Merge tetrachloride.(none):/mnt/raid/src/kernel/2.5/bk-linus

into tetrachloride.(none):/mnt/raid/src/kernel/2.5/agpgart

drivers/net/arcnet/arc-rawmode.c

@@ -53,10 +53,12 @@ struct ArcProto rawmode_proto =
 };
 
 
-void arcnet_raw_init(void)
+static int __init arcnet_raw_init(void)
 {
 	int count;
 
+	printk(VERSION);
+
 	for (count = 0; count < 256; count++)
 		if (arc_proto_map[count] == arc_proto_default)
 			arc_proto_map[count] = &rawmode_proto;
@@ -66,26 +68,18 @@ void arcnet_raw_init(void)
 		arc_bcast_proto = &rawmode_proto;
 
 	arc_proto_default = &rawmode_proto;
-}
-
-
-#ifdef MODULE
-
-int __init init_module(void)
-{
-	printk(VERSION);
-	arcnet_raw_init();
 	return 0;
 }
 
-void cleanup_module(void)
+static void __exit arcnet_raw_exit(void)
 {
 	arcnet_unregister_proto(&rawmode_proto);
 }
 
-MODULE_LICENSE("GPL");
-#endif				/* MODULE */
+module_init(arcnet_raw_init);
+module_exit(arcnet_raw_exit);
 
+MODULE_LICENSE("GPL");
 
 
 /* packet receiver */

drivers/net/arcnet/arcnet.c

@@ -106,13 +106,15 @@ static int arcnet_rebuild_header(struct sk_buff *skb);
 static struct net_device_stats *arcnet_get_stats(struct net_device *dev);
 static int go_tx(struct net_device *dev);
 
-void __init arcnet_init(void)
+static int debug = ARCNET_DEBUG;
+MODULE_PARM(debug, "i");
+MODULE_LICENSE("GPL");
+
+static int __init arcnet_init(void)
 {
-	static int arcnet_inited;
 	int count;
 
-	if (arcnet_inited++)
-		return;
+	arcnet_debug = debug;
 
 	printk(VERSION);
 
@@ -138,47 +140,15 @@ void __init arcnet_init(void)
 		sizeof(struct arc_rfc1051), sizeof(struct arc_eth_encap),
 		   sizeof(struct archdr));
 
-#ifdef CONFIG_ARCNET		/* We're not built as a module */
-	printk("arcnet: Available protocols:");
-#ifdef CONFIG_ARCNET_1201
-	printk(" RFC1201");
-	arcnet_rfc1201_init();
-#endif
-#ifdef CONFIG_ARCNET_1051
-	printk(" RFC1051");
-	arcnet_rfc1051_init();
-#endif
-#ifdef CONFIG_ARCNET_RAW
-	printk(" RAW");
-	arcnet_raw_init();
-#endif
-	printk("\n");
-#ifdef CONFIG_ARCNET_COM90xx
-	com90xx_probe(NULL);
-#endif
-#endif
-}
-
-
-#ifdef MODULE
-
-static int debug = ARCNET_DEBUG;
-MODULE_PARM(debug, "i");
-MODULE_LICENSE("GPL");
-
-int __init init_module(void)
-{
-	arcnet_debug = debug;
-	arcnet_init();
 	return 0;
 }
 
-void cleanup_module(void)
+static void __exit arcnet_exit(void)
 {
 }
 
-#endif
-
+module_init(arcnet_init);
+module_exit(arcnet_exit);
 
 /*
  * Dump the contents of an sk_buff

drivers/net/arcnet/com20020-isa.c

@@ -54,10 +54,6 @@ static int __init com20020isa_probe(struct net_device *dev)
 	unsigned long airqmask;
 	struct arcnet_local *lp = dev->priv;
 
-#ifndef MODULE
-	arcnet_init();
-#endif
-
 	BUGLVL(D_NORMAL) printk(VERSION);
 
 	ioaddr = dev->base_addr;

drivers/net/arcnet/com20020-pci.c

@@ -183,9 +183,6 @@ static struct pci_driver com20020pci_driver = {
 static int __init com20020pci_init(void)
 {
 	BUGLVL(D_NORMAL) printk(VERSION);
-#ifndef MODULE
-	arcnet_init();
-#endif
 	return pci_module_init(&com20020pci_driver);
 }
 

drivers/net/arcnet/com90io.c

@@ -151,10 +151,6 @@ static int __init com90io_probe(struct net_device *dev)
 	int ioaddr = dev->base_addr, status;
 	unsigned long airqmask;
 
-#ifndef MODULE
-	arcnet_init();
-#endif
-
 	BUGLVL(D_NORMAL) printk(VERSION);
 	BUGLVL(D_NORMAL) printk("E-mail me if you actually test this driver, please!\n");
 

drivers/net/arcnet/com90xx.c

@@ -29,7 +29,6 @@
 #include <linux/ioport.h>
 #include <linux/delay.h>
 #include <linux/netdevice.h>
-#include <linux/bootmem.h>
 #include <asm/io.h>
 #include <linux/arcdevice.h>
 
@@ -100,7 +99,7 @@ static int numcards;
 
 static int com90xx_skip_probe __initdata = 0;
 
-int __init com90xx_probe(struct net_device *dev)
+static int __init com90xx_probe(struct net_device *dev)
 {
 	int count, status, ioaddr, numprint, airq, retval = -ENODEV,
 	 openparen = 0;
@@ -115,10 +114,6 @@ int __init com90xx_probe(struct net_device *dev)
 	if (!dev && com90xx_skip_probe)
 		return -ENODEV;
 
-#ifndef MODULE
-	arcnet_init();
-#endif
-
 	BUGLVL(D_NORMAL) printk(VERSION);
 
 	/* set up the arrays where we'll store the possible probe addresses */
@@ -603,9 +598,6 @@ static void com90xx_copy_from_card(struct net_device *dev, int bufnum, int offse
 }
 
 
-
-#ifdef MODULE
-
 /* Module parameters */
 
 static int io;			/* use the insmod io= irq= shmem= options */
@@ -619,7 +611,7 @@ MODULE_PARM(shmem, "i");
 MODULE_PARM(device, "s");
 MODULE_LICENSE("GPL");
 
-int init_module(void)
+static int __init com90xx_init(void)
 {
 	struct net_device *dev;
 	int err;
@@ -642,8 +634,7 @@ int init_module(void)
 	return 0;
 }
 
-
-void cleanup_module(void)
+static void __exit com90xx_exit(void)
 {
 	struct net_device *dev;
 	struct arcnet_local *lp;
@@ -663,44 +654,38 @@ void cleanup_module(void)
 	}
 }
 
-#else
+module_init(com90xx_init);
+module_exit(com90xx_exit);
 
+#ifndef MODULE
 static int __init com90xx_setup(char *s)
 {
-	struct net_device *dev;
 	int ints[8];
 
-	com90xx_skip_probe = 1;
-
 	s = get_options(s, 8, ints);
 	if (!ints[0] && !*s) {
 		printk("com90xx: Disabled.\n");
 		return 1;
 	}
-	dev = alloc_bootmem(sizeof(struct net_device));
-	memset(dev, 0, sizeof(struct net_device));
-	dev->init = com90xx_probe;
 
 	switch (ints[0]) {
 	default:		/* ERROR */
 		printk("com90xx: Too many arguments.\n");
 	case 3:		/* Mem address */
-		dev->mem_start = ints[3];
+		shmem = ints[3];
 	case 2:		/* IRQ */
-		dev->irq = ints[2];
+		irq = ints[2];
 	case 1:		/* IO address */
-		dev->base_addr = ints[1];
+		io = ints[1];
 	}
+
 	if (*s)
-		strncpy(dev->name, s, 9);
+		strncpy(device, s, 9);
 	else
-		strcpy(dev->name, "arc%d");
-	if (register_netdev(dev))
-		printk(KERN_ERR "com90xx: Cannot register arcnet device\n");
+		strcpy(device, "arc%d");
 
 	return 1;
 }
 
 __setup("com90xx=", com90xx_setup);
-
-#endif				/* MODULE */
+#endif

drivers/net/arcnet/rfc1051.c

@@ -53,8 +53,10 @@ struct ArcProto rfc1051_proto =
 };
 
 
-void __init arcnet_rfc1051_init(void)
+static int __init arcnet_rfc1051_init(void)
 {
+	printk(VERSION);
+
 	arc_proto_map[ARC_P_IP_RFC1051]
 	    = arc_proto_map[ARC_P_ARP_RFC1051]
 	    = &rfc1051_proto;
@@ -63,27 +65,18 @@ void __init arcnet_rfc1051_init(void)
 	if (arc_bcast_proto == arc_proto_default)
 		arc_bcast_proto = &rfc1051_proto;
 
-}
-
-
-#ifdef MODULE
-
-MODULE_LICENSE("GPL");
-
-int __init init_module(void)
-{
-	printk(VERSION);
-	arcnet_rfc1051_init();
 	return 0;
 }
 
-void cleanup_module(void)
+static void __exit arcnet_rfc1051_exit(void)
 {
 	arcnet_unregister_proto(&rfc1051_proto);
 }
 
-#endif				/* MODULE */
+module_init(arcnet_rfc1051_init);
+module_exit(arcnet_rfc1051_exit);
 
+MODULE_LICENSE("GPL");
 
 /*
  * Determine a packet's protocol ID.

drivers/net/arcnet/rfc1201.c

@@ -53,8 +53,10 @@ struct ArcProto rfc1201_proto =
 };
 
 
-void __init arcnet_rfc1201_init(void)
+static int __init arcnet_rfc1201_init(void)
 {
+	printk(VERSION);
+
 	arc_proto_map[ARC_P_IP]
 	    = arc_proto_map[ARC_P_IPV6]
 	    = arc_proto_map[ARC_P_ARP]
@@ -66,27 +68,17 @@ void __init arcnet_rfc1201_init(void)
 	/* if someone else already owns the broadcast, we won't take it */
 	if (arc_bcast_proto == arc_proto_default)
 		arc_bcast_proto = &rfc1201_proto;
-}
-
-
-#ifdef MODULE
 
-MODULE_LICENSE("GPL");
-
-int __init init_module(void)
-{
-	printk(VERSION);
-	arcnet_rfc1201_init();
 	return 0;
 }
 
-void cleanup_module(void)
+static void __exit arcnet_rfc1201_exit(void)
 {
 	arcnet_unregister_proto(&rfc1201_proto);
 }
 
-#endif				/* MODULE */
-
+module_init(arcnet_rfc1201_init);
+module_exit(arcnet_rfc1201_exit);
 
 /*
  * Determine a packet's protocol ID.

drivers/net/setup.c

@@ -11,7 +11,6 @@
 
 extern int dmascc_init(void);
 
-extern int arcnet_init(void); 
 extern int scc_enet_init(void); 
 extern int fec_enet_init(void); 
 extern int sdla_setup(void); 
@@ -42,9 +41,6 @@ static struct net_probe pci_probes[] __initdata = {
 #if defined(CONFIG_SDLA)
 	{sdla_c_setup, 0},
 #endif
-#if defined(CONFIG_ARCNET)
-	{arcnet_init, 0},
-#endif
 #if defined(CONFIG_SCC_ENET)
         {scc_enet_init, 0},
 #endif

drivers/scsi/aic7xxx/aic7xxx_osm.c

@@ -1837,7 +1837,7 @@ ahc_linux_register_host(struct ahc_softc *ahc, Scsi_Host_Template *template)
 }
 
 uint64_t
-ahc_linux_get_memsize()
+ahc_linux_get_memsize(void)
 {
 	struct sysinfo si;
 
@@ -1852,7 +1852,7 @@ ahc_linux_get_memsize()
  * scenario.
  */
 static int
-ahc_linux_next_unit()
+ahc_linux_next_unit(void)
 {
 	struct ahc_softc *ahc;
 	int unit;

drivers/scsi/sg.c

@@ -2658,7 +2658,7 @@ sg_allow_access(unsigned char opcode, char dev_type)
 
 #ifdef CONFIG_PROC_FS
 static int
-sg_last_dev()
+sg_last_dev(void)
 {
 	int k;
 	unsigned long iflags;
@@ -2770,7 +2770,7 @@ static struct sg_proc_leaf sg_proc_leaf_arr[] = {
 extern struct proc_dir_entry *proc_scsi;
 
 static int
-sg_proc_init()
+sg_proc_init(void)
 {
 	int k, mask;
 	int num_leaves =
@@ -2798,7 +2798,7 @@ sg_proc_init()
 }
 
 static void
-sg_proc_cleanup()
+sg_proc_cleanup(void)
 {
 	int k;
 	int num_leaves =

include/linux/arcdevice.h

@@ -333,14 +333,5 @@ void arcnet_interrupt(int irq, void *dev_id, struct pt_regs *regs);
 void arcdev_setup(struct net_device *dev);
 void arcnet_rx(struct net_device *dev, int bufnum);
 
-void arcnet_init(void);
-
-void arcnet_rfc1201_init(void);
-void arcnet_rfc1051_init(void);
-void arcnet_raw_init(void);
-
-int com90xx_probe(struct net_device *dev);
-
 #endif				/* __KERNEL__ */
-
 #endif				/* _LINUX_ARCDEVICE_H */

include/linux/netfilter_ipv4/ip_tables.h

@@ -347,13 +347,14 @@ struct ipt_match
 
 	/* Return true or false: return FALSE and set *hotdrop = 1 to
            force immediate packet drop. */
+	/* Arguments changed since 2.4, as this must now handle
+           non-linear skbs, using skb_copy_bits and
+           skb_ip_make_writable. */
 	int (*match)(const struct sk_buff *skb,
 		     const struct net_device *in,
 		     const struct net_device *out,
 		     const void *matchinfo,
 		     int offset,
-		     const void *hdr,
-		     u_int16_t datalen,
 		     int *hotdrop);
 
 	/* Called when user tries to insert an entry of this type. */
@@ -367,7 +368,7 @@ struct ipt_match
 	/* Called when entry of this type deleted. */
 	void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 
-	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	/* Set this to THIS_MODULE. */
 	struct module *me;
 };
 
@@ -378,14 +379,6 @@ struct ipt_target
 
 	const char name[IPT_FUNCTION_MAXNAMELEN];
 
-	/* Returns verdict. */
-	unsigned int (*target)(struct sk_buff **pskb,
-			       unsigned int hooknum,
-			       const struct net_device *in,
-			       const struct net_device *out,
-			       const void *targinfo,
-			       void *userdata);
-
 	/* Called when user tries to insert an entry of this type:
            hook_mask is a bitmask of hooks from which it can be
            called. */
@@ -399,7 +392,17 @@ struct ipt_target
 	/* Called when entry of this type deleted. */
 	void (*destroy)(void *targinfo, unsigned int targinfosize);
 
-	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	/* Returns verdict.  Argument order changed since 2.4, as this
+           must now handle non-linear skbs, using skb_copy_bits and
+           skb_ip_make_writable. */
+	unsigned int (*target)(struct sk_buff **pskb,
+			       const struct net_device *in,
+			       const struct net_device *out,
+			       unsigned int hooknum,
+			       const void *targinfo,
+			       void *userdata);
+
+	/* Set this to THIS_MODULE. */
 	struct module *me;
 };
 
@@ -429,7 +432,7 @@ struct ipt_table
 	/* Man behind the curtain... */
 	struct ipt_table_info *private;
 
-	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	/* Set to THIS_MODULE. */
 	struct module *me;
 };
 

include/net/ip.h

@@ -295,7 +295,6 @@ extern void	ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
 extern void	ip_local_error(struct sock *sk, int err, u32 daddr, u16 dport,
 			       u32 info);
 
-extern int ip_seq_release(struct inode *inode, struct file *file);
 extern int ipv4_proc_init(void);
 
 /* sysctl helpers - any sysctl which holds a value that ends up being

include/net/transp_v6.h

@@ -16,7 +16,6 @@ extern struct proto tcpv6_prot;
 struct flowi;
 
 /* extention headers */
-extern void				ipv6_hopopts_init(void);
 extern void				ipv6_rthdr_init(void);
 extern void				ipv6_frag_init(void);
 extern void				ipv6_nodata_init(void);

net/core/dev.c

@@ -2863,9 +2863,6 @@ int unregister_netdevice(struct net_device *dev)
 
 extern void net_device_init(void);
 extern void ip_auto_config(void);
-#ifdef CONFIG_NET_DIVERT
-extern void dv_init(void);
-#endif /* CONFIG_NET_DIVERT */
 
 
 /*
@@ -2889,10 +2886,6 @@ static int __init net_dev_init(void)
 	for (i = 0; i < 16; i++) 
 		INIT_LIST_HEAD(&ptype_base[i]);
 
-#ifdef CONFIG_NET_DIVERT
-	dv_init();
-#endif /* CONFIG_NET_DIVERT */
-
 	/*
 	 *	Initialise the packet receive queues.
 	 */

net/core/dst.c

@@ -123,6 +123,7 @@ void * dst_alloc(struct dst_ops * ops)
 	if (!dst)
 		return NULL;
 	memset(dst, 0, ops->entry_size);
+	atomic_set(&dst->__refcnt, 0);
 	dst->ops = ops;
 	dst->lastuse = jiffies;
 	dst->path = dst;

net/core/dv.c

@@ -40,11 +40,12 @@
 
 const char sysctl_divert_version[32]="0.46";	/* Current version */
 
-int __init dv_init(void)
+static int __init dv_init(void)
 {
 	printk(KERN_INFO "NET4: Frame Diverter %s\n", sysctl_divert_version);
 	return 0;
 }
+module_init(dv_init);
 
 /*
  * Allocate a divert_blk for a device. This must be an ethernet nic.

net/core/rtnetlink.c

@@ -52,7 +52,7 @@
 
 DECLARE_MUTEX(rtnl_sem);
 
-void rtnl_lock()
+void rtnl_lock(void)
 {
 	rtnl_shlock();
 	rtnl_exlock();

net/ipv4/arp.c

@@ -1389,7 +1389,7 @@ static struct file_operations arp_seq_fops = {
 	.open           = arp_seq_open,
 	.read           = seq_read,
 	.llseek         = seq_lseek,
-	.release	= ip_seq_release,
+	.release	= seq_release_private,
 };
 
 static int __init arp_proc_init(void)

net/ipv4/fib_hash.c

@@ -1069,7 +1069,7 @@ static struct file_operations fib_seq_fops = {
 	.open           = fib_seq_open,
 	.read           = seq_read,
 	.llseek         = seq_lseek,
-	.release	= ip_seq_release,
+	.release	= seq_release_private,
 };
 
 int __init fib_proc_init(void)

net/ipv4/netfilter/ip_nat_rule.c

@@ -111,9 +111,9 @@ static struct ipt_table nat_table = {
 
 /* Source NAT */
 static unsigned int ipt_snat_target(struct sk_buff **pskb,
-				    unsigned int hooknum,
 				    const struct net_device *in,
 				    const struct net_device *out,
+				    unsigned int hooknum,
 				    const void *targinfo,
 				    void *userinfo)
 {
@@ -132,9 +132,9 @@ static unsigned int ipt_snat_target(struct sk_buff **pskb,
 }
 
 static unsigned int ipt_dnat_target(struct sk_buff **pskb,
-				    unsigned int hooknum,
 				    const struct net_device *in,
 				    const struct net_device *out,
+				    unsigned int hooknum,
 				    const void *targinfo,
 				    void *userinfo)
 {

net/ipv4/netfilter/ip_tables.c

@@ -214,9 +214,9 @@ ip_checkentry(const struct ipt_ip *ip)
 
 static unsigned int
 ipt_error(struct sk_buff **pskb,
-	  unsigned int hooknum,
 	  const struct net_device *in,
 	  const struct net_device *out,
+	  unsigned int hooknum,
 	  const void *targinfo,
 	  void *userinfo)
 {
@@ -232,13 +232,10 @@ int do_match(struct ipt_entry_match *m,
 	     const struct net_device *in,
 	     const struct net_device *out,
 	     int offset,
-	     const void *hdr,
-	     u_int16_t datalen,
 	     int *hotdrop)
 {
 	/* Stop iteration if it doesn't match */
-	if (!m->u.kernel.match->match(skb, in, out, m->data,
-				      offset, hdr, datalen, hotdrop))
+	if (!m->u.kernel.match->match(skb, in, out, m->data, offset, hotdrop))
 		return 1;
 	else
 		return 0;
@@ -262,7 +259,6 @@ ipt_do_table(struct sk_buff **pskb,
 	static const char nulldevname[IFNAMSIZ] = { 0 };
 	u_int16_t offset;
 	struct iphdr *ip;
-	void *protohdr;
 	u_int16_t datalen;
 	int hotdrop = 0;
 	/* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -271,13 +267,8 @@ ipt_do_table(struct sk_buff **pskb,
 	void *table_base;
 	struct ipt_entry *e, *back;
 
-	/* FIXME: Push down to extensions --RR */
-	if (skb_is_nonlinear(*pskb) && skb_linearize(*pskb, GFP_ATOMIC) != 0)
-		return NF_DROP;
-
 	/* Initialization */
 	ip = (*pskb)->nh.iph;
-	protohdr = (u_int32_t *)ip + ip->ihl;
 	datalen = (*pskb)->len - ip->ihl * 4;
 	indev = in ? in->name : nulldevname;
 	outdev = out ? out->name : nulldevname;
@@ -320,8 +311,7 @@ ipt_do_table(struct sk_buff **pskb,
 
 			if (IPT_MATCH_ITERATE(e, do_match,
 					      *pskb, in, out,
-					      offset, protohdr,
-					      datalen, &hotdrop) != 0)
+					      offset, &hotdrop) != 0)
 				goto no_match;
 
 			ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
@@ -364,8 +354,8 @@ ipt_do_table(struct sk_buff **pskb,
 					= 0xeeeeeeec;
 #endif
 				verdict = t->u.kernel.target->target(pskb,
-								     hook,
 								     in, out,
+								     hook,
 								     t->data,
 								     userdata);
 
@@ -382,7 +372,6 @@ ipt_do_table(struct sk_buff **pskb,
 #endif
 				/* Target might have changed stuff. */
 				ip = (*pskb)->nh.iph;
-				protohdr = (u_int32_t *)ip + ip->ihl;
 				datalen = (*pskb)->len - ip->ihl * 4;
 
 				if (verdict == IPT_CONTINUE)
@@ -1458,22 +1447,24 @@ port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
 
 static int
 tcp_find_option(u_int8_t option,
-		const struct tcphdr *tcp,
-		u_int16_t datalen,
+		const struct sk_buff *skb,
+		unsigned int optlen,
 		int invert,
 		int *hotdrop)
 {
-	unsigned int i = sizeof(struct tcphdr);
-	const u_int8_t *opt = (u_int8_t *)tcp;
+	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+	char opt[60 - sizeof(struct tcphdr)];
+	unsigned int i;
 
 	duprintf("tcp_match: finding option\n");
 	/* If we don't have the whole header, drop packet. */
-	if (tcp->doff * 4 > datalen) {
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4 + sizeof(struct tcphdr),
+			  opt, optlen) < 0) {
 		*hotdrop = 1;
 		return 0;
 	}
 
-	while (i < tcp->doff * 4) {
+	for (i = 0; i < optlen; ) {
 		if (opt[i] == option) return !invert;
 		if (opt[i] < 2) i++;
 		else i += opt[i+1]?:1;
@@ -1488,25 +1479,29 @@ tcp_match(const struct sk_buff *skb,
 	  const struct net_device *out,
 	  const void *matchinfo,
 	  int offset,
-	  const void *hdr,
-	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct tcphdr *tcp = hdr;
+	struct tcphdr tcph;
 	const struct ipt_tcp *tcpinfo = matchinfo;
 
-	/* To quote Alan:
-
-	   Don't allow a fragment of TCP 8 bytes in. Nobody normal
-	   causes this. Its a cracker trying to break in by doing a
-	   flag overwrite to pass the direction checks.
-	*/
+	if (offset) {
+		/* To quote Alan:
 
-	if (offset == 1) {
-		duprintf("Dropping evil TCP offset=1 frag.\n");
-		*hotdrop = 1;
+		   Don't allow a fragment of TCP 8 bytes in. Nobody normal
+		   causes this. Its a cracker trying to break in by doing a
+		   flag overwrite to pass the direction checks.
+		*/
+		if (offset == 1) {
+			duprintf("Dropping evil TCP offset=1 frag.\n");
+			*hotdrop = 1;
+		}
+		/* Must not be a fragment. */
 		return 0;
-	} else if (offset == 0 && datalen < sizeof(struct tcphdr)) {
+	}
+
+#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
+
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 		duprintf("Dropping evil TCP offset=0 tinygram.\n");
@@ -1514,27 +1509,24 @@ tcp_match(const struct sk_buff *skb,
 		return 0;
 	}
 
-	/* FIXME: Try tcp doff >> packet len against various stacks --RR */
-
-#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
-
-	/* Must not be a fragment. */
-	return !offset
-		&& port_match(tcpinfo->spts[0], tcpinfo->spts[1],
-			      ntohs(tcp->source),
-			      !!(tcpinfo->invflags & IPT_TCP_INV_SRCPT))
-		&& port_match(tcpinfo->dpts[0], tcpinfo->dpts[1],
-			      ntohs(tcp->dest),
-			      !!(tcpinfo->invflags & IPT_TCP_INV_DSTPT))
-		&& FWINVTCP((((unsigned char *)tcp)[13]
-			     & tcpinfo->flg_mask)
-			    == tcpinfo->flg_cmp,
-			    IPT_TCP_INV_FLAGS)
-		&& (!tcpinfo->option
-		    || tcp_find_option(tcpinfo->option, tcp, datalen,
-				       tcpinfo->invflags
-				       & IPT_TCP_INV_OPTION,
-				       hotdrop));
+	if (!port_match(tcpinfo->spts[0], tcpinfo->spts[1],
+			ntohs(tcph.source),
+			!!(tcpinfo->invflags & IPT_TCP_INV_SRCPT)))
+		return 0;
+	if (!port_match(tcpinfo->dpts[0], tcpinfo->dpts[1],
+			ntohs(tcph.dest),
+			!!(tcpinfo->invflags & IPT_TCP_INV_DSTPT)))
+		return 0;
+	if (!FWINVTCP((((unsigned char *)&tcph)[13] & tcpinfo->flg_mask)
+		      == tcpinfo->flg_cmp,
+		      IPT_TCP_INV_FLAGS))
+		return 0;
+	if (tcpinfo->option &&
+	    !tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
+			     tcpinfo->invflags & IPT_TCP_INV_OPTION,
+			     hotdrop))
+		return 0;
+	return 1;
 }
 
 /* Called when user tries to insert an entry of this type. */
@@ -1560,14 +1552,16 @@ udp_match(const struct sk_buff *skb,
 	  const struct net_device *out,
 	  const void *matchinfo,
 	  int offset,
-	  const void *hdr,
-	  u_int16_t datalen,
 	  int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	struct udphdr udph;
 	const struct ipt_udp *udpinfo = matchinfo;
 
-	if (offset == 0 && datalen < sizeof(struct udphdr)) {
+	/* Must not be a fragment. */
+	if (offset)
+		return 0;
+
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 		duprintf("Dropping evil UDP tinygram.\n");
@@ -1575,13 +1569,11 @@ udp_match(const struct sk_buff *skb,
 		return 0;
 	}
 
-	/* Must not be a fragment. */
-	return !offset
-		&& port_match(udpinfo->spts[0], udpinfo->spts[1],
-			      ntohs(udp->source),
-			      !!(udpinfo->invflags & IPT_UDP_INV_SRCPT))
+	return port_match(udpinfo->spts[0], udpinfo->spts[1],
+			  ntohs(udph.source),
+			  !!(udpinfo->invflags & IPT_UDP_INV_SRCPT))
 		&& port_match(udpinfo->dpts[0], udpinfo->dpts[1],
-			      ntohs(udp->dest),
+			      ntohs(udph.dest),
 			      !!(udpinfo->invflags & IPT_UDP_INV_DSTPT));
 }
 
@@ -1631,14 +1623,16 @@ icmp_match(const struct sk_buff *skb,
 	   const struct net_device *out,
 	   const void *matchinfo,
 	   int offset,
-	   const void *hdr,
-	   u_int16_t datalen,
 	   int *hotdrop)
 {
-	const struct icmphdr *icmp = hdr;
+	struct icmphdr icmph;
 	const struct ipt_icmp *icmpinfo = matchinfo;
 
-	if (offset == 0 && datalen < 2) {
+	/* Must not be a fragment. */
+	if (offset)
+		return 0;
+
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &icmph, sizeof(icmph)) < 0){
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 		duprintf("Dropping evil ICMP tinygram.\n");
@@ -1646,13 +1640,11 @@ icmp_match(const struct sk_buff *skb,
 		return 0;
 	}
 
-	/* Must not be a fragment. */
-	return !offset
-		&& icmp_type_code_match(icmpinfo->type,
-					icmpinfo->code[0],
-					icmpinfo->code[1],
-					icmp->type, icmp->code,
-					!!(icmpinfo->invflags&IPT_ICMP_INV));
+	return icmp_type_code_match(icmpinfo->type,
+				    icmpinfo->code[0],
+				    icmpinfo->code[1],
+				    icmph.type, icmph.code,
+				    !!(icmpinfo->invflags&IPT_ICMP_INV));
 }
 
 /* Called when user tries to insert an entry of this type. */

net/ipv4/netfilter/ipt_DSCP.c

@@ -23,37 +23,31 @@ MODULE_LICENSE("GPL");
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_DSCP_info *dinfo = targinfo;
 	u_int8_t sh_dscp = ((dinfo->dscp << IPT_DSCP_SHIFT) & IPT_DSCP_MASK);
 
 
-	if ((iph->tos & IPT_DSCP_MASK) != sh_dscp) {
+	if (((*pskb)->nh.iph->tos & IPT_DSCP_MASK) != sh_dscp) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-		 * skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
-
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = (iph->tos & ~IPT_DSCP_MASK) | sh_dscp;
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return NF_DROP;
+
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos = ((*pskb)->nh.iph->tos & ~IPT_DSCP_MASK)
+			| sh_dscp;
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^ 0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
 	}
 	return IPT_CONTINUE;

net/ipv4/netfilter/ipt_ECN.c

@@ -19,105 +19,85 @@
 MODULE_LICENSE("GPL");
 
 /* set ECT codepoint from IP header.
- * 	return 0 in case there was no ECT codepoint
- * 	return 1 in case ECT codepoint has been overwritten
- * 	return < 0 in case there was error */
+ * 	return 0 if there was an error. */
 static inline int
-set_ect_ip(struct sk_buff **pskb, struct iphdr *iph,
-	   const struct ipt_ECN_info *einfo)
+set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
 {
-	if ((iph->tos & IPT_ECN_IP_MASK)
+	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
 	    != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-		 * skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
-
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = iph->tos & ~IPT_ECN_IP_MASK;
-		iph->tos = iph->tos | (einfo->ip_ect & IPT_ECN_IP_MASK);
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return 0;
+
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
+		(*pskb)->nh.iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
-
-		return 1;
 	} 
-	return 0;
+	return 1;
 }
 
+/* Return 0 if there was an error. */
 static inline int
-set_ect_tcp(struct sk_buff **pskb, struct iphdr *iph,
-	    const struct ipt_ECN_info *einfo)
+set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
 {
-
-	struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
-	u_int16_t *tcpflags = (u_int16_t *)tcph + 6;
+	struct tcphdr tcph;
 	u_int16_t diffs[2];
 
-	/* raw socket (tcpdump) may have clone of incoming
-	 * skb: don't disturb it --RR */
-	if (skb_cloned(*pskb) && !(*pskb)->sk) {
-		struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-		if (!nskb)
-			return NF_DROP;
-		kfree_skb(*pskb);
-		*pskb = nskb;
-		iph = (*pskb)->nh.iph;
-	}
+	/* Not enought header? */
+	if (skb_copy_bits(*pskb, (*pskb)->nh.iph->ihl*4, &tcph, sizeof(tcph))
+	    < 0)
+		return 0;
 
-	diffs[0] = *tcpflags;
+	diffs[0] = ((u_int16_t *)&tcph)[6];
+	if (einfo->operation & IPT_ECN_OP_SET_ECE)
+		tcph.ece = einfo->proto.tcp.ece;
 
-	if (einfo->operation & IPT_ECN_OP_SET_ECE
-	    && tcph->ece != einfo->proto.tcp.ece) {
-		tcph->ece = einfo->proto.tcp.ece;
-	}
+	if (einfo->operation & IPT_ECN_OP_SET_CWR)
+		tcph.cwr = einfo->proto.tcp.cwr;
+	diffs[1] = ((u_int16_t *)&tcph)[6];
 
-	if (einfo->operation & IPT_ECN_OP_SET_CWR
-	    && tcph->cwr != einfo->proto.tcp.cwr) {
-		tcph->cwr = einfo->proto.tcp.cwr;
-	}
-	
-	if (diffs[0] != *tcpflags) {
+	/* Only mangle if it's changed. */
+	if (diffs[0] != diffs[1]) {
 		diffs[0] = diffs[0] ^ 0xFFFF;
-		diffs[1] = *tcpflags;
-		tcph->check = csum_fold(csum_partial((char *)diffs,
+		if (!skb_ip_make_writable(pskb,
+					  (*pskb)->nh.iph->ihl*4+sizeof(tcph)))
+			return 0;
+		tcph.check = csum_fold(csum_partial((char *)diffs,
 		                                    sizeof(diffs),
-		                                    tcph->check^0xFFFF));
+		                                    tcph.check^0xFFFF));
+		memcpy((*pskb)->data + (*pskb)->nh.iph->ihl*4,
+		       &tcph, sizeof(tcph));
 		(*pskb)->nfcache |= NFC_ALTERED;
-
-		return 1;
 	}
-
-	return 0;
+	return 1;
 }
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_ECN_info *einfo = targinfo;
 
 	if (einfo->operation & IPT_ECN_OP_SET_IP)
-		set_ect_ip(pskb, iph, einfo);
+		if (!set_ect_ip(pskb, einfo))
+			return NF_DROP;
 
 	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
-	    && iph->protocol == IPPROTO_TCP)
-		set_ect_tcp(pskb, iph, einfo);
+	    && (*pskb)->nh.iph->protocol == IPPROTO_TCP)
+		if (!set_ect_tcp(pskb, einfo))
+			return NF_DROP;
 
 	return IPT_CONTINUE;
 }

net/ipv4/netfilter/ipt_MARK.c

@@ -9,9 +9,9 @@
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {

net/ipv4/netfilter/ipt_MASQUERADE.c

@@ -57,9 +57,9 @@ masquerade_check(const char *tablename,
 
 static unsigned int
 masquerade_target(struct sk_buff **pskb,
-		  unsigned int hooknum,
 		  const struct net_device *in,
 		  const struct net_device *out,
+		  unsigned int hooknum,
 		  const void *targinfo,
 		  void *userinfo)
 {

net/ipv4/netfilter/ipt_MIRROR.c

@@ -65,18 +65,22 @@ static int route_mirror(struct sk_buff *skb)
 	return 0;
 }
 
-static void
-ip_rewrite(struct sk_buff *skb)
+static int ip_rewrite(struct sk_buff **pskb)
 {
-	struct iphdr *iph = skb->nh.iph;
-	u32 odaddr = iph->saddr;
-	u32 osaddr = iph->daddr;
+	u32 odaddr, osaddr;
 
-	skb->nfcache |= NFC_ALTERED;
+	if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+		return 0;
+
+	odaddr = (*pskb)->nh.iph->saddr;
+	osaddr = (*pskb)->nh.iph->daddr;
+
+	(*pskb)->nfcache |= NFC_ALTERED;
 
 	/* Rewrite IP header */
-	iph->daddr = odaddr;
-	iph->saddr = osaddr;
+	(*pskb)->nh.iph->daddr = odaddr;
+	(*pskb)->nh.iph->saddr = osaddr;
+	return 1;
 }
 
 /* Stolen from ip_finish_output2 */
@@ -100,29 +104,28 @@ static void ip_direct_send(struct sk_buff *skb)
 }
 
 static unsigned int ipt_mirror_target(struct sk_buff **pskb,
-				      unsigned int hooknum,
 				      const struct net_device *in,
 				      const struct net_device *out,
+				      unsigned int hooknum,
 				      const void *targinfo,
 				      void *userinfo)
 {
-	if (((*pskb)->dst != NULL) &&
-	    route_mirror(*pskb)) {
-
-		ip_rewrite(*pskb);
+	if (((*pskb)->dst != NULL) && route_mirror(*pskb)) {
+		if (!ip_rewrite(pskb))
+			return NF_DROP;
 
 		/* If we are not at FORWARD hook (INPUT/PREROUTING),
 		 * the TTL isn't decreased by the IP stack */
 		if (hooknum != NF_IP_FORWARD) {
-			struct iphdr *iph = (*pskb)->nh.iph;
-			if (iph->ttl <= 1) {
+			if ((*pskb)->nh.iph->ttl <= 1) {
 				/* this will traverse normal stack, and 
 				 * thus call conntrack on the icmp packet */
 				icmp_send(*pskb, ICMP_TIME_EXCEEDED, 
 					  ICMP_EXC_TTL, 0);
 				return NF_DROP;
 			}
-			ip_decrease_ttl(iph);
+			/* Made writable by ip_rewrite */
+			ip_decrease_ttl((*pskb)->nh.iph);
 		}
 
 		/* Don't let conntrack code see this packet:

net/ipv4/netfilter/ipt_REDIRECT.c

@@ -53,9 +53,9 @@ redirect_check(const char *tablename,
 
 static unsigned int
 redirect_target(struct sk_buff **pskb,
-		unsigned int hooknum,
 		const struct net_device *in,
 		const struct net_device *out,
+		unsigned int hooknum,
 		const void *targinfo,
 		void *userinfo)
 {

net/ipv4/netfilter/ipt_TCPMSS.c

@@ -36,9 +36,9 @@ optlen(const u_int8_t *opt, unsigned int offset)
 
 static unsigned int
 ipt_tcpmss_target(struct sk_buff **pskb,
-		  unsigned int hooknum,
 		  const struct net_device *in,
 		  const struct net_device *out,
+		  unsigned int hooknum,
 		  const void *targinfo,
 		  void *userinfo)
 {
@@ -49,15 +49,8 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 	unsigned int i;
 	u_int8_t *opt;
 
-	/* raw socket (tcpdump) may have clone of incoming skb: don't
-	   disturb it --RR */
-	if (skb_cloned(*pskb) && !(*pskb)->sk) {
-		struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-		if (!nskb)
-			return NF_DROP;
-		kfree_skb(*pskb);
-		*pskb = nskb;
-	}
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
 
 	iph = (*pskb)->nh.iph;
 	tcplen = (*pskb)->len - iph->ihl*4;

net/ipv4/netfilter/ipt_TOS.c

@@ -9,35 +9,30 @@
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_tos_target_info *tosinfo = targinfo;
 
-	if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
+	if (((*pskb)->nh.iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-                   skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return NF_DROP;
 
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos
+			= ((*pskb)->nh.iph->tos & IPTOS_PREC_MASK)
+			| tosinfo->tos;
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
 	}
 	return IPT_CONTINUE;

net/ipv4/netfilter/ipt_ULOG.c

@@ -155,9 +155,9 @@ struct sk_buff *ulog_alloc_skb(unsigned int size)
 }
 
 static unsigned int ipt_ulog_target(struct sk_buff **pskb,
-				    unsigned int hooknum,
 				    const struct net_device *in,
 				    const struct net_device *out,
+				    unsigned int hooknum,
 				    const void *targinfo, void *userinfo)
 {
 	ulog_buff_t *ub;
@@ -238,8 +238,9 @@ static unsigned int ipt_ulog_target(struct sk_buff **pskb,
 	else
 		pm->outdev_name[0] = '\0';
 
-	if (copy_len)
-		memcpy(pm->payload, (*pskb)->data, copy_len);
+	/* copy_len <= (*pskb)->len, so can't fail. */
+	if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
+		BUG();
 	
 	/* check if we are building multi-part messages */
 	if (ub->qlen > 1) {

net/ipv4/netfilter/ipt_ah.c

@@ -35,14 +35,16 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
-	const struct ahhdr *ah = hdr;
+	struct ahhdr ah;
 	const struct ipt_ah *ahinfo = matchinfo;
 
-	if (offset == 0 && datalen < sizeof(struct ahhdr)) {
+	/* Must not be a fragment. */
+	if (offset)
+		return 0;
+
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &ah, sizeof(ah)) < 0) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 		duprintf("Dropping evil AH tinygram.\n");
@@ -50,11 +52,9 @@ match(const struct sk_buff *skb,
 		return 0;
 	}
 
-	/* Must not be a fragment. */
-	return !offset
-		&& spi_match(ahinfo->spis[0], ahinfo->spis[1],
-			      ntohl(ah->spi),
-			      !!(ahinfo->invflags & IPT_AH_INV_SPI));
+	return spi_match(ahinfo->spis[0], ahinfo->spis[1],
+			 ntohl(ah.spi),
+			 !!(ahinfo->invflags & IPT_AH_INV_SPI));
 }
 
 /* Called when user tries to insert an entry of this type. */

net/ipv4/netfilter/ipt_conntrack.c

@@ -14,8 +14,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_conntrack_info *sinfo = matchinfo;

net/ipv4/netfilter/ipt_dscp.c

@@ -19,8 +19,7 @@ MODULE_LICENSE("GPL");
 
 static int match(const struct sk_buff *skb, const struct net_device *in,
 		 const struct net_device *out, const void *matchinfo,
-		 int offset, const void *hdr, u_int16_t datalen,
-		 int *hotdrop)
+		 int offset, int *hotdrop)
 {
 	const struct ipt_dscp_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;

net/ipv4/netfilter/ipt_ecn.c

@@ -19,34 +19,40 @@ MODULE_DESCRIPTION("IP tables ECN matching module");
 MODULE_LICENSE("GPL");
 
 static inline int match_ip(const struct sk_buff *skb,
-			   const struct iphdr *iph,
 			   const struct ipt_ecn_info *einfo)
 {
-	return ((iph->tos&IPT_ECN_IP_MASK) == einfo->ip_ect);
+	return ((skb->nh.iph->tos&IPT_ECN_IP_MASK) == einfo->ip_ect);
 }
 
 static inline int match_tcp(const struct sk_buff *skb,
-			    const struct iphdr *iph,
-			    const struct ipt_ecn_info *einfo)
+			    const struct ipt_ecn_info *einfo,
+			    int *hotdrop)
 {
-	struct tcphdr *tcph = (void *)iph + iph->ihl*4;
+	struct tcphdr tcph;
+
+	/* In practice, TCP match does this, so can't fail.  But let's
+           be good citizens. */
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) {
+		*hotdrop = 0;
+		return 0;
+	}
 
 	if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
 		if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
-			if (tcph->ece == 1)
+			if (tcph.ece == 1)
 				return 0;
 		} else {
-			if (tcph->ece == 0)
+			if (tcph.ece == 0)
 				return 0;
 		}
 	}
 
 	if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
 		if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
-			if (tcph->cwr == 1)
+			if (tcph.cwr == 1)
 				return 0;
 		} else {
-			if (tcph->cwr == 0)
+			if (tcph.cwr == 0)
 				return 0;
 		}
 	}
@@ -56,20 +62,18 @@ static inline int match_tcp(const struct sk_buff *skb,
 
 static int match(const struct sk_buff *skb, const struct net_device *in,
 		 const struct net_device *out, const void *matchinfo,
-		 int offset, const void *hdr, u_int16_t datalen,
-		 int *hotdrop)
+		 int offset, int *hotdrop)
 {
 	const struct ipt_ecn_info *info = matchinfo;
-	const struct iphdr *iph = skb->nh.iph;
 
 	if (info->operation & IPT_ECN_OP_MATCH_IP)
-		if (!match_ip(skb, iph, info))
+		if (!match_ip(skb, info))
 			return 0;
 
 	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
-		if (iph->protocol != IPPROTO_TCP)
+		if (skb->nh.iph->protocol != IPPROTO_TCP)
 			return 0;
-		if (!match_tcp(skb, iph, info))
+		if (!match_tcp(skb, info, hotdrop))
 			return 0;
 	}
 

net/ipv4/netfilter/ipt_esp.c

@@ -35,14 +35,16 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
-	const struct esphdr *esp = hdr;
+	struct esphdr esp;
 	const struct ipt_esp *espinfo = matchinfo;
 
-	if (offset == 0 && datalen < sizeof(struct esphdr)) {
+	/* Must not be a fragment. */
+	if (offset)
+		return 0;
+
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &esp, sizeof(esp)) < 0) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 		duprintf("Dropping evil ESP tinygram.\n");
@@ -50,11 +52,9 @@ match(const struct sk_buff *skb,
 		return 0;
 	}
 
-	/* Must not be a fragment. */
-	return !offset
-		&& spi_match(espinfo->spis[0], espinfo->spis[1],
-			      ntohl(esp->spi),
-			      !!(espinfo->invflags & IPT_ESP_INV_SPI));
+	return spi_match(espinfo->spis[0], espinfo->spis[1],
+			 ntohl(esp.spi),
+			 !!(espinfo->invflags & IPT_ESP_INV_SPI));
 }
 
 /* Called when user tries to insert an entry of this type. */

net/ipv4/netfilter/ipt_helper.c

@@ -28,8 +28,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_helper_info *info = matchinfo;

net/ipv4/netfilter/ipt_length.c

@@ -15,8 +15,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_length_info *info = matchinfo;

net/ipv4/netfilter/ipt_limit.c

@@ -47,8 +47,6 @@ ipt_limit_match(const struct sk_buff *skb,
 		const struct net_device *out,
 		const void *matchinfo,
 		int offset,
-		const void *hdr,
-		u_int16_t datalen,
 		int *hotdrop)
 {
 	struct ipt_rateinfo *r = ((struct ipt_rateinfo *)matchinfo)->master;

net/ipv4/netfilter/ipt_mac.c

@@ -12,8 +12,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
     const struct ipt_mac_info *info = matchinfo;

net/ipv4/netfilter/ipt_mark.c

@@ -11,8 +11,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_mark_info *info = matchinfo;

net/ipv4/netfilter/ipt_multiport.c

@@ -39,15 +39,18 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	u16 ports[2];
 	const struct ipt_multiport *multiinfo = matchinfo;
 
-	/* Must be big enough to read ports. */
-	if (offset == 0 && datalen < sizeof(struct udphdr)) {
+	/* Must not be a fragment. */
+	if (offset)
+		return 0;
+
+	/* Must be big enough to read ports (both UDP and TCP have
+           them at the start). */
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, ports, sizeof(ports)) < 0) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 			duprintf("ipt_multiport:"
@@ -56,11 +59,9 @@ match(const struct sk_buff *skb,
 			return 0;
 	}
 
-	/* Must not be a fragment. */
-	return !offset
-		&& ports_match(multiinfo->ports,
-			       multiinfo->flags, multiinfo->count,
-			       ntohs(udp->source), ntohs(udp->dest));
+	return ports_match(multiinfo->ports,
+			   multiinfo->flags, multiinfo->count,
+			   ntohs(ports[0]), ntohs(ports[1]));
 }
 
 /* Called when user tries to insert an entry of this type. */

net/ipv4/netfilter/ipt_owner.c

@@ -115,8 +115,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_owner_info *info = matchinfo;
@@ -170,8 +168,11 @@ checkentry(const char *tablename,
                 return 0;
         }
 
-	if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info)))
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
+		printk("Matchsize %u != %Zu\n", matchsize,
+		       IPT_ALIGN(sizeof(struct ipt_owner_info)));
 		return 0;
+	}
 
 	return 1;
 }

net/ipv4/netfilter/ipt_physdev.c

@@ -14,8 +14,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	int i;

net/ipv4/netfilter/ipt_pkttype.c

@@ -13,8 +13,6 @@ static int match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
     const struct ipt_pkttype_info *info = matchinfo;

net/ipv4/netfilter/ipt_state.c

@@ -13,8 +13,6 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_state_info *sinfo = matchinfo;

net/ipv4/netfilter/ipt_tcpmss.c

@@ -11,24 +11,32 @@
 /* Returns 1 if the mss option is set and matched by the range, 0 otherwise */
 static inline int
 mssoption_match(u_int16_t min, u_int16_t max,
-		const struct tcphdr *tcp,
-		u_int16_t datalen,
+		const struct sk_buff *skb,
 		int invert,
 		int *hotdrop)
 {
-	unsigned int i;
-	const u_int8_t *opt = (u_int8_t *)tcp;
+	struct tcphdr tcph;
+	/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+	u8 opt[15 * 4 - sizeof(tcph)];
+	unsigned int i, optlen;
 
 	/* If we don't have the whole header, drop packet. */
-	if (tcp->doff * 4 > datalen) {
-		*hotdrop = 1;
-		return 0;
-	}
-
-	for (i = sizeof(struct tcphdr); i < tcp->doff * 4; ) {
-		if ((opt[i] == TCPOPT_MSS)
-		    && ((tcp->doff * 4 - i) >= TCPOLEN_MSS)
-		    && (opt[i+1] == TCPOLEN_MSS)) {
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0)
+		goto dropit;
+
+	/* Malformed. */
+	if (tcph.doff*4 < sizeof(tcph))
+		goto dropit;
+
+	optlen = tcph.doff*4 - sizeof(tcph);
+	/* Truncated options. */
+	if (skb_copy_bits(skb, skb->nh.iph->ihl*4+sizeof(tcph), opt, optlen)<0)
+		goto dropit;
+
+	for (i = 0; i < optlen; ) {
+		if (opt[i] == TCPOPT_MSS
+		    && (optlen - i) >= TCPOLEN_MSS
+		    && opt[i+1] == TCPOLEN_MSS) {
 			u_int16_t mssval;
 
 			mssval = (opt[i+2] << 8) | opt[i+3];
@@ -38,8 +46,11 @@ mssoption_match(u_int16_t min, u_int16_t max,
 		if (opt[i] < 2) i++;
 		else i += opt[i+1]?:1;
 	}
-
 	return invert;
+
+ dropit:
+	*hotdrop = 1;
+	return 0;
 }
 
 static int
@@ -48,15 +59,11 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_tcpmss_match_info *info = matchinfo;
-	const struct tcphdr *tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
 
-	return mssoption_match(info->mss_min, info->mss_max, tcph,
-			       skb->len - skb->nh.iph->ihl*4,
+	return mssoption_match(info->mss_min, info->mss_max, skb,
 			       info->invert, hotdrop);
 }
 

net/ipv4/netfilter/ipt_tos.c

@@ -11,14 +11,11 @@ match(const struct sk_buff *skb,
       const struct net_device *out,
       const void *matchinfo,
       int offset,
-      const void *hdr,
-      u_int16_t datalen,
       int *hotdrop)
 {
 	const struct ipt_tos_info *info = matchinfo;
-	const struct iphdr *iph = skb->nh.iph;
 
-	return (iph->tos == info->tos) ^ info->invert;
+	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
 static int

net/ipv4/netfilter/ipt_ttl.c

@@ -19,24 +19,22 @@ MODULE_LICENSE("GPL");
 
 static int match(const struct sk_buff *skb, const struct net_device *in,
 		 const struct net_device *out, const void *matchinfo,
-		 int offset, const void *hdr, u_int16_t datalen,
-		 int *hotdrop)
+		 int offset, int *hotdrop)
 {
 	const struct ipt_ttl_info *info = matchinfo;
-	const struct iphdr *iph = skb->nh.iph;
 
 	switch (info->mode) {
 		case IPT_TTL_EQ:
-			return (iph->ttl == info->ttl);
+			return (skb->nh.iph->ttl == info->ttl);
 			break;
 		case IPT_TTL_NE:
-			return (!(iph->ttl == info->ttl));
+			return (!(skb->nh.iph->ttl == info->ttl));
 			break;
 		case IPT_TTL_LT:
-			return (iph->ttl < info->ttl);
+			return (skb->nh.iph->ttl < info->ttl);
 			break;
 		case IPT_TTL_GT:
-			return (iph->ttl > info->ttl);
+			return (skb->nh.iph->ttl > info->ttl);
 			break;
 		default:
 			printk(KERN_WARNING "ipt_ttl: unknown mode %d\n", 

net/ipv4/proc.c

@@ -265,11 +265,3 @@ int __init ip_misc_proc_init(void)
 	goto out;
 }
 
-int ip_seq_release(struct inode *inode, struct file *file)
-{
-	struct seq_file *seq = (struct seq_file *)file->private_data;
-
-	kfree(seq->private);
-	seq->private = NULL;
-	return seq_release(inode, file);
-}

net/ipv4/route.c

@@ -386,7 +386,7 @@ static struct file_operations rt_cache_seq_fops = {
 	.open	 = rt_cache_seq_open,
 	.read	 = seq_read,
 	.llseek	 = seq_lseek,
-	.release = ip_seq_release,
+	.release = seq_release_private,
 };
 
 int __init rt_cache_proc_init(void)

net/ipv4/tcp_ipv4.c

@@ -2568,7 +2568,7 @@ static struct file_operations tcp_seq_fops = {
 	.open		=	tcp_seq_open,
 	.read		=	seq_read,
 	.llseek		=	seq_lseek,
-	.release	=	ip_seq_release,
+	.release	=	seq_release_private,
 };
 
 int __init tcp_proc_init(void)

net/ipv4/udp.c

@@ -1479,7 +1479,7 @@ static struct file_operations udp_seq_fops = {
 	.open           = udp_seq_open,
 	.read           = seq_read,
 	.llseek         = seq_lseek,
-	.release	= ip_seq_release,
+	.release	= seq_release_private,
 };
 
 /* ------------------------------------------------------------------------ */

net/ipv6/anycast.c

@@ -127,8 +127,8 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
 			dev_hold(dev);
 			dst_release(&rt->u.dst);
 		} else if (ishost) {
-			sock_kfree_s(sk, pac, sizeof(*pac));
-			return -EADDRNOTAVAIL;
+			err = -EADDRNOTAVAIL;
+			goto out_free_pac;
 		} else {
 			/* router, no matching interface: just pick one */
 
@@ -138,18 +138,17 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
 		dev = dev_get_by_index(ifindex);
 
 	if (dev == NULL) {
-		sock_kfree_s(sk, pac, sizeof(*pac));
-		return -ENODEV;
+		err = -ENODEV;
+		goto out_free_pac;
 	}
 
 	idev = in6_dev_get(dev);
 	if (!idev) {
-		sock_kfree_s(sk, pac, sizeof(*pac));
-		dev_put(dev);
 		if (ifindex)
-			return -ENODEV;
+			err = -ENODEV;
 		else
-			return -EADDRNOTAVAIL;
+			err = -EADDRNOTAVAIL;
+		goto out_dev_put;
 	}
 	/* reset ishost, now that we have a specific device */
 	ishost = !idev->cnf.forwarding;
@@ -170,21 +169,17 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
 			err = -EADDRNOTAVAIL;
 		else if (!capable(CAP_NET_ADMIN))
 			err = -EPERM;
-		if (err) {
-			sock_kfree_s(sk, pac, sizeof(*pac));
-			dev_put(dev);
-			return err;
-		}
+		if (err)
+			goto out_dev_put;
 	} else if (!(ipv6_addr_type(addr) & IPV6_ADDR_ANYCAST) &&
-		   !capable(CAP_NET_ADMIN))
-		return -EPERM;
+		   !capable(CAP_NET_ADMIN)) {
+		err = -EPERM;
+		goto out_dev_put;
+	}
 
 	err = ipv6_dev_ac_inc(dev, addr);
-	if (err) {
-		sock_kfree_s(sk, pac, sizeof(*pac));
-		dev_put(dev);
-		return err;
-	}
+	if (err)
+		goto out_dev_put;
 
 	write_lock_bh(&ipv6_sk_ac_lock);
 	pac->acl_next = np->ipv6_ac_list;
@@ -194,6 +189,12 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
 	dev_put(dev);
 
 	return 0;
+
+out_dev_put:
+	dev_put(dev);
+out_free_pac:
+	sock_kfree_s(sk, pac, sizeof(*pac));
+	return err;
 }
 
 /*

net/ipv6/ndisc.c

@@ -441,8 +441,10 @@ static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
 		src_addr = solicited_addr;
 		in6_ifa_put(ifp);
 	} else {
-		if (ipv6_dev_get_saddr(dev, daddr, &tmpaddr, 0))
+		if (ipv6_dev_get_saddr(dev, daddr, &tmpaddr, 0)) {
+			dst_free(dst);
 			return;
+		}
 		src_addr = &tmpaddr;
 	}
 
@@ -450,11 +452,10 @@ static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
 	ndisc_rt_init(rt, dev, neigh);	
 
 	dst = (struct dst_entry*)rt;
-	dst_clone(dst);
 
 	err = xfrm_lookup(&dst, &fl, NULL, 0);
 	if (err < 0) {
-		dst_release(dst);
+		dst_free(dst);
 		return;
 	}
 
@@ -470,6 +471,7 @@ static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
 
 	if (skb == NULL) {
 		ND_PRINTK1("send_na: alloc skb failed\n");
+		dst_free(dst);
 		return;
 	}
 

net/xfrm/xfrm_policy.c

@@ -314,7 +314,7 @@ struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete)
 	return pol;
 }
 
-void xfrm_policy_flush()
+void xfrm_policy_flush(void)
 {
 	struct xfrm_policy *xp;
 	int dir;