1. 13 Aug, 2012 9 commits
  2. 12 Aug, 2012 10 commits
    • Joren Van Onder's avatar
      bnx2x: Fix compiler warnings · f57b07c0
      Joren Van Onder authored
      Fix the following compiler warnings:
      
       - drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c:2908:3: warning: comparison
         of distinct pointer types lacks a cast [enabled by default]
       - drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c:1709:7: warning: comparison
         of distinct pointer types lacks a cast [enabled by default]
      Signed-off-by: default avatarJoren Van Onder <joren.vanonder@gmail.com>
      Acked-By: default avatarYuval Mintz <yuvalmin@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f57b07c0
    • danborkmann@iogearbox.net's avatar
      af_packet: remove BUG statement in tpacket_destruct_skb · 7f5c3e3a
      danborkmann@iogearbox.net authored
      Here's a quote of the comment about the BUG macro from asm-generic/bug.h:
      
       Don't use BUG() or BUG_ON() unless there's really no way out; one
       example might be detecting data structure corruption in the middle
       of an operation that can't be backed out of.  If the (sub)system
       can somehow continue operating, perhaps with reduced functionality,
       it's probably not BUG-worthy.
      
       If you're tempted to BUG(), think again:  is completely giving up
       really the *only* solution?  There are usually better options, where
       users don't need to reboot ASAP and can mostly shut down cleanly.
      
      In our case, the status flag of a ring buffer slot is managed from both sides,
      the kernel space and the user space. This means that even though the kernel
      side might work as expected, the user space screws up and changes this flag
      right between the send(2) is triggered when the flag is changed to
      TP_STATUS_SENDING and a given skb is destructed after some time. Then, this
      will hit the BUG macro. As David suggested, the best solution is to simply
      remove this statement since it cannot be used for kernel side internal
      consistency checks. I've tested it and the system still behaves /stable/ in
      this case, so in accordance with the above comment, we should rather remove it.
      Signed-off-by: default avatarDaniel Borkmann <daniel.borkmann@tik.ee.ethz.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7f5c3e3a
    • Denis Efremov's avatar
      macvtap: rcu_dereference outside read-lock section · 3a7f8c34
      Denis Efremov authored
      rcu_dereference occurs in update section. Replacement by
      rcu_dereference_protected in order to prevent lockdep
      complaint.
      
      Found by Linux Driver Verification project (linuxtesting.org)
      Signed-off-by: default avatarDenis Efremov <yefremov.denis@gmail.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a7f8c34
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-v3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 21d2f8dc
      Linus Torvalds authored
      Pull gpio fixes from Linus Walleij:
       - Fix a resource leak in the SCH driver
       - Fix the register address calculation in the MSIC driver
       - Fix the PXA driver's devicetree functions
       - Delete redundant shadow variable leftovers in the MXC driver
       - Specify the GPIO base for the device tree probe in the MXC driver
       - Add a modalias for the i.MX driver
       - Fix off-by-one bug in the Samsung driver
       - Fix erroneous errorpath in the Langwell driver
      
      * tag 'gpio-fixes-v3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        drivers/gpio/gpio-langwell.c: fix error return code
        gpio: samsung: Fix off-by-one bug in gpio addresses
        ARM: dts: imx: add alias for gpio
        gpio/mxc: specify gpio base for device tree probe
        gpio/mxc: remove redundant shadow variables initialization
        GPIO: gpio-pxa: fix devicetree functions
        gpio: msic: Fix calculating register address in msic_gpio_to_oreg()
        gpio-sch: Fix leak of resource
      21d2f8dc
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · c8dfbf48
      Linus Torvalds authored
      Pull a security subsystem fix from James Morris
       "This fixes an issue in the Yama LSM"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        Yama: higher restrictions should block PTRACE_TRACEME
      c8dfbf48
    • Linus Torvalds's avatar
      Merge tag 'pm-for-3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · e4e139be
      Linus Torvalds authored
      Pull power management fixes from Rafael J. Wysocki:
      
       - Fix for two recent regressions in the generic PM domains framework.
      
       - Revert of a commit that introduced a resume regression and is
         conceptually incorrect in my opinion.
      
       - Fix for a return value in pcc-cpufreq.c from Julia Lawall.
      
       - RTC wakeup signaling fix from Neil Brown.
      
       - Suppression of compiler warnings for CONFIG_PM_SLEEP unset in ACPI,
         platform/x86 and TPM drivers.
      
      * tag 'pm-for-3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        tpm_tis / PM: Fix unused function warning for CONFIG_PM_SLEEP
        platform / x86 / PM: Fix unused function warnings for CONFIG_PM_SLEEP
        ACPI / PM: Fix unused function warnings for CONFIG_PM_SLEEP
        Revert "NMI watchdog: fix for lockup detector breakage on resume"
        PM: Make dev_pm_get_subsys_data() always return 0 on success
        drivers/cpufreq/pcc-cpufreq.c: fix error return code
        RTC: Avoid races between RTC alarm wakeup and suspend.
      e4e139be
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 88de3d0d
      Linus Torvalds authored
      Pull arm-soc bug fixes from Arnd Bergmann:
       "These are a bunch of bug fixes that came in after the merge window and
        one update for the MAINTAINERS file.
      
        The largest part of the fixes are patches that address bugs found by
        building all the ARM defconfig files.  There are a lot more warnings
        that we have patches for, but the others are either still under
        discussion or are harmless and do not cause actual problems besides
        making the build slightly noisy."
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (30 commits)
        ARM: davinci: remove broken ntosd2_init_i2c
        ARM: s3c24xx: enable CONFIG_BUG for tct_hammer
        omap-rng: fix use of SIMPLE_DEV_PM_OPS
        spi/s3c64xx: improve error handling
        mtd/omap2: fix dmaengine_slave_config error handling
        gpio: em: do not discard em_gio_irq_domain_cleanup
        ARM: exynos: exynos_pm_add_dev_to_genpd may be unused
        ARM: imx: gpmi-nand depends on mxs-dma
        ARM: integrator: include <linux/export.h>
        ARM: s3c24xx: use new PWM driver
        ARM: sa1100: include linux/io.h in hackkit leds code
        Input: eeti_ts: pass gpio value instead of IRQ
        ARM: pxa: remove irq_to_gpio from ezx-pcap driver
        ARM: tegra: more regulator fixes for Harmony
        usb/ohci-omap: remove unused variable
        mfd/asic3: fix asic3_mfd_probe return value
        ARM: kirkwood: fix typo in Makefile.boot
        i.MX27: Fix emma-prp and csi clocks.
        ARM: integrator: use clk_prepare_enable() for timer
        MAINTAINERS: update entry for Linus Walleij
        ...
      88de3d0d
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-linus-for-3.6-rc2' of... · f720e7ea
      Linus Torvalds authored
      Merge branch 'fixes-for-linus-for-3.6-rc2' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping
      
      Pull three dma-mapping fixes from Marek Szyprowski.
      
      * 'fixes-for-linus-for-3.6-rc2' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
        ARM: dma-mapping: fix incorrect freeing of atomic allocations
        ARM: dma-mapping: fix atomic allocation alignment
        ARM: mm: fix MMU mapping of CMA regions
      f720e7ea
    • Linus Torvalds's avatar
      Merge branch 'for-linus-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 15fc5deb
      Linus Torvalds authored
      Pull btrfs merge fix from Chris Mason:
       "This fixes a merge error in rc1.  The calls to mnt_want_write should
        have been removed."
      
      * 'for-linus-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: remove mnt_want_write call in btrfs_mksubvol
      15fc5deb
    • Jeff Mahoney's avatar
      printk: Fix calculation of length used to discard records · e3756477
      Jeff Mahoney authored
      While tracking down a weird buffer overflow issue in a program that
      looked to be sane, I started double checking the length returned by
      syslog(SYSLOG_ACTION_READ_ALL, ...) to make sure it wasn't overflowing
      the buffer.
      
      Sure enough, it was.  I saw this in strace:
      
        11339 syslog(SYSLOG_ACTION_READ_ALL, "<5>[244017.708129] REISERFS (dev"..., 8192) = 8279
      
      It turns out that the loops that calculate how much space the entries
      will take when they're copied don't include the newlines and prefixes
      that will be included in the final output since prev flags is passed as
      zero.
      
      This patch properly accounts for it and fixes the overflow.
      
      CC: stable@kernel.org
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e3756477
  3. 10 Aug, 2012 19 commits
    • Eric Dumazet's avatar
      codel: refine one condition to avoid a nul rec_inv_sqrt · 2359a476
      Eric Dumazet authored
      One condition before codel_Newton_step() was not good if
      we never left the dropping state for a flow. As a result
      rec_inv_sqrt was 0, instead of the ~0 initial value.
      
      codel control law was then set to a very aggressive mode, dropping
      many packets before reaching 'target' and recovering from this problem.
      
      To keep codel_vars_init() as efficient as possible, refine
      the condition to make sure rec_inv_sqrt initial value is correct
      
      Many thanks to Anton Mich for discovering the issue and suggesting
      a fix.
      Reported-by: default avatarAnton Mich <lp2s1h@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2359a476
    • Emil Tantilov's avatar
      ixgbe: add missing braces · 55461ddb
      Emil Tantilov authored
      This patch adds missing braces around the 10gig link check to include the check for  KR support.
      Signed-off-by: default avatarEmil Tantilov <emil.s.tantilov@intel.com>
      Reported-by: default avatarSascha Wildner <saw@online.de>
      Tested-by: default avatarPhil Schmitt <phillip.j.schmitt@intel.com>
      Signed-off-by: default avatarPeter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55461ddb
    • David S. Miller's avatar
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 69f1de1f
      David S. Miller authored
      John W. Linville says:
      
      ====================
      Here is a handful of fixes intended for 3.6.
      
      Daniel Drake offers a cfg80211 fix to consume pending events before
      taking a wireless device down.  This prevents a resource leak.
      
      Stanislaw Gruszka gives us a fix for a NULL pointer dereference in
      rt61pci.
      
      Johannes Berg provides an iwlwifi patch to disable "greenfield" mode.
      Use of that mode was causing a rate scaling problem in for iwlwifi.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69f1de1f
    • Eric Dumazet's avatar
      ipv4: fix ip_send_skb() · b5ec8eea
      Eric Dumazet authored
      ip_send_skb() can send orphaned skb, so we must pass the net pointer to
      avoid possible NULL dereference in error path.
      
      Bug added by commit 3a7c384f (ipv4: tcp: unicast_sock should not
      land outside of TCP stack)
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b5ec8eea
    • John W. Linville's avatar
      Merge branch 'master' of... · 039aafba
      John W. Linville authored
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
      039aafba
    • Rafael J. Wysocki's avatar
      tpm_tis / PM: Fix unused function warning for CONFIG_PM_SLEEP · 07368d32
      Rafael J. Wysocki authored
      According to a compiler warning, the tpm_tis_resume() function is not
      used for CONFIG_PM_SLEEP unset, so add a #ifdef to prevent it from
      being built in that case.
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      07368d32
    • Rafael J. Wysocki's avatar
      platform / x86 / PM: Fix unused function warnings for CONFIG_PM_SLEEP · 3567a4e2
      Rafael J. Wysocki authored
      According to compiler warnings, quite some suspend/resume functions
      in platform x86 drivers are not used for CONFIG_PM_SLEEP unset, so
      add #ifdefs to prevent them from being built in that case.
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      3567a4e2
    • Rafael J. Wysocki's avatar
      ACPI / PM: Fix unused function warnings for CONFIG_PM_SLEEP · 90692404
      Rafael J. Wysocki authored
      According to compiler warnings, several suspend/resume functions
      in ACPI drivers are not used for CONFIG_PM_SLEEP unset, so add
      #ifdefs to prevent them from being built in that case.
      Signed-off-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      90692404
    • Arnd Bergmann's avatar
      ARM: davinci: remove broken ntosd2_init_i2c · de923430
      Arnd Bergmann authored
      ntosd2_init_i2c walks the ntosd2_i2c_info array, which it expects to
      be populated with at least one member. gcc correctly warns about
      the out-of-bounds access here.
      
      Since this can not possibly work, it's better to disable i2c
      support entirely on this board.
      
      Without this patch, building davinci_all_defconfig results in:
      
      arch/arm/mach-davinci/board-neuros-osd2.c: In function 'davinci_ntosd2_init':
      arch/arm/mach-davinci/board-neuros-osd2.c:187:20: warning: array subscript is above array bounds [-Warray-bounds]
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarSekhar Nori <nsekhar@ti.com>
      Cc: Kevin Hilman <khilman@ti.com>
      Cc: Andrey Porodko <panda@chelcom.ru>
      de923430
    • Arnd Bergmann's avatar
      ARM: s3c24xx: enable CONFIG_BUG for tct_hammer · 15b5eb2d
      Arnd Bergmann authored
      Disabling CONFIG_BUG creates an insane amount of build warnings, which
      makes it useless to check for building defconfigs to see if new
      warnings show up.
      
      Without this patch, building tct_hammer_defconfig results in:
      
      net/packet/af_packet.c: In function 'tpacket_rcv':
      net/packet/af_packet.c:1889:30: warning: 'hdrlen' may be used uninitialized in this function [-Wuninitialized]
      net/core/ethtool.c: In function 'ethtool_get_feature_mask':
      net/core/ethtool.c:213:1: warning: control reaches end of non-void function [-Wreturn-type]
      block/cfq-iosched.c: In function 'cfq_async_queue_prio':
      block/cfq-iosched.c:2914:1: warning: control reaches end of non-void function [-Wreturn-type]
      mm/bootmem.c: In function 'mark_bootmem':
      mm/bootmem.c:352:1: warning: control reaches end of non-void function [-Wreturn-type]
      net/core/dev.c: In function 'skb_warn_bad_offload':
      net/core/dev.c:1904:33: warning: unused variable 'null_features' [-Wunused-variable]
      drivers/mtd/chips/cfi_probe.c: In function 'cfi_chip_setup':
      include/linux/mtd/cfi.h:489:3: warning: 'r.x[0]' may be used uninitialized in this function [-Wuninitialized]
      include/linux/mtd/map.h:394:11: note: 'r.x[0]' was declared here
      include/linux/mtd/cfi.h:489:3: warning: 'r.x[0]' may be used uninitialized in this function [-Wuninitialized]
      (and many more)
      
      The size of vmlinux increases by 1.78% because of this:
      
      size obj-arm/vmlinux.nobug
         text    data     bss     dec     hex filename
         2108474  116916   55352 2280742  22cd26 obj-arm/vmlinux
      size obj-arm/vmlinux.bug
         text    data     bss     dec     hex filename
         2150804  116916   53696 2321416  236c08 obj-arm/vmlinux
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Cc: Ben Dooks <ben-linux@fluff.org>
      15b5eb2d
    • Arnd Bergmann's avatar
      Merge branch 'testing/new-warnings' into fixes · b64456a4
      Arnd Bergmann authored
      These patches all fix bugs that were newly introduced in v3.6-rc1
      and found because they cause a gcc warning with one of the ARM
      defconfigs. Most of them are harmless, but since we're trying
      to get rid of all warnings eventually, we can start with the ones
      that were not there before.
      
      * testing/new-warnings:
        omap-rng: fix use of SIMPLE_DEV_PM_OPS
        spi/s3c64xx: improve error handling
        mtd/omap2: fix dmaengine_slave_config error handling
        gpio: em: do not discard em_gio_irq_domain_cleanup
        ARM: exynos: exynos_pm_add_dev_to_genpd may be unused
        usb/ohci-omap: remove unused variable
        mfd/asic3: fix asic3_mfd_probe return value
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      b64456a4
    • Arnd Bergmann's avatar
      omap-rng: fix use of SIMPLE_DEV_PM_OPS · 59596df6
      Arnd Bergmann authored
      omap_rng_suspend and omap_rng_resume are unused if CONFIG_PM is enabled
      but CONFIG_PM_SLEEP is disabled. I found this while building all defconfig
      files on ARM. It's not clear to me if this is the right solution, but
      at least it makes the code consistent again.
      
      Without this patch, building omap1_defconfig results in:
      
      drivers/char/hw_random/omap-rng.c:165:12: warning: 'omap_rng_suspend' defined but not used [-Wunused-function]
      drivers/char/hw_random/omap-rng.c:171:12: warning: 'omap_rng_resume' defined but not used [-Wunused-function]
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarKevin Hilman <khilman@ti.com>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      59596df6
    • Arnd Bergmann's avatar
      spi/s3c64xx: improve error handling · 4732cc63
      Arnd Bergmann authored
      When a device tree definition os an s3c64xx SPI master is missing
      a "controller-data" subnode, the newly added s3c64xx_get_slave_ctrldata
      function might use uninitialized memory in place of that node,
      which was correctly reported by gcc.
      
      Without this patch, building s3c6400_defconfig results in:
      
      drivers/spi/spi-s3c64xx.c: In function 's3c64xx_get_slave_ctrldata.isra.25':
      drivers/spi/spi-s3c64xx.c:841:5: warning: 'data_np' may be used uninitialized in this function [-Wuninitialized]
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarThomas Abraham <thomas.abraham@linaro.org>
      Acked-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Cc: Jaswinder Singh <jaswinder.singh@linaro.org>
      Cc: Grant Likely <grant.likely@secretlab.ca>
      4732cc63
    • Arnd Bergmann's avatar
      mtd/omap2: fix dmaengine_slave_config error handling · d680e2c1
      Arnd Bergmann authored
      The newly added dmaengine support in the omap2 nand driver
      potentially causes an undefined return value from the
      omap_nand_probe function when dmaengine_slave_config
      reports an error. Let's handle this by returning the
      same error back to the caller.
      
      Without this patch, building omap2plus_defconfig results in:
      
      drivers/mtd/nand/omap2.c: In function 'omap_nand_probe':
      drivers/mtd/nand/omap2.c:1154:6: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Russell King <rmk+kernel@arm.linux.org.uk>
      Cc: Grazvydas Ignotas <notasas@gmail.com>
      d680e2c1
    • Arnd Bergmann's avatar
      gpio: em: do not discard em_gio_irq_domain_cleanup · 38eaed32
      Arnd Bergmann authored
      The newly added gpio-em driver marks its em_gio_irq_domain_cleanup
      function as __devexit, which would lead to that function being
      discarded in case CONFIG_HOTPLUG is disabled. However, the function
      is also called by the error handling logic em_gio_probe, which
      would cause a jump into a NULL pointer if it was removed from the
      kernel or module.
      
      Without this patch, building kzm9d_defconfig results in:
      
      WARNING: drivers/gpio/built-in.o(.devinit.text+0x330): Section mismatch in reference from the function em_gio_probe() to the function .devexit.text:em_gio_irq_domain_cleanup()
      The function __devinit em_gio_probe() references
      a function __devexit em_gio_irq_domain_cleanup().
      This is often seen when error handling in the init function
      uses functionality in the exit path.
      The fix is often to remove the __devexit annotation of
      em_gio_irq_domain_cleanup() so it may be used outside an exit section.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Magnus Damm <damm@opensource.se>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      38eaed32
    • Arnd Bergmann's avatar
      ARM: exynos: exynos_pm_add_dev_to_genpd may be unused · 8ab08c0c
      Arnd Bergmann authored
      exynos_pm_add_dev_to_genpd is used if one or more out of a large
      number of Kconfig symbols are enabled. However the new
      exynos_defconfig selects none of those, so the function becomes
      unused. Marking it so lets the compiler automatically discard
      it.
      
      Without this patch, building exynos_defconfig results in:
      
      arch/arm/mach-exynos/pm_domains.c:118:123: warning: 'exynos_pm_add_dev_to_genpd' defined but not used [-Wunused-function]
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarThomas Abraham <thomas.abraham@linaro.org>
      Acked-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      8ab08c0c
    • Kees Cook's avatar
      Yama: higher restrictions should block PTRACE_TRACEME · 9d8dad74
      Kees Cook authored
      The higher ptrace restriction levels should be blocking even
      PTRACE_TRACEME requests. The comments in the LSM documentation are
      misleading about when the checks happen (the parent does not go through
      security_ptrace_access_check() on a PTRACE_TRACEME call).
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org # 3.5.x and later
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      9d8dad74
    • Eric Dumazet's avatar
      net: tcp: ipv6_mapped needs sk_rx_dst_set method · 63d02d15
      Eric Dumazet authored
      commit 5d299f3d (net: ipv6: fix TCP early demux) added a
      regression for ipv6_mapped case.
      
      [   67.422369] SELinux: initialized (dev autofs, type autofs), uses
      genfs_contexts
      [   67.449678] SELinux: initialized (dev autofs, type autofs), uses
      genfs_contexts
      [   92.631060] BUG: unable to handle kernel NULL pointer dereference at
      (null)
      [   92.631435] IP: [<          (null)>]           (null)
      [   92.631645] PGD 0
      [   92.631846] Oops: 0010 [#1] SMP
      [   92.632095] Modules linked in: autofs4 sunrpc ipv6 dm_mirror
      dm_region_hash dm_log dm_multipath dm_mod video sbs sbshc battery ac lp
      parport sg snd_hda_intel snd_hda_codec snd_seq_oss snd_seq_midi_event
      snd_seq snd_seq_device pcspkr snd_pcm_oss snd_mixer_oss snd_pcm
      snd_timer serio_raw button floppy snd i2c_i801 i2c_core soundcore
      snd_page_alloc shpchp ide_cd_mod cdrom microcode ehci_hcd ohci_hcd
      uhci_hcd
      [   92.634294] CPU 0
      [   92.634294] Pid: 4469, comm: sendmail Not tainted 3.6.0-rc1 #3
      [   92.634294] RIP: 0010:[<0000000000000000>]  [<          (null)>]
      (null)
      [   92.634294] RSP: 0018:ffff880245fc7cb0  EFLAGS: 00010282
      [   92.634294] RAX: ffffffffa01985f0 RBX: ffff88024827ad00 RCX:
      0000000000000000
      [   92.634294] RDX: 0000000000000218 RSI: ffff880254735380 RDI:
      ffff88024827ad00
      [   92.634294] RBP: ffff880245fc7cc8 R08: 0000000000000001 R09:
      0000000000000000
      [   92.634294] R10: 0000000000000000 R11: ffff880245fc7bf8 R12:
      ffff880254735380
      [   92.634294] R13: ffff880254735380 R14: 0000000000000000 R15:
      7fffffffffff0218
      [   92.634294] FS:  00007f4516ccd6f0(0000) GS:ffff880256600000(0000)
      knlGS:0000000000000000
      [   92.634294] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   92.634294] CR2: 0000000000000000 CR3: 0000000245ed1000 CR4:
      00000000000007f0
      [   92.634294] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [   92.634294] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
      0000000000000400
      [   92.634294] Process sendmail (pid: 4469, threadinfo ffff880245fc6000,
      task ffff880254b8cac0)
      [   92.634294] Stack:
      [   92.634294]  ffffffff813837a7 ffff88024827ad00 ffff880254b6b0e8
      ffff880245fc7d68
      [   92.634294]  ffffffff81385083 00000000001d2680 ffff8802547353a8
      ffff880245fc7d18
      [   92.634294]  ffffffff8105903a ffff88024827ad60 0000000000000002
      00000000000000ff
      [   92.634294] Call Trace:
      [   92.634294]  [<ffffffff813837a7>] ? tcp_finish_connect+0x2c/0xfa
      [   92.634294]  [<ffffffff81385083>] tcp_rcv_state_process+0x2b6/0x9c6
      [   92.634294]  [<ffffffff8105903a>] ? sched_clock_cpu+0xc3/0xd1
      [   92.634294]  [<ffffffff81059073>] ? local_clock+0x2b/0x3c
      [   92.634294]  [<ffffffff8138caf3>] tcp_v4_do_rcv+0x63a/0x670
      [   92.634294]  [<ffffffff8133278e>] release_sock+0x128/0x1bd
      [   92.634294]  [<ffffffff8139f060>] __inet_stream_connect+0x1b1/0x352
      [   92.634294]  [<ffffffff813325f5>] ? lock_sock_nested+0x74/0x7f
      [   92.634294]  [<ffffffff8104b333>] ? wake_up_bit+0x25/0x25
      [   92.634294]  [<ffffffff813325f5>] ? lock_sock_nested+0x74/0x7f
      [   92.634294]  [<ffffffff8139f223>] ? inet_stream_connect+0x22/0x4b
      [   92.634294]  [<ffffffff8139f234>] inet_stream_connect+0x33/0x4b
      [   92.634294]  [<ffffffff8132e8cf>] sys_connect+0x78/0x9e
      [   92.634294]  [<ffffffff813fd407>] ? sysret_check+0x1b/0x56
      [   92.634294]  [<ffffffff81088503>] ? __audit_syscall_entry+0x195/0x1c8
      [   92.634294]  [<ffffffff811cc26e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [   92.634294]  [<ffffffff813fd3e2>] system_call_fastpath+0x16/0x1b
      [   92.634294] Code:  Bad RIP value.
      [   92.634294] RIP  [<          (null)>]           (null)
      [   92.634294]  RSP <ffff880245fc7cb0>
      [   92.634294] CR2: 0000000000000000
      [   92.648982] ---[ end trace 24e2bed94314c8d9 ]---
      [   92.649146] Kernel panic - not syncing: Fatal exception in interrupt
      
      Fix this using inet_sk_rx_dst_set(), and export this function in case
      IPv6 is modular.
      Reported-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      63d02d15
    • Eric Dumazet's avatar
      ipv4: tcp: unicast_sock should not land outside of TCP stack · 3a7c384f
      Eric Dumazet authored
      commit be9f4a44 (ipv4: tcp: remove per net tcp_sock) added a
      selinux regression, reported and bisected by John Stultz
      
      selinux_ip_postroute_compat() expect to find a valid sk->sk_security
      pointer, but this field is NULL for unicast_sock
      
      It turns out that unicast_sock are really temporary stuff to be able
      to reuse  part of IP stack (ip_append_data()/ip_push_pending_frames())
      
      Fact is that frames sent by ip_send_unicast_reply() should be orphaned
      to not fool LSM.
      
      Note IPv6 never had this problem, as tcp_v6_send_response() doesnt use a
      fake socket at all. I'll probably implement tcp_v4_send_response() to
      remove these unicast_sock in linux-3.7
      Reported-by: default avatarJohn Stultz <johnstul@us.ibm.com>
      Bisected-by: default avatarJohn Stultz <johnstul@us.ibm.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3a7c384f
  4. 09 Aug, 2012 2 commits