Linux kernel source tree https://git.amat.us/linux/atom/net?h=v2.6.16.44 2007-03-11T06:43:46Z 2007-03-11T06:43:46Z Chris Wright chrisw@sous-sol.org 2007-03-11T06:43:46Z urn:sha1:3c872db41104b651851b10784b0a99c8e268c89c User supplied len < 0 can cause leak of kernel memory. Use unsigned compare instead. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-11T06:42:33Z Olaf Kirch olaf.kirch@oracle.com 2007-03-11T06:42:33Z urn:sha1:6d2c0df71d1ecc0ed52f0631c6aee8d7f992cc43 I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155 Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-09T06:15:40Z David S. Miller davem@davemloft.net 2007-03-09T06:15:40Z urn:sha1:5edf0f4dfbc697487add3c6eaecca1c9bf285d84 Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-08T07:43:47Z Arnaldo Carvalho de Melo acme@redhat.com 2007-03-08T07:43:47Z urn:sha1:e62a305abfd6ec65c6d5aab05ed94109408f4c5c On 2/28/07, KOVACS Krisztian <hidden@balabit.hu> wrote: > > Hi, > > While reading TCP minisock code I've found this suspiciously looking > code fragment: > > - 8< - > struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb) > { > struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC); > > if (newsk != NULL) { > const struct inet_request_sock *ireq = inet_rsk(req); > struct tcp_request_sock *treq = tcp_rsk(req); > struct inet_connection_sock *newicsk = inet_csk(sk); > struct tcp_sock *newtp; > - 8< - > > The above code initializes newicsk to inet_csk(sk), isn't that supposed > to be inet_csk(newsk)? As far as I can tell this might leave > icsk_ack.last_seg_size zero even if we do have received data. Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-08T07:40:07Z David Stevens dlstevens@us.ibm.com 2007-03-08T07:40:07Z urn:sha1:42e1e229bad37376acf033f14baad9fca2e8584f Reading /proc/net/anycast6 when there is no anycast address on an interface results in an ever-increasing inet6_dev reference count, as well as a reference to the netdevice you can't get rid of. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-08T07:38:52Z Michal Wrobel xmxwx@asn.pl 2007-03-08T07:38:52Z urn:sha1:6ba50d10b7b7d8d0b6ef7150b705897dbfd05507 This patch fixes a bug in Linux IPv6 stack which caused anycast address to be added to a device prior DAD has been completed. This led to incorrect reference count which resulted in infinite wait for unregister_netdevice completion on interface removal. Signed-off-by: Michal Wrobel <xmxwx@asn.pl> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-03-08T07:21:15Z Herbert Xu herbert@gondor.apana.org.au 2007-03-08T07:21:15Z urn:sha1:822f952f2ab27ca3f06d6fb3e57c34195b1e0583 The header may have moved when trimming. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-02-26T22:47:11Z Patrick McHardy kaber@trash.net 2007-02-26T22:47:11Z urn:sha1:b2afa146899caaa55e49839a21e0c98f504e05ad Dave Jones wrote: > sfuzz D 724EF62A 2828 28717 28691 (NOTLB) > cd69fe98 00000082 0000012d 724ef62a 0001971a 00000010 00000007 df6d22b0 > dfd81080 725bbc5e 0001971a 000cc634 00000001 df6d23bc c140e260 00000202 > de1d5ba0 cd69fea0 de1d5ba0 00000000 00000000 de1d5b60 de1d5b8c de1d5ba0 > Call Trace: > [<c05b1708>] lock_sock+0x75/0xa6 > [<e0b0b604>] dn_getname+0x18/0x5f [decnet] > [<c05b083b>] sys_getsockname+0x5c/0xb0 > [<c05b0b46>] sys_socketcall+0xef/0x261 > [<c0403f97>] syscall_call+0x7/0xb > DWARF2 unwinder stuck at syscall_call+0x7/0xb > > I wonder if the plethora of lockdep related changes inadvertantly broke something? Looks like unbalanced locking. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-02-26T00:36:47Z Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2007-02-26T00:36:47Z urn:sha1:9586568a59bf51bc50768f00a076a1e03e55eebc TCP may advertize up to 16-bits window in SYN packets (no window scaling allowed). At the same time, TCP may have rcv_wnd (32-bits) that does not fit to 16-bits without window scaling resulting in pseudo garbage into advertized window from the low-order bits of rcv_wnd. This can happen at least when mss <= (1<<wscale) (see tcp_select_initial_window). This patch fixes the handling of SYN advertized windows (compile tested only). In worst case (which is unlikely to occur though), the receiver advertized window could be just couple of bytes. I'm not sure that such situation would be handled very well at all by the receiver!? Fortunately, the situation normalizes after the first non-SYN ACK is received because it has the correct, scaled window. Alternatively, tcp_select_initial_window could be changed to prevent too large rcv_wnd in the first place. [ tcp_make_synack() has the same bug, and I've added a fix for that to this patch -DaveM ] Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 2007-02-26T00:31:58Z Alexey Dobriyan adobriyan@openvz.org 2007-02-26T00:31:58Z urn:sha1:666ebed8390d4cf3d0411163c6c2e0098e6a148e add_grhead() allocates memory with GFP_ATOMIC and in at least two places skb from it passed to skb_put() without checking. Adrian Bunk: backported to 2.6.16 Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>