openwrtv3/target/linux/ar71xx/patches-4.4/910-unaligned_access_hacks.patch
Jo-Philipp Wich f4a4f324cb kernel: update kernel 4.4 to 4.4.71
Fixes the following security vulnerabilities:

CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.

CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.

CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.

CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-07 21:40:42 +02:00

931 lines
27 KiB
Diff

--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -134,26 +134,30 @@ static inline __sum16 ip_fast_csum(const
const unsigned int *stop = word + ihl;
unsigned int csum;
int carry;
+ unsigned int w;
- csum = word[0];
- csum += word[1];
- carry = (csum < word[1]);
+ csum = net_hdr_word(word++);
+
+ w = net_hdr_word(word++);
+ csum += w;
+ carry = (csum < w);
csum += carry;
- csum += word[2];
- carry = (csum < word[2]);
+ w = net_hdr_word(word++);
+ csum += w;
+ carry = (csum < w);
csum += carry;
- csum += word[3];
- carry = (csum < word[3]);
+ w = net_hdr_word(word++);
+ csum += w;
+ carry = (csum < w);
csum += carry;
- word += 4;
do {
- csum += *word;
- carry = (csum < *word);
+ w = net_hdr_word(word++);
+ csum += w;
+ carry = (csum < w);
csum += carry;
- word++;
} while (word != stop);
return csum_fold(csum);
@@ -214,73 +218,6 @@ static inline __sum16 ip_compute_csum(co
return csum_fold(csum_partial(buff, len, 0));
}
-#define _HAVE_ARCH_IPV6_CSUM
-static __inline__ __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
- const struct in6_addr *daddr,
- __u32 len, unsigned short proto,
- __wsum sum)
-{
- __wsum tmp;
-
- __asm__(
- " .set push # csum_ipv6_magic\n"
- " .set noreorder \n"
- " .set noat \n"
- " addu %0, %5 # proto (long in network byte order)\n"
- " sltu $1, %0, %5 \n"
- " addu %0, $1 \n"
-
- " addu %0, %6 # csum\n"
- " sltu $1, %0, %6 \n"
- " lw %1, 0(%2) # four words source address\n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 4(%2) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 8(%2) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 12(%2) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 0(%3) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 4(%3) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 8(%3) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " lw %1, 12(%3) \n"
- " addu %0, $1 \n"
- " addu %0, %1 \n"
- " sltu $1, %0, %1 \n"
-
- " addu %0, $1 # Add final carry\n"
- " .set pop"
- : "=&r" (sum), "=&r" (tmp)
- : "r" (saddr), "r" (daddr),
- "0" (htonl(len)), "r" (htonl(proto)), "r" (sum));
-
- return csum_fold(sum);
-}
-
#include <asm-generic/checksum.h>
#endif /* CONFIG_GENERIC_CSUM */
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -102,7 +102,7 @@ struct iphdr {
__be32 saddr;
__be32 daddr;
/*The options start here. */
-};
+} __attribute__((packed, aligned(2)));
struct ip_auth_hdr {
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -129,7 +129,7 @@ struct ipv6hdr {
struct in6_addr saddr;
struct in6_addr daddr;
-};
+} __attribute__((packed, aligned(2)));
/* index values for the variables in ipv6_devconf */
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -54,7 +54,7 @@ struct tcphdr {
__be16 window;
__sum16 check;
__be16 urg_ptr;
-};
+} __attribute__((packed, aligned(2)));
/*
* The union cast uses a gcc extension to avoid aliasing problems
@@ -64,7 +64,7 @@ struct tcphdr {
union tcp_word_hdr {
struct tcphdr hdr;
__be32 words[5];
-};
+} __attribute__((packed, aligned(2)));
#define tcp_flag_word(tp) ( ((union tcp_word_hdr *)(tp))->words [3])
--- a/include/uapi/linux/udp.h
+++ b/include/uapi/linux/udp.h
@@ -24,7 +24,7 @@ struct udphdr {
__be16 dest;
__be16 len;
__sum16 check;
-};
+} __attribute__((packed, aligned(2)));
/* UDP socket options */
#define UDP_CORK 1 /* Never send partially complete segments */
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -41,8 +41,8 @@ static bool ipv4_pkt_to_tuple(const stru
if (ap == NULL)
return false;
- tuple->src.u3.ip = ap[0];
- tuple->dst.u3.ip = ap[1];
+ tuple->src.u3.ip = net_hdr_word(ap++);
+ tuple->dst.u3.ip = net_hdr_word(ap);
return true;
}
--- a/include/uapi/linux/icmp.h
+++ b/include/uapi/linux/icmp.h
@@ -80,7 +80,7 @@ struct icmphdr {
__be16 mtu;
} frag;
} un;
-};
+} __attribute__((packed, aligned(2)));
/*
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -42,7 +42,7 @@ struct in6_addr {
#define s6_addr16 in6_u.u6_addr16
#define s6_addr32 in6_u.u6_addr32
#endif
-};
+} __attribute__((packed, aligned(2)));
#endif /* __UAPI_DEF_IN6_ADDR */
#if __UAPI_DEF_SOCKADDR_IN6
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -39,6 +39,7 @@
#include <linux/ipsec.h>
#include <linux/times.h>
#include <linux/slab.h>
+#include <asm/unaligned.h>
#include <linux/uaccess.h>
#include <linux/ipv6.h>
#include <linux/icmpv6.h>
@@ -781,10 +782,10 @@ static void tcp_v6_send_response(const s
topt = (__be32 *)(t1 + 1);
if (tsecr) {
- *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
- (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
- *topt++ = htonl(tsval);
- *topt++ = htonl(tsecr);
+ put_unaligned_be32((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
+ (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP, topt++);
+ put_unaligned_be32(tsval, topt++);
+ put_unaligned_be32(tsecr, topt++);
}
#ifdef CONFIG_TCP_MD5SIG
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -5,6 +5,7 @@
#define ipv6_optlen(p) (((p)->hdrlen+1) << 3)
#define ipv6_authlen(p) (((p)->hdrlen+2) << 2)
+
/*
* This structure contains configuration options per IPv6 link.
*/
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -429,7 +429,7 @@ int ipv6_recv_error(struct sock *sk, str
ipv6_iface_scope_id(&sin->sin6_addr,
IP6CB(skb)->iif);
} else {
- ipv6_addr_set_v4mapped(*(__be32 *)(nh + serr->addr_offset),
+ ipv6_addr_set_v4mapped(net_hdr_word(nh + serr->addr_offset),
&sin->sin6_addr);
sin->sin6_scope_id = 0;
}
@@ -766,12 +766,12 @@ int ip6_datagram_send_ctl(struct net *ne
}
if (fl6->flowlabel&IPV6_FLOWINFO_MASK) {
- if ((fl6->flowlabel^*(__be32 *)CMSG_DATA(cmsg))&~IPV6_FLOWINFO_MASK) {
+ if ((fl6->flowlabel^net_hdr_word(CMSG_DATA(cmsg)))&~IPV6_FLOWINFO_MASK) {
err = -EINVAL;
goto exit_f;
}
}
- fl6->flowlabel = IPV6_FLOWINFO_MASK & *(__be32 *)CMSG_DATA(cmsg);
+ fl6->flowlabel = IPV6_FLOWINFO_MASK & net_hdr_word(CMSG_DATA(cmsg));
break;
case IPV6_2292HOPOPTS:
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -395,7 +395,7 @@ static void ip6gre_err(struct sk_buff *s
return;
ipv6h = (const struct ipv6hdr *)skb->data;
greh = (const struct gre_base_hdr *)(skb->data + offset);
- key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
+ key = key_off ? net_hdr_word((__be32 *)(skb->data + key_off)) : 0;
t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
key, greh->protocol);
@@ -479,11 +479,11 @@ static int ip6gre_rcv(struct sk_buff *sk
offset += 4;
}
if (flags&GRE_KEY) {
- key = *(__be32 *)(h + offset);
+ key = net_hdr_word(h + offset);
offset += 4;
}
if (flags&GRE_SEQ) {
- seqno = ntohl(*(__be32 *)(h + offset));
+ seqno = ntohl(net_hdr_word(h + offset));
offset += 4;
}
}
@@ -745,7 +745,7 @@ static netdev_tx_t ip6gre_xmit2(struct s
if (tunnel->parms.o_flags&GRE_SEQ) {
++tunnel->o_seqno;
- *ptr = htonl(tunnel->o_seqno);
+ net_hdr_word(ptr) = htonl(tunnel->o_seqno);
ptr--;
}
if (tunnel->parms.o_flags&GRE_KEY) {
@@ -841,7 +841,7 @@ static inline int ip6gre_xmit_ipv6(struc
dsfield = ipv6_get_dsfield(ipv6h);
if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
- fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK);
+ fl6.flowlabel |= net_hdr_word(ipv6h) & IPV6_TCLASS_MASK;
if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL)
fl6.flowlabel |= ip6_flowlabel(ipv6h);
if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1409,7 +1409,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
dsfield = ipv6_get_dsfield(ipv6h);
if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
- fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK);
+ fl6.flowlabel |= net_hdr_word(ipv6h) & IPV6_TCLASS_MASK;
if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL)
fl6.flowlabel |= ip6_flowlabel(ipv6h);
if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -573,7 +573,7 @@ static bool ipv6_hop_jumbo(struct sk_buf
goto drop;
}
- pkt_len = ntohl(*(__be32 *)(nh + optoff + 2));
+ pkt_len = ntohl(net_hdr_word(nh + optoff + 2));
if (pkt_len <= IPV6_MAXPLEN) {
IP6_INC_STATS_BH(net, ipv6_skb_idev(skb),
IPSTATS_MIB_INHDRERRORS);
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -232,5 +232,11 @@ typedef void (*call_rcu_func_t)(struct r
/* clocksource cycle base type */
typedef u64 cycle_t;
+struct net_hdr_word {
+ u32 words[1];
+} __attribute__((packed, aligned(2)));
+
+#define net_hdr_word(_p) (((struct net_hdr_word *) (_p))->words[0])
+
#endif /* __ASSEMBLY__ */
#endif /* _LINUX_TYPES_H */
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1321,8 +1321,8 @@ static struct sk_buff **inet_gro_receive
if (unlikely(ip_fast_csum((u8 *)iph, 5)))
goto out_unlock;
- id = ntohl(*(__be32 *)&iph->id);
- flush = (u16)((ntohl(*(__be32 *)iph) ^ skb_gro_len(skb)) | (id & ~IP_DF));
+ id = ntohl(net_hdr_word(&iph->id));
+ flush = (u16)((ntohl(net_hdr_word(iph)) ^ skb_gro_len(skb)) | (id & ~IP_DF));
id >>= 16;
for (p = *head; p; p = p->next) {
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -458,7 +458,7 @@ static struct neighbour *ipv4_neigh_look
else if (skb)
pkey = &ip_hdr(skb)->daddr;
- n = __ipv4_neigh_lookup(dev, *(__force u32 *)pkey);
+ n = __ipv4_neigh_lookup(dev, net_hdr_word(pkey));
if (n)
return n;
return neigh_create(&arp_tbl, pkey, dev);
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -451,48 +451,53 @@ static void tcp_options_write(__be32 *pt
u16 options = opts->options; /* mungable copy */
if (unlikely(OPTION_MD5 & options)) {
- *ptr++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
- (TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
+ (TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
/* overload cookie hash location */
opts->hash_location = (__u8 *)ptr;
ptr += 4;
}
if (unlikely(opts->mss)) {
- *ptr++ = htonl((TCPOPT_MSS << 24) |
- (TCPOLEN_MSS << 16) |
- opts->mss);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) |
+ opts->mss);
}
if (likely(OPTION_TS & options)) {
if (unlikely(OPTION_SACK_ADVERTISE & options)) {
- *ptr++ = htonl((TCPOPT_SACK_PERM << 24) |
- (TCPOLEN_SACK_PERM << 16) |
- (TCPOPT_TIMESTAMP << 8) |
- TCPOLEN_TIMESTAMP);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_SACK_PERM << 24) |
+ (TCPOLEN_SACK_PERM << 16) |
+ (TCPOPT_TIMESTAMP << 8) |
+ TCPOLEN_TIMESTAMP);
options &= ~OPTION_SACK_ADVERTISE;
} else {
- *ptr++ = htonl((TCPOPT_NOP << 24) |
- (TCPOPT_NOP << 16) |
- (TCPOPT_TIMESTAMP << 8) |
- TCPOLEN_TIMESTAMP);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_NOP << 24) |
+ (TCPOPT_NOP << 16) |
+ (TCPOPT_TIMESTAMP << 8) |
+ TCPOLEN_TIMESTAMP);
}
- *ptr++ = htonl(opts->tsval);
- *ptr++ = htonl(opts->tsecr);
+ net_hdr_word(ptr++) = htonl(opts->tsval);
+ net_hdr_word(ptr++) = htonl(opts->tsecr);
}
if (unlikely(OPTION_SACK_ADVERTISE & options)) {
- *ptr++ = htonl((TCPOPT_NOP << 24) |
- (TCPOPT_NOP << 16) |
- (TCPOPT_SACK_PERM << 8) |
- TCPOLEN_SACK_PERM);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_NOP << 24) |
+ (TCPOPT_NOP << 16) |
+ (TCPOPT_SACK_PERM << 8) |
+ TCPOLEN_SACK_PERM);
}
if (unlikely(OPTION_WSCALE & options)) {
- *ptr++ = htonl((TCPOPT_NOP << 24) |
- (TCPOPT_WINDOW << 16) |
- (TCPOLEN_WINDOW << 8) |
- opts->ws);
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_NOP << 24) |
+ (TCPOPT_WINDOW << 16) |
+ (TCPOLEN_WINDOW << 8) |
+ opts->ws);
}
if (unlikely(opts->num_sack_blocks)) {
@@ -500,16 +505,17 @@ static void tcp_options_write(__be32 *pt
tp->duplicate_sack : tp->selective_acks;
int this_sack;
- *ptr++ = htonl((TCPOPT_NOP << 24) |
- (TCPOPT_NOP << 16) |
- (TCPOPT_SACK << 8) |
- (TCPOLEN_SACK_BASE + (opts->num_sack_blocks *
+ net_hdr_word(ptr++) =
+ htonl((TCPOPT_NOP << 24) |
+ (TCPOPT_NOP << 16) |
+ (TCPOPT_SACK << 8) |
+ (TCPOLEN_SACK_BASE + (opts->num_sack_blocks *
TCPOLEN_SACK_PERBLOCK)));
for (this_sack = 0; this_sack < opts->num_sack_blocks;
++this_sack) {
- *ptr++ = htonl(sp[this_sack].start_seq);
- *ptr++ = htonl(sp[this_sack].end_seq);
+ net_hdr_word(ptr++) = htonl(sp[this_sack].start_seq);
+ net_hdr_word(ptr++) = htonl(sp[this_sack].end_seq);
}
tp->rx_opt.dsack = 0;
@@ -522,13 +528,14 @@ static void tcp_options_write(__be32 *pt
if (foc->exp) {
len = TCPOLEN_EXP_FASTOPEN_BASE + foc->len;
- *ptr = htonl((TCPOPT_EXP << 24) | (len << 16) |
+ net_hdr_word(ptr) =
+ htonl((TCPOPT_EXP << 24) | (len << 16) |
TCPOPT_FASTOPEN_MAGIC);
p += TCPOLEN_EXP_FASTOPEN_BASE;
} else {
len = TCPOLEN_FASTOPEN_BASE + foc->len;
- *p++ = TCPOPT_FASTOPEN;
- *p++ = len;
+ net_hdr_word(p++) = TCPOPT_FASTOPEN;
+ net_hdr_word(p++) = len;
}
memcpy(p, foc->val, foc->len);
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -505,7 +505,7 @@ static struct sk_buff *add_grec(struct s
if (!skb)
return NULL;
psrc = (__be32 *)skb_put(skb, sizeof(__be32));
- *psrc = psf->sf_inaddr;
+ net_hdr_word(psrc) = psf->sf_inaddr;
scount++; stotal++;
if ((type == IGMPV3_ALLOW_NEW_SOURCES ||
type == IGMPV3_BLOCK_OLD_SOURCES) && psf->sf_crcount) {
--- a/include/uapi/linux/igmp.h
+++ b/include/uapi/linux/igmp.h
@@ -32,7 +32,7 @@ struct igmphdr {
__u8 code; /* For newer IGMP */
__sum16 csum;
__be32 group;
-};
+} __attribute__((packed, aligned(2)));
/* V3 group record types [grec_type] */
#define IGMPV3_MODE_IS_INCLUDE 1
@@ -48,7 +48,7 @@ struct igmpv3_grec {
__be16 grec_nsrcs;
__be32 grec_mca;
__be32 grec_src[0];
-};
+} __attribute__((packed, aligned(2)));
struct igmpv3_report {
__u8 type;
@@ -57,7 +57,7 @@ struct igmpv3_report {
__be16 resv2;
__be16 ngrec;
struct igmpv3_grec grec[0];
-};
+} __attribute__((packed, aligned(2)));
struct igmpv3_query {
__u8 type;
@@ -78,7 +78,7 @@ struct igmpv3_query {
__u8 qqic;
__be16 nsrcs;
__be32 srcs[0];
-};
+} __attribute__((packed, aligned(2)));
#define IGMP_HOST_MEMBERSHIP_QUERY 0x11 /* From RFC1112 */
#define IGMP_HOST_MEMBERSHIP_REPORT 0x12 /* Ditto */
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -95,7 +95,7 @@ __be32 __skb_flow_get_ports(const struct
ports = __skb_header_pointer(skb, thoff + poff,
sizeof(_ports), data, hlen, &_ports);
if (ports)
- return *ports;
+ return (__be32)net_hdr_word(ports);
}
return 0;
--- a/include/uapi/linux/icmpv6.h
+++ b/include/uapi/linux/icmpv6.h
@@ -76,7 +76,7 @@ struct icmp6hdr {
#define icmp6_addrconf_other icmp6_dataun.u_nd_ra.other
#define icmp6_rt_lifetime icmp6_dataun.u_nd_ra.rt_lifetime
#define icmp6_router_pref icmp6_dataun.u_nd_ra.router_pref
-};
+} __attribute__((packed, aligned(2)));
#define ICMPV6_ROUTER_PREF_LOW 0x3
--- a/include/net/ndisc.h
+++ b/include/net/ndisc.h
@@ -76,7 +76,7 @@ struct ra_msg {
struct icmp6hdr icmph;
__be32 reachable_time;
__be32 retrans_timer;
-};
+} __attribute__((packed, aligned(2)));
struct rd_msg {
struct icmp6hdr icmph;
@@ -148,10 +148,10 @@ static inline u32 ndisc_hashfn(const voi
{
const u32 *p32 = pkey;
- return (((p32[0] ^ hash32_ptr(dev)) * hash_rnd[0]) +
- (p32[1] * hash_rnd[1]) +
- (p32[2] * hash_rnd[2]) +
- (p32[3] * hash_rnd[3]));
+ return (((net_hdr_word(&p32[0]) ^ hash32_ptr(dev)) * hash_rnd[0]) +
+ (net_hdr_word(&p32[1]) * hash_rnd[1]) +
+ (net_hdr_word(&p32[2]) * hash_rnd[2]) +
+ (net_hdr_word(&p32[3]) * hash_rnd[3]));
}
static inline struct neighbour *__ipv6_neigh_lookup_noref(struct net_device *dev, const void *pkey)
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -151,7 +151,7 @@ next_knode:
data = skb_header_pointer(skb, toff, 4, &hdata);
if (!data)
goto out;
- if ((*data ^ key->val) & key->mask) {
+ if ((net_hdr_word(data) ^ key->val) & key->mask) {
n = rcu_dereference_bh(n->next);
goto next_knode;
}
@@ -204,8 +204,8 @@ check_terminal:
&hdata);
if (!data)
goto out;
- sel = ht->divisor & u32_hash_fold(*data, &n->sel,
- n->fshift);
+ sel = ht->divisor & u32_hash_fold(net_hdr_word(data),
+ &n->sel, n->fshift);
}
if (!(n->sel.flags & (TC_U32_VAROFFSET | TC_U32_OFFSET | TC_U32_EAT)))
goto next_ht;
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -223,7 +223,7 @@ static struct sk_buff **ipv6_gro_receive
continue;
iph2 = (struct ipv6hdr *)(p->data + off);
- first_word = *(__be32 *)iph ^ *(__be32 *)iph2;
+ first_word = net_hdr_word(iph) ^ net_hdr_word(iph2);
/* All fields must match except length and Traffic Class.
* XXX skbs on the gro_list have all been parsed and pulled
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -45,7 +45,7 @@ struct prefix_info {
__be32 reserved2;
struct in6_addr prefix;
-};
+} __attribute__((packed, aligned(2)));
#include <linux/netdevice.h>
--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -124,9 +124,9 @@ static inline int IP6_ECN_set_ce(struct
if (INET_ECN_is_not_ect(ipv6_get_dsfield(iph)))
return 0;
- from = *(__be32 *)iph;
+ from = net_hdr_word(iph);
to = from | htonl(INET_ECN_CE << 20);
- *(__be32 *)iph = to;
+ net_hdr_word(iph) = to;
if (skb->ip_summed == CHECKSUM_COMPLETE)
skb->csum = csum_add(csum_sub(skb->csum, from), to);
return 1;
@@ -134,7 +134,7 @@ static inline int IP6_ECN_set_ce(struct
static inline void IP6_ECN_clear(struct ipv6hdr *iph)
{
- *(__be32*)iph &= ~htonl(INET_ECN_MASK << 20);
+ net_hdr_word(iph) &= ~htonl(INET_ECN_MASK << 20);
}
static inline void ipv6_copy_dscp(unsigned int dscp, struct ipv6hdr *inner)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -107,7 +107,7 @@ struct frag_hdr {
__u8 reserved;
__be16 frag_off;
__be32 identification;
-};
+} __attribute__((packed, aligned(2)));
#define IP6_MF 0x0001
#define IP6_OFFSET 0xFFF8
@@ -417,8 +417,8 @@ static inline void __ipv6_addr_set_half(
}
#endif
#endif
- addr[0] = wh;
- addr[1] = wl;
+ net_hdr_word(&addr[0]) = wh;
+ net_hdr_word(&addr[1]) = wl;
}
static inline void ipv6_addr_set(struct in6_addr *addr,
@@ -477,6 +477,8 @@ static inline bool ipv6_prefix_equal(con
const __be32 *a1 = addr1->s6_addr32;
const __be32 *a2 = addr2->s6_addr32;
unsigned int pdw, pbi;
+ /* Used for last <32-bit fraction of prefix */
+ u32 pbia1, pbia2;
/* check complete u32 in prefix */
pdw = prefixlen >> 5;
@@ -485,7 +487,9 @@ static inline bool ipv6_prefix_equal(con
/* check incomplete u32 in prefix */
pbi = prefixlen & 0x1f;
- if (pbi && ((a1[pdw] ^ a2[pdw]) & htonl((0xffffffff) << (32 - pbi))))
+ pbia1 = net_hdr_word(&a1[pdw]);
+ pbia2 = net_hdr_word(&a2[pdw]);
+ if (pbi && ((pbia1 ^ pbia2) & htonl((0xffffffff) << (32 - pbi))))
return false;
return true;
@@ -629,13 +633,13 @@ static inline void ipv6_addr_set_v4mappe
*/
static inline int __ipv6_addr_diff32(const void *token1, const void *token2, int addrlen)
{
- const __be32 *a1 = token1, *a2 = token2;
+ const struct in6_addr *a1 = token1, *a2 = token2;
int i;
addrlen >>= 2;
for (i = 0; i < addrlen; i++) {
- __be32 xb = a1[i] ^ a2[i];
+ __be32 xb = a1->s6_addr32[i] ^ a2->s6_addr32[i];
if (xb)
return i * 32 + 31 - __fls(ntohl(xb));
}
@@ -799,17 +803,18 @@ static inline int ip6_default_np_autolab
static inline void ip6_flow_hdr(struct ipv6hdr *hdr, unsigned int tclass,
__be32 flowlabel)
{
- *(__be32 *)hdr = htonl(0x60000000 | (tclass << 20)) | flowlabel;
+ net_hdr_word((__be32 *)hdr) =
+ htonl(0x60000000 | (tclass << 20)) | flowlabel;
}
static inline __be32 ip6_flowinfo(const struct ipv6hdr *hdr)
{
- return *(__be32 *)hdr & IPV6_FLOWINFO_MASK;
+ return net_hdr_word((__be32 *)hdr) & IPV6_FLOWINFO_MASK;
}
static inline __be32 ip6_flowlabel(const struct ipv6hdr *hdr)
{
- return *(__be32 *)hdr & IPV6_FLOWLABEL_MASK;
+ return net_hdr_word((__be32 *)hdr) & IPV6_FLOWLABEL_MASK;
}
static inline u8 ip6_tclass(__be32 flowinfo)
--- a/include/net/secure_seq.h
+++ b/include/net/secure_seq.h
@@ -2,6 +2,7 @@
#define _NET_SECURE_SEQ
#include <linux/types.h>
+#include <linux/in6.h>
u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
--- a/include/uapi/linux/in.h
+++ b/include/uapi/linux/in.h
@@ -83,7 +83,7 @@ enum {
/* Internet address. */
struct in_addr {
__be32 s_addr;
-};
+} __attribute__((packed, aligned(2)));
#endif
#define IP_TOS 1
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -46,11 +46,12 @@ __u32 secure_tcpv6_sequence_number(const
u32 secret[MD5_MESSAGE_BYTES / 4];
u32 hash[MD5_DIGEST_WORDS];
u32 i;
+ const struct in6_addr *daddr6 = (struct in6_addr *) daddr;
net_secret_init();
memcpy(hash, saddr, 16);
for (i = 0; i < 4; i++)
- secret[i] = net_secret[i] + (__force u32)daddr[i];
+ secret[i] = net_secret[i] + (__force u32)daddr6->s6_addr32[i];
secret[4] = net_secret[4] +
(((__force u16)sport << 16) + (__force u16)dport);
for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
@@ -68,11 +69,12 @@ u32 secure_ipv6_port_ephemeral(const __b
u32 secret[MD5_MESSAGE_BYTES / 4];
u32 hash[MD5_DIGEST_WORDS];
u32 i;
+ const struct in6_addr *daddr6 = (struct in6_addr *) daddr;
net_secret_init();
memcpy(hash, saddr, 16);
for (i = 0; i < 4; i++)
- secret[i] = net_secret[i] + (__force u32) daddr[i];
+ secret[i] = net_secret[i] + (__force u32) daddr6->s6_addr32[i];
secret[4] = net_secret[4] + (__force u32)dport;
for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
secret[i] = net_secret[i];
@@ -146,6 +148,7 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe
u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
__be16 sport, __be16 dport)
{
+ const struct in6_addr *daddr6 = (struct in6_addr *) daddr;
u32 secret[MD5_MESSAGE_BYTES / 4];
u32 hash[MD5_DIGEST_WORDS];
u64 seq;
@@ -154,7 +157,7 @@ u64 secure_dccpv6_sequence_number(__be32
net_secret_init();
memcpy(hash, saddr, 16);
for (i = 0; i < 4; i++)
- secret[i] = net_secret[i] + (__force u32)daddr[i];
+ secret[i] = net_secret[i] + (__force u32)daddr6->s6_addr32[i];
secret[4] = net_secret[4] +
(((__force u16)sport << 16) + (__force u16)dport);
for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -138,7 +138,7 @@ static __be32 addr_bit_set(const void *t
* See include/asm-generic/bitops/le.h.
*/
return (__force __be32)(1 << ((~fn_bit ^ BITOP_BE32_SWIZZLE) & 0x1f)) &
- addr[fn_bit >> 5];
+ net_hdr_word(&addr[fn_bit >> 5]);
}
static struct fib6_node *node_alloc(void)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -456,7 +456,7 @@ static void tcp_sack(const struct sk_buf
/* Fast path for timestamp-only option */
if (length == TCPOLEN_TSTAMP_ALIGNED
- && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
+ && net_hdr_word(ptr) == htonl((TCPOPT_NOP << 24)
| (TCPOPT_NOP << 16)
| (TCPOPT_TIMESTAMP << 8)
| TCPOLEN_TIMESTAMP))
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -154,8 +154,8 @@ int xfrm_parse_spi(struct sk_buff *skb,
if (!pskb_may_pull(skb, hlen))
return -EINVAL;
- *spi = *(__be32 *)(skb_transport_header(skb) + offset);
- *seq = *(__be32 *)(skb_transport_header(skb) + offset_seq);
+ *spi = net_hdr_word(skb_transport_header(skb) + offset);
+ *seq = net_hdr_word(skb_transport_header(skb) + offset_seq);
return 0;
}
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3819,14 +3819,16 @@ static bool tcp_parse_aligned_timestamp(
{
const __be32 *ptr = (const __be32 *)(th + 1);
- if (*ptr == htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16)
- | (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP)) {
+ if (net_hdr_word(ptr) ==
+ htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
+ (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP)) {
tp->rx_opt.saw_tstamp = 1;
++ptr;
- tp->rx_opt.rcv_tsval = ntohl(*ptr);
+ tp->rx_opt.rcv_tsval = get_unaligned_be32(ptr);
++ptr;
- if (*ptr)
- tp->rx_opt.rcv_tsecr = ntohl(*ptr) - tp->tsoffset;
+ if (net_hdr_word(ptr))
+ tp->rx_opt.rcv_tsecr = get_unaligned_be32(ptr) -
+ tp->tsoffset;
else
tp->rx_opt.rcv_tsecr = 0;
return true;
--- a/include/uapi/linux/if_pppox.h
+++ b/include/uapi/linux/if_pppox.h
@@ -47,6 +47,7 @@ struct pppoe_addr {
*/
struct pptp_addr {
__u16 call_id;
+ __u16 pad;
struct in_addr sin_addr;
};
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -66,9 +66,9 @@ static void dump_ipv6_packet(struct nf_l
/* Max length: 44 "LEN=65535 TC=255 HOPLIMIT=255 FLOWLBL=FFFFF " */
nf_log_buf_add(m, "LEN=%Zu TC=%u HOPLIMIT=%u FLOWLBL=%u ",
ntohs(ih->payload_len) + sizeof(struct ipv6hdr),
- (ntohl(*(__be32 *)ih) & 0x0ff00000) >> 20,
+ (ntohl(net_hdr_word(ih)) & 0x0ff00000) >> 20,
ih->hop_limit,
- (ntohl(*(__be32 *)ih) & 0x000fffff));
+ (ntohl(net_hdr_word(ih)) & 0x000fffff));
fragment = 0;
ptr = ip6hoff + sizeof(struct ipv6hdr);
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -263,8 +263,10 @@ static inline bool neigh_key_eq128(const
const u32 *n32 = (const u32 *)n->primary_key;
const u32 *p32 = pkey;
- return ((n32[0] ^ p32[0]) | (n32[1] ^ p32[1]) |
- (n32[2] ^ p32[2]) | (n32[3] ^ p32[3])) == 0;
+ return ((n32[0] ^ net_hdr_word(&p32[0])) |
+ (n32[1] ^ net_hdr_word(&p32[1])) |
+ (n32[2] ^ net_hdr_word(&p32[2])) |
+ (n32[3] ^ net_hdr_word(&p32[3]))) == 0;
}
static inline struct neighbour *___neigh_lookup_noref(
--- a/include/uapi/linux/netfilter_arp/arp_tables.h
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -68,7 +68,7 @@ struct arpt_arp {
__u8 flags;
/* Inverse flags */
__u16 invflags;
-};
+} __attribute__((aligned(4)));
/* Values for "flag" field in struct arpt_ip (general arp structure).
* No flags defined yet.
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -321,8 +321,14 @@ void inet_proto_csum_replace16(__sum16 *
bool pseudohdr)
{
__be32 diff[] = {
- ~from[0], ~from[1], ~from[2], ~from[3],
- to[0], to[1], to[2], to[3],
+ ~net_hdr_word(&from[0]),
+ ~net_hdr_word(&from[1]),
+ ~net_hdr_word(&from[2]),
+ ~net_hdr_word(&from[3]),
+ net_hdr_word(&to[0]),
+ net_hdr_word(&to[1]),
+ net_hdr_word(&to[2]),
+ net_hdr_word(&to[3]),
};
if (skb->ip_summed != CHECKSUM_PARTIAL) {
*sum = csum_fold(csum_partial(diff, sizeof(diff),