Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: 1) Fix list tests in netfilter ingress support, from Florian Westphal. 2) Fix reversal of input and output interfaces in ingress hook invocation, from Pablo Neira Ayuso. 3) We have a use after free in r8169, caught by Dave Jones, fixed by Francois Romieu. 4) Splice use-after-free fix in AF_UNIX frmo Hannes Frederic Sowa. 5) Three ipv6 route handling bug fixes from Martin KaFai Lau: a) Don't create clone routes not managed by the fib6 tree b) Don't forget to check expiration of DST_NOCACHE routes. c) Handle rt->dst.from == NULL properly. 6) Several AF_PACKET fixes wrt transport header setting and SKB protocol setting, from Daniel Borkmann. 7) Fix thunder driver crash on shutdown, from Pavel Fedin. 8) Several Mellanox driver fixes (max MTU calculations, use of correct DMA unmap in TX path, etc.) from Saeed Mahameed, Tariq Toukan, Doron Tsur, Achiad Shochat, Eran Ben Elisha, and Noa Osherovich. 9) Several mv88e6060 DSA driver fixes (wrong bit definitions for certain registers, etc.) from Neil Armstrong. 10) Make sure to disable preemption while updating per-cpu stats of ip tunnels, from Jason A. Donenfeld. 11) Various ARM64 bpf JIT fixes, from Yang Shi. 12) Flush icache properly in ARM JITs, from Daniel Borkmann. 13) Fix masking of RX and TX interrupts in ravb driver, from Masaru Nagai. 14) Fix netdev feature propagation for devices not implementing ->ndo_set_features(). From Nikolay Aleksandrov. 15) Big endian fix in vmxnet3 driver, from Shrikrishna Khare. 16) RAW socket code increments incorrect SNMP counters, fix from Ben Cartwright-Cox. 17) IPv6 multicast SNMP counters are bumped twice, fix from Neil Horman. 18) Fix handling of VLAN headers on stacked devices when REORDER is disabled. From Vlad Yasevich. 19) Fix SKB leaks and use-after-free in ipvlan and macvlan drivers, from Sabrina Dubroca. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits) MAINTAINERS: Update Mellanox's Eth NIC driver entries net/core: revert "net: fix __netdev_update_features return.." and add comment af_unix: take receive queue lock while appending new skb rtnetlink: fix frame size warning in rtnl_fill_ifinfo net: use skb_clone to avoid alloc_pages failure. packet: Use PAGE_ALIGNED macro packet: Don't check frames_per_block against negative values net: phy: Use interrupts when available in NOLINK state phy: marvell: Add support for 88E1540 PHY arm64: bpf: make BPF prologue and epilogue align with ARM64 AAPCS macvlan: fix leak in macvlan_handle_frame ipvlan: fix use after free of skb ipvlan: fix leak in ipvlan_rcv_frame vlan: Do not put vlan headers back on bridge and macvlan ports vlan: Fix untag operations of stacked vlans with REORDER_HEADER off via-velocity: unconditionally drop frames with bad l2 length ipg: Remove ipg driver dl2k: Add support for IP1000A-based cards snmp: Remove duplicate OUTMCAST stat increment net: thunder: Check for driver data in nicvf_remove() ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2015-11-17 16:52:59 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2015-11-17 16:52:59 -0500
commit: 7f151f1d8abb7d5930b49d4796b463dca1673cb7 (patch)
tree: f995b6444729c105fe0a123b8240ef3dc3f1bf4a /net
parent: a18ab2f6cb79eeccedea61b8c7bf71d24e087d42 (diff)
parent: e7523a497d48a9921983a80670f7a02dc4639d41 (diff)
31 files changed, 437 insertions, 318 deletions
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 496b27588493..e2ed69850489 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -30,7 +30,9 @@ bool vlan_do_receive(struct sk_buff **skbp)
                        skb->pkt_type = PACKET_HOST;
        }
-        if (!(vlan_dev_priv(vlan_dev)->flags & VLAN_FLAG_REORDER_HDR)) {
+        if (!(vlan_dev_priv(vlan_dev)->flags & VLAN_FLAG_REORDER_HDR) &&
+            !netif_is_macvlan_port(vlan_dev) &&
+            !netif_is_bridge_port(vlan_dev)) {
                unsigned int offset = skb->data - skb_mac_header(skb);
                /*
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index f7e8dee64fc8..5f3f64553179 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -48,7 +48,7 @@ void br_set_state(struct net_bridge_port *p, unsigned int state)
        p->state = state;
        err = switchdev_port_attr_set(p->dev, &attr);
-        if (err)
+        if (err && err != -EOPNOTSUPP)
                br_warn(p->br, "error setting offload STP state on port %u(%s)\n",
                                (unsigned int) p->port_no, p->dev->name);
 }
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index fa53d7a89f48..5396ff08af32 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -50,7 +50,7 @@ void br_init_port(struct net_bridge_port *p)
        p->config_pending = 0;
        err = switchdev_port_attr_set(p->dev, &attr);
-        if (err)
+        if (err && err != -EOPNOTSUPP)
                netdev_err(p->dev, "failed to set HW ageing time\n");
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index ab9b8d0d115e..ae00b894e675 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2403,17 +2403,20 @@ static void skb_warn_bad_offload(const struct sk_buff *skb)
 {
        static const netdev_features_t null_features = 0;
        struct net_device *dev = skb->dev;
-        const char *driver = "";
+        const char *name = "";
        if (!net_ratelimit())
                return;
-        if (dev && dev->dev.parent)
+        if (dev) {
-                driver = dev_driver_string(dev->dev.parent);
+                if (dev->dev.parent)
+                        name = dev_driver_string(dev->dev.parent);
+                else
+                        name = netdev_name(dev);
+        }
        WARN(1, "%s: caps=(%pNF, %pNF) len=%d data_len=%d gso_size=%d "
             "gso_type=%d ip_summed=%d\n",
-             driver, dev ? &dev->features : &null_features,
+             name, dev ? &dev->features : &null_features,
             skb->sk ? &skb->sk->sk_route_caps : &null_features,
             skb->len, skb->data_len, skb_shinfo(skb)->gso_size,
             skb_shinfo(skb)->gso_type, skb->ip_summed);
@@ -6426,11 +6429,16 @@ int __netdev_update_features(struct net_device *dev)
        if (dev->netdev_ops->ndo_set_features)
                err = dev->netdev_ops->ndo_set_features(dev, features);
+        else
+                err = 0;
        if (unlikely(err < 0)) {
                netdev_err(dev,
                        "set_features() failed (%d); wanted %pNF, left %pNF\n",
                        err, &features, &dev->features);
+                /* return non-0 since some features might have changed and
+                 * it's better to fire a spurious notification than miss it
+                 */
                return -1;
        }
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 1aa8437ed6c4..e6af42da28d9 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -857,7 +857,7 @@ static void neigh_probe(struct neighbour *neigh)
        struct sk_buff *skb = skb_peek_tail(&neigh->arp_queue);
        /* keep skb alive even if arp_queue overflows */
        if (skb)
-                skb = skb_copy(skb, GFP_ATOMIC);
+                skb = skb_clone(skb, GFP_ATOMIC);
        write_unlock(&neigh->lock);
        neigh->ops->solicit(neigh, skb);
        atomic_inc(&neigh->probes);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 504bd17b7456..34ba7a08876d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1045,15 +1045,156 @@ static int rtnl_phys_switch_id_fill(struct sk_buff *skb, struct net_device *dev)
        return 0;
 }
+static noinline_for_stack int rtnl_fill_stats(struct sk_buff *skb,
+                                              struct net_device *dev)
+{
+        const struct rtnl_link_stats64 *stats;
+        struct rtnl_link_stats64 temp;
+        struct nlattr *attr;
+        stats = dev_get_stats(dev, &temp);
+        attr = nla_reserve(skb, IFLA_STATS,
+                           sizeof(struct rtnl_link_stats));
+        if (!attr)
+                return -EMSGSIZE;
+        copy_rtnl_link_stats(nla_data(attr), stats);
+        attr = nla_reserve(skb, IFLA_STATS64,
+                           sizeof(struct rtnl_link_stats64));
+        if (!attr)
+                return -EMSGSIZE;
+        copy_rtnl_link_stats64(nla_data(attr), stats);
+        return 0;
+}
+static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+                                               struct net_device *dev,
+                                               int vfs_num,
+                                               struct nlattr *vfinfo)
+{
+        struct ifla_vf_rss_query_en vf_rss_query_en;
+        struct ifla_vf_link_state vf_linkstate;
+        struct ifla_vf_spoofchk vf_spoofchk;
+        struct ifla_vf_tx_rate vf_tx_rate;
+        struct ifla_vf_stats vf_stats;
+        struct ifla_vf_trust vf_trust;
+        struct ifla_vf_vlan vf_vlan;
+        struct ifla_vf_rate vf_rate;
+        struct nlattr *vf, *vfstats;
+        struct ifla_vf_mac vf_mac;
+        struct ifla_vf_info ivi;
+        /* Not all SR-IOV capable drivers support the
+         * spoofcheck and "RSS query enable" query.  Preset to
+         * -1 so the user space tool can detect that the driver
+         * didn't report anything.
+         */
+        ivi.spoofchk = -1;
+        ivi.rss_query_en = -1;
+        ivi.trusted = -1;
+        memset(ivi.mac, 0, sizeof(ivi.mac));
+        /* The default value for VF link state is "auto"
+         * IFLA_VF_LINK_STATE_AUTO which equals zero
+         */
+        ivi.linkstate = 0;
+        if (dev->netdev_ops->ndo_get_vf_config(dev, vfs_num, &ivi))
+                return 0;
+        vf_mac.vf =
+                vf_vlan.vf =
+                vf_rate.vf =
+                vf_tx_rate.vf =
+                vf_spoofchk.vf =
+                vf_linkstate.vf =
+                vf_rss_query_en.vf =
+                vf_trust.vf = ivi.vf;
+        memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
+        vf_vlan.vlan = ivi.vlan;
+        vf_vlan.qos = ivi.qos;
+        vf_tx_rate.rate = ivi.max_tx_rate;
+        vf_rate.min_tx_rate = ivi.min_tx_rate;
+        vf_rate.max_tx_rate = ivi.max_tx_rate;
+        vf_spoofchk.setting = ivi.spoofchk;
+        vf_linkstate.link_state = ivi.linkstate;
+        vf_rss_query_en.setting = ivi.rss_query_en;
+        vf_trust.setting = ivi.trusted;
+        vf = nla_nest_start(skb, IFLA_VF_INFO);
+        if (!vf) {
+                nla_nest_cancel(skb, vfinfo);
+                return -EMSGSIZE;
+        }
+        if (nla_put(skb, IFLA_VF_MAC, sizeof(vf_mac), &vf_mac) ||
+            nla_put(skb, IFLA_VF_VLAN, sizeof(vf_vlan), &vf_vlan) ||
+            nla_put(skb, IFLA_VF_RATE, sizeof(vf_rate),
+                    &vf_rate) ||
+            nla_put(skb, IFLA_VF_TX_RATE, sizeof(vf_tx_rate),
+                    &vf_tx_rate) ||
+            nla_put(skb, IFLA_VF_SPOOFCHK, sizeof(vf_spoofchk),
+                    &vf_spoofchk) ||
+            nla_put(skb, IFLA_VF_LINK_STATE, sizeof(vf_linkstate),
+                    &vf_linkstate) ||
+            nla_put(skb, IFLA_VF_RSS_QUERY_EN,
+                    sizeof(vf_rss_query_en),
+                    &vf_rss_query_en) ||
+            nla_put(skb, IFLA_VF_TRUST,
+                    sizeof(vf_trust), &vf_trust))
+                return -EMSGSIZE;
+        memset(&vf_stats, 0, sizeof(vf_stats));
+        if (dev->netdev_ops->ndo_get_vf_stats)
+                dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num,
+                                                &vf_stats);
+        vfstats = nla_nest_start(skb, IFLA_VF_STATS);
+        if (!vfstats) {
+                nla_nest_cancel(skb, vf);
+                nla_nest_cancel(skb, vfinfo);
+                return -EMSGSIZE;
+        }
+        if (nla_put_u64(skb, IFLA_VF_STATS_RX_PACKETS,
+                        vf_stats.rx_packets) ||
+            nla_put_u64(skb, IFLA_VF_STATS_TX_PACKETS,
+                        vf_stats.tx_packets) ||
+            nla_put_u64(skb, IFLA_VF_STATS_RX_BYTES,
+                        vf_stats.rx_bytes) ||
+            nla_put_u64(skb, IFLA_VF_STATS_TX_BYTES,
+                        vf_stats.tx_bytes) ||
+            nla_put_u64(skb, IFLA_VF_STATS_BROADCAST,
+                        vf_stats.broadcast) ||
+            nla_put_u64(skb, IFLA_VF_STATS_MULTICAST,
+                        vf_stats.multicast))
+                return -EMSGSIZE;
+        nla_nest_end(skb, vfstats);
+        nla_nest_end(skb, vf);
+        return 0;
+}
+static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+{
+        struct rtnl_link_ifmap map = {
+                .mem_start   = dev->mem_start,
+                .mem_end     = dev->mem_end,
+                .base_addr   = dev->base_addr,
+                .irq         = dev->irq,
+                .dma         = dev->dma,
+                .port        = dev->if_port,
+        };
+        if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+                return -EMSGSIZE;
+        return 0;
+}
 static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                            int type, u32 pid, u32 seq, u32 change,
                            unsigned int flags, u32 ext_filter_mask)
 {
        struct ifinfomsg *ifm;
        struct nlmsghdr *nlh;
-        struct rtnl_link_stats64 temp;
+        struct nlattr *af_spec;
-        const struct rtnl_link_stats64 *stats;
-        struct nlattr *attr, *af_spec;
        struct rtnl_af_ops *af_ops;
        struct net_device *upper_dev = netdev_master_upper_dev_get(dev);
@@ -1096,18 +1237,8 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
            nla_put_u8(skb, IFLA_PROTO_DOWN, dev->proto_down))
                goto nla_put_failure;
-        if (1) {
+        if (rtnl_fill_link_ifmap(skb, dev))
-                struct rtnl_link_ifmap map = {
+                goto nla_put_failure;
-                        .mem_start   = dev->mem_start,
-                        .mem_end     = dev->mem_end,
-                        .base_addr   = dev->base_addr,
-                        .irq         = dev->irq,
-                        .dma         = dev->dma,
-                        .port        = dev->if_port,
-                };
-                if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
-                        goto nla_put_failure;
-        }
        if (dev->addr_len) {
                if (nla_put(skb, IFLA_ADDRESS, dev->addr_len, dev->dev_addr) ||
@@ -1124,128 +1255,27 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
        if (rtnl_phys_switch_id_fill(skb, dev))
                goto nla_put_failure;
-        attr = nla_reserve(skb, IFLA_STATS,
+        if (rtnl_fill_stats(skb, dev))
-                        sizeof(struct rtnl_link_stats));
-        if (attr == NULL)
-                goto nla_put_failure;
-        stats = dev_get_stats(dev, &temp);
-        copy_rtnl_link_stats(nla_data(attr), stats);
-        attr = nla_reserve(skb, IFLA_STATS64,
-                        sizeof(struct rtnl_link_stats64));
-        if (attr == NULL)
                goto nla_put_failure;
-        copy_rtnl_link_stats64(nla_data(attr), stats);
        if (dev->dev.parent && (ext_filter_mask & RTEXT_FILTER_VF) &&
            nla_put_u32(skb, IFLA_NUM_VF, dev_num_vf(dev->dev.parent)))
                goto nla_put_failure;
-        if (dev->netdev_ops->ndo_get_vf_config && dev->dev.parent
+        if (dev->netdev_ops->ndo_get_vf_config && dev->dev.parent &&
-            && (ext_filter_mask & RTEXT_FILTER_VF)) {
+            ext_filter_mask & RTEXT_FILTER_VF) {
                int i;
+                struct nlattr *vfinfo;
-                struct nlattr *vfinfo, *vf, *vfstats;
                int num_vfs = dev_num_vf(dev->dev.parent);
                vfinfo = nla_nest_start(skb, IFLA_VFINFO_LIST);
                if (!vfinfo)
                        goto nla_put_failure;
                for (i = 0; i < num_vfs; i++) {
-                        struct ifla_vf_info ivi;
+                        if (rtnl_fill_vfinfo(skb, dev, i, vfinfo))
-                        struct ifla_vf_mac vf_mac;
-                        struct ifla_vf_vlan vf_vlan;
-                        struct ifla_vf_rate vf_rate;
-                        struct ifla_vf_tx_rate vf_tx_rate;
-                        struct ifla_vf_spoofchk vf_spoofchk;
-                        struct ifla_vf_link_state vf_linkstate;
-                        struct ifla_vf_rss_query_en vf_rss_query_en;
-                        struct ifla_vf_stats vf_stats;
-                        struct ifla_vf_trust vf_trust;
-                        /*
-                         * Not all SR-IOV capable drivers support the
-                         * spoofcheck and "RSS query enable" query.  Preset to
-                         * -1 so the user space tool can detect that the driver
-                         * didn't report anything.
-                         */
-                        ivi.spoofchk = -1;
-                        ivi.rss_query_en = -1;
-                        ivi.trusted = -1;
-                        memset(ivi.mac, 0, sizeof(ivi.mac));
-                        /* The default value for VF link state is "auto"
-                         * IFLA_VF_LINK_STATE_AUTO which equals zero
-                         */
-                        ivi.linkstate = 0;
-                        if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
-                                break;
-                        vf_mac.vf =
-                                vf_vlan.vf =
-                                vf_rate.vf =
-                                vf_tx_rate.vf =
-                                vf_spoofchk.vf =
-                                vf_linkstate.vf =
-                                vf_rss_query_en.vf =
-                                vf_trust.vf = ivi.vf;
-                        memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
-                        vf_vlan.vlan = ivi.vlan;
-                        vf_vlan.qos = ivi.qos;
-                        vf_tx_rate.rate = ivi.max_tx_rate;
-                        vf_rate.min_tx_rate = ivi.min_tx_rate;
-                        vf_rate.max_tx_rate = ivi.max_tx_rate;
-                        vf_spoofchk.setting = ivi.spoofchk;
-                        vf_linkstate.link_state = ivi.linkstate;
-                        vf_rss_query_en.setting = ivi.rss_query_en;
-                        vf_trust.setting = ivi.trusted;
-                        vf = nla_nest_start(skb, IFLA_VF_INFO);
-                        if (!vf) {
-                                nla_nest_cancel(skb, vfinfo);
-                                goto nla_put_failure;
-                        }
-                        if (nla_put(skb, IFLA_VF_MAC, sizeof(vf_mac), &vf_mac) ||
-                            nla_put(skb, IFLA_VF_VLAN, sizeof(vf_vlan), &vf_vlan) ||
-                            nla_put(skb, IFLA_VF_RATE, sizeof(vf_rate),
-                                    &vf_rate) ||
-                            nla_put(skb, IFLA_VF_TX_RATE, sizeof(vf_tx_rate),
-                                    &vf_tx_rate) ||
-                            nla_put(skb, IFLA_VF_SPOOFCHK, sizeof(vf_spoofchk),
-                                    &vf_spoofchk) ||
-                            nla_put(skb, IFLA_VF_LINK_STATE, sizeof(vf_linkstate),
-                                    &vf_linkstate) ||
-                            nla_put(skb, IFLA_VF_RSS_QUERY_EN,
-                                    sizeof(vf_rss_query_en),
-                                    &vf_rss_query_en) ||
-                            nla_put(skb, IFLA_VF_TRUST,
-                                    sizeof(vf_trust), &vf_trust))
                                goto nla_put_failure;
-                        memset(&vf_stats, 0, sizeof(vf_stats));
-                        if (dev->netdev_ops->ndo_get_vf_stats)
-                                dev->netdev_ops->ndo_get_vf_stats(dev, i,
-                                                                  &vf_stats);
-                        vfstats = nla_nest_start(skb, IFLA_VF_STATS);
-                        if (!vfstats) {
-                                nla_nest_cancel(skb, vf);
-                                nla_nest_cancel(skb, vfinfo);
-                                goto nla_put_failure;
-                        }
-                        if (nla_put_u64(skb, IFLA_VF_STATS_RX_PACKETS,
-                                        vf_stats.rx_packets) ||
-                            nla_put_u64(skb, IFLA_VF_STATS_TX_PACKETS,
-                                        vf_stats.tx_packets) ||
-                            nla_put_u64(skb, IFLA_VF_STATS_RX_BYTES,
-                                        vf_stats.rx_bytes) ||
-                            nla_put_u64(skb, IFLA_VF_STATS_TX_BYTES,
-                                        vf_stats.tx_bytes) ||
-                            nla_put_u64(skb, IFLA_VF_STATS_BROADCAST,
-                                        vf_stats.broadcast) ||
-                            nla_put_u64(skb, IFLA_VF_STATS_MULTICAST,
-                                        vf_stats.multicast))
-                                goto nla_put_failure;
-                        nla_nest_end(skb, vfstats);
-                        nla_nest_end(skb, vf);
                }
                nla_nest_end(skb, vfinfo);
        }
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index aa41e6dd6429..152b9c70e252 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4268,7 +4268,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
                return NULL;
        }
-        memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
+        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
+                2 * ETH_ALEN);
        skb->mac_header += VLAN_HLEN;
        return skb;
 }
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 1feb15f23de8..46b9c887bede 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -563,7 +563,7 @@ static void reqsk_timer_handler(unsigned long data)
        int max_retries, thresh;
        u8 defer_accept;
-        if (sk_listener->sk_state != TCP_LISTEN)
+        if (sk_state_load(sk_listener) != TCP_LISTEN)
                goto drop;
        max_retries = icsk->icsk_syn_retries ? : sysctl_tcp_synack_retries;
@@ -749,7 +749,7 @@ int inet_csk_listen_start(struct sock *sk, int backlog)
         * It is OK, because this socket enters to hash table only
         * after validation is complete.
         */
-        sk->sk_state = TCP_LISTEN;
+        sk_state_store(sk, TCP_LISTEN);
        if (!sk->sk_prot->get_port(sk, inet->inet_num)) {
                inet->inet_sport = htons(inet->inet_num);
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 657d2307f031..b3ca21b2ba9b 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -45,7 +45,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
        struct net *net = nf_ct_net(ct);
        const struct nf_conn *master = ct->master;
        struct nf_conntrack_expect *other_exp;
-        struct nf_conntrack_tuple t;
+        struct nf_conntrack_tuple t = {};
        const struct nf_ct_pptp_master *ct_pptp_info;
        const struct nf_nat_pptp *nat_pptp_info;
        struct nf_nat_range range;
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 8c0d0bdc2a7c..63e5be0abd86 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -406,10 +406,12 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
                        ip_select_ident(net, skb, NULL);
                iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
+                skb->transport_header += iphlen;
+                if (iph->protocol == IPPROTO_ICMP &&
+                    length >= iphlen + sizeof(struct icmphdr))
+                        icmp_out_count(net, ((struct icmphdr *)
+                                skb_transport_header(skb))->type);
        }
-        if (iph->protocol == IPPROTO_ICMP)
-                icmp_out_count(net, ((struct icmphdr *)
-                        skb_transport_header(skb))->type);
        err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
                      net, sk, skb, NULL, rt->dst.dev,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0cfa7c0c1e80..c1728771cf89 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -451,11 +451,14 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
        unsigned int mask;
        struct sock *sk = sock->sk;
        const struct tcp_sock *tp = tcp_sk(sk);
+        int state;
        sock_rps_record_flow(sk);
        sock_poll_wait(file, sk_sleep(sk), wait);
-        if (sk->sk_state == TCP_LISTEN)
+        state = sk_state_load(sk);
+        if (state == TCP_LISTEN)
                return inet_csk_listen_poll(sk);
        /* Socket is not locked. We are protected from async events
@@ -492,14 +495,14 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
         * NOTE. Check for TCP_CLOSE is added. The goal is to prevent
         * blocking on fresh not-connected or disconnected socket. --ANK
         */
-        if (sk->sk_shutdown == SHUTDOWN_MASK || sk->sk_state == TCP_CLOSE)
+        if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
                mask |= POLLHUP;
        if (sk->sk_shutdown & RCV_SHUTDOWN)
                mask |= POLLIN | POLLRDNORM | POLLRDHUP;
        /* Connected or passive Fast Open socket? */
-        if (sk->sk_state != TCP_SYN_SENT &&
+        if (state != TCP_SYN_SENT &&
-            (sk->sk_state != TCP_SYN_RECV || tp->fastopen_rsk)) {
+            (state != TCP_SYN_RECV || tp->fastopen_rsk)) {
                int target = sock_rcvlowat(sk, 0, INT_MAX);
                if (tp->urg_seq == tp->copied_seq &&
@@ -507,9 +510,6 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
                    tp->urg_data)
                        target++;
-                /* Potential race condition. If read of tp below will
-                 * escape above sk->sk_state, we can be illegally awaken
-                 * in SYN_* states. */
                if (tp->rcv_nxt - tp->copied_seq >= target)
                        mask |= POLLIN | POLLRDNORM;
@@ -1934,7 +1934,7 @@ void tcp_set_state(struct sock *sk, int state)
        /* Change state AFTER socket is unhashed to avoid closed
         * socket sitting in hash tables.
         */
-        sk->sk_state = state;
+        sk_state_store(sk, state);
 #ifdef STATE_TRACE
        SOCK_DEBUG(sk, "TCP sk=%p, State %s -> %s\n", sk, statename[oldstate], statename[state]);
@@ -2644,7 +2644,8 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
        if (sk->sk_type != SOCK_STREAM)
                return;
-        info->tcpi_state = sk->sk_state;
+        info->tcpi_state = sk_state_load(sk);
        info->tcpi_ca_state = icsk->icsk_ca_state;
        info->tcpi_retransmits = icsk->icsk_retransmits;
        info->tcpi_probes = icsk->icsk_probes_out;
@@ -2672,7 +2673,7 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
        info->tcpi_snd_mss = tp->mss_cache;
        info->tcpi_rcv_mss = icsk->icsk_ack.rcv_mss;
-        if (sk->sk_state == TCP_LISTEN) {
+        if (info->tcpi_state == TCP_LISTEN) {
                info->tcpi_unacked = sk->sk_ack_backlog;
                info->tcpi_sacked = sk->sk_max_ack_backlog;
        } else {
diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c
index 479f34946177..b31604086edd 100644
--- a/net/ipv4/tcp_diag.c
+++ b/net/ipv4/tcp_diag.c
@@ -21,7 +21,7 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
 {
        struct tcp_info *info = _info;
-        if (sk->sk_state == TCP_LISTEN) {
+        if (sk_state_load(sk) == TCP_LISTEN) {
                r->idiag_rqueue = sk->sk_ack_backlog;
                r->idiag_wqueue = sk->sk_max_ack_backlog;
        } else if (sk->sk_type == SOCK_STREAM) {
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 950e28c0cdf2..ba09016d1bfd 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2158,6 +2158,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i)
        __u16 destp = ntohs(inet->inet_dport);
        __u16 srcp = ntohs(inet->inet_sport);
        int rx_queue;
+        int state;
        if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
            icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
@@ -2175,17 +2176,18 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i)
                timer_expires = jiffies;
        }
-        if (sk->sk_state == TCP_LISTEN)
+        state = sk_state_load(sk);
+        if (state == TCP_LISTEN)
                rx_queue = sk->sk_ack_backlog;
        else
-                /*
+                /* Because we don't lock the socket,
-                 * because we dont lock socket, we might find a transient negative value
+                 * we might find a transient negative value.
                 */
                rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
        seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
                        "%08X %5u %8d %lu %d %pK %lu %lu %u %u %d",
-                i, src, srcp, dest, destp, sk->sk_state,
+                i, src, srcp, dest, destp, state,
                tp->write_seq - tp->snd_una,
                rx_queue,
                timer_active,
@@ -2199,8 +2201,8 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i)
                jiffies_to_clock_t(icsk->icsk_ack.ato),
                (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
                tp->snd_cwnd,
-                sk->sk_state == TCP_LISTEN ?
+                state == TCP_LISTEN ?
-                    (fastopenq ? fastopenq->max_qlen : 0) :
+                    fastopenq->max_qlen :
                    (tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh));
 }
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 124338a39e29..5ee56d0a8699 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1651,7 +1651,6 @@ out:
        if (!err) {
                ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT);
                ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
-                IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
        } else {
                IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
        }
@@ -2015,7 +2014,6 @@ out:
        if (!err) {
                ICMP6MSGOUT_INC_STATS(net, idev, type);
                ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
-                IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len);
        } else
                IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c8bc9b4ac328..6f01fe122abd 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -404,6 +404,14 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
        }
 }
+static bool __rt6_check_expired(const struct rt6_info *rt)
+{
+        if (rt->rt6i_flags & RTF_EXPIRES)
+                return time_after(jiffies, rt->dst.expires);
+        else
+                return false;
+}
 static bool rt6_check_expired(const struct rt6_info *rt)
 {
        if (rt->rt6i_flags & RTF_EXPIRES) {
@@ -1252,7 +1260,8 @@ static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie)
 static struct dst_entry *rt6_dst_from_check(struct rt6_info *rt, u32 cookie)
 {
-        if (rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
+        if (!__rt6_check_expired(rt) &&
+            rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
            rt6_check((struct rt6_info *)(rt->dst.from), cookie))
                return &rt->dst;
        else
@@ -1272,7 +1281,8 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
        rt6_dst_from_metrics_check(rt);
-        if ((rt->rt6i_flags & RTF_PCPU) || unlikely(dst->flags & DST_NOCACHE))
+        if (rt->rt6i_flags & RTF_PCPU ||
+            (unlikely(dst->flags & DST_NOCACHE) && rt->dst.from))
                return rt6_dst_from_check(rt, cookie);
        else
                return rt6_check(rt, cookie);
@@ -1322,6 +1332,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu)
        rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires);
 }
+static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
+{
+        return !(rt->rt6i_flags & RTF_CACHE) &&
+                (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
+}
 static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
                                 const struct ipv6hdr *iph, u32 mtu)
 {
@@ -1335,7 +1351,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
        if (mtu >= dst_mtu(dst))
                return;
-        if (rt6->rt6i_flags & RTF_CACHE) {
+        if (!rt6_cache_allowed_for_pmtu(rt6)) {
                rt6_do_update_pmtu(rt6, mtu);
        } else {
                const struct in6_addr *daddr, *saddr;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 5baa8e754e41..c5429a636f1a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1690,6 +1690,8 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
        const struct tcp_sock *tp = tcp_sk(sp);
        const struct inet_connection_sock *icsk = inet_csk(sp);
        const struct fastopen_queue *fastopenq = &icsk->icsk_accept_queue.fastopenq;
+        int rx_queue;
+        int state;
        dest  = &sp->sk_v6_daddr;
        src   = &sp->sk_v6_rcv_saddr;
@@ -1710,6 +1712,15 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
                timer_expires = jiffies;
        }
+        state = sk_state_load(sp);
+        if (state == TCP_LISTEN)
+                rx_queue = sp->sk_ack_backlog;
+        else
+                /* Because we don't lock the socket,
+                 * we might find a transient negative value.
+                 */
+                rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
        seq_printf(seq,
                   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
                   "%02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %pK %lu %lu %u %u %d\n",
@@ -1718,9 +1729,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
                   src->s6_addr32[2], src->s6_addr32[3], srcp,
                   dest->s6_addr32[0], dest->s6_addr32[1],
                   dest->s6_addr32[2], dest->s6_addr32[3], destp,
-                   sp->sk_state,
+                   state,
-                   tp->write_seq-tp->snd_una,
+                   tp->write_seq - tp->snd_una,
-                   (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
+                   rx_queue,
                   timer_active,
                   jiffies_delta_to_clock_t(timer_expires - jiffies),
                   icsk->icsk_retransmits,
@@ -1732,7 +1743,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
                   jiffies_to_clock_t(icsk->icsk_ack.ato),
                   (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
                   tp->snd_cwnd,
-                   sp->sk_state == TCP_LISTEN ?
+                   state == TCP_LISTEN ?
                        fastopenq->max_qlen :
                        (tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh)
                   );
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e22349ea7256..4692782b5280 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -869,7 +869,7 @@ config NETFILTER_XT_TARGET_TEE
        depends on IPV6 || IPV6=n
        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV4
-        select NF_DUP_IPV6 if IP6_NF_IPTABLES
+        select NF_DUP_IPV6 if IP6_NF_IPTABLES != n
        ---help---
        This option adds a "TEE" target with which a packet can be cloned and
        this clone be rerouted to another nexthop.
@@ -882,7 +882,7 @@ config NETFILTER_XT_TARGET_TPROXY
        depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
        depends on IP_NF_MANGLE
        select NF_DEFRAG_IPV4
-        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
+        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
        help
          This option adds a `TPROXY' target, which is somewhat similar to
          REDIRECT.  It can only be used in the mangle table and is useful
@@ -1375,7 +1375,7 @@ config NETFILTER_XT_MATCH_SOCKET
        depends on IPV6 || IPV6=n
        depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
        select NF_DEFRAG_IPV4
-        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
+        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
        help
          This option adds a `socket' match, which can be used to match
          packets for which a TCP or UDP socket lookup finds a valid socket.
diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h
index d05e759ed0fa..b0bc475f641e 100644
--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -33,7 +33,7 @@
 #define mtype_gc                IPSET_TOKEN(MTYPE, _gc)
 #define mtype                   MTYPE
-#define get_ext(set, map, id)   ((map)->extensions + (set)->dsize * (id))
+#define get_ext(set, map, id)   ((map)->extensions + ((set)->dsize * (id)))
 static void
 mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
@@ -67,12 +67,9 @@ mtype_destroy(struct ip_set *set)
                del_timer_sync(&map->gc);
        ip_set_free(map->members);
-        if (set->dsize) {
+        if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
-                if (set->extensions & IPSET_EXT_DESTROY)
+                mtype_ext_cleanup(set);
-                        mtype_ext_cleanup(set);
+        ip_set_free(map);
-                ip_set_free(map->extensions);
-        }
-        kfree(map);
        set->data = NULL;
 }
@@ -92,16 +89,14 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
 {
        const struct mtype *map = set->data;
        struct nlattr *nested;
+        size_t memsize = sizeof(*map) + map->memsize;
        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
        if (!nested)
                goto nla_put_failure;
        if (mtype_do_head(skb, map) ||
            nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-            nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
+            nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
-                          htonl(sizeof(*map) +
-                                map->memsize +
-                                set->dsize * map->elements)))
                goto nla_put_failure;
        if (unlikely(ip_set_put_flags(skb, set)))
                goto nla_put_failure;
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 64a564334418..4783efff0bde 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -41,7 +41,6 @@ MODULE_ALIAS("ip_set_bitmap:ip");
 /* Type structure */
 struct bitmap_ip {
        void *members;          /* the set members */
-        void *extensions;       /* data extensions */
        u32 first_ip;           /* host byte order, included in range */
        u32 last_ip;            /* host byte order, included in range */
        u32 elements;           /* number of max elements in the set */
@@ -49,6 +48,8 @@ struct bitmap_ip {
        size_t memsize;         /* members size */
        u8 netmask;             /* subnet netmask */
        struct timer_list gc;   /* garbage collection */
+        unsigned char extensions[0]     /* data extensions */
+                __aligned(__alignof__(u64));
 };
 /* ADT structure for generic function args */
@@ -224,13 +225,6 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map,
        map->members = ip_set_alloc(map->memsize);
        if (!map->members)
                return false;
-        if (set->dsize) {
-                map->extensions = ip_set_alloc(set->dsize * elements);
-                if (!map->extensions) {
-                        kfree(map->members);
-                        return false;
-                }
-        }
        map->first_ip = first_ip;
        map->last_ip = last_ip;
        map->elements = elements;
@@ -316,13 +310,13 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
        pr_debug("hosts %u, elements %llu\n",
                 hosts, (unsigned long long)elements);
-        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        set->dsize = ip_set_elem_len(set, tb, 0, 0);
+        map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
        if (!map)
                return -ENOMEM;
        map->memsize = bitmap_bytes(0, elements - 1);
        set->variant = &bitmap_ip;
-        set->dsize = ip_set_elem_len(set, tb, 0);
        if (!init_map_ip(set, map, first_ip, last_ip,
                         elements, hosts, netmask)) {
                kfree(map);
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 1430535118fb..29dde208381d 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -47,24 +47,26 @@ enum {
 /* Type structure */
 struct bitmap_ipmac {
        void *members;          /* the set members */
-        void *extensions;       /* MAC + data extensions */
        u32 first_ip;           /* host byte order, included in range */
        u32 last_ip;            /* host byte order, included in range */
        u32 elements;           /* number of max elements in the set */
        size_t memsize;         /* members size */
        struct timer_list gc;   /* garbage collector */
+        unsigned char extensions[0]     /* MAC + data extensions */
+                __aligned(__alignof__(u64));
 };
 /* ADT structure for generic function args */
 struct bitmap_ipmac_adt_elem {
+        unsigned char ether[ETH_ALEN] __aligned(2);
        u16 id;
-        unsigned char *ether;
+        u16 add_mac;
 };
 struct bitmap_ipmac_elem {
        unsigned char ether[ETH_ALEN];
        unsigned char filled;
-} __attribute__ ((aligned));
+} __aligned(__alignof__(u64));
 static inline u32
 ip_to_id(const struct bitmap_ipmac *m, u32 ip)
@@ -72,11 +74,11 @@ ip_to_id(const struct bitmap_ipmac *m, u32 ip)
        return ip - m->first_ip;
 }
-static inline struct bitmap_ipmac_elem *
+#define get_elem(extensions, id, dsize)         \
-get_elem(void *extensions, u16 id, size_t dsize)
+        (struct bitmap_ipmac_elem *)(extensions + (id) * (dsize))
-{
-        return (struct bitmap_ipmac_elem *)(extensions + id * dsize);
+#define get_const_elem(extensions, id, dsize)   \
-}
+        (const struct bitmap_ipmac_elem *)(extensions + (id) * (dsize))
 /* Common functions */
@@ -88,10 +90,9 @@ bitmap_ipmac_do_test(const struct bitmap_ipmac_adt_elem *e,
        if (!test_bit(e->id, map->members))
                return 0;
-        elem = get_elem(map->extensions, e->id, dsize);
+        elem = get_const_elem(map->extensions, e->id, dsize);
-        if (elem->filled == MAC_FILLED)
+        if (e->add_mac && elem->filled == MAC_FILLED)
-                return !e->ether ||
+                return ether_addr_equal(e->ether, elem->ether);
-                       ether_addr_equal(e->ether, elem->ether);
        /* Trigger kernel to fill out the ethernet address */
        return -EAGAIN;
 }
@@ -103,7 +104,7 @@ bitmap_ipmac_gc_test(u16 id, const struct bitmap_ipmac *map, size_t dsize)
        if (!test_bit(id, map->members))
                return 0;
-        elem = get_elem(map->extensions, id, dsize);
+        elem = get_const_elem(map->extensions, id, dsize);
        /* Timer not started for the incomplete elements */
        return elem->filled == MAC_FILLED;
 }
@@ -133,7 +134,7 @@ bitmap_ipmac_add_timeout(unsigned long *timeout,
                 * and we can reuse it later when MAC is filled out,
                 * possibly by the kernel
                 */
-                if (e->ether)
+                if (e->add_mac)
                        ip_set_timeout_set(timeout, t);
                else
                        *timeout = t;
@@ -150,7 +151,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
        elem = get_elem(map->extensions, e->id, dsize);
        if (test_bit(e->id, map->members)) {
                if (elem->filled == MAC_FILLED) {
-                        if (e->ether &&
+                        if (e->add_mac &&
                            (flags & IPSET_FLAG_EXIST) &&
                            !ether_addr_equal(e->ether, elem->ether)) {
                                /* memcpy isn't atomic */
@@ -159,7 +160,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
                                ether_addr_copy(elem->ether, e->ether);
                        }
                        return IPSET_ADD_FAILED;
-                } else if (!e->ether)
+                } else if (!e->add_mac)
                        /* Already added without ethernet address */
                        return IPSET_ADD_FAILED;
                /* Fill the MAC address and trigger the timer activation */
@@ -168,7 +169,7 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
                ether_addr_copy(elem->ether, e->ether);
                elem->filled = MAC_FILLED;
                return IPSET_ADD_START_STORED_TIMEOUT;
-        } else if (e->ether) {
+        } else if (e->add_mac) {
                /* We can store MAC too */
                ether_addr_copy(elem->ether, e->ether);
                elem->filled = MAC_FILLED;
@@ -191,7 +192,7 @@ bitmap_ipmac_do_list(struct sk_buff *skb, const struct bitmap_ipmac *map,
                     u32 id, size_t dsize)
 {
        const struct bitmap_ipmac_elem *elem =
-                get_elem(map->extensions, id, dsize);
+                get_const_elem(map->extensions, id, dsize);
        return nla_put_ipaddr4(skb, IPSET_ATTR_IP,
                               htonl(map->first_ip + id)) ||
@@ -213,7 +214,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
 {
        struct bitmap_ipmac *map = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
-        struct bitmap_ipmac_adt_elem e = { .id = 0 };
+        struct bitmap_ipmac_adt_elem e = { .id = 0, .add_mac = 1 };
        struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
        u32 ip;
@@ -231,7 +232,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
                return -EINVAL;
        e.id = ip_to_id(map, ip);
-        e.ether = eth_hdr(skb)->h_source;
+        memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN);
        return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
 }
@@ -265,11 +266,10 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
                return -IPSET_ERR_BITMAP_RANGE;
        e.id = ip_to_id(map, ip);
-        if (tb[IPSET_ATTR_ETHER])
+        if (tb[IPSET_ATTR_ETHER]) {
-                e.ether = nla_data(tb[IPSET_ATTR_ETHER]);
+                memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
-        else
+                e.add_mac = 1;
-                e.ether = NULL;
+        }
        ret = adtfn(set, &e, &ext, &ext, flags);
        return ip_set_eexist(ret, flags) ? 0 : ret;
@@ -300,13 +300,6 @@ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
        map->members = ip_set_alloc(map->memsize);
        if (!map->members)
                return false;
-        if (set->dsize) {
-                map->extensions = ip_set_alloc(set->dsize * elements);
-                if (!map->extensions) {
-                        kfree(map->members);
-                        return false;
-                }
-        }
        map->first_ip = first_ip;
        map->last_ip = last_ip;
        map->elements = elements;
@@ -361,14 +354,15 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
        if (elements > IPSET_BITMAP_MAX_RANGE + 1)
                return -IPSET_ERR_BITMAP_RANGE_SIZE;
-        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        set->dsize = ip_set_elem_len(set, tb,
+                                     sizeof(struct bitmap_ipmac_elem),
+                                     __alignof__(struct bitmap_ipmac_elem));
+        map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
        if (!map)
                return -ENOMEM;
        map->memsize = bitmap_bytes(0, elements - 1);
        set->variant = &bitmap_ipmac;
-        set->dsize = ip_set_elem_len(set, tb,
-                                     sizeof(struct bitmap_ipmac_elem));
        if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
                kfree(map);
                return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
index 5338ccd5da46..7f0c733358a4 100644
--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -35,12 +35,13 @@ MODULE_ALIAS("ip_set_bitmap:port");
 /* Type structure */
 struct bitmap_port {
        void *members;          /* the set members */
-        void *extensions;       /* data extensions */
        u16 first_port;         /* host byte order, included in range */
        u16 last_port;          /* host byte order, included in range */
        u32 elements;           /* number of max elements in the set */
        size_t memsize;         /* members size */
        struct timer_list gc;   /* garbage collection */
+        unsigned char extensions[0]     /* data extensions */
+                __aligned(__alignof__(u64));
 };
 /* ADT structure for generic function args */
@@ -209,13 +210,6 @@ init_map_port(struct ip_set *set, struct bitmap_port *map,
        map->members = ip_set_alloc(map->memsize);
        if (!map->members)
                return false;
-        if (set->dsize) {
-                map->extensions = ip_set_alloc(set->dsize * map->elements);
-                if (!map->extensions) {
-                        kfree(map->members);
-                        return false;
-                }
-        }
        map->first_port = first_port;
        map->last_port = last_port;
        set->timeout = IPSET_NO_TIMEOUT;
@@ -232,6 +226,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 {
        struct bitmap_port *map;
        u16 first_port, last_port;
+        u32 elements;
        if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) ||
@@ -248,14 +243,15 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
                last_port = tmp;
        }
-        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        elements = last_port - first_port + 1;
+        set->dsize = ip_set_elem_len(set, tb, 0, 0);
+        map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
        if (!map)
                return -ENOMEM;
-        map->elements = last_port - first_port + 1;
+        map->elements = elements;
        map->memsize = bitmap_bytes(0, map->elements);
        set->variant = &bitmap_port;
-        set->dsize = ip_set_elem_len(set, tb, 0);
        if (!init_map_port(set, map, first_port, last_port)) {
                kfree(map);
                return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 69ab9c2634e1..54f3d7cb23e6 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -364,25 +364,27 @@ add_extension(enum ip_set_ext_id id, u32 flags, struct nlattr *tb[])
 }
 size_t
-ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
+ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
+                size_t align)
 {
        enum ip_set_ext_id id;
-        size_t offset = len;
        u32 cadt_flags = 0;
        if (tb[IPSET_ATTR_CADT_FLAGS])
                cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
        if (cadt_flags & IPSET_FLAG_WITH_FORCEADD)
                set->flags |= IPSET_CREATE_FLAG_FORCEADD;
+        if (!align)
+                align = 1;
        for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
                if (!add_extension(id, cadt_flags, tb))
                        continue;
-                offset = ALIGN(offset, ip_set_extensions[id].align);
+                len = ALIGN(len, ip_set_extensions[id].align);
-                set->offset[id] = offset;
+                set->offset[id] = len;
                set->extensions |= ip_set_extensions[id].type;
-                offset += ip_set_extensions[id].len;
+                len += ip_set_extensions[id].len;
        }
-        return offset;
+        return ALIGN(len, align);
 }
 EXPORT_SYMBOL_GPL(ip_set_elem_len);
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 691b54fcaf2a..e5336ab36d67 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -72,8 +72,9 @@ struct hbucket {
        DECLARE_BITMAP(used, AHASH_MAX_TUNED);
        u8 size;                /* size of the array */
        u8 pos;                 /* position of the first free entry */
-        unsigned char value[0]; /* the array of the values */
+        unsigned char value[0]  /* the array of the values */
-} __attribute__ ((aligned));
+                __aligned(__alignof__(u64));
+};
 /* The hash table: the table size stored here in order to make resizing easy */
 struct htable {
@@ -475,7 +476,7 @@ static void
 mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
 {
        struct htable *t;
-        struct hbucket *n;
+        struct hbucket *n, *tmp;
        struct mtype_elem *data;
        u32 i, j, d;
 #ifdef IP_SET_HASH_WITH_NETS
@@ -510,9 +511,14 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
                        }
                }
                if (d >= AHASH_INIT_SIZE) {
-                        struct hbucket *tmp = kzalloc(sizeof(*tmp) +
+                        if (d >= n->size) {
-                                        (n->size - AHASH_INIT_SIZE) * dsize,
+                                rcu_assign_pointer(hbucket(t, i), NULL);
-                                        GFP_ATOMIC);
+                                kfree_rcu(n, rcu);
+                                continue;
+                        }
+                        tmp = kzalloc(sizeof(*tmp) +
+                                      (n->size - AHASH_INIT_SIZE) * dsize,
+                                      GFP_ATOMIC);
                        if (!tmp)
                                /* Still try to delete expired elements */
                                continue;
@@ -522,7 +528,7 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
                                        continue;
                                data = ahash_data(n, j, dsize);
                                memcpy(tmp->value + d * dsize, data, dsize);
-                                set_bit(j, tmp->used);
+                                set_bit(d, tmp->used);
                                d++;
                        }
                        tmp->pos = d;
@@ -1323,12 +1329,14 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
 #endif
                set->variant = &IPSET_TOKEN(HTYPE, 4_variant);
                set->dsize = ip_set_elem_len(set, tb,
-                                sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)));
+                        sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)),
+                        __alignof__(struct IPSET_TOKEN(HTYPE, 4_elem)));
 #ifndef IP_SET_PROTO_UNDEF
        } else {
                set->variant = &IPSET_TOKEN(HTYPE, 6_variant);
                set->dsize = ip_set_elem_len(set, tb,
-                                sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)));
+                        sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)),
+                        __alignof__(struct IPSET_TOKEN(HTYPE, 6_elem)));
        }
 #endif
        if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 5a30ce6e8c90..bbede95c9f68 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -31,7 +31,7 @@ struct set_elem {
        struct rcu_head rcu;
        struct list_head list;
        ip_set_id_t id;
-};
+} __aligned(__alignof__(u64));
 struct set_adt_elem {
        ip_set_id_t id;
@@ -618,7 +618,8 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
                size = IP_SET_LIST_MIN_SIZE;
        set->variant = &set_variant;
-        set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem));
+        set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem),
+                                     __alignof__(struct set_elem));
        if (!init_list_set(net, set, size))
                return -ENOMEM;
        if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 1e24fff53e4b..f57b4dcdb233 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1176,6 +1176,7 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
        struct ip_vs_protocol *pp;
        struct ip_vs_proto_data *pd;
        struct ip_vs_conn *cp;
+        struct sock *sk;
        EnterFunction(11);
@@ -1183,13 +1184,12 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
        if (skb->ipvs_property)
                return NF_ACCEPT;
+        sk = skb_to_full_sk(skb);
        /* Bad... Do not break raw sockets */
-        if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
+        if (unlikely(sk && hooknum == NF_INET_LOCAL_OUT &&
                     af == AF_INET)) {
-                struct sock *sk = skb->sk;
-                struct inet_sock *inet = inet_sk(skb->sk);
-                if (inet && sk->sk_family == PF_INET && inet->nodefrag)
+                if (sk->sk_family == PF_INET && inet_sk(sk)->nodefrag)
                        return NF_ACCEPT;
        }
@@ -1681,6 +1681,7 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
        struct ip_vs_conn *cp;
        int ret, pkts;
        int conn_reuse_mode;
+        struct sock *sk;
        /* Already marked as IPVS request or reply? */
        if (skb->ipvs_property)
@@ -1708,12 +1709,11 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
        ip_vs_fill_iph_skb(af, skb, false, &iph);
        /* Bad... Do not break raw sockets */
-        if (unlikely(skb->sk != NULL && hooknum == NF_INET_LOCAL_OUT &&
+        sk = skb_to_full_sk(skb);
+        if (unlikely(sk && hooknum == NF_INET_LOCAL_OUT &&
                     af == AF_INET)) {
-                struct sock *sk = skb->sk;
-                struct inet_sock *inet = inet_sk(skb->sk);
-                if (inet && sk->sk_family == PF_INET && inet->nodefrag)
+                if (sk->sk_family == PF_INET && inet_sk(sk)->nodefrag)
                        return NF_ACCEPT;
        }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 06eb48fceb42..740cce4685ac 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -825,7 +825,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
        struct net *net = sock_net(ctnl);
        struct nfnl_log_net *log = nfnl_log_pernet(net);
        int ret = 0;
-        u16 flags;
+        u16 flags = 0;
        if (nfula[NFULA_CFG_CMD]) {
                u_int8_t pf = nfmsg->nfgen_family;
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index 1067fb4c1ffa..c7808fc19719 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -47,27 +47,34 @@ static void nft_counter_eval(const struct nft_expr *expr,
        local_bh_enable();
 }
-static int nft_counter_dump(struct sk_buff *skb, const struct nft_expr *expr)
+static void nft_counter_fetch(const struct nft_counter_percpu __percpu *counter,
+                              struct nft_counter *total)
 {
-        struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+        const struct nft_counter_percpu *cpu_stats;
-        struct nft_counter_percpu *cpu_stats;
-        struct nft_counter total;
        u64 bytes, packets;
        unsigned int seq;
        int cpu;
-        memset(&total, 0, sizeof(total));
+        memset(total, 0, sizeof(*total));
        for_each_possible_cpu(cpu) {
-                cpu_stats = per_cpu_ptr(priv->counter, cpu);
+                cpu_stats = per_cpu_ptr(counter, cpu);
                do {
                        seq     = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
                        bytes   = cpu_stats->counter.bytes;
                        packets = cpu_stats->counter.packets;
                } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
-                total.packets += packets;
+                total->packets += packets;
-                total.bytes += bytes;
+                total->bytes += bytes;
        }
+}
+static int nft_counter_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+        struct nft_counter total;
+        nft_counter_fetch(priv->counter, &total);
        if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)) ||
            nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.packets)))
@@ -118,6 +125,31 @@ static void nft_counter_destroy(const struct nft_ctx *ctx,
        free_percpu(priv->counter);
 }
+static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src)
+{
+        struct nft_counter_percpu_priv *priv = nft_expr_priv(src);
+        struct nft_counter_percpu_priv *priv_clone = nft_expr_priv(dst);
+        struct nft_counter_percpu __percpu *cpu_stats;
+        struct nft_counter_percpu *this_cpu;
+        struct nft_counter total;
+        nft_counter_fetch(priv->counter, &total);
+        cpu_stats = __netdev_alloc_pcpu_stats(struct nft_counter_percpu,
+                                              GFP_ATOMIC);
+        if (cpu_stats == NULL)
+                return ENOMEM;
+        preempt_disable();
+        this_cpu = this_cpu_ptr(cpu_stats);
+        this_cpu->counter.packets = total.packets;
+        this_cpu->counter.bytes = total.bytes;
+        preempt_enable();
+        priv_clone->counter = cpu_stats;
+        return 0;
+}
 static struct nft_expr_type nft_counter_type;
 static const struct nft_expr_ops nft_counter_ops = {
        .type           = &nft_counter_type,
@@ -126,6 +158,7 @@ static const struct nft_expr_ops nft_counter_ops = {
        .init           = nft_counter_init,
        .destroy        = nft_counter_destroy,
        .dump           = nft_counter_dump,
+        .clone          = nft_counter_clone,
 };
 static struct nft_expr_type nft_counter_type __read_mostly = {
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 513a8ef60a59..9dec3bd1b63c 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -50,8 +50,9 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
        }
        ext = nft_set_elem_ext(set, elem);
-        if (priv->expr != NULL)
+        if (priv->expr != NULL &&
-                nft_expr_clone(nft_set_ext_expr(ext), priv->expr);
+            nft_expr_clone(nft_set_ext_expr(ext), priv->expr) < 0)
+                return NULL;
        return elem;
 }
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index af399cac5205..1cf928fb573e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1741,6 +1741,20 @@ static void fanout_release(struct sock *sk)
                kfree_rcu(po->rollover, rcu);
 }
+static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
+                                          struct sk_buff *skb)
+{
+        /* Earlier code assumed this would be a VLAN pkt, double-check
+         * this now that we have the actual packet in hand. We can only
+         * do this check on Ethernet devices.
+         */
+        if (unlikely(dev->type != ARPHRD_ETHER))
+                return false;
+        skb_reset_mac_header(skb);
+        return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q));
+}
 static const struct proto_ops packet_ops;
 static const struct proto_ops packet_ops_spkt;
@@ -1902,18 +1916,10 @@ retry:
                goto retry;
        }
-        if (len > (dev->mtu + dev->hard_header_len + extra_len)) {
+        if (len > (dev->mtu + dev->hard_header_len + extra_len) &&
-                /* Earlier code assumed this would be a VLAN pkt,
+            !packet_extra_vlan_len_allowed(dev, skb)) {
-                 * double-check this now that we have the actual
+                err = -EMSGSIZE;
-                 * packet in hand.
+                goto out_unlock;
-                 */
-                struct ethhdr *ehdr;
-                skb_reset_mac_header(skb);
-                ehdr = eth_hdr(skb);
-                if (ehdr->h_proto != htons(ETH_P_8021Q)) {
-                        err = -EMSGSIZE;
-                        goto out_unlock;
-                }
        }
        skb->protocol = proto;
@@ -2332,6 +2338,15 @@ static bool ll_header_truncated(const struct net_device *dev, int len)
        return false;
 }
+static void tpacket_set_protocol(const struct net_device *dev,
+                                 struct sk_buff *skb)
+{
+        if (dev->type == ARPHRD_ETHER) {
+                skb_reset_mac_header(skb);
+                skb->protocol = eth_hdr(skb)->h_proto;
+        }
+}
 static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
                void *frame, struct net_device *dev, int size_max,
                __be16 proto, unsigned char *addr, int hlen)
@@ -2368,8 +2383,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
        skb_reserve(skb, hlen);
        skb_reset_network_header(skb);
-        if (!packet_use_direct_xmit(po))
-                skb_probe_transport_header(skb, 0);
        if (unlikely(po->tp_tx_has_off)) {
                int off_min, off_max, off;
                off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll);
@@ -2415,6 +2428,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
                                dev->hard_header_len);
                if (unlikely(err))
                        return err;
+                if (!skb->protocol)
+                        tpacket_set_protocol(dev, skb);
                data += dev->hard_header_len;
                to_write -= dev->hard_header_len;
@@ -2449,6 +2464,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
                len = ((to_write > len_max) ? len_max : to_write);
        }
+        skb_probe_transport_header(skb, 0);
        return tp_len;
 }
@@ -2493,12 +2510,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
        if (unlikely(!(dev->flags & IFF_UP)))
                goto out_put;
-        reserve = dev->hard_header_len + VLAN_HLEN;
+        if (po->sk.sk_socket->type == SOCK_RAW)
+                reserve = dev->hard_header_len;
        size_max = po->tx_ring.frame_size
                - (po->tp_hdrlen - sizeof(struct sockaddr_ll));
-        if (size_max > dev->mtu + reserve)
+        if (size_max > dev->mtu + reserve + VLAN_HLEN)
-                size_max = dev->mtu + reserve;
+                size_max = dev->mtu + reserve + VLAN_HLEN;
        do {
                ph = packet_current_frame(po, &po->tx_ring,
@@ -2525,18 +2543,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
                tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
                                          addr, hlen);
                if (likely(tp_len >= 0) &&
-                    tp_len > dev->mtu + dev->hard_header_len) {
+                    tp_len > dev->mtu + reserve &&
-                        struct ethhdr *ehdr;
+                    !packet_extra_vlan_len_allowed(dev, skb))
-                        /* Earlier code assumed this would be a VLAN pkt,
+                        tp_len = -EMSGSIZE;
-                         * double-check this now that we have the actual
-                         * packet in hand.
-                         */
-                        skb_reset_mac_header(skb);
-                        ehdr = eth_hdr(skb);
-                        if (ehdr->h_proto != htons(ETH_P_8021Q))
-                                tp_len = -EMSGSIZE;
-                }
                if (unlikely(tp_len < 0)) {
                        if (po->tp_loss) {
                                __packet_set_status(po, ph,
@@ -2765,18 +2775,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
        sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
-        if (!gso_type && (len > dev->mtu + reserve + extra_len)) {
+        if (!gso_type && (len > dev->mtu + reserve + extra_len) &&
-                /* Earlier code assumed this would be a VLAN pkt,
+            !packet_extra_vlan_len_allowed(dev, skb)) {
-                 * double-check this now that we have the actual
+                err = -EMSGSIZE;
-                 * packet in hand.
+                goto out_free;
-                 */
-                struct ethhdr *ehdr;
-                skb_reset_mac_header(skb);
-                ehdr = eth_hdr(skb);
-                if (ehdr->h_proto != htons(ETH_P_8021Q)) {
-                        err = -EMSGSIZE;
-                        goto out_free;
-                }
        }
        skb->protocol = proto;
@@ -2807,8 +2809,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
                len += vnet_hdr_len;
        }
-        if (!packet_use_direct_xmit(po))
+        skb_probe_transport_header(skb, reserve);
-                skb_probe_transport_header(skb, reserve);
        if (unlikely(extra_len == 4))
                skb->no_fcs = 1;
@@ -4107,7 +4109,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                err = -EINVAL;
                if (unlikely((int)req->tp_block_size <= 0))
                        goto out;
-                if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+                if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
                        goto out;
                if (po->tp_version >= TPACKET_V3 &&
                    (int)(req->tp_block_size -
@@ -4119,8 +4121,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
                        goto out;
-                rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
+                rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
-                if (unlikely(rb->frames_per_block <= 0))
+                if (unlikely(rb->frames_per_block == 0))
                        goto out;
                if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
                                        req->tp_frame_nr))
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 4f15b7d730e1..1543e39f47c3 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -809,8 +809,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
        if (!has_sha1)
                return -EINVAL;
-        memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
+        for (i = 0; i < hmacs->shmac_num_idents; i++)
-                hmacs->shmac_num_idents * sizeof(__u16));
+                ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
        ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
                                hmacs->shmac_num_idents * sizeof(__u16));
        return 0;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index aaa0b58d6aba..955ec152cb71 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -441,6 +441,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
                if (state == TCP_LISTEN)
                        unix_release_sock(skb->sk, 1);
                /* passed fds are erased in the kfree_skb hook        */
+                UNIXCB(skb).consumed = skb->len;
                kfree_skb(skb);
        }
@@ -1799,6 +1800,7 @@ alloc_skb:
                 * this - does no harm
                 */
                consume_skb(newskb);
+                newskb = NULL;
        }
        if (skb_append_pagefrags(skb, page, offset, size)) {
@@ -1811,8 +1813,11 @@ alloc_skb:
        skb->truesize += size;
        atomic_add(size, &sk->sk_wmem_alloc);
-        if (newskb)
+        if (newskb) {
+                spin_lock(&other->sk_receive_queue.lock);
                __skb_queue_tail(&other->sk_receive_queue, newskb);
+                spin_unlock(&other->sk_receive_queue.lock);
+        }
        unix_state_unlock(other);
        mutex_unlock(&unix_sk(other)->readlock);
@@ -2072,6 +2077,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
        do {
                int chunk;
+                bool drop_skb;
                struct sk_buff *skb, *last;
                unix_state_lock(sk);
@@ -2152,7 +2158,11 @@ unlock:
                }
                chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
+                skb_get(skb);
                chunk = state->recv_actor(skb, skip, chunk, state);
+                drop_skb = !unix_skb_len(skb);
+                /* skb is only safe to use if !drop_skb */
+                consume_skb(skb);
                if (chunk < 0) {
                        if (copied == 0)
                                copied = -EFAULT;
@@ -2161,6 +2171,18 @@ unlock:
                copied += chunk;
                size -= chunk;
+                if (drop_skb) {
+                        /* the skb was touched by a concurrent reader;
+                         * we should not expect anything from this skb
+                         * anymore and assume it invalid - we can be
+                         * sure it was dropped from the socket queue
+                         *
+                         * let's report a short read
+                         */
+                        err = 0;
+                        break;
+                }
                /* Mark read part of skb as used */
                if (!(flags & MSG_PEEK)) {
                        UNIXCB(skb).consumed += chunk;
author	Linus Torvalds <torvalds@linux-foundation.org>	2015-11-17 16:52:59 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2015-11-17 16:52:59 -0500
commit	7f151f1d8abb7d5930b49d4796b463dca1673cb7 (patch)
tree	f995b6444729c105fe0a123b8240ef3dc3f1bf4a /net
parent	a18ab2f6cb79eeccedea61b8c7bf71d24e087d42 (diff)
parent	e7523a497d48a9921983a80670f7a02dc4639d41 (diff)