3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Apr 2014 22:33:11 +0000 (15:33 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Apr 2014 22:33:11 +0000 (15:33 -0700)
added patches:
bridge-multicast-add-sanity-check-for-query-source-addresses.patch
ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch
ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch
ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch
ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch
isdnloop-several-buffer-overflows.patch
isdnloop-validate-nul-terminated-strings-from-user.patch
netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch
net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch
net-socket-error-on-a-negative-msg_namelen.patch
net-unix-non-blocking-recvmsg-should-not-return-eintr.patch
rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch
vhost-fix-total-length-when-packets-are-too-short.patch
vhost-validate-vhost_get_vq_desc-return-value.patch
vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch
xen-netback-remove-pointless-clause-from-if-statement.patch

17 files changed:
queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch [new file with mode: 0644]
queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch [new file with mode: 0644]
queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch [new file with mode: 0644]
queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch [new file with mode: 0644]
queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch [new file with mode: 0644]
queue-3.4/isdnloop-several-buffer-overflows.patch [new file with mode: 0644]
queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch [new file with mode: 0644]
queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch [new file with mode: 0644]
queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch [new file with mode: 0644]
queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch [new file with mode: 0644]
queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch [new file with mode: 0644]
queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch [new file with mode: 0644]
queue-3.4/series [new file with mode: 0644]
queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch [new file with mode: 0644]
queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch [new file with mode: 0644]
queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch [new file with mode: 0644]
queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch [new file with mode: 0644]

diff --git a/queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch b/queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch
new file mode 100644 (file)
index 0000000..b7feb6b
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Linus Lüssing <linus.luessing@web.de>
+Date: Tue, 4 Mar 2014 03:57:35 +0100
+Subject: bridge: multicast: add sanity check for query source addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@web.de>
+
+[ Upstream commit 6565b9eeef194afbb3beec80d6dd2447f4091f8c ]
+
+MLD queries are supposed to have an IPv6 link-local source address
+according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch
+adds a sanity check to ignore such broken MLD queries.
+
+Without this check, such malformed MLD queries can result in a
+denial of service: The queries are ignored by any MLD listener
+therefore they will not respond with an MLD report. However,
+without this patch these malformed MLD queries would enable the
+snooping part in the bridge code, potentially shutting down the
+according ports towards these hosts for multicast traffic as the
+bridge did not learn about these listeners.
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1138,6 +1138,12 @@ static int br_ip6_multicast_query(struct
+       br_multicast_query_received(br, port, !ipv6_addr_any(&ip6h->saddr));
++      /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
++      if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
++              err = -EINVAL;
++              goto out;
++      }
++
+       if (skb->len == sizeof(*mld)) {
+               if (!pskb_may_pull(skb, sizeof(*mld))) {
+                       err = -EINVAL;
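Review bot: The new link-local check (the `if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL))` block) is placed after the `br_multicast_query_received(br, port, ...)` call on the line above it, so a query that is then rejected has already been reported as a received query; if that helper updates querier or timer state, a non-link-local sender can still influence it before the -EINVAL path is taken. Moving the check above that call, or at least adding a comment stating that the ordering is deliberate, would make the intent clear to the next reader. The enclosing br_ip6_multicast_query() starts and ends outside the hunk.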
diff --git a/queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch b/queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch
new file mode 100644 (file)
index 0000000..9d226c0
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Heiner Kallweit <heiner.kallweit@web.de>
+Date: Wed, 12 Mar 2014 22:13:19 +0100
+Subject: ipv6: Avoid unnecessary temporary addresses being generated
+
+From: Heiner Kallweit <heiner.kallweit@web.de>
+
+[ Upstream commit ecab67015ef6e3f3635551dcc9971cf363cc1cd5 ]
+
+tmp_prefered_lft is an offset to ifp->tstamp, not now. Therefore
+age needs to be added to the condition.
+
+Age calculation in ipv6_create_tempaddr is different from the one
+in addrconf_verify and doesn't consider ADDRCONF_TIMER_FUZZ_MINUS.
+This can cause age in ipv6_create_tempaddr to be less than the one
+in addrconf_verify and therefore unnecessary temporary address to
+be generated.
+Use age calculation as in addrconf_modify to avoid this.
+
+Signed-off-by: Heiner Kallweit <heiner.kallweit@web.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -897,8 +897,11 @@ retry:
+        * Lifetime is greater than REGEN_ADVANCE time units.  In particular,
+        * an implementation must not create a temporary address with a zero
+        * Preferred Lifetime.
++       * Use age calculation as in addrconf_verify to avoid unnecessary
++       * temporary addresses being generated.
+        */
+-      if (tmp_prefered_lft <= regen_advance) {
++      age = (now - tmp_tstamp + ADDRCONF_TIMER_FUZZ_MINUS) / HZ;
++      if (tmp_prefered_lft <= regen_advance + age) {
+               in6_ifa_put(ifp);
+               in6_dev_put(idev);
+               ret = -1;
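Review bot: The new comment in the hunk says the age calculation follows addrconf_verify, while the commit message says addrconf_modify; one of the two names is wrong, and the message reads like a typo for addrconf_verify, so the backport note should pick one. The result of `(now - tmp_tstamp + ADDRCONF_TIMER_FUZZ_MINUS) / HZ` is stored in `age`, which is declared outside the hunk; it is worth confirming that its type matches the unsigned jiffies arithmetic so the wrap-around stays well-defined. The enclosing ipv6_create_tempaddr() starts and ends outside the hunk.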
diff --git a/queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch b/queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch
new file mode 100644 (file)
index 0000000..e8d51fe
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 6 Mar 2014 17:51:57 +0100
+Subject: ipv6: don't set DST_NOCOUNT for remotely added routes
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit c88507fbad8055297c1d1e21e599f46960cbee39 ]
+
+DST_NOCOUNT should only be used if an authorized user adds routes
+locally. In case of routes which are added on behalf of router
+advertisments this flag must not get used as it allows an unlimited
+number of routes getting added remotely.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1302,7 +1302,7 @@ int ip6_route_add(struct fib6_config *cf
+       if (!table)
+               goto out;
+-      rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, DST_NOCOUNT);
++      rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT);
+       if (!rt) {
+               err = -ENOMEM;
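Review bot: The rewritten `ip6_dst_alloc()` call runs well past 80 columns and buries the security-relevant decision in a ternary inside an argument list; a named local reads better: `int dst_flags = (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT;` followed by `rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, dst_flags);`. A one-line comment such as `/* RA-learned routes are remotely triggered, so they must count against the route limit */` would also record why RTF_ADDRCONF is the discriminator, which the commit message explains but the code does not. The enclosing ip6_route_add() starts and ends outside the hunk.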
diff --git a/queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch b/queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch
new file mode 100644 (file)
index 0000000..71ea144
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: lucien <lucien.xin@gmail.com>
+Date: Mon, 17 Mar 2014 12:51:01 +0800
+Subject: ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
+
+From: lucien <lucien.xin@gmail.com>
+
+[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ]
+
+In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
+transport),the ipsec header need to be added in the first fragment, so the mtu
+will decrease to reserve space for it, then the second fragment come, the mtu
+should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74
+said.  however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
+*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
+equal with the first fragment's. and cannot turn back.
+
+when I test through  ping6 -c1 -s5000 $ip (mtu=1280):
+...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
+...frag (1232|1216)
+...frag (2448|1216)
+...frag (3664|1216)
+...frag (4880|164)
+
+which should be:
+...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
+...frag (1232|1232)
+...frag (2464|1232)
+...frag (3696|1232)
+...frag (4928|116)
+
+so delete the min() when change back the mtu.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |   14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1194,21 +1194,19 @@ static void ip6_append_data_mtu(unsigned
+                               unsigned int fragheaderlen,
+                               struct sk_buff *skb,
+                               struct rt6_info *rt,
+-                              bool pmtuprobe)
++                              unsigned int orig_mtu)
+ {
+       if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
+               if (skb == NULL) {
+                       /* first fragment, reserve header_len */
+-                      *mtu = *mtu - rt->dst.header_len;
++                      *mtu = orig_mtu - rt->dst.header_len;
+               } else {
+                       /*
+                        * this fragment is not first, the headers
+                        * space is regarded as data space.
+                        */
+-                      *mtu = min(*mtu, pmtuprobe ?
+-                                 rt->dst.dev->mtu :
+-                                 dst_mtu(rt->dst.path));
++                      *mtu = orig_mtu;
+               }
+               *maxfraglen = ((*mtu - fragheaderlen) & ~7)
+                             + fragheaderlen - sizeof(struct frag_hdr);
+@@ -1225,7 +1223,7 @@ int ip6_append_data(struct sock *sk, int
+       struct ipv6_pinfo *np = inet6_sk(sk);
+       struct inet_cork *cork;
+       struct sk_buff *skb, *skb_prev = NULL;
+-      unsigned int maxfraglen, fragheaderlen, mtu;
++      unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
+       int exthdrlen;
+       int dst_exthdrlen;
+       int hh_len;
+@@ -1310,6 +1308,7 @@ int ip6_append_data(struct sock *sk, int
+               dst_exthdrlen = 0;
+               mtu = cork->fragsize;
+       }
++      orig_mtu = mtu;
+       hh_len = LL_RESERVED_SPACE(rt->dst.dev);
+@@ -1392,8 +1391,7 @@ alloc_new_skb:
+                       if (skb == NULL || skb_prev == NULL)
+                               ip6_append_data_mtu(&mtu, &maxfraglen,
+                                                   fragheaderlen, skb, rt,
+-                                                  np->pmtudisc ==
+-                                                  IPV6_PMTUDISC_PROBE);
++                                                  orig_mtu);
+                       skb_prev = skb;
diff --git a/queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch b/queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch
new file mode 100644 (file)
index 0000000..74b7589
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 31 Mar 2014 20:14:10 +0200
+Subject: ipv6: some ipv6 statistic counters failed to disable bh
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit 43a43b6040165f7b40b5b489fe61a4cb7f8c4980 ]
+
+After commit c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify
+processing to workqueue") some counters are now updated in process context
+and thus need to disable bh before doing so, otherwise deadlocks can
+happen on 32-bit archs. Fabio Estevam noticed this while while mounting
+a NFS volume on an ARM board.
+
+As a compensation for missing this I looked after the other *_STATS_BH
+and found three other calls which need updating:
+
+1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling)
+2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ...
+   (only in case of icmp protocol with raw sockets in error handling)
+3) ping6_v6_sendmsg (error handling)
+
+Fixes: c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify processing to workqueue")
+Reported-by: Fabio Estevam <festevam@gmail.com>
+Tested-by: Fabio Estevam <fabio.estevam@freescale.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/icmp.c       |    2 +-
+ net/ipv6/ip6_output.c |    4 ++--
+ net/ipv6/mcast.c      |   11 ++++++-----
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -501,7 +501,7 @@ void icmpv6_send(struct sk_buff *skb, u8
+                             np->tclass, NULL, &fl6, (struct rt6_info*)dst,
+                             MSG_DONTWAIT, np->dontfrag);
+       if (err) {
+-              ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS);
++              ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
+               ip6_flush_pending_frames(sk);
+       } else {
+               err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1661,8 +1661,8 @@ int ip6_push_pending_frames(struct sock
+       if (proto == IPPROTO_ICMPV6) {
+               struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+-              ICMP6MSGOUT_INC_STATS_BH(net, idev, icmp6_hdr(skb)->icmp6_type);
+-              ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
++              ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type);
++              ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
+       }
+       err = ip6_local_out(skb);
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1430,11 +1430,12 @@ static void mld_sendpack(struct sk_buff
+                     dst_output);
+ out:
+       if (!err) {
+-              ICMP6MSGOUT_INC_STATS_BH(net, idev, ICMPV6_MLD2_REPORT);
+-              ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
+-              IP6_UPD_PO_STATS_BH(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
+-      } else
+-              IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_OUTDISCARDS);
++              ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT);
++              ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
++              IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
++      } else {
++              IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
++      }
+       rcu_read_unlock();
+       return;
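Review bot: The mcast.c hunk switches mld_sendpack() to the non-BH counters, but the Fixes: tag names c15b1ccadb323ea (DAD/addrconf_verify moved to a workqueue); if that commit is not part of the 3.4 tree, mld_sendpack() presumably still runs only from timer context here and the mcast.c change is harmless but unnecessary, so the backport note should say which of the three call sites listed in the message actually apply to this tree. The icmp.c and ip6_output.c hunks stand on their own, since the message describes their raw-socket and ip6_fragment error paths independently of the workqueue change. All three enclosing functions start and end outside their hunks.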
diff --git a/queue-3.4/isdnloop-several-buffer-overflows.patch b/queue-3.4/isdnloop-several-buffer-overflows.patch
new file mode 100644 (file)
index 0000000..1d973ec
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 8 Apr 2014 12:23:09 +0300
+Subject: isdnloop: several buffer overflows
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ]
+
+There are three buffer overflows addressed in this patch.
+
+1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
+then copy it into a 60 character buffer.  I have made the destination
+buffer 64 characters and I'm changed the sprintf() to a snprintf().
+
+2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
+character buffer so we have 54 characters.  The ->eazlist[] is 11
+characters long.  I have modified the code to return if the source
+buffer is too long.
+
+3) In isdnloop_command() the cbuf[] array was 60 characters long but the
+max length of the string then can be up to 79 characters.  I made the
+cbuf array 80 characters long and changed the sprintf() to snprintf().
+I also removed the temporary "dial" buffer and changed it to use "p"
+directly.
+
+Unfortunately, we pass the "cbuf" string from isdnloop_command() to
+isdnloop_writecmd() which truncates anything over 60 characters to make
+it fit in card->omsg[].  (It can accept values up to 255 characters so
+long as there is a '\n' character every 60 characters).  For now I have
+just fixed the memory corruption bug and left the other problems in this
+driver alone.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/isdnloop/isdnloop.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/isdn/isdnloop/isdnloop.c
++++ b/drivers/isdn/isdnloop/isdnloop.c
+@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[
+ static void
+ isdnloop_fake_err(isdnloop_card *card)
+ {
+-      char buf[60];
++      char buf[64];
+-      sprintf(buf, "E%s", card->omsg);
++      snprintf(buf, sizeof(buf), "E%s", card->omsg);
+       isdnloop_fake(card, buf, -1);
+       isdnloop_fake(card, "NAK", -1);
+ }
+@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
+       case 7:
+               /* 0x;EAZ */
+               p += 3;
++              if (strlen(p) >= sizeof(card->eazlist[0]))
++                      break;
+               strcpy(card->eazlist[ch - 1], p);
+               break;
+       case 8:
+@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
+ {
+       ulong a;
+       int i;
+-      char cbuf[60];
++      char cbuf[80];
+       isdn_ctrl cmd;
+       isdnloop_cdef cdef;
+@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
+                       break;
+               if ((c->arg & 255) < ISDNLOOP_BCH) {
+                       char *p;
+-                      char dial[50];
+                       char dcode[4];
+                       a = c->arg;
+@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
+                       } else
+                               /* Normal Dial */
+                               strcpy(dcode, "CAL");
+-                      strcpy(dial, p);
+-                      sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
+-                              dcode, dial, c->parm.setup.si1,
+-                              c->parm.setup.si2, c->parm.setup.eazmsn);
++                      snprintf(cbuf, sizeof(cbuf),
++                               "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
++                               dcode, p, c->parm.setup.si1,
++                               c->parm.setup.si2, c->parm.setup.eazmsn);
+                       i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card);
+               }
+               break;
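Review bot: The `snprintf()` into `cbuf` in the isdnloop_command() hunk discards its return value, so a command longer than the new 80-byte buffer would be silently truncated, dropping the trailing `\n` that the message says isdnloop_writecmd() relies on, while `strlen(cbuf)` then reports the truncated length as if it were complete. Capturing the result, `i = snprintf(cbuf, sizeof(cbuf), "%02d;D%s_R%s,%02d,%02d,%s\n", ...);` and then `if (i < 0 || i >= (int)sizeof(cbuf))` treating it as an error before the isdnloop_writecmd() call, turns the remaining truncation the message acknowledges into an explicit failure. The same return-value check applies to the new `snprintf()` in isdnloop_fake_err(). Both enclosing functions extend outside their hunks.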
diff --git a/queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch b/queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch
new file mode 100644 (file)
index 0000000..3f66dff
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Date: Wed, 2 Apr 2014 12:48:42 +0900
+Subject: isdnloop: Validate NUL-terminated strings from user.
+
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+
+[ Upstream commit 77bc6bed7121936bb2e019a8c336075f4c8eef62 ]
+
+Return -EINVAL unless all of user-given strings are correctly
+NUL-terminated.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/isdnloop/isdnloop.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/isdn/isdnloop/isdnloop.c
++++ b/drivers/isdn/isdnloop/isdnloop.c
+@@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card *card, isdn
+               return -EBUSY;
+       if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)))
+               return -EFAULT;
++
++      for (i = 0; i < 3; i++) {
++              if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i])))
++                      return -EINVAL;
++      }
++
+       spin_lock_irqsave(&card->isdnloop_lock, flags);
+       switch (sdef.ptype) {
+       case ISDN_PTYPE_EURO:
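Review bot: The new loop in isdnloop_start() hard-codes `3` as the bound for `sdef.num`, so it silently goes stale if that array is ever resized; `for (i = 0; i < ARRAY_SIZE(sdef.num); i++)` ties the bound to the declaration. The loop also reuses `i`, which is declared outside the hunk, so it is worth checking that no code below the hunk still expects its earlier value. The enclosing function starts and ends outside the hunk.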
diff --git a/queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch b/queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch
new file mode 100644 (file)
index 0000000..3bcfe4e
--- /dev/null
@@ -0,0 +1,120 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue, 4 Mar 2014 16:35:51 +0100
+Subject: net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
+
+From: Daniel Borkmann <dborkman@redhat.com>
+
+[ Upstream commit c485658bae87faccd7aed540fd2ca3ab37992310 ]
+
+While working on ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to
+verify if we/peer is AUTH capable"), we noticed that there's a skb
+memory leakage in the error path.
+
+Running the same reproducer as in ec0223ec48a9 and by unconditionally
+jumping to the error label (to simulate an error condition) in
+sctp_sf_do_5_1D_ce() receive path lets kmemleak detector bark about
+the unfreed chunk->auth_chunk skb clone:
+
+Unreferenced object 0xffff8800b8f3a000 (size 256):
+  comm "softirq", pid 0, jiffies 4294769856 (age 110.757s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    89 ab 75 5e d4 01 58 13 00 00 00 00 00 00 00 00  ..u^..X.........
+  backtrace:
+    [<ffffffff816660be>] kmemleak_alloc+0x4e/0xb0
+    [<ffffffff8119f328>] kmem_cache_alloc+0xc8/0x210
+    [<ffffffff81566929>] skb_clone+0x49/0xb0
+    [<ffffffffa0467459>] sctp_endpoint_bh_rcv+0x1d9/0x230 [sctp]
+    [<ffffffffa046fdbc>] sctp_inq_push+0x4c/0x70 [sctp]
+    [<ffffffffa047e8de>] sctp_rcv+0x82e/0x9a0 [sctp]
+    [<ffffffff815abd38>] ip_local_deliver_finish+0xa8/0x210
+    [<ffffffff815a64af>] nf_reinject+0xbf/0x180
+    [<ffffffffa04b4762>] nfqnl_recv_verdict+0x1d2/0x2b0 [nfnetlink_queue]
+    [<ffffffffa04aa40b>] nfnetlink_rcv_msg+0x14b/0x250 [nfnetlink]
+    [<ffffffff815a3269>] netlink_rcv_skb+0xa9/0xc0
+    [<ffffffffa04aa7cf>] nfnetlink_rcv+0x23f/0x408 [nfnetlink]
+    [<ffffffff815a2bd8>] netlink_unicast+0x168/0x250
+    [<ffffffff815a2fa1>] netlink_sendmsg+0x2e1/0x3f0
+    [<ffffffff8155cc6b>] sock_sendmsg+0x8b/0xc0
+    [<ffffffff8155d449>] ___sys_sendmsg+0x369/0x380
+
+What happens is that commit bbd0d59809f9 clones the skb containing
+the AUTH chunk in sctp_endpoint_bh_rcv() when having the edge case
+that an endpoint requires COOKIE-ECHO chunks to be authenticated:
+
+  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+  ------------------ AUTH; COOKIE-ECHO ---------------->
+  <-------------------- COOKIE-ACK ---------------------
+
+When we enter sctp_sf_do_5_1D_ce() and before we actually get to
+the point where we process (and subsequently free) a non-NULL
+chunk->auth_chunk, we could hit the "goto nomem_init" path from
+an error condition and thus leave the cloned skb around w/o
+freeing it.
+
+The fix is to centrally free such clones in sctp_chunk_destroy()
+handler that is invoked from sctp_chunk_free() after all refs have
+dropped; and also move both kfree_skb(chunk->auth_chunk) there,
+so that chunk->auth_chunk is either NULL (since sctp_chunkify()
+allocs new chunks through kmem_cache_zalloc()) or non-NULL with
+a valid skb pointer. chunk->skb and chunk->auth_chunk are the
+only skbs in the sctp_chunk structure that need to be handeled.
+
+While at it, we should use consume_skb() for both. It is the same
+as dev_kfree_skb() but more appropriately named as we are not
+a device but a protocol. Also, this effectively replaces the
+kfree_skb() from both invocations into consume_skb(). Functions
+are the same only that kfree_skb() assumes that the frame was
+being dropped after a failure (e.g. for tools like drop monitor),
+usage of consume_skb() seems more appropriate in function
+sctp_chunk_destroy() though.
+
+Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Vlad Yasevich <yasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c |    4 ++--
+ net/sctp/sm_statefuns.c  |    5 -----
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1366,8 +1366,8 @@ static void sctp_chunk_destroy(struct sc
+       BUG_ON(!list_empty(&chunk->list));
+       list_del_init(&chunk->transmitted_list);
+-      /* Free the chunk skb data and the SCTP_chunk stub itself. */
+-      dev_kfree_skb(chunk->skb);
++      consume_skb(chunk->skb);
++      consume_skb(chunk->auth_chunk);
+       SCTP_DBG_OBJCNT_DEC(chunk);
+       kmem_cache_free(sctp_chunk_cachep, chunk);
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -749,7 +749,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co
+               /* Make sure that we and the peer are AUTH capable */
+               if (!sctp_auth_enable || !new_asoc->peer.auth_capable) {
+-                      kfree_skb(chunk->auth_chunk);
+                       sctp_association_free(new_asoc);
+                       return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+               }
+@@ -764,10 +763,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co
+               auth.transport = chunk->transport;
+               ret = sctp_sf_authenticate(ep, new_asoc, type, &auth);
+-
+-              /* We can now safely free the auth_chunk clone */
+-              kfree_skb(chunk->auth_chunk);
+-
+               if (ret != SCTP_IERROR_NO_ERROR) {
+                       sctp_association_free(new_asoc);
+                       return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
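Review bot: The sm_make_chunk.c hunk drops the only comment in sctp_chunk_destroy() and replaces it with two bare `consume_skb()` calls, leaving the reader to work out that `chunk->auth_chunk` is normally NULL and that consume_skb(), like kfree_skb(), tolerates a NULL argument. A comment such as `/* auth_chunk is NULL unless an AUTH clone was attached on receive; consume_skb() accepts NULL */` preserves the invariant the commit message spells out (chunks come from kmem_cache_zalloc(), so the field is either NULL or a valid clone). The sm_statefuns.c hunks now rely on that central free, so removing the early kfree_skb() calls is correct only as long as nothing else takes ownership of auth_chunk between receive and destruction. All enclosing functions extend outside their hunks.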
diff --git a/queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch b/queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch
new file mode 100644 (file)
index 0000000..6dd3034
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Matthew Leach <matthew.leach@arm.com>
+Date: Tue, 11 Mar 2014 11:58:27 +0000
+Subject: net: socket: error on a negative msg_namelen
+
+From: Matthew Leach <matthew.leach@arm.com>
+
+[ Upstream commit dbb490b96584d4e958533fb637f08b557f505657 ]
+
+When copying in a struct msghdr from the user, if the user has set the
+msg_namelen parameter to a negative value it gets clamped to a valid
+size due to a comparison between signed and unsigned values.
+
+Ensure the syscall errors when the user passes in a negative value.
+
+Signed-off-by: Matthew Leach <matthew.leach@arm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1907,6 +1907,10 @@ static int copy_msghdr_from_user(struct
+ {
+       if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+               return -EFAULT;
++
++      if (kmsg->msg_namelen < 0)
++              return -EINVAL;
++
+       if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+               kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+       return 0;
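Review bot: The negative-length check is added only to copy_msghdr_from_user() in net/socket.c; the compat path (get_compat_msghdr() in net/compat.c) appears to clamp `msg_namelen` with the same signed-versus-unsigned comparison and is not touched here, so a 32-bit caller on a 64-bit kernel would keep the old behaviour. The same `if (kmsg->msg_namelen < 0) return -EINVAL;` belongs there too, or the backport note should say why that path is out of scope. The check is correctly placed before the clamp on the following line, since the clamp is what hides the negative value.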
diff --git a/queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch b/queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch
new file mode 100644 (file)
index 0000000..601ce96
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 25 Mar 2014 18:42:27 -0700
+Subject: net: unix: non blocking recvmsg() should not return -EINTR
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit de1443916791d75fdd26becb116898277bb0273f ]
+
+Some applications didn't expect recvmsg() on a non blocking socket
+could return -EINTR. This possibility was added as a side effect
+of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in
+unix recv routines").
+
+To hit this bug, you need to be a bit unlucky, as the u->readlock
+mutex is usually held for very small periods.
+
+Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1787,8 +1787,11 @@ static int unix_dgram_recvmsg(struct kio
+               goto out;
+       err = mutex_lock_interruptible(&u->readlock);
+-      if (err) {
+-              err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
++      if (unlikely(err)) {
++              /* recvmsg() in non blocking mode is supposed to return -EAGAIN
++               * sk_rcvtimeo is not honored by mutex_lock_interruptible()
++               */
++              err = noblock ? -EAGAIN : -ERESTARTSYS;
+               goto out;
+       }
+@@ -1910,6 +1913,7 @@ static int unix_stream_recvmsg(struct ki
+       struct unix_sock *u = unix_sk(sk);
+       struct sockaddr_un *sunaddr = msg->msg_name;
+       int copied = 0;
++      int noblock = flags & MSG_DONTWAIT;
+       int check_creds = 0;
+       int target;
+       int err = 0;
+@@ -1925,7 +1929,7 @@ static int unix_stream_recvmsg(struct ki
+               goto out;
+       target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
+-      timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT);
++      timeo = sock_rcvtimeo(sk, noblock);
+       /* Lock the socket to prevent queue disordering
+        * while sleeps in memcpy_tomsg
+@@ -1937,8 +1941,11 @@ static int unix_stream_recvmsg(struct ki
+       }
+       err = mutex_lock_interruptible(&u->readlock);
+-      if (err) {
+-              err = sock_intr_errno(timeo);
++      if (unlikely(err)) {
++              /* recvmsg() in non blocking mode is supposed to return -EAGAIN
++               * sk_rcvtimeo is not honored by mutex_lock_interruptible()
++               */
++              err = noblock ? -EAGAIN : -ERESTARTSYS;
+               goto out;
+       }
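Review bot: The replacement `err = noblock ? -EAGAIN : -ERESTARTSYS;` in both unix_dgram_recvmsg() and unix_stream_recvmsg() changes more than the non-blocking case: sock_intr_errno() returns -EINTR rather than -ERESTARTSYS when a finite SO_RCVTIMEO is set, so blocking sockets with a receive timeout now get a restartable error where they previously got -EINTR. If that is intended the new comment should say so; otherwise `err = noblock ? -EAGAIN : sock_intr_errno(timeo);` keeps the old semantics in the stream case (the dgram case would need the timeout computed as before). The four-line block and its comment are also duplicated verbatim between the two functions and could be one small static helper. Both enclosing functions start and end outside their hunks.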
diff --git a/queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch b/queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch
new file mode 100644 (file)
index 0000000..55b3725
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Pablo Neira <pablo@netfilter.org>
+Date: Tue, 1 Apr 2014 19:38:44 +0200
+Subject: netlink: don't compare the nul-termination in nla_strcmp
+
+From: Pablo Neira <pablo@netfilter.org>
+
+[ Upstream commit 8b7b932434f5eee495b91a2804f5b64ebb2bc835 ]
+
+nla_strcmp compares the string length plus one, so it's implicitly
+including the nul-termination in the comparison.
+
+ int nla_strcmp(const struct nlattr *nla, const char *str)
+ {
+        int len = strlen(str) + 1;
+        ...
+                d = memcmp(nla_data(nla), str, len);
+
+However, if NLA_STRING is used, userspace can send us a string without
+the nul-termination. This is a problem since the string
+comparison will not match as the last byte may be not the
+nul-termination.
+
+Fix this by skipping the comparison of the nul-termination if the
+attribute data is nul-terminated. Suggested by Thomas Graf.
+
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/nlattr.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -299,9 +299,15 @@ int nla_memcmp(const struct nlattr *nla,
+  */
+ int nla_strcmp(const struct nlattr *nla, const char *str)
+ {
+-      int len = strlen(str) + 1;
+-      int d = nla_len(nla) - len;
++      int len = strlen(str);
++      char *buf = nla_data(nla);
++      int attrlen = nla_len(nla);
++      int d;
++      if (attrlen > 0 && buf[attrlen - 1] == '\0')
++              attrlen--;
++
++      d = attrlen - len;
+       if (d == 0)
+               d = memcmp(nla_data(nla), str, len);
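Review bot: `buf` in the new declarations is only ever read, so it should be `const char *buf = nla_data(nla);`, and the `memcmp()` on the last hunk line should reuse it rather than call `nla_data(nla)` a second time: `d = memcmp(buf, str, len);`. The `attrlen > 0 &&` guard before `buf[attrlen - 1]` is the only thing keeping an empty attribute from indexing one byte before the payload, which deserves a one-line comment such as `/* tolerate exactly one trailing NUL; userspace may send NLA_STRING with or without it */`. `int len = strlen(str);` keeps the old code's narrowing of a `size_t` into an `int`; harmless for the kernel-side strings this is called with, but worth noting if the file is built with conversion warnings. nla_strcmp's closing `return d;` lies outside the hunk.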
diff --git a/queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch b/queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch
new file mode 100644 (file)
index 0000000..7595e8e
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Sat, 29 Mar 2014 20:39:35 -0400
+Subject: rds: prevent dereference of a NULL device in rds_iw_laddr_check
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+[ Upstream commit bf39b4247b8799935ea91d90db250ab608a58e50 ]
+
+Binding might result in a NULL device which is later dereferenced
+without checking.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/iw.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/iw.c
++++ b/net/rds/iw.c
+@@ -239,7 +239,8 @@ static int rds_iw_laddr_check(__be32 add
+       ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
+       /* due to this, we will claim to support IB devices unless we
+          check node_type. */
+-      if (ret || cm_id->device->node_type != RDMA_NODE_RNIC)
++      if (ret || !cm_id->device ||
++          cm_id->device->node_type != RDMA_NODE_RNIC)
+               ret = -EADDRNOTAVAIL;
+       rdsdebug("addr %pI4 ret %d node type %d\n",
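Review bot: The `rdsdebug()` call that begins on the last hunk line prints `node type %d`, and its arguments continue outside the hunk; if that argument is `cm_id->device->node_type` without its own NULL test, the NULL `cm_id->device` the new clause guards against is still dereferenced one statement later, so please confirm it reads along the lines of `cm_id->device ? cm_id->device->node_type : -1`. The added `!cm_id->device ||` clause itself is correctly placed after `ret ||` and before the `->node_type` dereference, so `&&`/`||` short-circuiting protects the fixed site. rds_iw_laddr_check begins and ends outside the hunk.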
diff --git a/queue-3.4/series b/queue-3.4/series
new file mode 100644 (file)
index 0000000..c028d10
--- /dev/null
@@ -0,0 +1,16 @@
+net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch
+bridge-multicast-add-sanity-check-for-query-source-addresses.patch
+net-unix-non-blocking-recvmsg-should-not-return-eintr.patch
+ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch
+vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch
+net-socket-error-on-a-negative-msg_namelen.patch
+ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch
+ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch
+vhost-fix-total-length-when-packets-are-too-short.patch
+vhost-validate-vhost_get_vq_desc-return-value.patch
+xen-netback-remove-pointless-clause-from-if-statement.patch
+ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch
+netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch
+isdnloop-validate-nul-terminated-strings-from-user.patch
+isdnloop-several-buffer-overflows.patch
+rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch
diff --git a/queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch b/queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch
new file mode 100644 (file)
index 0000000..01a8b28
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+Subject: vhost: fix total length when packets are too short
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+[ Upstream commit d8316f3991d207fe32881a9ac20241be8fa2bad0 ]
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -351,6 +351,12 @@ static int get_rx_bufs(struct vhost_virt
+       *iovcount = seg;
+       if (unlikely(log))
+               *log_num = nlogs;
++
++      /* Detect overrun */
++      if (unlikely(datalen > 0)) {
++              r = UIO_MAXIOV + 1;
++              goto err;
++      }
+       return headcount;
+ err:
+       vhost_discard_vq_desc(vq, headcount);
+@@ -405,6 +411,14 @@ static void handle_rx(struct vhost_net *
+               /* On error, stop handling until the next kick. */
+               if (unlikely(headcount < 0))
+                       break;
++              /* On overrun, truncate and discard */
++              if (unlikely(headcount > UIO_MAXIOV)) {
++                      msg.msg_iovlen = 1;
++                      err = sock->ops->recvmsg(NULL, sock, &msg,
++                                               1, MSG_DONTWAIT | MSG_TRUNC);
++                      pr_debug("Discarded rx packet: len %zd\n", sock_len);
++                      continue;
++              }
+               /* OK, now we need to know about added descriptors. */
+               if (!headcount) {
+                       if (unlikely(vhost_enable_notify(&net->dev, vq))) {
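Review bot: `r = UIO_MAXIOV + 1;` in get_rx_bufs() is an in-band sentinel: the same `int` that normally carries a descriptor count or a negative errno now also signals an overrun, and the only link to the `headcount > UIO_MAXIOV` test in handle_rx() is a shared magic expression in two functions. A named constant, or at least a comment at the assignment such as `/* > UIO_MAXIOV: tell handle_rx() the packet exceeds the rx buffers so it truncates and discards */`, would keep the two sites from drifting apart. In the discard branch `err` receives the `recvmsg()` result but is never checked before `continue`; if that is deliberate because the packet is dropped either way, a short comment saying so would help, and if `recvmsg()` can fail here the loop presumably re-peeks the same packet. Both get_rx_bufs() and handle_rx() begin and end outside their hunks.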
diff --git a/queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch b/queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch
new file mode 100644 (file)
index 0000000..d60cf1e
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 27 Mar 2014 12:53:37 +0200
+Subject: vhost: validate vhost_get_vq_desc return value
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+[ Upstream commit a39ee449f96a2cd44ce056d8a0a112211a9b1a1f ]
+
+vhost fails to validate negative error code
+from vhost_get_vq_desc causing
+a crash: we are using -EFAULT which is 0xfffffff2
+as vector size, which exceeds the allocated size.
+
+The code in question was introduced in commit
+8dd014adfea6f173c1ef6378f7e5e7924866c923
+    vhost-net: mergeable buffers support
+
+CVE-2014-0055
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -324,9 +324,13 @@ static int get_rx_bufs(struct vhost_virt
+                       r = -ENOBUFS;
+                       goto err;
+               }
+-              d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
++              r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+                                     ARRAY_SIZE(vq->iov) - seg, &out,
+                                     &in, log, log_num);
++              if (unlikely(r < 0))
++                      goto err;
++
++              d = r;
+               if (d == vq->num) {
+                       r = 0;
+                       goto err;
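Review bot: The added `if (unlikely(r < 0)) goto err;` depends on the `err:` path, which lies outside this hunk, handing the negative `r` back unchanged so that handle_rx()'s `headcount < 0` test catches it; a comment on the check would make that contract explicit, e.g. `/* negative r is an errno from vhost_get_vq_desc(); err: presumably returns it after giving back the descriptors taken so far */`. Copying `r` into `d` only after the sign check is the right order, since `d` is then compared against `vq->num` and treated as a descriptor head below. get_rx_bufs() begins and ends outside the hunk.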
diff --git a/queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch b/queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch
new file mode 100644 (file)
index 0000000..9ae49c1
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Peter Boström <peter.bostrom@netrounds.com>
+Date: Mon, 10 Mar 2014 16:17:15 +0100
+Subject: vlan: Set correct source MAC address with TX VLAN offload enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Boström <peter.bostrom@netrounds.com>
+
+[ Upstream commit dd38743b4cc2f86be250eaf156cf113ba3dd531a ]
+
+With TX VLAN offload enabled the source MAC address for frames sent using the
+VLAN interface is currently set to the address of the real interface. This is
+wrong since the VLAN interface may be configured with a different address.
+
+The bug was introduced in commit 2205369a314e12fcec4781cc73ac9c08fc2b47de
+("vlan: Fix header ops passthru when doing TX VLAN offload.").
+
+This patch sets the source address before calling the create function of the
+real interface.
+
+Signed-off-by: Peter Boström <peter.bostrom@netrounds.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -533,6 +533,9 @@ static int vlan_passthru_hard_header(str
+       struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+       struct net_device *real_dev = vlan->real_dev;
++      if (saddr == NULL)
++              saddr = dev->dev_addr;
++
+       return dev_hard_header(skb, real_dev, type, daddr, saddr, len);
+ }
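Review bot: Kernel style (and checkpatch) prefer `if (!saddr)` to `if (saddr == NULL)` on the added line. The fallback picks `dev->dev_addr`, the VLAN device's own address rather than `real_dev`'s, which is the point of the fix; a short comment would spare the next reader a trip to the commit log, e.g. `/* default to the VLAN dev's address, not real_dev's, when the caller gave none */`. vlan_passthru_hard_header's signature is outside the hunk.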
diff --git a/queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch b/queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch
new file mode 100644 (file)
index 0000000..66696e0
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Mon Apr 14 15:32:12 PDT 2014
+From: Paul Durrant <Paul.Durrant@citrix.com>
+Date: Fri, 28 Mar 2014 11:39:05 +0000
+Subject: xen-netback: remove pointless clause from if statement
+
+From: Paul Durrant <Paul.Durrant@citrix.com>
+
+[ Upstream commit 0576eddf24df716d8570ef8ca11452a9f98eaab2 ]
+
+This patch removes a test in start_new_rx_buffer() that checks whether
+a copy operation is less than MAX_BUFFER_OFFSET in length, since
+MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of
+start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less.
+
+Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
+Cc: Ian Campbell <ian.campbell@citrix.com>
+Cc: Wei Liu <wei.liu2@citrix.com>
+Cc: Sander Eikelenboom <linux@eikelenboom.it>
+Reported-By: Sander Eikelenboom <linux@eikelenboom.it>
+Tested-By: Sander Eikelenboom <linux@eikelenboom.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -338,8 +338,8 @@ static bool start_new_rx_buffer(int offs
+        * into multiple copies tend to give large frags their
+        * own buffers as before.
+        */
+-      if ((offset + size > MAX_BUFFER_OFFSET) &&
+-          (size <= MAX_BUFFER_OFFSET) && offset && !head)
++      BUG_ON(size > MAX_BUFFER_OFFSET);
++      if ((offset + size > MAX_BUFFER_OFFSET) && offset && !head)
+               return true;
+       return false;
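Review bot: Replacing the `size <= MAX_BUFFER_OFFSET` clause with `BUG_ON(size > MAX_BUFFER_OFFSET)` turns a condition the old code tolerated into a host panic, so the invariant that makes it safe (per the description, the only caller caps copies at PAGE_SIZE) is now enforced by a crash rather than by this function, and `size` presumably originates from the skb being forwarded. If the BUG_ON stays, a comment at that line naming the caller that guarantees the bound would document the assumption; otherwise `WARN_ON_ONCE` followed by a graceful return would fail closed without taking the host down. start_new_rx_buffer's signature is outside the hunk.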