summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2008-01-11[AX25] af_ax25: Possible circular locking.Jarek Poplawski1-0/+12
Bernard Pidoux F6BVP reported: > When I killall kissattach I can see the following message. > > This happens on kernel 2.6.24-rc5 already patched with the 6 previously > patches I sent recently. > > > ======================================================= > [ INFO: possible circular locking dependency detected ] > 2.6.23.9 #1 > ------------------------------------------------------- > kissattach/2906 is trying to acquire lock: > (linkfail_lock){-+..}, at: [<d8bd4603>] ax25_link_failed+0x11/0x39 [ax25] > > but task is already holding lock: > (ax25_list_lock){-+..}, at: [<d8bd7c7c>] ax25_device_event+0x38/0x84 > [ax25] > > which lock already depends on the new lock. > > > the existing dependency chain (in reverse order) is: ... lockdep is worried about the different order here: #1 (rose_neigh_list_lock){-+..}: #3 (ax25_list_lock){-+..}: #0 (linkfail_lock){-+..}: #1 (rose_neigh_list_lock){-+..}: #3 (ax25_list_lock){-+..}: #0 (linkfail_lock){-+..}: So, ax25_list_lock could be taken before and after linkfail_lock. I don't know if this three-thread clutch is very probable (or possible at all), but it seems another bug reported by Bernard ("[...] system impossible to reboot with linux-2.6.24-rc5") could have similar source - namely ax25_list_lock held by ax25_kill_by_device() during ax25_disconnect(). It looks like the only place which calls ax25_disconnect() this way, so I guess, it isn't necessary. This patch is breaking the lock for ax25_disconnect(). Reported-and-tested-by: Bernard Pidoux <f6bvp@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-10[AX25]: Kill user triggable printks.maximilian attems1-21/+18
sfuzz can easily trigger any of those. move the printk message to the corresponding comment: makes the intention of the code clear and easy to pick up on an scheduled removal. as bonus simplify the braces placement. Signed-off-by: maximilian attems <max@stro.at> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-10[IPV4] ROUTE: fix rcu_dereference() uses in /proc/net/rt_cacheEric Dumazet1-3/+3
In rt_cache_get_next(), no need to guard seq->private by a rcu_dereference() since seq is private to the thread running this function. Reading seq.private once (as guaranted bu rcu_dereference()) or several time if compiler really is dumb enough wont change the result. But we miss real spots where rcu_dereference() are needed, both in rt_cache_get_first() and rt_cache_get_next() Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-10[NEIGH]: Fix race between neigh_parms_release and neightbl_fill_parmsPavel Emelyanov1-2/+2
The neightbl_fill_parms() is called under the write-locked tbl->lock and accesses the parms->dev. The negh_parm_release() calls the dev_put(parms->dev) without this lock. This creates a tiny race window on which the parms contains potentially stale dev pointer. To fix this race it's enough to move the dev_put() upper under the tbl->lock, but note, that the parms are held by neighbors and thus can live after the neigh_parms_release() is called, so we still can have a parm with bad dev pointer. I didn't find where the neigh->parms->dev is accessed, but still think that putting the dev is to be done in a place, where the parms are really freed. Am I right with that? Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[ATM]: Check IP header validity in mpc_send_packetHerbert Xu1-0/+7
Al went through the ip_fast_csum callers and found this piece of code that did not validate the IP header. While root crashing the machine by sending bogus packets through raw or AF_PACKET sockets isn't that serious, it is still nice to react gracefully. This patch ensures that the skb has enough data for an IP header and that the header length field is valid. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[IPV6]: IPV6_MULTICAST_IF setting is ignored on link-local connect()Brian Haley1-3/+3
Signed-off-by: Brian Haley <brian.haley@hp.com> Acked-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[XFRM]: xfrm_algo_clone() allocates too much memoryEric Dumazet1-11/+6
alg_key_len is the length in bits of the key, not in bytes. Best way to fix this is to move alg_len() function from net/xfrm/xfrm_user.c to include/net/xfrm.h, and to use it in xfrm_algo_clone() alg_len() is renamed to xfrm_alg_len() because of its global exposition. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[LRO] Fix lro_mgr->features checksBrice Goglin1-8/+8
lro_mgr->features contains a bitmask of LRO_F_* values which are defined as power of two, not as bit indexes. They must be checked with x&LRO_F_FOO, not with test_bit(LRO_F_FOO,&x). Signed-off-by: Brice Goglin <Brice.Goglin@inria.fr> Acked-by: Andrew Gallatin <gallatin@myri.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[NET]: Clone the sk_buff 'iif' field in __skb_clone()Paul Moore1-5/+6
Both NetLabel and SELinux (other LSMs may grow to use it as well) rely on the 'iif' field to determine the receiving network interface of inbound packets. Unfortunately, at present this field is not preserved across a skb clone operation which can lead to garbage values if the cloned skb is sent back through the network stack. This patch corrects this problem by properly copying the 'iif' field in __skb_clone() and removing the 'iif' field assignment from skb_act_clone() since it is no longer needed. Also, while we are here, put the assignments in the same order as the offsets to reduce cacheline bounces. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[IPV4] ROUTE: ip_rt_dump() is unecessary slowEric Dumazet1-4/+4
I noticed "ip route list cache x.y.z.t" can be *very* slow. While strace-ing -T it I also noticed that first part of route cache is fetched quite fast : recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\ 202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202 GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041> while the part at the end of the table is more expensive: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2 \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848> The following patch corrects this performance/latency problem, removing quadratic behavior. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[NET]: Stop polling when napi_disable() is pending.David S. Miller1-2/+6
This finally adds the code in net_rx_action() to break out of the ->poll()'ing loop when a napi_disable() is found to be pending. Now, even if a device is being flooded with packets it can be cleanly brought down. Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09mac80211: return an error when SIWRATE doesn't match any rateAndrew Lutomirski1-3/+3
Currently mac80211 fails silently when trying to set a nonexistent rate. Return an error instead. Signed-Off-By: Andy Lutomirski <luto@myrealbox.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-01-09[IRDA]: irda_create() nuke user triggable printkmaximilian attems1-2/+0
easy to trigger as user with sfuzz. irda_create() is quiet on unknown sock->type, match this behaviour for SOCK_DGRAM unknown protocol Signed-off-by: maximilian attems <max@stro.at> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[SCTP]: Add back the code that accounted for FORWARD_TSN parameter in INIT.Vlad Yasevich1-0/+6
Some recent changes completely removed accounting for the FORWARD_TSN parameter length in the INIT and INIT-ACK chunk. This is wrong and should be restored. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[SCTP]: Correctly handle AUTH parameters in unexpected INITVlad Yasevich1-22/+0
When processing an unexpected INIT chunk, we do not need to do any preservation of the old AUTH parameters. In fact, doing such preservations will nullify AUTH and allow connection stealing. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[SCTP]: Fix the name of the authentication event.Vlad Yasevich1-1/+1
The even should be called SCTP_AUTHENTICATION_INDICATION. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[IPV4] ipconfig: Fix regression in ip command line processingAmos Waterland1-4/+18
The recent changes for ip command line processing fixed some problems but unfortunately broke some common usage scenarios. In current 2.6.24-rc6 the following command line results in no IP address assignment, which is surely a regression: ip=10.0.2.15::10.0.2.2:255.255.255.0::eth0:off Please find below a patch that works for all cases I can find. Signed-off-by: Amos Waterland <apw@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-09[IPV4] raw: Strengthen check on validity of iph->ihlHerbert Xu1-1/+3
We currently check that iph->ihl is bounded by the real length and that the real length is greater than the minimum IP header length. However, we did not check the caes where iph->ihl is less than the minimum IP header length. This breaks because some ip_fast_csum implementations assume that which is quite reasonable. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-04[INET]: Fix netdev renaming and inet address labelsMark McLoughlin1-1/+1
When re-naming an interface, the previous secondary address labels get lost e.g. $> brctl addbr foo $> ip addr add 192.168.0.1 dev foo $> ip addr add 192.168.0.2 dev foo label foo:00 $> ip addr show dev foo | grep inet inet 192.168.0.1/32 scope global foo inet 192.168.0.2/32 scope global foo:00 $> ip link set foo name bar $> ip addr show dev bar | grep inet inet 192.168.0.1/32 scope global bar inet 192.168.0.2/32 scope global bar:2 Turns out to be a simple thinko in inetdev_changename() - clearly we want to look at the address label, rather than the device name, for a suffix to retain. Signed-off-by: Mark McLoughlin <markmc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-04[XFRM]: Do not define km_migrate() if !CONFIG_XFRM_MIGRATEEric Dumazet1-0/+2
In include/net/xfrm.h we find : #ifdef CONFIG_XFRM_MIGRATE extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles); ... #endif We can also guard the function body itself in net/xfrm/xfrm_state.c with same condition. (Problem spoted by sparse checker) make C=2 net/xfrm/xfrm_state.o ... net/xfrm/xfrm_state.c:1765:5: warning: symbol 'km_migrate' was not declared. Should it be static? ... Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-04[X25]: Add missing x25_neigh_putJulia Lawall1-2/+3
The function x25_get_neigh increments a reference count. At the point of the second goto out, the result of calling x25_get_neigh is only stored in a local variable, and thus no one outside the function will be able to decrease the reference count. Thus, x25_neigh_put should be called before the return in this case. The problem was found using the following semantic match. (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ type T,T1,T2; identifier E; statement S; expression x1,x2,x3; int ret; @@ T E; ... * if ((E = x25_get_neigh(...)) == NULL) S ... when != x25_neigh_put(...,(T1)E,...) when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...} when != x1 = (T1)E when != E = x3; when any if (...) { ... when != x25_neigh_put(...,(T2)E,...) when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...} when != x2 = (T2)E ( * return; | * return ret; ) } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-03NFS: add newline to kernel warning message in auth_gss codeJames Morris1-1/+1
Add newline to kernel warning message in gss_create(). Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2007-12-30[BLUETOOTH]: put_device before device_del fixDave Young2-9/+2
Because of workqueue delay, the put_device could be called before device_del, so move it to del_conn. Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-30[TCP]: use non-delayed ACK for congestion control RTTGavin McCullagh1-8/+11
When a delayed ACK representing two packets arrives, there are two RTT samples available, one for each packet. The first (in order of seq number) will be artificially long due to the delay waiting for the second packet, the second will trigger the ACK and so will not itself be delayed. According to rfc1323, the SRTT used for RTO calculation should use the first rtt, so receivers echo the timestamp from the first packet in the delayed ack. For congestion control however, it seems measuring delayed ack delay is not desirable as it varies independently of congestion. The patch below causes seq_rtt and last_ackt to be updated with any available later packet rtts which should have less (and hopefully zero) delack delay. The rtt value then gets passed to ca_ops->pkts_acked(). Where TCP_CONG_RTT_STAMP was set, effort was made to supress RTTs from within a TSO chunk (!fully_acked), using only the final ACK (which includes any TSO delay) to generate RTTs. This patch removes these checks so RTTs are passed for each ACK to ca_ops->pkts_acked(). For non-delay based congestion control (cubic, h-tcp), rtt is sometimes used for rtt-scaling. In shortening the RTT, this may make them a little less aggressive. Delay-based schemes (eg vegas, veno, illinois) should get a cleaner, more accurate congestion signal, particularly for small cwnds. The congestion control module can potentially also filter out bad RTTs due to the delayed ack alarm by looking at the associated cnt which (where delayed acking is in use) should probably be 1 if the alarm went off or greater if the ACK was triggered by a packet. Signed-off-by: Gavin McCullagh <gavin.mccullagh@nuim.ie> Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-29[IPV4] Fix ip=dhcp regressionSimon Horman1-0/+1
David Brownell pointed out a regression in my recent "Fix ip command line processing" patch. It turns out to be a fairly blatant oversight on my part whereby ic_enable is never set, and thus autoconfiguration is never enabled. Clearly my testing was broken :-( The solution that I have is to set ic_enable to 1 if we hit ip_auto_config_setup(), which basically means that autoconfiguration is activated unless told otherwise. I then flip ic_enable to 0 if ip=off, ip=none, ip=::::::off or ip=::::::none using ic_proto_name(); The incremental patch is below, let me know if a non-incremental version is prepared, as I did as for the original patch to be reverted pending a fix. Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-27[IPV4]: Fix ip command line processing.Simon Horman1-6/+4
Recently the documentation in Documentation/nfsroot.txt was update to note that in fact ip=off and ip=::::::off as the latter is ignored and the default (on) is used. This was certainly a step in the direction of reducing confusion. But it seems to me that the code ought to be fixed up so that ip=::::::off actually turns off ip autoconfiguration. This patch also notes more specifically that ip=on (aka ip=::::::on) is the default. Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-27[NETFILTER]: nf_conntrack_ipv4: fix module parameter compatibilityPatrick McHardy2-2/+6
Some users do "modprobe ip_conntrack hashsize=...". Since we have the module aliases this loads nf_conntrack_ipv4 and nf_conntrack, the hashsize parameter is unknown for nf_conntrack_ipv4 however and makes it fail. Allow to specify hashsize= for both nf_conntrack and nf_conntrack_ipv4. Note: the nf_conntrack message in the ringbuffer will display an incorrect hashsize since nf_conntrack is first pulled in as a dependency and calculates the size itself, then it gets changed through a call to nf_conntrack_set_hashsize(). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-27mac80211: warn when receiving frames with unaligned dataJohannes Berg1-0/+13
This patch makes mac80211 warn (once) when the driver passes up a frame in which the payload data is not aligned on a four-byte boundary, with a long comment for people who run into the condition and need to know what to do. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-12-27mac80211: round station cleanup timerJohannes Berg1-2/+5
The station cleanup timer runs every ten seconds, the exact timing is not relevant at all so it can well run together with other things to save power. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-12-21[IPV4]: OOPS with NETLINK_FIB_LOOKUP netlink socketDenis V. Lunev1-3/+6
[ Regression added by changeset: cd40b7d3983c708aabe3d3008ec64ffce56d33b0 [NET]: make netlink user -> kernel interface synchronious -DaveM ] nl_fib_input re-reuses incoming skb to send the reply. This means that this packet will be freed twice, namely in: - netlink_unicast_kernel - on receive path Use clone to send as a cure, the caller is responsible for kfree_skb on error. Thanks to Alexey Dobryan, who originally found the problem. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[NET]: Fix function put_cmsg() which may cause usr application memory overflowWei Yongjun2-0/+4
When used function put_cmsg() to copy kernel information to user application memory, if the memory length given by user application is not enough, by the bad length calculate of msg.msg_controllen, put_cmsg() function may cause the msg.msg_controllen to be a large value, such as 0xFFFFFFF0, so the following put_cmsg() can also write data to usr application memory even usr has no valid memory to store this. This may cause usr application memory overflow. int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) { struct cmsghdr __user *cm = (__force struct cmsghdr __user *)msg->msg_control; struct cmsghdr cmhdr; int cmlen = CMSG_LEN(len); ~~~~~~~~~~~~~~~~~~~~~ int err; if (MSG_CMSG_COMPAT & msg->msg_flags) return put_cmsg_compat(msg, level, type, len, data); if (cm==NULL || msg->msg_controllen < sizeof(*cm)) { msg->msg_flags |= MSG_CTRUNC; return 0; /* XXX: return error? check spec. */ } if (msg->msg_controllen < cmlen) { ~~~~~~~~~~~~~~~~~~~~~~~~ msg->msg_flags |= MSG_CTRUNC; cmlen = msg->msg_controllen; } cmhdr.cmsg_level = level; cmhdr.cmsg_type = type; cmhdr.cmsg_len = cmlen; err = -EFAULT; if (copy_to_user(cm, &cmhdr, sizeof cmhdr)) goto out; if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr))) goto out; cmlen = CMSG_SPACE(len); ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If MSG_CTRUNC flags is set, msg->msg_controllen is less than CMSG_SPACE(len), "msg->msg_controllen -= cmlen" will cause unsinged int type msg->msg_controllen to be a large value. ~~~~~~~~~~~~~~~~~~~~~~~~~~~ msg->msg_control += cmlen; msg->msg_controllen -= cmlen; ~~~~~~~~~~~~~~~~~~~~~ err = 0; out: return err; } The same promble exists in put_cmsg_compat(). This patch can fix this problem. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[NETFILTER] ipv4: Spelling fixesJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[NETFILTER]: Spelling fixesJoe Perches1-2/+2
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[SCTP]: Spelling fixesJoe Perches1-4/+4
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[NETLABEL]: Spelling fixesJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[PKT_SCHED]: Spelling fixesJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[NET] net/core/: Spelling fixesJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[IPV6]: Spelling fixesJoe Perches1-1/+1
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[IRDA]: Spelling fixesJoe Perches5-10/+10
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-21[DCCP]: Spelling fixesJoe Perches2-2/+2
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20[NET]: Correct two mistaken skb_reset_mac_header() conversions.David S. Miller2-2/+2
This operation helper abstracts: skb->mac_header = skb->data; but it was done in two more places which were actually: skb->mac_header = skb->network_header; and those are corrected here. Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20[IPV4] ip_gre: set mac_header correctly in receive pathTimo Teras1-1/+1
mac_header update in ipgre_recv() was incorrectly changed to skb_reset_mac_header() when it was introduced. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20[XFRM]: Audit function arguments misorderedPaul Moore2-4/+4
In several places the arguments to the xfrm_audit_start() function are in the wrong order resulting in incorrect user information being reported. This patch corrects this by pacing the arguments in the correct order. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20[IPSEC]: Avoid undefined shift operation when testing algorithm IDHerbert Xu1-2/+12
The aalgos/ealgos fields are only 32 bits wide. However, af_key tries to test them with the expression 1 << id where id can be as large as 253. This produces different behaviour on different architectures. The following patch explicitly checks whether ID is greater than 31 and fails the check if that's the case. We cannot easily extend the mask to be longer than 32 bits due to exposure to user-space. Besides, this whole interface is obsolete anyway in favour of the xfrm_user interface which doesn't use this bit mask in templates (well not within the kernel anyway). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20[IPV4] ARP: Remove not used codeMark Ryden1-2/+1
In arp_process() (net/ipv4/arp.c), there is unused code: definition and assignment of tha (target hw address ). Signed-off-by: Mark Ryden <markryde@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-12-20NET: mac80211: fix inappropriate memory freeingCyrill Gorcunov1-1/+1
Fix inappropriate memory freeing in case of requested rate_control_ops was not found. In this case the list head entity is going to be accidentally wasted. Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Acked-by: Michael Wu <flamingice@sourmilk.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-12-20mac80211: fix header opsJohannes Berg1-1/+0
When using recvfrom() on a SOCK_DGRAM packet socket, I noticed that the MAC address passed back for wireless frames was always completely wrong. The reason for this is that the header parse function assigned to our virtual interfaces is a function parsing an 802.11 rather than 802.3 header. This patch fixes it by keeping the default ethernet header operations assigned. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-12-20mac80211: Drop out of associated state if link is lostMichael Wu1-6/+2
There is no point in staying in IEEE80211_ASSOCIATED if there is no sta_info entry to receive frames with. Signed-off-by: Michael Wu <flamingice@sourmilk.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-12-18Merge branch 'upstream-linus' of ↵Linus Torvalds1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: (23 commits) iwlwifi: fix rf_kill state inconsistent during suspend and resume b43: Fix rfkill radio LED bcm43xx_debugfs sscanf fix libertas: select WIRELESS_EXT iwlwifi3945/4965: fix rate control algo reference leak ieee80211_rate: missed unlock wireless/ipw2200.c: add __dev{init,exit} annotations zd1211rw: Fix alignment problems libertas: add Dan Williams as maintainer sis190 endianness ucc_geth: really fix section mismatch pcnet_cs: add new id ixgb: make sure jumbos stay enabled after reset Net: ibm_newemac, remove SPIN_LOCK_UNLOCKED net: smc911x: shut up compiler warnings ucc_geth: minor whitespace fix drivers/net/s2io.c section fixes drivers/net/sis190.c section fix hamachi endianness fixes e100: free IRQ to remove warningwhenrebooting ...
2007-12-18Merge branch 'fixes-jgarzik' of ↵Jeff Garzik1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes