Commit Graph

26790 Commits

Author SHA1 Message Date
Herbert Xu
134af34632 [DCCP]: Fix sock_orphan dead lock
Calling sock_orphan inside bh_lock_sock in dccp_close can lead to dead
locks.  For example, the inet_diag code holds sk_callback_lock without
disabling BH.  If an inbound packet arrives during that admittedly tiny
window, it will cause a dead lock on bh_lock_sock.  Another possible
path would be through sock_wfree if the network device driver frees the
tx skb in process context with BH enabled.

We can fix this by moving sock_orphan out of bh_lock_sock.

The tricky bit is to work out when we need to destroy the socket
ourselves and when it has already been destroyed by someone else.

By moving sock_orphan before the release_sock we can solve this
problem.  This is because as long as we own the socket lock its
state cannot change.

So we simply record the socket state before the release_sock
and then check the state again after we regain the socket lock.
If the socket state has transitioned to DCCP_CLOSED in the time being,
we know that the socket has been destroyed.  Otherwise the socket is
still ours to keep.

This problem was discoverd by Ingo Molnar using his lock validator.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:09:13 -07:00
Stephen Hemminger
1c29fc4989 [BRIDGE]: keep track of received multicast packets
It makes sense to add this simple statistic to keep track of received
multicast packets.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:07:13 -07:00
Sridhar Samudrala
35d63edb1c [SCTP]: Fix state table entries for chunks received in CLOSED state.
Discard an unexpected chunk in CLOSED state rather can calling BUG().

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:05:23 -07:00
Sridhar Samudrala
62b08083ec [SCTP]: Fix panic's when receiving fragmented SCTP control chunks.
Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
are received as skb's with fragment list.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:04:43 -07:00
Vladislav Yasevich
672e7cca17 [SCTP]: Prevent possible infinite recursion with multiple bundled DATA.
There is a rare situation that causes lksctp to go into infinite recursion
and crash the system.  The trigger is a packet that contains at least the
first two DATA fragments of a message bundled together. The recursion is
triggered when the user data buffer is smaller that the full data message.
The problem is that we clone the skb for every fragment in the message.
When reassembling the full message, we try to link skbs from the "first
fragment" clone using the frag_list. However, since the frag_list is shared
between two clones in this rare situation, we end up setting the frag_list
pointer of the second fragment to point to itself.  This causes
sctp_skb_pull() to potentially recurse indefinitely.

Proposed solution is to make a copy of the skb when attempting to link
things using frag_list.

Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:03:49 -07:00
Neil Horman
7c3ceb4fb9 [SCTP]: Allow spillover of receive buffer to avoid deadlock.
This patch fixes a deadlock situation in the receive path by allowing
temporary spillover of the receive buffer.

- If the chunk we receive has a tsn that immediately follows the ctsn,
  accept it even if we run out of receive buffer space and renege data with
  higher TSNs.
- Once we accept one chunk in a packet, accept all the remaining chunks
  even if we run out of receive buffer space.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Mark Butler <butlerm@middle.net>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-05 17:02:09 -07:00
Linus Torvalds
91ef5d2d6e Merge master.kernel.org:/home/rmk/linux-2.6-mmc
* master.kernel.org:/home/rmk/linux-2.6-mmc:
  [BLOCK] Fix oops on removal of SD/MMC card
2006-05-05 14:53:48 -07:00
Dmitry Bazhenov
422138dd68 [JFFS2] Fix race in setting file attributes
It seems like there is a potential race in the function jffs2_do_setattr()
in the case when attributes of a symlink are updated. The symlink metadata
is read without having f->sem locked.

The following patch should fix the race.

Signed-off-by: Dmitry Bazhenov <atrey@emcraft.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2006-05-05 22:46:49 +01:00
Nicolas Pitre
568cb09b9d [ARM] 3495/1: EABI: undefine removed syscalls, but...
Patch from Nicolas Pitre

... but only for user space.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-05 22:35:05 +01:00
Nicolas Pitre
99532559dc [ARM] 3500/1: fix PXA27x DMA allocation priority
Patch from Nicolas Pitre

Intel PXA27x developers manual section 5.4.1.1 lists a priority
distribution for the DMA channels differently than what the code
currently assumes.  This patch fixes that.

Noticed by Simon Vogl <vogl@soft.uni-linz.ac.at>

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-05 22:32:24 +01:00
George G. Davis
b7d7ef87e1 [ARM] 3499/1: Fix VFP FPSCR corruption for double exception case
Patch from George G. Davis

The ARM VFP FPSCR register is corrupted when a condition flags modifying
VFP instruction is followed by a non-condition flags modifying VFP
instruction and both instructions raise exceptions.  The fix is to
read the current FPSCR in between emulation of these two instructions
and use the current FPSCR value when handling the second exception.

Signed-off-by: George G. Davis <gdavis@mvista.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-05 22:32:23 +01:00
David Woodhouse
178e0cc5ff [PATCH] bcm43xx: Fix access to non-existent PHY registers
Fix the conditions under which we poke at the APHY registers in
bcm43xx_phy_initg() to avoid a machine check on chips where they don't
exist.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:23 -04:00
Michael Buesch
869aaab181 [PATCH] bcm43xx: Fix array overrun in bcm43xx_geo_init
The problem here is that the bcm34xx driver and the ieee80211
stack do not agree on what channels are possible for 802.11a.
The ieee80211 stack only wants channels between 34 and 165, while
the bcm43xx driver accepts anything from 0 to 200. I made the
bcm43xx driver comply with the ieee80211 stack expectations, by
using the proper constants.

Signed-off-by: Jean Delvare <jdelvare@suse.de>

[mb]: Reduce stack usage by kzalloc-ing ieee80211_geo

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:23 -04:00
Stefano Brivio
f9f7b9602e [PATCH] bcm43xx: check for valid MAC address in SPROM
Check for valid MAC address in SPROM fields instead of relying on
PHY type while setting the MAC address in the networking subsystem,
as some devices have multiple PHYs.

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:23 -04:00
Jean Delvare
f21709d70a [PATCH] ieee80211: Fix A band channel count (resent)
The channel count for 802.11a is still not right. We better
compute it from the min and max channel numbers, rather than
hardcoding it.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:23 -04:00
Michael Buesch
5b4b9775a0 [PATCH] bcm43xx: fix iwmode crash when down
This fixes a crash when

	iwconfig ethX mode foo

is done before

	ifconfig ethX up

or after

	ifconfig ethX down

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:23 -04:00
Daniel Drake
d57336e3f2 [PATCH] softmac: make non-operational after being stopped
zd1211 with softmac and wpa_supplicant revealed an issue with softmac
and the use of workqueues. Some of the work functions actually
reschedule themselves, so this meant that there could still be
pending work after flush_scheduled_work() had been called during
ieee80211softmac_stop().

This patch introduces a "running" flag which is used to ensure that
rescheduling does not happen in this situation.

I also used this flag to ensure that softmac's hooks into ieee80211 are
non-operational once the stop operation has been started. This simply
makes softmac a little more robust, because I could crash it easily
by receiving frames in the short timeframe after shutting down softmac
and before turning off the ZD1211 radio. (ZD1211 is now fixed as well!)

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:22 -04:00
Daniel Drake
995c99268e [PATCH] softmac: don't reassociate if user asked for deauthentication
When wpa_supplicant exits, it uses SIOCSIWMLME to request
deauthentication.  softmac then tries to reassociate without any user
intervention, which isn't the desired behaviour of this signal.

This change makes softmac only attempt reassociation if the remote
network itself deauthenticated us.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-05-05 16:55:22 -04:00
Jon Mason
913ed41eb5 [IA64] remove asm-ia64/bitops.h self-inclusion
asm-ia64/bitops.h includes itself.  The #ifndef _ASM_IA64_BITOPS_H
prevents this from being an issue, but it should still be removed.

Signed-off-by: Jon Mason <jdmason@us.ibm.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2006-05-05 11:37:15 -07:00
Chen, Kenneth W
3e6e155646 [IA64] strcpy returns NULL pointer and not destination pointer
Bob Picco noted that 6edfba1b33
dropped the -ffreestanding compiler flag from the top level
Makefile, which allows the compiler to substitute memcpy() in
places where strcpy() is used with a known size source string.
But the ia64 memcpy() returns 0 for success, and "bytes copied"
for failure.

Fix to return the address of the destination string (like
stdlibc version, and other architectures).  There are no
places where ia64 specific code makes use of the non-standard
return value.

Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2006-05-05 11:34:55 -07:00
Russell King
56cf6504fc [BLOCK] Fix oops on removal of SD/MMC card
The block layer keeps a reference (driverfs_dev) to the struct
device associated with the block device, and uses it internally
for generating uevents in block_uevent.

Block device uevents include umounting the partition, which can
occur after the backing device has been removed.

Unfortunately, this reference is not counted.  This means that
if the struct device is removed from the device tree, the block
layers reference will become stale.

Guard against this by holding a reference to the struct device
in add_disk(), and only drop the reference when we're releasing
the gendisk kobject - in other words when we can be sure that no
further uevents will be generated for this block device.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Jens Axboe <axboe@suse.de>
2006-05-05 17:57:52 +01:00
Uwe Zeisberger
2eb9d31571 [ARM] 3496/1: more constants for asm-offsets.h
Patch from Uwe Zeisberger

added the following constants:
- MACHINFO_TYPE
- MACHINFO_NAME
- MACHINFO_PHYSIO
- MACHINFO_PGOFFIO
- PROCINFO_INITFUNC
- PROCINFO_MMUFLAGS

and removed their definition from head.S and head-nommu.S

Signed-off-by: Uwe Zeisberger <Uwe_Zeisberger@digi.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-05 15:11:14 +01:00
Nicolas Pitre
ff10952a54 [ARM] 3494/1: asm-arm/bug.h needs linux/stddef.h
Patch from Nicolas Pitre

... for the definition of NULL.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-05 15:11:14 +01:00
Linus Torvalds
d98550e334 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  [PATCH] powerpc: Use the ibm,pa-features property if available
  powerpc: Fix incorrect might_sleep in __get_user/__put_user on kernel addresses
  [PATCH] ppc32 CPM_UART: fixes and improvements
  [PATCH] ppc32 CPM_UART: Fixed break send on SCC
  [PATCH] powerpc/kprobes: fix singlestep out-of-line
  [PATCH] powerpc/pseries: avoid crash in PCI code if mem system not up
2006-05-04 15:09:52 -07:00
Linus Torvalds
f9cc8475e7 Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] 3490/1: i.MX: move uart resources to board files
  [ARM] 3488/1: make icedcc_putc do the right thing
  [ARM] 3487/1: IXP4xx: Support non-PCI systems
  [ARM] 3486/1: Mark memory as clobbered by the ARM _syscallX() macros
2006-05-04 14:52:43 -07:00
Linus Torvalds
6fc56ccfe4 Merge master.kernel.org:/home/rmk/linux-2.6-mmc
* master.kernel.org:/home/rmk/linux-2.6-mmc:
  [MMC] Move set_ios debugging into mmc.c
  [MMC] Correct mmc_request_done comments
  [MMC] PXA: reduce the number of lines PXAMCI debug uses
  [MMC] PXA and i.MX: don't avoid sending stop command on error
  [MMC] extend data timeout for writes
  [ARM] 3485/1: i.MX: MX1 SD/MMC fix of unintentional double start possibility
2006-05-04 14:52:27 -07:00
Linus Torvalds
cbdf811c77 Merge branch 'splice' of git://brick.kernel.dk/data/git/linux-2.6-block
* 'splice' of git://brick.kernel.dk/data/git/linux-2.6-block:
  [PATCH] compat_sys_vmsplice: one-off in UIO_MAXIOV check
  [PATCH] splice: redo page lookup if add_to_page_cache() returns -EEXIST
  [PATCH] splice: rename remaining info variables to pipe
  [PATCH] splice: LRU fixups
  [PATCH] splice: fix unlocking of page on error ->prepare_write()
2006-05-04 13:25:40 -04:00
Linus Torvalds
936ef1d48a Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [DECNET]: Fix level1 router hello
  [TCP]: Fix sock_orphan dead lock
  [ROSE]: Eleminate HZ from ROSE kernel interfaces
  [NETROM]: Eleminate HZ from NET/ROM kernel interfaces
  [AX.25]: Eleminate HZ from AX.25 kernel interfaces
  [ROSE]: Fix routing table locking in rose_remove_neigh.
  [AX.25]: Move AX.25 symbol exports
  [HAMRADIO]: Remove remaining SET_MODULE_OWNER calls from hamradio drivers.
  [AX25, ROSE]: Remove useless SET_MODULE_OWNER calls.
  [AX.25]: Spelling fix
  [ROSE]: Remove useless prototype for rose_remove_neigh().
  [NETFILTER]: x_tables: don't use __copy_{from,to}_user on unchecked memory in compat layer
  [NETFILTER]: H.323 helper: Change author's email address
  [NETFILTER]: NAT: silence unused variable warnings with CONFIG_XFRM=n
  [NETFILTER]: H.323 helper: fix use of uninitialized data
  [NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
2006-05-04 13:25:19 -04:00
Linus Torvalds
0de2a93e80 Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC]: Hook up vmsplice into syscall tables.
2006-05-04 13:25:05 -04:00
Linus Torvalds
fed3be9bd5 CREDITS file update (Tristan Greaves)
By request from Tristan.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-04 13:23:40 -04:00
Russell King
920e70c5c6 [MMC] Move set_ios debugging into mmc.c
Rather than having every driver duplicate the set_ios debugging,
provide a single version in mmc.c which can be expanded as we
add additional functionality.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-04 18:22:51 +01:00
Sascha Hauer
5b80234435 [ARM] 3490/1: i.MX: move uart resources to board files
Patch from Sascha Hauer

This patch moves the i.MX uart resources and the gpio pin setup to the
board files. This allows the boards to decide how many internal uarts
are connected to the outside world and whether they use rts/cts or
not.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-04 14:07:42 +01:00
Russell King
fe10c6abea [MMC] Correct mmc_request_done comments
mmc_request_done should be called at the end of handling a request, not
between the data and initial command parts of the request.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-05-04 13:51:45 +01:00
Jens Axboe
98232d504d [PATCH] compat_sys_vmsplice: one-off in UIO_MAXIOV check
nr_segs may not be > UIO_MAXIOV, however it may be equal to. This makes
the behaviour identical to the real sys_vmsplice(). The other foov
syscalls also agree that this is the way to go.

Signed-off-by: Jens Axboe <axboe@suse.de>
2006-05-04 09:13:49 +02:00
Patrick Caulfield
d1a6498388 [DECNET]: Fix level1 router hello
This patch fixes hello messages sent when a node is a level 1
router. Slightly contrary to the spec (maybe) VMS ignores hello
messages that do not name level2 routers that it also knows about.

So, here we simply name all the routers that the node knows about
rather just other level1 routers.  (I hope the patch is clearer than
the description. sorry).

Signed-off-by: Patrick Caulfield <patrick@tykepenguin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:36:23 -07:00
Herbert Xu
75c2d9077c [TCP]: Fix sock_orphan dead lock
Calling sock_orphan inside bh_lock_sock in tcp_close can lead to dead
locks.  For example, the inet_diag code holds sk_callback_lock without
disabling BH.  If an inbound packet arrives during that admittedly tiny
window, it will cause a dead lock on bh_lock_sock.  Another possible
path would be through sock_wfree if the network device driver frees the
tx skb in process context with BH enabled.

We can fix this by moving sock_orphan out of bh_lock_sock.

The tricky bit is to work out when we need to destroy the socket
ourselves and when it has already been destroyed by someone else.

By moving sock_orphan before the release_sock we can solve this
problem.  This is because as long as we own the socket lock its
state cannot change.

So we simply record the socket state before the release_sock
and then check the state again after we regain the socket lock.
If the socket state has transitioned to TCP_CLOSE in the time being,
we know that the socket has been destroyed.  Otherwise the socket is
still ours to keep.

Note that I've also moved the increment on the orphan count forward.
This may look like a problem as we're increasing it even if the socket
is just about to be destroyed where it'll be decreased again.  However,
this simply enlarges a window that already exists.  This also changes
the orphan count test by one.

Considering what the orphan count is meant to do this is no big deal.

This problem was discoverd by Ingo Molnar using his lock validator.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:31:35 -07:00
Ralf Baechle
82e84249f0 [ROSE]: Eleminate HZ from ROSE kernel interfaces
Convert all ROSE sysctl time values from jiffies to ms as units.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:28:20 -07:00
Ralf Baechle
4d8937d0b1 [NETROM]: Eleminate HZ from NET/ROM kernel interfaces
Convert all NET/ROM sysctl time values from jiffies to ms as units.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:27:47 -07:00
Ralf Baechle
e1fdb5b396 [AX.25]: Eleminate HZ from AX.25 kernel interfaces
Convert all AX.25 sysctl time values from jiffies to ms as units.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:27:16 -07:00
Ralf Baechle
4cc7c2734e [ROSE]: Fix routing table locking in rose_remove_neigh.
The locking rule for rose_remove_neigh() are that the caller needs to
hold rose_neigh_list_lock, so we better don't take it yet again in
rose_neigh_list_lock.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:26:20 -07:00
Ralf Baechle
70868eace5 [AX.25]: Move AX.25 symbol exports
Move AX.25 symbol exports to next to their definitions where they're
supposed to be these days.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:25:17 -07:00
Ralf Baechle DL5RB
3ab33dcc82 [HAMRADIO]: Remove remaining SET_MODULE_OWNER calls from hamradio drivers.
Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:24:35 -07:00
Ralf Baechle
86cfcb95ec [AX25, ROSE]: Remove useless SET_MODULE_OWNER calls.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:23:48 -07:00
Ralf Baechle
3f072310d0 [AX.25]: Spelling fix
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:22:36 -07:00
Ralf Baechle
0cc5ae24af [ROSE]: Remove useless prototype for rose_remove_neigh().
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:22:01 -07:00
Patrick McHardy
7800007c1e [NETFILTER]: x_tables: don't use __copy_{from,to}_user on unchecked memory in compat layer
Noticed by Linus Torvalds <torvalds@osdl.org>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:20:27 -07:00
Jing Min Zhao
7582e9d17e [NETFILTER]: H.323 helper: Change author's email address
Signed-off-by: Jing Min Zhao <zhaojingmin@users.sourceforge.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:19:59 -07:00
Patrick McHardy
2354feaeb2 [NETFILTER]: NAT: silence unused variable warnings with CONFIG_XFRM=n
net/ipv4/netfilter/ip_nat_standalone.c: In function 'ip_nat_out':
net/ipv4/netfilter/ip_nat_standalone.c:223: warning: unused variable 'ctinfo'
net/ipv4/netfilter/ip_nat_standalone.c:222: warning: unused variable 'ct'

Surprisingly no complaints so far ..

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:19:26 -07:00
Patrick McHardy
4228e2a989 [NETFILTER]: H.323 helper: fix use of uninitialized data
When a Choice element contains an unsupported choice no error is returned
and parsing continues normally, but the choice value is not set and
contains data from the last parsed message. This may in turn lead to
parsing of more stale data and following crashes.

Fixes a crash triggered by testcase 0003243 from the PROTOS c07-h2250v4
testsuite following random other testcases:

CPU:    0
EIP:    0060:[<c01a9554>]    Not tainted VLI
EFLAGS: 00210646   (2.6.17-rc2 #3)
EIP is at memmove+0x19/0x22
eax: d7be0307   ebx: d7be0307   ecx: e841fcf9   edx: d7be0307
esi: bfffffff   edi: bfffffff   ebp: da5eb980   esp: c0347e2c
ds: 007b   es: 007b   ss: 0068
Process events/0 (pid: 4, threadinfo=c0347000 task=dff86a90)
Stack: <0>00000006 c0347ea6 d7be0301 e09a6b2c 00000006 da5eb980 d7be003e d7be0052
       c0347f6c e09a6d9c 00000006 c0347ea6 00000006 00000000 d7b9a548 00000000
       c0347f6c d7b9a548 00000004 e0a1a119 0000028f 00000006 c0347ea6 00000006
Call Trace:
 [<e09a6b2c>] mangle_contents+0x40/0xd8 [ip_nat]
 [<e09a6d9c>] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat]
 [<e0a1a119>] set_addr+0x60/0x14d [ip_nat_h323]
 [<e0ab6e66>] q931_help+0x2da/0x71a [ip_conntrack_h323]
 [<e0ab6e98>] q931_help+0x30c/0x71a [ip_conntrack_h323]
 [<e09af242>] ip_conntrack_help+0x22/0x2f [ip_conntrack]
 [<c022934a>] nf_iterate+0x2e/0x5f
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c02294ce>] nf_hook_slow+0x42/0xb0
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c025d732>] xfrm4_output+0x3c/0x4e
 [<c025d357>] xfrm4_output_finish+0x0/0x39f
 [<c0230370>] ip_forward+0x1c2/0x1fa
 [<c022f417>] ip_rcv+0x388/0x3b5
 [<c02188f9>] netif_receive_skb+0x2bc/0x2ec
 [<c0218994>] process_backlog+0x6b/0xd0
 [<c021675a>] net_rx_action+0x4b/0xb7
 [<c0115606>] __do_softirq+0x35/0x7d
 [<c0104294>] do_softirq+0x38/0x3f

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:17:11 -07:00
Patrick McHardy
6fd737031e [NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
When the TPKT len included in the packet is below the lowest valid value
of 4 an underflow occurs which results in an endless loop.

Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-03 23:16:29 -07:00