From 6c3607676c12d77d70cc712310f52fbc6af5895d Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Sun, 26 Jun 2005 15:20:20 -0700
Subject: [PATCH 1/6] [IPV4]: Fix thinko in TCP_CONG_BIC default.
Since it is tristate when we offer it as a choice, we should definte it also as tristate when forcing it as the default. Otherwise kconfig warns.
Signed-off-by: David S. Miller
---
 net/ipv4/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 34708343312..7342a9afe01 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -549,7 +549,7 @@ config TCP_CONG_SCALABLE
 endmenu
 config TCP_CONG_BIC
- boolean
+ tristate
 depends on !TCP_CONG_ADVANCED
 default y
From 60fe7403209179fccd6629172c4b36acc69c5db6 Mon Sep 17 00:00:00 2001
From: Adrian Bunk
Date: Sun, 26 Jun 2005 15:21:15 -0700
Subject: [PATCH 2/6] [TCP]: Let TCP_CONG_ADVANCED default to n
It doesn't seem to make much sense to let an "If unsure, say N." option default to y.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
---
 net/ipv4/Kconfig | 1 -
 1 file changed, 1 deletion(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 7342a9afe01..3e63123f7bb 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -448,7 +448,6 @@ config IP_TCPDIAG_IPV6
 config TCP_CONG_ADVANCED
 bool "TCP: advanced congestion control"
 depends on INET
- default y
 ---help---
 Support for selection of various TCP congestion control modules.
From 64053beeb5a5f9cd79903a8c3dd35d1ef0a4685f Mon Sep 17 00:00:00 2001
From: Robert Olsson
Date: Sun, 26 Jun 2005 15:27:10 -0700
Subject: [PATCH 3/6] [PKTGEN]: Fix random packet sizes causing panic
Signed-off-by: Robert Olsson
Signed-off-by: David S. Miller
---
 net/core/pktgen.c | 29 +++++++++++++----------------
 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index c57b06bc79f..975d651312d 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -151,7 +151,7 @@
 #include
-#define VERSION "pktgen v2.61: Packet Generator for packet performance testing.\n"
+#define VERSION "pktgen v2.62: Packet Generator for packet performance testing.\n"
 /* #define PG_DEBUG(a) a */
 #define PG_DEBUG(a)
@@ -1921,6 +1921,11 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
 struct iphdr *iph;
 struct pktgen_hdr *pgh = NULL;
+ /* Update any of the values, used when we're incrementing various
+ * fields.
+ */
+ mod_cur_headers(pkt_dev);
+
 skb = alloc_skb(pkt_dev->cur_pkt_size + 64 + 16, GFP_ATOMIC);
 if (!skb) {
 sprintf(pkt_dev->result, "No memory");
@@ -1934,11 +1939,6 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
 iph = (struct iphdr *)skb_put(skb, sizeof(struct iphdr));
 udph = (struct udphdr *)skb_put(skb, sizeof(struct udphdr));
- /* Update any of the values, used when we're incrementing various
- * fields.
- */
- mod_cur_headers(pkt_dev);
-
 memcpy(eth, pkt_dev->hh, 12);
 *(u16*)ð[12] = __constant_htons(ETH_P_IP);
@@ -2192,7 +2192,12 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
 int datalen;
 struct ipv6hdr *iph;
 struct pktgen_hdr *pgh = NULL;
-
+
+ /* Update any of the values, used when we're incrementing various
+ * fields.
+ */
+ mod_cur_headers(pkt_dev);
+
 skb = alloc_skb(pkt_dev->cur_pkt_size + 64 + 16, GFP_ATOMIC);
 if (!skb) {
 sprintf(pkt_dev->result, "No memory");
@@ -2206,17 +2211,9 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
 iph = (struct ipv6hdr *)skb_put(skb, sizeof(struct ipv6hdr));
 udph = (struct udphdr *)skb_put(skb, sizeof(struct udphdr));
-
- /* Update any of the values, used when we're incrementing various
- * fields.
- */
- mod_cur_headers(pkt_dev);
-
-
 memcpy(eth, pkt_dev->hh, 12);
 *(u16*)ð[12] = __constant_htons(ETH_P_IPV6);
-
-
+
 datalen = pkt_dev->cur_pkt_size-14- sizeof(struct ipv6hdr)-sizeof(struct udphdr); /* Eth + IPh + UDPh */
From 32e9e25ef20789c24ffa1f41489a13932cf82c77 Mon Sep 17 00:00:00 2001
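Review bot: Moving mod_cur_headers() ahead of alloc_skb() makes the allocation follow the randomised cur_pkt_size, but neither fill_packet_* hunk bounds that size against the header overhead; in the last fill_packet_ipv6 hunk `datalen = pkt_dev->cur_pkt_size-14- sizeof(struct ipv6hdr)-sizeof(struct udphdr);` is evaluated in size_t, so a cur_pkt_size smaller than 14 + sizeof(struct ipv6hdr) + sizeof(struct udphdr) wraps before being stored in `int datalen`, and whatever later consumes datalen (presumably a skb_put()) is sized from garbage. Unless the proc interface already clamps the minimum packet size to the IPv6 minimum (not visible here), a guard right after the moved call, `if (pkt_dev->cur_pkt_size < 14 + sizeof(struct ipv6hdr) + sizeof(struct udphdr)) return NULL;` with pkt_dev->result set as the alloc-failure path does, turns the underflow into a clean failure. The first fill_packet_ipv4 hunk needs the same with sizeof(struct iphdr). Both fill_packet_ipv4() and fill_packet_ipv6() begin and end outside these hunks.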
From: "David S. Miller"
Date: Sun, 26 Jun 2005 15:28:10 -0700
Subject: [PATCH 4/6] [ATALK]: Include asm/byteorder.h in linux/atalk.h
We're using __be16 in userland visible types, so we have to include asm/byteorder.h so that works.
Signed-off-by: David S. Miller
---
 include/linux/atalk.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/include/linux/atalk.h b/include/linux/atalk.h
index 09a1451c115..911c09cb9bf 100644
--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@@ -1,6 +1,8 @@
 #ifndef __LINUX_ATALK_H__
 #define __LINUX_ATALK_H__
+#include
+
 /*
 * AppleTalk networking structures
 *
From d470e3b483dcf79c16463bc740738dca76a035a9 Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Sun, 26 Jun 2005 15:31:51 -0700
Subject: [PATCH 5/6] [NETLINK]: Fix two socket hashing bugs.
1) netlink_release() should only decrement the hash entry count if the socket was actually hashed. This was causing hash->entries to underflow, which resulting in all kinds of troubles. On 64-bit systems, this would cause the following conditional to erroneously trigger: err = -ENOMEM; if (BITS_PER_LONG > 32 && unlikely(hash->entries >= UINT_MAX)) goto err; 2) netlink_autobind() needs to propagate the error return from netlink_insert(). Otherwise, callers will not see the error as they should and thus try to operate on a socket with a zero pid, which is very bad. However, it should not propagate -EBUSY. If two threads race to autobind the socket, that is fine. This is consistent with the autobind behavior in other protocols. So bug #1 above, combined with this one, resulted in hangs on netlink_sendmsg() calls to the rtnetlink socket. We'd try to do the user sendmsg() with the socket's pid set to zero, later we do a socket lookup using that pid (via the value we stashed away in NETLINK_CB(skb).pid), but that won't give us the user socket, it will give us the rtnetlink socket. So when we try to wake up the receive queue, we dive back into rtnetlink_rcv() which tries to recursively take the rtnetlink semaphore. Thanks to Jakub Jelink for providing backtraces. Also, thanks to Herbert Xu for supplying debugging patches to help track this down, and also finding a mistake in an earlier version of this fix.
Signed-off-by: David S. Miller
---
 net/netlink/af_netlink.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 70bcd4744d9..fc456a7aaec 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -315,8 +315,8 @@ err:
 static void netlink_remove(struct sock *sk)
 {
 netlink_table_grab();
- nl_table[sk->sk_protocol].hash.entries--;
- sk_del_node_init(sk);
+ if (sk_del_node_init(sk))
+ nl_table[sk->sk_protocol].hash.entries--;
 if (nlk_sk(sk)->groups)
 __sk_del_bind_node(sk);
 netlink_table_ungrab();
@@ -429,7 +429,12 @@ retry:
 err = netlink_insert(sk, pid);
 if (err == -EADDRINUSE)
 goto retry;
- return 0;
+
+ /* If 2 threads race to autobind, that is fine. */
+ if (err == -EBUSY)
+ err = 0;
+
+ return err;
 }
 static inline int netlink_capable(struct socket *sock, unsigned int flag)
From 4da62fc70d7cbcf8fa606a8c806d9dc8faa0ceae Mon Sep 17 00:00:00 2001
From: pageexec
Date: Sun, 26 Jun 2005 16:00:19 -0700
Subject: [PATCH 6/6] [IPVS]: Fix for overflows
From: $subject was fixed in 2.4 already, 2.6 needs it as well. The impact of the bugs is a kernel stack overflow and privilege escalation from CAP_NET_ADMIN via the IP_VS_SO_SET_STARTDAEMON/IP_VS_SO_GET_DAEMON ioctls. People running with 'root=all caps' (i.e., most users) are not really affected (there's nothing to escalate), but SELinux and similar users should take it seriously if they grant CAP_NET_ADMIN to other users.
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
---
 net/ipv4/ipvs/ip_vs_ctl.c | 8 +++++---
 net/ipv4/ipvs/ip_vs_sync.c | 4 ++--
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ipvs/ip_vs_ctl.c b/net/ipv4/ipvs/ip_vs_ctl.c
index 218d9701036..12a82e91d22 100644
--- a/net/ipv4/ipvs/ip_vs_ctl.c
+++ b/net/ipv4/ipvs/ip_vs_ctl.c
@@ -2059,7 +2059,7 @@ ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
 dst->addr = src->addr;
 dst->port = src->port;
 dst->fwmark = src->fwmark;
- strcpy(dst->sched_name, src->scheduler->name);
+ strlcpy(dst->sched_name, src->scheduler->name, sizeof(dst->sched_name));
 dst->flags = src->flags;
 dst->timeout = src->timeout / HZ;
 dst->netmask = src->netmask;
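Review bot: The new `if (err == -EBUSY) err = 0;` in netlink_autobind() discards an error code without saying where it comes from, so the one-line comment above it should name the source; I would write it as `/* netlink_insert() returns -EBUSY when the socket already has a pid, i.e. another thread won the autobind race; treat that as success. */` (assuming that is netlink_insert()'s contract — netlink_insert() is outside this diff). Since every other error is now propagated instead of the former unconditional `return 0;`, callers of netlink_autobind() have to handle a non-zero return, which is the point of the fix and worth a sentence in the same comment. netlink_autobind() starts before this hunk, and the `goto retry` loop on -EADDRINUSE remains unbounded, which the commit does not change.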
@@ -2080,6 +2080,7 @@ __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
 list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
 if (count >= get->num_services)
 goto out;
+ memset(&entry, 0, sizeof(entry));
 ip_vs_copy_service(&entry, svc);
 if (copy_to_user(&uptr->entrytable[count],
 &entry, sizeof(entry))) {
@@ -2094,6 +2095,7 @@ __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
 list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
 if (count >= get->num_services)
 goto out;
+ memset(&entry, 0, sizeof(entry));
 ip_vs_copy_service(&entry, svc);
 if (copy_to_user(&uptr->entrytable[count],
 &entry, sizeof(entry))) {
@@ -2304,12 +2306,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 memset(&d, 0, sizeof(d));
 if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
 d[0].state = IP_VS_STATE_MASTER;
- strcpy(d[0].mcast_ifn, ip_vs_master_mcast_ifn);
+ strlcpy(d[0].mcast_ifn, ip_vs_master_mcast_ifn, sizeof(d[0].mcast_ifn));
 d[0].syncid = ip_vs_master_syncid;
 }
 if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
 d[1].state = IP_VS_STATE_BACKUP;
- strcpy(d[1].mcast_ifn, ip_vs_backup_mcast_ifn);
+ strlcpy(d[1].mcast_ifn, ip_vs_backup_mcast_ifn, sizeof(d[1].mcast_ifn));
 d[1].syncid = ip_vs_backup_syncid;
 }
 if (copy_to_user(user, &d, sizeof(d)) != 0)
diff --git a/net/ipv4/ipvs/ip_vs_sync.c b/net/ipv4/ipvs/ip_vs_sync.c
index 25c479550a3..574d1f509b4 100644
--- a/net/ipv4/ipvs/ip_vs_sync.c
+++ b/net/ipv4/ipvs/ip_vs_sync.c
@@ -839,10 +839,10 @@ int start_sync_thread(int state, char *mcast_ifn, __u8 syncid)
 ip_vs_sync_state |= state;
 if (state == IP_VS_STATE_MASTER) {
- strcpy(ip_vs_master_mcast_ifn, mcast_ifn);
+ strlcpy(ip_vs_master_mcast_ifn, mcast_ifn, sizeof(ip_vs_master_mcast_ifn));
 ip_vs_master_syncid = syncid;
 } else {
- strcpy(ip_vs_backup_mcast_ifn, mcast_ifn);
+ strlcpy(ip_vs_backup_mcast_ifn, mcast_ifn, sizeof(ip_vs_backup_mcast_ifn));
 ip_vs_backup_syncid = syncid;
 }
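Review bot: strlcpy() in start_sync_thread() bounds the write but not the read: it runs strlen() over `mcast_ifn`, which per the commit message comes in through the IP_VS_SO_SET_STARTDAEMON ioctl, so a user-supplied name field that is not NUL-terminated is still read past its end, and an over-long name is now silently truncated to a different interface name rather than rejected. The validation belongs in the ioctl handler before start_sync_thread() is called (outside this diff), e.g. `if (strnlen(mcast_ifn, sizeof(ip_vs_master_mcast_ifn)) >= sizeof(ip_vs_master_mcast_ifn)) return -EINVAL;`, or force-terminating the field there; this presumes the field is a fixed-size array copied verbatim from userspace, which the hunk does not show. The do_ip_vs_get_ctl hunk copies from the kernel-side globals and does not have this problem. start_sync_thread() begins before this hunk.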