Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits) af_unix: limit recursion level pch_gbe driver: The wrong of initializer entry pch_gbe dreiver: chang author ucc_geth: fix ucc halt problem in half duplex mode inet: Fix __inet_inherit_port() to correctly increment bsockets and num_owners ehea: Add some info messages and fix an issue hso: fix disable_net NET: wan/x25_asy, move lapb_unregister to x25_asy_close_tty cxgb4vf: fix setting unicast/multicast addresses ... net, ppp: Report correct error code if unit allocation failed DECnet: don't leak uninitialized stack byte au1000_eth: fix invalid address accessing the MAC enable register dccp: fix error in updating the GAR tcp: restrict net.ipv4.tcp_adv_win_scale (#20312) netns: Don't leak others' openreq-s in proc Net: ceph: Makefile: Remove unnessary code vhost/net: fix rcu check usage econet: fix CVE-2010-3848 econet: fix CVE-2010-3850 econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2010-11-29 17:36:33 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2010-11-29 17:36:33 -0500
commit: a01af8e4a4ee1135598f157051959982418c38f8 (patch)
tree: 76c78a7cbd02204afbe7404880dfbf312ebd51a5 /net
parent: a9735c81a43054a7e8cb8771c8e04c01fcacde10 (diff)
parent: 25888e30319f8896fc656fc68643e6a078263060 (diff)
10 files changed, 96 insertions, 83 deletions
diff --git a/net/ceph/Makefile b/net/ceph/Makefile
index aab1cabb8035..5f19415ec9c0 100644
--- a/net/ceph/Makefile
+++ b/net/ceph/Makefile
@@ -1,9 +1,6 @@
 #
 # Makefile for CEPH filesystem.
 #
-ifneq ($(KERNELRELEASE),)
 obj-$(CONFIG_CEPH_LIB) += libceph.o
 libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
@@ -16,22 +13,3 @@ libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
        ceph_fs.o ceph_strings.o ceph_hash.o \
        pagevec.o
-else
-#Otherwise we were called directly from the command
-# line; invoke the kernel build system.
-KERNELDIR ?= /lib/modules/$(shell uname -r)/build
-PWD := $(shell pwd)
-default: all
-all:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules
-modules_install:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules_install
-clean:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) clean
-endif
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 265985370fa1..e424a09e83f6 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -239,7 +239,8 @@ static int dccp_check_seqno(struct sock *sk, struct sk_buff *skb)
                dccp_update_gsr(sk, seqno);
                if (dh->dccph_type != DCCP_PKT_SYNC &&
-                    (ackno != DCCP_PKT_WITHOUT_ACK_SEQ))
+                    ackno != DCCP_PKT_WITHOUT_ACK_SEQ &&
+                    after48(ackno, dp->dccps_gar))
                        dp->dccps_gar = ackno;
        } else {
                unsigned long now = jiffies;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index a76b78de679f..6f97268ed85f 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                        if (r_len > sizeof(struct linkinfo_dn))
                                r_len = sizeof(struct linkinfo_dn);
+                        memset(&link, 0, sizeof(link));
                        switch(sock->state) {
                                case SS_CONNECTING:
                                        link.idn_linkstate = LL_CONNECTING;
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f8c1ae4b41f0..13992e1d2726 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
        struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
        struct aunhdr ah;
        struct sockaddr_in udpdest;
        __kernel_size_t size;
-        int i;
        mm_segment_t oldfs;
+        char *userbuf;
 #endif
        /*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        mutex_lock(&econet_mutex);
-        if (saddr == NULL) {
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                struct econet_sock *eo = ec_sk(sk);
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
-                addr.station = eo->station;
+        }
-                addr.net     = eo->net;
+        addr.station = saddr->addr.station;
-                port         = eo->port;
+        addr.net = saddr->addr.net;
-                cb           = eo->cb;
+        port = saddr->port;
-        } else {
+        cb = saddr->cb;
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
        /* Look for a device with the right network number. */
        dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                }
        }
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
        if (dev->type == ARPHRD_ECONET) {
                /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                unsigned short proto = 0;
                int res;
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
                dev_hold(dev);
                skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                eb = (struct ec_cb *)&skb->cb;
-                /* BUG: saddr may be NULL */
                eb->cookie = saddr->cookie;
                eb->sec = *saddr;
                eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                return -ENETDOWN;               /* No socket - can't send */
        }
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
        /* Make up a UDP datagram and hand it off to some higher intellect. */
        memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
        iov[0].iov_base = (void *)&ah;
        iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
+        userbuf = vmalloc(len);
-                size_t iov_len = msg->msg_iov[i].iov_len;
+        if (userbuf == NULL) {
-                /* Check it now since we switch to KERNEL_DS later. */
+                err = -ENOMEM;
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
+                goto error;
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
        }
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
        /* Get a skbuff (no data, just holds our cb information) */
        if ((skb = sock_alloc_send_skb(sk, 0,
                                       msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
+                                       &err)) == NULL)
-                mutex_unlock(&econet_mutex);
+                goto error_free_buf;
-                return err;
-        }
        eb = (struct ec_cb *)&skb->cb;
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        udpmsg.msg_name = (void *)&udpdest;
        udpmsg.msg_namelen = sizeof(udpdest);
        udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
        udpmsg.msg_control = NULL;
        udpmsg.msg_controllen = 0;
        udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
        err = sock_sendmsg(udpsock, &udpmsg, size);
        set_fs(oldfs);
+error_free_buf:
+        vfree(userbuf);
 #else
        err = -EPROTOTYPE;
 #endif
+        error:
        mutex_unlock(&econet_mutex);
        return err;
@@ -671,6 +661,9 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
        err = 0;
        switch (cmd) {
        case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN))
+                        return -EPERM;
                edev = dev->ec_ptr;
                if (edev == NULL) {
                        /* Magic up a new one. */
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 1b344f30b463..3c0369a3a663 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -133,8 +133,7 @@ int __inet_inherit_port(struct sock *sk, struct sock *child)
                        }
                }
        }
-        sk_add_bind_node(child, &tb->owners);
+        inet_bind_hash(child, tb, port);
-        inet_csk(child)->icsk_bind_hash = tb;
        spin_unlock(&head->lock);
        return 0;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index e91911d7aae2..1b4ec21497a4 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -26,6 +26,8 @@ static int zero;
 static int tcp_retr1_max = 255;
 static int ip_local_port_range_min[] = { 1, 1 };
 static int ip_local_port_range_max[] = { 65535, 65535 };
+static int tcp_adv_win_scale_min = -31;
+static int tcp_adv_win_scale_max = 31;
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
@@ -426,7 +428,9 @@ static struct ctl_table ipv4_table[] = {
                .data           = &sysctl_tcp_adv_win_scale,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = proc_dointvec
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &tcp_adv_win_scale_min,
+                .extra2         = &tcp_adv_win_scale_max,
        },
        {
                .procname       = "tcp_tw_reuse",
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 081419969485..f15c36a706ec 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
                /* Values greater than interface MTU won't take effect. However
                 * at the point when this call is done we typically don't yet
                 * know which interface is going to be used */
-                if (val < 64 || val > MAX_TCP_WINDOW) {
+                if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
                        err = -EINVAL;
                        break;
                }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 69ccbc1dde9c..e13da6de1fc7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2043,7 +2043,9 @@ get_req:
        }
 get_sk:
        sk_nulls_for_each_from(sk, node) {
-                if (sk->sk_family == st->family && net_eq(sock_net(sk), net)) {
+                if (!net_eq(sock_net(sk), net))
+                        continue;
+                if (sk->sk_family == st->family) {
                        cur = sk;
                        goto out;
                }
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3c95304a0817..2268e6798124 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1343,9 +1343,25 @@ static void unix_destruct_scm(struct sk_buff *skb)
        sock_wfree(skb);
 }
+#define MAX_RECURSION_LEVEL 4
 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 {
        int i;
+        unsigned char max_level = 0;
+        int unix_sock_count = 0;
+        for (i = scm->fp->count - 1; i >= 0; i--) {
+                struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+                if (sk) {
+                        unix_sock_count++;
+                        max_level = max(max_level,
+                                        unix_sk(sk)->recursion_level);
+                }
+        }
+        if (unlikely(max_level > MAX_RECURSION_LEVEL))
+                return -ETOOMANYREFS;
        /*
         * Need to duplicate file references for the sake of garbage
@@ -1356,9 +1372,11 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        if (!UNIXCB(skb).fp)
                return -ENOMEM;
-        for (i = scm->fp->count-1; i >= 0; i--)
+        if (unix_sock_count) {
-                unix_inflight(scm->fp->fp[i]);
+                for (i = scm->fp->count - 1; i >= 0; i--)
-        return 0;
+                        unix_inflight(scm->fp->fp[i]);
+        }
+        return max_level;
 }
 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
@@ -1393,6 +1411,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        struct sk_buff *skb;
        long timeo;
        struct scm_cookie tmp_scm;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1431,8 +1450,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
                goto out;
        err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (err)
+        if (err < 0)
                goto out_free;
+        max_level = err + 1;
        unix_get_secdata(siocb->scm, skb);
        skb_reset_transport_header(skb);
@@ -1514,6 +1534,8 @@ restart:
        if (sock_flag(other, SOCK_RCVTSTAMP))
                __net_timestamp(skb);
        skb_queue_tail(&other->sk_receive_queue, skb);
+        if (max_level > unix_sk(other)->recursion_level)
+                unix_sk(other)->recursion_level = max_level;
        unix_state_unlock(other);
        other->sk_data_ready(other, len);
        sock_put(other);
@@ -1544,6 +1566,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
        int sent = 0;
        struct scm_cookie tmp_scm;
        bool fds_sent = false;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1607,10 +1630,11 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                /* Only send the fds in the first buffer */
                err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                if (err) {
+                if (err < 0) {
                        kfree_skb(skb);
                        goto out_err;
                }
+                max_level = err + 1;
                fds_sent = true;
                err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -1626,6 +1650,8 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                        goto pipe_err_free;
                skb_queue_tail(&other->sk_receive_queue, skb);
+                if (max_level > unix_sk(other)->recursion_level)
+                        unix_sk(other)->recursion_level = max_level;
                unix_state_unlock(other);
                other->sk_data_ready(other, size);
                sent += size;
@@ -1845,6 +1871,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                unix_state_lock(sk);
                skb = skb_dequeue(&sk->sk_receive_queue);
                if (skb == NULL) {
+                        unix_sk(sk)->recursion_level = 0;
                        if (copied >= target)
                                goto unlock;
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index c8df6fda0b1f..f89f83bf828e 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -96,7 +96,7 @@ static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
 unsigned int unix_tot_inflight;
-static struct sock *unix_get_socket(struct file *filp)
+struct sock *unix_get_socket(struct file *filp)
 {
        struct sock *u_sock = NULL;
        struct inode *inode = filp->f_path.dentry->d_inode;
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 }
 static bool gc_in_progress = false;
+#define UNIX_INFLIGHT_TRIGGER_GC 16000
 void wait_for_unix_gc(void)
 {
+        /*
+         * If number of inflight sockets is insane,
+         * force a garbage collect right now.
+         */
+        if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
+                unix_gc();
        wait_event(unix_gc_wait, gc_in_progress == false);
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2010-11-29 17:36:33 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2010-11-29 17:36:33 -0500
commit	a01af8e4a4ee1135598f157051959982418c38f8 (patch)
tree	76c78a7cbd02204afbe7404880dfbf312ebd51a5 /net
parent	a9735c81a43054a7e8cb8771c8e04c01fcacde10 (diff)
parent	25888e30319f8896fc656fc68643e6a078263060 (diff)

diff --git a/net/ceph/Makefile b/net/ceph/Makefile index aab1cabb8035..5f19415ec9c0 100644 --- a/net/ceph/Makefile +++ b/net/ceph/Makefile
@@ -1,9 +1,6 @@
1	#	1	#
2	# Makefile for CEPH filesystem.	2	# Makefile for CEPH filesystem.
3	#	3	#
4
5	ifneq ($(KERNELRELEASE),)
6
7	obj-$(CONFIG_CEPH_LIB) += libceph.o	4	obj-$(CONFIG_CEPH_LIB) += libceph.o
8		5
9	libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \	6	libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
@@ -16,22 +13,3 @@ libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
16	ceph_fs.o ceph_strings.o ceph_hash.o \	13	ceph_fs.o ceph_strings.o ceph_hash.o \
17	pagevec.o	14	pagevec.o
18		15
19	else
20	#Otherwise we were called directly from the command
21	# line; invoke the kernel build system.
22
23	KERNELDIR ?= /lib/modules/$(shell uname -r)/build
24	PWD := $(shell pwd)
25
26	default: all
27
28	all:
29	$(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules
30
31	modules_install:
32	$(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules_install
33
34	clean:
35	$(MAKE) -C $(KERNELDIR) M=$(PWD) clean
36
37	endif


diff --git a/net/dccp/input.c b/net/dccp/input.c index 265985370fa1..e424a09e83f6 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c
@@ -239,7 +239,8 @@ static int dccp_check_seqno(struct sock sk, struct sk_buff skb)
239	dccp_update_gsr(sk, seqno);	239	dccp_update_gsr(sk, seqno);
240		240
241	if (dh->dccph_type != DCCP_PKT_SYNC &&	241	if (dh->dccph_type != DCCP_PKT_SYNC &&
242	(ackno != DCCP_PKT_WITHOUT_ACK_SEQ))	242	ackno != DCCP_PKT_WITHOUT_ACK_SEQ &&
		243	after48(ackno, dp->dccps_gar))
243	dp->dccps_gar = ackno;	244	dp->dccps_gar = ackno;
244	} else {	245	} else {
245	unsigned long now = jiffies;	246	unsigned long now = jiffies;


diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index a76b78de679f..6f97268ed85f 100644 --- a/net/decnet/af_decnet.c +++ b/net/decnet/af_decnet.c
@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
1556	if (r_len > sizeof(struct linkinfo_dn))	1556	if (r_len > sizeof(struct linkinfo_dn))
1557	r_len = sizeof(struct linkinfo_dn);	1557	r_len = sizeof(struct linkinfo_dn);
1558		1558
		1559	memset(&link, 0, sizeof(link));
		1560
1559	switch(sock->state) {	1561	switch(sock->state) {
1560	case SS_CONNECTING:	1562	case SS_CONNECTING:
1561	link.idn_linkstate = LL_CONNECTING;	1563	link.idn_linkstate = LL_CONNECTING;


diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c index f8c1ae4b41f0..13992e1d2726 100644 --- a/net/econet/af_econet.c +++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
31	#include <linux/skbuff.h>	31	#include <linux/skbuff.h>
32	#include <linux/udp.h>	32	#include <linux/udp.h>
33	#include <linux/slab.h>	33	#include <linux/slab.h>
		34	#include <linux/vmalloc.h>
34	#include <net/sock.h>	35	#include <net/sock.h>
35	#include <net/inet_common.h>	36	#include <net/inet_common.h>
36	#include <linux/stat.h>	37	#include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
276	#endif	277	#endif
277	#ifdef CONFIG_ECONET_AUNUDP	278	#ifdef CONFIG_ECONET_AUNUDP
278	struct msghdr udpmsg;	279	struct msghdr udpmsg;
279	struct iovec iov[msg->msg_iovlen+1];	280	struct iovec iov[2];
280	struct aunhdr ah;	281	struct aunhdr ah;
281	struct sockaddr_in udpdest;	282	struct sockaddr_in udpdest;
282	__kernel_size_t size;	283	__kernel_size_t size;
283	int i;
284	mm_segment_t oldfs;	284	mm_segment_t oldfs;
		285	char *userbuf;
285	#endif	286	#endif
286		287
287	/*	288	/*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
297		298
298	mutex_lock(&econet_mutex);	299	mutex_lock(&econet_mutex);
299		300
300	if (saddr == NULL) {	301	if (saddr == NULL \|\| msg->msg_namelen < sizeof(struct sockaddr_ec)) {
301	struct econet_sock *eo = ec_sk(sk);	302	mutex_unlock(&econet_mutex);
302		303	return -EINVAL;
303	addr.station = eo->station;	304	}
304	addr.net = eo->net;	305	addr.station = saddr->addr.station;
305	port = eo->port;	306	addr.net = saddr->addr.net;
306	cb = eo->cb;	307	port = saddr->port;
307	} else {	308	cb = saddr->cb;
308	if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
309	mutex_unlock(&econet_mutex);
310	return -EINVAL;
311	}
312	addr.station = saddr->addr.station;
313	addr.net = saddr->addr.net;
314	port = saddr->port;
315	cb = saddr->cb;
316	}
317		309
318	/* Look for a device with the right network number. */	310	/* Look for a device with the right network number. */
319	dev = net2dev_map[addr.net];	311	dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
328	}	320	}
329	}	321	}
330		322
331	if (len + 15 > dev->mtu) {
332	mutex_unlock(&econet_mutex);
333	return -EMSGSIZE;
334	}
335
336	if (dev->type == ARPHRD_ECONET) {	323	if (dev->type == ARPHRD_ECONET) {
337	/* Real hardware Econet. We're not worthy etc. */	324	/* Real hardware Econet. We're not worthy etc. */
338	#ifdef CONFIG_ECONET_NATIVE	325	#ifdef CONFIG_ECONET_NATIVE
339	unsigned short proto = 0;	326	unsigned short proto = 0;
340	int res;	327	int res;
341		328
		329	if (len + 15 > dev->mtu) {
		330	mutex_unlock(&econet_mutex);
		331	return -EMSGSIZE;
		332	}
		333
342	dev_hold(dev);	334	dev_hold(dev);
343		335
344	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),	336	skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
351		343
352	eb = (struct ec_cb *)&skb->cb;	344	eb = (struct ec_cb *)&skb->cb;
353		345
354	/* BUG: saddr may be NULL */
355	eb->cookie = saddr->cookie;	346	eb->cookie = saddr->cookie;
356	eb->sec = *saddr;	347	eb->sec = *saddr;
357	eb->sent = ec_tx_done;	348	eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
415	return -ENETDOWN; /* No socket - can't send */	406	return -ENETDOWN; /* No socket - can't send */
416	}	407	}
417		408
		409	if (len > 32768) {
		410	err = -E2BIG;
		411	goto error;
		412	}
		413
418	/* Make up a UDP datagram and hand it off to some higher intellect. */	414	/* Make up a UDP datagram and hand it off to some higher intellect. */
419		415
420	memset(&udpdest, 0, sizeof(udpdest));	416	memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
446		442
447	/* tack our header on the front of the iovec */	443	/* tack our header on the front of the iovec */
448	size = sizeof(struct aunhdr);	444	size = sizeof(struct aunhdr);
449	/*
450	* XXX: that is b0rken. We can't mix userland and kernel pointers
451	* in iovec, since on a lot of platforms copy_from_user() will
452	* not work with the kernel and userland ones at the same time,
453	* regardless of what we do with set_fs(). And we are talking about
454	* econet-over-ethernet here, so "it's only ARM anyway" doesn't
455	* apply. Any suggestions on fixing that code? -- AV
456	*/
457	iov[0].iov_base = (void *)&ah;	445	iov[0].iov_base = (void *)&ah;
458	iov[0].iov_len = size;	446	iov[0].iov_len = size;
459	for (i = 0; i < msg->msg_iovlen; i++) {	447
460	void __user *base = msg->msg_iov[i].iov_base;	448	userbuf = vmalloc(len);
461	size_t iov_len = msg->msg_iov[i].iov_len;	449	if (userbuf == NULL) {
462	/* Check it now since we switch to KERNEL_DS later. */	450	err = -ENOMEM;
463	if (!access_ok(VERIFY_READ, base, iov_len)) {	451	goto error;
464	mutex_unlock(&econet_mutex);
465	return -EFAULT;
466	}
467	iov[i+1].iov_base = base;
468	iov[i+1].iov_len = iov_len;
469	size += iov_len;
470	}	452	}
471		453
		454	iov[1].iov_base = userbuf;
		455	iov[1].iov_len = len;
		456	err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
		457	if (err)
		458	goto error_free_buf;
		459
472	/* Get a skbuff (no data, just holds our cb information) */	460	/* Get a skbuff (no data, just holds our cb information) */
473	if ((skb = sock_alloc_send_skb(sk, 0,	461	if ((skb = sock_alloc_send_skb(sk, 0,
474	msg->msg_flags & MSG_DONTWAIT,	462	msg->msg_flags & MSG_DONTWAIT,
475	&err)) == NULL) {	463	&err)) == NULL)
476	mutex_unlock(&econet_mutex);	464	goto error_free_buf;
477	return err;
478	}
479		465
480	eb = (struct ec_cb *)&skb->cb;	466	eb = (struct ec_cb *)&skb->cb;
481		467
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
491	udpmsg.msg_name = (void *)&udpdest;	477	udpmsg.msg_name = (void *)&udpdest;
492	udpmsg.msg_namelen = sizeof(udpdest);	478	udpmsg.msg_namelen = sizeof(udpdest);
493	udpmsg.msg_iov = &iov[0];	479	udpmsg.msg_iov = &iov[0];
494	udpmsg.msg_iovlen = msg->msg_iovlen + 1;	480	udpmsg.msg_iovlen = 2;
495	udpmsg.msg_control = NULL;	481	udpmsg.msg_control = NULL;
496	udpmsg.msg_controllen = 0;	482	udpmsg.msg_controllen = 0;
497	udpmsg.msg_flags=0;	483	udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb iocb, struct socket sock,
499	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */	485	oldfs = get_fs(); set_fs(KERNEL_DS); /* More privs :-) */
500	err = sock_sendmsg(udpsock, &udpmsg, size);	486	err = sock_sendmsg(udpsock, &udpmsg, size);
501	set_fs(oldfs);	487	set_fs(oldfs);
		488
		489	error_free_buf:
		490	vfree(userbuf);
502	#else	491	#else
503	err = -EPROTOTYPE;	492	err = -EPROTOTYPE;
504	#endif	493	#endif
		494	error:
505	mutex_unlock(&econet_mutex);	495	mutex_unlock(&econet_mutex);
506		496
507	return err;	497	return err;
@@ -671,6 +661,9 @@ static int ec_dev_ioctl(struct socket sock, unsigned int cmd, void __user arg)
671	err = 0;	661	err = 0;
672	switch (cmd) {	662	switch (cmd) {
673	case SIOCSIFADDR:	663	case SIOCSIFADDR:
		664	if (!capable(CAP_NET_ADMIN))
		665	return -EPERM;
		666
674	edev = dev->ec_ptr;	667	edev = dev->ec_ptr;
675	if (edev == NULL) {	668	if (edev == NULL) {
676	/* Magic up a new one. */	669	/* Magic up a new one. */


diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 1b344f30b463..3c0369a3a663 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c
@@ -133,8 +133,7 @@ int __inet_inherit_port(struct sock sk, struct sock child)
133	}	133	}
134	}	134	}
135	}	135	}
136	sk_add_bind_node(child, &tb->owners);	136	inet_bind_hash(child, tb, port);
137	inet_csk(child)->icsk_bind_hash = tb;
138	spin_unlock(&head->lock);	137	spin_unlock(&head->lock);
139		138
140	return 0;	139	return 0;


diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index e91911d7aae2..1b4ec21497a4 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c
@@ -26,6 +26,8 @@ static int zero;
26	static int tcp_retr1_max = 255;	26	static int tcp_retr1_max = 255;
27	static int ip_local_port_range_min[] = { 1, 1 };	27	static int ip_local_port_range_min[] = { 1, 1 };
28	static int ip_local_port_range_max[] = { 65535, 65535 };	28	static int ip_local_port_range_max[] = { 65535, 65535 };
		29	static int tcp_adv_win_scale_min = -31;
		30	static int tcp_adv_win_scale_max = 31;
29		31
30	/* Update system visible IP port range */	32	/* Update system visible IP port range */
31	static void set_local_port_range(int range[2])	33	static void set_local_port_range(int range[2])
@@ -426,7 +428,9 @@ static struct ctl_table ipv4_table[] = {
426	.data = &sysctl_tcp_adv_win_scale,	428	.data = &sysctl_tcp_adv_win_scale,
427	.maxlen = sizeof(int),	429	.maxlen = sizeof(int),
428	.mode = 0644,	430	.mode = 0644,
429	.proc_handler = proc_dointvec	431	.proc_handler = proc_dointvec_minmax,
		432	.extra1 = &tcp_adv_win_scale_min,
		433	.extra2 = &tcp_adv_win_scale_max,
430	},	434	},
431	{	435	{
432	.procname = "tcp_tw_reuse",	436	.procname = "tcp_tw_reuse",


diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 081419969485..f15c36a706ec 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
2246	/* Values greater than interface MTU won't take effect. However	2246	/* Values greater than interface MTU won't take effect. However
2247	* at the point when this call is done we typically don't yet	2247	* at the point when this call is done we typically don't yet
2248	* know which interface is going to be used */	2248	* know which interface is going to be used */
2249	if (val < 64 \|\| val > MAX_TCP_WINDOW) {	2249	if (val < TCP_MIN_MSS \|\| val > MAX_TCP_WINDOW) {
2250	err = -EINVAL;	2250	err = -EINVAL;
2251	break;	2251	break;
2252	}	2252	}


diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 69ccbc1dde9c..e13da6de1fc7 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c
@@ -2043,7 +2043,9 @@ get_req:
2043	}	2043	}
2044	get_sk:	2044	get_sk:
2045	sk_nulls_for_each_from(sk, node) {	2045	sk_nulls_for_each_from(sk, node) {
2046	if (sk->sk_family == st->family && net_eq(sock_net(sk), net)) {	2046	if (!net_eq(sock_net(sk), net))
		2047	continue;
		2048	if (sk->sk_family == st->family) {
2047	cur = sk;	2049	cur = sk;
2048	goto out;	2050	goto out;
2049	}	2051	}


diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 3c95304a0817..2268e6798124 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -1343,9 +1343,25 @@ static void unix_destruct_scm(struct sk_buff *skb)
1343	sock_wfree(skb);	1343	sock_wfree(skb);
1344	}	1344	}
1345		1345
		1346	#define MAX_RECURSION_LEVEL 4
		1347
1346	static int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)	1348	static int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)
1347	{	1349	{
1348	int i;	1350	int i;
		1351	unsigned char max_level = 0;
		1352	int unix_sock_count = 0;
		1353
		1354	for (i = scm->fp->count - 1; i >= 0; i--) {
		1355	struct sock *sk = unix_get_socket(scm->fp->fp[i]);
		1356
		1357	if (sk) {
		1358	unix_sock_count++;
		1359	max_level = max(max_level,
		1360	unix_sk(sk)->recursion_level);
		1361	}
		1362	}
		1363	if (unlikely(max_level > MAX_RECURSION_LEVEL))
		1364	return -ETOOMANYREFS;
1349		1365
1350	/*	1366	/*
1351	* Need to duplicate file references for the sake of garbage	1367	* Need to duplicate file references for the sake of garbage
@@ -1356,9 +1372,11 @@ static int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)
1356	if (!UNIXCB(skb).fp)	1372	if (!UNIXCB(skb).fp)
1357	return -ENOMEM;	1373	return -ENOMEM;
1358		1374
1359	for (i = scm->fp->count-1; i >= 0; i--)	1375	if (unix_sock_count) {
1360	unix_inflight(scm->fp->fp[i]);	1376	for (i = scm->fp->count - 1; i >= 0; i--)
1361	return 0;	1377	unix_inflight(scm->fp->fp[i]);
		1378	}
		1379	return max_level;
1362	}	1380	}
1363		1381
1364	static int unix_scm_to_skb(struct scm_cookie scm, struct sk_buff skb, bool send_fds)	1382	static int unix_scm_to_skb(struct scm_cookie scm, struct sk_buff skb, bool send_fds)
@@ -1393,6 +1411,7 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
1393	struct sk_buff *skb;	1411	struct sk_buff *skb;
1394	long timeo;	1412	long timeo;
1395	struct scm_cookie tmp_scm;	1413	struct scm_cookie tmp_scm;
		1414	int max_level;
1396		1415
1397	if (NULL == siocb->scm)	1416	if (NULL == siocb->scm)
1398	siocb->scm = &tmp_scm;	1417	siocb->scm = &tmp_scm;
@@ -1431,8 +1450,9 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
1431	goto out;	1450	goto out;
1432		1451
1433	err = unix_scm_to_skb(siocb->scm, skb, true);	1452	err = unix_scm_to_skb(siocb->scm, skb, true);
1434	if (err)	1453	if (err < 0)
1435	goto out_free;	1454	goto out_free;
		1455	max_level = err + 1;
1436	unix_get_secdata(siocb->scm, skb);	1456	unix_get_secdata(siocb->scm, skb);
1437		1457
1438	skb_reset_transport_header(skb);	1458	skb_reset_transport_header(skb);
@@ -1514,6 +1534,8 @@ restart:
1514	if (sock_flag(other, SOCK_RCVTSTAMP))	1534	if (sock_flag(other, SOCK_RCVTSTAMP))
1515	__net_timestamp(skb);	1535	__net_timestamp(skb);
1516	skb_queue_tail(&other->sk_receive_queue, skb);	1536	skb_queue_tail(&other->sk_receive_queue, skb);
		1537	if (max_level > unix_sk(other)->recursion_level)
		1538	unix_sk(other)->recursion_level = max_level;
1517	unix_state_unlock(other);	1539	unix_state_unlock(other);
1518	other->sk_data_ready(other, len);	1540	other->sk_data_ready(other, len);
1519	sock_put(other);	1541	sock_put(other);
@@ -1544,6 +1566,7 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
1544	int sent = 0;	1566	int sent = 0;
1545	struct scm_cookie tmp_scm;	1567	struct scm_cookie tmp_scm;
1546	bool fds_sent = false;	1568	bool fds_sent = false;
		1569	int max_level;
1547		1570
1548	if (NULL == siocb->scm)	1571	if (NULL == siocb->scm)
1549	siocb->scm = &tmp_scm;	1572	siocb->scm = &tmp_scm;
@@ -1607,10 +1630,11 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
1607		1630
1608	/* Only send the fds in the first buffer */	1631	/* Only send the fds in the first buffer */
1609	err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);	1632	err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
1610	if (err) {	1633	if (err < 0) {
1611	kfree_skb(skb);	1634	kfree_skb(skb);
1612	goto out_err;	1635	goto out_err;
1613	}	1636	}
		1637	max_level = err + 1;
1614	fds_sent = true;	1638	fds_sent = true;
1615		1639
1616	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);	1640	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -1626,6 +1650,8 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
1626	goto pipe_err_free;	1650	goto pipe_err_free;
1627		1651
1628	skb_queue_tail(&other->sk_receive_queue, skb);	1652	skb_queue_tail(&other->sk_receive_queue, skb);
		1653	if (max_level > unix_sk(other)->recursion_level)
		1654	unix_sk(other)->recursion_level = max_level;
1629	unix_state_unlock(other);	1655	unix_state_unlock(other);
1630	other->sk_data_ready(other, size);	1656	other->sk_data_ready(other, size);
1631	sent += size;	1657	sent += size;
@@ -1845,6 +1871,7 @@ static int unix_stream_recvmsg(struct kiocb iocb, struct socket sock,
1845	unix_state_lock(sk);	1871	unix_state_lock(sk);
1846	skb = skb_dequeue(&sk->sk_receive_queue);	1872	skb = skb_dequeue(&sk->sk_receive_queue);
1847	if (skb == NULL) {	1873	if (skb == NULL) {
		1874	unix_sk(sk)->recursion_level = 0;
1848	if (copied >= target)	1875	if (copied >= target)
1849	goto unlock;	1876	goto unlock;
1850		1877


diff --git a/net/unix/garbage.c b/net/unix/garbage.c index c8df6fda0b1f..f89f83bf828e 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c
@@ -96,7 +96,7 @@ static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
96	unsigned int unix_tot_inflight;	96	unsigned int unix_tot_inflight;
97		97
98		98
99	static struct sock unix_get_socket(struct file filp)	99	struct sock unix_get_socket(struct file filp)
100	{	100	{
101	struct sock *u_sock = NULL;	101	struct sock *u_sock = NULL;
102	struct inode *inode = filp->f_path.dentry->d_inode;	102	struct inode *inode = filp->f_path.dentry->d_inode;
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
259	}	259	}
260		260
261	static bool gc_in_progress = false;	261	static bool gc_in_progress = false;
		262	#define UNIX_INFLIGHT_TRIGGER_GC 16000
262		263
263	void wait_for_unix_gc(void)	264	void wait_for_unix_gc(void)
264	{	265	{
		266	/*
		267	* If number of inflight sockets is insane,
		268	* force a garbage collect right now.
		269	*/
		270	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
		271	unix_gc();
265	wait_event(unix_gc_wait, gc_in_progress == false);	272	wait_event(unix_gc_wait, gc_in_progress == false);
266	}	273	}
267		274