1. 08 Feb, 2016 1 commit
    • Phil Turnbull's avatar
      netfilter: nfnetlink: correctly validate length of batch messages · c58d6c93
      Phil Turnbull authored
      If nlh->nlmsg_len is zero then an infinite loop is triggered because
      'skb_pull(skb, msglen);' pulls zero bytes.
      
      The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
      NLMSG_HDRLEN' which bypasses the length validation and will later
      trigger an out-of-bound read.
      
      If the length validation does fail then the malformed batch message is
      copied back to userspace. However, we cannot do this because the
      nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
      netlink_ack:
      
          [   41.455421] ==================================================================
          [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
          [   41.456431] Read of size 4294967280 by task a.out/987
          [   41.456431] =============================================================================
          [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
          [   41.456431] -----------------------------------------------------------------------------
          ...
          [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
          [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
          [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  .......@EV."3...
          [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
                                                  ^^ start of batch nlmsg with
                                                     nlmsg_len=4294967280
          ...
          [   41.456431] Memory state around the buggy address:
          [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
          [   41.456431]                                ^
          [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
          [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
          [   41.456431] ==================================================================
      
      Fix this with better validation of nlh->nlmsg_len and by setting
      NFNL_BATCH_FAILURE if any batch message fails length validation.
      
      CAP_NET_ADMIN is required to trigger the bugs.
      
      Fixes: 9ea2aa8b ("netfilter: nfnetlink: validate nfnetlink header from batch")
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c58d6c93
  2. 31 Jan, 2016 3 commits
  3. 30 Jan, 2016 25 commits
    • David S. Miller's avatar
      Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 53729eb1
      David S. Miller authored
      Johan Hedberg says:
      
      ====================
      pull request: bluetooth 2016-01-30
      
      Here's a set of important Bluetooth fixes for the 4.5 kernel:
      
       - Two fixes to 6LoWPAN code (one fixing a potential crash)
       - Fix LE pairing with devices using both public and random addresses
       - Fix allocation of dynamic LE PSM values
       - Fix missing COMPATIBLE_IOCTL for UART line discipline
      
      Please let me know if there are any issues pulling. Thanks.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      53729eb1
    • Yuchung Cheng's avatar
      tcp: avoid cwnd undo after receiving ECN · 99b4dd9f
      Yuchung Cheng authored
      RFC 4015 section 3.4 says the TCP sender MUST refrain from
      reversing the congestion control state when the ACK signals
      congestion through the ECN-Echo flag. Currently we may not
      always do that when prior_ssthresh is reset upon receiving
      ACKs with ECE marks. This patch fixes that.
      Signed-off-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99b4dd9f
    • WANG Cong's avatar
      irda: fix a potential use-after-free in ircomm_param_request · 3d45296a
      WANG Cong authored
      self->ctrl_skb is protected by self->spinlock, we should not
      access it out of the lock. Move the debugging printk inside.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Samuel Ortiz <samuel@sortiz.org>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3d45296a
    • David S. Miller's avatar
      Merge branch 'arnd-net-driver-fixes' · ae9d723e
      David S. Miller authored
      Arnd Bergmann says:
      
      ====================
      network driver fixes
      
      This is an updated series of fixes for the network device drivers
      that showed warnings in ARM randconfig.
      
      Changes since v1 are:
      
      dropped "net: macb: avoid uninitialized variables", already fixed in net-next
      
      dropped "net: fddi/defxx: avoid warning about uninitialized variable
      	use", already fixed in net-next
      
      added missing barriers in "net: moxart: use correct accessors for
      	DMA memory"
      
      clarified "net: bgmac: clarify CONFIG_BCMA dependency" changelog
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae9d723e
    • Arnd Bergmann's avatar
      net: tg3: avoid uninitialized variable warning · e434e041
      Arnd Bergmann authored
      The tg3_set_eeprom() function correctly initializes the 'start' variable,
      but gcc generates a false warning:
      
      drivers/net/ethernet/broadcom/tg3.c: In function 'tg3_set_eeprom':
      drivers/net/ethernet/broadcom/tg3.c:12057:4: warning: 'start' may be used uninitialized in this function [-Wmaybe-uninitialized]
      
      I have not come up with a way to restructure the code in a way that
      avoids the warning without making it less readable, so this adds an
      initialization for the declaration to shut up that warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e434e041
    • Arnd Bergmann's avatar
      net: nb8800: avoid uninitialized variable warning · 8bdb2908
      Arnd Bergmann authored
      The nb8800_poll() function initializes the 'next' variable in the
      loop looking for new input data. We know this will be called at
      least once because 'budget' is a guaranteed to be a positive number
      when we enter the function, but the compiler doesn't know that
      and warns when the variable is used later:
      
      drivers/net/ethernet/aurora/nb8800.c: In function 'nb8800_poll':
      drivers/net/ethernet/aurora/nb8800.c:350:21: warning: 'next' may be used uninitialized in this function [-Wmaybe-uninitialized]
      
      Changing the 'while() {}' loop to 'do {} while()' makes it obvious
      to the compiler what is going on so it no longer warns.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarMans Rullgard <mans@mansr.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8bdb2908
    • Arnd Bergmann's avatar
      net: vxge: avoid unused function warnings · 57e7c8ce
      Arnd Bergmann authored
      When CONFIG_PCI_MSI is disabled, we get warnings about unused functions
      in the vxge driver:
      
      drivers/net/ethernet/neterion/vxge/vxge-main.c:2121:13: warning: 'adaptive_coalesce_tx_interrupts' defined but not used [-Wunused-function]
      drivers/net/ethernet/neterion/vxge/vxge-main.c:2149:13: warning: 'adaptive_coalesce_rx_interrupts' defined but not used [-Wunused-function]
      
      We could add another #ifdef here, but it's nicer to avoid those warnings
      for good by converting the existing #ifdef to if(IS_ENABLED()), which has
      the same effect but provides better compile-time coverage in general,
      and lets the compiler understand better when the function is intentionally
      unused.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57e7c8ce
    • Arnd Bergmann's avatar
      net: bgmac: clarify CONFIG_BCMA dependency · 1f820f53
      Arnd Bergmann authored
      The bgmac driver depends on BCMA_HOST_SOC, which is only used
      when CONFIG_BCMA is enabled. However, it is a bool option and can
      be set when CONFIG_BCMA=m, and then bgmac can be built-in, leading
      to an obvious link error:
      
      drivers/built-in.o: In function `bgmac_init':
      :(.init.text+0x7f2c): undefined reference to `__bcma_driver_register'
      drivers/built-in.o: In function `bgmac_exit':
      :(.exit.text+0x110a): undefined reference to `bcma_driver_unregister'
      
      To avoid this case, we need to depend on both BCMA and BCMA_SOC,
      as this patch does. I'm also trying to make the dependency more
      readable by splitting it into three lines, and adding a COMPILE_TEST
      alternative so we can test-build it in all configurations that
      support BCMA.
      
      The added dependency on FIXED_PHY addresses a related issue where
      we cannot call fixed_phy_register() when CONFIG_FIXED_PHY=m and
      CONFIG_BGMAC=y.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f820f53
    • Arnd Bergmann's avatar
      net: hp100: remove unnecessary #ifdefs · 747a1127
      Arnd Bergmann authored
      Building the hp100 ethernet driver causes warnings when both the PCI
      and EISA drivers are disabled:
      
      ethernet/hp/hp100.c: In function 'hp100_module_init':
      ethernet/hp/hp100.c:3047:2: warning: label 'out3' defined but not used [-Wunused-label]
      ethernet/hp/hp100.c: At top level:
      ethernet/hp/hp100.c:2828:13: warning: 'cleanup_dev' defined but not used [-Wunused-function]
      
      We can easily avoid the warnings and make the driver look slightly
      nicer by removing the #ifdefs that check for the CONFIG_PCI and
      CONFIG_EISA, as all the registration functions are designed to
      have no effect when the buses are disabled.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      747a1127
    • Arnd Bergmann's avatar
      net: davinci_cpdma: use dma_addr_t for DMA address · 84092996
      Arnd Bergmann authored
      The davinci_cpdma mixes up physical addresses as seen from the CPU
      and DMA addresses as seen from a DMA master, since it can operate
      on both normal memory or an on-chip buffer. If dma_addr_t is
      different from phys_addr_t, this means we get a compile-time warning
      about the type mismatch:
      
      ethernet/ti/davinci_cpdma.c: In function 'cpdma_desc_pool_create':
      ethernet/ti/davinci_cpdma.c:182:48: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types]
         pool->cpumap = dma_alloc_coherent(dev, size, &pool->phys,
      In file included from ethernet/ti/davinci_cpdma.c:21:0:
      dma-mapping.h:398:21: note: expected 'dma_addr_t * {aka long long unsigned int *}' but argument is of type 'phys_addr_t * {aka unsigned int *}'
       static inline void *dma_alloc_coherent(struct device *dev, size_t size,
      
      This slightly restructures the code so the address we use for
      mapping RAM into a DMA address is always a dma_addr_t, avoiding
      the warning. The code is correct even if both types are 32-bit
      because the DMA master in this device only supports 32-bit addressing
      anyway, independent of the types that are used.
      
      We still assign this value to pool->phys, and that is wrong if
      the driver is ever used with an IOMMU, but that value appears to
      be never used, so there is no problem really. I've added a couple
      of comments about where we do things that are slightly violating
      the API.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84092996
    • David S. Miller's avatar
      Merge branch 'ipv6-sticky-pktinfo' · 84922d8c
      David S. Miller authored
      Paolo Abeni says:
      
      ====================
      ipv6: fix sticky pktinfo behaviour
      
      Currently:
      
      ip addr add dev eth0 2001:0010::1/64
      ip addr add dev eth1 2001:0020::1/64
      ping6 -I eth0 2001:0020::2
      
      do not lead to the expected results, i.e. eth1 is used as the
      egress interface.
      
      This is due to two related issues in handling sticky pktinfo,
      used by ping6 to enforce the device binding:
      
      - ip6_dst_lookup_flow()/ip6_dst_lookup_tail() do not really enforce
      flowi6_oif match
      - ipv6 udp connect() just ignore flowi6_oif
      
      These patches address each issue individually.
      
      The kernel has never enforced the egress interface specified
      via the sticky pktinfo, except briefly between the commits
      741a11d9 ("net: ipv6: Add RT6_LOOKUP_F_IFACE flag if oif is set")
      and
      d46a9d67 ("net: ipv6: Dont add RT6_LOOKUP_F_IFACE flag if saddr set"),
      but the ping6 tools was unaffected up to iputils-20100214,
      since before it used SO_BINDTODEVICE to enforce the egress
      interface.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84922d8c
    • Paolo Abeni's avatar
      ipv6/udp: use sticky pktinfo egress ifindex on connect() · 1cdda918
      Paolo Abeni authored
      Currently, the egress interface index specified via IPV6_PKTINFO
      is ignored by __ip6_datagram_connect(), so that RFC 3542 section 6.7
      can be subverted when the user space application calls connect()
      before sendmsg().
      Fix it by initializing properly flowi6_oif in connect() before
      performing the route lookup.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1cdda918
    • Paolo Abeni's avatar
      ipv6: enforce flowi6_oif usage in ip6_dst_lookup_tail() · 6f21c96a
      Paolo Abeni authored
      The current implementation of ip6_dst_lookup_tail basically
      ignore the egress ifindex match: if the saddr is set,
      ip6_route_output() purposefully ignores flowi6_oif, due
      to the commit d46a9d67 ("net: ipv6: Dont add RT6_LOOKUP_F_IFACE
      flag if saddr set"), if the saddr is 'any' the first route lookup
      in ip6_dst_lookup_tail fails, but upon failure a second lookup will
      be performed with saddr set, thus ignoring the ifindex constraint.
      
      This commit adds an output route lookup function variant, which
      allows the caller to specify lookup flags, and modify
      ip6_dst_lookup_tail() to enforce the ifindex match on the second
      lookup via said helper.
      
      ip6_route_output() becames now a static inline function build on
      top of ip6_route_output_flags(); as a side effect, out-of-tree
      modules need now a GPL license to access the output route lookup
      functionality.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f21c96a
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2016-01-29' of... · 39a4867a
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2016-01-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      iwlwifi
      
      * Fix support for 3168 device:
        * NVM version
        * firmware file name
        * device IDs
      * Fix a compilation warning in dvm calibration code
      * Fix the TPC (reduced Tx Power) code. This fixes performance issues
      * Add device IDs for 8265
      
      rtx2x00
      
      * fix monitor mode regression dating back to 4.1
      
      brcmfmac
      
      * fix sdio initialisation related crash
      
      rtlwifi
      
      * rtl8821ae: Fix 5G failure when EEPROM is incorrectly encoded
      
      ath9k
      
      * ignore eeprom magic mismatch on flash based devices
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      39a4867a
    • Ken-ichirou MATSUZAWA's avatar
      netlink: not trim skb for mmaped socket when dump · aa3a0220
      Ken-ichirou MATSUZAWA authored
      We should not trim skb for mmaped socket since its buf size is fixed
      and userspace will read as frame which data equals head. mmaped
      socket will not call recvmsg, means max_recvmsg_len is 0,
      skb_reserve was not called before commit: db65a3aa.
      
      Fixes: db65a3aa (netlink: Trim skb to alloc size to avoid MSG_TRUNC)
      Signed-off-by: default avatarKen-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa3a0220
    • Li RongQing's avatar
      vxlan: fix a out of bounds access in __vxlan_find_mac · 7256eac1
      Li RongQing authored
      The size of all_zeros_mac is 6 byte, but eth_hash() will access the
      8 byte, and KASan reported the below bug:
      
      [ 8596.479031] BUG: KASan: out of bounds access in __vxlan_find_mac+0x24/0x100 at addr ffffffff841514c0
      [ 8596.487647] Read of size 8 by task ip/52820
      [ 8596.490818] Address belongs to variable all_zeros_mac+0x0/0x40
      [ 8596.496051] CPU: 0 PID: 52820 Comm: ip Tainted: G WC 4.1.15 #1
      [ 8596.503520] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 02/10/2014
      [ 8596.509365] ffffffff841514c0 ffff88007450f0b8 ffffffff822fa5e1 0000000000000032
      [ 8596.516112] ffff88007450f150 ffff88007450f138 ffffffff812dd58c ffff88007450f1d8
      [ 8596.522856] ffffffff81113b80 0000000000000282 0000000000000001 ffffffff8101ee4d
      [ 8596.529599] Call Trace:
      [ 8596.530858] [<ffffffff822fa5e1>] dump_stack+0x4f/0x7b
      [ 8596.535080] [<ffffffff812dd58c>] kasan_report_error+0x3bc/0x3f0
      [ 8596.540258] [<ffffffff81113b80>] ? __lock_acquire+0x90/0x2140
      [ 8596.545245] [<ffffffff8101ee4d>] ? save_stack_trace+0x2d/0x80
      [ 8596.550234] [<ffffffff812dda70>] kasan_report+0x40/0x50
      [ 8596.554647] [<ffffffff81b211e4>] ? __vxlan_find_mac+0x24/0x100
      [ 8596.559729] [<ffffffff812dc399>] __asan_load8+0x69/0xa0
      [ 8596.564141] [<ffffffff81b211e4>] __vxlan_find_mac+0x24/0x100
      [ 8596.569033] [<ffffffff81b2683d>] vxlan_fdb_create+0x9d/0x570
      
      it can be fixed by enlarging the all_zeros_mac to 8 byte, although it is
      harmless; eth_hash() will be called in other place with the memory which
      is larger and equal to 8 byte.
      Signed-off-by: default avatarLi RongQing <roy.qing.li@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7256eac1
    • Vivien Didelot's avatar
      net: dsa: mv88e6xxx: fix port VLAN maps · be1faa92
      Vivien Didelot authored
      Currently the port based VLAN maps should be configured to allow every
      port to egress frames on all other ports, except themselves.
      
      The debugfs interface shows that they are misconfigured. For instance, a
      7-port switch has the following content in the related register 0x06:
      
             GLOBAL GLOBAL2 SERDES   0    1    2    3    4    5    6
          ...
          6:  1fa4    1f0f       4   7f   7e   7d   7c   7b   7a   79
          ...
      
      This means that port 3 is allowed to talk to port 2-6, but cannot talk
      to ports 0 and 1. With this fix, port 3 can correctly talk to all ports
      except 3 itself:
      
             GLOBAL GLOBAL2 SERDES   0    1    2    3    4    5    6
          ...
          6:  1fa4    1f0f       4   7e   7d   7b   77   6f   5f   3f
          ...
      
      Fixes: ede8098d ("net: dsa: mv88e6xxx: bridges do not need an FID")
      Reported-by: default avatarKevin Smith <kevin.smith@elecsyscorp.com>
      Signed-off-by: default avatarVivien Didelot <vivien.didelot@savoirfairelinux.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Tested-by: default avatarKevin Smith <kevin.smith@elecsyscorp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be1faa92
    • Alexander Duyck's avatar
      fib_trie: Fix shift by 32 in fib_table_lookup · a5829f53
      Alexander Duyck authored
      The fib_table_lookup function had a shift by 32 that triggered a UBSAN
      warning.  This was due to the fact that I had placed the shift first and
      then followed it with the check for the suffix length to ignore the
      undefined behavior.  If we reorder this so that we verify the suffix is
      less than 32 before shifting the value we can avoid the issue.
      Reported-by: default avatarToralf Förster <toralf.foerster@gmx.de>
      Signed-off-by: default avatarAlexander Duyck <aduyck@mirantis.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5829f53
    • Arnd Bergmann's avatar
      net: moxart: use correct accessors for DMA memory · 59a557be
      Arnd Bergmann authored
      The moxart ethernet driver confuses coherent DMA buffers with
      MMIO registers.
      
      moxart_ether.c: In function 'moxart_mac_setup_desc_ring':
      moxart_ether.c:146:428: error: passing argument 1 of '__fswab32' makes integer from pointer without a cast [-Werror=int-conversion]
      moxart_ether.c:74:39: warning: incorrect type in argument 3 (different address spaces)
      moxart_ether.c:74:39:    expected void *cpu_addr
      moxart_ether.c:74:39:    got void [noderef] <asn:2>*tx_desc_base
      
      This leaves the basic logic alone and uses normal pointers for
      the virtual address of the descriptor. As we cannot use readl/writel
      to access them, we also introduce our own moxart_desc_read
      moxart_desc_write helpers that perform the same endianess swap
      as the original code, but without the address space conversion.
      
      The barriers are made explicit here where needed: Even in the worst-case
      scenario, we just have to use a rmb() after checking ownership so
      we don't read any input data before we are sure it is value, and we
      use wmb() before transferring ownership back to the device.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59a557be
    • Arnd Bergmann's avatar
      ipv4: ipconfig: avoid unused ic_proto_used symbol · 52b79e2b
      Arnd Bergmann authored
      When CONFIG_PROC_FS, CONFIG_IP_PNP_BOOTP, CONFIG_IP_PNP_DHCP and
      CONFIG_IP_PNP_RARP are all disabled, we get a warning about the
      ic_proto_used variable being unused:
      
      net/ipv4/ipconfig.c:146:12: error: 'ic_proto_used' defined but not used [-Werror=unused-variable]
      
      This avoids the warning, by making the definition conditional on
      whether a dynamic IP configuration protocol is configured. If not,
      we know that the value is always zero, so we can optimize away the
      variable and all code that depends on it.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      52b79e2b
    • David S. Miller's avatar
      Merge branch 'bnxt_en-fixes' · 0260a2f4
      David S. Miller authored
      Michael Chan says:
      
      ====================
      bnxt_en: Bug fixes.
      
      3 small bug fix patches for net.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0260a2f4
    • Michael Chan's avatar
      bnxt_en: Fix crash in bnxt_free_tx_skbs() during tx timeout. · d612a579
      Michael Chan authored
      The ring index j is not wrapped properly at the end of the ring, causing
      it to reference pointers past the end of the ring.  For proper loop
      termination and to access the ring properly, we need to increment j and
      mask it before referencing the ring entry.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d612a579
    • Michael Chan's avatar
      bnxt_en: Exclude rx_drop_pkts hw counter from the stack's rx_dropped counter. · 8a4d4c8d
      Michael Chan authored
      This hardware counter is misleading as it counts dropped packets that
      don't match the hardware filters for unicast/broadcast/multicast.  We
      will still report this counter in ethtool -S for diagnostics purposes.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8a4d4c8d
    • Prashant Sreedharan's avatar
      bnxt_en: Ring free response from close path should use completion ring · 74608fc9
      Prashant Sreedharan authored
      Use completion ring for ring free response from firmware.  The response
      will be the last entry in the ring and we can free the ring after getting
      the response.  This will guarantee no spurious DMA to freed memory.
      Signed-off-by: default avatarPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74608fc9
    • Bernie Harris's avatar
      net_sched: drr: check for NULL pointer in drr_dequeue · df3eb6cd
      Bernie Harris authored
      There are cases where qdisc_dequeue_peeked can return NULL, and the result
      is dereferenced later on in the function.
      
      Similarly to the other qdisc dequeue functions, check whether the skb
      pointer is NULL and if it is, goto out.
      Signed-off-by: default avatarBernie Harris <bernie.harris@alliedtelesis.co.nz>
      Reviewed-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df3eb6cd
  4. 29 Jan, 2016 11 commits
    • Kefeng Wang's avatar
      ptp: ixp46x: use helpers for converting ns to timespec · b83ef507
      Kefeng Wang authored
      Convert the driver to use ns_to_timespec64() and timespec64_to_ns()
      instead of open coding the same logic.
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Acked-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b83ef507
    • Jörg Thalheim's avatar
    • Nikolay Aleksandrov's avatar
      macvlan: make operstate and carrier more accurate · de7d244d
      Nikolay Aleksandrov authored
      Currently when a macvlan is being initialized and the lower device is
      netif_carrier_ok(), the macvlan device doesn't run through
      rfc2863_policy() and is left with UNKNOWN operstate. Fix it by adding an
      unconditional linkwatch event for the new macvlan device. Similar fix is
      already used by the 8021q device (see register_vlan_dev()). Also fix the
      inconsistent state when the lower device has been down and its carrier
      was changed (when a device is down NETDEV_CHANGE doesn't get generated).
      The second issue can be seen f.e. when we have a macvlan on top of a 8021q
      device which has been down and its real device has been changing carrier
      states, after setting the 8021q device up, the macvlan device will have
      the same carrier state as it was before even though the 8021q can now
      have a different state.
      Example for case 1:
      4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
      state UP mode DEFAULT group default qlen 1000
      
      $ ip l add l eth2 macvl0 type macvlan
      $ ip l set macvl0 up
      $ ip l sh macvl0
      72: macvl0@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
      noqueue state UNKNOWN mode DEFAULT group default
          link/ether f6:0b:54:0a:9d:a3 brd ff:ff:ff:ff:ff:ff
      
      Example for case 2 (order is important):
      Prestate: eth2 UP/CARRIER, vlan1 down, vlan1-macvlan down
      $ ip l set vlan1-macvlan up
      $ ip l sh vlan1-macvlan
      71: vlan1-macvlan@vlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
      qdisc noqueue state UNKNOWN mode DEFAULT group default
          link/ether 4a:b8:44:56:b9:b9 brd ff:ff:ff:ff:ff:ff
      
      [ eth2 loses CARRIER before vlan1 has been UP-ed ]
      
      $ ip l sh eth2
      4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
      state DOWN mode DEFAULT group default qlen 1000
          link/ether 52:54:00:bf:57:16 brd ff:ff:ff:ff:ff:ff
      $ ip l sh vlan1-macvlan
      71: vlan1-macvlan@vlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
      qdisc noqueue state UNKNOWN mode DEFAULT group default
          link/ether 4a:b8:44:56:b9:b9 brd ff:ff:ff:ff:ff:ff
      $ ip l set vlan1 up
      $ ip l sh vlan1
      70: vlan1@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
      noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
          link/ether 52:54:00:bf:57:16 brd ff:ff:ff:ff:ff:ff
      $ ip l sh vlan1-macvlan
      71: vlan1-macvlan@vlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
      qdisc noqueue state UNKNOWN mode DEFAULT group default
          link/ether 4a:b8:44:56:b9:b9 brd ff:ff:ff:ff:ff:ff
      
      vlan1-macvlan is still UP, still has carrier and is still in the same
      operstate as before. After the patch in case 1 macvl0 has state UP as it
      should and in case 2 vlan1-macvlan has state LOWERLAYERDOWN again as it
      should. Note that while the lower macvlan device is down their carrier
      and thus operstate can go out of sync but that will be fixed once the
      lower device goes up again.
      This behaviour seems to have been present since beginning of git history.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      de7d244d
    • Parthasarathy Bhuvaragan's avatar
      tipc: fix connection abort during subscription cancel · 4d5cfcba
      Parthasarathy Bhuvaragan authored
      In 'commit 7fe8097c ("tipc: fix nullpointer bug when subscribing
      to events")', we terminate the connection if the subscription
      creation fails.
      In the same commit, the subscription creation result was based on
      the value of the subscription pointer (set in the function) instead
      of the return code.
      
      Unfortunately, the same function tipc_subscrp_create() handles
      subscription cancel request. For a subscription cancellation request,
      the subscription pointer cannot be set. Thus if a subscriber has
      several subscriptions and cancels any of them, the connection is
      terminated.
      
      In this commit, we terminate the connection based on the return value
      of tipc_subscrp_create().
      Fixes: commit 7fe8097c ("tipc: fix nullpointer bug when subscribing to events")
      Reviewed-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4d5cfcba
    • Kefeng Wang's avatar
      net: cavium: liquidio: use helpers ns_to_timespec64() · 286af315
      Kefeng Wang authored
      Convert the driver to use ns_to_timespec64() to keep consistency
      with timespec64_to_ns() instead of open coding the same logic.
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      286af315
    • Eric Dumazet's avatar
      ipv4: early demux should be aware of fragments · 63e51b6a
      Eric Dumazet authored
      We should not assume a valid protocol header is present,
      as this is not the case for IPv4 fragments.
      
      Lets avoid extra cache line misses and potential bugs
      if we actually find a socket and incorrectly uses its dst.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      63e51b6a
    • Johan Hedberg's avatar
      Bluetooth: Fix incorrect removing of IRKs · cff10ce7
      Johan Hedberg authored
      The commit cad20c27 was supposed to
      fix handling of devices first using public addresses and then
      switching to RPAs after pairing. Unfortunately it missed a couple of
      key places in the code.
      
      1. When evaluating which devices should be removed from the existing
      white list we also need to consider whether we have an IRK for them or
      not, i.e. a call to hci_find_irk_by_addr() is needed.
      
      2. In smp_notify_keys() we should not be requiring the knowledge of
      the RPA, but should simply keep the IRK around if the other conditions
      require it.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org # 4.4+
      cff10ce7
    • Johan Hedberg's avatar
      Bluetooth: L2CAP: Fix setting chan src info before adding PSM/CID · a2342c5f
      Johan Hedberg authored
      At least the l2cap_add_psm() routine depends on the source address
      type being properly set to know what auto-allocation ranges to use, so
      the assignment to l2cap_chan needs to happen before this.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      a2342c5f
    • Johan Hedberg's avatar
      Bluetooth: L2CAP: Fix auto-allocating LE PSM values · 92594a51
      Johan Hedberg authored
      The LE dynamic PSM range is different from BR/EDR (0x0080 - 0x00ff)
      and doesn't have requirements relating to parity, so separate checks
      are needed.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      92594a51
    • Johan Hedberg's avatar
      Bluetooth: L2CAP: Introduce proper defines for PSM ranges · 114f9f1e
      Johan Hedberg authored
      Having proper defines makes the code a bit readable, it also avoids
      duplicating hard-coded values since these are also needed when
      auto-allocating PSM values (in a subsequent patch).
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      114f9f1e
    • David S. Miller's avatar
      Merge branch 'phylib-regressions-part-2' · b6443885
      David S. Miller authored
      Andrew Lunn says:
      
      ====================
      Part 2 of v4.5-rc1 phylib regression
      
      White list PHY compatible values which indicate PHYs.  Issue a warning
      when one is encountered.
      
      Update the documentation to make it clear what is expected in the
      compatible string.
      
      v2:
      Fix Grammar, reword changelog, add Tested-by and Acked-by.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6443885