1. 19 Apr, 2013 13 commits
      net: qmi_wwan: fixup destination address (firmware bug workaround) · 6483bdc9
      Bjørn Mork authored
      
      
      Received packets are sometimes addressed to 00:a0:c6:00:00:00
      instead of the address the device firmware should have learned
      from the host:
      
      321.224126 77.16.85.204 -> 148.122.171.134 ICMP 98 Echo (ping) request  id=0x4025, seq=64/16384, ttl=64
      
      0000  82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00   .....g.....g..E.
      0010  00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a   .T..@.@.W.M.U..z
      0020  ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00   ....b.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      
      321.240607 148.122.171.134 -> 77.16.85.204 ICMP 98 Echo (ping) reply    id=0x4025, seq=64/16384, ttl=55
      
      0000  00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00   .......P......E.
      0010  00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10   .T.V..7..v.z..M.
      0020  55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00   U...j.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      
      The bogus address is always the same, and matches the address
      suggested by many devices as a default address.  It is likely a
      hardcoded firmware default.
      
      The circumstances where this bug has been observed indicate that
      the trigger is related to timing or some other factor the host
      cannot control. Repeating the exact same configuration sequence
      that caused it to trigger once, will not necessarily cause it to
      trigger the next time. Reproducing the bug is therefore difficult.
      This opens up a possibility that the bug is more common than we can
      confirm, because affected devices often will work properly again
      after a reset.  A procedure most users are likely to try out before
      reporting a bug.
      
      Unconditionally rewriting the destination address if the first digit
      of the received packet is 0, is considered an acceptable compromise
      since we already have to inspect this digit.  The simplification will
      cause unnecessary rewrites if the real address starts with 0, but this
      is still better than adding additional tests for this particular case.
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: qmi_wwan: fixup missing ethernet header (firmware bug workaround) · 6ff509af
      Bjørn Mork authored
      
      
      A number of LTE devices from different vendors all suffer from the
      same firmware bug: Most of the packets received from the device while
      it is attached to an LTE network will not have an ethernet header. The
      devices work as expected when attached to 2G or 3G networks, sending
      an ethernet header with all packets.
      
      This driver is not aware of which network the modem attached to, and
      even if it were there are still some packet types which are always
      received with the header intact.
      
      All devices supported by this driver have severely limited
      networking capabilities:
       - can only transmit IPv4, IPv6 and possibly ARP
       - can only support a single host hardware address at any time
       - will only do point-to-point communication with the host
      
      Because of this, we are able to reliably identify any bogus raw IP
      packets by simply looking at the 4 IP version bits.  All we need to
      do is to avoid 4 or 6 in the first digit of the mac address.  This
      workaround ensures this, and fixes up the received packets as necessary.
      
      Given the distribution of the bug, it is believed that the source is
      the chipset vendor.  The devices which are verified to be affected are:
       Huawei E392u-12 (Qualcomm MDM9200)
       Pantech UML290  (Qualcomm MDM9600)
       Novatel USB551L (Qualcomm MDM9600)
       Novatel E362    (Qualcomm MDM9600)
      
      It is believed that the bug depends on firmware revision, which means
      that possibly all devices based on the above mentioned chipset may be
      affected if we consider all available firmware revisions.
      
      The information about affected devices and versions is likely
      incomplete.  As the additional overhead for packets not needing this
      fixup is very small, it is considered acceptable to apply the
      workaround to all devices handled by this driver.
      Reported-by: Dan Williams <dcbw@redhat.com>
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
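
The receive-path fixup that the two qmi_wwan commit messages above describe, as an added userspace model; it is not the driver's code. The names `rx_fixup` and `mac_is_ambiguous`, the buffer/capacity interface, the explicit length checks and the zeroed source address are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define ETH_HLEN 14

/* The host address must not look like raw IP: first hex digit 4 or 6. */
int mac_is_ambiguous(const uint8_t mac[ETH_ALEN])
{
    return (mac[0] & 0xf0) == 0x40 || (mac[0] & 0xf0) == 0x60;
}

/* Hypothetical model of the fixup: buf holds *len received bytes and has
 * room for cap bytes in total. Returns 1 if the frame is usable afterwards,
 * 0 if it must be dropped. */
int rx_fixup(uint8_t *buf, size_t *len, size_t cap, const uint8_t host[ETH_ALEN])
{
    uint16_t proto;
    if (*len == 0)
        return 0;
    switch (buf[0] & 0xf0) {
    case 0x40: proto = 0x0800; break;      /* headerless IPv4 packet */
    case 0x60: proto = 0x86dd; break;      /* headerless IPv6 packet */
    case 0x00:                             /* header present, destination suspect */
        if (*len < ETH_HLEN)
            return 0;
        memcpy(buf, host, ETH_ALEN);       /* unconditional rewrite */
        return 1;
    default:                               /* intact frame: pass through */
        return *len >= ETH_HLEN;
    }
    if (cap < ETH_HLEN || *len > cap - ETH_HLEN)
        return 0;                          /* no room to prepend a header */
    memmove(buf + ETH_HLEN, buf, *len);    /* make room in front of the IP packet */
    memcpy(buf, host, ETH_ALEN);           /* destination: the host address */
    memset(buf + ETH_ALEN, 0, ETH_ALEN);   /* source: zeroed (assumption) */
    buf[12] = (uint8_t)(proto >> 8);       /* ethertype, network byte order */
    buf[13] = (uint8_t)(proto & 0xff);
    *len += ETH_HLEN;
    return 1;
}

int main(void)
{
    /* Start of the reply frame quoted in the first commit message; the host
     * address is the one seen in the request frame of the same capture. */
    uint8_t f[64] = {0x00,0xa0,0xc6,0,0,0, 0x02,0x50,0xf3,0,0,0, 0x08,0x00, 0x45,0x00};
    const uint8_t host[ETH_ALEN] = {0x82,0xc0,0x82,0xc9,0xf1,0x67};
    size_t len = 16;
    return !(rx_fixup(f, &len, sizeof f, host) && memcmp(f, host, ETH_ALEN) == 0);
}
```

Because the classification rests on a single hex digit, a host address that fails `mac_is_ambiguous` is what keeps a genuine ethernet frame from being mistaken for a raw IP packet.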
      Merge branch 'bonding' · 0cb670ee
      David S. Miller authored
      
      
      Nikolay Aleksandrov says:
      
      ====================
      This patch-set fixes mainly bugs on enslave failure and one occasion
      of a needed locking. The patches are:
      
      	1. On enslave failure mc addresses are not flushed from the slave
      	2. On enslave failure vlans are not cleaned up from the slave
      	3. On enslave failure the bond's primary and curr_active_slave
      	   are not cleaned up (which might result in use of freed memory)
      	4. On enslave failure netpoll is not disabled which might result in
      	   a memory leak
      	5. In bond_mc_swap() the bond's mc addr list is walked without
      	   netif_addr_lock, since it can be called without rtnl, add it
      
      v2: patch 01 - fix log message and remove unnecessary code move
      ====================
      Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: in bond_mc_swap() bond's mc addr list is walked without lock · d632ce98
      nikolay@redhat.com authored
      
      
      Use netif_addr_lock_bh() to acquire the appropriate lock before walking.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: disable netpoll on enslave failure · fc7a72ac
      nikolay@redhat.com authored
      
      
      slave_disable_netpoll() is not called upon enslave failure which would
      lead to a memory leak. Call slave_disable_netpoll() after err_detach as
      that's the first error path after enabling netpoll on that slave.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: primary_slave & curr_active_slave are not cleaned on enslave failure · 3c5913b5
      nikolay@redhat.com authored
      
      
      On enslave failure primary_slave can point to new_slave which is to be
      freed, and the same applies to curr_active_slave. So check if this is
      the case and clean up properly after err_detach because that's the first
      error code path after they're set.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: vlans don't get deleted on enslave failure · a506e7b4
      nikolay@redhat.com authored
      
      
      The main problem is with vid refcount which only gets bumped up.
      Delete the vlans after err_detach as that's the first error path
      after the vlans are added.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bonding: mc addresses don't get deleted on enslave failure · 25e40305
      nikolay@redhat.com authored
      
      
      Add bond_mc_list_flush() after err_detach as that's the first error path
      after the addresses are added. The main issue is the mc addresses' refcount
      which only gets bumped up.
      
      v2: update log message and don't move code unnecessarily
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      pkt_sched: fix error return code in fw_change_attrs() · cb95ec62
      Wei Yongjun authored
      
      
      Fix to return -EINVAL when tb[TCA_FW_MASK] is set and head->mask != 0xFFFFFFFF
      instead of 0 (ifdef CONFIG_NET_CLS_IND and tb[TCA_FW_INDEV]), as done elsewhere
      in this function.
      Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      irda: small read past the end of array in debug code · e15465e1
      Dan Carpenter authored
      
      
      The "reason" can come from skb->data[] and it hasn't been capped so it
      can be from 0-255 instead of just 0-6.  For example in irlmp_state_dtr()
      the code does:
      
      	reason = skb->data[3];
      	...
      	irlmp_disconnect_indication(self, reason, skb);
      
      Also LMREASON has a couple other values which don't have entries in the
      irlmp_reasons[] array.  And 0xff is a valid reason as well which means
      "unknown".
      
      So far as I can see we don't actually care about "reason" except for in
      the debug code.
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fd7fc253
      David S. Miller authored
      
      
      Pablo Neira Ayuso says:
      
      ====================
      If time allows, please consider pulling the following patchset, which contains two
      late Netfilter fixes, they are:
      
      * Skip broadcast/multicast locally generated traffic in the rpfilter,
        (closes netfilter bugzilla #814), from Florian Westphal.
      
      * Fix missing elements in the listing of ipset bitmap ip,mac set
        type with timeout support enabled, from Jozsef Kadlecsik.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 6a4cd3fd
      David S. Miller authored
      
      
      John W. Linville says:
      
      ====================
      A few stragglers hoping for 3.9, somewhat delayed due to my travels...
      
      On the mac80211 bits, Johannes says:
      
      "Sadly, I have another pull request -- the idle handling fix broke LED
      handling in some cases."
      
      and:
      
      "Yet one more!
      
      This fixes a fairly important/annoying bug -- when roaming between
      multiple APs of the same network, the system could get stuck thinking it
      was connected to the old one while it really wasn't."
      
      On top of that...
      
      Arend sends a brcmfmac patch that removes advertising a feature that
      isn't actually fully supported, and a brcmsmac patch that rearranges
      code to request firmware at IFF_UP to play more nicely with being
      built into the kernel.
      
      Felix gives us a minor ath9k_htc fix to support the newly released
      open source firmware, and an ath9k_hw initvals fix to improve device
      stability.
      
      Rafał Miłecki provides a fix for an ssb regression that caused a
      serious performance problem with b43.
      
      Zefir Kurtisi offers an ath9k fix to change some kmalloc flags to
      allow the DFS detector to be called in softirq context.
      
      Please let me know if there are problems.  If these don't make 3.9,
      I'll just pull them into wireless-next -- just let me know if you
      want to do it that way!
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: call tcp_replace_ts_recent() from tcp_ack() · 12fb3dd9
      Eric Dumazet authored


      commit bd090dfc (tcp: tcp_replace_ts_recent() should not be called
      from tcp_validate_incoming()) introduced a TS ecr bug in slow path
      processing.
      
      1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200>
      2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001>
      3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      
      (ecr 200 should be ecr 300 in packets 3 & 4)
      
      Problem is tcp_ack() can trigger send of new packets (retransmits),
      reflecting the prior TSval, instead of the TSval contained in the
      currently processed incoming packet.
      
      Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the
      checks, but before the actions.
      Reported-by: Yuchung Cheng <ycheng@google.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 18 Apr, 2013 14 commits
  3. 17 Apr, 2013 13 commits