Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
af_key: Free dumping state on socket close
XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
ipv6: NULL pointer dereferrence in tcp_v6_send_ack
tcp: Fix NULL dereference in tcp_4_send_ack()
sctp: Fix kernel panic while process protocol violation parameter
iucv: Fix mismerge again.
ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

+96 -41
+3
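--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -227,6 +227,9 @@
 const struct sctp_chunk *,
 const __u8 *,
 const size_t );
+struct sctp_chunk *sctp_make_violation_paramlen(const struct sctp_association *,
+const struct sctp_chunk *,
+struct sctp_paramhdr *);
 struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *,
 const struct sctp_transport *,
 const void *payload,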
+1 -1
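--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -618,7 +618,7 @@
 ];
 } rep;
 struct ip_reply_arg arg;
-struct net *net = dev_net(skb->dev);
+struct net *net = dev_net(skb->dst->dev);
 
 memset(&rep.th, 0, sizeof(struct tcphdr));
 memset(&arg, 0, sizeof(arg));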
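Review bot: The new initializer `dev_net(skb->dst->dev)` dereferences `skb->dst` unconditionally, and nothing in the visible lines records why a route is always attached to the skb on this path. A short comment above the declaration would pin the invariant, for example `/* skb->dev can be NULL here; take the netns from the attached route instead */`, worded to match whatever the callers actually guarantee. The identical one-line change in net/ipv6/tcp_ipv6.c deserves the same comment. The enclosing function starts and ends outside the hunk.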
+2
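--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2688,6 +2688,8 @@
 if (ret)
 goto out_kmem_cache;
 
+ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops_template.kmem_cachep;
+
 /* Registering of the loopback is done before this portion of code,
 * the loopback reference in rt6_info will not be taken, do it
 * manually for init_net */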
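Review bot: After this assignment `ip6_dst_blackhole_ops.kmem_cachep` aliases the cache held by `ip6_dst_ops_template`, so any path that destroys that cache leaves a second, stale pointer behind. The `out_kmem_cache` label and the cleanup routine are outside the hunk; if they destroy the cache they should also reset the alias with `ip6_dst_blackhole_ops.kmem_cachep = NULL;`. A comment at the assignment such as `/* blackhole ops borrow the template's cache and do not own it */` would make the ownership explicit.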
+1 -1
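--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1050,7 +1050,7 @@
 struct tcphdr *th = tcp_hdr(skb), *t1;
 struct sk_buff *buff;
 struct flowi fl;
-struct net *net = dev_net(skb->dev);
+struct net *net = dev_net(skb->dst->dev);
 struct sock *ctl_sk = net->ipv6.tcp_sk;
 unsigned int tot_len = sizeof(struct tcphdr);
 __be32 *topt;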
+2 -1
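--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -524,7 +524,6 @@
 get_online_cpus();
 for_each_online_cpu(cpu)
 smp_call_function_single(cpu, iucv_declare_cpu, NULL, 1);
-preempt_enable();
 if (cpus_empty(iucv_buffer_cpumask))
 /* No cpu could declare an iucv buffer. */
 goto out_path;
@@ -547,7 +546,9 @@
 */
 static void iucv_disable(void)
 {
+get_online_cpus();
 on_each_cpu(iucv_retrieve_cpu, NULL, 1);
+put_online_cpus();
 kfree(iucv_path_table);
 }
 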
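Review bot: In `iucv_disable()` the added `put_online_cpus()` sits before `kfree(iucv_path_table)`, so the table is freed outside the hotplug-protected region and the pointer keeps its old value afterwards. If a CPU hotplug callback or a later enable path reads `iucv_path_table` (not visible here), that leaves a use-after-free window; freeing inside the region and clearing the pointer closes it: `kfree(iucv_path_table); iucv_path_table = NULL; put_online_cpus();`. In the first hunk the `out_path` label is outside the view, so it is worth confirming that it releases the hotplug reference taken by `get_online_cpus()`.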
+19 -11
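--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -73,22 +73,18 @@
 return 0;
 }
 
-static int pfkey_do_dump(struct pfkey_sock *pfk)
+static void pfkey_terminate_dump(struct pfkey_sock *pfk)
 {
-int rc;
-
-rc = pfk->dump.dump(pfk);
-if (rc == -ENOBUFS)
-return 0;
-
-pfk->dump.done(pfk);
-pfk->dump.dump = NULL;
-pfk->dump.done = NULL;
-return rc;
+if (pfk->dump.dump) {
+pfk->dump.done(pfk);
+pfk->dump.dump = NULL;
+pfk->dump.done = NULL;
+}
 }
 
 static void pfkey_sock_destruct(struct sock *sk)
 {
+pfkey_terminate_dump(pfkey_sk(sk));
 skb_queue_purge(&sk->sk_receive_queue);
 
 if (!sock_flag(sk, SOCK_DEAD)) {
@@ -308,6 +304,18 @@
 kfree_skb(skb2);
 kfree_skb(skb);
 return err;
+}
+
+static int pfkey_do_dump(struct pfkey_sock *pfk)
+{
+int rc;
+
+rc = pfk->dump.dump(pfk);
+if (rc == -ENOBUFS)
+return 0;
+
+pfkey_terminate_dump(pfk);
+return rc;
 }
 
 static inline void pfkey_hdr_dup(struct sadb_msg *new, struct sadb_msg *orig)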
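Review bot: `pfkey_terminate_dump()` tests `pfk->dump.dump` but then calls `pfk->dump.done`, which is safe only if the two callbacks are always installed and cleared together; the code that sets them is outside these hunks. The invariant should be written down above the helper, for example `/* dump.dump and dump.done are set and cleared as a pair; dump.dump != NULL means a dump is pending */`. Since the helper now also runs from `pfkey_sock_destruct()`, a one-line comment at that call saying that an unfinished dump's state is released at socket teardown would explain why it precedes the queue purge.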
+24 -13
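--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1012,6 +1012,29 @@
 return retval;
 }
 
+struct sctp_chunk *sctp_make_violation_paramlen(
+const struct sctp_association *asoc,
+const struct sctp_chunk *chunk,
+struct sctp_paramhdr *param)
+{
+struct sctp_chunk *retval;
+static const char error[] = "The following parameter had invalid length:";
+size_t payload_len = sizeof(error) + sizeof(sctp_errhdr_t) +
+sizeof(sctp_paramhdr_t);
+
+retval = sctp_make_abort(asoc, chunk, payload_len);
+if (!retval)
+goto nodata;
+
+sctp_init_cause(retval, SCTP_ERROR_PROTO_VIOLATION,
+sizeof(error) + sizeof(sctp_paramhdr_t));
+sctp_addto_chunk(retval, sizeof(error), error);
+sctp_addto_param(retval, sizeof(sctp_paramhdr_t), param);
+
+nodata:
+return retval;
+}
+
 /* Make a HEARTBEAT chunk. */
 struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
 const struct sctp_transport *transport,
@@ -1782,11 +1805,6 @@
 const struct sctp_chunk *chunk,
 struct sctp_chunk **errp)
 {
-static const char error[] = "The following parameter had invalid length:";
-size_t payload_len = WORD_ROUND(sizeof(error)) +
-sizeof(sctp_paramhdr_t);
-
-
 /* This is a fatal error. Any accumulated non-fatal errors are
 * not reported.
 */
@@ -1794,14 +1812,7 @@
 sctp_chunk_free(*errp);
 
 /* Create an error chunk and fill it in with our payload. */
-*errp = sctp_make_op_error_space(asoc, chunk, payload_len);
-
-if (*errp) {
-sctp_init_cause(*errp, SCTP_ERROR_PROTO_VIOLATION,
-sizeof(error) + sizeof(sctp_paramhdr_t));
-sctp_addto_chunk(*errp, sizeof(error), error);
-sctp_addto_param(*errp, sizeof(sctp_paramhdr_t), param);
-}
+*errp = sctp_make_violation_paramlen(asoc, chunk, param);
 
 return 0;
 }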
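Review bot: `payload_len` in the new `sctp_make_violation_paramlen()` no longer rounds the message length, whereas the code removed further down used `WORD_ROUND(sizeof(error))`. The space reserved through `sctp_make_abort()` is exact only while `sizeof(error)` stays a multiple of four; if `sctp_addto_chunk()` pads what it appends (its body is not visible here), an edited message could outgrow the reservation. Keeping the rounding costs nothing: `size_t payload_len = WORD_ROUND(sizeof(error)) + sizeof(sctp_errhdr_t) + sizeof(sctp_paramhdr_t);`. The function also lacks the one-line header comment its neighbours carry, e.g. `/* Make an ABORT chunk reporting a parameter with an invalid length. */`.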
+37 -11
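--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -119,7 +119,7 @@
 const struct sctp_endpoint *ep,
 const struct sctp_association *asoc,
 const sctp_subtype_t type,
-void *arg,
+void *arg, void *ext,
 sctp_cmd_seq_t *commands);
 
 static sctp_disposition_t sctp_sf_violation_ctsn(
@@ -3425,7 +3425,7 @@
 addr_param = (union sctp_addr_param *)hdr->params;
 length = ntohs(addr_param->p.length);
 if (length < sizeof(sctp_paramhdr_t))
-return sctp_sf_violation_paramlen(ep, asoc, type,
+return sctp_sf_violation_paramlen(ep, asoc, type, arg,
 (void *)addr_param, commands);
 
 /* Verify the ASCONF chunk before processing it. */
@@ -3433,8 +3433,8 @@
 (sctp_paramhdr_t *)((void *)addr_param + length),
 (void *)chunk->chunk_end,
 &err_param))
-return sctp_sf_violation_paramlen(ep, asoc, type,
-(void *)&err_param, commands);
+return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+(void *)err_param, commands);
 
 /* ADDIP 5.2 E1) Compare the value of the serial number to the value
 * the endpoint stored in a new association variable
@@ -3542,8 +3542,8 @@
 (sctp_paramhdr_t *)addip_hdr->params,
 (void *)asconf_ack->chunk_end,
 &err_param))
-return sctp_sf_violation_paramlen(ep, asoc, type,
-(void *)&err_param, commands);
+return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+(void *)err_param, commands);
 
 if (last_asconf) {
 addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr;
@@ -4240,12 +4240,38 @@
 const struct sctp_endpoint *ep,
 const struct sctp_association *asoc,
 const sctp_subtype_t type,
-void *arg,
-sctp_cmd_seq_t *commands) {
-static const char err_str[] = "The following parameter had invalid length:";
+void *arg, void *ext,
+sctp_cmd_seq_t *commands)
+{
+struct sctp_chunk *chunk = arg;
+struct sctp_paramhdr *param = ext;
+struct sctp_chunk *abort = NULL;
 
-return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str,
-sizeof(err_str));
+if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
+goto discard;
+
+/* Make the abort chunk. */
+abort = sctp_make_violation_paramlen(asoc, chunk, param);
+if (!abort)
+goto nomem;
+
+sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
+
+sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+SCTP_ERROR(ECONNABORTED));
+sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
+SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION));
+SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
+
+discard:
+sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands);
+
+SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
+
+return SCTP_DISPOSITION_ABORT;
+nomem:
+return SCTP_DISPOSITION_NOMEM;
 }
 
 /* Handle a protocol violation when the peer trying to advance the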
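Review bot: The new `ext` argument of `sctp_sf_violation_paramlen()` is an untyped `void *` and every caller casts to `(void *)`, which is what let the old `(void *)&err_param` calls compile while handing over the address of the pointer rather than the parameter itself. Typing the argument lets the compiler reject that mistake: declare it as `struct sctp_paramhdr *param` in both the prototype and the definition, and drop the casts at call sites where the type already matches. Separately, the `discard:` path taken when `sctp_auth_recv_cid()` is true still increments `SCTP_MIB_ABORTEDS` and returns `SCTP_DISPOSITION_ABORT` although no ABORT was queued; if that is intended it deserves a comment at the label.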
+7 -3
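--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -27,10 +27,14 @@
 - skb_headroom(skb);
 int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
 
-if (nhead > 0 || ntail > 0)
-return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
+if (nhead <= 0) {
+if (ntail <= 0)
+return 0;
+nhead = 0;
+} else if (ntail < 0)
+ntail = 0;
 
-return 0;
+return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
 }
 
 static int xfrm_output_one(struct sk_buff *skb, int err)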
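Review bot: Nothing at the call site explains why a negative `nhead` or `ntail` has to be zeroed before `pskb_expand_head()` is called, so the clamp is easy to simplify away again in a later cleanup. A comment above the `if` would preserve the reason, e.g. `/* never pass a negative delta to pskb_expand_head(): zero the side that already has room */`. The braced `if` followed by an unbraced `else if` would also read better with braces on both branches. The start of the function is outside the hunk.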