable buffers are disabled, and the
      incoming packet is too large for the rx buffer,
      get_rx_bufs returns success.
      
      This was intentional in order for make recvmsg
      truncate the packet and then handle_rx would
      detect err != sock_len and drop it.
      
      Unfortunately we pass the original sock_len to
      recvmsg - which means we use parts of iov not fully
      validated.
      
      Fix this up by detecting this overrun and doing packet drop
      immediately.
      
      CVE-2014-0077
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c6663594
    • Vlad Yasevich's avatar
      vlan: Set hard_header_len according to available acceleration · 9ef39f43
      Vlad Yasevich authored
      [ Upstream commit fc0d48b8 ]
      
      Currently, if the card supports CTAG acceleration we do not
      account for the vlan header even if we are configuring an
      8021AD vlan.  This may not be best since we'll do software
      tagging for 8021AD which will cause data copy on skb head expansion
      Configure the length based on available hw offload capabilities and
      vlan protocol.
      
      CC: Patrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9ef39f43
    • Oliver Neukum's avatar
      usbnet: include wait queue head in device structure · 0631987d
      Oliver Neukum authored
      [ Upstream commit 14a0d635 ]
      
      This fixes a race which happens by freeing an object on the stack.
      Quoting Julius:
      > The issue is
      > that it calls usbnet_terminate_urbs() before that, which temporarily
      > installs a waitqueue in dev->wait in order to be able to wait on the
      > tasklet to run and finish up some queues. The waiting itself looks
      > okay, but the access to 'dev->wait' is totally unprotected and can
      > race arbitrarily. I think in this case usbnet_bh() managed to succeed
      > it's dev->wait check just before usbnet_terminate_urbs() sets it back
      > to NULL. The latter then finishes and the waitqueue_t structure on its
      > stack gets overwritten by other functions halfway through the
      > wake_up() call in usbnet_bh().
      
      The fix is to just not allocate the data structure on the stack.
      As dev->wait is abused as a flag it also takes a runtime PM change
      to fix this bug.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Reported-by: default avatarGrant Grundler <grundler@google.com>
      Tested-by: default avatarGrant Grundler <grundler@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0631987d
    • Vlad Yasevich's avatar
      tg3: Do not include vlan acceleration features in vlan_features · 3552f3fc
      Vlad Yasevich authored
      [ Upstream commit 51dfe7b9 ]
      
      Including hardware acceleration features in vlan_features breaks
      stacked vlans (Q-in-Q) by marking the bottom vlan interface as
      capable of acceleration.  This causes one of the tags to be lost
      and the packets are sent with a sing vlan header.
      
      CC: Nithin Nayak Sujir <nsujir@broadcom.com>
      CC: Michael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3552f3fc
    • Pravin B Shelar's avatar
      ip_tunnel: Fix dst ref-count. · 71986b40
      Pravin B Shelar authored
      [ Upstream commit fbd02dd4 ]
      
      Commit 10ddceb2 (ip_tunnel:multicast process cause panic due
      to skb->_skb_refdst NULL pointer) removed dst-drop call from
      ip-tunnel-recv.
      
      Following commit reintroduce dst-drop and fix the original bug by
      checking loopback packet before releasing dst.
      Original bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681
      
      CC: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      71986b40
    • Erik Hugne's avatar
      tipc: fix spinlock recursion bug for failed subscriptions · 21a018a5
      Erik Hugne authored
      [ Upstream commit a5d0e7c0 ]
      
      If a topology event subscription fails for any reason, such as out
      of memory, max number reached or because we received an invalid
      request the correct behavior is to terminate the subscribers
      connection to the topology server. This is currently broken and
      produces the following oops:
      
      [27.953662] tipc: Subscription rejected, illegal request
      [27.955329] BUG: spinlock recursion on CPU#1, kworker/u4:0/6
      [27.957066]  lock: 0xffff88003c67f408, .magic: dead4ead, .owner: kworker/u4:0/6, .owner_cpu: 1
      [27.958054] CPU: 1 PID: 6 Comm: kworker/u4:0 Not tainted 3.14.0-rc6+ #5
      [27.960230] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [27.960874] Workqueue: tipc_rcv tipc_recv_work [tipc]
      [27.961430]  ffff88003c67f408 ffff88003de27c18 ffffffff815c0207 ffff88003de1c050
      [27.962292]  ffff88003de27c38 ffffffff815beec5 ffff88003c67f408 ffffffff817f0a8a
      [27.963152]  ffff88003de27c58 ffffffff815beeeb ffff88003c67f408 ffffffffa0013520
      [27.964023] Call Trace:
      [27.964292]  [<ffffffff815c0207>] dump_stack+0x45/0x56
      [27.964874]  [<ffffffff815beec5>] spin_dump+0x8c/0x91
      [27.965420]  [<ffffffff815beeeb>] spin_bug+0x21/0x26
      [27.965995]  [<ffffffff81083df6>] do_raw_spin_lock+0x116/0x140
      [27.966631]  [<ffffffff815c6215>] _raw_spin_lock_bh+0x15/0x20
      [27.967256]  [<ffffffffa0008540>] subscr_conn_shutdown_event+0x20/0xa0 [tipc]
      [27.968051]  [<ffffffffa000fde4>] tipc_close_conn+0xa4/0xb0 [tipc]
      [27.968722]  [<ffffffffa00101ba>] tipc_conn_terminate+0x1a/0x30 [tipc]
      [27.969436]  [<ffffffffa00089a2>] subscr_conn_msg_event+0x1f2/0x2f0 [tipc]
      [27.970209]  [<ffffffffa0010000>] tipc_receive_from_sock+0x90/0xf0 [tipc]
      [27.970972]  [<ffffffffa000fa79>] tipc_recv_work+0x29/0x50 [tipc]
      [27.971633]  [<ffffffff8105dbf5>] process_one_work+0x165/0x3e0
      [27.972267]  [<ffffffff8105e869>] worker_thread+0x119/0x3a0
      [27.972896]  [<ffffffff8105e750>] ? manage_workers.isra.25+0x2a0/0x2a0
      [27.973622]  [<ffffffff810648af>] kthread+0xdf/0x100
      [27.974168]  [<ffffffff810647d0>] ? kthread_create_on_node+0x1a0/0x1a0
      [27.974893]  [<ffffffff815ce13c>] ret_from_fork+0x7c/0xb0
      [27.975466]  [<ffffffff810647d0>] ? kthread_create_on_node+0x1a0/0x1a0
      
      The recursion occurs when subscr_terminate tries to grab the
      subscriber lock, which is already taken by subscr_conn_msg_event.
      We fix this by checking if the request to establish a new
      subscription was successful, and if not we initiate termination of
      the subscriber after we have released the subscriber lock.
      Signed-off-by: default avatarErik Hugne <erik.hugne@ericsson.com>
      Reviewed-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      21a018a5
    • Li RongQing's avatar
      netpoll: fix the skb check in pkt_is_ns · d40390bf
      Li RongQing authored
      [ Not applicable upstream commit, the code here has been removed
        upstream. ]
      
      Neighbor Solicitation is ipv6 protocol, so we should check
      skb->protocol with ETH_P_IPV6
      Signed-off-by: default avatarLi RongQing <roy.qing.li@gmail.com>
      Cc: WANG Cong <amwang@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d40390bf
    • Nishanth Menon's avatar
      net: micrel : ks8851-ml: add vdd-supply support · d8496cba
      Nishanth Menon authored
      [ Upstream commit ebf4ad95 ]
      
      Few platforms use external regulator to keep the ethernet MAC supplied.
      So, request and enable the regulator for driver functionality.
      
      Fixes: 66fda75f (regulator: core: Replace direct ops->disable usage)
      Reported-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Suggested-by: default avatarMarkus Pargmann <mpa@pengutronix.de>
      Signed-off-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8496cba
    • Nicolas Dichtel's avatar
      ip6mr: fix mfc notification flags · 5d0d91da
      Nicolas Dichtel authored
      [ Upstream commit f518338b ]
      
      Commit 812e44dd ("ip6mr: advertise new mfc entries via rtnl") reuses the
      function ip6mr_fill_mroute() to notify mfc events.
      But this function was used only for dump and thus was always setting the
      flag NLM_F_MULTI, which is wrong in case of a single notification.
      
      Libraries like libnl will wait forever for NLMSG_DONE.
      
      CC: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5d0d91da
    • Nicolas Dichtel's avatar
      ipmr: fix mfc notification flags · 6007e2c2
      Nicolas Dichtel authored
      [ Upstream commit 65886f43 ]
      
      Commit 8cd3ac9f ("ipmr: advertise new mfc entries via rtnl") reuses the
      function ipmr_fill_mroute() to notify mfc events.
      But this function was used only for dump and thus was always setting the
      flag NLM_F_MULTI, which is wrong in case of a single notification.
      
      Libraries like libnl will wait forever for NLMSG_DONE.
      
      CC: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6007e2c2
    • Nicolas Dichtel's avatar
      rtnetlink: fix fdb notification flags · be67f8bc
      Nicolas Dichtel authored
      [ Upstream commit 1c104a6b ]
      
      Commit 3ff661c3 ("net: rtnetlink notify events for FDB NTF_SELF adds and
      deletes") reuses the function nlmsg_populate_fdb_fill() to notify fdb events.
      But this function was used only for dump and thus was always setting the
      flag NLM_F_MULTI, which is wrong in case of a single notification.
      
      Libraries like libnl will wait forever for NLMSG_DONE.
      
      CC: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      be67f8bc
    • Eric Dumazet's avatar
      tcp: syncookies: do not use getnstimeofday() · dd79f191
      Eric Dumazet authored
      [ Upstream commit 63262315 ]
      
      While it is true that getnstimeofday() uses about 40 cycles if TSC
      is available, it can use 1600 cycles if hpet is the clocksource.
      
      Switch to get_jiffies_64(), as this is more than enough, and
      go back to 60 seconds periods.
      
      Fixes: 8c27bd75 ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      dd79f191
    • David Stevens's avatar
      vxlan: fix nonfunctional neigh_reduce() · d8be18c5
      David Stevens authored
      [ Upstream commit 4b29dba9 ]
      
      The VXLAN neigh_reduce() code is completely non-functional since
      check-in. Specific errors:
      
      1) The original code drops all packets with a multicast destination address,
      	even though neighbor solicitations are sent to the solicited-node
      	address, a multicast address. The code after this check was never run.
      2) The neighbor table lookup used the IPv6 header destination, which is the
      	solicited node address, rather than the target address from the
      	neighbor solicitation. So neighbor lookups would always fail if it
      	got this far. Also for L3MISSes.
      3) The code calls ndisc_send_na(), which does a send on the tunnel device.
      	The context for neigh_reduce() is the transmit path, vxlan_xmit(),
      	where the host or a bridge-attached neighbor is trying to transmit
      	a neighbor solicitation. To respond to it, the tunnel endpoint needs
      	to do a *receive* of the appropriate neighbor advertisement. Doing a
      	send, would only try to send the advertisement, encapsulated, to the
      	remote destinations in the fdb -- hosts that definitely did not do the
      	corresponding solicitation.
      4) The code uses the tunnel endpoint IPv6 forwarding flag to determine the
      	isrouter flag in the advertisement. This has nothing to do with whether
      	or not the target is a router, and generally won't be set since the
      	tunnel endpoint is bridging, not routing, traffic.
      
      	The patch below creates a proxy neighbor advertisement to respond to
      neighbor solicitions as intended, providing proper IPv6 support for neighbor
      reduction.
      Signed-off-by: default avatarDavid L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8be18c5