1. 04 Feb, 2011 1 commit
    • D
      niu: Fix races between up/down and get_stats. · 9690c636
      David S. Miller committed
      As reported by Flavio Leitner, there is no synchronization to protect
      NIU's get_stats method from seeing a NULL pointer in either
      np->rx_rings or np->tx_rings.  In fact, as far as ->ndo_get_stats
      is concerned, these values are set completely asynchronously.
      
      Flavio attempted to fix this using a RW semaphore, which in fact
      works most of the time.  However, dev_get_stats() can be invoked
      from non-sleepable contexts in some cases, so this fix doesn't
      work in all cases.
      
      So instead, control the visibility of the np->{rx,tx}_ring pointers
      when the device is being brought up, and use properties of the device
      down sequence to our advantage.
      
      In niu_get_stats(), return immediately if netif_running() is false.
      The device shutdown sequence first marks the device as not running (by
      clearing the __LINK_STATE_START bit), then it performs a
      synchronize_rcu() (in dev_deactivate_many()), and then finally it
      invokes the driver ->ndo_stop() method.
      
      This guarantees that all invocations of niu_get_stats() either see
      netif_running() as false, or they see the channel pointers before
      ->ndo_stop() clears them out.
      
      If netif_running() is true, protect against startup races by loading
      the np->{rx,tx}_rings pointer into a local variable, and punting if
      it is NULL.  Use ACCESS_ONCE to prevent the compiler from reloading
      the pointer on us.
      
      Also, during open, control the order in which the pointers and the
      ring counts become visible globally using SMP write memory barriers.
      We make sure the np->num_{rx,tx}_rings value is stable and visible
      before np->{rx,tx}_rings is.
      
      Such visibility control is not necessary on the niu_free_channels()
      side because of the RCU sequencing that happens during device down as
      described above.  We are always guaranteed that all niu_get_stats
      calls are finished, or will see netif_running() false, by the time
      ->ndo_stop is invoked.
      Reported-by: Flavio Leitner <fleitner@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
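The ordering described in this commit can be approximated in user space with C11 atomics. The following is only a sketch under stated assumptions: `struct demo_dev`, `demo_open()` and `demo_get_stats()` are hypothetical names, a release store stands in for the kernel's SMP write barrier, an atomic load stands in for ACCESS_ONCE, and the RCU-based down path is not modelled at all.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct demo_ring {
    unsigned long packets;
};

struct demo_dev {
    atomic_bool running;               /* stand-in for netif_running() */
    int num_rings;                     /* must be visible before rings */
    _Atomic(struct demo_ring *) rings; /* NULL until open publishes it */
};

/* Open path: store the ring count first, then publish the pointer. */
static void demo_open(struct demo_dev *d, struct demo_ring *rings, int n)
{
    assert(n >= 0);
    d->num_rings = n;
    /* The release store keeps the count write ordered before the
     * pointer write (assumed analogue of the write barrier). */
    atomic_store_explicit(&d->rings, rings, memory_order_release);
    atomic_store_explicit(&d->running, true, memory_order_release);
}

/* Stats path: return early when down, and load the pointer only once. */
static unsigned long demo_get_stats(struct demo_dev *d)
{
    unsigned long total = 0;
    struct demo_ring *rings;
    int i;

    if (!atomic_load_explicit(&d->running, memory_order_acquire))
        return 0;

    /* Single load into a local, so a later NULL cannot be observed. */
    rings = atomic_load_explicit(&d->rings, memory_order_acquire);
    if (rings == NULL)
        return 0;

    for (i = 0; i < d->num_rings; i++)
        total += rings[i].packets;
    return total;
}
```

Because the count is written before the pointer is published, a reader that sees a non-NULL pointer also sees a valid count, which is the property the commit message relies on.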
  2. 03 Feb, 2011 10 commits
  3. 02 Feb, 2011 9 commits
  4. 01 Feb, 2011 10 commits
    • P
      netfilter: ecache: always set events bits, filter them later · 3db7e93d
      Pablo Neira Ayuso committed
      For the following rule:
      
      iptables -I PREROUTING -t raw -j CT --ctevents assured
      
      The event delivered looks like the following:
      
       [UPDATE] tcp      6 src=192.168.0.2 dst=192.168.1.2 sport=37041 dport=80 src=192.168.1.2 dst=192.168.1.100 sport=80 dport=37041 [ASSURED]
      
      Note that the TCP protocol state is not included. For that reason
      the CT event filtering is not very useful for conntrackd.
      
      To resolve this issue, instead of conditionally setting the CT events
      bits based on the ctmask, we always set them and perform the filtering
      in the late stage, just before the delivery.
      
      Thus, the event delivered looks like the following:
      
       [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.2 dst=192.168.1.2 sport=37041 dport=80 src=192.168.1.2 dst=192.168.1.100 sport=80 dport=37041 [ASSURED]
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
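One possible reading of "always set the bits, filter them later" is sketched below. The event bits and function names are hypothetical and do not match the kernel's enum or API; the assumption is that, with late filtering, the full recorded set is delivered whenever at least one recorded bit is in the mask.

```c
#include <assert.h>

/* Hypothetical event bits; the real kernel enum differs. */
enum {
    DEMO_EV_PROTOINFO = 1 << 0,
    DEMO_EV_ASSURED   = 1 << 1
};

/* Early filtering: bits outside the mask are dropped when recorded. */
static unsigned int demo_record_filtered(unsigned int cache, unsigned int ev,
                                         unsigned int ctmask)
{
    return cache | (ev & ctmask);
}

/* Late filtering, step 1: record every event bit unconditionally. */
static unsigned int demo_record_all(unsigned int cache, unsigned int ev)
{
    return cache | ev;
}

/* Late filtering, step 2: deliver the whole recorded set if any
 * recorded bit is selected by the mask, otherwise deliver nothing. */
static unsigned int demo_deliver(unsigned int cache, unsigned int ctmask)
{
    return (cache & ctmask) ? cache : 0;
}
```

With a mask of only `DEMO_EV_ASSURED`, early filtering loses the protocol-info bit, while late filtering keeps it in the delivered set, which mirrors the difference between the two event dumps quoted in the commit message.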
    • P
      netfilter: arpt_mangle: fix return values of checkentry · 9d0db8b6
      Pablo Neira Ayuso committed
      In 135367b8 "netfilter: xtables: change xt_target.checkentry return type",
      the type returned by checkentry was changed from boolean to int, but the
      return values were not adjusted.
      
      arptables: Input/output error
      
      This broke arptables with the mangle target since it returns true
      on success, which is interpreted by xtables as >0, thus
      returning EIO.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
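The failure mode can be reproduced in a few lines of plain C. This is a sketch with hypothetical names (`demo_run_checkentry()` and both callbacks); it only assumes what the message states, namely that the caller treats a positive return value as an internal error and reports EIO.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical caller: 0 means success, <0 is an errno value,
 * and >0 is treated as an internal error and mapped to -EIO. */
static int demo_run_checkentry(int (*check)(int flags), int flags)
{
    int ret;

    assert(check != NULL);
    ret = check(flags);
    if (ret > 0)
        return -EIO;
    return ret;
}

/* Old style: boolean result squeezed into an int return type. */
static int demo_checkentry_bool(int flags)
{
    return flags != 0 ? true : false;
}

/* Adjusted style: 0 on success, negative errno on failure. */
static int demo_checkentry_errno(int flags)
{
    return flags != 0 ? 0 : -EINVAL;
}
```

Note that the boolean version is wrong in both directions: its "success" becomes `-EIO`, and its "failure" (0) is silently accepted by the caller.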
    • M
      vhost: rcu annotation fixup · 5e18247b
      Michael S. Tsirkin committed
      When built with rcu checks enabled, vhost triggers
      bogus warnings as vhost features are read without
      dev->mutex sometimes, and private pointer is read
      with our kind of rcu where work serves as a
      read side critical section.
      
      Fixing it properly is not trivial.
      Disable the warnings by stubbing out the checks for now.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • S
      enc28j60: Fix reading of transmit status vector · fca540ab
      Stefan Weil committed
      This error was reported by cppcheck:
      drivers/net/enc28j60.c:815: error: Using sizeof for array given as function argument returns the size of pointer.
      
      The original code reads 4 or 8 bytes instead of TSV_SIZE (= 100) bytes.
      I just fixed the code, but did not run any tests.
      Signed-off-by: Stefan Weil <weil@mail.berlios.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
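The class of bug cppcheck reported here is easy to show in isolation. In the sketch below, `DEMO_STATUS_LEN` and both functions are hypothetical and the length is arbitrary (it is not the driver's TSV_SIZE); the point is only that an array parameter decays to a pointer, so `sizeof` yields the pointer size.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

#define DEMO_STATUS_LEN 16 /* arbitrary demo length, not the driver's */

/* An array argument arrives as a pointer, so sizeof() here is the
 * size of a pointer (typically 4 or 8), not the array length. */
static size_t demo_buggy_len(unsigned char *status)
{
    return sizeof(status);
}

/* Fixed variant: pass the intended length explicitly via the macro. */
static size_t demo_read_status(unsigned char *dst, const unsigned char *src)
{
    assert(dst != NULL && src != NULL);
    memcpy(dst, src, DEMO_STATUS_LEN);
    return DEMO_STATUS_LEN;
}
```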
    • E
      net: Fix ipv6 neighbour unregister_sysctl_table warning · bf36076a
      Eric W. Biederman committed
      In my testing of 2.6.37 I was occasionally getting a warning about
      sysctl table entries being unregistered in the wrong order.  Digging
      in, it turns out this dates back to the last great sysctl reorg done
      where Al Viro introduced the requirement that sysctl directories
      needed to be created before and destroyed after the files in them.
      
      It turns out that in that great reorg /proc/sys/net/ipv6/neigh was
      overlooked.  So this patch fixes that oversight and makes an annoying
      warning message go away.
      
      >------------[ cut here ]------------
      >WARNING: at kernel/sysctl.c:1992 unregister_sysctl_table+0x134/0x164()
      >Pid: 23951, comm: kworker/u:3 Not tainted 2.6.37-350888.2010AroraKernelBeta.fc14.x86_64 #1
      >Call Trace:
      > [<ffffffff8103e034>] warn_slowpath_common+0x80/0x98
      > [<ffffffff8103e061>] warn_slowpath_null+0x15/0x17
      > [<ffffffff810452f8>] unregister_sysctl_table+0x134/0x164
      > [<ffffffff810e7834>] ? kfree+0xc4/0xd1
      > [<ffffffff813439b2>] neigh_sysctl_unregister+0x22/0x3a
      > [<ffffffffa02cd14e>] addrconf_ifdown+0x33f/0x37b [ipv6]
      > [<ffffffff81331ec2>] ? skb_dequeue+0x5f/0x6b
      > [<ffffffffa02ce4a5>] addrconf_notify+0x69b/0x75c [ipv6]
      > [<ffffffffa02eb953>] ? ip6mr_device_event+0x98/0xa9 [ipv6]
      > [<ffffffff813d2413>] notifier_call_chain+0x32/0x5e
      > [<ffffffff8105bdea>] raw_notifier_call_chain+0xf/0x11
      > [<ffffffff8133cdac>] call_netdevice_notifiers+0x45/0x4a
      > [<ffffffff8133d2b0>] rollback_registered_many+0x118/0x201
      > [<ffffffff8133d3af>] unregister_netdevice_many+0x16/0x6d
      > [<ffffffff8133d571>] default_device_exit_batch+0xa4/0xb8
      > [<ffffffff81337c42>] ? cleanup_net+0x0/0x194
      > [<ffffffff81337a2a>] ops_exit_list+0x4e/0x56
      > [<ffffffff81337d36>] cleanup_net+0xf4/0x194
      > [<ffffffff81053318>] process_one_work+0x187/0x280
      > [<ffffffff8105441b>] worker_thread+0xff/0x19f
      > [<ffffffff8105431c>] ? worker_thread+0x0/0x19f
      > [<ffffffff8105776d>] kthread+0x7d/0x85
      > [<ffffffff81003824>] kernel_thread_helper+0x4/0x10
      > [<ffffffff810576f0>] ? kthread+0x0/0x85
      > [<ffffffff81003820>] ? kernel_thread_helper+0x0/0x10
      >---[ end trace 8a7e9310b35e9486 ]---
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • K
      axnet_cs: reduce delay time at ei_rx_overrun · 785e8cc3
      Ken Kawasaki committed
      axnet_cs:
          mdelay of 10ms is too long at ei_rx_overrun.
          It should be reduced to 2ms.
      Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • T
      net: Check rps_flow_table when RPS map length is 1 · 85875236
      Tom Herbert committed
      In get_rps_cpu, add check that the rps_flow_table for the device is
      NULL when trying to take fast path when RPS map length is one.
      Without this, RFS is effectively disabled if map length is one which
      is not correct.
      Signed-off-by: Tom Herbert <therbert@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • C
      CAN: softing driver depends on IOMEM · cc09b5f6
      Chuck Ebbert committed
      Without this dependency the softing driver will be buildable on s390,
      where it fails.
      Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
      Acked-by: Kurt Van Dijck <kurt.van.dijck@eia.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • R
      net: Add default_mtu() methods to blackhole dst_ops · ec831ea7
      Roland Dreier committed
      When an IPSEC SA is still being set up, __xfrm_lookup() will return
      -EREMOTE and so ip_route_output_flow() will return a blackhole route.
      This can happen in a sendmsg call, and after d33e4553 ("net: Abstract
      default MTU metric calculation behind an accessor.") this leads to a
      crash in ip_append_data() because the blackhole dst_ops have no
      default_mtu() method and so dst_mtu() calls a NULL pointer.
      
      Fix this by adding default_mtu() methods (that simply return 0, matching
      the old behavior) to the blackhole dst_ops.
      
      The IPv4 part of this patch fixes a crash that I saw when using an IPSEC
      VPN; the IPv6 part is untested because I don't have an IPv6 VPN, but it
      looks to be needed as well.
      Signed-off-by: Roland Dreier <roland@purestorage.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
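The shape of this fix, an ops table whose accessor is called unconditionally and therefore must never be left NULL, can be sketched as follows. All `demo_` names are hypothetical and the signature is simplified; the real `dst_ops` method takes a dst entry argument.

```c
#include <assert.h>
#include <stddef.h>

/* Simplified, hypothetical ops table with a single method. */
struct demo_dst_ops {
    unsigned int (*default_mtu)(void);
};

/* Stub method returning 0, as the commit says, to match the old behavior. */
static unsigned int demo_blackhole_default_mtu(void)
{
    return 0;
}

static const struct demo_dst_ops demo_blackhole_ops = {
    .default_mtu = demo_blackhole_default_mtu,
};

/* Accessor that calls through the pointer; a table without the
 * method would make this call a NULL function pointer. */
static unsigned int demo_dst_mtu(const struct demo_dst_ops *ops)
{
    assert(ops != NULL && ops->default_mtu != NULL);
    return ops->default_mtu();
}
```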
    • M
      wl12xx: fix use after free · 9b00b415
      Mathias Krause committed
      When DEBUG_SPI is included in the debug log level wl1271_spi_reset()
      will dump the already freed memory instead of the SPI buffer.
      
      This bug was spotted by the semantic patch tool coccinelle using the
      script found at scripts/coccinelle/free/kfree.cocci.
      
      More information about semantic patching is available at
      http://coccinelle.lip6.fr/
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
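A minimal user-space sketch of the corrected ordering (dump the buffer, then free it) is shown below. The names `demo_reset()`, `demo_dump()` and `DEMO_CMD_LEN` are hypothetical, and copying into a static array stands in for the driver's debug dump.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_CMD_LEN 8 /* arbitrary demo length */

/* Hypothetical debug sink standing in for a hex dump to the log. */
static unsigned char demo_log[DEMO_CMD_LEN];

static void demo_dump(const unsigned char *buf, size_t len)
{
    assert(len <= sizeof(demo_log));
    memcpy(demo_log, buf, len);
}

static int demo_reset(void)
{
    unsigned char *cmd = malloc(DEMO_CMD_LEN);

    if (cmd == NULL)
        return -1;
    memset(cmd, 0xff, DEMO_CMD_LEN);
    /* A real driver would write cmd to the bus at this point. */

    demo_dump(cmd, DEMO_CMD_LEN); /* dump while the buffer is valid */
    free(cmd);                    /* free only after the last use */
    return 0;
}
```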
  5. 31 Jan, 2011 6 commits
  6. 30 Jan, 2011 4 commits
    • S
      batman-adv: Make vis info stack traversal threadsafe · 1181e1da
      Sven Eckelmann committed
      The batman-adv vis server has a stack which stores all information
      about packets which should be sent later. This stack is protected
      with a spinlock that is used to prevent concurrent write access to it.
      
      The send_vis_packets function has to take all elements from the stack
      and send them to other hosts over the primary interface. The send will
      be initiated without the lock which protects the stack.
      
      The implementation using list_for_each_entry_safe has the problem that
      it stores the next element as "safe ptr" to allow the deletion of the
      current element in the list. The list may be modified during the
      unlock/lock pair in the loop body, which may leave the safe pointer
      not pointing to the correct next element.
      
      It is safer to remove and use the first element from the stack until no
      elements are available. This does not need redundant information which
      would have to be validated each time the lock was released.
      Reported-by: Russell Senior <russell@personaltelco.net>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
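The "remove the first element until the stack is empty" approach can be sketched in user space as below. This is not the batman-adv code: the list type, the `demo_` functions, and the C11 `atomic_flag` spinlock are all stand-ins chosen to keep the example self-contained.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stddef.h>

struct demo_node {
    int id;
    struct demo_node *next;
};

static atomic_flag demo_lock = ATOMIC_FLAG_INIT; /* spinlock stand-in */
static struct demo_node *demo_head;              /* top of the stack */
static int demo_sent_sum;                        /* records "sent" ids */

static void demo_lock_list(void)
{
    while (atomic_flag_test_and_set_explicit(&demo_lock, memory_order_acquire))
        ; /* spin until the flag is released */
}

static void demo_unlock_list(void)
{
    atomic_flag_clear_explicit(&demo_lock, memory_order_release);
}

static void demo_push(struct demo_node *n)
{
    assert(n != NULL);
    demo_lock_list();
    n->next = demo_head;
    demo_head = n;
    demo_unlock_list();
}

/* Detach the first element under the lock, then send it unlocked.
 * No "next" pointer is cached across the unlocked section. */
static int demo_send_all(void)
{
    int count = 0;

    for (;;) {
        struct demo_node *n;

        demo_lock_list();
        n = demo_head;
        if (n != NULL)
            demo_head = n->next;
        demo_unlock_list();

        if (n == NULL)
            break;
        demo_sent_sum += n->id; /* stand-in for sending the packet */
        count++;
    }
    return count;
}
```

Since each iteration re-reads the head under the lock, concurrent pushes or removals during the unlocked send cannot leave the loop holding a stale pointer.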
    • S
      batman-adv: Remove vis info element in free_info · dda9fc6b
      Sven Eckelmann committed
      The free_info function will be called when no reference to the info
      object exists anymore. It must be ensured that the allocated memory
      gets freed and not only the elements which are managed by the info
      object.
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
    • S
      batman-adv: Remove vis info on hashing errors · 2674c158
      Sven Eckelmann committed
      A newly created vis info object must be removed when it couldn't be
      added to the hash. The old_info which has to be replaced was already
      removed and isn't related to the hash anymore.
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
    • E
      net: Add compat ioctl support for the ipv4 multicast ioctl SIOCGETSGCNT · 709b46e8
      Eric W. Biederman committed
      SIOCGETSGCNT is not a unique ioctl value, as it maps to SIOCPROTOPRIVATE + 1,
      which unfortunately means the existing infrastructure for compat networking
      ioctls is insufficient.  A trivial compat ioctl implementation would conflict
      with:
      
      SIOCAX25ADDUID
      SIOCAIPXPRISLT
      SIOCGETSGCNT_IN6
      SIOCGETSGCNT
      SIOCRSSCAUSE
      SIOCX25SSUBSCRIP
      SIOCX25SDTEFACILITIES
      
      To make this work I have updated the compat_ioctl decode path to mirror the
      normal ioctl decode path.  I have added an ipv4 inet_compat_ioctl function
      so that I can have ipv4 specific compat ioctls.   I have added a compat_ioctl
      function into struct proto so I can break out ioctls by which kind of ip socket
      I am using.  I have added a compat_raw_ioctl function because SIOCGETSGCNT only
      works on raw sockets.  I have added a ipmr_compat_ioctl that mirrors the normal
      ipmr_ioctl.
      
      This was necessary because unfortunately the struct layout for SIOCGETSGCNT
      has unsigned longs in it, so it changes between 32bit and 64bit kernels.
      
      This change was sufficient to run a 32bit ip multicast routing daemon on a
      64bit kernel.
      Reported-by: Bill Fenner <fenner@aristanetworks.com>
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
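The layout problem behind this commit can be illustrated with two structs. Both are hypothetical simplifications (plain `uint32_t` addresses, `demo_` names) rather than the kernel's definitions; the sketch assumes only what the message states, that the native struct contains unsigned longs whose width differs between 32-bit and 64-bit builds.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Native layout: counter width follows the kernel's unsigned long. */
struct demo_sg_req {
    uint32_t src;
    uint32_t grp;
    unsigned long pktcnt;
    unsigned long bytecnt;
    unsigned long wrong_if;
};

/* Layout a 32-bit program expects: every counter is 32 bits wide. */
struct demo_compat_sg_req {
    uint32_t src;
    uint32_t grp;
    uint32_t pktcnt;
    uint32_t bytecnt;
    uint32_t wrong_if;
};

/* Copy native results into the 32-bit layout, truncating counters. */
static void demo_to_compat(struct demo_compat_sg_req *dst,
                           const struct demo_sg_req *src)
{
    assert(dst != NULL && src != NULL);
    dst->src = src->src;
    dst->grp = src->grp;
    dst->pktcnt = (uint32_t)src->pktcnt;
    dst->bytecnt = (uint32_t)src->bytecnt;
    dst->wrong_if = (uint32_t)src->wrong_if;
}
```

On a typical 64-bit build the native struct is larger than the compat one, so copying it byte for byte to a 32-bit caller would misplace every counter; a field-by-field conversion avoids that.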