From 7386397636d49cd5f03da29432467d3e98cbad35 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 22 Jan 2007 22:00:40 +0100 Subject: [PATCH 01/23] [Bluetooth] Missing endian swapping for L2CAP socket list The PSM value in the L2CAP socket list must be converted to host order before printing it. Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 29a8fa4d3728..be5a6e60a3c4 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2150,8 +2150,8 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf) str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n", batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), - sk->sk_state, pi->psm, pi->scid, pi->dcid, pi->imtu, - pi->omtu, pi->link_mode); + sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid, + pi->imtu, pi->omtu, pi->link_mode); } read_unlock_bh(&l2cap_sk_list.lock); From 847641d7db15ac3f18b3d4aa05479812abdf397a Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 22 Jan 2007 22:00:45 +0100 Subject: [PATCH 02/23] [Bluetooth] Restrict well known PSM to privileged users The PSM values below 0x1001 of L2CAP are reserved for well known services. Restrict the possibility to bind them to privileged users. Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index be5a6e60a3c4..f8c25d500155 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -585,6 +585,12 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_ goto done; } + if (la->l2_psm > 0 && btohs(la->l2_psm) < 0x1001 && + !capable(CAP_NET_BIND_SERVICE)) { + err = -EACCES; + goto done; + } + write_lock_bh(&l2cap_sk_list.lock); if (la->l2_psm && __l2cap_get_sock_by_addr(la->l2_psm, &la->l2_bdaddr)) { From e0e8f1c8220c43bdf25cfb5622f6ab6947027fb1 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Wed, 10 Jan 2007 22:06:32 -0800 Subject: [PATCH 03/23] [IPSEC] flow: Fix potential memory leak When old flow cache entries that are not at the head of their chain trigger a transient security error they get unlinked along with all the entries preceding them in the chain. The preceding entries are not freed correctly. This patch fixes this by simply leaving the entry around. It's based on a suggestion by Venkat Yekkirala. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/core/flow.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/net/core/flow.c b/net/core/flow.c index d137f971f97d..5d25697920b1 100644 --- a/net/core/flow.c +++ b/net/core/flow.c @@ -231,22 +231,16 @@ nocache: err = resolver(key, family, dir, &obj, &obj_ref); - if (fle) { - if (err) { - /* Force security policy check on next lookup */ - *head = fle->next; - flow_entry_kill(cpu, fle); - } else { - fle->genid = atomic_read(&flow_cache_genid); + if (fle && !err) { + fle->genid = atomic_read(&flow_cache_genid); - if (fle->object) - atomic_dec(fle->object_ref); + if (fle->object) + atomic_dec(fle->object_ref); - fle->object = obj; - fle->object_ref = obj_ref; - if (obj) - atomic_inc(fle->object_ref); - } + fle->object = obj; + fle->object_ref = obj_ref; + if (obj) + atomic_inc(fle->object_ref); } local_bh_enable(); From d88ae4cc97b24783ee4480697fbdcc02ab4133a6 Mon Sep 17 00:00:00 2001 From: YOSHIFUJI Hideaki Date: Sun, 14 Jan 2007 21:48:40 -0800 Subject: [PATCH 04/23] [IPV6] MCAST: Fix joining all-node multicast group on device initialization. Join all-node multicast group after assignment of dev->ip6_ptr because it must be assigned when ipv6_dev_mc_inc() is called. This fixes Bug#7817, reported by . Closes: 7817 Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/addrconf.c | 6 ++++++ net/ipv6/mcast.c | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 171e5b55d7d6..2a7e4618f526 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -341,6 +341,7 @@ void in6_dev_finish_destroy(struct inet6_dev *idev) static struct inet6_dev * ipv6_add_dev(struct net_device *dev) { struct inet6_dev *ndev; + struct in6_addr maddr; ASSERT_RTNL(); @@ -425,6 +426,11 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev) #endif /* protected by rtnl_lock */ rcu_assign_pointer(dev->ip6_ptr, ndev); + + /* Join all-node multicast group */ + ipv6_addr_all_nodes(&maddr); + ipv6_dev_mc_inc(dev, &maddr); + return ndev; } diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index a1c231a04ac2..882cde4b4047 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -2258,8 +2258,6 @@ void ipv6_mc_up(struct inet6_dev *idev) void ipv6_mc_init_dev(struct inet6_dev *idev) { - struct in6_addr maddr; - write_lock_bh(&idev->lock); rwlock_init(&idev->mc_lock); idev->mc_gq_running = 0; @@ -2275,10 +2273,6 @@ void ipv6_mc_init_dev(struct inet6_dev *idev) idev->mc_maxdelay = IGMP6_UNSOLICITED_IVAL; idev->mc_v1_seen = 0; write_unlock_bh(&idev->lock); - - /* Add all-nodes address. */ - ipv6_addr_all_nodes(&maddr); - ipv6_dev_mc_inc(idev->dev, &maddr); } /* From 334c85569b8adeaa820c0f2fab3c8f0a9dc8b92e Mon Sep 17 00:00:00 2001 From: Venkat Yekkirala Date: Mon, 15 Jan 2007 16:38:45 -0800 Subject: [PATCH 05/23] [SELINUX]: increment flow cache genid Currently, old flow cache entries remain valid even after a reload of SELinux policy. This patch increments the flow cache generation id on policy (re)loads so that flow cache entries are revalidated as needed. Thanks to Herbet Xu for pointing this out. See: http://marc.theaimsgroup.com/?l=linux-netdev&m=116841378704536&w=2 There's also a general issue as well as a solution proposed by David Miller for when flow_cache_genid wraps. I might be submitting a separate patch for that later. I request that this be applied to 2.6.20 since it's a security relevant fix. Signed-off-by: Venkat Yekkirala Signed-off-by: David S. Miller --- security/selinux/ss/services.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 3eb1fa9f0de1..ff0393317f39 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1299,6 +1299,7 @@ int security_load_policy(void *data, size_t len) avc_ss_reset(seqno); selnl_notify_policyload(seqno); selinux_netlbl_cache_invalidate(); + atomic_inc(&flow_cache_genid); return 0; } @@ -1354,6 +1355,7 @@ int security_load_policy(void *data, size_t len) avc_ss_reset(seqno); selnl_notify_policyload(seqno); selinux_netlbl_cache_invalidate(); + atomic_inc(&flow_cache_genid); return 0; @@ -1853,6 +1855,7 @@ out: if (!rc) { avc_ss_reset(seqno); selnl_notify_policyload(seqno); + atomic_inc(&flow_cache_genid); } return rc; } From c54ea3b95ac504ed81e0ec3acfaa26d0f55bdfa4 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Mon, 15 Jan 2007 17:16:03 -0800 Subject: [PATCH 06/23] [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/ip_conntrack_netlink.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c index 5fcf91d617cd..6f31fad9be13 100644 --- a/net/ipv4/netfilter/ip_conntrack_netlink.c +++ b/net/ipv4/netfilter/ip_conntrack_netlink.c @@ -959,7 +959,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[], if (cda[CTA_PROTOINFO-1]) { err = ctnetlink_change_protoinfo(ct, cda); if (err < 0) - return err; + goto err; } #if defined(CONFIG_IP_NF_CONNTRACK_MARK) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index bd1d2de75e45..811e3e782f0f 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -981,7 +981,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[], if (cda[CTA_PROTOINFO-1]) { err = ctnetlink_change_protoinfo(ct, cda); if (err < 0) - return err; + goto err; } #if defined(CONFIG_NF_CONNTRACK_MARK) From 16d807988ffaf9b7cbb1966955aa8f738c32e740 Mon Sep 17 00:00:00 2001 From: Mikael Pettersson Date: Mon, 15 Jan 2007 17:17:31 -0800 Subject: [PATCH 07/23] [NETFILTER]: fix xt_state compile failure In file included from net/netfilter/xt_state.c:13: include/net/netfilter/nf_conntrack_compat.h: In function 'nf_ct_l3proto_try_module_get': include/net/netfilter/nf_conntrack_compat.h:70: error: 'PF_INET' undeclared (first use in this function) include/net/netfilter/nf_conntrack_compat.h:70: error: (Each undeclared identifier is reported only once include/net/netfilter/nf_conntrack_compat.h:70: error: for each function it appears in.) include/net/netfilter/nf_conntrack_compat.h:71: warning: control reaches end of non-void function make[2]: *** [net/netfilter/xt_state.o] Error 1 make[1]: *** [net/netfilter] Error 2 make: *** [net] Error 2 A simple fix is to have nf_conntrack_compat.h #include . Signed-off-by: Mikael Pettersson Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netfilter/nf_conntrack_compat.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h index b9ce5c80d9d5..6f84c1f7fcd4 100644 --- a/include/net/netfilter/nf_conntrack_compat.h +++ b/include/net/netfilter/nf_conntrack_compat.h @@ -6,6 +6,7 @@ #if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) #include +#include #ifdef CONFIG_IP_NF_CONNTRACK_MARK static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb, From ebdfcad4dc2a6851f75fac0a3315046cbd9c4410 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Mon, 15 Jan 2007 19:12:31 -0800 Subject: [PATCH 08/23] [SCTP]: Set correct error cause value for missing parameters sctp_process_missing_param() needs to use the SCTP_ERROR_MISS_PARAM error cause value. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- net/sctp/sm_make_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 167d888d1df2..ea0f8fac3f01 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1562,7 +1562,7 @@ static int sctp_process_missing_param(const struct sctp_association *asoc, if (*errp) { report.num_missing = htonl(1); report.type = paramtype; - sctp_init_cause(*errp, SCTP_ERROR_INV_PARAM, + sctp_init_cause(*errp, SCTP_ERROR_MISS_PARAM, &report, sizeof(report)); } From d023f629451ace6f37eb5d2cf29ddd24497c91dc Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Mon, 15 Jan 2007 19:15:45 -0800 Subject: [PATCH 09/23] [SCTP]: Verify some mandatory parameters. Verify init_tag and a_rwnd mandatory parameters in INIT and INIT-ACK chunks. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- net/sctp/sm_make_chunk.c | 4 +++- net/sctp/sm_statefuns.c | 19 ------------------- 2 files changed, 3 insertions(+), 20 deletions(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index ea0f8fac3f01..0b1ddb1005ac 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1775,7 +1775,9 @@ int sctp_verify_init(const struct sctp_association *asoc, /* Verify stream values are non-zero. */ if ((0 == peer_init->init_hdr.num_outbound_streams) || - (0 == peer_init->init_hdr.num_inbound_streams)) { + (0 == peer_init->init_hdr.num_inbound_streams) || + (0 == peer_init->init_hdr.init_tag) || + (SCTP_DEFAULT_MINWINDOW > ntohl(peer_init->init_hdr.a_rwnd))) { sctp_process_inv_mandatory(asoc, chunk, errp); return 0; diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index aa51d190bfb2..2c165dc9fb71 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -440,7 +440,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, { struct sctp_chunk *chunk = arg; sctp_init_chunk_t *initchunk; - __u32 init_tag; struct sctp_chunk *err_chunk; struct sctp_packet *packet; sctp_error_t error; @@ -462,24 +461,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, /* Grab the INIT header. */ chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; - init_tag = ntohl(chunk->subh.init_hdr->init_tag); - - /* Verification Tag: 3.3.3 - * If the value of the Initiate Tag in a received INIT ACK - * chunk is found to be 0, the receiver MUST treat it as an - * error and close the association by transmitting an ABORT. - */ - if (!init_tag) { - struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); - if (!reply) - goto nomem; - - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply)); - return sctp_stop_t1_and_abort(commands, SCTP_ERROR_INV_PARAM, - ECONNREFUSED, asoc, - chunk->transport); - } - /* Verify the INIT chunk before processing it. */ err_chunk = NULL; if (!sctp_verify_init(asoc, chunk->chunk_hdr->type, From 610ab73ac4cc8912fc253bbdc6d1f74bad3c8e3a Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Mon, 15 Jan 2007 19:18:30 -0800 Subject: [PATCH 10/23] [SCTP]: Correctly handle unexpected INIT-ACK chunk. Consider the chunk as Out-of-the-Blue if we don't have an endpoint. Otherwise discard it as before. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- include/net/sctp/sm.h | 1 + net/sctp/sm_statefuns.c | 22 ++++++++++++++++++++++ net/sctp/sm_statetable.c | 2 +- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h index 3269ed1cc222..73cb9943c8a8 100644 --- a/include/net/sctp/sm.h +++ b/include/net/sctp/sm.h @@ -134,6 +134,7 @@ sctp_state_fn_t sctp_sf_violation; sctp_state_fn_t sctp_sf_discard_chunk; sctp_state_fn_t sctp_sf_do_5_2_1_siminit; sctp_state_fn_t sctp_sf_do_5_2_2_dupinit; +sctp_state_fn_t sctp_sf_do_5_2_3_initack; sctp_state_fn_t sctp_sf_do_5_2_4_dupcook; sctp_state_fn_t sctp_sf_unk_chunk; sctp_state_fn_t sctp_sf_do_8_5_1_E_sa; diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 2c165dc9fb71..fce1f602cde2 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1534,6 +1534,28 @@ sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep, } +/* + * Unexpected INIT-ACK handler. + * + * Section 5.2.3 + * If an INIT ACK received by an endpoint in any state other than the + * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk. + * An unexpected INIT ACK usually indicates the processing of an old or + * duplicated INIT chunk. +*/ +sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, sctp_cmd_seq_t *commands) +{ + /* Per the above section, we'll discard the chunk if we have an + * endpoint. If this is an OOTB INIT-ACK, treat it as such. + */ + if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) + return sctp_sf_ootb(ep, asoc, type, arg, commands); + else + return sctp_sf_discard_chunk(ep, asoc, type, arg, commands); +} /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A') * diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c index 733dd87b3a7d..5f6cc7aa661b 100644 --- a/net/sctp/sm_statetable.c +++ b/net/sctp/sm_statetable.c @@ -152,7 +152,7 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type, /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ + TYPE_SCTP_FUNC(sctp_sf_do_5_2_3_initack), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_do_5_1C_ack), \ /* SCTP_STATE_COOKIE_ECHOED */ \ From 732ba35e759112be5cecd79d4351084edf88dba7 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Mon, 15 Jan 2007 19:20:21 -0800 Subject: [PATCH 11/23] [SCTP]: Fix SACK sequence during shutdown Currently, when association enters SHUTDOWN state,the implementation will SACK any DATA first and then transmit the SHUTDOWN chunk. This is against the order required by 2960bis spec. SHUTDOWN must always be first, followed by SACK. This change forces this order and also enables bundling. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- net/sctp/sm_sideeffect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c index 7bbc6156e455..8bd30976cdee 100644 --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -217,7 +217,7 @@ static int sctp_gen_sack(struct sctp_association *asoc, int force, asoc->peer.sack_needed = 0; - error = sctp_outq_tail(&asoc->outqueue, sack); + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(sack)); /* Stop the SACK timer. */ sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, From 9d0f7d29f38d4f7bf66d38d448a7d23e0bed9074 Mon Sep 17 00:00:00 2001 From: Andrew Hendry Date: Mon, 15 Jan 2007 19:29:31 -0800 Subject: [PATCH 12/23] [X.25]: Add missing sock_put in x25_receive_data __x25_find_socket does a sock_hold. This adds a missing sock_put in x25_receive_data. Signed-off-by: Andrew Hendry Signed-off-by: David S. Miller --- net/x25/x25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c index 47b68a301677..328d80f000ad 100644 --- a/net/x25/x25_dev.c +++ b/net/x25/x25_dev.c @@ -56,6 +56,7 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb) sk_add_backlog(sk, skb); } bh_unlock_sock(sk); + sock_put(sk); return queued; } From 3958fb34ef18529c1e4a3eca44b7aaf94d4f4697 Mon Sep 17 00:00:00 2001 From: Samuel Ortiz Date: Mon, 15 Jan 2007 19:37:25 -0800 Subject: [PATCH 13/23] [IrDA]: irda-usb TX path optimization (was Re: IrDA spams logfiles - since 2.6.19) Since we stop using dev_alloc_skb on the IrDA TX frame, we constantly run into the case of the skb headroom being 0, and thus we call skb_cow for every IrDA TX frame. This patch uses a local buffer and memcpy the skb to it, saving us a kmalloc for each of those IrDA TX frames. Signed-off-by: Samuel Ortiz Signed-off-by: David S. Miller --- drivers/net/irda/irda-usb.c | 43 +++++++++++++++++-------------------- drivers/net/irda/irda-usb.h | 1 + 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c index 3ca1082ec776..80cbf3f80432 100644 --- a/drivers/net/irda/irda-usb.c +++ b/drivers/net/irda/irda-usb.c @@ -441,25 +441,13 @@ static int irda_usb_hard_xmit(struct sk_buff *skb, struct net_device *netdev) goto drop; } - /* Make sure there is room for IrDA-USB header. The actual - * allocation will be done lower in skb_push(). - * Also, we don't use directly skb_cow(), because it require - * headroom >= 16, which force unnecessary copies - Jean II */ - if (skb_headroom(skb) < self->header_length) { - IRDA_DEBUG(0, "%s(), Insuficient skb headroom.\n", __FUNCTION__); - if (skb_cow(skb, self->header_length)) { - IRDA_WARNING("%s(), failed skb_cow() !!!\n", __FUNCTION__); - goto drop; - } - } + memcpy(self->tx_buff + self->header_length, skb->data, skb->len); /* Change setting for next frame */ - if (self->capability & IUC_STIR421X) { __u8 turnaround_time; - __u8* frame; + __u8* frame = self->tx_buff; turnaround_time = get_turnaround_time( skb ); - frame= skb_push(skb, self->header_length); irda_usb_build_header(self, frame, 0); frame[2] = turnaround_time; if ((skb->len != 0) && @@ -472,17 +460,17 @@ static int irda_usb_hard_xmit(struct sk_buff *skb, struct net_device *netdev) frame[1] = 0; } } else { - irda_usb_build_header(self, skb_push(skb, self->header_length), 0); + irda_usb_build_header(self, self->tx_buff, 0); } /* FIXME: Make macro out of this one */ ((struct irda_skb_cb *)skb->cb)->context = self; - usb_fill_bulk_urb(urb, self->usbdev, + usb_fill_bulk_urb(urb, self->usbdev, usb_sndbulkpipe(self->usbdev, self->bulk_out_ep), - skb->data, IRDA_SKB_MAX_MTU, + self->tx_buff, skb->len + self->header_length, write_bulk_callback, skb); - urb->transfer_buffer_length = skb->len; + /* This flag (URB_ZERO_PACKET) indicates that what we send is not * a continuous stream of data but separate packets. * In this case, the USB layer will insert an empty USB frame (TD) @@ -1455,6 +1443,9 @@ static inline void irda_usb_close(struct irda_usb_cb *self) /* Remove the speed buffer */ kfree(self->speed_buff); self->speed_buff = NULL; + + kfree(self->tx_buff); + self->tx_buff = NULL; } /********************** USB CONFIG SUBROUTINES **********************/ @@ -1753,9 +1744,14 @@ static int irda_usb_probe(struct usb_interface *intf, memset(self->speed_buff, 0, IRDA_USB_SPEED_MTU); + self->tx_buff = kzalloc(IRDA_SKB_MAX_MTU + self->header_length, + GFP_KERNEL); + if (self->tx_buff == NULL) + goto err_out_4; + ret = irda_usb_open(self); if (ret) - goto err_out_4; + goto err_out_5; IRDA_MESSAGE("IrDA: Registered device %s\n", net->name); usb_set_intfdata(intf, self); @@ -1766,14 +1762,14 @@ static int irda_usb_probe(struct usb_interface *intf, self->needspatch = (ret < 0); if (self->needspatch) { IRDA_ERROR("STIR421X: Couldn't upload patch\n"); - goto err_out_5; + goto err_out_6; } /* replace IrDA class descriptor with what patched device is now reporting */ irda_desc = irda_usb_find_class_desc (self->usbintf); if (irda_desc == NULL) { ret = -ENODEV; - goto err_out_5; + goto err_out_6; } if (self->irda_desc) kfree (self->irda_desc); @@ -1782,9 +1778,10 @@ static int irda_usb_probe(struct usb_interface *intf, } return 0; - -err_out_5: +err_out_6: unregister_netdev(self->netdev); +err_out_5: + kfree(self->tx_buff); err_out_4: kfree(self->speed_buff); err_out_3: diff --git a/drivers/net/irda/irda-usb.h b/drivers/net/irda/irda-usb.h index 6b2271f18e77..e846c38224a3 100644 --- a/drivers/net/irda/irda-usb.h +++ b/drivers/net/irda/irda-usb.h @@ -156,6 +156,7 @@ struct irda_usb_cb { struct irlap_cb *irlap; /* The link layer we are binded to */ struct qos_info qos; char *speed_buff; /* Buffer for speed changes */ + char *tx_buff; struct timeval stamp; struct timeval now; From 8f1adb5f27d352c776ac34648cc277d1f8199dba Mon Sep 17 00:00:00 2001 From: Samuel Ortiz Date: Mon, 15 Jan 2007 19:40:34 -0800 Subject: [PATCH 14/23] [IrDA]: Removed incorrect IRDA_ASSERT() With USB2.0 bulk out MTU can be 512 bytes, so checking it only for 64 bytes is incorrect. Signed-off-by: Samuel Ortiz Signed-off-by: David S. Miller --- drivers/net/irda/irda-usb.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/irda/irda-usb.c b/drivers/net/irda/irda-usb.c index 80cbf3f80432..340ee99652eb 100644 --- a/drivers/net/irda/irda-usb.c +++ b/drivers/net/irda/irda-usb.c @@ -1515,8 +1515,6 @@ static inline int irda_usb_parse_endpoints(struct irda_usb_cb *self, struct usb_ IRDA_DEBUG(0, "%s(), And our endpoints are : in=%02X, out=%02X (%d), int=%02X\n", __FUNCTION__, self->bulk_in_ep, self->bulk_out_ep, self->bulk_out_mtu, self->bulk_int_ep); - /* Should be 8, 16, 32 or 64 bytes */ - IRDA_ASSERT(self->bulk_out_mtu == 64, ;); return((self->bulk_in_ep != 0) && (self->bulk_out_ep != 0)); } From a6c7ab55dda3e16ab5a3cf6f39585aee5876ac3a Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Tue, 16 Jan 2007 16:52:02 -0800 Subject: [PATCH 15/23] [IPSEC]: Policy list disorder The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/xfrm/xfrm_policy.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index bebd40e5a62e..b7e537fe2d75 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -650,19 +650,18 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) struct xfrm_policy *pol; struct xfrm_policy *delpol; struct hlist_head *chain; - struct hlist_node *entry, *newpos, *last; + struct hlist_node *entry, *newpos; struct dst_entry *gc_list; write_lock_bh(&xfrm_policy_lock); chain = policy_hash_bysel(&policy->selector, policy->family, dir); delpol = NULL; newpos = NULL; - last = NULL; hlist_for_each_entry(pol, entry, chain, bydst) { - if (!delpol && - pol->type == policy->type && + if (pol->type == policy->type && !selector_cmp(&pol->selector, &policy->selector) && - xfrm_sec_ctx_match(pol->security, policy->security)) { + xfrm_sec_ctx_match(pol->security, policy->security) && + !WARN_ON(delpol)) { if (excl) { write_unlock_bh(&xfrm_policy_lock); return -EEXIST; @@ -671,17 +670,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) if (policy->priority > pol->priority) continue; } else if (policy->priority >= pol->priority) { - last = &pol->bydst; + newpos = &pol->bydst; continue; } - if (!newpos) - newpos = &pol->bydst; if (delpol) break; - last = &pol->bydst; } - if (!newpos) - newpos = last; if (newpos) hlist_add_after(newpos, &policy->bydst); else From fb7e2399ec17f1004c0e0ccfd17439f8759ede01 Mon Sep 17 00:00:00 2001 From: Masayuki Nakagawa Date: Tue, 23 Jan 2007 20:15:06 -0800 Subject: [PATCH 16/23] [TCP]: skb is unexpectedly freed. I encountered a kernel panic with my test program, which is a very simple IPv6 client-server program. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server. (If you need the test program, please let me know. I can provide it.) This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state(TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb(). However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic. I suggest to use kfree_skb() instead of __kfree_skb(). Signed-off-by: Masayuki Nakagawa Signed-off-by: David S. Miller --- net/ipv4/tcp_input.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c701f6abbfc1..5c16e24a6061 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4420,9 +4420,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * But, this leaves one open to an easy denial of * service attack, and SYN cookies can't defend * against this problem. So, we drop the data - * in the interest of security over speed. + * in the interest of security over speed unless + * it's still in use. */ - goto discard; + kfree_skb(skb); + return 0; } goto discard; From 778a43fd626b710faca32038afc7460f314ba82a Mon Sep 17 00:00:00 2001 From: Adrian Bunk Date: Tue, 23 Jan 2007 21:16:40 -0800 Subject: [PATCH 17/23] [IRDA] vlsi_ir.{h,c}: remove kernel 2.4 code This patch removes kernel 2.4 compatibility code. Signed-off-by: Adrian Bunk Acked-by: Samuel Ortiz Signed-off-by: David S. Miller --- drivers/net/irda/vlsi_ir.c | 16 ++++++++-------- drivers/net/irda/vlsi_ir.h | 33 --------------------------------- 2 files changed, 8 insertions(+), 41 deletions(-) diff --git a/drivers/net/irda/vlsi_ir.c b/drivers/net/irda/vlsi_ir.c index 18c68193bf14..e2b1af618450 100644 --- a/drivers/net/irda/vlsi_ir.c +++ b/drivers/net/irda/vlsi_ir.c @@ -166,7 +166,7 @@ static void vlsi_proc_pdev(struct seq_file *seq, struct pci_dev *pdev) unsigned i; seq_printf(seq, "\n%s (vid/did: %04x/%04x)\n", - PCIDEV_NAME(pdev), (int)pdev->vendor, (int)pdev->device); + pci_name(pdev), (int)pdev->vendor, (int)pdev->device); seq_printf(seq, "pci-power-state: %u\n", (unsigned) pdev->current_state); seq_printf(seq, "resources: irq=%u / io=0x%04x / dma_mask=0x%016Lx\n", pdev->irq, (unsigned)pci_resource_start(pdev, 0), (unsigned long long)pdev->dma_mask); @@ -1401,7 +1401,7 @@ static void vlsi_tx_timeout(struct net_device *ndev) if (vlsi_start_hw(idev)) IRDA_ERROR("%s: failed to restart hw - %s(%s) unusable!\n", - __FUNCTION__, PCIDEV_NAME(idev->pdev), ndev->name); + __FUNCTION__, pci_name(idev->pdev), ndev->name); else netif_start_queue(ndev); } @@ -1643,7 +1643,7 @@ vlsi_irda_probe(struct pci_dev *pdev, const struct pci_device_id *id) pdev->current_state = 0; /* hw must be running now */ IRDA_MESSAGE("%s: IrDA PCI controller %s detected\n", - drivername, PCIDEV_NAME(pdev)); + drivername, pci_name(pdev)); if ( !pci_resource_start(pdev,0) || !(pci_resource_flags(pdev,0) & IORESOURCE_IO) ) { @@ -1728,7 +1728,7 @@ static void __devexit vlsi_irda_remove(struct pci_dev *pdev) pci_set_drvdata(pdev, NULL); - IRDA_MESSAGE("%s: %s removed\n", drivername, PCIDEV_NAME(pdev)); + IRDA_MESSAGE("%s: %s removed\n", drivername, pci_name(pdev)); } #ifdef CONFIG_PM @@ -1748,7 +1748,7 @@ static int vlsi_irda_suspend(struct pci_dev *pdev, pm_message_t state) if (!ndev) { IRDA_ERROR("%s - %s: no netdevice \n", - __FUNCTION__, PCIDEV_NAME(pdev)); + __FUNCTION__, pci_name(pdev)); return 0; } idev = ndev->priv; @@ -1759,7 +1759,7 @@ static int vlsi_irda_suspend(struct pci_dev *pdev, pm_message_t state) pdev->current_state = state.event; } else - IRDA_ERROR("%s - %s: invalid suspend request %u -> %u\n", __FUNCTION__, PCIDEV_NAME(pdev), pdev->current_state, state.event); + IRDA_ERROR("%s - %s: invalid suspend request %u -> %u\n", __FUNCTION__, pci_name(pdev), pdev->current_state, state.event); up(&idev->sem); return 0; } @@ -1787,7 +1787,7 @@ static int vlsi_irda_resume(struct pci_dev *pdev) if (!ndev) { IRDA_ERROR("%s - %s: no netdevice \n", - __FUNCTION__, PCIDEV_NAME(pdev)); + __FUNCTION__, pci_name(pdev)); return 0; } idev = ndev->priv; @@ -1795,7 +1795,7 @@ static int vlsi_irda_resume(struct pci_dev *pdev) if (pdev->current_state == 0) { up(&idev->sem); IRDA_WARNING("%s - %s: already resumed\n", - __FUNCTION__, PCIDEV_NAME(pdev)); + __FUNCTION__, pci_name(pdev)); return 0; } diff --git a/drivers/net/irda/vlsi_ir.h b/drivers/net/irda/vlsi_ir.h index c37f0bc4c7f9..2d3b773d8e35 100644 --- a/drivers/net/irda/vlsi_ir.h +++ b/drivers/net/irda/vlsi_ir.h @@ -41,39 +41,6 @@ #define PCI_CLASS_SUBCLASS_MASK 0xffff #endif -/* in recent 2.5 interrupt handlers have non-void return value */ -#ifndef IRQ_RETVAL -typedef void irqreturn_t; -#define IRQ_NONE -#define IRQ_HANDLED -#define IRQ_RETVAL(x) -#endif - -/* some stuff need to check kernelversion. Not all 2.5 stuff was present - * in early 2.5.x - the test is merely to separate 2.4 from 2.5 - */ -#include - -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0) - -/* PDE() introduced in 2.5.4 */ -#ifdef CONFIG_PROC_FS -#define PDE(inode) ((inode)->i_private) -#endif - -/* irda crc16 calculation exported in 2.5.42 */ -#define irda_calc_crc16(fcs,buf,len) (GOOD_FCS) - -/* we use this for unified pci device name access */ -#define PCIDEV_NAME(pdev) ((pdev)->name) - -#else /* 2.5 or later */ - -/* whatever we get from the associated struct device - bus:slot:dev.fn id */ -#define PCIDEV_NAME(pdev) (pci_name(pdev)) - -#endif - /* ================================================================ */ /* non-standard PCI registers */ From 2748e5dec7ca8a3804852c7c4171f9156384d15c Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 23 Jan 2007 22:00:13 -0800 Subject: [PATCH 18/23] [NETFILTER]: Fix iptables ABI breakage on (at least) CRIS With the introduction of x_tables we accidentally broke compatibility by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of XT_TABLE_MAXNAMELEN, which is two bytes larger. On most architectures it doesn't really matter since we don't have any tables with names that long in the kernel and the structure layout didn't change because of alignment requirements of following members. On CRIS however (and other architectures that don't align data) this changed the structure layout and thus broke compatibility with old iptables binaries. Changing it back will break compatibility with binaries compiled against recent kernels again, but since the breakage has only been there for three releases this seems like the better choice. Spotted by Jonas Berlin . Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter_ipv4/ip_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 4f06dad0bde9..98d566c5e32a 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -28,7 +28,7 @@ #include #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN -#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN +#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN #define ipt_match xt_match #define ipt_target xt_target #define ipt_table xt_table From bf1c1ee88008fd639ebb5c74f0555fd414369bdc Mon Sep 17 00:00:00 2001 From: Adrian Bunk Date: Tue, 23 Jan 2007 22:04:35 -0800 Subject: [PATCH 19/23] [NET]: Process include/linux/if_{addr,link}.h with unifdef After commit d3dcc077bf88806201093f86325ec656e4dbfbce, include/linux/if_{addr,link}.h should be processed with unifdef. Signed-off-by: Adrian Bunk Signed-off-by: David S. Miller --- include/linux/Kbuild | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/Kbuild b/include/linux/Kbuild index 8c634f9df39f..157db77a7170 100644 --- a/include/linux/Kbuild +++ b/include/linux/Kbuild @@ -69,7 +69,6 @@ header-y += hysdn_if.h header-y += i2c-dev.h header-y += i8k.h header-y += icmp.h -header-y += if_addr.h header-y += if_arcnet.h header-y += if_arp.h header-y += if_bonding.h @@ -79,7 +78,6 @@ header-y += if_fddi.h header-y += if.h header-y += if_hippi.h header-y += if_infiniband.h -header-y += if_link.h header-y += if_packet.h header-y += if_plip.h header-y += if_ppp.h @@ -213,6 +211,7 @@ unifdef-y += hpet.h unifdef-y += i2c.h unifdef-y += i2o-dev.h unifdef-y += icmpv6.h +unifdef-y += if_addr.h unifdef-y += if_bridge.h unifdef-y += if_ec.h unifdef-y += if_eql.h @@ -220,6 +219,7 @@ unifdef-y += if_ether.h unifdef-y += if_fddi.h unifdef-y += if_frad.h unifdef-y += if_ltalk.h +unifdef-y += if_link.h unifdef-y += if_pppox.h unifdef-y += if_shaper.h unifdef-y += if_tr.h From 52d570aabe921663a987b2e4bae2bdc411cee480 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Tue, 23 Jan 2007 22:07:12 -0800 Subject: [PATCH 20/23] [TCP]: rare bad TCP checksum with 2.6.19 The patch "Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE" changed to unconditional copying of ip_summed field from collapsed skb. This patch reverts this change. The majority of substantial work including heavy testing and diagnosing by: Michael Tokarev Possible reasons pointed by: Herbert Xu and Patrick McHardy. Signed-off-by: Jarek Poplawski Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv4/tcp_output.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 32c1a972fa31..23e32c806916 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1650,7 +1650,8 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *skb, int m memcpy(skb_put(skb, next_skb_size), next_skb->data, next_skb_size); - skb->ip_summed = next_skb->ip_summed; + if (next_skb->ip_summed == CHECKSUM_PARTIAL) + skb->ip_summed = CHECKSUM_PARTIAL; if (skb->ip_summed != CHECKSUM_PARTIAL) skb->csum = csum_block_add(skb->csum, next_skb->csum, skb_size); From 6a2b9ce0a383059492c93682bc094cce0f705fff Mon Sep 17 00:00:00 2001 From: Noriaki TAKAMIYA Date: Tue, 23 Jan 2007 22:09:41 -0800 Subject: [PATCH 21/23] [IPV6]: Fixed the size of the netlink message notified by inet6_rt_notify(). I think the return value of rt6_nlmsg_size() should includes the amount of RTA_METRICS. Signed-off-by: Noriaki TAKAMIYA Acked-by: Thomas Graf Signed-off-by: David S. Miller --- net/ipv6/route.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 8c3d56871b50..5f0043c30b70 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2017,6 +2017,7 @@ static inline size_t rt6_nlmsg_size(void) + nla_total_size(4) /* RTA_IIF */ + nla_total_size(4) /* RTA_OIF */ + nla_total_size(4) /* RTA_PRIORITY */ + + RTAX_MAX * nla_total_size(4) /* RTA_METRICS */ + nla_total_size(sizeof(struct rta_cacheinfo)); } From 6fd8bb881509c6bdc3469b3ed16ec25a3b7cad0e Mon Sep 17 00:00:00 2001 From: Masahide NAKAMURA Date: Tue, 23 Jan 2007 22:17:23 -0800 Subject: [PATCH 22/23] [IP] TUNNEL: Fix to be built with user application. include/linux/if_tunnel.h is broken for user application because it was changed to use __be32 which is required to include linux/types.h in advance but didn't. (This issue is found when building MIPL2 daemon. We are not sure this is the last header to be fixed about __be32.) Signed-off-by: Masahide NAKAMURA Signed-off-by: TAKAMIYA Noriaki Signed-off-by: David S. Miller --- include/linux/if_tunnel.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/if_tunnel.h b/include/linux/if_tunnel.h index 8de079ba1107..660b5010c2d9 100644 --- a/include/linux/if_tunnel.h +++ b/include/linux/if_tunnel.h @@ -1,6 +1,8 @@ #ifndef _IF_TUNNEL_H_ #define _IF_TUNNEL_H_ +#include + #define SIOCGETTUNNEL (SIOCDEVPRIVATE + 0) #define SIOCADDTUNNEL (SIOCDEVPRIVATE + 1) #define SIOCDELTUNNEL (SIOCDEVPRIVATE + 2) From 1e5c11fc89ef6663aaa14db1e9e27477f07c24e0 Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Tue, 23 Jan 2007 22:32:23 -0800 Subject: [PATCH 23/23] [SCTP]: Fix compiler warning. > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -462,24 +461,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, > - if (!init_tag) { > - struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); > - if (!reply) > - goto nomem; This introduced a compiler warning, easily fixed. Signed-off-by: Brian Haley Signed-off-by: David S. Miller --- net/sctp/sm_statefuns.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index fce1f602cde2..fbbc9e6a3b78 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -531,9 +531,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, SCTP_CHUNK(err_chunk)); return SCTP_DISPOSITION_CONSUME; - -nomem: - return SCTP_DISPOSITION_NOMEM; } /*