<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4, branch linux-2.6.29.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: fix rtable leak in net/ipv4/route.c</title>
<updated>2009-06-15T16:39:52+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>dada1@cosmosbay.com</email>
</author>
<published>2009-05-19T20:14:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=224db0799320b9ad875e4115ad16ee64f44a2fea'/>
<id>224db0799320b9ad875e4115ad16ee64f44a2fea</id>
<content type='text'>
[ Upstream commit 1ddbcb005c395518c2cd0df504cff3d4b5c85853 ]

Alexander V. Lukyanov found a regression in 2.6.29 and made a complete
analysis found in http://bugzilla.kernel.org/show_bug.cgi?id=13339
Quoted here because its a perfect one :

begin_of_quotation
 2.6.29 patch has introduced flexible route cache rebuilding. Unfortunately the
 patch has at least one critical flaw, and another problem.

 rt_intern_hash calculates rthi pointer, which is later used for new entry
 insertion. The same loop calculates cand pointer which is used to clean the
 list. If the pointers are the same, rtable leak occurs, as first the cand is
 removed then the new entry is appended to it.

 This leak leads to unregister_netdevice problem (usage count &gt; 0).

 Another problem of the patch is that it tries to insert the entries in certain
 order, to facilitate counting of entries distinct by all but QoS parameters.
 Unfortunately, referencing an existing rtable entry moves it to list beginning,
 to speed up further lookups, so the carefully built order is destroyed.

 For the first problem the simplest patch it to set rthi=0 when rthi==cand, but
 it will also destroy the ordering.
end_of_quotation

Problematic commit is 1080d709fb9d8cd4392f93476ee46a9d6ea05a5b
(net: implement emergency route cache rebulds when gc_elasticity is exceeded)

Trying to keep dst_entries ordered is too complex and breaks the fact that
order should depend on the frequency of use for garbage collection.

A possible fix is to make rt_intern_hash() simpler, and only makes
rt_check_expire() a litle bit smarter, being able to cope with an arbitrary
entries order. The added loop is running on cache hot data, while cpu
is prefetching next object, so should be unnoticied.

Reported-and-analyzed-by: Alexander V. Lukyanov &lt;lav@yar.ru&gt;
Signed-off-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1ddbcb005c395518c2cd0df504cff3d4b5c85853 ]

Alexander V. Lukyanov found a regression in 2.6.29 and made a complete
analysis found in http://bugzilla.kernel.org/show_bug.cgi?id=13339
Quoted here because its a perfect one :

begin_of_quotation
 2.6.29 patch has introduced flexible route cache rebuilding. Unfortunately the
 patch has at least one critical flaw, and another problem.

 rt_intern_hash calculates rthi pointer, which is later used for new entry
 insertion. The same loop calculates cand pointer which is used to clean the
 list. If the pointers are the same, rtable leak occurs, as first the cand is
 removed then the new entry is appended to it.

 This leak leads to unregister_netdevice problem (usage count &gt; 0).

 Another problem of the patch is that it tries to insert the entries in certain
 order, to facilitate counting of entries distinct by all but QoS parameters.
 Unfortunately, referencing an existing rtable entry moves it to list beginning,
 to speed up further lookups, so the carefully built order is destroyed.

 For the first problem the simplest patch it to set rthi=0 when rthi==cand, but
 it will also destroy the ordering.
end_of_quotation

Problematic commit is 1080d709fb9d8cd4392f93476ee46a9d6ea05a5b
(net: implement emergency route cache rebulds when gc_elasticity is exceeded)

Trying to keep dst_entries ordered is too complex and breaks the fact that
order should depend on the frequency of use for garbage collection.

A possible fix is to make rt_intern_hash() simpler, and only makes
rt_check_expire() a litle bit smarter, being able to cope with an arbitrary
entries order. The added loop is running on cache hot data, while cpu
is prefetching next object, so should be unnoticied.

Reported-and-analyzed-by: Alexander V. Lukyanov &lt;lav@yar.ru&gt;
Signed-off-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix length computation in rt_check_expire()</title>
<updated>2009-06-15T16:39:52+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>dada1@cosmosbay.com</email>
</author>
<published>2009-05-19T18:54:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=00ec06b2727596bb52ea01d596da0fa55793bd5c'/>
<id>00ec06b2727596bb52ea01d596da0fa55793bd5c</id>
<content type='text'>
[ Upstream commit cf8da764fc6959b7efb482f375dfef9830e98205 ]

rt_check_expire() computes average and standard deviation of chain lengths,
but not correclty reset length to 0 at beginning of each chain.
This probably gives overflows for sum2 (and sum) on loaded machines instead
of meaningful results.

Signed-off-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cf8da764fc6959b7efb482f375dfef9830e98205 ]

rt_check_expire() computes average and standard deviation of chain lengths,
but not correclty reset length to 0 at beginning of each chain.
This probably gives overflows for sum2 (and sum) on loaded machines instead
of meaningful results.

Signed-off-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix &gt;2 iw selection</title>
<updated>2009-06-15T16:39:50+00:00</updated>
<author>
<name>Ilpo Jarvinen</name>
<email>ilpo.jarvinen@helsinki.fi</email>
</author>
<published>2009-04-14T09:08:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3ae0f1042ff18706e652b2cff7419136cebf0f22'/>
<id>3ae0f1042ff18706e652b2cff7419136cebf0f22</id>
<content type='text'>
[ Upstream commit 86bcebafc5e7f5163ccf828792fe694b112ed6fa ]

A long-standing feature in tcp_init_metrics() is such that
any of its goto reset prevents call to tcp_init_cwnd().

Signed-off-by: Ilpo Jarvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 86bcebafc5e7f5163ccf828792fe694b112ed6fa ]

A long-standing feature in tcp_init_metrics() is such that
any of its goto reset prevents call to tcp_init_cwnd().

Signed-off-by: Ilpo Jarvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix MSG_PEEK race check</title>
<updated>2009-06-15T16:39:50+00:00</updated>
<author>
<name>Ilpo Jarvinen</name>
<email>ilpo.jarvinen@helsinki.fi</email>
</author>
<published>2009-05-10T20:32:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=35eca254c87cb5664e59da0e4ceb2a755d04c047'/>
<id>35eca254c87cb5664e59da0e4ceb2a755d04c047</id>
<content type='text'>
[ Upstream commit 775273131810caa41dfc7f9e552ea5d8508caf40 ]

Commit 518a09ef11 (tcp: Fix recvmsg MSG_PEEK influence of
blocking behavior) lets the loop run longer than the race check
did previously expect, so we need to be more careful with this
check and consider the work we have been doing.

I tried my best to deal with urg hole madness too which happens
here:
	if (!sock_flag(sk, SOCK_URGINLINE)) {
		++*seq;
		...
by using additional offset by one but I certainly have very
little interest in testing that part.

Signed-off-by: Ilpo Jarvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Tested-by: Frans Pop &lt;elendil@planet.nl&gt;
Tested-by: Ian Zimmermann &lt;itz@buug.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 775273131810caa41dfc7f9e552ea5d8508caf40 ]

Commit 518a09ef11 (tcp: Fix recvmsg MSG_PEEK influence of
blocking behavior) lets the loop run longer than the race check
did previously expect, so we need to be more careful with this
check and consider the work we have been doing.

I tried my best to deal with urg hole madness too which happens
here:
	if (!sock_flag(sk, SOCK_URGINLINE)) {
		++*seq;
		...
by using additional offset by one but I certainly have very
little interest in testing that part.

Signed-off-by: Ilpo Jarvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Tested-by: Frans Pop &lt;elendil@planet.nl&gt;
Tested-by: Ian Zimmermann &lt;itz@buug.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netlabel: Add CIPSO {set, del}attr request_sock functions</title>
<updated>2009-05-18T23:34:49+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul.moore@hp.com</email>
</author>
<published>2009-05-08T21:58:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=81aef7a11718924e60f51bc4472bdbba74d4b1cb'/>
<id>81aef7a11718924e60f51bc4472bdbba74d4b1cb</id>
<content type='text'>
[NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

Add the cipso_v4_req_setattr() and cipso_v4_req_delattr() functions to set and
delete the CIPSO security attributes on a request_sock used during a incoming
connection request.

Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

Add the cipso_v4_req_setattr() and cipso_v4_req_delattr() functions to set and
delete the CIPSO security attributes on a request_sock used during a incoming
connection request.

Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>lsm: Relocate the IPv4 security_inet_conn_request() hooks</title>
<updated>2009-05-18T23:34:47+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul.moore@hp.com</email>
</author>
<published>2009-05-08T21:58:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=18414ab61a689fa3fdaf90ad962aeae930be64d5'/>
<id>18414ab61a689fa3fdaf90ad962aeae930be64d5</id>
<content type='text'>
[NOTE: present in Linus' tree as 284904aa79466a4736f4c775fdbe5c7407fa136c]

The current placement of the security_inet_conn_request() hooks do not allow
individual LSMs to override the IP options of the connection's request_sock.
This is a problem as both SELinux and Smack have the ability to use labeled
networking protocols which make use of IP options to carry security attributes
and the inability to set the IP options at the start of the TCP handshake is
problematic.

This patch moves the IPv4 security_inet_conn_request() hooks past the code
where the request_sock's IP options are set/reset so that the LSM can safely
manipulate the IP options as needed.  This patch intentionally does not change
the related IPv6 hooks as IPv6 based labeling protocols which use IPv6 options
are not currently implemented, once they are we will have a better idea of
the correct placement for the IPv6 hooks.

Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NOTE: present in Linus' tree as 284904aa79466a4736f4c775fdbe5c7407fa136c]

The current placement of the security_inet_conn_request() hooks do not allow
individual LSMs to override the IP options of the connection's request_sock.
This is a problem as both SELinux and Smack have the ability to use labeled
networking protocols which make use of IP options to carry security attributes
and the inability to set the IP options at the start of the TCP handshake is
problematic.

This patch moves the IPv4 security_inet_conn_request() hooks past the code
where the request_sock's IP options are set/reset so that the LSM can safely
manipulate the IP options as needed.  This patch intentionally does not change
the related IPv6 hooks as IPv6 based labeling protocols which use IPv6 options
are not currently implemented, once they are we will have a better idea of
the correct placement for the IPv6 hooks.

Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection</title>
<updated>2009-04-27T17:36:58+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2009-04-06T15:31:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6bc1b5deb47f0fc3d697abd2fcd417618cf07e3f'/>
<id>6bc1b5deb47f0fc3d697abd2fcd417618cf07e3f</id>
<content type='text'>
upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558

Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.

When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.

Fix by making sure the rule does actually contain a standard target.

Based on patch by Francis Dupont &lt;Francis_Dupont@isc.org&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558

Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.

When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.

Fix by making sure the rule does actually contain a standard target.

Based on patch by Francis Dupont &lt;Francis_Dupont@isc.org&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: Wrong locking code in udp seq_file infrastructure</title>
<updated>2009-04-02T20:55:14+00:00</updated>
<author>
<name>Vitaly Mayatskikh</name>
<email>v.mayatskih@gmail.com</email>
</author>
<published>2009-03-23T22:22:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=efc337c45aa1e1b13188508de2593694fbe85b55'/>
<id>efc337c45aa1e1b13188508de2593694fbe85b55</id>
<content type='text'>
[ Upstream commit 30842f2989aacfaba3ccb39829b3417be9313dbe ]

Reading zero bytes from /proc/net/udp or other similar files which use
the same seq_file udp infrastructure panics kernel in that way:

=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
read/1985 is trying to release lock (&amp;table-&gt;hash[i].lock) at:
[&lt;ffffffff81321d83&gt;] udp_seq_stop+0x27/0x29
but there are no more locks to release!

other info that might help us debug this:
1 lock held by read/1985:
 #0:  (&amp;p-&gt;lock){--..}, at: [&lt;ffffffff810eefb6&gt;] seq_read+0x38/0x348

stack backtrace:
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
 [&lt;ffffffff81321d83&gt;] ? udp_seq_stop+0x27/0x29
 [&lt;ffffffff8106dab9&gt;] print_unlock_inbalance_bug+0xd6/0xe1
 [&lt;ffffffff8106db62&gt;] lock_release_non_nested+0x9e/0x1c6
 [&lt;ffffffff810ef030&gt;] ? seq_read+0xb2/0x348
 [&lt;ffffffff8106bdba&gt;] ? mark_held_locks+0x68/0x86
 [&lt;ffffffff81321d83&gt;] ? udp_seq_stop+0x27/0x29
 [&lt;ffffffff8106dde7&gt;] lock_release+0x15d/0x189
 [&lt;ffffffff8137163c&gt;] _spin_unlock_bh+0x1e/0x34
 [&lt;ffffffff81321d83&gt;] udp_seq_stop+0x27/0x29
 [&lt;ffffffff810ef239&gt;] seq_read+0x2bb/0x348
 [&lt;ffffffff810eef7e&gt;] ? seq_read+0x0/0x348
 [&lt;ffffffff8111aedd&gt;] proc_reg_read+0x90/0xaf
 [&lt;ffffffff810d878f&gt;] vfs_read+0xa6/0x103
 [&lt;ffffffff8106bfac&gt;] ? trace_hardirqs_on_caller+0x12f/0x153
 [&lt;ffffffff810d88a2&gt;] sys_read+0x45/0x69
 [&lt;ffffffff8101123a&gt;] system_call_fastpath+0x16/0x1b
BUG: scheduling while atomic: read/1985/0xffffff00
INFO: lockdep is turned off.
Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table dm_multipath kvm ppdev snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event arc4 snd_s
eq ecb thinkpad_acpi snd_seq_device iwl3945 hwmon sdhci_pci snd_pcm_oss sdhci rfkill mmc_core snd_mixer_oss i2c_i801 mac80211 yenta_socket ricoh_mmc i2c_core iTCO_wdt snd_pcm iTCO_vendor_support rs
rc_nonstatic snd_timer snd lib80211 cfg80211 soundcore snd_page_alloc video parport_pc output parport e1000e [last unloaded: scsi_wait_scan]
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
 [&lt;ffffffff8106b456&gt;] ? __debug_show_held_locks+0x1b/0x24
 [&lt;ffffffff81043660&gt;] __schedule_bug+0x7e/0x83
 [&lt;ffffffff8136ede9&gt;] schedule+0xce/0x838
 [&lt;ffffffff810d7972&gt;] ? fsnotify_access+0x5f/0x67
 [&lt;ffffffff810112d0&gt;] ? sysret_careful+0xb/0x37
 [&lt;ffffffff8106be9c&gt;] ? trace_hardirqs_on_caller+0x1f/0x153
 [&lt;ffffffff8137127b&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [&lt;ffffffff810112f6&gt;] sysret_careful+0x31/0x37
read[1985]: segfault at 7fffc479bfe8 ip 0000003e7420a180 sp 00007fffc479bfa0 error 6
Kernel panic - not syncing: Aiee, killing interrupt handler!

udp_seq_stop() tries to unlock not yet locked spinlock. The lock was lost
during splitting global udp_hash_lock to subsequent spinlocks.

Signed-off by: Vitaly Mayatskikh &lt;v.mayatskih@gmail.com&gt;
Acked-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 30842f2989aacfaba3ccb39829b3417be9313dbe ]

Reading zero bytes from /proc/net/udp or other similar files which use
the same seq_file udp infrastructure panics kernel in that way:

=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
read/1985 is trying to release lock (&amp;table-&gt;hash[i].lock) at:
[&lt;ffffffff81321d83&gt;] udp_seq_stop+0x27/0x29
but there are no more locks to release!

other info that might help us debug this:
1 lock held by read/1985:
 #0:  (&amp;p-&gt;lock){--..}, at: [&lt;ffffffff810eefb6&gt;] seq_read+0x38/0x348

stack backtrace:
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
 [&lt;ffffffff81321d83&gt;] ? udp_seq_stop+0x27/0x29
 [&lt;ffffffff8106dab9&gt;] print_unlock_inbalance_bug+0xd6/0xe1
 [&lt;ffffffff8106db62&gt;] lock_release_non_nested+0x9e/0x1c6
 [&lt;ffffffff810ef030&gt;] ? seq_read+0xb2/0x348
 [&lt;ffffffff8106bdba&gt;] ? mark_held_locks+0x68/0x86
 [&lt;ffffffff81321d83&gt;] ? udp_seq_stop+0x27/0x29
 [&lt;ffffffff8106dde7&gt;] lock_release+0x15d/0x189
 [&lt;ffffffff8137163c&gt;] _spin_unlock_bh+0x1e/0x34
 [&lt;ffffffff81321d83&gt;] udp_seq_stop+0x27/0x29
 [&lt;ffffffff810ef239&gt;] seq_read+0x2bb/0x348
 [&lt;ffffffff810eef7e&gt;] ? seq_read+0x0/0x348
 [&lt;ffffffff8111aedd&gt;] proc_reg_read+0x90/0xaf
 [&lt;ffffffff810d878f&gt;] vfs_read+0xa6/0x103
 [&lt;ffffffff8106bfac&gt;] ? trace_hardirqs_on_caller+0x12f/0x153
 [&lt;ffffffff810d88a2&gt;] sys_read+0x45/0x69
 [&lt;ffffffff8101123a&gt;] system_call_fastpath+0x16/0x1b
BUG: scheduling while atomic: read/1985/0xffffff00
INFO: lockdep is turned off.
Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table dm_multipath kvm ppdev snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event arc4 snd_s
eq ecb thinkpad_acpi snd_seq_device iwl3945 hwmon sdhci_pci snd_pcm_oss sdhci rfkill mmc_core snd_mixer_oss i2c_i801 mac80211 yenta_socket ricoh_mmc i2c_core iTCO_wdt snd_pcm iTCO_vendor_support rs
rc_nonstatic snd_timer snd lib80211 cfg80211 soundcore snd_page_alloc video parport_pc output parport e1000e [last unloaded: scsi_wait_scan]
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
 [&lt;ffffffff8106b456&gt;] ? __debug_show_held_locks+0x1b/0x24
 [&lt;ffffffff81043660&gt;] __schedule_bug+0x7e/0x83
 [&lt;ffffffff8136ede9&gt;] schedule+0xce/0x838
 [&lt;ffffffff810d7972&gt;] ? fsnotify_access+0x5f/0x67
 [&lt;ffffffff810112d0&gt;] ? sysret_careful+0xb/0x37
 [&lt;ffffffff8106be9c&gt;] ? trace_hardirqs_on_caller+0x1f/0x153
 [&lt;ffffffff8137127b&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [&lt;ffffffff810112f6&gt;] sysret_careful+0x31/0x37
read[1985]: segfault at 7fffc479bfe8 ip 0000003e7420a180 sp 00007fffc479bfa0 error 6
Kernel panic - not syncing: Aiee, killing interrupt handler!

udp_seq_stop() tries to unlock not yet locked spinlock. The lock was lost
during splitting global udp_hash_lock to subsequent spinlocks.

Signed-off by: Vitaly Mayatskikh &lt;v.mayatskih@gmail.com&gt;
Acked-by: Eric Dumazet &lt;dada1@cosmosbay.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netns: oops in ip[6]_frag_reasm incrementing stats</title>
<updated>2009-03-19T06:26:11+00:00</updated>
<author>
<name>Jorge Boncompte [DTI2]</name>
<email>jorge@dti2.net</email>
</author>
<published>2009-03-19T06:26:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2bad35b7c9588eb5e65c03bcae54e7eb6b1a6504'/>
<id>2bad35b7c9588eb5e65c03bcae54e7eb6b1a6504</id>
<content type='text'>
dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets.

Quagga's OSPFD sends fragmented packets on a RAW socket, when netfilter
conntrack reassembles them on the OUTPUT path you hit this code path.

You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD"

With help from Jarek Poplawski.

Signed-off-by: Jorge Boncompte [DTI2] &lt;jorge@dti2.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets.

Quagga's OSPFD sends fragmented packets on a RAW socket, when netfilter
conntrack reassembles them on the OUTPUT path you hit this code path.

You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD"

With help from Jarek Poplawski.

Signed-off-by: Jorge Boncompte [DTI2] &lt;jorge@dti2.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: Like icmp use register_pernet_subsys</title>
<updated>2009-03-03T09:14:21+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@aristanetworks.com</email>
</author>
<published>2009-02-22T08:10:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f20d2e667ab1ca44cde5fb361386dff5bb6081d'/>
<id>2f20d2e667ab1ca44cde5fb361386dff5bb6081d</id>
<content type='text'>
To remove the possibility of packets flying around when network
devices are being cleaned up use reisger_pernet_subsys instead of
register_pernet_device.

Signed-off-by: Eric W. Biederman &lt;ebiederm@aristanetworks.com&gt;
Acked-by: Denis V. Lunev &lt;den@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To remove the possibility of packets flying around when network
devices are being cleaned up use reisger_pernet_subsys instead of
register_pernet_device.

Signed-off-by: Eric W. Biederman &lt;ebiederm@aristanetworks.com&gt;
Acked-by: Denis V. Lunev &lt;den@openvz.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
