- 20 7月, 2010 3 次提交
-
-
由 Herbert Xu 提交于
The new netpoll code in bridging contains use-after-free bugs that are non-trivial to fix. This patch fixes this by removing the code that uses skbs after they're freed. As a consequence, this means that we can no longer call bridge from the netpoll path, so this patch also removes the controller function in order to disable netpoll. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Thanks, Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ilpo Järvinen 提交于
It can happen that there are no packets in queue while calling tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns NULL and that gets deref'ed to get sacked into a local var. There is no work to do if no packets are outstanding so we just exit early. This oops was introduced by 08ebd172 (tcp: remove tp->lost_out guard to make joining diff nicer). Signed-off-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi> Reported-by: NLennart Schulte <lennart.schulte@nets.rwth-aachen.de> Tested-by: NLennart Schulte <lennart.schulte@nets.rwth-aachen.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 7月, 2010 1 次提交
-
-
由 Arnaud Ebalard 提交于
The input handler for Type 2 Routing Header (mip6_rthdr_input()) checks if the CoA in the packet matches the CoA in the XFRM state. Current check is buggy: it compares the adddress in the Type 2 Routing Header, i.e. the HoA, against the expected CoA in the state. The comparison should be made against the address in the destination field of the IPv6 header. The bug remained unnoticed because the main (and possibly only current) user of the code (UMIP MIPv6 Daemon) initializes the XFRM state with the unspecified address, i.e. explicitly allows everything. Yoshifuji-san, can you ack that one? Signed-off-by: NArnaud Ebalard <arno@natisbad.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 17 7月, 2010 3 次提交
-
-
由 Robert Jennings 提交于
The order of freeing the IRQ and freeing the device in firmware in ibmveth_close can cause the adapter to become unusable after a subsequent ibmveth_open. Only a reboot of the OS will make the network device usable again. This is seen when cycling the adapter up and down while there is network activity. There is a window where an IRQ will be left unserviced (H_EOI will not be called). The solution is to make a VIO_IRQ_DISABLE h_call, free the device with firmware, and then call free_irq. Signed-off-by: NRobert Jennings <rcj@linux.vnet.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Stephen Boyd 提交于
The rt2x00dev->intf_work workqueue is never initialized when a driver is probed for a non-existent device (in this case rt2500usb). On such a path we call rt2x00lib_remove_dev() to free any resources initialized during the probe before we use INIT_WORK to initialize the workqueue. This causes lockdep to get confused since the lock used in the workqueue hasn't been initialized yet but is now being acquired during cancel_work_sync() called by rt2x00lib_remove_dev(). Fix this by initializing the workqueue first before we attempt to probe the device. This should make lockdep happy and avoid breaking any assumptions about how the library cleans up after a probe fails. phy0 -> rt2x00lib_probe_dev: Error - Failed to allocate device. INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. Pid: 2027, comm: modprobe Not tainted 2.6.35-rc5+ #60 Call Trace: [<ffffffff8105fe59>] register_lock_class+0x152/0x31f [<ffffffff81344a00>] ? usb_control_msg+0xd5/0x111 [<ffffffff81061bde>] __lock_acquire+0xce/0xcf4 [<ffffffff8105f6fd>] ? trace_hardirqs_off+0xd/0xf [<ffffffff81492aef>] ? _raw_spin_unlock_irqrestore+0x33/0x41 [<ffffffff810628d5>] lock_acquire+0xd1/0xf7 [<ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e [<ffffffff8104f06e>] __cancel_work_timer+0xd0/0x17e [<ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e [<ffffffff8104f136>] cancel_work_sync+0xb/0xd [<ffffffffa0096675>] rt2x00lib_remove_dev+0x25/0xb0 [rt2x00lib] [<ffffffffa0096bf7>] rt2x00lib_probe_dev+0x380/0x3ed [rt2x00lib] [<ffffffff811d78a7>] ? __raw_spin_lock_init+0x31/0x52 [<ffffffffa00bbd2c>] ? T.676+0xe/0x10 [rt2x00usb] [<ffffffffa00bbe4f>] rt2x00usb_probe+0x121/0x15e [rt2x00usb] [<ffffffff813468bd>] usb_probe_interface+0x151/0x19e [<ffffffff812ea08e>] driver_probe_device+0xa7/0x136 [<ffffffff812ea167>] __driver_attach+0x4a/0x66 [<ffffffff812ea11d>] ? __driver_attach+0x0/0x66 [<ffffffff812e96ca>] bus_for_each_dev+0x54/0x89 [<ffffffff812e9efd>] driver_attach+0x19/0x1b [<ffffffff812e9b64>] bus_add_driver+0xb4/0x204 [<ffffffff812ea41b>] driver_register+0x98/0x109 [<ffffffff813465dd>] usb_register_driver+0xb2/0x173 [<ffffffffa00ca000>] ? rt2500usb_init+0x0/0x20 [rt2500usb] [<ffffffffa00ca01e>] rt2500usb_init+0x1e/0x20 [rt2500usb] [<ffffffff81000203>] do_one_initcall+0x6d/0x17a [<ffffffff8106cae8>] sys_init_module+0x9c/0x1e0 [<ffffffff8100296b>] system_call_fastpath+0x16/0x1b Signed-off-by: NStephen Boyd <bebarino@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 16 7月, 2010 2 次提交
-
-
由 Michael S. Tsirkin 提交于
Guest can trigger packet truncation by posting a very short buffer and disabling buffer merging. Convert pr_err to pr_debug to avoid log from filling up when this happens. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Ben Greear 提交于
This was detected using two mcast router tables. The pimreg for the second interface did not have a specific mrule, so packets received by it were handled by the default table, which had nothing configured. This caused the ipmr_fib_lookup to fail, causing the memory leak. Signed-off-by: NBen Greear <greearb@candelatech.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 15 7月, 2010 7 次提交
-
-
由 Michael S. Tsirkin 提交于
We flush under vq mutex when changing backends. This creates a deadlock as workqueue being flushed needs this lock as well. https://bugzilla.redhat.com/show_bug.cgi?id=612421 Drop the vq mutex before flush: we have the device mutex which is sufficient to prevent another ioctl from touching the vq. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Tom Herbert 提交于
Fix problem in reading the tx_queue recorded in a socket. In dev_pick_tx, the TX queue is read by doing a check with sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get. The problem is that there is not mutual exclusion across these calls in the socket so it it is possible that the queue in the sock can be invalidated after sk_tx_queue_recorded is called so that sk_tx_queue get returns -1, which sets 65535 in queue_index and thus dev_pick_tx returns 65536 which is a bogus queue and can cause crash in dev_queue_xmit. We fix this by only calling sk_tx_queue_get which does the proper checks. The interface is that sk_tx_queue_get returns the TX queue if the sock argument is non-NULL and TX queue is recorded, else it returns -1. sk_tx_queue_recorded is no longer used so it can be completely removed. Signed-off-by: NTom Herbert <therbert@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Doug Kehn 提交于
When configuring DMVPN (GRE + openNHRP) and a GRE remote address is configured a kernel Oops is observed. The obserseved Oops is caused by a NULL header_ops pointer (neigh->dev->header_ops) in neigh_update_hhs() when void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *) = neigh->dev->header_ops->cache_update; is executed. The dev associated with the NULL header_ops is the GRE interface. This patch guards against the possibility that header_ops is NULL. This Oops was first observed in kernel version 2.6.26.8. Signed-off-by: NDoug Kehn <rdkehn@yahoo.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
commit fc6055a5 (net: Introduce skb_orphan_try()) added early orphaning of skbs. This unfortunately added a performance regression in skb_tx_hash() in case of stacked devices (bonding, vlans, ...) Since skb->sk is now NULL, we cannot access sk->sk_hash anymore to spread tx packets to multiple NIC queues on multiqueue devices. skb_tx_hash() in this case only uses skb->protocol, same value for all flows. skb_orphan_try() can copy sk->sk_hash into skb->rxhash and skb_tx_hash() can use this saved sk_hash value to compute its internal hash value. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Changli Gao 提交于
rfs: call sock_rps_record_flow() in tcp_splice_read() call sock_rps_record_flow() in tcp_splice_read(), so the applications using splice(2) or sendfile(2) can utilize RFS. Signed-off-by: NChangli Gao <xiaosuo@gmail.com> ---- net/ipv4/tcp.c | 1 + 1 file changed, 1 insertion(+) Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Timo Teräs 提交于
xfrm_resolve_and_create_bundle() assumed that, if policies indicated presence of xfrms, bundle template resolution would always return some xfrms. This is not true for 'use' level policies which can result in no xfrm's being applied if there is no suitable xfrm states. This fixes a crash by this incorrect assumption. Reported-by: NGeorge Spelvin <linux@horizon.com> Bisected-by: NGeorge Spelvin <linux@horizon.com> Tested-by: NGeorge Spelvin <linux@horizon.com> Signed-off-by: NTimo Teräs <timo.teras@iki.fi> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 John W. Linville 提交于
"hostap: Protect against initialization interrupt" (which reinstated "wireless: hostap, fix oops due to early probing interrupt") reintroduced Bug 16111. This is because hostap_pci wasn't setting dev->base_addr, which is now checked in prism2_interrupt. As a result, initialization was failing for PCI-based hostap devices. This corrects that oversight. Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 13 7月, 2010 4 次提交
-
-
由 Ken Kawasaki 提交于
Use spin_lock_irqsave instead of spin_lock in ax_interrupt because the interrupt handler can also be invoked from ei_watchdog. Signed-off-by: NKen Kawasaki <ken_kawasaki@spring.nifty.jp> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Based upon a report by Randy Dunlap. DSA needs PHYLIB, but PHYLIB needs NET_ETHERNET. So, in order to select PHYLIB we have to make DSA depend upon NET_ETHERNET. Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Changli Gao 提交于
not all of the ICMP packets need an IP header payload, so we check the length of the skbs only when the packets should have an IP header payload. Based upon analysis and initial patch by Rodrigo Partearroyo González. Signed-off-by: NChangli Gao <xiaosuo@gmail.com> Acked-by: NHerbert Xu <herbert@gondor.apana.org.au> ---- net/sched/act_nat.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 12 7月, 2010 1 次提交
-
-
由 Francois Romieu 提交于
Merge error. See CFG_METHOD_8 (0x3c800000 + 0x00300000) since version 8.002.00 of Realtek's driver. Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com> Cc: Hayes <hayeswang@realtek.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 09 7月, 2010 4 次提交
-
-
由 Rémi Denis-Courmont 提交于
Signed-off-by: NRémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ville Tervo 提交于
Update auth level for already existing connections if it is lower than required by new connection. Signed-off-by: NVille Tervo <ville.tervo@nokia.com> Reviewed-by: NEmeltchenko Andrei <andrei.emeltchenko@nokia.com> Signed-off-by: NLuciano Coelho <luciano.coelho@nokia.com> Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@nokia.com> Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
-
由 Johan Hedberg 提交于
When authentication fails for a connection the assumed security level should be set back to BT_SECURITY_LOW so that subsequent connect attempts over the same link don't falsely assume that security is adequate enough. Signed-off-by: NJohan Hedberg <johan.hedberg@nokia.com> Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
-
由 Andrei Emeltchenko 提交于
Due to race condition in L2CAP state machine L2CAP Connection Request may be sent twice for SDP with the same source channel id. Problems reported connecting to Apple products, some carkit, Blackberry phones. ... 2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12 L2CAP(s): Connect req: psm 1 scid 0x0040 2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3 status 0x00 handle 1 2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12 L2CAP(s): Connect req: psm 1 scid 0x0040 ... Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection Request has been sent already. Modified version of patch from Ville Tervo. Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@nokia.com> Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
-
- 08 7月, 2010 5 次提交
-
-
由 Ralf Baechle 提交于
Signed-off-by: NRalf Baechle <ralf@linux-mips.org> drivers/net/sb1250-mac.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Wu Fengguang 提交于
The original KERN_CRIT will mess up terminals. CC: Sreenivasa Honnur <Sreenivasa.Honnur@neterion.com> Signed-off-by: NWu Fengguang <fengguang.wu@intel.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Denis Kirjanov 提交于
Fix missing iounmaps. Signed-off-by: NDenis Kirjanov <dkirjanov@kernel.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Herbert Xu 提交于
The bridge protocol lives dangerously by having incestuous relations with the IP stack. In this instance an abomination has been created where a bogus IPCB area from a bridged packet leads to a crash in the IP stack because it's interpreted as IP options. This patch papers over the problem by clearing the IPCB area in that particular spot. To fix this properly we'd also need to parse any IP options if present but I'm way too lazy for that. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Cheers, Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Rajkumar Manoharan 提交于
Failure cases within ath9k_hif_usb_alloc_urbs are failed to release allocated memory. Signed-off-by: NRajkumar Manoharan <rmanoharan@atheros.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 06 7月, 2010 3 次提交
-
-
由 Herbert Xu 提交于
On Tue, Jul 06, 2010 at 08:48:35AM +0800, Herbert Xu wrote: > > bridge: Restore NULL check in br_mdb_ip_get Resend with proper attribution. bridge: Restore NULL check in br_mdb_ip_get Somewhere along the line the NULL check in br_mdb_ip_get went AWOL, causing crashes when we receive an IGMP packet with no multicast table allocated. This patch restores it and ensures all br_mdb_*_get functions use it. Reported-by: NFrank Arnold <frank.arnold@amd.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Thanks, Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Ben Hutchings 提交于
netif_vdbg() was originally defined as entirely equivalent to netdev_vdbg(), but I assume that it was intended to take the same parameters as netif_dbg() etc. (Currently it is only used by the sfc driver, in which I worked on that assumption.) In commit a4ed89cb I changed the definition used when VERBOSE_DEBUG is not defined, but I failed to notice that the definition used when VERBOSE_DEBUG is defined was also not as I expected. Change that to match netif_dbg() as well. Signed-off-by: NBen Hutchings <bhutchings@solarflare.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Kulikov Vasiliy 提交于
net_device allocated with alloc_eip_netdev() must be freed. Signed-off-by: NKulikov Vasiliy <segooon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 05 7月, 2010 1 次提交
-
-
由 Peter Kosyh 提交于
While using xfrm by MARK feature in 2.6.34 - 2.6.35 kernels, the mark is always cleared in flowi structure via memset in _decode_session4 (net/ipv4/xfrm4_policy.c), so the policy lookup fails. IPv6 code is affected by this bug too. Signed-off-by: NPeter Kosyh <p.kosyh@gmail.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 03 7月, 2010 6 次提交
-
-
由 Rusty Russell 提交于
virtio net will never try to overflow the TX ring, so the only reason add_buf may fail is out of memory. Thus, we can not stop the device until some request completes - there's no guarantee anything at all is outstanding. Make the error message clearer as well: error here does not indicate queue full. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (...and avoid TX_BUSY) Cc: stable@kernel.org # .34.x (s/virtqueue_/vi->svq->vq_ops->/) Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Michael S. Tsirkin 提交于
We currently fill all of RX ring, then add_buf returns ENOSPC, which gets mis-detected as an out of memory condition and causes us to reschedule the work, and so on forever. Fix this by oom = err == -ENOMEM; Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au> Cc: stable@kernel.org # .34.x Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Jon Mason 提交于
This patch resolves a number of issues in the statistics gathering of the s2io driver. On Xframe adapters, the received multicast statistics counter includes pause frames which are not indicated to the driver. This can cause issues where the multicast packet count is higher than what has actually been received, possibly higher than the number of packets received. The driver software counters are replaced with the adapter hardware statistics for rx_packets, rx_bytes, and tx_bytes. It also uses the overflow registers to determine if the statistics wrapped the 32bit register (removing the window of having a statistic value less than the previous call). rx_length_errors statistic now includes undersized packets in addition to oversized packets in its counting. Finally, rx_crc_errors are now being counted. Signed-off-by: NJon Mason <jon.mason@exar.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Randy Dunlap 提交于
Fix kernel-doc warnings in linux/net.h: Warning(include/linux/net.h:151): No description found for parameter 'wq' Warning(include/linux/net.h:151): Excess struct/union/enum/typedef member 'fasync_list' description in 'socket' Warning(include/linux/net.h:151): Excess struct/union/enum/typedef member 'wait' description in 'socket' Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>