1. 12 Feb, 2010 4 commits
    • Patrick McHardy's avatar
      ipv6: fib: fix crash when changing large fib while dumping it · 2bec5a36
      Patrick McHardy authored
      When the fib size exceeds what can be dumped in a single skb, the
      dump is suspended and resumed once the last skb has been received
      by userspace. When the fib is changed while the dump is suspended,
      the walker might contain stale pointers, causing a crash when the
      dump is resumed.
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      IP: [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
      PGD 5347a067 PUD 65c7067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      RIP: 0010:[<ffffffffa01bce04>]
      [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
      Call Trace:
       [<ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71
       [<ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6]
       [<ffffffff81371af4>] netlink_dump+0x5b/0x19e
       [<ffffffff8134f288>] ? consume_skb+0x28/0x2a
       [<ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6
       [<ffffffff81372781>] ? netlink_unicast+0xfa/0x151
       [<ffffffff813483e0>] __sock_recvmsg+0x6d/0x79
       [<ffffffff81348a53>] sock_recvmsg+0xca/0xe3
       [<ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38
       [<ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10
       [<ffffffff810b3ed7>] ? find_get_page+0x90/0xa5
       [<ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f
       [<ffffffff810ef152>] ? fget_light+0x2f/0xac
       [<ffffffff813519e7>] ? verify_iovec+0x4f/0x94
       [<ffffffff81349a65>] sys_recvmsg+0x14d/0x223
      Store the serial number when beginning to walk the fib and reload
      pointers when continuing to walk after a change occured. Similar
      to other dumping functions, this might cause unrelated entries to
      be missed when entries are deleted.
      Tested-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Gerrit Renker's avatar
      dccp: allow probing of CCID-array length · 69a6a0b3
      Gerrit Renker authored
      This fixes a problem in the DCCP getsockopt() API: currently there is no way
      for a user to a priori know the number of built-in CCIDs, other than trying
      DCCP_SOCKOPT_AVAILABLE_CCIDS in a loop, incrementing the option length until
      EINVAL is no longer returned.
      This patch truncates the array to the user-provided length. No copy is made
      when the length is <= 0.
      Due to the length restriction in do_dccp_getsockopt() to sizeof(int), the
      minimum array length remains 4, which is a reasonable default (only 3
      CCIDs, CCID-2..4, are currently defined).
      Signed-off-by: default avatarGerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Jiri Pirko's avatar
      macb: straighten out macb_mii_probe function · 7455a76f
      Jiri Pirko authored
      Use "phy_find_first" instead of manual lookup. Also use "phy_connect_direct"
      instead of "phy_connect" since we already have phy_device pointer here.
      Signed-off-by: default avatarJiri Pirko <jpirko@redhat.com>
      Acked-by: default avatarHaavard Skinnemoen <haavard.skinnemoen@atmel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Jiri Pirko's avatar
      net: use netdev_mc_count and netdev_mc_empty when appropriate · 4cd24eaf
      Jiri Pirko authored
      This patch replaces dev->mc_count in all drivers (hopefully I didn't miss
      anything). Used spatch and did small tweaks and conding style changes when
      it was suitable.
      Signed-off-by: default avatarJiri Pirko <jpirko@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  2. 11 Feb, 2010 1 commit
  3. 10 Feb, 2010 22 commits
  4. 09 Feb, 2010 1 commit
  5. 08 Feb, 2010 11 commits
  6. 05 Feb, 2010 1 commit