04 Jul, 2012

2 commits

  • Pull networking update from David Miller:

    1) Fix RX sequence number handling in mwifiex, from Stone Piao.

    2) Netfilter ipset mis-compares device names, fix from Florian
    Westphal.

    3) Fix route leak in ipv6 IPVS, from Eric Dumazet.

    4) NFS fixes. Several buffer overflows in NCI layer from Dan
    Rosenberg, and release sock OOPS'er fix from Eric Dumazet.

    5) Fix WEP handling ath9k, we started using a bit the chip provides to
    indicate undecrypted packets but that bit turns out to be unreliable
    in certain configurations. Fix from Felix Fietkau.

    6) Fix Kconfig dependency bug in wlcore, from Randy Dunlap.

    7) New USB IDs for rtlwifi driver from Larry Finger.

    8) Fix crashes in qmi_wwan usbnet driver when disconnecting, from Bjørn
    Mork.

    9) Gianfar driver programs coalescing settings properly in single queue
    mode, but does not do so in multi-queue mode. Fix from Claudiu
    Manoil.

    10) Missing module.h include in davinci_cpdma.c, from Daniel Mack.

    11) Need dummy handler for IPSET_CMD_NONE otherwise we crash in ipset if
    we get this via nfnetlink, fix from Tomasz Bursztyka.

    12) Missing RCU unlock in nfnetlink error path, also from Tomasz.

    13) Fix divide by zero in igbvf when the user tries to set an RX
    coalescing value of 0 usecs, from Mitch A Williams.

    14) We can process SCTP sacks for the wrong transport, oops. Fix from
    Neil Horman.

    15) Remove hw IP payload checksumming from e1000e driver. This has zero
    value in our stack, and turning it on creates a very unintuitive
    restriction for users when using jumbo MTUs.

    Specifically, when IP payload checksums are on you cannot use both
    receive hashing offload and jumbo MTU. Fix from Bruce Allan.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
    e1000e: remove use of IP payload checksum
    sctp: be more restrictive in transport selection on bundled sacks
    igbvf: fix divide by zero
    netfilter: nfnetlink: fix missing rcu_read_unlock in nfnetlink_rcv_msg
    netfilter: ipset: fix crash if IPSET_CMD_NONE command is sent
    davinci_cpdma: include linux/module.h
    gianfar: Fix RXICr/TXICr programming for multi-queue mode
    net: Downgrade CAP_SYS_MODULE deprecated message from error to warning.
    net: qmi_wwan: fix Oops while disconnecting
    mwifiex: fix memory leak associated with IE manamgement
    ath9k: fix panic caused by returning a descriptor we have queued for reuse
    mac80211: correct behaviour on unrecognised action frames
    ath9k: enable serialize_regmode for non-PCIE AR9287
    rtlwifi: rtl8192cu: New USB IDs
    NFC: Return from rawsock_release when sk is NULL
    iwlwifi: fix activating inactive stations
    wlcore: drop INET dependency
    ath9k: fix dynamic WEP related regression
    NFC: Prevent multiple buffer overflows in NCI
    netfilter: update location of my trees
    ...

    Linus Torvalds
     
  • Pull block bits from Jens Axboe:
    "As vacation is coming up, thought I'd better get rid of my pending
    changes in my for-linus branch for this iteration. It contains:

    - Two patches for mtip32xx. Killing a non-compliant sysfs interface
    and moving it to debugfs, where it belongs.

    - A few patches from Asias. Two legit bug fixes, and one killing an
    interface that is no longer in use.

    - A patch from Jan, making the annoying partition ioctl warning a bit
    less annoying, by restricting it to !CAP_SYS_RAWIO only.

    - Three bug fixes for drbd from Lars Ellenberg.

    - A fix for an old regression for umem, it hasn't really worked since
    the plugging scheme was changed in 3.0.

    - A few fixes from Tejun.

    - A splice fix from Eric Dumazet, fixing an issue with pipe
    resizing."

    * 'for-linus' of git://git.kernel.dk/linux-block:
    scsi: Silence unnecessary warnings about ioctl to partition
    block: Drop dead function blk_abort_queue()
    block: Mitigate lock unbalance caused by lock switching
    block: Avoid missed wakeup in request waitqueue
    umem: fix up unplugging
    splice: fix racy pipe->buffers uses
    drbd: fix null pointer dereference with on-congestion policy when diskless
    drbd: fix list corruption by failing but already aborted reads
    drbd: fix access of unallocated pages and kernel panic
    xen/blkfront: Add WARN to deal with misbehaving backends.
    blkcg: drop local variable @q from blkg_destroy()
    mtip32xx: Create debugfs entries for troubleshooting
    mtip32xx: Remove 'registers' and 'flags' from sysfs
    blkcg: fix blkg_alloc() failure path
    block: blkcg_policy_cfq shouldn't be used if !CONFIG_CFQ_GROUP_IOSCHED
    block: fix return value on cfq_init() failure
    mtip32xx: Remove version.h header file inclusion
    xen/blkback: Copy id field when doing BLKIF_DISCARD.

    Linus Torvalds
     

01 Jul, 2012

1 commit

  • It was noticed recently that when we send data on a transport, it's possible that
    we might bundle a sack that arrived on a different transport. While this isn't
    a major problem, it does go against the SHOULD requirement in section 6.4 of RFC
    2960:

    An endpoint SHOULD transmit reply chunks (e.g., SACK, HEARTBEAT ACK,
    etc.) to the same destination transport address from which it
    received the DATA or control chunk to which it is replying. This
    rule should also be followed if the endpoint is bundling DATA chunks
    together with the reply chunk.

    This patch seeks to correct that. It restricts the bundling of sack operations
    to only those transports which have moved the ctsn of the association forward
    since the last sack. By doing this we guarantee that we only bundle outbound
    sacks on a transport that has received a chunk since the last sack. This brings
    us into stricter compliance with the RFC.

    Vlad had initially suggested that we strictly allow only sack bundling on the
    transport that last moved the ctsn forward. While this makes sense, I was
    concerned that doing so prevented us from bundling in the case where we had
    received chunks that moved the ctsn on multiple transports. In those cases, the
    RFC allows us to select any of the transports having received chunks to bundle
    the sack on. So I've modified the approach to allow for that, by adding a state
    variable to each transport that tracks whether it has moved the ctsn since the
    last sack. This I think keeps our behavior (and performance), close enough to
    our current profile that I think we can do this without a sysctl knob to
    enable/disable it.

    Signed-off-by: Neil Horman
    CC: Vlad Yaseivch
    CC: David S. Miller
    CC: linux-sctp@vger.kernel.org
    Reported-by: Michele Baldessari
    Reported-by: sorin serban
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Neil Horman
     

30 Jun, 2012

1 commit

  • Pablo Neira Ayuso says:

    ====================
    The following are 4 fixes and the update of the MAINTAINERS file
    to point to my Netfilter trees.

    They are:

    * One refcount leak fix in IPVS IPv6 support from Eric Dumazet.

    * One fix for interface comparison in ipset hash-netiface sets
    from Florian Westphal.

    * One fix for a missing rcu_read_unlock in nfnetlink from
    Tomasz Bursztyka.

    * One fix for a kernel crash if IPSET_CMD_NONE is set to ipset via
    nfnetlink, again from Tomasz Bursztyka.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

29 Jun, 2012

6 commits

  • Bug added in commit 6b75e3e8d664a9a (netfilter: nfnetlink: add RCU in
    nfnetlink_rcv_msg())

    Signed-off-by: Tomasz Bursztyka
    Acked-by: Eric Dumazet
    Signed-off-by: Pablo Neira Ayuso

    Tomasz Bursztyka
     
  • This patch fixes a crash if that ipset command is sent over nfnetlink.

    Signed-off-by: Tomasz Bursztyka
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

    Tomasz Bursztyka
     
  • John Linville says:

    ====================
    Amitkumar Karwar gives us two mwifiex fixes: one fixes some skb
    manipulations when handling some event messages; and another that
    does some similar fixing on an error path.

    Avinash Patil gives us a fix for a memory leak in mwifiex.

    Dan Rosenberg offers an NFC NCI fix to enforce some message length
    limits to prevent buffer overflows.

    Eliad Peller provides a mac80211 fix to prevent some frames from
    being built with an invalid BSSID.

    Eric Dumazet sends an NFC fix to prevent a BUG caused by a NULL
    pointer dereference.

    Felix Fietkau has an ath9k fix for a regression causing
    LEAP-authenticated connection failures.

    Johannes Berg provides an iwlwifi fix that eliminates some log SPAM
    after an authentication/association timeout. He also provides a
    mac80211 fix to prevent incorrectly addressing certain action frames
    (and in so doing, to comply with the 802.11 specs).

    Larry Finger provides a few USB IDs for the rtl8192cu driver --
    should be harmless.

    Panayiotis Karabassis provides a one-liner to fix kernel bug 42903
    (a system freeze).

    Randy Dunlap provides a one-line Kconfig change to prevent build
    failures with some configurations.

    Stone Piao provides an mwifiex sequence numbering fix and a fix
    to prevent mwifiex from attempting to include eapol frames in an
    aggregation frame.

    Finally, Tom Hughes provides an ath9k fix for a NULL pointer
    dereference.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Make logging level consistent with other deprecation messages in net
    subsystem.

    Signed-off-by: Vinson Lee
    Cc: David Mackey
    Signed-off-by: David S. Miller

    Vinson Lee
     
  • Pull networking update from David Miller:

    1) Pairing and deadlock fixes in bluetooth from Johan Hedberg.

    2) Add device IDs for AR3011 and AR3012 bluetooth chips. From
    Giancarlo Formicuccia and Marek Vasut.

    3) Fix wireless regulatory deadlock, from Eliad Peller.

    4) Fix full TX ring panic in bnx2x driver, from Eric Dumazet.

    5) Revert the two commits that added skb_orphan_try(), it causes
    erratic bonding behavior with UDP clients and the gains it used to
    give are mostly no longer happening due to how BQL works. From Eric
    Dumazet.

    6) It took two tries, but Thomas Graf fixed a problem wherein we
    registered ipv6 routing procfs files before their backend data were
    initialized properly.

    7) Fix max GSO size setting in be2net, from Sarveshwar Bandi.

    8) PHY device id mask is wrong for KSZ9021 and KS8001 chips, fix from
    Jason Wang.

    9) Fix use of stale SKB data pointer after skb_linearize() call in
    batman-adv, from Antonio Quartulli.

    10) Fix memory leak in IXGBE due to missing __GFP_COMP, from Alexander
    Duyck.

    11) Fix probing of Gobi devices in qmi_wwan usbnet driver, from Bjørn
    Mork.

    12) Fix suspend/resume and open failure handling in usbnet from Ming
    Lei.

    13) Attempt to fix device r8169 hangs for certain chips, from Francois
    Romieu.

    14) Fix advancement of RX dirty pointer in some situations in sh_eth
    driver, from Yoshihiro Shimoda.

    15) Attempt to fix restart of IPV6 routing table dumps when there is an
    intervening table update. From Eric Dumazet.

    16) Respect security_inet_conn_request() return value in ipv6 TCP. From
    Neal Cardwell.

    17) Add another iPAD device ID to ipheth driver, from Davide Gerhard.

    18) Fix access to freed SKB in l2tp_eth_dev_xmit(), and fix l2tp lockdep
    splats, from Eric Dumazet.

    19) Make sure all bridge devices, regardless of whether they were
    created via netlink or ioctls, have their rtnetlink ops hooked up.
    From Thomas Graf and Stephen Hemminger.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (81 commits)
    9p: fix min_t() casting in p9pdu_vwritef()
    can: flexcan: use be32_to_cpup to handle the value of dt entry
    xen/netfront: teardown the device before unregistering it.
    bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2)
    vhost: use USER_DS in vhost_worker thread
    ixgbe: Do not pad FCoE frames as this can cause issues with FCoE DDP
    net: l2tp_eth: use LLTX to avoid LOCKDEP splats
    mac802154: add missed braces
    net: l2tp_eth: fix l2tp_eth_dev_xmit race
    net/mlx4_en: Release QP range in free_resources
    net/mlx4: Use single completion vector after NOP failure
    net/mlx4_en: Set correct port parameters during device initialization
    ipheth: add support for iPad
    caif-hsi: Add missing return in error path
    caif-hsi: Bugfix - Piggyback'ed embedded CAIF frame lost
    caif: Clear shutdown mask to zero at reconnect.
    tcp: heed result of security_inet_conn_request() in tcp_v6_conn_request()
    ipv6: fib: fix fib dump restart
    batman-adv: fix race condition in TT full-table replacement
    batman-adv: only drop packets of known wifi clients
    ...

    Linus Torvalds
     
  • …wireless into for-davem

    John W. Linville
     

28 Jun, 2012

2 commits

  • I don't think we're actually likely to hit this limit but if we do
    then the comparison should be done as size_t. The original code
    is equivalent to:
    len = strlen(sptr) % USHRT_MAX;

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

    Dan Carpenter
     
  • When receiving an "individually addressed" action frame, the
    receiver is required to return it to the sender. mac80211
    gets this wrong as it also returns group addressed (mcast)
    frames to the sender. Fix this and update the reference to
    the new 802.11 standards version since things were shuffled
    around significantly.

    Cc: stable@kernel.org
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

27 Jun, 2012

3 commits

  • This ensures that bridges created with brctl(8) or ioctl(2) directly
    also carry IFLA_LINKINFO when dumped over netlink. This also allows
    creating a bridge with ioctl(2) and deleting it with RTM_DELLINK.

    Signed-off-by: Thomas Graf
    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    stephen hemminger
     
  • Denys Fedoryshchenko reported a LOCKDEP issue with l2tp code.

    [ 8683.927442] ======================================================
    [ 8683.927555] [ INFO: possible circular locking dependency detected ]
    [ 8683.927672] 3.4.1-build-0061 #14 Not tainted
    [ 8683.927782] -------------------------------------------------------
    [ 8683.927895] swapper/0/0 is trying to acquire lock:
    [ 8683.928007] (slock-AF_INET){+.-...}, at: []
    l2tp_xmit_skb+0x173/0x47e [l2tp_core]
    [ 8683.928121]
    [ 8683.928121] but task is already holding lock:
    [ 8683.928121] (_xmit_ETHER#2){+.-...}, at: []
    sch_direct_xmit+0x36/0x119
    [ 8683.928121]
    [ 8683.928121] which lock already depends on the new lock.
    [ 8683.928121]
    [ 8683.928121]
    [ 8683.928121] the existing dependency chain (in reverse order) is:
    [ 8683.928121]
    [ 8683.928121] -> #1 (_xmit_ETHER#2){+.-...}:
    [ 8683.928121] [] lock_acquire+0x71/0x85
    [ 8683.928121] [] _raw_spin_lock+0x33/0x40
    [ 8683.928121] [] ip_send_reply+0xf2/0x1ce
    [ 8683.928121] [] tcp_v4_send_reset+0x153/0x16f
    [ 8683.928121] [] tcp_v4_do_rcv+0x172/0x194
    [ 8683.928121] [] tcp_v4_rcv+0x387/0x5a0
    [ 8683.928121] [] ip_local_deliver_finish+0x13a/0x1e9
    [ 8683.928121] [] NF_HOOK.clone.11+0x46/0x4d
    [ 8683.928121] [] ip_local_deliver+0x41/0x45
    [ 8683.928121] [] ip_rcv_finish+0x31a/0x33c
    [ 8683.928121] [] NF_HOOK.clone.11+0x46/0x4d
    [ 8683.928121] [] ip_rcv+0x201/0x23d
    [ 8683.928121] [] __netif_receive_skb+0x329/0x378
    [ 8683.928121] [] netif_receive_skb+0x4e/0x7d
    [ 8683.928121] [] rtl8139_poll+0x243/0x33d [8139too]
    [ 8683.928121] [] net_rx_action+0x90/0x15d
    [ 8683.928121] [] __do_softirq+0x7b/0x118
    [ 8683.928121]
    [ 8683.928121] -> #0 (slock-AF_INET){+.-...}:
    [ 8683.928121] [] __lock_acquire+0x9a3/0xc27
    [ 8683.928121] [] lock_acquire+0x71/0x85
    [ 8683.928121] [] _raw_spin_lock+0x33/0x40
    [ 8683.928121] [] l2tp_xmit_skb+0x173/0x47e
    [l2tp_core]
    [ 8683.928121] [] l2tp_eth_dev_xmit+0x1a/0x2f
    [l2tp_eth]
    [ 8683.928121] [] dev_hard_start_xmit+0x333/0x3f2
    [ 8683.928121] [] sch_direct_xmit+0x55/0x119
    [ 8683.928121] [] dev_queue_xmit+0x282/0x418
    [ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
    [ 8683.928121] [] arp_xmit+0x22/0x24
    [ 8683.928121] [] arp_send+0x41/0x48
    [ 8683.928121] [] arp_process+0x289/0x491
    [ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
    [ 8683.928121] [] arp_rcv+0xb1/0xc3
    [ 8683.928121] [] __netif_receive_skb+0x329/0x378
    [ 8683.928121] [] process_backlog+0x69/0x130
    [ 8683.928121] [] net_rx_action+0x90/0x15d
    [ 8683.928121] [] __do_softirq+0x7b/0x118
    [ 8683.928121]
    [ 8683.928121] other info that might help us debug this:
    [ 8683.928121]
    [ 8683.928121] Possible unsafe locking scenario:
    [ 8683.928121]
    [ 8683.928121] CPU0 CPU1
    [ 8683.928121] ---- ----
    [ 8683.928121] lock(_xmit_ETHER#2);
    [ 8683.928121] lock(slock-AF_INET);
    [ 8683.928121] lock(_xmit_ETHER#2);
    [ 8683.928121] lock(slock-AF_INET);
    [ 8683.928121]
    [ 8683.928121] *** DEADLOCK ***
    [ 8683.928121]
    [ 8683.928121] 3 locks held by swapper/0/0:
    [ 8683.928121] #0: (rcu_read_lock){.+.+..}, at: []
    rcu_lock_acquire+0x0/0x30
    [ 8683.928121] #1: (rcu_read_lock_bh){.+....}, at: []
    rcu_lock_acquire+0x0/0x30
    [ 8683.928121] #2: (_xmit_ETHER#2){+.-...}, at: []
    sch_direct_xmit+0x36/0x119
    [ 8683.928121]
    [ 8683.928121] stack backtrace:
    [ 8683.928121] Pid: 0, comm: swapper/0 Not tainted 3.4.1-build-0061 #14
    [ 8683.928121] Call Trace:
    [ 8683.928121] [] ? printk+0x18/0x1a
    [ 8683.928121] [] print_circular_bug+0x1ac/0x1b6
    [ 8683.928121] [] __lock_acquire+0x9a3/0xc27
    [ 8683.928121] [] lock_acquire+0x71/0x85
    [ 8683.928121] [] ? l2tp_xmit_skb+0x173/0x47e [l2tp_core]
    [ 8683.928121] [] _raw_spin_lock+0x33/0x40
    [ 8683.928121] [] ? l2tp_xmit_skb+0x173/0x47e [l2tp_core]
    [ 8683.928121] [] l2tp_xmit_skb+0x173/0x47e [l2tp_core]
    [ 8683.928121] [] l2tp_eth_dev_xmit+0x1a/0x2f [l2tp_eth]
    [ 8683.928121] [] dev_hard_start_xmit+0x333/0x3f2
    [ 8683.928121] [] sch_direct_xmit+0x55/0x119
    [ 8683.928121] [] dev_queue_xmit+0x282/0x418
    [ 8683.928121] [] ? dev_hard_start_xmit+0x3f2/0x3f2
    [ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
    [ 8683.928121] [] arp_xmit+0x22/0x24
    [ 8683.928121] [] ? dev_hard_start_xmit+0x3f2/0x3f2
    [ 8683.928121] [] arp_send+0x41/0x48
    [ 8683.928121] [] arp_process+0x289/0x491
    [ 8683.928121] [] ? __neigh_lookup.clone.20+0x42/0x42
    [ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
    [ 8683.928121] [] arp_rcv+0xb1/0xc3
    [ 8683.928121] [] ? __neigh_lookup.clone.20+0x42/0x42
    [ 8683.928121] [] __netif_receive_skb+0x329/0x378
    [ 8683.928121] [] process_backlog+0x69/0x130
    [ 8683.928121] [] net_rx_action+0x90/0x15d
    [ 8683.928121] [] __do_softirq+0x7b/0x118
    [ 8683.928121] [] ? local_bh_enable+0xd/0xd
    [ 8683.928121] [] ? irq_exit+0x41/0x91
    [ 8683.928121] [] ? do_IRQ+0x79/0x8d
    [ 8683.928121] [] ? trace_hardirqs_off_caller+0x2e/0x86
    [ 8683.928121] [] ? common_interrupt+0x2e/0x34
    [ 8683.928121] [] ? default_idle+0x23/0x38
    [ 8683.928121] [] ? cpu_idle+0x55/0x6f
    [ 8683.928121] [] ? rest_init+0xa1/0xa7
    [ 8683.928121] [] ? __read_lock_failed+0x14/0x14
    [ 8683.928121] [] ? start_kernel+0x303/0x30a
    [ 8683.928121] [] ? repair_env_string+0x51/0x51
    [ 8683.928121] [] ? i386_start_kernel+0xa8/0xaf

    It appears that like most virtual devices, l2tp should be converted to
    LLTX mode.

    This patch takes care of statistics using atomic_long in both RX and TX
    paths, and fixes a bug in l2tp_eth_dev_recv(), which was caching skb->data
    before a pskb_may_pull() call.

    Signed-off-by: Eric Dumazet
    Reported-by: Denys Fedoryshchenko
    Cc: James Chapman
    Cc: Hong zhi guo
    Cc: Francois Romieu
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • Pull HID fixes from Jiri Kosina:
    "The most important one is a purification of Kconfig for CONFIG_HID;
    the inclusion of HID groups and autoloading didn't leave the Kconfig
    in a really consistent state. Henrik's patch fixes that. In addition
    to that, there are two small fixes for logitech and magicmouse
    drivers."

    * 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
    HID: Fix the generic Kconfig options
    HID: magicmouse: Correct report range of major / minor axes
    HID: logitech: don't use stack based dj_report structures

    Linus Torvalds
     

26 Jun, 2012

6 commits

  • Add missed braces after 'if' operator.

    Signed-off-by: Alexander Smirnov
    Signed-off-by: David S. Miller

    alex.bluesman.smirnov@gmail.com
     
  • Sasha Levin reported the following panic:

    [ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at
    00000000000003b0
    [ 2136.384022] IP: [] __lock_acquire+0xc0/0x4b0
    [ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0
    [ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    [ 2136.388106] CPU 1
    [ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G W
    3.5.0-rc2-sasha-00015-g7b268f7 #374
    [ 2136.388106] RIP: 0010:[] []
    __lock_acquire+0xc0/0x4b0
    [ 2136.388106] RSP: 0018:ffff8800130b3ca8 EFLAGS: 00010046
    [ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX:
    0000000000000000
    [ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
    0000000000000000
    [ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09:
    0000000000000000
    [ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12:
    0000000000000002
    [ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15:
    0000000000000000
    [ 2136.388106] FS: 00007fa5b1bd4700(0000) GS:ffff88001b800000(0000)
    knlGS:0000000000000000
    [ 2136.388106] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4:
    00000000000406e0
    [ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
    0000000000000000
    [ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
    0000000000000400
    [ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo
    ffff8800130b2000, task ffff88001186b000)
    [ 2136.388106] Stack:
    [ 2136.388106] ffff8800130b3cd8 ffffffff81121785 ffffffff81236774
    000080d000000001
    [ 2136.388106] ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08
    ffff88001186b000
    [ 2136.388106] 0000000000000000 0000000000000002 0000000000000000
    0000000000000000
    [ 2136.388106] Call Trace:
    [ 2136.388106] [] ? sched_clock_local+0x25/0x90
    [ 2136.388106] [] ? get_empty_filp+0x74/0x220
    [ 2136.388106] [] lock_acquire+0x18a/0x1e0
    [ 2136.388106] [] ? rawsock_release+0x4f/0xa0
    [ 2136.388106] [] _raw_write_lock_bh+0x40/0x80
    [ 2136.388106] [] ? rawsock_release+0x4f/0xa0
    [ 2136.388106] [] rawsock_release+0x4f/0xa0
    [ 2136.388106] [] sock_release+0x18/0x70
    [ 2136.388106] [] sock_close+0x29/0x30
    [ 2136.388106] [] __fput+0x11a/0x2c0
    [ 2136.388106] [] fput+0x15/0x20
    [ 2136.388106] [] sys_accept4+0x1b4/0x200
    [ 2136.388106] [] ? _raw_spin_unlock_irq+0x4c/0x80
    [ 2136.388106] [] ? _raw_spin_unlock_irq+0x59/0x80
    [ 2136.388106] [] ? sysret_check+0x22/0x5d
    [ 2136.388106] [] sys_accept+0xb/0x10
    [ 2136.388106] [] system_call_fastpath+0x16/0x1b
    [ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7
    8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00
    00 00 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77
    [ 2136.388106] RIP [] __lock_acquire+0xc0/0x4b0
    [ 2136.388106] RSP
    [ 2136.388106] CR2: 00000000000003b0
    [ 2136.388106] ---[ end trace 6d450e935ee18982 ]---
    [ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt

    rawsock_release() should test if sock->sk is NULL before calling
    sock_orphan()/sock_put()

    Reported-by: Sasha Levin
    Tested-by: Sasha Levin
    Cc: stable@kernel.org
    Signed-off-by: Eric Dumazet
    Signed-off-by: Samuel Ortiz

    Eric Dumazet
     
  • It's illegal to dereference skb after giving it to l2tp_xmit_skb()
    as it might be already freed/reused.

    Signed-off-by: Eric Dumazet
    Cc: James Chapman
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • Clear caif socket's shutdown mask at (re)connect.

    Signed-off-by: Sjur Brændeland
    Signed-off-by: David S. Miller

    Sjur Brændeland
     
  • If security_inet_conn_request() returns non-zero then TCP/IPv6 should
    drop the request, just as in TCP/IPv4 and DCCP in both IPv4 and IPv6.

    Signed-off-by: Neal Cardwell
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Neal Cardwell
     
  • Commit 2bec5a369ee79576a3 (ipv6: fib: fix crash when changing large fib
    while dumping it) introduced the ability to restart the dump at tree root,
    but failed to correctly skip a count of already dumped entries. Code
    didn't match Patrick's intent.

    We must skip exactly the number of already dumped entries.

    Note that like other /proc/net files or netlink producers, we could
    still dump some duplicate entries.

    Reported-by: Debabrata Banerjee
    Reported-by: Josh Hunt
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

25 Jun, 2012

4 commits

  • The generic HID driver is obviously not a special driver, so move it
    outside of the special drivers menu. Explain the usage and make the
    default follow the HID setting. This should simplify migration from
    older kernels. While at it, remove the redundant HID_SUPPORT option
    and modify the HID and USB_HID entries to better explain the bus
    structure.

    Reported-by: Jan Beulich
    Signed-off-by: Henrik Rydberg
    Signed-off-by: Jiri Kosina

    Henrik Rydberg
     
  • Fix multiple remotely-exploitable stack-based buffer overflows due to
    the NCI code pulling length fields directly from incoming frames and
    copying too much data into statically-sized arrays.

    Signed-off-by: Dan Rosenberg
    Cc: stable@kernel.org
    Cc: security@kernel.org
    Cc: Lauro Ramos Venancio
    Cc: Aloisio Almeida Jr
    Cc: Samuel Ortiz
    Cc: David S. Miller
    Acked-by: Ilan Elias
    Signed-off-by: Samuel Ortiz

    Dan Rosenberg
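
Added example (not part of the commit above and not the kernel's NCI code): the bug class this commit message describes, shown as an unchecked parser next to a checked one. The frame layout, `DEMO_ID_MAX`, and every `demo_*` name are hypothetical, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical stand-ins, not identifiers from the NCI layer. */
#define DEMO_ID_MAX 10 /* capacity of the statically-sized destination */

struct demo_params {
	uint8_t id_len;
	uint8_t id[DEMO_ID_MAX];
};

enum demo_status {
	DEMO_OK = 0,
	DEMO_ERR_EMPTY = -1,     /* frame has no length byte */
	DEMO_ERR_TOO_LONG = -2,  /* claimed length exceeds the destination array */
	DEMO_ERR_TRUNCATED = -3  /* claimed length exceeds the bytes received */
};

/*
 * The pattern the commit message describes, kept for comparison only and
 * never called here: the length byte is taken straight from the frame, so
 * any value above DEMO_ID_MAX makes memcpy() write past the end of out->id.
 */
int demo_parse_unchecked(const uint8_t *frame, struct demo_params *out)
{
	out->id_len = frame[0];
	memcpy(out->id, frame + 1, out->id_len);
	return DEMO_OK;
}

/*
 * Checked version: the claimed length is validated against the destination
 * capacity (prevents the overflow) and against the bytes actually received
 * (prevents reading past the end of the frame) before anything is copied.
 */
int demo_parse_checked(const uint8_t *frame, size_t frame_len,
		       struct demo_params *out)
{
	size_t claimed;

	if (frame_len < 1)
		return DEMO_ERR_EMPTY;
	claimed = frame[0];
	if (claimed > sizeof(out->id))
		return DEMO_ERR_TOO_LONG;
	if (claimed > frame_len - 1)
		return DEMO_ERR_TRUNCATED;

	out->id_len = (uint8_t)claimed;
	memcpy(out->id, frame + 1, claimed);
	return DEMO_OK;
}

/* Constructed sample frames: [length byte][payload bytes...] */
static const uint8_t DEMO_FRAME_OK[] = { 4, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t DEMO_FRAME_OVERSIZED[] = { 200, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t DEMO_FRAME_TRUNCATED[] = { 8, 0x01, 0x02, 0x03 };

int main(void)
{
	struct demo_params p;

	memset(&p, 0, sizeof(p));
	printf("well-formed: %d\n",
	       demo_parse_checked(DEMO_FRAME_OK, sizeof(DEMO_FRAME_OK), &p));
	printf("oversized:   %d\n",
	       demo_parse_checked(DEMO_FRAME_OVERSIZED,
				  sizeof(DEMO_FRAME_OVERSIZED), &p));
	printf("truncated:   %d\n",
	       demo_parse_checked(DEMO_FRAME_TRUNCATED,
				  sizeof(DEMO_FRAME_TRUNCATED), &p));
	return 0;
}
```

Rejecting the frame is one option; clamping the length to the array size is another, and either way the bound has to be applied before the copy.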
     
  • After call to ip6_route_output() we must release dst or we leak it.

    Also should test dst->error, as ip6_route_output() never returns NULL.

    Use boolean while we are at it.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Pablo Neira Ayuso

    Eric Dumazet
     
  • ifname_compare() assumes that skb->dev is zero-padded,
    e.g. 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does

    strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);

    in e1000_probe(), so once device is registered dev->name memory contains
    'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
    fail.

    Use plain strcmp() instead.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
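
Added example (not part of the commit above and not kernel code): a user-space reproduction of the stale-padding effect this commit message describes. `demo_padded_equal()` is a hypothetical stand-in for a comparison that assumes zero padding, the PCI name is a constructed value, and the later write of the final name is modelled with a plain `memcpy()`.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_IFNAMSIZ 16 /* same width as the kernel's IFNAMSIZ */

/*
 * Rebuild the buffer history from the commit message: a PCI-style name is
 * written first, then the final interface name and its NUL are written over
 * the start. The bytes after the NUL keep their old contents.
 */
void demo_make_stale_name(char name[DEMO_IFNAMSIZ])
{
	memset(name, 0, DEMO_IFNAMSIZ);
	strncpy(name, "0000:00:03.0", DEMO_IFNAMSIZ - 1); /* constructed PCI name */
	memcpy(name, "eth1", 5);                          /* "eth1" plus NUL */
}

/* Hypothetical fixed-width comparison: correct only for zero-padded input. */
int demo_padded_equal(const char *a, const char *b)
{
	return memcmp(a, b, DEMO_IFNAMSIZ) == 0;
}

/* What the commit switches to: stop at the first NUL. */
int demo_string_equal(const char *a, const char *b)
{
	return strcmp(a, b) == 0;
}

int main(void)
{
	char dev[DEMO_IFNAMSIZ];
	char key[DEMO_IFNAMSIZ] = "eth1"; /* zero-padded, as a set entry would be */
	int i;

	demo_make_stale_name(dev);

	printf("device name bytes:");
	for (i = 0; i < DEMO_IFNAMSIZ; i++)
		printf(" %02x", (unsigned char)dev[i]);
	printf("\n");

	printf("fixed-width compare matches: %d\n", demo_padded_equal(dev, key));
	printf("strcmp matches:              %d\n", demo_string_equal(dev, key));
	return 0;
}
```

For a set used in filtering rules, the fixed-width mismatch means an entry for eth1 silently fails to match traffic on eth1.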
     

23 Jun, 2012

4 commits

  • bug introduced with cea194d90b11aff7fc289149e4c7f305fad3535a

    In the current TT code, when a TT_Response containing a full table is received
    from an originator, first the node purges all the clients for that originator in
    the global translation-table and then merges the newly received table.
    During the purging phase each client deletion is done by means of a call_rcu()
    invocation and at the end of this phase the global entry counter for that
    originator is set to 0. However the invoked rcu function decreases the global
    entry counter for that originator by one too and since the rcu invocation is
    likely to be postponed, the node will end up in first setting the counter to 0
    and then decreasing it one by one for each deleted client.

    This bug leads to having a wrong global entry counter for the related node, say
    X. Then when the node with the broken counter answers a TT_REQUEST on
    behalf of node X, it will create a faulty TT_RESPONSE that will generate an
    unrecoverable situation on the node that asked for the full table recovery.

    The non-recoverability is given by the fact that the node with the broken
    counter will keep answering on behalf of X because its knowledge about X's state
    (ttvn + tt_crc) is correct.

    To solve this problem the counter is not explicitly set to 0 anymore and the
    counter decrement is performed right before the invocation of call_rcu().

    Signed-off-by: Antonio Quartulli

    Antonio Quartulli
     
  • bug introduced with 59b699cdee039d75915c354da06937102d1f9a84

    If the source or destination mac address of an ethernet packet
    could not be found in the translation table the packet was
    dropped if AP isolation was turned on. This behavior would
    make it impossible to send broadcast packets over the mesh as
    the broadcast address will never enter the translation table.

    Signed-off-by: Marek Lindner
    Acked-by: Antonio Quartulli

    Marek Lindner
     
  • …wireless into for-davem

    John W. Linville
     
  • John W. Linville
     

22 Jun, 2012

1 commit

  • ieee80211_set_disassoc() clears ifmgd->bssid before
    building DELBA frames, resulting in frames with invalid
    bssid ("00:00:00:00:00:00").

    Fix it by clearing ifmgd->bssid only after building
    all the needed frames.

    After this change, we no longer need to save the
    bssid (before clearing it), so remove the local array.

    Reported-by: Ido Yariv
    Cc: stable@vger.kernel.org
    Signed-off-by: Eliad Peller
    Signed-off-by: Johannes Berg

    Eliad Peller
     

20 Jun, 2012

6 commits

  • We need to flush the msgr workqueue during mon_client shutdown to
    ensure that any work affecting our embedded ceph_connection is
    finished so that we can be safely destroyed.

    Previously, we were flushing the work queue after osd_client
    shutdown and before mon_client shutdown to ensure that any osd
    connection refs to authorizers are flushed. Remove the redundant
    flush, and document in the comment that the mon_client flush is
    needed to cover that case as well.

    Signed-off-by: Sage Weil
    Reviewed-by: Alex Elder
    (cherry picked from commit f3dea7edd3d449fe7a6d402c1ce56a294b985261)

    Sage Weil
     
  • The bug can cause NULL pointer dereference in write_partial_msg_pages

    Signed-off-by: Zheng Yan
    Reviewed-by: Alex Elder
    (cherry picked from commit 43643528cce60ca184fe8197efa8e8da7c89a037)

    Yan, Zheng
     
  • There were a few direct calls to ceph_con_{get,put}() instead of the con
    ops from osd_client.c. This is a bug since those ops aren't defined to
    be ceph_con_get/put.

    This breaks refcounting on the ceph_osd structs that contain the
    ceph_connections, and could lead to all manner of strangeness.

    The purpose of the ->get and ->put methods in a ceph connection is
    to allow the connection to indicate it has a reference to something
    external to the messaging system, *not* to indicate something
    external has a reference to the connection.

    [elder@inktank.com: added that last sentence]

    Signed-off-by: Sage Weil
    Reviewed-by: Alex Elder
    (cherry picked from commit 0d47766f14211a73eaf54cab234db134ece79f49)

    Sage Weil
     
  • In ceph_osdc_release_request(), a reference to the r_reply message
    is dropped. But just after that, that same message is revoked if it
    was in use to receive an incoming reply. Reorder these so we are
    sure we hold a reference until we're actually done with the message.

    Signed-off-by: Alex Elder
    Reviewed-by: Sage Weil
    (cherry picked from commit ab8cb34a4b2f60281a4b18b1f1ad23bc2313d91b)

    Alex Elder
     
  • skb_linearize(skb) possibly rearranges the skb internal data and then changes
    the skb->data pointer value. For this reason any other pointer in the code that
    was assigned skb->data before invoking skb_linearize(skb) must be re-assigned.

    In the current tt_query message handling code this is not done and therefore, in
    case of skb linearization, the pointer used to handle the packet header ends up
    in pointing to free'd memory.

    This bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7
    (batman-adv: improved client announcement mechanism)

    Signed-off-by: Antonio Quartulli
    Cc:
    Signed-off-by: David S. Miller

    Antonio Quartulli
     
  • John W. Linville
     

19 Jun, 2012

4 commits