1. 10 Jan, 2016 3 commits
    • Hannes Frederic Sowa's avatar
      udp: restrict offloads to one namespace · 787d7ac3
      Hannes Frederic Sowa authored
      udp tunnel offloads tend to aggregate datagrams based on inner
      headers. gro engine gets notified by tunnel implementations about
      possible offloads. The match is solely based on the port number.
      
      Imagine a tunnel bound to port 53, the offloading will look into all
      DNS packets and tries to aggregate them based on the inner data found
      within. This could lead to data corruption and malformed DNS packets.
      
      While this patch minimizes the problem and helps an administrator to find
      the issue by querying ip tunnel/fou, a better way would be to match on
      the specific destination ip address so if a user space socket is bound
      to the same address it will conflict.
      
      Cc: Tom Herbert <tom@herbertland.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      787d7ac3
    • Nicolas Dichtel's avatar
      vxlan: fix test which detect duplicate vxlan iface · 07b9b37c
      Nicolas Dichtel authored
      When a vxlan interface is created, the driver checks that there is not
      another vxlan interface with the same properties. To do this, it checks
      the existing vxlan udp socket. Since commit 1c51a915, the creation of
      the vxlan socket is done only when the interface is set up, thus it breaks
      that test.
      
      Example:
      $ ip l a vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip l a vxlan11 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip -br l | grep vxlan
      vxlan10          DOWN           f2:55:1c:6a:fb:00 <BROADCAST,MULTICAST>
      vxlan11          DOWN           7a:cb:b9:38:59:0d <BROADCAST,MULTICAST>
      
      Instead of checking sockets, let's loop over the vxlan iface list.
      
      Fixes: 1c51a915 ("vxlan: fix race caused by dropping rtnl_unlock")
      Reported-by: default avatarThomas Faivre <thomas.faivre@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      07b9b37c
    • Oliver Neukum's avatar
      cdc-acm: fix NULL pointer reference · 29c6dd59
      Oliver Neukum authored
      The union descriptor must be checked. Its usage was conditional
      before the parser was introduced. This is important, because
      many RNDIS device, which also use the common parser, have
      bogus extra descriptors.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Tested-by: default avatarVasily Galkin <galkin-vv@yandex.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      29c6dd59
  2. 09 Jan, 2016 3 commits
  3. 08 Jan, 2016 2 commits
  4. 07 Jan, 2016 3 commits
    • Woojung.Huh@microchip.com's avatar
      net: lan78xx: Fix to write to OTP(One Time Programmable) per magic number. · 9fb6066d
      Woojung.Huh@microchip.com authored
      This patch fixes a bug writing to EEPROM in lan78xx_ethtool_set_eeprom()
      when asked to write to OTP.
      Signed-off-by: default avatarWoojung Huh <woojung.huh@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9fb6066d
    • Sven Eckelmann's avatar
      batman-adv: Fix invalid read while copying bat_iv.bcast_own · 13bbdd37
      Sven Eckelmann authored
      batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously
      belonged to the now removed interface. This is done by copying all data
      which comes before the removed interface and then appending all the data
      which comes after the removed interface.
      
      The address calculation for the position of the data which comes after the
      removed interface assumed that the bat_iv.bcast_own is a pointer to a
      single byte datatype. But it is a pointer to unsigned long and thus the
      calculated position was wrong off factor sizeof(unsigned long).
      
      Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets /
      bitarray added)")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      13bbdd37
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 51cb67c0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "As usual, there are a couple straggler bug fixes:
      
         1) qlcnic_alloc_mbx_args() error returns are not checked in qlcnic
            driver.  Fix from Insu Yun.
      
         2) SKB refcounting bug in connector, from Florian Westphal.
      
         3) vrf_get_saddr() has to propagate fib_lookup() errors to it's
            callers, from David Ahern.
      
         4) Fix AF_UNIX splice/bind deadlock, from Rainer Weikusat.
      
         5) qdisc_rcu_free() fails to free the per-cpu qstats.  Fix from John
            Fastabend.
      
         6) vmxnet3 driver passes wrong page to dma_map_page(), fix from
           Shrikrishna Khare.
      
         7) Don't allow zero cwnd in tcp_cwnd_reduction(), from Yuchung Cheng"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        tcp: fix zero cwnd in tcp_cwnd_reduction
        Driver: Vmxnet3: Fix regression caused by 5738a09d
        net: qmi_wwan: Add WeTelecom-WPD600N
        mkiss: fix scribble on freed memory
        net: possible use after free in dst_release
        net: sched: fix missing free per cpu on qstats
        ARM: net: bpf: fix zero right shift
        6pack: fix free memory scribbles
        net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
        bridge: Only call /sbin/bridge-stp for the initial network namespace
        af_unix: Fix splice-bind deadlock
        net: Propagate lookup failure in l3mdev_get_saddr to caller
        r8152: add reset_resume function
        connector: bump skb->users before callback invocation
        cxgb4: correctly handling failed allocation
        qlcnic: correctly handle qlcnic_alloc_mbx_args
      51cb67c0
  5. 06 Jan, 2016 9 commits
  6. 05 Jan, 2016 8 commits
    • Hannes Frederic Sowa's avatar
      bridge: Only call /sbin/bridge-stp for the initial network namespace · ff621985
      Hannes Frederic Sowa authored
      [I stole this patch from Eric Biederman. He wrote:]
      
      > There is no defined mechanism to pass network namespace information
      > into /sbin/bridge-stp therefore don't even try to invoke it except
      > for bridge devices in the initial network namespace.
      >
      > It is possible for unprivileged users to cause /sbin/bridge-stp to be
      > invoked for any network device name which if /sbin/bridge-stp does not
      > guard against unreasonable arguments or being invoked twice on the
      > same network device could cause problems.
      
      [Hannes: changed patch using netns_eq]
      
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ff621985
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.4-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · ee9a7d2c
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Two more fixes:
      
        1. The recordmcount change had an output that used sprintf()
           (incorrectly) when it should have been a fprintf() to stderr.
      
        2. The printk_formats file could crash if someone added a
           trace_printk() in the core kernel, and also added one in a module.
           This does not affect production kernels.  Only kernels where
           developers add trace_printk() for debugging can crash"
      
      * tag 'trace-v4.4-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix setting of start_index in find_next()
        ftrace/scripts: Fix incorrect use of sprintf in recordmcount
      ee9a7d2c
    • Linus Torvalds's avatar
      Merge branch 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile · 3331f99a
      Linus Torvalds authored
      Pull tile bugfix from Chris Metcalf:
       "This fixes a bug that Sudip's buildbot found for tilepro allmodconfig.
      
        I've tagged it for stable only back to 3.19, which was when most of
        the other affected architectures added their support for working
        around this issue"
      
      * 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
        tile: provide CONFIG_PAGE_SIZE_64KB etc for tilepro
      3331f99a
    • Chris Metcalf's avatar
      tile: provide CONFIG_PAGE_SIZE_64KB etc for tilepro · c1b27ab5
      Chris Metcalf authored
      This allows the build system to know that it can't attempt to
      configure the Lustre virtual block device, for example, when tilepro
      is using 64KB pages (as it does by default).  The tilegx build
      already provided those symbols.
      
      Previously we required that the tilepro hypervisor be rebuilt with
      a different hardcoded page size in its headers, and then Linux be
      rebuilt using the updated hypervisor header.  Now we allow each of
      the hypervisor and Linux to be built independently.  We still check
      at boot time to ensure that the page size provided by the hypervisor
      matches what Linux expects.
      Signed-off-by: default avatarChris Metcalf <cmetcalf@ezchip.com>
      Cc: stable@vger.kernel.org [3.19+]
      c1b27ab5
    • Rainer Weikusat's avatar
      af_unix: Fix splice-bind deadlock · c845acb3
      Rainer Weikusat authored
      On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
      system call and AF_UNIX sockets,
      
      http://lists.openwall.net/netdev/2015/11/06/24
      
      The situation was analyzed as
      
      (a while ago) A: socketpair()
      B: splice() from a pipe to /mnt/regular_file
      	does sb_start_write() on /mnt
      C: try to freeze /mnt
      	wait for B to finish with /mnt
      A: bind() try to bind our socket to /mnt/new_socket_name
      	lock our socket, see it not bound yet
      	decide that it needs to create something in /mnt
      	try to do sb_start_write() on /mnt, block (it's
      	waiting for C).
      D: splice() from the same pipe to our socket
      	lock the pipe, see that socket is connected
      	try to lock the socket, block waiting for A
      B:	get around to actually feeding a chunk from
      	pipe to file, try to lock the pipe.  Deadlock.
      
      on 2015/11/10 by Al Viro,
      
      http://lists.openwall.net/netdev/2015/11/10/4
      
      The patch fixes this by removing the kern_path_create related code from
      unix_mknod and executing it as part of unix_bind prior acquiring the
      readlock of the socket in question. This means that A (as used above)
      will sb_start_write on /mnt before it acquires the readlock, hence, it
      won't indirectly block B which first did a sb_start_write and then
      waited for a thread trying to acquire the readlock. Consequently, A
      being blocked by C waiting for B won't cause a deadlock anymore
      (effectively, both A and B acquire two locks in opposite order in the
      situation described above).
      
      Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
      Signed-off-by: default avatarRainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c845acb3
    • David Ahern's avatar
      net: Propagate lookup failure in l3mdev_get_saddr to caller · b5bdacf3
      David Ahern authored
      Commands run in a vrf context are not failing as expected on a route lookup:
          root@kenny:~# ip ro ls table vrf-red
          unreachable default
      
          root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254
          ping: Warning: source address might be selected on device other than vrf-red.
          PING 10.100.1.254 (10.100.1.254) from 0.0.0.0 vrf-red: 56(84) bytes of data.
      
          --- 10.100.1.254 ping statistics ---
          2 packets transmitted, 0 received, 100% packet loss, time 999ms
      
      Since the vrf table does not have a route for 10.100.1.254 the ping
      should have failed. The saddr lookup causes a full VRF table lookup.
      Propogating a lookup failure to the user allows the command to fail as
      expected:
      
          root@kenny:~# ping -I vrf-red -c1 -w1 10.100.1.254
          connect: No route to host
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b5bdacf3
    • hayeswang's avatar
      r8152: add reset_resume function · 7ec2541a
      hayeswang authored
      When the reset_resume() is called, the flag of SELECTIVE_SUSPEND should be
      cleared and reinitialize the device, whether the SELECTIVE_SUSPEND is set
      or not. If reset_resume() is called, it means the power supply is cut or the
      device is reset. That is, the device wouldn't be in runtime suspend state and
      the reinitialization is necessary.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7ec2541a
    • Florian Westphal's avatar
      connector: bump skb->users before callback invocation · 55285bf0
      Florian Westphal authored
      Dmitry reports memleak with syskaller program.
      Problem is that connector bumps skb usecount but might not invoke callback.
      
      So move skb_get to where we invoke the callback.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55285bf0
  7. 04 Jan, 2016 4 commits
    • Insu Yun's avatar
      cxgb4: correctly handling failed allocation · 3934aa4c
      Insu Yun authored
      Since t4_alloc_mem can be failed in memory pressure,
      if not properly handled, NULL dereference could be happened.
      Signed-off-by: default avatarInsu Yun <wuninsu@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3934aa4c
    • Insu Yun's avatar
      qlcnic: correctly handle qlcnic_alloc_mbx_args · b77357b6
      Insu Yun authored
      Since qlcnic_alloc_mbx_args can be failed,
      return value should be checked.
      Signed-off-by: default avatarInsu Yun <wuninsu@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b77357b6
    • Qiu Peiyang's avatar
      tracing: Fix setting of start_index in find_next() · f36d1be2
      Qiu Peiyang authored
      When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
      panic at t_show.
      
      general protection fault: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 2957 Comm: sh Tainted: G W  O 3.14.55-x86_64-01062-gd4acdc7 #2
      RIP: 0010:[<ffffffff811375b2>]
       [<ffffffff811375b2>] t_show+0x22/0xe0
      RSP: 0000:ffff88002b4ebe80  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
      RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
      RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
      R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
      R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
      FS:  0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
      Call Trace:
       [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
       [<ffffffff811b749b>] vfs_read+0x9b/0x160
       [<ffffffff811b7f69>] SyS_read+0x49/0xb0
       [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
       ---[ end trace 5bd9eb630614861e ]---
      Kernel panic - not syncing: Fatal exception
      
      When the first time find_next calls find_next_mod_format, it should
      iterate the trace_bprintk_fmt_list to find the first print format of
      the module. However in current code, start_index is smaller than *pos
      at first, and code will not iterate the list. Latter container_of will
      get the wrong address with former v, which will cause mod_fmt be a
      meaningless object and so is the returned mod_fmt->fmt.
      
      This patch will fix it by correcting the start_index. After fixed,
      when the first time calls find_next_mod_format, start_index will be
      equal to *pos, and code will iterate the trace_bprintk_fmt_list to
      get the right module printk format, so is the returned mod_fmt->fmt.
      
      Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
      
      Cc: stable@vger.kernel.org # 3.12+
      Fixes: 102c9323 "tracing: Add __tracepoint_string() to export string pointers"
      Signed-off-by: default avatarQiu Peiyang <peiyangx.qiu@intel.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      f36d1be2
    • Colin Ian King's avatar
      ftrace/scripts: Fix incorrect use of sprintf in recordmcount · 713a3e4d
      Colin Ian King authored
      Fix build warning:
      
      scripts/recordmcount.c:589:4: warning: format not a string
      literal and no format arguments [-Wformat-security]
          sprintf("%s: failed\n", file);
      
      Fixes: a50bd439 ("ftrace/scripts: Have recordmcount copy the object file")
      Link: http://lkml.kernel.org/r/1451516801-16951-1-git-send-email-colin.king@canonical.com
      
      Cc: Li Bin <huawei.libin@huawei.com>
      Cc: Russell King <rmk+kernel@arm.linux.org.uk>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: stable@vger.kernel.org # 2.6.37+
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      713a3e4d
  8. 03 Jan, 2016 3 commits
  9. 31 Dec, 2015 5 commits
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.4-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 9c982e86
      Linus Torvalds authored
      Pull PCI bugfix from Bjorn Helgaas:
       "Here's another fix for v4.4.
      
        This fixes 32-bit config reads for the HiSilicon driver.  Obviously
        the driver is completely broken without this fix (apparently it
        actually was tested internally, but got broken somehow in the process
        of upstreaming it).
      
        Summary:
      
        HiSilicon host bridge driver
          Fix 32-bit config reads (Dongdong Liu)"
      
      * tag 'pci-v4.4-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: hisi: Fix hisi_pcie_cfg_read() 32-bit reads
      9c982e86
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 7c672dd6
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Just some missing syscall wire ups"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Wire up mlock2 system call.
        sparc: Add all necessary direct socket system calls.
      7c672dd6
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8f5daf2a
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Prevent XFRM per-cpu counter updates for one namespace from being
          applied to another namespace.  Fix from DanS treetman.
      
       2) Fix RCU de-reference in iwl_mvm_get_key_sta_id(), from Johannes
          Berg.
      
       3) Remove ethernet header assumption in nft_do_chain_netdev(), from
          Pablo Neira Ayuso.
      
       4) Fix cpsw PHY ident with multiple slaves and fixed-phy, from Pascal
          Speck.
      
       5) Fix use after free in sixpack_close and mkiss_close.
      
       6) Fix VXLAN fw assertion on bnx2x, from Yuval Mintz.
      
       7) natsemi doesn't check for DMA mapping errors, from Alexey
          Khoroshilov.
      
       8) Fix inverted test in ip6addrlbl_get(), from ANdrey Ryabinin.
      
       9) Missing initialization of needed_headroom in geneve tunnel driver,
          from Paolo Abeni.
      
      10) Fix conntrack template leak in openvswitch, from Joe Stringer.
      
      11) Mission initialization of wq->flags in sock_alloc_inode(), from
          Nicolai Stange.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits)
        sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
        net, socket, socket_wq: fix missing initialization of flags
        drivers: net: cpsw: fix error return code
        openvswitch: Fix template leak in error cases.
        sctp: label accepted/peeled off sockets
        sctp: use GFP_USER for user-controlled kmalloc
        qlcnic: fix a loop exit condition better
        net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
        geneve: initialize needed_headroom
        ipv6: honor ifindex in case we receive ll addresses in router advertisements
        addrconf: always initialize sysctl table data
        ipv6/addrlabel: fix ip6addrlbl_get()
        switchdev: bridge: Pass ageing time as clock_t instead of jiffies
        sh_eth: fix 16-bit descriptor field access endianness too
        veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
        net: usb: cdc_ncm: Adding Dell DW5813 LTE AT&T Mobile Broadband Card
        net: usb: cdc_ncm: Adding Dell DW5812 LTE Verizon Mobile Broadband Card
        natsemi: add checks for dma mapping errors
        rhashtable: Kill harmless RCU warning in rhashtable_walk_init
        openvswitch: correct encoding of set tunnel action attributes
        ...
      8f5daf2a
    • David S. Miller's avatar
      sparc: Wire up mlock2 system call. · 42d85c52
      David S. Miller authored
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42d85c52
    • David S. Miller's avatar
      sparc: Add all necessary direct socket system calls. · 8b30ca73
      David S. Miller authored
      The GLIBC folks would like to eliminate socketcall support
      eventually, and this makes sense regardless so wire them
      all up.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8b30ca73