- 06 Jan, 2015 4 commits
-
-
Pablo Neira Ayuso authored
Jumping between chains doesn't mix well with flush ruleset. Rules from a different chain and set elements may still refer to us. [ 353.373791] ------------[ cut here ]------------ [ 353.373845] kernel BUG at net/netfilter/nf_tables_api.c:1159! [ 353.373896] invalid opcode: 0000 [#1] SMP [ 353.373942] Modules linked in: intel_powerclamp uas iwldvm iwlwifi [ 353.374017] CPU: 0 PID: 6445 Comm: 31c3.nft Not tainted 3.18.0 #98 [ 353.374069] Hardware name: LENOVO 5129CTO/5129CTO, BIOS 6QET47WW (1.17 ) 07/14/2010 [...] [ 353.375018] Call Trace: [ 353.375046] [<ffffffff81964c31>] ? nf_tables_commit+0x381/0x540 [ 353.375101] [<ffffffff81949118>] nfnetlink_rcv+0x3d8/0x4b0 [ 353.375150] [<ffffffff81943fc5>] netlink_unicast+0x105/0x1a0 [ 353.375200] [<ffffffff8194438e>] netlink_sendmsg+0x32e/0x790 [ 353.375253] [<ffffffff818f398e>] sock_sendmsg+0x8e/0xc0 [ 353.375300] [<ffffffff818f36b9>] ? move_addr_to_kernel.part.20+0x19/0x70 [ 353.375357] [<ffffffff818f44f9>] ? move_addr_to_kernel+0x19/0x30 [ 353.375410] [<ffffffff819016d2>] ? verify_iovec+0x42/0xd0 [ 353.375459] [<ffffffff818f3e10>] ___sys_sendmsg+0x3f0/0x400 [ 353.375510] [<ffffffff810615fa>] ? native_sched_clock+0x2a/0x90 [ 353.375563] [<ffffffff81176697>] ? acct_account_cputime+0x17/0x20 [ 353.375616] [<ffffffff8110dc78>] ? account_user_time+0x88/0xa0 [ 353.375667] [<ffffffff818f4bbd>] __sys_sendmsg+0x3d/0x80 [ 353.375719] [<ffffffff81b184f4>] ? int_check_syscall_exit_work+0x34/0x3d [ 353.375776] [<ffffffff818f4c0d>] SyS_sendmsg+0xd/0x20 [ 353.375823] [<ffffffff81b1826d>] system_call_fastpath+0x16/0x1b Release objects in this order: rules -> sets -> chains -> tables, to make sure no references to chains are held anymore. Reported-by:
Asbjoern Sloth Toennesen <asbjorn@asbjorn.biz> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
Relax the checking that was introduced in 97840cb6 ("netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind") when the subscription bitmask is used. Existing userspace code code may request to listen to all of the existing netlink groups by setting an all to one subscription group bitmask. Netlink already validates subscription via setsockopt() for us. Signed-off-by:
-
Pablo Neira Ayuso authored
Make sure there is enough room for the nfnetlink header in the netlink messages that are part of the batch. There is a similar check in netlink_rcv_skb(). Signed-off-by: -
Pablo Neira Ayuso authored
Commit 5195c14c ("netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse") aimed to resolve the race condition between the confirmation (packet path) and the flush command (from control plane). However, it introduced a crash when several packets race to add a new conntrack, which seems easier to reproduce when nf_queue is in place. Fix this race, in __nf_conntrack_confirm(), by removing the CT from unconfirmed list before checking the DYING bit. In case race occured, re-add the CT to the dying list This patch also changes the verdict from NF_ACCEPT to NF_DROP when we lose race. Basically, the confirmation happens for the first packet that we see in a flow. If you just invoked conntrack -F once (which should be the common case), then this is likely to be the first packet of the flow (unless you already called flush anytime soon in the past). This should be hard to trigger, but better drop this packet, otherwise we leave things in inconsistent state since the destination will likely reply to this packet, but it will find no conntrack, unless the origin retransmits. The change of the verdict has been discussed in: https://www.marc.info/?l=linux-netdev&m=141588039530056&w=2Signed-off-by:
-
- 23 Dec, 2014 1 commit
-
-
leroy christophe authored
Make sure this fetches 16-bits port data from the register. Remove casting to make sparse happy, not needed anymore. Signed-off-by:
leroy christophe <christophe.leroy@c-s.fr> Signed-off-by:
-
- 18 Dec, 2014 10 commits
-
-
Pablo Neira Ayuso authored
Merge tag 'ipvs2-for-v3.19' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next into ipvs-next Simon Horman says: ==================== Second round of IPVS Updates for v3.19 please consider these IPVS updates for v3.19 or alternatively v3.20. The single patch in this series fixes a long standing bug that has not caused any trouble and thus is not being prioritised as a fix. ==================== Signed-off-by:
-
Sriharsha Basavapatna authored
An earlier commit to resolve an issue with encapsulation offloads missed setting a bit in the outer netdev features flag. This results in loss of TSO feature on a VxLAN interface. Fixes: 630f4b70 ("Export tunnel offloads only when a VxLAN tunnel is created") Signed-off-by:
Sriharsha Basavapatna <sriharsha.basavapatna@emulex.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Jiri Benc authored
Noticed when debugging ptp. Signed-off-by:
Jiri Benc <jbenc@redhat.com> Signed-off-by:
-
David Vrabel authored
Commit bc96f648 (xen-netback: make feature-rx-notify mandatory) incorrectly assumed that there were no frontends in use that did not support this feature. But the frontend driver in MiniOS does not and since this is used by (qemu) stubdoms, these stopped working. Netback sort of works as-is in this mode except: - If there are no Rx requests and the internal Rx queue fills, only the drain timeout will wake the thread. The default drain timeout of 10 s would give unacceptable pauses. - If an Rx stall was detected and the internal Rx queue is drained, then the Rx thread would never wake. Handle these two cases (when feature-rx-notify is disabled) by: - Reducing the drain timeout to 30 ms. - Disabling Rx stall detection. Reported-by:
John <jw@nuclearfallout.net> Tested-by:
David Vrabel <david.vrabel@citrix.com> Reviewed-by:
Wei Liu <wei.liu2@citrix.com> Signed-off-by:
-
John W. Linville authored
http://marc.info/?l=linux-wireless&m=141883202530292&w=2 This makes it official... :-) Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Hariprasad Shenai authored
QSA module was getting decoded as QSFP module in ethtool get settings, this patch fixes it. Signed-off-by:
Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by:
-
Jesse Gross authored
Currently, searching for a socket to add a reference to is not synchronized with deletion of sockets. This can result in use after free if there is another operation that is removing a socket at the same time. Solving this requires both holding the appropriate lock and checking the refcount to ensure that it has not already hit zero. Inspired by a related (but not exactly the same) issue in the VXLAN driver. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou <azhou@nicira.com> Signed-off-by:
Jesse Gross <jesse@nicira.com> Acked-by:
Thomas Graf <tgraf@suug.ch> Signed-off-by:
-
Jesse Gross authored
Sockets aren't currently removed from the the global list when they are destroyed. In addition, offload handlers need to be cleaned up as well. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou <azhou@nicira.com> Signed-off-by:
-
Thomas Graf authored
Each mmap Netlink frame contains a status field which indicates whether the frame is unused, reserved, contains data or needs to be skipped. Both loads and stores may not be reordeded and must complete before the status field is changed and another CPU might pick up the frame for use. Use an smp_mb() to cover needs of both types of callers to netlink_set_status(), callers which have been reading data frame from the frame, and callers which have been filling or releasing and thus writing to the frame. - Example code path requiring a smp_rmb(): memcpy(skb->data, (void *)hdr + NL_MMAP_HDRLEN, hdr->nm_len); netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED); - Example code path requiring a smp_wmb(): hdr->nm_uid = from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid); hdr->nm_gid = from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid); netlink_frame_flush_dcache(hdr); netlink_set_status(hdr, NL_MMAP_STATUS_VALID); Fixes: f9c228 ("netlink: implement memory mapped recvmsg()") Reported-by:Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
David Miller authored
Checking the file f_count and the nlk->mapped count is not completely sufficient to prevent the mmap'd area contents from changing from under us during netlink mmap sendmsg() operations. Be careful to sample the header's length field only once, because this could change from under us as well. Fixes: 5fd96123 ("netlink: implement memory mapped sendmsg()") Signed-off-by:
Daniel Borkmann <dborkman@redhat.com> Acked-by:
-
- 16 Dec, 2014 18 commits
-
-
Or Gerlitz authored
The current implementations all use dev_uc_add_excl() and such whose API doesn't support vlans, so we can't make it with NICs HW for now. Fixes: f6f6424b ('net: make vid as a parameter for ndo_fdb_add/ndo_fdb_del') Signed-off-by:
Or Gerlitz <ogerlitz@mellanox.com> Reviewed-by:
Jiri Pirko <jiri@resnulli.us> Acked-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
Ido Shamay authored
This commit contains 2 fixes for the 128B CQE/EQE stride feaure. Wei found that mlx4_QUERY_HCA function marked the wrong capability in flags (64B CQE/EQE), when CQE/EQE stride feature was enabled. Also added small fix in initial CQE ownership bit assignment, when CQE is size is not default 32B. Fixes: 77507aa2 (net/mlx4: Enable CQE/EQE stride support) Signed-off-by:
Wei Yang <weiyang@linux.vnet.ibm.com> Signed-off-by:
Ido Shamay <idos@mellanox.com> Signed-off-by:
Amir Vadai <amirv@mellanox.com> Signed-off-by:
-
Nimrod Andy authored
Do camera capture test on i.MX6q sabresd board, and save the capture data to nfs rootfs. The command is: gst-launch-1.0 -e imxv4l2src device=/dev/video1 num-buffers=2592000 ! tee name=t ! queue ! imxv4l2sink sync=false t. ! queue ! vpuenc ! queue ! mux. pulsesrc num-buffers=3720937 blocksize=4096 ! 'audio/x-raw, rate=44100, channels=2' ! queue ! imxmp3enc ! mpegaudioparse ! queue ! mux. qtmux name=mux ! filesink location=video_recording_long.mov After about 10 hours running, there have net watchdog timeout kernel dump: ... WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:264 dev_watchdog+0x2b4/0x2d8() NETDEV WATCHDOG: eth0 (fec): transmit queue 0 timed out CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.14.24-01051-gdb840b7 #440 [<80014e6c>] (unwind_backtrace) from [<800118ac>] (show_stack+0x10/0x14) [<800118ac>] (show_stack) from [<806ae3f0>] (dump_stack+0x78/0xc0) [<806ae3f0>] (dump_stack) from [<8002b504>] (warn_slowpath_common+0x68/0x8c) [<8002b504>] (warn_slowpath_common) from [<8002b558>] (warn_slowpath_fmt+0x30/0x40) [<8002b558>] (warn_slowpath_fmt) from [<8055e0d4>] (dev_watchdog+0x2b4/0x2d8) [<8055e0d4>] (dev_watchdog) from [<800352d8>] (call_timer_fn.isra.33+0x24/0x8c) [<800352d8>] (call_timer_fn.isra.33) from [<800354c4>] (run_timer_softirq+0x184/0x220) [<800354c4>] (run_timer_softirq) from [<8002f420>] (__do_softirq+0xc0/0x22c) [<8002f420>] (__do_softirq) from [<8002f804>] (irq_exit+0xa8/0xf4) [<8002f804>] (irq_exit) from [<8000ee5c>] (handle_IRQ+0x54/0xb4) [<8000ee5c>] (handle_IRQ) from [<80008598>] (gic_handle_irq+0x28/0x5c) [<80008598>] (gic_handle_irq) from [<800123c0>] (__irq_svc+0x40/0x74) Exception stack(0x80d27f18 to 0x80d27f60) 7f00: 80d27f60 0000014c 7f20: 8858c60e 0000004d 884e4540 0000004d ab7250d0 80d34348 00000000 00000000 7f40: 00000001 00000000 00000017 80d27f60 800702a4 80476e6c 600f0013 ffffffff [<800123c0>] (__irq_svc) from [<80476e6c>] (cpuidle_enter_state+0x50/0xe0) [<80476e6c>] (cpuidle_enter_state) from [<80476fa8>] (cpuidle_idle_call+0xac/0x154) [<80476fa8>] (cpuidle_idle_call) from [<8000f174>] (arch_cpu_idle+0x8/0x44) [<8000f174>] (arch_cpu_idle) from [<80064c54>] (cpu_startup_entry+0x100/0x158) [<80064c54>] (cpu_startup_entry) from [<80cd8a9c>] (start_kernel+0x304/0x368) ---[ end trace 09ebd32fb032f86d ]--- ... There might have a race in napi_schedule(), leaving interrupts disabled forever. After these patch, the case still work more than 40 hours running. Signed-off-by:
Fugang Duan <B38611@freescale.com> Signed-off-by:
-
David Vrabel authored
After d75b1ade (net: less interrupt masking in NAPI) the napi instance is removed from the per-cpu list prior to calling the n->poll(), and is only requeued if all of the budget was used. This inadvertently broke netfront because netfront does not use NAPI correctly. If netfront had not used all of its budget it would do a final check for any Rx responses and avoid calling napi_complete() if there were more responses. It would still return under budget so it would never be rescheduled. The final check would also not re-enable the Rx interrupt. Additionally, xenvif_poll() would also call napi_complete() /after/ enabling the interrupt. This resulted in a race between the napi_complete() and the napi_schedule() in the interrupt handler. The use of local_irq_save/restore() avoided by race iff the handler is running on the same CPU but not if it was running on a different CPU. Fix both of these by always calling napi_compete() if the budget was not all used, and then calling napi_schedule() if the final checks says there's more work. Signed-off-by:
-
Thomas Graf authored
The encap->type comes straight from Netlink. Validate it against max supported encap types just like ip_encap_hlen() already does. Fixes: a8c5f9 ("ip_tunnel: Ops registration for secondary encap (fou, gue)") Signed-off-by: -
Thomas Graf authored
The symbols are exported and could be used by external modules. Fixes: a8c5f9 ("ip_tunnel: Ops registration for secondary encap (fou, gue)") Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirelessDavid S. Miller authored
John W. Linville says: ==================== pull request: wireless 2014-12-16 Please pull this batch of fixes intended for the 3.19 stream! For the Bluetooth bits, Johan says: "The patches consist of: - Coccinelle warning fix - hci_dev_lock/unlock fixes - Fixes for pending mgmt command handling - Fixes for properly following the force_lesc_support switch - Fix for a Microsoft branded Broadcom adapter - New device id for Atheros AR3012 - Fix for BR/EDR Secure Connections enabling" Along with that... Brian Norris avoids leaking some kernel memory contents via printk in brcmsmac. Julia Lawall corrects some misspellings in a few drivers. Larry Finger gives us one more rtlwifi fix to correct a porting oversight. Wei Yongjun fixes a sparse warning in rtlwifi. Please let me know if there are problems! ==================== Signed-off-by: -
David S. Miller authored
Otherwise we get things like: warning: (NET_DSA_BCM_SF2 && BCMGENET && SYSTEMPORT) selects FIXED_PHY which has unmet direct dependencies (NETDEVICES && PHYLIB=y) In order to make this work we have to rename fixed.c to fixed_phy.c because the regulator drivers already have a module named "fixed.o". Signed-off-by: -
David S. Miller authored
Michael S. Tsirkin says: ==================== tun/macvtap: TUNSETIFF fixes Dan Carpenter reported the following: static checker warning: drivers/net/tun.c:1694 tun_set_iff() warn: 0x17100 is larger than 16 bits drivers/net/tun.c 1692 1693 tun->flags = (tun->flags & ~TUN_FEATURES) | 1694 (ifr->ifr_flags & TUN_FEATURES); 1695 It's complaining because the "ifr->ifr_flags" variable is a short (should it be unsigned?). The new define: #define IFF_VNET_LE 0x10000 doesn't fit in two bytes. Other suspect looking code could be: return __virtio16_to_cpu(q->flags & IFF_VNET_LE, val); And that's true: we have run out of IFF flags in tun. So let's not try to add more: add simple GET/SET ioctls instead. Easy to test, leads to clear semantics. Alternatively we'll have to revert the whole thing for 3.19, but that seems more work as this has dependencies in other places. While here, I noticed that macvtap was actually reading ifreq flags as a 32 bit field. Fix that up as well. ==================== Signed-off-by: -
Michael S. Tsirkin authored
Everyone should use TUNSETVNETLE/TUNGETVNETLE instead. Signed-off-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
-
Michael S. Tsirkin authored
Use TUNSETVNETLE/TUNGETVNETLE instead. Signed-off-by:
-
Michael S. Tsirkin authored
Use TUNSETVNETLE/TUNGETVNETLE instead. Signed-off-by:
-
Michael S. Tsirkin authored
ifreq flags field is only 16 bit wide, so setting IFF_VNET_LE there has no effect: doesn't fit in two bytes. The tests passed apparently because they have an even number of bugs, all cancelling out. Luckily we didn't release a kernel with this flag, so it's not too late to fix this. Add TUNSETVNETLE/TUNGETVNETLE to really achieve the purpose of IFF_VNET_LE. This has an added benefit that if we ever want a BE flag, we won't have to deal with weird configurations like setting both LE and BE at the same time. IFF_VNET_LE will be dropped in a follow-up patch. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Michael S. Tsirkin authored
flags field in ifreq is only 16 bit wide, but we read it as a 32 bit value. If userspace doesn't zero-initialize unused fields, this will lead to failures. Signed-off-by:
-
David S. Miller authored
Florian Fainelli says: ==================== net: broadcom: fix FIXED_PHY dependencies This patch series removes the bogus "select FIXED_PHY if FOO=y" that I have been using in GENET, SYSTEMPORT and the SF2 DSA switch driver. ==================== Signed-off-by: -
Florian Fainelli authored
There is no need to do the following: select FIXED_PHY if NET_DSA_BCM_SF2=y, as this implies that we will not be able to build and/or run the driver correctly when built as a module, which is no longer an issue since commit 37e9a690 ("net: phy: export fixed_phy_register()"). Fixes: 246d7f77 ("net: dsa: add Broadcom SF2 switch driver") Signed-off-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
Florian Fainelli authored
There is no need to do the following: select FIXED_PHY if SYSTEMPORT=y, as this implies that we will not be able to build and/or run the driver correctly when built as a module, which is no longer an issue since commit 37e9a690 ("net: phy: export fixed_phy_register()") Fixes: a3862db2 ("net: systemport: hook SYSTEMPORT driver in the build") Signed-off-by:
-
Florian Fainelli authored
There is no need to do the following: select FIXED_PHY if BCMGENET=y, as this implies that we will not be able to build and/or run the driver correctly when built as a module, which is no longer an issue since commit 37e9a690 ("net: phy: export fixed_phy_register()") Fixes: b0ba512e225d ("net: bcmgenet: enable driver to work without device tree" Fixes: bdaa53bd ("net: bcmgenet: hook into the build system") Signed-off-by:
-
- 15 Dec, 2014 7 commits
-
-
Larry Finger authored
The setting of this flag was missed in previous modifications. Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by:
-
Brian Norris authored
Debug code prints the fifo name via custom dev_warn() wrappers. The fifo_names array is only non-zero when debugging is manually enabled, which is all well and good. However, it's *not* good that this array uses zero-length arrays in the non-debug case, and so it doesn't actually have any memory allocated to it. This means that as far as we know, fifo_names[i] actually points to garbage memory. I've seen this in my log: [ 4601.205511] brcmsmac bcma0:1: wl0: brcms_c_d11hdrs_mac80211: �GeL txop exceeded phylen 137/256 dur 1602/1504 So let's give this array space enough to fill it with a NULL byte. Signed-off-by:
Brian Norris <computersforpeace@gmail.com> Cc: Brett Rudley <brudley@broadcom.com> Cc: Arend van Spriel <arend@broadcom.com> Cc: "Franky (Zhenhui) Lin" <frankyl@broadcom.com> Cc: Hante Meuleman <meuleman@broadcom.com> Cc: "John W. Linville" <linville@tuxdriver.com> Cc: linux-wireless@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: netdev@vger.kernel.org Acked-by:
Arend van Spriel <arend@broadcom.com> Signed-off-by:
-
Wei Yongjun authored
Fixes the following sparse warning: drivers/net/wireless/rtlwifi/rtl8192cu/hw.c:1595:6: warning: symbol 'usb_cmd_send_packet' was not declared. Should it be static? Signed-off-by:
Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by:
-
Julia Lawall authored
Replace a misspelled function name by %s and then __func__. 8821 was written as 8812. This was done using Coccinelle, including the use of Levenshtein distance, as proposed by Rasmus Villemoes. Signed-off-by:
Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by:
-
Julia Lawall authored
Replace a misspelled function name by %s and then __func__. This was done using Coccinelle, including the use of Levenshtein distance, as proposed by Rasmus Villemoes. Signed-off-by:
-
Julia Lawall authored
Replace a misspelled function name by %s and then __func__. This was done using Coccinelle, including the use of Levenshtein distance, as proposed by Rasmus Villemoes. Signed-off-by:
-
John W. Linville authored
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
-
