- 06 1月, 2012 6 次提交
-
-
由 James Morris 提交于
Fix several sparse warnings in the SELinux security server code. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 James Morris 提交于
Fix sparse warnings in SELinux Netlink code. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 James Morris 提交于
Fixes several sparse warnings for selinuxfs.c Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 James Morris 提交于
Sparse fix: declare selinux_disable() in security.h Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 James Morris 提交于
Sparse fix: move selinux_complete_init Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 James Morris 提交于
Sparse fix: make selinux_secmark_refcount static. Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 21 12月, 2011 1 次提交
-
-
由 David Howells 提交于
Fix the following bug in sel_netport_insert() where rcu_dereference() should be rcu_dereference_protected() as sel_netport_lock is held. =================================================== [ INFO: suspicious rcu_dereference_check() usage. ] --------------------------------------------------- security/selinux/netport.c:127 invoked rcu_dereference_check() without protection! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 1 lock held by ossec-rootcheck/3323: #0: (sel_netport_lock){+.....}, at: [<ffffffff8117d775>] sel_netport_sid+0xbb/0x226 stack backtrace: Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095 Call Trace: [<ffffffff8105cfb7>] lockdep_rcu_dereference+0xa7/0xb0 [<ffffffff8117d871>] sel_netport_sid+0x1b7/0x226 [<ffffffff8117d6ba>] ? sel_netport_avc_callback+0xbc/0xbc [<ffffffff8117556c>] selinux_socket_bind+0x115/0x230 [<ffffffff810a5388>] ? might_fault+0x4e/0x9e [<ffffffff810a53d1>] ? might_fault+0x97/0x9e [<ffffffff81171cf4>] security_socket_bind+0x11/0x13 [<ffffffff812ba967>] sys_bind+0x56/0x95 [<ffffffff81380dac>] ? sysret_check+0x27/0x62 [<ffffffff8105b767>] ? trace_hardirqs_on_caller+0x11e/0x155 [<ffffffff81076fcd>] ? audit_syscall_entry+0x17b/0x1ae [<ffffffff811b5eae>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff81380d7b>] system_call_fastpath+0x16/0x1b Signed-off-by: NDavid Howells <dhowells@redhat.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Acked-by: NPaul Moore <paul@paul-moore.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 24 10月, 2011 5 次提交
-
-
由 Linus Torvalds 提交于
-
git://git.infradead.org/iommu-2.6由 Linus Torvalds 提交于
* git://git.infradead.org/iommu-2.6: intel-iommu: fix superpage support in pfn_to_dma_pte() intel-iommu: set iommu_superpage on VM domains to lowest common denominator intel-iommu: fix return value of iommu_unmap() API MAINTAINERS: Update VT-d entry for drivers/pci -> drivers/iommu move intel-iommu: Export a flag indicating that the IOMMU is used for iGFX. intel-iommu: Workaround IOTLB hang on Ironlake GPU intel-iommu: Fix AB-BA lockdep report
-
http://people.redhat.com/agk/git/linux-dm由 Linus Torvalds 提交于
* 'for-linus' of http://people.redhat.com/agk/git/linux-dm: dm kcopyd: fix job_pool leak
-
由 Takashi Iwai 提交于
Commit 4b239f45 ("x86-64, mm: Put early page table high") causes a S4 regression since 2.6.39, namely the machine reboots occasionally at S4 resume. It doesn't happen always, overall rate is about 1/20. But, like other bugs, once when this happens, it continues to happen. This patch fixes the problem by essentially reverting the memory assignment in the older way. Signed-off-by: NTakashi Iwai <tiwai@suse.de> Cc: <stable@kernel.org> Cc: Rafael J. Wysocki <rjw@sisk.pl> Cc: Yinghai Lu <yinghai.lu@oracle.com> [ We'll hopefully find the real fix, but that's too late for 3.1 now ] Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Alasdair G Kergon 提交于
Fix memory leak introduced by commit a6e50b40 (dm snapshot: skip reading origin when overwriting complete chunk). When allocating a set of jobs from kc->job_pool, job->master_job must be set (to point to itself) so that the mempool item gets freed when the master_job completes. master_job was introduced by commit c6ea41fb (dm kcopyd: preallocate sub jobs to avoid deadlock) Reported-by: NMichael Leun <ml@newton.leun.net> Cc: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: NAlasdair G Kergon <agk@redhat.com>
-
- 23 10月, 2011 2 次提交
-
-
git://github.com/kgene/linux-samsung由 Linus Torvalds 提交于
* 'samsung-fixes-4' of git://github.com/kgene/linux-samsung: ARM: S3C24XX: Fix s3c24xx build errors if !CONFIG_PM ARM: S5P: fix offset calculation on gpio-interrupt
-
由 Linus Torvalds 提交于
Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (w83627ehf) Fix negative 8-bit temperature values
-
- 22 10月, 2011 1 次提交
-
-
由 Domenico Andreoli 提交于
v2: - register_syscore_ops(&s3c24xx_irq_syscore_ops) does not need to be conditionally compiled out, it is already optimized out on !CONFIG_PM - fix also s3c2412 and s3c2416 affected by the same build issue v1: s3c2440.c fails to build if !CONFIG_PM because in such case s3c2410_pm_syscore_ops is not defined. Same error should happen also in s3c2410.c and s3c2442.c Signed-off-by: NDomenico Andreoli <cavokz@gmail.com> Signed-off-by: NKukjin Kim <kgene.kim@samsung.com>
-
- 21 10月, 2011 6 次提交
-
-
git://github.com/herbertx/crypto由 Linus Torvalds 提交于
* git://github.com/herbertx/crypto: crypto: ghash - Avoid null pointer dereference if no key is set
-
git://github.com/tiwai/sound由 Linus Torvalds 提交于
* 'fix/hda' of git://github.com/tiwai/sound: ALSA: HDA: conexant support for Lenovo T520/W520 ALSA: hda - Add position_fix quirk for Dell Inspiron 1010
-
由 Nick Bowler 提交于
The ghash_update function passes a pointer to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or if the most recent call to ghash_setkey failed to allocate memory. This causes an oops. Fix this up by returning an error code in the null case. This is trivially triggered from unprivileged userspace through the AF_ALG interface by simply writing to the socket without setting a key. The ghash_final function has a similar issue, but triggering it requires a memory allocation failure in ghash_setkey _after_ at least one successful call to ghash_update. BUG: unable to handle kernel NULL pointer dereference at 00000670 IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cfd #32 Bochs Bochs EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0 EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul] EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000 ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000) Stack: 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000 Call Trace: [<c101a520>] ? kmap_atomic_prot+0x37/0xa6 [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic] [<c11676ed>] crypto_shash_update+0x18/0x1b [<c11679ad>] shash_ahash_update+0x22/0x36 [<c11679cc>] shash_async_update+0xb/0xd [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash] [<c121b24c>] kernel_sendpage+0x39/0x4e [<d88ce000>] ? 0xd88cdfff [<c121b298>] sock_sendpage+0x37/0x3e [<c121b261>] ? kernel_sendpage+0x4e/0x4e [<c10b4dbc>] pipe_to_sendpage+0x56/0x61 [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b51f5>] __splice_from_pipe+0x36/0x55 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b6383>] splice_from_pipe+0x51/0x64 [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c [<c10b63d5>] generic_splice_sendpage+0x13/0x15 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b527f>] do_splice_from+0x5d/0x67 [<c10b6865>] sys_splice+0x2bf/0x363 [<c129373b>] ? sysenter_exit+0xf/0x16 [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f [<c129370c>] sysenter_do_call+0x12/0x32 Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4 CR2: 0000000000000670 ---[ end trace 4eaa2a86a8e2da24 ]--- note: hashatron[1502] exited with preempt_count 1 BUG: scheduling while atomic: hashatron/1502/0x10000002 INFO: lockdep is turned off. [...] Signed-off-by: NNick Bowler <nbowler@elliptictech.com> Cc: stable@kernel.org [2.6.37+] Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Marek Szyprowski 提交于
Offsets of the irq controller registers were calculated correctly only for first GPIO bank. This patch fixes calculation of the register offsets for all GPIO banks. Reported-by: NSylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NKukjin Kim <kgene.kim@samsung.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc: Add alignment flag to PCI expansion resources sparc: Avoid calling sigprocmask() sparc: Use set_current_blocked() sparc32,leon: SRMMU MMU Table probe fix
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: fib_rules: fix unresolved_rules counting r8169: fix wrong eee setting for rlt8111evl r8169: fix driver shutdown WoL regression. ehea: Change maintainer to me pptp: pptp_rcv_core() misses pskb_may_pull() call tproxy: copy transparent flag when creating a time wait pptp: fix skb leak in pptp_xmit() bonding: use local function pointer of bond->recv_probe in bond_handle_frame smsc911x: Add support for SMSC LAN89218 tg3: negate USE_PHYLIB flag check netconsole: enable netconsole can make net_device refcnt incorrent bluetooth: Properly clone LSM attributes to newly created child connections l2tp: fix a potential skb leak in l2tp_xmit_skb() bridge: fix hang on removal of bridge via netlink x25: Prevent skb overreads when checking call user data x25: Handle undersized/fragmented skbs x25: Validate incoming call user data lengths udplite: fast-path computation of checksum coverage IPVS netns shutdown/startup dead-lock netfilter: nf_conntrack: fix event flooding in GRE protocol tracker
-
- 20 10月, 2011 7 次提交
-
-
由 Jean Delvare 提交于
Since 8-bit temperature values are now handled in 16-bit struct members, values have to be cast to s8 for negative temperatures to be properly handled. This is broken since kernel version 2.6.39 (commit bce26c58.) Signed-off-by: NJean Delvare <khali@linux-fr.org> Cc: Guenter Roeck <guenter.roeck@ericsson.com> Cc: stable@kernel.org # 2.6.39+ Signed-off-by: NGuenter Roeck <guenter.roeck@ericsson.com>
-
由 Hugh Dickins 提交于
I don't usually pay much attention to the stale "? " addresses in stack backtraces, but this lucky report from Pawel Sikora hints that mremap's move_ptes() has inadequate locking against page migration. 3.0 BUG_ON(!PageLocked(p)) in migration_entry_to_page(): kernel BUG at include/linux/swapops.h:105! RIP: 0010:[<ffffffff81127b76>] [<ffffffff81127b76>] migration_entry_wait+0x156/0x160 [<ffffffff811016a1>] handle_pte_fault+0xae1/0xaf0 [<ffffffff810feee2>] ? __pte_alloc+0x42/0x120 [<ffffffff8112c26b>] ? do_huge_pmd_anonymous_page+0xab/0x310 [<ffffffff81102a31>] handle_mm_fault+0x181/0x310 [<ffffffff81106097>] ? vma_adjust+0x537/0x570 [<ffffffff81424bed>] do_page_fault+0x11d/0x4e0 [<ffffffff81109a05>] ? do_mremap+0x2d5/0x570 [<ffffffff81421d5f>] page_fault+0x1f/0x30 mremap's down_write of mmap_sem, together with i_mmap_mutex or lock, and pagetable locks, were good enough before page migration (with its requirement that every migration entry be found) came in, and enough while migration always held mmap_sem; but not enough nowadays, when there's memory hotremove and compaction. The danger is that move_ptes() lets a migration entry dodge around behind remove_migration_pte()'s back, so it's in the old location when looking at the new, then in the new location when looking at the old. Either mremap's move_ptes() must additionally take anon_vma lock(), or migration's remove_migration_pte() must stop peeking for is_swap_entry() before it takes pagetable lock. Consensus chooses the latter: we prefer to add overhead to migration than to mremapping, which gets used by JVMs and by exec stack setup. Reported-and-tested-by: NPaweł Sikora <pluto@agmk.net> Signed-off-by: NHugh Dickins <hughd@google.com> Acked-by: NAndrea Arcangeli <aarcange@redhat.com> Acked-by: NMel Gorman <mgorman@suse.de> Cc: stable@vger.kernel.org Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Kjetil Oftedal 提交于
Currently no type of alignment is specified for PCI expansion roms while parsing the openfirmware tree. This causes calls to pci_map_rom() to fail. IORESOURCE_SIZEALIGN is the default alignment used for rom resouces in pci/probe.c, and has been verified to work with various cards on a ultra 10. Signed-off-By: NKjetil Oftedal <oftedal@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Yan, Zheng 提交于
we should decrease ops->unresolved_rules when deleting a unresolved rule. Signed-off-by: NZheng Yan <zheng.z.yan@intel.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 hayeswang 提交于
Correct the wrong parameter for setting EEE for RTL8111E-VL. Signed-off-by: NHayes Wang <hayeswang@realtek.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 françois romieu 提交于
Due to commit 92fc43b4 ("r8169: modify the flow of the hw reset."), rtl8169_hw_reset stomps during driver shutdown on RxConfig bits which are needed for WOL on some versions of the hardware. As these bits were formerly set from the r81{0x, 68}_pll_power_down methods, factor them out for use in the driver shutdown (rtl_shutdown) handler. I favored __rtl8169_get_wol() -hardware state indication- over RTL_FEATURE_WOL as the latter has become a good candidate for removal. Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com> Cc: Hayes <hayeswang@realtek.com> Tested-by: NMarc Ballarin <ballarin.marc@gmx.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
Breno Leitao has passed the maintainership to me. Signed-off-by: NThadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com> Cc: Breno Leitao <leitao@linux.vnet.ibm.com> Acked-by: NBreno Leitão <leitao@linux.vnet.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 19 10月, 2011 12 次提交
-
-
git://linuxtv.org/mchehab/for_linus由 Linus Torvalds 提交于
* 'v4l_for_linus' of git://linuxtv.org/mchehab/for_linus: [media] videodev: fix a NULL pointer dereference in v4l2_device_release()
-
git://people.freedesktop.org/~airlied/linux由 Linus Torvalds 提交于
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/radeon/kms/atom: fix handling of FB scratch indices drm/radeon/kms/DCE4.1: fix Select_CrtcSource EncodeMode setting for DP bridges (v2) drm/radeon/kms/DCE4.1: ss is not supported on the internal pplls drm/radeon/kms/DCE4.1: fix dig encoder to transmitter mapping ttm: Fix error-path using an uninitialized value
-
由 Antonio Ospite 提交于
The change in 8280b662 does not cover the case when v4l2_dev is already NULL, fix that. With a Kinect sensor, seen as an USB camera using GSPCA in this context, a NULL pointer dereference BUG can be triggered by just unplugging the device after the camera driver has been loaded. Signed-off-by: NAntonio Ospite <ospite@studenti.unina.it> Signed-off-by: NMauro Carvalho Chehab <mchehab@redhat.com>
-
由 Allen Kay 提交于
If target_level == 0, current code breaks out of the while-loop if SUPERPAGE bit is set. We should also break out if PTE is not present. If we don't do this, KVM calls to iommu_iova_to_phys() will cause pfn_to_dma_pte() to create mapping for 4KiB pages. Signed-off-by: NAllen Kay <allen.m.kay@intel.com> Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>
-
由 Allen Kay 提交于
set dmar->iommu_superpage field to the smallest common denominator of super page sizes supported by all active VT-d engines. Initialize this field in intel_iommu_domain_init() API so intel_iommu_map() API will be able to use iommu_superpage field to determine the appropriate super page size to use. Signed-off-by: NAllen Kay <allen.m.kay@intel.com> Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>
-
由 Allen Kay 提交于
iommu_unmap() API expects IOMMU drivers to return the actual page order of the address being unmapped. Previous code was just returning page order passed in from the caller. This patch fixes this problem. Signed-off-by: NAllen Kay <allen.m.kay@intel.com> Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>
-
由 Roland Dreier 提交于
Commit 166e9278 ("x86/ia64: intel-iommu: move to drivers/iommu/") moved the VT-d driver to drivers/iommu, but left the "F:" line in MAINTAINERS pointing to drivers/pci, which breaks scripts/get_maintainer.pl. Signed-off-by: NRoland Dreier <roland@purestorage.com> Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com>
-
由 Alex Deucher 提交于
FB scratch indices are dword indices, but we were treating them as byte indices. As such, we were getting the wrong FB scratch data for non-0 indices. Fix the indices and guard the indexing against indices larger than the scratch allocation. Fixes memory corruption on some boards if data was written past the end of the FB scratch array. Signed-off-by: NAlex Deucher <alexander.deucher@amd.com> Reported-by: NDave Airlie <airlied@redhat.com> Tested-by: NDave Airlie <airlied@redhat.com> Cc: stable@kernel.org Signed-off-by: NDave Airlie <airlied@redhat.com>
-
由 Eric Dumazet 提交于
e1000e uses paged frags, so any layer incorrectly pulling bytes from skb can trigger a BUG in skb_pull() [951.142737] [<ffffffff813d2f36>] skb_pull+0x15/0x17 [951.142737] [<ffffffffa0286824>] pptp_rcv_core+0x126/0x19a [pptp] [951.152725] [<ffffffff813d17c4>] sk_receive_skb+0x69/0x105 [951.163558] [<ffffffffa0286993>] pptp_rcv+0xc8/0xdc [pptp] [951.165092] [<ffffffffa02800a3>] gre_rcv+0x62/0x75 [gre] [951.165092] [<ffffffff81410784>] ip_local_deliver_finish+0x150/0x1c1 [951.177599] [<ffffffff81410634>] ? ip_local_deliver_finish+0x0/0x1c1 [951.177599] [<ffffffff81410846>] NF_HOOK.clone.7+0x51/0x58 [951.177599] [<ffffffff81410996>] ip_local_deliver+0x51/0x55 [951.177599] [<ffffffff814105b9>] ip_rcv_finish+0x31a/0x33e [951.177599] [<ffffffff8141029f>] ? ip_rcv_finish+0x0/0x33e [951.204898] [<ffffffff81410846>] NF_HOOK.clone.7+0x51/0x58 [951.214651] [<ffffffff81410bb5>] ip_rcv+0x21b/0x246 pptp_rcv_core() is a nice example of a function assuming everything it needs is available in skb head. Reported-by: NBradley Peterson <despite@gmail.com> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 KOVACS Krisztian 提交于
The transparent socket option setting was not copied to the time wait socket when an inet socket was being replaced by a time wait socket. This broke the --transparent option of the socket match and may have caused that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state were being dropped by the packet filter. Signed-off-by: NKOVACS Krisztian <hidden@balabit.hu> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
In case we cant transmit skb, we must free it Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> CC: Dmitry Kozlov <xeb@mail.ru> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Mitsuo Hayasaka 提交于
The bond->recv_probe is called in bond_handle_frame() when a packet is received, but bond_close() sets it to NULL. So, a panic occurs when both functions work in parallel. Why this happen: After null pointer check of bond->recv_probe, an sk_buff is duplicated and bond->recv_probe is called in bond_handle_frame. So, a panic occurs when bond_close() is called between the check and call of bond->recv_probe. Patch: This patch uses a local function pointer of bond->recv_probe in bond_handle_frame(). So, it can avoid the null pointer dereference. Signed-off-by: NMitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com> Cc: Jay Vosburgh <fubar@us.ibm.com> Cc: Andy Gospodarek <andy@greyhouse.net> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: WANG Cong <xiyou.wangcong@gmail.com> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-