Commit Graph

11358 Commits

Author SHA1 Message Date
Vlad Yasevich
ae53b5bd77 sctp: Fix another socket race during accept/peeloff
There is a race between sctp_rcv() and sctp_accept() where we
have moved the association from the listening socket to the
accepted socket, but sctp_rcv() processing cached the old
socket and continues to use it.

The easy solution is to check for the socket mismatch once we've
grabed the socket lock.  If we hit a mis-match, that means
that were are currently holding the lock on the listening socket,
but the association is refrencing a newly accepted socket.  We need
to drop the lock on the old socket and grab the lock on the new one.

A more proper solution might be to create accepted sockets when
the new association is established, similar to TCP.  That would
eliminate the race for 1-to-1 style sockets, but it would still
existing for 1-to-many sockets where a user wished to peeloff an
association.  For now, we'll live with this easy solution as
it addresses the problem.

Reported-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-22 14:53:23 -08:00
Vlad Yasevich
759af00ebe sctp: Properly timestamp outgoing data chunks for rtx purposes
Recent changes to the retransmit code exposed a long standing
bug where it was possible for a chunk to be time stamped
after the retransmit timer was reset.  This caused a rare
situation where the retrnamist timer has expired, but
nothing was marked for retrnasmission because all of
timesamps on data were less then 1 rto ago.  As result,
the timer was never restarted since nothing was retransmitted,
and this resulted in a hung association that did couldn't
complete the data transfer.  The solution is to timestamp
the chunk when it's added to the packet for transmission
purposes.  After the packet is trsnmitted the rtx timer
is restarted.  This guarantees that when the timer expires,
there will be data to retransmit.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-22 14:53:01 -08:00
Vlad Yasevich
6574df9a89 sctp: Correctly start rtx timer on new packet transmissions.
Commit 62aeaff5cc
(sctp: Start T3-RTX timer when fast retransmitting lowest TSN)
introduced a regression where it was possible to forcibly
restart the sctp retransmit timer at the transmission of any
new chunk.  This resulted in much longer timeout times and
sometimes hung sctp connections.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-22 14:52:43 -08:00
Christian Lamparter
391429c18f mac80211: fix slot time debug message
wlan0: switched to short barker preamble (BSSID=00:01:aa:bb:cc:dd)
wlan0: switched to short slot (BSSID=) <something is missing here>

should be:

wlan0: switched to short barker preamble (BSSID=00:01:aa:bb:cc:dd)
wlan0: switched to short slot (BSSID=00:01:aa:bb:cc:dd)

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-22 13:55:01 -05:00
Brian Cavagnolo
5dc306f3bd mac80211: decrement ref count to netdev after launching mesh discovery
After launching mesh discovery in tx path, reference count was not being
decremented.  This was preventing module unload.

Signed-off-by: Brian Cavagnolo <brian@cozybit.com>
Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-22 13:55:00 -05:00
Patrick McHardy
748085fcbe netfilter: ctnetlink: fix scheduling while atomic
Caused by call to request_module() while holding nf_conntrack_lock.

Reported-and-tested-by: Kövesdi György <kgy@teledigit.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-21 12:19:49 -08:00
Herbert Xu
37fe4732b9 gro: Fix merging of paged packets
The previous fix to paged packets broke the merging because it
reset the skb->len before we added it to the merged packet.  This
wasn't detected because it simply resulted in the truncation of
the packet while the missing bit is subsequently retransmitted.

The fix is to store skb->len before we clobber it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-20 14:44:03 -08:00
Herbert Xu
9a8e47ffd9 gro: Fix error handling on extremely short frags
When a frag is shorter than an Ethernet header, we'd return a
zeroed packet instead of aborting.  This patch fixes that.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-20 14:44:02 -08:00
Herbert Xu
ebad18e93f gro: Fix handling of complete checksums in IPv6
We need to perform skb_postpull_rcsum after pulling the IPv6
header in order to maintain the correctness of the complete
checksum.

This patch also adds a missing iph reload after pulling.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-20 14:44:01 -08:00
Jiri Slaby
357f5b0b91 NET: net_namespace, fix lock imbalance
register_pernet_gen_subsys omits mutex_unlock in one fail path.
Fix it.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-20 14:39:31 -08:00
David S. Miller
518aa1b544 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-01-20 14:37:10 -08:00
David S. Miller
66f9a2590a Revert "xfrm: For 32/64 compatability wrt. xfrm_usersa_info"
This reverts commit fc8c7dc1b2.

As indicated by Jiri Klimes, this won't work.  These numbers are
not only used the size validation, they are also used to locate
attributes sitting after the message.

Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-20 09:49:51 -08:00
Jarek Poplawski
8b9d372897 net: Fix data corruption when splicing from sockets.
The trick in socket splicing where we try to convert the skb->data
into a page based reference using virt_to_page() does not work so
well.

The idea is to pass the virt_to_page() reference via the pipe
buffer, and refcount the buffer using a SKB reference.

But if we are splicing from a socket to a socket (via sendpage)
this doesn't work.

The from side processing will grab the page (and SKB) references.
The sendpage() calls will grab page references only, return, and
then the from side processing completes and drops the SKB ref.

The page based reference to skb->data is not enough to keep the
kmalloc() buffer backing it from being reused.  Yet, that is
all that the socket send side has at this point.

This leads to data corruption if the skb->data buffer is reused
by SLAB before the send side socket actually gets the TX packet
out to the device.

The fix employed here is to simply allocate a page and copy the
skb->data bytes into that page.

This will hurt performance, but there is no clear way to fix this
properly without a copy at the present time, and it is important
to get rid of the data corruption.

With fixes from Herbert Xu.

Tested-by: Willy Tarreau <w@1wt.eu>
Foreseen-by: Changli Gao <xiaosuo@gmail.com>
Diagnosed-by: Willy Tarreau <w@1wt.eu>
Reported-by: Willy Tarreau <w@1wt.eu>
Fixed-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-19 17:03:56 -08:00
Herbert Xu
67fd1a731f net: Add debug info to track down GSO checksum bug
I'm trying to track down why people're hitting the checksum warning
in skb_gso_segment.  As the problem seems to be hitting lots of
people and I can't reproduce it or locate the bug, here is a patch
to print out more details which hopefully should help us to track
this down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-19 16:26:44 -08:00
Roel Kluin
24e94de41e net/9p: fid->fid is used uninitialized
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-19 16:20:15 -08:00
Luis R. Rodriguez
02e68a3da0 cfg80211: Fix parsed country IE info for 5 GHz
The country IE number of channels on 5 GHz specifies the number
of 5 GHz channels, not the number of sequential channel numbers.
For example, if in a country IEs if the first channel given is 36
and the number of channels passed is 4 then the individual channel
numbers defined for the 5 GHz PHY by these parameters

are: 36, 40, 44, 48
not: 36, 37, 38, 39

See: http://tinyurl.com/11d-clarification

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-16 17:08:24 -05:00
Luis R. Rodriguez
0c7dc45d21 cfg80211: Fix regression with 11d on bands
This fixes a regression on disallowing bands introduced with the new
802.11d support. The issue is that IEEE-802.11 allows APs to send
a subset of what a country regulatory domain defines. This was clarified
in this document:

http://tinyurl.com/11d-clarification

As such it is possible, and this is what is done in practice, that a
single band 2.4 GHz AP will only send 2.4 GHz band regulatory information
through the 802.11 country information element and then the current
intersection with what CRDA provided yields a regulatory domain with
no 5 GHz information -- even though that country may actually allow
5 GHz operation. We correct this by only applying the intersection rules
on a channel if the the intersection yields a regulatory rule on the
same band the channel is on.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-16 17:08:24 -05:00
Luis R. Rodriguez
a92a3ce724 cfg80211: make handle_band() and handle_channel() wiphy specific
This allows us to make more wiphy specific judgements when
handling the channels later on.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-16 17:08:24 -05:00
Randy Dunlap
b6b50a2162 mac80211: more kernel-doc fixes
Fix (delete) more mac80211 kernel-doc:

Warning(linux-2.6.28-git13//include/net/mac80211.h:375): Excess struct/union/enum/typedef member 'retry_count' description in 'ieee80211_tx_info'
Warning(linux-2.6.28-git13//net/mac80211/sta_info.h:308): Excess struct/union/enum/typedef member 'last_txrate' description in 'sta_info'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-16 17:08:23 -05:00
Linus Torvalds
3feeba1e53 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (95 commits)
  b44: GFP_DMA skb should not escape from driver
  korina: do not use IRQF_SHARED with IRQF_DISABLED
  korina: do not stop queue here
  korina: fix handling tx_chain_tail
  korina: do tx at the right position
  korina: do schedule napi after testing for it
  korina: rework korina_rx() for use with napi
  korina: disable napi on close and restart
  korina: reset resource buffer size to 1536
  korina: fix usage of driver_data
  bnx2x: First slow path interrupt race
  bnx2x: MTU Filter
  bnx2x: Indirection table initialization index
  bnx2x: Missing brackets
  bnx2x: Fixing the doorbell size
  bnx2x: Endianness issues
  bnx2x: VLAN tagged packets without VLAN offload
  bnx2x: Protecting the link change indication
  bnx2x: Flow control updated before reporting the link
  bnx2x: Missing mask when calculating flow control
  ...
2009-01-15 16:53:15 -08:00
Roland Dreier
6364853dab 9p: disallow RDMA if RDMA CM isn't available
If INET=y and INFINIBAND=y, but IPV6=m then INFINIBAND_ADDR_TRANS is set
to n and the RDMA CM functions rdma_connect() et al are not built.
However, the current config dependencies allow NET_9P_RDMA to be selected
in this, which leads to a build failure.  Fix this by adding a dependency
on INFINIBAND_ADDR_TRANS to disallow NET_9P_RDMA in this case.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-15 16:39:42 -08:00
Oliver Hartkopp
c53a6ee88b can: fix slowpath issue in hrtimer callback function
Due to the loopback functionality in can_send() we can not invoke it
from hardirq context which was done inside the
bcm_tx_timeout_handler() hrtimer callback:

[  700.361154]  [<c012228c>] warn_slowpath+0x80/0xb6
[  700.361163]  [<c013d559>] valid_state+0x125/0x136
[  700.361171]  [<c013d858>] mark_lock+0x18e/0x332
[  700.361180]  [<c013e300>] __lock_acquire+0x12e/0xb1e
[  700.361189]  [<f8ab5915>] bcm_tx_timeout_handler+0x0/0xbc [can_bcm]
[  700.361198]  [<c031e20a>] dev_queue_xmit+0x191/0x479
[  700.361206]  [<c01262a7>] __local_bh_disable+0x2b/0x64
[  700.361213]  [<c031e20a>] dev_queue_xmit+0x191/0x479
[  700.361225]  [<f8aa69a1>] can_send+0xd7/0x11a [can]
[  700.361235]  [<f8ab522b>] bcm_can_tx+0x9d/0xd9 [can_bcm]
[  700.361245]  [<f8ab597f>] bcm_tx_timeout_handler+0x6a/0xbc [can_bcm]
[  700.361255]  [<f8ab5915>] bcm_tx_timeout_handler+0x0/0xbc [can_bcm]
[  700.361263]  [<c0134143>] __run_hrtimer+0x5a/0x86
[  700.361273]  [<f8ab5915>] bcm_tx_timeout_handler+0x0/0xbc [can_bcm]
[  700.361282]  [<c0134a50>] hrtimer_interrupt+0xb9/0x110

This patch moves the rest of the functionality from the hrtimer
callback to the already existing tasklet to fix this slowpath problem.

Signed-off-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 21:06:55 -08:00
Benjamin Herrenschmidt
937f1ba56b net: Add init_dummy_netdev() and fix EMAC driver using it
This adds an init_dummy_netdev() function that gets a network device
structure (allocation and lifetime entirely under caller's control) and
initialize the minimum amount of fields so it can be used to schedule
NAPI polls without registering a full blown interface. This is to be
used by drivers that need to tie several hardware interfaces to a single
NAPI poll scheduler due to HW limitations.

It also updates the ibm_newemac driver to use that, this fixing the
oops on 2.6.29 due to passing NULL as "dev" to netif_napi_add()

Symbol is exported GPL only a I don't think we want binary drivers doing
that sort of acrobatics (if we want them at all).

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Tested-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 21:05:05 -08:00
Herbert Xu
4e704ee3c2 gso: Ensure that the packet is long enough
When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 20:41:12 -08:00
Herbert Xu
f557206800 gro: Fix page ref count for skbs freed normally
When an skb with page frags is merged into an existing one, we
cannibalise its reference count.  This is OK when the skb is
reused because we set nr_frags to zero in that case.  However,
for the case where the skb is freed through kfree_skb, we didn't
clear nr_frags which causes the page to be freed prematurely.

This is fixed by moving the skb resetting into skb_gro_receive.

Reported-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 20:40:03 -08:00
David S. Miller
fc8c7dc1b2 xfrm: For 32/64 compatability wrt. xfrm_usersa_info
Reported by Jiri Klimes.

Fix suggested by Patrick McHardy.

Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 14:55:35 -08:00
Herbert Xu
f17f5c91ae gro: Check for GSO packets and packets with frag_list
As GRO cannot be applied to packets with frag_list we need to
make sure that we reject such packets if they are fed to us,
e.g., through a tunnel device.

Also there is no point in applying GRO on GSO packets so they
too should be rejected.  This allows GRO to be used in virtio-net
which may produce GSO packets directly but may still benefit
from GRO if the other end of it doesn't support GSO.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-14 14:36:12 -08:00
Heiko Carstens
3e0fa65f8b [CVE-2009-0029] System call wrappers part 22
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2009-01-14 14:15:27 +01:00
Heiko Carstens
20f37034fb [CVE-2009-0029] System call wrappers part 21
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2009-01-14 14:15:26 +01:00
Heiko Carstens
754fe8d297 [CVE-2009-0029] System call wrappers part 07
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2009-01-14 14:15:20 +01:00
Herbert Xu
7891cc8189 ipv6: Fix fib6_dump_table walker leak
When a fib6 table dump is prematurely ended, we won't unlink
its walker from the list.  This causes all sorts of grief for
other users of the list later.

Reported-by: Chris Caputo <ccaputo@alt.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-13 22:17:51 -08:00
Willy Tarreau
33966dd0e2 tcp: splice as many packets as possible at once
As spotted by Willy Tarreau, current splice() from tcp socket to pipe is not
optimal. It processes at most one segment per call.
This results in low performance and very high overhead due to syscall rate
when splicing from interfaces which do not support LRO.

Willy provided a patch inside tcp_splice_read(), but a better fix
is to let tcp_read_sock() process as many segments as possible, so
that tcp_rcv_space_adjust() and tcp_cleanup_rbuf() are called less
often.

With this change, splice() behaves like tcp_recvmsg(), being able
to consume many skbs in one system call. With typical 1460 bytes
of payload per frame, that means splice(SPLICE_F_NONBLOCK) can return
16*1460 = 23360 bytes.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-13 16:04:36 -08:00
David S. Miller
9a0811ca4e Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-01-13 12:22:26 -08:00
John W. Linville
85b9e4fe13 mac80211: fix "‘ret’ may be used uninitialized" warning
net/mac80211/ht.c: In function ‘ieee80211_start_tx_ba_session’:
net/mac80211/ht.c:472: warning: ‘ret’ may be used uninitialized in this function

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-13 10:25:45 -05:00
Jarek Poplawski
a73be04065 pkt_sched: sch_htb: Break all htb_do_events() after 2 jiffies
Currently htb_do_events() breaks events recounting for a level after 2
jiffies, but there is no reason to repeat this for next levels and
increase delays even more (with softirqs disabled). htb_dequeue_tree()
can add to this too, btw. In such a case q->now time is invalid anyway.

Thanks to Patrick McHardy for spotting an error around earlier version
of this patch.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:54:40 -08:00
Jarek Poplawski
c085134719 pkt_sched: sch_htb: Consider used jiffies in htb_do_events()
Next event time should consider jiffies used for recounting. Otherwise
qdisc_watchdog_schedule() triggers hrtimer immediately with the event
in the past, and may cause very high ksoftirqd cpu usage (if highres
is on).

There is also removed checking "event" for zero in htb_dequeue(): it's
always true in this place.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:54:16 -08:00
Jan Engelhardt
e6210f3be5 netfilter 08/09: xt_time: print timezone for user information
netfilter: xt_time: print timezone for user information

Let users have a way to figure out if their distro set the kernel
timezone at all.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:36 -08:00
Julia Lawall
cd7fcbf1cb netfilter 07/09: simplify nf_conntrack_alloc() error handling
nf_conntrack_alloc cannot return NULL, so there is no need to check for
NULL before using the value.  I have also removed the initialization of ct
to NULL in nf_conntrack_alloc, since the value is never used, and since
perhaps it might lead one to think that return ct at the end might return
NULL.

The semantic patch that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@match exists@
expression x, E;
position p1,p2;
statement S1, S2;
@@

x@p1 = nf_conntrack_alloc(...)
... when != x = E
(
  if (x@p2 == NULL || ...) S1 else S2
|
  if (x@p2 == NULL && ...) S1 else S2
)

@other_match exists@
expression match.x, E1, E2;
position p1!=match.p1,match.p2;
@@

x@p1 = E1
... when != x = E2
x@p2

@ script:python depends on !other_match@
p1 << match.p1;
p2 << match.p2;
@@

print "%s: call to nf_conntrack_alloc %s bad test %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:36 -08:00
Patrick McHardy
71320afcdb netfilter 06/09: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
An old bug crept back into the ICMP/ICMPv6 conntrack protocols: the timeout
values are defined as unsigned longs, the sysctl's maxsize is set to
sizeof(unsigned int). Use unsigned int for the timeout values as in the
other conntrack protocols.

Reported-by: Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:35 -08:00
Jan Engelhardt
d61ba9fd55 netfilter 05/09: ebtables: fix inversion in match code
Commit 8cc784ee (netfilter: change return types of match functions
for ebtables extensions) broke ebtables matches by inverting the
sense of match/nomatch.

Reported-by: Matt Cross <matthltc@us.ibm.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:35 -08:00
Patrick McHardy
656caff20e netfilter 04/09: x_tables: fix match/target revision lookup
Commit 55b69e91 (netfilter: implement NFPROTO_UNSPEC as a wildcard
for extensions) broke revision probing for matches and targets that
are registered with NFPROTO_UNSPEC.

Fix by continuing the search on the NFPROTO_UNSPEC list if nothing
is found on the af-specific lists.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:34 -08:00
Herbert Xu
47e0e1ca13 netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default
The PPPOE/VLAN processing code in the bridge netfilter is broken
by design.  The VLAN tag and the PPPOE session ID are an integral
part of the packet flow information, yet they're completely
ignored by the bridge netfilter.  This is potentially a security
hole as it treats all VLANs and PPPOE sessions as the same.

What's more, it's actually broken for PPPOE as the bridge netfilter
tries to trim the packets to the IP length without adjusting the
PPPOE header (and adjusting the PPPOE header isn't much better
since the PPPOE peer may require the padding to be present).

Therefore we should disable this by default.

It does mean that people relying on this feature may lose networking
depending on how their bridge netfilter rules are configured.
However, IMHO the problems this code causes are serious enough to
warrant this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:34 -08:00
Herbert Xu
a2bd40ad31 netfilter 02/09: bridge: Fix handling of non-IP packets in FORWARD/POST_ROUTING
Currently the bridge FORWARD/POST_ROUTING chains treats all
non-IPv4 packets as IPv6.  This packet fixes that by returning
NF_ACCEPT on non-IP packets instead, just as is done in PRE_ROUTING.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:33 -08:00
Patrick McHardy
88843104a1 netfilter 01/09: remove "happy cracking" message
Don't spam logs for locally generated short packets. these can only
be generated by root.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 21:18:33 -08:00
Christian Lamparter
b973c31a92 mac80211: initialize RC data for all mesh links upon allocation
This patch fixes a panic that might occur, if the device is part of a mesh
and tries to send with a higher rate index than "0".

kernel BUG at net/mac80211/rate.c:239!
invalid opcode: 0000 [#1] SMP
[...]
 Call Trace:
 <IRQ> <0> ? invoke_tx_handlers+0x474/0xb57 [mac80211]
 ? __ieee80211_tx_prepare+0x260/0x2a8 [mac80211]
 ? ieee80211_master_start_xmit+0x300/0x43a [mac80211]
 ? __qdisc_run+0xde/0x1da
 ? net_tx_action+0xb4/0x102
 Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-12 14:24:57 -05:00
Pavel Roskin
dcebf45cdc mac80211: allow mode change if IBSS is not allowed
Changing mode on an interface is not allowed if IBSS is disabled for the
current channel.  That restriction should only apply when switching to
the ad-hoc mode, as it was prior to "cfg80211: handle SIOCGIWMODE/SIOCSIWMODE".

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-12 14:24:56 -05:00
Christian Lamparter
d57854bb1d minstrel: fix warning if lowest supported rate index is not 0
This patch fixes the following WARNING (caused by rix_to_ndx): "
>WARNING: at net/mac80211/rc80211_minstrel.c:69 minstrel_rate_init+0xd2/0x33a [mac80211]()
>[...]
>Call Trace:
> warn_on_slowpath+0x51/0x75
> _format_mac_addr+0x4c/0x88
> minstrel_rate_init+0xd2/0x33a [mac80211]
> print_mac+0x16/0x1b
> schedule_hrtimeout_range+0xdc/0x107
> ieee80211_add_station+0x158/0x1bd [mac80211]
> nl80211_new_station+0x1b3/0x20b [cfg80211]

The reason is that I'm experimenting with "g" only mode on a 802.11 b/g card.

Therefore rate_lowest_index returns 4 (= 6Mbit, instead of usual 0 = 1Mbit).
Since mi->r array is initialized with zeros in minstrel_alloc_sta,
rix_to_ndx has a hard time to find the 6Mbit entry and will trigged the WARNING.

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-01-12 14:24:55 -05:00
Dan Williams
649274d993 net_dma: acquire/release dma channels on ifup/ifdown
The recent dmaengine rework removed the capability to remove dma device
driver modules while net_dma is active.  Rather than notify
dmaengine-clients that channels are trying to be removed, we now rely on
clients to notify dmaengine when they no longer have a need for
channels.  Teach net_dma to release channels by taking dmaengine
references at netdevice open and dropping references at netdevice close.

Acked-by: Maciej Sosnowski <maciej.sosnowski@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-11 00:20:39 -08:00
Gerrit Renker
4dbc242ed3 dccp ccid-3: Fix RFC reference
Thanks to Wei and Arnaldo for pointing out the correct
new reference for CCID-3.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-11 00:17:22 -08:00
Leonardo Potenza
1b6725dea7 net: fix section mismatch warnings in dccp/ccids/lib/tfrc.c
Removed the __exit annotation of tfrc_lib_exit(), in order to suppress the following section mismatch messages:

WARNING: net/dccp/dccp.o(.text+0xd9): Section mismatch in reference from the function ccid_cleanup_builtins() to the function .exit.text:tfrc_lib_exit()
The function ccid_cleanup_builtins() references a function in an exit section.
Often the function tfrc_lib_exit() has valid usage outside the exit section
and the fix is to remove the __exit annotation of tfrc_lib_exit.

WARNING: net/dccp/dccp.o(.init.text+0x48): Section mismatch in reference from the function ccid_initialize_builtins() to the function .exit.text:tfrc_lib_exit()
The function __init ccid_initialize_builtins() references
a function __exit tfrc_lib_exit().
This is often seen when error handling in the init function
uses functionality in the exit path.
The fix is often to remove the __exit annotation of
tfrc_lib_exit() so it may be used outside an exit section.

Signed-off-by: Leonardo Potenza <lpotenza@inwind.it>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-11 00:11:28 -08:00