From 42c5e15f18d63c1ecf79d52bdaf4ea31cd22416d Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 2 Feb 2006 16:53:26 -0800 Subject: [NET] snap: needs hardware checksum fix The SNAP code pops off it's 5 byte header, but doesn't adjust the checksum. This would cause problems when using device that does IP over SNAP and hardware receive checksums. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- net/802/psnap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/802/psnap.c b/net/802/psnap.c index 4d638944d933..34e42968b477 100644 --- a/net/802/psnap.c +++ b/net/802/psnap.c @@ -59,8 +59,10 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, proto = find_snap_client(skb->h.raw); if (proto) { /* Pass the frame on. */ + u8 *hdr = skb->data; skb->h.raw += 5; skb_pull(skb, 5); + skb_postpull_rcsum(skb, hdr, 5); rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); } else { skb->sk = NULL; -- cgit v1.2.3-55-g7522 From 4641e7a334adf6856300a98e7296dfc886c446af Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 2 Feb 2006 16:55:45 -0800 Subject: [IPV6]: Don't hold extra ref count in ipv6_ifa_notify Currently the logic in ipv6_ifa_notify is to hold an extra reference count for addrconf dst's that get added to the routing table. Thus, when addrconf dst entries are taken out of the routing table, we need to drop that dst. However, addrconf dst entries may be removed from the routing table by means other than __ipv6_ifa_notify. So we're faced with the choice of either fixing up all places where addrconf dst entries are removed, or dropping the extra reference count altogether. I chose the latter because the ifp itself always holds a dst reference count of 1 while it's alive. This is dropped just before we kfree the ifp object. Therefore we know that in __ipv6_ifa_notify we will always hold that count. This bug was found by Eric W. Biederman. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv6/addrconf.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d328d5986143..1db50487916b 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3321,9 +3321,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) switch (event) { case RTM_NEWADDR: - dst_hold(&ifp->rt->u.dst); - if (ip6_ins_rt(ifp->rt, NULL, NULL, NULL)) - dst_release(&ifp->rt->u.dst); + ip6_ins_rt(ifp->rt, NULL, NULL, NULL); if (ifp->idev->cnf.forwarding) addrconf_join_anycast(ifp); break; @@ -3334,8 +3332,6 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp) dst_hold(&ifp->rt->u.dst); if (ip6_del_rt(ifp->rt, NULL, NULL, NULL)) dst_free(&ifp->rt->u.dst); - else - dst_release(&ifp->rt->u.dst); break; } } -- cgit v1.2.3-55-g7522 From 27852c26baab8b95fc9a2b3e8a18770ecd553f10 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Thu, 2 Feb 2006 16:57:31 -0800 Subject: [SCTP]: Fix 'fast retransmit' to send a TSN only once. SCTP used to "fast retransmit" a TSN every time we hit the number of missing reports for the TSN. However the Implementers Guide specifies that we should only "fast retransmit" a given TSN once. Subsequent retransmits should be timeouts only. Also change the number of missing reports to 3 as per the latest IG(similar to TCP). Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller --- include/net/sctp/structs.h | 2 +- net/sctp/output.c | 2 +- net/sctp/outqueue.c | 12 +++++++----- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 8c522ae031bb..072f407848a6 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -700,7 +700,7 @@ struct sctp_chunk { __u8 ecn_ce_done; /* Have we processed the ECN CE bit? */ __u8 pdiscard; /* Discard the whole packet now? */ __u8 tsn_gap_acked; /* Is this chunk acked by a GAP ACK? */ - __u8 fast_retransmit; /* Is this chunk fast retransmitted? */ + __s8 fast_retransmit; /* Is this chunk fast retransmitted? */ __u8 tsn_missing_report; /* Data chunk missing counter. */ }; diff --git a/net/sctp/output.c b/net/sctp/output.c index a40991ef72c9..437cba7260a4 100644 --- a/net/sctp/output.c +++ b/net/sctp/output.c @@ -608,7 +608,7 @@ static sctp_xmit_t sctp_packet_append_data(struct sctp_packet *packet, * When a Fast Retransmit is being performed the sender SHOULD * ignore the value of cwnd and SHOULD NOT delay retransmission. */ - if (!chunk->fast_retransmit) + if (chunk->fast_retransmit <= 0) if (transport->flight_size >= transport->cwnd) { retval = SCTP_XMIT_RWND_FULL; goto finish; diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c index efb72faba20c..f148f9576dd2 100644 --- a/net/sctp/outqueue.c +++ b/net/sctp/outqueue.c @@ -406,7 +406,7 @@ void sctp_retransmit_mark(struct sctp_outq *q, * chunks that are not yet acked should be added to the * retransmit queue. */ - if ((fast_retransmit && chunk->fast_retransmit) || + if ((fast_retransmit && (chunk->fast_retransmit > 0)) || (!fast_retransmit && !chunk->tsn_gap_acked)) { /* RFC 2960 6.2.1 Processing a Received SACK * @@ -603,7 +603,8 @@ static int sctp_outq_flush_rtx(struct sctp_outq *q, struct sctp_packet *pkt, /* Mark the chunk as ineligible for fast retransmit * after it is retransmitted. */ - chunk->fast_retransmit = 0; + if (chunk->fast_retransmit > 0) + chunk->fast_retransmit = -1; *start_timer = 1; q->empty = 0; @@ -621,7 +622,8 @@ static int sctp_outq_flush_rtx(struct sctp_outq *q, struct sctp_packet *pkt, list_for_each(lchunk1, lqueue) { chunk1 = list_entry(lchunk1, struct sctp_chunk, transmitted_list); - chunk1->fast_retransmit = 0; + if (chunk1->fast_retransmit > 0) + chunk1->fast_retransmit = -1; } } } @@ -1562,11 +1564,11 @@ static void sctp_mark_missing(struct sctp_outq *q, /* * M4) If any DATA chunk is found to have a * 'TSN.Missing.Report' - * value larger than or equal to 4, mark that chunk for + * value larger than or equal to 3, mark that chunk for * retransmission and start the fast retransmit procedure. */ - if (chunk->tsn_missing_report >= 4) { + if (chunk->tsn_missing_report >= 3) { chunk->fast_retransmit = 1; do_fast_retransmit = 1; } -- cgit v1.2.3-55-g7522 From f8addb3215bf58154f189017d934dfc06b62c75e Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 2 Feb 2006 16:59:16 -0800 Subject: [IPV4] multipath_wrandom: Fix softirq-unsafe spin lock usage The spin locks in multipath_wrandom may be obtained from either process context or softirq context depending on whether the packet is locally or remotely generated. Therefore we need to disable BH processing when taking these locks. This bug was found by Ingo's lock validator. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv4/multipath_wrandom.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/multipath_wrandom.c b/net/ipv4/multipath_wrandom.c index d34a9fa608e0..342d0b9098f5 100644 --- a/net/ipv4/multipath_wrandom.c +++ b/net/ipv4/multipath_wrandom.c @@ -228,7 +228,7 @@ static void wrandom_set_nhinfo(__u32 network, struct multipath_dest *d, *target_dest = NULL; /* store the weight information for a certain route */ - spin_lock(&state[state_idx].lock); + spin_lock_bh(&state[state_idx].lock); /* find state entry for gateway or add one if necessary */ list_for_each_entry_rcu(r, &state[state_idx].head, list) { @@ -276,7 +276,7 @@ static void wrandom_set_nhinfo(__u32 network, * we are finished */ - spin_unlock(&state[state_idx].lock); + spin_unlock_bh(&state[state_idx].lock); } static void __multipath_free(struct rcu_head *head) @@ -302,7 +302,7 @@ static void wrandom_flush(void) for (i = 0; i < MULTIPATH_STATE_SIZE; ++i) { struct multipath_route *r; - spin_lock(&state[i].lock); + spin_lock_bh(&state[i].lock); list_for_each_entry_rcu(r, &state[i].head, list) { struct multipath_dest *d; list_for_each_entry_rcu(d, &r->dests, list) { @@ -315,7 +315,7 @@ static void wrandom_flush(void) __multipath_free); } - spin_unlock(&state[i].lock); + spin_unlock_bh(&state[i].lock); } } -- cgit v1.2.3-55-g7522 From 6f4b6ec1cffcbb12cc47244381496d59b6a5a790 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 2 Feb 2006 17:01:13 -0800 Subject: [IPV6]: Fix illegal dst locking in softirq context. On Tue, Jan 31, 2006 at 10:24:32PM +0100, Ingo Molnar wrote: > > [] _write_lock+0x8/0x10 > [] inet6_destroy_sock+0x25/0x100 > [] tcp_v6_destroy_sock+0x12/0x20 > [] inet_csk_destroy_sock+0x4a/0x150 > [] tcp_rcv_state_process+0xd4c/0xdd0 > [] tcp_v4_do_rcv+0xa9/0x340 > [] tcp_v4_rcv+0x8eb/0x9d0 OK this is definitely broken. We should never touch the dst lock in softirq context. Since inet6_destroy_sock may be called from that context due to the asynchronous nature of sockets, we can't take the lock there. In fact this sk_dst_reset is totally redundant since all IPv6 sockets use inet_sock_destruct as their socket destructor which always cleans up the dst anyway. So the solution is to simply remove the call. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv6/af_inet6.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 064ffab82a9f..6c9711ac1c03 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -369,12 +369,6 @@ int inet6_destroy_sock(struct sock *sk) struct sk_buff *skb; struct ipv6_txoptions *opt; - /* - * Release destination entry - */ - - sk_dst_reset(sk); - /* Release rx options */ if ((skb = xchg(&np->pktoptions, NULL)) != NULL) -- cgit v1.2.3-55-g7522 From 95f7daf1c058dc6afbc2d33b6a65ce1bae132dc8 Mon Sep 17 00:00:00 2001 From: Horms Date: Thu, 2 Feb 2006 17:02:25 -0800 Subject: [IPV4]: Document icmp_errors_use_inbound_ifaddr sysctl Taken largely from the commit of the patch that added this feature: 1c2fb7f93cb20621772bf304f3dba0849942e5db I'm not sure about the ordering of the options in sysctl.txt, so I took a wild guess about where it fits. Signed-Off-By: Horms Signed-off-by: David S. Miller --- Documentation/networking/ip-sysctl.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index 2b7cf19a06ad..26364d06ae92 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -427,6 +427,23 @@ icmp_ignore_bogus_error_responses - BOOLEAN will avoid log file clutter. Default: FALSE +icmp_errors_use_inbound_ifaddr - BOOLEAN + + If zero, icmp error messages are sent with the primary address of + the exiting interface. + + If non-zero, the message will be sent with the primary address of + the interface that received the packet that caused the icmp error. + This is the behaviour network many administrators will expect from + a router. And it can make debugging complicated network layouts + much easier. + + Note that if no primary address exists for the interface selected, + then the primary address of the first non-loopback interface that + has one will be used regarldess of this setting. + + Default: 0 + igmp_max_memberships - INTEGER Change the maximum number of multicast groups we can subscribe to. Default: 20 -- cgit v1.2.3-55-g7522 From f00c401b9b5f0a90e2eb05705f5988fbda0b082b Mon Sep 17 00:00:00 2001 From: Horms Date: Thu, 2 Feb 2006 17:03:18 -0800 Subject: [IPV4]: Remove suprious use of goto out: in icmp_reply This seems to be an artifact of the follwoing commit in February '02. e7e173af42dbf37b1d946f9ee00219cb3b2bea6a In a nutshell, goto out and return actually do the same thing, and both are called in this function. This patch removes out. Signed-Off-By: Horms Signed-off-by: David S. Miller --- net/ipv4/icmp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 105039eb7629..6bc0887b0834 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -385,7 +385,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) u32 daddr; if (ip_options_echo(&icmp_param->replyopts, skb)) - goto out; + return; if (icmp_xmit_lock()) return; @@ -416,7 +416,6 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) ip_rt_put(rt); out_unlock: icmp_xmit_unlock(); -out:; } -- cgit v1.2.3-55-g7522 From 3f330317ab4973178423aba750d6d0ca5ce0024a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 2 Feb 2006 17:15:41 -0800 Subject: [TEXTSEARCH]: Fix broken good shift array calculation in Boyer-Moore The current logic does not calculate correctly the good shift array: Let x be the pattern that is being searched. Let y be the block of data. The good shift array aligns the segment: x[i+1 ... m-1] = y[i+j+1 ... j+m-1] with its rightmost occurrence in x that fulfils x[i] neq y[i+j]. In previous version, the good shift array for the pattern ANPANMAN is: [1, 8, 3, 8, 8, 8, 8, 8] and should be: [1, 8, 3, 6, 6, 6, 6, 6] Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller --- lib/ts_bm.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/lib/ts_bm.c b/lib/ts_bm.c index 8a8b3a16133e..c4c1ac5fbd1a 100644 --- a/lib/ts_bm.c +++ b/lib/ts_bm.c @@ -94,10 +94,28 @@ next: bs = bm->bad_shift[text[shift-i]]; return UINT_MAX; } +static int subpattern(u8 *pattern, int i, int j, int g) +{ + int x = i+g-1, y = j+g-1, ret = 0; + + while(pattern[x--] == pattern[y--]) { + if (y < 0) { + ret = 1; + break; + } + if (--g == 0) { + ret = pattern[i-1] != pattern[j-1]; + break; + } + } + + return ret; +} + static void compute_prefix_tbl(struct ts_bm *bm, const u8 *pattern, unsigned int len) { - int i, j, ended, l[ASIZE]; + int i, j, g; for (i = 0; i < ASIZE; i++) bm->bad_shift[i] = len; @@ -106,23 +124,15 @@ static void compute_prefix_tbl(struct ts_bm *bm, const u8 *pattern, /* Compute the good shift array, used to match reocurrences * of a subpattern */ - for (i = 1; i < bm->patlen; i++) { - for (j = 0; j < bm->patlen && bm->pattern[bm->patlen - 1 - j] - == bm->pattern[bm->patlen - 1 - i - j]; j++); - l[i] = j; - } - bm->good_shift[0] = 1; for (i = 1; i < bm->patlen; i++) bm->good_shift[i] = bm->patlen; - for (i = bm->patlen - 1; i > 0; i--) - bm->good_shift[l[i]] = i; - ended = 0; - for (i = 0; i < bm->patlen; i++) { - if (l[i] == bm->patlen - 1 - i) - ended = i; - if (ended) - bm->good_shift[i] = ended; + for (i = bm->patlen-1, g = 1; i > 0; g++, i--) { + for (j = i-1; j >= 1-g ; j--) + if (subpattern(bm->pattern, i, j, g)) { + bm->good_shift[g] = bm->patlen-j-g; + break; + } } } -- cgit v1.2.3-55-g7522 From 7faa006f94fda56a587242b2a22fa19abf840222 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Thu, 2 Feb 2006 17:29:28 -0800 Subject: [TG3]: Flush tg3_reset_task() Make sure tg3_reset_task() is flushed in the close and suspend paths as noted by Jeff Garzik. In the close path, calling flush_scheduled_work() may cause deadlock if linkwatch_event() is on the workqueue. linkwatch_event() will try to get the rtnl_lock() which is already held by tg3_close(). So instead, we set a flag in tg3_reset_task() and tg3_close() polls the flag until it is cleared. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/tg3.c | 26 ++++++++++++++++++++++++-- drivers/net/tg3.h | 1 + 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c index f2d1dafde087..6fb29ca3fd30 100644 --- a/drivers/net/tg3.c +++ b/drivers/net/tg3.c @@ -3482,6 +3482,17 @@ static void tg3_reset_task(void *_data) struct tg3 *tp = _data; unsigned int restart_timer; + tg3_full_lock(tp, 0); + tp->tg3_flags |= TG3_FLAG_IN_RESET_TASK; + + if (!netif_running(tp->dev)) { + tp->tg3_flags &= ~TG3_FLAG_IN_RESET_TASK; + tg3_full_unlock(tp); + return; + } + + tg3_full_unlock(tp); + tg3_netif_stop(tp); tg3_full_lock(tp, 1); @@ -3494,10 +3505,12 @@ static void tg3_reset_task(void *_data) tg3_netif_start(tp); - tg3_full_unlock(tp); - if (restart_timer) mod_timer(&tp->timer, jiffies + 1); + + tp->tg3_flags &= ~TG3_FLAG_IN_RESET_TASK; + + tg3_full_unlock(tp); } static void tg3_tx_timeout(struct net_device *dev) @@ -6786,6 +6799,13 @@ static int tg3_close(struct net_device *dev) { struct tg3 *tp = netdev_priv(dev); + /* Calling flush_scheduled_work() may deadlock because + * linkwatch_event() may be on the workqueue and it will try to get + * the rtnl_lock which we are holding. + */ + while (tp->tg3_flags & TG3_FLAG_IN_RESET_TASK) + msleep(1); + netif_stop_queue(dev); del_timer_sync(&tp->timer); @@ -10880,6 +10900,7 @@ static void __devexit tg3_remove_one(struct pci_dev *pdev) if (dev) { struct tg3 *tp = netdev_priv(dev); + flush_scheduled_work(); unregister_netdev(dev); if (tp->regs) { iounmap(tp->regs); @@ -10901,6 +10922,7 @@ static int tg3_suspend(struct pci_dev *pdev, pm_message_t state) if (!netif_running(dev)) return 0; + flush_scheduled_work(); tg3_netif_stop(tp); del_timer_sync(&tp->timer); diff --git a/drivers/net/tg3.h b/drivers/net/tg3.h index e8243305f0e8..7f4b7f6ac40d 100644 --- a/drivers/net/tg3.h +++ b/drivers/net/tg3.h @@ -2162,6 +2162,7 @@ struct tg3 { #define TG3_FLAG_JUMBO_RING_ENABLE 0x00800000 #define TG3_FLAG_10_100_ONLY 0x01000000 #define TG3_FLAG_PAUSE_AUTONEG 0x02000000 +#define TG3_FLAG_IN_RESET_TASK 0x04000000 #define TG3_FLAG_BROKEN_CHECKSUMS 0x10000000 #define TG3_FLAG_GOT_SERDES_FLOWCTL 0x20000000 #define TG3_FLAG_SPLIT_MODE 0x40000000 -- cgit v1.2.3-55-g7522 From 6e2be3ea4fab4d1c02e369719311e8d7ae6cc7c1 Mon Sep 17 00:00:00 2001 From: David S. Miller Date: Thu, 2 Feb 2006 17:29:59 -0800 Subject: [TG3]: Update driver version and release date. Signed-off-by: David S. Miller --- drivers/net/tg3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c index 6fb29ca3fd30..e7dc653d5bd6 100644 --- a/drivers/net/tg3.c +++ b/drivers/net/tg3.c @@ -69,8 +69,8 @@ #define DRV_MODULE_NAME "tg3" #define PFX DRV_MODULE_NAME ": " -#define DRV_MODULE_VERSION "3.48" -#define DRV_MODULE_RELDATE "Jan 16, 2006" +#define DRV_MODULE_VERSION "3.49" +#define DRV_MODULE_RELDATE "Feb 2, 2006" #define TG3_DEF_MAC_MODE 0 #define TG3_DEF_RX_MODE 0 -- cgit v1.2.3-55-g7522 From 0dec456d1fe73e0539625f0973ee8ef8fb805943 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 2 Feb 2006 20:40:09 -0800 Subject: [NET]: Add CONFIG_NETDEBUG to suppress bad packet messages. If you are on a hostile network, or are running protocol tests, you can easily get the logged swamped by messages about bad UDP and ICMP packets. This turns those messages off unless a config option is enabled. Signed-off-by: Stephen Hemminger Acked-by: Dave Jones Signed-off-by: David S. Miller --- include/net/sock.h | 8 ++++---- net/Kconfig | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index 1806e5b61419..30758035d616 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1354,12 +1354,12 @@ extern int sock_get_timestamp(struct sock *, struct timeval __user *); * Enable debug/info messages */ -#if 0 -#define NETDEBUG(fmt, args...) do { } while (0) -#define LIMIT_NETDEBUG(fmt, args...) do { } while(0) -#else +#ifdef CONFIG_NETDEBUG #define NETDEBUG(fmt, args...) printk(fmt,##args) #define LIMIT_NETDEBUG(fmt, args...) do { if (net_ratelimit()) printk(fmt,##args); } while(0) +#else +#define NETDEBUG(fmt, args...) do { } while (0) +#define LIMIT_NETDEBUG(fmt, args...) do { } while(0) #endif /* diff --git a/net/Kconfig b/net/Kconfig index bc603d9aea56..5126f58d9c44 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -27,6 +27,13 @@ if NET menu "Networking options" +config NETDEBUG + bool "Network packet debugging" + help + You can say Y here if you want to get additional messages useful in + debugging bad packets, but can overwhelm logs under denial of service + attacks. + source "net/packet/Kconfig" source "net/unix/Kconfig" source "net/xfrm/Kconfig" -- cgit v1.2.3-55-g7522