Eric Lee / smarc-fsl-linux-kernel

01 Mar, 2012

11 commits

  • c90fa02e7   tcp: fix tcp_shifted_skb() adjustment of lost_cnt_hint for FACK ... Browse Code »

    [ Upstream commit 0af2a0d0576205dda778d25c6c344fc6508fc81d ]

    This commit ensures that lost_cnt_hint is correctly updated in
    tcp_shifted_skb() for FACK TCP senders. The lost_cnt_hint adjustment
    in tcp_sacktag_one() only applies to non-FACK senders, so FACK senders
    need their own adjustment.

    This applies the spirit of 1e5289e121372a3494402b1b131b41bfe1cf9b7f -
    except now that the sequence range passed into tcp_sacktag_one() is
    correct we need only have a special case adjustment for FACK.

    Signed-off-by: Neal Cardwell
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Neal Cardwell
     
  • 85a90ef60   tcp: fix range tcp_shifted_skb() passes to tcp_sacktag_one() ... Browse Code »

    [ Upstream commit daef52bab1fd26e24e8e9578f8fb33ba1d0cb412 ]

    Fix the newly-SACKed range to be the range of newly-shifted bytes.

    Previously - since 832d11c5cd076abc0aa1eaf7be96c81d1a59ce41 -
    tcp_shifted_skb() incorrectly called tcp_sacktag_one() with the start
    and end sequence numbers of the skb it passes in set to the range just
    beyond the range that is newly-SACKed.

    This commit also removes a special-case adjustment to lost_cnt_hint in
    tcp_shifted_skb() since the pre-existing adjustment of lost_cnt_hint
    in tcp_sacktag_one() now properly handles this things now that the
    correct start sequence number is passed in.

    Signed-off-by: Neal Cardwell
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Neal Cardwell
     
  • aaa9bcd96   tcp: allow tcp_sacktag_one() to tag ranges not aligned with skbs ... Browse Code »

    [ Upstream commit cc9a672ee522d4805495b98680f4a3db5d0a0af9 ]

    This commit allows callers of tcp_sacktag_one() to pass in sequence
    ranges that do not align with skb boundaries, as tcp_shifted_skb()
    needs to do in an upcoming fix in this patch series.

    In fact, now tcp_sacktag_one() does not need to depend on an input skb
    at all, which makes its semantics and dependencies more clear.

    Signed-off-by: Neal Cardwell
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Neal Cardwell
     
  • 156f251f7   gro: more generic L2 header check ... Browse Code »

    [ Upstream commit 5ca3b72c5da47d95b83857b768def6172fbc080a ]

    Shlomo Pongratz reported GRO L2 header check was suited for Ethernet
    only, and failed on IB/ipoib traffic.

    He provided a patch faking a zeroed header to let GRO aggregates frames.

    Roland Dreier, Herbert Xu, and others suggested we change GRO L2 header
    check to be more generic, ie not assuming L2 header is 14 bytes, but
    taking into account hard_header_len.

    __napi_gro_receive() has special handling for the common case (Ethernet)
    to avoid a memcmp() call and use an inline optimized function instead.

    Signed-off-by: Eric Dumazet
    Reported-by: Shlomo Pongratz
    Cc: Roland Dreier
    Cc: Or Gerlitz
    Cc: Herbert Xu
    Tested-by: Sean Hefty
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     
  • 79246cb05   net: Make qdisc_skb_cb upper size bound explicit. ... Browse Code »

    [ Upstream commit 16bda13d90c8d5da243e2cfa1677e62ecce26860 ]

    Just like skb->cb[], so that qdisc_skb_cb can be encapsulated inside
    of other data structures.

    This is intended to be used by IPoIB so that it can remember
    addressing information stored at hard_header_ops->create() time that
    it can fetch when the packet gets to the transmit routine.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David S. Miller
     
  • 763fe579c   ipv4: Fix wrong order of ip_rt_get_source() and update iph->daddr. ... Browse Code »

    [ Upstream commit 5dc7883f2a7c25f8df40d7479687153558cd531b ]

    This patch fix a bug which introduced by commit ac8a4810 (ipv4: Save
    nexthop address of LSRR/SSRR option to IPCB.).In that patch, we saved
    the nexthop of SRR in ip_option->nexthop and update iph->daddr until
    we get to ip_forward_options(), but we need to update it before
    ip_rt_get_source(), otherwise we may get a wrong src.

    Signed-off-by: Li Wei
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Li Wei
     
  • 017d76275   tcp_v4_send_reset: binding oif to iif in no sock case ... Browse Code »

    [ Upstream commit e2446eaab5585555a38ea0df4e01ff313dbb4ac9 ]

    Binding RST packet outgoing interface to incoming interface
    for tcp v4 when there is no socket associate with it.
    when sk is not NULL, using sk->sk_bound_dev_if instead.
    (suggested by Eric Dumazet).

    This has few benefits:
    1. tcp_v6_send_reset already did that.
    2. This helps tcp connect with SO_BINDTODEVICE set. When
    connection is lost, we still able to sending out RST using
    same interface.
    3. we are sending reply, it is most likely to be succeed
    if iif is used

    Signed-off-by: Shawn Lu
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Shawn Lu
     
  • a1845875b   net_sched: Bug in netem reordering ... Browse Code »

    [ Upstream commit eb10192447370f19a215a8c2749332afa1199d46 ]

    Not now, but it looks you are correct. q->qdisc is NULL until another
    additional qdisc is attached (beside tfifo). See 50612537e9ab2969312.
    The following patch should work.

    From: Hagen Paul Pfeifer

    netem: catch NULL pointer by updating the real qdisc statistic

    Reported-by: Vijay Subramanian
    Signed-off-by: Hagen Paul Pfeifer
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Hagen Paul Pfeifer
     
  • 39994fb22   netpoll: netpoll_poll_dev() should access dev->flags ... Browse Code »

    [ Upstream commit 58e05f357a039a94aa36475f8c110256f693a239 ]

    commit 5a698af53f (bond: service netpoll arp queue on master device)
    tested IFF_SLAVE flag against dev->priv_flags instead of dev->flags

    Signed-off-by: Eric Dumazet
    Cc: WANG Cong
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     
  • 1b22d2ddf   net: Don't proxy arp respond if iif == rt->dst.dev if private VLAN is disabled ... Browse Code »

    [ Upstream commit 70620c46ac2b45c24b0f22002fdf5ddd1f7daf81 ]

    Commit 653241 (net: RFC3069, private VLAN proxy arp support) changed
    the behavior of arp proxy to send arp replies back out on the interface
    the request came in even if the private VLAN feature is disabled.

    Previously we checked rt->dst.dev != skb->dev for in scenarios, when
    proxy arp is enabled on for the netdevice and also when individual proxy
    neighbour entries have been added.

    This patch adds the check back for the pneigh_lookup() scenario.

    Signed-off-by: Thomas Graf
    Acked-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Thomas Graf
     
  • c5ffed924   mac80211: Fix a rwlock bad magic bug ... Browse Code »

    commit b57e6b560fc2a2742910ac5ca0eb2c46e45aeac2 upstream.

    read_lock(&tpt_trig->trig.leddev_list_lock) is accessed via the path
    ieee80211_open (->) ieee80211_do_open (->) ieee80211_mod_tpt_led_trig
    (->) ieee80211_start_tpt_led_trig (->) tpt_trig_timer before initializing
    it.
    the intilization of this read/write lock happens via the path
    ieee80211_led_init (->) led_trigger_register, but we are doing
    'ieee80211_led_init' after 'ieeee80211_if_add' where we
    register netdev_ops.
    so we access leddev_list_lock before initializing it and causes the
    following bug in chrome laptops with AR928X cards with the following
    script

    while true
    do
    sudo modprobe -v ath9k
    sleep 3
    sudo modprobe -r ath9k
    sleep 3
    done

    BUG: rwlock bad magic on CPU#1, wpa_supplicant/358, f5b9eccc
    Pid: 358, comm: wpa_supplicant Not tainted 3.0.13 #1
    Call Trace:

    [] rwlock_bug+0x3d/0x47
    [] do_raw_read_lock+0x19/0x29
    [] _raw_read_lock+0xd/0xf
    [] tpt_trig_timer+0xc3/0x145 [mac80211]
    [] ieee80211_mod_tpt_led_trig+0x152/0x174 [mac80211]
    [] ieee80211_do_open+0x11e/0x42e [mac80211]
    [] ? ieee80211_check_concurrent_iface+0x26/0x13c [mac80211]
    [] ieee80211_open+0x48/0x4c [mac80211]
    [] __dev_open+0x82/0xab
    [] __dev_change_flags+0x9c/0x113
    [] dev_change_flags+0x18/0x44
    [] devinet_ioctl+0x243/0x51a
    [] inet_ioctl+0x93/0xac
    [] sock_ioctl+0x1c6/0x1ea
    [] ? might_fault+0x20/0x20
    [] do_vfs_ioctl+0x46e/0x4a2
    [] ? fget_light+0x2f/0x70
    [] ? sys_recvmsg+0x3e/0x48
    [] sys_ioctl+0x46/0x69
    [] sysenter_do_call+0x12/0x2

    Cc: Gary Morain
    Cc: Paul Stewart
    Cc: Abhijit Pradhan
    Cc: Vasanthakumar Thiagarajan
    Cc: Rajkumar Manoharan
    Acked-by: Johannes Berg
    Tested-by: Mohammed Shafi Shajakhan
    Signed-off-by: Mohammed Shafi Shajakhan
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Mohammed Shafi Shajakhan
     

21 Feb, 2012

1 commit

  • 60d08dde8   mac80211: timeout a single frame in the rx reorder buffer ... Browse Code »

    commit 07ae2dfcf4f7143ce191c6436da1c33f179af0d6 upstream.

    The current code checks for stored_mpdu_num > 1, causing
    the reorder_timer to be triggered indefinitely, but the
    frame is never timed-out (until the next packet is received)

    Signed-off-by: Eliad Peller
    Acked-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Eliad Peller
     

04 Feb, 2012

9 commits

  • 377db2f8f   tcp: md5: using remote adress for md5 lookup in rst packet ... Browse Code »

    [ Upstream commit 8a622e71f58ec9f092fc99eacae0e6cf14f6e742 ]

    md5 key is added in socket through remote address.
    remote address should be used in finding md5 key when
    sending out reset packet.

    Signed-off-by: shawnlu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    shawnlu
     
  • bcabae7b1   tcp: fix tcp_trim_head() to adjust segment count with skb MSS ... Browse Code »

    [ Upstream commit 5b35e1e6e9ca651e6b291c96d1106043c9af314a ]

    This commit fixes tcp_trim_head() to recalculate the number of
    segments in the skb with the skb's existing MSS, so trimming the head
    causes the skb segment count to be monotonically non-increasing - it
    should stay the same or go down, but not increase.

    Previously tcp_trim_head() used the current MSS of the connection. But
    if there was a decrease in MSS between original transmission and ACK
    (e.g. due to PMTUD), this could cause tcp_trim_head() to
    counter-intuitively increase the segment count when trimming bytes off
    the head of an skb. This violated assumptions in tcp_tso_acked() that
    tcp_trim_head() only decreases the packet count, so that packets_acked
    in tcp_tso_acked() could underflow, leading tcp_clean_rtx_queue() to
    pass u32 pkts_acked values as large as 0xffffffff to
    ca_ops->pkts_acked().

    As an aside, if tcp_trim_head() had really wanted the skb to reflect
    the current MSS, it should have called tcp_set_skb_tso_segs()
    unconditionally, since a decrease in MSS would mean that a
    single-packet skb should now be sliced into multiple segments.

    Signed-off-by: Neal Cardwell
    Acked-by: Nandita Dukkipati
    Acked-by: Ilpo Järvinen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Neal Cardwell
     
  • e5efde92d   rds: Make rds_sock_lock BH rather than IRQ safe. ... Browse Code »

    [ Upstream commit efc3dbc37412c027e363736b4f4c74ee5e8ecffc ]

    rds_sock_info() triggers locking warnings because we try to perform a
    local_bh_enable() (via sock_i_ino()) while hardware interrupts are
    disabled (via taking rds_sock_lock).

    There is no reason for rds_sock_lock to be a hardware IRQ disabling
    lock, none of these access paths run in hardware interrupt context.

    Therefore making it a BH disabling lock is safe and sufficient to
    fix this bug.

    Reported-by: Kumar Sanghvi
    Reported-by: Josh Boyer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David S. Miller
     
  • 4704f3edf   net: reintroduce missing rcu_assign_pointer() calls ... Browse Code »

    [ Upstream commit cf778b00e96df6d64f8e21b8395d1f8a859ecdc7 ]

    commit a9b3cd7f32 (rcu: convert uses of rcu_assign_pointer(x, NULL) to
    RCU_INIT_POINTER) did a lot of incorrect changes, since it did a
    complete conversion of rcu_assign_pointer(x, y) to RCU_INIT_POINTER(x,
    y).

    We miss needed barriers, even on x86, when y is not NULL.

    Signed-off-by: Eric Dumazet
    CC: Stephen Hemminger
    CC: Paul E. McKenney
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     
  • 7596e3d4d   l2tp: l2tp_ip - fix possible oops on packet receive ... Browse Code »

    [ Upstream commit 68315801dbf3ab2001679fd2074c9dc5dcf87dfa ]

    When a packet is received on an L2TP IP socket (L2TPv3 IP link
    encapsulation), the l2tpip socket's backlog_rcv function calls
    xfrm4_policy_check(). This is not necessary, since it was called
    before the skb was added to the backlog. With CONFIG_NET_NS enabled,
    xfrm4_policy_check() will oops if skb->dev is null, so this trivial
    patch removes the call.

    This bug has always been present, but only when CONFIG_NET_NS is
    enabled does it cause problems. Most users are probably using UDP
    encapsulation for L2TP, hence the problem has only recently
    surfaced.

    EIP: 0060:[] EFLAGS: 00210246 CPU: 0
    EIP is at l2tp_ip_recvmsg+0xd4/0x2a7
    EAX: 00000001 EBX: d77b5180 ECX: 00000000 EDX: 00200246
    ESI: 00000000 EDI: d63cbd30 EBP: d63cbd18 ESP: d63cbcf4
    DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    Call Trace:
    [] sock_common_recvmsg+0x31/0x46
    [] __sock_recvmsg_nosec+0x45/0x4d
    [] __sock_recvmsg+0x31/0x3b
    [] sock_recvmsg+0x96/0xab
    [] ? might_fault+0x47/0x81
    [] ? might_fault+0x47/0x81
    [] ? _copy_from_user+0x31/0x115
    [] ? copy_from_user+0x8/0xa
    [] ? verify_iovec+0x3e/0x78
    [] __sys_recvmsg+0x10a/0x1aa
    [] ? sock_recvmsg+0x0/0xab
    [] ? __lock_acquire+0xbdf/0xbee
    [] ? do_page_fault+0x193/0x375
    [] ? fcheck_files+0x9b/0xca
    [] ? fget_light+0x2a/0x9c
    [] sys_recvmsg+0x2b/0x43
    [] sys_socketcall+0x16d/0x1a5
    [] ? trace_hardirqs_on_thunk+0xc/0x10
    [] sysenter_do_call+0x12/0x38
    Code: c6 05 8c ea a8 c1 01 e8 0c d4 d9 ff 85 f6 74 07 3e ff 86 80 00 00 00 b9 17 b6 2b c1 ba 01 00 00 00 b8 78 ed 48 c1 e8 23 f6 d9 ff 76 0c 68 28 e3 30 c1 68 2d 44 41 c1 e8 89 57 01 00 83 c4 0c

    Signed-off-by: James Chapman
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    James Chapman
     
  • 2703165a0   af_unix: fix EPOLLET regression for stream sockets ... Browse Code »

    [ Upstream commit 6f01fd6e6f6809061b56e78f1e8d143099716d70 ]

    Commit 0884d7aa24 (AF_UNIX: Fix poll blocking problem when reading from
    a stream socket) added a regression for epoll() in Edge Triggered mode
    (EPOLLET)

    Appropriate fix is to use skb_peek()/skb_unlink() instead of
    skb_dequeue(), and only call skb_unlink() when skb is fully consumed.

    This remove the need to requeue a partial skb into sk_receive_queue head
    and the extra sk->sk_data_ready() calls that added the regression.

    This is safe because once skb is given to sk_receive_queue, it is not
    modified by a writer, and readers are serialized by u->readlock mutex.

    This also reduce number of spinlock acquisition for small reads or
    MSG_PEEK users so should improve overall performance.

    Reported-by: Nick Mathewson
    Signed-off-by: Eric Dumazet
    Cc: Alexey Moiseytsev
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     
  • 9e1309545   net caif: Register properly as a pernet subsystem. ... Browse Code »

    [ Upstream commit 8a8ee9aff6c3077dd9c2c7a77478e8ed362b96c6 ]

    caif is a subsystem and as such it needs to register with
    register_pernet_subsys instead of register_pernet_device.

    Among other problems using register_pernet_device was resulting in
    net_generic being called before the caif_net structure was allocated.
    Which has been causing net_generic to fail with either BUG_ON's or by
    return NULL pointers.

    A more ugly problem that could be caused is packets in flight why the
    subsystem is shutting down.

    To remove confusion also remove the cruft cause by inappropriately
    trying to fix this bug.

    With the aid of the previous patch I have tested this patch and
    confirmed that using register_pernet_subsys makes the failure go away as
    it should.

    Signed-off-by: Eric W. Biederman
    Acked-by: Sjur Brændeland
    Tested-by: Sasha Levin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric W. Biederman
     
  • a2c82f7be   netns: fix net_alloc_generic() ... Browse Code »

    [ Upstream commit 073862ba5d249c20bd5c49fc6d904ff0e1f6a672 ]

    When a new net namespace is created, we should attach to it a "struct
    net_generic" with enough slots (even empty), or we can hit the following
    BUG_ON() :

    [ 200.752016] kernel BUG at include/net/netns/generic.h:40!
    ...
    [ 200.752016] [] ? get_cfcnfg+0x3a/0x180
    [ 200.752016] [] ? lockdep_rtnl_is_held+0x10/0x20
    [ 200.752016] [] caif_device_notify+0x2e/0x530
    [ 200.752016] [] notifier_call_chain+0x67/0x110
    [ 200.752016] [] raw_notifier_call_chain+0x11/0x20
    [ 200.752016] [] call_netdevice_notifiers+0x32/0x60
    [ 200.752016] [] register_netdevice+0x196/0x300
    [ 200.752016] [] register_netdev+0x19/0x30
    [ 200.752016] [] loopback_net_init+0x4a/0xa0
    [ 200.752016] [] ops_init+0x42/0x180
    [ 200.752016] [] setup_net+0x6b/0x100
    [ 200.752016] [] copy_net_ns+0x86/0x110
    [ 200.752016] [] create_new_namespaces+0xd9/0x190

    net_alloc_generic() should take into account the maximum index into the
    ptr array, as a subsystem might use net_generic() anytime.

    This also reduces number of reallocations in net_assign_generic()

    Reported-by: Sasha Levin
    Tested-by: Sasha Levin
    Signed-off-by: Eric Dumazet
    Cc: Sjur Brændeland
    Cc: Eric W. Biederman
    Cc: Pavel Emelyanov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Eric Dumazet
     
  • 427038dfb   mac80211: fix work removal on deauth request ... Browse Code »

    commit bc4934bc61d0a11fd62c5187ff83645628f8be8b upstream.

    When deauth is requested while an auth or assoc
    work item is in progress, we currently delete it
    without regard for any state it might need to
    clean up. Fix it by cleaning up for those items.

    In the case Pontus found, the problem manifested
    itself as such:

    authenticate with 00:23:69:aa:dd:7b (try 1)
    authenticated
    failed to insert Dummy STA entry for the AP (error -17)
    deauthenticating from 00:23:69:aa:dd:7b by local choice (reason=2)

    It could also happen differently if the driver
    uses the tx_sync callback.

    We can't just call the ->done() method of the work
    items because that will lock up due to the locking
    in cfg80211. This fix isn't very clean, but that
    seems acceptable since I have patches pending to
    remove this code completely.

    Reported-by: Pontus Fuchs
    Tested-by: Pontus Fuchs
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Johannes Berg
     

26 Jan, 2012

6 commits

  • 5cb46f319   mac80211: revert on-channel work optimisations ... Browse Code »

    commit e76aadc572288a158ae18ae1c10fe395c7bca066 upstream.

    Backport note:
    This patch it's a full revert of commit b23b025f "mac80211: Optimize
    scans on current operating channel.". On upstrem revert e76aadc5 we
    keep some bits from that commit, which are needed for upstream version
    of mac80211.

    The on-channel work optimisations have caused a
    number of issues, and the code is unfortunately
    very complex and almost impossible to follow.
    Instead of attempting to put in more workarounds
    let's just remove those optimisations, we can
    work on them again later, after we change the
    whole auth/assoc design.

    This should fix rate_control_send_low() warnings,
    see RH bug 731365.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: Greg Kroah-Hartman

    Johannes Berg
     
  • dd9631739   svcrpc: avoid memory-corruption on pool shutdown ... Browse Code »

    commit b4f36f88b3ee7cf26bf0be84e6c7fc15f84dcb71 upstream.

    Socket callbacks use svc_xprt_enqueue() to add an xprt to a
    pool->sp_sockets list. In normal operation a server thread will later
    come along and take the xprt off that list. On shutdown, after all the
    threads have exited, we instead manually walk the sv_tempsocks and
    sv_permsocks lists to find all the xprt's and delete them.

    So the sp_sockets lists don't really matter any more. As a result,
    we've mostly just ignored them and hoped they would go away.

    Which has gotten us into trouble; witness for example ebc63e531cc6
    "svcrpc: fix list-corrupting race on nfsd shutdown", the result of Ben
    Greear noticing that a still-running svc_xprt_enqueue() could re-add an
    xprt to an sp_sockets list just before it was deleted. The fix was to
    remove it from the list at the end of svc_delete_xprt(). But that only
    made corruption less likely--I can see nothing that prevents a
    svc_xprt_enqueue() from adding another xprt to the list at the same
    moment that we're removing this xprt from the list. In fact, despite
    the earlier xpo_detach(), I don't even see what guarantees that
    svc_xprt_enqueue() couldn't still be running on this xprt.

    So, instead, note that svc_xprt_enqueue() essentially does:
    lock sp_lock
    if XPT_BUSY unset
    add to sp_sockets
    unlock sp_lock

    So, if we do:

    set XPT_BUSY on every xprt.
    Empty every sp_sockets list, under the sp_socks locks.

    Then we're left knowing that the sp_sockets lists are all empty and will
    stay that way, since any svc_xprt_enqueue() will check XPT_BUSY under
    the sp_lock and see it set.

    And *then* we can continue deleting the xprt's.

    (Thanks to Jeff Layton for being correctly suspicious of this code....)

    Cc: Ben Greear
    Cc: Jeff Layton
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

    J. Bruce Fields
     
  • 0832fe15f   svcrpc: destroy server sockets all at once ... Browse Code »

    commit 2fefb8a09e7ed251ae8996e0c69066e74c5aa560 upstream.

    There's no reason I can see that we need to call sv_shutdown between
    closing the two lists of sockets.

    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

    J. Bruce Fields
     
  • bcf641763   svcrpc: fix double-free on shutdown of nfsd after changing pool mode ... Browse Code »

    commit 61c8504c428edcebf23b97775a129c5b393a302b upstream.

    The pool_to and to_pool fields of the global svc_pool_map are freed on
    shutdown, but are initialized in nfsd startup only in the
    SVC_POOL_PERCPU and SVC_POOL_PERNODE cases.

    They *are* initialized to zero on kernel startup. So as long as you use
    only SVC_POOL_GLOBAL (the default), this will never be a problem.

    You're also OK if you only ever use SVC_POOL_PERCPU or SVC_POOL_PERNODE.

    However, the following sequence events leads to a double-free:

    1. set SVC_POOL_PERCPU or SVC_POOL_PERNODE
    2. start nfsd: both fields are initialized.
    3. shutdown nfsd: both fields are freed.
    4. set SVC_POOL_GLOBAL
    5. start nfsd: the fields are left untouched.
    6. shutdown nfsd: now we try to free them again.

    Step 4 is actually unnecessary, since (for some bizarre reason), nfsd
    automatically resets the pool mode to SVC_POOL_GLOBAL on shutdown.

    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

    J. Bruce Fields
     
  • 62b2e1674   mac80211: fix rx->key NULL pointer dereference in promiscuous mode ... Browse Code »

    commit 1140afa862842ac3e56678693050760edc4ecde9 upstream.

    Since:

    commit 816c04fe7ef01dd9649f5ccfe796474db8708be5
    Author: Christian Lamparter
    Date: Sat Apr 30 15:24:30 2011 +0200

    mac80211: consolidate MIC failure report handling

    is possible to that we dereference rx->key == NULL when driver set
    RX_FLAG_MMIC_STRIPPED and not RX_FLAG_IV_STRIPPED and we are in
    promiscuous mode. This happen with rt73usb and rt61pci at least.

    Before the commit we always check rx->key against NULL, so I assume
    fix should be done in mac80211 (also mic_fail path has similar check).

    References:
    https://bugzilla.redhat.com/show_bug.cgi?id=769766
    http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/2012-January/004395.html

    Reported-by: Stuart D Gathman
    Reported-by: Kai Wohlfahrt
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Stanislaw Gruszka
     
  • 628fc192a   NFSv4: include bitmap in nfsv4 get acl data ... Browse Code »

    commit bf118a342f10dafe44b14451a1392c3254629a1f upstream.

    The NFSv4 bitmap size is unbounded: a server can return an arbitrary
    sized bitmap in an FATTR4_WORD0_ACL request. Replace using the
    nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
    with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
    xdr length to the (cached) acl page data.

    This is a general solution to commit e5012d1f "NFSv4.1: update
    nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
    when getting ACLs.

    Fix a bug in decode_getacl that returned -EINVAL on ACLs > page when getxattr
    was called with a NULL buffer, preventing ACL > PAGE_SIZE from being retrieved.

    Signed-off-by: Andy Adamson
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

    Andy Adamson
     

13 Jan, 2012

1 commit

  • 25c413ad0   igmp: Avoid zero delay when receiving odd mixture of IGMP queries ... Browse Code »

    commit a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27 upstream.

    Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
    behavior on v3 query during v2-compatibility mode') added yet another
    case for query parsing, which can result in max_delay = 0. Substitute
    a value of 1, as in the usual v3 case.

    Reported-by: Simon McVittie
    References: http://bugs.debian.org/654876
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller

    Ben Hutchings
     

05 Jan, 2012

1 commit

04 Jan, 2012

2 commits

31 Dec, 2011

2 commits

  • c12163827   netfilter: ctnetlink: fix timeout calculation ... Browse Code »

    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.

    long timeout = (ct->timeout.expires - jiffies) / HZ;
    if (timeout < 0)
    timeout = 0;

    This patch converts the time values to signed for the division.

    Signed-off-by: Xi Wang
    Signed-off-by: Pablo Neira Ayuso

    Xi Wang
     
  • 52793dbe3   ipvs: try also real server with port 0 in backup server ... Browse Code »

    We should not forget to try for real server with port 0
    in the backup server when processing the sync message. We should
    do it in all cases because the backup server can use different
    forwarding method.

    Signed-off-by: Julian Anastasov
    Signed-off-by: Simon Horman
    Signed-off-by: Pablo Neira Ayuso

    Julian Anastasov
     

28 Dec, 2011

1 commit

25 Dec, 2011

4 commits

24 Dec, 2011

2 commits