1. 03 May, 2010 11 commits
  2. 02 May, 2010 3 commits
  3. 01 May, 2010 2 commits
    • Eric Dumazet's avatar
      net: sock_def_readable() and friends RCU conversion · 43815482
      Eric Dumazet authored
      sk_callback_lock rwlock actually protects sk->sk_sleep pointer, so we
      need two atomic operations (and associated dirtying) per incoming
      packet.
      
      RCU conversion is pretty much needed :
      
      1) Add a new structure, called "struct socket_wq" to hold all fields
      that will need rcu_read_lock() protection (currently: a
      wait_queue_head_t and a struct fasync_struct pointer).
      
      [Future patch will add a list anchor for wakeup coalescing]
      
      2) Attach one of such structure to each "struct socket" created in
      sock_alloc_inode().
      
      3) Respect RCU grace period when freeing a "struct socket_wq"
      
      4) Change sk_sleep pointer in "struct sock" by sk_wq, pointer to "struct
      socket_wq"
      
      5) Change sk_sleep() function to use new sk->sk_wq instead of
      sk->sk_sleep
      
      6) Change sk_has_sleeper() to wq_has_sleeper() that must be used inside
      a rcu_read_lock() section.
      
      7) Change all sk_has_sleeper() callers to :
        - Use rcu_read_lock() instead of read_lock(&sk->sk_callback_lock)
        - Use wq_has_sleeper() to eventually wakeup tasks.
        - Use rcu_read_unlock() instead of read_unlock(&sk->sk_callback_lock)
      
      8) sock_wake_async() is modified to use rcu protection as well.
      
      9) Exceptions :
        macvtap, drivers/net/tun.c, af_unix use integrated "struct socket_wq"
      instead of dynamically allocated ones. They dont need rcu freeing.
      
      Some cleanups or followups are probably needed, (possible
      sk_callback_lock conversion to a spinlock for example...).
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43815482
    • Elina Pasheva's avatar
      net/usb: remove default in Kconfig for sierra_net driver · 2fdc45c7
      Elina Pasheva authored
      The following patch removes the default from the Kconfig entry for sierra_net
      driver as recommended.
      Signed-off-by: default avatarElina Pasheva <epasheva@sierrawireless.com>
      Signed-off-by: default avatarRory Filer <rfiler@sierrawireless.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fdc45c7
  4. 30 Apr, 2010 8 commits
  5. 28 Apr, 2010 16 commits
    • Eric Dumazet's avatar
      net: ip_queue_rcv_skb() helper · f84af32c
      Eric Dumazet authored
      When queueing a skb to socket, we can immediately release its dst if
      target socket do not use IP_CMSG_PKTINFO.
      
      tcp_data_queue() can drop dst too.
      
      This to benefit from a hot cache line and avoid the receiver, possibly
      on another cpu, to dirty this cache line himself.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f84af32c
    • Eric Dumazet's avatar
      net: speedup udp receive path · 4b0b72f7
      Eric Dumazet authored
      Since commit 95766fff ([UDP]: Add memory accounting.), 
      each received packet needs one extra sock_lock()/sock_release() pair.
      
      This added latency because of possible backlog handling. Then later,
      ticket spinlocks added yet another latency source in case of DDOS.
      
      This patch introduces lock_sock_bh() and unlock_sock_bh()
      synchronization primitives, avoiding one atomic operation and backlog
      processing.
      
      skb_free_datagram_locked() uses them instead of full blown
      lock_sock()/release_sock(). skb is orphaned inside locked section for
      proper socket memory reclaim, and finally freed outside of it.
      
      UDP receive path now take the socket spinlock only once.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b0b72f7
    • Sebastian Siewior's avatar
      net/sb1250: register mdio bus in probe · 03f80cc3
      Sebastian Siewior authored
      "ifconfig eth0 up && ifconfig eth0 down" triggers:
      | kobject (a8000000cfa5a480): tried to init an initialized object, something is seriously wrong.
      | Call Trace:
      | [<ffffffff8010aabc>] dump_stack+0x8/0x34
      | [<ffffffff80293128>] kobject_init+0xe8/0xf0
      | [<ffffffff802d922c>] device_initialize+0x2c/0x98
      | [<ffffffff802d9cfc>] device_register+0x14/0x28
      | [<ffffffff80312cd4>] mdiobus_register+0xdc/0x1e0
      | [<ffffffff80314cf0>] sbmac_open+0x58/0x220
      | [<ffffffff803519bc>] __dev_open+0x11c/0x180
      | [<ffffffff8034d578>] __dev_change_flags+0x120/0x180
      | [<ffffffff80351848>] dev_change_flags+0x20/0x78
      | [<ffffffff803a753c>] devinet_ioctl+0x7cc/0x820
      | [<ffffffff80339ac8>] sock_do_ioctl+0x38/0x90
      | [<ffffffff8033a258>] compat_sock_ioctl_trans+0x408/0x1030
      | [<ffffffff8033af30>] compat_sock_ioctl+0xb0/0xd0
      | [<ffffffff80208b08>] compat_sys_ioctl+0xa0/0x18b8
      | [<ffffffff80102f94>] handle_sys+0x114/0x130
      |
      | sb1250-mac-mdio: probed
      
      mdiobus_register() calls device_register() which initializes the kobj of
      the device. mdiobus_unregister() calls only device_del() so we have one
      reference left. That one is leaving with mdiobus_free() which is only
      called on remove.
      Since I don't see any reason why mdiobus_register()/mdiobus_unregister()
      should happen in ->open()/->close() I move them to probe & exit.
      Signed-off-by: default avatarSebastian Andrzej Siewior <sebastian@breakpoint.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      03f80cc3
    • Emil Tantilov's avatar
    • Hauke Mehrtens's avatar
      wireless: Fix merge. · 28b4c3bf
      Hauke Mehrtens authored
      in your merge in 5c01d566 you added "int
      i;" into wl1271_main.c which is unused in that function.
      
      This patch fixes the merge problem:
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28b4c3bf
    • Neil Horman's avatar
      sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4) · 5fa782c2
      Neil Horman authored
      Ok, version 4
      
      Change Notes:
      1) Minor cleanups, from Vlads notes
      
      Summary:
      
      Hey-
      	Recently, it was reported to me that the kernel could oops in the
      following way:
      
      <5> kernel BUG at net/core/skbuff.c:91!
      <5> invalid operand: 0000 [#1]
      <5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
      ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
      vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
      ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
      snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
      pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
      mptbase sd_mod scsi_mod
      <5> CPU:    0
      <5> EIP:    0060:[<c02bff27>]    Not tainted VLI
      <5> EFLAGS: 00010216   (2.6.9-89.0.25.EL)
      <5> EIP is at skb_over_panic+0x1f/0x2d
      <5> eax: 0000002c   ebx: c033f461   ecx: c0357d96   edx: c040fd44
      <5> esi: c033f461   edi: df653280   ebp: 00000000   esp: c040fd40
      <5> ds: 007b   es: 007b   ss: 0068
      <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
      <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
      e0c2947d
      <5>        00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
      df653490
      <5>        00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
      00000004
      <5> Call Trace:
      <5>  [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
      <5>  [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
      <5>  [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
      <5>  [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
      <5>  [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
      <5>  [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
      <5>  [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
      <5>  [<c01555a4>] cache_grow+0x140/0x233
      <5>  [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
      <5>  [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
      <5>  [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
      <5>  [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
      <5>  [<c02d005e>] nf_iterate+0x40/0x81
      <5>  [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
      <5>  [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
      <5>  [<c02d0362>] nf_hook_slow+0x83/0xb5
      <5>  [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
      <5>  [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
      <5>  [<c02e103e>] ip_rcv+0x334/0x3b4
      <5>  [<c02c66fd>] netif_receive_skb+0x320/0x35b
      <5>  [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
      <5>  [<c02c67a4>] process_backlog+0x6c/0xd9
      <5>  [<c02c690f>] net_rx_action+0xfe/0x1f8
      <5>  [<c012a7b1>] __do_softirq+0x35/0x79
      <5>  [<c0107efb>] handle_IRQ_event+0x0/0x4f
      <5>  [<c01094de>] do_softirq+0x46/0x4d
      
      Its an skb_over_panic BUG halt that results from processing an init chunk in
      which too many of its variable length parameters are in some way malformed.
      
      The problem is in sctp_process_unk_param:
      if (NULL == *errp)
      	*errp = sctp_make_op_error_space(asoc, chunk,
      					 ntohs(chunk->chunk_hdr->length));
      
      	if (*errp) {
      		sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
      				 WORD_ROUND(ntohs(param.p->length)));
      		sctp_addto_chunk(*errp,
      			WORD_ROUND(ntohs(param.p->length)),
      				  param.v);
      
      When we allocate an error chunk, we assume that the worst case scenario requires
      that we have chunk_hdr->length data allocated, which would be correct nominally,
      given that we call sctp_addto_chunk for the violating parameter.  Unfortunately,
      we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
      chunk, so the worst case situation in which all parameters are in violation
      requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
      
      The result of this error is that a deliberately malformed packet sent to a
      listening host can cause a remote DOS, described in CVE-2010-1173:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
      
      I've tested the below fix and confirmed that it fixes the issue.  We move to a
      strategy whereby we allocate a fixed size error chunk and ignore errors we don't
      have space to report.  Tested by me successfully
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5fa782c2
    • Sjur Braendeland's avatar
    • Sjur Braendeland's avatar
      caif: Bugfixes in CAIF netdevice for close and flow control · 8391c4aa
      Sjur Braendeland authored
      Changes:
      o Bugfix: Flow control was causing the device to be destroyed.
      o Bugfix: Handle CAIF channel connect failures.
      o If the underlying link layer is gone the net-device is no longer removed,
        but closed.
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8391c4aa
    • Sjur Braendeland's avatar
      caif: Rewritten socket implementation · bece7b23
      Sjur Braendeland authored
      Changes:
       This is a complete re-write of the socket layer. Making the socket
       implementation more aligned with the other socket layers and using more
       of the support functions available in sock.c. Lots of code is copied
       from af_unix (and some from af_irda).
       Non-blocking mode should be working as well.
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bece7b23
    • Sjur Braendeland's avatar
      caif: Disconnect without waiting for response · 8d545c8f
      Sjur Braendeland authored
      Changes:
      o Function cfcnfg_disconn_adapt_layer is changed to do asynchronous
        disconnect, not waiting for any response from the modem. Due to this
        the function cfcnfg_linkdestroy_rsp does nothing anymore.
      o Because disconnect may take down a connection before a connect response
        is received the function cfcnfg_linkup_rsp is checking if the client is
        still waiting for the response, if not a disconnect request is sent to
        the modem.
      o cfctrl is no longer keeping track of pending disconnect requests.
      o Added function cfctrl_cancel_req, which is used for deleting a pending
        connect request if disconnect is done before connect response is received.
      o Removed unused function cfctrl_insert_req2
      o Added better handling of connect reject from modem.
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d545c8f
    • Sjur Braendeland's avatar
      caif: Add reference counting to service layer · 5b208656
      Sjur Braendeland authored
      Changes:
      o Added functions cfsrvl_get and cfsrvl_put.
      o Added support release_client to use by socket and net device.
      o Increase reference counting for in-flight packets from cfmuxl
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b208656
    • Sjur Braendeland's avatar
      caif: Rename functions in cfcnfg and caif_dev · e539d83c
      Sjur Braendeland authored
      Changes:
       o Renamed cfcnfg_del_adapt_layer to cfcnfg_disconn_adapt_layer
       o Fixed typo cfcfg to cfcnfg
       o Renamed linkid to channel_id
       o Updated documentation in caif_dev.h
       o Minor formatting changes
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e539d83c
    • Sjur Braendeland's avatar
      caif: Ldisc add permission check and mem-alloc error check · d3f744e0
      Sjur Braendeland authored
      Changes:
         o Added permission checks for installing. CAP_SYS_ADMIN and
           CAP_SYS_TTY_CONFIG can install the ldisc.
         o Check if allocation of skb was successful.
      Signed-off-by: default avatarSjur Braendeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d3f744e0
    • Ben Hutchings's avatar
      sfc: Create multiple TX queues · a4900ac9
      Ben Hutchings authored
      Create a core TX queue and 2 hardware TX queues for each channel.
      If separate_tx_channels is set, create equal numbers of RX and TX
      channels instead.
      
      Rewrite the channel and queue iteration macros accordingly.
      Eliminate efx_channel::used_flags as redundant.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a4900ac9
    • Ben Hutchings's avatar
      sfc: Test only the first pair of TX queues · 5298c37f
      Ben Hutchings authored
      This makes no immediate difference, but we definitely do not want
      to test all TX queues once we allocate a pair of TX queues to each
      channel.
      Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5298c37f
    • Steve Hodgson's avatar