linux

History

Hendrik Brueckner bf95d20fdb af_iucv: fix race when queueing skbs on the backlog queue iucv_sock_recvmsg() and iucv_process_message()/iucv_fragment_skb race for dequeuing an skb from the backlog queue. If iucv_sock_recvmsg() dequeues first, iucv_process_message() calls sock_queue_rcv_skb() with an skb that is NULL. This results in the following kernel panic: <1>Unable to handle kernel pointer dereference at virtual kernel address (null) <4>Oops: 0004 [#1] PREEMPT SMP DEBUG_PAGEALLOC <4>Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod vmur qeth ccwgroup <4>CPU: 0 Not tainted 2.6.30 #4 <4>Process client-iucv (pid: 4787, task: 0000000034e75940, ksp: 00000000353e3710) <4>Krnl PSW : 0704000180000000 000000000043ebca (sock_queue_rcv_skb+0x7a/0x138) <4> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0 EA:3 <4>Krnl GPRS: 0052900000000000 000003e0016e0fe8 0000000000000000 0000000000000000 <4> 000000000043eba8 0000000000000002 0000000000000001 00000000341aa7f0 <4> 0000000000000000 0000000000007800 0000000000000000 0000000000000000 <4> 00000000341aa7f0 0000000000594650 000000000043eba8 000000003fc2fb28 <4>Krnl Code: 000000000043ebbe: a7840006 brc 8,43ebca <4> 000000000043ebc2: 5930c23c c %r3,572(%r12) <4> 000000000043ebc6: a724004c brc 2,43ec5e <4> >000000000043ebca: e3c0b0100024 stg %r12,16(%r11) <4> 000000000043ebd0: a7190000 lghi %r1,0 <4> 000000000043ebd4: e310b0200024 stg %r1,32(%r11) <4> 000000000043ebda: c010ffffdce9 larl %r1,43a5ac <4> 000000000043ebe0: e310b0800024 stg %r1,128(%r11) <4>Call Trace: <4>([<000000000043eba8>] sock_queue_rcv_skb+0x58/0x138) <4> [<000003e0016bcf2a>] iucv_process_message+0x112/0x3cc [af_iucv] <4> [<000003e0016bd3d4>] iucv_callback_rx+0x1f0/0x274 [af_iucv] <4> [<000000000053a21a>] iucv_message_pending+0xa2/0x120 <4> [<000000000053b5a6>] iucv_tasklet_fn+0x176/0x1b8 <4> [<000000000014fa82>] tasklet_action+0xfe/0x1f4 <4> [<0000000000150a56>] __do_softirq+0x116/0x284 <4> [<0000000000111058>] do_softirq+0xe4/0xe8 <4> [<00000000001504ba>] irq_exit+0xba/0xd8 <4> [<000000000010e0b2>] do_extint+0x146/0x190 <4> [<00000000001184b6>] ext_no_vtime+0x1e/0x22 <4> [<00000000001fbf4e>] kfree+0x202/0x28c <4>([<00000000001fbf44>] kfree+0x1f8/0x28c) <4> [<000000000044205a>] __kfree_skb+0x32/0x124 <4> [<000003e0016bd8b2>] iucv_sock_recvmsg+0x236/0x41c [af_iucv] <4> [<0000000000437042>] sock_aio_read+0x136/0x160 <4> [<0000000000205e50>] do_sync_read+0xe4/0x13c <4> [<0000000000206dce>] vfs_read+0x152/0x15c <4> [<0000000000206ed0>] SyS_read+0x54/0xac <4> [<0000000000117c8e>] sysc_noemu+0x10/0x16 <4> [<00000042ff8def3c>] 0x42ff8def3c Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2009-09-16 20:57:39 -07:00
..
9p	net/9p: insulate the client against an invalid error code sent by a 9p server	2009-08-17 16:39:54 -05:00
802
8021q	vlan: adds drops accounting	2009-09-03 20:02:17 -07:00
appletalk	Have atalk_route_packet() return NET_RX_SUCCESS not NET_XMIT_SUCCESS	2009-09-14 17:02:47 -07:00
atm	atm/br2684: netif_stop_queue() when atm device busy and netif_wake_queue() when we can send packets again.	2009-09-02 23:46:10 -07:00
ax25
bluetooth	net: Add DEVTYPE support for Ethernet based devices	2009-09-11 12:54:55 -07:00
bridge	net: Add DEVTYPE support for Ethernet based devices	2009-09-11 12:54:55 -07:00
can	can: fix NOHZ local_softirq_pending 08 warning	2009-09-15 01:31:34 -07:00
core	bonding: remap muticast addresses without using dev_close() and dev_open()	2009-09-15 02:37:40 -07:00
dcb	dcbnl: Add implementations of dcbnl setapp/getapp commands	2009-09-01 01:24:36 -07:00
dccp	net: constify remaining proto_ops	2009-09-14 17:03:09 -07:00
decnet	net: make neigh_ops constant	2009-09-01 17:40:57 -07:00
dsa	netdev: convert pseudo-devices to netdev_tx_t	2009-09-01 01:13:07 -07:00
econet	Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6	2009-08-12 17:44:53 -07:00
ethernet
ieee802154	ieee802154: add locking for seq numbers	2009-09-15 18:25:16 +04:00
ipv4	tcp: fix CONFIG_TCP_MD5SIG + CONFIG_PREEMPT timer BUG()	2009-09-15 23:49:21 -07:00
ipv6	ipv6: Ignore route option with ROUTER_PREF_INVALID	2009-09-16 17:10:38 -07:00
ipx
irda	net: file_operations should be const	2009-09-02 01:03:53 -07:00
iucv	af_iucv: fix race when queueing skbs on the backlog queue	2009-09-16 20:57:39 -07:00
key	net: file_operations should be const	2009-09-02 01:03:53 -07:00
lapb
llc	Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6	2009-09-02 00:32:56 -07:00
mac80211	rc80211_minstrel: fix contention window calculation	2009-09-16 16:21:00 -04:00
netfilter	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6	2009-09-10 18:17:09 -07:00
netlabel
netlink	genetlink: fix netns vs. netlink table locking	2009-09-14 17:02:50 -07:00
netrom	Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6	2009-09-02 00:32:56 -07:00
packet
phonet	Phonet: Netlink event for autoconfigured addresses	2009-09-14 17:03:27 -07:00
rds	net: constify remaining proto_ops	2009-09-14 17:03:09 -07:00
rfkill	rfkill: add the GPS radio type	2009-08-04 16:44:23 -04:00
rose	net: constify remaining proto_ops	2009-09-14 17:03:09 -07:00
rxrpc	RxRPC: Use uX/sX rather than uintX_t/intX_t types	2009-09-16 00:01:13 -07:00
sched	pkt_sched: Fix qdisc_create on stab error handling	2009-09-15 23:42:05 -07:00
sctp	net: constify struct inet6_protocol	2009-09-14 17:03:05 -07:00
sunrpc	Merge branch 'nfs-for-2.6.32'	2009-09-11 14:59:37 -04:00
tipc	tipc: fix test of bearer_priority range in tipc_register_media()	2009-08-29 00:19:42 -07:00
unix	net: unix: fix sending fds in multiple buffers	2009-09-11 11:31:45 -07:00
wanrouter
wimax
wireless	cfg80211: fix SME connect	2009-09-16 16:21:00 -04:00
x25
xfrm	net: file_operations should be const	2009-09-02 01:03:53 -07:00
compat.c
Kconfig
Makefile
nonet.c
socket.c	[PATCH] net: kmemcheck annotation in struct socket	2009-09-15 02:39:20 -07:00
sysctl_net.c
TUNABLE