1. 17 Mar, 2015 1 commit
  2. 16 Mar, 2015 10 commits
  3. 14 Mar, 2015 4 commits
  4. 13 Mar, 2015 4 commits
  5. 12 Mar, 2015 6 commits
    • Jason Wang's avatar
      virtio-net: correctly delete napi hash · ab3971b1
      Jason Wang authored
      We don't delete napi from hash list during module exit. This will
      cause the following panic when doing module load and unload:
      
      BUG: unable to handle kernel paging request at 0000004e00000075
      IP: [<ffffffff816bd01b>] napi_hash_add+0x6b/0xf0
      PGD 3c5d5067 PUD 0
      Oops: 0000 [#1] SMP
      ...
      Call Trace:
      [<ffffffffa0a5bfb7>] init_vqs+0x107/0x490 [virtio_net]
      [<ffffffffa0a5c9f2>] virtnet_probe+0x562/0x791815639d880be [virtio_net]
      [<ffffffff8139e667>] virtio_dev_probe+0x137/0x200
      [<ffffffff814c7f2a>] driver_probe_device+0x7a/0x250
      [<ffffffff814c81d3>] __driver_attach+0x93/0xa0
      [<ffffffff814c8140>] ? __device_attach+0x40/0x40
      [<ffffffff814c6053>] bus_for_each_dev+0x63/0xa0
      [<ffffffff814c7a79>] driver_attach+0x19/0x20
      [<ffffffff814c76f0>] bus_add_driver+0x170/0x220
      [<ffffffffa0a60000>] ? 0xffffffffa0a60000
      [<ffffffff814c894f>] driver_register+0x5f/0xf0
      [<ffffffff8139e41b>] register_virtio_driver+0x1b/0x30
      [<ffffffffa0a60010>] virtio_net_driver_init+0x10/0x12 [virtio_net]
      
      This patch fixes this by doing this in virtnet_free_queues(). And also
      don't delete napi in virtnet_freeze() since it will call
      virtnet_free_queues() which has already did this.
      
      Fixes 91815639 ("virtio-net: rx busy polling support")
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab3971b1
    • Arnd Bergmann's avatar
      rds: avoid potential stack overflow · f862e07c
      Arnd Bergmann authored
      The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
      on the stack in order to pass a pair of addresses. This happens to just
      fit withint the 1024 byte stack size warning limit on x86, but just
      exceed that limit on ARM, which gives us this warning:
      
      net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
      
      As the use of this large variable is basically bogus, we can rearrange
      the code to not do that. Instead of passing an rds socket into
      rds_iw_get_device, we now just pass the two addresses that we have
      available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
      to create two address structures on the stack there.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f862e07c
    • Willem de Bruijn's avatar
      sock: fix possible NULL sk dereference in __skb_tstamp_tx · 3a8dd971
      Willem de Bruijn authored
      Test that sk != NULL before reading sk->sk_tsflags.
      
      Fixes: 49ca0d8b ("net-timestamp: no-payload option")
      Reported-by: default avatarOne Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a8dd971
    • Eric Dumazet's avatar
      xps: must clear sender_cpu before forwarding · c29390c6
      Eric Dumazet authored
      John reported that my previous commit added a regression
      on his router.
      
      This is because sender_cpu & napi_id share a common location,
      so get_xps_queue() can see garbage and perform an out of bound access.
      
      We need to make sure sender_cpu is cleared before doing the transmit,
      otherwise any NIC busy poll enabled (skb_mark_napi_id()) can trigger
      this bug.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarJohn <jw@nuclearfallout.net>
      Bisected-by: default avatarJohn <jw@nuclearfallout.net>
      Fixes: 2bd82484 ("xps: fix xps for stacked devices")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c29390c6
    • David Vrabel's avatar
      xen-netback: notify immediately after pushing Tx response. · c8a4d299
      David Vrabel authored
      This fixes a performance regression introduced by
      7fbb9d84 (xen-netback: release pending
      index before pushing Tx responses)
      
      Moving the notify outside of the spin locks means it can be delayed a
      long time (if the dealloc thread is descheduled or there is an
      interrupt or softirq).
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarZoltan Kiss <zoltan.kiss@linaro.org>
      Acked-by: default avatarWei Liu <wei.liu2@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8a4d299
    • Alexey Kodanev's avatar
      net: sysctl_net_core: check SNDBUF and RCVBUF for min length · b1cb59cf
      Alexey Kodanev authored
      sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
      set to incorrect values. Given that 'struct sk_buff' allocates from
      rcvbuf, incorrectly set buffer length could result to memory
      allocation failures. For example, set them as follows:
      
          # sysctl net.core.rmem_default=64
            net.core.wmem_default = 64
          # sysctl net.core.wmem_default=64
            net.core.wmem_default = 64
          # ping localhost -s 1024 -i 0 > /dev/null
      
      This could result to the following failure:
      
      skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
      head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
      kernel BUG at net/core/skbuff.c:102!
      invalid opcode: 0000 [#1] SMP
      ...
      task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
      RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
      RSP: 0018:ffff88003ae8bc68  EFLAGS: 00010296
      RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
      RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
      RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
      R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
      FS:  00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
      Stack:
       ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
       ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
       ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
      Call Trace:
       [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
       [<ffffffff81556f56>] sock_write_iter+0x146/0x160
       [<ffffffff811d9612>] new_sync_write+0x92/0xd0
       [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
       [<ffffffff811da499>] SyS_write+0x59/0xd0
       [<ffffffff81651532>] system_call_fastpath+0x12/0x17
      Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
            00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
            eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
      RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
      RSP <ffff88003ae8bc68>
      Kernel panic - not syncing: Fatal exception
      
      Moreover, the possible minimum is 1, so we can get another kernel panic:
      ...
      BUG: unable to handle kernel paging request at ffff88013caee5c0
      IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
      ...
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b1cb59cf
  6. 11 Mar, 2015 4 commits
  7. 10 Mar, 2015 11 commits
    • Oliver Hartkopp's avatar
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2015-03-10' of... · 3f39d625
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2015-03-10' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      iwlwifi:
      
      * fix ROC removal - avoids a firmware crash
      * fix throughput regression on iwldvm devices
      * fix panic in BT Coex
      * fixes in rate control
      * fixes in scan
      
      b43:
      
      * fix support for 5 GHz only BCM43228 model
      
      rtlwifi:
      
      * improve handling of IPv6 packets
      
      brcmfmac:
      
      * perform bound checking on vendor command buffer
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f39d625
    • Hariprasad Shenai's avatar
      cxgb4: fix coccinelle warnings · e3d50738
      Hariprasad Shenai authored
      Commit 16e47624 ("cxgb4: Add new scheme to update T4/T5 firmware")
      introduced below coccinelle warning.
      
      >> drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:994:2-8: Replace memcpy with
         struct assignment
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarHariprasad Shenai <hariprasad@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3d50738
    • Nimrod Andy's avatar
      net: fec: fix receive VLAN CTAG HW acceleration issue · af5cbc98
      Nimrod Andy authored
      The current driver support receive VLAN CTAG HW acceleration feature
      (NETIF_F_HW_VLAN_CTAG_RX) through software simulation. There calls the
      api .skb_copy_to_linear_data_offset() to skip the VLAN tag, but there
      have overlap between the two memory data point range. The patch just fix
      the issue.
      
      V2:
      Michael Grzeschik suggest to use memmove() instead of skb_copy_to_linear_data_offset().
      Reported-by: default avatarMichael Grzeschik <m.grzeschik@pengutronix.de>
      Fixes: 1b7bde6d ("net: fec: implement rx_copybreak to improve rx performance")
      Signed-off-by: default avatarFugang Duan <B38611@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af5cbc98
    • Yongbae Park's avatar
      net: WIZnet drivers: enable interrupts after napi_complete() · 5a3dba7a
      Yongbae Park authored
      The interrupt is enabled before napi_complete(). A network timeout
      occurs if the interrupt handler is called before napi_complete().
      
      Fix the bug by enabling the interrupt after napi_complete().
      Signed-off-by: default avatarYongbae Park <yongbae2@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a3dba7a
    • Yongbae Park's avatar
      ibmveth: enable interrupts after napi_complete() · 4736edc7
      Yongbae Park authored
      The interrupt is enabled before napi_complete(). A network timeout
      occurs if the interrupt handler is called before napi_complete().
      
      Fix the bug by enabling the interrupt after napi_complete().
      Signed-off-by: default avatarYongbae Park <yongbae2@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4736edc7
    • WANG Cong's avatar
      net_sched: fix struct tc_u_hnode layout in u32 · 5778d39d
      WANG Cong authored
      We dynamically allocate divisor+1 entries for ->ht[] in tc_u_hnode:
      
        ht = kzalloc(sizeof(*ht) + divisor*sizeof(void *), GFP_KERNEL);
      
      So ->ht is supposed to be the last field of this struct, however
      this is broken, since an rcu head is appended after it.
      
      Fixes: 1ce87720 ("net: sched: make cls_u32 lockless")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5778d39d
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/virt/kvm/kvm · affb8172
      Linus Torvalds authored
      Pull kvm/s390 bugfixes from Marcelo Tosatti.
      
      * git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: s390: non-LPAR case obsolete during facilities mask init
        KVM: s390: include guest facilities in kvm facility test
        KVM: s390: fix in memory copy of facility lists
        KVM: s390/cpacf: Fix kernel bug under z/VM
        KVM: s390/cpacf: Enable key wrapping by default
      affb8172
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · ec0e6bd3
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "One performance optimization for page_clear and a couple of bug fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: fix incorrect ASCE after crst_table_downgrade
        s390/ftrace: fix crashes when switching tracers / add notrace to cpu_relax()
        s390/pci: unify pci_iomap symbol exports
        s390/pci: fix [un]map_resources sequence
        s390: let the compiler do page clearing
        s390/pci: fix possible information leak in mmio syscall
        s390/dcss: array index 'i' is used before limits check.
        s390/scm_block: fix off by one during cluster reservation
        s390/jump label: improve and fix sanity check
        s390/jump label: add missing jump_label_apply_nops() call
      ec0e6bd3
    • Linus Torvalds's avatar
      Merge tag 'trace-fixes-v4.0-rc2-2' of... · e7901af1
      Linus Torvalds authored
      Merge tag 'trace-fixes-v4.0-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
      
      Pull seq-buf/ftrace fixes from Steven Rostedt:
       "This includes fixes for seq_buf_bprintf() truncation issue.  It also
        contains fixes to ftrace when /proc/sys/kernel/ftrace_enabled and
        function tracing are started.  Doing the following causes some issues:
      
          # echo 0 > /proc/sys/kernel/ftrace_enabled
          # echo function_graph > /sys/kernel/debug/tracing/current_tracer
          # echo 1 > /proc/sys/kernel/ftrace_enabled
          # echo nop > /sys/kernel/debug/tracing/current_tracer
          # echo function_graph > /sys/kernel/debug/tracing/current_tracer
      
        As well as with function tracing too.  Pratyush Anand first reported
        this issue to me and supplied a patch.  When I tested this on my x86
        test box, it caused thousands of backtraces and warnings to appear in
        dmesg, which also caused a denial of service (a warning for every
        function that was listed).  I applied Pratyush's patch but it did not
        fix the issue for me.  I looked into it and found a slight problem
        with trampoline accounting.  I fixed it and sent Pratyush a patch, but
        he said that it did not fix the issue for him.
      
        I later learned tha Pratyush was using an ARM64 server, and when I
        tested on my ARM board, I was able to reproduce the same issue as
        Pratyush.  After applying his patch, it fixed the problem.  The above
        test uncovered two different bugs, one in x86 and one in ARM and
        ARM64.  As this looked like it would affect PowerPC, I tested it on my
        PPC64 box.  It too broke, but neither the patch that fixed ARM or x86
        fixed this box (the changes were all in generic code!).  The above
        test, uncovered two more bugs that affected PowerPC.  Again, the
        changes were only done to generic code.  It's the way the arch code
        expected things to be done that was different between the archs.  Some
        where more sensitive than others.
      
        The rest of this series fixes the PPC bugs as well"
      
      * tag 'trace-fixes-v4.0-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled
        ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl
        ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl
        seq_buf: Fix seq_buf_bprintf() truncation
        seq_buf: Fix seq_buf_vprintf() truncation
      e7901af1
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 36bef883
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) nft_compat accidently truncates ethernet protocol to 8-bits, from
          Arturo Borrero.
      
       2) Memory leak in ip_vs_proc_conn(), from Julian Anastasov.
      
       3) Don't allow the space required for nftables rules to exceed the
          maximum value representable in the dlen field.  From Patrick
          McHardy.
      
       4) bcm63xx_enet can accidently leave interrupts permanently disabled
          due to errors in the NAPI polling exit logic.  Fix from Nicolas
          Schichan.
      
       5) Fix OOPSes triggerable by the ping protocol module, due to missing
          address family validations etc.  From Lorenzo Colitti.
      
       6) Don't use RCU locking in sleepable context in team driver, from Jiri
          Pirko.
      
       7) xen-netback miscalculates statistic offset pointers when reporting
          the stats to userspace.  From David Vrabel.
      
       8) Fix a leak of up to 256 pages per VIF destroy in xen-netaback, also
          from David Vrabel.
      
       9) ip_check_defrag() cannot assume that skb_network_offset(),
          particularly when it is used by the AF_PACKET fanout defrag code.
          From Alexander Drozdov.
      
      10) gianfar driver doesn't query OF node names properly when trying to
          determine the number of hw queues available.  Fix it to explicitly
          check for OF nodes named queue-group.  From Tobias Waldekranz.
      
      11) MID field in macb driver should be 12 bits, not 16.  From Punnaiah
          Choudary Kalluri.
      
      12) Fix unintentional regression in traceroute due to timestamp socket
          option changes.  Empty ICMP payloads should be allowed in
          non-timestamp cases.  From Willem de Bruijn.
      
      13) When devices are unregistered, we have to get rid of AF_PACKET
          multicast list entries that point to it via ifindex.  Fix from
          Francesco Ruggeri.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        tipc: fix bug in link failover handling
        net: delete stale packet_mclist entries
        net: macb: constify macb configuration data
        MAINTAINERS: add Marc Kleine-Budde as co maintainer for CAN networking layer
        MAINTAINERS: linux-can moved to github
        can: kvaser_usb: Read all messages in a bulk-in URB buffer
        can: kvaser_usb: Avoid double free on URB submission failures
        can: peak_usb: fix missing ctrlmode_ init for every dev
        can: add missing initialisations in CAN related skbuffs
        ip: fix error queue empty skb handling
        bgmac: Clean warning messages
        tcp: align tcp_xmit_size_goal() on tcp_tso_autosize()
        net: fec: fix unbalanced clk disable on driver unbind
        net: macb: Correct the MID field length value
        net: gianfar: correctly determine the number of queue groups
        ipv4: ip_check_defrag should not assume that skb_network_offset is zero
        net: bcmgenet: properly disable password matching
        net: eth: xgene: fix booting with devicetree
        bnx2x: Force fundamental reset for EEH recovery
        xen-netback: refactor xenvif_handle_frag_list()
        ...
      36bef883