1. 13 Jun, 2013 14 commits
    • Saurabh Mohan's avatar
      net/ipv4: ip_vti clear skb cb before tunneling. · baafc77b
      Saurabh Mohan authored
      If users apply shaper to vti tunnel then it will cause a kernel crash. The
      problem seems to be due to the vti_tunnel_xmit function not clearing
      skb->opt field before passing the packet to xfrm tunneling code.
      Signed-off-by: default avatarSaurabh Mohan <saurabh@vyatta.com>
      Acked-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      baafc77b
    • Nithin Sujir's avatar
      tg3: Wait for boot code to finish after power on · df465abf
      Nithin Sujir authored
      Some systems that don't need wake-on-lan may choose to power down the
      chip on system standby. Upon resume, the power on causes the boot code
      to startup and initialize the hardware. On one new platform, this is
      causing the device to go into a bad state due to a race between the
      driver and boot code, once every several hundred resumes. The same race
      exists on open since we come up from a power on.
      
      This patch adds a wait for boot code signature at the beginning of
      tg3_init_hw() which is common to both cases. If there has not been a
      power-off or the boot code has already completed, the signature will be
      present and poll_fw() returns immediately. Also return immediately if
      the device does not have firmware.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNithin Nayak Sujir <nsujir@broadcom.com>
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df465abf
    • Guillaume Nault's avatar
      l2tp: Fix sendmsg() return value · a6f79d0f
      Guillaume Nault authored
      PPPoL2TP sockets should comply with the standard send*() return values
      (i.e. return number of bytes sent instead of 0 upon success).
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a6f79d0f
    • Guillaume Nault's avatar
      l2tp: Fix PPP header erasure and memory leak · 55b92b7a
      Guillaume Nault authored
      Copy user data after PPP framing header. This prevents erasure of the
      added PPP header and avoids leaking two bytes of uninitialised memory
      at the end of skb's data buffer.
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55b92b7a
    • Nikolay Aleksandrov's avatar
      bonding: fix igmp_retrans type and two related races · 4f5474e7
      Nikolay Aleksandrov authored
      First the type of igmp_retrans (which is the actual counter of
      igmp_resend parameter) is changed to u8 to be able to store values up
      to 255 (as per documentation). There are two races that were hidden
      there and which are easy to trigger after the previous fix, the first is
      between bond_resend_igmp_join_requests and bond_change_active_slave
      where igmp_retrans is set and can be altered by the periodic. The second
      race condition is between multiple running instances of the periodic
      (upon execution it can be scheduled again for immediate execution which
      can cause the counter to go < 0 which in the unsigned case leads to
      unnecessary igmp retransmissions).
      Since in bond_change_active_slave bond->lock is held for reading and
      curr_slave_lock for writing, we use curr_slave_lock for mutual
      exclusion. We can't drop them as there're cases where RTNL is not held
      when bond_change_active_slave is called. RCU is unlocked in
      bond_resend_igmp_join_requests before getting curr_slave_lock since we
      don't need it there and it's pointless to delay.
      The decrement is moved inside the "if" block because if we decrement
      unconditionally there's still a possibility for a race condition although
      it is much more difficult to hit (many changes have to happen in
      a very short period in order to trigger) which in the case of 3 parallel
      running instances of this function and igmp_retrans == 1
      (with check bond->igmp_retrans-- > 1) is:
      f1 passes, doesn't re-schedule, but decrements - igmp_retrans = 0
      f2 then passes, doesn't re-schedule, but decrements - igmp_retrans = 255
      f3 does the unnecessary retransmissions.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarJay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f5474e7
    • Nikolay Aleksandrov's avatar
      bonding: reset master mac on first enslave failure · b8fad459
      Nikolay Aleksandrov authored
      If the bond device is supposed to get the first slave's MAC address and
      the first enslavement fails then we need to reset the master's MAC
      otherwise it will stay the same as the failed slave device. We do it
      after err_undo_flags since that is the first place where the MAC can be
      changed and we check if it should've been the first slave and if the
      bond's MAC was set to it because that err place is used by multiple
      locations prior to changing the master's MAC address.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarJay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8fad459
    • Daniel Borkmann's avatar
      packet: packet_getname_spkt: make sure string is always 0-terminated · 2dc85bf3
      Daniel Borkmann authored
      uaddr->sa_data is exactly of size 14, which is hard-coded here and
      passed as a size argument to strncpy(). A device name can be of size
      IFNAMSIZ (== 16), meaning we might leave the destination string
      unterminated. Thus, use strlcpy() and also sizeof() while we're
      at it. We need to memset the data area beforehand, since strlcpy
      does not padd the remaining buffer with zeroes for user space, so
      that we do not possibly leak anything.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2dc85bf3
    • Dinh Nguyen's avatar
      net: ethernet: stmicro: stmmac: Fix compile error when STMMAC_XMIT_DEBUG used · 631f24a2
      Dinh Nguyen authored
      drivers/net/ethernet/stmicro/stmmac/stmmac_main.c: In function:
      stmmac_xmit drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:1902:74:
      error: expected ) before __func__
      Signed-off-by: default avatarDinh Nguyen <dinguyen@altera.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      CC: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      631f24a2
    • Somnath Kotur's avatar
      be2net: Fix 32-bit DMA Mask handling · 0c5fed09
      Somnath Kotur authored
      Fix to set the coherent DMA mask only if dma_set_mask() succeeded, and to
      error out if either fails.
      Signed-off-by: default avatarSomnath Kotur <somnath.kotur@emulex.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c5fed09
    • David S. Miller's avatar
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · e86c9861
      David S. Miller authored
      Included change:
      - fix "rtnl locked" concurrent executions by using rtnl_lock instead of
        rtnl_trylock. This fix enables batman-adv initialisation to do not fail just
        because somewhere else in the system another code path is holding the rtnl
        lock. It is easy to see the problem when batman-adv is trying to start
        together with other networking components.
      - fix the routing protocol forwarding policy by enhancing the duplicate control
        packet detection. When the right circumstances trigger the issue, some nodes in
        the network become totally unreachable, so breaking the mesh connectivity.
      - fix the Bridge Loop Avoidance component by not running the originator address
        change handling routine when the component is disabled. The routine was
        generating useless packets that were sent over the network.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e86c9861
    • Jan Beulich's avatar
      xen-netback: don't de-reference vif pointer after having called xenvif_put() · 94f950c4
      Jan Beulich authored
      When putting vif-s on the rx notify list, calling xenvif_put() must be
      deferred until after the removal from the list and the issuing of the
      notification, as both operations dereference the pointer.
      
      Changing this got me to notice that the "irq" variable was effectively
      unused (and was of too narrow type anyway).
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Acked-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      94f950c4
    • Michael S. Tsirkin's avatar
      macvlan: don't touch promisc without passthrough · 99ffc3e7
      Michael S. Tsirkin authored
      commit df8ef8f3
      "macvlan: add FDB bridge ops and macvlan flags"
      added a way to control NOPROMISC macvlan flag through netlink.
      
      However, with a non passthrough device we never set promisc on open,
      even if NOPROMISC is off.  As a result:
      
      If userspace clears NOPROMISC on open, then does not clear it on a
      netlink command, promisc counter is not decremented on stop and there
      will be no way to clear it once macvlan is detached.
      
      If userspace does not clear NOPROMISC on open, then sets NOPROMISC on a
      netlink command, promisc counter will be decremented from 0 and overflow
      to fffffffff with no way to clear promisc.
      
      To fix, simply ignore NOPROMISC flag in a netlink command for
      non-passthrough devices, same as we do at open/close.
      
      Since we touch this code anyway - check dev_set_promiscuity return code
      and pass it to users (though an error here is unlikely).
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Reviewed-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99ffc3e7
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 26e04462
      Linus Torvalds authored
      Pull networking update from David Miller:
      
       1) Fix dump iterator in nfnl_acct_dump() and ctnl_timeout_dump() to
          dump all objects properly, from Pablo Neira Ayuso.
      
       2) xt_TCPMSS must use the default MSS of 536 when no MSS TCP option is
          present.  Fix from Phil Oester.
      
       3) qdisc_get_rtab() looks for an existing matching rate table and uses
          that instead of creating a new one.  However, it's key matching is
          incomplete, it fails to check to make sure the ->data[] array is
          identical too.  Fix from Eric Dumazet.
      
       4) ip_vs_dest_entry isn't fully initialized before copying back to
          userspace, fix from Dan Carpenter.
      
       5) Fix ubuf reference counting regression in vhost_net, from Jason
          Wang.
      
       6) When sock_diag dumps a socket filter back to userspace, we have to
          translate it out of the kernel's internal representation first.
          From Nicolas Dichtel.
      
       7) davinci_mdio holds a spinlock while calling pm_runtime, which
          sleeps.  Fix from Sebastian Siewior.
      
       8) Timeout check in sh_eth_check_reset is off by one, from Sergei
          Shtylyov.
      
       9) If sctp socket init fails, we can NULL deref during cleanup.  Fix
          from Daniel Borkmann.
      
      10) netlink_mmap() does not propagate errors properly, from Patrick
          McHardy.
      
      11) Disable powersave and use minstrel by default in ath9k.  From Sujith
          Manoharan.
      
      12) Fix a regression in that SOCK_ZEROCOPY is not set on tuntap sockets
          which prevents vhost from being able to use zerocopy.  From Jason
          Wang.
      
      13) Fix race between port lookup and TX path in team driver, from Jiri
          Pirko.
      
      14) Missing length checks in bluetooth L2CAP packet parsing, from Johan
          Hedberg.
      
      15) rtlwifi fails to connect to networking using any encryption method
          other than WPA2.  Fix from Larry Finger.
      
      16) Fix iwlegacy build due to incorrect CONFIG_* ifdeffing for power
          management stuff.  From Yijing Wang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits)
        b43: stop format string leaking into error msgs
        ath9k: Use minstrel rate control by default
        Revert "ath9k_hw: Update rx gain initval to improve rx sensitivity"
        ath9k: Disable PowerSave by default
        net: wireless: iwlegacy: fix build error for il_pm_ops
        rtlwifi: Fix a false leak indication for PCI devices
        wl12xx/wl18xx: scan all 5ghz channels
        wl12xx: increase minimum singlerole firmware version required
        wl12xx: fix minimum required firmware version for wl127x multirole
        rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks
        mwifiex: debugfs: Fix out of bounds array access
        Bluetooth: Fix mgmt handling of power on failures
        Bluetooth: Fix missing length checks for L2CAP signalling PDUs
        Bluetooth: btmrvl: support Marvell Bluetooth device SD8897
        Bluetooth: Fix checks for LE support on LE-only controllers
        team: fix checks in team_get_first_port_txable_rcu()
        team: move add to port list before port enablement
        team: check return value of team_get_port_by_index_rcu() for NULL
        tuntap: set SOCK_ZEROCOPY flag during open
        netlink: fix error propagation in netlink_mmap()
        ...
      26e04462
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · 645a9929
      Linus Torvalds authored
      Pull input layer bugfix from Jiri Kosina:
       "Memory leak regression fix from Benjamin Tissoires"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: multitouch: prevent memleak with the allocated name
      645a9929
  2. 12 Jun, 2013 26 commits