1. 19 Jan, 2015 7 commits
  2. 18 Jan, 2015 1 commit
    • net: sctp: fix race for one-to-many sockets in sendmsg's auto associate · 2061dcd6
      Daniel Borkmann authored
      One-to-many sockets in SCTP are not required to explicitly
      call connect(2) or sctp_connectx(2) prior to data exchange.
      Instead, they can directly invoke sendmsg(2) and the SCTP stack
      will automatically trigger connection establishment through 4WHS
      via sctp_primitive_ASSOCIATE(). However, this in its current
      implementation is racy: INIT is being sent out immediately (as
      it cannot be bundled anyway) and the rest of the DATA chunks are
      queued up for later xmit when connection is established, meaning
      sendmsg(2) will return successfully. This behaviour can have the
      undesired side effect of making the application believe the data
      has already been transmitted although none of it has actually
      left the machine, in the worst case even after close(2)'ing
      the socket.
      
      For instance, when the association has been shut down from the
      client side, e.g. first gracefully through SCTP_EOF and then via
      close(2), the client could afterwards still receive the server's
      INIT_ACK due to a connection with higher latency. This INIT_ACK is
      then considered out of the blue and is answered with an ABORT, as
      no live association is found anymore. This can be easily reproduced,
      e.g. with the sctp_test application from lksctp. One way to fix this
      race is to wait for the handshake to actually complete.
      
      The fix defers waiting until after sctp_primitive_ASSOCIATE() and
      sctp_primitive_SEND() have succeeded, so that DATA chunks cooked up
      from sctp_sendmsg() have already been placed into the output
      queue through the side-effect interpreter, and can therefore
      be bundled together with COOKIE_ECHO control chunks.
      
      strace from example application (shortened):
      
      socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
                 msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
      close(3) = 0
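
The call sequence in the strace above can be sketched in userspace C roughly as follows. This is a minimal sketch, not the test program used for the commit: the helper names fill_peer(), prepare_msg() and send_unconnected() are hypothetical, the SCTP_EOF shutdown step is left out, and socket(2) simply fails with -1 on hosts without SCTP support.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical helper: fill in an IPv4 destination.
 * Returns 0 on success, -1 if the address string is invalid. */
int fill_peer(struct sockaddr_in *peer, const char *ip, unsigned short port)
{
    memset(peer, 0, sizeof(*peer));
    peer->sin_family = AF_INET;
    peer->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &peer->sin_addr) == 1 ? 0 : -1;
}

/* Hypothetical helper: build a msghdr that names the peer explicitly,
 * since no connect(2) has been issued on the one-to-many socket. */
void prepare_msg(struct msghdr *msg, struct sockaddr_in *peer,
                 struct iovec *iov, const char *payload)
{
    memset(msg, 0, sizeof(*msg));
    iov->iov_base = (void *)payload;
    iov->iov_len = strlen(payload);
    msg->msg_name = peer;
    msg->msg_namelen = sizeof(*peer);
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
}

/* Send one message on a fresh one-to-many socket without connect(2).
 * The first sendmsg(2) triggers association setup in the SCTP stack.
 * Returns the number of bytes accepted, or -1 on any failure. */
ssize_t send_unconnected(const char *ip, unsigned short port,
                         const char *payload)
{
    struct sockaddr_in peer;
    struct iovec iov;
    struct msghdr msg;
    ssize_t n;
    int fd;

    if (fill_peer(&peer, ip, port) < 0)
        return -1;
    fd = socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP);
    if (fd < 0)
        return -1;
    prepare_msg(&msg, &peer, &iov, payload);
    n = sendmsg(fd, &msg, 0);
    close(fd);
    return n;
}
```

A caller would invoke send_unconnected("192.168.1.115", 8888, "hello"); a successful return only means the kernel accepted the data, which is exactly the gap the commit message describes.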
      
      tcpdump before patch (fooling the application):
      
      22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
      22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
      22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
      
      tcpdump after patch:
      
      14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
      14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
      14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
      14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
      14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
      14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
      14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
      14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
      14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
      14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
      14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
      
      Looks like this bug is from the pre-git history museum. ;)
      
      Fixes: 08707d54 ("lksctp-2_5_31-0_5_1.patch")
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 16 Jan, 2015 17 commits
  4. 15 Jan, 2015 11 commits
    • sh_eth: Fix addition of .trscer_err_mask to wrong SoC data · 01fbd3f5
      Geert Uytterhoeven authored
      Commit b284fbe3 ("sh_eth: Fix access to TRSCER register") wanted
      to add a .trscer_err_mask value to the R-Car Gen2 family-specific data
      structure (r8a779x_data), but it was accidentally added to the
      SH7724-specific data structure (sh7724_data).
      
      Presumably this happened due to a patch conflict with commit
      d407bc02 ("sh-eth: Set fdr_value of R-Car SoCs"), which added
      another field at the same position.
      
      Move the field setting to fix this.
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Fixes: b284fbe3 ("sh_eth: Fix access to TRSCER register")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers: net: cpsw: fix cpsw hung with add vlan using vconfig · 9f6bd8fa
      Mugunthan V N authored
      While adding a VLAN in dual EMAC mode, only the specific ports should be
      subscribed to the VLAN; otherwise the CPSW ends up in switching mode, and
      if both ports are connected to the same switch, the CPSW will hang as this
      creates a network loop. Fix this by adding only the specific ports in case
      of dual EMAC.
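
The port selection described above can be illustrated with a small model. This is only a sketch under assumptions: the bit layout (host port in bit 0, slave ports in bits 1 and 2), the constants and the function name vlan_port_mask() are hypothetical and are not taken from the driver.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical port bitmap layout, for illustration only. */
#define HOST_PORT_BIT  (1u << 0)
#define ALL_PORTS_MASK 0x7u

/* Return the set of ports that should become members of a new VLAN.
 * In dual EMAC mode only the slave port behind this interface and the
 * host port are subscribed, so frames are not switched between the two
 * external ports. In switch mode all ports are members. */
uint32_t vlan_port_mask(bool dual_emac, unsigned int slave)
{
    if (dual_emac)
        return (1u << (slave + 1)) | HOST_PORT_BIT;
    return ALL_PORTS_MASK;
}
```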
      Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • can: kvaser_usb: Don't dereference skb after a netif_rx() · a58518cc
      Ahmed S. Darwish authored
      We should not touch the packet after a netif_rx: it might
      get freed behind our back.
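
The rule can be modelled in plain userspace C. The sketch below is an illustration, not driver code: struct pkt, struct stats, hand_to_stack() and rx_one() are hypothetical stand-ins for the sk_buff, the device statistics, netif_rx() and the receive path.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for struct sk_buff and the device statistics. */
struct pkt {
    size_t len;
    unsigned char data[8];
};

struct stats {
    unsigned long rx_packets;
    unsigned long rx_bytes;
};

/* Models netif_rx(): takes ownership and may free the packet at once. */
void hand_to_stack(struct pkt *p)
{
    free(p);
}

/* Receive path: read everything that is still needed from the packet
 * first, hand it over, and use only the saved copies afterwards. */
void rx_one(struct stats *st, const unsigned char *payload, size_t len)
{
    struct pkt *p = malloc(sizeof(*p));
    size_t saved_len;

    if (!p)
        return;
    p->len = len > sizeof(p->data) ? sizeof(p->data) : len;
    memcpy(p->data, payload, p->len);

    saved_len = p->len;   /* copy before the hand-off */
    hand_to_stack(p);     /* p must not be touched from here on */

    st->rx_packets++;
    st->rx_bytes += saved_len;
}
```

Updating the statistics before the hand-off would work equally well; the point is only that nothing reads the packet once ownership has been given away.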
      Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: kvaser_usb: Don't send a RESET_CHIP for non-existing channels · 5e7e6e0c
      Ahmed S. Darwish authored
      Recent Leaf firmware versions (>= 3.1.557) do not allow sending
      commands for non-existing channels.  If a command is sent for a
      non-existing channel, the firmware crashes.
      Reported-by: Christopher Storah <Christopher.Storah@invetech.com.au>
      Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
      Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: kvaser_usb: Reset all URB tx contexts upon channel close · 889b77f7
      Ahmed S. Darwish authored
      Flooding the Kvaser CAN to USB dongle with multiple reads and
      writes in very high frequency (*), closing the CAN channel while
      all the transmissions are on (#), opening the device again (@),
      then sending a small number of packets would make the driver
      enter an almost infinite loop of:
      
      [....]
      [15959.853988] kvaser_usb 4-3:1.0 can0: cannot find free context
      [15959.853990] kvaser_usb 4-3:1.0 can0: cannot find free context
      [15959.853991] kvaser_usb 4-3:1.0 can0: cannot find free context
      [15959.853993] kvaser_usb 4-3:1.0 can0: cannot find free context
      [15959.853994] kvaser_usb 4-3:1.0 can0: cannot find free context
      [15959.853995] kvaser_usb 4-3:1.0 can0: cannot find free context
      [....]
      
      _dragging the whole system down_ in the process due to the
      excessive logging output.
      
      Initially, this has caused random panics in the kernel due to a
      buggy error recovery path.  That got fixed in an earlier commit.(%)
      This patch aims at solving the root cause. -->
      
      16 tx URBs and contexts are allocated per CAN channel per USB
      device. Such URBs are protected by:
      
      a) A simple atomic counter, up to a value of MAX_TX_URBS (16)
      b) A flag in each URB context, stating if it's free
      c) The fact that ndo_start_xmit calls are themselves protected
         by the networking layers higher above
      
      After grabbing one of the tx URBs, if the driver notices that all
      of them are now taken, it stops the netif transmission queue.
      The queue is woken up again only when an acknowledgment is received
      from the firmware for one of our earlier-sent frames.
      
      Meanwhile, upon channel close (#), the driver sends a CMD_STOP_CHIP
      to the firmware, effectively closing all further communication.  In
      the high traffic case, the atomic counter remains at MAX_TX_URBS,
      and all the URB contexts remain marked as active.  While opening
      the channel again (@), it cannot send any further frames since no
      more free tx URB contexts are available.
      
      Reset all tx URB contexts upon CAN channel close.
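
The bookkeeping described above, and why it gets stuck, can be modelled in a few lines of userspace C. This is a simplified sketch under assumptions: the struct layout, the in_use flag and the function names are hypothetical, and a plain int stands in for the driver's atomic counter.

```c
#include <stdbool.h>

#define MAX_TX_URBS 16

/* Hypothetical model of one tx URB context. */
struct tx_context {
    bool in_use;
};

/* Hypothetical model of one CAN channel's transmit state. */
struct channel {
    int active_tx_urbs;                  /* an atomic counter in a driver */
    struct tx_context ctx[MAX_TX_URBS];
    bool queue_stopped;
};

/* Claim a free context; returns its index, or -1 if none is free. */
int claim_context(struct channel *ch)
{
    for (int i = 0; i < MAX_TX_URBS; i++) {
        if (!ch->ctx[i].in_use) {
            ch->ctx[i].in_use = true;
            if (++ch->active_tx_urbs >= MAX_TX_URBS)
                ch->queue_stopped = true;   /* models stopping the queue */
            return i;
        }
    }
    return -1;
}

/* Firmware acknowledged a frame: release its context, wake the queue. */
void ack_context(struct channel *ch, int idx)
{
    if (!ch->ctx[idx].in_use)
        return;
    ch->ctx[idx].in_use = false;
    ch->active_tx_urbs--;
    ch->queue_stopped = false;
}

/* Channel close: no further acknowledgments will arrive, so every
 * context is reset by hand instead of waiting for ack_context(). */
void reset_contexts(struct channel *ch)
{
    ch->active_tx_urbs = 0;
    for (int i = 0; i < MAX_TX_URBS; i++)
        ch->ctx[i].in_use = false;
}
```

Without the reset_contexts() step, a channel closed while all 16 contexts are claimed would come back up with claim_context() returning -1 on every attempt, which matches the "cannot find free context" flood shown earlier.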
      
      (*) 50 parallel instances of `cangen0 -g 0 -ix`
      (#) `ifconfig can0 down`
      (@) `ifconfig can0 up`
      (%) "can: kvaser_usb: Don't free packets when tight on URBs"
      Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: kvaser_usb: Don't free packets when tight on URBs · b442723f
      Ahmed S. Darwish authored
      Flooding the Kvaser CAN to USB dongle with multiple reads and
      writes in high frequency caused seemingly-random panics in the
      kernel.
      
      On further inspection, it seems the driver erroneously freed the
      to-be-transmitted packet upon getting tight on URBs and returning
      NETDEV_TX_BUSY, leading to invalid memory writes and double frees
      at a later point in time.
      
      Note:
      
      Finding no more URBs/transmit-contexts and returning NETDEV_TX_BUSY
      is a driver bug in and of itself: it means that our start/stop
      queue flow control is broken.
      
      This patch only fixes the (buggy) error handling code; the root
      cause shall be fixed in a later commit.
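
The ownership rule behind this fix can be shown with a small model: when a transmit routine reports "busy", the frame still belongs to the caller, which will retry it later, so the routine must not release it. The names below (struct frame, release_frame(), start_xmit(), TX_OK, TX_BUSY) are hypothetical, and a counter stands in for the actual free so that a double release is observable.

```c
/* Hypothetical result codes, modelled on NETDEV_TX_OK / NETDEV_TX_BUSY. */
enum tx_result { TX_OK, TX_BUSY };

/* Hypothetical frame; free_count records how often it was released. */
struct frame {
    int free_count;
};

/* Models releasing the frame's memory. */
void release_frame(struct frame *f)
{
    f->free_count++;
}

/* Transmit routine. On TX_BUSY the frame is left untouched because the
 * caller keeps ownership and will submit the same frame again. */
enum tx_result start_xmit(struct frame *f, int free_contexts)
{
    if (free_contexts == 0)
        return TX_BUSY;     /* do NOT release the frame here */

    release_frame(f);       /* frame consumed after a successful submit */
    return TX_OK;
}
```

Releasing the frame on the busy path as well would leave free_count at 2 after the retry, the userspace analogue of the double free described above.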
      Acked-by: Olivier Sobrie <olivier@sobrie.be>
      Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: c_can: use regmap_update_bits() to modify RAMINIT register · 47e3485a
      Roger Quadros authored
      Using regmap_read() and regmap_write() in c_can_hw_raminit_syscon()
      is not safe, as the RAMINIT register can be shared between different drivers,
      at least on TI SoCs.
      
      To make the modification atomic we switch to using regmap_update_bits().
      
      regmap_update_bits() skips writing to the register if its read content is the
      same as what is going to be written. This causes an issue for us when we
      need to clear the DONE bit with the initial condition START:0, DONE:1, as the
      DONE bit must be written with 1 to clear it.
      
      So we defer the clearing of DONE bit to later when we set the START bit.
      There we are sure that START bit is changed from 0 to 1 so the write of
      1 to already set DONE bit will happen.
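
The interaction between a skip-if-unchanged update and a write-1-to-clear bit can be reproduced with a simulated register. This is a userspace sketch under assumptions: the bit positions, struct sim_reg, hw_write() and update_bits() are hypothetical, and update_bits() models only the skip behaviour described in this commit message, not the regmap implementation.

```c
#include <stdint.h>

/* Hypothetical bit positions, for illustration only. */
#define RAMINIT_START (1u << 0)
#define RAMINIT_DONE  (1u << 8)

/* Simulated register: START is read/write, DONE is write-1-to-clear. */
struct sim_reg {
    uint32_t val;
    unsigned int writes;    /* number of writes that reached the hardware */
};

/* Models a raw register write with write-1-to-clear semantics on DONE. */
void hw_write(struct sim_reg *r, uint32_t v)
{
    uint32_t done = r->val & RAMINIT_DONE;

    if (v & RAMINIT_DONE)
        done = 0;                           /* writing 1 clears DONE */
    r->val = (v & RAMINIT_START) | done;
    r->writes++;
}

/* Models a read-modify-write helper that skips the write when the new
 * value equals the value just read. */
void update_bits(struct sim_reg *r, uint32_t mask, uint32_t val)
{
    uint32_t old = r->val;
    uint32_t next = (old & ~mask) | (val & mask);

    if (next != old)
        hw_write(r, next);
}
```

Starting from START:0, DONE:1, calling update_bits(&r, RAMINIT_DONE, RAMINIT_DONE) changes nothing because the computed value equals the value read, whereas update_bits(&r, RAMINIT_START | RAMINIT_DONE, RAMINIT_START | RAMINIT_DONE) differs in the START bit, so the write goes out and DONE is cleared along the way.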
      Signed-off-by: Roger Quadros <rogerq@ti.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: m_can: tag current CAN FD controllers as non-ISO · 6cfda7fb
      Oliver Hartkopp authored
      During the CAN FD standardization process within the ISO it turned out that
      the failure detection capability has to be improved.
      
      The CAN in Automation organization (CiA) defined the already implemented CAN
      FD controllers as 'non-ISO' and the upcoming improved CAN FD controllers as
      'ISO' compliant. See http://www.can-cia.com/index.php?id=1937
      
      Finally there will be three types of CAN FD controllers in the future:
      
      1. ISO compliant (fixed)
      2. non-ISO compliant (fixed, like the M_CAN IP v3.0.1 in m_can.c)
      3. ISO/non-ISO CAN FD controllers (switchable, like the PEAK USB FD)
      
      So the current M_CAN driver for the M_CAN IP v3.0.1 has to expose its non-ISO
      implementation by setting the CAN_CTRLMODE_FD_NON_ISO ctrlmode at startup.
      As this bit cannot be switched at configuration time CAN_CTRLMODE_FD_NON_ISO
      must not be set in ctrlmode_supported of the current M_CAN driver.
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • can: dev: fix crtlmode_supported check · 9b1087aa
      Oliver Hartkopp authored
      When changing flags in the CAN driver's ctrlmode, the provided new content has to
      be checked to see whether the bits are allowed to be changed. The bits that are to be
      changed are given as a bitfield in cm->mask. Therefore checking against
      cm->flags is wrong, as its content can hold any kind of values.
      
      The iproute2 tool sets the bits in cm->mask and cm->flags depending on the
      detected command line options. To be robust against bogus user space
      applications additionally sanitize the provided flags with the provided mask.
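
The check and the sanitizing step described above can be sketched as a standalone function. This is a model under assumptions rather than the kernel code: struct ctrlmode_req mirrors the mask/flags pair named in the text, while struct dev_priv and change_ctrlmode() are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>

/* Request from user space: which bits to change (mask) and to what (flags). */
struct ctrlmode_req {
    uint32_t mask;
    uint32_t flags;
};

/* Hypothetical device state. */
struct dev_priv {
    uint32_t ctrlmode;              /* currently active mode bits */
    uint32_t ctrlmode_supported;    /* bits the driver lets users change */
};

/* Apply a ctrlmode change. The permission check looks at cm->mask, the
 * bits that are to be changed, not at cm->flags. The flags are then
 * filtered through the mask so stray bits cannot leak into the state. */
int change_ctrlmode(struct dev_priv *priv, const struct ctrlmode_req *cm)
{
    if (cm->mask & ~priv->ctrlmode_supported)
        return -EOPNOTSUPP;

    priv->ctrlmode &= ~cm->mask;
    priv->ctrlmode |= cm->flags & cm->mask;
    return 0;
}
```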
      
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • MAINTAINERS: update linux-can git repositories · 870482a4
      Marc Kleine-Budde authored
      The linux-can upstream git repositories are now hosted on kernel.org, update
      MAINTAINERS accordingly.
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    • be2net: Allow GRE to work concurrently while a VxLAN tunnel is configured · 16dde0d6
      Sriharsha Basavapatna authored
      Other tunnels like GRE break while VxLAN offloads are enabled in Skyhawk-R. To
      avoid this, we should restrict offload features on a per-packet basis in such
      conditions.
      Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@emulex.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 14 Jan, 2015 4 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a6391a92
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Don't use uninitialized data in IPVS, from Dan Carpenter.
      
       2) conntrack race fixes from Pablo Neira Ayuso.
      
       3) Fix TX hangs with i40e, from Jesse Brandeburg.
      
       4) Fix budget return from poll calls in dnet and alx, from Eric
          Dumazet.
      
       5) Fix bogus "if (unlikely(x) < 0)" test in AF_PACKET, from Christoph
          Jaeger.
      
       6) Fix bug introduced by conversion to list_head in TIPC retransmit
          code, from Jon Paul Maloy.
      
       7) Don't use GFP_NOIO under spinlock in USB kaweth driver, from Alexey
          Khoroshilov.
      
       8) Fix bridge build with INET disabled, from Arnd Bergmann.
      
       9) Fix netlink array overrun for PROBE attributes in openvswitch, from
          Thomas Graf.
      
      10) Don't hold spinlock across synchronize_irq() in tg3 driver, from
          Prashant Sreedharan.
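
Item 5 in the list above refers to a test that can never be true. A short sketch shows why, assuming the usual definition of unlikely() on top of the GCC/Clang builtin __builtin_expect(); the function names check_bogus() and check_fixed() are hypothetical.

```c
/* Assumed definition: the double negation turns any value into 0 or 1
 * before the branch hint is applied. */
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Bogus form: unlikely(err) is 0 or 1, so comparing it with "< 0" is
 * always false and the error path is never taken. */
int check_bogus(int err)
{
    return unlikely(err) < 0;
}

/* Fixed form: the comparison sits inside the hint. */
int check_fixed(int err)
{
    return unlikely(err < 0);
}
```

Some compilers may warn that the comparison in check_bogus() is always false, which is precisely the defect being illustrated.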
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        tg3: Release tp->lock before invoking synchronize_irq()
        tg3: tg3_reset_task() needs to use rtnl_lock to synchronize
        tg3: tg3_timer() should grab tp->lock before checking for tp->irq_sync
        team: avoid possible underflow of count_pending value for notify_peers and mcast_rejoin
        openvswitch: packet messages need their own probe attribtue
        i40e: adds FCoE configure option
        cxgb4vf: Fix queue allocation for 40G adapter
        netdevice: Add missing parentheses in macro
        bridge: only provide proxy ARP when CONFIG_INET is enabled
        neighbour: fix base_reachable_time(_ms) not effective immediatly when changed
        net: fec: fix MDIO bus assignement for dual fec SoC's
        xen-netfront: use different locks for Rx and Tx stats
        drivers: net: cpsw: fix multicast flush in dual emac mode
        cxgb4vf: Initialize mdio_addr before using it
        net: Corrected the comment describing the ndo operations to reflect the actual prototype for couple of operations
        usb/kaweth: use GFP_ATOMIC under spin_lock in usb_start_wait_urb()
        MAINTAINERS: add me as ibmveth maintainer
        tipc: fix bug in broadcast retransmit code
        update ip-sysctl.txt documentation (v2)
        net/at91_ether: prepare and unprepare clock
        ...
    • Merge branch 'tg3-net' · c637dbce
      David S. Miller authored
      Prashant Sreedharan says:
      
      ====================
      tg3: synchronize_irq() should be called without taking locks
      
      v2: Added Reported-by, Tested-by fields and reference to the thread that
          reported the problem
      
      This series addresses the problem reported by Peter Hurley in mail thread
      https://lkml.org/lkml/2015/1/12/1082
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: Release tp->lock before invoking synchronize_irq() · 932f19de
      Prashant Sreedharan authored
      synchronize_irq() can sleep waiting for pending IRQ handlers, so the driver
      should release the tp->lock spin lock before invoking synchronize_irq().
      Reported-by: Peter Hurley <peter@hurleysoftware.com>
      Tested-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Prashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: Michael Chan <mchan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: tg3_reset_task() needs to use rtnl_lock to synchronize · db84bf43
      Prashant Sreedharan authored
      Currently tg3_reset_task() uses only tp->lock for synchronizing with code
      paths like tg3_open() etc. But since tp->lock is released before doing
      synchronize_irq(), rtnl_lock should be taken in tg3_reset_task() to
      synchronize it with other code paths.
      Reported-by: Peter Hurley <peter@hurleysoftware.com>
      Tested-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Prashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: Michael Chan <mchan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>