deliverable/linux.git
Christophe Ricard [Sun, 1 Feb 2015 21:26:15 +0000 (22:26 +0100)] 
NFC: st21nfcb: Add support for secure element

The st21nfcb chipset has 3 SWP (Single Wire Protocol) lines and
supports up to 3 secure elements (UICC/eSE and µSD in the future).

Some st21nfcb firmware does not support the nci command
nci_nfcee_mode_set(NCI_NFCEE_DISABLE). For this reason, we assume
2 secure elements are always present (UICC and eSE).
They will be added to the SE list once successfully activated and
they will be available only after running through enable_se
handler or when the poll in listen mode is started.

During initialization, the white_list will always be set assuming
both UICC & eSE are present.

On eSE activation, the ATR bytes are fetched to build the command
exchange timeout.

The se_io hook allows data to be transferred over SWP. Two kinds of
events may appear after data is sent:
- ST21NFCB_EVT_TRANSMIT_DATA when receiving an apdu answer
- ST21NFCB_EVT_WTX_REQUEST when the secure element needs more time
  than expected to process a command. If this timeout expires, we
  send a software reset, and then a hardware one if it still fails.
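
As a rough illustration of the recovery order described above, the
escalation could be modelled as follows. This is a Python sketch, not
driver code: recover_secure_element and its two callbacks are hypothetical
names, and each callback is assumed to return True on success.

```python
from typing import Callable, List


def recover_secure_element(soft_reset: Callable[[], bool],
                           hard_reset: Callable[[], bool]) -> List[str]:
    """Try a software reset first, then fall back to a hardware reset.

    Returns the list of recovery steps that were attempted, in order.
    """
    steps = ["soft_reset"]
    if soft_reset():
        # The software reset was enough; no hardware reset is needed.
        return steps
    steps.append("hard_reset")
    hard_reset()
    return steps
```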

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:14 +0000 (22:26 +0100)] 
NFC: nci: Add HCI over NCI protocol support

According to the NCI specification, one can use HCI over NCI
to talk with specific NFCEE. The HCI network is viewed as one
logical NFCEE.
This is needed to support secure elements running HCI-only
firmware embedded on an NCI-capable chipset, e.g. the
st21nfcb.
There is some duplication between this piece of code and the
HCI core code, but the latter would need to be abstracted even
more to be able to use NCI as a logical transport for HCP packets.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:12 +0000 (22:26 +0100)] 
NFC: nci: Support logical connections management

In order to communicate with an NFCEE, we need to open a logical
connection to it, by sending the NCI_OP_CORE_CONN_CREATE_CMD
command to the NFCC. It's left up to the drivers to decide when
to close an already opened logical connection.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:11 +0000 (22:26 +0100)] 
NFC: nci: Add NFCEE enabling and disabling support

NFCEEs can be enabled or disabled by sending the
NCI_OP_NFCEE_MODE_SET_CMD command to the NFCC. This patch
provides an API for drivers to enable and disable e.g. their
NCI discovered secure elements.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:10 +0000 (22:26 +0100)] 
NFC: nci: Add NFCEE discover support

NFCEEs (NFC Execution Environments) have to be explicitly
discovered by sending the NCI_OP_NFCEE_DISCOVER_CMD
command. The NFCC will respond to this command by telling
us how many NFCEEs are connected to it. Then the NFCC sends
a notification command for each and every NFCEE connected.
Here we implement support for sending
NCI_OP_NFCEE_DISCOVER_CMD command, receiving the response
and the potential notifications.
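
The exchange described above can be sketched as a small state holder.
This is a Python model for illustration only, not the NCI core code:
NfceeDiscovery and its method names are hypothetical, and it assumes the
response carries the NFCEE count while each notification carries one
NFCEE id.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class NfceeDiscovery:
    """Tracks one discover exchange: a response with a count, then notifications."""
    expected: int = 0
    nfcee_ids: List[int] = field(default_factory=list)

    def on_discover_rsp(self, num_nfcee: int) -> None:
        # The response tells us how many NFCEEs are connected.
        self.expected = num_nfcee
        self.nfcee_ids = []

    def on_discover_ntf(self, nfcee_id: int) -> None:
        # One notification is expected per connected NFCEE.
        self.nfcee_ids.append(nfcee_id)

    def complete(self) -> bool:
        # Done once as many notifications arrived as the response announced.
        return len(self.nfcee_ids) >= self.expected
```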

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:09 +0000 (22:26 +0100)] 
NFC: nci: Add NCI NFCEE constants

Add NFCEE NCI constants for:
- NFCEE Interface/Protocols
- Destination type
- Destination-specific parameters type
- NFCEE Discovery Action

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Sun, 1 Feb 2015 21:26:08 +0000 (22:26 +0100)] 
NFC: nci: Add dynamic logical connections support

The current NCI core only supports the RF static connection.
For other NFC features such as Secure Element communication, we
may need to create logical connections to the NFCEE (Execution
Environment).

In order to track each logical connection ID dynamically, we add a
linked list of connection info pointers to the nci_dev structure.
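
A minimal sketch of this bookkeeping, written in Python rather than
kernel C: a plain list stands in for the linked list, and the ConnInfo
fields, the NciDev class and its method names are assumptions made for
the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnInfo:
    conn_id: int    # logical connection ID assigned at creation time
    dest_type: int  # hypothetical field: what the connection targets


class NciDev:
    """Holds the per-device list of open logical connections."""

    def __init__(self) -> None:
        self.conn_info_list: List[ConnInfo] = []

    def add_conn(self, info: ConnInfo) -> None:
        self.conn_info_list.append(info)

    def get_conn(self, conn_id: int) -> Optional[ConnInfo]:
        # Walk the list until the matching connection ID is found.
        for info in self.conn_info_list:
            if info.conn_id == conn_id:
                return info
        return None

    def del_conn(self, conn_id: int) -> None:
        self.conn_info_list = [
            info for info in self.conn_info_list if info.conn_id != conn_id
        ]
```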

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Eric Dumazet [Wed, 28 Jan 2015 14:06:36 +0000 (06:06 -0800)] 
pkt_sched: fq: remove useless TIME_WAIT check

TIME_WAIT sockets do not own any skb.

ip_send_unicast_reply() and tcp_v6_send_response() both use
regular sockets.

We can safely remove a test in sch_fq and save one cache line miss,
as sk_state is far away from sk_pacing_rate.

Tested at Google for about one year.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Wed, 28 Jan 2015 16:30:09 +0000 (17:30 +0100)] 
act_connmark: fix dependencies better

NET_ACT_CONNMARK fails to build if NF_CONNTRACK_MARK is disabled,
and d7924450e14ea4 ("act_connmark: Add missing dependency on
NF_CONNTRACK_MARK") fixed that case, but missed the case where
NF_CONNTRACK is a loadable module.

This adds the second dependency to ensure that NET_ACT_CONNMARK
can only be built-in if NF_CONNTRACK is also part of the kernel
rather than a loadable module.
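
The rule at work here is that a Kconfig dependency caps a tristate
symbol at the lowest value among its dependencies (n < m < y). The
following Python model is only a sketch of that rule, not Kconfig
itself; effective_value is a hypothetical helper.

```python
TRISTATE_ORDER = {"n": 0, "m": 1, "y": 2}
TRISTATE_NAMES = ["n", "m", "y"]


def effective_value(requested: str, *dependencies: str) -> str:
    """Cap a requested tristate value at the lowest value of its dependencies."""
    # With no dependencies there is no cap, so default the limit to "y".
    limit = min((TRISTATE_ORDER[d] for d in dependencies), default=2)
    return TRISTATE_NAMES[min(TRISTATE_ORDER[requested], limit)]
```

With NF_CONNTRACK_MARK=y and NF_CONNTRACK=m, a request for
NET_ACT_CONNMARK=y comes out as m in this model, which is the case the
second dependency is meant to enforce.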

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christoph Hellwig [Wed, 28 Jan 2015 17:04:53 +0000 (18:04 +0100)] 
net: remove sock_iocb

The sock_iocb structure is allocated on the stack for each read/write-like
operation on sockets, and contains various fields of which only the
embedded msghdr and sometimes a pointer to the scm_cookie is ever used.
Get rid of the sock_iocb and put a msghdr directly on the stack and pass
the scm_cookie explicitly to netlink_mmap_sendmsg.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Wed, 28 Jan 2015 18:58:33 +0000 (21:58 +0300)] 
hisilicon: add some missing curly braces

The if block was supposed to have curly braces.  In the current code we
complain about dropped rx packets when we shouldn't.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesse Gross [Thu, 29 Jan 2015 00:32:46 +0000 (16:32 -0800)] 
openvswitch: Add support for checksums on UDP tunnels.

Currently, it isn't possible to request checksums on the outer UDP
header of tunnels - the TUNNEL_CSUM flag is ignored. This adds
support for requesting that UDP checksums be computed on transmit
and properly reported if they are present on receive.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 29 Jan 2015 06:49:55 +0000 (22:49 -0800)]
Merge tag 'nfc-next-3.20-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-next

NFC: 3.20 first pull request

This is the first NFC pull request for 3.20.

With this one we have:

- Secure element support for the ST Micro st21nfca driver. This depends
  on a few HCI internal changes in order for example to support more
  than one secure element per controller.

- ACPI support for NXP's pn544 HCI driver. This controller is found on
  many x86 SoCs and is typically enumerated on the ACPI bus there.

- A few st21nfca and st21nfcb fixes.

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 28 Jan 2015 05:08:13 +0000 (21:08 -0800)] 
Merge branch 'stmmac-pci'

Andy Shevchenko says:

====================
stmmac: Enable Intel Quark SoC X1000 Ethernet support

This is the third version of the patch series [1] to bring network card support to
Intel Quark SoC.

The series has been tested on Intel Galileo board.

Changelog v3:
 - rebase on top of recent net-next
 - rework an approach to get the custom configuration
 - rework an approach how to get unique bus_id
 - improve DMI lookup function

[1] http://www.spinics.net/lists/netdev/msg296010.html
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Kweh, Hock Leong [Tue, 27 Jan 2015 19:44:49 +0000 (21:44 +0200)] 
stmmac: pci: add MSI support for Intel Quark X1000

In Intel Quark SoC X1000, both of the Ethernet controllers support
MSI interrupt handling. This patch enables them to use MSI interrupt
servicing in stmmac_pci for Intel Quark X1000.

Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Shevchenko [Tue, 27 Jan 2015 19:44:48 +0000 (21:44 +0200)] 
stmmac: pci: introduce Intel Quark X1000 runtime detection

This patch introduces run-time board detection through DMI and MAC-PHY
configuration function used by quark_default_data() during initialization. It
fills up the phy_addr for Galileo and Galileo Gen2 boards to indicate that the
Ethernet MAC controller is or is not connected to any PHY.

The implementation allows for future Quark series boards whose MAC
controllers may be linked to different PHY addresses.

This piece of work is derived from Bryan O'Donoghue's initial work for Quark
X1000 enabling.

Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kweh, Hock Leong [Tue, 27 Jan 2015 19:44:47 +0000 (21:44 +0200)] 
stmmac: pci: add support for Intel Quark X1000

The Intel Quark SoC X1000 provides two 10/100 Mbps Ethernet MAC
controllers which may or may not be connected to PHY on board.
This MAC controller only supports RMII PHY. This patch adds Quark
PCI ID as well as Quark default platform data info to this driver.

Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Karicheri, Muralidharan [Tue, 27 Jan 2015 14:49:54 +0000 (09:49 -0500)] 
net: netcp: remove unused kconfig option and code

Currently CPTS is built into the netcp driver even though there is no
call out to the CPTS driver. This patch removes the dependency in Kconfig
and removes cpts.o from the Makefile for NetCP.

Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hariprasad Shenai [Tue, 27 Jan 2015 14:42:52 +0000 (20:12 +0530)] 
cxgb4: Move firmware version MACRO to t4fw_version.h

Move firmware version MACRO to a new t4fw_version.h file so that csiostor driver
can also use it.

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Praveen Madhavan [Tue, 27 Jan 2015 14:16:37 +0000 (19:46 +0530)] 
csiostor:T5 Firmware fix and cleanup.

This patch makes the driver use the default firmware configuration files
present in the adapter in case they are not available in the standard
/lib/firmware/* dir. Additional cleanup is done to reuse flash-related
defines from the cxgb4 header file.

Please apply over net-next since it depends on previous commit.

Signed-off-by: Praveen Madhavan <praveenm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 28 Jan 2015 01:13:01 +0000 (17:13 -0800)] 
Merge branch 'mlx4-next'

Amir Vadai says:

====================
Mellanox ethernet driver updates Jan-27-2015

This patchset introduces some bug fixes, code cleanups and support for a new
kind of firmware event called recoverable error events.

Patches were applied and tested against commit b8665c6 ("net: dsa/mv88e6352:
make mv88e6352_wait generic")

Changes from V0:
- Patch 6/11 ("net/mlx4_core: Fix struct mlx4_vhcr_cmd to make implicit padding
  explicit"):
  - Removed __packed
  - Rephrased commit message

- Added a new patch by Majd ("net/mlx4_core: Update the HCA core clock frequency
  after INIT_PORT")
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Majd Dibbiny [Tue, 27 Jan 2015 13:58:09 +0000 (15:58 +0200)] 
net/mlx4_core: Update the HCA core clock frequency after INIT_PORT

The firmware might change the HCA core clock frequency after the driver
issues the INIT_PORT command. Therefore we need to query the new
value again and save it in the cached dev caps.

Fixes: ddd8a6c1 ('net/mlx4_core: Read HCA frequency and map internal clock')
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Or Gerlitz [Tue, 27 Jan 2015 13:58:08 +0000 (15:58 +0200)] 
net/mlx4_core: Fix device capabilities dumping

We are dumping device capabilities which are supported both by the
firmware and the driver. Align the array that holds the capability
strings with this practice.

Reported-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matan Barak [Tue, 27 Jan 2015 13:58:07 +0000 (15:58 +0200)] 
net/mlx4: Fix memory corruption in mlx4_MAD_IFC_wrapper

Fix a memory corruption at mlx4_MAD_IFC_wrapper.

A table of size dev->caps.pkey_table_len[port]*sizeof(*table)
was allocated, but get_full_pkey_table() assumes that the number
of entries in the table is a multiple of 32 (which isn't always
correct).
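
One common way to avoid this kind of overrun is to size the buffer for
a whole number of 32-entry blocks. The Python sketch below shows a
generic round-up; it is not necessarily the expression the patch uses,
and padded_pkey_entries is a hypothetical helper name.

```python
PKEYS_PER_BLOCK = 32  # block size the table reader is described as assuming


def padded_pkey_entries(pkey_table_len: int) -> int:
    """Round the entry count up to the next multiple of PKEYS_PER_BLOCK."""
    blocks = (pkey_table_len + PKEYS_PER_BLOCK - 1) // PKEYS_PER_BLOCK
    return blocks * PKEYS_PER_BLOCK
```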

Fixes: 0a9a018 ('mlx4: MAD_IFC paravirtualization')
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Saeed Mahameed [Tue, 27 Jan 2015 13:58:06 +0000 (15:58 +0200)] 
net/mlx4_en: Use ethtool cmd->autoneg as a hint for ethtool set settings

Use cmd->autoneg as a user hint to decide what to set in the ethtool set settings callback.
When cmd->autoneg == AUTONEG_ENABLE, set according to ethtool->advertise; otherwise,
set according to ethtool->speed.

Usage:
- ethtool -s eth<x> speed 56000 autoneg off
- ethtool -s eth<x> advertise 0x800000 autoneg on
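
The selection rule and the two usage lines above can be modelled as
follows. This is a Python sketch of the decision only, not the driver
callback; select_link_setting is a hypothetical helper, and the two
constants mirror the ethtool values AUTONEG_DISABLE (0) and
AUTONEG_ENABLE (1).

```python
from typing import Tuple

AUTONEG_DISABLE = 0x00
AUTONEG_ENABLE = 0x01


def select_link_setting(autoneg: int, advertising: int, speed: int) -> Tuple[str, int]:
    """Pick which user-supplied value should drive the link configuration."""
    if autoneg == AUTONEG_ENABLE:
        # Autoneg on: honour the advertised link modes mask.
        return ("advertise", advertising)
    # Autoneg off: honour the requested fixed speed.
    return ("speed", speed)
```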

While we're here:
- Move proto_admin masking outcome check to be adjacent to the operation.
- Move en_warn("port reset..") print to "port reset" block.

Fixes: 312df74 ("net/mlx4_en: mlx4_en_set_settings() always fails when autoneg is set")
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:05 +0000 (15:58 +0200)] 
net/mlx4_core: Remove duplicate code line from procedure mlx4_bf_alloc

mlx4_bf_alloc had an unnecessary/duplicate code line. Did no harm,
but not good practice.

Reported by the Mellanox Beijing team.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:04 +0000 (15:58 +0200)] 
net/mlx4_core: Fix struct mlx4_vhcr_cmd to make implicit padding explicit

Struct mlx4_vhcr_cmd was implicitly padded by the gcc compiler on 64-bit
architectures.

This commit makes that padding explicit, to prevent issues with
changing compilers and with incompatibilities between 32-bit architecture
implicit padding and 64-bit architecture implicit padding.

This structure is used in virtualization for communication between
the Host and its Guests. The explicit padding allows 64-bit Hosts
(old and new) to continue to interoperate with 64-bit Guests (old and new).

However, without this fix, 64-bit Hosts could not interoperate with 32-bit
Guests (since these did not insert the padding dword). With this fix,
32-bit Guests will be able to interoperate with 64-bit Hosts (since
the structure offsets will be identical on both).
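
The effect of implicit versus explicit padding can be observed with
Python's struct module, which supports both native alignment ("@") and
unpadded standard layouts ("="). The two-field layout below is
hypothetical and much simpler than the real structure; it only
illustrates why spelling out the reserved word gives the same offsets on
every architecture.

```python
import struct

# Hypothetical layout: one 32-bit field followed by one 64-bit field.
NATIVE_LAYOUT = "@IQ"     # native alignment: implicit padding depends on the ABI
EXPLICIT_LAYOUT = "=IIQ"  # no implicit padding: the reserved 32-bit word is spelled out


def layout_sizes():
    """Return (native_size, explicit_size) in bytes."""
    return struct.calcsize(NATIVE_LAYOUT), struct.calcsize(EXPLICIT_LAYOUT)


def explicit_offset_of_u64():
    # Everything that precedes the 64-bit field: the 32-bit field plus the reserved word.
    return struct.calcsize("=II")
```

The explicit layout is 16 bytes everywhere, with the 64-bit field at
offset 8. The native size typically matches that on 64-bit builds, while
a 32-bit x86 build typically reports 12 because no padding is inserted.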

Reported-by: Alexander Schmidt <alexs@linux.vnet.ibm.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:03 +0000 (15:58 +0200)] 
net/mlx4_core: Fix HW2SW_EQ to conform to the firmware spec

The driver incorrectly assigned an out-mailbox to this command,
and used an opcode modifier = 0, which is a reserved value (it
should use opcode modifier = 1).

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:02 +0000 (15:58 +0200)] 
net/mlx4_core: Adjust command timeouts to conform to the firmware spec

The firmware spec states that the timeout for all commands should be 60 seconds.

In the past, the spec indicated that there were several classes of timeout
(short, medium, and long).  The driver has these different timeout classes.
We leave the class differentiation in the driver as-is (to protect against any
future spec changes), but set the timeout for all classes to be 60 seconds.
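
Keeping the classes while giving them one value could look like the
Python sketch below. The class names and the timeout_msec_for helper are
hypothetical, and the value is expressed in milliseconds as an
assumption; only the 60 second figure comes from the text above.

```python
CMD_TIMEOUT_MSEC = 60 * 1000  # 60 seconds for every command

# The three classes are kept so that a future spec change can
# differentiate them again without touching the callers.
TIME_CLASS_MSEC = {
    "short": CMD_TIMEOUT_MSEC,
    "medium": CMD_TIMEOUT_MSEC,
    "long": CMD_TIMEOUT_MSEC,
}


def timeout_msec_for(time_class: str) -> int:
    """Look up the timeout by class instead of hard-coding a number."""
    return TIME_CLASS_MSEC[time_class]
```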

In addition, we fix a few commands which had hard-coded numeric timeouts specified.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:01 +0000 (15:58 +0200)] 
net/mlx4_core: Fix mem leak in SRIOV mlx4_init_one error flow

Structs allocated for the resource tracker must be freed in
the error flow.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:58:00 +0000 (15:58 +0200)] 
net/mlx4_core: Add reserved lkey for VFs to QUERY_FUNC_CAP

The reserved lkey is different for each VF.
A base lkey value is returned in QUERY_DEV_CAP at offset 0x98.

The reserved L_key value for a VF is:
    VF_lkey = base_lkey + (VF_number << 8).

This VF L_key value should be returned in QUERY_FUNC_CAP
(opcode-modifier = 0) at offset 0x48.

To indicate that the lkey value at offset 0x48 is valid, the Hypervisor
sets a flag bit in dword 0x0, offset 27 in the QUERY_FUNC_CAP wrapper
function.

When the VF calls QUERY_FUNC_CAP, it should check if this flag bit is set.
If it is set, the VF should take the reserved lkey value at offset 0x48.
If the bit is not set, the VF should not use a reserved lkey
(i.e., should set its reserved lkey value to 0).
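
The arithmetic and the flag check described above can be worked through
in a few lines. This is a Python sketch with hypothetical helper and
constant names; it takes already-decoded integer values and ignores
mailbox layout and byte order.

```python
LKEY_VALID_BIT = 27  # flag bit in dword 0x0, per the description above


def vf_reserved_lkey(base_lkey: int, vf_number: int) -> int:
    """Hypervisor side: VF_lkey = base_lkey + (VF_number << 8)."""
    return base_lkey + (vf_number << 8)


def lkey_seen_by_vf(flags_dword: int, lkey_field: int) -> int:
    """VF side: use the lkey only when the hypervisor set the flag bit."""
    if flags_dword & (1 << LKEY_VALID_BIT):
        return lkey_field
    # Flag not set: the VF must not use a reserved lkey.
    return 0
```

For example, with a base lkey of 0x100, VF number 3 gets
0x100 + (3 << 8) = 0x400.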

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jack Morgenstein [Tue, 27 Jan 2015 13:57:59 +0000 (15:57 +0200)] 
net/mlx4_core: Add bad-cable event support

If the firmware can detect a bad cable, allow it to generate an
event, and print the problem in the log.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Mon, 26 Jan 2015 13:10:53 +0000 (14:10 +0100)] 
vxlan: advertise link netns in fdb messages

The previous commit was based on a wrong assumption. In fact, fdb messages are
always sent into the netns where the interface stands (see vxlan_fdb_notify()).

These fdb messages don't embed the rtnl attribute IFLA_LINK_NETNSID, thus we
need to add it (useful to interpret NDA_IFINDEX or NDA_DST for example).

Note also that vxlan_nlmsg_size() was not updated.

Fixes: 193523bf9373 ("vxlan: advertise netns of vxlan dev in fdb msg")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 28 Jan 2015 01:09:09 +0000 (17:09 -0800)] 
Merge branch 'bonding-next'

Jonathan Toppins says:

====================
bonding: various 802.3ad fixes

This patch series is a forward porting of patches we (Cumulus) are shipping
in our 3.2 series kernels. These fixes attempt to make 802.3ad bonding mode
more predictable in certain state machine transitions in addition to fixing
802.3ad bond carrier determination when bonding min_links option is changed.
Specific notes are contained within each patch.

For this patch series there are no userspace-facing changes; a diff between
the modinfo output showed no difference. However, there are behavioral
changes, primarily in the bond carrier state. Please make sure to
review carefully.

v2:
 * fixed some style issues
 * dropped a portion of patch 1 in favor of more testing on my side
====================

Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jonathan Toppins [Mon, 26 Jan 2015 06:17:01 +0000 (01:17 -0500)] 
bonding: cleanup and remove dead code

fix sparse warning about non-static function

drivers/net/bonding/bond_main.c:3737:5: warning: symbol
'bond_3ad_xor_xmit' was not declared. Should it be static?

Reviewed-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Jonathan Toppins <jtoppins@cumulusnetworks.com>
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Satish Ashok [Mon, 26 Jan 2015 06:17:00 +0000 (01:17 -0500)] 
bonding: fix LACP PDU not sent on slave port sometimes

When a slave is added to a bond and it is not in full duplex mode, the
AD_PORT_LACP_ENABLED flag is cleared, so LACP PDUs are not sent on the
slave. When the duplex is changed to full, the flag needs to be set
to send LACP PDUs.
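
The intended flag handling can be sketched as a pure function of the
duplex state. This is a Python illustration, not the bonding code: the
bit value given to AD_PORT_LACP_ENABLED and the update_lacp_enabled
helper are assumptions made for the example.

```python
AD_PORT_LACP_ENABLED = 0x2  # bit value chosen for illustration only


def update_lacp_enabled(sm_vars: int, full_duplex: bool) -> int:
    """Set the flag on full duplex, clear it otherwise; other bits are untouched."""
    if full_duplex:
        return sm_vars | AD_PORT_LACP_ENABLED
    return sm_vars & ~AD_PORT_LACP_ENABLED
```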

Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Satish Ashok <sashok@cumulusnetworks.com>
Signed-off-by: Jonathan Toppins <jtoppins@cumulusnetworks.com>
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wilson Kok [Mon, 26 Jan 2015 06:16:59 +0000 (01:16 -0500)] 
bonding: fix incorrect lacp mux state when agg not active

This patch attempts to fix the following problems when an actor or
partner's aggregator is not active:
    1. a slave's lacp port state is marked as AD_STATE_SYNCHRONIZATION
       even if it is attached to an inactive aggregator. LACP advertises
       this state to the partner, making the partner think he can move
       into COLLECTING_DISTRIBUTING state even though this link will not
       pass traffic on the local side

    2. a slave goes into COLLECTING_DISTRIBUTING state without checking
       if the aggregator is actually active

    3. when in COLLECTING_DISTRIBUTING state, the partner parameters may
       change, e.g. the partner_oper_port_state.SYNCHRONIZATION. The
       local mux machine does not react to the change and continues to
       keep the slave and bond up

    4. When a bond slave leaves an inactive aggregator and joins an active
       aggregator, the actor oper port state needs to be updated to SYNC state.

v2:
 * fix style issues in bond_3ad.c

Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Wilson Kok <wkok@cumulusnetworks.com>
Signed-off-by: Jonathan Toppins <jtoppins@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wilson Kok [Mon, 26 Jan 2015 06:16:58 +0000 (01:16 -0500)] 
bonding: fix bond_open() don't always set slave active flag

In 802.3ad mode, fix the incorrect bond slave active state when the slave is
not in the active aggregator. During bond_open(), the bonding driver always sets
the slave active flag to true if the bond is not in active-backup, alb,
or tlb modes. Bonding should let the aggregator selection logic set the
active flag when in 802.3ad mode.

Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Wilson Kok <wkok@cumulusnetworks.com>
Signed-off-by: Jonathan Toppins <jtoppins@cumulusnetworks.com>
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jonathan Toppins [Mon, 26 Jan 2015 06:16:57 +0000 (01:16 -0500)] 
bonding: update bond carrier state when min_links option changes

Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: Jonathan Toppins <jtoppins@cumulusnetworks.com>
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicholas Mc Guire [Sun, 25 Jan 2015 14:48:23 +0000 (15:48 +0100)] 
hyperv: match wait_for_completion_timeout return type

The return type of wait_for_completion_timeout is unsigned long, not int; this
patch just fixes up the declarations.

Signed-off-by: Nicholas Mc Guire <der.herr@hofr.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicholas Mc Guire [Sun, 25 Jan 2015 14:46:31 +0000 (15:46 +0100)] 
hyperv: netvsc.c: match wait_for_completion_timeout return type

Signed-off-by: Nicholas Mc Guire <der.herr@hofr.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 28 Jan 2015 00:59:56 +0000 (16:59 -0800)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts:
arch/arm/boot/dts/imx6sx-sdb.dts
net/sched/cls_bpf.c

Two simple sets of overlapping changes.

Signed-off-by: David S. Miller <davem@davemloft.net>
Robert Dolca [Mon, 26 Jan 2015 11:13:37 +0000 (13:13 +0200)] 
NFC: Add ACPI support for NXP PN544

Currently there is no support for ACPI.
This patch uses the following configuration:
- Device id: NXP5440
- Pin mapping:
  - 0 IRQ pin
  - 1 enable pin
  - 2 firmware pin

Signed-off-by: Robert Dolca <robert.dolca@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Robert Dolca [Mon, 26 Jan 2015 11:13:36 +0000 (13:13 +0200)] 
NFC: PN544: GPIO access that may sleep

gpio_set_value was replaced with gpio_set_value_cansleep in order
to allow GPIO access that may sleep. This is particularly useful
when the GPIO is accessed over buses like I2C, SPI or USB.

Signed-off-by: Robert Dolca <robert.dolca@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Tue, 27 Jan 2015 00:18:20 +0000 (01:18 +0100)] 
NFC: dts: st21nfca: Document ese-present & uicc-present DTS property

On st21nfca, the mechanism to enable a secure element needs 2 additional
properties in order to manage the SWP line correctly.

Document ese-present and uicc-present properties.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Tue, 27 Jan 2015 00:18:19 +0000 (01:18 +0100)] 
NFC: st21nfca: Adding support for secure element

st21nfca has 1 physical SWP line and can support up to 2 secure elements
(UICC & eSE) thanks to an external switch managed with a gpio.

The platform integrator needs to specify, through 2 initialization
properties, uicc-present and ese-present, whether the platform is supposed
to have a UICC and/or an eSE. Of course, if the platform does not have an
external switch, only one kind of secure element can be supported. Setting
those parameters is the platform integrator's responsibility.

During initialization, the white_list will be set according to those
parameters.

The discovery_se function will assume a secure element is physically
present according to uicc-present and ese-present values and will add it
to the secure element list. On ese activation, the atr is retrieved to
calculate a command exchange timeout based on the first atr(TB) value.

se_io allows data to be transferred over SWP. Two kinds of events may appear
after data is sent:
- ST21NFCA_EVT_TRANSMIT_DATA when receiving an apdu answer
- ST21NFCA_EVT_WTX_REQUEST when the secure element needs more time than
  expected to compute a command. If this timeout expires, a first recovery
  attempt consists of sending a simple software reset proprietary command.
  If this attempt still fails, a second recovery attempt consists of sending
  a hardware reset proprietary command.
This function is only relevant for eSE-like secure elements.

This patch also changes the way a pipe is referenced. There can be
different pipes connected to the same gate with different host destinations
(e.g. CONNECTIVITY). In order to keep the host information, every pipe is
referenced with a tuple (gate, host). In order to reduce changes, we are
keeping unchanged the way a gate is addressed on the Terminal Host.
However, this works only because we consider that the apdu reader gate is
only present on the eSE slot. Also, the connectivity gate cannot give a
reliable value; it will give the latest stored pipe value.
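
The two lookups described above can be sketched as a pair of tables.
This is a Python model under stated assumptions, not the HCI core data
structure: PipeTable, its attribute names and the numeric ids used in
the example are all hypothetical.

```python
from typing import Dict, Tuple


class PipeTable:
    """Keeps (gate, host) per pipe, plus a gate-only shortcut."""

    def __init__(self) -> None:
        self.pipes: Dict[int, Tuple[int, int]] = {}  # pipe id -> (gate, host)
        self.gate2pipe: Dict[int, int] = {}          # gate -> last stored pipe id

    def add_pipe(self, pipe: int, gate: int, host: int) -> None:
        self.pipes[pipe] = (gate, host)
        # A gate shared by several hosts keeps only the most recent pipe here,
        # which is why a gate-only lookup is not reliable for such gates.
        self.gate2pipe[gate] = pipe
```

With two pipes on the same gate but different hosts, each pipe still
resolves to its own (gate, host) tuple, while the gate-only lookup
returns whichever pipe was stored last.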

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Tue, 27 Jan 2015 00:18:18 +0000 (01:18 +0100)] 
NFC: hci: Remove nfc_hci_pipe2gate function

With the newly introduced pipes table hci_dev fields,
the nfc_hci_pipe2gate routine is no longer needed.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Christophe Ricard [Tue, 27 Jan 2015 00:18:17 +0000 (01:18 +0100)] 
NFC: microread: Change event_received gate parameter to pipe

The event_received HCI handler below has changed its gate parameter to pipe.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
9 years agoNFC: pn544: Change event_received gate parameter to pipe
Christophe Ricard [Tue, 27 Jan 2015 00:18:16 +0000 (01:18 +0100)] 
NFC: pn544: Change event_received gate parameter to pipe

The event_received hci handler now takes a pipe parameter instead of a gate.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
9 years agoNFC: hci: Add cmd_received handler
Christophe Ricard [Tue, 27 Jan 2015 00:18:15 +0000 (01:18 +0100)] 
NFC: hci: Add cmd_received handler

When a command is received, it is sometimes necessary to let the CLF driver
perform additional operations (e.g. counting the remaining pipe notifications).

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9 years agoNFC: hci: Reference every pipe information according to notification
Christophe Ricard [Tue, 27 Jan 2015 00:18:14 +0000 (01:18 +0100)] 
NFC: hci: Reference every pipe information according to notification

We update the tracked pipes status when receiving HCI commands.
Also we forward HCI errors and we reply to any HCI command, even though
we don't support it.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9 years agoNFC: hci: Change nfc_hci_send_response gate parameter to pipe
Christophe Ricard [Tue, 27 Jan 2015 00:18:13 +0000 (01:18 +0100)] 
NFC: hci: Change nfc_hci_send_response gate parameter to pipe

As there can be several pipes connected to the same gate, we need
to know which pipe ID to use when sending an HCI response. A gate
ID is not enough.

Instead of changing the nfc_hci_send_response() API to something
not aligned with the rest of the HCI API, we call nfc_hci_hcp_message_tx
directly.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9 years agoNFC: hci: Add pipes table to reference them with a tuple {gate, host}
Christophe Ricard [Tue, 27 Jan 2015 00:18:12 +0000 (01:18 +0100)] 
NFC: hci: Add pipes table to reference them with a tuple {gate, host}

In order to keep host source information on specific hci event (such as
evt_connectivity or evt_transaction) and because 2 pipes can be connected
to the same gate, it is necessary to add a table referencing every pipe
with a {gate, host} tuple.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
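
As an illustration of the {gate, host} pipes table described in the commit above, here is a minimal userspace sketch. It is not the kernel data structure: struct pipe_entry, struct pipe_table, the helper functions, FAKE_MAX_PIPES and FAKE_INVALID_ID are all hypothetical names and values chosen for the example.

```c
#include <stdint.h>

#define FAKE_MAX_PIPES	128	/* assumed table size for this sketch */
#define FAKE_INVALID_ID	0xff	/* assumed marker for an unused entry */

/* One entry per pipe ID: which gate it reaches and on which host. */
struct pipe_entry {
	uint8_t gate;
	uint8_t dest_host;
};

struct pipe_table {
	struct pipe_entry pipes[FAKE_MAX_PIPES];
};

static void pipe_table_init(struct pipe_table *t)
{
	for (int i = 0; i < FAKE_MAX_PIPES; i++) {
		t->pipes[i].gate = FAKE_INVALID_ID;
		t->pipes[i].dest_host = FAKE_INVALID_ID;
	}
}

/* Record the tuple for a pipe, e.g. when a pipe notification arrives. */
static int pipe_table_set(struct pipe_table *t, uint8_t pipe,
			  uint8_t gate, uint8_t host)
{
	if (pipe >= FAKE_MAX_PIPES)
		return -1;
	t->pipes[pipe].gate = gate;
	t->pipes[pipe].dest_host = host;
	return 0;
}

/* Find the pipe connected to a given gate on a given host, or -1. */
static int pipe_table_find(const struct pipe_table *t,
			   uint8_t gate, uint8_t host)
{
	for (int i = 0; i < FAKE_MAX_PIPES; i++) {
		if (t->pipes[i].gate == gate && t->pipes[i].dest_host == host)
			return i;
	}
	return -1;
}
```

Because the table is indexed by pipe ID, resolving the gate and host of an incoming event is a direct array lookup, while two pipes that share a gate remain distinguishable by their host.
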
9 years agoNFC: hci: Change event_received handler gate parameter to pipe
Christophe Ricard [Tue, 27 Jan 2015 00:18:11 +0000 (01:18 +0100)] 
NFC: hci: Change event_received handler gate parameter to pipe

Several pipes may point to the same CLF gate, so getting the gate ID
as an input is not enough.
For example, a dual secure element setup may have 2 pipes (1 for UICC and
1 for eSE) pointing to the connectivity gate.

As resolving gate and host IDs can be done from a pipe, we now pass
the pipe ID to the event received handler.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Tue, 27 Jan 2015 21:55:36 +0000 (13:55 -0800)] 
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Don't OOPS on socket AIO, from Christoph Hellwig.

 2) Scheduled scans should be aborted upon RFKILL, from Emmanuel
    Grumbach.

 3) Fix sleep in atomic context in kvaser_usb, from Ahmed S Darwish.

 4) Fix RCU locking across copy_to_user() in bpf code, from Alexei
    Starovoitov.

 5) Lots of crash, memory leak, short TX packet et al bug fixes in
    sh_eth from Ben Hutchings.

 6) Fix memory corruption in SCTP wrt. INIT collisions, from Daniel
    Borkmann.

 7) Fix return value logic for poll handlers in netxen, enic, and bnx2x.
    From Eric Dumazet and Govindarajulu Varadarajan.

 8) Header length calculation fix in mac80211 from Fred Chou.

 9) mv643xx_eth doesn't handle highmem correctly in non-TSO code paths.
    From Ezequiel Garcia.

10) udp_diag has bogus logic in its hash chain skipping, copy the same
    fix tcp diag used.  From Herbert Xu.

11) amd-xgbe programs wrong rx flow control register, from Thomas
    Lendacky.

12) Fix race leading to use after free in ping receive path, from Subash
    Abhinov Kasiviswanathan.

13) Cache redirect routes otherwise we can get a heavy backlog of rcu
    jobs liberating DST_NOCACHE entries.  From Hannes Frederic Sowa.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (48 commits)
  net: don't OOPS on socket aio
  stmmac: prevent probe drivers to crash kernel
  bnx2x: fix napi poll return value for repoll
  ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too
  sh_eth: Fix DMA-API usage for RX buffers
  sh_eth: Check for DMA mapping errors on transmit
  sh_eth: Ensure DMA engines are stopped before freeing buffers
  sh_eth: Remove RX overflow log messages
  ping: Fix race in free in receive path
  udp_diag: Fix socket skipping within chain
  can: kvaser_usb: Fix state handling upon BUS_ERROR events
  can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT
  can: kvaser_usb: Send correct context to URB completion
  can: kvaser_usb: Do not sleep in atomic context
  ipv4: try to cache dst_entries which would cause a redirect
  samples: bpf: relax test_maps check
  bpf: rcu lock must not be held when calling copy_to_user()
  net: sctp: fix slab corruption from use after free on INIT collisions
  net: mv643xx_eth: Fix highmem support in non-TSO egress path
  sh_eth: Fix serialisation of interrupt disable with interrupt & NAPI handlers
  ...

9 years agonet: don't OOPS on socket aio
Christoph Hellwig [Tue, 27 Jan 2015 20:25:33 +0000 (12:25 -0800)] 
net: don't OOPS on socket aio

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agostmmac: prevent probe drivers to crash kernel
Andy Shevchenko [Tue, 27 Jan 2015 16:38:03 +0000 (18:38 +0200)] 
stmmac: prevent probe drivers to crash kernel

In the case when alloc_netdev fails we return NULL to a caller. But there is no
check for NULL in the probe drivers. This patch changes NULL to an error
pointer. The function description is amended to reflect what we may get
returned.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
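
The NULL versus error pointer distinction in the commit above can be illustrated outside the kernel. The sketch below is a simplified userspace re-implementation of the error-pointer idea, not the kernel's own macros: err_ptr(), ptr_err(), is_err(), struct fake_priv and fake_probe() are hypothetical names, and FAKE_MAX_ERRNO is an assumed bound on errno values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define FAKE_MAX_ERRNO 4095	/* assumed upper bound on errno values */

/* Encode a negative errno in a pointer value. */
static inline void *err_ptr(long error)
{
	return (void *)(intptr_t)error;
}

/* Decode the errno stored by err_ptr(). */
static inline long ptr_err(const void *ptr)
{
	return (long)(intptr_t)ptr;
}

/* True when the pointer falls in the top FAKE_MAX_ERRNO addresses. */
static inline int is_err(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-FAKE_MAX_ERRNO;
}

struct fake_priv {
	int id;
};

/*
 * Stand-in for a probe helper: on allocation failure it returns an
 * error pointer rather than NULL, so callers that only test is_err()
 * never dereference an invalid pointer.
 */
static struct fake_priv *fake_probe(int simulate_alloc_failure)
{
	struct fake_priv *p;

	p = simulate_alloc_failure ? NULL : malloc(sizeof(*p));
	if (!p)
		return err_ptr(-ENOMEM);

	p->id = 1;
	return p;
}
```

A caller checks is_err() on the result and propagates ptr_err() on failure; a plain NULL would pass that check and be dereferenced, which is the kind of crash the commit describes.
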
9 years agoMerge tag 'powerpc-3.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Linus Torvalds [Tue, 27 Jan 2015 18:04:38 +0000 (10:04 -0800)] 
Merge tag 'powerpc-3.19-5' of git://git./linux/kernel/git/mpe/linux

Pull powerpc fixes from Michael Ellerman:
 "Two powerpc fixes"

* tag 'powerpc-3.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
  powerpc/powernv: Restore LPCR with LPCR_PECE1 cleared
  powerpc/xmon: Fix another endiannes issue in RTAS call from xmon

9 years agoMerge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty...
Linus Torvalds [Tue, 27 Jan 2015 17:02:09 +0000 (09:02 -0800)] 
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/rusty/linux

Pull one more module fix from Rusty Russell:
 "SCSI was using module_refcount() to figure out when the module was
  unloading: this broke with new atomic refcounting.  The code is still
  suspicious, but this solves the WARN_ON()"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  scsi: always increment reference count

9 years agonetlink: Kill redundant net argument in netlink_insert
Herbert Xu [Mon, 26 Jan 2015 03:02:56 +0000 (14:02 +1100)] 
netlink: Kill redundant net argument in netlink_insert

The socket already carries the net namespace with it so there is
no need to be passing another net around.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agobnx2x: fix napi poll return value for repoll
Govindarajulu Varadarajan [Sun, 25 Jan 2015 10:39:23 +0000 (16:09 +0530)] 
bnx2x: fix napi poll return value for repoll

With commit d75b1ade567ffab ("net: less interrupt masking in NAPI"), napi
repoll is done only when work_done == budget. When in busy_poll, we return 0
in napi_poll. We should return budget.

Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
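
The return-value rule from the commit above can be modelled in a few lines of userspace C. This is only a sketch under stated assumptions: struct fake_ring, fake_napi_poll() and fake_core_should_repoll() are hypothetical stand-ins, and the repoll condition is taken directly from the commit text (repoll only when work_done == budget).

```c
#include <stdbool.h>

/* Stand-in for a receive ring shared with a busy-polling context. */
struct fake_ring {
	bool busy_poll_owned;	/* another context currently holds the ring */
	int pending;		/* packets waiting to be processed */
};

/* Model of a driver poll handler. */
static int fake_napi_poll(struct fake_ring *ring, int budget)
{
	int work_done = 0;

	/*
	 * The ring is in use by busy polling: no work can be done now.
	 * Returning 0 would look like "all done"; returning budget asks
	 * the core to call the handler again.
	 */
	if (ring->busy_poll_owned)
		return budget;

	while (work_done < budget && ring->pending > 0) {
		ring->pending--;
		work_done++;
	}
	return work_done;
}

/* Model of the core's decision, as stated in the commit message. */
static bool fake_core_should_repoll(int work_done, int budget)
{
	return work_done == budget;
}
```
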
9 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
David S. Miller [Tue, 27 Jan 2015 08:28:38 +0000 (00:28 -0800)] 
Merge branch 'master' of git://git./linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
ipsec 2015-01-26

Just two small fixes for _decode_session6() where we
might decode to wrong header information in some rare
situations.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: phy: Invalidate LP advertising flags when restarting or disabling AN
Ben Hutchings [Tue, 27 Jan 2015 00:58:15 +0000 (00:58 +0000)] 
net: phy: Invalidate LP advertising flags when restarting or disabling AN

It is possible to see the old value of the LP advertising flags
through ethtool after reconfiguring the PHY and before autonegotiation
completes.  If autonegotiation is turned off then the last value seen
will persist indefinitely.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'sunvnet-next'
David S. Miller [Tue, 27 Jan 2015 08:25:27 +0000 (00:25 -0800)] 
Merge branch 'sunvnet-next'

David L Stevens says:

====================
sunvnet: fix null pointer deref and crash recovery

These patches fix an incorrect ordering in releasing ring data, clear pending
tx buffers on a reset, and make the sunvnet driver more reliable when remote
systems crash during active transmits.
====================

Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosunvnet: improve error handling when a remote crashes
David L Stevens [Mon, 26 Jan 2015 20:54:27 +0000 (15:54 -0500)] 
sunvnet: improve error handling when a remote crashes

If a remote machine crashes while there are pending transmit buffers, the
sunvnet driver reallocates the ring descriptors giving us entries that have
state VIO_DESC_FREE but also an allocated skb. This results in a BUG_ON()
call when the remote reboots and we reach that point in the ring.

This patch:

1) clears pending tx packets in the ring on port reset
2) changes a BUG_ON() to a pr_warn() when a remote host has given us an invalid
descriptor state
3) collapses multiple active buffer frees in a ring to a single message per
ring and adds the device name and remote MAC address

This fixes the particular problem of not cleaning up pending buffers on a
reset, but also prevents us from crashing if the remote handles descriptors
out of order or sets an unexpected state for a descriptor.

Signed-off-by: David L Stevens <david.stevens@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosunvnet: free pending tx buffers before clearing ring data
David L Stevens [Mon, 26 Jan 2015 20:54:35 +0000 (15:54 -0500)] 
sunvnet: free pending tx buffers before clearing ring data

This patch moves the clearing of ring data in vnet_port_free_tx_bufs to after
the freeing of pending buffers in the ring. Otherwise, this can result in
dereferencing a NULL pointer.

Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David L Stevens <david.stevens@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too
Hannes Frederic Sowa [Mon, 26 Jan 2015 14:11:17 +0000 (15:11 +0100)] 
ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too

Lubomir Rintel reported that while replacing a route the interface
reference counter isn't correctly decremented.

To quote bug <https://bugzilla.kernel.org/show_bug.cgi?id=91941>:
| [root@rhel7-5 lkundrak]# sh -x lal
| + ip link add dev0 type dummy
| + ip link set dev0 up
| + ip link add dev1 type dummy
| + ip link set dev1 up
| + ip addr add 2001:db8:8086::2/64 dev dev0
| + ip route add 2001:db8:8086::/48 dev dev0 proto static metric 20
| + ip route add 2001:db8:8088::/48 dev dev1 proto static metric 10
| + ip route replace 2001:db8:8086::/48 dev dev1 proto static metric 20
| + ip link del dev0 type dummy
| Message from syslogd@rhel7-5 at Jan 23 10:54:41 ...
|  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2
|
| Message from syslogd@rhel7-5 at Jan 23 10:54:51 ...
|  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2

During replacement of a rt6_info we must walk all parent nodes and check
if the to be replaced rt6_info got propagated. If so, replace it with
an alive one.

Fixes: 4a287eba2de3957 ("IPv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag")
Reported-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Tested-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'sh_eth'
David S. Miller [Tue, 27 Jan 2015 08:18:57 +0000 (00:18 -0800)] 
Merge branch 'sh_eth'

Ben Hutchings says:

====================
Fixes for sh_eth #3

I'm continuing review and testing of Ethernet support on the R-Car H2
chip.  This series fixes the last of the more serious issues I've found.

These are not tested on any of the other supported chips.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosh_eth: Fix DMA-API usage for RX buffers
Ben Hutchings [Tue, 27 Jan 2015 00:50:24 +0000 (00:50 +0000)] 
sh_eth: Fix DMA-API usage for RX buffers

- Use the return value of dma_map_single(), rather than calling
  virt_to_page() separately
- Check for mapping failure
- Call dma_unmap_single() rather than dma_sync_single_for_cpu()

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosh_eth: Check for DMA mapping errors on transmit
Ben Hutchings [Tue, 27 Jan 2015 00:49:47 +0000 (00:49 +0000)] 
sh_eth: Check for DMA mapping errors on transmit

dma_map_single() may fail if an IOMMU or swiotlb is in use, so
we need to check for this.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosh_eth: Ensure DMA engines are stopped before freeing buffers
Ben Hutchings [Tue, 27 Jan 2015 00:49:32 +0000 (00:49 +0000)] 
sh_eth: Ensure DMA engines are stopped before freeing buffers

Currently we try to clear EDRRR and EDTRR and immediately continue to
free buffers.  This is unsafe because:

- In general, register writes are not serialised with DMA, so we still
  have to wait for DMA to complete somehow
- The R8A7790 (R-Car H2) manual states that the TX running flag cannot
  be cleared by writing to EDTRR
- The same manual states that clearing the RX running flag only stops
  RX DMA at the next packet boundary

I applied this patch to the driver to detect DMA writes to freed
buffers:

> --- a/drivers/net/ethernet/renesas/sh_eth.c
> +++ b/drivers/net/ethernet/renesas/sh_eth.c
> @@ -1098,7 +1098,14 @@ static void sh_eth_ring_free(struct net_device *ndev)
>   /* Free Rx skb ringbuffer */
>   if (mdp->rx_skbuff) {
>   for (i = 0; i < mdp->num_rx_ring; i++)
> + memcpy(mdp->rx_skbuff[i]->data,
> +        "Hello, world", 12);
> + msleep(100);
> + for (i = 0; i < mdp->num_rx_ring; i++) {
> + WARN_ON(memcmp(mdp->rx_skbuff[i]->data,
> +        "Hello, world", 12));
>   dev_kfree_skb(mdp->rx_skbuff[i]);
> + }
>   }
>   kfree(mdp->rx_skbuff);
>   mdp->rx_skbuff = NULL;

then ran the loop:

    while ethtool -G eth0 rx 128 ; ethtool -G eth0 rx 64; do echo -n .; done

and 'ping -f' toward the sh_eth port from another machine.  The
warning fired several times a minute.

To fix these issues:

- Deactivate all TX descriptors rather than writing to EDTRR
- As there seems to be no way of telling when RX DMA is stopped,
  perform a soft reset to ensure that both DMA engines are stopped
- To reduce the possibility of the reset truncating a transmitted
  frame, disable egress and wait a reasonable time to reach a
  packet boundary before resetting
- Update statistics before resetting

(The 'reasonable time' does not allow for CS/CD in half-duplex
mode, but half-duplex no longer seems reasonable!)

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosh_eth: Remove RX overflow log messages
Ben Hutchings [Tue, 27 Jan 2015 00:41:16 +0000 (00:41 +0000)] 
sh_eth: Remove RX overflow log messages

If RX traffic is overflowing the FIFO or DMA ring, logging every time
this happens just makes things worse.  These errors are visible in the
statistics anyway.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'phy-next'
David S. Miller [Tue, 27 Jan 2015 08:16:56 +0000 (00:16 -0800)] 
Merge branch 'phy-next'

Florian Fainelli says:

====================
net: phy: prevent double suspend

This patch series addresses a problem that Fugang and I observed on different
platforms where a given PHY device might end-up being suspended twice.

Once as part of the call from ndo_open() all the way down to phy_detach() and
phy_suspend() and a second time when the generic platform device/driver
suspend/resume callbacks are called in drivers/net/phy/mdio_bus.c.

Thanks to Fugang for giving this a quick try on i.MX6/FEC and reporting
positive test results!
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: phy: avoid suspending twice a PHY
Florian Fainelli [Tue, 27 Jan 2015 06:05:40 +0000 (22:05 -0800)] 
net: phy: avoid suspending twice a PHY

As part of a call to ndo_close() a netdevice driver may call
phy_disconnect() -> phy_detach() -> phy_suspend(), such that the PHY is
suspended at this point and a netdevice driver may clock gate the
backing peripheral providing MDIO bus accesses as well.

Update mdio_bus_phy_may_suspend() to report that a PHY may be suspended,
and conversely resumed, only if it was not already suspended while it is
in the detached (netdev pointer is NULL) state.

This fixes bus errors seen during S2/S3 suspend/resume cycles for
netdevice drivers such as GENET which clock gates the entire Ethernet
MAC, including the MDIO bus block.

Acked-by: Fugang Duan <B38611@freescale.com>
Tested-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: phy: keep track of the PHY suspend state
Florian Fainelli [Tue, 27 Jan 2015 06:05:39 +0000 (22:05 -0800)] 
net: phy: keep track of the PHY suspend state

In order to avoid double calls to phydev->drv->suspend and resume, keep
track of whether the PHY has already been suspended as a consequence of
a successful call to phy_suspend(). We will use this in our MDIO bus
suspend/resume hooks to avoid a double suspend call.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
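
The double-suspend protection from the phy-next series above can be sketched as a small userspace model. It is not the kernel implementation: struct fake_phy and the fake_* functions are hypothetical, the driver callback is reduced to a counter, and the attached-device case is deliberately simplified to "always allowed".

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a PHY device. */
struct fake_phy {
	bool suspended;		/* set after a successful suspend */
	void *attached_dev;	/* NULL while the PHY is detached */
	int drv_suspend_calls;	/* how often the driver callback ran */
};

/* Model of the suspend helper: run the callback, then record the state. */
static int fake_phy_suspend(struct fake_phy *phy)
{
	phy->drv_suspend_calls++;	/* stands in for the driver callback */
	phy->suspended = true;
	return 0;
}

/* Bus-level check: a detached PHY that is already suspended is skipped. */
static bool fake_bus_may_suspend(const struct fake_phy *phy)
{
	if (phy->attached_dev == NULL)
		return !phy->suspended;
	return true;	/* simplification for this sketch */
}

/* Model of the bus suspend hook. */
static int fake_bus_suspend(struct fake_phy *phy)
{
	if (!fake_bus_may_suspend(phy))
		return 0;
	return fake_phy_suspend(phy);
}
```

With this flag, a PHY that was suspended when its interface was closed is left alone by the later bus-level suspend, so the driver callback runs once.
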
9 years agonet: phy: document has_fixups field
Florian Fainelli [Tue, 27 Jan 2015 06:05:38 +0000 (22:05 -0800)] 
net: phy: document has_fixups field

has_fixups was introduced to help keep track of fixups/quirks running
on a PHY device, but we did not update the comment above struct
phy_device accordingly.

Fixes: b0ae009f3dc14 ("net: phy: add "has_fixups" boolean property")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: phy: utilize phy_suspend and phy_resume
Florian Fainelli [Tue, 27 Jan 2015 06:05:37 +0000 (22:05 -0800)] 
net: phy: utilize phy_suspend and phy_resume

phy_suspend and phy_resume are an abstraction on top of the PHY device
driver suspend and resume callbacks. Use them, since they are the
proper interface for suspending and resuming a PHY device.

Acked-by: Fugang Duan <B38611@freescale.com>
Tested-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'cxgb4-next'
David S. Miller [Tue, 27 Jan 2015 08:15:06 +0000 (00:15 -0800)] 
Merge branch 'cxgb4-next'

Hariprasad Shenai says:

====================
Add support to dump cim ibq, obq and qinfo, etc

This patch series adds support to dump cim_ibq, cim_obq, sge_qinfo, pm_stats
and clk debugfs entries.

This patch series is created against the 'net-next' tree
and includes patches for the cxgb4 driver.

We have included all the maintainers of respective drivers. Kindly review the
change and let us know in case of any review comments.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocxgb4: Added support in debugfs to dump different timer and clock values of the adapter
Hariprasad Shenai [Tue, 27 Jan 2015 08:17:49 +0000 (13:47 +0530)] 
cxgb4: Added support in debugfs to dump different timer and clock values of the adapter

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocxgb4: Added support in debugfs to dump PM module stats
Hariprasad Shenai [Tue, 27 Jan 2015 08:17:48 +0000 (13:47 +0530)] 
cxgb4: Added support in debugfs to dump PM module stats

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocxgb4: Addded support in debugfs to dump CIM outbound queue content
Hariprasad Shenai [Tue, 27 Jan 2015 08:17:47 +0000 (13:47 +0530)] 
cxgb4: Addded support in debugfs to dump CIM outbound queue content

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocxgb4: Added support in debugfs to dump cim ingress bound queue contents
Hariprasad Shenai [Tue, 27 Jan 2015 08:17:46 +0000 (13:47 +0530)] 
cxgb4: Added support in debugfs to dump cim ingress bound queue contents

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agocxgb4: Added support in debugfs to dump sge_qinfo
Hariprasad Shenai [Tue, 27 Jan 2015 08:17:45 +0000 (13:47 +0530)] 
cxgb4: Added support in debugfs to dump sge_qinfo

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge tag 'linux-can-fixes-for-3.19-20150127' of git://git.kernel.org/pub/scm/linux...
David S. Miller [Tue, 27 Jan 2015 08:13:05 +0000 (00:13 -0800)] 
Merge tag 'linux-can-fixes-for-3.19-20150127' of git://git./linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2015-01-27

this is another pull request for net/master which consists of 4 patches.

All 4 patches are contributed by Ahmed S. Darwish, he fixes more problems in
the kvaser_usb driver.

David, please merge net/master to net-next/master, as we have more kvaser_usb
patches in the queue, that target net-next.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: dsa/mv88e6352: make mv88e6352_wait generic
Vivien Didelot [Fri, 23 Jan 2015 23:34:41 +0000 (18:34 -0500)] 
net: dsa/mv88e6352: make mv88e6352_wait generic

Some busy bits are available in the global register 1, such as the ATU
Busy bit. We may want to use this function to wait for them to change,
so add a new parameter to mv88e6352_wait() instead of hard-coding
REG_GLOBAL2.

In the meantime, since the REG_READ() macro already checks for error,
remove the redundant check for ret < 0.

Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Acked-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoping: Fix race in free in receive path
subashab@codeaurora.org [Fri, 23 Jan 2015 22:26:02 +0000 (22:26 +0000)] 
ping: Fix race in free in receive path

An exception is seen in ICMP ping receive path where the skb
destructor sock_rfree() tries to access a freed socket. This happens
because ping_rcv() releases socket reference with sock_put() and this
internally frees up the socket. Later icmp_rcv() will try to free the
skb and, as part of this, the skb destructor is called, which leads
to a kernel panic as the socket was already freed in ping_rcv().

-->|exception
-007|sk_mem_uncharge
-007|sock_rfree
-008|skb_release_head_state
-009|skb_release_all
-009|__kfree_skb
-010|kfree_skb
-011|icmp_rcv
-012|ip_local_deliver_finish

Fix this incorrect free by cloning this skb and processing this cloned
skb instead.

This patch was suggested by Eric Dumazet

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: dsa/mv88e6xxx: add reg read and write debug
Vivien Didelot [Fri, 23 Jan 2015 21:10:36 +0000 (16:10 -0500)] 
net: dsa/mv88e6xxx: add reg read and write debug

This commit adds debug messages for the generic mv88e6xxx read and write
routines. The output is similar to this:

    mdio-gpio mdio-gpio.0: <- addr: 0x1b reg: 0x05 val: 0x4000
    mdio-gpio mdio-gpio.0: -> addr: 0x1b reg: 0x07 val: 0x3113
    mdio-gpio mdio-gpio.0: -> addr: 0x1b reg: 0x08 val: 0x0330
    mdio-gpio mdio-gpio.0: -> addr: 0x1b reg: 0x09 val: 0x0000

This is convenient to dynamically debug operations through debugfs with:

    echo file mv88e6xxx.c +p > <debugfs>/dynamic_debug/control

Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoudp_diag: Fix socket skipping within chain
Herbert Xu [Fri, 23 Jan 2015 21:02:40 +0000 (08:02 +1100)] 
udp_diag: Fix socket skipping within chain

While working on rhashtable walking I noticed that the UDP diag
dumping code is buggy.  In particular, the socket skipping within
a chain never happens, even though we record the number of sockets
that should be skipped.

As this code was supposedly copied from TCP, this patch does what
TCP does and resets num before we walk a chain.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
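
The chain-skipping fix described in the commit above can be shown with a small resumable dump over a fixed table. This is a userspace sketch, not the udp_diag code: fake_dump(), struct dump_cursor and the SLOTS/CHAIN sizes are assumptions made for the example. The essential line is the reset of num before each chain is walked.

```c
#define SLOTS 2		/* assumed number of hash slots */
#define CHAIN 3		/* assumed entries per chain */

/* Where the previous dump call stopped. */
struct dump_cursor {
	int slot;	/* slot to resume in */
	int num;	/* entries of that slot already dumped */
};

/*
 * Copy up to `room` entries into out[], resuming at *cur.
 * Returns the number of entries written and updates *cur.
 */
static int fake_dump(int table[SLOTS][CHAIN], struct dump_cursor *cur,
		     int *out, int room)
{
	int emitted = 0;
	int s_num = cur->num;
	int slot, num = 0;

	for (slot = cur->slot; slot < SLOTS; s_num = 0, slot++) {
		num = 0;	/* restart the position counter per chain */
		for (int i = 0; i < CHAIN; i++, num++) {
			if (num < s_num)
				continue;	/* dumped by an earlier call */
			if (emitted == room)
				goto done;	/* out of space, resume here */
			out[emitted++] = table[slot][i];
		}
	}
done:
	cur->slot = slot;
	cur->num = num;
	return emitted;
}
```

If num started out equal to the saved position instead of 0, the num < s_num test could never be true and every call would dump the resumed chain again from its first entry.
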
9 years agocan: kvaser_usb: Fix state handling upon BUS_ERROR events
Ahmed S. Darwish [Mon, 26 Jan 2015 05:25:43 +0000 (07:25 +0200)] 
can: kvaser_usb: Fix state handling upon BUS_ERROR events

While being in an ERROR_WARNING state, and receiving further
bus error events with error counters still in the ERROR_WARNING
range of 97-127 inclusive, the state handling code erroneously
reverts back to ERROR_ACTIVE.

Per the CAN standard, only revert to ERROR_ACTIVE when the
error counters are less than 96.

Moreover, in certain Kvaser models, the BUS_ERROR flag is
always set along with undefined bits in the M16C status
register. Thus use bitwise operators instead of full equality
for checking that register against bus errors.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
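
The two checks in the commit above can be sketched as follows. This is an illustration only: the enum, both functions and the FAKE_BUS_ERROR bit value are hypothetical, and the thresholds are an assumption based on the commit text (ERROR_ACTIVE only below 96) plus the usual error-passive limit of 128.

```c
/* Simplified controller states for this sketch. */
enum fake_can_state {
	FAKE_ERROR_ACTIVE,
	FAKE_ERROR_WARNING,
	FAKE_ERROR_PASSIVE,
};

/* Derive the state from the worse of the two error counters. */
static enum fake_can_state fake_state_from_counters(unsigned int txerr,
						    unsigned int rxerr)
{
	unsigned int worst = txerr > rxerr ? txerr : rxerr;

	if (worst >= 128)
		return FAKE_ERROR_PASSIVE;
	if (worst >= 96)
		return FAKE_ERROR_WARNING;
	return FAKE_ERROR_ACTIVE;	/* only when both counters are < 96 */
}

#define FAKE_BUS_ERROR 0x10u	/* hypothetical bit position */

/*
 * Test the flag with a bitwise AND: other, undefined bits may be set
 * in the same register, so a full equality test would miss the event.
 */
static int fake_has_bus_error(unsigned int status)
{
	return (status & FAKE_BUS_ERROR) != 0;
}
```
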
9 years agocan: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT
Ahmed S. Darwish [Mon, 26 Jan 2015 05:24:06 +0000 (07:24 +0200)] 
can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT

On some x86 laptops, plugging a Kvaser device again after an
unplug makes the firmware always ignore the very first command.
For such a case, provide some room for retries instead of
completely exiting the driver init code.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
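
The retry described in the commit above amounts to a bounded loop around the first command. The sketch below models it in userspace: fake_first_cmd_with_retry(), struct fake_dev and fake_flaky_xfer() are hypothetical names, and the transfer is a stub that ignores a configurable number of initial commands.

```c
#include <errno.h>

/* Signature of a transfer attempt: 0 on success, negative errno on error. */
typedef int (*fake_xfer_fn)(void *ctx);

/* Retry only on timeout; any other result is returned immediately. */
static int fake_first_cmd_with_retry(fake_xfer_fn xfer, void *ctx,
				     int max_tries)
{
	int err = -ETIMEDOUT;

	for (int i = 0; i < max_tries; i++) {
		err = xfer(ctx);
		if (err != -ETIMEDOUT)
			break;
	}
	return err;
}

/* Stub device that ignores its first `ignore_first` commands. */
struct fake_dev {
	int ignore_first;
	int calls;
};

static int fake_flaky_xfer(void *ctx)
{
	struct fake_dev *dev = ctx;

	dev->calls++;
	if (dev->ignore_first > 0) {
		dev->ignore_first--;
		return -ETIMEDOUT;
	}
	return 0;
}
```

Bounding the number of attempts keeps initialization from hanging on a device that never answers, while a device that only drops its very first command still initializes.
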
9 years agocan: kvaser_usb: Send correct context to URB completion
Ahmed S. Darwish [Mon, 26 Jan 2015 05:22:54 +0000 (07:22 +0200)] 
can: kvaser_usb: Send correct context to URB completion

Send the expected argument to the URB completion handler: a CAN
netdevice instead of the network interface private context
`kvaser_usb_net_priv'.

This was discovered by having some garbage in the kernel
log in place of the netdevice names: can0 and can1.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
9 years agocan: kvaser_usb: Do not sleep in atomic context
Ahmed S. Darwish [Mon, 26 Jan 2015 05:20:39 +0000 (07:20 +0200)] 
can: kvaser_usb: Do not sleep in atomic context

Upon receiving a hardware event with the BUS_RESET flag set,
the driver kills all of its anchored URBs and resets all of
its transmit URB contexts.

Unfortunately it does so under the context of URB completion
handler `kvaser_usb_read_bulk_callback()', which is often
called in an atomic context.

While the device is flooded with many received error packets,
usb_kill_urb() typically sleeps/reschedules till the transfer
request of each killed URB in question completes, leading to
the sleep in atomic bug. [3]

In v2 submission of the original driver patch [1], it was
stated that the URBs kill and tx contexts reset was needed
since we don't receive any tx acknowledgments later and thus
such resources will be locked down forever. Fortunately this
is no longer needed since an earlier bugfix in this patch
series is now applied: all tx URB contexts are reset upon CAN
channel close. [2]

Moreover, a BUS_RESET is now treated _exactly_ like a BUS_OFF
event, which is the recommended handling method advised by
the device manufacturer.

[1] http://article.gmane.org/gmane.linux.network/239442
    http://www.webcitation.org/6Vr2yagAQ

[2] can: kvaser_usb: Reset all URB tx contexts upon channel close
    889b77f7fd2bcc922493d73a4c51d8a851505815

[3] Stacktrace:

 <IRQ>  [<ffffffff8158de87>] dump_stack+0x45/0x57
 [<ffffffff8158b60c>] __schedule_bug+0x41/0x4f
 [<ffffffff815904b1>] __schedule+0x5f1/0x700
 [<ffffffff8159360a>] ? _raw_spin_unlock_irqrestore+0xa/0x10
 [<ffffffff81590684>] schedule+0x24/0x70
 [<ffffffff8147d0a5>] usb_kill_urb+0x65/0xa0
 [<ffffffff81077970>] ? prepare_to_wait_event+0x110/0x110
 [<ffffffff8147d7d8>] usb_kill_anchored_urbs+0x48/0x80
 [<ffffffffa01f4028>] kvaser_usb_unlink_tx_urbs+0x18/0x50 [kvaser_usb]
 [<ffffffffa01f45d0>] kvaser_usb_rx_error+0xc0/0x400 [kvaser_usb]
 [<ffffffff8108b14a>] ? vprintk_default+0x1a/0x20
 [<ffffffffa01f5241>] kvaser_usb_read_bulk_callback+0x4c1/0x5f0 [kvaser_usb]
 [<ffffffff8147a73e>] __usb_hcd_giveback_urb+0x5e/0xc0
 [<ffffffff8147a8a1>] usb_hcd_giveback_urb+0x41/0x110
 [<ffffffffa0008748>] finish_urb+0x98/0x180 [ohci_hcd]
 [<ffffffff810cd1a7>] ? acct_account_cputime+0x17/0x20
 [<ffffffff81069f65>] ? local_clock+0x15/0x30
 [<ffffffffa000a36b>] ohci_work+0x1fb/0x5a0 [ohci_hcd]
 [<ffffffff814fbb31>] ? process_backlog+0xb1/0x130
 [<ffffffffa000cd5b>] ohci_irq+0xeb/0x270 [ohci_hcd]
 [<ffffffff81479fc1>] usb_hcd_irq+0x21/0x30
 [<ffffffff8108bfd3>] handle_irq_event_percpu+0x43/0x120
 [<ffffffff8108c0ed>] handle_irq_event+0x3d/0x60
 [<ffffffff8108ec84>] handle_fasteoi_irq+0x74/0x110
 [<ffffffff81004dfd>] handle_irq+0x1d/0x30
 [<ffffffff81004727>] do_IRQ+0x57/0x100
 [<ffffffff8159482a>] common_interrupt+0x6a/0x6a

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
9 years agoMerge tag 'mac80211-for-davem-2015-01-23' of git://git.kernel.org/pub/scm/linux/kerne...
David S. Miller [Tue, 27 Jan 2015 01:32:24 +0000 (17:32 -0800)] 
Merge tag 'mac80211-for-davem-2015-01-23' of git://git./linux/kernel/git/jberg/mac80211

Another set of last-minute fixes:
 * fix station double-removal when suspending while associating
 * fix the HT (802.11n) header length calculation
 * fix the CCK radiotap flag used for monitoring, a pretty
   old regression but a simple one-liner
 * fix per-station group-key handling

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoipv4: try to cache dst_entries which would cause a redirect
Hannes Frederic Sowa [Fri, 23 Jan 2015 11:01:26 +0000 (12:01 +0100)] 
ipv4: try to cache dst_entries which would cause a redirect

Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect has been
aggravated since commit f88649721268999 ("ipv4: fix dst race in
sk_dst_get()").

Lookups causing redirects will be allocated with DST_NOCACHE set, which
will force dst_release to free them via RCU. Unfortunately, waiting for
an RCU grace period takes too long: we can end up with >1M dst_entries
waiting to be released and the system will run OOM. The rcuos threads
cannot catch up under high softirq load.

Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.

This issue was discovered by Marcelo Leitner.

Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: macb: Remove CONFIG_PM ifdef because of compilation warning
Michal Simek [Fri, 23 Jan 2015 08:36:03 +0000 (09:36 +0100)] 
net: macb: Remove CONFIG_PM ifdef because of compilation warning

Fix compilation warning:
drivers/net/ethernet/cadence/macb.c:2415:12: warning: 'macb_suspend'
defined but not used [-Wunused-function]
 static int macb_suspend(struct device *dev)
drivers/net/ethernet/cadence/macb.c:2432:12: warning: 'macb_resume'
defined but not used [-Wunused-function]
 static int macb_resume(struct device *dev)

when CONFIG_PM=y, CONFIG_PM_SLEEP=n are used.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoMerge branch 'bpf'
David S. Miller [Tue, 27 Jan 2015 01:20:48 +0000 (17:20 -0800)] 
Merge branch 'bpf'

Alexei Starovoitov says:

====================
bpf: fix two bugs

Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agosamples: bpf: relax test_maps check
Alexei Starovoitov [Fri, 23 Jan 2015 01:11:09 +0000 (17:11 -0800)] 
samples: bpf: relax test_maps check

hash map is unordered, so get_next_key() iterator shouldn't
rely on particular order of elements. So relax this test.
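
As an illustration only (this is not the code from samples/bpf), an
order-independent check could compare the set of keys returned by the
iterator against the expected set. The helper name same_key_set() and
the assumption that keys are unique within each array are hypothetical:

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/*
 * Hypothetical helper: returns true when `seen` holds exactly the keys
 * listed in `expected`, in any order. Assumes keys are unique within
 * each array, as they are for keys of a hash map.
 */
static bool same_key_set(const long long *seen, size_t n_seen,
                         const long long *expected, size_t n_expected)
{
    if (n_seen != n_expected)
        return false;

    for (size_t i = 0; i < n_expected; i++) {
        bool found = false;

        /* Linear scan: the position of the key in `seen` is irrelevant. */
        for (size_t j = 0; j < n_seen; j++) {
            if (seen[j] == expected[i]) {
                found = true;
                break;
            }
        }
        if (!found)
            return false;
    }
    return true;
}
```

A test written this way passes whether the iterator returns key 1 or
key 2 first.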

Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agobpf: rcu lock must not be held when calling copy_to_user()
Alexei Starovoitov [Fri, 23 Jan 2015 01:11:08 +0000 (17:11 -0800)] 
bpf: rcu lock must not be held when calling copy_to_user()

BUG: sleeping function called from invalid context at mm/memory.c:3732
in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
1 lock held by test_maps/671:
 #0:  (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
Call Trace:
([<0000000000115b7e>] show_trace+0x12e/0x150)
 [<0000000000115c40>] show_stack+0xa0/0x100
 [<00000000009b163c>] dump_stack+0x74/0xc8
 [<000000000017424a>] ___might_sleep+0x23a/0x248
 [<00000000002b58e8>] might_fault+0x70/0xe8
 [<0000000000264230>] map_lookup_elem+0x188/0x260
 [<0000000000264716>] SyS_bpf+0x20e/0x840

Fix it by allocating temporary buffer to store map element value.
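
The pattern can be sketched in plain user-space C. This is a simplified
model, not the kernel patch: fake_read_lock(), fake_read_unlock(),
fake_copy_out(), stored_value and lookup_elem() are hypothetical
stand-ins for rcu_read_lock(), rcu_read_unlock(), copy_to_user(), the
map element and map_lookup_elem():

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for rcu_read_lock()/rcu_read_unlock(): a nesting counter only. */
static int read_lock_depth;

static void fake_read_lock(void)   { read_lock_depth++; }
static void fake_read_unlock(void) { read_lock_depth--; }

/*
 * Stand-in for copy_to_user(): it may "sleep", so it refuses to run
 * inside the read-side section. Returns 0 on success, -1 otherwise.
 */
static int fake_copy_out(void *dst, const void *src, size_t len)
{
    if (read_lock_depth > 0)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Stand-in for a map element that is only valid under the read lock. */
static const char stored_value[8] = "value-1";

static int lookup_elem(void *user_dst, size_t value_size)
{
    void *tmp;
    int err;

    if (value_size == 0 || value_size > sizeof(stored_value))
        return -1;

    /* Allocate the temporary buffer before entering the locked section. */
    tmp = malloc(value_size);
    if (!tmp)
        return -1;

    fake_read_lock();
    memcpy(tmp, stored_value, value_size);  /* non-sleeping copy */
    fake_read_unlock();

    /* The copy that may sleep happens only after the lock is dropped. */
    err = fake_copy_out(user_dst, tmp, value_size);
    free(tmp);
    return err;
}
```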

Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: macb: allow deffered probe of the driver
Nicolae Rosia [Thu, 22 Jan 2015 17:31:05 +0000 (17:31 +0000)] 
net: macb: allow deffered probe of the driver

The driver tries to acquire clocks which may not be
available yet. Allow the driver to request deferred
probe by providing a probe function and registering
it with module_platform_driver. [1]
This patch is based on 3.19-rc5.

[1] https://lkml.org/lkml/2013/9/23/118

Signed-off-by: Nicolae Rosia <nicolae.rosia@certsign.ro>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agonet: sctp: fix slab corruption from use after free on INIT collisions
Daniel Borkmann [Thu, 22 Jan 2015 17:26:54 +0000 (18:26 +0100)] 
net: sctp: fix slab corruption from use after free on INIT collisions

When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c646 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c646 ...

[  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[  533.940559] PGD 5030f2067 PUD 0
[  533.957104] Oops: 0000 [#1] SMP
[  533.974283] Modules linked in: sctp mlx4_en [...]
[  534.939704] Call Trace:
[  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

... or, depending on the application, for example this one:

[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

With slab debugging enabled, we can see that the poison has been overwritten:

[  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
[  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[  669.826424]  __slab_alloc+0x4bf/0x566
[  669.826433]  __kmalloc+0x280/0x310
[  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
[  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[  669.826635]  __slab_free+0x39/0x2a8
[  669.826643]  kfree+0x1d6/0x230
[  669.826650]  kzfree+0x31/0x40
[  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
[  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
[  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).

Reference counting of auth keys revisited:

Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or endpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.

User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys list and, in case of an assoc, invokes (as one of
various places) sctp_auth_asoc_init_active_key().

sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret on which we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
an initial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().

To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independent of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
("net: sctp: fix memory leak in auth key management") is independent of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.
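
The effect of the second put can be modelled in user space. This is a
sketch under stated assumptions, not the SCTP code: struct key_bytes,
key_create() and key_put() are hypothetical stand-ins for
struct sctp_auth_bytes, sctp_auth_create_key() and sctp_auth_key_put(),
and "freeing" only poisons a static slot with 0x6b so that the stale
access stays observable instead of being undefined behavior:

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define POISON_FREE 0x6b  /* byte that slab debugging writes into freed objects */

/* Simplified stand-in for struct sctp_auth_bytes. */
struct key_bytes {
    int32_t refcnt;
    uint32_t len;
    uint8_t data[16];
};

/* Stand-in for a single slab object; it is never really released. */
static struct key_bytes slot;

static struct key_bytes *key_create(void)
{
    memset(&slot, 0, sizeof(slot));
    slot.refcnt = 1;  /* a new key starts with exactly one reference */
    return &slot;
}

/*
 * Model of a put: drop one reference and "free" the object by poisoning
 * it once the count reaches zero.
 */
static void key_put(struct key_bytes *key)
{
    if (--key->refcnt == 0)
        memset(key, POISON_FREE, sizeof(*key));
}
```

In this model the first key_put() on a key with refcount 1 poisons the
object, so refcnt reads 0x6b6b6b6b. A second key_put() on the same
pointer decrements that poison to 0x6b6b6b6a, which mirrors the 0x6b to
0x6a change in the "Poison overwritten" report above.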

Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>