commit 080504003ae82a76cf3c9b4e7dc6cc5f25cbe95c Author: Greg Kroah-Hartman Date: Fri Nov 16 08:36:42 2007 -0800 Linux 2.6.23.4 commit ef0811638110d6309c4b498a33a9815d694fb6bc Author: John W. Linville Date: Fri Oct 26 17:04:35 2007 -0400 mac80211: make ieee802_11_parse_elems return void patch 67a4cce4a89718d252b61aaf58882c69c0e2f6e3 in mainline. Some APs send management frames with junk padding after the last IE. We already account for a similar problem with some Apple Airport devices, but at least one device is known to send more than a single extra byte. The device in question is the Draytek Vigor2900: http://www.draytek.com.au/products/Vigor2900.php The junk in question looks like an IE that runs off the end of the frame. This cause us to return ParseFailed. Since the frame in question is an association response, this causes us to fail to associate with this AP. The return code from ieee802_11_parse_elems is superfluous. All callers still check for the presence of the specific IEs that interest them anyway. So, remove the return code so the parse never "fails". Acked-by: Michael Wu Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f08fdbd7f5f6c0cafce7cdcda8df4e605d065cd6 Author: John W. Linville Date: Fri Oct 26 17:04:34 2007 -0400 mac80211: only honor IW_SCAN_THIS_ESSID in STA, IBSS, and AP modes patch d114f399b4da6fa7f9da3bbf1fb841370c11e788 in mainline. The previous IW_SCAN_THIS_ESSID patch left a hole allowing scan requests on interfaces in inappropriate modes. Signed-off-by: John W. Linville Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f4d709e397f075b94649907554ca390738b9c58e Author: Bill Moss Date: Fri Oct 26 17:04:33 2007 -0400 mac80211: honor IW_SCAN_THIS_ESSID in siwscan ioctl patch 107acb23ba763197d390ae9ffd347f3e2a524d39 in mainline. This patch fixes the problem of associating with wpa_secured hidden AP. Please try out. The original author of this patch is Bill Moss Signed-off-by: Abhijeet Kolekar Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 75fc21b4d27c9e265614690a10b1fb6d2104e004 Author: John W. Linville Date: Fri Oct 26 17:04:32 2007 -0400 mac80211: store SSID in sta_bss_list patch cffdd30d20d163343b1c6de25bcb0cc978a1ebf9 in mainline. Some AP equipment "in the wild" services multiple SSIDs using the same BSSID. This patch changes the key of sta_bss_list to include the SSID as well as the BSSID and the channel so as to prevent one SSID from eclipsing another SSID with the same BSSID. Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 66bc3f66854fdfb09035fa247c936524d19b7454 Author: John W. Linville Date: Fri Oct 26 17:04:31 2007 -0400 mac80211: store channel info in sta_bss_list patch 65c107ab3befc37b21d1c970a6159525bc0121b8 in mainline. Some AP equipment "in the wild" uses the same BSSID on multiple channels (particularly "a" vs. "b/g"). This patch changes the key of sta_bss_list to include both the BSSID and the channel so as to prevent a BSSID on one channel from eclipsing the same BSSID on another channel. Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 20bf97cfbf4beb8d16f1cd62fdd4befdb2ca39f9 Author: Johannes Berg Date: Fri Oct 26 17:04:30 2007 -0400 mac80211: reorder association debug output patch 1dd84aa213d0f98a91a1ec9be2f750f5f48e75a0 in mainline. There's no reason to warn about an invalid AID field when the association was denied. Signed-off-by: Johannes Berg Acked-by: Michael Wu Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 31a1d25a569e52f5dc05b6b63a30ea9dcc95677b Author: Johannes Berg Date: Fri Oct 26 17:04:29 2007 -0400 ieee80211: fix TKIP QoS bug patch e797aa1b7da6bfcb2e19a10ae5ead9aa7aea732b in mainline. The commit 65b6a277 titled "ieee80211: Fix header->qos_ctl endian issue" *introduced* an endianness bug. Partially revert it. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0ac38060c5e1e12e851ed3e281597286b57f9ad1 Author: Jozsef Kadlecsik Date: Mon Nov 5 12:37:55 2007 +0100 NETFILTER: nf_conntrack_tcp: fix connection reopening Upstream commits: 17311393 + bc34b841 merged together. Merge done by Patrick McHardy [NETFILTER]: nf_conntrack_tcp: fix connection reopening With your description I could reproduce the bug and actually you were completely right: the code above is incorrect. Somehow I was able to misread RFC1122 and mixed the roles :-(: When a connection is >>closed actively<<, it MUST linger in TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime). However, it MAY >>accept<< a new SYN from the remote TCP to reopen the connection directly from TIME-WAIT state, if it: [...] The fix is as follows: if the receiver initiated an active close, then the sender may reopen the connection - otherwise try to figure out if we hold a dead connection. Signed-off-by: Jozsef Kadlecsik Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c6736fd46ba478b59f8293457648432154f0f422 Author: Patrick McHardy Date: Tue Nov 13 03:03:00 2007 -0800 Fix netlink timeouts. [NETLINK]: Fix unicast timeouts [ Upstream commit: c3d8d1e30cace31fed6186a4b8c6b1401836d89c ] Commit ed6dcf4a in the history.git tree broke netlink_unicast timeouts by moving the schedule_timeout() call to a new function that doesn't propagate the remaining timeout back to the caller. This means on each retry we start with the full timeout again. ipc/mqueue.c seems to actually want to wait indefinitely so this behaviour is retained. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit be8962a15857ee7b43bc66f718d7e8987f484fc8 Author: Herbert Xu Date: Tue Nov 13 02:48:28 2007 -0800 Fix crypto_alloc_comp() error checking. [IPSEC]: Fix crypto_alloc_comp error checking [ Upstream commit: 4999f3621f4da622e77931b3d33ada6c7083c705 ] The function crypto_alloc_comp returns an errno instead of NULL to indicate error. So it needs to be tested with IS_ERR. This is based on a patch by Vicenç Beltran Querol. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9def747b654622c8ce0936ccb0f4670f978c138e Author: Patrick McHardy Date: Tue Nov 13 00:13:37 2007 -0800 Fix SET_VLAN_INGRESS_PRIORITY_CMD error return. patch fffe470a803e7f7b74c016291e542a0162761209 in mainline. [VLAN]: Fix SET_VLAN_INGRESS_PRIORITY_CMD ioctl Based on report and patch by Doug Kehn : vconfig returns the following error when attempting to execute the set_ingress_map command: vconfig: socket or ioctl error for set_ingress_map: Operation not permitted In vlan.c, vlan_ioctl_handler for SET_VLAN_INGRESS_PRIORITY_CMD sets err = -EPERM and calls vlan_dev_set_ingress_priority. vlan_dev_set_ingress_priority is a void function so err remains at -EPERM and results in the vconfig error (even though the ingress map was set). Fix by setting err = 0 after the vlan_dev_set_ingress_priority call. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dae1e6e82707b560430ef0a9a24c57724cfdb8ae Author: Patrick McHardy Date: Tue Nov 13 00:11:51 2007 -0800 Fix VLAN address syncing. patch d932e04a5e7b146c5f9bf517714b986a432a7594 in mainline. [PATCH] [VLAN]: Don't synchronize addresses while the vlan device is down While the VLAN device is down, the unicast addresses are not configured on the underlying device, so we shouldn't attempt to sync them. Noticed by Dmitry Butskoy Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e809e9c0da32b047f2c91b907ae33a00b1e782f3 Author: Radu Rendec Date: Tue Nov 13 00:09:56 2007 -0800 Fix endianness bug in U32 classifier. changeset 543821c6f5dea5221426eaf1eac98b100249c7ac in mainline. [PKT_SCHED] CLS_U32: Fix endianness problem with u32 classifier hash masks. While trying to implement u32 hashes in my shaping machine I ran into a possible bug in the u32 hash/bucket computing algorithm (net/sched/cls_u32.c). The problem occurs only with hash masks that extend over the octet boundary, on little endian machines (where htonl() actually does something). Let's say that I would like to use 0x3fc0 as the hash mask. This means 8 contiguous "1" bits starting at b6. With such a mask, the expected (and logical) behavior is to hash any address in, for instance, 192.168.0.0/26 in bucket 0, then any address in 192.168.0.64/26 in bucket 1, then 192.168.0.128/26 in bucket 2 and so on. This is exactly what would happen on a big endian machine, but on little endian machines, what would actually happen with current implementation is 0x3fc0 being reversed (into 0xc03f0000) by htonl() in the userspace tool and then applied to 192.168.x.x in the u32 classifier. When shifting right by 16 bits (rank of first "1" bit in the reversed mask) and applying the divisor mask (0xff for divisor 256), what would actually remain is 0x3f applied on the "168" octet of the address. One could say is this can be easily worked around by taking endianness into account in userspace and supplying an appropriate mask (0xfc03) that would be turned into contiguous "1" bits when reversed (0x03fc0000). But the actual problem is the network address (inside the packet) not being converted to host order, but used as a host-order value when computing the bucket. Let's say the network address is written as n31 n30 ... n0, with n0 being the least significant bit. When used directly (without any conversion) on a little endian machine, it becomes n7 ... n0 n8 ..n15 etc in the machine's registers. Thus bits n7 and n8 would no longer be adjacent and 192.168.64.0/26 and 192.168.128.0/26 would no longer be consecutive. The fix is to apply ntohl() on the hmask before computing fshift, and in u32_hash_fold() convert the packet data to host order before shifting down by fshift. With helpful feedback from Jamal Hadi Salim and Jarek Poplawski. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 61254a93643f43956a4b16c935ca5e058ef761b0 Author: Evgeniy Polyakov Date: Tue Nov 13 00:07:45 2007 -0800 Fix TEQL oops. [PKT_SCHED]: Fix OOPS when removing devices from a teql queuing discipline [ Upstream commit: 4f9f8311a08c0d95c70261264a2b47f2ae99683a ] tecl_reset() is called from deactivate and qdisc is set to noop already, but subsequent teql_xmit does not know about it and dereference private data as teql qdisc and thus oopses. not catch it first :) Signed-off-by: Evgeniy Polyakov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c669e2ad32c2ab2bf4133ce8f7b96775b9c3db2b Author: David Miller Date: Tue Nov 13 00:02:56 2007 -0800 Fix error returns in sys_socketpair() patch bf3c23d171e35e6e168074a1514b0acd59cfd81a in mainline. [NET]: Fix error reporting in sys_socketpair(). If either of the two sock_alloc_fd() calls fail, we forget to update 'err' and thus we'll erroneously return zero in these cases. Based upon a report and patch from Rich Paul, and commentary from Chuck Ebbert. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eeb4e8c2aeda4f366bc14bea2a3a2e10cb7bc66d Author: Johannes Berg Date: Thu Oct 25 22:16:23 2007 +0200 softmac: fix wext MLME request reason code endianness patch 94e10bfb8a7372df3ef2759c9ec2a37de2f24aca in mainline. The MLME request reason code is host-endian and our passing it to the low level functions is host-endian as well since they do the swapping. I noticed that the reason code 768 was sent (0x300) rather than 3 when wpa_supplicant terminates. This removes the superfluous cpu_to_le16() call. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cfebbe5fa7f4a2ec9f3b9edd56b877dc5c06f6a0 Author: Tony Battersby Date: Tue Oct 23 03:10:10 2007 -0700 Fix kernel_accept() return handling. patch fa8705b00aeca19d91a1437b8a5cf865999b28f6 in mainline. [NET]: sanitize kernel_accept() error path If kernel_accept() returns an error, it may pass back a pointer to freed memory (which the caller should ignore). Make it pass back NULL instead for better safety. Signed-off-by: Tony Battersby Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9fcba4716e6ebbb0d7e0ec84bff6dd2c36c847b3 Author: Herbert Xu Date: Wed Nov 14 15:45:21 2007 -0800 TCP: Fix size calculation in sk_stream_alloc_pskb [TCP]: Fix size calculation in sk_stream_alloc_pskb [ Upstream commit: fb93134dfc2a6e6fbedc7c270a31da03fce88db9 ] We round up the header size in sk_stream_alloc_pskb so that TSO packets get zero tail room. Unfortunately this rounding up is not coordinated with the select_size() function used by TCP to calculate the second parameter of sk_stream_alloc_pskb. As a result, we may allocate more than a page of data in the non-TSO case when exactly one page is desired. In fact, rounding up the head room is detrimental in the non-TSO case because it makes memory that would otherwise be available to the payload head room. TSO doesn't need this either, all it wants is the guarantee that there is no tail room. So this patch fixes this by adjusting the skb_reserve call so that exactly the requested amount (which all callers have calculated in a precise way) is made available as tail room. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8522b496f9d0e76a8b7e0b3a742f98ca6d182571 Author: Herbert Xu Date: Tue Oct 23 03:08:26 2007 -0700 Fix SKB_WITH_OVERHEAD calculations. patch deea84b0ae3d26b41502ae0a39fe7fe134e703d0 in mainline. [NET]: Fix SKB_WITH_OVERHEAD calculation The calculation in SKB_WITH_OVERHEAD is incorrect in that it can cause an overflow across a page boundary which is what it's meant to prevent. In particular, the header length (X) should not be lumped together with skb_shared_info. The latter needs to be aligned properly while the header has no choice but to sit in front of wherever the payload is. Therefore the correct calculation is to take away the aligned size of skb_shared_info, and then subtract the header length. The resulting quantity L satisfies the following inequality: SKB_DATA_ALIGN(L + X) + sizeof(struct skb_shared_info) <= PAGE_SIZE This is the quantity used by alloc_skb to do the actual allocation. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b354057389dd96fde7af3161e383150128579bc9 Author: Ingo Molnar Date: Tue Oct 23 03:13:00 2007 -0700 Fix 9P protocol build patch 092e9d93b3728d484a4e73df9852dc4002cf9923 in mainline. [9P]: build fix with !CONFIG_SYSCTL found via make randconfig build testing: net/built-in.o: In function `init_p9': mod.c:(.init.text+0x3b39): undefined reference to `p9_sysctl_register' net/built-in.o: In function `exit_p9': mod.c:(.exit.text+0x36b): undefined reference to `p9_sysctl_unregister' Signed-off-by: Ingo Molnar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e20e6446bdf5afd61b1139efca510a187b3d1c38 Author: Patrick McHardy Date: Tue Oct 23 20:55:01 2007 -0700 Fix advertised packet scheduler timer resolution patch 3c0cfc135829b98f7a4894938652f9ef78e24237 in mainline The fourth parameter of /proc/net/psched is supposed to show the timer resultion and is used by HTB userspace to calculate the necessary burst rate. Currently we show the clock resolution, which results in a too low burst rate when the two differ. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d876cd16fb5c5c98f1fd0c2cb8d5d1122de51ae8 Author: Andy Green Date: Tue Oct 9 22:46:33 2007 -0400 Add get_unaligned to ieee80211_get_radiotap_len patch dfe6e81deaa79c85086c0cc8d85b229e444ab97f in mainline. ieee80211_get_radiotap_len() tries to dereference radiotap length without taking care that it is completely unaligned and get_unaligned() is required. Signed-off-by: Andy Green Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 1e3bfd1413e453b29517e72a9d8f16f22733a847 Author: Andy Green Date: Tue Oct 9 22:46:34 2007 -0400 mac80211: Improve sanity checks on injected packets patch 9b8a74e3482f9fc077a88c13fa0ceca8feb0b772 in mainline. Michael Wu noticed that the skb length checking is not taken care of enough when a packet is presented on the Monitor interface for injection. This patch improves the sanity checking and removes fake offsets placed into the skb network and transport header. Signed-off-by: Andy Green Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit be3d7bec26e083b9e42acd5944ad8293b94b06b2 Author: John W. Linville Date: Tue Oct 9 22:46:35 2007 -0400 mac80211: filter locally-originated multicast frames patch b331615722779b078822988843ddffd4eaec9f83 in mainline. In STA mode, the AP will echo our traffic. This includes multicast traffic. Receiving these frames confuses some protocols and applications, notably IPv6 Duplicate Address Detection. Signed-off-by: John W. Linville Signed-off-by: Johannes Berg Acked-by: Michael Wu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman