1. 05 Jun, 2008 35 commits
  2. 04 Jun, 2008 5 commits
      l2tp: Fix possible oops if transmitting or receiving when tunnel goes down · 24b95685
      James Chapman authored
      Some problems have been experienced in the field which cause an oops
      in the pppol2tp driver if L2TP tunnels fail while passing data.
      
      The pppol2tp driver uses private data that is referenced via the
      sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
      sure that the driver uses sock_hold() when it holds a reference to the
      sk pointer. This affects its sendmsg(), recvmsg(), getname(),
      [gs]etsockopt() and ioctl() handlers.
      
      Tested by ISP where problem was seen. System has been up 10 days with
      no oops since running this patch. Without the patch, an oops would
      occur every 1-2 days.
      
      Signed-off-by: James Chapman <jchapman@katalix.com> 
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits. · 293ad604
      Octavian Purdila authored
      skb_splice_bits temporarily drops the socket lock while iterating over
      the socket queue in order to break a reverse locking condition which
      happens with sendfile. This, however, opens a window of opportunity
      for tcp_collapse() to aggregate skbs and thus potentially free the
      current skb used in skb_splice_bits and tcp_read_sock.
      
      This patch fixes the problem by (re-)getting the same "logical skb"
      after the lock has been temporarily dropped.
      
      Based on idea and initial patch from Evgeniy Polyakov.
      Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
      Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: Increment OUTRSTS in tcp_send_active_reset() · 26af65cb
      Sridhar Samudrala authored
      TCP "resets sent" counter is not incremented when a TCP Reset is 
      sent via tcp_send_active_reset().
      Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      raw: Raw socket leak. · 22dd4850
      Denis V. Lunev authored
      The program below just leaks the raw kernel socket
      
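      #include <string.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>

      int main(void) {
              /* Raw socket; requires CAP_NET_RAW */
              int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
              struct sockaddr_in addr;

              memset(&addr, 0, sizeof(addr));
              inet_aton("127.0.0.1", &addr.sin_addr);
              addr.sin_family = AF_INET;
              addr.sin_port = htons(2048);
              /* MSG_MORE corks the packet; the process exits without uncorking */
              sendto(fd,  "a", 1, MSG_MORE, (struct sockaddr *)&addr, sizeof(addr));
              return 0;
      }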
      
      Corked packet is allocated via sock_wmalloc which holds the owner socket,
      so one should uncork it and flush all pending data on close. Do this in the
      same way as in UDP.
      Signed-off-by: Denis V. Lunev <den@openvz.org>
      Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      l2tp: Fix possible WARN_ON from socket code when UDP socket is closed · 199f7d24
      James Chapman authored
      If an L2TP daemon closes a tunnel socket while packets are queued in
      the tunnel's reorder queue, a kernel warning is logged because the
      socket is closed while skbs are still referencing it. The fix is to
      purge the queue in the socket's release handler.
      
      WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
      Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
       [<c0423c58>] warn_on_slowpath+0x41/0x51
       [<c05d33a7>] udp_lib_unhash+0x41/0x68
       [<c059424d>] sk_common_release+0x23/0x90
       [<c05d16be>] udp_lib_close+0x8/0xa
       [<c05d8684>] inet_release+0x42/0x48
       [<c0592599>] sock_release+0x14/0x60
       [<c059299f>] sock_close+0x29/0x30
       [<c046ef52>] __fput+0xad/0x15b
       [<c046f1d9>] fput+0x17/0x19
       [<c046c8c4>] filp_close+0x50/0x5a
       [<c046da06>] sys_close+0x69/0x9f
       [<c04048ce>] syscall_call+0x7/0xb
      Signed-off-by: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>