Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: 1) The sockmap code has to free socket memory on close if there is corked data, from John Fastabend. 2) Tunnel names coming from userspace need to be length validated. From Eric Dumazet. 3) arp_filter() has to take VRFs properly into account, from Miguel Fadon Perlines. 4) Fix oops in error path of tcf_bpf_init(), from Davide Caratti. 5) Missing idr_remove() in u32_delete_key(), from Cong Wang. 6) More syzbot stuff. Several use of uninitialized value fixes all over, from Eric Dumazet. 7) Do not leak kernel memory to userspace in sctp, also from Eric Dumazet. 8) Discard frames from unused ports in DSA, from Andrew Lunn. 9) Fix DMA mapping and reset/failover problems in ibmvnic, from Thomas Falcon. 10) Do not access dp83640 PHY registers prematurely after reset, from Esben Haabendal. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits) vhost-net: set packet weight of tx polling to 2 * vq size net: thunderx: rework mac addresses list to u64 array inetpeer: fix uninit-value in inet_getpeer dp83640: Ensure against premature access to PHY registers after reset devlink: convert occ_get op to separate registration ARM: dts: ls1021a: Specify TBIPA register address net/fsl_pq_mdio: Allow explicit speficition of TBIPA address ibmvnic: Do not reset CRQ for Mobility driver resets ibmvnic: Fix failover case for non-redundant configuration ibmvnic: Fix reset scheduler error handling ibmvnic: Zero used TX descriptor counter on reset ibmvnic: Fix DMA mapping mistakes tipc: use the right skb in tipc_sk_fill_sock_diag() sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 net: dsa: Discard frames from unused ports sctp: do not leak kernel memory to user space soreuseport: initialise timewait reuseport field ipv4: fix uninit-value in ip_route_output_key_hash_rcu() dccp: initialize ireq->ir_mark net: fix uninit-value in __hw_addr_add_ex() ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-04-09 20:04:10 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-04-09 20:04:10 -0400
commit: c18bb396d3d261ebbb4efbc05129c5d354c541e4 (patch)
tree: 058a1413dd34fe4e1d9a998a43d56f3358b93e36 /net
parent: fd3b36d275660c905da9900b078eea341847d5e4 (diff)
parent: a2ac99905f1ea8b15997a6ec39af69aa28a3653b (diff)
28 files changed, 181 insertions, 67 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index a9682534c377..45ff5dc124cc 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -749,18 +749,31 @@ static bool conn_use_rpa(struct hci_conn *conn)
 }
 static void hci_req_add_le_create_conn(struct hci_request *req,
-                                       struct hci_conn *conn)
+                                       struct hci_conn *conn,
+                                       bdaddr_t *direct_rpa)
 {
        struct hci_cp_le_create_conn cp;
        struct hci_dev *hdev = conn->hdev;
        u8 own_addr_type;
-        /* Update random address, but set require_privacy to false so
+        /* If direct address was provided we use it instead of current
-         * that we never connect with an non-resolvable address.
+         * address.
         */
-        if (hci_update_random_address(req, false, conn_use_rpa(conn),
+        if (direct_rpa) {
-                                      &own_addr_type))
+                if (bacmp(&req->hdev->random_addr, direct_rpa))
-                return;
+                        hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
+                                                                direct_rpa);
+                /* direct address is always RPA */
+                own_addr_type = ADDR_LE_DEV_RANDOM;
+        } else {
+                /* Update random address, but set require_privacy to false so
+                 * that we never connect with an non-resolvable address.
+                 */
+                if (hci_update_random_address(req, false, conn_use_rpa(conn),
+                                              &own_addr_type))
+                        return;
+        }
        memset(&cp, 0, sizeof(cp));
@@ -825,7 +838,7 @@ static void hci_req_directed_advertising(struct hci_request *req,
 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
                                u8 dst_type, u8 sec_level, u16 conn_timeout,
-                                u8 role)
+                                u8 role, bdaddr_t *direct_rpa)
 {
        struct hci_conn_params *params;
        struct hci_conn *conn;
@@ -940,7 +953,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
                hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
        }
-        hci_req_add_le_create_conn(&req, conn);
+        hci_req_add_le_create_conn(&req, conn, direct_rpa);
 create_conn:
        err = hci_req_run(&req, create_le_conn_complete);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index cd3bbb766c24..139707cd9d35 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4648,7 +4648,8 @@ static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
 /* This function requires the caller holds hdev->lock */
 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
                                              bdaddr_t *addr,
-                                              u8 addr_type, u8 adv_type)
+                                              u8 addr_type, u8 adv_type,
+                                              bdaddr_t *direct_rpa)
 {
        struct hci_conn *conn;
        struct hci_conn_params *params;
@@ -4699,7 +4700,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
        }
        conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
-                              HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
+                              HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
+                              direct_rpa);
        if (!IS_ERR(conn)) {
                /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
                 * by higher layer that tried to connect, if no then
@@ -4808,8 +4810,13 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
                bdaddr_type = irk->addr_type;
        }
-        /* Check if we have been requested to connect to this device */
+        /* Check if we have been requested to connect to this device.
-        conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
+         *
+         * direct_addr is set only for directed advertising reports (it is NULL
+         * for advertising reports) and is already verified to be RPA above.
+         */
+        conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
+                                                                direct_addr);
        if (conn && type == LE_ADV_IND) {
                /* Store report for later inclusion by
                 * mgmt_device_connected
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fc6615d59165..9b7907ebfa01 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7156,7 +7156,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
                        hcon = hci_connect_le(hdev, dst, dst_type,
                                              chan->sec_level,
                                              HCI_LE_CONN_TIMEOUT,
-                                              HCI_ROLE_SLAVE);
+                                              HCI_ROLE_SLAVE, NULL);
                else
                        hcon = hci_connect_le_scan(hdev, dst, dst_type,
                                                   chan->sec_level,
diff --git a/net/core/dev.c b/net/core/dev.c
index 9b04a9fd1dfd..969462ebb296 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1027,7 +1027,7 @@ bool dev_valid_name(const char *name)
 {
        if (*name == '\0')
                return false;
-        if (strlen(name) >= IFNAMSIZ)
+        if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
                return false;
        if (!strcmp(name, ".") || !strcmp(name, ".."))
                return false;
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index c0548d268e1a..e3e6a3e2ca22 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
                return -EINVAL;
        list_for_each_entry(ha, &list->list, list) {
-                if (!memcmp(ha->addr, addr, addr_len) &&
+                if (ha->type == addr_type &&
-                    ha->type == addr_type) {
+                    !memcmp(ha->addr, addr, addr_len)) {
                        if (global) {
                                /* check if addr is already used as global */
                                if (ha->global_use)
diff --git a/net/core/devlink.c b/net/core/devlink.c
index 9236e421bd62..ad1317376798 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -2405,6 +2405,16 @@ devlink_resource_size_params_put(struct devlink_resource *resource,
        return 0;
 }
+static int devlink_resource_occ_put(struct devlink_resource *resource,
+                                    struct sk_buff *skb)
+{
+        if (!resource->occ_get)
+                return 0;
+        return nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_OCC,
+                                 resource->occ_get(resource->occ_get_priv),
+                                 DEVLINK_ATTR_PAD);
+}
 static int devlink_resource_put(struct devlink *devlink, struct sk_buff *skb,
                                struct devlink_resource *resource)
 {
@@ -2425,11 +2435,8 @@ static int devlink_resource_put(struct devlink *devlink, struct sk_buff *skb,
        if (resource->size != resource->size_new)
                nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_NEW,
                                  resource->size_new, DEVLINK_ATTR_PAD);
-        if (resource->resource_ops && resource->resource_ops->occ_get)
+        if (devlink_resource_occ_put(resource, skb))
-                if (nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_OCC,
+                goto nla_put_failure;
-                                      resource->resource_ops->occ_get(devlink),
-                                      DEVLINK_ATTR_PAD))
-                        goto nla_put_failure;
        if (devlink_resource_size_params_put(resource, skb))
                goto nla_put_failure;
        if (list_empty(&resource->resource_list))
@@ -3162,15 +3169,13 @@ EXPORT_SYMBOL_GPL(devlink_dpipe_table_unregister);
 *      @resource_id: resource's id
 *      @parent_reosurce_id: resource's parent id
 *      @size params: size parameters
- *      @resource_ops: resource ops
 */
 int devlink_resource_register(struct devlink *devlink,
                              const char *resource_name,
                              u64 resource_size,
                              u64 resource_id,
                              u64 parent_resource_id,
-                              const struct devlink_resource_size_params *size_params,
+                              const struct devlink_resource_size_params *size_params)
-                              const struct devlink_resource_ops *resource_ops)
 {
        struct devlink_resource *resource;
        struct list_head *resource_list;
@@ -3213,7 +3218,6 @@ int devlink_resource_register(struct devlink *devlink,
        resource->size = resource_size;
        resource->size_new = resource_size;
        resource->id = resource_id;
-        resource->resource_ops = resource_ops;
        resource->size_valid = true;
        memcpy(&resource->size_params, size_params,
               sizeof(resource->size_params));
@@ -3315,6 +3319,58 @@ out:
 }
 EXPORT_SYMBOL_GPL(devlink_dpipe_table_resource_set);
+/**
+ *      devlink_resource_occ_get_register - register occupancy getter
+ *
+ *      @devlink: devlink
+ *      @resource_id: resource id
+ *      @occ_get: occupancy getter callback
+ *      @occ_get_priv: occupancy getter callback priv
+ */
+void devlink_resource_occ_get_register(struct devlink *devlink,
+                                       u64 resource_id,
+                                       devlink_resource_occ_get_t *occ_get,
+                                       void *occ_get_priv)
+{
+        struct devlink_resource *resource;
+        mutex_lock(&devlink->lock);
+        resource = devlink_resource_find(devlink, NULL, resource_id);
+        if (WARN_ON(!resource))
+                goto out;
+        WARN_ON(resource->occ_get);
+        resource->occ_get = occ_get;
+        resource->occ_get_priv = occ_get_priv;
+out:
+        mutex_unlock(&devlink->lock);
+}
+EXPORT_SYMBOL_GPL(devlink_resource_occ_get_register);
+/**
+ *      devlink_resource_occ_get_unregister - unregister occupancy getter
+ *
+ *      @devlink: devlink
+ *      @resource_id: resource id
+ */
+void devlink_resource_occ_get_unregister(struct devlink *devlink,
+                                         u64 resource_id)
+{
+        struct devlink_resource *resource;
+        mutex_lock(&devlink->lock);
+        resource = devlink_resource_find(devlink, NULL, resource_id);
+        if (WARN_ON(!resource))
+                goto out;
+        WARN_ON(!resource->occ_get);
+        resource->occ_get = NULL;
+        resource->occ_get_priv = NULL;
+out:
+        mutex_unlock(&devlink->lock);
+}
+EXPORT_SYMBOL_GPL(devlink_resource_occ_get_unregister);
 static int __init devlink_module_init(void)
 {
        return genl_register_family(&devlink_nl_family);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 1bca1e0fc8f7..345b51837ca8 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -857,6 +857,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
        n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
        n->cloned = 1;
        n->nohdr = 0;
+        n->peeked = 0;
        n->destructor = NULL;
        C(tail);
        C(end);
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index e65fcb45c3f6..b08feb219b44 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
        ireq = inet_rsk(req);
        sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
        sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
+        ireq->ir_mark = inet_request_mark(sk, skb);
        ireq->ireq_family = AF_INET;
        ireq->ir_iif = sk->sk_bound_dev_if;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 5df7857fc0f3..6344f1b18a6a 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
        ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
        ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
        ireq->ireq_family = AF_INET6;
+        ireq->ir_mark = inet_request_mark(sk, skb);
        if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
            np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
diff --git a/net/dsa/dsa_priv.h b/net/dsa/dsa_priv.h
index 70de7895e5b8..053731473c99 100644
--- a/net/dsa/dsa_priv.h
+++ b/net/dsa/dsa_priv.h
@@ -126,6 +126,7 @@ static inline struct net_device *dsa_master_find_slave(struct net_device *dev,
        struct dsa_port *cpu_dp = dev->dsa_ptr;
        struct dsa_switch_tree *dst = cpu_dp->dst;
        struct dsa_switch *ds;
+        struct dsa_port *slave_port;
        if (device < 0 || device >= DSA_MAX_SWITCHES)
                return NULL;
@@ -137,7 +138,12 @@ static inline struct net_device *dsa_master_find_slave(struct net_device *dev,
        if (port < 0 || port >= ds->num_ports)
                return NULL;
-        return ds->ports[port].slave;
+        slave_port = &ds->ports[port];
+        if (unlikely(slave_port->type != DSA_PORT_TYPE_USER))
+                return NULL;
+        return slave_port->slave;
 }
 /* port.c */
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index be4c595edccb..bf6c2d4d4fdc 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -437,7 +437,7 @@ static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
        /*unsigned long now; */
        struct net *net = dev_net(dev);
-        rt = ip_route_output(net, sip, tip, 0, 0);
+        rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev));
        if (IS_ERR(rt))
                return 1;
        if (rt->dst.dev != dev) {
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index c3ea4906d237..88c5069b5d20 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -178,6 +178,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
                tw->tw_dport        = inet->inet_dport;
                tw->tw_family       = sk->sk_family;
                tw->tw_reuse        = sk->sk_reuse;
+                tw->tw_reuseport    = sk->sk_reuseport;
                tw->tw_hash         = sk->sk_hash;
                tw->tw_ipv6only     = 0;
                tw->tw_transparent  = inet->transparent;
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index 1f04bd91fc2e..d757b9642d0d 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -211,6 +211,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
                p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC);
                if (p) {
                        p->daddr = *daddr;
+                        p->dtime = (__u32)jiffies;
                        refcount_set(&p->refcnt, 2);
                        atomic_set(&p->rid, 0);
                        p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index de6d94482fe7..6b0e362cc99b 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -253,13 +253,14 @@ static struct net_device *__ip_tunnel_create(struct net *net,
        struct net_device *dev;
        char name[IFNAMSIZ];
-        if (parms->name[0])
+        err = -E2BIG;
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        goto failed;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else {
+        } else {
-                if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
+                if (strlen(ops->kind) > (IFNAMSIZ - 3))
-                        err = -E2BIG;
                        goto failed;
-                }
                strlcpy(name, ops->kind, IFNAMSIZ);
                strncat(name, "%d", 2);
        }
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 594a1c605c92..ccb25d80f679 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2296,13 +2296,14 @@ struct rtable *ip_route_output_key_hash(struct net *net, struct flowi4 *fl4,
                                        const struct sk_buff *skb)
 {
        __u8 tos = RT_FL_TOS(fl4);
-        struct fib_result res;
+        struct fib_result res = {
+                .type           = RTN_UNSPEC,
+                .fi             = NULL,
+                .table          = NULL,
+                .tclassid       = 0,
+        };
        struct rtable *rth;
-        res.tclassid    = 0;
-        res.fi          = NULL;
-        res.table       = NULL;
        fl4->flowi4_iif = LOOPBACK_IFINDEX;
        fl4->flowi4_tos = tos & IPTOS_RT_MASK;
        fl4->flowi4_scope = ((tos & RTO_ONLINK) ?
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index f8a103bdbd60..69727bc168cb 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -335,11 +335,13 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net,
        if (t || !create)
                return t;
-        if (parms->name[0])
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        return NULL;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else
+        } else {
                strcpy(name, "ip6gre%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ip6gre_tunnel_setup);
        if (!dev)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index b8ee50e94af3..2e891d2c30ef 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -375,6 +375,11 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)
 static inline int ip6_forward_finish(struct net *net, struct sock *sk,
                                     struct sk_buff *skb)
 {
+        struct dst_entry *dst = skb_dst(skb);
+        __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+        __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
        return dst_output(net, sk, skb);
 }
@@ -569,8 +574,6 @@ int ip6_forward(struct sk_buff *skb)
        hdr->hop_limit--;
-        __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
-        __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
        return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
                       net, NULL, skb, skb->dev, dst->dev,
                       ip6_forward_finish);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index df4c29f7d59f..da66aaac51ce 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -297,13 +297,16 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
        struct net_device *dev;
        struct ip6_tnl *t;
        char name[IFNAMSIZ];
-        int err = -ENOMEM;
+        int err = -E2BIG;
-        if (p->name[0])
+        if (p->name[0]) {
+                if (!dev_valid_name(p->name))
+                        goto failed;
                strlcpy(name, p->name, IFNAMSIZ);
-        else
+        } else {
                sprintf(name, "ip6tnl%%d");
+        }
+        err = -ENOMEM;
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ip6_tnl_dev_setup);
        if (!dev)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 6ebb2e8777f4..c214ffec02f0 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(struct net *net, struct __ip6_tnl_parm *p
        char name[IFNAMSIZ];
        int err;
-        if (p->name[0])
+        if (p->name[0]) {
+                if (!dev_valid_name(p->name))
+                        goto failed;
                strlcpy(name, p->name, IFNAMSIZ);
-        else
+        } else {
                sprintf(name, "ip6_vti%%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
        if (!dev)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 1522bcfd253f..2afce37a7177 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -250,11 +250,13 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net,
        if (!create)
                goto failed;
-        if (parms->name[0])
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        goto failed;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else
+        } else {
                strcpy(name, "sit%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ipip6_tunnel_setup);
        if (!dev)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index fa556fdef57d..55342c4d5cec 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1844,6 +1844,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
        if (msg->msg_namelen) {
                err = -EINVAL;
+                if (msg->msg_namelen < sizeof(struct sockaddr_nl))
+                        goto out;
                if (addr->nl_family != AF_NETLINK)
                        goto out;
                dst_portid = addr->nl_pid;
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 9092531d45d8..18089c02e557 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -248,10 +248,14 @@ static int tcf_bpf_init_from_efd(struct nlattr **tb, struct tcf_bpf_cfg *cfg)
 static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg)
 {
-        if (cfg->is_ebpf)
+        struct bpf_prog *filter = cfg->filter;
-                bpf_prog_put(cfg->filter);
-        else
+        if (filter) {
-                bpf_prog_destroy(cfg->filter);
+                if (cfg->is_ebpf)
+                        bpf_prog_put(filter);
+                else
+                        bpf_prog_destroy(filter);
+        }
        kfree(cfg->bpf_ops);
        kfree(cfg->bpf_name);
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index ed8b6a24b9e9..bac47b5d18fd 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -489,6 +489,7 @@ static int u32_delete_key(struct tcf_proto *tp, struct tc_u_knode *key)
                                RCU_INIT_POINTER(*kp, key->next);
                                tcf_unbind_filter(tp, &key->res);
+                                idr_remove(&ht->handle_idr, key->handle);
                                tcf_exts_get_net(&key->exts);
                                call_rcu(&key->rcu, u32_delete_key_freepf_rcu);
                                return 0;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 6dd976c8ab61..31083b5035ec 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -757,8 +757,10 @@ static int sctp_v6_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
                        sctp_v6_map_v4(addr);
        }
-        if (addr->sa.sa_family == AF_INET)
+        if (addr->sa.sa_family == AF_INET) {
+                memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
                return sizeof(struct sockaddr_in);
+        }
        return sizeof(struct sockaddr_in6);
 }
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 2a2e094560de..80835ac26d2c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -357,11 +357,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
        if (!opt->pf->af_supported(addr->sa.sa_family, opt))
                return NULL;
-        /* V4 mapped address are really of AF_INET family */
+        if (addr->sa.sa_family == AF_INET6) {
-        if (addr->sa.sa_family == AF_INET6 &&
+                if (len < SIN6_LEN_RFC2133)
-            ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+                        return NULL;
-            !opt->pf->af_supported(AF_INET, opt))
+                /* V4 mapped address are really of AF_INET family */
-                return NULL;
+                if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+                    !opt->pf->af_supported(AF_INET, opt))
+                        return NULL;
+        }
        /* If we get this far, af is valid. */
        af = sctp_get_af_specific(addr->sa.sa_family);
diff --git a/net/tipc/diag.c b/net/tipc/diag.c
index 46d9cd62f781..aaabb0b776dd 100644
--- a/net/tipc/diag.c
+++ b/net/tipc/diag.c
@@ -59,7 +59,7 @@ static int __tipc_add_sock_diag(struct sk_buff *skb,
        if (!nlh)
                return -EMSGSIZE;
-        err = tipc_sk_fill_sock_diag(skb, tsk, req->tidiag_states,
+        err = tipc_sk_fill_sock_diag(skb, cb, tsk, req->tidiag_states,
                                     __tipc_diag_gen_cookie);
        if (err)
                return err;
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index cee6674a3bf4..1fd1c8b5ce03 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -3257,8 +3257,8 @@ out:
 }
 EXPORT_SYMBOL(tipc_nl_sk_walk);
-int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
+int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb,
-                           u32 sk_filter_state,
+                           struct tipc_sock *tsk, u32 sk_filter_state,
                           u64 (*tipc_diag_gen_cookie)(struct sock *sk))
 {
        struct sock *sk = &tsk->sk;
@@ -3280,7 +3280,7 @@ int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
            nla_put_u32(skb, TIPC_NLA_SOCK_TIPC_STATE, (u32)sk->sk_state) ||
            nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) ||
            nla_put_u32(skb, TIPC_NLA_SOCK_UID,
-                        from_kuid_munged(sk_user_ns(NETLINK_CB(skb).sk),
+                        from_kuid_munged(sk_user_ns(NETLINK_CB(cb->skb).sk),
                                         sock_i_uid(sk))) ||
            nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE,
                              tipc_diag_gen_cookie(sk),
diff --git a/net/tipc/socket.h b/net/tipc/socket.h
index aae3fd4cd06c..aff9b2ae5a1f 100644
--- a/net/tipc/socket.h
+++ b/net/tipc/socket.h
@@ -61,8 +61,8 @@ int tipc_sk_rht_init(struct net *net);
 void tipc_sk_rht_destroy(struct net *net);
 int tipc_nl_sk_dump(struct sk_buff *skb, struct netlink_callback *cb);
 int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb);
-int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct tipc_sock *tsk,
+int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb,
-                           u32 sk_filter_state,
+                           struct tipc_sock *tsk, u32 sk_filter_state,
                           u64 (*tipc_diag_gen_cookie)(struct sock *sk));
 int tipc_nl_sk_walk(struct sk_buff *skb, struct netlink_callback *cb,
                    int (*skb_handler)(struct sk_buff *skb,
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-04-09 20:04:10 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-04-09 20:04:10 -0400
commit	c18bb396d3d261ebbb4efbc05129c5d354c541e4 (patch)
tree	058a1413dd34fe4e1d9a998a43d56f3358b93e36 /net
parent	fd3b36d275660c905da9900b078eea341847d5e4 (diff)
parent	a2ac99905f1ea8b15997a6ec39af69aa28a3653b (diff)