aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-09-21 17:32:55 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-09-21 17:32:55 -0400
commitabef3bd71029b80ec1bdd6c6244b5b0b99f56633 (patch)
tree5645e6f4eb637fa8e290a1eab1f40436deb15338 /net
parent6219844e72ecc7a7c9efed8b4e41a6c6064a4967 (diff)
parenta630844d898ae8a0b4a3db84af061150682e0d3c (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking updates from David Miller: "More bug fixes, nothing gets past these guys" 1) More kernel info leaks found by Mathias Krause, this time in the IPSEC configuration layers. 2) When IPSEC policies change, we do not properly make sure that cached routes (which could now be stale) throughout the system will be revalidated. Fix this by generalizing the generation count invalidation scheme used by ipv4. From Nicolas Dichtel. 3) When repairing TCP sockets, we need to allow to restore not just the send window scale, but the receive one too. Extend the existing interface to achieve this in a backwards compatible way. From Andrey Vagin. 4) A fix for FCOE scatter gather feature validation erroneously caused scatter gather to be disabled for things like AOE too. From Ed L Cashin. 5) Several cases of mishandling of error pointers, from Mathias Krause, Wei Yongjun, and Devendra Naga. 6) Fix gianfar build, from Richard Cochran. 7) CAP_NET_* failures should return -EPERM not -EACCES, from Zhao Hongjiang. 8) Hardware reset fix in janz-ican3 CAN driver, from Ira W Snyder. 9) Fix oops during rmmod in ti_hecc CAN driver, from Marc Kleine-Budde. 10) The removal of the conditional compilation of the clk support code in the stmmac driver broke things. This is because the interfaces used are the ones that don't also perform the enable/disable of the clk. Fix from Stefan Roese. 11) The QFQ packet scheduler can record out of range virtual start times, resulting later in misbehavior and even crashes. Fix from Paolo Valente. 12) If MSG_WAITALL is used with IOAT DMA under TCP, we can wedge the receiver when the advertised receive window goes to zero. Detect this case and force the processing of the IOAT DMA queue when it happens to avoid getting stuck. Fix from Michal Kubecek. 13) batman-adv assumes that test_bit() returns only 0 or 1, but this is not true for x86 (which returns -1 or 0, via the 'sbb' instruction). Fix from Linus Lussing. 14) Fix small packet corruption in e1000, from Tushar Dave. 15) make_blackhole() in the IPSEC policy code can do one read unlock too many, fix from Li RongQing. 16) The new tcp_try_coalesce() code introduced a bug in TCP URG handling, fix from Eric Dumazet. 17) Fix memory leak in __netif_receive_skb() when doing zerocopy and when hit an OOM condition. From Michael S Tsirkin. 18) netxen blindly deferences pdev->bus->self, which is not guarenteed to be non-NULL. Fix from Nikolay Aleksandrov. 19) Fix a performance regression caused by mistakes in ipv6 checksum validation in the bnx2x driver, fix from Michal Schmidt. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (45 commits) net/stmmac: Use clk_prepare_enable and clk_disable_unprepare net: change return values from -EACCES to -EPERM net/irda: sh_sir: fix return value check in sh_sir_set_baudrate() stmmac: fix return value check in stmmac_open_ext_timer() gianfar: fix phc index build failure ipv6: fix return value check in fib6_add() bnx2x: remove false warning regarding interrupt number can: ti_hecc: fix oops during rmmod can: janz-ican3: fix support for older hardware revisions net: do not disable sg for packets requiring no checksum aoe: assert AoE packets marked as requiring no checksum at91ether: return PTR_ERR if call to clk_get fails xfrm_user: don't copy esn replay window twice for new states xfrm_user: ensure user supplied esn replay window is valid xfrm_user: fix info leak in copy_to_user_tmpl() xfrm_user: fix info leak in copy_to_user_policy() xfrm_user: fix info leak in copy_to_user_state() xfrm_user: fix info leak in copy_to_user_auth() net: qmi_wwan: adding Huawei E367, ZTE MF683 and Pantech P4200 tcp: restore rcv_wscale in a repair mode (v2) ...
Diffstat (limited to 'net')
-rw-r--r--net/batman-adv/bitarray.h6
-rw-r--r--net/bluetooth/bnep/sock.c4
-rw-r--r--net/bluetooth/cmtp/sock.c4
-rw-r--r--net/bluetooth/hci_sock.c16
-rw-r--r--net/bluetooth/hidp/sock.c4
-rw-r--r--net/core/dev.c5
-rw-r--r--net/core/skbuff.c4
-rw-r--r--net/ipv4/arp.c2
-rw-r--r--net/ipv4/devinet.c10
-rw-r--r--net/ipv4/fib_frontend.c20
-rw-r--r--net/ipv4/fib_rules.c2
-rw-r--r--net/ipv4/fib_trie.c6
-rw-r--r--net/ipv4/route.c43
-rw-r--r--net/ipv4/tcp.c23
-rw-r--r--net/ipv4/tcp_input.c5
-rw-r--r--net/ipv6/inet6_connection_sock.c23
-rw-r--r--net/ipv6/ip6_fib.c4
-rw-r--r--net/ipv6/route.c19
-rw-r--r--net/netrom/af_netrom.c2
-rw-r--r--net/sched/sch_qfq.c5
-rw-r--r--net/xfrm/xfrm_policy.c3
-rw-r--r--net/xfrm/xfrm_user.c57
22 files changed, 134 insertions, 133 deletions
diff --git a/net/batman-adv/bitarray.h b/net/batman-adv/bitarray.h
index a081ce1c0514..cebaae7e148b 100644
--- a/net/batman-adv/bitarray.h
+++ b/net/batman-adv/bitarray.h
@@ -20,8 +20,8 @@
20#ifndef _NET_BATMAN_ADV_BITARRAY_H_ 20#ifndef _NET_BATMAN_ADV_BITARRAY_H_
21#define _NET_BATMAN_ADV_BITARRAY_H_ 21#define _NET_BATMAN_ADV_BITARRAY_H_
22 22
23/* returns true if the corresponding bit in the given seq_bits indicates true 23/* Returns 1 if the corresponding bit in the given seq_bits indicates true
24 * and curr_seqno is within range of last_seqno 24 * and curr_seqno is within range of last_seqno. Otherwise returns 0.
25 */ 25 */
26static inline int batadv_test_bit(const unsigned long *seq_bits, 26static inline int batadv_test_bit(const unsigned long *seq_bits,
27 uint32_t last_seqno, uint32_t curr_seqno) 27 uint32_t last_seqno, uint32_t curr_seqno)
@@ -32,7 +32,7 @@ static inline int batadv_test_bit(const unsigned long *seq_bits,
32 if (diff < 0 || diff >= BATADV_TQ_LOCAL_WINDOW_SIZE) 32 if (diff < 0 || diff >= BATADV_TQ_LOCAL_WINDOW_SIZE)
33 return 0; 33 return 0;
34 else 34 else
35 return test_bit(diff, seq_bits); 35 return test_bit(diff, seq_bits) != 0;
36} 36}
37 37
38/* turn corresponding bit on, so we can remember that we got the packet */ 38/* turn corresponding bit on, so we can remember that we got the packet */
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 5e5f5b410e0b..1eaacf10d19d 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -58,7 +58,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
58 switch (cmd) { 58 switch (cmd) {
59 case BNEPCONNADD: 59 case BNEPCONNADD:
60 if (!capable(CAP_NET_ADMIN)) 60 if (!capable(CAP_NET_ADMIN))
61 return -EACCES; 61 return -EPERM;
62 62
63 if (copy_from_user(&ca, argp, sizeof(ca))) 63 if (copy_from_user(&ca, argp, sizeof(ca)))
64 return -EFAULT; 64 return -EFAULT;
@@ -84,7 +84,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
84 84
85 case BNEPCONNDEL: 85 case BNEPCONNDEL:
86 if (!capable(CAP_NET_ADMIN)) 86 if (!capable(CAP_NET_ADMIN))
87 return -EACCES; 87 return -EPERM;
88 88
89 if (copy_from_user(&cd, argp, sizeof(cd))) 89 if (copy_from_user(&cd, argp, sizeof(cd)))
90 return -EFAULT; 90 return -EFAULT;
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 311668d14571..32dc83dcb6b2 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -72,7 +72,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
72 switch (cmd) { 72 switch (cmd) {
73 case CMTPCONNADD: 73 case CMTPCONNADD:
74 if (!capable(CAP_NET_ADMIN)) 74 if (!capable(CAP_NET_ADMIN))
75 return -EACCES; 75 return -EPERM;
76 76
77 if (copy_from_user(&ca, argp, sizeof(ca))) 77 if (copy_from_user(&ca, argp, sizeof(ca)))
78 return -EFAULT; 78 return -EFAULT;
@@ -97,7 +97,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
97 97
98 case CMTPCONNDEL: 98 case CMTPCONNDEL:
99 if (!capable(CAP_NET_ADMIN)) 99 if (!capable(CAP_NET_ADMIN))
100 return -EACCES; 100 return -EPERM;
101 101
102 if (copy_from_user(&cd, argp, sizeof(cd))) 102 if (copy_from_user(&cd, argp, sizeof(cd)))
103 return -EFAULT; 103 return -EFAULT;
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 19fdac78e555..d5ace1eda3ed 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -490,7 +490,7 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
490 switch (cmd) { 490 switch (cmd) {
491 case HCISETRAW: 491 case HCISETRAW:
492 if (!capable(CAP_NET_ADMIN)) 492 if (!capable(CAP_NET_ADMIN))
493 return -EACCES; 493 return -EPERM;
494 494
495 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 495 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
496 return -EPERM; 496 return -EPERM;
@@ -510,12 +510,12 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
510 510
511 case HCIBLOCKADDR: 511 case HCIBLOCKADDR:
512 if (!capable(CAP_NET_ADMIN)) 512 if (!capable(CAP_NET_ADMIN))
513 return -EACCES; 513 return -EPERM;
514 return hci_sock_blacklist_add(hdev, (void __user *) arg); 514 return hci_sock_blacklist_add(hdev, (void __user *) arg);
515 515
516 case HCIUNBLOCKADDR: 516 case HCIUNBLOCKADDR:
517 if (!capable(CAP_NET_ADMIN)) 517 if (!capable(CAP_NET_ADMIN))
518 return -EACCES; 518 return -EPERM;
519 return hci_sock_blacklist_del(hdev, (void __user *) arg); 519 return hci_sock_blacklist_del(hdev, (void __user *) arg);
520 520
521 default: 521 default:
@@ -546,22 +546,22 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
546 546
547 case HCIDEVUP: 547 case HCIDEVUP:
548 if (!capable(CAP_NET_ADMIN)) 548 if (!capable(CAP_NET_ADMIN))
549 return -EACCES; 549 return -EPERM;
550 return hci_dev_open(arg); 550 return hci_dev_open(arg);
551 551
552 case HCIDEVDOWN: 552 case HCIDEVDOWN:
553 if (!capable(CAP_NET_ADMIN)) 553 if (!capable(CAP_NET_ADMIN))
554 return -EACCES; 554 return -EPERM;
555 return hci_dev_close(arg); 555 return hci_dev_close(arg);
556 556
557 case HCIDEVRESET: 557 case HCIDEVRESET:
558 if (!capable(CAP_NET_ADMIN)) 558 if (!capable(CAP_NET_ADMIN))
559 return -EACCES; 559 return -EPERM;
560 return hci_dev_reset(arg); 560 return hci_dev_reset(arg);
561 561
562 case HCIDEVRESTAT: 562 case HCIDEVRESTAT:
563 if (!capable(CAP_NET_ADMIN)) 563 if (!capable(CAP_NET_ADMIN))
564 return -EACCES; 564 return -EPERM;
565 return hci_dev_reset_stat(arg); 565 return hci_dev_reset_stat(arg);
566 566
567 case HCISETSCAN: 567 case HCISETSCAN:
@@ -573,7 +573,7 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
573 case HCISETACLMTU: 573 case HCISETACLMTU:
574 case HCISETSCOMTU: 574 case HCISETSCOMTU:
575 if (!capable(CAP_NET_ADMIN)) 575 if (!capable(CAP_NET_ADMIN))
576 return -EACCES; 576 return -EPERM;
577 return hci_dev_cmd(cmd, argp); 577 return hci_dev_cmd(cmd, argp);
578 578
579 case HCIINQUIRY: 579 case HCIINQUIRY:
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 18b3f6892a36..b24fb3bd8625 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -56,7 +56,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
56 switch (cmd) { 56 switch (cmd) {
57 case HIDPCONNADD: 57 case HIDPCONNADD:
58 if (!capable(CAP_NET_ADMIN)) 58 if (!capable(CAP_NET_ADMIN))
59 return -EACCES; 59 return -EPERM;
60 60
61 if (copy_from_user(&ca, argp, sizeof(ca))) 61 if (copy_from_user(&ca, argp, sizeof(ca)))
62 return -EFAULT; 62 return -EFAULT;
@@ -91,7 +91,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
91 91
92 case HIDPCONNDEL: 92 case HIDPCONNDEL:
93 if (!capable(CAP_NET_ADMIN)) 93 if (!capable(CAP_NET_ADMIN))
94 return -EACCES; 94 return -EPERM;
95 95
96 if (copy_from_user(&cd, argp, sizeof(cd))) 96 if (copy_from_user(&cd, argp, sizeof(cd)))
97 return -EFAULT; 97 return -EFAULT;
diff --git a/net/core/dev.c b/net/core/dev.c
index d7fe32c946c1..89e33a5d4d93 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2134,7 +2134,8 @@ static bool can_checksum_protocol(netdev_features_t features, __be16 protocol)
2134static netdev_features_t harmonize_features(struct sk_buff *skb, 2134static netdev_features_t harmonize_features(struct sk_buff *skb,
2135 __be16 protocol, netdev_features_t features) 2135 __be16 protocol, netdev_features_t features)
2136{ 2136{
2137 if (!can_checksum_protocol(features, protocol)) { 2137 if (skb->ip_summed != CHECKSUM_NONE &&
2138 !can_checksum_protocol(features, protocol)) {
2138 features &= ~NETIF_F_ALL_CSUM; 2139 features &= ~NETIF_F_ALL_CSUM;
2139 features &= ~NETIF_F_SG; 2140 features &= ~NETIF_F_SG;
2140 } else if (illegal_highdma(skb->dev, skb)) { 2141 } else if (illegal_highdma(skb->dev, skb)) {
@@ -3322,7 +3323,7 @@ ncls:
3322 3323
3323 if (pt_prev) { 3324 if (pt_prev) {
3324 if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) 3325 if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
3325 ret = -ENOMEM; 3326 goto drop;
3326 else 3327 else
3327 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); 3328 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
3328 } else { 3329 } else {
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fe00d1208167..e33ebae519c8 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3502,7 +3502,9 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
3502 if (!skb_cloned(from)) 3502 if (!skb_cloned(from))
3503 skb_shinfo(from)->nr_frags = 0; 3503 skb_shinfo(from)->nr_frags = 0;
3504 3504
3505 /* if the skb is cloned this does nothing since we set nr_frags to 0 */ 3505 /* if the skb is not cloned this does nothing
3506 * since we set nr_frags to 0.
3507 */
3506 for (i = 0; i < skb_shinfo(from)->nr_frags; i++) 3508 for (i = 0; i < skb_shinfo(from)->nr_frags; i++)
3507 skb_frag_ref(from, i); 3509 skb_frag_ref(from, i);
3508 3510
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 77e87aff419a..47800459e4cb 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1225,7 +1225,7 @@ static int arp_netdev_event(struct notifier_block *this, unsigned long event,
1225 switch (event) { 1225 switch (event) {
1226 case NETDEV_CHANGEADDR: 1226 case NETDEV_CHANGEADDR:
1227 neigh_changeaddr(&arp_tbl, dev); 1227 neigh_changeaddr(&arp_tbl, dev);
1228 rt_cache_flush(dev_net(dev), 0); 1228 rt_cache_flush(dev_net(dev));
1229 break; 1229 break;
1230 default: 1230 default:
1231 break; 1231 break;
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 44bf82e3aef7..e12fad773852 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -725,7 +725,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
725 break; 725 break;
726 726
727 case SIOCSIFFLAGS: 727 case SIOCSIFFLAGS:
728 ret = -EACCES; 728 ret = -EPERM;
729 if (!capable(CAP_NET_ADMIN)) 729 if (!capable(CAP_NET_ADMIN))
730 goto out; 730 goto out;
731 break; 731 break;
@@ -733,7 +733,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
733 case SIOCSIFBRDADDR: /* Set the broadcast address */ 733 case SIOCSIFBRDADDR: /* Set the broadcast address */
734 case SIOCSIFDSTADDR: /* Set the destination address */ 734 case SIOCSIFDSTADDR: /* Set the destination address */
735 case SIOCSIFNETMASK: /* Set the netmask for the interface */ 735 case SIOCSIFNETMASK: /* Set the netmask for the interface */
736 ret = -EACCES; 736 ret = -EPERM;
737 if (!capable(CAP_NET_ADMIN)) 737 if (!capable(CAP_NET_ADMIN))
738 goto out; 738 goto out;
739 ret = -EINVAL; 739 ret = -EINVAL;
@@ -1503,7 +1503,7 @@ static int devinet_conf_proc(ctl_table *ctl, int write,
1503 if (i == IPV4_DEVCONF_ACCEPT_LOCAL - 1 || 1503 if (i == IPV4_DEVCONF_ACCEPT_LOCAL - 1 ||
1504 i == IPV4_DEVCONF_ROUTE_LOCALNET - 1) 1504 i == IPV4_DEVCONF_ROUTE_LOCALNET - 1)
1505 if ((new_value == 0) && (old_value != 0)) 1505 if ((new_value == 0) && (old_value != 0))
1506 rt_cache_flush(net, 0); 1506 rt_cache_flush(net);
1507 } 1507 }
1508 1508
1509 return ret; 1509 return ret;
@@ -1537,7 +1537,7 @@ static int devinet_sysctl_forward(ctl_table *ctl, int write,
1537 dev_disable_lro(idev->dev); 1537 dev_disable_lro(idev->dev);
1538 } 1538 }
1539 rtnl_unlock(); 1539 rtnl_unlock();
1540 rt_cache_flush(net, 0); 1540 rt_cache_flush(net);
1541 } 1541 }
1542 } 1542 }
1543 1543
@@ -1554,7 +1554,7 @@ static int ipv4_doint_and_flush(ctl_table *ctl, int write,
1554 struct net *net = ctl->extra2; 1554 struct net *net = ctl->extra2;
1555 1555
1556 if (write && *valp != val) 1556 if (write && *valp != val)
1557 rt_cache_flush(net, 0); 1557 rt_cache_flush(net);
1558 1558
1559 return ret; 1559 return ret;
1560} 1560}
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index c43ae3fba792..8e2b475da9fa 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -148,7 +148,7 @@ static void fib_flush(struct net *net)
148 } 148 }
149 149
150 if (flushed) 150 if (flushed)
151 rt_cache_flush(net, -1); 151 rt_cache_flush(net);
152} 152}
153 153
154/* 154/*
@@ -999,11 +999,11 @@ static void nl_fib_lookup_exit(struct net *net)
999 net->ipv4.fibnl = NULL; 999 net->ipv4.fibnl = NULL;
1000} 1000}
1001 1001
1002static void fib_disable_ip(struct net_device *dev, int force, int delay) 1002static void fib_disable_ip(struct net_device *dev, int force)
1003{ 1003{
1004 if (fib_sync_down_dev(dev, force)) 1004 if (fib_sync_down_dev(dev, force))
1005 fib_flush(dev_net(dev)); 1005 fib_flush(dev_net(dev));
1006 rt_cache_flush(dev_net(dev), delay); 1006 rt_cache_flush(dev_net(dev));
1007 arp_ifdown(dev); 1007 arp_ifdown(dev);
1008} 1008}
1009 1009
@@ -1020,7 +1020,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
1020 fib_sync_up(dev); 1020 fib_sync_up(dev);
1021#endif 1021#endif
1022 atomic_inc(&net->ipv4.dev_addr_genid); 1022 atomic_inc(&net->ipv4.dev_addr_genid);
1023 rt_cache_flush(dev_net(dev), -1); 1023 rt_cache_flush(dev_net(dev));
1024 break; 1024 break;
1025 case NETDEV_DOWN: 1025 case NETDEV_DOWN:
1026 fib_del_ifaddr(ifa, NULL); 1026 fib_del_ifaddr(ifa, NULL);
@@ -1029,9 +1029,9 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
1029 /* Last address was deleted from this interface. 1029 /* Last address was deleted from this interface.
1030 * Disable IP. 1030 * Disable IP.
1031 */ 1031 */
1032 fib_disable_ip(dev, 1, 0); 1032 fib_disable_ip(dev, 1);
1033 } else { 1033 } else {
1034 rt_cache_flush(dev_net(dev), -1); 1034 rt_cache_flush(dev_net(dev));
1035 } 1035 }
1036 break; 1036 break;
1037 } 1037 }
@@ -1045,7 +1045,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
1045 struct net *net = dev_net(dev); 1045 struct net *net = dev_net(dev);
1046 1046
1047 if (event == NETDEV_UNREGISTER) { 1047 if (event == NETDEV_UNREGISTER) {
1048 fib_disable_ip(dev, 2, -1); 1048 fib_disable_ip(dev, 2);
1049 rt_flush_dev(dev); 1049 rt_flush_dev(dev);
1050 return NOTIFY_DONE; 1050 return NOTIFY_DONE;
1051 } 1051 }
@@ -1062,14 +1062,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
1062 fib_sync_up(dev); 1062 fib_sync_up(dev);
1063#endif 1063#endif
1064 atomic_inc(&net->ipv4.dev_addr_genid); 1064 atomic_inc(&net->ipv4.dev_addr_genid);
1065 rt_cache_flush(dev_net(dev), -1); 1065 rt_cache_flush(dev_net(dev));
1066 break; 1066 break;
1067 case NETDEV_DOWN: 1067 case NETDEV_DOWN:
1068 fib_disable_ip(dev, 0, 0); 1068 fib_disable_ip(dev, 0);
1069 break; 1069 break;
1070 case NETDEV_CHANGEMTU: 1070 case NETDEV_CHANGEMTU:
1071 case NETDEV_CHANGE: 1071 case NETDEV_CHANGE:
1072 rt_cache_flush(dev_net(dev), 0); 1072 rt_cache_flush(dev_net(dev));
1073 break; 1073 break;
1074 case NETDEV_UNREGISTER_BATCH: 1074 case NETDEV_UNREGISTER_BATCH:
1075 break; 1075 break;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index a83d74e498d2..274309d3aded 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -259,7 +259,7 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule)
259 259
260static void fib4_rule_flush_cache(struct fib_rules_ops *ops) 260static void fib4_rule_flush_cache(struct fib_rules_ops *ops)
261{ 261{
262 rt_cache_flush(ops->fro_net, -1); 262 rt_cache_flush(ops->fro_net);
263} 263}
264 264
265static const struct fib_rules_ops __net_initdata fib4_rules_ops_template = { 265static const struct fib_rules_ops __net_initdata fib4_rules_ops_template = {
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 57bd978483e1..d1b93595b4a7 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1286,7 +1286,7 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
1286 1286
1287 fib_release_info(fi_drop); 1287 fib_release_info(fi_drop);
1288 if (state & FA_S_ACCESSED) 1288 if (state & FA_S_ACCESSED)
1289 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1289 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1290 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, 1290 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen,
1291 tb->tb_id, &cfg->fc_nlinfo, NLM_F_REPLACE); 1291 tb->tb_id, &cfg->fc_nlinfo, NLM_F_REPLACE);
1292 1292
@@ -1333,7 +1333,7 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
1333 list_add_tail_rcu(&new_fa->fa_list, 1333 list_add_tail_rcu(&new_fa->fa_list,
1334 (fa ? &fa->fa_list : fa_head)); 1334 (fa ? &fa->fa_list : fa_head));
1335 1335
1336 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1336 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1337 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, tb->tb_id, 1337 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, tb->tb_id,
1338 &cfg->fc_nlinfo, 0); 1338 &cfg->fc_nlinfo, 0);
1339succeeded: 1339succeeded:
@@ -1708,7 +1708,7 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
1708 trie_leaf_remove(t, l); 1708 trie_leaf_remove(t, l);
1709 1709
1710 if (fa->fa_state & FA_S_ACCESSED) 1710 if (fa->fa_state & FA_S_ACCESSED)
1711 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1711 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1712 1712
1713 fib_release_info(fa->fa_info); 1713 fib_release_info(fa->fa_info);
1714 alias_free_mem_rcu(fa); 1714 alias_free_mem_rcu(fa);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 82cf2a722b23..fd9af60397b5 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -202,11 +202,6 @@ EXPORT_SYMBOL(ip_tos2prio);
202static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat); 202static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat);
203#define RT_CACHE_STAT_INC(field) __this_cpu_inc(rt_cache_stat.field) 203#define RT_CACHE_STAT_INC(field) __this_cpu_inc(rt_cache_stat.field)
204 204
205static inline int rt_genid(struct net *net)
206{
207 return atomic_read(&net->ipv4.rt_genid);
208}
209
210#ifdef CONFIG_PROC_FS 205#ifdef CONFIG_PROC_FS
211static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos) 206static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos)
212{ 207{
@@ -447,27 +442,9 @@ static inline bool rt_is_expired(const struct rtable *rth)
447 return rth->rt_genid != rt_genid(dev_net(rth->dst.dev)); 442 return rth->rt_genid != rt_genid(dev_net(rth->dst.dev));
448} 443}
449 444
450/* 445void rt_cache_flush(struct net *net)
451 * Perturbation of rt_genid by a small quantity [1..256]
452 * Using 8 bits of shuffling ensure we can call rt_cache_invalidate()
453 * many times (2^24) without giving recent rt_genid.
454 * Jenkins hash is strong enough that litle changes of rt_genid are OK.
455 */
456static void rt_cache_invalidate(struct net *net)
457{ 446{
458 unsigned char shuffle; 447 rt_genid_bump(net);
459
460 get_random_bytes(&shuffle, sizeof(shuffle));
461 atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
462}
463
464/*
465 * delay < 0 : invalidate cache (fast : entries will be deleted later)
466 * delay >= 0 : invalidate & flush cache (can be long)
467 */
468void rt_cache_flush(struct net *net, int delay)
469{
470 rt_cache_invalidate(net);
471} 448}
472 449
473static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst, 450static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
@@ -2345,7 +2322,7 @@ int ip_rt_dump(struct sk_buff *skb, struct netlink_callback *cb)
2345 2322
2346void ip_rt_multicast_event(struct in_device *in_dev) 2323void ip_rt_multicast_event(struct in_device *in_dev)
2347{ 2324{
2348 rt_cache_flush(dev_net(in_dev->dev), 0); 2325 rt_cache_flush(dev_net(in_dev->dev));
2349} 2326}
2350 2327
2351#ifdef CONFIG_SYSCTL 2328#ifdef CONFIG_SYSCTL
@@ -2354,16 +2331,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write,
2354 size_t *lenp, loff_t *ppos) 2331 size_t *lenp, loff_t *ppos)
2355{ 2332{
2356 if (write) { 2333 if (write) {
2357 int flush_delay; 2334 rt_cache_flush((struct net *)__ctl->extra1);
2358 ctl_table ctl;
2359 struct net *net;
2360
2361 memcpy(&ctl, __ctl, sizeof(ctl));
2362 ctl.data = &flush_delay;
2363 proc_dointvec(&ctl, write, buffer, lenp, ppos);
2364
2365 net = (struct net *)__ctl->extra1;
2366 rt_cache_flush(net, flush_delay);
2367 return 0; 2335 return 0;
2368 } 2336 }
2369 2337
@@ -2533,8 +2501,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
2533 2501
2534static __net_init int rt_genid_init(struct net *net) 2502static __net_init int rt_genid_init(struct net *net)
2535{ 2503{
2536 get_random_bytes(&net->ipv4.rt_genid, 2504 atomic_set(&net->rt_genid, 0);
2537 sizeof(net->ipv4.rt_genid));
2538 get_random_bytes(&net->ipv4.dev_addr_genid, 2505 get_random_bytes(&net->ipv4.dev_addr_genid,
2539 sizeof(net->ipv4.dev_addr_genid)); 2506 sizeof(net->ipv4.dev_addr_genid));
2540 return 0; 2507 return 0;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 2109ff4a1daf..5f6419341821 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1762,8 +1762,14 @@ int tcp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
1762 } 1762 }
1763 1763
1764#ifdef CONFIG_NET_DMA 1764#ifdef CONFIG_NET_DMA
1765 if (tp->ucopy.dma_chan) 1765 if (tp->ucopy.dma_chan) {
1766 dma_async_memcpy_issue_pending(tp->ucopy.dma_chan); 1766 if (tp->rcv_wnd == 0 &&
1767 !skb_queue_empty(&sk->sk_async_wait_queue)) {
1768 tcp_service_net_dma(sk, true);
1769 tcp_cleanup_rbuf(sk, copied);
1770 } else
1771 dma_async_memcpy_issue_pending(tp->ucopy.dma_chan);
1772 }
1767#endif 1773#endif
1768 if (copied >= target) { 1774 if (copied >= target) {
1769 /* Do not sleep, just process backlog. */ 1775 /* Do not sleep, just process backlog. */
@@ -2325,10 +2331,17 @@ static int tcp_repair_options_est(struct tcp_sock *tp,
2325 tp->rx_opt.mss_clamp = opt.opt_val; 2331 tp->rx_opt.mss_clamp = opt.opt_val;
2326 break; 2332 break;
2327 case TCPOPT_WINDOW: 2333 case TCPOPT_WINDOW:
2328 if (opt.opt_val > 14) 2334 {
2329 return -EFBIG; 2335 u16 snd_wscale = opt.opt_val & 0xFFFF;
2336 u16 rcv_wscale = opt.opt_val >> 16;
2337
2338 if (snd_wscale > 14 || rcv_wscale > 14)
2339 return -EFBIG;
2330 2340
2331 tp->rx_opt.snd_wscale = opt.opt_val; 2341 tp->rx_opt.snd_wscale = snd_wscale;
2342 tp->rx_opt.rcv_wscale = rcv_wscale;
2343 tp->rx_opt.wscale_ok = 1;
2344 }
2332 break; 2345 break;
2333 case TCPOPT_SACK_PERM: 2346 case TCPOPT_SACK_PERM:
2334 if (opt.opt_val != 0) 2347 if (opt.opt_val != 0)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 6e38c6c23caa..d377f4854cb8 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4661,7 +4661,7 @@ queue_and_out:
4661 4661
4662 if (eaten > 0) 4662 if (eaten > 0)
4663 kfree_skb_partial(skb, fragstolen); 4663 kfree_skb_partial(skb, fragstolen);
4664 else if (!sock_flag(sk, SOCK_DEAD)) 4664 if (!sock_flag(sk, SOCK_DEAD))
4665 sk->sk_data_ready(sk, 0); 4665 sk->sk_data_ready(sk, 0);
4666 return; 4666 return;
4667 } 4667 }
@@ -5556,8 +5556,7 @@ no_ack:
5556#endif 5556#endif
5557 if (eaten) 5557 if (eaten)
5558 kfree_skb_partial(skb, fragstolen); 5558 kfree_skb_partial(skb, fragstolen);
5559 else 5559 sk->sk_data_ready(sk, 0);
5560 sk->sk_data_ready(sk, 0);
5561 return 0; 5560 return 0;
5562 } 5561 }
5563 } 5562 }
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 0251a6005be8..c4f934176cab 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -175,33 +175,12 @@ void __inet6_csk_dst_store(struct sock *sk, struct dst_entry *dst,
175 const struct in6_addr *saddr) 175 const struct in6_addr *saddr)
176{ 176{
177 __ip6_dst_store(sk, dst, daddr, saddr); 177 __ip6_dst_store(sk, dst, daddr, saddr);
178
179#ifdef CONFIG_XFRM
180 {
181 struct rt6_info *rt = (struct rt6_info *)dst;
182 rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
183 }
184#endif
185} 178}
186 179
187static inline 180static inline
188struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie) 181struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie)
189{ 182{
190 struct dst_entry *dst; 183 return __sk_dst_check(sk, cookie);
191
192 dst = __sk_dst_check(sk, cookie);
193
194#ifdef CONFIG_XFRM
195 if (dst) {
196 struct rt6_info *rt = (struct rt6_info *)dst;
197 if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
198 __sk_dst_reset(sk);
199 dst = NULL;
200 }
201 }
202#endif
203
204 return dst;
205} 184}
206 185
207static struct dst_entry *inet6_csk_route_socket(struct sock *sk, 186static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 13690d650c3e..286acfc21250 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -819,6 +819,10 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
819 offsetof(struct rt6_info, rt6i_src), 819 offsetof(struct rt6_info, rt6i_src),
820 allow_create, replace_required); 820 allow_create, replace_required);
821 821
822 if (IS_ERR(sn)) {
823 err = PTR_ERR(sn);
824 sn = NULL;
825 }
822 if (!sn) { 826 if (!sn) {
823 /* If it is failed, discard just allocated 827 /* If it is failed, discard just allocated
824 root, and then (in st_failure) stale node 828 root, and then (in st_failure) stale node
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8e80fd279100..854e4018d205 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -226,7 +226,7 @@ static struct rt6_info ip6_null_entry_template = {
226 .dst = { 226 .dst = {
227 .__refcnt = ATOMIC_INIT(1), 227 .__refcnt = ATOMIC_INIT(1),
228 .__use = 1, 228 .__use = 1,
229 .obsolete = -1, 229 .obsolete = DST_OBSOLETE_FORCE_CHK,
230 .error = -ENETUNREACH, 230 .error = -ENETUNREACH,
231 .input = ip6_pkt_discard, 231 .input = ip6_pkt_discard,
232 .output = ip6_pkt_discard_out, 232 .output = ip6_pkt_discard_out,
@@ -246,7 +246,7 @@ static struct rt6_info ip6_prohibit_entry_template = {
246 .dst = { 246 .dst = {
247 .__refcnt = ATOMIC_INIT(1), 247 .__refcnt = ATOMIC_INIT(1),
248 .__use = 1, 248 .__use = 1,
249 .obsolete = -1, 249 .obsolete = DST_OBSOLETE_FORCE_CHK,
250 .error = -EACCES, 250 .error = -EACCES,
251 .input = ip6_pkt_prohibit, 251 .input = ip6_pkt_prohibit,
252 .output = ip6_pkt_prohibit_out, 252 .output = ip6_pkt_prohibit_out,
@@ -261,7 +261,7 @@ static struct rt6_info ip6_blk_hole_entry_template = {
261 .dst = { 261 .dst = {
262 .__refcnt = ATOMIC_INIT(1), 262 .__refcnt = ATOMIC_INIT(1),
263 .__use = 1, 263 .__use = 1,
264 .obsolete = -1, 264 .obsolete = DST_OBSOLETE_FORCE_CHK,
265 .error = -EINVAL, 265 .error = -EINVAL,
266 .input = dst_discard, 266 .input = dst_discard,
267 .output = dst_discard, 267 .output = dst_discard,
@@ -281,13 +281,14 @@ static inline struct rt6_info *ip6_dst_alloc(struct net *net,
281 struct fib6_table *table) 281 struct fib6_table *table)
282{ 282{
283 struct rt6_info *rt = dst_alloc(&net->ipv6.ip6_dst_ops, dev, 283 struct rt6_info *rt = dst_alloc(&net->ipv6.ip6_dst_ops, dev,
284 0, DST_OBSOLETE_NONE, flags); 284 0, DST_OBSOLETE_FORCE_CHK, flags);
285 285
286 if (rt) { 286 if (rt) {
287 struct dst_entry *dst = &rt->dst; 287 struct dst_entry *dst = &rt->dst;
288 288
289 memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst)); 289 memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst));
290 rt6_init_peer(rt, table ? &table->tb6_peers : net->ipv6.peers); 290 rt6_init_peer(rt, table ? &table->tb6_peers : net->ipv6.peers);
291 rt->rt6i_genid = rt_genid(net);
291 } 292 }
292 return rt; 293 return rt;
293} 294}
@@ -1031,6 +1032,13 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
1031 1032
1032 rt = (struct rt6_info *) dst; 1033 rt = (struct rt6_info *) dst;
1033 1034
1035 /* All IPV6 dsts are created with ->obsolete set to the value
1036 * DST_OBSOLETE_FORCE_CHK which forces validation calls down
1037 * into this function always.
1038 */
1039 if (rt->rt6i_genid != rt_genid(dev_net(rt->dst.dev)))
1040 return NULL;
1041
1034 if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie)) { 1042 if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie)) {
1035 if (rt->rt6i_peer_genid != rt6_peer_genid()) { 1043 if (rt->rt6i_peer_genid != rt6_peer_genid()) {
1036 if (!rt6_has_peer(rt)) 1044 if (!rt6_has_peer(rt))
@@ -1397,8 +1405,6 @@ int ip6_route_add(struct fib6_config *cfg)
1397 goto out; 1405 goto out;
1398 } 1406 }
1399 1407
1400 rt->dst.obsolete = -1;
1401
1402 if (cfg->fc_flags & RTF_EXPIRES) 1408 if (cfg->fc_flags & RTF_EXPIRES)
1403 rt6_set_expires(rt, jiffies + 1409 rt6_set_expires(rt, jiffies +
1404 clock_t_to_jiffies(cfg->fc_expires)); 1410 clock_t_to_jiffies(cfg->fc_expires));
@@ -2080,7 +2086,6 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
2080 rt->dst.input = ip6_input; 2086 rt->dst.input = ip6_input;
2081 rt->dst.output = ip6_output; 2087 rt->dst.output = ip6_output;
2082 rt->rt6i_idev = idev; 2088 rt->rt6i_idev = idev;
2083 rt->dst.obsolete = -1;
2084 2089
2085 rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP; 2090 rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP;
2086 if (anycast) 2091 if (anycast)
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 1b9024ee963c..7261eb81974f 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -601,7 +601,7 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
601 if (!capable(CAP_NET_BIND_SERVICE)) { 601 if (!capable(CAP_NET_BIND_SERVICE)) {
602 dev_put(dev); 602 dev_put(dev);
603 release_sock(sk); 603 release_sock(sk);
604 return -EACCES; 604 return -EPERM;
605 } 605 }
606 nr->user_addr = addr->fsa_digipeater[0]; 606 nr->user_addr = addr->fsa_digipeater[0];
607 nr->source_addr = addr->fsa_ax25.sax25_call; 607 nr->source_addr = addr->fsa_ax25.sax25_call;
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index e4723d31fdd5..211a21217045 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -865,7 +865,10 @@ static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
865 if (mask) { 865 if (mask) {
866 struct qfq_group *next = qfq_ffs(q, mask); 866 struct qfq_group *next = qfq_ffs(q, mask);
867 if (qfq_gt(roundedF, next->F)) { 867 if (qfq_gt(roundedF, next->F)) {
868 cl->S = next->F; 868 if (qfq_gt(limit, next->F))
869 cl->S = next->F;
870 else /* preserve timestamp correctness */
871 cl->S = limit;
869 return; 872 return;
870 } 873 }
871 } 874 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5a2aa17e4d3c..387848e90078 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -585,6 +585,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
585 xfrm_pol_hold(policy); 585 xfrm_pol_hold(policy);
586 net->xfrm.policy_count[dir]++; 586 net->xfrm.policy_count[dir]++;
587 atomic_inc(&flow_cache_genid); 587 atomic_inc(&flow_cache_genid);
588 rt_genid_bump(net);
588 if (delpol) 589 if (delpol)
589 __xfrm_policy_unlink(delpol, dir); 590 __xfrm_policy_unlink(delpol, dir);
590 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir); 591 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
@@ -1763,7 +1764,7 @@ static struct dst_entry *make_blackhole(struct net *net, u16 family,
1763 1764
1764 if (!afinfo) { 1765 if (!afinfo) {
1765 dst_release(dst_orig); 1766 dst_release(dst_orig);
1766 ret = ERR_PTR(-EINVAL); 1767 return ERR_PTR(-EINVAL);
1767 } else { 1768 } else {
1768 ret = afinfo->blackhole_route(net, dst_orig); 1769 ret = afinfo->blackhole_route(net, dst_orig);
1769 } 1770 }
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e75d8e47f35c..289f4bf18ff0 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -123,9 +123,21 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
123 struct nlattr **attrs) 123 struct nlattr **attrs)
124{ 124{
125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
126 struct xfrm_replay_state_esn *rs;
126 127
127 if ((p->flags & XFRM_STATE_ESN) && !rt) 128 if (p->flags & XFRM_STATE_ESN) {
128 return -EINVAL; 129 if (!rt)
130 return -EINVAL;
131
132 rs = nla_data(rt);
133
134 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
135 return -EINVAL;
136
137 if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
138 nla_len(rt) != sizeof(*rs))
139 return -EINVAL;
140 }
129 141
130 if (!rt) 142 if (!rt)
131 return 0; 143 return 0;
@@ -370,14 +382,15 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
370 struct nlattr *rp) 382 struct nlattr *rp)
371{ 383{
372 struct xfrm_replay_state_esn *up; 384 struct xfrm_replay_state_esn *up;
385 int ulen;
373 386
374 if (!replay_esn || !rp) 387 if (!replay_esn || !rp)
375 return 0; 388 return 0;
376 389
377 up = nla_data(rp); 390 up = nla_data(rp);
391 ulen = xfrm_replay_state_esn_len(up);
378 392
379 if (xfrm_replay_state_esn_len(replay_esn) != 393 if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
380 xfrm_replay_state_esn_len(up))
381 return -EINVAL; 394 return -EINVAL;
382 395
383 return 0; 396 return 0;
@@ -388,22 +401,28 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn
388 struct nlattr *rta) 401 struct nlattr *rta)
389{ 402{
390 struct xfrm_replay_state_esn *p, *pp, *up; 403 struct xfrm_replay_state_esn *p, *pp, *up;
404 int klen, ulen;
391 405
392 if (!rta) 406 if (!rta)
393 return 0; 407 return 0;
394 408
395 up = nla_data(rta); 409 up = nla_data(rta);
410 klen = xfrm_replay_state_esn_len(up);
411 ulen = nla_len(rta) >= klen ? klen : sizeof(*up);
396 412
397 p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 413 p = kzalloc(klen, GFP_KERNEL);
398 if (!p) 414 if (!p)
399 return -ENOMEM; 415 return -ENOMEM;
400 416
401 pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 417 pp = kzalloc(klen, GFP_KERNEL);
402 if (!pp) { 418 if (!pp) {
403 kfree(p); 419 kfree(p);
404 return -ENOMEM; 420 return -ENOMEM;
405 } 421 }
406 422
423 memcpy(p, up, ulen);
424 memcpy(pp, up, ulen);
425
407 *replay_esn = p; 426 *replay_esn = p;
408 *preplay_esn = pp; 427 *preplay_esn = pp;
409 428
@@ -442,10 +461,11 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
442 * somehow made shareable and move it to xfrm_state.c - JHS 461 * somehow made shareable and move it to xfrm_state.c - JHS
443 * 462 *
444*/ 463*/
445static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs) 464static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
465 int update_esn)
446{ 466{
447 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 467 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
448 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 468 struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
449 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 469 struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
450 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 470 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
451 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 471 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
@@ -555,7 +575,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
555 goto error; 575 goto error;
556 576
557 /* override default values from above */ 577 /* override default values from above */
558 xfrm_update_ae_params(x, attrs); 578 xfrm_update_ae_params(x, attrs, 0);
559 579
560 return x; 580 return x;
561 581
@@ -689,6 +709,7 @@ out:
689 709
690static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 710static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
691{ 711{
712 memset(p, 0, sizeof(*p));
692 memcpy(&p->id, &x->id, sizeof(p->id)); 713 memcpy(&p->id, &x->id, sizeof(p->id));
693 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 714 memcpy(&p->sel, &x->sel, sizeof(p->sel));
694 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 715 memcpy(&p->lft, &x->lft, sizeof(p->lft));
@@ -742,7 +763,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
742 return -EMSGSIZE; 763 return -EMSGSIZE;
743 764
744 algo = nla_data(nla); 765 algo = nla_data(nla);
745 strcpy(algo->alg_name, auth->alg_name); 766 strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
746 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8); 767 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
747 algo->alg_key_len = auth->alg_key_len; 768 algo->alg_key_len = auth->alg_key_len;
748 769
@@ -878,6 +899,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
878{ 899{
879 struct xfrm_dump_info info; 900 struct xfrm_dump_info info;
880 struct sk_buff *skb; 901 struct sk_buff *skb;
902 int err;
881 903
882 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 904 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
883 if (!skb) 905 if (!skb)
@@ -888,9 +910,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
888 info.nlmsg_seq = seq; 910 info.nlmsg_seq = seq;
889 info.nlmsg_flags = 0; 911 info.nlmsg_flags = 0;
890 912
891 if (dump_one_state(x, 0, &info)) { 913 err = dump_one_state(x, 0, &info);
914 if (err) {
892 kfree_skb(skb); 915 kfree_skb(skb);
893 return NULL; 916 return ERR_PTR(err);
894 } 917 }
895 918
896 return skb; 919 return skb;
@@ -1317,6 +1340,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
1317 1340
1318static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1341static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
1319{ 1342{
1343 memset(p, 0, sizeof(*p));
1320 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1344 memcpy(&p->sel, &xp->selector, sizeof(p->sel));
1321 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1345 memcpy(&p->lft, &xp->lft, sizeof(p->lft));
1322 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1346 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
@@ -1421,6 +1445,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
1421 struct xfrm_user_tmpl *up = &vec[i]; 1445 struct xfrm_user_tmpl *up = &vec[i];
1422 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1446 struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
1423 1447
1448 memset(up, 0, sizeof(*up));
1424 memcpy(&up->id, &kp->id, sizeof(up->id)); 1449 memcpy(&up->id, &kp->id, sizeof(up->id));
1425 up->family = kp->encap_family; 1450 up->family = kp->encap_family;
1426 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1451 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
@@ -1546,6 +1571,7 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
1546{ 1571{
1547 struct xfrm_dump_info info; 1572 struct xfrm_dump_info info;
1548 struct sk_buff *skb; 1573 struct sk_buff *skb;
1574 int err;
1549 1575
1550 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1576 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1551 if (!skb) 1577 if (!skb)
@@ -1556,9 +1582,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
1556 info.nlmsg_seq = seq; 1582 info.nlmsg_seq = seq;
1557 info.nlmsg_flags = 0; 1583 info.nlmsg_flags = 0;
1558 1584
1559 if (dump_one_policy(xp, dir, 0, &info) < 0) { 1585 err = dump_one_policy(xp, dir, 0, &info);
1586 if (err) {
1560 kfree_skb(skb); 1587 kfree_skb(skb);
1561 return NULL; 1588 return ERR_PTR(err);
1562 } 1589 }
1563 1590
1564 return skb; 1591 return skb;
@@ -1822,7 +1849,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
1822 goto out; 1849 goto out;
1823 1850
1824 spin_lock_bh(&x->lock); 1851 spin_lock_bh(&x->lock);
1825 xfrm_update_ae_params(x, attrs); 1852 xfrm_update_ae_params(x, attrs, 1);
1826 spin_unlock_bh(&x->lock); 1853 spin_unlock_bh(&x->lock);
1827 1854
1828 c.event = nlh->nlmsg_type; 1855 c.event = nlh->nlmsg_type;
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-16 07:17:46 -0400