Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v3.7-rc8 2012-12-02T01:39:16Z 2012-12-02T01:39:16Z Eric Dumazet edumazet@google.com 2012-12-01T13:07:02Z urn:sha1:64022d0b4e93ea432e95db55a72b8a1c5775f3c0 Recent network changes allowed high order pages being used for skb fragments. This uncovered a bug in do_tcp_sendpages() which was assuming its caller provided an array of order-0 page pointers. We only have to deal with a single page in this function, and its order is irrelevant. Reported-by: Willy Tarreau <w@1wt.eu> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-30T16:27:32Z John W. Linville linville@tuxdriver.com 2012-11-30T16:27:32Z urn:sha1:9f8933e960f98d27742727445061b0ece934e5cf 2012-11-28T23:00:47Z David S. Miller davem@davemloft.net 2012-11-28T23:00:47Z urn:sha1:a45085f6a7801f95cd5682290195224e268627fd Two small openswitch fixes from Jesse Gross. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-28T16:29:43Z David S. Miller davem@davemloft.net 2012-11-28T16:29:43Z urn:sha1:52f2ede1ced85040f00d0dc70dad2d4ae7c46aa6 An interface name overflow fix in netfilter via Pablo Neira Ayuso. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-28T16:25:29Z Tommi Rantala tt.rantala@gmail.com 2012-11-26T04:16:44Z urn:sha1:c3b2c2581988d304127c2aa218430b5fca88ce56 Cleanup the memory we allocated earlier in irttp_open_tsap() when we hit this error path. The leak goes back to at least 1da177e4 ("Linux-2.6.12-rc2"). Discovered with Trinity (the syscall fuzzer). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-28T16:13:40Z Schoch Christian e0326715@student.tuwien.ac.at 2012-11-28T05:18:29Z urn:sha1:92d64c261e77cb2a6117887617e2a629fea6b67c The calculation of RTTVAR involves the subtraction of two unsigned numbers which may causes rollover and results in very high values of RTTVAR when RTT > SRTT. With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at 4 times the clock granularity. Change Notes: v2) *Replaced abs() by abs64() and long by __s64, changed patch description. Signed-off-by: Christian Schoch <e0326715@student.tuwien.ac.at> CC: Vlad Yasevich <vyasevich@gmail.com> CC: Sridhar Samudrala <sri@us.ibm.com> CC: Neil Horman <nhorman@tuxdriver.com> CC: linux-sctp@vger.kernel.org Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-28T16:11:17Z Tommi Rantala tt.rantala@gmail.com 2012-11-22T03:23:16Z urn:sha1:6e51fe7572590d8d86e93b547fab6693d305fd0d Consider the following program, that sets the second argument to the sendto() syscall incorrectly: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } We get -ENOMEM: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory) Propagate the error code from sctp_user_addto_chunk(), so that we will tell user space what actually went wrong: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address) Noticed while running Trinity (the syscall fuzzer). Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-28T16:10:09Z Tommi Rantala tt.rantala@gmail.com 2012-11-27T04:01:46Z urn:sha1:be364c8c0f17a3dd42707b5a090b318028538eb9 Trinity (the syscall fuzzer) discovered a memory leak in SCTP, reproducible e.g. with the sendto() syscall by passing invalid user space pointer in the second argument: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } As far as I can tell, the leak has been around since ~2003. Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-26T22:36:59Z Eric Dumazet edumazet@google.com 2012-11-25T09:44:29Z urn:sha1:b49d3c1e1c948d76d64790abe9acffa9fa747d19 Name of pimreg devices are built from following format : char name[IFNAMSIZ]; // IFNAMSIZ == 16 sprintf(name, "pimreg%u", mrt->id); We must therefore limit mrt->id to 9 decimal digits or risk a buffer overflow and a crash. Restrict table identifiers in [0 ... 999999999] interval. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-11-26T22:24:41Z Neal Cardwell ncardwell@google.com 2012-11-24T18:54:37Z urn:sha1:e1a676424c290b1c8d757e3860170ac7ecd89af4 inet_getpeer_v4() can return NULL under OOM conditions, and while inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will crash. This code path now uses the same idiom as the others from: 1d861aa4b3fb08822055345f480850205ffe6170 ("inet: Minimize use of cached route inetpeer."). Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>