1. 06 10月, 2010 1 次提交
  2. 05 10月, 2010 2 次提交
  3. 04 10月, 2010 6 次提交
    • D
      sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() · 51e97a12
      Dan Rosenberg 提交于
      The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
      array and attempts to ensure that only a supported hmac entry is
      returned.  The current code fails to do this properly - if the last id
      in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
      id integer remains set after exiting the loop, and the address of an
      out-of-bounds entry will be returned and subsequently used in the parent
      function, causing potentially ugly memory corruption.  This patch resets
      the id integer to 0 on encountering an invalid id so that NULL will be
      returned after finishing the loop if no valid ids are found.
      Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com>
      Acked-by: NVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51e97a12
    • D
      sctp: prevent reading out-of-bounds memory · d7e0d19a
      Dan Rosenberg 提交于
      Two user-controlled allocations in SCTP are subsequently dereferenced as
      sockaddr structs, without checking if the dereferenced struct members fall
      beyond the end of the allocated chunk.  There doesn't appear to be any
      information leakage here based on how these members are used and
      additional checking, but it's still worth fixing.
      
      [akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion]
      Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com>
      Acked-by: NVlad Yasevich <vladislav.yasevich@hp.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7e0d19a
    • D
      ipv4: correct IGMP behavior on v3 query during v2-compatibility mode · 5b7c8406
      David Stevens 提交于
      A recent patch to allow IGMPv2 responses to IGMPv3 queries
      bypasses length checks for valid query lengths, incorrectly
      resets the v2_seen timer, and does not support IGMPv1.
      
      The following patch responds with a v2 report as required
      by IGMPv2 while correcting the other problems introduced
      by the patch.
      Signed-Off-By: NDavid L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5b7c8406
    • B
      Revert "ipv4: Make INET_LRO a bool instead of tristate." · c5d35571
      Ben Hutchings 提交于
      This reverts commit e81963b1.
      
      LRO is now deprecated in favour of GRO, and only a few drivers use it,
      so it is desirable to build it as a module in distribution kernels.
      
      The original change to prevent building it as a module was made in an
      attempt to avoid the case where some dependents are set to y and some
      to m, and INET_LRO can be set to m rather than y.  However, the
      Kconfig system will reliably set INET_LRO=y in this case.
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5d35571
    • N
      net: Fix the condition passed to sk_wait_event() · 482964e5
      Nagendra Tomar 提交于
      This patch fixes the condition (3rd arg) passed to sk_wait_event() in
      sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
      causes the following soft lockup in tcp_sendmsg() when the global tcp
      memory pool has exhausted.
      
      >>> snip <<<
      
      localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
      localhost kernel: CPU 3:
      localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
      localhost kernel:
      localhost kernel: Call Trace:
      localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
      localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
      localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
      localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
      localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
      localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
      
      >>> snip <<<
      
      What is happening is, that the sk_wait_event() condition passed from
      sk_stream_wait_memory() evaluates to true for the case of tcp global memory
      exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
      which causes sk_wait_event() to *not* call schedule_timeout().
      Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
      This causes the caller to again try allocation, which again fails and again
      calls sk_stream_wait_memory(), and so on.
      
      [ Bug introduced by commit c1cbe4b7
        ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
      Signed-off-by: NNagendra Singh Tomar <tomer_iisc@yahoo.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      482964e5
    • M
  4. 01 10月, 2010 1 次提交
  5. 30 9月, 2010 6 次提交
    • G
      Revert "Bluetooth: Don't accept ConfigReq if we aren't in the BT_CONFIG state" · b0239c80
      Gustavo F. Padovan 提交于
      This reverts commit 8cb8e6f1.
      
      That commit introduced a regression with the Bluetooth Profile Tuning
      Suite(PTS), Reverting this make sure that L2CAP is in a qualificable
      state.
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      b0239c80
    • G
      Bluetooth: Fix inconsistent lock state with RFCOMM · fad003b6
      Gustavo F. Padovan 提交于
      When receiving a rfcomm connection with the old dund deamon a
      inconsistent lock state happens. That's because interrupts were already
      disabled by l2cap_conn_start() when rfcomm_sk_state_change() try to lock
      the spin_lock.
      
      As result we may have a inconsistent lock state for l2cap_conn_start()
      after rfcomm_sk_state_change() calls bh_lock_sock() and disable interrupts
      as well.
      
      [ 2833.151999]
      [ 2833.151999] =================================
      [ 2833.151999] [ INFO: inconsistent lock state ]
      [ 2833.151999] 2.6.36-rc3 #2
      [ 2833.151999] ---------------------------------
      [ 2833.151999] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      [ 2833.151999] krfcommd/2306 [HC0[0]:SC0[0]:HE1:SE1] takes:
      [ 2833.151999]  (slock-AF_BLUETOOTH){+.?...}, at: [<ffffffffa00bcb56>] rfcomm_sk_state_change+0x46/0x170 [rfcomm]
      [ 2833.151999] {IN-SOFTIRQ-W} state was registered at:
      [ 2833.151999]   [<ffffffff81094346>] __lock_acquire+0x5b6/0x1560
      [ 2833.151999]   [<ffffffff8109534a>] lock_acquire+0x5a/0x70
      [ 2833.151999]   [<ffffffff81392b6c>] _raw_spin_lock+0x2c/0x40
      [ 2833.151999]   [<ffffffffa00a5092>] l2cap_conn_start+0x92/0x640 [l2cap]
      [ 2833.151999]   [<ffffffffa00a6a3f>] l2cap_sig_channel+0x6bf/0x1320 [l2cap]
      [ 2833.151999]   [<ffffffffa00a9173>] l2cap_recv_frame+0x133/0x770 [l2cap]
      [ 2833.151999]   [<ffffffffa00a997b>] l2cap_recv_acldata+0x1cb/0x390 [l2cap]
      [ 2833.151999]   [<ffffffffa000db4b>] hci_rx_task+0x2ab/0x450 [bluetooth]
      [ 2833.151999]   [<ffffffff8106b22b>] tasklet_action+0xcb/0xe0
      [ 2833.151999]   [<ffffffff8106b91e>] __do_softirq+0xae/0x150
      [ 2833.151999]   [<ffffffff8102bc0c>] call_softirq+0x1c/0x30
      [ 2833.151999]   [<ffffffff8102ddb5>] do_softirq+0x75/0xb0
      [ 2833.151999]   [<ffffffff8106b56d>] irq_exit+0x8d/0xa0
      [ 2833.151999]   [<ffffffff8104484b>] smp_apic_timer_interrupt+0x6b/0xa0
      [ 2833.151999]   [<ffffffff8102b6d3>] apic_timer_interrupt+0x13/0x20
      [ 2833.151999]   [<ffffffff81029dfa>] cpu_idle+0x5a/0xb0
      [ 2833.151999]   [<ffffffff81381ded>] rest_init+0xad/0xc0
      [ 2833.151999]   [<ffffffff817ebc4d>] start_kernel+0x2dd/0x2e8
      [ 2833.151999]   [<ffffffff817eb2e6>] x86_64_start_reservations+0xf6/0xfa
      [ 2833.151999]   [<ffffffff817eb3ce>] x86_64_start_kernel+0xe4/0xeb
      [ 2833.151999] irq event stamp: 731
      [ 2833.151999] hardirqs last  enabled at (731): [<ffffffff8106b762>] local_bh_enable_ip+0x82/0xe0
      [ 2833.151999] hardirqs last disabled at (729): [<ffffffff8106b93e>] __do_softirq+0xce/0x150
      [ 2833.151999] softirqs last  enabled at (730): [<ffffffff8106b96e>] __do_softirq+0xfe/0x150
      [ 2833.151999] softirqs last disabled at (711): [<ffffffff8102bc0c>] call_softirq+0x1c/0x30
      [ 2833.151999]
      [ 2833.151999] other info that might help us debug this:
      [ 2833.151999] 2 locks held by krfcommd/2306:
      [ 2833.151999]  #0:  (rfcomm_mutex){+.+.+.}, at: [<ffffffffa00bb744>] rfcomm_run+0x174/0xb20 [rfcomm]
      [ 2833.151999]  #1:  (&(&d->lock)->rlock){+.+...}, at: [<ffffffffa00b9223>] rfcomm_dlc_accept+0x53/0x100 [rfcomm]
      [ 2833.151999]
      [ 2833.151999] stack backtrace:
      [ 2833.151999] Pid: 2306, comm: krfcommd Tainted: G        W   2.6.36-rc3 #2
      [ 2833.151999] Call Trace:
      [ 2833.151999]  [<ffffffff810928e1>] print_usage_bug+0x171/0x180
      [ 2833.151999]  [<ffffffff810936c3>] mark_lock+0x333/0x400
      [ 2833.151999]  [<ffffffff810943ca>] __lock_acquire+0x63a/0x1560
      [ 2833.151999]  [<ffffffff810948b5>] ? __lock_acquire+0xb25/0x1560
      [ 2833.151999]  [<ffffffff8109534a>] lock_acquire+0x5a/0x70
      [ 2833.151999]  [<ffffffffa00bcb56>] ? rfcomm_sk_state_change+0x46/0x170 [rfcomm]
      [ 2833.151999]  [<ffffffff81392b6c>] _raw_spin_lock+0x2c/0x40
      [ 2833.151999]  [<ffffffffa00bcb56>] ? rfcomm_sk_state_change+0x46/0x170 [rfcomm]
      [ 2833.151999]  [<ffffffffa00bcb56>] rfcomm_sk_state_change+0x46/0x170 [rfcomm]
      [ 2833.151999]  [<ffffffffa00b9239>] rfcomm_dlc_accept+0x69/0x100 [rfcomm]
      [ 2833.151999]  [<ffffffffa00b9a49>] rfcomm_check_accept+0x59/0xd0 [rfcomm]
      [ 2833.151999]  [<ffffffffa00bacab>] rfcomm_recv_frame+0x9fb/0x1320 [rfcomm]
      [ 2833.151999]  [<ffffffff813932bb>] ? _raw_spin_unlock_irqrestore+0x3b/0x60
      [ 2833.151999]  [<ffffffff81093acd>] ? trace_hardirqs_on_caller+0x13d/0x180
      [ 2833.151999]  [<ffffffff81093b1d>] ? trace_hardirqs_on+0xd/0x10
      [ 2833.151999]  [<ffffffffa00bb7f1>] rfcomm_run+0x221/0xb20 [rfcomm]
      [ 2833.151999]  [<ffffffff813905e7>] ? schedule+0x287/0x780
      [ 2833.151999]  [<ffffffffa00bb5d0>] ? rfcomm_run+0x0/0xb20 [rfcomm]
      [ 2833.151999]  [<ffffffff81081026>] kthread+0x96/0xa0
      [ 2833.151999]  [<ffffffff8102bb14>] kernel_thread_helper+0x4/0x10
      [ 2833.151999]  [<ffffffff813936bc>] ? restore_args+0x0/0x30
      [ 2833.151999]  [<ffffffff81080f90>] ? kthread+0x0/0xa0
      [ 2833.151999]  [<ffffffff8102bb10>] ? kernel_thread_helper+0x0/0x10
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      fad003b6
    • G
      Bluetooth: Simplify L2CAP Streaming mode sending · ccbb84af
      Gustavo F. Padovan 提交于
      As we don't have any error control on the Streaming mode, i.e., we don't
      need to keep a copy of the skb for later resending we don't need to
      call skb_clone() on it.
      Then we can go one further here, and dequeue the skb before sending it,
      that also means we don't need to look to sk->sk_send_head anymore.
      
      The patch saves memory and time when sending Streaming mode data, so
      it is good to mainline.
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      ccbb84af
    • A
      Bluetooth: fix MTU L2CAP configuration parameter · 8183b775
      Andrei Emeltchenko 提交于
      When receiving L2CAP negative configuration response with respect
      to MTU parameter we modify wrong field. MTU here means proposed
      value of MTU that the remote device intends to transmit. So for local
      L2CAP socket it is pi->imtu.
      Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@nokia.com>
      Acked-by: NVille Tervo <ville.tervo@nokia.com>
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      8183b775
    • M
      Bluetooth: Only enable L2CAP FCS for ERTM or streaming · 8c462b60
      Mat Martineau 提交于
      This fixes a bug which caused the FCS setting to show L2CAP_FCS_CRC16
      with L2CAP modes other than ERTM or streaming.  At present, this only
      affects the FCS value shown with getsockopt() for basic mode.
      Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
      Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
      8c462b60
    • K
      Phonet: Correct header retrieval after pskb_may_pull · a91e7d47
      Kumar Sanghvi 提交于
      Retrieve the header after doing pskb_may_pull since, pskb_may_pull
      could change the buffer structure.
      
      This is based on the comment given by Eric Dumazet on Phonet
      Pipe controller patch for a similar problem.
      Signed-off-by: NKumar Sanghvi <kumar.sanghvi@stericsson.com>
      Acked-by: NLinus Walleij <linus.walleij@stericsson.com>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Acked-by: NRémi Denis-Courmont <remi.denis-courmont@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a91e7d47
  6. 29 9月, 2010 2 次提交
  7. 28 9月, 2010 4 次提交
  8. 27 9月, 2010 3 次提交
  9. 25 9月, 2010 2 次提交
    • E
      net: fix a lockdep splat · f064af1e
      Eric Dumazet 提交于
      We have for each socket :
      
      One spinlock (sk_slock.slock)
      One rwlock (sk_callback_lock)
      
      Possible scenarios are :
      
      (A) (this is used in net/sunrpc/xprtsock.c)
      read_lock(&sk->sk_callback_lock) (without blocking BH)
      <BH>
      spin_lock(&sk->sk_slock.slock);
      ...
      read_lock(&sk->sk_callback_lock);
      ...
      
      (B)
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      
      (C)
      spin_lock_bh(&sk->sk_slock)
      ...
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      spin_unlock_bh(&sk->sk_slock)
      
      This (C) case conflicts with (A) :
      
      CPU1 [A]                         CPU2 [C]
      read_lock(callback_lock)
      <BH>                             spin_lock_bh(slock)
      <wait to spin_lock(slock)>
                                       <wait to write_lock_bh(callback_lock)>
      
      We have one problematic (C) use case in inet_csk_listen_stop() :
      
      local_bh_disable();
      bh_lock_sock(child); // spin_lock_bh(&sk->sk_slock)
      WARN_ON(sock_owned_by_user(child));
      ...
      sock_orphan(child); // write_lock_bh(&sk->sk_callback_lock)
      
      lockdep is not happy with this, as reported by Tetsuo Handa
      
      It seems only way to deal with this is to use read_lock_bh(callbacklock)
      everywhere.
      
      Thanks to Jarek for pointing a bug in my first attempt and suggesting
      this solution.
      Reported-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Tested-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      CC: Jarek Poplawski <jarkao2@gmail.com>
      Tested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f064af1e
    • J
      mac80211: fix use-after-free · cd87a2d3
      Johannes Berg 提交于
      commit 8c0c709e
      Author: Johannes Berg <johannes@sipsolutions.net>
      Date:   Wed Nov 25 17:46:15 2009 +0100
      
          mac80211: move cmntr flag out of rx flags
      
      moved the CMTR flag into the skb's status, and
      in doing so introduced a use-after-free -- when
      the skb has been handed to cooked monitors the
      status setting will touch now invalid memory.
      
      Additionally, moving it there has effectively
      discarded the optimisation -- since the bit is
      only ever set on freed SKBs, and those were a
      copy, it could never be checked.
      
      For the current release, fixing this properly
      is a bit too involved, so let's just remove the
      problematic code and leave userspace with one
      copy of each frame for each virtual interface.
      
      Cc: stable@kernel.org [2.6.33+]
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      cd87a2d3
  10. 23 9月, 2010 7 次提交
  11. 22 9月, 2010 1 次提交
    • E
      ip: fix truesize mismatch in ip fragmentation · 3d13008e
      Eric Dumazet 提交于
      Special care should be taken when slow path is hit in ip_fragment() :
      
      When walking through frags, we transfert truesize ownership from skb to
      frags. Then if we hit a slow_path condition, we must undo this or risk
      uncharging frags->truesize twice, and in the end, having negative socket
      sk_wmem_alloc counter, or even freeing socket sooner than expected.
      
      Many thanks to Nick Bowler, who provided a very clean bug report and
      test program.
      
      Thanks to Jarek for reviewing my first patch and providing a V2
      
      While Nick bisection pointed to commit 2b85a34e (net: No more
      expensive sock_hold()/sock_put() on each tx), underlying bug is older
      (2.6.12-rc5)
      
      A side effect is to extend work done in commit b2722b1c
      (ip_fragment: also adjust skb->truesize for packets not owned by a
      socket) to ipv6 as well.
      Reported-and-bisected-by: NNick Bowler <nbowler@elliptictech.com>
      Tested-by: NNick Bowler <nbowler@elliptictech.com>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      CC: Jarek Poplawski <jarkao2@gmail.com>
      CC: Patrick McHardy <kaber@trash.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d13008e
  12. 21 9月, 2010 5 次提交
新手
引导
客服 返回
顶部