user/sven/linux.git/net/caif, branch v3.0.76

caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()

2013-05-01T15:56:39Z

[ Upstream commit 2d6fbfe733f35c6b355c216644e08e149c61b271 ] The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about caif_seqpkt_recvmsg() not filling the msg_name in case it was set. Signed-off-by: Mathias Krause Cc: Sjur Braendeland Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

caif: Fix access to freed pernet memory

2012-08-09T15:27:51Z

[ Upstream commit 96f80d123eff05c3cd4701463786b87952a6c3ac ] unregister_netdevice_notifier() must be called before unregister_pernet_subsys() to avoid accessing already freed pernet memory. This fixes the following oops when doing rmmod: Call Trace: [] caif_device_notify+0x4d/0x5a0 [caif] [] unregister_netdevice_notifier+0xb9/0x100 [] caif_device_exit+0x1c/0x250 [caif] [] sys_delete_module+0x1a4/0x300 [] ? trace_hardirqs_on_caller+0x15d/0x1e0 [] ? trace_hardirqs_on_thunk+0x3a/0x3 [] system_call_fastpath+0x1a/0x1f RIP [] caif_get+0x51/0xb0 [caif] Signed-off-by: Sjur Brændeland Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

net caif: Register properly as a pernet subsystem.

2012-02-03T17:19:03Z

[ Upstream commit 8a8ee9aff6c3077dd9c2c7a77478e8ed362b96c6 ] caif is a subsystem and as such it needs to register with register_pernet_subsys instead of register_pernet_device. Among other problems using register_pernet_device was resulting in net_generic being called before the caif_net structure was allocated. Which has been causing net_generic to fail with either BUG_ON's or by return NULL pointers. A more ugly problem that could be caused is packets in flight why the subsystem is shutting down. To remove confusion also remove the cruft cause by inappropriately trying to fix this bug. With the aid of the previous patch I have tested this patch and confirmed that using register_pernet_subsys makes the failure go away as it should. Signed-off-by: Eric W. Biederman Acked-by: Sjur Brændeland Tested-by: Sasha Levin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

caif: Fix BUG() with network namespaces

2011-11-11T17:35:47Z

commit 08613e4626c06ca408fc55071f6aedee36986a87 upstream. The caif code will register its own pernet_operations, and then register a netdevice_notifier. Each time the netdevice_notifier is triggered, it'll do some stuff... including a lookup of its own pernet stuff with net_generic(). If the net_generic() call ever returns NULL, the caif code will BUG(). That doesn't seem *so* unreasonable, I suppose — it does seem like it should never happen. However, it *does* happen. When we clone a network namespace, setup_net() runs through all the pernet_operations one at a time. It gets to loopback before it gets to caif. And loopback_net_init() registers a netdevice... while caif hasn't been initialised. So the caif netdevice notifier triggers, and immediately goes BUG(). We could imagine a complex and overengineered solution to this generic class of problems, but this patch takes the simple approach. It just makes caif_device_notify() *not* go looking for its pernet data structures if the device it's being notified about isn't a caif device in the first place. Signed-off-by: David Woodhouse Acked-by: Sjur Brændeland Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

caif: Bugfix - XOFF removed channel from caif-mux

2011-06-17T03:59:09Z

XOFF was mixed up with DOWN indication, causing causing CAIF channel to be removed from mux and all incoming traffic to be lost after receiving flow-off. Fix this by replacing FLOW_OFF with DOWN notification. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller

caif: Fix race when conditionally taking rtnl lock

2011-06-02T04:13:53Z

Take the RTNL lock unconditionally when calling dev_close. Taking the lock conditionally may cause race conditions. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller

caif: Plug memory leak for checksum error

2011-05-23T00:11:49Z

In case of checksum error, the framing layer returns -EILSEQ, but does not free the packet. Plug this hole by freeing the packet if -EILSEQ is returned. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller

caif: Fix freezes when running CAIF loopback device

2011-05-23T00:11:48Z

Fix spinlock bugs when running out of link-ids in loopback tests and avoid allocating link-id when error is set in link-setup-response. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller

caif: Fixes freeze on Link layer removal.

2011-05-23T00:11:47Z

CAIF Socket layer - caif_socket.c: - Plug mem-leak at reconnect. - Always call disconnect to cleanup CAIF stack. - Disconnect will always report success. CAIF configuration layer - cfcnfg.c - Disconnect must dismantle the caif stack correctly - Protect against faulty removals (check on id zero) CAIF mux layer - cfmuxl.c - When inserting new service layer in the MUX remove any old entries with the same ID. - When removing CAIF Link layer, remove the associated service layers before notifying service layers. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller

caif: Bugfix add check NULL pointer before calling functions.

2011-05-23T00:11:47Z

Add check on layer->dn != NULL before calling functions in layer below. Signed-off-by: Sjur Brændeland Signed-off-by: David S. Miller