1. 19 Sep, 2016 1 commit
  2. 17 Sep, 2016 7 commits
  3. 16 Sep, 2016 16 commits
  4. 13 Sep, 2016 6 commits
    • Johannes Berg's avatar
      nl80211: validate number of probe response CSA counters · ad5987b4
      Johannes Berg authored
      Due to an apparent copy/paste bug, the number of counters for the
      beacon configuration were checked twice, instead of checking the
      number of probe response counters. Fix this to check the number of
      probe response counters before parsing those.
      
      Cc: stable@vger.kernel.org
      Fixes: 9a774c78 ("cfg80211: Support multiple CSA counters")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      ad5987b4
    • Christophe Jaillet's avatar
      drivers: net: phy: xgene: Fix 'remove' function · 440f895a
      Christophe Jaillet authored
      If 'IS_ERR(pdata->clk)' is true, then 'clk_disable_unprepare(pdata->clk)'
      will do nothing.
      
      It is likely that 'if (!IS_ERR(pdata->clk))' was expected here.
      In fact, the test can even be removed because 'clk_disable_unprepare'
      already handles such cases.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      440f895a
    • Xin Long's avatar
      sctp: hold the transport before using it in sctp_hash_cmp · 715f5552
      Xin Long authored
      Since commit 4f008781 ("sctp: apply rhashtable api to send/recv
      path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
      in which it compares the members of the transport with the rhashtable
      args to check if it's the right transport.
      
      But sctp uses the transport without holding it in sctp_hash_cmp, it can
      cause a use-after-free panic. As after it gets transport from hashtable,
      another CPU may close the sk and free the asoc. In sctp_association_free,
      it frees all the transports, meanwhile, the assoc's refcnt may be reduced
      to 0, assoc can be destroyed by sctp_association_destroy.
      
      So after that, transport->assoc is actually an unavailable memory address
      in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
      can not avoid this, as assoc is not freed by RCU.
      
      This patch is to hold the transport before checking it's members with
      sctp_transport_hold, in which it checks the refcnt first, holds it if
      it's not 0.
      
      Fixes: 4f008781 ("sctp: apply rhashtable api to send/recv path")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      715f5552
    • Baoquan He's avatar
      bnx2: Reset device during driver initialization · 3e1be7ad
      Baoquan He authored
      When system enters into kdump kernel because of kernel panic, it won't
      shutdown devices. On-flight DMA will continue transferring data until
      device driver initializes. All devices are supposed to reset during
      driver initialization. And this property is used to fix the kdump
      failure in system with intel iommu. Other systems with hardware iommu
      should be similar. Please check commit 091d42e4 ("iommu/vt-d: Copy
      translation tables from old kernel") and those commits around.
      
      But bnx2 driver doesn't reset device during driver initialization. The
      device resetting is deferred to net device up stage. This will cause
      hardware iommu handling failure on bnx2 device. And its resetting relies
      on firmware. So in this patch move the firmware requesting code to earlier
      bnx2_init_one(), then next call bnx2_reset_chip to reset device.
      Signed-off-by: default avatarBaoquan He <bhe@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3e1be7ad
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 67b9f0b7
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Endianess fix for the new nf_tables netlink trace infrastructure,
         NFTA_TRACE_POLICY endianess was not correct, patch from Liping Zhang.
      
      2) Fix broken re-route after userspace queueing in nf_tables route
         chain. This patch is large but it is simple since it is just getting
         this code in sync with iptable_mangle. Also from Liping.
      
      3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info()
         fails to setup the NAT conntrack extension. This problem has been
         there since the beginning, but it can now show up after rhashtable
         conversion.
      
      4) Fix possible NULL pointer dereference due to failures in allocating
         the synproxy and seqadj conntrack extensions, from Gao feng.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67b9f0b7
    • Gao Feng's avatar
      netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions · 4440a2ab
      Gao Feng authored
      When memory is exhausted, nfct_seqadj_ext_add may fail to add the
      synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
      check if get valid seqadj pointer by the nfct_seqadj.
      
      Now drop the packet directly when fail to add seqadj extension to
      avoid dereference NULL pointer in nf_ct_seqadj_init from
      init_conntrack().
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      4440a2ab
  5. 12 Sep, 2016 10 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup() · ecfcdfec
      Pablo Neira Ayuso authored
      nf_nat_setup_info() returns NF_* verdicts, so convert them to error
      codes that is what ctnelink expects. This has passed overlook without
      having any impact since this nf_nat_setup_info() has always returned
      NF_ACCEPT so far. Since 870190a9 ("netfilter: nat: convert nat bysrc
      hash to rhashtable"), this is problem.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ecfcdfec
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · da499f8f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Mostly small sets of driver fixes scattered all over the place.
      
         1) Mediatek driver fixes from Sean Wang.  Forward port not written
            correctly during TX map, missed handling of EPROBE_DEFER, and
            mistaken use of put_page() instead of skb_free_frag().
      
         2) Fix socket double-free in KCM code, from WANG Cong.
      
         3) QED driver fixes from Sudarsana Reddy Kalluru, including a fix for
            using the dcbx buffers before initializing them.
      
         4) Mellanox Switch driver fixes from Jiri Pirko, including a fix for
            double fib removals and an error handling fix in
            mlxsw_sp_module_init().
      
         5) Fix kernel panic when enabling LLDP in i40e driver, from Dave
            Ertman.
      
         6) Fix padding of TSO packets in thunderx driver, from Sunil Goutham.
      
         7) TCP's rcv_wup not initialized properly when using fastopen, from
            Neal Cardwell.
      
         8) Don't use uninitialized flow keys in flow dissector, from Gao
            Feng.
      
         9) Use after free in l2tp module unload, from Sabrina Dubroca.
      
        10) Fix interrupt registry ordering issues in smsc911x driver, from
            Jeremy Linton.
      
        11) Fix crashes in bonding having to do with enslaving and rx_handler,
            from Mahesh Bandewar.
      
        12) AF_UNIX deadlock fixes from Linus.
      
        13) In mlx5 driver, don't read skb->xmit_mode after it might have been
            freed from the TX reclaim path.  From Tariq Toukan.
      
        14) Fix a bug from 2015 in TCP Yeah where the congestion window does
            not increase, from Artem Germanov.
      
        15) Don't pad frames on receive in NFP driver, from Jakub Kicinski.
      
        16) Fix chunk fragmenting in SCTP wrt. GSO, from Marcelo Ricardo
            Leitner.
      
        17) Fix deletion of VRF routes, from Mark Tomlinson.
      
        18) Fix device refcount leak when DAD fails in ipv6, from Wei Yongjun"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (101 commits)
        net/mlx4_en: Fix panic on xmit while port is down
        net/mlx4_en: Fixes for DCBX
        net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state()
        net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_all()
        net: ethernet: renesas: sh_eth: add POST registers for rz
        drivers: net: phy: mdio-xgene: Add hardware dependency
        dwc_eth_qos: do not register semi-initialized device
        sctp: identify chunks that need to be fragmented at IP level
        mlxsw: spectrum: Set port type before setting its address
        mlxsw: spectrum_router: Fix error path in mlxsw_sp_router_init
        nfp: don't pad frames on receive
        nfp: drop support for old firmware ABIs
        nfp: remove linux/version.h includes
        tcp: cwnd does not increase in TCP YeAH
        net/mlx5e: Fix parsing of vlan packets when updating lro header
        net/mlx5e: Fix global PFC counters replication
        net/mlx5e: Prevent casting overflow
        net/mlx5e: Move an_disable_cap bit to a new position
        net/mlx5e: Fix xmit_more counter race issue
        tcp: fastopen: avoid negative sk_forward_alloc
        ...
      da499f8f
    • Pedersen, Thomas's avatar
      mac80211: make mpath path fixing more robust · 5df20f21
      Pedersen, Thomas authored
      A fixed mpath was not quite being treated as such:
      
      1) if a PERR frame was received, a fixed mpath was
         deactivated.
      
      2) queued path discovery for fixed mpath was potentially
         being considered, changing mpath state.
      
      3) other mpath flags were potentially being inherited when
         fixing the mpath. Just assign PATH_FIXED and SN_VALID.
      
      This solves several issues when fixing a mesh path in one
      direction. The reverse direction mpath should probably
      also be fixed, or root announcements at least be enabled.
      Signed-off-by: default avatarThomas Pedersen <twp@qca.qualcomm.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      5df20f21
    • Felix Fietkau's avatar
      mac80211: fix sequence number assignment for PS response frames · df6ef5d8
      Felix Fietkau authored
      When using intermediate queues, sequence number allocation is deferred
      until dequeue. This doesn't work for PS response frames, which bypass
      those queues.
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      df6ef5d8
    • Felix Fietkau's avatar
      mac80211: fix tim recalculation after PS response · 83843c80
      Felix Fietkau authored
      Handle the case where the mac80211 intermediate queues are empty and the
      driver has buffered frames
      
      Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation")
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      83843c80
    • Linus Torvalds's avatar
      Linux 4.8-rc6 · 9395452b
      Linus Torvalds authored
      9395452b
    • David S. Miller's avatar
      Merge branch 'mlx4-fixes' · 373df313
      David S. Miller authored
      Tariq Toukan says:
      
      ====================
      mlx4 fixes
      
      This patchset contains several bug fixes from the team to the
      mlx4 Eth driver.
      
      Series generated against net commit:
      c2f57fb9 "drivers: net: phy: mdio-xgene: Add hardware dependency"
      
      v2:
      * excluded some cleanup patches.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      373df313
    • Moshe Shemesh's avatar
      net/mlx4_en: Fix panic on xmit while port is down · 7a61fc86
      Moshe Shemesh authored
      When port is down, tx drop counter update is not needed.
      Updating the counter in this case can cause a kernel
      panic as when the port is down, ring can be NULL.
      
      Fixes: 63a664b7 ("net/mlx4_en: fix tx_dropped bug")
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a61fc86
    • Tariq Toukan's avatar
      net/mlx4_en: Fixes for DCBX · 564ed9b1
      Tariq Toukan authored
      This patch adds a capability check before enabling DCBX.
      In addition, it re-organizes the relevant data structures,
      and fixes a typo in a define.
      
      Fixes: af7d5185 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      564ed9b1
    • Kamal Heib's avatar
      net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state() · c6770717
      Kamal Heib authored
      mlx4_en_dcbnl_set_state() returns u8, the return value from
      mlx4_en_setup_tc() could be negative in case of failure, so fix that.
      
      Fixes: af7d5185 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
      Signed-off-by: default avatarKamal Heib <kamalh@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c6770717