cfg80211: fix NULL ptr deref
diff --git
a/net/socket.c
b/net/socket.c
index
91d0c02
..
7565536
100644
(file)
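--- a/net/socket.c
+++ b/net/socket.c
@@ -86,6 +86,7 @@
 #include <linux/audit.h>
 #include <linux/wireless.h>
 #include <linux/nsproxy.h>
+#include <linux/magic.h>
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -235,8 +236,6 @@ int move_addr_to_user(struct sockaddr *kaddr, int klen, void __user *uaddr,
 return __put_user(klen, ulen);
 }
-#define SOCKFS_MAGIC 0x534F434B
-
 static struct kmem_cache *sock_inode_cachep __read_mostly;
 static struct inode *sock_alloc_inode(struct super_block *sb)
@@ -285,7 +284,7 @@ static int init_inodecache(void)
 return 0;
 }
-static struct super_operations sockfs_ops = {
+static const struct super_operations sockfs_ops = {
 .alloc_inode = sock_alloc_inode,
 .destroy_inode =sock_destroy_inode,
 .statfs = simple_statfs,
@@ -489,12 +488,12 @@ static struct socket *sock_alloc(void)
 sock = SOCKET_I(inode);
+ kmemcheck_annotate_bitfield(sock, type);
 inode->i_mode = S_IFSOCK | S_IRWXUGO;
 inode->i_uid = current_fsuid();
 inode->i_gid = current_fsgid();
- get_cpu_var(sockets_in_use)++;
- put_cpu_var(sockets_in_use);
+ percpu_add(sockets_in_use, 1);
 return sock;
 }
@@ -536,8 +535,7 @@ void sock_release(struct socket *sock)
 if (sock->fasync_list)
 printk(KERN_ERR "sock_release: fasync list not empty!\n");
- get_cpu_var(sockets_in_use)--;
- put_cpu_var(sockets_in_use);
+ percpu_sub(sockets_in_use, 1);
 if (!sock->file) {
 iput(SOCK_INODE(sock));
 return;
@@ -738,7 +736,7 @@ static ssize_t sock_sendpage(struct file *file, struct page *page,
 if (more)
 flags |= MSG_MORE;
- return sock->ops->sendpage(sock, page, offset, size, flags);
+ return kernel_sendpage(sock, page, offset, size, flags);
 }
 static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
@@ -2100,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
 unsigned long a[6];
 unsigned long a0, a1;
 int err;
+ unsigned int len;
 if (call < 1 || call > SYS_ACCEPT4)
 return -EINVAL;
+ len = nargs[call];
+ if (len > sizeof(a))
+ return -EINVAL;
+
 /* copy_from_user should be SMP safe. */
- if (copy_from_user(a, args, nargs[call]))
+ if (copy_from_user(a, args, len))
 return -EFAULT;
 audit_socketcall(nargs[call] / sizeof(unsigned long), a);
@@ -2388,7 +2391,7 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
 }
 int kernel_setsockopt(struct socket *sock, int level, int optname,
- char *optval, int optlen)
+ char *optval, unsigned int optlen)
 {
 mm_segment_t oldfs = get_fs();
 int err;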
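Review bot: In the socketcall hunk, `audit_socketcall(nargs[call] / sizeof(unsigned long), a);` still re-reads the table after the new bound check, so the audited argument count is not visibly tied to the `len` that was validated and copied; `audit_socketcall(len / sizeof(unsigned long), a);` would keep both uses on the checked value. The new check also deserves a one-line comment, for example `/* refuse any nargs[] entry that would overrun a[] */`, because nothing in the hunk says why a table lookup is range-checked at run time. The declaration of nargs[] is outside the hunk, so the `call > SYS_ACCEPT4` guard is presumably what keeps the index inside the table; it is worth confirming the table has an entry for every accepted call number. The syscall body continues past the end of the hunk.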