<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4, branch linux-2.6.17.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Allow per-route window scale limiting</title>
<updated>2006-09-08T21:51:37+00:00</updated>
<author>
<name>Stephen Hemminger</name>
<email>shemminger@osdl.org</email>
</author>
<published>2006-08-22T07:10:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=31e8b3a3708f75d9e012e2c2ed2b9d6d69ad0491'/>
<id>31e8b3a3708f75d9e012e2c2ed2b9d6d69ad0491</id>
<content type='text'>
There are black box devices out there, routers and firewalls and
whatnot, that simply cannot grok the TCP window scaling option
correctly.

People should and do bark at the site running the device causing
the problems, but in the mean time folks do want a way to deal
with the problem.  We don't want them to turn off window scaling
completely as that hurts performance of connections that would run
just fine with window scaling enabled.

So give a way to do this on a per-route basis by limiting the
window scaling by the per-connection window clamp.  Stephen's
changelog message explains how to do this using a route metric.

[TCP]: Limit window scaling if window is clamped.

This small change allows for easy per-route workarounds for broken hosts or
middleboxes that are not compliant with TCP standards for window scaling.
Rather than having to turn off window scaling globally. This patch allows
reducing or disabling window scaling if window clamp is present.

Example: Mark Lord reported a problem with 2.6.17 kernel being unable to
access http://www.everymac.com

# ip route add 216.145.246.23/32 via 10.8.0.1 window 65535

Signed-off-by: Stephen Hemminger &lt;shemminger@osdl.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are black box devices out there, routers and firewalls and
whatnot, that simply cannot grok the TCP window scaling option
correctly.

People should and do bark at the site running the device causing
the problems, but in the mean time folks do want a way to deal
with the problem.  We don't want them to turn off window scaling
completely as that hurts performance of connections that would run
just fine with window scaling enabled.

So give a way to do this on a per-route basis by limiting the
window scaling by the per-connection window clamp.  Stephen's
changelog message explains how to do this using a route metric.

[TCP]: Limit window scaling if window is clamped.

This small change allows for easy per-route workarounds for broken hosts or
middleboxes that are not compliant with TCP standards for window scaling.
Rather than having to turn off window scaling globally. This patch allows
reducing or disabling window scaling if window clamp is present.

Example: Mark Lord reported a problem with 2.6.17 kernel being unable to
access http://www.everymac.com

# ip route add 216.145.246.23/32 via 10.8.0.1 window 65535

Signed-off-by: Stephen Hemminger &lt;shemminger@osdl.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fix output framentation of paged-skbs</title>
<updated>2006-09-08T21:51:36+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2006-08-22T20:41:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea624f5adfb84678011dd39422fe1366440a978b'/>
<id>ea624f5adfb84678011dd39422fe1366440a978b</id>
<content type='text'>
[INET]: Use pskb_trim_unique when trimming paged unique skbs

The IPv4/IPv6 datagram output path was using skb_trim to trim paged
packets because they know that the packet has not been cloned yet
(since the packet hasn't been given to anything else in the system).

This broke because skb_trim no longer allows paged packets to be
trimmed.  Paged packets must be given to one of the pskb_trim functions
instead.

This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6
datagram output path scenario and replaces the corresponding skb_trim
calls with it.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[INET]: Use pskb_trim_unique when trimming paged unique skbs

The IPv4/IPv6 datagram output path was using skb_trim to trim paged
packets because they know that the packet has not been cloned yet
(since the packet hasn't been given to anything else in the system).

This broke because skb_trim no longer allows paged packets to be
trimmed.  Paged packets must be given to one of the pskb_trim functions
instead.

This patch adds a new pskb_trim_unique function to cover the IPv4/IPv6
datagram output path scenario and replaces the corresponding skb_trim
calls with it.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fix ipv4 routing locking bug</title>
<updated>2006-08-23T21:13:32+00:00</updated>
<author>
<name>Alexey Kuznetsov</name>
<email>kuznet@ms2.inr.ac.ru</email>
</author>
<published>2006-08-18T05:57:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=67ce628f410668c5ddee2f4c7424a1bd8a8fc64b'/>
<id>67ce628f410668c5ddee2f4c7424a1bd8a8fc64b</id>
<content type='text'>
[IPV4]: severe locking bug in fib_semantics.c

Found in 2.4 by Yixin Pan &lt;yxpan@hotmail.com&gt;.

&gt; When I read fib_semantics.c of Linux-2.4.32, write_lock(&amp;fib_info_lock) =
&gt; is used in fib_release_info() instead of write_lock_bh(&amp;fib_info_lock).  =
&gt; Is the following case possible: a BH interrupts fib_release_info() while =
&gt; holding the write lock, and calls ip_check_fib_default() which calls =
&gt; read_lock(&amp;fib_info_lock), and spin forever.

Signed-off-by: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[IPV4]: severe locking bug in fib_semantics.c

Found in 2.4 by Yixin Pan &lt;yxpan@hotmail.com&gt;.

&gt; When I read fib_semantics.c of Linux-2.4.32, write_lock(&amp;fib_info_lock) =
&gt; is used in fib_release_info() instead of write_lock_bh(&amp;fib_info_lock).  =
&gt; Is the following case possible: a BH interrupts fib_release_info() while =
&gt; holding the write lock, and calls ip_check_fib_default() which calls =
&gt; read_lock(&amp;fib_info_lock), and spin forever.

Signed-off-by: Alexey Kuznetsov &lt;kuznet@ms2.inr.ac.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ip_tables: fix table locking in ipt_do_table</title>
<updated>2006-08-23T21:13:31+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2006-08-18T05:52:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0872a284963a642ba748cbd75842138dd9a3bd00'/>
<id>0872a284963a642ba748cbd75842138dd9a3bd00</id>
<content type='text'>
[NETFILTER]: ip_tables: fix table locking in ipt_do_table

table-&gt;private might change because of ruleset changes, don't use it without
holding the lock.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NETFILTER]: ip_tables: fix table locking in ipt_do_table

table-&gt;private might change because of ruleset changes, don't use it without
holding the lock.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ulog: fix panic on SMP kernels</title>
<updated>2006-08-23T21:13:31+00:00</updated>
<author>
<name>Mark Huang</name>
<email>mlhuang@cs.princeton.edu</email>
</author>
<published>2006-08-12T00:45:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bb417c4bad96b07f075b98f874fb28cf258f8065'/>
<id>bb417c4bad96b07f075b98f874fb28cf258f8065</id>
<content type='text'>
[NETFILTER]: ulog: fix panic on SMP kernels

Fix kernel panic on various SMP machines. The culprit is a null
ub-&gt;skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang &lt;mlhuang@cs.princeton.edu&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NETFILTER]: ulog: fix panic on SMP kernels

Fix kernel panic on various SMP machines. The culprit is a null
ub-&gt;skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang &lt;mlhuang@cs.princeton.edu&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Kill HASH_HIGHMEM from route cache hash sizing</title>
<updated>2006-08-23T21:13:30+00:00</updated>
<author>
<name>Kirill Korotaev</name>
<email>dev@sw.ru</email>
</author>
<published>2006-08-09T09:35:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b3b3410f3e2579314adcdd9366b5429ba06b07d7'/>
<id>b3b3410f3e2579314adcdd9366b5429ba06b07d7</id>
<content type='text'>
[IPV4]: Limit rt cache size properly.

During OpenVZ stress testing we found that UDP traffic with random src
can generate too much excessive rt hash growing leading finally to OOM
and kernel panics.

It was found that for 4GB i686 system (having 1048576 total pages and
225280 normal zone pages) kernel allocates the following route hash:
syslog: IP route cache hash table entries: 262144 (order: 8, 1048576
bytes) =&gt; ip_rt_max_size = 4194304 entries, i.e.  max rt size is
4194304 * 256b = 1Gb of RAM &gt; normal_zone

Attached the patch which removes HASH_HIGHMEM flag from
alloc_large_system_hash() call.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[IPV4]: Limit rt cache size properly.

During OpenVZ stress testing we found that UDP traffic with random src
can generate too much excessive rt hash growing leading finally to OOM
and kernel panics.

It was found that for 4GB i686 system (having 1048576 total pages and
225280 normal zone pages) kernel allocates the following route hash:
syslog: IP route cache hash table entries: 262144 (order: 8, 1048576
bytes) =&gt; ip_rt_max_size = 4194304 entries, i.e.  max rt size is
4194304 * 256b = 1Gb of RAM &gt; normal_zone

Attached the patch which removes HASH_HIGHMEM flag from
alloc_large_system_hash() call.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>H.323 helper: fix possible NULL-ptr dereference</title>
<updated>2006-08-07T03:52:13+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2006-07-25T00:31:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f40508af128fc5ead71aab6e9932039d2a07fd4'/>
<id>4f40508af128fc5ead71aab6e9932039d2a07fd4</id>
<content type='text'>
[NETFILTER]: H.323 helper: fix possible NULL-ptr dereference

An RCF message containing a timeout results in a NULL-ptr dereference if
no RRQ has been seen before.

Noticed by the "SATURN tool", reported by Thomas Dillig &lt;tdillig@stanford.edu&gt;
and Isil Dillig &lt;isil@stanford.edu&gt;.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NETFILTER]: H.323 helper: fix possible NULL-ptr dereference

An RCF message containing a timeout results in a NULL-ptr dereference if
no RRQ has been seen before.

Noticed by the "SATURN tool", reported by Thomas Dillig &lt;tdillig@stanford.edu&gt;
and Isil Dillig &lt;isil@stanford.edu&gt;.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fix IPv4/DECnet routing rule dumping</title>
<updated>2006-07-25T03:35:27+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2006-07-08T20:39:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1e8cd841d65774e96f5a52b0faa898b7ffebcece'/>
<id>1e8cd841d65774e96f5a52b0faa898b7ffebcece</id>
<content type='text'>
When more rules are present than fit in a single skb, the remaining
rules are incorrectly skipped.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When more rules are present than fit in a single skb, the remaining
rules are incorrectly skipped.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>[PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]</title>
<updated>2006-06-30T17:37:31+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2006-06-30T03:33:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9c48e1ea8cf8800cc5e2d39ccbb8b5ff9704f8e9'/>
<id>9c48e1ea8cf8800cc5e2d39ccbb8b5ff9704f8e9</id>
<content type='text'>
When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up an
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.

Problem noticed by George A. Theall &lt;theall@tenablesecurity.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up an
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.

Problem noticed by George A. Theall &lt;theall@tenablesecurity.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[IPV4]: Increment ipInHdrErrors when TTL expires.</title>
<updated>2006-06-12T20:09:59+00:00</updated>
<author>
<name>Weidong</name>
<email>weid@nanjing-fnst.com</email>
</author>
<published>2006-06-12T20:09:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=42d1d52e695d87475846e9a09964cae1209eeecb'/>
<id>42d1d52e695d87475846e9a09964cae1209eeecb</id>
<content type='text'>
Signed-off-by: Weidong &lt;weid@nanjing-fnst.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Weidong &lt;weid@nanjing-fnst.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</pre>
</div>
</content>
</entry>
</feed>
