Magellan Linux

Contents of /trunk/kernel26-magellan/patches-2.6.25-r4/0112-2.6.25.13-all-fixes.patch



Revision 666 - (show annotations) (download)
Wed Jul 30 14:06:20 2008 UTC (15 years, 9 months ago) by niro
File size: 7546 byte(s)
-added more security fixes and kernel updates (up to 2.6.25.13)

1 diff --git a/Documentation/networking/udplite.txt b/Documentation/networking/udplite.txt
2 index 3870f28..855d8da 100644
3 --- a/Documentation/networking/udplite.txt
4 +++ b/Documentation/networking/udplite.txt
5 @@ -148,7 +148,7 @@
6 getsockopt(sockfd, SOL_SOCKET, SO_NO_CHECK, &value, ...);
7
8 is meaningless (as in TCP). Packets with a zero checksum field are
9 - illegal (cf. RFC 3828, sec. 3.1) will be silently discarded.
10 + illegal (cf. RFC 3828, sec. 3.1) and will be silently discarded.
11
12 4) Fragmentation
13
14 diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
15 index ae9629f..c258a05 100644
16 --- a/drivers/net/hamradio/hdlcdrv.c
17 +++ b/drivers/net/hamradio/hdlcdrv.c
18 @@ -88,6 +88,7 @@
19 static inline void append_crc_ccitt(unsigned char *buffer, int len)
20 {
21 unsigned int crc = crc_ccitt(0xffff, buffer, len) ^ 0xffff;
22 + buffer += len;
23 *buffer++ = crc;
24 *buffer++ = crc >> 8;
25 }
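Review bot: append_crc_ccitt() takes no buffer size, so after the added `buffer += len;` it stores two bytes at `buffer[len]` and `buffer[len + 1]` and relies entirely on the caller having reserved that room. Nothing on the function says so; a header comment such as `/* buffer must hold len + 2 bytes; the CRC is appended low byte first */` would record the contract that this fix makes correct. Callers are outside the hunk, so it is worth confirming each one sizes its frame buffer with the two trailing bytes in mind.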
26 diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
27 index ac0ac98..6bc58dd 100644
28 --- a/drivers/net/pppoe.c
29 +++ b/drivers/net/pppoe.c
30 @@ -341,12 +341,6 @@ static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)
31 struct pppox_sock *relay_po;
32
33 if (sk->sk_state & PPPOX_BOUND) {
34 - struct pppoe_hdr *ph = pppoe_hdr(skb);
35 - int len = ntohs(ph->length);
36 - skb_pull_rcsum(skb, sizeof(struct pppoe_hdr));
37 - if (pskb_trim_rcsum(skb, len))
38 - goto abort_kfree;
39 -
40 ppp_input(&po->chan, skb);
41 } else if (sk->sk_state & PPPOX_RELAY) {
42 relay_po = get_item_by_addr(&po->pppoe_relay);
43 @@ -357,7 +351,6 @@ static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)
44 if ((sk_pppox(relay_po)->sk_state & PPPOX_CONNECTED) == 0)
45 goto abort_put;
46
47 - skb_pull(skb, sizeof(struct pppoe_hdr));
48 if (!__pppoe_xmit(sk_pppox(relay_po), skb))
49 goto abort_put;
50 } else {
51 @@ -388,6 +381,7 @@ static int pppoe_rcv(struct sk_buff *skb,
52 {
53 struct pppoe_hdr *ph;
54 struct pppox_sock *po;
55 + int len;
56
57 if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
58 goto out;
59 @@ -399,10 +393,21 @@ static int pppoe_rcv(struct sk_buff *skb,
60 goto drop;
61
62 ph = pppoe_hdr(skb);
63 + len = ntohs(ph->length);
64 +
65 + skb_pull_rcsum(skb, sizeof(*ph));
66 + if (skb->len < len)
67 + goto drop;
68
69 po = get_item(ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
70 - if (po != NULL)
71 - return sk_receive_skb(sk_pppox(po), skb, 0);
72 + if (!po)
73 + goto drop;
74 +
75 + if (pskb_trim_rcsum(skb, len))
76 + goto drop;
77 +
78 + return sk_receive_skb(sk_pppox(po), skb, 0);
79 +
80 drop:
81 kfree_skb(skb);
82 out:
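Review bot: The `goto drop` taken when `pskb_trim_rcsum(skb, len)` fails comes after `get_item()` has returned `po`, and `drop:` only calls `kfree_skb(skb)`. If `get_item()` returns the socket with a reference held (the hand-off to `sk_receive_skb()` on the success path suggests it does, but its body is not in this hunk), every frame that fails the trim leaks one socket reference, on a path driven by received packets. Either release it there, `if (pskb_trim_rcsum(skb, len)) { sock_put(sk_pppox(po)); goto drop; }`, or do the trim before the lookup and re-read `ph = pppoe_hdr(skb)` afterwards in case the trim moved the header. pppoe_rcv starts and ends outside the hunk.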
83 @@ -427,12 +432,12 @@ static int pppoe_disc_rcv(struct sk_buff *skb,
84 if (dev->nd_net != &init_net)
85 goto abort;
86
87 - if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
88 - goto abort;
89 -
90 if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
91 goto out;
92
93 + if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
94 + goto abort;
95 +
96 ph = pppoe_hdr(skb);
97 if (ph->code != PADT_CODE)
98 goto abort;
99 @@ -937,12 +942,10 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock,
100 m->msg_namelen = 0;
101
102 if (skb) {
103 - struct pppoe_hdr *ph = pppoe_hdr(skb);
104 - const int len = ntohs(ph->length);
105 -
106 - error = memcpy_toiovec(m->msg_iov, (unsigned char *) &ph->tag[0], len);
107 + total_len = min_t(size_t, total_len, skb->len);
108 + error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
109 if (error == 0)
110 - error = len;
111 + error = total_len;
112 }
113
114 kfree_skb(skb);
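Review bot: A read into a buffer shorter than the packet is truncated silently here: `total_len` is clamped to `skb->len`, but nothing sets `MSG_TRUNC` when the caller's length is the smaller one, whereas pppol2tp_recvmsg in this same patch does set it. Adding `if (total_len < skb->len) m->msg_flags |= MSG_TRUNC;` before the `min_t()` line would keep the two receive paths consistent and let userspace detect the cut. The bounded `skb_copy_datagram_iovec()` itself correctly replaces the copy that trusted the on-wire `ph->length`. pppoe_recvmsg starts and ends outside the hunk.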
115 diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
116 index a629355..a3e1d22 100644
117 --- a/drivers/net/pppol2tp.c
118 +++ b/drivers/net/pppol2tp.c
119 @@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
120 err = 0;
121 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
122 flags & MSG_DONTWAIT, &err);
123 - if (skb) {
124 - err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
125 - skb->len);
126 - if (err < 0)
127 - goto do_skb_free;
128 - err = skb->len;
129 - }
130 -do_skb_free:
131 + if (!skb)
132 + goto end;
133 +
134 + if (len > skb->len)
135 + len = skb->len;
136 + else if (len < skb->len)
137 + msg->msg_flags |= MSG_TRUNC;
138 +
139 + err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
140 + if (likely(err == 0))
141 + err = len;
142 +
143 kfree_skb(skb);
144 end:
145 return err;
146 diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
147 index 134c8e5..2584306 100644
148 --- a/include/linux/ipv6.h
149 +++ b/include/linux/ipv6.h
150 @@ -123,6 +123,7 @@ struct ipv6hdr {
151 struct in6_addr daddr;
152 };
153
154 +#ifdef __KERNEL__
155 /*
156 * This structure contains configuration options per IPv6 link.
157 */
158 @@ -162,6 +163,7 @@ struct ipv6_devconf {
159 #endif
160 void *sysctl;
161 };
162 +#endif
163
164 /* index values for the variables in ipv6_devconf */
165 enum {
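Review bot: The bare `#endif` added after `struct ipv6_devconf` sits directly below an inner `#endif` that closes a conditional inside the struct, and the matching `#ifdef __KERNEL__` is in the previous hunk, some forty lines up. Writing it as `#endif /* __KERNEL__ */` makes it clear which guard ends here, which matters in a header where the lines that follow are meant to stay visible to userspace.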
166 diff --git a/include/linux/kernel.h b/include/linux/kernel.h
167 index 2df44e7..6890264 100644
168 --- a/include/linux/kernel.h
169 +++ b/include/linux/kernel.h
170 @@ -20,6 +20,7 @@
171 extern const char linux_banner[];
172 extern const char linux_proc_banner[];
173
174 +#define USHORT_MAX ((u16)(~0U))
175 #define INT_MAX ((int)(~0U>>1))
176 #define INT_MIN (-INT_MAX - 1)
177 #define UINT_MAX (~0U)
178 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
179 index a3002fe..37801ae 100644
180 --- a/net/ipv4/raw.c
181 +++ b/net/ipv4/raw.c
182 @@ -936,7 +936,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
183 srcp = inet->num;
184
185 seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
186 - " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d",
187 + " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
188 i, src, srcp, dest, destp, sp->sk_state,
189 atomic_read(&sp->sk_wmem_alloc),
190 atomic_read(&sp->sk_rmem_alloc),
191 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
192 index 1704c14..9703c87 100644
193 --- a/net/ipv4/udp.c
194 +++ b/net/ipv4/udp.c
195 @@ -1325,6 +1325,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
196 return -ENOPROTOOPT;
197 if (val != 0 && val < 8) /* Illegal coverage: use default (8) */
198 val = 8;
199 + else if (val > USHORT_MAX)
200 + val = USHORT_MAX;
201 up->pcslen = val;
202 up->pcflag |= UDPLITE_SEND_CC;
203 break;
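Review bot: The new `else if (val > USHORT_MAX)` branch clamps an oversized coverage value silently and, unlike the line above it, has no comment saying why. Presumably `up->pcslen` is a 16-bit field (its declaration is not in this hunk), so without the clamp a large value would wrap on assignment to a much smaller coverage length. A comment such as `/* stored in 16 bits: clamp rather than wrap */` would make that explicit. The same applies to the `up->pcrlen` branch in the next hunk. udp_lib_setsockopt starts and ends outside both hunks.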
204 @@ -1337,6 +1339,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
205 return -ENOPROTOOPT;
206 if (val != 0 && val < 8) /* Avoid silly minimal values. */
207 val = 8;
208 + else if (val > USHORT_MAX)
209 + val = USHORT_MAX;
210 up->pcrlen = val;
211 up->pcflag |= UDPLITE_RECV_CC;
212 break;
213 diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
214 index 584e6d7..7135279 100644
215 --- a/net/ipv4/xfrm4_mode_tunnel.c
216 +++ b/net/ipv4/xfrm4_mode_tunnel.c
217 @@ -52,7 +52,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
218 IP_ECN_clear(top_iph);
219
220 top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
221 - 0 : XFRM_MODE_SKB_CB(skb)->frag_off;
222 + 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
223 ip_select_ident(top_iph, dst->child, NULL);
224
225 top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
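Review bot: The mask added to the `frag_off` assignment has no comment, and its purpose is not obvious from the line alone. With `& htons(IP_DF)` only the don't-fragment bit of the inner header is carried into `top_iph`, so the fragment offset and MF bits of an inner fragment no longer appear in the outer header. Suggest a comment above the assignment, e.g. `/* copy DF only; inner offset/MF bits do not describe the outer packet */`. xfrm4_mode_tunnel_output starts and ends outside the hunk.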
226 diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
227 index bab72b6..dee7fea 100644
228 --- a/net/ipv6/ip6_fib.c
229 +++ b/net/ipv6/ip6_fib.c
230 @@ -679,7 +679,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
231
232 static __inline__ void fib6_start_gc(struct rt6_info *rt)
233 {
234 - if (ip6_fib_timer.expires == 0 &&
235 + if (!timer_pending(&ip6_fib_timer) &&
236 (rt->rt6i_flags & (RTF_EXPIRES|RTF_CACHE)))
237 mod_timer(&ip6_fib_timer, jiffies +
238 init_net.ipv6.sysctl.ip6_rt_gc_interval);
239 @@ -687,7 +687,7 @@ static __inline__ void fib6_start_gc(struct rt6_info *rt)
240
241 void fib6_force_start_gc(void)
242 {
243 - if (ip6_fib_timer.expires == 0)
244 + if (!timer_pending(&ip6_fib_timer))
245 mod_timer(&ip6_fib_timer, jiffies +
246 init_net.ipv6.sysctl.ip6_rt_gc_interval);
247 }