Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: "A decent batch of fixes here. I'd say about half are for problems that have existed for a while, and half are for new regressions added in the 4.20 merge window. 1) Fix 10G SFP phy module detection in mvpp2, from Baruch Siach. 2) Revert bogus emac driver change, from Benjamin Herrenschmidt. 3) Handle BPF exported data structure with pointers when building 32-bit userland, from Daniel Borkmann. 4) Memory leak fix in act_police, from Davide Caratti. 5) Check RX checksum offload in RX descriptors properly in aquantia driver, from Dmitry Bogdanov. 6) SKB unlink fix in various spots, from Edward Cree. 7) ndo_dflt_fdb_dump() only works with ethernet, enforce this, from Eric Dumazet. 8) Fix FID leak in mlxsw driver, from Ido Schimmel. 9) IOTLB locking fix in vhost, from Jean-Philippe Brucker. 10) Fix SKB truesize accounting in ipv4/ipv6/netfilter frag memory limits otherwise namespace exit can hang. From Jiri Wiesner. 11) Address block parsing length fixes in x25 from Martin Schiller. 12) IRQ and ring accounting fixes in bnxt_en, from Michael Chan. 13) For tun interfaces, only iface delete works with rtnl ops, enforce this by disallowing add. From Nicolas Dichtel. 14) Use after free in liquidio, from Pan Bian. 15) Fix SKB use after passing to netif_receive_skb(), from Prashant Bhole. 16) Static key accounting and other fixes in XPS from Sabrina Dubroca. 17) Partially initialized flow key passed to ip6_route_output(), from Shmulik Ladkani. 18) Fix RTNL deadlock during reset in ibmvnic driver, from Thomas Falcon. 19) Several small TCP fixes (off-by-one on window probe abort, NULL deref in tail loss probe, SNMP mis-estimations) from Yuchung Cheng" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (93 commits) net/sched: cls_flower: Reject duplicated rules also under skip_sw bnxt_en: Fix _bnxt_get_max_rings() for 57500 chips. bnxt_en: Fix NQ/CP rings accounting on the new 57500 chips. bnxt_en: Keep track of reserved IRQs. bnxt_en: Fix CNP CoS queue regression. net/mlx4_core: Correctly set PFC param if global pause is turned off. Revert "net/ibm/emac: wrong bit is used for STA control" neighbour: Avoid writing before skb->head in neigh_hh_output() ipv6: Check available headroom in ip6_xmit() even without options tcp: lack of available data can also cause TSO defer ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output mlxsw: spectrum_switchdev: Fix VLAN device deletion via ioctl mlxsw: spectrum_router: Relax GRE decap matching check mlxsw: spectrum_switchdev: Avoid leaking FID's reference count mlxsw: spectrum_nve: Remove easily triggerable warnings ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes sctp: frag_point sanity check tcp: fix NULL ref in tail loss probe tcp: Do not underestimate rwnd_limited net: use skb_list_del_init() to remove from RX sublists ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-12-09 18:12:33 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-12-09 18:12:33 -0500
commit: d48f782e4fb20dc7ec935ca0ca41ae31e4a69362 (patch)
tree: 482270b85d4ab9b1284e07e4cb439b4dc7af919f /net
parent: 8586ca8a214471e4573d76356aabe890bfecdc8a (diff)
parent: 35cc3cefc4de90001c9137e2d01dd9d06b11acfb (diff)
35 files changed, 278 insertions, 176 deletions
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index c89c22c49015..25001913d03b 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -28,12 +28,13 @@ static __always_inline u32 bpf_test_run_one(struct bpf_prog *prog, void *ctx,
        return ret;
 }
-static u32 bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *time)
+static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *ret,
+                        u32 *time)
 {
        struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = { 0 };
        enum bpf_cgroup_storage_type stype;
        u64 time_start, time_spent = 0;
-        u32 ret = 0, i;
+        u32 i;
        for_each_cgroup_storage_type(stype) {
                storage[stype] = bpf_cgroup_storage_alloc(prog, stype);
@@ -49,7 +50,7 @@ static u32 bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *time)
                repeat = 1;
        time_start = ktime_get_ns();
        for (i = 0; i < repeat; i++) {
-                ret = bpf_test_run_one(prog, ctx, storage);
+                *ret = bpf_test_run_one(prog, ctx, storage);
                if (need_resched()) {
                        if (signal_pending(current))
                                break;
@@ -65,7 +66,7 @@ static u32 bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *time)
        for_each_cgroup_storage_type(stype)
                bpf_cgroup_storage_free(storage[stype]);
-        return ret;
+        return 0;
 }
 static int bpf_test_finish(const union bpf_attr *kattr,
@@ -165,7 +166,12 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
                __skb_push(skb, hh_len);
        if (is_direct_pkt_access)
                bpf_compute_data_pointers(skb);
-        retval = bpf_test_run(prog, skb, repeat, &duration);
+        ret = bpf_test_run(prog, skb, repeat, &retval, &duration);
+        if (ret) {
+                kfree_skb(skb);
+                kfree(sk);
+                return ret;
+        }
        if (!is_l2) {
                if (skb_headroom(skb) < hh_len) {
                        int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb));
@@ -212,11 +218,14 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
        rxqueue = __netif_get_rx_queue(current->nsproxy->net_ns->loopback_dev, 0);
        xdp.rxq = &rxqueue->xdp_rxq;
-        retval = bpf_test_run(prog, &xdp, repeat, &duration);
+        ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration);
+        if (ret)
+                goto out;
        if (xdp.data != data + XDP_PACKET_HEADROOM + NET_IP_ALIGN ||
            xdp.data_end != xdp.data + size)
                size = xdp.data_end - xdp.data;
        ret = bpf_test_finish(kattr, uattr, xdp.data, size, retval, duration);
+out:
        kfree(data);
        return ret;
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index ddc551f24ba2..722d50dbf8a4 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2175,6 +2175,20 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
        return active;
 }
+static void reset_xps_maps(struct net_device *dev,
+                           struct xps_dev_maps *dev_maps,
+                           bool is_rxqs_map)
+{
+        if (is_rxqs_map) {
+                static_key_slow_dec_cpuslocked(&xps_rxqs_needed);
+                RCU_INIT_POINTER(dev->xps_rxqs_map, NULL);
+        } else {
+                RCU_INIT_POINTER(dev->xps_cpus_map, NULL);
+        }
+        static_key_slow_dec_cpuslocked(&xps_needed);
+        kfree_rcu(dev_maps, rcu);
+}
 static void clean_xps_maps(struct net_device *dev, const unsigned long *mask,
                           struct xps_dev_maps *dev_maps, unsigned int nr_ids,
                           u16 offset, u16 count, bool is_rxqs_map)
@@ -2186,18 +2200,15 @@ static void clean_xps_maps(struct net_device *dev, const unsigned long *mask,
             j < nr_ids;)
                active |= remove_xps_queue_cpu(dev, dev_maps, j, offset,
                                               count);
-        if (!active) {
+        if (!active)
-                if (is_rxqs_map) {
+                reset_xps_maps(dev, dev_maps, is_rxqs_map);
-                        RCU_INIT_POINTER(dev->xps_rxqs_map, NULL);
-                } else {
-                        RCU_INIT_POINTER(dev->xps_cpus_map, NULL);
-                        for (i = offset + (count - 1); count--; i--)
+        if (!is_rxqs_map) {
-                                netdev_queue_numa_node_write(
+                for (i = offset + (count - 1); count--; i--) {
-                                        netdev_get_tx_queue(dev, i),
+                        netdev_queue_numa_node_write(
-                                                        NUMA_NO_NODE);
+                                netdev_get_tx_queue(dev, i),
+                                NUMA_NO_NODE);
                }
-                kfree_rcu(dev_maps, rcu);
        }
 }
@@ -2234,10 +2245,6 @@ static void netif_reset_xps_queues(struct net_device *dev, u16 offset,
                       false);
 out_no_maps:
-        if (static_key_enabled(&xps_rxqs_needed))
-                static_key_slow_dec_cpuslocked(&xps_rxqs_needed);
-        static_key_slow_dec_cpuslocked(&xps_needed);
        mutex_unlock(&xps_map_mutex);
        cpus_read_unlock();
 }
@@ -2355,9 +2362,12 @@ int __netif_set_xps_queue(struct net_device *dev, const unsigned long *mask,
        if (!new_dev_maps)
                goto out_no_new_maps;
-        static_key_slow_inc_cpuslocked(&xps_needed);
+        if (!dev_maps) {
-        if (is_rxqs_map)
+                /* Increment static keys at most once per type */
-                static_key_slow_inc_cpuslocked(&xps_rxqs_needed);
+                static_key_slow_inc_cpuslocked(&xps_needed);
+                if (is_rxqs_map)
+                        static_key_slow_inc_cpuslocked(&xps_rxqs_needed);
+        }
        for (j = -1; j = netif_attrmask_next(j, possible_mask, nr_ids),
             j < nr_ids;) {
@@ -2455,13 +2465,8 @@ out_no_new_maps:
        }
        /* free map if not active */
-        if (!active) {
+        if (!active)
-                if (is_rxqs_map)
+                reset_xps_maps(dev, dev_maps, is_rxqs_map);
-                        RCU_INIT_POINTER(dev->xps_rxqs_map, NULL);
-                else
-                        RCU_INIT_POINTER(dev->xps_cpus_map, NULL);
-                kfree_rcu(dev_maps, rcu);
-        }
 out_no_maps:
        mutex_unlock(&xps_map_mutex);
@@ -5009,7 +5014,7 @@ static void __netif_receive_skb_list_core(struct list_head *head, bool pfmemallo
                struct net_device *orig_dev = skb->dev;
                struct packet_type *pt_prev = NULL;
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
                if (!pt_prev)
                        continue;
@@ -5165,7 +5170,7 @@ static void netif_receive_skb_list_internal(struct list_head *head)
        INIT_LIST_HEAD(&sublist);
        list_for_each_entry_safe(skb, next, head, list) {
                net_timestamp_check(netdev_tstamp_prequeue, skb);
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                if (!skb_defer_rx_timestamp(skb))
                        list_add_tail(&skb->list, &sublist);
        }
@@ -5176,7 +5181,7 @@ static void netif_receive_skb_list_internal(struct list_head *head)
                rcu_read_lock();
                list_for_each_entry_safe(skb, next, head, list) {
                        xdp_prog = rcu_dereference(skb->dev->xdp_prog);
-                        list_del(&skb->list);
+                        skb_list_del_init(skb);
                        if (do_xdp_generic(xdp_prog, skb) == XDP_PASS)
                                list_add_tail(&skb->list, &sublist);
                }
@@ -5195,7 +5200,7 @@ static void netif_receive_skb_list_internal(struct list_head *head)
                        if (cpu >= 0) {
                                /* Will be handled, remove from list */
-                                list_del(&skb->list);
+                                skb_list_del_init(skb);
                                enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
                        }
                }
@@ -6204,8 +6209,8 @@ void netif_napi_add(struct net_device *dev, struct napi_struct *napi,
        napi->skb = NULL;
        napi->poll = poll;
        if (weight > NAPI_POLL_WEIGHT)
-                pr_err_once("netif_napi_add() called with weight %d on device %s\n",
+                netdev_err_once(dev, "%s() called with weight %d\n", __func__,
-                            weight, dev->name);
+                                weight);
        napi->weight = weight;
        list_add(&napi->dev_list, &dev->napi_list);
        napi->dev = dev;
diff --git a/net/core/filter.c b/net/core/filter.c
index 9a1327eb25fa..8d2c629501e2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4890,22 +4890,23 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
        struct net *net;
        family = len == sizeof(tuple->ipv4) ? AF_INET : AF_INET6;
-        if (unlikely(family == AF_UNSPEC || netns_id > U32_MAX || flags))
+        if (unlikely(family == AF_UNSPEC || flags ||
+                     !((s32)netns_id < 0 || netns_id <= S32_MAX)))
                goto out;
        if (skb->dev)
                caller_net = dev_net(skb->dev);
        else
                caller_net = sock_net(skb->sk);
-        if (netns_id) {
+        if ((s32)netns_id < 0) {
+                net = caller_net;
+                sk = sk_lookup(net, tuple, skb, family, proto);
+        } else {
                net = get_net_ns_by_id(caller_net, netns_id);
                if (unlikely(!net))
                        goto out;
                sk = sk_lookup(net, tuple, skb, family, proto);
                put_net(net);
-        } else {
-                net = caller_net;
-                sk = sk_lookup(net, tuple, skb, family, proto);
        }
        if (sk)
@@ -5435,8 +5436,8 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
                if (size != size_default)
                        return false;
                break;
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
-                if (size != sizeof(struct bpf_flow_keys *))
+                if (size != sizeof(__u64))
                        return false;
                break;
        default:
@@ -5464,7 +5465,7 @@ static bool sk_filter_is_valid_access(int off, int size,
        case bpf_ctx_range(struct __sk_buff, data):
        case bpf_ctx_range(struct __sk_buff, data_meta):
        case bpf_ctx_range(struct __sk_buff, data_end):
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
        case bpf_ctx_range_till(struct __sk_buff, family, local_port):
                return false;
        }
@@ -5489,7 +5490,7 @@ static bool cg_skb_is_valid_access(int off, int size,
        switch (off) {
        case bpf_ctx_range(struct __sk_buff, tc_classid):
        case bpf_ctx_range(struct __sk_buff, data_meta):
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
                return false;
        case bpf_ctx_range(struct __sk_buff, data):
        case bpf_ctx_range(struct __sk_buff, data_end):
@@ -5530,7 +5531,7 @@ static bool lwt_is_valid_access(int off, int size,
        case bpf_ctx_range(struct __sk_buff, tc_classid):
        case bpf_ctx_range_till(struct __sk_buff, family, local_port):
        case bpf_ctx_range(struct __sk_buff, data_meta):
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
                return false;
        }
@@ -5756,7 +5757,7 @@ static bool tc_cls_act_is_valid_access(int off, int size,
        case bpf_ctx_range(struct __sk_buff, data_end):
                info->reg_type = PTR_TO_PACKET_END;
                break;
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
        case bpf_ctx_range_till(struct __sk_buff, family, local_port):
                return false;
        }
@@ -5958,7 +5959,7 @@ static bool sk_skb_is_valid_access(int off, int size,
        switch (off) {
        case bpf_ctx_range(struct __sk_buff, tc_classid):
        case bpf_ctx_range(struct __sk_buff, data_meta):
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
                return false;
        }
@@ -6039,7 +6040,7 @@ static bool flow_dissector_is_valid_access(int off, int size,
        case bpf_ctx_range(struct __sk_buff, data_end):
                info->reg_type = PTR_TO_PACKET_END;
                break;
-        case bpf_ctx_range(struct __sk_buff, flow_keys):
+        case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
                info->reg_type = PTR_TO_FLOW_KEYS;
                break;
        case bpf_ctx_range(struct __sk_buff, tc_classid):
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 33d9227a8b80..7819f7804eeb 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3800,6 +3800,9 @@ int ndo_dflt_fdb_dump(struct sk_buff *skb,
 {
        int err;
+        if (dev->type != ARPHRD_ETHER)
+                return -EINVAL;
        netif_addr_lock_bh(dev);
        err = nlmsg_populate_fdb(skb, cb, dev, idx, &dev->uc);
        if (err)
diff --git a/net/dsa/master.c b/net/dsa/master.c
index c90ee3227dea..5e8c9bef78bd 100644
--- a/net/dsa/master.c
+++ b/net/dsa/master.c
@@ -158,8 +158,31 @@ static void dsa_master_ethtool_teardown(struct net_device *dev)
        cpu_dp->orig_ethtool_ops = NULL;
 }
+static ssize_t tagging_show(struct device *d, struct device_attribute *attr,
+                            char *buf)
+{
+        struct net_device *dev = to_net_dev(d);
+        struct dsa_port *cpu_dp = dev->dsa_ptr;
+        return sprintf(buf, "%s\n",
+                       dsa_tag_protocol_to_str(cpu_dp->tag_ops));
+}
+static DEVICE_ATTR_RO(tagging);
+static struct attribute *dsa_slave_attrs[] = {
+        &dev_attr_tagging.attr,
+        NULL
+};
+static const struct attribute_group dsa_group = {
+        .name   = "dsa",
+        .attrs  = dsa_slave_attrs,
+};
 int dsa_master_setup(struct net_device *dev, struct dsa_port *cpu_dp)
 {
+        int ret;
        /* If we use a tagging format that doesn't have an ethertype
         * field, make sure that all packets from this point on get
         * sent to the tag format's receive function.
@@ -168,11 +191,20 @@ int dsa_master_setup(struct net_device *dev, struct dsa_port *cpu_dp)
        dev->dsa_ptr = cpu_dp;
-        return dsa_master_ethtool_setup(dev);
+        ret = dsa_master_ethtool_setup(dev);
+        if (ret)
+                return ret;
+        ret = sysfs_create_group(&dev->dev.kobj, &dsa_group);
+        if (ret)
+                dsa_master_ethtool_teardown(dev);
+        return ret;
 }
 void dsa_master_teardown(struct net_device *dev)
 {
+        sysfs_remove_group(&dev->dev.kobj, &dsa_group);
        dsa_master_ethtool_teardown(dev);
        dev->dsa_ptr = NULL;
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 7d0c19e7edcf..aec78f5aca72 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1058,27 +1058,6 @@ static struct device_type dsa_type = {
        .name   = "dsa",
 };
-static ssize_t tagging_show(struct device *d, struct device_attribute *attr,
-                            char *buf)
-{
-        struct net_device *dev = to_net_dev(d);
-        struct dsa_port *dp = dsa_slave_to_port(dev);
-        return sprintf(buf, "%s\n",
-                       dsa_tag_protocol_to_str(dp->cpu_dp->tag_ops));
-}
-static DEVICE_ATTR_RO(tagging);
-static struct attribute *dsa_slave_attrs[] = {
-        &dev_attr_tagging.attr,
-        NULL
-};
-static const struct attribute_group dsa_group = {
-        .name   = "dsa",
-        .attrs  = dsa_slave_attrs,
-};
 static void dsa_slave_phylink_validate(struct net_device *dev,
                                       unsigned long *supported,
                                       struct phylink_link_state *state)
@@ -1374,14 +1353,8 @@ int dsa_slave_create(struct dsa_port *port)
                goto out_phy;
        }
-        ret = sysfs_create_group(&slave_dev->dev.kobj, &dsa_group);
-        if (ret)
-                goto out_unreg;
        return 0;
-out_unreg:
-        unregister_netdev(slave_dev);
 out_phy:
        rtnl_lock();
        phylink_disconnect_phy(p->dp->pl);
@@ -1405,7 +1378,6 @@ void dsa_slave_destroy(struct net_device *slave_dev)
        rtnl_unlock();
        dsa_slave_notify(slave_dev, DSA_PORT_UNREGISTER);
-        sysfs_remove_group(&slave_dev->dev.kobj, &dsa_group);
        unregister_netdev(slave_dev);
        phylink_destroy(dp->pl);
        free_percpu(p->stats64);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index d6ee343fdb86..aa0b22697998 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -515,6 +515,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
        struct rb_node *rbn;
        int len;
        int ihlen;
+        int delta;
        int err;
        u8 ecn;
@@ -556,10 +557,16 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
        if (len > 65535)
                goto out_oversize;
+        delta = - head->truesize;
        /* Head of list must not be cloned. */
        if (skb_unclone(head, GFP_ATOMIC))
                goto out_nomem;
+        delta += head->truesize;
+        if (delta)
+                add_frag_mem_limit(qp->q.net, delta);
        /* If the first fragment is fragmented itself, we split
         * it to two chunks: the first with data and paged part
         * and the second, holding only fragments. */
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 35a786c0aaa0..e609b08c9df4 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -547,7 +547,7 @@ static void ip_list_rcv_finish(struct net *net, struct sock *sk,
        list_for_each_entry_safe(skb, next, head, list) {
                struct dst_entry *dst;
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                /* if ingress device is enslaved to an L3 master device pass the
                 * skb to its handler for processing
                 */
@@ -594,7 +594,7 @@ void ip_list_rcv(struct list_head *head, struct packet_type *pt,
                struct net_device *dev = skb->dev;
                struct net *net = dev_net(dev);
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                skb = ip_rcv_core(skb, net);
                if (skb == NULL)
                        continue;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 3f510cad0b3e..d1676d8a6ed7 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1904,7 +1904,9 @@ static int tso_fragment(struct sock *sk, enum tcp_queue tcp_queue,
 * This algorithm is from John Heffner.
 */
 static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
-                                 bool *is_cwnd_limited, u32 max_segs)
+                                 bool *is_cwnd_limited,
+                                 bool *is_rwnd_limited,
+                                 u32 max_segs)
 {
        const struct inet_connection_sock *icsk = inet_csk(sk);
        u32 age, send_win, cong_win, limit, in_flight;
@@ -1912,9 +1914,6 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
        struct sk_buff *head;
        int win_divisor;
-        if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
-                goto send_now;
        if (icsk->icsk_ca_state >= TCP_CA_Recovery)
                goto send_now;
@@ -1973,10 +1972,27 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
        if (age < (tp->srtt_us >> 4))
                goto send_now;
-        /* Ok, it looks like it is advisable to defer. */
+        /* Ok, it looks like it is advisable to defer.
+         * Three cases are tracked :
+         * 1) We are cwnd-limited
+         * 2) We are rwnd-limited
+         * 3) We are application limited.
+         */
+        if (cong_win < send_win) {
+                if (cong_win <= skb->len) {
+                        *is_cwnd_limited = true;
+                        return true;
+                }
+        } else {
+                if (send_win <= skb->len) {
+                        *is_rwnd_limited = true;
+                        return true;
+                }
+        }
-        if (cong_win < send_win && cong_win <= skb->len)
+        /* If this packet won't get more data, do not wait. */
-                *is_cwnd_limited = true;
+        if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
+                goto send_now;
        return true;
@@ -2356,7 +2372,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                } else {
                        if (!push_one &&
                            tcp_tso_should_defer(sk, skb, &is_cwnd_limited,
-                                                 max_segs))
+                                                 &is_rwnd_limited, max_segs))
                                break;
                }
@@ -2494,15 +2510,18 @@ void tcp_send_loss_probe(struct sock *sk)
                goto rearm_timer;
        }
        skb = skb_rb_last(&sk->tcp_rtx_queue);
+        if (unlikely(!skb)) {
+                WARN_ONCE(tp->packets_out,
+                          "invalid inflight: %u state %u cwnd %u mss %d\n",
+                          tp->packets_out, sk->sk_state, tp->snd_cwnd, mss);
+                inet_csk(sk)->icsk_pending = 0;
+                return;
+        }
        /* At most one outstanding TLP retransmission. */
        if (tp->tlp_high_seq)
                goto rearm_timer;
-        /* Retransmit last segment. */
-        if (WARN_ON(!skb))
-                goto rearm_timer;
        if (skb_still_in_host_queue(sk, skb))
                goto rearm_timer;
@@ -2920,7 +2939,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
                TCP_SKB_CB(skb)->sacked |= TCPCB_EVER_RETRANS;
                trace_tcp_retransmit_skb(sk, skb);
        } else if (err != -EBUSY) {
-                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL);
+                NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL, segs);
        }
        return err;
 }
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 091c53925e4d..f87dbc78b6bc 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -378,7 +378,7 @@ static void tcp_probe_timer(struct sock *sk)
                        return;
        }
-        if (icsk->icsk_probes_out > max_probes) {
+        if (icsk->icsk_probes_out >= max_probes) {
 abort:          tcp_write_err(sk);
        } else {
                /* Only send another probe if we didn't close things up. */
@@ -484,11 +484,12 @@ void tcp_retransmit_timer(struct sock *sk)
                goto out_reset_timer;
        }
+        __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTS);
        if (tcp_write_timeout(sk))
                goto out;
        if (icsk->icsk_retransmits == 0) {
-                int mib_idx;
+                int mib_idx = 0;
                if (icsk->icsk_ca_state == TCP_CA_Recovery) {
                        if (tcp_is_sack(tp))
@@ -503,10 +504,9 @@ void tcp_retransmit_timer(struct sock *sk)
                                mib_idx = LINUX_MIB_TCPSACKFAILURES;
                        else
                                mib_idx = LINUX_MIB_TCPRENOFAILURES;
-                } else {
-                        mib_idx = LINUX_MIB_TCPTIMEOUTS;
                }
-                __NET_INC_STATS(sock_net(sk), mib_idx);
+                if (mib_idx)
+                        __NET_INC_STATS(sock_net(sk), mib_idx);
        }
        tcp_enter_loss(sk);
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 96577e742afd..c1d85830c906 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -95,7 +95,7 @@ static void ip6_list_rcv_finish(struct net *net, struct sock *sk,
        list_for_each_entry_safe(skb, next, head, list) {
                struct dst_entry *dst;
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                /* if ingress device is enslaved to an L3 master device pass the
                 * skb to its handler for processing
                 */
@@ -296,7 +296,7 @@ void ipv6_list_rcv(struct list_head *head, struct packet_type *pt,
                struct net_device *dev = skb->dev;
                struct net *net = dev_net(dev);
-                list_del(&skb->list);
+                skb_list_del_init(skb);
                skb = ip6_rcv_core(skb, dev, net);
                if (skb == NULL)
                        continue;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 827a3f5ff3bb..fcd3c66ded16 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -195,37 +195,37 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
        const struct ipv6_pinfo *np = inet6_sk(sk);
        struct in6_addr *first_hop = &fl6->daddr;
        struct dst_entry *dst = skb_dst(skb);
+        unsigned int head_room;
        struct ipv6hdr *hdr;
        u8  proto = fl6->flowi6_proto;
        int seg_len = skb->len;
        int hlimit = -1;
        u32 mtu;
-        if (opt) {
+        head_room = sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
-                unsigned int head_room;
+        if (opt)
+                head_room += opt->opt_nflen + opt->opt_flen;
-                /* First: exthdrs may take lots of space (~8K for now)
+        if (unlikely(skb_headroom(skb) < head_room)) {
-                   MAX_HEADER is not enough.
+                struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
-                 */
+                if (!skb2) {
-                head_room = opt->opt_nflen + opt->opt_flen;
+                        IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-                seg_len += head_room;
+                                      IPSTATS_MIB_OUTDISCARDS);
-                head_room += sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
+                        kfree_skb(skb);
+                        return -ENOBUFS;
-                if (skb_headroom(skb) < head_room) {
-                        struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
-                        if (!skb2) {
-                                IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-                                              IPSTATS_MIB_OUTDISCARDS);
-                                kfree_skb(skb);
-                                return -ENOBUFS;
-                        }
-                        if (skb->sk)
-                                skb_set_owner_w(skb2, skb->sk);
-                        consume_skb(skb);
-                        skb = skb2;
                }
+                if (skb->sk)
+                        skb_set_owner_w(skb2, skb->sk);
+                consume_skb(skb);
+                skb = skb2;
+        }
+        if (opt) {
+                seg_len += opt->opt_nflen + opt->opt_flen;
                if (opt->opt_flen)
                        ipv6_push_frag_opts(skb, opt, &proto);
                if (opt->opt_nflen)
                        ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop,
                                             &fl6->saddr);
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index d219979c3e52..181da2c40f9a 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -341,7 +341,7 @@ static bool
 nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev,  struct net_device *dev)
 {
        struct sk_buff *fp, *head = fq->q.fragments;
-        int    payload_len;
+        int    payload_len, delta;
        u8 ecn;
        inet_frag_kill(&fq->q);
@@ -363,10 +363,16 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev,  struct net_devic
                return false;
        }
+        delta = - head->truesize;
        /* Head of list must not be cloned. */
        if (skb_unclone(head, GFP_ATOMIC))
                return false;
+        delta += head->truesize;
+        if (delta)
+                add_frag_mem_limit(fq->q.net, delta);
        /* If the first fragment is fragmented itself, we split
         * it to two chunks: the first with data and paged part
         * and the second, holding only fragments. */
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 5c3c92713096..aa26c45486d9 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -281,7 +281,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
 {
        struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
        struct sk_buff *fp, *head = fq->q.fragments;
-        int    payload_len;
+        int    payload_len, delta;
        unsigned int nhoff;
        int sum_truesize;
        u8 ecn;
@@ -322,10 +322,16 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
        if (payload_len > IPV6_MAXPLEN)
                goto out_oversize;
+        delta = - head->truesize;
        /* Head of list must not be cloned. */
        if (skb_unclone(head, GFP_ATOMIC))
                goto out_oom;
+        delta += head->truesize;
+        if (delta)
+                add_frag_mem_limit(fq->q.net, delta);
        /* If the first fragment is fragmented itself, we split
         * it to two chunks: the first with data and paged part
         * and the second, holding only fragments. */
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index a8854dd3e9c5..8181ee7e1e27 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -347,6 +347,7 @@ static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                struct ipv6hdr *hdr = ipv6_hdr(skb);
                struct flowi6 fl6;
+                memset(&fl6, 0, sizeof(fl6));
                fl6.daddr = hdr->daddr;
                fl6.saddr = hdr->saddr;
                fl6.flowlabel = ip6_flowinfo(hdr);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 51622333d460..818aa0060349 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2891,7 +2891,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
        len = beacon->head_len + beacon->tail_len + beacon->beacon_ies_len +
              beacon->proberesp_ies_len + beacon->assocresp_ies_len +
-              beacon->probe_resp_len;
+              beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len;
        new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL);
        if (!new_beacon)
@@ -2934,8 +2934,9 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
                memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
                pos += beacon->probe_resp_len;
        }
-        if (beacon->ftm_responder)
-                new_beacon->ftm_responder = beacon->ftm_responder;
+        /* might copy -1, meaning no changes requested */
+        new_beacon->ftm_responder = beacon->ftm_responder;
        if (beacon->lci) {
                new_beacon->lci_len = beacon->lci_len;
                new_beacon->lci = pos;
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 5836ddeac9e3..5f3c81e705c7 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1015,6 +1015,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        if (local->open_count == 0)
                ieee80211_clear_tx_pending(local);
+        sdata->vif.bss_conf.beacon_int = 0;
        /*
         * If the interface goes down while suspended, presumably because
         * the device was unplugged and that happens before our resume,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d2bc8d57c87e..bcf5ffc1567a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2766,6 +2766,7 @@ static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        struct sta_info *sta;
+        bool result = true;
        sdata_info(sdata, "authenticated\n");
        ifmgd->auth_data->done = true;
@@ -2778,15 +2779,18 @@ static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata,
        sta = sta_info_get(sdata, bssid);
        if (!sta) {
                WARN_ONCE(1, "%s: STA %pM not found", sdata->name, bssid);
-                return false;
+                result = false;
+                goto out;
        }
        if (sta_info_move_state(sta, IEEE80211_STA_AUTH)) {
                sdata_info(sdata, "failed moving %pM to auth\n", bssid);
-                return false;
+                result = false;
+                goto out;
        }
-        mutex_unlock(&sdata->local->sta_mtx);
-        return true;
+out:
+        mutex_unlock(&sdata->local->sta_mtx);
+        return result;
 }
 static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3bd3b5769797..428f7ad5f9b5 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1403,6 +1403,7 @@ ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
                return RX_CONTINUE;
        if (ieee80211_is_ctl(hdr->frame_control) ||
+            ieee80211_is_nullfunc(hdr->frame_control) ||
            ieee80211_is_qos_nullfunc(hdr->frame_control) ||
            is_multicast_ether_addr(hdr->addr1))
                return RX_CONTINUE;
@@ -3063,7 +3064,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        cfg80211_sta_opmode_change_notify(sdata->dev,
                                                          rx->sta->addr,
                                                          &sta_opmode,
-                                                          GFP_KERNEL);
+                                                          GFP_ATOMIC);
                        goto handled;
                }
                case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
@@ -3100,7 +3101,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        cfg80211_sta_opmode_change_notify(sdata->dev,
                                                          rx->sta->addr,
                                                          &sta_opmode,
-                                                          GFP_KERNEL);
+                                                          GFP_ATOMIC);
                        goto handled;
                }
                default:
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index aa4afbf0abaf..a794ca729000 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -964,6 +964,8 @@ void ieee80211_tx_status_ext(struct ieee80211_hw *hw,
                        /* Track when last TDLS packet was ACKed */
                        if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
                                sta->status_stats.last_tdls_pkt_time = jiffies;
+                } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
+                        return;
                } else {
                        ieee80211_lost_packet(sta, info);
                }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e0ccee23fbcd..1f536ba573b4 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -439,8 +439,8 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
        if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
                info->hw_queue = tx->sdata->vif.cab_queue;
-        /* no stations in PS mode */
+        /* no stations in PS mode and no buffered packets */
-        if (!atomic_read(&ps->num_sta_ps))
+        if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
                return TX_CONTINUE;
        info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index a4660c48ff01..cd94f925495a 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1166,7 +1166,7 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
                                &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
                        if (err) {
                                net_warn_ratelimited("openvswitch: zone: %u "
-                                        "execeeds conntrack limit\n",
+                                        "exceeds conntrack limit\n",
                                        info->zone.id);
                                return err;
                        }
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 37c9b8f0e10f..ec8ec55e0fe8 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -85,7 +85,7 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
                               int ovr, int bind, bool rtnl_held,
                               struct netlink_ext_ack *extack)
 {
-        int ret = 0, err;
+        int ret = 0, tcfp_result = TC_ACT_OK, err, size;
        struct nlattr *tb[TCA_POLICE_MAX + 1];
        struct tc_police *parm;
        struct tcf_police *police;
@@ -93,7 +93,6 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
        struct tc_action_net *tn = net_generic(net, police_net_id);
        struct tcf_police_params *new;
        bool exists = false;
-        int size;
        if (nla == NULL)
                return -EINVAL;
@@ -160,6 +159,16 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
                goto failure;
        }
+        if (tb[TCA_POLICE_RESULT]) {
+                tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
+                if (TC_ACT_EXT_CMP(tcfp_result, TC_ACT_GOTO_CHAIN)) {
+                        NL_SET_ERR_MSG(extack,
+                                       "goto chain not allowed on fallback");
+                        err = -EINVAL;
+                        goto failure;
+                }
+        }
        new = kzalloc(sizeof(*new), GFP_KERNEL);
        if (unlikely(!new)) {
                err = -ENOMEM;
@@ -167,6 +176,7 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
        }
        /* No failure allowed after this point */
+        new->tcfp_result = tcfp_result;
        new->tcfp_mtu = parm->mtu;
        if (!new->tcfp_mtu) {
                new->tcfp_mtu = ~0;
@@ -196,16 +206,6 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
        if (tb[TCA_POLICE_AVRATE])
                new->tcfp_ewma_rate = nla_get_u32(tb[TCA_POLICE_AVRATE]);
-        if (tb[TCA_POLICE_RESULT]) {
-                new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
-                if (TC_ACT_EXT_CMP(new->tcfp_result, TC_ACT_GOTO_CHAIN)) {
-                        NL_SET_ERR_MSG(extack,
-                                       "goto chain not allowed on fallback");
-                        err = -EINVAL;
-                        goto failure;
-                }
-        }
        spin_lock_bh(&police->tcf_lock);
        spin_lock_bh(&police->tcfp_lock);
        police->tcfp_t_c = ktime_get_ns();
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index c6c327874abc..71312d7bd8f4 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1238,18 +1238,16 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
        if (err)
                goto errout_idr;
-        if (!tc_skip_sw(fnew->flags)) {
+        if (!fold && fl_lookup(fnew->mask, &fnew->mkey)) {
-                if (!fold && fl_lookup(fnew->mask, &fnew->mkey)) {
+                err = -EEXIST;
-                        err = -EEXIST;
+                goto errout_mask;
-                        goto errout_mask;
-                }
-                err = rhashtable_insert_fast(&fnew->mask->ht, &fnew->ht_node,
-                                             fnew->mask->filter_ht_params);
-                if (err)
-                        goto errout_mask;
        }
+        err = rhashtable_insert_fast(&fnew->mask->ht, &fnew->ht_node,
+                                     fnew->mask->filter_ht_params);
+        if (err)
+                goto errout_mask;
        if (!tc_skip_hw(fnew->flags)) {
                err = fl_hw_replace_filter(tp, fnew, extack);
                if (err)
@@ -1303,9 +1301,8 @@ static int fl_delete(struct tcf_proto *tp, void *arg, bool *last,
        struct cls_fl_head *head = rtnl_dereference(tp->root);
        struct cls_fl_filter *f = arg;
-        if (!tc_skip_sw(f->flags))
+        rhashtable_remove_fast(&f->mask->ht, &f->ht_node,
-                rhashtable_remove_fast(&f->mask->ht, &f->ht_node,
+                               f->mask->filter_ht_params);
-                                       f->mask->filter_ht_params);
        __fl_delete(tp, f, extack);
        *last = list_empty(&head->masks);
        return 0;
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 2c38e3d07924..22cd46a60057 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -431,6 +431,9 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
        int count = 1;
        int rc = NET_XMIT_SUCCESS;
+        /* Do not fool qdisc_drop_all() */
+        skb->prev = NULL;
        /* Random duplication */
        if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
                ++count;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 6a28b96e779e..914750b819b2 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -118,9 +118,6 @@ static struct sctp_association *sctp_association_init(
        asoc->flowlabel = sp->flowlabel;
        asoc->dscp = sp->dscp;
-        /* Initialize default path MTU. */
-        asoc->pathmtu = sp->pathmtu;
        /* Set association default SACK delay */
        asoc->sackdelay = msecs_to_jiffies(sp->sackdelay);
        asoc->sackfreq = sp->sackfreq;
@@ -252,6 +249,10 @@ static struct sctp_association *sctp_association_init(
                             0, gfp))
                goto fail_init;
+        /* Initialize default path MTU. */
+        asoc->pathmtu = sp->pathmtu;
+        sctp_assoc_update_frag_point(asoc);
        /* Assume that peer would support both address types unless we are
         * told otherwise.
         */
@@ -434,7 +435,7 @@ static void sctp_association_destroy(struct sctp_association *asoc)
        WARN_ON(atomic_read(&asoc->rmem_alloc));
-        kfree(asoc);
+        kfree_rcu(asoc, rcu);
        SCTP_DBG_OBJCNT_DEC(assoc);
 }
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index ce8087846f05..d2048de86e7c 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -191,6 +191,12 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
         * the packet
         */
        max_data = asoc->frag_point;
+        if (unlikely(!max_data)) {
+                max_data = sctp_min_frag_point(sctp_sk(asoc->base.sk),
+                                               sctp_datachk_len(&asoc->stream));
+                pr_warn_ratelimited("%s: asoc:%p frag_point is zero, forcing max_data to default minimum (%Zu)",
+                                    __func__, asoc, max_data);
+        }
        /* If the the peer requested that we authenticate DATA chunks
         * we need to account for bundling of the AUTH chunks along with
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 4a4fd1971255..f4ac6c592e13 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2462,6 +2462,9 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
                             asoc->c.sinit_max_instreams, gfp))
                goto clean_up;
+        /* Update frag_point when stream_interleave may get changed. */
+        sctp_assoc_update_frag_point(asoc);
        if (!asoc->temp && sctp_assoc_set_id(asoc, gfp))
                goto clean_up;
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index bf618d1b41fd..b8cebd5a87e5 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3324,8 +3324,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned
                __u16 datasize = asoc ? sctp_datachk_len(&asoc->stream) :
                                 sizeof(struct sctp_data_chunk);
-                min_len = sctp_mtu_payload(sp, SCTP_DEFAULT_MINSEGMENT,
+                min_len = sctp_min_frag_point(sp, datasize);
-                                           datasize);
                max_len = SCTP_MAX_CHUNK_LEN - datasize;
                if (val < min_len || val > max_len)
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 12b3edf70a7b..1615e503f8e3 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -272,11 +272,11 @@ void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa,
        p1 = (u8*)(ht_capa);
        p2 = (u8*)(ht_capa_mask);
-        for (i = 0; i<sizeof(*ht_capa); i++)
+        for (i = 0; i < sizeof(*ht_capa); i++)
                p1[i] &= p2[i];
 }
-/*  Do a logical ht_capa &= ht_capa_mask.  */
+/*  Do a logical vht_capa &= vht_capa_mask.  */
 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa,
                                const struct ieee80211_vht_cap *vht_capa_mask)
 {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 744b5851bbf9..8d763725498c 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -7870,6 +7870,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
        }
        memset(&params, 0, sizeof(params));
+        params.beacon_csa.ftm_responder = -1;
        if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
            !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index d536b07582f8..f741d8376a46 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -642,11 +642,15 @@ static bool cfg80211_is_all_idle(void)
         * All devices must be idle as otherwise if you are actively
         * scanning some new beacon hints could be learned and would
         * count as new regulatory hints.
+         * Also if there is any other active beaconing interface we
+         * need not issue a disconnect hint and reset any info such
+         * as chan dfs state, etc.
         */
        list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
                list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
                        wdev_lock(wdev);
-                        if (wdev->conn || wdev->current_bss)
+                        if (wdev->conn || wdev->current_bss ||
+                            cfg80211_beaconing_iface_active(wdev))
                                is_all_idle = false;
                        wdev_unlock(wdev);
                }
@@ -1171,6 +1175,8 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
        cfg80211_oper_and_ht_capa(&connect->ht_capa_mask,
                                  rdev->wiphy.ht_capa_mod_mask);
+        cfg80211_oper_and_vht_capa(&connect->vht_capa_mask,
+                                   rdev->wiphy.vht_capa_mod_mask);
        if (connkeys && connkeys->def >= 0) {
                int idx;
diff --git a/net/wireless/util.c b/net/wireless/util.c
index ef14d80ca03e..d473bd135da8 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1421,6 +1421,8 @@ size_t ieee80211_ie_split_ric(const u8 *ies, size_t ielen,
                                                          ies[pos + ext],
                                                          ext == 2))
                                        pos = skip_ie(ies, ielen, pos);
+                                else
+                                        break;
                        }
                } else {
                        pos = skip_ie(ies, ielen, pos);
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index d49aa79b7997..5121729b8b63 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -100,7 +100,7 @@ int x25_parse_address_block(struct sk_buff *skb,
        }
        len = *skb->data;
-        needed = 1 + (len >> 4) + (len & 0x0f);
+        needed = 1 + ((len >> 4) + (len & 0x0f) + 1) / 2;
        if (!pskb_may_pull(skb, needed)) {
                /* packet is too short to hold the addresses it claims
@@ -288,7 +288,7 @@ static struct sock *x25_find_listener(struct x25_address *addr,
        sk_for_each(s, &x25_list)
                if ((!strcmp(addr->x25_addr,
                        x25_sk(s)->source_addr.x25_addr) ||
-                                !strcmp(addr->x25_addr,
+                                !strcmp(x25_sk(s)->source_addr.x25_addr,
                                        null_x25_address.x25_addr)) &&
                                        s->sk_state == TCP_LISTEN) {
                        /*
@@ -688,11 +688,15 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                goto out;
        }
-        len = strlen(addr->sx25_addr.x25_addr);
+        /* check for the null_x25_address */
-        for (i = 0; i < len; i++) {
+        if (strcmp(addr->sx25_addr.x25_addr, null_x25_address.x25_addr)) {
-                if (!isdigit(addr->sx25_addr.x25_addr[i])) {
-                        rc = -EINVAL;
+                len = strlen(addr->sx25_addr.x25_addr);
-                        goto out;
+                for (i = 0; i < len; i++) {
+                        if (!isdigit(addr->sx25_addr.x25_addr[i])) {
+                                rc = -EINVAL;
+                                goto out;
+                        }
                }
        }
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 3c12cae32001..afb26221d8a8 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -142,6 +142,15 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        sk->sk_state_change(sk);
                break;
        }
+        case X25_CALL_REQUEST:
+                /* call collision */
+                x25->causediag.cause      = 0x01;
+                x25->causediag.diagnostic = 0x48;
+                x25_write_internal(sk, X25_CLEAR_REQUEST);
+                x25_disconnect(sk, EISCONN, 0x01, 0x48);
+                break;
        case X25_CLEAR_REQUEST:
                if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
                        goto out_clear;
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-12-09 18:12:33 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-12-09 18:12:33 -0500
commit	d48f782e4fb20dc7ec935ca0ca41ae31e4a69362 (patch)
tree	482270b85d4ab9b1284e07e4cb439b4dc7af919f /net
parent	8586ca8a214471e4573d76356aabe890bfecdc8a (diff)
parent	35cc3cefc4de90001c9137e2d01dd9d06b11acfb (diff)