1. 28 Apr, 2010 8 commits
    • Wei Yongjun's avatar
      sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set · a8170c35
      Wei Yongjun authored
      When calculating the INIT/INIT-ACK chunk length, we should not
      only account the length of parameters, but also the parameters
      zero padding length, such as AUTH HMACS parameter and CHUNKS
      parameter. Without the parameters zero padding length we may get
      following oops.
      
      skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev:<NULL>
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:127!
      invalid opcode: 0000 [#2] SMP
      last sysfs file: /sys/module/aes_generic/initstate
      Modules linked in: authenc ......
      
      Pid: 4102, comm: sctp_darn Tainted: G      D    2.6.34-rc2 #6
      EIP: 0060:[<c0607630>] EFLAGS: 00010282 CPU: 0
      EIP is at skb_over_panic+0x37/0x3e
      EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78
      ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000)
      Stack:
       c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80
      <0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a
      <0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400
      Call Trace:
       [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
       [<c0608dec>] ? skb_put+0x2e/0x32
       [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
       [<ce208a25>] ? sctp_make_init+0x279/0x28c [sctp]
       [<c0686a92>] ? apic_timer_interrupt+0x2a/0x30
       [<ce1fdc0b>] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp]
       [<ce202823>] ? sctp_do_sm+0xa0/0x14a [sctp]
       [<ce2133b9>] ? sctp_pname+0x0/0x14 [sctp]
       [<ce211d72>] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp]
       [<ce20f3cf>] ? sctp_sendmsg+0x7a0/0x9eb [sctp]
       [<c064eb1e>] ? inet_sendmsg+0x3b/0x43
       [<c04244b7>] ? task_tick_fair+0x2d/0xd9
       [<c06031e1>] ? sock_sendmsg+0xa7/0xc1
       [<c0416afe>] ? smp_apic_timer_interrupt+0x6b/0x75
       [<c0425123>] ? dequeue_task_fair+0x34/0x19b
       [<c0446abb>] ? sched_clock_local+0x17/0x11e
       [<c052ea87>] ? _copy_from_user+0x2b/0x10c
       [<c060ab3a>] ? verify_iovec+0x3c/0x6a
       [<c06035ca>] ? sys_sendmsg+0x186/0x1e2
       [<c042176b>] ? __wake_up_common+0x34/0x5b
       [<c04240c2>] ? __wake_up+0x2c/0x3b
       [<c057e35c>] ? tty_wakeup+0x43/0x47
       [<c04430f2>] ? remove_wait_queue+0x16/0x24
       [<c0580c94>] ? n_tty_read+0x5b8/0x65e
       [<c042be02>] ? default_wake_function+0x0/0x8
       [<c0604e0e>] ? sys_socketcall+0x17f/0x1cd
       [<c040264c>] ? sysenter_do_call+0x12/0x22
      Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ......
      EIP: [<c0607630>] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74
      
      To reproduce:
      
      # modprobe sctp
      # echo 1 > /proc/sys/net/sctp/addip_enable
      # echo 1 > /proc/sys/net/sctp/auth_enable
      # sctp_test -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 800 -l
      # sctp_darn -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 900 -h 192.168.0.21 -p 800 -I -s -t
      sctp_darn ready to send...
      3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.0.21
      3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.1.21
      3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> snd=10
      
      ------------------------------------------------------------------
      eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and 192.168.0.21
      eth1 has addresses: 192.168.1.21
      ------------------------------------------------------------------
      Reported-by: default avatarGeorge Cheimonidis <gchimon@gmail.com>
      Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8170c35
    • Vlad Yasevich's avatar
      sctp: per_cpu variables should be in bh_disabled section · 81419d86
      Vlad Yasevich authored
      Since the change of the atomics to percpu variables, we now
      have to disable BH in process context when touching percpu variables.
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81419d86
    • Vlad Yasevich's avatar
      sctp: fix potential reference of a freed pointer · 0c42749c
      Vlad Yasevich authored
      When sctp attempts to update an assocition, it removes any
      addresses that were not in the updated INITs.  However, the loop
      may attempt to refrence a transport with address after removing it.
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c42749c
    • Wei Yongjun's avatar
      sctp: avoid irq lock inversion while call sk->sk_data_ready() · 561b1733
      Wei Yongjun authored
      sk->sk_data_ready() of sctp socket can be called from both BH and non-BH
      contexts, but the default sk->sk_data_ready(), sock_def_readable(), can
      not be used in this case. Therefore, we have to make a new function
      sctp_data_ready() to grab sk->sk_data_ready() with BH disabling.
      
      =========================================================
      [ INFO: possible irq lock inversion dependency detected ]
      2.6.33-rc6 #129
      ---------------------------------------------------------
      sctp_darn/1517 just changed the state of lock:
       (clock-AF_INET){++.?..}, at: [<c06aab60>] sock_def_readable+0x20/0x80
      but this lock took another, SOFTIRQ-unsafe lock in the past:
       (slock-AF_INET){+.-...}
      
      and interrupts could create inverse lock ordering between them.
      
      other info that might help us debug this:
      1 lock held by sctp_darn/1517:
       #0:  (sk_lock-AF_INET){+.+.+.}, at: [<cdfe363d>] sctp_sendmsg+0x23d/0xc00 [sctp]
      Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      561b1733
    • David S. Miller's avatar
      Revert "tcp: bind() fix when many ports are bound" · 8d238b25
      David S. Miller authored
      This reverts two commits:
      
      fda48a0d
      tcp: bind() fix when many ports are bound
      
      and a follow-on fix for it:
      
      6443bb1f
      ipv6: Fix inet6_csk_bind_conflict()
      
      It causes problems with binding listening sockets when time-wait
      sockets from a previous instance still are alive.
      
      It's too late to keep fiddling with this so late in the -rc
      series, and we'll deal with it in net-next-2.6 instead.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d238b25
    • Elina Pasheva's avatar
      net/usb: add sierra_net.c driver · eb4fd8cd
      Elina Pasheva authored
      Re-submitted based on comments from netdev community.
      Summary of the changes:
      1. Improved error handling.
      2. Added the missing timeout arguments to usb_control_msg().
      
      The following is a new Linux driver which exposes certain models of Sierra
      Wireless modems to the operating system as Network Interface Cards (NICs).
      
      This driver requires a version of the sierra.c driver which supports
      blacklisting to work properly. The blacklist in sierra.c rejects the interfaces
      claimed by sierra_net.c. Likewise, the sierra_net.c driver only accepts
      (i.e. whitelists) the interface(s) used for USB-to-WWAN traffic.
      The version of sierra.c which supports blacklisting is
      available from the sierra wireless knowledge base page for older kernels. It is
      also available in Linux kernel starting from version 2.6.31.
      
      This driver works with all Sierra Wireless devices configured with PID=68A3
      like USB305, USB306 provided the corresponding firmware version is I2.0
      (for USB305) or M3.0 (for USB306) and later.
      This driver will not work with earlier firmware versions than the ones shown
      above. In this case the driver will issue an error message indicating
      incompatibility and will not serve the device's USB-to-WWAN interface.
      
      Sierra_net.c sits atop a pre-existing Linux driver called usbnet.c.
      A series of hook functions are provided in sierra_net.c which are called by
      usbnet.c in response to a particular condition such as receipt or transmission
      of a data packet. As such, usbnet.c does most of the work of making
      a modem appear to the system as a network device and for properly exchanging
      traffic between the USB subsystem and the Network card interface.
      Sierra_net.c is concerned with managing the data exchanged between the
      USB-to-WWAN interface and the upper layers of the operating system.
      Signed-off-by: default avatarElina Pasheva <epasheva@sierrawireless.com>
      Signed-off-by: default avatarRory Filer <rfiler@sierrawireless.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb4fd8cd
    • Torgny Johansson's avatar
      cdc_ether: fix autosuspend for mbm devices · 55964d72
      Torgny Johansson authored
      Autosuspend works until you bring the wwan interface up, then the
      device does not enter autosuspend anymore.
      
      The following patch fixes the problem by setting the .manage_power
      field in the mbm_info struct to the same as in the cdc_info struct
      (cdc_manager_power).
      Signed-off-by: default avatarTorgny Johansson <torgny.johansson@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55964d72
    • Dan Carpenter's avatar
      bluetooth: handle l2cap_create_connless_pdu() errors · 477fffb0
      Dan Carpenter authored
      l2cap_create_connless_pdu() can sometimes return ERR_PTR(-ENOMEM) or
      ERR_PTR(-EFAULT).
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      477fffb0
  2. 27 Apr, 2010 10 commits
  3. 26 Apr, 2010 5 commits
  4. 25 Apr, 2010 2 commits
  5. 23 Apr, 2010 3 commits
  6. 22 Apr, 2010 5 commits
  7. 21 Apr, 2010 7 commits
    • Hiroshi Shimamoto's avatar
      cxgb3: fix linkup issue · 9441cad9
      Hiroshi Shimamoto authored
      I encountered an issue that not to link up on cxgb3 fabric.
      I bisected and found that this regression was introduced by
      0f07c4ee.
      
      Correct to pass phy_addr to cphy_init() at t3_xaui_direct_phy_prep().
      Signed-off-by: default avatarHiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
      Acked-by: default avatarDivy Le Ray <divy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9441cad9
    • andrew hendry's avatar
      X25 fix dead unaccepted sockets · 2cec6b01
      andrew hendry authored
      1, An X25 program binds and listens
      2, calls arrive waiting to be accepted
      3, Program exits without accepting
      4, Sockets time out but don't get correctly cleaned up
      5, cat /proc/net/x25/socket shows the dead sockets with bad inode fields.
      
      This line borrowed from AX25 sets the dying socket so the timers clean up later.
      Signed-off-by: default avatarAndrew Hendry <andrew.hendry@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2cec6b01
    • Abraham Arce's avatar
      KS8851: NULL pointer dereference if list is empty · 761172fb
      Abraham Arce authored
      Fix NULL pointer dereference in ks8851_tx_work by checking if dequeued
      list is already empty before writing the packet to TX FIFO
      
       Unable to handle kernel NULL pointer dereference at virtual address 00000050
       PC is at ks8851_tx_work+0xdc/0x1b0
       LR is at wait_for_common+0x148/0x164
       pc : [<c01c0df4>]    lr : [<c025a980>]    psr: 20000013
       Backtrace:
        ks8851_tx_work+0x0/0x1b0
        worker_thread+0x0/0x190
        kthread+0x0/0x90
      Signed-off-by: default avatarAbraham Arce <x0066660@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      761172fb
    • Alexander Kurz's avatar
      net: 3c574_cs fix stats.tx_bytes counter · df245dce
      Alexander Kurz authored
      Update the stats counter calculation in 3c574_cs, similar
      to the method used in 3c589_cs. This corrects the contents
      of the counter on tests using a "Megahertz 574B" card.
      
      [linux@dominikbrodowski.net: clean up commit message]
      Signed-off-by: default avatarAlexander Kurz <linux@kbdbabel.org>
      Signed-off-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df245dce
    • Nicolas Dichtel's avatar
      xfrm6: ensure to use the same dev when building a bundle · bc8e4b95
      Nicolas Dichtel authored
      When building a bundle, we set dst.dev and rt6.rt6i_idev.
      We must ensure to set the same device for both fields.
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc8e4b95
    • Hans J. Koch's avatar
      can: Fix possible NULL pointer dereference in ems_usb.c · 1c0b28b1
      Hans J. Koch authored
      In ems_usb_probe(), a pointer is dereferenced after making sure it is NULL...
      
      This patch replaces netdev->dev.parent with &intf->dev in dev_err() calls to
      avoid this.
      Signed-off-by: default avatar"Hans J. Koch" <hjk@linutronix.de>
      Acked-by: default avatarWolfgang Grandegger <wg@grandegger.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1c0b28b1
    • David Howells's avatar
      net: Fix an RCU warning in dev_pick_tx() · 05d17608
      David Howells authored
      Fix the following RCU warning in dev_pick_tx():
      
      ===================================================
      [ INFO: suspicious rcu_dereference_check() usage. ]
      ---------------------------------------------------
      net/core/dev.c:1993 invoked rcu_dereference_check() without protection!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 1, debug_locks = 0
      2 locks held by swapper/0:
       #0:  (&idev->mc_ifc_timer){+.-...}, at: [<ffffffff81039e65>] run_timer_softirq+0x17b/0x278
       #1:  (rcu_read_lock_bh){.+....}, at: [<ffffffff812ea3eb>] dev_queue_xmit+0x14e/0x4dc
      
      stack backtrace:
      Pid: 0, comm: swapper Not tainted 2.6.34-rc5-cachefs #4
      Call Trace:
       <IRQ>  [<ffffffff810516c4>] lockdep_rcu_dereference+0xaa/0xb2
       [<ffffffff812ea4f6>] dev_queue_xmit+0x259/0x4dc
       [<ffffffff812ea3eb>] ? dev_queue_xmit+0x14e/0x4dc
       [<ffffffff81052324>] ? trace_hardirqs_on+0xd/0xf
       [<ffffffff81035362>] ? local_bh_enable_ip+0xbc/0xc1
       [<ffffffff812f0954>] neigh_resolve_output+0x24b/0x27c
       [<ffffffff8134f673>] ip6_output_finish+0x7c/0xb4
       [<ffffffff81350c34>] ip6_output2+0x256/0x261
       [<ffffffff81052324>] ? trace_hardirqs_on+0xd/0xf
       [<ffffffff813517fb>] ip6_output+0xbbc/0xbcb
       [<ffffffff8135bc5d>] ? fib6_force_start_gc+0x2b/0x2d
       [<ffffffff81368acb>] mld_sendpack+0x273/0x39d
       [<ffffffff81368858>] ? mld_sendpack+0x0/0x39d
       [<ffffffff81052099>] ? mark_held_locks+0x52/0x70
       [<ffffffff813692fc>] mld_ifc_timer_expire+0x24f/0x288
       [<ffffffff81039ed6>] run_timer_softirq+0x1ec/0x278
       [<ffffffff81039e65>] ? run_timer_softirq+0x17b/0x278
       [<ffffffff813690ad>] ? mld_ifc_timer_expire+0x0/0x288
       [<ffffffff81035531>] ? __do_softirq+0x69/0x140
       [<ffffffff8103556a>] __do_softirq+0xa2/0x140
       [<ffffffff81002e0c>] call_softirq+0x1c/0x28
       [<ffffffff81004b54>] do_softirq+0x38/0x80
       [<ffffffff81034f06>] irq_exit+0x45/0x47
       [<ffffffff810177c3>] smp_apic_timer_interrupt+0x88/0x96
       [<ffffffff810028d3>] apic_timer_interrupt+0x13/0x20
       <EOI>  [<ffffffff810488dd>] ? __atomic_notifier_call_chain+0x0/0x86
       [<ffffffff810096bf>] ? mwait_idle+0x6e/0x78
       [<ffffffff810096b6>] ? mwait_idle+0x65/0x78
       [<ffffffff810011cb>] cpu_idle+0x4d/0x83
       [<ffffffff81380b05>] rest_init+0xb9/0xc0
       [<ffffffff81380a4c>] ? rest_init+0x0/0xc0
       [<ffffffff8168dcf0>] start_kernel+0x392/0x39d
       [<ffffffff8168d2a3>] x86_64_start_reservations+0xb3/0xb7
       [<ffffffff8168d38b>] x86_64_start_kernel+0xe4/0xeb
      
      An rcu_dereference() should be an rcu_dereference_bh().
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      05d17608