aboutsummaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2006-06-30[PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without ↵Patrick McHardy
chunks [CVE-2006-2934] When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-06-20[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)Patrick McHardy
Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-30[PATCH] NETFILTER: Fix small information leak in SO_ORIGINAL_DST (CVE-2006-1343)Marcel Holtmann
It appears that sockaddr_in.sin_zero is not zeroed during getsockopt(...SO_ORIGINAL_DST...) operation. This can lead to an information leak (CVE-2006-1343). Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-22[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)Patrick McHardy
CVE-2006-2444 - Potential remote DoS in SNMP NAT helper. Fix memory corruption caused by snmp_trap_decode: - When snmp_trap_decode fails before the id and address are allocated, the pointers contain random memory, but are freed by the caller (snmp_parse_mangle). - When snmp_trap_decode fails after allocating just the ID, it tries to free both address and ID, but the address pointer still contains random memory. The caller frees both ID and random memory again. - When snmp_trap_decode fails after allocating both, it frees both, and the callers frees both again. The corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed. Found by multiple testcases of the trap-app and trap-enc groups of the PROTOS c06-snmpv1 testsuite. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-20[PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)Vladislav Yasevich
If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-20[PATCH] Netfilter: do_add_counters race, possible oops or info leak ↵Chris Wright
(CVE-2006-0039) Solar Designer found a race condition in do_add_counters(). The beginning of paddc is supposed to be the same as tmp which was sanity-checked above, but it might not be the same in reality. In case the integer overflow and/or the race condition are triggered, paddc->num_counters might not match the allocation size for paddc. If the check below (t->private->number != paddc->num_counters) nevertheless passes (perhaps this requires the race condition to be triggered), IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, potentially causing an oops or leaking sensitive data (e.g., passwords from host system or from another VPS) via counter increments. This requires CAP_NET_ADMIN. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698 Cc: Solar Designer <solar@openwall.com> Cc: Kirill Korotaev <dev@sw.ru> Cc: Patrick McHardy <kaber@trash.net> (chrisw: rebase of Kirill's patch to 2.6.16.16) Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-05-09[PATCH] SCTP: Prevent possible infinite recursion with multiple bundled ↵Vladislav Yasevich
DATA. (CVE-2006-2274) There is a rare situation that causes lksctp to go into infinite recursion and crash the system. The trigger is a packet that contains at least the first two DATA fragments of a message bundled together. The recursion is triggered when the user data buffer is smaller that the full data message. The problem is that we clone the skb for every fragment in the message. When reassembling the full message, we try to link skbs from the "first fragment" clone using the frag_list. However, since the frag_list is shared between two clones in this rare situation, we end up setting the frag_list pointer of the second fragment to point to itself. This causes sctp_skb_pull() to potentially recurse indefinitely. Proposed solution is to make a copy of the skb when attempting to link things using frag_list. Signed-off-by: Vladislav Yasevich <vladsilav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-09[PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. ↵Neil Horman
(CVE-2006-2275) This patch fixes a deadlock situation in the receive path by allowing temporary spillover of the receive buffer. - If the chunk we receive has a tsn that immediately follows the ctsn, accept it even if we run out of receive buffer space and renege data with higher TSNs. - Once we accept one chunk in a packet, accept all the remaining chunks even if we run out of receive buffer space. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Mark Butler <butlerm@middle.net> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-09[PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. ↵Sridhar Samudrala
(CVE-2006-2271) Discard an unexpected chunk in CLOSED state rather can calling BUG(). Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-09[PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. ↵Sridhar Samudrala
(CVE-2006-2272) Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that are received as skb's with fragment list. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-05-02[PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527)Patrick McHardy
[NETFILTER]: SCTP conntrack: fix infinite loop fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Fix decoding session with preceding extension header(s). We did not correctly decode session with preceding extension header(s). This was because we had already pulled preceding headers, skb->nh.raw + 40 + 1 - skb->data was minus, and pskb_may_pull() failed. We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing / decoding upper layer protocol from current position. Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> and tested by Kazunori Miyazawa <kazunori@miyazawa.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.YOSHIFUJI Hideaki / $B5HF#1QL@(B
[IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix hotplug race during device registrationThomas de Grenier de Latour
On Sun, 9 Apr 2006 21:56:59 +0400, Sergey Vlasov <vsu@altlinux.ru> wrote: > However, show_address() does not output anything unless > dev->reg_state == NETREG_REGISTERED - and this state is set by > netdev_run_todo() only after netdev_register_sysfs() returns, so in > the meantime (while netdev_register_sysfs() is busy adding the > "statistics" attribute group) some process may see an empty "address" > attribute. I've tried the attached patch, suggested by Sergey Vlasov on hotplug-devel@, and as far as i can test it works just fine. Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru> Signed-off-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-24[PATCH] Fix truesize underflowHerbert Xu
[TCP]: Fix truesize underflow There is a problem with the TSO packet trimming code. The cause of this lies in the tcp_fragment() function. When we allocate a fragment for a completely non-linear packet the truesize is calculated for a payload length of zero. This means that truesize could in fact be less than the real payload length. When that happens the TSO packet trimming can cause truesize to become negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE which would trigger the warning. I've copied the code DaveM used in tso_fragment which should work here. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-18[PATCH] ip_route_input panic fix (CVE-2006-1525)Stephen Hemminger
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388 The bug is caused by ip_route_input dereferencing skb->nh.protocol of the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing it). It only happens if the route requested is for a multicast IP address. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] atm: clip causes unregister hangStephen Hemminger
If Classical IP over ATM module is loaded, its neighbor table gets populated when permanent neighbor entries are created; but these entries are not flushed when the device is removed. Since the entry never gets flushed the unregister of the network device never completes. This version of the patch also adds locking around the reference to the atm arp daemon to avoid races with events and daemon state changes. (Note: barrier() was never really safe) Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-17[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilterPatrick McHardy
[NETFILTER]: Fix fragmentation issues with bridge netfilter The conntrack code doesn't do re-fragmentation of defragmented packets anymore but relies on fragmentation in the IP layer. Purely bridged packets don't pass through the IP layer, so the bridge netfilter code needs to take care of fragmentation itself. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] fib_trie.c node freeing fixDavid S. Miller
Please apply to 2.6.{14,15,16} -stable, thanks a lot. From: Robert Olsson <robert.olsson@its.uu.se> [FIB_TRIE]: Fix leaf freeing. Seems like leaf (end-nodes) has been freed by __tnode_free_rcu and not by __leaf_free_rcu. This fixes the problem. Only tnode_free is now used which checks for appropriate node type. free_leaf can be removed. Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-04-07[PATCH] {ip, nf}_conntrack_netlink: fix expectation notifier unregistrationMartin Josefsson
[NETFILTER]: {ip,nf}_conntrack_netlink: fix expectation notifier unregistration This patch fixes expectation notifier unregistration on module unload to use ip_conntrack_expect_unregister_notifier(). This bug causes a soft lockup at the first expectation created after a rmmod ; insmod of this module. Should go into -stable as well. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.David S. Miller
The user can pass us arbitrary garbage so we should ensure the string they give us is null terminated before we pass it on to dev_get_by_index() et al. Found by Solar Designer. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-27[PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST ↵Alexey Kuznetsov
(CVE-2006-1242) The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-19[AX.25]: Fix potencial memory hole.Ralf Baechle DL5RB
If the AX.25 dialect chosen by the sysadmin is set to DAMA master / 3 (or DAMA slave / 2, if CONFIG_AX25_DAMA_SLAVE=n) ax25_kick() will fall through the switch statement without calling ax25_send_iframe() or any other function that would eventually free skbn thus leaking the packet. Fix by restricting the sysctl inferface to allow only actually supported AX.25 dialects. The system administration mistake needed for this to happen is rather unlikely, so this is an uncritical hole. Coverity #651. Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-15[PATCH] ieee80211: Fix QoS is not active problemHong Liu
Fix QoS is not active even the network and the card is QOS enabled. The problem is we pass the wrong ieee80211_network address to ipw_handle_beacon/ipw_handle_probe_response, thus the ieee80211_network->qos_data.active will not be set, causing the driver not sending QoS frames at all. Signed-off-by: Hong Liu <hong.liu@intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-03-15[PATCH] ieee80211: Fix CCMP decryption problem when QoS is enabledZhu Yi
Use the correct STYPE for Qos data. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-03-14[PATCH] SUNRPC: Fix potential deadlock in RPC codeTrond Myklebust
In rpc_wake_up() and rpc_wake_up_status(), it is possible for the call to __rpc_wake_up_task() to fail if another thread happens to be calling rpc_wake_up_task() on the same rpc_task. Problem noticed by Bruno Faccini. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14[PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.cAdrian Bunk
The Coverity checker spotted this possible NULL pointer dereference in rpc_new_client(). Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-13[TCP]: Fix zero port problem in IPv6Herbert Xu
When we link a socket into the hash table, we need to make sure that we set the num/port fields so that it shows us with a non-zero port value in proc/netlink and on the wire. This code and comment is copied over from the IPv4 stack as is. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-03-12[NETFILTER]: arp_tables: fix NULL pointer dereferencePatrick McHardy
The check is wrong and lets NULL-ptrs slip through since !IS_ERR(NULL) is true. Coverity #190 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[IPV4/6]: Fix UFO error propagationPatrick McHardy
When ufo_append_data fails err is uninitialized, but returned back. Strangely gcc doesn't notice it. Coverity #901 and #902 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[TCP]: tcp_highspeed: fix AIMD table out-of-bounds accessPatrick McHardy
Covertiy #547 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[NETLINK]: Fix use-after-free in netlink_recvmsgPatrick McHardy
The skb given to netlink_cmsg_recv_pktinfo is already freed, move it up a few lines. Coverity #948 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[XFRM]: Fix leak in ah6_inputPatrick McHardy
tmp_hdr is not freed when ipv6_clear_mutable_options fails. Coverity #650 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[NET_SCHED]: act_api: fix skb leak in error pathPatrick McHardy
The skb is allocated by the function, so it needs to be freed instead of trimmed on overrun. Coverity #614 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-12[NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereferencePatrick McHardy
Fix NULL-ptr dereference when a config message for a non-existant queue containing only an NFQA_CFG_PARAMS attribute is received. Coverity #433 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11[TCP]: Fix tcp_tso_should_defer() when limit>=65536David S. Miller
That's >= a full sized TSO frame, so we should always return 0 in that case. Based upon a report and initial patch from Lachlan Andrew, final patch suggested by Herbert Xu. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11[NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOGGregor Maier
Signed-off-by: Gregor Maier <gregor@net.in.tum.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-11[IPV6]: fix ipv6_saddr_score struct elementBrian Haley
The scope element in the ipv6_saddr_score struct used in ipv6_dev_get_saddr() is an unsigned integer, but __ipv6_addr_src_scope() returns a signed integer (and can return -1). Signed-off-by: Brian Haley <brian.haley@hp.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-08[PATCH] fix file countingDipankar Sarma
I have benchmarked this on an x86_64 NUMA system and see no significant performance difference on kernbench. Tested on both x86_64 and powerpc. The way we do file struct accounting is not very suitable for batched freeing. For scalability reasons, file accounting was constructor/destructor based. This meant that nr_files was decremented only when the object was removed from the slab cache. This is susceptible to slab fragmentation. With RCU based file structure, consequent batched freeing and a test program like Serge's, we just speed this up and end up with a very fragmented slab - llm22:~ # cat /proc/sys/fs/file-nr 587730 0 758844 At the same time, I see only a 2000+ objects in filp cache. The following patch I fixes this problem. This patch changes the file counting by removing the filp_count_lock. Instead we use a separate percpu counter, nr_files, for now and all accesses to it are through get_nr_files() api. In the sysctl handler for nr_files, we populate files_stat.nr_files before returning to user. Counting files as an when they are created and destroyed (as opposed to inside slab) allows us to correctly count open files with RCU. Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com> Cc: "Paul E. McKenney" <paulmck@us.ibm.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-07[NETFILTER] ip_queue: Fix wrong skb->len == nlmsg_len assumptionThomas Graf
The size of the skb carrying the netlink message is not equivalent to the length of the actual netlink message due to padding. ip_queue matches the length of the payload against the original packet size to determine if packet mangling is desired, due to the above wrong assumption arbitary packets may not be mangled depening on their original size. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-04[DCCP] ccid3: Divide by zero fixIan McDonald
In rare circumstances 0 is returned by dccp_li_hist_calc_i_mean which leads to a divide by zero in ccid3_hc_rx_packet_recv. Explicitly check for zero return now. Update copyright notice at same time. Found by Arnaldo. Signed-off-by: Ian McDonald <imcdnzl@gmail.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-04[ATM]: keep atmsvc failure messages quietChas Williams
Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-04[BRIDGE]: generate kobject remove eventStephen Hemminger
The earlier round of kobject/sysfs changes to bridge caused it not to generate a uevent on removal. Don't think any application cares (not sure about Xen) but since it generates add uevent it should generate remove as well. Signed-off-by: Stephen Hemminger <shemmigner@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-04[BRIDGE]: port timer initializationStephen Hemminger
Initialize the STP timers for a port when it is created, rather than when it is enabled. This will prevent future race conditions where timer gets started before port is enabled. Signed-off-by: Stephen Hemminger <shemmigner@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-04[BRIDGE]: fix crash in STPStephen Hemminger
Bridge would crash because of uninitailized timer if STP is used and device was inserted into a bridge before bridge was up. This got introduced when the delayed port checking was added. Fix is to not enable STP on port unless bridge is up. Bugzilla: http://bugzilla.kernel.org/show_bug.cgi?id=6140 Dup: http://bugzilla.kernel.org/show_bug.cgi?id=6156 Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-28Merge branch 'upstream-fixes' of ↵Jeff Garzik
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2006-02-27[PATCH] ieee80211_rx.c: is_beaconPete Zaitcev
Fix broken is_beacon(). Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-02-27[REQSK]: Don't reset rskq_defer_accept in reqsk_queue_allocArnaldo Carvalho de Melo
In 295f7324ff8d9ea58b4d3ec93b1aaa1d80e048a9 I moved defer_accept from tcp_sock to request_queue and mistakingly reset it at reqsl_queue_alloc, causing calls to setsockopt(TCP_DEFER_ACCEPT ) to be lost after bind, the fix is to remove the zeroing of rskq_defer_accept from reqsl_queue_alloc. Thanks to Alexandra N. Kossovsky <Alexandra.Kossovsky@oktetlabs.ru> for reporting and testing the suggested fix. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-27[NETFILTER]: Restore {ipt,ip6t,ebt}_LOG compatibilityPatrick McHardy
The nfnetlink_log infrastructure changes broke compatiblity of the LOG targets. They currently use whatever log backend was registered first, which means that if ipt_ULOG was loaded first, no messages will be printed to the ring buffer anymore. Restore compatiblity by using the old log functions by default and only use the nf_log backend if the user explicitly said so. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>