09 Sep, 2008
6 commits
-
The Security Mode 4 of the Bluetooth 2.1 specification has strict
authentication and encryption requirements. It is the initiators job
to create a secure ACL link. However in case of malicious devices, the
acceptor has to make sure that the ACL is encrypted before allowing
any kind of L2CAP connection. The only exception here is the PSM 1 for
the service discovery protocol, because that is allowed to run on an
insecure ACL link.Previously it was enough to reject a L2CAP connection during the
connection setup phase, but with Bluetooth 2.1 it is forbidden to
do any L2CAP protocol exchange on an insecure link (except SDP).The new hci_conn_check_link_mode() function can be used to check the
integrity of an ACL link. This functions also takes care of the cases
where Security Mode 4 is disabled or one of the devices is based on
an older specification.Signed-off-by: Marcel Holtmann
-
With the introduction of Security Mode 4 and Simple Pairing from the
Bluetooth 2.1 specification it became mandatory that the initiator
requires authentication and encryption before any L2CAP channel can
be established. The only exception here is PSM 1 for the service
discovery protocol (SDP). It is meant to be used without any encryption
since it contains only public information. This is how Bluetooth 2.0
and before handle connections on PSM 1.For Bluetooth 2.1 devices the pairing procedure differentiates between
no bonding, general bonding and dedicated bonding. The L2CAP layer
wrongly uses always general bonding when creating new connections, but it
should not do this for SDP connections. In this case the authentication
requirement should be no bonding and the just-works model should be used,
but in case of non-SDP connection it is required to use general bonding.If the new connection requires man-in-the-middle (MITM) protection, it
also first wrongly creates an unauthenticated link key and then later on
requests an upgrade to an authenticated link key to provide full MITM
protection. With Simple Pairing the link key generation is an expensive
operation (compared to Bluetooth 2.0 and before) and doing this twice
during a connection setup causes a noticeable delay when establishing
a new connection. This should be avoided to not regress from the expected
Bluetooth 2.0 connection times. The authentication requirements are known
up-front and so enforce them.To fulfill these requirements the hci_connect() function has been extended
with an authentication requirement parameter that will be stored inside
the connection information and can be retrieved by userspace at any
time. This allows the correct IO capabilities exchange and results in
the expected behavior.Signed-off-by: Marcel Holtmann
-
…l/git/tip/linux-2.6-tip
* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
sched: arch_reinit_sched_domains() must destroy domains to force rebuild
sched, cpuset: rework sched domains and CPU hotplug handling (v4) -
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
bridge: don't allow setting hello time to zero
netns : fix kernel panic in timewait socket destruction
pkt_sched: Fix qdisc state in net_tx_action()
netfilter: nf_conntrack_irc: make sure string is terminated before calling simple_strtoul
netfilter: nf_conntrack_gre: nf_ct_gre_keymap_flush() fixlet
netfilter: nf_conntrack_gre: more locking around keymap list
netfilter: nf_conntrack_sip: de-static helper pointers -
How to reproduce ?
- create a network namespace
- use tcp protocol and get timewait socket
- exit the network namespace
- after a moment (when the timewait socket is destroyed), the kernel
panics.# BUG: unable to handle kernel NULL pointer dereference at
0000000000000007
IP: [] inet_twdr_do_twkill_work+0x6e/0xb8
PGD 119985067 PUD 11c5c0067 PMD 0
Oops: 0000 [1] SMP
CPU 1
Modules linked in: ipv6 button battery ac loop dm_mod tg3 libphy ext3 jbd
edd fan thermal processor thermal_sys sg sata_svw libata dock serverworks
sd_mod scsi_mod ide_disk ide_core [last unloaded: freq_table]
Pid: 0, comm: swapper Not tainted 2.6.27-rc2 #3
RIP: 0010:[] []
inet_twdr_do_twkill_work+0x6e/0xb8
RSP: 0018:ffff88011ff7fed0 EFLAGS: 00010246
RAX: ffffffffffffffff RBX: ffffffff82339420 RCX: ffff88011ff7ff30
RDX: 0000000000000001 RSI: ffff88011a4d03c0 RDI: ffff88011ac2fc00
RBP: ffffffff823392e0 R08: 0000000000000000 R09: ffff88002802a200
R10: ffff8800a5c4b000 R11: ffffffff823e4080 R12: ffff88011ac2fc00
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000041cbd940(0000) GS:ffff8800bff839c0(0000)
knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000007 CR3: 00000000bd87c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff8800bff9e000, task
ffff88011ff76690)
Stack: ffffffff823392e0 0000000000000100 ffffffff821e3a3a
0000000000000008
0000000000000000 ffffffff821e3a61 ffff8800bff7c000 ffffffff8203c7e7
ffff88011ff7ff10 ffff88011ff7ff10 0000000000000021 ffffffff82351108
Call Trace:
[] ? inet_twdr_hangman+0x0/0x9e
[] ? inet_twdr_hangman+0x27/0x9e
[] ? run_timer_softirq+0x12c/0x193
[] ? __do_softirq+0x5e/0xcd
[] ? call_softirq+0x1c/0x28
[] ? do_softirq+0x2c/0x68
[] ? smp_apic_timer_interrupt+0x8e/0xa9
[] ? apic_timer_interrupt+0x66/0x70
[] ? default_idle+0x27/0x3b
[] ? cpu_idle+0x5f/0x7dCode: e8 01 00 00 4c 89 e7 41 ff c5 e8 8d fd ff ff 49 8b 44 24 38 4c 89 e7
65 8b 14 25 24 00 00 00 89 d2 48 8b 80 e8 00 00 00 48 f7 d0 8b 04 d0
48 ff 40 58 e8 fc fc ff ff 48 89 df e8 c0 5f 04 00
RIP [] inet_twdr_do_twkill_work+0x6e/0xb8
RSP
CR2: 0000000000000007This patch provides a function to purge all timewait sockets related
to a network namespace. The timewait sockets life cycle is not tied with
the network namespace, that means the timewait sockets stay alive while
the network namespace dies. The timewait sockets are for avoiding to
receive a duplicate packet from the network, if the network namespace is
freed, the network stack is removed, so no chance to receive any packets
from the outside world. Furthermore, having a pending destruction timer
on these sockets with a network namespace freed is not safe and will lead
to an oops if the timer callback which try to access data belonging to
the namespace like for example in:
inet_twdr_do_twkill_work
-> NET_INC_STATS_BH(twsk_net(tw), LINUX_MIB_TIMEWAITED);Purging the timewait sockets at the network namespace destruction will:
1) speed up memory freeing for the namespace
2) fix kernel panic on asynchronous timewait destructionSigned-off-by: Daniel Lezcano
Acked-by: Denis V. Lunev
Acked-by: Eric W. Biederman
Signed-off-by: David S. Miller
07 Sep, 2008
5 commits
-
…git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86: cpu_init(): fix memory leak when using CPU hotplug
x86: pda_init(): fix memory leak when using CPU hotplug
x86, xen: Use native_pte_flags instead of native_pte_val for .pte_flags
x86: move mtrr cpu cap setting early in early_init_xxxx
x86: delay early cpu initialization until cpuid is done
x86: use X86_FEATURE_NOPL in alternatives
x86: add NOPL as a synthetic CPU feature bit
x86: boot: stub out unimplemented CPU feature words -
…el/git/tip/linux-2.6-tip
* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
clocksource, acpi_pm.c: check for monotonicity
clocksource, acpi_pm.c: use proper read function also in errata mode
ntp: fix calculation of the next jiffie to trigger RTC sync
x86: HPET: read back compare register before reading counter
x86: HPET fix moronic 32/64bit thinko
clockevents: broadcast fixup possible waiters
HPET: make minimum reprogramming delta useful
clockevents: prevent endless loop lockup
clockevents: prevent multiple init/shutdown
clockevents: enforce reprogram in oneshot setup
clockevents: prevent endless loop in periodic broadcast handler
clockevents: prevent clockevent event_handler ending up handler_noop -
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
[MIPS] Probe initrd header only if explicitly specified
[MIPS] TX39xx: Add missing local_flush_icache_range initialization
[MIPS] TXx9: Fix txx9_pcode initialization
[MIPS] Fix WARNING: at kernel/smp.c:290
[MIPS] Fix data bus error recovery -
What I realized recently is that calling rebuild_sched_domains() in
arch_reinit_sched_domains() by itself is not enough when cpusets are enabled.
partition_sched_domains() code is trying to avoid unnecessary domain rebuilds
and will not actually rebuild anything if new domain masks match the old ones.What this means is that doing
echo 1 > /sys/devices/system/cpu/sched_mc_power_savings
on a system with cpusets enabled will not take affect untill something changes
in the cpuset setup (ie new sets created or deleted).This patch fixes restore correct behaviour where domains must be rebuilt in
order to enable MC powersaving flags.Test on quad-core Core2 box with both CONFIG_CPUSETS and !CONFIG_CPUSETS.
Also tested on dual-core Core2 laptop. Lockdep is happy and things are working
as expected.Signed-off-by: Max Krasnyansky
Tested-by: Vaidyanathan Srinivasan
Signed-off-by: Ingo Molnar
06 Sep, 2008
9 commits
-
The long noops ("NOPL") are supposed to be detected by family >= 6.
Unfortunately, several non-Intel x86 implementations, both hardware
and software, don't obey this dictum. Instead, probe for NOPL
directly by executing a NOPL instruction and see if we get #UD.Signed-off-by: H. Peter Anvin
-
Fix some pasto's in comments in the new linux/tracehook.h and
asm-generic/syscall.h files.Reported-by: Wenji Huang
Signed-off-by: Roland McGrath
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
I found we can no longer set limit to 0 with 2.6.27-rcX:
# mount -t cgroup -omemory xxx /mnt
# mkdir /mnt/0
# echo 0 > /mnt/0/memory.limit_in_bytes
bash: echo: write error: Device or resource busyIt turned out 'limit' can't be set to 'usage', which is wrong IMO.
Signed-off-by: Li Zefan
Acked-by: KAMEZAWA Hiroyuki
Acked-by: Balbir Singh
Acked-by: Pavel Emelyanov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
…l/git/tip/linux-2.6-tip
* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
sched: fix process time monotonicity
sched_clock: fix NOHZ interaction -
* git://git.infradead.org/~dwmw2/dwmw2-2.6.27:
Revert "[ARM] use the new byteorder headers"
Fix conditional export of kvh.h and a.out.h to userspace.
[MTD] [NAND] tmio_nand: fix base address programming -
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb: (98 commits)
V4L/DVB (8881): gspca: After 'while (retry--) {...}', retry will be -1 but not 0.
V4L/DVB (8880): PATCH: Fix parents on some webcam drivers
V4L/DVB (8877): b2c2 and bt8xx: udelay to mdelay
V4L/DVB (8876): budget: udelay changed to mdelay
V4L/DVB (8874): gspca: Adjust hstart for sn9c103/ov7630 and update usb-id's.
V4L/DVB (8873): gspca: Bad image offset with rev012a of spca561 and adjust exposure.
V4L/DVB (8872): gspca: Bad image format and offset with rev072a of spca561.
V4L/DVB (8870): gspca: Fix dark room problem with sonixb.
V4L/DVB (8869): gspca: Move the Sonix webcams with TAS5110C1B from sn9c102 to gspca.
V4L/DVB (8868): gspca: Support for vga modes with sif sensors in sonixb.
V4L/DVB (8844): dabusb_fpga_download(): fix a memory leak
V4L/DVB (8843): tda10048_firmware_upload(): fix a memory leak
V4L/DVB (8842): vivi_release(): fix use-after-free
V4L/DVB (8840): dib0700: add basic support for Hauppauge Nova-TD-500 (84xxx)
V4L/DVB (8839): dib0700: add comment to identify 35th USB id pair
V4L/DVB (8837): dvb: fix I2C adapters name size
V4L/DVB (8835): gspca: Same pixfmt as the sn9c102 driver and raw Bayer added in sonixb.
V4L/DVB (8834): gspca: Have a bigger buffer for sn9c10x compressed images.
V4L/DVB (8833): gspca: Cleanup the sonixb code.
V4L/DVB (8832): gspca: Bad pixelformat of vc0321 webcams.
... -
* 'core/debugobjects' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
debugobjects: fix lockdep warning -
trap_init issues flush_icache_range(), which uses ipi functions to
get icache flushing done on all cpus. But this is done before interrupts
are enabled and caused WARN_ON messages. This changeset introduces
a new local_flush_icache_range() and uses it before interrupts (and
additional CPUs) are enabled to avoid this problem.Signed-off-by: Thomas Bogendoerfer
Signed-off-by: Ralf Baechle -
Spencer reported a problem where utime and stime were going negative despite
the fixes in commit b27f03d4bdc145a09fb7b0c0e004b29f1ee555fa. The suspected
reason for the problem is that signal_struct maintains it's own utime and
stime (of exited tasks), these are not updated using the new task_utime()
routine, hence sig->utime can go backwards and cause the same problem
to occur (sig->utime, adds tsk->utime and not task_utime()). This patch
fixes the problemTODO: using max(task->prev_utime, derived utime) works for now, but a more
generic solution is to implement cputime_max() and use the cputime_gt()
function for comparison.Reported-by: spencer@bluehost.com
Signed-off-by: Balbir Singh
Signed-off-by: Peter Zijlstra
Signed-off-by: Ingo Molnar
05 Sep, 2008
3 commits
-
Some architectures have moved the asm/ into arch/ and some have not.
This patch checks for a.out.h and kvh.h in both places before exporting
the corresponding file from linux/[dwmw2: simplified a little]
Signed-off-by: Khem Raj
Signed-off-by: David Woodhouse -
There is a ordering related problem with clockevents code, due to which
clockevents_register_device() called after tickless/highres switch
will not work. The new clockevent ends up with clockevents_handle_noop as
event handler, resulting in no timer activity.The problematic path seems to be
* old device already has hrtimer_interrupt as the event_handler
* new clockevent device registers with a higher rating
* tick_check_new_device() is called
* clockevents_exchange_device() gets called
* old->event_handler is set to clockevents_handle_noop
* tick_setup_device() is called for the new device
* which sets new->event_handler using the old->event_handler which is noop.Change the ordering so that new device inherits the proper handler.
This does not have any issue in normal case as most likely all the clockevent
devices are setup before the highres switch. But, can potentially be affecting
some corner case where HPET force detect happens after the highres switch.
This was a problem with HPET in MSI mode code that we have been experimenting
with.Signed-off-by: Venkatesh Pallipadi
Signed-off-by: Shaohua Li
Signed-off-by: Thomas Gleixner
Signed-off-by: Ingo Molnar
04 Sep, 2008
4 commits
-
Signed-off-by: Jean-Francois Moine
Signed-off-by: Mauro Carvalho Chehab -
the previous patch (sensor upside down).
Signed-off-by: Hans de Goede
Signed-off-by: Jean-Francois Moine
Signed-off-by: Mauro Carvalho Chehab -
This patch adds a V4L2_CAP_SENSOR_UPSIDE_DOWN flag to the capabilities flags,
and sets this flag for the Philips SPC200NC cam (which has its sensor installed
upside down). The same flag is also needed and added for the Philips SPC300NC.Together with a patch to libv4l which adds flipping the image in software this
fixes the upside down display with the SPC200NC cam.Signed-of-by: Hans de Goede
Signed-off-by: Jean-Francois Moine
Signed-off-by: Mauro Carvalho Chehab -
The JPEG frames generated by the Pixart 73xx have:
- special markers 'ff ff ff xx' every 1024/512 bytes,
- unused 8 bits at end of JPEG blocks,
and then ask for a new pixel format.Signed-off-by: Jean-Francois Moine
Signed-off-by: Mauro Carvalho Chehab
03 Sep, 2008
6 commits
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
ipsec: Fix deadlock in xfrm_state management.
ipv: Re-enable IP when MTU > 68
net/xfrm: Use an IS_ERR test rather than a NULL test
ath9: Fix ath_rx_flush_tid() for IRQs disabled kernel warning message.
ath9k: Incorrect key used when group and pairwise ciphers are different.
rt2x00: Compiler warning unmasked by fix of BUILD_BUG_ON
mac80211: Fix debugfs union misuse and pointer corruption
wireless/libertas/if_cs.c: fix memory leaks
orinoco: Multicast to the specified addresses
iwlwifi: fix 64bit platform firmware loading
iwlwifi: fix apm_stop (wrong bit polarity for FLAG_INIT_DONE)
iwlwifi: workaround interrupt handling no some platforms
iwlwifi: do not use GFP_DMA in iwl_tx_queue_init
net/wireless/Kconfig: clarify the description for CONFIG_WIRELESS_EXT_SYSFS
net: Unbreak userspace usage of linux/mroute.h
pkt_sched: Fix locking of qdisc_root with qdisc_root_sleeping_lock()
ipv6: When we droped a packet, we should return NET_RX_DROP instead of 0 -
Quicklists can consume several GB of memory. We should provide a means of
monitoring this.After this patch is applied, /proc/meminfo will output the following:
% cat /proc/meminfo
MemTotal: 7715392 kB
MemFree: 5401600 kB
Buffers: 80384 kB
Cached: 300800 kB
SwapCached: 0 kB
Active: 235584 kB
Inactive: 262656 kB
SwapTotal: 2031488 kB
SwapFree: 2031488 kB
Dirty: 3520 kB
Writeback: 0 kB
AnonPages: 117696 kB
Mapped: 38528 kB
Slab: 1589952 kB
SReclaimable: 23104 kB
SUnreclaim: 1566848 kB
PageTables: 14656 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 5889152 kB
Committed_AS: 393152 kB
VmallocTotal: 17592177655808 kB
VmallocUsed: 29056 kB
VmallocChunk: 17592177626432 kB
Quicklists: 130944 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 262144 kBSigned-off-by: KOSAKI Motohiro
Cc: Christoph Lameter
Cc: Keiichiro Tokunaga
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
* git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6:
ide/Kconfig: mark ide-scsi as deprecated
ide-disk: remove stale init_idedisk_capacity() documentation
palm_bk3710: improve IDE registration
ide: fix hwif_to_node()
IDE: palm_bk3710: fix compile warning for unused variable
IDE: compile fix for sff_dma_ops -
hwif_to_node() incorrectly assumes that hwif->dev always belongs to
a PCI device. This results in ide-cs oopsing in init_irq() after
commit c56c5648a3bd15ff14c50f284b261140cd5b5472 accidentally fixed
device tree registration for ide-cs. Fix it by using dev_to_node().Thanks to Martin Michlmayr and Larry Finger for help with debugging
the issue.Reported-by: Martin Michlmayr
Tested-by: Martin Michlmayr
Cc: Larry Finger
Cc: Dominik Brodowski
Signed-off-by: Bartlomiej Zolnierkiewicz -
The sff_dma_ops struct should be wrapped by BLK_DEV_IDEDMA_SFF instead
of BLK_DEV_IDEDMA_PCI.Signed-off-by: Kevin Hilman
Cc: Sergei Shtylyov
Signed-off-by: Bartlomiej Zolnierkiewicz -
* 'for-2.6.27' of git://linux-nfs.org/~bfields/linux:
nfsd: fix buffer overrun decoding NFSv4 acl
sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports
nfsd: fix compound state allocation error handling
svcrdma: Fix race between svc_rdma_recvfrom thread and the dto_tasklet
01 Sep, 2008
1 commit
-
Daniel J. Blueman reported:
> =======================================================
> [ INFO: possible circular locking dependency detected ]
> 2.6.27-rc4-224c #1
> -------------------------------------------------------
> hald/4680 is trying to acquire lock:
> (&n->list_lock){++..}, at: [] add_partial+0x26/0x80
>
> but task is already holding lock:
> (&obj_hash[i].lock){++..}, at: []
> debug_object_free+0x5c/0x120We fix it by moving the actual freeing to outside the lock (the lock
now only protects the list).The pool lock is also promoted to irq-safe (suggested by Dan). It's
necessary because free_pool is now called outside the irq disabled
region. So we need to protect against an interrupt handler which calls
debug_object_init().[tglx@linutronix.de: added hlist_move_list helper to avoid looping
through the list twice]Reported-by: Daniel J Blueman
Signed-off-by: Vegard Nossum
Signed-off-by: Thomas Gleixner
30 Aug, 2008
2 commits
-
Not used anywhere yet, but this complements the existing plain
'insert_resource()' functionality with a version that can expand the
resource we are adding in order to fix up any conflicts it has with
existing resources.Signed-off-by: Linus Torvalds
-
Nothing in linux/pim.h should be exported to userspace.
This should fix the XORP build failure reported by
Jose Calhariz, the debain package maintainer.Nothing originally in linux/mroute.h was exported to userspace
ever, but some of this stuff started to be when it was moved into
this new linux/pim.h, and that was wrong. If we didn't provide these
definitions for 10 years we can reasonably expect that applications
defined this stuff locally or used GLIBC headers providing the
protocol definitions. And as such the only result of this can
be conflict and userland build breakage.Signed-off-by: David S. Miller
29 Aug, 2008
3 commits
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/blackfin-2.6:
Blackfin arch: Fix PM building on BF52x: No ROTWE on BF52x, add USBWE
Blackfin arch: sram: use 'unsigned long' for irqflags
Blackfin arch: let PCI depend on BROKEN
Blackfin arch: move include/asm-blackfin header files to arch/blackfin
Blackfin arch: fix bug - MPU crashes under stress
Blackfin arch: Fix bug - when to rmmod the L1_module, it stucks and then reboot the board.
Blackfin arch: dont actually need to muck with EMAC_SYSTAT for BF52x for demuxing
Blackfin arch: Add MTD Partitions for MTD_DATAFLASH, increase max SPI SCLK -
…git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86: update defconfigs
x86: msr: fix bogus return values from rdmsr_safe/wrmsr_safe
x86: cpuid: correct return value on partial operations
x86: msr: correct return value on partial operations
x86: cpuid: propagate error from smp_call_function_single()
x86: msr: propagate errors from smp_call_function_single()
smp: have smp_call_function_single() detect invalid CPUs -
* 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6:
i2c: Prevent log spam on some DVB adapters
i2c: Add missing kerneldoc descriptions
i2c: Fix device_init_wakeup place
28 Aug, 2008
1 commit
-
Add missing kernel descriptions of struct i2c_driver members.
Signed-off-by: Jean Delvare
Acked-by: Randy Dunlap
Cc: David Brownell
