28 Jul, 2010

1 commit

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
    s2io: fixing DBG_PRINT() macro
    ath9k: fix dma direction for map/unmap in ath_rx_tasklet
    net: dev_forward_skb should call nf_reset
    net sched: fix race in mirred device removal
    tun: avoid BUG, dump packet on GSO errors
    bonding: set device in RLB ARP packet handler
    wimax/i2400m: Add PID & VID for Intel WiMAX 6250
    ipv6: Don't add routes to ipv6 disabled interfaces.
    net: Fix skb_copy_expand() handling of ->csum_start
    net: Fix corruption of skb csum field in pskb_expand_head() of net/core/skbuff.c
    macvtap: Limit packet queue length
    ixgbe/igb: catch invalid VF settings
    bnx2x: Advance a module version
    bnx2x: Protect statistics ramrod and sequence number
    bnx2x: Protect a SM state change
    wireless: use netif_rx_ni in ieee80211_send_layer2_update

    Linus Torvalds
     

27 Jul, 2010

1 commit


26 Jul, 2010

1 commit

  • With conn-track zones and probably with different network
    namespaces, the netfilter logic needs to be re-calculated
    on packet receive. If the netfilter logic is not reset,
    it will not be recalculated properly. This patch adds
    the nf_reset logic to dev_forward_skb.

    Signed-off-by: Ben Greear
    Signed-off-by: David S. Miller

    Ben Greear
     

25 Jul, 2010

1 commit

  • This fixes hang when target device of mirred packet classifier
    action is removed.

    If a mirror or redirection action is configured to cause packets
    to go to another device, the classifier holds a ref count, but was assuming
    the administrator cleaned up all redirections before removing. The fix
    is to add a notifier and cleanup during unregister.

    The new list is implicitly protected by RTNL mutex because
    it is held during filter add/delete as well as notifier.

    Signed-off-by: Stephen Hemminger
    Acked-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller

    stephen hemminger
     

23 Jul, 2010

3 commits

  • If the interface has IPv6 disabled, don't add a multicast or
    link-local route since we won't be adding a link-local address.

    Reported-by: Mahesh Kelkar
    Signed-off-by: Brian Haley
    Signed-off-by: David S. Miller

    Brian Haley
     
  • It should only be adjusted if ip_summed == CHECKSUM_PARTIAL.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Make pskb_expand_head() check ip_summed to make sure csum_start is really
    csum_start and not csum before adjusting it.

    This fixes a bug I encountered using a Sun Quad-Fast Ethernet card and VLANs.
    On my configuration, the sunhme driver produces skbs with differing amounts
    of headroom on receive depending on the packet size. See line 2030 of
    drivers/net/sunhme.c; packets smaller than RX_COPY_THRESHOLD have 52 bytes
    of headroom but packets larger than that cutoff have only 20 bytes.

    When these packets reach the VLAN driver, vlan_check_reorder_header()
    calls skb_cow(), which, if the packet has less than NET_SKB_PAD (== 32) bytes
    of headroom, uses pskb_expand_head() to make more.

    Then, pskb_expand_head() needs to adjust a lot of offsets into the skb,
    including csum_start. Since csum_start is a union with csum, if the packet
    has a valid csum value this will corrupt it, which was the effect I observed.
    The sunhme hardware computes receive checksums, so the skbs would be created
    by the driver with ip_summed == CHECKSUM_COMPLETE and a valid csum field, and
    then pskb_expand_head() would corrupt the csum field, leading to an "hw csum
    error" message later on, for example in icmp_rcv() for pings larger than the
    sunhme RX_COPY_THRESHOLD.

    On the basis of the comment at the beginning of include/linux/skbuff.h,
    I believe that the csum_start skb field is only meaningful if ip_csummed is
    CSUM_PARTIAL, so this patch makes pskb_expand_head() adjust it only in that
    case to avoid corrupting a valid csum value.

    Please see my more in-depth discussion of tracking down this bug for
    more details if you like:

    http://puellavulnerata.livejournal.com/112186.html
    http://puellavulnerata.livejournal.com/112567.html
    http://puellavulnerata.livejournal.com/112891.html
    http://puellavulnerata.livejournal.com/113096.html
    http://puellavulnerata.livejournal.com/113591.html

    I am not subscribed to this list, so please CC me on replies.

    Signed-off-by: Andrea Shepard
    Signed-off-by: David S. Miller

    Andrea Shepard
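
Added example, not part of the commit or the kernel source: a user-space C model of the csum / csum_start union that the pskb_expand_head() commit above describes, with the unconditional adjustment beside the guarded one. struct toy_skb, the helper names and the sample values (csum word, 32 bytes of added headroom) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* ip_summed states; the numbering here is a model, only the names matter. */
enum { CHECKSUM_NONE, CHECKSUM_UNNECESSARY, CHECKSUM_COMPLETE, CHECKSUM_PARTIAL };

/* Toy stand-in for the sk_buff fields involved; not the real struct. */
struct toy_skb {
    union {
        uint32_t csum;              /* meaningful when CHECKSUM_COMPLETE */
        struct {
            uint16_t csum_start;    /* meaningful when CHECKSUM_PARTIAL */
            uint16_t csum_offset;
        } partial;
    } u;
    uint8_t ip_summed;
};

/* Behaviour before the fix: always shift csum_start by the new headroom. */
static void adjust_unguarded(struct toy_skb *skb, uint16_t nhead)
{
    skb->u.partial.csum_start += nhead;
}

/* Behaviour after the fix: shift only when the union really holds offsets. */
static void adjust_guarded(struct toy_skb *skb, uint16_t nhead)
{
    if (skb->ip_summed == CHECKSUM_PARTIAL)
        skb->u.partial.csum_start += nhead;
}

/* Apply one adjust function to a fresh skb and return the raw csum word. */
static uint32_t csum_after(void (*adjust)(struct toy_skb *, uint16_t),
                           uint8_t ip_summed, uint32_t csum, uint16_t nhead)
{
    struct toy_skb skb;

    skb.u.csum = csum;
    skb.ip_summed = ip_summed;
    adjust(&skb, nhead);
    return skb.u.csum;
}

int main(void)
{
    const uint32_t hw_csum = 0x1234abcdu;   /* constructed sample value */
    const uint16_t nhead = 32;              /* constructed headroom delta */

    printf("COMPLETE, unguarded: %08x (hardware checksum overwritten)\n",
           (unsigned)csum_after(adjust_unguarded, CHECKSUM_COMPLETE, hw_csum, nhead));
    printf("COMPLETE, guarded:   %08x (hardware checksum preserved)\n",
           (unsigned)csum_after(adjust_guarded, CHECKSUM_COMPLETE, hw_csum, nhead));
    printf("PARTIAL,  guarded:   %08x (offset still adjusted)\n",
           (unsigned)csum_after(adjust_guarded, CHECKSUM_PARTIAL, hw_csum, nhead));
    return 0;
}
```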
     

21 Jul, 2010

3 commits

  • Add the shrinkers missed in the first conversion of the API in
    commit 7f8275d0d660c146de6ee3017e1e2e594c49e820 ("mm: add context argument to
    shrinker callback").

    Signed-off-by: Dave Chinner

    Dave Chinner
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (24 commits)
    bridge: Partially disable netpoll support
    tcp: fix crash in tcp_xmit_retransmit_queue
    IPv6: fix CoA check in RH2 input handler (mip6_rthdr_input())
    ibmveth: lost IRQ while closing/opening device leads to service loss
    rt2x00: Fix lockdep warning in rt2x00lib_probe_dev()
    vhost: avoid pr_err on condition guest can trigger
    ipmr: Don't leak memory if fib lookup fails.
    vhost-net: avoid flush under lock
    net: fix problem in reading sock TX queue
    net/core: neighbour update Oops
    net: skb_tx_hash() fix relative to skb_orphan_try()
    rfs: call sock_rps_record_flow() in tcp_splice_read()
    xfrm: do not assume that template resolving always returns xfrms
    hostap_pci: set dev->base_addr during probe
    axnet_cs: use spin_lock_irqsave in ax_interrupt
    dsa: Fix Kconfig dependencies.
    act_nat: not all of the ICMP packets need an IP header payload
    r8169: incorrect identifier for a 8168dp
    Phonet: fix skb leak in pipe endpoint accept()
    Bluetooth: Update sec_level/auth_type for already existing connections
    ...

    Linus Torvalds
     
  • These synthetic frames are all triggered from userland requests in
    process context.

    https://bugzilla.kernel.org/show_bug.cgi?id=16412

    Signed-off-by: John W. Linville

    John W. Linville
     

20 Jul, 2010

2 commits

  • The new netpoll code in bridging contains use-after-free bugs
    that are non-trivial to fix.

    This patch fixes this by removing the code that uses skbs after
    they're freed.

    As a consequence, this means that we can no longer call bridge
    from the netpoll path, so this patch also removes the controller
    function in order to disable netpoll.

    Signed-off-by: Herbert Xu

    Thanks,
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • It can happen that there are no packets in queue while calling
    tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
    NULL and that gets deref'ed to get sacked into a local var.

    There is no work to do if no packets are outstanding so we just
    exit early.

    This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out
    guard to make joining diff nicer).

    Signed-off-by: Ilpo Järvinen
    Reported-by: Lennart Schulte
    Tested-by: Lennart Schulte
    Signed-off-by: David S. Miller

    Ilpo Järvinen
     

19 Jul, 2010

1 commit

  • The input handler for Type 2 Routing Header (mip6_rthdr_input())
    checks if the CoA in the packet matches the CoA in the XFRM state.

    Current check is buggy: it compares the address in the Type 2
    Routing Header, i.e. the HoA, against the expected CoA in the state.
    The comparison should be made against the address in the destination
    field of the IPv6 header.

    The bug remained unnoticed because the main (and possibly only current)
    user of the code (UMIP MIPv6 Daemon) initializes the XFRM state with the
    unspecified address, i.e. explicitly allows everything.

    Yoshifuji-san, can you ack that one?

    Signed-off-by: Arnaud Ebalard
    Signed-off-by: David S. Miller

    Arnaud Ebalard
     

16 Jul, 2010

1 commit

  • This was detected using two mcast router tables. The
    pimreg for the second interface did not have a specific
    mrule, so packets received by it were handled by the
    default table, which had nothing configured.

    This caused the ipmr_fib_lookup to fail, causing
    the memory leak.

    Signed-off-by: Ben Greear
    Signed-off-by: David S. Miller

    Ben Greear
     

15 Jul, 2010

5 commits

  • Fix problem in reading the tx_queue recorded in a socket. In
    dev_pick_tx, the TX queue is read by doing a check with
    sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get.
    The problem is that there is not mutual exclusion across these
    calls in the socket so it is possible that the queue in the
    sock can be invalidated after sk_tx_queue_recorded is called so
    that sk_tx_queue get returns -1, which sets 65535 in queue_index
    and thus dev_pick_tx returns 65536 which is a bogus queue and
    can cause crash in dev_queue_xmit.

    We fix this by only calling sk_tx_queue_get which does the proper
    checks. The interface is that sk_tx_queue_get returns the TX queue
    if the sock argument is non-NULL and TX queue is recorded, else it
    returns -1. sk_tx_queue_recorded is no longer used so it can be
    completely removed.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert
     
  • When configuring DMVPN (GRE + openNHRP) and a GRE remote
    address is configured a kernel Oops is observed. The
    observed Oops is caused by a NULL header_ops pointer
    (neigh->dev->header_ops) in neigh_update_hhs() when

    void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
    = neigh->dev->header_ops->cache_update;

    is executed. The dev associated with the NULL header_ops is
    the GRE interface. This patch guards against the
    possibility that header_ops is NULL.

    This Oops was first observed in kernel version 2.6.26.8.

    Signed-off-by: Doug Kehn
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Doug Kehn
     
  • commit fc6055a5ba31e2 (net: Introduce skb_orphan_try()) added early
    orphaning of skbs.

    This unfortunately added a performance regression in skb_tx_hash() in
    case of stacked devices (bonding, vlans, ...)

    Since skb->sk is now NULL, we cannot access sk->sk_hash anymore to
    spread tx packets to multiple NIC queues on multiqueue devices.

    skb_tx_hash() in this case only uses skb->protocol, same value for all
    flows.

    skb_orphan_try() can copy sk->sk_hash into skb->rxhash and skb_tx_hash()
    can use this saved sk_hash value to compute its internal hash value.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • rfs: call sock_rps_record_flow() in tcp_splice_read()

    call sock_rps_record_flow() in tcp_splice_read(), so the applications using
    splice(2) or sendfile(2) can utilize RFS.

    Signed-off-by: Changli Gao
    ----
    net/ipv4/tcp.c | 1 +
    1 file changed, 1 insertion(+)
    Signed-off-by: David S. Miller

    Changli Gao
     
  • xfrm_resolve_and_create_bundle() assumed that, if policies indicated
    presence of xfrms, bundle template resolution would always return
    some xfrms. This is not true for 'use' level policies which can
    result in no xfrm's being applied if there are no suitable xfrm states.
    This fixes a crash by this incorrect assumption.

    Reported-by: George Spelvin
    Bisected-by: George Spelvin
    Tested-by: George Spelvin
    Signed-off-by: Timo Teräs
    Signed-off-by: David S. Miller

    Timo Teräs
     

13 Jul, 2010

2 commits

  • Based upon a report by Randy Dunlap.

    DSA needs PHYLIB, but PHYLIB needs NET_ETHERNET. So, in order
    to select PHYLIB we have to make DSA depend upon NET_ETHERNET.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • not all of the ICMP packets need an IP header payload, so we check the length
    of the skbs only when the packets should have an IP header payload.

    Based upon analysis and initial patch by Rodrigo Partearroyo González.

    Signed-off-by: Changli Gao
    Acked-by: Herbert Xu
    ----
    net/sched/act_nat.c | 5 ++++-
    1 file changed, 4 insertions(+), 1 deletion(-)
    Signed-off-by: David S. Miller

    Changli Gao
     

09 Jul, 2010

4 commits

  • Signed-off-by: Rémi Denis-Courmont
    Signed-off-by: David S. Miller

    Rémi Denis-Courmont
     
  • Update auth level for already existing connections if it is lower
    than required by new connection.

    Signed-off-by: Ville Tervo
    Reviewed-by: Emeltchenko Andrei
    Signed-off-by: Luciano Coelho
    Signed-off-by: Andrei Emeltchenko
    Signed-off-by: Marcel Holtmann

    Ville Tervo
     
  • When authentication fails for a connection the assumed security level
    should be set back to BT_SECURITY_LOW so that subsequent connect
    attempts over the same link don't falsely assume that security is
    adequate enough.

    Signed-off-by: Johan Hedberg
    Signed-off-by: Marcel Holtmann

    Johan Hedberg
     
  • Due to race condition in L2CAP state machine L2CAP Connection Request
    may be sent twice for SDP with the same source channel id. Problems
    reported connecting to Apple products, some carkit, Blackberry phones.

    ...
    2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040
    2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5
    handle 1 packets 1
    2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3
    status 0x00 handle 1
    2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040
    ...

    Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection
    Request has been sent already.

    Modified version of patch from Ville Tervo.

    Signed-off-by: Andrei Emeltchenko
    Signed-off-by: Marcel Holtmann

    Andrei Emeltchenko
     

08 Jul, 2010

2 commits

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (35 commits)
    NET: SB1250: Initialize .owner
    vxge: show startup message with KERN_INFO
    ll_temac: Fix missing iounmaps
    bridge: Clear IPCB before possible entry into IP stack
    bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference
    net: Fix definition of netif_vdbg() when VERBOSE_DEBUG is defined
    net/ne: fix memory leak in ne_drv_probe()
    xfrm: fix xfrm by MARK logic
    virtio_net: fix oom handling on tx
    virtio_net: do not reschedule rx refill forever
    s2io: resolve statistics issues
    linux/net.h: fix kernel-doc warnings
    net: decreasing real_num_tx_queues needs to flush qdisc
    sched: qdisc_reset_all_tx is calling qdisc_reset without qdisc_lock
    qlge: fix a eeh handler to not add a pending timer
    qlge: Replacing add_timer() to mod_timer()
    usbnet: Set parent device early for netdev_printk()
    net: Revert "rndis_host: Poll status channel before control channel"
    netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT
    drivers: bluetooth: bluecard_cs.c: Fixed include error, changed to linux/io.h
    ...

    Linus Torvalds
     
  • The bridge protocol lives dangerously by having incestuous relations
    with the IP stack. In this instance an abomination has been created
    where a bogus IPCB area from a bridged packet leads to a crash in
    the IP stack because it's interpreted as IP options.

    This patch papers over the problem by clearing the IPCB area in that
    particular spot. To fix this properly we'd also need to parse any
    IP options if present but I'm way too lazy for that.

    Signed-off-by: Herbert Xu

    Cheers,
    Signed-off-by: David S. Miller

    Herbert Xu
     

06 Jul, 2010

1 commit

  • On Tue, Jul 06, 2010 at 08:48:35AM +0800, Herbert Xu wrote:
    >
    > bridge: Restore NULL check in br_mdb_ip_get

    Resend with proper attribution.

    bridge: Restore NULL check in br_mdb_ip_get

    Somewhere along the line the NULL check in br_mdb_ip_get went
    AWOL, causing crashes when we receive an IGMP packet with no
    multicast table allocated.

    This patch restores it and ensures all br_mdb_*_get functions
    use it.

    Reported-by: Frank Arnold
    Signed-off-by: Herbert Xu

    Thanks,
    Signed-off-by: David S. Miller

    Herbert Xu
     

05 Jul, 2010

1 commit

  • While using xfrm by MARK feature in
    2.6.34 - 2.6.35 kernels, the mark
    is always cleared in flowi structure via memset in
    _decode_session4 (net/ipv4/xfrm4_policy.c), so
    the policy lookup fails.
    IPv6 code is affected by this bug too.

    Signed-off-by: Peter Kosyh
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Peter Kosyh
     

03 Jul, 2010

2 commits

  • David S. Miller
     
  • Reducing real_num_queues needs to flush the qdisc otherwise
    skbs with queue_mappings greater than real_num_tx_queues can
    be sent to the underlying driver.

    The flow for this is,

    dev_queue_xmit()
    dev_pick_tx()
    skb_tx_hash() => hash using real_num_tx_queues
    skb_set_queue_mapping()
    ...
    qdisc_enqueue_root() => enqueue skb on txq from hash
    ...
    dev->real_num_tx_queues -= n
    ...
    sch_direct_xmit()
    dev_hard_start_xmit()
    ndo_start_xmit(skb,dev) => skb queue set with old hash

    skbs are enqueued on the qdisc with skb->queue_mapping set
    0 < queue_mappings < real_num_tx_queues. When the driver
    decreases real_num_tx_queues skb's may be dequeued from the
    qdisc with a queue_mapping greater than real_num_tx_queues.

    This fixes a case in ixgbe where this was occurring with DCB
    and FCoE. Because the driver is using queue_mapping to map
    skbs to tx descriptor rings we can potentially map skbs to
    rings that no longer exist.

    Signed-off-by: John Fastabend
    Tested-by: Ross Brattain
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller

    John Fastabend
     

02 Jul, 2010

1 commit


29 Jun, 2010

2 commits

  • struct ethtool_rxnfc was originally defined in 2.6.27 for the
    ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
    fields. It was then extended in 2.6.30 to support various additional
    commands. These commands should have been defined to use a new
    structure, but it is too late to change that now.

    Since user-space may still be using the old structure definition
    for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
    additional fields, only copy the originally defined fields to and
    from user-space.

    Signed-off-by: Ben Hutchings
    Cc: stable@kernel.org
    Signed-off-by: David S. Miller

    Ben Hutchings
     
  • On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
    overflow and the buffer may be smaller than needed. Since
    ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at
    least denial of service.

    Signed-off-by: Ben Hutchings
    Cc: stable@kernel.org
    Signed-off-by: David S. Miller

    Ben Hutchings
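
Added example, not the kernel's code or the actual patch: a user-space C model of the 32-bit size computation that the ETHTOOL_GRXCLSRLALL commit above describes, with an unchecked multiplication beside a bounds-checked one. The function names are hypothetical, and the 4-byte per-rule size is an assumption inferred from the 0x40000000 threshold in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

#define RULE_SIZE 4u    /* assumed per-rule size: 0x40000000 * 4 == 2^32 */

/* A 32-bit size_t is modelled with uint32_t so the wrap shows on any host. */
static uint32_t buf_size_unchecked(uint32_t rule_cnt)
{
    return rule_cnt * RULE_SIZE;            /* wraps modulo 2^32 */
}

/* Returns the buffer size, or -1 when the product does not fit in 32 bits. */
static int64_t buf_size_checked(uint32_t rule_cnt)
{
    if (rule_cnt > UINT32_MAX / RULE_SIZE)
        return -1;                          /* reject before allocating */
    return (int64_t)(rule_cnt * RULE_SIZE);
}

/* Bytes by which the unchecked buffer falls short of what rule_cnt needs. */
static uint64_t shortfall(uint32_t rule_cnt)
{
    uint64_t needed = (uint64_t)rule_cnt * RULE_SIZE;

    return needed - buf_size_unchecked(rule_cnt);
}

int main(void)
{
    /* Constructed sample counts around the threshold from the commit. */
    const uint32_t samples[] = { 16u, 0x3fffffffu, 0x40000000u, 0x40000001u };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = samples[i];

        printf("rule_cnt=0x%08x unchecked=%u checked=%lld shortfall=%llu\n",
               (unsigned)n, (unsigned)buf_size_unchecked(n),
               (long long)buf_size_checked(n),
               (unsigned long long)shortfall(n));
    }
    return 0;
}
```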
     

28 Jun, 2010

1 commit

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (52 commits)
    phylib: Add autoload support for the LXT973 phy.
    ISDN: hysdn, fix potential NULL dereference
    vxge: fix memory leak in vxge_alloc_msix() error path
    isdn/gigaset: correct CAPI connection state storage
    isdn/gigaset: encode HLC and BC together
    isdn/gigaset: correct CAPI DATA_B3 Delivery Confirmation
    isdn/gigaset: correct CAPI voice connection encoding
    isdn/gigaset: honor CAPI application's buffer size request
    cpmac: do not leak struct net_device on phy_connect errors
    smc91c92_cs: fix the problem that lan & modem does not work simultaneously
    ipv6: fix NULL reference in proxy neighbor discovery
    Bluetooth: Bring back var 'i' increment
    xfrm: check bundle policy existance before dereferencing it
    sky2: enable rx/tx in sky2_phy_reinit()
    cnic: Disable statistics initialization for eth clients that do not support statistics
    net: add dependency on fw class module to qlcnic and netxen_nic
    snmp: fix SNMP_ADD_STATS()
    hso: remove setting of low_latency flag
    udp: Fix bogus UFO packet generation
    lasi82596: fix netdev_mc_count conversion
    ...

    Linus Torvalds
     

26 Jun, 2010

1 commit

  • The addition of TLLAO option created a kernel OOPS regression
    for the case where neighbor advertisement is being sent via
    proxy path. When using proxy, ipv6_get_ifaddr() returns NULL
    causing the NULL dereference.

    Change causing the bug was:
    commit f7734fdf61ec6bb848e0bafc1fb8bad2c124bb50
    Author: Octavian Purdila
    Date: Fri Oct 2 11:39:15 2009 +0000

    make TLLAO option for NA packets configurable

    Signed-off-by: Stephen Hemminger
    Acked-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller

    stephen hemminger
     

25 Jun, 2010

2 commits

  • commit ff6e2163f28a1094fb5ca5950fe2b43c3cf6bc7a accidentally added a
    regression on the bnep code. Fixing it.

    Signed-off-by: Gustavo F. Padovan
    Signed-off-by: David S. Miller

    Gustavo F. Padovan
     
  • Fix the bundle validation code to not assume having a valid policy.
    When we have multiple transformations for a xfrm policy, the bundle
    instance will be a chain of bundles with only the first one having
    the policy reference. When policy_genid is bumped it will expire the
    first bundle in the chain which is equivalent of expiring the whole
    chain.

    Reported-bisected-and-tested-by: Justin P. Mattock
    Signed-off-by: Timo Teräs
    Signed-off-by: David S. Miller

    Timo Teräs
     

23 Jun, 2010

1 commit

  • If the attempt to read the calldir fails, then instead of storing the read
    bytes, we currently discard them. This leads to a garbage final result when
    upon re-entry to the same routine, we read the remaining bytes.

    Fixes the regression in bugzilla number 16213. Please see
    https://bugzilla.kernel.org/show_bug.cgi?id=16213

    Signed-off-by: Trond Myklebust
    Cc: stable@kernel.org

    Trond Myklebust
     

22 Jun, 2010

1 commit

  • It has been reported that the new UFO software fallback path
    fails under certain conditions with NFS. I tracked the problem
    down to the generation of UFO packets that are smaller than the
    MTU. The software fallback path simply discards these packets.

    This patch fixes the problem by not generating such packets on
    the UFO path.

    Signed-off-by: Herbert Xu
    Reviewed-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller

    Herbert Xu