1. 25 Jul, 2013 4 commits
    • H
      ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup · 905a6f96
      Hannes Frederic Sowa committed on
      Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
      which leads to a panic (from Srivatsa S. Bhat):
      
      BUG: unable to handle kernel paging request at ffff882018552020
      IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
      PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
      +ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
      CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
      Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
      Workqueue: netns cleanup_net
      task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
      RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
      RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
      RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
      RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
      RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
      R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
      R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
      Stack:
       ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
       ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
       ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
      Call Trace:
       [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
       [<ffffffff815bdecb>] inet_release+0xfb/0x220
       [<ffffffff815bddf2>] ? inet_release+0x22/0x220
       [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
       [<ffffffff8151c1d9>] sock_release+0x29/0xa0
       [<ffffffff81525520>] sk_release_kernel+0x30/0x70
       [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
       [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
       [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
       [<ffffffff81075e3a>] process_one_work+0x1da/0x610
       [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
       [<ffffffff81076390>] worker_thread+0x120/0x3a0
       [<ffffffff81076270>] ? process_one_work+0x610/0x610
       [<ffffffff8107da2e>] kthread+0xee/0x100
       [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
       [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
       [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
      Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
      RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
       RSP <ffff881039367bd8>
      CR2: ffff882018552020
      Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • J
      fib_trie: potential out of bounds access in trie_show_stats() · f585a991
      Jerry Snitselaar committed on
      With the <= max condition in the for loop, it will always go 1
      element further than needed. If the condition for the while loop is
      never met, then max is MAX_STAT_DEPTH, and for loop will walk off the
      end of nodesizes[].
      Signed-off-by: Jerry Snitselaar <jerry.snitselaar@oracle.com>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • D
      mlx5: use after free in mlx5_cmd_comp_handler() · 64d2c22a
      Dan Carpenter committed on
      We can't dereference "ent" after passing it to free_cmd().
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • L
      r8169: fix lockdep warning when removing interface · 4ea72445
      Lekensteyn committed on
      The work queue is initialised in rtl_open (when the interface goes up),
      but canceled in rtl_remove_one (when the PCI device gets removed). If
      the network interface is not brought up, then the work queue struct is
      not initialised. When the device is removed, the attempt to cancel the
      uninitialised work queue causes a lockdep warning.
      
      This patch fixes the issue by moving cancel_work_sync to rtl_close (to
      match rtl_open). (Note that rtl_close is also called via
      unregister_netdev in rtl_remove_one.)
      Signed-off-by: Peter Wu <lekensteyn@gmail.com>
      Acked-by: Francois Romieu <romieu@fr.zoreil.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 24 Jul, 2013 1 commit
  3. 23 Jul, 2013 3 commits
  4. 21 Jul, 2013 2 commits
    • D
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · f5f7ab67
      David S. Miller committed on
      John W. Linville says:
      
      ====================
      Please accept this batch of fixes intended for the 3.11 tree...
      
      Alexey Khoroshilov fixes a suspend-related race in ath9k_htc.
      
      Arnd Bergmann corrects the alignment of a structure in the ssb code
      to be compatible with ARM devices.
      
      Bob Copeland provides an ath5k fix that corrects a mistaken variable
      initialization.
      
      Felix Fietkau corrects some frame accounting for dropped frames
      in ath9k.
      
      Geert Uytterhoeven brings a Kconfig fix to indicate the DMA
      requirements for rt2x00.
      
      Larry Finger offers two rtlwifi fixes: one that properly initializes
      a callback; and, a scattered collection of Kconfig, Makefile, and
      EXPORT_SYMBOL changes that correct some build problems.
      
      Finally, Sujith Manoharan provides an ath9k fix to disable a feature
      on a specific hardware device.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • D
      Merge branch 'fixes-for-3.11' of git://gitorious.org/linux-can/linux-can · 8d716c7a
      David S. Miller committed on
      Marc Kleine-Budde says:
      
      ====================
      here are two fixes for the v3.11 release cycle:
      
      Maximilian Schneider contributes a patch for the esd_usb2 CAN driver. It adds
      sanity checking to the data coming from the USB CAN adapter before using it.
      Alexey Khoroshilov from the Linux Driver Verification project fixes an urb leak
      in the error handling of the USB 8dev's usb_8dev_start() function.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 20 Jul, 2013 16 commits
  6. 19 Jul, 2013 14 commits
    • A
      can: usb_8dev: fix urb leak on failure path in usb_8dev_start() · 76719868
      Alexey Khoroshilov committed on
      If usb_8dev_start() fails to submit urb,
      it unanchors the urb but forgets to free it.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • M
      net: can: esd_usb2: check index of array before accessing · 233a26e8
      Maximilian Schneider committed on
      The esd_usb2_read_bulk_callback() function is parsing the data that comes from
      the USB CAN adapter. One datum is used as an index to access the dev->nets[]
      array. This patch adds the missing bounds checking.
      Acked-by: Matthias Fuchs <matthias.fuchs@esd.eu>
      Signed-off-by: Maximilian Schneider <max@schneidersoft.net>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · ecb2cf1a
      Linus Torvalds committed on
      Pull networking fixes from David Miller:
       "A couple interesting SKB fragment handling fixes, plus the usual small
        bits here and there:
      
         1) Fix 64-bit divide build failure on 32-bit platforms in mlx5, from
            Tim Gardner.
      
         2) Get rid of a stupid reimplementation on "%*phC" in our sysfs MAC
            address printing helper.
      
         3) Fix NETIF_F_SG capability advertisement in hyperv driver, if the
            device can't do checksumming offloads then it shouldn't say it can
            do SG either.  From Haiyang Zhang.
      
         4) bgmac needs to depend on PHYLIB, from Hauke Mehrtens.
      
         5) Don't leak DMA mappings on mapping failures, from Neil Horman.
      
         6) We need to reset the transport header of SKBs in ipv4 before we
            attempt to perform early socket demux, just like ipv6 does.  From
            Eric Dumazet.
      
         7) Add missing locking on vxlan device removal, from Stephen
            Hemminger.
      
         8) xen-netfront has to make two passes over an SKB to prepare it for
            transfer.  One pass calculates the number of slots needed, the
            second massages the SKB and fills the slots.  Unfortunately, the
            first pass doesn't calculate the number of slots properly so we
            can end up trying to build a MAX_SKB_FRAGS + 1 SKB which doesn't
            work out so well.  Fix from Jan Beulich with help and discussion
            with several others.
      
         9) Fix a similar problem in tun and macvtap, which have to split up
            scatter-gather elements at PAGE_SIZE boundaries.  Don't do
            zerocopy if it would result in a > MAX_SKB_FRAGS skb.  Fixes from
            Jason Wang.
      
        10) On receive, once we've decoded the VLAN state completely, clear
            skb->vlan_tci.  Otherwise demuxed tunnels underneath can trigger
            the VLAN code again, corrupting the packet.  Fix from Eric
            Dumazet"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        vlan: fix a race in egress prio management
        vlan: mask vlan prio bits
        macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
        tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
        pkt_sched: sch_qfq: remove a source of high packet delay/jitter
        xen-netfront: pull on receive skb may need to happen earlier
        vxlan: add necessary locking on device removal
        hyperv: Fix the NETIF_F_SG flag setting in netvsc
        net: Fix sysfs_format_mac() code duplication.
        be2net: Fix to avoid hardware workaround when not needed
        macvtap: do not assume 802.1Q when send vlan packets
        macvtap: fix the missing ret value of TUNSETQUEUE
        ipv4: set transport header earlier
        mlx5 core: Fix __udivdi3 when compiling for 32 bit arches
        bgmac: add dependency to phylib
        net/irda: fixed style issues in irlan_eth
        ethtool: fixed trailing statements in ethtool
        ndisc: bool initializations should use true and false
        atl1e: unmap partially mapped skb on dma error and free skb
    • L
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ee114b97
      Linus Torvalds committed on
      Pull x86 fixes from Peter Anvin:
       "Trying again to get the fixes queue, including the fixed IDT alignment
        patch.
      
        The UEFI patch is by far the biggest issue at hand: it is currently
        causing quite a few machines to boot.  Which is sad, because the only
        reason they would is because their BIOSes touch memory that has
        already been freed.  The other major issue is that we finally have
        tracked down the root cause of a significant number of machines
        failing to suspend/resume"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86: Make sure IDT is page aligned
        x86, suspend: Handle CPUs which fail to #GP on RDMSR
        x86/platform/ce4100: Add header file for reboot type
        Revert "UEFI: Don't pass boot services regions to SetVirtualAddressMap()"
        efivars: check for EFI_RUNTIME_SERVICES
    • L
      Merge tag 'md-3.11-fixes' of git://neil.brown.name/md · 4b8b8a4a
      Linus Torvalds committed on
      Pull md bug fixes from NeilBrown:
       "Sorry boss, back at work now boss.  Here's them nice shiny patches ya
        wanted.  All nicely tagged and justified for -stable and everyfing:
      
        Three bug fixes for md in 3.10
      
        3.10 wasn't a good release for md.  The bio changes left a couple of
        bugs, and an md "fix" created another one.
      
        These three patches appear to fix the issues and have been tagged for
        -stable"
      
      * tag 'md-3.11-fixes' of git://neil.brown.name/md:
        md/raid1: fix bio handling problems in process_checks()
        md: Remove recent change which allows devices to skip recovery.
        md/raid10: fix two problems with RAID10 resync.
    • L
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 0a693ab6
      Linus Torvalds committed on
      Pull drm fixes from Dave Airlie:
       "You'll be terribly disappointed in this, I'm not trying to sneak any
        features in or anything, it's mostly radeon and intel fixes, a couple
        of ARM driver fixes"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (34 commits)
        drm/radeon/dpm: add debugfs support for RS780/RS880 (v3)
        drm/radeon/dpm/atom: fix broken gcc harder
        drm/radeon/dpm/atom: restructure logic to work around a compiler bug
        drm/radeon/dpm: fix atom vram table parsing
        drm/radeon: fix an endian bug in atom table parsing
        drm/radeon: add a module parameter to disable aspm
        drm/rcar-du: Use the GEM PRIME helpers
        drm/shmobile: Use the GEM PRIME helpers
        uvesafb: Really allow mtrr being 0, as documented and warn()ed
        radeon kms: do not flush uninitialized hotplug work
        drm/radeon/dpm/sumo: handle boost states properly when forcing a perf level
        drm/radeon: align VM PTBs (Page Table Blocks) to 32K
        drm/radeon: allow selection of alignment in the sub-allocator
        drm/radeon: never unpin UVD bo v3
        drm/radeon: fix UVD fence emit
        drm/radeon: add fault decode function for CIK
        drm/radeon: add fault decode function for SI (v2)
        drm/radeon: add fault decode function for cayman/TN (v2)
        drm/radeon: use radeon device for request firmware
        drm/radeon: add missing ttm_eu_backoff_reservation to radeon_bo_list_validate
        ...
    • S
      ath9k_hw: Fix multicast search for AR9002 family · 64b6f46f
      Sujith Manoharan committed on
      The multicast search bit is disabled for the AR9003
      family, but this is required for AR9002 too. Fix this in
      the INI override routine.
      Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • L
      rtlwifi: Fix build errors for unusual cases · 6f334c2b
      Larry Finger committed on
      The present build configuration for the rtlwifi family of drivers will
      fail under two known conditions:
      
      (1) If rtlwifi is selected without selecting any of the dependent drivers,
          there are errors in the build.
      (2) If the PCI drivers are built into the kernel and the USB drivers are modules,
          or vice versa, there are missing globals.
      
      The first condition is fixed by never building rtlwifi unless at least one
      of the device drivers is selected. The second failure is fixed by splitting
      the PCI and USB codes out of rtlwifi, and creating their own mini drivers.
      If the drivers that use them are modules, they will also be modules.
      
      Although a number of files are touched by this patch, only Makefile and Kconfig
      have undergone significant changes. The only modifications to the other files
      were to export entry points needed by the new rtl_pci and rtl_usb units, or to
      rename two variables that had names that were likely to cause namespace collisions.
      
      Reported-by: Fengguang Wu <fengguang.wu@intel.com>  [Condition 1]
      Reported-by: Ben Hutchings <bhutchings@solarflare.com> [Condition 2]
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Ben Hutchings <bhutchings@solarflare.com>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • B
      ath5k: fix extra set bit in multicast mask · f287cbd0
      Bob Copeland committed on
      Bit 32 was always set which looks to have been accidental,
      according to git history.
      Signed-off-by: Bob Copeland <me@bobcopeland.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • G
      rt2x00: RT2X00 should depend on HAS_DMA · 6a084839
      Geert Uytterhoeven committed on
      If NO_DMA=y:
      
      drivers/built-in.o: In function `rt2x00queue_unmap_skb':
      drivers/net/wireless/rt2x00/rt2x00queue.c:129: undefined reference to `dma_unmap_single'
      drivers/net/wireless/rt2x00/rt2x00queue.c:133: undefined reference to `dma_unmap_single'
      drivers/built-in.o: In function `rt2x00queue_map_txskb':
      drivers/net/wireless/rt2x00/rt2x00queue.c:112: undefined reference to `dma_map_single'
      drivers/net/wireless/rt2x00/rt2x00queue.c:115: undefined reference to `dma_mapping_error'
      drivers/built-in.o: In function `rt2x00queue_alloc_rxskb':
      drivers/net/wireless/rt2x00/rt2x00queue.c:93: undefined reference to `dma_map_single'
      drivers/net/wireless/rt2x00/rt2x00queue.c:95: undefined reference to `dma_mapping_error'
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: linux-wireless@vger.kernel.org
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • A
      ssb: fix alignment of struct bcma_device_id · b01a60be
      Arnd Bergmann committed on
      The ARM OABI and EABI disagree on the alignment of structures
      with small members, so module init tools may interpret the
      ssb device table incorrectly, as shown by this warning when
      building the b43 device driver in an OABI kernel:
      
      FATAL: drivers/net/wireless/b43/b43: sizeof(struct ssb_device_id)=6 is
      not a modulo of the size of section __mod_ssb_device_table=88.
      
      Forcing the default (EABI) alignment on the structure makes this
      problem go away. Since the ssb_device_id may have the same problem,
      better fix both structures.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: John W. Linville <linville@tuxdriver.com>
      Cc: Michael Buesch <mb@bu3sch.de>
      Cc: Larry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • E
      vlan: fix a race in egress prio management · 3e3aac49
      Eric Dumazet committed on
      egress_priority_map[] hash table updates are protected by rtnl,
      and we never remove elements until device is dismantled.
      
      We have to make sure that before inserting a new element in hash table,
      all its fields are committed to memory or else another cpu could
      find corrupt values and crash.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • E
      vlan: mask vlan prio bits · d4b812de
      Eric Dumazet committed on
      In commit 48cc32d3
      ("vlan: don't deliver frames for unknown vlans to protocols")
      Florian made sure we set pkt_type to PACKET_OTHERHOST
      if the vlan id is set and we could find a vlan device for this
      particular id.
      
      But we also have a problem if prio bits are set.
      
      Steinar reported an issue on a router receiving IPv6 frames with a
      vlan tag of 4000 (id 0, prio 2), and tunneled into a sit device,
      because skb->vlan_tci is set.
      
      Forwarded frame is completely corrupted : We can see (8100:4000)
      being inserted in the middle of IPv6 source address :
      
      16:48:00.780413 IP6 2001:16d8:8100:4000:ee1c:0:9d9:bc87 >
      9f94:4d95:2001:67c:29f4::: ICMP6, unknown icmp6 type (0), length 64
             0x0000:  0000 0029 8000 c7c3 7103 0001 a0ae e651
             0x0010:  0000 0000 ccce 0b00 0000 0000 1011 1213
             0x0020:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
             0x0030:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
      
      It seems we are not really ready to properly cope with this right now.
      
      We can probably do better in future kernels :
      vlan_get_ingress_priority() should be a netdev property instead of
      a per vlan_dev one.
      
      For stable kernels, let's clear vlan_tci to fix the bugs.
      Reported-by: Steinar H. Gunderson <sesse@google.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • J
      macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS · ece793fc
      Jason Wang committed on
      We try to linearize part of the skb when the number of iov is greater than
      MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than
      one page, so zerocopy_sg_fromiovec() may still fail and may break the guest
      network.
      
      Solve this problem by calculating the pages needed for iov before trying to do
      zerocopy and switch to use copy instead of zerocopy if it needs more than
      MAX_SKB_FRAGS.
      
      This is done through introducing a new helper to count the pages for iov, and
      call uarg->callback() manually when switching from zerocopy to copy to notify
      vhost.
      
      We can do further optimization on top.
      
      This bug was introduced by b92946e2
      (macvtap: zerocopy: validate vectors before building skb).
      
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>