1. 22 2月, 2016 10 次提交
  2. 20 2月, 2016 16 次提交
    • D
      Bluetooth: hci_core: Avoid mixing up req_complete and req_complete_skb · 3bd7594e
      Douglas Anderson 提交于
      In commit 44d27137 ("Bluetooth: Compress the size of struct
      hci_ctrl") we squashed down the size of the structure by using a union
      with the assumption that all users would use the flag to determine
      whether we had a req_complete or a req_complete_skb.
      
      Unfortunately we had a case in hci_req_cmd_complete() where we weren't
      looking at the flag.  This can result in a situation where we might be
      storing a hci_req_complete_skb_t in a hci_req_complete_t variable, or
      vice versa.
      
      During some testing I found at least one case where the function
      hci_req_sync_complete() was called improperly because the kernel thought
      that it didn't require an SKB.  Looking through the stack in kgdb I
      found that it was called by hci_event_packet() and that
      hci_event_packet() had both of its locals "req_complete" and
      "req_complete_skb" pointing to the same place: both to
      hci_req_sync_complete().
      
      Let's make sure we always check the flag.
      
      For more details on debugging done, see <http://crbug.com/588288>.
      
      Fixes: 44d27137 ("Bluetooth: Compress the size of struct hci_ctrl")
      Signed-off-by: NDouglas Anderson <dianders@chromium.org>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      3bd7594e
    • J
      net: bcmgenet: Fix internal PHY link state · d07c0278
      Jaedon Shin 提交于
      The PHY link state is not chaged in GENETv2 caused by the previous
      commit 49f7a471 ("net: bcmgenet: Properly configure PHY to ignore
      interrupt") was set to PHY_IGNORE_INTERRUPT in bcmgenet_mii_probe().
      
      The internal PHY should use phy_mac_interrupt() when not in use
      PHY_POLL. The statement for phy_mac_interrupt() has two conditions. The
      first condition to check GENET_HAS_MDIO_INTR is not related PHY link
      state, so this patch removes it.
      
      Fixes: 49f7a471 ("net: bcmgenet: Properly configure PHY to ignore interrupt")
      Signed-off-by: NJaedon Shin <jaedon.shin@gmail.com>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d07c0278
    • R
      af_unix: Don't use continue to re-execute unix_stream_read_generic loop · 18eceb81
      Rainer Weikusat 提交于
      The unix_stream_read_generic function tries to use a continue statement
      to restart the receive loop after waiting for a message. This may not
      work as intended as the caller might use a recvmsg call to peek at
      control messages without specifying a message buffer. If this was the
      case, the continue will cause the function to return without an error
      and without the credential information if the function had to wait for a
      message while it had returned with the credentials otherwise. Change to
      using goto to restart the loop without checking the condition first in
      this case so that credentials are returned either way.
      Signed-off-by: NRainer Weikusat <rweikusat@mobileactivedefense.com>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      18eceb81
    • D
      unix_diag: fix incorrect sign extension in unix_lookup_by_ino · b5f05492
      Dmitry V. Levin 提交于
      The value passed by unix_diag_get_exact to unix_lookup_by_ino has type
      __u32, but unix_lookup_by_ino's argument ino has type int, which is not
      a problem yet.
      However, when ino is compared with sock_i_ino return value of type
      unsigned long, ino is sign extended to signed long, and this results
      to incorrect comparison on 64-bit architectures for inode numbers
      greater than INT_MAX.
      
      This bug was found by strace test suite.
      
      Fixes: 5d3cae8b ("unix_diag: Dumping exact socket core")
      Signed-off-by: NDmitry V. Levin <ldv@altlinux.org>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b5f05492
    • D
      Merge branch 'bnxt_en-fixes' · 5a0e2f26
      David S. Miller 提交于
      Michael Chan says:
      
      ====================
      bnxt_en: Phy related fixes.
      
      3 small patches to fix PHY related code.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a0e2f26
    • M
      bnxt_en: Failure to update PHY is not fatal condition. · ba41d46f
      Michael Chan 提交于
      If we fail to update the PHY, we should print a warning and continue.
      The current code to exit is buggy as it has not freed up the NIC
      resources yet.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ba41d46f
    • M
      bnxt_en: Remove unnecessary call to update PHY settings. · de73018f
      Michael Chan 提交于
      Fix bnxt_update_phy_setting() to check the correct parameters when
      determining whether to update the PHY.  Requested line speed/duplex should
      only be checked for forced speed mode.  This avoids unnecessary link
      interruptions when loading the driver.
      Signed-off-by: NMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      de73018f
    • M
      bnxt_en: Poll link at the end of __bnxt_open_nic(). · 035a1539
      Michael Chan 提交于
      When shutting down the NIC, we shutdown async event processing before
      freeing all the rings.  If there is a link change event during reset, the
      driver may miss it and the link state may be incorrect after the NIC is
      re-opened.  Poll the link at the end of __bnxt_open_nic() to get the
      correct link status.
      
      Signed-off-by Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      035a1539
    • P
      ser_gigaset: use container_of() instead of detour · 8d2c3ab4
      Paul Bolle 提交于
      The purpose of gigaset_device_release() is to kfree() the struct
      ser_cardstate that contains our struct device. This is done via a bit of
      a detour. First we make our struct device's driver_data point to the
      container of our struct ser_cardstate (which is a struct cardstate). In
      gigaset_device_release() we then retrieve that driver_data again. And
      after that we finally kfree() the struct ser_cardstate that was saved in
      the struct cardstate.
      
      All of this can be achieved much easier by using container_of() to get
      from our struct device to its container, struct ser_cardstate. Do so.
      
      Note that at the time the detour was implemented commit b8b2c7d8
      ("base/platform: assert that dev_pm_domain callbacks are called
      unconditionally") had just entered the tree. That commit disconnected
      our platform_device and our platform_driver. These were reconnected
      again in v4.5-rc2 through commit 25cad69f ("base/platform: Fix
      platform drivers with no probe callback"). And one of the consequences
      of that fix was that it broke the detour via driver_data. That's because
      it made __device_release_driver() stop being a NOP for our struct device
      and actually do stuff again. One of the things it now does, is setting
      our driver_data to NULL. That, in turn, makes it impossible for
      gigaset_device_release() to get to our struct cardstate. Which has the
      net effect of leaking a struct ser_cardstate at every call of this
      driver's tty close() operation. So using container_of() has the
      additional benefit of actually working.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Tested-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NPaul Bolle <pebolle@tiscali.nl>
      Acked-by: NTilman Schmidt <tilman@imap.cc>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8d2c3ab4
    • D
      Merge tag 'wireless-drivers-for-davem-2016-02-18' of... · 0b7662cf
      David S. Miller 提交于
      Merge tag 'wireless-drivers-for-davem-2016-02-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      rtlwifi
      
      * fix broken VHT (802.11ac) support, reported by Linus
      
      wlcore
      
      * fix firmware initialisation regression on wl1271
      
      iwlwifi
      
      * fix a race that users reported when we try to load the firmware
        and the hardware rfkill interrupt triggers at the same time
      * fix a very visible bug in scheduled scan: the firmware
        doesn't support scheduled scan with no profile configured and
        the supplicant sometimes requests such scheduled scans
      * build system fix to be able to link iwlwifi statically into kernel
      * firmware name update for 8265
      * typo fix in return value
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0b7662cf
    • S
      cxgb3: fix up vpd strings for kstrto*() · 1003e19c
      Steve Wise 提交于
      The vpd strings are left justified, in a fixed length array, with possible
      trailing white space and no NUL.  So fix them up before calling kstrto*().
      
      This is a recent regression which causes cxgb3 to fail to load.
      
      Fixes: e72c932d ("cxgb3: Convert simple_strtoul to kstrtox")
      Signed-off-by: NSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1003e19c
    • P
      lwt: fix rx checksum setting for lwt devices tunneling over ipv6 · c868ee70
      Paolo Abeni 提交于
      the commit 35e2d115 ("tunnels: Allow IPv6 UDP checksums to be
      correctly controlled.") changed the default xmit checksum setting
      for lwt vxlan/geneve ipv6 tunnels, so that now the checksum is not
      set into external UDP header.
      This commit changes the rx checksum setting for both lwt vxlan/geneve
      devices created by openvswitch accordingly, so that lwt over ipv6
      tunnel pairs are again able to communicate with default values.
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NJiri Benc <jbenc@redhat.com>
      Acked-by: NJesse Gross <jesse@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c868ee70
    • I
      tipc: unlock in error path · b53ce3e7
      Insu Yun 提交于
      tipc_bcast_unlock need to be unlocked in error path.
      Signed-off-by: NInsu Yun <wuninsu@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b53ce3e7
    • D
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 29d1441d
      David S. Miller 提交于
      Antonio Quartulli says:
      
      ====================
      Two of the fixes included in this patchset prevent wrong memory
      access - it was triggered when removing an object from a list
      after it was already free'd due to bad reference counting.
      This misbehaviour existed for both the gw_node and the
      orig_node_vlan object and has been fixed by Sven Eckelmann.
      
      The last patch fixes our interface feasibility check and prevents
      it from looping indefinitely when two net_device objects
      reference each other via iflink index (i.e. veth pair), by
      Andrew Lunn
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      29d1441d
    • A
      rtnl: RTM_GETNETCONF: fix wrong return value · a97eb33f
      Anton Protopopov 提交于
      An error response from a RTM_GETNETCONF request can return the positive
      error value EINVAL in the struct nlmsgerr that can mislead userspace.
      Signed-off-by: NAnton Protopopov <a.s.protopopov@gmail.com>
      Acked-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a97eb33f
    • N
      net: make netdev_for_each_lower_dev safe for device removal · cfdd28be
      Nikolay Aleksandrov 提交于
      When I used netdev_for_each_lower_dev in commit bad53162 ("vrf:
      remove slave queue and private slave struct") I thought that it acts
      like netdev_for_each_lower_private and can be used to remove the current
      device from the list while walking, but unfortunately it acts more like
      netdev_for_each_lower_private_rcu and doesn't allow it. The difference
      is where the "iter" points to, right now it points to the current element
      and that makes it impossible to remove it. Change the logic to be
      similar to netdev_for_each_lower_private and make it point to the "next"
      element so we can safely delete the current one. VRF is the only such
      user right now, there's no change for the read-only users.
      
      Here's what can happen now:
      [98423.249858] general protection fault: 0000 [#1] SMP
      [98423.250175] Modules linked in: vrf bridge(O) stp llc nfsd auth_rpcgss
      oid_registry nfs_acl nfs lockd grace sunrpc crct10dif_pclmul
      crc32_pclmul crc32c_intel ghash_clmulni_intel jitterentropy_rng
      sha256_generic hmac drbg ppdev aesni_intel aes_x86_64 glue_helper lrw
      gf128mul ablk_helper cryptd evdev serio_raw pcspkr virtio_balloon
      parport_pc parport i2c_piix4 i2c_core virtio_console acpi_cpufreq button
      9pnet_virtio 9p 9pnet fscache ipv6 autofs4 ext4 crc16 mbcache jbd2 sg
      virtio_blk virtio_net sr_mod cdrom e1000 ata_generic ehci_pci uhci_hcd
      ehci_hcd usbcore usb_common virtio_pci ata_piix libata floppy
      virtio_ring virtio scsi_mod [last unloaded: bridge]
      [98423.255040] CPU: 1 PID: 14173 Comm: ip Tainted: G           O
      4.5.0-rc2+ #81
      [98423.255386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.8.1-20150318_183358- 04/01/2014
      [98423.255777] task: ffff8800547f5540 ti: ffff88003428c000 task.ti:
      ffff88003428c000
      [98423.256123] RIP: 0010:[<ffffffff81514f3e>]  [<ffffffff81514f3e>]
      netdev_lower_get_next+0x1e/0x30
      [98423.256534] RSP: 0018:ffff88003428f940  EFLAGS: 00010207
      [98423.256766] RAX: 0002000100000004 RBX: ffff880054ff9000 RCX:
      0000000000000000
      [98423.257039] RDX: ffff88003428f8b8 RSI: ffff88003428f950 RDI:
      ffff880054ff90c0
      [98423.257287] RBP: ffff88003428f940 R08: 0000000000000000 R09:
      0000000000000000
      [98423.257537] R10: 0000000000000001 R11: 0000000000000000 R12:
      ffff88003428f9e0
      [98423.257802] R13: ffff880054a5fd00 R14: ffff88003428f970 R15:
      0000000000000001
      [98423.258055] FS:  00007f3d76881700(0000) GS:ffff88005d000000(0000)
      knlGS:0000000000000000
      [98423.258418] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [98423.258650] CR2: 00007ffe5951ffa8 CR3: 0000000052077000 CR4:
      00000000000406e0
      [98423.258902] Stack:
      [98423.259075]  ffff88003428f960 ffffffffa0442636 0002000100000004
      ffff880054ff9000
      [98423.259647]  ffff88003428f9b0 ffffffff81518205 ffff880054ff9000
      ffff88003428f978
      [98423.260208]  ffff88003428f978 ffff88003428f9e0 ffff88003428f9e0
      ffff880035b35f00
      [98423.260739] Call Trace:
      [98423.260920]  [<ffffffffa0442636>] vrf_dev_uninit+0x76/0xa0 [vrf]
      [98423.261156]  [<ffffffff81518205>]
      rollback_registered_many+0x205/0x390
      [98423.261401]  [<ffffffff815183ec>] unregister_netdevice_many+0x1c/0x70
      [98423.261641]  [<ffffffff8153223c>] rtnl_delete_link+0x3c/0x50
      [98423.271557]  [<ffffffff815335bb>] rtnl_dellink+0xcb/0x1d0
      [98423.271800]  [<ffffffff811cd7da>] ? __inc_zone_state+0x4a/0x90
      [98423.272049]  [<ffffffff815337b4>] rtnetlink_rcv_msg+0x84/0x200
      [98423.272279]  [<ffffffff810cfe7d>] ? trace_hardirqs_on+0xd/0x10
      [98423.272513]  [<ffffffff8153370b>] ? rtnetlink_rcv+0x1b/0x40
      [98423.272755]  [<ffffffff81533730>] ? rtnetlink_rcv+0x40/0x40
      [98423.272983]  [<ffffffff8155d6e7>] netlink_rcv_skb+0x97/0xb0
      [98423.273209]  [<ffffffff8153371a>] rtnetlink_rcv+0x2a/0x40
      [98423.273476]  [<ffffffff8155ce8b>] netlink_unicast+0x11b/0x1a0
      [98423.273710]  [<ffffffff8155d2f1>] netlink_sendmsg+0x3e1/0x610
      [98423.273947]  [<ffffffff814fbc98>] sock_sendmsg+0x38/0x70
      [98423.274175]  [<ffffffff814fc253>] ___sys_sendmsg+0x2e3/0x2f0
      [98423.274416]  [<ffffffff810d841e>] ? do_raw_spin_unlock+0xbe/0x140
      [98423.274658]  [<ffffffff811e1bec>] ? handle_mm_fault+0x26c/0x2210
      [98423.274894]  [<ffffffff811e19cd>] ? handle_mm_fault+0x4d/0x2210
      [98423.275130]  [<ffffffff81269611>] ? __fget_light+0x91/0xb0
      [98423.275365]  [<ffffffff814fcd42>] __sys_sendmsg+0x42/0x80
      [98423.275595]  [<ffffffff814fcd92>] SyS_sendmsg+0x12/0x20
      [98423.275827]  [<ffffffff81611bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
      [98423.276073] Code: c3 31 c0 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66
      90 48 8b 06 55 48 81 c7 c0 00 00 00 48 89 e5 48 8b 00 48 39 f8 74 09 48
      89 06 <48> 8b 40 e8 5d c3 31 c0 5d c3 0f 1f 84 00 00 00 00 00 66 66 66
      [98423.279639] RIP  [<ffffffff81514f3e>] netdev_lower_get_next+0x1e/0x30
      [98423.279920]  RSP <ffff88003428f940>
      
      CC: David Ahern <dsa@cumulusnetworks.com>
      CC: David S. Miller <davem@davemloft.net>
      CC: Roopa Prabhu <roopa@cumulusnetworks.com>
      CC: Vlad Yasevich <vyasevic@redhat.com>
      Fixes: bad53162 ("vrf: remove slave queue and private slave struct")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Reviewed-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Tested-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cfdd28be
  3. 19 2月, 2016 14 次提交