aboutsummaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAge
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6Linus Torvalds2007-04-13
|\ | | | | | | | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6: [SPARC64]: Fix inline directive in pci_iommu.c [SPARC64]: Fix arg passing to compat_sys_ipc(). [SPARC]: Fix section mismatch warnings in pci.c and pcic.c [SUNRPC]: Make sure on-stack cmsg buffer is properly aligned. [SPARC]: avoid CHILD_MAX and OPEN_MAX constants [SPARC64]: Fix SBUS IOMMU allocation code.
| * [SUNRPC]: Make sure on-stack cmsg buffer is properly aligned.David S. Miller2007-04-12
| | | | | | | | | | | | Based upon a report from Meelis Roos. Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NETFILTER] arp_tables: Fix unaligned accesses.David S. Miller2007-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | There are two device string comparison loops in arp_packet_match(). The first one goes byte-by-byte but the second one tries to be clever and cast the string to a long and compare by longs. The device name strings in the arp table entries are not guarenteed to be aligned enough to make this value, so just use byte-by-byte for both cases. Based upon a report by <drraid@gmail.com>. Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPV6] SNMP: Fix {In,Out}NoRoutes statistics.YOSHIFUJI Hideaki2007-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | A packet which is being discarded because of no routes in the forwarding path should not be counted as OutNoRoutes but as InNoRoutes. Additionally, on this occasion, a packet whose destinaion is not valid should be counted as InAddrErrors separately. Based on patch from Mitsuru Chinen <mitch@linux.vnet.ibm.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIREJoy Latten2007-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When sending a security context of 50+ characters in an ACQUIRE message, following kernel panic occurred. kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0] pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8 lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8 sp: c0000000421bb560 msr: 8000000000029032 current = 0xc00000000fce8f00 paca = 0xc000000000464b00 pid = 2303, comm = ping kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! enter ? for help 3:mon> t [c0000000421bb650] c00000000033538c .km_query+0x6c/0xec [c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88 [c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c [c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0 [c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4 [c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374 [c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4 [c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120 [c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214 [c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40 --- Exception: c00 (System Call) at 0000000007f0ca9c SP (fc0ef8f0) is in userspace We are using size of security context from xfrm_policy to determine how much space to alloc skb and then putting security context from xfrm_state into skb. Should have been using size of security context from xfrm_state to alloc skb. Following fix does that Signed-off-by: Joy Latten <latten@austin.ibm.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [VLAN]: Allow VLAN interface on top of bridge interfaceJerome Borsboom2007-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When a VLAN interface is created on top of a bridge interface and netfilter is enabled to see the bridged packets, the packets can be corrupted when passing through the netfilter code. This is caused by the VLAN driver not setting the 'protocol' and 'nh' members of the sk_buff structure. In general, this is no problem as the VLAN interface is mostly connected to a physical ethernet interface which does not use the 'protocol' and 'nh' members. For a bridge interface, however, these members do matter. Signed-off-by: Jerome Borsboom <j.borsboom@erasmusmc.nl> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [PKTGEN]: Add try_to_freeze()Andrew Morton2007-04-12
| | | | | | | | | | | | | | | | The pktgen module prevents suspend-to-disk. Fix. Acked-by: "Michal Piotrowski" <michal.k.k.piotrowski@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NETFILTER]: ipt_ULOG: use put_unalignedPatrick McHardy2007-04-12
|/ | | | | | | Use put_unaligned to fix warnings about unaligned accesses. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry functionJaroslav Kysela2007-04-10
| | | | | | | | | | | | The clusterip_config_find_get() already increases entries reference counter, so there is no reason to do it twice in checkentry() callback. This causes the config to be freed before it is removed from the list, resulting in a crash when adding the next rule. Signed-off-by: Jaroslav Kysela <perex@suse.cz> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: slow_start_after_idle should influence cwnd validation tooDavid S. Miller2007-04-09
| | | | | | | | | | | | | | | | For the cases that slow_start_after_idle are meant to deal with, it is almost a certainty that the congestion window tests will think the connection is application limited and we'll thus decrease the cwnd there too. This defeats the whole point of setting slow_start_after_idle to zero. So test it there too. We do not cancel out the entire tcp_cwnd_validate() function so that if the sysctl is changed we still have the validation state maintained. Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: cls_tcindex: fix compatibility breakagePatrick McHardy2007-04-09
| | | | | | | | | | | Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed to expect and use a u16 value in 2.6.11, which broke compatibility on big endian machines. Change back to use int. Reported by Ole Reinartz <ole.reinartz@gmx.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Revert recent change to rt6_check_dev().David S. Miller2007-04-06
| | | | | | | | This reverts a0d78ebf3a0e33a1aeacf2fc518ad9273d6a1c2f It causes pings to link-local addresses to fail. Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: beet: fix IP option decapsulationPatrick McHardy2007-04-05
| | | | | | | | | | Beet mode looks for the beet pseudo header after the outer IP header, which is wrong since that is followed by the ESP header. Additionally it needs to adjust the packet length after removing the pseudo header and point the data pointer to the real data location. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: beet: fix beet mode decapsulationPatrick McHardy2007-04-05
| | | | | | | | | | Beet mode decapsulation fails to properly set up the skb pointers, which only works by accident in combination with CONFIG_NETFILTER, since in that case the skb is fixed up in xfrm4_input before passing it to the netfilter hooks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: beet: use IPOPT_NOP for option paddingPatrick McHardy2007-04-05
| | | | | | | | | draft-nikander-esp-beet-mode-07.txt states "The padding MUST be filled with NOP options as defined in Internet Protocol [1] section 3.1 Internet header format.", so do that. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: beet: fix IP option encapsulationPatrick McHardy2007-04-05
| | | | | | | | | | | Beet mode calculates an incorrect value for the transport header location when IP options are present, resulting in encapsulation errors. The correct location is 4 or 8 bytes before the end of the original IP header, depending on whether the pseudo header is padded. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Reject packets within replay window but outside the bit maskHerbert Xu2007-04-05
| | | | | | | | | | | | Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPv6]: Exclude truncated packets from InHdrErrors statisticsMitsuru Chinen2007-04-05
| | | | | | | | | Incoming trancated packets are counted as not only InTruncatedPkts but also InHdrErrors. They should be counted as InTruncatedPkts only. Signed-off-by: Mitsuru Chinen <mitch@linux.vnet.ibm.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [APPLETALK]: Fix a remotely triggerable crashJean Delvare2007-04-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PATCH] net/sunrpc/svcsock.c: fix a checkAdrian Bunk2007-04-05
| | | | | | | | | | | | | | The return value of kernel_recvmsg() should be assigned to "err", not compared with the random value of a never initialized "err" (and the "< 0" check wrongly always returned false since == comparisons never have a result < 0). Spotted by the Coverity checker. Signed-off-by: Adrian Bunk <bunk@stusta.de> Acked-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] net: Ignore sysfs network device rename bugs.Eric W. Biederman2007-04-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The generic networking code ensures that no two networking devices have the same name, so there is no time except when sysfs has implementation bugs that device_rename when called from dev_change_name will fail. The current error handling for errors from device_rename in dev_change_name is wrong and results in an unusable and unrecoverable network device if device_rename is happens to return an error. This patch removes the buggy error handling. Which confines the mess when device_rename hits a problem to sysfs, instead of propagating it the rest of the network stack. Making linux a little more robust. Without this patch you can observe what happens when sysfs has a bug when CONFIG_SYSFS_DEPRECATED is not set and you attempt to rename a real network device to a name like (broken_parity_status, device, modalias, power, resource2, subsystem_vendor, class, driver, irq, msi_bus, resource, subsystem, uevent, config, enable, local_cpus, numa_node, resource0, subsystem_device, vendor) Greg has a patch that fixes the sysfs bugs but he doesn't trust it for a 2.6.21 timeframe. This patch which just ignores errors should be safe and it keeps the system from going completely wacky. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.John Heffner2007-04-02
| | | | | Signed-off-by: John Heffner <jheffner@psc.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPv6]: Fix incorrect length check in rawv6_sendmsg()YOSHIFUJI Hideaki2007-04-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says: > From: Sridhar Samudrala <sri@us.ibm.com> > Date: Thu, 29 Mar 2007 14:17:28 -0700 > > > The check for length in rawv6_sendmsg() is incorrect. > > As len is an unsigned int, (len < 0) will never be TRUE. > > I think checking for IPV6_MAXPLEN(65535) is better. > > > > Is it possible to send ipv6 jumbo packets using raw > > sockets? If so, we can remove this check. > > I don't see why such a limitation against jumbo would exist, > does anyone else? > > Thanks for catching this Sridhar. A good compiler should simply > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't > you think :-) Dave, we use "int" for returning value, so we should fix this anyway, IMHO; we should not allow len > INT_MAX. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: cls_basic: fix memory leak in basic_destroyPatrick McHardy2007-04-02
| | | | | | | tp->root is not freed on destruction. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Change "not found" return value for rule lookupSteven Whitehouse2007-04-02
| | | | | | | | | | | | | | | This changes the "not found" error return for the lookup function to -ESRCH so that it can be distinguished from the case where a rule or route resulting in -ENETUNREACH has been found during the search. It fixes a bug where if DECnet was compiled with routing support, but no routes were added to the routing table, it was failing to fall back to endnode routing. Signed-off-by: Steven Whitehouse <swhiteho@redhat.com> Signed-off-by: Patrick Caulfield <pcaulfie@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2007-03-29
|\ | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [IFB]: Fix crash on input device removal [BNX2]: Fix link interrupt problem.
| * [IFB]: Fix crash on input device removalPatrick McHardy2007-03-29
| | | | | | | | | | | | | | | | | | | | | | | | The input_device pointer is not refcounted, which means the device may disappear while packets are queued, causing a crash when ifb passes packets with a stale skb->dev pointer to netif_rx(). Fix by storing the interface index instead and do a lookup where neccessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [PATCH] bluetooth hid quirks: mightymouse quirkJiri Kosina2007-03-29
|/ | | | | | | | | | | | | | | | | | | I have a bugreport that scrollwheel of bluetooth version of apple mightymouse doesn't work. The USB version of mightymouse works, as there is a quirk for handling scrollwheel in hid/usbhid for it. Now that bluetooth git tree is hooked to generic hid layer, it could easily use the quirks which are already present in generic hid parser, hid-input, etc. Below is a simple patch against bluetooth git tree, which adds quirk handling to current bluetooth hidp code, and sets quirk flags for device 0x05ac/0x030c, which is the bluetooth version of the apple mightymouse. Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2007-03-28
|\ | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
| * [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOVArnaldo Carvalho de Melo2007-03-28
| | | | | | | | | | | | | | | | | | | | | | | | We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'upstream-linus' of ↵Linus Torvalds2007-03-28
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 * 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: SUN3/3X Lance trivial fix improved mv643xx_eth: Fix use of uninitialized port_num field forcedeth: fix tx timeout forcedeth: fix nic poll qla3xxx: bugfix: Jumbo frame handling. qla3xxx: bugfix: Dropping interrupt under heavy network load. qla3xxx: bugfix: Multi segment sends were getting whacked. qla3xxx: bugfix: Add tx control block memset. atl1: remove unnecessary crc inversion myri10ge: correctly detect when TSO should be used [PATCH] WE-22 : prevent information leak on 64 bit [PATCH] wext: Add missing ioctls to 64<->32 conversion [PATCH] bcm43xx: Fix machine check on PPC for version 1 PHY [PATCH] bcm43xx: fix radio_set_tx_iq [PATCH] bcm43xx: Fix code for confusion between PHY revision and PHY version
| * Merge branch 'upstream-fixes' of ↵Jeff Garzik2007-03-28
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes
| | * [PATCH] WE-22 : prevent information leak on 64 bitJean Tourrilhes2007-03-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | Johannes Berg discovered that kernel space was leaking to userspace on 64 bit platform. He made a first patch to fix that. This is an improved version of his patch. Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | [IPV6]: Set IF_READY if the device is up and has carrierHerbert Xu2007-03-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We still need to set the IF_READY flag in ipv6_add_dev for the case where all addresses (including the link-local) are deleted and then recreated. In that case the IPv6 device too will be destroyed and then recreated. In order to prevent the original problem, we simply ensure that the device is up before setting IF_READY. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET_SCHED]: sch_htb/sch_hfsc: fix oops in qlen_notifyPatrick McHardy2007-03-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During both HTB and HFSC class deletion the class is removed from the class hash before calling qdisc_tree_decrease_qlen. This makes the ->get operation in qdisc_tree_decrease_qlen fail, so it passes a NULL pointer to ->qlen_notify, causing an oops. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: Remove dead net/sched/Makefile entry for sch_hpfq.o.Robert P. J. Day2007-03-26
|/ / | | | | | | | | | | | | | | Remove the worthless net/sched/Makefile entry for the non-existent source file sch_hpfq.c. Signed-off-by: Robert P. J. Day <rpjday@mindspring.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPV4] fib_trie: Document locking.Robert Olsson2007-03-26
| | | | | | | | | | | | | | | | | | | | | | | | | | Paul E. McKenney writes: > Those of use who dive into networking only occasionally would much > appreciate this. ;-) No problem here... Acked-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> (but trivial) Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET]: Correct accept(2) recovery after sock_attach_fd()Alexey Dobriyan2007-03-26
| | | | | | | | | | | | | | | | | | * d_alloc() in sock_attach_fd() fails leaving ->f_dentry of new file NULL * bail out to out_fd label, doing fput()/__fput() on new file * but __fput() assumes valid ->f_dentry and dereferences it Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET_SCHED]: Fix ingress lockingPatrick McHardy2007-03-25
| | | | | | | | | | | | | | | | | | Ingress queueing uses a seperate lock for serializing enqueue operations, but fails to properly protect itself against concurrent changes to the qdisc tree. Use queue_lock for now since the real fix it quite intrusive. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET_SCHED]: cls_basic: fix NULL pointer dereferencePatrick McHardy2007-03-25
| | | | | | | | | | | | | | | | | | | | | | | | cls_basic doesn't allocate tp->root before it is linked into the active classifier list, resulting in a NULL pointer dereference when packets hit the classifier before its ->change function is called. Reported by Chris Madden <chris@reflexsecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [DCCP]: make dccp_write_xmit_timer() static againAdrian Bunk2007-03-25
| | | | | | | | | | | | | | dccp_write_xmit_timer() needlessly became global. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPV6]: Fix routing round-robin locking.David S. Miller2007-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As per RFC2461, section 6.3.6, item #2, when no routers on the matching list are known to be reachable or probably reachable we do round robin on those available routes so that we make sure to probe as many of them as possible to detect when one becomes reachable faster. Each routing table has a rwlock protecting the tree and the linked list of routes at each leaf. The round robin code executes during lookup and thus with the rwlock taken as a reader. A small local spinlock tries to provide protection but this does not work at all for two reasons: 1) The round-robin list manipulation, as coded, goes like this (with read lock held): walk routes finding head and tail spin_lock(); rotate list using head and tail spin_unlock(); While one thread is rotating the list, another thread can end up with stale values of head and tail and then proceed to corrupt the list when it gets the lock. This ends up causing the OOPS in fib6_add() later onthat many people have been hitting. 2) All the other code paths that run with the rwlock held as a reader do not expect the list to change on them, they expect it to remain completely fixed while they hold the lock in that way. So, simply stated, it is impossible to implement this correctly using a manipulation of the list without violating the rwlock locking semantics. Reimplement using a per-fib6_node round-robin pointer. This way we don't need to manipulate the list at all, and since the round-robin pointer can only ever point to real existing entries we don't need to perform any locking on the changing of the round-robin pointer itself. We only need to reset the round-robin pointer to NULL when the entry it is pointing to is removed. The idea is from Thomas Graf and it is very similar to how this was implemented before the advanced router selection code when in. Signed-off-by: David S. Miller <davem@davemloft.net>
* | [DECNet] fib: Fix out of bound access of dn_fib_props[]Thomas Graf2007-03-25
| | | | | | | | | | | | | | | | | | | | Fixes a typo which caused fib_props[] to have the wrong size and makes sure the value used to index the array which is provided by userspace via netlink is checked to avoid out of bound access. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPv4] fib: Fix out of bound access of fib_props[]Thomas Graf2007-03-25
| | | | | | | | | | | | | | | | | | | | Fixes a typo which caused fib_props[] to have the wrong size and makes sure the value used to index the array which is provided by userspace via netlink is checked to avoid out of bound access. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET] AX.25 Kconfig and docs updates and fixesRalf Baechle2007-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o The AX.25 Howto is unmaintained since several years. I've replaced it with a wiki at http://www.linux-ax25.org which provides more uptodate information. o Change default for AX25_DAMA_SLAVE to Y. AX25_DAMA_SLAVE only compiles in support for DAMA but doesn't activate it. I hope this gets Linux distributions to ship their AX.25 kernels with AX25_DAMA_SLAVE enabled. The price for this would be very small. o Delete historic changelog from comments, that's what SCM systems are meant to do. o ---help--- in Kconfig looks so yellingly eye insulting. Use just help. o Rewrite the commented out piece of old Linux 2.4 configuration language to Kconfig for consistency. o Fixup dependencies. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET]: Fix neighbour destructor handling.Alexey Kuznetsov2007-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ->neigh_destructor() is killed (not used), replaced with ->neigh_cleanup(), which is called when neighbor entry goes to dead state. At this point everything is still valid: neigh->dev, neigh->parms etc. The device should guarantee that dead neighbor entries (neigh->dead != 0) do not get private part initialized, otherwise nobody will cleanup it. I think this is enough for ipoib which is the only user of this thing. Initialization private part of neighbor entries happens in ipib start_xmit routine, which is not reached when device is down. But it would be better to add explicit test for neigh->dead in any case. Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NET]: Fix fib_rules compatibility breakageThomas Graf2007-03-25
|/ | | | | | | | | | | | | | | | | | | | | | Based upon a patch from Patrick McHardy. The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibilty. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error. Check attribute length of FRA_SRC/FRA_DST in the generic framework by letting the family specific rules implementation provide the length of an address. Report an error if address length is non zero but no address attribute is provided. Fix actual bug by checking address length for non-zero instead of relying on availability of attribute. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PATCH] fix typos in net/ieee80211/KconfigPatrick Ringl2007-03-24
| | | | | | | | This is just a QA / cosmetic fix .. [ "a modules" => "a module" ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [NETFILTER]: nat: avoid rerouting packets if only XFRM policy key changedPatrick McHardy2007-03-22
| | | | | | | | | | | | | | Currently NAT not only reroutes packets in the OUTPUT chain when the routing key changed, but also if only the non-routing part of the IPsec policy key changed. This breaks ping -I since it doesn't use SO_BINDTODEVICE but IP_PKTINFO cmsg to specify the output device, and this information is lost. Only do full rerouting if the routing key changed, and just do a new policy lookup with the old route if only the ports changed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: nf_conntrack_netlink: add missing dependency on NF_NATPatrick McHardy2007-03-22
| | | | | | | | | | | | | | | | | | | | NF_CT_NETLINK=y, NF_NAT=m results in: LD .tmp_vmlinux1 net/built-in.o: dans la fonction « nfnetlink_parse_nat_proto »: nf_conntrack_netlink.c:(.text+0x28db9): référence indéfinie vers « nf_nat_proto_find_get » nf_conntrack_netlink.c:(.text+0x28dd6): référence indéfinie vers « nf_nat_proto_put » net/built-in.o: dans la fonction « ctnetlink_new_conntrack »: nf_conntrack_netlink.c:(.text+0x29959): référence indéfinie vers « nf_nat_setup_info » nf_conntrack_netlink.c:(.text+0x29b35): référence indéfinie vers « nf_nat_setup_info » nf_conntrack_netlink.c:(.text+0x29cf7): référence indéfinie vers « nf_nat_setup_info » nf_conntrack_netlink.c:(.text+0x29de2): référence indéfinie vers « nf_nat_setup_info » make: *** [.tmp_vmlinux1] Erreur 1 Reported by Kevin Baradon <kevin.baradon@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>