<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/core, branch v2.6.37</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Revert "ipv4: Allow configuring subnets as local addresses"</title>
<updated>2010-12-23T20:03:57+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-12-23T20:03:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e058464990c2ef1f3ecd6b83a154913c3c06f02a'/>
<id>e058464990c2ef1f3ecd6b83a154913c3c06f02a</id>
<content type='text'>
This reverts commit 4465b469008bc03b98a1b8df4e9ae501b6c69d4b.

Conflicts:

	net/ipv4/fib_frontend.c

As reported by Ben Greear, this causes regressions:

&gt; Change 4465b469008bc03b98a1b8df4e9ae501b6c69d4b caused rules
&gt; to stop matching the input device properly because the
&gt; FLOWI_FLAG_MATCH_ANY_IIF is always defined in ip_dev_find().
&gt;
&gt; This breaks rules such as:
&gt;
&gt; ip rule add pref 512 lookup local
&gt; ip rule del pref 0 lookup local
&gt; ip link set eth2 up
&gt; ip -4 addr add 172.16.0.102/24 broadcast 172.16.0.255 dev eth2
&gt; ip rule add to 172.16.0.102 iif eth2 lookup local pref 10
&gt; ip rule add iif eth2 lookup 10001 pref 20
&gt; ip route add 172.16.0.0/24 dev eth2 table 10001
&gt; ip route add unreachable 0/0 table 10001
&gt;
&gt; If you had a second interface 'eth0' that was on a different
&gt; subnet, pinging a system on that interface would fail:
&gt;
&gt;   [root@ct503-60 ~]# ping 192.168.100.1
&gt;   connect: Invalid argument

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit 4465b469008bc03b98a1b8df4e9ae501b6c69d4b.

Conflicts:

	net/ipv4/fib_frontend.c

As reported by Ben Greear, this causes regressions:

&gt; Change 4465b469008bc03b98a1b8df4e9ae501b6c69d4b caused rules
&gt; to stop matching the input device properly because the
&gt; FLOWI_FLAG_MATCH_ANY_IIF is always defined in ip_dev_find().
&gt;
&gt; This breaks rules such as:
&gt;
&gt; ip rule add pref 512 lookup local
&gt; ip rule del pref 0 lookup local
&gt; ip link set eth2 up
&gt; ip -4 addr add 172.16.0.102/24 broadcast 172.16.0.255 dev eth2
&gt; ip rule add to 172.16.0.102 iif eth2 lookup local pref 10
&gt; ip rule add iif eth2 lookup 10001 pref 20
&gt; ip route add 172.16.0.0/24 dev eth2 table 10001
&gt; ip route add unreachable 0/0 table 10001
&gt;
&gt; If you had a second interface 'eth0' that was on a different
&gt; subnet, pinging a system on that interface would fail:
&gt;
&gt;   [root@ct503-60 ~]# ping 192.168.100.1
&gt;   connect: Invalid argument

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix nulls list corruptions in sk_prot_alloc</title>
<updated>2010-12-16T22:26:56+00:00</updated>
<author>
<name>Octavian Purdila</name>
<email>opurdila@ixiacom.com</email>
</author>
<published>2010-12-16T22:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fcbdf09d9652c8919dcf47072e3ae7dcb4eb98ac'/>
<id>fcbdf09d9652c8919dcf47072e3ae7dcb4eb98ac</id>
<content type='text'>
Special care is taken inside sk_port_alloc to avoid overwriting
skc_node/skc_nulls_node. We should also avoid overwriting
skc_bind_node/skc_portaddr_node.

The patch fixes the following crash:

 BUG: unable to handle kernel paging request at fffffffffffffff0
 IP: [&lt;ffffffff812ec6dd&gt;] udp4_lib_lookup2+0xad/0x370
 [&lt;ffffffff812ecc22&gt;] __udp4_lib_lookup+0x282/0x360
 [&lt;ffffffff812ed63e&gt;] __udp4_lib_rcv+0x31e/0x700
 [&lt;ffffffff812bba45&gt;] ? ip_local_deliver_finish+0x65/0x190
 [&lt;ffffffff812bbbf8&gt;] ? ip_local_deliver+0x88/0xa0
 [&lt;ffffffff812eda35&gt;] udp_rcv+0x15/0x20
 [&lt;ffffffff812bba45&gt;] ip_local_deliver_finish+0x65/0x190
 [&lt;ffffffff812bbbf8&gt;] ip_local_deliver+0x88/0xa0
 [&lt;ffffffff812bb2cd&gt;] ip_rcv_finish+0x32d/0x6f0
 [&lt;ffffffff8128c14c&gt;] ? netif_receive_skb+0x99c/0x11c0
 [&lt;ffffffff812bb94b&gt;] ip_rcv+0x2bb/0x350
 [&lt;ffffffff8128c14c&gt;] netif_receive_skb+0x99c/0x11c0

Signed-off-by: Leonard Crestez &lt;lcrestez@ixiacom.com&gt;
Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Special care is taken inside sk_port_alloc to avoid overwriting
skc_node/skc_nulls_node. We should also avoid overwriting
skc_bind_node/skc_portaddr_node.

The patch fixes the following crash:

 BUG: unable to handle kernel paging request at fffffffffffffff0
 IP: [&lt;ffffffff812ec6dd&gt;] udp4_lib_lookup2+0xad/0x370
 [&lt;ffffffff812ecc22&gt;] __udp4_lib_lookup+0x282/0x360
 [&lt;ffffffff812ed63e&gt;] __udp4_lib_rcv+0x31e/0x700
 [&lt;ffffffff812bba45&gt;] ? ip_local_deliver_finish+0x65/0x190
 [&lt;ffffffff812bbbf8&gt;] ? ip_local_deliver+0x88/0xa0
 [&lt;ffffffff812eda35&gt;] udp_rcv+0x15/0x20
 [&lt;ffffffff812bba45&gt;] ip_local_deliver_finish+0x65/0x190
 [&lt;ffffffff812bbbf8&gt;] ip_local_deliver+0x88/0xa0
 [&lt;ffffffff812bb2cd&gt;] ip_rcv_finish+0x32d/0x6f0
 [&lt;ffffffff8128c14c&gt;] ? netif_receive_skb+0x99c/0x11c0
 [&lt;ffffffff812bb94b&gt;] ip_rcv+0x2bb/0x350
 [&lt;ffffffff8128c14c&gt;] netif_receive_skb+0x99c/0x11c0

Signed-off-by: Leonard Crestez &lt;lcrestez@ixiacom.com&gt;
Signed-off-by: Octavian Purdila &lt;opurdila@ixiacom.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix skb_defer_rx_timestamp()</title>
<updated>2010-12-11T00:20:56+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-12-05T18:50:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a19faf0250e09b16cac169354126404bc8aa342b'/>
<id>a19faf0250e09b16cac169354126404bc8aa342b</id>
<content type='text'>
After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
skb_defer_rx_timestamp() handles a packet without an ethernet header.

Fixes kernel bugzilla #24102

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
Reported-and-tested-by: Andrew Watts &lt;akwatts@ymail.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
skb_defer_rx_timestamp() handles a packet without an ethernet header.

Fixes kernel bugzilla #24102

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
Reported-and-tested-by: Andrew Watts &lt;akwatts@ymail.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>filter: fix sk_filter rcu handling</title>
<updated>2010-12-06T17:29:43+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-12-06T17:29:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=46bcf14f44d8f31ecfdc8b6708ec15a3b33316d9'/>
<id>46bcf14f44d8f31ecfdc8b6708ec15a3b33316d9</id>
<content type='text'>
Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and
sk_clone() in commit 47e958eac280c263397

Problem is we can have several clones sharing a common sk_filter, and
these clones might want to sk_filter_attach() their own filters at the
same time, and can overwrite old_filter-&gt;rcu, corrupting RCU queues.

We can not use filter-&gt;rcu without being sure no other thread could do
the same thing.

Switch code to a more conventional ref-counting technique : Do the
atomic decrement immediately and queue one rcu call back when last
reference is released.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and
sk_clone() in commit 47e958eac280c263397

Problem is we can have several clones sharing a common sk_filter, and
these clones might want to sk_filter_attach() their own filters at the
same time, and can overwrite old_filter-&gt;rcu, corrupting RCU queues.

We can not use filter-&gt;rcu without being sure no other thread could do
the same thing.

Switch code to a more conventional ref-counting technique : Do the
atomic decrement immediately and queue one rcu call back when last
reference is released.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: allow GFP_HIGHMEM in __vmalloc()</title>
<updated>2010-11-21T18:04:04+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-11-20T07:46:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7a1c8e5ab120a5f352e78bbc1fa5bb64e6f23639'/>
<id>7a1c8e5ab120a5f352e78bbc1fa5bb64e6f23639</id>
<content type='text'>
We forgot to use __GFP_HIGHMEM in several __vmalloc() calls.

In ceph, add the missing flag.

In fib_trie.c, xfrm_hash.c and request_sock.c, using vzalloc() is
cleaner and allows using HIGHMEM pages as well.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We forgot to use __GFP_HIGHMEM in several __vmalloc() calls.

In ceph, add the missing flag.

In fib_trie.c, xfrm_hash.c and request_sock.c, using vzalloc() is
cleaner and allows using HIGHMEM pages as well.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: fix kernel-doc for sk_filter_rcu_release</title>
<updated>2010-11-19T17:27:15+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>randy.dunlap@oracle.com</email>
</author>
<published>2010-11-18T13:02:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0302b8622ce696af1cda22fcf207d3793350e896'/>
<id>0302b8622ce696af1cda22fcf207d3793350e896</id>
<content type='text'>
Fix kernel-doc warning for sk_filter_rcu_release():

Warning(net/core/filter.c:586): missing initial short description on line:
 * 	sk_filter_rcu_release: Release a socket filter by rcu_head

Signed-off-by: Randy Dunlap &lt;randy.dunlap@oracle.com&gt;
Cc:	"David S. Miller" &lt;davem@davemloft.net&gt;
Cc:	netdev@vger.kernel.org
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix kernel-doc warning for sk_filter_rcu_release():

Warning(net/core/filter.c:586): missing initial short description on line:
 * 	sk_filter_rcu_release: Release a socket filter by rcu_head

Signed-off-by: Randy Dunlap &lt;randy.dunlap@oracle.com&gt;
Cc:	"David S. Miller" &lt;davem@davemloft.net&gt;
Cc:	netdev@vger.kernel.org
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: zero kobject in rx_queue_release</title>
<updated>2010-11-18T17:41:40+00:00</updated>
<author>
<name>John Fastabend</name>
<email>john.r.fastabend@intel.com</email>
</author>
<published>2010-11-16T19:42:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7d8e76bf9ac3604897f0ce12e8bf09b68c2a2c89'/>
<id>7d8e76bf9ac3604897f0ce12e8bf09b68c2a2c89</id>
<content type='text'>
netif_set_real_num_rx_queues() can decrement and increment
the number of rx queues. For example ixgbe does this as
features and offloads are toggled. Presumably this could
also happen across down/up on most devices if the available
resources changed (cpu offlined).

The kobject needs to be zero'd in this case so that the
state is not preserved across kobject_put()/kobject_init_and_add().

This resolves the following error report.

ixgbe 0000:03:00.0: eth2: NIC Link is Up 10 Gbps, Flow Control: RX/TX
kobject (ffff880324b83210): tried to init an initialized object, something is seriously wrong.
Pid: 1972, comm: lldpad Not tainted 2.6.37-rc18021qaz+ #169
Call Trace:
 [&lt;ffffffff8121c940&gt;] kobject_init+0x3a/0x83
 [&lt;ffffffff8121cf77&gt;] kobject_init_and_add+0x23/0x57
 [&lt;ffffffff8107b800&gt;] ? mark_lock+0x21/0x267
 [&lt;ffffffff813c6d11&gt;] net_rx_queue_update_kobjects+0x63/0xc6
 [&lt;ffffffff813b5e0e&gt;] netif_set_real_num_rx_queues+0x5f/0x78
 [&lt;ffffffffa0261d49&gt;] ixgbe_set_num_queues+0x1c6/0x1ca [ixgbe]
 [&lt;ffffffffa0262509&gt;] ixgbe_init_interrupt_scheme+0x1e/0x79c [ixgbe]
 [&lt;ffffffffa0274596&gt;] ixgbe_dcbnl_set_state+0x167/0x189 [ixgbe]

Signed-off-by: John Fastabend &lt;john.r.fastabend@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
netif_set_real_num_rx_queues() can decrement and increment
the number of rx queues. For example ixgbe does this as
features and offloads are toggled. Presumably this could
also happen across down/up on most devices if the available
resources changed (cpu offlined).

The kobject needs to be zero'd in this case so that the
state is not preserved across kobject_put()/kobject_init_and_add().

This resolves the following error report.

ixgbe 0000:03:00.0: eth2: NIC Link is Up 10 Gbps, Flow Control: RX/TX
kobject (ffff880324b83210): tried to init an initialized object, something is seriously wrong.
Pid: 1972, comm: lldpad Not tainted 2.6.37-rc18021qaz+ #169
Call Trace:
 [&lt;ffffffff8121c940&gt;] kobject_init+0x3a/0x83
 [&lt;ffffffff8121cf77&gt;] kobject_init_and_add+0x23/0x57
 [&lt;ffffffff8107b800&gt;] ? mark_lock+0x21/0x267
 [&lt;ffffffff813c6d11&gt;] net_rx_queue_update_kobjects+0x63/0xc6
 [&lt;ffffffff813b5e0e&gt;] netif_set_real_num_rx_queues+0x5f/0x78
 [&lt;ffffffffa0261d49&gt;] ixgbe_set_num_queues+0x1c6/0x1ca [ixgbe]
 [&lt;ffffffffa0262509&gt;] ixgbe_init_interrupt_scheme+0x1e/0x79c [ixgbe]
 [&lt;ffffffffa0274596&gt;] ixgbe_dcbnl_set_state+0x167/0x189 [ixgbe]

Signed-off-by: John Fastabend &lt;john.r.fastabend@intel.com&gt;
Acked-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtnetlink: Fix message size calculation for link messages</title>
<updated>2010-11-12T18:53:09+00:00</updated>
<author>
<name>Thomas Graf</name>
<email>tgraf@infradead.org</email>
</author>
<published>2010-11-11T15:47:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=369cf77a6a3e41b1110506ddf43d45804103bfde'/>
<id>369cf77a6a3e41b1110506ddf43d45804103bfde</id>
<content type='text'>
nlmsg_total_size() calculates the length of a netlink message
including header and alignment. nla_total_size() calculates the
space an individual attribute consumes which was meant to be used
in this context.

Also, ensure to account for the attribute header for the
IFLA_INFO_XSTATS attribute as implementations of get_xstats_size()
seem to assume that we do so.

The addition of two message headers minus the missing attribute
header resulted in a calculated message size that was larger than
required. Therefore we never risked running out of skb tailroom.

Signed-off-by: Thomas Graf &lt;tgraf@infradead.org&gt;
Acked-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
nlmsg_total_size() calculates the length of a netlink message
including header and alignment. nla_total_size() calculates the
space an individual attribute consumes which was meant to be used
in this context.

Also, ensure to account for the attribute header for the
IFLA_INFO_XSTATS attribute as implementations of get_xstats_size()
seem to assume that we do so.

The addition of two message headers minus the missing attribute
header resulted in a calculated message size that was larger than
required. Therefore we never risked running out of skb tailroom.

Signed-off-by: Thomas Graf &lt;tgraf@infradead.org&gt;
Acked-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: avoid limits overflow</title>
<updated>2010-11-10T20:12:00+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-11-09T23:24:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8d987e5c75107ca7515fa19e857cfa24aab6ec8f'/>
<id>8d987e5c75107ca7515fa19e857cfa24aab6ec8f</id>
<content type='text'>
Robin Holt tried to boot a 16TB machine and found some limits were
reached : sysctl_tcp_mem[2], sysctl_udp_mem[2]

We can switch infrastructure to use long "instead" of "int", now
atomic_long_t primitives are available for free.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Reported-by: Robin Holt &lt;holt@sgi.com&gt;
Reviewed-by: Robin Holt &lt;holt@sgi.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Robin Holt tried to boot a 16TB machine and found some limits were
reached : sysctl_tcp_mem[2], sysctl_udp_mem[2]

We can switch infrastructure to use long "instead" of "int", now
atomic_long_t primitives are available for free.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Reported-by: Robin Holt &lt;holt@sgi.com&gt;
Reviewed-by: Robin Holt &lt;holt@sgi.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>filter: make sure filters dont read uninitialized memory</title>
<updated>2010-11-10T18:38:24+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-11-10T18:38:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=57fe93b374a6b8711995c2d466c502af9f3a08bb'/>
<id>57fe93b374a6b8711995c2d466c502af9f3a08bb</id>
<content type='text'>
There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.

Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.

Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.

In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.

For other filters, additional cost is a single instruction.

[ Since we access fentry-&gt;k a lot now, cache it in a local variable
  and mark filter entry pointer as const. -DaveM ]

Reported-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.

Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.

Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.

In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.

For other filters, additional cost is a single instruction.

[ Since we access fentry-&gt;k a lot now, cache it in a local variable
  and mark filter entry pointer as const. -DaveM ]

Reported-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
