Vlad Yasevich [Fri, 16 May 2014 21:04:53 +0000 (17:04 -0400)]
net: Find the nesting level of a given device by type.
Multiple devices in the kernel can be stacked/nested and they
need to know their nesting level for the purposes of lockdep.
This patch provides a generic function that determines a nesting
level of a particular device by its type (ex: vlan, macvlan, etc).
We only care about nesting of the same type of devices.
For example:
eth0 <- vlan0.10 <- macvlan0 <- vlan1.20
The nesting level of vlan1.20 would be 1, since there is another vlan
in the stack under it.
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 16 May 2014 18:34:37 +0000 (11:34 -0700)]
net: gro: make sure skb->cb[] initial content has not to be zero
Starting from linux-3.13, GRO attempts to build full size skbs.
Problem is the commit assumed one particular field in skb->cb[]
was clean, but it is not the case on some stacked devices.
Timo reported a crash in case traffic is decrypted before
reaching a GRE device.
Fix this by initializing NAPI_GRO_CB(skb)->last at the right place,
this also removes one conditional.
Thanks a lot to Timo for providing full reports and bisecting this.
Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb")
Bisected-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Fri, 16 May 2014 05:34:39 +0000 (08:34 +0300)]
ipv4: ip_tunnels: disable cache for nbma gre tunnels
The connected check fails to check for ip_gre nbma mode tunnels
properly. ip_gre creates temporary tnl_params with daddr specified
to pass-in the actual target on per-packet basis from neighbor
layer. Detect these tunnels by inspecting the actual tunnel
configuration.
Minimal test case:
ip route add 192.168.1.1/32 via 10.0.0.1
ip route add 192.168.1.2/32 via 10.0.0.2
ip tunnel add nbma0 mode gre key 1 tos c0
ip addr add 172.17.0.0/16 dev nbma0
ip link set nbma0 up
ip neigh add 172.17.0.1 lladdr 192.168.1.1 dev nbma0
ip neigh add 172.17.0.2 lladdr 192.168.1.2 dev nbma0
ping 172.17.0.1
ping 172.17.0.2
The second ping should be going to 192.168.1.2 and head 10.0.0.2;
but cached gre tunnel level route is used and it's actually going
to 192.168.1.1 via 10.0.0.1.
The lladdr's need to go to separate dst for the bug to trigger.
Test case uses separate route entries, but this can also happen
when the route entry is same: if there is a nexthop exception or
the GRE tunnel is IPsec'ed in which case the dst points to xfrm
bundle unique to the gre lladdr.
Fixes: 7d442fab0a67 ("ipv4: Cache dst in tunnels")
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Cc: Tom Herbert <therbert@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fabian Godehardt [Fri, 16 May 2014 04:21:44 +0000 (06:21 +0200)]
net/dsa/dsa.c: increment chip_index during of_node handling on dsa_of_probe()
Adding more than one chip on device-tree currently causes the probing
routine to always use the first chips data pointer.
Signed-off-by: Fabian Godehardt <fg@emlix.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Thu, 15 May 2014 23:38:41 +0000 (16:38 -0700)]
net: ipv6: make "ip -6 route get mark xyz" work.
Currently, "ip -6 route get mark xyz" ignores the mark passed in
by userspace. Make it honour the mark, just like IPv4 does.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 16 May 2014 20:28:53 +0000 (16:28 -0400)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Include changes:
- fix NULL dereference in batadv_orig_hardif_seq_print_text()
- fix reference counting imbalance when using fragmentation
- avoid access to orig_node objects after they have been free'd
- fix local TT check for outgoing arp requests in DAT
David Vrabel [Fri, 16 May 2014 11:26:04 +0000 (12:26 +0100)]
xen-netback: fix race between napi_complete() and interrupt handler
When the NAPI budget was not all used, xenvif_poll() would call
napi_complete() /after/ enabling the interrupt. This resulted in a
race between the napi_complete() and the napi_schedule() in the
interrupt handler. The use of local_irq_save/restore() avoided by
race iff the handler is running on the same CPU but not if it was
running on a different CPU.
Fix this properly by calling napi_complete() before reenabling
interrupts (in the xenvif_napi_schedule_or_enable_irq() call).
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 16 May 2014 19:45:56 +0000 (15:45 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
pull request: wireless 2014-05-15
Please pull this batch of fixes for the 3.15 stream...
For the mac80211 bits, Johannes says:
"One fix is to get better VHT performance and the other fixes tracing
garbage or other potential issues with the interface name tracing."
And...
"This has a fix from Emmanuel for a problem I failed to fix - when
association is in progress then it needs to be cancelled while
suspending (I had fixed the same for authentication). Also included a
fix from myself for a userspace API problem that hit the iw tool and a
fix to the remain-on-channel framework."
For the iwlwifi bits, Emmanuel says:
"Alex fixes the scan by disabling the fragmented scan. David prevents
scan offload while associated, the firmware seems not to like it. I
fix a stupid bug I made in BT Coex, and fix a bad #ifdef clause in rate
scaling. Along with that there is a fix for a NULL pointer exception
that can happen if we load the driver and our ISR gets called because
the interrupt line is shared. The fix has been tested by the reporter."
And...
"We have here a fix from David Spinadel that makes a previous fix more
complete, and an off-by-one issue fixed by Eliad in the same area.
I fix the monitor that broke on the way."
Beyond that...
Daniel Kim's one-liner fixes a brcmfmac regression caused by a typo
in an earlier commit..
Rajkumar Manoharan fixes an ath9k oops reported by David Herrmann.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Nathaniel W Filardo [Thu, 15 May 2014 14:51:22 +0000 (15:51 +0100)]
af_rxrpc: Fix XDR length check in rxrpc key demarshalling.
There may be padding on the ticket contained in the key payload, so just ensure
that the claimed token length is large enough, rather than exactly the right
size.
Signed-off-by: Nathaniel Wesley Filardo <nwf@cs.jhu.edu>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Zhangfei Gao [Thu, 15 May 2014 05:35:34 +0000 (13:35 +0800)]
net: phy: resume phydev when going to RESUMING
With commit
be9dad1f9f26604fb ("net: phy: suspend phydev when going
to HALTED"), an unused PHY device will be put in a low-power mode
using BMCR_PDOWN. Some Ethernet drivers might be calling phy_start()
and phy_stop() from ndo_open and ndo_close() respectively, while
calling phy_connect() and phy_disconnect() from probe and remove.
In such a case, the PHY will be powered down during the phy_stop()
call, but will fail to be powered up in phy_start().
This patch fixes this scenario.
Signed-off-by: Jiancheng Xue <xuejiancheng@huawei.com>
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 16 May 2014 19:13:18 +0000 (15:13 -0400)]
Merge branch 'mlx4-net'
Or Gerlitz says:
====================
mlx4: Fix VF MAC address change under RoCE usage
This short series provides proper handling for the case where a
VF netdevice change their MAC address under a RoCE use case. The code
it deals with was introduced in 3.15-rc1
Prior to this series the source MAC used for the VM RoCE CM
packets remains as before the MAC modification. Hence RoCE CM
packets sent by the VF will not carry the same source MAC
address as the non-CM packets.
Earlier 3.15-rc commit
f24f790 "net/mlx4_core: Load the Eth driver
first" handled just one instance of the problem, but this one
provides a more generic and proper solution which covers all
cases of VF mac change.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Matan Barak [Thu, 15 May 2014 12:29:28 +0000 (15:29 +0300)]
IB/mlx4: Invoke UPDATE_QP for proxy QP1 on MAC changes
When we receive a netdev event indicating a netdev change and/or
a netdev address change, we must change the MAC index used by the
proxy QP1 (in the QP context), otherwise RoCE CM packets sent by the
VF will not carry the same source MAC address as the non-CM packets.
We use the UPDATE_QP command to perform this change.
In order to avoid modifying a QP context based on netdev event,
while the driver attempts to destroy this QP (e.g either the mlx4_ib
or ib_mad modules are unloaded), we use mutex locking in both flows.
Since the relevant mlx4 proxy GSI QP is created indirectly by the
mad module when they create their GSI QP, the mlx4 didn't need to
keep track on that QP prior to this change.
Now, when QP modifications are needed to this QP from within the
driver, we added refernece to it.
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matan Barak [Thu, 15 May 2014 12:29:27 +0000 (15:29 +0300)]
net/mlx4_core: Add UPDATE_QP SRIOV wrapper support
This patch adds UPDATE_QP SRIOV wrapper support.
The mechanism is a general one, but currently only source MAC
index changes are allowed for VFs.
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nikolay Aleksandrov [Thu, 15 May 2014 11:35:23 +0000 (13:35 +0200)]
bonding: fix out of range parameters for bond_intmax_tbl
I've missed to add a NULL entry to the bond_intmax_tbl when I introduced
it with the conversion of arp_interval so add it now.
CC: Jay Vosburgh <j.vosburgh@gmail.com>
CC: Veaceslav Falico <vfalico@gmail.com>
CC: Andy Gospodarek <andy@greyhouse.net>
Fixes: 7bdb04ed0dbf ("bonding: convert arp_interval to use the new option API")
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Veaceslav Falico <vfalico@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Zoltan Kiss [Thu, 15 May 2014 10:08:34 +0000 (11:08 +0100)]
xen-netback: Fix grant ref resolution in RX path
The original series for reintroducing grant mapping for netback had a patch [1]
to handle receiving of packets from an another VIF. Grant copy on the receiving
side needs the grant ref of the page to set up the op.
The original patch assumed (wrongly) that the frags array haven't changed. In
the case reported by Sander, the sending guest sent a packet where the linear
buffer and the first frag were under PKT_PROT_LEN (=128) bytes.
xenvif_tx_submit() then pulled up the linear area to 128 bytes, and ditched the
first frag. The receiving side had an off-by-one problem when gathered the grant
refs.
This patch fixes that by checking whether the actual frag's page pointer is the
same as the page in the original frag list. It can handle any kind of changes on
the original frags array, like:
- removing granted frags from the array at any point
- adding local pages to the frags list anywhere
- reordering the frags
It's optimized to the most common case, when there is 1:1 relation between the
frags and the list, plus works optimal when frags are removed from the end or
the beginning.
[1]: 3e2234: xen-netback: Handle foreign mapped pages on the guest RX path
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Duan Jiong [Thu, 15 May 2014 07:56:14 +0000 (15:56 +0800)]
ipv6: update Destination Cache entries when gateway turn into host
RFC 4861 states in 7.2.5:
The IsRouter flag in the cache entry MUST be set based on the
Router flag in the received advertisement. In those cases
where the IsRouter flag changes from TRUE to FALSE as a result
of this update, the node MUST remove that router from the
Default Router List and update the Destination Cache entries
for all destinations using that neighbor as a router as
specified in Section 7.3.3. This is needed to detect when a
node that is used as a router stops forwarding packets due to
being configured as a host.
Currently, when dealing with NA Message which IsRouter flag changes from
TRUE to FALSE, the kernel only removes router from the Default Router List,
and don't update the Destination Cache entries.
Now in order to update those Destination Cache entries, i introduce
function rt6_clean_tohost().
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 16 May 2014 03:23:48 +0000 (23:23 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/klassert/ipsec
Conflicts:
net/ipv4/ip_vti.c
Steffen Klassert says:
====================
pull request (net): ipsec 2014-05-15
This pull request has a merge conflict in net/ipv4/ip_vti.c
between commit
8d89dcdf80d8 ("vti: don't allow to add the same
tunnel twice") and commit
a32452366b72 ("vti4:Don't count header
length twice"). It can be solved like it is done in linux-next.
1) Fix a ipv6 xfrm output crash when a packet is rerouted
by netfilter to not use IPsec.
2) vti4 counts some header lengths twice leading to an incorrect
device mtu. Fix this by counting these headers only once.
3) We don't catch the case if an unsupported protocol is submitted
to the xfrm protocol handlers, this can lead to NULL pointer
dereferences. Fix this by adding the appropriate checks.
4) vti6 may unregister pernet ops twice on init errors.
Fix this by removing one of the calls to do it only once.
From Mathias Krause.
5) Set the vti tunnel mark before doing a lookup in the error
handlers. Otherwise we don't find the correct xfrm state.
====================
The conflict in ip_vti.c was simple, 'net' had a commit
removing a line from vti_tunnel_init() and this tree
being merged had a commit adding a line to the same
location.
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Wed, 14 May 2014 20:12:49 +0000 (13:12 -0700)]
net: phy: Don't call phy_resume if phy_init_hw failed
After the call to phy_init_hw failed in phy_attach_direct, phy_detach is called
to detach the phy device from its network device. If the attached driver is a
generic phy driver, this also detaches the driver. Subsequently phy_resume
is called, which assumes without checking that a driver is attached to the
device. This will result in a crash such as
Unable to handle kernel paging request for data at address 0xffffffffffffff90
Faulting instruction address: 0xc0000000003a0e18
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [
c0000000003a0e18] .phy_attach_direct+0x68/0x17c
LR [
c0000000003a0e6c] .phy_attach_direct+0xbc/0x17c
Call Trace:
[
c0000003fc0475d0] [
c0000000003a0e6c] .phy_attach_direct+0xbc/0x17c (unreliable)
[
c0000003fc047670] [
c0000000003a0ff8] .phy_connect_direct+0x28/0x98
[
c0000003fc047700] [
c0000000003f0074] .of_phy_connect+0x4c/0xa4
Only call phy_resume if phy_init_hw was successful.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 15 May 2014 20:46:54 +0000 (16:46 -0400)]
Merge branch 'altera_tse'
Vince Bridgers says:
====================
Altera TSE: Fix Sparse errors and misc issues
This is version 2 of a patch series to correct sparse errors, cppcheck
warnings, and workaound a multicast filtering issue in the Altera TSE
Ethernet driver. Multicast filtering is not working as expected, so if
present in the hardware will not be used and promiscuous mode enabled
instead. This workaround will be replaced with a working solution when
completely debugged, integrated and tested.
Version 2 is different from the first submission by breaking out the
workaround as a seperate patch and addressing a few structure instance
declarations by making them const per review comments.
If you find this patch acceptable, please consider this for inclusion into
the Altera TSE driver source code.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Vince Bridgers [Wed, 14 May 2014 19:38:37 +0000 (14:38 -0500)]
Altera TSE: Disable Multicast filtering to workaround problem
This patch disables multicast hash filtering if present in the hardware
and uses promiscuous mode instead until the problem with multicast
filtering has been debugged, integrated and tested.
Signed-off-by: Vince Bridgers <vbridgers2013@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vince Bridgers [Wed, 14 May 2014 19:38:36 +0000 (14:38 -0500)]
Altera TSE: Fix sparse errors and warnings
This patch fixes the many sparse errors and warnings contained in the
initial submission of the Altera Triple Speed Ethernet driver, and a
few minor cppcheck warnings. Changes are tested on ARM and NIOS2
example designs, and compile tested against multiple architectures.
Typical issues addressed were as follows:
altera_tse_ethtool.c:136:19: warning: incorrect type in argument
1 (different address spaces)
altera_tse_ethtool.c:136:19: expected void const volatile
[noderef] <asn:2>*addr
altera_tse_ethtool.c:136:19: got unsigned int *<noident>
...
altera_sgdma.c:129:31: warning: cast removes address space of
expression
Signed-off-by: Vince Bridgers <vbridgers2013@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Mon, 12 May 2014 22:11:20 +0000 (15:11 -0700)]
rtnetlink: wait for unregistering devices in rtnl_link_unregister()
From: Cong Wang <cwang@twopensource.com>
commit
50624c934db18ab90 (net: Delay default_device_exit_batch until no
devices are unregistering) introduced rtnl_lock_unregistering() for
default_device_exit_batch(). Same race could happen we when rmmod a driver
which calls rtnl_link_unregister() as we call dev->destructor without rtnl
lock.
For long term, I think we should clean up the mess of netdev_run_todo()
and net namespce exit code.
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Antonio Quartulli [Sat, 29 Mar 2014 16:27:38 +0000 (17:27 +0100)]
batman-adv: fix local TT check for outgoing arp requests in DAT
Change introduced by
88e48d7b3340ef07b108eb8a8b3813dd093cc7f7
("batman-adv: make DAT drop ARP requests targeting local clients")
implements a check that prevents DAT from using the caching
mechanism when the client that is supposed to provide a reply
to an arp request is local.
However change brought by
be1db4f6615b5e6156c807ea8985171c215c2d57
("batman-adv: make the Distributed ARP Table vlan aware")
has not converted the above check into its vlan aware version
thus making it useless when the local client is behind a vlan.
Fix the behaviour by properly specifying the vlan when
checking for a client being local or not.
Reported-by: Simon Wunderlich <simon@open-mesh.com>
Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Antonio Quartulli [Thu, 1 May 2014 23:35:13 +0000 (01:35 +0200)]
batman-adv: increase orig refcount when storing ref in gw_node
A pointer to the orig_node representing a bat-gateway is
stored in the gw_node->orig_node member, but the refcount
for such orig_node is never increased.
This leads to memory faults when gw_node->orig_node is accessed
and the originator has already been freed.
Fix this by increasing the refcount on gw_node creation
and decreasing it on gw_node free.
Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Antonio Quartulli [Wed, 23 Apr 2014 12:05:16 +0000 (14:05 +0200)]
batman-adv: fix reference counting imbalance while sending fragment
In the new fragmentation code the batadv_frag_send_packet()
function obtains a reference to the primary_if, but it does
not release it upon return.
This reference imbalance prevents the primary_if (and then
the related netdevice) to be properly released on shut down.
Fix this by releasing the primary_if in batadv_frag_send_packet().
Introduced by
ee75ed88879af88558818a5c6609d85f60ff0df4
("batman-adv: Fragment and send skbs larger than mtu")
Cc: Martin Hundebøll <martin@hundeboll.net>
Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Acked-by: Martin Hundebøll <martin@hundeboll.net>
Marek Lindner [Wed, 23 Apr 2014 19:44:25 +0000 (03:44 +0800)]
batman-adv: fix indirect hard_iface NULL dereference
If hard_iface is NULL and goto out is made batadv_hardif_free_ref()
doesn't check for NULL before dereferencing it to get to refcount.
Introduced in
cb1c92ec37fb70543d133a1fa7d9b54d6f8a1ecd
("batman-adv: add debugfs support to view multiif tables").
Reported-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Acked-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
John W. Linville [Thu, 15 May 2014 14:24:28 +0000 (10:24 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
Heiko Carstens [Wed, 14 May 2014 07:48:21 +0000 (09:48 +0200)]
net: filter: s390: fix JIT address randomization
This is the s390 variant of Alexei's JIT bug fix.
(patch description below stolen from Alexei's patch)
bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
then kernel will crash during bpf_jit_free():
kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
[<
ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
[<
ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
[<
ffffffff810378ff>] set_memory_rw+0x2f/0x40
[<
ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
[<
ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
[<
ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
[<
ffffffff8106c90c>] worker_thread+0x11c/0x370
since bpf_jit_free() does:
unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header->pages will pass junk to:
set_memory_rw(addr, header->pages);
Fix it by making sure that &header->image[prandom_u32() % hole] and &header
are in the same page.
Fixes: aa2d2c73c21f2 ("s390/bpf,jit: address randomize and write protect jit code")
Reported-by: Alexei Starovoitov <ast@plumgrid.com>
Cc: <stable@vger.kernel.org> # v3.11+
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajkumar Manoharan [Wed, 14 May 2014 09:09:21 +0000 (14:39 +0530)]
ath9k_htc: Stop ANI before doing hw_reset
During remain on channel request, ANI worker thread is not stopped
before doing hw reset. This is causing kernel crash in
hw_per_calibration. This change ensures that ANI is stopped before
doing chip reset and it will be rescheduled later when the chip is
configured back to home channel and having valid bss.
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Tested-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Wed, 14 May 2014 19:39:45 +0000 (15:39 -0400)]
Merge git://git./linux/kernel/git/jberg/mac80211
Ursula Braun [Tue, 13 May 2014 12:38:02 +0000 (14:38 +0200)]
af_iucv: wrong mapping of sent and confirmed skbs
When sending data through IUCV a MESSAGE COMPLETE interrupt
signals that sent data memory can be freed or reused again.
With commit
f9c41a62bba3f3f7ef3541b2a025e3371bcbba97
"af_iucv: fix recvmsg by replacing skb_pull() function" the
MESSAGE COMPLETE callback iucv_callback_txdone() identifies
the wrong skb as being confirmed, which leads to data corruption.
This patch fixes the skb mapping logic in iucv_callback_txdone().
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kalesh AP [Tue, 13 May 2014 08:33:11 +0000 (14:03 +0530)]
be2net: enable interrupts in EEH resume
On some BE3 FW versions, after a HW reset, interrupts will remain disabled
for each function. So, explicitly enable the interrupts in the eeh_resume
handler, else after an eeh recovery interrupts wouldn't work.
Signed-off-by: Kalesh AP <kalesh.purayil@emulex.com>
Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Neil Horman [Mon, 12 May 2014 14:38:18 +0000 (10:38 -0400)]
jme: Fix unmap loop counting error:
In my recent fix (
76a691d0a: fix dma unmap warning), Ben Hutchings noted that my
loop count was incorrect. Where j started at startidx, it should have started
at zero, and gone on for count entries, not to endidx. Additionally, a DMA
resource exhaustion should drop the frame and (for now), return
NETDEV_TX_OK, not NETEV_TX_BUSY. This patch fixes both of those issues:
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Ben Hutchings <ben@decadent.org.uk>
CC: "David S. Miller" <davem@davemloft.net>
CC: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johannes Berg [Wed, 14 May 2014 13:34:41 +0000 (15:34 +0200)]
mac80211: fix on-channel remain-on-channel
Jouni reported that if a remain-on-channel was active on the
same channel as the current operating channel, then the ROC
would start, but any frames transmitted using mgmt-tx on the
same channel would get delayed until after the ROC.
The reason for this is that the ROC starts, but doesn't have
any handling for "remain on the same channel", so it stops
the interface queues. The later mgmt-tx then puts the frame
on the interface queues (since it's on the current operating
channel) and thus they get delayed until after the ROC.
To fix this, add some logic to handle remaining on the same
channel specially and not stop the queues etc. in this case.
This not only fixes the bug but also improves behaviour in
this case as data frames etc. can continue to flow.
Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen <j@w1.fi>
Tested-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Hannes Frederic Sowa [Sun, 11 May 2014 21:01:13 +0000 (23:01 +0200)]
ipv6: fix calculation of option len in ip6_append_data
tot_len does specify the size of struct ipv6_txoptions. We need opt_flen +
opt_nflen to calculate the overall length of additional ipv6 extensions.
I found this while auditing the ipv6 output path for a memory corruption
reported by Alexey Preobrazhensky while he fuzzed an instrumented
AddressSanitizer kernel with trinity. This may or may not be the cause
of the original bug.
Fixes: 4df98e76cde7c6 ("ipv6: pmtudisc setting not respected with UFO/CORK")
Reported-by: Alexey Preobrazhensky <preobr@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hannes Frederic Sowa [Sun, 11 May 2014 20:59:30 +0000 (22:59 +0200)]
net: avoid dependency of net_get_random_once on nop patching
net_get_random_once depends on the static keys infrastructure to patch up
the branch to the slow path during boot. This was realized by abusing the
static keys api and defining a new initializer to not enable the call
site while still indicating that the branch point should get patched
up. This was needed to have the fast path considered likely by gcc.
The static key initialization during boot up normally walks through all
the registered keys and either patches in ideal nops or enables the jump
site but omitted that step on x86 if ideal nops where already placed at
static_key branch points. Thus net_get_random_once branches not always
became active.
This patch switches net_get_random_once to the ordinary static_key
api and thus places the kernel fast path in the - by gcc considered -
unlikely path. Microbenchmarks on Intel and AMD x86-64 showed that
the unlikely path actually beats the likely path in terms of cycle cost
and that different nop patterns did not make much difference, thus this
switch should not be noticeable.
Fixes: a48e42920ff38b ("net: introduce new macro net_get_random_once")
Reported-by: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexei Starovoitov [Tue, 13 May 2014 22:05:55 +0000 (15:05 -0700)]
net: filter: x86: fix JIT address randomization
bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
then kernel will crash during bpf_jit_free():
kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
[<
ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
[<
ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
[<
ffffffff810378ff>] set_memory_rw+0x2f/0x40
[<
ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
[<
ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
[<
ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
[<
ffffffff8106c90c>] worker_thread+0x11c/0x370
since bpf_jit_free() does:
unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header->pages will pass junk to:
set_memory_rw(addr, header->pages);
Fix it by making sure that &header->image[prandom_u32() % hole] and &header
are in the same page
Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Tue, 13 May 2014 18:52:34 +0000 (14:52 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
David S. Miller [Tue, 13 May 2014 16:53:36 +0000 (12:53 -0400)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Included changes:
- properly release neigh_ifinfo in batadv_iv_ogm_process_per_outif()
- properly release orig_ifinfo->router when freeing orig_ifinfo
- properly release neigh_node objects during periodic check
- properly release neigh_info objects when the related hard_iface
is free'd
These changes are all very important because they fix some
reference counting imbalances that lead to the
impossibility of releasing the netdev object used by
batman-adv on shutdown.
The consequence is that such object cannot be destroyed by
the networking stack (the refcounter does not reach zero)
thus bringing the system in hanging state during a normal
reboot operation or a network reconfiguration.
Duan Jiong [Fri, 9 May 2014 05:16:48 +0000 (13:16 +0800)]
neigh: set nud_state to NUD_INCOMPLETE when probing router reachability
Since commit
7e98056964("ipv6: router reachability probing"), a router falls
into NUD_FAILED will be probed.
Now if function rt6_select() selects a router which neighbour state is NUD_FAILED,
and at the same time function rt6_probe() changes the neighbour state to NUD_PROBE,
then function dst_neigh_output() can directly send packets, but actually the
neighbour still is unreachable. If we set nud_state to NUD_INCOMPLETE instead
NUD_PROBE, packets will not be sent out until the neihbour is reachable.
In addition, because the route should be probes with a single NS, so we must
set neigh->probes to neigh_max_probes(), then the neigh timer timeout and function
neigh_timer_handler() will not send other NS Messages.
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johannes Berg [Tue, 13 May 2014 13:45:55 +0000 (15:45 +0200)]
nl80211: fix NL80211_FEATURE_P2P_DEVICE_NEEDS_CHANNEL API
My commit removing that also removed it from the header file
which can break compilation of userspace that needed it, add
it back for API/ABI compatibility purposes (but no code to
implement anything for it.)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
David Spinadel [Tue, 13 May 2014 11:29:36 +0000 (14:29 +0300)]
iwlwifi: mvm: prevent sched scan while not idle
Prevent sched scan while not idle (including during association or in AP
mode) instead of while associated only.
This fixes my previous commit which was incomplete:
commit
bd5e4744a6ca64299b57a2682c720d00a475a734
Author: David Spinadel <david.spinadel@intel.com>
Date: Thu Apr 24 13:15:29 2014 +0300
iwlwifi: mvm: do no sched scan while associated
Currently the FW doesn't support sched scan while associated,
Prevent it.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Emmanuel Grumbach [Tue, 13 May 2014 09:54:09 +0000 (12:54 +0300)]
mac80211: fix suspend vs. association race
If the association is in progress while we suspend, the
stack will be in a messed up state. Clean it before we
suspend.
This patch completes Johannes's patch:
1a1cb744de160ee70086a77afff605bbc275d291
Author: Johannes Berg <johannes.berg@intel.com>
mac80211: fix suspend vs. authentication race
Cc: <stable@vger.kernel.org>
Fixes: 12e7f517029d ("mac80211: cleanup generic suspend/resume procedures")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Eliad Peller [Sun, 11 May 2014 16:59:43 +0000 (19:59 +0300)]
iwlwifi: mvm: fix off-by-one in scan channels configuration
tail should be equal to the last valid index, so
decrease it by one.
This error causes in "a gap" in some cases (as well as
some possible out-of-bound write), finally resulting in
ucode assertion.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Susant Sahani [Fri, 9 May 2014 18:41:32 +0000 (00:11 +0530)]
ip6_tunnel: fix potential NULL pointer dereference
The function ip6_tnl_validate assumes that the rtnl
attribute IFLA_IPTUN_PROTO always be filled . If this
attribute is not filled by the userspace application
kernel get crashed with NULL pointer dereference. This
patch fixes the potential kernel crash when
IFLA_IPTUN_PROTO is missing .
Signed-off-by: Susant Sahani <susant@redhat.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nikolay Aleksandrov [Fri, 9 May 2014 09:11:39 +0000 (11:11 +0200)]
sfc: fix calling of free_irq with already free vector
If the sfc driver is in legacy interrupt mode (either explicitly by
using interrupt_mode module param or by falling back to it) it will
hit a warning at kernel/irq/manage.c because it will try to free an irq
which wasn't allocated by it in the first place because the MSI(X) irqs are
zero and it'll try to free them unconditionally. So fix it by checking if
we're in legacy mode and freeing the appropriate irqs.
CC: Zenghui Shi <zshi@redhat.com>
CC: Ben Hutchings <ben@decadent.org.uk>
CC: <linux-net-drivers@solarflare.com>
CC: Shradha Shah <sshah@solarflare.com>
CC: David S. Miller <davem@davemloft.net>
Fixes: 1899c111a535 ("sfc: Fix IRQ cleanup in case of a probe failure")
Reported-by: Zenghui Shi <zshi@redhat.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Shradha Shah <sshah@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Peter Christensen [Thu, 8 May 2014 09:15:37 +0000 (11:15 +0200)]
macvlan: Don't propagate IFF_ALLMULTI changes on down interfaces.
Clearing the IFF_ALLMULTI flag on a down interface could cause an allmulti
overflow on the underlying interface.
Attempting the set IFF_ALLMULTI on the underlying interface would cause an
error and the log message:
"allmulti touches root, set allmulti failed."
Signed-off-by: Peter Christensen <pch@ordbogen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Kim [Fri, 9 May 2014 10:37:05 +0000 (12:37 +0200)]
brcmfmac: Fix iovar 'bw_cap' set command failure
Fix iovar 'bw_cap' set command failure introduced by
commit
ff3b0fba6f25555ef59c55d138a467d0f81d82d7
Author: Arend van Spriel <arend@broadcom.com>
Date: Sat Mar 15 12:00:57 2014 +0100
brcmfmac: fallback to mimo_bw_cap for older firmwares
This resulted in disabling 20MHz operation in the firmware.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Daniel Kim <dekim@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Mon, 12 May 2014 18:12:19 +0000 (14:12 -0400)]
Merge git://git./linux/kernel/git/jberg/mac80211
Steffen Klassert [Mon, 12 May 2014 07:09:26 +0000 (09:09 +0200)]
vti: Use the tunnel mark for lookup in the error handlers.
We need to use the mark we get from the tunnels o_key to
lookup the right vti state in the error handlers. This patch
ensures that.
Fixes: df3893c1 ("vti: Update the ipv4 side to use it's own receive hook.")
Fixes: fa9ad96d ("vti6: Update the ipv6 side to use its own receive hook.")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Mathias Krause [Fri, 9 May 2014 21:43:40 +0000 (23:43 +0200)]
vti6: Don't unregister pernet ops twice on init errors
If we fail to register one of the xfrm protocol handlers we will
unregister the pernet ops twice on the error exit path. This will
probably lead to a kernel panic as the double deregistration
leads to a double kfree().
Fix this by removing one of the calls to do it only once.
Fixes: fa9ad96d49 ("vti6: Update the ipv6 side to use its own...")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Randy Dunlap [Thu, 8 May 2014 21:54:42 +0000 (14:54 -0700)]
ptp: fix kconfig dependency warnings
Fix kconfig warnings:
PTP_1588_CLOCK selects NET_PTP_CLASSIFY, which depends on NET,
so PTP_1588_CLOCK should also depend on NET.
PTP_1588_CLOCK_PCH selects PTP_1588_CLOCK so the former should
depend on NET.
warning: (IXP4XX_ETH && PTP_1588_CLOCK) selects NET_PTP_CLASSIFY which has unmet direct dependencies (NET)
warning: (SFC && TILE_NET && BFIN_MAC_USE_HWSTAMP && TIGON3 && FEC && E1000E && IGB && IXGBE && I40E && MLX4_EN && SXGBE_ETH && STMMAC_ETH && TI_CPTS && PTP_1588_CLOCK_GIANFAR && PTP_1588_CLOCK_IXP46X && DP83640_PHY && PTP_1588_CLOCK_PCH) selects PTP_1588_CLOCK which has unmet direct dependencies (NET)
[This warning is caused by the new 'depends on NET' in PTP_1588_CLOCK.]
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Emmanuel Grumbach [Thu, 8 May 2014 06:48:10 +0000 (09:48 +0300)]
iwlwifi: mvm: fix setting channel in monitor mode
There was a deadlock in monitor mode when we were setting the
channel if the channel was not 1.
======================================================
[ INFO: possible circular locking dependency detected ]
3.14.3 #4 Not tainted
-------------------------------------------------------
iw/3323 is trying to acquire lock:
(&local->chanctx_mtx){+.+.+.}, at: [<
ffffffffa062e2f2>] ieee80211_vif_release_channel+0x42/0xb0 [mac80211]
but task is already holding lock:
(&local->iflist_mtx){+.+...}, at: [<
ffffffffa0609e0a>] ieee80211_set_monitor_channel+0x5a/0x1b0 [mac80211]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&local->iflist_mtx){+.+...}:
[<
ffffffff810d95bb>] __lock_acquire+0xb3b/0x13b0
[<
ffffffff810d9ee0>] lock_acquire+0xb0/0x1f0
[<
ffffffff817eb9c8>] mutex_lock_nested+0x78/0x4f0
[<
ffffffffa06225cf>] ieee80211_iterate_active_interfaces+0x2f/0x60 [mac80211]
[<
ffffffffa0518189>] iwl_mvm_recalc_multicast+0x49/0xa0 [iwlmvm]
[<
ffffffffa051822e>] iwl_mvm_configure_filter+0x4e/0x70 [iwlmvm]
[<
ffffffffa05e6d43>] ieee80211_configure_filter+0x153/0x5f0 [mac80211]
[<
ffffffffa05e71f5>] ieee80211_reconfig_filter+0x15/0x20 [mac80211]
[snip]
-> #1 (&mvm->mutex){+.+.+.}:
[<
ffffffff810d95bb>] __lock_acquire+0xb3b/0x13b0
[<
ffffffff810d9ee0>] lock_acquire+0xb0/0x1f0
[<
ffffffff817eb9c8>] mutex_lock_nested+0x78/0x4f0
[<
ffffffffa0517246>] iwl_mvm_add_chanctx+0x56/0xe0 [iwlmvm]
[<
ffffffffa062ca1e>] ieee80211_new_chanctx+0x13e/0x410 [mac80211]
[<
ffffffffa062d953>] ieee80211_vif_use_channel+0x1c3/0x5a0 [mac80211]
[<
ffffffffa06035ab>] ieee80211_add_virtual_monitor+0x1ab/0x6b0 [mac80211]
[<
ffffffffa06052ea>] ieee80211_do_open+0xe6a/0x15a0 [mac80211]
[<
ffffffffa0605a79>] ieee80211_open+0x59/0x60 [mac80211]
[snip]
-> #0 (&local->chanctx_mtx){+.+.+.}:
[<
ffffffff810d6cb7>] check_prevs_add+0x977/0x980
[<
ffffffff810d95bb>] __lock_acquire+0xb3b/0x13b0
[<
ffffffff810d9ee0>] lock_acquire+0xb0/0x1f0
[<
ffffffff817eb9c8>] mutex_lock_nested+0x78/0x4f0
[<
ffffffffa062e2f2>] ieee80211_vif_release_channel+0x42/0xb0 [mac80211]
[<
ffffffffa0609ec3>] ieee80211_set_monitor_channel+0x113/0x1b0 [mac80211]
[<
ffffffffa058fb37>] cfg80211_set_monitor_channel+0x77/0x2b0 [cfg80211]
[<
ffffffffa056e0b2>] __nl80211_set_channel+0x122/0x140 [cfg80211]
[<
ffffffffa0581374>] nl80211_set_wiphy+0x284/0xaf0 [cfg80211]
[snip]
other info that might help us debug this:
Chain exists of:
&local->chanctx_mtx --> &mvm->mutex --> &local->iflist_mtx
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&local->iflist_mtx);
lock(&mvm->mutex);
lock(&local->iflist_mtx);
lock(&local->chanctx_mtx);
*** DEADLOCK ***
This deadlock actually occurs:
INFO: task iw:3323 blocked for more than 120 seconds.
Not tainted 3.14.3 #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
iw D
ffff8800c8afcd80 4192 3323 3322 0x00000000
ffff880078fdb7e0 0000000000000046 ffff8800c8afcd80 ffff880078fdbfd8
00000000001d5540 00000000001d5540 ffff8801141b0000 ffff8800c8afcd80
ffff880078ff9e38 ffff880078ff9e38 ffff880078ff9e40 0000000000000246
Call Trace:
[<
ffffffff817ea841>] schedule_preempt_disabled+0x31/0x80
[<
ffffffff817ebaed>] mutex_lock_nested+0x19d/0x4f0
[<
ffffffffa06225cf>] ? ieee80211_iterate_active_interfaces+0x2f/0x60 [mac80211]
[<
ffffffffa06225cf>] ? ieee80211_iterate_active_interfaces+0x2f/0x60 [mac80211]
[<
ffffffffa052a680>] ? iwl_mvm_power_mac_update_mode+0xc0/0xc0 [iwlmvm]
[<
ffffffffa06225cf>] ieee80211_iterate_active_interfaces+0x2f/0x60 [mac80211]
[<
ffffffffa0529357>] _iwl_mvm_power_update_binding+0x27/0x80 [iwlmvm]
[<
ffffffffa0516eb1>] iwl_mvm_unassign_vif_chanctx+0x81/0xc0 [iwlmvm]
[<
ffffffffa062d3ff>] __ieee80211_vif_release_channel+0xdf/0x470 [mac80211]
[<
ffffffffa062e2fa>] ieee80211_vif_release_channel+0x4a/0xb0 [mac80211]
[<
ffffffffa0609ec3>] ieee80211_set_monitor_channel+0x113/0x1b0 [mac80211]
[<
ffffffffa058fb37>] cfg80211_set_monitor_channel+0x77/0x2b0 [cfg80211]
[<
ffffffffa056e0b2>] __nl80211_set_channel+0x122/0x140 [cfg80211]
[<
ffffffffa0581374>] nl80211_set_wiphy+0x284/0xaf0 [cfg80211]
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=75541
Cc: <stable@vger.kernel.org> [3.13+]
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Simon Wunderlich [Wed, 26 Mar 2014 14:46:24 +0000 (15:46 +0100)]
batman-adv: fix removing neigh_ifinfo
When an interface is removed separately, all neighbors need to be
checked if they have a neigh_ifinfo structure for that particular
interface. If that is the case, remove that ifinfo so any references to
a hard interface can be freed.
This is a regression introduced by
89652331c00f43574515059ecbf262d26d885717
("batman-adv: split tq information in neigh_node struct")
Reported-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Simon Wunderlich [Wed, 26 Mar 2014 14:46:23 +0000 (15:46 +0100)]
batman-adv: always run purge_orig_neighbors
The current code will not execute batadv_purge_orig_neighbors() when an
orig_ifinfo has already been purged. However we need to run it in any
case. Fix that.
This is a regression introduced by
7351a4822d42827ba0110677c0cbad88a3d52585
("batman-adv: split out router from orig_node")
Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Simon Wunderlich [Wed, 26 Mar 2014 14:46:22 +0000 (15:46 +0100)]
batman-adv: fix neigh reference imbalance
When an interface is removed from batman-adv, the orig_ifinfo of a
orig_node may be removed without releasing the router first.
This will prevent the reference for the neighbor pointed at by the
orig_ifinfo->router to be released, and this leak may result in
reference leaks for the interface used by this neighbor. Fix that.
This is a regression introduced by
7351a4822d42827ba0110677c0cbad88a3d52585
("batman-adv: split out router from orig_node").
Reported-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Simon Wunderlich [Wed, 26 Mar 2014 14:46:21 +0000 (15:46 +0100)]
batman-adv: fix neigh_ifinfo imbalance
The neigh_ifinfo object must be freed if it has been used in
batadv_iv_ogm_process_per_outif().
This is a regression introduced by
89652331c00f43574515059ecbf262d26d885717
("batman-adv: split tq information in neigh_node struct")
Reported-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
David S. Miller [Fri, 9 May 2014 20:46:53 +0000 (16:46 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
pull request: wireless 2014-05-08
This one is all from Johannes:
"Here are a few small fixes for the current cycle: radiotap TX flags were
wrong (fix by Bob), Chun-Yeow fixes an SMPS issue with mesh interfaces,
Eliad fixes a locking bug and a cfg80211 state problem and finally
Henning sent me a fix for IBSS rate information."
Please let me know if there are problems!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Emil Goode [Thu, 8 May 2014 23:07:17 +0000 (01:07 +0200)]
net: cassini: use nested lock annotation
In the cas_lock_tx function we acquire multiple locks in a loop and
need to use nested lock annotation to prevent lockdep warnings.
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Emil Goode <emilgoode@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yuval Mintz [Thu, 8 May 2014 09:34:31 +0000 (12:34 +0300)]
bnx2x: Fix UNDI driver unload
Commit
91ebb928b "bnx2x: Add support for Multi-Function UNDI" contains a bug
which prevent the emptying of the device's Rx buffers before reset.
As a result, on new boards it is likely HW will reach some fatal assertion
once its interfaces load after UNDI was previously loaded.
Signed-off-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: Ariel Elior <Ariel.Elior@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 9 May 2014 19:51:25 +0000 (15:51 -0400)]
Merge branch 'mdio_net'
Johan Hovold says:
====================
net: cpsw and mdio-gpio fixes for v3.15-final
These patches against v3.15-rc4 fix a few issues in the cpsw and
mdio-gpio drivers.
Resend with proper stable CC (git send-email still fails to parse the
Sorry about the noise.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Thu, 8 May 2014 08:09:24 +0000 (10:09 +0200)]
net: cpsw: add missing of_node_put
Add missing of_node_put to avoid kref leak.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Thu, 8 May 2014 08:09:23 +0000 (10:09 +0200)]
net: cpsw: fix null dereference at probe
Fix null-pointer dereference at probe when the mdio platform device is
missing (e.g. when it has been disabled in DT).
Cc: stable <stable@vger.kernel.org> # v3.8
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Thu, 8 May 2014 08:09:22 +0000 (10:09 +0200)]
Revert "net: eth: cpsw: Correctly attach to GPIO bitbang MDIO driver"
This reverts commit
f8d56d8f892be43a2404356073e16401eb5a42e6 ("net:
eth: cpsw: Correctly attach to GPIO bitbang MDIO driver").
Fix potential null-pointer dereference at probe if the mdio-gpio device
has not been successfully probed yet.
The offending commit is plain wrong for a number of reasons. First of
all it accesses internal driver data of an unrelated device. Neither
does it check that the data is non-null (which it is in case the device
has not been probed yet).
Furthermore, the decision on whether to treat any driver data according
to the mdio-gpio driver's internals is made based on the node name. But
the name is not compared against "mdio" which is the normal name for the
node, but rather against "gpio" which the node does not have to be named
(and shouldn't be according to the binding documentation). [ If this
hack is to be kept out-of-tree it should at least be matching against
the compatible property. ]
Cc: Stefan Roese <sr@denx.de>
Cc: stable <stable@vger.kernel.org> # v3.14
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Thu, 8 May 2014 08:09:21 +0000 (10:09 +0200)]
net: mdio-gpio: warn about missing bus alias id
Use a sane default bus id (rather than -ENODEV) and print a warning when
the bus alias id is missing.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johan Hovold [Thu, 8 May 2014 08:09:20 +0000 (10:09 +0200)]
net: mdio-gpio: fix device-tree binding documentation
Fix aliases syntax in device-tree binding example to avoid
copy-paste errors (the alias would be dropped silently).
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bjørn Mork [Fri, 9 May 2014 12:45:00 +0000 (14:45 +0200)]
net: cdc_mbim: handle unaccelerated VLAN tagged frames
This driver maps 802.1q VLANs to MBIM sessions. The mapping is based on
a bogus assumption that all tagged frames will use the acceleration API
because we enable NETIF_F_HW_VLAN_CTAG_TX. This fails for e.g. frames
tagged in userspace using packet sockets. Such frames will erroneously
be considered as untagged and silently dropped based on not being IP.
Fix by falling back to looking into the ethernet header for a tag if no
accelerated tag was found.
Fixes: a82c7ce5bc5b ("net: cdc_ncm: map MBIM IPS SessionID to VLAN ID")
Cc: Greg Suarez <gsuarez@smithmicro.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 9 May 2014 17:17:30 +0000 (13:17 -0400)]
Merge git://git./pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following batch contains netfilter fixes for your net tree, they are:
1) Fix use after free in nfnetlink when sending a batch for some
unsupported subsystem, from Denys Fedoryshchenko.
2) Skip autoload of the nat module if no binding is specified via
ctnetlink, from Florian Westphal.
3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
fragmentation needed in the forwarding path, also from Florian.
4) Fix potential user after free in ip6_route_me_harder() when returning
the error code to the upper layers, from Sergey Popovich.
5) Skip possible bogus ICMP time exceeded emitted from the router (not
valid according to RFC) if conntrack zones are used, from Vasily Averin.
6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
is not present, also from Vasily.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Eliad Peller [Wed, 26 Feb 2014 12:46:35 +0000 (14:46 +0200)]
mac80211: fix vif name tracing
If sdata doesn't have a valid dev (e.g. in case of monitor
vif), the vif_name field was initialized with (a length of)
some short string, but later was set to a different,
potentially larger one.
This resulted in out-of-bounds write, which usually
appeared as garbage in the trace log.
Simply trace sdata->name, as it should always have the
correct name for both cases.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Fri, 9 May 2014 07:56:53 +0000 (09:56 +0200)]
mac80211: allow VHT with peers not capable of 40MHz
There are two (related) issues with this.
One case, reported by Michal, is related to hostap: it unsets the
20/40 capability bit for stations that associate when it's in 20
MHz mode.
The other case, reported by Eyal, is that some APs like Netgear
R6300v2 and probably others based on the BCM4360 chipset can be
configured for doing VHT at 20Mhz. In this case the beacon has
a VHT IE but the HT cap indicates transmitter only support 20Mhz.
In both of these cases, we currently avoid VHT and use only HT
this means we can't use the highest rates (MCS8), so fixing this
leads to throughput improvements.
Reported-by: Michal Kazior <michal.kazior@tieto.com>
Reported-by: Eyal Shapira <eyal@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Darek Marcinkiewicz [Tue, 6 May 2014 20:24:50 +0000 (22:24 +0200)]
Driver for Beckhoff CX5020 EtherCAT master module.
This driver adds support for EtherCAT master module located on CCAT
FPGA found on Beckhoff CX series industrial PCs. The driver exposes
EtherCAT master as an ethernet interface.
EtherCAT is a fieldbus protocol defined on top of ethernet and Beckhoff
CX5020 PCs come with built-in EtherCAT master module located on a FPGA,
which in turn is connected to a PCI bus.
Signed-off-by: Dariusz Marcinkiewicz <reksio@newterm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Tue, 6 May 2014 18:02:50 +0000 (11:02 -0700)]
ping: move ping_group_range out of CONFIG_SYSCTL
Similarly, when CONFIG_SYSCTL is not set, ping_group_range should still
work, just that no one can change it. Therefore we should move it out of
sysctl_net_ipv4.c. And, it should not share the same seqlock with
ip_local_port_range.
BTW, rename it to ->ping_group_range instead.
Cc: David S. Miller <davem@davemloft.net>
Cc: Francois Romieu <romieu@fr.zoreil.com>
Reported-by: Stefan de Konink <stefan@konink.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang [Tue, 6 May 2014 18:02:49 +0000 (11:02 -0700)]
ipv4: move local_port_range out of CONFIG_SYSCTL
When CONFIG_SYSCTL is not set, ip_local_port_range should still work,
just that no one can change it. Therefore we should move it out of sysctl_inet.c.
Also, rename it to ->ip_local_ports instead.
Cc: David S. Miller <davem@davemloft.net>
Cc: Francois Romieu <romieu@fr.zoreil.com>
Reported-by: Stefan de Konink <stefan@konink.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Popovich [Thu, 8 May 2014 13:22:35 +0000 (16:22 +0300)]
netfilter: Fix potential use after free in ip6_route_me_harder()
Dst is released one line before we access it again with dst->error.
Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
John W. Linville [Thu, 8 May 2014 15:28:35 +0000 (11:28 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
John W. Linville [Thu, 8 May 2014 15:13:41 +0000 (11:13 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless into for-davem
Daniel Mack [Tue, 6 May 2014 16:52:16 +0000 (18:52 +0200)]
net: mdio: of_mdiobus_register(): fall back to mdiobus_register() for !CONFIG_OF
If CONFIG_OF is not set, make of_mdiobus_register() call
mdiobus_register() instead of returning -ENOSYS.
This way, we can just call of_mdiobus_register() from all DT-enabled
drivers to handle the compat cases.
Signed-off-by: Daniel Mack <zonque@gmail.com>
Suggested-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Popovich [Tue, 6 May 2014 15:23:08 +0000 (18:23 +0300)]
ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation
Increment fib_info_cnt in fib_create_info() right after successfuly
alllocating fib_info structure, overwise fib_metrics allocation failure
leads to fib_info_cnt incorrectly decremented in free_fib_info(), called
on error path from fib_create_info().
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 7 May 2014 20:53:28 +0000 (16:53 -0400)]
Merge branch 'qlcnic_net'
Rajesh Borundia says:
====================
qlcnic: Bug fixes.
This patch series contain following bug fixes.
* Fix panic where driver was accessing un-initialized crb_intr_mask
in non Multi-Tx queue mode while dumping TX queue.
* Do not set netdev->real_num_tx_queues directly from driver instead
use kernel defined netif_set_real_num_tx_queues() API. Also notify
stack about change in number of Rx queues.
Please apply this series to net.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Shahed Shaikh [Tue, 6 May 2014 07:46:49 +0000 (03:46 -0400)]
qlcnic: Set real_num_{tx|rx}_queues properly
Do not set netdev->real_num_tx_queues directly,
let netif_set_real_num_tx_queues() take care of it.
Do not overwrite netdev->num_tx_queues everytime when driver
changes its Tx ring size through ethtool -L and also notify
stack to update number of Rx queues.
Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Manish Chopra [Tue, 6 May 2014 07:46:48 +0000 (03:46 -0400)]
qlcnic: Fix panic while dumping TX queues on TX timeout
o In case of non-multi TX queue mode driver does not initialize "crb_intr_mask" pointer
and driver was accessing that un-initialized pointer while dumping TX queue.
So dump "crb_intr_mask" only when it is initilaized.
Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Emmanuel Grumbach [Sun, 13 Apr 2014 13:03:11 +0000 (16:03 +0300)]
iwlwifi: pcie: disable interrupts upon PCIe alloc
In case RFKILL is in KILL position, the NIC will issue an
interrupt straight away. This interrupt won't be sent
because it is masked in the hardware.
But if our interrupt service routine is called for another
reason (SHARED_IRQ), then we'll look at the interrupt cause
and service it. This can cause bad things if we are not
ready yet.
Explicitly clean the interrupt cause register to make sure
we won't service anything before we are ready to.
Cc: <stable@vger.kernel.org> [3.14]
Reported-and-tested-by: Alexander Monakov <amonakov@gmail.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Neil Horman [Mon, 5 May 2014 18:51:47 +0000 (14:51 -0400)]
jme: Fix DMA unmap warning
The jme driver forgot to check the return status from pci_map_page in its tx
path, causing a dma api warning on unmap. Easy fix, just do the check and
augment the tx path to tell the stack that the driver is busy so we re-queue the
frame.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Guo-Fu Tseng <cooldavid@cooldavid.org>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 7 May 2014 19:49:16 +0000 (15:49 -0400)]
Merge branch 'gso_forward'
Florian Westphal says:
====================
net: ip: push gso skb forwarding handling down the stack
Turns out doing the segmentation in forwarding was not a bright idea,
there are corner-cases where this has unintended side-effects.
This patch pushes the segmentation downwards.
After this, netif_skb_dev_features() function can be removed
again, it was only added to fetch the features of the output device,
we can just use skb->dev after the pushdown.
Tested with following setup:
host -> kvm_router -> kvm_host
mtu 1500 mtu1280
- 'host' has route to kvm_host with locked mtu of 1500
- gso/gro enabled on all interfaces
Did tests with all of following combinations:
- netfilter conntrack off and on on kvm_router
- virtio-net and e1000 driver on kvm_router
- tcp and udp bulk xmit from host to kvm_host
for tcp, I added TCPMSS mangling on kvm_host to make it lie about tcp mss.
Also added a dummy '-t mangle -A POSTROUTING -p udp -f'
rule to make sure no udp fragments are seen in the 'conntrack on'
and 'virtio-net' case.
Also checked (with ping -M do -s 1400)' that it still sends the wanted
icmp error message when size exceeds 1280.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Mon, 5 May 2014 13:00:44 +0000 (15:00 +0200)]
Revert "net: core: introduce netif_skb_dev_features"
This reverts commit
d206940319c41df4299db75ed56142177bb2e5f6,
there are no more callers.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Mon, 5 May 2014 13:00:43 +0000 (15:00 +0200)]
net: ip: push gso skb forwarding handling down the stack
Doing the segmentation in the forward path has one major drawback:
When using virtio, we may process gso udp packets coming
from host network stack. In that case, netfilter POSTROUTING
will see one packet with udp header followed by multiple ip
fragments.
Delay the segmentation and do it after POSTROUTING invocation
to avoid this.
Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Sun, 4 May 2014 22:03:34 +0000 (00:03 +0200)]
net: ipv6: send pkttoobig immediately if orig frag size > mtu
If conntrack defragments incoming ipv6 frags it stores largest original
frag size in ip6cb and sets ->local_df.
We must thus first test the largest original frag size vs. mtu, and not
vice versa.
Without this patch PKTTOOBIG is still generated in ip6_fragment() later
in the stack, but
1) IPSTATS_MIB_INTOOBIGERRORS won't increment
2) packet did (needlessly) traverse netfilter postrouting hook.
Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Sun, 4 May 2014 21:24:31 +0000 (23:24 +0200)]
net: ipv4: ip_forward: fix inverted local_df test
local_df means 'ignore DF bit if set', so if its set we're
allowed to perform ip fragmentation.
This wasn't noticed earlier because the output path also drops such skbs
(and emits needed icmp error) and because netfilter ip defrag did not
set local_df until couple of days ago.
Only difference is that DF-packets-larger-than MTU now discarded
earlier (f.e. we avoid pointless netfilter postrouting trip).
While at it, drop the repeated test ip_exceeds_mtu, checking it once
is enough...
Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bjørn Mork [Sat, 3 May 2014 14:12:47 +0000 (16:12 +0200)]
net: cdc_mbim: __vlan_find_dev_deep need rcu_read_lock
Fixes this warning introduced by commit
5b8f15f78e6f
("net: cdc_mbim: handle IPv6 Neigbor Solicitations"):
===============================
[ INFO: suspicious RCU usage. ]
3.15.0-rc3 #213 Tainted: G W O
-------------------------------
net/8021q/vlan_core.c:69 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 1
no locks held by ksoftirqd/0/3.
stack backtrace:
CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G W O 3.15.0-rc3 #213
Hardware name: LENOVO 2776LEG/2776LEG, BIOS 6EET55WW (3.15 ) 12/19/2011
0000000000000001 ffff880232533bf0 ffffffff813a5ee6 0000000000000006
ffff880232530090 ffff880232533c20 ffffffff81076b94 0000000000000081
0000000000000000 ffff8802085ac000 ffff88007fc8ea00 ffff880232533c50
Call Trace:
[<
ffffffff813a5ee6>] dump_stack+0x4e/0x68
[<
ffffffff81076b94>] lockdep_rcu_suspicious+0xfa/0x103
[<
ffffffff813978a6>] __vlan_find_dev_deep+0x54/0x94
[<
ffffffffa04a1938>] cdc_mbim_rx_fixup+0x379/0x66a [cdc_mbim]
[<
ffffffff813ab76f>] ? _raw_spin_unlock_irqrestore+0x3a/0x49
[<
ffffffff81079671>] ? trace_hardirqs_on_caller+0x192/0x1a1
[<
ffffffffa059bd10>] usbnet_bh+0x59/0x287 [usbnet]
[<
ffffffff8104067d>] tasklet_action+0xbb/0xcd
[<
ffffffff81040057>] __do_softirq+0x14c/0x30d
[<
ffffffff81040237>] run_ksoftirqd+0x1f/0x50
[<
ffffffff8105f13e>] smpboot_thread_fn+0x172/0x18e
[<
ffffffff8105efcc>] ? SyS_setgroups+0xdf/0xdf
[<
ffffffff810594b0>] kthread+0xb5/0xbd
[<
ffffffff813a84b1>] ? __wait_for_common+0x13b/0x170
[<
ffffffff810593fb>] ? __kthread_parkme+0x5c/0x5c
[<
ffffffff813b147c>] ret_from_fork+0x7c/0xb0
[<
ffffffff810593fb>] ? __kthread_parkme+0x5c/0x5c
Fixes: 5b8f15f78e6f ("net: cdc_mbim: handle IPv6 Neigbor Solicitations")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Spinadel [Thu, 24 Apr 2014 10:15:29 +0000 (13:15 +0300)]
iwlwifi: mvm: do no sched scan while associated
Currently the FW doesn't support sched scan while associated,
Prevent it.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
John W. Linville [Tue, 6 May 2014 18:05:51 +0000 (14:05 -0400)]
Merge git://git./linux/kernel/git/jberg/mac80211
Emmanuel Grumbach [Tue, 6 May 2014 17:35:10 +0000 (20:35 +0300)]
iwlwifi: mvm: rs - s/CPTCFG/CONFIG
My bad - I forgot to update this when sending the patch
upstream.
Fixes: 87d5e4155c00 ("iwlwifi: mvm: rs: reinit rs if no tx for a long time")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Emmanuel Grumbach [Sun, 13 Apr 2014 19:55:27 +0000 (22:55 +0300)]
iwlwifi: mvm: BT Coex - fix validity flags during init
The commit below introduced a bug in the validity bits in
init. Due to that, all the Coex mechanism stopped sending
kills to the BT side. Fix that.
Fixes: b9fae2d54c9f ("iwlwifi: mvm: BT Coex add support for Co-running block")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Steffen Klassert [Tue, 29 Apr 2014 06:23:03 +0000 (08:23 +0200)]
xfrm6: Properly handle unsupported protocols
We don't catch the case if an unsupported protocol is submitted
to the xfrm6 protocol handlers, this can lead to NULL pointer
dereferences. Fix this by adding the appropriate checks.
Fixes: 7e14ea15 ("xfrm6: Add IPsec protocol multiplexer")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Linus Torvalds [Mon, 5 May 2014 22:59:46 +0000 (15:59 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) e1000e computes header length incorrectly wrt vlans, fix from Vlad
Yasevich.
2) ns_capable() check in sock_diag netlink code, from Andrew
Lutomirski.
3) Fix invalid queue pairs handling in virtio_net, from Amos Kong.
4) Checksum offloading busted in sxgbe driver due to incorrect
descriptor layout, fix from Byungho An.
5) Fix build failure with SMC_DEBUG set to 2 or larger, from Zi Shen
Lim.
6) Fix uninitialized A and X registers in BPF interpreter, from Alexei
Starovoitov.
7) Fix arch dependencies of candence driver.
8) Fix netlink capabilities checking tree-wide, from Eric W Biederman.
9) Don't dump IFLA_VF_PORTS if netlink request didn't ask for it in
IFLA_EXT_MASK, from David Gibson.
10) IPV6 FIB dump restart doesn't handle table changes that happen
meanwhile, causing the code to loop forever or emit dups, fix from
Kumar Sandararajan.
11) Memory leak on VF removal in bnx2x, from Yuval Mintz.
12) Bug fixes for new Altera TSE driver from Vince Bridgers.
13) Fix route lookup key in SCTP, from Xugeng Zhang.
14) Use BH blocking spinlocks in SLIP, as per a similar fix to CAN/SLCAN
driver. From Oliver Hartkopp.
15) TCP doesn't bump retransmit counters in some code paths, fix from
Eric Dumazet.
16) Clamp delayed_ack in tcp_cubic to prevent theoretical divides by
zero. Fix from Liu Yu.
17) Fix locking imbalance in error paths of HHF packet scheduler, from
John Fastabend.
18) Properly reference the transport module when vsock_core_init() runs,
from Andy King.
19) Fix buffer overflow in cdc_ncm driver, from Bjørn Mork.
20) IP_ECN_decapsulate() doesn't see a correct SKB network header in
ip_tunnel_rcv(), fix from Ying Cai.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (132 commits)
net: macb: Fix race between HW and driver
net: macb: Remove 'unlikely' optimization
net: macb: Re-enable RX interrupt only when RX is done
net: macb: Clear interrupt flags
net: macb: Pass same size to DMA_UNMAP as used for DMA_MAP
ip_tunnel: Set network header properly for IP_ECN_decapsulate()
e1000e: Restrict MDIO Slow Mode workaround to relevant parts
e1000e: Fix issue with link flap on 82579
e1000e: Expand workaround for 10Mb HD throughput bug
e1000e: Workaround for dropped packets in Gig/100 speeds on 82579
net/mlx4_core: Don't issue PCIe speed/width checks for VFs
net/mlx4_core: Load the Eth driver first
net/mlx4_core: Fix slave id computation for single port VF
net/mlx4_core: Adjust port number in qp_attach wrapper when detaching
net: cdc_ncm: fix buffer overflow
Altera TSE: ALTERA_TSE should depend on HAS_DMA
vsock: Make transport the proto owner
net: sched: lock imbalance in hhf qdisc
net: mvmdio: Check for a valid interrupt instead of an error
net phy: Check for aneg completion before setting state to PHY_RUNNING
...
Linus Torvalds [Mon, 5 May 2014 22:51:17 +0000 (15:51 -0700)]
Merge tag 'usb-3.15-rc4' of git://git./linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some small fixes and device ids for 3.15-rc4.
All have been in linux-next just fine"
* tag 'usb-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
USB: Nokia 5300 should be treated as unusual dev
USB: Nokia 305 should be treated as unusual dev
fsl-usb: do not test for PHY_CLK_VALID bit on controller version 1.6
usb: storage: shuttle_usbat: fix discs being detected twice
usb: qcserial: add a number of Dell devices
USB: OHCI: fix problem with global suspend on ATI controllers
usb: gadget: at91-udc: fix irq and iomem resource retrieval
usb: phy: fsm: change "|" to "||" for condition OTG_STATE_A_WAIT_BCON at statemachine
usb: phy: fsm: update OTG HNP state transition
Linus Torvalds [Mon, 5 May 2014 22:50:16 +0000 (15:50 -0700)]
Merge tag 'tty-3.15-rc4' of git://git./linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some tty and serial driver fixes for things reported
recently"
* tag 'tty-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: Fix lockless tty buffer race
Revert "tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc"
drivers/tty/hvc: don't free hvc_console_setup after init
n_tty: Fix n_tty_write crash when echoing in raw mode
tty: serial: 8250_core.c Bug fix for Exar chips.
Linus Torvalds [Mon, 5 May 2014 22:49:38 +0000 (15:49 -0700)]
Merge tag 'staging-3.15-rc4' of git://git./linux/kernel/git/gregkh/staging
Pull staging / iio fixes from Greg KH:
"Here are some small IIO driver fixes for 3.15-rc4 that resolve some
reported issues"
* tag 'staging-3.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
iio: adc: Nothing in ADC should be a bool CONFIG
iio: exynos_adc: use indio_dev->dev structure to handle child nodes
iio:imu:mpu6050: Fixed segfault in Invensens MPU driver due to null dereference
staging:iio:ad2s1200 fix missing parenthesis in a for statment.
Linus Torvalds [Mon, 5 May 2014 22:36:59 +0000 (15:36 -0700)]
Merge tag 'xtensa-next-
20140503' of git://github.com/czankel/xtensa-linux
Pull Xtensa fixes from Chris Zankel:
- Fixes allmodconfig, allnoconfig builds
- Adds highmem support
- Enables build-time exception table sorting.
* tag 'xtensa-next-
20140503' of git://github.com/czankel/xtensa-linux:
xtensa: ISS: don't depend on CONFIG_TTY
xtensa: xt2000: drop redundant sysmem initialization
xtensa: add support for KC705
xtensa: xtfpga: introduce SoC I/O bus
xtensa: add HIGHMEM support
xtensa: optimize local_flush_tlb_kernel_range
xtensa: dump sysmem from the bootmem_init
xtensa: handle memmap kernel option
xtensa: keep sysmem banks ordered in mem_reserve
xtensa: keep sysmem banks ordered in add_sysmem_bank
xtensa: split bootparam and kernel meminfo
xtensa: enable sorting extable at build time
xtensa: export __{invalidate,flush}_dcache_range
xtensa: Export __invalidate_icache_range
Linus Torvalds [Mon, 5 May 2014 22:17:02 +0000 (15:17 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client
Pull Ceph fixes from Sage Weil:
"First, there is a critical fix for the new primary-affinity function
that went into -rc1.
The second batch of patches from Zheng fix a range of problems with
directory fragmentation, readdir, and a few odds and ends for cephfs"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
ceph: reserve caps for file layout/lock MDS requests
ceph: avoid releasing caps that are being used
ceph: clear directory's completeness when creating file
libceph: fix non-default values check in apply_primary_affinity()
ceph: use fpos_cmp() to compare dentry positions
ceph: check directory's completeness before emitting directory entry