1. 29 10月, 2017 2 次提交
  2. 28 10月, 2017 3 次提交
    • G
      tap: reference to KVA of an unloaded module causes kernel panic · dea6e19f
      Girish Moodalbail 提交于
      The commit 9a393b5d ("tap: tap as an independent module") created a
      separate tap module that implements tap functionality and exports
      interfaces that will be used by macvtap and ipvtap modules to create
      create respective tap devices.
      
      However, that patch introduced a regression wherein the modules macvtap
      and ipvtap can be removed (through modprobe -r) while there are
      applications using the respective /dev/tapX devices. These applications
      cause kernel to hold reference to /dev/tapX through 'struct cdev
      macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
      modules respectively. So,  when the application is later closed the
      kernel panics because we are referencing KVA that is present in the
      unloaded modules.
      
      ----------8<------- Example ----------8<----------
      $ sudo ip li add name mv0 link enp7s0 type macvtap
      $ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
        14:mv0@enp7s0:
      $ cat /dev/tap14 &
      $ lsmod |egrep -i 'tap|vlan'
      macvtap                16384  0
      macvlan                24576  1 macvtap
      tap                    24576  3 macvtap
      $ sudo modprobe -r macvtap
      $ fg
      cat /dev/tap14
      ^C
      
      <...system panics...>
      BUG: unable to handle kernel paging request at ffffffffa038c500
      IP: cdev_put+0xf/0x30
      ----------8<-----------------8<----------
      
      The fix is to set cdev.owner to the module that creates the tap device
      (either macvtap or ipvtap). With this set, the operations (in
      fs/char_dev.c) on char device holds and releases the module through
      cdev_get() and cdev_put() and will not allow the module to unload
      prematurely.
      
      Fixes: 9a393b5d (tap: tap as an independent module)
      Signed-off-by: NGirish Moodalbail <girish.moodalbail@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dea6e19f
    • E
      tcp: refresh tp timestamp before tcp_mtu_probe() · ee1836ae
      Eric Dumazet 提交于
      In the unlikely event tcp_mtu_probe() is sending a packet, we
      want tp->tcp_mstamp being as accurate as possible.
      
      This means we need to call tcp_mstamp_refresh() a bit earlier in
      tcp_write_xmit().
      
      Fixes: 385e2070 ("tcp: use tp->tcp_mstamp in output path")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ee1836ae
    • J
      tuntap: properly align skb->head before building skb · 63b9ab65
      Jason Wang 提交于
      An unaligned alloc_frag->offset caused by previous allocation will
      result an unaligned skb->head. This will lead unaligned
      skb_shared_info and then unaligned dataref which requires to be
      aligned for accessing on some architecture. Fix this by aligning
      alloc_frag->offset before the frag refilling.
      
      Fixes: 0bbd7dad ("tun: make tun_build_skb() thread safe")
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
      Cc: Wei Wei <dotweiba@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Reported-by: NWei Wei <dotweiba@gmail.com>
      Signed-off-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      63b9ab65
  3. 27 10月, 2017 8 次提交
    • D
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 8ab190fb
      David S. Miller 提交于
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2017-10-26
      
      This series contains fixes to e1000, igb, ixgbe and i40e.
      
      Vincenzo Maffione fixes a potential race condition which would result in
      the interface being up but transmits are disabled in the hardware.
      
      Colin Ian King fixes a possible NULL pointer dereference in e1000, which
      was found by Coverity.
      
      Jean-Philippe Brucker fixes a possible kernel panic when a driver cannot
      map a transmit buffer, which is caused by an erroneous test.
      
      Alex provides a fix for ixgbe, which is a partial revert of the commit
      ffed21bc ("ixgbe: Don't bother clearing buffer memory for descriptor rings")
      because the previous commit messed up the exception handling path by
      adding the count back in when we did not need to.  Also fixed a typo,
      where the transmit ITR setting was being used to determine if we were
      using adaptive receive interrupt moderation or not.  Lastly, fixed a
      memory leak by including programming descriptors in the cleaned count.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8ab190fb
    • X
      ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit · 8aec4959
      Xin Long 提交于
      When receiving a Toobig icmpv6 packet, ip6gre_err would just set
      tunnel dev's mtu, that's not enough. For skb_dst(skb)'s pmtu may
      still be using the old value, it has no chance to be updated with
      tunnel dev's mtu.
      
      Jianlin found this issue by reducing route's mtu while running
      netperf, the performance went to 0.
      
      ip6ip6 and ip4ip6 tunnel can work well with this, as they lookup
      the upper dst and update_pmtu it's pmtu or icmpv6_send a Toobig
      to upper socket after setting tunnel dev's mtu.
      
      We couldn't do that for ip6_gre, as gre's inner packet could be
      any protocol, it's difficult to handle them (like lookup upper
      dst) in a good way.
      
      So this patch is to fix it by updating skb_dst(skb)'s pmtu when
      dev->mtu < skb_dst(skb)'s pmtu in tx path. It's safe to do this
      update there, as usually dev->mtu <= skb_dst(skb)'s pmtu and no
      performance regression can be caused by this.
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Reported-by: NJianlin Shi <jishi@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8aec4959
    • X
      ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err · f8d20b46
      Xin Long 提交于
      The similar fix in patch 'ipip: only increase err_count for some
      certain type icmp in ipip_err' is needed for ip6gre_err.
      
      In Jianlin's case, udp netperf broke even when receiving a TooBig
      icmpv6 packet.
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Reported-by: NJianlin Shi <jishi@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8d20b46
    • X
      ipip: only increase err_count for some certain type icmp in ipip_err · f3594f0a
      Xin Long 提交于
      t->err_count is used to count the link failure on tunnel and an err
      will be reported to user socket in tx path if t->err_count is not 0.
      udp socket could even return EHOSTUNREACH to users.
      
      Since commit fd58156e ("IPIP: Use ip-tunneling code.") removed
      the 'switch check' for icmp type in ipip_err(), err_count would be
      increased by the icmp packet with ICMP_EXC_FRAGTIME code. an link
      failure would be reported out due to this.
      
      In Jianlin's case, when receiving ICMP_EXC_FRAGTIME a icmp packet,
      udp netperf failed with the err:
        send_data: data send error: No route to host (errno 113)
      
      We expect this error reported from tunnel to socket when receiving
      some certain type icmp, but not ICMP_EXC_FRAGTIME, ICMP_SR_FAILED
      or ICMP_PARAMETERPROB ones.
      
      This patch is to bring 'switch check' for icmp type back to ipip_err
      so that it only reports link failure for the right type icmp, just as
      in ipgre_err() and ipip6_err().
      
      Fixes: fd58156e ("IPIP: Use ip-tunneling code.")
      Reported-by: NJianlin Shi <jishi@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f3594f0a
    • J
      net: stmmac: First Queue must always be in DCB mode · 6d9f0790
      Jose Abreu 提交于
      According to DWMAC databook the first queue operating mode
      must always be in DCB.
      
      As MTL_QUEUE_DCB = 1, we need to always set the first queue
      operating mode to DCB otherwise driver will think that queue
      is in AVB mode (because MTL_QUEUE_AVB = 0).
      Signed-off-by: NJose Abreu <joabreu@synopsys.com>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d9f0790
    • J
      net: stmmac: dwc-qos-eth: Fix typo in DT bindings parsing · 4894ac6b
      Jose Abreu 提交于
      According to DT bindings documentation we are expecting a
      property called "snps,read-requests" but we are parsing
      instead a property called "read,read-requests".
      
      This is clearly a typo. Fix it.
      Signed-off-by: NJose Abreu <joabreu@synopsys.com>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4894ac6b
    • D
      Merge tag 'mlx5-fixes-2017-10-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 5be9541a
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2017-10-26
      
      The series includes some misc fixes for mlx5 core and etherent driver.
      Please pull and let me know if there's any problem.
      
      For -Stable:
      net/mlx5e: Properly deal with encap flows add/del under neigh update (kernels >= 4.12)
      net/mlx5: Fix health work queue spin lock to IRQ safe  (kernels >= 4.13)
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5be9541a
    • D
      Merge tag 'mac80211-for-davem-2017-10-25' of... · 9618aec3
      David S. Miller 提交于
      Merge tag 'mac80211-for-davem-2017-10-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      pull-request: mac80211 2017-10-25
      
      Here are:
       * follow-up fixes for the WoWLAN security issue, to fix a
         partial TKIP key material problem and to use crypto_memneq()
       * a change for better enforcement of FQ's memory limit
       * a disconnect/connect handling fix, and
       * a user rate mask validation fix
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9618aec3
  4. 26 10月, 2017 22 次提交
  5. 25 10月, 2017 3 次提交
  6. 24 10月, 2017 2 次提交
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 864f5af3
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-10-24
      
      1) Fix a memleak when we don't find a inner_mode
         during bundle creation. From David Miller.
      
      2) Fix a xfrm policy dump crash. We may crash
         on error when dumping policies via netlink.
         Fix this by initializing the policy walk
         with the cb->start method. This fix is a
         serious stable candidate. From Herbert Xu.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      864f5af3
    • J
      can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages · e1d2d132
      Jimmy Assarsson 提交于
      To avoid kernel warning "Unhandled message (68)", ignore the
      CMD_FLUSH_QUEUE_REPLY message for now.
      
      As of Leaf v2 firmware version v4.1.844 (2017-02-15), flush tx queue is
      synchronous. There is a capability bit indicating whether flushing tx
      queue is synchronous or asynchronous.
      
      A proper solution would be to query the device for capabilities. If the
      synchronous tx flush capability bit is set, we should wait for
      CMD_FLUSH_QUEUE_REPLY message, while flushing the tx queue.
      Signed-off-by: NJimmy Assarsson <jimmyassarsson@gmail.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      e1d2d132