diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-02 14:09:41 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-02 14:09:41 -0400 |
| commit | 8172ba51e257fdd353010cd7caaa37c8bc9eb44a (patch) | |
| tree | dc440db5d27a9846a00a5ff011f5bd557b861051 /net/ipv6/tcp_ipv6.c | |
| parent | d4039314d0b1b57aa602490b7b9ae505e2467a44 (diff) | |
| parent | f5f321c43150cb4db8f342c8479c6fbdbe20b338 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix use-after-free with mac80211 RX A-MPDU reorder timer, from
Johannes Berg.
2) iwlwifi leaks memory every module load/unload cycles, fix from Larry
Finger.
3) Need to use for_each_netdev_safe() in rtnl_group_changelink()
otherwise we can crash, from WANG Cong.
4) mlx4 driver does register_netdev() too early in the probe sequence,
from Ido Shamay.
5) Don't allow router discovery hop limit to decrease the interface's
hop limit, from D.S. Ljungmark.
6) tx_packets and tx_bytes improperly accounted for certain classes of
USB network devices, fix from Ben Hutchings.
7) ip{6}mr_rules_init() mistakenly use plain kfree to release the ipmr
tables in the error path, they must instead use ip{6}mr_free_table().
Fix from WANG Cong.
8) cxgb4 doesn't properly quiesce all RX activity before unregistering
the netdevice. Fix from Hariprasad Shenai.
9) Fix hash corruptions in ipvlan driver, from Jiri Benc.
10) nla_memcpy(), like a real memcpy, should fully initialize the
destination buffer, even if the source attribute is smaller. Fix
from Jiri Benc.
11) Fix wrong error code returned from iucv_sock_sendmsg(). We should
use whatever sock_alloc_send_skb() put into 'err'. From Eugene
Crosser.
12) Fix slab object leak on module unload in TIPC, from Ying Xue.
13) Need a READ_ONCE() when reading the cached RX socket route in
tcp_v{4,6}_early_demux(). From Michal Kubecek.
14) Still too many problems with TPC support in the ath9k driver, so
disable it for now. From Felix Fietkau.
15) When in AP mode the rtlwifi driver can leak DMA mappings, fix from
Larry Finger.
16) Missing kzalloc() failure check in gs_usb CAN driver, from Colin Ian
King.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits)
cxgb4: Fix to dump devlog, even if FW is crashed
cxgb4: Firmware macro changes for fw verison 1.13.32.0
bnx2x: Fix kdump when iommu=on
bnx2x: Fix kdump on 4-port device
mac80211: fix RX A-MPDU session reorder timer deletion
MAINTAINERS: Update Intel Wired Ethernet Driver info
tipc: fix a slab object leak
net/usb/r8152: add device id for Lenovo TP USB 3.0 Ethernet
af_iucv: fix AF_IUCV sendmsg() errno
openvswitch: Return vport module ref before destruction
netlink: pad nla_memcpy dest buffer with zeroes
bonding: Bonding Overriding Configuration logic restored.
ipvlan: fix check for IP addresses in control path
ipvlan: do not use rcu operations for address list
ipvlan: protect against concurrent link removal
ipvlan: fix addr hash list corruption
net: fec: setup right value for mdio hold time
net: tcp6: fix double call of tcp_v6_fill_cb()
cxgb4vf: Fix sparse warnings
netns: don't clear nsid too early on removal
...
Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 5d46832c6f72..1f5e62229aaa 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -1411,6 +1411,15 @@ static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr, | |||
| 1411 | TCP_SKB_CB(skb)->sacked = 0; | 1411 | TCP_SKB_CB(skb)->sacked = 0; |
| 1412 | } | 1412 | } |
| 1413 | 1413 | ||
| 1414 | static void tcp_v6_restore_cb(struct sk_buff *skb) | ||
| 1415 | { | ||
| 1416 | /* We need to move header back to the beginning if xfrm6_policy_check() | ||
| 1417 | * and tcp_v6_fill_cb() are going to be called again. | ||
| 1418 | */ | ||
| 1419 | memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6, | ||
| 1420 | sizeof(struct inet6_skb_parm)); | ||
| 1421 | } | ||
| 1422 | |||
| 1414 | static int tcp_v6_rcv(struct sk_buff *skb) | 1423 | static int tcp_v6_rcv(struct sk_buff *skb) |
| 1415 | { | 1424 | { |
| 1416 | const struct tcphdr *th; | 1425 | const struct tcphdr *th; |
| @@ -1543,6 +1552,7 @@ do_time_wait: | |||
| 1543 | inet_twsk_deschedule(tw, &tcp_death_row); | 1552 | inet_twsk_deschedule(tw, &tcp_death_row); |
| 1544 | inet_twsk_put(tw); | 1553 | inet_twsk_put(tw); |
| 1545 | sk = sk2; | 1554 | sk = sk2; |
| 1555 | tcp_v6_restore_cb(skb); | ||
| 1546 | goto process; | 1556 | goto process; |
| 1547 | } | 1557 | } |
| 1548 | /* Fall through to ACK */ | 1558 | /* Fall through to ACK */ |
| @@ -1551,6 +1561,7 @@ do_time_wait: | |||
| 1551 | tcp_v6_timewait_ack(sk, skb); | 1561 | tcp_v6_timewait_ack(sk, skb); |
| 1552 | break; | 1562 | break; |
| 1553 | case TCP_TW_RST: | 1563 | case TCP_TW_RST: |
| 1564 | tcp_v6_restore_cb(skb); | ||
| 1554 | goto no_tcp_socket; | 1565 | goto no_tcp_socket; |
| 1555 | case TCP_TW_SUCCESS: | 1566 | case TCP_TW_SUCCESS: |
| 1556 | ; | 1567 | ; |
| @@ -1585,7 +1596,7 @@ static void tcp_v6_early_demux(struct sk_buff *skb) | |||
| 1585 | skb->sk = sk; | 1596 | skb->sk = sk; |
| 1586 | skb->destructor = sock_edemux; | 1597 | skb->destructor = sock_edemux; |
| 1587 | if (sk->sk_state != TCP_TIME_WAIT) { | 1598 | if (sk->sk_state != TCP_TIME_WAIT) { |
| 1588 | struct dst_entry *dst = sk->sk_rx_dst; | 1599 | struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst); |
| 1589 | 1600 | ||
| 1590 | if (dst) | 1601 | if (dst) |
| 1591 | dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie); | 1602 | dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie); |