* [ 00/22] 3.0.64-stable review
@ 2013-02-12 20:36 Greg Kroah-Hartman
2013-02-12 20:36 ` [ 01/22] rtlwifi: Fix the usage of the wrong variable in usb.c Greg Kroah-Hartman
` (23 more replies)
0 siblings, 24 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, torvalds, akpm, stable
This is the start of the stable review cycle for the 3.0.64 release.
There are 22 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Feb 14 20:31:38 UTC 2013.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.64-rc1.gz
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 3.0.64-rc1
Nithin Nayak Sujir <nsujir@broadcom.com>
tg3: Fix crc errors on jumbo frame receive
Nithin Nayak Sujir <nsujir@broadcom.com>
tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
bridge: Pull ip header into skb->data before looking into ip header.
Eric Dumazet <edumazet@google.com>
tcp: fix MSG_SENDPAGE_NOTLAST logic
Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
tcp: fix for zero packets_in_flight was too broad
Eric Dumazet <edumazet@google.com>
tcp: frto should not set snd_cwnd to 0
Daniel Borkmann <dborkman@redhat.com>
net: sctp: sctp_endpoint_free: zero out secret key data
Daniel Borkmann <dborkman@redhat.com>
net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
Neil Horman <nhorman@tuxdriver.com>
sctp: refactor sctp_outq_teardown to insure proper re-initalization
Heiko Carstens <heiko.carstens@de.ibm.com>
atm/iphase: rename fregt_t -> ffreg_t
Phil Sutter <phil.sutter@viprinet.com>
packet: fix leakage of tx_ring memory
Marcelo Ricardo Leitner <mleitner@redhat.com>
ipv6: do not create neighbor entries for local delivery
Cong Wang <amwang@redhat.com>
pktgen: correctly handle failures when adding a device
Eric Dumazet <edumazet@google.com>
net: loopback: fix a dst refcounting issue
Timo Teräs <timo.teras@iki.fi>
r8169: remove the obsolete and incorrect AMD workaround
Tilman Schmidt <tilman@imap.cc>
isdn/gigaset: fix zero size border case in debug dump
Stephen Hemminger <stephen.hemminger@vyatta.com>
MAINTAINERS: Stephen Hemminger email change
Cong Wang <xiyou.wangcong@gmail.com>
net: prevent setting ttl=0 via IP_TTL
Stanislaw Gruszka <sgruszka@redhat.com>
mac80211: synchronize scan off/on-channel and PS states
T Makphaibulchoke <tmac@hp.com>
kernel/resource.c: fix stack overflow in __reserve_region_with_split()
Sjur Brændeland <sjur.brandeland@stericsson.com>
virtio_console: Don't access uninitialized data.
Larry Finger <Larry.Finger@lwfinger.net>
rtlwifi: Fix the usage of the wrong variable in usb.c
-------------
Diffstat:
MAINTAINERS | 6 +-
Makefile | 4 +-
drivers/atm/iphase.h | 146 ++++++++++++++++++++--------------------
drivers/char/virtio_console.c | 3 +-
drivers/isdn/gigaset/capi.c | 2 +
drivers/net/loopback.c | 5 ++
drivers/net/r8169.c | 7 --
drivers/net/tg3.c | 58 ++++++++++------
drivers/net/wireless/rtlwifi/usb.c | 4 +-
fs/splice.c | 4 +-
kernel/resource.c | 50 ++++++++++----
net/bridge/br_netfilter.c | 3 +
net/core/pktgen.c | 9 ++-
net/ipv4/ip_sockglue.c | 2 +-
net/ipv4/tcp_input.c | 5 ++
net/ipv6/route.c | 3 +-
net/mac80211/ieee80211_i.h | 6 +-
net/mac80211/offchannel.c | 17 ++---
net/mac80211/scan.c | 6 +-
net/mac80211/work.c | 8 +--
net/packet/af_packet.c | 10 +--
net/sctp/endpointola.c | 5 ++
net/sctp/outqueue.c | 12 ++--
net/sctp/socket.c | 2 +-
24 files changed, 218 insertions(+), 159 deletions(-)
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 01/22] rtlwifi: Fix the usage of the wrong variable in usb.c
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 02/22] virtio_console: Dont access uninitialized data Greg Kroah-Hartman
` (22 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Larry Finger,
John W. Linville
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larry Finger <Larry.Finger@lwfinger.net>
commit 0a06ad8e3a1cb5311b7dbafde45410aa1bce9d40 upstream.
In routine _rtl_rx_pre_process(), skb_dequeue() is called to get an skb;
however, the wrong variable name is used in subsequent calls.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/rtlwifi/usb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -542,8 +542,8 @@ static void _rtl_rx_pre_process(struct i
WARN_ON(skb_queue_empty(&rx_queue));
while (!skb_queue_empty(&rx_queue)) {
_skb = skb_dequeue(&rx_queue);
- _rtl_usb_rx_process_agg(hw, skb);
- ieee80211_rx_irqsafe(hw, skb);
+ _rtl_usb_rx_process_agg(hw, _skb);
+ ieee80211_rx_irqsafe(hw, _skb);
}
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 02/22] virtio_console: Dont access uninitialized data.
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
2013-02-12 20:36 ` [ 01/22] rtlwifi: Fix the usage of the wrong variable in usb.c Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 03/22] kernel/resource.c: fix stack overflow in __reserve_region_with_split() Greg Kroah-Hartman
` (21 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sjur Brændeland, Rusty Russell
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sjur Brændeland <sjur.brandeland@stericsson.com>
commit aded024a12b32fc1ed9a80639681daae2d07ec25 upstream.
Don't access uninitialized work-queue when removing device.
The work queue is initialized only if the device multi-queue.
So don't call cancel_work unless this is a multi-queue device.
This fixes the following panic:
Kernel panic - not syncing: BUG!
Call Trace:
62031b28: [<6026085d>] panic+0x16b/0x2d3
62031b30: [<6004ef5e>] flush_work+0x0/0x1d7
62031b60: [<602606f2>] panic+0x0/0x2d3
62031b68: [<600333b0>] memcpy+0x0/0x140
62031b80: [<6002d58a>] unblock_signals+0x0/0x84
62031ba0: [<602609c5>] printk+0x0/0xa0
62031bd8: [<60264e51>] __mutex_unlock_slowpath+0x13d/0x148
62031c10: [<6004ef5e>] flush_work+0x0/0x1d7
62031c18: [<60050234>] try_to_grab_pending+0x0/0x17e
62031c38: [<6004e984>] get_work_gcwq+0x71/0x8f
62031c48: [<60050539>] __cancel_work_timer+0x5b/0x115
62031c78: [<628acc85>] unplug_port+0x0/0x191 [virtio_console]
62031c98: [<6005061c>] cancel_work_sync+0x12/0x14
62031ca8: [<628ace96>] virtcons_remove+0x80/0x15c [virtio_console]
62031ce8: [<628191de>] virtio_dev_remove+0x1e/0x7e [virtio]
62031d08: [<601cf242>] __device_release_driver+0x75/0xe4
62031d28: [<601cf2dd>] device_release_driver+0x2c/0x40
62031d48: [<601ce0dd>] driver_unbind+0x7d/0xc6
62031d88: [<601cd5d9>] drv_attr_store+0x27/0x29
62031d98: [<60115f61>] sysfs_write_file+0x100/0x14d
62031df8: [<600b737d>] vfs_write+0xcb/0x184
62031e08: [<600b58b8>] filp_close+0x88/0x94
62031e38: [<600b7686>] sys_write+0x59/0x88
62031e88: [<6001ced1>] handle_syscall+0x5d/0x80
62031ea8: [<60030a74>] userspace+0x405/0x531
62031f08: [<600d32cc>] sys_dup+0x0/0x5e
62031f28: [<601b11d6>] strcpy+0x0/0x18
62031f38: [<600be46c>] do_execve+0x10/0x12
62031f48: [<600184c7>] run_init_process+0x43/0x45
62031fd8: [<60019a91>] new_thread_handler+0xba/0xbc
Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/virtio_console.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1750,7 +1750,8 @@ static void virtcons_remove(struct virti
/* Disable interrupts for vqs */
vdev->config->reset(vdev);
/* Finish up work that's lined up */
- cancel_work_sync(&portdev->control_work);
+ if (use_multiport(portdev))
+ cancel_work_sync(&portdev->control_work);
list_for_each_entry_safe(port, port2, &portdev->ports, list)
unplug_port(port);
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 03/22] kernel/resource.c: fix stack overflow in __reserve_region_with_split()
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
2013-02-12 20:36 ` [ 01/22] rtlwifi: Fix the usage of the wrong variable in usb.c Greg Kroah-Hartman
2013-02-12 20:36 ` [ 02/22] virtio_console: Dont access uninitialized data Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 04/22] mac80211: synchronize scan off/on-channel and PS states Greg Kroah-Hartman
` (20 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, T Makphaibulchoke, Ram Pai,
Paul Gortmaker, Wei Yang, Andrew Morton, Linus Torvalds,
Jiri Slaby
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Makphaibulchoke <tmac@hp.com>
commit 4965f5667f36a95b41cda6638875bc992bd7d18b upstream.
Using a recursive call add a non-conflicting region in
__reserve_region_with_split() could result in a stack overflow in the case
that the recursive calls are too deep. Convert the recursive calls to an
iterative loop to avoid the problem.
Tested on a machine containing 135 regions. The kernel no longer panicked
with stack overflow.
Also tested with code arbitrarily adding regions with no conflict,
embedding two consecutive conflicts and embedding two non-consecutive
conflicts.
Signed-off-by: T Makphaibulchoke <tmac@hp.com>
Reviewed-by: Ram Pai <linuxram@us.ibm.com>
Cc: Paul Gortmaker <paul.gortmaker@gmail.com>
Cc: Wei Yang <weiyang@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/resource.c | 52 +++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 39 insertions(+), 13 deletions(-)
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -736,6 +736,7 @@ static void __init __reserve_region_with
struct resource *parent = root;
struct resource *conflict;
struct resource *res = kzalloc(sizeof(*res), GFP_ATOMIC);
+ struct resource *next_res = NULL;
if (!res)
return;
@@ -745,21 +746,46 @@ static void __init __reserve_region_with
res->end = end;
res->flags = IORESOURCE_BUSY;
- conflict = __request_resource(parent, res);
- if (!conflict)
- return;
-
- /* failed, split and try again */
- kfree(res);
+ while (1) {
- /* conflict covered whole area */
- if (conflict->start <= start && conflict->end >= end)
- return;
+ conflict = __request_resource(parent, res);
+ if (!conflict) {
+ if (!next_res)
+ break;
+ res = next_res;
+ next_res = NULL;
+ continue;
+ }
+
+ /* conflict covered whole area */
+ if (conflict->start <= res->start &&
+ conflict->end >= res->end) {
+ kfree(res);
+ WARN_ON(next_res);
+ break;
+ }
+
+ /* failed, split and try again */
+ if (conflict->start > res->start) {
+ end = res->end;
+ res->end = conflict->start - 1;
+ if (conflict->end < end) {
+ next_res = kzalloc(sizeof(*next_res),
+ GFP_ATOMIC);
+ if (!next_res) {
+ kfree(res);
+ break;
+ }
+ next_res->name = name;
+ next_res->start = conflict->end + 1;
+ next_res->end = end;
+ next_res->flags = IORESOURCE_BUSY;
+ }
+ } else {
+ res->start = conflict->end + 1;
+ }
+ }
- if (conflict->start > start)
- __reserve_region_with_split(root, start, conflict->start-1, name);
- if (conflict->end < end)
- __reserve_region_with_split(root, conflict->end+1, end, name);
}
void __init reserve_region_with_split(struct resource *root,
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 04/22] mac80211: synchronize scan off/on-channel and PS states
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (2 preceding siblings ...)
2013-02-12 20:36 ` [ 03/22] kernel/resource.c: fix stack overflow in __reserve_region_with_split() Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 05/22] net: prevent setting ttl=0 via IP_TTL Greg Kroah-Hartman
` (19 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka, Seth Forshee,
Johannes Berg, CAI Qian
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit aacde9ee45225f7e0b90960f479aef83c66bfdc0 upstream.
Since:
commit b23b025fe246f3acc2988eb6d400df34c27cb8ae
Author: Ben Greear <greearb@candelatech.com>
Date: Fri Feb 4 11:54:17 2011 -0800
mac80211: Optimize scans on current operating channel.
we do not disable PS while going back to operational channel (on
ieee80211_scan_state_suspend) and deffer that until scan finish.
But since we are allowed to send frames, we can send a frame to AP
without PM bit set, so disable PS on AP side. Then when we switch
to off-channel (in ieee80211_scan_state_resume) we do not enable PS.
Hence we are off-channel with PS disabled, frames are not buffered
by AP.
To fix remove offchannel_ps_disable argument and always enable PS when
going off-channel and disable it when going on-channel, like it was
before.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Tested-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/ieee80211_i.h | 6 ++----
net/mac80211/offchannel.c | 17 ++++++-----------
net/mac80211/scan.c | 6 +++---
net/mac80211/work.c | 8 +++-----
4 files changed, 14 insertions(+), 23 deletions(-)
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1169,11 +1169,9 @@ void ieee80211_sched_scan_stopped_work(s
bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local);
void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
bool tell_ap);
-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
- bool offchannel_ps_enable);
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local);
void ieee80211_offchannel_return(struct ieee80211_local *local,
- bool enable_beaconing,
- bool offchannel_ps_disable);
+ bool enable_beaconing);
void ieee80211_hw_roc_setup(struct ieee80211_local *local);
/* interface handling */
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -102,8 +102,7 @@ static void ieee80211_offchannel_ps_disa
ieee80211_sta_reset_conn_monitor(sdata);
}
-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
- bool offchannel_ps_enable)
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local)
{
struct ieee80211_sub_if_data *sdata;
@@ -128,8 +127,7 @@ void ieee80211_offchannel_stop_vifs(stru
if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
netif_tx_stop_all_queues(sdata->dev);
- if (offchannel_ps_enable &&
- (sdata->vif.type == NL80211_IFTYPE_STATION) &&
+ if (sdata->vif.type == NL80211_IFTYPE_STATION &&
sdata->u.mgd.associated)
ieee80211_offchannel_ps_enable(sdata, true);
}
@@ -155,8 +153,7 @@ void ieee80211_offchannel_enable_all_ps(
}
void ieee80211_offchannel_return(struct ieee80211_local *local,
- bool enable_beaconing,
- bool offchannel_ps_disable)
+ bool enable_beaconing)
{
struct ieee80211_sub_if_data *sdata;
@@ -166,11 +163,9 @@ void ieee80211_offchannel_return(struct
continue;
/* Tell AP we're back */
- if (offchannel_ps_disable &&
- sdata->vif.type == NL80211_IFTYPE_STATION) {
- if (sdata->u.mgd.associated)
- ieee80211_offchannel_ps_disable(sdata);
- }
+ if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+ sdata->u.mgd.associated)
+ ieee80211_offchannel_ps_disable(sdata);
if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
clear_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -314,7 +314,7 @@ static void __ieee80211_scan_completed(s
if (on_oper_chan2 && (on_oper_chan != on_oper_chan2))
enable_beacons = true;
- ieee80211_offchannel_return(local, enable_beacons, true);
+ ieee80211_offchannel_return(local, enable_beacons);
}
ieee80211_recalc_idle(local);
@@ -563,7 +563,7 @@ static void ieee80211_scan_state_leave_o
/* PS will already be in off-channel mode,
* we do that once at the beginning of scanning.
*/
- ieee80211_offchannel_stop_vifs(local, false);
+ ieee80211_offchannel_stop_vifs(local);
/*
* What if the nullfunc frames didn't arrive?
@@ -594,7 +594,7 @@ static void ieee80211_scan_state_enter_o
* in off-channel state..will put that back
* on-channel at the end of scanning.
*/
- ieee80211_offchannel_return(local, true, false);
+ ieee80211_offchannel_return(local, true);
*next_delay = HZ / 5;
local->next_scan_state = SCAN_DECISION;
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -973,16 +973,14 @@ static void ieee80211_work_work(struct w
if (on_oper_chan != on_oper_chan2) {
if (on_oper_chan2) {
/* going off oper channel, PS too */
- ieee80211_offchannel_stop_vifs(local,
- true);
+ ieee80211_offchannel_stop_vifs(local);
ieee80211_hw_config(local, 0);
} else {
/* going on channel, but leave PS
* off-channel. */
ieee80211_hw_config(local, 0);
ieee80211_offchannel_return(local,
- true,
- false);
+ true);
}
} else if (tmp_chan_changed)
/* Still off-channel, but on some other
@@ -1085,7 +1083,7 @@ static void ieee80211_work_work(struct w
* beaconing if we were already on-oper-channel
* as a future optimization.
*/
- ieee80211_offchannel_return(local, true, true);
+ ieee80211_offchannel_return(local, true);
/* give connection some time to breathe */
run_again(local, jiffies + HZ/2);
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 05/22] net: prevent setting ttl=0 via IP_TTL
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (3 preceding siblings ...)
2013-02-12 20:36 ` [ 04/22] mac80211: synchronize scan off/on-channel and PS states Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 06/22] MAINTAINERS: Stephen Hemminger email change Greg Kroah-Hartman
` (18 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, nitin padalia, Eric Dumazet,
David S. Miller, Cong Wang, Eric Dumazet
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit c9be4a5c49cf51cc70a993f004c5bb30067a65ce ]
A regression is introduced by the following commit:
commit 4d52cfbef6266092d535237ba5a4b981458ab171
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue Jun 2 00:42:16 2009 -0700
net: ipv4/ip_sockglue.c cleanups
Pure cleanups
but it is not a pure cleanup...
- if (val != -1 && (val < 1 || val>255))
+ if (val != -1 && (val < 0 || val > 255))
Since there is no reason provided to allow ttl=0, change it back.
Reported-by: nitin padalia <padalia.nitin@gmail.com>
Cc: nitin padalia <padalia.nitin@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_sockglue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -599,7 +599,7 @@ static int do_ip_setsockopt(struct sock
case IP_TTL:
if (optlen < 1)
goto e_inval;
- if (val != -1 && (val < 0 || val > 255))
+ if (val != -1 && (val < 1 || val > 255))
goto e_inval;
inet->uc_ttl = val;
break;
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 06/22] MAINTAINERS: Stephen Hemminger email change
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (4 preceding siblings ...)
2013-02-12 20:36 ` [ 05/22] net: prevent setting ttl=0 via IP_TTL Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 07/22] isdn/gigaset: fix zero size border case in debug dump Greg Kroah-Hartman
` (17 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephen Hemminger, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen.hemminger@vyatta.com>
[ Upstream commit adbbf69d1a54abf424e91875746a610dcc80017d ]
I changed my email because the vyatta.com mail server is now
redirected to brocade.com; and the Brocade mail system
is not friendly to Linux desktop users.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
MAINTAINERS | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2491,7 +2491,7 @@ S: Maintained
F: drivers/net/eexpress.*
ETHERNET BRIDGE
-M: Stephen Hemminger <shemminger@linux-foundation.org>
+M: Stephen Hemminger <stephen@networkplumber.org>
L: bridge@lists.linux-foundation.org
L: netdev@vger.kernel.org
W: http://www.linuxfoundation.org/en/Net:Bridge
@@ -4327,7 +4327,7 @@ S: Supported
F: drivers/infiniband/hw/nes/
NETEM NETWORK EMULATOR
-M: Stephen Hemminger <shemminger@linux-foundation.org>
+M: Stephen Hemminger <stephen@networkplumber.org>
L: netem@lists.linux-foundation.org
S: Maintained
F: net/sched/sch_netem.c
@@ -5779,7 +5779,7 @@ S: Maintained
F: drivers/usb/misc/sisusbvga/
SKGE, SKY2 10/100/1000 GIGABIT ETHERNET DRIVERS
-M: Stephen Hemminger <shemminger@linux-foundation.org>
+M: Stephen Hemminger <stephen@networkplumber.org>
L: netdev@vger.kernel.org
S: Maintained
F: drivers/net/skge.*
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 07/22] isdn/gigaset: fix zero size border case in debug dump
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (5 preceding siblings ...)
2013-02-12 20:36 ` [ 06/22] MAINTAINERS: Stephen Hemminger email change Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 08/22] r8169: remove the obsolete and incorrect AMD workaround Greg Kroah-Hartman
` (16 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Tilman Schmidt,
David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tilman Schmidt <tilman@imap.cc>
[ Upstream commit d721a1752ba544df8d7d36959038b26bc92bdf80 ]
If subtracting 12 from l leaves zero we'd do a zero size allocation,
leading to an oops later when we try to set the NUL terminator.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/gigaset/capi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -263,6 +263,8 @@ static inline void dump_rawmsg(enum debu
CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
CAPIMSG_CONTROL(data));
l -= 12;
+ if (l <= 0)
+ return;
dbgline = kmalloc(3*l, GFP_ATOMIC);
if (!dbgline)
return;
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 08/22] r8169: remove the obsolete and incorrect AMD workaround
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (6 preceding siblings ...)
2013-02-12 20:36 ` [ 07/22] isdn/gigaset: fix zero size border case in debug dump Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 09/22] net: loopback: fix a dst refcounting issue Greg Kroah-Hartman
` (15 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Timo Ter�s, Francois Romieu,
David S. Miller
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1982 bytes --]
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
[ Upstream commit 5d0feaff230c0abfe4a112e6f09f096ed99e0b2d ]
This was introduced in commit 6dccd16 "r8169: merge with version
6.001.00 of Realtek's r8169 driver". I did not find the version
6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
this hunk is no longer present.
Also commit 05af214 "r8169: fix Ethernet Hangup for RTL8110SC
rev d" claims to have fixed this issue otherwise.
The magic compare mask of 0xfffe000 is dubious as it masks
parts of the Reserved part, and parts of the VLAN tag. But this
does not make much sense as the VLAN tag parts are perfectly
valid there. In matter of fact this seems to be triggered with
any VLAN tagged packet as RxVlanTag bit is matched. I would
suspect 0xfffe0000 was intended to test reserved part only.
Finally, this hunk is evil as it can cause more packets to be
handled than what was NAPI quota causing net/core/dev.c:
net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
mess up the NAPI state causing device to hang.
As result, any system using VLANs and having high receive
traffic (so that NAPI poll budget limits rtl_rx) would result
in device hang.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/r8169.c | 7 -------
1 file changed, 7 deletions(-)
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -5203,13 +5203,6 @@ static int rtl8169_rx_interrupt(struct n
dev->stats.rx_bytes += pkt_size;
dev->stats.rx_packets++;
}
-
- /* Work around for AMD plateform. */
- if ((desc->opts2 & cpu_to_le32(0xfffe000)) &&
- (tp->mac_version == RTL_GIGA_MAC_VER_05)) {
- desc->opts2 = 0;
- cur_rx++;
- }
}
count = cur_rx - tp->cur_rx;
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 09/22] net: loopback: fix a dst refcounting issue
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (7 preceding siblings ...)
2013-02-12 20:36 ` [ 08/22] r8169: remove the obsolete and incorrect AMD workaround Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 10/22] pktgen: correctly handle failures when adding a device Greg Kroah-Hartman
` (14 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ben Greear, Eric Dumazet, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 794ed393b707f01858f5ebe2ae5eabaf89d00022 ]
Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.
We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst->input() and got garbage for dst->input value.
It appears the bug is in loopback driver, lacking
a skb_dst_force() before calling netif_rx().
As a result, a non refcounted dst, normally protected by a
RCU read_lock section, was escaping this section and could
be freed before the packet being processed.
[<ffffffff813a3c4d>] loopback_xmit+0x64/0x83
[<ffffffff81477364>] dev_hard_start_xmit+0x26c/0x35e
[<ffffffff8147771a>] dev_queue_xmit+0x2c4/0x37c
[<ffffffff81477456>] ? dev_hard_start_xmit+0x35e/0x35e
[<ffffffff8148cfa6>] ? eth_header+0x28/0xb6
[<ffffffff81480f09>] neigh_resolve_output+0x176/0x1a7
[<ffffffff814ad835>] ip_finish_output2+0x297/0x30d
[<ffffffff814ad6d5>] ? ip_finish_output2+0x137/0x30d
[<ffffffff814ad90e>] ip_finish_output+0x63/0x68
[<ffffffff814ae412>] ip_output+0x61/0x67
[<ffffffff814ab904>] dst_output+0x17/0x1b
[<ffffffff814adb6d>] ip_local_out+0x1e/0x23
[<ffffffff814ae1c4>] ip_queue_xmit+0x315/0x353
[<ffffffff814adeaf>] ? ip_send_unicast_reply+0x2cc/0x2cc
[<ffffffff814c018f>] tcp_transmit_skb+0x7ca/0x80b
[<ffffffff814c3571>] tcp_connect+0x53c/0x587
[<ffffffff810c2f0c>] ? getnstimeofday+0x44/0x7d
[<ffffffff810c2f56>] ? ktime_get_real+0x11/0x3e
[<ffffffff814c6f9b>] tcp_v4_connect+0x3c2/0x431
[<ffffffff814d6913>] __inet_stream_connect+0x84/0x287
[<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
[<ffffffff8108d695>] ? _local_bh_enable_ip+0x84/0x9f
[<ffffffff8108d6c8>] ? local_bh_enable+0xd/0x11
[<ffffffff8146763c>] ? lock_sock_nested+0x6e/0x79
[<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
[<ffffffff814d6b49>] inet_stream_connect+0x33/0x49
[<ffffffff814632c6>] sys_connect+0x75/0x98
This bug was introduced in linux-2.6.35, in commit
7fee226ad2397b (net: add a noref bit on skb dst)
skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/loopback.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/net/loopback.c
+++ b/drivers/net/loopback.c
@@ -78,6 +78,11 @@ static netdev_tx_t loopback_xmit(struct
skb_orphan(skb);
+ /* Before queueing this packet to netif_rx(),
+ * make sure dst is refcounted.
+ */
+ skb_dst_force(skb);
+
skb->protocol = eth_type_trans(skb, dev);
/* it's OK to use per_cpu_ptr() because BHs are off */
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 10/22] pktgen: correctly handle failures when adding a device
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (8 preceding siblings ...)
2013-02-12 20:36 ` [ 09/22] net: loopback: fix a dst refcounting issue Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 11/22] ipv6: do not create neighbor entries for local delivery Greg Kroah-Hartman
` (13 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Cong Wang
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <amwang@redhat.com>
[ Upstream commit 604dfd6efc9b79bce432f2394791708d8e8f6efc ]
The return value of pktgen_add_device() is not checked, so
even if we fail to add some device, for example, non-exist one,
we still see "OK:...". This patch fixes it.
After this patch, I got:
# echo "add_device non-exist" > /proc/net/pktgen/kpktgend_0
-bash: echo: write error: No such device
# cat /proc/net/pktgen/kpktgend_0
Running:
Stopped:
Result: ERROR: can not add device non-exist
# echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
# cat /proc/net/pktgen/kpktgend_0
Running:
Stopped: eth0
Result: OK: add_device=eth0
(Candidate for -stable)
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/pktgen.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1803,10 +1803,13 @@ static ssize_t pktgen_thread_write(struc
return -EFAULT;
i += len;
mutex_lock(&pktgen_thread_lock);
- pktgen_add_device(t, f);
+ ret = pktgen_add_device(t, f);
mutex_unlock(&pktgen_thread_lock);
- ret = count;
- sprintf(pg_result, "OK: add_device=%s", f);
+ if (!ret) {
+ ret = count;
+ sprintf(pg_result, "OK: add_device=%s", f);
+ } else
+ sprintf(pg_result, "ERROR: can not add device %s", f);
goto out;
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 11/22] ipv6: do not create neighbor entries for local delivery
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (9 preceding siblings ...)
2013-02-12 20:36 ` [ 10/22] pktgen: correctly handle failures when adding a device Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 12/22] packet: fix leakage of tx_ring memory Greg Kroah-Hartman
` (12 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiri Pirko, Marcelo Ricardo Leitner,
David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Ricardo Leitner <mleitner@redhat.com>
[ Upstream commit bd30e947207e2ea0ff2c08f5b4a03025ddce48d3 ]
They will be created at output, if ever needed. This avoids creating
empty neighbor entries when TPROXYing/Forwarding packets for addresses
that are not even directly reachable.
Note that IPv4 already handles it this way. No neighbor entries are
created for local input.
Tested by myself and customer.
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -802,7 +802,8 @@ restart:
dst_hold(&rt->dst);
read_unlock_bh(&table->tb6_lock);
- if (!dst_get_neighbour_raw(&rt->dst) && !(rt->rt6i_flags & RTF_NONEXTHOP))
+ if (!dst_get_neighbour_raw(&rt->dst) &&
+ !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
else if (!(rt->dst.flags & DST_HOST))
nrt = rt6_alloc_clone(rt, &fl6->daddr);
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 12/22] packet: fix leakage of tx_ring memory
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (10 preceding siblings ...)
2013-02-12 20:36 ` [ 11/22] ipv6: do not create neighbor entries for local delivery Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 13/22] atm/iphase: rename fregt_t -> ffreg_t Greg Kroah-Hartman
` (11 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Phil Sutter, Johann Baudy,
Daniel Borkmann, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil.sutter@viprinet.com>
[ Upstream commit 9665d5d62487e8e7b1f546c00e11107155384b9a ]
When releasing a packet socket, the routine packet_set_ring() is reused
to free rings instead of allocating them. But when calling it for the
first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
which in the second invocation makes it bail out since req->tp_block_nr
is greater zero but req->tp_block_size is zero.
This patch solves the problem by passing a zeroed auto-variable to
packet_set_ring() upon each invocation from packet_release().
As far as I can tell, this issue exists even since 69e3c75 (net: TX_RING
and packet mmap), i.e. the original inclusion of TX ring support into
af_packet, but applies only to sockets with both RX and TX ring
allocated, which is probably why this was unnoticed all the time.
Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
Cc: Johann Baudy <johann.baudy@gnu-log.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1349,13 +1349,15 @@ static int packet_release(struct socket
packet_flush_mclist(sk);
- memset(&req, 0, sizeof(req));
-
- if (po->rx_ring.pg_vec)
+ if (po->rx_ring.pg_vec) {
+ memset(&req, 0, sizeof(req));
packet_set_ring(sk, &req, 1, 0);
+ }
- if (po->tx_ring.pg_vec)
+ if (po->tx_ring.pg_vec) {
+ memset(&req, 0, sizeof(req));
packet_set_ring(sk, &req, 1, 1);
+ }
synchronize_net();
/*
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 13/22] atm/iphase: rename fregt_t -> ffreg_t
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (11 preceding siblings ...)
2013-02-12 20:36 ` [ 12/22] packet: fix leakage of tx_ring memory Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 14/22] sctp: refactor sctp_outq_teardown to insure proper re-initalization Greg Kroah-Hartman
` (10 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Heiko Carstens,
chas williams - CONTRACTOR, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <heiko.carstens@de.ibm.com>
[ Upstream commit ab54ee80aa7585f9666ff4dd665441d7ce41f1e8 ]
We have conflicting type qualifiers for "freg_t" in s390's ptrace.h and the
iphase atm device driver, which causes the compile error below.
Unfortunately the s390 typedef can't be renamed, since it's a user visible api,
nor can I change the include order in s390 code to avoid the conflict.
So simply rename the iphase typedef to a new name. Fixes this compile error:
In file included from drivers/atm/iphase.c:66:0:
drivers/atm/iphase.h:639:25: error: conflicting type qualifiers for 'freg_t'
In file included from next/arch/s390/include/asm/ptrace.h:9:0,
from next/arch/s390/include/asm/lowcore.h:12,
from next/arch/s390/include/asm/thread_info.h:30,
from include/linux/thread_info.h:54,
from include/linux/preempt.h:9,
from include/linux/spinlock.h:50,
from include/linux/seqlock.h:29,
from include/linux/time.h:5,
from include/linux/stat.h:18,
from include/linux/module.h:10,
from drivers/atm/iphase.c:43:
next/arch/s390/include/uapi/asm/ptrace.h:197:3: note: previous declaration of 'freg_t' was here
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/atm/iphase.h | 146 +++++++++++++++++++++++++--------------------------
1 file changed, 73 insertions(+), 73 deletions(-)
--- a/drivers/atm/iphase.h
+++ b/drivers/atm/iphase.h
@@ -636,82 +636,82 @@ struct rx_buf_desc {
#define SEG_BASE IPHASE5575_FRAG_CONTROL_REG_BASE
#define REASS_BASE IPHASE5575_REASS_CONTROL_REG_BASE
-typedef volatile u_int freg_t;
+typedef volatile u_int ffreg_t;
typedef u_int rreg_t;
typedef struct _ffredn_t {
- freg_t idlehead_high; /* Idle cell header (high) */
- freg_t idlehead_low; /* Idle cell header (low) */
- freg_t maxrate; /* Maximum rate */
- freg_t stparms; /* Traffic Management Parameters */
- freg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
- freg_t rm_type; /* */
- u_int filler5[0x17 - 0x06];
- freg_t cmd_reg; /* Command register */
- u_int filler18[0x20 - 0x18];
- freg_t cbr_base; /* CBR Pointer Base */
- freg_t vbr_base; /* VBR Pointer Base */
- freg_t abr_base; /* ABR Pointer Base */
- freg_t ubr_base; /* UBR Pointer Base */
- u_int filler24;
- freg_t vbrwq_base; /* VBR Wait Queue Base */
- freg_t abrwq_base; /* ABR Wait Queue Base */
- freg_t ubrwq_base; /* UBR Wait Queue Base */
- freg_t vct_base; /* Main VC Table Base */
- freg_t vcte_base; /* Extended Main VC Table Base */
- u_int filler2a[0x2C - 0x2A];
- freg_t cbr_tab_beg; /* CBR Table Begin */
- freg_t cbr_tab_end; /* CBR Table End */
- freg_t cbr_pointer; /* CBR Pointer */
- u_int filler2f[0x30 - 0x2F];
- freg_t prq_st_adr; /* Packet Ready Queue Start Address */
- freg_t prq_ed_adr; /* Packet Ready Queue End Address */
- freg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
- freg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
- freg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
- freg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
- freg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
- freg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
- u_int filler38[0x40 - 0x38];
- freg_t queue_base; /* Base address for PRQ and TCQ */
- freg_t desc_base; /* Base address of descriptor table */
- u_int filler42[0x45 - 0x42];
- freg_t mode_reg_0; /* Mode register 0 */
- freg_t mode_reg_1; /* Mode register 1 */
- freg_t intr_status_reg;/* Interrupt Status register */
- freg_t mask_reg; /* Mask Register */
- freg_t cell_ctr_high1; /* Total cell transfer count (high) */
- freg_t cell_ctr_lo1; /* Total cell transfer count (low) */
- freg_t state_reg; /* Status register */
- u_int filler4c[0x58 - 0x4c];
- freg_t curr_desc_num; /* Contains the current descriptor num */
- freg_t next_desc; /* Next descriptor */
- freg_t next_vc; /* Next VC */
- u_int filler5b[0x5d - 0x5b];
- freg_t present_slot_cnt;/* Present slot count */
- u_int filler5e[0x6a - 0x5e];
- freg_t new_desc_num; /* New descriptor number */
- freg_t new_vc; /* New VC */
- freg_t sched_tbl_ptr; /* Schedule table pointer */
- freg_t vbrwq_wptr; /* VBR wait queue write pointer */
- freg_t vbrwq_rptr; /* VBR wait queue read pointer */
- freg_t abrwq_wptr; /* ABR wait queue write pointer */
- freg_t abrwq_rptr; /* ABR wait queue read pointer */
- freg_t ubrwq_wptr; /* UBR wait queue write pointer */
- freg_t ubrwq_rptr; /* UBR wait queue read pointer */
- freg_t cbr_vc; /* CBR VC */
- freg_t vbr_sb_vc; /* VBR SB VC */
- freg_t abr_sb_vc; /* ABR SB VC */
- freg_t ubr_sb_vc; /* UBR SB VC */
- freg_t vbr_next_link; /* VBR next link */
- freg_t abr_next_link; /* ABR next link */
- freg_t ubr_next_link; /* UBR next link */
- u_int filler7a[0x7c-0x7a];
- freg_t out_rate_head; /* Out of rate head */
- u_int filler7d[0xca-0x7d]; /* pad out to full address space */
- freg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
- freg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
- u_int fillercc[0x100-0xcc]; /* pad out to full address space */
+ ffreg_t idlehead_high; /* Idle cell header (high) */
+ ffreg_t idlehead_low; /* Idle cell header (low) */
+ ffreg_t maxrate; /* Maximum rate */
+ ffreg_t stparms; /* Traffic Management Parameters */
+ ffreg_t abrubr_abr; /* ABRUBR Priority Byte 1, TCR Byte 0 */
+ ffreg_t rm_type; /* */
+ u_int filler5[0x17 - 0x06];
+ ffreg_t cmd_reg; /* Command register */
+ u_int filler18[0x20 - 0x18];
+ ffreg_t cbr_base; /* CBR Pointer Base */
+ ffreg_t vbr_base; /* VBR Pointer Base */
+ ffreg_t abr_base; /* ABR Pointer Base */
+ ffreg_t ubr_base; /* UBR Pointer Base */
+ u_int filler24;
+ ffreg_t vbrwq_base; /* VBR Wait Queue Base */
+ ffreg_t abrwq_base; /* ABR Wait Queue Base */
+ ffreg_t ubrwq_base; /* UBR Wait Queue Base */
+ ffreg_t vct_base; /* Main VC Table Base */
+ ffreg_t vcte_base; /* Extended Main VC Table Base */
+ u_int filler2a[0x2C - 0x2A];
+ ffreg_t cbr_tab_beg; /* CBR Table Begin */
+ ffreg_t cbr_tab_end; /* CBR Table End */
+ ffreg_t cbr_pointer; /* CBR Pointer */
+ u_int filler2f[0x30 - 0x2F];
+ ffreg_t prq_st_adr; /* Packet Ready Queue Start Address */
+ ffreg_t prq_ed_adr; /* Packet Ready Queue End Address */
+ ffreg_t prq_rd_ptr; /* Packet Ready Queue read pointer */
+ ffreg_t prq_wr_ptr; /* Packet Ready Queue write pointer */
+ ffreg_t tcq_st_adr; /* Transmit Complete Queue Start Address*/
+ ffreg_t tcq_ed_adr; /* Transmit Complete Queue End Address */
+ ffreg_t tcq_rd_ptr; /* Transmit Complete Queue read pointer */
+ ffreg_t tcq_wr_ptr; /* Transmit Complete Queue write pointer*/
+ u_int filler38[0x40 - 0x38];
+ ffreg_t queue_base; /* Base address for PRQ and TCQ */
+ ffreg_t desc_base; /* Base address of descriptor table */
+ u_int filler42[0x45 - 0x42];
+ ffreg_t mode_reg_0; /* Mode register 0 */
+ ffreg_t mode_reg_1; /* Mode register 1 */
+ ffreg_t intr_status_reg;/* Interrupt Status register */
+ ffreg_t mask_reg; /* Mask Register */
+ ffreg_t cell_ctr_high1; /* Total cell transfer count (high) */
+ ffreg_t cell_ctr_lo1; /* Total cell transfer count (low) */
+ ffreg_t state_reg; /* Status register */
+ u_int filler4c[0x58 - 0x4c];
+ ffreg_t curr_desc_num; /* Contains the current descriptor num */
+ ffreg_t next_desc; /* Next descriptor */
+ ffreg_t next_vc; /* Next VC */
+ u_int filler5b[0x5d - 0x5b];
+ ffreg_t present_slot_cnt;/* Present slot count */
+ u_int filler5e[0x6a - 0x5e];
+ ffreg_t new_desc_num; /* New descriptor number */
+ ffreg_t new_vc; /* New VC */
+ ffreg_t sched_tbl_ptr; /* Schedule table pointer */
+ ffreg_t vbrwq_wptr; /* VBR wait queue write pointer */
+ ffreg_t vbrwq_rptr; /* VBR wait queue read pointer */
+ ffreg_t abrwq_wptr; /* ABR wait queue write pointer */
+ ffreg_t abrwq_rptr; /* ABR wait queue read pointer */
+ ffreg_t ubrwq_wptr; /* UBR wait queue write pointer */
+ ffreg_t ubrwq_rptr; /* UBR wait queue read pointer */
+ ffreg_t cbr_vc; /* CBR VC */
+ ffreg_t vbr_sb_vc; /* VBR SB VC */
+ ffreg_t abr_sb_vc; /* ABR SB VC */
+ ffreg_t ubr_sb_vc; /* UBR SB VC */
+ ffreg_t vbr_next_link; /* VBR next link */
+ ffreg_t abr_next_link; /* ABR next link */
+ ffreg_t ubr_next_link; /* UBR next link */
+ u_int filler7a[0x7c-0x7a];
+ ffreg_t out_rate_head; /* Out of rate head */
+ u_int filler7d[0xca-0x7d]; /* pad out to full address space */
+ ffreg_t cell_ctr_high1_nc;/* Total cell transfer count (high) */
+ ffreg_t cell_ctr_lo1_nc;/* Total cell transfer count (low) */
+ u_int fillercc[0x100-0xcc]; /* pad out to full address space */
} ffredn_t;
typedef struct _rfredn_t {
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 14/22] sctp: refactor sctp_outq_teardown to insure proper re-initalization
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (12 preceding siblings ...)
2013-02-12 20:36 ` [ 13/22] atm/iphase: rename fregt_t -> ffreg_t Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 15/22] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree Greg Kroah-Hartman
` (9 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Neil Horman, Jamie Parsons,
Vlad Yasevich, David S. Miller, netdev
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Horman <nhorman@tuxdriver.com>
[ Upstream commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 ]
Jamie Parsons reported a problem recently, in which the re-initalization of an
association (The duplicate init case), resulted in a loss of receive window
space. He tracked down the root cause to sctp_outq_teardown, which discarded
all the data on an outq during a re-initalization of the corresponding
association, but never reset the outq->outstanding_data field to zero. I wrote,
and he tested this fix, which does a proper full re-initalization of the outq,
fixing this problem, and hopefully future proofing us from simmilar issues down
the road.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
Tested-by: Jamie Parsons <Jamie.Parsons@metaswitch.com>
CC: Jamie Parsons <Jamie.Parsons@metaswitch.com>
CC: Vlad Yasevich <vyasevich@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/outqueue.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -223,7 +223,7 @@ void sctp_outq_init(struct sctp_associat
/* Free the outqueue structure and any related pending chunks.
*/
-void sctp_outq_teardown(struct sctp_outq *q)
+static void __sctp_outq_teardown(struct sctp_outq *q)
{
struct sctp_transport *transport;
struct list_head *lchunk, *temp;
@@ -276,8 +276,6 @@ void sctp_outq_teardown(struct sctp_outq
sctp_chunk_free(chunk);
}
- q->error = 0;
-
/* Throw away any leftover control chunks. */
list_for_each_entry_safe(chunk, tmp, &q->control_chunk_list, list) {
list_del_init(&chunk->list);
@@ -285,11 +283,17 @@ void sctp_outq_teardown(struct sctp_outq
}
}
+void sctp_outq_teardown(struct sctp_outq *q)
+{
+ __sctp_outq_teardown(q);
+ sctp_outq_init(q->asoc, q);
+}
+
/* Free the outqueue structure and any related pending chunks. */
void sctp_outq_free(struct sctp_outq *q)
{
/* Throw away leftover chunks. */
- sctp_outq_teardown(q);
+ __sctp_outq_teardown(q);
/* If we were kmalloc()'d, free the memory. */
if (q->malloced)
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 15/22] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (13 preceding siblings ...)
2013-02-12 20:36 ` [ 14/22] sctp: refactor sctp_outq_teardown to insure proper re-initalization Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:36 ` [ 16/22] net: sctp: sctp_endpoint_free: zero out secret key data Greg Kroah-Hartman
` (8 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit 6ba542a291a5e558603ac51cda9bded347ce7627 ]
In sctp_setsockopt_auth_key, we create a temporary copy of the user
passed shared auth key for the endpoint or association and after
internal setup, we free it right away. Since it's sensitive data, we
should zero out the key before returning the memory back to the
allocator. Thus, use kzfree instead of kfree, just as we do in
sctp_auth_key_put().
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3304,7 +3304,7 @@ static int sctp_setsockopt_auth_key(stru
ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
out:
- kfree(authkey);
+ kzfree(authkey);
return ret;
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 16/22] net: sctp: sctp_endpoint_free: zero out secret key data
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (14 preceding siblings ...)
2013-02-12 20:36 ` [ 15/22] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree Greg Kroah-Hartman
@ 2013-02-12 20:36 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 17/22] tcp: frto should not set snd_cwnd to 0 Greg Kroah-Hartman
` (7 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:36 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, Vlad Yasevich,
David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit b5c37fe6e24eec194bb29d22fdd55d73bcc709bf ]
On sctp_endpoint_destroy, previously used sensitive keying material
should be zeroed out before the memory is returned, as we already do
with e.g. auth keys when released.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/endpointola.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -248,6 +248,8 @@ void sctp_endpoint_free(struct sctp_endp
/* Final destructor for endpoint. */
static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
{
+ int i;
+
SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
/* Free up the HMAC transform. */
@@ -270,6 +272,9 @@ static void sctp_endpoint_destroy(struct
sctp_inq_free(&ep->base.inqueue);
sctp_bind_addr_free(&ep->base.bind_addr);
+ for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i)
+ memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);
+
/* Remove and free the port */
if (sctp_sk(ep->base.sk)->bind_hash)
sctp_put_port(ep->base.sk);
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 17/22] tcp: frto should not set snd_cwnd to 0
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (15 preceding siblings ...)
2013-02-12 20:36 ` [ 16/22] net: sctp: sctp_endpoint_free: zero out secret key data Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 18/22] tcp: fix for zero packets_in_flight was too broad Greg Kroah-Hartman
` (6 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pasi K�rkk�inen,
Neal Cardwell, Eric Dumazet, Ilpo J�rvinen, Yuchung Cheng,
David S. Miller
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1398 bytes --]
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2e5f421211ff76c17130b4597bc06df4eeead24f ]
Commit 9dc274151a548 (tcp: fix ABC in tcp_slow_start())
uncovered a bug in FRTO code :
tcp_process_frto() is setting snd_cwnd to 0 if the number
of in flight packets is 0.
As Neal pointed out, if no packet is in flight we lost our
chance to disambiguate whether a loss timeout was spurious.
We should assume it was a proper loss.
Reported-by: Pasi Kärkkäinen <pasik@iki.fi>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3568,7 +3568,8 @@ static int tcp_process_frto(struct sock
((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
tp->undo_marker = 0;
- if (!before(tp->snd_una, tp->frto_highmark)) {
+ if (!before(tp->snd_una, tp->frto_highmark) ||
+ !tcp_packets_in_flight(tp)) {
tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
return 1;
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 18/22] tcp: fix for zero packets_in_flight was too broad
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (16 preceding siblings ...)
2013-02-12 20:37 ` [ 17/22] tcp: frto should not set snd_cwnd to 0 Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 19/22] tcp: fix MSG_SENDPAGE_NOTLAST logic Greg Kroah-Hartman
` (5 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ilpo J�rvinen, Eric Dumazet,
Neal Cardwell, David S. Miller
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1846 bytes --]
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@helsinki.fi>
[ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ]
There are transients during normal FRTO procedure during which
the packets_in_flight can go to zero between write_queue state
updates and firing the resulting segments out. As FRTO processing
occurs during that window the check must be more precise to
not match "spuriously" :-). More specificly, e.g., when
packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic
branch that set cwnd into zero would not be taken and new segments
might be sent out later.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Tested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_input.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3568,8 +3568,7 @@ static int tcp_process_frto(struct sock
((tp->frto_counter >= 2) && (flag & FLAG_RETRANS_DATA_ACKED)))
tp->undo_marker = 0;
- if (!before(tp->snd_una, tp->frto_highmark) ||
- !tcp_packets_in_flight(tp)) {
+ if (!before(tp->snd_una, tp->frto_highmark)) {
tcp_enter_frto_loss(sk, (tp->frto_counter == 1 ? 2 : 3), flag);
return 1;
}
@@ -3589,6 +3588,11 @@ static int tcp_process_frto(struct sock
}
} else {
if (!(flag & FLAG_DATA_ACKED) && (tp->frto_counter == 1)) {
+ if (!tcp_packets_in_flight(tp)) {
+ tcp_enter_frto_loss(sk, 2, flag);
+ return true;
+ }
+
/* Prevent sending of new data. */
tp->snd_cwnd = min(tp->snd_cwnd,
tcp_packets_in_flight(tp));
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 19/22] tcp: fix MSG_SENDPAGE_NOTLAST logic
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (17 preceding siblings ...)
2013-02-12 20:37 ` [ 18/22] tcp: fix for zero packets_in_flight was too broad Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 20/22] bridge: Pull ip header into skb->data before looking into ip header Greg Kroah-Hartman
` (4 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Willy Tarreau, Eric Dumazet, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ]
commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once)
added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all
frags but the last one for a splice() call.
The condition used to set the flag in pipe_to_sendpage() relied on
splice() user passing the exact number of bytes present in the pipe,
or a smaller one.
But some programs pass an arbitrary high value, and the test fails.
The effect of this bug is a lack of tcp_push() at the end of a
splice(pipe -> socket) call, and possibly very slow or erratic TCP
sessions.
We should both test sd->total_len and fact that another fragment
is in the pipe (pipe->nrbufs > 1)
Many thanks to Willy for providing very clear bug report, bisection
and test programs.
Reported-by: Willy Tarreau <w@1wt.eu>
Bisected-by: Willy Tarreau <w@1wt.eu>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/splice.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -693,8 +693,10 @@ static int pipe_to_sendpage(struct pipe_
return -EINVAL;
more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
- if (sd->len < sd->total_len)
+
+ if (sd->len < sd->total_len && pipe->nrbufs > 1)
more |= MSG_SENDPAGE_NOTLAST;
+
return file->f_op->sendpage(file, buf->page, buf->offset,
sd->len, &pos, more);
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 20/22] bridge: Pull ip header into skb->data before looking into ip header.
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (18 preceding siblings ...)
2013-02-12 20:37 ` [ 19/22] tcp: fix MSG_SENDPAGE_NOTLAST logic Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 21/22] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode Greg Kroah-Hartman
` (3 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sarveshwar Bandi, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
[ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ]
If lower layer driver leaves the ip header in the skb fragment, it needs to
be first pulled into skb->data before inspecting ip header length or ip version
number.
Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_netfilter.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -233,6 +233,9 @@ static int br_parse_ip_options(struct sk
struct net_device *dev = skb->dev;
u32 len;
+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+ goto inhdr_error;
+
iph = ip_hdr(skb);
opt = &(IPCB(skb)->opt);
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 21/22] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (19 preceding siblings ...)
2013-02-12 20:37 ` [ 20/22] bridge: Pull ip header into skb->data before looking into ip header Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-12 20:37 ` [ 22/22] tg3: Fix crc errors on jumbo frame receive Greg Kroah-Hartman
` (2 subsequent siblings)
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nithin Nayak Sujir, Michael Chan,
David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nithin Nayak Sujir <nsujir@broadcom.com>
[ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ]
When netconsole is enabled, logging messages generated during tg3_open
can result in a null pointer dereference for the uninitialized tg3
status block. Use the irq_sync flag to disable polling in the early
stages. irq_sync is cleared when the driver is enabling interrupts after
all initialization is completed.
Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tg3.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -5662,6 +5662,9 @@ static void tg3_poll_controller(struct n
int i;
struct tg3 *tp = netdev_priv(dev);
+ if (tg3_irq_sync(tp))
+ return;
+
for (i = 0; i < tp->irq_cnt; i++)
tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]);
}
@@ -14981,6 +14984,7 @@ static int __devinit tg3_init_one(struct
tp->pm_cap = pm_cap;
tp->rx_mode = TG3_DEF_RX_MODE;
tp->tx_mode = TG3_DEF_TX_MODE;
+ tp->irq_sync = 1;
if (tg3_debug > 0)
tp->msg_enable = tg3_debug;
^ permalink raw reply [flat|nested] 25+ messages in thread
* [ 22/22] tg3: Fix crc errors on jumbo frame receive
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (20 preceding siblings ...)
2013-02-12 20:37 ` [ 21/22] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode Greg Kroah-Hartman
@ 2013-02-12 20:37 ` Greg Kroah-Hartman
2013-02-13 8:06 ` [ 00/22] 3.0.64-stable review Satoru Takeuchi
2013-02-13 15:51 ` Shuah Khan
23 siblings, 0 replies; 25+ messages in thread
From: Greg Kroah-Hartman @ 2013-02-12 20:37 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nithin Nayak Sujir, Michael Chan,
David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nithin Nayak Sujir <nsujir@broadcom.com>
[ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ]
TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy
auxiliary control register and overwrite the EXT_PKT_LEN (bit 14) resulting
in intermittent crc errors on jumbo frames with some link partners. Change
the code to do a read/modify/write.
Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tg3.c | 56 ++++++++++++++++++++++++++++++++----------------------
1 file changed, 34 insertions(+), 22 deletions(-)
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -996,14 +996,26 @@ static int tg3_phy_auxctl_write(struct t
return tg3_writephy(tp, MII_TG3_AUX_CTRL, set | reg);
}
-#define TG3_PHY_AUXCTL_SMDSP_ENABLE(tp) \
- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
- MII_TG3_AUXCTL_ACTL_SMDSP_ENA | \
- MII_TG3_AUXCTL_ACTL_TX_6DB)
-
-#define TG3_PHY_AUXCTL_SMDSP_DISABLE(tp) \
- tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL, \
- MII_TG3_AUXCTL_ACTL_TX_6DB);
+static int tg3_phy_toggle_auxctl_smdsp(struct tg3 *tp, bool enable)
+{
+ u32 val;
+ int err;
+
+ err = tg3_phy_auxctl_read(tp, MII_TG3_AUXCTL_SHDWSEL_AUXCTL, &val);
+
+ if (err)
+ return err;
+ if (enable)
+
+ val |= MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
+ else
+ val &= ~MII_TG3_AUXCTL_ACTL_SMDSP_ENA;
+
+ err = tg3_phy_auxctl_write((tp), MII_TG3_AUXCTL_SHDWSEL_AUXCTL,
+ val | MII_TG3_AUXCTL_ACTL_TX_6DB);
+
+ return err;
+}
static int tg3_bmcr_reset(struct tg3 *tp)
{
@@ -1775,7 +1787,7 @@ static void tg3_phy_apply_otp(struct tg3
otp = tp->phy_otp;
- if (TG3_PHY_AUXCTL_SMDSP_ENABLE(tp))
+ if (tg3_phy_toggle_auxctl_smdsp(tp, true))
return;
phy = ((otp & TG3_OTP_AGCTGT_MASK) >> TG3_OTP_AGCTGT_SHIFT);
@@ -1800,7 +1812,7 @@ static void tg3_phy_apply_otp(struct tg3
((otp & TG3_OTP_RCOFF_MASK) >> TG3_OTP_RCOFF_SHIFT);
tg3_phydsp_write(tp, MII_TG3_DSP_EXP97, phy);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
}
static void tg3_phy_eee_adjust(struct tg3 *tp, u32 current_link_up)
@@ -1848,9 +1860,9 @@ static void tg3_phy_eee_enable(struct tg
(GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5717 ||
GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719 ||
GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_57765) &&
- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
+ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
tg3_phydsp_write(tp, MII_TG3_DSP_TAP26, 0x0003);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
}
val = tr32(TG3_CPMU_EEE_MODE);
@@ -1995,7 +2007,7 @@ static int tg3_phy_reset_5703_4_5(struct
(MII_TG3_CTRL_AS_MASTER |
MII_TG3_CTRL_ENABLE_AS_MASTER));
- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
+ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
if (err)
return err;
@@ -2016,7 +2028,7 @@ static int tg3_phy_reset_5703_4_5(struct
tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x8200);
tg3_writephy(tp, MII_TG3_DSP_CONTROL, 0x0000);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
tg3_writephy(tp, MII_TG3_CTRL, phy9_orig);
@@ -2105,10 +2117,10 @@ static int tg3_phy_reset(struct tg3 *tp)
out:
if ((tp->phy_flags & TG3_PHYFLG_ADC_BUG) &&
- !TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
+ !tg3_phy_toggle_auxctl_smdsp(tp, true)) {
tg3_phydsp_write(tp, 0x201f, 0x2aaa);
tg3_phydsp_write(tp, 0x000a, 0x0323);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
}
if (tp->phy_flags & TG3_PHYFLG_5704_A0_BUG) {
@@ -2117,14 +2129,14 @@ out:
}
if (tp->phy_flags & TG3_PHYFLG_BER_BUG) {
- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
+ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
tg3_phydsp_write(tp, 0x000a, 0x310b);
tg3_phydsp_write(tp, 0x201f, 0x9506);
tg3_phydsp_write(tp, 0x401f, 0x14e2);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
}
} else if (tp->phy_flags & TG3_PHYFLG_JITTER_BUG) {
- if (!TG3_PHY_AUXCTL_SMDSP_ENABLE(tp)) {
+ if (!tg3_phy_toggle_auxctl_smdsp(tp, true)) {
tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x000a);
if (tp->phy_flags & TG3_PHYFLG_ADJUST_TRIM) {
tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x110b);
@@ -2133,7 +2145,7 @@ out:
} else
tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x010b);
- TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ tg3_phy_toggle_auxctl_smdsp(tp, false);
}
}
@@ -2981,7 +2993,7 @@ static int tg3_phy_autoneg_cfg(struct tg
tw32(TG3_CPMU_EEE_MODE,
tr32(TG3_CPMU_EEE_MODE) & ~TG3_CPMU_EEEMD_LPI_ENABLE);
- err = TG3_PHY_AUXCTL_SMDSP_ENABLE(tp);
+ err = tg3_phy_toggle_auxctl_smdsp(tp, true);
if (!err) {
u32 err2;
@@ -3008,7 +3020,7 @@ static int tg3_phy_autoneg_cfg(struct tg
val |= MDIO_AN_EEE_ADV_1000T;
err = tg3_phy_cl45_write(tp, MDIO_MMD_AN, MDIO_AN_EEE_ADV, val);
- err2 = TG3_PHY_AUXCTL_SMDSP_DISABLE(tp);
+ err2 = tg3_phy_toggle_auxctl_smdsp(tp, false);
if (!err)
err = err2;
}
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [ 00/22] 3.0.64-stable review
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (21 preceding siblings ...)
2013-02-12 20:37 ` [ 22/22] tg3: Fix crc errors on jumbo frame receive Greg Kroah-Hartman
@ 2013-02-13 8:06 ` Satoru Takeuchi
2013-02-13 15:51 ` Shuah Khan
23 siblings, 0 replies; 25+ messages in thread
From: Satoru Takeuchi @ 2013-02-13 8:06 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-kernel, torvalds, akpm, stable
At Tue, 12 Feb 2013 12:36:43 -0800,
Greg Kroah-Hartman wrote:
>
> This is the start of the stable review cycle for the 3.0.64 release.
> There are 22 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu Feb 14 20:31:38 UTC 2013.
> Anything received after that time might be too late.
This kernel can be built and boot without any problem.
Building a kernel with this kernel also works fine.
- Build Machine: debian wheezy x86_64
CPU: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz x 4
memory: 8GB
- Test machine: debian wheezy x86_64(KVM guest on the Build Machine)
vCPU: x2
memory: 2GB
I reviewed the following patches and it looks good to me.
> Stephen Hemminger <stephen.hemminger@vyatta.com>
> MAINTAINERS: Stephen Hemminger email change
...
> Sjur Brændeland <sjur.brandeland@stericsson.com>
> virtio_console: Don't access uninitialized data.
Thanks,
Satoru
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [ 00/22] 3.0.64-stable review
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
` (22 preceding siblings ...)
2013-02-13 8:06 ` [ 00/22] 3.0.64-stable review Satoru Takeuchi
@ 2013-02-13 15:51 ` Shuah Khan
23 siblings, 0 replies; 25+ messages in thread
From: Shuah Khan @ 2013-02-13 15:51 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-kernel, torvalds, akpm, stable
On Tue, Feb 12, 2013 at 1:36 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 3.0.64 release.
> There are 22 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu Feb 14 20:31:38 UTC 2013.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.64-rc1.gz
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Patches applied cleanly to 3.0.63, 3.4.30, and 3.7.7.
Compiled and booted on the following systems:
HP EliteBook 6930p Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz
HP ProBook 6475b AMD A10-4600M APU with Radeon(tm) HD Graphics
Cross-compile tests results:
alpha: defconfig passed on all
arm: defconfig passed on all
arm64: not applicable to 3.0.y, 3.4.y. defconfig passed on 3.7.y
c6x: not applicable to 3.0.y, defconfig passed on 3.4.y, and 3.7.y.
mips: defconfig passed on all
mipsel: defconfig passed on all
powerpc: wii_defconfig passed on all
sh: defconfig passed on all
sparc: defconfig passed on all
tile: tilegx_defconfig passed on all
-- Shuah
^ permalink raw reply [flat|nested] 25+ messages in thread
end of thread, other threads:[~2013-02-13 15:51 UTC | newest]
Thread overview: 25+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-02-12 20:36 [ 00/22] 3.0.64-stable review Greg Kroah-Hartman
2013-02-12 20:36 ` [ 01/22] rtlwifi: Fix the usage of the wrong variable in usb.c Greg Kroah-Hartman
2013-02-12 20:36 ` [ 02/22] virtio_console: Dont access uninitialized data Greg Kroah-Hartman
2013-02-12 20:36 ` [ 03/22] kernel/resource.c: fix stack overflow in __reserve_region_with_split() Greg Kroah-Hartman
2013-02-12 20:36 ` [ 04/22] mac80211: synchronize scan off/on-channel and PS states Greg Kroah-Hartman
2013-02-12 20:36 ` [ 05/22] net: prevent setting ttl=0 via IP_TTL Greg Kroah-Hartman
2013-02-12 20:36 ` [ 06/22] MAINTAINERS: Stephen Hemminger email change Greg Kroah-Hartman
2013-02-12 20:36 ` [ 07/22] isdn/gigaset: fix zero size border case in debug dump Greg Kroah-Hartman
2013-02-12 20:36 ` [ 08/22] r8169: remove the obsolete and incorrect AMD workaround Greg Kroah-Hartman
2013-02-12 20:36 ` [ 09/22] net: loopback: fix a dst refcounting issue Greg Kroah-Hartman
2013-02-12 20:36 ` [ 10/22] pktgen: correctly handle failures when adding a device Greg Kroah-Hartman
2013-02-12 20:36 ` [ 11/22] ipv6: do not create neighbor entries for local delivery Greg Kroah-Hartman
2013-02-12 20:36 ` [ 12/22] packet: fix leakage of tx_ring memory Greg Kroah-Hartman
2013-02-12 20:36 ` [ 13/22] atm/iphase: rename fregt_t -> ffreg_t Greg Kroah-Hartman
2013-02-12 20:36 ` [ 14/22] sctp: refactor sctp_outq_teardown to insure proper re-initalization Greg Kroah-Hartman
2013-02-12 20:36 ` [ 15/22] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree Greg Kroah-Hartman
2013-02-12 20:36 ` [ 16/22] net: sctp: sctp_endpoint_free: zero out secret key data Greg Kroah-Hartman
2013-02-12 20:37 ` [ 17/22] tcp: frto should not set snd_cwnd to 0 Greg Kroah-Hartman
2013-02-12 20:37 ` [ 18/22] tcp: fix for zero packets_in_flight was too broad Greg Kroah-Hartman
2013-02-12 20:37 ` [ 19/22] tcp: fix MSG_SENDPAGE_NOTLAST logic Greg Kroah-Hartman
2013-02-12 20:37 ` [ 20/22] bridge: Pull ip header into skb->data before looking into ip header Greg Kroah-Hartman
2013-02-12 20:37 ` [ 21/22] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode Greg Kroah-Hartman
2013-02-12 20:37 ` [ 22/22] tg3: Fix crc errors on jumbo frame receive Greg Kroah-Hartman
2013-02-13 8:06 ` [ 00/22] 3.0.64-stable review Satoru Takeuchi
2013-02-13 15:51 ` Shuah Khan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).