1. 15 5月, 2012 1 次提交
  2. 01 5月, 2012 1 次提交
  3. 25 4月, 2012 1 次提交
    • E
      mac80211: call ieee80211_mgd_stop() on interface stop · afa762f6
      Eliad Peller 提交于
      ieee80211_mgd_teardown() is called on netdev removal, which
      occurs after the vif was already removed from the low-level
      driver, resulting in the following warning:
      
      [ 4809.014734] ------------[ cut here ]------------
      [ 4809.019861] WARNING: at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x200/0x2c8 [mac80211]()
      [ 4809.030388] wlan0:  Failed check-sdata-in-driver check, flags: 0x4
      [ 4809.036862] Modules linked in: wlcore_sdio(-) wl12xx wlcore mac80211 cfg80211 [last unloaded: cfg80211]
      [ 4809.046849] [<c001bd4c>] (unwind_backtrace+0x0/0x12c)
      [ 4809.055937] [<c047cf1c>] (dump_stack+0x20/0x24)
      [ 4809.065385] [<c003e334>] (warn_slowpath_common+0x5c/0x74)
      [ 4809.075589] [<c003e408>] (warn_slowpath_fmt+0x40/0x48)
      [ 4809.088291] [<bf033630>] (ieee80211_bss_info_change_notify+0x200/0x2c8 [mac80211])
      [ 4809.102844] [<bf067f84>] (ieee80211_destroy_auth_data+0x80/0xa4 [mac80211])
      [ 4809.116276] [<bf068004>] (ieee80211_mgd_teardown+0x5c/0x74 [mac80211])
      [ 4809.129331] [<bf043f18>] (ieee80211_teardown_sdata+0xb0/0xd8 [mac80211])
      [ 4809.141595] [<c03b5e58>] (rollback_registered_many+0x228/0x2f0)
      [ 4809.153056] [<c03b5f48>] (unregister_netdevice_many+0x28/0x50)
      [ 4809.165696] [<bf041ea8>] (ieee80211_remove_interfaces+0xb4/0xdc [mac80211])
      [ 4809.179151] [<bf032174>] (ieee80211_unregister_hw+0x50/0xf0 [mac80211])
      [ 4809.191043] [<bf0bebb4>] (wlcore_remove+0x5c/0x7c [wlcore])
      [ 4809.201491] [<c02c6918>] (platform_drv_remove+0x24/0x28)
      [ 4809.212029] [<c02c4d50>] (__device_release_driver+0x8c/0xcc)
      [ 4809.222738] [<c02c4e84>] (device_release_driver+0x30/0x3c)
      [ 4809.233099] [<c02c4258>] (bus_remove_device+0x10c/0x128)
      [ 4809.242620] [<c02c26f8>] (device_del+0x11c/0x17c)
      [ 4809.252150] [<c02c6de0>] (platform_device_del+0x28/0x68)
      [ 4809.263051] [<bf0df49c>] (wl1271_remove+0x3c/0x50 [wlcore_sdio])
      [ 4809.273590] [<c03806b0>] (sdio_bus_remove+0x48/0xf8)
      [ 4809.283754] [<c02c4d50>] (__device_release_driver+0x8c/0xcc)
      [ 4809.293729] [<c02c4e2c>] (driver_detach+0x9c/0xc4)
      [ 4809.303163] [<c02c3d7c>] (bus_remove_driver+0xc4/0xf4)
      [ 4809.312973] [<c02c5a98>] (driver_unregister+0x70/0x7c)
      [ 4809.323220] [<c03809c4>] (sdio_unregister_driver+0x24/0x2c)
      [ 4809.334213] [<bf0df458>] (wl1271_exit+0x14/0x1c [wlcore_sdio])
      [ 4809.344930] [<c009b1a4>] (sys_delete_module+0x228/0x2a8)
      [ 4809.354734] ---[ end trace 515290ccf5feb522 ]---
      
      Rename ieee80211_mgd_teardown() to ieee80211_mgd_stop(),
      and call it on ieee80211_do_stop().
      Signed-off-by: NEliad Peller <eliad@wizery.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      afa762f6
  4. 24 4月, 2012 1 次提交
  5. 18 4月, 2012 2 次提交
  6. 16 4月, 2012 2 次提交
  7. 14 4月, 2012 1 次提交
  8. 12 4月, 2012 1 次提交
  9. 10 4月, 2012 3 次提交
  10. 06 4月, 2012 5 次提交
    • E
      net: fix a race in sock_queue_err_skb() · 110c4330
      Eric Dumazet 提交于
      As soon as an skb is queued into socket error queue, another thread
      can consume it, so we are not allowed to reference skb anymore, or risk
      use after free.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      110c4330
    • E
      netlink: fix races after skb queueing · 4a7e7c2a
      Eric Dumazet 提交于
      As soon as an skb is queued into socket receive_queue, another thread
      can consume it, so we are not allowed to reference skb anymore, or risk
      use after free.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4a7e7c2a
    • S
      phonet: Check input from user before allocating · bcf1b70a
      Sasha Levin 提交于
      A phonet packet is limited to USHRT_MAX bytes, this is never checked during
      tx which means that the user can specify any size he wishes, and the kernel
      will attempt to allocate that size.
      
      In the good case, it'll lead to the following warning, but it may also cause
      the kernel to kick in the OOM and kill a random task on the server.
      
      [ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
      [ 8921.749770] Pid: 5081, comm: trinity Tainted: G        W    3.4.0-rc1-next-20120402-sasha #46
      [ 8921.756672] Call Trace:
      [ 8921.758185]  [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
      [ 8921.762868]  [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
      [ 8921.765399]  [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
      [ 8921.769226]  [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
      [ 8921.771686]  [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
      [ 8921.773919]  [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
      [ 8921.776248]  [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
      [ 8921.778294]  [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
      [ 8921.780847]  [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
      [ 8921.783179]  [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
      [ 8921.784971]  [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
      [ 8921.787111]  [<ffffffff821b002e>] ? release_sock+0x7e/0x90
      [ 8921.788973]  [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
      [ 8921.791052]  [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
      [ 8921.792931]  [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
      [ 8921.794917]  [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
      [ 8921.797053]  [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
      [ 8921.798992]  [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
      [ 8921.801395]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.803501]  [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
      [ 8921.805505]  [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
      [ 8921.807860]  [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
      [ 8921.809986]  [<ffffffff811958e7>] ? might_fault+0x97/0xa0
      [ 8921.811998]  [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
      [ 8921.814595]  [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
      [ 8921.816702]  [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
      [ 8921.818819]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
      [ 8921.820863]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.823318]  [<ffffffff811e1926>] vfs_writev+0x46/0x60
      [ 8921.825219]  [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
      [ 8921.827127]  [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
      [ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
      Signed-off-by: NSasha Levin <levinsasha928@gmail.com>
      Acked-by: NRémi Denis-Courmont <remi.denis-courmont@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bcf1b70a
    • E
      tcp: tcp_sendpages() should call tcp_push() once · 35f9c09f
      Eric Dumazet 提交于
      commit 2f533844 (tcp: allow splice() to build full TSO packets) added
      a regression for splice() calls using SPLICE_F_MORE.
      
      We need to call tcp_flush() at the end of the last page processed in
      tcp_sendpages(), or else transmits can be deferred and future sends
      stall.
      
      Add a new internal flag, MSG_SENDPAGE_NOTLAST, acting like MSG_MORE, but
      with different semantic.
      
      For all sendpage() providers, its a transparent change. Only
      sock_sendpage() and tcp_sendpages() can differentiate the two different
      flags provided by pipe_to_sendpage()
      Reported-by: NTom Herbert <therbert@google.com>
      Cc: Nandita Dukkipati <nanditad@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Tom Herbert <therbert@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: H.K. Jerry Chu <hkchu@google.com>
      Cc: Maciej Żenczykowski <maze@google.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail&gt;com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      35f9c09f
    • S
      simple_open: automatically convert to simple_open() · 234e3405
      Stephen Boyd 提交于
      Many users of debugfs copy the implementation of default_open() when
      they want to support a custom read/write function op.  This leads to a
      proliferation of the default_open() implementation across the entire
      tree.
      
      Now that the common implementation has been consolidated into libfs we
      can replace all the users of this function with simple_open().
      
      This replacement was done with the following semantic patch:
      
      <smpl>
      @ open @
      identifier open_f != simple_open;
      identifier i, f;
      @@
      -int open_f(struct inode *i, struct file *f)
      -{
      (
      -if (i->i_private)
      -f->private_data = i->i_private;
      |
      -f->private_data = i->i_private;
      )
      -return 0;
      -}
      
      @ has_open depends on open @
      identifier fops;
      identifier open.open_f;
      @@
      struct file_operations fops = {
      ...
      -.open = open_f,
      +.open = simple_open,
      ...
      };
      </smpl>
      
      [akpm@linux-foundation.org: checkpatch fixes]
      Signed-off-by: NStephen Boyd <sboyd@codeaurora.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Julia Lawall <Julia.Lawall@lip6.fr>
      Acked-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      234e3405
  11. 05 4月, 2012 2 次提交
    • R
      ipv6: fix array index in ip6_mc_add_src() · 78d50217
      RongQing.Li 提交于
      Convert array index from the loop bound to the loop index.
      
      And remove the void type conversion to ip6_mc_del1_src() return
      code, seem it is unnecessary, since ip6_mc_del1_src() does not
      use __must_check similar attribute, no compiler will report the
      warning when it is removed.
      
      v2: enrich the commit header
      Signed-off-by: NRongQing.Li <roy.qing.li@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78d50217
    • T
      sctp: Allow struct sctp_event_subscribe to grow without breaking binaries · acdd5985
      Thomas Graf 提交于
      getsockopt(..., SCTP_EVENTS, ...) performs a length check and returns
      an error if the user provides less bytes than the size of struct
      sctp_event_subscribe.
      
      Struct sctp_event_subscribe needs to be extended by an u8 for every
      new event or notification type that is added.
      
      This obviously makes getsockopt fail for binaries that are compiled
      against an older versions of <net/sctp/user.h> which do not contain
      all event types.
      
      This patch changes getsockopt behaviour to no longer return an error
      if not enough bytes are being provided by the user. Instead, it
      returns as much of sctp_event_subscribe as fits into the provided buffer.
      
      This leads to the new behavior that users see what they have been aware
      of at compile time.
      
      The setsockopt(..., SCTP_EVENTS, ...) API is already behaving like this.
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Acked-by: NVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      acdd5985
  12. 04 4月, 2012 6 次提交
  13. 03 4月, 2012 1 次提交
  14. 02 4月, 2012 4 次提交
  15. 29 3月, 2012 4 次提交
  16. 28 3月, 2012 5 次提交
    • A
      Bluetooth: Fix memory leaks due to chan refcnt · 8d7e1c7f
      Andrei Emeltchenko 提交于
      When we queue delayed work we hold(chan) and delayed work
      shall put(chan) after execution.
      Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
      8d7e1c7f
    • J
      Bluetooth: hci_core: fix NULL-pointer dereference at unregister · 94324962
      Johan Hovold 提交于
      Make sure hci_dev_open returns immediately if hci_dev_unregister has
      been called.
      
      This fixes a race between hci_dev_open and hci_dev_unregister which can
      lead to a NULL-pointer dereference.
      
      Bug is 100% reproducible using hciattach and a disconnected serial port:
      
      0. # hciattach -n /dev/ttyO1 any noflow
      
      1. hci_dev_open called from hci_power_on grabs req lock
      2. hci_init_req executes but device fails to initialise (times out
         eventually)
      3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
      4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
         hci_dev_do_close
      5. hci_dev_open (1) releases req lock
      6. hci_dev_do_close grabs req lock and returns as device is not up
      7. hci_dev_unregister sleeps in destroy_workqueue
      8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
      9. hci_dev_unregister finishes, while hci_dev_open is still running...
      
      [   79.627136] INFO: trying to register non-static key.
      [   79.632354] the code is fine but needs lockdep annotation.
      [   79.638122] turning off the locking correctness validator.
      [   79.643920] [<c00188bc>] (unwind_backtrace+0x0/0xf8) from [<c00729c4>] (__lock_acquire+0x1590/0x1ab0)
      [   79.653594] [<c00729c4>] (__lock_acquire+0x1590/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
      [   79.663085] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0040a88>] (run_timer_softirq+0x150/0x3ac)
      [   79.672668] [<c0040a88>] (run_timer_softirq+0x150/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
      [   79.682281] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
      [   79.690856] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
      [   79.699157] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
      [   79.708648] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
      [   79.718048] Exception stack(0xcf281fb0 to 0xcf281ff8)
      [   79.723358] 1fa0:                                     0001e6a0 be8dab00 0001e698 00036698
      [   79.731933] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
      [   79.740509] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
      [   79.747497] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [   79.756011] pgd = cf3b4000
      [   79.758850] [00000000] *pgd=8f0c7831, *pte=00000000, *ppte=00000000
      [   79.765502] Internal error: Oops: 80000007 [#1]
      [   79.770294] Modules linked in:
      [   79.773529] CPU: 0    Tainted: G        W     (3.3.0-rc6-00002-gb5d5c87 #421)
      [   79.781066] PC is at 0x0
      [   79.783721] LR is at run_timer_softirq+0x16c/0x3ac
      [   79.788787] pc : [<00000000>]    lr : [<c0040aa4>]    psr: 60000113
      [   79.788787] sp : cf281ee0  ip : 00000000  fp : cf280000
      [   79.800903] r10: 00000004  r9 : 00000100  r8 : b6f234d0
      [   79.806427] r7 : c0519c28  r6 : cf093488  r5 : c0561a00  r4 : 00000000
      [   79.813323] r3 : 00000000  r2 : c054eee0  r1 : 00000001  r0 : 00000000
      [   79.820190] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      [   79.827728] Control: 10c5387d  Table: 8f3b4019  DAC: 00000015
      [   79.833801] Process gpsd (pid: 1265, stack limit = 0xcf2802e8)
      [   79.839965] Stack: (0xcf281ee0 to 0xcf282000)
      [   79.844573] 1ee0: 00000002 00000000 c0040a24 00000000 00000002 cf281f08 00200200 00000000
      [   79.853210] 1f00: 00000000 cf281f18 cf281f08 00000000 00000000 00000000 cf281f18 cf281f18
      [   79.861816] 1f20: 00000000 00000001 c056184c 00000000 00000001 b6f234d0 c0561848 00000004
      [   79.870452] 1f40: cf280000 c003a3b8 c051e79c 00000001 00000000 00000100 3fa9e7b8 0000000a
      [   79.879089] 1f60: 00000025 cf280000 00000025 00000000 00000000 b6f234d0 00000000 00000004
      [   79.887756] 1f80: 00000000 c003a924 c053ad38 c0013a50 fa200000 cf281fb0 ffffffff c0008530
      [   79.896362] 1fa0: 0001e6a0 0000aab8 80000010 c037499c 0001e6a0 be8dab00 0001e698 00036698
      [   79.904998] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
      [   79.913665] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff 00fbf700 04ffff00
      [   79.922302] [<c0040aa4>] (run_timer_softirq+0x16c/0x3ac) from [<c003a3b8>] (__do_softirq+0xd4/0x22c)
      [   79.931945] [<c003a3b8>] (__do_softirq+0xd4/0x22c) from [<c003a924>] (irq_exit+0x8c/0x94)
      [   79.940582] [<c003a924>] (irq_exit+0x8c/0x94) from [<c0013a50>] (handle_IRQ+0x34/0x84)
      [   79.948913] [<c0013a50>] (handle_IRQ+0x34/0x84) from [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c)
      [   79.958404] [<c0008530>] (omap3_intc_handle_irq+0x48/0x4c) from [<c037499c>] (__irq_usr+0x3c/0x60)
      [   79.967773] Exception stack(0xcf281fb0 to 0xcf281ff8)
      [   79.973083] 1fa0:                                     0001e6a0 be8dab00 0001e698 00036698
      [   79.981658] 1fc0: 0002df98 0002df38 0000001f 00000000 b6f234d0 00000000 00000004 00000000
      [   79.990234] 1fe0: 0001e6f8 be8d6aa0 be8dac50 0000aab8 80000010 ffffffff
      [   79.997161] Code: bad PC value
      [   80.000396] ---[ end trace 6f6739840475f9ee ]---
      [   80.005279] Kernel panic - not syncing: Fatal exception in interrupt
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <jhovold@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      94324962
    • S
      Bluetooth: Fix Endian Bug. · 6e4aff10
      Santosh Nayak 提交于
      Fix network to host endian conversion for L2CAP chan id.
      Signed-off-by: NSantosh Nayak <santoshprasadnayak@gmail.com>
      Acked-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      6e4aff10
    • B
      net/core: dev_forward_skb() should clear skb_iif · 3b9785c6
      Benjamin LaHaise 提交于
      While investigating another bug, I found that the code on the incoming path
      in __netif_receive_skb will only set skb->skb_iif if it is already 0.  When
      dev_forward_skb() is used in the case of interfaces like veth, skb_iif may
      already have been set.  Making dev_forward_skb() cause the packet to look
      like a newly received packet would seem to the the correct behaviour here,
      as otherwise the wrong incoming interface can be reported for such a packet.
      Signed-off-by: NBenjamin LaHaise <bcrl@kvack.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3b9785c6
    • B
      net/ipv4: fix IPv4 multicast over network namespaces · 4e7b2f14
      Benjamin LaHaise 提交于
      When using multicast over a local bridge feeding a number of LXC guests
      using veth, the LXC guests are unable to get a response from other guests
      when pinging 224.0.0.1.  Multicast packets did not appear to be getting
      delivered to the network namespaces of the guest hosts, and further
      inspection showed that the incoming route was pointing to the loopback
      device of the host, not the guest.  This lead to the wrong network namespace
      being picked up by sockets (like ICMP).  Fix this by using the correct
      network namespace when creating the inbound route entry.
      Signed-off-by: NBenjamin LaHaise <bcrl@kvack.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e7b2f14
反馈
建议
客服 返回
顶部