- 26 10月, 2011 3 次提交
-
-
由 Sage Weil 提交于
The pool allocation failures are masked by the pool; there is no need to spam the console about them. (That's the whole point of having the pool in the first place.) Mark msg allocations whose failure is safely handled as such. Signed-off-by: NSage Weil <sage@newdream.net>
-
由 Sage Weil 提交于
Allocate the mon connection on init. We already reuse it across reconnects. Remove now unnecessary (and incomplete) NULL checks. Signed-off-by: NSage Weil <sage@newdream.net>
-
由 Sage Weil 提交于
This simplifies the init/shutdown paths, and makes client->msgr available during the rest of the setup process. Signed-off-by: NSage Weil <sage@newdream.net>
-
- 20 10月, 2011 1 次提交
-
-
由 Yan, Zheng 提交于
we should decrease ops->unresolved_rules when deleting a unresolved rule. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 10月, 2011 4 次提交
-
-
由 KOVACS Krisztian 提交于
The transparent socket option setting was not copied to the time wait socket when an inet socket was being replaced by a time wait socket. This broke the --transparent option of the socket match and may have caused that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state were being dropped by the packet filter. Signed-off-by: NKOVACS Krisztian <hidden@balabit.hu> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Paul Moore 提交于
The Bluetooth stack has internal connection handlers for all of the various Bluetooth protocols, and unfortunately, they are currently lacking the LSM hooks found in the core network stack's connection handlers. I say unfortunately, because this can cause problems for users who have have an LSM enabled and are using certain Bluetooth devices. See one problem report below: * http://bugzilla.redhat.com/show_bug.cgi?id=741703 In order to keep things simple at this point in time, this patch fixes the problem by cloning the parent socket's LSM attributes to the newly created child socket. If we decide we need a more elaborate LSM marking mechanism for Bluetooth (I somewhat doubt this) we can always revisit this decision in the future. Reported-by: NJames M. Cape <jcape@ignore-your.tv> Signed-off-by: NPaul Moore <pmoore@redhat.com> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
l2tp_xmit_skb() can leak one skb if skb_cow_head() returns an error. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 stephen hemminger 提交于
Need to cleanup bridge device timers and ports when being bridge device is being removed via netlink. This fixes the problem of observed when doing: ip link add br0 type bridge ip link set dev eth1 master br0 ip link set br0 up ip link del br0 which would cause br0 to hang in unregister_netdev because of leftover reference count. Reported-by: NSridhar Samudrala <sri@us.ibm.com> Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Acked-by: NSridhar Samudrala <sri@us.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 18 10月, 2011 3 次提交
-
-
由 Matthew Daley 提交于
x25_find_listener does not check that the amount of call user data given in the skb is big enough in per-socket comparisons, hence buffer overreads may occur. Fix this by adding a check. Signed-off-by: NMatthew Daley <mattjd@gmail.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Andrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Acked-by: NAndrew Hendry <andrew.hendry@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Matthew Daley 提交于
There are multiple locations in the X.25 packet layer where a skb is assumed to be of at least a certain size and that all its data is currently available at skb->data. These assumptions are not checked, hence buffer overreads may occur. Use pskb_may_pull to check these minimal size assumptions and ensure that data is available at skb->data when necessary, as well as use skb_copy_bits where needed. Signed-off-by: NMatthew Daley <mattjd@gmail.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Andrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Acked-by: NAndrew Hendry <andrew.hendry@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Matthew Daley 提交于
X.25 call user data is being copied in its entirety from incoming messages without consideration to the size of the destination buffers, leading to possible buffer overflows. Validate incoming call user data lengths before these copies are performed. It appears this issue was noticed some time ago, however nothing seemed to come of it: see http://www.spinics.net/lists/linux-x25/msg00043.html and commit 8db09f26. Signed-off-by: NMatthew Daley <mattjd@gmail.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Tested-by: NAndrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 13 10月, 2011 1 次提交
-
-
由 Hans Schillstrom 提交于
ip_vs_mutext is used by both netns shutdown code and startup and both implicit uses sk_lock-AF_INET mutex. cleanup CPU-1 startup CPU-2 ip_vs_dst_event() ip_vs_genl_set_cmd() sk_lock-AF_INET __ip_vs_mutex sk_lock-AF_INET __ip_vs_mutex * DEAD LOCK * A new mutex placed in ip_vs netns struct called sync_mutex is added. Comments from Julian and Simon added. This patch has been running for more than 3 month now and it seems to work. Ver. 3 IP_VS_SO_GET_DAEMON in do_ip_vs_get_ctl protected by sync_mutex instead of __ip_vs_mutex as sugested by Julian. Signed-off-by: NHans Schillstrom <hans@schillstrom.com> Acked-by: NJulian Anastasov <ja@ssi.bg> Signed-off-by: NSimon Horman <horms@verge.net.au> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 11 10月, 2011 1 次提交
-
-
由 Yan, Zheng 提交于
ipv6_gro_receive() doesn't update the protocol ops after pulling the ext headers. It looks like a typo. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 07 10月, 2011 1 次提交
-
-
由 stephen hemminger 提交于
This resolves a regression seen by some users of bridging. Some users use the bridge like a dummy device. They expect to be able to put an IPv6 address on the device with no ports attached. Although there are better ways of doing this, there is no reason to not allow it. Note: the bridge still will reflect the state of ports in the bridge if there are any added. Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 06 10月, 2011 1 次提交
-
-
由 Thomas Gleixner 提交于
Replace the open coded initialization with the init function. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Acked-by: NHans Schillstrom <hans.schillstrom@ericsson.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 05 10月, 2011 2 次提交
-
-
由 Yan, Zheng 提交于
lost_skb_hint is used by tcp_mark_head_lost() to mark the first unhandled skb. lost_cnt_hint is the number of packets or sacked packets before the lost_skb_hint; When shifting a skb that is before the lost_skb_hint, if tcp_is_fack() is ture, the skb has already been counted in the lost_cnt_hint; if tcp_is_fack() is false, tcp_sacktag_one() will increase the lost_cnt_hint. So tcp_shifted_skb() does not need to adjust the lost_cnt_hint by itself. When shifting a skb that is equal to lost_skb_hint, the shifted packets will not be counted by tcp_mark_head_lost(). So tcp_shifted_skb() should adjust the lost_cnt_hint even tcp_is_fack(tp) is true. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Yan, Zheng 提交于
tcp_v4_clear_md5_list() assumes that multiple tcp md5sig peers only hold one reference to md5sig_pool. but tcp_v4_md5_do_add() increases use count of md5sig_pool for each peer. This patch makes tcp_v4_md5_do_add() only increases use count for the first tcp md5sig peer. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 10月, 2011 1 次提交
-
-
由 Willem de Bruijn 提交于
This is a minor change. Up until kernel 2.6.32, getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, ...) would return total and dropped packets since its last invocation. The introduction of socket queue overflow reporting [1] changed drop rate calculation in the normal packet socket path, but not when using a packet ring. As a result, the getsockopt now returns different statistics depending on the reception method used. With a ring, it still returns the count since the last call, as counts are incremented in tpacket_rcv and reset in getsockopt. Without a ring, it returns 0 if no drops occurred since the last getsockopt and the total drops over the lifespan of the socket otherwise. The culprit is this line in packet_rcv, executed on a drop: drop_n_acct: po->stats.tp_drops = atomic_inc_return(&sk->sk_drops); As it shows, the new drop number it taken from the socket drop counter, which is not reset at getsockopt. I put together a small example that demonstrates the issue [2]. It runs for 10 seconds and overflows the queue/ring on every odd second. The reported drop rates are: ring: 16, 0, 16, 0, 16, ... non-ring: 0, 15, 0, 30, 0, 46, 0, 60, 0 , 74. Note how the even ring counts monotonically increase. Because the getsockopt adds tp_drops to tp_packets, total counts are similarly reported cumulatively. Long story short, reinstating the original code, as the below patch does, fixes the issue at the cost of additional per-packet cycles. Another solution that does not introduce per-packet overhead is be to keep the current data path, record the value of sk_drops at getsockopt() at call N in a new field in struct packetsock and subtract that when reporting at call N+1. I'll be happy to code that, instead, it's just more messy. [1] http://patchwork.ozlabs.org/patch/35665/ [2] http://kernel.googlecode.com/files/test-packetsock-getstatistics.cSigned-off-by: NWillem de Bruijn <willemb@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 03 10月, 2011 1 次提交
-
-
由 Florian Westphal 提交于
GRE connections cause ctnetlink event flood because the ASSURED event is set for every packet received. Reported-by: NDenys Fedoryshchenko <denys@visp.net.lb> Tested-by: NDenys Fedoryshchenko <denys@visp.net.lb> Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 30 9月, 2011 2 次提交
-
-
由 Oliver Hartkopp 提交于
The commit aabdcb0b ("can bcm: fix tx_setup off-by-one errors") fixed only a part of the original problem reported by Andre Naujoks. It turned out that the original code needed to be re-ordered to reduce complexity and to finally fix the reported frame counting issues. Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Jonathan Lallinger 提交于
In the rds_iw_mr_pool struct the free_pinned field keeps track of memory pinned by free MRs. While this field is incremented properly upon allocation, it is never decremented upon unmapping. This would cause the rds_rdma module to crash the kernel upon unloading, by triggering the BUG_ON in the rds_iw_destroy_mr_pool function. This change keeps track of the MRs that become unpinned, so that free_pinned can be decremented appropriately. Signed-off-by: NJonathan Lallinger <jonathan@ogc.us> Signed-off-by: NSteve Wise <swise@ogc.us> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 29 9月, 2011 4 次提交
-
-
由 Yan, Zheng 提交于
ipv6_ac_list and ipv6_fl_list from listening socket are inadvertently shared with new socket created for connection. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Oliver Hartkopp 提交于
This patch fixes two off-by-one errors that canceled each other out. Checking for the same condition two times in bcm_tx_timeout_tsklet() reduced the count of frames to be sent by one. This did not show up the first time tx_setup is invoked as an additional frame is sent due to TX_ANNONCE. Invoking a second tx_setup on the same item led to a reduced (by 1) number of sent frames. Reported-by: NAndre Naujoks <nautsch@gmail.com> Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Sage Weil 提交于
The incremental map updates have a record for each pg_temp mapping that is to be add/updated (len > 0) or removed (len == 0). The old code was written as if the updates were a complete enumeration; that was just wrong. Update the code to remove 0-length entries and drop the rbtree traversal. This avoids misdirected (and hung) requests that manifest as server errors like [WRN] client4104 10.0.1.219:0/275025290 misdirected client4104.1:129 0.1 to osd0 not [1,0] in e11/11 Signed-off-by: NSage Weil <sage@newdream.net>
-
由 Sage Weil 提交于
We need to apply the modulo pg_num calculation before looking up a pgid in the pg_temp mapping rbtree. This fixes pg_temp mappings, and fixes (some) misdirected requests that result in messages like [WRN] client4104 10.0.1.219:0/275025290 misdirected client4104.1:129 0.1 to osd0 not [1,0] in e11/11 on the server and stall make the client block without getting a reply (at least until the pg_temp mapping goes way, but that can take a long long time). Reorder calc_pg_raw() a bit to make more sense. Signed-off-by: NSage Weil <sage@newdream.net>
-
- 28 9月, 2011 4 次提交
-
-
由 Ben Greear 提交于
If reg_vif_xmit cannot find a routing entry, be sure to free the skb before returning the error. Signed-off-by: NBen Greear <greearb@candelatech.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Madalin Bucur 提交于
return value of dst_alloc must be checked before use Signed-off-by: NMadalin Bucur <madalin.bucur@freescale.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Madalin Bucur 提交于
return value of dst_alloc must be checked before use Signed-off-by: NMadalin Bucur <madalin.bucur@freescale.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ben Greear 提交于
Have to free the skb before returning if we fail the fib lookup. Signed-off-by: NBen Greear <greearb@candelatech.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 23 9月, 2011 1 次提交
-
-
由 Antonio Quartulli 提交于
corrects a critical bug of the GW feature. This bug made all the unicast packets destined to a GW to be sent as broadcast. This bug is present even if the sender GW feature is configured as OFF. It's an urgent bug fix and should be committed as soon as possible. This was a regression introduced by 43676ab5Signed-off-by: NAntonio Quartulli <ordex@autistici.org> Signed-off-by: NMarek Lindner <lindner_marek@yahoo.de>
-
- 22 9月, 2011 3 次提交
-
-
由 Jouni Malinen 提交于
Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Cc: stable@kernel.org Signed-off-by: NJouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Steffen Klassert 提交于
When asyncronous crypto algorithms are used, there might be many packets that passed the xfrm replay check, but the replay advance function is not called yet for these packets. So the replay check function would accept a replay of all of these packets. Also the system might crash if there are more packets in async processing than the size of the anti replay window, because the replay advance function would try to update the replay window beyond the bounds. This pach adds a second replay check after resuming from the async processing to fix these issues. Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Acked-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Gao feng 提交于
add new fib rule can cause BUG_ON happen the reproduce shell is ip rule add pref 38 ip rule add pref 38 ip rule add to 192.168.3.0/24 goto 38 ip rule del pref 38 ip rule add to 192.168.3.0/24 goto 38 ip rule add pref 38 then the BUG_ON will happen del BUG_ON and use (ctarget == NULL) identify whether this rule is unresolved Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 21 9月, 2011 1 次提交
-
-
由 Roy Li 提交于
When calling snmp6_alloc_dev fails, the snmp6 relevant memory are freed by snmp6_alloc_dev. Calling in6_dev_finish_destroy will free these memory twice. Double free will lead that undefined behavior occurs. Signed-off-by: NRoy Li <rongqing.li@windriver.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 9月, 2011 1 次提交
-
-
由 Zheng Yan 提交于
D-SACK is allowed to reside below snd_una. But the corresponding check in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 17 9月, 2011 5 次提交
-
-
由 Yan, Zheng 提交于
Current IPv6 implementation uses inetpeer to store metrics for routes. The problem of inetpeer is that it doesn't take subnet prefix length in to consideration. If two routes have the same address but different prefix length, they share same inetpeer. So changing metrics of one route also affects the other. The fix is to allocate separate metrics storage for each route. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Andi Kleen 提交于
The externs here didn't agree with the declarations in qos.c. Better would be probably to move this into a header, but since it's common practice to have naked externs with sysctls I left it for now. Cc: samuel@sortiz.org Signed-off-by: NAndi Kleen <ak@linux.intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 dpward 提交于
With the conversion of struct flowi to a union of AF-specific structs, some operations on the flow cache need to account for the exact size of the key. Signed-off-by: NDavid Ward <david.ward@ll.mit.edu> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Yan, Zheng 提交于
Commit 4670994d(net,rcu: convert call_rcu(fc_rport_free_rcu) to kfree_rcu()) introduced a memory leak. This patch reverts it. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Commit bd30ce4b (caif: Use RCU instead of spin-lock in caif_dev.c) added a potential NULL dereference in case alloc_percpu() fails. caif_device_alloc() can also use GFP_KERNEL instead of GFP_ATOMIC. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> CC: Sjur Brændeland <sjur.brandeland@stericsson.com> Acked-by: NSjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-