Linux kernel source tree https://git.amat.us/linux/atom/net?h=v2.6.27.9 2008-12-13T23:29:17Z 2008-12-13T23:29:17Z Chas Williams chas@cmf.nrl.navy.mil 2008-12-04T22:58:13Z urn:sha1:408ed10553e708166cdee751cf0e1babc602ee17 commit 17b24b3c97498935a2ef9777370b1151dfed3f6f upstream. As reported by Hugo Dias that it is possible to cause a local denial of service attack by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-12-13T23:29:12Z Eric Dumazet dada1@cosmosbay.com 2008-12-08T10:12:16Z urn:sha1:6e7f7429b1f5a151943d920e52fdd59b5e7d13ba [ Upstream commit 920a46115ca3fa88990276d98520abab85495b2d ] Current UDP multicast delivery is not namespace aware. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Acked-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-12-13T23:29:11Z Jianjun Kong jianjun@zeuux.org 2008-11-02T04:37:27Z urn:sha1:0a2093552fba5f5e06bd81e413f62f60880dd182 [ Upstream commit 48dcc33e5e11de0f76b65b113988dbc930d17395 ] fix problem of return value net/unix/af_unix.c: unix_net_init() when error appears, it should return 'error', not always return 0. Signed-off-by: Jianjun Kong <jianjun@zeuux.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2008-12-05T18:55:25Z dann frazier dannf@hp.com 2008-11-26T23:32:27Z urn:sha1:d7fc504d906a210ae3e24741e45504c1df87035f commit 5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3 upstream. This is an implementation of David Miller's suggested fix in: https://bugzilla.redhat.com/show_bug.cgi?id=470201 It has been updated to use wait_event() instead of wait_event_interruptible(). Paraphrasing the description from the above report, it makes sendmsg() block while UNIX garbage collection is in progress. This avoids a situation where child processes continue to queue new FDs over a AF_UNIX socket to a parent which is in the exit path and running garbage collection on these FDs. This contention can result in soft lockups and oom-killing of unrelated processes. Signed-off-by: dann frazier <dannf@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-20T22:54:48Z Eric Dumazet dada1@cosmosbay.com 2008-11-11T05:43:08Z urn:sha1:861ea9ffa58a2c2cd55bc87b59e8eb77fb635b28 commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 upstream. icmpmsg_put() can happily corrupt kernel memory, using a static table and forgetting to reset an array index in a loop. Remove the static array since its not safe without proper locking. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-13T17:55:58Z Miklos Szeredi mszeredi@suse.cz 2008-11-09T19:50:02Z urn:sha1:dc56d50c44eb80aca5ce60e881c6444f39c82461 commit 6209344f5a3795d34b7f2c0061f49802283b6bdd upstream Previously I assumed that the receive queues of candidates don't change during the GC. This is only half true, nothing can be received from the queues (see comment in unix_gc()), but buffers could be added through the other half of the socket pair, which may still have file descriptors referring to it. This can result in inc_inflight_move_tail() erronously increasing the "inflight" counter for a unix socket for which dec_inflight() wasn't previously called. This in turn can trigger the "BUG_ON(total_refs < inflight_refs)" in a later garbage collection run. Fix this by only manipulating the "inflight" counter for sockets which are candidates themselves. Duplicating the file references in unix_attach_fds() is also needed to prevent a socket becoming a candidate for GC while the skb that contains it is not yet queued. Reported-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-07T17:55:19Z David Miller davem@davemloft.net 2008-11-06T08:37:40Z urn:sha1:1dbbd0bf5d15397a4e4a1ae3e3e82e0fe4f83c3a commit f8d570a4745835f2238a33b537218a1bb03fc671 and 3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't good enough...) __scm_destroy() walks the list of file descriptors in the scm_fp_list pointed to by the scm_cookie argument. Those, in turn, can close sockets and invoke __scm_destroy() again. There is nothing which limits how deeply this can occur. The idea for how to fix this is from Linus. Basically, we do all of the fput()s at the top level by collecting all of the scm_fp_list objects hit by an fput(). Inside of the initial __scm_destroy() we keep running the list until it is empty. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-07T03:05:41Z Jarek Poplawski jarkao2@gmail.com 2008-10-20T06:37:47Z urn:sha1:9a8eac41549d7ae0e40744177edd8dc8d59592e4 [ Upstream commit 9f3ffae0dbce491a3e9871b686342fd5aa854f05 ] After these commands: # modprobe sch_teql # tc qdisc add dev eth0 root teql0 # tc qdisc del dev eth0 root we get an oops in teql_destroy() when spin_lock is taken from a null qdisc_sleeping pointer. It's because at the moment teql0 dev haven't been activated yet, and a qdisc_root_sleeping() is pointing to noop qdisc's netdev_queue with qdisc_sleeping uninitialized. This patch fixes this both for noop and noqueue netdev_queues to avoid similar problems in the future. Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-07T03:05:41Z Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2008-10-08T21:36:33Z urn:sha1:a331c85a4d4b4d150d1cd9217aec376cabedd0bf [ Upstream commit 53b125779fb0b29e5b316bf3dc7d199e6dcea567 ] More breakage :-), part of timestamps just were previously overwritten. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-11-07T03:05:41Z Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2008-10-23T21:06:35Z urn:sha1:d4c9dac18e980a46ab767b2fd0182e58f8e44279 [ Upstream commit fd6149d332973bafa50f03ddb0ea9513e67f4517 ] This is not our bug! Sadly some devices cannot cope with the change of TCP option ordering which was a result of the recent rewrite of the option code (not that there was some particular reason steming from the rewrite for the reordering) though any ordering of TCP options is perfectly legal. Thus we restore the original ordering to allow interoperability with/through such broken devices and add some warning about this trap. Since the reordering just happened without any particular reason, this change shouldn't cost us anything. There are already couple of known failure reports (within close proximity of the last release), so the problem might be more wide-spread than a single device. And other reports which may be due to the same problem though the symptoms were less obvious. Analysis of one of the case revealed (with very high probability) that sack capability cannot be negotiated as the first option (SYN never got a response). Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Reported-by: Aldo Maggi <sentiniate@tiscali.it> Tested-by: Aldo Maggi <sentiniate@tiscali.it> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>