Commit e9296e89 authored by Linus Torvalds's avatar Linus Torvalds

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "Some more fixes trickled in over the past few days:

   1) PIM device names can overflow the IFNAMSIZ buffer unless we
      properly limit the allowed indexes, fix from Eric Dumazet.

   2) Under heavy load we can OOPS in icmp reply processing due to an
      unchecked inet_putpeer() call.  Fix from Neal Cardwell.

   3) SCTP round trip calculations need to use 64-bit math to avoid
      overflows, fix from Schoch Christian.

   4) Fix a memory leak and an error return flub in SCTP and IRDA
      triggerable by userspace.  Fix from Tommi Rantala and found by the
      syscall fuzzer (trinity).

   5) MLX4 driver gives bogus size to memcpy() call, fix from Amir
      Vadai.

   6) Fix length calculation in VHOST descriptor translation, from
      Michael S Tsirkin.

   7) Ambassador ATM driver loops forever while loading firmware, fix
      from Dan Carpenter.

   8) Over MTU packets in openvswitch warn about wrong device, fix from
      Jesse Gross.

   9) Netfilter IPSET's netlink code can overrun a string buffer because
      it's not properly limited to IFNAMSIZ.  Fix from Florian Westphal.

  10) PCAN USB driver sets wrong timestamp in SKB, from Oliver Hartkopp.

  11) Make sure the RX ifindex always has a valid value in the CAN BCM
      driver, even if we haven't received a frame yet.  Fix also from
      Oliver Hartkopp."

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  team: fix hw_features setup
  atm: forever loop loading ambassador firmware
  vhost: fix length for cross region descriptor
  irda: irttp: fix memory leak in irttp_open_tsap() error path
  net: qmi_wwan: add Huawei E173
  net/mlx4_en: Can set maxrate only for TC0
  sctp: Error in calculation of RTTvar
  sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
  sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
  net: ipmr: limit MRT_TABLE identifiers
  ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow()
  can: bcm: initialize ifindex for timeouts without previous frame reception
  can: peak_usb: fix hwtstamp assignment
  netfilter: ipset: fix netiface set name overflow
  openvswitch: Store flow key len if ARP opcode is not request or reply.
  openvswitch: Print device when warning about over MTU packets.
parents 4b05a1c7 a45085f6
...@@ -1961,6 +1961,7 @@ static int __devinit ucode_init (loader_block * lb, amb_dev * dev) { ...@@ -1961,6 +1961,7 @@ static int __devinit ucode_init (loader_block * lb, amb_dev * dev) {
res = loader_verify(lb, dev, rec); res = loader_verify(lb, dev, rec);
if (res) if (res)
break; break;
rec = ihex_next_binrec(rec);
} }
release_firmware(fw); release_firmware(fw);
if (!res) if (!res)
......
...@@ -519,8 +519,10 @@ static int pcan_usb_decode_error(struct pcan_usb_msg_context *mc, u8 n, ...@@ -519,8 +519,10 @@ static int pcan_usb_decode_error(struct pcan_usb_msg_context *mc, u8 n,
mc->pdev->dev.can.state = new_state; mc->pdev->dev.can.state = new_state;
if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) { if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) {
struct skb_shared_hwtstamps *hwts = skb_hwtstamps(skb);
peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv); peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv);
skb->tstamp = timeval_to_ktime(tv); hwts->hwtstamp = timeval_to_ktime(tv);
} }
netif_rx(skb); netif_rx(skb);
...@@ -605,6 +607,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len) ...@@ -605,6 +607,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
struct sk_buff *skb; struct sk_buff *skb;
struct can_frame *cf; struct can_frame *cf;
struct timeval tv; struct timeval tv;
struct skb_shared_hwtstamps *hwts;
skb = alloc_can_skb(mc->netdev, &cf); skb = alloc_can_skb(mc->netdev, &cf);
if (!skb) if (!skb)
...@@ -652,7 +655,8 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len) ...@@ -652,7 +655,8 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
/* convert timestamp into kernel time */ /* convert timestamp into kernel time */
peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv); peak_usb_get_ts_tv(&mc->pdev->time_ref, mc->ts16, &tv);
skb->tstamp = timeval_to_ktime(tv); hwts = skb_hwtstamps(skb);
hwts->hwtstamp = timeval_to_ktime(tv);
/* push the skb */ /* push the skb */
netif_rx(skb); netif_rx(skb);
......
...@@ -532,6 +532,7 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if, ...@@ -532,6 +532,7 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if,
struct can_frame *can_frame; struct can_frame *can_frame;
struct sk_buff *skb; struct sk_buff *skb;
struct timeval tv; struct timeval tv;
struct skb_shared_hwtstamps *hwts;
skb = alloc_can_skb(netdev, &can_frame); skb = alloc_can_skb(netdev, &can_frame);
if (!skb) if (!skb)
...@@ -549,7 +550,8 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if, ...@@ -549,7 +550,8 @@ static int pcan_usb_pro_handle_canmsg(struct pcan_usb_pro_interface *usb_if,
memcpy(can_frame->data, rx->data, can_frame->can_dlc); memcpy(can_frame->data, rx->data, can_frame->can_dlc);
peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(rx->ts32), &tv); peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(rx->ts32), &tv);
skb->tstamp = timeval_to_ktime(tv); hwts = skb_hwtstamps(skb);
hwts->hwtstamp = timeval_to_ktime(tv);
netif_rx(skb); netif_rx(skb);
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
...@@ -570,6 +572,7 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if, ...@@ -570,6 +572,7 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
u8 err_mask = 0; u8 err_mask = 0;
struct sk_buff *skb; struct sk_buff *skb;
struct timeval tv; struct timeval tv;
struct skb_shared_hwtstamps *hwts;
/* nothing should be sent while in BUS_OFF state */ /* nothing should be sent while in BUS_OFF state */
if (dev->can.state == CAN_STATE_BUS_OFF) if (dev->can.state == CAN_STATE_BUS_OFF)
...@@ -664,7 +667,8 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if, ...@@ -664,7 +667,8 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
dev->can.state = new_state; dev->can.state = new_state;
peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(er->ts32), &tv); peak_usb_get_ts_tv(&usb_if->time_ref, le32_to_cpu(er->ts32), &tv);
skb->tstamp = timeval_to_ktime(tv); hwts = skb_hwtstamps(skb);
hwts->hwtstamp = timeval_to_ktime(tv);
netif_rx(skb); netif_rx(skb);
netdev->stats.rx_packets++; netdev->stats.rx_packets++;
netdev->stats.rx_bytes += can_frame->can_dlc; netdev->stats.rx_bytes += can_frame->can_dlc;
......
...@@ -237,7 +237,7 @@ static int mlx4_en_dcbnl_ieee_setmaxrate(struct net_device *dev, ...@@ -237,7 +237,7 @@ static int mlx4_en_dcbnl_ieee_setmaxrate(struct net_device *dev,
if (err) if (err)
return err; return err;
memcpy(priv->maxrate, tmp, sizeof(*priv->maxrate)); memcpy(priv->maxrate, tmp, sizeof(priv->maxrate));
return 0; return 0;
} }
......
...@@ -1794,10 +1794,12 @@ static void team_setup(struct net_device *dev) ...@@ -1794,10 +1794,12 @@ static void team_setup(struct net_device *dev)
dev->features |= NETIF_F_LLTX; dev->features |= NETIF_F_LLTX;
dev->features |= NETIF_F_GRO; dev->features |= NETIF_F_GRO;
dev->hw_features = NETIF_F_HW_VLAN_TX | dev->hw_features = TEAM_VLAN_FEATURES |
NETIF_F_HW_VLAN_TX |
NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_RX |
NETIF_F_HW_VLAN_FILTER; NETIF_F_HW_VLAN_FILTER;
dev->hw_features &= ~(NETIF_F_ALL_CSUM & ~NETIF_F_HW_CSUM);
dev->features |= dev->hw_features; dev->features |= dev->hw_features;
} }
......
...@@ -385,6 +385,7 @@ static const struct usb_device_id products[] = { ...@@ -385,6 +385,7 @@ static const struct usb_device_id products[] = {
}, },
/* 3. Combined interface devices matching on interface number */ /* 3. Combined interface devices matching on interface number */
{QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
{QMI_FIXED_INTF(0x19d2, 0x0002, 1)}, {QMI_FIXED_INTF(0x19d2, 0x0002, 1)},
{QMI_FIXED_INTF(0x19d2, 0x0012, 1)}, {QMI_FIXED_INTF(0x19d2, 0x0012, 1)},
{QMI_FIXED_INTF(0x19d2, 0x0017, 3)}, {QMI_FIXED_INTF(0x19d2, 0x0017, 3)},
......
...@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len, ...@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
} }
_iov = iov + ret; _iov = iov + ret;
size = reg->memory_size - addr + reg->guest_phys_addr; size = reg->memory_size - addr + reg->guest_phys_addr;
_iov->iov_len = min((u64)len, size); _iov->iov_len = min((u64)len - s, size);
_iov->iov_base = (void __user *)(unsigned long) _iov->iov_base = (void __user *)(unsigned long)
(reg->userspace_addr + addr - reg->guest_phys_addr); (reg->userspace_addr + addr - reg->guest_phys_addr);
s += size; s += size;
......
...@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, ...@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
op->sk = sk; op->sk = sk;
op->ifindex = ifindex; op->ifindex = ifindex;
/* ifindex for timeout events w/o previous frame reception */
op->rx_ifindex = ifindex;
/* initialize uninitialized (kzalloc) structure */ /* initialize uninitialized (kzalloc) structure */
hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
op->timer.function = bcm_rx_timeout_handler; op->timer.function = bcm_rx_timeout_handler;
......
...@@ -257,6 +257,7 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, ...@@ -257,6 +257,7 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1); struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
rc = inet_peer_xrlim_allow(peer, rc = inet_peer_xrlim_allow(peer,
net->ipv4.sysctl_icmp_ratelimit); net->ipv4.sysctl_icmp_ratelimit);
if (peer)
inet_putpeer(peer); inet_putpeer(peer);
} }
out: out:
......
...@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi ...@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
if (get_user(v, (u32 __user *)optval)) if (get_user(v, (u32 __user *)optval))
return -EFAULT; return -EFAULT;
/* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
if (v != RT_TABLE_DEFAULT && v >= 1000000000)
return -EINVAL;
rtnl_lock(); rtnl_lock();
ret = 0; ret = 0;
if (sk == rtnl_dereference(mrt->mroute_sk)) { if (sk == rtnl_dereference(mrt->mroute_sk)) {
......
...@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify) ...@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0); lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
if (lsap == NULL) { if (lsap == NULL) {
IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__); IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__);
__irttp_close_tsap(self);
return NULL; return NULL;
} }
......
...@@ -793,7 +793,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = { ...@@ -793,7 +793,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
[IPSET_ATTR_IP] = { .type = NLA_NESTED }, [IPSET_ATTR_IP] = { .type = NLA_NESTED },
[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
[IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING, [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
.len = IPSET_MAXNAMELEN - 1 }, .len = IFNAMSIZ - 1 },
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
[IPSET_ATTR_CIDR] = { .type = NLA_U8 }, [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
......
...@@ -702,16 +702,12 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key, ...@@ -702,16 +702,12 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key,
/* We only match on the lower 8 bits of the opcode. */ /* We only match on the lower 8 bits of the opcode. */
if (ntohs(arp->ar_op) <= 0xff) if (ntohs(arp->ar_op) <= 0xff)
key->ip.proto = ntohs(arp->ar_op); key->ip.proto = ntohs(arp->ar_op);
if (key->ip.proto == ARPOP_REQUEST
|| key->ip.proto == ARPOP_REPLY) {
memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src)); memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst)); memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN); memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN); memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
key_len = SW_FLOW_KEY_OFFSET(ipv4.arp); key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
} }
}
} else if (key->eth.type == htons(ETH_P_IPV6)) { } else if (key->eth.type == htons(ETH_P_IPV6)) {
int nh_len; /* IPv6 Header + Extensions */ int nh_len; /* IPv6 Header + Extensions */
......
...@@ -158,7 +158,7 @@ static int netdev_send(struct vport *vport, struct sk_buff *skb) ...@@ -158,7 +158,7 @@ static int netdev_send(struct vport *vport, struct sk_buff *skb)
if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) { if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) {
net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n", net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n",
ovs_dp_name(vport->dp), netdev_vport->dev->name,
packet_length(skb), mtu); packet_length(skb), mtu);
goto error; goto error;
} }
......
...@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
msg = sctp_datamsg_new(GFP_KERNEL); msg = sctp_datamsg_new(GFP_KERNEL);
if (!msg) if (!msg)
return NULL; return ERR_PTR(-ENOMEM);
/* Note: Calculate this outside of the loop, so that all fragments /* Note: Calculate this outside of the loop, so that all fragments
* have the same expiration. * have the same expiration.
...@@ -280,11 +280,14 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -280,11 +280,14 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0); chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
if (!chunk) if (!chunk) {
err = -ENOMEM;
goto errout; goto errout;
}
err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
if (err < 0) if (err < 0)
goto errout; goto errout_chunk_free;
offset += len; offset += len;
...@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0); chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
if (!chunk) if (!chunk) {
err = -ENOMEM;
goto errout; goto errout;
}
err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov); err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
...@@ -324,7 +329,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -324,7 +329,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
__skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
- (__u8 *)chunk->skb->data); - (__u8 *)chunk->skb->data);
if (err < 0) if (err < 0)
goto errout; goto errout_chunk_free;
sctp_datamsg_assign(msg, chunk); sctp_datamsg_assign(msg, chunk);
list_add_tail(&chunk->frag_list, &msg->chunks); list_add_tail(&chunk->frag_list, &msg->chunks);
...@@ -332,6 +337,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -332,6 +337,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
return msg; return msg;
errout_chunk_free:
sctp_chunk_free(chunk);
errout: errout:
list_for_each_safe(pos, temp, &msg->chunks) { list_for_each_safe(pos, temp, &msg->chunks) {
list_del_init(pos); list_del_init(pos);
...@@ -339,7 +347,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc, ...@@ -339,7 +347,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
sctp_chunk_free(chunk); sctp_chunk_free(chunk);
} }
sctp_datamsg_put(msg); sctp_datamsg_put(msg);
return NULL; return ERR_PTR(err);
} }
/* Check whether this message has expired. */ /* Check whether this message has expired. */
......
...@@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk, ...@@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
/* Break the message into multiple chunks of maximum size. */ /* Break the message into multiple chunks of maximum size. */
datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len); datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
if (!datamsg) { if (IS_ERR(datamsg)) {
err = -ENOMEM; err = PTR_ERR(datamsg);
goto out_free; goto out_free;
} }
......
...@@ -331,7 +331,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt) ...@@ -331,7 +331,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
* 1/8, rto_alpha would be expressed as 3. * 1/8, rto_alpha would be expressed as 3.
*/ */
tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta) tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta)
+ ((abs(tp->srtt - rtt)) >> net->sctp.rto_beta); + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> net->sctp.rto_beta);
tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha) tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha)
+ (rtt >> net->sctp.rto_alpha); + (rtt >> net->sctp.rto_alpha);
} else { } else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment