- 10 Nov, 2015 4 commits
-
-
Pablo Neira Ayuso authored
With the conversion of the counter expressions to make it percpu, we need to clone the percpu memory area, otherwise we crash when using counters from flow tables. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
nf_tables may create percpu counters from the packet path through its dynamic set instantiation infrastructure, so we need a way to allocate this through GFP_ATOMIC. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Arnd Bergmann authored
Kconfig is too smart for its own good: a Kconfig line that states select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES means that if IP6_NF_IPTABLES is set to 'm', then NF_DEFRAG_IPV6 will also be set to 'm', regardless of the state of the symbol from which it is selected. When the xt_TEE driver is built-in and nothing else forces NF_DEFRAG_IPV6 to be built-in, this causes a link-time error: net/built-in.o: In function `tee_tg6': net/netfilter/xt_TEE.c:46: undefined reference to `nf_dup_ipv6' This works around that behavior by changing the dependency to 'if IP6_NF_IPTABLES != n', which is interpreted as boolean expression rather than a tristate and causes the NF_DEFRAG_IPV6 symbol to be built-in as well. The bug only occurs once in thousands of 'randconfig' builds and does not really impact real users. From inspecting the other surrounding Kconfig symbols, I am guessing that NETFILTER_XT_TARGET_TPROXY and NETFILTER_XT_MATCH_SOCKET have the same issue. If not, this change should still be harmless. Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Arnd Bergmann authored
After a recent (correct) change, gcc started warning about the use of the 'flags' variable in nfulnl_recv_config() net/netfilter/nfnetlink_log.c: In function 'nfulnl_recv_config': net/netfilter/nfnetlink_log.c:320:14: warning: 'flags' may be used uninitialized in this function [-Wmaybe-uninitialized] net/netfilter/nfnetlink_log.c:828:6: note: 'flags' was declared here The warning first shows up in ARM s3c2410_defconfig with gcc-4.3 or higher (including 5.2.1, which is the latest version I checked) I tried working around it by rearranging the code but had no success with that. As a last resort, this initializes the variable to zero, which shuts up the warning, but means that we don't get a warning if the code is ever changed in a way that actually causes the variable to be used without first being written. Signed-off-by:
-
- 09 Nov, 2015 1 commit
-
-
Anthony Lineham authored
The uninitialized tuple structure caused incorrect hash calculation and the lookup failed. Link: https://bugzilla.kernel.org/show_bug.cgi?id=106441Signed-off-by:
Anthony Lineham <anthony.lineham@alliedtelesis.co.nz> Signed-off-by:
-
- 08 Nov, 2015 1 commit
-
-
git://blackhole.kfki.hu/nfPablo Neira Ayuso authored
Jozsef Kadlecsik says: ==================== Please apply the next bugfixes against the nf tree. - Fix extensions alignment in ipset: Gerhard Wiesinger reported that the missing data aligments lead to crash on non-intel architecture. The patch was tested on armv7h by Gerhard Wiesinger and on x86_64 and sparc64 by me. - An incorrect index at the hash:* types could lead to falsely early expired entries and memory leak when the comment extension was used too. - Release empty hash bucket block when all entries are expired or all slots are empty instead of shrinkig the data part to zero. ==================== Signed-off-by:
-
- 07 Nov, 2015 3 commits
-
-
Jozsef Kadlecsik authored
When all entries are expired/all slots are empty, release the bucket. Signed-off-by:Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
Jozsef Kadlecsik authored
Incorrect index was used when the data blob was shrinked at expiration, which could lead to falsely expired entries and memory leak when the comment extension was used too. Signed-off-by: -
Jozsef Kadlecsik authored
The data extensions in ipset lacked the proper memory alignment and thus could lead to kernel crash on several architectures. Therefore the structures have been reorganized and alignment attributes added where needed. The patch was tested on armv7h by Gerhard Wiesinger and on x86_64, sparc64 by Jozsef Kadlecsik. Reported-by:
Gerhard Wiesinger <lists@wiesinger.com> Tested-by:
-
- 06 Nov, 2015 2 commits
-
-
Pablo Neira Ayuso authored
The input and output interfaces in nf_hook_state_init() are flipped. This fixes iif matching on nftables. Reported-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Florian Westphal authored
nf_hook_list_active() always returns true once at least one device has NF_INGRESS hook enabled. Thus, don't use this function. Instead, inverse the test and use the static key to elide list_empty test if no NF_INGRESS hooks are active. Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
- 05 Nov, 2015 29 commits
-
-
Eric Dumazet authored
In commit e446f9df ("net: synack packets can be attached to request sockets"), I missed one remaining case of invalid skb->sk->sk_security access. Dmitry Vyukov got a KASan report pointing to it. Add selinux_skb_sk() helper that is responsible to get back to the listener if skb is attached to a request socket, instead of duplicating the logic. Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Dmitry Vyukov <dvyukov@google.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by:
-
David S. Miller authored
Michael Chan says: ==================== bnxt_en: Bug fixes. Miscellaneous small bug fixes. ==================== Signed-off-by: -
Jeffrey Huang authored
Instead of always calling pci_sriov_disable() in remove_one(), the driver should detect whether VFs are currently assigned to the VMs. If the VFs are active in VMs, then it should not disable SRIOV as it is catastrophic to the VMs. Instead, it just leaves the VFs alone and continues to unload the PF. The user can then cleanup the VMs even after the PF driver has been unloaded. Signed-off-by:
Jeffrey Huang <huangjw@broadcom.com> Signed-off-by:
Michael Chan <mchan@broadcom.com> Signed-off-by:
-
Michael Chan authored
Assign the return value from bitmap_find_free_region() to an integer variable and check for negative error codes first, before assigning the bit ID to the unsigned sw_id field. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Jeffrey Huang authored
In order to use offset 0x4014 for reading CAG interrupt status, the actual CAG register must be mapped to GRC bar0 window #4. Otherwise, the driver is reading garbage. This patch corrects this issue. Signed-off-by:
-
Michael Chan authored
The profile ID in the completion record needs to be ANDed with the profile ID mask of 0x1f. This bug was causing the SKB hash type and the gso_type to be wrong in some cases. Signed-off-by:
-
Jeffrey Huang authored
Fix the sp event bits to be bit positions instead of bit values since the bit helper functions are expecting the former. Signed-off-by:
-
Eric Dumazet authored
I mistakenly took wrong request sock pointer when calling tcp_move_syn() @req_unhash is either a copy of @req, or a NULL value for FastOpen connexions (as we do not expect to unhash the temporary request sock from ehash table) Fixes: 805c4bc0 ("tcp: fix req->saved_syn race") Signed-off-by:
-
Francesco Ruggeri authored
There is a race conditions between packet_notifier and packet_bind{_spkt}. It happens if packet_notifier(NETDEV_UNREGISTER) executes between the time packet_bind{_spkt} takes a reference on the new netdevice and the time packet_do_bind sets po->ifindex. In this case the notification can be missed. If this happens during a dev_change_net_namespace this can result in the netdevice to be moved to the new namespace while the packet_sock in the old namespace still holds a reference on it. When the netdevice is later deleted in the new namespace the deletion hangs since the packet_sock is not found in the new namespace' &net->packet.sklist. It can be reproduced with the script below. This patch makes packet_do_bind check again for the presence of the netdevice in the packet_sock's namespace after the synchronize_net in unregister_prot_hook. More in general it also uses the rcu lock for the duration of the bind to stop dev_change_net_namespace/rollback_registered_many from going past the synchronize_net following unlist_netdevice, so that no NETDEV_UNREGISTER notifications can happen on the new netdevice while the bind is executing. In order to do this some code from packet_bind{_spkt} is consolidated into packet_do_dev. import socket, os, time, sys proto=7 realDev='em1' vlanId=400 if len(sys.argv) > 1: vlanId=int(sys.argv[1]) dev='vlan%d' % vlanId os.system('taskset -p 0x10 %d' % os.getpid()) s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, proto) os.system('ip link add link %s name %s type vlan id %d' % (realDev, dev, vlanId)) os.system('ip netns add dummy') pid=os.fork() if pid == 0: # dev should be moved while packet_do_bind is in synchronize net os.system('taskset -p 0x20000 %d' % os.getpid()) os.system('ip link set %s netns dummy' % dev) os.system('ip netns exec dummy ip link del %s' % dev) s.close() sys.exit(0) time.sleep(.004) try: s.bind(('%s' % dev, proto+1)) except: print 'Could not bind socket' s.close() os.system('ip netns del dummy') sys.exit(0) os.waitpid(pid, 0) s.close() os.system('ip netns del dummy') sys.exit(0) Signed-off-by:Francesco Ruggeri <fruggeri@arista.com> Signed-off-by:
-
Eric Dumazet authored
Before converting a 'socket pointer' into inet socket, use sk_fullsock() to detect timewait or request sockets. Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by:
-
Eric Dumazet authored
For the reasons explained in commit ce105008 ("tcp/dccp: fix ireq->pktopts race"), we need to make sure we do not access req->saved_syn unless we own the request sock. This fixes races for listeners using TCP_SAVE_SYN option. Fixes: e994b2f0 ("tcp: do not lock listener to process SYN packets") Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by:
Ying Cai <ycai@google.com> Signed-off-by:
-
LABBE Corentin authored
The variable phy_iface is double-initialized to itself. This patch remove that. Reported-by: coverity (CID 1271141) Signed-off-by:
LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by:
-
Dan Carpenter authored
We accidentally return success instead of -ENOMEM here. Fixes: fe56b9e6 ('qed: Add module with basic common support') Signed-off-by:
-
Vivien Didelot authored
The DSA documentation specifies that each port must be capable of forwarding frames to the CPU port. The last changes on bridging support for the mv88e6xxx driver broke this requirement for non-bridged ports. So as for the bridged ports, reserve a few VLANs (4000+) in the switch to isolate ports that have not been bridged yet. By default, a port will be isolated with the CPU and DSA ports. When the port joins a bridge, it will leave its reserved port. When it is removed from a bridge, it will join its reserved VLAN again. Fixes: 5fe7f680 ("net: dsa: mv88e6xxx: fix hardware bridging") Reported-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by:
-
Petr Štetiar authored
This device has same vendor and product IDs as G2K devices, but it has different number of interfaces(4 vs 5) and also different interface layout where EC20 has QMI on interface 4 instead of 0. lsusb output: Bus 002 Device 003: ID 05c6:9215 Qualcomm, Inc. Acer Gobi 2000 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x05c6 Qualcomm, Inc. idProduct 0x9215 Acer Gobi 2000 Wireless Modem bcdDevice 2.32 iManufacturer 1 Quectel iProduct 2 Quectel LTE Module iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 209 bNumInterfaces 5 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 500mA Signed-off-by:
Petr Štetiar <ynezz@true.cz> Acked-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetoothDavid S. Miller authored
Johan Hedberg says: ==================== pull request: bluetooth 2015-11-05 The following set of Bluetooth patches would be good to get into 4.4-rc1 if possible: - Fix for missing LE CoC parameter validity checks - Fix for potential deadlock in btusb - Fix for issuing unsupported commands during HCI init Please let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: -
Yang Shi authored
When running "mod X" operation, if X is 0 the filter has to be halt. Add new test cases to cover A = A mod X if X is 0, and A = A mod 1. CC: Xi Wang <xi.wang@gmail.com> CC: Zi Shen Lim <zlim.lnx@gmail.com> Signed-off-by:
Yang Shi <yang.shi@linaro.org> Acked-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Alexei Starovoitov <ast@kernel.org> Acked-by:
Zi Shen Lim <zlim.lnx@gmail.com> Acked-by:
Xi Wang <xi.wang@gmail.com> Signed-off-by:
-
Arnd Bergmann authored
VXLAN may be a loadable module, and this driver cannot be built-in in that case, or we get a link error: drivers/built-in.o: In function `__bnxt_open_nic': drivers/net/ethernet/broadcom/bnxt/bnxt.c:4581: undefined reference to `vxlan_get_rx_port' This adds a Kconfig dependency that ensures that either VXLAN is disabled (which the driver handles correctly), or we depend on VXLAN itself and disallow built-in compilation when VXLAN is a module. Signed-off-by:
-
Jiri Pirko authored
Fixes: fee6d4c7 ("net: Add netif_is_l3_slave") Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Acked-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
Sabrina Dubroca authored
In ipv6_add_dev, when addrconf_sysctl_register fails, we do not clean up the dev_snmp6 entry that we have already registered for this device. Call snmp6_unregister_dev in this case. Fixes: a317a2f1 ("ipv6: fail early when creating netdev named all or default") Reported-by:
Sabrina Dubroca <sd@queasysnail.net> Signed-off-by:
-
Dan Carpenter authored
MODE_MF_SI is 9. We should be testing bit 9 instead of AND 0x9. Fixes: fe56b9e6 ('qed: Add module with basic common support') Signed-off-by:
Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by:
-
Dan Carpenter authored
We check if "p_hwfn" is NULL and then dereference it in the error handling code. I read the code and it isn't NULL so let's remove the check. Signed-off-by:
-
Johan Hedberg authored
When receiving a connect response we should make sure that the DCID is within the valid range and that we don't already have another channel allocated for the same DCID. Signed-off-by:
Johan Hedberg <johan.hedberg@intel.com> Signed-off-by:
Marcel Holtmann <marcel@holtmann.org>
-
Johan Hedberg authored
The 'dyn_end' value is also a valid CID so it should be included in the range of values checked. Signed-off-by:
-
Johan Hedberg authored
The core spec defines specific response codes for situations when the received CID is incorrect. Add the defines for these and return them as appropriate from the LE Connect Request handler function. Signed-off-by:
-
Marcel Holtmann authored
The white list commands might not be implemented if the controller does not actually support the white list. So check the supported commands first before issuing these commands. Not supporting the white list is the same as supporting a white list with zero size. Signed-off-by:
-
Kuba Pawlak authored
commit 8f9d02f4 introduced spinlocks in btusb_work. This is run in a context of a worqueue and can be interrupted by hardware irq. If it happens while spinlock is held, we have a deadlock. Solution is to use _irqsave/_resore version of locking [ 466.460560] ================================= [ 466.460565] [ INFO: inconsistent lock state ] [ 466.460572] 4.3.0-rc6+ #1 Tainted: G W [ 466.460576] --------------------------------- [ 466.460582] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. [ 466.460589] kworker/0:2/94 [HC0[0]:SC0[0]:HE1:SE1] takes: [ 466.460595] (&(&data->rxlock)->rlock){?.-...}, at: [<ffffffffa0526923>] btusb_work+0xa3/0x3fd [btusb] [ 466.460621] {IN-HARDIRQ-W} state was registered at: [ 466.460625] [<ffffffff811021b5>] __lock_acquire+0xc45/0x1e80 [ 466.460638] [<ffffffff811040d5>] lock_acquire+0xe5/0x1f0 [ 466.460646] [<ffffffff8182f108>] _raw_spin_lock+0x38/0x50 [ 466.460657] [<ffffffffa0525448>] btusb_recv_intr+0x38/0x170 [btusb] [ 466.460668] [<ffffffffa0525626>] btusb_intr_complete+0xa6/0x130 [btusb] [ 466.460679] [<ffffffff815d8f1e>] __usb_hcd_giveback_urb+0x8e/0x160 [ 466.460690] [<ffffffff815d911f>] usb_hcd_giveback_urb+0x3f/0x120 [ 466.460698] [<ffffffff81606e4d>] uhci_giveback_urb+0xad/0x280 [ 466.460706] [<ffffffff81608f64>] uhci_scan_schedule.part.33+0x6b4/0xbe0 [ 466.460714] [<ffffffff81609b50>] uhci_irq+0xd0/0x180 [ 466.460722] [<ffffffff815d8296>] usb_hcd_irq+0x26/0x40 [ 466.460729] [<ffffffff81117d40>] handle_irq_event_percpu+0x40/0x300 [ 466.460739] [<ffffffff81118040>] handle_irq_event+0x40/0x60 [ 466.460746] [<ffffffff8111af39>] handle_fasteoi_irq+0x89/0x150 [ 466.460754] [<ffffffff8101e0f3>] handle_irq+0x73/0x120 [ 466.460763] [<ffffffff81832f11>] do_IRQ+0x61/0x120 [ 466.460772] [<ffffffff8183084c>] ret_from_intr+0x0/0x31 [ 466.460780] [<ffffffff81697a77>] cpuidle_enter+0x17/0x20 [ 466.460790] [<ffffffff810f62c2>] call_cpuidle+0x32/0x60 [ 466.460800] [<ffffffff810f65a8>] cpu_startup_entry+0x2b8/0x3f0 [ 466.460807] [<ffffffff818214ca>] rest_init+0x13a/0x140 [ 466.460817] [<ffffffff81f76029>] start_kernel+0x4a3/0x4c4 [ 466.460827] [<ffffffff81f75339>] x86_64_start_reservations+0x2a/0x2c [ 466.460837] [<ffffffff81f75485>] x86_64_start_kernel+0x14a/0x16d [ 466.460846] irq event stamp: 754913 [ 466.460851] hardirqs last enabled at (754913): [<ffffffff8182f4cc>] _raw_spin_unlock_irq+0x2c/0x40 [ 466.460861] hardirqs last disabled at (754912): [<ffffffff8182f28d>] _raw_spin_lock_irq+0x1d/0x60 [ 466.460869] softirqs last enabled at (753024): [<ffffffff810aeaa0>] __do_softirq+0x380/0x490 [ 466.460880] softirqs last disabled at (753009): [<ffffffff810aedef>] irq_exit+0x10f/0x120 [ 466.460888] other info that might help us debug this: [ 466.460894] Possible unsafe locking scenario: [ 466.460899] CPU0 [ 466.460903] ---- [ 466.460907] lock(&(&data->rxlock)->rlock); [ 466.460915] <Interrupt> [ 466.460918] lock(&(&data->rxlock)->rlock); [ 466.460926] *** DEADLOCK *** [ 466.460935] 2 locks held by kworker/0:2/94: [ 466.460939] #0: ("events"){.+.+.+}, at: [<ffffffff810c69bb>] process_one_work+0x16b/0x660 [ 466.460958] #1: ((&data->work)){+.+...}, at: [<ffffffff810c69bb>] process_one_work+0x16b/0x660 [ 466.460974] Signed-off-by:
Kuba Pawlak <kubax.t.pawlak@intel.com> Signed-off-by:
-
Stefan Hajnoczi authored
When a listen socket enqueues a connection for userspace to accept(), the sk->sk_data_ready() callback should be invoked. In-kernel socket users rely on this callback to detect when incoming connections are available. Currently the sk->sk_state_change() callback is invoked by vmci_transport.c. This happens to work for userspace applications since sk->sk_state_change = sock_def_wakeup() and sk->sk_data_ready = sock_def_readable() both wake up the accept() waiter. In-kernel socket users, on the other hand, fail to detect incoming connections. Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by:
-
Tobias Klauser authored
In tun_dst_unclone() the return value of skb_metadata_dst() is checked for being NULL after it is dereferenced. Fix this by moving the dereference after the NULL check. Found by the Coverity scanner (CID 1338068). Fixes: fc4099f1 ("openvswitch: Fix egress tunnel info.") Cc: Pravin B Shelar <pshelar@nicira.com> Signed-off-by:
Tobias Klauser <tklauser@distanz.ch> Signed-off-by:
-
