summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* atm: nicstar: fix regression made by previous patchAndy Shevchenko2013-09-161-1/+1
| | | | | | | | | The commit 8390f814 "atm: nicstar: re-use native mac_pton() helper" did a usefull thing. However, mac_pton() returns 1 in the case of the successfully parsed input. This patch fixes a typo. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* vxlan: Fix sparse warningsJoseph Gasparakis2013-09-162-14/+12
| | | | | | | | | | | | This patch fixes sparse warnings when incorrectly handling the port number and using int instead of unsigned int iterating through &vn->sock_list[]. Keeping the port as __be16 also makes things clearer wrt endianess. Also, it was pointed out that vxlan_get_rx_port() had unnecessary checks which got removed. Signed-off-by: Joseph Gasparakis <joseph.gasparakis@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* qlcnic: Fix VF reset recoveryManish Chopra2013-09-161-0/+1
| | | | | | | | | | | o At the time of firmware hang "adapter->need_fw_reset" variable gets set but after re-initialization of firmware OR at the time of VF re-initialization that variable was not getting cleared which was leading to failure in VF reset recovery.Fix it by clearing this variable before re-initializing VF Signed-off-by: Manish Chopra <manish.chopra@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: fix NULL pointer deref of br_port_get_rcuHong Zhiguo2013-09-161-4/+1
| | | | | | | | | | | | | | | | | | | | | | The NULL deref happens when br_handle_frame is called between these 2 lines of del_nbp: dev->priv_flags &= ~IFF_BRIDGE_PORT; /* --> br_handle_frame is called at this time */ netdev_rx_handler_unregister(dev); In br_handle_frame the return of br_port_get_rcu(dev) is dereferenced without check but br_port_get_rcu(dev) returns NULL if: !(dev->priv_flags & IFF_BRIDGE_PORT) Eric Dumazet pointed out the testing of IFF_BRIDGE_PORT is not necessary here since we're in rcu_read_lock and we have synchronize_net() in netdev_rx_handler_unregister. So remove the testing of IFF_BRIDGE_PORT and by the previous patch, make sure br_port_get_rcu is called in bridging code. Signed-off-by: Hong Zhiguo <zhiguohong@tencent.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: use br_port_get_rtnl within rtnl lockHong Zhiguo2013-09-162-3/+3
| | | | | | | | | current br_port_get_rcu is problematic in bridging path (NULL deref). Change these calls in netlink path first. Signed-off-by: Hong Zhiguo <zhiguohong@tencent.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: ps3_gelic: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-1/+1
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/toshiba/ps3_gelic_net.c It's a NOOP since 2.6.35 and I will remove it one day ;) Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: smsc: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-162-3/+2
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from code in drivers/net/ethernet/smsc/ It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: pasemi: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-2/+2
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/pasemi/pasemi_mac.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: natsemi: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-162-4/+2
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from code in drivers/net/ethernet/natsemi/ It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: ks8851-ml: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-1/+1
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/micrel/ks8851_mll.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: pxa168_eth: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-2/+1
| | | | | Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: lantiq_etop: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-4/+2
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/lantiq_etop.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: hp100: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-1/+1
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/hp/hp100.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: fec: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-161-1/+1
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/freescale/fec_main.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Use pci_dev pm_capJon Mason2013-09-142-4/+2
| | | | | | | | | | | Use the already existing pm_cap variable in struct pci_dev for determining the power management offset. This saves the driver from having to keep track of an extra variable. Signed-off-by: Jon Mason <jdmason@kudzu.us> Cc: Nithin Nayak Sujir <nsujir@broadcom.com> Cc: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bnx2x: Use pci_dev pm_capJon Mason2013-09-144-12/+11
| | | | | | | | | | Use the already existing pm_cap variable in struct pci_dev for determining the power management offset. This saves the driver from having to keep track of an extra variable. Signed-off-by: Jon Mason <jdmason@kudzu.us> Cc: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* alx: remove redundant D0 power state setYijing Wang2013-09-141-7/+2
| | | | | | | | | | Pci_enable_device_mem() will set device power state to D0, so it's no need to do it again in alx_probe(). Also remove redundant PM Cap find code, because pci core has been saved the pci device pm cap value. Signed-off-by: Yijing Wang <wangyijing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* be2net: missing variable initializationAntonio Alecrim Jr2013-09-141-1/+1
| | | | | Signed-off-by: Antonio Alecrim Jr <antonio.alecrim@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* isdn: clean up debug format string usageKees Cook2013-09-1419-79/+57
| | | | | | | | | | | | Avoid unneeded local string buffers for constructing debug output. Also cleans up debug calls that contain a single parameter so that they cannot be accidentally parsed as format strings. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: David Miller <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* drivers/atm/he.c: convert to module_pci_driverLibo Chen2013-09-141-12/+1
| | | | | | | Signed-off-by: Libo Chen <libo.chen@huawei.com> Cc: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2013-09-147-9/+61
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates This series contains updates to ixgbe and e1000e. Jacob provides a ixgbe patch to fix the configure_rx patch to properly disable RSC hardware logic when a user disables it. Previously we only disabled RSC in the queue settings, but this does not fully disable hardware RSC logic which can lead to unexpected performance issues. Emil provides three fixes for ixgbe. First fixes the ethtool loopback test when DCB is enabled, where the frames may be modified on Tx (by adding VLAN tag) which will fail the check on receive. Then a fix for QSFP+ modules, limit the speed setting to advertise only one speed at a time since the QSFP+ modules do not support auto negotiation. Lastly, resolve an issue where the driver will display incorrect info for QSFP+ modules that were inserted after the driver has been loaded. David Ertman provides to fixes for e1000e, one removes a comparison to the boolean value true where evaluating the lvalue will produce the same result. The other fixes an error in the calculation of the rar_entry_count, which causes a write of unkown/undefined register space in the MAC to unknown/undefined register space in the PHY. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| * e1000e: fix overrun of PHY RAR arrayDavid Ertman2013-09-133-6/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When copying the MAC RAR registers to PHY there is an error in the calculation of the rar_entry_count, which causes a write of unknown/ undefined register space in the MAC to unknown/undefined register space in the PHY. This patch fixes the overrun with writing to the PHY RAR and also fixes the ethtool offline register tests so that the correctly addressed registers have the appropriate bitmasks for R/W and RO bits for affected parts. Shawn Rader gets credit for finding and fixing the register overrun. Signed-off-by: Dave Ertman <davidx.m.ertman@intel.com> CC: Shawn Rader <shawn.t.rader@intel.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * e1000e: cleanup boolean comparison to trueDavid Ertman2013-09-131-1/+1
| | | | | | | | | | | | | | | | | | Removing a comparison to the boolean value true where simply interrogating the lvalue will produce the same result. Signed-off-by: David Ertman <davidx.m.ertman@intel.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * ixgbe: fix ethtool reporting of supported links for SFP modulesEmil Tantilov2013-09-131-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch resolves an issue where the driver will display incorrect info for Q/SFP+ modules that were inserted after the driver has been loaded. This patch adds a call to identify_phy() in ixgbe_get_settings() prior to calling get_link_capabilities() which needs the PHY data in order to determine the correct settings. Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * ixgbe: limit setting speed to only one at a time for QSFP modulesEmil Tantilov2013-09-132-1/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | QSFP+ modules do not support auto negotiation and should advertise only one speed at a time. This patch adds logic in ethtool to allow setting and reporting the advertised speed at either 1Gbps or 10Gbps, but not both. Also limits the speed set in ixgbe_sfp_link_config_subtask() to highest supported. Previously the link was set to whatever the supported speeds were. Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * ixgbe: fix ethtool loopback diagnostic with DCB enabledEmil Tantilov2013-09-131-0/+5
| | | | | | | | | | | | | | | | | | | | | | This patch disables DCB prior to running the loopback test. When DCB is enabled the frames may be modified on Tx (by adding vlan tag) which will fail the check on Rx. Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Tested-by: Jack Morgan <jack.morgan@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * ixgbe: fully disable hardware RSC logic when disabling RSCJacob Keller2013-09-132-1/+9
| | | | | | | | | | | | | | | | | | | | | | This patch modifies the configure_rx path in order to properly disable RSC hardware logic when the user disables it. Previously we only disabled RSC in the queue settings, but this does not fully disable hardware RSC logic which can lead to some unexpected performance issues. Signed-off-by: Jacob Keller <jacob.e.keller@intel.com> Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
* | net/irda/mcs7780: fix memory leaks in mcs_net_open()Alexey Khoroshilov2013-09-131-17/+23
|/ | | | | | | | | | | | If rx_urb allocation fails in mcs_setup_urbs(), tx_urb leaks. If mcs_receive_start() fails in mcs_net_open(), the both urbs are not deallocated. The patch fixes the issues and by the way fixes label indentation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/mlx4_en: Check device state when setting coalescingEugenia Emantayev2013-09-131-6/+10
| | | | | | | | | | When the device is down, CQs are freed. We must check the device state to avoid issuing firmware commands on non existing CQs. CC: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com> Signed-off-by: Amir Vadai <amirv@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: Clamp forward_delay when enabling STPHerbert Xu2013-09-133-8/+26
| | | | | | | | | | | | | | | | | | | At some point limits were added to forward_delay. However, the limits are only enforced when STP is enabled. This created a scenario where you could have a value outside the allowed range while STP is disabled, which then stuck around even after STP is enabled. This patch fixes this by clamping the value when we enable STP. I had to move the locking around a bit to ensure that there is no window where someone could insert a value outside the range while we're in the middle of enabling STP. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Cheers, Signed-off-by: David S. Miller <davem@davemloft.net>
* resubmit bridge: fix message_age_timer calculationChris Healy2013-09-131-1/+1
| | | | | | | | | | | | | | | This changes the message_age_timer calculation to use the BPDU's max age as opposed to the local bridge's max age. This is in accordance with section 8.6.2.3.2 Step 2 of the 802.1D-1998 sprecification. With the current implementation, when running with very large bridge diameters, convergance will not always occur even if a root bridge is configured to have a longer max age. Tested successfully on bridge diameters of ~200. Signed-off-by: Chris Healy <cphealy@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: tulip: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-131-1/+1
| | | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/dec/tulip/de4x5.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Acked-by: Grant Grundler <grundler@parisc-linux.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* ethernet: amd: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-131-1/+1
| | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/amd/sun3lance.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ehea: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-131-4/+3
| | | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/ibm/ehea/ehea_main.c It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bfin_mac: remove deprecated IRQF_DISABLEDMichael Opdenacker2013-09-131-2/+2
| | | | | | | | | | | This patch proposes to remove the IRQF_DISABLED flag from drivers/net/ethernet/adi/bfin_mac.c. It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Reviewed-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xen-netback: count number required slots for an skb more carefullyDavid Vrabel2013-09-131-30/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a VM is providing an iSCSI target and the LUN is used by the backend domain, the generated skbs for direct I/O writes to the disk have large, multi-page skb->data but no frags. With some lengths and starting offsets, xen_netbk_count_skb_slots() would be one short because the simple calculation of DIV_ROUND_UP(skb_headlen(), PAGE_SIZE) was not accounting for the decisions made by start_new_rx_buffer() which does not guarantee responses are fully packed. For example, a skb with length < 2 pages but which spans 3 pages would be counted as requiring 2 slots but would actually use 3 slots. skb->data: | 1111|222222222222|3333 | Fully packed, this would need 2 slots: |111122222222|22223333 | But because the 2nd page wholy fits into a slot it is not split across slots and goes into a slot of its own: |1111 |222222222222|3333 | Miscounting the number of slots means netback may push more responses than the number of available requests. This will cause the frontend to get very confused and report "Too many frags/slots". The frontend never recovers and will eventually BUG. Fix this by counting the number of required slots more carefully. In xen_netbk_count_skb_slots(), more closely follow the algorithm used by xen_netbk_gop_skb() by introducing xen_netbk_count_frag_slots() which is the dry-run equivalent of netbk_gop_frag_copy(). Signed-off-by: David Vrabel <david.vrabel@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Expand led off fix to include 5720Nithin Sujir2013-09-131-0/+1
| | | | | | | | | | | | Commit 989038e217e94161862a959e82f9a1ecf8dda152 ("tg3: Don't turn off led on 5719 serdes port 0") added code to skip turning led off on port 0 of the 5719 since it powered down other ports. This workaround needs to be enabled on the 5720 as well. Cc: stable@vger.kernel.org Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmitDaniel Borkmann2013-09-121-29/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect: SCTP + IPv4: 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): SCTP + IPv6: 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] Moreover, Alan says: This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X): ... 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb. Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like: SCTP + IPv6: 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch. [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf Reported-by: Alan Chester <alan.chester@tekelec.com> Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tuntap: correctly handle error in tun_set_iff()Jason Wang2013-09-121-3/+8
| | | | | | | | | | | | | | | | | | Commit c8d68e6be1c3b242f1c598595830890b65cea64a (tuntap: multiqueue support) only call free_netdev() on error in tun_set_iff(). This causes several issues: - memory of tun security were leaked - use after free since the flow gc timer was not deleted and the tfile were not detached This patch solves the above issues. Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu> Cc: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xen-netback: fix possible format string flawKees Cook2013-09-121-1/+1
| | | | | | | | | This makes sure a format string cannot accidentally leak into the kthread_run() call. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netpoll: Should handle ETH_P_ARP other than ETH_P_IP in netpoll_neigh_replySonic Zhang2013-09-121-1/+1
| | | | | | | | | | The received ARP request type in the Ethernet packet head is ETH_P_ARP other than ETH_P_IP. [ Bug introduced by commit b7394d2429c198b1da3d46ac39192e891029ec0f ("netpoll: prepare for ipv6") ] Signed-off-by: Sonic Zhang <sonic.zhang@analog.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* igb: Read flow control for i350 from correct EEPROM sectionFujinaka, Todd2013-09-121-1/+9
| | | | | | | | | | Flow control is defined in the four EEPROM sections but the driver only reads from section 0. Signed-off-by: Todd Fujinaka <todd.fujinaka@intel.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* igb: Add additional get_phy_id call for i354 devicesCarolyn Wyborny2013-09-121-0/+4
| | | | | | | | | | | This patch fixes a problem where some ports can fail to initialize on a cold boot. This patch adds an additional call to read the PHY id for i354 devices in order workaround the hardware problem. Signed-off-by: Carolyn Wyborny <carolyn.wyborny@intel.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge tag 'master-2013-09-09' of ↵David S. Miller2013-09-128-21/+67
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== This is a pull request for a few early fixes for the 3.12 stream. Alexey Khoroshilov corrects a use-after-free issue on rtl8187 found by the Linux Driver Verification project. Arend van Spriel provides a brcmfmac patch to fix a build issue reported by Randy Dunlap. Hauke Mehrtens offers a bcma fix to properly account for the storage width of error code values before checking them. Solomon Peachy brings a pair of cw1200 fixes to avoid hangs in that driver with SPI devices. One avoids transfers in interrupt context, the other fixes a locking issue. Stanislaw Gruszka changes the initialization of the rt2800 driver to avoid a freeze, addressing a bug in the Red Hat bugzilla. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
| * rt2800: change initialization sequence to fix system freezeStanislaw Gruszka2013-09-091-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My commit commit c630ccf1a127578421a928489d51e99c05037054 Author: Stanislaw Gruszka <stf_xl@wp.pl> Date: Sat Mar 16 19:19:46 2013 +0100 rt2800: rearrange bbp/rfcsr initialization make Maxim machine freeze when try to start wireless device. Initialization order and sending MCU_BOOT_SIGNAL request, changed in above commit, is important. Doing things incorrectly make PCIe bus problems, which can froze the machine. This patch change initialization sequence like vendor driver do: function NICInitializeAsic() from 2011_1007_RT5390_RT5392_Linux_STA_V2.5.0.3_DPO (PCI devices) and DPO_RT5572_LinuxSTA_2.6.1.3_20121022 (according Mediatek, latest driver for RT8070/RT3070/RT3370/RT3572/RT5370/RT5372/RT5572 USB devices). It fixes freezes on Maxim system. Resolve: https://bugzilla.redhat.com/show_bug.cgi?id=1000679 Reported-and-tested-by: Maxim Polyakov <polyakov@dexmalabs.com> Bisected-by: Igor Gnatenko <i.gnatenko.brain@gmail.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * bcma: fix error code handling on 64 Bit systemsHauke Mehrtens2013-09-091-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On most 64 Bit systems unsigned long is 64 bit long and then -MAX_ERRNO is out of the range of a u32 used to store the error code in. This patch casts the -MAX_ERRNO to a u32 instead. This fixes a regression introduced in: commit fd4edf197544bae1c77d84bad354aa7ce1d08ce1 Author: Hauke Mehrtens <hauke@hauke-m.de> Date: Mon Jul 15 13:15:08 2013 +0200 bcma: fix handling of big addrl Reported-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Tested-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * rtl8187: fix use after free on failure path in rtl8187_init_urbs()Alexey Khoroshilov2013-09-091-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In case of __dev_alloc_skb() failure rtl8187_init_urbs() calls usb_free_urb(entry) where 'entry' can points to urb allocated at the previous iteration. That means refcnt will be decremented incorrectly and the urb can be used after memory deallocation. The patch fixes the issue and implements error handling of init_urbs in rtl8187_start(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * brcmfmac: fix bus interface selection in KconfigArend van Spriel2013-09-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The kernel configuration for the driver could result in compilation issues as reported by Randy Dunlap. His results are show below: "on x86_64: when CONFIG_MMC=m CONFIG_BRCMUTIL=y CONFIG_BRCMFMAC=y CONFIG_BRCMFMAC_SDIO=y This bool kconfig symbol: config BRCMFMAC_SDIO bool "SDIO bus interface support for FullMAC driver" depends on MMC allows BRCMFMAC_SDIO to be y even when MMC=m. Is there a reasonable solution to this? This causes many build errors: drivers/built-in.o: In function `brcmf_sdio_assert_info': dhd_sdio.c:(.text+0x39609b): undefined reference to `sdio_claim_host' dhd_sdio.c:(.text+0x3960d9): undefined reference to `sdio_release_host' drivers/built-in.o: In function `brcmf_sdio_readframes': dhd_sdio.c:(.text+0x396a62): undefined reference to `sdio_claim_host' dhd_sdio.c:(.text+0x396a9b): undefined reference to `sdio_release_host' ..." This patch adds the appropriate logic in Kconfig to resolve these issues. The solution was provided by Hauke Mehrtens. Reported-by: Randy Dunlap <rdunlap@infradead.org> Cc: Hauke Mehrtens <hauke@hauke-m.de> Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * cw1200: Prevent a lock-related hang in the cw1200_spi driverSolomon Peachy2013-09-091-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cw1200_spi driver tries to mirror the cw1200_sdio driver's lock API, which relies on sdio_claim_host/sdio_release_host to serialize hardware operations across multiple threads. Unfortunately the implementation was flawed, as it lacked a way to wake up the lock requestor when there was contention, often resulting in a hang. This problem was uncovered while trying to fix the spi-transfers-in-interrupt-context BUG() corrected in the previous patch. Many thanks to Dave Sizeburns for his assistance in fixing this. Signed-off-by: Solomon Peachy <pizza@shaftnet.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * cw1200: Don't perform SPI transfers in interrupt contextSolomon Peachy2013-09-094-4/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we get an interrupt from the hardware, the first thing the driver does is tell the device to mask off the interrupt line. Unfortunately this involves a SPI transaction in interrupt context. Some (most?) SPI controllers perform the transfer asynchronously and try to sleep. This is bad, and triggers a BUG(). So, work around this by using adding a hwbus hook for the cw1200 driver core to call. The cw1200_spi driver translates this into irq_disable()/irq_enable() calls instead, which can safely be called in interrupt context. Apparently the platforms I used to develop the cw1200_spi driver used synchronous spi_sync() implementations, which is why this didn't surface until now. Many thanks to Dave Sizeburns for the inital bug report and his services as a tester. Signed-off-by: Solomon Peachy <pizza@shaftnet.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>