1. 21 Mar, 2010 3 commits
    • Andrei Emeltchenko's avatar
      Bluetooth: Fix kernel crash on L2CAP stress tests · c2c77ec8
      Andrei Emeltchenko authored
      Added very simple check that req buffer has enough space to
      fit configuration parameters. Shall be enough to reject packets
      with configuration size more than req buffer.
      
      Crash trace below
      
      [ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
      [ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
      ...
      [ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
      [ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
      ...
      [ 6070.030303] Backtrace:
      [ 6070.032806] [<bf1c2880>] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from
      [<bf1c6624>] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
      [ 6070.043823]  r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
      [ 6070.050659] [<bf1c52d4>] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from
      [<bf1c8408>] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
      [ 6070.061798] [<bf1c814c>] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from
      [<bf0037a4>] (hci_rx_task+0x244/0x478 [bluetooth])
      [ 6070.072631]  r6:dc647700 r5:00000001 r4:df2ab740
      [ 6070.077362] [<bf003560>] (hci_rx_task+0x0/0x478 [bluetooth]) from
      [<c006b9fc>] (tasklet_action+0x78/0xd8)
      [ 6070.087005] [<c006b984>] (tasklet_action+0x0/0xd8) from [<c006c160>]
      Signed-off-by: default avatarAndrei Emeltchenko <andrei.emeltchenko@nokia.com>
      Acked-by: default avatarGustavo F. Padovan <gustavo@padovan.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c2c77ec8
    • Marcel Holtmann's avatar
      Bluetooth: Convert debug files to actually use debugfs instead of sysfs · aef7d97c
      Marcel Holtmann authored
      Some of the debug files ended up wrongly in sysfs, because at that point
      of time, debugfs didn't exist. Convert these files to use debugfs and
      also seq_file. This patch converts all of these files at once and then
      removes the exported symbol for the Bluetooth sysfs class.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      aef7d97c
    • Marcel Holtmann's avatar
      Bluetooth: Fix potential bad memory access with sysfs files · 101545f6
      Marcel Holtmann authored
      When creating a high number of Bluetooth sockets (L2CAP, SCO
      and RFCOMM) it is possible to scribble repeatedly on arbitrary
      pages of memory. Ensure that the content of these sysfs files is
      always less than one page. Even if this means truncating. The
      files in question are scheduled to be moved over to debugfs in
      the future anyway.
      
      Based on initial patches from Neil Brown and Linus Torvalds
      Reported-by: default avatarNeil Brown <neilb@suse.de>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      101545f6
  2. 20 Mar, 2010 17 commits
  3. 19 Mar, 2010 10 commits
  4. 17 Mar, 2010 3 commits
  5. 16 Mar, 2010 7 commits
    • David S. Miller's avatar
      bridge: Make first arg to deliver_clone const. · 87faf3cc
      David S. Miller authored
      Otherwise we get a warning from the call in br_forward().
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      87faf3cc
    • YOSHIFUJI Hideaki / 吉藤英明's avatar
      bridge br_multicast: Don't refer to BR_INPUT_SKB_CB(skb)->mrouters_only without IGMP snooping. · 32dec5dd
      YOSHIFUJI Hideaki / 吉藤英明 authored
      Without CONFIG_BRIDGE_IGMP_SNOOPING,
      BR_INPUT_SKB_CB(skb)->mrouters_only is not appropriately
      initialized, so we can see garbage.
      
      A clear option to fix this is to set it even without that
      config, but we cannot optimize out the branch.
      
      Let's introduce a macro that returns value of mrouters_only
      and let it return 0 without CONFIG_BRIDGE_IGMP_SNOOPING.
      Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32dec5dd
    • Vitaliy Gusev's avatar
      route: Fix caught BUG_ON during rt_secret_rebuild_oneshot() · 858a18a6
      Vitaliy Gusev authored
      route: Fix caught BUG_ON during rt_secret_rebuild_oneshot()
      
      Call rt_secret_rebuild can cause BUG_ON(timer_pending(&net->ipv4.rt_secret_timer)) in
      add_timer as there is not any synchronization for call rt_secret_rebuild_oneshot()
      for the same net namespace.
      
      Also this issue affects to rt_secret_reschedule().
      
      Thus use mod_timer enstead.
      Signed-off-by: default avatarVitaliy Gusev <vgusev@openvz.org>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      858a18a6
    • YOSHIFUJI Hideaki / 吉藤英明's avatar
    • YOSHIFUJI Hideaki / 吉藤英明's avatar
    • Jiri Slaby's avatar
      NET: netpoll, fix potential NULL ptr dereference · 21edbb22
      Jiri Slaby authored
      Stanse found that one error path in netpoll_setup dereferences npinfo
      even though it is NULL. Avoid that by adding new label and go to that
      instead.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Daniel Borkmann <danborkmann@googlemail.com>
      Cc: David S. Miller <davem@davemloft.net>
      Acked-by: chavey@google.com
      Acked-by: default avatarMatt Mackall <mpm@selenic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21edbb22
    • Neil Horman's avatar
      tipc: fix lockdep warning on address assignment · a2f46ee1
      Neil Horman authored
      So in the forward porting of various tipc packages, I was constantly
      getting this lockdep warning everytime I used tipc-config to set a network
      address for the protocol:
      
      [ INFO: possible circular locking dependency detected ]
      2.6.33 #1
      tipc-config/1326 is trying to acquire lock:
      (ref_table_lock){+.-...}, at: [<ffffffffa0315148>] tipc_ref_discard+0x53/0xd4 [tipc]
      
      but task is already holding lock:
      (&(&entry->lock)->rlock#2){+.-...}, at: [<ffffffffa03150d5>] tipc_ref_lock+0x43/0x63 [tipc]
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&(&entry->lock)->rlock#2){+.-...}:
      [<ffffffff8107b508>] __lock_acquire+0xb67/0xd0f
      [<ffffffff8107b78c>] lock_acquire+0xdc/0x102
      [<ffffffff8145471e>] _raw_spin_lock_bh+0x3b/0x6e
      [<ffffffffa03152b1>] tipc_ref_acquire+0xe8/0x11b [tipc]
      [<ffffffffa031433f>] tipc_createport_raw+0x78/0x1b9 [tipc]
      [<ffffffffa031450b>] tipc_createport+0x8b/0x125 [tipc]
      [<ffffffffa030f221>] tipc_subscr_start+0xce/0x126 [tipc]
      [<ffffffffa0308fb2>] process_signal_queue+0x47/0x7d [tipc]
      [<ffffffff81053e0c>] tasklet_action+0x8c/0xf4
      [<ffffffff81054bd8>] __do_softirq+0xf8/0x1cd
      [<ffffffff8100aadc>] call_softirq+0x1c/0x30
      [<ffffffff810549f4>] _local_bh_enable_ip+0xb8/0xd7
      [<ffffffff81054a21>] local_bh_enable_ip+0xe/0x10
      [<ffffffff81454d31>] _raw_spin_unlock_bh+0x34/0x39
      [<ffffffffa0308eb8>] spin_unlock_bh.clone.0+0x15/0x17 [tipc]
      [<ffffffffa0308f47>] tipc_k_signal+0x8d/0xb1 [tipc]
      [<ffffffffa0308dd9>] tipc_core_start+0x8a/0xad [tipc]
      [<ffffffffa01b1087>] 0xffffffffa01b1087
      [<ffffffff8100207d>] do_one_initcall+0x72/0x18a
      [<ffffffff810872fb>] sys_init_module+0xd8/0x23a
      [<ffffffff81009b42>] system_call_fastpath+0x16/0x1b
      
      -> #0 (ref_table_lock){+.-...}:
      [<ffffffff8107b3b2>] __lock_acquire+0xa11/0xd0f
      [<ffffffff8107b78c>] lock_acquire+0xdc/0x102
      [<ffffffff81454836>] _raw_write_lock_bh+0x3b/0x6e
      [<ffffffffa0315148>] tipc_ref_discard+0x53/0xd4 [tipc]
      [<ffffffffa03141ee>] tipc_deleteport+0x40/0x119 [tipc]
      [<ffffffffa0316e35>] release+0xeb/0x137 [tipc]
      [<ffffffff8139dbf4>] sock_release+0x1f/0x6f
      [<ffffffff8139dc6b>] sock_close+0x27/0x2b
      [<ffffffff811116f6>] __fput+0x12a/0x1df
      [<ffffffff811117c5>] fput+0x1a/0x1c
      [<ffffffff8110e49b>] filp_close+0x68/0x72
      [<ffffffff8110e552>] sys_close+0xad/0xe7
      [<ffffffff81009b42>] system_call_fastpath+0x16/0x1b
      
      Finally decided I should fix this.  Its a straightforward inversion,
      tipc_ref_acquire takes two locks in this order:
      ref_table_lock
      entry->lock
      
      while tipc_deleteport takes them in this order:
      entry->lock (via tipc_port_lock())
      ref_table_lock (via tipc_ref_discard())
      
      when the same entry is referenced, we get the above warning.  The fix is equally
      straightforward.  Theres no real relation between the entry->lock and the
      ref_table_lock (they just are needed at the same time), so move the entry->lock
      aquisition in tipc_ref_acquire down, after we unlock ref_table_lock (this is
      safe since the ref_table_lock guards changes to the reference table, and we've
      already claimed a slot there.  I've tested the below fix and confirmed that it
      clears up the lockdep issue
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      CC: Allan Stephens <allan.stephens@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2f46ee1