Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
fib_rules: fix unresolved_rules counting
r8169: fix wrong eee setting for rlt8111evl
r8169: fix driver shutdown WoL regression.
ehea: Change maintainer to me
pptp: pptp_rcv_core() misses pskb_may_pull() call
tproxy: copy transparent flag when creating a time wait
pptp: fix skb leak in pptp_xmit()
bonding: use local function pointer of bond->recv_probe in bond_handle_frame
smsc911x: Add support for SMSC LAN89218
tg3: negate USE_PHYLIB flag check
netconsole: enable netconsole can make net_device refcnt incorrent
bluetooth: Properly clone LSM attributes to newly created child connections
l2tp: fix a potential skb leak in l2tp_xmit_skb()
bridge: fix hang on removal of bridge via netlink
x25: Prevent skb overreads when checking call user data
x25: Handle undersized/fragmented skbs
x25: Validate incoming call user data lengths
udplite: fast-path computation of checksum coverage
IPVS netns shutdown/startup dead-lock
netfilter: nf_conntrack: fix event flooding in GRE protocol tracker

+335 -160
+1 -1
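--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2460,7 +2460,7 @@
 F: drivers/infiniband/hw/ehca/
 
 EHEA (IBM pSeries eHEA 10Gb ethernet adapter) DRIVER
-M: Breno Leitao <leitao@linux.vnet.ibm.com>
+M: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
 L: netdev@vger.kernel.org
 S: Maintained
 F: drivers/net/ehea/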
+5 -2
drivers/net/bonding/bond_main.c
··· 1435 1435 struct sk_buff *skb = *pskb; 1436 1436 struct slave *slave; 1437 1437 struct bonding *bond; 1438 + void (*recv_probe)(struct sk_buff *, struct bonding *, 1439 + struct slave *); 1438 1440 1439 1441 skb = skb_share_check(skb, GFP_ATOMIC); 1440 1442 if (unlikely(!skb)) ··· 1450 1448 if (bond->params.arp_interval) 1451 1449 slave->dev->last_rx = jiffies; 1452 1450 1453 - if (bond->recv_probe) { 1451 + recv_probe = ACCESS_ONCE(bond->recv_probe); 1452 + if (recv_probe) { 1454 1453 struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); 1455 1454 1456 1455 if (likely(nskb)) { 1457 - bond->recv_probe(nskb, bond, slave); 1456 + recv_probe(nskb, bond, slave); 1458 1457 dev_kfree_skb(nskb); 1459 1458 } 1460 1459 }
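Review bot: The new `recv_probe = ACCESS_ONCE(bond->recv_probe);` snapshot has no comment saying what it protects against, and the reason is not obvious from this function alone. Presumably another context can clear `bond->recv_probe` between the NULL test and the call, which a single read avoids; a line such as `/* read once: recv_probe may be cleared while frames are still arriving */` above the assignment would record that once it is confirmed against the writer side. The local declaration also spells out the handler's full prototype, so if the `recv_probe` member uses the same type a shared typedef would keep the two from drifting. The enclosing function starts and ends outside the hunk.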
+5
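--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -307,6 +307,11 @@
 return err;
 if (enabled < 0 || enabled > 1)
 return -EINVAL;
+if (enabled == nt->enabled) {
+printk(KERN_INFO "netconsole: network logging has already %s\n",
+nt->enabled ? "started" : "stopped");
+return -EINVAL;
+}
 
 if (enabled) { /* 1 */
 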
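Review bot: The added `enabled == nt->enabled` branch turns a repeated write of the current value into `-EINVAL` and logs through a bare `printk(KERN_INFO ...)` each time, so a caller that re-applies its configuration gets an error and one log line per attempt with no rate limit. A comment stating why the no-op is refused would help, for example `/* enabling twice would take the device reference again; refuse no-op transitions */` (inferred from the commit subject, to be confirmed). Whether the compare-then-update on `nt->enabled` is serialised against a concurrent store is not visible here, because the function continues outside the hunk.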
+14 -8
drivers/net/pptp.c
··· 285 285 ip_send_check(iph); 286 286 287 287 ip_local_out(skb); 288 + return 1; 288 289 289 290 tx_error: 291 + kfree_skb(skb); 290 292 return 1; 291 293 } 292 294 ··· 307 305 } 308 306 309 307 header = (struct pptp_gre_header *)(skb->data); 308 + headersize = sizeof(*header); 310 309 311 310 /* test if acknowledgement present */ 312 311 if (PPTP_GRE_IS_A(header->ver)) { 313 - __u32 ack = (PPTP_GRE_IS_S(header->flags)) ? 314 - header->ack : header->seq; /* ack in different place if S = 0 */ 312 + __u32 ack; 313 + 314 + if (!pskb_may_pull(skb, headersize)) 315 + goto drop; 316 + header = (struct pptp_gre_header *)(skb->data); 317 + 318 + /* ack in different place if S = 0 */ 319 + ack = PPTP_GRE_IS_S(header->flags) ? header->ack : header->seq; 315 320 316 321 ack = ntohl(ack); 317 322 ··· 327 318 /* also handle sequence number wrap-around */ 328 319 if (WRAPPED(ack, opt->ack_recv)) 329 320 opt->ack_recv = ack; 321 + } else { 322 + headersize -= sizeof(header->ack); 330 323 } 331 - 332 324 /* test if payload present */ 333 325 if (!PPTP_GRE_IS_S(header->flags)) 334 326 goto drop; 335 327 336 - headersize = sizeof(*header); 337 328 payload_len = ntohs(header->payload_len); 338 329 seq = ntohl(header->seq); 339 330 340 - /* no ack present? */ 341 - if (!PPTP_GRE_IS_A(header->ver)) 342 - headersize -= sizeof(header->ack); 343 331 /* check for incomplete packet (length smaller than expected) */ 344 - if (skb->len - headersize < payload_len) 332 + if (!pskb_may_pull(skb, headersize + payload_len)) 345 333 goto drop; 346 334 347 335 payload = skb->data + headersize;
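Review bot: In the receive hunk `header` is reloaded from `skb->data` after the first `pskb_may_pull(skb, headersize)`, but not after the second call, `pskb_may_pull(skb, headersize + payload_len)`, which can equally move the linear data. `payload` is correctly derived from `skb->data` afterwards, but any later use of `header` (the function continues outside the hunk) would go through a stale pointer. Either repeat `header = (struct pptp_gre_header *)(skb->data);` after the second pull or add `/* header must not be used past this point */`. Note also that `header->ver` is tested before any pull visible in this hunk, so the minimum header length has to be guaranteed by code above it.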
+57 -33
drivers/net/r8169.c
··· 2859 2859 rtl_writephy(tp, 0x1f, 0x0004); 2860 2860 rtl_writephy(tp, 0x1f, 0x0007); 2861 2861 rtl_writephy(tp, 0x1e, 0x0020); 2862 - rtl_w1w0_phy(tp, 0x06, 0x0000, 0x0100); 2862 + rtl_w1w0_phy(tp, 0x15, 0x0000, 0x0100); 2863 2863 rtl_writephy(tp, 0x1f, 0x0002); 2864 2864 rtl_writephy(tp, 0x1f, 0x0000); 2865 2865 rtl_writephy(tp, 0x0d, 0x0007); ··· 3316 3316 } 3317 3317 } 3318 3318 3319 + static void rtl_wol_suspend_quirk(struct rtl8169_private *tp) 3320 + { 3321 + void __iomem *ioaddr = tp->mmio_addr; 3322 + 3323 + switch (tp->mac_version) { 3324 + case RTL_GIGA_MAC_VER_29: 3325 + case RTL_GIGA_MAC_VER_30: 3326 + case RTL_GIGA_MAC_VER_32: 3327 + case RTL_GIGA_MAC_VER_33: 3328 + case RTL_GIGA_MAC_VER_34: 3329 + RTL_W32(RxConfig, RTL_R32(RxConfig) | 3330 + AcceptBroadcast | AcceptMulticast | AcceptMyPhys); 3331 + break; 3332 + default: 3333 + break; 3334 + } 3335 + } 3336 + 3337 + static bool rtl_wol_pll_power_down(struct rtl8169_private *tp) 3338 + { 3339 + if (!(__rtl8169_get_wol(tp) & WAKE_ANY)) 3340 + return false; 3341 + 3342 + rtl_writephy(tp, 0x1f, 0x0000); 3343 + rtl_writephy(tp, MII_BMCR, 0x0000); 3344 + 3345 + rtl_wol_suspend_quirk(tp); 3346 + 3347 + return true; 3348 + } 3349 + 3319 3350 static void r810x_phy_power_down(struct rtl8169_private *tp) 3320 3351 { 3321 3352 rtl_writephy(tp, 0x1f, 0x0000); ··· 3361 3330 3362 3331 static void r810x_pll_power_down(struct rtl8169_private *tp) 3363 3332 { 3364 - void __iomem *ioaddr = tp->mmio_addr; 3365 - 3366 - if (__rtl8169_get_wol(tp) & WAKE_ANY) { 3367 - rtl_writephy(tp, 0x1f, 0x0000); 3368 - rtl_writephy(tp, MII_BMCR, 0x0000); 3369 - 3370 - if (tp->mac_version == RTL_GIGA_MAC_VER_29 || 3371 - tp->mac_version == RTL_GIGA_MAC_VER_30) 3372 - RTL_W32(RxConfig, RTL_R32(RxConfig) | AcceptBroadcast | 3373 - AcceptMulticast | AcceptMyPhys); 3333 + if (rtl_wol_pll_power_down(tp)) 3374 3334 return; 3375 - } 3376 3335 3377 3336 r810x_phy_power_down(tp); 3378 3337 } ··· 3451 3430 tp->mac_version == 
RTL_GIGA_MAC_VER_33) 3452 3431 rtl_ephy_write(ioaddr, 0x19, 0xff64); 3453 3432 3454 - if (__rtl8169_get_wol(tp) & WAKE_ANY) { 3455 - rtl_writephy(tp, 0x1f, 0x0000); 3456 - rtl_writephy(tp, MII_BMCR, 0x0000); 3457 - 3458 - if (tp->mac_version == RTL_GIGA_MAC_VER_32 || 3459 - tp->mac_version == RTL_GIGA_MAC_VER_33 || 3460 - tp->mac_version == RTL_GIGA_MAC_VER_34) 3461 - RTL_W32(RxConfig, RTL_R32(RxConfig) | AcceptBroadcast | 3462 - AcceptMulticast | AcceptMyPhys); 3433 + if (rtl_wol_pll_power_down(tp)) 3463 3434 return; 3464 - } 3465 3435 3466 3436 r8168_phy_power_down(tp); 3467 3437 ··· 5800 5788 5801 5789 #endif /* !CONFIG_PM */ 5802 5790 5791 + static void rtl_wol_shutdown_quirk(struct rtl8169_private *tp) 5792 + { 5793 + void __iomem *ioaddr = tp->mmio_addr; 5794 + 5795 + /* WoL fails with 8168b when the receiver is disabled. */ 5796 + switch (tp->mac_version) { 5797 + case RTL_GIGA_MAC_VER_11: 5798 + case RTL_GIGA_MAC_VER_12: 5799 + case RTL_GIGA_MAC_VER_17: 5800 + pci_clear_master(tp->pci_dev); 5801 + 5802 + RTL_W8(ChipCmd, CmdRxEnb); 5803 + /* PCI commit */ 5804 + RTL_R8(ChipCmd); 5805 + break; 5806 + default: 5807 + break; 5808 + } 5809 + } 5810 + 5803 5811 static void rtl_shutdown(struct pci_dev *pdev) 5804 5812 { 5805 5813 struct net_device *dev = pci_get_drvdata(pdev); 5806 5814 struct rtl8169_private *tp = netdev_priv(dev); 5807 - void __iomem *ioaddr = tp->mmio_addr; 5808 5815 5809 5816 rtl8169_net_suspend(dev); 5810 5817 ··· 5837 5806 spin_unlock_irq(&tp->lock); 5838 5807 5839 5808 if (system_state == SYSTEM_POWER_OFF) { 5840 - /* WoL fails with 8168b when the receiver is disabled. 
*/ 5841 - if ((tp->mac_version == RTL_GIGA_MAC_VER_11 || 5842 - tp->mac_version == RTL_GIGA_MAC_VER_12 || 5843 - tp->mac_version == RTL_GIGA_MAC_VER_17) && 5844 - (tp->features & RTL_FEATURE_WOL)) { 5845 - pci_clear_master(pdev); 5846 - 5847 - RTL_W8(ChipCmd, CmdRxEnb); 5848 - /* PCI commit */ 5849 - RTL_R8(ChipCmd); 5809 + if (__rtl8169_get_wol(tp) & WAKE_ANY) { 5810 + rtl_wol_suspend_quirk(tp); 5811 + rtl_wol_shutdown_quirk(tp); 5850 5812 } 5851 5813 5852 5814 pci_wake_from_d3(pdev, true);
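Review bot: `rtl_wol_suspend_quirk()` has no comment explaining why MAC versions 29, 30, 32, 33 and 34 need `AcceptBroadcast | AcceptMulticast | AcceptMyPhys` set in `RxConfig`, whereas `rtl_wol_shutdown_quirk()` keeps the one-line reason for its own list. `rtl_shutdown()` now calls both quirks whenever `__rtl8169_get_wol(tp) & WAKE_ANY` is set, so the RxConfig change also applies on power-off and the old `tp->features & RTL_FEATURE_WOL` gate is gone; a short comment in `rtl_shutdown()` saying this is intended would make the behaviour change explicit. The first hunk swaps PHY register `0x06` for `0x15` as a bare literal, and a comment naming the register would help the next reader verify it.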
+2
drivers/net/smsc911x.c
··· 26 26 * LAN9215, LAN9216, LAN9217, LAN9218 27 27 * LAN9210, LAN9211 28 28 * LAN9220, LAN9221 29 + * LAN89218 29 30 * 30 31 */ 31 32 ··· 1984 1983 case 0x01170000: 1985 1984 case 0x01160000: 1986 1985 case 0x01150000: 1986 + case 0x218A0000: 1987 1987 /* LAN911[5678] family */ 1988 1988 pdata->generation = pdata->idrev & 0x0000FFFF; 1989 1989 break;
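Review bot: The new `case 0x218A0000:` falls into the branch still commented `/* LAN911[5678] family */`, so the comment no longer describes every ID it covers. Extending it to `/* LAN911[5678] family, LAN89218 */` would keep the switch consistent with the device list updated in the first hunk, assuming this ID is the LAN89218 named there.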
+1 -1
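--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -15577,7 +15577,7 @@
 
 cancel_work_sync(&tp->reset_task);
 
-if (!tg3_flag(tp, USE_PHYLIB)) {
+if (tg3_flag(tp, USE_PHYLIB)) {
 tg3_phy_fini(tp);
 tg3_mdio_fini(tp);
 }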
+1
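--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -900,6 +900,7 @@
 volatile int sync_state;
 volatile int master_syncid;
 volatile int backup_syncid;
+struct mutex sync_mutex;
 /* multicast interface name */
 char master_mcast_ifn[IP_VS_IFNAME_MAXLEN];
 char backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];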
+34 -35
include/net/udplite.h
··· 66 66 return 0; 67 67 } 68 68 69 - static inline int udplite_sender_cscov(struct udp_sock *up, struct udphdr *uh) 70 - { 71 - int cscov = up->len; 72 - 73 - /* 74 - * Sender has set `partial coverage' option on UDP-Lite socket 75 - */ 76 - if (up->pcflag & UDPLITE_SEND_CC) { 77 - if (up->pcslen < up->len) { 78 - /* up->pcslen == 0 means that full coverage is required, 79 - * partial coverage only if 0 < up->pcslen < up->len */ 80 - if (0 < up->pcslen) { 81 - cscov = up->pcslen; 82 - } 83 - uh->len = htons(up->pcslen); 84 - } 85 - /* 86 - * NOTE: Causes for the error case `up->pcslen > up->len': 87 - * (i) Application error (will not be penalized). 88 - * (ii) Payload too big for send buffer: data is split 89 - * into several packets, each with its own header. 90 - * In this case (e.g. last segment), coverage may 91 - * exceed packet length. 92 - * Since packets with coverage length > packet length are 93 - * illegal, we fall back to the defaults here. 94 - */ 95 - } 96 - return cscov; 97 - } 98 - 69 + /* Slow-path computation of checksum. Socket is locked. */ 99 70 static inline __wsum udplite_csum_outgoing(struct sock *sk, struct sk_buff *skb) 100 71 { 101 - int cscov = udplite_sender_cscov(udp_sk(sk), udp_hdr(skb)); 72 + const struct udp_sock *up = udp_sk(skb->sk); 73 + int cscov = up->len; 102 74 __wsum csum = 0; 75 + 76 + if (up->pcflag & UDPLITE_SEND_CC) { 77 + /* 78 + * Sender has set `partial coverage' option on UDP-Lite socket. 79 + * The special case "up->pcslen == 0" signifies full coverage. 80 + */ 81 + if (up->pcslen < up->len) { 82 + if (0 < up->pcslen) 83 + cscov = up->pcslen; 84 + udp_hdr(skb)->len = htons(up->pcslen); 85 + } 86 + /* 87 + * NOTE: Causes for the error case `up->pcslen > up->len': 88 + * (i) Application error (will not be penalized). 89 + * (ii) Payload too big for send buffer: data is split 90 + * into several packets, each with its own header. 91 + * In this case (e.g. last segment), coverage may 92 + * exceed packet length. 
93 + * Since packets with coverage length > packet length are 94 + * illegal, we fall back to the defaults here. 95 + */ 96 + } 103 97 104 98 skb->ip_summed = CHECKSUM_NONE; /* no HW support for checksumming */ 105 99 ··· 109 115 return csum; 110 116 } 111 117 118 + /* Fast-path computation of checksum. Socket may not be locked. */ 112 119 static inline __wsum udplite_csum(struct sk_buff *skb) 113 120 { 114 - struct sock *sk = skb->sk; 115 - int cscov = udplite_sender_cscov(udp_sk(sk), udp_hdr(skb)); 121 + const struct udp_sock *up = udp_sk(skb->sk); 116 122 const int off = skb_transport_offset(skb); 117 - const int len = skb->len - off; 123 + int len = skb->len - off; 118 124 125 + if ((up->pcflag & UDPLITE_SEND_CC) && up->pcslen < len) { 126 + if (0 < up->pcslen) 127 + len = up->pcslen; 128 + udp_hdr(skb)->len = htons(up->pcslen); 129 + } 119 130 skb->ip_summed = CHECKSUM_NONE; /* no HW support for checksumming */ 120 131 121 - return skb_checksum(skb, off, min(cscov, len), 0); 132 + return skb_checksum(skb, off, len, 0); 122 133 } 123 134 124 135 extern void udplite4_register(void);
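Review bot: `udplite_csum()` is documented as running without the socket lock, yet it reads `up->pcslen` three times: in the comparison with `len`, in `len = up->pcslen`, and in `htons(up->pcslen)`. If the coverage option changes concurrently, the length that is checksummed and the coverage written into the header can disagree. Reading the field once into a local, e.g. `const int pcslen = ACCESS_ONCE(up->pcslen);`, and using that local in all three places closes the window. In `udplite_csum_outgoing()` the `sk` parameter is now unused because the body takes `udp_sk(skb->sk)`; either use `sk` or say in the comment why `skb->sk` is preferred.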
+4
net/bluetooth/l2cap_sock.c
··· 26 26 27 27 /* Bluetooth L2CAP sockets. */ 28 28 29 + #include <linux/security.h> 30 + 29 31 #include <net/bluetooth/bluetooth.h> 30 32 #include <net/bluetooth/hci_core.h> 31 33 #include <net/bluetooth/l2cap.h> ··· 935 933 chan->force_reliable = pchan->force_reliable; 936 934 chan->flushable = pchan->flushable; 937 935 chan->force_active = pchan->force_active; 936 + 937 + security_sk_clone(parent, sk); 938 938 } else { 939 939 940 940 switch (sk->sk_type) {
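Review bot: The `security_sk_clone(parent, sk);` call added at the end of the parent branch has no comment, and the same bare call is added in net/bluetooth/rfcomm/sock.c and net/bluetooth/sco.c. A one-line comment at each site, such as `/* child socket takes the listening socket's LSM attributes */`, would say why an LSM hook appears in a protocol init routine. It is also worth stating that the call must stay inside the branch where `parent` is non-NULL, since the hook is handed `parent` without a check of its own in the security.c hunk of this merge.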
+3
net/bluetooth/rfcomm/sock.c
··· 42 42 #include <linux/device.h> 43 43 #include <linux/debugfs.h> 44 44 #include <linux/seq_file.h> 45 + #include <linux/security.h> 45 46 #include <net/sock.h> 46 47 47 48 #include <asm/system.h> ··· 265 264 266 265 pi->sec_level = rfcomm_pi(parent)->sec_level; 267 266 pi->role_switch = rfcomm_pi(parent)->role_switch; 267 + 268 + security_sk_clone(parent, sk); 268 269 } else { 269 270 pi->dlc->defer_setup = 0; 270 271
+4 -1
net/bluetooth/sco.c
··· 41 41 #include <linux/debugfs.h> 42 42 #include <linux/seq_file.h> 43 43 #include <linux/list.h> 44 + #include <linux/security.h> 44 45 #include <net/sock.h> 45 46 46 47 #include <asm/system.h> ··· 404 403 { 405 404 BT_DBG("sk %p", sk); 406 405 407 - if (parent) 406 + if (parent) { 408 407 sk->sk_type = parent->sk_type; 408 + security_sk_clone(parent, sk); 409 + } 409 410 } 410 411 411 412 static struct proto sco_proto = {
+5 -4
net/bridge/br_if.c
··· 161 161 call_rcu(&p->rcu, destroy_nbp_rcu); 162 162 } 163 163 164 - /* called with RTNL */ 165 - static void del_br(struct net_bridge *br, struct list_head *head) 164 + /* Delete bridge device */ 165 + void br_dev_delete(struct net_device *dev, struct list_head *head) 166 166 { 167 + struct net_bridge *br = netdev_priv(dev); 167 168 struct net_bridge_port *p, *n; 168 169 169 170 list_for_each_entry_safe(p, n, &br->port_list, list) { ··· 269 268 } 270 269 271 270 else 272 - del_br(netdev_priv(dev), NULL); 271 + br_dev_delete(dev, NULL); 273 272 274 273 rtnl_unlock(); 275 274 return ret; ··· 450 449 rtnl_lock(); 451 450 for_each_netdev(net, dev) 452 451 if (dev->priv_flags & IFF_EBRIDGE) 453 - del_br(netdev_priv(dev), &list); 452 + br_dev_delete(dev, &list); 454 453 455 454 unregister_netdevice_many(&list); 456 455 rtnl_unlock();
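Review bot: Renaming `del_br()` to the non-static `br_dev_delete()` replaces the comment `/* called with RTNL */` with `/* Delete bridge device */`, which drops the locking precondition just as the function becomes reachable from another file (it is wired up as `.dellink` in br_netlink.c). Keep the requirement in the comment, e.g. `/* Delete bridge device; caller must hold RTNL */`, and consider `ASSERT_RTNL();` as the first statement so a caller that forgets the lock is caught early. The function body continues outside the hunk.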
+1
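--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -210,6 +210,7 @@
 .priv_size = sizeof(struct net_bridge),
 .setup = br_dev_setup,
 .validate = br_validate,
+.dellink = br_dev_delete,
 };
 
 int __init br_netlink_init(void)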
+1
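--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -294,6 +294,7 @@
 
 /* br_device.c */
 extern void br_dev_setup(struct net_device *dev);
+extern void br_dev_delete(struct net_device *dev, struct list_head *list);
 extern netdev_tx_t br_dev_xmit(struct sk_buff *skb,
 struct net_device *dev);
 #ifdef CONFIG_NET_POLL_CONTROLLER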
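Review bot: The prototype is added under the `/* br_device.c */` heading, but this merge defines `br_dev_delete()` in net/bridge/br_if.c. It also names the second parameter `list` while the definition uses `head`. Moving the line to the header's br_if.c group, if it has one, and writing `struct list_head *head` would keep the declaration in step with the definition.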
+4 -1
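--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -475,8 +475,11 @@
 
 list_del_rcu(&rule->list);
 
-if (rule->action == FR_ACT_GOTO)
+if (rule->action == FR_ACT_GOTO) {
 ops->nr_goto_rules--;
+if (rtnl_dereference(rule->ctarget) == NULL)
+ops->unresolved_rules--;
+}
 
 /*
 * Check if this rule is a target to any of them. If so,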
+1
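--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -328,6 +328,7 @@
 struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
 const int rto = (icsk->icsk_rto << 2) - (icsk->icsk_rto >> 1);
 
+tw->tw_transparent = inet_sk(sk)->transparent;
 tw->tw_rcv_wscale = tp->rx_opt.rcv_wscale;
 tcptw->tw_rcv_nxt = tp->rcv_nxt;
 tcptw->tw_snd_nxt = tp->snd_nxt;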
+3 -1
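--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1045,8 +1045,10 @@
 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
 uhlen + hdr_len;
 old_headroom = skb_headroom(skb);
-if (skb_cow_head(skb, headroom))
+if (skb_cow_head(skb, headroom)) {
+dev_kfree_skb(skb);
 goto abort;
+}
 
 new_headroom = skb_headroom(skb);
 skb_orphan(skb);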
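Review bot: The error path now frees `skb` before `goto abort`, so who owns the buffer depends on what the `abort` label and every other jump to it do, and that label is outside the hunk. If another path reaches `abort` with the skb still owned by the caller, the two conventions will be easy to mix up and a later change could introduce a double free or a leak. A comment at the top of the function stating the contract, e.g. `/* Consumes skb on success and on every error path */` if that is the intent, would make it checkable.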
+82 -53
net/netfilter/ipvs/ip_vs_ctl.c
··· 2283 2283 struct ip_vs_service *svc; 2284 2284 struct ip_vs_dest_user *udest_compat; 2285 2285 struct ip_vs_dest_user_kern udest; 2286 + struct netns_ipvs *ipvs = net_ipvs(net); 2286 2287 2287 2288 if (!capable(CAP_NET_ADMIN)) 2288 2289 return -EPERM; ··· 2304 2303 /* increase the module use count */ 2305 2304 ip_vs_use_count_inc(); 2306 2305 2306 + /* Handle daemons since they have another lock */ 2307 + if (cmd == IP_VS_SO_SET_STARTDAEMON || 2308 + cmd == IP_VS_SO_SET_STOPDAEMON) { 2309 + struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg; 2310 + 2311 + if (mutex_lock_interruptible(&ipvs->sync_mutex)) { 2312 + ret = -ERESTARTSYS; 2313 + goto out_dec; 2314 + } 2315 + if (cmd == IP_VS_SO_SET_STARTDAEMON) 2316 + ret = start_sync_thread(net, dm->state, dm->mcast_ifn, 2317 + dm->syncid); 2318 + else 2319 + ret = stop_sync_thread(net, dm->state); 2320 + mutex_unlock(&ipvs->sync_mutex); 2321 + goto out_dec; 2322 + } 2323 + 2307 2324 if (mutex_lock_interruptible(&__ip_vs_mutex)) { 2308 2325 ret = -ERESTARTSYS; 2309 2326 goto out_dec; ··· 2334 2315 } else if (cmd == IP_VS_SO_SET_TIMEOUT) { 2335 2316 /* Set timeout values for (tcp tcpfin udp) */ 2336 2317 ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg); 2337 - goto out_unlock; 2338 - } else if (cmd == IP_VS_SO_SET_STARTDAEMON) { 2339 - struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg; 2340 - ret = start_sync_thread(net, dm->state, dm->mcast_ifn, 2341 - dm->syncid); 2342 - goto out_unlock; 2343 - } else if (cmd == IP_VS_SO_SET_STOPDAEMON) { 2344 - struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg; 2345 - ret = stop_sync_thread(net, dm->state); 2346 2318 goto out_unlock; 2347 2319 } 2348 2320 ··· 2594 2584 2595 2585 if (copy_from_user(arg, user, copylen) != 0) 2596 2586 return -EFAULT; 2587 + /* 2588 + * Handle daemons first since it has its own locking 2589 + */ 2590 + if (cmd == IP_VS_SO_GET_DAEMON) { 2591 + struct ip_vs_daemon_user d[2]; 2592 + 2593 + memset(&d, 0, 
sizeof(d)); 2594 + if (mutex_lock_interruptible(&ipvs->sync_mutex)) 2595 + return -ERESTARTSYS; 2596 + 2597 + if (ipvs->sync_state & IP_VS_STATE_MASTER) { 2598 + d[0].state = IP_VS_STATE_MASTER; 2599 + strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn, 2600 + sizeof(d[0].mcast_ifn)); 2601 + d[0].syncid = ipvs->master_syncid; 2602 + } 2603 + if (ipvs->sync_state & IP_VS_STATE_BACKUP) { 2604 + d[1].state = IP_VS_STATE_BACKUP; 2605 + strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn, 2606 + sizeof(d[1].mcast_ifn)); 2607 + d[1].syncid = ipvs->backup_syncid; 2608 + } 2609 + if (copy_to_user(user, &d, sizeof(d)) != 0) 2610 + ret = -EFAULT; 2611 + mutex_unlock(&ipvs->sync_mutex); 2612 + return ret; 2613 + } 2597 2614 2598 2615 if (mutex_lock_interruptible(&__ip_vs_mutex)) 2599 2616 return -ERESTARTSYS; ··· 2714 2677 2715 2678 __ip_vs_get_timeouts(net, &t); 2716 2679 if (copy_to_user(user, &t, sizeof(t)) != 0) 2717 - ret = -EFAULT; 2718 - } 2719 - break; 2720 - 2721 - case IP_VS_SO_GET_DAEMON: 2722 - { 2723 - struct ip_vs_daemon_user d[2]; 2724 - 2725 - memset(&d, 0, sizeof(d)); 2726 - if (ipvs->sync_state & IP_VS_STATE_MASTER) { 2727 - d[0].state = IP_VS_STATE_MASTER; 2728 - strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn, 2729 - sizeof(d[0].mcast_ifn)); 2730 - d[0].syncid = ipvs->master_syncid; 2731 - } 2732 - if (ipvs->sync_state & IP_VS_STATE_BACKUP) { 2733 - d[1].state = IP_VS_STATE_BACKUP; 2734 - strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn, 2735 - sizeof(d[1].mcast_ifn)); 2736 - d[1].syncid = ipvs->backup_syncid; 2737 - } 2738 - if (copy_to_user(user, &d, sizeof(d)) != 0) 2739 2680 ret = -EFAULT; 2740 2681 } 2741 2682 break; ··· 3220 3205 struct net *net = skb_sknet(skb); 3221 3206 struct netns_ipvs *ipvs = net_ipvs(net); 3222 3207 3223 - mutex_lock(&__ip_vs_mutex); 3208 + mutex_lock(&ipvs->sync_mutex); 3224 3209 if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) { 3225 3210 if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER, 3226 3211 ipvs->master_mcast_ifn, 
··· 3240 3225 } 3241 3226 3242 3227 nla_put_failure: 3243 - mutex_unlock(&__ip_vs_mutex); 3228 + mutex_unlock(&ipvs->sync_mutex); 3244 3229 3245 3230 return skb->len; 3246 3231 } ··· 3286 3271 return ip_vs_set_timeout(net, &t); 3287 3272 } 3288 3273 3274 + static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info) 3275 + { 3276 + int ret = 0, cmd; 3277 + struct net *net; 3278 + struct netns_ipvs *ipvs; 3279 + 3280 + net = skb_sknet(skb); 3281 + ipvs = net_ipvs(net); 3282 + cmd = info->genlhdr->cmd; 3283 + 3284 + if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) { 3285 + struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1]; 3286 + 3287 + mutex_lock(&ipvs->sync_mutex); 3288 + if (!info->attrs[IPVS_CMD_ATTR_DAEMON] || 3289 + nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX, 3290 + info->attrs[IPVS_CMD_ATTR_DAEMON], 3291 + ip_vs_daemon_policy)) { 3292 + ret = -EINVAL; 3293 + goto out; 3294 + } 3295 + 3296 + if (cmd == IPVS_CMD_NEW_DAEMON) 3297 + ret = ip_vs_genl_new_daemon(net, daemon_attrs); 3298 + else 3299 + ret = ip_vs_genl_del_daemon(net, daemon_attrs); 3300 + out: 3301 + mutex_unlock(&ipvs->sync_mutex); 3302 + } 3303 + return ret; 3304 + } 3305 + 3289 3306 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info) 3290 3307 { 3291 3308 struct ip_vs_service *svc = NULL; ··· 3339 3292 goto out; 3340 3293 } else if (cmd == IPVS_CMD_SET_CONFIG) { 3341 3294 ret = ip_vs_genl_set_config(net, info->attrs); 3342 - goto out; 3343 - } else if (cmd == IPVS_CMD_NEW_DAEMON || 3344 - cmd == IPVS_CMD_DEL_DAEMON) { 3345 - 3346 - struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1]; 3347 - 3348 - if (!info->attrs[IPVS_CMD_ATTR_DAEMON] || 3349 - nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX, 3350 - info->attrs[IPVS_CMD_ATTR_DAEMON], 3351 - ip_vs_daemon_policy)) { 3352 - ret = -EINVAL; 3353 - goto out; 3354 - } 3355 - 3356 - if (cmd == IPVS_CMD_NEW_DAEMON) 3357 - ret = ip_vs_genl_new_daemon(net, daemon_attrs); 3358 - else 
3359 - ret = ip_vs_genl_del_daemon(net, daemon_attrs); 3360 3295 goto out; 3361 3296 } else if (cmd == IPVS_CMD_ZERO && 3362 3297 !info->attrs[IPVS_CMD_ATTR_SERVICE]) { ··· 3565 3536 .cmd = IPVS_CMD_NEW_DAEMON, 3566 3537 .flags = GENL_ADMIN_PERM, 3567 3538 .policy = ip_vs_cmd_policy, 3568 - .doit = ip_vs_genl_set_cmd, 3539 + .doit = ip_vs_genl_set_daemon, 3569 3540 }, 3570 3541 { 3571 3542 .cmd = IPVS_CMD_DEL_DAEMON, 3572 3543 .flags = GENL_ADMIN_PERM, 3573 3544 .policy = ip_vs_cmd_policy, 3574 - .doit = ip_vs_genl_set_cmd, 3545 + .doit = ip_vs_genl_set_daemon, 3575 3546 }, 3576 3547 { 3577 3548 .cmd = IPVS_CMD_GET_DAEMON,
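Review bot: `ip_vs_genl_set_daemon()` takes `ipvs->sync_mutex` before it checks `info->attrs[IPVS_CMD_ATTR_DAEMON]` and runs `nla_parse_nested()`, so the lock is held across input parsing that appears not to touch the sync state. Parsing first and returning `-EINVAL` directly, then locking only around `ip_vs_genl_new_daemon()` / `ip_vs_genl_del_daemon()`, shortens the critical section and removes the need for the `out:` label. The function also returns 0 for any command other than the two daemon ones; returning `-EINVAL` in that case would be safer even though only those two commands are routed to it in the ops table hunk. In the `IP_VS_SO_GET_DAEMON` branch the early `return ret;` relies on `ret` having been initialised above the hunk, which should be confirmed.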
+6
net/netfilter/ipvs/ip_vs_sync.c
··· 61 61 62 62 #define SYNC_PROTO_VER 1 /* Protocol version in header */ 63 63 64 + static struct lock_class_key __ipvs_sync_key; 64 65 /* 65 66 * IPVS sync connection entry 66 67 * Version 0, i.e. original version. ··· 1546 1545 IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n", 1547 1546 sizeof(struct ip_vs_sync_conn_v0)); 1548 1547 1548 + 1549 1549 if (state == IP_VS_STATE_MASTER) { 1550 1550 if (ipvs->master_thread) 1551 1551 return -EEXIST; ··· 1669 1667 { 1670 1668 struct netns_ipvs *ipvs = net_ipvs(net); 1671 1669 1670 + __mutex_init(&ipvs->sync_mutex, "ipvs->sync_mutex", &__ipvs_sync_key); 1672 1671 INIT_LIST_HEAD(&ipvs->sync_queue); 1673 1672 spin_lock_init(&ipvs->sync_lock); 1674 1673 spin_lock_init(&ipvs->sync_buff_lock); ··· 1683 1680 void ip_vs_sync_net_cleanup(struct net *net) 1684 1681 { 1685 1682 int retc; 1683 + struct netns_ipvs *ipvs = net_ipvs(net); 1686 1684 1685 + mutex_lock(&ipvs->sync_mutex); 1687 1686 retc = stop_sync_thread(net, IP_VS_STATE_MASTER); 1688 1687 if (retc && retc != -ESRCH) 1689 1688 pr_err("Failed to stop Master Daemon\n"); ··· 1693 1688 retc = stop_sync_thread(net, IP_VS_STATE_BACKUP); 1694 1689 if (retc && retc != -ESRCH) 1695 1690 pr_err("Failed to stop Backup Daemon\n"); 1691 + mutex_unlock(&ipvs->sync_mutex); 1696 1692 }
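Review bot: `__mutex_init(&ipvs->sync_mutex, "ipvs->sync_mutex", &__ipvs_sync_key);` bypasses the usual `mutex_init()` without a comment, so the reason for the file-scope `__ipvs_sync_key` is left to the reader. If the point is a single lockdep class for the `sync_mutex` of every network namespace, say so next to the key, e.g. `/* one lockdep class for sync_mutex in all netns */` (to be confirmed). The second hunk adds only an extra blank line before `if (state == IP_VS_STATE_MASTER)`, which should be dropped.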
+2 -2
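--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -241,8 +241,8 @@
 nf_ct_refresh_acct(ct, ctinfo, skb,
 ct->proto.gre.stream_timeout);
 /* Also, more likely to be important, and not a probe. */
-set_bit(IPS_ASSURED_BIT, &ct->status);
-nf_conntrack_event_cache(IPCT_ASSURED, ct);
+if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
+nf_conntrack_event_cache(IPCT_ASSURED, ct);
 } else
 nf_ct_refresh_acct(ct, ctinfo, skb,
 ct->proto.gre.timeout);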
+32 -8
net/x25/af_x25.c
··· 91 91 int needed; 92 92 int rc; 93 93 94 - if (skb->len < 1) { 94 + if (!pskb_may_pull(skb, 1)) { 95 95 /* packet has no address block */ 96 96 rc = 0; 97 97 goto empty; ··· 100 100 len = *skb->data; 101 101 needed = 1 + (len >> 4) + (len & 0x0f); 102 102 103 - if (skb->len < needed) { 103 + if (!pskb_may_pull(skb, needed)) { 104 104 /* packet is too short to hold the addresses it claims 105 105 to hold */ 106 106 rc = -1; ··· 295 295 * Found a listening socket, now check the incoming 296 296 * call user data vs this sockets call user data 297 297 */ 298 - if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { 298 + if (x25_sk(s)->cudmatchlength > 0 && 299 + skb->len >= x25_sk(s)->cudmatchlength) { 299 300 if((memcmp(x25_sk(s)->calluserdata.cuddata, 300 301 skb->data, 301 302 x25_sk(s)->cudmatchlength)) == 0) { ··· 952 951 * 953 952 * Facilities length is mandatory in call request packets 954 953 */ 955 - if (skb->len < 1) 954 + if (!pskb_may_pull(skb, 1)) 956 955 goto out_clear_request; 957 956 len = skb->data[0] + 1; 958 - if (skb->len < len) 957 + if (!pskb_may_pull(skb, len)) 959 958 goto out_clear_request; 960 959 skb_pull(skb,len); 960 + 961 + /* 962 + * Ensure that the amount of call user data is valid. 963 + */ 964 + if (skb->len > X25_MAX_CUD_LEN) 965 + goto out_clear_request; 966 + 967 + /* 968 + * Get all the call user data so it can be used in 969 + * x25_find_listener and skb_copy_from_linear_data up ahead. 970 + */ 971 + if (!pskb_may_pull(skb, skb->len)) 972 + goto out_clear_request; 961 973 962 974 /* 963 975 * Find a listener for the particular address/cud pair. ··· 1180 1166 * byte of the user data is the logical value of the Q Bit. 
1181 1167 */ 1182 1168 if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) { 1169 + if (!pskb_may_pull(skb, 1)) 1170 + goto out_kfree_skb; 1171 + 1183 1172 qbit = skb->data[0]; 1184 1173 skb_pull(skb, 1); 1185 1174 } ··· 1261 1244 struct x25_sock *x25 = x25_sk(sk); 1262 1245 struct sockaddr_x25 *sx25 = (struct sockaddr_x25 *)msg->msg_name; 1263 1246 size_t copied; 1264 - int qbit; 1247 + int qbit, header_len = x25->neighbour->extended ? 1248 + X25_EXT_MIN_LEN : X25_STD_MIN_LEN; 1249 + 1265 1250 struct sk_buff *skb; 1266 1251 unsigned char *asmptr; 1267 1252 int rc = -ENOTCONN; ··· 1283 1264 goto out; 1284 1265 1285 1266 skb = skb_dequeue(&x25->interrupt_in_queue); 1267 + 1268 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) 1269 + goto out_free_dgram; 1286 1270 1287 1271 skb_pull(skb, X25_STD_MIN_LEN); 1288 1272 ··· 1307 1285 if (!skb) 1308 1286 goto out; 1309 1287 1288 + if (!pskb_may_pull(skb, header_len)) 1289 + goto out_free_dgram; 1290 + 1310 1291 qbit = (skb->data[0] & X25_Q_BIT) == X25_Q_BIT; 1311 1292 1312 - skb_pull(skb, x25->neighbour->extended ? 1313 - X25_EXT_MIN_LEN : X25_STD_MIN_LEN); 1293 + skb_pull(skb, header_len); 1314 1294 1315 1295 if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) { 1316 1296 asmptr = skb_push(skb, 1);
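Review bot: In the receive-message hunk `header_len` is initialised in its declaration from `x25->neighbour->extended`, which runs before `rc = -ENOTCONN` and whatever connection-state check follows it. If the socket can reach this function with no neighbour attached, that initialiser dereferences a NULL pointer; the state check is outside the hunk, so this needs confirming. Declaring `int qbit, header_len;` and assigning `header_len = x25->neighbour->extended ? X25_EXT_MIN_LEN : X25_STD_MIN_LEN;` only after the state check avoids the problem. Separately, `pskb_may_pull(skb, X25_STD_MIN_LEN)` is applied directly to the result of `skb_dequeue(&x25->interrupt_in_queue)`, so the lines above must guarantee the queue is non-empty.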
+6
net/x25/x25_dev.c
··· 32 32 unsigned short frametype; 33 33 unsigned int lci; 34 34 35 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) 36 + return 0; 37 + 35 38 frametype = skb->data[2]; 36 39 lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); 37 40 ··· 117 114 printk(KERN_DEBUG "X.25: unknown neighbour - %s\n", dev->name); 118 115 goto drop; 119 116 } 117 + 118 + if (!pskb_may_pull(skb, 1)) 119 + return 0; 120 120 121 121 switch (skb->data[0]) { 122 122
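Review bot: The new length check placed before `switch (skb->data[0])` leaves with `return 0;` while the failure just above it uses `goto drop;`. If `drop` is where the skb is released (the label is outside the hunk), the short-frame path returns without freeing the buffer, which a peer could trigger repeatedly with undersized frames. Using `goto drop;` there would match the neighbouring error path. The check in the first hunk also returns 0, and whether its caller frees the skb on 0 is not visible here.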
+6 -4
net/x25/x25_facilities.c
··· 44 44 int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, 45 45 struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask) 46 46 { 47 - unsigned char *p = skb->data; 47 + unsigned char *p; 48 48 unsigned int len; 49 49 50 50 *vc_fac_mask = 0; ··· 60 60 memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae)); 61 61 memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae)); 62 62 63 - if (skb->len < 1) 63 + if (!pskb_may_pull(skb, 1)) 64 64 return 0; 65 65 66 - len = *p++; 66 + len = skb->data[0]; 67 67 68 - if (len >= skb->len) 68 + if (!pskb_may_pull(skb, 1 + len)) 69 69 return -1; 70 + 71 + p = skb->data + 1; 70 72 71 73 while (len > 0) { 72 74 switch (*p & X25_FAC_CLASS_MASK) {
+38 -5
net/x25/x25_in.c
··· 107 107 /* 108 108 * Parse the data in the frame. 109 109 */ 110 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) 111 + goto out_clear; 110 112 skb_pull(skb, X25_STD_MIN_LEN); 111 113 112 114 len = x25_parse_address_block(skb, &source_addr, ··· 129 127 * Copy any Call User Data. 130 128 */ 131 129 if (skb->len > 0) { 132 - skb_copy_from_linear_data(skb, 133 - x25->calluserdata.cuddata, 134 - skb->len); 130 + if (skb->len > X25_MAX_CUD_LEN) 131 + goto out_clear; 132 + 133 + skb_copy_bits(skb, 0, x25->calluserdata.cuddata, 134 + skb->len); 135 135 x25->calluserdata.cudlength = skb->len; 136 136 } 137 137 if (!sock_flag(sk, SOCK_DEAD)) ··· 141 137 break; 142 138 } 143 139 case X25_CLEAR_REQUEST: 140 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2)) 141 + goto out_clear; 142 + 144 143 x25_write_internal(sk, X25_CLEAR_CONFIRMATION); 145 144 x25_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]); 146 145 break; ··· 171 164 switch (frametype) { 172 165 173 166 case X25_CLEAR_REQUEST: 167 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2)) 168 + goto out_clear; 169 + 174 170 x25_write_internal(sk, X25_CLEAR_CONFIRMATION); 175 171 x25_disconnect(sk, 0, skb->data[3], skb->data[4]); 176 172 break; ··· 186 176 break; 187 177 } 188 178 179 + return 0; 180 + 181 + out_clear: 182 + x25_write_internal(sk, X25_CLEAR_REQUEST); 183 + x25_start_t23timer(sk); 189 184 return 0; 190 185 } 191 186 ··· 221 206 break; 222 207 223 208 case X25_CLEAR_REQUEST: 209 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2)) 210 + goto out_clear; 211 + 224 212 x25_write_internal(sk, X25_CLEAR_CONFIRMATION); 225 213 x25_disconnect(sk, 0, skb->data[3], skb->data[4]); 226 214 break; ··· 322 304 } 323 305 324 306 return queued; 307 + 308 + out_clear: 309 + x25_write_internal(sk, X25_CLEAR_REQUEST); 310 + x25->state = X25_STATE_2; 311 + x25_start_t23timer(sk); 312 + return 0; 325 313 } 326 314 327 315 /* ··· 337 313 */ 338 314 static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametype) 339 
315 { 316 + struct x25_sock *x25 = x25_sk(sk); 317 + 340 318 switch (frametype) { 341 319 342 320 case X25_RESET_REQUEST: 343 321 x25_write_internal(sk, X25_RESET_CONFIRMATION); 344 322 case X25_RESET_CONFIRMATION: { 345 - struct x25_sock *x25 = x25_sk(sk); 346 - 347 323 x25_stop_timer(sk); 348 324 x25->condition = 0x00; 349 325 x25->va = 0; ··· 355 331 break; 356 332 } 357 333 case X25_CLEAR_REQUEST: 334 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2)) 335 + goto out_clear; 336 + 358 337 x25_write_internal(sk, X25_CLEAR_CONFIRMATION); 359 338 x25_disconnect(sk, 0, skb->data[3], skb->data[4]); 360 339 break; ··· 366 339 break; 367 340 } 368 341 342 + return 0; 343 + 344 + out_clear: 345 + x25_write_internal(sk, X25_CLEAR_REQUEST); 346 + x25->state = X25_STATE_2; 347 + x25_start_t23timer(sk); 369 348 return 0; 370 349 } 371 350
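Review bot: The `out_clear` tail is written out three times in the visible hunks and the copies differ: the later two set `x25->state = X25_STATE_2;` before `x25_start_t23timer(sk)`, the first does not. If the first omits it because that state machine already runs in the clearing state, a comment such as `/* state is left unchanged on this path */` would stop the difference from looking like an oversight; a small static helper shared by all of them would remove the duplication. The state machine holding the `ECONNREFUSED` case gains two `goto out_clear` jumps, but no hunk on this page adds a label to that function, so it is worth confirming the label exists there and what it does to the state. In the call-accepted case the return value of `skb_copy_bits()` is ignored; with the preceding `X25_MAX_CUD_LEN` bound that is probably safe, but a comment would make it explicit.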
+3
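--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -90,6 +90,9 @@
 break;
 
 case X25_DIAGNOSTIC:
+if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 4))
+break;
+
 printk(KERN_WARNING "x25: diagnostic #%d - %02X %02X %02X\n",
 skb->data[3], skb->data[4],
 skb->data[5], skb->data[6]);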
+13 -1
net/x25/x25_subr.c
··· 269 269 int *d, int *m) 270 270 { 271 271 struct x25_sock *x25 = x25_sk(sk); 272 - unsigned char *frame = skb->data; 272 + unsigned char *frame; 273 + 274 + if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) 275 + return X25_ILLEGAL; 276 + frame = skb->data; 273 277 274 278 *ns = *nr = *q = *d = *m = 0; 275 279 ··· 298 294 if (frame[2] == X25_RR || 299 295 frame[2] == X25_RNR || 300 296 frame[2] == X25_REJ) { 297 + if (!pskb_may_pull(skb, X25_EXT_MIN_LEN)) 298 + return X25_ILLEGAL; 299 + frame = skb->data; 300 + 301 301 *nr = (frame[3] >> 1) & 0x7F; 302 302 return frame[2]; 303 303 } ··· 316 308 317 309 if (x25->neighbour->extended) { 318 310 if ((frame[2] & 0x01) == X25_DATA) { 311 + if (!pskb_may_pull(skb, X25_EXT_MIN_LEN)) 312 + return X25_ILLEGAL; 313 + frame = skb->data; 314 + 319 315 *q = (frame[0] & X25_Q_BIT) == X25_Q_BIT; 320 316 *d = (frame[0] & X25_D_BIT) == X25_D_BIT; 321 317 *m = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT;
+1
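--- a/security/security.c
+++ b/security/security.c
@@ -1097,6 +1097,7 @@
 {
 security_ops->sk_clone_security(sk, newsk);
 }
+EXPORT_SYMBOL(security_sk_clone);
 
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {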