1. 20 Oct, 2011 5 commits
    • David S. Miller's avatar
    • Eric Dumazet's avatar
      ip_gre: dont increase dev->needed_headroom on a live device · 113ab386
      Eric Dumazet authored
      It seems ip_gre is able to change dev->needed_headroom on the fly.
      
      Its is not legal unfortunately and triggers a BUG in raw_sendmsg()
      
      skb = sock_alloc_send_skb(sk, ... + LL_ALLOCATED_SPACE(rt->dst.dev)
      
      < another cpu change dev->needed_headromm (making it bigger)
      
      ...
      skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
      
      We end with LL_RESERVED_SPACE() being bigger than LL_ALLOCATED_SPACE()
      -> we crash later because skb head is exhausted.
      
      Bug introduced in commit 243aad83 in 2.6.34 (ip_gre: include route
      header_len in max_headroom calculation)
      Reported-by: default avatarElmar Vonlanthen <evonlanthen@gmail.com>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      CC: Timo Teräs <timo.teras@iki.fi>
      CC: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      113ab386
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · fd11e153
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Add alignment flag to PCI expansion resources
        sparc: Avoid calling sigprocmask()
        sparc: Use set_current_blocked()
        sparc32,leon: SRMMU MMU Table probe fix
      fd11e153
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 505f48b5
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        fib_rules: fix unresolved_rules counting
        r8169: fix wrong eee setting for rlt8111evl
        r8169: fix driver shutdown WoL regression.
        ehea: Change maintainer to me
        pptp: pptp_rcv_core() misses pskb_may_pull() call
        tproxy: copy transparent flag when creating a time wait
        pptp: fix skb leak in pptp_xmit()
        bonding: use local function pointer of bond->recv_probe in bond_handle_frame
        smsc911x: Add support for SMSC LAN89218
        tg3: negate USE_PHYLIB flag check
        netconsole: enable netconsole can make net_device refcnt incorrent
        bluetooth: Properly clone LSM attributes to newly created child connections
        l2tp: fix a potential skb leak in l2tp_xmit_skb()
        bridge: fix hang on removal of bridge via netlink
        x25: Prevent skb overreads when checking call user data
        x25: Handle undersized/fragmented skbs
        x25: Validate incoming call user data lengths
        udplite: fast-path computation of checksum coverage
        IPVS netns shutdown/startup dead-lock
        netfilter: nf_conntrack: fix event flooding in GRE protocol tracker
      505f48b5
    • Hugh Dickins's avatar
      mm: fix race between mremap and removing migration entry · 486cf46f
      Hugh Dickins authored
      I don't usually pay much attention to the stale "? " addresses in
      stack backtraces, but this lucky report from Pawel Sikora hints that
      mremap's move_ptes() has inadequate locking against page migration.
      
       3.0 BUG_ON(!PageLocked(p)) in migration_entry_to_page():
       kernel BUG at include/linux/swapops.h:105!
       RIP: 0010:[<ffffffff81127b76>]  [<ffffffff81127b76>]
                             migration_entry_wait+0x156/0x160
        [<ffffffff811016a1>] handle_pte_fault+0xae1/0xaf0
        [<ffffffff810feee2>] ? __pte_alloc+0x42/0x120
        [<ffffffff8112c26b>] ? do_huge_pmd_anonymous_page+0xab/0x310
        [<ffffffff81102a31>] handle_mm_fault+0x181/0x310
        [<ffffffff81106097>] ? vma_adjust+0x537/0x570
        [<ffffffff81424bed>] do_page_fault+0x11d/0x4e0
        [<ffffffff81109a05>] ? do_mremap+0x2d5/0x570
        [<ffffffff81421d5f>] page_fault+0x1f/0x30
      
      mremap's down_write of mmap_sem, together with i_mmap_mutex or lock,
      and pagetable locks, were good enough before page migration (with its
      requirement that every migration entry be found) came in, and enough
      while migration always held mmap_sem; but not enough nowadays, when
      there's memory hotremove and compaction.
      
      The danger is that move_ptes() lets a migration entry dodge around
      behind remove_migration_pte()'s back, so it's in the old location when
      looking at the new, then in the new location when looking at the old.
      
      Either mremap's move_ptes() must additionally take anon_vma lock(), or
      migration's remove_migration_pte() must stop peeking for is_swap_entry()
      before it takes pagetable lock.
      
      Consensus chooses the latter: we prefer to add overhead to migration
      than to mremapping, which gets used by JVMs and by exec stack setup.
      Reported-and-tested-by: default avatarPaweł Sikora <pluto@agmk.net>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      486cf46f
  2. 19 Oct, 2011 19 commits
  3. 18 Oct, 2011 8 commits
  4. 17 Oct, 2011 6 commits
  5. 16 Oct, 2011 1 commit
  6. 15 Oct, 2011 1 commit