1. 13 Apr, 2008 3 commits
    • Patrick McHardy's avatar
      [DCCP]: Fix skb->cb conflicts with IP · 028b0275
      Patrick McHardy authored
      dev_queue_xmit() and the other IP output functions expect to get a skb
      with clear or properly initialized skb->cb. Unlike TCP and UDP, the
      dccp_skb_cb doesn't contain a struct inet_skb_parm at the beginning,
      so the DCCP-specific data is interpreted by the IP output functions.
      This can cause false negatives for the conditional POST_ROUTING hook
      invocation, making the packet bypass the hook.
      
      Add a inet_skb_parm/inet6_skb_parm union to the beginning of
      dccp_skb_cb to avoid clashes. Also add a BUILD_BUG_ON to make
      sure it fits in the cb.
      
      [ Combined with patch from Gerrit Renker to remove two now unnecessary
        memsets of IPCB(skb)->opt ]
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Acked-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      028b0275
    • Pavel Emelyanov's avatar
      [AX25]: Potential ax25_uid_assoc-s leaks on module unload. · ae1b6a31
      Pavel Emelyanov authored
      The ax25_uid_free call walks the ax25_uid_list and releases entries
      from it. The problem is that after the fisrt call to hlist_del_init
      the hlist_for_each_entry (which hides behind the ax25_uid_for_each)
      will consider the current position to be the last and will return.
      
      Thus, the whole list will be left not freed.
      Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae1b6a31
    • Sergei Shtylyov's avatar
      tg3: fix MMIO for PPC 44x platforms · 2de58e30
      Sergei Shtylyov authored
      The driver stores the PCI resource addresses into 'unsigned long' variable
      before calling ioremap_nocache() on them. This warrants kernel oops when the
      registers are accessed on PPC 44x platforms which (being 32-bit) have PCI
      memory space mapped beyond 4 GB.
      
      The arch/ppc/ kernel has a fixup in ioremap() that creates an illusion that
      the PCI memory resource is mapped below 4 GB, but arch/powerpc/ code got rid
      of this trick, having instead CONFIG_RESOURCES_64BIT enabled.
      
      [ Bump driver version and release date -DaveM ]
      Signed-off-by: default avatarSergei Shtylyov <sshtylyov@ru.mvista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2de58e30
  2. 12 Apr, 2008 10 commits
  3. 11 Apr, 2008 1 commit
  4. 10 Apr, 2008 1 commit
    • David S. Miller's avatar
      [IPV4]: Fix byte value boundary check in do_ip_getsockopt(). · 951e07c9
      David S. Miller authored
      This fixes kernel bugzilla 10371.
      
      As reported by M.Piechaczek@osmosys.tv, if we try to grab a
      char sized socket option value, as in:
      
        unsigned char ttl = 255;
        socklen_t     len = sizeof(ttl);
        setsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
      
        getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
      
      The ttl returned will be wrong on big-endian, and on both little-
      endian and big-endian the next three bytes in userspace are written
      with garbage.
      
      It's because of this test in do_ip_getsockopt():
      
      	if (len < sizeof(int) && len > 0 && val>=0 && val<255) {
      
      It should allow a 'val' of 255 to pass here, but it doesn't so it
      copies a full 'int' back to userspace.
      
      On little-endian that will write the correct value into the location
      but it spams on the next three bytes in userspace.  On big endian it
      writes the wrong value into the location and spams the next three
      bytes.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      951e07c9
  5. 09 Apr, 2008 9 commits
  6. 08 Apr, 2008 10 commits
  7. 04 Apr, 2008 6 commits