1. 19 Mar, 2006 1 commit
    • Ralf Baechle DL5RB's avatar
      [AX.25]: Fix potencial memory hole. · c7c694d1
      Ralf Baechle DL5RB authored
      If the AX.25 dialect chosen by the sysadmin is set to DAMA master / 3
      (or DAMA slave / 2, if CONFIG_AX25_DAMA_SLAVE=n) ax25_kick() will fall
      through the switch statement without calling ax25_send_iframe() or any
      other function that would eventually free skbn thus leaking the packet.
      
      Fix by restricting the sysctl inferface to allow only actually supported
      AX.25 dialects.
      
      The system administration mistake needed for this to happen is rather
      unlikely, so this is an uncritical hole.
      
      Coverity #651.
      Signed-off-by: default avatarRalf Baechle DL5RB <ralf@linux-mips.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7c694d1
  2. 15 Mar, 2006 2 commits
  3. 14 Mar, 2006 2 commits
  4. 13 Mar, 2006 1 commit
  5. 12 Mar, 2006 7 commits
  6. 11 Mar, 2006 3 commits
  7. 08 Mar, 2006 1 commit
    • Dipankar Sarma's avatar
      [PATCH] fix file counting · 529bf6be
      Dipankar Sarma authored
      I have benchmarked this on an x86_64 NUMA system and see no significant
      performance difference on kernbench.  Tested on both x86_64 and powerpc.
      
      The way we do file struct accounting is not very suitable for batched
      freeing.  For scalability reasons, file accounting was
      constructor/destructor based.  This meant that nr_files was decremented
      only when the object was removed from the slab cache.  This is susceptible
      to slab fragmentation.  With RCU based file structure, consequent batched
      freeing and a test program like Serge's, we just speed this up and end up
      with a very fragmented slab -
      
      llm22:~ # cat /proc/sys/fs/file-nr
      587730  0       758844
      
      At the same time, I see only a 2000+ objects in filp cache.  The following
      patch I fixes this problem.
      
      This patch changes the file counting by removing the filp_count_lock.
      Instead we use a separate percpu counter, nr_files, for now and all
      accesses to it are through get_nr_files() api.  In the sysctl handler for
      nr_files, we populate files_stat.nr_files before returning to user.
      
      Counting files as an when they are created and destroyed (as opposed to
      inside slab) allows us to correctly count open files with RCU.
      Signed-off-by: default avatarDipankar Sarma <dipankar@in.ibm.com>
      Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      529bf6be
  8. 07 Mar, 2006 1 commit
  9. 04 Mar, 2006 5 commits
  10. 27 Feb, 2006 10 commits
  11. 24 Feb, 2006 2 commits
  12. 23 Feb, 2006 5 commits
    • Herbert Xu's avatar
      [IPSEC]: Use TOS when doing tunnel lookups · 4da3089f
      Herbert Xu authored
      We should use the TOS because it's one of the routing keys.  It also
      means that we update the correct routing cache entry when PMTU occurs.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4da3089f
    • Jamal Hadi Salim's avatar
      [NET] ethernet: Fix first packet goes out with MAC 00:00:00:00:00:00 · f8d0e3f1
      Jamal Hadi Salim authored
      When you turn off ARP on a netdevice then the first packet always goes
      out with a dstMAC of all zeroes. This is because the first packet is
      used to resolve ARP entries. Even though the ARP entry may be resolved
      (I tried by setting a static ARP entry for a host i was pinging from),
      it gets overwritten by virtue of having the netdevice disabling ARP.
      
      Subsequent packets go out fine with correct dstMAC address (which may
      be why people have ignored reporting this issue).
      
      To cut the story short: 
      
      the culprit code is in net/ethernet/eth.c::eth_header()
      
      ----
              /*
               *      Anyway, the loopback-device should never use this
      function...
               */
      
              if (dev->flags & (IFF_LOOPBACK|IFF_NOARP))
              {
                      memset(eth->h_dest, 0, dev->addr_len);
                      return ETH_HLEN;
              }
      
      	if(daddr)
              {
                      memcpy(eth->h_dest,daddr,dev->addr_len);
                      return ETH_HLEN;
              }
      
      ----
      
      Note how the h_dest is being reset when device has IFF_NOARP.
      
      As a note:
      All devices including loopback pass a daddr. loopback in fact passes
      a 0 all the time ;-> 
      This means i can delete the check totaly or i can remove the IFF_NOARP
      
      Alexey says:
      --------------------
      I think, it was me who did this crap. It was so long ago I do not remember
      why it was made.
      
      I remember some troubles with dummy device. It tried to resolve
      addresses, apparently, without success and generated errors instead of
      blackholing. I think the problem was eventually solved at neighbour
      level.
      
      After some thinking I suspect the deletion of this chunk could change
      behaviour of some parts which do not use neighbour cache f.e. packet
      socket.
      
      I think safer approach would be to move this chunk after if (daddr).
      And the possibility to remove this completely could be analyzed later.
      --------------------
      
      Patch updated with Alexey's safer suggestions.
      Signed-off-by: default avatarJamal Hadi Salim <hadi@cyberus.ca>
      Acked-by: default avatarAlexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8d0e3f1
    • Herbert Xu's avatar
      [XFRM]: Eliminate refcounting confusion by creating __xfrm_state_put(). · 21380b81
      Herbert Xu authored
      We often just do an atomic_dec(&x->refcnt) on an xfrm_state object
      because we know there is more than 1 reference remaining and thus
      we can elide the heavier xfrm_state_put() call.
      
      Do this behind an inline function called __xfrm_state_put() so that is
      more obvious and also to allow us to more cleanly add refcount
      debugging later.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21380b81
    • Suresh Bhogavilli's avatar
      [IPV4]: Fix garbage collection of multipath route entries · 85259878
      Suresh Bhogavilli authored
      When garbage collecting route cache entries of multipath routes
      in rt_garbage_collect(), entries were deleted from the hash bucket
      'i' while holding a spin lock on bucket 'k' resulting in a system
      hang.  Delete entries, if any, from bucket 'k' instead.
      Signed-off-by: default avatarSuresh Bhogavilli <sbhogavilli@verisign.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      85259878
    • Patrick McHardy's avatar
      [NETFILTER]: Fix bridge netfilter related in xfrm_lookup · 42cf93cd
      Patrick McHardy authored
      The bridge-netfilter code attaches a fake dst_entry with dst->ops == NULL
      to purely bridged packets. When these packets are SNATed and a policy
      lookup is done, xfrm_lookup crashes because it tries to dereference
      dst->ops.
      
      Change xfrm_lookup not to dereference dst->ops before checking for the
      DST_NOXFRM flag and set this flag in the fake dst_entry.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42cf93cd