tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (30 commits)
xfrm: Restrict extended sequence numbers to esp
xfrm: Check for esn buffer len in xfrm_new_ae
xfrm: Assign esn pointers when cloning a state
xfrm: Move the test on replay window size into the replay check functions
netdev: bfin_mac: document TE setting in RMII modes
drivers net: Fix declaration ordering in inline functions.
cxgb3: Apply interrupt coalescing settings to all queues
net: Always allocate at least 16 skb frags regardless of page size
ipv4: Don't ip_rt_put() an error pointer in RAW sockets.
net: fix ethtool->set_flags not intended -EINVAL return value
mlx4_en: Fix loss of promiscuity
tg3: Fix inline keyword usage
tg3: use <linux/io.h> and <linux/uaccess.h> instead <asm/io.h> and <asm/uaccess.h>
net: use CHECKSUM_NONE instead of magic number
Net / jme: Do not use legacy PCI power management
myri10ge: small rx_done refactoring
bridge: notify applications if address of bridge device changes
ipv4: Fix IP timestamp option (IPOPT_TS_PRESPEC) handling in ip_options_echo()
can: c_can: Fix tx_bytes accounting
can: c_can_platform: fix irq check in probe
...

Linus Torvalds cb1817b3 89078d57

+326 -189
unified split
+11 -2
drivers/net/bfin_mac.c
··· 1237 1237 1238 1238 if (phydev->interface == PHY_INTERFACE_MODE_RMII) { 1239 1239 opmode |= RMII; /* For Now only 100MBit are supported */ 1240 - #if (defined(CONFIG_BF537) || defined(CONFIG_BF536)) && CONFIG_BF_REV_0_2 1241 - opmode |= TE; 1240 + #if defined(CONFIG_BF537) || defined(CONFIG_BF536) 1241 + if (__SILICON_REVISION__ < 3) { 1242 + /* 1243 + * This isn't publicly documented (fun times!), but in 1244 + * silicon <=0.2, the RX and TX pins are clocked together. 1245 + * So in order to recv, we must enable the transmit side 1246 + * as well. This will cause a spurious TX interrupt too, 1247 + * but we can easily consume that. 1248 + */ 1249 + opmode |= TE; 1250 + } 1242 1251 #endif 1243 1252 } 1244 1253
+1 -1
drivers/net/bnx2.c
··· 8317 8317 #endif 8318 8318 }; 8319 8319 8320 - static void inline vlan_features_add(struct net_device *dev, u32 flags) 8320 + static inline void vlan_features_add(struct net_device *dev, u32 flags) 8321 8321 { 8322 8322 dev->vlan_features |= flags; 8323 8323 }
+5 -11
drivers/net/can/c_can/c_can.c
··· 588 588 { 589 589 struct c_can_priv *priv = netdev_priv(dev); 590 590 591 - if (priv->can.ctrlmode & CAN_CTRLMODE_ONE_SHOT) 592 - /* disable automatic retransmission */ 593 - priv->write_reg(priv, &priv->regs->control, 594 - CONTROL_DISABLE_AR); 595 - else 596 - /* enable automatic retransmission */ 597 - priv->write_reg(priv, &priv->regs->control, 598 - CONTROL_ENABLE_AR); 591 + /* enable automatic retransmission */ 592 + priv->write_reg(priv, &priv->regs->control, 593 + CONTROL_ENABLE_AR); 599 594 600 595 if (priv->can.ctrlmode & (CAN_CTRLMODE_LISTENONLY & 601 596 CAN_CTRLMODE_LOOPBACK)) { ··· 699 704 700 705 for (/* nix */; (priv->tx_next - priv->tx_echo) > 0; priv->tx_echo++) { 701 706 msg_obj_no = get_tx_echo_msg_obj(priv); 702 - c_can_inval_msg_object(dev, 0, msg_obj_no); 703 707 val = c_can_read_reg32(priv, &priv->regs->txrqst1); 704 708 if (!(val & (1 << msg_obj_no))) { 705 709 can_get_echo_skb(dev, ··· 707 713 &priv->regs->ifregs[0].msg_cntrl) 708 714 & IF_MCONT_DLC_MASK; 709 715 stats->tx_packets++; 716 + c_can_inval_msg_object(dev, 0, msg_obj_no); 710 717 } 711 718 } 712 719 ··· 1107 1112 priv->can.bittiming_const = &c_can_bittiming_const; 1108 1113 priv->can.do_set_mode = c_can_set_mode; 1109 1114 priv->can.do_get_berr_counter = c_can_get_berr_counter; 1110 - priv->can.ctrlmode_supported = CAN_CTRLMODE_ONE_SHOT | 1111 - CAN_CTRLMODE_LOOPBACK | 1115 + priv->can.ctrlmode_supported = CAN_CTRLMODE_LOOPBACK | 1112 1116 CAN_CTRLMODE_LISTENONLY | 1113 1117 CAN_CTRLMODE_BERR_REPORTING; 1114 1118
+5 -4
drivers/net/can/c_can/c_can_platform.c
··· 73 73 void __iomem *addr; 74 74 struct net_device *dev; 75 75 struct c_can_priv *priv; 76 - struct resource *mem, *irq; 76 + struct resource *mem; 77 + int irq; 77 78 #ifdef CONFIG_HAVE_CLK 78 79 struct clk *clk; 79 80 ··· 89 88 90 89 /* get the platform data */ 91 90 mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); 92 - irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0); 93 - if (!mem || (irq <= 0)) { 91 + irq = platform_get_irq(pdev, 0); 92 + if (!mem || irq <= 0) { 94 93 ret = -ENODEV; 95 94 goto exit_free_clk; 96 95 } ··· 118 117 119 118 priv = netdev_priv(dev); 120 119 121 - dev->irq = irq->start; 120 + dev->irq = irq; 122 121 priv->regs = addr; 123 122 #ifdef CONFIG_HAVE_CLK 124 123 priv->can.clock.freq = clk_get_rate(clk);
+10 -4
drivers/net/cxgb3/cxgb3_main.c
··· 1983 1983 { 1984 1984 struct port_info *pi = netdev_priv(dev); 1985 1985 struct adapter *adapter = pi->adapter; 1986 - struct qset_params *qsp = &adapter->params.sge.qset[0]; 1987 - struct sge_qset *qs = &adapter->sge.qs[0]; 1986 + struct qset_params *qsp; 1987 + struct sge_qset *qs; 1988 + int i; 1988 1989 1989 1990 if (c->rx_coalesce_usecs * 10 > M_NEWTIMER) 1990 1991 return -EINVAL; 1991 1992 1992 - qsp->coalesce_usecs = c->rx_coalesce_usecs; 1993 - t3_update_qset_coalesce(qs, qsp); 1993 + for (i = 0; i < pi->nqsets; i++) { 1994 + qsp = &adapter->params.sge.qset[i]; 1995 + qs = &adapter->sge.qs[i]; 1996 + qsp->coalesce_usecs = c->rx_coalesce_usecs; 1997 + t3_update_qset_coalesce(qs, qsp); 1998 + } 1999 + 1994 2000 return 0; 1995 2001 } 1996 2002
+16 -14
drivers/net/jme.c
··· 273 273 { 274 274 jwrite32(jme, JME_PMCS, 0xFFFF0000 | jme->reg_pmcs); 275 275 pci_set_power_state(jme->pdev, PCI_D0); 276 - pci_enable_wake(jme->pdev, PCI_D0, false); 276 + device_set_wakeup_enable(&jme->pdev->dev, false); 277 277 } 278 278 279 279 static int ··· 2538 2538 2539 2539 jwrite32(jme, JME_PMCS, jme->reg_pmcs); 2540 2540 2541 + device_set_wakeup_enable(&jme->pdev->dev, jme->reg_pmcs); 2542 + 2541 2543 return 0; 2542 2544 } 2543 2545 ··· 3174 3172 } 3175 3173 3176 3174 #ifdef CONFIG_PM 3177 - static int 3178 - jme_suspend(struct pci_dev *pdev, pm_message_t state) 3175 + static int jme_suspend(struct device *dev) 3179 3176 { 3177 + struct pci_dev *pdev = to_pci_dev(dev); 3180 3178 struct net_device *netdev = pci_get_drvdata(pdev); 3181 3179 struct jme_adapter *jme = netdev_priv(netdev); 3182 3180 ··· 3208 3206 tasklet_hi_enable(&jme->rxclean_task); 3209 3207 tasklet_hi_enable(&jme->rxempty_task); 3210 3208 3211 - pci_save_state(pdev); 3212 3209 jme_powersave_phy(jme); 3213 - pci_enable_wake(jme->pdev, PCI_D3hot, true); 3214 - pci_set_power_state(pdev, PCI_D3hot); 3215 3210 3216 3211 return 0; 3217 3212 } 3218 3213 3219 - static int 3220 - jme_resume(struct pci_dev *pdev) 3214 + static int jme_resume(struct device *dev) 3221 3215 { 3216 + struct pci_dev *pdev = to_pci_dev(dev); 3222 3217 struct net_device *netdev = pci_get_drvdata(pdev); 3223 3218 struct jme_adapter *jme = netdev_priv(netdev); 3224 3219 3225 - jme_clear_pm(jme); 3226 - pci_restore_state(pdev); 3220 + jwrite32(jme, JME_PMCS, 0xFFFF0000 | jme->reg_pmcs); 3227 3221 3228 3222 jme_phy_on(jme); 3229 3223 if (test_bit(JME_FLAG_SSET, &jme->flags)) ··· 3236 3238 3237 3239 return 0; 3238 3240 } 3241 + 3242 + static SIMPLE_DEV_PM_OPS(jme_pm_ops, jme_suspend, jme_resume); 3243 + #define JME_PM_OPS (&jme_pm_ops) 3244 + 3245 + #else 3246 + 3247 + #define JME_PM_OPS NULL 3239 3248 #endif 3240 3249 3241 3250 static DEFINE_PCI_DEVICE_TABLE(jme_pci_tbl) = { ··· 3256 3251 .id_table = jme_pci_tbl, 3257 3252 .probe = jme_init_one, 3258 3253 .remove = __devexit_p(jme_remove_one), 3259 - #ifdef CONFIG_PM 3260 - .suspend = jme_suspend, 3261 - .resume = jme_resume, 3262 - #endif /* CONFIG_PM */ 3263 3254 .shutdown = jme_shutdown, 3255 + .driver.pm = JME_PM_OPS, 3264 3256 }; 3265 3257 3266 3258 static int __init
+1 -1
drivers/net/ksz884x.c
··· 4898 4898 goto unlock; 4899 4899 } 4900 4900 skb_copy_and_csum_dev(org_skb, skb->data); 4901 - org_skb->ip_summed = 0; 4901 + org_skb->ip_summed = CHECKSUM_NONE; 4902 4902 skb->len = org_skb->len; 4903 4903 copy_old_skb(org_skb, skb); 4904 4904 }
+3
drivers/net/mlx4/en_netdev.c
··· 742 742 0, MLX4_PROT_ETH)) 743 743 mlx4_warn(mdev, "Failed Attaching Broadcast\n"); 744 744 745 + /* Must redo promiscuous mode setup. */ 746 + priv->flags &= ~(MLX4_EN_FLAG_PROMISC | MLX4_EN_FLAG_MC_PROMISC); 747 + 745 748 /* Schedule multicast task to populate multicast list */ 746 749 queue_work(mdev->workqueue, &priv->mcast_task); 747 750
+23 -14
drivers/net/myri10ge/myri10ge.c
··· 1312 1312 * page into an skb */ 1313 1313 1314 1314 static inline int 1315 - myri10ge_rx_done(struct myri10ge_slice_state *ss, struct myri10ge_rx_buf *rx, 1316 - int bytes, int len, __wsum csum) 1315 + myri10ge_rx_done(struct myri10ge_slice_state *ss, int len, __wsum csum, 1316 + int lro_enabled) 1317 1317 { 1318 1318 struct myri10ge_priv *mgp = ss->mgp; 1319 1319 struct sk_buff *skb; 1320 1320 struct skb_frag_struct rx_frags[MYRI10GE_MAX_FRAGS_PER_FRAME]; 1321 - int i, idx, hlen, remainder; 1321 + struct myri10ge_rx_buf *rx; 1322 + int i, idx, hlen, remainder, bytes; 1322 1323 struct pci_dev *pdev = mgp->pdev; 1323 1324 struct net_device *dev = mgp->dev; 1324 1325 u8 *va; 1326 + 1327 + if (len <= mgp->small_bytes) { 1328 + rx = &ss->rx_small; 1329 + bytes = mgp->small_bytes; 1330 + } else { 1331 + rx = &ss->rx_big; 1332 + bytes = mgp->big_bytes; 1333 + } 1325 1334 1326 1335 len += MXGEFW_PAD; 1327 1336 idx = rx->cnt & rx->mask; ··· 1350 1341 remainder -= MYRI10GE_ALLOC_SIZE; 1351 1342 } 1352 1343 1353 - if (dev->features & NETIF_F_LRO) { 1344 + if (lro_enabled) { 1354 1345 rx_frags[0].page_offset += MXGEFW_PAD; 1355 1346 rx_frags[0].size -= MXGEFW_PAD; 1356 1347 len -= MXGEFW_PAD; ··· 1472 1463 { 1473 1464 struct myri10ge_rx_done *rx_done = &ss->rx_done; 1474 1465 struct myri10ge_priv *mgp = ss->mgp; 1475 - struct net_device *netdev = mgp->dev; 1466 + 1476 1467 unsigned long rx_bytes = 0; 1477 1468 unsigned long rx_packets = 0; 1478 1469 unsigned long rx_ok; ··· 1483 1474 u16 length; 1484 1475 __wsum checksum; 1485 1476 1477 + /* 1478 + * Prevent compiler from generating more than one ->features memory 1479 + * access to avoid theoretical race condition with functions that 1480 + * change NETIF_F_LRO flag at runtime. 1481 + */ 1482 + bool lro_enabled = ACCESS_ONCE(mgp->dev->features) & NETIF_F_LRO; 1483 + 1486 1484 while (rx_done->entry[idx].length != 0 && work_done < budget) { 1487 1485 length = ntohs(rx_done->entry[idx].length); 1488 1486 rx_done->entry[idx].length = 0; 1489 1487 checksum = csum_unfold(rx_done->entry[idx].checksum); 1490 - if (length <= mgp->small_bytes) 1491 - rx_ok = myri10ge_rx_done(ss, &ss->rx_small, 1492 - mgp->small_bytes, 1493 - length, checksum); 1494 - else 1495 - rx_ok = myri10ge_rx_done(ss, &ss->rx_big, 1496 - mgp->big_bytes, 1497 - length, checksum); 1488 + rx_ok = myri10ge_rx_done(ss, length, checksum, lro_enabled); 1498 1489 rx_packets += rx_ok; 1499 1490 rx_bytes += rx_ok * (unsigned long)length; 1500 1491 cnt++; ··· 1506 1497 ss->stats.rx_packets += rx_packets; 1507 1498 ss->stats.rx_bytes += rx_bytes; 1508 1499 1509 - if (netdev->features & NETIF_F_LRO) 1500 + if (lro_enabled) 1510 1501 lro_flush_all(&rx_done->lro_mgr); 1511 1502 1512 1503 /* restock receive rings if needed */
+1 -1
drivers/net/netxen/netxen_nic_ethtool.c
··· 871 871 struct netxen_adapter *adapter = netdev_priv(netdev); 872 872 int hw_lro; 873 873 874 - if (data & ~ETH_FLAG_LRO) 874 + if (ethtool_invalid_flags(netdev, data, ETH_FLAG_LRO)) 875 875 return -EINVAL; 876 876 877 877 if (!(adapter->capabilities & NX_FW_CAPABILITY_HW_LRO))
+1 -1
drivers/net/qlcnic/qlcnic_ethtool.c
··· 1003 1003 struct qlcnic_adapter *adapter = netdev_priv(netdev); 1004 1004 int hw_lro; 1005 1005 1006 - if (data & ~ETH_FLAG_LRO) 1006 + if (ethtool_invalid_flags(netdev, data, ETH_FLAG_LRO)) 1007 1007 return -EINVAL; 1008 1008 1009 1009 if (!(adapter->capabilities & QLCNIC_FW_CAPABILITY_HW_LRO))
+1 -1
drivers/net/s2io.c
··· 6726 6726 int rc = 0; 6727 6727 int changed = 0; 6728 6728 6729 - if (data & ~ETH_FLAG_LRO) 6729 + if (ethtool_invalid_flags(dev, data, ETH_FLAG_LRO)) 6730 6730 return -EINVAL; 6731 6731 6732 6732 if (data & ETH_FLAG_LRO) {
+3 -3
drivers/net/tg3.c
··· 48 48 #include <net/ip.h> 49 49 50 50 #include <asm/system.h> 51 - #include <asm/io.h> 51 + #include <linux/io.h> 52 52 #include <asm/byteorder.h> 53 - #include <asm/uaccess.h> 53 + #include <linux/uaccess.h> 54 54 55 55 #ifdef CONFIG_SPARC 56 56 #include <asm/idprom.h> ··· 13118 13118 13119 13119 static struct pci_dev * __devinit tg3_find_peer(struct tg3 *); 13120 13120 13121 - static void inline vlan_features_add(struct net_device *dev, unsigned long flags) 13121 + static inline void vlan_features_add(struct net_device *dev, unsigned long flags) 13122 13122 { 13123 13123 dev->vlan_features |= flags; 13124 13124 }
+2 -2
drivers/net/vmxnet3/vmxnet3_ethtool.c
··· 304 304 u8 lro_present = (netdev->features & NETIF_F_LRO) == 0 ? 0 : 1; 305 305 unsigned long flags; 306 306 307 - if (data & ~ETH_FLAG_LRO) 308 - return -EOPNOTSUPP; 307 + if (ethtool_invalid_flags(netdev, data, ETH_FLAG_LRO)) 308 + return -EINVAL; 309 309 310 310 if (lro_requested ^ lro_present) { 311 311 /* toggle the LRO feature*/
+2 -2
drivers/net/vxge/vxge-ethtool.c
··· 1117 1117 struct vxgedev *vdev = netdev_priv(dev); 1118 1118 enum vxge_hw_status status; 1119 1119 1120 - if (data & ~ETH_FLAG_RXHASH) 1121 - return -EOPNOTSUPP; 1120 + if (ethtool_invalid_flags(dev, data, ETH_FLAG_RXHASH)) 1121 + return -EINVAL; 1122 1122 1123 1123 if (!!(data & ETH_FLAG_RXHASH) == vdev->devh->config.rth_en) 1124 1124 return 0;
+5 -4
include/linux/can/core.h
··· 36 36 * @prot: pointer to struct proto structure. 37 37 */ 38 38 struct can_proto { 39 - int type; 40 - int protocol; 41 - struct proto_ops *ops; 42 - struct proto *prot; 39 + int type; 40 + int protocol; 41 + const struct proto_ops *ops; 42 + struct proto *prot; 43 43 }; 44 44 45 45 /* function prototypes for the CAN networklayer core (af_can.c) */ ··· 58 58 void *data); 59 59 60 60 extern int can_send(struct sk_buff *skb, int loop); 61 + extern int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg); 61 62 62 63 #endif /* CAN_CORE_H */
+1
include/linux/ethtool.h
··· 680 680 u32 ethtool_op_get_flags(struct net_device *dev); 681 681 int ethtool_op_set_flags(struct net_device *dev, u32 data, u32 supported); 682 682 void ethtool_ntuple_flush(struct net_device *dev); 683 + bool ethtool_invalid_flags(struct net_device *dev, u32 data, u32 supported); 683 684 684 685 /** 685 686 * &ethtool_ops - Alter and report network device settings
+7 -1
include/linux/skbuff.h
··· 122 122 123 123 struct sk_buff; 124 124 125 - /* To allow 64K frame to be packed as single skb without frag_list */ 125 + /* To allow 64K frame to be packed as single skb without frag_list. Since 126 + * GRO uses frags we allocate at least 16 regardless of page size. 127 + */ 128 + #if (65536/PAGE_SIZE + 2) < 16 129 + #define MAX_SKB_FRAGS 16 130 + #else 126 131 #define MAX_SKB_FRAGS (65536/PAGE_SIZE + 2) 132 + #endif 127 133 128 134 typedef struct skb_frag_struct skb_frag_t; 129 135
+1 -1
include/net/dst.h
··· 345 345 346 346 static inline struct dst_entry *skb_dst_pop(struct sk_buff *skb) 347 347 { 348 - struct dst_entry *child = skb_dst(skb)->child; 348 + struct dst_entry *child = dst_clone(skb_dst(skb)->child); 349 349 350 350 skb_dst_drop(skb); 351 351 return child;
+7 -1
include/net/rose.h
··· 14 14 15 15 #define ROSE_MIN_LEN 3 16 16 17 + #define ROSE_CALL_REQ_ADDR_LEN_OFF 3 18 + #define ROSE_CALL_REQ_ADDR_LEN_VAL 0xAA /* each address is 10 digits */ 19 + #define ROSE_CALL_REQ_DEST_ADDR_OFF 4 20 + #define ROSE_CALL_REQ_SRC_ADDR_OFF 9 21 + #define ROSE_CALL_REQ_FACILITIES_OFF 14 22 + 17 23 #define ROSE_GFI 0x10 18 24 #define ROSE_Q_BIT 0x80 19 25 #define ROSE_D_BIT 0x40 ··· 220 214 extern int rose_validate_nr(struct sock *, unsigned short); 221 215 extern void rose_write_internal(struct sock *, int); 222 216 extern int rose_decode(struct sk_buff *, int *, int *, int *, int *, int *); 223 - extern int rose_parse_facilities(unsigned char *, struct rose_facilities_struct *); 217 + extern int rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *); 224 218 extern void rose_disconnect(struct sock *, int, int, int); 225 219 226 220 /* rose_timer.c */
+22
include/net/xfrm.h
··· 1601 1601 } 1602 1602 1603 1603 #ifdef CONFIG_XFRM_MIGRATE 1604 + static inline int xfrm_replay_clone(struct xfrm_state *x, 1605 + struct xfrm_state *orig) 1606 + { 1607 + x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn), 1608 + GFP_KERNEL); 1609 + if (!x->replay_esn) 1610 + return -ENOMEM; 1611 + 1612 + x->replay_esn->bmp_len = orig->replay_esn->bmp_len; 1613 + x->replay_esn->replay_window = orig->replay_esn->replay_window; 1614 + 1615 + x->preplay_esn = kmemdup(x->replay_esn, 1616 + xfrm_replay_state_esn_len(x->replay_esn), 1617 + GFP_KERNEL); 1618 + if (!x->preplay_esn) { 1619 + kfree(x->replay_esn); 1620 + return -ENOMEM; 1621 + } 1622 + 1623 + return 0; 1624 + } 1625 + 1604 1626 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) 1605 1627 { 1606 1628 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
+5 -1
net/bridge/br_if.c
··· 389 389 { 390 390 struct net_bridge_port *p; 391 391 int err = 0; 392 + bool changed_addr; 392 393 393 394 /* Don't allow bridging non-ethernet like devices */ 394 395 if ((dev->flags & IFF_LOOPBACK) || ··· 447 446 list_add_rcu(&p->list, &br->port_list); 448 447 449 448 spin_lock_bh(&br->lock); 450 - br_stp_recalculate_bridge_id(br); 449 + changed_addr = br_stp_recalculate_bridge_id(br); 451 450 br_features_recompute(br); 452 451 453 452 if ((dev->flags & IFF_UP) && netif_carrier_ok(dev) && ··· 456 455 spin_unlock_bh(&br->lock); 457 456 458 457 br_ifinfo_notify(RTM_NEWLINK, p); 458 + 459 + if (changed_addr) 460 + call_netdevice_notifiers(NETDEV_CHANGEADDR, dev); 459 461 460 462 dev_set_mtu(br->dev, br_min_mtu(br)); 461 463
+1 -1
net/bridge/br_private.h
··· 497 497 extern void br_stp_set_enabled(struct net_bridge *br, unsigned long val); 498 498 extern void br_stp_enable_port(struct net_bridge_port *p); 499 499 extern void br_stp_disable_port(struct net_bridge_port *p); 500 - extern void br_stp_recalculate_bridge_id(struct net_bridge *br); 500 + extern bool br_stp_recalculate_bridge_id(struct net_bridge *br); 501 501 extern void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *a); 502 502 extern void br_stp_set_bridge_priority(struct net_bridge *br, 503 503 u16 newprio);
+6 -3
net/bridge/br_stp_if.c
··· 204 204 static const unsigned short br_mac_zero_aligned[ETH_ALEN >> 1]; 205 205 206 206 /* called under bridge lock */ 207 - void br_stp_recalculate_bridge_id(struct net_bridge *br) 207 + bool br_stp_recalculate_bridge_id(struct net_bridge *br) 208 208 { 209 209 const unsigned char *br_mac_zero = 210 210 (const unsigned char *)br_mac_zero_aligned; ··· 222 222 223 223 } 224 224 225 - if (compare_ether_addr(br->bridge_id.addr, addr)) 226 - br_stp_change_bridge_id(br, addr); 225 + if (compare_ether_addr(br->bridge_id.addr, addr) == 0) 226 + return false; /* no change */ 227 + 228 + br_stp_change_bridge_id(br, addr); 229 + return true; 227 230 } 228 231 229 232 /* called under bridge lock */
+3 -6
net/can/af_can.c
··· 95 95 * af_can socket functions 96 96 */ 97 97 98 - static int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 98 + int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 99 99 { 100 100 struct sock *sk = sock->sk; 101 101 ··· 108 108 return -ENOIOCTLCMD; 109 109 } 110 110 } 111 + EXPORT_SYMBOL(can_ioctl); 111 112 112 113 static void can_sock_destruct(struct sock *sk) 113 114 { ··· 699 698 printk(KERN_ERR "can: protocol %d already registered\n", 700 699 proto); 701 700 err = -EBUSY; 702 - } else { 701 + } else 703 702 proto_tab[proto] = cp; 704 703 705 - /* use generic ioctl function if not defined by module */ 706 - if (!cp->ops->ioctl) 707 - cp->ops->ioctl = can_ioctl; 708 - } 709 704 spin_unlock(&proto_tab_lock); 710 705 711 706 if (err < 0)
+2 -2
net/can/bcm.c
··· 1569 1569 return size; 1570 1570 } 1571 1571 1572 - static struct proto_ops bcm_ops __read_mostly = { 1572 + static const struct proto_ops bcm_ops = { 1573 1573 .family = PF_CAN, 1574 1574 .release = bcm_release, 1575 1575 .bind = sock_no_bind, ··· 1578 1578 .accept = sock_no_accept, 1579 1579 .getname = sock_no_getname, 1580 1580 .poll = datagram_poll, 1581 - .ioctl = NULL, /* use can_ioctl() from af_can.c */ 1581 + .ioctl = can_ioctl, /* use can_ioctl() from af_can.c */ 1582 1582 .listen = sock_no_listen, 1583 1583 .shutdown = sock_no_shutdown, 1584 1584 .setsockopt = sock_no_setsockopt,
+2 -2
net/can/raw.c
··· 742 742 return size; 743 743 } 744 744 745 - static struct proto_ops raw_ops __read_mostly = { 745 + static const struct proto_ops raw_ops = { 746 746 .family = PF_CAN, 747 747 .release = raw_release, 748 748 .bind = raw_bind, ··· 751 751 .accept = sock_no_accept, 752 752 .getname = raw_getname, 753 753 .poll = datagram_poll, 754 - .ioctl = NULL, /* use can_ioctl() from af_can.c */ 754 + .ioctl = can_ioctl, /* use can_ioctl() from af_can.c */ 755 755 .listen = sock_no_listen, 756 756 .shutdown = sock_no_shutdown, 757 757 .setsockopt = raw_setsockopt,
+1 -54
net/core/dev.c
··· 1140 1140 1141 1141 ASSERT_RTNL(); 1142 1142 1143 - /* 1144 - * Is it even present? 1145 - */ 1146 1143 if (!netif_device_present(dev)) 1147 1144 return -ENODEV; 1148 1145 ··· 1148 1151 if (ret) 1149 1152 return ret; 1150 1153 1151 - /* 1152 - * Call device private open method 1153 - */ 1154 1154 set_bit(__LINK_STATE_START, &dev->state); 1155 1155 1156 1156 if (ops->ndo_validate_addr) ··· 1156 1162 if (!ret && ops->ndo_open) 1157 1163 ret = ops->ndo_open(dev); 1158 1164 1159 - /* 1160 - * If it went open OK then: 1161 - */ 1162 - 1163 1165 if (ret) 1164 1166 clear_bit(__LINK_STATE_START, &dev->state); 1165 1167 else { 1166 - /* 1167 - * Set the flags. 1168 - */ 1169 1168 dev->flags |= IFF_UP; 1170 - 1171 - /* 1172 - * Enable NET_DMA 1173 - */ 1174 1169 net_dmaengine_get(); 1175 - 1176 - /* 1177 - * Initialize multicasting status 1178 - */ 1179 1170 dev_set_rx_mode(dev); 1180 - 1181 - /* 1182 - * Wakeup transmit queue engine 1183 - */ 1184 1171 dev_activate(dev); 1185 1172 } 1186 1173 ··· 1184 1209 { 1185 1210 int ret; 1186 1211 1187 - /* 1188 - * Is it already up? 1189 - */ 1190 1212 if (dev->flags & IFF_UP) 1191 1213 return 0; 1192 1214 1193 - /* 1194 - * Open device 1195 - */ 1196 1215 ret = __dev_open(dev); 1197 1216 if (ret < 0) 1198 1217 return ret; 1199 1218 1200 - /* 1201 - * ... and announce new interface. 1202 - */ 1203 1219 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING); 1204 1220 call_netdevice_notifiers(NETDEV_UP, dev); 1205 1221 ··· 1206 1240 might_sleep(); 1207 1241 1208 1242 list_for_each_entry(dev, head, unreg_list) { 1209 - /* 1210 - * Tell people we are going down, so that they can 1211 - * prepare to death, when device is still operating. 1212 - */ 1213 1243 call_netdevice_notifiers(NETDEV_GOING_DOWN, dev); 1214 1244 1215 1245 clear_bit(__LINK_STATE_START, &dev->state); ··· 1234 1272 if (ops->ndo_stop) 1235 1273 ops->ndo_stop(dev); 1236 1274 1237 - /* 1238 - * Device is now down. 1239 - */ 1240 - 1241 1275 dev->flags &= ~IFF_UP; 1242 - 1243 - /* 1244 - * Shutdown NET_DMA 1245 - */ 1246 1276 net_dmaengine_put(); 1247 1277 } 1248 1278 ··· 1263 1309 1264 1310 __dev_close_many(head); 1265 1311 1266 - /* 1267 - * Tell people we are down 1268 - */ 1269 1312 list_for_each_entry(dev, head, unreg_list) { 1270 1313 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING); 1271 1314 call_netdevice_notifiers(NETDEV_DOWN, dev); ··· 1321 1370 1322 1371 1323 1372 static int dev_boot_phase = 1; 1324 - 1325 - /* 1326 - * Device change register/unregister. These are not inline or static 1327 - * as we export them to the world. 1328 - */ 1329 1373 1330 1374 /** 1331 1375 * register_netdevice_notifier - register a network notifier block ··· 1423 1477 ASSERT_RTNL(); 1424 1478 return raw_notifier_call_chain(&netdev_chain, val, dev); 1425 1479 } 1480 + EXPORT_SYMBOL(call_netdevice_notifiers); 1426 1481 1427 1482 /* When > 0 there are consumers of rx skb time stamps */ 1428 1483 static atomic_t netstamp_needed = ATOMIC_INIT(0);
+16 -1
net/core/ethtool.c
··· 141 141 } 142 142 EXPORT_SYMBOL(ethtool_op_get_flags); 143 143 144 + /* Check if device can enable (or disable) particular feature coded in "data" 145 + * argument. Flags "supported" describe features that can be toggled by device. 146 + * If feature can not be toggled, it state (enabled or disabled) must match 147 + * hardcoded device features state, otherwise flags are marked as invalid. 148 + */ 149 + bool ethtool_invalid_flags(struct net_device *dev, u32 data, u32 supported) 150 + { 151 + u32 features = dev->features & flags_dup_features; 152 + /* "data" can contain only flags_dup_features bits, 153 + * see __ethtool_set_flags */ 154 + 155 + return (features & ~supported) != (data & ~supported); 156 + } 157 + EXPORT_SYMBOL(ethtool_invalid_flags); 158 + 144 159 int ethtool_op_set_flags(struct net_device *dev, u32 data, u32 supported) 145 160 { 146 - if (data & ~supported) 161 + if (ethtool_invalid_flags(dev, data, supported)) 147 162 return -EINVAL; 148 163 149 164 dev->features = ((dev->features & ~flags_dup_features) |
+2 -2
net/ipv4/fib_trie.c
··· 1365 1365 err = fib_props[fa->fa_type].error; 1366 1366 if (err) { 1367 1367 #ifdef CONFIG_IP_FIB_TRIE_STATS 1368 - t->stats.semantic_match_miss++; 1368 + t->stats.semantic_match_passed++; 1369 1369 #endif 1370 - return 1; 1370 + return err; 1371 1371 } 1372 1372 if (fi->fib_flags & RTNH_F_DEAD) 1373 1373 continue;
+3 -3
net/ipv4/ip_options.c
··· 140 140 } else { 141 141 dopt->ts_needtime = 0; 142 142 143 - if (soffset + 8 <= optlen) { 143 + if (soffset + 7 <= optlen) { 144 144 __be32 addr; 145 145 146 - memcpy(&addr, sptr+soffset-1, 4); 147 - if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_LOCAL) { 146 + memcpy(&addr, dptr+soffset-1, 4); 147 + if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_UNICAST) { 148 148 dopt->ts_needtime = 1; 149 149 soffset += 8; 150 150 }
+1
net/ipv4/raw.c
··· 569 569 rt = ip_route_output_flow(sock_net(sk), &fl4, sk); 570 570 if (IS_ERR(rt)) { 571 571 err = PTR_ERR(rt); 572 + rt = NULL; 572 573 goto done; 573 574 } 574 575 }
+1 -1
net/ipv6/ip6mr.c
··· 663 663 skb_pull(skb, (u8 *)encap - skb->data); 664 664 skb_reset_network_header(skb); 665 665 skb->protocol = htons(ETH_P_IPV6); 666 - skb->ip_summed = 0; 666 + skb->ip_summed = CHECKSUM_NONE; 667 667 skb->pkt_type = PACKET_HOST; 668 668 669 669 skb_tunnel_rx(skb, reg_dev);
+6
net/irda/iriap.c
··· 656 656 n = 1; 657 657 658 658 name_len = fp[n++]; 659 + 660 + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;); 661 + 659 662 memcpy(name, fp+n, name_len); n+=name_len; 660 663 name[name_len] = '\0'; 661 664 662 665 attr_len = fp[n++]; 666 + 667 + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;); 668 + 663 669 memcpy(attr, fp+n, attr_len); n+=attr_len; 664 670 attr[attr_len] = '\0'; 665 671
+3
net/irda/irnet/irnet_ppp.c
··· 105 105 while(isspace(start[length - 1])) 106 106 length--; 107 107 108 + DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5, 109 + -EINVAL, CTRL_ERROR, "Invalid nickname.\n"); 110 + 108 111 /* Copy the name for later reuse */ 109 112 memcpy(ap->rname, start + 5, length - 5); 110 113 ap->rname[length - 5] = '\0';
+4 -4
net/rose/af_rose.c
··· 978 978 struct sock *make; 979 979 struct rose_sock *make_rose; 980 980 struct rose_facilities_struct facilities; 981 - int n, len; 981 + int n; 982 982 983 983 skb->sk = NULL; /* Initially we don't know who it's for */ 984 984 ··· 987 987 */ 988 988 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct)); 989 989 990 - len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1; 991 - len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1; 992 - if (!rose_parse_facilities(skb->data + len + 4, &facilities)) { 990 + if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF, 991 + skb->len - ROSE_CALL_REQ_FACILITIES_OFF, 992 + &facilities)) { 993 993 rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76); 994 994 return 0; 995 995 }
+12 -1
net/rose/rose_loopback.c
··· 73 73 unsigned int lci_i, lci_o; 74 74 75 75 while ((skb = skb_dequeue(&loopback_queue)) != NULL) { 76 + if (skb->len < ROSE_MIN_LEN) { 77 + kfree_skb(skb); 78 + continue; 79 + } 76 80 lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); 77 81 frametype = skb->data[2]; 78 - dest = (rose_address *)(skb->data + 4); 82 + if (frametype == ROSE_CALL_REQUEST && 83 + (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF || 84 + skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] != 85 + ROSE_CALL_REQ_ADDR_LEN_VAL)) { 86 + kfree_skb(skb); 87 + continue; 88 + } 89 + dest = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF); 79 90 lci_o = ROSE_DEFAULT_MAXVC + 1 - lci_i; 80 91 81 92 skb_reset_transport_header(skb);
+13 -7
net/rose/rose_route.c
··· 861 861 unsigned int lci, new_lci; 862 862 unsigned char cause, diagnostic; 863 863 struct net_device *dev; 864 - int len, res = 0; 864 + int res = 0; 865 865 char buf[11]; 866 866 867 867 #if 0 ··· 869 869 return res; 870 870 #endif 871 871 872 + if (skb->len < ROSE_MIN_LEN) 873 + return res; 872 874 frametype = skb->data[2]; 873 875 lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); 874 - src_addr = (rose_address *)(skb->data + 9); 875 - dest_addr = (rose_address *)(skb->data + 4); 876 + if (frametype == ROSE_CALL_REQUEST && 877 + (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF || 878 + skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] != 879 + ROSE_CALL_REQ_ADDR_LEN_VAL)) 880 + return res; 881 + src_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF); 882 + dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF); 876 883 877 884 spin_lock_bh(&rose_neigh_list_lock); 878 885 spin_lock_bh(&rose_route_list_lock); ··· 1017 1010 goto out; 1018 1011 } 1019 1012 1020 - len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1; 1021 - len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1; 1022 - 1023 1013 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct)); 1024 1014 1025 - if (!rose_parse_facilities(skb->data + len + 4, &facilities)) { 1015 + if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF, 1016 + skb->len - ROSE_CALL_REQ_FACILITIES_OFF, 1017 + &facilities)) { 1026 1018 rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76); 1027 1019 goto out; 1028 1020 }
+66 -29
net/rose/rose_subr.c
··· 142 142 *dptr++ = ROSE_GFI | lci1; 143 143 *dptr++ = lci2; 144 144 *dptr++ = frametype; 145 - *dptr++ = 0xAA; 145 + *dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL; 146 146 memcpy(dptr, &rose->dest_addr, ROSE_ADDR_LEN); 147 147 dptr += ROSE_ADDR_LEN; 148 148 memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); ··· 246 246 do { 247 247 switch (*p & 0xC0) { 248 248 case 0x00: 249 + if (len < 2) 250 + return -1; 249 251 p += 2; 250 252 n += 2; 251 253 len -= 2; 252 254 break; 253 255 254 256 case 0x40: 257 + if (len < 3) 258 + return -1; 255 259 if (*p == FAC_NATIONAL_RAND) 256 260 facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF); 257 261 p += 3; ··· 264 260 break; 265 261 266 262 case 0x80: 263 + if (len < 4) 264 + return -1; 267 265 p += 4; 268 266 n += 4; 269 267 len -= 4; 270 268 break; 271 269 272 270 case 0xC0: 271 + if (len < 2) 272 + return -1; 273 273 l = p[1]; 274 + if (len < 2 + l) 275 + return -1; 274 276 if (*p == FAC_NATIONAL_DEST_DIGI) { 275 277 if (!fac_national_digis_received) { 278 + if (l < AX25_ADDR_LEN) 279 + return -1; 276 280 memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN); 277 281 facilities->source_ndigis = 1; 278 282 } 279 283 } 280 284 else if (*p == FAC_NATIONAL_SRC_DIGI) { 281 285 if (!fac_national_digis_received) { 286 + if (l < AX25_ADDR_LEN) 287 + return -1; 282 288 memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN); 283 289 facilities->dest_ndigis = 1; 284 290 } 285 291 } 286 292 else if (*p == FAC_NATIONAL_FAIL_CALL) { 293 + if (l < AX25_ADDR_LEN) 294 + return -1; 287 295 memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN); 288 296 } 289 297 else if (*p == FAC_NATIONAL_FAIL_ADD) { 298 + if (l < 1 + ROSE_ADDR_LEN) 299 + return -1; 290 300 memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN); 291 301 } 292 302 else if (*p == FAC_NATIONAL_DIGIS) { 303 + if (l % AX25_ADDR_LEN) 304 + return -1; 293 305 fac_national_digis_received = 1; 294 306 facilities->source_ndigis = 0; 295 307 facilities->dest_ndigis = 0; 296 308 for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) { 297 - if (pt[6] & AX25_HBIT) 309 + if (pt[6] & AX25_HBIT) { 310 + if (facilities->dest_ndigis >= ROSE_MAX_DIGIS) 311 + return -1; 298 312 memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN); 299 - else 313 + } else { 314 + if (facilities->source_ndigis >= ROSE_MAX_DIGIS) 315 + return -1; 300 316 memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN); 317 + } 301 318 } 302 319 } 303 320 p += l + 2; ··· 339 314 do { 340 315 switch (*p & 0xC0) { 341 316 case 0x00: 317 + if (len < 2) 318 + return -1; 342 319 p += 2; 343 320 n += 2; 344 321 len -= 2; 345 322 break; 346 323 347 324 case 0x40: 325 + if (len < 3) 326 + return -1; 348 327 p += 3; 349 328 n += 3; 350 329 len -= 3; 351 330 break; 352 331 353 332 case 0x80: 333 + if (len < 4) 334 + return -1; 354 335 p += 4; 355 336 n += 4; 356 337 len -= 4; 357 338 break; 358 339 359 340 case 0xC0: 341 + if (len < 2) 342 + return -1; 360 343 l = p[1]; 344 + 345 + /* Prevent overflows*/ 346 + if (l < 10 || l > 20) 347 + return -1; 348 + 361 349 if (*p == FAC_CCITT_DEST_NSAP) { 362 350 memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN); 363 351 memcpy(callsign, p + 12, l - 10); ··· 393 355 return n; 394 356 } 395 357 396 - int rose_parse_facilities(unsigned char *p, 358 + int rose_parse_facilities(unsigned char *p, unsigned packet_len, 397 359 struct rose_facilities_struct *facilities) 398 360 { 399 361 int facilities_len, len; 400 362 401 363 facilities_len = *p++; 402 364 403 - if (facilities_len == 0) 365 + if (facilities_len == 0 || (unsigned)facilities_len > packet_len) 404 366 return 0; 405 367 406 - while (facilities_len > 0) { 407 - if (*p == 0x00) { 408 - facilities_len--; 409 - p++; 368 + while (facilities_len >= 3 && *p == 0x00) { 369 + facilities_len--; 370 + p++; 410 371 411 - switch (*p) { 412 - case FAC_NATIONAL: /* National */ 413 - len = rose_parse_national(p + 1, facilities, facilities_len - 1); 414 - facilities_len -= len + 1; 415 - p += len + 1; 416 - break; 372 + switch (*p) { 373 + case FAC_NATIONAL: /* National */ 374 + len = rose_parse_national(p + 1, facilities, facilities_len - 1); 375 + break; 417 376 418 - case FAC_CCITT: /* CCITT */ 419 - len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1); 420 - facilities_len -= len + 1; 421 - p += len + 1; 422 - break; 377 + case FAC_CCITT: /* CCITT */ 378 + len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1); 379 + break; 423 380 424 - default: 425 - printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p); 426 - facilities_len--; 427 - p++; 428 - break; 429 - } 430 - } else 431 - break; /* Error in facilities format */ 381 + default: 382 + printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p); 383 + len = 1; 384 + break; 385 + } 386 + 387 + if (len < 0) 388 + return 0; 389 + if (WARN_ON(len >= facilities_len)) 390 + return 0; 391 + facilities_len -= len + 1; 392 + p += len + 1; 432 393 } 433 394 434 - return 1; 395 + return facilities_len == 0; 435 396 } 436 397 437 398 static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
+3 -1
net/xfrm/xfrm_input.c
··· 173 173 goto drop_unlock; 174 174 } 175 175 176 - if (x->props.replay_window && x->repl->check(x, skb, seq)) { 176 + if (x->repl->check(x, skb, seq)) { 177 177 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR); 178 178 goto drop_unlock; 179 179 } ··· 189 189 190 190 XFRM_SKB_CB(skb)->seq.input.low = seq; 191 191 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi; 192 + 193 + skb_dst_force(skb); 192 194 193 195 nexthdr = x->type->input(x, skb); 194 196
+3 -1
net/xfrm/xfrm_output.c
··· 78 78 79 79 spin_unlock_bh(&x->lock); 80 80 81 + skb_dst_force(skb); 82 + 81 83 err = x->type->output(x, skb); 82 84 if (err == -EINPROGRESS) 83 85 goto out_exit; ··· 96 94 err = -EHOSTUNREACH; 97 95 goto error_nolock; 98 96 } 99 - skb_dst_set(skb, dst_clone(dst)); 97 + skb_dst_set(skb, dst); 100 98 x = dst->xfrm; 101 99 } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL)); 102 100
+15 -2
net/xfrm/xfrm_replay.c
··· 118 118 u32 diff; 119 119 u32 seq = ntohl(net_seq); 120 120 121 + if (!x->props.replay_window) 122 + return 0; 123 + 121 124 if (unlikely(seq == 0)) 122 125 goto err; 123 126 ··· 196 193 { 197 194 unsigned int bitnr, nr; 198 195 struct xfrm_replay_state_esn *replay_esn = x->replay_esn; 196 + u32 pos; 199 197 u32 seq = ntohl(net_seq); 200 198 u32 diff = replay_esn->seq - seq; 201 - u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window; 199 + 200 + if (!replay_esn->replay_window) 201 + return 0; 202 + 203 + pos = (replay_esn->seq - 1) % replay_esn->replay_window; 202 204 203 205 if (unlikely(seq == 0)) 204 206 goto err; ··· 381 373 unsigned int bitnr, nr; 382 374 u32 diff; 383 375 struct xfrm_replay_state_esn *replay_esn = x->replay_esn; 376 + u32 pos; 384 377 u32 seq = ntohl(net_seq); 385 - u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window; 386 378 u32 wsize = replay_esn->replay_window; 387 379 u32 top = replay_esn->seq; 388 380 u32 bottom = top - wsize + 1; 381 + 382 + if (!wsize) 383 + return 0; 384 + 385 + pos = (replay_esn->seq - 1) % replay_esn->replay_window; 389 386 390 387 if (unlikely(seq == 0 && replay_esn->seq_hi == 0 && 391 388 (replay_esn->seq < replay_esn->replay_window - 1)))
+6
net/xfrm/xfrm_state.c
··· 1181 1181 goto error; 1182 1182 } 1183 1183 1184 + if (orig->replay_esn) { 1185 + err = xfrm_replay_clone(x, orig); 1186 + if (err) 1187 + goto error; 1188 + } 1189 + 1184 1190 memcpy(&x->mark, &orig->mark, sizeof(x->mark)); 1185 1191 1186 1192 err = xfrm_init_state(x);
+24
net/xfrm/xfrm_user.c
··· 127 127 if (!rt) 128 128 return 0; 129 129 130 + if (p->id.proto != IPPROTO_ESP) 131 + return -EINVAL; 132 + 130 133 if (p->replay_window != 0) 131 134 return -EINVAL; 132 135 ··· 360 357 361 358 strcpy(p->alg_name, algo->name); 362 359 *algpp = p; 360 + return 0; 361 + } 362 + 363 + static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 364 + struct nlattr *rp) 365 + { 366 + struct xfrm_replay_state_esn *up; 367 + 368 + if (!replay_esn || !rp) 369 + return 0; 370 + 371 + up = nla_data(rp); 372 + 373 + if (xfrm_replay_state_esn_len(replay_esn) != 374 + xfrm_replay_state_esn_len(up)) 375 + return -EINVAL; 376 + 363 377 return 0; 364 378 } 365 379 ··· 1784 1764 return -ESRCH; 1785 1765 1786 1766 if (x->km.state != XFRM_STATE_VALID) 1767 + goto out; 1768 + 1769 + err = xfrm_replay_verify_len(x->replay_esn, rp); 1770 + if (err) 1787 1771 goto out; 1788 1772 1789 1773 spin_lock_bh(&x->lock);