<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/core, branch linux-2.6.26.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: Fix netdev_run_todo dead-lock</title>
<updated>2008-11-10T19:18:00+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2008-10-07T22:50:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=858fac9c58f8a0bd447653e80e06170b46161c89'/>
<id>858fac9c58f8a0bd447653e80e06170b46161c89</id>
<content type='text'>
[ Upstream commit 58ec3b4db9eb5a28e3aec5f407a54e28f7039c19 ]

Benjamin Thery tracked down a bug that explains many instances
of the error

unregister_netdevice: waiting for %s to become free. Usage count = %d

It turns out that netdev_run_todo can dead-lock with itself if
a second instance of it is run in a thread that will then free
a reference to the device waited on by the first instance.

The problem is really quite silly.  We were trying to create
parallelism where none was required.  As netdev_run_todo always
follows a RTNL section, and that todo tasks can only be added
with the RTNL held, by definition you should only need to wait
for the very ones that you've added and be done with it.

There is no need for a second mutex or spinlock.

This is exactly what the following patch does.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 58ec3b4db9eb5a28e3aec5f407a54e28f7039c19 ]

Benjamin Thery tracked down a bug that explains many instances
of the error

unregister_netdevice: waiting for %s to become free. Usage count = %d

It turns out that netdev_run_todo can dead-lock with itself if
a second instance of it is run in a thread that will then free
a reference to the device waited on by the first instance.

The problem is really quite silly.  We were trying to create
parallelism where none was required.  As netdev_run_todo always
follows a RTNL section, and that todo tasks can only be added
with the RTNL held, by definition you should only need to wait
for the very ones that you've added and be done with it.

There is no need for a second mutex or spinlock.

This is exactly what the following patch does.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: Fix recursive descent in __scm_destroy().</title>
<updated>2008-11-10T19:17:53+00:00</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2008-11-06T08:37:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1e675381c2c443e84ba7bea055017ded1ac8f816'/>
<id>1e675381c2c443e84ba7bea055017ded1ac8f816</id>
<content type='text'>
commit f8d570a4745835f2238a33b537218a1bb03fc671 and
3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
good enough...)

__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.

Those, in turn, can close sockets and invoke __scm_destroy() again.

There is nothing which limits how deeply this can occur.

The idea for how to fix this is from Linus.  Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput().  Inside of the initial __scm_destroy() we
keep running the list until it is empty.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f8d570a4745835f2238a33b537218a1bb03fc671 and
3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
good enough...)

__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.

Those, in turn, can close sockets and invoke __scm_destroy() again.

There is nothing which limits how deeply this can occur.

The idea for how to fix this is from Linus.  Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput().  Inside of the initial __scm_destroy() we
keep running the list until it is empty.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: fib_rules: fix error code for unsupported families</title>
<updated>2008-07-02T02:59:37+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2008-07-02T02:59:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2fe195cfe3e53c144d247b2768e37732e8eae4d8'/>
<id>2fe195cfe3e53c144d247b2768e37732e8eae4d8</id>
<content type='text'>
The errno code returned must be negative.

Fixes "RTNETLINK answers: Unknown error 18446744073709551519".

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The errno code returned must be negative.

Fixes "RTNETLINK answers: Unknown error 18446744073709551519".

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netdevice: Fix wrong string handle in kernel command line parsing</title>
<updated>2008-07-02T02:57:19+00:00</updated>
<author>
<name>Wang Chen</name>
<email>wangchen@cn.fujitsu.com</email>
</author>
<published>2008-07-02T02:57:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93b3cff9915322d6fa36bac0064714a7076230e4'/>
<id>93b3cff9915322d6fa36bac0064714a7076230e4</id>
<content type='text'>
v1-&gt;v2: Use strlcpy() to ensure s[i].name be null-termination.

1. In netdev_boot_setup_add(), a long name will leak.
   ex. : dev=21,0x1234,0x1234,0x2345,eth123456789verylongname.........
2. In netdev_boot_setup_check(), mismatch will happen if s[i].name
   is a substring of dev-&gt;name.
   ex. : dev=...eth1 dev=...eth11

[ With feedback from Ben Hutchings. ]

Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
v1-&gt;v2: Use strlcpy() to ensure s[i].name be null-termination.

1. In netdev_boot_setup_add(), a long name will leak.
   ex. : dev=21,0x1234,0x1234,0x2345,eth123456789verylongname.........
2. In netdev_boot_setup_check(), mismatch will happen if s[i].name
   is a substring of dev-&gt;name.
   ex. : dev=...eth1 dev=...eth11

[ With feedback from Ben Hutchings. ]

Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Tyop of sk_filter() comment</title>
<updated>2008-07-02T02:55:40+00:00</updated>
<author>
<name>Wang Chen</name>
<email>wangchen@cn.fujitsu.com</email>
</author>
<published>2008-07-02T02:55:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8fde8a076940969d32805b853efdce8b988d7dda'/>
<id>8fde8a076940969d32805b853efdce8b988d7dda</id>
<content type='text'>
Parameter "needlock" no long exists.

Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Parameter "needlock" no long exists.

Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netdevice: Fix typo of dev_unicast_add() comment</title>
<updated>2008-06-28T02:35:16+00:00</updated>
<author>
<name>Wang Chen</name>
<email>wangchen@cn.fujitsu.com</email>
</author>
<published>2008-06-28T02:35:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5dbaec5dc6a4895db8bf9765a867418481ed7311'/>
<id>5dbaec5dc6a4895db8bf9765a867418481ed7311</id>
<content type='text'>
Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Wang Chen &lt;wangchen@cn.fujitsu.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix for splice receive when used with software LRO</title>
<updated>2008-06-28T00:27:21+00:00</updated>
<author>
<name>Octavian Purdila</name>
<email>opurdila@ixiacom.com</email>
</author>
<published>2008-06-28T00:27:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=db43a282d3ec92ea45109c5551fff3dcc5afef02'/>
<id>db43a282d3ec92ea45109c5551fff3dcc5afef02</id>
<content type='text'>
If an skb has nr_frags set to zero but its frag_list is not empty (as
it can happen if software LRO is enabled), and a previous
tcp_read_sock has consumed the linear part of the skb, then
__skb_splice_bits:

(a) incorrectly reports an error and

(b) forgets to update the offset to account for the linear part

Any of the two problems will cause the subsequent __skb_splice_bits
call (the one that handles the frag_list skbs) to either skip data,
or, if the unadjusted offset is greater then the size of the next skb
in the frag_list, make tcp_splice_read loop forever.

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If an skb has nr_frags set to zero but its frag_list is not empty (as
it can happen if software LRO is enabled), and a previous
tcp_read_sock has consumed the linear part of the skb, then
__skb_splice_bits:

(a) incorrectly reports an error and

(b) forgets to update the offset to account for the linear part

Any of the two problems will cause the subsequent __skb_splice_bits
call (the one that handles the frag_list skbs) to either skip data,
or, if the unadjusted offset is greater then the size of the next skb
in the frag_list, make tcp_splice_read loop forever.

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netns: Don't receive new packets in a dead network namespace.</title>
<updated>2008-06-21T05:16:51+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2008-06-21T05:16:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b9f75f45a6b46a0ab4eb0857d437a0845871f314'/>
<id>b9f75f45a6b46a0ab4eb0857d437a0845871f314</id>
<content type='text'>
Alexey Dobriyan &lt;adobriyan@gmail.com&gt; writes:
&gt; Subject: ICMP sockets destruction vs ICMP packets oops

&gt; After icmp_sk_exit() nuked ICMP sockets, we get an interrupt.
&gt; icmp_reply() wants ICMP socket.
&gt;
&gt; Steps to reproduce:
&gt;
&gt; 	launch shell in new netns
&gt; 	move real NIC to netns
&gt; 	setup routing
&gt; 	ping -i 0
&gt; 	exit from shell
&gt;
&gt; BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
&gt; IP: [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt; PGD 17f3cd067 PUD 17f3ce067 PMD 0 
&gt; Oops: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC
&gt; CPU 0 
&gt; Modules linked in: usblp usbcore
&gt; Pid: 0, comm: swapper Not tainted 2.6.26-rc6-netns-ct #4
&gt; RIP: 0010:[&lt;ffffffff803fce17&gt;]  [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt; RSP: 0018:ffffffff8057fc30  EFLAGS: 00010286
&gt; RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81017c7db900
&gt; RDX: 0000000000000034 RSI: ffff81017c7db900 RDI: ffff81017dc41800
&gt; RBP: ffffffff8057fc40 R08: 0000000000000001 R09: 000000000000a815
&gt; R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8057fd28
&gt; R13: ffffffff8057fd00 R14: ffff81017c7db938 R15: ffff81017dc41800
&gt; FS:  0000000000000000(0000) GS:ffffffff80525000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
&gt; CR2: 0000000000000000 CR3: 000000017fcda000 CR4: 00000000000006e0
&gt; DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
&gt; DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
&gt; Process swapper (pid: 0, threadinfo ffffffff8053a000, task ffffffff804fa4a0)
&gt; Stack:  0000000000000000 ffff81017c7db900 ffffffff8057fcf0 ffffffff803fcfe4
&gt;  ffffffff804faa38 0000000000000246 0000000000005a40 0000000000000246
&gt;  000000000001ffff ffff81017dd68dc0 0000000000005a40 0000000055342436
&gt; Call Trace:
&gt;  &lt;IRQ&gt;  [&lt;ffffffff803fcfe4&gt;] icmp_reply+0x44/0x1e0
&gt;  [&lt;ffffffff803d3a0a&gt;] ? ip_route_input+0x23a/0x1360
&gt;  [&lt;ffffffff803fd645&gt;] icmp_echo+0x65/0x70
&gt;  [&lt;ffffffff803fd300&gt;] icmp_rcv+0x180/0x1b0
&gt;  [&lt;ffffffff803d6d84&gt;] ip_local_deliver+0xf4/0x1f0
&gt;  [&lt;ffffffff803d71bb&gt;] ip_rcv+0x33b/0x650
&gt;  [&lt;ffffffff803bb16a&gt;] netif_receive_skb+0x27a/0x340
&gt;  [&lt;ffffffff803be57d&gt;] process_backlog+0x9d/0x100
&gt;  [&lt;ffffffff803bdd4d&gt;] net_rx_action+0x18d/0x250
&gt;  [&lt;ffffffff80237be5&gt;] __do_softirq+0x75/0x100
&gt;  [&lt;ffffffff8020c97c&gt;] call_softirq+0x1c/0x30
&gt;  [&lt;ffffffff8020f085&gt;] do_softirq+0x65/0xa0
&gt;  [&lt;ffffffff80237af7&gt;] irq_exit+0x97/0xa0
&gt;  [&lt;ffffffff8020f198&gt;] do_IRQ+0xa8/0x130
&gt;  [&lt;ffffffff80212ee0&gt;] ? mwait_idle+0x0/0x60
&gt;  [&lt;ffffffff8020bc46&gt;] ret_from_intr+0x0/0xf
&gt;  &lt;EOI&gt;  [&lt;ffffffff80212f2c&gt;] ? mwait_idle+0x4c/0x60
&gt;  [&lt;ffffffff80212f23&gt;] ? mwait_idle+0x43/0x60
&gt;  [&lt;ffffffff8020a217&gt;] ? cpu_idle+0x57/0xa0
&gt;  [&lt;ffffffff8040f380&gt;] ? rest_init+0x70/0x80
&gt; Code: 10 5b 41 5c 41 5d 41 5e c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 53
&gt; 48 83 ec 08 48 8b 9f 78 01 00 00 e8 2b c7 f1 ff 89 c0 &lt;48&gt; 8b 04 c3 48 83 c4 08
&gt; 5b c9 c3 66 66 66 66 66 2e 0f 1f 84 00
&gt; RIP  [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt;  RSP &lt;ffffffff8057fc30&gt;
&gt; CR2: 0000000000000000
&gt; ---[ end trace ea161157b76b33e8 ]---
&gt; Kernel panic - not syncing: Aiee, killing interrupt handler!

Receiving packets while we are cleaning up a network namespace is a
racy proposition. It is possible when the packet arrives that we have
removed some but not all of the state we need to fully process it.  We
have the choice of either playing wack-a-mole with the cleanup routines
or simply dropping packets when we don't have a network namespace to
handle them.

Since the check looks inexpensive in netif_receive_skb let's just
drop the incoming packets.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Alexey Dobriyan &lt;adobriyan@gmail.com&gt; writes:
&gt; Subject: ICMP sockets destruction vs ICMP packets oops

&gt; After icmp_sk_exit() nuked ICMP sockets, we get an interrupt.
&gt; icmp_reply() wants ICMP socket.
&gt;
&gt; Steps to reproduce:
&gt;
&gt; 	launch shell in new netns
&gt; 	move real NIC to netns
&gt; 	setup routing
&gt; 	ping -i 0
&gt; 	exit from shell
&gt;
&gt; BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
&gt; IP: [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt; PGD 17f3cd067 PUD 17f3ce067 PMD 0 
&gt; Oops: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC
&gt; CPU 0 
&gt; Modules linked in: usblp usbcore
&gt; Pid: 0, comm: swapper Not tainted 2.6.26-rc6-netns-ct #4
&gt; RIP: 0010:[&lt;ffffffff803fce17&gt;]  [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt; RSP: 0018:ffffffff8057fc30  EFLAGS: 00010286
&gt; RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81017c7db900
&gt; RDX: 0000000000000034 RSI: ffff81017c7db900 RDI: ffff81017dc41800
&gt; RBP: ffffffff8057fc40 R08: 0000000000000001 R09: 000000000000a815
&gt; R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8057fd28
&gt; R13: ffffffff8057fd00 R14: ffff81017c7db938 R15: ffff81017dc41800
&gt; FS:  0000000000000000(0000) GS:ffffffff80525000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
&gt; CR2: 0000000000000000 CR3: 000000017fcda000 CR4: 00000000000006e0
&gt; DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
&gt; DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
&gt; Process swapper (pid: 0, threadinfo ffffffff8053a000, task ffffffff804fa4a0)
&gt; Stack:  0000000000000000 ffff81017c7db900 ffffffff8057fcf0 ffffffff803fcfe4
&gt;  ffffffff804faa38 0000000000000246 0000000000005a40 0000000000000246
&gt;  000000000001ffff ffff81017dd68dc0 0000000000005a40 0000000055342436
&gt; Call Trace:
&gt;  &lt;IRQ&gt;  [&lt;ffffffff803fcfe4&gt;] icmp_reply+0x44/0x1e0
&gt;  [&lt;ffffffff803d3a0a&gt;] ? ip_route_input+0x23a/0x1360
&gt;  [&lt;ffffffff803fd645&gt;] icmp_echo+0x65/0x70
&gt;  [&lt;ffffffff803fd300&gt;] icmp_rcv+0x180/0x1b0
&gt;  [&lt;ffffffff803d6d84&gt;] ip_local_deliver+0xf4/0x1f0
&gt;  [&lt;ffffffff803d71bb&gt;] ip_rcv+0x33b/0x650
&gt;  [&lt;ffffffff803bb16a&gt;] netif_receive_skb+0x27a/0x340
&gt;  [&lt;ffffffff803be57d&gt;] process_backlog+0x9d/0x100
&gt;  [&lt;ffffffff803bdd4d&gt;] net_rx_action+0x18d/0x250
&gt;  [&lt;ffffffff80237be5&gt;] __do_softirq+0x75/0x100
&gt;  [&lt;ffffffff8020c97c&gt;] call_softirq+0x1c/0x30
&gt;  [&lt;ffffffff8020f085&gt;] do_softirq+0x65/0xa0
&gt;  [&lt;ffffffff80237af7&gt;] irq_exit+0x97/0xa0
&gt;  [&lt;ffffffff8020f198&gt;] do_IRQ+0xa8/0x130
&gt;  [&lt;ffffffff80212ee0&gt;] ? mwait_idle+0x0/0x60
&gt;  [&lt;ffffffff8020bc46&gt;] ret_from_intr+0x0/0xf
&gt;  &lt;EOI&gt;  [&lt;ffffffff80212f2c&gt;] ? mwait_idle+0x4c/0x60
&gt;  [&lt;ffffffff80212f23&gt;] ? mwait_idle+0x43/0x60
&gt;  [&lt;ffffffff8020a217&gt;] ? cpu_idle+0x57/0xa0
&gt;  [&lt;ffffffff8040f380&gt;] ? rest_init+0x70/0x80
&gt; Code: 10 5b 41 5c 41 5d 41 5e c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 53
&gt; 48 83 ec 08 48 8b 9f 78 01 00 00 e8 2b c7 f1 ff 89 c0 &lt;48&gt; 8b 04 c3 48 83 c4 08
&gt; 5b c9 c3 66 66 66 66 66 2e 0f 1f 84 00
&gt; RIP  [&lt;ffffffff803fce17&gt;] icmp_sk+0x17/0x30
&gt;  RSP &lt;ffffffff8057fc30&gt;
&gt; CR2: 0000000000000000
&gt; ---[ end trace ea161157b76b33e8 ]---
&gt; Kernel panic - not syncing: Aiee, killing interrupt handler!

Receiving packets while we are cleaning up a network namespace is a
racy proposition. It is possible when the packet arrives that we have
removed some but not all of the state we need to fully process it.  We
have the choice of either playing wack-a-mole with the cleanup routines
or simply dropping packets when we don't have a network namespace to
handle them.

Since the check looks inexpensive in netif_receive_skb let's just
drop the incoming packets.

Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Fix test for VLAN TX checksum offload capability</title>
<updated>2008-06-17T00:02:28+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>bhutchings@solarflare.com</email>
</author>
<published>2008-06-17T00:02:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6de329e26caed7bbbf51229c80f3948549d3c010'/>
<id>6de329e26caed7bbbf51229c80f3948549d3c010</id>
<content type='text'>
Selected device feature bits can be propagated to VLAN devices, so we
can make use of TX checksum offload and TSO on VLAN-tagged packets.
However, if the physical device does not do VLAN tag insertion or
generic checksum offload then the test for TX checksum offload in
dev_queue_xmit() will see a protocol of htons(ETH_P_8021Q) and yield
false.

This splits the checksum offload test into two functions:

- can_checksum_protocol() tests a given protocol against a feature bitmask

- dev_can_checksum() first tests the skb protocol against the device
  features; if that fails and the protocol is htons(ETH_P_8021Q) then
  it tests the encapsulated protocol against the effective device
  features for VLANs

Signed-off-by: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Acked-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Selected device feature bits can be propagated to VLAN devices, so we
can make use of TX checksum offload and TSO on VLAN-tagged packets.
However, if the physical device does not do VLAN tag insertion or
generic checksum offload then the test for TX checksum offload in
dev_queue_xmit() will see a protocol of htons(ETH_P_8021Q) and yield
false.

This splits the checksum offload test into two functions:

- can_checksum_protocol() tests a given protocol against a feature bitmask

- dev_can_checksum() first tests the skb protocol against the device
  features; if that fails and the protocol is htons(ETH_P_8021Q) then
  it tests the encapsulated protocol against the effective device
  features for VLANs

Signed-off-by: Ben Hutchings &lt;bhutchings@solarflare.com&gt;
Acked-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.</title>
<updated>2008-06-04T22:45:58+00:00</updated>
<author>
<name>Octavian Purdila</name>
<email>opurdila@ixiacom.com</email>
</author>
<published>2008-06-04T22:45:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=293ad60401da621b8b329abbe8c388edb25f658a'/>
<id>293ad60401da621b8b329abbe8c388edb25f658a</id>
<content type='text'>
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.

This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.

Based on idea and initial patch from Evgeniy Polyakov.

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Acked-by: Evgeniy Polyakov &lt;johnpol@2ka.mipt.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.

This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.

Based on idea and initial patch from Evgeniy Polyakov.

Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Acked-by: Evgeniy Polyakov &lt;johnpol@2ka.mipt.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
