summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2012-11-11Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds7-40/+91
Pull networking fixes from David Miller: "Bug fixes galore, mostly in drivers as is often the case: 1) USB gadget and cdc_eem drivers need adjustments to their frame size lengths in order to handle VLANs correctly. From Ian Coolidge. 2) TIPC and several network drivers erroneously call tasklet_disable before tasklet_kill, fix from Xiaotian Feng. 3) r8169 driver needs to apply the WOL suspend quirk to more chipsets, fix from Cyril Brulebois. 4) Fix multicast filters on RTL_GIGA_MAC_VER_35 r8169 chips, from Nathan Walp. 5) FDB netlink dumps should use RTM_NEWNEIGH as the message type, not zero. From John Fastabend. 6) Fix smsc95xx tx checksum offload on big-endian, from Steve Glendinning. 7) __inet_diag_dump() needs to repsect and report the error value returned from inet_diag_lock_handler() rather than ignore it. Otherwise if an inet diag handler is not available for a particular protocol, we essentially report success instead of giving an error indication. Fix from Cyrill Gorcunov. 8) When the QFQ packet scheduler sees TSO/GSO packets it does not handle things properly, and in fact ends up corrupting it's datastructures as well as mis-schedule packets. Fix from Paolo Valente. 9) Fix oopser in skb_loop_sk(), from Eric Leblond. 10) CXGB4 passes partially uninitialized datastructures in to FW commands, fix from Vipul Pandya. 11) When we send unsolicited ipv6 neighbour advertisements, we should send them to the link-local allnodes multicast address, as per RFC4861. Fix from Hannes Frederic Sowa. 12) There is some kind of bug in the usbnet's kevent deferral mechanism, but more immediately when it triggers an uncontrolled stream of kernel messages spam the log. Rate limit the error log message triggered when this problem occurs, as sending thousands of error messages into the kernel log doesn't help matters at all, and in fact makes further diagnosis more difficult. From Steve Glendinning. 13) Fix gianfar restore from hibernation, from Wang Dongsheng. 14) The netlink message attribute sizes are wrong in the ipv6 GRE driver, it was using the size of ipv4 addresses instead of ipv6 ones :-) Fix from Nicolas Dichtel." * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: gre6: fix rtnl dump messages gianfar: ethernet vanishes after restoring from hibernation usbnet: ratelimit kevent may have been dropped warnings ipv6: send unsolicited neighbour advertisements to all-nodes net: usb: cdc_eem: Fix rx skb allocation for 802.1Q VLANs usb: gadget: g_ether: fix frame size check for 802.1Q cxgb4: Fix initialization of SGE_CONTROL register isdn: Make CONFIG_ISDN depend on CONFIG_NETDEVICES cxgb4: Initialize data structures before using. af-packet: fix oops when socket is not present pkt_sched: enable QFQ to support TSO/GSO net: inet_diag -- Return error code if protocol handler is missed net: bnx2x: Fix typo in bnx2x driver smsc95xx: fix tx checksum offload for big endian rtnetlink: Use nlmsg type RTM_NEWNEIGH from dflt fdb dump ptp: update adjfreq callback description r8169: allow multicast packets on sub-8168f chipset. r8169: Fix WoL on RTL8168d/8111d. drivers/net: use tasklet_kill in device remove/close process tipc: do not use tasklet_disable before tasklet_kill
2012-11-10gre6: fix rtnl dump messagesNicolas Dichtel1-4/+4
Spotted after a code review. Introduced by c12b395a46646bab69089ce7016ac78177f6001f (gre: Support GRE over IPv6). Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-10ipv6: send unsolicited neighbour advertisements to all-nodesHannes Frederic Sowa1-2/+1
As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6., unsolicited neighbour advertisements should be sent to the all-nodes multicast address. Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-08af-packet: fix oops when socket is not presentEric Leblond1-1/+1
Due to a NULL dereference, the following patch is causing oops in normal trafic condition: commit c0de08d04215031d68fa13af36f347a6cfa252ca Author: Eric Leblond <eric@regit.org> Date:   Thu Aug 16 22:02:58 2012 +0000     af_packet: don't emit packet on orig fanout group This buggy patch was a feature fix and has reached most stable branches. When skb->sk is NULL and when packet fanout is used, there is a crash in match_fanout_group where skb->sk is accessed. This patch fixes the issue by returning false as soon as the socket is NULL: this correspond to the wanted behavior because the kernel as to resend the skb to all the listening socket in this case. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-08pkt_sched: enable QFQ to support TSO/GSOPaolo Valente1-30/+79
If the max packet size for some class (configured through tc) is violated by the actual size of the packets of that class, then QFQ would not schedule classes correctly, and the data structures implementing the bucket lists may get corrupted. This problem occurs with TSO/GSO even if the max packet size is set to the MTU, and is, e.g., the cause of the failure reported in [1]. Two patches have been proposed to solve this problem in [2], one of them is a preliminary version of this patch. This patch addresses the above issues by: 1) setting QFQ parameters to proper values for supporting TSO/GSO (in particular, setting the maximum possible packet size to 64KB), 2) automatically increasing the max packet size for a class, lmax, when a packet with a larger size than the current value of lmax arrives. The drawback of the first point is that the maximum weight for a class is now limited to 4096, which is equal to 1/16 of the maximum weight sum. Finally, this patch also forcibly caps the timestamps of a class if they are too high to be stored in the bucket list. This capping, taken from QFQ+ [3], handles the unfrequent case described in the comment to the function slot_insert. [1] http://marc.info/?l=linux-netdev&m=134968777902077&w=2 [2] http://marc.info/?l=linux-netdev&m=135096573507936&w=2 [3] http://marc.info/?l=linux-netdev&m=134902691421670&w=2 Signed-off-by: Paolo Valente <paolo.valente@unimore.it> Tested-by: Cong Wang <amwang@redhat.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-04net: inet_diag -- Return error code if protocol handler is missedCyrill Gorcunov1-1/+4
We've observed that in case if UDP diag module is not supported in kernel the netlink returns NLMSG_DONE without notifying a caller that handler is missed. This patch makes __inet_diag_dump to return error code instead. So as example it become possible to detect such situation and handle it gracefully on userspace level. Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org> CC: David Miller <davem@davemloft.net> CC: Eric Dumazet <eric.dumazet@gmail.com> CC: Pavel Emelyanov <xemul@parallels.com> Acked-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-04Merge tag 'nfs-for-3.7-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfsLinus Torvalds1-1/+1
Pull NFS client bugfixes from Trond Myklebust: - Fix a bunch of deadlock situations: * State recovery can deadlock if we fail to release sequence ids before scheduling the recovery thread. * Calling deactivate_super() from an RPC workqueue thread can deadlock because of the call to rpc_shutdown_client. - Display the device name correctly in /proc/*/mounts - Fix a number of incorrect error return values: * When NFSv3 mounts fail due to a timeout. * On NFSv4.1 backchannel setup failure * On NFSv4 open access checks - pnfs_find_alloc_layout() must check the layout pointer for NULL - Fix a regression in the legacy DNS resolved * tag 'nfs-for-3.7-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFS4: nfs4_opendata_access should return errno NFSv4: Initialise the NFSv4.1 slot table highest_used_slotid correctly SUNRPC: return proper errno from backchannel_rqst NFS: add nfs_sb_deactive_async to avoid deadlock nfs: Show original device name verbatim in /proc/*/mount{s,info} nfsv3: Make v3 mounts fail with ETIMEDOUTs instead EIO on mountd timeouts nfs: Check whether a layout pointer is NULL before free it NFS: fix bug in legacy DNS resolver. NFSv4: nfs4_locku_done must release the sequence id NFSv4.1: We must release the sequence id when we fail to get a session slot NFS: Wait for session recovery to finish before returning
2012-11-03rtnetlink: Use nlmsg type RTM_NEWNEIGH from dflt fdb dumpJohn Fastabend1-1/+2
Change the dflt fdb dump handler to use RTM_NEWNEIGH to be compatible with bridge dump routines. The dump reply from the network driver handlers should match the reply from bridge handler. The fact they were not in the ixgbe case was effectively a bug. This patch resolves it. Applications that were not checking the nlmsg type will continue to work. And now applications that do check the type will work as expected. Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-03tipc: do not use tasklet_disable before tasklet_killXiaotian Feng1-1/+0
If tasklet_disable() is called before related tasklet handled, tasklet_kill will never be finished. tasklet_kill is enough. Signed-off-by: Xiaotian Feng <dannyfeng@tencent.com> Cc: Jon Maloy <jon.maloy@ericsson.com> Cc: Allan Stephens <allan.stephens@windriver.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Cc: tipc-discussion@lists.sourceforge.net Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-03Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds15-46/+125
Pull networking fixes from David Miller: "First post-Sandy pull request" 1) Fix antenna gain handling and initialization of chan->max_reg_power in wireless, from Felix Fietkau. 2) Fix nexthop handling in H.232 conntrack helper, from Julian Anastasov. 3) Only process 80211 mesh config header in certain kinds of frames, from Javier Cardona. 4) 80211 management frame header length needs to be validated, from Johannes Berg. 5) Don't access free'd SKBs in ath9k driver, from Felix Fietkay. 6) Test for permanent state correctly in VXLAN driver, from Stephen Hemminger. 7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov. 8) Fix off by one errors in bonding, from Nikolay ALeksandrov. 9) Fix divide by zero in TCP-Illinois congestion control. From Jesper Dangaard Brouer. 10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a sizeof of a sizeof, so you can size your size" Fix from Julian Anastasov. 11) Several drivers do mdiobus_free without first doing an mdiobus_unregister leading to stray pointer references. Fix from Peter Senna Tschudin. 12) Fix OOPS in l2tp_eth_create() error path, it's another danling pointer kinda situation. Fix from Tom Parkin. 13) Hardware driven by the vmxnet driver can't handle larger than 16K fragments, so split them up when necessary. From Eric Dumazet. 14) Handle zero length data length in tcp_send_rcvq() properly. Fix from Pavel Emelyanov. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits) tcp-repair: Handle zero-length data put in rcv queue vmxnet3: must split too big fragments l2tp: fix oops in l2tp_eth_create() error path cxgb4: Fix unable to get UP event from the LLD drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free bnx2x: fix HW initialization using fw 7.8.x tcp: Fix double sizeof in new tcp_metrics code net: fix divide by zero in tcp algorithm illinois net: sctp: Fix typo in net/sctp bonding: fix second off-by-one error bonding: fix off-by-one error bnx2x: Disable FCoE for 57840 since not yet supported by FW bnx2x: Fix no link on 577xx 10G-baseT bnx2x: Fix unrecognized SFP+ module after driver is loaded bnx2x: Fix potential incorrect link speed provision bnx2x: Restore global registers back to default. bnx2x: Fix link down in 57712 following LFA bnx2x: Fix 57810 1G-KR link against certain switches. ixgbe: PTP get_ts_info missing software support ...
2012-11-03tcp-repair: Handle zero-length data put in rcv queuePavel Emelyanov1-0/+3
When sending data into a tcp socket in repair state we should check for the amount of data being 0 explicitly. Otherwise we'll have an skb with seq == end_seq in rcv queue, but tcp doesn't expect this to happen (in particular a warn_on in tcp_recvmsg shoots). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-03l2tp: fix oops in l2tp_eth_create() error pathTom Parkin1-0/+1
When creating an L2TPv3 Ethernet session, if register_netdev() should fail for any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the 32k-interface limit), the netdev is freed in the error path. However, the l2tp_eth_sess structure's dev pointer is left uncleared, and this results in l2tp_eth_delete() then attempting to unregister the same netdev later in the session teardown. This results in an oops. To avoid this, clear the session dev pointer in the error path. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01tcp: Fix double sizeof in new tcp_metrics codeJulian Anastasov1-1/+1
Fix double sizeof when parsing IPv6 address from user space because it breaks get/del by specific IPv6 address. Problem noticed by David Binderman: https://bugzilla.kernel.org/show_bug.cgi?id=49171 Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: fix divide by zero in tcp algorithm illinoisJesper Dangaard Brouer1-3/+5
Reading TCP stats when using TCP Illinois congestion control algorithm can cause a divide by zero kernel oops. The division by zero occur in tcp_illinois_info() at: do_div(t, ca->cnt_rtt); where ca->cnt_rtt can become zero (when rtt_reset is called) Steps to Reproduce: 1. Register tcp_illinois: # sysctl -w net.ipv4.tcp_congestion_control=illinois 2. Monitor internal TCP information via command "ss -i" # watch -d ss -i 3. Establish new TCP conn to machine Either it fails at the initial conn, or else it needs to wait for a loss or a reset. This is only related to reading stats. The function avg_delay() also performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its calling point in update_params(). Thus, simply fix tcp_illinois_info(). Function tcp_illinois_info() / get_info() is called without socket lock. Thus, eliminate any race condition on ca->cnt_rtt by using a local stack variable. Simply reuse info.tcpv_rttcnt, as its already set to ca->cnt_rtt. Function avg_delay() is not affected by this race condition, as its called with the socket lock. Cc: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01net: sctp: Fix typo in net/sctpMasanari Iida1-1/+1
Correct spelling typo in net/sctp/socket.c Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-01SUNRPC: return proper errno from backchannel_rqstWeston Andros Adamson1-1/+1
The one and only caller (in fs/nfs/nfs4client.c) uses the result as an errno and would have interpreted an error as EPERM. Signed-off-by: Weston Andros Adamson <dros@netapp.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2012-10-31Merge branch 'for-davem' of ↵David S. Miller6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== This is a batch of fixes intended for 3.7... The biggest portion of this is a pull request from Johannes Berg: "Please pull my mac80211.git tree per below to get a number of fixes. I have included a patch from Antonio to fix a memcpy overrun, Felix's patches for the antenna gain/tx power issues, a few mesh-related fixes from Javier for mac80211 and my own patches to not access data that might not be present in an skb at all as well as a patch (the duplicate IE check one) to make mac80211 forward-compatible with potential future spec extensions that use the same IE multiple times. It's a bit bigger than I'd like maybe, but I think all of these are worthwhile fixes at this point." In addition... Felix Fietkau fixes an ath9k use-after-free issue. Stanislaw Gruszka adds a valid value check to rt2800. Sven Eckelmann adds a check to only check a TID value in a BlockAck, for frames that could be either a BlockAck or a normal Ack. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-31Merge branch 'master' of git://1984.lsi.us.es/nfDavid S. Miller4-5/+10
Pablo Neira Ayuso says: ==================== The following patchset contains fixes for your net tree, two of them are due to relatively recent changes, one has been a longstanding bug, they are: * Fix incorrect usage of rt_gateway in the H.323 helper, from Julian Anastasov. * Skip re-route in nf_nat code for ICMP traffic. If CONFIG_XFRM is enabled, we waste cycles to look up for the route again. This problem seems to be there since really long time. From Ulrich Weber. * Fix mismatching section in nf_conntrack_reasm, from Hein Tibosch. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-31Merge branch 'master' of ↵John W. Linville6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-10-29Merge branch 'for-john' of ↵John W. Linville6-36/+104
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-10-29Merge branch 'for-linus' of ↵Linus Torvalds1-2/+4
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client Pull Ceph fixes form Sage Weil: "There are two fixes in the messenger code, one that can trigger a NULL dereference, and one that error in refcounting (extra put). There is also a trivial fix that in the fs client code that is triggered by NFS reexport." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: ceph: fix dentry reference leak in encode_fh() libceph: avoid NULL kref_put when osd reset races with alloc_msg rbd: reset BACKOFF if unable to re-queue
2012-10-29netfilter: nf_defrag_ipv6: solve section mismatch in nf_conntrack_reasmHein Tibosch1-2/+2
WARNING: net/ipv6/netfilter/nf_defrag_ipv6.o(.text+0xe0): Section mismatch in reference from the function nf_ct_net_init() to the function .init.text:nf_ct_frag6_sysctl_register() The function nf_ct_net_init() references the function __init nf_ct_frag6_sysctl_register(). In case nf_conntrack_ipv6 is compiled as a module, nf_ct_net_init could be called after the init code and data are unloaded. Therefore remove the "__net_init" annotation from nf_ct_frag6_sysctl_register(). Signed-off-by: Hein Tibosch <hein_tibosch@yahoo.es> Acked-by: Cong Wang <amwang@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-29netfilter: nf_nat: don't check for port change on ICMP tuplesUlrich Weber2-2/+6
ICMP tuples have id in src and type/code in dst. So comparing src.u.all with dst.u.all will always fail here and ip_xfrm_me_harder() is called for every ICMP packet, even if there was no NAT. Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-27Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds24-72/+135
Pull networking fixes from David Miller: "This is what we usually expect at this stage of the game, lots of little things, mostly in drivers. With the occasional 'oops didn't mean to do that' kind of regressions in the core code." 1) Uninitialized data in __ip_vs_get_timeouts(), from Arnd Bergmann 2) Reject invalid ACK sequences in Fast Open sockets, from Jerry Chu. 3) Lost error code on return from _rtl_usb_receive(), from Christian Lamparter. 4) Fix reset resume on USB rt2x00, from Stanislaw Gruszka. 5) Release resources on error in pch_gbe driver, from Veaceslav Falico. 6) Default hop limit not set correctly in ip6_template_metrics[], fix from Li RongQing. 7) Gianfar PTP code requests wrong kind of resource during probe, fix from Wei Yang. 8) Fix VHOST net driver on big-endian, from Michael S Tsirkin. 9) Mallenox driver bug fixes from Jack Morgenstein, Or Gerlitz, Moni Shoua, Dotan Barak, and Uri Habusha. 10) usbnet leaks memory on TX path, fix from Hemant Kumar. 11) Use socket state test, rather than presence of FIN bit packet, to determine FIONREAD/SIOCINQ value. Fix from Eric Dumazet. 12) Fix cxgb4 build failure, from Vipul Pandya. 13) Provide a SYN_DATA_ACKED state to complement SYN_FASTOPEN in socket info dumps. From Yuchung Cheng. 14) Fix leak of security path in kfree_skb_partial(). Fix from Eric Dumazet. 15) Handle RX FIFO overflows more resiliently in pch_gbe driver, from Veaceslav Falico. 16) Fix MAINTAINERS file pattern for networking drivers, from Jean Delvare. 17) Add iPhone5 IDs to IPHETH driver, from Jay Purohit. 18) VLAN device type change restriction is too strict, and should not trigger for the automatically generated vlan0 device. Fix from Jiri Pirko. 19) Make PMTU/redirect flushing work properly again in ipv4, from Steffen Klassert. 20) Fix memory corruptions by using kfree_rcu() in netlink_release(). From Eric Dumazet. 21) More qmi_wwan device IDs, from Bjørn Mork. 22) Fix unintentional change of SNAT/DNAT hooks in generic NAT infrastructure, from Elison Niven. 23) Fix 3.6.x regression in xt_TEE netfilter module, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (57 commits) tilegx: fix some issues in the SW TSO support qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan net: usb: Fix memory leak on Tx data path net/mlx4_core: Unmap UAR also in the case of error flow net/mlx4_en: Don't use vlan tag value as an indication for vlan presence net/mlx4_en: Fix double-release-range in tx-rings bas_gigaset: fix pre_reset handling vhost: fix mergeable bufs on BE hosts gianfar_ptp: use iomem, not ioports resource tree in probe ipv6: Set default hoplimit as zero. NET_VENDOR_TI: make available for am33xx as well pch_gbe: fix error handling in pch_gbe_up() b43: Fix oops on unload when firmware not found mwifiex: clean up scan state on error mwifiex: return -EBUSY if specific scan request cannot be honored brcmfmac: fix potential NULL dereference Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz" ath9k_htc: Add PID/VID for a Ubiquiti WiFiStation rt2x00: usb: fix reset resume rtlwifi: pass rx setup error code to caller ...
2012-10-27mac80211: make sure data is accessible in EAPOL checkJohannes Berg1-8/+10
The code to allow EAPOL frames even when the station isn't yet marked associated needs to check that the incoming frame is long enough and due to paged RX it also can't assume skb->data contains the right data, it must use skb_copy_bits(). Fix this to avoid using data that doesn't really exist. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: verify that skb data is presentJohannes Berg2-2/+33
A number of places in the mesh code don't check that the frame data is present and in the skb header when trying to access. Add those checks and the necessary pskb_may_pull() calls. This prevents accessing data that doesn't actually exist. To do this, export ieee80211_get_mesh_hdrlen() to be able to use it in mac80211. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: check management frame header lengthJohannes Berg1-4/+8
Due to pskb_may_pull() checking the skb length, all non-management frames are checked on input whether their 802.11 header is fully present. Also add that check for management frames and remove a check that is now duplicate. This prevents accessing skb data beyond the frame end. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27wireless: drop invalid mesh address extension framesJohannes Berg1-5/+6
The mesh header can have address extension by a 4th or a 5th and 6th address, but never both. Drop such frames in 802.11 -> 802.3 conversion along with any frames that have the wrong extension. Cc: stable@vger.kernel.org Reviewed-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-27mac80211: fix SSID copy on IBSS JOINAntonio Quartulli1-1/+1
The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and its length is likely to be less than IEEE80211_MAX_SSID_LEN most of the time. This patch fixes the ssid copy in ieee80211_ibss_join() by using the SSID length to prevent it from reading beyond the string. Cc: stable@vger.kernel.org Signed-off-by: Antonio Quartulli <ordex@autistici.org> [rewrapped commit message, small rewording] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: don't inspect Sequence Control field on control framesJavier Cardona1-0/+4
Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is not present in control frames. We noticed this problem when processing Block Ack Requests. Cc: stable@vger.kernel.org Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Javier Lopez <jlopex@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Don't drop frames received with mesh ttl == 1Javier Cardona1-1/+1
Prior this fix, those frames were not received, nor forwarded. Fix this to receive and not forward. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Only process mesh config header on frames that RA_MATCHJavier Cardona1-4/+2
Doing otherwise is wrong, and may wreak havoc on the mpp tables, specially if the frame is encrypted. Cc: stable@vger.kernel.org Reported-by: Chaoxing Lin <Chaoxing.Lin@ultra-3eti.com> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25ipv6: Set default hoplimit as zero.Li RongQing1-2/+2
Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the hoplimit checking condition and default value in ip6_dst_hoplimit, not zeros all hoplimit default value. Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as const, cause as a37e6e344910(net: force dst_default_metrics to const section) Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-25libceph: avoid NULL kref_put when osd reset races with alloc_msgSage Weil1-1/+2
The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a message. If that races with a timeout that resends a zillion messages and resets the connection, and the ->alloc_msg() method returns a NULL message, it will call ceph_msg_put(NULL) and BUG. Fix by only calling put if msg is non-NULL. Fixes http://tracker.newdream.net/issues/3142 Signed-off-by: Sage Weil <sage@inktank.com>
2012-10-24mac80211: use blacklist for duplicate IE checkJohannes Berg1-7/+35
Instead of the current whitelist which accepts duplicates only for the quiet and vendor IEs, use a blacklist of all IEs (that we currently parse) that can't be duplicated. This avoids detecting a beacon as corrupt in the future when new IEs are added that can be duplicated. Cc: stable@vger.kernel.org Signed-off-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-24SUNRPC: Get rid of the xs_error_report socket callbackTrond Myklebust1-25/+0
Chris Perl reports that we're seeing races between the wakeup call in xs_error_report and the connect attempts. Basically, Chris has shown that in certain circumstances, the call to xs_error_report causes the rpc_task that is responsible for reconnecting to wake up early, thus triggering a disconnect and retry. Since the sk->sk_error_report() calls in the socket layer are always followed by a tcp_done() in the cases where we care about waking up the rpc_tasks, just let the state_change callbacks take responsibility for those wake ups. Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24SUNRPC: Prevent races in xs_abort_connection()Trond Myklebust1-5/+8
The call to xprt_disconnect_done() that is triggered by a successful connection reset will trigger another automatic wakeup of all tasks on the xprt->pending rpc_wait_queue. In particular it will cause an early wake up of the task that called xprt_connect(). All we really want to do here is clear all the socket-specific state flags, so we split that functionality out of xs_sock_mark_closed() into a helper that can be called by xs_abort_connection() Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."Trond Myklebust1-1/+1
This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e. Now that we clear the connected flag when entering TCP_CLOSE_WAIT, the deadlock described in this commit is no longer possible. Instead, the resulting call to xs_tcp_shutdown() can interfere with pending reconnection attempts. Reported-by: Chris Perl <chris.perl@gmail.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-24SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAITTrond Myklebust1-0/+1
This is needed to ensure that we call xprt_connect() upon the next call to call_connect(). Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@vger.kernel.org Tested-by: Chris Perl <chris.perl@gmail.com>
2012-10-23tcp: Reject invalid ack_seq to Fast Open socketsJerry Chu2-4/+12
A packet with an invalid ack_seq may cause a TCP Fast Open socket to switch to the unexpected TCP_CLOSING state, triggering a BUG_ON kernel panic. When a FIN packet with an invalid ack_seq# arrives at a socket in the TCP_FIN_WAIT1 state, rather than discarding the packet, the current code will accept the FIN, causing state transition to TCP_CLOSING. This may be a small deviation from RFC793, which seems to say that the packet should be dropped. Unfortunately I did not expect this case for Fast Open hence it will trigger a BUG_ON panic. It turns out there is really nothing bad about a TFO socket going into TCP_CLOSING state so I could just remove the BUG_ON statements. But after some thought I think it's better to treat this case like TCP_SYN_RECV and return a RST to the confused peer who caused the unacceptable ack_seq to be generated in the first place. Signed-off-by: H.K. Jerry Chu <hkchu@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22net: fix secpath kmemleakEric Dumazet1-2/+4
Mike Kazantsev found 3.5 kernels and beyond were leaking memory, and tracked the faulty commit to a1c7fff7e18f59e ("net: netdev_alloc_skb() use build_skb()") While this commit seems fine, it uncovered a bug introduced in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function kfree_skb_partial()"): If head is stolen, we free the sk_buff, without removing references on secpath (skb->sp). So IPsec + IP defrag/reassembly (using skb coalescing), or TCP coalescing could leak secpath objects. Fix this bug by calling skb_release_head_state(skb) to properly release all possible references to linked objects. Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22tcp: add SYN/data info to TCP_INFOYuchung Cheng4-0/+5
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options. It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or client application can use this information to check Fast Open success rate. Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-22netfilter: nf_conntrack: fix rt_gateway checks for H.323 helperJulian Anastasov1-1/+2
After the change "Adjust semantics of rt->rt_gateway" (commit f8126f1d51) we should properly match the nexthop when destinations are directly connected because rt_gateway can be 0. The rt_gateway checks in H.323 helper try to avoid the creation of an unnecessary expectation in this call-forwarding case: http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073 However, the existing code fails to avoid that in many cases, see this thread: http://marc.info/?l=linux-netdev&m=135043175028620&w=2 It seems it is not trivial to know from the kernel if two hosts have to go through the firewall to communicate each other, which is the main point of the call-forwarding filter code to avoid creating unnecessary expectations. So this patch just gets things the way they were as before commit f8126f1d51. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-10-19Merge tag 'tty-3.7-rc1' of ↵Linus Torvalds1-0/+2
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull TTY fixes from Greg Kroah-Hartman: "Here are some tty and serial driver fixes for your 3.7-rc1 tree. Again, the UABI header file fixes, and a number of build and runtime serial driver bugfixes that solve problems people have been reporting (the staging driver is a tty driver, hence the fixes coming in through this tree.) All of these have been in the linux-next tree for a while. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>" * tag 'tty-3.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: staging: dgrp: check return value of alloc_tty_driver staging: dgrp: check for NULL pointer in (un)register_proc_table serial/8250_hp300: Missing 8250 register interface conversion bits UAPI: (Scripted) Disintegrate include/linux/hsi tty: serial: sccnxp: Fix bug with unterminated platform_id list staging: serial: dgrp: Add missing #include <linux/uaccess.h> serial: sccnxp: Allows the driver to be compiled as a module tty: Fix bogus "callbacks suppressed" messages net, TTY: initialize tty->driver_data before usage
2012-10-19Merge branch 'for-3.7' of git://linux-nfs.org/~bfields/linuxLinus Torvalds1-2/+2
Pull nfsd bugfixes from J Bruce Fields. * 'for-3.7' of git://linux-nfs.org/~bfields/linux: SUNRPC: Prevent kernel stack corruption on long values of flush NLM: nlm_lookup_file() may return NLMv4-specific error codes
2012-10-19Merge branch 'master' of ↵John W. Linville7-32/+45
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2012-10-18Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-mergeDavid S. Miller3-10/+27
Included fixes: - Fix broadcast packet CRC calculation which can lead to ~80% broadcast packet loss - Fix a race condition in duplicate broadcast packet check Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18tcp: fix FIONREAD/SIOCINQEric Dumazet1-5/+3
tcp_ioctl() tries to take into account if tcp socket received a FIN to report correct number bytes in receive queue. But its flaky because if the application ate the last skb, we return 1 instead of 0. Correct way to detect that FIN was received is to test SOCK_DONE. Reported-by: Elliot Hughes <enh@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18netlink: use kfree_rcu() in netlink_release()Eric Dumazet1-4/+15
On some suspend/resume operations involving wimax device, we have noticed some intermittent memory corruptions in netlink code. Stéphane Marchesin tracked this corruption in netlink_update_listeners() and suggested a patch. It appears netlink_release() should use kfree_rcu() instead of kfree() for the listeners structure as it may be used by other cpus using RCU protection. netlink_release() must set to NULL the listeners pointer when it is about to be freed. Also have to protect netlink_update_listeners() and netlink_has_listeners() if listeners is NULL. Add a nl_deref_protected() lockdep helper to properly document which locks protects us. Reported-by: Jonathan Kliegman <kliegs@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Stéphane Marchesin <marcheu@google.com> Cc: Sam Leffler <sleffler@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-10-18ipv4: Fix flushing of cached routing informationsSteffen Klassert1-3/+6
Currently we can not flush cached pmtu/redirect informations via the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid of the old route and reset the nh exeption if the old route is expired when we bind a new route to a nh exeption. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>