04 Aug, 2013

2 commits

  • Pull networking fixes from David Miller:

    1) Don't ignore user initiated wireless regulatory settings on cards
    with custom regulatory domains, from Arik Nemtsov.

    2) Fix length check of bluetooth information responses, from Jaganath
    Kanakkassery.

    3) Fix misuse of PTR_ERR in btusb, from Adam Lee.

    4) Handle rfkill properly while iwlwifi devices are offline, from
    Emmanuel Grumbach.

    5) Fix r815x devices DMA'ing to stack buffers, from Hayes Wang.

    6) Kernel info leak in ATM packet scheduler, from Dan Carpenter.

    7) 8139cp doesn't check for DMA mapping errors, from Neil Horman.

    8) Fix bridge multicast code to not snoop when no querier exists,
    otherwise multicast traffic is lost. From Linus Lüssing.

    9) Avoid soft lockups in fib6_run_gc(), from Michal Kubecek.

    10) Fix races in automatic address assignment on ipv6, which can result
    in incorrect lifetime assignments. From Jiri Benc.

    11) Cure build bustage when CONFIG_NET_LL_RX_POLL is not set and rename
    it CONFIG_NET_RX_BUSY_POLL to eliminate the last reference to the
    original naming of this feature. From Cong Wang.

    12) Fix crash in TIPC when server socket creation fails, from Ying Xue.

    13) macvlan_changelink() silently succeeds when it shouldn't, from
    Michael S Tsirkin.

    14) HTB packet scheduler can crash due to sign extension, fix from
    Stephen Hemminger.

    15) With the cable unplugged, r8169 prints out a message every 10
    seconds, make it netif_dbg() instead of netif_warn(). From Peter
    Wu.

    16) Fix memory leak in rtm_to_ifaddr(), from Daniel Borkmann.

    17) sis900 gets spurious TX queue timeouts due to mismanagement of link
    carrier state, from Denis Kirjanov.

    18) Validate somaxconn sysctl to make sure it fits inside of a u16.
    From Roman Gushchin.

    19) Fix MAC address filtering on qlcnic, from Shahed Shaikh.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (68 commits)
    qlcnic: Fix for flash update failure on 83xx adapter
    qlcnic: Fix link speed and duplex display for 83xx adapter
    qlcnic: Fix link speed display for 82xx adapter
    qlcnic: Fix external loopback test.
    qlcnic: Removed adapter series name from warning messages.
    qlcnic: Free up memory in error path.
    qlcnic: Fix ingress MAC learning
    qlcnic: Fix MAC address filter issue on 82xx adapter
    net: ethernet: davinci_emac: drop IRQF_DISABLED
    netlabel: use domain based selectors when address based selectors are not available
    net: check net.core.somaxconn sysctl values
    sis900: Fix the tx queue timeout issue
    net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
    r8169: remove "PHY reset until link up" log spam
    net: ethernet: cpsw: drop IRQF_DISABLED
    htb: fix sign extension bug
    macvlan: handle set_promiscuity failures
    macvlan: better mode validation
    tipc: fix oops when creating server socket fails
    net: rename CONFIG_NET_LL_RX_POLL to CONFIG_NET_RX_BUSY_POLL
    ...

    Linus Torvalds
     
  • Pull nfsd bugfixes from Bruce Fields:
    "Most of this is due to a screwup on my part -- some gss-proxy crashes
    got fixed before the merge window but somehow never made it out of a
    temporary git repo on my laptop...."

    * 'for-3.11' of git://linux-nfs.org/~bfields/linux:
    svcrpc: set cr_gss_mech from gss-proxy as well as legacy upcall
    svcrpc: fix kfree oops in gss-proxy code
    svcrpc: fix gss-proxy xdr decoding oops
    svcrpc: fix gss_rpc_upcall create error
    NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure.

    Linus Torvalds
     

03 Aug, 2013

4 commits

  • NetLabel has the ability to selectively assign network security labels
    to outbound traffic based on either the LSM's "domain" (different for
    each LSM), the network destination, or a combination of both. Depending
    on the type of traffic, local or forwarded, and the type of traffic
    selector, domain or address based, different hooks are used to label the
    traffic; the goal being minimal overhead.

    Unfortunately, there is a bug such that a system using NetLabel domain
    based traffic selectors does not correctly label outbound local traffic
    that is not assigned to a socket. The issue is that in these cases
    the associated NetLabel hook only looks at the address based selectors
    and not the domain based selectors. This patch corrects this by
    checking both the domain and address based selectors so that the correct
    labeling is applied, regardless of the configuration type.

    In order to accomplish this fix, this patch also simplifies some of the
    NetLabel domainhash structures to use a more common outbound traffic
    mapping type: struct netlbl_dommap_def. This simplifies some of the code
    in this patch and paves the way for further simplifications in the
    future.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     
  • It's possible to assign an invalid value to the net.core.somaxconn
    sysctl variable, because there are no checks at all.

    The sk_max_ack_backlog field of the sock structure is defined as
    unsigned short. Therefore, the backlog argument in inet_listen()
    shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall
    is truncated to the somaxconn value. So, the somaxconn value shouldn't
    exceed 65535 (USHRT_MAX).
    Also, negative values of somaxconn are meaningless.

    before:
    $ sysctl -w net.core.somaxconn=256
    net.core.somaxconn = 256
    $ sysctl -w net.core.somaxconn=65536
    net.core.somaxconn = 65536
    $ sysctl -w net.core.somaxconn=-100
    net.core.somaxconn = -100

    after:
    $ sysctl -w net.core.somaxconn=256
    net.core.somaxconn = 256
    $ sysctl -w net.core.somaxconn=65536
    error: "Invalid argument" setting key "net.core.somaxconn"
    $ sysctl -w net.core.somaxconn=-100
    error: "Invalid argument" setting key "net.core.somaxconn"

    Based on a prior patch from Changli Gao.

    Signed-off-by: Roman Gushchin
    Reported-by: Changli Gao
    Suggested-by: Eric Dumazet
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Roman Gushchin
     
  • Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
    resource that was allocated via inet_alloc_ifa() unfreed when returning
    the function with -EINVAL. Thus, free it first via inet_free_ifa().

    Signed-off-by: Daniel Borkmann
    Reviewed-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Daniel Borkmann
     
  • When userspace passes a large priority value
    the assignment of the unsigned value hopt->prio
    to the signed int cl->prio causes cl->prio to become negative, and the
    comparison with TC_HTB_NUMPRIO is always false.

    The result is that HTB crashes by referencing outside
    the array when processing packets. With this patch the large value
    wraps around like other values outside the normal range.

    See: https://bugzilla.kernel.org/show_bug.cgi?id=60669

    Signed-off-by: Stephen Hemminger
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    stephen hemminger
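    The signed/unsigned mismatch described in this message, as an added C illustration that is not the kernel's HTB code: the same user-supplied value passes the range check when it is held in a signed int and is clamped when it is held unsigned. TC_HTB_NUMPRIO carries the kernel's value; the function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Number of HTB priority bands (value from the kernel's uapi pkt_sched.h). */
#define TC_HTB_NUMPRIO 8

/* Buggy pattern: the u32 priority from the netlink attribute is stored in a
 * signed int and the range check runs on the signed value. A value with the
 * top bit set turns negative, the clamp never fires, and the negative value
 * is later used as an array index. */
int htb_prio_signed(uint32_t user_prio)
{
	int prio = (int)user_prio;          /* u32 -> int: 0x80000000.. become negative */

	if (prio >= TC_HTB_NUMPRIO)         /* never true for a negative prio */
		prio = TC_HTB_NUMPRIO - 1;
	return prio;
}

/* Fixed pattern: keep the value unsigned, so every out-of-range input,
 * including those with the top bit set, is clamped to the last band. */
unsigned int htb_prio_unsigned(uint32_t user_prio)
{
	unsigned int prio = user_prio;

	if (prio >= TC_HTB_NUMPRIO)
		prio = TC_HTB_NUMPRIO - 1;
	return prio;
}

/* 1 if prio can safely index an array of TC_HTB_NUMPRIO entries. */
int htb_prio_index_ok(long prio)
{
	return prio >= 0 && prio < TC_HTB_NUMPRIO;
}

int main(void)
{
	/* Constructed inputs: a sane priority and two with the top bit set. */
	uint32_t inputs[] = { 3, 0x80000000u, 0xffffffffu };

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		int s = htb_prio_signed(inputs[i]);
		unsigned int u = htb_prio_unsigned(inputs[i]);

		printf("prio %#x: signed -> %d (%s), unsigned -> %u (%s)\n",
		       inputs[i], s, htb_prio_index_ok(s) ? "ok" : "OUT OF BOUNDS",
		       u, htb_prio_index_ok(u) ? "ok" : "OUT OF BOUNDS");
	}
	return 0;
}
```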
     

02 Aug, 2013

7 commits

  • When creation of TIPC internal server socket fails,
    we get an oops with the following dump:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [] tipc_close_conn+0x59/0xb0 [tipc]
    PGD 13719067 PUD 12008067 PMD 0
    Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
    Modules linked in: tipc(+)
    CPU: 4 PID: 4340 Comm: insmod Not tainted 3.10.0+ #1
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    task: ffff880014360000 ti: ffff88001374c000 task.ti: ffff88001374c000
    RIP: 0010:[] [] tipc_close_conn+0x59/0xb0 [tipc]
    RSP: 0018:ffff88001374dc98 EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff880012ac09d8 RCX: 0000000000000000
    RDX: 0000000000000046 RSI: 0000000000000001 RDI: ffff880014360000
    RBP: ffff88001374dcb8 R08: 0000000000000001 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0016fa0
    R13: ffffffffa0017010 R14: ffffffffa0017010 R15: ffff880012ac09d8
    FS: 0000000000000000(0000) GS:ffff880016600000(0063) knlGS:00000000f76668d0
    CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 0000000012227000 CR4: 00000000000006e0
    Stack:
    ffff88001374dcb8 ffffffffa0016fa0 0000000000000000 0000000000000001
    ffff88001374dcf8 ffffffffa0012922 ffff88001374dce8 00000000ffffffea
    ffffffffa0017100 0000000000000000 ffff8800134241a8 ffffffffa0017150
    Call Trace:
    [] tipc_server_stop+0xa2/0x1b0 [tipc]
    [] tipc_subscr_stop+0x15/0x20 [tipc]
    [] tipc_core_stop+0x1d/0x33 [tipc]
    [] tipc_init+0xd4/0xf8 [tipc]
    [] ? 0xffffffffa001efff
    [] do_one_initcall+0x3f/0x150
    [] ? __blocking_notifier_call_chain+0x7d/0xd0
    [] load_module+0x11aa/0x19c0
    [] ? show_initstate+0x50/0x50
    [] ? retint_restore_args+0xe/0xe
    [] SyS_init_module+0xd9/0x110
    [] sysenter_dispatch+0x7/0x1f
    Code: 6c 24 70 4c 89 ef e8 b7 04 8f e1 8b 73 04 4c 89 e7 e8 7c 9e 32 e1 41 83 ac 24
    b8 00 00 00 01 4c 89 ef e8 eb 0a 8f e1 48 8b 43 08 8b 68 20 4d 8d a5 48 03 00
    00 4c 89 e7 e8 04 05 8f e1 4c 89
    RIP [] tipc_close_conn+0x59/0xb0 [tipc]
    RSP
    CR2: 0000000000000020
    ---[ end trace b02321f40e4269a3 ]---

    We have the following call chain:

    tipc_core_start()
      ret = tipc_subscr_start()
        ret = tipc_server_start() {
          server->enabled = 1;
          ret = tipc_open_listening_sock()
        }

    I.e., the server->enabled flag is unconditionally set to 1, whatever
    the return value of tipc_open_listening_sock().

    This causes a crash when tipc_core_start() tries to clean up
    resources after a failed initialization:

    if (ret == failed)
      tipc_subscr_stop()
        tipc_server_stop() {
          if (server->enabled)
            tipc_close_conn() {
              NULL reference of con->sock->sk
              OOPS!
            }
        }

    To avoid this, tipc_server_start() should only set server->enabled
    to 1 in case of a successful socket creation. In case of failure, it
    should release all allocated resources before returning.

    Problem introduced in commit c5fa7b3cf3cb22e4ac60485fc2dc187fe012910f
    ("tipc: introduce new TIPC server infrastructure") in v3.11-rc1.
    Note that it won't be seen often; it takes a module load under memory
    constrained conditions in order to trigger the failure condition.

    Signed-off-by: Ying Xue
    Signed-off-by: Jon Maloy
    Signed-off-by: Paul Gortmaker
    Signed-off-by: David S. Miller

    Ying Xue
     
  • Eliezer renames several *ll_poll to *busy_poll, but forgets
    CONFIG_NET_LL_RX_POLL, so in case of confusion, rename it too.

    Cc: Eliezer Tamir
    Cc: David S. Miller
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang
     
  • There's a race in IPv6 automatic address assignment. The address is created
    with zero lifetime when it's added to various address lists. Before it gets
    assigned the correct lifetime, there's a window where a new address may be
    configured. This causes the semi-initiated address to be deleted in
    addrconf_verify.

    This was discovered as a reference leak caused by concurrent run of
    __ipv6_ifa_notify for both RTM_NEWADDR and RTM_DELADDR with the same
    address.

    Fix this by setting the lifetime before the address is added to
    inet6_addr_lst.

    A few notes:

    1. In addrconf_prefix_rcv, by setting update_lft to zero, the
    if (update_lft) { ... } condition is no longer executed for newly
    created addresses. This is okay, as the ifp fields are set in
    ipv6_add_addr now and ipv6_ifa_notify is called (and has been called)
    through addrconf_dad_start.

    2. The removal of the whole block under ifp->lock in inet6_addr_add is okay,
    too, as tstamp is initialized to jiffies in ipv6_add_addr.

    Signed-off-by: Jiri Benc
    Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Jiri Benc
     
  • Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Jiri Pirko
     
  • As pointed out by Eric Dumazet, net->ipv6.ip6_rt_last_gc should
    hold the last time garbage collector was run so that we should
    update it whenever fib6_run_gc() calls fib6_clean_all(), not only
    if we got there from ip6_dst_gc().

    Signed-off-by: Michal Kubecek
    Signed-off-by: David S. Miller

    Michal Kubeček
     
  • On a high-traffic router with many processors and many IPv6 dst
    entries, soft lockup in fib6_run_gc() can occur when number of
    entries reaches gc_thresh.

    This happens because fib6_run_gc() uses fib6_gc_lock to allow
    only one thread to run the garbage collector but ip6_dst_gc()
    doesn't update net->ipv6.ip6_rt_last_gc until fib6_run_gc()
    returns. On a system with many entries, this can take some time
    so that in the meantime, other threads pass the tests in
    ip6_dst_gc() (ip6_rt_last_gc is still not updated) and wait for
    the lock. They then have to run the garbage collector one after
    another which blocks them for quite long.

    Resolve this by replacing special value ~0UL of expire parameter
    to fib6_run_gc() by explicit "force" parameter to choose between
    spin_lock_bh() and spin_trylock_bh() and call fib6_run_gc() with
    force=false if gc_thresh is reached but not max_size.

    Signed-off-by: Michal Kubecek
    Signed-off-by: David S. Miller

    Michal Kubeček
     
  • …wireless into for-davem

    John W. Linville
     

01 Aug, 2013

10 commits

  • The change made to rsc_parse() in
    0dc1531aca7fd1440918bd55844a054e9c29acad "svcrpc: store gss mech in
    svc_cred" should also have been propagated to the gss-proxy codepath.
    This fixes a crash in the gss-proxy case.

    Signed-off-by: J. Bruce Fields

    J. Bruce Fields
     
  • mech_oid.data is an array, not kmalloc()'d memory.

    Cc: stable@vger.kernel.org
    Signed-off-by: J. Bruce Fields

    J. Bruce Fields
     
  • Uninitialized stack data was being used as the destination for memcpy's.

    Longer term we'll just delete some of this code; all we're doing is
    skipping over xdr that we don't care about.

    Cc: stable@vger.kernel.org
    Signed-off-by: J. Bruce Fields

    J. Bruce Fields
     
  • Cc: stable@vger.kernel.org
    Signed-off-by: J. Bruce Fields

    J. Bruce Fields
     
  • Since we enabled auto-tuning for sunrpc TCP connections we do not
    guarantee that there is enough write-space on each connection to
    queue a reply.

    If memory pressure causes the window to shrink too small, the request
    throttling in sunrpc/svc will not accept any requests so no more requests
    will be handled. Even when pressure decreases the window will not
    grow again until data is sent on the connection.
    This means we get a deadlock: no requests will be handled until there
    is more space, and no space will be allocated until a request is
    handled.

    This can be simulated by modifying svc_tcp_has_wspace to inflate the
    number of bytes required and removing the 'svc_sock_setbufsize' calls
    in svc_setup_socket.

    I found that multiplying by 16 was enough to make the requirement
    exceed the default allocation. With this modification in place:
    mount -o vers=3,proto=tcp 127.0.0.1:/home /mnt
    would block and eventually time out because the nfs server could not
    accept any requests.

    This patch relaxes the request throttling to always allow at least one
    request through per connection. It does this by checking both
    sk_stream_min_wspace() and xprt->xpt_reserved
    are zero.
    The first is zero when the TCP transmit queue is empty.
    The second is zero when there are no RPC requests being processed.
    When both of these are zero the socket is idle and so one more
    request can safely be allowed through.

    Applying this patch allows the above mount command to succeed cleanly.
    Tracing shows that the allocated write buffer space quickly grows and
    after a few requests are handled, the extra tests are no longer needed
    to permit further requests to be processed.

    The main purpose of request throttling is to handle the case when one
    client is slow at collecting replies and the send queue gets full of
    replies that the client hasn't acknowledged (at the TCP level) yet.
    As we only change behaviour when the send queue is empty this main
    purpose is still preserved.

    Reported-by: Ben Myers
    Signed-off-by: NeilBrown
    Signed-off-by: J. Bruce Fields

    NeilBrown
     
  • If there is no querier on a link then we won't get periodic reports and
    therefore won't be able to learn about multicast listeners behind ports,
    potentially leading to lost multicast packets, especially for multicast
    listeners that joined before the creation of the bridge.

    These lost multicast packets can appear since c5c23260594
    ("bridge: Add multicast_querier toggle and disable queries by default")
    in particular.

    With this patch we are flooding multicast packets if our querier is
    disabled and if we didn't detect any other querier.

    A grace period of the Maximum Response Delay of the querier is added to
    give multicast responses enough time to arrive and to be learned from
    before disabling the flooding behaviour again.

    Signed-off-by: Linus Lüssing
    Signed-off-by: David S. Miller

    Linus Lüssing
     
  • The "pvc" struct has a hole after pvc.sap_family which is not cleared.

    Signed-off-by: Dan Carpenter
    Reviewed-by: Jiri Pirko
    Signed-off-by: David S. Miller

    Dan Carpenter
     
  • Pull networking fixes from David Miller:

    1) Fix association failures not triggering a connect-failure event in
    cfg80211, from Johannes Berg.

    2) Eliminate a potential NULL deref with older iptables tools when
    configuring xt_socket rules, from Eric Dumazet.

    3) Missing RTNL locking in wireless regulatory code, from Johannes
    Berg.

    4) Fix OOPS caused by firmware loading races in ath9k_htc, from Alexey
    Khoroshilov.

    5) Fix usb URB leak in usb_8dev CAN driver, also from Alexey
    Khoroshilov.

    6) VXLAN namespace teardown fails to unregister devices, from Stephen
    Hemminger.

    7) Fix multicast settings getting dropped by firmware in qlcnic driver,
    from Sucheta Chakraborty.

    8) Add sysctl range enforcement for tcp_syn_retries, from Michal Tesar.

    9) Fix a nasty bug in bridging where an active timer would get
    reinitialized with a setup_timer() call. From Eric Dumazet.

    10) Fix use after free in new mlx5 driver, from Dan Carpenter.

    11) Fix freed pointer reference in ipv6 multicast routing on namespace
    cleanup, from Hannes Frederic Sowa.

    12) Some usbnet drivers report TSO and SG in their feature set, but the
    usbnet layer doesn't really support them. From Eric Dumazet.

    13) Fix crash on EEH errors in tg3 driver, from Gavin Shan.

    14) Drop cb_lock when requesting modules in genetlink, from Stanislaw
    Gruszka.

    15) Kernel stack leaks in cbq scheduler and af_key pfkey messages, from
    Dan Carpenter.

    16) FEC driver erroneously signals NETDEV_TX_BUSY on transmit leading to
    endless loops, from Uwe Kleine-König.

    17) Fix hangs from loading mvneta driver, from Arnaud Patard.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (84 commits)
    mlx5: fix error return code in mlx5_alloc_uuars()
    mvneta: Try to fix mvneta when compiled as module
    mvneta: Fix hang when loading the mvneta driver
    atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring
    genetlink: fix usage of NLM_F_EXCL or NLM_F_REPLACE
    af_key: more info leaks in pfkey messages
    net/fec: Don't let ndo_start_xmit return NETDEV_TX_BUSY without link
    net_sched: Fix stack info leak in cbq_dump_wrr().
    igb: fix vlan filtering in promisc mode when not in VT mode
    ixgbe: Fix Tx Hang issue with lldpad on 82598EB
    genetlink: release cb_lock before requesting additional module
    net: fec: workaround stop tx during errata ERR006358
    qlcnic: Fix diagnostic interrupt test for 83xx adapters.
    qlcnic: Fix setting Guest VLAN
    qlcnic: Fix operation type and command type.
    qlcnic: Fix initialization of work function.
    Revert "atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring"
    atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring
    net/tg3: Fix warning from pci_disable_device()
    net/tg3: Fix kernel crash
    ...

    Linus Torvalds
     
  • Samuel Ortiz says:

    'This is the second NFC fixes pull request for 3.11.

    We have:

    - A build failure fix for the NCI SPI transport layer due to a
    missing CRC_CCITT Kconfig dependency.

    - A netlink command rename: CMD_FW_UPLOAD was merged during the 3.11
    merge window but the typical terminology for loading a firmware to a
    target is firmware download rather than upload. In order to avoid any
    confusion in a file exported to userspace, we rename this command into
    CMD_FW_DOWNLOAD."

    Signed-off-by: John W. Linville

    John W. Linville
     
  • Conflicts:
    net/bluetooth/hci_core.c

    John W. Linville
     

31 Jul, 2013

3 commits

  • Currently, it is not possible to use either NLM_F_EXCL or
    NLM_F_REPLACE from genetlink. This is due to this checking in
    genl_family_rcv_msg:

    if (nlh->nlmsg_flags & NLM_F_DUMP)

    NLM_F_DUMP is NLM_F_MATCH|NLM_F_ROOT. Thus, if NLM_F_EXCL or
    NLM_F_REPLACE flag is set, genetlink believes that you're
    requesting a dump and it calls the .dumpit callback.

    The solution that I propose is to refine this checking to
    make it stricter:

    if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP)

    And given the combination NLM_F_REPLACE and NLM_F_EXCL does
    not make sense to me, it removes the ambiguity.

    There was a patch that tried to fix this some time ago (0ab03c2
    netlink: test for all flags of the NLM_F_DUMP composite) but it
    tried to resolve this ambiguity in *all* existing netlink subsystems,
    not only genetlink. That patch was reverted since it broke iproute2,
    which is using NLM_F_ROOT to request the dump of the routing cache.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Pablo Neira
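    The flag aliasing this message describes, as an added C illustration (not the genetlink code itself): NLM_F_REPLACE and NLM_F_EXCL occupy the same bit positions as NLM_F_ROOT and NLM_F_MATCH, so a test for "any bit of NLM_F_DUMP" misroutes them, while a test for "all bits" does not. The flag values are the kernel's uapi values; the function and enum names are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* Netlink message flags (values from the kernel's uapi linux/netlink.h). */
#define NLM_F_REQUEST 0x001
#define NLM_F_ROOT    0x100
#define NLM_F_MATCH   0x200
#define NLM_F_DUMP    (NLM_F_ROOT | NLM_F_MATCH)   /* composite: 0x300 */
/* Modifiers for NEW requests reuse the same bit positions as ROOT/MATCH. */
#define NLM_F_REPLACE 0x100
#define NLM_F_EXCL    0x200

/* The original test: true as soon as ANY bit of the composite is set. */
int genl_is_dump_buggy(uint16_t nlmsg_flags)
{
	return (nlmsg_flags & NLM_F_DUMP) != 0;
}

/* The stricter test proposed in the message: true only when BOTH bits are set. */
int genl_is_dump_fixed(uint16_t nlmsg_flags)
{
	return (nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP;
}

enum genl_handler { GENL_DOIT = 0, GENL_DUMPIT = 1 };

/* Mimics the dispatch decision: strict=0 uses the original test, strict=1 the fixed one. */
enum genl_handler genl_dispatch(uint16_t nlmsg_flags, int strict)
{
	int dump = strict ? genl_is_dump_fixed(nlmsg_flags)
			  : genl_is_dump_buggy(nlmsg_flags);

	return dump ? GENL_DUMPIT : GENL_DOIT;
}

int main(void)
{
	/* Constructed requests: a NEW with REPLACE, a NEW with EXCL, and a real dump. */
	struct { const char *name; uint16_t flags; } msgs[] = {
		{ "NEW|REPLACE", NLM_F_REQUEST | NLM_F_REPLACE },
		{ "NEW|EXCL",    NLM_F_REQUEST | NLM_F_EXCL },
		{ "GET|DUMP",    NLM_F_REQUEST | NLM_F_DUMP },
	};

	for (size_t i = 0; i < sizeof(msgs) / sizeof(msgs[0]); i++)
		printf("%-12s flags=%#05x  original -> %s  strict -> %s\n",
		       msgs[i].name, msgs[i].flags,
		       genl_dispatch(msgs[i].flags, 0) == GENL_DUMPIT ? "dumpit" : "doit",
		       genl_dispatch(msgs[i].flags, 1) == GENL_DUMPIT ? "dumpit" : "doit");
	return 0;
}
```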
     
  • This is inspired by a5cc68f3d6 "af_key: fix info leaks in notify
    messages". There are some struct members which don't get initialized
    and could disclose small amounts of private information.

    Acked-by: Mathias Krause
    Signed-off-by: Dan Carpenter
    Acked-by: Steffen Klassert
    Signed-off-by: David S. Miller

    Dan Carpenter
     
  • Loading a firmware into a target is typically called firmware
    download, not firmware upload. So we rename the netlink API to
    NFC_CMD_FW_DOWNLOAD in order to avoid any terminology confusion from
    userspace.

    Signed-off-by: Samuel Ortiz

    Samuel Ortiz
     

30 Jul, 2013

1 commit


29 Jul, 2013

2 commits

  • In certain circumstances, such as an HCI driver using __hci_cmd_sync_ev
    with HCI_EV_CMD_COMPLETE as the expected completion event there is the
    chance that hci_event_packet will call hci_req_cmd_complete twice (once
    for the explicitly looked after event and another time in the actual
    handler of cmd_complete).

    In the case of __hci_cmd_sync_ev this introduces a race where the first
    call wakes up the blocking __hci_cmd_sync_ev and lets it complete.
    However, by the time that a second __hci_cmd_sync_ev call is already in
    progress the second hci_req_cmd_complete call (from the previous
    operation) will wake up the blocking function prematurely and cause it
    to fail, as witnessed by the following log:

    [ 639.232195] hci_rx_work: hci0 Event packet
    [ 639.232201] hci_req_cmd_complete: opcode 0xfc8e status 0x00
    [ 639.232205] hci_sent_cmd_data: hci0 opcode 0xfc8e
    [ 639.232210] hci_req_sync_complete: hci0 result 0x00
    [ 639.232220] hci_cmd_complete_evt: hci0 opcode 0xfc8e
    [ 639.232225] hci_req_cmd_complete: opcode 0xfc8e status 0x00
    [ 639.232228] __hci_cmd_sync_ev: hci0 end: err 0
    [ 639.232234] __hci_cmd_sync_ev: hci0
    [ 639.232238] hci_req_add_ev: hci0 opcode 0xfc8e plen 250
    [ 639.232242] hci_prepare_cmd: skb len 253
    [ 639.232246] hci_req_run: length 1
    [ 639.232250] hci_sent_cmd_data: hci0 opcode 0xfc8e
    [ 639.232255] hci_req_sync_complete: hci0 result 0x00
    [ 639.232266] hci_cmd_work: hci0 cmd_cnt 1 cmd queued 1
    [ 639.232271] __hci_cmd_sync_ev: hci0 end: err 0
    [ 639.232276] Bluetooth: hci0 sending Intel patch command (0xfc8e) failed (-61)

    Signed-off-by: Johan Hedberg
    Acked-by: Marcel Holtmann
    Signed-off-by: Gustavo Padovan

    Johan Hedberg
     
  • None of the BlueFRITZ! devices with manufacturer ID 31 (AVM Berlin)
    support HCI_Read_Local_Supported_Commands. It is safe to use the
    manufacturer ID (instead of e.g. a USB ID specific quirk) because the
    company never created any newer controllers.

    < HCI Command: Read Local Supported Comm.. (0x04|0x0002) plen 0 [hci0] 0.210014
    > HCI Event: Command Status (0x0f) plen 4 [hci0] 0.217361
    Read Local Supported Commands (0x04|0x0002) ncmd 1
    Status: Unknown HCI Command (0x01)

    Reported-by: Jörg Esser
    Signed-off-by: Johan Hedberg
    Tested-by: Jörg Esser
    Signed-off-by: Gustavo Padovan

    Johan Hedberg
     

28 Jul, 2013

1 commit

  • Requesting an external module with cb_lock taken can result in
    a deadlock like the one shown below:

    [ 2458.111347] Showing all locks held in the system:
    [ 2458.111347] 1 lock held by NetworkManager/582:
    [ 2458.111347] #0: (cb_lock){++++++}, at: [] genl_rcv+0x19/0x40
    [ 2458.111347] 1 lock held by modprobe/603:
    [ 2458.111347] #0: (cb_lock){++++++}, at: [] genl_lock_all+0x15/0x30

    [ 2461.579457] SysRq : Show Blocked State
    [ 2461.580103] task PC stack pid father
    [ 2461.580103] NetworkManager D ffff880034b84500 4040 582 1 0x00000080
    [ 2461.580103] ffff8800197ff720 0000000000000046 00000000001d5340 ffff8800197fffd8
    [ 2461.580103] ffff8800197fffd8 00000000001d5340 ffff880019631700 7fffffffffffffff
    [ 2461.580103] ffff8800197ff880 ffff8800197ff878 ffff880019631700 ffff880019631700
    [ 2461.580103] Call Trace:
    [ 2461.580103] [] schedule+0x29/0x70
    [ 2461.580103] [] schedule_timeout+0x1c1/0x360
    [ 2461.580103] [] ? mark_held_locks+0xbb/0x140
    [ 2461.580103] [] ? _raw_spin_unlock_irq+0x2c/0x50
    [ 2461.580103] [] ? trace_hardirqs_on_caller+0xfd/0x1c0
    [ 2461.580103] [] wait_for_completion_killable+0xe8/0x170
    [ 2461.580103] [] ? wake_up_state+0x20/0x20
    [ 2461.580103] [] call_usermodehelper_exec+0x1a5/0x210
    [ 2461.580103] [] ? wait_for_completion_killable+0x3d/0x170
    [ 2461.580103] [] __request_module+0x1b3/0x370
    [ 2461.580103] [] ? trace_hardirqs_on_caller+0xfd/0x1c0
    [ 2461.580103] [] ctrl_getfamily+0x159/0x190
    [ 2461.580103] [] genl_family_rcv_msg+0x1f4/0x2e0
    [ 2461.580103] [] ? genl_family_rcv_msg+0x2e0/0x2e0
    [ 2461.580103] [] genl_rcv_msg+0x8e/0xd0
    [ 2461.580103] [] netlink_rcv_skb+0xa9/0xc0
    [ 2461.580103] [] genl_rcv+0x28/0x40
    [ 2461.580103] [] netlink_unicast+0xdd/0x190
    [ 2461.580103] [] netlink_sendmsg+0x329/0x750
    [ 2461.580103] [] sock_sendmsg+0x99/0xd0
    [ 2461.580103] [] ? local_clock+0x5f/0x70
    [ 2461.580103] [] ? lock_release_non_nested+0x308/0x350
    [ 2461.580103] [] ___sys_sendmsg+0x39e/0x3b0
    [ 2461.580103] [] ? kvm_clock_read+0x2f/0x50
    [ 2461.580103] [] ? sched_clock+0x9/0x10
    [ 2461.580103] [] ? sched_clock_local+0x1d/0x80
    [ 2461.580103] [] ? sched_clock_cpu+0xa8/0x100
    [ 2461.580103] [] ? trace_hardirqs_off+0xd/0x10
    [ 2461.580103] [] ? local_clock+0x5f/0x70
    [ 2461.580103] [] ? lock_release_holdtime.part.28+0xf/0x1a0
    [ 2461.580103] [] ? fget_light+0xf9/0x510
    [ 2461.580103] [] ? fget_light+0x3c/0x510
    [ 2461.580103] [] __sys_sendmsg+0x42/0x80
    [ 2461.580103] [] SyS_sendmsg+0x12/0x20
    [ 2461.580103] [] system_call_fastpath+0x16/0x1b
    [ 2461.580103] modprobe D ffff88000f2c8000 4632 603 602 0x00000080
    [ 2461.580103] ffff88000f04fba8 0000000000000046 00000000001d5340 ffff88000f04ffd8
    [ 2461.580103] ffff88000f04ffd8 00000000001d5340 ffff8800377d4500 ffff8800377d4500
    [ 2461.580103] ffffffff81d0b260 ffffffff81d0b268 ffffffff00000000 ffffffff81d0b2b0
    [ 2461.580103] Call Trace:
    [ 2461.580103] [] schedule+0x29/0x70
    [ 2461.580103] [] rwsem_down_write_failed+0xed/0x1a0
    [ 2461.580103] [] ? update_cpu_load_active+0x10/0xb0
    [ 2461.580103] [] call_rwsem_down_write_failed+0x13/0x20
    [ 2461.580103] [] ? down_write+0x9d/0xb2
    [ 2461.580103] [] ? genl_lock_all+0x15/0x30
    [ 2461.580103] [] genl_lock_all+0x15/0x30
    [ 2461.580103] [] genl_register_family+0x53/0x1f0
    [ 2461.580103] [] ? 0xffffffffa01dbfff
    [ 2461.580103] [] genl_register_family_with_ops+0x20/0x80
    [ 2461.580103] [] ? 0xffffffffa01dbfff
    [ 2461.580103] [] nl80211_init+0x24/0xf0 [cfg80211]
    [ 2461.580103] [] ? 0xffffffffa01dbfff
    [ 2461.580103] [] cfg80211_init+0x43/0xdb [cfg80211]
    [ 2461.580103] [] do_one_initcall+0xfa/0x1b0
    [ 2461.580103] [] ? set_memory_nx+0x43/0x50
    [ 2461.580103] [] load_module+0x1c6f/0x27f0
    [ 2461.580103] [] ? store_uevent+0x40/0x40
    [ 2461.580103] [] SyS_finit_module+0x86/0xb0
    [ 2461.580103] [] system_call_fastpath+0x16/0x1b
    [ 2461.580103] Sched Debug Version: v0.10, 3.11.0-0.rc1.git4.1.fc20.x86_64 #1

    The problem started to happen after the net-pf-16-proto-16-family-nl80211
    alias name was added to the cfg80211 module by the commit below (though
    that commit itself is perfectly fine):

    commit fb4e156886ce6e8309e912d8b370d192330d19d3
    Author: Marcel Holtmann
    Date: Sun Apr 28 16:22:06 2013 -0700

    nl80211: Add generic netlink module alias for cfg80211/nl80211

    Reported-and-tested-by: Jeff Layton
    Reported-by: Richard W.M. Jones
    Signed-off-by: Stanislaw Gruszka
    Reviewed-by: Pravin B Shelar
    Signed-off-by: David S. Miller

    Stanislaw Gruszka
     

27 Jul, 2013

1 commit


26 Jul, 2013

2 commits

  • If hci_dev_open() is called after hci_register_dev() added the device to
    the hci_dev_list but before the workqueues are created we could run into a
    NULL pointer dereference (see below).

    This bug is very unlikely to happen, systems using bluetoothd to
    manage their bluetooth devices will never see this happen.

    BUG: unable to handle kernel NULL pointer dereference
    0100
    IP: [] __queue_work+0x32/0x3d0
    (...)
    Call Trace:
    [] queue_work_on+0x45/0x50
    [] hci_req_run+0xbf/0xf0 [bluetooth]
    [] ? hci_init2_req+0x720/0x720 [bluetooth]
    [] __hci_req_sync+0xd6/0x1c0 [bluetooth]
    [] ? try_to_wake_up+0x2b0/0x2b0
    [] ? usb_autopm_put_interface+0x30/0x40
    [] hci_dev_open+0x275/0x2e0 [bluetooth]
    [] hci_sock_ioctl+0x1f2/0x3f0 [bluetooth]
    [] sock_do_ioctl+0x30/0x70
    [] sock_ioctl+0x79/0x2f0
    [] do_vfs_ioctl+0x96/0x560
    [] SyS_ioctl+0x91/0xb0
    [] system_call_fastpath+0x1a/0x1f

    Reported-by: Sedat Dilek
    Signed-off-by: Gustavo Padovan

    Gustavo Padovan
     
  • The length check is invalid since the length varies with type of
    info response.

    This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888

    Because of this, l2cap info rsp is not handled and command reject is sent.

    > ACL data: handle 11 flags 0x02 dlen 16
    L2CAP(s): Info rsp: type 2 result 0
    Extended feature mask 0x00b8
    Enhanced Retransmission mode
    Streaming mode
    FCS Option
    Fixed Channels
    < ACL data: handle 11 flags 0x00 dlen 10
    L2CAP(s): Command rej: reason 0
    Command not understood

    Cc: stable@vger.kernel.org
    Signed-off-by: Jaganath Kanakkassery
    Signed-off-by: Chan-Yeol Park
    Acked-by: Johan Hedberg
    Signed-off-by: Gustavo Padovan

    Jaganath Kanakkassery
     

25 Jul, 2013

5 commits

  • The current regdomain was not always set by the core. This causes
    cards with a custom regulatory domain to ignore user-initiated changes
    if done before the card was registered.

    Signed-off-by: Arik Nemtsov
    Acked-by: Luis R. Rodriguez
    Signed-off-by: Johannes Berg

    Arik Nemtsov
     
  • John W. Linville says:

    ====================
    This is another batch of fixes intended for the 3.11 stream. FWIW,
    this is the first request with fixes from the mac80211 and iwlwifi
    trees as well.

    Regarding the mac80211 bits, Johannes says:

    "Here I have a fix for RSSI thresholds in mesh, two minstrel fixes from
    Felix, an nl80211 fix from Michal and four various fixes I did myself."

    As for the iwlwifi bits, Johannes says:

    "Here I have a fix for debugfs directory creation (causing a spurious
    error message), two scanning fixes from David Spinadel, an LED fix and
    two patches related to a BA session problem that eventually caused
    firmware crashes from Emmanuel and a small BT fix for older devices as
    well as a workaround for a firmware problem with APs with very small
    beacon intervals from myself."

    Along with those:

    Arend van Spriel addresses a lock-up and a NULL pointer dereference
    in brcmfmac.

    Daniel Drake fixes an unhandled interrupt during device tear down
    in mwifiex.

    Larry Finger corrects a wil6210 build error.

    Oleksij Rempel fixes two ath9k_htc problems related to keeping the
    driver and firmware in sync.

    Solomon Peachy gives us a cw1200 fix to avoid an oops in monitor mode.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • build_skb() specifies that the data parameter must come from a kmalloc'd
    area. This is only true if frag_size equals 0, because then build_skb()
    will use ksize(data) to figure out the actual data size. Update the
    comment to reflect that special condition.

    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller

    Florian Fainelli
     
  • Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
    which leads to a panic (from Srivatsa S. Bhat):

    BUG: unable to handle kernel paging request at ffff882018552020
    IP: [] ip6mr_sk_done+0x32/0xb0 [ipv6]
    PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
    Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
    Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
    +ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
    CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
    Hardware name: IBM -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
    Workqueue: netns cleanup_net
    task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
    RIP: 0010:[] [] ip6mr_sk_done+0x32/0xb0 [ipv6]
    RSP: 0018:ffff881039367bd8 EFLAGS: 00010286
    RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
    RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
    RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
    R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
    R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
    FS: 0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
    Stack:
    ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
    ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
    ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
    Call Trace:
    [] rawv6_close+0x21/0x40 [ipv6]
    [] inet_release+0xfb/0x220
    [] ? inet_release+0x22/0x220
    [] inet6_release+0x3f/0x50 [ipv6]
    [] sock_release+0x29/0xa0
    [] sk_release_kernel+0x30/0x70
    [] icmpv6_sk_exit+0x3b/0x80 [ipv6]
    [] ops_exit_list+0x39/0x60
    [] cleanup_net+0xfb/0x1a0
    [] process_one_work+0x1da/0x610
    [] ? process_one_work+0x169/0x610
    [] worker_thread+0x120/0x3a0
    [] ? process_one_work+0x610/0x610
    [] kthread+0xee/0x100
    [] ? __init_kthread_worker+0x70/0x70
    [] ret_from_fork+0x7c/0xb0
    [] ? __init_kthread_worker+0x70/0x70
    Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
    RIP [] ip6mr_sk_done+0x32/0xb0 [ipv6]
    RSP
    CR2: ffff882018552020

    Reported-by: Srivatsa S. Bhat
    Tested-by: Srivatsa S. Bhat
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Hannes Frederic Sowa
     
  • With the
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Jerry Snitselaar
     

24 Jul, 2013

1 commit


23 Jul, 2013

1 commit

  • My commit:

    commit 12e7f517029dad819c45eca9ca01fdb9ba57616b
    Author: Stanislaw Gruszka
    Date: Thu Feb 28 10:55:26 2013 +0100

    mac80211: cleanup generic suspend/resume procedures

    removed the check for deleting MONITOR and AP_VLAN interfaces on suspend.
    That can cause a crash (i.e. in iwlagn_mac_remove_interface()), since we
    remove an interface in the driver that we did not add before.

    Reference:
    http://marc.info/?l=linux-kernel&m=137391815113860&w=2

    Bisected-by: Ortwin Glück
    Reported-and-tested-by: Ortwin Glück
    Cc: stable@vger.kernel.org # 3.10
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: Johannes Berg

    Stanislaw Gruszka