linux.git/drivers/net/pppol2tp.c, branch v2.6.27 Linux kernel source tree [netdrvr] remove unnecessary #include 2008-08-14T08:26:38+00:00 Huang Weiyi weiyi.huang@gmail.com 2008-08-11T04:56:44+00:00 fde9403a982218fa8a437f815e7aa0e583e2d6ed The drivers below do not use LINUX_VERSION_CODE nor KERNEL_VERSION. drivers/net/acenic.c drivers/net/bnx2x_link.c drivers/net/bnx2x_main.c drivers/net/cpmac.c drivers/net/gianfar_sysfs.c drivers/net/ipg.h drivers/net/ppp_mppe.c drivers/net/pppol2tp.c drivers/net/r6040.c drivers/net/sh_eth.c drivers/net/sky2.c drivers/net/tehuti.h drivers/net/typhoon.c This patch removes the said #include <linux/version.h>. Signed-off-by: Huang Weiyi <hwy@cn.fujitsu.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com> 
The drivers below do not use LINUX_VERSION_CODE nor KERNEL_VERSION.
  drivers/net/acenic.c
  drivers/net/bnx2x_link.c
  drivers/net/bnx2x_main.c
  drivers/net/cpmac.c
  drivers/net/gianfar_sysfs.c
  drivers/net/ipg.h
  drivers/net/ppp_mppe.c
  drivers/net/pppol2tp.c
  drivers/net/r6040.c
  drivers/net/sh_eth.c
  drivers/net/sky2.c
  drivers/net/tehuti.h
  drivers/net/typhoon.c

This patch removes the said #include <linux/version.h>.

Signed-off-by: Huang Weiyi <hwy@cn.fujitsu.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
l2tp: Fix potential memory corruption in pppol2tp_recvmsg() 2008-06-10T19:35:00+00:00 James Chapman jchapman@katalix.com 2008-06-10T19:35:00+00:00 6b6707a50c7598a83820077393f8823ab791abf8 This patch fixes a potential memory corruption in pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer length, memcpy_toiovec() will go into unintialized data on the kernel heap, interpret it as an iovec and start modifying memory. The fix is to change the memcpy_toiovec() call to skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP) are handled properly. Also check that the caller's buffer is big enough for the data and set the MSG_TRUNC flag if it is not so. Reported-by: Ilja <ilja@netric.org> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down 2008-06-04T22:54:07+00:00 James Chapman jchapman@katalix.com 2008-06-04T22:54:07+00:00 24b95685ffcdb3dc28f64b9e8af6ea3e8360fbc5 Some problems have been experienced in the field which cause an oops in the pppol2tp driver if L2TP tunnels fail while passing data. The pppol2tp driver uses private data that is referenced via the sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes sure that the driver uses sock_hold() when it holds a reference to the sk pointer. This affects its sendmsg(), recvmsg(), getname(), [gs]etsockopt() and ioctl() handlers. Tested by ISP where problem was seen. System has been up 10 days with no oops since running this patch. Without the patch, an oops would occur every 1-2 days. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.

The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.

Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.

Signed-off-by: James Chapman <jchapman@katalix.com> 
Signed-off-by: David S. Miller <davem@davemloft.net>
lt2p: Fix possible WARN_ON from socket code when UDP socket is closed 2008-06-04T22:07:32+00:00 James Chapman jchapman@katalix.com 2008-06-04T22:07:32+00:00 199f7d24ae59894243687a234a909f44a8724506 If an L2TP daemon closes a tunnel socket while packets are queued in the tunnel's reorder queue, a kernel warning is logged because the socket is closed while skbs are still referencing it. The fix is to purge the queue in the socket's release handler. WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68() Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8 [<c0423c58>] warn_on_slowpath+0x41/0x51 [<c05d33a7>] udp_lib_unhash+0x41/0x68 [<c059424d>] sk_common_release+0x23/0x90 [<c05d16be>] udp_lib_close+0x8/0xa [<c05d8684>] inet_release+0x42/0x48 [<c0592599>] sock_release+0x14/0x60 [<c059299f>] sock_close+0x29/0x30 [<c046ef52>] __fput+0xad/0x15b [<c046f1d9>] fput+0x17/0x19 [<c046c8c4>] filp_close+0x50/0x5a [<c046da06>] sys_close+0x69/0x9f [<c04048ce>] syscall_call+0x7/0xb Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.

WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
 [<c0423c58>] warn_on_slowpath+0x41/0x51
 [<c05d33a7>] udp_lib_unhash+0x41/0x68
 [<c059424d>] sk_common_release+0x23/0x90
 [<c05d16be>] udp_lib_close+0x8/0xa
 [<c05d8684>] inet_release+0x42/0x48
 [<c0592599>] sock_release+0x14/0x60
 [<c059299f>] sock_close+0x29/0x30
 [<c046ef52>] __fput+0xad/0x15b
 [<c046f1d9>] fput+0x17/0x19
 [<c046c8c4>] filp_close+0x50/0x5a
 [<c046da06>] sys_close+0x69/0x9f
 [<c04048ce>] syscall_call+0x7/0xb

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
l2tp: avoid skb truesize bug if headroom is increased 2008-05-19T21:10:01+00:00 James Chapman jchapman@katalix.com 2008-05-19T21:10:01+00:00 090c48d3dd5ea90b37350334aaed9a93b0c1e0a1 A user reported seeing occasional bugs such as the following when using the L2TP driver. SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208 When L2TP adds its header in the transmit path, it might need to increase the headroom of the skb. In some cases, the increased headroom trips a kernel bug when the skb is freed because the skb has grown beyond its truesize value. The fix is to increase the truesize by the amount of headroom added, after orphaning the skb. While here, fix a misleading comment. Thanks to Iouri Kharon <bc-info@styx.cabel.net> for the initial report and testing the fix. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
A user reported seeing occasional bugs such as the following when
using the L2TP driver.

  SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208

When L2TP adds its header in the transmit path, it might need to
increase the headroom of the skb. In some cases, the increased
headroom trips a kernel bug when the skb is freed because the skb has
grown beyond its truesize value. The fix is to increase the truesize
by the amount of headroom added, after orphaning the skb.

While here, fix a misleading comment.

Thanks to Iouri Kharon <bc-info@styx.cabel.net> for the initial
report and testing the fix.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
pppol2tp: Remove null pointer dereference. 2008-05-12T22:43:46+00:00 Julia Lawall julia@diku.dk 2008-05-12T22:43:46+00:00 5dc474d6b3ba19df7d491d4eabd9fb7a0c1c2423 If session is NULL, it is not possible to access its name field. So I have split apart the printing of the error message to drop the printing of the name field in this case. The macro PRINTK actually only evaluates its arguments starting with the third one if the bitwise conjunction of the first two is non-zero. Normally, this conjunction would only be non-zero if debugging mode were turned on, but when session is NULL, the first argument in both the old and new code is -1, and thus the bitwise conjunction is true. Perhaps a different strategy is desired, such as using tunnel->debug, which session->debug is initialized to, but tunnel can also be NULL, so this does not completely solve the problem. This problem was found using the following semantic match (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ expression E, E1; identifier f; statement S1,S2,S3; @@ * if (E == NULL) { ... when != if (E == NULL) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net> 
If session is NULL, it is not possible to access its name field.  So I
have split apart the printing of the error message to drop the
printing of the name field in this case.

The macro PRINTK actually only evaluates its arguments starting with
the third one if the bitwise conjunction of the first two is non-zero.
Normally, this conjunction would only be non-zero if debugging mode
were turned on, but when session is NULL, the first argument in both
the old and new code is -1, and thus the bitwise conjunction is true.
Perhaps a different strategy is desired, such as using tunnel->debug,
which session->debug is initialized to, but tunnel can also be NULL,
so this does not completely solve the problem.


This problem was found using the following semantic match
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
expression E, E1;
identifier f;
statement S1,S2,S3;
@@

* if (E == NULL)
{
  ... when != if (E == NULL) S1 else S2
      when != E = E1
* E->f
  ... when any
  return ...;
}
else S3
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
netdev: use non-racy method for proc entries creation 2008-04-29T15:06:22+00:00 Denis V. Lunev den@openvz.org 2008-04-29T08:02:29+00:00 a95609cb0283a23e519e607ff9fc2a4aa77e2532 Use proc_create()/proc_create_data() to make sure that ->proc_fops and ->data be setup before gluing PDE to main tree. Signed-off-by: Denis V. Lunev <den@openvz.org> Cc: Jeff Garzik <jgarzik@pobox.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Use proc_create()/proc_create_data() to make sure that ->proc_fops and ->data
be setup before gluing PDE to main tree.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Cc: Jeff Garzik <jgarzik@pobox.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PPPOL2TP]: Fix SMP issues in skb reorder queue handling 2008-03-06T02:40:01+00:00 James Chapman jchapman@katalix.com 2008-03-06T02:40:01+00:00 e653181dd6b3ad38ce14904351b03a5388f4b0f7 When walking a session's packet reorder queue, use skb_queue_walk_safe() since the list could be modified inside the loop. Rearrange the unlinking skbs from the reorder queue such that it is done while the queue lock is held in pppol2tp_recv_dequeue() when walking the skb list. A version of this patch was suggested by Jarek Poplawski. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
When walking a session's packet reorder queue, use
skb_queue_walk_safe() since the list could be modified inside the
loop.

Rearrange the unlinking skbs from the reorder queue such that it is
done while the queue lock is held in pppol2tp_recv_dequeue() when
walking the skb list.

A version of this patch was suggested by Jarek Poplawski.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PPPOL2TP]: Make locking calls softirq-safe 2008-03-06T02:39:08+00:00 James Chapman jchapman@katalix.com 2008-03-06T02:39:08+00:00 cf3752e2d203bbbfc88d29e362e6938cef4339b3 Fix locking issues in the pppol2tp driver which can cause a kernel crash on SMP boxes. There were two problems:- 1. The driver was violating read_lock() and write_lock() scheduling rules because it wasn't using softirq-safe locks in softirq contexts. So we now consistently use the _bh variants of the lock functions. 2. The driver was calling sk_dst_get() in pppol2tp_xmit() which was taking sk_dst_lock in softirq context. We now call __sk_dst_get(). Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix locking issues in the pppol2tp driver which can cause a kernel
crash on SMP boxes. There were two problems:-

1. The driver was violating read_lock() and write_lock() scheduling
   rules because it wasn't using softirq-safe locks in softirq
   contexts. So we now consistently use the _bh variants of the lock
   functions.

2. The driver was calling sk_dst_get() in pppol2tp_xmit() which was
   taking sk_dst_lock in softirq context. We now call __sk_dst_get().

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PPPOL2TP]: Add missing sock_put() in pppol2tp_tunnel_closeall() 2008-03-04T04:49:34+00:00 Jarek Poplawski jarkao2@gmail.com 2008-03-04T04:49:34+00:00 ec9b6add7d81f902f6094e71f595da4a362f3348 Every skb removed from session->reorder_q needs sock_put(). Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Acked-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Every skb removed from session->reorder_q needs sock_put().

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Acked-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>