diff options
Diffstat (limited to 'extras/recipes-kernel/linux/linux-omap/linus/0058-bridge-fix-br_multicast_ipv6_rcv-for-paged-skbs.patch')
-rw-r--r-- | extras/recipes-kernel/linux/linux-omap/linus/0058-bridge-fix-br_multicast_ipv6_rcv-for-paged-skbs.patch | 157 |
1 files changed, 157 insertions, 0 deletions
diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0058-bridge-fix-br_multicast_ipv6_rcv-for-paged-skbs.patch b/extras/recipes-kernel/linux/linux-omap/linus/0058-bridge-fix-br_multicast_ipv6_rcv-for-paged-skbs.patch new file mode 100644 index 00000000..857f506f --- /dev/null +++ b/extras/recipes-kernel/linux/linux-omap/linus/0058-bridge-fix-br_multicast_ipv6_rcv-for-paged-skbs.patch | |||
@@ -0,0 +1,157 @@ | |||
1 | From 87bd79394bd7f4b7e01199421aae0df5fb1910d0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tomas Winkler <tomas.winkler@intel.com> | ||
3 | Date: Mon, 3 Jan 2011 11:26:08 -0800 | ||
4 | Subject: [PATCH 58/65] bridge: fix br_multicast_ipv6_rcv for paged skbs | ||
5 | |||
6 | use pskb_may_pull to access ipv6 header correctly for paged skbs | ||
7 | It was omitted in the bridge code leading to crash in blind | ||
8 | __skb_pull | ||
9 | |||
10 | since the skb is cloned undonditionally we also simplify the | ||
11 | the exit path | ||
12 | |||
13 | this fixes bug https://bugzilla.kernel.org/show_bug.cgi?id=25202 | ||
14 | |||
15 | Dec 15 14:36:40 User-PC hostapd: wlan0: STA 00:15:00:60:5d:34 IEEE 802.11: authenticated | ||
16 | Dec 15 14:36:40 User-PC hostapd: wlan0: STA 00:15:00:60:5d:34 IEEE 802.11: associated (aid 2) | ||
17 | Dec 15 14:36:40 User-PC hostapd: wlan0: STA 00:15:00:60:5d:34 RADIUS: starting accounting session 4D0608A3-00000005 | ||
18 | Dec 15 14:36:41 User-PC kernel: [175576.120287] ------------[ cut here ]------------ | ||
19 | Dec 15 14:36:41 User-PC kernel: [175576.120452] kernel BUG at include/linux/skbuff.h:1178! | ||
20 | Dec 15 14:36:41 User-PC kernel: [175576.120609] invalid opcode: 0000 [#1] SMP | ||
21 | Dec 15 14:36:41 User-PC kernel: [175576.120749] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda/uevent | ||
22 | Dec 15 14:36:41 User-PC kernel: [175576.121035] Modules linked in: approvals binfmt_misc bridge stp llc parport_pc ppdev arc4 iwlagn snd_hda_codec_realtek iwlcore i915 snd_hda_intel mac80211 joydev snd_hda_codec snd_hwdep snd_pcm snd_seq_midi drm_kms_helper snd_rawmidi drm snd_seq_midi_event snd_seq snd_timer snd_seq_device cfg80211 eeepc_wmi usbhid psmouse intel_agp i2c_algo_bit intel_gtt uvcvideo agpgart videodev sparse_keymap snd shpchp v4l1_compat lp hid video serio_raw soundcore output snd_page_alloc ahci libahci atl1c | ||
23 | Dec 15 14:36:41 User-PC kernel: [175576.122712] | ||
24 | Dec 15 14:36:41 User-PC kernel: [175576.122769] Pid: 0, comm: kworker/0:0 Tainted: G W 2.6.37-rc5-wl+ #3 1015PE/1016P | ||
25 | Dec 15 14:36:41 User-PC kernel: [175576.123012] EIP: 0060:[<f83edd65>] EFLAGS: 00010283 CPU: 1 | ||
26 | Dec 15 14:36:41 User-PC kernel: [175576.123193] EIP is at br_multicast_rcv+0xc95/0xe1c [bridge] | ||
27 | Dec 15 14:36:41 User-PC kernel: [175576.123362] EAX: 0000001c EBX: f5626318 ECX: 00000000 EDX: 00000000 | ||
28 | Dec 15 14:36:41 User-PC kernel: [175576.123550] ESI: ec512262 EDI: f5626180 EBP: f60b5ca0 ESP: f60b5bd8 | ||
29 | Dec 15 14:36:41 User-PC kernel: [175576.123737] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 | ||
30 | Dec 15 14:36:41 User-PC kernel: [175576.123902] Process kworker/0:0 (pid: 0, ti=f60b4000 task=f60a8000 task.ti=f60b0000) | ||
31 | Dec 15 14:36:41 User-PC kernel: [175576.124137] Stack: | ||
32 | Dec 15 14:36:41 User-PC kernel: [175576.124181] ec556500 f6d06800 f60b5be8 c01087d8 ec512262 00000030 00000024 f5626180 | ||
33 | Dec 15 14:36:41 User-PC kernel: [175576.124181] f572c200 ef463440 f5626300 3affffff f6d06dd0 e60766a4 000000c4 f6d06860 | ||
34 | Dec 15 14:36:41 User-PC kernel: [175576.124181] ffffffff ec55652c 00000001 f6d06844 f60b5c64 c0138264 c016e451 c013e47d | ||
35 | Dec 15 14:36:41 User-PC kernel: [175576.124181] Call Trace: | ||
36 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c01087d8>] ? sched_clock+0x8/0x10 | ||
37 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0138264>] ? enqueue_entity+0x174/0x440 | ||
38 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c016e451>] ? sched_clock_cpu+0x131/0x190 | ||
39 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c013e47d>] ? select_task_rq_fair+0x2ad/0x730 | ||
40 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0524fc1>] ? nf_iterate+0x71/0x90 | ||
41 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f83e4914>] ? br_handle_frame_finish+0x184/0x220 [bridge] | ||
42 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f83e4790>] ? br_handle_frame_finish+0x0/0x220 [bridge] | ||
43 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f83e46e9>] ? br_handle_frame+0x189/0x230 [bridge] | ||
44 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f83e4790>] ? br_handle_frame_finish+0x0/0x220 [bridge] | ||
45 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f83e4560>] ? br_handle_frame+0x0/0x230 [bridge] | ||
46 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c04ff026>] ? __netif_receive_skb+0x1b6/0x5b0 | ||
47 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c04f7a30>] ? skb_copy_bits+0x110/0x210 | ||
48 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0503a7f>] ? netif_receive_skb+0x6f/0x80 | ||
49 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f82cb74c>] ? ieee80211_deliver_skb+0x8c/0x1a0 [mac80211] | ||
50 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f82cc836>] ? ieee80211_rx_handlers+0xeb6/0x1aa0 [mac80211] | ||
51 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c04ff1f0>] ? __netif_receive_skb+0x380/0x5b0 | ||
52 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c016e242>] ? sched_clock_local+0xb2/0x190 | ||
53 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c012b688>] ? default_spin_lock_flags+0x8/0x10 | ||
54 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c05d83df>] ? _raw_spin_lock_irqsave+0x2f/0x50 | ||
55 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f82cd621>] ? ieee80211_prepare_and_rx_handle+0x201/0xa90 [mac80211] | ||
56 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f82ce154>] ? ieee80211_rx+0x2a4/0x830 [mac80211] | ||
57 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f815a8d6>] ? iwl_update_stats+0xa6/0x2a0 [iwlcore] | ||
58 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f8499212>] ? iwlagn_rx_reply_rx+0x292/0x3b0 [iwlagn] | ||
59 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c05d83df>] ? _raw_spin_lock_irqsave+0x2f/0x50 | ||
60 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f8483697>] ? iwl_rx_handle+0xe7/0x350 [iwlagn] | ||
61 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<f8486ab7>] ? iwl_irq_tasklet+0xf7/0x5c0 [iwlagn] | ||
62 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c01aece1>] ? __rcu_process_callbacks+0x201/0x2d0 | ||
63 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0150d05>] ? tasklet_action+0xc5/0x100 | ||
64 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0150a07>] ? __do_softirq+0x97/0x1d0 | ||
65 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c05d910c>] ? nmi_stack_correct+0x2f/0x34 | ||
66 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0150970>] ? __do_softirq+0x0/0x1d0 | ||
67 | Dec 15 14:36:41 User-PC kernel: [175576.124181] <IRQ> | ||
68 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c01508f5>] ? irq_exit+0x65/0x70 | ||
69 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c05df062>] ? do_IRQ+0x52/0xc0 | ||
70 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c01036b0>] ? common_interrupt+0x30/0x38 | ||
71 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c03a1fc2>] ? intel_idle+0xc2/0x160 | ||
72 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c04daebb>] ? cpuidle_idle_call+0x6b/0x100 | ||
73 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c0101dea>] ? cpu_idle+0x8a/0xf0 | ||
74 | Dec 15 14:36:41 User-PC kernel: [175576.124181] [<c05d2702>] ? start_secondary+0x1e8/0x1ee | ||
75 | |||
76 | Cc: David Miller <davem@davemloft.net> | ||
77 | Cc: Johannes Berg <johannes@sipsolutions.net> | ||
78 | Cc: Stephen Hemminger <shemminger@vyatta.com> | ||
79 | Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> | ||
80 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
81 | --- | ||
82 | net/bridge/br_multicast.c | 28 ++++++++++++++++++---------- | ||
83 | 1 files changed, 18 insertions(+), 10 deletions(-) | ||
84 | |||
85 | diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c | ||
86 | index f19e347..543b326 100644 | ||
87 | --- a/net/bridge/br_multicast.c | ||
88 | +++ b/net/bridge/br_multicast.c | ||
89 | @@ -1430,7 +1430,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, | ||
90 | struct net_bridge_port *port, | ||
91 | struct sk_buff *skb) | ||
92 | { | ||
93 | - struct sk_buff *skb2 = skb; | ||
94 | + struct sk_buff *skb2; | ||
95 | struct ipv6hdr *ip6h; | ||
96 | struct icmp6hdr *icmp6h; | ||
97 | u8 nexthdr; | ||
98 | @@ -1469,15 +1469,15 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, | ||
99 | if (!skb2) | ||
100 | return -ENOMEM; | ||
101 | |||
102 | + err = -EINVAL; | ||
103 | + if (!pskb_may_pull(skb2, offset + sizeof(struct icmp6hdr))) | ||
104 | + goto out; | ||
105 | + | ||
106 | len -= offset - skb_network_offset(skb2); | ||
107 | |||
108 | __skb_pull(skb2, offset); | ||
109 | skb_reset_transport_header(skb2); | ||
110 | |||
111 | - err = -EINVAL; | ||
112 | - if (!pskb_may_pull(skb2, sizeof(*icmp6h))) | ||
113 | - goto out; | ||
114 | - | ||
115 | icmp6h = icmp6_hdr(skb2); | ||
116 | |||
117 | switch (icmp6h->icmp6_type) { | ||
118 | @@ -1516,7 +1516,12 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, | ||
119 | switch (icmp6h->icmp6_type) { | ||
120 | case ICMPV6_MGM_REPORT: | ||
121 | { | ||
122 | - struct mld_msg *mld = (struct mld_msg *)icmp6h; | ||
123 | + struct mld_msg *mld; | ||
124 | + if (!pskb_may_pull(skb2, sizeof(*mld))) { | ||
125 | + err = -EINVAL; | ||
126 | + goto out; | ||
127 | + } | ||
128 | + mld = (struct mld_msg *)skb_transport_header(skb2); | ||
129 | BR_INPUT_SKB_CB(skb2)->mrouters_only = 1; | ||
130 | err = br_ip6_multicast_add_group(br, port, &mld->mld_mca); | ||
131 | break; | ||
132 | @@ -1529,15 +1534,18 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br, | ||
133 | break; | ||
134 | case ICMPV6_MGM_REDUCTION: | ||
135 | { | ||
136 | - struct mld_msg *mld = (struct mld_msg *)icmp6h; | ||
137 | + struct mld_msg *mld; | ||
138 | + if (!pskb_may_pull(skb2, sizeof(*mld))) { | ||
139 | + err = -EINVAL; | ||
140 | + goto out; | ||
141 | + } | ||
142 | + mld = (struct mld_msg *)skb_transport_header(skb2); | ||
143 | br_ip6_multicast_leave_group(br, port, &mld->mld_mca); | ||
144 | } | ||
145 | } | ||
146 | |||
147 | out: | ||
148 | - __skb_push(skb2, offset); | ||
149 | - if (skb2 != skb) | ||
150 | - kfree_skb(skb2); | ||
151 | + kfree_skb(skb2); | ||
152 | return err; | ||
153 | } | ||
154 | #endif | ||
155 | -- | ||
156 | 1.6.6.1 | ||
157 | |||