From a98f300a28303c181bb1d27249de2d8d25778d64 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 4 Feb 2014 08:39:26 -0800 Subject: [PATCH] 3.4-stable patches added patches: bnx2x-fix-dma-unmapping-of-tso-split-bds.patch inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch net-via-rhine-fix-tx_timeout-handling.patch --- ...x-fix-dma-unmapping-of-tso-split-bds.patch | 73 +++++++++++++++++++ ...ump_icsk-timewait-socket-state-logic.patch | 62 ++++++++++++++++ ...on-fib_rules-in-multicast-forwarding.patch | 73 +++++++++++++++++++ ...et-via-rhine-fix-tx_timeout-handling.patch | 34 +++++++++ queue-3.4/series | 4 + 5 files changed, 246 insertions(+) create mode 100644 queue-3.4/bnx2x-fix-dma-unmapping-of-tso-split-bds.patch create mode 100644 queue-3.4/inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch create mode 100644 queue-3.4/net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch create mode 100644 queue-3.4/net-via-rhine-fix-tx_timeout-handling.patch diff --git a/queue-3.4/bnx2x-fix-dma-unmapping-of-tso-split-bds.patch b/queue-3.4/bnx2x-fix-dma-unmapping-of-tso-split-bds.patch new file mode 100644 index 00000000000..35cfb2e66ef --- /dev/null +++ b/queue-3.4/bnx2x-fix-dma-unmapping-of-tso-split-bds.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Feb 4 08:37:18 PST 2014 +From: Michal Schmidt +Date: Thu, 9 Jan 2014 14:36:27 +0100 +Subject: bnx2x: fix DMA unmapping of TSO split BDs + +From: Michal Schmidt + +[ Upstream commit 95e92fd40c967c363ad66b2fd1ce4dcd68132e54 ] + +bnx2x triggers warnings with CONFIG_DMA_API_DEBUG=y: + + WARNING: CPU: 0 PID: 2253 at lib/dma-debug.c:887 check_unmap+0xf8/0x920() + bnx2x 0000:28:00.0: DMA-API: device driver frees DMA memory with + different size [device address=0x00000000da2b389e] [map size=1490 bytes] + [unmap size=66 bytes] + +The reason is that bnx2x splits a TSO BD into two BDs (headers + data) +using one DMA mapping for both, but it uses only the length of the first +BD when unmapping. + +This patch fixes the bug by unmapping the whole length of the two BDs. + +Signed-off-by: Michal Schmidt +Reviewed-by: Eric Dumazet +Acked-by: Dmitry Kravkov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -71,6 +71,7 @@ static u16 bnx2x_free_tx_pkt(struct bnx2 + struct sk_buff *skb = tx_buf->skb; + u16 bd_idx = TX_BD(tx_buf->first_bd), new_cons; + int nbd; ++ u16 split_bd_len = 0; + + /* prefetch skb end pointer to speedup dev_kfree_skb() */ + prefetch(&skb->end); +@@ -78,10 +79,7 @@ static u16 bnx2x_free_tx_pkt(struct bnx2 + DP(NETIF_MSG_TX_DONE, "fp[%d]: pkt_idx %d buff @(%p)->skb %p\n", + txdata->txq_index, idx, tx_buf, skb); + +- /* unmap first bd */ + tx_start_bd = &txdata->tx_desc_ring[bd_idx].start_bd; +- dma_unmap_single(&bp->pdev->dev, BD_UNMAP_ADDR(tx_start_bd), +- BD_UNMAP_LEN(tx_start_bd), DMA_TO_DEVICE); + + + nbd = le16_to_cpu(tx_start_bd->nbd) - 1; +@@ -100,12 +98,19 @@ static u16 bnx2x_free_tx_pkt(struct bnx2 + --nbd; + bd_idx = TX_BD(NEXT_TX_IDX(bd_idx)); + +- /* ...and the TSO split header bd since they have no mapping */ ++ /* TSO headers+data bds share a common mapping. See bnx2x_tx_split() */ + if (tx_buf->flags & BNX2X_TSO_SPLIT_BD) { ++ tx_data_bd = &txdata->tx_desc_ring[bd_idx].reg_bd; ++ split_bd_len = BD_UNMAP_LEN(tx_data_bd); + --nbd; + bd_idx = TX_BD(NEXT_TX_IDX(bd_idx)); + } + ++ /* unmap first bd */ ++ dma_unmap_single(&bp->pdev->dev, BD_UNMAP_ADDR(tx_start_bd), ++ BD_UNMAP_LEN(tx_start_bd) + split_bd_len, ++ DMA_TO_DEVICE); ++ + /* now free frags */ + while (nbd > 0) { + diff --git a/queue-3.4/inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch b/queue-3.4/inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch new file mode 100644 index 00000000000..6ba6760e6c5 --- /dev/null +++ b/queue-3.4/inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Feb 4 08:37:18 PST 2014 +From: Neal Cardwell +Date: Sun, 2 Feb 2014 20:40:13 -0500 +Subject: inet_diag: fix inet_diag_dump_icsk() timewait socket state logic + +From: Neal Cardwell + +[ Based upon upstream commit 70315d22d3c7383f9a508d0aab21e2eb35b2303a ] + +Fix inet_diag_dump_icsk() to reflect the fact that both TIME_WAIT and +FIN_WAIT2 connections are represented by inet_timewait_sock (not just +TIME_WAIT). Thus: + +(a) We need to iterate through the time_wait buckets if the user wants +either TIME_WAIT or FIN_WAIT2. (Before fixing this, "ss -nemoi state +fin-wait-2" would not return any sockets, even if there were some in +FIN_WAIT2.) + +(b) We need to check tw_substate to see if the user wants to dump +sockets in the particular substate (TIME_WAIT or FIN_WAIT2) that a +given connection is in. (Before fixing this, "ss -nemoi state +time-wait" would actually return sockets in state FIN_WAIT2.) + +An analogous fix is in v3.13: 70315d22d3c7383f9a508d0aab21e2eb35b2303a +("inet_diag: fix inet_diag_dump_icsk() to use correct state for +timewait sockets") but that patch is quite different because 3.13 code +is very different in this area due to the unification of TCP hash +tables in 05dbc7b ("tcp/dccp: remove twchain") in v3.13-rc1. + +I tested that this applies cleanly between v3.3 and v3.12, and tested +that it works in both 3.3 and 3.12. It does not apply cleanly to 3.2 +and earlier (though it makes semantic sense), and semantically is not +the right fix for 3.13 and beyond (as mentioned above). + +Signed-off-by: Neal Cardwell +Cc: Eric Dumazet +Acked-by: Eric Dumazet +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_diag.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -941,7 +941,7 @@ next_normal: + ++num; + } + +- if (r->idiag_states & TCPF_TIME_WAIT) { ++ if (r->idiag_states & (TCPF_TIME_WAIT | TCPF_FIN_WAIT2)) { + struct inet_timewait_sock *tw; + + inet_twsk_for_each(tw, node, +@@ -949,6 +949,8 @@ next_normal: + + if (num < s_num) + goto next_dying; ++ if (!(r->idiag_states & (1 << tw->tw_substate))) ++ goto next_dying; + if (r->sdiag_family != AF_UNSPEC && + tw->tw_family != r->sdiag_family) + goto next_dying; diff --git a/queue-3.4/net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch b/queue-3.4/net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch new file mode 100644 index 00000000000..a6da41f93e5 --- /dev/null +++ b/queue-3.4/net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Feb 4 08:37:18 PST 2014 +From: Hannes Frederic Sowa +Date: Mon, 13 Jan 2014 02:45:22 +0100 +Subject: net: avoid reference counter overflows on fib_rules in multicast forwarding + +From: Hannes Frederic Sowa + +[ Upstream commit 95f4a45de1a0f172b35451fc52283290adb21f6e ] + +Bob Falken reported that after 4G packets, multicast forwarding stopped +working. This was because of a rule reference counter overflow which +freed the rule as soon as the overflow happend. + +This patch solves this by adding the FIB_LOOKUP_NOREF flag to +fib_rules_lookup calls. This is safe even from non-rcu locked sections +as in this case the flag only implies not taking a reference to the rule, +which we don't need at all. + +Rules only hold references to the namespace, which are guaranteed to be +available during the call of the non-rcu protected function reg_vif_xmit +because of the interface reference which itself holds a reference to +the net namespace. + +Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables") +Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables") +Reported-by: Bob Falken +Cc: Patrick McHardy +Cc: Thomas Graf +Cc: Julian Anastasov +Cc: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipmr.c | 7 +++++-- + net/ipv6/ip6mr.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -154,9 +154,12 @@ static struct mr_table *ipmr_get_table(s + static int ipmr_fib_lookup(struct net *net, struct flowi4 *flp4, + struct mr_table **mrt) + { +- struct ipmr_result res; +- struct fib_lookup_arg arg = { .result = &res, }; + int err; ++ struct ipmr_result res; ++ struct fib_lookup_arg arg = { ++ .result = &res, ++ .flags = FIB_LOOKUP_NOREF, ++ }; + + err = fib_rules_lookup(net->ipv4.mr_rules_ops, + flowi4_to_flowi(flp4), 0, &arg); +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -138,9 +138,12 @@ static struct mr6_table *ip6mr_get_table + static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6, + struct mr6_table **mrt) + { +- struct ip6mr_result res; +- struct fib_lookup_arg arg = { .result = &res, }; + int err; ++ struct ip6mr_result res; ++ struct fib_lookup_arg arg = { ++ .result = &res, ++ .flags = FIB_LOOKUP_NOREF, ++ }; + + err = fib_rules_lookup(net->ipv6.mr6_rules_ops, + flowi6_to_flowi(flp6), 0, &arg); diff --git a/queue-3.4/net-via-rhine-fix-tx_timeout-handling.patch b/queue-3.4/net-via-rhine-fix-tx_timeout-handling.patch new file mode 100644 index 00000000000..b7be22c87e6 --- /dev/null +++ b/queue-3.4/net-via-rhine-fix-tx_timeout-handling.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Feb 4 08:37:18 PST 2014 +From: Richard Weinberger +Date: Tue, 14 Jan 2014 22:46:36 +0100 +Subject: net,via-rhine: Fix tx_timeout handling + +From: Richard Weinberger + +[ Upstream commit a926592f5e4e900f3fa903298c4619a131e60963 ] + +rhine_reset_task() misses to disable the tx scheduler upon reset, +this can lead to a crash if work is still scheduled while we're resetting +the tx queue. + +Fixes: +[ 93.591707] BUG: unable to handle kernel NULL pointer dereference at 0000004c +[ 93.595514] IP: [] rhine_napipoll+0x491/0x6 + +Signed-off-by: Richard Weinberger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/via/via-rhine.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/via/via-rhine.c ++++ b/drivers/net/ethernet/via/via-rhine.c +@@ -1601,6 +1601,7 @@ static void rhine_reset_task(struct work + goto out_unlock; + + napi_disable(&rp->napi); ++ netif_tx_disable(dev); + spin_lock_bh(&rp->lock); + + /* clear all descriptors */ diff --git a/queue-3.4/series b/queue-3.4/series index dbbe2ef9433..f4dc6cde491 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -26,3 +26,7 @@ asoc-adau1701-fix-adau1701_seroctl_word_len_16-constant.patch alsa-rme9652-fix-a-missing-comma-in-channel_map_9636_ds.patch alsa-enable-config_zone_dma-for-smaller-pci-dma-masks.patch hp_accel-add-a-new-pnp-id-hpq6007-for-new-hp-laptops.patch +bnx2x-fix-dma-unmapping-of-tso-split-bds.patch +inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch +net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch +net-via-rhine-fix-tx_timeout-handling.patch -- 2.47.2