From 971beb83aeb2a309175682cf5683d64fd4591841 Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Mon, 7 Dec 2009 14:23:21 +0100 Subject: Bluetooth: Fix PTR_ERR return of wrong pointer in hidp_setup_hid() Return the PTR_ERR of the correct pointer. Signed-off-by: Roel Kluin Signed-off-by: Marcel Holtmann --- net/bluetooth/hidp/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 569750010fd3..18e7f5a43dc4 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -770,7 +770,7 @@ static int hidp_setup_hid(struct hidp_session *session, hid = hid_allocate_device(); if (IS_ERR(hid)) - return PTR_ERR(session->hid); + return PTR_ERR(hid); session->hid = hid; session->req = req; -- cgit v1.2.3 From 186de9a33803c7ee20d9af75c9049b50e68a3a08 Mon Sep 17 00:00:00 2001 From: "Gustavo F. Padovan" Date: Tue, 15 Dec 2009 15:56:34 -0200 Subject: Bluetooth: Fix unset of RemoteBusy flag for L2CAP RemoteBusy flag need to be unset before l2cap_ertm_send(), otherwise l2cap_ertm_send() will return without sending packets because it checks that flag before start sending. Signed-off-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 5129b88c8e5b..7db9a1f8f882 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3435,8 +3435,8 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str (pi->unacked_frames > 0)) __mod_retrans_timer(); - l2cap_ertm_send(sk); pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; + l2cap_ertm_send(sk); } break; -- cgit v1.2.3 From 186ee8cf0130993dea8ab8867ff1af8a148f9ae6 Mon Sep 17 00:00:00 2001 From: "Gustavo F. Padovan" Date: Tue, 15 Dec 2009 20:13:27 -0200 Subject: Bluetooth: Ack L2CAP I-frames before retransmit missing packet Moving the Ack to before l2cap_retransmit_frame() we can avoid the case where txWindow is full and the packet can't be retransmited. Signed-off-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 7db9a1f8f882..fb0f81d99f96 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -3471,9 +3471,9 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY; if (rx_control & L2CAP_CTRL_POLL) { - l2cap_retransmit_frame(sk, tx_seq); pi->expected_ack_seq = tx_seq; l2cap_drop_acked_frames(sk); + l2cap_retransmit_frame(sk, tx_seq); l2cap_ertm_send(sk); if (pi->conn_state & L2CAP_CONN_WAIT_F) { pi->srej_save_reqseq = tx_seq; -- cgit v1.2.3 From b13f5860447a98daf0358a51fbff66154ac0663a Mon Sep 17 00:00:00 2001 From: Andrei Emeltchenko Date: Tue, 15 Dec 2009 11:38:04 +0200 Subject: Bluetooth: Fix L2CAP locking scheme regression When locking was introduced the error path branch was not taken into account. Error was found in sparse code checking. Kudos to Jani Nikula. Signed-off-by: Andrei Emeltchenko Acked-by: Gustavo F. Padovan Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index fb0f81d99f96..1120cf14a548 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -1212,6 +1212,7 @@ static void l2cap_monitor_timeout(unsigned long arg) bh_lock_sock(sk); if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) { l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk); + bh_unlock_sock(sk); return; } -- cgit v1.2.3 From 9c69fabe789b0eb468a0c7031ae7bb850760aea8 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Fri, 18 Dec 2009 20:11:03 -0800 Subject: netns: fix net.ipv6.route.gc_min_interval_ms in netns sysctl table was copied, all right, but ->data for net.ipv6.route.gc_min_interval_ms was not reinitialized for "!= &init_net" case. In init_net everthing works by accident due to correct ->data initialization in source table. Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller --- net/ipv6/route.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net') diff --git a/net/ipv6/route.c b/net/ipv6/route.c index db3b27303890..c2bd74c5f8d9 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2630,6 +2630,7 @@ struct ctl_table *ipv6_route_sysctl_init(struct net *net) table[6].data = &net->ipv6.sysctl.ip6_rt_gc_elasticity; table[7].data = &net->ipv6.sysctl.ip6_rt_mtu_expires; table[8].data = &net->ipv6.sysctl.ip6_rt_min_advmss; + table[9].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval; } return table; -- cgit v1.2.3 From 3705e11a21bcdffe7422ee7870e1b23fe4ac70f4 Mon Sep 17 00:00:00 2001 From: Yang Hongyang Date: Fri, 18 Dec 2009 20:25:13 -0800 Subject: ipv6: fix an oops when force unload ipv6 module When I do an ipv6 module force unload,I got the following oops: #rmmod -f ipv6 ------------[ cut here ]------------ kernel BUG at mm/slub.c:2969! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:11.0/0000:02:03.0/net/eth2/ifindex Modules linked in: ipv6(-) dm_multipath uinput ppdev tpm_tis tpm tpm_bios pcspkr pcnet32 mii parport_pc i2c_piix4 parport i2c_core floppy mptspi mptscsih mptbase scsi_transport_spi Pid: 2530, comm: rmmod Tainted: G R 2.6.32 #2 440BX Desktop Reference Platform/VMware Virtual Platform EIP: 0060:[] EFLAGS: 00010246 CPU: 0 EIP is at kfree+0x6a/0xdd EAX: 00000000 EBX: c09e86bc ECX: c043e4dd EDX: c14293e0 ESI: e141f1d8 EDI: e140fc31 EBP: dec58ef0 ESP: dec58ed0 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process rmmod (pid: 2530, ti=dec58000 task=decb1940 task.ti=dec58000) Stack: c14293e0 00000282 df624240 c0897d08 c09e86bc c09e86bc e141f1d8 dec58f1c <0> dec58f00 e140fc31 c09e84c4 e141f1bc dec58f14 c0689d21 dec58f1c e141f1bc <0> 00000000 dec58f2c c0689eff c09e84d8 c09e84d8 e141f1bc bff33a90 dec58f38 Call Trace: [] ? ipv6_frags_exit_net+0x22/0x32 [ipv6] [] ? ops_exit_list+0x19/0x3d [] ? unregister_pernet_operations+0x2a/0x51 [] ? unregister_pernet_subsys+0x17/0x24 [] ? ipv6_frag_exit+0x21/0x32 [ipv6] [] ? inet6_exit+0x47/0x122 [ipv6] [] ? sys_delete_module+0x198/0x1f6 [] ? remove_vma+0x57/0x5d [] ? do_page_fault+0x2e7/0x315 [] ? sysenter_do_call+0x12/0x28 Code: 86 00 00 00 40 c1 e8 0c c1 e0 05 01 d0 89 45 e0 66 83 38 00 79 06 8b 40 0c 89 45 e0 8b 55 e0 8b 02 84 c0 78 14 66 a9 00 c0 75 04 <0f> 0b eb fe 8b 45 e0 e8 35 15 fe ff eb 5d 8b 45 04 8b 55 e0 89 EIP: [] kfree+0x6a/0xdd SS:ESP 0068:dec58ed0 ---[ end trace 4475d1a5b0afa7e5 ]--- It's because in ip6_frags_ns_sysctl_register, "table" only alloced when "net" is not equals to "init_net".So when we free "table" in ip6_frags_ns_sysctl_unregister,we should check this first. This patch fix the problem. Signed-off-by: Yang Hongyang Signed-off-by: David S. Miller --- net/ipv6/reassembly.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c index 3b3a95607125..2cddea3bd6be 100644 --- a/net/ipv6/reassembly.c +++ b/net/ipv6/reassembly.c @@ -708,7 +708,8 @@ static void ip6_frags_ns_sysctl_unregister(struct net *net) table = net->ipv6.sysctl.frags_hdr->ctl_table_arg; unregister_net_sysctl_table(net->ipv6.sysctl.frags_hdr); - kfree(table); + if (!net_eq(net, &init_net)) + kfree(table); } static struct ctl_table_header *ip6_ctl_header; -- cgit v1.2.3