| author | Srinivasarao P <spathi@codeaurora.org> | 2019-05-23 14:05:20 +0530 |
|---|---|---|
| committer | Srinivasarao P <spathi@codeaurora.org> | 2019-05-23 14:22:20 +0530 |
| commit | 780ec0d562724e68ed866498dedc7c2ef229609f (patch) | |
| tree | 2809bda61108d547b8794ba2495978311d4b7e72 /net | |
| parent | d1a5c038050401f5dbd7de222c43a1262083e027 (diff) | |
| parent | 71cb827c0249e87c62139bd4d5897cf59f51cb55 (diff) | |
Merge android-4.4.180 (71cb827) into msm-4.4
* refs/heads/tmp-71cb827
Linux 4.4.180
powerpc/lib: fix book3s/32 boot failure due to code patching
powerpc/booke64: set RI in default MSR
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
bonding: fix arp_validate toggling in active-backup mode
ipv4: Fix raw socket lookup for local traffic
vrf: sit mtu should not be updated when vrf netdev is the link
vlan: disable SIOCSHWTSTAMP in container
packet: Fix error path in packet_init
net: ucc_geth - fix Oops when changing number of buffers in the ring
bridge: Fix error path for kobject_init_and_add()
powerpc/64s: Include cpu header
USB: serial: fix unthrottle races
USB: serial: use variable for status
x86/bugs: Change L1TF mitigation string to match upstream
x86/speculation/mds: Fix documentation typo
Documentation: Correct the possible MDS sysfs values
x86/mds: Add MDSUM variant to the MDS documentation
x86/speculation/mds: Add 'mitigations=' support for MDS
x86/speculation: Support 'mitigations=' cmdline option
cpu/speculation: Add 'mitigations=' cmdline option
x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
x86/speculation/mds: Fix comment
x86/speculation/mds: Add SMT warning message
x86/speculation: Move arch_smt_update() call to after mitigation decisions
x86/cpu/bugs: Use __initconst for 'const' init data
Documentation: Add MDS vulnerability documentation
Documentation: Move L1TF to separate directory
x86/speculation/mds: Add mitigation mode VMWERV
x86/speculation/mds: Add sysfs reporting for MDS
x86/speculation/l1tf: Document l1tf in sysfs
x86/speculation/mds: Add mitigation control for MDS
x86/speculation/mds: Conditionally clear CPU buffers on idle entry
x86/speculation/mds: Clear CPU buffers on exit to user
x86/speculation/mds: Add mds_clear_cpu_buffers()
x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
x86/speculation/mds: Add BUG_MSBDS_ONLY
x86/speculation/mds: Add basic bug infrastructure for MDS
x86/speculation: Consolidate CPU whitelists
x86/msr-index: Cleanup bit defines
kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
x86/speculation: Provide IBPB always command line options
x86/speculation: Add seccomp Spectre v2 user space protection mode
x86/speculation: Enable prctl mode for spectre_v2_user
x86/speculation: Add prctl() control for indirect branch speculation
x86/speculation: Prevent stale SPEC_CTRL msr content
x86/speculation: Prepare arch_smt_update() for PRCTL mode
x86/speculation: Split out TIF update
x86/speculation: Prepare for conditional IBPB in switch_mm()
x86/speculation: Avoid __switch_to_xtra() calls
x86/process: Consolidate and simplify switch_to_xtra() code
x86/speculation: Prepare for per task indirect branch speculation control
x86/speculation: Add command line control for indirect branch speculation
x86/speculation: Unify conditional spectre v2 print functions
x86/speculataion: Mark command line parser data __initdata
x86/speculation: Mark string arrays const correctly
x86/speculation: Reorder the spec_v2 code
x86/speculation: Rework SMT state change
sched: Add sched_smt_active()
x86/Kconfig: Select SCHED_SMT if SMP enabled
x86/speculation: Reorganize speculation control MSRs update
x86/speculation: Rename SSBD update functions
x86/speculation: Disable STIBP when enhanced IBRS is in use
x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
x86/speculation: Remove unnecessary ret variable in cpu_show_common()
x86/speculation: Clean up spectre_v2_parse_cmdline()
x86/speculation: Update the TIF_SSBD comment
x86/speculation: Propagate information about RSB filling mitigation to sysfs
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
x86/mm: Use WRITE_ONCE() when setting PTEs
KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
x86/cpu: Sanitize FAM6_ATOM naming
x86/microcode: Update the new microcode revision unconditionally
x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file
x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
x86/bugs: Add AMD's SPEC_CTRL MSR usage
x86/bugs: Add AMD's variant of SSB_NO
x86/speculation: Simplify the CPU bug detection logic
x86/speculation: Support Enhanced IBRS on future CPUs
x86/cpufeatures: Hide AMD-specific speculation flags
x86/MCE: Save microcode revision in machine check records
x86/microcode/intel: Check microcode revision before updating sibling threads
bitops: avoid integer overflow in GENMASK(_ULL)
x86: stop exporting msr-index.h to userland
x86/microcode/intel: Add a helper which gives the microcode revision
locking/static_keys: Provide DECLARE and well as DEFINE macros
Don't jump to compute_result state from check_result state
x86/vdso: Pass --eh-frame-hdr to the linker
cw1200: fix missing unlock on error in cw1200_hw_scan()
gpu: ipu-v3: dp: fix CSC handling
selftests/net: correct the return value for run_netsocktests
s390: ctcm: fix ctcm_new_device error return code
ipvs: do not schedule icmp errors from tunnels
init: initialize jump labels before command line option parsing
tools lib traceevent: Fix missing equality check for strcmp
KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
s390/3270: fix lockdep false positive on view->lock
s390/dasd: Fix capacity calculation for large volumes
libnvdimm/btt: Fix a kmemdup failure check
HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
HID: input: add mapping for Expose/Overview key
iio: adc: xilinx: fix potential use-after-free on remove
platform/x86: sony-laptop: Fix unintentional fall-through
netfilter: compat: initialize all fields in xt_init
timer/debug: Change /proc/timer_stats from 0644 to 0600
ASoC: Intel: avoid Oops if DMA setup fails
ipv6: fix a potential deadlock in do_ipv6_setsockopt()
UAS: fix alignment of scatter/gather segments
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
Bluetooth: hidp: fix buffer overflow
scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
usb: dwc3: Fix default lpm_nyet_threshold value
genirq: Prevent use-after-free and work list corruption
iommu/amd: Set exclusion range correctly
scsi: csiostor: fix missing data copy in csio_scsi_err_handler()
perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
ASoC: tlv320aic32x4: Fix Common Pins
ASoC: cs4270: Set auto-increment bit for register writes
ASoC:soc-pcm:fix a codec fixup issue in TDM case
scsi: libsas: fix a race condition when smp task timeout
media: v4l2: i2c: ov7670: Fix PLL bypass register values
x86/mce: Improve error message when kernel cannot recover, p2
selinux: never allow relabeling on context mounts
Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
staging: iio: adt7316: fix the dac write calculation
staging: iio: adt7316: fix the dac read calculation
staging: iio: adt7316: allow adt751x to use internal vref for all dacs
usb: usbip: fix isoc packet num validation in get_pipe
ARM: iop: don't use using 64-bit DMA masks
ARM: orion: don't use using 64-bit DMA masks
xsysace: Fix error handling in ace_setup
hugetlbfs: fix memory leak for resv_map
net: hns: Fix WARNING when remove HNS driver with SMMU enabled
net: hns: Use NAPI_POLL_WEIGHT for hns driver
scsi: storvsc: Fix calculation of sub-channel count
vfio/pci: use correct format characters
rtc: da9063: set uie_unsupported when relevant
debugfs: fix use-after-free on symlink traversal
jffs2: fix use-after-free on symlink traversal
bonding: show full hw address in sysfs for slave entries
igb: Fix WARN_ONCE on runtime suspend
rtc: sh: Fix invalid alarm warning for non-enabled alarm
HID: debug: fix race condition with between rdesc_show() and device removal
USB: core: Fix bug caused by duplicate interface PM usage counter
USB: core: Fix unterminated string returned by usb_string()
USB: w1 ds2490: Fix bug caused by improper use of altsetting array
USB: yurex: Fix protection fault after device removal
packet: validate msg_namelen in send directly
bnxt_en: Improve multicast address setup logic.
ipv6: invert flowlabel sharing check in process and user mode
ipv6/flowlabel: wait rcu grace period before put_pid()
ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
ALSA: line6: use dynamic buffers
vfio/type1: Limit DMA mappings per container
kconfig/[mn]conf: handle backspace (^H) key
libata: fix using DMA buffers on stack
scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
ceph: fix use-after-free on symlink traversal
usb: u132-hcd: fix resource leak
scsi: qla4xxx: fix a potential NULL pointer dereference
net: ethernet: ti: fix possible object reference leak
net: ibm: fix possible object reference leak
net: xilinx: fix possible object reference leak
net: ks8851: Set initial carrier state to down
net: ks8851: Delay requesting IRQ until opened
net: ks8851: Reassert reset pin if chip ID check fails
net: ks8851: Dequeue RX packets explicitly
ARM: dts: pfla02: increase phy reset duration
usb: gadget: net2272: Fix net2272_dequeue()
usb: gadget: net2280: Fix net2280_dequeue()
usb: gadget: net2280: Fix overrun of OUT messages
sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
qlcnic: Avoid potential NULL pointer dereference
usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set
usbnet: ipheth: prevent TX queue timeouts when device not ready
Documentation: Add nospectre_v1 parameter
powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
powerpc/fsl: Emulate SPRN_BUCSR register
powerpc/fsl: Flush branch predictor when entering KVM
powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
net: stmmac: move stmmac_check_ether_addr() to driver probe
team: fix possible recursive locking when add slaves
ipv4: add sanity checks in ipv4_link_failure()
Revert "block/loop: Use global lock for ioctl() operation."
bpf: reject wrong sized filters earlier
tipc: check link name with right length in tipc_nl_compat_link_set
tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
intel_th: gth: Fix an off-by-one in output unassigning
slip: make slhc_free() silently accept an error pointer
tipc: handle the err returned from cmd header function
powerpc/fsl: Fix the flush of branch predictor.
powerpc/security: Fix spectre_v2 reporting
powerpc/fsl: Update Spectre v2 reporting
powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
powerpc/fsl: Add nospectre_v2 command line argument
powerpc/fsl: Fix spectre_v2 mitigations reporting
powerpc/fsl: Add macro to flush the branch predictor
powerpc/fsl: Add infrastructure to fixup branch predictor flush
powerpc: Avoid code patching freed init sections
powerpc/powernv: Query firmware for count cache flush settings
powerpc/pseries: Query hypervisor for count cache flush settings
powerpc/64s: Add support for software count cache flush
powerpc/64s: Add new security feature flags for count cache flush
powerpc/asm: Add a patch_site macro & helpers for patching instructions
powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E
powerpc/64: Make meltdown reporting Book3S 64 specific
powerpc/64: Call setup_barrier_nospec() from setup_arch()
powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
powerpc/64: Disable the speculation barrier from the command line
powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
powerpc/64s: Enhance the information in cpu_show_spectre_v1()
powerpc: Use barrier_nospec in copy_from_user()
powerpc/64: Use barrier_nospec in syscall entry
powerpc/64s: Enable barrier_nospec based on firmware settings
powerpc/64s: Patch barrier_nospec in modules
powerpc/64s: Add support for ori barrier_nospec patching
powerpc/64s: Add barrier_nospec
powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
powerpc/pseries: Restore default security feature flags on setup
powerpc: Move default security feature flags
powerpc/pseries: Fix clearing of security feature flags
powerpc/64s: Wire up cpu_show_spectre_v2()
powerpc/64s: Wire up cpu_show_spectre_v1()
powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
powerpc/64s: Enhance the information in cpu_show_meltdown()
powerpc/64s: Move cpu_show_meltdown()
powerpc/powernv: Set or clear security feature flags
powerpc/pseries: Set or clear security feature flags
powerpc: Add security feature flags for Spectre/Meltdown
powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
powerpc/rfi-flush: Differentiate enabled and patched flush types
powerpc/rfi-flush: Always enable fallback flush on pseries
powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
powerpc/powernv: Support firmware disable of RFI flush
powerpc/pseries: Support firmware disable of RFI flush
powerpc/64s: Improve RFI L1-D cache flush fallback
powerpc/xmon: Add RFI flush related fields to paca dump
USB: Consolidate LPM checks to avoid enabling LPM twice
USB: Add new USB LPM helpers
sunrpc: don't mark uninitialised items as VALID.
nfsd: Don't release the callback slot unless it was actually held
ceph: fix ci->i_head_snapc leak
ceph: ensure d_name stability in ceph_dentry_hash()
sched/numa: Fix a possible divide-by-zero
trace: Fix preempt_enable_no_resched() abuse
MIPS: scall64-o32: Fix indirect syscall number load
cifs: do not attempt cifs operation on smb2+ rename error
KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number
kbuild: simplify ld-option implementation
ANDROID: cuttlefish_defconfig: Disable DEVTMPFS
ANDROID: Move from clang r349610 to r353983c.
f2fs: fix to avoid accessing xattr across the boundary
f2fs: fix to avoid potential race on sbi->unusable_block_count access/update
f2fs: add tracepoint for f2fs_filemap_fault()
f2fs: introduce DATA_GENERIC_ENHANCE
f2fs: fix to handle error in f2fs_disable_checkpoint()
f2fs: remove redundant check in f2fs_file_write_iter()
f2fs: fix to be aware of readonly device in write_checkpoint()
f2fs: fix to skip recovery on readonly device
f2fs: fix to consider multiple device for readonly check
f2fs: relocate chksum_offset for large_nat_bitmap feature
f2fs: allow unfixed f2fs_checkpoint.checksum_offset
f2fs: Replace spaces with tab
f2fs: insert space before the open parenthesis '('
f2fs: allow address pointer number of dnode aligning to specified size
f2fs: introduce f2fs_read_single_page() for cleanup
f2fs: mark is_extension_exist() inline
f2fs: fix to set FI_UPDATE_WRITE correctly
f2fs: fix to avoid panic in f2fs_inplace_write_data()
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to do sanity check on valid node/block count
f2fs: fix to avoid panic in do_recover_data()
f2fs: fix to do sanity check on free nid
f2fs: fix to do checksum even if inode page is uptodate
f2fs: fix to avoid panic in f2fs_remove_inode_page()
f2fs: fix to clear dirty inode in error path of f2fs_iget()
f2fs: remove new blank line of f2fs kernel message
f2fs: fix wrong __is_meta_io() macro
f2fs: fix to avoid panic in dec_valid_node_count()
f2fs: fix to avoid panic in dec_valid_block_count()
f2fs: fix to use inline space only if inline_xattr is enable
f2fs: fix to retrieve inline xattr space
f2fs: fix error path of recovery
f2fs: fix to avoid deadloop in foreground GC
f2fs: data: fix warning Using plain integer as NULL pointer
f2fs: add tracepoint for f2fs_file_write_iter()
f2fs: add comment for conditional compilation statement
f2fs: fix potential recursive call when enabling data_flush
f2fs: improve discard handling with multi-device volumes
f2fs: Reduce zoned block device memory usage
f2fs: Fix use of number of devices
Sleepable function handle_lmk_event() is called in atomic context,
so ignored the commit "ANDROID: Communicates LMK events to userland
where they can be logged"
Conflicts:
arch/powerpc/include/asm/uaccess.h
kernel/cpu.c
kernel/irq/manage.c
kernel/time/timer_stats.c
net/ipv4/sysctl_net_ipv4.c
Change-Id: I3e5bd447057b44a28fc5000403198ae0fd644480
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Diffstat (limited to 'net')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | net/8021q/vlan_dev.c | 4 |
| -rw-r--r-- | net/bluetooth/hci_conn.c | 8 |
| -rw-r--r-- | net/bluetooth/hidp/sock.c | 1 |
| -rw-r--r-- | net/bridge/br_if.c | 13 |
| -rw-r--r-- | net/bridge/br_netfilter_hooks.c | 1 |
| -rw-r--r-- | net/bridge/br_netfilter_ipv6.c | 2 |
| -rw-r--r-- | net/bridge/netfilter/ebtables.c | 3 |
| -rw-r--r-- | net/core/filter.c | 23 |
| -rw-r--r-- | net/ipv4/ip_output.c | 1 |
| -rw-r--r-- | net/ipv4/raw.c | 4 |
| -rw-r--r-- | net/ipv4/route.c | 32 |
| -rw-r--r-- | net/ipv4/sysctl_net_ipv4.c | 5 |
| -rw-r--r-- | net/ipv6/ip6_flowlabel.c | 22 |
| -rw-r--r-- | net/ipv6/ipv6_sockglue.c | 3 |
| -rw-r--r-- | net/ipv6/mcast.c | 17 |
| -rw-r--r-- | net/ipv6/sit.c | 2 |
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 2 |
| -rw-r--r-- | net/netfilter/x_tables.c | 2 |
| -rw-r--r-- | net/packet/af_packet.c | 48 |
| -rw-r--r-- | net/sunrpc/cache.c | 3 |
| -rw-r--r-- | net/tipc/netlink_compat.c | 24 |
21 files changed, 156 insertions, 64 deletions
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c index ac9791dd4768..5139c4ebb96b 100644 --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -363,10 +363,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) ifrr.ifr_ifru = ifr->ifr_ifru; switch (cmd) { + case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGMIIPHY: case SIOCGMIIREG: case SIOCSMIIREG: - case SIOCSHWTSTAMP: case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 1588d913c7a0..ccddf348924b 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1177,6 +1177,14 @@ int hci_conn_check_link_mode(struct hci_conn *conn) !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) return 0; + /* The minimum encryption key size needs to be enforced by the + * host stack before establishing any L2CAP connections. The + * specification in theory allows a minimum of 1, but to align + * BR/EDR and LE transports, a minimum of 7 is chosen. + */ + if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) + return 0; + return 1; } diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c index c06f9a0107d6..cb2df55492bb 100644 --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca))) diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index 50e84e634dfe..c7a281549d91 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c 
@@ -471,13 +471,15 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) call_netdevice_notifiers(NETDEV_JOIN, dev); err = dev_set_allmulti(dev, 1); - if (err) - goto put_back; + if (err) { + kfree(p); /* kobject not yet init'd, manually free */ + goto err1; + } err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), SYSFS_BRIDGE_PORT_ATTR); if (err) - goto err1; + goto err2; err = br_sysfs_addif(p); if (err) @@ -551,12 +553,9 @@ err3: sysfs_remove_link(br->ifobj, p->dev->name); err2: kobject_put(&p->kobj); - p = NULL; /* kobject_put frees */ -err1: dev_set_allmulti(dev, -1); -put_back: +err1: dev_put(dev); - kfree(p); return err; } diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 93b5525bcccf..2ae0451fd634 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -507,6 +507,7 @@ static unsigned int br_nf_pre_routing(void *priv, nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; skb->protocol = htons(ETH_P_IP); + skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, skb->dev, NULL, diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c index 69dfd212e50d..f94c83f5cc37 100644 --- a/net/bridge/br_netfilter_ipv6.c +++ b/net/bridge/br_netfilter_ipv6.c @@ -237,6 +237,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr; skb->protocol = htons(ETH_P_IPV6); + skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb, skb->dev, NULL, br_nf_pre_routing_finish_ipv6); diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index f13402d407e4..1a87cf78fadc 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c 
@@ -2046,7 +2046,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, if (match_kern) match_kern->match_size = ret; - if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + /* rule should have no remaining data after target */ + if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL; match32 = (struct compat_ebt_entry_mwt *) buf; diff --git a/net/core/filter.c b/net/core/filter.c index 1a9ded6af138..3c5f51198c41 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to_probe) return codes[code_to_probe]; } +static bool bpf_check_basics_ok(const struct sock_filter *filter, + unsigned int flen) +{ + if (filter == NULL) + return false; + if (flen == 0 || flen > BPF_MAXINSNS) + return false; + + return true; +} + /** * bpf_check_classic - verify socket filter code * @filter: filter to verify @@ -762,9 +773,6 @@ static int bpf_check_classic(const struct sock_filter *filter, bool anc_found; int pc; - if (flen == 0 || flen > BPF_MAXINSNS) - return -EINVAL; - /* Check the filter code now */ for (pc = 0; pc < flen; pc++) { const struct sock_filter *ftest = &filter[pc]; @@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) struct bpf_prog *fp; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); @@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, int err; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); 
@@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, bool locked) { unsigned int fsize = bpf_classic_proglen(fprog); - unsigned int bpf_fsize = bpf_prog_size(fprog->len); struct bpf_prog *prog; int err; @@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, return -EPERM; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; - prog = bpf_prog_alloc(bpf_fsize, 0); + prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); if (!prog) return -ENOMEM; diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index ac2966f02d07..c2380bb1fdab 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -475,6 +475,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) to->pkt_type = from->pkt_type; to->priority = from->priority; to->protocol = from->protocol; + to->skb_iif = from->skb_iif; skb_dst_drop(to); skb_dst_copy(to, from); to->dev = from->dev; diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 7541427537d0..69e1a11f4ca8 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -167,6 +167,7 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) */ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) { + int dif = inet_iif(skb); struct sock *sk; struct hlist_head *head; int delivered = 0; @@ -179,8 +180,7 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) net = dev_net(skb->dev); sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, - iph->saddr, iph->daddr, - skb->dev->ifindex); + iph->saddr, iph->daddr, dif); while (sk) { delivered = 1; diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 773c71771ffd..2c661934e557 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -1168,25 +1168,39 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) return dst; } -static void ipv4_link_failure(struct sk_buff *skb) +static void ipv4_send_dest_unreach(struct sk_buff *skb) { struct ip_options opt; - struct rtable *rt; int res; /* Recompile ip options since IPCB may not be valid anymore. + * Also check we have a reasonable ipv4 header. */ - memset(&opt, 0, sizeof(opt)); - opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); + if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || + ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) + return; - rcu_read_lock(); - res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); - rcu_read_unlock(); + memset(&opt, 0, sizeof(opt)); + if (ip_hdr(skb)->ihl > 5) { + if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4)) + return; + opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); - if (res) - return; + rcu_read_lock(); + res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); + rcu_read_unlock(); + if (res) + return; + } __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); +} + +static void ipv4_link_failure(struct sk_buff *skb) +{ + struct rtable *rt; + + ipv4_send_dest_unreach(skb); rt = skb_rtable(skb); if (rt) diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index 5d563615718d..81739ffc4168 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -46,6 +46,7 @@ static int tcp_delack_seg_min = TCP_DELACK_MIN; static int tcp_delack_seg_max = 60; static int tcp_use_userconfig_min; static int tcp_use_userconfig_max = 1; +static int one_day_secs = 24 * 3600; /* Update system visible IP port range */ static void set_local_port_range(struct net *net, int range[2]) 
@@ -616,7 +617,9 @@ static struct ctl_table ipv4_table[] = { .data = &sysctl_tcp_min_rtt_wlen, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one_day_secs }, { .procname = "tcp_low_latency", diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c index f3a0a9c0f61e..c6061f7343f1 100644 --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c @@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label) return fl; } +static void fl_free_rcu(struct rcu_head *head) +{ + struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); + + if (fl->share == IPV6_FL_S_PROCESS) + put_pid(fl->owner.pid); + kfree(fl->opt); + kfree(fl); +} + static void fl_free(struct ip6_flowlabel *fl) { - if (fl) { - if (fl->share == IPV6_FL_S_PROCESS) - put_pid(fl->owner.pid); - kfree(fl->opt); - kfree_rcu(fl, rcu); - } + if (fl) + call_rcu(&fl->rcu, fl_free_rcu); } static void fl_release(struct ip6_flowlabel *fl) @@ -633,9 +639,9 @@ recheck: if (fl1->share == IPV6_FL_S_EXCL || fl1->share != fl->share || ((fl1->share == IPV6_FL_S_PROCESS) && - (fl1->owner.pid == fl->owner.pid)) || + (fl1->owner.pid != fl->owner.pid)) || ((fl1->share == IPV6_FL_S_USER) && - uid_eq(fl1->owner.uid, fl->owner.uid))) + !uid_eq(fl1->owner.uid, fl->owner.uid))) goto release; err = -ENOMEM; diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 8d11a034ca3f..71263754b19b 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -121,6 +121,7 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, static bool setsockopt_needs_rtnl(int optname) { switch (optname) { + case IPV6_ADDRFORM: case IPV6_ADD_MEMBERSHIP: case IPV6_DROP_MEMBERSHIP: case IPV6_JOIN_ANYCAST: 
@@ -199,7 +200,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, } fl6_free_socklist(sk); - ipv6_sock_mc_close(sk); + __ipv6_sock_mc_close(sk); /* * Sock is moving from IPv6 to IPv4 (sk_prot), so diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index a5ec9a0cbb80..976c8133a281 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -276,16 +276,14 @@ static struct inet6_dev *ip6_mc_find_dev_rcu(struct net *net, return idev; } -void ipv6_sock_mc_close(struct sock *sk) +void __ipv6_sock_mc_close(struct sock *sk) { struct ipv6_pinfo *np = inet6_sk(sk); struct ipv6_mc_socklist *mc_lst; struct net *net = sock_net(sk); - if (!rcu_access_pointer(np->ipv6_mc_list)) - return; + ASSERT_RTNL(); - rtnl_lock(); while ((mc_lst = rtnl_dereference(np->ipv6_mc_list)) != NULL) { struct net_device *dev; @@ -303,8 +301,17 @@ void ipv6_sock_mc_close(struct sock *sk) atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc); kfree_rcu(mc_lst, rcu); - } +} + +void ipv6_sock_mc_close(struct sock *sk) +{ + struct ipv6_pinfo *np = inet6_sk(sk); + + if (!rcu_access_pointer(np->ipv6_mc_list)) + return; + rtnl_lock(); + __ipv6_sock_mc_close(sk); rtnl_unlock(); } diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 77736190dc15..5039486c4f86 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1076,7 +1076,7 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev) if (!tdev && tunnel->parms.link) tdev = __dev_get_by_index(tunnel->net, tunnel->parms.link); - if (tdev) { + if (tdev && !netif_is_l3_master(tdev)) { int t_hlen = tunnel->hlen + sizeof(struct iphdr); dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr); diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index ac212542a217..c4509a10ce52 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c 
@@ -1484,7 +1484,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, if (!cp) { int v; - if (!sysctl_schedule_icmp(ipvs)) + if (ipip || !sysctl_schedule_icmp(ipvs)) return NF_ACCEPT; if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index b6e72af15237..cdafbd38a456 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1699,7 +1699,7 @@ static int __init xt_init(void) seqcount_init(&per_cpu(xt_recseq, i)); } - xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); + xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); if (!xt) return -ENOMEM; diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 7d93228ba1e1..c78bcc13ebab 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2490,8 +2490,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) void *ph; DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); + unsigned char *addr = NULL; int tp_len, size_max; - unsigned char *addr; int len_sum = 0; int status = TP_STATUS_AVAILABLE; int hlen, tlen; @@ -2511,10 +2511,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) sll_addr))) goto out; proto = saddr->sll_protocol; - addr = saddr->sll_halen ? saddr->sll_addr : NULL; dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); - if (addr && dev && saddr->sll_halen < dev->addr_len) - goto out_put; + if (po->sk.sk_socket->type == SOCK_DGRAM) { + if (dev && msg->msg_namelen < dev->addr_len + + offsetof(struct sockaddr_ll, sll_addr)) + goto out_put; + addr = saddr->sll_addr; + } } err = -ENXIO; 
@@ -2652,7 +2655,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) struct sk_buff *skb; struct net_device *dev; __be16 proto; - unsigned char *addr; + unsigned char *addr = NULL; int err, reserve = 0; struct sockcm_cookie sockc; struct virtio_net_hdr vnet_hdr = { 0 }; @@ -2672,7 +2675,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) if (likely(saddr == NULL)) { dev = packet_cached_dev_get(po); proto = po->num; - addr = NULL; } else { err = -EINVAL; if (msg->msg_namelen < sizeof(struct sockaddr_ll)) @@ -2680,10 +2682,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) goto out; proto = saddr->sll_protocol; - addr = saddr->sll_halen ? saddr->sll_addr : NULL; dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); - if (addr && dev && saddr->sll_halen < dev->addr_len) - goto out_unlock; + if (sock->type == SOCK_DGRAM) { + if (dev && msg->msg_namelen < dev->addr_len + + offsetof(struct sockaddr_ll, sll_addr)) + goto out_unlock; + addr = saddr->sll_addr; + } } err = -ENXIO; @@ -4518,14 +4523,29 @@ static void __exit packet_exit(void) static int __init packet_init(void) { - int rc = proto_register(&packet_proto, 0); + int rc; - if (rc != 0) + rc = proto_register(&packet_proto, 0); + if (rc) goto out; + rc = sock_register(&packet_family_ops); + if (rc) + goto out_proto; + rc = register_pernet_subsys(&packet_net_ops); + if (rc) + goto out_sock; + rc = register_netdevice_notifier(&packet_netdev_notifier); + if (rc) + goto out_pernet; - sock_register(&packet_family_ops); - register_pernet_subsys(&packet_net_ops); - register_netdevice_notifier(&packet_netdev_notifier); + return 0; + +out_pernet: + unregister_pernet_subsys(&packet_net_ops); +out_sock: + sock_unregister(PF_PACKET); +out_proto: + proto_unregister(&packet_proto); out: return rc; } 
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index af17b00145e1..a8ab98b53a3a 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -54,6 +54,7 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) h->last_refresh = now; } +static inline int cache_is_valid(struct cache_head *h); static void cache_fresh_locked(struct cache_head *head, time_t expiry, struct cache_detail *detail); static void cache_fresh_unlocked(struct cache_head *head, @@ -100,6 +101,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, if (cache_is_expired(detail, tmp)) { hlist_del_init(&tmp->cache_list); detail->entries --; + if (cache_is_valid(tmp) == -EAGAIN) + set_bit(CACHE_NEGATIVE, &tmp->flags); cache_fresh_locked(tmp, 0, detail); freeme = tmp; break; diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index e9653c42cdd1..8400211537a2 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c @@ -262,8 +262,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, if (msg->rep_type) tipc_tlv_init(msg->rep, msg->rep_type); - if (cmd->header) - (*cmd->header)(msg); + if (cmd->header) { + err = (*cmd->header)(msg); + if (err) { + kfree_skb(msg->rep); + msg->rep = NULL; + return err; + } + } arg = nlmsg_new(0, GFP_KERNEL); if (!arg) { @@ -382,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, if (!bearer) return -EMSGSIZE; - len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); + len = TLV_GET_DATA_LEN(msg->req); + len -= offsetof(struct tipc_bearer_config, name); + if (len <= 0) + return -EINVAL; + + len = min_t(int, len, TIPC_MAX_BEARER_NAME); if (!string_is_valid(b->name, len)) return -EINVAL; 
@@ -727,7 +738,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, lc = (struct tipc_link_config *)TLV_DATA(msg->req); - len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); + len = TLV_GET_DATA_LEN(msg->req); + len -= offsetof(struct tipc_link_config, name); + if (len <= 0) + return -EINVAL; + + len = min_t(int, len, TIPC_MAX_LINK_NAME); if (!string_is_valid(lc->name, len)) return -EINVAL; |
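
Review bot: in net/ipv6/mcast.c, `__ipv6_sock_mc_close()` swaps the `rtnl_lock()` for `ASSERT_RTNL()` but has no comment telling callers they must already hold RTNL. The one direct caller visible here is the `do_ipv6_setsockopt()` site in net/ipv6/ipv6_sockglue.c, and its locking is outside the hunk. Add a short comment above the function stating the locking contract, and confirm the setsockopt path holds RTNL at that call. The `rcu_access_pointer(np->ipv6_mc_list)` fast path now lives only in the `ipv6_sock_mc_close()` wrapper, which is fine since the `while` loop copes with an empty list.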
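
Review bot: in `ipip6_tunnel_bind_dev()` (net/ipv6/sit.c) the new `!netif_is_l3_master(tdev)` term has no comment explaining why an L3 master link device is excluded from the block that derives `dev->hard_header_len` from `tdev`. A one-line comment at the `if` would stop a later cleanup from folding the condition back to `if (tdev)`.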
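
Review bot: in `ip_vs_in_icmp()` (net/netfilter/ipvs/ip_vs_core.c) the added `ipip ||` makes the function return `NF_ACCEPT` without calling `ip_vs_try_to_schedule()` whenever `ipip` is set, regardless of the sysctl, and nothing at the site says why. Please add a comment on the `if` giving the reason, since the sysctl name alone no longer describes the condition.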
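
Review bot: in `xt_init()` (net/netfilter/x_tables.c) replacing `kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, ...)` with `kcalloc()` is a behaviour change as well as a style one, because the array is now zeroed. The hunk does not show which effect is intended. If the zeroing is the point (members of `struct xt_af` being read before they are set), say so in a comment so the call is not later treated as cosmetic.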
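
Review bot: in `tpacket_snd()` (net/packet/af_packet.c) the `SOCK_DGRAM` branch assigns `addr = saddr->sll_addr` even when `dev` is NULL, because only the length test is guarded by `dev &&`. That is safe only if the `-ENXIO` handling right after this block rejects a NULL `dev` before `addr` is used; please confirm, or move the assignment under the same `dev` check. Initialising `addr` to NULL at the declaration is a good change, as non-DGRAM sockets now never pick up a caller-supplied address.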
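
Review bot: the `SOCK_DGRAM` length check added to `packet_snd()` (`msg->msg_namelen < dev->addr_len + offsetof(struct sockaddr_ll, sll_addr)`) is the same as the one added to `tpacket_snd()`, differing only in the error label. A small helper taking `msg` and `dev` would keep the two send paths from drifting apart the next time this validation changes.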
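
Review bot: in `packet_init()` the first failure still does `goto out` to a label that only executes `return rc`; with the new unwind labels in place, a direct `return rc` after `proto_register()` would let `out:` go away. The unwind order itself (`unregister_pernet_subsys`, `sock_unregister`, `proto_unregister`) is the reverse of registration and looks right.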
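
Review bot: in net/sunrpc/cache.c the patch adds a forward declaration of `static inline int cache_is_valid()` so that `sunrpc_cache_lookup()` can call it; moving the definition above its first use would be cleaner than forward-declaring an inline. The new `set_bit(CACHE_NEGATIVE, &tmp->flags)` on an expired entry for which `cache_is_valid()` returns `-EAGAIN` also needs a comment explaining why such an entry must be marked negative before `cache_fresh_locked()` runs.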
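
Review bot: in `tipc_nl_compat_bearer_enable()` (net/tipc/netlink_compat.c) the sequence `len -= offsetof(struct tipc_bearer_config, name); if (len <= 0)` is correct only while `len` is a signed type. Its declaration is outside the hunk, so please confirm it is `int`, as the `min_t(int, ...)` suggests. The identical three-step computation is added to `tipc_nl_compat_link_set()` with `struct tipc_link_config`; a shared helper that returns the usable name length or `-EINVAL` would keep the two in step.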
