kernel/linux.git, branch v3.0.64 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.0.64 2013-02-14T18:50:09+00:00 Linux 3.0.64 2013-02-14T18:50:09+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-02-14T18:50:09+00:00 urn:sha1:54ea5b40f067cf098cac639973c6628c6944cfb2 netback: correct netbk_tx_err to handle wrap around. 2013-02-14T18:47:45+00:00 Ian Campbell Ian.Campbell@citrix.com 2013-02-06T23:41:38+00:00 urn:sha1:7406f4230c4d086793cc62fa657750abf98559d6 [ Upstream commit b9149729ebdcfce63f853aa54a404c6a8f6ebbf3 ] Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> xen/netback: free already allocated memory on failure in xen_netbk_get_requests 2013-02-14T18:47:40+00:00 Ian Campbell Ian.Campbell@citrix.com 2013-02-06T23:41:37+00:00 urn:sha1:1d08d86d53d881952af35f841d8cf5ff23f726d9 [ Upstream commit 4cc7c1cb7b11b6f3515bd9075527576a1eecc4aa ] Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop. 2013-02-14T18:47:37+00:00 Matthew Daley mattjd@gmail.com 2013-02-06T23:41:36+00:00 urn:sha1:f0457844e605984a12b8043c3e21554b9b1fc8a5 [ Upstream commit 7d5145d8eb2b9791533ffe4dc003b129b9696c48 ] Signed-off-by: Matthew Daley <mattjd@gmail.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> xen/netback: shutdown the ring if it contains garbage. 2013-02-14T18:47:37+00:00 Ian Campbell Ian.Campbell@citrix.com 2013-02-06T23:41:35+00:00 urn:sha1:2af567a11daa093a0141d675f8b3f1ab8ae8e70f [ Upstream commit 48856286b64e4b66ec62b94e504d0b29c1ade664 ] A buggy or malicious frontend should not be able to confuse netback. If we spot anything which is not as it should be then shutdown the device and don't try to continue with the ring in a potentially hostile state. Well behaved and non-hostile frontends will not be penalised. As well as making the existing checks for such errors fatal also add a new check that ensures that there isn't an insane number of requests on the ring (i.e. more than would fit in the ring). If the ring contains garbage then previously is was possible to loop over this insane number, getting an error each time and therefore not generating any more pending requests and therefore not exiting the loop in xen_netbk_tx_build_gops for an externded period. Also turn various netdev_dbg calls which no precipitate a fatal error into netdev_err, they are rate limited because the device is shutdown afterwards. This fixes at least one known DoS/softlockup of the backend domain. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tg3: Fix crc errors on jumbo frame receive 2013-02-14T18:47:37+00:00 Nithin Nayak Sujir nsujir@broadcom.com 2013-01-14T17:11:00+00:00 urn:sha1:01cc083b977577eae3e91372f868019efc39bfeb [ Upstream commit daf3ec688e057f6060fb9bb0819feac7a8bbf45c ] TG3_PHY_AUXCTL_SMDSP_ENABLE/DISABLE macros do a blind write to the phy auxiliary control register and overwrite the EXT_PKT_LEN (bit 14) resulting in intermittent crc errors on jumbo frames with some link partners. Change the code to do a read/modify/write. Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode 2013-02-14T18:47:37+00:00 Nithin Nayak Sujir nsujir@broadcom.com 2013-01-14T17:10:59+00:00 urn:sha1:98d5919834d6091f0a4144ebd3c2c17f1b883d84 [ Upstream commit 9c13cb8bb477a83b9a3c9e5a5478a4e21294a760 ] When netconsole is enabled, logging messages generated during tg3_open can result in a null pointer dereference for the uninitialized tg3 status block. Use the irq_sync flag to disable polling in the early stages. irq_sync is cleared when the driver is enabling interrupts after all initialization is completed. Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> bridge: Pull ip header into skb->data before looking into ip header. 2013-02-14T18:47:37+00:00 Sarveshwar Bandi sarveshwar.bandi@emulex.com 2012-10-10T01:15:01+00:00 urn:sha1:98df2584aaa730220adc29a7fbfa1c551fee5930 [ Upstream commit 6caab7b0544e83e6c160b5e80f5a4a7dd69545c7 ] If lower layer driver leaves the ip header in the skb fragment, it needs to be first pulled into skb->data before inspecting ip header length or ip version number. Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tcp: fix MSG_SENDPAGE_NOTLAST logic 2013-02-14T18:47:36+00:00 Eric Dumazet edumazet@google.com 2013-01-06T18:21:49+00:00 urn:sha1:9f557574821b44a87d95756bf53f1b7fb76eb4d4 [ Upstream commit ae62ca7b03217be5e74759dc6d7698c95df498b3 ] commit 35f9c09fe9c72e (tcp: tcp_sendpages() should call tcp_push() once) added an internal flag : MSG_SENDPAGE_NOTLAST meant to be set on all frags but the last one for a splice() call. The condition used to set the flag in pipe_to_sendpage() relied on splice() user passing the exact number of bytes present in the pipe, or a smaller one. But some programs pass an arbitrary high value, and the test fails. The effect of this bug is a lack of tcp_push() at the end of a splice(pipe -> socket) call, and possibly very slow or erratic TCP sessions. We should both test sd->total_len and fact that another fragment is in the pipe (pipe->nrbufs > 1) Many thanks to Willy for providing very clear bug report, bisection and test programs. Reported-by: Willy Tarreau <w@1wt.eu> Bisected-by: Willy Tarreau <w@1wt.eu> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tcp: fix for zero packets_in_flight was too broad 2013-02-14T18:47:35+00:00 Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2013-02-04T02:14:25+00:00 urn:sha1:31885683c218d57ff90d827a1be5c5d3cb4263ac [ Upstream commit 6731d2095bd4aef18027c72ef845ab1087c3ba63 ] There are transients during normal FRTO procedure during which the packets_in_flight can go to zero between write_queue state updates and firing the resulting segments out. As FRTO processing occurs during that window the check must be more precise to not match "spuriously" :-). More specificly, e.g., when packets_in_flight is zero but FLAG_DATA_ACKED is true the problematic branch that set cwnd into zero would not be taken and new segments might be sent out later. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Tested-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>