<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/iucv, branch v2.6.32</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>net: Make setsockopt() optlen be unsigned.</title>
<updated>2009-09-30T23:12:20+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2009-09-30T23:12:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b7058842c940ad2c08dd829b21e5c92ebe3b8758'/>
<id>b7058842c940ad2c08dd829b21e5c92ebe3b8758</id>
<content type='text'>
This provides safety against negative optlen at the type
level instead of depending upon (sometimes non-trivial)
checks against this sprinkled all over the the place, in
each and every implementation.

Based upon work done by Arjan van de Ven and feedback
from Linus Torvalds.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This provides safety against negative optlen at the type
level instead of depending upon (sometimes non-trivial)
checks against this sprinkled all over the the place, in
each and every implementation.

Based upon work done by Arjan van de Ven and feedback
from Linus Torvalds.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_iucv: fix race when queueing skbs on the backlog queue</title>
<updated>2009-09-17T03:57:39+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bf95d20fdbd602d72c28a009a55d90d5109b8a86'/>
<id>bf95d20fdbd602d72c28a009a55d90d5109b8a86</id>
<content type='text'>
iucv_sock_recvmsg() and iucv_process_message()/iucv_fragment_skb race
for dequeuing an skb from the backlog queue.

If iucv_sock_recvmsg() dequeues first, iucv_process_message() calls
sock_queue_rcv_skb() with an skb that is NULL.

This results in the following kernel panic:

&lt;1&gt;Unable to handle kernel pointer dereference at virtual kernel address (null)
&lt;4&gt;Oops: 0004 [#1] PREEMPT SMP DEBUG_PAGEALLOC
&lt;4&gt;Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod vmur qeth ccwgroup
&lt;4&gt;CPU: 0 Not tainted 2.6.30 #4
&lt;4&gt;Process client-iucv (pid: 4787, task: 0000000034e75940, ksp: 00000000353e3710)
&lt;4&gt;Krnl PSW : 0704000180000000 000000000043ebca (sock_queue_rcv_skb+0x7a/0x138)
&lt;4&gt;           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0 EA:3
&lt;4&gt;Krnl GPRS: 0052900000000000 000003e0016e0fe8 0000000000000000 0000000000000000
&lt;4&gt;           000000000043eba8 0000000000000002 0000000000000001 00000000341aa7f0
&lt;4&gt;           0000000000000000 0000000000007800 0000000000000000 0000000000000000
&lt;4&gt;           00000000341aa7f0 0000000000594650 000000000043eba8 000000003fc2fb28
&lt;4&gt;Krnl Code: 000000000043ebbe: a7840006            brc     8,43ebca
&lt;4&gt;           000000000043ebc2: 5930c23c            c       %r3,572(%r12)
&lt;4&gt;           000000000043ebc6: a724004c            brc     2,43ec5e
&lt;4&gt;          &gt;000000000043ebca: e3c0b0100024        stg     %r12,16(%r11)
&lt;4&gt;           000000000043ebd0: a7190000            lghi    %r1,0
&lt;4&gt;           000000000043ebd4: e310b0200024        stg     %r1,32(%r11)
&lt;4&gt;           000000000043ebda: c010ffffdce9        larl    %r1,43a5ac
&lt;4&gt;           000000000043ebe0: e310b0800024        stg     %r1,128(%r11)
&lt;4&gt;Call Trace:
&lt;4&gt;([&lt;000000000043eba8&gt;] sock_queue_rcv_skb+0x58/0x138)
&lt;4&gt; [&lt;000003e0016bcf2a&gt;] iucv_process_message+0x112/0x3cc [af_iucv]
&lt;4&gt; [&lt;000003e0016bd3d4&gt;] iucv_callback_rx+0x1f0/0x274 [af_iucv]
&lt;4&gt; [&lt;000000000053a21a&gt;] iucv_message_pending+0xa2/0x120
&lt;4&gt; [&lt;000000000053b5a6&gt;] iucv_tasklet_fn+0x176/0x1b8
&lt;4&gt; [&lt;000000000014fa82&gt;] tasklet_action+0xfe/0x1f4
&lt;4&gt; [&lt;0000000000150a56&gt;] __do_softirq+0x116/0x284
&lt;4&gt; [&lt;0000000000111058&gt;] do_softirq+0xe4/0xe8
&lt;4&gt; [&lt;00000000001504ba&gt;] irq_exit+0xba/0xd8
&lt;4&gt; [&lt;000000000010e0b2&gt;] do_extint+0x146/0x190
&lt;4&gt; [&lt;00000000001184b6&gt;] ext_no_vtime+0x1e/0x22
&lt;4&gt; [&lt;00000000001fbf4e&gt;] kfree+0x202/0x28c
&lt;4&gt;([&lt;00000000001fbf44&gt;] kfree+0x1f8/0x28c)
&lt;4&gt; [&lt;000000000044205a&gt;] __kfree_skb+0x32/0x124
&lt;4&gt; [&lt;000003e0016bd8b2&gt;] iucv_sock_recvmsg+0x236/0x41c [af_iucv]
&lt;4&gt; [&lt;0000000000437042&gt;] sock_aio_read+0x136/0x160
&lt;4&gt; [&lt;0000000000205e50&gt;] do_sync_read+0xe4/0x13c
&lt;4&gt; [&lt;0000000000206dce&gt;] vfs_read+0x152/0x15c
&lt;4&gt; [&lt;0000000000206ed0&gt;] SyS_read+0x54/0xac
&lt;4&gt; [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
&lt;4&gt; [&lt;00000042ff8def3c&gt;] 0x42ff8def3c

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
iucv_sock_recvmsg() and iucv_process_message()/iucv_fragment_skb race
for dequeuing an skb from the backlog queue.

If iucv_sock_recvmsg() dequeues first, iucv_process_message() calls
sock_queue_rcv_skb() with an skb that is NULL.

This results in the following kernel panic:

&lt;1&gt;Unable to handle kernel pointer dereference at virtual kernel address (null)
&lt;4&gt;Oops: 0004 [#1] PREEMPT SMP DEBUG_PAGEALLOC
&lt;4&gt;Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod vmur qeth ccwgroup
&lt;4&gt;CPU: 0 Not tainted 2.6.30 #4
&lt;4&gt;Process client-iucv (pid: 4787, task: 0000000034e75940, ksp: 00000000353e3710)
&lt;4&gt;Krnl PSW : 0704000180000000 000000000043ebca (sock_queue_rcv_skb+0x7a/0x138)
&lt;4&gt;           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0 EA:3
&lt;4&gt;Krnl GPRS: 0052900000000000 000003e0016e0fe8 0000000000000000 0000000000000000
&lt;4&gt;           000000000043eba8 0000000000000002 0000000000000001 00000000341aa7f0
&lt;4&gt;           0000000000000000 0000000000007800 0000000000000000 0000000000000000
&lt;4&gt;           00000000341aa7f0 0000000000594650 000000000043eba8 000000003fc2fb28
&lt;4&gt;Krnl Code: 000000000043ebbe: a7840006            brc     8,43ebca
&lt;4&gt;           000000000043ebc2: 5930c23c            c       %r3,572(%r12)
&lt;4&gt;           000000000043ebc6: a724004c            brc     2,43ec5e
&lt;4&gt;          &gt;000000000043ebca: e3c0b0100024        stg     %r12,16(%r11)
&lt;4&gt;           000000000043ebd0: a7190000            lghi    %r1,0
&lt;4&gt;           000000000043ebd4: e310b0200024        stg     %r1,32(%r11)
&lt;4&gt;           000000000043ebda: c010ffffdce9        larl    %r1,43a5ac
&lt;4&gt;           000000000043ebe0: e310b0800024        stg     %r1,128(%r11)
&lt;4&gt;Call Trace:
&lt;4&gt;([&lt;000000000043eba8&gt;] sock_queue_rcv_skb+0x58/0x138)
&lt;4&gt; [&lt;000003e0016bcf2a&gt;] iucv_process_message+0x112/0x3cc [af_iucv]
&lt;4&gt; [&lt;000003e0016bd3d4&gt;] iucv_callback_rx+0x1f0/0x274 [af_iucv]
&lt;4&gt; [&lt;000000000053a21a&gt;] iucv_message_pending+0xa2/0x120
&lt;4&gt; [&lt;000000000053b5a6&gt;] iucv_tasklet_fn+0x176/0x1b8
&lt;4&gt; [&lt;000000000014fa82&gt;] tasklet_action+0xfe/0x1f4
&lt;4&gt; [&lt;0000000000150a56&gt;] __do_softirq+0x116/0x284
&lt;4&gt; [&lt;0000000000111058&gt;] do_softirq+0xe4/0xe8
&lt;4&gt; [&lt;00000000001504ba&gt;] irq_exit+0xba/0xd8
&lt;4&gt; [&lt;000000000010e0b2&gt;] do_extint+0x146/0x190
&lt;4&gt; [&lt;00000000001184b6&gt;] ext_no_vtime+0x1e/0x22
&lt;4&gt; [&lt;00000000001fbf4e&gt;] kfree+0x202/0x28c
&lt;4&gt;([&lt;00000000001fbf44&gt;] kfree+0x1f8/0x28c)
&lt;4&gt; [&lt;000000000044205a&gt;] __kfree_skb+0x32/0x124
&lt;4&gt; [&lt;000003e0016bd8b2&gt;] iucv_sock_recvmsg+0x236/0x41c [af_iucv]
&lt;4&gt; [&lt;0000000000437042&gt;] sock_aio_read+0x136/0x160
&lt;4&gt; [&lt;0000000000205e50&gt;] do_sync_read+0xe4/0x13c
&lt;4&gt; [&lt;0000000000206dce&gt;] vfs_read+0x152/0x15c
&lt;4&gt; [&lt;0000000000206ed0&gt;] SyS_read+0x54/0xac
&lt;4&gt; [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
&lt;4&gt; [&lt;00000042ff8def3c&gt;] 0x42ff8def3c

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_iucv: do not call iucv_sock_kill() twice</title>
<updated>2009-09-17T03:57:38+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7514bab04e567c9408fe0facbde4277f09d5eb74'/>
<id>7514bab04e567c9408fe0facbde4277f09d5eb74</id>
<content type='text'>
For non-accepted sockets on the accept queue, iucv_sock_kill()
is called twice (in iucv_sock_close() and iucv_sock_cleanup_listen()).
This typically results in a kernel oops as shown below.

Remove the duplicate call to iucv_sock_kill() and set the SOCK_ZAPPED
flag in iucv_sock_close() only.

The iucv_sock_kill() function frees a socket only if the socket is zapped
and orphaned (sk-&gt;sk_socket == NULL):
  - Non-accepted sockets are always orphaned and, thus, iucv_sock_kill()
    frees the socket twice.
  - For accepted sockets or sockets created with iucv_sock_create(),
    sk-&gt;sk_socket is initialized. This caused the first call to
    iucv_sock_kill() to return immediately. To free these sockets,
    iucv_sock_release() uses sock_orphan() before calling iucv_sock_kill().

&lt;1&gt;Unable to handle kernel pointer dereference at virtual kernel address 000000003edd3000
&lt;4&gt;Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
&lt;4&gt;Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod qeth vmur ccwgroup
&lt;4&gt;CPU: 0 Not tainted 2.6.30 #4
&lt;4&gt;Process iucv_sock_close (pid: 2486, task: 000000003aea4340, ksp: 000000003b75bc68)
&lt;4&gt;Krnl PSW : 0704200180000000 000003e00168e23a (iucv_sock_kill+0x2e/0xcc [af_iucv])
&lt;4&gt;           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
&lt;4&gt;Krnl GPRS: 0000000000000000 000000003b75c000 000000003edd37f0 0000000000000001
&lt;4&gt;           000003e00168ec62 000000003988d960 0000000000000000 000003e0016b0608
&lt;4&gt;           000000003fe81b20 000000003839bb58 00000000399977f0 000000003edd37f0
&lt;4&gt;           000003e00168b000 000003e00168f138 000000003b75bcd0 000000003b75bc98
&lt;4&gt;Krnl Code: 000003e00168e22a: c0c0ffffe6eb	larl	%r12,3e00168b000
&lt;4&gt;           000003e00168e230: b90400b2		lgr	%r11,%r2
&lt;4&gt;           000003e00168e234: e3e0f0980024	stg	%r14,152(%r15)
&lt;4&gt;          &gt;000003e00168e23a: e310225e0090	llgc	%r1,606(%r2)
&lt;4&gt;           000003e00168e240: a7110001		tmll	%r1,1
&lt;4&gt;           000003e00168e244: a7840007		brc	8,3e00168e252
&lt;4&gt;           000003e00168e248: d507d00023c8	clc	0(8,%r13),968(%r2)
&lt;4&gt;           000003e00168e24e: a7840009		brc	8,3e00168e260
&lt;4&gt;Call Trace:
&lt;4&gt;([&lt;000003e0016b0608&gt;] afiucv_dbf+0x0/0xfffffffffffdea20 [af_iucv])
&lt;4&gt; [&lt;000003e00168ec6c&gt;] iucv_sock_close+0x130/0x368 [af_iucv]
&lt;4&gt; [&lt;000003e00168ef02&gt;] iucv_sock_release+0x5e/0xe4 [af_iucv]
&lt;4&gt; [&lt;0000000000438e6c&gt;] sock_release+0x44/0x104
&lt;4&gt; [&lt;0000000000438f5e&gt;] sock_close+0x32/0x50
&lt;4&gt; [&lt;0000000000207898&gt;] __fput+0xf4/0x250
&lt;4&gt; [&lt;00000000002038aa&gt;] filp_close+0x7a/0xa8
&lt;4&gt; [&lt;00000000002039ba&gt;] SyS_close+0xe2/0x148
&lt;4&gt; [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
&lt;4&gt; [&lt;00000042ff8deeac&gt;] 0x42ff8deeac

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For non-accepted sockets on the accept queue, iucv_sock_kill()
is called twice (in iucv_sock_close() and iucv_sock_cleanup_listen()).
This typically results in a kernel oops as shown below.

Remove the duplicate call to iucv_sock_kill() and set the SOCK_ZAPPED
flag in iucv_sock_close() only.

The iucv_sock_kill() function frees a socket only if the socket is zapped
and orphaned (sk-&gt;sk_socket == NULL):
  - Non-accepted sockets are always orphaned and, thus, iucv_sock_kill()
    frees the socket twice.
  - For accepted sockets or sockets created with iucv_sock_create(),
    sk-&gt;sk_socket is initialized. This caused the first call to
    iucv_sock_kill() to return immediately. To free these sockets,
    iucv_sock_release() uses sock_orphan() before calling iucv_sock_kill().

&lt;1&gt;Unable to handle kernel pointer dereference at virtual kernel address 000000003edd3000
&lt;4&gt;Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
&lt;4&gt;Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod qeth vmur ccwgroup
&lt;4&gt;CPU: 0 Not tainted 2.6.30 #4
&lt;4&gt;Process iucv_sock_close (pid: 2486, task: 000000003aea4340, ksp: 000000003b75bc68)
&lt;4&gt;Krnl PSW : 0704200180000000 000003e00168e23a (iucv_sock_kill+0x2e/0xcc [af_iucv])
&lt;4&gt;           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
&lt;4&gt;Krnl GPRS: 0000000000000000 000000003b75c000 000000003edd37f0 0000000000000001
&lt;4&gt;           000003e00168ec62 000000003988d960 0000000000000000 000003e0016b0608
&lt;4&gt;           000000003fe81b20 000000003839bb58 00000000399977f0 000000003edd37f0
&lt;4&gt;           000003e00168b000 000003e00168f138 000000003b75bcd0 000000003b75bc98
&lt;4&gt;Krnl Code: 000003e00168e22a: c0c0ffffe6eb	larl	%r12,3e00168b000
&lt;4&gt;           000003e00168e230: b90400b2		lgr	%r11,%r2
&lt;4&gt;           000003e00168e234: e3e0f0980024	stg	%r14,152(%r15)
&lt;4&gt;          &gt;000003e00168e23a: e310225e0090	llgc	%r1,606(%r2)
&lt;4&gt;           000003e00168e240: a7110001		tmll	%r1,1
&lt;4&gt;           000003e00168e244: a7840007		brc	8,3e00168e252
&lt;4&gt;           000003e00168e248: d507d00023c8	clc	0(8,%r13),968(%r2)
&lt;4&gt;           000003e00168e24e: a7840009		brc	8,3e00168e260
&lt;4&gt;Call Trace:
&lt;4&gt;([&lt;000003e0016b0608&gt;] afiucv_dbf+0x0/0xfffffffffffdea20 [af_iucv])
&lt;4&gt; [&lt;000003e00168ec6c&gt;] iucv_sock_close+0x130/0x368 [af_iucv]
&lt;4&gt; [&lt;000003e00168ef02&gt;] iucv_sock_release+0x5e/0xe4 [af_iucv]
&lt;4&gt; [&lt;0000000000438e6c&gt;] sock_release+0x44/0x104
&lt;4&gt; [&lt;0000000000438f5e&gt;] sock_close+0x32/0x50
&lt;4&gt; [&lt;0000000000207898&gt;] __fput+0xf4/0x250
&lt;4&gt; [&lt;00000000002038aa&gt;] filp_close+0x7a/0xa8
&lt;4&gt; [&lt;00000000002039ba&gt;] SyS_close+0xe2/0x148
&lt;4&gt; [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
&lt;4&gt; [&lt;00000042ff8deeac&gt;] 0x42ff8deeac

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_iucv: handle non-accepted sockets after resuming from suspend</title>
<updated>2009-09-17T03:57:36+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=56a73de3889383b70ed1fef06aaab0677731b0ea'/>
<id>56a73de3889383b70ed1fef06aaab0677731b0ea</id>
<content type='text'>
After resuming from suspend, all af_iucv sockets are disconnected.
Ensure that iucv_accept_dequeue() can handle disconnected sockets
which are not yet accepted.

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After resuming from suspend, all af_iucv sockets are disconnected.
Ensure that iucv_accept_dequeue() can handle disconnected sockets
which are not yet accepted.

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>af_iucv: fix race in __iucv_sock_wait()</title>
<updated>2009-09-17T03:57:35+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d9973179aef2af88b6fe4cc1df7ced6fe7cec7d0'/>
<id>d9973179aef2af88b6fe4cc1df7ced6fe7cec7d0</id>
<content type='text'>
Moving prepare_to_wait before the condition to avoid a race between
schedule_timeout and wake up.
The race can appear during iucv_sock_connect() and iucv_callback_connack().

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Moving prepare_to_wait before the condition to avoid a race between
schedule_timeout and wake up.
The race can appear during iucv_sock_connect() and iucv_callback_connack().

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iucv: use correct output register in iucv_query_maxconn()</title>
<updated>2009-09-17T03:57:33+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b29e4da41eb1114080b06dce31326d5a0e96a15a'/>
<id>b29e4da41eb1114080b06dce31326d5a0e96a15a</id>
<content type='text'>
The iucv_query_maxconn() function uses the wrong output register and
stores the size of the interrupt buffer instead of the maximum number
of connections.

According to the QUERY IUCV function, general register 1 contains the
maximum number of connections.

If the maximum number of connections is not set properly, the following
warning is displayed:

Badness at /usr/src/kernel-source/2.6.30-39.x.20090806/net/iucv/iucv.c:1808
Modules linked in: netiucv fsm af_iucv sunrpc qeth_l3 dm_multipath dm_mod vmur qeth ccwgroup
CPU: 0 Tainted: G        W  2.6.30 #4
Process seq (pid: 16925, task: 0000000030e24a40, ksp: 000000003033bd98)
Krnl PSW : 0404200180000000 000000000053b270 (iucv_external_interrupt+0x64/0x224)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
Krnl GPRS: 00000000011279c2 00000000014bdb70 0029000000000000 0000000000000029
           000000000053b236 000000000001dba4 0000000000000000 0000000000859210
           0000000000a67f68 00000000008a6100 000000003f83fb90 0000000000004000
           000000003f8c7bc8 00000000005a2250 000000000053b236 000000003fc2fe08
Krnl Code: 000000000053b262: e33010000021	clg	%r3,0(%r1)
           000000000053b268: a7440010		brc	4,53b288
           000000000053b26c: a7f40001		brc	15,53b26e
          &gt;000000000053b270: c03000184134	larl	%r3,8434d8
           000000000053b276: eb220030000c	srlg	%r2,%r2,48
           000000000053b27c: eb6ff0a00004	lmg	%r6,%r15,160(%r15)
           000000000053b282: c0f4fffff6a7	brcl	15,539fd0
           000000000053b288: 4310a003		ic	%r1,3(%r10)
Call Trace:
([&lt;000000000053b236&gt;] iucv_external_interrupt+0x2a/0x224)
 [&lt;000000000010e09e&gt;] do_extint+0x132/0x190
 [&lt;00000000001184b6&gt;] ext_no_vtime+0x1e/0x22
 [&lt;0000000000549f7a&gt;] _spin_unlock_irqrestore+0x96/0xa4
([&lt;0000000000549f70&gt;] _spin_unlock_irqrestore+0x8c/0xa4)
 [&lt;00000000002101d6&gt;] pipe_write+0x3da/0x5bc
 [&lt;0000000000205d14&gt;] do_sync_write+0xe4/0x13c
 [&lt;0000000000206a7e&gt;] vfs_write+0xae/0x15c
 [&lt;0000000000206c24&gt;] SyS_write+0x54/0xac
 [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
 [&lt;00000042ff8defcc&gt;] 0x42ff8defcc

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The iucv_query_maxconn() function uses the wrong output register and
stores the size of the interrupt buffer instead of the maximum number
of connections.

According to the QUERY IUCV function, general register 1 contains the
maximum number of connections.

If the maximum number of connections is not set properly, the following
warning is displayed:

Badness at /usr/src/kernel-source/2.6.30-39.x.20090806/net/iucv/iucv.c:1808
Modules linked in: netiucv fsm af_iucv sunrpc qeth_l3 dm_multipath dm_mod vmur qeth ccwgroup
CPU: 0 Tainted: G        W  2.6.30 #4
Process seq (pid: 16925, task: 0000000030e24a40, ksp: 000000003033bd98)
Krnl PSW : 0404200180000000 000000000053b270 (iucv_external_interrupt+0x64/0x224)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
Krnl GPRS: 00000000011279c2 00000000014bdb70 0029000000000000 0000000000000029
           000000000053b236 000000000001dba4 0000000000000000 0000000000859210
           0000000000a67f68 00000000008a6100 000000003f83fb90 0000000000004000
           000000003f8c7bc8 00000000005a2250 000000000053b236 000000003fc2fe08
Krnl Code: 000000000053b262: e33010000021	clg	%r3,0(%r1)
           000000000053b268: a7440010		brc	4,53b288
           000000000053b26c: a7f40001		brc	15,53b26e
          &gt;000000000053b270: c03000184134	larl	%r3,8434d8
           000000000053b276: eb220030000c	srlg	%r2,%r2,48
           000000000053b27c: eb6ff0a00004	lmg	%r6,%r15,160(%r15)
           000000000053b282: c0f4fffff6a7	brcl	15,539fd0
           000000000053b288: 4310a003		ic	%r1,3(%r10)
Call Trace:
([&lt;000000000053b236&gt;] iucv_external_interrupt+0x2a/0x224)
 [&lt;000000000010e09e&gt;] do_extint+0x132/0x190
 [&lt;00000000001184b6&gt;] ext_no_vtime+0x1e/0x22
 [&lt;0000000000549f7a&gt;] _spin_unlock_irqrestore+0x96/0xa4
([&lt;0000000000549f70&gt;] _spin_unlock_irqrestore+0x8c/0xa4)
 [&lt;00000000002101d6&gt;] pipe_write+0x3da/0x5bc
 [&lt;0000000000205d14&gt;] do_sync_write+0xe4/0x13c
 [&lt;0000000000206a7e&gt;] vfs_write+0xae/0x15c
 [&lt;0000000000206c24&gt;] SyS_write+0x54/0xac
 [&lt;0000000000117c8e&gt;] sysc_noemu+0x10/0x16
 [&lt;00000042ff8defcc&gt;] 0x42ff8defcc

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iucv: fix iucv_buffer_cpumask check when calling IUCV functions</title>
<updated>2009-09-17T03:57:31+00:00</updated>
<author>
<name>Hendrik Brueckner</name>
<email>brueckner@linux.vnet.ibm.com</email>
</author>
<published>2009-09-16T04:37:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d28ecab0c40f587fd1e28701c195747220c984e2'/>
<id>d28ecab0c40f587fd1e28701c195747220c984e2</id>
<content type='text'>
Prior to calling IUCV functions, the DECLARE BUFFER function must have been
called for at least one CPU to receive IUCV interrupts.

With commit "iucv: establish reboot notifier" (6c005961), a check has been
introduced to avoid calling IUCV functions if the current CPU does not have
an interrupt buffer declared.
Because one interrupt buffer is sufficient, change the condition to ensure
that one interrupt buffer is available.

In addition, checking the buffer on the current CPU creates a race with
CPU up/down notifications: before checking the buffer, the IUCV function
might be interrupted by an smp_call_function() that retrieves the interrupt
buffer for the current CPU.
When the IUCV function continues, the check fails and -EIO is returned. If a
buffer is available on any other CPU, the IUCV function call must be invoked
(instead of failing with -EIO).

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Prior to calling IUCV functions, the DECLARE BUFFER function must have been
called for at least one CPU to receive IUCV interrupts.

With commit "iucv: establish reboot notifier" (6c005961), a check has been
introduced to avoid calling IUCV functions if the current CPU does not have
an interrupt buffer declared.
Because one interrupt buffer is sufficient, change the condition to ensure
that one interrupt buffer is available.

In addition, checking the buffer on the current CPU creates a race with
CPU up/down notifications: before checking the buffer, the IUCV function
might be interrupted by an smp_call_function() that retrieves the interrupt
buffer for the current CPU.
When the IUCV function continues, the check fails and -EIO is returned. If a
buffer is available on any other CPU, the IUCV function call must be invoked
(instead of failing with -EIO).

Signed-off-by: Hendrik Brueckner &lt;brueckner@linux.vnet.ibm.com&gt;
Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iucv: suspend/resume error msg for left over pathes</title>
<updated>2009-09-17T03:57:29+00:00</updated>
<author>
<name>Ursula Braun</name>
<email>ursula.braun@de.ibm.com</email>
</author>
<published>2009-09-16T04:37:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4c89d86b4df8e4f2cdccb72495e2f4664118ebf1'/>
<id>4c89d86b4df8e4f2cdccb72495e2f4664118ebf1</id>
<content type='text'>
During suspend IUCV exploiters have to close their IUCV connections.
When restoring an image, it can be checked if all IUCV pathes had
been closed before the Linux instance was suspended. If not, an
error message is issued to indicate a problem in one of the
used programs exploiting IUCV communication.

Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
During suspend IUCV exploiters have to close their IUCV connections.
When restoring an image, it can be checked if all IUCV pathes had
been closed before the Linux instance was suspended. If not, an
error message is issued to indicate a problem in one of the
used programs exploiting IUCV communication.

Signed-off-by: Ursula Braun &lt;ursula.braun@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: constify remaining proto_ops</title>
<updated>2009-09-15T00:03:09+00:00</updated>
<author>
<name>Alexey Dobriyan</name>
<email>adobriyan@gmail.com</email>
</author>
<published>2009-09-14T12:23:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5708e868dc512f055f0ea4a14d01f8252c3ca8a1'/>
<id>5708e868dc512f055f0ea4a14d01f8252c3ca8a1</id>
<content type='text'>
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: adding memory barrier to the poll and receive callbacks</title>
<updated>2009-07-10T00:06:57+00:00</updated>
<author>
<name>Jiri Olsa</name>
<email>jolsa@redhat.com</email>
</author>
<published>2009-07-08T12:09:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a57de0b4336e48db2811a2030bb68dba8dd09d88'/>
<id>a57de0b4336e48db2811a2030bb68dba8dd09d88</id>
<content type='text'>
Adding memory barrier after the poll_wait function, paired with
receive callbacks. Adding fuctions sock_poll_wait and sk_has_sleeper
to wrap the memory barrier.

Without the memory barrier, following race can happen.
The race fires, when following code paths meet, and the tp-&gt;rcv_nxt
and __add_wait_queue updates stay in CPU caches.

CPU1                         CPU2

sys_select                   receive packet
  ...                        ...
  __add_wait_queue           update tp-&gt;rcv_nxt
  ...                        ...
  tp-&gt;rcv_nxt check          sock_def_readable
  ...                        {
  schedule                      ...
                                if (sk-&gt;sk_sleep &amp;&amp; waitqueue_active(sk-&gt;sk_sleep))
                                        wake_up_interruptible(sk-&gt;sk_sleep)
                                ...
                             }

If there was no cache the code would work ok, since the wait_queue and
rcv_nxt are opposit to each other.

Meaning that once tp-&gt;rcv_nxt is updated by CPU2, the CPU1 either already
passed the tp-&gt;rcv_nxt check and sleeps, or will get the new value for
tp-&gt;rcv_nxt and will return with new data mask.
In both cases the process (CPU1) is being added to the wait queue, so the
waitqueue_active (CPU2) call cannot miss and will wake up CPU1.

The bad case is when the __add_wait_queue changes done by CPU1 stay in its
cache, and so does the tp-&gt;rcv_nxt update on CPU2 side.  The CPU1 will then
endup calling schedule and sleep forever if there are no more data on the
socket.

Calls to poll_wait in following modules were ommited:
	net/bluetooth/af_bluetooth.c
	net/irda/af_irda.c
	net/irda/irnet/irnet_ppp.c
	net/mac80211/rc80211_pid_debugfs.c
	net/phonet/socket.c
	net/rds/af_rds.c
	net/rfkill/core.c
	net/sunrpc/cache.c
	net/sunrpc/rpc_pipe.c
	net/tipc/socket.c

Signed-off-by: Jiri Olsa &lt;jolsa@redhat.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Adding memory barrier after the poll_wait function, paired with
receive callbacks. Adding fuctions sock_poll_wait and sk_has_sleeper
to wrap the memory barrier.

Without the memory barrier, following race can happen.
The race fires, when following code paths meet, and the tp-&gt;rcv_nxt
and __add_wait_queue updates stay in CPU caches.

CPU1                         CPU2

sys_select                   receive packet
  ...                        ...
  __add_wait_queue           update tp-&gt;rcv_nxt
  ...                        ...
  tp-&gt;rcv_nxt check          sock_def_readable
  ...                        {
  schedule                      ...
                                if (sk-&gt;sk_sleep &amp;&amp; waitqueue_active(sk-&gt;sk_sleep))
                                        wake_up_interruptible(sk-&gt;sk_sleep)
                                ...
                             }

If there was no cache the code would work ok, since the wait_queue and
rcv_nxt are opposit to each other.

Meaning that once tp-&gt;rcv_nxt is updated by CPU2, the CPU1 either already
passed the tp-&gt;rcv_nxt check and sleeps, or will get the new value for
tp-&gt;rcv_nxt and will return with new data mask.
In both cases the process (CPU1) is being added to the wait queue, so the
waitqueue_active (CPU2) call cannot miss and will wake up CPU1.

The bad case is when the __add_wait_queue changes done by CPU1 stay in its
cache, and so does the tp-&gt;rcv_nxt update on CPU2 side.  The CPU1 will then
endup calling schedule and sleep forever if there are no more data on the
socket.

Calls to poll_wait in following modules were ommited:
	net/bluetooth/af_bluetooth.c
	net/irda/af_irda.c
	net/irda/irnet/irnet_ppp.c
	net/mac80211/rc80211_pid_debugfs.c
	net/phonet/socket.c
	net/rds/af_rds.c
	net/rfkill/core.c
	net/sunrpc/cache.c
	net/sunrpc/rpc_pipe.c
	net/tipc/socket.c

Signed-off-by: Jiri Olsa &lt;jolsa@redhat.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
