Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: 1) Validate iov ranges before feeding them into iov_iter_init(), from Al Viro. 2) We changed copy_from_msghdr_from_user() to zero out the msg_namelen is a NULL pointer is given for the msg_name. Do the same in the compat code too. From Catalin Marinas. 3) Fix partially initialized tuples in netfilter conntrack helper, from Ian Wilson. 4) Missing continue; statement in nft_hash walker can lead to crashes, from Herbert Xu. 5) tproxy_tg6_check looks for IP6T_INV_PROTO in ->flags instead of ->invflags, fix from Pablo Neira Ayuso. 6) Incorrect memory account of TCP FINs can result in negative socket memory accounting values. Fix from Josh Hunt. 7) Don't allow virtual functions to enable VLAN promiscuous mode in be2net driver, from Vasundhara Volam. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set cx82310_eth: wait for firmware to become ready net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour be2net: use PCI MMIO read instead of config read for errors be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQs be2net: Prevent VFs from enabling VLAN promiscuous mode tcp: fix tcp fin memory accounting ipv6: fix backtracking for throw routes net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5} ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check() netfilter: restore rule tracing via nfnetlink_log netfilter: nf_tables: allow to change chain policy without hook if it exists netfilter: Fix potential crash in nft_hash walker netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
author: Linus Torvalds <torvalds@linux-foundation.org> 2015-03-23 13:16:13 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2015-03-23 13:16:13 -0400
commit: 90a5a895cc8b284ac522757a01de15e36710c2b9 (patch)
tree: 7cb8101288c07be921e360495d3856764892a6fe /net
parent: d5049617a05239873109575922ce7c0adb3e0769 (diff)
parent: c0e41fa76c5f3775c9479f6babcb94d54da08a51 (diff)
14 files changed, 67 insertions, 23 deletions
diff --git a/net/compat.c b/net/compat.c
index 94d3d5e97883..f7bd286a8280 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -49,6 +49,13 @@ ssize_t get_compat_msghdr(struct msghdr *kmsg,
            __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
            __get_user(kmsg->msg_flags, &umsg->msg_flags))
                return -EFAULT;
+        if (!uaddr)
+                kmsg->msg_namelen = 0;
+        if (kmsg->msg_namelen < 0)
+                return -EINVAL;
        if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
                kmsg->msg_namelen = sizeof(struct sockaddr_storage);
        kmsg->msg_control = compat_ptr(tmp3);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 99e810f84671..cf5e82f39d3b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -272,9 +272,9 @@ static void trace_packet(const struct sk_buff *skb,
                    &chainname, &comment, &rulenum) != 0)
                        break;
-        nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo,
+        nf_log_trace(net, AF_INET, hook, skb, in, out, &trace_loginfo,
-                      "TRACE: %s:%s:%s:%u ",
+                     "TRACE: %s:%s:%s:%u ",
-                      tablename, chainname, comment, rulenum);
+                     tablename, chainname, comment, rulenum);
 }
 #endif
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index a2a796c5536b..1db253e36045 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2773,15 +2773,11 @@ void tcp_send_fin(struct sock *sk)
        } else {
                /* Socket is locked, keep trying until memory is available. */
                for (;;) {
-                        skb = alloc_skb_fclone(MAX_TCP_HEADER,
+                        skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
-                                               sk->sk_allocation);
                        if (skb)
                                break;
                        yield();
                }
-                /* Reserve space for headers and prepare control bits. */
-                skb_reserve(skb, MAX_TCP_HEADER);
                /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
                tcp_init_nondata_skb(skb, tp->write_seq,
                                     TCPHDR_ACK | TCPHDR_FIN);
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index b4d5e1d97c1b..27ca79682efb 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
                                goto again;
                        flp6->saddr = saddr;
                }
+                err = rt->dst.error;
                goto out;
        }
 again:
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e080fbbbc0e5..bb00c6f2a885 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -298,9 +298,9 @@ static void trace_packet(const struct sk_buff *skb,
                    &chainname, &comment, &rulenum) != 0)
                        break;
-        nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
+        nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
-                      "TRACE: %s:%s:%s:%u ",
+                     "TRACE: %s:%s:%s:%u ",
-                      tablename, chainname, comment, rulenum);
+                     tablename, chainname, comment, rulenum);
 }
 #endif
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index ab889bb16b3c..be2c0ba82c85 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -112,11 +112,9 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
                fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
                fptr->nexthdr = nexthdr;
                fptr->reserved = 0;
-                if (skb_shinfo(skb)->ip6_frag_id)
+                if (!skb_shinfo(skb)->ip6_frag_id)
-                        fptr->identification = skb_shinfo(skb)->ip6_frag_id;
+                        ipv6_proxy_select_ident(skb);
-                else
+                fptr->identification = skb_shinfo(skb)->ip6_frag_id;
-                        ipv6_select_ident(fptr,
-                                          (struct rt6_info *)skb_dst(skb));
                /* Fragment the skb. ipv6 header and the remaining fields of the
                 * fragment header are updated in ipv6_gso_segment()
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 0d8448f19dfe..675d12c69e32 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -212,6 +212,30 @@ void nf_log_packet(struct net *net,
 }
 EXPORT_SYMBOL(nf_log_packet);
+void nf_log_trace(struct net *net,
+                  u_int8_t pf,
+                  unsigned int hooknum,
+                  const struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  const struct nf_loginfo *loginfo, const char *fmt, ...)
+{
+        va_list args;
+        char prefix[NF_LOG_PREFIXLEN];
+        const struct nf_logger *logger;
+        rcu_read_lock();
+        logger = rcu_dereference(net->nf.nf_loggers[pf]);
+        if (logger) {
+                va_start(args, fmt);
+                vsnprintf(prefix, sizeof(prefix), fmt, args);
+                va_end(args);
+                logger->logfn(net, pf, hooknum, skb, in, out, loginfo, prefix);
+        }
+        rcu_read_unlock();
+}
+EXPORT_SYMBOL(nf_log_trace);
 #define S_SIZE (1024 - (sizeof(unsigned int) + 1))
 struct nf_log_buf {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6ab777912237..ac1a9528dbf2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1225,7 +1225,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_CHAIN_POLICY]) {
                if ((chain != NULL &&
-                    !(chain->flags & NFT_BASE_CHAIN)) ||
+                    !(chain->flags & NFT_BASE_CHAIN)))
+                        return -EOPNOTSUPP;
+                if (chain == NULL &&
                    nla[NFTA_CHAIN_HOOK] == NULL)
                        return -EOPNOTSUPP;
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 3b90eb2b2c55..2d298dccb6dd 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -94,10 +94,10 @@ static void nft_trace_packet(const struct nft_pktinfo *pkt,
 {
        struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
-        nf_log_packet(net, pkt->xt.family, pkt->ops->hooknum, pkt->skb, pkt->in,
+        nf_log_trace(net, pkt->xt.family, pkt->ops->hooknum, pkt->skb, pkt->in,
-                      pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
+                     pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
-                      chain->table->name, chain->name, comments[type],
+                     chain->table->name, chain->name, comments[type],
-                      rulenum);
+                     rulenum);
 }
 unsigned int
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index a5599fc51a6f..54330fb5efaf 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -77,6 +77,9 @@ nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
        if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
                return -EINVAL;
+        /* Not all fields are initialized so first zero the tuple */
+        memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
        tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
        tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 213584cf04b3..65f3e2b6be44 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -133,6 +133,9 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
                entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
                break;
        case AF_INET6:
+                if (proto)
+                        entry->e6.ipv6.flags |= IP6T_F_PROTO;
                entry->e6.ipv6.proto = proto;
                entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
                break;
@@ -344,6 +347,9 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
                entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
                break;
        case AF_INET6:
+                if (proto)
+                        entry->e6.ipv6.flags |= IP6T_F_PROTO;
                entry->e6.ipv6.proto = proto;
                entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
                break;
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index c82df0a48fcd..37c15e674884 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -153,6 +153,8 @@ static void nft_hash_walk(const struct nft_ctx *ctx, const struct nft_set *set,
                                iter->err = err;
                                goto out;
                        }
+                        continue;
                }
                if (iter->count < iter->skip)
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index ef8a926752a9..50e1e5aaf4ce 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -513,8 +513,8 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct ip6t_ip6 *i = par->entryinfo;
-        if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
+        if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) &&
-            && !(i->flags & IP6T_INV_PROTO))
+            !(i->invflags & IP6T_INV_PROTO))
                return 0;
        pr_info("Can be used only in combination with "
diff --git a/net/socket.c b/net/socket.c
index bbedbfcb42c2..245330ca0015 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
        if (len > INT_MAX)
                len = INT_MAX;
+        if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+                return -EFAULT;
        sock = sockfd_lookup_light(fd, &err, &fput_needed);
        if (!sock)
                goto out;
@@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
        if (size > INT_MAX)
                size = INT_MAX;
+        if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+                return -EFAULT;
        sock = sockfd_lookup_light(fd, &err, &fput_needed);
        if (!sock)
                goto out;
author	Linus Torvalds <torvalds@linux-foundation.org>	2015-03-23 13:16:13 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2015-03-23 13:16:13 -0400
commit	90a5a895cc8b284ac522757a01de15e36710c2b9 (patch)
tree	7cb8101288c07be921e360495d3856764892a6fe /net
parent	d5049617a05239873109575922ce7c0adb3e0769 (diff)
parent	c0e41fa76c5f3775c9479f6babcb94d54da08a51 (diff)