1. 05 5月, 2011 1 次提交
    • E
      net: ip_expire() must revalidate route · 64f3b9e2
      Eric Dumazet 提交于
      Commit 4a94445c (net: Use ip_route_input_noref() in input path)
      added a bug in IP defragmentation handling, in case timeout is fired.
      
      When a frame is defragmented, we use last skb dst field when building
      final skb. Its dst is valid, since we are in rcu read section.
      
      But if a timeout occurs, we take first queued fragment to build one ICMP
      TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
      since we escaped RCU critical section after their queueing. icmp_send()
      might dereference a now freed (and possibly reused) part of memory.
      
      Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
      the only possible choice.
      Reported-by: NDenys Fedoryshchenko <denys@visp.net.lb>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      64f3b9e2
  2. 03 5月, 2011 7 次提交
  3. 02 5月, 2011 2 次提交
    • A
      ipv4: don't spam dmesg with "Using LC-trie" messages · 7cfd2609
      Alexey Dobriyan 提交于
      fib_trie_table() is called during netns creation and
      Chromium uses clone(CLONE_NEWNET) to sandbox renderer process.
      
      Don't print anything.
      Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7cfd2609
    • E
      af_unix: Only allow recv on connected seqpacket sockets. · a05d2ad1
      Eric W. Biederman 提交于
      This fixes the following oops discovered by Dan Aloni:
      > Anyway, the following is the output of the Oops that I got on the
      > Ubuntu kernel on which I first detected the problem
      > (2.6.37-12-generic). The Oops that followed will be more useful, I
      > guess.
      
      >[ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
      > at           (null)
      > [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
      > [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
      > [ 5594.693720] Oops: 0002 [#1] SMP
      > [ 5594.699888] last sysfs file:
      
      The bug was that unix domain sockets use a pseduo packet for
      connecting and accept uses that psudo packet to get the socket.
      In the buggy seqpacket case we were allowing unconnected
      sockets to call recvmsg and try to receive the pseudo packet.
      
      That is always wrong and as of commit 7361c36c the pseudo
      packet had become enough different from a normal packet
      that the kernel started oopsing.
      
      Do for seqpacket_recv what was done for seqpacket_send in 2.5
      and only allow it on connected seqpacket sockets.
      
      Cc: stable@kernel.org
      Tested-by: NDan Aloni <dan@aloni.org>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a05d2ad1
  4. 30 4月, 2011 7 次提交
    • A
      mii: add support of pause frames in mii_get_an · 2b5a4ace
      artpol 提交于
      Add support of pause frames advertise in mii_get_an. This provides all drivers
      that use mii_ethtool_gset to represent their own and Link partner flow control
      abilities in ethtool.
      Signed-off-by: NArtem Polyakov <artpol84@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2b5a4ace
    • A
    • O
      usbnet: Transfer of maintainership · 686f13bb
      Oliver Neukum 提交于
      Somebody has to do it, however unfortunate be the cause.
      Signed-off-by: NOliver Neukum <oneukum@suse.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      686f13bb
    • D
      usbnet: add support for some Huawei modems with cdc-ether ports · b3c914aa
      Dan Williams 提交于
      Some newer Huawei devices (T-Mobile Rocket, others) have cdc-ether
      compatible ports, so recognize and expose them.
      Signed-off-by: NDan Williams <dcbw@redhat.com>
      Acked-by: NOliver Neukum <oneukum@suse.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b3c914aa
    • N
      bnx2: cancel timer on device removal · 8333a46a
      Neil Horman 提交于
      This oops was recently reported to me:
      
      invalid opcode: 0000 [#1] SMP
      last sysfs file:
      /sys/devices/pci0000:00/0000:00:01.0/0000:01:0d.0/0000:02:05.0/device
      CPU 1
      Modules linked in: bnx2(+) sunrpc ipv6 dm_mirror dm_region_hash dm_log sg
      microcode serio_raw amd64_edac_mod edac_core edac_mce_amd k8temp i2c_piix4
      shpchp ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
      scsi_transport_sas radeon ttm drm_kms_helper drm hwmon i2c_algo_bit i2c_core
      dm_mod [last unloaded: bnx2]
      
      Modules linked in: bnx2(+) sunrpc ipv6 dm_mirror dm_region_hash dm_log sg
      microcode serio_raw amd64_edac_mod edac_core edac_mce_amd k8temp i2c_piix4
      shpchp ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
      scsi_transport_sas radeon ttm drm_kms_helper drm hwmon i2c_algo_bit i2c_core
      dm_mod [last unloaded: bnx2]
      Pid: 23900, comm: pidof Not tainted 2.6.32-130.el6.x86_64 #1 BladeCenter LS21
      -[797251Z]-
      RIP: 0010:[<ffffffffa058b270>]  [<ffffffffa058b270>] 0xffffffffa058b270
      RSP: 0018:ffff880002083e48  EFLAGS: 00010246
      RAX: ffff880002083e90 RBX: ffff88007ccd4000 RCX: 0000000000000000
      RDX: 0000000000000100 RSI: dead000000200200 RDI: ffff8800007b8700
      RBP: ffff880002083ed0 R08: ffff88000208db40 R09: 0000022d191d27c8
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800007b9bc8
      R13: ffff880002083e90 R14: ffff8800007b8700 R15: ffffffffa058b270
      FS:  00007fbb3bcf7700(0000) GS:ffff880002080000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000001664a98 CR3: 0000000060395000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process pidof (pid: 23900, threadinfo ffff8800007e8000, task ffff8800091c0040)
      Stack:
       ffffffff81079f77 ffffffff8109e010 ffff88007ccd5c20 ffff88007ccd5820
      <0> ffff88007ccd5420 ffff8800007e9fd8 ffff8800007e9fd8 0000010000000000
      <0> ffff88007ccd5020 ffff880002083e90 ffff880002083e90 ffffffff8102a00d
      Call Trace:
       <IRQ>
       [<ffffffff81079f77>] ? run_timer_softirq+0x197/0x340
       [<ffffffff8109e010>] ? tick_sched_timer+0x0/0xc0
       [<ffffffff8102a00d>] ? lapic_next_event+0x1d/0x30
       [<ffffffff8106f737>] __do_softirq+0xb7/0x1e0
       [<ffffffff81092cc0>] ? hrtimer_interrupt+0x140/0x250
       [<ffffffff81185f90>] ? filldir+0x0/0xe0
       [<ffffffff8100c2cc>] call_softirq+0x1c/0x30
       [<ffffffff8100df05>] do_softirq+0x65/0xa0
       [<ffffffff8106f525>] irq_exit+0x85/0x90
       [<ffffffff814e3340>] smp_apic_timer_interrupt+0x70/0x9b
       [<ffffffff8100bc93>] apic_timer_interrupt+0x13/0x20
       <EOI>
       [<ffffffff81211ba5>] ? selinux_file_permission+0x45/0x150
       [<ffffffff81262a75>] ? _atomic_dec_and_lock+0x55/0x80
       [<ffffffff812050c6>] security_file_permission+0x16/0x20
       [<ffffffff811861c1>] vfs_readdir+0x71/0xe0
       [<ffffffff81186399>] sys_getdents+0x89/0xf0
       [<ffffffff8100b172>] system_call_fastpath+0x16/0x1b
      
      It occured during some stress testing, in which the reporter was repeatedly
      removing and modprobing the bnx2 module while doing various other random
      operations on the bnx2 registered net device.  Noting that this error occured on
      a serdes based device, we noted that there were a few ethtool operations (most
      notably self_test and set_phys_id) that have execution paths that lead into
      bnx2_setup_serdes_phy.  This function is notable because it executes a mod_timer
      call, which starts the bp->timer running.  Currently bnx2 is setup to assume
      that this timer only nees to be stopped when bnx2_close or bnx2_suspend is
      called.  Since the above ethtool operations are not gated on the net device
      having been opened however, that assumption is incorrect, and can lead to the
      timer still running after the module has been removed, leading to the oops above
      (as well as other simmilar oopses).
      
      Fix the problem by ensuring that the timer is stopped when pci_device_unregister
      is called.
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Reported-by: NHushan Jia <hjia@redhat.com>
      CC: Michael Chan <mchan@broadcom.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Acked-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8333a46a
    • S
      iwl4965: fix "Received BA when not expected" · 16b345d8
      Stanislaw Gruszka 提交于
      Need to use broadcast sta_id for management frames, otherwise we broke
      BA session in the firmware and get messages like that:
      
      "Received BA when not expected"
      
      or (on older kernels):
      
      "BA scd_flow 0 does not match txq_id 10"
      
      This fix regression introduced in 2.6.35 during station management
      code rewrite by:
      
      commit 2a87c26b
      Author: Johannes Berg <johannes.berg@intel.com>
      Date:   Fri Apr 30 11:30:45 2010 -0700
      
          iwlwifi: use iwl_find_station less
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      16b345d8
    • S
      iwlagn: fix "Received BA when not expected" · bfd36103
      Stanislaw Gruszka 提交于
      Need to use broadcast sta_id for management frames, otherwise we broke
      BA session in the firmware and get messages like that:
      
      "Received BA when not expected"
      
      or (on older kernels):
      
      "BA scd_flow 0 does not match txq_id 10"
      
      This fix regression introduced in 2.6.35 during station management
      code rewrite by:
      
      commit 2a87c26b
      Author: Johannes Berg <johannes.berg@intel.com>
      Date:   Fri Apr 30 11:30:45 2010 -0700
      
          iwlwifi: use iwl_find_station less
      
      Patch partially resolve:
      https://bugzilla.kernel.org/show_bug.cgi?id=16691
      However, there are still 11n performance problems on 4965 and 5xxx
      devices that need to be investigated.
      
      Cc: stable@kernel.org # 2.6.35+
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Acked-by: NWey-Yi Guy <wey-yi.w.guy@intel.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      bfd36103
  5. 29 4月, 2011 5 次提交
  6. 27 4月, 2011 3 次提交
  7. 26 4月, 2011 1 次提交
    • H
      net: provide cow_metrics() methods to blackhole dst_ops · 0972ddb2
      Held Bernhard 提交于
      Since commit 62fa8a84 (net: Implement read-only protection and COW'ing
      of metrics.) the kernel throws an oops.
      
      [  101.620985] BUG: unable to handle kernel NULL pointer dereference at
                 (null)
      [  101.621050] IP: [<          (null)>]           (null)
      [  101.621084] PGD 6e53c067 PUD 3dd6a067 PMD 0
      [  101.621122] Oops: 0010 [#1] SMP
      [  101.621153] last sysfs file: /sys/devices/virtual/ppp/ppp/uevent
      [  101.621192] CPU 2
      [  101.621206] Modules linked in: l2tp_ppp pppox ppp_generic slhc
      l2tp_netlink l2tp_core deflate zlib_deflate twofish_x86_64
      twofish_common des_generic cbc ecb sha1_generic hmac af_key
      iptable_filter snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device loop
      snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec
      snd_pcm snd_timer snd i2c_i801 iTCO_wdt psmouse soundcore snd_page_alloc
      evdev uhci_hcd ehci_hcd thermal
      [  101.621552]
      [  101.621567] Pid: 5129, comm: openl2tpd Not tainted 2.6.39-rc4-Quad #3
      Gigabyte Technology Co., Ltd. G33-DS3R/G33-DS3R
      [  101.621637] RIP: 0010:[<0000000000000000>]  [<          (null)>]   (null)
      [  101.621684] RSP: 0018:ffff88003ddeba60  EFLAGS: 00010202
      [  101.621716] RAX: ffff88003ddb5600 RBX: ffff88003ddb5600 RCX:
      0000000000000020
      [  101.621758] RDX: ffffffff81a69a00 RSI: ffffffff81b7ee61 RDI:
      ffff88003ddb5600
      [  101.621800] RBP: ffff8800537cd900 R08: 0000000000000000 R09:
      ffff88003ddb5600
      [  101.621840] R10: 0000000000000005 R11: 0000000000014b38 R12:
      ffff88003ddb5600
      [  101.621881] R13: ffffffff81b7e480 R14: ffffffff81b7e8b8 R15:
      ffff88003ddebad8
      [  101.621924] FS:  00007f06e4182700(0000) GS:ffff88007fd00000(0000)
      knlGS:0000000000000000
      [  101.621971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  101.622005] CR2: 0000000000000000 CR3: 0000000045274000 CR4:
      00000000000006e0
      [  101.622046] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [  101.622087] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
      0000000000000400
      [  101.622129] Process openl2tpd (pid: 5129, threadinfo
      ffff88003ddea000, task ffff88003de9a280)
      [  101.622177] Stack:
      [  101.622191]  ffffffff81447efa ffff88007d3ded80 ffff88003de9a280
      ffff88007d3ded80
      [  101.622245]  0000000000000001 ffff88003ddebbb8 ffffffff8148d5a7
      0000000000000212
      [  101.622299]  ffff88003dcea000 ffff88003dcea188 ffffffff00000001
      ffffffff81b7e480
      [  101.622353] Call Trace:
      [  101.622374]  [<ffffffff81447efa>] ? ipv4_blackhole_route+0x1ba/0x210
      [  101.622415]  [<ffffffff8148d5a7>] ? xfrm_lookup+0x417/0x510
      [  101.622450]  [<ffffffff8127672a>] ? extract_buf+0x9a/0x140
      [  101.622485]  [<ffffffff8144c6a0>] ? __ip_flush_pending_frames+0x70/0x70
      [  101.622526]  [<ffffffff8146fbbf>] ? udp_sendmsg+0x62f/0x810
      [  101.622562]  [<ffffffff813f98a6>] ? sock_sendmsg+0x116/0x130
      [  101.622599]  [<ffffffff8109df58>] ? find_get_page+0x18/0x90
      [  101.622633]  [<ffffffff8109fd6a>] ? filemap_fault+0x12a/0x4b0
      [  101.622668]  [<ffffffff813fb5c4>] ? move_addr_to_kernel+0x64/0x90
      [  101.622706]  [<ffffffff81405d5a>] ? verify_iovec+0x7a/0xf0
      [  101.622739]  [<ffffffff813fc772>] ? sys_sendmsg+0x292/0x420
      [  101.622774]  [<ffffffff810b994a>] ? handle_pte_fault+0x8a/0x7c0
      [  101.622810]  [<ffffffff810b76fe>] ? __pte_alloc+0xae/0x130
      [  101.622844]  [<ffffffff810ba2f8>] ? handle_mm_fault+0x138/0x380
      [  101.622880]  [<ffffffff81024af9>] ? do_page_fault+0x189/0x410
      [  101.622915]  [<ffffffff813fbe03>] ? sys_getsockname+0xf3/0x110
      [  101.622952]  [<ffffffff81450c4d>] ? ip_setsockopt+0x4d/0xa0
      [  101.622986]  [<ffffffff813f9932>] ? sockfd_lookup_light+0x22/0x90
      [  101.623024]  [<ffffffff814b61fb>] ? system_call_fastpath+0x16/0x1b
      [  101.623060] Code:  Bad RIP value.
      [  101.623090] RIP  [<          (null)>]           (null)
      [  101.623125]  RSP <ffff88003ddeba60>
      [  101.623146] CR2: 0000000000000000
      [  101.650871] ---[ end trace ca3856a7d8e8dad4 ]---
      [  101.651011] __sk_free: optmem leakage (160 bytes) detected.
      
      The oops happens in dst_metrics_write_ptr()
      include/net/dst.h:124: return dst->ops->cow_metrics(dst, p);
      
      dst->ops->cow_metrics is NULL and causes the oops.
      
      Provide cow_metrics() methods, like we did in commit 214f45c9
      (net: provide default_advmss() methods to blackhole dst_ops)
      Signed-off-by: NHeld Bernhard <berny156@gmx.de>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0972ddb2
  8. 25 4月, 2011 2 次提交
  9. 24 4月, 2011 2 次提交
  10. 23 4月, 2011 2 次提交
    • N
      netconsole: fix deadlock when removing net driver that netconsole is using (v2) · 13f172ff
      Neil Horman 提交于
      A deadlock was reported to me recently that occured when netconsole was being
      used in a virtual guest.  If the virtio_net driver was removed while netconsole
      was setup to use an interface that was driven by that driver, the guest
      deadlocked.  No backtrace was provided because netconsole was the only console
      configured, but it became clear pretty quickly what the problem was.  In
      netconsole_netdev_event, if we get an unregister event, we call
      __netpoll_cleanup with the target_list_lock held and irqs disabled.
      __netpoll_cleanup can, if pending netpoll packets are waiting call
      cancel_delayed_work_sync, which is a sleeping path.  the might_sleep call in
      that path gets triggered, causing a console warning to be issued.  The
      netconsole write handler of course tries to take the target_list_lock again,
      which we already hold, causing deadlock.
      
      The fix is pretty striaghtforward.  Simply drop the target_list_lock and
      re-enable irqs prior to calling __netpoll_cleanup, the re-acquire the lock, and
      restart the loop.  Confirmed by myself to fix the problem reported.
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      13f172ff
    • D
  11. 22 4月, 2011 6 次提交
  12. 21 4月, 2011 2 次提交