1. 11 3月, 2011 2 次提交
  2. 10 3月, 2011 4 次提交
    • D
      ipv6: Don't create clones of host routes. · 7343ff31
      David S. Miller 提交于
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=29252
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=30462
      
      In commit d80bc0fd ("ipv6: Always
      clone offlink routes.") we forced the kernel to always clone offlink
      routes.
      
      The reason we do that is to make sure we never bind an inetpeer to a
      prefixed route.
      
      The logic turned on here has existed in the tree for many years,
      but was always off due to a protecting CPP define.  So perhaps
      it's no surprise that there is a logic bug here.
      
      The problem is that we canot clone a route that is already a
      host route (ie. has DST_HOST set).  Because if we do, an identical
      entry already exists in the routing tree and therefore the
      ip6_rt_ins() call is going to fail.
      
      This sets off a series of failures and high cpu usage, because when
      ip6_rt_ins() fails we loop retrying this operation a few times in
      order to handle a race between two threads trying to clone and insert
      the same host route at the same time.
      
      Fix this by simply using the route as-is when DST_HOST is set.
      
      Reported-by: slash@ac.auone-net.jp
      Reported-by: NErnst Sjöstrand <ernstp@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7343ff31
    • V
      net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules · 8909c9ad
      Vasiliy Kulikov 提交于
      Since a8f80e8f any process with
      CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
      that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
      limited to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't
      allow anybody load any module not related to networking.
      
      This patch restricts an ability of autoloading modules to netdev modules
      with explicit aliases.  This fixes CVE-2011-1019.
      
      Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior
      of loading netdev modules by name (without any prefix) for processes
      with CAP_SYS_MODULE to maintain the compatibility with network scripts
      that use autoloading netdev modules by aliases like "eth0", "wlan0".
      
      Currently there are only three users of the feature in the upstream
      kernel: ipip, ip_gre and sit.
      
          root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) --
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	fffffff800001000
          CapEff:	fffffff800001000
          CapBnd:	fffffff800001000
          root@albatros:~# modprobe xfs
          FATAL: Error inserting xfs
          (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit
          sit: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit0
          sit0      Link encap:IPv6-in-IPv4
      	      NOARP  MTU:1480  Metric:1
      
          root@albatros:~# lsmod | grep sit
          sit                    10457  0
          tunnel4                 2957  1 sit
      
      For CAP_SYS_MODULE module loading is still relaxed:
      
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	ffffffffffffffff
          CapEff:	ffffffffffffffff
          CapBnd:	ffffffffffffffff
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          xfs                   745319  0
      
      Reference: https://lkml.org/lkml/2011/2/24/203Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
      Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Acked-by: NKees Cook <kees.cook@canonical.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8909c9ad
    • D
      pktgen: fix errata in show results · 03a14ab1
      Daniel Turull 提交于
      The units in show_results in pktgen were not correct.
      The results are in usec but it was displayed nsec.
      Reported-by: NJong-won Lee <ljw@handong.edu>
      Signed-off-by: NDaniel Turull <daniel.turull@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      03a14ab1
    • D
      ipv4: Fix erroneous uses of ifa_address. · 6c91afe1
      David S. Miller 提交于
      In usual cases ifa_address == ifa_local, but in the case where
      SIOCSIFDSTADDR sets the destination address on a point-to-point
      link, ifa_address gets set to that destination address.
      
      Therefore we should use ifa_local when we want the local interface
      address.
      
      There were two cases where the selection was done incorrectly:
      
      1) When devinet_ioctl() does matching, it checks ifa_address even
         though gifconf correct reported ifa_local to the user
      
      2) IN_DEV_ARP_NOTIFY handling sends a gratuitous ARP using
         ifa_address instead of ifa_local.
      Reported-by: NJulian Anastasov <ja@ssi.bg>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6c91afe1
  3. 09 3月, 2011 1 次提交
    • N
      rds: prevent BUG_ON triggering on congestion map updates · 6094628b
      Neil Horman 提交于
      Recently had this bug halt reported to me:
      
      kernel BUG at net/rds/send.c:329!
      Oops: Exception in kernel mode, sig: 5 [#1]
      SMP NR_CPUS=1024 NUMA pSeries
      Modules linked in: rds sunrpc ipv6 dm_mirror dm_region_hash dm_log ibmveth sg
      ext4 jbd2 mbcache sd_mod crc_t10dif ibmvscsic scsi_transport_srp scsi_tgt
      dm_mod [last unloaded: scsi_wait_scan]
      NIP: d000000003ca68f4 LR: d000000003ca67fc CTR: d000000003ca8770
      REGS: c000000175cab980 TRAP: 0700   Not tainted  (2.6.32-118.el6.ppc64)
      MSR: 8000000000029032 <EE,ME,CE,IR,DR>  CR: 44000022  XER: 00000000
      TASK = c00000017586ec90[1896] 'krdsd' THREAD: c000000175ca8000 CPU: 0
      GPR00: 0000000000000150 c000000175cabc00 d000000003cb7340 0000000000002030
      GPR04: ffffffffffffffff 0000000000000030 0000000000000000 0000000000000030
      GPR08: 0000000000000001 0000000000000001 c0000001756b1e30 0000000000010000
      GPR12: d000000003caac90 c000000000fa2500 c0000001742b2858 c0000001742b2a00
      GPR16: c0000001742b2a08 c0000001742b2820 0000000000000001 0000000000000001
      GPR20: 0000000000000040 c0000001742b2814 c000000175cabc70 0800000000000000
      GPR24: 0000000000000004 0200000000000000 0000000000000000 c0000001742b2860
      GPR28: 0000000000000000 c0000001756b1c80 d000000003cb68e8 c0000001742b27b8
      NIP [d000000003ca68f4] .rds_send_xmit+0x4c4/0x8a0 [rds]
      LR [d000000003ca67fc] .rds_send_xmit+0x3cc/0x8a0 [rds]
      Call Trace:
      [c000000175cabc00] [d000000003ca67fc] .rds_send_xmit+0x3cc/0x8a0 [rds]
      (unreliable)
      [c000000175cabd30] [d000000003ca7e64] .rds_send_worker+0x54/0x100 [rds]
      [c000000175cabdb0] [c0000000000b475c] .worker_thread+0x1dc/0x3c0
      [c000000175cabed0] [c0000000000baa9c] .kthread+0xbc/0xd0
      [c000000175cabf90] [c000000000032114] .kernel_thread+0x54/0x70
      Instruction dump:
      4bfffd50 60000000 60000000 39080001 935f004c f91f0040 41820024 813d017c
      7d094a78 7d290074 7929d182 394a0020 <0b090000> 40e2ff68 4bffffa4 39200000
      Kernel panic - not syncing: Fatal exception
      Call Trace:
      [c000000175cab560] [c000000000012e04] .show_stack+0x74/0x1c0 (unreliable)
      [c000000175cab610] [c0000000005a365c] .panic+0x80/0x1b4
      [c000000175cab6a0] [c00000000002fbcc] .die+0x21c/0x2a0
      [c000000175cab750] [c000000000030000] ._exception+0x110/0x220
      [c000000175cab910] [c000000000004b9c] program_check_common+0x11c/0x180
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6094628b
  4. 08 3月, 2011 2 次提交
    • R
      net: fix multithreaded signal handling in unix recv routines · b3ca9b02
      Rainer Weikusat 提交于
      The unix_dgram_recvmsg and unix_stream_recvmsg routines in
      net/af_unix.c utilize mutex_lock(&u->readlock) calls in order to
      serialize read operations of multiple threads on a single socket. This
      implies that, if all n threads of a process block in an AF_UNIX recv
      call trying to read data from the same socket, one of these threads
      will be sleeping in state TASK_INTERRUPTIBLE and all others in state
      TASK_UNINTERRUPTIBLE. Provided that a particular signal is supposed to
      be handled by a signal handler defined by the process and that none of
      this threads is blocking the signal, the complete_signal routine in
      kernel/signal.c will select the 'first' such thread it happens to
      encounter when deciding which thread to notify that a signal is
      supposed to be handled and if this is one of the TASK_UNINTERRUPTIBLE
      threads, the signal won't be handled until the one thread not blocking
      on the u->readlock mutex is woken up because some data to process has
      arrived (if this ever happens). The included patch fixes this by
      changing mutex_lock to mutex_lock_interruptible and handling possible
      error returns in the same way interruptions are handled by the actual
      receive-code.
      Signed-off-by: NRainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b3ca9b02
    • T
      net: Enter net/ipv6/ even if CONFIG_IPV6=n · 2ea6d8c4
      Thomas Graf 提交于
      exthdrs_core.c and addrconf_core.c in net/ipv6/ contain bits which
      must be made available even if IPv6 is disabled.
      
      net/ipv6/Makefile already correctly includes them if CONFIG_IPV6=n
      but net/Makefile prevents entering the subdirectory.
      Signed-off-by: NThomas Graf <tgraf@infradead.org>
      Acked-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ea6d8c4
  5. 05 3月, 2011 3 次提交
    • S
      libceph: fix msgr standby handling · e00de341
      Sage Weil 提交于
      The standby logic used to be pretty dependent on the work requeueing
      behavior that changed when we switched to WQ_NON_REENTRANT.  It was also
      very fragile.
      
      Restructure things so that:
       - We clear WRITE_PENDING when we set STANDBY.  This ensures we will
         requeue work when we wake up later.
       - con_work backs off if STANDBY is set.  There is nothing to do if we are
         in standby.
       - clear_standby() helper is called by both con_send() and con_keepalive(),
         the two actions that can wake us up again.  Move the connect_seq++
         logic here.
      Signed-off-by: NSage Weil <sage@newdream.net>
      e00de341
    • S
      libceph: fix msgr keepalive flag · e76661d0
      Sage Weil 提交于
      There was some broken keepalive code using a dead variable.  Shift to using
      the proper bit flag.
      Signed-off-by: NSage Weil <sage@newdream.net>
      e76661d0
    • S
      libceph: fix msgr backoff · 60bf8bf8
      Sage Weil 提交于
      With commit f363e45f we replaced a bunch of hacky workqueue mutual
      exclusion logic with the WQ_NON_REENTRANT flag.  One pieces of fallout is
      that the exponential backoff breaks in certain cases:
      
       * con_work attempts to connect.
       * we get an immediate failure, and the socket state change handler queues
         immediate work.
       * con_work calls con_fault, we decide to back off, but can't queue delayed
         work.
      
      In this case, we add a BACKOFF bit to make con_work reschedule delayed work
      next time it runs (which should be immediately).
      Signed-off-by: NSage Weil <sage@newdream.net>
      60bf8bf8
  6. 04 3月, 2011 3 次提交
    • D
      DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] · 1362fa07
      David Howells 提交于
      When a DNS resolver key is instantiated with an error indication, attempts to
      read that key will result in an oops because user_read() is expecting there to
      be a payload - and there isn't one [CVE-2011-1076].
      
      Give the DNS resolver key its own read handler that returns the error cached in
      key->type_data.x[0] as an error rather than crashing.
      
      Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
      amount of data it prints, since the data is not necessarily NUL-terminated.
      
      The buggy code was added in:
      
      	commit 4a2d7892
      	Author: Wang Lei <wang840925@gmail.com>
      	Date:   Wed Aug 11 09:37:58 2010 +0100
      	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]
      
      This can trivially be reproduced by any user with the following program
      compiled with -lkeyutils:
      
      	#include <stdlib.h>
      	#include <keyutils.h>
      	#include <err.h>
      	static char payload[] = "#dnserror=6";
      	int main()
      	{
      		key_serial_t key;
      		key = add_key("dns_resolver", "a", payload, sizeof(payload),
      			      KEY_SPEC_SESSION_KEYRING);
      		if (key == -1)
      			err(1, "add_key");
      		if (keyctl_read(key, NULL, 0) == -1)
      			err(1, "read_key");
      		return 0;
      	}
      
      What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
      
      	dns-break: read_key: No such device or address
      
      but instead the kernel oopses.
      
      This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
      as both of those cut the data down below the NUL termination that must be
      included in the data.  Without this dns_resolver_instantiate() will return
      -EINVAL and the key will not be instantiated such that it can be read.
      
      The oops looks like:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
      PGD 3bdf8067 PUD 385b9067 PMD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
      CPU 0
      Modules linked in:
      
      Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
      RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
      RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
      RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
      RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
      R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
      FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
      Stack:
       ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
       ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
       00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
      Call Trace:
       [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
       [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
       [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
      Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
      RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
       RSP <ffff88003bf47f08>
      CR2: 0000000000000010
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJeff Layton <jlayton@redhat.com>
      cc: Wang Lei <wang840925@gmail.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      1362fa07
    • S
      libceph: retry after authorization failure · 692d20f5
      Sage Weil 提交于
      If we mark the connection CLOSED we will give up trying to reconnect to
      this server instance.  That is appropriate for things like a protocol
      version mismatch that won't change until the server is restarted, at which
      point we'll get a new addr and reconnect.  An authorization failure like
      this is probably due to the server not properly rotating it's secret keys,
      however, and should be treated as transient so that the normal backoff and
      retry behavior kicks in.
      Signed-off-by: NSage Weil <sage@newdream.net>
      692d20f5
    • S
      libceph: fix handling of short returns from get_user_pages · 38815b78
      Sage Weil 提交于
      get_user_pages() can return fewer pages than we ask for.  We were returning
      a bogus pointer/error code in that case.  Instead, loop until we get all
      the pages we want or get an error we can return to the caller.
      Signed-off-by: NSage Weil <sage@newdream.net>
      38815b78
  7. 03 3月, 2011 2 次提交
  8. 02 3月, 2011 3 次提交
    • J
      netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values · 9ef0298a
      Jan Engelhardt 提交于
      Like many other places, we have to check that the array index is
      within allowed limits, or otherwise, a kernel oops and other nastiness
      can ensue when we access memory beyond the end of the array.
      
      [ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000
      [ 5954.120014] IP:  __find_logger+0x6f/0xa0
      [ 5954.123979]  nf_log_bind_pf+0x2b/0x70
      [ 5954.123979]  nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log]
      [ 5954.123979]  nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink]
      ...
      
      The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind
      was decoupled from nf_log_register.
      
      Reported-by: Miguel Di Ciurcio Filho <miguel.filho@gmail.com>,
        via irc.freenode.net/#netfilter
      Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      9ef0298a
    • G
      dccp: fix oops on Reset after close · 720dc34b
      Gerrit Renker 提交于
      This fixes a bug in the order of dccp_rcv_state_process() that still permitted
      reception even after closing the socket. A Reset after close thus causes a NULL
      pointer dereference by not preventing operations on an already torn-down socket.
      
       dccp_v4_do_rcv() 
      	|
      	| state other than OPEN
      	v
       dccp_rcv_state_process()
      	|
      	| DCCP_PKT_RESET
      	v
       dccp_rcv_reset()
      	|
      	v
       dccp_time_wait()
      
       WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
       Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
       [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
       [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
       [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
       [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
       [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
       [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
       [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
       [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
       [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)
      
      The fix is by testing the socket state first. Receiving a packet in Closed state
      now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.
      Reported-and-tested-by: NJohan Hovold <jhovold@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: NGerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      720dc34b
    • J
      ipvs: fix dst_lock locking on dest update · ff75f40f
      Julian Anastasov 提交于
      	Fix dst_lock usage in __ip_vs_update_dest. We need
      _bh locking because destination is updated in user context.
      Can cause lockups on frequent destination updates.
      Problem reported by Simon Kirby. Bug was introduced
      in 2.6.37 from the "ipvs: changes for local real server"
      change.
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Signed-off-by: NHans Schillstrom <hans@schillstrom.com>
      Signed-off-by: NSimon Horman <horms@verge.net.au>
      ff75f40f
  9. 01 3月, 2011 1 次提交
    • A
      netlink: handle errors from netlink_dump() · b44d211e
      Andrey Vagin 提交于
      netlink_dump() may failed, but nobody handle its error.
      It generates output data, when a previous portion has been returned to
      user space. This mechanism works when all data isn't go in skb. If we
      enter in netlink_recvmsg() and skb is absent in the recv queue, the
      netlink_dump() will not been executed. So if netlink_dump() is failed
      one time, the new data never appear and the reader will sleep forever.
      
      netlink_dump() is called from two places:
      
      1. from netlink_sendmsg->...->netlink_dump_start().
         In this place we can report error directly and it will be returned
         by sendmsg().
      
      2. from netlink_recvmsg
         There we can't report error directly, because we have a portion of
         valid output data and call netlink_dump() for prepare the next portion.
         If netlink_dump() is failed, the socket will be mark as error and the
         next recvmsg will be failed.
      Signed-off-by: NAndrey Vagin <avagin@openvz.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b44d211e
  10. 26 2月, 2011 3 次提交
  11. 23 2月, 2011 6 次提交
  12. 22 2月, 2011 2 次提交
    • D
      fix cfg80211_wext_siwfreq lock ordering... · 4f919a3b
      Daniel J Blueman 提交于
      I previously managed to reproduce a hang while scanning wireless
      channels (reproducible with airodump-ng hopping channels); subsequent
      lockdep instrumentation revealed a lock ordering issue.
      
      Without knowing the design intent, it looks like the locks should be
      taken in reverse order; please comment.
      
      =======================================================
      [ INFO: possible circular locking dependency detected ]
      2.6.38-rc5-341cd #4
      -------------------------------------------------------
      airodump-ng/15445 is trying to acquire lock:
       (&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff816b1266>]
      cfg80211_wext_siwfreq+0xc6/0x100
      
      but task is already holding lock:
       (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>] cfg80211_wext_siwfreq+0xbc/0x100
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&wdev->mtx){+.+.+.}:
             [<ffffffff810a79d6>] lock_acquire+0xc6/0x280
             [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
             [<ffffffff81696080>] cfg80211_netdev_notifier_call+0x430/0x5f0
             [<ffffffff8109351b>] notifier_call_chain+0x8b/0x100
             [<ffffffff810935b1>] raw_notifier_call_chain+0x11/0x20
             [<ffffffff81576d92>] call_netdevice_notifiers+0x32/0x60
             [<ffffffff815771a4>] __dev_notify_flags+0x34/0x80
             [<ffffffff81577230>] dev_change_flags+0x40/0x70
             [<ffffffff8158587c>] do_setlink+0x1fc/0x8d0
             [<ffffffff81586042>] rtnl_setlink+0xf2/0x140
             [<ffffffff81586923>] rtnetlink_rcv_msg+0x163/0x270
             [<ffffffff8159d741>] netlink_rcv_skb+0xa1/0xd0
             [<ffffffff815867b0>] rtnetlink_rcv+0x20/0x30
             [<ffffffff8159d39a>] netlink_unicast+0x2ba/0x300
             [<ffffffff8159dd57>] netlink_sendmsg+0x267/0x3e0
             [<ffffffff8155e364>] sock_sendmsg+0xe4/0x110
             [<ffffffff8155f3a3>] sys_sendmsg+0x253/0x3b0
             [<ffffffff81003192>] system_call_fastpath+0x16/0x1b
      
      -> #0 (&rdev->devlist_mtx){+.+.+.}:
             [<ffffffff810a7222>] __lock_acquire+0x1622/0x1d10
             [<ffffffff810a79d6>] lock_acquire+0xc6/0x280
             [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
             [<ffffffff816b1266>] cfg80211_wext_siwfreq+0xc6/0x100
             [<ffffffff816b2fad>] ioctl_standard_call+0x5d/0xd0
             [<ffffffff816b3223>] T.808+0x163/0x170
             [<ffffffff816b326a>] wext_handle_ioctl+0x3a/0x90
             [<ffffffff815798d2>] dev_ioctl+0x6f2/0x830
             [<ffffffff8155cf3d>] sock_ioctl+0xfd/0x290
             [<ffffffff8117dffd>] do_vfs_ioctl+0x9d/0x590
             [<ffffffff8117e53a>] sys_ioctl+0x4a/0x80
             [<ffffffff81003192>] system_call_fastpath+0x16/0x1b
      
      other info that might help us debug this:
      
      2 locks held by airodump-ng/15445:
       #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81586782>] rtnl_lock+0x12/0x20
       #1:  (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>]
      cfg80211_wext_siwfreq+0xbc/0x100
      
      stack backtrace:
      Pid: 15445, comm: airodump-ng Not tainted 2.6.38-rc5-341cd #4
      Call Trace:
       [<ffffffff810a3f0a>] ? print_circular_bug+0xfa/0x100
       [<ffffffff810a7222>] ? __lock_acquire+0x1622/0x1d10
       [<ffffffff810a1f99>] ? trace_hardirqs_off_caller+0x29/0xc0
       [<ffffffff810a79d6>] ? lock_acquire+0xc6/0x280
       [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
       [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
       [<ffffffff816d6bce>] ? mutex_lock_nested+0x6e/0x4b0
       [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
       [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
       [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
       [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
       [<ffffffff816b2fad>] ? ioctl_standard_call+0x5d/0xd0
       [<ffffffff8157818b>] ? __dev_get_by_name+0x9b/0xc0
       [<ffffffff816b2f50>] ? ioctl_standard_call+0x0/0xd0
       [<ffffffff816b3223>] ? T.808+0x163/0x170
       [<ffffffff8112ddf2>] ? might_fault+0x72/0xd0
       [<ffffffff816b326a>] ? wext_handle_ioctl+0x3a/0x90
       [<ffffffff8112de3b>] ? might_fault+0xbb/0xd0
       [<ffffffff815798d2>] ? dev_ioctl+0x6f2/0x830
       [<ffffffff810a1bae>] ? put_lock_stats+0xe/0x40
       [<ffffffff810a1c8c>] ? lock_release_holdtime+0xac/0x150
       [<ffffffff8155cf3d>] ? sock_ioctl+0xfd/0x290
       [<ffffffff8117dffd>] ? do_vfs_ioctl+0x9d/0x590
       [<ffffffff8116c8ff>] ? fget_light+0x1df/0x3c0
       [<ffffffff8117e53a>] ? sys_ioctl+0x4a/0x80
       [<ffffffff81003192>] ? system_call_fastpath+0x16/0x1b
      Signed-off-by: NDaniel J Blueman <daniel.blueman@gmail.com>
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      4f919a3b
    • Y
      tcp: undo_retrans counter fixes · c24f691b
      Yuchung Cheng 提交于
      Fix a bug that undo_retrans is incorrectly decremented when undo_marker is
      not set or undo_retrans is already 0. This happens when sender receives
      more DSACK ACKs than packets retransmitted during the current
      undo phase. This may also happen when sender receives DSACK after
      the undo operation is completed or cancelled.
      
      Fix another bug that undo_retrans is incorrectly incremented when
      sender retransmits an skb and tcp_skb_pcount(skb) > 1 (TSO). This case
      is rare but not impossible.
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Acked-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c24f691b
  13. 21 2月, 2011 1 次提交
    • E
      net: Fix more stale on-stack list_head objects. · 5f04d506
      Eric W. Biederman 提交于
      From: Eric W. Biederman <ebiederm@xmission.com>
      
      In the beginning with batching unreg_list was a list that was used only
      once in the lifetime of a network device (I think).  Now we have calls
      using the unreg_list that can happen multiple times in the life of a
      network device like dev_deactivate and dev_close that are also using the
      unreg_list.  In addition in unregister_netdevice_queue we also do a
      list_move because for devices like veth pairs it is possible that
      unregister_netdevice_queue will be called multiple times.
      
      So I think the change below to fix dev_deactivate which Eric D. missed
      will fix this problem.  Now to go test that.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5f04d506
  14. 20 2月, 2011 2 次提交
  15. 19 2月, 2011 4 次提交
    • S
      mac80211: fix conn_mon_timer running after disassociate · 05e7c991
      Stanislaw Gruszka 提交于
      Low level driver could pass rx frames to us after disassociate, what
      can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). That
      is obviously wrong, but nothing happens until we unload modules and
      resources are used after free. If kernel debugging is enabled following
      warning could be observed:
      
      WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70()
      Hardware name: HP xw8600 Workstation
      ODEBUG: free active (active state 0) object type: timer_list
      Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 aes_x86_64 aes_generic fuse cpufreq_ondemand acpi_cpufreq freq_table mperf xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod uinput hp_wmi sparse_keymap sg wmi arc4 microcode serio_raw ecb tg3 shpchp rfkill ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: cfg80211]
      Pid: 13827, comm: rmmod Tainted: G        W   2.6.38-rc4-wl+ #22
      Call Trace:
       [<ffffffff810649cf>] ? warn_slowpath_common+0x7f/0xc0
       [<ffffffff81064ac6>] ? warn_slowpath_fmt+0x46/0x50
       [<ffffffff81226fc5>] ? debug_print_object+0x65/0x70
       [<ffffffff81227625>] ? debug_check_no_obj_freed+0x125/0x210
       [<ffffffff8109ebd7>] ? debug_check_no_locks_freed+0xf7/0x170
       [<ffffffff81156092>] ? kfree+0xc2/0x2f0
       [<ffffffff813ec5c5>] ? netdev_release+0x45/0x60
       [<ffffffff812f1067>] ? device_release+0x27/0xa0
       [<ffffffff81216ddd>] ? kobject_release+0x8d/0x1a0
       [<ffffffff81216d50>] ? kobject_release+0x0/0x1a0
       [<ffffffff812183b7>] ? kref_put+0x37/0x70
       [<ffffffff81216c57>] ? kobject_put+0x27/0x60
       [<ffffffff813d5d1b>] ? netdev_run_todo+0x1ab/0x270
       [<ffffffff813e771e>] ? rtnl_unlock+0xe/0x10
       [<ffffffffa0581188>] ? ieee80211_unregister_hw+0x58/0x120 [mac80211]
       [<ffffffffa0377ed7>] ? iwl_pci_remove+0xdb/0x22a [iwlagn]
       [<ffffffff8123cde2>] ? pci_device_remove+0x52/0x120
       [<ffffffff812f5205>] ? __device_release_driver+0x75/0xe0
       [<ffffffff812f5348>] ? driver_detach+0xd8/0xe0
       [<ffffffff812f4111>] ? bus_remove_driver+0x91/0x100
       [<ffffffff812f5b62>] ? driver_unregister+0x62/0xa0
       [<ffffffff8123d194>] ? pci_unregister_driver+0x44/0xa0
       [<ffffffffa0377df5>] ? iwl_exit+0x15/0x1c [iwlagn]
       [<ffffffff810ab492>] ? sys_delete_module+0x1a2/0x270
       [<ffffffff81498889>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       [<ffffffff8100bf42>] ? system_call_fastpath+0x16/0x1b
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      05e7c991
    • E
      net: deinit automatic LIST_HEAD · ceaaec98
      Eric Dumazet 提交于
      commit 9b5e383c (net: Introduce
      unregister_netdevice_many()) left an active LIST_HEAD() in
      rollback_registered(), with possible memory corruption.
      
      Even if device is freed without touching its unreg_list (and therefore
      touching the previous memory location holding LISTE_HEAD(single), better
      close the bug for good, since its really subtle.
      
      (Same fix for default_device_exit_batch() for completeness)
      Reported-by: NMichal Hocko <mhocko@suse.cz>
      Tested-by: NMichal Hocko <mhocko@suse.cz>
      Reported-by: NEric W. Biderman <ebiderman@xmission.com>
      Tested-by: NEric W. Biderman <ebiderman@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      CC: Ingo Molnar <mingo@elte.hu>
      CC: Octavian Purdila <opurdila@ixiacom.com>
      CC: stable <stable@kernel.org> [.33+]
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ceaaec98
    • L
      net: dont leave active on stack LIST_HEAD · f87e6f47
      Linus Torvalds 提交于
      Eric W. Biderman and Michal Hocko reported various memory corruptions
      that we suspected to be related to a LIST head located on stack, that
      was manipulated after thread left function frame (and eventually exited,
      so its stack was freed and reused).
      
      Eric Dumazet suggested the problem was probably coming from commit
      44345724 (net: factorize
      sync-rcu call in unregister_netdevice_many)
      
      This patch fixes __dev_close() and dev_close() to properly deinit their
      respective LIST_HEAD(single) before exiting.
      
      References: https://lkml.org/lkml/2011/2/16/304
      References: https://lkml.org/lkml/2011/2/14/223Reported-by: NMichal Hocko <mhocko@suse.cz>
      Tested-by: NMichal Hocko <mhocko@suse.cz>
      Reported-by: NEric W. Biderman <ebiderman@xmission.com>
      Tested-by: NEric W. Biderman <ebiderman@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      CC: Ingo Molnar <mingo@elte.hu>
      CC: Octavian Purdila <opurdila@ixiacom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f87e6f47
    • E
      net: provide default_advmss() methods to blackhole dst_ops · 214f45c9
      Eric Dumazet 提交于
      Commit 0dbaee3b (net: Abstract default ADVMSS behind an
      accessor.) introduced a possible crash in tcp_connect_init(), when
      dst->default_advmss() is called from dst_metric_advmss()
      Reported-by: NGeorge Spelvin <linux@horizon.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      214f45c9
  16. 17 2月, 2011 1 次提交