From 463d305bc51b8f5d0750a17ec0c9caf5181ec6d4 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 22 May 2006 16:36:27 -0700 Subject: [PATCH 1/7] [TG3]: Add some missing rx error counters Add some missing rx error counters for 5705 and newer chips. Update version to 3.58. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/tg3.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c index e1b33a25a25..49ad60b7265 100644 --- a/drivers/net/tg3.c +++ b/drivers/net/tg3.c @@ -69,8 +69,8 @@ #define DRV_MODULE_NAME "tg3" #define PFX DRV_MODULE_NAME ": " -#define DRV_MODULE_VERSION "3.57" -#define DRV_MODULE_RELDATE "Apr 28, 2006" +#define DRV_MODULE_VERSION "3.58" +#define DRV_MODULE_RELDATE "May 22, 2006" #define TG3_DEF_MAC_MODE 0 #define TG3_DEF_RX_MODE 0 @@ -6488,6 +6488,10 @@ static void tg3_periodic_fetch_stats(struct tg3 *tp) TG3_STAT_ADD32(&sp->rx_frame_too_long_errors, MAC_RX_STATS_FRAME_TOO_LONG); TG3_STAT_ADD32(&sp->rx_jabbers, MAC_RX_STATS_JABBERS); TG3_STAT_ADD32(&sp->rx_undersize_packets, MAC_RX_STATS_UNDERSIZE); + + TG3_STAT_ADD32(&sp->rxbds_empty, RCVLPC_NO_RCV_BD_CNT); + TG3_STAT_ADD32(&sp->rx_discards, RCVLPC_IN_DISCARDS_CNT); + TG3_STAT_ADD32(&sp->rx_errors, RCVLPC_IN_ERRORS_CNT); } static void tg3_timer(unsigned long __opaque) From bae25761c92c5eec781b6ea72bbe7e98fc8382a0 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 22 May 2006 16:38:38 -0700 Subject: [PATCH 2/7] [BNX2]: Fix bug in bnx2_nvram_write() Fix a bug in bnx2_nvram_write() caused by a counter variable not correctly incremented by 4. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index 5ca99e26660..509f104ec3d 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c 
@@ -3061,7 +3061,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } /* Loop to write the new data from data_start to data_end */ - for (addr = data_start; addr < data_end; addr += 4, i++) { + for (addr = data_start; addr < data_end; addr += 4, i += 4) { if ((addr == page_end - 4) || ((bp->flash_info->buffered) && (addr == data_end - 4))) { From ae181bc44c65fdc93d0d2d908534b22e43f60f56 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 22 May 2006 16:39:20 -0700 Subject: [PATCH 3/7] [BNX2]: Use kmalloc instead of array Use kmalloc() instead of a local array in bnx2_nvram_write(). Update version to 1.4.40. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index 509f104ec3d..54161aef3ca 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -55,8 +55,8 @@ #define DRV_MODULE_NAME "bnx2" #define PFX DRV_MODULE_NAME ": " -#define DRV_MODULE_VERSION "1.4.39" -#define DRV_MODULE_RELDATE "March 22, 2006" +#define DRV_MODULE_VERSION "1.4.40" +#define DRV_MODULE_RELDATE "May 22, 2006" #define RUN_AT(x) (jiffies + (x)) @@ -2945,7 +2945,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, int buf_size) { u32 written, offset32, len32; - u8 *buf, start[4], end[4]; + u8 *buf, start[4], end[4], *flash_buffer = NULL; int rc = 0; int align_start, align_end; @@ -2985,12 +2985,19 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, memcpy(buf + align_start, data_buf, buf_size); } + if (bp->flash_info->buffered == 0) { + flash_buffer = kmalloc(264, GFP_KERNEL); + if (flash_buffer == NULL) { + rc = -ENOMEM; + goto nvram_write_end; + } + } + written = 0; while ((written < len32) && (rc == 0)) { u32 page_start, page_end, data_start, data_end; u32 addr, cmd_flags; int i; - u8 flash_buffer[264]; /* Find the page_start addr */ page_start = offset32 + written; 
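Review bot: The loop header in bnx2_nvram_write() still carries two hand-synchronised counters, `addr` and `i`, and nothing in the visible lines says that `i` is a byte offset, which is the condition that let `i++` go unnoticed. A short comment where `i` is declared, such as `/* i: byte offset, must advance in step with addr */`, would document the invariant this fix restores. The uses of `i` lie outside this hunk, so confirm that every later loop continuing from it also steps by 4.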
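Review bot: `kmalloc(264, GFP_KERNEL)` keeps the bare 264 from the old `u8 flash_buffer[264]`, so the heap buffer has no visible link to the flash page size that presumably bounds what is copied into it. If a supported part ever has a page larger than 264 bytes, a whole-page copy would overrun the allocation. A named constant, or a size taken from the flash descriptor if it carries one, together with a check against it, would make the bound explicit. The code that fills `flash_buffer` is outside this hunk.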
@@ -3109,6 +3116,9 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } nvram_write_end: + if (bp->flash_info->buffered == 0) + kfree(flash_buffer); + if (align_start || align_end) kfree(buf); return rc; From 4195f81453b9727f82bb8ceae03411b7fe52a994 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Mon, 22 May 2006 16:53:22 -0700 Subject: [PATCH 4/7] [NET]: Fix "ntohl(ntohs" bugs Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller --- net/ipv4/ipcomp.c | 2 +- net/ipv4/xfrm4_policy.c | 2 +- net/ipv6/ipcomp6.c | 2 +- net/xfrm/xfrm_input.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c index cd810f41af1..95278b22b66 100644 --- a/net/ipv4/ipcomp.c +++ b/net/ipv4/ipcomp.c @@ -210,7 +210,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info) skb->h.icmph->code != ICMP_FRAG_NEEDED) return; - spi = ntohl(ntohs(ipch->cpi)); + spi = htonl(ntohs(ipch->cpi)); x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, AF_INET); if (!x) diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index f285bbf296e..8604c747bca 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -221,7 +221,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl) if (pskb_may_pull(skb, xprth + 4 - skb->data)) { u16 *ipcomp_hdr = (u16 *)xprth; - fl->fl_ipsec_spi = ntohl(ntohs(ipcomp_hdr[1])); + fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); } break; default: diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c index 05eb67def39..48636436028 100644 --- a/net/ipv6/ipcomp6.c +++ b/net/ipv6/ipcomp6.c @@ -208,7 +208,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, if (type != ICMPV6_DEST_UNREACH && type != ICMPV6_PKT_TOOBIG) return; - spi = ntohl(ntohs(ipcomph->cpi)); + spi = htonl(ntohs(ipcomph->cpi)); x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, AF_INET6); if (!x) return; 
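Review bot: The `if (bp->flash_info->buffered == 0)` guard in front of `kfree(flash_buffer)` is redundant, because the pointer is initialised to NULL at its declaration and kfree(NULL) is a no-op. Leaving just `kfree(flash_buffer);` removes the need to keep the free condition in step with the allocation condition earlier in the function. The body of bnx2_nvram_write() starts outside this hunk.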
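Review bot: The CPI-to-SPI widening `htonl(ntohs(...))` is open-coded here in ipcomp4_err() and again in _decode_session4(), ipcomp6_err() and xfrm_parse_spi(), which is how the same mistake came to be repeated four times. A single helper, for example `static inline __be32 ipcomp_cpi_to_spi(__be16 cpi) { return htonl(ntohs(cpi)); }` (the name is only a suggestion), would keep the SPI consistent between the lookup and parse paths. In xfrm4_policy.c and xfrm_input.c the value is read through a plain `u16` cast, so sparse cannot check the byte order there. A `__be16` pointer would let the tool catch this class of bug.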
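Review bot: In the xfrm4_policy.c hunk, `ipcomp_hdr` is derived from `xprth` after `pskb_may_pull()` has run, and that call may reallocate the skb head. If `xprth` was computed before the pull (its definition is outside this hunk), the read of `ipcomp_hdr[1]` can touch memory that is no longer part of the packet. Recomputing the pointer from the skb after the pull and before the cast would close that. This is independent of the byte-order fix and should be confirmed against the top of _decode_session4().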
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index b54971059f1..891a6090cc0 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -62,7 +62,7 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq) case IPPROTO_COMP: if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr))) return -EINVAL; - *spi = ntohl(ntohs(*(u16*)(skb->h.raw + 2))); + *spi = htonl(ntohs(*(u16*)(skb->h.raw + 2))); *seq = 0; return 0; default: From 405a42c5c8bd5731087c0ff01310731a3c1c9c24 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Mon, 22 May 2006 16:54:08 -0700 Subject: [PATCH 5/7] [IRDA]: fix 16/32 bit confusion Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller --- net/irda/iriap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/irda/iriap.c b/net/irda/iriap.c index 254f9074690..2d2e2b1919f 100644 --- a/net/irda/iriap.c +++ b/net/irda/iriap.c @@ -544,7 +544,8 @@ static void iriap_getvaluebyclass_response(struct iriap_cb *self, { struct sk_buff *tx_skb; int n; - __u32 tmp_be32, tmp_be16; + __u32 tmp_be32; + __be16 tmp_be16; __u8 *fp; IRDA_DEBUG(4, "%s()\n", __FUNCTION__); From f5565f4a90bdfea99e4bcd8411ff5272ebdbdbf8 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Mon, 22 May 2006 16:54:30 -0700 Subject: [PATCH 6/7] [IRDA]: fixup type of ->lsap_state Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller --- include/net/irda/irlmp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/irda/irlmp.h b/include/net/irda/irlmp.h index 86aefb1fda5..c0c895d379b 100644 --- a/include/net/irda/irlmp.h +++ b/include/net/irda/irlmp.h @@ -112,7 +112,7 @@ struct lsap_cb { struct timer_list watchdog_timer; - IRLMP_STATE lsap_state; /* Connection state */ + LSAP_STATE lsap_state; /* Connection state */ notify_t notify; /* Indication/Confirm entry points */ struct qos_info qos; /* QoS for this connection */ From f41d5bb1d9f49b03af7126d07a511facbe283a92 Mon Sep 17 00:00:00 2001 
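Review bot: In the iriap.c hunk, `tmp_be32` is still declared `__u32` although its name says it holds a big-endian value, so only half of the pair is visible to sparse after this change. Declaring it `__be32 tmp_be32;` alongside `__be16 tmp_be16;` would let the checker flag a missing conversion on the 32-bit path as well. How the two temporaries are filled in iriap_getvaluebyclass_response() is outside this hunk, so confirm the assignments go through `cpu_to_be32()` and `cpu_to_be16()` respectively.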
From: Patrick McHardy Date: Mon, 22 May 2006 16:55:14 -0700 Subject: [PATCH 7/7] [NETFILTER]: SNMP NAT: fix memory corruption Fix memory corruption caused by snmp_trap_decode: - When snmp_trap_decode fails before the id and address are allocated, the pointers contain random memory, but are freed by the caller (snmp_parse_mangle). - When snmp_trap_decode fails after allocating just the ID, it tries to free both address and ID, but the address pointer still contains random memory. The caller frees both ID and random memory again. - When snmp_trap_decode fails after allocating both, it frees both, and the callers frees both again. The corruption can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is NATed. Found by multiple testcases of the trap-app and trap-enc groups of the PROTOS c06-snmpv1 testsuite. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/ip_nat_snmp_basic.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c index c6225384553..688a2f29fad 100644 --- a/net/ipv4/netfilter/ip_nat_snmp_basic.c +++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c @@ -1003,12 +1003,12 @@ static unsigned char snmp_trap_decode(struct asn1_ctx *ctx, return 1; +err_addr_free: + kfree((unsigned long *)trap->ip_address); + err_id_free: kfree(trap->id); -err_addr_free: - kfree((unsigned long *)trap->ip_address); - return 0; } @@ -1126,11 +1126,10 @@ static int snmp_parse_mangle(unsigned char *msg, struct snmp_v1_trap trap; unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check); - /* Discard trap allocations regardless */ - kfree(trap.id); - kfree((unsigned long *)trap.ip_address); - - if (!ret) + if (ret) { + kfree(trap.id); + kfree((unsigned long *)trap.ip_address); + } else return ret; } else {
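Review bot: The error labels in snmp_trap_decode() now rely on fall-through from `err_addr_free` into `err_id_free`, and that ordering is the whole fix, yet nothing in the code marks it. A comment such as `/* fall through: the id is allocated before the address */` above `err_id_free:` would stop a later edit from reordering them again. The allocation order is inferred from the commit message, since the body above the labels is outside this hunk. A function comment stating that on a 0 return the callee has already released everything in `*trap` would document the contract the caller now depends on.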
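Review bot: `struct snmp_v1_trap trap;` is still left uninitialised in snmp_parse_mangle(), so the only thing keeping stack garbage away from `kfree()` is that every failure path in snmp_trap_decode() cleans up after itself. Zeroing it before the call, e.g. `memset(&trap, 0, sizeof(trap));`, makes a free of a never-assigned pointer a no-op. That matters because the commit message says this path is reachable from NATed SNMP traffic. The control flow would also read more plainly as `if (!ret) return ret;` followed by the two `kfree()` calls, instead of a braced `if` with an unbraced `else`.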