1. 24 Nov, 2014 3 commits
    • ixgbe: fix use after free adapter->state test in ixgbe_remove/ixgbe_probe · b5b2ffc0
      Committed by Daniel Borkmann
      While working on a different issue, I noticed an annoying use
      after free bug on my machine when unloading the ixgbe driver:
      
      [ 8642.318797] ixgbe 0000:02:00.1: removed PHC on p2p2
      [ 8642.742716] ixgbe 0000:02:00.1: complete
      [ 8642.743784] BUG: unable to handle kernel paging request at ffff8807d3740a90
      [ 8642.744828] IP: [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe]
      [ 8642.745886] PGD 20c6067 PUD 81c1f6067 PMD 81c15a067 PTE 80000007d3740060
      [ 8642.746956] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
      [ 8642.748039] Modules linked in: [...]
      [ 8642.752929] CPU: 1 PID: 1225 Comm: rmmod Not tainted 3.18.0-rc2+ #49
      [ 8642.754203] Hardware name: Supermicro X10SLM-F/X10SLM-F, BIOS 1.1b 11/01/2013
      [ 8642.755505] task: ffff8807e34d3fe0 ti: ffff8807b7204000 task.ti: ffff8807b7204000
      [ 8642.756831] RIP: 0010:[<ffffffffa01c77dc>]  [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe]
      [...]
      [ 8642.774335] Stack:
      [ 8642.775805]  ffff8807ee824098 ffff8807ee824098 ffffffffa01f3000 ffff8807ee824000
      [ 8642.777326]  ffff8807b7207e18 ffffffff8137720f ffff8807ee824098 ffff8807ee824098
      [ 8642.778848]  ffffffffa01f3068 ffff8807ee8240f8 ffff8807b7207e38 ffffffff8144180f
      [ 8642.780365] Call Trace:
      [ 8642.781869]  [<ffffffff8137720f>] pci_device_remove+0x3f/0xc0
      [ 8642.783395]  [<ffffffff8144180f>] __device_release_driver+0x7f/0xf0
      [ 8642.784876]  [<ffffffff814421f8>] driver_detach+0xb8/0xc0
      [ 8642.786352]  [<ffffffff814414a9>] bus_remove_driver+0x59/0xe0
      [ 8642.787783]  [<ffffffff814429d0>] driver_unregister+0x30/0x70
      [ 8642.789202]  [<ffffffff81375c65>] pci_unregister_driver+0x25/0xa0
      [ 8642.790657]  [<ffffffffa01eb38e>] ixgbe_exit_module+0x1c/0xc8e [ixgbe]
      [ 8642.792064]  [<ffffffff810f93a2>] SyS_delete_module+0x132/0x1c0
      [ 8642.793450]  [<ffffffff81012c61>] ? do_notify_resume+0x61/0xa0
      [ 8642.794837]  [<ffffffff816d2029>] system_call_fastpath+0x12/0x17
      
      The issue is that test_and_set_bit() done on adapter->state is being
      performed *after* the netdevice has been freed via free_netdev().
      
      When netdev is being allocated on initialization time, it allocates
      a private area, here struct ixgbe_adapter, that resides after the
      net_device structure. In ixgbe_probe(), the device init routine,
      we set up the adapter after alloc_etherdev_mq() on the private area
      and add a reference for the pci_dev as well via pci_set_drvdata().
      
      Both in the error path of ixgbe_probe(), but also on module unload
      when ixgbe_remove() is being called, commit 41c62843 ("ixgbe:
      Fix rcu warnings induced by LER") accesses adapter after free_netdev().
      The patch stores the result in a bool and thus fixes above oops on my
      side.
      
      Fixes: 41c62843 ("ixgbe: Fix rcu warnings induced by LER")
      Cc: stable <stable@vger.kernel.org>
      Cc: Mark Rustad <mark.d.rustad@intel.com>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ixgbe: Correctly disable VLAN filter in promiscuous mode · 4556dc59
      Committed by Vlad Yasevich
      IXGBE adapter seems to require that VLAN filtering be enabled if
      VMDQ or SRIOV are enabled.  When those functions are disabled,
      VLAN filtering may be disabled in promiscuous mode.
      
      Prior to commit a9b8943e ("ixgbe: remove vlan_filter_disable
      and enable functions")
      
      The logic was correct.  However, after the commit the logic
      got reversed and VLAN filtering is now turned on when VMDQ/SRIOV
      is disabled.
      
      This patch changes the condition to enable hw vlan filtering
      when VMDQ or SRIOV is enabled.
      
      Fixes: a9b8943e ("ixgbe: remove vlan_filter_disable and enable functions")
      Cc: stable <stable@vger.kernel.org>
      CC: Jacob Keller <jacob.e.keller@intel.com>
      Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
      Acked-by: Emil Tantilov <emil.s.tantilov@intel.com>
      Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
      Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: Do not treat a GSO_TCPV4 request from UDP tunnel over IPv6 as invalid · b6fef4c6
      Committed by Alexander Duyck
      This patch adds SKB_GSO_TCPV4 to the list of supported GSO types handled by
      the IPv6 GSO offloads.  Without this change VXLAN tunnels running over IPv6
      do not currently handle IPv4 TCP TSO requests correctly and end up handing
      the non-segmented frame off to the device.
      
      Below is the before and after for a simple netperf TCP_STREAM test between
      two endpoints tunneling IPv4 over a VXLAN tunnel running on IPv6 on top of
      a 1Gb/s network adapter.
      
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
      
       87380  16384  16384    10.29       0.88      Before
       87380  16384  16384    10.03     895.69      After
      Signed-off-by: Alexander Duyck <alexander.h.duyck@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 22 Nov, 2014 16 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8a84e01e
      Committed by Linus Torvalds
      Pull networking fixes from David Miller:
      
       1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl.
      
       2) nf_nat_range is not fully initialized and this is copied back to
          userspace, from Daniel Borkmann.
      
       3) Fix read past end of buffer in netfilter ipset, also from Dan
          Carpenter.
      
       4) Signed integer overflow in ipv4 address mask creation helper
          inet_make_mask(), from Vincent BENAYOUN.
      
       5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to
          properly describe the device's capabilities, from Joe Stringer.
      
       6) Fix memory leaks and checksum miscalculations in openvswitch, from
          Pravin B SHelar and Jesse Gross.
      
       7) FIB rules passes back ambiguous error code for unreachable routes,
          making behavior confusing for userspace.  Fix from Panu Matilainen.
      
       8) ieee802154fake_probe() doesn't release resources properly on error,
          from Alexey Khoroshilov.
      
       9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann.
      
      10) Fix access of stale slave pointers in bonding code, from Nikolay
          Aleksandrov.
      
      11) Fix stack info leak in PPP pptp code, from Mathias Krause.
      
      12) Cure locking bug in IPX stack, from Jiri Bohac.
      
      13) Revert SKB fclone memory freeing optimization that is racey and can
          allow accesses to freed up memory, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits)
        tcp: Restore RFC5961-compliant behavior for SYN packets
        net: Revert "net: avoid one atomic operation in skb_clone()"
        virtio-net: validate features during probe
        cxgb4 : Fix DCB priority groups being returned in wrong order
        ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
        openvswitch: Don't validate IPv6 label masks.
        pptp: fix stack info leak in pptp_getname()
        brcmfmac: don't include linux/unaligned/access_ok.h
        cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
        ipv6: delete protocol and unregister rtnetlink when cleanup
        net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
        bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
        mac80211: minstrel_ht: fix a crash in rate sorting
        vxlan: Inline vxlan_gso_check().
        can: m_can: update to support CAN FD features
        can: m_can: fix incorrect error messages
        can: m_can: add missing delay after setting CCCR_INIT bit
        can: m_can: fix not set can_dlc for remote frame
        can: m_can: fix possible sleep in napi poll
        can: m_can: add missing message RAM initialization
        ...
    • Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 928352e9
      Committed by Linus Torvalds
      Pull drm fixes from Dave Airlie:
       "Just two radeon and two intel fixes: endian and regression fixes"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/radeon: fix endian swapping in vbios fetch for tdp table
        drm/radeon: disable native backlight control on pre-r6xx asics (v2)
        drm/i915: Kick fbdev before vgacon
        drm/i915: drop WaSetupGtModeTdRowDispatch:snb
    • Merge tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 9a7e4f56
      Committed by Linus Torvalds
      Pull sound fixes from Takashi Iwai:
       "This batch ended up as a relatively high volume due to pending ASoC
        fixes.  But most of fixes there are trivial and/or device-specific
        fixes and quirks, so safe to apply.  The only (ASoC) core fixes are
        the DPCM race fix and the machine-driver matching fix for
        componentization"
      
      * tag 'sound-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - fix the mic mute led problem for Latitude E5550
        ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain
        ASoC: wm_adsp: Avoid attempt to free buffers that might still be in use
        ALSA: usb-audio: Set the Control Selector to SU_SELECTOR_CONTROL for UAC2
        ALSA: usb-audio: Add ctrl message delay quirk for Marantz/Denon devices
        ASoC: sgtl5000: Fix SMALL_POP bit definition
        ASoC: cs42l51: re-hook of_match_table pointer
        ASoC: rt5670: change dapm routes of PLL connection
        ASoC: rt5670: correct the incorrect default values
        ASoC: samsung: Add MODULE_DEVICE_TABLE for Snow
        ASoC: max98090: Correct pclk divisor settings
        ASoC: dpcm: Fix race between FE/BE updates and trigger
        ASoC: Fix snd_soc_find_dai() matching component by name
        ASoC: rsnd: remove unsupported PAUSE flag
        ASoC: fsi: remove unsupported PAUSE flag
        ASoC: rt5645: Mark RT5645_TDM_CTRL_3 as readable
        ASoC: rockchip-i2s: fix infinite loop in rockchip_snd_rxctrl
        ASoC: es8328-i2c: Fix i2c_device_id name field in es8328_id
        ASoC: fsl_asrc: Add reg_defaults for regmap to fix kernel dump
    • Merge tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f100a746
      Committed by Linus Torvalds
      Pull ACPI power management fix from Rafael Wysocki:
       "This is just a one-liner fixing a regression introduced in 3.13 that
        broke system suspend on some Chromebooks.
      
        On those machines there are ACPI device objects for some I2C devices
        that can wake up the system from sleep states, but that is done via a
        platform-specific mechanism and the ACPI objects don't contain any
        wakeup-related information.  When we started to use ACPI power
        management with those devices (which happened during the 3.13 cycle),
        their configuration confused the ACPI PM layer that returned error
        codes from suspend callbacks for them causing system suspend to fail.
      
        However, the ACPI PM layer can safely ignore the wakeup setting from a
        device driver if the ACPI object corresponding to the device in
        question doesn't contain wakeup information in which case the driver
        itself is responsible for setting up the device for system wakeup"
      
      * tag 'pm+acpi-3.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up
    • Merge tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 2e29a6d0
      Committed by Linus Torvalds
      Pull devicetree fixes from Rob Herring:
       "DeviceTree fixes for 3.18:
      
         - two fixes for OF selftest code
         - fix for PowerPC address parsing to disable work-around except on
           old PowerMACs
         - fix a crash when earlycon is enabled, but no device is found
         - DT documentation fixes and missing vendor prefixes
      
        All but the doc updates are also for stable"
      
      * tag 'devicetree-fixes-for-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of/selftest: Fix testing when /aliases is missing
        of/selftest: Fix off-by-one error in removal path
        documentation: pinctrl bindings: Fix trivial typo 'abitrary'
        devicetree: bindings: Add vendor prefix for Micron Technology, Inc.
        of: Add vendor prefix for Chips&Media, Inc.
        of/base: Fix PowerPC address parsing hack
        devicetree: vendor-prefixes.txt: fix whitespace
        of: Fix crash if an earlycon driver is not found
        of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text
        of: Spelling s/stucture/structure/
        devicetree: bindings: add sandisk to the vendor prefixes
    • Merge tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 08685897
      Committed by Linus Torvalds
      Pull PCI fixes from Bjorn Helgaas:
       "These are fixes for an issue with 64-bit PCI bus addresses on 32-bit
        PAE kernels, an APM X-Gene problem (it depended on a generic change we
        removed before merging), a fix for my hotplug device configuration
        changes, and a devicetree documentation update.
      
        Resource management:
          - Support 64-bit bridge windows if we have 64-bit dma_addr_t (Yinghai Lu)
      
        PCI device hotplug:
          - Apply _HPX Link Control settings to all devices with a link (Yinghai Lu)
      
        Generic host bridge driver:
          - Add DT binding for "linux,pci-domain" property (Lucas Stach)
      
        APM X-Gene:
          - Assign resources to bus before adding new devices (Duc Dang)"
      
      * tag 'pci-v3.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t
        PCI: Apply _HPX Link Control settings to all devices with a link
        PCI: Add missing DT binding for "linux,pci-domain" property
        PCI: xgene: Assign resources to bus before adding new devices
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · a46171d0
      Committed by Linus Torvalds
      Pull SCSI target fixes from Nicholas Bellinger:
       "Here are the target-pending fixes queued for v3.18-rc6.
      
        The highlights include:
      
         - target-core OOPs fix with tcm_qla2xxx + vxworks FC initiators +
           zero length SCSI commands having a transfer direction set.  (Roland
           + Craig Watson)
      
         - vhost-scsi OOPs fix to explicitly prevent WWPN endpoint configfs
           group removal while qemu still has an active reference.  (Paolo +
           nab)
      
         - ib_srpt fix for RDMA hardware with lower srp_sq_size limits.
           (Bart)
      
         - two ib_isert work-arounds for running on ocrdma hardware (Or + Sagi
           + Chris)
      
         - iscsi-target discovery portal typo + SPC-3 PR Preempt SA key
           matching fix (Steve)"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        IB/isert: Adjust CQ size to HW limits
        target: return CONFLICT only when SA key unmatched
        iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly
        ib_isert: Add max_send_sge=2 minimum for control PDU responses
        srp-target: Retry when QP creation fails with ENOMEM
        iscsi-target: return the correct port in SendTargets
        vhost-scsi: Take configfs group dependency during VHOST_SCSI_SET_ENDPOINT
        target: Don't call TFO->write_pending if data_length == 0
    • Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma · 4ec69c7e
      Committed by Linus Torvalds
      Pull dmaengine fixes from Vinod Koul:
       "We have couple of fixes for dmaengine queued up:
         - dma memcpy fix for dma configuration of sun6i by Maxime
         - pl330 fixes: First the fixing allocation for data buffers by Liviu
           and then Jon's fix for fifo width and usage"
      
      * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: Fix allocation size for PL330 data buffer depth.
        dmaengine: pl330: Limit MFIFO usage for memcpy to avoid exhausting entries
        dmaengine: pl330: Align DMA memcpy operations to MFIFO width
        dmaengine: sun6i: Fix memcpy operation
    • Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · e6a588d0
      Committed by Linus Torvalds
      Pull MIPS fixes from Ralf Baechle:
       "More 3.18 fixes for MIPS:
      
         - backtraces were not quite working on 64-bit kernels
         - loongson needs a different cache coherency setting
         - Loongson 3 is a MIPS64 R2 version but due to erratum we treat it as an
           older architecture revision.
         - fix build errors due to undefined references to __node_distances
           for certain configurations.
         - fix instruction decoding in the jump label code.
         - for certain configurations copy_{from,to}_user destroy the content
           of $3 so that register needs to be marked as clobbered by the calling
           code.
         - Hardware Table Walker fixes.
         - fill the delay slot of the last instruction of memcpy otherwise
           whatever ends up there randomly might have undesirable effects.
         - ensure get_user/__get_user always zero the variable to be read even
           in case of an error"
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: jump_label.c: Handle the microMIPS J instruction encoding
        MIPS: jump_label.c: Correct the span of the J instruction
        MIPS: Zero variable read by get_user / __get_user in case of an error.
        MIPS: lib: memcpy: Restore NOP on delay slot before returning to caller
        MIPS: tlb-r4k: Add missing HTW stop/start sequences
        MIPS: asm: uaccess: Add v1 register to clobber list on EVA
        MIPS: oprofile: Fix backtrace on 64-bit kernel
        MIPS: Loongson: Set Loongson-3's ISA level to MIPS64R1
        MIPS: Loongson: Fix the write-combine CCA value setting
        MIPS: IP27: Fix __node_distances undefined error
        MIPS: Loongson3: Fix __node_distances undefined error
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux · 4fc82c0a
      Committed by Linus Torvalds
      Pull powerpc fix from Michael Ellerman:
       "One fix from Scott, he says:
      
        This patch fixes a crash (introduced in v3.18-rc1) in the FSL MSI driver
        when threaded IRQs are enabled"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
        powerpc/fsl_msi: mark the msi cascade handler IRQF_NO_THREAD
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c6c9161d
      Committed by Linus Torvalds
      Pull x86 fixes from Thomas Gleixner:
       "Misc fixes:
         - gold linker build fix
         - noxsave command line parsing fix
         - bugfix for NX setup
         - microcode resume path bug fix
         - _TIF_NOHZ versus TIF_NOHZ bugfix as discussed in the mysterious
           lockup thread"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86, syscall: Fix _TIF_NOHZ handling in syscall_trace_enter_phase1
        x86, kaslr: Handle Gold linker for finding bss/brk
        x86, mm: Set NX across entire PMD at boot
        x86, microcode: Update BSPs microcode on resume
        x86: Require exact match for 'noxsave' command line option
    • Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8b2ed21e
      Committed by Linus Torvalds
      Pull scheduler fixes from Ingo Molnar:
       "Misc fixes: two NUMA fixes, two cputime fixes and an RCU/lockdep fix"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
        sched/cputime: Fix cpu_timer_sample_group() double accounting
        sched/numa: Avoid selecting oneself as swap target
        sched/numa: Fix out of bounds read in sched_init_numa()
        sched: Remove lockdep check in sched_move_task()
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 13f5004c
      Committed by Linus Torvalds
      Pull perf fixes from Ingo Molnar:
       "Misc fixes: two Intel uncore driver fixes, a CPU-hotplug fix and a
        build dependencies fix"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/intel/uncore: Fix boot crash on SBOX PMU on Haswell-EP
        perf/x86/intel/uncore: Fix IRP uncore register offsets on Haswell EP
        perf: Fix corruption of sibling list with hotplug
        perf/x86: Fix embarrasing typo
    • Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a64bb02f
      Committed by Linus Torvalds
      Pull core fix from Ingo Molnar:
       "Fix GENMASK macro shift overflow"
      
      Nobody seems to currently use GENMASK() to fill every single last bit
      (which is what overflows) in-tree, and gcc would warn about it, so we
      have that going for us.  But apparently there are pending changes that
      want this.
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        bitops: Fix shift overflow in GENMASK macros
    • tcp: Restore RFC5961-compliant behavior for SYN packets · 0c228e83
      Committed by Calvin Owens
      Commit c3ae62af ("tcp: should drop incoming frames without ACK
      flag set") was created to mitigate a security vulnerability in which a
      local attacker is able to inject data into locally-opened sockets by
      using TCP protocol statistics in procfs to quickly find the correct
      sequence number.
      
      This broke the RFC5961 requirement to send a challenge ACK in response
      to spurious RST packets, which was subsequently fixed by commit
      7b514a88 ("tcp: accept RST without ACK flag").
      
      Unfortunately, the RFC5961 requirement that spurious SYN packets be
      handled in a similar manner remains broken.
      
      RFC5961 section 4 states that:
      
         ... the handling of the SYN in the synchronized state SHOULD be
         performed as follows:
      
         1) If the SYN bit is set, irrespective of the sequence number, TCP
            MUST send an ACK (also referred to as challenge ACK) to the remote
            peer:
      
            <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
      
            After sending the acknowledgment, TCP MUST drop the unacceptable
            segment and stop processing further.
      
         By sending an ACK, the remote peer is challenged to confirm the loss
         of the previous connection and the request to start a new connection.
         A legitimate peer, after restart, would not have a TCB in the
         synchronized state.  Thus, when the ACK arrives, the peer should send
         a RST segment back with the sequence number derived from the ACK
         field that caused the RST.
      
         This RST will confirm that the remote peer has indeed closed the
         previous connection.  Upon receipt of a valid RST, the local TCP
         endpoint MUST terminate its connection.  The local TCP endpoint
         should then rely on SYN retransmission from the remote end to
         re-establish the connection.
      
      This patch lets SYN packets through the discard added in c3ae62af,
      so that spurious SYN packets are properly dealt with as per the RFC.
      
      The challenge ACK is sent unconditionally and is rate-limited, so the
      original vulnerability is not reintroduced by this patch.
      Signed-off-by: Calvin Owens <calvinowens@fb.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Revert "net: avoid one atomic operation in skb_clone()" · e7820e39
      Committed by Eric Dumazet
      Not sure what I was thinking, but doing anything after
      releasing a refcount is suicidal or/and embarrassing.
      
      By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
      could have released last reference and freed whole skb.
      
      We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.
      Reported-by: Chris Mason <clm@fb.com>
      Fixes: ce1a4ea3 ("net: avoid one atomic operation in skb_clone()")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 21 Nov, 2014 12 commits
  4. 20 Nov, 2014 9 commits
    • of/selftest: Fix testing when /aliases is missing · 788ec2fc
      Committed by Grant Likely
      The /aliases node isn't always present in the device tree, but the
      unittest code assumes that /aliases is there. Add a check when inserting
      the testcase data to see if of_aliases needs to be updated, and undo the
      settings when the nodes are removed.
      Signed-off-by: Grant Likely <grant.likely@linaro.org>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com>
      Cc: <stable@vger.kernel.org>
    • IB/isert: Adjust CQ size to HW limits · b1a5ad00
      Committed by Chris Moore
      isert has an issue of trying to create a CQ with more CQEs than are
      supported by the hardware, that currently results in failures during
      isert_device creation during first session login.
      
      This is the isert version of the patch that Minh Tran submitted for
      iser, and is simply a workaround required to function with existing
      ocrdma hardware.
      Signed-off-by: Chris Moore <chris.moore@emulex.com>
      Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
      Cc: <stable@vger.kernel.org> # 3.10+
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • Merge tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel into drm-fixes · 92ff59a6
      Committed by Dave Airlie
      two regression fixes.
      
      * tag 'drm-intel-fixes-2014-11-19' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: Kick fbdev before vgacon
        drm/i915: drop WaSetupGtModeTdRowDispatch:snb
    • ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up · 78579b7c
      Committed by Rafael J. Wysocki
      As reported by Dmitry, on some Chromebooks there are devices with
      corresponding ACPI objects and with unusual system wakeup
      configuration.  Namely, they technically are wakeup-capable, but the
      wakeup is handled via a platform-specific out-of-band mechanism and
      the ACPI PM layer has no information on the wakeup capability.  As
      a result, device_may_wakeup(dev) called from acpi_dev_suspend_late()
      returns 'true' for those devices, but the wakeup.flags.valid flag is
      unset for the corresponding ACPI device objects, so acpi_device_wakeup()
      reproducibly fails for them causing acpi_dev_suspend_late() to return
      an error code.  The entire system suspend is then aborted and the
      machines in question cannot suspend at all.
      
      Address the problem by ignoring the device_may_wakeup(dev) return
      value in acpi_dev_suspend_late() if the ACPI companion of the device
      being handled has wakeup.flags.valid unset (in which case it is clear
      that the wakeup is supposed to be handled by other means).
      
      This fixes a regression introduced by commit a76e9bd8 (i2c:
      attach/detach I2C client device to the ACPI power domain) as the
      affected systems could suspend and resume successfully before that
      commit.
      
      Fixes: a76e9bd8 (i2c: attach/detach I2C client device to the ACPI power domain)
      Reported-by: Dmitry Torokhov <dtor@chromium.org>
      Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
      Cc: 3.13+ <stable@vger.kernel.org> # 3.13+
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection · ee7255ad
      Committed by Anish Bhatt
      cxgb4i was returning wrong error and not releasing module reference if remote
      end abruptly closed TCP connection. This prevents the cxgb4 network module from
      being unloaded, further affecting other network drivers dependent on cxgb4
      
      Sending to net as this affects all cxgb4 based network drivers.
      Signed-off-by: Anish Bhatt <anish@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: delete protocol and unregister rtnetlink when cleanup · ffb1388a
      Committed by Duan Jiong
      pim6_protocol was added when initiation, but it is not deleted.
      Similarly, unregister RTNL_FAMILY_IP6MR rtnetlink.
      Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
      Reviewed-by: Cong Wang <cwang@twopensource.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • PCI: Support 64-bit bridge windows if we have 64-bit dma_addr_t · 7fc986d8
      Committed by Yinghai Lu
      Aaron reported that a 32-bit x86 kernel with Physical Address Extension
      (PAE) support complains about bridge prefetchable memory windows above 4GB:
      
        pci_bus 0000:00: root bus resource [mem 0x380000000000-0x383fffffffff]
        ...
        pci 0000:03:00.0: reg 0x10: [mem 0x383fffc00000-0x383fffdfffff 64bit pref]
        pci 0000:03:00.0: reg 0x20: [mem 0x383fffe04000-0x383fffe07fff 64bit pref]
        pci 0000:03:00.1: reg 0x10: [mem 0x383fffa00000-0x383fffbfffff 64bit pref]
        pci 0000:03:00.1: reg 0x20: [mem 0x383fffe00000-0x383fffe03fff 64bit pref]
        pci 0000:00:02.2: PCI bridge to [bus 03-04]
        pci 0000:00:02.2:   bridge window [io  0x1000-0x1fff]
        pci 0000:00:02.2:   bridge window [mem 0x91900000-0x91cfffff]
        pci 0000:00:02.2: can't handle 64-bit address space for bridge
      
      In this kernel, unsigned long is 32 bits and dma_addr_t is 64 bits.
      Previously we used "unsigned long" to hold the bridge window address.  But
      this is a bus address, so we should use dma_addr_t instead.
      
      Use dma_addr_t to hold the bridge window base and limit.
      
      The question of whether the CPU can actually *address* the window is
      separate and depends on what the physical address space of the CPU is and
      whether the host bridge does any address translation.
      
      [bhelgaas: fix "shift count > width of type", changelog, stable tag]
      Fixes: d56dbf5b ("PCI: Allocate 64-bit BARs above 4G when possible")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=88131
      Reported-by: Aaron Ma <mapengyu@gmail.com>
      Tested-by: Aaron Ma <mapengyu@gmail.com>
      Signed-off-by: Yinghai Lu <yinghai@kernel.org>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      CC: stable@vger.kernel.org	# v3.14+
    • Merge tag 'mac80211-for-john-2014-11-18' of... · 6158fb37
      Committed by John W. Linville
      Merge tag 'mac80211-for-john-2014-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg <johannes@sipsolutions.net> says:
      
      "Here's another last minute fix, for minstrel HT crashing
      depending on the value of some uninitialised stack."
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • Merge tag 'linux-can-fixes-for-3.18-20141118' of git://gitorious.org/linux-can/linux-can · ddecab1a
      Committed by David S. Miller
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2014-11-18
      
      this is a pull request of 17 patches for net/master for the v3.18 release
      cycle.
      
      The last patch of this pull request ("can: m_can: update to support CAN FD
      features") adds, as the description says, a new feature to the m_can driver. As
      the m_can driver has been added in v3.18 there is no risk of causing a
      regression. Give me a note if this is not okay and I'll create a new pull
      request without it.
      
      There is a patch for the CAN infrastructure by Thomas Körper which fixes
      calling kfree_skb() from interrupt context. Roman Fietze fixes a typo also in
      the infrastructure. A patch by Dong Aisheng adds a generic helper function to
      tell if a skb is normal CAN or CAN-FD frame. Alexey Khoroshilov of the Linux
      Driver Verification project fixes a memory leak in the esd_usb2 driver. Two
      patches by Sudip Mukherjee remove unused variables and fix the signedness of a
      variable. Three patches by me add the missing .ndo_change_mtu callback to the
      xilinx_can, rcar_can and gs_usb driver.
      
      The remaining patches improve the m_can driver: David Cohen adds the missing
      CONFIG_HAS_IOMEM dependency. Dong Aisheng provides 6 bugfix patches (most
      important: missing RAM init, sleep in NAPI poll, dlc in RTR). While the last of
      his patches adds CAN FD support to the driver.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>