27 Mar, 2007
2 commits
-
Paul E. McKenney writes:
> Those of use who dive into networking only occasionally would much
> appreciate this. ;-)No problem here...
Acked-by: Robert Olsson
Signed-off-by: Paul E. McKenney (but trivial)
Signed-off-by: David S. Miller -
* d_alloc() in sock_attach_fd() fails leaving ->f_dentry of new file NULL
* bail out to out_fd label, doing fput()/__fput() on new file
* but __fput() assumes valid ->f_dentry and dereferences itSigned-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
26 Mar, 2007
9 commits
-
Ingress queueing uses a seperate lock for serializing enqueue operations,
but fails to properly protect itself against concurrent changes to the
qdisc tree. Use queue_lock for now since the real fix it quite intrusive.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.Reported by Chris Madden
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
dccp_write_xmit_timer() needlessly became global.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller -
As per RFC2461, section 6.3.6, item #2, when no routers on the
matching list are known to be reachable or probably reachable we
do round robin on those available routes so that we make sure
to probe as many of them as possible to detect when one becomes
reachable faster.Each routing table has a rwlock protecting the tree and the linked
list of routes at each leaf. The round robin code executes during
lookup and thus with the rwlock taken as a reader. A small local
spinlock tries to provide protection but this does not work at all
for two reasons:1) The round-robin list manipulation, as coded, goes like this (with
read lock held):walk routes finding head and tail
spin_lock();
rotate list using head and tail
spin_unlock();While one thread is rotating the list, another thread can
end up with stale values of head and tail and then proceed
to corrupt the list when it gets the lock. This ends up causing
the OOPS in fib6_add() later onthat many people have been hitting.2) All the other code paths that run with the rwlock held as
a reader do not expect the list to change on them, they
expect it to remain completely fixed while they hold the
lock in that way.So, simply stated, it is impossible to implement this correctly using
a manipulation of the list without violating the rwlock locking
semantics.Reimplement using a per-fib6_node round-robin pointer. This way we
don't need to manipulate the list at all, and since the round-robin
pointer can only ever point to real existing entries we don't need
to perform any locking on the changing of the round-robin pointer
itself. We only need to reset the round-robin pointer to NULL when
the entry it is pointing to is removed.The idea is from Thomas Graf and it is very similar to how this
was implemented before the advanced router selection code when in.Signed-off-by: David S. Miller
-
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
o The AX.25 Howto is unmaintained since several years. I've replaced it
with a wiki at http://www.linux-ax25.org which provides more uptodate
information.
o Change default for AX25_DAMA_SLAVE to Y. AX25_DAMA_SLAVE only compiles
in support for DAMA but doesn't activate it. I hope this gets Linux
distributions to ship their AX.25 kernels with AX25_DAMA_SLAVE enabled.
The price for this would be very small.
o Delete historic changelog from comments, that's what SCM systems are
meant to do.
o ---help--- in Kconfig looks so yellingly eye insulting. Use just help.
o Rewrite the commented out piece of old Linux 2.4 configuration language
to Kconfig for consistency.
o Fixup dependencies.Signed-off-by: Ralf Baechle
Signed-off-by: David S. Miller -
->neigh_destructor() is killed (not used), replaced with
->neigh_cleanup(), which is called when neighbor entry goes to dead
state. At this point everything is still valid: neigh->dev,
neigh->parms etc.The device should guarantee that dead neighbor entries (neigh->dead !=
0) do not get private part initialized, otherwise nobody will cleanup
it.I think this is enough for ipoib which is the only user of this thing.
Initialization private part of neighbor entries happens in ipib
start_xmit routine, which is not reached when device is down. But it
would be better to add explicit test for neigh->dead in any case.Signed-off-by: David S. Miller
-
Based upon a patch from Patrick McHardy.
The fib_rules netlink attribute policy introduced in 2.6.19 broke
userspace compatibilty. When specifying a rule with "from all"
or "to all", iproute adds a zero byte long netlink attribute,
but the policy requires all addresses to have a size equal to
sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
validation error.Check attribute length of FRA_SRC/FRA_DST in the generic framework
by letting the family specific rules implementation provide the
length of an address. Report an error if address length is non
zero but no address attribute is provided. Fix actual bug by
checking address length for non-zero instead of relying on
availability of attribute.Signed-off-by: Thomas Graf
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
25 Mar, 2007
1 commit
-
This is just a QA / cosmetic fix ..
[ "a modules" => "a module" ]
Signed-off-by: Linus Torvalds
23 Mar, 2007
6 commits
-
Currently NAT not only reroutes packets in the OUTPUT chain when the
routing key changed, but also if only the non-routing part of the
IPsec policy key changed. This breaks ping -I since it doesn't use
SO_BINDTODEVICE but IP_PKTINFO cmsg to specify the output device, and
this information is lost.Only do full rerouting if the routing key changed, and just do a new
policy lookup with the old route if only the ports changed.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
NF_CT_NETLINK=y, NF_NAT=m results in:
LD .tmp_vmlinux1
net/built-in.o: dans la fonction « nfnetlink_parse_nat_proto »:
nf_conntrack_netlink.c:(.text+0x28db9): référence indéfinie vers « nf_nat_proto_find_get »
nf_conntrack_netlink.c:(.text+0x28dd6): référence indéfinie vers « nf_nat_proto_put »
net/built-in.o: dans la fonction « ctnetlink_new_conntrack »:
nf_conntrack_netlink.c:(.text+0x29959): référence indéfinie vers « nf_nat_setup_info »
nf_conntrack_netlink.c:(.text+0x29b35): référence indéfinie vers « nf_nat_setup_info »
nf_conntrack_netlink.c:(.text+0x29cf7): référence indéfinie vers « nf_nat_setup_info »
nf_conntrack_netlink.c:(.text+0x29de2): référence indéfinie vers « nf_nat_setup_info »
make: *** [.tmp_vmlinux1] Erreur 1Reported by Kevin Baradon
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Turning up the warnings on gcc makes it emit warnings
about the placement of 'inline' in function declarations.
Here's everything that was under net/Signed-off-by: Dave Jones
Signed-off-by: David S. Miller -
Reset ssthresh to the correct value (peer's a_rwnd) when restarting
association.Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller -
br_fdb_get use atomic_inc to increase the refcount of an element found
on a RCU protected list, which can lead to the following race:CPU0 CPU1
br_fdb_get: rcu_read_lock
__br_fdb_get: find element
fdb_delete: hlist_del_rcu
br_fdb_put
br_fdb_put: atomic_dec_and_test
call_rcu(fdb_rcu_free) br_fdb_get: atomic_inc
rcu_read_unlock
fdb_rcu_free: kmem_cache_freeUse atomic_inc_not_zero instead.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
fib_rules_dump needs to use list_for_each_entry_rcu to protect against
concurrent changes to the rules list.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
20 Mar, 2007
7 commits
-
This patch adds a space between printing of the src and dst ipv6 addresses.
Otherwise, audit or other test tools may fail to process the audit
record properly because they cannot find the dst address.Signed-off-by: Joy Latten
Signed-off-by: David S. Miller -
This patch fixes two NULL dereferences spotted by the Coverity checker.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller -
If the association has been restarted, we need to reset the
transport congestion variables as well as accumulated error
counts and CACC variables. If we do not, the association
will use the wrong values and may terminate prematurely.This was found with a scenario where the peer restarted
the association when lksctp was in the last HB timeout for
its association. The restart happened, but the error counts
have not been reset and when the timeout occurred, a newly
restarted association was terminated due to excessive
retransmits.Signed-off-by: Vlad Yasevich
Signed-off-by: Sridhar Samudrala
Signed-off-by: David S. Miller -
2960bis states (Section 8.3):
D) Request an on-demand HEARTBEAT on a specific destination transport
address of a given association.The endpoint should increment the respective error counter of the
destination transport address each time a HEARTBEAT is sent to that
address and not acknowledged within one RTO.Signed-off-by: Vlad Yasevich
Signed-off-by: Sridhar Samudrala
Signed-off-by: David S. Miller -
During association restart we may have stale data sitting
on the ULP queue waiting for ordering or reassembly. This
data may cause severe problems if not cleaned up. In particular
stale data pending ordering may cause problems with receive
window exhaustion if our peer has decided to restart the
association.Signed-off-by: Vlad Yasevich
Signed-off-by: Sridhar Samudrala
Signed-off-by: David S. Miller -
We need to call ppp_unregister_channel() when IrNET disconnects, and this
must be done from a process context.Bug reported and patch tested by Guennadi Liakhovetski.
Signed-off-by: Samuel Ortiz
Signed-off-by: David S. Miller -
Without this initialization one gets
kernel BUG at kernel/rtmutex_common.h:80!
This patch should also be included in the -stable kernel.
Signed-off-by: G. Liakhovetski
Signed-off-by: Samuel Ortiz
Signed-off-by: David S. Miller
17 Mar, 2007
4 commits
-
The ipv6_fl_socklist from listening socket is inadvertently shared
with new socket created for connection. This leads to a variety of
interesting, but fatal, bugs. For example, removing one of the
sockets may lead to the other socket's encountering a page fault
when the now freed list is referenced.The fix is to not share the flow label list with the new socket.
Signed-off-by: Masayuki Nakagawa
Signed-off-by: David S. Miller -
Change tcp_mem initialization function. The fraction of total memory
is now a continuous function of memory size, and independent of page
size.Signed-off-by: John Heffner
Signed-off-by: David S. Miller -
ANK says: "It is rarely used, that's wy it was not noticed.
But in the places, where it is used, it should be disaster."Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller -
Hello, Just discussed this Patrick...
We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete
both are holding RTNL. So there shouldn't be need for this preempt stuff.
This is assumed to a leftover from an older RCU-take.> Mhh .. I think I just remembered something - me incorrectly suggesting
> to add it there while we were talking about this at OLS :) IIRC the
> idea was to make sure tnode_free (which at that time didn't use
> call_rcu) wouldn't free memory while still in use in a rcu read-side
> critical section. It should have been synchronize_rcu of course,
> but with tnode_free using call_rcu it seems to be completely
> unnecessary. So I guess we can simply remove it.Signed-off-by: Robert Olsson
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Mar, 2007
6 commits
-
I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol match. So when using both
AH and ESP, whichever one gets added first, deletes the larval SA.
It seems AH always gets added first and ESP is always the larval
SA's protocol since the xfrm->tmpl has it first. Thus causing the
additional km_query()Adding the check eliminates accidental double SA creation.
Signed-off-by: Joy Latten
Signed-off-by: David S. Miller -
Delete the apparently superfluous source file
net/wanrouter/af_wanpipe.c.Signed-off-by: Robert P. J. Day
Signed-off-by: David S. Miller -
Kill warning about unused variable `in_dev' when CONFIG_IP_MULTICAST
is not set.Signed-off-by: Geert Uytterhoeven
Signed-off-by: David S. Miller -
Especially if you actually try to do it ;-)
Signed-off-by: Ralf Baechle
Signed-off-by: David S. Miller -
Signed-off-by: Ralf Baechle
Signed-off-by: David S. Miller -
Commit 484b366932be0b73a22c74a82748ca10a721643e added support for the CIPSO
ranged categories tag. However, it appears that I made a mistake when rebasing
then patch to the latest upstream sources for submission and dropped the part
of the patch that actually parses the tag on incoming packets. This patch
fixes this mistake by adding the required function call to the
cipso_v4_skbuff_getattr() function.I've run this patch over the weekend and have not noticed any problems.
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
10 Mar, 2007
4 commits
-
User supplied len < 0 can cause leak of kernel memory.
Use unsigned compare instead.Signed-off-by: Chris Wright
Signed-off-by: David S. Miller -
I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155
Signed-off-by: Olaf Kirch
Acked-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
The TX CCID needs the write_xmit_timer for delaying packet sends. Previously
this timer was only activated on active (connecting) sockets.This patch initialises the write_xmit_timer in sync with the other timers, i.e.
the timer will be ready on any socket. This is used by applications with a
listening socket which start to stream after receiving an initiation by the
client. The write_xmit_timer is stopped when the application closes, as before.Was tested to work and to remove the timer bug reported on dccp@vger.
Also moved timer initialisation into timer.c (static).
Signed-off-by: Gerrit Renker
Acked-by: Ian McDonald
Signed-off-by: David S. Miller -
Return negative error value (embedded in the pointer) instead of
returning NULL.Signed-off-by: Evgeniy Polyakov
Signed-off-by: David S. Miller
09 Mar, 2007
1 commit
-
lockdep found that dev->lock taken from softirq in ipv6_add_addr
is also taken in sctp_v6_copy_addrlist with softirqs enabled, so
lockup is possible.Noticed-by: Simon Arlott
Signed-off-by: Jarek Poplawski
Signed-off-by: David S. Miller
