linux-toradex.git/net/ipv6, branch v2.6.18.3 Linux kernel for Apalis and Colibri modules [PATCH] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619] 2006-11-04T01:33:50+00:00 James Morris jmorris@namei.org 2006-10-30T23:11:21+00:00 d0239f35c7ae63dbe715b1cc66e4860c2cb33154 There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where, after finding a flowlabel, the code will loop forever not finding any further flowlabels, first traversing the rest of the hash bucket then just looping. This patch fixes the problem by breaking after the hash bucket has been traversed. Note that this bug can cause lockups and oopses, and is trivially invoked by an unpriveleged user. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.

This patch fixes the problem by breaking after the hash bucket has been
traversed.

Note that this bug can cause lockups and oopses, and is trivially invoked
by an unpriveleged user.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
IPV6: Disable SG for GSO unless we have checksum 2006-10-13T20:23:27+00:00 David Miller davem@davemloft.net 2006-09-28T02:04:35+00:00 92a86ee1f6027881b77b75d48a09e3a946a93d13 Because the system won't turn off the SG flag for us we need to do this manually on the IPv6 path. Otherwise we will throw IPv6 packets with bad checksums at the hardware. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
Because the system won't turn off the SG flag for us we
need to do this manually on the IPv6 path.  Otherwise we
will throw IPv6 packets with bad checksums at the hardware.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
IPV6: bh_lock_sock_nested on tcp_v6_rcv 2006-10-13T20:23:26+00:00 Fabio Olive Leite fleite@redhat.com 2006-09-26T05:29:54+00:00 5bf91bbc9f8da83f2c7c971aeb1bc1c4c73e554c A while ago Ingo patched tcp_v4_rcv on net/ipv4/tcp_ipv4.c to use bh_lock_sock_nested and silence a lock validator warning. This fixed it for IPv4, but recently I saw a report of the same warning on IPv6. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
A while ago Ingo patched tcp_v4_rcv on net/ipv4/tcp_ipv4.c to use
bh_lock_sock_nested and silence a lock validator warning. This fixed
it for IPv4, but recently I saw a report of the same warning on IPv6.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[IPV6]: Accept -1 for IPV6_TCLASS 2006-09-18T06:21:08+00:00 Remi Denis-Courmont rdenis@simphalempin.com 2006-09-14T03:08:07+00:00 d0ee011f7290b51974e4d058cf4455a5ef91177d This patch should add support for -1 as "default" IPv6 traffic class, as specified in IETF RFC3542 §6.5. Within the kernel, it seems tclass < 0 is already handled, but setsockopt, getsockopt and recvmsg calls won't accept it from userland. Signed-off-by: Remi Denis-Courmont <rdenis@simphalempin.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch should add support for -1 as "default" IPv6 traffic class,
as specified in IETF RFC3542 §6.5. Within the kernel, it seems tclass
< 0 is already handled, but setsockopt, getsockopt and recvmsg calls
won't accept it from userland.

Signed-off-by: Remi Denis-Courmont <rdenis@simphalempin.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix tclass setting for raw sockets. 2006-09-18T06:21:07+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-09-14T03:01:28+00:00 e012d51cbc41c5e603d7850c82acb0dad9e450dd np->cork.tclass is used only in cork'ed context. Otherwise, np->tclass should be used. Bug#7096 reported by Remi Denis-Courmont <rdenis@simphalempin.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
np->cork.tclass is used only in cork'ed context.
Otherwise, np->tclass should be used.

Bug#7096 reported by Remi Denis-Courmont <rdenis@simphalempin.com>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix kernel OOPs when setting sticky socket options. 2006-08-31T21:52:17+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-08-31T21:52:17+00:00 99c7bc0133b875280fdd2bf78e4ffbd58cc609e3 Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Bug noticed by Remi Denis-Courmont <rdenis@simphalempin.com>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: ipv6_add_addr should install dstentry earlier 2006-08-30T04:22:18+00:00 Keir Fraser keir.fraser@cl.cam.ac.uk 2006-08-29T09:43:49+00:00 57f5f544f58ffa1d6c38630d0522c9c0be67c533 ipv6_add_addr allocates a struct inet6_ifaddr and a dstentry, but it doesn't install the dstentry in ifa->rt until after it releases the addrconf_hash_lock. This means other CPUs will be able to see the new address while it hasn't been initialized completely yet. One possible fix would be to grab the ifp->lock spinlock when creating the address struct; a simpler fix is to just move the assignment. Acked-by: jbeulich@novell.com Acked-by: okir@suse.de Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
ipv6_add_addr allocates a struct inet6_ifaddr and a dstentry, but it
doesn't install the dstentry in ifa->rt until after it releases the
addrconf_hash_lock. This means other CPUs will be able to see the new
address while it hasn't been initialized completely yet.

One possible fix would be to grab the ifp->lock spinlock when
creating the address struct; a simpler fix is to just move the
assignment.

Acked-by: jbeulich@novell.com
Acked-by: okir@suse.de
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: SNMPv2 "ipv6IfStatsInAddrErrors" counter error 2006-08-30T04:22:15+00:00 Lv Liangying lvly@nanjing-fnst.com 2006-08-29T07:00:47+00:00 76d0cc1b64e1686b2b53e081c94142dd99f01ec5 When I tested Linux kernel 2.6.17.7 about statistics "ipv6IfStatsInAddrErrors", found that this counter couldn't increase correctly. The criteria is RFC2465: ipv6IfStatsInAddrErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address." ::= { ipv6IfStatsEntry 5 } When I send packet to host with destination that is ether invalid address(::0) or unsupported addresses(1::1), the Linux kernel just discard the packet, and the counter doesn't increase(in the function ip6_pkt_discard). Signed-off-by: Lv Liangying <lvly@nanjing-fnst.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
   When I tested Linux kernel 2.6.17.7 about statistics
"ipv6IfStatsInAddrErrors", found that this counter couldn't increase
correctly. The criteria is RFC2465:
 ipv6IfStatsInAddrErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
         "The number of input datagrams discarded because
         the IPv6 address in their IPv6 header's destination
         field was not a valid address to be received at
         this entity.  This count includes invalid
         addresses (e.g., ::0) and unsupported addresses
         (e.g., addresses with unallocated prefixes).  For
         entities which are not IPv6 routers and therefore
         do not forward datagrams, this counter includes
         datagrams discarded because the destination address
         was not a local address."
      ::= { ipv6IfStatsEntry 5 }

When I send packet to host with destination that is ether invalid
address(::0) or unsupported addresses(1::1), the Linux kernel just
discard the packet, and the counter doesn't increase(in the function
ip6_pkt_discard).

Signed-off-by: Lv Liangying <lvly@nanjing-fnst.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Segmentation offload not set correctly on TCP children 2006-08-27T01:42:01+00:00 Stephen Hemminger shemminger@osdl.org 2006-08-25T22:55:43+00:00 59eed279c5daa88d95e429782ddb8ef87e52c44b TCP over IPV6 would incorrectly inherit the GSO settings. This would cause kernel to send Tcp Segmentation Offload packets for IPV6 data to devices that can't handle it. It caused the sky2 driver to lock http://bugzilla.kernel.org/show_bug.cgi?id=7050 and the e1000 would generate bogus packets. I can't blame the hardware for gagging if the upper layers feed it garbage. This was a new bug in 2.6.18 introduced with GSO support. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
TCP over IPV6 would incorrectly inherit the GSO settings.
This would cause kernel to send Tcp Segmentation Offload packets for
IPV6 data to devices that can't handle it. It caused the sky2 driver
to lock http://bugzilla.kernel.org/show_bug.cgi?id=7050
and the e1000 would generate bogus packets. I can't blame the
hardware for gagging if the upper layers feed it garbage.

This was a new bug in 2.6.18 introduced with GSO support.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[MCAST]: Fix filter leak on device removal. 2006-08-17T23:29:57+00:00 David L Stevens dlstevens@us.ibm.com 2006-08-17T23:27:39+00:00 acd6e00b8e4db542cb6bc9ddfbb4e18bbe29ce4d This fixes source filter leakage when a device is removed and a process leaves the group thereafter. This also includes corresponding fixes for IPv6 multicast source filters on device removal. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This fixes source filter leakage when a device is removed and a
process leaves the group thereafter.

This also includes corresponding fixes for IPv6 multicast source
filters on device removal.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>