summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2010-09-23tegra bluesleep: Bluetooth active power management driverAnantha Idapalapati
A new driver is implemented to actively manage the bluetooth module power. bluesleep also tries to manage the power of the transport used. Two signals (GPIOs) are used to manage the power events. BT_WAKE : signal from HOST to BT chip to intimate BT chip can sleep. HOST_WAKE: signal from BT chip to HOST to intimate HOST should wakeup/ activate the transport modules required for BT communication. Bug 680524, 691608 (cherry picked from commit 111f4ccd3c4cfde2fa52ae4c0c56a2288c3af3a8) Change-Id: I5edba2aa18c566f0ebfc4ecf9c54149ee3376666 Reviewed-on: http://git-master/r/6850 Reviewed-by: Udaykumar Rameshchan Raval <uraval@nvidia.com> Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com> Reviewed-by: Anantha Idapalapati <aidapalapati@nvidia.com> Tested-by: Anantha Idapalapati <aidapalapati@nvidia.com>
2010-05-23Bluetooth: Hack: Don't dereference null pointer.Nick Pelly
This avoids the S305 panic during incoming connection. S305 sends PSM 25 L2CAP connection request before the L2CAP info response. When we receive that info response we crash on null pointer here. Bug: 2127637 Change-Id: Ib637516251f46fa9a9c87ac015dc2f27df5a27fd Signed-off-by: Nick Pelly <npelly@google.com>
2010-03-10Merge commit 'v2.6.32.9' into android-2.6.32Arve Hjønnevåg
2010-03-09Bluetooth: Use non-flushable pb flag by default for ACL data on capable ↵Nick Pelly
chipsets. With Bluetooth 2.1 ACL packets can be flushable or non-flushable. This commit makes ACL data packets non-flushable by default on compatible chipsets, and adds the L2CAP_LM_FLUSHABLE socket option to explicitly request flushable ACL data packets for a given L2CAP socket. This is useful for A2DP data which can be safely discarded if it can not be delivered within a short time (while other ACL data should not be discarded). Note that making ACL data flushable has no effect unless the automatic flush timeout for that ACL link is changed from its default of 0 (infinite). Change-Id: Ie3d4befdeaefb8c979de7ae603ff5ec462b3483c Signed-off-by: Nick Pelly <npelly@google.com>
2010-03-09Revert "Bluetooth: Introduce L2CAP_LM_FLUSHABLE to allow flushing of ACL ↵Nick Pelly
packets." This reverts commit d7897fd1e9fb3a5df0740dc2dc45ec94ca0965f2. Change-Id: I3401550b6dc97b683104e9fdac30a617a2db8c8e Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-24Bluetooth: Allow SCO/eSCO packet type selection for outgoing SCO connections.Nick Pelly
__u16 sco_pkt_type is introduced to struct sockaddr_sco. It allows bitwise selection of SCO/eSCO packet types. Currently those bits are: 0x0001 HV1 may be used. 0x0002 HV2 may be used. 0x0004 HV3 may be used. 0x0008 EV3 may be used. 0x0010 EV4 may be used. 0x0020 EV5 may be used. 0x0040 2-EV3 may be used. 0x0080 3-EV3 may be used. 0x0100 2-EV5 may be used. 0x0200 3-EV5 may be used. This is similar to the Packet Type parameter in the HCI Setup Synchronous Connection Command, except that we are not reversing the logic on the EDR bits. This makes the use of sco_pkt_tpye forward portable for the use case of white-listing packet types, which we expect will be the primary use case. If sco_pkt_type is zero, or userspace uses the old struct sockaddr_sco, then the default behavior is to allow all packet types. Packet type selection is just a request made to the Bluetooth chipset, and it is up to the link manager on the chipset to negiotiate and decide on the actual packet types used. Furthermore, when a SCO/eSCO connection is eventually made there is no way for the host stack to determine which packet type was used (however it is possible to get the link type of SCO or eSCO). sco_pkt_type is ignored for incoming SCO connections. It is possible to add this in the future as a parameter to the Accept Synchronous Connection Command, however its a little trickier because the kernel does not currently preserve sockaddr_sco data between userspace calls to accept(). The most common use for sco_pkt_type will be to white-list only SCO packets, which can be done with the hci.h constant SCO_ESCO_MASK. This patch is motivated by broken Bluetooth carkits such as the Motorolo HF850 (it claims to support eSCO, but will actually reject eSCO connections after 5 seconds) and the 2007/2008 Infiniti G35/37 (fails to route audio if a 2-EV5 packet type is negiotiated). With this patch userspace can maintain a list of compatible packet types to workaround remote devices such as these. Based on a patch by Marcel Holtmann. Change-Id: I304d8fda5b4145254820a3003820163bf53de5a5 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-24Revert "Bluetooth: Change RFCOMM to use BT_CONNECT2 for BT_DEFER_SETUP"Nick Pelly
This reverts commit 8bf4794174659b06d43cc5e290cd384757374613. Change-Id: Ieaeed6866996446e0392e387b77b446361f23d46 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-24Revert "Bluetooth: Fix removing of RFCOMM DLC timer with DEFER_SETUP"Nick Pelly
This reverts commit e2139b32726e5dd184974c785ea3f62026590801. Change-Id: Id948d5860840aaf85eca7d8894a7bb3192f0bb47 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-23mac80211: Fix probe request filtering in IBSS modeBenoit Papillault
commit 0da780c269957783d341fc3559e6b4c9912af7b4 upstream. We only reply to probe request if either the requested SSID is the broadcast SSID or if the requested SSID matches our own SSID. This latter case was not properly handled since we were replying to different SSID with the same length as our own SSID. Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23pktgen: Fix freezing problemRafael J. Wysocki
commit 1b3f720bf033fde1fbb6231f9b156b918c5f68d8 upstream. Add missing try_to_freeze() to one of the pktgen_thread_worker() code paths so that it doesn't block suspend/hibernation. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=15006 Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Reported-and-tested-by: Ciprian Dorin Craciun <ciprian.craciun@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23dst: call cond_resched() in dst_gc_task()Eric Dumazet
commit 2fc1b5dd99f66d93ffc23fd8df82d384c1a354c8 upstream. Kernel bugzilla #15239 On some workloads, it is quite possible to get a huge dst list to process in dst_gc_task(), and trigger soft lockup detection. Fix is to call cond_resched(), as we run in process context. Reported-by: Pawel Staszewski <pstaszewski@itcare.pl> Tested-by: Pawel Staszewski <pstaszewski@itcare.pl> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23netfilter: nf_conntrack: fix hash resizing with namespacesPatrick McHardy
commit d696c7bdaa55e2208e56c6f98e6bc1599f34286d upstream. As noticed by Jon Masters <jonathan@jonmasters.org>, the conntrack hash size is global and not per namespace, but modifiable at runtime through /sys/module/nf_conntrack/hashsize. Changing the hash size will only resize the hash in the current namespace however, so other namespaces will use an invalid hash size. This can cause crashes when enlarging the hashsize, or false negative lookups when shrinking it. Move the hash size into the per-namespace data and only use the global hash size to initialize the per-namespace value when instanciating a new namespace. Additionally restrict hash resizing to init_net for now as other namespaces are not handled currently. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23netfilter: xtables: compat out of scope fixAlexey Dobriyan
commit 14c7dbe043d01a83a30633ab6b109ba2ac61d9f7 upstream. As per C99 6.2.4(2) when temporary table data goes out of scope, the behaviour is undefined: if (compat) { struct foo tmp; ... private = &tmp; } [dereference private] Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23netfilter: nf_conntrack: restrict runtime expect hashsize modificationsAlexey Dobriyan
commit 13ccdfc2af03e09e60791f7d4bc4ccf53398af7c upstream. Expectation hashtable size was simply glued to a variable with no code to rehash expectations, so it was a bug to allow writing to it. Make "expect_hashsize" readonly. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23netfilter: nf_conntrack: per netns nf_conntrack_cachepEric Dumazet
commit 5b3501faa8741d50617ce4191c20061c6ef36cb3 upstream. nf_conntrack_cachep is currently shared by all netns instances, but because of SLAB_DESTROY_BY_RCU special semantics, this is wrong. If we use a shared slab cache, one object can instantly flight between one hash table (netns ONE) to another one (netns TWO), and concurrent reader (doing a lookup in netns ONE, 'finding' an object of netns TWO) can be fooled without notice, because no RCU grace period has to be observed between object freeing and its reuse. We dont have this problem with UDP/TCP slab caches because TCP/UDP hashtables are global to the machine (and each object has a pointer to its netns). If we use per netns conntrack hash tables, we also *must* use per netns conntrack slab caches, to guarantee an object can not escape from one namespace to another one. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> [Patrick: added unique slab name allocation] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-23netfilter: nf_conntrack: fix memory corruption with multiple namespacesPatrick McHardy
commit 9edd7ca0a3e3999c260642c92fa008892d82ca6e upstream. As discovered by Jon Masters <jonathan@jonmasters.org>, the "untracked" conntrack, which is located in the data section, might be accidentally freed when a new namespace is instantiated while the untracked conntrack is attached to a skb because the reference count it re-initialized. The best fix would be to use a seperate untracked conntrack per namespace since it includes a namespace pointer. Unfortunately this is not possible without larger changes since the namespace is not easily available everywhere we need it. For now move the untracked conntrack initialization to the init_net setup function to make sure the reference count is not re-initialized and handle cleanup in the init_net cleanup function to make sure namespaces can exit properly while the untracked conntrack is in use in other namespaces. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-17Revert "Bluetooth: Fix rejected connection not disconnecting ACL link"Nick Pelly
This reverts commit 9e726b17422bade75fba94e625cd35fd1353e682. Change-Id: I3bc2e4caa2a0e0c36b9c7de4a09b03276adae4e1 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-09mac80211: fix NULL pointer dereference when ftrace is enabledZhu Yi
commit 3092ad054406f069991ca561adc74f2d9fbb6867 upstream. I got below kernel oops when I try to bring down the network interface if ftrace is enabled. The root cause is drv_ampdu_action() is passed with a NULL ssn pointer in the BA session tear down case. We need to check and avoid dereferencing it in trace entry assignment. BUG: unable to handle kernel NULL pointer dereference Modules linked in: at (null) IP: [<f98fe02a>] ftrace_raw_event_drv_ampdu_action+0x10a/0x160 [mac80211] *pde = 00000000 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [...] Call Trace: [<f98fdf20>] ? ftrace_raw_event_drv_ampdu_action+0x0/0x160 [mac80211] [<f98dac4c>] ? __ieee80211_stop_rx_ba_session+0xfc/0x220 [mac80211] [<f98d97fb>] ? ieee80211_sta_tear_down_BA_sessions+0x3b/0x50 [mac80211] [<f98dc6f6>] ? ieee80211_set_disassoc+0xe6/0x230 [mac80211] [<f98dc6ac>] ? ieee80211_set_disassoc+0x9c/0x230 [mac80211] [<f98dcbb8>] ? ieee80211_mgd_deauth+0x158/0x170 [mac80211] [<f98e4bdb>] ? ieee80211_deauth+0x1b/0x20 [mac80211] [<f8987f49>] ? __cfg80211_mlme_deauth+0xe9/0x120 [cfg80211] [<f898b870>] ? __cfg80211_disconnect+0x170/0x1d0 [cfg80211] Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-09ax25: netrom: rose: Fix timer oopsesJarek Poplawski
[ Upstream commit d00c362f1b0ff54161e0a42b4554ac621a9ef92d ] Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905 Reported-by: Bernard Pidoux <bpidoux@free.fr> Tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-09af_packet: Don't use skb after dev_queue_xmit()Jarek Poplawski
[ Upstream commit eb70df13ee52dbc0f2c0ffd8ed34a8cd27440baf ] tpacket_snd() can change and kfree an skb after dev_queue_xmit(), which is illegal. With debugging by: Stephen Hemminger <shemminger@vyatta.com> Reported-by: Michael Breuer <mbreuer@majjas.com> With help from: David S. Miller <davem@davemloft.net> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Tested-by: Michael Breuer<mbreuer@majjas.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-09net: restore ip source validationJamal Hadi Salim
[ Upstream commit 28f6aeea3f12d37bd258b2c0d5ba891bff4ec479 ] when using policy routing and the skb mark: there are cases where a back path validation requires us to use a different routing table for src ip validation than the one used for mapping ingress dst ip. One such a case is transparent proxying where we pretend to be the destination system and therefore the local table is used for incoming packets but possibly a main table would be used on outbound. Make the default behavior to allow the above and if users need to turn on the symmetry via sysctl src_valid_mark Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-09tcp: update the netstamp_needed counter when cloning socketsOctavian Purdila
[ Upstream commit 704da560c0a0120d8869187f511491a00951a1d3 ] This fixes a netstamp_needed accounting issue when the listen socket has SO_TIMESTAMP set: s = socket(AF_INET, SOCK_STREAM, 0); setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -> netstamp_needed = 1 bind(s, ...); listen(s, ...); s2 = accept(s, ...); -> netstamp_needed = 1 close(s2); -> netstamp_needed = 0 close(s); -> netstamp_needed = -1 Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-08Bluetooth: Hack: Do not use power_save feature.Nick Pelly
power_save is a feature to allow HID devices to control the sniff mode. Unfortunately it also prevents us exiting sniff mode on some A2DP devices that do not explicitly exit sniff mode themselves, resulting in skipping audio. Marcel is trying to finalize a setsockopt() API to control whether power_save is enabled on a per socket basis. In the mean-time, turn off power_save for Android, since we do not have official HID support, and this is causing problems for A2DP which we do support. (Note the power_save logic is reversed, 0 is on, 1 is off). Change-Id: Ife4478055128b81669bf49308d2e2199e1aa11a1 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Introduce L2CAP_LM_FLUSHABLE to allow flushing of ACL packets.Nick Pelly
With Bluetooth 2.1 ACL packets can be flushable or non-flushable. This changes makes the default ACL packet non-flushable, and allows selection of flushable packets on a per-L2CAP socket basis with L2CAP_LM_FLUSHABLE. Note the HCI Write Automatic Flush Timeout command also needs to be issued to set the flush timeout to non-zero. Need to featurize this change to Bluetooth 2.1 chipsets only before pushing upstream. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Add ACL MTU, available buffers and total buffers to hci_conn_info.Nick Pelly
This provides userspace debugging tools access to ACL flow control state. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Enter active mode before establishing a SCO link.Nick Pelly
When in sniff mode with a long interval time (1.28s) it can take 4+ seconds to establish a SCO link. Fix by requesting active mode before requesting SCO connection. This improves SCO setup time to ~500ms. Bluetooth headsets that use a long interval time, and exhibit the long SCO connection time include Motorola H790, HX1 and H17. They have a CSR 2.1 chipset Verified this behavior and fix with host Bluetooth chipsets: BCM4329 and TI1271. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Fallback to SCO on error code 0x10 (Connection Accept Timeout).Nick Pelly
This is to support the Motorola HF850 carkit which reports the error code 0x10 for an eSCO attempt, even though it advertises eSCO support. Here is the hcidump: 2009-09-22 15:40:24.492391 < HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17 handle 1 voice setting 0x0060 2009-09-22 15:40:24.493002 > HCI Event: Command Status (0x0f) plen 4 Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1 2009-09-22 15:40:30.594869 > HCI Event: Synchronous Connect Complete (0x2c) plen 17 status 0x10 handle 257 bdaddr 00:50:CD:20:C6:84 type eSCO Error: Connection Accept Timeout Exceeded With this patch we will retry with a SCO connection, which succeeds. Unfortunately the Moto HF850 also takes 5 seconds to return the error for the eSCO attempt, so it will still take 5 seconds to fallback to SCO with this patch. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Do not call rfcomm_session_put() due to RFCOMM UA on closed socket.Nick Pelly
Processing a RFCOMM UA frame when the socket is closed and we were not the RFCOMM initiator would cause rfcomm_session_put() to be called twice during rfcomm_process_rx(). This would cause a kernel panic in rfcomm_session_close. This could be easily reproduced during disconnect with devices such as Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect request. This hcidump for this looks like: 2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8 L2CAP(d): cid 0x0041 len 4 [psm 3] RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d 2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8 L2CAP(d): cid 0x0040 len 4 [psm 3] RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57 2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8 L2CAP(d): cid 0x0041 len 4 [psm 3] RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c 2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8 L2CAP(d): cid 0x0040 len 4 [psm 3] RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6 2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12 L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041 Avoid calling rfcomm_session_put() twice by skipping this call in rfcomm_recv_ua() if the socket is closed. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Fallback from eSCO to SCO on error code 0x1a (unsupported feature).Nick Pelly
GM carkits with LGE BT chipsets return this error code when eSCO is attempted. Signed-off-by: Jaikumar Ganesh <jaikumar@google.com> Acked-by: Nick Pelly <npelly@google.com>
2010-02-08Bluetooth: Do not attempt to send dlci disconnect when in BT_CONFIG.Nick Pelly
This fixes a bug where shutdown() and close() on a rfcomm socket during ACL connection would not cause HCI Create Connection Cancel. Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08rfkill: Introduce CONFIG_RFKILL_PM and use instead of CONFIG_PM to power downNick Pelly
Some platforms do not want to power down rfkill devices on suspend. Change-Id: I62a11630521c636d54a4a02ab9037a43435925f5 Signed-off-by: Nick Pelly <npelly@google.com>
2010-02-08net: Replace AID_NET_RAW checks with capable(CAP_NET_RAW).Chia-chi Yeh
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
2010-02-08uidstat: Adding uid stat driver to collect network statistics.Mike Chan
Signed-off-by: Mike Chan <mike@android.com>
2010-02-08sysfs_net_ipv4: Add sysfs-based knobs for controlling TCP window sizeRobert Love
Add a family of knobs to /sys/kernel/ipv4 for controlling the TCP window size: tcp_wmem_min tcp_wmem_def tcp_wmem_max tcp_rmem_min tcp_rmem_def tcp_rmem_max This six values mirror the sysctl knobs in /proc/sys/net/ipv4/tcp_wmem and /proc/sys/net/ipv4/tcp_rmem. Sysfs, unlike sysctl, allows us to set and manage the files' permissions and owners. Signed-off-by: Robert Love <rlove@google.com>
2010-02-08net: socket ioctl to reset connections matching local addressRobert Love
Introduce a new socket ioctl, SIOCKILLADDR, that nukes all sockets bound to the same local address. This is useful in situations with dynamic IPs, to kill stuck connections. Signed-off-by: Brian Swetland <swetland@google.com> net: fix tcp_v4_nuke_addr Signed-off-by: Dima Zavin <dima@android.com> net: ipv4: Fix a spinlock recursion bug in tcp_v4_nuke. We can't hold the lock while calling to tcp_done(), so we drop it before calling. We then have to start at the top of the chain again. Signed-off-by: Dima Zavin <dima@android.com> net: ipv4: Fix race in tcp_v4_nuke_addr(). To fix a recursive deadlock in 2.6.29, we stopped holding the hash table lock across tcp_done() calls. This fixed the deadlock, but introduced a race where the socket could die or change state. Fix: Before unlocking the hash table, we grab a reference to the socket. We can then unlock the hash table without risk of the socket going away. We then lock the socket, which is safe because it is pinned. We can then call tcp_done() without recursive deadlock and without race. Upon return, we unlock the socket and then unpin it, killing it. Change-Id: Idcdae072b48238b01bdbc8823b60310f1976e045 Signed-off-by: Robert Love <rlove@google.com> Acked-by: Dima Zavin <dima@android.com> ipv4: disable bottom halves around call to tcp_done(). Signed-off-by: Robert Love <rlove@google.com> Signed-off-by: Colin Cross <ccross@android.com> ipv4: Move sk_error_report inside bh_lock_sock in tcp_v4_nuke_addr When sk_error_report is called, it wakes up the user-space thread, which then calls tcp_close. When the tcp_close is interrupted by the tcp_v4_nuke_addr ioctl thread running tcp_done, it leaks 392 bytes and triggers a WARN_ON. This patch moves the call to sk_error_report inside the bh_lock_sock, which matches the locking used in tcp_v4_err. Signed-off-by: Colin Cross <ccross@android.com>
2010-02-08Paranoid network.Robert Love
With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate network sockets. Signed-off-by: Robert Love <rlove@google.com> paranoid networking: Use in_egroup_p() to check group membership The previous group_search() caused trouble for partners with module builds. in_egroup_p() is also cleaner. Signed-off-by: Nick Pelly <npelly@google.com> Fix 2.6.29 build. Signed-off-by: Arve Hjønnevåg <arve@android.com> net: Fix compilation of the IPv6 module Fix compilation of the IPv6 module -- current->euid does not exist anymore, current_euid() is what needs to be used. Signed-off-by: Steinar H. Gunderson <sesse@google.com>
2010-01-28cfg80211: fix channel setting for wextAbhijeet Kolekar
commit 5f6120335c701ba07d5151206071f4d6ccaa684f upstream. Patch fixes the bug at http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2139 Currently we cannot set the channel using wext extension if we have already associated and disconnected. As cfg80211_mgd_wext_siwfreq will not switch the channel if ssid is set. This fixes it by clearing the ssid. Following is the sequence which it tries to fix. modprobe iwlagn iwconfig wlan0 essid "" ifconfig wlan0 down iwconfig wlan0 chan X wext is marked as deprecate.If we use nl80211 we can easily play with setting the channel. Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-28mac80211: check that ieee80211_set_power_mgmt only handles STA interfaces.Benoit Papillault
commit e5de30c9bf4a39db9f54c4a373470ce65881ade0 upstream. ieee80211_set_power_mgmt is meant for STA interfaces only. Moreover, since sdata->u.mgd.mtx is only initialized for STA interfaces, using this code for any other type of interface (like creating a monitor interface) will result in a oops. Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-28netfilter: xtables: fix conntrack match v1 ipt-save outputFlorian Westphal
commit 3a0429292daa0e1ec848bd26479f5e48b0d54a42 upstream. commit d6d3f08b0fd998b647a05540cedd11a067b72867 (netfilter: xtables: conntrack match revision 2) does break the v1 conntrack match iptables-save output in a subtle way. Problem is as follows: up = kmalloc(sizeof(*up), GFP_KERNEL); [..] /* * The strategy here is to minimize the overhead of v1 matching, * by prebuilding a v2 struct and putting the pointer into the * v1 dataspace. */ memcpy(up, info, offsetof(typeof(*info), state_mask)); [..] *(void **)info = up; As the v2 struct pointer is saved in the match data space, it clobbers the first structure member (->origsrc_addr). Because the _v1 match function grabs this pointer and does not actually look at the v1 origsrc, run time functionality does not break. But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr has been overloaded in this way: $ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT $ iptables-save -A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT (128.173... is the address to the v2 match structure). To fix this, we take advantage of the fact that the v1 and v2 structures are identical with exception of the last two structure members (u8 in v1, u16 in v2). We extract them as early as possible and prevent the v2 matching function from looking at those two members directly. Previously reported by Michel Messerschmidt via Ben Hutchings, also see Debian Bug tracker #556587. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().David S. Miller
commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream. This fixes CERT-FI FICORA #341748 Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd. Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.") However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function. Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate it's argument, so the dereference would not occur. So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development. With help from Eugene Teo <eugene@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18mac80211: fix skb buffering issue (and fixes to that)Johannes Berg
This is a backport of the mainline patches cf0277e714a0db302a8f80e1b85fd61c32cf00b3 045cfb71a3901005bf6dcedae98cecb3360a0bfc b49bb574e44226b332c28439999d196ddec2f643 Here is the description of the first of those patches (the other two just fixed bugs added by that patch): Since I removed the master netdev, we've been keeping internal queues only, and even before that we never told the networking stack above the virtual interfaces about congestion. This means that packets are queued in mac80211 and the upper layers never know, possibly leading to memory exhaustion and other problems. This patch makes all interfaces multiqueue and uses ndo_select_queue to put the packets into queues per AC. Additionally, when the driver stops a queue, we now stop all corresponding queues for the virtual interfaces as well. The injection case will use VO by default for non-data frames, and BE for data frames, but downgrade any data frames according to ACM. It needs to be fleshed out in the future to allow chosing the queue/AC in radiotap. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18mac80211: add missing sanity checks for action framesFelix Fietkau
commit d79074488083ec0d7ecd15352192dc1631f25643 upstream. Various missing sanity checks caused rejected action frames to be interpreted as channel switch announcements, which can cause a client mode interface to switch away from its operating channel, thereby losing connectivity. This patch ensures that only spectrum management action frames are processed by the CSA handling function and prevents rejected action frames from getting processed by the MLME code. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18cfg80211: fix syntax error on user regulatory hintsLuis R. Rodriguez
commit e12822e1d3fface0d9e1095c5177e10141bd6bd6 upstream. This fixes a syntax error when setting up the user regulatory hint. This change yields the same exact binary object though so it ends up just being a syntax typo fix, fortunately. Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()Patrick McHardy
commit aaff23a95aea5f000895f50d90e91f1e2f727002 upstream. As noticed by Dan Carpenter <error27@gmail.com>, update_nl_seq() currently contains an out of bounds read of the seq_aft_nl array when looking for the oldest sequence number position. Fix it to only compare valid positions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18netfilter: ebtables: enforce CAP_NET_ADMINFlorian Westphal
commit dce766af541f6605fa9889892c0280bab31c66ab upstream. normal users are currently allowed to set/modify ebtables rules. Restrict it to processes with CAP_NET_ADMIN. Note that this cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18sunrpc: on successful gss error pipe write, don't return errorJeff Layton
commit 486bad2e40e938cd68fd853b7a9fa3115a9d3a4a upstream. When handling the gssd downcall, the kernel should distinguish between a successful downcall that contains an error code and a failed downcall (i.e. where the parsing failed or some other sort of problem occurred). In the former case, gss_pipe_downcall should be returning the number of bytes written to the pipe instead of an error. In the event of other errors, we generally want the initiating task to retry the upcall so we set msg.errno to -EAGAIN. An unexpected error code here is a bug however, so BUG() in that case. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18SUNRPC: Fix the return value in gss_import_sec_context()Trond Myklebust
commit b891e4a05ef6beac85465295a032431577c66b16 upstream. If the context allocation fails, it will return GSS_S_FAILURE, which is neither a valid error code, nor is it even negative. Return ENOMEM instead... Reported-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18SUNRPC: Fix up an error return value in gss_import_sec_context_kerberos()Trond Myklebust
commit 14ace024b1e16d2bb9445c8387494fbbd820a738 upstream. If the context allocation fails, the function currently returns a random error code, since the variable 'p' still points to a valid memory location. Ensure that it returns ENOMEM... Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-18sunrpc: fix peername failed on closed listenerXiaotian Feng
commit b292cf9ce70d221c3f04ff62db5ab13d9a249ca8 upstream. There're some warnings of "nfsd: peername failed (err 107)!" socket error -107 means Transport endpoint is not connected. This warning message was outputed by svc_tcp_accept() [net/sunrpc/svcsock.c], when kernel_getpeername returns -107. This means socket might be CLOSED. And svc_tcp_accept was called by svc_recv() [net/sunrpc/svc_xprt.c] if (test_bit(XPT_LISTENER, &xprt->xpt_flags)) { <snip> newxpt = xprt->xpt_ops->xpo_accept(xprt); <snip> So this might happen when xprt->xpt_flags has both XPT_LISTENER and XPT_CLOSE. Let's take a look at commit b0401d72, this commit has moved the close processing after do recvfrom method, but this commit also introduces this warnings, if the xpt_flags has both XPT_LISTENER and XPT_CLOSED, we should close it, not accpet then close. Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Cc: J. Bruce Fields <bfields@fieldses.org> Cc: Neil Brown <neilb@suse.de> Cc: Trond Myklebust <Trond.Myklebust@netapp.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nikola Ciprich <extmaillist@linuxbox.cz> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-06netfilter: fix crashes in bridge netfilter caused by fragment jumpsPatrick McHardy
commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497 upstream. When fragments from bridge netfilter are passed to IPv4 or IPv6 conntrack and a reassembly queue with the same fragment key already exists from reassembling a similar packet received on a different device (f.i. with multicasted fragments), the reassembled packet might continue on a different codepath than where the head fragment originated. This can cause crashes in bridge netfilter when a fragment received on a non-bridge device (and thus with skb->nf_bridge == NULL) continues through the bridge netfilter code. Add a new reassembly identifier for packets originating from bridge netfilter and use it to put those packets in insolated queues. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14805 Reported-and-Tested-by: Chong Qiao <qiaochong@loongson.cn> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>