Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: "Some more fixes trickled in over the past few days: 1) PIM device names can overflow the IFNAMSIZ buffer unless we properly limit the allowed indexes, fix from Eric Dumazet. 2) Under heavy load we can OOPS in icmp reply processing due to an unchecked inet_putpeer() call. Fix from Neal Cardwell. 3) SCTP round trip calculations need to use 64-bit math to avoid overflows, fix from Schoch Christian. 4) Fix a memory leak and an error return flub in SCTP and IRDA triggerable by userspace. Fix from Tommi Rantala and found by the syscall fuzzer (trinity). 5) MLX4 driver gives bogus size to memcpy() call, fix from Amir Vadai. 6) Fix length calculation in VHOST descriptor translation, from Michael S Tsirkin. 7) Ambassador ATM driver loops forever while loading firmware, fix from Dan Carpenter. 8) Over MTU packets in openvswitch warn about wrong device, fix from Jesse Gross. 9) Netfilter IPSET's netlink code can overrun a string buffer because it's not properly limited to IFNAMSIZ. Fix from Florian Westphal. 10) PCAN USB driver sets wrong timestamp in SKB, from Oliver Hartkopp. 11) Make sure the RX ifindex always has a valid value in the CAN BCM driver, even if we haven't received a frame yet. Fix also from Oliver Hartkopp." * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: team: fix hw_features setup atm: forever loop loading ambassador firmware vhost: fix length for cross region descriptor irda: irttp: fix memory leak in irttp_open_tsap() error path net: qmi_wwan: add Huawei E173 net/mlx4_en: Can set maxrate only for TC0 sctp: Error in calculation of RTTvar sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails net: ipmr: limit MRT_TABLE identifiers ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow() can: bcm: initialize ifindex for timeouts without previous frame reception can: peak_usb: fix hwtstamp assignment netfilter: ipset: fix netiface set name overflow openvswitch: Store flow key len if ARP opcode is not request or reply. openvswitch: Print device when warning about over MTU packets.
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-11-29 00:54:07 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-11-29 00:54:07 -0500
commit: e9296e89b85604862bd9ec2d54dc43edad775c0d (patch)
tree: 5379a58a740674e1f740008e36cb1c4fbe2011b9 /net
parent: 4b05a1c74d1cfae37cf6ff293ee928350f031418 (diff)
parent: a45085f6a7801f95cd5682290195224e268627fd (diff)
10 files changed, 34 insertions, 21 deletions
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6f747582718e..969b7cdff59d 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
                op->sk = sk;
                op->ifindex = ifindex;
+                /* ifindex for timeout events w/o previous frame reception */
+                op->rx_ifindex = ifindex;
                /* initialize uninitialized (kzalloc) structure */
                hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
                op->timer.function = bcm_rx_timeout_handler;
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f2eccd531746..17ff9fd7cdda 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
                struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
                rc = inet_peer_xrlim_allow(peer,
                                           net->ipv4.sysctl_icmp_ratelimit);
-                inet_putpeer(peer);
+                if (peer)
+                        inet_putpeer(peer);
        }
 out:
        return rc;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 6168c4dc58b1..3eab2b2ffd34 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
                if (get_user(v, (u32 __user *)optval))
                        return -EFAULT;
+                /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
+                if (v != RT_TABLE_DEFAULT && v >= 1000000000)
+                        return -EINVAL;
                rtnl_lock();
                ret = 0;
                if (sk == rtnl_dereference(mrt->mroute_sk)) {
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index 1002e3396f72..ae43c62f9045 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
        lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
        if (lsap == NULL) {
                IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__);
+                __irttp_close_tsap(self);
                return NULL;
        }
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index b9a63381e349..45a101439bc5 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -793,7 +793,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
                [IPSET_ATTR_IFACE]      = { .type = NLA_NUL_STRING,
-                                            .len = IPSET_MAXNAMELEN - 1 },
+                                            .len  = IFNAMSIZ - 1 },
                [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 98c70630ad06..733cbf49ed1f 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -702,15 +702,11 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key,
                        /* We only match on the lower 8 bits of the opcode. */
                        if (ntohs(arp->ar_op) <= 0xff)
                                key->ip.proto = ntohs(arp->ar_op);
+                        memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
-                        if (key->ip.proto == ARPOP_REQUEST
+                        memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
-                                        || key->ip.proto == ARPOP_REPLY) {
+                        memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
-                                memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
+                        memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
-                                memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
+                        key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
-                                memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
-                                memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
-                                key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
-                        }
                }
        } else if (key->eth.type == htons(ETH_P_IPV6)) {
                int nh_len;             /* IPv6 Header + Extensions */
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 3c1e58ba714b..a9033481fa5e 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -158,7 +158,7 @@ static int netdev_send(struct vport *vport, struct sk_buff *skb)
        if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) {
                net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n",
-                                     ovs_dp_name(vport->dp),
+                                     netdev_vport->dev->name,
                                     packet_length(skb), mtu);
                goto error;
        }
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 7c2df9c33df3..69ce21e3716f 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
        msg = sctp_datamsg_new(GFP_KERNEL);
        if (!msg)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
        /* Note: Calculate this outside of the loop, so that all fragments
         * have the same expiration.
@@ -280,11 +280,14 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
                chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
-                if (!chunk)
+                if (!chunk) {
+                        err = -ENOMEM;
                        goto errout;
+                }
                err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
                if (err < 0)
-                        goto errout;
+                        goto errout_chunk_free;
                offset += len;
@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
                chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
-                if (!chunk)
+                if (!chunk) {
+                        err = -ENOMEM;
                        goto errout;
+                }
                err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
@@ -324,7 +329,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
                __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
                           - (__u8 *)chunk->skb->data);
                if (err < 0)
-                        goto errout;
+                        goto errout_chunk_free;
                sctp_datamsg_assign(msg, chunk);
                list_add_tail(&chunk->frag_list, &msg->chunks);
@@ -332,6 +337,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
        return msg;
+errout_chunk_free:
+        sctp_chunk_free(chunk);
 errout:
        list_for_each_safe(pos, temp, &msg->chunks) {
                list_del_init(pos);
@@ -339,7 +347,7 @@ errout:
                sctp_chunk_free(chunk);
        }
        sctp_datamsg_put(msg);
-        return NULL;
+        return ERR_PTR(err);
 }
 /* Check whether this message has expired. */
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index a60d1f8b41c5..406d957d08fb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
        /* Break the message into multiple chunks of maximum size. */
        datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
-        if (!datamsg) {
+        if (IS_ERR(datamsg)) {
-                err = -ENOMEM;
+                err = PTR_ERR(datamsg);
                goto out_free;
        }
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 953c21e4af97..206cf5238fd3 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -331,7 +331,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
                 * 1/8, rto_alpha would be expressed as 3.
                 */
                tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta)
-                        + ((abs(tp->srtt - rtt)) >> net->sctp.rto_beta);
+                        + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> net->sctp.rto_beta);
                tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha)
                        + (rtt >> net->sctp.rto_alpha);
        } else {
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-11-29 00:54:07 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-11-29 00:54:07 -0500
commit	e9296e89b85604862bd9ec2d54dc43edad775c0d (patch)
tree	5379a58a740674e1f740008e36cb1c4fbe2011b9 /net
parent	4b05a1c74d1cfae37cf6ff293ee928350f031418 (diff)
parent	a45085f6a7801f95cd5682290195224e268627fd (diff)

diff --git a/net/can/bcm.c b/net/can/bcm.c index 6f747582718e..969b7cdff59d 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c
@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head msg_head, struct msghdr msg,
1084	op->sk = sk;	1084	op->sk = sk;
1085	op->ifindex = ifindex;	1085	op->ifindex = ifindex;
1086		1086
		1087	/* ifindex for timeout events w/o previous frame reception */
		1088	op->rx_ifindex = ifindex;
		1089
1087	/* initialize uninitialized (kzalloc) structure */	1090	/* initialize uninitialized (kzalloc) structure */
1088	hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);	1091	hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
1089	op->timer.function = bcm_rx_timeout_handler;	1092	op->timer.function = bcm_rx_timeout_handler;


diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index f2eccd531746..17ff9fd7cdda 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c
@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net net, struct rtable rt,
257	struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);	257	struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
258	rc = inet_peer_xrlim_allow(peer,	258	rc = inet_peer_xrlim_allow(peer,
259	net->ipv4.sysctl_icmp_ratelimit);	259	net->ipv4.sysctl_icmp_ratelimit);
260	inet_putpeer(peer);	260	if (peer)
		261	inet_putpeer(peer);
261	}	262	}
262	out:	263	out:
263	return rc;	264	return rc;


diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 6168c4dc58b1..3eab2b2ffd34 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c
@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock sk, int optname, char __user optval, unsi
1318	if (get_user(v, (u32 __user *)optval))	1318	if (get_user(v, (u32 __user *)optval))
1319	return -EFAULT;	1319	return -EFAULT;
1320		1320
		1321	/* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
		1322	if (v != RT_TABLE_DEFAULT && v >= 1000000000)
		1323	return -EINVAL;
		1324
1321	rtnl_lock();	1325	rtnl_lock();
1322	ret = 0;	1326	ret = 0;
1323	if (sk == rtnl_dereference(mrt->mroute_sk)) {	1327	if (sk == rtnl_dereference(mrt->mroute_sk)) {


diff --git a/net/irda/irttp.c b/net/irda/irttp.c index 1002e3396f72..ae43c62f9045 100644 --- a/net/irda/irttp.c +++ b/net/irda/irttp.c
@@ -441,6 +441,7 @@ struct tsap_cb irttp_open_tsap(__u8 stsap_sel, int credit, notify_t notify)
441	lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);	441	lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
442	if (lsap == NULL) {	442	if (lsap == NULL) {
443	IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__);	443	IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__);
		444	__irttp_close_tsap(self);
444	return NULL;	445	return NULL;
445	}	446	}
446		447


diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c index b9a63381e349..45a101439bc5 100644 --- a/net/netfilter/ipset/ip_set_hash_netiface.c +++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -793,7 +793,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
793	[IPSET_ATTR_IP] = { .type = NLA_NESTED },	793	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
794	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },	794	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
795	[IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,	795	[IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
796	.len = IPSET_MAXNAMELEN - 1 },	796	.len = IFNAMSIZ - 1 },
797	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },	797	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
798	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },	798	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
799	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },	799	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },


diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c index 98c70630ad06..733cbf49ed1f 100644 --- a/net/openvswitch/flow.c +++ b/net/openvswitch/flow.c
@@ -702,15 +702,11 @@ int ovs_flow_extract(struct sk_buff skb, u16 in_port, struct sw_flow_key key,
702	/* We only match on the lower 8 bits of the opcode. */	702	/* We only match on the lower 8 bits of the opcode. */
703	if (ntohs(arp->ar_op) <= 0xff)	703	if (ntohs(arp->ar_op) <= 0xff)
704	key->ip.proto = ntohs(arp->ar_op);	704	key->ip.proto = ntohs(arp->ar_op);
705		705	memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
706	if (key->ip.proto == ARPOP_REQUEST	706	memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
707	\|\| key->ip.proto == ARPOP_REPLY) {	707	memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
708	memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));	708	memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
709	memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));	709	key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
710	memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
711	memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
712	key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
713	}
714	}	710	}
715	} else if (key->eth.type == htons(ETH_P_IPV6)) {	711	} else if (key->eth.type == htons(ETH_P_IPV6)) {
716	int nh_len; /* IPv6 Header + Extensions */	712	int nh_len; /* IPv6 Header + Extensions */


diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c index 3c1e58ba714b..a9033481fa5e 100644 --- a/net/openvswitch/vport-netdev.c +++ b/net/openvswitch/vport-netdev.c
@@ -158,7 +158,7 @@ static int netdev_send(struct vport vport, struct sk_buff skb)
158		158
159	if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) {	159	if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) {
160	net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n",	160	net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n",
161	ovs_dp_name(vport->dp),	161	netdev_vport->dev->name,
162	packet_length(skb), mtu);	162	packet_length(skb), mtu);
163	goto error;	163	goto error;
164	}	164	}


diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c index 7c2df9c33df3..69ce21e3716f 100644 --- a/net/sctp/chunk.c +++ b/net/sctp/chunk.c
@@ -183,7 +183,7 @@ struct sctp_datamsg sctp_datamsg_from_user(struct sctp_association asoc,
183		183
184	msg = sctp_datamsg_new(GFP_KERNEL);	184	msg = sctp_datamsg_new(GFP_KERNEL);
185	if (!msg)	185	if (!msg)
186	return NULL;	186	return ERR_PTR(-ENOMEM);
187		187
188	/* Note: Calculate this outside of the loop, so that all fragments	188	/* Note: Calculate this outside of the loop, so that all fragments
189	* have the same expiration.	189	* have the same expiration.
@@ -280,11 +280,14 @@ struct sctp_datamsg sctp_datamsg_from_user(struct sctp_association asoc,
280		280
281	chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);	281	chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
282		282
283	if (!chunk)	283	if (!chunk) {
		284	err = -ENOMEM;
284	goto errout;	285	goto errout;
		286	}
		287
285	err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);	288	err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
286	if (err < 0)	289	if (err < 0)
287	goto errout;	290	goto errout_chunk_free;
288		291
289	offset += len;	292	offset += len;
290		293
@@ -315,8 +318,10 @@ struct sctp_datamsg sctp_datamsg_from_user(struct sctp_association asoc,
315		318
316	chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);	319	chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
317		320
318	if (!chunk)	321	if (!chunk) {
		322	err = -ENOMEM;
319	goto errout;	323	goto errout;
		324	}
320		325
321	err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);	326	err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
322		327
@@ -324,7 +329,7 @@ struct sctp_datamsg sctp_datamsg_from_user(struct sctp_association asoc,
324	__skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr	329	__skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
325	- (__u8 *)chunk->skb->data);	330	- (__u8 *)chunk->skb->data);
326	if (err < 0)	331	if (err < 0)
327	goto errout;	332	goto errout_chunk_free;
328		333
329	sctp_datamsg_assign(msg, chunk);	334	sctp_datamsg_assign(msg, chunk);
330	list_add_tail(&chunk->frag_list, &msg->chunks);	335	list_add_tail(&chunk->frag_list, &msg->chunks);
@@ -332,6 +337,9 @@ struct sctp_datamsg sctp_datamsg_from_user(struct sctp_association asoc,
332		337
333	return msg;	338	return msg;
334		339
		340	errout_chunk_free:
		341	sctp_chunk_free(chunk);
		342
335	errout:	343	errout:
336	list_for_each_safe(pos, temp, &msg->chunks) {	344	list_for_each_safe(pos, temp, &msg->chunks) {
337	list_del_init(pos);	345	list_del_init(pos);
@@ -339,7 +347,7 @@ errout:
339	sctp_chunk_free(chunk);	347	sctp_chunk_free(chunk);
340	}	348	}
341	sctp_datamsg_put(msg);	349	sctp_datamsg_put(msg);
342	return NULL;	350	return ERR_PTR(err);
343	}	351	}
344		352
345	/* Check whether this message has expired. */	353	/* Check whether this message has expired. */


diff --git a/net/sctp/socket.c b/net/sctp/socket.c index a60d1f8b41c5..406d957d08fb 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c
@@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb iocb, struct sock sk,
1915		1915
1916	/* Break the message into multiple chunks of maximum size. */	1916	/* Break the message into multiple chunks of maximum size. */
1917	datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);	1917	datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
1918	if (!datamsg) {	1918	if (IS_ERR(datamsg)) {
1919	err = -ENOMEM;	1919	err = PTR_ERR(datamsg);
1920	goto out_free;	1920	goto out_free;
1921	}	1921	}
1922		1922


diff --git a/net/sctp/transport.c b/net/sctp/transport.c index 953c21e4af97..206cf5238fd3 100644 --- a/net/sctp/transport.c +++ b/net/sctp/transport.c
@@ -331,7 +331,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
331	* 1/8, rto_alpha would be expressed as 3.	331	* 1/8, rto_alpha would be expressed as 3.
332	*/	332	*/
333	tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta)	333	tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta)
334	+ ((abs(tp->srtt - rtt)) >> net->sctp.rto_beta);	334	+ (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> net->sctp.rto_beta);
335	tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha)	335	tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha)
336	+ (rtt >> net->sctp.rto_alpha);	336	+ (rtt >> net->sctp.rto_alpha);
337	} else {	337	} else {