1. 20 Jul, 2009 11 commits
  2. 17 Jul, 2009 22 commits
  3. 16 Jul, 2009 2 commits
    • Eric Dumazet's avatar
      netfilter: nf_conntrack: nf_conntrack_alloc() fixes · 941297f4
      Eric Dumazet authored
      When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating
      objects, since slab allocator could give a freed object still used by lockless
      readers.
      
      In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next
      being always valid (ie containing a valid 'nulls' value, or a valid pointer to next
      object in hash chain.)
      
      kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid
      for ct->tuplehash[xxx].hnnode.next.
      
      Fix is to call kmem_cache_alloc() and do the zeroing ourself.
      
      As spotted by Patrick, we also need to make sure lookup keys are committed to
      memory before setting refcount to 1, or a lockless reader could get a reference
      on the old version of the object. Its key re-check could then pass the barrier.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      941297f4
    • Patrick McHardy's avatar
      netfilter: xt_osf: fix nf_log_packet() arguments · aa6a03eb
      Patrick McHardy authored
      The first argument is the address family, the second one the hook
      number.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      aa6a03eb
  4. 15 Jul, 2009 5 commits
    • Johannes Berg's avatar
      gianfar: remove unused DECLARE_MAC_BUF · c86ae826
      Johannes Berg authored
      The use of it was converted to %pM, but the variable
      stuck -- remove it now to not cause spurious warnings.
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c86ae826
    • Lothar Waßmann's avatar
      net/can: add module alias to can protocol drivers · b13bb2e9
      Lothar Waßmann authored
      Add appropriate MODULE_ALIAS() to facilitate autoloading of can protocol drivers
      Signed-off-by: default avatarLothar Wassmann <LW@KARO-electronics.de>
      Acked-by: default avatarOliver Hartkopp <oliver@hartkopp.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b13bb2e9
    • Lothar Waßmann's avatar
      net/can bugfix: use after free bug in can protocol drivers · f7e5cc0c
      Lothar Waßmann authored
      Fix a use after free bug in can protocol drivers
      
      The release functions of the can protocol drivers lack a call to
      sock_orphan() which leads to referencing freed memory under certain
      circumstances.
      
      This patch fixes a bug reported here:
      https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.htmlSigned-off-by: default avatarLothar Wassmann <LW@KARO-electronics.de>
      Acked-by: default avatarOliver Hartkopp <oliver@hartkopp.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7e5cc0c
    • Johannes Berg's avatar
      net/compat/wext: send different messages to compat tasks · 1dacc76d
      Johannes Berg authored
      Wireless extensions have the unfortunate problem that events
      are multicast netlink messages, and are not independent of
      pointer size. Thus, currently 32-bit tasks on 64-bit platforms
      cannot properly receive events and fail with all kinds of
      strange problems, for instance wpa_supplicant never notices
      disassociations, due to the way the 64-bit event looks (to a
      32-bit process), the fact that the address is all zeroes is
      lost, it thinks instead it is 00:00:00:00:01:00.
      
      The same problem existed with the ioctls, until David Miller
      fixed those some time ago in an heroic effort.
      
      A different problem caused by this is that we cannot send the
      ASSOCREQIE/ASSOCRESPIE events because sending them causes a
      32-bit wpa_supplicant on a 64-bit system to overwrite its
      internal information, which is worse than it not getting the
      information at all -- so we currently resort to sending a
      custom string event that it then parses. This, however, has a
      severe size limitation we are frequently hitting with modern
      access points; this limitation would can be lifted after this
      patch by sending the correct binary, not custom, event.
      
      A similar problem apparently happens for some other netlink
      users on x86_64 with 32-bit tasks due to the alignment for
      64-bit quantities.
      
      In order to fix these problems, I have implemented a way to
      send compat messages to tasks. When sending an event, we send
      the non-compat event data together with a compat event data in
      skb_shinfo(main_skb)->frag_list. Then, when the event is read
      from the socket, the netlink code makes sure to pass out only
      the skb that is compatible with the task. This approach was
      suggested by David Miller, my original approach required
      always sending two skbs but that had various small problems.
      
      To determine whether compat is needed or not, I have used the
      MSG_CMSG_COMPAT flag, and adjusted the call path for recv and
      recvfrom to include it, even if those calls do not have a cmsg
      parameter.
      
      I have not solved one small part of the problem, and I don't
      think it is necessary to: if a 32-bit application uses read()
      rather than any form of recvmsg() it will still get the wrong
      (64-bit) event. However, neither do applications actually do
      this, nor would it be a regression.
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1dacc76d
    • Johannes Berg's avatar
      wext: optimise, comment and fix event sending · 4f45b2cd
      Johannes Berg authored
      The current function for sending events first allocates the
      event stream buffer, and then an skb to copy the event stream
      into. This can be done in one go. Also, the current function
      leaks kernel data to userspace in a 4 uninitialised bytes,
      initialise those explicitly. Finally also add a few useful
      comments, as opposed to the current comments.
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f45b2cd