1. 19 Apr, 2013 17 commits
    • Jitendra Kalsaria's avatar
      qlge: Fix ethtool autoneg advertising. · c5e991af
      Jitendra Kalsaria authored
      Autoneg is supported on specific port types only. Fix the driver to advertise
      autoneg based on the port type.
      Signed-off-by: default avatarJitendra Kalsaria <jitendra.kalsaria@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Sritej Velaga's avatar
      qlge: Fix receive path to drop error frames · ae721f3a
      Sritej Velaga authored
      o Fix the driver to drop error frames in the receive path
      o Update error counter which was not getting incremented
      Signed-off-by: default avatarSritej Velaga <sritej.velaga@qlogic.com>
      Signed-off-by: default avatarJitendra Kalsaria <jitendra.kalsaria@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • David S. Miller's avatar
      Merge branch 'qmi_wwan' · b79d4a8d
      David S. Miller authored
      Bjørn Mork says:
      This series adds workarounds for 3 different firmware bugs, each
      preventing the affected devices from working at all. I therefore
      humbly request that these fixes go to stable-3.8 (if still
      maintained) and 3.9 (either via net if still possible, or via
      stable if not).
      All 3 workarounds are applied to all devices supported by the driver.
      Adding quirks for specific devices was considered as an alternative,
      but was rejected because we have too little information about the
      exact distribution of the buggy firmwares. All we know is that the
      same bug shows up in devices from at least 3 different, and presumably
      independent, vendors.
      The workarounds have instead been designed to automatically apply
      when necessary, and to have as little impact as possible on unaffected
      devices.  The series has been tested on a number of devices both with
      and without these bugs.
      The series should apply cleanly to net/master, net-next/master and
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Bjørn Mork's avatar
      net: qmi_wwan: prevent duplicate mac address on link (firmware bug workaround) · cc6ba5fd
      Bjørn Mork authored
      We normally trust and use the CDC functional descriptors provided by a
      number of devices.  But some of these will erroneously list the address
      reserved for the device end of the link.  Attempting to use this on
      both the device and host side will naturally not work.
      Work around this bug by ignoring the functional descriptor and assign a
      random address instead in this case.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Bjørn Mork's avatar
      net: qmi_wwan: fixup destination address (firmware bug workaround) · 6483bdc9
      Bjørn Mork authored
      Received packets are sometimes addressed to 00:a0:c6:00:00:00
      instead of the address the device firmware should have learned
      from the host:
      321.224126 -> ICMP 98 Echo (ping) request  id=0x4025, seq=64/16384, ttl=64
      0000  82 c0 82 c9 f1 67 82 c0 82 c9 f1 67 08 00 45 00   .....g.....g..E.
      0010  00 54 00 00 40 00 40 01 57 cc 4d 10 55 cc 94 7a   .T..@.@.W.M.U..z
      0020  ab 86 08 00 62 fc 40 25 00 40 b2 bc 6e 51 00 00   ....b.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      321.240607 -> ICMP 98 Echo (ping) reply    id=0x4025, seq=64/16384, ttl=55
      0000  00 a0 c6 00 00 00 02 50 f3 00 00 00 08 00 45 00   .......P......E.
      0010  00 54 00 56 00 00 37 01 a0 76 94 7a ab 86 4d 10   .T.V..7..v.z..M.
      0020  55 cc 00 00 6a fc 40 25 00 40 b2 bc 6e 51 00 00   U...j.@%.@..nQ..
      0030  00 00 6b bd 09 00 00 00 00 00 10 11 12 13 14 15   ..k.............
      0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
      0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
      0060  36 37                                             67
      The bogus address is always the same, and matches the address
      suggested by many devices as a default address.  It is likely a
      hardcoded firmware default.
      The circumstances where this bug has been observed indicates that
      the trigger is related to timing or some other factor the host
      cannot control. Repeating the exact same configuration sequence
      that caused it to trigger once, will not necessarily cause it to
      trigger the next time. Reproducing the bug is therefore difficult.
      This opens up a possibility that the bug is more common than we can
      confirm, because affected devices often will work properly again
      after a reset.  A procedure most users are likely to try out before
      reporting a bug.
      Unconditionally rewriting the destination address if the first digit
      of the received packet is 0, is considered an acceptable compromise
      since we already have to inspect this digit.  The simplification will
      cause unnecessary rewrites if the real address starts with 0, but this
      is still better than adding additional tests for this particular case.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Bjørn Mork's avatar
      net: qmi_wwan: fixup missing ethernet header (firmware bug workaround) · 6ff509af
      Bjørn Mork authored
      A number of LTE devices from different vendors all suffer from the
      same firmware bug: Most of the packets received from the device while
      it is attached to a LTE network will not have an ethernet header. The
      devices work as expected when attached to 2G or 3G networks, sending
      an ethernet header with all packets.
      This driver is not aware of which network the modem attached to, and
      even if it were there are still some packet types which are always
      received with the header intact.
      All devices supported by this driver have severely limited
      networking capabilities:
       - can only transmit IPv4, IPv6 and possibly ARP
       - can only support a single host hardware address at any time
       - will only do point-to-point communcation with the host
      Because of this, we are able to reliably identify any bogus raw IP
      packets by simply looking at the 4 IP version bits.  All we need to
      do is to avoid 4 or 6 in the first digit of the mac address.  This
      workaround ensures this, and fix up the received packets as necessary.
      Given the distribution of the bug, it is believed that the source is
      the chipset vendor.  The devices which are verified to be affected are:
       Huawei E392u-12 (Qualcomm MDM9200)
       Pantech UML290  (Qualcomm MDM9600)
       Novatel USB551L (Qualcomm MDM9600)
       Novatel E362    (Qualcomm MDM9600)
      It is believed that the bug depend on firmware revision, which means
      that possibly all devices based on the above mentioned chipset may be
      affected if we consider all available firmware revisions.
      The information about affected devices and versions is likely
      incomplete.  As the additional overhead for packets not needing this
      fixup is very small, it is considered acceptable to apply the
      workaround to all devices handled by this driver.
      Reported-by: default avatarDan Williams <dcbw@redhat.com>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • David S. Miller's avatar
      Merge branch 'bonding' · 0cb670ee
      David S. Miller authored
      Nikolay Aleksandrov says:
      This patch-set fixes mainly bugs on enslave failure and one occasion
      of a needed locking. The patches are:
      	1. On enslave failure mc addresses are not flushed from the slave
      	2. On enslave failure vlans are not cleaned up from the slave
      	3. On enslave failure the bond's primary and curr_active_slave
      	   are not cleaned up (which might result in use of freed memory)
      	4. On enslave failure netpoll is not disabled which might result in
      	   a memory leak
      	5. In bond_mc_swap() the bond's mc addr list is walked without
      	   netif_addr_lock, since it can be called without rtnl, add it
      v2: patch 01 - fix log message and remove unnecessary code move
      Signed-off-by: default avatarJay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • nikolay@redhat.com's avatar
      bonding: in bond_mc_swap() bond's mc addr list is walked without lock · d632ce98
      nikolay@redhat.com authored
      Use netif_addr_lock_bh() to acquire the appropriate lock before walking.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • nikolay@redhat.com's avatar
      bonding: disable netpoll on enslave failure · fc7a72ac
      nikolay@redhat.com authored
      slave_disable_netpoll() is not called upon enslave failure which would
      lead to a memory leak. Call slave_disable_netpoll() after err_detach as
      that's the first error path after enabling netpoll on that slave.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • nikolay@redhat.com's avatar
      bonding: primary_slave & curr_active_slave are not cleaned on enslave failure · 3c5913b5
      nikolay@redhat.com authored
      On enslave failure primary_slave can point to new_slave which is to be
      freed, and the same applies to curr_active_slave. So check if this is
      the case and clean up properly after err_detach because that's the first
      error code path after they're set.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • nikolay@redhat.com's avatar
      bonding: vlans don't get deleted on enslave failure · a506e7b4
      nikolay@redhat.com authored
      The main problem is with vid refcount which only gets bumped up.
      Delete the vlans after err_detach as that's the first error path
      after the vlans are added.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • nikolay@redhat.com's avatar
      bonding: mc addresses don't get deleted on enslave failure · 25e40305
      nikolay@redhat.com authored
      Add bond_mc_list_flush() after err_detach as that's the first error path
      after the addresses are added. The main issue is the mc addresses' refcount
      which only gets bumped up.
      v2: update log message and don't move code unnecessarily
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Wei Yongjun's avatar
      pkt_sched: fix error return code in fw_change_attrs() · cb95ec62
      Wei Yongjun authored
      Fix to return -EINVAL when tb[TCA_FW_MASK] is set and head->mask != 0xFFFFFFFF
      instead of 0 (ifdef CONFIG_NET_CLS_IND and tb[TCA_FW_INDEV]), as done elsewhere
      in this function.
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Dan Carpenter's avatar
      irda: small read past the end of array in debug code · e15465e1
      Dan Carpenter authored
      The "reason" can come from skb->data[] and it hasn't been capped so it
      can be from 0-255 instead of just 0-6.  For example in irlmp_state_dtr()
      the code does:
      	reason = skb->data[3];
      	irlmp_disconnect_indication(self, reason, skb);
      Also LMREASON has a couple other values which don't have entries in the
      irlmp_reasons[] array.  And 0xff is a valid reason as well which means
      So far as I can see we don't actually care about "reason" except for in
      the debug code.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · fd7fc253
      David S. Miller authored
      Pablo Neira Ayuso says:
      If time allows, please consider pulling the following patchset contains two
      late Netfilter fixes, they are:
      * Skip broadcast/multicast locally generated traffic in the rpfilter,
        (closes netfilter bugzilla #814), from Florian Westphal.
      * Fix missing elements in the listing of ipset bitmap ip,mac set
        type with timeout support enabled, from Jozsef Kadlecsik.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • David S. Miller's avatar
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 6a4cd3fd
      David S. Miller authored
      John W. Linville says:
      A few stragglers hoping for 3.9, somewhat delayed due to my travels...
      On the mac80211 bits, Johannes says:
      "Sadly, I have another pull request -- the idle handling fix broke LED
      handling in some cases."
      "Yet one more!
      This fixes a fairly important/annoying bug -- when roaming between
      multiple APs of the same network, the system could get stuck thinking it
      was connected to the old one while it really wasn't."
      On top of that...
      Arend sends a brcmfmac patch that removes advertising a feature that
      isn't actually fully supported, and a brcmsmac patch that rearranges
      code to request firmware at IFF_UP to play more nicely with being
      built into the kernel.
      Felix gives us a minor ath9k_htc fix to support the newly released
      open source firmware, and an ath9k_hw initvals fix to improve device
      Rafał Miłecki provides a fix for an ssb regression that caused a
      serious performance problem with b43.
      Zefir Kurtisi offers an ath9k fix to change some kmalloc flags to
      allow the DFS detector to be called in softirq context.
      Please let me know if there are problems.  If these don't make 3.9,
      I'll just pull them into wireless-next -- just let me know if you
      want to do it that way!
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Eric Dumazet's avatar
      tcp: call tcp_replace_ts_recent() from tcp_ack() · 12fb3dd9
      Eric Dumazet authored
      commit bd090dfc
       (tcp: tcp_replace_ts_recent() should not be called
      from tcp_validate_incoming()) introduced a TS ecr bug in slow path
      1 A > B P. 1:10001(10000) ack 1 <nop,nop,TS val 1001 ecr 200>
      2 B < A . 1:1(0) ack 1 win 257 <sack 9001:10001,TS val 300 ecr 1001>
      3 A > B . 1:1001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      4 A > B . 1001:2001(1000) ack 1 win 227 <nop,nop,TS val 1002 ecr 200>
      (ecr 200 should be ecr 300 in packets 3 & 4)
      Problem is tcp_ack() can trigger send of new packets (retransmits),
      reflecting the prior TSval, instead of the TSval contained in the
      currently processed incoming packet.
      Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the
      checks, but before the actions.
      Reported-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  2. 18 Apr, 2013 14 commits
  3. 17 Apr, 2013 9 commits
    • Antonio Quartulli's avatar
      batman-adv: make is_my_mac() check for the current mesh only · fe8a93b9
      Antonio Quartulli authored
      On a multi-mesh node (a node running more than one batman-adv
      virtual interface) batadv_is_my_mac() has to check MAC
      addresses of hard interfaces belonging to the current mesh
      Signed-off-by: default avatarAntonio Quartulli <ordex@autistici.org>
      Signed-off-by: default avatarMarek Lindner <lindner_marek@yahoo.de>
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · 96d86834
      Linus Torvalds authored
      Pull Ceph fix from Sage Weil:
       "It's a simple fix for a hard to hit race, but low-risk and clearly
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        rbd: do a safe list traversal in rbd_img_request_submit()
    • Marc Zyngier's avatar
      ARM: KVM: fix unbalanced get_cpu() in access_dcsw · 15bbc1b2
      Marc Zyngier authored
      In the very unlikely event where a guest would be foolish enough to
      *read* from a write-only cache maintainance register, we end up
      with preemption disabled, due to a misplaced get_cpu().
      Just move the "is_write" test outside of the critical section.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@cs.columbia.edu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Alex Elder's avatar
      rbd: do a safe list traversal in rbd_img_request_submit() · 46faeed4
      Alex Elder authored
      It's possible that the reference to the object request dropped
      inside the loop in rbd_img_request_submit() will be the last
      one, in which case the content of the object pointer can't be
      Use a safe form of the object request list traversal to avoid
      This resolves:
      Signed-off-by: default avatarAlex Elder <elder@inktank.com>
      Reviewed-by: default avatarJosh Durgin <josh.durgin@inktank.com>
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · fca83168
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       1) Fix erroneous netfilter drop of SIP packets generated by some Cisco
          phones, from Patrick McHardy.
       2) Fix netfilter IPSET refcounting in list_set_add(), from Jozsef
       3) Fix TCP syncookies route lookup key, we don't use the same values we
          would use for the usual SYN receive processing, from Dmitry Popov.
       4) Fix NULL deref in bond_slave_netdev_event(), from Nikolay
       5) When bonding enslave fails, we can forget to clear the IFF_BONDING
          bit, fix also from Nikolay Aleksandrov.
       6) skb->csum_start is 16-bits, which is almost always just fine.  But
          if we reallocate the headroom of an SKB this can push the
          skb->csum_start value outside of it's valid range.  This can easily
          happen when collapsing multiple SKBs from the retransmit queue
          Fix from Thomas Graf.
       7) Fix NULL deref in be2net driver due to missing check of
          __vlan_put_tag() return value, from Ivan Vecera.
       8) tun_set_iff() returns zero instead of error code on failure, fix
          from Wei Yongjun.
       9) Like GARP, 802 MRP needs to hold the app->lock when adding MAD
          events and queueing PDUs.  Fix from David Ward.
      10) Build fix, MVMDIO needs PHYLIB, from Thomas Petazzoni..
      11) Fix mac80211 static with ipv6 modular build, from Cong Wang.
      12) If userland specifies a path cost explicitly, do not override it
          when the carrier state changes.  From Stephen Hemminger.
      13) mvnets calculates the TX queue to use incorrectly resulting in
          garbage pointer derefs and crashes, fix from Willy Tarreau.
      14) cdc_mbim does erroneous sizeof(ETH_HLEN).  Fix from Bjorn Mork.
      15) IP fragmentation can leak a refcount-less route out from an RCU
          protected section.  This results in crashes and all sorts of hard to
          diagnose behavior.  Fix from Eric Dumazet.
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
        qlcnic: fix beaconing test for 82xx adapter
        net: drop dst before queueing fragments
        net: fec: fix regression in link change accounting
        net: cdc_mbim: remove bogus sizeof()
        drivers: net: ethernet: cpsw: get slave VLAN id from slave node instead of cpsw node
        net: mvneta: fix improper tx queue usage in mvneta_tx()
        esp4: fix error return code in esp_output()
        bridge: make user modified path cost sticky
        ipv6: statically link register_inet6addr_notifier()
        net: mvmdio: add select PHYLIB
        net/802/mrp: fix possible race condition when calling mrp_pdu_queue()
        tuntap: fix error return code in tun_set_iff()
        be2net: take care of __vlan_put_tag return value
        can: sja1000: fix handling on dt properties on little endian systems
        can: mcp251x: add missing IRQF_ONESHOT to request_threaded_irq
        netfilter: nf_nat: fix race when unloading protocol modules
        tcp: Reallocate headroom if it would overflow csum_start
        stmmac: prevent interrupt loop with MMC RX IPC Counter
        bonding: IFF_BONDING is not stripped on enslave failure
        bonding: fix netdev event NULL pointer dereference
    • Linus Torvalds's avatar
      s390: move dummy io_remap_pfn_range() to asm/pgtable.h · 4f2e2903
      Linus Torvalds authored
      Commit b4cbb197
       ("vm: add vm_iomap_memory() helper function") added
      a helper function wrapper around io_remap_pfn_range(), and every other
      architecture defined it in <asm/pgtable.h>.
      The s390 choice of <asm/io.h> may make sense, but is not very convenient
      for this case, and gratuitous differences like that cause unexpected errors like this:
         mm/memory.c: In function 'vm_iomap_memory':
         mm/memory.c:2439:2: error: implicit declaration of function 'io_remap_pfn_range' [-Werror=implicit-function-declaration]
      Glory be the kbuild test robot who noticed this, bisected it, and
      reported it to the guilty parties (ie me).
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Himanshu Madhani's avatar
      qlcnic: fix beaconing test for 82xx adapter · 361cd29c
      Himanshu Madhani authored
      o Commit 319ecf12
        ("qlcnic: 83xx sysfs routines") introduced regression
        for beaconing test while refactoring 82xx code. This patch is to
        revert code to fix beaconing test for 82xx adapter.
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarShahed Shaikh <shahed.shaikh@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Eric Dumazet's avatar
      net: drop dst before queueing fragments · 97599dc7
      Eric Dumazet authored
      Commit 4a94445c (net: Use ip_route_input_noref() in input path)
      added a bug in IP defragmentation handling, as non refcounted
      dst could escape an RCU protected section.
      Commit 64f3b9e2
       (net: ip_expire() must revalidate route) fixed
      the case of timeouts, but not the general problem.
      Tom Parkin noticed crashes in UDP stack and provided a patch,
      but further analysis permitted us to pinpoint the root cause.
      Before queueing a packet into a frag list, we must drop its dst,
      as this dst has limited lifetime (RCU protected)
      When/if a packet is finally reassembled, we use the dst of the very
      last skb, still protected by RCU and valid, as the dst of the
      reassembled packet.
      Use same logic in IPv6, as there is no need to hold dst references.
      Reported-by: default avatarTom Parkin <tparkin@katalix.com>
      Tested-by: default avatarTom Parkin <tparkin@katalix.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · 542a6724
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "A build fix for an incomplete change to the ARM cpu suspend code"
      * branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: Do 15e0d9e3 (ARM: pm: let platforms select cpu_suspend support) properly