- 26 Nov, 2007 3 commits
-
-
Herbert Xu authored
The skb_morph function only freed the data part of the dst skb, but leaked the auxiliary data such as the netfilter fields. This patch fixes this by moving the relevant parts from __kfree_skb to skb_release_all and calling it in skb_morph. It also makes kfree_skbmem static since it's no longer called anywhere else and it now no longer does skb_release_data. Thanks to Yasuyuki KOZAKAI for finding this problem and posting a patch for it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Pavel Emelyanov authored
The inet_ehash_locks_alloc() looks like this: #ifdef CONFIG_NUMA if (size > PAGE_SIZE) x = vmalloc(...); else #endif x = kmalloc(...); Unlike it, the inet_ehash_locks_alloc() looks like this: #ifdef CONFIG_NUMA if (size > PAGE_SIZE) vfree(x); else #else kfree(x); #endif The error is obvious - if the NUMA is on and the size is less than the PAGE_SIZE we leak the pointer (kfree is inside the #else branch). Compiler doesn't warn us because after the kfree(x) there's a "x = NULL" assignment, so here's another (minor?) bug: we don't set x to NULL under certain circumstances. Boring explanation, I know... Patch explains it better. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The change 050f009e [IPSEC]: Lock state when copying non-atomic fields to user-space caused a regression. Ingo Molnar reports that it causes a potential dead-lock found by the lock validator as it tries to take x->lock within xfrm_state_lock while numerous other sites take the locks in opposite order. For 2.6.24, the best fix is to simply remove the added locks as that puts us back in the same state as we've been in for years. For later kernels a proper fix would be to reverse the locking order for every xfrm state user such that if x->lock is taken together with xfrm_state_lock then it is to be taken within it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 23 Nov, 2007 2 commits
-
-
Ilpo Järvinen authored
The original code has striking complexity to perform a query which can be reduced to a very simple compare. FIN seqno may be included to write_seq but it should not make any significant difference here compared to skb->len which was used previously. One won't end up there with SYN still queued. Use of write_seq check guarantees that there's a valid skb in send_head so I removed the extra check. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Acked-by: John Heffner <jheffner@psc.edu> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Ilpo Järvinen authored
It seems that the checked range for receiver window check should begin from the first rather than from the last skb that is going to be included to the probe. And that can be achieved without reference to skbs at all, snd_nxt and write_seq provides the correct seqno already. Plus, it SHOULD account packets that are necessary to trigger fast retransmit [RFC4821]. Location of snd_wnd < probe_size/size_needed check is bogus because it will cause the other if() match as well (due to snd_nxt >= snd_una invariant). Removed dead obvious comment. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 22 Nov, 2007 5 commits
-
-
Gabriel Craciunescu authored
Your mail to 'Tlan-devel' with the subject drivers/net/tlan question Is being held until the list moderator can review it for approval. The reason it is being held: Post by non-member to a members-only list Signed-off-by: Gabriel Craciunescu <nix.or.die@googlemail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Jiri Slaby authored
SPIN_LOCK_UNLOCKED is deprecated, use DEFINE_SPINLOCK instead Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Adrian Bunk authored
xs_setup_{udp,tcp}() can now become static. Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Charles Hardin authored
From: Charles Hardin <chardin@2wire.com> Kernel needs to respond to an SADB_GET with the same message type to conform to the RFC 2367 Section 3.1.5 Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Pavel Emelyanov authored
Found this occasionally. The CONFIG_INET=n is hardly ever set, but if it is the irlan_eth_send_gratuitous_arp() compilation should produce a warning about unused variable in_dev. Too pedantic? :) Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 21 Nov, 2007 7 commits
-
-
Pavel Emelyanov authored
This is silly, but I have turned the CONFIG_IP_VS to m, to check the compilation of one (recently sent) fix and set all the CONFIG_IP_VS_PROTO_XXX options to n to speed up the compilation. In this configuration the compiler warns me about CC [M] net/ipv4/ipvs/ip_vs_proto.o net/ipv4/ipvs/ip_vs_proto.c:49: warning: 'register_ip_vs_protocol' defined but not used Indeed. With no protocols selected there are no calls to this function - all are compiled out with ifdefs. Maybe the best fix would be to surround this call with ifdef-s or tune the Kconfig dependences, but I think that marking this register function as __used is enough. No? Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jonas Danielsson authored
Fix arp reply when received arp probe with sender ip 0. Send arp reply with target ip address 0.0.0.0 and target hardware address set to hardware address of requester. Previously sent reply with target ip address and target hardware address set to same as source fields. Signed-off-by: Jonas Danielsson <the.sator@gmail.com> Acked-by: Alexey Kuznetov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YOSHIFUJI Hideaki authored
Due to the bug, refcnt for md5sig pool was leaked when an user try to delete a key if we have more than one key. In addition to the leakage, we returned incorrect return result value for userspace. This fix should close Bug #9418, reported by <ming-baini@163.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YOSHIFUJI Hideaki authored
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YOSHIFUJI Hideaki authored
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YOSHIFUJI Hideaki authored
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 20 Nov, 2007 19 commits
-
-
Guillaume Chazarain authored
if (net_ratelimit()) IEEE80211_DEBUG_DROP(...) can pollute the logs with messages like: printk: 1 messages suppressed. printk: 2 messages suppressed. printk: 7 messages suppressed. if debugging information is disabled. These messages are printed by net_ratelimit(). Add a wrapper to net_ratelimit() that takes into account the log level, so that net_ratelimit() is called only when we really want to print something. Signed-off-by: Guillaume Chazarain <guichaz@yahoo.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Bruno Randolf authored
Signed-off-by: Bruno Randolf <bruno@thinktube.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
When an interface with promisc/allmulti bit is taken down, the mac80211 state can become confused. This fixes it by making mac80211 keep track of all *active* interfaces that have the promisc/allmulti bit set in the sdata, we sync the interface bit into sdata at set_multicast_list() time so this works. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
I recently experienced unexplainable behaviour with the b43 driver when I had broken firmware uploaded. The cause may have been that promisc mode was not correctly enabled or disabled and this bug may have been the cause. Note how the values are compared later in the function so just doing the & will result in the wrong thing being compared and the test being false almost always. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Evgeniy Polyakov authored
When connection tracking entry (nf_conn) is about to copy itself it can have some of its extension users (like nat) as being already freed and thus not required to be copied. Actually looking at this function I suspect it was copied from nf_nat_setup_info() and thus bug was introduced. Report and testing from David <david@unsolicited.net>. [ Patrick McHardy states: I now understand whats happening: - new connection is allocated without helper - connection is REDIRECTed to localhost - nf_nat_setup_info adds NAT extension, but doesn't initialize it yet - nf_conntrack_alter_reply performs a helper lookup based on the new tuple, finds the SIP helper and allocates a helper extension, causing reallocation because of too little space - nf_nat_move_storage is called with the uninitialized nat extension So your fix is entirely correct, thanks a lot :) ] Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than sizeof(struct iwreq). For GET calls, the wireless extension code copies back into userspace using sizeof(struct ifreq) but userspace and elsewhere only allocates a "struct iwreq". Thus, this copy writes past the end of the iwreq object and corrupts whatever sits after it in memory. Fix the copy_to_user() length. This particularly hurts the compat case because the wireless compat code uses compat_alloc_userspace() and right after this allocated buffer is the current bottom of the user stack, and that's what gets overwritten by the copy_to_user() call. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sam Jansen authored
From: "Sam Jansen" <sjansen@google.com> sysctl_tcp_congestion_control seems to have a bug that prevents it from actually calling the tcp_set_default_congestion_control function. This is not so apparent because it does not return an error and generally the /proc interface is used to configure the default TCP congestion control algorithm. This is present in 2.6.18 onwards and probably earlier, though I have not inspected 2.6.15--2.6.17. sysctl_tcp_congestion_control calls sysctl_string and expects a successful return code of 0. In such a case it actually sets the congestion control algorithm with tcp_set_default_congestion_control. Otherwise, it returns the value returned by sysctl_string. This was correct in 2.6.14, as sysctl_string returned 0 on success. However, sysctl_string was updated to return 1 on success around about 2.6.15 and sysctl_tcp_congestion_control was not updated. Even though sysctl_tcp_congestion_control returns 1, do_sysctl_strategy converts this return code to '0', so the caller never notices the error. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ilpo Jrvinen authored
When the abstraction functions got added, conversion here was made incorrectly. As a result, the skb may end up pointing to skb which got included to the probe skb and then was freed. For it to trigger, however, skb_transmit must fail sending as well. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pavel Emelyanov authored
The pktgen_output_ipsec() function can unlock this lock twice due to merged error and plain paths. Remove one of the calls to spin_unlock. Other possible solution would be to place "return 0" right after the first unlock, but at this place the err is known to be 0, so these solutions are the same except for this one makes the code shorter. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Simon Horman authored
Switch the remaining IPVS sysctl entries over to to use CTL_UNNUMBERED, I stronly doubt that anyone is using the sys_sysctl interface to these variables. Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Simon Horman authored
sysctl table check failed: /net/ipv4/vs/lblc_expiration .3.5.21.19 Missing strategy [...] sysctl table check failed: /net/ipv4/vs/lblcr_expiration .3.5.21.20 Missing strategy Switch these entried over to use CTL_UNNUMBERED as clearly the sys_syscal portion wasn't working. This is along the same lines as Christian Borntraeger's patch that fixes up entries with no stratergy in net/ipv4/ipvs/ip_vs_ctl.c Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Christian Borntraeger authored
Running the latest git code I get the following messages during boot: sysctl table check failed: /net/ipv4/vs/drop_entry .3.5.21.4 Missing strategy [...] sysctl table check failed: /net/ipv4/vs/drop_packet .3.5.21.5 Missing strategy [...] sysctl table check failed: /net/ipv4/vs/secure_tcp .3.5.21.6 Missing strategy [...] sysctl table check failed: /net/ipv4/vs/sync_threshold .3.5.21.24 Missing strategy I removed the binary sysctl handler for those messages and also removed the definitions in ip_vs.h. The alternative would be to implement a proper strategy handler, but syscall sysctl is deprecated. There are other sysctl definitions that are commented out or work with the default sysctl_data strategy. I did not touch these. Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 19 Nov, 2007 3 commits
-
-
Herbert Xu authored
Indeed my previous change to alloc_pskb has made it possible for the TCP header to be misaligned iff the MTU is not a multiple of 4 (and less than a page). So I suspect the optimised IPsec MTU calculation is giving you just such an MTU :) This patch fixes it by changing alloc_pskb to make sure that the size is at least 32-bit aligned. This does not cause the problem fixed by the previous patch because max_header is always 32-bit aligned which means that in the SG/NOTSO case this will be a no-op. I thought about putting this in the callers but all the current callers are from TCP. If and when we get a non-TCP caller we can always create a TCP wrapper for this function and move the alignment over there. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
It seems that stats of cpu 0 are counted twice, since for_each_possible_cpu() is looping on all possible cpus, including 0 Before percpu conversion of ip_rt_acct, we should also remove the assumption that CPU 0 is online (or even possible) Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ivo van Doorn authored
The usb max packet size won't change during the device's presence. We should store it in a variable inside rt2x00dev and use that. This should also fix a division error when the device is being hot-unplugged while a frame is being send out. Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 17 Nov, 2007 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86Linus Torvalds authored
* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86: x86: simplify "make ARCH=x86" and fix kconfig all.config x86: reboot fixup for wrap2c board x86: check boundary in count setup resource x86: fix reboot with no keyboard attached x86: add hpet sanity checks x86: on x86_64, correct reading of PC RTC when update in progress in time_64.c x86: fix freeze in x86_64 RTC update code in time_64.c ntp: fix typo that makes sync_cmos_clock erratic Remove x86 merge artifact from top Makefile x86: fixup cpu_info array conversion x86: show cpuinfo only for online CPUs x86: fix cpu-hotplug regression x86: ignore the sys_getcpu() tcache parameter x86: voyager use correct header file name x86: fix smp init sections x86: fix voyager_cat_init section x86: fix bogus memcpy in es7000_check_dsdt()
-