1. 12 3月, 2014 14 次提交
    • L
      bridge: multicast: add sanity check for general query destination · 9ed973cc
      Linus Lüssing 提交于
      General IGMP and MLD queries are supposed to have the multicast
      link-local all-nodes address as their destination according to RFC2236
      section 9, RFC3376 section 4.1.12/9.1, RFC2710 section 8 and RFC3810
      section 5.1.15.
      
      Without this check, such malformed IGMP/MLD queries can result in a
      denial of service: The queries are ignored by most IGMP/MLD listeners
      therefore they will not respond with an IGMP/MLD report. However,
      without this patch these malformed MLD queries would enable the
      snooping part in the bridge code, potentially shutting down the
      according ports towards these hosts for multicast traffic as the
      bridge did not learn about these listeners.
      Reported-by: NJan Stancek <jstancek@redhat.com>
      Signed-off-by: NLinus Lüssing <linus.luessing@web.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ed973cc
    • E
      tcp: tcp_release_cb() should release socket ownership · c3f9b018
      Eric Dumazet 提交于
      Lars Persson reported following deadlock :
      
      -000 |M:0x0:0x802B6AF8(asm) <-- arch_spin_lock
      -001 |tcp_v4_rcv(skb = 0x8BD527A0) <-- sk = 0x8BE6B2A0
      -002 |ip_local_deliver_finish(skb = 0x8BD527A0)
      -003 |__netif_receive_skb_core(skb = 0x8BD527A0, ?)
      -004 |netif_receive_skb(skb = 0x8BD527A0)
      -005 |elk_poll(napi = 0x8C770500, budget = 64)
      -006 |net_rx_action(?)
      -007 |__do_softirq()
      -008 |do_softirq()
      -009 |local_bh_enable()
      -010 |tcp_rcv_established(sk = 0x8BE6B2A0, skb = 0x87D3A9E0, th = 0x814EBE14, ?)
      -011 |tcp_v4_do_rcv(sk = 0x8BE6B2A0, skb = 0x87D3A9E0)
      -012 |tcp_delack_timer_handler(sk = 0x8BE6B2A0)
      -013 |tcp_release_cb(sk = 0x8BE6B2A0)
      -014 |release_sock(sk = 0x8BE6B2A0)
      -015 |tcp_sendmsg(?, sk = 0x8BE6B2A0, ?, ?)
      -016 |sock_sendmsg(sock = 0x8518C4C0, msg = 0x87D8DAA8, size = 4096)
      -017 |kernel_sendmsg(?, ?, ?, ?, size = 4096)
      -018 |smb_send_kvec()
      -019 |smb_send_rqst(server = 0x87C4D400, rqst = 0x87D8DBA0)
      -020 |cifs_call_async()
      -021 |cifs_async_writev(wdata = 0x87FD6580)
      -022 |cifs_writepages(mapping = 0x852096E4, wbc = 0x87D8DC88)
      -023 |__writeback_single_inode(inode = 0x852095D0, wbc = 0x87D8DC88)
      -024 |writeback_sb_inodes(sb = 0x87D6D800, wb = 0x87E4A9C0, work = 0x87D8DD88)
      -025 |__writeback_inodes_wb(wb = 0x87E4A9C0, work = 0x87D8DD88)
      -026 |wb_writeback(wb = 0x87E4A9C0, work = 0x87D8DD88)
      -027 |wb_do_writeback(wb = 0x87E4A9C0, force_wait = 0)
      -028 |bdi_writeback_workfn(work = 0x87E4A9CC)
      -029 |process_one_work(worker = 0x8B045880, work = 0x87E4A9CC)
      -030 |worker_thread(__worker = 0x8B045880)
      -031 |kthread(_create = 0x87CADD90)
      -032 |ret_from_kernel_thread(asm)
      
      Bug occurs because __tcp_checksum_complete_user() enables BH, assuming
      it is running from softirq context.
      
      Lars trace involved a NIC without RX checksum support but other points
      are problematic as well, like the prequeue stuff.
      
      Problem is triggered by a timer, that found socket being owned by user.
      
      tcp_release_cb() should call tcp_write_timer_handler() or
      tcp_delack_timer_handler() in the appropriate context :
      
      BH disabled and socket lock held, but 'owned' field cleared,
      as if they were running from timer handlers.
      
      Fixes: 6f458dfb ("tcp: improve latencies of timer triggered events")
      Reported-by: NLars Persson <lars.persson@axis.com>
      Tested-by: NLars Persson <lars.persson@axis.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c3f9b018
    • D
      Merge branch 'skb_frags' · c7b76f85
      David S. Miller 提交于
      Michael S. Tsirkin says:
      
      ====================
      skbuff: fix skb_segment with zero copy skbs
      
      This fixes a bug in skb_segment where it moves frags
      between skbs without orphaning them.
      This causes userspace to assume it's safe to
      reuse the buffer, and receiver gets corrupted data.
      This further might leak information from the
      transmitter on the wire.
      
      To fix track which skb does a copied frag belong
      to, and orphan frags when copying them.
      
      As we are tracking multiple skbs here, using
      short names (skb,nskb,fskb,skb_frag,frag) becomes confusing.
      So before adding another one, I refactor these names
      slightly.
      
      Patch is split out to make it easier to
      verify that all trasformations are trivially correct.
      
      The problem was observed in the field,
      so I think that the patch is necessary on stable
      as well.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      c7b76f85
    • M
      skbuff: skb_segment: orphan frags before copying · 1fd819ec
      Michael S. Tsirkin 提交于
      skb_segment copies frags around, so we need
      to copy them carefully to avoid accessing
      user memory after reporting completion to userspace
      through a callback.
      
      skb_segment doesn't normally happen on datapath:
      TSO needs to be disabled - so disabling zero copy
      in this case does not look like a big deal.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1fd819ec
    • M
      skbuff: skb_segment: s/fskb/list_skb/ · 1a4cedaf
      Michael S. Tsirkin 提交于
      fskb is unrelated to frag: it's coming from
      frag_list. Rename it list_skb to avoid confusion.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1a4cedaf
    • M
      skbuff: skb_segment: s/skb/head_skb/ · df5771ff
      Michael S. Tsirkin 提交于
      rename local variable to make it easier to tell at a glance that we are
      dealing with a head skb.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df5771ff
    • M
      skbuff: skb_segment: s/skb_frag/frag/ · 4e1beba1
      Michael S. Tsirkin 提交于
      skb_frag can in fact point at either skb
      or fskb so rename it generally "frag".
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e1beba1
    • M
      skbuff: skb_segment: s/frag/nskb_frag/ · 8cb19905
      Michael S. Tsirkin 提交于
      frag points at nskb, so name it appropriately
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8cb19905
    • D
      Merge branch 'stmmac' · 9d79b3c7
      David S. Miller 提交于
      Giuseppe Cavallaro says:
      
      ====================
      stmmac fixes: EEE and chained mode
      
      These patches are to fix some new problems in the STMMAC driver.
      
      Mandatory changes are for EEE that needs to be disabled if not supported
      and for the chain mode that is broken and the kernel panics if this mode
      is enabled.
      
      v3: removed a patch from my previous set that touched the stmmac_tx path
          that has not to be applied. Other patches for cleaning-up will be
          sent on top of net-next git repo.
      
      v4: do not surround the defaul buffer selection using Koption and adopt
          a default to 1536bytes.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d79b3c7
    • G
      stmmac: dwmac-sti: fix broken STiD127 compatibility · c5e9103d
      Giuseppe CAVALLARO 提交于
      This is to fix the compatibility to the STiD127 SoC.
      Signed-off-by: NGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5e9103d
    • G
      stmmac: fix chained mode · 29896a67
      Giuseppe CAVALLARO 提交于
      This patch is to fix the chain mode that was broken
      and generated a panic. This patch reviews the chain/ring
      modes now shaing the same structure and taking care
      about the pointers and callbacks.
      Signed-off-by: NGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      29896a67
    • G
      stmmac: fix and better tune the default buffer sizes · d916701c
      Giuseppe CAVALLARO 提交于
      This patch is to fix and tune the default buffer sizes.
      It reduces the default bufsize used by the driver from
      4KiB to 1536 bytes.
      
      Patch has been tested on both ARM and SH4 platform based.
      Signed-off-by: NGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d916701c
    • G
      stmmac: disable at run-time the EEE if not supported · 83bf79b6
      Giuseppe CAVALLARO 提交于
      This patch is to disable the EEE (so HW and timers)
      for example when the phy communicates that the EEE
      can be supported anymore.
      Signed-off-by: NGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83bf79b6
    • N
      vmxnet3: fix netpoll race condition · d25f06ea
      Neil Horman 提交于
      vmxnet3's netpoll driver is incorrectly coded.  It directly calls
      vmxnet3_do_poll, which is the driver internal napi poll routine.  As the netpoll
      controller method doesn't block real napi polls in any way, there is a potential
      for race conditions in which the netpoll controller method and the napi poll
      method run concurrently.  The result is data corruption causing panics such as this
      one recently observed:
      PID: 1371   TASK: ffff88023762caa0  CPU: 1   COMMAND: "rs:main Q:Reg"
       #0 [ffff88023abd5780] machine_kexec at ffffffff81038f3b
       #1 [ffff88023abd57e0] crash_kexec at ffffffff810c5d92
       #2 [ffff88023abd58b0] oops_end at ffffffff8152b570
       #3 [ffff88023abd58e0] die at ffffffff81010e0b
       #4 [ffff88023abd5910] do_trap at ffffffff8152add4
       #5 [ffff88023abd5970] do_invalid_op at ffffffff8100cf95
       #6 [ffff88023abd5a10] invalid_op at ffffffff8100bf9b
          [exception RIP: vmxnet3_rq_rx_complete+1968]
          RIP: ffffffffa00f1e80  RSP: ffff88023abd5ac8  RFLAGS: 00010086
          RAX: 0000000000000000  RBX: ffff88023b5dcee0  RCX: 00000000000000c0
          RDX: 0000000000000000  RSI: 00000000000005f2  RDI: ffff88023b5dcee0
          RBP: ffff88023abd5b48   R8: 0000000000000000   R9: ffff88023a3b6048
          R10: 0000000000000000  R11: 0000000000000002  R12: ffff8802398d4cd8
          R13: ffff88023af35140  R14: ffff88023b60c890  R15: 0000000000000000
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88023abd5b50] vmxnet3_do_poll at ffffffffa00f204a [vmxnet3]
       #8 [ffff88023abd5b80] vmxnet3_netpoll at ffffffffa00f209c [vmxnet3]
       #9 [ffff88023abd5ba0] netpoll_poll_dev at ffffffff81472bb7
      
      The fix is to do as other drivers do, and have the poll controller call the top
      half interrupt handler, which schedules a napi poll properly to recieve frames
      
      Tested by myself, successfully.
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      CC: Shreyas Bhatewara <sbhatewara@vmware.com>
      CC: "VMware, Inc." <pv-drivers@vmware.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: stable@vger.kernel.org
      Reviewed-by: NShreyas N Bhatewara <sbhatewara@vmware.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d25f06ea
  2. 11 3月, 2014 6 次提交
  3. 10 3月, 2014 1 次提交
    • M
      bnx2: Fix shutdown sequence · a8d9bc2e
      Michael Chan 提交于
      The pci shutdown handler added in:
      
          bnx2: Add pci shutdown handler
          commit 25bfb1dd
      
      created a shutdown down sequence without chip reset if the device was
      never brought up.  This can cause the firmware to shutdown the PHY
      prematurely and cause MMIO read cycles to be unresponsive.  On some
      systems, it may generate NMI in the bnx2's pci shutdown handler.
      
      The fix is to tell the firmware not to shutdown the PHY if there was
      no prior chip reset.
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a8d9bc2e
  4. 08 3月, 2014 1 次提交
  5. 07 3月, 2014 18 次提交