1. 22 Mar, 2011 5 commits
    • Arnd Bergmann's avatar
      net/appletalk: fix atalk_release use after free · b20e7bbf
      Arnd Bergmann authored
      The BKL removal in appletalk introduced a use-after-free problem,
      where atalk_destroy_socket frees a sock, but we still release
      the socket lock on it.
      
      An easy fix is to take an extra reference on the sock and sock_put
      it when returning from atalk_release.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b20e7bbf
    • Eric Dumazet's avatar
      ipx: fix ipx_release() · 674f2115
      Eric Dumazet authored
      Commit b0d0d915 (remove the BKL) added a regression, because
      sock_put() can free memory while we are going to use it later.
      
      Fix is to delay sock_put() _after_ release_sock().
      Reported-by: default avatarIngo Molnar <mingo@elte.hu>
      Tested-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      674f2115
    • Eric Dumazet's avatar
      snmp: SNMP_UPD_PO_STATS_BH() always called from softirq · 20246a80
      Eric Dumazet authored
      We dont need to test if we run from softirq context, we definitely are.
      
      This saves few instructions in ip_rcv() & ip_rcv_finish()
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20246a80
    • James Chapman's avatar
      l2tp: fix possible oops on l2tp_eth module unload · 8aa525a9
      James Chapman authored
      A struct used in the l2tp_eth driver for registering network namespace
      ops was incorrectly marked as __net_initdata, leading to oops when
      module unloaded.
      
      BUG: unable to handle kernel paging request at ffffffffa00ec098
      IP: [<ffffffff8123dbd8>] ops_exit_list+0x7/0x4b
      PGD 142d067 PUD 1431063 PMD 195da8067 PTE 0
      Oops: 0000 [#1] SMP 
      last sysfs file: /sys/module/l2tp_eth/refcnt
      Call Trace:
       [<ffffffff8123dc94>] ? unregister_pernet_operations+0x32/0x93
       [<ffffffff8123dd20>] ? unregister_pernet_device+0x2b/0x38
       [<ffffffff81068b6e>] ? sys_delete_module+0x1b8/0x222
       [<ffffffff810c7300>] ? do_munmap+0x254/0x318
       [<ffffffff812c64e5>] ? page_fault+0x25/0x30
       [<ffffffff812c6952>] ? system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8aa525a9
    • Wei Yongjun's avatar
      xfrm: Fix initialize repl field of struct xfrm_state · a454f0cc
      Wei Yongjun authored
      Commit 'xfrm: Move IPsec replay detection functions to a separate file'
        (9fdc4883)
      introduce repl field to struct xfrm_state, and only initialize it
      under SA's netlink create path, the other path, such as pf_key,
      ipcomp/ipcomp6 etc, the repl field remaining uninitialize. So if
      the SA is created by pf_key, any input packet with SA's encryption
      algorithm will cause panic.
      
          int xfrm_input()
          {
              ...
              x->repl->advance(x, seq);
              ...
          }
      
      This patch fixed it by introduce new function __xfrm_init_state().
      
      Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs
      EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0
      EIP is at xfrm_input+0x31c/0x4cc
      EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000
      ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000)
      Stack:
       00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0
       00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000
       dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32
      Call Trace:
       [<c0786848>] xfrm4_rcv_encap+0x22/0x27
       [<c0786868>] xfrm4_rcv+0x1b/0x1d
       [<c074ee56>] ip_local_deliver_finish+0x112/0x1b1
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074ef77>] ip_local_deliver+0x3e/0x44
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ec03>] ip_rcv_finish+0x30a/0x332
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074f188>] ip_rcv+0x20b/0x247
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c072797d>] __netif_receive_skb+0x373/0x399
       [<c0727bc1>] netif_receive_skb+0x4b/0x51
       [<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp]
       [<c072818f>] net_rx_action+0x9a/0x17d
       [<c0445b5c>] __do_softirq+0xa1/0x149
       [<c0445abb>] ? __do_softirq+0x0/0x149
      Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a454f0cc
  2. 20 Mar, 2011 7 commits
    • David S. Miller's avatar
    • David S. Miller's avatar
    • Vasiliy Kulikov's avatar
      netfilter: ipt_CLUSTERIP: fix buffer overflow · 961ed183
      Vasiliy Kulikov authored
      'buffer' string is copied from userspace.  It is not checked whether it is
      zero terminated.  This may lead to overflow inside of simple_strtoul().
      Changli Gao suggested to copy not more than user supplied 'size' bytes.
      
      It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
      root writable only by default, however, on some setups permissions might be
      relaxed to e.g. network admin user.
      Signed-off-by: default avatarVasiliy Kulikov <segoon@openwall.com>
      Acked-by: default avatarChangli Gao <xiaosuo@gmail.com>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      961ed183
    • Eric Dumazet's avatar
      netfilter: xtables: fix reentrancy · db856674
      Eric Dumazet authored
      commit f3c5c1bf (make ip_tables reentrant) introduced a race in
      handling the stackptr restore, at the end of ipt_do_table()
      
      We should do it before the call to xt_info_rdunlock_bh(), or we allow
      cpu preemption and another cpu overwrites stackptr of original one.
      
      A second fix is to change the underflow test to check the origptr value
      instead of 0 to detect underflow, or else we allow a jump from different
      hooks.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Cc: Jan Engelhardt <jengelh@medozas.de>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      db856674
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: fix checking the type revision at create command · 5c1aba46
      Jozsef Kadlecsik authored
      The revision of the set type was not checked at the create command: if the
      userspace sent a valid set type but with not supported revision number,
      it'd create a loop.
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      5c1aba46
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: fix address ranges at hash:*port* types · 5e0c1eb7
      Jozsef Kadlecsik authored
      The hash:*port* types with IPv4 silently ignored when address ranges
      with non TCP/UDP were added/deleted from the set and used the first
      address from the range only.
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      5e0c1eb7
    • David S. Miller's avatar
      niu: Rename NIU parent platform device name to fix conflict. · a769f496
      David S. Miller authored
      When the OF device driver bits were converted over to the platform
      device infrastructure in commit 74888760
      ("dt/net: Eliminate users of of_platform_{,un}register_driver") we
      inadvertantly created probing problems in the OF case.
      
      The NIU driver creates a dummy platform device to represent the
      board that contains one or more child NIU devices.  Unfortunately
      we use the same name, "niu", as the OF device driver itself uses.
      
      The result is that we try to probe the dummy "niu" parent device we
      create, and since it has a NULL ofdevice pointer etc. everything
      explodes:
      
      [783019.128243] niu: niu.c:v1.1 (Apr 22, 2010)
      [783019.128810] Unable to handle kernel NULL pointer dereference
      [783019.128949] tsk->{mm,active_mm}->context = 000000000000039e
      [783019.129078] tsk->{mm,active_mm}->pgd = fffff803afc5a000
      [783019.129206]               \|/ ____ \|/
      [783019.129213]               "@'/ .. \`@"
      [783019.129220]               /_| \__/ |_\
      [783019.129226]                  \__U_/
      [783019.129378] modprobe(2004): Oops [#1]
      [783019.129423] TSTATE: 0000000011001602 TPC: 0000000010052ff8 TNPC: 000000000061bbb4 Y: 00000000    Not tainted
      [783019.129542] TPC: <niu_of_probe+0x3c/0x2dc [niu]>
      [783019.129624] g0: 8080000000000000 g1: 0000000000000000 g2: 0000000010056000 g3: 0000000000000002
      [783019.129733] g4: fffff803fc1da0c0 g5: fffff800441e2000 g6: fffff803fba84000 g7: 0000000000000000
      [783019.129842] o0: fffff803fe7df010 o1: 0000000010055700 o2: 0000000000000000 o3: fffff803fbacaca0
      [783019.129951] o4: 0000000000000080 o5: 0000000000777908 sp: fffff803fba866e1 ret_pc: 0000000010052ff4
      [783019.130083] RPC: <niu_of_probe+0x38/0x2dc [niu]>
      [783019.130165] l0: fffff803fe7df010 l1: fffff803fbacafc0 l2: fffff803fbacaca0 l3: ffffffffffffffed
      [783019.130273] l4: 0000000000000000 l5: 000000007fffffff l6: fffff803fba86f40 l7: 0000000000000001
      [783019.130382] i0: fffff803fe7df000 i1: fffff803fc20aba0 i2: 0000000000000000 i3: 0000000000000001
      [783019.130490] i4: 0000000000000000 i5: 0000000000000000 i6: fffff803fba867a1 i7: 000000000062038c
      [783019.130614] I7: <platform_drv_probe+0xc/0x20>
      
      Fix by simply renaming the parent device to "niu-board".
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a769f496
  3. 19 Mar, 2011 3 commits
  4. 18 Mar, 2011 25 commits