From 0d27b42739ee432a66104793e51a23807b372928 Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Sat, 11 Mar 2006 18:50:14 -0800 Subject: [IPV6]: fix ipv6_saddr_score struct element The scope element in the ipv6_saddr_score struct used in ipv6_dev_get_saddr() is an unsigned integer, but __ipv6_addr_src_scope() returns a signed integer (and can return -1). Signed-off-by: Brian Haley Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/addrconf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index b7d8822..19727d9 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -822,7 +822,7 @@ struct ipv6_saddr_score { int addr_type; unsigned int attrs; int matchlen; - unsigned int scope; + int scope; unsigned int rule; }; -- cgit v1.1 From c12743764129e40dc8461afc1096cf175c7c25f2 Mon Sep 17 00:00:00 2001 From: Gregor Maier Date: Sat, 11 Mar 2006 18:51:25 -0800 Subject: [NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOG Signed-off-by: Gregor Maier Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/bridge/netfilter/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile index 8bf6d9f..905087e 100644 --- a/net/bridge/netfilter/Makefile +++ b/net/bridge/netfilter/Makefile @@ -29,4 +29,4 @@ obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o # watchers obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o -obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_ulog.o +obj-$(CONFIG_BRIDGE_EBT_ULOG) += ebt_ulog.o -- cgit v1.1 From ba244fe9005323452428fee4b4b7d0c70a06b627 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sat, 11 Mar 2006 18:51:49 -0800 Subject: [TCP]: Fix tcp_tso_should_defer() when limit>=65536 That's >= a full sized TSO frame, so we should always return 0 in that case. Based upon a report and initial patch from Lachlan Andrew, final patch suggested by Herbert Xu. Signed-off-by: David S. Miller --- net/ipv4/tcp_output.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'net') diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index a7623ea..9f498a6 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1036,6 +1036,10 @@ static int tcp_tso_should_defer(struct sock *sk, struct tcp_sock *tp, struct sk_ limit = min(send_win, cong_win); + /* If a full-sized TSO skb can be sent, do it. */ + if (limit >= 65536) + return 0; + if (sysctl_tcp_tso_win_divisor) { u32 chunk = min(tp->snd_wnd, tp->snd_cwnd * tp->mss_cache); -- cgit v1.1 From 406dbfc9ae0e6b7eb4da4a52c0a6556a0d7e6a2f Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:32:47 -0800 Subject: [NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereference Fix NULL-ptr dereference when a config message for a non-existant queue containing only an NFQA_CFG_PARAMS attribute is received. Coverity #433 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/nfnetlink_queue.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index cac38b2..2cf5fb8 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -928,8 +928,12 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, if (nfqa[NFQA_CFG_PARAMS-1]) { struct nfqnl_msg_config_params *params; - params = NFA_DATA(nfqa[NFQA_CFG_PARAMS-1]); + if (!queue) { + ret = -ENOENT; + goto out_put; + } + params = NFA_DATA(nfqa[NFQA_CFG_PARAMS-1]); nfqnl_set_mode(queue, params->copy_mode, ntohl(params->copy_range)); } -- cgit v1.1 From f6e57464df7ba0e91a23b0854adb56852dcd58a7 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:33:22 -0800 Subject: [NET_SCHED]: act_api: fix skb leak in error path The skb is allocated by the function, so it needs to be freed instead of trimmed on overrun. Coverity #614 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/sched/act_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 792ce59..2ffa11c 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -707,7 +707,7 @@ static int tcf_add_notify(struct tc_action *a, u32 pid, u32 seq, int event, rtattr_failure: nlmsg_failure: - skb_trim(skb, b - skb->data); + kfree_skb(skb); return -1; } -- cgit v1.1 From f8dc01f543f28253abeef649987249210d8db3cc Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:33:49 -0800 Subject: [XFRM]: Fix leak in ah6_input tmp_hdr is not freed when ipv6_clear_mutable_options fails. Coverity #650 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv6/ah6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index c7932cb..8496374 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -279,7 +279,7 @@ static int ah6_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc goto out; memcpy(tmp_hdr, skb->nh.raw, hdr_len); if (ipv6_clear_mutable_options(skb->nh.ipv6h, hdr_len)) - goto out; + goto free_out; skb->nh.ipv6h->priority = 0; skb->nh.ipv6h->flow_lbl[0] = 0; skb->nh.ipv6h->flow_lbl[1] = 0; -- cgit v1.1 From cc9a06cd8d6fbb69b4d3c46760c132cfe312fb85 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:34:27 -0800 Subject: [NETLINK]: Fix use-after-free in netlink_recvmsg The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines. Coverity #948 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netlink/af_netlink.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 6b9772d..59dc7d1 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1194,6 +1194,9 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, msg->msg_namelen = sizeof(*addr); } + if (nlk->flags & NETLINK_RECV_PKTINFO) + netlink_cmsg_recv_pktinfo(msg, skb); + if (NULL == siocb->scm) { memset(&scm, 0, sizeof(scm)); siocb->scm = &scm; @@ -1205,8 +1208,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, netlink_dump(sk); scm_recv(sock, msg, siocb->scm, flags); - if (nlk->flags & NETLINK_RECV_PKTINFO) - netlink_cmsg_recv_pktinfo(msg, skb); out: netlink_rcv_wake(sk); -- cgit v1.1 From 4a1ff6e2bde56cdf176bd54d557b2e15e819f810 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:34:53 -0800 Subject: [TCP]: tcp_highspeed: fix AIMD table out-of-bounds access Covertiy #547 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/tcp_highspeed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv4/tcp_highspeed.c b/net/ipv4/tcp_highspeed.c index 63cf7e5..e0e9d13 100644 --- a/net/ipv4/tcp_highspeed.c +++ b/net/ipv4/tcp_highspeed.c @@ -125,7 +125,7 @@ static void hstcp_cong_avoid(struct sock *sk, u32 adk, u32 rtt, /* Update AIMD parameters */ if (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd) { while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd && - ca->ai < HSTCP_AIMD_MAX) + ca->ai < HSTCP_AIMD_MAX - 1) ca->ai++; } else if (tp->snd_cwnd < hstcp_aimd_vals[ca->ai].cwnd) { while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd && -- cgit v1.1 From baa829d8926f02ab04be6ec37780810d221c5b4b Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:35:12 -0800 Subject: [IPV4/6]: Fix UFO error propagation When ufo_append_data fails err is uninitialized, but returned back. Strangely gcc doesn't notice it. Coverity #901 and #902 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/ip_output.c | 7 ++++--- net/ipv6/ip6_output.c | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'net') diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 57d290d..8ee4d01 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -847,10 +847,11 @@ int ip_append_data(struct sock *sk, if (((length > mtu) && (sk->sk_protocol == IPPROTO_UDP)) && (rt->u.dst.dev->features & NETIF_F_UFO)) { - if(ip_ufo_append_data(sk, getfrag, from, length, hh_len, - fragheaderlen, transhdrlen, mtu, flags)) + err = ip_ufo_append_data(sk, getfrag, from, length, hh_len, + fragheaderlen, transhdrlen, mtu, + flags); + if (err) goto error; - return 0; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index f999edd..5bf70b1 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -944,10 +944,11 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (((length > mtu) && (sk->sk_protocol == IPPROTO_UDP)) && (rt->u.dst.dev->features & NETIF_F_UFO)) { - if(ip6_ufo_append_data(sk, getfrag, from, length, hh_len, - fragheaderlen, transhdrlen, mtu, flags)) + err = ip6_ufo_append_data(sk, getfrag, from, length, hh_len, + fragheaderlen, transhdrlen, mtu, + flags); + if (err) goto error; - return 0; } -- cgit v1.1 From 31fe4d331729e9687db84521c3ceb8e43390efcf Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sun, 12 Mar 2006 20:40:43 -0800 Subject: [NETFILTER]: arp_tables: fix NULL pointer dereference The check is wrong and lets NULL-ptrs slip through since !IS_ERR(NULL) is true. Coverity #190 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/arp_tables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index dd1048b..7d7ab94 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -771,7 +771,7 @@ static int get_entries(const struct arpt_get_entries *entries, struct arpt_table *t; t = xt_find_table_lock(NF_ARP, entries->name); - if (t || !IS_ERR(t)) { + if (t && !IS_ERR(t)) { struct xt_table_info *private = t->private; duprintf("t->private->number = %u\n", private->number); -- cgit v1.1 From 3759fa9c55923f719ae944a3f8fbb029b36f759d Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 13 Mar 2006 14:26:12 -0800 Subject: [TCP]: Fix zero port problem in IPv6 When we link a socket into the hash table, we need to make sure that we set the num/port fields so that it shows us with a non-zero port value in proc/netlink and on the wire. This code and comment is copied over from the IPv4 stack as is. Signed-off-by: Herbert Xu --- net/ipv6/inet6_hashtables.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c index 4154f3a..bb8ffb8 100644 --- a/net/ipv6/inet6_hashtables.c +++ b/net/ipv6/inet6_hashtables.c @@ -87,7 +87,7 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row, struct inet_timewait_sock **twp) { struct inet_hashinfo *hinfo = death_row->hashinfo; - const struct inet_sock *inet = inet_sk(sk); + struct inet_sock *inet = inet_sk(sk); const struct ipv6_pinfo *np = inet6_sk(sk); const struct in6_addr *daddr = &np->rcv_saddr; const struct in6_addr *saddr = &np->daddr; @@ -129,6 +129,10 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row, } unique: + /* Must record num and sport now. Otherwise we will see + * in hash table socket with a funny identity. */ + inet->num = lport; + inet->sport = htons(lport); BUG_TRAP(sk_unhashed(sk)); __sk_add_node(sk, &head->chain); sk->sk_hash = hash; -- cgit v1.1 From 712917d1c002f820b177683f4fd491289bde3c32 Mon Sep 17 00:00:00 2001 From: Adrian Bunk Date: Mon, 13 Mar 2006 21:20:47 -0800 Subject: [PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.c The Coverity checker spotted this possible NULL pointer dereference in rpc_new_client(). Signed-off-by: Adrian Bunk Signed-off-by: Trond Myklebust Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- net/sunrpc/clnt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c index d2f0550..d784797 100644 --- a/net/sunrpc/clnt.c +++ b/net/sunrpc/clnt.c @@ -113,7 +113,7 @@ rpc_new_client(struct rpc_xprt *xprt, char *servname, err = -EINVAL; if (!xprt) - goto out_err; + goto out_no_xprt; if (vers >= program->nrvers || !(version = program->version[vers])) goto out_err; @@ -182,6 +182,7 @@ out_no_path: kfree(clnt); out_err: xprt_destroy(xprt); +out_no_xprt: return ERR_PTR(err); } -- cgit v1.1 From e6d83d55698b73b4d5d55d3d7715a4c26030d577 Mon Sep 17 00:00:00 2001 From: Trond Myklebust Date: Mon, 13 Mar 2006 21:20:48 -0800 Subject: [PATCH] SUNRPC: Fix potential deadlock in RPC code In rpc_wake_up() and rpc_wake_up_status(), it is possible for the call to __rpc_wake_up_task() to fail if another thread happens to be calling rpc_wake_up_task() on the same rpc_task. Problem noticed by Bruno Faccini. Signed-off-by: Trond Myklebust Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- net/sunrpc/sched.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'net') diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c index 802d4fe..e838d04 100644 --- a/net/sunrpc/sched.c +++ b/net/sunrpc/sched.c @@ -515,16 +515,14 @@ struct rpc_task * rpc_wake_up_next(struct rpc_wait_queue *queue) */ void rpc_wake_up(struct rpc_wait_queue *queue) { - struct rpc_task *task; - + struct rpc_task *task, *next; struct list_head *head; + spin_lock_bh(&queue->lock); head = &queue->tasks[queue->maxpriority]; for (;;) { - while (!list_empty(head)) { - task = list_entry(head->next, struct rpc_task, u.tk_wait.list); + list_for_each_entry_safe(task, next, head, u.tk_wait.list) __rpc_wake_up_task(task); - } if (head == &queue->tasks[0]) break; head--; @@ -541,14 +539,13 @@ void rpc_wake_up(struct rpc_wait_queue *queue) */ void rpc_wake_up_status(struct rpc_wait_queue *queue, int status) { + struct rpc_task *task, *next; struct list_head *head; - struct rpc_task *task; spin_lock_bh(&queue->lock); head = &queue->tasks[queue->maxpriority]; for (;;) { - while (!list_empty(head)) { - task = list_entry(head->next, struct rpc_task, u.tk_wait.list); + list_for_each_entry_safe(task, next, head, u.tk_wait.list) { task->tk_status = status; __rpc_wake_up_task(task); } -- cgit v1.1 From 0df7861240b3484dea52d1f5782c69fd95b6cf23 Mon Sep 17 00:00:00 2001 From: Zhu Yi Date: Tue, 28 Feb 2006 15:10:36 +0800 Subject: [PATCH] ieee80211: Fix CCMP decryption problem when QoS is enabled Use the correct STYPE for Qos data. Signed-off-by: Zhu Yi Signed-off-by: John W. Linville --- net/ieee80211/ieee80211_crypt_ccmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ieee80211/ieee80211_crypt_ccmp.c b/net/ieee80211/ieee80211_crypt_ccmp.c index 4702217..3840d19 100644 --- a/net/ieee80211/ieee80211_crypt_ccmp.c +++ b/net/ieee80211/ieee80211_crypt_ccmp.c @@ -131,7 +131,7 @@ static void ccmp_init_blocks(struct crypto_tfm *tfm, a4_included = ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)); qc_included = ((WLAN_FC_GET_TYPE(fc) == IEEE80211_FTYPE_DATA) && - (WLAN_FC_GET_STYPE(fc) & 0x08)); + (WLAN_FC_GET_STYPE(fc) & IEEE80211_STYPE_QOS_DATA)); aad_len = 22; if (a4_included) aad_len += 6; -- cgit v1.1 From 72df16f109b73be37977a26d342e9103e8851cb6 Mon Sep 17 00:00:00 2001 From: Hong Liu Date: Wed, 8 Mar 2006 10:50:20 +0800 Subject: [PATCH] ieee80211: Fix QoS is not active problem Fix QoS is not active even the network and the card is QOS enabled. The problem is we pass the wrong ieee80211_network address to ipw_handle_beacon/ipw_handle_probe_response, thus the ieee80211_network->qos_data.active will not be set, causing the driver not sending QoS frames at all. Signed-off-by: Hong Liu Signed-off-by: Zhu Yi Signed-off-by: John W. Linville --- net/ieee80211/ieee80211_rx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c index b410ab8..7ac6a71 100644 --- a/net/ieee80211/ieee80211_rx.c +++ b/net/ieee80211/ieee80211_rx.c @@ -1417,10 +1417,10 @@ static void ieee80211_process_probe_response(struct ieee80211_device if (is_beacon(beacon->header.frame_ctl)) { if (ieee->handle_beacon != NULL) - ieee->handle_beacon(dev, beacon, &network); + ieee->handle_beacon(dev, beacon, target); } else { if (ieee->handle_probe_response != NULL) - ieee->handle_probe_response(dev, beacon, &network); + ieee->handle_probe_response(dev, beacon, target); } } -- cgit v1.1