aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2018-12-20 13:53:28 -0500
committerDavid S. Miller <davem@davemloft.net>2018-12-20 14:53:36 -0500
commit2be09de7d6a06f58e768de1255a687c9aaa66606 (patch)
tree298f9e04caf105873d987e807eccba27710a49cc /net
parent44a7b3b6e3a458f9549c2cc28e74ecdc470e42f1 (diff)
parent1d51b4b1d3f2db0d6d144175e31a84e472fbd99a (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Lots of conflicts, by happily all cases of overlapping changes, parallel adds, things of that nature. Thanks to Stephen Rothwell, Saeed Mahameed, and others for their guidance in these resolutions. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/can/raw.c2
-rw-r--r--net/core/flow_dissector.c6
-rw-r--r--net/core/gro_cells.c1
-rw-r--r--net/core/neighbour.c7
-rw-r--r--net/core/sysctl_net_core.c20
-rw-r--r--net/ipv4/devinet.c5
-rw-r--r--net/ipv4/ip_forward.c1
-rw-r--r--net/ipv4/ip_fragment.c18
-rw-r--r--net/ipv4/ipconfig.c2
-rw-r--r--net/ipv4/ipmr.c4
-rw-r--r--net/ipv4/raw.c2
-rw-r--r--net/ipv6/ip6_output.c1
-rw-r--r--net/ipv6/ip6_udp_tunnel.c3
-rw-r--r--net/ipv6/ip6mr.c4
-rw-r--r--net/ipv6/raw.c2
-rw-r--r--net/mac80211/iface.c3
-rw-r--r--net/mac80211/main.c2
-rw-r--r--net/mac80211/status.c5
-rw-r--r--net/netfilter/ipset/ip_set_list_set.c2
-rw-r--r--net/netfilter/nf_conncount.c2
-rw-r--r--net/netfilter/nf_conntrack_seqadj.c7
-rw-r--r--net/netfilter/nf_nat_core.c3
-rw-r--r--net/netfilter/nf_tables_api.c21
-rw-r--r--net/netfilter/nf_tables_core.c2
-rw-r--r--net/netlink/af_netlink.c4
-rw-r--r--net/packet/af_packet.c6
-rw-r--r--net/rds/message.c24
-rw-r--r--net/rds/rdma.c75
-rw-r--r--net/rds/rds.h23
-rw-r--r--net/rds/send.c61
-rw-r--r--net/sched/cls_flower.c7
-rw-r--r--net/sctp/ipv6.c1
-rw-r--r--net/smc/af_smc.c14
-rw-r--r--net/smc/smc.h4
-rw-r--r--net/sunrpc/clnt.c1
-rw-r--r--net/sunrpc/xprt.c35
-rw-r--r--net/sunrpc/xprtsock.c10
-rw-r--r--net/tipc/socket.c40
-rw-r--r--net/tipc/udp_media.c9
-rw-r--r--net/tls/tls_main.c44
-rw-r--r--net/vmw_vsock/af_vsock.c7
-rw-r--r--net/vmw_vsock/vmci_transport.c67
-rw-r--r--net/wireless/nl80211.c4
-rw-r--r--net/xfrm/xfrm_input.c7
-rw-r--r--net/xfrm/xfrm_output.c1
-rw-r--r--net/xfrm/xfrm_state.c10
-rw-r--r--net/xfrm/xfrm_user.c4
47 files changed, 381 insertions, 202 deletions
diff --git a/net/can/raw.c b/net/can/raw.c
index 3aab7664933f..c70207537488 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -771,7 +771,7 @@ static int raw_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
771 if (err < 0) 771 if (err < 0)
772 goto free_skb; 772 goto free_skb;
773 773
774 sock_tx_timestamp(sk, sk->sk_tsflags, &skb_shinfo(skb)->tx_flags); 774 skb_setup_tx_timestamp(skb, sk->sk_tsflags);
775 775
776 skb->dev = dev; 776 skb->dev = dev;
777 skb->sk = sk; 777 skb->sk = sk;
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 2e8d91e54179..9f2840510e63 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -783,6 +783,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
783 /* Pass parameters to the BPF program */ 783 /* Pass parameters to the BPF program */
784 cb->qdisc_cb.flow_keys = &flow_keys; 784 cb->qdisc_cb.flow_keys = &flow_keys;
785 flow_keys.nhoff = nhoff; 785 flow_keys.nhoff = nhoff;
786 flow_keys.thoff = nhoff;
786 787
787 bpf_compute_data_pointers((struct sk_buff *)skb); 788 bpf_compute_data_pointers((struct sk_buff *)skb);
788 result = BPF_PROG_RUN(attached, skb); 789 result = BPF_PROG_RUN(attached, skb);
@@ -790,9 +791,12 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
790 /* Restore state */ 791 /* Restore state */
791 memcpy(cb, &cb_saved, sizeof(cb_saved)); 792 memcpy(cb, &cb_saved, sizeof(cb_saved));
792 793
794 flow_keys.nhoff = clamp_t(u16, flow_keys.nhoff, 0, skb->len);
795 flow_keys.thoff = clamp_t(u16, flow_keys.thoff,
796 flow_keys.nhoff, skb->len);
797
793 __skb_flow_bpf_to_target(&flow_keys, flow_dissector, 798 __skb_flow_bpf_to_target(&flow_keys, flow_dissector,
794 target_container); 799 target_container);
795 key_control->thoff = min_t(u16, key_control->thoff, skb->len);
796 rcu_read_unlock(); 800 rcu_read_unlock();
797 return result == BPF_OK; 801 return result == BPF_OK;
798 } 802 }
diff --git a/net/core/gro_cells.c b/net/core/gro_cells.c
index 4b54e5f107c6..acf45ddbe924 100644
--- a/net/core/gro_cells.c
+++ b/net/core/gro_cells.c
@@ -84,6 +84,7 @@ void gro_cells_destroy(struct gro_cells *gcells)
84 for_each_possible_cpu(i) { 84 for_each_possible_cpu(i) {
85 struct gro_cell *cell = per_cpu_ptr(gcells->cells, i); 85 struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
86 86
87 napi_disable(&cell->napi);
87 netif_napi_del(&cell->napi); 88 netif_napi_del(&cell->napi);
88 __skb_queue_purge(&cell->napi_skbs); 89 __skb_queue_purge(&cell->napi_skbs);
89 } 90 }
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 8baa9ab01db6..fa384f775f1a 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2629,11 +2629,16 @@ static int neigh_valid_dump_req(const struct nlmsghdr *nlh,
2629 2629
2630 ndm = nlmsg_data(nlh); 2630 ndm = nlmsg_data(nlh);
2631 if (ndm->ndm_pad1 || ndm->ndm_pad2 || ndm->ndm_ifindex || 2631 if (ndm->ndm_pad1 || ndm->ndm_pad2 || ndm->ndm_ifindex ||
2632 ndm->ndm_state || ndm->ndm_flags || ndm->ndm_type) { 2632 ndm->ndm_state || ndm->ndm_type) {
2633 NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor dump request"); 2633 NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor dump request");
2634 return -EINVAL; 2634 return -EINVAL;
2635 } 2635 }
2636 2636
2637 if (ndm->ndm_flags & ~NTF_PROXY) {
2638 NL_SET_ERR_MSG(extack, "Invalid flags in header for neighbor dump request");
2639 return -EINVAL;
2640 }
2641
2637 err = nlmsg_parse_strict(nlh, sizeof(struct ndmsg), tb, NDA_MAX, 2642 err = nlmsg_parse_strict(nlh, sizeof(struct ndmsg), tb, NDA_MAX,
2638 nda_policy, extack); 2643 nda_policy, extack);
2639 } else { 2644 } else {
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 37b4667128a3..d67ec17f2cc8 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -28,6 +28,8 @@ static int two __maybe_unused = 2;
28static int min_sndbuf = SOCK_MIN_SNDBUF; 28static int min_sndbuf = SOCK_MIN_SNDBUF;
29static int min_rcvbuf = SOCK_MIN_RCVBUF; 29static int min_rcvbuf = SOCK_MIN_RCVBUF;
30static int max_skb_frags = MAX_SKB_FRAGS; 30static int max_skb_frags = MAX_SKB_FRAGS;
31static long long_one __maybe_unused = 1;
32static long long_max __maybe_unused = LONG_MAX;
31 33
32static int net_msg_warn; /* Unused, but still a sysctl */ 34static int net_msg_warn; /* Unused, but still a sysctl */
33 35
@@ -289,6 +291,17 @@ proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
289 291
290 return proc_dointvec_minmax(table, write, buffer, lenp, ppos); 292 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
291} 293}
294
295static int
296proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
297 void __user *buffer, size_t *lenp,
298 loff_t *ppos)
299{
300 if (!capable(CAP_SYS_ADMIN))
301 return -EPERM;
302
303 return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
304}
292#endif 305#endif
293 306
294static struct ctl_table net_core_table[] = { 307static struct ctl_table net_core_table[] = {
@@ -398,10 +411,11 @@ static struct ctl_table net_core_table[] = {
398 { 411 {
399 .procname = "bpf_jit_limit", 412 .procname = "bpf_jit_limit",
400 .data = &bpf_jit_limit, 413 .data = &bpf_jit_limit,
401 .maxlen = sizeof(int), 414 .maxlen = sizeof(long),
402 .mode = 0600, 415 .mode = 0600,
403 .proc_handler = proc_dointvec_minmax_bpf_restricted, 416 .proc_handler = proc_dolongvec_minmax_bpf_restricted,
404 .extra1 = &one, 417 .extra1 = &long_one,
418 .extra2 = &long_max,
405 }, 419 },
406#endif 420#endif
407 { 421 {
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b9b6d497f71..04ba321ae5ce 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -952,17 +952,18 @@ static int inet_abc_len(__be32 addr)
952{ 952{
953 int rc = -1; /* Something else, probably a multicast. */ 953 int rc = -1; /* Something else, probably a multicast. */
954 954
955 if (ipv4_is_zeronet(addr)) 955 if (ipv4_is_zeronet(addr) || ipv4_is_lbcast(addr))
956 rc = 0; 956 rc = 0;
957 else { 957 else {
958 __u32 haddr = ntohl(addr); 958 __u32 haddr = ntohl(addr);
959
960 if (IN_CLASSA(haddr)) 959 if (IN_CLASSA(haddr))
961 rc = 8; 960 rc = 8;
962 else if (IN_CLASSB(haddr)) 961 else if (IN_CLASSB(haddr))
963 rc = 16; 962 rc = 16;
964 else if (IN_CLASSC(haddr)) 963 else if (IN_CLASSC(haddr))
965 rc = 24; 964 rc = 24;
965 else if (IN_CLASSE(haddr))
966 rc = 32;
966 } 967 }
967 968
968 return rc; 969 return rc;
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 06ee4696703c..00ec819f949b 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -79,6 +79,7 @@ static int ip_forward_finish(struct net *net, struct sock *sk, struct sk_buff *s
79 if (unlikely(opt->optlen)) 79 if (unlikely(opt->optlen))
80 ip_forward_options(skb); 80 ip_forward_options(skb);
81 81
82 skb->tstamp = 0;
82 return dst_output(net, sk, skb); 83 return dst_output(net, sk, skb);
83} 84}
84 85
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index aa0b22697998..867be8f7f1fa 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -346,10 +346,10 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
346 struct net *net = container_of(qp->q.net, struct net, ipv4.frags); 346 struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
347 struct rb_node **rbn, *parent; 347 struct rb_node **rbn, *parent;
348 struct sk_buff *skb1, *prev_tail; 348 struct sk_buff *skb1, *prev_tail;
349 int ihl, end, skb1_run_end;
349 struct net_device *dev; 350 struct net_device *dev;
350 unsigned int fragsize; 351 unsigned int fragsize;
351 int flags, offset; 352 int flags, offset;
352 int ihl, end;
353 int err = -ENOENT; 353 int err = -ENOENT;
354 u8 ecn; 354 u8 ecn;
355 355
@@ -419,7 +419,9 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
419 * overlapping fragment, the entire datagram (and any constituent 419 * overlapping fragment, the entire datagram (and any constituent
420 * fragments) MUST be silently discarded. 420 * fragments) MUST be silently discarded.
421 * 421 *
422 * We do the same here for IPv4 (and increment an snmp counter). 422 * We do the same here for IPv4 (and increment an snmp counter) but
423 * we do not want to drop the whole queue in response to a duplicate
424 * fragment.
423 */ 425 */
424 426
425 err = -EINVAL; 427 err = -EINVAL;
@@ -444,13 +446,17 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
444 do { 446 do {
445 parent = *rbn; 447 parent = *rbn;
446 skb1 = rb_to_skb(parent); 448 skb1 = rb_to_skb(parent);
449 skb1_run_end = skb1->ip_defrag_offset +
450 FRAG_CB(skb1)->frag_run_len;
447 if (end <= skb1->ip_defrag_offset) 451 if (end <= skb1->ip_defrag_offset)
448 rbn = &parent->rb_left; 452 rbn = &parent->rb_left;
449 else if (offset >= skb1->ip_defrag_offset + 453 else if (offset >= skb1_run_end)
450 FRAG_CB(skb1)->frag_run_len)
451 rbn = &parent->rb_right; 454 rbn = &parent->rb_right;
452 else /* Found an overlap with skb1. */ 455 else if (offset >= skb1->ip_defrag_offset &&
453 goto overlap; 456 end <= skb1_run_end)
457 goto err; /* No new data, potential duplicate */
458 else
459 goto overlap; /* Found an overlap */
454 } while (*rbn); 460 } while (*rbn);
455 /* Here we have parent properly set, and rbn pointing to 461 /* Here we have parent properly set, and rbn pointing to
456 * one of its NULL left/right children. Insert skb. 462 * one of its NULL left/right children. Insert skb.
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 208a5b4419c6..b9a9873c25c6 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -429,6 +429,8 @@ static int __init ic_defaults(void)
429 ic_netmask = htonl(IN_CLASSB_NET); 429 ic_netmask = htonl(IN_CLASSB_NET);
430 else if (IN_CLASSC(ntohl(ic_myaddr))) 430 else if (IN_CLASSC(ntohl(ic_myaddr)))
431 ic_netmask = htonl(IN_CLASSC_NET); 431 ic_netmask = htonl(IN_CLASSC_NET);
432 else if (IN_CLASSE(ntohl(ic_myaddr)))
433 ic_netmask = htonl(IN_CLASSE_NET);
432 else { 434 else {
433 pr_err("IP-Config: Unable to guess netmask for address %pI4\n", 435 pr_err("IP-Config: Unable to guess netmask for address %pI4\n",
434 &ic_myaddr); 436 &ic_myaddr);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 75c654924532..ddbf8c9a1abb 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -69,6 +69,8 @@
69#include <net/nexthop.h> 69#include <net/nexthop.h>
70#include <net/switchdev.h> 70#include <net/switchdev.h>
71 71
72#include <linux/nospec.h>
73
72struct ipmr_rule { 74struct ipmr_rule {
73 struct fib_rule common; 75 struct fib_rule common;
74}; 76};
@@ -1612,6 +1614,7 @@ int ipmr_ioctl(struct sock *sk, int cmd, void __user *arg)
1612 return -EFAULT; 1614 return -EFAULT;
1613 if (vr.vifi >= mrt->maxvif) 1615 if (vr.vifi >= mrt->maxvif)
1614 return -EINVAL; 1616 return -EINVAL;
1617 vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
1615 read_lock(&mrt_lock); 1618 read_lock(&mrt_lock);
1616 vif = &mrt->vif_table[vr.vifi]; 1619 vif = &mrt->vif_table[vr.vifi];
1617 if (VIF_EXISTS(mrt, vr.vifi)) { 1620 if (VIF_EXISTS(mrt, vr.vifi)) {
@@ -1686,6 +1689,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
1686 return -EFAULT; 1689 return -EFAULT;
1687 if (vr.vifi >= mrt->maxvif) 1690 if (vr.vifi >= mrt->maxvif)
1688 return -EINVAL; 1691 return -EINVAL;
1692 vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
1689 read_lock(&mrt_lock); 1693 read_lock(&mrt_lock);
1690 vif = &mrt->vif_table[vr.vifi]; 1694 vif = &mrt->vif_table[vr.vifi];
1691 if (VIF_EXISTS(mrt, vr.vifi)) { 1695 if (VIF_EXISTS(mrt, vr.vifi)) {
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 076f51646d26..c55a5432cf37 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -390,7 +390,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
390 390
391 skb->ip_summed = CHECKSUM_NONE; 391 skb->ip_summed = CHECKSUM_NONE;
392 392
393 sock_tx_timestamp(sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); 393 skb_setup_tx_timestamp(skb, sockc->tsflags);
394 394
395 if (flags & MSG_CONFIRM) 395 if (flags & MSG_CONFIRM)
396 skb_set_dst_pending_confirm(skb, 1); 396 skb_set_dst_pending_confirm(skb, 1);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 703a8e801c5c..5f9fa0302b5a 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -385,6 +385,7 @@ static inline int ip6_forward_finish(struct net *net, struct sock *sk,
385 } 385 }
386#endif 386#endif
387 387
388 skb->tstamp = 0;
388 return dst_output(net, sk, skb); 389 return dst_output(net, sk, skb);
389} 390}
390 391
diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
index 3965d5396b0a..ad1a9ccd4b44 100644
--- a/net/ipv6/ip6_udp_tunnel.c
+++ b/net/ipv6/ip6_udp_tunnel.c
@@ -15,7 +15,7 @@
15int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, 15int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
16 struct socket **sockp) 16 struct socket **sockp)
17{ 17{
18 struct sockaddr_in6 udp6_addr; 18 struct sockaddr_in6 udp6_addr = {};
19 int err; 19 int err;
20 struct socket *sock = NULL; 20 struct socket *sock = NULL;
21 21
@@ -58,6 +58,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
58 goto error; 58 goto error;
59 59
60 if (cfg->peer_udp_port) { 60 if (cfg->peer_udp_port) {
61 memset(&udp6_addr, 0, sizeof(udp6_addr));
61 udp6_addr.sin6_family = AF_INET6; 62 udp6_addr.sin6_family = AF_INET6;
62 memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6, 63 memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
63 sizeof(udp6_addr.sin6_addr)); 64 sizeof(udp6_addr.sin6_addr));
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 34b8a90e6be2..8276f1224f16 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -52,6 +52,8 @@
52#include <net/ip6_checksum.h> 52#include <net/ip6_checksum.h>
53#include <linux/netconf.h> 53#include <linux/netconf.h>
54 54
55#include <linux/nospec.h>
56
55struct ip6mr_rule { 57struct ip6mr_rule {
56 struct fib_rule common; 58 struct fib_rule common;
57}; 59};
@@ -1841,6 +1843,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
1841 return -EFAULT; 1843 return -EFAULT;
1842 if (vr.mifi >= mrt->maxvif) 1844 if (vr.mifi >= mrt->maxvif)
1843 return -EINVAL; 1845 return -EINVAL;
1846 vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
1844 read_lock(&mrt_lock); 1847 read_lock(&mrt_lock);
1845 vif = &mrt->vif_table[vr.mifi]; 1848 vif = &mrt->vif_table[vr.mifi];
1846 if (VIF_EXISTS(mrt, vr.mifi)) { 1849 if (VIF_EXISTS(mrt, vr.mifi)) {
@@ -1915,6 +1918,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
1915 return -EFAULT; 1918 return -EFAULT;
1916 if (vr.mifi >= mrt->maxvif) 1919 if (vr.mifi >= mrt->maxvif)
1917 return -EINVAL; 1920 return -EINVAL;
1921 vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
1918 read_lock(&mrt_lock); 1922 read_lock(&mrt_lock);
1919 vif = &mrt->vif_table[vr.mifi]; 1923 vif = &mrt->vif_table[vr.mifi];
1920 if (VIF_EXISTS(mrt, vr.mifi)) { 1924 if (VIF_EXISTS(mrt, vr.mifi)) {
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index aed7eb5c2123..5a426226c762 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -657,6 +657,8 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
657 657
658 skb->ip_summed = CHECKSUM_NONE; 658 skb->ip_summed = CHECKSUM_NONE;
659 659
660 skb_setup_tx_timestamp(skb, sockc->tsflags);
661
660 if (flags & MSG_CONFIRM) 662 if (flags & MSG_CONFIRM)
661 skb_set_dst_pending_confirm(skb, 1); 663 skb_set_dst_pending_confirm(skb, 1);
662 664
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index e9652e623a31..4a6ff1482a9f 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -7,6 +7,7 @@
7 * Copyright 2008, Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
8 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright 2013-2014 Intel Mobile Communications GmbH
9 * Copyright (c) 2016 Intel Deutschland GmbH 9 * Copyright (c) 2016 Intel Deutschland GmbH
10 * Copyright (C) 2018 Intel Corporation
10 * 11 *
11 * This program is free software; you can redistribute it and/or modify 12 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2 as 13 * it under the terms of the GNU General Public License version 2 as
@@ -1949,6 +1950,8 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
1949 WARN(local->open_count, "%s: open count remains %d\n", 1950 WARN(local->open_count, "%s: open count remains %d\n",
1950 wiphy_name(local->hw.wiphy), local->open_count); 1951 wiphy_name(local->hw.wiphy), local->open_count);
1951 1952
1953 ieee80211_txq_teardown_flows(local);
1954
1952 mutex_lock(&local->iflist_mtx); 1955 mutex_lock(&local->iflist_mtx);
1953 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) { 1956 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
1954 list_del(&sdata->list); 1957 list_del(&sdata->list);
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index ada8e16d52d2..87a729926734 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1264,7 +1264,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
1264 rtnl_unlock(); 1264 rtnl_unlock();
1265 ieee80211_led_exit(local); 1265 ieee80211_led_exit(local);
1266 ieee80211_wep_free(local); 1266 ieee80211_wep_free(local);
1267 ieee80211_txq_teardown_flows(local);
1268 fail_flows: 1267 fail_flows:
1269 destroy_workqueue(local->workqueue); 1268 destroy_workqueue(local->workqueue);
1270 fail_workqueue: 1269 fail_workqueue:
@@ -1290,7 +1289,6 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
1290#if IS_ENABLED(CONFIG_IPV6) 1289#if IS_ENABLED(CONFIG_IPV6)
1291 unregister_inet6addr_notifier(&local->ifa6_notifier); 1290 unregister_inet6addr_notifier(&local->ifa6_notifier);
1292#endif 1291#endif
1293 ieee80211_txq_teardown_flows(local);
1294 1292
1295 rtnl_lock(); 1293 rtnl_lock();
1296 1294
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index a794ca729000..3f0b96e1e02f 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -556,6 +556,11 @@ static void ieee80211_report_used_skb(struct ieee80211_local *local,
556 } 556 }
557 557
558 ieee80211_led_tx(local); 558 ieee80211_led_tx(local);
559
560 if (skb_has_frag_list(skb)) {
561 kfree_skb_list(skb_shinfo(skb)->frag_list);
562 skb_shinfo(skb)->frag_list = NULL;
563 }
559} 564}
560 565
561/* 566/*
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 4eef55da0878..8da228da53ae 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -531,8 +531,8 @@ nla_put_failure:
531 ret = -EMSGSIZE; 531 ret = -EMSGSIZE;
532 } else { 532 } else {
533 cb->args[IPSET_CB_ARG0] = i; 533 cb->args[IPSET_CB_ARG0] = i;
534 ipset_nest_end(skb, atd);
534 } 535 }
535 ipset_nest_end(skb, atd);
536out: 536out:
537 rcu_read_unlock(); 537 rcu_read_unlock();
538 return ret; 538 return ret;
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index b6d0f6deea86..9cd180bda092 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -427,7 +427,7 @@ insert_tree(struct net *net,
427 count = 1; 427 count = 1;
428 rbconn->list.count = count; 428 rbconn->list.count = count;
429 429
430 rb_link_node(&rbconn->node, parent, rbnode); 430 rb_link_node_rcu(&rbconn->node, parent, rbnode);
431 rb_insert_color(&rbconn->node, root); 431 rb_insert_color(&rbconn->node, root);
432out_unlock: 432out_unlock:
433 spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]); 433 spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index a975efd6b8c3..9da303461069 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -115,12 +115,12 @@ static void nf_ct_sack_block_adjust(struct sk_buff *skb,
115/* TCP SACK sequence number adjustment */ 115/* TCP SACK sequence number adjustment */
116static unsigned int nf_ct_sack_adjust(struct sk_buff *skb, 116static unsigned int nf_ct_sack_adjust(struct sk_buff *skb,
117 unsigned int protoff, 117 unsigned int protoff,
118 struct tcphdr *tcph,
119 struct nf_conn *ct, 118 struct nf_conn *ct,
120 enum ip_conntrack_info ctinfo) 119 enum ip_conntrack_info ctinfo)
121{ 120{
122 unsigned int dir, optoff, optend; 121 struct tcphdr *tcph = (void *)skb->data + protoff;
123 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 122 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
123 unsigned int dir, optoff, optend;
124 124
125 optoff = protoff + sizeof(struct tcphdr); 125 optoff = protoff + sizeof(struct tcphdr);
126 optend = protoff + tcph->doff * 4; 126 optend = protoff + tcph->doff * 4;
@@ -128,6 +128,7 @@ static unsigned int nf_ct_sack_adjust(struct sk_buff *skb,
128 if (!skb_make_writable(skb, optend)) 128 if (!skb_make_writable(skb, optend))
129 return 0; 129 return 0;
130 130
131 tcph = (void *)skb->data + protoff;
131 dir = CTINFO2DIR(ctinfo); 132 dir = CTINFO2DIR(ctinfo);
132 133
133 while (optoff < optend) { 134 while (optoff < optend) {
@@ -207,7 +208,7 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
207 ntohl(newack)); 208 ntohl(newack));
208 tcph->ack_seq = newack; 209 tcph->ack_seq = newack;
209 210
210 res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo); 211 res = nf_ct_sack_adjust(skb, protoff, ct, ctinfo);
211out: 212out:
212 spin_unlock_bh(&ct->lock); 213 spin_unlock_bh(&ct->lock);
213 214
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index e2b196054dfc..2268b10a9dcf 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -117,7 +117,8 @@ int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
117 dst = skb_dst(skb); 117 dst = skb_dst(skb);
118 if (dst->xfrm) 118 if (dst->xfrm)
119 dst = ((struct xfrm_dst *)dst)->route; 119 dst = ((struct xfrm_dst *)dst)->route;
120 dst_hold(dst); 120 if (!dst_hold_safe(dst))
121 return -EHOSTUNREACH;
121 122
122 if (sk && !net_eq(net, sock_net(sk))) 123 if (sk && !net_eq(net, sock_net(sk)))
123 sk = NULL; 124 sk = NULL;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2e61aab6ed73..6e548d7c9f67 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1216,7 +1216,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1216 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1216 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1217 goto nla_put_failure; 1217 goto nla_put_failure;
1218 1218
1219 if (basechain->stats && nft_dump_stats(skb, basechain->stats)) 1219 if (rcu_access_pointer(basechain->stats) &&
1220 nft_dump_stats(skb, rcu_dereference(basechain->stats)))
1220 goto nla_put_failure; 1221 goto nla_put_failure;
1221 } 1222 }
1222 1223
@@ -1392,7 +1393,8 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1392 return newstats; 1393 return newstats;
1393} 1394}
1394 1395
1395static void nft_chain_stats_replace(struct nft_base_chain *chain, 1396static void nft_chain_stats_replace(struct net *net,
1397 struct nft_base_chain *chain,
1396 struct nft_stats __percpu *newstats) 1398 struct nft_stats __percpu *newstats)
1397{ 1399{
1398 struct nft_stats __percpu *oldstats; 1400 struct nft_stats __percpu *oldstats;
@@ -1400,8 +1402,9 @@ static void nft_chain_stats_replace(struct nft_base_chain *chain,
1400 if (newstats == NULL) 1402 if (newstats == NULL)
1401 return; 1403 return;
1402 1404
1403 if (chain->stats) { 1405 if (rcu_access_pointer(chain->stats)) {
1404 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES); 1406 oldstats = rcu_dereference_protected(chain->stats,
1407 lockdep_commit_lock_is_held(net));
1405 rcu_assign_pointer(chain->stats, newstats); 1408 rcu_assign_pointer(chain->stats, newstats);
1406 synchronize_rcu(); 1409 synchronize_rcu();
1407 free_percpu(oldstats); 1410 free_percpu(oldstats);
@@ -1439,9 +1442,10 @@ static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1439 struct nft_base_chain *basechain = nft_base_chain(chain); 1442 struct nft_base_chain *basechain = nft_base_chain(chain);
1440 1443
1441 module_put(basechain->type->owner); 1444 module_put(basechain->type->owner);
1442 free_percpu(basechain->stats); 1445 if (rcu_access_pointer(basechain->stats)) {
1443 if (basechain->stats)
1444 static_branch_dec(&nft_counters_enabled); 1446 static_branch_dec(&nft_counters_enabled);
1447 free_percpu(rcu_dereference_raw(basechain->stats));
1448 }
1445 kfree(chain->name); 1449 kfree(chain->name);
1446 kfree(basechain); 1450 kfree(basechain);
1447 } else { 1451 } else {
@@ -1590,7 +1594,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1590 kfree(basechain); 1594 kfree(basechain);
1591 return PTR_ERR(stats); 1595 return PTR_ERR(stats);
1592 } 1596 }
1593 basechain->stats = stats; 1597 rcu_assign_pointer(basechain->stats, stats);
1594 static_branch_inc(&nft_counters_enabled); 1598 static_branch_inc(&nft_counters_enabled);
1595 } 1599 }
1596 1600
@@ -6180,7 +6184,8 @@ static void nft_chain_commit_update(struct nft_trans *trans)
6180 return; 6184 return;
6181 6185
6182 basechain = nft_base_chain(trans->ctx.chain); 6186 basechain = nft_base_chain(trans->ctx.chain);
6183 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans)); 6187 nft_chain_stats_replace(trans->ctx.net, basechain,
6188 nft_trans_chain_stats(trans));
6184 6189
6185 switch (nft_trans_chain_policy(trans)) { 6190 switch (nft_trans_chain_policy(trans)) {
6186 case NF_DROP: 6191 case NF_DROP:
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 3fbce3b9c5ec..a50500232b0a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -101,7 +101,7 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain,
101 struct nft_stats *stats; 101 struct nft_stats *stats;
102 102
103 base_chain = nft_base_chain(chain); 103 base_chain = nft_base_chain(chain);
104 if (!base_chain->stats) 104 if (!rcu_access_pointer(base_chain->stats))
105 return; 105 return;
106 106
107 local_bh_disable(); 107 local_bh_disable();
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6bb9f3cde0b0..3c023d6120f6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1706,7 +1706,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
1706 nlk->flags &= ~NETLINK_F_EXT_ACK; 1706 nlk->flags &= ~NETLINK_F_EXT_ACK;
1707 err = 0; 1707 err = 0;
1708 break; 1708 break;
1709 case NETLINK_DUMP_STRICT_CHK: 1709 case NETLINK_GET_STRICT_CHK:
1710 if (val) 1710 if (val)
1711 nlk->flags |= NETLINK_F_STRICT_CHK; 1711 nlk->flags |= NETLINK_F_STRICT_CHK;
1712 else 1712 else
@@ -1806,7 +1806,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
1806 return -EFAULT; 1806 return -EFAULT;
1807 err = 0; 1807 err = 0;
1808 break; 1808 break;
1809 case NETLINK_DUMP_STRICT_CHK: 1809 case NETLINK_GET_STRICT_CHK:
1810 if (len < sizeof(int)) 1810 if (len < sizeof(int))
1811 return -EINVAL; 1811 return -EINVAL;
1812 len = sizeof(int); 1812 len = sizeof(int);
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a74650e98f42..6655793765b2 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1965,7 +1965,7 @@ retry:
1965 skb->mark = sk->sk_mark; 1965 skb->mark = sk->sk_mark;
1966 skb->tstamp = sockc.transmit_time; 1966 skb->tstamp = sockc.transmit_time;
1967 1967
1968 sock_tx_timestamp(sk, sockc.tsflags, &skb_shinfo(skb)->tx_flags); 1968 skb_setup_tx_timestamp(skb, sockc.tsflags);
1969 1969
1970 if (unlikely(extra_len == 4)) 1970 if (unlikely(extra_len == 4))
1971 skb->no_fcs = 1; 1971 skb->no_fcs = 1;
@@ -2460,7 +2460,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
2460 skb->priority = po->sk.sk_priority; 2460 skb->priority = po->sk.sk_priority;
2461 skb->mark = po->sk.sk_mark; 2461 skb->mark = po->sk.sk_mark;
2462 skb->tstamp = sockc->transmit_time; 2462 skb->tstamp = sockc->transmit_time;
2463 sock_tx_timestamp(&po->sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); 2463 skb_setup_tx_timestamp(skb, sockc->tsflags);
2464 skb_zcopy_set_nouarg(skb, ph.raw); 2464 skb_zcopy_set_nouarg(skb, ph.raw);
2465 2465
2466 skb_reserve(skb, hlen); 2466 skb_reserve(skb, hlen);
@@ -2898,7 +2898,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
2898 goto out_free; 2898 goto out_free;
2899 } 2899 }
2900 2900
2901 sock_tx_timestamp(sk, sockc.tsflags, &skb_shinfo(skb)->tx_flags); 2901 skb_setup_tx_timestamp(skb, sockc.tsflags);
2902 2902
2903 if (!vnet_hdr.gso_type && (len > dev->mtu + reserve + extra_len) && 2903 if (!vnet_hdr.gso_type && (len > dev->mtu + reserve + extra_len) &&
2904 !packet_extra_vlan_len_allowed(dev, skb)) { 2904 !packet_extra_vlan_len_allowed(dev, skb)) {
diff --git a/net/rds/message.c b/net/rds/message.c
index 4b00b1152a5f..f139420ba1f6 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -308,16 +308,27 @@ out:
308/* 308/*
309 * RDS ops use this to grab SG entries from the rm's sg pool. 309 * RDS ops use this to grab SG entries from the rm's sg pool.
310 */ 310 */
311struct scatterlist *rds_message_alloc_sgs(struct rds_message *rm, int nents) 311struct scatterlist *rds_message_alloc_sgs(struct rds_message *rm, int nents,
312 int *ret)
312{ 313{
313 struct scatterlist *sg_first = (struct scatterlist *) &rm[1]; 314 struct scatterlist *sg_first = (struct scatterlist *) &rm[1];
314 struct scatterlist *sg_ret; 315 struct scatterlist *sg_ret;
315 316
316 WARN_ON(rm->m_used_sgs + nents > rm->m_total_sgs); 317 if (WARN_ON(!ret))
317 WARN_ON(!nents); 318 return NULL;
318 319
319 if (rm->m_used_sgs + nents > rm->m_total_sgs) 320 if (nents <= 0) {
321 pr_warn("rds: alloc sgs failed! nents <= 0\n");
322 *ret = -EINVAL;
320 return NULL; 323 return NULL;
324 }
325
326 if (rm->m_used_sgs + nents > rm->m_total_sgs) {
327 pr_warn("rds: alloc sgs failed! total %d used %d nents %d\n",
328 rm->m_total_sgs, rm->m_used_sgs, nents);
329 *ret = -ENOMEM;
330 return NULL;
331 }
321 332
322 sg_ret = &sg_first[rm->m_used_sgs]; 333 sg_ret = &sg_first[rm->m_used_sgs];
323 sg_init_table(sg_ret, nents); 334 sg_init_table(sg_ret, nents);
@@ -332,6 +343,7 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
332 unsigned int i; 343 unsigned int i;
333 int num_sgs = ceil(total_len, PAGE_SIZE); 344 int num_sgs = ceil(total_len, PAGE_SIZE);
334 int extra_bytes = num_sgs * sizeof(struct scatterlist); 345 int extra_bytes = num_sgs * sizeof(struct scatterlist);
346 int ret;
335 347
336 rm = rds_message_alloc(extra_bytes, GFP_NOWAIT); 348 rm = rds_message_alloc(extra_bytes, GFP_NOWAIT);
337 if (!rm) 349 if (!rm)
@@ -340,10 +352,10 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
340 set_bit(RDS_MSG_PAGEVEC, &rm->m_flags); 352 set_bit(RDS_MSG_PAGEVEC, &rm->m_flags);
341 rm->m_inc.i_hdr.h_len = cpu_to_be32(total_len); 353 rm->m_inc.i_hdr.h_len = cpu_to_be32(total_len);
342 rm->data.op_nents = ceil(total_len, PAGE_SIZE); 354 rm->data.op_nents = ceil(total_len, PAGE_SIZE);
343 rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); 355 rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs, &ret);
344 if (!rm->data.op_sg) { 356 if (!rm->data.op_sg) {
345 rds_message_put(rm); 357 rds_message_put(rm);
346 return ERR_PTR(-ENOMEM); 358 return ERR_PTR(ret);
347 } 359 }
348 360
349 for (i = 0; i < rm->data.op_nents; ++i) { 361 for (i = 0; i < rm->data.op_nents; ++i) {
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 98237feb607a..182ab8430594 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -517,9 +517,10 @@ static int rds_rdma_pages(struct rds_iovec iov[], int nr_iovecs)
517 return tot_pages; 517 return tot_pages;
518} 518}
519 519
520int rds_rdma_extra_size(struct rds_rdma_args *args) 520int rds_rdma_extra_size(struct rds_rdma_args *args,
521 struct rds_iov_vector *iov)
521{ 522{
522 struct rds_iovec vec; 523 struct rds_iovec *vec;
523 struct rds_iovec __user *local_vec; 524 struct rds_iovec __user *local_vec;
524 int tot_pages = 0; 525 int tot_pages = 0;
525 unsigned int nr_pages; 526 unsigned int nr_pages;
@@ -530,13 +531,23 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
530 if (args->nr_local == 0) 531 if (args->nr_local == 0)
531 return -EINVAL; 532 return -EINVAL;
532 533
534 iov->iov = kcalloc(args->nr_local,
535 sizeof(struct rds_iovec),
536 GFP_KERNEL);
537 if (!iov->iov)
538 return -ENOMEM;
539
540 vec = &iov->iov[0];
541
542 if (copy_from_user(vec, local_vec, args->nr_local *
543 sizeof(struct rds_iovec)))
544 return -EFAULT;
545 iov->len = args->nr_local;
546
533 /* figure out the number of pages in the vector */ 547 /* figure out the number of pages in the vector */
534 for (i = 0; i < args->nr_local; i++) { 548 for (i = 0; i < args->nr_local; i++, vec++) {
535 if (copy_from_user(&vec, &local_vec[i],
536 sizeof(struct rds_iovec)))
537 return -EFAULT;
538 549
539 nr_pages = rds_pages_in_vec(&vec); 550 nr_pages = rds_pages_in_vec(vec);
540 if (nr_pages == 0) 551 if (nr_pages == 0)
541 return -EINVAL; 552 return -EINVAL;
542 553
@@ -558,15 +569,15 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
558 * Extract all arguments and set up the rdma_op 569 * Extract all arguments and set up the rdma_op
559 */ 570 */
560int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, 571int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
561 struct cmsghdr *cmsg) 572 struct cmsghdr *cmsg,
573 struct rds_iov_vector *vec)
562{ 574{
563 struct rds_rdma_args *args; 575 struct rds_rdma_args *args;
564 struct rm_rdma_op *op = &rm->rdma; 576 struct rm_rdma_op *op = &rm->rdma;
565 int nr_pages; 577 int nr_pages;
566 unsigned int nr_bytes; 578 unsigned int nr_bytes;
567 struct page **pages = NULL; 579 struct page **pages = NULL;
568 struct rds_iovec iovstack[UIO_FASTIOV], *iovs = iovstack; 580 struct rds_iovec *iovs;
569 int iov_size;
570 unsigned int i, j; 581 unsigned int i, j;
571 int ret = 0; 582 int ret = 0;
572 583
@@ -586,31 +597,23 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
586 goto out_ret; 597 goto out_ret;
587 } 598 }
588 599
589 /* Check whether to allocate the iovec area */ 600 if (vec->len != args->nr_local) {
590 iov_size = args->nr_local * sizeof(struct rds_iovec); 601 ret = -EINVAL;
591 if (args->nr_local > UIO_FASTIOV) { 602 goto out_ret;
592 iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size, GFP_KERNEL);
593 if (!iovs) {
594 ret = -ENOMEM;
595 goto out_ret;
596 }
597 } 603 }
598 604
599 if (copy_from_user(iovs, (struct rds_iovec __user *)(unsigned long) args->local_vec_addr, iov_size)) { 605 iovs = vec->iov;
600 ret = -EFAULT;
601 goto out;
602 }
603 606
604 nr_pages = rds_rdma_pages(iovs, args->nr_local); 607 nr_pages = rds_rdma_pages(iovs, args->nr_local);
605 if (nr_pages < 0) { 608 if (nr_pages < 0) {
606 ret = -EINVAL; 609 ret = -EINVAL;
607 goto out; 610 goto out_ret;
608 } 611 }
609 612
610 pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL); 613 pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL);
611 if (!pages) { 614 if (!pages) {
612 ret = -ENOMEM; 615 ret = -ENOMEM;
613 goto out; 616 goto out_ret;
614 } 617 }
615 618
616 op->op_write = !!(args->flags & RDS_RDMA_READWRITE); 619 op->op_write = !!(args->flags & RDS_RDMA_READWRITE);
@@ -620,11 +623,9 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
620 op->op_active = 1; 623 op->op_active = 1;
621 op->op_recverr = rs->rs_recverr; 624 op->op_recverr = rs->rs_recverr;
622 WARN_ON(!nr_pages); 625 WARN_ON(!nr_pages);
623 op->op_sg = rds_message_alloc_sgs(rm, nr_pages); 626 op->op_sg = rds_message_alloc_sgs(rm, nr_pages, &ret);
624 if (!op->op_sg) { 627 if (!op->op_sg)
625 ret = -ENOMEM; 628 goto out_pages;
626 goto out;
627 }
628 629
629 if (op->op_notify || op->op_recverr) { 630 if (op->op_notify || op->op_recverr) {
630 /* We allocate an uninitialized notifier here, because 631 /* We allocate an uninitialized notifier here, because
@@ -635,7 +636,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
635 op->op_notifier = kmalloc(sizeof(struct rds_notifier), GFP_KERNEL); 636 op->op_notifier = kmalloc(sizeof(struct rds_notifier), GFP_KERNEL);
636 if (!op->op_notifier) { 637 if (!op->op_notifier) {
637 ret = -ENOMEM; 638 ret = -ENOMEM;
638 goto out; 639 goto out_pages;
639 } 640 }
640 op->op_notifier->n_user_token = args->user_token; 641 op->op_notifier->n_user_token = args->user_token;
641 op->op_notifier->n_status = RDS_RDMA_SUCCESS; 642 op->op_notifier->n_status = RDS_RDMA_SUCCESS;
@@ -681,7 +682,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
681 */ 682 */
682 ret = rds_pin_pages(iov->addr, nr, pages, !op->op_write); 683 ret = rds_pin_pages(iov->addr, nr, pages, !op->op_write);
683 if (ret < 0) 684 if (ret < 0)
684 goto out; 685 goto out_pages;
685 else 686 else
686 ret = 0; 687 ret = 0;
687 688
@@ -714,13 +715,11 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
714 nr_bytes, 715 nr_bytes,
715 (unsigned int) args->remote_vec.bytes); 716 (unsigned int) args->remote_vec.bytes);
716 ret = -EINVAL; 717 ret = -EINVAL;
717 goto out; 718 goto out_pages;
718 } 719 }
719 op->op_bytes = nr_bytes; 720 op->op_bytes = nr_bytes;
720 721
721out: 722out_pages:
722 if (iovs != iovstack)
723 sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
724 kfree(pages); 723 kfree(pages);
725out_ret: 724out_ret:
726 if (ret) 725 if (ret)
@@ -838,11 +837,9 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
838 rm->atomic.op_silent = !!(args->flags & RDS_RDMA_SILENT); 837 rm->atomic.op_silent = !!(args->flags & RDS_RDMA_SILENT);
839 rm->atomic.op_active = 1; 838 rm->atomic.op_active = 1;
840 rm->atomic.op_recverr = rs->rs_recverr; 839 rm->atomic.op_recverr = rs->rs_recverr;
841 rm->atomic.op_sg = rds_message_alloc_sgs(rm, 1); 840 rm->atomic.op_sg = rds_message_alloc_sgs(rm, 1, &ret);
842 if (!rm->atomic.op_sg) { 841 if (!rm->atomic.op_sg)
843 ret = -ENOMEM;
844 goto err; 842 goto err;
845 }
846 843
847 /* verify 8 byte-aligned */ 844 /* verify 8 byte-aligned */
848 if (args->local_addr & 0x7) { 845 if (args->local_addr & 0x7) {
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 6bfaf05b63b2..02ec4a3b2799 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -386,6 +386,18 @@ static inline void rds_message_zcopy_queue_init(struct rds_msg_zcopy_queue *q)
386 INIT_LIST_HEAD(&q->zcookie_head); 386 INIT_LIST_HEAD(&q->zcookie_head);
387} 387}
388 388
389struct rds_iov_vector {
390 struct rds_iovec *iov;
391 int len;
392};
393
394struct rds_iov_vector_arr {
395 struct rds_iov_vector *vec;
396 int len;
397 int indx;
398 int incr;
399};
400
389struct rds_message { 401struct rds_message {
390 refcount_t m_refcount; 402 refcount_t m_refcount;
391 struct list_head m_sock_item; 403 struct list_head m_sock_item;
@@ -827,7 +839,8 @@ rds_conn_connecting(struct rds_connection *conn)
827 839
828/* message.c */ 840/* message.c */
829struct rds_message *rds_message_alloc(unsigned int nents, gfp_t gfp); 841struct rds_message *rds_message_alloc(unsigned int nents, gfp_t gfp);
830struct scatterlist *rds_message_alloc_sgs(struct rds_message *rm, int nents); 842struct scatterlist *rds_message_alloc_sgs(struct rds_message *rm, int nents,
843 int *ret);
831int rds_message_copy_from_user(struct rds_message *rm, struct iov_iter *from, 844int rds_message_copy_from_user(struct rds_message *rm, struct iov_iter *from,
832 bool zcopy); 845 bool zcopy);
833struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned int total_len); 846struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned int total_len);
@@ -904,13 +917,13 @@ int rds_get_mr(struct rds_sock *rs, char __user *optval, int optlen);
904int rds_get_mr_for_dest(struct rds_sock *rs, char __user *optval, int optlen); 917int rds_get_mr_for_dest(struct rds_sock *rs, char __user *optval, int optlen);
905int rds_free_mr(struct rds_sock *rs, char __user *optval, int optlen); 918int rds_free_mr(struct rds_sock *rs, char __user *optval, int optlen);
906void rds_rdma_drop_keys(struct rds_sock *rs); 919void rds_rdma_drop_keys(struct rds_sock *rs);
907int rds_rdma_extra_size(struct rds_rdma_args *args); 920int rds_rdma_extra_size(struct rds_rdma_args *args,
908int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, 921 struct rds_iov_vector *iov);
909 struct cmsghdr *cmsg);
910int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm, 922int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm,
911 struct cmsghdr *cmsg); 923 struct cmsghdr *cmsg);
912int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, 924int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
913 struct cmsghdr *cmsg); 925 struct cmsghdr *cmsg,
926 struct rds_iov_vector *vec);
914int rds_cmsg_rdma_map(struct rds_sock *rs, struct rds_message *rm, 927int rds_cmsg_rdma_map(struct rds_sock *rs, struct rds_message *rm,
915 struct cmsghdr *cmsg); 928 struct cmsghdr *cmsg);
916void rds_rdma_free_op(struct rm_rdma_op *ro); 929void rds_rdma_free_op(struct rm_rdma_op *ro);
diff --git a/net/rds/send.c b/net/rds/send.c
index fe785ee819dd..3d822bad7de9 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -876,13 +876,18 @@ out:
876 * rds_message is getting to be quite complicated, and we'd like to allocate 876 * rds_message is getting to be quite complicated, and we'd like to allocate
877 * it all in one go. This figures out how big it needs to be up front. 877 * it all in one go. This figures out how big it needs to be up front.
878 */ 878 */
879static int rds_rm_size(struct msghdr *msg, int num_sgs) 879static int rds_rm_size(struct msghdr *msg, int num_sgs,
880 struct rds_iov_vector_arr *vct)
880{ 881{
881 struct cmsghdr *cmsg; 882 struct cmsghdr *cmsg;
882 int size = 0; 883 int size = 0;
883 int cmsg_groups = 0; 884 int cmsg_groups = 0;
884 int retval; 885 int retval;
885 bool zcopy_cookie = false; 886 bool zcopy_cookie = false;
887 struct rds_iov_vector *iov, *tmp_iov;
888
889 if (num_sgs < 0)
890 return -EINVAL;
886 891
887 for_each_cmsghdr(cmsg, msg) { 892 for_each_cmsghdr(cmsg, msg) {
888 if (!CMSG_OK(msg, cmsg)) 893 if (!CMSG_OK(msg, cmsg))
@@ -893,8 +898,24 @@ static int rds_rm_size(struct msghdr *msg, int num_sgs)
893 898
894 switch (cmsg->cmsg_type) { 899 switch (cmsg->cmsg_type) {
895 case RDS_CMSG_RDMA_ARGS: 900 case RDS_CMSG_RDMA_ARGS:
901 if (vct->indx >= vct->len) {
902 vct->len += vct->incr;
903 tmp_iov =
904 krealloc(vct->vec,
905 vct->len *
906 sizeof(struct rds_iov_vector),
907 GFP_KERNEL);
908 if (!tmp_iov) {
909 vct->len -= vct->incr;
910 return -ENOMEM;
911 }
912 vct->vec = tmp_iov;
913 }
914 iov = &vct->vec[vct->indx];
915 memset(iov, 0, sizeof(struct rds_iov_vector));
916 vct->indx++;
896 cmsg_groups |= 1; 917 cmsg_groups |= 1;
897 retval = rds_rdma_extra_size(CMSG_DATA(cmsg)); 918 retval = rds_rdma_extra_size(CMSG_DATA(cmsg), iov);
898 if (retval < 0) 919 if (retval < 0)
899 return retval; 920 return retval;
900 size += retval; 921 size += retval;
@@ -951,10 +972,11 @@ static int rds_cmsg_zcopy(struct rds_sock *rs, struct rds_message *rm,
951} 972}
952 973
953static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm, 974static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
954 struct msghdr *msg, int *allocated_mr) 975 struct msghdr *msg, int *allocated_mr,
976 struct rds_iov_vector_arr *vct)
955{ 977{
956 struct cmsghdr *cmsg; 978 struct cmsghdr *cmsg;
957 int ret = 0; 979 int ret = 0, ind = 0;
958 980
959 for_each_cmsghdr(cmsg, msg) { 981 for_each_cmsghdr(cmsg, msg) {
960 if (!CMSG_OK(msg, cmsg)) 982 if (!CMSG_OK(msg, cmsg))
@@ -968,7 +990,10 @@ static int rds_cmsg_send(struct rds_sock *rs, struct rds_message *rm,
968 */ 990 */
969 switch (cmsg->cmsg_type) { 991 switch (cmsg->cmsg_type) {
970 case RDS_CMSG_RDMA_ARGS: 992 case RDS_CMSG_RDMA_ARGS:
971 ret = rds_cmsg_rdma_args(rs, rm, cmsg); 993 if (ind >= vct->indx)
994 return -ENOMEM;
995 ret = rds_cmsg_rdma_args(rs, rm, cmsg, &vct->vec[ind]);
996 ind++;
972 break; 997 break;
973 998
974 case RDS_CMSG_RDMA_DEST: 999 case RDS_CMSG_RDMA_DEST:
@@ -1084,6 +1109,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
1084 sock_flag(rds_rs_to_sk(rs), SOCK_ZEROCOPY)); 1109 sock_flag(rds_rs_to_sk(rs), SOCK_ZEROCOPY));
1085 int num_sgs = ceil(payload_len, PAGE_SIZE); 1110 int num_sgs = ceil(payload_len, PAGE_SIZE);
1086 int namelen; 1111 int namelen;
1112 struct rds_iov_vector_arr vct;
1113 int ind;
1114
1115 memset(&vct, 0, sizeof(vct));
1116
1117 /* expect 1 RDMA CMSG per rds_sendmsg. can still grow if more needed. */
1118 vct.incr = 1;
1087 1119
1088 /* Mirror Linux UDP mirror of BSD error message compatibility */ 1120 /* Mirror Linux UDP mirror of BSD error message compatibility */
1089 /* XXX: Perhaps MSG_MORE someday */ 1121 /* XXX: Perhaps MSG_MORE someday */
@@ -1220,7 +1252,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
1220 num_sgs = iov_iter_npages(&msg->msg_iter, INT_MAX); 1252 num_sgs = iov_iter_npages(&msg->msg_iter, INT_MAX);
1221 } 1253 }
1222 /* size of rm including all sgs */ 1254 /* size of rm including all sgs */
1223 ret = rds_rm_size(msg, num_sgs); 1255 ret = rds_rm_size(msg, num_sgs, &vct);
1224 if (ret < 0) 1256 if (ret < 0)
1225 goto out; 1257 goto out;
1226 1258
@@ -1232,11 +1264,9 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
1232 1264
1233 /* Attach data to the rm */ 1265 /* Attach data to the rm */
1234 if (payload_len) { 1266 if (payload_len) {
1235 rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); 1267 rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs, &ret);
1236 if (!rm->data.op_sg) { 1268 if (!rm->data.op_sg)
1237 ret = -ENOMEM;
1238 goto out; 1269 goto out;
1239 }
1240 ret = rds_message_copy_from_user(rm, &msg->msg_iter, zcopy); 1270 ret = rds_message_copy_from_user(rm, &msg->msg_iter, zcopy);
1241 if (ret) 1271 if (ret)
1242 goto out; 1272 goto out;
@@ -1270,7 +1300,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
1270 rm->m_conn_path = cpath; 1300 rm->m_conn_path = cpath;
1271 1301
1272 /* Parse any control messages the user may have included. */ 1302 /* Parse any control messages the user may have included. */
1273 ret = rds_cmsg_send(rs, rm, msg, &allocated_mr); 1303 ret = rds_cmsg_send(rs, rm, msg, &allocated_mr, &vct);
1274 if (ret) { 1304 if (ret) {
1275 /* Trigger connection so that its ready for the next retry */ 1305 /* Trigger connection so that its ready for the next retry */
1276 if (ret == -EAGAIN) 1306 if (ret == -EAGAIN)
@@ -1348,9 +1378,18 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
1348 if (ret) 1378 if (ret)
1349 goto out; 1379 goto out;
1350 rds_message_put(rm); 1380 rds_message_put(rm);
1381
1382 for (ind = 0; ind < vct.indx; ind++)
1383 kfree(vct.vec[ind].iov);
1384 kfree(vct.vec);
1385
1351 return payload_len; 1386 return payload_len;
1352 1387
1353out: 1388out:
1389 for (ind = 0; ind < vct.indx; ind++)
1390 kfree(vct.vec[ind].iov);
1391 kfree(vct.vec);
1392
1354 /* If the user included a RDMA_MAP cmsg, we allocated a MR on the fly. 1393 /* If the user included a RDMA_MAP cmsg, we allocated a MR on the fly.
1355 * If the sendmsg goes through, we keep the MR. If it fails with EAGAIN 1394 * If the sendmsg goes through, we keep the MR. If it fails with EAGAIN
1356 * or in any other way, we need to destroy the MR again */ 1395 * or in any other way, we need to destroy the MR again */
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 1eb2e2c31dd5..dad04e710493 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1372,10 +1372,9 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
1372 fnew->flags |= TCA_CLS_FLAGS_NOT_IN_HW; 1372 fnew->flags |= TCA_CLS_FLAGS_NOT_IN_HW;
1373 1373
1374 if (fold) { 1374 if (fold) {
1375 if (!tc_skip_sw(fold->flags)) 1375 rhashtable_remove_fast(&fold->mask->ht,
1376 rhashtable_remove_fast(&fold->mask->ht, 1376 &fold->ht_node,
1377 &fold->ht_node, 1377 fold->mask->filter_ht_params);
1378 fold->mask->filter_ht_params);
1379 if (!tc_skip_hw(fold->flags)) 1378 if (!tc_skip_hw(fold->flags))
1380 fl_hw_destroy_filter(tp, fold, NULL); 1379 fl_hw_destroy_filter(tp, fold, NULL);
1381 } 1380 }
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 6e27c62646e9..b9ed271b7ef7 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
101 if (addr) { 101 if (addr) {
102 addr->a.v6.sin6_family = AF_INET6; 102 addr->a.v6.sin6_family = AF_INET6;
103 addr->a.v6.sin6_port = 0; 103 addr->a.v6.sin6_port = 0;
104 addr->a.v6.sin6_flowinfo = 0;
104 addr->a.v6.sin6_addr = ifa->addr; 105 addr->a.v6.sin6_addr = ifa->addr;
105 addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; 106 addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
106 addr->valid = 1; 107 addr->valid = 1;
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 63f08b4e51d6..c4da4a78d369 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -147,8 +147,14 @@ static int smc_release(struct socket *sock)
147 sk->sk_shutdown |= SHUTDOWN_MASK; 147 sk->sk_shutdown |= SHUTDOWN_MASK;
148 } 148 }
149 if (smc->clcsock) { 149 if (smc->clcsock) {
150 if (smc->use_fallback && sk->sk_state == SMC_LISTEN) {
151 /* wake up clcsock accept */
152 rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
153 }
154 mutex_lock(&smc->clcsock_release_lock);
150 sock_release(smc->clcsock); 155 sock_release(smc->clcsock);
151 smc->clcsock = NULL; 156 smc->clcsock = NULL;
157 mutex_unlock(&smc->clcsock_release_lock);
152 } 158 }
153 if (smc->use_fallback) { 159 if (smc->use_fallback) {
154 if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) 160 if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT)
@@ -205,6 +211,7 @@ static struct sock *smc_sock_alloc(struct net *net, struct socket *sock,
205 spin_lock_init(&smc->conn.send_lock); 211 spin_lock_init(&smc->conn.send_lock);
206 sk->sk_prot->hash(sk); 212 sk->sk_prot->hash(sk);
207 sk_refcnt_debug_inc(sk); 213 sk_refcnt_debug_inc(sk);
214 mutex_init(&smc->clcsock_release_lock);
208 215
209 return sk; 216 return sk;
210} 217}
@@ -824,7 +831,7 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
824 struct socket *new_clcsock = NULL; 831 struct socket *new_clcsock = NULL;
825 struct sock *lsk = &lsmc->sk; 832 struct sock *lsk = &lsmc->sk;
826 struct sock *new_sk; 833 struct sock *new_sk;
827 int rc; 834 int rc = -EINVAL;
828 835
829 release_sock(lsk); 836 release_sock(lsk);
830 new_sk = smc_sock_alloc(sock_net(lsk), NULL, lsk->sk_protocol); 837 new_sk = smc_sock_alloc(sock_net(lsk), NULL, lsk->sk_protocol);
@@ -837,7 +844,10 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
837 } 844 }
838 *new_smc = smc_sk(new_sk); 845 *new_smc = smc_sk(new_sk);
839 846
840 rc = kernel_accept(lsmc->clcsock, &new_clcsock, 0); 847 mutex_lock(&lsmc->clcsock_release_lock);
848 if (lsmc->clcsock)
849 rc = kernel_accept(lsmc->clcsock, &new_clcsock, 0);
850 mutex_unlock(&lsmc->clcsock_release_lock);
841 lock_sock(lsk); 851 lock_sock(lsk);
842 if (rc < 0) 852 if (rc < 0)
843 lsk->sk_err = -rc; 853 lsk->sk_err = -rc;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 08786ace6010..5721416d0605 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -219,6 +219,10 @@ struct smc_sock { /* smc sock container */
219 * started, waiting for unsent 219 * started, waiting for unsent
220 * data to be sent 220 * data to be sent
221 */ 221 */
222 struct mutex clcsock_release_lock;
223 /* protects clcsock of a listen
224 * socket
225 * */
222}; 226};
223 227
224static inline struct smc_sock *smc_sk(const struct sock *sk) 228static inline struct smc_sock *smc_sk(const struct sock *sk)
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index c6782aa47525..24cbddc44c88 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1952,6 +1952,7 @@ call_connect_status(struct rpc_task *task)
1952 /* retry with existing socket, after a delay */ 1952 /* retry with existing socket, after a delay */
1953 rpc_delay(task, 3*HZ); 1953 rpc_delay(task, 3*HZ);
1954 /* fall through */ 1954 /* fall through */
1955 case -ENOTCONN:
1955 case -EAGAIN: 1956 case -EAGAIN:
1956 /* Check for timeouts before looping back to call_bind */ 1957 /* Check for timeouts before looping back to call_bind */
1957 case -ETIMEDOUT: 1958 case -ETIMEDOUT:
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index ce927002862a..73547d17d3c6 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -67,7 +67,6 @@
67 */ 67 */
68static void xprt_init(struct rpc_xprt *xprt, struct net *net); 68static void xprt_init(struct rpc_xprt *xprt, struct net *net);
69static __be32 xprt_alloc_xid(struct rpc_xprt *xprt); 69static __be32 xprt_alloc_xid(struct rpc_xprt *xprt);
70static void xprt_connect_status(struct rpc_task *task);
71static void xprt_destroy(struct rpc_xprt *xprt); 70static void xprt_destroy(struct rpc_xprt *xprt);
72 71
73static DEFINE_SPINLOCK(xprt_list_lock); 72static DEFINE_SPINLOCK(xprt_list_lock);
@@ -680,7 +679,9 @@ void xprt_force_disconnect(struct rpc_xprt *xprt)
680 /* Try to schedule an autoclose RPC call */ 679 /* Try to schedule an autoclose RPC call */
681 if (test_and_set_bit(XPRT_LOCKED, &xprt->state) == 0) 680 if (test_and_set_bit(XPRT_LOCKED, &xprt->state) == 0)
682 queue_work(xprtiod_workqueue, &xprt->task_cleanup); 681 queue_work(xprtiod_workqueue, &xprt->task_cleanup);
683 xprt_wake_pending_tasks(xprt, -EAGAIN); 682 else if (xprt->snd_task)
683 rpc_wake_up_queued_task_set_status(&xprt->pending,
684 xprt->snd_task, -ENOTCONN);
684 spin_unlock_bh(&xprt->transport_lock); 685 spin_unlock_bh(&xprt->transport_lock);
685} 686}
686EXPORT_SYMBOL_GPL(xprt_force_disconnect); 687EXPORT_SYMBOL_GPL(xprt_force_disconnect);
@@ -820,7 +821,7 @@ void xprt_connect(struct rpc_task *task)
820 if (!xprt_connected(xprt)) { 821 if (!xprt_connected(xprt)) {
821 task->tk_timeout = task->tk_rqstp->rq_timeout; 822 task->tk_timeout = task->tk_rqstp->rq_timeout;
822 task->tk_rqstp->rq_connect_cookie = xprt->connect_cookie; 823 task->tk_rqstp->rq_connect_cookie = xprt->connect_cookie;
823 rpc_sleep_on(&xprt->pending, task, xprt_connect_status); 824 rpc_sleep_on(&xprt->pending, task, NULL);
824 825
825 if (test_bit(XPRT_CLOSING, &xprt->state)) 826 if (test_bit(XPRT_CLOSING, &xprt->state))
826 return; 827 return;
@@ -839,34 +840,6 @@ void xprt_connect(struct rpc_task *task)
839 xprt_release_write(xprt, task); 840 xprt_release_write(xprt, task);
840} 841}
841 842
842static void xprt_connect_status(struct rpc_task *task)
843{
844 switch (task->tk_status) {
845 case 0:
846 dprintk("RPC: %5u xprt_connect_status: connection established\n",
847 task->tk_pid);
848 break;
849 case -ECONNREFUSED:
850 case -ECONNRESET:
851 case -ECONNABORTED:
852 case -ENETUNREACH:
853 case -EHOSTUNREACH:
854 case -EPIPE:
855 case -EAGAIN:
856 dprintk("RPC: %5u xprt_connect_status: retrying\n", task->tk_pid);
857 break;
858 case -ETIMEDOUT:
859 dprintk("RPC: %5u xprt_connect_status: connect attempt timed "
860 "out\n", task->tk_pid);
861 break;
862 default:
863 dprintk("RPC: %5u xprt_connect_status: error %d connecting to "
864 "server %s\n", task->tk_pid, -task->tk_status,
865 task->tk_rqstp->rq_xprt->servername);
866 task->tk_status = -EIO;
867 }
868}
869
870enum xprt_xid_rb_cmp { 843enum xprt_xid_rb_cmp {
871 XID_RB_EQUAL, 844 XID_RB_EQUAL,
872 XID_RB_LEFT, 845 XID_RB_LEFT,
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 8a5e823e0b33..f0b3700cec95 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1217,6 +1217,8 @@ static void xs_reset_transport(struct sock_xprt *transport)
1217 1217
1218 trace_rpc_socket_close(xprt, sock); 1218 trace_rpc_socket_close(xprt, sock);
1219 sock_release(sock); 1219 sock_release(sock);
1220
1221 xprt_disconnect_done(xprt);
1220} 1222}
1221 1223
1222/** 1224/**
@@ -1237,8 +1239,6 @@ static void xs_close(struct rpc_xprt *xprt)
1237 1239
1238 xs_reset_transport(transport); 1240 xs_reset_transport(transport);
1239 xprt->reestablish_timeout = 0; 1241 xprt->reestablish_timeout = 0;
1240
1241 xprt_disconnect_done(xprt);
1242} 1242}
1243 1243
1244static void xs_inject_disconnect(struct rpc_xprt *xprt) 1244static void xs_inject_disconnect(struct rpc_xprt *xprt)
@@ -1489,8 +1489,6 @@ static void xs_tcp_state_change(struct sock *sk)
1489 &transport->sock_state)) 1489 &transport->sock_state))
1490 xprt_clear_connecting(xprt); 1490 xprt_clear_connecting(xprt);
1491 clear_bit(XPRT_CLOSING, &xprt->state); 1491 clear_bit(XPRT_CLOSING, &xprt->state);
1492 if (sk->sk_err)
1493 xprt_wake_pending_tasks(xprt, -sk->sk_err);
1494 /* Trigger the socket release */ 1492 /* Trigger the socket release */
1495 xs_tcp_force_close(xprt); 1493 xs_tcp_force_close(xprt);
1496 } 1494 }
@@ -2092,8 +2090,8 @@ static void xs_udp_setup_socket(struct work_struct *work)
2092 trace_rpc_socket_connect(xprt, sock, 0); 2090 trace_rpc_socket_connect(xprt, sock, 0);
2093 status = 0; 2091 status = 0;
2094out: 2092out:
2095 xprt_unlock_connect(xprt, transport);
2096 xprt_clear_connecting(xprt); 2093 xprt_clear_connecting(xprt);
2094 xprt_unlock_connect(xprt, transport);
2097 xprt_wake_pending_tasks(xprt, status); 2095 xprt_wake_pending_tasks(xprt, status);
2098} 2096}
2099 2097
@@ -2329,8 +2327,8 @@ static void xs_tcp_setup_socket(struct work_struct *work)
2329 } 2327 }
2330 status = -EAGAIN; 2328 status = -EAGAIN;
2331out: 2329out:
2332 xprt_unlock_connect(xprt, transport);
2333 xprt_clear_connecting(xprt); 2330 xprt_clear_connecting(xprt);
2331 xprt_unlock_connect(xprt, transport);
2334 xprt_wake_pending_tasks(xprt, status); 2332 xprt_wake_pending_tasks(xprt, status);
2335} 2333}
2336 2334
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 291d6bbe85f4..1217c90a363b 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -889,7 +889,6 @@ static int tipc_send_group_unicast(struct socket *sock, struct msghdr *m,
889 DECLARE_SOCKADDR(struct sockaddr_tipc *, dest, m->msg_name); 889 DECLARE_SOCKADDR(struct sockaddr_tipc *, dest, m->msg_name);
890 int blks = tsk_blocks(GROUP_H_SIZE + dlen); 890 int blks = tsk_blocks(GROUP_H_SIZE + dlen);
891 struct tipc_sock *tsk = tipc_sk(sk); 891 struct tipc_sock *tsk = tipc_sk(sk);
892 struct tipc_group *grp = tsk->group;
893 struct net *net = sock_net(sk); 892 struct net *net = sock_net(sk);
894 struct tipc_member *mb = NULL; 893 struct tipc_member *mb = NULL;
895 u32 node, port; 894 u32 node, port;
@@ -903,7 +902,9 @@ static int tipc_send_group_unicast(struct socket *sock, struct msghdr *m,
903 /* Block or return if destination link or member is congested */ 902 /* Block or return if destination link or member is congested */
904 rc = tipc_wait_for_cond(sock, &timeout, 903 rc = tipc_wait_for_cond(sock, &timeout,
905 !tipc_dest_find(&tsk->cong_links, node, 0) && 904 !tipc_dest_find(&tsk->cong_links, node, 0) &&
906 !tipc_group_cong(grp, node, port, blks, &mb)); 905 tsk->group &&
906 !tipc_group_cong(tsk->group, node, port, blks,
907 &mb));
907 if (unlikely(rc)) 908 if (unlikely(rc))
908 return rc; 909 return rc;
909 910
@@ -933,7 +934,6 @@ static int tipc_send_group_anycast(struct socket *sock, struct msghdr *m,
933 struct tipc_sock *tsk = tipc_sk(sk); 934 struct tipc_sock *tsk = tipc_sk(sk);
934 struct list_head *cong_links = &tsk->cong_links; 935 struct list_head *cong_links = &tsk->cong_links;
935 int blks = tsk_blocks(GROUP_H_SIZE + dlen); 936 int blks = tsk_blocks(GROUP_H_SIZE + dlen);
936 struct tipc_group *grp = tsk->group;
937 struct tipc_msg *hdr = &tsk->phdr; 937 struct tipc_msg *hdr = &tsk->phdr;
938 struct tipc_member *first = NULL; 938 struct tipc_member *first = NULL;
939 struct tipc_member *mbr = NULL; 939 struct tipc_member *mbr = NULL;
@@ -950,9 +950,10 @@ static int tipc_send_group_anycast(struct socket *sock, struct msghdr *m,
950 type = msg_nametype(hdr); 950 type = msg_nametype(hdr);
951 inst = dest->addr.name.name.instance; 951 inst = dest->addr.name.name.instance;
952 scope = msg_lookup_scope(hdr); 952 scope = msg_lookup_scope(hdr);
953 exclude = tipc_group_exclude(grp);
954 953
955 while (++lookups < 4) { 954 while (++lookups < 4) {
955 exclude = tipc_group_exclude(tsk->group);
956
956 first = NULL; 957 first = NULL;
957 958
958 /* Look for a non-congested destination member, if any */ 959 /* Look for a non-congested destination member, if any */
@@ -961,7 +962,8 @@ static int tipc_send_group_anycast(struct socket *sock, struct msghdr *m,
961 &dstcnt, exclude, false)) 962 &dstcnt, exclude, false))
962 return -EHOSTUNREACH; 963 return -EHOSTUNREACH;
963 tipc_dest_pop(&dsts, &node, &port); 964 tipc_dest_pop(&dsts, &node, &port);
964 cong = tipc_group_cong(grp, node, port, blks, &mbr); 965 cong = tipc_group_cong(tsk->group, node, port, blks,
966 &mbr);
965 if (!cong) 967 if (!cong)
966 break; 968 break;
967 if (mbr == first) 969 if (mbr == first)
@@ -980,7 +982,8 @@ static int tipc_send_group_anycast(struct socket *sock, struct msghdr *m,
980 /* Block or return if destination link or member is congested */ 982 /* Block or return if destination link or member is congested */
981 rc = tipc_wait_for_cond(sock, &timeout, 983 rc = tipc_wait_for_cond(sock, &timeout,
982 !tipc_dest_find(cong_links, node, 0) && 984 !tipc_dest_find(cong_links, node, 0) &&
983 !tipc_group_cong(grp, node, port, 985 tsk->group &&
986 !tipc_group_cong(tsk->group, node, port,
984 blks, &mbr)); 987 blks, &mbr));
985 if (unlikely(rc)) 988 if (unlikely(rc))
986 return rc; 989 return rc;
@@ -1015,8 +1018,7 @@ static int tipc_send_group_bcast(struct socket *sock, struct msghdr *m,
1015 struct sock *sk = sock->sk; 1018 struct sock *sk = sock->sk;
1016 struct net *net = sock_net(sk); 1019 struct net *net = sock_net(sk);
1017 struct tipc_sock *tsk = tipc_sk(sk); 1020 struct tipc_sock *tsk = tipc_sk(sk);
1018 struct tipc_group *grp = tsk->group; 1021 struct tipc_nlist *dsts;
1019 struct tipc_nlist *dsts = tipc_group_dests(grp);
1020 struct tipc_mc_method *method = &tsk->mc_method; 1022 struct tipc_mc_method *method = &tsk->mc_method;
1021 bool ack = method->mandatory && method->rcast; 1023 bool ack = method->mandatory && method->rcast;
1022 int blks = tsk_blocks(MCAST_H_SIZE + dlen); 1024 int blks = tsk_blocks(MCAST_H_SIZE + dlen);
@@ -1025,15 +1027,17 @@ static int tipc_send_group_bcast(struct socket *sock, struct msghdr *m,
1025 struct sk_buff_head pkts; 1027 struct sk_buff_head pkts;
1026 int rc = -EHOSTUNREACH; 1028 int rc = -EHOSTUNREACH;
1027 1029
1028 if (!dsts->local && !dsts->remote)
1029 return -EHOSTUNREACH;
1030
1031 /* Block or return if any destination link or member is congested */ 1030 /* Block or return if any destination link or member is congested */
1032 rc = tipc_wait_for_cond(sock, &timeout, !tsk->cong_link_cnt && 1031 rc = tipc_wait_for_cond(sock, &timeout,
1033 !tipc_group_bc_cong(grp, blks)); 1032 !tsk->cong_link_cnt && tsk->group &&
1033 !tipc_group_bc_cong(tsk->group, blks));
1034 if (unlikely(rc)) 1034 if (unlikely(rc))
1035 return rc; 1035 return rc;
1036 1036
1037 dsts = tipc_group_dests(tsk->group);
1038 if (!dsts->local && !dsts->remote)
1039 return -EHOSTUNREACH;
1040
1037 /* Complete message header */ 1041 /* Complete message header */
1038 if (dest) { 1042 if (dest) {
1039 msg_set_type(hdr, TIPC_GRP_MCAST_MSG); 1043 msg_set_type(hdr, TIPC_GRP_MCAST_MSG);
@@ -1045,7 +1049,7 @@ static int tipc_send_group_bcast(struct socket *sock, struct msghdr *m,
1045 msg_set_hdr_sz(hdr, GROUP_H_SIZE); 1049 msg_set_hdr_sz(hdr, GROUP_H_SIZE);
1046 msg_set_destport(hdr, 0); 1050 msg_set_destport(hdr, 0);
1047 msg_set_destnode(hdr, 0); 1051 msg_set_destnode(hdr, 0);
1048 msg_set_grp_bc_seqno(hdr, tipc_group_bc_snd_nxt(grp)); 1052 msg_set_grp_bc_seqno(hdr, tipc_group_bc_snd_nxt(tsk->group));
1049 1053
1050 /* Avoid getting stuck with repeated forced replicasts */ 1054 /* Avoid getting stuck with repeated forced replicasts */
1051 msg_set_grp_bc_ack_req(hdr, ack); 1055 msg_set_grp_bc_ack_req(hdr, ack);
@@ -2757,11 +2761,15 @@ void tipc_sk_reinit(struct net *net)
2757 rhashtable_walk_start(&iter); 2761 rhashtable_walk_start(&iter);
2758 2762
2759 while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) { 2763 while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
2760 spin_lock_bh(&tsk->sk.sk_lock.slock); 2764 sock_hold(&tsk->sk);
2765 rhashtable_walk_stop(&iter);
2766 lock_sock(&tsk->sk);
2761 msg = &tsk->phdr; 2767 msg = &tsk->phdr;
2762 msg_set_prevnode(msg, tipc_own_addr(net)); 2768 msg_set_prevnode(msg, tipc_own_addr(net));
2763 msg_set_orignode(msg, tipc_own_addr(net)); 2769 msg_set_orignode(msg, tipc_own_addr(net));
2764 spin_unlock_bh(&tsk->sk.sk_lock.slock); 2770 release_sock(&tsk->sk);
2771 rhashtable_walk_start(&iter);
2772 sock_put(&tsk->sk);
2765 } 2773 }
2766 2774
2767 rhashtable_walk_stop(&iter); 2775 rhashtable_walk_stop(&iter);
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 10dc59ce9c82..4d85d71f16e2 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -245,10 +245,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
245 } 245 }
246 246
247 err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr); 247 err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);
248 if (err) { 248 if (err)
249 kfree_skb(_skb);
250 goto out; 249 goto out;
251 }
252 } 250 }
253 err = 0; 251 err = 0;
254out: 252out:
@@ -681,6 +679,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
681 if (err) 679 if (err)
682 goto err; 680 goto err;
683 681
682 if (remote.proto != local.proto) {
683 err = -EINVAL;
684 goto err;
685 }
686
684 /* Checking remote ip address */ 687 /* Checking remote ip address */
685 rmcast = tipc_udp_is_mcast_addr(&remote); 688 rmcast = tipc_udp_is_mcast_addr(&remote);
686 689
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 311cec8e533d..28887cf628b8 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -56,7 +56,7 @@ enum {
56static struct proto *saved_tcpv6_prot; 56static struct proto *saved_tcpv6_prot;
57static DEFINE_MUTEX(tcpv6_prot_mutex); 57static DEFINE_MUTEX(tcpv6_prot_mutex);
58static LIST_HEAD(device_list); 58static LIST_HEAD(device_list);
59static DEFINE_MUTEX(device_mutex); 59static DEFINE_SPINLOCK(device_spinlock);
60static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG]; 60static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
61static struct proto_ops tls_sw_proto_ops; 61static struct proto_ops tls_sw_proto_ops;
62 62
@@ -538,11 +538,14 @@ static struct tls_context *create_ctx(struct sock *sk)
538 struct inet_connection_sock *icsk = inet_csk(sk); 538 struct inet_connection_sock *icsk = inet_csk(sk);
539 struct tls_context *ctx; 539 struct tls_context *ctx;
540 540
541 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 541 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
542 if (!ctx) 542 if (!ctx)
543 return NULL; 543 return NULL;
544 544
545 icsk->icsk_ulp_data = ctx; 545 icsk->icsk_ulp_data = ctx;
546 ctx->setsockopt = sk->sk_prot->setsockopt;
547 ctx->getsockopt = sk->sk_prot->getsockopt;
548 ctx->sk_proto_close = sk->sk_prot->close;
546 return ctx; 549 return ctx;
547} 550}
548 551
@@ -552,7 +555,7 @@ static int tls_hw_prot(struct sock *sk)
552 struct tls_device *dev; 555 struct tls_device *dev;
553 int rc = 0; 556 int rc = 0;
554 557
555 mutex_lock(&device_mutex); 558 spin_lock_bh(&device_spinlock);
556 list_for_each_entry(dev, &device_list, dev_list) { 559 list_for_each_entry(dev, &device_list, dev_list) {
557 if (dev->feature && dev->feature(dev)) { 560 if (dev->feature && dev->feature(dev)) {
558 ctx = create_ctx(sk); 561 ctx = create_ctx(sk);
@@ -570,7 +573,7 @@ static int tls_hw_prot(struct sock *sk)
570 } 573 }
571 } 574 }
572out: 575out:
573 mutex_unlock(&device_mutex); 576 spin_unlock_bh(&device_spinlock);
574 return rc; 577 return rc;
575} 578}
576 579
@@ -579,12 +582,17 @@ static void tls_hw_unhash(struct sock *sk)
579 struct tls_context *ctx = tls_get_ctx(sk); 582 struct tls_context *ctx = tls_get_ctx(sk);
580 struct tls_device *dev; 583 struct tls_device *dev;
581 584
582 mutex_lock(&device_mutex); 585 spin_lock_bh(&device_spinlock);
583 list_for_each_entry(dev, &device_list, dev_list) { 586 list_for_each_entry(dev, &device_list, dev_list) {
584 if (dev->unhash) 587 if (dev->unhash) {
588 kref_get(&dev->kref);
589 spin_unlock_bh(&device_spinlock);
585 dev->unhash(dev, sk); 590 dev->unhash(dev, sk);
591 kref_put(&dev->kref, dev->release);
592 spin_lock_bh(&device_spinlock);
593 }
586 } 594 }
587 mutex_unlock(&device_mutex); 595 spin_unlock_bh(&device_spinlock);
588 ctx->unhash(sk); 596 ctx->unhash(sk);
589} 597}
590 598
@@ -595,12 +603,17 @@ static int tls_hw_hash(struct sock *sk)
595 int err; 603 int err;
596 604
597 err = ctx->hash(sk); 605 err = ctx->hash(sk);
598 mutex_lock(&device_mutex); 606 spin_lock_bh(&device_spinlock);
599 list_for_each_entry(dev, &device_list, dev_list) { 607 list_for_each_entry(dev, &device_list, dev_list) {
600 if (dev->hash) 608 if (dev->hash) {
609 kref_get(&dev->kref);
610 spin_unlock_bh(&device_spinlock);
601 err |= dev->hash(dev, sk); 611 err |= dev->hash(dev, sk);
612 kref_put(&dev->kref, dev->release);
613 spin_lock_bh(&device_spinlock);
614 }
602 } 615 }
603 mutex_unlock(&device_mutex); 616 spin_unlock_bh(&device_spinlock);
604 617
605 if (err) 618 if (err)
606 tls_hw_unhash(sk); 619 tls_hw_unhash(sk);
@@ -675,9 +688,6 @@ static int tls_init(struct sock *sk)
675 rc = -ENOMEM; 688 rc = -ENOMEM;
676 goto out; 689 goto out;
677 } 690 }
678 ctx->setsockopt = sk->sk_prot->setsockopt;
679 ctx->getsockopt = sk->sk_prot->getsockopt;
680 ctx->sk_proto_close = sk->sk_prot->close;
681 691
682 /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */ 692 /* Build IPv6 TLS whenever the address of tcpv6 _prot changes */
683 if (ip_ver == TLSV6 && 693 if (ip_ver == TLSV6 &&
@@ -699,17 +709,17 @@ out:
699 709
700void tls_register_device(struct tls_device *device) 710void tls_register_device(struct tls_device *device)
701{ 711{
702 mutex_lock(&device_mutex); 712 spin_lock_bh(&device_spinlock);
703 list_add_tail(&device->dev_list, &device_list); 713 list_add_tail(&device->dev_list, &device_list);
704 mutex_unlock(&device_mutex); 714 spin_unlock_bh(&device_spinlock);
705} 715}
706EXPORT_SYMBOL(tls_register_device); 716EXPORT_SYMBOL(tls_register_device);
707 717
708void tls_unregister_device(struct tls_device *device) 718void tls_unregister_device(struct tls_device *device)
709{ 719{
710 mutex_lock(&device_mutex); 720 spin_lock_bh(&device_spinlock);
711 list_del(&device->dev_list); 721 list_del(&device->dev_list);
712 mutex_unlock(&device_mutex); 722 spin_unlock_bh(&device_spinlock);
713} 723}
714EXPORT_SYMBOL(tls_unregister_device); 724EXPORT_SYMBOL(tls_unregister_device);
715 725
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index ab27a2872935..43a1dec08825 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -107,6 +107,7 @@
107#include <linux/mutex.h> 107#include <linux/mutex.h>
108#include <linux/net.h> 108#include <linux/net.h>
109#include <linux/poll.h> 109#include <linux/poll.h>
110#include <linux/random.h>
110#include <linux/skbuff.h> 111#include <linux/skbuff.h>
111#include <linux/smp.h> 112#include <linux/smp.h>
112#include <linux/socket.h> 113#include <linux/socket.h>
@@ -504,9 +505,13 @@ out:
504static int __vsock_bind_stream(struct vsock_sock *vsk, 505static int __vsock_bind_stream(struct vsock_sock *vsk,
505 struct sockaddr_vm *addr) 506 struct sockaddr_vm *addr)
506{ 507{
507 static u32 port = LAST_RESERVED_PORT + 1; 508 static u32 port = 0;
508 struct sockaddr_vm new_addr; 509 struct sockaddr_vm new_addr;
509 510
511 if (!port)
512 port = LAST_RESERVED_PORT + 1 +
513 prandom_u32_max(U32_MAX - LAST_RESERVED_PORT);
514
510 vsock_addr_init(&new_addr, addr->svm_cid, addr->svm_port); 515 vsock_addr_init(&new_addr, addr->svm_cid, addr->svm_port);
511 516
512 if (addr->svm_port == VMADDR_PORT_ANY) { 517 if (addr->svm_port == VMADDR_PORT_ANY) {
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index cb332adb84cd..c361ce782412 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -264,6 +264,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src,
264} 264}
265 265
266static int 266static int
267vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
268 struct sockaddr_vm *dst,
269 enum vmci_transport_packet_type type,
270 u64 size,
271 u64 mode,
272 struct vmci_transport_waiting_info *wait,
273 u16 proto,
274 struct vmci_handle handle)
275{
276 struct vmci_transport_packet *pkt;
277 int err;
278
279 pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
280 if (!pkt)
281 return -ENOMEM;
282
283 err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
284 mode, wait, proto, handle,
285 true);
286 kfree(pkt);
287
288 return err;
289}
290
291static int
267vmci_transport_send_control_pkt(struct sock *sk, 292vmci_transport_send_control_pkt(struct sock *sk,
268 enum vmci_transport_packet_type type, 293 enum vmci_transport_packet_type type,
269 u64 size, 294 u64 size,
@@ -272,9 +297,7 @@ vmci_transport_send_control_pkt(struct sock *sk,
272 u16 proto, 297 u16 proto,
273 struct vmci_handle handle) 298 struct vmci_handle handle)
274{ 299{
275 struct vmci_transport_packet *pkt;
276 struct vsock_sock *vsk; 300 struct vsock_sock *vsk;
277 int err;
278 301
279 vsk = vsock_sk(sk); 302 vsk = vsock_sk(sk);
280 303
@@ -284,17 +307,10 @@ vmci_transport_send_control_pkt(struct sock *sk,
284 if (!vsock_addr_bound(&vsk->remote_addr)) 307 if (!vsock_addr_bound(&vsk->remote_addr))
285 return -EINVAL; 308 return -EINVAL;
286 309
287 pkt = kmalloc(sizeof(*pkt), GFP_KERNEL); 310 return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
288 if (!pkt) 311 &vsk->remote_addr,
289 return -ENOMEM; 312 type, size, mode,
290 313 wait, proto, handle);
291 err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
292 &vsk->remote_addr, type, size,
293 mode, wait, proto, handle,
294 true);
295 kfree(pkt);
296
297 return err;
298} 314}
299 315
300static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst, 316static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
@@ -312,12 +328,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
312static int vmci_transport_send_reset(struct sock *sk, 328static int vmci_transport_send_reset(struct sock *sk,
313 struct vmci_transport_packet *pkt) 329 struct vmci_transport_packet *pkt)
314{ 330{
331 struct sockaddr_vm *dst_ptr;
332 struct sockaddr_vm dst;
333 struct vsock_sock *vsk;
334
315 if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST) 335 if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
316 return 0; 336 return 0;
317 return vmci_transport_send_control_pkt(sk, 337
318 VMCI_TRANSPORT_PACKET_TYPE_RST, 338 vsk = vsock_sk(sk);
319 0, 0, NULL, VSOCK_PROTO_INVALID, 339
320 VMCI_INVALID_HANDLE); 340 if (!vsock_addr_bound(&vsk->local_addr))
341 return -EINVAL;
342
343 if (vsock_addr_bound(&vsk->remote_addr)) {
344 dst_ptr = &vsk->remote_addr;
345 } else {
346 vsock_addr_init(&dst, pkt->dg.src.context,
347 pkt->src_port);
348 dst_ptr = &dst;
349 }
350 return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
351 VMCI_TRANSPORT_PACKET_TYPE_RST,
352 0, 0, NULL, VSOCK_PROTO_INVALID,
353 VMCI_INVALID_HANDLE);
321} 354}
322 355
323static int vmci_transport_send_negotiate(struct sock *sk, size_t size) 356static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 10ec05589795..5e49492d5911 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9152,8 +9152,10 @@ static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9152 if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) { 9152 if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9153 int r = validate_pae_over_nl80211(rdev, info); 9153 int r = validate_pae_over_nl80211(rdev, info);
9154 9154
9155 if (r < 0) 9155 if (r < 0) {
9156 kzfree(connkeys);
9156 return r; 9157 return r;
9158 }
9157 9159
9158 ibss.control_port_over_nl80211 = true; 9160 ibss.control_port_over_nl80211 = true;
9159 } 9161 }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 6bc817359b58..b3b613660d44 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -315,6 +315,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
315 315
316 sp->xvec[sp->len++] = x; 316 sp->xvec[sp->len++] = x;
317 317
318 skb_dst_force(skb);
319 if (!skb_dst(skb)) {
320 XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
321 goto drop;
322 }
323
318lock: 324lock:
319 spin_lock(&x->lock); 325 spin_lock(&x->lock);
320 326
@@ -354,7 +360,6 @@ lock:
354 XFRM_SKB_CB(skb)->seq.input.low = seq; 360 XFRM_SKB_CB(skb)->seq.input.low = seq;
355 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi; 361 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
356 362
357 skb_dst_force(skb);
358 dev_hold(skb->dev); 363 dev_hold(skb->dev);
359 364
360 if (crypto_done) 365 if (crypto_done)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 757c4d11983b..9333153bafda 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -102,6 +102,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
102 skb_dst_force(skb); 102 skb_dst_force(skb);
103 if (!skb_dst(skb)) { 103 if (!skb_dst(skb)) {
104 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 104 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
105 err = -EHOSTUNREACH;
105 goto error_nolock; 106 goto error_nolock;
106 } 107 }
107 108
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index dc4a9f1fb941..23c92891758a 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -426,6 +426,12 @@ static void xfrm_put_mode(struct xfrm_mode *mode)
426 module_put(mode->owner); 426 module_put(mode->owner);
427} 427}
428 428
429void xfrm_state_free(struct xfrm_state *x)
430{
431 kmem_cache_free(xfrm_state_cache, x);
432}
433EXPORT_SYMBOL(xfrm_state_free);
434
429static void xfrm_state_gc_destroy(struct xfrm_state *x) 435static void xfrm_state_gc_destroy(struct xfrm_state *x)
430{ 436{
431 tasklet_hrtimer_cancel(&x->mtimer); 437 tasklet_hrtimer_cancel(&x->mtimer);
@@ -452,7 +458,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
452 } 458 }
453 xfrm_dev_state_free(x); 459 xfrm_dev_state_free(x);
454 security_xfrm_state_free(x); 460 security_xfrm_state_free(x);
455 kmem_cache_free(xfrm_state_cache, x); 461 xfrm_state_free(x);
456} 462}
457 463
458static void xfrm_state_gc_task(struct work_struct *work) 464static void xfrm_state_gc_task(struct work_struct *work)
@@ -788,7 +794,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
788{ 794{
789 spin_lock_bh(&net->xfrm.xfrm_state_lock); 795 spin_lock_bh(&net->xfrm.xfrm_state_lock);
790 si->sadcnt = net->xfrm.state_num; 796 si->sadcnt = net->xfrm.state_num;
791 si->sadhcnt = net->xfrm.state_hmask; 797 si->sadhcnt = net->xfrm.state_hmask + 1;
792 si->sadhmcnt = xfrm_state_hashmax; 798 si->sadhmcnt = xfrm_state_hashmax;
793 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 799 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
794} 800}
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c9a84e22f5d5..277c1c46fe94 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2288,13 +2288,13 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
2288 2288
2289 } 2289 }
2290 2290
2291 kfree(x); 2291 xfrm_state_free(x);
2292 kfree(xp); 2292 kfree(xp);
2293 2293
2294 return 0; 2294 return 0;
2295 2295
2296free_state: 2296free_state:
2297 kfree(x); 2297 xfrm_state_free(x);
2298nomem: 2298nomem:
2299 return err; 2299 return err;
2300} 2300}
generated by cgit v1.2.2 (git 2.25.0) at 2026-04-23 06:17:21 -0400