sctp_localaddr_list is modified dynamically via NETDEV_UP
and NETDEV_DOWN events, but there is not synchronization
between writer (even handler) and readers.  As a result,
the readers can access an entry that has been freed and
crash the sytem.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: NSridhar Samdurala <sri@us.ibm.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

If an INIT with invalid parameter length look like this:
Parameter Type : 1
Parameter Length: 800
and not contain any payload, SCTP will ignore this  parameter and send
back a INIT-ACK.
This patch is fix to handle this invalid parameter length correctly.
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Currently we abort on the INIT chunk we our backlog is currenlty
exceeded.  Delay this about untill COOKIE-ECHO to give the user
time to accept the socket.  Also, make sure that we treat
sk_max_backlog of 0 as no connections allowed.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

When performing a retransmit, do not include the chunk if
it was sent less then 1 rtt ago.  The reason is that we
may receive the SACK very soon and wouldn't retransmit.
Suggested by Randy Stewart.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Do not set Unconfirmed transports to Inactive state.  This may
result in an inactive association being destroyed since we start
counting errors on "inactive" transports against the association.
This was found at the SCTP interop event.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

sctp_bindx() allows the use of unspecified port.  The problem is
that every address we bind to ends up selecting a new port if
the user specified port 0.  This patch allows re-use of the
already selected port when the port from bindx was 0.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

When multi bundling SHUTDOWN-ACK message is received in ESTAB state,
this will cause "sctp protocol violation state" message print many times.
If SHUTDOWN-ACK is bundled 300 times in one packet, message will be
print 300 times. The same problem also exists when received unexpected
HEARTBEAT-ACK message which is bundled message times.

This patch used net_ratelimit() to suppress error messages print too fast.
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

PROTOCOL VIOLATION error cause in ABORT is bad encode when make abort
chunk. When SCTP encode ABORT chunk with PROTOCOL VIOLATION error cause,
it just add the error messages to PROTOCOL VIOLATION error cause, the
rest four bytes(struct sctp_paramhdr) is just add to the chunk, not
change the length of error cause. This cause the ABORT chunk to be a bad
format. The chunk is like this:

ABORT chunk
  Chunk type: ABORT (6)
  Chunk flags: 0x00
  Chunk length: 72 (*1)
  Protocol violation cause
    Cause code: Protocol violation (0x000d)
    Cause length: 62 (*2)
    Cause information: 5468652063756D756C61746976652074736E2061636B2062...
    Cause padding: 0000
[Needless] 00030010
Chunk Length(*1) = 72 but Cause length(*2) only 62, not include the
extend 4 bytes.
((72 - sizeof(chunk_hdr)) = 68) != (62 +3) / 4 * 4
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

At function sctp_addto_chunk(), it do pad before add payload to chunk if
chunk length is not 4-byte alignment. But it do pad with a bad length.
This patch fixed this probleam.
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Currently we only assign the sequence number to a packet that
we are about to transmit.  This however breaks the Partial
Reliability extensions, because it's possible for us to
never transmit a packet, i.e. it expires before we get to send
it.  In such cases, if the message contained multiple SCTP
fragments, and we did manage to send the first part of the
message, the Stream sequence numbers would get into invalid
state and cause receiver to stall.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

When we recieve a FWD-TSN (meaning the peer has abandoned the data),
we need to clean up any partially received messages that may be
hanging out on the re-assembly or re-ordering queues.  This is
a MUST requirement that was not properly done before.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com.>

Some code in function sctp_init_cause() seem useless, this patch remove
them.
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

We need to drop the SACK if the peer is attempting to acknowledge
unset data, i.e.  the CTSN in the SACK is greater or equal to the
next TSN we will send.

Example:
Endpoint A                                      Endpoint B
                             <---------------   DATA (TSN=1)
SACK(TSN=1) ---------------> 
                             <---------------   DATA (TSN=2)
                             <---------------   DATA (TSN=3)
                             <---------------   DATA (TSN=4)
                             <---------------   DATA (TSN=5)
SACK(TSN=1000) --------------->
                             <---------------   DATA (TSN=6)
                             <---------------   DATA (TSN=7)
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

When issuing a connect call on an AF_INET6 sctp socket with
a IPv4-mapped destination, the peer address that is returned
by getpeeraddr() should be v4-mapped as well.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

An accept() call on a SCTPv6 socket that returns due to connection of
a IPv4 mapped peer will fill out the 'struct sockaddr' with a zero
IPv6 address instead of the IPv4 mapped address of the peer.

This is due to the v4mapped flag not getting copied into the new
socket on accept() as well as a missing check for INET6 socket type in
sctp_v4_to_sk_*addr().
Signed-off-by: NDave Johnson <djohnson@sw.starentnetworks.com>
Cc: Srinivas Akkipeddi <sakkiped@starentnetworks.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

net/sctp/tsnmap.c:164:16: warning: symbol '_end' shadows an earlier one
include/asm-generic/sections.h:13:13: originally declared here

Renamed renamed _end to end_ and _start (for consistence).
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

unlock the reader lock in error case.
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Fixes the following sparse warnings:
net/sctp/sm_make_chunk.c:1457:9: warning: symbol 'len' shadows an earlier one
net/sctp/sm_make_chunk.c:1356:23: originally declared here
net/sctp/socket.c:1534:22: warning: symbol 'chunk' shadows an earlier one
net/sctp/socket.c:1387:20: originally declared here
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

sctp_chunk_cachep & sctp_bucket_cachep is used module global, so move it
to a header file.
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Forward declarion is static, the function itself is not. Make it
consistent.
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Slab destructors were no longer supported after Christoph's
c59def9f change. They've been
BUGs for both slab and slub, and slob never supported them
either.

This rips out support for the dtor pointer from kmem_cache_create()
completely and fixes up every single callsite in the kernel (there were
about 224, not including the slab allocator definitions themselves,
or the documentation references).
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

Signed-off-by: NYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

Make all initialized struct seq_operations in net/ const
Signed-off-by: NPhilippe De Muyter <phdm@macqel.be>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

SCTP currently permits users to bind to link-local addresses,
but doesn't verify that the scope id specified at bind matches
the interface that the address is configured on.  It was report
that this can hang a system.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

In-kernel sockets created with sock_create_kern don't usually
have a file and file descriptor allocated to them.  As a result,
when SCTP tries to check the non-blocking flag, we Oops when
dereferencing a NULL file pointer.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Correctly dereference bytes_copied in sctp_copy_laddrs().
I totally must have spaced when doing this.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

sctp_sock_migrate() grabs the socket lock on a newly allocated socket while
holding the socket lock on an old socket.  lockdep worries that this might
be a recursive lock attempt.

 task/3026 is trying to acquire lock:
  (sk_lock-AF_INET){--..}, at: [<ffffffff88105b8c>] sctp_sock_migrate+0x2e3/0x327 [sctp]
 but task is already holding lock:
  (sk_lock-AF_INET){--..}, at: [<ffffffff8810891f>] sctp_accept+0xdf/0x1e3 [sctp]

This patch tells lockdep that this locking is safe by using
lock_sock_nested().
Signed-off-by: NZach Brown <zach.brown@oracle.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

	This is the split out of the patch that we agreed I should split
out from my last patch.  It changes space_left to be computed in the same
way the to variable is.  I know we talked about changing space_left to an
int, but I think size_t is more appropriate, since we should never have
negative space in our buffer, and computing using offsetof means space_left
should now never drop below zero.
Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

	I noted the other day while looking at a bug that was ostensibly
in some perl networking library, that we strictly avoid allowing getsockopt
operations to complete if we pass in oversized buffers.  This seems to make
libraries like Perl::NET malfunction since it seems to allocate oversized
buffers for use in several operations.  It also seems to be out of line with
the way udp, tcp and ip getsockopt routines handle buffer input (since the
*optlen pointer in both an input and an output and gets set to the length
of the data that we copy into the buffer).  This patch brings our getsockopt
helpers into line with other protocols, and allows us to accept oversized
buffers for our getsockopt operations.  Tested by me with good results.
Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Right now, when we receive a mtu estimate smaller then minim
threshold in the ICMP message, we disable the path mtu discovery
on the transport.  This leads to the never increasing sctp fragmentation
point even when the real path mtu has increased.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Currently, if the socket is owned by the user, we drop the ICMP
message.  As a result SCTP forgets that path MTU changed and
never adjusting it's estimate.  This causes all subsequent
packets to be fragmented.  With this patch, we'll flag the association
that it needs to udpate it's estimate based on the already updated
routing information.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>

Introduce new function sctp_transport_update_pmtu that updates
the transports and destination caches view of the path mtu.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>

If the copy_to_user or copy_user calls fail in sctp_getsockopt_local_addrs(),
the function should free locally allocated storage before returning error.
Spotted by Coverity.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>

Allow sctp_bindx() to accept multiple address with
unspecified port.  In this case, all addresses inherit
the first bound port.  We still catch full mis-matches.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>

During peeloff of AF_INET6 socket, the inet6_sk(sk)->daddr
wasn't set correctly since the code was assuming IPv4 only.
Now we use a correct call to set the destination address.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NSridhar Samudrala <sri@us.ibm.com>

Recent gcc versions emit warnings when unsigned variables are
compared < 0 or >= 0.
Signed-off-by: NBill Nottingham <notting@redhat.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Use menuconfigs instead of menus, so the whole menu can be disabled at
once instead of going through all options.
Signed-off-by: NJan Engelhardt <jengelh@gmx.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The socket API draft is unclear about whether to include the
chunk header or not.  Recent discussion on the sctp implementors
mailing list clarified that the chunk header shouldn't be included,
but the error parameter header still needs to be there.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

I broke the  non-wildcard case recently.  This is to fixes it.
Now, explictitly bound addresses can ge retrieved using the API.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>