Netdev List
 help / color / mirror / Atom feed
* Re: jme: UDP checksum error, and lots of them
From: Guo-Fu Tseng @ 2010-12-02  4:33 UTC (permalink / raw)
  To: David Miller, jengelh; +Cc: netdev
In-Reply-To: <20101201.200935.71110482.davem@davemloft.net>

On Wed, 01 Dec 2010 20:09:35 -0800 (PST), David Miller wrote
> From: Jan Engelhardt <jengelh@medozas.de>
> Date: Thu, 2 Dec 2010 04:39:34 +0100 (CET)
> 
> > Why does the JME driver care so much about this that it needs to print 
> > this for every packet? It does not look like it has any offloading 
> > features.
> 
> Well I'm glad it let us know about the bad checksum which would otherwise
> have been unnoticed.
> 
> Please try to pinpoint why the checksum is bad, because it seems that
> tcpdump agrees with the driver.  Perhaps it's some side effect of how
> vpnc uses TUN/TAP, or something like that.
> 
> Seeing the bad checksum even in tcpdump, and then seeing proper replies
> going back, that is very suspicious and should be looked into.
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Indeed... It is suspicious to reply proper response against the packet
with bad checksum.

Jan: Would you try to turn off the rx-checksum offloading with ethtool
and see how it goes?

I suspect that there might be some the HW-Checksum behavior error.
ex: Replaced the UDP checksum field while it's all zero(no need to checksum)

Guo-Fu Tseng


^ permalink raw reply

* Re: [PATCH net-next-2.6 v6 06/20] can: EG20T PCH: Fix endianness issue
From: Tomoya MORINAGA @ 2010-12-02  4:47 UTC (permalink / raw)
  To: Marc Kleine-Budde
  Cc: andrew.chih.howe.khor-ral2JQCrhuEAvxtiuMwx3w, Samuel Ortiz,
	margie.foster-ral2JQCrhuEAvxtiuMwx3w,
	netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	socketcan-core-0fE9KPoRgkgATYTw5x5z8w,
	yong.y.wang-ral2JQCrhuEAvxtiuMwx3w,
	kok.howg.ewe-ral2JQCrhuEAvxtiuMwx3w, Wolfgang Grandegger,
	joel.clark-ral2JQCrhuEAvxtiuMwx3w, David S. Miller,
	Christian Pellegrin, qi.wang-ral2JQCrhuEAvxtiuMwx3w
In-Reply-To: <001101cb90e8$e60c76a0$66f8800a@maildom.okisemi.com>

Hi Marc,

Again, do you have any comments for v6 other patches ?
If you don't have, please give us your "Acked" for each patch.

==Current status of v6 series==
01/20: Acked
02/20:
03/20:
04/20:
05/20: Acked
06/20: I got your comments. Now modifying
07/20:
08/20:
09/20:
10/20:
11/20: Acked
12/20:
13/20: Acked
14/20:
15/20:
16/20:
17/20:
18/20:
19/20:
20/20:

Thanks,
-------
Tomoya MORINAGA
OKI SEMICONDUCTOR CO., LTD.

^ permalink raw reply

* [PATCH 2/2] ath: Fix logging message typos
From: Joe Perches @ 2010-12-02  5:13 UTC (permalink / raw)
  To: Jiri Slaby, Nick Kossifidis, Luis R. Rodriguez, Bob Copeland,
	Jouni Malinen
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA, ath5k-devel-xDcbHBWguxEUs3QNXV6qNA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA, John W. Linville,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ath9k-devel-xDcbHBWguxHbcTqmT+pZeQ
In-Reply-To: <276469c602c402565b49f99521ea19757429e81e.1291266731.git.joe-6d6DIl74uiNBDgjK7y7TUQ@public.gmane.org>

Fix immunity misspelling.
Standardize strings from multiple modules.
Add spaces between words of concatenated strings.

Signed-off-by: Joe Perches <joe-6d6DIl74uiNBDgjK7y7TUQ@public.gmane.org>
---
 drivers/net/wireless/ath/ath5k/ani.c          |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_calib.c |    4 ++--
 drivers/net/wireless/ath/ath9k/eeprom_4k.c    |    4 ++--
 drivers/net/wireless/ath/ath9k/eeprom_9287.c  |    2 +-
 drivers/net/wireless/ath/ath9k/eeprom_def.c   |    2 +-
 drivers/net/wireless/ath/ath9k/htc_hst.c      |    6 +++---
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/ath/ath5k/ani.c b/drivers/net/wireless/ath/ath5k/ani.c
index 6b75b22..9c41881 100644
--- a/drivers/net/wireless/ath/ath5k/ani.c
+++ b/drivers/net/wireless/ath/ath5k/ani.c
@@ -74,7 +74,7 @@ ath5k_ani_set_noise_immunity_level(struct ath5k_hw *ah, int level)
 	static const s8 fr[] = { -78, -80 };
 #endif
 	if (level < 0 || level >= ARRAY_SIZE(sz)) {
-		ATH5K_ERR(ah->ah_sc, "noise immuniy level %d out of range",
+		ATH5K_ERR(ah->ah_sc, "noise immunity level %d out of range",
 			  level);
 		return;
 	}
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_calib.c b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
index a7705e7..199131e 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_calib.c
+++ b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
@@ -720,7 +720,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
 		if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
 				  AR_PHY_AGC_CONTROL_CAL, 0, AH_WAIT_TIMEOUT)) {
 			ath_dbg(common, ATH_DBG_CALIBRATE,
-				"offset calibration failed to complete in 1ms; noisy ??\n");
+				"offset calibration failed to complete in 1ms; noisy environment?\n");
 			return false;
 		}
 		REG_CLR_BIT(ah, AR_PHY_TURBO, AR_PHY_FC_DYN2040_EN);
@@ -734,7 +734,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
 	if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_CAL,
 			  0, AH_WAIT_TIMEOUT)) {
 		ath_dbg(common, ATH_DBG_CALIBRATE,
-			"offset calibration failed to complete in 1ms; noisy ??\n");
+			"offset calibration failed to complete in 1ms; noisy enfironment?\n");
 		return false;
 	}
 
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_4k.c b/drivers/net/wireless/ath/ath9k/eeprom_4k.c
index 35b1a8c..939fc7a 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_4k.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_4k.c
@@ -90,7 +90,7 @@ static int ath9k_hw_4k_check_eeprom(struct ath_hw *ah)
 				}
 			} else {
 				ath_err(common,
-					"Invalid EEPROM Magic. endianness mismatch.\n");
+					"Invalid EEPROM Magic. Endianness mismatch.\n");
 				return -EINVAL;
 			}
 		}
@@ -1178,7 +1178,7 @@ static u16 ath9k_hw_4k_get_spur_channel(struct ath_hw *ah, u16 i, bool is2GHz)
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_9287.c b/drivers/net/wireless/ath/ath9k/eeprom_9287.c
index 0be5351..9ec4bc8 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_9287.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_9287.c
@@ -1150,7 +1150,7 @@ static u16 ath9k_hw_ar9287_get_spur_channel(struct ath_hw *ah,
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_def.c b/drivers/net/wireless/ath/ath9k/eeprom_def.c
index 91722fb..9aa31aa 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_def.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_def.c
@@ -1458,7 +1458,7 @@ static u16 ath9k_hw_def_get_spur_channel(struct ath_hw *ah, u16 i, bool is2GHz)
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index c41ab8c..69b6aca 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -239,7 +239,7 @@ int htc_connect_service(struct htc_target *target,
 	/* Find an available endpoint */
 	endpoint = get_next_avail_ep(target->endpoint);
 	if (!endpoint) {
-		dev_err(target->dev, "Endpoint is not available for"
+		dev_err(target->dev, "Endpoint is not available for "
 			"service %d\n", service_connreq->service_id);
 		return -EINVAL;
 	}
@@ -253,7 +253,7 @@ int htc_connect_service(struct htc_target *target,
 	skb = alloc_skb(sizeof(struct htc_conn_svc_msg) +
 			    sizeof(struct htc_frame_hdr), GFP_ATOMIC);
 	if (!skb) {
-		dev_err(target->dev, "Failed to allocate buf to send"
+		dev_err(target->dev, "Failed to allocate buf to send "
 			"service connect req\n");
 		return -ENOMEM;
 	}
@@ -434,7 +434,7 @@ struct htc_target *ath9k_htc_hw_alloc(void *hif_handle,
 
 	target = kzalloc(sizeof(struct htc_target), GFP_KERNEL);
 	if (!target) {
-		printk(KERN_ERR "Unable to allocate memory for"
+		printk(KERN_ERR "Unable to allocate memory for "
 			"target device\n");
 		return NULL;
 	}
-- 
1.7.3.2.245.g03276.dirty

^ permalink raw reply related

* [PATCH 1/2] ath: Fix ath_dbg uses missing newlines and access beyond array bound
From: Joe Perches @ 2010-12-02  5:13 UTC (permalink / raw)
  To: Luis R. Rodriguez, Jouni Malinen, Vasanthakumar Thiagarajan,
	Senthil Balasubramanian
  Cc: John W. Linville, linux-wireless, ath9k-devel, netdev,
	linux-kernel

Add missing newlines to ath_dbg uses
ar9300RateSize is not a power of 4, fix to print array line by line.

Signed-off-by: Joe Perches <joe@perches.com>
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |   29 ++---------------------
 drivers/net/wireless/ath/ath9k/calib.c         |    4 +-
 drivers/net/wireless/ath/ath9k/gpio.c          |    6 ++--
 drivers/net/wireless/ath/ath9k/htc_drv_gpio.c  |    7 ++---
 drivers/net/wireless/ath/ath9k/htc_drv_main.c  |    2 +-
 5 files changed, 12 insertions(+), 36 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index e6ae62b..beb3e87 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3342,7 +3342,7 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
 	goto fail;
 
 found:
-	ath_dbg(common, ATH_DBG_EEPROM, "Found valid EEPROM data");
+	ath_dbg(common, ATH_DBG_EEPROM, "Found valid EEPROM data\n");
 
 	for (it = 0; it < MSTATE; it++) {
 		if (!read(ah, cptr, word, COMP_HDR_LEN))
@@ -4084,22 +4084,9 @@ static void ar9003_hw_set_target_power_eeprom(struct ath_hw *ah, u16 freq,
 	    ar9003_hw_eeprom_get_ht40_tgt_pwr(ah, HT_TARGET_RATE_23, freq,
 					      is2GHz) + ht40PowerIncForPdadc;
 
-	while (i < ar9300RateSize) {
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-
+	for (i = 0; i < ar9300RateSize; i++) {
 		ath_dbg(common, ATH_DBG_EEPROM,
 			"TPC[%02d] 0x%08x\n", i, targetPowerValT2[i]);
-		i++;
 	}
 }
 
@@ -4687,17 +4674,7 @@ static void ath9k_hw_ar9300_set_txpower(struct ath_hw *ah,
 
 	for (i = 0; i < ar9300RateSize; i++) {
 		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x ", i, targetPowerValT2[i]);
-		i++;
-		ath_dbg(common, ATH_DBG_EEPROM,
-			"TPC[%02d] 0x%08x\n\n", i, targetPowerValT2[i]);
-		i++;
+			"TPC[%02d] 0x%08x\n", i, targetPowerValT2[i]);
 	}
 
 	/*
diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
index 0b6c623..b68a1ac 100644
--- a/drivers/net/wireless/ath/ath9k/calib.c
+++ b/drivers/net/wireless/ath/ath9k/calib.c
@@ -324,12 +324,12 @@ static void ath9k_hw_nf_sanitize(struct ath_hw *ah, s16 *nf)
 
 		if (nf[i] > ATH9K_NF_TOO_HIGH) {
 			ath_dbg(common, ATH_DBG_CALIBRATE,
-				"NF[%d] (%d) > MAX (%d), correcting to MAX",
+				"NF[%d] (%d) > MAX (%d), correcting to MAX\n",
 				i, nf[i], ATH9K_NF_TOO_HIGH);
 			nf[i] = limit->max;
 		} else if (nf[i] < limit->min) {
 			ath_dbg(common, ATH_DBG_CALIBRATE,
-				"NF[%d] (%d) < MIN (%d), correcting to NOM",
+				"NF[%d] (%d) < MIN (%d), correcting to NOM\n",
 				i, nf[i], limit->min);
 			nf[i] = limit->nominal;
 		}
diff --git a/drivers/net/wireless/ath/ath9k/gpio.c b/drivers/net/wireless/ath/ath9k/gpio.c
index 60b2fb7..1337640 100644
--- a/drivers/net/wireless/ath/ath9k/gpio.c
+++ b/drivers/net/wireless/ath/ath9k/gpio.c
@@ -237,12 +237,12 @@ static void ath_detect_bt_priority(struct ath_softc *sc)
 		/* Detect if colocated bt started scanning */
 		if (btcoex->bt_priority_cnt >= ATH_BT_CNT_SCAN_THRESHOLD) {
 			ath_dbg(ath9k_hw_common(sc->sc_ah), ATH_DBG_BTCOEX,
-				"BT scan detected");
+				"BT scan detected\n");
 			sc->sc_flags |= (SC_OP_BT_SCAN |
 					 SC_OP_BT_PRIORITY_DETECTED);
 		} else if (btcoex->bt_priority_cnt >= ATH_BT_CNT_THRESHOLD) {
 			ath_dbg(ath9k_hw_common(sc->sc_ah), ATH_DBG_BTCOEX,
-				"BT priority traffic detected");
+				"BT priority traffic detected\n");
 			sc->sc_flags |= SC_OP_BT_PRIORITY_DETECTED;
 		}
 
@@ -379,7 +379,7 @@ void ath9k_btcoex_timer_resume(struct ath_softc *sc)
 	struct ath_hw *ah = sc->sc_ah;
 
 	ath_dbg(ath9k_hw_common(ah), ATH_DBG_BTCOEX,
-		"Starting btcoex timers");
+		"Starting btcoex timers\n");
 
 	/* make sure duty cycle timer is also stopped when resuming */
 	if (btcoex->hw_timer_enabled)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_gpio.c b/drivers/net/wireless/ath/ath9k/htc_drv_gpio.c
index d8685f0..283ff97 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_gpio.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_gpio.c
@@ -21,12 +21,12 @@ static void ath_detect_bt_priority(struct ath9k_htc_priv *priv)
 		/* Detect if colocated bt started scanning */
 		if (btcoex->bt_priority_cnt >= ATH_BT_CNT_SCAN_THRESHOLD) {
 			ath_dbg(ath9k_hw_common(ah), ATH_DBG_BTCOEX,
-				"BT scan detected");
+				"BT scan detected\n");
 			priv->op_flags |= (OP_BT_SCAN |
 					 OP_BT_PRIORITY_DETECTED);
 		} else if (btcoex->bt_priority_cnt >= ATH_BT_CNT_THRESHOLD) {
 			ath_dbg(ath9k_hw_common(ah), ATH_DBG_BTCOEX,
-				"BT priority traffic detected");
+				"BT priority traffic detected\n");
 			priv->op_flags |= OP_BT_PRIORITY_DETECTED;
 		}
 
@@ -114,8 +114,7 @@ void ath_htc_resume_btcoex_work(struct ath9k_htc_priv *priv)
 	struct ath_btcoex *btcoex = &priv->btcoex;
 	struct ath_hw *ah = priv->ah;
 
-	ath_dbg(ath9k_hw_common(ah), ATH_DBG_BTCOEX,
-		"Starting btcoex work");
+	ath_dbg(ath9k_hw_common(ah), ATH_DBG_BTCOEX, "Starting btcoex work\n");
 
 	btcoex->bt_priority_cnt = 0;
 	btcoex->bt_priority_time = jiffies;
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index 1af31b5..87731c2 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -1133,7 +1133,7 @@ static int ath9k_htc_tx(struct ieee80211_hw *hw, struct sk_buff *skb)
 			spin_unlock_bh(&priv->tx_lock);
 		} else {
 			ath_dbg(ath9k_hw_common(priv->ah), ATH_DBG_XMIT,
-				"Tx failed");
+				"Tx failed\n");
 		}
 		goto fail_tx;
 	}
-- 
1.7.3.2.245.g03276.dirty


^ permalink raw reply related

* Re: [PATCH 2/2] ath: Fix logging message typos
From: Peter Stuge @ 2010-12-02  5:30 UTC (permalink / raw)
  To: Joe Perches
  Cc: linux-wireless, Jiri Slaby, netdev, ath5k-devel, Bob Copeland,
	John W. Linville, Jouni Malinen, Senthil Balasubramanian,
	ath9k-devel, Nick Kossifidis, Vasanthakumar Thiagarajan,
	linux-kernel
In-Reply-To: <a345e995a816576a4c2c39aec43716c18011475b.1291266731.git.joe@perches.com>

Joe Perches wrote:
> +++ b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
..
> @@ -734,7 +734,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
>  	if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_CAL,
>  			  0, AH_WAIT_TIMEOUT)) {
>  		ath_dbg(common, ATH_DBG_CALIBRATE,
> -			"offset calibration failed to complete in 1ms; noisy ??\n");
> +			"offset calibration failed to complete in 1ms; noisy enfironment?\n");

enfironment? :)


> +++ b/drivers/net/wireless/ath/ath9k/eeprom_4k.c
..
> @@ -1178,7 +1178,7 @@ static u16 ath9k_hw_4k_get_spur_channel(struct ath_hw *ah, u16 i, bool is2GHz)
>  	u16 spur_val = AR_NO_SPUR;
>  
>  	ath_dbg(common, ATH_DBG_ANI,
> -		"Getting spur idx %d is2Ghz. %d val %x\n",
> +		"Getting spur idx:%d is2Ghz:%d val:%x\n",
>  		i, is2GHz, ah->config.spurchans[i][is2GHz]);

Is this short for "spurious" ?


//Peter

^ permalink raw reply

* Re: [ath9k-devel] [PATCH 2/2] ath: Fix logging message typos
From: Joe Perches @ 2010-12-02  5:34 UTC (permalink / raw)
  To: Peter Stuge
  Cc: Jiri Slaby, Nick Kossifidis, Luis R. Rodriguez, Bob Copeland,
	Jouni Malinen, Vasanthakumar Thiagarajan, Senthil Balasubramanian,
	netdev-u79uwXL29TY76Z2rM5mHXA, ath5k-devel-xDcbHBWguxEUs3QNXV6qNA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA, John W. Linville,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	ath9k-devel-xDcbHBWguxHbcTqmT+pZeQ
In-Reply-To: <20101202053055.19479.qmail-Y+HMSxxDrH8@public.gmane.org>

On Thu, 2010-12-02 at 06:30 +0100, Peter Stuge wrote:
> Joe Perches wrote:
> > +++ b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
> ..
> > @@ -734,7 +734,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
> >  	if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_CAL,
> >  			  0, AH_WAIT_TIMEOUT)) {
> >  		ath_dbg(common, ATH_DBG_CALIBRATE,
> > -			"offset calibration failed to complete in 1ms; noisy ??\n");
> > +			"offset calibration failed to complete in 1ms; noisy enfironment?\n");
> 
> enfironment? :)

Umm, what's a typo fix patch without more typos?
Correct?  How dull...

> >  	ath_dbg(common, ATH_DBG_ANI,
> > -		"Getting spur idx %d is2Ghz. %d val %x\n",
> > +		"Getting spur idx:%d is2Ghz:%d val:%x\n",
> >  		i, is2GHz, ah->config.spurchans[i][is2GHz]);
> 
> Is this short for "spurious" ?

Likely.  Anyone want to change it to a whole word?

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply

* [PATCH 2/2 V2] ath: Fix logging message typos
From: Joe Perches @ 2010-12-02  5:35 UTC (permalink / raw)
  To: Jiri Slaby, Nick Kossifidis, Luis R. Rodriguez, Bob Copeland,
	Jouni Malinen
  Cc: John W. Linville, linux-wireless, ath5k-devel, netdev,
	linux-kernel, ath9k-devel
In-Reply-To: <276469c602c402565b49f99521ea19757429e81e.1291266731.git.joe@perches.com>

Fix immunity misspelling.
Standardize strings from multiple modules.
Add spaces between words of concatenated strings.

Signed-off-by: Joe Perches <joe@perches.com>
---

V2: Fix a newly introduced tyop...

 drivers/net/wireless/ath/ath5k/ani.c          |    2 +-
 drivers/net/wireless/ath/ath9k/ar9002_calib.c |    4 ++--
 drivers/net/wireless/ath/ath9k/eeprom_4k.c    |    4 ++--
 drivers/net/wireless/ath/ath9k/eeprom_9287.c  |    2 +-
 drivers/net/wireless/ath/ath9k/eeprom_def.c   |    2 +-
 drivers/net/wireless/ath/ath9k/htc_hst.c      |    6 +++---
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/wireless/ath/ath5k/ani.c b/drivers/net/wireless/ath/ath5k/ani.c
index 6b75b22..9c41881 100644
--- a/drivers/net/wireless/ath/ath5k/ani.c
+++ b/drivers/net/wireless/ath/ath5k/ani.c
@@ -74,7 +74,7 @@ ath5k_ani_set_noise_immunity_level(struct ath5k_hw *ah, int level)
 	static const s8 fr[] = { -78, -80 };
 #endif
 	if (level < 0 || level >= ARRAY_SIZE(sz)) {
-		ATH5K_ERR(ah->ah_sc, "noise immuniy level %d out of range",
+		ATH5K_ERR(ah->ah_sc, "noise immunity level %d out of range",
 			  level);
 		return;
 	}
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_calib.c b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
index a7705e7..199131e 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_calib.c
+++ b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
@@ -720,7 +720,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
 		if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
 				  AR_PHY_AGC_CONTROL_CAL, 0, AH_WAIT_TIMEOUT)) {
 			ath_dbg(common, ATH_DBG_CALIBRATE,
-				"offset calibration failed to complete in 1ms; noisy ??\n");
+				"offset calibration failed to complete in 1ms; noisy environment?\n");
 			return false;
 		}
 		REG_CLR_BIT(ah, AR_PHY_TURBO, AR_PHY_FC_DYN2040_EN);
@@ -734,7 +734,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
 	if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_CAL,
 			  0, AH_WAIT_TIMEOUT)) {
 		ath_dbg(common, ATH_DBG_CALIBRATE,
-			"offset calibration failed to complete in 1ms; noisy ??\n");
+			"offset calibration failed to complete in 1ms; noisy environment?\n");
 		return false;
 	}
 
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_4k.c b/drivers/net/wireless/ath/ath9k/eeprom_4k.c
index 35b1a8c..939fc7a 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_4k.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_4k.c
@@ -90,7 +90,7 @@ static int ath9k_hw_4k_check_eeprom(struct ath_hw *ah)
 				}
 			} else {
 				ath_err(common,
-					"Invalid EEPROM Magic. endianness mismatch.\n");
+					"Invalid EEPROM Magic. Endianness mismatch.\n");
 				return -EINVAL;
 			}
 		}
@@ -1178,7 +1178,7 @@ static u16 ath9k_hw_4k_get_spur_channel(struct ath_hw *ah, u16 i, bool is2GHz)
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_9287.c b/drivers/net/wireless/ath/ath9k/eeprom_9287.c
index 0be5351..9ec4bc8 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_9287.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_9287.c
@@ -1150,7 +1150,7 @@ static u16 ath9k_hw_ar9287_get_spur_channel(struct ath_hw *ah,
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/eeprom_def.c b/drivers/net/wireless/ath/ath9k/eeprom_def.c
index 91722fb..9aa31aa 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom_def.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom_def.c
@@ -1458,7 +1458,7 @@ static u16 ath9k_hw_def_get_spur_channel(struct ath_hw *ah, u16 i, bool is2GHz)
 	u16 spur_val = AR_NO_SPUR;
 
 	ath_dbg(common, ATH_DBG_ANI,
-		"Getting spur idx %d is2Ghz. %d val %x\n",
+		"Getting spur idx:%d is2Ghz:%d val:%x\n",
 		i, is2GHz, ah->config.spurchans[i][is2GHz]);
 
 	switch (ah->config.spurmode) {
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index c41ab8c..69b6aca 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -239,7 +239,7 @@ int htc_connect_service(struct htc_target *target,
 	/* Find an available endpoint */
 	endpoint = get_next_avail_ep(target->endpoint);
 	if (!endpoint) {
-		dev_err(target->dev, "Endpoint is not available for"
+		dev_err(target->dev, "Endpoint is not available for "
 			"service %d\n", service_connreq->service_id);
 		return -EINVAL;
 	}
@@ -253,7 +253,7 @@ int htc_connect_service(struct htc_target *target,
 	skb = alloc_skb(sizeof(struct htc_conn_svc_msg) +
 			    sizeof(struct htc_frame_hdr), GFP_ATOMIC);
 	if (!skb) {
-		dev_err(target->dev, "Failed to allocate buf to send"
+		dev_err(target->dev, "Failed to allocate buf to send "
 			"service connect req\n");
 		return -ENOMEM;
 	}
@@ -434,7 +434,7 @@ struct htc_target *ath9k_htc_hw_alloc(void *hif_handle,
 
 	target = kzalloc(sizeof(struct htc_target), GFP_KERNEL);
 	if (!target) {
-		printk(KERN_ERR "Unable to allocate memory for"
+		printk(KERN_ERR "Unable to allocate memory for "
 			"target device\n");
 		return NULL;
 	}
-- 
1.7.3.2.245.g03276.dirty

^ permalink raw reply related

* Re: jme: UDP checksum error, and lots of them
From: David Miller @ 2010-12-02  5:59 UTC (permalink / raw)
  To: cooldavid; +Cc: jengelh, netdev
In-Reply-To: <20101202042820.M98672@cooldavid.org>

From: "Guo-Fu Tseng" <cooldavid@cooldavid.org>
Date: Thu, 2 Dec 2010 12:33:01 +0800

> I suspect that there might be some the HW-Checksum behavior error.
> ex: Replaced the UDP checksum field while it's all zero(no need to checksum)

I checked the VPNC code and it receives UDP encapsulated traffic using
a normal UDP socket.  So any bad checksums should show up in the
statistics and in fact the packets should be dropped by the IPv4
stack before making it to the vpnc application.

Something isn't right here.  The only thing that makes sense is if
the tcpdump checksum validation is wrong for some reason.  Because
only then could we give a reason for the UDP frames to not be
dropped before vpnc can see them.


^ permalink raw reply

* Re: [PATCH 2/2] ath: Fix logging message typos
From: Nick Kossifidis @ 2010-12-02  6:01 UTC (permalink / raw)
  To: Joe Perches
  Cc: linux-wireless, Jiri Slaby, netdev, ath5k-devel, Bob Copeland,
	John W. Linville, Jouni Malinen, Senthil Balasubramanian,
	ath9k-devel, Vasanthakumar Thiagarajan, Peter Stuge, linux-kernel
In-Reply-To: <1291268087.1761.3.camel@Joe-Laptop>

2010/12/2 Joe Perches <joe@perches.com>:
> On Thu, 2010-12-02 at 06:30 +0100, Peter Stuge wrote:
>> Joe Perches wrote:
>> > +++ b/drivers/net/wireless/ath/ath9k/ar9002_calib.c
>> ..
>> > @@ -734,7 +734,7 @@ static bool ar9285_hw_cl_cal(struct ath_hw *ah, struct ath9k_channel *chan)
>> >     if (!ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_CAL,
>> >                       0, AH_WAIT_TIMEOUT)) {
>> >             ath_dbg(common, ATH_DBG_CALIBRATE,
>> > -                   "offset calibration failed to complete in 1ms; noisy ??\n");
>> > +                   "offset calibration failed to complete in 1ms; noisy enfironment?\n");
>>
>> enfironment? :)
>
> Umm, what's a typo fix patch without more typos?
> Correct?  How dull...
>
>> >     ath_dbg(common, ATH_DBG_ANI,
>> > -           "Getting spur idx %d is2Ghz. %d val %x\n",
>> > +           "Getting spur idx:%d is2Ghz:%d val:%x\n",
>> >             i, is2GHz, ah->config.spurchans[i][is2GHz]);
>>
>> Is this short for "spurious" ?
>
> Likely.  Anyone want to change it to a whole word?
>
>

Nope it stands for spur noise (harmonics)
http://www.patentgenius.com/patent/7835456.html

(I have to add that link to the comments, it's new ;-))

-- 
GPG ID: 0xD21DB2DB
As you read this post global entropy rises. Have Fun ;-)
Nick
_______________________________________________
ath9k-devel mailing list
ath9k-devel@lists.ath9k.org
https://lists.ath9k.org/mailman/listinfo/ath9k-devel

^ permalink raw reply

* [PATCH] net: arp: use assignment
From: Changli Gao @ 2010-12-02  6:07 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, Changli Gao

Only when dont_send is 0, arp_filter() is consulted, so we can simply
assign the return value of arp_filter() to dont_send instead.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
---
 net/ipv4/arp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 7833f17..10af759 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -883,7 +883,7 @@ static int arp_process(struct sk_buff *skb)
 
 			dont_send = arp_ignore(in_dev, sip, tip);
 			if (!dont_send && IN_DEV_ARPFILTER(in_dev))
-				dont_send |= arp_filter(sip, tip, dev);
+				dont_send = arp_filter(sip, tip, dev);
 			if (!dont_send) {
 				n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
 				if (n) {

^ permalink raw reply related

* Re: Bonding, GRO and tcp_reordering
From: Simon Horman @ 2010-12-02  6:39 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Ben Hutchings, netdev
In-Reply-To: <1291178826.2856.434.camel@edumazet-laptop>

On Wed, Dec 01, 2010 at 05:47:06AM +0100, Eric Dumazet wrote:
> Le mercredi 01 décembre 2010 à 13:34 +0900, Simon Horman a écrit :
> 
> > I was tweaking those values recently for some latency tuning
> > but I didn't think of them in relation to last night's tests.
> > 
> > In terms of my measurements, its just benchmarking at this stage.
> > So a trade-off between throughput and latency is acceptable, so long
> > as I remember to measure what it is.
> > 
> 
> I was thinking again this morning about GRO and bonding, and dont know
> if it actually works...
> 
> Is GRO on on individual eth0/eth1/eth2 you use, or on bonding device
> itself ?

All of the above. I can check different combinations if it helps.


^ permalink raw reply

* Re: [PATCH net-next-2.6] filter: add a security check at install time
From: Eric Dumazet @ 2010-12-02  6:46 UTC (permalink / raw)
  To: Changli Gao; +Cc: David Miller, hagen, wirelesser, netdev, Dan Rosenberg
In-Reply-To: <AANLkTikK=dy6U0QBjkJxZXeqYXVHwZqjmRhnmYBH-22r@mail.gmail.com>

Le jeudi 02 décembre 2010 à 10:30 +0800, Changli Gao a écrit :

> It seems wrong. Think about the following instructions:
> 
> /* m[1] isn't set */
>    jeq jt jf
> jt:
>    st m[1]
>    jmp ja
> jf:
>    jmp ja2 /* m[1] is invalidated by masks */
> ja:
>    ld m[1] /* -EINVAL is returned */
> ja2:
> 
> So you need to search all the possible branches to validate the instructions.

Well, I already did this branch search.

Its only that the instruction following a JMP should not inherit
memvalid from the JMP itself, but the AND of memvalid of all possible
jumps that can arrive to this instruction.

I'll think about it after some coffee, but I feel I might just set
memvalid to ~0 after the JMPS

Thanks

[PATCH v2 net-next-2.6] filter: add a security check at install time

We added some security checks in commit 57fe93b374a6
(filter: make sure filters dont read uninitialized memory) to close a
potential leak of kernel information to user.

This added a potential extra cost at run time, while we can perform a
check of the filter itself, to make sure a malicious user doesnt try to
abuse us.

This patch adds a check_loads() function, whole unique purpose is to
make this check, allocating a temporary array of mask. We scan the
filter and propagate a bitmask information, telling us if a load M(K) is
allowed because a previous store M(K) is guaranteed. (So that
sk_run_filter() can possibly not read unitialized memory)

Note: this can uncover application bug, denying a filter attach,
previously allowed.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Changli Gao <xiaosuo@gmail.com>
---
v2: set memvalid to ~0 on JMP instructions

diff --git a/net/core/filter.c b/net/core/filter.c
index a44d27f..0d636ef 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -166,11 +166,9 @@ unsigned int sk_run_filter(struct sk_buff *skb, const struct sock_filter *fentry
 	u32 A = 0;			/* Accumulator */
 	u32 X = 0;			/* Index Register */
 	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
-	unsigned long memvalid = 0;
 	u32 tmp;
 	int k;
 
-	BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
 	/*
 	 * Process array of filter instructions.
 	 */
@@ -318,12 +316,10 @@ load_b:
 			X = K;
 			continue;
 		case BPF_S_LD_MEM:
-			A = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			A = mem[K];
 			continue;
 		case BPF_S_LDX_MEM:
-			X = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			X = mem[K];
 			continue;
 		case BPF_S_MISC_TAX:
 			X = A;
@@ -336,11 +332,9 @@ load_b:
 		case BPF_S_RET_A:
 			return A;
 		case BPF_S_ST:
-			memvalid |= 1UL << K;
 			mem[K] = A;
 			continue;
 		case BPF_S_STX:
-			memvalid |= 1UL << K;
 			mem[K] = X;
 			continue;
 		default:
@@ -419,6 +413,66 @@ load_b:
 }
 EXPORT_SYMBOL(sk_run_filter);
 
+/*
+ * Security :
+ * A BPF program is able to use 16 cells of memory to store intermediate
+ * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter())
+ * As we dont want to clear mem[] array for each packet going through
+ * sk_run_filter(), we check that filter loaded by user never try to read
+ * a cell if not previously written, and we check all branches to be sure
+ * a malicious user doesnt try to abuse us.
+ */
+static int check_load_and_stores(struct sock_filter *filter, int flen)
+{
+	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+	int pc, ret = 0;
+
+	BUILD_BUG_ON(BPF_MEMWORDS > 16);
+	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+	if (!masks)
+		return -ENOMEM;
+	memset(masks, 0xff, flen * sizeof(*masks));
+
+	for (pc = 0; pc < flen; pc++) {
+		memvalid &= masks[pc];
+
+		switch (filter[pc].code) {
+		case BPF_S_ST:
+		case BPF_S_STX:
+			memvalid |= (1 << filter[pc].k);
+			break;
+		case BPF_S_LD_MEM:
+		case BPF_S_LDX_MEM:
+			if (!(memvalid & (1 << filter[pc].k))) {
+				ret = -EINVAL;
+				goto error;
+			}
+			break;
+		case BPF_S_JMP_JA:
+			/* a jump must set masks on target */
+			masks[pc + 1 + filter[pc].k] &= memvalid;
+			memvalid = ~0;
+			break;
+		case BPF_S_JMP_JEQ_K:
+		case BPF_S_JMP_JEQ_X:
+		case BPF_S_JMP_JGE_K:
+		case BPF_S_JMP_JGE_X:
+		case BPF_S_JMP_JGT_K:
+		case BPF_S_JMP_JGT_X:
+		case BPF_S_JMP_JSET_X:
+		case BPF_S_JMP_JSET_K:
+			/* a jump must set masks on targets */
+			masks[pc + 1 + filter[pc].jt] &= memvalid;
+			masks[pc + 1 + filter[pc].jf] &= memvalid;
+			memvalid = ~0;
+			break;
+		}
+	}
+error:
+	kfree(masks);
+	return ret;
+}
+
 /**
  *	sk_chk_filter - verify socket filter code
  *	@filter: filter to verify
@@ -547,7 +601,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 	switch (filter[flen - 1].code) {
 	case BPF_S_RET_K:
 	case BPF_S_RET_A:
-		return 0;
+		return check_load_and_stores(filter, flen);
 	}
 	return -EINVAL;
 }






^ permalink raw reply related

* Re: [RFC] [PATCH 02/11] crypto: Use scatterwalk_crypto_chain
From: Herbert Xu @ 2010-12-02  6:48 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: David Miller, Andreas Gruenbacher, Alex Badea, netdev,
	linux-crypto
In-Reply-To: <20101122102654.GE1868@secunet.com>

On Mon, Nov 22, 2010 at 11:26:54AM +0100, Steffen Klassert wrote:
> Use scatterwalk_crypto_chain in favor of locally defined chaining functions.
> 
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

I've applied patches 1&2 since they're logically separate from the
rest of the series and make sense on their own.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply

* [net-2.6 PATCH] ixgbe: fix possible NULL pointer deference in shutdown path
From: Jeff Kirsher @ 2010-12-02  6:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, gospo, bphilips, Don Skidmore, Jeff Kirsher

From: Don Skidmore <donald.c.skidmore@intel.com>

After freeing the rings we were not zeroing out the ring count values.
This patch now clears these counts correctly.

Reported-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---

 0 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/drivers/net/ixgbe/ixgbe_main.c b/drivers/net/ixgbe/ixgbe_main.c
index fbad4d8..eee0b29 100644
--- a/drivers/net/ixgbe/ixgbe_main.c
+++ b/drivers/net/ixgbe/ixgbe_main.c
@@ -4771,6 +4771,9 @@ void ixgbe_clear_interrupt_scheme(struct ixgbe_adapter *adapter)
 		adapter->rx_ring[i] = NULL;
 	}
 
+	adapter->num_tx_queues = 0;
+	adapter->num_rx_queues = 0;
+
 	ixgbe_free_q_vectors(adapter);
 	ixgbe_reset_interrupt_capability(adapter);
 }


^ permalink raw reply related

* [net-next-2.6 PATCH] ixgbe: fix for link failure on SFP+ DA cables
From: Jeff Kirsher @ 2010-12-02  6:59 UTC (permalink / raw)
  To: davem; +Cc: netdev, gospo, bphilips, Don Skidmore, Jeff Kirsher

From: Don Skidmore <donald.c.skidmore@intel.com>

This patch helps prevent FW/SW semaphore collision from leading
to link establishment failure.  The collision might mess up the
PHY registers so we reset the PHY.  However there are SFI/KR areas
in the PHY that are not reset with a Reset_AN so we need to change
LMS to reset it.  Also wait until AN state machine is AN_GOOD

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---

 drivers/net/ixgbe/ixgbe_82599.c |   28 +++++++++++++++++++++++++---
 drivers/net/ixgbe/ixgbe_type.h  |    3 +++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ixgbe/ixgbe_82599.c b/drivers/net/ixgbe/ixgbe_82599.c
index e34643e..26b8ceb 100644
--- a/drivers/net/ixgbe/ixgbe_82599.c
+++ b/drivers/net/ixgbe/ixgbe_82599.c
@@ -90,6 +90,8 @@ static void ixgbe_init_mac_link_ops_82599(struct ixgbe_hw *hw)
 static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
 {
 	s32 ret_val = 0;
+	u32 reg_anlp1 = 0;
+	u32 i = 0;
 	u16 list_offset, data_offset, data_value;
 
 	if (hw->phy.sfp_type != ixgbe_sfp_type_unknown) {
@@ -116,14 +118,34 @@ static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
 			IXGBE_WRITE_FLUSH(hw);
 			hw->eeprom.ops.read(hw, ++data_offset, &data_value);
 		}
-		/* Now restart DSP by setting Restart_AN */
-		IXGBE_WRITE_REG(hw, IXGBE_AUTOC,
-		    (IXGBE_READ_REG(hw, IXGBE_AUTOC) | IXGBE_AUTOC_AN_RESTART));
 
 		/* Release the semaphore */
 		ixgbe_release_swfw_sync(hw, IXGBE_GSSR_MAC_CSR_SM);
 		/* Delay obtaining semaphore again to allow FW access */
 		msleep(hw->eeprom.semaphore_delay);
+
+		/* Now restart DSP by setting Restart_AN and clearing LMS */
+		IXGBE_WRITE_REG(hw, IXGBE_AUTOC, ((IXGBE_READ_REG(hw,
+		                IXGBE_AUTOC) & ~IXGBE_AUTOC_LMS_MASK) |
+		                IXGBE_AUTOC_AN_RESTART));
+
+		/* Wait for AN to leave state 0 */
+		for (i = 0; i < 10; i++) {
+			msleep(4);
+			reg_anlp1 = IXGBE_READ_REG(hw, IXGBE_ANLP1);
+			if (reg_anlp1 & IXGBE_ANLP1_AN_STATE_MASK)
+				break;
+		}
+		if (!(reg_anlp1 & IXGBE_ANLP1_AN_STATE_MASK)) {
+			hw_dbg(hw, "sfp module setup not complete\n");
+			ret_val = IXGBE_ERR_SFP_SETUP_NOT_COMPLETE;
+			goto setup_sfp_out;
+		}
+
+		/* Restart DSP by setting Restart_AN and return to SFI mode */
+		IXGBE_WRITE_REG(hw, IXGBE_AUTOC, (IXGBE_READ_REG(hw,
+		                IXGBE_AUTOC) | IXGBE_AUTOC_LMS_10G_SERIAL |
+		                IXGBE_AUTOC_AN_RESTART));
 	}
 
 setup_sfp_out:
diff --git a/drivers/net/ixgbe/ixgbe_type.h b/drivers/net/ixgbe/ixgbe_type.h
index 42c6073..20e1f03 100644
--- a/drivers/net/ixgbe/ixgbe_type.h
+++ b/drivers/net/ixgbe/ixgbe_type.h
@@ -1467,6 +1467,8 @@
 #define IXGBE_ANLP1_PAUSE               0x0C00
 #define IXGBE_ANLP1_SYM_PAUSE           0x0400
 #define IXGBE_ANLP1_ASM_PAUSE           0x0800
+#define IXGBE_ANLP1_AN_STATE_MASK       0x000f0000
+
 
 /* SW Semaphore Register bitmasks */
 #define IXGBE_SWSM_SMBI 0x00000001 /* Driver Semaphore bit */
@@ -2634,6 +2636,7 @@ struct ixgbe_info {
 #define IXGBE_ERR_NO_SPACE                      -25
 #define IXGBE_ERR_OVERTEMP                      -26
 #define IXGBE_ERR_RAR_INDEX                     -27
+#define IXGBE_ERR_SFP_SETUP_NOT_COMPLETE        -30
 #define IXGBE_NOT_IMPLEMENTED                   0x7FFFFFFF
 
 #endif /* _IXGBE_TYPE_H_ */


^ permalink raw reply related

* [net-next-2.6 PATCH] enic: Bug Fix: Pass napi reference to the isr that services receive queue
From: Vasanthy Kolluri @ 2010-12-02  7:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, roprabhu, dwang2

From: Vasanthy Kolluri <vkolluri@cisco.com>

Pass reference to napi instead of enic device to the isr that services receive queue.

Signed-off-by: Vasanthy Kolluri <vkolluri@cisco.com>
Signed-off-by: Roopa Prabhu <roprabhu@cisco.com>
Signed-off-by: David Wang <dwang2@cisco.com>
---
 drivers/net/enic/enic.h      |    2 +-
 drivers/net/enic/enic_main.c |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)


diff --git a/drivers/net/enic/enic.h b/drivers/net/enic/enic.h
index 7067254..a930fb9 100644
--- a/drivers/net/enic/enic.h
+++ b/drivers/net/enic/enic.h
@@ -32,7 +32,7 @@
 
 #define DRV_NAME		"enic"
 #define DRV_DESCRIPTION		"Cisco VIC Ethernet NIC Driver"
-#define DRV_VERSION		"1.4.1.7"
+#define DRV_VERSION		"1.4.1.8"
 #define DRV_COPYRIGHT		"Copyright 2008-2010 Cisco Systems, Inc"
 
 #define ENIC_BARS_MAX		6
diff --git a/drivers/net/enic/enic_main.c b/drivers/net/enic/enic_main.c
index 9f293fa..828a436 100644
--- a/drivers/net/enic/enic_main.c
+++ b/drivers/net/enic/enic_main.c
@@ -1962,7 +1962,8 @@ static void enic_poll_controller(struct net_device *netdev)
 	case VNIC_DEV_INTR_MODE_MSIX:
 		for (i = 0; i < enic->rq_count; i++) {
 			intr = enic_msix_rq_intr(enic, i);
-			enic_isr_msix_rq(enic->msix_entry[intr].vector, enic);
+			enic_isr_msix_rq(enic->msix_entry[intr].vector,
+				&enic->napi[i]);
 		}
 		intr = enic_msix_wq_intr(enic, i);
 		enic_isr_msix_wq(enic->msix_entry[intr].vector, enic);


^ permalink raw reply related

* Re: [RFC] [PATCH 06/11] esp4: Add support for IPsec extended sequence numbers
From: Herbert Xu @ 2010-12-02  7:29 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: David Miller, Andreas Gruenbacher, Alex Badea, netdev,
	linux-crypto
In-Reply-To: <20101122103014.GI1868@secunet.com>

On Mon, Nov 22, 2010 at 11:30:14AM +0100, Steffen Klassert wrote:
>
> @@ -205,11 +228,18 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
>  	skb_to_sgvec(skb, sg,
>  		     esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
>  		     clen + alen);
> -	sg_init_one(asg, esph, sizeof(*esph));
> +
> +	if ((x->props.flags & XFRM_STATE_ESN)) {
> +		sg_init_table(asg, 2);
> +		sg_set_buf(asg, esph, sizeof(*esph));
> +		*seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
> +		sg_set_buf(asg + 1, seqhi, seqhilen);
> +	} else
> +		sg_init_one(asg, esph, sizeof(*esph));

I think this is wrong for AEAD algorithms.  You want the sequence
number in network byte order for them so the high bits need to be
inserted into the middle of the ESP header.

The other problem is that you're currently requiring the authencesn
user to provide two SG entries which is fine for now.  However,
since this might be exported to user-space in future, authenecesn
shouldn't really rely on that, or at least it shouldn't BUG.

So one solution is to do it based on bytes in authencesn.  That is,
your associated input should always be 12 bytes long, and then you
simply construct a new SG list for your actual processing with the
middle 4 bytes taken out.

For IPsec it could just provide an SG list with three entries,
of 4 bytes each.

Of course for simplicity, you could require this to be the case in
authencesn and return -EINVAL (not BUG :) if it's not the case.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply

* Re: [net-next-2.6 PATCH] ixgbe: fix for link failure on SFP+ DA cables
From: Joe Perches @ 2010-12-02  7:41 UTC (permalink / raw)
  To: Jeff Kirsher; +Cc: davem, netdev, gospo, bphilips, Don Skidmore
In-Reply-To: <20101202065921.13413.91380.stgit@localhost.localdomain>

On Wed, 2010-12-01 at 22:59 -0800, Jeff Kirsher wrote:
> This patch helps prevent FW/SW semaphore collision from leading
> to link establishment failure.  The collision might mess up the
> PHY registers so we reset the PHY.  However there are SFI/KR areas
> in the PHY that are not reset with a Reset_AN so we need to change
> LMS to reset it.  Also wait until AN state machine is AN_GOOD
[]
>  drivers/net/ixgbe/ixgbe_82599.c |   28 +++++++++++++++++++++++++---
> diff --git a/drivers/net/ixgbe/ixgbe_82599.c b/drivers/net/ixgbe/ixgbe_82599.c
[]
> @@ -116,14 +118,34 @@ static s32 ixgbe_setup_sfp_modules_82599(struct ixgbe_hw *hw)
>  			IXGBE_WRITE_FLUSH(hw);
>  			hw->eeprom.ops.read(hw, ++data_offset, &data_value);
>  		}
> -		/* Now restart DSP by setting Restart_AN */
> -		IXGBE_WRITE_REG(hw, IXGBE_AUTOC,
> -		    (IXGBE_READ_REG(hw, IXGBE_AUTOC) | IXGBE_AUTOC_AN_RESTART));
>  
>  		/* Release the semaphore */
>  		ixgbe_release_swfw_sync(hw, IXGBE_GSSR_MAC_CSR_SM);
>  		/* Delay obtaining semaphore again to allow FW access */
>  		msleep(hw->eeprom.semaphore_delay);

might these msleeps be usleep_range?

[]

> +		/* Wait for AN to leave state 0 */
> +		for (i = 0; i < 10; i++) {
> +			msleep(4);

Perhaps usleep_range?

Maybe all the msleep uses < 20ms in the intel drivers?

$ grep -nPr --include=*.[ch] "msleep\s*\(\s*1?\d\s*\)" drivers/net/ig* drivers/net/ixg* drivers/net/e100* | wc -l
123

Maybe something like doubling the sleep value
for the upper bound range?

Here's a little script that does that.

$ grep -nPrl --include=*.[ch] "msleep\s*\(\s*1?\d\s*\)" \
	drivers/net/ig* drivers/net/ixg* drivers/net/e100* | \
xargs perl -p -i -e 's/msleep\s*\(\s*(1?\d)\s*\)/"usleep_range\(${1}000, " . scalar($1) * 2 . "000\)"/ge'



^ permalink raw reply

* Re: IPV6 loopback bound socket succeeds connecting to remote host
From: Albert Pretorius @ 2010-12-02  7:45 UTC (permalink / raw)
  To: Shan Wei
  Cc: netdev, yoshfuji@linux-ipv6.org >> YOSHIFUJI Hideaki,
	David Miller, pekkas, jmorris
In-Reply-To: <4CF604DB.8000302@cn.fujitsu.com>

Hi

--- On Wed, 1/12/10, Shan Wei <shanwei@cn.fujitsu.com> wrote:
> I think it make nonsense to translate data between loopback
> device and other e.g. eth0 device in same machine.

I agree, RFC4291 makes it clear for IPV6 that no interface should accept traffic from loopback, I should not have tried to make it behave like IPV4.
I can not find an equivalent statement for IPV4 though, all I could find is this from RFC3330:

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address.  A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].

Do you perhaps know?
thank you,
Albert Pretorius


      

^ permalink raw reply

* Re: [PATCH net-next-2.6] filter: add a security check at install time
From: Changli Gao @ 2010-12-02  8:11 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: David Miller, hagen, wirelesser, netdev, Dan Rosenberg
In-Reply-To: <1291272384.2856.1074.camel@edumazet-laptop>

On Thu, Dec 2, 2010 at 2:46 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
> [PATCH v2 net-next-2.6] filter: add a security check at install time
>
> We added some security checks in commit 57fe93b374a6
> (filter: make sure filters dont read uninitialized memory) to close a
> potential leak of kernel information to user.
>
> This added a potential extra cost at run time, while we can perform a
> check of the filter itself, to make sure a malicious user doesnt try to
> abuse us.
>
> This patch adds a check_loads() function, whole unique purpose is to
> make this check, allocating a temporary array of mask. We scan the
> filter and propagate a bitmask information, telling us if a load M(K) is
> allowed because a previous store M(K) is guaranteed. (So that
> sk_run_filter() can possibly not read unitialized memory)
>
> Note: this can uncover application bug, denying a filter attach,
> previously allowed.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: Changli Gao <xiaosuo@gmail.com>

It seems correct to me now.

Acked-by: Changli Gao <xiaosuo@gmail.com>

-- 
Regards,
Changli Gao(xiaosuo@gmail.com)

^ permalink raw reply

* Re: bridge netpoll support: mismatch between net core and bridge headers
From: Mike Frysinger @ 2010-12-02  8:29 UTC (permalink / raw)
  To: David Miller; +Cc: herbert, netdev
In-Reply-To: <20101201.163319.193705748.davem@davemloft.net>

On Wed, Dec 1, 2010 at 19:33, David Miller wrote:
> Attached.  Also please provide one of the failing ".config" files,
> and please test if simply going "make oldconfig" unbreaks things.
> It may be that randconfig allows configurations that the config
> system normally does not allow.

hrm, so your patch does fix things.  the downside is that it might be
caused by kgdboe (which isnt in mainline yet).  that's the only
randconfig i can find so far to cause the issue.
-mike

^ permalink raw reply

* Re: IPV6 loopback bound socket succeeds connecting to remote host
From: Shan Wei @ 2010-12-02  8:41 UTC (permalink / raw)
  To: Albert Pretorius
  Cc: netdev, yoshfuji@linux-ipv6.org >> YOSHIFUJI Hideaki,
	David Miller, pekkas, jmorris
In-Reply-To: <616589.97517.qm@web29017.mail.ird.yahoo.com>

Albert Pretorius wrote, at 12/02/2010 03:45 PM:
> Hi
> 
> --- On Wed, 1/12/10, Shan Wei <shanwei@cn.fujitsu.com> wrote:
>> I think it make nonsense to translate data between loopback
>> device and other e.g. eth0 device in same machine.
> 
> I agree, RFC4291 makes it clear for IPV6 that no interface should accept traffic from loopback, I should not have tried to make it behave like IPV4.
> I can not find an equivalent statement for IPV4 though, all I could find is this from RFC3330:
> 
>    127.0.0.0/8 - This block is assigned for use as the Internet host
>    loopback address.  A datagram sent by a higher level protocol to an
>    address anywhere within this block should loop back inside the host.
>    This is ordinarily implemented using only 127.0.0.1/32 for loopback,
>    but no addresses within this block should ever appear on any network
>    anywhere [RFC1700, page 5].
> 
> Do you perhaps know?

There are no same statement for IPv4 loopback address. I have checked RFC1122, RFC1700 and RFC5753 .		

-- 
Best Regards
-----
Shan Wei


> thank you,
> Albert Pretorius
> 
> 
>       
> 



^ permalink raw reply

* Re: [PATCH net-next-2.6] filter: add a security check at install time
From: Eric Dumazet @ 2010-12-02  8:53 UTC (permalink / raw)
  To: Changli Gao; +Cc: David Miller, hagen, wirelesser, netdev, Dan Rosenberg
In-Reply-To: <AANLkTim8+9AA61HwcCQp3p7cSjzaTqerdd4Wtm-28kAt@mail.gmail.com>

Le jeudi 02 décembre 2010 à 16:11 +0800, Changli Gao a écrit :

> It seems correct to me now.
> 
> Acked-by: Changli Gao <xiaosuo@gmail.com>
> 

Thanks for reviewing Changli.

Now I am thinking about not denying the filter installation, but change
the problematic LOAD M(1)  and LOADX M(1)  by LOADI #0 (BPF_S_LD_IMM
K=0) and LOADIX #0 (BPF_S_LDX_IMM K=0)

(ie pretend the value of memory is 0, not a random value taken from
stack)


[PATCH v3 net-next-2.6] filter: add a security check at install time

We added some security checks in commit 57fe93b374a6
(filter: make sure filters dont read uninitialized memory) to close a
potential leak of kernel information to user.

This added a potential extra cost at run time, while we can perform a
check of the filter itself, to make sure a malicious user doesnt try to
abuse us.

This patch adds a check_loads() function, whole unique purpose is to
make this check, allocating a temporary array of mask. We scan the
filter and propagate a bitmask information, telling us if a load M(K) is
allowed because a previous store M(K) is guaranteed. 

If we detect a problematic load M(K), we replace it by a load of
immediate value 0

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Changli Gao <xiaosuo@gmail.com>
---
v3: replace problematic loads M(K) by load of immediate 0 value,
    dont report an error to user.
v2: set memvalid to ~0 on JMP instructions

 net/core/filter.c |   78 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 69 insertions(+), 9 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index a44d27f..4456a6c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -166,11 +166,9 @@ unsigned int sk_run_filter(struct sk_buff *skb, const struct sock_filter *fentry
 	u32 A = 0;			/* Accumulator */
 	u32 X = 0;			/* Index Register */
 	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
-	unsigned long memvalid = 0;
 	u32 tmp;
 	int k;
 
-	BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
 	/*
 	 * Process array of filter instructions.
 	 */
@@ -318,12 +316,10 @@ load_b:
 			X = K;
 			continue;
 		case BPF_S_LD_MEM:
-			A = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			A = mem[K];
 			continue;
 		case BPF_S_LDX_MEM:
-			X = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			X = mem[K];
 			continue;
 		case BPF_S_MISC_TAX:
 			X = A;
@@ -336,11 +332,9 @@ load_b:
 		case BPF_S_RET_A:
 			return A;
 		case BPF_S_ST:
-			memvalid |= 1UL << K;
 			mem[K] = A;
 			continue;
 		case BPF_S_STX:
-			memvalid |= 1UL << K;
 			mem[K] = X;
 			continue;
 		default:
@@ -419,6 +413,72 @@ load_b:
 }
 EXPORT_SYMBOL(sk_run_filter);
 
+/*
+ * Security :
+ * A BPF program is able to use 16 cells of memory to store intermediate
+ * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter())
+ * As we dont want to clear mem[] array for each packet going through
+ * sk_run_filter(), we check that filter loaded by user never try to read
+ * a cell if not previously written, and we check all branches to be sure
+ * a malicious user doesnt try to abuse us.
+ * If such malicious (or buggy) read is detected, its replaced by a
+ * load of immediate zero value.
+ */
+static int check_load_and_stores(struct sock_filter *filter, int flen)
+{
+	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+	int pc;
+
+	BUILD_BUG_ON(BPF_MEMWORDS > 16);
+	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+	if (!masks)
+		return -ENOMEM;
+	memset(masks, 0xff, flen * sizeof(*masks));
+
+	for (pc = 0; pc < flen; pc++) {
+		memvalid &= masks[pc];
+
+		switch (filter[pc].code) {
+		case BPF_S_ST:
+		case BPF_S_STX:
+			memvalid |= (1 << filter[pc].k);
+			break;
+		case BPF_S_LD_MEM:
+			if (!(memvalid & (1 << filter[pc].k))) {
+				filter[pc].code = BPF_S_LD_IMM;
+				filter[pc].k = 0;
+			}
+			break;
+		case BPF_S_LDX_MEM:
+			if (!(memvalid & (1 << filter[pc].k))) {
+				filter[pc].code = BPF_S_LDX_IMM;
+				filter[pc].k = 0;
+			}
+			break;
+		case BPF_S_JMP_JA:
+			/* a jump must set masks on target */
+			masks[pc + 1 + filter[pc].k] &= memvalid;
+			memvalid = ~0;
+			break;
+		case BPF_S_JMP_JEQ_K:
+		case BPF_S_JMP_JEQ_X:
+		case BPF_S_JMP_JGE_K:
+		case BPF_S_JMP_JGE_X:
+		case BPF_S_JMP_JGT_K:
+		case BPF_S_JMP_JGT_X:
+		case BPF_S_JMP_JSET_X:
+		case BPF_S_JMP_JSET_K:
+			/* a jump must set masks on targets */
+			masks[pc + 1 + filter[pc].jt] &= memvalid;
+			masks[pc + 1 + filter[pc].jf] &= memvalid;
+			memvalid = ~0;
+			break;
+		}
+	}
+	kfree(masks);
+	return 0;
+}
+
 /**
  *	sk_chk_filter - verify socket filter code
  *	@filter: filter to verify
@@ -547,7 +607,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 	switch (filter[flen - 1].code) {
 	case BPF_S_RET_K:
 	case BPF_S_RET_A:
-		return 0;
+		return check_load_and_stores(filter, flen);
 	}
 	return -EINVAL;
 }



^ permalink raw reply related

* Re: [PATCH net-next-2.6] filter: add a security check at install time
From: Eric Dumazet @ 2010-12-02  9:00 UTC (permalink / raw)
  To: Changli Gao; +Cc: David Miller, hagen, wirelesser, netdev, Dan Rosenberg
In-Reply-To: <1291280000.2871.16.camel@edumazet-laptop>

Le jeudi 02 décembre 2010 à 09:53 +0100, Eric Dumazet a écrit :
> Le jeudi 02 décembre 2010 à 16:11 +0800, Changli Gao a écrit :
> 
> > It seems correct to me now.
> > 
> > Acked-by: Changli Gao <xiaosuo@gmail.com>
> > 
> 
> Thanks for reviewing Changli.
> 
> Now I am thinking about not denying the filter installation, but change
> the problematic LOAD M(1)  and LOADX M(1)  by LOADI #0 (BPF_S_LD_IMM
> K=0) and LOADIX #0 (BPF_S_LDX_IMM K=0)
> 
> (ie pretend the value of memory is 0, not a random value taken from
> stack)
> 
> 
> [PATCH v3 net-next-2.6] filter: add a security check at install time

Doh, I sent a version with old (V1) check_load_and_stores() name, here
is a V4 with shorter name check_loads() as mentioned in changelog.

Sorry for the mess.

[PATCH v4 net-next-2.6] filter: add a security check at install time

We added some security checks in commit 57fe93b374a6
(filter: make sure filters dont read uninitialized memory) to close a
potential leak of kernel information to user.

This added a potential extra cost at run time, while we can perform a
check of the filter itself, to make sure a malicious user doesnt try to
abuse us.

This patch adds a check_loads() function, whole unique purpose is to
make this check, allocating a temporary array of mask. We scan the
filter and propagate a bitmask information, telling us if a load M(K) is
allowed because a previous store M(K) is guaranteed. 

If we detect a problematic load M(K), we replace it by a load of
immediate value 0

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Changli Gao <xiaosuo@gmail.com>
---
v4: really use check_loads(), not check_load_and_stores()
v3: replace problematic loads M(K) by load of immediate 0 value,
    dont report an error to user.
v2: set memvalid to ~0 on JMP instructions

 net/core/filter.c |   78 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 69 insertions(+), 9 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index a44d27f..2bd7dbc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -166,11 +166,9 @@ unsigned int sk_run_filter(struct sk_buff *skb, const struct sock_filter *fentry
 	u32 A = 0;			/* Accumulator */
 	u32 X = 0;			/* Index Register */
 	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
-	unsigned long memvalid = 0;
 	u32 tmp;
 	int k;
 
-	BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
 	/*
 	 * Process array of filter instructions.
 	 */
@@ -318,12 +316,10 @@ load_b:
 			X = K;
 			continue;
 		case BPF_S_LD_MEM:
-			A = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			A = mem[K];
 			continue;
 		case BPF_S_LDX_MEM:
-			X = (memvalid & (1UL << K)) ?
-				mem[K] : 0;
+			X = mem[K];
 			continue;
 		case BPF_S_MISC_TAX:
 			X = A;
@@ -336,11 +332,9 @@ load_b:
 		case BPF_S_RET_A:
 			return A;
 		case BPF_S_ST:
-			memvalid |= 1UL << K;
 			mem[K] = A;
 			continue;
 		case BPF_S_STX:
-			memvalid |= 1UL << K;
 			mem[K] = X;
 			continue;
 		default:
@@ -419,6 +413,72 @@ load_b:
 }
 EXPORT_SYMBOL(sk_run_filter);
 
+/*
+ * Security :
+ * A BPF program is able to use 16 cells of memory to store intermediate
+ * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter())
+ * As we dont want to clear mem[] array for each packet going through
+ * sk_run_filter(), we check that filter loaded by user never try to read
+ * a cell if not previously written, and we check all branches to be sure
+ * a malicious user doesnt try to abuse us.
+ * If such malicious (or buggy) read is detected, its replaced by a
+ * load of immediate zero value.
+ */
+static int check_loads(struct sock_filter *filter, int flen)
+{
+	u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
+	int pc;
+
+	BUILD_BUG_ON(BPF_MEMWORDS > 16);
+	masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
+	if (!masks)
+		return -ENOMEM;
+	memset(masks, 0xff, flen * sizeof(*masks));
+
+	for (pc = 0; pc < flen; pc++) {
+		memvalid &= masks[pc];
+
+		switch (filter[pc].code) {
+		case BPF_S_ST:
+		case BPF_S_STX:
+			memvalid |= (1 << filter[pc].k);
+			break;
+		case BPF_S_LD_MEM:
+			if (!(memvalid & (1 << filter[pc].k))) {
+				filter[pc].code = BPF_S_LD_IMM;
+				filter[pc].k = 0;
+			}
+			break;
+		case BPF_S_LDX_MEM:
+			if (!(memvalid & (1 << filter[pc].k))) {
+				filter[pc].code = BPF_S_LDX_IMM;
+				filter[pc].k = 0;
+			}
+			break;
+		case BPF_S_JMP_JA:
+			/* a jump must set masks on target */
+			masks[pc + 1 + filter[pc].k] &= memvalid;
+			memvalid = ~0;
+			break;
+		case BPF_S_JMP_JEQ_K:
+		case BPF_S_JMP_JEQ_X:
+		case BPF_S_JMP_JGE_K:
+		case BPF_S_JMP_JGE_X:
+		case BPF_S_JMP_JGT_K:
+		case BPF_S_JMP_JGT_X:
+		case BPF_S_JMP_JSET_X:
+		case BPF_S_JMP_JSET_K:
+			/* a jump must set masks on targets */
+			masks[pc + 1 + filter[pc].jt] &= memvalid;
+			masks[pc + 1 + filter[pc].jf] &= memvalid;
+			memvalid = ~0;
+			break;
+		}
+	}
+	kfree(masks);
+	return 0;
+}
+
 /**
  *	sk_chk_filter - verify socket filter code
  *	@filter: filter to verify
@@ -547,7 +607,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 	switch (filter[flen - 1].code) {
 	case BPF_S_RET_K:
 	case BPF_S_RET_A:
-		return 0;
+		return check_loads(filter, flen);
 	}
 	return -EINVAL;
 }



^ permalink raw reply related

* Re: [PATCH net-next-2.6] filter: add a security check at install time
From: Changli Gao @ 2010-12-02  9:10 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: David Miller, hagen, wirelesser, netdev, Dan Rosenberg
In-Reply-To: <1291280402.2871.20.camel@edumazet-laptop>

On Thu, Dec 2, 2010 at 5:00 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le jeudi 02 décembre 2010 à 09:53 +0100, Eric Dumazet a écrit :
>> Le jeudi 02 décembre 2010 à 16:11 +0800, Changli Gao a écrit :
>>
>> > It seems correct to me now.
>> >
>> > Acked-by: Changli Gao <xiaosuo@gmail.com>
>> >
>>
>> Thanks for reviewing Changli.
>>
>> Now I am thinking about not denying the filter installation, but change
>> the problematic LOAD M(1)  and LOADX M(1)  by LOADI #0 (BPF_S_LD_IMM
>> K=0) and LOADIX #0 (BPF_S_LDX_IMM K=0)

Oops. We were wrong. The RAM of BPF machine is initialized to 0. So
loading from a cell, in which no value is stored before, is valid. So
we can't prevent the following instructions.

jeq jt jf
jt:
store m[0]
jf:
load m[0]

After applying your patch, the third instruction will be replaced with
load 0. It is wrong for the jt branch. So NACK.


-- 
Regards,
Changli Gao(xiaosuo@gmail.com)

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox