08 Oct, 2007

4 commits

  • When the ICMPv6 Target address is multicast, Linux processes the
    redirect instead of dropping it. The problem is in this code in
    ndisc_redirect_rcv():

    if (ipv6_addr_equal(dest, target)) {
            on_link = 1;
    } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
            ND_PRINTK2(KERN_WARNING
                       "ICMPv6 Redirect: target address is not link-local.\n");
            return;
    }

    This second check will succeed if the Target address is, for example,
    FF02::1 because it has link-local scope. Instead, it should be checking
    if it's a unicast link-local address, as stated in RFC 2461/4861 Section
    8.1:

    - The ICMP Target Address is either a link-local address (when
    redirected to a router) or the same as the ICMP Destination
    Address (when redirected to the on-link destination).

    I know this doesn't explicitly say unicast link-local address, but it's
    implied.

    This bug is preventing Linux kernels from achieving IPv6 Logo Phase II
    certification because of a recent error that was found in the TAHI test
    suite - Neighbor Discovery suite test 206 (v6LC.2.3.6_G) had the
    multicast address in the Destination field instead of Target field, so
    we were passing the test. This won't be the case anymore.

    The patch below fixes this problem, and also fixes ndisc_send_redirect()
    to not send an invalid redirect with a multicast address in the Target
    field. I re-ran the TAHI Neighbor Discovery section to make sure Linux
    passes all 245 tests now.

    Signed-off-by: Brian Haley
    Acked-by: David L Stevens
    Signed-off-by: David S. Miller

    Brian Haley
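    The Target check described in the commit above, written out as an added example (this is not the kernel's ndisc code, and the function names, the text-address wrapper and the sample addresses are this example's own). It puts the scope-only test that the commit identifies as the bug beside the RFC 4861 section 8.1 rule: the Target is either equal to the Destination (on-link) or a link-local unicast router address, and the Destination must not be multicast. ff02::1 has link-local scope, so the scope-only test lets it through as a next hop; the corrected check drops it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum redirect_verdict { REDIRECT_DROP = 0, REDIRECT_TO_ROUTER = 1, REDIRECT_ON_LINK = 2 };

static bool in6_multicast(const struct in6_addr *a)          /* ff00::/8 */
{
    return a->s6_addr[0] == 0xff;
}

static bool in6_unicast_linklocal(const struct in6_addr *a)  /* fe80::/10 */
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

static bool in6_mcast_linklocal_scope(const struct in6_addr *a)  /* ff?2::/16 */
{
    return in6_multicast(a) && (a->s6_addr[1] & 0x0f) == 0x02;
}

/* The shape of the pre-fix test: "Target has link-local scope", which a
 * multicast address such as ff02::1 satisfies. */
enum redirect_verdict redirect_target_check_scope_only(const struct in6_addr *dest,
                                                       const struct in6_addr *target)
{
    if (in6_multicast(dest))
        return REDIRECT_DROP;
    if (memcmp(dest, target, sizeof *dest) == 0)
        return REDIRECT_ON_LINK;
    if (!in6_unicast_linklocal(target) && !in6_mcast_linklocal_scope(target))
        return REDIRECT_DROP;
    return REDIRECT_TO_ROUTER;   /* accepts a multicast next hop */
}

/* RFC 4861 8.1: Target equals Destination (on-link) or is a link-local
 * *unicast* address of a router; a multicast Target is never valid. */
enum redirect_verdict redirect_target_check(const struct in6_addr *dest,
                                            const struct in6_addr *target)
{
    if (in6_multicast(dest))
        return REDIRECT_DROP;
    if (memcmp(dest, target, sizeof *dest) == 0)
        return REDIRECT_ON_LINK;
    if (in6_multicast(target) || !in6_unicast_linklocal(target))
        return REDIRECT_DROP;
    return REDIRECT_TO_ROUTER;
}

/* Convenience wrapper over text addresses; returns -1 if either fails to parse. */
int redirect_check_str(const char *dest, const char *target, bool scope_only)
{
    struct in6_addr d, t;
    if (inet_pton(AF_INET6, dest, &d) != 1 || inet_pton(AF_INET6, target, &t) != 1)
        return -1;
    return scope_only ? (int)redirect_target_check_scope_only(&d, &t)
                      : (int)redirect_target_check(&d, &t);
}

int main(void)
{
    /* Constructed sample: a redirect for 2001:db8::1 pointing at the all-nodes group. */
    printf("scope-only check, target ff02::1: %d (1 = accepted as router)\n",
           redirect_check_str("2001:db8::1", "ff02::1", true));
    printf("RFC 4861 check,   target ff02::1: %d (0 = dropped)\n",
           redirect_check_str("2001:db8::1", "ff02::1", false));
    printf("RFC 4861 check,   target fe80::1: %d (1 = accepted as router)\n",
           redirect_check_str("2001:db8::1", "fe80::1", false));
    return 0;
}
```

    The same multicast test belongs on the sending side as well; the commit notes that ndisc_send_redirect() was changed so that it never emits a Target of that form.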
     
  • Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Stephen Hemminger
     
  • Commit a3d384029aa304f8f3f5355d35f0ae274454f7cd aka
    "[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
    transformed rose_loopback_neigh var into statically allocated one.
    However, on unload it will be kfree'd, which can't work.

    Steps to reproduce:

    modprobe rose
    rmmod rose

    BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
    printing eip:
    c014c664
    *pde = 00000000
    Oops: 0000 [#1]
    PREEMPT DEBUG_PAGEALLOC
    Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
    CPU: 0
    EIP: 0060:[] Not tainted VLI
    EFLAGS: 00210086 (2.6.23-rc9 #3)
    EIP is at kfree+0x48/0xa1
    eax: 00000556 ebx: c1734aa0 ecx: f6a5e000 edx: f7082000
    esi: 00000000 edi: f9a55d20 ebp: 00200287 esp: f6a5ef28
    ds: 007b es: 007b fs: 0000 gs: 0033 ss: 0068
    Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
    Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00
    00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000
    f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000
    Call Trace:
    [] rose_rt_free+0x1d/0x49 [rose]
    [] rose_rt_free+0x1d/0x49 [rose]
    [] rose_exit+0x4c/0xd5 [rose]
    [] sys_delete_module+0x15e/0x186
    [] remove_vma+0x40/0x45
    [] sysenter_past_esp+0x8f/0x99
    [] trace_hardirqs_on+0x118/0x13b
    [] sysenter_past_esp+0x5f/0x99
    =======================
    Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f
    EIP: [] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller

    Alexey Dobriyan
     
  • When only GSO skb was partially ACKed, no hints are reset,
    therefore fastpath_cnt_hint must be tweaked too or else it can
    corrupt fackets_out. For the corruption to occur, one must have
    a non-trivial ACK/SACK sequence, so this bug is not very often
    harmful. There's a fackets_out state reset in TCP because
    fackets_out is known to be inaccurate and that fixes the issue
    eventually anyway.

    In case there was also at least one skb that got fully ACKed,
    the fastpath_skb_hint is set to NULL which causes a recount for
    fastpath_cnt_hint (the old value won't be accessed anymore),
    thus it can safely be decremented without additional checking.

    Reported by Cedric Le Goater

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller

    Ilpo Järvinen
     

04 Oct, 2007

1 commit


03 Oct, 2007

1 commit

  • CC net/ieee80211/softmac/ieee80211softmac_wx.o
    /home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c: In function ‘ieee80211softmac_wx_set_essid’:
    /home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c:117: warning: label ‘out’ defined but not used

    due to commit: efe870f9f4ad74410a18ecbf0d9ba7c14b50a0fb. Removing the label.

    Signed-off-by: Richard Knutsson
    Signed-off-by: John W. Linville

    Richard Knutsson
     

02 Oct, 2007

2 commits

  • Reported by Chris Evans :

    > The summary is that an evil 80211 frame can crash out a victim's
    > machine. It only applies to drivers using the 80211 wireless code, and
    > only then to certain drivers (and even then depends on a card's
    > firmware not dropping a dubious packet). I must confess I'm not
    > keeping track of Linux wireless support, and the different protocol
    > stacks etc.
    >
    > Details are as follows:
    >
    > ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
    > There are other skb->len checks, but not enough to prevent a subtle
    > off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
    > set.
    >
    > This leads to integer underflow and crash here:
    >
    > if (frag != 0)
    > flen -= hdrlen;
    >
    > (flen is subsequently used as a memcpy length parameter).

    How about this?

    Signed-off-by: John W. Linville
    Signed-off-by: David S. Miller

    John W. Linville
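    The length arithmetic from the report above, as an added example (not the ieee80211 stack's code; the function names and sample frames are this example's own, and the Frame Control bit values are assumed to match the Linux definitions). The header length of an 802.11 data frame is 24 bytes, 30 with a fourth address, plus 2 when the QoS Data subtype bit is set. Subtracting that from the frame length without first checking that the frame holds the header wraps an unsigned value, which is the "off-by-two" the report describes: a 24-byte frame whose FC claims QoS Data yields a length of 0xfffffffe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FCTL_FTYPE      0x000c
#define FCTL_TODS       0x0100
#define FCTL_FROMDS     0x0200
#define FTYPE_DATA      0x0008
#define STYPE_QOS_DATA  0x0080

/* Header length as a receive path derives it from the Frame Control field. */
size_t ieee80211_hdrlen(uint16_t fc)
{
    size_t hdrlen = 24;
    if ((fc & (FCTL_TODS | FCTL_FROMDS)) == (FCTL_TODS | FCTL_FROMDS))
        hdrlen += 6;                                   /* Address 4 present */
    if ((fc & FCTL_FTYPE) == FTYPE_DATA && (fc & STYPE_QOS_DATA))
        hdrlen += 2;                                   /* QoS Control field */
    return hdrlen;
}

/* Shape of the bug: unsigned subtraction with no "len >= hdrlen" check.
 * The result later reaches memcpy as a length. */
uint32_t payload_len_unchecked(uint16_t fc, size_t len)
{
    uint32_t flen = (uint32_t)len;
    flen -= (uint32_t)ieee80211_hdrlen(fc);
    return flen;
}

static uint16_t frame_fc(const uint8_t *frame)         /* FC is little-endian on the wire */
{
    return (uint16_t)(frame[0] | (frame[1] << 8));
}

/* Hardened: validate the frame before any arithmetic on its length.
 * Returns the payload length, or -1 if the frame is shorter than its header. */
long frame_payload_len(const uint8_t *frame, size_t len)
{
    if (len < 2)                                       /* no Frame Control field at all */
        return -1;
    size_t hdrlen = ieee80211_hdrlen(frame_fc(frame));
    if (len < hdrlen)
        return -1;
    return (long)(len - hdrlen);
}

/* Constructed sample frames: FC bytes first, remaining bytes zero. */
const uint8_t sample_qos_data_24[24]   = { 0x88, 0x00 };   /* QoS Data, header only 24 bytes long */
const uint8_t sample_qos_data_30[30]   = { 0x88, 0x00 };   /* QoS Data, 26-byte header + 4 bytes payload */
const uint8_t sample_plain_data_24[24] = { 0x08, 0x00 };   /* Data, exactly one 24-byte header */

int main(void)
{
    printf("unchecked, QoS Data in 24 bytes: 0x%08x\n",
           payload_len_unchecked(frame_fc(sample_qos_data_24), sizeof sample_qos_data_24));
    printf("checked,   QoS Data in 24 bytes: %ld\n",
           frame_payload_len(sample_qos_data_24, sizeof sample_qos_data_24));
    printf("checked,   QoS Data in 30 bytes: %ld\n",
           frame_payload_len(sample_qos_data_30, sizeof sample_qos_data_30));
    return 0;
}
```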
     
  • This is followup to Patrick's patch. A little optimization to enqueue
    routine allows to remove artificial limitation on queue length.

    Plus, testing showed that hash function used by SFQ is too bad or even worse.
    It does not even sweep the whole range of hash values.
    Switched to Jenkins' hash.

    Signed-off-by: Alexey Kuznetsov
    Signed-off-by: David S. Miller

    Alexey Kuznetsov
     

29 Sep, 2007

1 commit

  • Based upon a report and initial patch by Peter Lieven.

    tcp4_md5sig_key and tcp6_md5sig_key need to start with
    the exact same members as tcp_md5sig_key. Because they
    are both cast to that type by tcp_v{4,6}_md5_do_lookup().

    Unfortunately tcp{4,6}_md5sig_key use a u16 for the key
    length instead of a u8, which is what tcp_md5sig_key
    uses. This just so happens to work by accident on
    little-endian, but on big-endian it doesn't.

    Instead of casting, just place tcp_md5sig_key as the first member of
    the address-family specific structures, adjust the access sites, and
    kill off the ugly casts.

    Signed-off-by: David S. Miller

    David S. Miller
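    The layout mismatch in the commit above, as an added example (these are not the kernel's structures; only the field names key and keylen and the struct names follow the commit text, and the helper names are this example's own). The old AF-specific struct repeats the generic struct's members but widens keylen to a u16, and the lookup casts to the generic type and reads a u8 at that offset. On a little-endian machine the first byte of the u16 is the low byte, so small lengths read correctly by accident; on big-endian the first byte is the high byte, which is 0 for any length below 256. The example stores the u16 as the byte pattern each machine would hold so that both outcomes can be shown on one host, and then shows the fix of embedding the generic struct as the first member.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic key as the lookup helper sees it. */
struct tcp_md5sig_key {
    uint8_t *key;
    uint8_t  keylen;
};

/* Old AF-specific form: same leading member, keylen widened to u16. */
struct tcp4_md5sig_key_old {
    uint8_t  *key;
    uint16_t  keylen;
    uint32_t  addr;
};

/* What a lookup that casts to struct tcp_md5sig_key reads as keylen.
 * The u16 is written as the byte pattern a little- or big-endian host would
 * hold, then read back as a single byte at the u8 member's offset, which is
 * exactly what the cast did. */
uint8_t keylen_via_cast(uint16_t keylen, bool big_endian_layout)
{
    struct tcp4_md5sig_key_old k = { .key = NULL, .keylen = 0, .addr = 0 };
    uint8_t bytes[2];
    if (big_endian_layout) {
        bytes[0] = (uint8_t)(keylen >> 8);
        bytes[1] = (uint8_t)keylen;
    } else {
        bytes[0] = (uint8_t)keylen;
        bytes[1] = (uint8_t)(keylen >> 8);
    }
    memcpy(&k.keylen, bytes, sizeof bytes);
    const uint8_t *raw = (const uint8_t *)&k;
    return raw[offsetof(struct tcp_md5sig_key, keylen)];
}

/* Fixed form: the generic struct is the first member, so there is one keylen
 * type and no cast; a lookup is simply handed &k.base. */
struct tcp4_md5sig_key {
    struct tcp_md5sig_key base;
    uint32_t addr;
};

size_t generic_offset_in_v4(void)
{
    return offsetof(struct tcp4_md5sig_key, base);
}

uint8_t keylen_via_embedding(uint8_t keylen)
{
    struct tcp4_md5sig_key k = { .base = { .key = NULL, .keylen = keylen }, .addr = 0 };
    const struct tcp_md5sig_key *g = &k.base;
    return g->keylen;
}

int main(void)
{
    printf("cast, little-endian layout, keylen 16: %u\n", keylen_via_cast(16, false));
    printf("cast, big-endian layout,    keylen 16: %u\n", keylen_via_cast(16, true));
    printf("embedded generic struct,    keylen 16: %u\n", keylen_via_embedding(16));
    return 0;
}
```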
     

28 Sep, 2007

1 commit

  • This fixes kernel bugzilla #5731

    It should generate an empty packet for datagram protocols when the
    socket is connected, for one.

    The check is doubly-wrong because all that a write() can be is a
    sendmsg() call with a NULL msg_control and a single entry iovec. No
    special semantics should be assigned to it, therefore the zero length
    check should be removed entirely.

    This matches the behavior of BSD and several other systems.

    Alan Cox notes that SuSv3 says the behavior of a zero length write on
    non-files is "unspecified", but that's kind of useless since BSD has
    defined this behavior for a quarter century and BSD is essentially
    what application folks code to.

    Based upon a patch from Stephen Hemminger.

    Signed-off-by: David S. Miller

    David S. Miller
     

27 Sep, 2007

1 commit


26 Sep, 2007

12 commits

  • * 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
    [PPP_MPPE]: Don't put InterimKey on the stack
    SCTP : Add parameters validity check for ASCONF chunk
    SCTP: Discard OOTB packets with bundled INIT early.
    SCTP: Clean up OOTB handling and fix infinite loop processing
    SCTP: Explicitly discard OOTB chunks
    SCTP: Send ABORT chunk with correct tag in response to INIT ACK
    SCTP: Validate buffer room when processing sequential chunks
    [PATCH] mac80211: fix initialisation when built-in
    [PATCH] net/mac80211/wme.c: fix sparse warning
    [PATCH] cfg80211: fix initialisation if built-in
    [PATCH] net/wireless/sysfs.c: Shut up build warning

    Linus Torvalds
     
  • If ADDIP is enabled, when an ASCONF chunk is received with the ASCONF
    parameter length set to zero, this will cause an infinite loop.
    By the way, if a malformed ASCONF chunk is received, it will cause
    processing to access memory without verifying.

    This is because the validity of the parameters in the ASCONF chunk is not checked.
    This patch fixes this.

    Signed-off-by: Wei Yongjun
    Signed-off-by: Vlad Yasevich

    Wei Yongjun
     
  • RFC 4460 and future RFC 4960 (2960-bis) specify that packets
    with bundled INIT chunks need to be dropped. We currently do
    that only after processing any leading chunks. For OOTB chunks,
    since we already walk the entire packet, we should discard packets
    with bundled INITs.

    There are other chunks that MUST NOT be bundled, but the spec
    is silent on their treatment. Thus, we'll leave their treatment
    alone for the moment.

    Signed-off-by: Vlad Yasevich
    Acked-by: Wei Yongjun

    Vlad Yasevich
     
  • While processing OOTB chunks as well as chunks with an invalid
    length of 0, it was possible for SCTP to get wedged inside an
    infinite loop because we didn't catch the condition correctly,
    or didn't mark the packet for discard correctly.
    This work is based on original findings and work by
    Wei Yongjun

    Signed-off-by: Vlad Yasevich

    Vlad Yasevich
     
  • Explicitly discard OOTB chunks, whether the result is a
    SHUTDOWN COMPLETE or an ABORT. We need to discard the OOTB
    SHUTDOWN ACK to prevent bombing attacks since responses
    MUST NOT be bundled. We also explicitly discard in the
    ABORT case since that function is widely used internally.

    Signed-off-by: Vlad Yasevich
    Acked-by: Neil Horman

    Vlad Yasevich
     
  • When an SCTP client receives an INIT ACK chunk with a missing mandatory
    parameter such as the "cookie parameter", it will send back an ABORT
    with the T-bit not set and the verification tag set to 0.
    This is because before we accept this INIT ACK chunk, we do not know
    the peer's tag. This patch changes this to reflect the vtag when responding to
    an INIT ACK with a missing mandatory parameter.

    Signed-off-by: Wei Yongjun
    Signed-off-by: Vlad Yasevich

    Wei Yongjun
     
  • When we process bundled chunks, we need to make sure that
    the skb has the buffer for each header since we assume it's
    always there. Some malicious node can send us something like
    DATA + 2 bytes and we'll try to walk off the end referencing
    potentially uninitialized memory.

    Signed-off-by: Vlad Yasevich

    Vlad Yasevich
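    The two walking problems in this series, the zero-length ASCONF parameter that never advances the cursor and the "DATA + 2 bytes" packet that is shorter than the header it announces, come from the same missing checks, so here is one added example covering both (not the kernel's SCTP code; the walker, its names and the sample buffers are this example's own). SCTP chunk headers (type:8, flags:8, length:16) and parameter headers (type:16, length:16) both carry a big-endian length at offset 2 that includes the 4-byte header and excludes the padding to a 4-byte boundary, so a single walker serves both levels. The unchecked variant keeps a step cap only so that the non-terminating case can be shown; the real loop had none.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_TLV_HDR 4
#define SCTP_WORD_ROUND(n) (((n) + 3) & ~(size_t)3)

enum { SCTP_TLV_BAD = -1, SCTP_TLV_NO_PROGRESS = -2 };

static uint16_t tlv_length(const uint8_t *hdr)
{
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* Shape of the bug: the declared length is trusted. A length of 0 leaves
 * the cursor where it is, so the loop never ends (step_limit stands in for
 * "the machine wedged"). */
int sctp_count_tlvs_nolenchk(const uint8_t *buf, size_t len, int step_limit)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < SCTP_TLV_HDR)
            return SCTP_TLV_BAD;
        if (n >= step_limit)
            return SCTP_TLV_NO_PROGRESS;
        off += SCTP_WORD_ROUND((size_t)tlv_length(buf + off));
        n++;
    }
    return n;
}

/* Hardened walker: every header must be present, every declared length must
 * cover at least the header, and the padded record must fit in the buffer.
 * Returns the record count, or SCTP_TLV_BAD for a packet to be discarded. */
int sctp_count_tlvs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < SCTP_TLV_HDR)          /* "DATA + 2 bytes": header truncated */
            return SCTP_TLV_BAD;
        uint16_t declared = tlv_length(buf + off);
        if (declared < SCTP_TLV_HDR)           /* 0..3: could never advance */
            return SCTP_TLV_BAD;
        size_t padded = SCTP_WORD_ROUND((size_t)declared);
        if (padded > remaining)                /* body or its padding runs off the end */
            return SCTP_TLV_BAD;
        off += padded;
        n++;
    }
    return n;
}

/* Constructed samples (chunk lists start after the 12-byte common header). */
const uint8_t sample_two_chunks[36] = {
    0x00, 0x03, 0x00, 0x14,        /* DATA, flags B|E, length 20 */
    0x00, 0x00, 0x00, 0x01,        /* TSN */
    0x00, 0x00, 0x00, 0x00,        /* stream id, stream seq */
    0x00, 0x00, 0x00, 0x00,        /* payload protocol id */
    0xde, 0xad, 0xbe, 0xef,        /* 4 bytes of user data */
    0x03, 0x00, 0x00, 0x10,        /* SACK, length 16 */
    0x00, 0x00, 0x00, 0x01,        /* cumulative TSN ack */
    0x00, 0x01, 0x00, 0x00,        /* a_rwnd */
    0x00, 0x00, 0x00, 0x00         /* gap ack blocks, dup TSNs: none */
};
const uint8_t sample_data_plus_2[6]    = { 0x00, 0x03, 0x00, 0x14, 0xde, 0xad }; /* claims 20, carries 2 */
const uint8_t sample_header_only_2[2]  = { 0x00, 0x03 };                         /* not even a header */
const uint8_t sample_zero_len_param[8] = { 0xc0, 0x01, 0x00, 0x00, 0, 0, 0, 0 };   /* ASCONF Add IP Address, length 0 */
const uint8_t sample_padded_param[8]   = { 0xc0, 0x04, 0x00, 0x05, 0x01, 0, 0, 0 }; /* 1-byte value, 3 bytes padding */

int main(void)
{
    printf("two chunks:        %d\n", sctp_count_tlvs(sample_two_chunks, sizeof sample_two_chunks));
    printf("DATA + 2 bytes:    %d\n", sctp_count_tlvs(sample_data_plus_2, sizeof sample_data_plus_2));
    printf("zero-length param: %d (checked)\n", sctp_count_tlvs(sample_zero_len_param, sizeof sample_zero_len_param));
    printf("zero-length param: %d (unchecked, capped at 16 steps)\n",
           sctp_count_tlvs_nolenchk(sample_zero_len_param, sizeof sample_zero_len_param, 16));
    return 0;
}
```

    The "padded > remaining" test is stricter than a check against the declared length alone: a receiver that advances by the rounded length, as the walker does, has to require the padding bytes to be present on the wire, otherwise the final record of a packet could push the cursor past the buffer.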
     
  • When mac80211 is built into the kernel it needs to init earlier
    so that device registrations are run after it has initialised.
    The same applies to rate control algorithms.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • wme.c triggers a sparse warning; it wasn't noticed before because until
    recently ARRAY_SIZE triggered a sparse error.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • When cfg80211 is built into the kernel it needs to init earlier
    so that device registrations are run after it has initialised.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • net/wireless/sysfs.c:108: warning: ‘wiphy_uevent’ defined but not used

    when CONFIG_HOTPLUG=n is because the only usage site of this function
    is #ifdef'ed as such, so let's #ifdef the definition also.

    Signed-off-by: Satyam Sharma
    Acked-by: Johannes Berg
    Signed-off-by: John W. Linville

    Satyam Sharma
     
  • …nville/wireless-2.6 into upstream-fixes

    Jeff Garzik
     

21 Sep, 2007

4 commits

  • Commit 4cf92a3c was submitted as a fix for bug #8686 at bugzilla.kernel.org
    (http://bugzilla.kernel.org/show_bug.cgi?id=8686). Unfortunately, the fix led to
    a new bug, reported by Yoshifuji Hideaki, that prevented association for WEP
    encrypted networks that use ifconfig to control the device. This patch effectively
    reverts the earlier commit and does a proper fix for bug #8686.

    Signed-off-by: Larry Finger
    Signed-off-by: John W. Linville

    Larry Finger
     
  • We upgraded the kernel of a nfs-server from 2.6.17.11 to 2.6.22.6. Since
    then we get the message

    lockd: too many open TCP sockets, consider increasing the number of nfsd threads
    lockd: last TCP connect from ^\\236^\É^D

    These random characters in the second line are caused by a bug in
    svc_tcp_accept.

    (Note: there are two previous __svc_print_addr(sin, buf, sizeof(buf))
    calls in this function, either of which would initialize buf correctly;
    but both are inside "if"'s and are not necessarily executed. This is
    less obvious in the second case, which is inside a dprintk(), which is a
    macro which expands to an if statement.)

    Signed-off-by: Wolfgang Walter
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Linus Torvalds

    Wolfgang Walter
     
  • Acked-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Alexey Kuznetsov
     
  • The following patch fixes the handling of netlink packets containing
    multiple messages.

    As exposed during the netfilter workshop, nfnetlink_log was overwriting the
    message type of the last message (setting it to MSG_DONE) in a multipart
    packet. The consequence was that libnfnetlink ignored the last message in the
    packet.

    The following patch adds a supplementary message (with type MSG_DONE) at
    the end of the netlink skb.

    Signed-off-by: Eric Leblond
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Eric Leblond
     

17 Sep, 2007

9 commits

  • * 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
    [VLAN]: Fix net_device leak.
    [PPP] generic: Fix receive path data clobbering & non-linear handling
    [PPP] generic: Call skb_cow_head before scribbling over skb
    [NET] skbuff: Add skb_cow_head
    [BRIDGE]: Kill clone argument to br_flood_*
    [PPP] pppoe: Fill in header directly in __pppoe_xmit
    [PPP] pppoe: Fix data clobbering in __pppoe_xmit and return value
    [PPP] pppoe: Fix skb_unshare_check call position
    [SCTP]: Convert bind_addr_list locking to RCU
    [SCTP]: Add RCU synchronization around sctp_localaddr_list
    [PKT_SCHED]: sch_cbq.c: Shut up uninitialized variable warning
    [PKTGEN]: srcmac fix
    [IPV6]: Fix source address selection.
    [IPV4]: Just increment OutDatagrams once per a datagram.
    [IPV6]: Just increment OutDatagrams once per a datagram.
    [IPV6]: Fix unbalanced socket reference with MSG_CONFIRM.
    [NET_SCHED] protect action config/dump from irqs
    [NET]: Fix two issues wrt. SO_BINDTODEVICE.

    Linus Torvalds
     
  • In "[VLAN]: Move device registation to seperate function" (commit
    e89fe42cd03c8fd3686df82d8390a235717a66de), a pile of code got moved
    to register_vlan_dev(), including grabbing a reference to underlying
    device. However, original dev_hold() had been left behind, so we
    leak a reference to net_device now...

    Signed-off-by: Al Viro
    Signed-off-by: David S. Miller

    Al Viro
     
  • This patch adds an optimised version of skb_cow that avoids the copy if
    the header can be modified even if the rest of the payload is cloned.

    This can be used in encapsulating paths where we only need to modify the
    header. As it is, this can be used in PPPOE and bridging.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • The clone argument is only used by one caller and that caller can clone
    the packet itself. This patch moves the clone call into the caller and
    kills the clone argument.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • Since the sctp_sockaddr_entry is now RCU enabled as part of
    the patch to synchronize sctp_localaddr_list, it makes sense to
    change all handling of these entries to RCU. This includes the
    sctp_bind_addrs structure and its list of bound addresses.

    This list is currently protected by an external rw_lock and that
    looks like an overkill. There are only 2 writers to the list:
    bind()/bindx() calls, and BH processing of ASCONF-ACK chunks.
    These are already serialized via the socket lock, so they will
    not step on each other. These are also relatively rare, so we
    should be good with RCU.

    The readers are varied and they are easily converted to RCU.

    Signed-off-by: Vlad Yasevich
    Acked-by: Paul E. McKenney
    Acked-by: Sridhar Samdurala
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • sctp_localaddr_list is modified dynamically via NETDEV_UP
    and NETDEV_DOWN events, but there is no synchronization
    between the writer (event handler) and readers. As a result,
    the readers can access an entry that has been freed and
    crash the system.

    Signed-off-by: Vlad Yasevich
    Acked-by: Paul E. McKenney
    Acked-by: Sridhar Samdurala
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • net/sched/sch_cbq.c: In function 'cbq_enqueue':
    net/sched/sch_cbq.c:383: warning: 'ret' may be used uninitialized in this function

    has been verified to be a bogus case. So let's shut it up.

    Signed-off-by: Satyam Sharma
    Acked-by: Patrick McHardy
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    Satyam Sharma
     
  • From: Adit Ranadive

    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    Adit Ranadive
     
  • The commit 95c385 broke proper source address selection for cases in which
    there is an address which is marked 'deprecated'. The commit mistakenly
    changed ifa->flags to ifa_result->flags (probably a copy/paste error from a
    few lines above) in the 'Rule 3' address selection code.

    The patch restores the previous RFC-compliant behavior.

    Signed-off-by: Jiri Kosina
    Signed-off-by: David S. Miller

    Jiri Kosina
     

15 Sep, 2007

4 commits