Skip to content
Commits on Oct 10, 2012
  1. @bwhacks

    Linux 3.2.31

    bwhacks committed
  2. @yevmel @bwhacks

    Bluetooth: Add support for Sony Vaio T-Series

    yevmel committed with bwhacks
    commit bc21fde upstream.
    
    Add Sony Vaio T-Series Bluetooth Module( 0x489:0xE036) to
    the blacklist of btusb module and add it to the ath3k module.
    
    output of cat /sys/kernel/debug/usb/devices
    
    T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  5 Spd=12   MxCh= 0
    D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0489 ProdID=e036 Rev= 0.02
    S:  Manufacturer=Atheros Communications
    S:  Product=Bluetooth USB Host Controller
    S:  SerialNumber=Alaska Day 2006
    C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    
    Signed-off-by: Yevgeniy Melnichuk <yevgeniy.melnichuk@googlemail.com>
    Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  3. @bwhacks

    Bluetooth: add support for atheros 0489:e057

    Peng Chen committed with bwhacks
    commit 2096ae6 upstream.
    
        Add support for the AR3012 chip found on Fioxconn.
    
        usb-devices shows:
    
        T:  Bus=06 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 44 Spd=12   MxCh= 0
        D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
        P:  Vendor=0489 ProdID=e057 Rev= 0.02
        C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
        I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
        E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
        E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
        I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
        I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
        I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
        I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
        I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
        I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
        E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
        E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    
    Signed-off-by: Peng Chen <pengchen@qca.qualcomm.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  4. @bwhacks

    Bluetooth: add support for atheros 0930:0219

    Giancarlo Formicuccia committed with bwhacks
    commit 6c4ae5c upstream.
    
    Add support for the AR3012 chip found on the Toshiba Sallite M840-1000-XQ.
    
    usb-devices shows:
    
    T:  Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#=  5 Spd=12  MxCh= 0
    D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0930 ProdID=0219 Rev=00.02
    S:  Manufacturer=Atheros Communications
    S:  Product=Bluetooth USB Host Controller
    S:  SerialNumber=Alaska Day 2006
    C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    
    Signed-off-by: Giancarlo Formicuccia <giancarlo.formicuccia@gmail.com>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  5. @bwhacks

    Bluetooth: Support AR3011 in Acer Iconia Tab W500

    Marek Vasut committed with bwhacks
    commit 6eda541 upstream.
    
    Acer used this chip connected via USB:
    
    Bus 005 Device 005: ID 0cf3:3005 Atheros Communications, Inc. AR3011 Bluetooth
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               1.10
      bDeviceClass          224 Wireless
      bDeviceSubClass         1 Radio Frequency
      bDeviceProtocol         1 Bluetooth
      bMaxPacketSize0        64
      idVendor           0x0cf3 Atheros Communications, Inc.
      idProduct          0x3005 AR3011 Bluetooth
      bcdDevice            0.01
      iManufacturer           0
      iProduct                0
      iSerial                 0
      bNumConfigurations      1
    
    Signed-off-by: Marek Vasut <marex@denx.de>
    Cc: Gustavo Padovan <gustavo@padovan.org>
    Cc: Johan Hedberg <johan.hedberg@gmail.com>
    Cc: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  6. @bwhacks

    tg3: Fix TSO CAP for 5704 devs w / ASF enabled

    Matt Carlson committed with bwhacks
    [ Upstream commit cf9ecf4 ]
    
    On the earliest TSO capable devices, TSO was accomplished through
    firmware.  The TSO cannot coexist with ASF management firmware though.
    The tg3 driver determines whether or not ASF is enabled by calling
    tg3_get_eeprom_hw_cfg(), which checks a particular bit of NIC memory.
    Commit dabc5c6, entitled "tg3: Move
    TSO_CAPABLE assignment", accidentally moved the code that determines
    TSO capabilities earlier than the call to tg3_get_eeprom_hw_cfg().  As a
    consequence, the driver was attempting to determine TSO capabilities
    before it had all the data it needed to make the decision.
    
    This patch fixes the problem by revisiting and reevaluating the decision
    after tg3_get_eeprom_hw_cfg() is called.
    
    Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
    Signed-off-by: Michael Chan <mchan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  7. @ecashin @bwhacks

    aoe: assert AoE packets marked as requiring no checksum

    ecashin committed with bwhacks
    [ Upstream commit 8babe8c ]
    
    In order for the network layer to see that AoE requires
    no checksumming in a generic way, the packets must be
    marked as requiring no checksum, so we make this requirement
    explicit with the assertion.
    
    Signed-off-by: Ed Cashin <ecashin@coraid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  8. @ecashin @bwhacks

    net: do not disable sg for packets requiring no checksum

    ecashin committed with bwhacks
    [ Upstream commit c0d680e ]
    
    A change in a series of VLAN-related changes appears to have
    inadvertently disabled the use of the scatter gather feature of
    network cards for transmission of non-IP ethernet protocols like ATA
    over Ethernet (AoE).  Below is a reference to the commit that
    introduces a "harmonize_features" function that turns off scatter
    gather when the NIC does not support hardware checksumming for the
    ethernet protocol of an sk buff.
    
      commit f01a523
      Author: Jesse Gross <jesse@nicira.com>
      Date:   Sun Jan 9 06:23:31 2011 +0000
    
          net offloading: Generalize netif_get_vlan_features().
    
    The can_checksum_protocol function is not equipped to consider a
    protocol that does not require checksumming.  Calling it for a
    protocol that requires no checksum is inappropriate.
    
    The patch below has harmonize_features call can_checksum_protocol when
    the protocol needs a checksum, so that the network layer is not forced
    to perform unnecessary skb linearization on the transmission of AoE
    packets.  Unnecessary linearization results in decreased performance
    and increased memory pressure, as reported here:
    
      http://www.spinics.net/lists/linux-mm/msg15184.html
    
    The problem has probably not been widely experienced yet, because
    only recently has the kernel.org-distributed aoe driver acquired the
    ability to use payloads of over a page in size, with the patchset
    recently included in the mm tree:
    
      https://lkml.org/lkml/2012/8/28/140
    
    The coraid.com-distributed aoe driver already could use payloads of
    greater than a page in size, but its users generally do not use the
    newest kernels.
    
    Signed-off-by: Ed Cashin <ecashin@coraid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  9. @bwhacks

    netrom: copy_datagram_iovec can fail

    Alan Cox committed with bwhacks
    [ Upstream commit 6cf5c95 ]
    
    Check for an error from this and if so bail properly.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  10. @bwhacks

    l2tp: fix a typo in l2tp_eth_dev_recv()

    Eric Dumazet committed with bwhacks
    [ Upstream commit c0cc88a ]
    
    While investigating l2tp bug, I hit a bug in eth_type_trans(),
    because not enough bytes were pulled in skb head.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  11. @bwhacks

    ipv6: mip6: fix mip6_mh_filter()

    Eric Dumazet committed with bwhacks
    [ Upstream commit 96af69e ]
    
    mip6_mh_filter() should not modify its input, or else its caller
    would need to recompute ipv6_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  12. @bwhacks

    ipv6: raw: fix icmpv6_filter()

    Eric Dumazet committed with bwhacks
    [ Upstream commit 1b05c4b ]
    
    icmpv6_filter() should not modify its input, or else its caller
    would need to recompute ipv6_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull() and
    change the prototype to make clear both sk and skb are const.
    
    Also, if icmpv6 header cannot be found, do not deliver the packet,
    as we do in IPv4.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  13. @bwhacks

    ipv4: raw: fix icmp_filter()

    Eric Dumazet committed with bwhacks
    [ Upstream commit ab43ed8 ]
    
    icmp_filter() should not modify its input, or else its caller
    would need to recompute ip_hdr() if skb->head is reallocated.
    
    Use skb_header_pointer() instead of pskb_may_pull() and
    change the prototype to make clear both sk and skb are const.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  14. @bwhacks

    net: guard tcp_set_keepalive() to tcp sockets

    Eric Dumazet committed with bwhacks
    [ Upstream commit 3e10986 ]
    
    Its possible to use RAW sockets to get a crash in
    tcp_set_keepalive() / sk_reset_timer()
    
    Fix is to make sure socket is a SOCK_STREAM one.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  15. @chemag @bwhacks

    net: small bug on rxhash calculation

    chemag committed with bwhacks
    [ Upstream commit 6862234 ]
    
    In the current rxhash calculation function, while the
    sorting of the ports/addrs is coherent (you get the
    same rxhash for packets sharing the same 4-tuple, in
    both directions), ports and addrs are sorted
    independently. This implies packets from a connection
    between the same addresses but crossed ports hash to
    the same rxhash.
    
    For example, traffic between A=S:l and B=L:s is hashed
    (in both directions) from {L, S, {s, l}}. The same
    rxhash is obtained for packets between C=S:s and D=L:l.
    
    This patch ensures that you either swap both addrs and ports,
    or you swap none. Traffic between A and B, and traffic
    between C and D, get their rxhash from different sources
    ({L, S, {l, s}} for A<->B, and {L, S, {s, l}} for C<->D)
    
    The patch is co-written with Eric Dumazet <edumazet@google.com>
    
    Signed-off-by: Chema Gonzalez <chema@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  16. @xdxu @bwhacks

    pppoe: drop PPPOX_ZOMBIEs in pppoe_release

    xdxu committed with bwhacks
    [ Upstream commit 2b018d5 ]
    
    When PPPOE is running over a virtual ethernet interface (e.g., a
    bonding interface) and the user tries to delete the interface in case
    the PPPOE state is ZOMBIE, the kernel will loop forever while
    unregistering net_device for the reference count is not decreased to
    zero which should have been done with dev_put().
    
    Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  17. @tgraf @bwhacks

    sctp: Don't charge for data in sndbuf again when transmitting packet

    tgraf committed with bwhacks
    [ Upstream commit 4c3a5bd ]
    
    SCTP charges wmem_alloc via sctp_set_owner_w() in sctp_sendmsg() and via
    skb_set_owner_w() in sctp_packet_transmit(). If a sender runs out of
    sndbuf it will sleep in sctp_wait_for_sndbuf() and expects to be waken up
    by __sctp_write_space().
    
    Buffer space charged via sctp_set_owner_w() is released in sctp_wfree()
    which calls __sctp_write_space() directly.
    
    Buffer space charged via skb_set_owner_w() is released via sock_wfree()
    which calls sk->sk_write_space() _if_ SOCK_USE_WRITE_QUEUE is not set.
    sctp_endpoint_init() sets SOCK_USE_WRITE_QUEUE on all sockets.
    
    Therefore if sctp_packet_transmit() manages to queue up more than sndbuf
    bytes, sctp_wait_for_sndbuf() will never be woken up again unless it is
    interrupted by a signal.
    
    This could be fixed by clearing the SOCK_USE_WRITE_QUEUE flag but ...
    
    Charging for the data twice does not make sense in the first place, it
    leads to overcharging sndbuf by a factor 2. Therefore this patch only
    charges a single byte in wmem_alloc when transmitting an SCTP packet to
    ensure that the socket stays alive until the packet has been released.
    
    This means that control chunks are no longer accounted for in wmem_alloc
    which I believe is not a problem as skb->truesize will typically lead
    to overcharging anyway and thus compensates for any control overhead.
    
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    CC: Vlad Yasevich <vyasevic@redhat.com>
    CC: Neil Horman <nhorman@tuxdriver.com>
    CC: David Miller <davem@davemloft.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  18. @mkubecek @bwhacks

    tcp: flush DMA queue before sk_wait_data if rcv_wnd is zero

    mkubecek committed with bwhacks
    [ Upstream commit 15c0417 ]
    
    If recv() syscall is called for a TCP socket so that
      - IOAT DMA is used
      - MSG_WAITALL flag is used
      - requested length is bigger than sk_rcvbuf
      - enough data has already arrived to bring rcv_wnd to zero
    then when tcp_recvmsg() gets to calling sk_wait_data(), receive
    window can be still zero while sk_async_wait_queue exhausts
    enough space to keep it zero. As this queue isn't cleaned until
    the tcp_service_net_dma() call, sk_wait_data() cannot receive
    any data and blocks forever.
    
    If zero receive window and non-empty sk_async_wait_queue is
    detected before calling sk_wait_data(), process the queue first.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  19. @bwhacks

    ipv6: release reference of ip6_null_entry's dst entry in __ip6_del_rt

    Gao feng committed with bwhacks
    [ Upstream commit 6825a26 ]
    
    as we hold dst_entry before we call __ip6_del_rt,
    so we should alse call dst_release not only return
    -ENOENT when the rt6_info is ip6_null_entry.
    
    and we already hold the dst entry, so I think it's
    safe to call dst_release out of the write-read lock.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  20. @bwhacks

    8021q: fix mac_len recomputation in vlan_untag()

    Antonio Quartulli committed with bwhacks
    [ Upstream commit 5316cf9 ]
    
    skb_reset_mac_len() relies on the value of the skb->network_header pointer,
    therefore we must wait for such pointer to be recalculated before computing
    the new mac_len value.
    
    Signed-off-by: Antonio Quartulli <ordex@autistici.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  21. @bwhacks

    sierra_net: Endianess bug fix.

    Lennart Sorensen committed with bwhacks
    [ Upstream commit 2120c52 ]
    
    I discovered I couldn't get sierra_net to work on a powerpc.  Turns out
    the firmware attribute check assumes the system is little endian and
    hence fails because the attributes is a 16 bit value.
    
    Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  22. @paolo-github @bwhacks

    pkt_sched: fix virtual-start-time update in QFQ

    paolo-github committed with bwhacks
    [ Upstream commit 7126195 ]
    
    If the old timestamps of a class, say cl, are stale when the class
    becomes active, then QFQ may assign to cl a much higher start time
    than the maximum value allowed. This may happen when QFQ assigns to
    the start time of cl the finish time of a group whose classes are
    characterized by a higher value of the ratio
    max_class_pkt/weight_of_the_class with respect to that of
    cl. Inserting a class with a too high start time into the bucket list
    corrupts the data structure and may eventually lead to crashes.
    This patch limits the maximum start time assigned to a class.
    
    Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  23. @bwhacks

    net-sched: sch_cbq: avoid infinite loop

    Eric Dumazet committed with bwhacks
    [ Upstream commit bdfc87f ]
    
    Its possible to setup a bad cbq configuration leading to
    an infinite loop in cbq_classify()
    
    DEV_OUT=eth0
    ICMP="match ip protocol 1 0xff"
    U32="protocol ip u32"
    DST="match ip dst"
    tc qdisc add dev $DEV_OUT root handle 1: cbq avpkt 1000 \
    	bandwidth 100mbit
    tc class add dev $DEV_OUT parent 1: classid 1:1 cbq \
    	rate 512kbit allot 1500 prio 5 bounded isolated
    tc filter add dev $DEV_OUT parent 1: prio 3 $U32 \
    	$ICMP $DST 192.168.3.234 flowid 1:
    
    Reported-by: Denys Fedoryschenko <denys@visp.net.lb>
    Tested-by: Denys Fedoryschenko <denys@visp.net.lb>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  24. @newbg @bwhacks

    netxen: check for root bus in netxen_mask_aer_correctable

    newbg committed with bwhacks
    [ Upstream commit e4d1aa4 ]
    
    Add a check if pdev->bus->self == NULL (root bus). When attaching
    a netxen NIC to a VM it can be on the root bus and the guest would
    crash in netxen_mask_aer_correctable() because of a NULL pointer
    dereference if CONFIG_PCIEAER is present.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  25. @ffainelli @bwhacks

    ixp4xx_hss: fix build failure due to missing linux/module.h inclusion

    ffainelli committed with bwhacks
    [ Upstream commit 0b836dd ]
    
    Commit 36a1211 (netprio_cgroup.h:
    dont include module.h from other includes) made the following build
    error on ixp4xx_hss pop up:
    
      CC [M]  drivers/net/wan/ixp4xx_hss.o
     drivers/net/wan/ixp4xx_hss.c:1412:20: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1413:25: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1414:21: error: expected ';', ',' or ')'
     before string constant
     drivers/net/wan/ixp4xx_hss.c:1415:19: error: expected ';', ',' or ')'
     before string constant
     make[8]: *** [drivers/net/wan/ixp4xx_hss.o] Error 1
    
    This was previously hidden because ixp4xx_hss includes linux/hdlc.h which
    includes linux/netdevice.h which includes linux/netprio_cgroup.h which
    used to include linux/module.h. The real issue was actually present since
    the initial commit that added this driver since it uses macros from
    linux/module.h without including this file.
    
    Signed-off-by: Florian Fainelli <florian@openwrt.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  26. @htbegin @bwhacks

    net: ethernet: davinci_cpdma: decrease the desc count when cleaning u…

    htbegin committed with bwhacks
    …p the remaining packets
    
    [ Upstream commit ffb5ba9 ]
    
    chan->count is used by rx channel. If the desc count is not updated by
    the clean up loop in cpdma_chan_stop, the value written to the rxfree
    register in cpdma_chan_start will be incorrect.
    
    Signed-off-by: Tao Hou <hotforest@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  27. @minipli @bwhacks

    xfrm_user: ensure user supplied esn replay window is valid

    minipli committed with bwhacks
    [ Upstream commit ecd7918 ]
    
    The current code fails to ensure that the netlink message actually
    contains as many bytes as the header indicates. If a user creates a new
    state or updates an existing one but does not supply the bytes for the
    whole ESN replay window, the kernel copies random heap bytes into the
    replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
    netlink attribute. This leads to following issues:
    
    1. The replay window has random bits set confusing the replay handling
       code later on.
    
    2. A malicious user could use this flaw to leak up to ~3.5kB of heap
       memory when she has access to the XFRM netlink interface (requires
       CAP_NET_ADMIN).
    
    Known users of the ESN replay window are strongSwan and Steffen's
    iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
    uses the interface with a bitmap supplied while the former does not.
    strongSwan is therefore prone to run into issue 1.
    
    To fix both issues without breaking existing userland allow using the
    XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
    fully specified one. For the former case we initialize the in-kernel
    bitmap with zero, for the latter we copy the user supplied bitmap. For
    state updates the full bitmap must be supplied.
    
    To prevent overflows in the bitmap length calculation the maximum size
    of bmp_len is limited to 128 by this patch -- resulting in a maximum
    replay window of 4096 packets. This should be sufficient for all real
    life scenarios (RFC 4303 recommends a default replay window size of 64).
    
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Martin Willi <martin@revosec.ch>
    Cc: Ben Hutchings <bhutchings@solarflare.com>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  28. @minipli @bwhacks

    xfrm_user: don't copy esn replay window twice for new states

    minipli committed with bwhacks
    [ Upstream commit e3ac104 ]
    
    The ESN replay window was already fully initialized in
    xfrm_alloc_replay_state_esn(). No need to copy it again.
    
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  29. @minipli @bwhacks

    xfrm_user: fix info leak in copy_to_user_tmpl()

    minipli committed with bwhacks
    [ Upstream commit 1f86840 ]
    
    The memory used for the template copy is a local stack variable. As
    struct xfrm_user_tmpl contains multiple holes added by the compiler for
    alignment, not initializing the memory will lead to leaking stack bytes
    to userland. Add an explicit memset(0) to avoid the info leak.
    
    Initial version of the patch by Brad Spengler.
    
    Cc: Brad Spengler <spender@grsecurity.net>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  30. @minipli @bwhacks

    xfrm_user: fix info leak in copy_to_user_policy()

    minipli committed with bwhacks
    [ Upstream commit 7b78983 ]
    
    The memory reserved to dump the xfrm policy includes multiple padding
    bytes added by the compiler for alignment (padding bytes in struct
    xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
    memset(0) before filling the buffer to avoid the heap info leak.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  31. @minipli @bwhacks

    xfrm_user: fix info leak in copy_to_user_state()

    minipli committed with bwhacks
    [ Upstream commit f778a63 ]
    
    The memory reserved to dump the xfrm state includes the padding bytes of
    struct xfrm_usersa_info added by the compiler for alignment (7 for
    amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
    to avoid the info leak.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  32. @minipli @bwhacks

    xfrm_user: fix info leak in copy_to_user_auth()

    minipli committed with bwhacks
    [ Upstream commit 4c87308 ]
    
    copy_to_user_auth() fails to initialize the remainder of alg_name and
    therefore discloses up to 54 bytes of heap memory via netlink to
    userland.
    
    Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
    with null bytes.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  33. @bwhacks

    xfrm: fix a read lock imbalance in make_blackhole

    Li RongQing committed with bwhacks
    [ Upstream commit 433a195 ]
    
    if xfrm_policy_get_afinfo returns 0, it has already released the read
    lock, xfrm_policy_put_afinfo should not be called again.
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  34. @minipli @bwhacks

    xfrm_user: return error pointer instead of NULL #2

    minipli committed with bwhacks
    [ Upstream commit c254637 ]
    
    When dump_one_policy() returns an error, e.g. because of a too small
    buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns
    NULL instead of an error pointer. But its caller expects an error
    pointer and therefore continues to operate on a NULL skbuff.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  35. @minipli @bwhacks

    xfrm_user: return error pointer instead of NULL

    minipli committed with bwhacks
    [ Upstream commit 864745d ]
    
    When dump_one_state() returns an error, e.g. because of a too small
    buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
    instead of an error pointer. But its callers expect an error pointer
    and therefore continue to operate on a NULL skbuff.
    
    This could lead to a privilege escalation (execution of user code in
    kernel context) if the attacker has CAP_NET_ADMIN and is able to map
    address 0.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Something went wrong with that request. Please try again.