Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Signed-off-by: David S. Miller <davem@davemloft.net>

9 files changed, 46 insertions, 16 deletions

diff --git a/net/compat.c b/net/compat.c
index 9a76eaf63184..bc8aeefddf3f 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
 {
         int tot_len;
 
-        if (kern_msg->msg_namelen) {
+        if (kern_msg->msg_name && kern_msg->msg_namelen) {
                 if (mode == VERIFY_READ) {
                         int err = move_addr_to_kernel(kern_msg->msg_name,
                                                       kern_msg->msg_namelen,
@@ -93,10 +93,11 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
                         if (err < 0)
                                 return err;
                 }
-                if (kern_msg->msg_name)
-                        kern_msg->msg_name = kern_address;
-        } else
+                kern_msg->msg_name = kern_address;
+        } else {
                 kern_msg->msg_name = NULL;
+                kern_msg->msg_namelen = 0;
+        }
 
         tot_len = iov_from_user_compat_to_kern(kern_iov,
                                           (struct compat_iovec __user *)kern_msg->msg_iov,
diff --git a/net/core/iovec.c b/net/core/iovec.c
index 827dd6beb49c..e1ec45ab1e63 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -39,7 +39,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
 {
         int size, ct, err;
 
-        if (m->msg_namelen) {
+        if (m->msg_name && m->msg_namelen) {
                 if (mode == VERIFY_READ) {
                         void __user *namep;
                         namep = (void __user __force *) m->msg_name;
@@ -48,10 +48,10 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
                         if (err < 0)
                                 return err;
                 }
-                if (m->msg_name)
-                        m->msg_name = address;
+                m->msg_name = address;
         } else {
                 m->msg_name = NULL;
+                m->msg_namelen = 0;
         }
 
         size = m->msg_iovlen * sizeof(struct iovec);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 559890b0f0a2..ef31fef25e5a 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2249,7 +2249,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
         ndm->ndm_pad1    = 0;
         ndm->ndm_pad2    = 0;
         ndm->ndm_flags   = pn->flags | NTF_PROXY;
-        ndm->ndm_type    = NDA_DST;
+        ndm->ndm_type    = RTN_UNICAST;
         ndm->ndm_ifindex = pn->dev->ifindex;
         ndm->ndm_state   = NUD_NONE;
 
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3162ea923ded..190199851c9a 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -457,8 +457,31 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
         return neigh_create(&arp_tbl, pkey, dev);
 }
 
-atomic_t *ip_idents __read_mostly;
-EXPORT_SYMBOL(ip_idents);
+#define IP_IDENTS_SZ 2048u
+struct ip_ident_bucket {
+        atomic_t        id;
+        u32             stamp32;
+};
+
+static struct ip_ident_bucket *ip_idents __read_mostly;
+
+/* In order to protect privacy, we add a perturbation to identifiers
+ * if one generator is seldom used. This makes hard for an attacker
+ * to infer how many packets were sent between two points in time.
+ */
+u32 ip_idents_reserve(u32 hash, int segs)
+{
+        struct ip_ident_bucket *bucket = ip_idents + hash % IP_IDENTS_SZ;
+        u32 old = ACCESS_ONCE(bucket->stamp32);
+        u32 now = (u32)jiffies;
+        u32 delta = 0;
+
+        if (old != now && cmpxchg(&bucket->stamp32, old, now) == old)
+                delta = prandom_u32_max(now - old);
+
+        return atomic_add_return(segs + delta, &bucket->id) - segs;
+}
+EXPORT_SYMBOL(ip_idents_reserve);
 
 void __ip_select_ident(struct iphdr *iph, int segs)
 {
@@ -467,7 +490,10 @@ void __ip_select_ident(struct iphdr *iph, int segs)
 
         net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
 
-        hash = jhash_1word((__force u32)iph->daddr, ip_idents_hashrnd);
+        hash = jhash_3words((__force u32)iph->daddr,
+                            (__force u32)iph->saddr,
+                            iph->protocol,
+                            ip_idents_hashrnd);
         id = ip_idents_reserve(hash, segs);
         iph->id = htons(id);
 }
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 2e339d241b69..f5dafe609f8b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -546,6 +546,8 @@ static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
         net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
 
         hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
+        hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
+
         id = ip_idents_reserve(hash, 1);
         fhdr->identification = htonl(id);
 }
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index a8eb0a89326a..610e19c0e13f 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -797,7 +797,6 @@ static void ip_vs_conn_expire(unsigned long data)
                         ip_vs_control_del(cp);
 
                 if (cp->flags & IP_VS_CONN_F_NFCT) {
-                        ip_vs_conn_drop_conntrack(cp);
                         /* Do not access conntracks during subsys cleanup
                          * because nf_conntrack_find_get can not be used after
                          * conntrack cleanup for the net.
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 9de23a222d3f..06a9ee6b2d3a 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
         asoc->c = new->c;
         asoc->peer.rwnd = new->peer.rwnd;
         asoc->peer.sack_needed = new->peer.sack_needed;
+        asoc->peer.auth_capable = new->peer.auth_capable;
         asoc->peer.i = new->peer.i;
         sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
                          asoc->peer.i.initial_tsn, GFP_ATOMIC);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a8ef5108e0d8..0525d78ba328 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2097,6 +2097,8 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
                                 goto no_transform;
                         }
 
+                        dst_hold(&xdst->u.dst);
+                        xdst->u.dst.flags |= DST_NOCACHE;
                         route = xdst->route;
                 }
         }
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 412d9dc3a873..d4db6ebb089d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -177,9 +177,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                     attrs[XFRMA_ALG_AEAD]       ||
                     attrs[XFRMA_ALG_CRYPT]      ||
                     attrs[XFRMA_ALG_COMP]       ||
-                    attrs[XFRMA_TFCPAD]         ||
-                    (ntohl(p->id.spi) >= 0x10000))
-
+                    attrs[XFRMA_TFCPAD])
                         goto out;
                 break;
 
@@ -207,7 +205,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                     attrs[XFRMA_ALG_AUTH]       ||
                     attrs[XFRMA_ALG_AUTH_TRUNC] ||
                     attrs[XFRMA_ALG_CRYPT]      ||
-                    attrs[XFRMA_TFCPAD])
+                    attrs[XFRMA_TFCPAD]         ||
+                    (ntohl(p->id.spi) >= 0x10000))
                         goto out;
                 break;