summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2012-12-02tcp: fix crashes in do_tcp_sendpages()Eric Dumazet1-9/+6
Recent network changes allowed high order pages being used for skb fragments. This uncovered a bug in do_tcp_sendpages() which was assuming its caller provided an array of order-0 page pointers. We only have to deal with a single page in this function, and its order is irrelevant. Reported-by: Willy Tarreau <w@1wt.eu> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-30Merge branch 'master' of ↵John W. Linville1-2/+0
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-11-29Merge branch 'fixes' of ↵David S. Miller2-10/+6
git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch Two small openswitch fixes from Jesse Gross. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller1-1/+1
An interface name overflow fix in netfilter via Pablo Neira Ayuso. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28irda: irttp: fix memory leak in irttp_open_tsap() error pathTommi Rantala1-0/+1
Cleanup the memory we allocated earlier in irttp_open_tsap() when we hit this error path. The leak goes back to at least 1da177e4 ("Linux-2.6.12-rc2"). Discovered with Trinity (the syscall fuzzer). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28sctp: Error in calculation of RTTvarSchoch Christian1-1/+1
The calculation of RTTVAR involves the subtraction of two unsigned numbers which may causes rollover and results in very high values of RTTVAR when RTT > SRTT. With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at 4 times the clock granularity. Change Notes: v2) *Replaced abs() by abs64() and long by __s64, changed patch description. Signed-off-by: Christian Schoch <e0326715@student.tuwien.ac.at> CC: Vlad Yasevich <vyasevich@gmail.com> CC: Sridhar Samudrala <sri@us.ibm.com> CC: Neil Horman <nhorman@tuxdriver.com> CC: linux-sctp@vger.kernel.org Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscallTommi Rantala2-6/+11
Consider the following program, that sets the second argument to the sendto() syscall incorrectly: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } We get -ENOMEM: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory) Propagate the error code from sctp_user_addto_chunk(), so that we will tell user space what actually went wrong: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address) Noticed while running Trinity (the syscall fuzzer). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-28sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space ↵Tommi Rantala1-2/+5
fails Trinity (the syscall fuzzer) discovered a memory leak in SCTP, reproducible e.g. with the sendto() syscall by passing invalid user space pointer in the second argument: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } As far as I can tell, the leak has been around since ~2003. Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-27net: ipmr: limit MRT_TABLE identifiersEric Dumazet1-0/+4
Name of pimreg devices are built from following format : char name[IFNAMSIZ]; // IFNAMSIZ == 16 sprintf(name, "pimreg%u", mrt->id); We must therefore limit mrt->id to 9 decimal digits or risk a buffer overflow and a crash. Restrict table identifiers in [0 ... 999999999] interval. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-27ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow()Neal Cardwell1-1/+2
inet_getpeer_v4() can return NULL under OOM conditions, and while inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will crash. This code path now uses the same idiom as the others from: 1d861aa4b3fb08822055345f480850205ffe6170 ("inet: Minimize use of cached route inetpeer."). Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-27can: bcm: initialize ifindex for timeouts without previous frame receptionOliver Hartkopp1-0/+3
Set in the rx_ifindex to pass the correct interface index in the case of a message timeout detection. Usually the rx_ifindex value is set at receive time. But when no CAN frame has been received the RX_TIMEOUT notification did not contain a valid value. Cc: linux-stable <stable@vger.kernel.org> Reported-by: Andre Naujoks <nautsch2@googlemail.com> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-11-26mac80211: fix remain-on-channel (non-)cancellingJohannes Berg1-2/+0
Felix Liao reported that when an interface is set DOWN while another interface is executing a ROC, the warning in ieee80211_start_next_roc() (about the first item on the list having started already) triggers. This is because ieee80211_roc_purge() calls it even if it never actually changed the list of ROC items. To fix this, simply remove the function call. If it is needed then it will be done by the ieee80211_sw_roc_work() function when the ROC item that is being removed while active is cleaned up. Cc: stable@vger.kernel.org Reported-by: Felix Liao <Felix.Liao@watchguard.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-25netfilter: ipset: fix netiface set name overflowFlorian Westphal1-1/+1
attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-11-23ipv4: do not cache looped multicastsJulian Anastasov1-2/+5
Starting from 3.6 we cache output routes for multicasts only when using route to 224/4. For local receivers we can set RTCF_LOCAL flag depending on the membership but in such case we use maddr and saddr which are not caching keys as before. Additionally, we can not use same place to cache routes that differ in RTCF_LOCAL flag value. Fix it by caching only RTCF_MULTICAST entries without RTCF_LOCAL (send-only, no loopback). As a side effect, we avoid unneeded lookup for fnhe when not caching because multicasts are not redirected and they do not learn PMTU. Thanks to Maxime Bizon for showing the caching problems in __mkroute_output for 3.6 kernels: different RTCF_LOCAL flag in cache can lead to wrong ip_mc_output or ip_output call and the visible problem is that traffic can not reach local receivers via loopback. Reported-by: Maxime Bizon <mbizon@freebox.fr> Tested-by: Maxime Bizon <mbizon@freebox.fr> Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-23Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller5-13/+15
Pablo Neira Ayuso says: ==================== The following patchset contains two Netfilter fixes: * Fix buffer overflow in the name of the timeout policy object in the cttimeout infrastructure, from Florian Westphal. * Fix a bug in the hash set in case that IP ranges are specified, from Jozsef Kadlecsik. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-23Merge branch 'master' of ↵David S. Miller2-13/+2
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== This pull request is intended for 3.7 and contains a single patch to fix the IPsec gc threshold value for ipv4. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-22netfilter: cttimeout: fix buffer overflowFlorian Westphal1-1/+2
Chen Gang reports: the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side. And indeed, its used to strcpy to a fixed-sized buffer. Fortunately, nfnetlink users need CAP_NET_ADMIN. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-11-22netfilter: ipset: Fix range bug in hash:ip,port,netJozsef Kadlecsik4-12/+13
Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was the object, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-11-21Merge branch 'master' of ↵John W. Linville3-5/+25
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem John W. Linville says: ==================== This is a batch of fixes intended for 3.7... Included are two pulls. Regarding the mac80211 tree, Johannes says: "Please pull my mac80211.git tree (see below) to get two more fixes for 3.7. Both fix regressions introduced *before* this cycle that weren't noticed until now, one for IBSS not cleaning up properly and the other to add back the "wireless" sysfs directory for Fedora's startup scripts." Regarding the iwlwifi tree, Johannes says: "Please also pull my iwlwifi.git tree, I have two fixes: one to remove a spurious warning that can actually trigger in legitimate situations, and the other to fix a regression from when monitor mode was changed to use the "sniffer" firmware mode." Also included is an nfc tree pull. Samuel says: "We mostly have pn533 fixes here, 2 memory leaks and an early unlocking fix. Moreover, we also have an LLCP adapter linked list insertion fix." On top of that, a few more bits... Albert Pool adds a USB ID to rtlwifi. Bing Zhao provides two mwifiex fixes -- one to fix a system hang during a command timeout, and the other to properly report a suspend error to the MMC core. Finally, Sujith Manoharan fixes a thinko that would trigger an ath9k hang during device reset. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-21ipv6: fix inet6_csk_update_pmtu() return valueEric Dumazet1-1/+2
In case of error, inet6_csk_update_pmtu() should consistently return NULL. Bug added in commit 35ad9b9cf7d8a (ipv6: Add helper inet6_csk_update_pmtu().) Reported-by: Lluís Batlle i Rossell <viric@viric.name> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-20NFC: Fix nfc_llcp_local chained list insertionThierry Escande1-1/+1
list_add was called with swapped parameters Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19Merge branch 'for-john' of ↵John W. Linville2-4/+24
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-11-17wireless: add back sysfs directoryJohannes Berg1-0/+20
commit 35b2a113cb0298d4f9a1263338b456094a414057 broke (at least) Fedora's networking scripts, they check for the existence of the wireless directory. As the files aren't used, add the directory back and not the files. Also do it for both drivers based on the old wireless extensions and cfg80211, regardless of whether the compat code for wext is built into cfg80211 or not. Cc: stable@vger.kernel.org [3.6] Reported-by: Dave Airlie <airlied@gmail.com> Reported-by: Bill Nottingham <notting@redhat.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-16Merge branch 'for-davem' of ↵David S. Miller12-20/+47
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== This batch of fixes is intended for the 3.7 stream... This includes a pull of the Bluetooth tree. Gustavo says: "A few important fixes to go into 3.7. There is a new hw support by Marcos Chaparro. Johan added a memory leak fix and hci device index list fix. Also Marcel fixed a race condition in the device set up that was prevent the bt monitor to work properly. Last, Paulo Sérgio added a fix to the error status when pairing for LE fails. This was prevent userspace to work to handle the failure properly." Regarding the mac80211 pull, Johannes says: "I have a locking fix for some SKB queues, a variable initialization to avoid crashes in a certain failure case, another free_txskb fix from Felix and another fix from him to avoid calling a stopped driver, a fix for a (very unlikely) memory leak and a fix to not send null data packets when resuming while not associated." Regarding the iwlwifi pull, Johannes says: "Two more fixes for iwlwifi ... one to use ieee80211_free_txskb(), and one to check DMA mapping errors, please pull." On top of that, Johannes also included a wireless regulatory fix to allow 40 MHz on channels 12 and 13 in world roaming mode. Also, Hauke Mehrtens fixes a #ifdef typo in brcmfmac. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-16net-rps: Fix brokeness causing OOO packetsTom Herbert1-1/+3
In commit c445477d74ab3779 which adds aRFS to the kernel, the CPU selected for RFS is not set correctly when CPU is changing. This is causing OOO packets and probably other issues. Signed-off-by: Tom Herbert <therbert@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-16Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-mergeDavid S. Miller2-7/+20
Included fixes are: - update the client entry status flags when using the "early client detection". This makes the Distributed AP isolation correctly work; - transfer the client entry status flags when recovering the translation table from another node. This makes the Distributed AP isolation correctly work; - prevent the "early client detection mechanism" to add clients belonging to other backbone nodes in the same LAN. This breaks connectivity when using this mechanism together with the Bridge Loop Avoidance - process broadcast packets with the Bridge Loop Avoidance before any other component. BLA can possibly drop the packets based on the source address. This makes the "early client detection mechanism" correctly work when used with BLA. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-16tcp: handle tcp_net_metrics_init() order-5 memory allocation failuresEric Dumazet1-3/+9
order-5 allocations can fail with current kernels, we should try vmalloc() as well. Reported-by: Julien Tinnes <jln@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-16Merge branch 'master' of ↵John W. Linville12-20/+47
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-11-16batman-adv: process broadcast packets in BLA earlierAntonio Quartulli1-6/+6
The logic in the BLA mechanism may decide to drop broadcast packets because the node may still be in the setup phase. For this reason, further broadcast processing like the early client detection mechanism must be done only after the BLA check. This patches moves the invocation to BLA before any other broadcast processing. This was introduced 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59 ("batman-adv: detect not yet announced clients") Reported-by: Glen Page <glen.page@thet.net> Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-11-16batman-adv: don't add TEMP clients belonging to other backbone nodesAntonio Quartulli1-0/+7
The "early client detection" mechanism must not add clients belonging to other backbone nodes. Such clients must be reached by directly using the LAN instead of the mesh. This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59 ("batman-adv: detect not yet announced clients") Reported-by: Glen Page <glen.page@thet.net> Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-11-16batman-adv: correctly pass the client flag on tt_responseAntonio Quartulli1-1/+1
When a TT response with the full table is sent, the client flags should be sent as well. This patch fix the flags assignment when populating the tt_response to send back This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59 ("batman-adv: detect not yet announced clients") Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-11-16batman-adv: fix tt_global_entries flags updateAntonio Quartulli1-0/+6
Flags carried by a change_entry have to be always copied into the client entry as they may contain important attributes (e.g. TT_CLIENT_WIFI). For instance, a client added by means of the "early detection mechanism" has no flag set at the beginning, so they must be updated once the proper ADD event is received. This was introduced by 30cfd02b60e1cb16f5effb0a01f826c5bb7e4c59 ("batman-adv: detect not yet announced clients") Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
2012-11-16net: correct check in dev_addr_del()Jiri Pirko1-1/+2
Check (ha->addr == dev->dev_addr) is always true because dev_addr_init() sets this. Correct the check to behave properly on addr removal. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-16tcp: fix retransmission in repair modeAndrew Vagin2-2/+6
Currently if a socket was repaired with a few packet in a write queue, a kernel bug may be triggered: kernel BUG at net/ipv4/tcp_output.c:2330! RIP: 0010:[<ffffffff8155784f>] tcp_retransmit_skb+0x5ff/0x610 According to the initial realization v3.4-rc2-963-gc0e88ff, all skb-s should look like already posted. This patch fixes code according with this sentence. Here are three points, which were not done in the initial patch: 1. A tcp send head should not be changed 2. Initialize TSO state of a skb 3. Reset the retransmission time This patch moves logic from tcp_sendmsg to tcp_write_xmit. A packet passes the ussual way, but isn't sent to network. This patch solves all described problems and handles tcp_sendpages. Cc: Pavel Emelyanov <xemul@parallels.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-15sctp: fix /proc/net/sctp/ memory leakTommi Rantala1-4/+4
Commit 13d782f ("sctp: Make the proc files per network namespace.") changed the /proc/net/sctp/ struct file_operations opener functions to use single_open_net() and seq_open_net(). Avoid leaking memory by using single_release_net() and seq_release_net() as the release functions. Discovered with Trinity (the syscall fuzzer). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-15ipv4/ip_vti.c: VTI fix post-decryption forwardingSaurabh Mohan1-0/+5
With the latest kernel there are two things that must be done post decryption so that the packet are forwarded. 1. Remove the mark from the packet. This will cause the packet to not match the ipsec-policy again. However doing this causes the post-decryption check to fail also and the packet will get dropped. (cat /proc/net/xfrm_stat). 2. Remove the sp association in the skbuff so that no policy check is done on the packet for VTI tunnels. Due to #2 above we must now do a security-policy check in the vti rcv path prior to resetting the mark in the skbuff. Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com> Reported-by: Ruben Herold <ruben@puettmann.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-14Merge branch 'master' of ↵John W. Linville3-8/+10
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
2012-11-14Merge branch 'for-john' of ↵John W. Linville9-12/+37
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-11-14mac80211: deinitialize ibss-internals after emptiness checkSimon Wunderlich1-4/+4
The check whether the IBSS is active and can be removed should be performed before deinitializing the fields used for the check/search. Otherwise, the configured BSS will not be found and removed properly. To make it more clear for the future, rename sdata->u.ibss to the local pointer ifibss which is used within the checks. This behaviour was introduced by f3209bea110cade12e2b133da8b8499689cb0e2e ("mac80211: fix IBSS teardown race") Cc: stable@vger.kernel.org Cc: Ignacy Gawedzki <i@lri.fr> Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-13ipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return valueHannes Frederic Sowa1-0/+1
Cc: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-13tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming()Eric Dumazet1-5/+10
We added support for RFC 5961 in latest kernels but TCP fails to perform exhaustive check of ACK sequence. We can update our view of peer tsval from a frame that is later discarded by tcp_ack() This makes timestamps enabled sessions vulnerable to injection of a high tsval : peers start an ACK storm, since the victim sends a dupack each time it receives an ACK from the other peer. As tcp_validate_incoming() is called before tcp_ack(), we should not peform tcp_replace_ts_recent() from it, and let callers do it at the right time. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Nandita Dukkipati <nanditad@google.com> Cc: H.K. Jerry Chu <hkchu@google.com> Cc: Romain Francoise <romain@orebokech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-13xfrm: Fix the gc threshold value for ipv4Steffen Klassert2-13/+2
The xfrm gc threshold value depends on ip_rt_max_size. This value was set to INT_MAX with the routing cache removal patch, so we start doing garbage collecting when we have INT_MAX/2 IPsec routes cached. Fix this by going back to the static threshold of 1024 routes. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2012-11-12wireless: allow 40 MHz on world roaming channels 12/13Johannes Berg1-3/+2
When in world roaming mode, allow 40 MHz to be used on channels 12 and 13 so that an AP that is, e.g., using HT40+ on channel 9 (in the UK) can be used. Cc: stable@vger.kernel.org Reported-by: Eddie Chapman <eddie@ehuk.net> Tested-by: Eddie Chapman <eddie@ehuk.net> Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-12ipv4: avoid undefined behavior in do_ip_setsockopt()Xi Wang1-13/+22
(1<<optname) is undefined behavior in C with a negative optname or optname larger than 31. In those cases the result of the shift is not necessarily zero (e.g., on x86). This patch simplifies the code with a switch statement on optname. It also allows the compiler to generate better code (e.g., using a 64-bit mask). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-11Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds7-40/+91
Pull networking fixes from David Miller: "Bug fixes galore, mostly in drivers as is often the case: 1) USB gadget and cdc_eem drivers need adjustments to their frame size lengths in order to handle VLANs correctly. From Ian Coolidge. 2) TIPC and several network drivers erroneously call tasklet_disable before tasklet_kill, fix from Xiaotian Feng. 3) r8169 driver needs to apply the WOL suspend quirk to more chipsets, fix from Cyril Brulebois. 4) Fix multicast filters on RTL_GIGA_MAC_VER_35 r8169 chips, from Nathan Walp. 5) FDB netlink dumps should use RTM_NEWNEIGH as the message type, not zero. From John Fastabend. 6) Fix smsc95xx tx checksum offload on big-endian, from Steve Glendinning. 7) __inet_diag_dump() needs to repsect and report the error value returned from inet_diag_lock_handler() rather than ignore it. Otherwise if an inet diag handler is not available for a particular protocol, we essentially report success instead of giving an error indication. Fix from Cyrill Gorcunov. 8) When the QFQ packet scheduler sees TSO/GSO packets it does not handle things properly, and in fact ends up corrupting it's datastructures as well as mis-schedule packets. Fix from Paolo Valente. 9) Fix oopser in skb_loop_sk(), from Eric Leblond. 10) CXGB4 passes partially uninitialized datastructures in to FW commands, fix from Vipul Pandya. 11) When we send unsolicited ipv6 neighbour advertisements, we should send them to the link-local allnodes multicast address, as per RFC4861. Fix from Hannes Frederic Sowa. 12) There is some kind of bug in the usbnet's kevent deferral mechanism, but more immediately when it triggers an uncontrolled stream of kernel messages spam the log. Rate limit the error log message triggered when this problem occurs, as sending thousands of error messages into the kernel log doesn't help matters at all, and in fact makes further diagnosis more difficult. From Steve Glendinning. 13) Fix gianfar restore from hibernation, from Wang Dongsheng. 14) The netlink message attribute sizes are wrong in the ipv6 GRE driver, it was using the size of ipv4 addresses instead of ipv6 ones :-) Fix from Nicolas Dichtel." * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: gre6: fix rtnl dump messages gianfar: ethernet vanishes after restoring from hibernation usbnet: ratelimit kevent may have been dropped warnings ipv6: send unsolicited neighbour advertisements to all-nodes net: usb: cdc_eem: Fix rx skb allocation for 802.1Q VLANs usb: gadget: g_ether: fix frame size check for 802.1Q cxgb4: Fix initialization of SGE_CONTROL register isdn: Make CONFIG_ISDN depend on CONFIG_NETDEVICES cxgb4: Initialize data structures before using. af-packet: fix oops when socket is not present pkt_sched: enable QFQ to support TSO/GSO net: inet_diag -- Return error code if protocol handler is missed net: bnx2x: Fix typo in bnx2x driver smsc95xx: fix tx checksum offload for big endian rtnetlink: Use nlmsg type RTM_NEWNEIGH from dflt fdb dump ptp: update adjfreq callback description r8169: allow multicast packets on sub-8168f chipset. r8169: Fix WoL on RTL8168d/8111d. drivers/net: use tasklet_kill in device remove/close process tipc: do not use tasklet_disable before tasklet_kill
2012-11-11mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purgeFelix Fietkau4-6/+20
Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-10gre6: fix rtnl dump messagesNicolas Dichtel1-4/+4
Spotted after a code review. Introduced by c12b395a46646bab69089ce7016ac78177f6001f (gre: Support GRE over IPv6). Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-10ipv6: send unsolicited neighbour advertisements to all-nodesHannes Frederic Sowa1-2/+1
As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6., unsolicited neighbour advertisements should be sent to the all-nodes multicast address. Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-09mac80211: don't send null data packet when not associatedJohannes Berg1-0/+2
On resume or firmware recovery, mac80211 sends a null data packet to see if the AP is still around and hasn't disconnected us. However, it always does this even if it wasn't even connected before, leading to a warning in the new channel context code. Fix this by checking that it's associated. Cc: stable@vger.kernel.org Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-09Bluetooth: Fix memory leak when removing a UUIDJohan Hedberg1-0/+1
When removing a UUID from the list in the remove_uuid() function we must also kfree the entry in addition to removing it from the list. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>