1. 04 Feb, 2013 6 commits
    • Daniel Borkmann's avatar
      sctp: sctp_close: fix release of bindings for deferred call_rcu's · 8c98653f
      Daniel Borkmann authored
      It seems due to RCU usage, i.e. within SCTP's address binding list,
      a, say, ``behavioral change'' was introduced which does actually
      not conform to the RFC anymore. In particular consider the following
      (fictional) scenario to demonstrate this:
      
        do:
          Two SOCK_SEQPACKET-style sockets are opened (S1, S2)
          S1 is bound to 127.0.0.1, port 1024 [server]
          S2 is bound to 127.0.0.1, port 1025 [client]
          listen(2) is invoked on S1
          From S2 we call one sendmsg(2) with msg.msg_name and
             msg.msg_namelen parameters set to the server's
             address
          S1, S2 are closed
          goto do
      
      The first pass of this loop passes successful, while the second round
      fails during binding of S1 (address still in use). What is happening?
      In the first round, the initial handshake is being done, and, at the
      time close(2) is called on S1, a non-graceful shutdown is performed via
      ABORT since in S1's receive queue an unprocessed packet is present,
      thus stating an error condition. This can be considered as a correct
      behavior.
      
      During close also all bound addresses are freed, thus nothing *must*
      be active anymore. In reference to RFC2960:
      
        After checking the Verification Tag, the receiving endpoint shall
        remove the association from its record, and shall report the
        termination to its upper layer. (9.1 Abort of an Association)
      
      Also, no half-open states are supported, thus after an ungraceful
      shutdown, we leave nothing behind. However, this seems not to be
      happening though. In a real-world scenario, this is exactly where
      it breaks the lksctp-tools functional test suite, *for instance*:
      
        ./test_sockopt
        test_sockopt.c  1 PASS : getsockopt(SCTP_STATUS) on a socket with no assoc
        test_sockopt.c  2 PASS : getsockopt(SCTP_STATUS)
        test_sockopt.c  3 PASS : getsockopt(SCTP_STATUS) with invalid associd
        test_sockopt.c  4 PASS : getsockopt(SCTP_STATUS) with NULL associd
        test_sockopt.c  5 BROK : bind: Address already in use
      
      The underlying problem is that sctp_endpoint_destroy() hasn't been
      triggered yet while the next bind attempt is being done. It will be
      triggered eventually (but too late) by sctp_transport_destroy_rcu()
      after one RCU grace period:
      
        sctp_transport_destroy()
          sctp_transport_destroy_rcu() ----.
            sctp_association_put() [*]  <--+--> sctp_packet_free()
              sctp_association_destroy()          [...]
                sctp_endpoint_put()                 skb->destructor
                  sctp_endpoint_destroy()             sctp_wfree()
                    sctp_bind_addr_free()               sctp_association_put() [*]
      
      Thus, we move out the condition with sctp_association_put() as well as
      the sctp_packet_free() invocation and the issue can be solved. We also
      better free the SCTP chunks first before putting the ref of the association.
      
      With this patch, the example above (which simulates a similar scenario
      as in the implementation of this test case) and therefore also the test
      suite run successfully through. Tested by myself.
      
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c98653f
    • Vipul Pandya's avatar
      72073ad2
    • Gao feng's avatar
      netns: bond: allow unprivileged users to control bond device · 387ff911
      Gao feng authored
      reduce the permission check of bond device's ioctl.
      allow the userns root to control the bond device.
      Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      387ff911
    • Gao feng's avatar
      netns: bridge: allow unprivileged users add/delete mdb entry · e4d343ea
      Gao feng authored
      since the mdb table is belong to bridge device,and the
      bridge device can only be seen in one netns.
      So it's safe to allow unprivileged user which is the
      creator of userns and netns to modify the mdb table.
      Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e4d343ea
    • Gao feng's avatar
      netns: ebtable: allow unprivileged users to operate ebtables · bb12b8b2
      Gao feng authored
      ebt_table is a private resource of netns, operating ebtables
      in one netns will not affect other netns, we can allow the
      creator user of userns and netns to change the ebtables.
      Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb12b8b2
    • Gao feng's avatar
      netns: fdb: allow unprivileged users to add/del fdb entries · c5c35108
      Gao feng authored
      Right now,only ixgdb,macvlan,vxlan and bridge implement
      fdb_add/fdb_del operations.
      
      these operations only operate the private data of net
      device. So allowing the unprivileged users who creates
      the userns and netns to add/del fdb entries will do no
      harm to other netns.
      Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5c35108
  2. 03 Feb, 2013 5 commits
    • Alexey Khoroshilov's avatar
      stmmac: don't return zero on failure path in stmmac_pci_probe() · 4f463855
      Alexey Khoroshilov authored
      If stmmac_dvr_probe() fails in stmmac_pci_probe(), it breaks off initialization,
      deallocates all resources, but returns zero.
      The patch adds -ENODEV as return value in this case.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f463855
    • David S. Miller's avatar
      Merge branch 'delete-wanrouter' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux · 33397a71
      David S. Miller authored
      Paul Gortmaker says:
      
      ====================
      The removal of wanrouter code was originally listed in the (now
      gone) feature removal file since May 2012, and an RFC of the
      deletion was posted[1] in late 2012.  The overall concept was given
      an OK, but defconfig contamination, build failures, etc. meant that
      it didn't quite make it into mainline for 3.8.
      
      Since that time, Dan discovered (via code audit) a runtime bug that
      proves nobody has been using this for over four years[2].  With that
      new information, I think it makes sense for someone to follow through
      on Joe's original RFC and get this done for the 3.9 release.
      
      In addition to resolving the build failures of the RFC by keeping
      stub headers, this also splits the change into two parts, just like
      the token ring removal did.  Part #1 decouples the mainline kernel
      from the expired subsystem, and part #2 does the large scale
      deletion of the subsystem content.
      
      The advantage of the above, is that a "git blame" will never lead
      you to a 4000+ line deletion commit.  The large scale deletion will
      never show up in a "git blame" and hence the same advantages that we
      get from the "--irreversible-delete" in the review stage of "git
      format-patch" are also embedded into the git history itself.  This
      may seem like a moot point to some, but for those who spend a
      considerable amount of time data mining in the git history, this is
      probably worth doing.
      
      I have done build tests of all[mod/yes]config for both the stage 1
      (Makefile and Kconfig) and stage 2 (full driver delete) as a sanity
      check, and the issues with the previously posted RFC should be gone.
      
      Speaking of "--irreversible-delete" -- these patches were created
      with that option, so if you want to use them locally, you are going
      to have to pull (location below) the content instead of doing a
      "git am" of the mailed out content.
      
      [1] http://patchwork.ozlabs.org/patch/198794/
      [2] http://www.spinics.net/lists/netdev/msg218670.html
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33397a71
    • Dan Carpenter's avatar
      qlcnic: silence false positive overflow warning · 7bc48646
      Dan Carpenter authored
      We actually store the MAC address as well as the board_name here.  The
      longest board_name is 75 characters so there is more than enough room
      to hold the 17 character MAC and the ": " divider.  But making this
      buffer larger silences a static checker warning.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-By: default avatarJitendra Kalsaria <jitendra.kalsaria@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7bc48646
    • Mahesh Bandewar's avatar
      bnx2x: Force link UP when the interface is in LOOPBACK mode · 7614fe88
      Mahesh Bandewar authored
      When the interface does not have carrier but when it's put into
      loopback mode (for tests), it does not make sense to not have
      the carrier. So force it!
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Acked-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7614fe88
    • David S. Miller's avatar
      Merge branch 'intel' · daef2262
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      This series contains updates to ixgbe and e1000e.  The ixgbe patches are
      a mix of fixes, cleanup and added functionality.  The first fix is for
      traffic classes, where if the mapping has changed reset the NIC.  The other
      ixgbe fix resolves an issue where the device lookup neglected to do a
      pci_dev_put() to decrement the device reference count.
      
      The ixgbe cleanup was done by Josh, where the auto-negotiation variables
      were renamed/cleaned up and refactored.
      
      The remaining patches are from Bruce to do additional cleanup on e1000e as
      well as bump the driver version.  Most notably is the cleanup to use the
      kernel IEEE MII definitions where possible instead of the local MII
      definitions.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      daef2262
  3. 01 Feb, 2013 13 commits
  4. 31 Jan, 2013 16 commits