refs/heads/tmp-28ec98b:
Linux 4.4.55
ext4: don't BUG when truncating encrypted inodes on the orphan list
dm: flush queued bios when process blocks to avoid deadlock
nfit, libnvdimm: fix interleave set cookie calculation
s390/kdump: Use "LINUX" ELF note name instead of "CORE"
KVM: s390: Fix guest migration for huge guests resulting in panic
mvsas: fix misleading indentation
serial: samsung: Continue to work if DMA request fails
USB: serial: io_ti: fix information leak in completion handler
USB: serial: io_ti: fix NULL-deref in interrupt callback
USB: iowarrior: fix NULL-deref in write
USB: iowarrior: fix NULL-deref at probe
USB: serial: omninet: fix reference leaks at open
USB: serial: safe_serial: fix information leak in completion handler
usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
usb: host: xhci-dbg: HCIVERSION should be a binary number
usb: gadget: function: f_fs: pass companion descriptor along
usb: dwc3: gadget: make Set Endpoint Configuration macros safe
usb: gadget: dummy_hcd: clear usb_gadget region before registration
powerpc: Emulation support for load/store instructions on LE
tracing: Add #undef to fix compile error
MIPS: Netlogic: Fix CP0_EBASE redefinition warnings
MIPS: DEC: Avoid la pseudo-instruction in delay slots
mm: memcontrol: avoid unused function warning
cpmac: remove hopeless #warning
MIPS: ralink: Remove unused rt*_wdt_reset functions
MIPS: ralink: Cosmetic change to prom_init().
mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT change
MIPS: ip22: Fix ip28 build for modern gcc
MIPS: Update ip27_defconfig for SCSI_DH change
MIPS: ip27: Disable qlge driver in defconfig
MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE change
crypto: improve gcc optimization flags for serpent and wp512
USB: serial: digi_acceleport: fix OOB-event processing
USB: serial: digi_acceleport: fix OOB data sanity check
Linux 4.4.54
drivers: hv: Turn off write permission on the hypercall page
fat: fix using uninitialized fields of fat_inode/fsinfo_inode
libceph: use BUG() instead of BUG_ON(1)
drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
fakelb: fix schedule while atomic
drm/atomic: fix an error code in mode_fixup()
drm/ttm: Make sure BOs being swapped out are cacheable
drm/edid: Add EDID_QUIRK_FORCE_8BPC quirk for Rotel RSX-1058
drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
drm/ast: Call open_key before enable_mmio in POST code
drm/ast: Fix test for VGA enabled
drm/amdgpu: add more cases to DCE11 possible crtc mask setup
mac80211: flush delayed work when entering suspend
xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
pwm: pca9685: Fix period change with same duty cycle
nlm: Ensure callback code also checks that the files match
target: Fix NULL dereference during LUN lookup + active I/O shutdown
ceph: remove req from unsafe list when unregistering it
ktest: Fix child exit code processing
IB/srp: Fix race conditions related to task management
IB/srp: Avoid that duplicate responses trigger a kernel bug
IB/IPoIB: Add destination address when re-queue packet
IB/ipoib: Fix deadlock between rmmod and set_mode
mnt: Tuck mounts under others instead of creating shadow/side mounts.
net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
s390: use correct input data address for setup_randomness
s390: make setup_randomness work
s390: TASK_SIZE for kernel threads
s390/dcssblk: fix device size calculation in dcssblk_direct_access()
s390/qdio: clear DSCI prior to scanning multiple input queues
Bluetooth: Add another AR3012 04ca:3018 device
KVM: VMX: use correct vmcs_read/write for guest segment selector/base
KVM: s390: Disable dirty log retrieval for UCONTROL guests
serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
tty: n_hdlc: get rid of racy n_hdlc.tbuf
TTY: n_hdlc, fix lockdep false positive
Linux 4.4.53
scsi: lpfc: Correct WQ creation for pagesize
MIPS: IP22: Fix build error due to binutils 2.25 uselessnes.
MIPS: IP22: Reformat inline assembler code to modern standards.
powerpc/xmon: Fix data-breakpoint
dmaengine: ipu: Make sure the interrupt routine checks all interrupts.
bcma: use (get|put)_device when probing/removing device driver
md linear: fix a race between linear_add() and linear_congested()
rtc: sun6i: Switch to the external oscillator
rtc: sun6i: Add some locking
NFSv4: fix getacl ERANGE for some ACL buffer sizes
NFSv4: fix getacl head length estimation
NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
nfsd: special case truncates some more
nfsd: minor nfsd_setattr cleanup
rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
rtlwifi: Fix alignment issues
gfs2: Add missing rcu locking for glock lookup
rdma_cm: fail iwarp accepts w/o connection params
RDMA/core: Fix incorrect structure packing for booleans
Drivers: hv: util: Backup: Fix a rescind processing issue
Drivers: hv: util: Fcopy: Fix a rescind processing issue
Drivers: hv: util: kvp: Fix a rescind processing issue
hv: init percpu_list in hv_synic_alloc()
hv: allocate synic pages for all present CPUs
usb: gadget: udc: fsl: Add missing complete function.
usb: host: xhci: plat: check hcc_params after add hcd
usb: musb: da8xx: Remove CPPI 3.0 quirk and methods
w1: ds2490: USB transfer buffers need to be DMAable
w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
iio: pressure: mpl3115: do not rely on structure field ordering
iio: pressure: mpl115: do not rely on structure field ordering
arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
fuse: add missing FR_FORCE
crypto: testmgr - Pad aes_ccm_enc_tv_template vector
ath9k: use correct OTP register offsets for the AR9340 and AR9550
ath9k: fix race condition in enabling/disabling IRQs
ath5k: drop bogus warning on drv_set_key with unsupported cipher
target: Fix multi-session dynamic se_node_acl double free OOPs
target: Obtain se_node_acl->acl_kref during get_initiator_node_acl
samples/seccomp: fix 64-bit comparison macros
ext4: return EROFS if device is r/o and journal replay is needed
ext4: preserve the needs_recovery flag when the journal is aborted
ext4: fix inline data error paths
ext4: fix data corruption in data=journal mode
ext4: trim allocation requests to group size
ext4: do not polute the extents cache while shifting extents
ext4: Include forgotten start block on fallocate insert range
loop: fix LO_FLAGS_PARTSCAN hang
block/loop: fix race between I/O and set_status
jbd2: don't leak modified metadata buffers on an aborted journal
Fix: Disable sys_membarrier when nohz_full is enabled
sd: get disk reference in sd_check_events()
scsi: use 'scsi_device_from_queue()' for scsi_dh
scsi: aacraid: Reorder Adapter status check
scsi: storvsc: properly set residual data length on errors
scsi: storvsc: properly handle SRB_ERROR when sense message is present
scsi: storvsc: use tagged SRB requests if supported by the device
dm stats: fix a leaked s->histogram_boundaries array
dm cache: fix corruption seen when using cache > 2TB
ipc/shm: Fix shmat mmap nil-page protection
mm: do not access page->mapping directly on page_endio
mm: vmpressure: fix sending wrong events on underflow
mm/page_alloc: fix nodes for reclaim in fast path
iommu/vt-d: Tylersburg isoch identity map check is done too late.
iommu/vt-d: Fix some macros that are incorrectly specified in intel-iommu
regulator: Fix regulator_summary for deviceless consumers
staging: rtl: fix possible NULL pointer dereference
ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
ALSA: seq: Fix link corruption by event error handling
ALSA: ctxfi: Fallback DMA mask to 32bit
ALSA: timer: Reject user params with too small ticks
ALSA: hda - fix Lewisburg audio issue
ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
ARM: dts: at91: Enable DMA on sama5d2_xplained console
ARM: dts: at91: Enable DMA on sama5d4_xplained console
ARM: at91: define LPDDR types
media: fix dm1105.c build error
uvcvideo: Fix a wrong macro
am437x-vpfe: always assign bpp variable
MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
MIPS: Calculate microMIPS ra properly when unwinding the stack
MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
MIPS: Fix get_frame_info() handling of microMIPS function size
MIPS: Prevent unaligned accesses during stack unwinding
MIPS: Clear ISA bit correctly in get_frame_info()
MIPS: Lantiq: Keep ethernet enabled during boot
MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
MIPS: BCM47XX: Fix button inversion for Asus WL-500W
MIPS: Fix special case in 64 bit IP checksumming.
samples: move mic/mpssd example code from Documentation
Linux 4.4.52
kvm: vmx: ensure VMCS is current while enabling PML
Revert "usb: chipidea: imx: enable CI_HDRC_SET_NON_ZERO_TTHA"
rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
block: fix double-free in the failure path of cgwb_bdi_init()
goldfish: Sanitize the broken interrupt handler
x86/platform/goldfish: Prevent unconditional loading
USB: serial: ark3116: fix register-accessor error handling
USB: serial: opticon: fix CTS retrieval at open
USB: serial: spcp8x5: fix modem-status handling
USB: serial: ftdi_sio: fix line-status over-reporting
USB: serial: ftdi_sio: fix extreme low-latency setting
USB: serial: ftdi_sio: fix modem-status error handling
USB: serial: cp210x: add new IDs for GE Bx50v3 boards
USB: serial: mos7840: fix another NULL-deref at open
tty: serial: msm: Fix module autoload
net: socket: fix recvmmsg not returning error from sock_error
ip: fix IP_CHECKSUM handling
irda: Fix lockdep annotations in hashbin_delete().
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
packet: Do not call fanout_release from atomic contexts
packet: fix races in fanout_add()
net/llc: avoid BUG_ON() in skb_orphan()
blk-mq: really fix plug list flushing for nomerge queues
rtc: interface: ignore expired timers when enqueuing new timers
rtlwifi: rtl_usb: Fix missing entry in USB driver's private data
Linux 4.4.51
mmc: core: fix multi-bit bus width without high-speed mode
bcache: Make gc wakeup sane, remove set_task_state()
ntb_transport: Pick an unused queue
NTB: ntb_transport: fix debugfs_remove_recursive
printk: use rcuidle console tracepoint
ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
futex: Move futex_init() to core_initcall
drm/dp/mst: fix kernel oops when turning off secondary monitor
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
Input: elan_i2c - add ELAN0605 to the ACPI table
Fix missing sanity check in /dev/sg
scsi: don't BUG_ON() empty DMA transfers
fuse: fix use after free issue in fuse_dev_do_read()
siano: make it work again with CONFIG_VMAP_STACK
vfs: fix uninitialized flags in splice_to_pipe()
Linux 4.4.50
l2tp: do not use udp_ioctl()
ping: fix a null pointer dereference
packet: round up linear to header len
net: introduce device min_header_len
sit: fix a double free on error path
sctp: avoid BUG_ON on sctp_wait_for_sndbuf
mlx4: Invoke softirqs after napi_reschedule
macvtap: read vnet_hdr_size once
tun: read vnet_hdr_sz once
tcp: avoid infinite loop in tcp_splice_read()
ipv6: tcp: add a missing tcp_v6_restore_cb()
ip6_gre: fix ip6gre_err() invalid reads
netlabel: out of bound access in cipso_v4_validate()
ipv4: keep skb->dst around in presence of IP options
net: use a work queue to defer net_disable_timestamp() work
tcp: fix 0 divide in __tcp_select_window()
ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
ipv6: fix ip6_tnl_parse_tlv_enc_lim()
can: Fix kernel panic at security_sock_rcv_skb
Conflicts:
drivers/scsi/sd.c
drivers/usb/gadget/function/f_fs.c
drivers/usb/host/xhci-plat.c
CRs-Fixed: 2023471
Change-Id: I396051a8de30271af77b3890d4b19787faa1c31e
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
[ Upstream commit 72fb96e7bdbbdd4421b0726992496531060f3636 ]
udp_ioctl(), as its name suggests, is used by UDP protocols,
but is also used by L2TP :(
L2TP should use its own handler, because it really does not
look the same.
SIOCINQ for instance should not assume UDP checksum or headers.
Thanks to Andrey and syzkaller team for providing the report
and a nice reproducer.
While crashes only happen on recent kernels (after commit
7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")), this
probably needs to be backported to older kernels.
Fixes: 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")
Fixes: 8558467201 ("udp: Fix udp_poll() and ioctl()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
Bug: 16355602
Change-Id: I910504b508948057912bc188fd1e8aca28294de3
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[AmitP: A little bit of refactoring because of LTS cherry-pick commit
e5abc10d19 ("tcp: fix NULL deref in tcp_v4_send_ack()")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]
pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
right place.
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch addresses multiple problems :
UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.
Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())
This patch adds full RCU protection to np->opt
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
When creating a IP encapsulated tunnel the necessary l2tp module
should be loaded. It already works for UDP encapsulation, it just
doesn't work for direct IP encap.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.
Cc: Christoph Hellwig <hch@lst.de>
Suggested-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This encapsulates all of the skb_copy_datagram_iovec() callers
with call argument signature "skb, offset, msghdr->msg_iov, length".
When we move to iov_iters in the networking, the iov_iter object will
sit in the msghdr.
Having a helper like this means there will be less places to touch
during that transformation.
Based upon descriptions and patch from Al Viro.
Signed-off-by: David S. Miller <davem@davemloft.net>
It doesn't seem like an protocols are setting anything other
than the default, and allowing to arbitrarily disable checksums
for a whole protocol seems dangerous. This can be done on a per
socket basis.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This replaces 6 identical code snippets with a call to a new
static inline function.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Some ipv6 protocols cannot handle ipv4 addresses, so we must not allow
connecting and binding to them. sendmsg logic does already check msg->name
for this but must trust already connected sockets which could be set up
for connection to ipv4 address family.
Per-socket flag ipv6only is of no use here, as it is under users control
by setsockopt.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This is a follow-up patch to f3d3342602 ("net: rework recvmsg
handler msg_name and msg_namelen logic").
DECLARE_SOCKADDR validates that the structure we use for writing the
name information to is not larger than the buffer which is reserved
for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
consistently in sendmsg code paths.
Signed-off-by: Steffen Hurrle <steffen@hurrle.net>
Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert says:
====================
pull request (net-next): ipsec-next 2013-12-19
1) Use the user supplied policy index instead of a generated one
if present. From Fan Du.
2) Make xfrm migration namespace aware. From Fan Du.
3) Make the xfrm state and policy locks namespace aware. From Fan Du.
4) Remove ancient sleeping when the SA is in acquire state,
we now queue packets to the policy instead. This replaces the
sleeping code.
5) Remove FLOWI_FLAG_CAN_SLEEP. This was used to notify xfrm about the
posibility to sleep. The sleeping code is gone, so remove it.
6) Check user specified spi for IPComp. Thr spi for IPcomp is only
16 bit wide, so check for a valid value. From Fan Du.
7) Export verify_userspi_info to check for valid user supplied spi ranges
with pfkey and netlink. From Fan Du.
8) RFC3173 states that if the total size of a compressed payload and the IPComp
header is not smaller than the size of the original payload, the IP datagram
must be sent in the original non-compressed form. These packets are dropped
by the inbound policy check because they are not transformed. Document the need
to set 'level use' for IPcomp to receive such packets anyway. From Fan Du.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch is following b579035ff7
"ipv6: remove old conditions on flow label sharing"
Since there is no reason to restrict a label to a
destination, we should not erase the destination value of a
socket with the value contained in the flow label storage.
This patch allows to really have the same flow label to more
than one destination.
Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
FLOWI_FLAG_CAN_SLEEP was used to notify xfrm about the posibility
to sleep until the needed states are resolved. This code is gone,
so FLOWI_FLAG_CAN_SLEEP is not needed anymore.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Commit bceaa90240 ("inet: prevent leakage
of uninitialized memory to user in recv syscalls") conditionally updated
addr_len if the msg_name is written to. The recv_error and rxpmtu
functions relied on the recvmsg functions to set up addr_len before.
As this does not happen any more we have to pass addr_len to those
functions as well and set it to the size of the corresponding sockaddr
length.
This broke traceroute and such.
Fixes: bceaa90240 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
Reported-by: Brad Spengler <spender@grsecurity.net>
Reported-by: Tom Labanowski
Cc: mpb <mpb.mail@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.
Initialize l2tp_conn_id with 0 to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
l2tp_core hooks UDP's .destroy handler to gain advance warning of a tunnel
socket being closed from userspace. We need to do the same thing for
IP-encapsulation sockets.
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
l2tp_ip6 is incorrectly using the IPv4-specific ip_cmsg_recv to handle
ancillary data. This means that socket options such as IPV6_RECVPKTINFO are
not honoured in userspace.
Convert l2tp_ip6 to use the IPv6-specific handler.
Ref: net/ipv6/udp.c
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: Chris Elston <celston@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The datagram_*_ctl functions in net/ipv6/datagram.c are IPv6-specific. Since
datagram_send_ctl is publicly exported it should be appropriately named to
reflect the fact that it's for IPv6 only.
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The L2TP code for IPv6 fails to initialize the l2tp_unused member of
struct sockaddr_l2tpip6 and that for leaks two bytes kernel stack via
the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the
info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
An application may call connect() to disconnect a socket using an
address with family AF_UNSPEC. The L2TP IP sockets were not handling
this case when the socket is not bound and an attempt to connect()
using AF_UNSPEC in such cases would result in an oops. This patch
addresses the problem by protecting the sk_prot->disconnect() call
against trying to unhash the socket before it is bound.
The L2TP IPv4 and IPv6 sockets have the same problem. Both are fixed
by this patch.
The patch also adds more checks that the sockaddr supplied to bind()
and connect() calls is valid.
RIP: 0010:[<ffffffff82e133b0>] [<ffffffff82e133b0>] inet_unhash+0x50/0xd0
RSP: 0018:ffff88001989be28 EFLAGS: 00010293
Stack:
ffff8800407a8000 0000000000000000 ffff88001989be78 ffffffff82e3a249
ffffffff82e3a050 ffff88001989bec8 ffff88001989be88 ffff8800407a8000
0000000000000010 ffff88001989bec8 ffff88001989bea8 ffffffff82e42639
Call Trace:
[<ffffffff82e3a249>] udp_disconnect+0x1f9/0x290
[<ffffffff82e42639>] inet_dgram_connect+0x29/0x80
[<ffffffff82d012fc>] sys_connect+0x9c/0x100
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Use more current logging styles.
Add pr_fmt to prefix output appropriately.
Convert printks to pr_<level>.
Convert PRINTK macros to new l2tp_<level> macros.
Neaten some <foo>_refcount debugging macros.
Use print_hex_dump_bytes instead of hand-coded loops.
Coalesce formats and align arguments.
Some KERN_DEBUG output is not now emitted unless
dynamic_debugging is enabled.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
L2TPv3 defines an IP encapsulation packet format where data is carried
directly over IP (no UDP). The kernel already has support for L2TP IP
encapsulation over IPv4 (l2tp_ip). This patch introduces support for
L2TP IP encapsulation over IPv6.
The implementation is derived from ipv6/raw and ipv4/l2tp_ip.
Signed-off-by: Chris Elston <celston@katalix.com>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
