<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include/net, branch v2.6.32.60</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/include/net?h=v2.6.32.60</id>
<link rel='self' href='https://git.amat.us/linux/atom/include/net?h=v2.6.32.60'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-10-07T21:37:20Z</updated>
<entry>
<title>rose: Add length checks to CALL_REQUEST parsing</title>
<updated>2012-10-07T21:37:20Z</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2011-03-20T06:48:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=db9faaa340c78618685038d36e368de738ed3d16'/>
<id>urn:sha1:db9faaa340c78618685038d36e368de738ed3d16</id>
<content type='text'>
commit e0bccd315db0c2f919e7fcf9cb60db21d9986f52 upstream

Define some constant offsets for CALL_REQUEST based on the description
at &lt;http://www.techfest.com/networking/wan/x25plp.htm&gt; and the
definition of ROSE as using 10-digit (5-byte) addresses.  Use them
consistently.  Validate all implicit and explicit facilities lengths.
Validate the address length byte rather than either trusting or
assuming its value.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[dannf: backported to Debian's 2.6.32]
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>net: sock_queue_err_skb() dont mess with sk_forward_alloc</title>
<updated>2012-02-13T19:28:51Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-06-01T06:44:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a77912b9bce47661279f4f1a5be10b15d40b402d'/>
<id>urn:sha1:a77912b9bce47661279f4f1a5be10b15d40b402d</id>
<content type='text'>
commit b1faf5666438090a4dc4fceac8502edc7788b7e3 upstream.

Correct sk_forward_alloc handling for error_queue would need to use a
backlog of frames that softirq handler could not deliver because socket
is owned by user thread. Or extend backlog processing to be able to
process normal and error packets.

Another possibility is to not use mem charge for error queue, this is
what I implemented in this patch.

Note: this reverts commit 29030374
(net: fix sk_forward_alloc corruptions), since we dont need to lock
socket anymore.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: 单卫 &lt;shanwei88@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>scm: lower SCM_MAX_FD</title>
<updated>2011-11-07T20:32:45Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-11-23T14:09:15Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6719bac67645ca27b2e74726387705b589a89a24'/>
<id>urn:sha1:6719bac67645ca27b2e74726387705b589a89a24</id>
<content type='text'>
commit bba14de98753cb6599a2dae0e520714b2153522d upstream.

Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
halved. (commit f8d570a4 added two pointers in this structure)

scm_fp_dup() should not copy whole structure (and trigger kmemcheck
warnings), but only the used part. While we are at it, only allocate
needed size.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>net: Compute protocol sequence numbers and fragment IDs using MD5.</title>
<updated>2011-08-16T01:57:20Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2011-08-04T03:50:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=263b89378807581c501e4673634fee5253126812'/>
<id>urn:sha1:263b89378807581c501e4673634fee5253126812</id>
<content type='text'>
Computers have become a lot faster since we compromised on the
partial MD4 hash which we use currently for performance reasons.

MD5 is a much safer choice, and is inline with both RFC1948 and
other ISS generators (OpenBSD, Solaris, etc.)

Furthermore, only having 24-bits of the sequence number be truly
unpredictable is a very serious limitation.  So the periodic
regeneration and 8-bit counter have been removed.  We compute and
use a full 32-bit sequence number.

For ipv6, DCCP was found to use a 32-bit truncated initial sequence
number (it needs 43-bits) and that is fixed here as well.

Reported-by: Dan Kaminsky &lt;dan@doxpara.com&gt;
Tested-by: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>netlink: Make nlmsg_find_attr take a const nlmsghdr*.</title>
<updated>2011-07-13T03:29:26Z</updated>
<author>
<name>Nelson Elhage</name>
<email>nelhage@ksplice.com</email>
</author>
<published>2010-11-03T16:35:40Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d91b1971d6f5f72e638123f30684332473c5e07a'/>
<id>urn:sha1:d91b1971d6f5f72e638123f30684332473c5e07a</id>
<content type='text'>
commit 6b8c92ba07287578718335ce409de8e8d7217e40 upstream.

This will let us use it on a nlmsghdr stored inside a netlink_callback.

Signed-off-by: Nelson Elhage &lt;nelhage@ksplice.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>af_unix: limit recursion level</title>
<updated>2011-05-09T22:55:36Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-11-25T04:11:39Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6019f3837946cd5872ed473cd492d90c49228ee3'/>
<id>urn:sha1:6019f3837946cd5872ed473cd492d90c49228ee3</id>
<content type='text'>
commit 25888e30319f8896fc656fc68643e6a078263060 upstream.

Its easy to eat all kernel memory and trigger NMI watchdog, using an
exploit program that queues unix sockets on top of others.

lkml ref : http://lkml.org/lkml/2010/11/25/8

This mechanism is used in applications, one choice we have is to have a
recursion limit.

Other limits might be needed as well (if we queue other types of files),
since the passfd mechanism is currently limited by socket receive queue
sizes only.

Add a recursion_level to unix socket, allowing up to 4 levels.

Each time we send an unix socket through sendfd mechanism, we copy its
recursion level (plus one) to receiver. This recursion level is cleared
when socket receive queue is emptied.

Reported-by: Марк Коренберг &lt;socketpair@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Adjust for 2.6.32]
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>mac80211: Add define for TX headroom reserved by mac80211 itself.</title>
<updated>2011-05-09T22:55:22Z</updated>
<author>
<name>Gertjan van Wingerde</name>
<email>gwingerde@gmail.com</email>
</author>
<published>2010-10-10T18:25:33Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2b5f7f94872ef2ed281783017e1a6ac787b8c107'/>
<id>urn:sha1:2b5f7f94872ef2ed281783017e1a6ac787b8c107</id>
<content type='text'>
commit d24deb2580823ab0b8425790c6f5d18e2ff749d8 upstream.

Add a definition of the amount of TX headroom reserved by mac80211 itself
for its own purposes. Also add BUILD_BUG_ON to validate the value.
This define can then be used by drivers to request additional TX headroom
in the most efficient manner.

Signed-off-by: Gertjan van Wingerde &lt;gwingerde@gmail.com&gt;
Acked-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
[bwh: Adjust context for 2.6.32]
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>sctp: Fix oops when sending queued ASCONF chunks</title>
<updated>2011-03-07T23:17:55Z</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2010-04-28T08:47:22Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d96cb2c94c9ad41a97ca3f295b25881b96899614'/>
<id>urn:sha1:d96cb2c94c9ad41a97ca3f295b25881b96899614</id>
<content type='text'>
commit c0786693404cffd80ca3cb6e75ee7b35186b2825 upstream.

When we finish processing ASCONF_ACK chunk, we try to send
the next queued ASCONF.  This action runs the sctp state
machine recursively and it's not prepared to do so.

kernel BUG at kernel/timer.c:790!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/module/ipv6/initstate
Modules linked in: sha256_generic sctp libcrc32c ipv6 dm_multipath
uinput 8139too i2c_piix4 8139cp mii i2c_core pcspkr virtio_net joydev
floppy virtio_blk virtio_pci [last unloaded: scsi_wait_scan]

Pid: 0, comm: swapper Not tainted 2.6.34-rc4 #15 /Bochs
EIP: 0060:[&lt;c044a2ef&gt;] EFLAGS: 00010286 CPU: 0
EIP is at add_timer+0xd/0x1b
EAX: cecbab14 EBX: 000000f0 ECX: c0957b1c EDX: 03595cf4
ESI: cecba800 EDI: cf276f00 EBP: c0957aa0 ESP: c0957aa0
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process swapper (pid: 0, ti=c0956000 task=c0988ba0 task.ti=c0956000)
Stack:
 c0957ae0 d1851214 c0ab62e4 c0ab5f26 0500ffff 00000004 00000005 00000004
&lt;0&gt; 00000000 d18694fd 00000004 1666b892 cecba800 cecba800 c0957b14
00000004
&lt;0&gt; c0957b94 d1851b11 ceda8b00 cecba800 cf276f00 00000001 c0957b14
000000d0
Call Trace:
 [&lt;d1851214&gt;] ? sctp_side_effects+0x607/0xdfc [sctp]
 [&lt;d1851b11&gt;] ? sctp_do_sm+0x108/0x159 [sctp]
 [&lt;d1863386&gt;] ? sctp_pname+0x0/0x1d [sctp]
 [&lt;d1861a56&gt;] ? sctp_primitive_ASCONF+0x36/0x3b [sctp]
 [&lt;d185657c&gt;] ? sctp_process_asconf_ack+0x2a4/0x2d3 [sctp]
 [&lt;d184e35c&gt;] ? sctp_sf_do_asconf_ack+0x1dd/0x2b4 [sctp]
 [&lt;d1851ac1&gt;] ? sctp_do_sm+0xb8/0x159 [sctp]
 [&lt;d1863334&gt;] ? sctp_cname+0x0/0x52 [sctp]
 [&lt;d1854377&gt;] ? sctp_assoc_bh_rcv+0xac/0xe1 [sctp]
 [&lt;d1858f0f&gt;] ? sctp_inq_push+0x2d/0x30 [sctp]
 [&lt;d186329d&gt;] ? sctp_rcv+0x797/0x82e [sctp]

Tested-by: Wei Yongjun &lt;yjwei@cn.fujitsu.com&gt;
Signed-off-by: Yuansong Qiao &lt;ysqiao@research.ait.ie&gt;
Signed-off-by: Shuaijun Zhang &lt;szhang@research.ait.ie&gt;
Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: maximilian attems &lt;max@stro.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>sctp: Fix a race between ICMP protocol unreachable and connect()</title>
<updated>2011-01-07T22:43:18Z</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2010-05-06T07:56:07Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6552df6df2fcfc281c64dea191fef144d5a188c5'/>
<id>urn:sha1:6552df6df2fcfc281c64dea191fef144d5a188c5</id>
<content type='text'>
commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819 upstream.

ICMP protocol unreachable handling completely disregarded
the fact that the user may have locked the socket.  It proceeded
to destroy the association, even though the user may have
held the lock and had a ref on the association.  This resulted
in the following:

Attempt to release alive inet socket f6afcc00

=========================
[ BUG: held lock freed! ]
-------------------------
somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
there!
 (sk_lock-AF_INET){+.+.+.}, at: [&lt;c122098a&gt;] sctp_connect+0x13/0x4c
1 lock held by somenu/2672:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [&lt;c122098a&gt;] sctp_connect+0x13/0x4c

stack backtrace:
Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
Call Trace:
 [&lt;c1232266&gt;] ? printk+0xf/0x11
 [&lt;c1038553&gt;] debug_check_no_locks_freed+0xce/0xff
 [&lt;c10620b4&gt;] kmem_cache_free+0x21/0x66
 [&lt;c1185f25&gt;] __sk_free+0x9d/0xab
 [&lt;c1185f9c&gt;] sk_free+0x1c/0x1e
 [&lt;c1216e38&gt;] sctp_association_put+0x32/0x89
 [&lt;c1220865&gt;] __sctp_connect+0x36d/0x3f4
 [&lt;c122098a&gt;] ? sctp_connect+0x13/0x4c
 [&lt;c102d073&gt;] ? autoremove_wake_function+0x0/0x33
 [&lt;c12209a8&gt;] sctp_connect+0x31/0x4c
 [&lt;c11d1e80&gt;] inet_dgram_connect+0x4b/0x55
 [&lt;c11834fa&gt;] sys_connect+0x54/0x71
 [&lt;c103a3a2&gt;] ? lock_release_non_nested+0x88/0x239
 [&lt;c1054026&gt;] ? might_fault+0x42/0x7c
 [&lt;c1054026&gt;] ? might_fault+0x42/0x7c
 [&lt;c11847ab&gt;] sys_socketcall+0x6d/0x178
 [&lt;c10da994&gt;] ? trace_hardirqs_on_thunk+0xc/0x10
 [&lt;c1002959&gt;] syscall_call+0x7/0xb

This was because the sctp_wait_for_connect() would aqcure the socket
lock and then proceed to release the last reference count on the
association, thus cause the fully destruction path to finish freeing
the socket.

The simplest solution is to start a very short timer in case the socket
is owned by user.  When the timer expires, we can do some verification
and be able to do the release properly.

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.</title>
<updated>2010-12-09T21:27:09Z</updated>
<author>
<name>John Hughes</name>
<email>john@calva.com</email>
</author>
<published>2010-04-08T04:29:25Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7281524c6476cbb85cd5156bde7c12df793bfeb3'/>
<id>urn:sha1:7281524c6476cbb85cd5156bde7c12df793bfeb3</id>
<content type='text'>
commit f5eb917b861828da18dc28854308068c66d1449a upstream.

Here is a patch to stop X.25 examining fields beyond the end of the packet.

For example, when a simple CALL ACCEPTED was received:

	10 10 0f

x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.

Signed-off-by: John Hughes &lt;john@calva.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
