Upon a URB submission failure, the driver calls usb_free_urb()
but then manually frees the URB buffer by itself. Meanwhile
usb_free_urb() has alredy freed out that transfer buffer since
we're the only code path holding a reference to this URB.
Remove two of such invalid manual free().
Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Fixes a missing initialization of ctrlmode and ctrlmode_supported fields,
for all other CAN devices than the first one. This fix only concerns
the PCAN-USB Pro FD dual-channels CAN-FD device made by PEAK-System.
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
When accessing CAN network interfaces with AF_PACKET sockets e.g. by dhclient
this can lead to a skb_under_panic due to missing skb initialisations.
Add the missing initialisations at the CAN skbuff creation times on driver
level (rx path) and in the network layer (tx path).
Reported-by: Austin Schuh <austin@peloton-tech.com>
Reported-by: Daniel Steer <daniel.steer@mclaren.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
When reading from the error queue, msg_name and msg_control are only
populated for some errors. A new exception for empty timestamp skbs
added a false positive on icmp errors without payload.
`traceroute -M udpconn` only displayed gateways that return payload
with the icmp error: the embedded network headers are pulled before
sock_queue_err_skb, leaving an skb with skb->len == 0 otherwise.
Fix this regression by refining when msg_name and msg_control
branches are taken. The solutions for the two fields are independent.
msg_name only makes sense for errors that configure serr->port and
serr->addr_offset. Test the first instead of skb->len. This also fixes
another issue. saddr could hold the wrong data, as serr->addr_offset
is not initialized in some code paths, pointing to the start of the
network header. It is only valid when serr->port is set (non-zero).
msg_control support differs between IPv4 and IPv6. IPv4 only honors
requests for ICMP and timestamps with SOF_TIMESTAMPING_OPT_CMSG. The
skb->len test can simply be removed, because skb->dev is also tested
and never true for empty skbs. IPv6 honors requests for all errors
aside from local errors and timestamps on empty skbs.
In both cases, make the policy more explicit by moving this logic to
a new function that decides whether to process msg_control and that
optionally prepares the necessary fields in skb->cb[]. After this
change, the IPv4 and IPv6 paths are more similar.
The last case is rxrpc. Here, simply refine to only match timestamps.
Fixes: 49ca0d8bfa ("net-timestamp: no-payload option")
Reported-by: Jan Niehusmann <jan@gondor.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
----
Changes
v1->v2
- fix local origin test inversion in ip6_datagram_support_cmsg
- make v4 and v6 code paths more similar by introducing analogous
ipv4_datagram_support_cmsg
- fix compile bug in rxrpc
Signed-off-by: David S. Miller <davem@davemloft.net>
On my test environment the throughput of a file transfer drops
from 4.4MBps to 116KBps due the number of repeated warning
messages. This patch removes the warning messages as DMA works
correctly with addresses using 0xC0000000 bits.
Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
With some mss values, it is possible tcp_xmit_size_goal() puts
one segment more in TSO packet than tcp_tso_autosize().
We send then one TSO packet followed by one single MSS.
It is not a serious bug, but we can do slightly better, especially
for drivers using netif_set_gso_max_size() to lower gso_max_size.
Using same formula avoids these corner cases and makes
tcp_xmit_size_goal() a bit faster.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 605ad7f184 ("tcp: refine TSO autosizing")
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When the driver is removed (e.g. using unbind through sysfs), the
clocks get disabled twice, once on fec_enet_close and once on
fec_drv_remove. Since the clocks are enabled only once, this leads
to a warning:
WARNING: CPU: 0 PID: 402 at drivers/clk/clk.c:992 clk_core_disable+0x64/0x68()
Remove the call to fec_enet_clk_enable in fec_drv_remove to balance
the clock enable/disable calls again. This has been introduce by
e8fcfcd568 ("net: fec: optimize the clock management to save power").
Signed-off-by: Stefan Agner <stefan@agner.ch>
Acked-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The latest spec "I-IPA01-0266-USR Rev 10" limit the MID field length to 12 bit
value. For previous versions it is 16 bit value.
This change will not break the backward compatibility as the latest ID value is
7 and with in the 12 bit value limit.
Signed-off-by: Punnaiah Choudary Kalluri <punnaia@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
eTSEC of-nodes may have children which are not queue-group nodes. For
example new-style fixed-phy declarations. These where incorrectly
assumed to be additional queue-groups.
Change the search to filter out any nodes which are not queue-groups,
or have been disabled.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso says:
====================
Netfilter/IPVS fixes for net
The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:
1) Don't truncate ethernet protocol type to u8 in nft_compat, from
Arturo Borrero.
2) Fix several problems in the addition/deletion of elements in nf_tables.
3) Fix module refcount leak in ip_vs_sync, from Julian Anastasov.
4) Fix a race condition in the abort path in the nf_tables transaction
infrastructure. Basically aborted rules can show up as active rules
until changes are unrolled, oneliner from Patrick McHardy.
5) Check for overflows in the data area of the rule, also from Patrick.
6) Fix off-by-one in the per-rule user data size field. This introduces
a new nft_userdata structure that is placed at the beginning of the
user data area that contains the length to save some bits from the
rule and we only need one bit to indicate its presence, from Patrick.
7) Fix rule replacement error path, the replaced rule is deleted on
error instead of leaving it in place. This has been fixed by relying
on the abort path to undo the incomplete replacement.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
ip_check_defrag() may be used by af_packet to defragment outgoing packets.
skb_network_offset() of af_packet's outgoing packets is not zero.
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
bcmgenet_set_wol() correctly sets MPD_PW_EN when a password is specified
to match magic packets against, however, when we switch from a
password-matching to a matching without password we would leave this bit
turned on, and GENET would only match magic packets with passwords.
This can be reproduced using the following sequence:
ethtool -s eth0 wol g
ethtool -s eth0 wol s sopass 00:11:22:33:44:55
ethtool -s eth0 wol g
The simple fix is to clear the MPD_PWD_EN bit when WAKE_MAGICSECURE is
not set.
Fixes: c51de7f397 ("net: bcmgenet: add Wake-on-LAN support code")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit de7b5b3d79 ("net: eth: xgene: change APM X-Gene SoC platform
ethernet to support ACPI") breaks booting with devicetree with UEFI
firmware. In that case, I get:
Unhandled fault: synchronous external abort (0x96000010) at 0xfffffc0000620010
Internal error: : 96000010 [#1] SMP
Modules linked in: vfat fat xfs libcrc32c ahci_xgene libahci_platform libahci
CPU: 7 PID: 634 Comm: NetworkManager Not tainted 4.0.0-rc1+ #4
Hardware name: AppliedMicro Mustang/Mustang, BIOS 1.1.0-rh-0.14 Mar 1 2015
task: fffffe03d4c7e100 ti: fffffe03d4e24000 task.ti: fffffe03d4e24000
PC is at xgene_enet_rd_mcx_mac.isra.11+0x58/0xd4
LR is at xgene_gmac_tx_enable+0x2c/0x50
pc : [<fffffe000069d6fc>] lr : [<fffffe000069dcc4>] pstate: 80000145
sp : fffffe03d4e27590
x29: fffffe03d4e27590 x28: 0000000000000000
x27: fffffe03d4e277c0 x26: fffffe03da8fda10
x25: fffffe03d4e2760c x24: fffffe03d49e28c0
x23: fffffc0000620004 x22: 0000000000000000
x21: fffffc0000620000 x20: fffffc0000620010
x19: 000000000000000b x18: 000003ffd4a96020
x17: 000003ff7fc1f7a0 x16: fffffe000079b9cc
x15: 0000000000000000 x14: 0000000000000000
x13: 0000000000000000 x12: fffffe03d4e24000
x11: fffffe03d4e27da0 x10: 0000000000000001
x9 : 0000000000000000 x8 : fffffe03d4e27a20
x7 : 0000000000000000 x6 : 00000000ffffffef
x5 : fffffe000105f7d0 x4 : fffffe00007ca8c8
x3 : fffffe03d4e2760c x2 : 0000000000000000
x1 : fffffc0000620000 x0 : 0000000040000000
Process NetworkManager (pid: 634, stack limit = 0xfffffe03d4e24028)
Stack: (0xfffffe03d4e27590 to 0xfffffe03d4e28000)
...
Call trace:
[<fffffe000069d6fc>] xgene_enet_rd_mcx_mac.isra.11+0x58/0xd4
[<fffffe000069dcc0>] xgene_gmac_tx_enable+0x28/0x50
[<fffffe00006a112c>] xgene_enet_open+0x2c/0x130
[<fffffe00007b9254>] __dev_open+0xc8/0x148
[<fffffe00007b956c>] __dev_change_flags+0x90/0x158
[<fffffe00007b9664>] dev_change_flags+0x30/0x70
[<fffffe00007c8ab8>] do_setlink+0x278/0x870
[<fffffe00007c95bc>] rtnl_newlink+0x404/0x6a8
[<fffffe00007c8040>] rtnetlink_rcv_msg+0x98/0x218
[<fffffe00007e78e4>] netlink_rcv_skb+0xe0/0xf8
[<fffffe00007c7f94>] rtnetlink_rcv+0x30/0x44
[<fffffe00007e6f2c>] netlink_unicast+0xfc/0x210
[<fffffe00007e75b8>] netlink_sendmsg+0x498/0x5ac
[<fffffe00007990b8>] do_sock_sendmsg+0xa4/0xcc
[<fffffe000079a958>] ___sys_sendmsg+0x1fc/0x208
[<fffffe000079b984>] __sys_sendmsg+0x4c/0x94
[<fffffe000079b9f8>] SyS_sendmsg+0x2c/0x3c
The problem here is that the enet hw clocks are not getting
initialized because of a test to avoid the initialization if
UEFI is used to boot. This is an incorrect test. When booting
with UEFI and devicetree, the kernel must still initialize
the enet hw clocks. If booting with ACPI, the clock hw is
not exposed to the kernel and it is that case where we want
to avoid initializing clocks.
Signed-off-by: Mark Salter <msalter@redhat.com>
Acked-by: Feng Kan <fkan@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
EEH recovery for bnx2x based adapters is not reliable on all Power
systems using the default hot reset, which can result in an
unrecoverable EEH error. Forcing the use of fundamental reset
during EEH recovery fixes this.
Cc: stable<stable@vger.kernel.org>
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Vrabel says:
====================
xen-netback: fix ethtool stats and memory leak
A couple of bug fixes for netback:
- make ethool stats to report the correct values.
- don't leak 1 MiB every time a VIF is destroyed.
Changes in v2:
- Split 2nd patch into leak fix and refactor patches
====================
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When handling a from-guest frag list, xenvif_handle_frag_list()
replaces the frags before calling the destructor to clean up the
original (foreign) frags. Whilst this is safe (the destructor doesn't
actually use the frags), it looks odd.
Reorder the function to be less confusing.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Every time a VIF is destroyed up to 256 pages may be leaked if packets
with more than MAX_SKB_FRAGS frags were transmitted from the guest.
Even worse, if another user of ballooned pages allocated one of these
ballooned pages it would not handle the unexpectedly >1 page count
(e.g., gntdev would deadlock when unmapping a grant because the page
count would never reach 1).
When handling a from-guest skb with a frag list, unref the frags
before releasing them so they are freed correctly when the VIF is
destroyed.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Use correct pointer arithmetic to get the pointer to each stat.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I recently did a rework of the smc91x driver and did some build-testing
by compiling hundreds of randconfig kernels. Unfortunately, my script
was wrong and did not actually test the configurations that mattered,
so I introduced stupid typos in almost every file I touched.
I fixed my script now, built all configurations that actually matter
and fixed all the typos, this is the result.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: b70661c708 ("net: smc91x: use run-time configuration on all ARM machines")
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently the list is traversed using rcu variant. That is not correct
since dev_set_mac_address can be called which eventually calls
rtmsg_ifinfo_build_skb and there, skb allocation can sleep. So fix this
by remove the rcu usage here.
Fixes: 3d249d4ca7 "net: introduce ethernet teaming device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Iyappan Subramanian says:
====================
drivers: net: xgene: Fix backward compatibility of newer firmware with older kernel
Kernel 3.17 driver supports only RGMII ethernet interface.
Since the Tianocore DT contains same compatibility string for RGMII,
SGMII based 1G and XFI based 10G interfaces, crash happens when probe called
on SGMII based 1G and XFI based 10G interface.
This patch fixes the backward compatibility of the older driver with the
newer firmware by making the binding unique so that the older driver won't
recognize the non-supported interfaces.
v2: Address comments from v1
* updated cover letter subject line with net: xgene
* Documentation: formatted compatible string values as list
v1:
* Initial version
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the backward compatibile of the older driver with the
newer firmware by making the binding unique so that the older driver won't
recognize the non-supported interfaces.
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the backward compatibility of the older driver with the
newer firmware by making the binding unique so that the older driver won't
recognize the non-supported interfaces.
The new bindings are in sync with the newer firmware.
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1. For an IPv4 ping socket, ping_check_bind_addr does not check
the family of the socket address that's passed in. Instead,
make it behave like inet_bind, which enforces either that the
address family is AF_INET, or that the family is AF_UNSPEC and
the address is 0.0.0.0.
2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL
if the socket family is not AF_INET6. Return EAFNOSUPPORT
instead, for consistency with inet6_bind.
3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT
instead of EINVAL if an incorrect socket address structure is
passed in.
4. Make IPv6 ping sockets be IPv6-only. The code does not support
IPv4, and it cannot easily be made to support IPv4 because
the protocol numbers for ICMP and ICMPv6 are different. This
makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead
of making the socket unusable.
Among other things, this fixes an oops that can be triggered by:
int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
struct sockaddr_in6 sin6 = {
.sin6_family = AF_INET6,
.sin6_addr = in6addr_any,
};
bind(s, (struct sockaddr *) &sin6, sizeof(sin6));
Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In case there was some tx buffer reclaimed and not enough rx packets
to consume the whole budget, napi_complete would not be called and
interrupts would be kept disabled, effectively resulting in the
network core never to call the poll callback again and no rx/tx
interrupts to be fired either.
Fix that by only accounting the rx work done in the poll callback.
Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently we're getting IRQs after lots of resources are already
allocated:
* netdev
* clocks
* MDIO bus
Also HW gets initialized by the time when checking IRQs as well.
Now there's a possibility for master interrupt controller to be not
probed yet. This will lead to exit from GMAC probe routine with "-
EPROBE_DEFER" and so deferred probe will hapen later on.
But since we exited the first GMAC probe without release of all
allocated resources there could be conflicts on subsequent probes.
For example this is what happens for me:
--->8---
stmmaceth e0018000.ethernet: no reset control found
stmmac - user ID: 0x10, Synopsys ID: 0x37
Ring mode enabled
DMA HW capability register supported
Normal descriptors
RX Checksum Offload Engine supported (type 2)
TX Checksum insertion supported
Enable RX Mitigation via HW Watchdog Timer
libphy: stmmac: probed
eth0: PHY ID 20005c7a at 1 IRQ POLL (stmmac-0:01) active
platform e0018000.ethernet: Driver stmmaceth requests probe deferral
...
...
...
stmmaceth e0018000.ethernet: no reset control found
stmmac - user ID: 0x10, Synopsys ID: 0x37
Ring mode enabled
DMA HW capability register supported
Normal descriptors
RX Checksum Offload Engine supported (type 2)
TX Checksum insertion supported
Enable RX Mitigation via HW Watchdog Timer
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x4e/0x68()
sysfs: cannot create duplicate filename
'/devices/platform/axs10x_mb/e0018000.ethernet/mdio_bus/stmmac-0'
CPU: 0 PID: 6 Comm: kworker/u2:0 Not tainted 4.0.0-rc1-next-20150303+#8
Workqueue: deferwq deferred_probe_work_func
Stack Trace:
arc_unwind_core+0xb8/0x114
warn_slowpath_common+0x5a/0x8c
warn_slowpath_fmt+0x2e/0x38
sysfs_warn_dup+0x4e/0x68
sysfs_create_dir_ns+0x98/0xa0
kobject_add_internal+0x8c/0x2e8
kobject_add+0x4a/0x8c
device_add+0xc6/0x448
mdiobus_register+0x6c/0x164
stmmac_mdio_register+0x112/0x264
stmmac_dvr_probe+0x6c0/0x85c
stmmac_pltfr_probe+0x2e4/0x50c
platform_drv_probe+0x26/0x5c
really_probe+0x76/0x1dc
bus_for_each_drv+0x42/0x7c
device_attach+0x64/0x6c
bus_probe_device+0x74/0xa4
deferred_probe_work_func+0x50/0x84
process_one_work+0xf8/0x2cc
worker_thread+0x110/0x478
kthread+0x8a/0x9c
ret_from_fork+0x14/0x18
---[ end trace a2dfaa7d630c8be1 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6 at lib/kobject.c:240
kobject_add_internal+0x218/0x2e8()
kobject_add_internal failed for stmmac-0 with -EEXIST, don't try to
register things with the same name in the same di.
CPU: 0 PID: 6 Comm: kworker/u2:0 Tainted: G W
4.0.0-rc1-next-20150303+ #8
Workqueue: deferwq deferred_probe_work_func
Stack Trace:
arc_unwind_core+0xb8/0x114
warn_slowpath_common+0x5a/0x8c
warn_slowpath_fmt+0x2e/0x38
kobject_add_internal+0x218/0x2e8
kobject_add+0x4a/0x8c
device_add+0xc6/0x448
mdiobus_register+0x6c/0x164
stmmac_mdio_register+0x112/0x264
stmmac_dvr_probe+0x6c0/0x85c
stmmac_pltfr_probe+0x2e4/0x50c
platform_drv_probe+0x26/0x5c
really_probe+0x76/0x1dc
bus_for_each_drv+0x42/0x7c
device_attach+0x64/0x6c
bus_probe_device+0x74/0xa4
deferred_probe_work_func+0x50/0x84
process_one_work+0xf8/0x2cc
worker_thread+0x110/0x478
kthread+0x8a/0x9c
ret_from_fork+0x14/0x18
---[ end trace a2dfaa7d630c8be2 ]---
libphy: mii_bus stmmac-0 failed to register
: Cannot register as MDIO bus
stmmac_pltfr_probe: main driver probe failed
stmmaceth: probe of e0018000.ethernet failed with error -22
--->8---
Essential fix is to check for IRQs availability as early as possible and
then safely go to deferred probe if IRQs are not there yet.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Sonic Zhang <sonic.zhang@analog.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
- minor timeout & other fixes on reservation/fence
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJU9q1GAAoJEAG+/NWsLn5bzhEQAOOVtIPmM2mF/FChUXROAv/M
AFNGamRi+F1cJH2dWNJCUKpqBDKw/73g84Qj7LH7VcnBZO3nc8fy9cBYIJ3yBrYE
fcUl88yzm7iQSlunlayBT+krItCxzzhVjS31OoEsQKlm1UdllYre0VPX/F50Zz2q
eB+ts6pRj7qRBfrX4bJ/zAoaAvLnHYxLCF/ib6toHCY2q0gnSzKq+LCUheGAKcc9
6Yi8uDd3oqOU9TJbP5kQgUhNgv/CmWeHATssmpbf81WUSavg7+WDQAy+eQz65z93
DIdP97GWEz+I9ClU1u0eG8JYUozvQ/YiY/DMqDcrZxoyTVSMdyRlnTMAXZZDVExJ
Op/n2IGj6Bu7sluDdtGvO8xSypCufLZm29upUWtmLsR5tsTtBcKGidBC0sqfpdSI
pDq4+KpFfxCfCx0iFnDATHnjFANNUZIOt14+eKnQZ58mximYphn/0iLO4q68VvSE
1E4JVMTOGXKcsA0XLqbIz8lsCEOva29svooXrOA7Hybb7bUnWXAfMMthvyAhWWVe
At0ZBJF1Ajx/UadfvhdRMuiZDPCbxrTcU344rxxANHfjBiDX99VqyvCoSFEqAMyL
iDhBK8xkOB/5f9k9KEd3dGU9ABvTmrg9sw2UbS0rDxkU0yZLE2+ajseQTFmJB4Dh
qHwFXLXN91FM4NwgeS73
=k3LO
-----END PGP SIGNATURE-----
Merge tag 'dma-buf-for-4.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/sumits/dma-buf
Pull dma-buf fixes from Sumit Semwal:
"Minor timeout & other fixes on reservation/fence"
* tag 'dma-buf-for-4.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/sumits/dma-buf:
reservation: Remove shadowing local variable 'ret'
dma-buf/fence: don't wait when specified timeout is zero
reservation: wait only with non-zero timeout specified (v3)
In general, if a transaction object is added to the list successfully,
we can rely on the abort path to undo what we've done. This allows us to
simplify the error handling of the rule replacement path in
nf_tables_newrule().
This implicitly fixes an unnecessary removal of the old rule, which
needs to be left in place if we fail to replace.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The NFT_USERDATA_MAXLEN is defined to 256, however we only have a u8
to store its size. Introduce a struct nft_userdata which contains a
length field and indicate its presence using a single bit in the rule.
The length field of struct nft_userdata is also a u8, however we don't
store zero sized data, so the actual length is udata->len + 1.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Check that the space required for the expressions doesn't exceed the
size of the dlen field, which would lead to the iterators crashing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
A race condition exists in the rule transaction code for rules that
get added and removed within the same transaction.
The new rule starts out as inactive in the current and active in the
next generation and is inserted into the ruleset. When it is deleted,
it is additionally set to inactive in the next generation as well.
On commit the next generation is begun, then the actions are finalized.
For the new rule this would mean clearing out the inactive bit for
the previously current, now next generation.
However nft_rule_clear() clears out the bits for *both* generations,
activating the rule in the current generation, where it should be
deactivated due to being deleted. The rule will thus be active until
the deletion is finalized, removing the rule from the ruleset.
Similarly, when aborting a transaction for the same case, the undo
of insertion will remove it from the RCU protected rule list, the
deletion will clear out all bits. However until the next RCU
synchronization after all operations have been undone, the rule is
active on CPUs which can still see the rule on the list.
Generally, there may never be any modifications of the current
generations' inactive bit since this defeats the entire purpose of
atomicity. Change nft_rule_clear() to only touch the next generations
bit to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Fix for dynticks.
- Fix for smpboot bug.
- Fix for IOMMU group refcounting.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJU9mwsAAoJEFHr6jzI4aWAS28QALF6rTNK0lywqO+eV75BRLco
z8eINZozRJBBXjt5ATp4zJSAjOpnRNFlclfDPEcYav51cyxZRREbD322rMYR5uOL
9ixnOTDGpOFE9Sgt562OEVmRadAVrJf9gKw7/Cjebxb9XgfwpepvwBfN8Xxl1yc+
LnvnkJN327nDaBnWP7eTSkTeiznhDCdXz0HYmO1zUnrico2AZ/9qVdd+XD/QTk6o
t6m+aTowy9+4Ps7B4Y/l5dmKuOruFMxwSWFhUZrC6huvArJrYAMGvMT7++r2JTW4
tyHBCuB3pWHBm3BjlcR23sZoi8jPVkulKKLShGiXwaZxCSOhwMLwwFFVBHw2gJIW
grzzAtkM5cXACmGKiCWzAc8WMM0+u4vz/w1md+Nt4XvtZssRJwbXdJJHh7nXq+RE
M7IDnyvLI5m8Ae7qAnAts2Lf1SRZALY0zOUyS0jsn6jDJUw49BbKD54RuFqNzuhL
70dEsHy+awHEagIO47q+JEFWPaG20HzupVDe33j7KEx20xROvC4R2u+LIEG8YiJH
ve4xDVwTM7rVqvIvb17Rs0LLqKs8P9O7sQFoQf2V/xie/X1QwHDZsC24C4r07M/+
7ZqL9og3/nMo9SIKE1eNgBHq0FmUgOYkoaF+biDuzava9JYNxeT7nOhFfOqNz4RO
M+tgZwHU1NDpVHJerdP3
=8wky
-----END PGP SIGNATURE-----
Merge tag 'powerpc-4.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fixes from Michael Ellerman:
- Fix for dynticks.
- Fix for smpboot bug.
- Fix for IOMMU group refcounting.
* tag 'powerpc-4.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
powerpc/iommu: Remove IOMMU device references via bus notifier
powerpc/smp: Wait until secondaries are active & online
powerpc: Re-enable dynticks
After d905c5df9a ("PPC: POWERNV: move iommu_add_device earlier"), the
refcnt on the kobject backing the IOMMU group for a PCI device is
elevated by each call to pci_dma_dev_setup_pSeriesLP() (via
set_iommu_table_base_and_group). When we go to dlpar a multi-function
PCI device out:
iommu_reconfig_notifier ->
iommu_free_table ->
iommu_group_put
BUG_ON(tbl->it_group)
We trip this BUG_ON, because there are still references on the table, so
it is not freed. Fix this by moving the powernv bus notifier to common
code and calling it for both powernv and pseries.
Fixes: d905c5df9a ("PPC: POWERNV: move iommu_add_device earlier")
Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Tested-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Anton has a busy ppc64le KVM box where guests sometimes hit the infamous
"kernel BUG at kernel/smpboot.c:134!" issue during boot:
BUG_ON(td->cpu != smp_processor_id());
Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops
output confirms it:
CPU: 0
Comm: watchdog/130
The problem is that we aren't ensuring the CPU active bit is set for the
secondary before allowing the master to continue on. The master unparks
the secondary CPU's kthreads and the scheduler looks for a CPU to run
on. It calls select_task_rq() and realises the suggested CPU is not in
the cpus_allowed mask. It then ends up in select_fallback_rq(), and
since the active bit isnt't set we choose some other CPU to run on.
This seems to have been introduced by 6acbfb9697 "sched: Fix hotplug
vs. set_cpus_allowed_ptr()", which changed from setting active before
online to setting active after online. However that was in turn fixing a
bug where other code assumed an active CPU was also online, so we can't
just revert that fix.
The simplest fix is just to spin waiting for both active & online to be
set. We already have a barrier prior to set_cpu_online() (which also
sets active), to ensure all other setup is completed before online &
active are set.
Fixes: 6acbfb9697 ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Pull nfsd fixes from Bruce Fields:
"Three miscellaneous bugfixes, most importantly the clp->cl_revoked
bug, which we've seen several reports of people hitting"
* 'for-4.0' of git://linux-nfs.org/~bfields/linux:
sunrpc: integer underflow in rsc_parse()
nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd
svcrpc: fix memory leak in gssp_accept_sec_context_upcall
Pull networking fixes from David Miller:
1) If an IPVS tunnel is created with a mixed-family destination
address, it cannot be removed. Fix from Alexey Andriyanov.
2) Fix module refcount underflow in netfilter's nft_compat, from Pablo
Neira Ayuso.
3) Generic statistics infrastructure can reference variables sitting on
a released function stack, therefore use dynamic allocation always.
Fix from Ignacy Gawędzki.
4) skb_copy_bits() return value test is inverted in ip_check_defrag().
5) Fix network namespace exit in openvswitch, we have to release all of
the per-net vports. From Pravin B Shelar.
6) Fix signedness bug in CAIF's cfpkt_iterate(), from Dan Carpenter.
7) Fix rhashtable grow/shrink behavior, only expand during inserts and
shrink during deletes. From Daniel Borkmann.
8) Netdevice names with semicolons should never be allowed, because
they serve as a separator. From Matthew Thode.
9) Use {,__}set_current_state() where appropriate, from Fabian
Frederick.
10) Revert byte queue limits support in r8169 driver, it's causing
regressions we can't figure out.
11) tcp_should_expand_sndbuf() erroneously uses tp->packets_out to
measure packets in flight, properly use tcp_packets_in_flight()
instead. From Neal Cardwell.
12) Fix accidental removal of support for bluetooth in CSR based Intel
wireless cards. From Marcel Holtmann.
13) We accidently added a behavioral change between native and compat
tasks, wrt testing the MSG_CMSG_COMPAT bit. Just ignore it if the
user happened to set it in a native binary as that was always the
behavior we had. From Catalin Marinas.
14) Check genlmsg_unicast() return valud in hwsim netlink tx frame
handling, from Bob Copeland.
15) Fix stale ->radar_required setting in mac80211 that can prevent
starting new scans, from Eliad Peller.
16) Fix memory leak in nl80211 monitor, from Johannes Berg.
17) Fix race in TX index handling in xen-netback, from David Vrabel.
18) Don't enable interrupts in amx-xgbe driver until all software et al.
state is ready for the interrupt handler to run. From Thomas
Lendacky.
19) Add missing netlink_ns_capable() checks to rtnl_newlink(), from Eric
W Biederman.
20) The amount of header space needed in macvtap was not calculated
properly, fix it otherwise we splat past the beginning of the
packet. From Eric Dumazet.
21) Fix bcmgenet TCP TX perf regression, from Jaedon Shin.
22) Don't raw initialize or mod timers, use setup_timer() and
mod_timer() instead. From Vaishali Thakkar.
23) Fix software maintained statistics in bcmgenet and systemport
drivers, from Florian Fainelli.
24) DMA descriptor updates in sh_eth need proper memory barriers, from
Ben Hutchings.
25) Don't do UDP Fragmentation Offload on RAW sockets, from Michal
Kubecek.
26) Openvswitch's non-masked set actions aren't constructed properly
into netlink messages, fix from Joe Stringer.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
openvswitch: Fix serialization of non-masked set actions.
gianfar: Reduce logging noise seen due to phy polling if link is down
ibmveth: Add function to enable live MAC address changes
net: bridge: add compile-time assert for cb struct size
udp: only allow UFO for packets from SOCK_DGRAM sockets
sh_eth: Really fix padding of short frames on TX
Revert "sh_eth: Enable Rx descriptor word 0 shift for r8a7790"
sh_eth: Fix RX recovery on R-Car in case of RX ring underrun
sh_eth: Ensure proper ordering of descriptor active bit write/read
net/mlx4_en: Disbale GRO for incoming loopback/selftest packets
net/mlx4_core: Fix wrong mask and error flow for the update-qp command
net: systemport: fix software maintained statistics
net: bcmgenet: fix software maintained statistics
rxrpc: don't multiply with HZ twice
rxrpc: terminate retrans loop when sending of skb fails
net/hsr: Fix NULL pointer dereference and refcnt bugs when deleting a HSR interface.
net: pasemi: Use setup_timer and mod_timer
net: stmmac: Use setup_timer and mod_timer
net: 8390: axnet_cs: Use setup_timer and mod_timer
net: 8390: pcnet_cs: Use setup_timer and mod_timer
...
Set actions consist of a regular OVS_KEY_ATTR_* attribute nested inside
of a OVS_ACTION_ATTR_SET action attribute. When converting masked actions
back to regular set actions, the inner attribute length was not changed,
ie, double the length being serialized. This patch fixes the bug.
Fixes: 83d2b9b ("net: openvswitch: Support masked set actions.")
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 6ce29b0e2a ("gianfar: Avoid unnecessary reg accesses in adjust_link()")
eliminates unnecessary calls to adjust_link for phy devices which don't support
interrupts and need polling. As part of that work, the 'new_state' local flag,
which was used to reduce logging noise on the console, was eliminated.
Unfortunately, that means that a 'Link is Down' log message will now be
issued continuously if a link is configured as UP, the link state is down,
and the associated phy requires polling. This occurs because priv->oldduplex
is -1 in this case, which always differs from phydev->duplex. In addition,
phydev->speed may also differ from priv->oldspeed. gfar_update_link_state()
is therefore called each time a phy is polled, even if the link state did not
change.
Cc: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Claudiu Manoil <claudiu.manoil@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add a function that will enable changing the MAC address
of an ibmveth interface while it is still running.
Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Reviewed-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
make build fail if structure no longer fits into ->cb storage.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
This is a tricky story of the new atomic state handling and the legacy
code fighting over each another. The bug at hand is an underrun of the
framebuffer reference with subsequent hilarity caused by the load
detect code. Which is peculiar since the the exact same code works
fine as the implementation of the legacy setcrtc ioctl.
Let's look at the ingredients:
- Currently our code is a crazy mix of legacy modeset interfaces to
set the parameters and half-baked atomic state tracking underneath.
While this transition is going we're using the transitional plane
helpers to update the atomic side (drm_plane_helper_disable/update
and friends), i.e. plane->state->fb. Since the state structure owns
the fb those functions take care of that themselves.
The legacy state (specifically crtc->primary->fb) is still managed
by the old code (and mostly by the drm core), with the fb reference
counting done by callers (core drm for the ioctl or the i915 load
detect code). The relevant commit is
commit ea2c67bb4a
Author: Matt Roper <matthew.d.roper@intel.com>
Date: Tue Dec 23 10:41:52 2014 -0800
drm/i915: Move to atomic plane helpers (v9)
- drm_plane_helper_disable has special code to handle multiple calls
in a row - it checks plane->crtc == NULL and bails out. This is to
match the proper atomic implementation which needs the crtc to get
at the implied locking context atomic updates always need. See
commit acf24a395c
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Tue Jul 29 15:33:05 2014 +0200
drm/plane-helper: transitional atomic plane helpers
- The universal plane code split out the implicit primary plane from
the CRTC into it's own full-blown drm_plane object. As part of that
the setcrtc ioctl (which updated both the crtc mode and primary
plane) learned to set crtc->primary->crtc on modeset to make sure
the plane->crtc assignments statate up to date in
commit e13161af80
Author: Matt Roper <matthew.d.roper@intel.com>
Date: Tue Apr 1 15:22:38 2014 -0700
drm: Add drm_crtc_init_with_planes() (v2)
Unfortunately we've forgotten to update the load detect code. Which
wasn't a problem since the load detect modeset is temporary and
always undone before we drop the locks.
- Finally there is a organically grown history (i.e. don't ask) around
who sets the legacy plane->fb for the various driver entry points.
Originally updating that was the drivers duty, but for almost all
places we've moved that (plus updating the refcounts) into the core.
Again the exception is the load detect code.
Taking all together the following happens:
- The load detect code doesn't set crtc->primary->crtc. This is only
really an issue on crtcs never before used or when userspace
explicitly disabled the primary plane.
- The plane helper glue code short-circuits because of that and leaves
a non-NULL fb behind in plane->state->fb and plane->fb. The state
fb isn't a real problem (it's properly refcounted on its own), it's
just the canary.
- Load detect code drops the reference for that fb, but doesn't set
plane->fb = NULL. This is ok since it's still living in that old
world where drivers had to clear the pointer but the core/callers
handled the refcounting.
- On the next modeset the drm core notices plane->fb and takes care of
refcounting it properly by doing another unref. This drops the
refcount to zero, leaving state->plane now pointing at freed memory.
- intel_plane_duplicate_state still assume it owns a reference to that
very state->fb and bad things start to happen.
Fix this all by applying the same duct-tape as for the legacy setcrtc
ioctl code and set crtc->primary->crtc properly.
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Paulo Zanoni <przanoni@gmail.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Matt Roper <matthew.d.roper@intel.com>
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
If an over-MTU UDP datagram is sent through a SOCK_RAW socket to a
UFO-capable device, ip_ufo_append_data() sets skb->ip_summed to
CHECKSUM_PARTIAL unconditionally as all GSO code assumes transport layer
checksum is to be computed on segmentation. However, in this case,
skb->csum_start and skb->csum_offset are never set as raw socket
transmit path bypasses udp_send_skb() where they are usually set. As a
result, driver may access invalid memory when trying to calculate the
checksum and store the result (as observed in virtio_net driver).
Moreover, the very idea of modifying the userspace provided UDP header
is IMHO against raw socket semantics (I wasn't able to find a document
clearly stating this or the opposite, though). And while allowing
CHECKSUM_NONE in the UFO case would be more efficient, it would be a bit
too intrusive change just to handle a corner case like this. Therefore
disallowing UFO for packets from SOCK_DGRAM seems to be the best option.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings says:
====================
Fixes for sh_eth #4 v2
I'm continuing review and testing of Ethernet support on the R-Car H2
chip, with help from a colleague. This series fixes a few more issues.
These are not tested on any of the other supported chips.
v2: Add note that the revert is not a pure revert.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
My previous fix to clear padding of short frames used skb->len as the
DMA length, assuming that skb_padto() extended skb->len to include the
padding. That isn't the case; we need to use skb_put_padto() instead.
(This wasn't immediately obvious because software padding isn't
actually needed on the R-Car H2. We could make it conditional on
which chip is being driven, but it's probably not worth the effort.)
Reported-by: "Violeta Menéndez González" <violeta.menendez@codethink.co.uk>
Fixes: 612a17a54b50 ("sh_eth: Fix padding of short frames on TX")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit fd9af07c34.
The hardware manual states that the frame error and multicast bits are
copied to bits 9:0 of RD0, not bits 25:16. I've tested that this is
true for RFS1 (CRC error), RFS3 (frame too short), RFS4 (frame too
long) and RFS8 (multicast).
Also adjust a comment to agree with this.
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
