Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts: include/net/inetpeer.h net/ipv6/output_core.c Changes in net were fixing bugs in code removed in net-next. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-06-04 02:32:12 -0400
committer: David S. Miller <davem@davemloft.net> 2014-06-04 02:32:12 -0400
commit: c99f7abf0e69987e4add567e155e042cb1f2a20b (patch)
tree: d23898dc30ed25c1dae9bb6325041027d412397a /net
parent: 92ff71b8fe9cd9c673615fc6f3870af7376d7c84 (diff)
parent: d8b0426af5b67973585712c9af36b86f6ea97815 (diff)
13 files changed, 131 insertions, 44 deletions
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index 8c7ca811de6e..96b66fd30f96 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -415,7 +415,7 @@ batadv_mcast_forw_ipv4_node_get(struct batadv_priv *bat_priv)
        hlist_for_each_entry_rcu(tmp_orig_node,
                                 &bat_priv->mcast.want_all_ipv4_list,
                                 mcast_want_all_ipv4_node) {
-                if (!atomic_inc_not_zero(&orig_node->refcount))
+                if (!atomic_inc_not_zero(&tmp_orig_node->refcount))
                        continue;
                orig_node = tmp_orig_node;
@@ -442,7 +442,7 @@ batadv_mcast_forw_ipv6_node_get(struct batadv_priv *bat_priv)
        hlist_for_each_entry_rcu(tmp_orig_node,
                                 &bat_priv->mcast.want_all_ipv6_list,
                                 mcast_want_all_ipv6_node) {
-                if (!atomic_inc_not_zero(&orig_node->refcount))
+                if (!atomic_inc_not_zero(&tmp_orig_node->refcount))
                        continue;
                orig_node = tmp_orig_node;
@@ -493,7 +493,7 @@ batadv_mcast_forw_unsnoop_node_get(struct batadv_priv *bat_priv)
        hlist_for_each_entry_rcu(tmp_orig_node,
                                 &bat_priv->mcast.want_all_unsnoopables_list,
                                 mcast_want_all_unsnoopables_node) {
-                if (!atomic_inc_not_zero(&orig_node->refcount))
+                if (!atomic_inc_not_zero(&tmp_orig_node->refcount))
                        continue;
                orig_node = tmp_orig_node;
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 2c45c069ea1a..b524c36c1273 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -538,6 +538,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
 {
        struct hlist_head *head = &br->hash[br_mac_hash(addr, vid)];
        struct net_bridge_fdb_entry *fdb;
+        bool fdb_modified = false;
        /* some users want to always flood. */
        if (hold_time(br) == 0)
@@ -558,10 +559,15 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
                                        source->dev->name);
                } else {
                        /* fastpath: update of existing entry */
-                        fdb->dst = source;
+                        if (unlikely(source != fdb->dst)) {
+                                fdb->dst = source;
+                                fdb_modified = true;
+                        }
                        fdb->updated = jiffies;
                        if (unlikely(added_by_user))
                                fdb->added_by_user = 1;
+                        if (unlikely(fdb_modified))
+                                fdb_notify(br, fdb, RTM_NEWNEIGH);
                }
        } else {
                spin_lock(&br->hash_lock);
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 7985deaff52f..04d6348fd530 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -147,8 +147,8 @@ static int br_handle_local_finish(struct sk_buff *skb)
        struct net_bridge_port *p = br_port_get_rcu(skb->dev);
        u16 vid = 0;
-        br_vlan_get_tag(skb, &vid);
+        /* check if vlan is allowed, to avoid spoofing */
-        if (p->flags & BR_LEARNING)
+        if (p->flags & BR_LEARNING && br_should_learn(p, skb, &vid))
                br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, false);
        return 0;        /* process further */
 }
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 53d6e32965fc..bc17210d4c52 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -589,6 +589,7 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
                        struct sk_buff *skb, u16 *vid);
 bool br_allowed_egress(struct net_bridge *br, const struct net_port_vlans *v,
                       const struct sk_buff *skb);
+bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid);
 struct sk_buff *br_handle_vlan(struct net_bridge *br,
                               const struct net_port_vlans *v,
                               struct sk_buff *skb);
@@ -660,6 +661,12 @@ static inline bool br_allowed_egress(struct net_bridge *br,
        return true;
 }
+static inline bool br_should_learn(struct net_bridge_port *p,
+                                   struct sk_buff *skb, u16 *vid)
+{
+        return true;
+}
 static inline struct sk_buff *br_handle_vlan(struct net_bridge *br,
                                             const struct net_port_vlans *v,
                                             struct sk_buff *skb)
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 24c5cc55589f..fcc95390f862 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -241,6 +241,34 @@ bool br_allowed_egress(struct net_bridge *br,
        return false;
 }
+/* Called under RCU */
+bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid)
+{
+        struct net_bridge *br = p->br;
+        struct net_port_vlans *v;
+        if (!br->vlan_enabled)
+                return true;
+        v = rcu_dereference(p->vlan_info);
+        if (!v)
+                return false;
+        br_vlan_get_tag(skb, vid);
+        if (!*vid) {
+                *vid = br_get_pvid(v);
+                if (*vid == VLAN_N_VID)
+                        return false;
+                return true;
+        }
+        if (test_bit(*vid, v->vlan_bitmap))
+                return true;
+        return false;
+}
 /* Must be protected by RTNL.
 * Must be called with vid in range from 1 to 4094 inclusive.
 */
diff --git a/net/core/dev.c b/net/core/dev.c
index 1ba2cfe3f8e8..5367bfba0947 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2289,8 +2289,8 @@ EXPORT_SYMBOL(skb_checksum_help);
 __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
 {
+        unsigned int vlan_depth = skb->mac_len;
        __be16 type = skb->protocol;
-        int vlan_depth = skb->mac_len;
        /* Tunnel gso handlers can set protocol to ethernet. */
        if (type == htons(ETH_P_TEB)) {
@@ -2303,15 +2303,30 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
                type = eth->h_proto;
        }
-        while (type == htons(ETH_P_8021Q) || type == htons(ETH_P_8021AD)) {
+        /* if skb->protocol is 802.1Q/AD then the header should already be
-                struct vlan_hdr *vh;
+         * present at mac_len - VLAN_HLEN (if mac_len > 0), or at
+         * ETH_HLEN otherwise
-                if (unlikely(!pskb_may_pull(skb, vlan_depth + VLAN_HLEN)))
+         */
-                        return 0;
+        if (type == htons(ETH_P_8021Q) || type == htons(ETH_P_8021AD)) {
+                if (vlan_depth) {
-                vh = (struct vlan_hdr *)(skb->data + vlan_depth);
+                        if (unlikely(WARN_ON(vlan_depth < VLAN_HLEN)))
-                type = vh->h_vlan_encapsulated_proto;
+                                return 0;
-                vlan_depth += VLAN_HLEN;
+                        vlan_depth -= VLAN_HLEN;
+                } else {
+                        vlan_depth = ETH_HLEN;
+                }
+                do {
+                        struct vlan_hdr *vh;
+                        if (unlikely(!pskb_may_pull(skb,
+                                                    vlan_depth + VLAN_HLEN)))
+                                return 0;
+                        vh = (struct vlan_hdr *)(skb->data + vlan_depth);
+                        type = vh->h_vlan_encapsulated_proto;
+                        vlan_depth += VLAN_HLEN;
+                } while (type == htons(ETH_P_8021Q) ||
+                         type == htons(ETH_P_8021AD));
        }
        *depth = vlan_depth;
diff --git a/net/core/filter.c b/net/core/filter.c
index 842f8393121d..9de0c25323b4 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1492,8 +1492,13 @@ static struct sk_filter *__sk_prepare_filter(struct sk_filter *fp,
        fp->jited = 0;
        err = sk_chk_filter(fp->insns, fp->len);
-        if (err)
+        if (err) {
+                if (sk != NULL)
+                        sk_filter_uncharge(sk, fp);
+                else
+                        kfree(fp);
                return ERR_PTR(err);
+        }
        /* Probe if we can JIT compile the filter and if so, do
         * the compilation of the filter.
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f31268dbc0d1..741b22c62acf 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2045,11 +2045,15 @@ replay:
                if (ops->newlink) {
                        err = ops->newlink(net, dev, tb, data);
                        /* Drivers should call free_netdev() in ->destructor
-                         * and unregister it on failure so that device could be
+                         * and unregister it on failure after registration
-                         * finally freed in rtnl_unlock.
+                         * so that device could be finally freed in rtnl_unlock.
                         */
-                        if (err < 0)
+                        if (err < 0) {
+                                /* If device is not registered at all, free it now */
+                                if (dev->reg_state == NETREG_UNINITIALIZED)
+                                        free_netdev(dev);
                                goto out;
+                        }
                } else {
                        err = register_netdevice(dev);
                        if (err < 0) {
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 350b2072f0ab..931529d5daa2 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2684,13 +2684,12 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
        bool recovered = !before(tp->snd_una, tp->high_seq);
        if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
-                if (flag & FLAG_ORIG_SACK_ACKED) {
+                /* Step 3.b. A timeout is spurious if not all data are
-                        /* Step 3.b. A timeout is spurious if not all data are
+                 * lost, i.e., never-retransmitted data are (s)acked.
-                         * lost, i.e., never-retransmitted data are (s)acked.
+                 */
-                         */
+                if (tcp_try_undo_loss(sk, flag & FLAG_ORIG_SACK_ACKED))
-                        tcp_try_undo_loss(sk, true);
                        return;
-                }
                if (after(tp->snd_nxt, tp->high_seq) &&
                    (flag & FLAG_DATA_SACKED || is_dupack)) {
                        tp->frto = 0; /* Loss was real: 2nd part of step 3.a */
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 6179ac186ab9..ffa029305a09 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -8,7 +8,6 @@
 #include <net/addrconf.h>
 #include <net/secure_seq.h>
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
        u16 offset = sizeof(struct ipv6hdr);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index d9da8c448c76..e6836755c45d 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1392,15 +1392,19 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        if (ipip) {
                __be32 info = ic->un.gateway;
+                __u8 type = ic->type;
+                __u8 code = ic->code;
                /* Update the MTU */
                if (ic->type == ICMP_DEST_UNREACH &&
                    ic->code == ICMP_FRAG_NEEDED) {
                        struct ip_vs_dest *dest = cp->dest;
                        u32 mtu = ntohs(ic->un.frag.mtu);
+                        __be16 frag_off = cih->frag_off;
                        /* Strip outer IP and ICMP, go to IPIP header */
-                        __skb_pull(skb, ihl + sizeof(_icmph));
+                        if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
+                                goto ignore_ipip;
                        offset2 -= ihl + sizeof(_icmph);
                        skb_reset_network_header(skb);
                        IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
@@ -1408,7 +1412,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                        ipv4_update_pmtu(skb, dev_net(skb->dev),
                                         mtu, 0, 0, 0, 0);
                        /* Client uses PMTUD? */
-                        if (!(cih->frag_off & htons(IP_DF)))
+                        if (!(frag_off & htons(IP_DF)))
                                goto ignore_ipip;
                        /* Prefer the resulting PMTU */
                        if (dest) {
@@ -1427,12 +1431,13 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                /* Strip outer IP, ICMP and IPIP, go to IP header of
                 * original request.
                 */
-                __skb_pull(skb, offset2);
+                if (pskb_pull(skb, offset2) == NULL)
+                        goto ignore_ipip;
                skb_reset_network_header(skb);
                IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
                        &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
-                        ic->type, ic->code, ntohl(info));
+                        type, code, ntohl(info));
-                icmp_send(skb, ic->type, ic->code, info);
+                icmp_send(skb, type, code, info);
                /* ICMP can be shorter but anyways, account it */
                ip_vs_out_stats(cp, skb);
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index e0ccd84d4d67..15c731f03fa6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1377,7 +1377,9 @@ retry:
 bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
                        struct user_namespace *user_ns, int cap)
 {
-        return sk_ns_capable(nsp->sk, user_ns, cap);
+        return ((nsp->flags & NETLINK_SKB_DST) ||
+                file_ns_capable(nsp->sk->sk_socket->file, user_ns, cap)) &&
+                ns_capable(user_ns, cap);
 }
 EXPORT_SYMBOL(__netlink_ns_capable);
@@ -2323,6 +2325,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
        struct sk_buff *skb;
        int err;
        struct scm_cookie scm;
+        u32 netlink_skb_flags = 0;
        if (msg->msg_flags&MSG_OOB)
                return -EOPNOTSUPP;
@@ -2344,6 +2347,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
                if ((dst_group || dst_portid) &&
                    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
                        goto out;
+                netlink_skb_flags |= NETLINK_SKB_DST;
        } else {
                dst_portid = nlk->dst_portid;
                dst_group = nlk->dst_group;
@@ -2373,6 +2377,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
        NETLINK_CB(skb).portid  = nlk->portid;
        NETLINK_CB(skb).dst_group = dst_group;
        NETLINK_CB(skb).creds   = siocb->scm->creds;
+        NETLINK_CB(skb).flags   = netlink_skb_flags;
        err = -EFAULT;
        if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index fd9a16a6d1de..412d9dc3a873 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -947,6 +947,20 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
        return skb;
 }
+/* A wrapper for nlmsg_multicast() checking that nlsk is still available.
+ * Must be called with RCU read lock.
+ */
+static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
+                                       u32 pid, unsigned int group)
+{
+        struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
+        if (nlsk)
+                return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+        else
+                return -1;
+}
 static inline size_t xfrm_spdinfo_msgsize(void)
 {
        return NLMSG_ALIGN(4)
@@ -2228,7 +2242,7 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
        if (build_migrate(skb, m, num_migrate, k, sel, dir, type) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE);
 }
 #else
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
@@ -2419,7 +2433,7 @@ static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
                return -EMSGSIZE;
        }
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
 }
 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c)
@@ -2434,7 +2448,7 @@ static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event
        if (build_aevent(skb, x, c) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_AEVENTS);
 }
 static int xfrm_notify_sa_flush(const struct km_event *c)
@@ -2460,7 +2474,7 @@ static int xfrm_notify_sa_flush(const struct km_event *c)
        nlmsg_end(skb, nlh);
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
 }
 static inline size_t xfrm_sa_len(struct xfrm_state *x)
@@ -2547,7 +2561,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
        nlmsg_end(skb, nlh);
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
 out_free_skb:
        kfree_skb(skb);
@@ -2638,7 +2652,7 @@ static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt,
        if (build_acquire(skb, x, xt, xp) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_ACQUIRE, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE);
 }
 /* User gives us xfrm_user_policy_info followed by an array of 0
@@ -2752,7 +2766,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct
        if (build_polexpire(skb, xp, dir, c) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
 }
 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
@@ -2814,7 +2828,7 @@ static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_e
        nlmsg_end(skb, nlh);
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
 out_free_skb:
        kfree_skb(skb);
@@ -2842,7 +2856,7 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
        nlmsg_end(skb, nlh);
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
 out_free_skb:
        kfree_skb(skb);
@@ -2911,7 +2925,7 @@ static int xfrm_send_report(struct net *net, u8 proto,
        if (build_report(skb, proto, sel, addr) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_REPORT, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_REPORT);
 }
 static inline size_t xfrm_mapping_msgsize(void)
@@ -2963,7 +2977,7 @@ static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
        if (build_mapping(skb, x, ipaddr, sport) < 0)
                BUG();
-        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MAPPING, GFP_ATOMIC);
+        return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MAPPING);
 }
 static bool xfrm_is_alive(const struct km_event *c)
author	David S. Miller <davem@davemloft.net>	2014-06-04 02:32:12 -0400
committer	David S. Miller <davem@davemloft.net>	2014-06-04 02:32:12 -0400
commit	c99f7abf0e69987e4add567e155e042cb1f2a20b (patch)
tree	d23898dc30ed25c1dae9bb6325041027d412397a /net
parent	92ff71b8fe9cd9c673615fc6f3870af7376d7c84 (diff)
parent	d8b0426af5b67973585712c9af36b86f6ea97815 (diff)