.27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 19:58:19 +0000 (11:58 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 7 Dec 2010 19:58:19 +0000 (11:58 -0800)
15 files changed:
queue-2.6.27/can-bcm-fix-minor-heap-overflow.patch [new file with mode: 0644]
queue-2.6.27/ipv6-conntrack-add-member-of-user-to-nf_ct_frag6_queue-structure.patch [new file with mode: 0644]
queue-2.6.27/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch [new file with mode: 0644]
queue-2.6.27/memory-corruption-in-x.25-facilities-parsing.patch [new file with mode: 0644]
queue-2.6.27/net-clear-heap-allocations-for-privileged-ethtool-actions.patch [new file with mode: 0644]
queue-2.6.27/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch [new file with mode: 0644]
queue-2.6.27/net-fix-the-condition-passed-to-sk_wait_event.patch [new file with mode: 0644]
queue-2.6.27/net-truncate-recvfrom-and-sendto-length-to-int_max.patch [new file with mode: 0644]
queue-2.6.27/rose-fix-signedness-issues-wrt.-digi-count.patch [new file with mode: 0644]
queue-2.6.27/series
queue-2.6.27/tcp-fix-race-in-tcp_poll.patch [new file with mode: 0644]
queue-2.6.27/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch [new file with mode: 0644]
queue-2.6.27/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch [new file with mode: 0644]
queue-2.6.27/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch [new file with mode: 0644]
queue-2.6.27/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch [new file with mode: 0644]

diff --git a/queue-2.6.27/can-bcm-fix-minor-heap-overflow.patch b/queue-2.6.27/can-bcm-fix-minor-heap-overflow.patch
new file mode 100644 (file)
index 0000000..c004a5b
--- /dev/null
@@ -0,0 +1,35 @@
+From 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 10 Nov 2010 12:10:30 +0000
+Subject: can-bcm: fix minor heap overflow
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
+
+On 64-bit platforms the ASCII representation of a pointer may be up to 17
+bytes long. This patch increases the length of the buffer accordingly.
+
+http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+CC: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/bcm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -121,7 +121,7 @@ struct bcm_sock {
+       struct list_head tx_ops;
+       unsigned long dropped_usr_msgs;
+       struct proc_dir_entry *bcm_proc_read;
+-      char procname [9]; /* pointer printed in ASCII with \0 */
++      char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
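Review bot: `char procname [20]` is still an unexplained magic size, and nothing in the hunk bounds the write into it — the `sprintf("%p", …)` that produces the 17-byte string the commit message mentions is outside the hunk. Derive the size from the pointer width and say what it holds, e.g. `char procname[2 * sizeof(void *) + 4]; /* "%p" of the socket as text plus NUL */`, and if the writer is a plain sprintf, switch it to `snprintf(…, sizeof(procname), "%p", …)` so a future format change cannot reopen this overflow. Which neighbour the old 9-byte buffer overflowed into depends on layout not shown here. struct bcm_sock begins before the hunk.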
diff --git a/queue-2.6.27/ipv6-conntrack-add-member-of-user-to-nf_ct_frag6_queue-structure.patch b/queue-2.6.27/ipv6-conntrack-add-member-of-user-to-nf_ct_frag6_queue-structure.patch
new file mode 100644 (file)
index 0000000..b37e86c
--- /dev/null
@@ -0,0 +1,37 @@
+From c92b544bd5d8e7ed7d81c77bbecab6df2a95aa53 Mon Sep 17 00:00:00 2001
+From: Shan Wei <shanwei@cn.fujitsu.com>
+Date: Tue, 26 Jan 2010 02:40:38 +0000
+Subject: ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure
+
+From: Shan Wei <shanwei@cn.fujitsu.com>
+
+commit c92b544bd5d8e7ed7d81c77bbecab6df2a95aa53 upstream.
+
+The commit 0b5ccb2(title:ipv6: reassembly: use seperate reassembly queues for
+conntrack and local delivery) has broken the saddr&&daddr member of
+nf_ct_frag6_queue when creating new queue.  And then hash value
+generated by nf_hashfn() was not equal with that generated by fq_find().
+So, a new received fragment can't be inserted to right queue.
+
+The patch fixes the bug with adding member of user to nf_ct_frag6_queue structure.
+
+Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Pascal Hambourg <pascal@plouf.fr.eu.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -64,6 +64,7 @@ struct nf_ct_frag6_queue
+       struct inet_frag_queue  q;
+       __be32                  id;             /* fragment id          */
++      u32                     user;
+       struct in6_addr         saddr;
+       struct in6_addr         daddr;
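Review bot: The new `u32 user;` member restores a layout dependency that nothing in the code states: per the commit message the hash computed by nf_hashfn() stopped matching fq_find() because this field was missing, which implies struct nf_ct_frag6_queue must stay field-for-field aligned with the IPv6 reassembly queue it is compared against (presumably struct frag_queue in net/ipv6/reassembly.c; neither function is in the hunk, so this is inferred). Add a comment on the member, e.g. `u32 user; /* keep layout in sync with the ipv6 reassembly queue: shared hash/match code reads it via the common prefix */`, or better a BUILD_BUG_ON on the field offsets where both definitions are visible, so the next reordering does not silently break fragment matching again. The struct definition begins before the hunk.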
diff --git a/queue-2.6.27/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch b/queue-2.6.27/limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
new file mode 100644 (file)
index 0000000..7241a4e
--- /dev/null
@@ -0,0 +1,88 @@
+From 92988de9edaa8e54456640dbcd866e74c558c911 Mon Sep 17 00:00:00 2001
+From: Robin Holt <holt@sgi.com>
+Date: Wed, 20 Oct 2010 02:03:37 +0000
+Subject: Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
+
+From: Robin Holt <holt@sgi.com>
+
+[ Problem was fixed differently upstream. -DaveM ]
+
+On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
+sysctl_sctp_mem[2] can integer overflow.  Set limit such that they are
+maximized without overflowing.
+
+Signed-off-by: Robin Holt <holt@sgi.com>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: linux-kernel@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-sctp@vger.kernel.org
+Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
+Cc: James Morris <jmorris@namei.org>
+Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+Cc: Sridhar Samudrala <sri@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp.c      |    4 +++-
+ net/ipv4/udp.c      |    4 +++-
+ net/sctp/protocol.c |    4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2754,12 +2754,14 @@ void __init tcp_init(void)
+       /* Set the pressure threshold to be a fraction of global memory that
+        * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
+-       * memory, with a floor of 128 pages.
++       * memory, with a floor of 128 pages, and a ceiling that prevents an
++       * integer overflow.
+        */
+       nr_pages = totalram_pages - totalhigh_pages;
+       limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_tcp_mem[0] = limit / 4 * 3;
+       sysctl_tcp_mem[1] = limit;
+       sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1722,11 +1722,13 @@ void __init udp_init(void)
+       /* Set the pressure threshold up by the same strategy of TCP. It is a
+        * fraction of global memory that is up to 1/2 at 256 MB, decreasing
+-       * toward zero with the amount of memory, with a floor of 128 pages.
++       * toward zero with the amount of memory, with a floor of 128 pages,
++       * and a ceiling that prevents an integer overflow.
+        */
+       limit = min(nr_all_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_all_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_udp_mem[0] = limit / 4 * 3;
+       sysctl_udp_mem[1] = limit;
+       sysctl_udp_mem[2] = sysctl_udp_mem[0] * 2;
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -1179,7 +1179,8 @@ SCTP_STATIC __init int sctp_init(void)
+       /* Set the pressure threshold to be a fraction of global memory that
+        * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
+-       * memory, with a floor of 128 pages.
++       * memory, with a floor of 128 pages, and a ceiling that prevents an
++       * integer overflow.
+        * Note this initalizes the data in sctpv6_prot too
+        * Unabashedly stolen from tcp_init
+        */
+@@ -1187,6 +1188,7 @@ SCTP_STATIC __init int sctp_init(void)
+       limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
+       limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
+       limit = max(limit, 128UL);
++      limit = min(limit, INT_MAX * 4UL / 3 / 2);
+       sysctl_sctp_mem[0] = limit / 4 * 3;
+       sysctl_sctp_mem[1] = limit;
+       sysctl_sctp_mem[2] = sysctl_sctp_mem[0] * 2;
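Review bot: `limit = min(limit, INT_MAX * 4UL / 3 / 2);` is repeated in tcp_init(), udp_init() and sctp_init() with no derivation, and the reworded comments only say it prevents an overflow. The constant follows from the assignments below it — `[0] = limit / 4 * 3` and `[2] = [0] * 2`, so the largest stored value is 3/2·limit and must fit the `int` arrays — which a comment such as `/* sysctl_*_mem[2] = limit * 3 / 2 must fit in an int */` should state at each site, or better a single named constant shared by the three files so the copies cannot drift. The header says the problem was fixed differently upstream but does not name the replacing commit; a stable patch without an upstream reference is hard to audit later, so that id belongs in the header. All three init functions extend beyond their hunks.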
diff --git a/queue-2.6.27/memory-corruption-in-x.25-facilities-parsing.patch b/queue-2.6.27/memory-corruption-in-x.25-facilities-parsing.patch
new file mode 100644 (file)
index 0000000..0233197
--- /dev/null
@@ -0,0 +1,51 @@
+From a6331d6f9a4298173b413cf99a40cc86a9d92c37 Mon Sep 17 00:00:00 2001
+From: andrew hendry <andrew.hendry@gmail.com>
+Date: Wed, 3 Nov 2010 12:54:53 +0000
+Subject: memory corruption in X.25 facilities parsing
+
+From: andrew hendry <andrew.hendry@gmail.com>
+
+commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
+
+Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_facilities.c |    8 ++++----
+ net/x25/x25_in.c         |    2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff
+               case X25_FAC_CLASS_D:
+                       switch (*p) {
+                       case X25_FAC_CALLING_AE:
+-                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-                                      break;
++                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++                                      return 0;
+                               dte_facs->calling_len = p[2];
+                               memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
+                               *vc_fac_mask |= X25_MASK_CALLING_AE;
+                               break;
+                       case X25_FAC_CALLED_AE:
+-                              if (p[1] > X25_MAX_DTE_FACIL_LEN)
+-                                      break;
++                              if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++                                      return 0;
+                               dte_facs->called_len = p[2];
+                               memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+                               *vc_fac_mask |= X25_MASK_CALLED_AE;
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -118,6 +118,8 @@ static int x25_state1_machine(struct soc
+                                               &x25->vc_facil_mask);
+                       if (len > 0)
+                               skb_pull(skb, len);
++                      else
++                              return -1;
+                       /*
+                        *      Copy any Call User Data.
+                        */
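Review bot: In the x25_in.c hunk, `else return -1;` now fires for every non-positive result of x25_parse_facilities(), but the bug-15678 patch queued ahead of this one in the same commit makes that function return 0 when the frame has no facilities byte at all (`if (skb->len < 1) return 0;`), so a CALL ACCEPTED with no facilities field — exactly the `10 10 0f` frame that patch cites — is now rejected by x25_state1_machine() instead of accepted. The two malformed-length cases changed here also `return 0;`, so the caller cannot tell "absent" from "corrupt"; returning -1 from those two cases (matching the `len >= skb->len` path) and keying the state machine on `if (len < 0) return -1;` keeps the hardening while leaving a facilities-less accept working. What a -1 from x25_state1_machine() means to its caller, in particular whether the skb is then freed, is outside the hunk and worth checking. x25_state1_machine() continues past the hunk.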
diff --git a/queue-2.6.27/net-clear-heap-allocations-for-privileged-ethtool-actions.patch b/queue-2.6.27/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
new file mode 100644 (file)
index 0000000..ea6270d
--- /dev/null
@@ -0,0 +1,36 @@
+From 60f901d85f51dc73ac0427798e5c534c7320b742 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Mon, 1 Nov 2010 08:19:00 -0700
+Subject: net: clear heap allocations for privileged ethtool actions
+
+
+From: Kees Cook <kees.cook@canonical.com>
+
+[ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ]
+
+Several other ethtool functions leave heap uncleared (potentially) by
+drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
+are well controlled. In some situations (e.g. unchecked error conditions),
+the heap will remain unchanged in areas before copying back to userspace.
+Note that these are less of an issue since these all require CAP_NET_ADMIN.
+
+Cc: stable@kernel.org
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Acked-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/ethtool.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -256,7 +256,7 @@ static int ethtool_get_regs(struct net_d
+       if (regs.len > reglen)
+               regs.len = reglen;
+-      regbuf = kmalloc(reglen, GFP_USER);
++      regbuf = kzalloc(reglen, GFP_USER);
+       if (!regbuf)
+               return -ENOMEM;
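Review bot: The patch header speaks of "several other ethtool functions", but this backport changes only the `regbuf` allocation in ethtool_get_regs() (diffstat: one line); presumably the other upstream sites do not exist in 2.6.27, but the header should say so, e.g. `[ 2.6.27: only the ethtool_get_regs() hunk applies; the other upstream hunks touch code not present in this tree. ]`, so an auditor does not go looking for missing hunks. The kzalloc() change itself is sound given `regs.len` is clamped to `reglen` two lines above: whatever the driver leaves unwritten within reglen is now zero before the copy-out that follows outside the hunk. ethtool_get_regs() begins before the hunk.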
diff --git a/queue-2.6.27/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch b/queue-2.6.27/net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch
new file mode 100644 (file)
index 0000000..1bb394c
--- /dev/null
@@ -0,0 +1,64 @@
+From 6c852c2dd993a7c13bf706af42ae697fcf094fae Mon Sep 17 00:00:00 2001
+From: Maciej Żenczykowski <maze@google.com>
+Date: Sun, 3 Oct 2010 14:49:00 -0700
+Subject: net: Fix IPv6 PMTU disc. w/ asymmetric routes
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit ae878ae280bea286ff2b1e1cb6e609dd8cb4501d ]
+
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv6/route.c |   28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1507,14 +1507,13 @@ out:
+  *    i.e. Path MTU discovery
+  */
+-void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
+-                      struct net_device *dev, u32 pmtu)
++static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
++                           struct net *net, u32 pmtu, int ifindex)
+ {
+       struct rt6_info *rt, *nrt;
+-      struct net *net = dev_net(dev);
+       int allfrag = 0;
+-      rt = rt6_lookup(net, daddr, saddr, dev->ifindex, 0);
++      rt = rt6_lookup(net, daddr, saddr, ifindex, 0);
+       if (rt == NULL)
+               return;
+@@ -1582,6 +1581,27 @@ out:
+       dst_release(&rt->u.dst);
+ }
++void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
++                      struct net_device *dev, u32 pmtu)
++{
++      struct net *net = dev_net(dev);
++
++      /*
++       * RFC 1981 states that a node "MUST reduce the size of the packets it
++       * is sending along the path" that caused the Packet Too Big message.
++       * Since it's not possible in the general case to determine which
++       * interface was used to send the original packet, we update the MTU
++       * on the interface that will be used to send future packets. We also
++       * update the MTU on the interface that received the Packet Too Big in
++       * case the original packet was forced out that interface with
++       * SO_BINDTODEVICE or similar. This is the next best thing to the
++       * correct behaviour, which would be to update the MTU on all
++       * interfaces.
++       */
++      rt6_do_pmtu_disc(daddr, saddr, net, pmtu, 0);
++      rt6_do_pmtu_disc(daddr, saddr, net, pmtu, dev->ifindex);
++}
++
+ /*
+  *    Misc support functions
+  */
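Review bot: rt6_do_pmtu_disc() is now called with `ifindex == 0` from the new wrapper, and the new comment explains the policy but not that a zero ifindex is what makes `rt6_lookup()` ignore the device; a one-line comment on the helper, `/* ifindex 0: look the route up without constraining it to a device */`, would save the next reader a trip into rt6_lookup() (whose treatment of 0 is not in the hunk — confirm it is a wildcard there). Security-wise the double call means a Packet Too Big received on one interface can now lower the MTU of a route reached through another; that is the stated intent, but it relies on the IPV6_MIN_MTU floor in the unchanged middle of rt6_do_pmtu_disc() to bound what an unauthenticated ICMPv6 sender can do, so confirm that floor is applied before both calls. The body of rt6_do_pmtu_disc() between the two hunks is not shown.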
diff --git a/queue-2.6.27/net-fix-the-condition-passed-to-sk_wait_event.patch b/queue-2.6.27/net-fix-the-condition-passed-to-sk_wait_event.patch
new file mode 100644 (file)
index 0000000..4e68690
--- /dev/null
@@ -0,0 +1,70 @@
+From bcd127108a3ea649bac24527a48e2217a921e801 Mon Sep 17 00:00:00 2001
+From: Nagendra Tomar <tomer_iisc@yahoo.com>
+Date: Sat, 2 Oct 2010 23:45:06 +0000
+Subject: net: Fix the condition passed to sk_wait_event()
+
+
+From: Nagendra Tomar <tomer_iisc@yahoo.com>
+
+[ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ]
+
+This patch fixes the condition (3rd arg) passed to sk_wait_event() in
+sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
+causes the following soft lockup in tcp_sendmsg() when the global tcp
+memory pool has exhausted.
+
+>>> snip <<<
+
+localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
+localhost kernel: CPU 3:
+localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
+localhost kernel:
+localhost kernel: Call Trace:
+localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
+localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
+localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
+localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
+localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
+localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
+localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
+localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
+localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
+localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
+
+>>> snip <<<
+
+What is happening is, that the sk_wait_event() condition passed from
+sk_stream_wait_memory() evaluates to true for the case of tcp global memory
+exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
+which causes sk_wait_event() to *not* call schedule_timeout().
+Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
+This causes the caller to again try allocation, which again fails and again
+calls sk_stream_wait_memory(), and so on.
+
+[ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
+  ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
+
+Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/stream.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -139,10 +139,10 @@ int sk_stream_wait_memory(struct sock *s
+               set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+               sk->sk_write_pending++;
+-              sk_wait_event(sk, &current_timeo, !sk->sk_err &&
+-                                                !(sk->sk_shutdown & SEND_SHUTDOWN) &&
+-                                                sk_stream_memory_free(sk) &&
+-                                                vm_wait);
++              sk_wait_event(sk, &current_timeo, sk->sk_err ||
++                                                (sk->sk_shutdown & SEND_SHUTDOWN) ||
++                                                (sk_stream_memory_free(sk) &&
++                                                !vm_wait));
+               sk->sk_write_pending--;
+               if (vm_wait) {
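Review bot: The corrected condition is right but reads as a double negative: the wait now returns early on `sk_stream_memory_free(sk) && !vm_wait`, and nothing at the call site says why a socket with free space must keep sleeping when `vm_wait` is set. A comment above the call, `/* vm_wait: the protocol's global pool is exhausted, so sleep for the full timeout even though this socket has room; see the vm_wait bookkeeping below */`, would record what the commit message explains. sk_stream_wait_memory() continues outside the hunk, so the bookkeeping the comment refers to is not visible here.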
diff --git a/queue-2.6.27/net-truncate-recvfrom-and-sendto-length-to-int_max.patch b/queue-2.6.27/net-truncate-recvfrom-and-sendto-length-to-int_max.patch
new file mode 100644 (file)
index 0000000..54183b3
--- /dev/null
@@ -0,0 +1,37 @@
+From 253eacc070b114c2ec1f81b067d2fed7305467b0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 30 Oct 2010 16:43:10 -0700
+Subject: net: Truncate recvfrom and sendto length to INT_MAX.
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/socket.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1691,6 +1691,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
+       struct iovec iov;
+       int fput_needed;
++      if (len > INT_MAX)
++              len = INT_MAX;
+       sock = sockfd_lookup_light(fd, &err, &fput_needed);
+       if (!sock)
+               goto out;
+@@ -1748,6 +1750,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+       int err, err2;
+       int fput_needed;
++      if (size > INT_MAX)
++              size = INT_MAX;
+       sock = sockfd_lookup_light(fd, &err, &fput_needed);
+       if (!sock)
+               goto out;
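Review bot: The two new clamps carry no comment and the patch has no description, so the reason — presumably that the length flows into protocol sendmsg/recvmsg paths that hold it in an `int` — is lost at the call site, and the same check is written out twice. Suggest `len = min_t(size_t, len, INT_MAX); /* protocol handlers take int-sized lengths */` in sys_sendto and the matching `size = min_t(size_t, size, INT_MAX);` in sys_recvfrom. Whether sys_sendmsg()/sys_recvmsg() need the same guard on their iovec totals is outside this hunk. Both syscall bodies extend beyond the hunk.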
diff --git a/queue-2.6.27/rose-fix-signedness-issues-wrt.-digi-count.patch b/queue-2.6.27/rose-fix-signedness-issues-wrt.-digi-count.patch
new file mode 100644 (file)
index 0000000..3fc83e3
--- /dev/null
@@ -0,0 +1,41 @@
+From 34e098a21b709f12c63f98eded0af87e28581eb0 Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem@davemloft.net>
+Date: Mon, 20 Sep 2010 15:40:35 -0700
+Subject: rose: Fix signedness issues wrt. digi count.
+
+
+From: David S. Miller <davem@davemloft.net>
+
+[ Upstream commit 9828e6e6e3f19efcb476c567b9999891d051f52f ]
+
+Just use explicit casts, since we really can't change the
+types of structures exported to userspace which have been
+around for 15 years or so.
+
+Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/rose/af_rose.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -680,7 +680,7 @@ static int rose_bind(struct socket *sock
+       if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+               return -EINVAL;
+-      if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++      if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+               return -EINVAL;
+       if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
+@@ -740,7 +740,7 @@ static int rose_connect(struct socket *s
+       if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+               return -EINVAL;
+-      if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++      if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+               return -EINVAL;
+       /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
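Review bot: The `(unsigned int)` casts in rose_bind() and rose_connect() fix the bound but carry no explanation, and the field's declared type is not in the hunk, so the cast will look redundant to a reader. Add a comment at each site, e.g. `/* cast: srose_ndigis is signed in the userspace ABI; a negative count must fail this bound, not pass it */` — worded on the commit message's account of the type, which I cannot confirm from here. The `addr->srose_ndigis > 1` test one line earlier still compares in the original signedness; it is harmless only because this bound follows it. Both functions continue outside the hunk.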
index ddb1538f4396bbb0ce73169bff7dffbc188145dd..ade2315d879758aee350ba43c77fecc4f7ae414d 100644 (file)
@@ -26,3 +26,17 @@ acpi-cpufreq-fix-a-memleak-when-unloading-driver.patch
 do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
 decnet-don-t-leak-uninitialized-stack-byte.patch
 arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
+net-clear-heap-allocations-for-privileged-ethtool-actions.patch
+xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch
+net-fix-ipv6-pmtu-disc.-w-asymmetric-routes.patch
+rose-fix-signedness-issues-wrt.-digi-count.patch
+net-fix-the-condition-passed-to-sk_wait_event.patch
+limit-sysctl_tcp_mem-and-sysctl_udp_mem-initializers-to-prevent-integer-overflows.patch
+tcp-fix-race-in-tcp_poll.patch
+net-truncate-recvfrom-and-sendto-length-to-int_max.patch
+ipv6-conntrack-add-member-of-user-to-nf_ct_frag6_queue-structure.patch
+x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
+memory-corruption-in-x.25-facilities-parsing.patch
+can-bcm-fix-minor-heap-overflow.patch
+v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
+x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
diff --git a/queue-2.6.27/tcp-fix-race-in-tcp_poll.patch b/queue-2.6.27/tcp-fix-race-in-tcp_poll.patch
new file mode 100644 (file)
index 0000000..66dea41
--- /dev/null
@@ -0,0 +1,58 @@
+From 7938b8515a9ed0a49b160b4c95ef3ed8bccbeb11 Mon Sep 17 00:00:00 2001
+From: Tom Marshall <tdm.code@gmail.com>
+Date: Mon, 20 Sep 2010 15:42:05 -0700
+Subject: tcp: Fix race in tcp_poll
+
+
+From: Tom Marshall <tdm.code@gmail.com>
+
+[ Upstream commit a4d258036ed9b2a1811c3670c6099203a0f284a0 ]
+
+If a RST comes in immediately after checking sk->sk_err, tcp_poll will
+return POLLIN but not POLLOUT.  Fix this by checking sk->sk_err at the end
+of tcp_poll.  Additionally, ensure the correct order of operations on SMP
+machines with memory barriers.
+
+Signed-off-by: Tom Marshall <tdm.code@gmail.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/tcp.c       |    7 +++++--
+ net/ipv4/tcp_input.c |    2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -347,8 +347,6 @@ unsigned int tcp_poll(struct file *file,
+        */
+       mask = 0;
+-      if (sk->sk_err)
+-              mask = POLLERR;
+       /*
+        * POLLHUP is certainly not done right. But poll() doesn't
+@@ -413,6 +411,11 @@ unsigned int tcp_poll(struct file *file,
+               if (tp->urg_data & TCP_URG_VALID)
+                       mask |= POLLPRI;
+       }
++      /* This barrier is coupled with smp_wmb() in tcp_reset() */
++      smp_rmb();
++      if (sk->sk_err)
++              mask |= POLLERR;
++
+       return mask;
+ }
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3617,6 +3617,8 @@ static void tcp_reset(struct sock *sk)
+       default:
+               sk->sk_err = ECONNRESET;
+       }
++      /* This barrier is coupled with smp_rmb() in tcp_poll() */
++      smp_wmb();
+       if (!sock_flag(sk, SOCK_DEAD))
+               sk->sk_error_report(sk);
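Review bot: The new `smp_rmb()` in tcp_poll() is documented as paired with the `smp_wmb()` added in tcp_reset(), but `sk->sk_err` is also assigned on other paths (timeouts, ICMP errors) that this patch does not touch, so the pairing is only complete for RST. Either those writers need the same `smp_wmb()` before `sk_error_report()`, or the comment in tcp_poll() should say what ordering the other paths rely on, e.g. `/* paired with smp_wmb() in tcp_reset(); other sk_err writers rely on the wake-up in sk_error_report() */` — those paths are not visible here, so treat this as a question. The `mask = POLLERR` to `mask |= POLLERR` change is the intended fix and is fine. tcp_poll() begins before the hunk.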
diff --git a/queue-2.6.27/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.27/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
new file mode 100644 (file)
index 0000000..03db4d3
--- /dev/null
@@ -0,0 +1,34 @@
+From 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 15 Sep 2010 18:44:22 -0300
+Subject: V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.
+
+The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
+bytes of uninitialized stack memory, because the "reserved" member of
+the fb_vblank struct declared on the stack is not altered or zeroed
+before being copied back to the user.  This patch takes care of it.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Signed-off-by: Andy Walls <awalls@md.metrocast.net>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/ivtv/ivtvfb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/ivtv/ivtvfb.c
++++ b/drivers/media/video/ivtv/ivtvfb.c
+@@ -460,6 +460,8 @@ static int ivtvfb_ioctl(struct fb_info *
+                       struct fb_vblank vblank;
+                       u32 trace;
++                      memset(&vblank, 0, sizeof(struct fb_vblank));
++
+                       vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
+                                       FB_VBLANK_HAVE_VSYNC;
+                       trace = read_reg(0x028c0) >> 16;
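Review bot: `memset(&vblank, 0, sizeof(struct fb_vblank));` repeats the type; `sizeof(vblank)` follows the object and cannot drift if the declaration changes, and since the variable is declared two lines above, zeroing it at the declaration, `struct fb_vblank vblank = { 0 };`, makes it impossible for a later path to reach the copy-out before the clear. Either form closes the 16-byte `reserved` leak the commit describes; the copy_to_user that exposes it is outside the hunk. The ioctl body continues past the hunk.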
diff --git a/queue-2.6.27/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch b/queue-2.6.27/x25-patch-to-fix-bug-15678-x25-accesses-fields-beyond-end-of-packet.patch
new file mode 100644 (file)
index 0000000..3ecc4db
--- /dev/null
@@ -0,0 +1,181 @@
+From f5eb917b861828da18dc28854308068c66d1449a Mon Sep 17 00:00:00 2001
+From: John Hughes <john@calva.com>
+Date: Wed, 7 Apr 2010 21:29:25 -0700
+Subject: x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
+
+From: John Hughes <john@calva.com>
+
+commit f5eb917b861828da18dc28854308068c66d1449a upstream.
+
+Here is a patch to stop X.25 examining fields beyond the end of the packet.
+
+For example, when a simple CALL ACCEPTED was received:
+
+       10 10 0f
+
+x25_parse_facilities was attempting to decode the FACILITIES field, but this
+packet contains no facilities field.
+
+Signed-off-by: John Hughes <john@calva.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/x25.h        |    4 ++++
+ net/x25/af_x25.c         |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ net/x25/x25_facilities.c |   12 +++++++++++-
+ net/x25/x25_in.c         |   15 +++++++++++----
+ 4 files changed, 72 insertions(+), 6 deletions(-)
+
+--- a/include/net/x25.h
++++ b/include/net/x25.h
+@@ -182,6 +182,10 @@ extern int  sysctl_x25_clear_request_tim
+ extern int  sysctl_x25_ack_holdback_timeout;
+ extern int  sysctl_x25_forward;
++extern int x25_parse_address_block(struct sk_buff *skb,
++              struct x25_address *called_addr,
++              struct x25_address *calling_addr);
++
+ extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,
+                         struct x25_address *);
+ extern int  x25_addr_aton(unsigned char *, struct x25_address *,
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -80,6 +80,41 @@ struct compat_x25_subscrip_struct {
+ };
+ #endif
++
++int x25_parse_address_block(struct sk_buff *skb,
++              struct x25_address *called_addr,
++              struct x25_address *calling_addr)
++{
++      unsigned char len;
++      int needed;
++      int rc;
++
++      if (skb->len < 1) {
++              /* packet has no address block */
++              rc = 0;
++              goto empty;
++      }
++
++      len = *skb->data;
++      needed = 1 + (len >> 4) + (len & 0x0f);
++
++      if (skb->len < needed) {
++              /* packet is too short to hold the addresses it claims
++                 to hold */
++              rc = -1;
++              goto empty;
++      }
++
++      return x25_addr_ntoa(skb->data, called_addr, calling_addr);
++
++empty:
++      *called_addr->x25_addr = 0;
++      *calling_addr->x25_addr = 0;
++
++      return rc;
++}
++
++
+ int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,
+                 struct x25_address *calling_addr)
+ {
+@@ -871,16 +906,26 @@ int x25_rx_call_request(struct sk_buff *
+       /*
+        *      Extract the X.25 addresses and convert them to ASCII strings,
+        *      and remove them.
++       *
++       *      Address block is mandatory in call request packets
+        */
+-      addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);
++      addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);
++      if (addr_len <= 0)
++              goto out_clear_request;
+       skb_pull(skb, addr_len);
+       /*
+        *      Get the length of the facilities, skip past them for the moment
+        *      get the call user data because this is needed to determine
+        *      the correct listener
++       *
++       *      Facilities length is mandatory in call request packets
+        */
++      if (skb->len < 1)
++              goto out_clear_request;
+       len = skb->data[0] + 1;
++      if (skb->len < len)
++              goto out_clear_request;
+       skb_pull(skb,len);
+       /*
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff
+               struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
+ {
+       unsigned char *p = skb->data;
+-      unsigned int len = *p++;
++      unsigned int len;
+       *vc_fac_mask = 0;
+@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff
+       memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
+       memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
++      if (skb->len < 1)
++              return 0;
++
++      len = *p++;
++
++      if (len >= skb->len)
++              return -1;
++
+       while (len > 0) {
+               switch (*p & X25_FAC_CLASS_MASK) {
+               case X25_FAC_CLASS_A:
+@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_b
+       memcpy(new, ours, sizeof(*new));
+       len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
++      if (len < 0)
++              return len;
+       /*
+        *      They want reverse charging, we won't accept it.
+--- a/net/x25/x25_in.c
++++ b/net/x25/x25_in.c
+@@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct soc
+ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)
+ {
+       struct x25_address source_addr, dest_addr;
++      int len;
+       switch (frametype) {
+               case X25_CALL_ACCEPTED: {
+@@ -106,11 +107,17 @@ static int x25_state1_machine(struct soc
+                        *      Parse the data in the frame.
+                        */
+                       skb_pull(skb, X25_STD_MIN_LEN);
+-                      skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));
+-                      skb_pull(skb,
+-                               x25_parse_facilities(skb, &x25->facilities,
++
++                      len = x25_parse_address_block(skb, &source_addr,
++                                              &dest_addr);
++                      if (len > 0)
++                              skb_pull(skb, len);
++
++                      len = x25_parse_facilities(skb, &x25->facilities,
+                                               &x25->dte_facilities,
+-                                              &x25->vc_facil_mask));
++                                              &x25->vc_facil_mask);
++                      if (len > 0)
++                              skb_pull(skb, len);
+                       /*
+                        *      Copy any Call User Data.
+                        */
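Review bot: In x25_parse_address_block(), `needed = 1 + (len >> 4) + (len & 0x0f);` treats each address digit as a byte, but X.25 addresses are BCD-packed two digits per byte, which is presumably how x25_addr_ntoa() (declared in the header hunk, body not shown) consumes them; the check can therefore never under-read, but it rejects well-formed frames whose address block is followed by fewer than roughly digits/2 bytes. The length that matches a nibble-packed block is `needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;`. Separately, in x25_state1_machine() the -1 ("too short") result of both parsers is silently ignored (`if (len > 0) skb_pull(skb, len);` with no else), so a truncated address block falls through to facilities parsing on the same unpulled skb; rejecting on `len < 0` there would match the `goto out_clear_request` handling added in x25_rx_call_request(). x25_state1_machine() continues past the hunk.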
diff --git a/queue-2.6.27/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch b/queue-2.6.27/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
new file mode 100644 (file)
index 0000000..c6a1aa5
--- /dev/null
@@ -0,0 +1,75 @@
+From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 12 Nov 2010 12:44:42 -0800
+Subject: x25: Prevent crashing when parsing bad X.25 facilities
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
+
+Now with improved comma support.
+
+On parsing malformed X.25 facilities, decrementing the remaining length
+may cause it to underflow.  Since the length is an unsigned integer,
+this will result in the loop continuing until the kernel crashes.
+
+This patch adds checks to ensure decrementing the remaining length does
+not cause it to wrap around.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/x25/x25_facilities.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/x25/x25_facilities.c
++++ b/net/x25/x25_facilities.c
+@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
+       while (len > 0) {
+               switch (*p & X25_FAC_CLASS_MASK) {
+               case X25_FAC_CLASS_A:
++                      if (len < 2)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_REVERSE:
+                               if((p[1] & 0x81) == 0x81) {
+@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 2;
+                       break;
+               case X25_FAC_CLASS_B:
++                      if (len < 3)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_PACKET_SIZE:
+                               facilities->pacsize_in  = p[1];
+@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 3;
+                       break;
+               case X25_FAC_CLASS_C:
++                      if (len < 4)
++                              return 0;
+                       printk(KERN_DEBUG "X.25: unknown facility %02X, "
+                              "values %02X, %02X, %02X\n",
+                              p[0], p[1], p[2], p[3]);
+@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff
+                       len -= 4;
+                       break;
+               case X25_FAC_CLASS_D:
++                      if (len < p[1] + 2)
++                              return 0;
+                       switch (*p) {
+                       case X25_FAC_CALLING_AE:
+                               if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff
+                               break;
+                       default:
+                               printk(KERN_DEBUG "X.25: unknown facility %02X,"
+-                                      "length %d, values %02X, %02X, "
+-                                      "%02X, %02X\n",
+-                                      p[0], p[1], p[2], p[3], p[4], p[5]);
++                                      "length %d\n", p[0], p[1]);
+                               break;
+                       }
+                       len -= p[1] + 2;
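Review bot: The class-D guard `if (len < p[1] + 2)` reads `p[1]` before it is known that two bytes remain, so with `len == 1` the length byte is fetched from past the facilities region this loop is bounded to; the A/B/C cases check a fixed minimum first, and adding `if (len < 2) return 0;` ahead of that comparison would give class D the same property. The new checks also report a malformed facility block by returning 0, which the callers shown in the preceding patch (`if (len > 0) skb_pull(...)` in x25_state1_machine, `if (len < 0) return len;` in x25_negotiate_facilities) treat as "nothing parsed" rather than as an error, so a truncated block appears to be indistinguishable from an empty one if both patches are applied; if rejection is intended, a negative return would match that caller's check. x25_parse_facilities begins and ends outside these hunks, so the declared type of `len` and the bound applied before the loop cannot be confirmed from here.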
diff --git a/queue-2.6.27/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch b/queue-2.6.27/xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch
new file mode 100644 (file)
index 0000000..9d44bf6
--- /dev/null
@@ -0,0 +1,40 @@
+From fcdd62b6ef24edd5c99410182c829bd41d684ed6 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <uweber@astaro.com>
+Date: Mon, 1 Nov 2010 08:23:04 -0700
+Subject: xfrm4: strip ECN and IP Precedence bits in policy lookup
+
+
+From: Ulrich Weber <uweber@astaro.com>
+
+[ Upstream commit 94e2238969e89f5112297ad2a00103089dde7e8f ]
+
+dont compare ECN and IP Precedence bits in find_bundle
+and use ECN bit stripped TOS value in xfrm_lookup
+
+Signed-off-by: Ulrich Weber <uweber@astaro.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/ipv4/xfrm4_policy.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -69,7 +69,7 @@ __xfrm4_find_bundle(struct flowi *fl, st
+               if (xdst->u.rt.fl.oif == fl->oif &&     /*XXX*/
+                   xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&
+                   xdst->u.rt.fl.fl4_src == fl->fl4_src &&
+-                  xdst->u.rt.fl.fl4_tos == fl->fl4_tos &&
++                    !((xdst->u.rt.fl.fl4_tos ^ fl->fl4_tos) & IPTOS_RT_MASK) &&
+                   xfrm_bundle_ok(policy, xdst, fl, AF_INET, 0)) {
+                       dst_clone(dst);
+                       break;
+@@ -81,7 +81,7 @@ __xfrm4_find_bundle(struct flowi *fl, st
+ static int xfrm4_get_tos(struct flowi *fl)
+ {
+-      return fl->fl4_tos;
++      return IPTOS_RT_MASK & fl->fl4_tos; /* Strip ECN bits */
+ }
+ static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,