26 Jan, 2010
1 commit
-
By rounding up the buffer size to power of 2, several expensive
modulus operations can be avoided. This patch also solves a bug where
the gap need when ring gets full was not being accounted for.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
25 Jan, 2010
2 commits
-
GC is non-existent in netns, so after you hit GC threshold, no new
dst entries will be created until someone triggers cleanup in init_net.Make xfrm4_dst_ops and xfrm6_dst_ops per-netns.
This is not done in a generic way, because it woule waste
(AF_MAX - 2) * sizeof(struct dst_ops) bytes per-netns.Reorder GC threshold initialization so it'd be done before registering
XFRM policies.Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller -
Bruno Prémont found commit 9793241fe92f7d930
(vlan: Precise RX stats accounting) added a regression for non
hw accelerated vlans.[ 26.390576] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 26.396369] IP: [] vlan_skb_recv+0x89/0x280 [8021q]vlan_dev_info() was used with original device, instead of
skb->dev. Also spotted by Américo Wang.Reported-By: Bruno Prémont
Tested-By: Bruno Prémont
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
24 Jan, 2010
1 commit
-
"ip xfrm state|policy count" report SA/SP count from init_net,
not from netns of caller process.Signed-off-by: Alexey Dobriyan
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
23 Jan, 2010
1 commit
20 Jan, 2010
1 commit
-
The s-port should be compared.
Signed-off-by: Roel Kluin
Signed-off-by: David S. Miller
19 Jan, 2010
3 commits
-
Hey all-
I was tinkering with dccp recently and noticed that I BUG halted the
kernel when I rmmod-ed the dccp module. The bug halt occured because the page
that I passed to kfree failed the PageCompound and PageSlab test in the slub
implementation of kfree. I tracked the problem down to the following set of
events:1) dccp, unlike all other uses of kmem_cache_create, allocates a string
dynamically when registering a slab cache. This allocated string is freed when
the cache is destroyed.2) Normally, (1) is not an issue, but when Slub is in use, it is possible that
caches are 'merged'. This process causes multiple caches of simmilar
configuration to use the same cache data structure. When this happens, the new
name of the cache is effectively dropped.3) (2) results in kmem_cache_name returning an ambigous value (i.e.
ccid_kmem_cache_destroy, which uses this fuction to retrieve the name pointer
for freeing), is no longer guaranteed that the string it assigned is what is
returned.4) If such merge event occurs, ccid_kmem_cache_destroy frees the wrong pointer,
which trips over the BUG in the slub implementation of kfree (since its likely
not a slab allocation, but rather a pointer into the static string table
section.So, what to do about this. At first blush this is pretty clearly a leak in the
information that slub owns, and as such a slub bug. Unfortunately, theres no
really good way to fix it, without exposing slub specific implementation details
to the generic slab interface. Also, even if we could fix this in slub cleanly,
I think the RCU free option would force us to do lots of string duplication, not
only in slub, but in every slab allocator. As such, I'd like to propose this
solution. Basically, I just move the storage for the kmem cache name to the
ccid_operations structure. In so doing, we don't have to do the kstrdup or
kfree when we allocate/free the various caches for dccp, and so we avoid the
problem, by storing names with static memory, rather than heap, the way all
other calls to kmem_cache_create do.I've tested this out myself here, and it solves the problem quite well.
Signed-off-by: Neil Horman
Acked-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
While testing the pid rate controller in mac80211_hwsim, I noticed
that once the controller reached 54 Mbit rates, it would fail to
lower the rate when necessary. The debug log shows:1945 186786 pf_sample 50 3534 3577 50
My interpretation is that the fixed point scaling of the target
error value (pf) is incorrect: the error value of 50 compared to
a target of 14 case should result in a scaling value of
(14-50) = -36 * 256 or -9216, but instead it is (14 * 256)-50, or
3534.Correct this by doing fixed point scaling after subtraction.
Signed-off-by: Bob Copeland
Acked-by: Stefano Brivio
Acked-by: Mattias Nissler
Signed-off-by: John W. Linville
18 Jan, 2010
1 commit
-
/proc/net/rt_acct is not created if NET_CLS_ROUTE=n.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
16 Jan, 2010
2 commits
-
Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can
cause timer oopses (first reported with 2.6.29.6 kernel).Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905
Reported-by: Bernard Pidoux
Tested-by: Bernard Pidoux
Signed-off-by: Jarek Poplawski
Signed-off-by: David S. Miller -
ieee80211_set_power_mgmt is meant for STA interfaces only. Moreover,
since sdata->u.mgd.mtx is only initialized for STA interfaces, using
this code for any other type of interface (like creating a monitor
interface) will result in a oops.Cc: stable@kernel.org
Signed-off-by: Benoit Papillault
Signed-off-by: John W. Linville
15 Jan, 2010
4 commits
-
da.s_net was not copied but assigned to itself.
Signed-off-by: Roel Kluin
Acked-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
This was just recently reported to me. When built as modules, the
dccp_probe module has a silent dependency on the dccp module. This
stems from the fact that the module_init routine of dccp_probe
registers a jprobe on the dccp_sendmsg symbol. Since the symbol is
only referenced as a text string (the .symbol_name field in the jprobe
struct) rather than the address of the symbol itself, depmod never
picks this dependency up, and so if you load the dccp_probe module
without the dccp module loaded, the register_jprobe call fails with an
-EINVAL, and the whole module load fails.The fix is pretty easy, we can just wrap the register_jprobe call in a
try_then_request_module call, which forces the dependency to get
satisfied prior to the probe registration.Signed-off-by: Neil Horman
Acked-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Patch fixes the bug at
http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2139Currently we cannot set the channel using wext extension
if we have already associated and disconnected. As
cfg80211_mgd_wext_siwfreq will not switch the channel if ssid is set.
This fixes it by clearing the ssid.
Following is the sequence which it tries to fix.
modprobe iwlagn
iwconfig wlan0 essid ""
ifconfig wlan0 down
iwconfig wlan0 chan Xwext is marked as deprecate.If we use nl80211 we can easily play with
setting the channel.Signed-off-by: Abhijeet Kolekar
Acked-by: Samuel Ortiz
cc: stable@kernel.org
Signed-off-by: John W. Linville -
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (34 commits)
net: fix build erros with CONFIG_BUG=n, CONFIG_GENERIC_BUG=n
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
tg3: Update copyright and driver version
tg3: Disable 5717 serdes and B0 support
tg3: Add reliable serdes detection for 5717 A0
tg3: Fix std rx prod ring handling
tg3: Fix std prod ring nicaddr for 5787 and 57765
sfc: Fix conditions for MDIO self-test
sfc: Fix polling for slow MCDI operations
e1000e: workaround link issues on busy hub in half duplex on 82577/82578
e1000e: MDIO slow mode should always be done for 82577
ixgbe: update copyright dates
ixgbe: Do not attempt to perform interrupts in netpoll when down
cfg80211: fix refcount imbalance when wext is disabled
mac80211: fix queue selection for data frames on monitor interfaces
iwlwifi: silence buffer overflow warning
iwlwifi: disable tx on beacon update notification
iwlwifi: fix iwl_queue_used bug when read_ptr == write_ptr
mac80211: fix endian error
mac80211: add missing sanity checks for action frames
...
14 Jan, 2010
1 commit
-
This fixes CERT-FI FICORA #341748
Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point. We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build. When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled. Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.With help from Eugene Teo
Signed-off-by: David S. Miller
13 Jan, 2010
2 commits
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (56 commits)
sky2: Fix oops in sky2_xmit_frame() after TX timeout
Documentation/3c509: document ethtool support
af_packet: Don't use skb after dev_queue_xmit()
vxge: use pci_dma_mapping_error to test return value
netfilter: ebtables: enforce CAP_NET_ADMIN
e1000e: fix and commonize code for setting the receive address registers
e1000e: e1000e_enable_tx_pkt_filtering() returns wrong value
e1000e: perform 10/100 adaptive IFS only on parts that support it
e1000e: don't accumulate PHY statistics on PHY read failure
e1000e: call pci_save_state() after pci_restore_state()
netxen: update version to 4.0.72
netxen: fix set mac addr
netxen: fix smatch warning
netxen: fix tx ring memory leak
tcp: update the netstamp_needed counter when cloning sockets
TI DaVinci EMAC: Handle emac module clock correctly.
dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips
ixgbe: Fix compiler warning about variable being used uninitialized
netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()
mv643xx_eth: don't include cache padding in rx desc buffer size
...Fix trivial conflict in drivers/scsi/cxgb3i/cxgb3i_offload.c
12 Jan, 2010
3 commits
-
When CONFIG_CFG80211_WEXT is not set, there is
a refcount imbalance with rdev->opencount, fix
that by moving it out of the ifdef.Reported-by: Alan Stern
Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville -
When ieee80211_monitor_select_queue encounters data frames, it selects
the WMM AC based on skb->priority and assumes that skb->priority
contains a valid 802.1d tag. However this assumption is incorrect, since
ieee80211_select_queue has not been called at this point.
If skb->priority > 7, an array overrun occurs, which could lead to
invalid values, resulting in crashes in the tx path.
Fix this by setting skb->priority based on the 802.11 header for QoS
frames and using the default AC for all non-QoS frames.Signed-off-by: Felix Fietkau
Signed-off-by: John W. Linville -
tpacket_snd() can change and kfree an skb after dev_queue_xmit(),
which is illegal.With debugging by: Stephen Hemminger
Reported-by: Michael Breuer
With help from: David S. Miller
Signed-off-by: Jarek Poplawski
Tested-by: Michael Breuer
Signed-off-by: David S. Miller
09 Jan, 2010
6 commits
-
* 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
nfs: fix oops in nfs_rename()
sunrpc: fix build-time warning
sunrpc: on successful gss error pipe write, don't return error
SUNRPC: Fix the return value in gss_import_sec_context()
SUNRPC: Fix up an error return value in gss_import_sec_context_kerberos() -
I forgot to convert the radiotap length to
CPU endian, which sparse found thankfully.Signed-off-by: Johannes Berg
Cc: stable@kernel.org
Signed-off-by: John W. Linville -
Various missing sanity checks caused rejected action frames to be
interpreted as channel switch announcements, which can cause a client
mode interface to switch away from its operating channel, thereby losing
connectivity. This patch ensures that only spectrum management action
frames are processed by the CSA handling function and prevents rejected
action frames from getting processed by the MLME code.Signed-off-by: Felix Fietkau
Cc: stable@kernel.org
Signed-off-by: John W. Linville -
Commit 'mac80211: fix skb buffering issue' added an ->ndo_select_queue()
for monitor interfaces which can end up dereferencing ieee802_1d_to_ac[]
beyond the end of the array for injected data packets (as skb->priority
isn't guaranteed to be zero or within [0:7]), which then triggers the
WARN_ON in net/core/dev.c:dev_cap_txqueue(). Fix this by always setting
the priority to zero on injected data frames.Signed-off-by: Lennert Buytenhek
Cc: stable@kernel.org
Signed-off-by: John W. Linville -
normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.Signed-off-by: Florian Westphal
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
08 Jan, 2010
2 commits
-
This fixes a netstamp_needed accounting issue when the listen socket
has SO_TIMESTAMP set:s = socket(AF_INET, SOCK_STREAM, 0);
setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -> netstamp_needed = 1
bind(s, ...);
listen(s, ...);
s2 = accept(s, ...); -> netstamp_needed = 1
close(s2); -> netstamp_needed = 0
close(s); -> netstamp_needed = -1Signed-off-by: Octavian Purdila
Signed-off-by: David S. Miller -
As noticed by Dan Carpenter , update_nl_seq()
currently contains an out of bounds read of the seq_aft_nl array
when looking for the oldest sequence number position.Fix it to only compare valid positions.
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
07 Jan, 2010
6 commits
-
When we have L3 tunnels with different inner/outer families
(i.e. IPV4/IPV6) which use a multicast address as the outer tunnel
destination address, multicast packets will be loopbacked back to the
sending socket even if IP*_MULTICAST_LOOP is set to disabled.The mc_loop flag is present in the family specific part of the socket
(e.g. the IPv4 or IPv4 specific part). setsockopt sets the inner
family mc_loop flag. When the packet is pushed through the L3 tunnel
it will eventually be processed by the outer family which if different
will check the flag in a different part of the socket then it was set.Signed-off-by: Octavian Purdila
Signed-off-by: David S. Miller -
* 'for-2.6.33' of git://linux-nfs.org/~bfields/linux:
sunrpc: fix peername failed on closed listener
nfsd: make sure data is on disk before calling ->fsync
nfsd: fix "insecure" export option -
There're some warnings of "nfsd: peername failed (err 107)!"
socket error -107 means Transport endpoint is not connected.
This warning message was outputed by svc_tcp_accept() [net/sunrpc/svcsock.c],
when kernel_getpeername returns -107. This means socket might be CLOSED.And svc_tcp_accept was called by svc_recv() [net/sunrpc/svc_xprt.c]
if (test_bit(XPT_LISTENER, &xprt->xpt_flags)) {
newxpt = xprt->xpt_ops->xpo_accept(xprt);
So this might happen when xprt->xpt_flags has both XPT_LISTENER and XPT_CLOSE.
Let's take a look at commit b0401d72, this commit has moved the close
processing after do recvfrom method, but this commit also introduces this
warnings, if the xpt_flags has both XPT_LISTENER and XPT_CLOSED, we should
close it, not accpet then close.Signed-off-by: Xiaotian Feng
Cc: J. Bruce Fields
Cc: Neil Brown
Cc: Trond Myklebust
Cc: David S. Miller
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields -
Fix auth_gss printk format warning:
net/sunrpc/auth_gss/auth_gss.c:660: warning: format '%ld' expects type 'long int', but argument 3 has type 'ssize_t'
Signed-off-by: Randy Dunlap
Acked-by: Jeff Layton
Signed-off-by: Trond Myklebust -
This reverts commit 53623f1a09c7a7d23b74f0f7d93dba0ebde1006b.
This was inadvertantly missed in "mac80211: fix skb buffering issue",
and is required with that patch to restore proper queue operation.Signed-off-by: John W. Linville
-
"mac80211: fix skb buffering issue" is based on what will become 2.6.34,
so it includes an incompatible usage of sta_info_get. This patch will
need to be effectively reverted when merging for 2.6.34.Signed-off-by: John W. Linville
06 Jan, 2010
1 commit
-
Since I removed the master netdev, we've been
keeping internal queues only, and even before
that we never told the networking stack above
the virtual interfaces about congestion. This
means that packets are queued in mac80211 and
the upper layers never know, possibly leading
to memory exhaustion and other problems.This patch makes all interfaces multiqueue and
uses ndo_select_queue to put the packets into
queues per AC. Additionally, when the driver
stops a queue, we now stop all corresponding
queues for the virtual interfaces as well.The injection case will use VO by default for
non-data frames, and BE for data frames, but
downgrade any data frames according to ACM. It
needs to be fleshed out in the future to allow
chosing the queue/AC in radiotap.Reported-by: Lennert Buytenhek
Signed-off-by: Johannes Berg
Cc: stable@kernel.org [2.6.32]
Signed-off-by: John W. Linville
05 Jan, 2010
1 commit
-
This fixes a syntax error when setting up the user regulatory
hint. This change yields the same exact binary object though
so it ends up just being a syntax typo fix, fortunately.Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez
Signed-off-by: John W. Linville
04 Jan, 2010
2 commits
-
The ipvs code has a nifty system for doing the size of ioctl command
copies; it defines an array with values into which it indexes the cmd
to find the right length.Unfortunately, the ipvs code forgot to check if the cmd was in the
range that the array provides, allowing for an index outside of the
array, which then gives a "garbage" result into the length, which
then gets used for copying into a stack buffer.Fix this by adding sanity checks on these as well as the copy size.
[ horms@verge.net.au: adjusted limit to IP_VS_SO_GET_MAX ]
Signed-off-by: Arjan van de Ven
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Patrick McHardy -
net/sctp/socket.c: In function 'sctp_setsockopt_autoclose':
net/sctp/socket.c:2090: warning: comparison is always false due to limited range of data typeCc: Andrei Pelinescu-Onciul
Cc: Vlad Yasevich
Cc: "David S. Miller"
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
