From d258131aaea8a3979f82c0313b9a583130b29981 Mon Sep 17 00:00:00 2001 From: Jerome Borsboom Date: Fri, 22 Jun 2007 14:08:17 -0700 Subject: [PATCH 01/11] [NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info Signed-off-by: Jerome Borsboom Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/nf_conntrack_sip.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 7aaa8c91b293..1b5c6c1055f7 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -442,6 +442,9 @@ static int sip_help(struct sk_buff **pskb, /* RTP info only in some SDP pkts */ if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 && + memcmp(dptr, "UPDATE", sizeof("UPDATE") - 1) != 0 && + memcmp(dptr, "SIP/2.0 180", sizeof("SIP/2.0 180") - 1) != 0 && + memcmp(dptr, "SIP/2.0 183", sizeof("SIP/2.0 183") - 1) != 0 && memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) { goto out; } From e2d8e314ad18d4302b3b7ea21ab8b2cb72f2b152 Mon Sep 17 00:00:00 2001 From: Yasuyuki Kozakai Date: Fri, 22 Jun 2007 14:10:22 -0700 Subject: [PATCH 02/11] [NETFILTER]: nfctnetlink: Don't allow to change helper There is no realistic situation to change helper (Who wants IRC helper to track FTP traffic ?). Moreover, if we want to do that, we need to fix race issue by nfctnetlink and running helper. That will add overhead to packet processing. It wouldn't pay. So this rejects the request to change helper. The requests to add or remove helper are accepted as ever. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/nf_conntrack_netlink.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 3f73327794ab..d0fe3d769828 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c 
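Review bot: In sip_help (net/netfilter/nf_conntrack_sip.c), the three added `memcmp` calls read up to `sizeof("SIP/2.0 183") - 1` bytes from `dptr`, and no check of the payload length is visible in this hunk. The new strings are no longer than the existing "SIP/2.0 200", so a length guard sized for that string (presumably earlier in the function, outside the hunk) would still cover them, but that should be confirmed rather than assumed. The comment above the condition could also name the accepted messages, e.g. `/* RTP info only in INVITE, UPDATE and 180/183/200 responses */`, since each entry added here widens the set of peer-controlled messages whose SDP is presumably parsed further on.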
@@ -869,8 +869,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[]) return 0; if (help->helper) - /* we had a helper before ... */ - nf_ct_remove_expectations(ct); + return -EBUSY; /* need to zero data of old helper */ memset(&help->help, 0, sizeof(help->help)); From 6d5b78cdd5a17665674429400b3ed10e3ec60684 Mon Sep 17 00:00:00 2001 From: YOSHIFUJI Hideaki Date: Fri, 22 Jun 2007 16:07:04 -0700 Subject: [PATCH 03/11] [IPV6] NDISC: Fix thinko to control Router Preference support. Bug reported by Haruhito Watanabe . Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/ndisc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index d8b36451bada..0358e6066a4e 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -1062,7 +1062,7 @@ static void ndisc_router_discovery(struct sk_buff *skb) pref = ra_msg->icmph.icmp6_router_pref; /* 10b is handled as if it were 00b (medium) */ if (pref == ICMPV6_ROUTER_PREF_INVALID || - in6_dev->cnf.accept_ra_rtr_pref) + !in6_dev->cnf.accept_ra_rtr_pref) pref = ICMPV6_ROUTER_PREF_MEDIUM; #endif From 8bfe6d68391af6171df789124fc3dfefeb392d9c Mon Sep 17 00:00:00 2001 From: Satyam Sharma Date: Fri, 22 Jun 2007 17:04:27 -0700 Subject: [PATCH 04/11] [IPV4]: include sysctl.h from inetdevice.h When CONFIG_INET=y and CONFIG_SYSCTL=n: In file included from net/core/netpoll.c:16: include/linux/inetdevice.h:15: error: '__NET_IPV4_CONF_MAX' undeclared here (not in a function) make[2]: *** [net/core/netpoll.o] Error 1 make[1]: *** [net/core] Error 2 make: *** [net] Error 2 So #include sysctl.h from inetdevice.h. Signed-off-by: Satyam Sharma Signed-off-by: David S. Miller --- include/linux/inetdevice.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h index ae04901aa09a..d83fee2dc643 100644 --- a/include/linux/inetdevice.h +++ b/include/linux/inetdevice.h 
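Review bot: In ctnetlink_change_helper (net/netfilter/nf_conntrack_netlink.c), the new `return -EBUSY;` has no comment, and the surviving `/* need to zero data of old helper */` below it now reads as if an old helper could still be attached at that point. I would document the early return with something like `/* replacing a live helper would race with the helper running in the packet path; only add and remove are supported */`, which is the reasoning the commit message gives. The comment on the `memset` could then say that it clears data left behind by a previously removed helper, if that is the case it covers. The function starts and ends outside the hunk, so I cannot confirm that from here.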
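Review bot: In ndisc_router_discovery (net/ipv6/ndisc.c), the comment above the corrected condition explains only the reserved 10b value and says nothing about the sysctl branch, which is the one that was inverted. Suggest extending it to `/* 10b is handled as if it were 00b (medium); the advertised preference is also ignored when accept_ra_rtr_pref is off */` so the intent of `!in6_dev->cnf.accept_ra_rtr_pref` is stated next to the code. The preference is taken from a received Router Advertisement (`ra_msg->icmph.icmp6_router_pref`), so anyone auditing which on-link input is honoured benefits from the policy being spelled out. The function body continues outside the hunk.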
@@ -8,6 +8,7 @@ #include #include #include +#include struct ipv4_devconf { From dbbeb2f9917792b989b6269ebfe24257f9aa1618 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Sat, 23 Jun 2007 22:58:34 -0700 Subject: [PATCH 05/11] [SKBUFF]: Fix incorrect config #ifdef around skb_copy_secmark secmark doesn't depend on CONFIG_NET_SCHED. Signed-off-by: Patrick McHardy Acked-by: James Morris Signed-off-by: David S. Miller --- net/core/skbuff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 7c6a34e21eee..8d43ae6979e5 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -434,8 +434,8 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask) n->tc_verd = CLR_TC_MUNGED(n->tc_verd); C(iif); #endif - skb_copy_secmark(n, skb); #endif + skb_copy_secmark(n, skb); C(truesize); atomic_set(&n->users, 1); C(head); From 64beb8f3eb3c724add64ca3272915528e10213c1 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Sat, 23 Jun 2007 22:59:40 -0700 Subject: [PATCH 06/11] [TIPC]: Fix infinite loop in netlink handler The tipc netlink config handler uses the nlmsg_pid from the request header as destination for its reply. If the application initialized nlmsg_pid to 0, the reply is looped back to the kernel, causing hangup. Fix: use nlmsg_pid of the skb that triggered the request. Signed-off-by: Florian Westphal Signed-off-by: David S. Miller --- net/tipc/netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index 4cdafa2d1d4d..6a7f7b4c2595 100644 --- a/net/tipc/netlink.c +++ b/net/tipc/netlink.c @@ -60,7 +60,7 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info) rep_nlh = nlmsg_hdr(rep_buf); memcpy(rep_nlh, req_nlh, hdr_space); rep_nlh->nlmsg_len = rep_buf->len; - genlmsg_unicast(rep_buf, req_nlh->nlmsg_pid); + genlmsg_unicast(rep_buf, NETLINK_CB(skb).pid); } return 0; From 7e4a6da7c2a1e0df06b71dc4ddc31910229ba9d9 Mon Sep 17 00:00:00 2001 
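Review bot: In skb_clone (net/core/skbuff.c), the two consecutive `#endif` lines give no indication of which conditional each one closes, which is presumably how `skb_copy_secmark(n, skb)` ended up inside the wrong block. Annotating them would make it visible that the call now sits outside both, e.g. `#endif /* CONFIG_NET_SCHED */` on the outer one. That symbol comes from the commit message; the opening `#ifdef` lines are outside the hunk, so the inner symbol has to be taken from the file. Because secmark is the packet's security marking, a short comment on the call such as `/* independent of NET_SCHED: clones must keep the security mark */` would also guard against it being moved back under a config option.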
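Review bot: In handle_cmd (net/tipc/netlink.c), the return value of `genlmsg_unicast(rep_buf, NETLINK_CB(skb).pid)` is discarded and the function returns 0 whatever happens to the reply. If delivery fails, the requester gets neither a response nor an error; consider `return genlmsg_unicast(rep_buf, NETLINK_CB(skb).pid);` or at least logging the failure. Separately, `memcpy(rep_nlh, req_nlh, hdr_space)` just above still copies the request header into the reply, so the user-supplied `nlmsg_pid` stays in the reply header even though it no longer selects the destination. A one-line comment such as `/* reply to the sending socket, never to the pid claimed in the request header */` would record why the two differ. The enclosing block starts outside the hunk.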
From: "David S. Miller" Date: Sat, 23 Jun 2007 23:04:11 -0700 Subject: [PATCH 07/11] [PPP]: Revert 606f585e363527da9feaed79465132c0c661fd9e This can cause packet buffer overflows in certain cases, the real bug will be fixed differently in a followon changeset. Signed-off-by: David S. Miller --- drivers/net/ppp_mppe.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/net/ppp_mppe.c b/drivers/net/ppp_mppe.c index 5ae80bbe2edc..d5bdd2574659 100644 --- a/drivers/net/ppp_mppe.c +++ b/drivers/net/ppp_mppe.c @@ -493,14 +493,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf, /* * Make sure we have enough room to decrypt the packet. - * To account for possible PFC we should only subtract 1 - * byte whereas in mppe_compress() we added 2 bytes (+MPPE_OVHD); - * However, we assume no PFC, thus subtracting 2 bytes. + * Note that for our test we only subtract 1 byte whereas in + * mppe_compress() we added 2 bytes (+MPPE_OVHD); + * this is to account for possible PFC. */ - if (osize < isize - MPPE_OVHD - 2) { + if (osize < isize - MPPE_OVHD - 1) { printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! " "(have: %d need: %d)\n", state->unit, - osize, isize - MPPE_OVHD - 2); + osize, isize - MPPE_OVHD - 1); return DECOMP_ERROR; } osize = isize - MPPE_OVHD - 2; /* assume no PFC */ From 4b2a8fb3a7f7935f62a7bbdc851789fb7c2da032 Mon Sep 17 00:00:00 2001 From: Konstantin Sharlaimov Date: Sat, 23 Jun 2007 23:05:54 -0700 Subject: [PATCH 08/11] [PPP]: Fix osize too small errors when decoding mppe. The mppe_decompress() function required a buffer that is 1 byte too small when receiving a message of mru size. This fixes buffer allocation to prevent this from occurring. Signed-off-by: Konstantin Sharlaimov Signed-off-by: David S. Miller --- drivers/net/ppp_generic.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) 
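Review bot: In mppe_decompress (drivers/net/ppp_mppe.c), the restored test `osize < isize - MPPE_OVHD - 1` is evaluated in signed `int` arithmetic and is, as far as this hunk shows, the check that bounds writes into `obuf`, yet the comment explains only the PFC byte. I would add a line to the comment such as `* This check bounds writes to obuf, so it must use the worst case (PFC present).`, so that a later change does not relax it again the way the reverted commit did. It is also worth confirming that `isize` has a lower bound earlier in the function (outside the hunk), since a value below `MPPE_OVHD + 1` makes the right-hand side negative; the test then passes trivially and the following `osize = isize - MPPE_OVHD - 2` goes negative.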
diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c index 541168713f1f..3ef0092dc09c 100644 --- a/drivers/net/ppp_generic.c +++ b/drivers/net/ppp_generic.c @@ -1708,7 +1708,18 @@ ppp_decompress_frame(struct ppp *ppp, struct sk_buff *skb) goto err; if (proto == PPP_COMP) { - ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN); + int obuff_size; + + switch(ppp->rcomp->compress_proto) { + case CI_MPPE: + obuff_size = ppp->mru + PPP_HDRLEN + 1; + break; + default: + obuff_size = ppp->mru + PPP_HDRLEN; + break; + } + + ns = dev_alloc_skb(obuff_size); if (ns == 0) { printk(KERN_ERR "ppp_decompress_frame: no memory\n"); goto err; From ddb61a57bb6df673986e6476407f97d28b02031f Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Sat, 23 Jun 2007 23:07:50 -0700 Subject: [PATCH 09/11] [TCP] tcp_read_sock: Allow recv_actor() return return negative error value. tcp_read_sock() currently assumes that the recv_actor() only returns number of bytes copied. For network splice receive, we may have to return an error in some cases. So allow the actor to return a negative error value. Signed-off-by: Jens Axboe Signed-off-by: David S. Miller --- net/ipv4/tcp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index cd3c7e95de9e..450f44bb2c8e 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1064,7 +1064,11 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, break; } used = recv_actor(desc, skb, offset, len); - if (used <= len) { + if (used < 0) { + if (!copied) + copied = used; + break; + } else if (used <= len) { seq += used; copied += used; offset += used; @@ -1086,7 +1090,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, tcp_rcv_space_adjust(sk); /* Clean up data we have read: This will do ACK frames. */ - if (copied) + if (copied > 0) tcp_cleanup_rbuf(sk, copied); return copied; } From 515e06c4556bd8388db6b2bb2cd8859126932946 Mon Sep 17 00:00:00 2001 
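Review bot: In ppp_decompress_frame (drivers/net/ppp_generic.c), the `+ 1` in the `CI_MPPE` case is an unexplained constant that has to stay in step with the size test inside mppe_decompress, and nothing in the code ties the two together. Add a comment at the case, e.g. `/* mppe_decompress() requires one spare byte of output room; keep in sync with its osize check */`, or let the decompressor report the headroom it needs so the generic layer does not special-case one protocol. The `switch` also dereferences `ppp->rcomp` before the allocation; it is presumably non-NULL whenever this branch is reached, but that is established outside the hunk. Minor style: `switch (` with a space, and `ns == NULL` for the pointer test.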
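Review bot: In tcp_read_sock (net/ipv4/tcp.c), the new `if (used < 0)` branch only works if `used` is a signed type, and its declaration is outside the hunk. If it is `size_t`, like the `len` it is compared with, the test is always false, and a negative error from `recv_actor()` becomes a huge unsigned value that never reaches the error path. Please check the declaration and make it `int used;` if needed; `used <= len` then becomes a signed/unsigned comparison that is safe only because the negative case is handled first. The error is also dropped when some data was already consumed (`if (!copied) copied = used;`), which deserves a comment such as `/* report the error only if nothing was read; otherwise return the byte count */`.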
From: Shannon Nelson Date: Sat, 23 Jun 2007 23:09:23 -0700 Subject: [PATCH 10/11] [NET]: Re-enable irqs before pushing pending DMA requests This moves the local_irq_enable() call in net_rx_action() to before calling the CONFIG_NET_DMA's dma_async_memcpy_issue_pending() rather than after. This shortens the irq disabled window and allows for DMA drivers that need to do their own irq hold. Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller --- net/core/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c index 26090621ea6b..ee051bb398a0 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2009,6 +2009,7 @@ static void net_rx_action(struct softirq_action *h) } } out: + local_irq_enable(); #ifdef CONFIG_NET_DMA /* * There may not be any more sk_buffs coming right now, so push @@ -2022,7 +2023,6 @@ out: rcu_read_unlock(); } #endif - local_irq_enable(); return; softnet_break: From 5b5a60da281c767196427ce8144deae6ec46b389 Mon Sep 17 00:00:00 2001 From: Olaf Kirch Date: Sat, 23 Jun 2007 23:11:52 -0700 Subject: [PATCH 11/11] [NET]: Make skb_seq_read unmap the last fragment Having walked through the entire skbuff, skb_seq_read would leave the last fragment mapped. As a consequence, the unwary caller would leak kmaps, and proceed with preempt_count off by one. The only (kind of non-intuitive) workaround is to use skb_seq_read_abort. This patch makes sure skb_seq_read always unmaps frag_data after having cycled through the skb's paged part. Signed-off-by: Olaf Kirch Signed-off-by: David S. Miller --- net/core/skbuff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 8d43ae6979e5..27cfe5fe4bb9 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c 
@@ -1706,6 +1706,11 @@ next_skb: st->stepped_offset += frag->size; } + if (st->frag_data) { + kunmap_skb_frag(st->frag_data); + st->frag_data = NULL; + } + if (st->cur_skb->next) { st->cur_skb = st->cur_skb->next; st->frag_idx = 0;