Linux kernel source tree https://git.amat.us/linux/atom/net/ipv4?h=v2.6.35 2010-07-19T19:43:49Z 2010-07-19T19:43:49Z Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2010-07-19T01:16:18Z urn:sha1:45e77d314585869dfe43c82679f7e08c9b35b898 It can happen that there are no packets in queue while calling tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns NULL and that gets deref'ed to get sacked into a local var. There is no work to do if no packets are outstanding so we just exit early. This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out guard to make joining diff nicer). Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Reported-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de> Tested-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-07-16T05:38:43Z Ben Greear greearb@candelatech.com 2010-07-15T13:22:33Z urn:sha1:e40dbc51fbcc3281bb52ecf0f5bec693d36e2aea This was detected using two mcast router tables. The pimreg for the second interface did not have a specific mrule, so packets received by it were handled by the default table, which had nothing configured. This caused the ipmr_fib_lookup to fail, causing the memory leak. Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-07-14T21:45:15Z Changli Gao xiaosuo@gmail.com 2010-07-12T21:00:12Z urn:sha1:3a047bf87b1b6f69c62ab9fb28072c639cb7e2fa rfs: call sock_rps_record_flow() in tcp_splice_read() call sock_rps_record_flow() in tcp_splice_read(), so the applications using splice(2) or sendfile(2) can utilize RFS. Signed-off-by: Changli Gao <xiaosuo@gmail.com> ---- net/ipv4/tcp.c | 1 + 1 file changed, 1 insertion(+) Signed-off-by: David S. Miller <davem@davemloft.net> 2010-07-04T18:46:07Z Peter Kosyh p.kosyh@gmail.com 2010-07-02T07:47:55Z urn:sha1:44b451f1633896de15d2d52e1a2bd462e80b7814 While using xfrm by MARK feature in 2.6.34 - 2.6.35 kernels, the mark is always cleared in flowi structure via memset in _decode_session4 (net/ipv4/xfrm4_policy.c), so the policy lookup fails. IPv6 code is affected by this bug too. Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-21T20:57:34Z Herbert Xu herbert@gondor.apana.org.au 2010-06-15T01:52:25Z urn:sha1:26cde9f7e2747b6d254b704594eed87ab959afa5 It has been reported that the new UFO software fallback path fails under certain conditions with NFS. I tracked the problem down to the generation of UFO packets that are smaller than the MTU. The software fallback path simply discards these packets. This patch fixes the problem by not generating such packets on the UFO path. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-07T09:57:14Z Eric Dumazet eric.dumazet@gmail.com 2010-06-06T23:48:40Z urn:sha1:035320d54758e21227987e3aae0d46e7a04f4ddc ipmr_rules_exit() and ip6mr_rules_exit() free a list of items, but forget to properly remove these items from list. List head is not changed and still points to freed memory. This can trigger a fault later when icmpv6_sk_exit() is called. Fix is to either reinit list, or use list_del() to properly remove items from list before freeing them. bugzilla report : https://bugzilla.kernel.org/show_bug.cgi?id=16120 Introduced by commit d1db275dd3f6e4 (ipv6: ip6mr: support multiple tables) and commit f0ad0860d01e (ipv4: ipmr: support multiple tables) Reported-by: Alex Zhavnerchik <alex.vizor@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-04T22:56:03Z Eric Dumazet eric.dumazet@gmail.com 2010-06-03T05:45:47Z urn:sha1:c44649216522cd607a4027d2ebf4a8147d3fa94c Its better to make a route lookup in appropriate namespace. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-04T22:56:02Z Eric Dumazet eric.dumazet@gmail.com 2010-06-03T09:03:58Z urn:sha1:ca55158c6ecb7832a6ad80ac44a14d23bab8cdfc I believe a moderate SYN flood attack can corrupt RFS flow table (rps_sock_flow_table), making RPS/RFS much less effective. Even in a normal situation, server handling short lived sessions suffer from bad steering for the first data packet of a session, if another SYN packet is received for another session. We do following action in tcp_v4_rcv() : sock_rps_save_rxhash(sk, skb->rxhash); We should _not_ do this if sk is a LISTEN socket, as about each packet received on a LISTEN socket has a different rxhash than previous one. -> RPS_NO_CPU markers are spread all over rps_sock_flow_table. Also, it makes sense to protect sk->rxhash field changes with socket lock (We currently can change it even if user thread owns the lock and might use rxhash) This patch moves sock_rps_save_rxhash() to a sock locked section, and only for non LISTEN sockets. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-04T22:56:01Z Florian Westphal fw@strlen.de 2010-06-03T00:42:30Z urn:sha1:57f1553ee5d9f093660cc49098f494e17ed11668 syncookies default to on since e994b7c901ded7200b525a707c6da71f2cf6d4bb (tcp: Don't make syn cookies initial setting depend on CONFIG_SYSCTL). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-06-02T14:15:48Z Daniele Lacamera root@danielinux.net 2010-06-02T02:02:04Z urn:sha1:edafe502404f3669d364b6e96d79b54067b634b4 For large values of rtt, 2^rho operation may overflow u32. Clamp down the increment to 2^16. Signed-off-by: Daniele Lacamera <root@danielinux.net> Signed-off-by: David S. Miller <davem@davemloft.net>