Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: netns: Don't receive new packets in a dead network namespace. sctp: Make sure N * sizeof(union sctp_addr) does not overflow. pppoe: warning fix ipv6: Drop packets for loopback address from outside of the box. ipv6: Remove options header when setsockopt's optlen is 0 mac80211: detect driver tx bugs
author: Linus Torvalds <torvalds@linux-foundation.org> 2008-06-21 11:44:08 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2008-06-21 11:44:08 -0400
commit: a19214430d27a3af6f1672ec26f3c893ef899ede (patch)
tree: ecd998eaf216f6e195c65cb050f4335db86b26f6
parent: b732d9680b7a2968823851f1163507ad9c45c8cb (diff)
parent: b9f75f45a6b46a0ab4eb0857d437a0845871f314 (diff)
9 files changed, 52 insertions, 7 deletions
diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index bafb69b6f7cb..fc6f4b8c64b3 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -942,7 +942,7 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock,
        m->msg_namelen = 0;
        if (skb) {
-                total_len = min(total_len, skb->len);
+                total_len = min_t(size_t, total_len, skb->len);
                error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
                if (error == 0)
                        error = total_len;
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index e0a612bc9c4e..f422f7218e1c 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
                 a->s6_addr32[2] | a->s6_addr32[3] ) == 0); 
 }
+static inline int ipv6_addr_loopback(const struct in6_addr *a)
+{
+        return ((a->s6_addr32[0] | a->s6_addr32[1] |
+                 a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
+}
 static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
 {
        return ((a->s6_addr32[0] | a->s6_addr32[1] |
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index aa540e6be502..d9dd0f707296 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -95,6 +95,11 @@ extern struct list_head net_namespace_list;
 #ifdef CONFIG_NET_NS
 extern void __put_net(struct net *net);
+static inline int net_alive(struct net *net)
+{
+        return net && atomic_read(&net->count);
+}
 static inline struct net *get_net(struct net *net)
 {
        atomic_inc(&net->count);
@@ -125,6 +130,12 @@ int net_eq(const struct net *net1, const struct net *net2)
        return net1 == net2;
 }
 #else
+static inline int net_alive(struct net *net)
+{
+        return 1;
+}
 static inline struct net *get_net(struct net *net)
 {
        return net;
diff --git a/net/core/dev.c b/net/core/dev.c
index 68d8df0992ab..c421a1f8f0b9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2077,6 +2077,10 @@ int netif_receive_skb(struct sk_buff *skb)
        rcu_read_lock();
+        /* Don't receive packets in an exiting network namespace */
+        if (!net_alive(dev_net(skb->dev)))
+                goto out;
 #ifdef CONFIG_NET_CLS_ACT
        if (skb->tc_verd & TC_NCLS) {
                skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 72b4c184dd84..7c52fe277b62 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -140,6 +140,9 @@ static void cleanup_net(struct work_struct *work)
        struct pernet_operations *ops;
        struct net *net;
+        /* Be very certain incoming network packets will not find us */
+        rcu_barrier();
        net = container_of(work, struct net, work);
        mutex_lock(&net_mutex);
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 4e5c8615832c..17eb48b8e329 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
        if (hdr->version != 6)
                goto err;
+        /*
+         * RFC4291 2.5.3
+         * A packet received on an interface with a destination address
+         * of loopback must be dropped.
+         */
+        if (!(dev->flags & IFF_LOOPBACK) &&
+            ipv6_addr_loopback(&hdr->daddr))
+                goto err;
        skb->transport_header = skb->network_header + sizeof(*hdr);
        IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index c042ce19bd14..86e28a75267f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -345,18 +345,21 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
        case IPV6_DSTOPTS:
        {
                struct ipv6_txoptions *opt;
+                /* remove any sticky options header with a zero option
+                 * length, per RFC3542.
+                 */
                if (optlen == 0)
                        optval = NULL;
+                else if (optlen < sizeof(struct ipv6_opt_hdr) ||
+                         optlen & 0x7 || optlen > 8 * 255)
+                        goto e_inval;
                /* hop-by-hop / destination options are privileged option */
                retv = -EPERM;
                if (optname != IPV6_RTHDR && !capable(CAP_NET_RAW))
                        break;
-                if (optlen < sizeof(struct ipv6_opt_hdr) ||
-                    optlen & 0x7 || optlen > 8 * 255)
-                        goto e_inval;
                opt = ipv6_renew_options(sk, np->opt, optname,
                                         (struct ipv6_opt_hdr __user *)optval,
                                         optlen);
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 28d8bd53bd3a..c80d5899f279 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1132,7 +1132,7 @@ static int ieee80211_tx(struct net_device *dev, struct sk_buff *skb,
        ieee80211_tx_handler *handler;
        struct ieee80211_tx_data tx;
        ieee80211_tx_result res = TX_DROP, res_prepare;
-        int ret, i;
+        int ret, i, retries = 0;
        WARN_ON(__ieee80211_queue_pending(local, control->queue));
@@ -1216,6 +1216,13 @@ retry:
                if (!__ieee80211_queue_stopped(local, control->queue)) {
                        clear_bit(IEEE80211_LINK_STATE_PENDING,
                                  &local->state[control->queue]);
+                        retries++;
+                        /*
+                         * Driver bug, it's rejecting packets but
+                         * not stopping queues.
+                         */
+                        if (WARN_ON_ONCE(retries > 5))
+                                goto drop;
                        goto retry;
                }
                memcpy(&store->control, control,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e7e3baf7009e..0dbcde6758ea 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
        if (copy_from_user(&getaddrs, optval, len))
                return -EFAULT;
-        if (getaddrs.addr_num <= 0) return -EINVAL;
+        if (getaddrs.addr_num <= 0 ||
+            getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+                return -EINVAL;
        /*
         *  For UDP-style sockets, id specifies the association to query.
         *  If the id field is set to the value '0' then the locally bound
author	Linus Torvalds <torvalds@linux-foundation.org>	2008-06-21 11:44:08 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2008-06-21 11:44:08 -0400
commit	a19214430d27a3af6f1672ec26f3c893ef899ede (patch)
tree	ecd998eaf216f6e195c65cb050f4335db86b26f6
parent	b732d9680b7a2968823851f1163507ad9c45c8cb (diff)
parent	b9f75f45a6b46a0ab4eb0857d437a0845871f314 (diff)