Please add the following networking fixes to 2.6.38-stable Thanks!
From 30ae9139dc3b44d14a56fbbc2a3f8f63aa586a17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20L=C3=BCssing?= <[email protected]> Date: Tue, 22 Mar 2011 11:40:32 +0000 Subject: [PATCH 01/13] bridge: Fix possibly wrong MLD queries' ethernet source address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
[ Upstream commit a7bff75b087e7a355838a32efe61707cfa73c194 ] The ipv6_dev_get_saddr() is currently called with an uninitialized destination address. Although in tests it usually seemed to nevertheless always fetch the right source address, there seems to be a possible race condition. Therefore this commit changes this, first setting the destination address and only after that fetching the source address. Reported-by: Jan Beulich <[email protected]> Signed-off-by: Linus Lüssing <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/bridge/br_multicast.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 030a002..f61eb2e 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -445,9 +445,9 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br, ip6h->payload_len = htons(8 + sizeof(*mldq)); ip6h->nexthdr = IPPROTO_HOPOPTS; ip6h->hop_limit = 1; + ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1)); ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0, &ip6h->saddr); - ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1)); ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest); hopopt = (u8 *)(ip6h + 1); -- 1.7.4.3 From 228f4d04e7d7a239b4c44e6f329aaec88f40e54a Mon Sep 17 00:00:00 2001 From: Eric Dumazet <[email protected]> Date: Wed, 30 Mar 2011 16:57:46 -0700 Subject: [PATCH 02/13] fib: add rtnl locking in ip_fib_net_exit [ Upstream commit e2666f84958adb3a034b98e99699b55705117e01 ] Daniel J Blueman reported a lockdep splat in trie_firstleaf(), caused by RTNL being not locked before a call to fib_table_flush() Reported-by: Daniel J Blueman <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/ipv4/fib_frontend.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 1d2cdd4..8725e78 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -1041,6 +1041,7 @@ static void ip_fib_net_exit(struct net *net) fib4_rules_exit(net); #endif + rtnl_lock(); for (i = 0; i < FIB_TABLE_HASHSZ; i++) { struct fib_table *tb; struct hlist_head *head; @@ -1053,6 +1054,7 @@ static void ip_fib_net_exit(struct net *net) fib_free_table(tb); } } + rtnl_unlock(); kfree(net->ipv4.fib_table_hash); } -- 1.7.4.3 From 4dbd99fd8453ae681dad8fc1e7aa2c05e16b0cc1 Mon Sep 17 00:00:00 2001 From: Alex Dubov <[email protected]> Date: Wed, 16 Mar 2011 17:57:13 +0000 Subject: [PATCH 03/13] gianfar: Fall back to software tcp/udp checksum on older controllers [ Upstream commit 4363c2fddb1399b728ef21ee8101c148a311ea45 ] As specified by errata eTSEC49 of MPC8548 and errata eTSEC12 of MPC83xx, older revisions of gianfar controllers will be unable to calculate a TCP/UDP packet checksum for some alignments of the appropriate FCB. This patch checks for FCB alignment on such controllers and falls back to software checksumming if the alignment is known to be bad. Signed-off-by: Alex Dubov <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- drivers/net/gianfar.c | 16 ++++++++++++++-- drivers/net/gianfar.h | 1 + 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/net/gianfar.c b/drivers/net/gianfar.c index 5ed8f9f..3da19a5 100644 --- a/drivers/net/gianfar.c +++ b/drivers/net/gianfar.c @@ -950,6 +950,11 @@ static void gfar_detect_errata(struct gfar_private *priv) (pvr == 0x80861010 && (mod & 0xfff9) == 0x80c0)) priv->errata |= GFAR_ERRATA_A002; + /* MPC8313 Rev < 2.0, MPC8548 rev 2.0 */ + if ((pvr == 0x80850010 && mod == 0x80b0 && rev < 0x0020) || + (pvr == 0x80210020 && mod == 0x8030 && rev == 0x0020)) + priv->errata |= GFAR_ERRATA_12; + if (priv->errata) dev_info(dev, "enabled errata workarounds, flags: 0x%x\n", priv->errata); @@ -2156,8 +2161,15 @@ static int gfar_start_xmit(struct sk_buff *skb, struct net_device *dev) /* Set up checksumming */ if (CHECKSUM_PARTIAL == skb->ip_summed) { fcb = gfar_add_fcb(skb); - lstatus |= BD_LFLAG(TXBD_TOE); - gfar_tx_checksum(skb, fcb); + /* as specified by errata */ + if (unlikely(gfar_has_errata(priv, GFAR_ERRATA_12) + && ((unsigned long)fcb % 0x20) > 0x18)) { + __skb_pull(skb, GMAC_FCB_LEN); + skb_checksum_help(skb); + } else { + lstatus |= BD_LFLAG(TXBD_TOE); + gfar_tx_checksum(skb, fcb); + } } if (vlan_tx_tag_present(skb)) { diff --git a/drivers/net/gianfar.h b/drivers/net/gianfar.h index 54de413..ec5d595 100644 --- a/drivers/net/gianfar.h +++ b/drivers/net/gianfar.h @@ -1039,6 +1039,7 @@ enum gfar_errata { GFAR_ERRATA_74 = 0x01, GFAR_ERRATA_76 = 0x02, GFAR_ERRATA_A002 = 0x04, + GFAR_ERRATA_12 = 0x08, /* a.k.a errata eTSEC49 */ }; /* Struct stolen almost completely (and shamelessly) from the FCC enet source -- 1.7.4.3 From 2f288c99c4ba53a7ddbb5a7a77e42ae72d6da3b9 Mon Sep 17 00:00:00 2001 From: James Chapman <[email protected]> Date: Mon, 21 Mar 2011 18:10:25 -0700 Subject: [PATCH 04/13] l2tp: fix possible oops on l2tp_eth module unload [ Upstream commit 8aa525a9340da4227797a06221ca08399006635f ] A struct used in the l2tp_eth driver for registering network namespace ops was incorrectly marked as __net_initdata, leading to oops when module unloaded. BUG: unable to handle kernel paging request at ffffffffa00ec098 IP: [<ffffffff8123dbd8>] ops_exit_list+0x7/0x4b PGD 142d067 PUD 1431063 PMD 195da8067 PTE 0 Oops: 0000 [#1] SMP last sysfs file: /sys/module/l2tp_eth/refcnt Call Trace: [<ffffffff8123dc94>] ? unregister_pernet_operations+0x32/0x93 [<ffffffff8123dd20>] ? unregister_pernet_device+0x2b/0x38 [<ffffffff81068b6e>] ? sys_delete_module+0x1b8/0x222 [<ffffffff810c7300>] ? do_munmap+0x254/0x318 [<ffffffff812c64e5>] ? page_fault+0x25/0x30 [<ffffffff812c6952>] ? system_call_fastpath+0x16/0x1b Signed-off-by: James Chapman <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/l2tp/l2tp_eth.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c index 8d9ce0a..a8193f5 100644 --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -283,7 +283,7 @@ static __net_init int l2tp_eth_init_net(struct net *net) return 0; } -static __net_initdata struct pernet_operations l2tp_eth_net_ops = { +static struct pernet_operations l2tp_eth_net_ops = { .init = l2tp_eth_init_net, .id = &l2tp_eth_net_id, .size = sizeof(struct l2tp_eth_net), -- 1.7.4.3 From c751cf0998164651824e1f68d124110d448d5ec3 Mon Sep 17 00:00:00 2001 From: Eric W. Biederman <[email protected]> Date: Mon, 21 Mar 2011 18:23:34 -0700 Subject: [PATCH 05/13] net ipv6: Fix duplicate /proc/sys/net/ipv6/neigh directory entries. [ Upstream commit 9d2a8fa96a44ba242de3a6f56acaef7a40a97b97 ] When I was fixing issues with unregisgtering tables under /proc/sys/net/ipv6/neigh by adding a mount point it appears I missed a critical ordering issue, in the ipv6 initialization. I had not realized that ipv6_sysctl_register is called at the very end of the ipv6 initialization and in particular after we call neigh_sysctl_register from ndisc_init. "neigh" needs to be initialized in ipv6_static_sysctl_register which is the first ipv6 table to initialized, and definitely before ndisc_init. This removes the weirdness of duplicate tables while still providing a "neigh" mount point which prevents races in sysctl unregistering. This was initially reported at https://bugzilla.kernel.org/show_bug.cgi?id=31232 Reported-by: [email protected] Signed-off-by: Eric W. Biederman <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/ipv6/sysctl_net_ipv6.c | 18 +++++++++++------- 1 files changed, 11 insertions(+), 7 deletions(-) diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index 7cb65ef..6dcf5e7 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c @@ -17,6 +17,16 @@ static struct ctl_table empty[1]; +static ctl_table ipv6_static_skeleton[] = { + { + .procname = "neigh", + .maxlen = 0, + .mode = 0555, + .child = empty, + }, + { } +}; + static ctl_table ipv6_table_template[] = { { .procname = "route", @@ -37,12 +47,6 @@ static ctl_table ipv6_table_template[] = { .mode = 0644, .proc_handler = proc_dointvec }, - { - .procname = "neigh", - .maxlen = 0, - .mode = 0555, - .child = empty, - }, { } }; @@ -160,7 +164,7 @@ static struct ctl_table_header *ip6_base; int ipv6_static_sysctl_register(void) { - ip6_base = register_sysctl_paths(net_ipv6_ctl_path, empty); + ip6_base = register_sysctl_paths(net_ipv6_ctl_path, ipv6_static_skeleton); if (ip6_base == NULL) return -ENOMEM; return 0; -- 1.7.4.3 From f041eaa28a108f73cf02e7059cf0616dfd43b232 Mon Sep 17 00:00:00 2001 From: Dan Siemon <[email protected]> Date: Tue, 15 Mar 2011 13:56:07 +0000 Subject: [PATCH 06/13] net_sched: fix ip_tos2prio MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 4a2b9c3756077c05dd8666e458a751d2248b61b6 ] ECN support incorrectly maps ECN BESTEFFORT packets to TC_PRIO_FILLER (1) instead of TC_PRIO_BESTEFFORT (0) This means ECN enabled flows are placed in pfifo_fast/prio low priority band, giving ECN enabled flows [ECT(0) and CE codepoints] higher drop probabilities. This is rather unfortunate, given we would like ECN being more widely used. Ref : http://www.coverfire.com/archives/2011/03/13/pfifo_fast-and-ecn/ Signed-off-by: Dan Siemon <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> Cc: Dave Täht <[email protected]> Cc: Jonathan Morton <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/ipv4/route.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 6ed6603..fabfe81 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -171,7 +171,7 @@ static struct dst_ops ipv4_dst_ops = { const __u8 ip_tos2prio[16] = { TC_PRIO_BESTEFFORT, - ECN_OR_COST(FILLER), + ECN_OR_COST(BESTEFFORT), TC_PRIO_BESTEFFORT, ECN_OR_COST(BESTEFFORT), TC_PRIO_BULK, -- 1.7.4.3 From 1a3ea69b2cb514439d4a5f6cabac89a845204f1b Mon Sep 17 00:00:00 2001 From: Ulrich Weber <[email protected]> Date: Wed, 6 Apr 2011 14:04:49 -0700 Subject: [PATCH 07/13] pppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev [ Upstream commit ae07b0b221b6ab2edf9e3abd518aec6cd3f1ba66 ] otherwise we loop forever if a PPPoE socket was set to PPPOX_ZOMBIE state by a PADT message when the ethernet device is going down afterwards. Signed-off-by: Ulrich Weber <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- drivers/net/pppoe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c index 78c0e3c..71b1d8f 100644 --- a/drivers/net/pppoe.c +++ b/drivers/net/pppoe.c @@ -317,7 +317,7 @@ static void pppoe_flush_dev(struct net_device *dev) lock_sock(sk); if (po->pppoe_dev == dev && - sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) { + sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) { pppox_unbind_sock(sk); sk->sk_state = PPPOX_ZOMBIE; sk->sk_state_change(sk); -- 1.7.4.3 From b51d6615ff5f9fc7c55727740b565b4eeafb7c4c Mon Sep 17 00:00:00 2001 From: David S. Miller <[email protected]> Date: Wed, 30 Mar 2011 17:51:36 -0700 Subject: [PATCH 08/13] sctp: Pass __GFP_NOWARN to hash table allocation attempts. [ Upstream commit a84b50ceb7d640437d0dc28a2bef0d0de054de89 ] Like DCCP and other similar pieces of code, there are mechanisms here to try allocating smaller hash tables if the allocation fails. So pass in __GFP_NOWARN like the others do instead of emitting a scary message. Reported-by: Dave Jones <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/sctp/protocol.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c index e58f947..dec012d 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -1204,7 +1204,7 @@ SCTP_STATIC __init int sctp_init(void) if ((sctp_assoc_hashsize > (64 * 1024)) && order > 0) continue; sctp_assoc_hashtable = (struct sctp_hashbucket *) - __get_free_pages(GFP_ATOMIC, order); + __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order); } while (!sctp_assoc_hashtable && --order > 0); if (!sctp_assoc_hashtable) { pr_err("Failed association hash alloc\n"); @@ -1237,7 +1237,7 @@ SCTP_STATIC __init int sctp_init(void) if ((sctp_port_hashsize > (64 * 1024)) && order > 0) continue; sctp_port_hashtable = (struct sctp_bind_hashbucket *) - __get_free_pages(GFP_ATOMIC, order); + __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order); } while (!sctp_port_hashtable && --order > 0); if (!sctp_port_hashtable) { pr_err("Failed bind hash alloc\n"); -- 1.7.4.3 From bd59e4b2b325a4f0fcd491a8ec55a619fef91ded Mon Sep 17 00:00:00 2001 From: Yuchung Cheng <[email protected]> Date: Mon, 14 Mar 2011 10:57:03 +0000 Subject: [PATCH 09/13] tcp: avoid cwnd moderation in undo [ Upstream commit 67d4120a1793138bc9f4a6eb61d0fc5298ed97e0 ] In the current undo logic, cwnd is moderated after it was restored to the value prior entering fast-recovery. It was moderated first in tcp_try_undo_recovery then again in tcp_complete_cwr. Since the undo indicates recovery was false, these moderations are not necessary. If the undo is triggered when most of the outstanding data have been acknowledged, the (restored) cwnd is falsely pulled down to a small value. This patch removes these cwnd moderations if cwnd is undone a) during fast-recovery b) by receiving DSACKs past fast-recovery Signed-off-by: Yuchung Cheng <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/ipv4/tcp_input.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 65f6c04..5f1ea7c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -2659,7 +2659,7 @@ static void DBGUNDO(struct sock *sk, const char *msg) #define DBGUNDO(x...) do { } while (0) #endif -static void tcp_undo_cwr(struct sock *sk, const int undo) +static void tcp_undo_cwr(struct sock *sk, const int undo_ssthresh) { struct tcp_sock *tp = tcp_sk(sk); @@ -2671,14 +2671,13 @@ static void tcp_undo_cwr(struct sock *sk, const int undo) else tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh << 1); - if (undo && tp->prior_ssthresh > tp->snd_ssthresh) { + if (undo_ssthresh && tp->prior_ssthresh > tp->snd_ssthresh) { tp->snd_ssthresh = tp->prior_ssthresh; TCP_ECN_withdraw_cwr(tp); } } else { tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh); } - tcp_moderate_cwnd(tp); tp->snd_cwnd_stamp = tcp_time_stamp; } @@ -2822,8 +2821,11 @@ static int tcp_try_undo_loss(struct sock *sk) static inline void tcp_complete_cwr(struct sock *sk) { struct tcp_sock *tp = tcp_sk(sk); - tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh); - tp->snd_cwnd_stamp = tcp_time_stamp; + /* Do not moderate cwnd if it's already undone in cwr or recovery */ + if (tp->undo_marker && tp->snd_cwnd > tp->snd_ssthresh) { + tp->snd_cwnd = tp->snd_ssthresh; + tp->snd_cwnd_stamp = tcp_time_stamp; + } tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR); } -- 1.7.4.3 From 6677647340a5d58b48b792af078701f4068be4b4 Mon Sep 17 00:00:00 2001 From: Steffen Klassert <[email protected]> Date: Tue, 15 Mar 2011 21:12:49 +0000 Subject: [PATCH 10/13] xfrm: Refcount destination entry on xfrm_lookup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit fbd5060875d25f7764fd1c3d35b83a8ed1d88d7b ] We return a destination entry without refcount if a socket policy is found in xfrm_lookup. This triggers a warning on a negative refcount when freeeing this dst entry. So take a refcount in this case to fix it. This refcount was forgotten when xfrm changed to cache bundles instead of policies for outgoing flows. Signed-off-by: Steffen Klassert <[email protected]> Acked-by: Timo Teräs <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/xfrm/xfrm_policy.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6459588..8da2741 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1778,6 +1778,8 @@ restart: goto no_transform; } + dst_hold(&xdst->u.dst); + spin_lock_bh(&xfrm_policy_sk_bundle_lock); xdst->u.dst.next = xfrm_policy_sk_bundles; xfrm_policy_sk_bundles = &xdst->u.dst; -- 1.7.4.3 From caee7ff2b797002ca8ab16bb44d3ecc909b7d55c Mon Sep 17 00:00:00 2001 From: Vasiliy Kulikov <[email protected]> Date: Thu, 17 Mar 2011 01:40:10 +0000 Subject: [PATCH 11/13] econet: 4 byte infoleak to the network [ Upstream commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e ] struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov <[email protected]> Acked-by: Phil Blundell <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/econet/af_econet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index 0c28263..116d3fd 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c @@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock, udpdest.sin_addr.s_addr = htonl(network | addr.station); } + memset(&ah, 0, sizeof(ah)); ah.port = port; ah.cb = cb & 0x7f; ah.code = 2; /* magic */ - ah.pad = 0; /* tack our header on the front of the iovec */ size = sizeof(struct aunhdr); -- 1.7.4.3 From c0fd11cf45228241f8b3fb42020b1c9493dcdac7 Mon Sep 17 00:00:00 2001 From: Eric Dumazet <[email protected]> Date: Fri, 18 Mar 2011 00:27:27 +0000 Subject: [PATCH 12/13] vlan: should take into account needed_headroom [ Upstream commit d870bfb9d366c5d466c0f5419a4ec95a3f71ea8a ] Commit c95b819ad7 (gre: Use needed_headroom) made gre use needed_headroom instead of hard_header_len This uncover a bug in vlan code. We should make sure vlan devices take into account their real_dev->needed_headroom or we risk a crash in ipgre_header(), because we dont have enough room to push IP header in skb. Reported-by: Diddi Oscarsson <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> Cc: Patrick McHardy <[email protected]> Cc: Herbert Xu <[email protected]> Acked-by: Herbert Xu <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/8021q/vlan_dev.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c index be73753..ed68d07 100644 --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -707,6 +707,7 @@ static int vlan_dev_init(struct net_device *dev) dev->fcoe_ddp_xid = real_dev->fcoe_ddp_xid; #endif + dev->needed_headroom = real_dev->needed_headroom; if (real_dev->features & NETIF_F_HW_VLAN_TX) { dev->header_ops = real_dev->header_ops; dev->hard_header_len = real_dev->hard_header_len; -- 1.7.4.3 From 0589d1f7a527e5f4c4c6d16b734cfed4e3608f1c Mon Sep 17 00:00:00 2001 From: Herbert Xu <[email protected]> Date: Fri, 18 Mar 2011 05:27:28 +0000 Subject: [PATCH 13/13] bridge: Reset IPCB when entering IP stack on NF_FORWARD [ Upstream commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e ] Whenever we enter the IP stack proper from bridge netfilter we need to ensure that the skb is in a form the IP stack expects it to be in. The entry point on NF_FORWARD did not meet the requirements of the IP stack, therefore leading to potential crashes/panics. This patch fixes the problem. Signed-off-by: Herbert Xu <[email protected]> Acked-by: Stephen Hemminger <[email protected]> Signed-off-by: David S. Miller <[email protected]> --- net/bridge/br_netfilter.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 4b5b66d..49d50ea 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -741,6 +741,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb, nf_bridge->mask |= BRNF_PKT_TYPE; } + if (br_parse_ip_options(skb)) + return NF_DROP; + /* The physdev module checks on this */ nf_bridge->mask |= BRNF_BRIDGED; nf_bridge->physoutdev = skb->dev; -- 1.7.4.3
_______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
