summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2012-11-04Merge tag 'nfs-for-3.7-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfsLinus Torvalds1-1/+1
Pull NFS client bugfixes from Trond Myklebust: - Fix a bunch of deadlock situations: * State recovery can deadlock if we fail to release sequence ids before scheduling the recovery thread. * Calling deactivate_super() from an RPC workqueue thread can deadlock because of the call to rpc_shutdown_client. - Display the device name correctly in /proc/*/mounts - Fix a number of incorrect error return values: * When NFSv3 mounts fail due to a timeout. * On NFSv4.1 backchannel setup failure * On NFSv4 open access checks - pnfs_find_alloc_layout() must check the layout pointer for NULL - Fix a regression in the legacy DNS resolved * tag 'nfs-for-3.7-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFS4: nfs4_opendata_access should return errno NFSv4: Initialise the NFSv4.1 slot table highest_used_slotid correctly SUNRPC: return proper errno from backchannel_rqst NFS: add nfs_sb_deactive_async to avoid deadlock nfs: Show original device name verbatim in /proc/*/mount{s,info} nfsv3: Make v3 mounts fail with ETIMEDOUTs instead EIO on mountd timeouts nfs: Check whether a layout pointer is NULL before free it NFS: fix bug in legacy DNS resolver. NFSv4: nfs4_locku_done must release the sequence id NFSv4.1: We must release the sequence id when we fail to get a session slot NFS: Wait for session recovery to finish before returning
2012-11-03Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds15-46/+125
Pull networking fixes from David Miller: "First post-Sandy pull request" 1) Fix antenna gain handling and initialization of chan->max_reg_power in wireless, from Felix Fietkau. 2) Fix nexthop handling in H.232 conntrack helper, from Julian Anastasov. 3) Only process 80211 mesh config header in certain kinds of frames, from Javier Cardona. 4) 80211 management frame header length needs to be validated, from Johannes Berg. 5) Don't access free'd SKBs in ath9k driver, from Felix Fietkay. 6) Test for permanent state correctly in VXLAN driver, from Stephen Hemminger. 7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov. 8) Fix off by one errors in bonding, from Nikolay ALeksandrov. 9) Fix divide by zero in TCP-Illinois congestion control. From Jesper Dangaard Brouer. 10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a sizeof of a sizeof, so you can size your size" Fix from Julian Anastasov. 11) Several drivers do mdiobus_free without first doing an mdiobus_unregister leading to stray pointer references. Fix from Peter Senna Tschudin. 12) Fix OOPS in l2tp_eth_create() error path, it's another danling pointer kinda situation. Fix from Tom Parkin. 13) Hardware driven by the vmxnet driver can't handle larger than 16K fragments, so split them up when necessary. From Eric Dumazet. 14) Handle zero length data length in tcp_send_rcvq() properly. Fix from Pavel Emelyanov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits) tcp-repair: Handle zero-length data put in rcv queue vmxnet3: must split too big fragments l2tp: fix oops in l2tp_eth_create() error path cxgb4: Fix unable to get UP event from the LLD drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free bnx2x: fix HW initialization using fw 7.8.x tcp: Fix double sizeof in new tcp_metrics code net: fix divide by zero in tcp algorithm illinois net: sctp: Fix typo in net/sctp bonding: fix second off-by-one error bonding: fix off-by-one error bnx2x: Disable FCoE for 57840 since not yet supported by FW bnx2x: Fix no link on 577xx 10G-baseT bnx2x: Fix unrecognized SFP+ module after driver is loaded bnx2x: Fix potential incorrect link speed provision bnx2x: Restore global registers back to default. bnx2x: Fix link down in 57712 following LFA bnx2x: Fix 57810 1G-KR link against certain switches. ixgbe: PTP get_ts_info missing software support ...
2012-11-03tcp-repair: Handle zero-length data put in rcv queuePavel Emelyanov1-0/+3
When sending data into a tcp socket in repair state we should check for the amount of data being 0 explicitly. Otherwise we'll have an skb with seq == end_seq in rcv queue, but tcp doesn't expect this to happen (in particular a warn_on in tcp_recvmsg shoots). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-03l2tp: fix oops in l2tp_eth_create() error pathTom Parkin1-0/+1
When creating an L2TPv3 Ethernet session, if register_netdev() should fail for any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the 32k-interface limit), the netdev is freed in the error path. However, the l2tp_eth_sess structure's dev pointer is left uncleared, and this results in l2tp_eth_delete() then attempting to unregister the same netdev later in the session teardown. This results in an oops. To avoid this, clear the session dev pointer in the error path. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01tcp: Fix double sizeof in new tcp_metrics codeJulian Anastasov1-1/+1
Fix double sizeof when parsing IPv6 address from user space because it breaks get/del by specific IPv6 address. Problem noticed by David Binderman: https://bugzilla.kernel.org/show_bug.cgi?id=49171 Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: fix divide by zero in tcp algorithm illinoisJesper Dangaard Brouer1-3/+5
Reading TCP stats when using TCP Illinois congestion control algorithm can cause a divide by zero kernel oops. The division by zero occur in tcp_illinois_info() at: do_div(t, ca->cnt_rtt); where ca->cnt_rtt can become zero (when rtt_reset is called) Steps to Reproduce: 1. Register tcp_illinois: # sysctl -w net.ipv4.tcp_congestion_control=illinois 2. Monitor internal TCP information via command "ss -i" # watch -d ss -i 3. Establish new TCP conn to machine Either it fails at the initial conn, or else it needs to wait for a loss or a reset. This is only related to reading stats. The function avg_delay() also performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its calling point in update_params(). Thus, simply fix tcp_illinois_info(). Function tcp_illinois_info() / get_info() is called without socket lock. Thus, eliminate any race condition on ca->cnt_rtt by using a local stack variable. Simply reuse info.tcpv_rttcnt, as its already set to ca->cnt_rtt. Function avg_delay() is not affected by this race condition, as its called with the socket lock. Cc: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: sctp: Fix typo in net/sctpMasanari Iida1-1/+1
Correct spelling typo in net/sctp/socket.c Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01SUNRPC: return proper errno from backchannel_rqstWeston Andros Adamson1-1/+1
The one and only caller (in fs/nfs/nfs4client.c) uses the result as an errno and would have interpreted an error as EPERM. Signed-off-by: Weston Andros Adamson <dros@netapp.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2012-10-31Merge branch 'for-davem' of ↵David S. Miller6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== This is a batch of fixes intended for 3.7... The biggest portion of this is a pull request from Johannes Berg: "Please pull my mac80211.git tree per below to get a number of fixes. I have included a patch from Antonio to fix a memcpy overrun, Felix's patches for the antenna gain/tx power issues, a few mesh-related fixes from Javier for mac80211 and my own patches to not access data that might not be present in an skb at all as well as a patch (the duplicate IE check one) to make mac80211 forward-compatible with potential future spec extensions that use the same IE multiple times. It's a bit bigger than I'd like maybe, but I think all of these are worthwhile fixes at this point." In addition... Felix Fietkau fixes an ath9k use-after-free issue. Stanislaw Gruszka adds a valid value check to rt2800. Sven Eckelmann adds a check to only check a TID value in a BlockAck, for frames that could be either a BlockAck or a normal Ack. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-31Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller4-5/+10
Pablo Neira Ayuso says: ==================== The following patchset contains fixes for your net tree, two of them are due to relatively recent changes, one has been a longstanding bug, they are: * Fix incorrect usage of rt_gateway in the H.323 helper, from Julian Anastasov. * Skip re-route in nf_nat code for ICMP traffic. If CONFIG_XFRM is enabled, we waste cycles to look up for the route again. This problem seems to be there since really long time. From Ulrich Weber. * Fix mismatching section in nf_conntrack_reasm, from Hein Tibosch. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-31Merge branch 'master' of ↵John W. Linville6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-10-29Merge branch 'for-john' of ↵John W. Linville6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-10-29Merge branch 'for-linus' of ↵Linus Torvalds1-2/+4
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client Pull Ceph fixes form Sage Weil: "There are two fixes in the messenger code, one that can trigger a NULL dereference, and one that error in refcounting (extra put). There is also a trivial fix that in the fs client code that is triggered by NFS reexport." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: ceph: fix dentry reference leak in encode_fh() libceph: avoid NULL kref_put when osd reset races with alloc_msg rbd: reset BACKOFF if unable to re-queue
2012-10-29netfilter: nf_defrag_ipv6: solve section mismatch in nf_conntrack_reasmHein Tibosch1-2/+2
WARNING: net/ipv6/netfilter/nf_defrag_ipv6.o(.text+0xe0): Section mismatch in reference from the function nf_ct_net_init() to the function .init.text:nf_ct_frag6_sysctl_register() The function nf_ct_net_init() references the function __init nf_ct_frag6_sysctl_register(). In case nf_conntrack_ipv6 is compiled as a module, nf_ct_net_init could be called after the init code and data are unloaded. Therefore remove the "__net_init" annotation from nf_ct_frag6_sysctl_register(). Signed-off-by: Hein Tibosch <hein_tibosch@yahoo.es> Acked-by: Cong Wang <amwang@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-29netfilter: nf_nat: don't check for port change on ICMP tuplesUlrich Weber2-2/+6
ICMP tuples have id in src and type/code in dst. So comparing src.u.all with dst.u.all will always fail here and ip_xfrm_me_harder() is called for every ICMP packet, even if there was no NAT. Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-27Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds24-72/+135
Pull networking fixes from David Miller: "This is what we usually expect at this stage of the game, lots of little things, mostly in drivers. With the occasional 'oops didn't mean to do that' kind of regressions in the core code." 1) Uninitialized data in __ip_vs_get_timeouts(), from Arnd Bergmann 2) Reject invalid ACK sequences in Fast Open sockets, from Jerry Chu. 3) Lost error code on return from _rtl_usb_receive(), from Christian Lamparter. 4) Fix reset resume on USB rt2x00, from Stanislaw Gruszka. 5) Release resources on error in pch_gbe driver, from Veaceslav Falico. 6) Default hop limit not set correctly in ip6_template_metrics[], fix from Li RongQing. 7) Gianfar PTP code requests wrong kind of resource during probe, fix from Wei Yang. 8) Fix VHOST net driver on big-endian, from Michael S Tsirkin. 9) Mallenox driver bug fixes from Jack Morgenstein, Or Gerlitz, Moni Shoua, Dotan Barak, and Uri Habusha. 10) usbnet leaks memory on TX path, fix from Hemant Kumar. 11) Use socket state test, rather than presence of FIN bit packet, to determine FIONREAD/SIOCINQ value. Fix from Eric Dumazet. 12) Fix cxgb4 build failure, from Vipul Pandya. 13) Provide a SYN_DATA_ACKED state to complement SYN_FASTOPEN in socket info dumps. From Yuchung Cheng. 14) Fix leak of security path in kfree_skb_partial(). Fix from Eric Dumazet. 15) Handle RX FIFO overflows more resiliently in pch_gbe driver, from Veaceslav Falico. 16) Fix MAINTAINERS file pattern for networking drivers, from Jean Delvare. 17) Add iPhone5 IDs to IPHETH driver, from Jay Purohit. 18) VLAN device type change restriction is too strict, and should not trigger for the automatically generated vlan0 device. Fix from Jiri Pirko. 19) Make PMTU/redirect flushing work properly again in ipv4, from Steffen Klassert. 20) Fix memory corruptions by using kfree_rcu() in netlink_release(). From Eric Dumazet. 21) More qmi_wwan device IDs, from Bjørn Mork. 22) Fix unintentional change of SNAT/DNAT hooks in generic NAT infrastructure, from Elison Niven. 23) Fix 3.6.x regression in xt_TEE netfilter module, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (57 commits) tilegx: fix some issues in the SW TSO support qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan net: usb: Fix memory leak on Tx data path net/mlx4_core: Unmap UAR also in the case of error flow net/mlx4_en: Don't use vlan tag value as an indication for vlan presence net/mlx4_en: Fix double-release-range in tx-rings bas_gigaset: fix pre_reset handling vhost: fix mergeable bufs on BE hosts gianfar_ptp: use iomem, not ioports resource tree in probe ipv6: Set default hoplimit as zero. NET_VENDOR_TI: make available for am33xx as well pch_gbe: fix error handling in pch_gbe_up() b43: Fix oops on unload when firmware not found mwifiex: clean up scan state on error mwifiex: return -EBUSY if specific scan request cannot be honored brcmfmac: fix potential NULL dereference Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz" ath9k_htc: Add PID/VID for a Ubiquiti WiFiStation rt2x00: usb: fix reset resume rtlwifi: pass rx setup error code to caller ...
2012-10-27mac80211: make sure data is accessible in EAPOL checkJohannes Berg1-8/+10
The code to allow EAPOL frames even when the station isn't yet marked associated needs to check that the incoming frame is long enough and due to paged RX it also can't assume skb->data contains the right data, it must use skb_copy_bits(). Fix this to avoid using data that doesn't really exist. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: verify that skb data is presentJohannes Berg2-2/+33
A number of places in the mesh code don't check that the frame data is present and in the skb header when trying to access. Add those checks and the necessary pskb_may_pull() calls. This prevents accessing data that doesn't actually exist. To do this, export ieee80211_get_mesh_hdrlen() to be able to use it in mac80211. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: check management frame header lengthJohannes Berg1-4/+8
Due to pskb_may_pull() checking the skb length, all non-management frames are checked on input whether their 802.11 header is fully present. Also add that check for management frames and remove a check that is now duplicate. This prevents accessing skb data beyond the frame end. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27wireless: drop invalid mesh address extension framesJohannes Berg1-5/+6
The mesh header can have address extension by a 4th or a 5th and 6th address, but never both. Drop such frames in 802.11 -> 802.3 conversion along with any frames that have the wrong extension. Cc: stable@vger.kernel.org Reviewed-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: fix SSID copy on IBSS JOINAntonio Quartulli1-1/+1
The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and its length is likely to be less than IEEE80211_MAX_SSID_LEN most of the time. This patch fixes the ssid copy in ieee80211_ibss_join() by using the SSID length to prevent it from reading beyond the string. Cc: stable@vger.kernel.org Signed-off-by: Antonio Quartulli <ordex@autistici.org> [rewrapped commit message, small rewording] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: don't inspect Sequence Control field on control framesJavier Cardona1-0/+4
Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is not present in control frames. We noticed this problem when processing Block Ack Requests. Cc: stable@vger.kernel.org Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Javier Lopez <jlopex@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Don't drop frames received with mesh ttl == 1Javier Cardona1-1/+1
Prior this fix, those frames were not received, nor forwarded. Fix this to receive and not forward. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Only process mesh config header on frames that RA_MATCHJavier Cardona1-4/+2
Doing otherwise is wrong, and may wreak havoc on the mpp tables, specially if the frame is encrypted. Cc: stable@vger.kernel.org Reported-by: Chaoxing Lin <Chaoxing.Lin@ultra-3eti.com> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25ipv6: Set default hoplimit as zero.Li RongQing1-2/+2
Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the hoplimit checking condition and default value in ip6_dst_hoplimit, not zeros all hoplimit default value. Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as const, cause as a37e6e344910(net: force dst_default_metrics to const section) Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-25libceph: avoid NULL kref_put when osd reset races with alloc_msgSage Weil1-1/+2
The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a message. If that races with a timeout that resends a zillion messages and resets the connection, and the ->alloc_msg() method returns a NULL message, it will call ceph_msg_put(NULL) and BUG. Fix by only calling put if msg is non-NULL. Fixes http://tracker.newdream.net/issues/3142 Signed-off-by: Sage Weil <sage@inktank.com>
2012-10-24mac80211: use blacklist for duplicate IE checkJohannes Berg1-7/+35
Instead of the current whitelist which accepts duplicates only for the quiet and vendor IEs, use a blacklist of all IEs (that we currently parse) that can't be duplicated. This avoids detecting a beacon as corrupt in the future when new IEs are added that can be duplicated. Cc: stable@vger.kernel.org Signed-off-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-24SUNRPC: Get rid of the xs_error_report socket callbackTrond Myklebust1-25/+0
Chris Perl reports that we're seeing races between the wakeup call in xs_error_report and the connect attempts. Basically, Chris has shown that in certain circumstances, the call to xs_error_report causes the rpc_task that is responsible for reconnecting to wake up early, thus triggering a disconnect and retry. Since the sk->sk_error_report() calls in the socket layer are always followed by a tcp_done() in the cases where we care about waking up the rpc_tasks, just let the state_change callbacks take responsibility for those wake ups. Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24SUNRPC: Prevent races in xs_abort_connection()Trond Myklebust1-5/+8
The call to xprt_disconnect_done() that is triggered by a successful connection reset will trigger another automatic wakeup of all tasks on the xprt->pending rpc_wait_queue. In particular it will cause an early wake up of the task that called xprt_connect(). All we really want to do here is clear all the socket-specific state flags, so we split that functionality out of xs_sock_mark_closed() into a helper that can be called by xs_abort_connection() Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."Trond Myklebust1-1/+1
This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e. Now that we clear the connected flag when entering TCP_CLOSE_WAIT, the deadlock described in this commit is no longer possible. Instead, the resulting call to xs_tcp_shutdown() can interfere with pending reconnection attempts. Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAITTrond Myklebust1-0/+1
This is needed to ensure that we call xprt_connect() upon the next call to call_connect(). Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-23tcp: Reject invalid ack_seq to Fast Open socketsJerry Chu2-4/+12
A packet with an invalid ack_seq may cause a TCP Fast Open socket to switch to the unexpected TCP_CLOSING state, triggering a BUG_ON kernel panic. When a FIN packet with an invalid ack_seq# arrives at a socket in the TCP_FIN_WAIT1 state, rather than discarding the packet, the current code will accept the FIN, causing state transition to TCP_CLOSING. This may be a small deviation from RFC793, which seems to say that the packet should be dropped. Unfortunately I did not expect this case for Fast Open hence it will trigger a BUG_ON panic. It turns out there is really nothing bad about a TFO socket going into TCP_CLOSING state so I could just remove the BUG_ON statements. But after some thought I think it's better to treat this case like TCP_SYN_RECV and return a RST to the confused peer who caused the unacceptable ack_seq to be generated in the first place. Signed-off-by: H.K. Jerry Chu <hkchu@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22net: fix secpath kmemleakEric Dumazet1-2/+4
Mike Kazantsev found 3.5 kernels and beyond were leaking memory, and tracked the faulty commit to a1c7fff7e18f59e ("net: netdev_alloc_skb() use build_skb()") While this commit seems fine, it uncovered a bug introduced in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function kfree_skb_partial()"): If head is stolen, we free the sk_buff, without removing references on secpath (skb->sp). So IPsec + IP defrag/reassembly (using skb coalescing), or TCP coalescing could leak secpath objects. Fix this bug by calling skb_release_head_state(skb) to properly release all possible references to linked objects. Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22tcp: add SYN/data info to TCP_INFOYuchung Cheng4-0/+5
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options. It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or client application can use this information to check Fast Open success rate. Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22netfilter: nf_conntrack: fix rt_gateway checks for H.323 helperJulian Anastasov1-1/+2
After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) we should properly match the nexthop when destinations are directly connected because rt_gateway can be 0. The rt_gateway checks in H.323 helper try to avoid the creation of an unnecessary expectation in this call-forwarding case: http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073 However, the existing code fails to avoid that in many cases, see this thread: http://marc.info/?l=linux-netdev&m=135043175028620&w=2 It seems it is not trivial to know from the kernel if two hosts have to go through the firewall to communicate each other, which is the main point of the call-forwarding filter code to avoid creating unnecessary expectations. So this patch just gets things the way they were as before commit f8126f1d51. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-19Merge tag 'tty-3.7-rc1' of ↵Linus Torvalds1-0/+2
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull TTY fixes from Greg Kroah-Hartman: "Here are some tty and serial driver fixes for your 3.7-rc1 tree. Again, the UABI header file fixes, and a number of build and runtime serial driver bugfixes that solve problems people have been reporting (the staging driver is a tty driver, hence the fixes coming in through this tree.) All of these have been in the linux-next tree for a while. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>" * tag 'tty-3.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: staging: dgrp: check return value of alloc_tty_driver staging: dgrp: check for NULL pointer in (un)register_proc_table serial/8250_hp300: Missing 8250 register interface conversion bits UAPI: (Scripted) Disintegrate include/linux/hsi tty: serial: sccnxp: Fix bug with unterminated platform_id list staging: serial: dgrp: Add missing #include <linux/uaccess.h> serial: sccnxp: Allows the driver to be compiled as a module tty: Fix bogus "callbacks suppressed" messages net, TTY: initialize tty->driver_data before usage
2012-10-19Merge branch 'for-3.7' of git://linux-nfs.org/~bfields/linuxLinus Torvalds1-2/+2
Pull nfsd bugfixes from J Bruce Fields. * 'for-3.7' of git://linux-nfs.org/~bfields/linux: SUNRPC: Prevent kernel stack corruption on long values of flush NLM: nlm_lookup_file() may return NLMv4-specific error codes
2012-10-19Merge branch 'master' of ↵John W. Linville7-32/+45
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-10-18Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-mergeDavid S. Miller3-10/+27
Included fixes: - Fix broadcast packet CRC calculation which can lead to ~80% broadcast packet loss - Fix a race condition in duplicate broadcast packet check Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18tcp: fix FIONREAD/SIOCINQEric Dumazet1-5/+3
tcp_ioctl() tries to take into account if tcp socket received a FIN to report correct number bytes in receive queue. But its flaky because if the application ate the last skb, we return 1 instead of 0. Correct way to detect that FIN was received is to test SOCK_DONE. Reported-by: Elliot Hughes <enh@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18netlink: use kfree_rcu() in netlink_release()Eric Dumazet1-4/+15
On some suspend/resume operations involving wimax device, we have noticed some intermittent memory corruptions in netlink code. Stéphane Marchesin tracked this corruption in netlink_update_listeners() and suggested a patch. It appears netlink_release() should use kfree_rcu() instead of kfree() for the listeners structure as it may be used by other cpus using RCU protection. netlink_release() must set to NULL the listeners pointer when it is about to be freed. Also have to protect netlink_update_listeners() and netlink_has_listeners() if listeners is NULL. Add a nl_deref_protected() lockdep helper to properly document which locks protects us. Reported-by: Jonathan Kliegman <kliegs@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Stéphane Marchesin <marcheu@google.com> Cc: Sam Leffler <sleffler@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18ipv4: Fix flushing of cached routing informationsSteffen Klassert1-3/+6
Currently we can not flush cached pmtu/redirect informations via the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid of the old route and reset the nh exeption if the old route is expired when we bind a new route to a nh exeption. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18vlan: allow to change type when no vlan device is hooked on netdevJiri Pirko1-1/+3
vlan_info might be present but still no vlan devices might be there. That is in case of vlan0 automatically added. So in that case, allow to change netdev type. Reported-by: Jon Stanley <jstanley@rmrf.net> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18batman-adv: Fix potential broadcast BLA-duplicate-check race conditionLinus Lüssing2-5/+16
Threads in the bottom half of batadv_bla_check_bcast_duplist() might otherwise for instance overwrite variables which other threads might be using/reading at the same time in the top half, potentially leading to messing up the bcast_duplist, possibly resulting in false bridge loop avoidance duplicate check decisions. Signed-off-by: Linus Lüssing <linus.luessing@web.de> Acked-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-10-18batman-adv: Fix broadcast packet CRC calculationLinus Lüssing2-5/+11
So far the crc16 checksum for a batman-adv broadcast data packet, received on a batman-adv hard interface, was calculated over zero bytes of its content leading to many incoming broadcast data packets wrongly being dropped (60-80% packet loss). This patch fixes this issue by calculating the crc16 over the actual, complete broadcast payload. The issue is a regression introduced by ("batman-adv: add broadcast duplicate check"). Signed-off-by: Linus Lüssing <linus.luessing@web.de> Acked-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-10-18cfg80211: fix initialization of chan->max_reg_powerFelix Fietkau1-2/+3
A few places touch chan->max_power based on updated tx power rules, but forget to do the same to chan->max_reg_power. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-18cfg80211: fix antenna gain handlingFelix Fietkau1-2/+1
No driver initializes chan->max_antenna_gain to something sensible, and the only place where it is being used right now is inside ath9k. This leads to ath9k potentially using less tx power than it can use, which can decrease performance/range in some rare cases. Rather than going through every single driver, this patch initializes chan->orig_mag in wiphy_register(), ignoring whatever value the driver left in there. If a driver for some reason wishes to limit it independent from regulatory rulesets, it can do so internally. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-18Merge branch 'for-john' of ↵John W. Linville3-24/+34
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-10-17SUNRPC: Prevent kernel stack corruption on long values of flushSasha Levin1-2/+2
The buffer size in read_flush() is too small for the longest possible values for it. This can lead to a kernel stack corruption: [ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4 [ 43.047329] [ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221 [ 43.050038] Call Trace: [ 43.050435] [<ffffffff836c60c2>] panic+0xcd/0x1f4 [ 43.050931] [<ffffffff833e64b4>] ? read_flush.isra.7+0xe4/0x100 [ 43.051602] [<ffffffff810e94e6>] __stack_chk_fail+0x16/0x20 [ 43.052206] [<ffffffff833e64b4>] read_flush.isra.7+0xe4/0x100 [ 43.052951] [<ffffffff833e6500>] ? read_flush_pipefs+0x30/0x30 [ 43.053594] [<ffffffff833e652c>] read_flush_procfs+0x2c/0x30 [ 43.053596] [<ffffffff812b9a8c>] proc_reg_read+0x9c/0xd0 [ 43.053596] [<ffffffff812b99f0>] ? proc_reg_write+0xd0/0xd0 [ 43.053596] [<ffffffff81250d5b>] do_loop_readv_writev+0x4b/0x90 [ 43.053596] [<ffffffff81250fd6>] do_readv_writev+0xf6/0x1d0 [ 43.053596] [<ffffffff812510ee>] vfs_readv+0x3e/0x60 [ 43.053596] [<ffffffff812511b8>] sys_readv+0x48/0xb0 [ 43.053596] [<ffffffff8378167d>] system_call_fastpath+0x1a/0x1f Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Cc: stable@kernel.org Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-10-17mac80211: connect with HT20 if HT40 is not permittedJohannes Berg1-10/+20
Some changes to fix issues with HT40 APs in Korea and follow-up changes to allow using HT40 even if the local regulatory database disallows it caused issues with iwlwifi (and could cause issues with other devices); iwlwifi firmware would assert if you tried to connect to an AP that has an invalid configuration (e.g. using HT40- on channel 140.) Fix this, while avoiding the "Korean AP" issue by disabling HT40 and advertising HT20 to the AP when connecting. Cc: stable@vger.kernel.org [3.6] Reported-by: Florian Reitmeir <florian@reitmeir.org> Tested-by: Florian Reitmeir <florian@reitmeir.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>