From ea4bd8ba804dedefa65303b3bd105d6d2808e621 Mon Sep 17 00:00:00 2001 From: David Miller Date: Fri, 30 Jul 2010 21:54:49 -0700 Subject: Bluetooth: Use list_head for HCI blacklist head The bdaddr in the list root is completely unused and just taking up space. Signed-off-by: David S. Miller Tested-by: Johan Hedberg Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_core.c | 2 +- net/bluetooth/hci_sock.c | 8 +++----- net/bluetooth/hci_sysfs.c | 3 +-- 3 files changed, 5 insertions(+), 8 deletions(-) (limited to 'net') diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 8303f1c9ef5..c52f091ee6d 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -924,7 +924,7 @@ int hci_register_dev(struct hci_dev *hdev) hci_conn_hash_init(hdev); - INIT_LIST_HEAD(&hdev->blacklist.list); + INIT_LIST_HEAD(&hdev->blacklist); memset(&hdev->stat, 0, sizeof(struct hci_dev_stats)); diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 4f170a59593..83acd164d39 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -168,9 +168,8 @@ static int hci_sock_release(struct socket *sock) struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr) { struct list_head *p; - struct bdaddr_list *blacklist = &hdev->blacklist; - list_for_each(p, &blacklist->list) { + list_for_each(p, &hdev->blacklist) { struct bdaddr_list *b; b = list_entry(p, struct bdaddr_list, list); @@ -202,7 +201,7 @@ static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg) bacpy(&entry->bdaddr, &bdaddr); - list_add(&entry->list, &hdev->blacklist.list); + list_add(&entry->list, &hdev->blacklist); return 0; } @@ -210,9 +209,8 @@ static int hci_blacklist_add(struct hci_dev *hdev, void __user *arg) int hci_blacklist_clear(struct hci_dev *hdev) { struct list_head *p, *n; - struct bdaddr_list *blacklist = &hdev->blacklist; - list_for_each_safe(p, n, &blacklist->list) { + list_for_each_safe(p, n, &hdev->blacklist) { struct bdaddr_list *b; b = list_entry(p, struct bdaddr_list, list); diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index ce44c47eeac..8fb967beee8 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -439,12 +439,11 @@ static const struct file_operations inquiry_cache_fops = { static int blacklist_show(struct seq_file *f, void *p) { struct hci_dev *hdev = f->private; - struct bdaddr_list *blacklist = &hdev->blacklist; struct list_head *l; hci_dev_lock_bh(hdev); - list_for_each(l, &blacklist->list) { + list_for_each(l, &hdev->blacklist) { struct bdaddr_list *b; bdaddr_t bdaddr; -- cgit v1.2.2 From 28e9509b1270e5cfa8bb3c5ff51f39214aa09262 Mon Sep 17 00:00:00 2001 From: "Gustavo F. Padovan" Date: Sat, 31 Jul 2010 19:57:05 -0300 Subject: Bluetooth: Remove __exit from rfcomm_cleanup_ttys() rfcomm_cleanup_ttys() is also called from rfcomm_init(), so it can't have __exit. Reported-by: Mat Martineau Signed-off-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann --- net/bluetooth/rfcomm/tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 026205c18b7..befc3a52aa0 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -1183,7 +1183,7 @@ int __init rfcomm_init_ttys(void) return 0; } -void __exit rfcomm_cleanup_ttys(void) +void rfcomm_cleanup_ttys(void) { tty_unregister_driver(rfcomm_tty_driver); put_tty_driver(rfcomm_tty_driver); -- cgit v1.2.2 From 6340650400525a9ca8d86b1b4501cc50670dce0d Mon Sep 17 00:00:00 2001 From: "Gustavo F. Padovan" Date: Tue, 3 Aug 2010 23:49:29 -0300 Subject: Bluetooth: Don't send RFC for Basic Mode if only it is supported If the remote side doesn't support Enhanced Retransmission Mode neither Streaming Mode, we shall not send the RFC option. Some devices that only supports Basic Mode do not understanding the RFC option. This patch fixes the regression found with these devices. Signed-off-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 9ba1e8eee37..0f34e127514 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2527,6 +2527,10 @@ done: if (pi->imtu != L2CAP_DEFAULT_MTU) l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); + if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) && + !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING)) + break; + rfc.mode = L2CAP_MODE_BASIC; rfc.txwin_size = 0; rfc.max_transmit = 0; @@ -2534,6 +2538,8 @@ done: rfc.monitor_timeout = 0; rfc.max_pdu_size = 0; + l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), + (unsigned long) &rfc); break; case L2CAP_MODE_ERTM: @@ -2546,6 +2552,9 @@ done: if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), + (unsigned long) &rfc); + if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) break; @@ -2566,6 +2575,9 @@ done: if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10) rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), + (unsigned long) &rfc); + if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS)) break; @@ -2577,9 +2589,6 @@ done: break; } - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), - (unsigned long) &rfc); - /* FIXME: Need actual value of the flush timeout */ //if (flush_to != L2CAP_DEFAULT_FLUSH_TO) // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to); -- cgit v1.2.2 From adb08edea0119f7a5484a9f6a385fbcecdf85a63 Mon Sep 17 00:00:00 2001 From: Ville Tervo Date: Wed, 4 Aug 2010 09:43:33 +0300 Subject: Bluetooth: Check result code of L2CAP information response Check result code of L2CAP information response. Otherwise it would read invalid feature mask and access invalid memory. Signed-off-by: Ville Tervo Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 0f34e127514..3e3cd9d4e52 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3348,6 +3348,15 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm del_timer(&conn->info_timer); + if (result != L2CAP_IR_SUCCESS) { + conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; + conn->info_ident = 0; + + l2cap_conn_start(conn); + + return 0; + } + if (type == L2CAP_IT_FEAT_MASK) { conn->feat_mask = get_unaligned_le32(rsp->data); -- cgit v1.2.2 From 1601b1e56e1093d6deb8f475fafc30cc30143357 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 30 Jul 2010 13:30:47 +0200 Subject: mac80211: fix scan locking wrt. hw scan Releasing the scan mutex while starting scans can lead to unexpected things happening, so we shouldn't do that. Fix that and hold the mutex across the scan triggering. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/scan.c | 14 -------------- 1 file changed, 14 deletions(-) (limited to 'net') diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 41f20fb7e67..872d7b6ef6b 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -400,19 +400,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, else __set_bit(SCAN_SW_SCANNING, &local->scanning); - /* - * Kicking off the scan need not be protected, - * only the scan variable stuff, since now - * local->scan_req is assigned and other callers - * will abort their scan attempts. - * - * This avoids too many locking dependencies - * so that the scan completed calls have more - * locking freedom. - */ - ieee80211_recalc_idle(local); - mutex_unlock(&local->scan_mtx); if (local->ops->hw_scan) { WARN_ON(!ieee80211_prep_hw_scan(local)); @@ -420,8 +408,6 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, } else rc = ieee80211_start_sw_scan(local); - mutex_lock(&local->scan_mtx); - if (rc) { kfree(local->hw_scan_req); local->hw_scan_req = NULL; -- cgit v1.2.2 From 93c08c32914264f539baf7f04cce310a0dd30a7a Mon Sep 17 00:00:00 2001 From: Juuso Oikarinen Date: Tue, 3 Aug 2010 08:22:25 +0300 Subject: mac80211: Fix compilation warning when CONFIG_INET is not set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The warning is: net/mac80211/main.c:688: warning: label ‘fail_ifa’ defined but not used Signed-off-by: Juuso Oikarinen Signed-off-by: John W. Linville --- net/mac80211/main.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net') diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 7cc4f913a43..798a91b100c 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -685,10 +685,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) return 0; +#ifdef CONFIG_INET fail_ifa: pm_qos_remove_notifier(PM_QOS_NETWORK_LATENCY, &local->network_latency_notifier); rtnl_lock(); +#endif fail_pm_qos: ieee80211_led_exit(local); ieee80211_remove_interfaces(local); -- cgit v1.2.2 From 36d12690a2e9bcacae5a2a7e0fb6345a3caad625 Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Tue, 3 Aug 2010 17:39:18 +0000 Subject: act_nat: fix on the TX path On the TX path, skb->data points to the ethernet header, not the network header. So when validating the packet length for accessing we should take the ethernet header into account. Signed-off-by: Changli Gao Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/sched/act_nat.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'net') diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c index d0386a413e8..509a2d53a99 100644 --- a/net/sched/act_nat.c +++ b/net/sched/act_nat.c @@ -114,6 +114,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, int egress; int action; int ihl; + int noff; spin_lock(&p->tcf_lock); @@ -132,7 +133,8 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, if (unlikely(action == TC_ACT_SHOT)) goto drop; - if (!pskb_may_pull(skb, sizeof(*iph))) + noff = skb_network_offset(skb); + if (!pskb_may_pull(skb, sizeof(*iph) + noff)) goto drop; iph = ip_hdr(skb); @@ -144,7 +146,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, if (!((old_addr ^ addr) & mask)) { if (skb_cloned(skb) && - !skb_clone_writable(skb, sizeof(*iph)) && + !skb_clone_writable(skb, sizeof(*iph) + noff) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) goto drop; @@ -172,9 +174,9 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, { struct tcphdr *tcph; - if (!pskb_may_pull(skb, ihl + sizeof(*tcph)) || + if (!pskb_may_pull(skb, ihl + sizeof(*tcph) + noff) || (skb_cloned(skb) && - !skb_clone_writable(skb, ihl + sizeof(*tcph)) && + !skb_clone_writable(skb, ihl + sizeof(*tcph) + noff) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))) goto drop; @@ -186,9 +188,9 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, { struct udphdr *udph; - if (!pskb_may_pull(skb, ihl + sizeof(*udph)) || + if (!pskb_may_pull(skb, ihl + sizeof(*udph) + noff) || (skb_cloned(skb) && - !skb_clone_writable(skb, ihl + sizeof(*udph)) && + !skb_clone_writable(skb, ihl + sizeof(*udph) + noff) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))) goto drop; @@ -205,7 +207,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, { struct icmphdr *icmph; - if (!pskb_may_pull(skb, ihl + sizeof(*icmph))) + if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + noff)) goto drop; icmph = (void *)(skb_network_header(skb) + ihl); @@ -215,7 +217,8 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, (icmph->type != ICMP_PARAMETERPROB)) break; - if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph))) + if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph) + + noff)) goto drop; icmph = (void *)(skb_network_header(skb) + ihl); @@ -229,8 +232,8 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, break; if (skb_cloned(skb) && - !skb_clone_writable(skb, - ihl + sizeof(*icmph) + sizeof(*iph)) && + !skb_clone_writable(skb, ihl + sizeof(*icmph) + + sizeof(*iph) + noff) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) goto drop; -- cgit v1.2.2 From 4b95c3d40d7d9927438ed7b7b49c84c60e27b65b Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Wed, 4 Aug 2010 04:48:12 +0000 Subject: cls_flow: add sanity check for the packet length The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao Acked-by: Patrick McHardy Signed-off-by: David S. Miller --- net/sched/cls_flow.c | 96 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 40 deletions(-) (limited to 'net') diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c index f73542d2cdd..e17096e3913 100644 --- a/net/sched/cls_flow.c +++ b/net/sched/cls_flow.c @@ -65,37 +65,47 @@ static inline u32 addr_fold(void *addr) return (a & 0xFFFFFFFF) ^ (BITS_PER_LONG > 32 ? a >> 32 : 0); } -static u32 flow_get_src(const struct sk_buff *skb) +static u32 flow_get_src(struct sk_buff *skb) { switch (skb->protocol) { case htons(ETH_P_IP): - return ntohl(ip_hdr(skb)->saddr); + if (pskb_network_may_pull(skb, sizeof(struct iphdr))) + return ntohl(ip_hdr(skb)->saddr); + break; case htons(ETH_P_IPV6): - return ntohl(ipv6_hdr(skb)->saddr.s6_addr32[3]); - default: - return addr_fold(skb->sk); + if (pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) + return ntohl(ipv6_hdr(skb)->saddr.s6_addr32[3]); + break; } + + return addr_fold(skb->sk); } -static u32 flow_get_dst(const struct sk_buff *skb) +static u32 flow_get_dst(struct sk_buff *skb) { switch (skb->protocol) { case htons(ETH_P_IP): - return ntohl(ip_hdr(skb)->daddr); + if (pskb_network_may_pull(skb, sizeof(struct iphdr))) + return ntohl(ip_hdr(skb)->daddr); + break; case htons(ETH_P_IPV6): - return ntohl(ipv6_hdr(skb)->daddr.s6_addr32[3]); - default: - return addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol; + if (pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) + return ntohl(ipv6_hdr(skb)->daddr.s6_addr32[3]); + break; } + + return addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol; } -static u32 flow_get_proto(const struct sk_buff *skb) +static u32 flow_get_proto(struct sk_buff *skb) { switch (skb->protocol) { case htons(ETH_P_IP): - return ip_hdr(skb)->protocol; + return pskb_network_may_pull(skb, sizeof(struct iphdr)) ? + ip_hdr(skb)->protocol : 0; case htons(ETH_P_IPV6): - return ipv6_hdr(skb)->nexthdr; + return pskb_network_may_pull(skb, sizeof(struct ipv6hdr)) ? + ipv6_hdr(skb)->nexthdr : 0; default: return 0; } @@ -116,58 +126,64 @@ static int has_ports(u8 protocol) } } -static u32 flow_get_proto_src(const struct sk_buff *skb) +static u32 flow_get_proto_src(struct sk_buff *skb) { - u32 res = 0; - switch (skb->protocol) { case htons(ETH_P_IP): { - struct iphdr *iph = ip_hdr(skb); + struct iphdr *iph; + if (!pskb_network_may_pull(skb, sizeof(*iph))) + break; + iph = ip_hdr(skb); if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && - has_ports(iph->protocol)) - res = ntohs(*(__be16 *)((void *)iph + iph->ihl * 4)); + has_ports(iph->protocol) && + pskb_network_may_pull(skb, iph->ihl * 4 + 2)) + return ntohs(*(__be16 *)((void *)iph + iph->ihl * 4)); break; } case htons(ETH_P_IPV6): { - struct ipv6hdr *iph = ipv6_hdr(skb); + struct ipv6hdr *iph; + if (!pskb_network_may_pull(skb, sizeof(*iph) + 2)) + break; + iph = ipv6_hdr(skb); if (has_ports(iph->nexthdr)) - res = ntohs(*(__be16 *)&iph[1]); + return ntohs(*(__be16 *)&iph[1]); break; } - default: - res = addr_fold(skb->sk); } - return res; + return addr_fold(skb->sk); } -static u32 flow_get_proto_dst(const struct sk_buff *skb) +static u32 flow_get_proto_dst(struct sk_buff *skb) { - u32 res = 0; - switch (skb->protocol) { case htons(ETH_P_IP): { - struct iphdr *iph = ip_hdr(skb); + struct iphdr *iph; + if (!pskb_network_may_pull(skb, sizeof(*iph))) + break; + iph = ip_hdr(skb); if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && - has_ports(iph->protocol)) - res = ntohs(*(__be16 *)((void *)iph + iph->ihl * 4 + 2)); + has_ports(iph->protocol) && + pskb_network_may_pull(skb, iph->ihl * 4 + 4)) + return ntohs(*(__be16 *)((void *)iph + iph->ihl * 4 + 2)); break; } case htons(ETH_P_IPV6): { - struct ipv6hdr *iph = ipv6_hdr(skb); + struct ipv6hdr *iph; + if (!pskb_network_may_pull(skb, sizeof(*iph) + 4)) + break; + iph = ipv6_hdr(skb); if (has_ports(iph->nexthdr)) - res = ntohs(*(__be16 *)((void *)&iph[1] + 2)); + return ntohs(*(__be16 *)((void *)&iph[1] + 2)); break; } - default: - res = addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol; } - return res; + return addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol; } static u32 flow_get_iif(const struct sk_buff *skb) @@ -211,7 +227,7 @@ static u32 flow_get_nfct(const struct sk_buff *skb) }) #endif -static u32 flow_get_nfct_src(const struct sk_buff *skb) +static u32 flow_get_nfct_src(struct sk_buff *skb) { switch (skb->protocol) { case htons(ETH_P_IP): @@ -223,7 +239,7 @@ fallback: return flow_get_src(skb); } -static u32 flow_get_nfct_dst(const struct sk_buff *skb) +static u32 flow_get_nfct_dst(struct sk_buff *skb) { switch (skb->protocol) { case htons(ETH_P_IP): @@ -235,14 +251,14 @@ fallback: return flow_get_dst(skb); } -static u32 flow_get_nfct_proto_src(const struct sk_buff *skb) +static u32 flow_get_nfct_proto_src(struct sk_buff *skb) { return ntohs(CTTUPLE(skb, src.u.all)); fallback: return flow_get_proto_src(skb); } -static u32 flow_get_nfct_proto_dst(const struct sk_buff *skb) +static u32 flow_get_nfct_proto_dst(struct sk_buff *skb) { return ntohs(CTTUPLE(skb, dst.u.all)); fallback: @@ -281,7 +297,7 @@ static u32 flow_get_vlan_tag(const struct sk_buff *skb) return tag & VLAN_VID_MASK; } -static u32 flow_key_get(const struct sk_buff *skb, int key) +static u32 flow_key_get(struct sk_buff *skb, int key) { switch (key) { case FLOW_KEY_SRC: -- cgit v1.2.2 From 12dc96d1673feabef98eed1b5ff37abaa67fbe64 Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Wed, 4 Aug 2010 04:55:40 +0000 Subject: cls_rsvp: add sanity check for the packet length The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao Signed-off-by: David S. Miller --- net/sched/cls_rsvp.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h index dd9414e4420..425a1790b04 100644 --- a/net/sched/cls_rsvp.h +++ b/net/sched/cls_rsvp.h @@ -143,9 +143,17 @@ static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp, u8 tunnelid = 0; u8 *xprt; #if RSVP_DST_LEN == 4 - struct ipv6hdr *nhptr = ipv6_hdr(skb); + struct ipv6hdr *nhptr; + + if (!pskb_network_may_pull(skb, sizeof(*nhptr))) + return -1; + nhptr = ipv6_hdr(skb); #else - struct iphdr *nhptr = ip_hdr(skb); + struct iphdr *nhptr; + + if (!pskb_network_may_pull(skb, sizeof(*nhptr))) + return -1; + nhptr = ip_hdr(skb); #endif restart: -- cgit v1.2.2 From f2f009812f1fdcaf40fa547282c1b90d3b702a7d Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Wed, 4 Aug 2010 04:58:59 +0000 Subject: sch_sfq: add sanity check for the packet length The packet length should be checked before the packet data is dereferenced. Signed-off-by: Changli Gao Signed-off-by: David S. Miller --- net/sched/sch_sfq.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) (limited to 'net') diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index c65762823f5..e85352b5c88 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -122,7 +122,11 @@ static unsigned sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb) switch (skb->protocol) { case htons(ETH_P_IP): { - const struct iphdr *iph = ip_hdr(skb); + const struct iphdr *iph; + + if (!pskb_network_may_pull(skb, sizeof(*iph))) + goto err; + iph = ip_hdr(skb); h = (__force u32)iph->daddr; h2 = (__force u32)iph->saddr ^ iph->protocol; if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && @@ -131,25 +135,32 @@ static unsigned sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb) iph->protocol == IPPROTO_UDPLITE || iph->protocol == IPPROTO_SCTP || iph->protocol == IPPROTO_DCCP || - iph->protocol == IPPROTO_ESP)) + iph->protocol == IPPROTO_ESP) && + pskb_network_may_pull(skb, iph->ihl * 4 + 4)) h2 ^= *(((u32*)iph) + iph->ihl); break; } case htons(ETH_P_IPV6): { - struct ipv6hdr *iph = ipv6_hdr(skb); + struct ipv6hdr *iph; + + if (!pskb_network_may_pull(skb, sizeof(*iph))) + goto err; + iph = ipv6_hdr(skb); h = (__force u32)iph->daddr.s6_addr32[3]; h2 = (__force u32)iph->saddr.s6_addr32[3] ^ iph->nexthdr; - if (iph->nexthdr == IPPROTO_TCP || - iph->nexthdr == IPPROTO_UDP || - iph->nexthdr == IPPROTO_UDPLITE || - iph->nexthdr == IPPROTO_SCTP || - iph->nexthdr == IPPROTO_DCCP || - iph->nexthdr == IPPROTO_ESP) + if ((iph->nexthdr == IPPROTO_TCP || + iph->nexthdr == IPPROTO_UDP || + iph->nexthdr == IPPROTO_UDPLITE || + iph->nexthdr == IPPROTO_SCTP || + iph->nexthdr == IPPROTO_DCCP || + iph->nexthdr == IPPROTO_ESP) && + pskb_network_may_pull(skb, sizeof(*iph) + 4)) h2 ^= *(u32*)&iph[1]; break; } default: +err: h = (unsigned long)skb_dst(skb) ^ (__force u32)skb->protocol; h2 = (unsigned long)skb->sk; } -- cgit v1.2.2 From 3b5bac2bdea1de832bdd8e2c904ab7c9479ff9ed Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 4 Aug 2010 02:34:17 +0000 Subject: RxRPC: Fix a potential deadlock between the call resend_timer and state_lock RxRPC can potentially deadlock as rxrpc_resend_time_expired() wants to get call->state_lock so that it can alter the state of an RxRPC call. However, its caller (call_timer_fn()) has an apparent lock on the timer struct. The problem is that rxrpc_resend_time_expired() isn't permitted to lock call->state_lock as this could cause a deadlock against rxrpc_send_abort() as that takes state_lock and then attempts to delete the resend timer by calling del_timer_sync(). The deadlock can occur because del_timer_sync() will sit there forever waiting for rxrpc_resend_time_expired() to return, but the latter may then wait for call->state_lock, which rxrpc_send_abort() holds around del_timer_sync()... This leads to a warning appearing in the kernel log that looks something like the attached. It should be sufficient to simply dispense with the locks. It doesn't matter if we set the resend timer expired event bit and queue the event processor whilst we're changing state to one where the resend timer is irrelevant as the event can just be ignored by the processor thereafter. ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.35-rc3-cachefs+ #115 ------------------------------------------------------- swapper/0 is trying to acquire lock: (&call->state_lock){++--..}, at: [] rxrpc_resend_time_expired+0x56/0x96 [af_rxrpc] but task is already holding lock: (&call->resend_timer){+.-...}, at: [] run_timer_softirq+0x182/0x2a5 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&call->resend_timer){+.-...}: [] __lock_acquire+0x889/0x8fa [] lock_acquire+0x57/0x6d [] del_timer_sync+0x3c/0x86 [] rxrpc_send_abort+0x50/0x97 [af_rxrpc] [] rxrpc_kernel_abort_call+0xa1/0xdd [af_rxrpc] [] afs_deliver_to_call+0x129/0x368 [kafs] [] afs_process_async_call+0x54/0xff [kafs] [] worker_thread+0x1ef/0x2e2 [] kthread+0x7a/0x82 [] kernel_thread_helper+0x4/0x10 -> #0 (&call->state_lock){++--..}: [] validate_chain+0x727/0xd23 [] __lock_acquire+0x889/0x8fa [] lock_acquire+0x57/0x6d [] _raw_read_lock_bh+0x34/0x43 [] rxrpc_resend_time_expired+0x56/0x96 [af_rxrpc] [] run_timer_softirq+0x1f3/0x2a5 [] __do_softirq+0xa2/0x13e [] call_softirq+0x1c/0x28 [] do_softirq+0x38/0x80 [] irq_exit+0x45/0x47 [] smp_apic_timer_interrupt+0x88/0x96 [] apic_timer_interrupt+0x13/0x20 [] cpu_idle+0x4d/0x83 [] start_secondary+0x1bd/0x1c1 other info that might help us debug this: 1 lock held by swapper/0: #0: (&call->resend_timer){+.-...}, at: [] run_timer_softirq+0x182/0x2a5 stack backtrace: Pid: 0, comm: swapper Not tainted 2.6.35-rc3-cachefs+ #115 Call Trace: [] print_circular_bug+0xae/0xbd [] validate_chain+0x727/0xd23 [] __lock_acquire+0x889/0x8fa [] ? mark_lock+0x42f/0x51f [] lock_acquire+0x57/0x6d [] ? rxrpc_resend_time_expired+0x56/0x96 [af_rxrpc] [] _raw_read_lock_bh+0x34/0x43 [] ? rxrpc_resend_time_expired+0x56/0x96 [af_rxrpc] [] rxrpc_resend_time_expired+0x56/0x96 [af_rxrpc] [] run_timer_softirq+0x1f3/0x2a5 [] ? run_timer_softirq+0x182/0x2a5 [] ? rxrpc_resend_time_expired+0x0/0x96 [af_rxrpc] [] ? __do_softirq+0x69/0x13e [] __do_softirq+0xa2/0x13e [] call_softirq+0x1c/0x28 [] do_softirq+0x38/0x80 [] irq_exit+0x45/0x47 [] smp_apic_timer_interrupt+0x88/0x96 [] apic_timer_interrupt+0x13/0x20 [] ? __atomic_notifier_call_chain+0x0/0x86 [] ? mwait_idle+0x6e/0x78 [] ? mwait_idle+0x65/0x78 [] cpu_idle+0x4d/0x83 [] start_secondary+0x1bd/0x1c1 Signed-off-by: David Howells Signed-off-by: David S. Miller --- net/rxrpc/ar-ack.c | 3 +++ net/rxrpc/ar-call.c | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'net') diff --git a/net/rxrpc/ar-ack.c b/net/rxrpc/ar-ack.c index 2714da167fb..b6ffe4e1b84 100644 --- a/net/rxrpc/ar-ack.c +++ b/net/rxrpc/ar-ack.c @@ -245,6 +245,9 @@ static void rxrpc_resend_timer(struct rxrpc_call *call) _enter("%d,%d,%d", call->acks_tail, call->acks_unacked, call->acks_head); + if (call->state >= RXRPC_CALL_COMPLETE) + return; + resend = 0; resend_at = 0; diff --git a/net/rxrpc/ar-call.c b/net/rxrpc/ar-call.c index 909d092de9f..bf656c230ba 100644 --- a/net/rxrpc/ar-call.c +++ b/net/rxrpc/ar-call.c @@ -786,6 +786,7 @@ static void rxrpc_call_life_expired(unsigned long _call) /* * handle resend timer expiry + * - may not take call->state_lock as this can deadlock against del_timer_sync() */ static void rxrpc_resend_time_expired(unsigned long _call) { @@ -796,12 +797,9 @@ static void rxrpc_resend_time_expired(unsigned long _call) if (call->state >= RXRPC_CALL_COMPLETE) return; - read_lock_bh(&call->state_lock); clear_bit(RXRPC_CALL_RUN_RTIMER, &call->flags); - if (call->state < RXRPC_CALL_COMPLETE && - !test_and_set_bit(RXRPC_CALL_RESEND_TIMER, &call->events)) + if (!test_and_set_bit(RXRPC_CALL_RESEND_TIMER, &call->events)) rxrpc_queue_call(call); - read_unlock_bh(&call->state_lock); } /* -- cgit v1.2.2 From d7100da026317fcf07411f765fe1cdb044053917 Mon Sep 17 00:00:00 2001 From: stephen hemminger Date: Wed, 4 Aug 2010 07:34:36 +0000 Subject: ppp: make channel_ops const The PPP channel ops structure should be const. Cleanup the declarations to use standard C99 format. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- net/atm/pppoatm.c | 2 +- net/irda/irnet/irnet_ppp.c | 2 +- net/l2tp/l2tp_ppp.c | 5 ++++- 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c index e49bb6d948a..e9aced0ec56 100644 --- a/net/atm/pppoatm.c +++ b/net/atm/pppoatm.c @@ -260,7 +260,7 @@ static int pppoatm_devppp_ioctl(struct ppp_channel *chan, unsigned int cmd, return -ENOTTY; } -static /*const*/ struct ppp_channel_ops pppoatm_ops = { +static const struct ppp_channel_ops pppoatm_ops = { .start_xmit = pppoatm_send, .ioctl = pppoatm_devppp_ioctl, }; diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c index 800bc53b7f6..dfe7b38dd4a 100644 --- a/net/irda/irnet/irnet_ppp.c +++ b/net/irda/irnet/irnet_ppp.c @@ -20,7 +20,7 @@ /* Please put other headers in irnet.h - Thanks */ /* Generic PPP callbacks (to call us) */ -static struct ppp_channel_ops irnet_ppp_ops = { +static const struct ppp_channel_ops irnet_ppp_ops = { .start_xmit = ppp_irnet_send, .ioctl = ppp_irnet_ioctl }; diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 90d82b3f288..ff954b3e94b 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -135,7 +135,10 @@ struct pppol2tp_session { static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb); -static struct ppp_channel_ops pppol2tp_chan_ops = { pppol2tp_xmit , NULL }; +static const struct ppp_channel_ops pppol2tp_chan_ops = { + .start_xmit = pppol2tp_xmit, +}; + static const struct proto_ops pppol2tp_ops; /* Helpers to obtain tunnel/session contexts from sockets. -- cgit v1.2.2 From ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Thu, 5 Aug 2010 01:19:11 +0000 Subject: net: Fix napi_gro_frags vs netpoll path The netpoll_rx_on() check in __napi_gro_receive() skips part of the "common" GRO_NORMAL path, especially "pull:" in dev_gro_receive(), where at least eth header should be copied for entirely paged skbs. Signed-off-by: Jarek Poplawski Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/core/dev.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'net') diff --git a/net/core/dev.c b/net/core/dev.c index e1c1cdcc2bb..2b508966146 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3072,7 +3072,7 @@ enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff *skb) int mac_len; enum gro_result ret; - if (!(skb->dev->features & NETIF_F_GRO)) + if (!(skb->dev->features & NETIF_F_GRO) || netpoll_rx_on(skb)) goto normal; if (skb_is_gso(skb) || skb_has_frags(skb)) @@ -3159,9 +3159,6 @@ __napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb) { struct sk_buff *p; - if (netpoll_rx_on(skb)) - return GRO_NORMAL; - for (p = napi->gro_list; p; p = p->next) { NAPI_GRO_CB(p)->same_flow = (p->dev == skb->dev) && -- cgit v1.2.2 From ba78e2ddca844598c0efcbf2c76d73519a61b902 Mon Sep 17 00:00:00 2001 From: Dmitry Popov Date: Sat, 7 Aug 2010 20:24:28 -0700 Subject: tcp: no md5sig option size check bug tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG) length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16 bytes long. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 3c426cb318e..e663b78a2ef 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th) if (opsize < 2 || opsize > length) return NULL; if (opcode == TCPOPT_MD5SIG) - return ptr; + return opsize == TCPOLEN_MD5SIG ? ptr : NULL; } ptr += opsize - 2; length -= opsize; -- cgit v1.2.2 From cece1945bffcf1a823cdfa36669beae118419351 Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Sat, 7 Aug 2010 20:35:43 -0700 Subject: net: disable preemption before call smp_processor_id() Although netif_rx() isn't expected to be called in process context with preemption enabled, it'd better handle this case. And this is why get_cpu() is used in the non-RPS #ifdef branch. If tree RCU is selected, rcu_read_lock() won't disable preemption, so preempt_disable() should be called explictly. Signed-off-by: Changli Gao Signed-off-by: David S. Miller --- net/core/dev.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net') diff --git a/net/core/dev.c b/net/core/dev.c index 2b508966146..1ae65439144 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2517,6 +2517,7 @@ int netif_rx(struct sk_buff *skb) struct rps_dev_flow voidflow, *rflow = &voidflow; int cpu; + preempt_disable(); rcu_read_lock(); cpu = get_rps_cpu(skb->dev, skb, &rflow); @@ -2526,6 +2527,7 @@ int netif_rx(struct sk_buff *skb) ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail); rcu_read_unlock(); + preempt_enable(); } #else { -- cgit v1.2.2 From eb4a5527b1f0d581ac217c80ef3278ed5e38693c Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Fri, 6 Aug 2010 00:22:35 +0000 Subject: pkt_sched: Fix sch_sfq vs tcf_bind_filter oops Since there was added ->tcf_chain() method without ->bind_tcf() to sch_sfq class options, there is oops when a filter is added with the classid parameter. Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998 netdev thread: null pointer at cls_api.c Signed-off-by: Jarek Poplawski Reported-by: Franchoze Eric Signed-off-by: David S. Miller --- net/sched/sch_sfq.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'net') diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index e85352b5c88..534f33231c1 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -513,6 +513,12 @@ static unsigned long sfq_get(struct Qdisc *sch, u32 classid) return 0; } +static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent, + u32 classid) +{ + return 0; +} + static struct tcf_proto **sfq_find_tcf(struct Qdisc *sch, unsigned long cl) { struct sfq_sched_data *q = qdisc_priv(sch); @@ -567,6 +573,7 @@ static void sfq_walk(struct Qdisc *sch, struct qdisc_walker *arg) static const struct Qdisc_class_ops sfq_class_ops = { .get = sfq_get, .tcf_chain = sfq_find_tcf, + .bind_tcf = sfq_bind, .dump = sfq_dump_class, .dump_stats = sfq_dump_class_stats, .walk = sfq_walk, -- cgit v1.2.2