From 82709531a800fcf8de71bb8c5d8e92462fb81f84 Mon Sep 17 00:00:00 2001 
From: Gerrit Renker Date: Wed, 11 Oct 2006 16:26:54 +0100 Subject: [DCCP]: Fix Oops in DCCPv6 I think I got the cause for the Oops observed in http://www.mail-archive.com/dccp@vger.kernel.org/msg00578.html The problem is always with applications listening on PF_INET6 sockets. Apart from the mentioned oops, I observed another one, triggered at irregular intervals via timer interrupt: run_timer_softirq -> dccp_keepalive_timer -> inet_csk_reqsk_queue_prune -> reqsk_free -> dccp_v6_reqsk_destructor The latter function is the problem and is also the last function to be called in said kernel panic. In any case, there is a real problem with allocating the right request_sock which is what this patch tackles. It fixes the following problem: - application listens on PF_INET6 - DCCPv4 packet comes in, is handed over to dccp_v4_do_rcv, from there to dccp_v4_conn_request Now: socket is PF_INET6, packet is IPv4. The following code then furnishes the connection with IPv6 - request_sock operations: req = reqsk_alloc(sk->sk_prot->rsk_prot); The first problem is that all further incoming packets will get a Reset since the connection can not be looked up. The second problem is worse: --> reqsk_alloc is called instead of inet6_reqsk_alloc --> consequently inet6_rsk_offset is never set (dangling pointer) --> the request_sock_ops are nevertheless still dccp6_request_ops --> destructor is called via reqsk_free --> dccp_v6_reqsk_destructor tries to free random memory location (inet6_rsk_offset not set) --> panic I have tested this for a while, DCCP sockets are now handled correctly in all three scenarios (v4/v6 only/v4-mapped). 
Commiter note: I've added the dccp_request_sock_ops forward declaration to keep the tree building and to reduce the size of the patch for 2.6.19, later I'll move the functions to the top of the affected source code to match what we have in the TCP counterpart, where this problem hasn't existed in the first place, dumb me not to have done the same thing on DCCP land 8) Signed-off-by: Gerrit Renker Signed-off-by: Arnaldo Carvalho de Melo --- net/dccp/ipv4.c | 4 +++- net/dccp/ipv6.c | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 7e746c4c16..aaaf4d0951 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -449,6 +449,8 @@ static inline u64 dccp_v4_init_sequence(const struct sock *sk, dccp_hdr(skb)->dccph_sport); } +static struct request_sock_ops dccp_request_sock_ops; + int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) { struct inet_request_sock *ireq; @@ -489,7 +491,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) goto drop; - req = reqsk_alloc(sk->sk_prot->rsk_prot); + req = reqsk_alloc(&dccp_request_sock_ops); if (req == NULL) goto drop; diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 7171a78671..91e7b12df1 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -672,7 +672,6 @@ static struct sock *dccp_v6_hnd_req(struct sock *sk,struct sk_buff *skb) static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) { - struct inet_request_sock *ireq; struct dccp_sock dp; struct request_sock *req; struct dccp_request_sock *dreq; @@ -701,7 +700,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) goto drop; - req = inet6_reqsk_alloc(sk->sk_prot->rsk_prot); + req = inet6_reqsk_alloc(&dccp6_request_sock_ops); if (req == NULL) goto drop; 
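Review bot: The `reqsk_alloc(&dccp_request_sock_ops)` line in dccp_v4_conn_request fixes the allocation but leaves no trace in the code of why the listener's own `sk->sk_prot->rsk_prot` must not be used here, so the next person to "simplify" it back will reintroduce the oops. Per the commit message the case is a DCCPv4 packet arriving on a PF_INET6 listener, whose rsk_prot is the v6 ops: the request_sock then carries the v6 destructor without inet6_rsk_offset ever having been set. I would put `/* Always the v4 ops: sk may be a PF_INET6 listener (v4-mapped case) whose rsk_prot is the v6 ops */` directly above the call, and the mirror-image comment above `inet6_reqsk_alloc(&dccp6_request_sock_ops)` in the ipv6.c hunk. The forward declaration added in the first ipv4.c hunk is a tentative definition that depends on the full `dccp_request_sock_ops` initializer later in the same file; the committer note already plans to move the functions instead. dccp_v4_conn_request continues outside the hunk.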
@@ -713,7 +712,6 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) goto drop_and_free; ireq6 = inet6_rsk(req); - ireq = inet_rsk(req); ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr); ipv6_addr_copy(&ireq6->loc_addr, &skb->nh.ipv6h->daddr); req->rcv_wnd = dccp_feat_default_sequence_window; -- cgit v1.2.2 From fd169f15a67b47f23bd1704919c719a8e8409a73 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Fri, 20 Oct 2006 19:44:17 -0700 Subject: [DCCP] ipv6: Fix opt_skb leak. Based upon a patch from Jesper Juhl. Try to match the TCP IPv6 code this was copied from as much as possible, so that it's easy to see where to add the ipv6 pktoptions support code. Signed-off-by: David S. Miller --- net/dccp/ipv6.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 91e7b12df1..c8bf89bfb0 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -995,6 +995,10 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) if (sk->sk_state == DCCP_OPEN) { /* Fast path */ if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len)) goto reset; + if (opt_skb) { + /* This is where we would goto ipv6_pktoptions. */ + __kfree_skb(opt_skb); + } return 0; } @@ -1019,6 +1023,10 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) if (dccp_rcv_state_process(sk, skb, dccp_hdr(skb), skb->len)) goto reset; + if (opt_skb) { + /* This is where we would goto ipv6_pktoptions. */ + __kfree_skb(opt_skb); + } return 0; reset: -- cgit v1.2.2 From 97f80bc66f5c6384e3aab70c67340116b8c4284b Mon Sep 17 00:00:00 2001 From: Jeff Garzik Date: Fri, 20 Oct 2006 19:48:42 -0700 Subject: [ATM]: handle sysfs errors Signed-off-by: Jeff Garzik Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- net/atm/atm_sysfs.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c index c0a4ae28fc..62f6ed1f2f 100644 --- a/net/atm/atm_sysfs.c 
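Review bot: The two added `__kfree_skb(opt_skb)` blocks in dccp_v6_do_rcv cover only the `return 0` exits; the `goto reset` immediately before each of them still leaves the function with opt_skb possibly allocated, and whether the `reset:`/`discard:` code below the hunk releases it is not visible here. If it does not, the leak this commit fixes remains on every reset. The TCP code the message says this mirrors releases opt_skb once at its `discard:` label (`if (opt_skb) __kfree_skb(opt_skb);`) so that every exit shares one release point; confirm dccp_v6_do_rcv does the same, or add that line there. dccp_v6_do_rcv starts and ends outside the hunk.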
+++ b/net/atm/atm_sysfs.c @@ -141,7 +141,7 @@ static struct class atm_class = { int atm_register_sysfs(struct atm_dev *adev) { struct class_device *cdev = &adev->class_dev; - int i, err; + int i, j, err; cdev->class = &atm_class; class_set_devdata(cdev, adev); @@ -151,10 +151,19 @@ int atm_register_sysfs(struct atm_dev *adev) if (err < 0) return err; - for (i = 0; atm_attrs[i]; i++) - class_device_create_file(cdev, atm_attrs[i]); + for (i = 0; atm_attrs[i]; i++) { + err = class_device_create_file(cdev, atm_attrs[i]); + if (err) + goto err_out; + } return 0; + +err_out: + for (j = 0; j < i; j++) + class_device_remove_file(cdev, atm_attrs[j]); + class_device_del(cdev); + return err; } void atm_unregister_sysfs(struct atm_dev *adev) -- cgit v1.2.2 From b45eccdb51c102e3c5ff9eaecc36200ab2eb09c0 Mon Sep 17 00:00:00 2001 From: Tobias Klauser Date: Fri, 20 Oct 2006 19:49:45 -0700 Subject: [ATM]: No need to return void The module_exit function has return-type void and pci_unregister_driver() returns void anyway. Signed-off-by: Tobias Klauser Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- drivers/atm/ambassador.c | 4 ++-- drivers/atm/horizon.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c index 323592de04..9fffa7af6d 100644 --- a/drivers/atm/ambassador.c +++ b/drivers/atm/ambassador.c @@ -2452,8 +2452,8 @@ static int __init amb_module_init (void) static void __exit amb_module_exit (void) { PRINTD (DBG_FLOW|DBG_INIT, "cleanup_module"); - - return pci_unregister_driver(&amb_driver); + + pci_unregister_driver(&amb_driver); } module_init(amb_module_init); diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c index f59349206d..44268cba5a 100644 --- a/drivers/atm/horizon.c +++ b/drivers/atm/horizon.c 
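Review bot: The unwind loop in atm_register_sysfs introduces a second index `j` where the usual kernel idiom walks `i` back down: `while (i-- > 0) class_device_remove_file(cdev, atm_attrs[j]);` with `j` replaced by `i` removes both the extra variable and the `int i, j, err;` change. Separately, `err_out:` ends with `class_device_del(cdev)` alone; the registration call whose result is checked just above the loop is outside the hunk, so make sure class_device_del is its full inverse (class_device_unregister also drops the reference that registration took) or, at minimum, that it matches what atm_unregister_sysfs does so the two paths agree. A one-line comment at `err_out:` naming which registration it balances would make that explicit.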
@@ -2932,8 +2932,8 @@ static int __init hrz_module_init (void) { static void __exit hrz_module_exit (void) { PRINTD (DBG_FLOW, "cleanup_module"); - - return pci_unregister_driver(&hrz_driver); + + pci_unregister_driver(&hrz_driver); } module_init(hrz_module_init); -- cgit v1.2.2 From 663bab6fd097c18ae0c7a7fd1b4a44558b998cdb Mon Sep 17 00:00:00 2001 From: Jeff Garzik Date: Fri, 20 Oct 2006 19:50:50 -0700 Subject: [ATM] firestream: handle thrown error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit gcc emits the following warning: drivers/atm/firestream.c: In function ‘fs_open’: drivers/atm/firestream.c:870: warning: ‘tmc0’ may be used uninitialized in this function This indicates a real bug. We should check make_rate() return value for potential errors. Signed-off-by: Jeff Garzik Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- drivers/atm/firestream.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c index 40ab9b65fa..697ad82f66 100644 --- a/drivers/atm/firestream.c +++ b/drivers/atm/firestream.c @@ -1002,6 +1002,10 @@ static int fs_open(struct atm_vcc *atm_vcc) r = ROUND_UP; } error = make_rate (pcr, r, &tmc0, NULL); + if (error) { + kfree(tc); + return error; + } } fs_dprintk (FS_DEBUG_OPEN, "pcr = %d.\n", pcr); } -- cgit v1.2.2 From 69c3014763966b0ae2bd190dac3654dd6cebdd45 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Fri, 20 Oct 2006 19:51:46 -0700 Subject: [ATM] nicstar: Fix a bogus casting warning Not enough to make Nicstar 64bit friendly but got squashed in passing so might as well be applied Signed-off-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- drivers/atm/nicstar.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c index 632ede5527..bd09045948 100644 --- a/drivers/atm/nicstar.c +++ b/drivers/atm/nicstar.c 
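Review bot: The new early return in fs_open releases only `tc`, but fs_open's body begins long before this hunk; if the per-VCC object the driver stores in `atm_vcc->dev_data` has already been allocated by this point, a make_rate() failure now leaks it and leaves dev_data pointing at an object nothing will free. The `!tc` allocation-failure branch just above this hunk (not visible here) shows what the full unwind at this depth should be — mirror it rather than a lone `kfree(tc)`, e.g. `kfree(tc); kfree(vcc); return error;` if the vcc structure is live here. The return value of make_rate() is also the only thing that makes `tmc0` defined, so a comment such as `/* tmc0 is only valid when make_rate() succeeded */` would record why the check exists beyond silencing the warning.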
@@ -2759,7 +2759,7 @@ static int ns_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg) { ns_dev *card; pool_levels pl; - int btype; + long btype; unsigned long flags; card = dev->dev_data; @@ -2859,7 +2859,7 @@ static int ns_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg) case NS_ADJBUFLEV: if (!capable(CAP_NET_ADMIN)) return -EPERM; - btype = (int) arg; /* an int is the same size as a pointer */ + btype = (long) arg; /* a long is the same size as a pointer or bigger */ switch (btype) { case NS_BUFTYPE_SMALL: -- cgit v1.2.2 From 375216ad0c303adeed45281ce82e153d41de679a Mon Sep 17 00:00:00 2001 From: Thomas Graf Date: Sat, 21 Oct 2006 20:20:54 -0700 Subject: [IPv6] fib: initialize tb6_lock in common place to give lockdep a key Signed-off-by: Thomas Graf Signed-off-by: David S. Miller --- net/ipv6/ip6_fib.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 8fcae7a651..f98ca30d7c 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -169,7 +169,6 @@ static __inline__ void rt6_release(struct rt6_info *rt) static struct fib6_table fib6_main_tbl = { .tb6_id = RT6_TABLE_MAIN, - .tb6_lock = RW_LOCK_UNLOCKED, .tb6_root = { .leaf = &ip6_null_entry, .fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO, @@ -187,6 +186,12 @@ static void fib6_link_table(struct fib6_table *tb) { unsigned int h; + /* + * Initialize table lock at a single place to give lockdep a key, + * tables aren't visible prior to being linked to the list. + */ + rwlock_init(&tb->tb6_lock); + h = tb->tb6_id & (FIB_TABLE_HASHSZ - 1); /* @@ -199,7 +204,6 @@ static void fib6_link_table(struct fib6_table *tb) #ifdef CONFIG_IPV6_MULTIPLE_TABLES static struct fib6_table fib6_local_tbl = { .tb6_id = RT6_TABLE_LOCAL, - .tb6_lock = RW_LOCK_UNLOCKED, .tb6_root = { .leaf = &ip6_null_entry, .fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO, 
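Review bot: `btype = (long) arg;` in ns_ioctl's NS_ADJBUFLEV case stuffs an integer selector into the `void __user *` argument, and the kernel's conventional carrier for a pointer-sized integer is `unsigned long` rather than `long`; I would declare `unsigned long btype;` and write `btype = (unsigned long) arg; /* NS_ADJBUFLEV passes the buffer type in the pointer value itself */`, which also makes the comment say what is going on instead of restating the size relationship. Because the value is never dereferenced the `__user` annotation is not violated, but the cast is a hidden ABI contract with user space that the comment should name. ns_ioctl continues outside the hunk.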
@@ -213,7 +217,6 @@ static struct fib6_table *fib6_alloc_table(u32 id) table = kzalloc(sizeof(*table), GFP_ATOMIC); if (table != NULL) { table->tb6_id = id; - table->tb6_lock = RW_LOCK_UNLOCKED; table->tb6_root.leaf = &ip6_null_entry; table->tb6_root.fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO; } -- cgit v1.2.2 From 185b1aa122f87052d9154bb74990bc785372a750 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sat, 21 Oct 2006 20:24:01 -0700 Subject: [NET]: Reduce sizeof(struct flowi) by 20 bytes. As suggested by David, just kill off some unused fields in dnports to reduce sizef(struct flowi). If they come back, they should be moved to nl_u.dn_u in order not to enlarge again struct flowi [ Modified to really delete this stuff instead of using #if 0. -DaveM ] Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- include/net/dn.h | 5 ----- include/net/flow.h | 3 --- 2 files changed, 8 deletions(-) diff --git a/include/net/dn.h b/include/net/dn.h index 465b783027..ac4ce90917 100644 --- a/include/net/dn.h +++ b/include/net/dn.h @@ -199,11 +199,6 @@ static inline void dn_sk_ports_copy(struct flowi *fl, struct dn_scp *scp) { fl->uli_u.dnports.sport = scp->addrloc; fl->uli_u.dnports.dport = scp->addrrem; - fl->uli_u.dnports.objnum = scp->addr.sdn_objnum; - if (fl->uli_u.dnports.objnum == 0) { - fl->uli_u.dnports.objnamel = (__u8)dn_ntohs(scp->addr.sdn_objnamel); - memcpy(fl->uli_u.dnports.objname, scp->addr.sdn_objname, 16); - } } extern unsigned dn_mss_from_pmtu(struct net_device *dev, int mtu); diff --git a/include/net/flow.h b/include/net/flow.h index 3b44d72b27..5cda27cd9d 100644 --- a/include/net/flow.h +++ b/include/net/flow.h @@ -68,9 +68,6 @@ struct flowi { struct { __le16 sport; __le16 dport; - __u8 objnum; - __u8 objnamel; /* Not 16 bits since max val is 16 */ - __u8 objname[16]; /* Not zero terminated */ } dnports; __be32 spi; -- cgit v1.2.2 From 6a43487f43fbd4e03c606dcb62b98374a3af88fc Mon Sep 17 00:00:00 2001 
From: Randy Dunlap Date: Sun, 22 Oct 2006 20:38:00 -0700 Subject: [NET]: kernel-doc fix for sock.h Fix kernel-doc warning in include/net/sock.h: Warning(/var/linsrc/linux-2619-rc1-pv//include/net/sock.h:894): No description found for parameter 'rcu' Signed-off-by: Randy Dunlap Signed-off-by: David S. Miller --- include/net/sock.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index 40bb90ebb2..ac286a3530 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -884,8 +884,7 @@ static inline int sk_filter(struct sock *sk, struct sk_buff *skb) /** * sk_filter_release: Release a socket filter - * @sk: socket - * @fp: filter to remove + * @rcu: rcu_head that contains the sk_filter info to remove * * Remove a filter from a socket and release its resources. */ -- cgit v1.2.2 From 4e8a5201506423e0241202de1349422af4260296 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sun, 22 Oct 2006 21:00:33 -0700 Subject: [PKT_SCHED] netem: Orphan SKB when adding to queue. The networking emulator can queue SKBs for a very long time, so if you're using netem on the sender side for large bandwidth/delay product testing, the SKB socket send queue sizes become artificially larger. Correct this by calling skb_orphan() in netem_enqueue(). Signed-off-by: David S. Miller --- drivers/pci/quirks.c | 4 ++-- net/sched/sch_netem.c | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index e8a7f1b1b2..ecf8e4d6b9 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -1634,7 +1634,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NCR, PCI_DEVICE_ID_NCR_53C810, fixup_rev1 * is marked here since the boot video device will be the only enabled * video device at this point. */ - +#if 0 static void __devinit fixup_video(struct pci_dev *pdev) { struct pci_dev *bridge; 
@@ -1663,7 +1663,7 @@ static void __devinit fixup_video(struct pci_dev *pdev) } } DECLARE_PCI_FIXUP_HEADER(PCI_ANY_ID, PCI_ANY_ID, fixup_video); - +#endif static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f, struct pci_fixup *end) { diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c index 45939bafbd..ef8874babf 100644 --- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c @@ -170,6 +170,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) return NET_XMIT_BYPASS; } + skb_orphan(skb); + /* * If we need to duplicate packet, then re-insert at top of the * qdisc tree, since parent queuer expects that only one -- cgit v1.2.2
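Review bot: The `#if 0`/`#endif` wrapped around fixup_video and its DECLARE_PCI_FIXUP_HEADER line in drivers/pci/quirks.c disables the quirk with no explanation in the code and no mention in the commit message, whose subject and description concern sch_netem only. If the quirk is being disabled on purpose, either delete it or put the reason on the directive, e.g. `#if 0 /* disabled: <reason> */`; if it is an unrelated change swept into this commit, it belongs in its own commit so it can be reverted independently. The body of fixup_video is cut by the hunk boundaries, so its middle is not shown here.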
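Review bot: The `skb_orphan(skb)` added in netem_enqueue is unconditional and silently changes what later code sees: after it `skb->sk` is NULL and the sending socket's send-queue accounting is released before the packet has actually left, which is the intended effect per the commit message but also affects anything downstream of this qdisc that keys on the owning socket. That reasoning lives only in the commit message, so put it at the call: `/* netem may hold skbs for a long time; release the sender's send-queue accounting now so large bandwidth-delay setups don't inflate it (also clears skb->sk) */`. netem_enqueue starts and ends outside the hunk.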