1. 27 May, 2015 8 commits
    • Jason Gunthorpe's avatar
      sctp: Fix mangled IPv4 addresses on a IPv6 listening socket · 9302d7bb
      Jason Gunthorpe authored
      sctp_v4_map_v6 was subtly writing and reading from members
      of a union in a way the clobbered data it needed to read before
      it read it.
      
      Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
      that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
      result.
      
      Reorder things to guarantee correct behaviour no matter what the
      union layout is.
      
      This impacts user space clients that open an IPv6 SCTP socket and
      receive IPv4 connections. Prior to 299ee user space would see a
      sockaddr with AF_INET and a correct address, after 299ee the sockaddr
      is AF_INET6, but the address is wrong.
      
      Fixes: 299ee123 (sctp: Fixup v4mapped behaviour to comply with Sock API)
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9302d7bb
    • WANG Cong's avatar
      net_sched: invoke ->attach() after setting dev->qdisc · 86e363dc
      WANG Cong authored
      For mq qdisc, we add per tx queue qdisc to root qdisc
      for display purpose, however, that happens too early,
      before the new dev->qdisc is finally set, this causes
      q->list points to an old root qdisc which is going to be
      freed right before assigning with a new one.
      
      Fix this by moving ->attach() after setting dev->qdisc.
      
      For the record, this fixes the following crash:
      
       ------------[ cut here ]------------
       WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
       list_del corruption. prev->next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b
       CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756
        ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20
        ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000
       Call Trace:
        [<ffffffff81a44e7f>] dump_stack+0x4c/0x65
        [<ffffffff810790da>] warn_slowpath_common+0x9c/0xb6
        [<ffffffff814e725b>] ? __list_del_entry+0x5a/0x98
        [<ffffffff81079162>] warn_slowpath_fmt+0x46/0x48
        [<ffffffff81820eb0>] ? dev_graft_qdisc+0x5e/0x6a
        [<ffffffff814e725b>] __list_del_entry+0x5a/0x98
        [<ffffffff814e72a7>] list_del+0xe/0x2d
        [<ffffffff81822f05>] qdisc_list_del+0x1e/0x20
        [<ffffffff81820cd1>] qdisc_destroy+0x30/0xd6
        [<ffffffff81822676>] qdisc_graft+0x11d/0x243
        [<ffffffff818233c1>] tc_get_qdisc+0x1a6/0x1d4
        [<ffffffff810b5eaf>] ? mark_lock+0x2e/0x226
        [<ffffffff817ff8f5>] rtnetlink_rcv_msg+0x181/0x194
        [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
        [<ffffffff817ff72e>] ? rtnl_lock+0x17/0x19
        [<ffffffff817ff774>] ? __rtnl_unlock+0x17/0x17
        [<ffffffff81855dc6>] netlink_rcv_skb+0x4d/0x93
        [<ffffffff817ff756>] rtnetlink_rcv+0x26/0x2d
        [<ffffffff818544b2>] netlink_unicast+0xcb/0x150
        [<ffffffff81161db9>] ? might_fault+0x59/0xa9
        [<ffffffff81854f78>] netlink_sendmsg+0x4fa/0x51c
        [<ffffffff817d6e09>] sock_sendmsg_nosec+0x12/0x1d
        [<ffffffff817d8967>] sock_sendmsg+0x29/0x2e
        [<ffffffff817d8cf3>] ___sys_sendmsg+0x1b4/0x23a
        [<ffffffff8100a1b8>] ? native_sched_clock+0x35/0x37
        [<ffffffff810a1d83>] ? sched_clock_local+0x12/0x72
        [<ffffffff810a1fd4>] ? sched_clock_cpu+0x9e/0xb7
        [<ffffffff810def2a>] ? current_kernel_time+0xe/0x32
        [<ffffffff810b4bc5>] ? lock_release_holdtime.part.29+0x71/0x7f
        [<ffffffff810ddebf>] ? read_seqcount_begin.constprop.27+0x5f/0x76
        [<ffffffff810b6292>] ? trace_hardirqs_on_caller+0x17d/0x199
        [<ffffffff811b14d5>] ? __fget_light+0x50/0x78
        [<ffffffff817d9808>] __sys_sendmsg+0x42/0x60
        [<ffffffff817d9838>] SyS_sendmsg+0x12/0x1c
        [<ffffffff81a50e97>] system_call_fastpath+0x12/0x6f
       ---[ end trace ef29d3fb28e97ae7 ]---
      
      For long term, we probably need to clean up the qdisc_graft() code
      in case it hides other bugs like this.
      
      Fixes: 95dc1929 ("pkt_sched: give visibility to mq slave qdiscs")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      86e363dc
    • David Vrabel's avatar
      xen-netfront: properly destroy queues when removing device · ad068118
      David Vrabel authored
      xennet_remove() freed the queues before freeing the netdevice which
      results in a use-after-free when free_netdev() tries to delete the
      napi instances that have already been freed.
      
      Fix this by fully destroy the queues (which includes deleting the napi
      instances) before freeing the netdevice.
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ad068118
    • Benjamin Poirier's avatar
      mlx4_core: Fix fallback from MSI-X to INTx · f4ecf29f
      Benjamin Poirier authored
      The test in mlx4_load_one() to remove MLX4_FLAG_MSI_X expects mlx4_NOP() to
      fail with -EBUSY. It is also necessary to avoid the reset since the device
      is not fully reinitialized before calling mlx4_start_hca() a second time.
      
      Note that this will also affect mlx4_test_interrupts(), the only other user
      of MLX4_CMD_NOP.
      
      Fixes: f5aef5aa ("net/mlx4_core: Activate reset flow upon fatal command cases")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4ecf29f
    • Ross Lagerwall's avatar
      xen/netback: Properly initialize credit_bytes · ce0e5c52
      Ross Lagerwall authored
      Commit e9ce7cb6 ("xen-netback: Factor queue-specific data into queue
      struct") introduced a regression when moving queue-specific data into
      the queue struct by failing to set the credit_bytes field. This
      prevented bandwidth limiting from working. Initialize the field as it
      was done before multiqueue support was added.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Acked-by: default avatarWei Liu <wei.liu2@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce0e5c52
    • Vladimir Zapolskiy's avatar
      net: netxen: correct sysfs bin attribute return code · 748a7295
      Vladimir Zapolskiy authored
      If read() syscall requests unexpected number of bytes from "dimm" binary
      attribute file, return EINVAL instead of EPERM.
      
      At the same time pin down sysfs file size to the fixed
      sizeof(struct netxen_dimm_cfg), which allows to exploit some missing
      sanity checks from kernfs (file boundary checks vs offset etc.)
      Signed-off-by: default avatarVladimir Zapolskiy <vz@mleia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      748a7295
    • Daniel Borkmann's avatar
      tools: bpf_jit_disasm: fix segfault on disabled debugging log output · 082739aa
      Daniel Borkmann authored
      With recent debugging, I noticed that bpf_jit_disasm segfaults when
      there's no debugging output from the JIT compiler to the kernel log.
      
      Reason is that when regexec(3) doesn't match on anything, start/end
      offsets are not being filled out and contain some uninitialized garbage
      from stack. Thus, we need zero out offsets first.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      082739aa
    • Mark Salyzyn's avatar
      unix/caif: sk_socket can disappear when state is unlocked · b48732e4
      Mark Salyzyn authored
      got a rare NULL pointer dereference in clear_bit
      Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      ----
      v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
      v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b48732e4
  2. 26 May, 2015 2 commits
  3. 25 May, 2015 9 commits
  4. 23 May, 2015 1 commit
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · cf539cbd
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Radeon has two displayport fixes, one for a regression.
      
        i915 regression flicker fix needed so 4.0 can get fixed.
      
        A bunch of msm fixes and a bunch of exynos fixes, these two are
        probably a bit larger than I'd like, but most of them seems pretty
        good"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (29 commits)
        drm/radeon: fix error flag checking in native aux path
        drm/radeon: retry dcpd fetch
        drm/msm/mdp5: fix incorrect parameter for msm_framebuffer_iova()
        drm/exynos: dp: Lower level of EDID read success message
        drm/exynos: cleanup exynos_drm_plane
        drm/exynos: 'win' is always unsigned
        drm/exynos: mixer: don't dump registers under spinlock
        drm/exynos: Consolidate return statements in fimd_bind()
        drm/exynos: Constify exynos_drm_crtc_ops
        drm/exynos: Fix build breakage on !DRM_EXYNOS_FIMD
        drm/exynos: mixer: Constify platform_device_id
        drm/exynos: mixer: cleanup pixelformat handling
        drm/exynos: mixer: also allow NV21 for the video processor
        drm/exynos: mixer: remove buffer count handling in vp_video_buffer()
        drm/exynos: plane: honor buffer offset for dma_addr
        drm/exynos: fb: use drm_format_num_planes to get buffer count
        drm/i915: fix screen flickering
        drm/msm: fix locking inconsistencies in gpu->destroy()
        drm/msm/dsi: Simplify the code to get the number of read byte
        drm/msm: Attach assigned encoder to eDP and DSI connectors
        ...
      cf539cbd
  5. 22 May, 2015 20 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0b6280c6
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Don't leak ipvs->sysctl_tbl, from Tommi Rentala.
      
       2) Fix neighbour table entry leak in rocker driver, from Ying Xue.
      
       3) Do not emit bonding notifications for unregistered interfaces, from
          Nicolas Dichtel.
      
       4) Set ipv6 flow label properly when in TIME_WAIT state, from Florent
          Fourcot.
      
       5) Fix regression in ipv6 multicast filter test, from Henning Rogge.
      
       6) do_replace() in various footables netfilter modules is missing a
          check for 0 counters in the datastructure provided by the user.  Fix
          from Dave Jones, and found with trinity.
      
       7) Fix RCU bug in packet scheduler classifier module unloads, from
          Daniel Borkmann.
      
       8) Avoid deadlock in tcp_get_info() by using u64_sync.  From Eric
          Dumzaet.
      
       9) Input packet processing can race with inetdev_destroy() teardown,
          fix potential OOPS in ip_error() by explicitly testing whether the
          inetdev is still attached.  From Eric W Biederman.
      
      10) MLDv2 parser in bridge multicast code breaks too early while
          parsing.  Fix from Thadeu Lima de Souza Cascardo.
      
      11) Asking for settings on non-zero PHYID doesn't work because we do not
          import the command structure from the user and use the PHYID
          provided there.  Fix from Arun Parameswaran.
      
      12) Fix UDP checksums with IPV6 RAW sockets, from Vlad Yasevich.
      
      13) Missing NF_TABLES depends for TPROXY etc can cause build failures,
          fix from Florian Westphal.
      
      14) Fix netfilter conntrack to handle RFC5961 challenge ACKs properly,
          from Jesper Dangaard Brouer.
      
      15) If netlink autobind retry fails, we have to reset the sockets portid
          back to zero.  From Herbert Xu.
      
      16) VXLAN netns exit code unregisters using wrong device, from John W
          Linville.
      
      17) Add some USB device IDs to ath3k and btusb bluetooth drivers, from
          Dmitry Tunin and Wen-chien Jesse Sung.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        bridge: fix lockdep splat
        net: core: 'ethtool' issue with querying phy settings
        bridge: fix parsing of MLDv2 reports
        ARM: zynq: DT: Use the zynq binding with macb
        net: macb: Disable half duplex gigabit on Zynq
        net: macb: Document zynq gem dt binding
        ipv4: fill in table id when replacing a route
        cdc_ncm: Fix tx_bytes statistics
        ipv4: Avoid crashing in ip_error
        tcp: fix a potential deadlock in tcp_get_info()
        net: sched: fix call_rcu() race on classifier module unloads
        net: phy: Make sure phy_start() always re-enables the phy interrupts
        ipv6: fix ECMP route replacement
        ipv6: do not delete previously existing ECMP routes if add fails
        Revert "netfilter: bridge: query conntrack about skb dnat"
        netfilter: ensure number of counters is >0 in do_replace()
        netfilter: nfnetlink_{log,queue}: Register pernet in first place
        tcp: don't over-send F-RTO probes
        tcp: only undo on partial ACKs in CA_Loss
        net/ipv6/udp: Fix ipv6 multicast socket filter regression
        ...
      0b6280c6
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 1c8df7bd
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Three small fixes that have been picked up the last few weeks.
        Specifically:
      
         - Fix a memory corruption issue in NVMe with malignant user
           constructed request.  From Christoph.
      
         - Kill (now) unused blk_queue_bio(), dm was changed to not need this
           anymore.  From Mike Snitzer.
      
         - Always use blk_schedule_flush_plug() from the io_schedule() path
           when flushing a plug, fixing a !TASK_RUNNING warning with md.  From
           Shaohua"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        sched: always use blk_schedule_flush_plug in io_schedule_out
        nvme: fix kernel memory corruption with short INQUIRY buffers
        block: remove export for blk_queue_bio
      1c8df7bd
    • Linus Torvalds's avatar
      Merge tag 'md/4.1-rc4-fixes' of git://neil.brown.name/md · a30ec4b3
      Linus Torvalds authored
      Pull md bugfixes from Neil Brown:
       "I have a few more raid5 bugfixes pending, but I want them to get a bit
        more review first.  In the meantime:
      
         - one serious RAID0 data corruption - caused by recent bugfix that
           wasn't reviewed properly.
      
         - one raid5 fix in new code (a couple more of those to come).
      
         - one little fix to stop static analysis complaining about silly rcu
           annotation"
      
      * tag 'md/4.1-rc4-fixes' of git://neil.brown.name/md:
        md/bitmap: remove rcu annotation from pointer arithmetic.
        md/raid0: fix restore to sector variable in raid0_make_request
        raid5: fix broken async operation chain
      a30ec4b3
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 1d82b0ba
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "Updates for the input subsystem.
      
        The main change is that we tell joydev not to touch "absolute mice",
        such as VMware virtual mouse, as that produced bad result (cursor
        stuck in upper right corner) with games"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: smtpe-ts - wait 50mS until polling for pen-up
        Input: smtpe-ts - use msecs_to_jiffies() instead of HZ
        Input: joydev - don't classify the vmmouse as a joystick
        Input: vmmouse - do not reference non-existing version of X driver
        Input: alps - fix finger jumps on lifting 2 fingers on v7 touchpad
        Input: elantech - fix semi-mt protocol for v3 HW
        Input: sx8654 - fix memory allocation check
      1d82b0ba
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 2a058f38
      Linus Torvalds authored
      Pull another crypto fix from Herbert Xu:
       "Fix ICV corruption in s390/ghash when the same tfm is used by more
        than one thread"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
      2a058f38
    • Eric Dumazet's avatar
      bridge: fix lockdep splat · 93a33a58
      Eric Dumazet authored
      Following lockdep splat was reported :
      
      [   29.382286] ===============================
      [   29.382315] [ INFO: suspicious RCU usage. ]
      [   29.382344] 4.1.0-0.rc0.git11.1.fc23.x86_64 #1 Not tainted
      [   29.382380] -------------------------------
      [   29.382409] net/bridge/br_private.h:626 suspicious
      rcu_dereference_check() usage!
      [   29.382455]
                     other info that might help us debug this:
      
      [   29.382507]
                     rcu_scheduler_active = 1, debug_locks = 0
      [   29.382549] 2 locks held by swapper/0/0:
      [   29.382576]  #0:  (((&p->forward_delay_timer))){+.-...}, at:
      [<ffffffff81139f75>] call_timer_fn+0x5/0x4f0
      [   29.382660]  #1:  (&(&br->lock)->rlock){+.-...}, at:
      [<ffffffffa0450dc1>] br_forward_delay_timer_expired+0x31/0x140
      [bridge]
      [   29.382754]
                     stack backtrace:
      [   29.382787] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
      4.1.0-0.rc0.git11.1.fc23.x86_64 #1
      [   29.382838] Hardware name: LENOVO 422916G/LENOVO, BIOS A1KT53AUS 04/07/2015
      [   29.382882]  0000000000000000 3ebfc20364115825 ffff880666603c48
      ffffffff81892d4b
      [   29.382943]  0000000000000000 ffffffff81e124e0 ffff880666603c78
      ffffffff8110bcd7
      [   29.383004]  ffff8800785c9d00 ffff88065485ac58 ffff880c62002800
      ffff880c5fc88ac0
      [   29.383065] Call Trace:
      [   29.383084]  <IRQ>  [<ffffffff81892d4b>] dump_stack+0x4c/0x65
      [   29.383130]  [<ffffffff8110bcd7>] lockdep_rcu_suspicious+0xe7/0x120
      [   29.383178]  [<ffffffffa04520f9>] br_fill_ifinfo+0x4a9/0x6a0 [bridge]
      [   29.383225]  [<ffffffffa045266b>] br_ifinfo_notify+0x11b/0x4b0 [bridge]
      [   29.383271]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
      [   29.383320]  [<ffffffffa0450de8>]
      br_forward_delay_timer_expired+0x58/0x140 [bridge]
      [   29.383371]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
      [   29.383416]  [<ffffffff8113a033>] call_timer_fn+0xc3/0x4f0
      [   29.383454]  [<ffffffff81139f75>] ? call_timer_fn+0x5/0x4f0
      [   29.383493]  [<ffffffff8110a90f>] ? lock_release_holdtime.part.29+0xf/0x200
      [   29.383541]  [<ffffffffa0450d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
      [   29.383587]  [<ffffffff8113a6a4>] run_timer_softirq+0x244/0x490
      [   29.383629]  [<ffffffff810b68cc>] __do_softirq+0xec/0x670
      [   29.383666]  [<ffffffff810b70d5>] irq_exit+0x145/0x150
      [   29.383703]  [<ffffffff8189f506>] smp_apic_timer_interrupt+0x46/0x60
      [   29.383744]  [<ffffffff8189d523>] apic_timer_interrupt+0x73/0x80
      [   29.383782]  <EOI>  [<ffffffff816f131f>] ? cpuidle_enter_state+0x5f/0x2f0
      [   29.383832]  [<ffffffff816f131b>] ? cpuidle_enter_state+0x5b/0x2f0
      
      Problem here is that br_forward_delay_timer_expired() is a timer
      handler, calling br_ifinfo_notify() which assumes either rcu_read_lock()
      or RTNL are held.
      
      Simplest fix seems to add rcu read lock section.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Reported-by: default avatarDominick Grift <dac.override@gmail.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93a33a58
    • Arun Parameswaran's avatar
      net: core: 'ethtool' issue with querying phy settings · f96dee13
      Arun Parameswaran authored
      When trying to configure the settings for PHY1, using commands
      like 'ethtool -s eth0 phyad 1 speed 100', the 'ethtool' seems to
      modify other settings apart from the speed of the PHY1, in the
      above case.
      
      The ethtool seems to query the settings for PHY0, and use this
      as the base to apply the new settings to the PHY1. This is
      causing the other settings of the PHY 1 to be wrongly
      configured.
      
      The issue is caused by the '_ethtool_get_settings()' API, which
      gets called because of the 'ETHTOOL_GSET' command, is clearing
      the 'cmd' pointer (of type 'struct ethtool_cmd') by calling
      memset. This clears all the parameters (if any) passed for the
      'ETHTOOL_GSET' cmd. So the driver's callback is always invoked
      with 'cmd->phy_address' as '0'.
      
      The '_ethtool_get_settings()' is called from other files in the
      'net/core'. So the fix is applied to the 'ethtool_get_settings()'
      which is only called in the context of the 'ethtool'.
      Signed-off-by: default avatarArun Parameswaran <aparames@broadcom.com>
      Reviewed-by: default avatarRay Jui <rjui@broadcom.com>
      Reviewed-by: default avatarScott Branden <sbranden@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f96dee13
    • Thadeu Lima de Souza Cascardo's avatar
      bridge: fix parsing of MLDv2 reports · 47cc84ce
      Thadeu Lima de Souza Cascardo authored
      When more than a multicast address is present in a MLDv2 report, all but
      the first address is ignored, because the code breaks out of the loop if
      there has not been an error adding that address.
      
      This has caused failures when two guests connected through the bridge
      tried to communicate using IPv6. Neighbor discoveries would not be
      transmitted to the other guest when both used a link-local address and a
      static address.
      
      This only happens when there is a MLDv2 querier in the network.
      
      The fix will only break out of the loop when there is a failure adding a
      multicast address.
      
      The mdb before the patch:
      
      dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
      dev ovirtmgmt port bond0.86 grp ff02::2 temp
      
      After the patch:
      
      dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
      dev ovirtmgmt port bond0.86 grp ff02::fb temp
      dev ovirtmgmt port bond0.86 grp ff02::2 temp
      dev ovirtmgmt port bond0.86 grp ff02::d temp
      dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
      dev ovirtmgmt port bond0.86 grp ff02::16 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
      dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
      dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp
      
      Fixes: 08b202b6 ("bridge br_multicast: IPv6 MLD support.")
      Reported-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Tested-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      47cc84ce
    • Nathan Sullivan's avatar
      ARM: zynq: DT: Use the zynq binding with macb · 9eeb5161
      Nathan Sullivan authored
      Use the new zynq binding for macb ethernet, since it will disable half
      duplex gigabit like the Zynq TRM says to do.
      Signed-off-by: default avatarNathan Sullivan <nathan.sullivan@ni.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9eeb5161
    • Nathan Sullivan's avatar
      net: macb: Disable half duplex gigabit on Zynq · 222ca8e0
      Nathan Sullivan authored
      According to the Zynq TRM, gigabit half duplex is not supported.  Add a
      new cap and compatible string so Zynq can avoid advertising that mode.
      Signed-off-by: default avatarNathan Sullivan <nathan.sullivan@ni.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      222ca8e0
    • Nathan Sullivan's avatar
    • Michal Kubeček's avatar
      ipv4: fill in table id when replacing a route · d4e64c29
      Michal Kubeček authored
      When replacing an IPv4 route, tb_id member of the new fib_alias
      structure is not set in the replace code path so that the new route is
      ignored.
      
      Fixes: 0ddcf43d ("ipv4: FIB Local/MAIN table collapse")
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Acked-by: default avatarAlexander Duyck <alexander.h.duyck@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d4e64c29
    • Bjørn Mork's avatar
      cdc_ncm: Fix tx_bytes statistics · 44f6731d
      Bjørn Mork authored
      The tx_curr_frame_payload field is u32. When we try to calculate a
      small negative delta based on it, we end up with a positive integer
      close to 2^32 instead.  So the tx_bytes pointer increases by about
      2^32 for every transmitted frame.
      
      Fix by calculating the delta as a signed long.
      
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Reported-by: default avatarFlorian Bruhin <me@the-compiler.org>
      Fixes: 7a1e890e ("usbnet: Fix tx_bytes statistic running backward in cdc_ncm")
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44f6731d
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 572152ad
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contain Netfilter fixes for your net tree, they are:
      
      1) Fix a race in nfnetlink_log and nfnetlink_queue that can lead to a crash.
         This problem is due to wrong order in the per-net registration and netlink
         socket events. Patch from Francesco Ruggeri.
      
      2) Make sure that counters that userspace pass us are higher than 0 in all the
         x_tables frontends. Discovered via Trinity, patch from Dave Jones.
      
      3) Revert a patch for br_netfilter to rely on the conntrack status bits. This
         breaks stateless IPv6 NAT transformations. Patch from Florian Westphal.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      572152ad
    • Eric W. Biederman's avatar
      ipv4: Avoid crashing in ip_error · 381c759d
      Eric W. Biederman authored
      ip_error does not check if in_dev is NULL before dereferencing it.
      
      IThe following sequence of calls is possible:
      CPU A                          CPU B
      ip_rcv_finish
          ip_route_input_noref()
              ip_route_input_slow()
                                     inetdev_destroy()
          dst_input()
      
      With the result that a network device can be destroyed while processing
      an input packet.
      
      A crash was triggered with only unicast packets in flight, and
      forwarding enabled on the only network device.   The error condition
      was created by the removal of the network device.
      
      As such it is likely the that error code was -EHOSTUNREACH, and the
      action taken by ip_error (if in_dev had been accessible) would have
      been to not increment any counters and to have tried and likely failed
      to send an icmp error as the network device is going away.
      
      Therefore handle this weird case by just dropping the packet if
      !in_dev.  It will result in dropping the packet sooner, and will not
      result in an actual change of behavior.
      
      Fixes: 251da413 ("ipv4: Cache ip_error() routes even when not forwarding.")
      Reported-by: default avatarVittorio Gambaletta <linuxbugs@vittgam.net>
      Tested-by: default avatarVittorio Gambaletta <linuxbugs@vittgam.net>
      Signed-off-by: default avatarVittorio Gambaletta <linuxbugs@vittgam.net>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      381c759d
    • Eric Dumazet's avatar
      tcp: fix a potential deadlock in tcp_get_info() · d654976c
      Eric Dumazet authored
      Taking socket spinlock in tcp_get_info() can deadlock, as
      inet_diag_dump_icsk() holds the &hashinfo->ehash_locks[i],
      while packet processing can use the reverse locking order.
      
      We could avoid this locking for TCP_LISTEN states, but lockdep would
      certainly get confused as all TCP sockets share same lockdep classes.
      
      [  523.722504] ======================================================
      [  523.728706] [ INFO: possible circular locking dependency detected ]
      [  523.734990] 4.1.0-dbg-DEV #1676 Not tainted
      [  523.739202] -------------------------------------------------------
      [  523.745474] ss/18032 is trying to acquire lock:
      [  523.750002]  (slock-AF_INET){+.-...}, at: [<ffffffff81669d44>] tcp_get_info+0x2c4/0x360
      [  523.758129]
      [  523.758129] but task is already holding lock:
      [  523.763968]  (&(&hashinfo->ehash_locks[i])->rlock){+.-...}, at: [<ffffffff816bcb75>] inet_diag_dump_icsk+0x1d5/0x6c0
      [  523.774661]
      [  523.774661] which lock already depends on the new lock.
      [  523.774661]
      [  523.782850]
      [  523.782850] the existing dependency chain (in reverse order) is:
      [  523.790326]
      -> #1 (&(&hashinfo->ehash_locks[i])->rlock){+.-...}:
      [  523.796599]        [<ffffffff811126bb>] lock_acquire+0xbb/0x270
      [  523.802565]        [<ffffffff816f5868>] _raw_spin_lock+0x38/0x50
      [  523.808628]        [<ffffffff81665af8>] __inet_hash_nolisten+0x78/0x110
      [  523.815273]        [<ffffffff816819db>] tcp_v4_syn_recv_sock+0x24b/0x350
      [  523.822067]        [<ffffffff81684d41>] tcp_check_req+0x3c1/0x500
      [  523.828199]        [<ffffffff81682d09>] tcp_v4_do_rcv+0x239/0x3d0
      [  523.834331]        [<ffffffff816842fe>] tcp_v4_rcv+0xa8e/0xc10
      [  523.840202]        [<ffffffff81658fa3>] ip_local_deliver_finish+0x133/0x3e0
      [  523.847214]        [<ffffffff81659a9a>] ip_local_deliver+0xaa/0xc0
      [  523.853440]        [<ffffffff816593b8>] ip_rcv_finish+0x168/0x5c0
      [  523.859624]        [<ffffffff81659db7>] ip_rcv+0x307/0x420
      
      Lets use u64_sync infrastructure instead. As a bonus, 64bit
      arches get optimized, as these are nop for them.
      
      Fixes: 0df48c26 ("tcp: add tcpi_bytes_acked to tcp_info")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d654976c
    • Kalle Valo's avatar
      Merge tag 'iwlwifi-for-kalle-2015-05-21' of... · aefa441b
      Kalle Valo authored
      Merge tag 'iwlwifi-for-kalle-2015-05-21' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes
      
      * fix firmware name and other things to enable 3165
      * fix bad APMG configuration for 8000 (no AMPG on these devices)
      * fix MAC address assignment for 8000
      * fix firmware debugging triggers (MLME)
      * fix several bugs in low power states code (net-detect,
        d0i3)
      aefa441b
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · a8106b14
      Dave Airlie authored
      Just two small DP fixes for 4.1
      
      * 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux:
        drm/radeon: fix error flag checking in native aux path
        drm/radeon: retry dcpd fetch
      a8106b14
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel into drm-fixes · bb435897
      Dave Airlie authored
      There's a stable backport from Ander [1] that combines this and a few
      other commits to fix the flickering on v4.0, reported in [2] among
      others. Having this upstream is obviously a requirement for stable.
      
      * tag 'drm-intel-fixes-2015-05-21' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: fix screen flickering
      bb435897
    • Harald Freudenberger's avatar
      crypto: s390/ghash - Fix incorrect ghash icv buffer handling. · a1cae34e
      Harald Freudenberger authored
      Multitheaded tests showed that the icv buffer in the current ghash
      implementation is not handled correctly. A move of this working ghash
      buffer value to the descriptor context fixed this. Code is tested and
      verified with an multithreaded application via af_alg interface.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHarald Freudenberger <freude@linux.vnet.ibm.com>
      Signed-off-by: default avatarGerald Schaefer <geraldsc@linux.vnet.ibm.com>
      Reported-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a1cae34e