Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v3.12 2013-10-23T06:47:42+00:00 2013-10-23T06:47:42+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-10-23T06:47:42+00:00 urn:sha1:db10accfd266a93149cd21cd75026aa03c635e7e Pull networking fixes from David Miller: "Sorry I let so much accumulate, I was in Buffalo and wanted a few things to cook in my tree for a while before sending to you. Anyways, it's a lot of little things as usual at this stage in the game" 1) Make bonding MAINTAINERS entry reflect reality, from Andy Gospodarek. 2) Fix accidental sock_put() on timewait mini sockets, from Eric Dumazet. 3) Fix crashes in l2tp due to mis-handling of ipv4 mapped ipv6 addresses, from François CACHEREUL. 4) Fix heap overflow in __audit_sockaddr(), from the eagle eyed Dan Carpenter. 5) tcp_shifted_skb() doesn't take handle FINs properly, from Eric Dumazet. 6) SFC driver bug fixes from Ben Hutchings. 7) Fix TX packet scheduling wedge after channel change in ath9k driver, from Felix Fietkau. 8) Fix user after free in BPF JIT code, from Alexei Starovoitov. 9) Source address selection test is reversed in __ip_route_output_key(), fix from Jiri Benc. 10) VLAN and CAN layer mis-size netlink attributes, from Marc Kleine-Budde. 11) Fix permission checks in sysctls to use current_euid() instead of current_uid(). From Eric W Biederman. 12) IPSEC policies can go away while a timer is still pending for them, add appropriate ref-counting to fix, from Steffen Klassert. 13) Fix mis-programming of FDR and RMCR registers on R8A7740 sh_eth chips, from Nguyen Hong Ky and Simon Horman. 14) MLX4 forgets to DMA unmap pages on RX, fix from Amir Vadai. 15) IPV6 GRE tunnel MTU upper limit is miscalculated, from Oussama Ghorbel. 16) Fix typo in fq_change(), we were assigning "initial quantum" to "quantum". From Eric Dumazet. 17) Set a more appropriate sk_pacing_rate for non-TCP sockets, otherwise FQ packet scheduler does not pace those flows properly. Also from Eric Dumazet. 18) rtlwifi miscalculates packet pointers, from Mark Cave-Ayland. 19) l2tp_xmit_skb() can be called from process context, not just softirq context, so we must always make sure to BH disable around it. From Eric Dumazet. 20) On qdisc reset, we forget to purge the RB tree of SKBs in netem packet scheduler. From Stephen Hemminger. 21) Fix info leak in farsync WAN driver ioctl() handler, from Dan Carpenter and Salva Peiró. 22) Fix PHY reset and other issues in dm9000 driver, from Nikita Kiryanov and Michael Abbott. 23) When hardware can do SCTP crc32 checksums, we accidently don't disable the csum offload when IPSEC transformations have been applied. From Fan Du and Vlad Yasevich. 24) Tail loss probing in TCP leaves the socket in the wrong congestion avoidance state. From Yuchung Cheng. 25) In CPSW driver, enable NAPI before interrupts are turned on, from Markus Pargmann. 26) Integer underflow and dual-assignment in YAM hamradio driver, from Dan Carpenter. 27) If we are going to mangle a packet in tcp_set_skb_tso_segs() we must unclone it. This fixes various hard to track down crashes in drivers where the SKBs ->gso_segs was changing right from underneath the driver during TX queueing. From Eric Dumazet. 28) Fix the handling of VLAN IDs, and in particular the special IDs 0 and 4095, in the bridging layer. From Toshiaki Makita. 29) Another info leak, this time in wanxl WAN driver, from Salva Peiró. 30) Fix race in socket credential passing, from Daniel Borkmann. 31) WHen NETLABEL is disabled, we don't validate CIPSO packets properly, from Seif Mazareeb. 32) Fix identification of fragmented frames in ipv4/ipv6 UDP Fragmentation Offload output paths, from Jiri Pirko. 33) Virtual Function fixes in bnx2x driver from Yuval Mintz and Ariel Elior. 34) When we removed the explicit neighbour pointer from ipv6 routes a slight regression was introduced for users such as IPVS, xt_TEE, and raw sockets. We mix up the users requested destination address with the routes assigned nexthop/gateway. From Julian Anastasov and Simon Horman. 35) Fix stack overruns in rt6_probe(), the issue is that can end up doing two full packet xmit paths at the same time when emitting neighbour discovery messages. From Hannes Frederic Sowa. 36) davinci_emac driver doesn't handle IFF_ALLMULTI correctly, from Mariusz Ceier. 37) Make sure to set TCP sk_pacing_rate after the first legitimate RTT sample, from Neal Cardwell. 38) Wrong netlink attribute passed to xfrm_replay_verify_len(), from Steffen Klassert. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (152 commits) ax88179_178a: Add VID:DID for Samsung USB Ethernet Adapter ax88179_178a: Correct the RX error definition in RX header Revert "bridge: only expire the mdb entry when query is received" tcp: initialize passive-side sk_pacing_rate after 3WHS davinci_emac.c: Fix IFF_ALLMULTI setup mac802154: correct a typo in ieee802154_alloc_device() prototype ipv6: probe routes asynchronous in rt6_probe netfilter: nf_conntrack: fix rt6i_gateway checks for H.323 helper ipv6: fill rt6i_gateway with nexthop address ipv6: always prefer rt6i_gateway if present bnx2x: Set NETIF_F_HIGHDMA unconditionally bnx2x: Don't pretend during register dump bnx2x: Lock DMAE when used by statistic flow bnx2x: Prevent null pointer dereference on error flow bnx2x: Fix config when SR-IOV and iSCSI are enabled bnx2x: Fix Coalescing configuration bnx2x: Unlock VF-PF channel on MAC/VLAN config error bnx2x: Prevent an illegal pointer dereference during panic bnx2x: Fix Maximum CoS estimation for VFs drivers: net: cpsw: fix kernel warn during iperf test with interrupt pacing ... 2013-10-11T05:39:14+00:00 Ingo Molnar mingo@kernel.org 2013-10-10T08:16:30+00:00 urn:sha1:3f0116c3238a96bc18ad4b4acefe4e7be32fa861 Fengguang Wu, Oleg Nesterov and Peter Zijlstra tracked down a kernel crash to a GCC bug: GCC miscompiles certain 'asm goto' constructs, as outlined here: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 Implement a workaround suggested by Jakub Jelinek. Reported-and-tested-by: Fengguang Wu <fengguang.wu@intel.com> Reported-by: Oleg Nesterov <oleg@redhat.com> Reported-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Suggested-by: Jakub Jelinek <jakub@redhat.com> Reviewed-by: Richard Henderson <rth@twiddle.net> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: <stable@kernel.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> 2013-10-07T19:16:45+00:00 Alexei Starovoitov ast@plumgrid.com 2013-10-04T07:14:06+00:00 urn:sha1:d45ed4a4e33ae103053c0a53d280014e7101bb5c on x86 system with net.core.bpf_jit_enable = 1 sudo tcpdump -i eth1 'tcp port 22' causes the warning: [ 56.766097] Possible unsafe locking scenario: [ 56.766097] [ 56.780146] CPU0 [ 56.786807] ---- [ 56.793188] lock(&(&vb->lock)->rlock); [ 56.799593] <Interrupt> [ 56.805889] lock(&(&vb->lock)->rlock); [ 56.812266] [ 56.812266] *** DEADLOCK *** [ 56.812266] [ 56.830670] 1 lock held by ksoftirqd/1/13: [ 56.836838] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff8118f44c>] vm_unmap_aliases+0x8c/0x380 [ 56.849757] [ 56.849757] stack backtrace: [ 56.862194] CPU: 1 PID: 13 Comm: ksoftirqd/1 Not tainted 3.12.0-rc3+ #45 [ 56.868721] Hardware name: System manufacturer System Product Name/P8Z77 WS, BIOS 3007 07/26/2012 [ 56.882004] ffffffff821944c0 ffff88080bbdb8c8 ffffffff8175a145 0000000000000007 [ 56.895630] ffff88080bbd5f40 ffff88080bbdb928 ffffffff81755b14 0000000000000001 [ 56.909313] ffff880800000001 ffff880800000000 ffffffff8101178f 0000000000000001 [ 56.923006] Call Trace: [ 56.929532] [<ffffffff8175a145>] dump_stack+0x55/0x76 [ 56.936067] [<ffffffff81755b14>] print_usage_bug+0x1f7/0x208 [ 56.942445] [<ffffffff8101178f>] ? save_stack_trace+0x2f/0x50 [ 56.948932] [<ffffffff810cc0a0>] ? check_usage_backwards+0x150/0x150 [ 56.955470] [<ffffffff810ccb52>] mark_lock+0x282/0x2c0 [ 56.961945] [<ffffffff810ccfed>] __lock_acquire+0x45d/0x1d50 [ 56.968474] [<ffffffff810cce6e>] ? __lock_acquire+0x2de/0x1d50 [ 56.975140] [<ffffffff81393bf5>] ? cpumask_next_and+0x55/0x90 [ 56.981942] [<ffffffff810cef72>] lock_acquire+0x92/0x1d0 [ 56.988745] [<ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380 [ 56.995619] [<ffffffff817628f1>] _raw_spin_lock+0x41/0x50 [ 57.002493] [<ffffffff8118f52a>] ? vm_unmap_aliases+0x16a/0x380 [ 57.009447] [<ffffffff8118f52a>] vm_unmap_aliases+0x16a/0x380 [ 57.016477] [<ffffffff8118f44c>] ? vm_unmap_aliases+0x8c/0x380 [ 57.023607] [<ffffffff810436b0>] change_page_attr_set_clr+0xc0/0x460 [ 57.030818] [<ffffffff810cfb8d>] ? trace_hardirqs_on+0xd/0x10 [ 57.037896] [<ffffffff811a8330>] ? kmem_cache_free+0xb0/0x2b0 [ 57.044789] [<ffffffff811b59c3>] ? free_object_rcu+0x93/0xa0 [ 57.051720] [<ffffffff81043d9f>] set_memory_rw+0x2f/0x40 [ 57.058727] [<ffffffff8104e17c>] bpf_jit_free+0x2c/0x40 [ 57.065577] [<ffffffff81642cba>] sk_filter_release_rcu+0x1a/0x30 [ 57.072338] [<ffffffff811108e2>] rcu_process_callbacks+0x202/0x7c0 [ 57.078962] [<ffffffff81057f17>] __do_softirq+0xf7/0x3f0 [ 57.085373] [<ffffffff81058245>] run_ksoftirqd+0x35/0x70 cannot reuse jited filter memory, since it's readonly, so use original bpf insns memory to hold work_struct defer kfree of sk_filter until jit completed freeing tested on x86_64 and i386 Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-10-03T00:02:35+00:00 Thomas Petazzoni thomas.petazzoni@free-electrons.com 2013-09-11T10:32:05+00:00 urn:sha1:a988fb806d72d4e3a0edbeaece3f2f1172ce44b8 Commit ebd97be635 ('PCI: remove ARCH_SUPPORTS_MSI kconfig option') removes the ARCH_SUPPORTS_MSI Kconfig option that allowed architectures to indicate whether they support PCI MSI or not. Now, PCI MSI support can be compiled in on any architecture thanks to the use of weak functions thanks to 4287d824f265 ('PCI: use weak functions for MSI arch-specific functions'). So, architecture specific code is now responsible to ensure that its PCI MSI code builds in all cases, or be appropriately conditionally compiled. On Sparc, the MSI support is only provided for Sparc64, so the ARCH_SUPPORTS_MSI kconfig option was only selected for SPARC64, and not for the Sparc architecture as a whole. Therefore, removing ARCH_SUPPORTS_MSI broke Sparc32 configurations with CONFIG_PCI_MSI=y, because the Sparc-specific MSI code is not designed to be built on Sparc32. To solve this, this commit ensures that the Sparc MSI code is only built on Sparc64. This is done thanks to a new Kconfig Makefile helper option SPARC64_PCI_MSI, modeled after the existing SPARC64_PCI. The SPARC64_PCI_MSI option is an hidden option that is true when both Sparc64 PCI support is enabled and MSI is enabled. The arch/sparc/kernel/pci_msi.c file is now only built when SPARC64_PCI_MSI is true. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Reported-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-10-03T00:02:35+00:00 Michael Opdenacker michael.opdenacker@free-electrons.com 2013-09-07T07:38:09+00:00 urn:sha1:d2f09b1c17158fa870fb4f78babf1b307cd2685b This patch proposes to remove the IRQF_DISABLED flag from sparc architecture code. It's a NOOP since 2.6.35 and it will be removed one day. Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-10-03T00:01:56+00:00 Kees Cook keescook@chromium.org 2013-10-02T05:13:34+00:00 urn:sha1:20928bd3f08afb036c096d9559d581926b895918 The length argument to strlcpy was still wrong. It could overflow the end of full_boot_str by 5 bytes. Instead of strcat and strlcpy, just use snprint. Reported-by: Brad Spengler <spender@grsecurity.net> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-09-27T20:46:04+00:00 David S. Miller davem@davemloft.net 2013-09-27T20:46:04+00:00 urn:sha1:2bd161a605f1f84a5fc8a4fe8410113a94f79355 Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using strlcpy() instead of strcpy()") added a bug to ldom_reboot in arch/sparc/kernel/ds.c - strcpy(full_boot_str + strlen("boot "), boot_command); + strlcpy(full_boot_str + strlen("boot "), boot_command, + sizeof(full_boot_str + strlen("boot "))); That last sizeof() expression evaluates to sizeof(size_t) which is not what was intended. Also even the corrected: sizeof(full_boot_str) + strlen("boot ") is not right as the destination buffer length is just plain "sizeof(full_boot_str)" and that's what the final argument should be. Signed-off-by: David S. Miller <davem@davemloft.net> 2013-09-13T13:09:52+00:00 Martin Schwidefsky schwidefsky@de.ibm.com 2013-08-30T07:39:53+00:00 urn:sha1:0244ad004a54e39308d495fee0a2e637f8b5c317 After the last architecture switched to generic hard irqs the config options HAVE_GENERIC_HARDIRQS & GENERIC_HARDIRQS and the related code for !CONFIG_GENERIC_HARDIRQS can be removed. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> 2013-09-12T22:38:01+00:00 Johannes Weiner hannes@cmpxchg.org 2013-09-12T22:13:39+00:00 urn:sha1:759496ba6407c6994d6a5ce3a5e74937d7816208 Unlike global OOM handling, memory cgroup code will invoke the OOM killer in any OOM situation because it has no way of telling faults occuring in kernel context - which could be handled more gracefully - from user-triggered faults. Pass a flag that identifies faults originating in user space from the architecture-specific fault handlers to generic code so that memcg OOM handling can be improved. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> Reviewed-by: Michal Hocko <mhocko@suse.cz> Cc: David Rientjes <rientjes@google.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: azurIt <azurit@pobox.sk> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2013-09-11T22:58:18+00:00 Mathieu Desnoyers mathieu.desnoyers@efficios.com 2013-09-11T21:23:18+00:00 urn:sha1:3ddc5b46a8e90f3c9251338b60191d0a804b0d92 I found the following pattern that leads in to interesting findings: grep -r "ret.*|=.*__put_user" * grep -r "ret.*|=.*__get_user" * grep -r "ret.*|=.*__copy" * The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat, since those appear in compat code, we could probably expect the kernel addresses not to be reachable in the lower 32-bit range, so I think they might not be exploitable. For the "__get_user" cases, I don't think those are exploitable: the worse that can happen is that the kernel will copy kernel memory into in-kernel buffers, and will fail immediately afterward. The alpha csum_partial_copy_from_user() seems to be missing the access_ok() check entirely. The fix is inspired from x86. This could lead to information leak on alpha. I also noticed that many architectures map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I wonder if the latter is performing the access checks on every architectures. Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Cc: Matt Turner <mattst88@gmail.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>