1. 13 Feb, 2010 4 commits
    • ipv6: fib: fix crash when changing large fib while dumping it · 2bec5a36
      Patrick McHardy committed
      When the fib size exceeds what can be dumped in a single skb, the
      dump is suspended and resumed once the last skb has been received
      by userspace. When the fib is changed while the dump is suspended,
      the walker might contain stale pointers, causing a crash when the
      dump is resumed.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      IP: [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
      PGD 5347a067 PUD 65c7067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      ...
      RIP: 0010:[<ffffffffa01bce04>]
      [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
      ...
      Call Trace:
       [<ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71
       [<ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6]
       [<ffffffff81371af4>] netlink_dump+0x5b/0x19e
       [<ffffffff8134f288>] ? consume_skb+0x28/0x2a
       [<ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6
       [<ffffffff81372781>] ? netlink_unicast+0xfa/0x151
       [<ffffffff813483e0>] __sock_recvmsg+0x6d/0x79
       [<ffffffff81348a53>] sock_recvmsg+0xca/0xe3
       [<ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38
       [<ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10
       [<ffffffff810b3ed7>] ? find_get_page+0x90/0xa5
       [<ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f
       [<ffffffff810ef152>] ? fget_light+0x2f/0xac
       [<ffffffff813519e7>] ? verify_iovec+0x4f/0x94
       [<ffffffff81349a65>] sys_recvmsg+0x14d/0x223
      
      Store the serial number when beginning to walk the fib and reload
      pointers when continuing to walk after a change occurred. Similar
      to other dumping functions, this might cause unrelated entries to
      be missed when entries are deleted.
      Tested-by: Ben Greear <greearb@candelatech.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • dccp: allow probing of CCID-array length · 69a6a0b3
      Gerrit Renker committed
      This fixes a problem in the DCCP getsockopt() API: currently there is no way
      for a user to a priori know the number of built-in CCIDs, other than trying
      DCCP_SOCKOPT_AVAILABLE_CCIDS in a loop, incrementing the option length until
      EINVAL is no longer returned.
      
      This patch truncates the array to the user-provided length. No copy is made
      when the length is <= 0.
      
      Due to the length restriction in do_dccp_getsockopt() to sizeof(int), the
      minimum array length remains 4, which is a reasonable default (only 3
      CCIDs, CCID-2..4, are currently defined).
      Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • macb: straighten out macb_mii_probe function · 7455a76f
      Jiri Pirko committed
      Use "phy_find_first" instead of manual lookup. Also use "phy_connect_direct"
      instead of "phy_connect" since we already have phy_device pointer here.
      Signed-off-by: Jiri Pirko <jpirko@redhat.com>
      Acked-by: Haavard Skinnemoen <haavard.skinnemoen@atmel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: use netdev_mc_count and netdev_mc_empty when appropriate · 4cd24eaf
      Jiri Pirko committed
      This patch replaces dev->mc_count in all drivers (hopefully I didn't miss
      anything). Used spatch and did small tweaks and coding style changes when
      it was suitable.
      
      Jirka
      Signed-off-by: Jiri Pirko <jpirko@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 12 Feb, 2010 1 commit
  3. 11 Feb, 2010 22 commits
  4. 10 Feb, 2010 1 commit
  5. 09 Feb, 2010 11 commits
  6. 06 Feb, 2010 1 commit