| Age | Commit message (Collapse) | Author |
|---|
|
I previously managed to reproduce a hang while scanning wireless
channels (reproducible with airodump-ng hopping channels); subsequent
lockdep instrumentation revealed a lock ordering issue.
Without knowing the design intent, it looks like the locks should be
taken in reverse order; please comment.
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.38-rc5-341cd #4
-------------------------------------------------------
airodump-ng/15445 is trying to acquire lock:
(&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff816b1266>]
cfg80211_wext_siwfreq+0xc6/0x100
but task is already holding lock:
(&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>] cfg80211_wext_siwfreq+0xbc/0x100
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&wdev->mtx){+.+.+.}:
[<ffffffff810a79d6>] lock_acquire+0xc6/0x280
[<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
[<ffffffff81696080>] cfg80211_netdev_notifier_call+0x430/0x5f0
[<ffffffff8109351b>] notifier_call_chain+0x8b/0x100
[<ffffffff810935b1>] raw_notifier_call_chain+0x11/0x20
[<ffffffff81576d92>] call_netdevice_notifiers+0x32/0x60
[<ffffffff815771a4>] __dev_notify_flags+0x34/0x80
[<ffffffff81577230>] dev_change_flags+0x40/0x70
[<ffffffff8158587c>] do_setlink+0x1fc/0x8d0
[<ffffffff81586042>] rtnl_setlink+0xf2/0x140
[<ffffffff81586923>] rtnetlink_rcv_msg+0x163/0x270
[<ffffffff8159d741>] netlink_rcv_skb+0xa1/0xd0
[<ffffffff815867b0>] rtnetlink_rcv+0x20/0x30
[<ffffffff8159d39a>] netlink_unicast+0x2ba/0x300
[<ffffffff8159dd57>] netlink_sendmsg+0x267/0x3e0
[<ffffffff8155e364>] sock_sendmsg+0xe4/0x110
[<ffffffff8155f3a3>] sys_sendmsg+0x253/0x3b0
[<ffffffff81003192>] system_call_fastpath+0x16/0x1b
-> #0 (&rdev->devlist_mtx){+.+.+.}:
[<ffffffff810a7222>] __lock_acquire+0x1622/0x1d10
[<ffffffff810a79d6>] lock_acquire+0xc6/0x280
[<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0
[<ffffffff816b1266>] cfg80211_wext_siwfreq+0xc6/0x100
[<ffffffff816b2fad>] ioctl_standard_call+0x5d/0xd0
[<ffffffff816b3223>] T.808+0x163/0x170
[<ffffffff816b326a>] wext_handle_ioctl+0x3a/0x90
[<ffffffff815798d2>] dev_ioctl+0x6f2/0x830
[<ffffffff8155cf3d>] sock_ioctl+0xfd/0x290
[<ffffffff8117dffd>] do_vfs_ioctl+0x9d/0x590
[<ffffffff8117e53a>] sys_ioctl+0x4a/0x80
[<ffffffff81003192>] system_call_fastpath+0x16/0x1b
other info that might help us debug this:
2 locks held by airodump-ng/15445:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81586782>] rtnl_lock+0x12/0x20
#1: (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>]
cfg80211_wext_siwfreq+0xbc/0x100
stack backtrace:
Pid: 15445, comm: airodump-ng Not tainted 2.6.38-rc5-341cd #4
Call Trace:
[<ffffffff810a3f0a>] ? print_circular_bug+0xfa/0x100
[<ffffffff810a7222>] ? __lock_acquire+0x1622/0x1d10
[<ffffffff810a1f99>] ? trace_hardirqs_off_caller+0x29/0xc0
[<ffffffff810a79d6>] ? lock_acquire+0xc6/0x280
[<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
[<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
[<ffffffff816d6bce>] ? mutex_lock_nested+0x6e/0x4b0
[<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
[<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90
[<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
[<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100
[<ffffffff816b2fad>] ? ioctl_standard_call+0x5d/0xd0
[<ffffffff8157818b>] ? __dev_get_by_name+0x9b/0xc0
[<ffffffff816b2f50>] ? ioctl_standard_call+0x0/0xd0
[<ffffffff816b3223>] ? T.808+0x163/0x170
[<ffffffff8112ddf2>] ? might_fault+0x72/0xd0
[<ffffffff816b326a>] ? wext_handle_ioctl+0x3a/0x90
[<ffffffff8112de3b>] ? might_fault+0xbb/0xd0
[<ffffffff815798d2>] ? dev_ioctl+0x6f2/0x830
[<ffffffff810a1bae>] ? put_lock_stats+0xe/0x40
[<ffffffff810a1c8c>] ? lock_release_holdtime+0xac/0x150
[<ffffffff8155cf3d>] ? sock_ioctl+0xfd/0x290
[<ffffffff8117dffd>] ? do_vfs_ioctl+0x9d/0x590
[<ffffffff8116c8ff>] ? fget_light+0x1df/0x3c0
[<ffffffff8117e53a>] ? sys_ioctl+0x4a/0x80
[<ffffffff81003192>] ? system_call_fastpath+0x16/0x1b
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Fix a bug that undo_retrans is incorrectly decremented when undo_marker is
not set or undo_retrans is already 0. This happens when sender receives
more DSACK ACKs than packets retransmitted during the current
undo phase. This may also happen when sender receives DSACK after
the undo operation is completed or cancelled.
Fix another bug that undo_retrans is incorrectly incremented when
sender retransmits an skb and tcp_skb_pcount(skb) > 1 (TSO). This case
is rare but not impossible.
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
|
From: Eric W. Biederman <ebiederm@xmission.com>
In the beginning with batching unreg_list was a list that was used only
once in the lifetime of a network device (I think). Now we have calls
using the unreg_list that can happen multiple times in the life of a
network device like dev_deactivate and dev_close that are also using the
unreg_list. In addition in unregister_netdevice_queue we also do a
list_move because for devices like veth pairs it is possible that
unregister_netdevice_queue will be called multiple times.
So I think the change below to fix dev_deactivate which Eric D. missed
will fix this problem. Now to go test that.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
net/sctp/tsnmap.c: In function ‘sctp_tsnmap_num_gabs’:
net/sctp/tsnmap.c:347: warning: ‘start’ may be used uninitialized in this function
net/sctp/tsnmap.c:347: warning: ‘end’ may be used uninitialized in this function
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Now, TCP_CHECK_TIMER is not used for debuging, it does nothing.
And, it has been there for several years, maybe 6 years.
Remove it to keep code clearer.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
Conflicts:
Documentation/feature-removal-schedule.txt
drivers/net/e1000e/netdev.c
net/xfrm/xfrm_policy.c
|
|
commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 re-worked the
handling of unknown parameters. sctp_init_cause_fixed() can now
return -ENOSPC if there is not enough tailroom in the error
chunk skb. When this happens, the error header is not appended to
the error chunk. In that case, the payload of the unknown parameter
should not be appended either.
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Eric W. Biederman reported a lockdep splat in inet_twsk_deschedule()
This is caused by inet_twsk_purge(), run from process context,
and commit 575f4cd5a5b6394577 (net: Use rcu lookups in inet_twsk_purge.)
removed the BH disabling that was necessary.
Add the BH disabling but fine grained, right before calling
inet_twsk_deschedule(), instead of whole function.
With help from Linus Torvalds and Eric W. Biederman
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Daniel Lezcano <daniel.lezcano@free.fr>
CC: Pavel Emelyanov <xemul@openvz.org>
CC: Arnaldo Carvalho de Melo <acme@redhat.com>
CC: stable <stable@kernel.org> (# 2.6.33+)
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
|
|
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits)
net: deinit automatic LIST_HEAD
net: dont leave active on stack LIST_HEAD
net: provide default_advmss() methods to blackhole dst_ops
tg3: Restrict phy ioctl access
drivers/net: Call netif_carrier_off at the end of the probe
ixgbe: work around for DDP last buffer size
ixgbe: fix panic due to uninitialised pointer
e1000e: flush all writebacks before unload
e1000e: check down flag in tasks
isdn: hisax: Use l2headersize() instead of dup (and buggy) func.
arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS.
cxgb4vf: Use defined Mailbox Timeout
cxgb4vf: Quiesce Virtual Interfaces on shutdown ...
cxgb4vf: Behave properly when CONFIG_DEBUG_FS isn't defined ...
cxgb4vf: Check driver parameters in the right place ...
pch_gbe: Fix the MAC Address load issue.
iwlwifi: Delete iwl3945_good_plcp_health.
net/can/softing: make CAN_SOFTING_CS depend on CAN_SOFTING
netfilter: nf_iterate: fix incorrect RCU usage
pch_gbe: Fix the issue that the receiving data is not normal.
...
|
|
Conflicts:
drivers/bluetooth/ath3k.c
drivers/bluetooth/btusb.c
|
|
Clear IEEE80211_STA_NULLFUNC_ACKED flag on disabling power
save. Without this fix, there is a chance of setting CONF_PS
before sending nullfunc frame.
Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
"def_bool n" without prompt is pointless, this should be just "bool".
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
The module parameter ieee80211_disable_40mhz_24ghz
was meant to allow disabling 40 MHz operation in
the 2.4 GHz band by default. However, it is buggy
as implemented because while it advertises to the
AP that the device doesn't support 40 MHz, it will
itself still use 40 MHz configurations.
To fix this, clear the 40 MHz bits from the sband
completely instead of overriding where used.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-next-2.6
|
|
Low level driver could pass rx frames to us after disassociate, what
can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). That
is obviously wrong, but nothing happens until we unload modules and
resources are used after free. If kernel debugging is enabled following
warning could be observed:
WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70()
Hardware name: HP xw8600 Workstation
ODEBUG: free active (active state 0) object type: timer_list
Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 aes_x86_64 aes_generic fuse cpufreq_ondemand acpi_cpufreq freq_table mperf xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod uinput hp_wmi sparse_keymap sg wmi arc4 microcode serio_raw ecb tg3 shpchp rfkill ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: cfg80211]
Pid: 13827, comm: rmmod Tainted: G W 2.6.38-rc4-wl+ #22
Call Trace:
[<ffffffff810649cf>] ? warn_slowpath_common+0x7f/0xc0
[<ffffffff81064ac6>] ? warn_slowpath_fmt+0x46/0x50
[<ffffffff81226fc5>] ? debug_print_object+0x65/0x70
[<ffffffff81227625>] ? debug_check_no_obj_freed+0x125/0x210
[<ffffffff8109ebd7>] ? debug_check_no_locks_freed+0xf7/0x170
[<ffffffff81156092>] ? kfree+0xc2/0x2f0
[<ffffffff813ec5c5>] ? netdev_release+0x45/0x60
[<ffffffff812f1067>] ? device_release+0x27/0xa0
[<ffffffff81216ddd>] ? kobject_release+0x8d/0x1a0
[<ffffffff81216d50>] ? kobject_release+0x0/0x1a0
[<ffffffff812183b7>] ? kref_put+0x37/0x70
[<ffffffff81216c57>] ? kobject_put+0x27/0x60
[<ffffffff813d5d1b>] ? netdev_run_todo+0x1ab/0x270
[<ffffffff813e771e>] ? rtnl_unlock+0xe/0x10
[<ffffffffa0581188>] ? ieee80211_unregister_hw+0x58/0x120 [mac80211]
[<ffffffffa0377ed7>] ? iwl_pci_remove+0xdb/0x22a [iwlagn]
[<ffffffff8123cde2>] ? pci_device_remove+0x52/0x120
[<ffffffff812f5205>] ? __device_release_driver+0x75/0xe0
[<ffffffff812f5348>] ? driver_detach+0xd8/0xe0
[<ffffffff812f4111>] ? bus_remove_driver+0x91/0x100
[<ffffffff812f5b62>] ? driver_unregister+0x62/0xa0
[<ffffffff8123d194>] ? pci_unregister_driver+0x44/0xa0
[<ffffffffa0377df5>] ? iwl_exit+0x15/0x1c [iwlagn]
[<ffffffff810ab492>] ? sys_delete_module+0x1a2/0x270
[<ffffffff81498889>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff8100bf42>] ? system_call_fastpath+0x16/0x1b
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Much quicker than going through the FIB tables.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This will be used to optimize __ip_dev_find() and friends.
With help from Eric Dumazet.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 9b5e383c11b08784 (net: Introduce
unregister_netdevice_many()) left an active LIST_HEAD() in
rollback_registered(), with possible memory corruption.
Even if device is freed without touching its unreg_list (and therefore
touching the previous memory location holding LISTE_HEAD(single), better
close the bug for good, since its really subtle.
(Same fix for default_device_exit_batch() for completeness)
Reported-by: Michal Hocko <mhocko@suse.cz>
Tested-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Eric W. Biderman <ebiderman@xmission.com>
Tested-by: Eric W. Biderman <ebiderman@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Ingo Molnar <mingo@elte.hu>
CC: Octavian Purdila <opurdila@ixiacom.com>
CC: stable <stable@kernel.org> [.33+]
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Eric W. Biderman and Michal Hocko reported various memory corruptions
that we suspected to be related to a LIST head located on stack, that
was manipulated after thread left function frame (and eventually exited,
so its stack was freed and reused).
Eric Dumazet suggested the problem was probably coming from commit
443457242beb (net: factorize
sync-rcu call in unregister_netdevice_many)
This patch fixes __dev_close() and dev_close() to properly deinit their
respective LIST_HEAD(single) before exiting.
References: https://lkml.org/lkml/2011/2/16/304
References: https://lkml.org/lkml/2011/2/14/223
Reported-by: Michal Hocko <mhocko@suse.cz>
Tested-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Eric W. Biderman <ebiderman@xmission.com>
Tested-by: Eric W. Biderman <ebiderman@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Ingo Molnar <mingo@elte.hu>
CC: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Commit 0dbaee3b37e118a (net: Abstract default ADVMSS behind an
accessor.) introduced a possible crash in tcp_connect_init(), when
dst->default_advmss() is called from dst_metric_advmss()
Reported-by: George Spelvin <linux@horizon.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The only troublesome bit here is __mkroute_output which wants
to override res->fi and res->type, compute those in local
variables instead.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
GCC emits all kinds of crazy zero extensions when we go from signed
int, to unsigned short, etc. etc.
This transformation has to be legal because:
1) In tkey_extract_bits() in mask_pfx(), the values are used to
perform shifts, on which negative values are undefined by C.
2) In fib_table_lookup() we perform comparisons with unsigned
values, constants, and additions. None of which should
encounter negative values.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This allows avoiding multiple writes to the initial __refcnt.
The most simplest cases of wanting an initial reference of "1"
in ipv4 and ipv6 have been converted, the rest have been left
along and kept at the existing "0".
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This also allows us to combine all the dst->flags settings and avoid
read/modify/write sequences to this struct member.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Simplifies tail of __ip_route_output_key().
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There's a lot of redundancy and unnecessary stack frames
in the output route creation path.
1) Make __mkroute_output() return error pointers.
2) Eliminate ip_mkroute_output() entirely, made possible by #1.
3) Call __mkroute_output() directly and handling the returning error
pointers in ip_route_output_slow().
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Introduce NETIF_F_RXCSUM to replace device-private flags for RX checksum
offload. Integrate it with ndo_fix_features.
ethtool_op_get_rx_csum() is removed altogether as nothing in-tree uses it.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This introduces a new framework to handle device features setting.
It consists of:
- new fields in struct net_device:
+ hw_features - features that hw/driver supports toggling
+ wanted_features - features that user wants enabled, when possible
- new netdev_ops:
+ feat = ndo_fix_features(dev, feat) - API checking constraints for
enabling features or their combinations
+ ndo_set_features(dev) - API updating hardware state to match
changed dev->features
- new ethtool commands:
+ ETHTOOL_GFEATURES/ETHTOOL_SFEATURES: get/set dev->wanted_features
and trigger device reconfiguration if resulting dev->features
changed
+ ETHTOOL_GSTRINGS(ETH_SS_FEATURES): get feature bits names (meaning)
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This allows to enable GRO even if RX csum is disabled. GRO will not
be used for packets without hardware checksum anyway.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This is needed for unified offloads patch.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Only oddities here are a couple of drivers that bogusly called the ldisc
helpers instead of returning -ENOIOCTLCMD. Fix the bug and the rest goes
away.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Doing tiocmget was such fun we should do tiocmset as well for the same
reasons
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
We don't actually need this and it causes problems for internal use of
this functionality. Currently there is a single use of the FILE * pointer.
That is the serial core which uses it to check tty_hung_up_p. However if
that is true then IO_ERROR is also already set so the check may be removed.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
|
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Signed-off-by: Gilles Espinasse <g.esp@free.fr>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The flaw was in skipping the second byte in MAC header due to increasing
the pointer AND indexed access starting at '1'.
Signed-off-by: Joerg Marx <joerg.marx@secunet.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
As warned by checkpatch.pl, use #include <linux/uaccess.h> instead of
<asm/uaccess.h>.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Assigning a socket in timewait state to skb->sk can trigger
kernel oops, e.g. in nfnetlink_log, which does:
if (skb->sk) {
read_lock_bh(&skb->sk->sk_callback_lock);
if (skb->sk->sk_socket && skb->sk->sk_socket->file) ...
in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket
is invalid.
Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT,
or xt_TPROXY must not assign a timewait socket to skb->sk.
This does the latter.
If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment,
thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule.
The 'SYN to TW socket' case is left unchanged -- we try to redirect to the
listener socket.
Cc: Balazs Scheidler <bazsi@balabit.hu>
Cc: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
