Commit Graph

5617 Commits

Author SHA1 Message Date
Vlad Yasevich 2930354799 [SCTP]: Add RCU synchronization around sctp_localaddr_list
sctp_localaddr_list is modified dynamically via NETDEV_UP
and NETDEV_DOWN events, but there is not synchronization
between writer (even handler) and readers.  As a result,
the readers can access an entry that has been freed and
crash the sytem.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Sridhar Samdurala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-16 16:02:12 -07:00
Satyam Sharma ddeee3ce7f [PKT_SCHED]: sch_cbq.c: Shut up uninitialized variable warning
net/sched/sch_cbq.c: In function 'cbq_enqueue':
net/sched/sch_cbq.c:383: warning: 'ret' may be used uninitialized in this function

has been verified to be a bogus case. So let's shut it up.

Signed-off-by: Satyam Sharma <satyam@infradead.org>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-16 14:54:05 -07:00
Adit Ranadive ce5d0b47f1 [PKTGEN]: srcmac fix
From: Adit Ranadive <adit.262@gmail.com>

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-16 14:52:15 -07:00
Jiri Kosina 6ae5f983cf [IPV6]: Fix source address selection.
The commit 95c385 broke proper source address selection for cases in which 
there is a address which is makred 'deprecated'. The commit mistakenly 
changed ifa->flags to ifa_result->flags (probably copy/paste error from a 
few lines above) in the 'Rule 3' address selection code.

The patch restores the previous RFC-compliant behavior.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-16 14:48:21 -07:00
YOSHIFUJI Hideaki 2a0c6c980d [IPV4]: Just increment OutDatagrams once per a datagram.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-14 17:15:19 -07:00
YOSHIFUJI Hideaki cd562c9859 [IPV6]: Just increment OutDatagrams once per a datagram.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-14 17:15:01 -07:00
YOSHIFUJI Hideaki 3ef9d943d2 [IPV6]: Fix unbalanced socket reference with MSG_CONFIRM.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-14 16:45:40 -07:00
Jamal Hadi Salim e1e992e52f [NET_SCHED] protect action config/dump from irqs
(with no apologies to C Heston)

On Mon, 2007-10-09 at 21:00 +0800, Herbert Xu wrote:
On Sun, Sep 02, 2007 at 01:11:29PM +0000, Christian Kujau wrote:
> >
> > after upgrading to 2.6.23-rc5 (and applying davem's fix [0]), lockdep
> > was quite noisy when I tried to shape my external (wireless) interface:
> >
> > [ 6400.534545] FahCore_78.exe/3552 just changed the state of lock:
> > [ 6400.534713]  (&dev->ingress_lock){-+..}, at: [<c038d595>]
> > netif_receive_skb+0x2d5/0x3c0
> > [ 6400.534941] but this lock took another, soft-read-irq-unsafe lock in the
> > past:
> > [ 6400.535145]  (police_lock){-.--}
>
> This is a genuine dead-lock.  The police lock can be taken
> for reading with softirqs on.  If a second CPU tries to take
> the police lock for writing, while holding the ingress lock,
> then a softirq on the first CPU can dead-lock when it tries
> to get the ingress lock.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-14 16:43:05 -07:00
David S. Miller 4878809f71 [NET]: Fix two issues wrt. SO_BINDTODEVICE.
1) Comments suggest that setting optlen to zero will unbind
   the socket from whatever device it might be attached to.  This
   hasn't been the case since at least 2.2.x because the first thing
   this function does is return -EINVAL if 'optlen' is less than
   sizeof(int).

   This check also means that passing in a two byte string doesn't
   work so well.  It's almost as if this code was testing with "eth?"
   patterned strings and nothing else :-)

   Fix this by breaking the logic of this facility out into a
   seperate function which validates optlen more appropriately.

   The optlen==0 and small string cases now work properly.

2) We should reset the cached route of the socket after we have made
   the device binding changes, not before.

Reported by Ben Greear.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-14 16:41:03 -07:00
Neil Brown 7a1fa065a0 Correctly close old nfsd/lockd sockets.
Commit aaf68cfbf2 added a bias
to sk_inuse, so this test for an unused socket now fails.  So no
sockets get closed because they are old (they might get closed
if the client closed them).

This bug has existed since 2.6.21-rc1.

Thanks to Wolfgang Walter for finding and reporting the bug.

Cc: Wolfgang Walter <wolfgang.walter@studentenwerk.mhn.de>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-09-14 13:58:11 -07:00
David S. Miller 1da97f83a8 [BLUETOOTH]: Fix non-COMPAT build of hci_sock.c
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-12 14:10:58 +02:00
Patrick McHardy 0a9c730144 [INET_DIAG]: Fix oops in netlink_rcv_skb
netlink_run_queue() doesn't handle multiple processes processing the
queue concurrently. Serialize queue processing in inet_diag to fix
a oops in netlink_rcv_skb caused by netlink_run_queue passing a
NULL for the skb.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
[349587.500454]  printing eip:
[349587.500457] c03318ae
[349587.500459] *pde = 00000000
[349587.500464] Oops: 0000 [#1]
[349587.500466] PREEMPT SMP
[349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
[349587.500483] CPU:    0
[349587.500485] EIP:    0060:[<c03318ae>]    Not tainted VLI
[349587.500487] EFLAGS: 00010246   (2.6.22.3 #1)
[349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
[349587.500506] eax: 00000000   ebx: 00000000   ecx: c148d2a0   edx: c0398819
[349587.500510] esi: 00000000   edi: c0398819   ebp: c7a21c8c   esp: c7a21c80
[349587.500517] ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
[349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000)
[349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c
[349587.500542]        f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c
[349587.500558]        f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff
[349587.500578] Call Trace:
[349587.500581]  [<c010361a>] show_trace_log_lvl+0x1c/0x33
[349587.500591]  [<c01036d4>] show_stack_log_lvl+0x8d/0xaa
[349587.500595]  [<c010390e>] show_registers+0x1cb/0x321
[349587.500604]  [<c0103bff>] die+0x112/0x1e1
[349587.500607]  [<c01132d2>] do_page_fault+0x229/0x565
[349587.500618]  [<c03c8d3a>] error_code+0x72/0x78
[349587.500625]  [<c0331962>] netlink_run_queue+0x40/0x76
[349587.500632]  [<c03988e3>] inet_diag_rcv+0x1f/0x2c
[349587.500639]  [<c03312a5>] netlink_data_ready+0x57/0x59
[349587.500643]  [<c0330681>] netlink_sendskb+0x24/0x45
[349587.500651]  [<c03307c6>] netlink_unicast+0x100/0x116
[349587.500656]  [<c0330f83>] netlink_sendmsg+0x1c2/0x280
[349587.500664]  [<c02fcce9>] sock_sendmsg+0xba/0xd5
[349587.500671]  [<c02fe4d1>] sys_sendmsg+0x17b/0x1e8
[349587.500676]  [<c02fe92d>] sys_socketcall+0x230/0x24d
[349587.500684]  [<c01028d2>] syscall_call+0x7/0xb
[349587.500691]  =======================
[349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f

Reported by Athanasius <link@miggy.org>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 11:33:28 +02:00
YOSHIFUJI Hideaki e1f52208bb [IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames
Some of skbs in sk->write_queue do not have skb->dst because
we do not fill skb->dst when we allocate new skb in append_data().

BTW, I think we may not need to (or we should not) increment some stats
when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets,
how many should we increment?

If 100, we should set skb->dst for every queued skbs.

If 1 (or 2 (*)), we increment the stats for the first queued skb and
we should just skip incrementing OutDiscards for the rest of queued skbs,
adn we should also impelement this semantics in other places;
e.g., we should increment other stats just once, not 100 times.

*: depends on the place we are discarding the datagram.

I guess should just increment by 1 (or 2).

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 11:31:43 +02:00
Neil Horman 16fcec35e7 [NETFILTER]: Fix/improve deadlock condition on module removal netfilter
So I've had a deadlock reported to me.  I've found that the sequence of
events goes like this:

1) process A (modprobe) runs to remove ip_tables.ko

2) process B (iptables-restore) runs and calls setsockopt on a netfilter socket,
increasing the ip_tables socket_ops use count

3) process A acquires a file lock on the file ip_tables.ko, calls remove_module
in the kernel, which in turn executes the ip_tables module cleanup routine,
which calls nf_unregister_sockopt

4) nf_unregister_sockopt, seeing that the use count is non-zero, puts the
calling process into uninterruptible sleep, expecting the process using the
socket option code to wake it up when it exits the kernel

4) the user of the socket option code (process B) in do_ipt_get_ctl, calls
ipt_find_table_lock, which in this case calls request_module to load
ip_tables_nat.ko

5) request_module forks a copy of modprobe (process C) to load the module and
blocks until modprobe exits.

6) Process C. forked by request_module process the dependencies of
ip_tables_nat.ko, of which ip_tables.ko is one.

7) Process C attempts to lock the request module and all its dependencies, it
blocks when it attempts to lock ip_tables.ko (which was previously locked in
step 3)

Theres not really any great permanent solution to this that I can see, but I've
developed a two part solution that corrects the problem

Part 1) Modifies the nf_sockopt registration code so that, instead of using a
use counter internal to the nf_sockopt_ops structure, we instead use a pointer
to the registering modules owner to do module reference counting when nf_sockopt
calls a modules set/get routine.  This prevents the deadlock by preventing set 4
from happening.

Part 2) Enhances the modprobe utilty so that by default it preforms non-blocking
remove operations (the same way rmmod does), and add an option to explicity
request blocking operation.  So if you select blocking operation in modprobe you
can still cause the above deadlock, but only if you explicity try (and since
root can do any old stupid thing it would like....  :)  ).

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 11:28:26 +02:00
Patrick McHardy 0fb9670137 [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages
Since we're now using a generic tuple decoding function in ICMP
connection tracking, ipv4_get_l4proto() might get called with a
fragmented packet from within an ICMP error. Remove the error
message we used to print when this happens.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 11:27:01 +02:00
David S. Miller 66eb50d5c9 Merge master.kernel.org:/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6 2007-09-11 11:15:30 +02:00
Denis V. Lunev 9e3be4b343 [IPV6]: Freeing alive inet6 address
From: Denis V. Lunev <den@openvz.org>

addrconf_dad_failure calls addrconf_dad_stop which takes referenced address
and drops the count. So, in6_ifa_put perrformed at out: is extra. This
results in message: "Freeing alive inet6 address" and not released dst entries.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 11:04:49 +02:00
Patrick McHardy a2221f308d [DECNET]: Fix interface address listing regression.
Not all are listed, same as the IPV4 devinet bug.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 10:45:15 +02:00
Stephen Hemminger 596e415095 [IPV4] devinet: show all addresses assigned to interface
Bug: http://bugzilla.kernel.org/show_bug.cgi?id=8876

Not all ips are shown by "ip addr show" command when IPs number assigned to an
interface is more than 60-80 (in fact it depends on broadcast/label etc
presence on each address).

Steps to reproduce:
It's terribly simple to reproduce:

# for i in $(seq 1 100); do ip ad add 10.0.$i.1/24 dev eth10 ; done
# ip addr show

this will _not_ show all IPs.
Looks like the problem is in netlink/ipv4 message processing.

This is fix from bug submitter, it looks correct.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 10:41:04 +02:00
Herbert Xu ef8aef55ce [NET]: Do not dereference iov if length is zero
When msg_iovlen is zero we shouldn't try to dereference
msg_iov.  Right now the only thing that tries to do so
is skb_copy_and_csum_datagram_iovec.  Since the total
length should also be zero if msg_iovlen is zero, it's
sufficient to check the total length there and simply
return if it's zero.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-09-11 10:29:07 +02:00
Marcel Holtmann 89f2783ded [Bluetooth] Fix parameter list for event filter command
On device initialization the event filters are cleared. In case of
clearing the filters the extra condition type shall be omitted.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-09-09 08:39:49 +02:00
Marcel Holtmann 7c631a6760 [Bluetooth] Update security filter for Bluetooth 2.1
This patch updates the HCI security filter with support for the
Bluetooth 2.1 commands and events.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-09-09 08:39:43 +02:00
Marcel Holtmann 767c5eb5d3 [Bluetooth] Add compat handling for timestamp structure
The timestamp structure needs special handling in case of compat
programs. Use the same wrapping method the network core uses.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2007-09-09 08:39:34 +02:00
David S. Miller 5c127c58ae [TCP]: 'dst' can be NULL in tcp_rto_min()
Reported by Rick Jones.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-31 14:39:44 -07:00
Pavel Emelyanov 88282c6ecf [PKTGEN]: Remove write-only variable.
The pktgen_thread.pid is set to current->pid and is never used
after this. So remove this at all.

Found during isolating the explicit pid/tgid usage.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:46:36 -07:00
Jesper Bengtsson a289d70d74 [NETFILTER]: xt_tcpudp: fix wrong struct in udp_checkentry
It doesn't seem to have any effect on the x86 architecture but it does
have effect on the Axis CRIS architecture.

Signed-off-by: Jesper Bengtsson <jesper.bengtsson@axis.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:36:43 -07:00
Lucas Nussbaum dbaaa07a60 [NET_SCHED] sch_prio.c: remove duplicate call of tc_classify()
When CONFIG_NET_CLS_ACT is enabled, tc_classify() is called twice in
prio_classify(). This causes "interesting" behaviour: with the setup
below, packets are duplicated, sent twice to ifb0, and then loop in and
out of ifb0.

The patch uses the previously calculated return value in the switch,
which is probably what Patrick had in mind in commit
bdba91ec70 -- maybe Patrick can
double-check this?

-- example setup --
ifconfig ifb0 up
tc qdisc add dev ifb0 root netem delay 2s
tc qdisc add dev $ETH root handle 1: prio
tc filter add dev $ETH parent 1: protocol ip prio 10 u32 \
 match ip dst 172.24.110.6/32 flowid 1:1 \
 action mirred egress redirect dev ifb0
ping -c1 172.24.110.6

Signed-off-by: Lucas Nussbaum <lucas.nussbaum@imag.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:35:46 -07:00
Stephen Hemminger b4a488d182 [BRIDGE]: Fix OOPS when bridging device without ethtool.
Bridge code calls ethtool to get speed. The conversion to using
only ethtool_ops broke the case of devices without ethtool_ops.
This is a new regression in 2.6.23.

Rearranged the switch to a logical order, and use gcc initializer.

Ps: speed should have been part of the network device structure from
    the start rather than burying it in ethtool.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Acked-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:16:22 -07:00
Stephen Hemminger df1c0b8468 [BRIDGE]: Packets leaking out of disabled/blocked ports.
This patch fixes some packet leakage in bridge.  The bridging code was
allowing forward table entries to be generated even if a device was
being blocked. The fix is to not add forwarding database entries
unless the port is active.

The bug arose as part of the conversion to processing STP frames
through normal receive path (in 2.6.17).

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Acked-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:15:35 -07:00
David S. Miller b91ddd8437 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/vxy/lksctp-dev 2007-08-30 22:11:31 -07:00
David S. Miller 05bb1fad1c [TCP]: Allow minimum RTO to be configurable via routing metrics.
Cell phone networks do link layer retransmissions and other
things that cause unnecessary timeout retransmits.  So allow
the minimum RTO to be inflated per-route to deal with this.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-30 22:10:28 -07:00
Wei Yongjun cb243a1a9f SCTP: Fix to handle invalid parameter length correctly
If an INIT with invalid parameter length look like this:
Parameter Type : 1
Parameter Length: 800
and not contain any payload, SCTP will ignore this  parameter and send
back a INIT-ACK.
This patch is fix to handle this invalid parameter length correctly.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 16:44:27 -04:00
Vlad Yasevich 609ee4679b SCTP: Abort on COOKIE-ECHO if backlog is exceeded.
Currently we abort on the INIT chunk we our backlog is currenlty
exceeded.  Delay this about untill COOKIE-ECHO to give the user
time to accept the socket.  Also, make sure that we treat
sk_max_backlog of 0 as no connections allowed.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 14:12:25 -04:00
Vlad Yasevich 498d63071e SCTP: Correctly disable listening when backlog is 0.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 14:03:58 -04:00
Vlad Yasevich d0ce92910b SCTP: Do not retransmit chunks that are newer then rtt.
When performing a retransmit, do not include the chunk if
it was sent less then 1 rtt ago.  The reason is that we
may receive the SACK very soon and wouldn't retransmit.
Suggested by Randy Stewart.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 13:56:06 -04:00
Vlad Yasevich cc75689a4c SCTP: Uncomfirmed transports can't become Inactive
Do not set Unconfirmed transports to Inactive state.  This may
result in an inactive association being destroyed since we start
counting errors on "inactive" transports against the association.
This was found at the SCTP interop event.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 13:55:41 -04:00
Vlad Yasevich 2772b495ef SCTP: Pick the correct port when binding to 0.
sctp_bindx() allows the use of unspecified port.  The problem is
that every address we bind to ends up selecting a new port if
the user specified port 0.  This patch allows re-use of the
already selected port when the port from bindx was 0.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 13:55:20 -04:00
Wei Yongjun d99fa42963 SCTP: Use net_ratelimit to suppress error messages print too fast
When multi bundling SHUTDOWN-ACK message is received in ESTAB state,
this will cause "sctp protocol violation state" message print many times.
If SHUTDOWN-ACK is bundled 300 times in one packet, message will be
print 300 times. The same problem also exists when received unexpected
HEARTBEAT-ACK message which is bundled message times.

This patch used net_ratelimit() to suppress error messages print too fast.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 13:52:56 -04:00
Wei Yongjun 00f1c2df2a SCTP: Fix to encode PROTOCOL VIOLATION error cause correctly
PROTOCOL VIOLATION error cause in ABORT is bad encode when make abort
chunk. When SCTP encode ABORT chunk with PROTOCOL VIOLATION error cause,
it just add the error messages to PROTOCOL VIOLATION error cause, the
rest four bytes(struct sctp_paramhdr) is just add to the chunk, not
change the length of error cause. This cause the ABORT chunk to be a bad
format. The chunk is like this:

ABORT chunk
  Chunk type: ABORT (6)
  Chunk flags: 0x00
  Chunk length: 72 (*1)
  Protocol violation cause
    Cause code: Protocol violation (0x000d)
    Cause length: 62 (*2)
    Cause information: 5468652063756D756C61746976652074736E2061636B2062...
    Cause padding: 0000
[Needless] 00030010
Chunk Length(*1) = 72 but Cause length(*2) only 62, not include the
extend 4 bytes.
((72 - sizeof(chunk_hdr)) = 68) != (62 +3) / 4 * 4

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 13:50:48 -04:00
Wei Yongjun 8d614ade51 SCTP: Fix sctp_addto_chunk() to add pad with correct length
At function sctp_addto_chunk(), it do pad before add payload to chunk if
chunk length is not 4-byte alignment. But it do pad with a bad length.
This patch fixed this probleam.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-30 11:56:17 -04:00
Vlad Yasevich ab3e5e7b65 SCTP: Assign stream sequence numbers to the entire message
Currently we only assign the sequence number to a packet that
we are about to transmit.  This however breaks the Partial
Reliability extensions, because it's possible for us to
never transmit a packet, i.e. it expires before we get to send
it.  In such cases, if the message contained multiple SCTP
fragments, and we did manage to send the first part of the
message, the Stream sequence numbers would get into invalid
state and cause receiver to stall.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-29 13:34:34 -04:00
Vlad Yasevich ea2dfb3733 SCTP: properly clean up fragment and ordering queues during FWD-TSN.
When we recieve a FWD-TSN (meaning the peer has abandoned the data),
we need to clean up any partially received messages that may be
hanging out on the re-assembly or re-ordering queues.  This is
a MUST requirement that was not properly done before.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com.>
2007-08-29 13:34:33 -04:00
Robert Olsson 378be2c083 [PKTGEN]: Fix multiqueue oops.
Initially pkt_dev can be NULL this causes netif_subqueue_stopped to 
oops. The patch below should cure it. But maybe the pktgen TX logic 
should be reworked to better support the new multiqueue support. 

Signed-off-by: Robert Olsson <robert.olsson@its.uu.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-28 15:43:14 -07:00
Evgeniy Polyakov e7c243c925 [VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"
I tried to preserve bridging code as it was before, but logic is quite
strange - I think we should free skb on error, since it is already
unshared and thus will just leak.

Herbert Xu states:

> +	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
> +		goto out;

If this happens it'll be a double-free on skb since we'll
return NF_DROP which makes the caller free it too.

We could return NF_STOLEN to prevent that but I'm not sure
whether that's correct netfilter semantics.  Patrick, could
you please make a call on this?

Patrick McHardy states:

NF_STOLEN should work fine here.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:47 -07:00
Benjamin Thery aaa53c4aba [NET]: Fix crash in dev_mc_sync()/dev_mc_unsync()
This patch fixes a crash that may occur when the routine dev_mc_sync()
deletes an address from the list it is currently going through. It
saves the pointer to the next element before deleting the current one.
The problem may also exist in dev_mc_unsync().

Signed-off-by: Benjamin Thery <benjamin.thery@bull.net>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:43 -07:00
vignesh babu c3609d510f [NET]: is_power_of_2 in net/core/neighbour.c
Replacing n & (n - 1) for power of 2 check by is_power_of_2(n)

Signed-off-by: vignesh babu <vignesh.babu@wipro.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:37 -07:00
David S. Miller 26722873a4 [TCP]: Describe tcp_init_cwnd() thoroughly in a comment.
People often get tripped up by this function and think that
it does not implemented the prescribed algorithms from
RFC2414 and RFC3390, even though it does.

So add a comment to head off such misunderstandings in the
future.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:36 -07:00
Flavio Leitner a96fb49be3 [NET]: Fix IP_ADD/DROP_MEMBERSHIP to handle only connectionless
Fix IP[V6]_ADD_MEMBERSHIP and IP[V6]_DROP_MEMBERSHIP to
return -EPROTO for connection oriented sockets.

Signed-off-by: Flavio Leitner <fleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:35 -07:00
Nick Bowler 96fe1c0237 [IPSEC] AH4: Update IPv4 options handling to conform to RFC 4302.
In testing our ESP/AH offload hardware, I discovered an issue with how
AH handles mutable fields in IPv4.  RFC 4302 (AH) states the following
on the subject:

        For IPv4, the entire option is viewed as a unit; so even
        though the type and length fields within most options are immutable
        in transit, if an option is classified as mutable, the entire option
        is zeroed for ICV computation purposes.

The current implementation does not zero the type and length fields,
resulting in authentication failures when communicating with hosts
that do (i.e. FreeBSD).

I have tested record route and timestamp options (ping -R and ping -T)
on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts,
with one router.  In the presence of these options, the FreeBSD and
Linux hosts (with the patch or with the hardware) can communicate.
The Windows XP host simply fails to accept these packets with or
without the patch.

I have also been trying to test source routing options (using
traceroute -g), but haven't had much luck getting this option to work
*without* AH, let alone with.

Signed-off-by: Nick Bowler <nbowler@ellipticsemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-26 18:35:33 -07:00
Linus Torvalds 0542170dec Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
  9p: fix bad error path in conversion routines
  9p: remove deprecated v9fs_fid_lookup_remove()
  9p: update maintainers and documentation
  9p: fix use after free
2007-08-23 21:38:21 -07:00
Mariusz Kozlowski 02881d9478 9p: fix bad error path in conversion routines
When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err))
and it will not be happy about it.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
2007-08-23 10:25:05 -05:00
Eric Van Hensbergen 1a3cac6c6d 9p: fix use after free
On 7/22/07, Adrian Bunk <bunk@stusta.de> wrote:
     The Coverity checker spotted the following use-after-free
     in net/9p/mux.c:

     <--  snip  -->

     ...
     struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
                                         unsigned char *extended)
     {
     ...
             if (!m->tagpool) {
                     kfree(m);
                     return ERR_PTR(PTR_ERR(m->tagpool));
             }
     ...

     <--  snip  -->

Also spotted was a leak of the same structure further down in the function.

Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
2007-08-23 10:12:48 -05:00
Andy Whitcroft 22117ea4fe [IRDA] irda_nl_get_mode: always results in failure
It seems an extraneous trailing ';' has slipped in to the error handling for a
name registration failure causing the error path to trigger unconditionally.

Signed-off-by: Andy Whitcroft <apw@shadowen.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-21 21:23:39 -07:00
Jesper Juhl 2c20d72aaa [IRDA]: Avoid a label defined but not used warning in irda_init()
Easily avoidable compiler warnings bug me.

Building irmod without CONFIG_SYSCTL currently results in :
 net/irda/irmod.c:132: warning: label 'out_err_2' defined but not used

But that can easily be avoided by simply moving the label inside
the existing "#ifdef CONFIG_SYSCTL" one line above it.

This patch moves the label and buys us one less warning with no
ill effects.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-21 20:59:30 -07:00
Wei Yongjun 8984e41d18 [IPV6]: Fix kernel panic while send SCTP data with IP fragments
If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
kernel panic will occur when SCTP DATA is send again.

This is because of a bad dest address when call to skb_copy_bits().

The messages sequence is like this:

Endpoint A                             Endpoint B
                               <-------  SCTP DATA (size=1432)
ICMP6 message ------->
(Packet Too Big pmtu=1280)
                               <-------  Resend SCTP DATA (size=1432)
------------kernel panic---------------

 printing eip:
c05be62a
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<c05be62a>]    Not tainted VLI
EFLAGS: 00010282   (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 000004d0   ebx: ce12a980   ecx: 00000134   edx: cfd5a880
esi: c8246858   edi: 00000000   ebp: c0759b14   esp: c0759adc
ds: 007b   es: 007b   fs: 00d8  gs: 0000  ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
       d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
       000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
Call Trace:
 [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
 [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
 [<c040608d>] show_registers+0x1b8/0x289
 [<c0406271>] die+0x113/0x246
 [<c0625dbc>] do_page_fault+0x4ad/0x57e
 [<c0624642>] error_code+0x72/0x78
 [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
 [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
 [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
 [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
 [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
 [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
 [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
 [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
 [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
 [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
 [<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
 [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
 [<c05c3789>] netif_receive_skb+0x2d2/0x335
 [<c05c5733>] process_backlog+0x7f/0xd0
 [<c05c58f6>] net_rx_action+0x96/0x17e
 [<c042e722>] __do_softirq+0x64/0xcd
 [<c0406f37>] do_softirq+0x5c/0xac
 =======================
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt

Arnaldo says:
====================
Thanks! I'm to blame for this one, problem was introduced in:

b0e380b1d8

@@ -761,7 +762,7 @@ slow_path:
                /*
                 *      Copy a block of the IP datagram.
                 */
-               if (skb_copy_bits(skb, ptr, frag->h.raw, len))
+               if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
len))
                        BUG();
                left -= len;
====================

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-21 20:59:08 -07:00
Herbert Xu d92a7db710 [SNAP]: Check packet length before reading
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.

Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.

Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-21 20:58:13 -07:00
Gerrit Renker 39dad26c37 [DCCP]: Allocation in atomic context
This fixes the following bug reported in syslog:

[ 4039.051658] BUG: sleeping function called from invalid context at /usr/src/davem-2.6/mm/slab.c:3032
[ 4039.051668] in_atomic():1, irqs_disabled():0
[ 4039.051670] INFO: lockdep is turned off.
[ 4039.051674]  [<c0104c0f>] show_trace_log_lvl+0x1a/0x30
[ 4039.051687]  [<c0104d4d>] show_trace+0x12/0x14
[ 4039.051691]  [<c0104d65>] dump_stack+0x16/0x18
[ 4039.051695]  [<c011371e>] __might_sleep+0xaf/0xbe
[ 4039.051700]  [<c0157b66>] __kmalloc+0xb1/0xd0
[ 4039.051706]  [<f090416f>] ccid2_hc_tx_alloc_seq+0x35/0xc3 [dccp_ccid2]
[ 4039.051717]  [<f09048d6>] ccid2_hc_tx_packet_sent+0x27f/0x2d9 [dccp_ccid2]
[ 4039.051723]  [<f085486b>] dccp_write_xmit+0x1eb/0x338 [dccp]
[ 4039.051741]  [<f085603d>] dccp_sendmsg+0x113/0x18f [dccp]
[ 4039.051750]  [<c03907fc>] inet_sendmsg+0x2e/0x4c
[ 4039.051758]  [<c033a47d>] sock_aio_write+0xd5/0x107
[ 4039.051766]  [<c015abc1>] do_sync_write+0xcd/0x11c
[ 4039.051772]  [<c015b296>] vfs_write+0x118/0x11f
[ 4039.051840]  [<c015b932>] sys_write+0x3d/0x64
[ 4039.051845]  [<c0103e7c>] syscall_call+0x7/0xb
[ 4039.051848]  =======================

The problem was that GFP_KERNEL was used; fixed by using gfp_any().

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-21 20:58:06 -07:00
Al Viro 35b426c329 missing return in bridge sysfs code
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-08-19 10:32:31 -07:00
Ilpo Järvinen 660adc6e60 [IPv6]: Invalid semicolon after if statement
A similar fix to netfilter from Eric Dumazet inspired me to
look around a bit by using some grep/sed stuff as looking for
this kind of bugs seemed easy to automate. This is one of them
I found where it looks like this semicolon is not valid.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-15 15:07:30 -07:00
Herbert Xu 3b18552550 [NET]: Fix unbalanced rcu_read_unlock in __sock_create
The recent RCU work created an unbalanced rcu_read_unlock
in __sock_create.  This patch fixes that.  Reported by
oleg 123.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-15 14:46:02 -07:00
David S. Miller cd8d60f28f Merge branch 'fixes-davem' of master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-2.6 2007-08-14 18:32:20 -07:00
Adrian Bunk 16f3051b16 [VLAN] net/8021q/vlanproc.c: fix check-after-use
The Coverity checker spotted that we'd have already oops'ed if
"vlandev" was NULL.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 17:39:43 -07:00
Adrian Bunk 6f93b9c283 [NET]: Unexport dev_ethtool
This patch removes the no longer used EXPORT_SYMBOL(dev_ethtool).

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Acked-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 17:38:44 -07:00
Alexey Dobriyan 9c29a377f9 [ECONET]: remove econet_packet_type on unload
Steps to reproduce:

	modprobe econet
	rmmod econet
	modprobe econet

Unable to handle kernel paging request at ffffffff8870a098 RIP: 
 [<ffffffff8040bfb8>] dev_add_pack+0x48/0x90
PGD 203067 PUD 207063 PMD 7817f067 PTE 0
Oops: 0002 [1] PREEMPT SMP 
CPU 1 
Modules linked in: econet [maaaany]
Pid: 10671, comm: modprobe Not tainted 2.6.23-rc3-bloat #6
RIP: 0010:[<ffffffff8040bfb8>]  [<ffffffff8040bfb8>] dev_add_pack+0x48/0x90
RSP: 0000:ffff810076293df8  EFLAGS: 00010202
RAX: ffffffff88659090 RBX: ffffffff88659060 RCX: ffffffff8870a090
RDX: 0000000000000080 RSI: ffffffff805ec660 RDI: ffff810078ce4680
RBP: ffff810076293e08 R08: 0000000000000002 R09: 0000000000000000
R10: ffffffff8040bf88 R11: 0000000000000001 R12: ffff810076293e18
R13: 000000000000001b R14: ffff810076dd06b0 R15: ffffffff886590c0
FS:  00002b96a525dae0(0000) GS:ffff81007e0e2138(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffff8870a098 CR3: 000000007bb67000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 10671, threadinfo ffff810076292000, task ffff810078ce4680)
Stack:  ffff810076dd06b0 0000000000000000 ffff810076293e38 ffffffff8865b180
 0000000000800000 0000000000000000 ffffffff886590c0 ffff810076dd01c8
 ffff810076293f78 ffffffff8026723c ffff810076293e48 ffffffff886590d8
Call Trace:
 [<ffffffff8865b180>] :econet:econet_proto_init+0x180/0x1da
 [<ffffffff8026723c>] sys_init_module+0x15c/0x19e0
 [<ffffffff8020c13e>] system_call+0x7e/0x83


Code: 48 89 41 08 48 89 82 e0 c5 5e 80 48 c7 c7 a0 08 5d 80 e8 f1 
RIP  [<ffffffff8040bfb8>] dev_add_pack+0x48/0x90
 RSP <ffff810076293df8>
CR2: ffffffff8870a098

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 17:25:20 -07:00
Alexey Dobriyan 9ac0be9d4f [AX25]: don't free pointers to statically allocated data
commit 8d5cf596d1 started to add statically
allocated ax25_protocol's to list. However kfree() was still in place waiting
for unsuspecting ones on module removal.

Steps to reproduce:

	modprobe netrom
	rmmod netrom

P.S.: code would benefit greatly from list_add/list_del usage

kernel BUG at mm/slab.c:592!
invalid opcode: 0000 [1] PREEMPT SMP 
CPU 0 
Modules linked in: netrom ax25 af_packet usbcore rtc_cmos rtc_core rtc_lib
Pid: 4477, comm: rmmod Not tainted 2.6.23-rc3-bloat #2
RIP: 0010:[<ffffffff802ac646>]  [<ffffffff802ac646>] kfree+0x1c6/0x260
RSP: 0000:ffff810079a05e48  EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81000000c000
RDX: ffff81007e552458 RSI: 0000000000000000 RDI: 000000000000805d
RBP: ffff810079a05e88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff8805d080
R13: ffffffff8805d080 R14: 0000000000000000 R15: 0000000000000282
FS:  00002b73fc98aae0(0000) GS:ffffffff805dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000053f3b8 CR3: 0000000079ff2000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process rmmod (pid: 4477, threadinfo ffff810079a04000, task ffff8100775aa480)
Stack:  ffff810079a05e68 0000000000000246 ffffffff8804eca0 0000000000000000
 ffffffff8805d080 00000000000000cf 0000000000000000 0000000000000880
 ffff810079a05eb8 ffffffff8803ec90 ffff810079a05eb8 0000000000000000
Call Trace:
 [<ffffffff8803ec90>] :ax25:ax25_protocol_release+0xa0/0xb0
 [<ffffffff88056ecb>] :netrom:nr_exit+0x6b/0xf0
 [<ffffffff80268bf0>] sys_delete_module+0x170/0x1f0
 [<ffffffff8025da35>] trace_hardirqs_on+0xd5/0x170
 [<ffffffff804835aa>] trace_hardirqs_on_thunk+0x35/0x37
 [<ffffffff8020c13e>] system_call+0x7e/0x83


Code: 0f 0b eb fe 66 66 90 66 66 90 48 8b 52 10 48 8b 02 25 00 40 
RIP  [<ffffffff802ac646>] kfree+0x1c6/0x260
 RSP <ffff810079a05e48>
Kernel panic - not syncing: Fatal exception

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 17:24:05 -07:00
John W. Linville b9bf1e60a2 [PATCH] mac80211: probe for hidden SSIDs in pre-auth scan
Probe for hidden SSIDs if initiating pre-authentication scan and SSID
is set for STA interface.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-14 16:48:23 -04:00
Johannes Berg 7b7ed87925 [PATCH] mac80211: fix tx status frame code
When I added the monitor for outgoing frames somehow a break
statement slipped in. Remove it.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-14 16:48:23 -04:00
Jussi Kivilinna 02f44315dc [BRIDGE]: Fix typo in net/bridge/br_stp_if.c
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Acked-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:22:58 -07:00
Stephen Hemminger 17120889b0 [BRIDGE]: sysfs locking fix.
The stp change code generates "sleeping function called from invalid
context" because rtnl_lock() called with BH disabled. This fixes it by
not acquiring then dropping the bridge lock.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:21:34 -07:00
Patrick McHardy 45241a7a07 [NETFILTER]: nf_nat_sip: don't drop short packets
Don't drop packets shorter than "SIP/2.0", just ignore them. Keep-alives
can validly be shorter for example.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:14:58 -07:00
Patrick McHardy aa584eda5d [NETFILTER]: nf_conntrack_sip: fix SIP-URI parsing
The userinfo component of a SIP-URI is optional, continue parsing at the
beginning of the SIP-URI in case its not found.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:14:35 -07:00
Patrick McHardy 465f90a486 [NETFILTER]: nf_conntrack_sip: check sname != NULL before calling strncmp
The check got lost during the conversion to nf_conntrack.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:13:54 -07:00
Eric Dumazet 35019539d7 [NETFILTER]: netfilter: xt_u32 bug correction
An extraneous ";" makes xt_u32 match useless

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-14 13:13:28 -07:00
Heiko Carstens cae7ca3d3d [IPVS]: Use IP_VS_WAIT_WHILE when encessary.
For architectures that don't have a volatile atomic_ts constructs like
while (atomic_read(&something)); might result in endless loops since a
barrier() is missing which forces the compiler to generate code that
actually reads memory contents.
Fix this in ipvs by using the IP_VS_WAIT_WHILE macro which resolves to
while (expr) { cpu_relax(); }
(why isn't this open coded btw?)

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:15 -07:00
Herbert Xu 7f353bf29e [NET]: Share correct feature code between bridging and bonding
http://bugzilla.kernel.org/show_bug.cgi?id=8797 shows that the
bonding driver may produce bogus combinations of the checksum
flags and SG/TSO.

For example, if you bond devices with NETIF_F_HW_CSUM and
NETIF_F_IP_CSUM you'll end up with a bonding device that
has neither flag set.  If both have TSO then this produces
an illegal combination.

The bridge device on the other hand has the correct code to
deal with this.

In fact, the same code can be used for both.  So this patch
moves that logic into net/core/dev.c and uses it for both
bonding and bridging.

In the process I've made small adjustments such as only
setting GSO_ROBUST if at least one constituent device
supports it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:14 -07:00
Jesper Juhl e576de82ee [DCCP]: fix memory leak and clean up style - dccp_feat_empty_confirm()
There's a memory leak in net/dccp/feat.c::dccp_feat_empty_confirm().  If we
hit the 'default:' case of the 'switch' statement, then we return without
freeing 'opt', thus leaking 'struct dccp_opt_pend' bytes.

The leak is fixed easily enough by adding a kfree(opt); before the return
statement.

The patch also changes the layout of the 'switch' to be more in line with
CodingStyle.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:10 -07:00
Oleg Nesterov d725fdc802 [DCCP]: fix theoretical ccids_{read,write}_lock() race
Make sure that spin_unlock_wait() is properly ordered wrt atomic_inc().

(akpm: can't we convert this code to use rwlocks?)

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:09 -07:00
Jesper Juhl b5890d8ba4 [XFRM]: Clean up duplicate includes in net/xfrm/
This patch cleans up duplicate includes in
	net/xfrm/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:08 -07:00
Jesper Juhl 897c77cab0 [TIPC]: Clean up duplicate includes in net/tipc/
This patch cleans up duplicate includes in
	net/tipc/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:07 -07:00
Jesper Juhl 08dd2e2946 [SUNRPC]: Clean up duplicate includes in net/sunrpc/
This patch cleans up duplicate includes in
	net/sunrpc/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:05 -07:00
Jesper Juhl 0a26f4cdc2 [PKT_SCHED]: Clean up duplicate includes in net/sched/
This patch cleans up duplicate includes in
	net/sched/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:04 -07:00
Jesper Juhl 703310e645 [IPV6]: Clean up duplicate includes in net/ipv6/
This patch cleans up duplicate includes in
	net/ipv6/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:03 -07:00
Jesper Juhl f49f9967b2 [IPV4]: Clean up duplicate includes in net/ipv4/
This patch cleans up duplicate includes in
	net/ipv4/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:02 -07:00
Jesper Juhl 6869a35b36 [ATM]: Clean up duplicate includes in net/atm/
This patch cleans up duplicate includes in
	net/atm/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:52:01 -07:00
Joakim Tjernlund dcbdc93c6c [IPCONFIG]: ip_auto_config fix
The following commandline:

 root=/dev/mtdblock6 rw rootfstype=jffs2 ip=192.168.1.10:::255.255.255.0:localhost.localdomain:eth1:off console=ttyS0,115200

makes ip_auto_config fall back to DHCP and complain "IP-Config: Incomplete
network configuration information." depending on if CONFIG_IP_PNP_DHCP is
set or not.

The only way I can make ip_auto_config accept my IP config is to add an
entry for the server IP:

ip=192.168.1.10:192.168.1.15::255.255.255.0:localhost.localdomain:eth1:off

I think this is a bug since I am not using a NFS root FS.

The following patch fixes the above problem.

From: Andrew Morton <akpm@linux-foundation.org>

Davem said (in February!):

  Well, first of all the change in question is not in 2.4.x either.  I just
  checked the current 2.4.x GIT tree and the test is exactly:

	if (ic_myaddr == INADDR_NONE ||
#ifdef CONFIG_ROOT_NFS
	    (MAJOR(ROOT_DEV) == UNNAMED_MAJOR
	     && root_server_addr == INADDR_NONE
	     && ic_servaddr == INADDR_NONE) ||
#endif
	    ic_first_dev->next) {

  which matches 2.6.x

  I even checked 2.4.x when it was branched for 2.5.x and the test was the
  same at the point in time too.

  Looking at the proposed change a bit it appears that it is probably
  correct, as it's trying to check that ROOT_DEV is nfs root.  But if it is
  correct then the UNNAMED_MAJOR comparison in the same code block should be
  removed as it becomes superfluous.

  I'm happy to apply this patch with that modification made.

Signed-off-by: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-13 22:51:59 -07:00
Linus Torvalds 8b80fc02b8 Merge git://git.linux-nfs.org/pub/linux/nfs-2.6
* git://git.linux-nfs.org/pub/linux/nfs-2.6:
  SUNRPC: Replace flush_workqueue() with cancel_work_sync() and friends
  NFS: Replace flush_scheduled_work with cancel_work_sync() and friends
  SUNRPC: Don't call gss_delete_sec_context() from an rcu context
  NFSv4: Don't call put_rpccred() from an rcu callback
  NFS: Fix NFSv4 open stateid regressions
  NFSv4: Fix a locking regression in nfs4_set_mode_locked()
  NFS: Fix put_nfs_open_context
  SUNRPC: Fix a race in rpciod_down()
2007-08-09 08:38:14 -07:00
Linus Torvalds 660ca5317d Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [TCP]: H-TCP maxRTT estimation at startup
  [NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack
  [NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks
  [NETFILTER]: ipt_recent: avoid a possible NULL pointer deref in recent_seq_open()
  [NET] net/core/utils: fix sparse warning
  [NetLabel]: add missing rcu_dereference() calls in the LSM domain mapping hash table
  [PATCH] mac80211: don't allow scanning in monitor mode
  [PATCH] mac80211: Fix sparse error for sta_last_seq_ctrl_read
  [PATCH] mac80211: use do { } while (0) for multi-line macros
  [PATCH] mac80211: missing dev_put in ieee80211_master_start_xmit
2007-08-09 08:31:03 -07:00
Stephen Hemminger f34d1955df [TCP]: H-TCP maxRTT estimation at startup
Small patch to H-TCP from Douglas Leith. 

Fix estimation of maxRTT.  The original code ignores rtt measurements
during slow start (via the check tp->snd_ssthresh < 0xFFFF) yet this
is probably a good time to try to estimate max rtt as delayed acking
is disabled and slow start will only exit on a loss which presumably
corresponds to a maxrtt measurement.  Second, the original code (via
the check htcp_ccount(ca) > 3) ignores rtt data during what it
estimates to be the first 3 round-trip times.  This seems like an
unnecessary check now that the RCV timestamp are no longer used
for rtt estimation.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 18:29:05 -07:00
Patrick McHardy 591e620693 [NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack
Loading nf_nat causes the conntrack core to be loaded, but we need IPv4 as
well.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 18:12:01 -07:00
Pablo Neira Ayuso ff4ca8273e [NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks
ctnetlink must return EEXIST for existing nat'ed conntracks instead of
EINVAL. Only return EINVAL if we try to update a conntrack with NAT
handlings (that is not allowed).

Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (0)(Success)
Decadence:libnetfilter_conntrack/utils# ./conntrack_create_nat
TEST: create conntrack (-1)(Invalid argument)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 18:11:26 -07:00
Jesper Juhl 3af8e31cf5 [NETFILTER]: ipt_recent: avoid a possible NULL pointer deref in recent_seq_open()
If the call to seq_open() returns != 0 then the code calls 
kfree(st) but then on the very next line proceeds to 
dereference the pointer - not good.

Problem spotted by the Coverity checker.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 18:10:54 -07:00
David S. Miller 864c5a4d37 Merge branch 'fixes-davem' of master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-2.6 2007-08-07 18:07:35 -07:00
Johannes Berg 14ae856645 [NET] net/core/utils: fix sparse warning
net_msg_warn is not defined because it is in net/sock.h which isn't
included.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 18:02:43 -07:00
Paul Moore 3482fd9099 [NetLabel]: add missing rcu_dereference() calls in the LSM domain mapping hash table
The LSM domain mapping head table pointer was not being referenced via the RCU
safe dereferencing function, rcu_dereference().  This patch adds those missing
calls to the NetLabel code.

This has been tested using recent linux-2.6 git kernels with no visible
regressions.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-07 17:53:10 -07:00
Trond Myklebust 4011cd9788 SUNRPC: Replace flush_workqueue() with cancel_work_sync() and friends
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2007-08-07 16:13:01 -04:00
Trond Myklebust a4deb81ba8 SUNRPC: Don't call gss_delete_sec_context() from an rcu context
Doing so may not be safe...

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2007-08-07 15:16:24 -04:00
Trond Myklebust b247bbf1da SUNRPC: Fix a race in rpciod_down()
The commit 4ada539ed7 lead to the unpleasant
possibility of an asynchronous rpc_task being required to call
rpciod_down() when it is complete. This again means that the rpciod
workqueue may get to call destroy_workqueue on itself -> hang...

Change rpciod_up/rpciod_down to just get/put the module, and then
create/destroy the workqueues on module load/unload.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2007-08-07 15:13:16 -04:00
Daniel Drake f27b62d3e7 [PATCH] mac80211: don't allow scanning in monitor mode
zd1211rw gets confused when the user asks for a scan when the device is
in monitor mode. This patch tightens up the SIWSCAN handler to deny the scan
under these conditions.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Jiri Benc <jbenc@suse.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-06 15:39:15 -04:00
Zhu Yi ba9b07d08b [PATCH] mac80211: Fix sparse error for sta_last_seq_ctrl_read
Fix sparse error for sta_last_seq_ctrl_read.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Jiri Benc <jbenc@suse.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-06 15:39:01 -04:00
Zhu Yi 21887b2f18 [PATCH] mac80211: use do { } while (0) for multi-line macros
Use do { } while (0) for multi-line macros

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Jiri Benc <jbenc@suse.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-06 15:38:48 -04:00
Daniel Drake 0e7088de6c [PATCH] mac80211: missing dev_put in ieee80211_master_start_xmit
Fixes an unlikely reference leak condition.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Jiri Benc <jbenc@suse.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-06 15:37:56 -04:00
Michael Buesch fdc8f43b5e [PATCH] softmac: Fix deadlock of wx_set_essid with assoc work
The essid wireless extension does deadlock against the assoc mutex,
as we don't unlock the assoc mutex when flushing the workqueue, which
also holds the lock.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-08-06 15:06:03 -04:00
Ilpo Järvinen 49ff4bb4cd [TCP]: DSACK signals data receival, be conservative
In case a DSACK is received, it's better to lower cwnd as it's
a sign of data receival.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:47:59 -07:00
Ilpo Järvinen 2e6052941a [TCP]: Also handle snd_una changes in tcp_cwnd_down
tcp_cwnd_down must check for it too as it should be conservative
in case of collapse stuff and also when receiver is trying to
lie (though that wouldn't be very successful/useful anyway).

Note:
- Separated also is_dupack and do_lost in fast_retransalert
	* Much cleaner look-and-feel now
	* This time it really fixes cumulative ACK with many new
	  SACK blocks recovery entry (I claimed this fixes with
	  last patch but it wasn't). TCP will now call
	  tcp_update_scoreboard regardless of is_dupack when
	  in recovery as long as there is enough fackets_out.
- Introduce FLAG_SND_UNA_ADVANCED
	* Some prior_snd_una arguments are unnecessary after it
- Added helper FLAG_ANY_PROGRESS to avoid long FLAG...|FLAG...
  constructs

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:46:58 -07:00
David S. Miller 3a97aeb5c1 Merge davem@master.kernel.org:/pub/scm/linux/kernel/git/vxy/lksctp-dev 2007-08-02 19:44:43 -07:00
Florian Westphal d788d8056f [TIPC]: Fix two minor sparse warnings.
fix two warnings generated by sparse:

link.c:2386 symbol 'msgcount' shadows an earlier one
node.c:244 symbol 'addr_string' shadows an earlier one

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:31 -07:00
Florian Westphal 248bbf3821 [TIPC]: Make function tipc_nameseq_subscribe static.
make needlessly global function tipc_nameseq_subscribe static.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:30 -07:00
Joy Latten 4a4b6271a8 [PF_KEY]: Fix ipsec not working in 2.6.23-rc1-git10
Although an ipsec SA was established, kernel couldn't seem to find it.

I think since we are now using "x->sel.family" instead of "family" in
the xfrm_selector_match() called in xfrm_state_find(), af_key needs to
set this field too, just as xfrm_user.

In af_key.c, x->sel.family only gets set when there's an
ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.

I think pfkey needs to also set the x->sel.family field when it is 0.

Tested with below patch, and ipsec worked when using pfkey.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:29 -07:00
David S. Miller 3516ffb0fe [TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg().
As discovered by Evegniy Polyakov, if we try to sendmsg after
a connection reset, we can do incredibly stupid things.

The core issue is that inet_sendmsg() tries to autobind the
socket, but we should never do that for TCP.  Instead we should
just go straight into TCP's sendmsg() code which will do all
of the necessary state and pending socket error checks.

TCP's sendpage already directly vectors to tcp_sendpage(), so this
merely brings sendmsg() in line with that.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:28 -07:00
Mariusz Kozlowski 1bcabbdb0b [IPV4] route.c: mostly kmalloc + memset conversion to k[cz]alloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:27 -07:00
Mariusz Kozlowski 4487b2f657 [IPV4] raw.c: kmalloc + memset conversion to kzalloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:26 -07:00
Mariusz Kozlowski 8adc546552 [NETFILTER] nf_conntrack_l3proto_ipv4_compat.c: kmalloc + memset conversion to kzalloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:24 -07:00
Mariusz Kozlowski 9f0d1a004d [NETFILTER] nf_conntrack_expect.c: kmalloc + memset conversion to kzalloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:23 -07:00
Michal Piotrowski 2f0812350e [NET]: Removal of duplicated include net/wanrouter/wanmain.c
Signed-off-by: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-08-02 19:42:22 -07:00
Paul Moore e6e0871cce Net/Security: fix memory leaks from security_secid_to_secctx()
The security_secid_to_secctx() function returns memory that must be freed
by a call to security_release_secctx() which was not always happening.  This
patch fixes two of these problems (all that I could find in the kernel source
at present).

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2007-08-02 11:52:26 -04:00
Wei Yongjun 5f8f1c3c87 SCTP: remove useless code in function sctp_init_cause
Some code in function sctp_init_cause() seem useless, this patch remove
them.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-02 10:56:07 -04:00
Wei Yongjun aecedeab6f SCTP: drop SACK if ctsn is not less than the next tsn of assoc
We need to drop the SACK if the peer is attempting to acknowledge
unset data, i.e.  the CTSN in the SACK is greater or equal to the
next TSN we will send.

Example:
Endpoint A                                      Endpoint B
                             <---------------   DATA (TSN=1)
SACK(TSN=1) ---------------> 
                             <---------------   DATA (TSN=2)
                             <---------------   DATA (TSN=3)
                             <---------------   DATA (TSN=4)
                             <---------------   DATA (TSN=5)
SACK(TSN=1000) --------------->
                             <---------------   DATA (TSN=6)
                             <---------------   DATA (TSN=7)

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-02 10:41:18 -04:00
Vlad Yasevich e4d1feab5d SCTP: IPv4 mapped addr not returned in SCTPv6 accept()
When issuing a connect call on an AF_INET6 sctp socket with
a IPv4-mapped destination, the peer address that is returned
by getpeeraddr() should be v4-mapped as well.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
Dave Johnson b225b884a1 SCTP: IPv4 mapped addr not returned in SCTPv6 accept()
An accept() call on a SCTPv6 socket that returns due to connection of
a IPv4 mapped peer will fill out the 'struct sockaddr' with a zero
IPv6 address instead of the IPv4 mapped address of the peer.

This is due to the v4mapped flag not getting copied into the new
socket on accept() as well as a missing check for INET6 socket type in
sctp_v4_to_sk_*addr().

Signed-off-by: Dave Johnson <djohnson@sw.starentnetworks.com>
Cc: Srinivas Akkipeddi <sakkiped@starentnetworks.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
Sebastian Siewior cc121fa87a sctp: fix shadow symbol in net/sctp/tsnmap.c
net/sctp/tsnmap.c:164:16: warning: symbol '_end' shadows an earlier one
include/asm-generic/sections.h:13:13: originally declared here

Renamed renamed _end to end_ and _start (for consistence).

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
Sebastian Siewior d6f9fdaf64 sctp: try to fix readlock
unlock the reader lock in error case.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
sebastian@breakpoint.cc c86dabcf00 sctp: remove shadowed symbols
Fixes the following sparse warnings:
net/sctp/sm_make_chunk.c:1457:9: warning: symbol 'len' shadows an earlier one
net/sctp/sm_make_chunk.c:1356:23: originally declared here
net/sctp/socket.c:1534:22: warning: symbol 'chunk' shadows an earlier one
net/sctp/socket.c:1387:20: originally declared here

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
sebastian@breakpoint.cc 0a5fcb9cf8 sctp: move global declaration to header file.
sctp_chunk_cachep & sctp_bucket_cachep is used module global, so move it
to a header file.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:06 -04:00
sebastian@breakpoint.cc 046752104c sctp: make locally used function static
Forward declarion is static, the function itself is not. Make it
consistent.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
2007-08-01 11:19:05 -04:00
Linus Torvalds 0d6caa1795 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits)
  [RTNETLINK]: Fix warning for !CONFIG_KMOD
  [IPV4] ip_options.c: kmalloc + memset conversion to kzalloc
  [DECNET]: kmalloc + memset conversion to kzalloc
  [NET]: ethtool_perm_addr only has one implementation
  [NET]: ethtool ops are the only way
  [PPPOE]: Improve hashing function in hash_item().
  [XFRM]: State selection update to use inner addresses.
  [IPSEC]: Ensure that state inner family is set
  [TCP]: Bidir flow must not disregard SACK blocks for lost marking
  [TCP]: Fix ratehalving with bidirectional flows
  [PPPOL2TP]: Add CONFIG_INET Kconfig dependency.
  [NET]: Page offsets and lengths need to be __u32.
  [AF_UNIX]: Make code static.
  [NETFILTER]: Make nf_ct_ipv6_skip_exthdr() static.
  [PKTGEN]: make get_ipsec_sa() static and non-inline
  [PPPoE]: move lock_sock() in pppoe_sendmsg() to the right location
  [PPPoX/E]: return ENOTTY on unknown ioctl requests
  [IPV6]: ipv6_addr_type() doesn't know about RFC4193 addresses.
  [NET]: Fix prio_tune() handling of root qdisc.
  [NET]: Fix sch_api to properly set sch->parent on the root.
  ...
2007-07-31 15:51:00 -07:00
Mariusz Kozlowski bbe06f6bf7 fs: 9p/conv.c error path fix
When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err)) and
it will not be happy about it.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: Eric Van Hensbergen <ericvh@ericvh.myip.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-31 15:39:42 -07:00
Thomas Graf 8072f085d7 [RTNETLINK]: Fix warning for !CONFIG_KMOD
replay label is unused otherwise.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 14:13:50 -07:00
Mariusz Kozlowski 376407039c [IPV4] ip_options.c: kmalloc + memset conversion to kzalloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 14:06:45 -07:00
Mariusz Kozlowski f87966541e [DECNET]: kmalloc + memset conversion to kzalloc
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 14:05:56 -07:00
Matthew Wilcox 313674afa8 [NET]: ethtool_perm_addr only has one implementation
All drivers implement ethtool get_perm_addr the same way -- by calling
the generic function.  So we can inline the generic function into the
caller and avoid going through the drivers.

Signed-off-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 14:00:29 -07:00
Matthew Wilcox 61a44b9c4b [NET]: ethtool ops are the only way
During the transition to the ethtool_ops way of doing things, we supported
calling the device's ->do_ioctl method to allow unconverted drivers to
continue working.  Those days are long behind us, all in-tree drivers
use the ethtool_ops way, and so we no longer need to support this.

The bonding driver is the biggest beneficiary of this; it no longer
needs to call ioctl() as a fallback if ethtool_ops aren't supported.

Also put a proper copyright statement on ethtool.c.

Signed-off-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 14:00:02 -07:00
Joakim Koskela 48b8d78315 [XFRM]: State selection update to use inner addresses.
This patch modifies the xfrm state selection logic to use the inner
addresses where the outer have been (incorrectly) used. This is
required for beet mode in general and interfamily setups in both
tunnel and beet mode.

Signed-off-by: Joakim Koskela <jookos@gmail.com>
Signed-off-by: Herbert Xu     <herbert@gondor.apana.org.au>
Signed-off-by: Diego Beltrami <diego.beltrami@gmail.com>
Signed-off-by: Miika Komu     <miika@iki.fi>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:33 -07:00
Herbert Xu 196b003620 [IPSEC]: Ensure that state inner family is set
Similar to the issue we had with template families which
specified the inner families of policies, we need to set
the inner families of states as the main xfrm user Openswan
leaves it as zero.

af_key is unaffected because the inner family is set by it
and not the KM.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:32 -07:00
Ilpo Järvinen b8ed601cef [TCP]: Bidir flow must not disregard SACK blocks for lost marking
It's possible that new SACK blocks that should trigger new LOST
markings arrive with new data (which previously made is_dupack
false). In addition, I think this fixes a case where we get
a cumulative ACK with enough SACK blocks to trigger the fast
recovery (is_dupack would be false there too).

I'm not completely pleased with this solution because readability
of the code is somewhat questionable as 'is_dupack' in SACK case
is no longer about dupacks only but would mean something like
'lost_marker_work_todo' too... But because of Eifel stuff done
in CA_Recovery, the FLAG_DATA_SACKED check cannot be placed to
the if statement which seems attractive solution. Nevertheless,
I didn't like adding another variable just for that either... :-)

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:31 -07:00
Ilpo Järvinen 1e757f9996 [TCP]: Fix ratehalving with bidirectional flows
Actually, the ratehalving seems to work too well, as cwnd is
reduced on every second ACK even though the packets in flight
remains unchanged. Recoveries in a bidirectional flows suffer
quite badly because of this, both NewReno and SACK are affected.

After this patch, rate halving is performed for ACK only if
packets in flight was supposedly changed too.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:30 -07:00
Adrian Bunk 131116989b [AF_UNIX]: Make code static.
The following code can now become static:
- struct unix_socket_table
- unix_table_lock

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:27 -07:00
Adrian Bunk 1a3a206f7f [NETFILTER]: Make nf_ct_ipv6_skip_exthdr() static.
nf_ct_ipv6_skip_exthdr() can now become static.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:26 -07:00
Adrian Bunk fea1ab0fcf [PKTGEN]: make get_ipsec_sa() static and non-inline
Non-static inline code usually doesn't makes sense.

In this case making is static and non-inline is the correct solution.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:25 -07:00
Dave Johnson c61a7d10ef [IPV6]: ipv6_addr_type() doesn't know about RFC4193 addresses.
ipv6_addr_type() doesn't check for 'Unique Local IPv6 Unicast
Addresses' (RFC4193) and returns IPV6_ADDR_RESERVED for that range.

SCTP uses this function and will fail bind() and connect() calls that
use RFC4193 addresses, SCTP will also ignore inbound connections from
RFC4193 addresses if listening on IPV6_ADDR_ANY.

There may be other users of ipv6_addr_type() that could also have
problems.

Signed-off-by: Dave Johnson <djohnson@sw.starentnetworks.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:21 -07:00
Peter P Waskiewicz Jr 0773192b0f [NET]: Fix prio_tune() handling of root qdisc.
Fix the check in prio_tune() to see if sch->parent is TC_H_ROOT instead of
sch->handle to load or reject the qdisc for multiqueue devices.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:20 -07:00
Patrick McHardy ffc8fefaf2 [NET]: Fix sch_api to properly set sch->parent on the root.
Fix sch_api to correctly set sch->parent for both ingress and egress
qdiscs in qdisc_create().

Signed-off-by: Patrick McHardy <trash@kaber.net>
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:19 -07:00
Patrick McHardy bdba91ec70 [NET_SCHED]: Fix prio/ingress classification logic error
Fix handling of empty or completely non-matching filter chains. In
that case -1 is returned and tcf_result is uninitialized, the
qdisc should fall back to default classification in that case.

Noticed by PJ Waskiewicz <peter.p.waskiewicz.jr@intel.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:18 -07:00
Herbert Xu b217d616a1 [IPV4/IPV6]: Fail registration if inet device construction fails
Now that netdev notifications can fail, we can use this to signal
errors during registration for IPv4/IPv6.  In particular, if we
fail to allocate memory for the inet device, we can fail the netdev
registration.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:16 -07:00
Herbert Xu fcc5a03ac4 [NET]: Allow netdev REGISTER/CHANGENAME events to fail
This patch adds code to allow errors to be passed up from event
handlers of NETDEV_REGISTER and NETDEV_CHANGENAME.  It also adds
the notifier_from_errno/notifier_to_errnor helpers to pass the
errno value up to the notifier caller.

If an error is detected when a device is registered, it causes
that operation to fail.  A NETDEV_UNREGISTER will be sent to
all event handlers.

Similarly if NETDEV_CHANGENAME fails the original name is restored
and a new NETDEV_CHANGENAME event is sent.

As such all event handlers must be idempotent with respect to
these events.

When an event handler is registered NETDEV_REGISTER events are
sent for all devices currently registered.  Should any of them
fail, we will send NETDEV_GOING_DOWN/NETDEV_DOWN/NETDEV_UNREGISTER
events to that handler for the devices which have already been
registered with it.  The handler registration itself will fail.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:15 -07:00
Herbert Xu 7f988eab57 [NET]: Take dev_base_lock when moving device name hash list entry
When we added name-based hashing the dev_base_lock was designated as the
lock to take when changing the name hash list.  Unfortunately, because
it was a preexisting lock that just happened to be taken in the right
spots we neglected to take it in dev_change_name.

The race can affect calles of __dev_get_by_name that do so without taking
the RTNL.  They may end up walking down the wrong hash chain and end up
missing the device that they're looking for.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:13 -07:00
Herbert Xu 7ce1b0edcb [NET]: Call uninit if necessary in register_netdevice
This patch makes register_netdevice call dev->uninit if the regsitration
fails after dev->init has completed successfully.  Very few drivers use
the init/uninit calls but at least one (drivers/net/wan/sealevel.c) may
leak without this change.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:12 -07:00
Herbert Xu ccc7911fbd [IPVS]: Use skb_forward_csum
As a path that forwards packets, IPVS should be using
skb_forward_csum instead of directly setting ip_summed
to CHECKSUM_NONE.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:11 -07:00
David S. Miller 25a8b2545b [PKTGEN]: Add missing KERN_* tags to printk()s.
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:10 -07:00
Al Viro d83852822c [BLUETOOTH] l2cap: don't mangle cmd.len
Since nobody uses it after we convert it to host-endian,
no need to do that at all.  At that point l2cap is endian-clean.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:09 -07:00
Al Viro 88219a0f65 [BLUETOOTH]: pass (host-endian) cmd length as explicit argument to l2cap_conf_req()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-07-31 02:28:08 -07:00