- 01 Aug, 2010 2 commits
-
-
Changli Gao authored
after updating the value of the ICMP payload, inet_proto_csum_replace4() should be called with zero pseudohdr. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Changli Gao authored
pskb_may_pull() may change skb pointers, so adjust icmph after pskb_may_pull(). Signed-off-by: Changli Gao <xiaosuo@gmail.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 31 Jul, 2010 2 commits
-
-
Herbert Xu authored
On the bridge TX path we're leaking an skb when br_multicast_rcv returns an error. Reported-by: David Lamparter <equinox@diac24.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dmitry Popov authored
There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c), TCP_COOKIE_TRANSACTIONS case. In some cases (when tp->cookie_values == NULL) new tcp_cookie_values structure can be allocated (at cvp), but not bound to tp->cookie_values. So a memory leak occurs. Signed-off-by: Dmitry Popov <dp@highloadlab.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 28 Jul, 2010 2 commits
-
-
stephen hemminger authored
Long ago, when bridge was converted to RCU, rcu lock was equivalent to having preempt disabled. RCU has changed a lot since then and bridge code was still assuming the since transmit was called with bottom half disabled, it was RCU safe. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Tested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Bruce Allan authored
The MAC-PHY interconnect on 82577/82578 uses a power management feature (called K1) which must be disabled when in 1Gbps due to a hardware issue on these parts. The #define bit setting used to enable/disable K1 is incorrect and can cause PHY register accesses to stop working altogether until the next device reset. This patch sets the register correctly. This issue is present in kernels since 2.6.32. CC: stable@kernel.org Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 26 Jul, 2010 4 commits
-
-
Breno Leitao authored
Patch 9e39f7c5 changed the DBG_PRINT() macro and the if clause was wrongly changed. It means that currently all the DBG_PRINT are being printed, flooding the kernel log buffer with things like: s2io: eth6: Next block at: c0000000b9c90000 s2io: eth6: In Neterion Tx routine Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com> Acked-by: Sreenivasa Honnur <Sreenivasa.Honnur@neterion.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ming Lei authored
For edma, we should use DMA_BIDIRECTIONAL, or else use DMA_FROM_DEVICE. This is found to address "BUG at arch/x86/mm/physaddr.c:5" as described here: http://lkml.org/lkml/2010/7/14/21Signed-off-by: Ming Lei <tom.leiming@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Ben Greear authored
With conn-track zones and probably with different network namespaces, the netfilter logic needs to be re-calculated on packet receive. If the netfilter logic is not reset, it will not be recalculated properly. This patch adds the nf_reset logic to dev_forward_skb. Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 25 Jul, 2010 4 commits
-
-
stephen hemminger authored
This fixes hang when target device of mirred packet classifier action is removed. If a mirror or redirection action is configured to cause packets to go to another device, the classifier holds a ref count, but was assuming the adminstrator cleaned up all redirections before removing. The fix is to add a notifier and cleanup during unregister. The new list is implicitly protected by RTNL mutex because it is held during filter add/delete as well as notifier. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
-
-
Michael S. Tsirkin authored
There are still some LRO cards that cause GSO errors in tun, and BUG on this is an unfriendly way to tell the admin to disable LRO. Further, experience shows we might have more GSO bugs lurking. See https://bugzilla.kernel.org/show_bug.cgi?id=16413 as a recent example. dumping a packet will make it easier to figure it out. Replace BUG with warning+dump+drop the packet to make GSO errors in tun less critical and easier to debug. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Alex Unigovsky <unik@compot.ru> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Greg Edwards authored
After: commit 6146b1a4 Author: Jay Vosburgh <fubar@us.ibm.com> Date: Tue Nov 4 17:51:15 2008 -0800 bonding: Fix ALB mode to balance traffic on VLANs the dev field in the RLB ARP packet handler was set to NULL to wildcard and accommodate balancing VLANs on top of bonds. This has the side-effect of the packet handler being called against other, non RLB-enabled bonds, and a kernel oops results when it tries to dereference rx_hashtbl in rlb_update_entry_from_arp(), which won't be set for those bonds, e.g. active-backup. With the __netif_receive_skb() changes from: commit 1f3c8804 Author: Andy Gospodarek <andy@greyhouse.net> Date: Mon Dec 14 10:48:58 2009 +0000 bonding: allow arp_ip_targets on separate vlans to use arp validation frames received on VLANs correctly make their way to the bond's handler, so we no longer need to wildcard the device. The oops can be reproduced by: modprobe bonding echo active-backup > /sys/class/net/bond0/bonding/mode echo 100 > /sys/class/net/bond0/bonding/miimon ifconfig bond0 xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx echo +eth0 > /sys/class/net/bond0/bonding/slaves echo +eth1 > /sys/class/net/bond0/bonding/slaves echo +bond1 > /sys/class/net/bonding_masters echo balance-alb > /sys/class/net/bond1/bonding/mode echo 100 > /sys/class/net/bond1/bonding/miimon ifconfig bond1 xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx echo +eth2 > /sys/class/net/bond1/bonding/slaves echo +eth3 > /sys/class/net/bond1/bonding/slaves Pass some traffic on bond0. Boom. [ Tested, behaves as advertised. I do not believe a test of the bonding mode is necessary, as there is no race between the packet handler and the bonding mode changing (the mode can only change when the device is closed). Also updated the log message to include the reproduction and full commit ids. -J ] Signed-off-by: Greg Edwards <greg.edwards@hp.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Acked-by: Andy Gospodarek <andy@greyhouse.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 22 Jul, 2010 5 commits
-
-
Alexey Shvetsov authored
This version of intel wimax device was found in my IBM ThinkPad x201 Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>
-
Brian Haley authored
If the interface has IPv6 disabled, don't add a multicast or link-local route since we won't be adding a link-local address. Reported-by: Mahesh Kelkar <maheshkelkar@gmail.com> Signed-off-by: Brian Haley <brian.haley@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
It should only be adjusted if ip_summed == CHECKSUM_PARTIAL. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Andrea Shepard authored
Make pskb_expand_head() check ip_summed to make sure csum_start is really csum_start and not csum before adjusting it. This fixes a bug I encountered using a Sun Quad-Fast Ethernet card and VLANs. On my configuration, the sunhme driver produces skbs with differing amounts of headroom on receive depending on the packet size. See line 2030 of drivers/net/sunhme.c; packets smaller than RX_COPY_THRESHOLD have 52 bytes of headroom but packets larger than that cutoff have only 20 bytes. When these packets reach the VLAN driver, vlan_check_reorder_header() calls skb_cow(), which, if the packet has less than NET_SKB_PAD (== 32) bytes of headroom, uses pskb_expand_head() to make more. Then, pskb_expand_head() needs to adjust a lot of offsets into the skb, including csum_start. Since csum_start is a union with csum, if the packet has a valid csum value this will corrupt it, which was the effect I observed. The sunhme hardware computes receive checksums, so the skbs would be created by the driver with ip_summed == CHECKSUM_COMPLETE and a valid csum field, and then pskb_expand_head() would corrupt the csum field, leading to an "hw csum error" message later on, for example in icmp_rcv() for pings larger than the sunhme RX_COPY_THRESHOLD. On the basis of the comment at the beginning of include/linux/skbuff.h, I believe that the csum_start skb field is only meaningful if ip_csummed is CSUM_PARTIAL, so this patch makes pskb_expand_head() adjust it only in that case to avoid corrupting a valid csum value. Please see my more in-depth disucssion of tracking down this bug for more details if you like: http://puellavulnerata.livejournal.com/112186.html http://puellavulnerata.livejournal.com/112567.html http://puellavulnerata.livejournal.com/112891.html http://puellavulnerata.livejournal.com/113096.html http://puellavulnerata.livejournal.com/113591.html I am not subscribed to this list, so please CC me on replies. Signed-off-by: Andrea Shepard <andrea@persephoneslair.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Herbert Xu authored
Mark Wagner reported OOM symptoms when sending UDP traffic over a macvtap link to a kvm receiver. This appears to be caused by the fact that macvtap packet queues are unlimited in length. This means that if the receiver can't keep up with the rate of flow, then we will hit OOM. Of course it gets worse if the OOM killer then decides to kill the receiver. This patch imposes a cap on the packet queue length, in the same way as the tuntap driver, using the device TX queue length. Please note that macvtap currently has no way of giving congestion notification, that means the software device TX queue cannot be used and packets will always be dropped once the macvtap driver queue fills up. This shouldn't be a great problem for the scenario where macvtap is used to feed a kvm receiver, as the traffic is most likely external in origin so congestion notification can't be applied anyway. Of course, if anybody decides to complain about guest-to-guest UDP packet loss down the track, then we may have to revisit this. Incidentally, this patch also fixes a real memory leak when macvtap_get_queue fails. Chris Wright noticed that for this patch to work, we need a non-zero TX queue length. This patch includes his work to change the default macvtap TX queue length to 500. Reported-by: Mark Wagner <mwagner@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 21 Jul, 2010 4 commits
-
-
Andy Gospodarek authored
Some ixgbe cards put an invalid VF device ID in the PCIe SR-IOV capability. The ixgbe driver is only valid for PFs or non SR-IOV hardware. It seems that the same problem could occur on igb hardware as well, so if we discover we are trying to initialize a VF in ixbge_probe or igb_probe, print an error and exit. Based on a patch for ixgbe from Chris Wright <chrisw@sous-sol.org>. Signed-off-by: Andy Gospodarek <andy@greyhouse.net> Cc: Chris Wright <chrisw@sous-sol.org> Acked-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Greg Rose <gregory.v.rose@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vladislav Zolotarov authored
Advance a module version to 1.52.53-2. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vladislav Zolotarov authored
Bug fix: Protect statistics ramrod sending code and a statistics counter update with a spinlock. Otherwise there was a race condition that would allow sending a statistics ramrods with the same sequence number or with sequence numbers not in a natural order, which would cause a FW assert. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vladislav Zolotarov authored
Bug fix: Protect the statistics state machine state update with a spinlock. Otherwise there was a race condition that would cause the statistics to stay enabled despite the fact that they were disabled in the LINK_DOWN event handler. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 20 Jul, 2010 2 commits
-
-
John W. Linville authored
These synthetic frames are all triggered from userland requests in process context. https://bugzilla.kernel.org/show_bug.cgi?id=16412Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Herbert Xu authored
The new netpoll code in bridging contains use-after-free bugs that are non-trivial to fix. This patch fixes this by removing the code that uses skbs after they're freed. As a consequence, this means that we can no longer call bridge from the netpoll path, so this patch also removes the controller function in order to disable netpoll. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Thanks, Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 19 Jul, 2010 2 commits
-
-
Ilpo Järvinen authored
It can happen that there are no packets in queue while calling tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns NULL and that gets deref'ed to get sacked into a local var. There is no work to do if no packets are outstanding so we just exit early. This oops was introduced by 08ebd172 (tcp: remove tp->lost_out guard to make joining diff nicer). Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Reported-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de> Tested-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 18 Jul, 2010 1 commit
-
-
Arnaud Ebalard authored
The input handler for Type 2 Routing Header (mip6_rthdr_input()) checks if the CoA in the packet matches the CoA in the XFRM state. Current check is buggy: it compares the adddress in the Type 2 Routing Header, i.e. the HoA, against the expected CoA in the state. The comparison should be made against the address in the destination field of the IPv6 header. The bug remained unnoticed because the main (and possibly only current) user of the code (UMIP MIPv6 Daemon) initializes the XFRM state with the unspecified address, i.e. explicitly allows everything. Yoshifuji-san, can you ack that one? Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 16 Jul, 2010 5 commits
-
-
Robert Jennings authored
The order of freeing the IRQ and freeing the device in firmware in ibmveth_close can cause the adapter to become unusable after a subsequent ibmveth_open. Only a reboot of the OS will make the network device usable again. This is seen when cycling the adapter up and down while there is network activity. There is a window where an IRQ will be left unserviced (H_EOI will not be called). The solution is to make a VIO_IRQ_DISABLE h_call, free the device with firmware, and then call free_irq. Signed-off-by: Robert Jennings <rcj@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
-
Stephen Boyd authored
The rt2x00dev->intf_work workqueue is never initialized when a driver is probed for a non-existent device (in this case rt2500usb). On such a path we call rt2x00lib_remove_dev() to free any resources initialized during the probe before we use INIT_WORK to initialize the workqueue. This causes lockdep to get confused since the lock used in the workqueue hasn't been initialized yet but is now being acquired during cancel_work_sync() called by rt2x00lib_remove_dev(). Fix this by initializing the workqueue first before we attempt to probe the device. This should make lockdep happy and avoid breaking any assumptions about how the library cleans up after a probe fails. phy0 -> rt2x00lib_probe_dev: Error - Failed to allocate device. INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. Pid: 2027, comm: modprobe Not tainted 2.6.35-rc5+ #60 Call Trace: [<ffffffff8105fe59>] register_lock_class+0x152/0x31f [<ffffffff81344a00>] ? usb_control_msg+0xd5/0x111 [<ffffffff81061bde>] __lock_acquire+0xce/0xcf4 [<ffffffff8105f6fd>] ? trace_hardirqs_off+0xd/0xf [<ffffffff81492aef>] ? _raw_spin_unlock_irqrestore+0x33/0x41 [<ffffffff810628d5>] lock_acquire+0xd1/0xf7 [<ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e [<ffffffff8104f06e>] __cancel_work_timer+0xd0/0x17e [<ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e [<ffffffff8104f136>] cancel_work_sync+0xb/0xd [<ffffffffa0096675>] rt2x00lib_remove_dev+0x25/0xb0 [rt2x00lib] [<ffffffffa0096bf7>] rt2x00lib_probe_dev+0x380/0x3ed [rt2x00lib] [<ffffffff811d78a7>] ? __raw_spin_lock_init+0x31/0x52 [<ffffffffa00bbd2c>] ? T.676+0xe/0x10 [rt2x00usb] [<ffffffffa00bbe4f>] rt2x00usb_probe+0x121/0x15e [rt2x00usb] [<ffffffff813468bd>] usb_probe_interface+0x151/0x19e [<ffffffff812ea08e>] driver_probe_device+0xa7/0x136 [<ffffffff812ea167>] __driver_attach+0x4a/0x66 [<ffffffff812ea11d>] ? __driver_attach+0x0/0x66 [<ffffffff812e96ca>] bus_for_each_dev+0x54/0x89 [<ffffffff812e9efd>] driver_attach+0x19/0x1b [<ffffffff812e9b64>] bus_add_driver+0xb4/0x204 [<ffffffff812ea41b>] driver_register+0x98/0x109 [<ffffffff813465dd>] usb_register_driver+0xb2/0x173 [<ffffffffa00ca000>] ? rt2500usb_init+0x0/0x20 [rt2500usb] [<ffffffffa00ca01e>] rt2500usb_init+0x1e/0x20 [rt2500usb] [<ffffffff81000203>] do_one_initcall+0x6d/0x17a [<ffffffff8106cae8>] sys_init_module+0x9c/0x1e0 [<ffffffff8100296b>] system_call_fastpath+0x16/0x1b Signed-off-by: Stephen Boyd <bebarino@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Michael S. Tsirkin authored
Guest can trigger packet truncation by posting a very short buffer and disabling buffer merging. Convert pr_err to pr_debug to avoid log from filling up when this happens. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Ben Greear authored
This was detected using two mcast router tables. The pimreg for the second interface did not have a specific mrule, so packets received by it were handled by the default table, which had nothing configured. This caused the ipmr_fib_lookup to fail, causing the memory leak. Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 15 Jul, 2010 3 commits
-
-
Michael S. Tsirkin authored
We flush under vq mutex when changing backends. This creates a deadlock as workqueue being flushed needs this lock as well. https://bugzilla.redhat.com/show_bug.cgi?id=612421 Drop the vq mutex before flush: we have the device mutex which is sufficient to prevent another ioctl from touching the vq. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Tom Herbert authored
Fix problem in reading the tx_queue recorded in a socket. In dev_pick_tx, the TX queue is read by doing a check with sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get. The problem is that there is not mutual exclusion across these calls in the socket so it it is possible that the queue in the sock can be invalidated after sk_tx_queue_recorded is called so that sk_tx_queue get returns -1, which sets 65535 in queue_index and thus dev_pick_tx returns 65536 which is a bogus queue and can cause crash in dev_queue_xmit. We fix this by only calling sk_tx_queue_get which does the proper checks. The interface is that sk_tx_queue_get returns the TX queue if the sock argument is non-NULL and TX queue is recorded, else it returns -1. sk_tx_queue_recorded is no longer used so it can be completely removed. Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Doug Kehn authored
When configuring DMVPN (GRE + openNHRP) and a GRE remote address is configured a kernel Oops is observed. The obserseved Oops is caused by a NULL header_ops pointer (neigh->dev->header_ops) in neigh_update_hhs() when void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *) = neigh->dev->header_ops->cache_update; is executed. The dev associated with the NULL header_ops is the GRE interface. This patch guards against the possibility that header_ops is NULL. This Oops was first observed in kernel version 2.6.26.8. Signed-off-by: Doug Kehn <rdkehn@yahoo.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 14 Jul, 2010 4 commits
-
-
Eric Dumazet authored
commit fc6055a5 (net: Introduce skb_orphan_try()) added early orphaning of skbs. This unfortunately added a performance regression in skb_tx_hash() in case of stacked devices (bonding, vlans, ...) Since skb->sk is now NULL, we cannot access sk->sk_hash anymore to spread tx packets to multiple NIC queues on multiqueue devices. skb_tx_hash() in this case only uses skb->protocol, same value for all flows. skb_orphan_try() can copy sk->sk_hash into skb->rxhash and skb_tx_hash() can use this saved sk_hash value to compute its internal hash value. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Changli Gao authored
rfs: call sock_rps_record_flow() in tcp_splice_read() call sock_rps_record_flow() in tcp_splice_read(), so the applications using splice(2) or sendfile(2) can utilize RFS. Signed-off-by: Changli Gao <xiaosuo@gmail.com> ---- net/ipv4/tcp.c | 1 + 1 file changed, 1 insertion(+) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Timo Teräs authored
xfrm_resolve_and_create_bundle() assumed that, if policies indicated presence of xfrms, bundle template resolution would always return some xfrms. This is not true for 'use' level policies which can result in no xfrm's being applied if there is no suitable xfrm states. This fixes a crash by this incorrect assumption. Reported-by: George Spelvin <linux@horizon.com> Bisected-by: George Spelvin <linux@horizon.com> Tested-by: George Spelvin <linux@horizon.com> Signed-off-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-
John W. Linville authored
"hostap: Protect against initialization interrupt" (which reinstated "wireless: hostap, fix oops due to early probing interrupt") reintroduced Bug 16111. This is because hostap_pci wasn't setting dev->base_addr, which is now checked in prism2_interrupt. As a result, initialization was failing for PCI-based hostap devices. This corrects that oversight. Signed-off-by: John W. Linville <linville@tuxdriver.com>
-