From: Chris Wright Date: Mon, 30 Mar 2009 22:25:49 +0000 (-0700) Subject: start 2.6.29 queue w/ networking patches X-Git-Tag: v2.6.29.1~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bca9db30636caa93bd32b617de8c0484c7d15b83;p=thirdparty%2Fkernel%2Fstable-queue.git start 2.6.29 queue w/ networking patches --- diff --git a/queue-2.6.29/bridge-bad-error-handling-when-adding-invalid-ether-address.patch b/queue-2.6.29/bridge-bad-error-handling-when-adding-invalid-ether-address.patch new file mode 100644 index 00000000000..156ce5232ea --- /dev/null +++ b/queue-2.6.29/bridge-bad-error-handling-when-adding-invalid-ether-address.patch @@ -0,0 +1,32 @@ +From bb7db9596efa82e48a7885227c6b30a4149261cb Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Wed, 25 Mar 2009 21:01:47 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: bridge: bad error handling when adding invalid ether address + +[ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ] + +This fixes an crash when empty bond device is added to a bridge. +If an interface with invalid ethernet address (all zero) is added +to a bridge, then bridge code detects it when setting up the forward +databas entry. But the error unwind is broken, the bridge port object +can get freed twice: once when ref count went to zeo, and once by kfree. +Since object is never really accessible, just free it. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/bridge/br_if.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -426,7 +426,6 @@ err2: + err1: + kobject_del(&p->kobj); + err0: +- kobject_put(&p->kobj); + dev_set_promiscuity(dev, -1); + put_back: + dev_put(dev); diff --git a/queue-2.6.29/dnet-drivers-net-dnet.c-needs-linux-io.h.patch b/queue-2.6.29/dnet-drivers-net-dnet.c-needs-linux-io.h.patch new file mode 100644 index 00000000000..d04609410ce --- /dev/null +++ b/queue-2.6.29/dnet-drivers-net-dnet.c-needs-linux-io.h.patch @@ -0,0 +1,34 @@ +From bd4229ab9335537d61a546d9dd4209846c71d353 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Tue, 24 Mar 2009 13:19:50 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: dnet: drivers/net/dnet.c needs + +[ Upstream commit 142071b83426674ef2dab98cf2a6627328d0988e ] + +On m68k: +| drivers/net/dnet.c: In function 'dnet_readw_mac': +| drivers/net/dnet.c:36: error: implicit declaration of function 'writel' +| drivers/net/dnet.c:43: error: implicit declaration of function 'readl' +| drivers/net/dnet.c: In function 'dnet_probe': +| drivers/net/dnet.c:873: error: implicit declaration of function 'ioremap' +| drivers/net/dnet.c:873: warning: assignment makes pointer from integer without a cast +| drivers/net/dnet.c:939: error: implicit declaration of function 'iounmap' + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + drivers/net/dnet.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dnet.c ++++ b/drivers/net/dnet.c +@@ -9,6 +9,7 @@ + * published by the Free Software Foundation. + */ + #include ++#include + #include + #include + #include diff --git a/queue-2.6.29/gro-disable-gro-on-legacy-netif_rx-path.patch b/queue-2.6.29/gro-disable-gro-on-legacy-netif_rx-path.patch new file mode 100644 index 00000000000..b0916447b5e --- /dev/null +++ b/queue-2.6.29/gro-disable-gro-on-legacy-netif_rx-path.patch @@ -0,0 +1,52 @@ +From f87cdb4e0c4dbafa9b70615962e9adb1eba54dbb Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 26 Mar 2009 00:59:10 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: GRO: Disable GRO on legacy netif_rx path + +[ Upstream commit 8f1ead2d1a626ed0c85b3d2c2046a49081d5933f ] + +When I fixed the GRO crash in the legacy receive path I used +napi_complete to replace __napi_complete. Unfortunately they're +not the same when NETPOLL is enabled, which may result in us +not calling __napi_complete at all. + +What's more, we really do need to keep the __napi_complete call +within the IRQ-off section since in theory an IRQ can occur in +between and fill up the backlog to the maximum, causing us to +lock up. + +Since we can't seem to find a fix that works properly right now, +this patch reverts all the GRO support from the netif_rx path. + +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/core/dev.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2588,18 +2588,15 @@ static int process_backlog(struct napi_s + local_irq_disable(); + skb = __skb_dequeue(&queue->input_pkt_queue); + if (!skb) { ++ __napi_complete(napi); + local_irq_enable(); +- napi_complete(napi); +- goto out; ++ break; + } + local_irq_enable(); + +- napi_gro_receive(napi, skb); ++ netif_receive_skb(skb); + } while (++work < quota && jiffies == start_time); + +- napi_gro_flush(napi); +- +-out: + return work; + } + diff --git a/queue-2.6.29/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch b/queue-2.6.29/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch new file mode 100644 index 00000000000..9869fc38807 --- /dev/null +++ b/queue-2.6.29/ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch @@ -0,0 +1,51 @@ +From 503a280284037d56362928d903f3076d2b0a19e6 Mon Sep 17 00:00:00 2001 +From: Jesper Nilsson +Date: Fri, 27 Mar 2009 00:17:45 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c) + +[ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ] + +Commit 778d80be52699596bf70e0eb0761cf5e1e46088d +(ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface) +seems to have introduced a leak of sk_buff's for ipv6 traffic, +at least in some configurations where idev is NULL, or when ipv6 +is disabled via sysctl. + +The problem is that if the first condition of the if-statement +returns non-NULL, it returns an skb with only one reference, +and when the other conditions apply, execution jumps to the "out" +label, which does not call kfree_skb for it. + +To plug this leak, change to use the "drop" label instead. +(this relies on it being ok to call kfree_skb on NULL) +This also allows us to avoid calling rcu_read_unlock here, +and removes the only user of the "out" label. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/ipv6/ip6_input.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -75,8 +75,7 @@ int ipv6_rcv(struct sk_buff *skb, struct + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL || + !idev || unlikely(idev->cnf.disable_ipv6)) { + IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INDISCARDS); +- rcu_read_unlock(); +- goto out; ++ goto drop; + } + + memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); +@@ -147,7 +146,6 @@ err: + drop: + rcu_read_unlock(); + kfree_skb(skb); +-out: + return 0; + } + diff --git a/queue-2.6.29/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch b/queue-2.6.29/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch new file mode 100644 index 00000000000..127b7c74df4 --- /dev/null +++ b/queue-2.6.29/netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch @@ -0,0 +1,41 @@ +From 7f9cc0663adb4761a014aa2e63ca4f78ae1f7634 Mon Sep 17 00:00:00 2001 +From: Mark H. Weaver +Date: Mon, 23 Mar 2009 13:46:12 +0100 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack + +[ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ] + +This patch fixes an unaligned memory access in tcp_sack while reading +sequence numbers from TCP selective acknowledgement options. Prior to +applying this patch, upstream linux-2.6.27.20 was occasionally +generating messages like this on my sparc64 system: + + [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00 + +Acked-by: David S. Miller +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright +--- + net/netfilter/nf_conntrack_proto_tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + +@@ -466,7 +467,7 @@ static void tcp_sack(const struct sk_buf + for (i = 0; + i < (opsize - TCPOLEN_SACK_BASE); + i += TCPOLEN_SACK_PERBLOCK) { +- tmp = ntohl(*((__be32 *)(ptr+i)+1)); ++ tmp = get_unaligned_be32((__be32 *)(ptr+i)+1); + + if (after(tmp, *sack)) + *sack = tmp; diff --git a/queue-2.6.29/series b/queue-2.6.29/series new file mode 100644 index 00000000000..8f51912716d --- /dev/null +++ b/queue-2.6.29/series @@ -0,0 +1,7 @@ +netfilter-nf_conntrack_tcp-fix-unaligned-memory-access-in-tcp_sack.patch +udp-wrong-locking-code-in-udp-seq_file-infrastructure.patch +dnet-drivers-net-dnet.c-needs-linux-io.h.patch +bridge-bad-error-handling-when-adding-invalid-ether-address.patch +gro-disable-gro-on-legacy-netif_rx-path.patch +ipv6-plug-sk_buff-leak-in-ipv6_rcv.patch +xfrm-spin_lock-should-be-spin_unlock-in-xfrm_state.c.patch diff --git a/queue-2.6.29/udp-wrong-locking-code-in-udp-seq_file-infrastructure.patch b/queue-2.6.29/udp-wrong-locking-code-in-udp-seq_file-infrastructure.patch new file mode 100644 index 00000000000..c3346055598 --- /dev/null +++ b/queue-2.6.29/udp-wrong-locking-code-in-udp-seq_file-infrastructure.patch @@ -0,0 +1,92 @@ +From fd47bcf3f446518abd8170ef658f1ae676f5e41a Mon Sep 17 00:00:00 2001 +From: Vitaly Mayatskikh +Date: Mon, 23 Mar 2009 15:22:33 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: udp: Wrong locking code in udp seq_file infrastructure + +[ Upstream commit 30842f2989aacfaba3ccb39829b3417be9313dbe ] + +Reading zero bytes from /proc/net/udp or other similar files which use +the same seq_file udp infrastructure panics kernel in that way: + +===================================== +[ BUG: bad unlock balance detected! ] +------------------------------------- +read/1985 is trying to release lock (&table->hash[i].lock) at: +[] udp_seq_stop+0x27/0x29 +but there are no more locks to release! + +other info that might help us debug this: +1 lock held by read/1985: + #0: (&p->lock){--..}, at: [] seq_read+0x38/0x348 + +stack backtrace: +Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9 +Call Trace: + [] ? udp_seq_stop+0x27/0x29 + [] print_unlock_inbalance_bug+0xd6/0xe1 + [] lock_release_non_nested+0x9e/0x1c6 + [] ? seq_read+0xb2/0x348 + [] ? mark_held_locks+0x68/0x86 + [] ? udp_seq_stop+0x27/0x29 + [] lock_release+0x15d/0x189 + [] _spin_unlock_bh+0x1e/0x34 + [] udp_seq_stop+0x27/0x29 + [] seq_read+0x2bb/0x348 + [] ? seq_read+0x0/0x348 + [] proc_reg_read+0x90/0xaf + [] vfs_read+0xa6/0x103 + [] ? trace_hardirqs_on_caller+0x12f/0x153 + [] sys_read+0x45/0x69 + [] system_call_fastpath+0x16/0x1b +BUG: scheduling while atomic: read/1985/0xffffff00 +INFO: lockdep is turned off. +Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table dm_multipath kvm ppdev snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event arc4 snd_s +eq ecb thinkpad_acpi snd_seq_device iwl3945 hwmon sdhci_pci snd_pcm_oss sdhci rfkill mmc_core snd_mixer_oss i2c_i801 mac80211 yenta_socket ricoh_mmc i2c_core iTCO_wdt snd_pcm iTCO_vendor_support rs +rc_nonstatic snd_timer snd lib80211 cfg80211 soundcore snd_page_alloc video parport_pc output parport e1000e [last unloaded: scsi_wait_scan] +Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9 +Call Trace: + [] ? __debug_show_held_locks+0x1b/0x24 + [] __schedule_bug+0x7e/0x83 + [] schedule+0xce/0x838 + [] ? fsnotify_access+0x5f/0x67 + [] ? sysret_careful+0xb/0x37 + [] ? trace_hardirqs_on_caller+0x1f/0x153 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] sysret_careful+0x31/0x37 +read[1985]: segfault at 7fffc479bfe8 ip 0000003e7420a180 sp 00007fffc479bfa0 error 6 +Kernel panic - not syncing: Aiee, killing interrupt handler! + +udp_seq_stop() tries to unlock not yet locked spinlock. The lock was lost +during splitting global udp_hash_lock to subsequent spinlocks. + +Signed-off by: Vitaly Mayatskikh +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/ipv4/udp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1614,7 +1614,8 @@ static struct sock *udp_get_next(struct + } while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family)); + + if (!sk) { +- spin_unlock_bh(&state->udp_table->hash[state->bucket].lock); ++ if (state->bucket < UDP_HTABLE_SIZE) ++ spin_unlock_bh(&state->udp_table->hash[state->bucket].lock); + return udp_get_first(seq, state->bucket + 1); + } + return sk; +@@ -1632,6 +1633,9 @@ static struct sock *udp_get_idx(struct s + + static void *udp_seq_start(struct seq_file *seq, loff_t *pos) + { ++ struct udp_iter_state *state = seq->private; ++ state->bucket = UDP_HTABLE_SIZE; ++ + return *pos ? udp_get_idx(seq, *pos-1) : SEQ_START_TOKEN; + } + diff --git a/queue-2.6.29/xfrm-spin_lock-should-be-spin_unlock-in-xfrm_state.c.patch b/queue-2.6.29/xfrm-spin_lock-should-be-spin_unlock-in-xfrm_state.c.patch new file mode 100644 index 00000000000..00fcee44ce0 --- /dev/null +++ b/queue-2.6.29/xfrm-spin_lock-should-be-spin_unlock-in-xfrm_state.c.patch @@ -0,0 +1,33 @@ +From d296222e9e943b64cc64ed0c471211b34365ee33 Mon Sep 17 00:00:00 2001 +From: Chuck Ebbert +Date: Fri, 27 Mar 2009 00:22:01 -0700 +Message-Id: <20090327.193504.160753551.davem@davemloft.net> +Subject: xfrm: spin_lock() should be spin_unlock() in xfrm_state.c + +[ Upstream commit 7d0b591c655ca0d72ebcbd242cf659a20a8995c5 ] + +spin_lock() should be spin_unlock() in xfrm_state_walk_done(). + +caused by: +commit 12a169e7d8f4b1c95252d8b04ed0f1033ed7cfe2 +"ipsec: Put dumpers on the dump list" + +Reported-by: Marc Milgram +Signed-off-by: Chuck Ebbert +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1615,7 +1615,7 @@ void xfrm_state_walk_done(struct xfrm_st + + spin_lock_bh(&xfrm_state_lock); + list_del(&walk->all); +- spin_lock_bh(&xfrm_state_lock); ++ spin_unlock_bh(&xfrm_state_lock); + } + EXPORT_SYMBOL(xfrm_state_walk_done); +