1. 29 Jun, 2016 35 commits
    • Linus Torvalds's avatar
      Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit · 89a82a92
      Linus Torvalds authored
      Pull audit fixes from Paul Moore:
       "Two small patches to fix audit problems in 4.7-rcX: the first fixes a
        potential kref leak, the second removes some header file noise.
      
        The first is an important bug fix that really should go in before 4.7
        is released, the second is not critical, but falls into the very-nice-
        to-have category so I'm including in the pull request.
      
        Both patches are straightforward, self-contained, and pass our
        testsuite without problem"
      
      * 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit:
        audit: move audit_get_tty to reduce scope and kabi changes
        audit: move calcs after alloc and check when logging set loginuid
      89a82a92
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 32826ac4
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "I've been traveling so this accumulates more than week or so of bug
        fixing.  It perhaps looks a little worse than it really is.
      
         1) Fix deadlock in ath10k driver, from Ben Greear.
      
         2) Increase scan timeout in iwlwifi, from Luca Coelho.
      
         3) Unbreak STP by properly reinjecting STP packets back into the
            stack.  Regression fix from Ido Schimmel.
      
         4) Mediatek driver fixes (missing malloc failure checks, leaking of
            scratch memory, wrong indexing when mapping TX buffers, etc.) from
            John Crispin.
      
         5) Fix endianness bug in icmpv6_err() handler, from Hannes Frederic
            Sowa.
      
         6) Fix hashing of flows in UDP in the ruseport case, from Xuemin Su.
      
         7) Fix netlink notifications in ovs for tunnels, delete link messages
            are never emitted because of how the device registry state is
            handled.  From Nicolas Dichtel.
      
         8) Conntrack module leaks kmemcache on unload, from Florian Westphal.
      
         9) Prevent endless jump loops in nft rules, from Liping Zhang and
            Pablo Neira Ayuso.
      
        10) Not early enough spinlock initialization in mlx4, from Eric
            Dumazet.
      
        11) Bind refcount leak in act_ipt, from Cong WANG.
      
        12) Missing RCU locking in HTB scheduler, from Florian Westphal.
      
        13) Several small MACSEC bug fixes from Sabrina Dubroca (missing RCU
            barrier, using heap for SG and IV, and erroneous use of async flag
            when allocating AEAD conext.)
      
        14) RCU handling fix in TIPC, from Ying Xue.
      
        15) Pass correct protocol down into ipv4_{update_pmtu,redirect}() in
            SIT driver, from Simon Horman.
      
        16) Socket timer deadlock fix in TIPC from Jon Paul Maloy.
      
        17) Fix potential deadlock in team enslave, from Ido Schimmel.
      
        18) Memory leak in KCM procfs handling, from Jiri Slaby.
      
        19) ESN generation fix in ipv4 ESP, from Herbert Xu.
      
        20) Fix GFP_KERNEL allocations with locks held in act_ife, from Cong
            WANG.
      
        21) Use after free in netem, from Eric Dumazet.
      
        22) Uninitialized last assert time in multicast router code, from Tom
            Goff.
      
        23) Skip raw sockets in sock_diag destruction broadcast, from Willem
            de Bruijn.
      
        24) Fix link status reporting in thunderx, from Sunil Goutham.
      
        25) Limit resegmentation of retransmit queue so that we do not
            retransmit too large GSO frames.  From Eric Dumazet.
      
        26) Delay bpf program release after grace period, from Daniel
            Borkmann"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (141 commits)
        openvswitch: fix conntrack netlink event delivery
        qed: Protect the doorbell BAR with the write barriers.
        neigh: Explicitly declare RCU-bh read side critical section in neigh_xmit()
        e1000e: keep VLAN interfaces functional after rxvlan off
        cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC header
        qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag()
        bpf, perf: delay release of BPF prog after grace period
        net: bridge: fix vlan stats continue counter
        tcp: do not send too big packets at retransmit time
        ibmvnic: fix to use list_for_each_safe() when delete items
        net: thunderx: Fix TL4 configuration for secondary Qsets
        net: thunderx: Fix link status reporting
        net/mlx5e: Reorganize ethtool statistics
        net/mlx5e: Fix number of PFC counters reported to ethtool
        net/mlx5e: Prevent adding the same vxlan port
        net/mlx5e: Check for BlueFlame capability before allocating SQ uar
        net/mlx5e: Change enum to better reflect usage
        net/mlx5: Add ConnectX-5 PCIe 4.0 to list of supported devices
        net/mlx5: Update command strings
        net: marvell: Add separate config ANEG function for Marvell 88E1111
        ...
      32826ac4
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 653c574a
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "Another two bug fixes for 4.7:
      
         - The revert of patch which removed boot information for systems
           using an intermediate boot kernel, e.g. the SLES12 grub setup.
      
         - A fix for an incorrect inline assembly constraint that causes
           broken code to be generated with gcc 4.8.5"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: fix test_fp_ctl inline assembly contraints
        Revert "s390/kdump: Clear subchannel ID to signal non-CCW/SCSI IPL"
      653c574a
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 00bf377d
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Here are a bunch of fixes for pin control.  Just drivers and a
        MAINTAINERS fixup:
      
         - Driver fixes for i.MX, single register, Tegra and BayTrail.
      
         - MAINTAINERS entry for the documentation"
      
      * tag 'pinctrl-v4.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: baytrail: Fix mingled clock pins
        MAINTAINERS: belong Documentation/pinctrl.txt properly
        pinctrl: tegra: Fix build dependency
        gpio: tegra: Make lockdep class file-scoped
        pinctrl: single: Fix missing flush of posted write for a wakeirq
        pinctrl: imx: Do not treat a PIN without MUX register as an error
      00bf377d
    • Linus Torvalds's avatar
      Merge branch 'for-4.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 52827f38
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Three fix patches.  Two are for cgroup / css init failure path.  The
        last one makes css_set_lock irq-safe as the deadline scheduler ends up
        calling put_css_set() from irq context"
      
      * 'for-4.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: Disable IRQs while holding css_set_lock
        cgroup: set css->id to -1 during init
        cgroup: remove redundant cleanup in css_create
      52827f38
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2016-06-29-v2' of... · 751ad819
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2016-06-29-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just two small fixes
       * fix mesh peer link counter, decrement wasn't always done at all
       * fix ethertype (length) for packets without RFC 1042 or bridge
         tunnel header
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      751ad819
    • Samuel Gauthier's avatar
      openvswitch: fix conntrack netlink event delivery · d913d3a7
      Samuel Gauthier authored
      Only the first and last netlink message for a particular conntrack are
      actually sent. The first message is sent through nf_conntrack_confirm when
      the conntrack is committed. The last one is sent when the conntrack is
      destroyed on timeout. The other conntrack state change messages are not
      advertised.
      
      When the conntrack subsystem is used from netfilter, nf_conntrack_confirm
      is called for each packet, from the postrouting hook, which in turn calls
      nf_ct_deliver_cached_events to send the state change netlink messages.
      
      This commit fixes the problem by calling nf_ct_deliver_cached_events in the
      non-commit case as well.
      
      Fixes: 7f8a436e ("openvswitch: Add conntrack action")
      CC: Joe Stringer <joestringer@nicira.com>
      CC: Justin Pettit <jpettit@nicira.com>
      CC: Andy Zhou <azhou@nicira.com>
      CC: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarSamuel Gauthier <samuel.gauthier@6wind.com>
      Acked-by: default avatarJoe Stringer <joe@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d913d3a7
    • Sudarsana Reddy Kalluru's avatar
      qed: Protect the doorbell BAR with the write barriers. · 34c7bb47
      Sudarsana Reddy Kalluru authored
      SPQ doorbell is currently protected with the compilation barrier. Under the
      stress scenarios, we may get into a state where (due to the weak ordering)
      several ramrod doorbells were written to the BAR with an out-of-order
      producer values. Need to change the barrier type to a write barrier to make
      sure that the write buffer is flushed after each doorbell.
      Signed-off-by: default avatarSudarsana Reddy Kalluru <sudarsana.kalluru@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34c7bb47
    • David Barroso's avatar
      neigh: Explicitly declare RCU-bh read side critical section in neigh_xmit() · b560f03d
      David Barroso authored
      neigh_xmit() expects to be called inside an RCU-bh read side critical
      section, and while one of its two current callers gets this right, the
      other one doesn't.
      
      More specifically, neigh_xmit() has two callers, mpls_forward() and
      mpls_output(), and while both callers call neigh_xmit() under
      rcu_read_lock(), this provides sufficient protection for neigh_xmit()
      only in the case of mpls_forward(), as that is always called from
      softirq context and therefore doesn't need explicit BH protection,
      while mpls_output() can be called from process context with softirqs
      enabled.
      
      When mpls_output() is called from process context, with softirqs
      enabled, we can be preempted by a softirq at any time, and RCU-bh
      considers the completion of a softirq as signaling the end of any
      pending read-side critical sections, so if we do get a softirq
      while we are in the part of neigh_xmit() that expects to be run inside
      an RCU-bh read side critical section, we can end up with an unexpected
      RCU grace period running right in the middle of that critical section,
      making things go boom.
      
      This patch fixes this impedance mismatch in the callee, by making
      neigh_xmit() always take rcu_read_{,un}lock_bh() around the code that
      expects to be treated as an RCU-bh read side critical section, as this
      seems a safer option than fixing it in the callers.
      
      Fixes: 4fd3d7d9 ("neigh: Add helper function neigh_xmit")
      Signed-off-by: default avatarDavid Barroso <dbarroso@fastly.com>
      Signed-off-by: default avatarLennert Buytenhek <lbuytenhek@fastly.com>
      Acked-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Acked-by: default avatarRobert Shearman <rshearma@brocade.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b560f03d
    • Jarod Wilson's avatar
      e1000e: keep VLAN interfaces functional after rxvlan off · 889ad456
      Jarod Wilson authored
      I've got a bug report about an e1000e interface, where a VLAN interface is
      set up on top of it:
      
      $ ip link add link ens1f0 name ens1f0.99 type vlan id 99
      $ ip link set ens1f0 up
      $ ip link set ens1f0.99 up
      $ ip addr add 192.168.99.92 dev ens1f0.99
      
      At this point, I can ping another host on vlan 99, ip 192.168.99.91.
      However, if I do the following:
      
      $ ethtool -K ens1f0 rxvlan off
      
      Then no traffic passes on ens1f0.99. It comes back if I toggle rxvlan on
      again. I'm not sure if this is actually intended behavior, or if there's a
      lack of software VLAN stripping fallback, or what, but things continue to
      work if I simply don't call e1000e_vlan_strip_disable() if there are
      active VLANs (plagiarizing a function from the e1000 driver here) on the
      interface.
      
      Also slipped a related-ish fix to the kerneldoc text for
      e1000e_vlan_strip_disable here...
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      889ad456
    • Felix Fietkau's avatar
      cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC header · c041778c
      Felix Fietkau authored
      The PDU length of incoming LLC frames is set to the total skb payload size
      in __ieee80211_data_to_8023() of net/wireless/util.c which incorrectly
      includes the length of the IEEE 802.11 header.
      
      The resulting LLC frame header has a too large PDU length, causing the
      llc_fixup_skb() function of net/llc/llc_input.c to reject the incoming
      skb, effectively breaking STP.
      
      Solve the problem by properly substracting the IEEE 802.11 frame header size
      from the PDU length, allowing the LLC processor to pick up the incoming
      control messages.
      
      Special thanks to Gerry Rozema for tracking down the regression and proposing
      a suitable patch.
      
      Fixes: 2d1c304c ("cfg80211: add function for 802.3 conversion with separate output buffer")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarGerry Rozema <gerryr@rozeware.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      c041778c
    • Dan Carpenter's avatar
      qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag() · 5b4d10f5
      Dan Carpenter authored
      There is a static checker warning here "warn: mask and shift to zero"
      and the code sets "ring" to zero every time.  From looking at how
      QLCNIC_FETCH_RING_ID() is used in qlcnic_83xx_process_rcv_ring() the
      qlcnic_83xx_hndl() should be removed.
      
      Fixes: 4be41e92 ('qlcnic: 83xx data path routines')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b4d10f5
    • Daniel Borkmann's avatar
      bpf, perf: delay release of BPF prog after grace period · ceb56070
      Daniel Borkmann authored
      Commit dead9f29 ("perf: Fix race in BPF program unregister") moved
      destruction of BPF program from free_event_rcu() callback to __free_event(),
      which is problematic if used with tail calls: if prog A is attached as
      trace event directly, but at the same time present in a tail call map used
      by another trace event program elsewhere, then we need to delay destruction
      via RCU grace period since it can still be in use by the program doing the
      tail call (the prog first needs to be dropped from the tail call map, then
      trace event with prog A attached destroyed, so we get immediate destruction).
      
      Fixes: dead9f29 ("perf: Fix race in BPF program unregister")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Jann Horn <jann@thejh.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ceb56070
    • Nikolay Aleksandrov's avatar
      net: bridge: fix vlan stats continue counter · 565ce8f3
      Nikolay Aleksandrov authored
      I made a dumb off-by-one mistake when I added the vlan stats counter
      dumping code. The increment should happen before the check, not after
      otherwise we miss one entry when we continue dumping.
      
      Fixes: a60c0903 ("bridge: netlink: export per-vlan stats")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      565ce8f3
    • Eric Dumazet's avatar
      tcp: do not send too big packets at retransmit time · a3d2e9f8
      Eric Dumazet authored
      Arjun reported a bug in TCP stack and bisected it to a recent commit.
      
      In case where we process SACK, we can coalesce multiple skbs
      into fat ones (tcp_shift_skb_data()), to lower write queue
      overhead, because we do not expect to retransmit these packets.
      
      However, SACK reneging can happen, forcing the sender to retransmit
      all these packets. If skb->len is above 64KB, we then send buggy
      IP packets that could hang TSO engine on cxgb4.
      
      Neal suggested to use tcp_tso_autosize() instead of tp->gso_segs
      so that we cook packets of optimal size vs TCP/pacing.
      
      Thanks to Arjun for reporting the bug and running the tests !
      
      Fixes: 10d3be56 ("tcp-tso: do not split TSO packets at retransmit time")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarArjun V <arjun@chelsio.com>
      Tested-by: default avatarArjun V <arjun@chelsio.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a3d2e9f8
    • Wei Yongjun's avatar
      ibmvnic: fix to use list_for_each_safe() when delete items · 96183182
      Wei Yongjun authored
      Since we will remove items off the list using list_del() we need
      to use a safe version of the list_for_each() macro aptly named
      list_for_each_safe().
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      96183182
    • David S. Miller's avatar
      Merge branch 'thunderx-fixes' · b2c1b30e
      David S. Miller authored
      Sunil Goutham says:
      
      ====================
      net: thunderx: Miscellaneous fixes
      
      This 2 patch series fixes issues w.r.t physical link status
      reporting and transmit datapath configuration for
      secondary qsets.
      
      Changes from v1:
      Fixed lmac disable sequence for interfaces of type SGMII.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2c1b30e
    • Sunil Goutham's avatar
      net: thunderx: Fix TL4 configuration for secondary Qsets · 3e29adba
      Sunil Goutham authored
      TL4 calculation for a given SQ of secondary Qsets is incorrect
      and goes out of bounds and also for some SQ's TL4 chosen will
      transmit data via a different BGX interface and not same as
      primary Qset's interface.
      
      This patch fixes this issue.
      Signed-off-by: default avatarSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3e29adba
    • Sunil Goutham's avatar
      net: thunderx: Fix link status reporting · 3f4c68cf
      Sunil Goutham authored
      Check for SMU RX local/remote faults along with SPU LINK
      status. Otherwise at times link is UP at our end but DOWN
      at link partner's side. Also due to an issue in BGX it's
      rarely seen that initialization doesn't happen properly
      and SMU RX reports faults with everything fine at SPU.
      This patch tries to reinitialize LMAC to fix it.
      
      Also fixed LMAC disable sequence to properly bring down link.
      Signed-off-by: default avatarSunil Goutham <sgoutham@cavium.com>
      Signed-off-by: default avatarTao Wang <tao.wang@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f4c68cf
    • David S. Miller's avatar
      Merge branch 'mlx5-100G-fixes' · f5074d0c
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox 100G mlx5 fixes#2 for 4.7-rc
      
      The following series provides one-liners fixes for mlx5 driver plus one
      medium patch to reorganize ethtool counters reporting.
      
      Highlights:
      	- Added MODIFY_FLOW_TABLE to command strings table
      	- Add ConnectX-5 PCIe 4.0 to list of supported devices
      	- Rename ASYNC_EVENTS enum
      	- Enable BlueFlame only when supported by device
      	- Avoid adding same vxlan port twice
      	- Report the correct number of PFC counters
      	- Reorganize ethtool reported counters and remove duplications
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f5074d0c
    • Gal Pressman's avatar
      net/mlx5e: Reorganize ethtool statistics · bfe6d8d1
      Gal Pressman authored
      Categorize and reorganize ethtool statistics counters by renaming to
      "rx_*" and "tx_*" and removing redundant and duplicated counters, this
      way they are easier to grasp and more user friendly.
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfe6d8d1
    • Gal Pressman's avatar
      net/mlx5e: Fix number of PFC counters reported to ethtool · ed80ec4c
      Gal Pressman authored
      Number of PFC counters used to count only number of priorities with PFC
      enabled, but each priority has more than one counter, hence the need to
      multiply it by the number of PFC counters per priority.
      
      Fixes: cf678570 ('net/mlx5e: Add per priority group to PPort counters')
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ed80ec4c
    • Matthew Finlay's avatar
      net/mlx5e: Prevent adding the same vxlan port · 9ceec359
      Matthew Finlay authored
      Do not allow the same vxlan udp port to be added to the device more than
      once.
      
      Fixes: b3f63c3d ("net/mlx5e: Add netdev support for VXLAN tunneling")
      Signed-off-by: default avatarMatthew Finlay <matt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ceec359
    • Gal Pressman's avatar
      net/mlx5e: Check for BlueFlame capability before allocating SQ uar · fd4782c2
      Gal Pressman authored
      Previous to this patch mapping was always set to write combining without
      checking whether BlueFlame is supported in the device.
      
      Fixes: 0ba42241 ('net/mlx5: Fix global UAR mapping')
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd4782c2
    • Eli Cohen's avatar
      net/mlx5e: Change enum to better reflect usage · e0f46eb9
      Eli Cohen authored
      Change MLX5E_STATE_ASYNC_EVENTS_ENABLE to
      MLX5E_STATE_ASYNC_EVENTS_ENABLED since it represent a state and not an
      operation.
      
      Fixes: acff797c ('net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality')
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0f46eb9
    • Majd Dibbiny's avatar
      net/mlx5: Add ConnectX-5 PCIe 4.0 to list of supported devices · 7092fe86
      Majd Dibbiny authored
      Add the upcoming ConnectX-5 PCIe 4.0 device to the list of
      supported devices by the mlx5 driver.
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7092fe86
    • Eli Cohen's avatar
      net/mlx5: Update command strings · 5be1ea89
      Eli Cohen authored
      Add command string for MODIFY_FLOW_TABLE which is used by the driver.
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5be1ea89
    • Harini Katakam's avatar
      net: marvell: Add separate config ANEG function for Marvell 88E1111 · 3ec0a0f1
      Harini Katakam authored
      Marvell 88E1111 currently uses the generic marvell config ANEG function.
      This function has a sequence accessing Page 5 and Register 31,
      both of which are not defined or reserved for this PHY.
      Hence this patch adds a new config ANEG function for Marvell 88E1111
      without these erroneous accesses.
      Signed-off-by: default avatarHarini Katakam <harinik@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ec0a0f1
    • David S. Miller's avatar
      Merge branch 'batman-adv-fixes' · d10f0b31
      David S. Miller authored
      Sven Eckelmann says:
      
      ====================
      batman-adv: Fixes for Linux 4.7
      
      Antonio currently seems to be occupied. This is currently rather unfortunate
      because there are patches waiting in the batman-adv development repository
      maint(enance) branch [1] since up to 6 weeks. I am now getting asked when
      these patches will hit the distribution kernels and therefore decided to
      submit these patches directly to netdev.
      
      The patch from Simon works around the problem that warnings could be triggered
      in the translation table code via packets using a VLAN not configured on the
      target host. This warning was replaced with a rate limited info message.
      
      Ben Hutchings found an superfluous batadv_softif_vlan_put in the error
      handling code of the translation table while he backported the "batman-adv:
      Fix reference counting of vlan object for tt_local_entry" patch to the stable
      kernels. He noticed correctly that this batadv_softif_vlan_put should also
      have been removed by the said patch.
      
      The most requested fix at the moment is related to a double free in the
      translation table code. It is a race condition which mostly happens on systems
      with multiple cores and multiple network interface attached to batman-adv. Two
      Freifunk communities which were haunted by weird crashes (with backtraces
      reporting problems in other parts of the kernel) were kind enough to test this
      patch. They reported that there systems are now running stable after applying
      this patch.
      
      An invalid memory access was detected in the batadv_icmp_packet_rr handling
      code when receiving a skbuff with fragments. The last patch is fixing a memory
      leak when the interface is removed via .dellink. The code to fix it was copied
      from the code handling the legacy sysfs interface to remove netdevices from a
      batman-adv netdevice.
      
      There are still 28 patches in the development tree for v4.8 but I will leave
      them to Antonio because these are cleanups and features and therefore for net-
      next.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d10f0b31
    • Sven Eckelmann's avatar
      batman-adv: Clean up untagged vlan when destroying via rtnl-link · 420cb1b7
      Sven Eckelmann authored
      The untagged vlan object is only destroyed when the interface is removed
      via the legacy sysfs interface. But it also has to be destroyed when the
      standard rtnl-link interface is used.
      
      Fixes: 5d2c05b2 ("batman-adv: add per VLAN interface attribute framework")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      420cb1b7
    • Sven Eckelmann's avatar
      batman-adv: Fix ICMP RR ethernet access after skb_linearize · 3b55e442
      Sven Eckelmann authored
      The skb_linearize may reallocate the skb. This makes the calculated pointer
      for ethhdr invalid. But it the pointer is used later to fill in the RR
      field of the batadv_icmp_packet_rr packet.
      
      Instead re-evaluate eth_hdr after the skb_linearize+skb_cow to fix the
      pointer and avoid the invalid read.
      
      Fixes: da6b8c20 ("batman-adv: generalize batman-adv icmp packet handling")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b55e442
    • Ben Hutchings's avatar
      batman-adv: Fix double-put of vlan object · baceced9
      Ben Hutchings authored
      Each batadv_tt_local_entry hold a single reference to a
      batadv_softif_vlan.  In case a new entry cannot be added to the hash
      table, the error path puts the reference, but the reference will also
      now be dropped by batadv_tt_local_entry_release().
      
      Fixes: a33d970d ("batman-adv: Fix reference counting of vlan object for tt_local_entry")
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      baceced9
    • Sven Eckelmann's avatar
      batman-adv: Fix use-after-free/double-free of tt_req_node · 9c4604a2
      Sven Eckelmann authored
      The tt_req_node is added and removed from a list inside a spinlock. But the
      locking is sometimes removed even when the object is still referenced and
      will be used later via this reference. For example batadv_send_tt_request
      can create a new tt_req_node (including add to a list) and later
      re-acquires the lock to remove it from the list and to free it. But at this
      time another context could have already removed this tt_req_node from the
      list and freed it.
      
      CPU#0
      
          batadv_batman_skb_recv from net_device 0
          -> batadv_iv_ogm_receive
            -> batadv_iv_ogm_process
              -> batadv_iv_ogm_process_per_outif
                -> batadv_tvlv_ogm_receive
                  -> batadv_tvlv_ogm_receive
                    -> batadv_tvlv_containers_process
                      -> batadv_tvlv_call_handler
                        -> batadv_tt_tvlv_ogm_handler_v1
                          -> batadv_tt_update_orig
                            -> batadv_send_tt_request
                              -> batadv_tt_req_node_new
                                 spin_lock(...)
                                 allocates new tt_req_node and adds it to list
                                 spin_unlock(...)
                                 return tt_req_node
      
      CPU#1
      
          batadv_batman_skb_recv from net_device 1
          -> batadv_recv_unicast_tvlv
            -> batadv_tvlv_containers_process
              -> batadv_tvlv_call_handler
                -> batadv_tt_tvlv_unicast_handler_v1
                  -> batadv_handle_tt_response
                     spin_lock(...)
                     tt_req_node gets removed from list and is freed
                     spin_unlock(...)
      
      CPU#0
      
                            <- returned to batadv_send_tt_request
                               spin_lock(...)
                               tt_req_node gets removed from list and is freed
                               MEMORY CORRUPTION/SEGFAULT/...
                               spin_unlock(...)
      
      This can only be solved via reference counting to allow multiple contexts
      to handle the list manipulation while making sure that only the last
      context holding a reference will free the object.
      
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Tested-by: default avatarMartin Weinelt <martin@darmstadt.freifunk.net>
      Tested-by: default avatarAmadeus Alfa <amadeus@chemnitz.freifunk.net>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c4604a2
    • Simon Wunderlich's avatar
      batman-adv: replace WARN with rate limited output on non-existing VLAN · 0b3dd7df
      Simon Wunderlich authored
      If a VLAN tagged frame is received and the corresponding VLAN is not
      configured on the soft interface, it will splat a WARN on every packet
      received. This is a quite annoying behaviour for some scenarios, e.g. if
      bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames
      from Ethernet coming in without having any VLAN configuration on bat0.
      
      The code should probably create vlan objects on the fly and
      transparently transport these VLAN-tagged Ethernet frames, but until
      this is done, at least the WARN splat should be replaced by a rate
      limited output.
      
      Fixes: 354136bc ("batman-adv: fix kernel crash due to missing NULL checks")
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b3dd7df
    • Florian Fainelli's avatar
      net: phy: Manage fixed PHY address space using IDA · 69fc58a5
      Florian Fainelli authored
      If we have a system which uses fixed PHY devices and calls
      fixed_phy_register() then fixed_phy_unregister() we can exhaust the
      number of fixed PHYs available after a while, since we keep incrementing
      the variable phy_fixed_addr, but we never decrement it.
      
      This patch fixes that by converting the fixed PHY allocation to using
      IDA, which takes care of the allocation/dealloaction of the PHY
      addresses for us.
      
      Fixes: a7595121 ("net: phy: extend fixed driver with fixed_phy_register()")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69fc58a5
  2. 28 Jun, 2016 5 commits