1. 30 Aug, 2012 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation · 3f509c68
      Pablo Neira Ayuso authored
      
      
      We're hitting bug while trying to reinsert an already existing
      expectation:
      
      kernel BUG at kernel/timer.c:895!
      invalid opcode: 0000 [#1] SMP
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa0069563>] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack]
       [<ffffffff812d423a>] ? in4_pton+0x72/0x131
       [<ffffffffa00ca69e>] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip]
       [<ffffffffa00b5b9b>] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip]
       [<ffffffffa00b5f15>] process_sdp+0x30c/0x3ec [nf_conntrack_sip]
       [<ffffffff8103f1eb>] ? irq_exit+0x9a/0x9c
       [<ffffffffa00ca738>] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip]
      
      We have to remove the RTP expectation if the RTCP expectation hits EBUSY
      since we keep trying with other ports until we succeed.
      Reported-by: default avatarRafal Fitt <rafalf@aplusc.com.pl>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3f509c68
  2. 29 Aug, 2012 3 commits
  3. 20 Aug, 2012 6 commits
    • Patrick McHardy's avatar
      netfilter: nfnetlink_log: fix NLA_PUT macro removal bug · 2dba62c3
      Patrick McHardy authored
      Commit 1db20a52
      
       (nfnetlink_log: Stop using NLA_PUT*().) incorrectly
      converted a NLA_PUT_BE16 macro to nla_put_be32() in nfnetlink_log:
      
      -               NLA_PUT_BE16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type));
      +               if (nla_put_be32(inst->skb, NFULA_HWTYPE, htons(skb->dev->type))
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      2dba62c3
    • Neal Cardwell's avatar
      net: tcp: move sk_rx_dst_set call after tcp_create_openreq_child() · fae6ef87
      Neal Cardwell authored
      
      
      This commit removes the sk_rx_dst_set calls from
      tcp_create_openreq_child(), because at that point the icsk_af_ops
      field of ipv6_mapped TCP sockets has not been set to its proper final
      value.
      
      Instead, to make sure we get the right sk_rx_dst_set variant
      appropriate for the address family of the new connection, we have
      tcp_v{4,6}_syn_recv_sock() directly call the appropriate function
      shortly after the call to tcp_create_openreq_child() returns.
      
      This also moves inet6_sk_rx_dst_set() to avoid a forward declaration
      with the new approach.
      Signed-off-by: default avatarNeal Cardwell <ncardwell@google.com>
      Reported-by: default avatarArtem Savkov <artem.savkov@gmail.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fae6ef87
    • Randy Dunlap's avatar
      net/core/dev.c: fix kernel-doc warning · 3de7a37b
      Randy Dunlap authored
      
      
      Fix kernel-doc warning:
      
      Warning(net/core/dev.c:5745): No description found for parameter 'dev'
      Signed-off-by: default avatarRandy Dunlap <rdunlap@xenotime.net>
      Cc:	"David S. Miller" <davem@davemloft.net>
      Cc:	netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3de7a37b
    • Patrick McHardy's avatar
      net: ipv6: fix oops in inet_putpeer() · 9d7b0fc1
      Patrick McHardy authored
      Commit 97bab73f
      
       (inet: Hide route peer accesses behind helpers.) introduced
      a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
      initialized, causing a false positive result from inetpeer_ptr_is_peer(),
      which in turn causes a NULL pointer dereference in inet_putpeer().
      
      Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
      EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
      EIP is at inet_putpeer+0xe/0x16
      EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
      ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
       DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
       f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
       f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
       f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
       [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
       [<c038d5f7>] dst_destroy+0x1d/0xa4
       [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
       [<c0396870>] flow_cache_gc_task+0x85/0x9f
       [<c0142d2b>] process_one_work+0x122/0x441
       [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
       [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
       [<c0143e2d>] worker_thread+0x113/0x3cc
      
      Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
      properly initialize the dst's peer pointer.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d7b0fc1
    • Jesper Juhl's avatar
      caif: Do not dereference NULL in chnl_recv_cb() · d92c7f8a
      Jesper Juhl authored
      
      
      In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
      which may return NULL, but we do not check for a NULL pointer before
      dereferencing it.
      This patch adds such a NULL check and properly free's allocated memory
      and return an error (-EINVAL) on failure - much better than crashing..
      Signed-off-by: default avatarJesper Juhl <jj@chaosbits.net>
      Acked-by: default avatarSjur Brændeland <sjur.brandeland@stericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d92c7f8a
    • Eric Leblond's avatar
      af_packet: don't emit packet on orig fanout group · c0de08d0
      Eric Leblond authored
      
      
      If a packet is emitted on one socket in one group of fanout sockets,
      it is transmitted again. It is thus read again on one of the sockets
      of the fanout group. This result in a loop for software which
      generate packets when receiving one.
      This retransmission is not the intended behavior: a fanout group
      must behave like a single socket. The packet should not be
      transmitted on a socket if it originates from a socket belonging
      to the same fanout group.
      
      This patch fixes the issue by changing the transmission check to
      take fanout group info account.
      Reported-by: default avatarAleksandr Kotov <a1k@mail.ru>
      Signed-off-by: default avatarEric Leblond <eric@regit.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c0de08d0
  4. 16 Aug, 2012 5 commits
  5. 15 Aug, 2012 15 commits
  6. 14 Aug, 2012 10 commits