1. 11 Nov, 2014 11 commits
    • David S. Miller's avatar
      Merge branch 'bcmgenet-net' · caa13a9f
      David S. Miller authored
      Florian Fainelli says:
      
      ====================
      net: bcmgenet: power management related fixes
      
      These two patches fixes issues seen while testing power management on
      platforms using the GENET driver.
      
      First patch fixes an issue with the PHY state machine queuing work after
      resume since we are not properly detached from it.
      
      Second patch fixes an issue with GENET interfaces that were not properly
      restored to a working state after a S3 suspend/resume cycle.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      caa13a9f
    • Florian Fainelli's avatar
      net: bcmgenet: apply MII configuration in bcmgenet_open() · dbd479db
      Florian Fainelli authored
      In case an interface has been brought down before entering S3, and then
      brought up out of S3, all the initialization done during
      bcmgenet_probe() by bcmgenet_mii_init() calling bcmgenet_mii_config() is
      just lost since register contents are restored to their reset values.
      
      Re-apply this configuration anytime we call bcmgenet_open() to make sure
      our port multiplexer is properly configured to match the PHY interface.
      
      Since we are now calling bcmgenet_mii_config() everytime bcmgenet_open()
      is called, make sure we only print the message during initialization
      time not to pollute the console.
      
      Fixes: b6e978e5 ("net: bcmgenet: add suspend/resume callbacks")
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dbd479db
    • Florian Fainelli's avatar
      net: bcmgenet: connect and disconnect from the PHY state machine · c96e731c
      Florian Fainelli authored
      phy_disconnect() is the only way to guarantee that we are not going to
      schedule more work on the PHY state machine workqueue for that
      particular PHY device.
      
      This fixes an issue where a network interface was suspended prior to a
      system suspend/resume cycle and would then be resumed as part of
      mdio_bus_resume(), since the GENET interface clocks would have been
      disabled, this basically resulted in bus errors to appear since we are
      invoking the GENET driver adjust_link() callback.
      
      Fixes: b6e978e5 ("net: bcmgenet: add suspend/resume callbacks")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c96e731c
    • Stefan Wahren's avatar
      net: qualcomm: Fix dependency · 93ecd260
      Stefan Wahren authored
      This patch removes the dependency of the VENDOR entry and fixes
      the QCA7000 one.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      93ecd260
    • Daniel Borkmann's avatar
      ixgbe: phy: fix uninitialized status in ixgbe_setup_phy_link_tnx · 48eb5b9c
      Daniel Borkmann authored
      Status variable is never initialized, can carry an arbitrary value
      on the stack and thus may let the function fail.
      
      Fixes: e90dd264 ("ixgbe: Make return values more direct")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarEmil Tantilov <emil.s.tantilov@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      48eb5b9c
    • Brian Hill's avatar
      net: phy: Correctly handle MII ioctl which changes autonegotiation. · 79ce0477
      Brian Hill authored
      When advertised capabilities are changed with mii-tool, such as:
      mii-tool -A 10baseT
      the existing handler has two errors.
      
      - An actual PHY register value is provided by mii-tool, and this
        must be mapped to internal state with mii_adv_to_ethtool_adv_t().
      - The PHY state machine needs to be told that autonegotiation has
        again been performed.  If not, the MAC will not be notified of
        the new link speed and duplex, resulting in a possible config
        mismatch.
      Signed-off-by: default avatarBrian Hill <Brian@houston-radar.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79ce0477
    • Eric Dumazet's avatar
      ipv6: fix IPV6_PKTINFO with v4 mapped · 5337b5b7
      Eric Dumazet authored
      Use IS_ENABLED(CONFIG_IPV6), to enable this code if IPv6 is
      a module.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Fixes: c8e6ad08 ("ipv6: honor IPV6_PKTINFO with v4 mapped addresses on sendmsg")
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5337b5b7
    • Daniel Borkmann's avatar
      net: sctp: fix memory leak in auth key management · 4184b2a7
      Daniel Borkmann authored
      A very minimal and simple user space application allocating an SCTP
      socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
      the socket again will leak the memory containing the authentication
      key from user space:
      
      unreferenced object 0xffff8800837047c0 (size 16):
        comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
        hex dump (first 16 bytes):
          01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
          [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
          [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
          [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
          [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
          [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
          [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      This is bad because of two things, we can bring down a machine from
      user space when auth_enable=1, but also we would leave security sensitive
      keying material in memory without clearing it after use. The issue is
      that sctp_auth_create_key() already sets the refcount to 1, but after
      allocation sctp_auth_set_key() does an additional refcount on it, and
      thus leaving it around when we free the socket.
      
      Fixes: 65b07e5d ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4184b2a7
    • Daniel Borkmann's avatar
      net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet · e40607cb
      Daniel Borkmann authored
      An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
      in the form of:
      
        ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
      
      While the INIT chunk parameter verification dissects through many things
      in order to detect malformed input, it misses to actually check parameters
      inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
      IP address' parameter in ASCONF, which has as a subparameter an address
      parameter.
      
      So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
      or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
      and thus sctp_get_af_specific() returns NULL, too, which we then happily
      dereference unconditionally through af->from_addr_param().
      
      The trace for the log:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
      IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      PGD 0
      Oops: 0000 [#1] SMP
      [...]
      Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
      RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
       [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
       [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
      [...]
      
      A minimal way to address this is to check for NULL as we do on all
      other such occasions where we know sctp_get_af_specific() could
      possibly return with NULL.
      
      Fixes: d6de3097 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40607cb
    • Takashi Iwai's avatar
      net: ppp: Don't call bpf_prog_create() in ppp_lock · 5748eb8f
      Takashi Iwai authored
      In ppp_ioctl(), bpf_prog_create() is called inside ppp_lock, which
      eventually calls vmalloc() and hits BUG_ON() in vmalloc.c.  This patch
      works around the problem by moving the allocation outside the lock.
      
      The bug was revealed by the recent change in net/core/filter.c, as it
      allocates via vmalloc() instead of kmalloc() now.
      Reported-and-tested-by: default avatarStefan Seyfried <stefan.seyfried@googlemail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5748eb8f
    • Or Gerlitz's avatar
      net/mlx4_en: Advertize encapsulation offloads features only when VXLAN tunnel is set · f4a1edd5
      Or Gerlitz authored
      Currenly we only support Large-Send and TX checksum offloads for
      encapsulated traffic of type VXLAN. We must make sure to advertize
      these offloads up to the stack only when VXLAN tunnel is set.
      
      Failing to do so, would mislead the the networking stack to assume
      that the driver can offload the internal TX checksum for GRE packets
      and other buggy schemes.
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4a1edd5
  2. 10 Nov, 2014 6 commits
  3. 07 Nov, 2014 3 commits
    • Charles Keepax's avatar
      asix: Do full reset during ax88772_bind · 436c2a50
      Charles Keepax authored
      commit 3cc81d85 ("asix: Don't reset PHY on if_up for ASIX 88772")
      causes the ethernet on Arndale to no longer function. This appears to
      be because the Arndale ethernet requires a full reset before it will
      function correctly, however simply reverting the above patch causes
      problems with ethtool settings getting reset.
      
      It seems the problem is that the ethernet is not properly reset during
      bind, and indeed the code in ax88772_bind that resets the device is a
      very small subset of the actual ax88772_reset function. This patch uses
      ax88772_reset in place of the existing reset code in ax88772_bind which
      removes some code duplication and fixes the ethernet on Arndale.
      
      It is still possible that the original patch causes some issues with
      suspend and resume but that seems like a separate issue and I haven't
      had a chance to test that yet.
      Signed-off-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Tested-by: default avatarRiku Voipio <riku.voipio@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      436c2a50
    • Lothar Waßmann's avatar
      net: fec: fix regression on i.MX28 introduced by rx_copybreak support · 1310b544
      Lothar Waßmann authored
      commit 1b7bde6d ("net: fec: implement rx_copybreak to improve rx performance")
      introduced a regression for i.MX28. The swap_buffer() function doing
      the endian conversion of the received data on i.MX28 may access memory
      beyond the actual packet size in the DMA buffer. fec_enet_copybreak()
      does not copy those bytes, so that the last bytes of a packet may be
      filled with invalid data after swapping.
      This will likely lead to checksum errors on received packets.
      E.g. when trying to mount an NFS rootfs:
      UDP: bad checksum. From 192.168.1.225:111 to 192.168.100.73:44662 ulen 36
      
      Do the byte swapping and copying to the new skb in one go if
      necessary.
      Signed-off-by: default avatarLothar Waßmann <LW@KARO-electronics.de>
      Tested-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1310b544
    • David S. Miller's avatar
      Merge tag 'master-2014-11-04' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 1f562310
      David S. Miller authored
      John W. Linville says:
      
      ====================
      pull request: wireless 2014-11-06
      
      Please pull this batch of fixes intended for the 3.18 stream...
      
      For the mac80211 bits, Johannes says:
      
      "This contains another small set of fixes for 3.18, these are all
      over the place and most of the bugs are old, one even dates back
      to the original mac80211 we merged into the kernel."
      
      For the iwlwifi bits, Emmanuel says:
      
      "I fix here two issues that are related to the firmware
      loading flow. A user reported that he couldn't load the
      driver because the rfkill line was pulled up while we
      were running the calibrations. This was happening while
      booting the system: systemd was restoring the "disable
      wifi settings" and that raised an RFKILL interrupt during
      the calibration. Our driver didn't handle that properly
      and this is now fixed."
      
      Please let me know if there are problems!
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f562310
  4. 06 Nov, 2014 10 commits
    • Manish Chopra's avatar
      netxen: Fix link event handling. · 9d01412a
      Manish Chopra authored
      o Poll for the link events only if firmware doesn't have capability
        to notify the driver for the link events.
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d01412a
    • Govindarajulu Varadarajan's avatar
      enic: update desc properly in rx_copybreak · f6b7734b
      Govindarajulu Varadarajan authored
      When we reuse the rx buffer, we need to update the desc. If not hardware sees
      stale value.
      
      In the following crash, when mtu is changed, hardware sees old rx buffer value
      and crashes on skb_put.
      
      Fix this by using enic_queue_rq_desc helper function which updates the necessary
      desc.
      
      [   64.657376] skbuff: skb_over_panic: text:ffffffffa041f55d len:9010 put:9010 head:ffff8800d3ca9fc0 data:ffff8800d3caa000 tail:0x2372 end:0x640 dev:enp0s3
      [   64.659965] ------------[ cut here ]------------
      [   64.661322] kernel BUG at net/core/skbuff.c:100!
      [   64.662644] invalid opcode: 0000 [#1] PREEMPT SMP
      [   64.664001] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 cirrus ttm drm_kms_helper drm enic psmouse microcode evdev serio_raw syscopyarea sysfillrect sysimgblt i2c_piix4 i2c_core pcspkr nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod ata_generic virtio_balloon ata_piix libata uhci_hcd virtio_pci virtio_ring usbcore usb_common virtio scsi_mod
      [   64.664834] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W      3.17.0-netnext-10335-g942396b0-dirty #273
      [   64.664834] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [   64.664834] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000
      [   64.664834] RIP: 0010:[<ffffffff81392cf1>]  [<ffffffff81392cf1>] skb_panic+0x61/0x70
      [   64.664834] RSP: 0018:ffff880210603d48  EFLAGS: 00010292
      [   64.664834] RAX: 000000000000008c RBX: ffff88020b0f6930 RCX: 0000000000000000
      [   64.664834] RDX: 000000000000008c RSI: ffffffff8178b288 RDI: 00000000ffffffff
      [   64.664834] RBP: ffff880210603d68 R08: 0000000000000001 R09: 0000000000000001
      [   64.664834] R10: 00000000000005ce R11: 0000000000000001 R12: ffff88020b1f0b40
      [   64.664834] R13: 000000000000a332 R14: ffff880209a1a000 R15: 0000000000000001
      [   64.664834] FS:  0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000
      [   64.664834] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   64.664834] CR2: 00007f6752935e48 CR3: 0000000035743000 CR4: 00000000000006f0
      [   64.664834] Stack:
      [   64.664834]  ffff8800d3caa000 0000000000002372 0000000000000640 ffff88020b1f0000
      [   64.664834]  ffff880210603d78 ffffffff81392d54 ffff880210603e08 ffffffffa041f55d
      [   64.664834]  0000000000000296 ffffffff00000000 00008e7e00008e7e ffff880200002332
      [   64.664834] Call Trace:
      [   64.664834]  <IRQ>
      [   64.664834]
      [   64.664834]  [<ffffffff81392d54>] skb_put+0x54/0x60
      [   64.664834]  [<ffffffffa041f55d>] enic_rq_service.constprop.47+0x3ad/0x730 [enic]
      [   64.664834]  [<ffffffffa041fa79>] enic_poll_msix_rq+0x199/0x370 [enic]
      [   64.664834]  [<ffffffff813a5499>] net_rx_action+0x139/0x210
      [   64.664834]  [<ffffffff81290db3>] ? __this_cpu_preempt_check+0x13/0x20
      [   64.664834]  [<ffffffff8106110e>] __do_softirq+0x14e/0x280
      [   64.664834]  [<ffffffff8106152e>] irq_exit+0x8e/0xb0
      [   64.664834]  [<ffffffff8100fd21>] do_IRQ+0x61/0x100
      [   64.664834]  [<ffffffff814a2bf2>] common_interrupt+0x72/0x72
      
      fixes: a03bb56e ("enic: implement rx_copybreak")
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6b7734b
    • Govindarajulu Varadarajan's avatar
      enic: handle error condition properly in enic_rq_indicate_buf · 44aa91ab
      Govindarajulu Varadarajan authored
      In case of error in rx path, we free the buf->os_buf but we do not make it NULL.
      In next iteration we use the skb which is already freed. This causes the
      following crash.
      
      [  886.154772] general protection fault: 0000 [#1] PREEMPT SMP
      [  886.154851] Modules linked in: rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 microcode evdev cirrus ttm drm_kms_helper drm enic syscopyarea sysfillrect sysimgblt psmouse i2c_piix4 serio_raw pcspkr i2c_core nfs lockd grace sunrpc fscache ext4 crc16 mbcache jbd2 sd_mod crc_t10dif crct10dif_common ata_generic ata_piix virtio_balloon libata scsi_mod uhci_hcd usbcore virtio_pci virtio_ring virtio usb_common
      [  886.155199] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W      3.17.0-netnext-05668-g876bc7f #272
      [  886.155263] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [  886.155304] task: ffffffff81a1d580 ti: ffffffff81a00000 task.ti: ffffffff81a00000
      [  886.155356] RIP: 0010:[<ffffffff81384030>]  [<ffffffff81384030>] kfree_skb_list+0x10/0x30
      [  886.155418] RSP: 0018:ffff880210603d48  EFLAGS: 00010206
      [  886.155456] RAX: 0000000000000020 RBX: 0000000000000000 RCX: 0000000000000000
      [  886.155504] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 004500084e000017
      [  886.155553] RBP: ffff880210603d50 R08: 00000000fe13d1b6 R09: 0000000000000001
      [  886.155601] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880209ff2f00
      [  886.155650] R13: ffff88020ac0fe40 R14: ffff880209ff2f00 R15: ffff8800da8e3a80
      [  886.155699] FS:  0000000000000000(0000) GS:ffff880210600000(0000) knlGS:0000000000000000
      [  886.155774] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  886.155814] CR2: 00007f0e0c925000 CR3: 0000000035e8b000 CR4: 00000000000006f0
      [  886.155865] Stack:
      [  886.155882]  0000000000000000 ffff880210603d78 ffffffff81383f79 ffff880209ff2f00
      [  886.155942]  ffff88020b0c0b40 000000000000c000 ffff880210603d90 ffffffff81383faf
      [  886.156001]  ffff880209ff2f00 ffff880210603da8 ffffffff8138406d ffff88020b1b08c0
      [  886.156061] Call Trace:
      [  886.156080]  <IRQ>
      [  886.156095]
      [  886.156112]  [<ffffffff81383f79>] skb_release_data+0xa9/0xc0
      [  886.157656]  [<ffffffff81383faf>] skb_release_all+0x1f/0x30
      [  886.159195]  [<ffffffff8138406d>] consume_skb+0x1d/0x40
      [  886.160719]  [<ffffffff813942e5>] __dev_kfree_skb_any+0x35/0x40
      [  886.162224]  [<ffffffffa02dc1d5>] enic_rq_service.constprop.47+0xe5/0x5a0 [enic]
      [  886.163756]  [<ffffffffa02dc829>] enic_poll_msix_rq+0x199/0x370 [enic]
      [  886.164730]  [<ffffffff81397e29>] net_rx_action+0x139/0x210
      [  886.164730]  [<ffffffff8105fb2e>] __do_softirq+0x14e/0x280
      [  886.164730]  [<ffffffff8105ff2e>] irq_exit+0x8e/0xb0
      [  886.164730]  [<ffffffff8100fc1d>] do_IRQ+0x5d/0x100
      [  886.164730]  [<ffffffff81496832>] common_interrupt+0x72/0x72
      
      fixes: a03bb56e ("enic: implement rx_copybreak")
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      44aa91ab
    • David S. Miller's avatar
      Merge branch 'mlx5-net' · c8119067
      David S. Miller authored
      Eli Cohen says:
      
      ====================
      mlx5_core fixes for 3.18
      
      the following two patches fix races to could lead to kernel panic in some cases.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8119067
    • Eli Cohen's avatar
      net/mlx5_core: Fix race on driver load · 364d1798
      Eli Cohen authored
      When events arrive at driver load, the event handler gets called even before
      the spinlock and list are initialized. Fix this by moving the initialization
      before EQs creation.
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      364d1798
    • Eli Cohen's avatar
      net/mlx5_core: Fix race in create EQ · a158906d
      Eli Cohen authored
      After the EQ is created, it can possibly generate interrupts and the interrupt
      handler is referencing eq->dev. It is therefore required to set eq->dev before
      calling request_irq() so if an event is generated before request_irq() returns,
      we will have a valid eq->dev field.
      Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a158906d
    • Andrew Lunn's avatar
      net: dsa: slave: Fix autoneg for phys on switch MDIO bus · b31f65fb
      Andrew Lunn authored
      When the ports phys are connected to the switches internal MDIO bus,
      we need to connect the phy to the slave netdev, otherwise
      auto-negotiation etc, does not work.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b31f65fb
    • Ryo Munakata's avatar
    • Mugunthan V N's avatar
      drivers: net: cpsw: remove cpsw_ale_stop from cpsw_ale_destroy · 4484d052
      Mugunthan V N authored
      when cpsw is build as modulea and simple insert and removal of module
      creates a deadlock, due to delete timer. the timer is created and destroyed
      in cpsw_ale_start and cpsw_ale_stop which are from device open and close.
      
      root@am437x-evm:~# modprobe -r ti_cpsw
      [  158.505333] INFO: trying to register non-static key.
      [  158.510623] the code is fine but needs lockdep annotation.
      [  158.516448] turning off the locking correctness validator.
      [  158.522282] CPU: 0 PID: 1339 Comm: modprobe Not tainted 3.14.23-00445-gd41c88f #44
      [  158.530359] [<c0015380>] (unwind_backtrace) from [<c0012088>] (show_stack+0x10/0x14)
      [  158.538603] [<c0012088>] (show_stack) from [<c054ad70>] (dump_stack+0x78/0x94)
      [  158.546295] [<c054ad70>] (dump_stack) from [<c0088008>] (__lock_acquire+0x176c/0x1b74)
      [  158.554711] [<c0088008>] (__lock_acquire) from [<c0088944>] (lock_acquire+0x9c/0x104)
      [  158.563043] [<c0088944>] (lock_acquire) from [<c004e520>] (del_timer_sync+0x44/0xd8)
      [  158.571289] [<c004e520>] (del_timer_sync) from [<bf2eac1c>] (cpsw_ale_destroy+0x10/0x3c [ti_cpsw])
      [  158.580821] [<bf2eac1c>] (cpsw_ale_destroy [ti_cpsw]) from [<bf2eb268>] (cpsw_remove+0x30/0xa0 [ti_cpsw])
      [  158.591000] [<bf2eb268>] (cpsw_remove [ti_cpsw]) from [<c035ef44>] (platform_drv_remove+0x18/0x1c)
      [  158.600527] [<c035ef44>] (platform_drv_remove) from [<c035d8bc>] (__device_release_driver+0x70/0xc8)
      [  158.610236] [<c035d8bc>] (__device_release_driver) from [<c035e0d4>] (driver_detach+0xb4/0xb8)
      [  158.619386] [<c035e0d4>] (driver_detach) from [<c035d6e4>] (bus_remove_driver+0x4c/0x90)
      [  158.627988] [<c035d6e4>] (bus_remove_driver) from [<c00af2a8>] (SyS_delete_module+0x10c/0x198)
      [  158.637144] [<c00af2a8>] (SyS_delete_module) from [<c000e580>] (ret_fast_syscall+0x0/0x48)
      [  179.524727] INFO: rcu_sched detected stalls on CPUs/tasks: {} (detected by 0, t=2102 jiffies, g=1487, c=1486, q=6)
      [  179.535741] INFO: Stall ended before state dump start
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4484d052
    • Karl Beldan's avatar
      net: mv643xx_eth: reclaim TX skbs only when released by the HW · 2c2a9cbd
      Karl Beldan authored
      ATM, txq_reclaim will dequeue and free an skb for each tx desc released
      by the hw that has TX_LAST_DESC set. However, in case of TSO, each
      hw desc embedding the last part of a segment has TX_LAST_DESC set,
      losing the one-to-one 'last skb frag'/'TX_LAST_DESC set' correspondance,
      which causes data corruption.
      
      Fix this by checking TX_ENABLE_INTERRUPT instead of TX_LAST_DESC, and
      warn when trying to dequeue from an empty txq (which can be symptomatic
      of releasing skbs prematurely).
      
      Fixes: 3ae8f4e0 ('net: mv643xx_eth: Implement software TSO')
      Reported-by: default avatarSlawomir Gajzner <slawomir.gajzner@gmail.com>
      Reported-by: default avatarJulien D'Ascenzio <jdascenzio@yahoo.fr>
      Signed-off-by: default avatarKarl Beldan <karl.beldan@rivierawaves.com>
      Cc: Ian Campbell <ijc@hellion.org.uk>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c2a9cbd
  5. 05 Nov, 2014 10 commits
    • Gregory Fong's avatar
      bridge: include in6.h in if_bridge.h for struct in6_addr · 66f1c448
      Gregory Fong authored
      if_bridge.h uses struct in6_addr ip6, but wasn't including the in6.h
      header.  Thomas Backlund originally sent a patch to do this, but this
      revealed a redefinition issue: https://lkml.org/lkml/2013/1/13/116
      
      The redefinition issue should have been fixed by the following Linux
      commits:
      ee262ad8 inet: defines IPPROTO_* needed for module alias generation
      cfd280c9 net: sync some IP headers with glibc
      
      and the following glibc commit:
      6c82a2f8d7c8e21e39237225c819f182ae438db3 Coordinate IPv6 definitions for Linux and glibc
      
      so actually include the header now.
      Reported-by: default avatarColin Guthrie <colin@mageia.org>
      Reported-by: default avatarChristiaan Welvaart <cjw@daneel.dyndns.org>
      Reported-by: default avatarThomas Backlund <tmb@mageia.org>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarGregory Fong <gregory.0xf0@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66f1c448
    • Marcelo Leitner's avatar
      tcp: zero retrans_stamp if all retrans were acked · 1f37bf87
      Marcelo Leitner authored
      Ueki Kohei reported that when we are using NewReno with connections that
      have a very low traffic, we may timeout the connection too early if a
      second loss occurs after the first one was successfully acked but no
      data was transfered later. Below is his description of it:
      
      When SACK is disabled, and a socket suffers multiple separate TCP
      retransmissions, that socket's ETIMEDOUT value is calculated from the
      time of the *first* retransmission instead of the *latest*
      retransmission.
      
      This happens because the tcp_sock's retrans_stamp is set once then never
      cleared.
      
      Take the following connection:
      
                            Linux                    remote-machine
                              |                           |
               send#1---->(*1)|--------> data#1 --------->|
                        |     |                           |
                       RTO    :                           :
                        |     |                           |
                       ---(*2)|----> data#1(retrans) ---->|
                        | (*3)|<---------- ACK <----------|
                        |     |                           |
                        |     :                           :
                        |     :                           :
                        |     :                           :
                      16 minutes (or more)                :
                        |     :                           :
                        |     :                           :
                        |     :                           :
                        |     |                           |
               send#2---->(*4)|--------> data#2 --------->|
                        |     |                           |
                       RTO    :                           :
                        |     |                           |
                       ---(*5)|----> data#2(retrans) ---->|
                        |     |                           |
                        |     |                           |
                      RTO*2   :                           :
                        |     |                           |
                        |     |                           |
            ETIMEDOUT<----(*6)|                           |
      
      (*1) One data packet sent.
      (*2) Because no ACK packet is received, the packet is retransmitted.
      (*3) The ACK packet is received. The transmitted packet is acknowledged.
      
      At this point the first "retransmission event" has passed and been
      recovered from. Any future retransmission is a completely new "event".
      
      (*4) After 16 minutes (to correspond with retries2=15), a new data
      packet is sent. Note: No data is transmitted between (*3) and (*4).
      
      The socket's timeout SHOULD be calculated from this point in time, but
      instead it's calculated from the prior "event" 16 minutes ago.
      
      (*5) Because no ACK packet is received, the packet is retransmitted.
      (*6) At the time of the 2nd retransmission, the socket returns
      ETIMEDOUT.
      
      Therefore, now we clear retrans_stamp as soon as all data during the
      loss window is fully acked.
      
      Reported-by: Ueki Kohei
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <mleitner@redhat.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Tested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f37bf87
    • David S. Miller's avatar
      Merge branch 'stmmac-net' · 46d38026
      David S. Miller authored
      Giuseppe Cavallaro says:
      
      ====================
      stmmac: review and fix lock and atomicity
      
      Recently some issues have been reported for the driver for locking mechanism
      and atomicity.
      
      In fact, enabling DEBUG support to prove lock and to verify if sleeping while
      atomic context some warnings occur at runtime. I have reproduced all on STi
      platforms.
      
      Concerning the tx path, I had provided a patch time ago but
      I discarded the idea to completely remove locks; in this patch-set we can have
      some useful fixes instead of.
      
      This patch-set is to fix the atomicity in the PM stuff where I tried to collect
      all the points and advice reported in the past weeks.
      As final result, on my side no warnings and no problem when suspend/resume the
      driver on STi boxes.
      
      I also added a patch that fixes the locks for the EEE.
      As pointed in some thread there was a design problem behind the eee
      initialization and I have tried to fix that before.
      As final result no issues when proving locks too.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      46d38026
    • Giuseppe CAVALLARO's avatar
      stmmac: fix atomicity in pm routines · 777da230
      Giuseppe CAVALLARO authored
      This patch is to fix the atomicity when suspend and resume the
      driver. The clk api have been changed (as reported by Hao Liang)
      and the skb allocation is done out of the hw setup function and
      taking care about the GFP flags.
      Reported-by: default avatarHao Liang <hliang1025@gmail.com>
      Signed-off-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Cc: Hao Liang <hliang1025@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      777da230
    • Giuseppe CAVALLARO's avatar
      stmmac: fix concurrency in eee initialization. · 4741cf9c
      Giuseppe CAVALLARO authored
      This patch aims to fix the concurrency in eee initialization
      inside the stmmac driver and related warnings when enable
      DEBUG_ATOMIC_SLEEP.
      
      Prior this patch, the stmmac_eee_init could be called in several places
      as shown below:
      
      stmmac_open  stmmac_resume         PHY Layer
          |            |                     |
        stmmac_hw_setup           stmmac_adjust_link
          |                                  |           stmmac ethtool
          |__________________________|______________|
                                             |
                                       stmmac_eee_init
      
      The patch removes the stmmac_eee_init call inside the stmmac_hw_setup
      that is unnecessary. It is sufficient to call it in the adjust_link to
      always guarantee that EEE is always configured at mac level too.
      
      Fixing the lock protection now it is covered another case (not
      considered before). The stmmac_eee_init could be called by the ethtool
      so critical sections must be protected inside this function too.
      Signed-off-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4741cf9c
    • Giuseppe CAVALLARO's avatar
      stmmac: fix lock in stmmac_set_rx_mode · b9d73704
      Giuseppe CAVALLARO authored
      When compile with CONFIG_PROVE_LOCKING the following warnings happen:
      
      [snip]
      
          HARDIRQ-ON-W at:
                              [<c0480c1c>] _raw_spin_lock+0x3c/0x4c
                              [<c02c2828>] stmmac_set_rx_mode+0x18/0x3c
                              [<c038b2cc>] dev_set_rx_mode+0x1c/0x28
                              [<c038b38c>] __dev_open+0xb4/0xf8
                              [<c038b5a8>] __dev_change_flags+0x94/0x128
                              [<c038b6a8>] dev_change_flags+0x10/0x48
                              [<c062afe0>] ip_auto_config+0x1d4/0x1084
                              [<c000873c>] do_one_initcall+0x108/0x15c
                              [<c060ec50>] kernel_init_freeable+0x1a8/0x248
                              [<c0472cc0>] kernel_init+0x8/0x160
                              [<c000dfc8>] ret_from_fork+0x14/0x2c
           INITIAL USE at:
                             [<c0480c1c>] _raw_spin_lock+0x3c/0x4c
                             [<c02c2828>] stmmac_set_rx_mode+0x18/0x3c
                             [<c038b2cc>] dev_set_rx_mode+0x1c/0x28
                             [<c038b38c>] __dev_open+0xb4/0xf8
                             [<c038b5a8>] __dev_change_flags+0x94/0x128
                             [<c038b6a8>] dev_change_flags+0x10/0x48
                             [<c062afe0>] ip_auto_config+0x1d4/0x1084
                             [<c000873c>] do_one_initcall+0x108/0x15c
                             [<c060ec50>] kernel_init_freeable+0x1a8/0x248
                             [<c0472cc0>] kernel_init+0x8/0x160
                             [<c000dfc8>] ret_from_fork+0x14/0x2c
      
      so the patch just removes the lock protection in the stmmac_set_rx_mode
      Signed-off-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Emilio Lopez <emilio@elopez.com.ar>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9d73704
    • Fabrice Gasnier's avatar
      stmmac: release tx lock, in case of dma mapping error. · 758a0ab5
      Fabrice Gasnier authored
      Add missing spin_unlock when tx frames gets dropped.
      Signed-off-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Acked-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      758a0ab5
    • Fabrice Gasnier's avatar
      stmmac: fix stmmac_tx_avail should be called with TX locked · 16ee817e
      Fabrice Gasnier authored
      stmmac_tx_avail() may lie if used unprotected. It's using cur_tx
      and dirty_tx index. These index may be already in use by tx_clean
      when entering xmit routine. So, this should be called locked.
      
      This can cause transmit queue to be stuck, with following message:
      NETDEV WATCHDOG: eth0 (stmmaceth): transmit queue 0 timed out
      Signed-off-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Acked-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16ee817e
    • Chen Gang's avatar
      drivers: net: ethernet: xilinx: xilinx_emaclite: revert the original commit... · b994ca6b
      Chen Gang authored
      drivers: net: ethernet: xilinx: xilinx_emaclite: revert the original commit "1db3ddff"
      
      Microblaze is a fpga soft core, it can be customized easily, which may
      cause many various hardware version strings.
      
      So the original fix patch based on hard-coded compatible version strings
      is not a good idea (although it is correct for current issue). For it,
      there will be a new solving way soon (which based on the device tree).
      
      The original issue is related with qemu, so can only change the hardware
      version string in qemu for it, then keep the original driver no touch (
      qemu is for virtualization which has much easier life than real world).
      Signed-off-by: default avatarChen Gang <gang.chen.5i5j@gmail.com>
      Acked-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b994ca6b
    • Rasmus Villemoes's avatar
      include/linux/socket.h: Fix comment · 9cdb5dbf
      Rasmus Villemoes authored
      File descriptors are always closed on exit :-)
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9cdb5dbf