06 May, 2006

11 commits

  • Calling sock_orphan inside bh_lock_sock in dccp_close can lead to
    deadlocks. For example, the inet_diag code holds sk_callback_lock without
    disabling BH. If an inbound packet arrives during that admittedly tiny
    window, it will cause a deadlock on bh_lock_sock. Another possible
    path would be through sock_wfree if the network device driver frees the
    tx skb in process context with BH enabled.

    We can fix this by moving sock_orphan out of bh_lock_sock.

    The tricky bit is to work out when we need to destroy the socket
    ourselves and when it has already been destroyed by someone else.

    By moving sock_orphan before the release_sock we can solve this
    problem. This is because as long as we own the socket lock its
    state cannot change.

    So we simply record the socket state before the release_sock
    and then check the state again after we regain the socket lock.
    If the socket state has transitioned to DCCP_CLOSED in the time being,
    we know that the socket has been destroyed. Otherwise the socket is
    still ours to keep.

    This problem was discovered by Ingo Molnar using his lock validator.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • It makes sense to add this simple statistic to keep track of received
    multicast packets.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Stephen Hemminger
     
  • Discard an unexpected chunk in CLOSED state rather than calling BUG().

    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller

    Sridhar Samudrala
     
  • Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
    are received as skb's with fragment list.

    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller

    Sridhar Samudrala
     
  • There is a rare situation that causes lksctp to go into infinite recursion
    and crash the system. The trigger is a packet that contains at least the
    first two DATA fragments of a message bundled together. The recursion is
    triggered when the user data buffer is smaller than the full data message.
    The problem is that we clone the skb for every fragment in the message.
    When reassembling the full message, we try to link skbs from the "first
    fragment" clone using the frag_list. However, since the frag_list is shared
    between two clones in this rare situation, we end up setting the frag_list
    pointer of the second fragment to point to itself. This causes
    sctp_skb_pull() to potentially recurse indefinitely.

    Proposed solution is to make a copy of the skb when attempting to link
    things using frag_list.

    Signed-off-by: Vladislav Yasevich
    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller

    Vladislav Yasevich
     
  • This patch fixes a deadlock situation in the receive path by allowing
    temporary spillover of the receive buffer.

    - If the chunk we receive has a tsn that immediately follows the ctsn,
    accept it even if we run out of receive buffer space and renege data with
    higher TSNs.
    - Once we accept one chunk in a packet, accept all the remaining chunks
    even if we run out of receive buffer space.

    Signed-off-by: Neil Horman
    Acked-by: Mark Butler
    Acked-by: Vlad Yasevich
    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller

    Neil Horman
     
  • * master.kernel.org:/home/rmk/linux-2.6-mmc:
    [BLOCK] Fix oops on removal of SD/MMC card

    Linus Torvalds
     
  • Patch from Nicolas Pitre

    ... but only for user space.

    Signed-off-by: Nicolas Pitre
    Signed-off-by: Russell King

    Nicolas Pitre
     
  • Patch from Nicolas Pitre

    Intel PXA27x developers manual section 5.4.1.1 lists a priority
    distribution for the DMA channels differently than what the code
    currently assumes. This patch fixes that.

    Noticed by Simon Vogl

    Signed-off-by: Nicolas Pitre
    Signed-off-by: Russell King

    Nicolas Pitre
     
  • Patch from George G. Davis

    The ARM VFP FPSCR register is corrupted when a condition flags modifying
    VFP instruction is followed by a non-condition flags modifying VFP
    instruction and both instructions raise exceptions. The fix is to
    read the current FPSCR in between emulation of these two instructions
    and use the current FPSCR value when handling the second exception.

    Signed-off-by: George G. Davis
    Signed-off-by: Russell King

    George G. Davis
     
  • The block layer keeps a reference (driverfs_dev) to the struct
    device associated with the block device, and uses it internally
    for generating uevents in block_uevent.

    Block device uevents include umounting the partition, which can
    occur after the backing device has been removed.

    Unfortunately, this reference is not counted. This means that
    if the struct device is removed from the device tree, the block
    layer's reference will become stale.

    Guard against this by holding a reference to the struct device
    in add_disk(), and only drop the reference when we're releasing
    the gendisk kobject - in other words when we can be sure that no
    further uevents will be generated for this block device.

    Signed-off-by: Russell King
    Acked-by: Jens Axboe

    Russell King
     

05 May, 2006

10 commits


04 May, 2006

19 commits

  • Patch from Sascha Hauer

    This patch moves the i.MX uart resources and the gpio pin setup to the
    board files. This allows the boards to decide how many internal uarts
    are connected to the outside world and whether they use rts/cts or
    not.

    Signed-off-by: Sascha Hauer
    Signed-off-by: Russell King

    Sascha Hauer
     
  • mmc_request_done should be called at the end of handling a request, not
    between the data and initial command parts of the request.

    Signed-off-by: Russell King

    Russell King
     
  • nr_segs may not be > UIO_MAXIOV, however it may be equal to. This makes
    the behaviour identical to the real sys_vmsplice(). The other foov
    syscalls also agree that this is the way to go.

    Signed-off-by: Jens Axboe

    Jens Axboe
     
  • This patch fixes hello messages sent when a node is a level 1
    router. Slightly contrary to the spec (maybe) VMS ignores hello
    messages that do not name level2 routers that it also knows about.

    So, here we simply name all the routers that the node knows about
    rather than just other level1 routers. (I hope the patch is clearer than
    the description. Sorry).

    Signed-off-by: Patrick Caulfield
    Signed-off-by: David S. Miller

    Patrick Caulfield
     
  • Calling sock_orphan inside bh_lock_sock in tcp_close can lead to
    deadlocks. For example, the inet_diag code holds sk_callback_lock without
    disabling BH. If an inbound packet arrives during that admittedly tiny
    window, it will cause a deadlock on bh_lock_sock. Another possible
    path would be through sock_wfree if the network device driver frees the
    tx skb in process context with BH enabled.

    We can fix this by moving sock_orphan out of bh_lock_sock.

    The tricky bit is to work out when we need to destroy the socket
    ourselves and when it has already been destroyed by someone else.

    By moving sock_orphan before the release_sock we can solve this
    problem. This is because as long as we own the socket lock its
    state cannot change.

    So we simply record the socket state before the release_sock
    and then check the state again after we regain the socket lock.
    If the socket state has transitioned to TCP_CLOSE in the time being,
    we know that the socket has been destroyed. Otherwise the socket is
    still ours to keep.

    Note that I've also moved the increment on the orphan count forward.
    This may look like a problem as we're increasing it even if the socket
    is just about to be destroyed where it'll be decreased again. However,
    this simply enlarges a window that already exists. This also changes
    the orphan count test by one.

    Considering what the orphan count is meant to do this is no big deal.

    This problem was discovered by Ingo Molnar using his lock validator.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • Convert all ROSE sysctl time values from jiffies to ms as units.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Convert all NET/ROM sysctl time values from jiffies to ms as units.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Convert all AX.25 sysctl time values from jiffies to ms as units.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • The locking rules for rose_remove_neigh() are that the caller needs to
    hold rose_neigh_list_lock, so we had better not take it yet again in
    rose_neigh_list_lock.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Move AX.25 symbol exports to next to their definitions where they're
    supposed to be these days.

    Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Signed-off-by: Ralf Baechle DL5RB
    Signed-off-by: David S. Miller

    Ralf Baechle DL5RB
     
  • Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Signed-off-by: Ralf Baechle
    Signed-off-by: David S. Miller

    Ralf Baechle
     
  • Noticed by Linus Torvalds

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • Signed-off-by: Jing Min Zhao
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Jing Min Zhao
     
  • net/ipv4/netfilter/ip_nat_standalone.c: In function 'ip_nat_out':
    net/ipv4/netfilter/ip_nat_standalone.c:223: warning: unused variable 'ctinfo'
    net/ipv4/netfilter/ip_nat_standalone.c:222: warning: unused variable 'ct'

    Surprisingly no complaints so far ..

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • When a Choice element contains an unsupported choice no error is returned
    and parsing continues normally, but the choice value is not set and
    contains data from the last parsed message. This may in turn lead to
    parsing of more stale data and following crashes.

    Fixes a crash triggered by testcase 0003243 from the PROTOS c07-h2250v4
    testsuite following random other testcases:

    CPU: 0
    EIP: 0060:[] Not tainted VLI
    EFLAGS: 00210646 (2.6.17-rc2 #3)
    EIP is at memmove+0x19/0x22
    eax: d7be0307 ebx: d7be0307 ecx: e841fcf9 edx: d7be0307
    esi: bfffffff edi: bfffffff ebp: da5eb980 esp: c0347e2c
    ds: 007b es: 007b ss: 0068
    Process events/0 (pid: 4, threadinfo=c0347000 task=dff86a90)
    Stack: 00000006 c0347ea6 d7be0301 e09a6b2c 00000006 da5eb980 d7be003e d7be0052
    c0347f6c e09a6d9c 00000006 c0347ea6 00000006 00000000 d7b9a548 00000000
    c0347f6c d7b9a548 00000004 e0a1a119 0000028f 00000006 c0347ea6 00000006
    Call Trace:
    [] mangle_contents+0x40/0xd8 [ip_nat]
    [] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat]
    [] set_addr+0x60/0x14d [ip_nat_h323]
    [] q931_help+0x2da/0x71a [ip_conntrack_h323]
    [] q931_help+0x30c/0x71a [ip_conntrack_h323]
    [] ip_conntrack_help+0x22/0x2f [ip_conntrack]
    [] nf_iterate+0x2e/0x5f
    [] xfrm4_output_finish+0x0/0x39f
    [] nf_hook_slow+0x42/0xb0
    [] xfrm4_output_finish+0x0/0x39f
    [] xfrm4_output+0x3c/0x4e
    [] xfrm4_output_finish+0x0/0x39f
    [] ip_forward+0x1c2/0x1fa
    [] ip_rcv+0x388/0x3b5
    [] netif_receive_skb+0x2bc/0x2ec
    [] process_backlog+0x6b/0xd0
    [] net_rx_action+0x4b/0xb7
    [] __do_softirq+0x35/0x7d
    [] do_softirq+0x38/0x3f

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • When the TPKT len included in the packet is below the lowest valid value
    of 4 an underflow occurs which results in an endless loop.

    Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
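
The TPKT length check described in the last commit message above, as an added userspace illustration in C. It is not the kernel's H.323 helper code; the function name tpkt_walk and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPKT_HDR_LEN 4u  /* version, reserved, 16-bit big-endian length */

/* Walk the TPKT frames in buf (hypothetical helper). Returns the number of
 * frames, or -1 if any frame is malformed. *payload_total receives the
 * summed payload bytes of the frames accepted so far. */
int tpkt_walk(const uint8_t *buf, size_t len, size_t *payload_total)
{
    size_t off = 0;
    int frames = 0;

    *payload_total = 0;
    while (off < len) {
        if (len - off < TPKT_HDR_LEN)
            return -1;                  /* truncated header */
        if (buf[off] != 0x03 || buf[off + 1] != 0x00)
            return -1;                  /* not a TPKT header */

        size_t tpktlen = ((size_t)buf[off + 2] << 8) | buf[off + 3];

        /* The length field counts the 4 header bytes as well. Without this
         * check, tpktlen - TPKT_HDR_LEN wraps around for values 1..3, and a
         * value of 0 never advances off, so the loop would not terminate. */
        if (tpktlen < TPKT_HDR_LEN)
            return -1;
        if (tpktlen > len - off)
            return -1;                  /* frame runs past the buffer */

        *payload_total += tpktlen - TPKT_HDR_LEN;
        off += tpktlen;
        frames++;
    }
    return frames;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good[] = { 3, 0, 0, 6, 0xAA, 0xBB, 3, 0, 0, 4 };
static const uint8_t short_len[] = { 3, 0, 0, 2, 0xAA, 0xBB };

int main(void)
{
    size_t total;
    printf("good: %d frames\n", tpkt_walk(good, sizeof good, &total));
    printf("short_len: %d\n", tpkt_walk(short_len, sizeof short_len, &total));
    return 0;
}
```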