1. 20 4月, 2013 14 次提交
    • B
      net: qmi_wwan: prevent duplicate mac address on link (firmware bug workaround) · cc6ba5fd
      Bjørn Mork 提交于
      We normally trust and use the CDC functional descriptors provided by a
      number of devices.  But some of these will erroneously list the address
      reserved for the device end of the link.  Attempting to use this on
      both the device and host side will naturally not work.
      
      Work around this bug by ignoring the functional descriptor and assign a
      random address instead in this case.
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cc6ba5fd
    • B
      net: qmi_wwan: fixup destination address (firmware bug workaround) · 6483bdc9
      Bjørn Mork 提交于
      Received packets are sometimes addressed to 00:a0:c6:00:00:00
      instead of the address the device firmware should have learned
      from the host:
      
      321.224126 77.16.85.204 -> 148.122.171.134 ICMP 98 Echo (ping) request  id=0x4025, seq=64/16384, ttl=64
      
      0000  82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00   .....g.....g..E.
      0010  00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a   .T..@.@.W.M.U..z
      0020  ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00   ....b.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      
      321.240607 148.122.171.134 -> 77.16.85.204 ICMP 98 Echo (ping) reply    id=0x4025, seq=64/16384, ttl=55
      
      0000  00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00   .......P......E.
      0010  00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10   .T.V..7..v.z..M.
      0020  55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00   U...j.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      
      The bogus address is always the same, and matches the address
      suggested by many devices as a default address.  It is likely a
      hardcoded firmware default.
      
      The circumstances where this bug has been observed indicates that
      the trigger is related to timing or some other factor the host
      cannot control. Repeating the exact same configuration sequence
      that caused it to trigger once, will not necessarily cause it to
      trigger the next time. Reproducing the bug is therefore difficult.
      This opens up a possibility that the bug is more common than we can
      confirm, because affected devices often will work properly again
      after a reset.  A procedure most users are likely to try out before
      reporting a bug.
      
      Unconditionally rewriting the destination address if the first digit
      of the received packet is 0, is considered an acceptable compromise
      since we already have to inspect this digit.  The simplification will
      cause unnecessary rewrites if the real address starts with 0, but this
      is still better than adding additional tests for this particular case.
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6483bdc9
    • B
      net: qmi_wwan: fixup missing ethernet header (firmware bug workaround) · 6ff509af
      Bjørn Mork 提交于
      A number of LTE devices from different vendors all suffer from the
      same firmware bug: Most of the packets received from the device while
      it is attached to a LTE network will not have an ethernet header. The
      devices work as expected when attached to 2G or 3G networks, sending
      an ethernet header with all packets.
      
      This driver is not aware of which network the modem attached to, and
      even if it were there are still some packet types which are always
      received with the header intact.
      
      All devices supported by this driver have severely limited
      networking capabilities:
       - can only transmit IPv4, IPv6 and possibly ARP
       - can only support a single host hardware address at any time
       - will only do point-to-point communcation with the host
      
      Because of this, we are able to reliably identify any bogus raw IP
      packets by simply looking at the 4 IP version bits.  All we need to
      do is to avoid 4 or 6 in the first digit of the mac address.  This
      workaround ensures this, and fix up the received packets as necessary.
      
      Given the distribution of the bug, it is believed that the source is
      the chipset vendor.  The devices which are verified to be affected are:
       Huawei E392u-12 (Qualcomm MDM9200)
       Pantech UML290  (Qualcomm MDM9600)
       Novatel USB551L (Qualcomm MDM9600)
       Novatel E362    (Qualcomm MDM9600)
      
      It is believed that the bug depend on firmware revision, which means
      that possibly all devices based on the above mentioned chipset may be
      affected if we consider all available firmware revisions.
      
      The information about affected devices and versions is likely
      incomplete.  As the additional overhead for packets not needing this
      fixup is very small, it is considered acceptable to apply the
      workaround to all devices handled by this driver.
      Reported-by: NDan Williams <dcbw@redhat.com>
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6ff509af
    • D
      Merge branch 'bonding' · 0cb670ee
      David S. Miller 提交于
      Nikolay Aleksandrov says:
      
      ====================
      This patch-set fixes mainly bugs on enslave failure and one occasion
      of a needed locking. The patches are:
      
      	1. On enslave failure mc addresses are not flushed from the slave
      	2. On enslave failure vlans are not cleaned up from the slave
      	3. On enslave failure the bond's primary and curr_active_slave
      	   are not cleaned up (which might result in use of freed memory)
      	4. On enslave failure netpoll is not disabled which might result in
      	   a memory leak
      	5. In bond_mc_swap() the bond's mc addr list is walked without
      	   netif_addr_lock, since it can be called without rtnl, add it
      
      v2: patch 01 - fix log message and remove unnecessary code move
      ====================
      Signed-off-by: NJay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0cb670ee
    • N
      bonding: in bond_mc_swap() bond's mc addr list is walked without lock · d632ce98
      nikolay@redhat.com 提交于
      Use netif_addr_lock_bh() to acquire the appropriate lock before walking.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d632ce98
    • N
      bonding: disable netpoll on enslave failure · fc7a72ac
      nikolay@redhat.com 提交于
      slave_disable_netpoll() is not called upon enslave failure which would
      lead to a memory leak. Call slave_disable_netpoll() after err_detach as
      that's the first error path after enabling netpoll on that slave.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fc7a72ac
    • N
      bonding: primary_slave & curr_active_slave are not cleaned on enslave failure · 3c5913b5
      nikolay@redhat.com 提交于
      On enslave failure primary_slave can point to new_slave which is to be
      freed, and the same applies to curr_active_slave. So check if this is
      the case and clean up properly after err_detach because that's the first
      error code path after they're set.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3c5913b5
    • N
      bonding: vlans don't get deleted on enslave failure · a506e7b4
      nikolay@redhat.com 提交于
      The main problem is with vid refcount which only gets bumped up.
      Delete the vlans after err_detach as that's the first error path
      after the vlans are added.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a506e7b4
    • N
      bonding: mc addresses don't get deleted on enslave failure · 25e40305
      nikolay@redhat.com 提交于
      Add bond_mc_list_flush() after err_detach as that's the first error path
      after the addresses are added. The main issue is the mc addresses' refcount
      which only gets bumped up.
      
      v2: update log message and don't move code unnecessarily
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      25e40305
    • W
      pkt_sched: fix error return code in fw_change_attrs() · cb95ec62
      Wei Yongjun 提交于
      Fix to return -EINVAL when tb[TCA_FW_MASK] is set and head->mask != 0xFFFFFFFF
      instead of 0 (ifdef CONFIG_NET_CLS_IND and tb[TCA_FW_INDEV]), as done elsewhere
      in this function.
      Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cb95ec62
    • D
      irda: small read past the end of array in debug code · e15465e1
      Dan Carpenter 提交于
      The "reason" can come from skb->data[] and it hasn't been capped so it
      can be from 0-255 instead of just 0-6.  For example in irlmp_state_dtr()
      the code does:
      
      	reason = skb->data[3];
      	...
      	irlmp_disconnect_indication(self, reason, skb);
      
      Also LMREASON has a couple other values which don't have entries in the
      irlmp_reasons[] array.  And 0xff is a valid reason as well which means
      "unknown".
      
      So far as I can see we don't actually care about "reason" except for in
      the debug code.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e15465e1
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fd7fc253
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      If time allows, please consider pulling the following patchset contains two
      late Netfilter fixes, they are:
      
      * Skip broadcast/multicast locally generated traffic in the rpfilter,
        (closes netfilter bugzilla #814), from Florian Westphal.
      
      * Fix missing elements in the listing of ipset bitmap ip,mac set
        type with timeout support enabled, from Jozsef Kadlecsik.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fd7fc253
    • D
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 6a4cd3fd
      David S. Miller 提交于
      John W. Linville says:
      
      ====================
      A few stragglers hoping for 3.9, somewhat delayed due to my travels...
      
      On the mac80211 bits, Johannes says:
      
      "Sadly, I have another pull request -- the idle handling fix broke LED
      handling in some cases."
      
      and:
      
      "Yet one more!
      
      This fixes a fairly important/annoying bug -- when roaming between
      multiple APs of the same network, the system could get stuck thinking it
      was connected to the old one while it really wasn't."
      
      On top of that...
      
      Arend sends a brcmfmac patch that removes advertising a feature that
      isn't actually fully supported, and a brcmsmac patch that rearranges
      code to request firmware at IFF_UP to play more nicely with being
      built into the kernel.
      
      Felix gives us a minor ath9k_htc fix to support the newly released
      open source firmware, and an ath9k_hw initvals fix to improve device
      stability.
      
      Rafał Miłecki provides a fix for an ssb regression that caused a
      serious performance problem with b43.
      
      Zefir Kurtisi offers an ath9k fix to change some kmalloc flags to
      allow the DFS detector to be called in softirq context.
      
      Please let me know if there are problems.  If these don't make 3.9,
      I'll just pull them into wireless-next -- just let me know if you
      want to do it that way!
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6a4cd3fd
    • E
      tcp: call tcp_replace_ts_recent() from tcp_ack() · 12fb3dd9
      Eric Dumazet 提交于
      commit bd090dfc (tcp: tcp_replace_ts_recent() should not be called
      from tcp_validate_incoming()) introduced a TS ecr bug in slow path
      processing.
      
      1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200>
      2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001>
      3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      
      (ecr 200 should be ecr 300 in packets 3 & 4)
      
      Problem is tcp_ack() can trigger send of new packets (retransmits),
      reflecting the prior TSval, instead of the TSval contained in the
      currently processed incoming packet.
      
      Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the
      checks, but before the actions.
      Reported-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      12fb3dd9
  2. 19 4月, 2013 13 次提交
  3. 18 4月, 2013 5 次提交
  4. 17 4月, 2013 8 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fca83168
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix erroneous netfilter drop of SIP packets generated by some Cisco
          phones, from Patrick McHardy.
      
       2) Fix netfilter IPSET refcounting in list_set_add(), from Jozsef
          Kadlecsik.
      
       3) Fix TCP syncookies route lookup key, we don't use the same values we
          would use for the usual SYN receive processing, from Dmitry Popov.
      
       4) Fix NULL deref in bond_slave_netdev_event(), from Nikolay
          Aleksandrov.
      
       5) When bonding enslave fails, we can forget to clear the IFF_BONDING
          bit, fix also from Nikolay Aleksandrov.
      
       6) skb->csum_start is 16-bits, which is almost always just fine.  But
          if we reallocate the headroom of an SKB this can push the
          skb->csum_start value outside of it's valid range.  This can easily
          happen when collapsing multiple SKBs from the retransmit queue
          together.
      
          Fix from Thomas Graf.
      
       7) Fix NULL deref in be2net driver due to missing check of
          __vlan_put_tag() return value, from Ivan Vecera.
      
       8) tun_set_iff() returns zero instead of error code on failure, fix
          from Wei Yongjun.
      
       9) Like GARP, 802 MRP needs to hold the app->lock when adding MAD
          events and queueing PDUs.  Fix from David Ward.
      
      10) Build fix, MVMDIO needs PHYLIB, from Thomas Petazzoni..
      
      11) Fix mac80211 static with ipv6 modular build, from Cong Wang.
      
      12) If userland specifies a path cost explicitly, do not override it
          when the carrier state changes.  From Stephen Hemminger.
      
      13) mvnets calculates the TX queue to use incorrectly resulting in
          garbage pointer derefs and crashes, fix from Willy Tarreau.
      
      14) cdc_mbim does erroneous sizeof(ETH_HLEN).  Fix from Bjorn Mork.
      
      15) IP fragmentation can leak a refcount-less route out from an RCU
          protected section.  This results in crashes and all sorts of hard to
          diagnose behavior.  Fix from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
        qlcnic: fix beaconing test for 82xx adapter
        net: drop dst before queueing fragments
        net: fec: fix regression in link change accounting
        net: cdc_mbim: remove bogus sizeof()
        drivers: net: ethernet: cpsw: get slave VLAN id from slave node instead of cpsw node
        net: mvneta: fix improper tx queue usage in mvneta_tx()
        esp4: fix error return code in esp_output()
        bridge: make user modified path cost sticky
        ipv6: statically link register_inet6addr_notifier()
        net: mvmdio: add select PHYLIB
        net/802/mrp: fix possible race condition when calling mrp_pdu_queue()
        tuntap: fix error return code in tun_set_iff()
        be2net: take care of __vlan_put_tag return value
        can: sja1000: fix handling on dt properties on little endian systems
        can: mcp251x: add missing IRQF_ONESHOT to request_threaded_irq
        netfilter: nf_nat: fix race when unloading protocol modules
        tcp: Reallocate headroom if it would overflow csum_start
        stmmac: prevent interrupt loop with MMC RX IPC Counter
        bonding: IFF_BONDING is not stripped on enslave failure
        bonding: fix netdev event NULL pointer dereference
        ...
      fca83168
    • L
      s390: move dummy io_remap_pfn_range() to asm/pgtable.h · 4f2e2903
      Linus Torvalds 提交于
      Commit b4cbb197 ("vm: add vm_iomap_memory() helper function") added
      a helper function wrapper around io_remap_pfn_range(), and every other
      architecture defined it in <asm/pgtable.h>.
      
      The s390 choice of <asm/io.h> may make sense, but is not very convenient
      for this case, and gratuitous differences like that cause unexpected errors like this:
      
         mm/memory.c: In function 'vm_iomap_memory':
         mm/memory.c:2439:2: error: implicit declaration of function 'io_remap_pfn_range' [-Werror=implicit-function-declaration]
      
      Glory be the kbuild test robot who noticed this, bisected it, and
      reported it to the guilty parties (ie me).
      
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4f2e2903
    • H
      qlcnic: fix beaconing test for 82xx adapter · 361cd29c
      Himanshu Madhani 提交于
      o Commit 319ecf12
        ("qlcnic: 83xx sysfs routines") introduced regression
        for beaconing test while refactoring 82xx code. This patch is to
        revert code to fix beaconing test for 82xx adapter.
      Signed-off-by: NHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: NShahed Shaikh <shahed.shaikh@qlogic.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      361cd29c
    • E
      net: drop dst before queueing fragments · 97599dc7
      Eric Dumazet 提交于
      Commit 4a94445c (net: Use ip_route_input_noref() in input path)
      added a bug in IP defragmentation handling, as non refcounted
      dst could escape an RCU protected section.
      
      Commit 64f3b9e2 (net: ip_expire() must revalidate route) fixed
      the case of timeouts, but not the general problem.
      
      Tom Parkin noticed crashes in UDP stack and provided a patch,
      but further analysis permitted us to pinpoint the root cause.
      
      Before queueing a packet into a frag list, we must drop its dst,
      as this dst has limited lifetime (RCU protected)
      
      When/if a packet is finally reassembled, we use the dst of the very
      last skb, still protected by RCU and valid, as the dst of the
      reassembled packet.
      
      Use same logic in IPv6, as there is no need to hold dst references.
      Reported-by: NTom Parkin <tparkin@katalix.com>
      Tested-by: NTom Parkin <tparkin@katalix.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      97599dc7
    • L
      Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · 542a6724
      Linus Torvalds 提交于
      Pull ARM fix from Russell King:
       "A build fix for an incomplete change to the ARM cpu suspend code"
      
      * branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: Do 15e0d9e3 (ARM: pm: let platforms select cpu_suspend support) properly
      542a6724
    • L
      Merge git://git.kernel.org/pub/scm/virt/kvm/kvm · 4be41343
      Linus Torvalds 提交于
      Pull kvm fixes from Marcelo Tosatti:
       "PPC and ARM KVM fixes"
      
      * git://git.kernel.org/pub/scm/virt/kvm/kvm:
        ARM: KVM: fix L_PTE_S2_RDWR to actually be Read/Write
        ARM: KVM: fix KVM_CAP_ARM_SET_DEVICE_ADDR reporting
        kvm/ppc/e500: eliminate tlb_refs
        kvm/ppc/e500: g2h_tlb1_map: clear old bit before setting new bit
        kvm/ppc/e500: h2g_tlb1_rmap: esel 0 is valid
        kvm/powerpc/e500mc: fix tlb invalidation on cpu migration
      4be41343
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes · de0024b6
      Linus Torvalds 提交于
      Pull powerpc fixes from Stephen Rothwell:
       "Three regresions in the PowerPC code.  One from v3.7 the others from
        this merge window."
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes:
        powerpc: add a missing label in resume_kernel
        powerpc: Fix audit crash due to save/restore PPR changes
        powerpc: fix compiling CONFIG_PPC_TRANSACTIONAL_MEM when CONFIG_ALTIVEC=n
      de0024b6
    • L
      Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · c208278c
      Linus Torvalds 提交于
      Pull kbuild fix from Michal Marek:
       "Fix for a missing dependency when generating scripts/mod/devicetable-offsets.h.
        This dependency got introduced in v3.9-rc1."
      
      * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        kbuild: generate generic headers before recursing into scripts
      c208278c