1. 13 1月, 2017 2 次提交
    • M
      mac80211: prevent skb/txq mismatch · dbef5362
      Michal Kazior 提交于
      Station structure is considered as not uploaded
      (to driver) until drv_sta_state() finishes. This
      call is however done after the structure is
      attached to mac80211 internal lists and hashes.
      This means mac80211 can lookup (and use) station
      structure before it is uploaded to a driver.
      
      If this happens (structure exists, but
      sta->uploaded is false) fast_tx path can still be
      taken. Deep in the fastpath call the sta->uploaded
      is checked against to derive "pubsta" argument for
      ieee80211_get_txq(). If sta->uploaded is false
      (and sta is actually non-NULL) ieee80211_get_txq()
      effectively downgraded to vif->txq.
      
      At first glance this may look innocent but coerces
      mac80211 into a state that is almost guaranteed
      (codel may drop offending skb) to crash because a
      station-oriented skb gets queued up on
      vif-oriented txq. The ieee80211_tx_dequeue() ends
      up looking at info->control.flags and tries to use
      txq->sta which in the fail case is NULL.
      
      It's probably pointless to pretend one can
      downgrade skb from sta-txq to vif-txq.
      
      Since downgrading unicast traffic to vif->txq must
      not be done there's no txq to put a frame on if
      sta->uploaded is false. Therefore the code is made
      to fall back to regular tx() op path if the
      described condition is hit.
      
      Only drivers using wake_tx_queue were affected.
      
      Example crash dump before fix:
      
       Unable to handle kernel paging request at virtual address ffffe26c
       PC is at ieee80211_tx_dequeue+0x204/0x690 [mac80211]
       [<bf4252a4>] (ieee80211_tx_dequeue [mac80211]) from
       [<bf4b1388>] (ath10k_mac_tx_push_txq+0x54/0x1c0 [ath10k_core])
       [<bf4b1388>] (ath10k_mac_tx_push_txq [ath10k_core]) from
       [<bf4bdfbc>] (ath10k_htt_txrx_compl_task+0xd78/0x11d0 [ath10k_core])
       [<bf4bdfbc>] (ath10k_htt_txrx_compl_task [ath10k_core])
       [<bf51c5a4>] (ath10k_pci_napi_poll+0x54/0xe8 [ath10k_pci])
       [<bf51c5a4>] (ath10k_pci_napi_poll [ath10k_pci]) from
       [<c0572e90>] (net_rx_action+0xac/0x160)
      Reported-by: NMohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
      Signed-off-by: NMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      dbef5362
    • F
      mac80211: initialize SMPS field in HT capabilities · 43071d8f
      Felix Fietkau 提交于
      ibss and mesh modes copy the ht capabilites from the band without
      overriding the SMPS state. Unfortunately the default value 0 for the
      SMPS field means static SMPS instead of disabled.
      
      This results in HT ibss and mesh setups using only single-stream rates,
      even though SMPS is not supposed to be active.
      
      Initialize SMPS to disabled for all bands on ieee80211_hw_register to
      ensure that the value is sane where it is not overriden with the real
      SMPS state.
      Reported-by: NElektra Wagenrad <onelektra@gmx.net>
      Signed-off-by: NFelix Fietkau <nbd@nbd.name>
      [move VHT TODO comment to a better place]
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      43071d8f
  2. 11 1月, 2017 5 次提交
    • J
      mac80211: recalculate min channel width on VHT opmode changes · d2941df8
      Johannes Berg 提交于
      When an associated station changes its VHT operating mode this
      can/will affect the bandwidth it's using, and consequently we
      must recalculate the minimum bandwidth we need to use. Failure
      to do so can lead to one of two scenarios:
       1) we use a too high bandwidth, this is benign
       2) we use a too narrow bandwidth, causing rate control and
          actual PHY configuration to be out of sync, which can in
          turn cause problems/crashes
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      d2941df8
    • J
      mac80211: calculate min channel width correctly · 96aa2e7c
      Johannes Berg 提交于
      In the current minimum chandef code there's an issue in that the
      recalculation can happen after rate control is initialized for a
      station that has a wider bandwidth than the current chanctx, and
      then rate control can immediately start using those higher rates
      which could cause problems.
      
      Observe that first of all that this problem is because we don't
      take non-associated and non-uploaded stations into account. The
      restriction to non-associated is quite pointless and is one of
      the causes for the problem described above, since the rate init
      will happen before the station is set to associated; no frames
      could actually be sent until associated, but the rate table can
      already contain higher rates and that might cause problems.
      
      Also, rejecting non-uploaded stations is wrong, since the rate
      control can select higher rates for those as well.
      
      Secondly, it's then necessary to recalculate the minimal config
      before initializing rate control, so that when rate control is
      initialized, the higher rates are already available. This can be
      done easily by adding the necessary function call in rate init.
      
      Change-Id: Ib9bc02d34797078db55459d196993f39dcd43070
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      96aa2e7c
    • B
      cfg80211: consider VHT opmode on station update · 06f7c88c
      Beni Lev 提交于
      Currently, this attribute is only fetched on station addition, but
      not on station change. Since this info is only present in the assoc
      request, with full station state support in the driver it cannot be
      present when the station is added.
      
      Thus, add support for changing the VHT opmode on station update if
      done before (or while) the station is marked as associated. After
      this, ignore it, since it used to be ignored.
      Signed-off-by: NBeni Lev <beni.lev@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      06f7c88c
    • E
      mac80211: fix the TID on NDPs sent as EOSP carrier · d7f84244
      Emmanuel Grumbach 提交于
      In the commit below, I forgot to translate the mac80211's
      AC to QoS IE order. Moreover, the condition in the if was
      wrong. Fix both issues.
      This bug would hit only with clients that didn't set all
      the ACs as delivery enabled.
      
      Fixes: f438ceb8 ("mac80211: uapsd_queues is in QoS IE order")
      Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      d7f84244
    • C
      mac80211: Fix headroom allocation when forwarding mesh pkt · c38c39bf
      Cedric Izoard 提交于
      This patch fix issue introduced by my previous commit that
      tried to ensure enough headroom was present, and instead
      broke it.
      
      When forwarding mesh pkt, mac80211 may also add security header,
      and it must therefore be taken into account in the needed headroom.
      
      Fixes: d8da0b5d ("mac80211: Ensure enough headroom when forwarding mesh pkt")
      Signed-off-by: NCedric Izoard <cedric.izoard@ceva-dsp.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      c38c39bf
  3. 09 1月, 2017 6 次提交
  4. 08 1月, 2017 2 次提交
    • M
      tg3: Fix race condition in tg3_get_stats64(). · f5992b72
      Michael Chan 提交于
      The driver's ndo_get_stats64() method is not always called under RTNL.
      So it can race with driver close or ethtool reconfigurations.  Fix the
      race condition by taking tp->lock spinlock in tg3_free_consistent()
      when freeing the tp->hw_stats memory block.  tg3_get_stats64() is
      already taking tp->lock.
      Reported-by: NWang Yufen <wangyufen@huawei.com>
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f5992b72
    • I
      be2net: fix unicast list filling · 6052cd1a
      Ivan Vecera 提交于
      The adapter->pmac_id[0] item is used for primary MAC address but
      this is not true for adapter->uc_list[0] as is assumed in
      be_set_uc_list(). There are N UC addresses copied first from net_device
      to adapter->uc_list[1..N] and then N UC addresses from
      adapter->uc_list[0..N-1] are sent to HW. So the last UC address is never
      stored into HW and address 00:00:00:00;00:00 (from uc_list[0]) is used
      instead.
      
      Cc: Sathya Perla <sathya.perla@broadcom.com>
      Cc: Ajit Khaparde <ajit.khaparde@broadcom.com>
      Cc: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
      Cc: Somnath Kotur <somnath.kotur@broadcom.com>
      Fixes: b7172414 be2net: replace polling with sleeping in the FW completion path
      Signed-off-by: NIvan Vecera <cera@cera.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6052cd1a
  5. 07 1月, 2017 8 次提交
  6. 06 1月, 2017 2 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · d896b312
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains accumulated Netfilter fixes for your
      net tree:
      
      1) Ensure quota dump and reset happens iff we can deliver numbers to
         userspace.
      
      2) Silence splat on incorrect use of smp_processor_id() from nft_queue.
      
      3) Fix an out-of-bound access reported by KASAN in
         nf_tables_rule_destroy(), patch from Florian Westphal.
      
      4) Fix layer 4 checksum mangling in the nf_tables payload expression
         with IPv6.
      
      5) Fix a race in the CLUSTERIP target from control plane path when two
         threads run to add a new configuration object. Serialize invocations
         of clusterip_config_init() using spin_lock. From Xin Long.
      
      6) Call br_nf_pre_routing_finish_bridge_finish() once we are done with
         the br_nf_pre_routing_finish() hook. From Artur Molchanov.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d896b312
    • Z
      r8169: fix the typo in the comment · 9b60047a
      Zhu Yanjun 提交于
      >From the realtek data sheet, the PID0 should be bit 0.
      Signed-off-by: NZhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9b60047a
  7. 05 1月, 2017 15 次提交
    • J
      nl80211: fix sched scan netlink socket owner destruction · 753aacfd
      Johannes Berg 提交于
      A single netlink socket might own multiple interfaces *and* a
      scheduled scan request (which might belong to another interface),
      so when it goes away both may need to be destroyed.
      
      Remove the schedule_scan_stop indirection to fix this - it's only
      needed for interface destruction because of the way this works
      right now, with a single work taking care of all interfaces.
      
      Cc: stable@vger.kernel.org
      Fixes: 93a1e86c ("nl80211: Stop scheduled scan if netlink client disappears")
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      753aacfd
    • L
      Merge tag 'xfs-for-linus-4.10-rc3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · e02003b5
      Linus Torvalds 提交于
      Pull xfs fixes from Darrick Wong:
      
       - fixes for crashes and double-cleanup errors
      
       - XFS maintainership handover
      
       - fix to prevent absurdly large block reservations
      
       - fix broken sysfs getter/setters
      
      * tag 'xfs-for-linus-4.10-rc3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix max_retries _show and _store functions
        xfs: update MAINTAINERS
        xfs: fix crash and data corruption due to removal of busy COW extents
        xfs: use the actual AG length when reserving blocks
        xfs: fix double-cleanup when CUI recovery fails
      e02003b5
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4cf18463
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) stmmac_drv_probe() can race with stmmac_open() because we register
          the netdevice too early. Fix from Florian Fainelli.
      
       2) UFO handling in __ip6_append_data() and ip6_finish_output() use
          different tests for deciding whether a frame will be fragmented or
          not, put them in sync. Fix from Zheng Li.
      
       3) The rtnetlink getstats handlers need to validate that the netlink
          request is large enough, fix from Mathias Krause.
      
       4) Use after free in mlx4 driver, from Jack Morgenstein.
      
       5) Fix setting of garbage UID value in sockets during setattr() calls,
          from Eric Biggers.
      
       6) Packet drop_monitor doesn't format the netlink messages properly
          such that nlmsg_next fails to work, fix from Reiter Wolfgang.
      
       7) Fix handling of wildcard addresses in l2tp lookups, from Guillaume
          Nault.
      
       8) __skb_flow_dissect() can crash on pptp packets, from Ian Kumlien.
      
       9) IGMP code doesn't reset group query timers properly, from Michal
          Tesar.
      
      10) Fix overzealous MAIN/LOCAL route table combining in ipv4, from
          Alexander Duyck.
      
      11) vxlan offload check needs to be more strict in be2net driver, from
          Sabrina Dubroca.
      
      12) Moving l3mdev to packet hooks lost RX stat counters unintentionally,
          fix from David Ahern.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
        sh_eth: enable RX descriptor word 0 shift on SH7734
        sfc: don't report RX hash keys to ethtool when RSS wasn't enabled
        dpaa_eth: Initialize CGR structure before init
        dpaa_eth: cleanup after init_phy() failure
        net: systemport: Pad packet before inserting TSB
        net: systemport: Utilize skb_put_padto()
        LiquidIO VF: s/select/imply/ for PTP_1588_CLOCK
        libcxgb: fix error check for ip6_route_output()
        net: usb: asix_devices: add .reset_resume for USB PM
        net: vrf: Add missing Rx counters
        drop_monitor: consider inserted data in genlmsg_end
        benet: stricter vxlan offloading check in be_features_check
        ipv4: Do not allow MAIN to be alias for new LOCAL w/ custom rules
        net: macb: Updated resource allocation function calls to new version of API.
        net: stmmac: dwmac-oxnas: use generic pm implementation
        net: stmmac: dwmac-oxnas: fix fixed-link-phydev leaks
        net: stmmac: dwmac-oxnas: fix of-node leak
        Documentation/networking: fix typo in mpls-sysctl
        igmp: Make igmp group member RFC 3376 compliant
        flow_dissector: Update pptp handling to avoid null pointer deref.
        ...
      4cf18463
    • S
      sh_eth: enable RX descriptor word 0 shift on SH7734 · 71eae1ca
      Sergei Shtylyov 提交于
      The RX descriptor word 0 on SH7734 has the RFS[9:0] field in bits 16-25
      (bits  0-15 usually used for that are occupied by the packet checksum).
      Thus  we need to set the 'shift_rd0'  field in the SH7734 SoC data...
      
      Fixes: f0e81fec ("net: sh_eth: Add support SH7734")
      Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      71eae1ca
    • E
      sfc: don't report RX hash keys to ethtool when RSS wasn't enabled · 4fdda958
      Edward Cree 提交于
      If we failed to set up RSS on EF10 (e.g. because firmware declared
       RX_RSS_LIMITED), ethtool --show-nfc $dev rx-flow-hash ... should report
       no fields, rather than confusingly reporting what fields we _would_ be
       hashing on if RSS was working.
      
      Fixes: dcb4123c ("sfc: disable RSS when unsupported")
      Signed-off-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4fdda958
    • D
      Merge branch 'dpaa_eth-fixes' · aa9773be
      David S. Miller 提交于
      Madalin Bucur says:
      
      ====================
      dpaa_eth: a couple of fixes
      
      Add cleanup on PHY initialization failure path, avoid using
      uninitialized memory at CGR init.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aa9773be
    • R
      dpaa_eth: Initialize CGR structure before init · 0fbb0f24
      Roy Pledge 提交于
      The QBMan CGR options needs to be zeroed before calling the init
      function
      Signed-off-by: NRoy Pledge <roy.pledge@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0fbb0f24
    • M
      3fe61f09
    • D
      Merge branch 'systemport-padding-and-TSB-insertion' · c030af87
      David S. Miller 提交于
      Florian Fainelli says:
      
      ====================
      net: systemport: Fix padding vs. TSB insertion
      
      This patch series fixes how we pad the packets submitted to the SYSTEMPORT
      adapter, and how the transmit status block (prepended 8 bytes) fits in the
      picture. The first patch is not technically a bug fix, but is required for the
      second path to be applied and to greatly simplify the skb length calculation.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c030af87
    • F
      net: systemport: Pad packet before inserting TSB · 38e5a855
      Florian Fainelli 提交于
      Inserting the TSB means adding an extra 8 bytes in front the of packet
      that is going to be used as metadata information by the TDMA engine, but
      stripped off, so it does not really help with the packet padding.
      
      For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP)
      we can end-up padding them after the TSB insertion, thus making them 64
      bytes, but with the TDMA stripping off the first 8 bytes, they could
      still be smaller than 64 bytes which is required to ingress the switch.
      
      Fix this by swapping the padding and TSB insertion, guaranteeing that
      the packets have the right sizes.
      
      Fixes: 80105bef ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      38e5a855
    • F
      net: systemport: Utilize skb_put_padto() · bb7da333
      Florian Fainelli 提交于
      Since we need to pad our packets, utilize skb_put_padto() which
      increases skb->len by how much we need to pad, allowing us to eliminate
      the test on skb->len right below.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bb7da333
    • N
      LiquidIO VF: s/select/imply/ for PTP_1588_CLOCK · cd7aeb1f
      Nicolas Pitre 提交于
      Fix a minor fallout from the merge of the timers and the networking
      trees. The following error may result if the PTP_1588_CLOCK
      prerequisites are not available:
      
      drivers/built-in.o: In function `ptp_clock_unregister':
      (.text+0x40e0a5): undefined reference to `pps_unregister_source'
      drivers/built-in.o: In function `ptp_clock_unregister':
      (.text+0x40e0cc): undefined reference to `posix_clock_unregister'
      drivers/built-in.o: In function `ptp_clock_event':
      (.text+0x40e249): undefined reference to `pps_event'
      drivers/built-in.o: In function `ptp_clock_register':
      (.text+0x40e5e1): undefined reference to `pps_register_source'
      drivers/built-in.o: In function `ptp_clock_register':
      (.text+0x40e62c): undefined reference to `posix_clock_register'
      drivers/built-in.o: In function `ptp_clock_register':
      (.text+0x40e68d): undefined reference to `pps_unregister_source'
      Signed-off-by: NNicolas Pitre <nico@linaro.org>
      Acked-by: NRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cd7aeb1f
    • V
      libcxgb: fix error check for ip6_route_output() · a9a8cdb3
      Varun Prakash 提交于
      ip6_route_output() never returns NULL so
      check dst->error instead of !dst.
      Signed-off-by: NVarun Prakash <varun@chelsio.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a9a8cdb3
    • P
      net: usb: asix_devices: add .reset_resume for USB PM · 63dfb0da
      Peter Chen 提交于
      The USB core may call reset_resume when it fails to resume asix device.
      And USB core can recovery this abnormal resume at low level driver,
      the same .resume at asix driver can work too. Add .reset_resume can
      avoid disconnecting after backing from system resume, and NFS can
      still be mounted after this commit.
      Signed-off-by: NPeter Chen <peter.chen@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63dfb0da
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 62f8c405
      Linus Torvalds 提交于
      Pull block layer fixes from Jens Axboe:
       "A set of fixes for the current series, one fixing a regression with
        block size < page cache size in the alias series from Jan. Outside of
        that, two small cleanups for wbt from Bart, a nvme pull request from
        Christoph, and a few small fixes of documentation updates"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: fix up io_poll documentation
        block: Avoid that sparse complains about context imbalance in __wbt_wait()
        block: Make wbt_wait() definition consistent with declaration
        clean_bdev_aliases: Prevent cleaning blocks that are not in block range
        genhd: remove dead and duplicated scsi code
        block: add back plugging in __blkdev_direct_IO
        nvmet/fcloop: remove some logically dead code performing redundant ret checks
        nvmet: fix KATO offset in Set Features
        nvme/fc: simplify error handling of nvme_fc_create_hw_io_queues
        nvme/fc: correct some printk information
        nvme/scsi: Remove START STOP emulation
        nvme/pci: Delete misleading queue-wrap comment
        nvme/pci: Fix whitespace problem
        nvme: simplify stripe quirk
        nvme: update maintainers information
      62f8c405