authorLinus Torvalds <torvalds@linux-foundation.org>2017-04-21 16:20:47 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2017-04-21 16:20:47 -0400
commit057a650bdcb05ec5947558b6baa5305a3cb15f17 (patch)
tree92ed7c7d193690a8ee5b6930548d478d2fd54872 /net/key
parent92b4fc75636be07af00b1c085513ce98e6bab324 (diff)
parentc70b17b775edb21280e9de7531acf6db3b365274 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller: 1) Don't race in IPSEC dumps, from Yuejie Shi. 2) Verify lengths properly in IPSEC requests, from Herbert Xu. 3) Fix out of bounds access in ipv6 segment routing code, from David Lebrun. 4) Don't write into the header of cloned SKBs in smsc95xx driver, from James Hughes. 5) Several other drivers have this bug too, fix them. From Eric Dumazet. 6) Fix access to uninitialized data in TC action cookie code, from Wolfgang Bumiller. 7) Fix double free in IPV6 segment routing, again from David Lebrun. 8) Don't let userspace set the RTF_PCPU flag, oops. From David Ahern. 9) Fix use after free in qrtr code, from Dan Carpenter. 10) Don't double-destroy devices in ip6mr code, from Nikolay Aleksandrov. 11) Don't pass out-of-range TX queue indices into drivers, from Tushar Dave. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (30 commits) netpoll: Check for skb->queue_mapping ip6mr: fix notification device destruction bpf, doc: update bpf maintainers entry net: qrtr: potential use after free in qrtr_sendmsg() bpf: Fix values type used in test_maps net: ipv6: RTF_PCPU should not be settable from userspace gso: Validate assumption of frag_list segementation kaweth: use skb_cow_head() to deal with cloned skbs ch9200: use skb_cow_head() to deal with cloned skbs lan78xx: use skb_cow_head() to deal with cloned skbs sr9700: use skb_cow_head() to deal with cloned skbs cx82310_eth: use skb_cow_head() to deal with cloned skbs smsc75xx: use skb_cow_head() to deal with cloned skbs ipv6: sr: fix double free of skb after handling invalid SRH MAINTAINERS: Add "B:" field for networking. net sched actions: allocate act cookie early qed: Fix issue in populating the PFC config paramters. qed: Fix possible system hang in the dcbnl-getdcbx() path. qed: Fix sending an invalid PFC error mask to MFW. qed: Fix possible error in populating max_tc field. ...
Diffstat (limited to 'net/key')
-rw-r--r--net/key/af_key.c93
1 files changed, 64 insertions, 29 deletions
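--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -63,8 +63,13 @@ struct pfkey_sock {
 } u;
 struct sk_buff *skb;
 } dump;
+struct mutex dump_lock;
 };
 
+static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
+xfrm_address_t *saddr, xfrm_address_t *daddr,
+u16 *family);
+
 static inline struct pfkey_sock *pfkey_sk(struct sock *sk)
 {
 return (struct pfkey_sock *)sk;
@@ -139,6 +144,7 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol,
 {
 struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
 struct sock *sk;
+struct pfkey_sock *pfk;
 int err;
 
 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
@@ -153,6 +159,9 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol,
 if (sk == NULL)
 goto out;
 
+pfk = pfkey_sk(sk);
+mutex_init(&pfk->dump_lock);
+
 sock->ops = &pfkey_ops;
 sock_init_data(sock, sk);
 
@@ -281,13 +290,23 @@ static int pfkey_do_dump(struct pfkey_sock *pfk)
 struct sadb_msg *hdr;
 int rc;
 
+mutex_lock(&pfk->dump_lock);
+if (!pfk->dump.dump) {
+rc = 0;
+goto out;
+}
+
 rc = pfk->dump.dump(pfk);
-if (rc == -ENOBUFS)
-return 0;
+if (rc == -ENOBUFS) {
+rc = 0;
+goto out;
+}
 
 if (pfk->dump.skb) {
-if (!pfkey_can_dump(&pfk->sk))
-return 0;
+if (!pfkey_can_dump(&pfk->sk)) {
+rc = 0;
+goto out;
+}
 
 hdr = (struct sadb_msg *) pfk->dump.skb->data;
 hdr->sadb_msg_seq = 0;
@@ -298,6 +317,9 @@ static int pfkey_do_dump(struct pfkey_sock *pfk)
 }
 
 pfkey_terminate_dump(pfk);
+
+out:
+mutex_unlock(&pfk->dump_lock);
 return rc;
 }
 
@@ -1793,19 +1815,26 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
 struct xfrm_address_filter *filter = NULL;
 struct pfkey_sock *pfk = pfkey_sk(sk);
 
-if (pfk->dump.dump != NULL)
+mutex_lock(&pfk->dump_lock);
+if (pfk->dump.dump != NULL) {
+mutex_unlock(&pfk->dump_lock);
 return -EBUSY;
+}
 
 proto = pfkey_satype2proto(hdr->sadb_msg_satype);
-if (proto == 0)
+if (proto == 0) {
+mutex_unlock(&pfk->dump_lock);
 return -EINVAL;
+}
 
 if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
 struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
 
 filter = kmalloc(sizeof(*filter), GFP_KERNEL);
-if (filter == NULL)
+if (filter == NULL) {
+mutex_unlock(&pfk->dump_lock);
 return -ENOMEM;
+}
 
 memcpy(&filter->saddr, &xfilter->sadb_x_filter_saddr,
 sizeof(xfrm_address_t));
@@ -1821,6 +1850,7 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
 pfk->dump.dump = pfkey_dump_sa;
 pfk->dump.done = pfkey_dump_sa_done;
 xfrm_state_walk_init(&pfk->dump.u.state, proto, filter);
+mutex_unlock(&pfk->dump_lock);
 
 return pfkey_do_dump(pfk);
 }
@@ -1913,19 +1943,14 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
 
 /* addresses present only in tunnel mode */
 if (t->mode == XFRM_MODE_TUNNEL) {
-u8 *sa = (u8 *) (rq + 1);
-int family, socklen;
+int err;
 
-family = pfkey_sockaddr_extract((struct sockaddr *)sa,
-&t->saddr);
-if (!family)
-return -EINVAL;
-
-socklen = pfkey_sockaddr_len(family);
-if (pfkey_sockaddr_extract((struct sockaddr *)(sa + socklen),
-&t->id.daddr) != family)
-return -EINVAL;
-t->encap_family = family;
+err = parse_sockaddr_pair(
+(struct sockaddr *)(rq + 1),
+rq->sadb_x_ipsecrequest_len - sizeof(*rq),
+&t->saddr, &t->id.daddr, &t->encap_family);
+if (err)
+return err;
 } else
 t->encap_family = xp->family;
 
@@ -1945,7 +1970,11 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
 if (pol->sadb_x_policy_len * 8 < sizeof(struct sadb_x_policy))
 return -EINVAL;
 
-while (len >= sizeof(struct sadb_x_ipsecrequest)) {
+while (len >= sizeof(*rq)) {
+if (len < rq->sadb_x_ipsecrequest_len ||
+rq->sadb_x_ipsecrequest_len < sizeof(*rq))
+return -EINVAL;
+
 if ((err = parse_ipsecrequest(xp, rq)) < 0)
 return err;
 len -= rq->sadb_x_ipsecrequest_len;
@@ -2408,7 +2437,6 @@ out:
 return err;
 }
 
-#ifdef CONFIG_NET_KEY_MIGRATE
 static int pfkey_sockaddr_pair_size(sa_family_t family)
 {
 return PFKEY_ALIGN8(pfkey_sockaddr_len(family) * 2);
@@ -2420,7 +2448,7 @@ static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
 {
 int af, socklen;
 
-if (ext_len < pfkey_sockaddr_pair_size(sa->sa_family))
+if (ext_len < 2 || ext_len < pfkey_sockaddr_pair_size(sa->sa_family))
 return -EINVAL;
 
 af = pfkey_sockaddr_extract(sa, saddr);
@@ -2436,6 +2464,7 @@ static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
 return 0;
 }
 
+#ifdef CONFIG_NET_KEY_MIGRATE
 static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
 struct xfrm_migrate *m)
 {
@@ -2443,13 +2472,14 @@ static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
 struct sadb_x_ipsecrequest *rq2;
 int mode;
 
-if (len <= sizeof(struct sadb_x_ipsecrequest) ||
-len < rq1->sadb_x_ipsecrequest_len)
+if (len < sizeof(*rq1) ||
+len < rq1->sadb_x_ipsecrequest_len ||
+rq1->sadb_x_ipsecrequest_len < sizeof(*rq1))
 return -EINVAL;
 
 /* old endoints */
 err = parse_sockaddr_pair((struct sockaddr *)(rq1 + 1),
-rq1->sadb_x_ipsecrequest_len,
+rq1->sadb_x_ipsecrequest_len - sizeof(*rq1),
 &m->old_saddr, &m->old_daddr,
 &m->old_family);
 if (err)
@@ -2458,13 +2488,14 @@ static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
 rq2 = (struct sadb_x_ipsecrequest *)((u8 *)rq1 + rq1->sadb_x_ipsecrequest_len);
 len -= rq1->sadb_x_ipsecrequest_len;
 
-if (len <= sizeof(struct sadb_x_ipsecrequest) ||
-len < rq2->sadb_x_ipsecrequest_len)
+if (len <= sizeof(*rq2) ||
+len < rq2->sadb_x_ipsecrequest_len ||
+rq2->sadb_x_ipsecrequest_len < sizeof(*rq2))
 return -EINVAL;
 
 /* new endpoints */
 err = parse_sockaddr_pair((struct sockaddr *)(rq2 + 1),
-rq2->sadb_x_ipsecrequest_len,
+rq2->sadb_x_ipsecrequest_len - sizeof(*rq2),
 &m->new_saddr, &m->new_daddr,
 &m->new_family);
 if (err)
@@ -2679,14 +2710,18 @@ static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb
 {
 struct pfkey_sock *pfk = pfkey_sk(sk);
 
-if (pfk->dump.dump != NULL)
+mutex_lock(&pfk->dump_lock);
+if (pfk->dump.dump != NULL) {
+mutex_unlock(&pfk->dump_lock);
 return -EBUSY;
+}
 
 pfk->dump.msg_version = hdr->sadb_msg_version;
 pfk->dump.msg_portid = hdr->sadb_msg_pid;
 pfk->dump.dump = pfkey_dump_sp;
 pfk->dump.done = pfkey_dump_sp_done;
 xfrm_policy_walk_init(&pfk->dump.u.policy, XFRM_POLICY_TYPE_MAIN);
+mutex_unlock(&pfk->dump_lock);
 
 return pfkey_do_dump(pfk);
 }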