net: ipmr/ip6mr: fix potential out-of-bounds vif_table access
[safe/jmp/linux-2.6] / net / dccp / probe.c
index 5e6ec8b..f5b3464 100644 (file)
@@ -43,7 +43,7 @@ static int bufsize = 64 * 1024;
 static const char procname[] = "dccpprobe";
 
 static struct {
-       struct kfifo      *fifo;
+       struct kfifo      fifo;
        spinlock_t        lock;
        wait_queue_head_t wait;
        struct timespec   tstart;
@@ -67,7 +67,7 @@ static void printl(const char *fmt, ...)
        len += vscnprintf(tbuf+len, sizeof(tbuf)-len, fmt, args);
        va_end(args);
 
-       kfifo_put(dccpw.fifo, tbuf, len);
+       kfifo_in_locked(&dccpw.fifo, tbuf, len, &dccpw.lock);
        wake_up(&dccpw.wait);
 }
 
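Review bot: The return value of `kfifo_in_locked()` is discarded at the call in `printl`, so a record that does not fit is dropped or cut short with nothing telling the reader of the proc file. If that best-effort behaviour is intended, it should be stated next to the call, for example `/* Best effort: a full fifo drops or truncates this record. */`. A consumer treating this output as a complete trace would otherwise have no way to know lines are missing. The start of `printl`, including the declaration of `tbuf`, is outside the hunk.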
@@ -80,19 +80,20 @@ static int jdccp_sendmsg(struct kiocb *iocb, struct sock *sk,
        if (ccid_get_current_tx_ccid(dccp_sk(sk)) == DCCPC_CCID3)
                hc = ccid3_hc_tx_sk(sk);
 
-       if (port == 0 || ntohs(inet->dport) == port ||
-           ntohs(inet->sport) == port) {
+       if (port == 0 || ntohs(inet->inet_dport) == port ||
+           ntohs(inet->inet_sport) == port) {
                if (hc)
                        printl("%pI4:%u %pI4:%u %d %d %d %d %u %llu %llu %d\n",
-                              &inet->saddr, ntohs(inet->sport),
-                              &inet->daddr, ntohs(inet->dport), size,
+                              &inet->inet_saddr, ntohs(inet->inet_sport),
+                              &inet->inet_daddr, ntohs(inet->inet_dport), size,
                               hc->tx_s, hc->tx_rtt, hc->tx_p,
                               hc->tx_x_calc, hc->tx_x_recv >> 6,
                               hc->tx_x >> 6, hc->tx_t_ipi);
                else
                        printl("%pI4:%u %pI4:%u %d\n",
-                              &inet->saddr, ntohs(inet->sport),
-                              &inet->daddr, ntohs(inet->dport), size);
+                              &inet->inet_saddr, ntohs(inet->inet_sport),
+                              &inet->inet_daddr, ntohs(inet->inet_dport),
+                              size);
        }
 
        jprobe_return();
@@ -108,7 +109,7 @@ static struct jprobe dccp_send_probe = {
 
 static int dccpprobe_open(struct inode *inode, struct file *file)
 {
-       kfifo_reset(dccpw.fifo);
+       kfifo_reset(&dccpw.fifo);
        getnstimeofday(&dccpw.tstart);
        return 0;
 }
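Review bot: `kfifo_reset(&dccpw.fifo)` in `dccpprobe_open` now runs without `dccpw.lock`, while `printl` writes under that lock through `kfifo_in_locked()`. The old pointer-based `kfifo_reset()` appears to have taken the fifo's own spinlock internally, whereas the new inline form only resets the indices, so an open() racing with a firing probe can leave the fifo in an inconsistent state. Taking the lock around the reset restores the old guarantee: `spin_lock_irqsave(&dccpw.lock, flags);` `kfifo_reset(&dccpw.fifo);` `spin_unlock_irqrestore(&dccpw.lock, flags);`, with an `unsigned long flags;` local added.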
@@ -130,11 +131,11 @@ static ssize_t dccpprobe_read(struct file *file, char __user *buf,
                return -ENOMEM;
 
        error = wait_event_interruptible(dccpw.wait,
-                                        __kfifo_len(dccpw.fifo) != 0);
+                                        kfifo_len(&dccpw.fifo) != 0);
        if (error)
                goto out_free;
 
-       cnt = kfifo_get(dccpw.fifo, tbuf, len);
+       cnt = kfifo_out_locked(&dccpw.fifo, tbuf, len, &dccpw.lock);
        error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;
 
 out_free:
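Review bot: In `dccpprobe_read` the bytes are removed from the fifo by `kfifo_out_locked()` before `copy_to_user()` runs, so a faulting user buffer returns `-EFAULT` and the dequeued records are lost. This ordering predates the change, but the switch to the new API is a good place to document it, for example `/* Data is dequeued before the copy; on -EFAULT it is discarded. */` above the `copy_to_user()` line. The wait condition also reads `kfifo_len()` without the lock, so `cnt` may be 0 if another reader drained the fifo first; how that is returned is outside the hunk.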
@@ -155,14 +156,13 @@ static __init int dccpprobe_init(void)
 
        init_waitqueue_head(&dccpw.wait);
        spin_lock_init(&dccpw.lock);
-       dccpw.fifo = kfifo_alloc(bufsize, GFP_KERNEL, &dccpw.lock);
-       if (IS_ERR(dccpw.fifo))
-               return PTR_ERR(dccpw.fifo);
-
+       if (kfifo_alloc(&dccpw.fifo, bufsize, GFP_KERNEL))
+               return ret;
        if (!proc_net_fops_create(&init_net, procname, S_IRUSR, &dccpprobe_fops))
                goto err0;
 
-       ret = register_jprobe(&dccp_send_probe);
+       try_then_request_module((ret = register_jprobe(&dccp_send_probe)) == 0,
+                               "dccp");
        if (ret)
                goto err1;
 
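Review bot: The error code from `kfifo_alloc()` is thrown away in `dccpprobe_init`, and `return ret;` hands back whatever `ret` held before. Its initialiser is outside the hunk, so if it is ever 0 the module would load without a fifo. Keeping the real error is safer: `ret = kfifo_alloc(&dccpw.fifo, bufsize, GFP_KERNEL);` followed by `if (ret) return ret;`. The `goto err0` path after `proc_net_fops_create()` also returns `ret`, so it would then need an explicit `ret = -ENOMEM;` before the jump. Separately, a short comment on `try_then_request_module()` noting that the `ret = register_jprobe(...)` expression may be evaluated twice would help readers.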
@@ -171,14 +171,14 @@ static __init int dccpprobe_init(void)
 err1:
        proc_net_remove(&init_net, procname);
 err0:
-       kfifo_free(dccpw.fifo);
+       kfifo_free(&dccpw.fifo);
        return ret;
 }
 module_init(dccpprobe_init);
 
 static __exit void dccpprobe_exit(void)
 {
-       kfifo_free(dccpw.fifo);
+       kfifo_free(&dccpw.fifo);
        proc_net_remove(&init_net, procname);
        unregister_jprobe(&dccp_send_probe);