summaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'master' of ↵David S. Miller2009-07-2310-20/+43
|\ | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/iwmc3200wifi/netdev.c net/wireless/scan.c
| * cfg80211: double free in __cfg80211_scan_doneChristian Lamparter2009-07-211-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [<ffffffff810da9f4>] print_trailer+0x14e/0x16e [<ffffffff810daa56>] object_err+0x42/0x61 [<ffffffff810dbcd9>] __slab_free+0x2af/0x396 [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffff810dd5e3>] kfree+0x13c/0x17a [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211] [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * nl80211: Memory leak fixedNiko Jokinen2009-07-211-2/+3
| | | | | | | | | | | | | | | | Potential memory leak via msg pointer in nl80211_get_key() function. Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: use correct address for mesh Path ErrorJavier Cardona2009-07-211-3/+5
| | | | | | | | | | | | | | | | | | | | For forwarded frames, we save the precursor address in addr1 in case it needs to be used to send a Path Error. mesh_path_discard_frame, however, was using addr2 instead of addr1 to send Path Error frames, so correct that and also make the comment regarding this more clear. Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * rfkill: fix rfkill_set_states() to set the hw stateAlan Jenkins2009-07-211-0/+4
| | | | | | | | | | | | | | | | | | | | The point of this function is to set the software and hardware state at the same time. When I tried to use it, I found it was only setting the software state. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix injection in monitor modePavel Roskin2009-07-211-1/+1
| | | | | | | | | | | | | | | | The location of the 802.11 header is calculated incorrectly due to a wrong placement of parentheses. Found by kmemcheck. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * rfkill: allow toggling soft state in sysfs againJohannes Berg2009-07-211-8/+19
| | | | | | | | | | | | | | | | | | | | | | | | Apparently there actually _are_ tools that try to set this in sysfs even though it wasn't supposed to be used this way without claiming first. Guess what: now that I've cleaned it all up it doesn't matter and we can simply allow setting the soft-block state in sysfs. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Tested-By: Darren Salt <linux@youmustbejoking.demon.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: disable meshJohannes Berg2009-07-212-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My kvm instance was complaining a lot about sleeping in atomic contexts in the mesh code, and it turns out that both mesh_path_add() and mpp_path_add() need to be able to sleep (they even use synchronize_rcu()!). I put in a might_sleep() to annotate that, but I see no way, at least right now, of actually making sure those functions are only called from process context since they are both called during TX and RX and the mesh code itself even calls them with rcu_read_lock() "held". Therefore, let's disable it completely for now. It's possible that I'm only seeing this because the hwsim's beaconing is broken and thus the peers aren't discovered right away, but it is possible that this happens even if beaconing is working, for a peer that doesn't exist or so. It should be possible to solve this by deferring the freeing of the tables to call_rcu() instead of using synchronize_rcu(), and also using atomic allocations, but maybe it makes more sense to rework the code to not call these from atomic contexts and defer more of the work to the workqueue. Right now, I can't work on either of those solutions though. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * Fix error return for setsockopt(SO_TIMESTAMPING)Rémi Denis-Courmont2009-07-201-1/+1
| | | | | | | | | | | | | | | | I guess it should be -EINVAL rather than EINVAL. I have not checked when the bug came in. Perhaps a candidate for -stable? Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * tcp: Use correct peer adr when copying MD5 keysJohn Dykstra2009-07-202-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | When the TCP connection handshake completes on the passive side, a variety of state must be set up in the "child" sock, including the key if MD5 authentication is being used. Fix TCP for both address families to label the key with the peer's destination address, rather than the address from the listening sock, which is usually the wildcard. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * tcp: Fix MD5 signature checking on IPv4 mapped socketsJohn Dykstra2009-07-203-1/+3
| | | | | | | | | | | | | | | | | | | | | | Fix MD5 signature checking so that an IPv4 active open to an IPv6 socket can succeed. In particular, use the correct address family's signature generation function for the SYN/ACK. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | TCP: Add comments to (near) all functions in tcp_output.c v3Andi Kleen2009-07-231-14/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While looking for something else I spent some time adding one liner comments to the tcp_output.c functions that didn't have any. That makes the comments more consistent. I hope I documented everything right. No code changes. v2: Incorporated feedback from Ilpo. v3: Change style of one liner comments, add a few more comments. Signed-off-by: Andi Kleen <ak@linux.intel.com> Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
* | af_packet: style cleanupsEric Dumazet2009-07-231-124/+122
| | | | | | | | | | | | | | Some style cleanups to match current code practices. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Phonet: dropped datagrams accountingRémi Denis-Courmont2009-07-231-1/+4
| | | | | | | | | | | | | | The per-socket drop count is visible via /proc/net/phonet. Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Phonet: account for dropped RX packetsRémi Denis-Courmont2009-07-231-1/+6
| | | | | | | | | | Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Phonet: sockets list through proc_fsRémi Denis-Courmont2009-07-232-0/+103
| | | | | | | | | | | | | | | | This provides a list of sockets with their Phonet bind addresses and some socket debug informations through /proc/net/phonet. Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | mcastv6: Local variable shadows function argumentGerrit Renker2009-07-211-1/+0
| | | | | | | | | | | | | | | | | | | | The local variable 'idev' shadows the function argument 'idev' to ip6_mc_add_src(). Fixed by removing the local declaration, as pmc->idev should be identical with 'idev' passed as argument. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS: Refactor end of __conn_create for readabilityAndy Grover2009-07-201-17/+31
| | | | | | | | | | | | | | | | | | Add a comment for what's going on. Remove negative logic. I find this much easier to understand quickly, although there are a few lines duplicated. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IW: Remove dead codeAndy Grover2009-07-201-9/+4
| | | | | | | | | | | | | | In iWARP code, node_type will always be RNIC Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IW: Remove page_shift variable from iwarp transportAndy Grover2009-07-204-22/+11
| | | | | | | | | | | | | | | | | | The existing code treated page_shift as a variable, when in fact we always want to have the fastreg page size be the same as the arch's page size -- and it is, so this doesn't need to be a variable. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Always use PAGE_SIZE for FMR page sizeAndy Grover2009-07-203-12/+6
| | | | | | | | | | | | | | | | | | While FMRs allow significant flexibility in what size of pages they can use, we really just want FMR pages to match CPU page size. Roland says we can count on this always being supported, so this simplifies things. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS: Fix completion notifications on blocking socketsAndy Grover2009-07-201-11/+13
| | | | | | | | | | | | | | | | Completion or congestion notifications were not being checked if the socket went to sleep. This patch fixes that. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Drop connection when a fatal QP event is receivedAndy Grover2009-07-201-3/+3
| | | | | | | | | | Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Disable flow control in sysctl and explain whyAndy Grover2009-07-201-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | Backwards compatibility with rds 3.0 causes protocol- based flow control to be disabled as a side-effect. I don't want to pull out FC support from the IB transport but I do want to document and keep the sysctl consistent if possible. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Move tx/rx ring init and refill to laterAndy Grover2009-07-201-6/+12
| | | | | | | | | | | | | | | | | | Since RDS 3.0 and 3.1 have different packet formats, we need to wait until after protocol negotiation is complete to layout the rx buffers. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS: Don't set c_version in __rds_conn_create()Andy Grover2009-07-201-1/+0
| | | | | | | | | | | | | | | | Protocol negotiation is logically a property of the transports, so rds core need not set it. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Rename byte_len to data_len to enhance readabilityAndy Grover2009-07-201-6/+6
| | | | | | | | | | | | | | | | Of course len is in bytes. Calling it data_len hopefully indicates a little better what the variable is actually for. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/RDMA: Fix cut-n-paste errors in printks in rdma_transport.cAndy Grover2009-07-201-4/+4
| | | | | | | | | | Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Fix printk to indicate remote IP, not localAndy Grover2009-07-201-1/+1
| | | | | | | | | | Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Handle connections using RDS 3.0 wire protocolAndy Grover2009-07-203-6/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The big differences between RDS 3.0 and 3.1 are protocol-level flow control, and with 3.1 the header is in front of the data. The header always ends up in the header buffer, and the data goes in the data page. In 3.0 our "header" is a trailer, and will end up either in the data page, the header buffer, or split across the two. Since 3.1 is backwards- compatible with 3.0, we need to continue to support these cases. This patch does that -- if using RDS 3.0 wire protocol, it will copy the header from wherever it ended up into the header buffer. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS/IB: Improve RDS protocol version checkingAndy Grover2009-07-201-6/+19
| | | | | | | | | | | | | | | | | | RDS on IB uses privdata to do protocol version negotiation. Apparently the IB stack will return a larger privdata buffer than the struct we were expecting. Just to be extra-sure, this patch adds some checks in this area. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | RDS: Set retry_count to 2 and make modifiable via modparamAndy Grover2009-07-203-1/+7
| | | | | | | | | | | | | | | | This will be default cause IB connections to failover faster, but allow a longer retry count to be used if desired. Signed-off-by: Andy Grover <andy.grover@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv4: fib_trie: Use tnode_get_child_rcu() and node_parent_rcu() in lookupsJarek Poplawski2009-07-201-3/+3
| | | | | | | | | | | | | | | | | | While looking for other fib_trie problems reported by Pawel Staszewski I noticed there are a few uses of tnode_get_child() and node_parent() in lookups instead of their rcu versions. Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv4: Fix inflate_threshold_root automaticallyJarek Poplawski2009-07-201-7/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During large updates there could be triggered warnings like: "Fix inflate_threshold_root. Now=25 size=11 bits" if inflate() of the root node isn't finished in 10 loops. It should be much rarer now, after changing the threshold from 15 to 25, and a temporary problem, so this patch tries to handle it automatically using a fix variable to increase by one inflate threshold for next root resizes (up to the 35 limit, max fix = 10). The fix variable is decreased when root's inflate() finishes below 7 loops (even if some other, smaller table/ trie is updated -- for simplicity the fix variable is global for now). Reported-by: Pawel Staszewski <pstaszewski@itcare.pl> Reported-by: Jorge Boncompte [DTI2] <jorge@dti2.net> Tested-by: Pawel Staszewski <pstaszewski@itcare.pl> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv4: Use synchronize_rcu() during trie_rebalance()Jarek Poplawski2009-07-201-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During trie_rebalance() we free memory after resizing with call_rcu(), but large updates, especially with PREEMPT_NONE configs, can cause memory stresses, so this patch calls synchronize_rcu() in tnode_free_flush() after each sync_pages to guarantee such freeing (especially before resizing the root node). The value of sync_pages = 128 is based on Pawel Staszewski's tests as the lowest which doesn't hinder updating times. (For testing purposes there was a sysfs module parameter to change it on demand, but it's removed until we're sure it could be really useful.) The patch is based on suggestions by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Reported-by: Pawel Staszewski <pstaszewski@itcare.pl> Tested-by: Pawel Staszewski <pstaszewski@itcare.pl> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | vlan: Propagate physical MTU changesHerbert Xu2009-07-201-0/+13
| | | | | | | | | | | | | | | | | | When the physical MTU changes we want to ensure that all existing VLAN device MTUs do not exceed the new underlying MTU. This patch adds that propagation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | udp: cleanupsEric Dumazet2009-07-171-44/+43
| | | | | | | | | | | | | | Pure style cleanups. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2009-07-169-13/+67
|\| | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/orinoco/main.c
| * net: sock_copy() fixesEric Dumazet2009-07-161-2/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit e912b1142be8f1e2c71c71001dc992c6e5eb2ec1 (net: sk_prot_alloc() should not blindly overwrite memory) took care of not zeroing whole new socket at allocation time. sock_copy() is another spot where we should be very careful. We should not set refcnt to a non null value, until we are sure other fields are correctly setup, or a lockless reader could catch this socket by mistake, while not fully (re)initialized. This patch puts sk_node & sk_refcnt to the very beginning of struct sock to ease sock_copy() & sk_prot_alloc() job. We add appropriate smp_wmb() before sk_refcnt initializations to match our RCU requirements (changes to sock keys should be committed to memory before sk_refcnt setting) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'master' of ↵David S. Miller2009-07-162-5/+21
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
| | * netfilter: nf_conntrack: nf_conntrack_alloc() fixesEric Dumazet2009-07-161-3/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating objects, since slab allocator could give a freed object still used by lockless readers. In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next being always valid (ie containing a valid 'nulls' value, or a valid pointer to next object in hash chain.) kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid for ct->tuplehash[xxx].hnnode.next. Fix is to call kmem_cache_alloc() and do the zeroing ourself. As spotted by Patrick, we also need to make sure lookup keys are committed to memory before setting refcount to 1, or a lockless reader could get a reference on the old version of the object. Its key re-check could then pass the barrier. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * netfilter: xt_osf: fix nf_log_packet() argumentsPatrick McHardy2009-07-161-2/+3
| | | | | | | | | | | | | | | | | | | | | The first argument is the address family, the second one the hook number. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | net/can: add module alias to can protocol driversLothar Waßmann2009-07-152-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Add appropriate MODULE_ALIAS() to facilitate autoloading of can protocol drivers Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net/can bugfix: use after free bug in can protocol driversLothar Waßmann2009-07-152-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a use after free bug in can protocol drivers The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances. This patch fixes a bug reported here: https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | gre: fix ToS/DiffServ inherit bugAndreas Jaggi2009-07-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes two bugs: - ToS/DiffServ inheritance was unintentionally activated when using impair fixed ToS values - ECN bit was lost during ToS/DiffServ inheritance Signed-off-by: Andreas Jaggi <aj@open.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | sit: fix regression: do not release skb->dst before xmitSascha Hlusiak2009-07-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sit module makes use of skb->dst in it's xmit function, so since 93f154b594fe47 ("net: release dst entry in dev_hard_start_xmit()") sit tunnels are broken, because the flag IFF_XMIT_DST_RELEASE is not unset. This patch unsets that flag for sit devices to fix this regression. Signed-off-by: Sascha Hlusiak <contact@saschahlusiak.de> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net: ip_push_pending_frames() fixEric Dumazet2009-07-112-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) we do not take any more references on sk->sk_refcnt on outgoing packets. I forgot to delete two __sock_put() from ip_push_pending_frames() and ip6_push_pending_frames(). Reported-by: Emil S Tantilov <emils.tantilov@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Emil S Tantilov <emils.tantilov@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net: sk_prot_alloc() should not blindly overwrite memoryEric Dumazet2009-07-111-2/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some sockets use SLAB_DESTROY_BY_RCU, and our RCU code correctness depends on sk->sk_nulls_node.next being always valid. A NULL value is not allowed as it might fault a lockless reader. Current sk_prot_alloc() implementation doesnt respect this hypothesis, calling kmem_cache_alloc() with __GFP_ZERO. Just call memset() around the forbidden field. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | net/compat/wext: send different messages to compat tasksJohannes Berg2009-07-154-3/+148
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Wireless extensions have the unfortunate problem that events are multicast netlink messages, and are not independent of pointer size. Thus, currently 32-bit tasks on 64-bit platforms cannot properly receive events and fail with all kinds of strange problems, for instance wpa_supplicant never notices disassociations, due to the way the 64-bit event looks (to a 32-bit process), the fact that the address is all zeroes is lost, it thinks instead it is 00:00:00:00:01:00. The same problem existed with the ioctls, until David Miller fixed those some time ago in an heroic effort. A different problem caused by this is that we cannot send the ASSOCREQIE/ASSOCRESPIE events because sending them causes a 32-bit wpa_supplicant on a 64-bit system to overwrite its internal information, which is worse than it not getting the information at all -- so we currently resort to sending a custom string event that it then parses. This, however, has a severe size limitation we are frequently hitting with modern access points; this limitation would can be lifted after this patch by sending the correct binary, not custom, event. A similar problem apparently happens for some other netlink users on x86_64 with 32-bit tasks due to the alignment for 64-bit quantities. In order to fix these problems, I have implemented a way to send compat messages to tasks. When sending an event, we send the non-compat event data together with a compat event data in skb_shinfo(main_skb)->frag_list. Then, when the event is read from the socket, the netlink code makes sure to pass out only the skb that is compatible with the task. This approach was suggested by David Miller, my original approach required always sending two skbs but that had various small problems. To determine whether compat is needed or not, I have used the MSG_CMSG_COMPAT flag, and adjusted the call path for recv and recvfrom to include it, even if those calls do not have a cmsg parameter. I have not solved one small part of the problem, and I don't think it is necessary to: if a 32-bit application uses read() rather than any form of recvmsg() it will still get the wrong (64-bit) event. However, neither do applications actually do this, nor would it be a regression. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | wext: optimise, comment and fix event sendingJohannes Berg2009-07-151-57/+57
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current function for sending events first allocates the event stream buffer, and then an skb to copy the event stream into. This can be done in one go. Also, the current function leaks kernel data to userspace in a 4 uninitialised bytes, initialise those explicitly. Finally also add a few useful comments, as opposed to the current comments. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: David S. Miller <davem@davemloft.net>