1. 13 May, 2014 4 commits
    • net: filter: x86: fix JIT address randomization · 773cd38f
      Alexei Starovoitov authored
      bpf_alloc_binary() adds 128 bytes of room to JITed program image
      and rounds it up to the nearest page size. If image size is close
      to page size (like 4000), it is rounded to two pages:
      round_up(4000 + 4 + 128) == 8192
      then 'hole' is computed as 8192 - (4000 + 4) = 4188
      If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
      then kernel will crash during bpf_jit_free():
      
      kernel BUG at arch/x86/mm/pageattr.c:887!
      Call Trace:
       [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
       [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
       [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
       [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
       [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
       [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
       [<ffffffff8106c90c>] worker_thread+0x11c/0x370
      
      since bpf_jit_free() does:
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
      to compute start address of 'bpf_binary_header'
      and header->pages will pass junk to:
        set_memory_rw(addr, header->pages);
      
      Fix it by making sure that &header->image[prandom_u32() % hole] and &header
      are in the same page
      
      Fixes: 314beb9b ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
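The arithmetic from the commit message above, as an added example that is not part of the commit or the kernel source: it counts how many random offsets put the image start on a different page from the header for a 4000-byte program, before and after capping the hole. The function names, the page-aligned allocation base and the cap of `PAGE_SIZE - sizeof(header)` are assumptions made here to meet the "same page" condition the message states.

```c
#include <stdio.h>

/* Values from the commit message: 4 KiB pages, a 4-byte header
 * (the "+ 4" in its arithmetic) and 128 bytes of extra room. */
#define PAGE_SIZE 4096UL
#define HDR_SIZE  4UL
#define SLACK     128UL

/* Allocation size as the message describes it for bpf_alloc_binary(). */
unsigned long alloc_size(unsigned long proglen)
{
    return (proglen + HDR_SIZE + SLACK + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* 'hole' as originally computed: all bytes not used by header + program. */
unsigned long hole_unclamped(unsigned long proglen)
{
    return alloc_size(proglen) - (proglen + HDR_SIZE);
}

/* Assumed remedy: cap the hole so the image start stays in the header's page. */
unsigned long hole_clamped(unsigned long proglen)
{
    unsigned long h = hole_unclamped(proglen);
    unsigned long max = PAGE_SIZE - HDR_SIZE;
    return h < max ? h : max;
}

/* Count offsets r in [0, hole) for which masking the image start with
 * PAGE_MASK, as bpf_jit_free() does, no longer yields the header address.
 * The allocation is assumed page aligned, so its base is taken as 0. */
unsigned long bad_offsets(unsigned long hole)
{
    unsigned long r, bad = 0;
    for (r = 0; r < hole; r++)
        if (((HDR_SIZE + r) & ~(PAGE_SIZE - 1)) != 0)
            bad++;
    return bad;
}

int main(void)
{
    unsigned long len = 4000;
    printf("size=%lu hole=%lu bad=%lu bad_after_cap=%lu\n",
           alloc_size(len), hole_unclamped(len),
           bad_offsets(hole_unclamped(len)), bad_offsets(hole_clamped(len)));
    return 0;
}
```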
    • Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 6262971a
      David S. Miller authored
      Included changes:
      - properly release neigh_ifinfo in batadv_iv_ogm_process_per_outif()
      - properly release orig_ifinfo->router when freeing orig_ifinfo
      - properly release neigh_node objects during periodic check
      - properly release neigh_info objects when the related hard_iface
        is free'd
      
      These changes are all very important because they fix some
      reference counting imbalances that lead to the
      impossibility of releasing the netdev object used by
      batman-adv on shutdown.
      The consequence is that such an object cannot be destroyed by
      the networking stack (the refcounter does not reach zero)
      thus bringing the system into a hanging state during a normal
      reboot operation or a network reconfiguration.
    • neigh: set nud_state to NUD_INCOMPLETE when probing router reachability · 2176d5d4
      Duan Jiong authored
      Since commit 7e980569 ("ipv6: router reachability probing"), a router that falls
      into NUD_FAILED will be probed.
      
      Now if function rt6_select() selects a router whose neighbour state is NUD_FAILED,
      and at the same time function rt6_probe() changes the neighbour state to NUD_PROBE,
      then function dst_neigh_output() can directly send packets, but actually the
      neighbour is still unreachable. If we set nud_state to NUD_INCOMPLETE instead of
      NUD_PROBE, packets will not be sent out until the neighbour is reachable.
      
      In addition, because the route should be probed with a single NS, we must
      set neigh->probes to neigh_max_probes(), then the neigh timer will time out and function
      neigh_timer_handler() will not send other NS messages.
      Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ip6_tunnel: fix potential NULL pointer dereference · c8965932
      Susant Sahani authored
      The function ip6_tnl_validate assumes that the rtnl
      attribute IFLA_IPTUN_PROTO is always filled. If this
      attribute is not filled by the userspace application,
      the kernel crashes with a NULL pointer dereference. This
      patch fixes the potential kernel crash when
      IFLA_IPTUN_PROTO is missing.
      Signed-off-by: Susant Sahani <susant@redhat.com>
      Acked-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 12 May, 2014 3 commits
  3. 11 May, 2014 1 commit
  4. 10 May, 2014 3 commits
  5. 09 May, 2014 15 commits
  6. 08 May, 2014 1 commit
  7. 07 May, 2014 12 commits
    • net: mdio: of_mdiobus_register(): fall back to mdiobus_register() for !CONFIG_OF · 23a456f0
      Daniel Mack authored
      If CONFIG_OF is not set, make of_mdiobus_register() call
      mdiobus_register() instead of returning -ENOSYS.
      
      This way, we can just call of_mdiobus_register() from all DT-enabled
      drivers to handle the compat cases.
      Signed-off-by: Daniel Mack <zonque@gmail.com>
      Suggested-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation · aeefa1ec
      Sergey Popovich authored
      Increment fib_info_cnt in fib_create_info() right after successfully
      allocating fib_info structure, otherwise fib_metrics allocation failure
      leads to fib_info_cnt incorrectly decremented in free_fib_info(), called
      on error path from fib_create_info().
      Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'qlcnic_net' · 7fc1c5f3
      David S. Miller authored
      Rajesh Borundia says:
      
      ====================
      qlcnic: Bug fixes.
      
      This patch series contains the following bug fixes.
      
      * Fix panic where driver was accessing un-initialized crb_intr_mask
        in non Multi-Tx queue mode while dumping TX queue.
      * Do not set netdev->real_num_tx_queues directly from driver; instead
        use kernel defined netif_set_real_num_tx_queues() API. Also notify
        stack about change in number of Rx queues.
      
      Please apply this series to net.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qlcnic: Set real_num_{tx|rx}_queues properly · 84d7ad2c
      Shahed Shaikh authored
      Do not set netdev->real_num_tx_queues directly,
      let netif_set_real_num_tx_queues() take care of it.
      Do not overwrite netdev->num_tx_queues every time when driver
      changes its Tx ring size through ethtool -L and also notify
      stack to update number of Rx queues.
      Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • qlcnic: Fix panic while dumping TX queues on TX timeout · d5d2bf3e
      Manish Chopra authored
      o In case of non-multi TX queue mode driver does not initialize "crb_intr_mask" pointer
        and driver was accessing that un-initialized pointer while dumping TX queue.
        So dump "crb_intr_mask" only when it is initialized.
      Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • jme: Fix DMA unmap warning · 76a691d0
      Neil Horman authored
      The jme driver forgot to check the return status from pci_map_page in its tx
      path, causing a dma api warning on unmap.  Easy fix, just do the check and
      augment the tx path to tell the stack that the driver is busy so we re-queue the
      frame.
      Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
      CC: Guo-Fu Tseng <cooldavid@cooldavid.org>
      CC: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'gso_forward' · d32aebfd
      David S. Miller authored
      Florian Westphal says:
      
      ====================
      net: ip: push gso skb forwarding handling down the stack
      
      Turns out doing the segmentation in forwarding was not a bright idea,
      there are corner-cases where this has unintended side-effects.
      
      This patch pushes the segmentation downwards.
      
      After this, netif_skb_dev_features() function can be removed
      again, it was only added to fetch the features of the output device,
      we can just use skb->dev after the pushdown.
      
      Tested with following setup:
      
      host -> kvm_router  -> kvm_host
        mtu 1500        mtu1280
      
      - 'host' has route to kvm_host with locked mtu of 1500
      - gso/gro enabled on all interfaces
      
      Did tests with all of following combinations:
      - netfilter conntrack off and on on kvm_router
      - virtio-net and e1000 driver on kvm_router
      - tcp and udp bulk xmit from host to kvm_host
      
      for tcp, I added TCPMSS mangling on kvm_host to make it lie about tcp mss.
      
      Also added a dummy '-t mangle -A POSTROUTING -p udp -f'
      rule to make sure no udp fragments are seen in the 'conntrack on'
      and 'virtio-net' case.
      
      Also checked (with ping -M do -s 1400) that it still sends the wanted
      icmp error message when size exceeds 1280.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Revert "net: core: introduce netif_skb_dev_features" · c1e756bf
      Florian Westphal authored
      This reverts commit d2069403,
      there are no more callers.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ip: push gso skb forwarding handling down the stack · c7ba65d7
      Florian Westphal authored
      Doing the segmentation in the forward path has one major drawback:
      
      When using virtio, we may process gso udp packets coming
      from host network stack.  In that case, netfilter POSTROUTING
      will see one packet with udp header followed by multiple ip
      fragments.
      
      Delay the segmentation and do it after POSTROUTING invocation
      to avoid this.
      
      Fixes: fe6cc55f ("net: ip, ipv6: handle gso skbs in forwarding path")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv6: send pkttoobig immediately if orig frag size > mtu · 418a3156
      Florian Westphal authored
      If conntrack defragments incoming ipv6 frags it stores largest original
      frag size in ip6cb and sets ->local_df.
      
      We must thus first test the largest original frag size vs. mtu, and not
      vice versa.
      
      Without this patch PKTTOOBIG is still generated in ip6_fragment() later
      in the stack, but
      
      1) IPSTATS_MIB_INTOOBIGERRORS won't increment
      2) packet did (needlessly) traverse netfilter postrouting hook.
      
      Fixes: fe6cc55f ("net: ip, ipv6: handle gso skbs in forwarding path")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv4: ip_forward: fix inverted local_df test · ca6c5d4a
      Florian Westphal authored
      local_df means 'ignore DF bit if set', so if it's set we're
      allowed to perform ip fragmentation.
      
      This wasn't noticed earlier because the output path also drops such skbs
      (and emits needed icmp error) and because netfilter ip defrag did not
      set local_df until a couple of days ago.
      
      Only difference is that DF-packets-larger-than MTU are now discarded
      earlier (f.e. we avoid pointless netfilter postrouting trip).
      
      While at it, drop the repeated test ip_exceeds_mtu, checking it once
      is enough...
      
      Fixes: fe6cc55f ("net: ip, ipv6: handle gso skbs in forwarding path")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: cdc_mbim: __vlan_find_dev_deep need rcu_read_lock · 4f4178f3
      Bjørn Mork authored
      Fixes this warning introduced by commit 5b8f15f7
      ("net: cdc_mbim: handle IPv6 Neigbor Solicitations"):
      
      ===============================
      [ INFO: suspicious RCU usage. ]
      3.15.0-rc3 #213 Tainted: G        W  O
      -------------------------------
      net/8021q/vlan_core.c:69 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 1, debug_locks = 1
      no locks held by ksoftirqd/0/3.
      
      stack backtrace:
      CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G        W  O  3.15.0-rc3 #213
      Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
       0000000000000001 ffff880232533bf0 ffffffff813a5ee6 0000000000000006
       ffff880232530090 ffff880232533c20 ffffffff81076b94 0000000000000081
       0000000000000000 ffff8802085ac000 ffff88007fc8ea00 ffff880232533c50
      Call Trace:
       [<ffffffff813a5ee6>] dump_stack+0x4e/0x68
       [<ffffffff81076b94>] lockdep_rcu_suspicious+0xfa/0x103
       [<ffffffff813978a6>] __vlan_find_dev_deep+0x54/0x94
       [<ffffffffa04a1938>] cdc_mbim_rx_fixup+0x379/0x66a [cdc_mbim]
       [<ffffffff813ab76f>] ? _raw_spin_unlock_irqrestore+0x3a/0x49
       [<ffffffff81079671>] ? trace_hardirqs_on_caller+0x192/0x1a1
       [<ffffffffa059bd10>] usbnet_bh+0x59/0x287 [usbnet]
       [<ffffffff8104067d>] tasklet_action+0xbb/0xcd
       [<ffffffff81040057>] __do_softirq+0x14c/0x30d
       [<ffffffff81040237>] run_ksoftirqd+0x1f/0x50
       [<ffffffff8105f13e>] smpboot_thread_fn+0x172/0x18e
       [<ffffffff8105efcc>] ? SyS_setgroups+0xdf/0xdf
       [<ffffffff810594b0>] kthread+0xb5/0xbd
       [<ffffffff813a84b1>] ? __wait_for_common+0x13b/0x170
       [<ffffffff810593fb>] ? __kthread_parkme+0x5c/0x5c
       [<ffffffff813b147c>] ret_from_fork+0x7c/0xb0
       [<ffffffff810593fb>] ? __kthread_parkme+0x5c/0x5c
      
      Fixes: 5b8f15f7 ("net: cdc_mbim: handle IPv6 Neigbor Solicitations")
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 06 May, 2014 1 commit