summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* | ipv4: Remove unused declaration from include/net/tcp.h.Rami Rosen2008-06-101-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | - The tcp_unhash() method in /include/net/tcp.h is no more needed, as the unhash method in tcp_prot structure is now inet_unhash (instead of tcp_unhash in the past); see tcp_prot structure in net/ipv4/tcp_ipv4.c. - So, this patch removes tcp_unhash() declaration from include/net/tcp.h Signed-off-by: Rami Rosen <ramirose@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | l2tp: Fix potential memory corruption in pppol2tp_recvmsg()James Chapman2008-06-101-8/+12
|/ | | | | | | | | | | | | | | | This patch fixes a potential memory corruption in pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer length, memcpy_toiovec() will go into unintialized data on the kernel heap, interpret it as an iovec and start modifying memory. The fix is to change the memcpy_toiovec() call to skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP) are handled properly. Also check that the caller's buffer is big enough for the data and set the MSG_TRUNC flag if it is not so. Reported-by: Ilja <ilja@netric.org> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv6 netns: init net is used to set bindv6only for new sockPavel Emelyanov2008-06-091-1/+1
| | | | | | | | | | | The bindv6only is tuned via sysctl. It is already on a struct net and per-net sysctls allow for its modification (ipv6_sysctl_net_init). Despite this the value configured in the init net is used for the rest of them. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* irda: net/irda build fix: mcs7780Ingo Molnar2008-06-091-0/+1
| | | | | | | | | | | | | | | | | | | -tip testing found the following build error: drivers/built-in.o: In function `mcs_receive_irq': mcs7780.c:(.text+0x4e429): undefined reference to `crc32_le' drivers/built-in.o: In function `mcs_hard_xmit': mcs7780.c:(.text+0x4e9af): undefined reference to `crc32_le' with: http://redhat.com/~mingo/misc/config-Sun_Jun__8_22_56_14_CEST_2008.bad the reason is a missing enablement of the CRC32 library in the Kconfig. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Update version to 3.92.1Matt Carlson2008-06-091-2/+2
| | | | | | | | This patch increments the version to 3.92.1. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Fix 5761 WOLMatt Carlson2008-06-091-0/+24
| | | | | | | | | | | | | | | | | | | On 5761 non-e devices, two problems prevent the administrator from overriding the WOL settings in the device's NVRAM. The first problem is that GPIO 0 and GPIO 2 have been swapped. This change prevented the administrator from turning on WOL when it is disabled in NVRAM. The fix is to add a new path for the 5761 that swaps the two GPIOs in the code as well. The second problem is that GPIO 1 could not be toggled by the driver because the GPIO is shared with the debug UART GPIO. This will prevent the administrator from being able to turn WOL off if it was enabled in NVRAM. The fix is to always disable the debug UART after a GRC reset. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Fix a flags typoMatt Carlson2008-06-091-1/+1
| | | | | | | | | This patch fixes a problem where the TG3_FLAG_10_100_ONLY flag was testing against the wrong flags variable. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tg3: Fix 5714S / 5715S / 5780S link failuresMatt Carlson2008-06-091-2/+1
| | | | | | | | | | | | | | | | The git commit ef167e27039eeaea6d3cdd5c547b082e89840bdd entitled "Fix supporting flowctrl code" introduced a bug that prevents 5714S, 5715S and 5780S devices from falling back to a forced link mode. The problem is that the added flow control check will always fail if flow control is set to autoneg and either RX or TX (or both) flow control is enabled. The driver defaults to setting flow control to autoneg and advertises both RX and TX flow control. The fix is to remove the errant check. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* iwlwifi: fix oops in iwl3945_led_brightness_setMarcin Slusarz2008-06-091-2/+3
| | | | | | | | | | | | | | | | | | | | | | | fix race between: ieee80211_open->ieee80211_led_radio->led_trigger_event->led_set_brightness->iwl3945_led_brightness_set (which assumes that "led->priv" is not NULL) and iwl3945_pci_probe->iwl3945_setup_deferred_work->(...)->iwl3945_bg_alive_start->iwl3945_alive_start->iwl3945_led_register->iwl3945_led_register_led which sets priv field in struct iwl3945_led after led->led_dev.brightness_set = iwl3945_led_brightness_set; (...) led_classdev_register(device, &led->led_dev); http://kerneloops.org/guilty.php?guilty=iwl3945_led_brightness_set&version=2.6.25-release&start=1671168&end=1703935&class=oops Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: Zhu Yi <yi.zhu@intel.com> Cc: Reinette Chatre <reinette.chatre@intel.com> Cc: Tomas Winkler <tomas.winkler@intel.com> Cc: linux-wireless@vger.kernel.org Cc: ipw3945-devel@lists.sourceforge.net Signed-off-by: John W. Linville <linville@tuxdriver.com>
* include/linux/ssb/ssb_driver_gige.h typo fixAdrian Bunk2008-06-091-1/+1
| | | | | | | | | This patch fixes a typo in the name of a config variable. Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Adrian Bunk <bunk@kernel.org> Reviewed-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: Checking IBSS support while changing channel in ad-hoc modeAssaf Krauss2008-06-093-12/+16
| | | | | | | | | | | | This patch adds a check to the set_channel flow. When attempting to change the channel while in IBSS mode, and the new channel does not support IBSS mode, the flow return with an error value with no consequences on the mac80211 and driver state. Signed-off-by: Assaf Krauss <assaf.krauss@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: decrease IBSS creation latencyDan Williams2008-06-091-1/+1
| | | | | | | | | | Sufficient scans (at least 2 or 3) should have been done within 7 seconds to find an existing IBSS to join. This should improve IBSS creation latency; and since IBSS merging is still in effect, shouldn't have detrimental effects on eventual IBSS convergence. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* zd1211rw: Fix data padding for QoSMichael Buesch2008-06-091-1/+1
| | | | | | | | | This patch fixes a data alignment issue in the zd1211rw driver. The IEEE80211_STYPE_QOS_DATA bit should be used as a bitwise test to test for the presence of the 2 byte QoS control field. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: Fixing slow IBSS rejoinAssaf Krauss2008-06-091-0/+1
| | | | | | | | | | | | | | | | | | This patch fixes the issue of slow reconnection to an IBSS cell after disconnection from it. Now the interface's bssid is reset upon ifdown. ieee80211_sta_find_ibss: if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 && (bss = ieee80211_rx_bss_get(dev, bssid, local->hw.conf.channel->center_freq, ifsta->ssid, ifsta->ssid_len))) Note: In general disconnection is still not handled properly in mac80211 Signed-off-by: Assaf Krauss <assaf.krauss@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* libertas: fix sleep confirmationHolger Schurig2008-06-092-2/+5
| | | | | | | | | | | | | | | | | This fixes an issus that made "iwconfig eth1 power on" non-working. When we get a "PS sleep" event, we have to confirm this to the firmware. The confirm happens with a command, but this command is special: the firmware won't send us a response. if_cs_host_to_card() is setting priv->dnld_sent anyway, so this variable stayed at DNLD_DATA_SENT and was never cleared back. Now I put the special knowledge that the CMD_802_11_PS_MODE with CMD_SUBCMD_SLEEP_CONFIRMED doesn't need to need a response by directly clearing the dnld_sent state in lbs_send_confirmsleep(). Signed-off-by: Holger Schurig <hs4233@mail.mn-solutions.de> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: send association event on IBSS createDan Williams2008-06-091-0/+5
| | | | | | | Otherwise userspace has no idea the IBSS creation succeeded. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ipw2200: queue direct scansDan Williams2008-06-092-95/+87
| | | | | | | | | | | | | | | | When another scan is in progress, a direct scan gets dropped on the floor. However, that direct scan is usually the scan that's really needed by userspace, and gets stomped on by all the broadcast scans the ipw2200 driver issues internally. Make sure the direct scan happens eventually, and as a bonus ensure that the passive scan worker is cleaned up when appropriate. The change of request_passive_scan form a struct work to struct delayed_work is only to make the set_wx_scan() code a bit simpler, it's still only used with a delay of 0 to match previous behavior. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* l2tp: Fix possible oops if transmitting or receiving when tunnel goes downJames Chapman2008-06-041-23/+78
| | | | | | | | | | | | | | | | | | Some problems have been experienced in the field which cause an oops in the pppol2tp driver if L2TP tunnels fail while passing data. The pppol2tp driver uses private data that is referenced via the sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes sure that the driver uses sock_hold() when it holds a reference to the sk pointer. This affects its sendmsg(), recvmsg(), getname(), [gs]etsockopt() and ioctl() handlers. Tested by ISP where problem was seen. System has been up 10 days with no oops since running this patch. Without the patch, an oops would occur every 1-2 days. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.Octavian Purdila2008-06-042-3/+11
| | | | | | | | | | | | | | | | | skb_splice_bits temporary drops the socket lock while iterating over the socket queue in order to break a reverse locking condition which happens with sendfile. This, however, opens a window of opportunity for tcp_collapse() to aggregate skbs and thus potentially free the current skb used in skb_splice_bits and tcp_read_sock. This patch fixes the problem by (re-)getting the same "logical skb" after the lock has been temporary dropped. Based on idea and initial patch from Evgeniy Polyakov. Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* tcp: Increment OUTRSTS in tcp_send_active_reset()Sridhar Samudrala2008-06-041-0/+2
| | | | | | | | TCP "resets sent" counter is not incremented when a TCP Reset is sent via tcp_send_active_reset(). Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* raw: Raw socket leak.Denis V. Lunev2008-06-042-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | The program below just leaks the raw kernel socket int main() { int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP); struct sockaddr_in addr; memset(&addr, 0, sizeof(addr)); inet_aton("127.0.0.1", &addr.sin_addr); addr.sin_family = AF_INET; addr.sin_port = htons(2048); sendto(fd, "a", 1, MSG_MORE, &addr, sizeof(addr)); return 0; } Corked packet is allocated via sock_wmalloc which holds the owner socket, so one should uncork it and flush all pending data on close. Do this in the same way as in UDP. Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* lt2p: Fix possible WARN_ON from socket code when UDP socket is closedJames Chapman2008-06-041-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | If an L2TP daemon closes a tunnel socket while packets are queued in the tunnel's reorder queue, a kernel warning is logged because the socket is closed while skbs are still referencing it. The fix is to purge the queue in the socket's release handler. WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68() Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8 [<c0423c58>] warn_on_slowpath+0x41/0x51 [<c05d33a7>] udp_lib_unhash+0x41/0x68 [<c059424d>] sk_common_release+0x23/0x90 [<c05d16be>] udp_lib_close+0x8/0xa [<c05d8684>] inet_release+0x42/0x48 [<c0592599>] sock_release+0x14/0x60 [<c059299f>] sock_close+0x29/0x30 [<c046ef52>] __fput+0xad/0x15b [<c046f1d9>] fput+0x17/0x19 [<c046c8c4>] filp_close+0x50/0x5a [<c046da06>] sys_close+0x69/0x9f [<c04048ce>] syscall_call+0x7/0xb Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2008-06-046-15/+40
|\ | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-2.6
| * USB ID for Philips CPWUA054/00 Wireless USB Adapter 11gFelix Homann2008-06-041-0/+1
| | | | | | | | | | | | | | | | Enable the Philips CPWUA054/00 in p54usb. Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enableMichael Buesch2008-06-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | This fixes a context assertion in ssb that makes b44 print out warnings on resume. This fixes the following kernel oops: http://www.kerneloops.org/oops.php?number=12732 http://www.kerneloops.org/oops.php?number=11410 Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * libertas: fix command size for CMD_802_11_SUBSCRIBE_EVENTHolger Schurig2008-06-041-2/+2
| | | | | | | | | | | | | | The size was two small by two bytes. Signed-off-by: Holger Schurig Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * ipw2200: expire and use oldest BSS on adhoc createDan Williams2008-06-041-2/+25
| | | | | | | | | | | | | | | | | | | | | | | | If there are no networks on the free list, expire the oldest one when creating a new adhoc network. Because ipw2200 and the ieee80211 stack don't actually cull old networks and place them back on the free list unless they are needed for new probe responses, over time the free list would become empty and creating an adhoc network would fail due to the ! list_empty(...) check. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * airo warning fixAndrew Morton2008-06-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WARNING: space prohibited between function name and open parenthesis '(' #22: FILE: drivers/net/wireless/airo.c:2907: + while ((IN4500 (ai, COMMAND) & COMMAND_BUSY) && (delay < 10000)) { total: 0 errors, 1 warnings, 8 lines checked ./patches/wireless-airo-waitbusy-wont-delay.patch has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Dan Williams <dcbw@redhat.com> Cc: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * b43legacy: Fix controller restart crashMichael Buesch2008-06-041-8/+9
| | | | | | | | | | | | | | | | This fixes a kernel crash on rmmod, in the case where the controller was restarted before doing the rmmod. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | sctp: Fix ECN markings for IPv6Vlad Yasevich2008-06-044-1/+14
| | | | | | | | | | | | | | | | | | | | | | Commit e9df2e8fd8fbc95c57dbd1d33dada66c4627b44c ("[IPV6]: Use appropriate sock tclass setting for routing lookup.") also changed the way that ECN capable transports mark this capability in IPv6. As a result, SCTP was not marking ECN capablity because the traffic class was never set. This patch brings back the markings for IPv6 traffic. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | sctp: Flush the queue only once during fast retransmit.Vlad Yasevich2008-06-041-34/+48
| | | | | | | | | | | | | | | | | | | | | | | | When fast retransmit is triggered by a sack, we should flush the queue only once so that only 1 retransmit happens. Also, since we could potentially have non-fast-rtx chunks on the retransmit queue, we need make sure any chunks eligable for fast retransmit are sent first during fast retransmission. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | sctp: Start T3-RTX timer when fast retransmitting lowest TSNVlad Yasevich2008-06-043-14/+37
| | | | | | | | | | | | | | | | | | | | When we are trying to fast retransmit the lowest outstanding TSN, we need to restart the T3-RTX timer, so that subsequent timeouts will correctly tag all the packets necessary for retransmissions. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | sctp: Correctly implement Fast Recovery cwnd manipulations.Vlad Yasevich2008-06-042-13/+39
| | | | | | | | | | | | | | | | | | Correctly keep track of Fast Recovery state and do not reduce congestion window multiple times during sucht state. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | sctp: Move sctp_v4_dst_saddr out of loopGui Jianfeng2008-06-041-1/+1
| | | | | | | | | | | | | | | | | | There's no need to execute sctp_v4_dst_saddr() for each iteration, just move it out of loop. Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | sctp: retran_path update bug fixGui Jianfeng2008-06-041-9/+12
| | | | | | | | | | | | | | | | | | If the current retran_path is the only active one, it should update it to the the next inactive one. Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'net-2.6-misc-20080605a' of ↵David S. Miller2008-06-0417-97/+146
|\ \ | | | | | | | | | git://git.linux-ipv6.org/gitroot/yoshfuji/linux-2.6-fix
| * | [IPV6]: Do not change protocol for UDPv6 sockets with pending sent data.Denis V. Lunev2008-06-051-3/+8
| | | | | | | | | | | | | | | Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6]: inet_sk(sk)->cork.opt leakDenis V. Lunev2008-06-053-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | IPv6 UDP sockets wth IPv4 mapped address use udp_sendmsg to send the data actually. In this case ip_flush_pending_frames should be called instead of ip6_flush_pending_frames. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6]: Do not change protocol for raw IPv6 sockets.Denis V. Lunev2008-06-051-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | It is not allowed to change underlying protocol for int fd = socket(PF_INET6, SOCK_RAW, IPPROTO_UDP); Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6] NETNS: Handle ancillary data in appropriate namespace.YOSHIFUJI Hideaki2008-06-056-8/+10
| | | | | | | | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6]: Check outgoing interface even if source address is unspecified.YOSHIFUJI Hideaki2008-06-051-20/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The outgoing interface index (ipi6_ifindex) in IPV6_PKTINFO ancillary data, is not checked if the source address (ipi6_addr) is unspecified. If the ipi6_ifindex is the not-exist interface, it should be fail. Based on patch from Shan Wei <shanwei@cn.fujitsu.com> and Brian Haley <brian.haley@hp.com>. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: Brian Haley <brian.haley@hp.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6]: Fix the data length of get destination options with short lengthYang Hongyang2008-06-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If get destination options with length which is not enough for that option,getsockopt() will still return the real length of the option, which is larger then the buffer space. This is because ipv6_getsockopt_sticky() returns the real length of the option. This patch fix this problem. Signed-off-by: Yang Hongyang <yanghy@cn.fujitsu.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6]: Fix the return value of get destination options with NULL data pointerYang Hongyang2008-06-051-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we pass NULL data buffer to getsockopt(), it will return 0, and the option length is set to -EFAULT: getsockopt(sk, IPPROTO_IPV6, IPV6_DSTOPTS, NULL, &len); This is because ipv6_getsockopt_sticky() will return -EFAULT or -EINVAL if some error occur. This patch fix this problem. Signed-off-by: Yang Hongyang <yanghy@cn.fujitsu.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6] ADDRCONF: Allow longer lifetime on 64bit archs.YOSHIFUJI Hideaki2008-06-053-56/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Allow longer lifetimes (>= 0x7fffffff/HZ) on 64bit archs by using unsigned long. - Shadow this arithmetic overflow workaround by introducing helper functions: addrconf_timeout_fixup() and addrconf_finite_timeout(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV4] TUNNEL4: Fix incoming packet length check for inter-protocol tunnel.YOSHIFUJI Hideaki2008-06-051-1/+1
| | | | | | | | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6] TUNNEL6: Fix incoming packet length check for inter-protocol tunnel.Colin2008-06-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | I discover a strange behavior in [ipv4 in ipv6] tunnel. When IPv6 tunnel payload is less than 40(0x28), packet can be sent to network, received in physical interface, but not seen in IP tunnel interface. No counter increase in tunnel interface. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6] ADDRCONF: Check range of prefix lengthThomas Graf2008-06-051-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of now, the prefix length is not vaildated when adding or deleting addresses. The value is passed directly into the inet6_ifaddr structure and later passed on to memcmp() as length indicator which relies on the value never to exceed 128 (bits). Due to the missing check, the currently code allows for any 8 bit value to be passed on as prefix length while using the netlink interface, and any 32 bit value while using the ioctl interface. [Use unsigned int instead to generate better code - yoshfuji] Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
| * | [IPV6] UDP: Possible dst leak in udpv6_sendmsg.YOSHIFUJI Hideaki2008-06-051-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ip6_sk_dst_lookup returns held dst entry. It should be released on all paths beyond this point. Add missed release when up->pending is set. Bug report and initial patch by Denis V. Lunev <den@openvz.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Denis V. Lunev <den@openvz.org>
| * | [SCTP]: Fix NULL dereference of asoc.YOSHIFUJI Hideaki2008-06-054-5/+8
| |/ | | | | | | | | | | | | | | | | Commit 7cbca67c073263c179f605bdbbdc565ab29d801d ("[IPV6]: Support Source Address Selection API (RFC5014)") introduced NULL dereference of asoc to sctp_v6_get_saddr in net/sctp/ipv6.c. Pointed out by Johann Felix Soden <johfel@users.sourceforge.net>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* | tcp: fix skb vs fack_count out-of-sync conditionIlpo Järvinen2008-06-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bug is able to corrupt fackets_out in very rare cases. In order for this to cause corruption: 1) DSACK in the middle of previous SACK block must be generated. 2) In order to take that particular branch, part or all of the DSACKed segment must already be SACKed so that we have that in cache in the first place. 3) The new info must be top enough so that fackets_out will be updated on this iteration. ...then fack_count is updated while skb wasn't, then we walk again that particular segment thus updating fack_count twice for a single skb and finally that value is assigned to fackets_out by tcp_sacktag_one. It is safe to call tcp_sacktag_one just once for a segment (at DSACK), no need to call again for plain SACK. Potential problem of the miscount are limited to premature entry to recovery and to inflated reordering metric (which could even cancel each other out in the most the luckiest scenarios :-)). Both are quite insignificant in worst case too and there exists also code to reset them (fackets_out once sacked_out becomes zero and reordering metric on RTO). This has been reported by a number of people, because it occurred quite rarely, it has been very evasive. Andy Furniss was able to get it to occur couple of times so that a bit more info was collected about the problem using a debug patch, though it still required lot of checking around. Thanks also to others who have tried to help here. This is listed as Bugzilla #10346. The bug was introduced by me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing & sack_recv_cache use), I probably thought back then that there's need to scan that entry twice or didn't dare to make it go through it just once there. Going through twice would have required restoring fack_count after the walk but as noted above, I chose to drop the additional walk step altogether here. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>