Eric Lee / smarc-fsl-linux-kernel

17 Sep, 2007

1 commit

  • 6ae5f983c   [IPV6]: Fix source address selection. ... Browse Code »

    The commit 95c385 broke proper source address selection for cases in which
    there is a address which is makred 'deprecated'. The commit mistakenly
    changed ifa->flags to ifa_result->flags (probably copy/paste error from a
    few lines above) in the 'Rule 3' address selection code.

    The patch restores the previous RFC-compliant behavior.

    Signed-off-by: Jiri Kosina
    Signed-off-by: David S. Miller

    Jiri Kosina
     

15 Sep, 2007

2 commits

11 Sep, 2007

3 commits

  • e1f52208b   [IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames ... Browse Code »

    Some of skbs in sk->write_queue do not have skb->dst because
    we do not fill skb->dst when we allocate new skb in append_data().

    BTW, I think we may not need to (or we should not) increment some stats
    when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets,
    how many should we increment?

    If 100, we should set skb->dst for every queued skbs.

    If 1 (or 2 (*)), we increment the stats for the first queued skb and
    we should just skip incrementing OutDiscards for the rest of queued skbs,
    adn we should also impelement this semantics in other places;
    e.g., we should increment other stats just once, not 100 times.

    *: depends on the place we are discarding the datagram.

    I guess should just increment by 1 (or 2).

    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller

    YOSHIFUJI Hideaki
     
  • 16fcec35e   [NETFILTER]: Fix/improve deadlock condition on module removal netfilter ... Browse Code »

    So I've had a deadlock reported to me. I've found that the sequence of
    events goes like this:

    1) process A (modprobe) runs to remove ip_tables.ko

    2) process B (iptables-restore) runs and calls setsockopt on a netfilter socket,
    increasing the ip_tables socket_ops use count

    3) process A acquires a file lock on the file ip_tables.ko, calls remove_module
    in the kernel, which in turn executes the ip_tables module cleanup routine,
    which calls nf_unregister_sockopt

    4) nf_unregister_sockopt, seeing that the use count is non-zero, puts the
    calling process into uninterruptible sleep, expecting the process using the
    socket option code to wake it up when it exits the kernel

    4) the user of the socket option code (process B) in do_ipt_get_ctl, calls
    ipt_find_table_lock, which in this case calls request_module to load
    ip_tables_nat.ko

    5) request_module forks a copy of modprobe (process C) to load the module and
    blocks until modprobe exits.

    6) Process C. forked by request_module process the dependencies of
    ip_tables_nat.ko, of which ip_tables.ko is one.

    7) Process C attempts to lock the request module and all its dependencies, it
    blocks when it attempts to lock ip_tables.ko (which was previously locked in
    step 3)

    Theres not really any great permanent solution to this that I can see, but I've
    developed a two part solution that corrects the problem

    Part 1) Modifies the nf_sockopt registration code so that, instead of using a
    use counter internal to the nf_sockopt_ops structure, we instead use a pointer
    to the registering modules owner to do module reference counting when nf_sockopt
    calls a modules set/get routine. This prevents the deadlock by preventing set 4
    from happening.

    Part 2) Enhances the modprobe utilty so that by default it preforms non-blocking
    remove operations (the same way rmmod does), and add an option to explicity
    request blocking operation. So if you select blocking operation in modprobe you
    can still cause the above deadlock, but only if you explicity try (and since
    root can do any old stupid thing it would like.... :) ).

    Signed-off-by: Neil Horman
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Neil Horman
     
  • 9e3be4b34   [IPV6]: Freeing alive inet6 address ... Browse Code »

    From: Denis V. Lunev

    addrconf_dad_failure calls addrconf_dad_stop which takes referenced address
    and drops the count. So, in6_ifa_put perrformed at out: is extra. This
    results in message: "Freeing alive inet6 address" and not released dst entries.

    Signed-off-by: Denis V. Lunev
    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller

    Denis V. Lunev
     

27 Aug, 2007

1 commit

22 Aug, 2007

1 commit

  • 8984e41d1   [IPV6]: Fix kernel panic while send SCTP data with IP fragments ... Browse Code »

    If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
    kernel panic will occur when SCTP DATA is send again.

    This is because of a bad dest address when call to skb_copy_bits().

    The messages sequence is like this:

    Endpoint A Endpoint B

    (Packet Too Big pmtu=1280)
    ] Not tainted VLI
    EFLAGS: 00010282 (2.6.23-rc2 #1)
    EIP is at skb_copy_bits+0x4f/0x1ef
    eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880
    esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc
    ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
    Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
    Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
    d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
    000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
    Call Trace:
    [] show_trace_log_lvl+0x1a/0x2f
    [] show_stack_log_lvl+0x9b/0xa3
    [] show_registers+0x1b8/0x289
    [] die+0x113/0x246
    [] do_page_fault+0x4ad/0x57e
    [] error_code+0x72/0x78
    [] ip6_output+0x8e5/0xab2 [ipv6]
    [] ip6_xmit+0x2ea/0x3a3 [ipv6]
    [] sctp_v6_xmit+0x248/0x253 [sctp]
    [] sctp_packet_transmit+0x53f/0x5ae [sctp]
    [] sctp_outq_flush+0x555/0x587 [sctp]
    [] sctp_retransmit+0xf8/0x10f [sctp]
    [] sctp_icmp_frag_needed+0x57/0x5b [sctp]
    [] sctp_v6_err+0xcd/0x148 [sctp]
    [] icmpv6_notify+0xe6/0x167 [ipv6]
    [] icmpv6_rcv+0x7d7/0x849 [ipv6]
    [] ip6_input+0x1dc/0x310 [ipv6]
    [] ipv6_rcv+0x294/0x2df [ipv6]
    [] netif_receive_skb+0x2d2/0x335
    [] process_backlog+0x7f/0xd0
    [] net_rx_action+0x96/0x17e
    [] __do_softirq+0x64/0xcd
    [] do_softirq+0x5c/0xac
    =======================
    Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
    EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
    Kernel panic - not syncing: Fatal exception in interrupt

    Arnaldo says:
    ====================
    Thanks! I'm to blame for this one, problem was introduced in:

    b0e380b1d8a8e0aca215df97702f99815f05c094

    @@ -761,7 +762,7 @@ slow_path:
    /*
    * Copy a block of the IP datagram.
    */
    - if (skb_copy_bits(skb, ptr, frag->h.raw, len))
    + if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
    len))
    BUG();
    left -= len;
    ====================

    Signed-off-by: Wei Yongjun
    Acked-by: YOSHIFUJI Hideaki
    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller

    Wei Yongjun
     

16 Aug, 2007

1 commit

  • 660adc6e6   [IPv6]: Invalid semicolon after if statement ... Browse Code »

    A similar fix to netfilter from Eric Dumazet inspired me to
    look around a bit by using some grep/sed stuff as looking for
    this kind of bugs seemed easy to automate. This is one of them
    I found where it looks like this semicolon is not valid.

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller

    Ilpo Järvinen
     

14 Aug, 2007

1 commit

03 Aug, 2007

1 commit

  • 3516ffb0f   [TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg(). ... Browse Code »

    As discovered by Evegniy Polyakov, if we try to sendmsg after
    a connection reset, we can do incredibly stupid things.

    The core issue is that inet_sendmsg() tries to autobind the
    socket, but we should never do that for TCP. Instead we should
    just go straight into TCP's sendmsg() code which will do all
    of the necessary state and pending socket error checks.

    TCP's sendpage already directly vectors to tcp_sendpage(), so this
    merely brings sendmsg() in line with that.

    Signed-off-by: David S. Miller

    David S. Miller
     

31 Jul, 2007

4 commits

27 Jul, 2007

1 commit

  • 704eae1f3   ip6_tunnel - endianness annotations ... Browse Code »

    Convert rel_info to host-endian before calling ip6_tnl_err().
    The things become much more straightforward that way.
    The key observation (and the reason why that code actually
    worked) is that after ip6_tnl_err() we either immediately
    bailed out or had rel_info set to 0 or had it set to host-endian
    and guaranteed to hit
    (rel_type == ICMP_DEST_UNREACH && rel_code == ICMP_FRAG_NEEDED)
    case. So inconsistent endianness didn't really lead to bugs,
    but it had been subtle and prone to breakage. New variant is
    saner and obviously safe.

    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds

    Al Viro
     

25 Jul, 2007

2 commits

22 Jul, 2007

1 commit

20 Jul, 2007

1 commit

  • 20c2df83d   mm: Remove slab destructors from kmem_cache_create(). ... Browse Code »

    Slab destructors were no longer supported after Christoph's
    c59def9f222d44bb7e2f0a559f2906191a0862d7 change. They've been
    BUGs for both slab and slub, and slob never supported them
    either.

    This rips out support for the dtor pointer from kmem_cache_create()
    completely and fixes up every single callsite in the kernel (there were
    about 224, not including the slab allocator definitions themselves,
    or the documentation references).

    Signed-off-by: Paul Mundt

    Paul Mundt
     

15 Jul, 2007

7 commits

  • 063ed369c   [IPV6]: Call inet6addr_chain notifiers on link down ... Browse Code »

    Currently if the link is brought down via ip link or ifconfig down,
    the inet6addr_chain notifiers are not called even though all
    the addresses are removed from the interface. This caused SCTP
    to add duplicate addresses to it's list.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • f13ec93fb   [IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets ... Browse Code »

    From: Dmitry Butskoy

    Taken from http://bugzilla.kernel.org/show_bug.cgi?id=8747

    Problem Description:

    It is related to the possibility to obtain MSG_ERRQUEUE messages from the udp
    and raw sockets, both connected and unconnected.

    There is a little typo in net/ipv6/icmp.c code, which prevents such messages
    to be delivered to the errqueue of the correspond raw socket, when the socket
    is CONNECTED. The typo is due to swap of local/remote addresses.

    Consider __raw_v6_lookup() function from net/ipv6/raw.c. When a raw socket is
    looked up usual way, it is something like:

    sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif);

    where "daddr" is a destination address of the incoming packet (IOW our local
    address), "saddr" is a source address of the incoming packet (the remote end).

    But when the raw socket is looked up for some icmp error report, in
    net/ipv6/icmp.c:icmpv6_notify() , daddr/saddr are obtained from the echoed
    fragment of the "bad" packet, i.e. "daddr" is the original destination
    address of that packet, "saddr" is our local address. Hence, for
    icmpv6_notify() must use "saddr, daddr" in its arguments, not "daddr, saddr"
    ...

    Steps to reproduce:

    Create some raw socket, connect it to an address, and cause some error
    situation: f.e. set ttl=1 where the remote address is more than 1 hop to reach.
    Set IPV6_RECVERR .
    Then send something and wait for the error (f.e. poll() with POLLERR|POLLIN).
    You should receive "time exceeded" icmp message (because of "ttl=1"), but the
    socket do not receive it.

    If you do not connect your raw socket, you will receive MSG_ERRQUEUE
    successfully. (The reason is that for unconnected socket there are no actual
    checks for local/remote addresses).

    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    Dmitry Butskoy
     
  • 61075af51   [NETFILTER]: nf_conntrack: mark protocols __read_mostly ... Browse Code »

    Also remove two unnecessary EXPORT_SYMBOLs and move the
    nf_conntrack_l3proto_ipv4 declaration to the correct file.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • a887c1c14   [NETFILTER]: Lower *tables printk severity ... Browse Code »

    Lower ip6tables, arptables and ebtables printk severity similar to
    Dan Aloni's patch for iptables.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • e2a3123fb   [NETFILTER]: nf_conntrack: Introduces nf_ct_get_tuplepr and uses it ... Browse Code »

    nf_ct_get_tuple() requires the offset to transport header and that bothers
    callers such as icmp[v6] l4proto modules. This introduces new function
    to simplify them.

    Signed-off-by: Yasuyuki Kozakai
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Yasuyuki Kozakai
     
  • ffc306904   [NETFILTER]: nf_conntrack: make l3proto->prepare() generic and renames it ... Browse Code »

    The icmp[v6] l4proto modules parse headers in ICMP[v6] error to get tuple.
    But they have to find the offset to transport protocol header before that.
    Their processings are almost same as prepare() of l3proto modules.
    This makes prepare() more generic to simplify icmp[v6] l4proto module
    later.

    Signed-off-by: Yasuyuki Kozakai
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Yasuyuki Kozakai
     
  • d87d8469e   [NETFILTER]: nf_conntrack: Increment error count on parsing IPv4 header ... Browse Code »

    Signed-off-by: Yasuyuki Kozakai
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Yasuyuki Kozakai
     

11 Jul, 2007

13 commits