summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2007-01-27[PATCH] knfsd: fix an NFSD bug with full sized, non-page-aligned readsNeilBrown1-0/+2
NFSd assumes that largest number of pages that will be needed for a request+response is 2+N where N pages is the size of the largest permitted read/write request. The '2' are 1 for the non-data part of the request, and 1 for the non-data part of the reply. However, when a read request is not page-aligned, and we choose to use ->sendfile to send it directly from the page cache, we may need N+1 pages to hold the whole reply. This can overflow and array and cause an Oops. This patch increases size of the array for holding pages by one and makes sure that entry is NULL when it is not in use. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-01-27[PATCH] knfsd: fix setting of ACL server versionsNeilBrown1-1/+2
Due to silly typos, if the nfs versions are explicitly set, no NFSACL versions get enabled. Also improve an error message that would have made this bug a little easier to find. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-01-24[PATCH] NFS: Fix Oops in rpc_call_sync()Trond Myklebust2-6/+5
Fix the Oops in http://bugzilla.linux-nfs.org/show_bug.cgi?id=138 We shouldn't be calling rpc_release_task() for tasks that are not active. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-01-24[SCTP]: Fix compiler warning.Brian Haley1-3/+0
> --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -462,24 +461,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, > - if (!init_tag) { > - struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); > - if (!reply) > - goto nomem; This introduced a compiler warning, easily fixed. Signed-off-by: Brian Haley <brian.haley@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[IPV6]: Fixed the size of the netlink message notified by inet6_rt_notify().Noriaki TAKAMIYA1-0/+1
I think the return value of rt6_nlmsg_size() should includes the amount of RTA_METRICS. Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[TCP]: rare bad TCP checksum with 2.6.19Jarek Poplawski1-1/+2
The patch "Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE" changed to unconditional copying of ip_summed field from collapsed skb. This patch reverts this change. The majority of substantial work including heavy testing and diagnosing by: Michael Tokarev <mjt@tls.msk.ru> Possible reasons pointed by: Herbert Xu and Patrick McHardy. Signed-off-by: Jarek Poplawski <jarkao2@o2.pl> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24Merge master.kernel.org:/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6David S. Miller1-2/+8
2007-01-24[TCP]: skb is unexpectedly freed.Masayuki Nakagawa1-2/+4
I encountered a kernel panic with my test program, which is a very simple IPv6 client-server program. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server. (If you need the test program, please let me know. I can provide it.) This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state(TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb(). However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic. I suggest to use kfree_skb() instead of __kfree_skb(). Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[IPSEC]: Policy list disorderHerbert Xu1-11/+5
The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[X.25]: Add missing sock_put in x25_receive_dataAndrew Hendry1-0/+1
__x25_find_socket does a sock_hold. This adds a missing sock_put in x25_receive_data. Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[SCTP]: Fix SACK sequence during shutdownVlad Yasevich1-1/+1
Currently, when association enters SHUTDOWN state,the implementation will SACK any DATA first and then transmit the SHUTDOWN chunk. This is against the order required by 2960bis spec. SHUTDOWN must always be first, followed by SACK. This change forces this order and also enables bundling. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[SCTP]: Correctly handle unexpected INIT-ACK chunk.Vlad Yasevich2-1/+23
Consider the chunk as Out-of-the-Blue if we don't have an endpoint. Otherwise discard it as before. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[SCTP]: Verify some mandatory parameters.Vlad Yasevich2-20/+3
Verify init_tag and a_rwnd mandatory parameters in INIT and INIT-ACK chunks. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[SCTP]: Set correct error cause value for missing parametersVlad Yasevich1-1/+1
sctp_process_missing_param() needs to use the SCTP_ERROR_MISS_PARAM error cause value. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error pathPatrick McHardy2-2/+2
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[IPV6] MCAST: Fix joining all-node multicast group on device initialization.YOSHIFUJI Hideaki2-6/+6
Join all-node multicast group after assignment of dev->ip6_ptr because it must be assigned when ipv6_dev_mc_inc() is called. This fixes Bug#7817, reported by <gernoth@informatik.uni-erlangen.de>. Closes: 7817 Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[IPSEC] flow: Fix potential memory leakHerbert Xu1-16/+10
When old flow cache entries that are not at the head of their chain trigger a transient security error they get unlinked along with all the entries preceding them in the chain. The preceding entries are not freed correctly. This patch fixes this by simply leaving the entry around. It's based on a suggestion by Venkat Yekkirala. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-24[PATCH] email change for shemminger@osdl.orgStephen Hemminger1-1/+1
Change my email address to reflect OSDL merger. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> [ The irony. Somebody still has his sign-off message hardcoded in a script or his brainstem ;^] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-01-23[Bluetooth] Restrict well known PSM to privileged usersMarcel Holtmann1-0/+6
The PSM values below 0x1001 of L2CAP are reserved for well known services. Restrict the possibility to bind them to privileged users. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-23[Bluetooth] Missing endian swapping for L2CAP socket listMarcel Holtmann1-2/+2
The PSM value in the L2CAP socket list must be converted to host order before printing it. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-10[IPV4] devinet: inetdev_init out label moved after RCU assignmentJarek Poplawski1-1/+2
inetdev_init out label moved after RCU assignment (final suggestion by Herbert Xu) Signed-off-by: Jarek Poplawski <jarkao2@o2.pl> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-10[INET]: style updates for the inet_sock->is_icsk assignment fixPaul Moore2-2/+2
A quick patch to change the inet_sock->is_icsk assignment to better fit with existing kernel coding style. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-10[SCTP]: Fix err_hdr assignment in sctp_init_cause.Vlad Yasevich1-2/+2
The subh->err_hdr should point to the error header, not the data. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-10[NETFILTER]: nf_nat: fix hanging connections when loading the NAT modulePatrick McHardy1-1/+1
When loading the NAT module, existing connection tracking entries don't have room for NAT information allocated and packets are dropped, causing hanging connections. They really should be entered into the NAT table as NULL mappings, but the current allocation scheme doesn't allow this. For now simply accept those packets to avoid the hanging connections. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-10[NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragmentsPatrick McHardy1-0/+2
When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-09[TCP]: Fix iov_len calculation in tcp_v4_send_ack().Craig Schlenter1-1/+1
This fixes the ftp stalls present in the current kernels. All credit goes to Komuro <komurojun-mbn@nifty.com> for tracking this down. The patch is untested but it looks *cough* obviously correct. Signed-off-by: Craig Schlenter <craig@codefountain.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-09[NETFILTER]: nf_conntrack_netbios_ns: fix uninitialized member in expectationPatrick McHardy1-0/+1
->helper is uninitialized in the expectation registered by the netbios_ns helper and it later copied to the expected connection, which causes invalid memory dereferences when trying to call the helper. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-09NetLabel: correct CIPSO tag handling when adding new DOI definitionsPaul Moore1-3/+3
The current netlbl_cipsov4_add_common() function has two problems which are fixed with this patch. The first is an off-by-one bug where it is possibile to overflow the doi_def->tags[] array. The second is a bug where the same doi_def->tags[] array was not always fully initialized, which caused sporadic failures. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2007-01-09[Bluetooth] Handle device registration failuresMarcel Holtmann1-1/+6
In the case the device registration for a new Bluetooth low-level connection fails there is no need to unregister it when the temporary data structure has been removed. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-09[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()Marcel Holtmann1-3/+6
When calling send() with a zero length parameter on a RFCOMM socket it returns a positive value. In this rare case the variable err is used uninitialized and unfortunately its value is returned. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-09[Bluetooth] More checks if DLC is still attached to the TTYMarcel Holtmann1-7/+15
If the DLC device is no longer attached to the TTY device, then return errors or default values for various callbacks of the TTY layer. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-09[Bluetooth] Add packet size checks for CAPI messagesMarcel Holtmann1-6/+33
With malformed packets it might be possible to overwrite internal CMTP and CAPI data structures. This patch adds additional length checks to prevent these kinds of remote attacks. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-01-09[X25]: Trivial, SOCK_DEBUG's in x25_facilities missing newlinesAndrew Hendry1-6/+6
Trivial. Newlines missing on the SOCK_DEBUG's for X.25 facility negotiation. Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-09[INET]: Fix incorrect "inet_sock->is_icsk" assignment.Paul Moore2-2/+2
The inet_create() and inet6_create() functions incorrectly set the inet_sock->is_icsk field. Both functions assume that the is_icsk field is large enough to hold at least a INET_PROTOSW_ICSK value when it is actually only a single bit. This patch corrects the assignment by doing a boolean comparison whose result will safely fit into a single bit field. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[IPV4/IPV6]: Fix inet{,6} device initialization order.David L Stevens2-4/+5
It is important that we only assign dev->ip{,6}_ptr only after all portions of the inet{,6} are setup. Otherwise we can receive packets before the multicast spinlocks et al. are initialized. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER]: ebtables: don't compute gap before checking struct typeChuck Ebbert1-1/+2
We cannot compute the gap until we know we have a 'struct ebt_entry' and not 'struct ebt_entries'. Failure to check can cause crash. Tested-by: Santiago Garcia Mantinan <manty@manty.net> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER]: nf_nat: fix MASQUERADE crash on device downMartin Josefsson1-1/+4
Check the return value of nfct_nat() in device_cmp(), we might very well have non NAT conntrack entries as well (Netfilter bugzilla #528). Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER]: New connection tracking is not EXPERIMENTAL anymorePatrick McHardy2-15/+14
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER]: Fix routing of REJECT target generated packets in output chainPatrick McHardy1-2/+5
Packets generated by the REJECT target in the output chain have a local destination address and a foreign source address. Make sure not to use the foreign source address for the output route lookup. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER]: compat offsets size changeDmitry Mishin1-5/+5
Used by compat code offsets of entries should be 'unsigned int' as entries array size has this dimension. Signed-off-by: Dmitry Mishin <dim@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[X25]: proper prototype for x25_init_timers()Adrian Bunk1-2/+0
This patch adds a proper prototype for x25_init_timers() in include/net/x25.h Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[AF_NETLINK]: module_put cleanupMariusz Kozlowski1-2/+1
This patch removes redundant argument check for module_put(). Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[XFRM_USER]: avoid pointless void ** castsChristoph Hellwig1-31/+42
All ->doit handlers want a struct rtattr **, so pass down the right type. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[NETFILTER] xt_hashlimit.c: fix typoAlexey Dobriyan1-1/+1
Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-04[PKTGEN]: Convert to kthread API.David S. Miller1-108/+48
Based upon a suggestion from Christoph Hellwig. This fixes various races in module load/unload handling too. Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-01[XFRM]: Algorithm lookup using .compat nameMartin Willi1-1/+2
Installing an IPsec SA using old algorithm names (.compat) does not work if the algorithm is not already loaded. When not using the PF_KEY interface, algorithms are not preloaded in xfrm_probe_algs() and installing a IPsec SA fails. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-27Merge branch 'upstream-fixes' of ↵Jeff Garzik2-3/+3
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes
2006-12-22[UDP]: Fix reversed logic in udp_get_port().David S. Miller1-5/+8
When this code was converted to use sk_for_each() the logic for the "best hash chain length" code was reversed, breaking everything. The original code was of the form: size = 0; do { if (++size >= best_size_so_far) goto next; } while ((sk = sk->next) != NULL); best_size_so_far = size; best = result; next:; and this got converted into: sk_for_each(sk2, node, head) if (++size < best_size_so_far) { best_size_so_far = size; best = result; } Which does something very very different from the original. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-22[SCTP]: make 2 functions staticAdrian Bunk2-4/+4
This patch makes the following needlessly global functions static: - ipv6.c: sctp_inet6addr_event() - protocol.c: sctp_inetaddr_event() Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-22[SCTP]: Fix typo adaption -> adaptation as per the latest API draft.Ivan Skytte Jorgensen4-55/+55
Signed-off-by: Ivan Skytte Jorgensen <isj-sctp@i1.dk> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>