1. 30 Dec, 2015 3 commits
    • Xin Long's avatar
      sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close · 068d8bd3
      Xin Long authored
      In sctp_close, sctp_make_abort_user may return NULL because of memory
      allocation failure. If this happens, it will bypass any state change
      and never free the assoc. The assoc has no chance to be freed and it
      will be kept in memory with the state it had even after the socket is
      closed by sctp_close().
      
      So if sctp_make_abort_user fails to allocate memory, we should abort
      the asoc via sctp_primitive_ABORT as well. Just like the annotation in
      sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said,
      "Even if we can't send the ABORT due to low memory delete the TCB.
      This is a departure from our typical NOMEM handling".
      
      But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would
      dereference the chunk pointer, and system crash. So we should add
      SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other
      places where it adds SCTP_CMD_REPLY cmd.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      068d8bd3
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2015-12-28' of... · a0ccc3f2
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2015-12-28' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      iwlwifi
      
      * don't load firmware that won't exist for 7260
      * fix RCU splat
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0ccc3f2
    • Nicolai Stange's avatar
      net, socket, socket_wq: fix missing initialization of flags · 574aab1e
      Nicolai Stange authored
      Commit ceb5d58b ("net: fix sock_wake_async() rcu protection") from
      the current 4.4 release cycle introduced a new flags member in
      struct socket_wq and moved SOCKWQ_ASYNC_NOSPACE and SOCKWQ_ASYNC_WAITDATA
      from struct socket's flags member into that new place.
      
      Unfortunately, the new flags field is never initialized properly, at least
      not for the struct socket_wq instance created in sock_alloc_inode().
      
      One particular issue I encountered because of this is that my GNU Emacs
      failed to draw anything on my desktop -- i.e. what I got is a transparent
      window, including the title bar. Bisection lead to the commit mentioned
      above and further investigation by means of strace told me that Emacs
      is indeed speaking to my Xorg through an O_ASYNC AF_UNIX socket. This is
      reproducible 100% of times and the fact that properly initializing the
      struct socket_wq ->flags fixes the issue leads me to the conclusion that
      somehow SOCKWQ_ASYNC_WAITDATA got set in the uninitialized ->flags,
      preventing my Emacs from receiving any SIGIO's due to data becoming
      available and it got stuck.
      
      Make sock_alloc_inode() set the newly created struct socket_wq's ->flags
      member to zero.
      
      Fixes: ceb5d58b ("net: fix sock_wake_async() rcu protection")
      Signed-off-by: default avatarNicolai Stange <nicstange@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      574aab1e
  2. 29 Dec, 2015 2 commits
    • Julia Lawall's avatar
      drivers: net: cpsw: fix error return code · c1e3334f
      Julia Lawall authored
      Propagate the return value of platform_get_irq on failure.
      
      A simplified version of the semantic match that finds the two cases where
      no error code is returned at all is as follows:
      (http://coccinelle.lip6.fr/)
      
      // <smpl>
      @@
      identifier ret; expression e1,e2;
      @@
      (
      if (\(ret < 0\|ret != 0\))
       { ... return ret; }
      |
      ret = 0
      )
      ... when != ret = e1
          when != &ret
      *if(...)
      {
        ... when != ret = e2
            when forall
       return ret;
      }
      // </smpl>
      Signed-off-by: default avatarJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c1e3334f
    • Joe Stringer's avatar
      openvswitch: Fix template leak in error cases. · 90c7afc9
      Joe Stringer authored
      Commit 5b48bb8506c5 ("openvswitch: Fix helper reference leak") fixed a
      reference leak on helper objects, but inadvertently introduced a leak on
      the ct template.
      
      Previously, ct_info.ct->general.use was initialized to 0 by
      nf_ct_tmpl_alloc() and only incremented when ovs_ct_copy_action()
      returned successful. If an error occurred while adding the helper or
      adding the action to the actions buffer, the __ovs_ct_free_action()
      cleanup would use nf_ct_put() to free the entry; However, this relies on
      atomic_dec_and_test(ct_info.ct->general.use). This reference must be
      incremented first, or nf_ct_put() will never free it.
      
      Fix the issue by acquiring a reference to the template immediately after
      allocation.
      
      Fixes: cae3a262 ("openvswitch: Allow attaching helpers to ct action")
      Fixes: 5b48bb8506c5 ("openvswitch: Fix helper reference leak")
      Signed-off-by: default avatarJoe Stringer <joe@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      90c7afc9
  3. 28 Dec, 2015 2 commits
  4. 24 Dec, 2015 4 commits
  5. 22 Dec, 2015 7 commits
  6. 21 Dec, 2015 3 commits
  7. 19 Dec, 2015 2 commits
  8. 18 Dec, 2015 16 commits
  9. 17 Dec, 2015 1 commit
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 73796d8b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix uninitialized variable warnings in nfnetlink_queue, a lot of
          people reported this...  From Arnd Bergmann.
      
       2) Don't init mutex twice in i40e driver, from Jesse Brandeburg.
      
       3) Fix spurious EBUSY in rhashtable, from Herbert Xu.
      
       4) Missing DMA unmaps in mvpp2 driver, from Marcin Wojtas.
      
       5) Fix race with work structure access in pppoe driver causing
          corruptions, from Guillaume Nault.
      
       6) Fix OOPS due to sh_eth_rx() not checking whether netdev_alloc_skb()
          actually succeeded or not, from Sergei Shtylyov.
      
       7) Don't lose flags when settifn IFA_F_OPTIMISTIC in ipv6 code, from
          Bjørn Mork.
      
       8) VXLAN_HD_RCO defined incorrectly, fix from Jiri Benc.
      
       9) Fix clock source used for cookies in SCTP, from Marcelo Ricardo
          Leitner.
      
      10) aurora driver needs HAS_DMA dependency, from Geert Uytterhoeven.
      
      11) ndo_fill_metadata_dst op of vxlan has to handle ipv6 tunneling
          properly as well, from Jiri Benc.
      
      12) Handle request sockets properly in xfrm layer, from Eric Dumazet.
      
      13) Double stats update in ipv6 geneve transmit path, fix from Pravin B
          Shelar.
      
      14) sk->sk_policy[] needs RCU protection, and as a result
          xfrm_policy_destroy() needs to free policies using an RCU grace
          period, from Eric Dumazet.
      
      15) SCTP needs to clone ipv6 tx options in order to avoid use after
          free, from Eric Dumazet.
      
      16) Missing kbuild export if ila.h, from Stephen Hemminger.
      
      17) Missing mdiobus_alloc() return value checking in mdio-mux.c, from
          Tobias Klauser.
      
      18) Validate protocol value range in ->create() methods, from Hannes
          Frederic Sowa.
      
      19) Fix early socket demux races that result in illegal dst reuse, from
          Eric Dumazet.
      
      20) Validate socket address length in pptp code, from WANG Cong.
      
      21) skb_reorder_vlan_header() uses incorrect offset and can corrupt
          packets, from Vlad Yasevich.
      
      22) Fix memory leaks in nl80211 registry code, from Ola Olsson.
      
      23) Timeout loop count handing fixes in mISDN, xgbe, qlge, sfc, and
          qlcnic.  From Dan Carpenter.
      
      24) msg.msg_iocb needs to be cleared in recvfrom() otherwise, for
          example, AF_ALG will interpret it as an async call.  From Tadeusz
          Struk.
      
      25) inetpeer_set_addr_v4 forgets to initialize the 'vif' field, from
          Eric Dumazet.
      
      26) rhashtable enforces the minimum table size not early enough,
          breaking how we calculate the per-cpu lock allocations.  From
          Herbert Xu.
      
      27) Fix FCC port lockup in 82xx driver, from Martin Roth.
      
      28) FOU sockets need to be freed using RCU, from Hannes Frederic Sowa.
      
      29) Fix out-of-bounds access in __skb_complete_tx_timestamp() and
          sock_setsockopt() wrt.  timestamp handling.  From WANG Cong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (117 commits)
        net: check both type and procotol for tcp sockets
        drivers: net: xgene: fix Tx flow control
        tcp: restore fastopen with no data in SYN packet
        af_unix: Revert 'lock_interruptible' in stream receive code
        fou: clean up socket with kfree_rcu
        82xx: FCC: Fixing a bug causing to FCC port lock-up
        gianfar: Don't enable RX Filer if not supported
        net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration
        rhashtable: Fix walker list corruption
        rhashtable: Enforce minimum size on initial hash table
        inet: tcp: fix inetpeer_set_addr_v4()
        ipv6: automatically enable stable privacy mode if stable_secret set
        net: fix uninitialized variable issue
        bluetooth: Validate socket address length in sco_sock_bind().
        net_sched: make qdisc_tree_decrease_qlen() work for non mq
        ser_gigaset: remove unnecessary kfree() calls from release method
        ser_gigaset: fix deallocation of platform device structure
        ser_gigaset: turn nonsense checks into WARN_ON
        ser_gigaset: fix up NULL checks
        qlcnic: fix a timeout loop
        ...
      73796d8b