1. 05 12月, 2013 1 次提交
    • U
      cfg80211: fix WARN_ON for re-association to the expired BSS · 4c4d684a
      Ujjal Roy 提交于
      cfg80211 allows re-association in managed mode and if a user
      wants to re-associate to the same AP network after the time
      period of IEEE80211_SCAN_RESULT_EXPIRE, cfg80211 warns with
      the following message on receiving the connect result event.
      
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 13984 at net/wireless/sme.c:658
               __cfg80211_connect_result+0x3a6/0x3e0 [cfg80211]()
      Call Trace:
       [<ffffffff81747a41>] dump_stack+0x46/0x58
       [<ffffffff81045847>] warn_slowpath_common+0x87/0xb0
       [<ffffffff81045885>] warn_slowpath_null+0x15/0x20
       [<ffffffffa05345f6>] __cfg80211_connect_result+0x3a6/0x3e0 [cfg80211]
       [<ffffffff8107168b>] ? update_rq_clock+0x2b/0x50
       [<ffffffff81078c01>] ? update_curr+0x1/0x160
       [<ffffffffa05133d2>] cfg80211_process_wdev_events+0xb2/0x1c0 [cfg80211]
       [<ffffffff81079303>] ? pick_next_task_fair+0x63/0x170
       [<ffffffffa0513518>] cfg80211_process_rdev_events+0x38/0x90 [cfg80211]
       [<ffffffffa050f03d>] cfg80211_event_work+0x1d/0x30 [cfg80211]
       [<ffffffff8105f21f>] process_one_work+0x17f/0x420
       [<ffffffff8105f90a>] worker_thread+0x11a/0x370
       [<ffffffff8105f7f0>] ? rescuer_thread+0x2f0/0x2f0
       [<ffffffff8106638b>] kthread+0xbb/0xc0
       [<ffffffff810662d0>] ? kthread_create_on_node+0x120/0x120
       [<ffffffff817574bc>] ret_from_fork+0x7c/0xb0
       [<ffffffff810662d0>] ? kthread_create_on_node+0x120/0x120
      ---[ end trace 61f3bddc9c4981f7 ]---
      
      The reason is that, in connect result event cfg80211 unholds
      the BSS to which the device is associated (and was held so
      far). So, for the event with status successful, when cfg80211
      wants to get that BSS from the device's BSS list it gets a
      NULL BSS because the BSS has been expired and unheld already.
      
      Fix it by reshuffling the code.
      Signed-off-by: NUjjal Roy <royujjal@gmail.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      4c4d684a
  2. 02 12月, 2013 2 次提交
  3. 25 11月, 2013 19 次提交
  4. 22 11月, 2013 7 次提交
    • J
      genetlink: fix genl_set_err() group ID · 91398a09
      Johannes Berg 提交于
      Fix another really stupid bug - I introduced genl_set_err()
      precisely to be able to adjust the group and reject invalid
      ones, but then forgot to do so.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      91398a09
    • J
      genetlink: fix genlmsg_multicast() bug · 220815a9
      Johannes Berg 提交于
      Unfortunately, I introduced a tremendously stupid bug into
      genlmsg_multicast() when doing all those multicast group
      changes: it adjusts the group number, but then passes it
      to genlmsg_multicast_netns() which does that again.
      
      Somehow, my tests failed to catch this, so add a warning
      into genlmsg_multicast_netns() and remove the offending
      group ID adjustment.
      
      Also add a warning to the similar code in other functions
      so people who misuse them are more loudly warned.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      220815a9
    • D
      packet: fix use after free race in send path when dev is released · e40526cb
      Daniel Borkmann 提交于
      Salam reported a use after free bug in PF_PACKET that occurs when
      we're sending out frames on a socket bound device and suddenly the
      net device is being unregistered. It appears that commit 827d9780
      introduced a possible race condition between {t,}packet_snd() and
      packet_notifier(). In the case of a bound socket, packet_notifier()
      can drop the last reference to the net_device and {t,}packet_snd()
      might end up suddenly sending a packet over a freed net_device.
      
      To avoid reverting 827d9780 and thus introducing a performance
      regression compared to the current state of things, we decided to
      hold a cached RCU protected pointer to the net device and maintain
      it on write side via bind spin_lock protected register_prot_hook()
      and __unregister_prot_hook() calls.
      
      In {t,}packet_snd() path, we access this pointer under rcu_read_lock
      through packet_cached_dev_get() that holds reference to the device
      to prevent it from being freed through packet_notifier() while
      we're in send path. This is okay to do as dev_put()/dev_hold() are
      per-cpu counters, so this should not be a performance issue. Also,
      the code simplifies a bit as we don't need need_rls_dev anymore.
      
      Fixes: 827d9780 ("af-packet: Use existing netdev reference for bound sockets.")
      Reported-by: NSalam Noureddine <noureddine@aristanetworks.com>
      Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: NSalam Noureddine <noureddine@aristanetworks.com>
      Cc: Ben Greear <greearb@candelatech.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e40526cb
    • D
      xen-netback: stop the VIF thread before unbinding IRQs · db739ef3
      David Vrabel 提交于
      If the VIF thread is still running after unbinding the Tx and Rx IRQs
      in xenvif_disconnect(), the thread may attempt to raise an event which
      will BUG (as the irq is unbound).
      Signed-off-by: NDavid Vrabel <david.vrabel@citrix.com>
      Acked-by: NWei Liu <wei.liu2@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db739ef3
    • M
      wimax: remove dead code · aec6f90d
      Michael Opdenacker 提交于
      This removes a code line that is between a "return 0;" and an error label.
      This code line can never be reached.
      
      Found by Coverity (CID: 1130529)
      Signed-off-by: NMichael Opdenacker <michael.opdenacker@free-electrons.com>
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aec6f90d
    • D
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 78ef359c
      David S. Miller 提交于
      John W. Linville says:
      
      ====================
      pull request: wireless 2013-11-21
      
      Please pull this batch of fixes intended for the 3.13 stream!
      
      For the Bluetooth bits, Gustavo says:
      
      "A few fixes for 3.13. There is 3 fixes to the RFCOMM protocol. One
      crash fix to L2CAP. A simple fix to a bad behaviour in the SMP
      protocol."
      
      On top of that...
      
      Amitkumar Karwar sends a quintet of mwifiex fixes -- two fixes related
      to failure handling, two memory leak fixes, and a NULL pointer fix.
      
      Felix Fietkau corrects and earlier rt2x00 HT descriptor handling fix
      to address a crash.
      
      Geyslan G. Bem fixes a memory leak in brcmfmac.
      
      Larry Finger address more pointer arithmetic errors in rtlwifi.
      
      Luis R. Rodriguez provides a regulatory fix in the shared ath code.
      
      Sujith Manoharan brings a couple ath9k initialization fixes.
      
      Ujjal Roy offers one more mwifiex fix to avoid invalid memory accesses
      when unloading the USB driver.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78ef359c
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · cd2cc01b
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      netfilter fixes for net
      
      The following patchset contains fixes for your net tree, they are:
      
      * Remove extra quote from connlimit configuration in Kconfig, from
        Randy Dunlap.
      
      * Fix missing mss option in syn packets sent to the backend in our
        new synproxy target, from Martin Topholm.
      
      * Use window scale announced by client when sending the forged
        syn to the backend, from Martin Topholm.
      
      * Fix IPv6 address comparison in ebtables, from Luís Fernando
        Cornachioni Estrozi.
      
      * Fix wrong endianess in sequence adjustment which breaks helpers
        in NAT configurations, from Phil Oester.
      
      * Fix the error path handling of nft_compat, from me.
      
      * Make sure the global conntrack counter is decremented after the
        object has been released, also from me.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cd2cc01b
  5. 21 11月, 2013 11 次提交
    • J
      Merge branch 'master' of... · 7acd7187
      John W. Linville 提交于
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
      7acd7187
    • M
      net/phy: Add the autocross feature for forced links on VSC82x4 · 3fb69bca
      Madalin Bucur 提交于
      Add auto-MDI/MDI-X capability for forced (autonegotiation disabled)
      10/100 Mbps speeds on Vitesse VSC82x4 PHYs. Exported previously static
      function genphy_setup_forced() required by the new config_aneg handler
      in the Vitesse PHY module.
      Signed-off-by: NMadalin Bucur <madalin.bucur@freescale.com>
      Signed-off-by: NShruti Kanetkar <Shruti@freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3fb69bca
    • S
      net/phy: Add VSC8662 support · 06ae4f84
      Sandeep Singh 提交于
      Vitesse VSC8662 is Dual Port 10/100/1000Base-T Phy
      Its register set and features are similar to other Vitesse Phys.
      Signed-off-by: NSandeep Singh <Sandeep@freescale.com>
      Signed-off-by: NAndy Fleming <afleming@gmail.com>
      Signed-off-by: NShruti Kanetkar <Shruti@Freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      06ae4f84
    • S
      net/phy: Add VSC8574 support · c2efef74
      shaohui xie 提交于
      The VSC8574 is a quad-port Gigabit Ethernet transceiver with four SerDes
      interfaces for quad-port dual media capability.
      Signed-off-by: NShaohui Xie <Shaohui.Xie@freescale.com>
      Signed-off-by: NAndy Fleming <afleming@gmail.com>
      Signed-off-by: NShruti Kanetkar <Shruti@freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c2efef74
    • A
      net/phy: Add VSC8234 support · 0508019c
      Andy Fleming 提交于
      Vitesse VSC8234 is quad port 10/100/1000BASE-T PHY
      with SGMII and SERDES MAC interfaces.
      Signed-off-by: NAndy Fleming <afleming@gmail.com>
      Signed-off-by: NKumar Gala <galak@kernel.crashing.org>
      Signed-off-by: NShruti Kanetkar <Shruti@freescale.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0508019c
    • H
      net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct sockaddr_storage) · 68c6beb3
      Hannes Frederic Sowa 提交于
      In that case it is probable that kernel code overwrote part of the
      stack. So we should bail out loudly here.
      
      The BUG_ON may be removed in future if we are sure all protocols are
      conformant.
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      68c6beb3
    • H
      net: rework recvmsg handler msg_name and msg_namelen logic · f3d33426
      Hannes Frederic Sowa 提交于
      This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
      set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
      to return msg_name to the user.
      
      This prevents numerous uninitialized memory leaks we had in the
      recvmsg handlers and makes it harder for new code to accidentally leak
      uninitialized memory.
      
      Optimize for the case recvfrom is called with NULL as address. We don't
      need to copy the address at all, so set it to NULL before invoking the
      recvmsg handler. We can do so, because all the recvmsg handlers must
      cope with the case a plain read() is called on them. read() also sets
      msg_name to NULL.
      
      Also document these changes in include/linux/net.h as suggested by David
      Miller.
      
      Changes since RFC:
      
      Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
      non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
      affect sendto as it would bail out earlier while trying to copy-in the
      address. It also more naturally reflects the logic by the callers of
      verify_iovec.
      
      With this change in place I could remove "
      if (!uaddr || msg_sys->msg_namelen == 0)
      	msg->msg_name = NULL
      ".
      
      This change does not alter the user visible error logic as we ignore
      msg_namelen as long as msg_name is NULL.
      
      Also remove two unnecessary curly brackets in ___sys_recvmsg and change
      comments to netdev style.
      
      Cc: David Miller <davem@davemloft.net>
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f3d33426
    • D
      bridge: flush br's address entry in fdb when remove the · f8730420
      Ding Tianhong 提交于
       bridge dev
      
      When the following commands are executed:
      
      brctl addbr br0
      ifconfig br0 hw ether <addr>
      rmmod bridge
      
      The calltrace will occur:
      
      [  563.312114] device eth1 left promiscuous mode
      [  563.312188] br0: port 1(eth1) entered disabled state
      [  563.468190] kmem_cache_destroy bridge_fdb_cache: Slab cache still has objects
      [  563.468197] CPU: 6 PID: 6982 Comm: rmmod Tainted: G           O 3.12.0-0.7-default+ #9
      [  563.468199] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [  563.468200]  0000000000000880 ffff88010f111e98 ffffffff814d1c92 ffff88010f111eb8
      [  563.468204]  ffffffff81148efd ffff88010f111eb8 0000000000000000 ffff88010f111ec8
      [  563.468206]  ffffffffa062a270 ffff88010f111ed8 ffffffffa063ac76 ffff88010f111f78
      [  563.468209] Call Trace:
      [  563.468218]  [<ffffffff814d1c92>] dump_stack+0x6a/0x78
      [  563.468234]  [<ffffffff81148efd>] kmem_cache_destroy+0xfd/0x100
      [  563.468242]  [<ffffffffa062a270>] br_fdb_fini+0x10/0x20 [bridge]
      [  563.468247]  [<ffffffffa063ac76>] br_deinit+0x4e/0x50 [bridge]
      [  563.468254]  [<ffffffff810c7dc9>] SyS_delete_module+0x199/0x2b0
      [  563.468259]  [<ffffffff814e0922>] system_call_fastpath+0x16/0x1b
      [  570.377958] Bridge firewalling registered
      
      --------------------------- cut here -------------------------------
      
      The reason is that when the bridge dev's address is changed, the
      br_fdb_change_mac_address() will add new address in fdb, but when
      the bridge was removed, the address entry in the fdb did not free,
      the bridge_fdb_cache still has objects when destroy the cache, Fix
      this by flushing the bridge address entry when removing the bridge.
      
      v2: according to the Toshiaki Makita and Vlad's suggestion, I only
          delete the vlan0 entry, it still have a leak here if the vlan id
          is other number, so I need to call fdb_delete_by_port(br, NULL, 1)
          to flush all entries whose dst is NULL for the bridge.
      Suggested-by: NToshiaki Makita <toshiaki.makita1@gmail.com>
      Suggested-by: NVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: NDing Tianhong <dingtianhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8730420
    • V
      net: core: Always propagate flag changes to interfaces · d2615bf4
      Vlad Yasevich 提交于
      The following commit:
          b6c40d68
          net: only invoke dev->change_rx_flags when device is UP
      
      tried to fix a problem with VLAN devices and promiscuouse flag setting.
      The issue was that VLAN device was setting a flag on an interface that
      was down, thus resulting in bad promiscuity count.
      This commit blocked flag propagation to any device that is currently
      down.
      
      A later commit:
          deede2fa
          vlan: Don't propagate flag changes on down interfaces
      
      fixed VLAN code to only propagate flags when the VLAN interface is up,
      thus fixing the same issue as above, only localized to VLAN.
      
      The problem we have now is that if we have create a complex stack
      involving multiple software devices like bridges, bonds, and vlans,
      then it is possible that the flags would not propagate properly to
      the physical devices.  A simple examle of the scenario is the
      following:
      
        eth0----> bond0 ----> bridge0 ---> vlan50
      
      If bond0 or eth0 happen to be down at the time bond0 is added to
      the bridge, then eth0 will never have promisc mode set which is
      currently required for operation as part of the bridge.  As a
      result, packets with vlan50 will be dropped by the interface.
      
      The only 2 devices that implement the special flag handling are
      VLAN and DSA and they both have required code to prevent incorrect
      flag propagation.  As a result we can remove the generic solution
      introduced in b6c40d68 and leave
      it to the individual devices to decide whether they will block
      flag propagation or not.
      Reported-by: NStefan Priebe <s.priebe@profihost.ag>
      Suggested-by: NVeaceslav Falico <vfalico@redhat.com>
      Signed-off-by: NVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d2615bf4
    • A
      ipv4: fix race in concurrent ip_route_input_slow() · dcdfdf56
      Alexei Starovoitov 提交于
      CPUs can ask for local route via ip_route_input_noref() concurrently.
      if nh_rth_input is not cached yet, CPUs will proceed to allocate
      equivalent DSTs on 'lo' and then will try to cache them in nh_rth_input
      via rt_cache_route()
      Most of the time they succeed, but on occasion the following two lines:
      	orig = *p;
      	prev = cmpxchg(p, orig, rt);
      in rt_cache_route() do race and one of the cpus fails to complete cmpxchg.
      But ip_route_input_slow() doesn't check the return code of rt_cache_route(),
      so dst is leaking. dst_destroy() is never called and 'lo' device
      refcnt doesn't go to zero, which can be seen in the logs as:
      	unregister_netdevice: waiting for lo to become free. Usage count = 1
      Adding mdelay() between above two lines makes it easily reproducible.
      Fix it similar to nh_pcpu_rth_output case.
      
      Fixes: d2d68ba9 ("ipv4: Cache input routes in fib_info nexthops.")
      Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dcdfdf56
    • D
      Merge branch 'r8152' · 4f837c3b
      David S. Miller 提交于
      Hayes Wang says:
      
      ====================
      r8152 bug fixes
      
      For the patch #3, I add netif_tx_lock() before checking the
      netif_queue_stopped(). Besides, I add checking the skb queue
      length before waking the tx queue.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4f837c3b