From 3663c306609a9322a484fba28b3da66142c50ee9 Mon Sep 17 00:00:00 2001
From: Vlad Yasevich
Date: Tue, 3 Jul 2007 12:43:12 -0400
Subject: [PATCH 1/7] SCTP: Fix thinko in sctp_copy_laddrs()

Correctly dereference bytes_copied in sctp_copy_laddrs(). I totally must have spaced when doing this.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
---
 net/sctp/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 67861a8f00cb..1e788279bb22 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4170,7 +4170,7 @@ static int sctp_copy_laddrs(struct sock *sk, __u16 port, void *to,
 to += addrlen;
 cnt ++;
 space_left -= addrlen;
- bytes_copied += addrlen;
+ *bytes_copied += addrlen;
 }
 return cnt;

From f50f95cab735ebe2993e8d1549f0615bad05f3f2 Mon Sep 17 00:00:00 2001
From: Vlad Yasevich
Date: Tue, 3 Jul 2007 12:47:40 -0400
Subject: [PATCH 2/7] SCTP: Check to make sure file is valid before setting timeout

In-kernel sockets created with sock_create_kern don't usually have a file and file descriptor allocated to them. As a result, when SCTP tries to check the non-blocking flag, we Oops when dereferencing a NULL file pointer.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
---
 net/sctp/socket.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 1e788279bb22..b1917f68723c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -980,6 +980,7 @@ static int __sctp_connect(struct sock* sk,
 union sctp_addr *sa_addr;
 void *addr_buf;
 unsigned short port;
+ unsigned int f_flags = 0;
 sp = sctp_sk(sk);
 ep = sp->ep;
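Review bot: `*bytes_copied += addrlen;` accumulates into the caller's counter rather than assigning it, so the value is only meaningful if the caller zeroes `*bytes_copied` before the first call, and that precondition is stated nowhere in the hunk. I would add a comment at the parameter (the signature appears in the @@ context, the function header itself is above the hunk): `/* bytes_copied: accumulated, never reset -- caller must initialise it */`. Before this fix the pointer itself was advanced and the caller's count never moved, so any length a caller derived from it for a copy back to user space was wrong; worth confirming that the getsockopt path bounds that copy on space_left rather than on the count, which is not visible from here. The loop body begins above the hunk.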
@@ -1106,7 +1107,14 @@ static int __sctp_connect(struct sock* sk,
 af->to_sk_daddr(&to, sk);
 sk->sk_err = 0;
- timeo = sock_sndtimeo(sk, sk->sk_socket->file->f_flags & O_NONBLOCK);
+ /* in-kernel sockets don't generally have a file allocated to them
+ * if all they do is call sock_create_kern().
+ */
+ if (sk->sk_socket->file)
+ f_flags = sk->sk_socket->file->f_flags;
+
+ timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
+
 err = sctp_wait_for_connect(asoc, &timeo);
 /* Don't free association on exit. */

From 1669d857a25d62c6d0a6d9216e01c21287a7c844 Mon Sep 17 00:00:00 2001
From: Vlad Yasevich
Date: Tue, 3 Jul 2007 14:29:23 -0400
Subject: [PATCH 3/7] SCTP: Add scope_id validation for link-local binds

SCTP currently permits users to bind to link-local addresses, but doesn't verify that the scope id specified at bind matches the interface that the address is configured on. It was report that this can hang a system.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
---
 net/sctp/ipv6.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 84cd53635fe8..2c29394fd92e 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -844,6 +844,10 @@ static int sctp_inet6_bind_verify(struct sctp_sock *opt, union sctp_addr *addr)
 dev = dev_get_by_index(addr->v6.sin6_scope_id);
 if (!dev)
 return 0;
+ if (!ipv6_chk_addr(&addr->v6.sin6_addr, dev, 0)) {
+ dev_put(dev);
+ return 0;
+ }
 dev_put(dev);
 }
 af = opt->pf->af;

From 2cd052e44329dd2b42eb958f8f346b053de6e2cd Mon Sep 17 00:00:00 2001
From: Johannes Berg
Date: Thu, 5 Jul 2007 17:03:09 -0700
Subject: [PATCH 4/7] [NET] skbuff: remove export of static symbol

skb_clone_fraglist is static so it shouldn't be exported.

Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
---
 net/core/skbuff.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 27cfe5fe4bb9..3943c3ad9145 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
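Review bot: The guard `if (sk->sk_socket->file)` stops the NULL dereference for sockets created with sock_create_kern(), but it still dereferences sk->sk_socket unconditionally, and whether every caller of __sctp_connect() reaches this point with sk_socket populated is not visible in the hunk; a one-line comment stating that assumption would help the next reader. Since f_flags is only consulted for O_NONBLOCK, the check could also collapse to `timeo = sock_sndtimeo(sk, sk->sk_socket->file ? sk->sk_socket->file->f_flags & O_NONBLOCK : 0);`, which lets the function-scope `f_flags` added in the first hunk of this patch go away. If any other path in this file derives the non-blocking flag from sk->sk_socket->file it needs the same guard, which cannot be checked from here; the Oops itself is reachable only by in-kernel users, not from user space. __sctp_connect() starts and ends outside the hunk.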
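Review bot: The new ipv6_chk_addr() branch and the existing fall-through both end in `dev_put(dev);`, a duplication that tends to grow a reference leak when a third condition is added later; the reference is only needed for the lookup, so I would fold it to `ret = ipv6_chk_addr(&addr->v6.sin6_addr, dev, 0); dev_put(dev); if (!ret) return 0;`. Note also that strict is passed as 0, which, if ipv6_chk_addr() keeps its usual semantics, also accepts a non-link-scoped address configured on another device; that is harmless as long as this branch is only entered for link-local addresses, but the enclosing condition sits above the hunk, so please confirm. sctp_inet6_bind_verify() continues outside the hunk.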
@@ -2211,7 +2211,6 @@ EXPORT_SYMBOL(pskb_copy);
 EXPORT_SYMBOL(pskb_expand_head);
 EXPORT_SYMBOL(skb_checksum);
 EXPORT_SYMBOL(skb_clone);
-EXPORT_SYMBOL(skb_clone_fraglist);
 EXPORT_SYMBOL(skb_copy);
 EXPORT_SYMBOL(skb_copy_and_csum_bits);
 EXPORT_SYMBOL(skb_copy_and_csum_dev);

From 25845b5155b55cd77e42655ec24161ba3feffa47 Mon Sep 17 00:00:00 2001
From: Jing Min Zhao
Date: Thu, 5 Jul 2007 17:05:01 -0700
Subject: [PATCH 5/7] [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values

Choices' index values may be out of range while still encoded in the fixed length bit-field. This bug may cause access to undefined types (NULL pointers) and thus crashes (Reported by Zhongling Wen). This patch also adds checking of decode flag when decoding SEQUENCEs.

Signed-off-by: Jing Min Zhao
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index f6fad713d484..6b7eaa019d4c 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
 CHECK_BOUND(bs, 2);
 len = get_len(bs);
 CHECK_BOUND(bs, len);
- if (!base) {
+ if (!base || !(son->attr & DECODE)) {
 PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name);
 bs->cur += len;
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
 } else {
 ext = 0;
 type = get_bits(bs, f->sz);
+ if (type >= f->lb)
+ return H323_ERROR_RANGE;
 }
 /* Write Type */

From 94b83419e5b56a87410fd9c9939f0081fc155d65 Mon Sep 17 00:00:00 2001
From: Adrian Bunk
Date: Thu, 5 Jul 2007 17:06:21 -0700
Subject: [PATCH 6/7] [NET]: net/core/netevent.c should #include

Every file should include the headers containing the prototypes for its global functions.

Signed-off-by: Adrian Bunk
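Review bot: `if (type >= f->lb) return H323_ERROR_RANGE;` bounds only the non-extension branch of decode_choice(); the `ext` branch above the hunk also derives an index from the wire, and nothing visible here shows it being range-checked against the table it indexes, so since this data is untrusted H.323 traffic reaching conntrack, please confirm that path carries an equivalent guard. I would also pin the new check with a comment so a later refactor does not drop it: `/* choice index comes off the wire; indices past the alternatives table have no decoder entry */` — the commit message says those entries are NULL, which the hunk itself does not show. decode_choice() begins and ends outside the hunk.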
Signed-off-by: David S. Miller
---
 net/core/netevent.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/netevent.c b/net/core/netevent.c
index 35d02c38554e..95f81de87502 100644
--- a/net/core/netevent.c
+++ b/net/core/netevent.c
@@ -15,6 +15,7 @@
 #include
 #include
+#include
 static ATOMIC_NOTIFIER_HEAD(netevent_notif_chain);

From 25442cafb8cc3d979418caccabc91260707a0947 Mon Sep 17 00:00:00 2001
From: Jarek Poplawski
Date: Thu, 5 Jul 2007 17:42:44 -0700
Subject: [PATCH 7/7] [NETPOLL]: Fixups for 'fix soft lockup when removing module'

>From my recent patch: > > #1 > > Until kernel ver. 2.6.21 (including) cancel_rearming_delayed_work() > > required a work function should always (unconditionally) rearm with > > delay > 0 - otherwise it would endlessly loop. This patch replaces > > this function with cancel_delayed_work(). Later kernel versions don't > > require this, so here it's only for uniformity. But Oleg Nesterov found: > But 2.6.22 doesn't need this change, why it was merged? > > In fact, I suspect this change adds a race, ... His description was right (thanks), so this patch reverts #1.

Signed-off-by: Jarek Poplawski
Signed-off-by: David S. Miller
---
 net/core/netpoll.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index cf40ff91ac01..a0efdd7a6b37 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -72,8 +72,7 @@ static void queue_process(struct work_struct *work)
 netif_tx_unlock(dev);
 local_irq_restore(flags);
- if (atomic_read(&npinfo->refcnt))
- schedule_delayed_work(&npinfo->tx_work, HZ/10);
+ schedule_delayed_work(&npinfo->tx_work, HZ/10);
 return;
 }
 netif_tx_unlock(dev);
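Review bot: The now unconditional `schedule_delayed_work(&npinfo->tx_work, HZ/10);` is only safe because the other hunk of this patch makes netpoll_cleanup() tear the work down with cancel_rearming_delayed_work(), which copes with a handler that rearms itself after the refcount has dropped; that coupling is the whole reason #1 is reverted, yet nothing at the call site records it, so to a reader of queue_process() alone the dropped refcnt check looks like a regression. I would add `/* may rearm after refcnt hits zero; netpoll_cleanup() relies on cancel_rearming_delayed_work() to catch that */` above the call. The commit message says this only holds for 2.6.22 and later, so a backport to an older tree would need the old guard back — worth stating in that comment too. queue_process() starts above the hunk.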
@@ -786,8 +785,7 @@ void netpoll_cleanup(struct netpoll *np)
 if (atomic_dec_and_test(&npinfo->refcnt)) {
 skb_queue_purge(&npinfo->arp_tx);
 skb_queue_purge(&npinfo->txq);
- cancel_delayed_work(&npinfo->tx_work);
- flush_scheduled_work();
+ cancel_rearming_delayed_work(&npinfo->tx_work);
 /* clean after last, unfinished work */
 if (!skb_queue_empty(&npinfo->txq)) {