aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorSean Paul <seanpaul@chromium.org>2018-04-16 10:47:13 -0400
committerSean Paul <seanpaul@chromium.org>2018-04-16 10:47:13 -0400
commit8089f9f5a32938ddefb1767b8ee14bb7996e5e2f (patch)
treec6c8924fda51c7f54bebffa63a41ae15954995bf /net
parentc0db1b677e1d584fab5d7ac76a32e1c0157542e0 (diff)
parenta10beabba213924d876f2d10ca9351aeab93f58a (diff)
Merge airlied/drm-next into drm-misc-fixes
Fast forwarding -fixes for 4.17. Signed-off-by: Sean Paul <seanpaul@chromium.org>
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan_core.c4
-rw-r--r--net/batman-adv/distributed-arp-table.c2
-rw-r--r--net/batman-adv/icmp_socket.c1
-rw-r--r--net/batman-adv/log.c1
-rw-r--r--net/batman-adv/multicast.c4
-rw-r--r--net/batman-adv/routing.c25
-rw-r--r--net/bluetooth/smp.c8
-rw-r--r--net/bridge/netfilter/ebt_among.c34
-rw-r--r--net/bridge/netfilter/ebtables.c6
-rw-r--r--net/core/dev.c22
-rw-r--r--net/core/dev_ioctl.c7
-rw-r--r--net/core/devlink.c16
-rw-r--r--net/core/filter.c60
-rw-r--r--net/core/skbuff.c11
-rw-r--r--net/core/sock.c21
-rw-r--r--net/core/sock_diag.c12
-rw-r--r--net/dccp/proto.c5
-rw-r--r--net/dsa/legacy.c2
-rw-r--r--net/ieee802154/6lowpan/core.c12
-rw-r--r--net/ipv4/inet_diag.c3
-rw-r--r--net/ipv4/inet_fragment.c3
-rw-r--r--net/ipv4/ip_sockglue.c6
-rw-r--r--net/ipv4/route.c47
-rw-r--r--net/ipv4/tcp.c1
-rw-r--r--net/ipv4/tcp_timer.c1
-rw-r--r--net/ipv4/xfrm4_mode_tunnel.c3
-rw-r--r--net/ipv4/xfrm4_policy.c5
-rw-r--r--net/ipv6/datagram.c21
-rw-r--r--net/ipv6/ip6_gre.c8
-rw-r--r--net/ipv6/ndisc.c3
-rw-r--r--net/ipv6/route.c76
-rw-r--r--net/ipv6/seg6_iptunnel.c7
-rw-r--r--net/ipv6/xfrm6_mode_tunnel.c3
-rw-r--r--net/ipv6/xfrm6_policy.c5
-rw-r--r--net/iucv/af_iucv.c4
-rw-r--r--net/kcm/kcmsock.c33
-rw-r--r--net/l2tp/l2tp_core.c46
-rw-r--r--net/l2tp/l2tp_core.h3
-rw-r--r--net/mac80211/debugfs.c1
-rw-r--r--net/mac80211/mlme.c3
-rw-r--r--net/netfilter/nf_tables_api.c1
-rw-r--r--net/netfilter/nft_set_hash.c2
-rw-r--r--net/netfilter/x_tables.c30
-rw-r--r--net/netfilter/xt_hashlimit.c16
-rw-r--r--net/netfilter/xt_recent.c6
-rw-r--r--net/netlink/genetlink.c2
-rw-r--r--net/openvswitch/meter.c12
-rw-r--r--net/sched/act_bpf.c2
-rw-r--r--net/sched/act_csum.c5
-rw-r--r--net/sched/act_ipt.c9
-rw-r--r--net/sched/act_pedit.c2
-rw-r--r--net/sched/act_police.c2
-rw-r--r--net/sched/act_sample.c3
-rw-r--r--net/sched/act_simple.c2
-rw-r--r--net/sched/act_skbmod.c5
-rw-r--r--net/sched/act_tunnel_key.c10
-rw-r--r--net/sched/act_vlan.c5
-rw-r--r--net/sched/sch_generic.c22
-rw-r--r--net/sched/sch_netem.c2
-rw-r--r--net/sctp/input.c8
-rw-r--r--net/sctp/inqueue.c2
-rw-r--r--net/sctp/offload.c2
-rw-r--r--net/smc/af_smc.c4
-rw-r--r--net/smc/smc_close.c25
-rw-r--r--net/socket.c5
-rw-r--r--net/xfrm/xfrm_ipcomp.c2
-rw-r--r--net/xfrm/xfrm_policy.c13
-rw-r--r--net/xfrm/xfrm_replay.c2
-rw-r--r--net/xfrm/xfrm_state.c5
-rw-r--r--net/xfrm/xfrm_user.c21
70 files changed, 493 insertions, 269 deletions
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 64aa9f755e1d..45c9bf5ff3a0 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -48,8 +48,8 @@ bool vlan_do_receive(struct sk_buff **skbp)
48 * original position later 48 * original position later
49 */ 49 */
50 skb_push(skb, offset); 50 skb_push(skb, offset);
51 skb = *skbp = vlan_insert_tag(skb, skb->vlan_proto, 51 skb = *skbp = vlan_insert_inner_tag(skb, skb->vlan_proto,
52 skb->vlan_tci); 52 skb->vlan_tci, skb->mac_len);
53 if (!skb) 53 if (!skb)
54 return false; 54 return false;
55 skb_pull(skb, offset + VLAN_HLEN); 55 skb_pull(skb, offset + VLAN_HLEN);
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 9703c791ffc5..87cd962d28d5 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -393,7 +393,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
393 batadv_arp_hw_src(skb, hdr_size), &ip_src, 393 batadv_arp_hw_src(skb, hdr_size), &ip_src,
394 batadv_arp_hw_dst(skb, hdr_size), &ip_dst); 394 batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
395 395
396 if (hdr_size == 0) 396 if (hdr_size < sizeof(struct batadv_unicast_packet))
397 return; 397 return;
398 398
399 unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data; 399 unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index e91f29c7c638..5daa3d50da17 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -24,6 +24,7 @@
24#include <linux/debugfs.h> 24#include <linux/debugfs.h>
25#include <linux/errno.h> 25#include <linux/errno.h>
26#include <linux/etherdevice.h> 26#include <linux/etherdevice.h>
27#include <linux/eventpoll.h>
27#include <linux/export.h> 28#include <linux/export.h>
28#include <linux/fcntl.h> 29#include <linux/fcntl.h>
29#include <linux/fs.h> 30#include <linux/fs.h>
diff --git a/net/batman-adv/log.c b/net/batman-adv/log.c
index dc9fa37ddd14..cdbe0e5e208b 100644
--- a/net/batman-adv/log.c
+++ b/net/batman-adv/log.c
@@ -22,6 +22,7 @@
22#include <linux/compiler.h> 22#include <linux/compiler.h>
23#include <linux/debugfs.h> 23#include <linux/debugfs.h>
24#include <linux/errno.h> 24#include <linux/errno.h>
25#include <linux/eventpoll.h>
25#include <linux/export.h> 26#include <linux/export.h>
26#include <linux/fcntl.h> 27#include <linux/fcntl.h>
27#include <linux/fs.h> 28#include <linux/fs.h>
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index cbdeb47ec3f6..d70640135e3a 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -543,8 +543,8 @@ update:
543 bat_priv->mcast.enabled = true; 543 bat_priv->mcast.enabled = true;
544 } 544 }
545 545
546 return !(mcast_data.flags & 546 return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 &&
547 (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6)); 547 mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6);
548} 548}
549 549
550/** 550/**
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index b6891e8b741c..e61dc1293bb5 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -759,6 +759,7 @@ free_skb:
759/** 759/**
760 * batadv_reroute_unicast_packet() - update the unicast header for re-routing 760 * batadv_reroute_unicast_packet() - update the unicast header for re-routing
761 * @bat_priv: the bat priv with all the soft interface information 761 * @bat_priv: the bat priv with all the soft interface information
762 * @skb: unicast packet to process
762 * @unicast_packet: the unicast header to be updated 763 * @unicast_packet: the unicast header to be updated
763 * @dst_addr: the payload destination 764 * @dst_addr: the payload destination
764 * @vid: VLAN identifier 765 * @vid: VLAN identifier
@@ -770,7 +771,7 @@ free_skb:
770 * Return: true if the packet header has been updated, false otherwise 771 * Return: true if the packet header has been updated, false otherwise
771 */ 772 */
772static bool 773static bool
773batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, 774batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
774 struct batadv_unicast_packet *unicast_packet, 775 struct batadv_unicast_packet *unicast_packet,
775 u8 *dst_addr, unsigned short vid) 776 u8 *dst_addr, unsigned short vid)
776{ 777{
@@ -799,8 +800,10 @@ batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
799 } 800 }
800 801
801 /* update the packet header */ 802 /* update the packet header */
803 skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
802 ether_addr_copy(unicast_packet->dest, orig_addr); 804 ether_addr_copy(unicast_packet->dest, orig_addr);
803 unicast_packet->ttvn = orig_ttvn; 805 unicast_packet->ttvn = orig_ttvn;
806 skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
804 807
805 ret = true; 808 ret = true;
806out: 809out:
@@ -841,7 +844,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
841 * the packet to 844 * the packet to
842 */ 845 */
843 if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) { 846 if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) {
844 if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, 847 if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
845 ethhdr->h_dest, vid)) 848 ethhdr->h_dest, vid))
846 batadv_dbg_ratelimited(BATADV_DBG_TT, 849 batadv_dbg_ratelimited(BATADV_DBG_TT,
847 bat_priv, 850 bat_priv,
@@ -887,7 +890,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
887 * destination can possibly be updated and forwarded towards the new 890 * destination can possibly be updated and forwarded towards the new
888 * target host 891 * target host
889 */ 892 */
890 if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, 893 if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
891 ethhdr->h_dest, vid)) { 894 ethhdr->h_dest, vid)) {
892 batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv, 895 batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv,
893 "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n", 896 "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n",
@@ -910,12 +913,14 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
910 if (!primary_if) 913 if (!primary_if)
911 return false; 914 return false;
912 915
916 /* update the packet header */
917 skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
913 ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr); 918 ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr);
919 unicast_packet->ttvn = curr_ttvn;
920 skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
914 921
915 batadv_hardif_put(primary_if); 922 batadv_hardif_put(primary_if);
916 923
917 unicast_packet->ttvn = curr_ttvn;
918
919 return true; 924 return true;
920} 925}
921 926
@@ -968,14 +973,10 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
968 struct batadv_orig_node *orig_node = NULL, *orig_node_gw = NULL; 973 struct batadv_orig_node *orig_node = NULL, *orig_node_gw = NULL;
969 int check, hdr_size = sizeof(*unicast_packet); 974 int check, hdr_size = sizeof(*unicast_packet);
970 enum batadv_subtype subtype; 975 enum batadv_subtype subtype;
971 struct ethhdr *ethhdr;
972 int ret = NET_RX_DROP; 976 int ret = NET_RX_DROP;
973 bool is4addr, is_gw; 977 bool is4addr, is_gw;
974 978
975 unicast_packet = (struct batadv_unicast_packet *)skb->data; 979 unicast_packet = (struct batadv_unicast_packet *)skb->data;
976 unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
977 ethhdr = eth_hdr(skb);
978
979 is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR; 980 is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
980 /* the caller function should have already pulled 2 bytes */ 981 /* the caller function should have already pulled 2 bytes */
981 if (is4addr) 982 if (is4addr)
@@ -995,12 +996,14 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
995 if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size)) 996 if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
996 goto free_skb; 997 goto free_skb;
997 998
999 unicast_packet = (struct batadv_unicast_packet *)skb->data;
1000
998 /* packet for me */ 1001 /* packet for me */
999 if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) { 1002 if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
1000 /* If this is a unicast packet from another backgone gw, 1003 /* If this is a unicast packet from another backgone gw,
1001 * drop it. 1004 * drop it.
1002 */ 1005 */
1003 orig_addr_gw = ethhdr->h_source; 1006 orig_addr_gw = eth_hdr(skb)->h_source;
1004 orig_node_gw = batadv_orig_hash_find(bat_priv, orig_addr_gw); 1007 orig_node_gw = batadv_orig_hash_find(bat_priv, orig_addr_gw);
1005 if (orig_node_gw) { 1008 if (orig_node_gw) {
1006 is_gw = batadv_bla_is_backbone_gw(skb, orig_node_gw, 1009 is_gw = batadv_bla_is_backbone_gw(skb, orig_node_gw,
@@ -1015,6 +1018,8 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
1015 } 1018 }
1016 1019
1017 if (is4addr) { 1020 if (is4addr) {
1021 unicast_4addr_packet =
1022 (struct batadv_unicast_4addr_packet *)skb->data;
1018 subtype = unicast_4addr_packet->subtype; 1023 subtype = unicast_4addr_packet->subtype;
1019 batadv_dat_inc_counter(bat_priv, subtype); 1024 batadv_dat_inc_counter(bat_priv, subtype);
1020 1025
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 01117ae84f1d..a2ddae2f37d7 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2296,8 +2296,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2296 else 2296 else
2297 sec_level = authreq_to_seclevel(auth); 2297 sec_level = authreq_to_seclevel(auth);
2298 2298
2299 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2299 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2300 /* If link is already encrypted with sufficient security we
2301 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2302 * Part H 2.4.6
2303 */
2304 smp_ltk_encrypt(conn, hcon->sec_level);
2300 return 0; 2305 return 0;
2306 }
2301 2307
2302 if (sec_level > hcon->pending_sec_level) 2308 if (sec_level > hcon->pending_sec_level)
2303 hcon->pending_sec_level = sec_level; 2309 hcon->pending_sec_level = sec_level;
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index c5afb4232ecb..620e54f08296 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
177 return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); 177 return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
178} 178}
179 179
180static bool wormhash_offset_invalid(int off, unsigned int len)
181{
182 if (off == 0) /* not present */
183 return false;
184
185 if (off < (int)sizeof(struct ebt_among_info) ||
186 off % __alignof__(struct ebt_mac_wormhash))
187 return true;
188
189 off += sizeof(struct ebt_mac_wormhash);
190
191 return off > len;
192}
193
194static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
195{
196 if (a == 0)
197 a = sizeof(struct ebt_among_info);
198
199 return ebt_mac_wormhash_size(wh) + a == b;
200}
201
180static int ebt_among_mt_check(const struct xt_mtchk_param *par) 202static int ebt_among_mt_check(const struct xt_mtchk_param *par)
181{ 203{
182 const struct ebt_among_info *info = par->matchinfo; 204 const struct ebt_among_info *info = par->matchinfo;
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
189 if (expected_length > em->match_size) 211 if (expected_length > em->match_size)
190 return -EINVAL; 212 return -EINVAL;
191 213
214 if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
215 wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
216 return -EINVAL;
217
192 wh_dst = ebt_among_wh_dst(info); 218 wh_dst = ebt_among_wh_dst(info);
193 if (poolsize_invalid(wh_dst)) 219 if (poolsize_invalid(wh_dst))
194 return -EINVAL; 220 return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
201 if (poolsize_invalid(wh_src)) 227 if (poolsize_invalid(wh_src))
202 return -EINVAL; 228 return -EINVAL;
203 229
230 if (info->wh_src_ofs < info->wh_dst_ofs) {
231 if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
232 return -EINVAL;
233 } else {
234 if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
235 return -EINVAL;
236 }
237
204 expected_length += ebt_mac_wormhash_size(wh_src); 238 expected_length += ebt_mac_wormhash_size(wh_src);
205 239
206 if (em->match_size != EBT_ALIGN(expected_length)) { 240 if (em->match_size != EBT_ALIGN(expected_length)) {
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 254ef9f49567..a94d23b0a9af 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2119,8 +2119,12 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2119 * offsets are relative to beginning of struct ebt_entry (i.e., 0). 2119 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2120 */ 2120 */
2121 for (i = 0; i < 4 ; ++i) { 2121 for (i = 0; i < 4 ; ++i) {
2122 if (offsets[i] >= *total) 2122 if (offsets[i] > *total)
2123 return -EINVAL; 2123 return -EINVAL;
2124
2125 if (i < 3 && offsets[i] == *total)
2126 return -EINVAL;
2127
2124 if (i == 0) 2128 if (i == 0)
2125 continue; 2129 continue;
2126 if (offsets[i-1] > offsets[i]) 2130 if (offsets[i-1] > offsets[i])
diff --git a/net/core/dev.c b/net/core/dev.c
index 2cedf520cb28..12be20535714 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3278,15 +3278,23 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
3278#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) 3278#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
3279static void skb_update_prio(struct sk_buff *skb) 3279static void skb_update_prio(struct sk_buff *skb)
3280{ 3280{
3281 struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap); 3281 const struct netprio_map *map;
3282 const struct sock *sk;
3283 unsigned int prioidx;
3282 3284
3283 if (!skb->priority && skb->sk && map) { 3285 if (skb->priority)
3284 unsigned int prioidx = 3286 return;
3285 sock_cgroup_prioidx(&skb->sk->sk_cgrp_data); 3287 map = rcu_dereference_bh(skb->dev->priomap);
3288 if (!map)
3289 return;
3290 sk = skb_to_full_sk(skb);
3291 if (!sk)
3292 return;
3286 3293
3287 if (prioidx < map->priomap_len) 3294 prioidx = sock_cgroup_prioidx(&sk->sk_cgrp_data);
3288 skb->priority = map->priomap[prioidx]; 3295
3289 } 3296 if (prioidx < map->priomap_len)
3297 skb->priority = map->priomap[prioidx];
3290} 3298}
3291#else 3299#else
3292#define skb_update_prio(skb) 3300#define skb_update_prio(skb)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 0ab1af04296c..a04e1e88bf3a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -402,8 +402,6 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
402 if (colon) 402 if (colon)
403 *colon = 0; 403 *colon = 0;
404 404
405 dev_load(net, ifr->ifr_name);
406
407 /* 405 /*
408 * See which interface the caller is talking about. 406 * See which interface the caller is talking about.
409 */ 407 */
@@ -423,6 +421,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
423 case SIOCGIFMAP: 421 case SIOCGIFMAP:
424 case SIOCGIFINDEX: 422 case SIOCGIFINDEX:
425 case SIOCGIFTXQLEN: 423 case SIOCGIFTXQLEN:
424 dev_load(net, ifr->ifr_name);
426 rcu_read_lock(); 425 rcu_read_lock();
427 ret = dev_ifsioc_locked(net, ifr, cmd); 426 ret = dev_ifsioc_locked(net, ifr, cmd);
428 rcu_read_unlock(); 427 rcu_read_unlock();
@@ -431,6 +430,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
431 return ret; 430 return ret;
432 431
433 case SIOCETHTOOL: 432 case SIOCETHTOOL:
433 dev_load(net, ifr->ifr_name);
434 rtnl_lock(); 434 rtnl_lock();
435 ret = dev_ethtool(net, ifr); 435 ret = dev_ethtool(net, ifr);
436 rtnl_unlock(); 436 rtnl_unlock();
@@ -447,6 +447,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
447 case SIOCGMIIPHY: 447 case SIOCGMIIPHY:
448 case SIOCGMIIREG: 448 case SIOCGMIIREG:
449 case SIOCSIFNAME: 449 case SIOCSIFNAME:
450 dev_load(net, ifr->ifr_name);
450 if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) 451 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
451 return -EPERM; 452 return -EPERM;
452 rtnl_lock(); 453 rtnl_lock();
@@ -494,6 +495,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
494 /* fall through */ 495 /* fall through */
495 case SIOCBONDSLAVEINFOQUERY: 496 case SIOCBONDSLAVEINFOQUERY:
496 case SIOCBONDINFOQUERY: 497 case SIOCBONDINFOQUERY:
498 dev_load(net, ifr->ifr_name);
497 rtnl_lock(); 499 rtnl_lock();
498 ret = dev_ifsioc(net, ifr, cmd); 500 ret = dev_ifsioc(net, ifr, cmd);
499 rtnl_unlock(); 501 rtnl_unlock();
@@ -518,6 +520,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
518 cmd == SIOCGHWTSTAMP || 520 cmd == SIOCGHWTSTAMP ||
519 (cmd >= SIOCDEVPRIVATE && 521 (cmd >= SIOCDEVPRIVATE &&
520 cmd <= SIOCDEVPRIVATE + 15)) { 522 cmd <= SIOCDEVPRIVATE + 15)) {
523 dev_load(net, ifr->ifr_name);
521 rtnl_lock(); 524 rtnl_lock();
522 ret = dev_ifsioc(net, ifr, cmd); 525 ret = dev_ifsioc(net, ifr, cmd);
523 rtnl_unlock(); 526 rtnl_unlock();
diff --git a/net/core/devlink.c b/net/core/devlink.c
index 2f2307d94787..effd4848c2b4 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -1798,7 +1798,7 @@ send_done:
1798 if (!nlh) { 1798 if (!nlh) {
1799 err = devlink_dpipe_send_and_alloc_skb(&skb, info); 1799 err = devlink_dpipe_send_and_alloc_skb(&skb, info);
1800 if (err) 1800 if (err)
1801 goto err_skb_send_alloc; 1801 return err;
1802 goto send_done; 1802 goto send_done;
1803 } 1803 }
1804 1804
@@ -1807,7 +1807,6 @@ send_done:
1807nla_put_failure: 1807nla_put_failure:
1808 err = -EMSGSIZE; 1808 err = -EMSGSIZE;
1809err_table_put: 1809err_table_put:
1810err_skb_send_alloc:
1811 genlmsg_cancel(skb, hdr); 1810 genlmsg_cancel(skb, hdr);
1812 nlmsg_free(skb); 1811 nlmsg_free(skb);
1813 return err; 1812 return err;
@@ -2073,7 +2072,7 @@ static int devlink_dpipe_entries_fill(struct genl_info *info,
2073 table->counters_enabled, 2072 table->counters_enabled,
2074 &dump_ctx); 2073 &dump_ctx);
2075 if (err) 2074 if (err)
2076 goto err_entries_dump; 2075 return err;
2077 2076
2078send_done: 2077send_done:
2079 nlh = nlmsg_put(dump_ctx.skb, info->snd_portid, info->snd_seq, 2078 nlh = nlmsg_put(dump_ctx.skb, info->snd_portid, info->snd_seq,
@@ -2081,16 +2080,10 @@ send_done:
2081 if (!nlh) { 2080 if (!nlh) {
2082 err = devlink_dpipe_send_and_alloc_skb(&dump_ctx.skb, info); 2081 err = devlink_dpipe_send_and_alloc_skb(&dump_ctx.skb, info);
2083 if (err) 2082 if (err)
2084 goto err_skb_send_alloc; 2083 return err;
2085 goto send_done; 2084 goto send_done;
2086 } 2085 }
2087 return genlmsg_reply(dump_ctx.skb, info); 2086 return genlmsg_reply(dump_ctx.skb, info);
2088
2089err_entries_dump:
2090err_skb_send_alloc:
2091 genlmsg_cancel(dump_ctx.skb, dump_ctx.hdr);
2092 nlmsg_free(dump_ctx.skb);
2093 return err;
2094} 2087}
2095 2088
2096static int devlink_nl_cmd_dpipe_entries_get(struct sk_buff *skb, 2089static int devlink_nl_cmd_dpipe_entries_get(struct sk_buff *skb,
@@ -2229,7 +2222,7 @@ send_done:
2229 if (!nlh) { 2222 if (!nlh) {
2230 err = devlink_dpipe_send_and_alloc_skb(&skb, info); 2223 err = devlink_dpipe_send_and_alloc_skb(&skb, info);
2231 if (err) 2224 if (err)
2232 goto err_skb_send_alloc; 2225 return err;
2233 goto send_done; 2226 goto send_done;
2234 } 2227 }
2235 return genlmsg_reply(skb, info); 2228 return genlmsg_reply(skb, info);
@@ -2237,7 +2230,6 @@ send_done:
2237nla_put_failure: 2230nla_put_failure:
2238 err = -EMSGSIZE; 2231 err = -EMSGSIZE;
2239err_table_put: 2232err_table_put:
2240err_skb_send_alloc:
2241 genlmsg_cancel(skb, hdr); 2233 genlmsg_cancel(skb, hdr);
2242 nlmsg_free(skb); 2234 nlmsg_free(skb);
2243 return err; 2235 return err;
diff --git a/net/core/filter.c b/net/core/filter.c
index 0c121adbdbaa..48aa7c7320db 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2087,6 +2087,10 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
2087 u32 off = skb_mac_header_len(skb); 2087 u32 off = skb_mac_header_len(skb);
2088 int ret; 2088 int ret;
2089 2089
2090 /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
2091 if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
2092 return -ENOTSUPP;
2093
2090 ret = skb_cow(skb, len_diff); 2094 ret = skb_cow(skb, len_diff);
2091 if (unlikely(ret < 0)) 2095 if (unlikely(ret < 0))
2092 return ret; 2096 return ret;
@@ -2096,19 +2100,21 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
2096 return ret; 2100 return ret;
2097 2101
2098 if (skb_is_gso(skb)) { 2102 if (skb_is_gso(skb)) {
2103 struct skb_shared_info *shinfo = skb_shinfo(skb);
2104
2099 /* SKB_GSO_TCPV4 needs to be changed into 2105 /* SKB_GSO_TCPV4 needs to be changed into
2100 * SKB_GSO_TCPV6. 2106 * SKB_GSO_TCPV6.
2101 */ 2107 */
2102 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) { 2108 if (shinfo->gso_type & SKB_GSO_TCPV4) {
2103 skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV4; 2109 shinfo->gso_type &= ~SKB_GSO_TCPV4;
2104 skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV6; 2110 shinfo->gso_type |= SKB_GSO_TCPV6;
2105 } 2111 }
2106 2112
2107 /* Due to IPv6 header, MSS needs to be downgraded. */ 2113 /* Due to IPv6 header, MSS needs to be downgraded. */
2108 skb_shinfo(skb)->gso_size -= len_diff; 2114 skb_decrease_gso_size(shinfo, len_diff);
2109 /* Header must be checked, and gso_segs recomputed. */ 2115 /* Header must be checked, and gso_segs recomputed. */
2110 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; 2116 shinfo->gso_type |= SKB_GSO_DODGY;
2111 skb_shinfo(skb)->gso_segs = 0; 2117 shinfo->gso_segs = 0;
2112 } 2118 }
2113 2119
2114 skb->protocol = htons(ETH_P_IPV6); 2120 skb->protocol = htons(ETH_P_IPV6);
@@ -2123,6 +2129,10 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
2123 u32 off = skb_mac_header_len(skb); 2129 u32 off = skb_mac_header_len(skb);
2124 int ret; 2130 int ret;
2125 2131
2132 /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
2133 if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
2134 return -ENOTSUPP;
2135
2126 ret = skb_unclone(skb, GFP_ATOMIC); 2136 ret = skb_unclone(skb, GFP_ATOMIC);
2127 if (unlikely(ret < 0)) 2137 if (unlikely(ret < 0))
2128 return ret; 2138 return ret;
@@ -2132,19 +2142,21 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
2132 return ret; 2142 return ret;
2133 2143
2134 if (skb_is_gso(skb)) { 2144 if (skb_is_gso(skb)) {
2145 struct skb_shared_info *shinfo = skb_shinfo(skb);
2146
2135 /* SKB_GSO_TCPV6 needs to be changed into 2147 /* SKB_GSO_TCPV6 needs to be changed into
2136 * SKB_GSO_TCPV4. 2148 * SKB_GSO_TCPV4.
2137 */ 2149 */
2138 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) { 2150 if (shinfo->gso_type & SKB_GSO_TCPV6) {
2139 skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV6; 2151 shinfo->gso_type &= ~SKB_GSO_TCPV6;
2140 skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4; 2152 shinfo->gso_type |= SKB_GSO_TCPV4;
2141 } 2153 }
2142 2154
2143 /* Due to IPv4 header, MSS can be upgraded. */ 2155 /* Due to IPv4 header, MSS can be upgraded. */
2144 skb_shinfo(skb)->gso_size += len_diff; 2156 skb_increase_gso_size(shinfo, len_diff);
2145 /* Header must be checked, and gso_segs recomputed. */ 2157 /* Header must be checked, and gso_segs recomputed. */
2146 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; 2158 shinfo->gso_type |= SKB_GSO_DODGY;
2147 skb_shinfo(skb)->gso_segs = 0; 2159 shinfo->gso_segs = 0;
2148 } 2160 }
2149 2161
2150 skb->protocol = htons(ETH_P_IP); 2162 skb->protocol = htons(ETH_P_IP);
@@ -2243,6 +2255,10 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
2243 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); 2255 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
2244 int ret; 2256 int ret;
2245 2257
2258 /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
2259 if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
2260 return -ENOTSUPP;
2261
2246 ret = skb_cow(skb, len_diff); 2262 ret = skb_cow(skb, len_diff);
2247 if (unlikely(ret < 0)) 2263 if (unlikely(ret < 0))
2248 return ret; 2264 return ret;
@@ -2252,11 +2268,13 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
2252 return ret; 2268 return ret;
2253 2269
2254 if (skb_is_gso(skb)) { 2270 if (skb_is_gso(skb)) {
2271 struct skb_shared_info *shinfo = skb_shinfo(skb);
2272
2255 /* Due to header grow, MSS needs to be downgraded. */ 2273 /* Due to header grow, MSS needs to be downgraded. */
2256 skb_shinfo(skb)->gso_size -= len_diff; 2274 skb_decrease_gso_size(shinfo, len_diff);
2257 /* Header must be checked, and gso_segs recomputed. */ 2275 /* Header must be checked, and gso_segs recomputed. */
2258 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; 2276 shinfo->gso_type |= SKB_GSO_DODGY;
2259 skb_shinfo(skb)->gso_segs = 0; 2277 shinfo->gso_segs = 0;
2260 } 2278 }
2261 2279
2262 return 0; 2280 return 0;
@@ -2267,6 +2285,10 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
2267 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb); 2285 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
2268 int ret; 2286 int ret;
2269 2287
2288 /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
2289 if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
2290 return -ENOTSUPP;
2291
2270 ret = skb_unclone(skb, GFP_ATOMIC); 2292 ret = skb_unclone(skb, GFP_ATOMIC);
2271 if (unlikely(ret < 0)) 2293 if (unlikely(ret < 0))
2272 return ret; 2294 return ret;
@@ -2276,11 +2298,13 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
2276 return ret; 2298 return ret;
2277 2299
2278 if (skb_is_gso(skb)) { 2300 if (skb_is_gso(skb)) {
2301 struct skb_shared_info *shinfo = skb_shinfo(skb);
2302
2279 /* Due to header shrink, MSS can be upgraded. */ 2303 /* Due to header shrink, MSS can be upgraded. */
2280 skb_shinfo(skb)->gso_size += len_diff; 2304 skb_increase_gso_size(shinfo, len_diff);
2281 /* Header must be checked, and gso_segs recomputed. */ 2305 /* Header must be checked, and gso_segs recomputed. */
2282 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; 2306 shinfo->gso_type |= SKB_GSO_DODGY;
2283 skb_shinfo(skb)->gso_segs = 0; 2307 shinfo->gso_segs = 0;
2284 } 2308 }
2285 2309
2286 return 0; 2310 return 0;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 0bb0d8877954..1e7acdc30732 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4179,7 +4179,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
4179 4179
4180 skb_queue_tail(&sk->sk_error_queue, skb); 4180 skb_queue_tail(&sk->sk_error_queue, skb);
4181 if (!sock_flag(sk, SOCK_DEAD)) 4181 if (!sock_flag(sk, SOCK_DEAD))
4182 sk->sk_data_ready(sk); 4182 sk->sk_error_report(sk);
4183 return 0; 4183 return 0;
4184} 4184}
4185EXPORT_SYMBOL(sock_queue_err_skb); 4185EXPORT_SYMBOL(sock_queue_err_skb);
@@ -4904,7 +4904,7 @@ static unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
4904 thlen += inner_tcp_hdrlen(skb); 4904 thlen += inner_tcp_hdrlen(skb);
4905 } else if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) { 4905 } else if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
4906 thlen = tcp_hdrlen(skb); 4906 thlen = tcp_hdrlen(skb);
4907 } else if (unlikely(shinfo->gso_type & SKB_GSO_SCTP)) { 4907 } else if (unlikely(skb_is_gso_sctp(skb))) {
4908 thlen = sizeof(struct sctphdr); 4908 thlen = sizeof(struct sctphdr);
4909 } 4909 }
4910 /* UFO sets gso_size to the size of the fragmentation 4910 /* UFO sets gso_size to the size of the fragmentation
@@ -5020,13 +5020,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
5020 5020
5021static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) 5021static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
5022{ 5022{
5023 int mac_len;
5024
5023 if (skb_cow(skb, skb_headroom(skb)) < 0) { 5025 if (skb_cow(skb, skb_headroom(skb)) < 0) {
5024 kfree_skb(skb); 5026 kfree_skb(skb);
5025 return NULL; 5027 return NULL;
5026 } 5028 }
5027 5029
5028 memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, 5030 mac_len = skb->data - skb_mac_header(skb);
5029 2 * ETH_ALEN); 5031 memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
5032 mac_len - VLAN_HLEN - ETH_TLEN);
5030 skb->mac_header += VLAN_HLEN; 5033 skb->mac_header += VLAN_HLEN;
5031 return skb; 5034 return skb;
5032} 5035}
diff --git a/net/core/sock.c b/net/core/sock.c
index c501499a04fe..85b0b64e7f9d 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3261,6 +3261,27 @@ void proto_unregister(struct proto *prot)
3261} 3261}
3262EXPORT_SYMBOL(proto_unregister); 3262EXPORT_SYMBOL(proto_unregister);
3263 3263
3264int sock_load_diag_module(int family, int protocol)
3265{
3266 if (!protocol) {
3267 if (!sock_is_registered(family))
3268 return -ENOENT;
3269
3270 return request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
3271 NETLINK_SOCK_DIAG, family);
3272 }
3273
3274#ifdef CONFIG_INET
3275 if (family == AF_INET &&
3276 !rcu_access_pointer(inet_protos[protocol]))
3277 return -ENOENT;
3278#endif
3279
3280 return request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
3281 NETLINK_SOCK_DIAG, family, protocol);
3282}
3283EXPORT_SYMBOL(sock_load_diag_module);
3284
3264#ifdef CONFIG_PROC_FS 3285#ifdef CONFIG_PROC_FS
3265static void *proto_seq_start(struct seq_file *seq, loff_t *pos) 3286static void *proto_seq_start(struct seq_file *seq, loff_t *pos)
3266 __acquires(proto_list_mutex) 3287 __acquires(proto_list_mutex)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 146b50e30659..c37b5be7c5e4 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -220,8 +220,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
220 return -EINVAL; 220 return -EINVAL;
221 221
222 if (sock_diag_handlers[req->sdiag_family] == NULL) 222 if (sock_diag_handlers[req->sdiag_family] == NULL)
223 request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, 223 sock_load_diag_module(req->sdiag_family, 0);
224 NETLINK_SOCK_DIAG, req->sdiag_family);
225 224
226 mutex_lock(&sock_diag_table_mutex); 225 mutex_lock(&sock_diag_table_mutex);
227 hndl = sock_diag_handlers[req->sdiag_family]; 226 hndl = sock_diag_handlers[req->sdiag_family];
@@ -247,8 +246,7 @@ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
247 case TCPDIAG_GETSOCK: 246 case TCPDIAG_GETSOCK:
248 case DCCPDIAG_GETSOCK: 247 case DCCPDIAG_GETSOCK:
249 if (inet_rcv_compat == NULL) 248 if (inet_rcv_compat == NULL)
250 request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, 249 sock_load_diag_module(AF_INET, 0);
251 NETLINK_SOCK_DIAG, AF_INET);
252 250
253 mutex_lock(&sock_diag_table_mutex); 251 mutex_lock(&sock_diag_table_mutex);
254 if (inet_rcv_compat != NULL) 252 if (inet_rcv_compat != NULL)
@@ -281,14 +279,12 @@ static int sock_diag_bind(struct net *net, int group)
281 case SKNLGRP_INET_TCP_DESTROY: 279 case SKNLGRP_INET_TCP_DESTROY:
282 case SKNLGRP_INET_UDP_DESTROY: 280 case SKNLGRP_INET_UDP_DESTROY:
283 if (!sock_diag_handlers[AF_INET]) 281 if (!sock_diag_handlers[AF_INET])
284 request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, 282 sock_load_diag_module(AF_INET, 0);
285 NETLINK_SOCK_DIAG, AF_INET);
286 break; 283 break;
287 case SKNLGRP_INET6_TCP_DESTROY: 284 case SKNLGRP_INET6_TCP_DESTROY:
288 case SKNLGRP_INET6_UDP_DESTROY: 285 case SKNLGRP_INET6_UDP_DESTROY:
289 if (!sock_diag_handlers[AF_INET6]) 286 if (!sock_diag_handlers[AF_INET6])
290 request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, 287 sock_load_diag_module(AF_INET6, 0);
291 NETLINK_SOCK_DIAG, AF_INET6);
292 break; 288 break;
293 } 289 }
294 return 0; 290 return 0;
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 15bdc002d90c..84cd4e3fd01b 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
794 if (skb == NULL) 794 if (skb == NULL)
795 goto out_release; 795 goto out_release;
796 796
797 if (sk->sk_state == DCCP_CLOSED) {
798 rc = -ENOTCONN;
799 goto out_discard;
800 }
801
797 skb_reserve(skb, sk->sk_prot->max_header); 802 skb_reserve(skb, sk->sk_prot->max_header);
798 rc = memcpy_from_msg(skb_put(skb, len), msg, len); 803 rc = memcpy_from_msg(skb_put(skb, len), msg, len);
799 if (rc != 0) 804 if (rc != 0)
diff --git a/net/dsa/legacy.c b/net/dsa/legacy.c
index cb54b81d0bd9..42a7b85b84e1 100644
--- a/net/dsa/legacy.c
+++ b/net/dsa/legacy.c
@@ -194,7 +194,7 @@ static int dsa_switch_setup_one(struct dsa_switch *ds,
194 ds->ports[i].dn = cd->port_dn[i]; 194 ds->ports[i].dn = cd->port_dn[i];
195 ds->ports[i].cpu_dp = dst->cpu_dp; 195 ds->ports[i].cpu_dp = dst->cpu_dp;
196 196
197 if (dsa_is_user_port(ds, i)) 197 if (!dsa_is_user_port(ds, i))
198 continue; 198 continue;
199 199
200 ret = dsa_slave_create(&ds->ports[i]); 200 ret = dsa_slave_create(&ds->ports[i]);
diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
index 974765b7d92a..e9f0489e4229 100644
--- a/net/ieee802154/6lowpan/core.c
+++ b/net/ieee802154/6lowpan/core.c
@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(void)
206static int lowpan_device_event(struct notifier_block *unused, 206static int lowpan_device_event(struct notifier_block *unused,
207 unsigned long event, void *ptr) 207 unsigned long event, void *ptr)
208{ 208{
209 struct net_device *wdev = netdev_notifier_info_to_dev(ptr); 209 struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
210 struct wpan_dev *wpan_dev;
210 211
211 if (wdev->type != ARPHRD_IEEE802154) 212 if (ndev->type != ARPHRD_IEEE802154)
213 return NOTIFY_DONE;
214 wpan_dev = ndev->ieee802154_ptr;
215 if (!wpan_dev)
212 return NOTIFY_DONE; 216 return NOTIFY_DONE;
213 217
214 switch (event) { 218 switch (event) {
@@ -217,8 +221,8 @@ static int lowpan_device_event(struct notifier_block *unused,
217 * also delete possible lowpan interfaces which belongs 221 * also delete possible lowpan interfaces which belongs
218 * to the wpan interface. 222 * to the wpan interface.
219 */ 223 */
220 if (wdev->ieee802154_ptr->lowpan_dev) 224 if (wpan_dev->lowpan_dev)
221 lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL); 225 lowpan_dellink(wpan_dev->lowpan_dev, NULL);
222 break; 226 break;
223 default: 227 default:
224 return NOTIFY_DONE; 228 return NOTIFY_DONE;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index a383f299ce24..4e5bc4b2f14e 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -53,8 +53,7 @@ static DEFINE_MUTEX(inet_diag_table_mutex);
53static const struct inet_diag_handler *inet_diag_lock_handler(int proto) 53static const struct inet_diag_handler *inet_diag_lock_handler(int proto)
54{ 54{
55 if (!inet_diag_table[proto]) 55 if (!inet_diag_table[proto])
56 request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK, 56 sock_load_diag_module(AF_INET, proto);
57 NETLINK_SOCK_DIAG, AF_INET, proto);
58 57
59 mutex_lock(&inet_diag_table_mutex); 58 mutex_lock(&inet_diag_table_mutex);
60 if (!inet_diag_table[proto]) 59 if (!inet_diag_table[proto])
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 26a3d0315728..e8ec28999f5c 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -119,6 +119,9 @@ out:
119 119
120static bool inet_fragq_should_evict(const struct inet_frag_queue *q) 120static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
121{ 121{
122 if (!hlist_unhashed(&q->list_evictor))
123 return false;
124
122 return q->net->low_thresh == 0 || 125 return q->net->low_thresh == 0 ||
123 frag_mem_limit(q->net) >= q->net->low_thresh; 126 frag_mem_limit(q->net) >= q->net->low_thresh;
124} 127}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 9c41a0cef1a5..74c962b9b09c 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -258,7 +258,8 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc,
258 src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg); 258 src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
259 if (!ipv6_addr_v4mapped(&src_info->ipi6_addr)) 259 if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
260 return -EINVAL; 260 return -EINVAL;
261 ipc->oif = src_info->ipi6_ifindex; 261 if (src_info->ipi6_ifindex)
262 ipc->oif = src_info->ipi6_ifindex;
262 ipc->addr = src_info->ipi6_addr.s6_addr32[3]; 263 ipc->addr = src_info->ipi6_addr.s6_addr32[3];
263 continue; 264 continue;
264 } 265 }
@@ -288,7 +289,8 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc,
288 if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo))) 289 if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
289 return -EINVAL; 290 return -EINVAL;
290 info = (struct in_pktinfo *)CMSG_DATA(cmsg); 291 info = (struct in_pktinfo *)CMSG_DATA(cmsg);
291 ipc->oif = info->ipi_ifindex; 292 if (info->ipi_ifindex)
293 ipc->oif = info->ipi_ifindex;
292 ipc->addr = info->ipi_spec_dst.s_addr; 294 ipc->addr = info->ipi_spec_dst.s_addr;
293 break; 295 break;
294 } 296 }
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 860b3fd2f54b..299e247b2032 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -634,6 +634,7 @@ static inline u32 fnhe_hashfun(__be32 daddr)
634static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) 634static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
635{ 635{
636 rt->rt_pmtu = fnhe->fnhe_pmtu; 636 rt->rt_pmtu = fnhe->fnhe_pmtu;
637 rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
637 rt->dst.expires = fnhe->fnhe_expires; 638 rt->dst.expires = fnhe->fnhe_expires;
638 639
639 if (fnhe->fnhe_gw) { 640 if (fnhe->fnhe_gw) {
@@ -644,7 +645,7 @@ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnh
644} 645}
645 646
646static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, 647static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
647 u32 pmtu, unsigned long expires) 648 u32 pmtu, bool lock, unsigned long expires)
648{ 649{
649 struct fnhe_hash_bucket *hash; 650 struct fnhe_hash_bucket *hash;
650 struct fib_nh_exception *fnhe; 651 struct fib_nh_exception *fnhe;
@@ -681,8 +682,10 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
681 fnhe->fnhe_genid = genid; 682 fnhe->fnhe_genid = genid;
682 if (gw) 683 if (gw)
683 fnhe->fnhe_gw = gw; 684 fnhe->fnhe_gw = gw;
684 if (pmtu) 685 if (pmtu) {
685 fnhe->fnhe_pmtu = pmtu; 686 fnhe->fnhe_pmtu = pmtu;
687 fnhe->fnhe_mtu_locked = lock;
688 }
686 fnhe->fnhe_expires = max(1UL, expires); 689 fnhe->fnhe_expires = max(1UL, expires);
687 /* Update all cached dsts too */ 690 /* Update all cached dsts too */
688 rt = rcu_dereference(fnhe->fnhe_rth_input); 691 rt = rcu_dereference(fnhe->fnhe_rth_input);
@@ -706,6 +709,7 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
706 fnhe->fnhe_daddr = daddr; 709 fnhe->fnhe_daddr = daddr;
707 fnhe->fnhe_gw = gw; 710 fnhe->fnhe_gw = gw;
708 fnhe->fnhe_pmtu = pmtu; 711 fnhe->fnhe_pmtu = pmtu;
712 fnhe->fnhe_mtu_locked = lock;
709 fnhe->fnhe_expires = expires; 713 fnhe->fnhe_expires = expires;
710 714
711 /* Exception created; mark the cached routes for the nexthop 715 /* Exception created; mark the cached routes for the nexthop
@@ -787,7 +791,8 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
787 struct fib_nh *nh = &FIB_RES_NH(res); 791 struct fib_nh *nh = &FIB_RES_NH(res);
788 792
789 update_or_create_fnhe(nh, fl4->daddr, new_gw, 793 update_or_create_fnhe(nh, fl4->daddr, new_gw,
790 0, jiffies + ip_rt_gc_timeout); 794 0, false,
795 jiffies + ip_rt_gc_timeout);
791 } 796 }
792 if (kill_route) 797 if (kill_route)
793 rt->dst.obsolete = DST_OBSOLETE_KILL; 798 rt->dst.obsolete = DST_OBSOLETE_KILL;
@@ -1009,15 +1014,18 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
1009{ 1014{
1010 struct dst_entry *dst = &rt->dst; 1015 struct dst_entry *dst = &rt->dst;
1011 struct fib_result res; 1016 struct fib_result res;
1017 bool lock = false;
1012 1018
1013 if (dst_metric_locked(dst, RTAX_MTU)) 1019 if (ip_mtu_locked(dst))
1014 return; 1020 return;
1015 1021
1016 if (ipv4_mtu(dst) < mtu) 1022 if (ipv4_mtu(dst) < mtu)
1017 return; 1023 return;
1018 1024
1019 if (mtu < ip_rt_min_pmtu) 1025 if (mtu < ip_rt_min_pmtu) {
1026 lock = true;
1020 mtu = ip_rt_min_pmtu; 1027 mtu = ip_rt_min_pmtu;
1028 }
1021 1029
1022 if (rt->rt_pmtu == mtu && 1030 if (rt->rt_pmtu == mtu &&
1023 time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2)) 1031 time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
@@ -1027,7 +1035,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
1027 if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { 1035 if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
1028 struct fib_nh *nh = &FIB_RES_NH(res); 1036 struct fib_nh *nh = &FIB_RES_NH(res);
1029 1037
1030 update_or_create_fnhe(nh, fl4->daddr, 0, mtu, 1038 update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
1031 jiffies + ip_rt_mtu_expires); 1039 jiffies + ip_rt_mtu_expires);
1032 } 1040 }
1033 rcu_read_unlock(); 1041 rcu_read_unlock();
@@ -1280,7 +1288,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
1280 1288
1281 mtu = READ_ONCE(dst->dev->mtu); 1289 mtu = READ_ONCE(dst->dev->mtu);
1282 1290
1283 if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { 1291 if (unlikely(ip_mtu_locked(dst))) {
1284 if (rt->rt_uses_gateway && mtu > 576) 1292 if (rt->rt_uses_gateway && mtu > 576)
1285 mtu = 576; 1293 mtu = 576;
1286 } 1294 }
@@ -1393,7 +1401,7 @@ struct uncached_list {
1393 1401
1394static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt_uncached_list); 1402static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt_uncached_list);
1395 1403
1396static void rt_add_uncached_list(struct rtable *rt) 1404void rt_add_uncached_list(struct rtable *rt)
1397{ 1405{
1398 struct uncached_list *ul = raw_cpu_ptr(&rt_uncached_list); 1406 struct uncached_list *ul = raw_cpu_ptr(&rt_uncached_list);
1399 1407
@@ -1404,14 +1412,8 @@ static void rt_add_uncached_list(struct rtable *rt)
1404 spin_unlock_bh(&ul->lock); 1412 spin_unlock_bh(&ul->lock);
1405} 1413}
1406 1414
1407static void ipv4_dst_destroy(struct dst_entry *dst) 1415void rt_del_uncached_list(struct rtable *rt)
1408{ 1416{
1409 struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
1410 struct rtable *rt = (struct rtable *) dst;
1411
1412 if (p != &dst_default_metrics && refcount_dec_and_test(&p->refcnt))
1413 kfree(p);
1414
1415 if (!list_empty(&rt->rt_uncached)) { 1417 if (!list_empty(&rt->rt_uncached)) {
1416 struct uncached_list *ul = rt->rt_uncached_list; 1418 struct uncached_list *ul = rt->rt_uncached_list;
1417 1419
@@ -1421,6 +1423,17 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
1421 } 1423 }
1422} 1424}
1423 1425
1426static void ipv4_dst_destroy(struct dst_entry *dst)
1427{
1428 struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
1429 struct rtable *rt = (struct rtable *)dst;
1430
1431 if (p != &dst_default_metrics && refcount_dec_and_test(&p->refcnt))
1432 kfree(p);
1433
1434 rt_del_uncached_list(rt);
1435}
1436
1424void rt_flush_dev(struct net_device *dev) 1437void rt_flush_dev(struct net_device *dev)
1425{ 1438{
1426 struct net *net = dev_net(dev); 1439 struct net *net = dev_net(dev);
@@ -1516,6 +1529,7 @@ struct rtable *rt_dst_alloc(struct net_device *dev,
1516 rt->rt_is_input = 0; 1529 rt->rt_is_input = 0;
1517 rt->rt_iif = 0; 1530 rt->rt_iif = 0;
1518 rt->rt_pmtu = 0; 1531 rt->rt_pmtu = 0;
1532 rt->rt_mtu_locked = 0;
1519 rt->rt_gateway = 0; 1533 rt->rt_gateway = 0;
1520 rt->rt_uses_gateway = 0; 1534 rt->rt_uses_gateway = 0;
1521 rt->rt_table_id = 0; 1535 rt->rt_table_id = 0;
@@ -2541,6 +2555,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
2541 rt->rt_is_input = ort->rt_is_input; 2555 rt->rt_is_input = ort->rt_is_input;
2542 rt->rt_iif = ort->rt_iif; 2556 rt->rt_iif = ort->rt_iif;
2543 rt->rt_pmtu = ort->rt_pmtu; 2557 rt->rt_pmtu = ort->rt_pmtu;
2558 rt->rt_mtu_locked = ort->rt_mtu_locked;
2544 2559
2545 rt->rt_genid = rt_genid_ipv4(net); 2560 rt->rt_genid = rt_genid_ipv4(net);
2546 rt->rt_flags = ort->rt_flags; 2561 rt->rt_flags = ort->rt_flags;
@@ -2643,6 +2658,8 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, u32 table_id,
2643 memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics)); 2658 memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
2644 if (rt->rt_pmtu && expires) 2659 if (rt->rt_pmtu && expires)
2645 metrics[RTAX_MTU - 1] = rt->rt_pmtu; 2660 metrics[RTAX_MTU - 1] = rt->rt_pmtu;
2661 if (rt->rt_mtu_locked && expires)
2662 metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
2646 if (rtnetlink_put_metrics(skb, metrics) < 0) 2663 if (rtnetlink_put_metrics(skb, metrics) < 0)
2647 goto nla_put_failure; 2664 goto nla_put_failure;
2648 2665
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 48636aee23c3..8b8059b7af4d 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3566,6 +3566,7 @@ int tcp_abort(struct sock *sk, int err)
3566 3566
3567 bh_unlock_sock(sk); 3567 bh_unlock_sock(sk);
3568 local_bh_enable(); 3568 local_bh_enable();
3569 tcp_write_queue_purge(sk);
3569 release_sock(sk); 3570 release_sock(sk);
3570 return 0; 3571 return 0;
3571} 3572}
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 71fc60f1b326..f7d944855f8e 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -34,6 +34,7 @@ static void tcp_write_err(struct sock *sk)
34 sk->sk_err = sk->sk_err_soft ? : ETIMEDOUT; 34 sk->sk_err = sk->sk_err_soft ? : ETIMEDOUT;
35 sk->sk_error_report(sk); 35 sk->sk_error_report(sk);
36 36
37 tcp_write_queue_purge(sk);
37 tcp_done(sk); 38 tcp_done(sk);
38 __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONTIMEOUT); 39 __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONTIMEOUT);
39} 40}
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 63faeee989a9..2a9764bd1719 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,7 +92,8 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
92 92
93 skb_reset_network_header(skb); 93 skb_reset_network_header(skb);
94 skb_mac_header_rebuild(skb); 94 skb_mac_header_rebuild(skb);
95 eth_hdr(skb)->h_proto = skb->protocol; 95 if (skb->mac_len)
96 eth_hdr(skb)->h_proto = skb->protocol;
96 97
97 err = 0; 98 err = 0;
98 99
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 05017e2c849c..fbebda67ac1b 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -100,8 +100,10 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
100 xdst->u.rt.rt_gateway = rt->rt_gateway; 100 xdst->u.rt.rt_gateway = rt->rt_gateway;
101 xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; 101 xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
102 xdst->u.rt.rt_pmtu = rt->rt_pmtu; 102 xdst->u.rt.rt_pmtu = rt->rt_pmtu;
103 xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
103 xdst->u.rt.rt_table_id = rt->rt_table_id; 104 xdst->u.rt.rt_table_id = rt->rt_table_id;
104 INIT_LIST_HEAD(&xdst->u.rt.rt_uncached); 105 INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
106 rt_add_uncached_list(&xdst->u.rt);
105 107
106 return 0; 108 return 0;
107} 109}
@@ -241,7 +243,8 @@ static void xfrm4_dst_destroy(struct dst_entry *dst)
241 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 243 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
242 244
243 dst_destroy_metrics_generic(dst); 245 dst_destroy_metrics_generic(dst);
244 246 if (xdst->u.rt.rt_uncached_list)
247 rt_del_uncached_list(&xdst->u.rt);
245 xfrm_dst_destroy(xdst); 248 xfrm_dst_destroy(xdst);
246} 249}
247 250
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index fbf08ce3f5ab..a9f7eca0b6a3 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -146,10 +146,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
146 struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr; 146 struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
147 struct inet_sock *inet = inet_sk(sk); 147 struct inet_sock *inet = inet_sk(sk);
148 struct ipv6_pinfo *np = inet6_sk(sk); 148 struct ipv6_pinfo *np = inet6_sk(sk);
149 struct in6_addr *daddr; 149 struct in6_addr *daddr, old_daddr;
150 __be32 fl6_flowlabel = 0;
151 __be32 old_fl6_flowlabel;
152 __be16 old_dport;
150 int addr_type; 153 int addr_type;
151 int err; 154 int err;
152 __be32 fl6_flowlabel = 0;
153 155
154 if (usin->sin6_family == AF_INET) { 156 if (usin->sin6_family == AF_INET) {
155 if (__ipv6_only_sock(sk)) 157 if (__ipv6_only_sock(sk))
@@ -238,9 +240,13 @@ ipv4_connected:
238 } 240 }
239 } 241 }
240 242
243 /* save the current peer information before updating it */
244 old_daddr = sk->sk_v6_daddr;
245 old_fl6_flowlabel = np->flow_label;
246 old_dport = inet->inet_dport;
247
241 sk->sk_v6_daddr = *daddr; 248 sk->sk_v6_daddr = *daddr;
242 np->flow_label = fl6_flowlabel; 249 np->flow_label = fl6_flowlabel;
243
244 inet->inet_dport = usin->sin6_port; 250 inet->inet_dport = usin->sin6_port;
245 251
246 /* 252 /*
@@ -250,11 +256,12 @@ ipv4_connected:
250 256
251 err = ip6_datagram_dst_update(sk, true); 257 err = ip6_datagram_dst_update(sk, true);
252 if (err) { 258 if (err) {
253 /* Reset daddr and dport so that udp_v6_early_demux() 259 /* Restore the socket peer info, to keep it consistent with
254 * fails to find this socket 260 * the old socket state
255 */ 261 */
256 memset(&sk->sk_v6_daddr, 0, sizeof(sk->sk_v6_daddr)); 262 sk->sk_v6_daddr = old_daddr;
257 inet->inet_dport = 0; 263 np->flow_label = old_fl6_flowlabel;
264 inet->inet_dport = old_dport;
258 goto out; 265 goto out;
259 } 266 }
260 267
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 3c353125546d..1bbd0930063e 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -126,7 +126,8 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct net_device *dev,
126 struct ip6_tnl *t, *cand = NULL; 126 struct ip6_tnl *t, *cand = NULL;
127 struct ip6gre_net *ign = net_generic(net, ip6gre_net_id); 127 struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
128 int dev_type = (gre_proto == htons(ETH_P_TEB) || 128 int dev_type = (gre_proto == htons(ETH_P_TEB) ||
129 gre_proto == htons(ETH_P_ERSPAN)) ? 129 gre_proto == htons(ETH_P_ERSPAN) ||
130 gre_proto == htons(ETH_P_ERSPAN2)) ?
130 ARPHRD_ETHER : ARPHRD_IP6GRE; 131 ARPHRD_ETHER : ARPHRD_IP6GRE;
131 int score, cand_score = 4; 132 int score, cand_score = 4;
132 133
@@ -902,6 +903,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
902 truncate = true; 903 truncate = true;
903 } 904 }
904 905
906 if (skb_cow_head(skb, dev->needed_headroom))
907 goto tx_err;
908
905 t->parms.o_flags &= ~TUNNEL_KEY; 909 t->parms.o_flags &= ~TUNNEL_KEY;
906 IPCB(skb)->flags = 0; 910 IPCB(skb)->flags = 0;
907 911
@@ -944,6 +948,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
944 md->u.md2.dir, 948 md->u.md2.dir,
945 get_hwid(&md->u.md2), 949 get_hwid(&md->u.md2),
946 truncate, false); 950 truncate, false);
951 } else {
952 goto tx_err;
947 } 953 }
948 } else { 954 } else {
949 switch (skb->protocol) { 955 switch (skb->protocol) {
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index f61a5b613b52..ba5e04c6ae17 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1554,7 +1554,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1554 *(opt++) = (rd_len >> 3); 1554 *(opt++) = (rd_len >> 3);
1555 opt += 6; 1555 opt += 6;
1556 1556
1557 memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8); 1557 skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
1558 rd_len - 8);
1558} 1559}
1559 1560
1560void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) 1561void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 9dcfadddd800..b0d5c64e1978 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -128,7 +128,7 @@ struct uncached_list {
128 128
129static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt6_uncached_list); 129static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt6_uncached_list);
130 130
131static void rt6_uncached_list_add(struct rt6_info *rt) 131void rt6_uncached_list_add(struct rt6_info *rt)
132{ 132{
133 struct uncached_list *ul = raw_cpu_ptr(&rt6_uncached_list); 133 struct uncached_list *ul = raw_cpu_ptr(&rt6_uncached_list);
134 134
@@ -139,7 +139,7 @@ static void rt6_uncached_list_add(struct rt6_info *rt)
139 spin_unlock_bh(&ul->lock); 139 spin_unlock_bh(&ul->lock);
140} 140}
141 141
142static void rt6_uncached_list_del(struct rt6_info *rt) 142void rt6_uncached_list_del(struct rt6_info *rt)
143{ 143{
144 if (!list_empty(&rt->rt6i_uncached)) { 144 if (!list_empty(&rt->rt6i_uncached)) {
145 struct uncached_list *ul = rt->rt6i_uncached_list; 145 struct uncached_list *ul = rt->rt6i_uncached_list;
@@ -1509,7 +1509,30 @@ static void rt6_exceptions_remove_prefsrc(struct rt6_info *rt)
1509 } 1509 }
1510} 1510}
1511 1511
1512static void rt6_exceptions_update_pmtu(struct rt6_info *rt, int mtu) 1512static bool rt6_mtu_change_route_allowed(struct inet6_dev *idev,
1513 struct rt6_info *rt, int mtu)
1514{
1515 /* If the new MTU is lower than the route PMTU, this new MTU will be the
1516 * lowest MTU in the path: always allow updating the route PMTU to
1517 * reflect PMTU decreases.
1518 *
1519 * If the new MTU is higher, and the route PMTU is equal to the local
1520 * MTU, this means the old MTU is the lowest in the path, so allow
1521 * updating it: if other nodes now have lower MTUs, PMTU discovery will
1522 * handle this.
1523 */
1524
1525 if (dst_mtu(&rt->dst) >= mtu)
1526 return true;
1527
1528 if (dst_mtu(&rt->dst) == idev->cnf.mtu6)
1529 return true;
1530
1531 return false;
1532}
1533
1534static void rt6_exceptions_update_pmtu(struct inet6_dev *idev,
1535 struct rt6_info *rt, int mtu)
1513{ 1536{
1514 struct rt6_exception_bucket *bucket; 1537 struct rt6_exception_bucket *bucket;
1515 struct rt6_exception *rt6_ex; 1538 struct rt6_exception *rt6_ex;
@@ -1518,20 +1541,22 @@ static void rt6_exceptions_update_pmtu(struct rt6_info *rt, int mtu)
1518 bucket = rcu_dereference_protected(rt->rt6i_exception_bucket, 1541 bucket = rcu_dereference_protected(rt->rt6i_exception_bucket,
1519 lockdep_is_held(&rt6_exception_lock)); 1542 lockdep_is_held(&rt6_exception_lock));
1520 1543
1521 if (bucket) { 1544 if (!bucket)
1522 for (i = 0; i < FIB6_EXCEPTION_BUCKET_SIZE; i++) { 1545 return;
1523 hlist_for_each_entry(rt6_ex, &bucket->chain, hlist) { 1546
1524 struct rt6_info *entry = rt6_ex->rt6i; 1547 for (i = 0; i < FIB6_EXCEPTION_BUCKET_SIZE; i++) {
1525 /* For RTF_CACHE with rt6i_pmtu == 0 1548 hlist_for_each_entry(rt6_ex, &bucket->chain, hlist) {
1526 * (i.e. a redirected route), 1549 struct rt6_info *entry = rt6_ex->rt6i;
1527 * the metrics of its rt->dst.from has already 1550
1528 * been updated. 1551 /* For RTF_CACHE with rt6i_pmtu == 0 (i.e. a redirected
1529 */ 1552 * route), the metrics of its rt->dst.from have already
1530 if (entry->rt6i_pmtu && entry->rt6i_pmtu > mtu) 1553 * been updated.
1531 entry->rt6i_pmtu = mtu; 1554 */
1532 } 1555 if (entry->rt6i_pmtu &&
1533 bucket++; 1556 rt6_mtu_change_route_allowed(idev, entry, mtu))
1557 entry->rt6i_pmtu = mtu;
1534 } 1558 }
1559 bucket++;
1535 } 1560 }
1536} 1561}
1537 1562
@@ -3809,25 +3834,13 @@ static int rt6_mtu_change_route(struct rt6_info *rt, void *p_arg)
3809 Since RFC 1981 doesn't include administrative MTU increase 3834 Since RFC 1981 doesn't include administrative MTU increase
3810 update PMTU increase is a MUST. (i.e. jumbo frame) 3835 update PMTU increase is a MUST. (i.e. jumbo frame)
3811 */ 3836 */
3812 /*
3813 If new MTU is less than route PMTU, this new MTU will be the
3814 lowest MTU in the path, update the route PMTU to reflect PMTU
3815 decreases; if new MTU is greater than route PMTU, and the
3816 old MTU is the lowest MTU in the path, update the route PMTU
3817 to reflect the increase. In this case if the other nodes' MTU
3818 also have the lowest MTU, TOO BIG MESSAGE will be lead to
3819 PMTU discovery.
3820 */
3821 if (rt->dst.dev == arg->dev && 3837 if (rt->dst.dev == arg->dev &&
3822 dst_metric_raw(&rt->dst, RTAX_MTU) &&
3823 !dst_metric_locked(&rt->dst, RTAX_MTU)) { 3838 !dst_metric_locked(&rt->dst, RTAX_MTU)) {
3824 spin_lock_bh(&rt6_exception_lock); 3839 spin_lock_bh(&rt6_exception_lock);
3825 if (dst_mtu(&rt->dst) >= arg->mtu || 3840 if (dst_metric_raw(&rt->dst, RTAX_MTU) &&
3826 (dst_mtu(&rt->dst) < arg->mtu && 3841 rt6_mtu_change_route_allowed(idev, rt, arg->mtu))
3827 dst_mtu(&rt->dst) == idev->cnf.mtu6)) {
3828 dst_metric_set(&rt->dst, RTAX_MTU, arg->mtu); 3842 dst_metric_set(&rt->dst, RTAX_MTU, arg->mtu);
3829 } 3843 rt6_exceptions_update_pmtu(idev, rt, arg->mtu);
3830 rt6_exceptions_update_pmtu(rt, arg->mtu);
3831 spin_unlock_bh(&rt6_exception_lock); 3844 spin_unlock_bh(&rt6_exception_lock);
3832 } 3845 }
3833 return 0; 3846 return 0;
@@ -4099,6 +4112,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
4099 r_cfg.fc_encap_type = nla_get_u16(nla); 4112 r_cfg.fc_encap_type = nla_get_u16(nla);
4100 } 4113 }
4101 4114
4115 r_cfg.fc_flags |= (rtnh->rtnh_flags & RTNH_F_ONLINK);
4102 rt = ip6_route_info_create(&r_cfg, extack); 4116 rt = ip6_route_info_create(&r_cfg, extack);
4103 if (IS_ERR(rt)) { 4117 if (IS_ERR(rt)) {
4104 err = PTR_ERR(rt); 4118 err = PTR_ERR(rt);
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index bd6cc688bd19..7a78dcfda68a 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -93,7 +93,8 @@ static void set_tun_src(struct net *net, struct net_device *dev,
93/* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */ 93/* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */
94int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto) 94int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
95{ 95{
96 struct net *net = dev_net(skb_dst(skb)->dev); 96 struct dst_entry *dst = skb_dst(skb);
97 struct net *net = dev_net(dst->dev);
97 struct ipv6hdr *hdr, *inner_hdr; 98 struct ipv6hdr *hdr, *inner_hdr;
98 struct ipv6_sr_hdr *isrh; 99 struct ipv6_sr_hdr *isrh;
99 int hdrlen, tot_len, err; 100 int hdrlen, tot_len, err;
@@ -134,7 +135,7 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
134 isrh->nexthdr = proto; 135 isrh->nexthdr = proto;
135 136
136 hdr->daddr = isrh->segments[isrh->first_segment]; 137 hdr->daddr = isrh->segments[isrh->first_segment];
137 set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr); 138 set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
138 139
139#ifdef CONFIG_IPV6_SEG6_HMAC 140#ifdef CONFIG_IPV6_SEG6_HMAC
140 if (sr_has_hmac(isrh)) { 141 if (sr_has_hmac(isrh)) {
@@ -418,7 +419,7 @@ static int seg6_build_state(struct nlattr *nla,
418 419
419 slwt = seg6_lwt_lwtunnel(newts); 420 slwt = seg6_lwt_lwtunnel(newts);
420 421
421 err = dst_cache_init(&slwt->cache, GFP_KERNEL); 422 err = dst_cache_init(&slwt->cache, GFP_ATOMIC);
422 if (err) { 423 if (err) {
423 kfree(newts); 424 kfree(newts);
424 return err; 425 return err;
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index bb935a3b7fea..de1b0b8c53b0 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -92,7 +92,8 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
92 92
93 skb_reset_network_header(skb); 93 skb_reset_network_header(skb);
94 skb_mac_header_rebuild(skb); 94 skb_mac_header_rebuild(skb);
95 eth_hdr(skb)->h_proto = skb->protocol; 95 if (skb->mac_len)
96 eth_hdr(skb)->h_proto = skb->protocol;
96 97
97 err = 0; 98 err = 0;
98 99
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 09fb44ee3b45..416fe67271a9 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -113,6 +113,9 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
113 xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway; 113 xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway;
114 xdst->u.rt6.rt6i_dst = rt->rt6i_dst; 114 xdst->u.rt6.rt6i_dst = rt->rt6i_dst;
115 xdst->u.rt6.rt6i_src = rt->rt6i_src; 115 xdst->u.rt6.rt6i_src = rt->rt6i_src;
116 INIT_LIST_HEAD(&xdst->u.rt6.rt6i_uncached);
117 rt6_uncached_list_add(&xdst->u.rt6);
118 atomic_inc(&dev_net(dev)->ipv6.rt6_stats->fib_rt_uncache);
116 119
117 return 0; 120 return 0;
118} 121}
@@ -244,6 +247,8 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
244 if (likely(xdst->u.rt6.rt6i_idev)) 247 if (likely(xdst->u.rt6.rt6i_idev))
245 in6_dev_put(xdst->u.rt6.rt6i_idev); 248 in6_dev_put(xdst->u.rt6.rt6i_idev);
246 dst_destroy_metrics_generic(dst); 249 dst_destroy_metrics_generic(dst);
250 if (xdst->u.rt6.rt6i_uncached_list)
251 rt6_uncached_list_del(&xdst->u.rt6);
247 xfrm_dst_destroy(xdst); 252 xfrm_dst_destroy(xdst);
248} 253}
249 254
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 1e8cc7bcbca3..9e2643ab4ccb 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -2433,9 +2433,11 @@ static int afiucv_iucv_init(void)
2433 af_iucv_dev->driver = &af_iucv_driver; 2433 af_iucv_dev->driver = &af_iucv_driver;
2434 err = device_register(af_iucv_dev); 2434 err = device_register(af_iucv_dev);
2435 if (err) 2435 if (err)
2436 goto out_driver; 2436 goto out_iucv_dev;
2437 return 0; 2437 return 0;
2438 2438
2439out_iucv_dev:
2440 put_device(af_iucv_dev);
2439out_driver: 2441out_driver:
2440 driver_unregister(&af_iucv_driver); 2442 driver_unregister(&af_iucv_driver);
2441out_iucv: 2443out_iucv:
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index f297d53a11aa..34355fd19f27 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1381,24 +1381,32 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
1381 .parse_msg = kcm_parse_func_strparser, 1381 .parse_msg = kcm_parse_func_strparser,
1382 .read_sock_done = kcm_read_sock_done, 1382 .read_sock_done = kcm_read_sock_done,
1383 }; 1383 };
1384 int err; 1384 int err = 0;
1385 1385
1386 csk = csock->sk; 1386 csk = csock->sk;
1387 if (!csk) 1387 if (!csk)
1388 return -EINVAL; 1388 return -EINVAL;
1389 1389
1390 lock_sock(csk);
1391
1390 /* Only allow TCP sockets to be attached for now */ 1392 /* Only allow TCP sockets to be attached for now */
1391 if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) || 1393 if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) ||
1392 csk->sk_protocol != IPPROTO_TCP) 1394 csk->sk_protocol != IPPROTO_TCP) {
1393 return -EOPNOTSUPP; 1395 err = -EOPNOTSUPP;
1396 goto out;
1397 }
1394 1398
1395 /* Don't allow listeners or closed sockets */ 1399 /* Don't allow listeners or closed sockets */
1396 if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) 1400 if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) {
1397 return -EOPNOTSUPP; 1401 err = -EOPNOTSUPP;
1402 goto out;
1403 }
1398 1404
1399 psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); 1405 psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
1400 if (!psock) 1406 if (!psock) {
1401 return -ENOMEM; 1407 err = -ENOMEM;
1408 goto out;
1409 }
1402 1410
1403 psock->mux = mux; 1411 psock->mux = mux;
1404 psock->sk = csk; 1412 psock->sk = csk;
@@ -1407,7 +1415,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
1407 err = strp_init(&psock->strp, csk, &cb); 1415 err = strp_init(&psock->strp, csk, &cb);
1408 if (err) { 1416 if (err) {
1409 kmem_cache_free(kcm_psockp, psock); 1417 kmem_cache_free(kcm_psockp, psock);
1410 return err; 1418 goto out;
1411 } 1419 }
1412 1420
1413 write_lock_bh(&csk->sk_callback_lock); 1421 write_lock_bh(&csk->sk_callback_lock);
@@ -1419,7 +1427,8 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
1419 write_unlock_bh(&csk->sk_callback_lock); 1427 write_unlock_bh(&csk->sk_callback_lock);
1420 strp_done(&psock->strp); 1428 strp_done(&psock->strp);
1421 kmem_cache_free(kcm_psockp, psock); 1429 kmem_cache_free(kcm_psockp, psock);
1422 return -EALREADY; 1430 err = -EALREADY;
1431 goto out;
1423 } 1432 }
1424 1433
1425 psock->save_data_ready = csk->sk_data_ready; 1434 psock->save_data_ready = csk->sk_data_ready;
@@ -1455,7 +1464,10 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
1455 /* Schedule RX work in case there are already bytes queued */ 1464 /* Schedule RX work in case there are already bytes queued */
1456 strp_check_rcv(&psock->strp); 1465 strp_check_rcv(&psock->strp);
1457 1466
1458 return 0; 1467out:
1468 release_sock(csk);
1469
1470 return err;
1459} 1471}
1460 1472
1461static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info) 1473static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info)
@@ -1507,6 +1519,7 @@ static void kcm_unattach(struct kcm_psock *psock)
1507 1519
1508 if (WARN_ON(psock->rx_kcm)) { 1520 if (WARN_ON(psock->rx_kcm)) {
1509 write_unlock_bh(&csk->sk_callback_lock); 1521 write_unlock_bh(&csk->sk_callback_lock);
1522 release_sock(csk);
1510 return; 1523 return;
1511 } 1524 }
1512 1525
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 83421c6f0bef..14b67dfacc4b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -111,6 +111,13 @@ struct l2tp_net {
111 spinlock_t l2tp_session_hlist_lock; 111 spinlock_t l2tp_session_hlist_lock;
112}; 112};
113 113
114#if IS_ENABLED(CONFIG_IPV6)
115static bool l2tp_sk_is_v6(struct sock *sk)
116{
117 return sk->sk_family == PF_INET6 &&
118 !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
119}
120#endif
114 121
115static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk) 122static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
116{ 123{
@@ -1049,7 +1056,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1049 /* Queue the packet to IP for output */ 1056 /* Queue the packet to IP for output */
1050 skb->ignore_df = 1; 1057 skb->ignore_df = 1;
1051#if IS_ENABLED(CONFIG_IPV6) 1058#if IS_ENABLED(CONFIG_IPV6)
1052 if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped) 1059 if (l2tp_sk_is_v6(tunnel->sock))
1053 error = inet6_csk_xmit(tunnel->sock, skb, NULL); 1060 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1054 else 1061 else
1055#endif 1062#endif
@@ -1112,6 +1119,15 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
1112 goto out_unlock; 1119 goto out_unlock;
1113 } 1120 }
1114 1121
1122 /* The user-space may change the connection status for the user-space
1123 * provided socket at run time: we must check it under the socket lock
1124 */
1125 if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1126 kfree_skb(skb);
1127 ret = NET_XMIT_DROP;
1128 goto out_unlock;
1129 }
1130
1115 /* Get routing info from the tunnel socket */ 1131 /* Get routing info from the tunnel socket */
1116 skb_dst_drop(skb); 1132 skb_dst_drop(skb);
1117 skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0))); 1133 skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
@@ -1131,7 +1147,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
1131 1147
1132 /* Calculate UDP checksum if configured to do so */ 1148 /* Calculate UDP checksum if configured to do so */
1133#if IS_ENABLED(CONFIG_IPV6) 1149#if IS_ENABLED(CONFIG_IPV6)
1134 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) 1150 if (l2tp_sk_is_v6(sk))
1135 udp6_set_csum(udp_get_no_check6_tx(sk), 1151 udp6_set_csum(udp_get_no_check6_tx(sk),
1136 skb, &inet6_sk(sk)->saddr, 1152 skb, &inet6_sk(sk)->saddr,
1137 &sk->sk_v6_daddr, udp_len); 1153 &sk->sk_v6_daddr, udp_len);
@@ -1457,9 +1473,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1457 encap = cfg->encap; 1473 encap = cfg->encap;
1458 1474
1459 /* Quick sanity checks */ 1475 /* Quick sanity checks */
1476 err = -EPROTONOSUPPORT;
1477 if (sk->sk_type != SOCK_DGRAM) {
1478 pr_debug("tunl %hu: fd %d wrong socket type\n",
1479 tunnel_id, fd);
1480 goto err;
1481 }
1460 switch (encap) { 1482 switch (encap) {
1461 case L2TP_ENCAPTYPE_UDP: 1483 case L2TP_ENCAPTYPE_UDP:
1462 err = -EPROTONOSUPPORT;
1463 if (sk->sk_protocol != IPPROTO_UDP) { 1484 if (sk->sk_protocol != IPPROTO_UDP) {
1464 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", 1485 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1465 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP); 1486 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
@@ -1467,7 +1488,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1467 } 1488 }
1468 break; 1489 break;
1469 case L2TP_ENCAPTYPE_IP: 1490 case L2TP_ENCAPTYPE_IP:
1470 err = -EPROTONOSUPPORT;
1471 if (sk->sk_protocol != IPPROTO_L2TP) { 1491 if (sk->sk_protocol != IPPROTO_L2TP) {
1472 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", 1492 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1473 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP); 1493 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
@@ -1507,24 +1527,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1507 if (cfg != NULL) 1527 if (cfg != NULL)
1508 tunnel->debug = cfg->debug; 1528 tunnel->debug = cfg->debug;
1509 1529
1510#if IS_ENABLED(CONFIG_IPV6)
1511 if (sk->sk_family == PF_INET6) {
1512 struct ipv6_pinfo *np = inet6_sk(sk);
1513
1514 if (ipv6_addr_v4mapped(&np->saddr) &&
1515 ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1516 struct inet_sock *inet = inet_sk(sk);
1517
1518 tunnel->v4mapped = true;
1519 inet->inet_saddr = np->saddr.s6_addr32[3];
1520 inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1521 inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1522 } else {
1523 tunnel->v4mapped = false;
1524 }
1525 }
1526#endif
1527
1528 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ 1530 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1529 tunnel->encap = encap; 1531 tunnel->encap = encap;
1530 if (encap == L2TP_ENCAPTYPE_UDP) { 1532 if (encap == L2TP_ENCAPTYPE_UDP) {
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index a1aa9550f04e..2718d0b284d0 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -188,9 +188,6 @@ struct l2tp_tunnel {
188 struct sock *sock; /* Parent socket */ 188 struct sock *sock; /* Parent socket */
189 int fd; /* Parent fd, if tunnel socket 189 int fd; /* Parent fd, if tunnel socket
190 * was created by userspace */ 190 * was created by userspace */
191#if IS_ENABLED(CONFIG_IPV6)
192 bool v4mapped;
193#endif
194 191
195 struct work_struct del_work; 192 struct work_struct del_work;
196 193
diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
index 1f466d12a6bc..94c7ee9df33b 100644
--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -212,6 +212,7 @@ static const char *hw_flag_names[] = {
212 FLAG(REPORTS_LOW_ACK), 212 FLAG(REPORTS_LOW_ACK),
213 FLAG(SUPPORTS_TX_FRAG), 213 FLAG(SUPPORTS_TX_FRAG),
214 FLAG(SUPPORTS_TDLS_BUFFER_STA), 214 FLAG(SUPPORTS_TDLS_BUFFER_STA),
215 FLAG(DOESNT_SUPPORT_QOS_NDP),
215#undef FLAG 216#undef FLAG
216}; 217};
217 218
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 39b660b9a908..5f303abac5ad 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -896,7 +896,8 @@ void ieee80211_send_nullfunc(struct ieee80211_local *local,
896 struct ieee80211_hdr_3addr *nullfunc; 896 struct ieee80211_hdr_3addr *nullfunc;
897 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 897 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
898 898
899 skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif, true); 899 skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif,
900 !ieee80211_hw_check(&local->hw, DOESNT_SUPPORT_QOS_NDP));
900 if (!skb) 901 if (!skb)
901 return; 902 return;
902 903
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 558593e6a0a3..c4acc7340eb1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5423,6 +5423,7 @@ err:
5423static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 5423static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5424{ 5424{
5425 cancel_delayed_work_sync(&flowtable->data.gc_work); 5425 cancel_delayed_work_sync(&flowtable->data.gc_work);
5426 kfree(flowtable->ops);
5426 kfree(flowtable->name); 5427 kfree(flowtable->name);
5427 flowtable->data.type->free(&flowtable->data); 5428 flowtable->data.type->free(&flowtable->data);
5428 rhashtable_destroy(&flowtable->data.rhashtable); 5429 rhashtable_destroy(&flowtable->data.rhashtable);
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 3f1624ee056f..d40591fe1b2f 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -674,7 +674,7 @@ static const struct nft_set_ops *
674nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc, 674nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
675 u32 flags) 675 u32 flags)
676{ 676{
677 if (desc->size) { 677 if (desc->size && !(flags & NFT_SET_TIMEOUT)) {
678 switch (desc->klen) { 678 switch (desc->klen) {
679 case 4: 679 case 4:
680 return &nft_hash_fast_ops; 680 return &nft_hash_fast_ops;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index fa1655aff8d3..4aa01c90e9d1 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -423,6 +423,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
423 return buf; 423 return buf;
424} 424}
425 425
426/**
427 * xt_check_proc_name - check that name is suitable for /proc file creation
428 *
429 * @name: file name candidate
430 * @size: length of buffer
431 *
432 * some x_tables modules wish to create a file in /proc.
433 * This function makes sure that the name is suitable for this
434 * purpose, it checks that name is NUL terminated and isn't a 'special'
435 * name, like "..".
436 *
437 * returns negative number on error or 0 if name is useable.
438 */
439int xt_check_proc_name(const char *name, unsigned int size)
440{
441 if (name[0] == '\0')
442 return -EINVAL;
443
444 if (strnlen(name, size) == size)
445 return -ENAMETOOLONG;
446
447 if (strcmp(name, ".") == 0 ||
448 strcmp(name, "..") == 0 ||
449 strchr(name, '/'))
450 return -EINVAL;
451
452 return 0;
453}
454EXPORT_SYMBOL(xt_check_proc_name);
455
426int xt_check_match(struct xt_mtchk_param *par, 456int xt_check_match(struct xt_mtchk_param *par,
427 unsigned int size, u_int8_t proto, bool inv_proto) 457 unsigned int size, u_int8_t proto, bool inv_proto)
428{ 458{
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 66f5aca62a08..3360f13dc208 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -917,8 +917,9 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
917 struct hashlimit_cfg3 cfg = {}; 917 struct hashlimit_cfg3 cfg = {};
918 int ret; 918 int ret;
919 919
920 if (info->name[sizeof(info->name) - 1] != '\0') 920 ret = xt_check_proc_name(info->name, sizeof(info->name));
921 return -EINVAL; 921 if (ret)
922 return ret;
922 923
923 ret = cfg_copy(&cfg, (void *)&info->cfg, 1); 924 ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
924 925
@@ -935,8 +936,9 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
935 struct hashlimit_cfg3 cfg = {}; 936 struct hashlimit_cfg3 cfg = {};
936 int ret; 937 int ret;
937 938
938 if (info->name[sizeof(info->name) - 1] != '\0') 939 ret = xt_check_proc_name(info->name, sizeof(info->name));
939 return -EINVAL; 940 if (ret)
941 return ret;
940 942
941 ret = cfg_copy(&cfg, (void *)&info->cfg, 2); 943 ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
942 944
@@ -950,9 +952,11 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
950static int hashlimit_mt_check(const struct xt_mtchk_param *par) 952static int hashlimit_mt_check(const struct xt_mtchk_param *par)
951{ 953{
952 struct xt_hashlimit_mtinfo3 *info = par->matchinfo; 954 struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
955 int ret;
953 956
954 if (info->name[sizeof(info->name) - 1] != '\0') 957 ret = xt_check_proc_name(info->name, sizeof(info->name));
955 return -EINVAL; 958 if (ret)
959 return ret;
956 960
957 return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg, 961 return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
958 info->name, 3); 962 info->name, 3);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 6d232d18faff..81ee1d6543b2 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -361,9 +361,9 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1); 361 info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
362 return -EINVAL; 362 return -EINVAL;
363 } 363 }
364 if (info->name[0] == '\0' || 364 ret = xt_check_proc_name(info->name, sizeof(info->name));
365 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) 365 if (ret)
366 return -EINVAL; 366 return ret;
367 367
368 if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot) 368 if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
369 nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1; 369 nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 6f02499ef007..b9ce82c9440f 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1106,7 +1106,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
1106 if (!err) 1106 if (!err)
1107 delivered = true; 1107 delivered = true;
1108 else if (err != -ESRCH) 1108 else if (err != -ESRCH)
1109 goto error; 1109 return err;
1110 return delivered ? 0 : -ESRCH; 1110 return delivered ? 0 : -ESRCH;
1111 error: 1111 error:
1112 kfree_skb(skb); 1112 kfree_skb(skb);
diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c
index 04b94281a30b..b891a91577f8 100644
--- a/net/openvswitch/meter.c
+++ b/net/openvswitch/meter.c
@@ -242,14 +242,20 @@ static struct dp_meter *dp_meter_create(struct nlattr **a)
242 242
243 band->type = nla_get_u32(attr[OVS_BAND_ATTR_TYPE]); 243 band->type = nla_get_u32(attr[OVS_BAND_ATTR_TYPE]);
244 band->rate = nla_get_u32(attr[OVS_BAND_ATTR_RATE]); 244 band->rate = nla_get_u32(attr[OVS_BAND_ATTR_RATE]);
245 if (band->rate == 0) {
246 err = -EINVAL;
247 goto exit_free_meter;
248 }
249
245 band->burst_size = nla_get_u32(attr[OVS_BAND_ATTR_BURST]); 250 band->burst_size = nla_get_u32(attr[OVS_BAND_ATTR_BURST]);
246 /* Figure out max delta_t that is enough to fill any bucket. 251 /* Figure out max delta_t that is enough to fill any bucket.
247 * Keep max_delta_t size to the bucket units: 252 * Keep max_delta_t size to the bucket units:
248 * pkts => 1/1000 packets, kilobits => bits. 253 * pkts => 1/1000 packets, kilobits => bits.
254 *
255 * Start with a full bucket.
249 */ 256 */
250 band_max_delta_t = (band->burst_size + band->rate) * 1000; 257 band->bucket = (band->burst_size + band->rate) * 1000;
251 /* Start with a full bucket. */ 258 band_max_delta_t = band->bucket / band->rate;
252 band->bucket = band_max_delta_t;
253 if (band_max_delta_t > meter->max_delta_t) 259 if (band_max_delta_t > meter->max_delta_t)
254 meter->max_delta_t = band_max_delta_t; 260 meter->max_delta_t = band_max_delta_t;
255 band++; 261 band++;
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index b3f2c15affa7..9d2cabf1dc7e 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -352,7 +352,7 @@ static int tcf_bpf_init(struct net *net, struct nlattr *nla,
352 return res; 352 return res;
353out: 353out:
354 if (res == ACT_P_CREATED) 354 if (res == ACT_P_CREATED)
355 tcf_idr_cleanup(*act, est); 355 tcf_idr_release(*act, bind);
356 356
357 return ret; 357 return ret;
358} 358}
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index b7ba9b06b147..2a5c8fd860cf 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -350,7 +350,7 @@ static int tcf_csum_sctp(struct sk_buff *skb, unsigned int ihl,
350{ 350{
351 struct sctphdr *sctph; 351 struct sctphdr *sctph;
352 352
353 if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) 353 if (skb_is_gso(skb) && skb_is_gso_sctp(skb))
354 return 1; 354 return 1;
355 355
356 sctph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*sctph)); 356 sctph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*sctph));
@@ -626,7 +626,8 @@ static void tcf_csum_cleanup(struct tc_action *a)
626 struct tcf_csum_params *params; 626 struct tcf_csum_params *params;
627 627
628 params = rcu_dereference_protected(p->params, 1); 628 params = rcu_dereference_protected(p->params, 1);
629 kfree_rcu(params, rcu); 629 if (params)
630 kfree_rcu(params, rcu);
630} 631}
631 632
632static int tcf_csum_walker(struct net *net, struct sk_buff *skb, 633static int tcf_csum_walker(struct net *net, struct sk_buff *skb,
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 06e380ae0928..7e06b9b62613 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -80,9 +80,12 @@ static void ipt_destroy_target(struct xt_entry_target *t)
80static void tcf_ipt_release(struct tc_action *a) 80static void tcf_ipt_release(struct tc_action *a)
81{ 81{
82 struct tcf_ipt *ipt = to_ipt(a); 82 struct tcf_ipt *ipt = to_ipt(a);
83 ipt_destroy_target(ipt->tcfi_t); 83
84 if (ipt->tcfi_t) {
85 ipt_destroy_target(ipt->tcfi_t);
86 kfree(ipt->tcfi_t);
87 }
84 kfree(ipt->tcfi_tname); 88 kfree(ipt->tcfi_tname);
85 kfree(ipt->tcfi_t);
86} 89}
87 90
88static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = { 91static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
@@ -187,7 +190,7 @@ err2:
187 kfree(tname); 190 kfree(tname);
188err1: 191err1:
189 if (ret == ACT_P_CREATED) 192 if (ret == ACT_P_CREATED)
190 tcf_idr_cleanup(*a, est); 193 tcf_idr_release(*a, bind);
191 return err; 194 return err;
192} 195}
193 196
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 349beaffb29e..fef08835f26d 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -176,7 +176,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
176 p = to_pedit(*a); 176 p = to_pedit(*a);
177 keys = kmalloc(ksize, GFP_KERNEL); 177 keys = kmalloc(ksize, GFP_KERNEL);
178 if (keys == NULL) { 178 if (keys == NULL) {
179 tcf_idr_cleanup(*a, est); 179 tcf_idr_release(*a, bind);
180 kfree(keys_ex); 180 kfree(keys_ex);
181 return -ENOMEM; 181 return -ENOMEM;
182 } 182 }
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 95d3c9097b25..faebf82b99f1 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -194,7 +194,7 @@ failure:
194 qdisc_put_rtab(P_tab); 194 qdisc_put_rtab(P_tab);
195 qdisc_put_rtab(R_tab); 195 qdisc_put_rtab(R_tab);
196 if (ret == ACT_P_CREATED) 196 if (ret == ACT_P_CREATED)
197 tcf_idr_cleanup(*a, est); 197 tcf_idr_release(*a, bind);
198 return err; 198 return err;
199} 199}
200 200
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index 1ba0df238756..74c5d7e6a0fa 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -103,7 +103,8 @@ static void tcf_sample_cleanup(struct tc_action *a)
103 103
104 psample_group = rtnl_dereference(s->psample_group); 104 psample_group = rtnl_dereference(s->psample_group);
105 RCU_INIT_POINTER(s->psample_group, NULL); 105 RCU_INIT_POINTER(s->psample_group, NULL);
106 psample_group_put(psample_group); 106 if (psample_group)
107 psample_group_put(psample_group);
107} 108}
108 109
109static bool tcf_sample_dev_ok_push(struct net_device *dev) 110static bool tcf_sample_dev_ok_push(struct net_device *dev)
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 425eac11f6da..b1f38063ada0 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -121,7 +121,7 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
121 d = to_defact(*a); 121 d = to_defact(*a);
122 ret = alloc_defdata(d, defdata); 122 ret = alloc_defdata(d, defdata);
123 if (ret < 0) { 123 if (ret < 0) {
124 tcf_idr_cleanup(*a, est); 124 tcf_idr_release(*a, bind);
125 return ret; 125 return ret;
126 } 126 }
127 d->tcf_action = parm->action; 127 d->tcf_action = parm->action;
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index fa975262dbac..7b0700f52b50 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -152,7 +152,7 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
152 ASSERT_RTNL(); 152 ASSERT_RTNL();
153 p = kzalloc(sizeof(struct tcf_skbmod_params), GFP_KERNEL); 153 p = kzalloc(sizeof(struct tcf_skbmod_params), GFP_KERNEL);
154 if (unlikely(!p)) { 154 if (unlikely(!p)) {
155 if (ovr) 155 if (ret == ACT_P_CREATED)
156 tcf_idr_release(*a, bind); 156 tcf_idr_release(*a, bind);
157 return -ENOMEM; 157 return -ENOMEM;
158 } 158 }
@@ -190,7 +190,8 @@ static void tcf_skbmod_cleanup(struct tc_action *a)
190 struct tcf_skbmod_params *p; 190 struct tcf_skbmod_params *p;
191 191
192 p = rcu_dereference_protected(d->skbmod_p, 1); 192 p = rcu_dereference_protected(d->skbmod_p, 1);
193 kfree_rcu(p, rcu); 193 if (p)
194 kfree_rcu(p, rcu);
194} 195}
195 196
196static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a, 197static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index 0e23aac09ad6..1281ca463727 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -153,6 +153,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
153 metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX; 153 metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX;
154 break; 154 break;
155 default: 155 default:
156 ret = -EINVAL;
156 goto err_out; 157 goto err_out;
157 } 158 }
158 159
@@ -207,11 +208,12 @@ static void tunnel_key_release(struct tc_action *a)
207 struct tcf_tunnel_key_params *params; 208 struct tcf_tunnel_key_params *params;
208 209
209 params = rcu_dereference_protected(t->params, 1); 210 params = rcu_dereference_protected(t->params, 1);
211 if (params) {
212 if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
213 dst_release(&params->tcft_enc_metadata->dst);
210 214
211 if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET) 215 kfree_rcu(params, rcu);
212 dst_release(&params->tcft_enc_metadata->dst); 216 }
213
214 kfree_rcu(params, rcu);
215} 217}
216 218
217static int tunnel_key_dump_addresses(struct sk_buff *skb, 219static int tunnel_key_dump_addresses(struct sk_buff *skb,
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index e1a1b3f3983a..c49cb61adedf 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -195,7 +195,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
195 ASSERT_RTNL(); 195 ASSERT_RTNL();
196 p = kzalloc(sizeof(*p), GFP_KERNEL); 196 p = kzalloc(sizeof(*p), GFP_KERNEL);
197 if (!p) { 197 if (!p) {
198 if (ovr) 198 if (ret == ACT_P_CREATED)
199 tcf_idr_release(*a, bind); 199 tcf_idr_release(*a, bind);
200 return -ENOMEM; 200 return -ENOMEM;
201 } 201 }
@@ -225,7 +225,8 @@ static void tcf_vlan_cleanup(struct tc_action *a)
225 struct tcf_vlan_params *p; 225 struct tcf_vlan_params *p;
226 226
227 p = rcu_dereference_protected(v->vlan_p, 1); 227 p = rcu_dereference_protected(v->vlan_p, 1);
228 kfree_rcu(p, rcu); 228 if (p)
229 kfree_rcu(p, rcu);
229} 230}
230 231
231static int tcf_vlan_dump(struct sk_buff *skb, struct tc_action *a, 232static int tcf_vlan_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 190570f21b20..7e3fbe9cc936 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -106,6 +106,14 @@ static inline void qdisc_enqueue_skb_bad_txq(struct Qdisc *q,
106 106
107 __skb_queue_tail(&q->skb_bad_txq, skb); 107 __skb_queue_tail(&q->skb_bad_txq, skb);
108 108
109 if (qdisc_is_percpu_stats(q)) {
110 qdisc_qstats_cpu_backlog_inc(q, skb);
111 qdisc_qstats_cpu_qlen_inc(q);
112 } else {
113 qdisc_qstats_backlog_inc(q, skb);
114 q->q.qlen++;
115 }
116
109 if (lock) 117 if (lock)
110 spin_unlock(lock); 118 spin_unlock(lock);
111} 119}
@@ -196,14 +204,6 @@ static void try_bulk_dequeue_skb_slow(struct Qdisc *q,
196 break; 204 break;
197 if (unlikely(skb_get_queue_mapping(nskb) != mapping)) { 205 if (unlikely(skb_get_queue_mapping(nskb) != mapping)) {
198 qdisc_enqueue_skb_bad_txq(q, nskb); 206 qdisc_enqueue_skb_bad_txq(q, nskb);
199
200 if (qdisc_is_percpu_stats(q)) {
201 qdisc_qstats_cpu_backlog_inc(q, nskb);
202 qdisc_qstats_cpu_qlen_inc(q);
203 } else {
204 qdisc_qstats_backlog_inc(q, nskb);
205 q->q.qlen++;
206 }
207 break; 207 break;
208 } 208 }
209 skb->next = nskb; 209 skb->next = nskb;
@@ -628,6 +628,7 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc,
628 int band = prio2band[skb->priority & TC_PRIO_MAX]; 628 int band = prio2band[skb->priority & TC_PRIO_MAX];
629 struct pfifo_fast_priv *priv = qdisc_priv(qdisc); 629 struct pfifo_fast_priv *priv = qdisc_priv(qdisc);
630 struct skb_array *q = band2list(priv, band); 630 struct skb_array *q = band2list(priv, band);
631 unsigned int pkt_len = qdisc_pkt_len(skb);
631 int err; 632 int err;
632 633
633 err = skb_array_produce(q, skb); 634 err = skb_array_produce(q, skb);
@@ -636,7 +637,10 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc,
636 return qdisc_drop_cpu(skb, qdisc, to_free); 637 return qdisc_drop_cpu(skb, qdisc, to_free);
637 638
638 qdisc_qstats_cpu_qlen_inc(qdisc); 639 qdisc_qstats_cpu_qlen_inc(qdisc);
639 qdisc_qstats_cpu_backlog_inc(qdisc, skb); 640 /* Note: skb can not be used after skb_array_produce(),
641 * so we better not use qdisc_qstats_cpu_backlog_inc()
642 */
643 this_cpu_add(qdisc->cpu_qstats->backlog, pkt_len);
640 return NET_XMIT_SUCCESS; 644 return NET_XMIT_SUCCESS;
641} 645}
642 646
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 7c179addebcd..7d6801fc5340 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -509,7 +509,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
509 } 509 }
510 510
511 if (unlikely(sch->q.qlen >= sch->limit)) 511 if (unlikely(sch->q.qlen >= sch->limit))
512 return qdisc_drop(skb, sch, to_free); 512 return qdisc_drop_all(skb, sch, to_free);
513 513
514 qdisc_qstats_backlog_inc(sch, skb); 514 qdisc_qstats_backlog_inc(sch, skb);
515 515
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 0247cc432e02..b381d78548ac 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -106,6 +106,7 @@ int sctp_rcv(struct sk_buff *skb)
106 int family; 106 int family;
107 struct sctp_af *af; 107 struct sctp_af *af;
108 struct net *net = dev_net(skb->dev); 108 struct net *net = dev_net(skb->dev);
109 bool is_gso = skb_is_gso(skb) && skb_is_gso_sctp(skb);
109 110
110 if (skb->pkt_type != PACKET_HOST) 111 if (skb->pkt_type != PACKET_HOST)
111 goto discard_it; 112 goto discard_it;
@@ -123,8 +124,7 @@ int sctp_rcv(struct sk_buff *skb)
123 * it's better to just linearize it otherwise crc computing 124 * it's better to just linearize it otherwise crc computing
124 * takes longer. 125 * takes longer.
125 */ 126 */
126 if ((!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) && 127 if ((!is_gso && skb_linearize(skb)) ||
127 skb_linearize(skb)) ||
128 !pskb_may_pull(skb, sizeof(struct sctphdr))) 128 !pskb_may_pull(skb, sizeof(struct sctphdr)))
129 goto discard_it; 129 goto discard_it;
130 130
@@ -135,7 +135,7 @@ int sctp_rcv(struct sk_buff *skb)
135 if (skb_csum_unnecessary(skb)) 135 if (skb_csum_unnecessary(skb))
136 __skb_decr_checksum_unnecessary(skb); 136 __skb_decr_checksum_unnecessary(skb);
137 else if (!sctp_checksum_disable && 137 else if (!sctp_checksum_disable &&
138 !(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) && 138 !is_gso &&
139 sctp_rcv_checksum(net, skb) < 0) 139 sctp_rcv_checksum(net, skb) < 0)
140 goto discard_it; 140 goto discard_it;
141 skb->csum_valid = 1; 141 skb->csum_valid = 1;
@@ -1218,7 +1218,7 @@ static struct sctp_association *__sctp_rcv_lookup_harder(struct net *net,
1218 * issue as packets hitting this are mostly INIT or INIT-ACK and 1218 * issue as packets hitting this are mostly INIT or INIT-ACK and
1219 * those cannot be on GSO-style anyway. 1219 * those cannot be on GSO-style anyway.
1220 */ 1220 */
1221 if ((skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) == SKB_GSO_SCTP) 1221 if (skb_is_gso(skb) && skb_is_gso_sctp(skb))
1222 return NULL; 1222 return NULL;
1223 1223
1224 ch = (struct sctp_chunkhdr *)skb->data; 1224 ch = (struct sctp_chunkhdr *)skb->data;
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 48392552ee7c..23ebc5318edc 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -170,7 +170,7 @@ next_chunk:
170 170
171 chunk = list_entry(entry, struct sctp_chunk, list); 171 chunk = list_entry(entry, struct sctp_chunk, list);
172 172
173 if ((skb_shinfo(chunk->skb)->gso_type & SKB_GSO_SCTP) == SKB_GSO_SCTP) { 173 if (skb_is_gso(chunk->skb) && skb_is_gso_sctp(chunk->skb)) {
174 /* GSO-marked skbs but without frags, handle 174 /* GSO-marked skbs but without frags, handle
175 * them normally 175 * them normally
176 */ 176 */
diff --git a/net/sctp/offload.c b/net/sctp/offload.c
index 35bc7106d182..123e9f2dc226 100644
--- a/net/sctp/offload.c
+++ b/net/sctp/offload.c
@@ -45,7 +45,7 @@ static struct sk_buff *sctp_gso_segment(struct sk_buff *skb,
45 struct sk_buff *segs = ERR_PTR(-EINVAL); 45 struct sk_buff *segs = ERR_PTR(-EINVAL);
46 struct sctphdr *sh; 46 struct sctphdr *sh;
47 47
48 if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP)) 48 if (!skb_is_gso_sctp(skb))
49 goto out; 49 goto out;
50 50
51 sh = sctp_hdr(skb); 51 sh = sctp_hdr(skb);
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 8cc97834d4f6..1e0d780855c3 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -978,10 +978,6 @@ out:
978 lsmc->clcsock = NULL; 978 lsmc->clcsock = NULL;
979 } 979 }
980 release_sock(lsk); 980 release_sock(lsk);
981 /* no more listening, wake up smc_close_wait_listen_clcsock and
982 * accept
983 */
984 lsk->sk_state_change(lsk);
985 sock_put(&lsmc->sk); /* sock_hold in smc_listen */ 981 sock_put(&lsmc->sk); /* sock_hold in smc_listen */
986} 982}
987 983
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index e339c0186dcf..fa41d9881741 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -30,27 +30,6 @@ static void smc_close_cleanup_listen(struct sock *parent)
30 smc_close_non_accepted(sk); 30 smc_close_non_accepted(sk);
31} 31}
32 32
33static void smc_close_wait_listen_clcsock(struct smc_sock *smc)
34{
35 DEFINE_WAIT_FUNC(wait, woken_wake_function);
36 struct sock *sk = &smc->sk;
37 signed long timeout;
38
39 timeout = SMC_CLOSE_WAIT_LISTEN_CLCSOCK_TIME;
40 add_wait_queue(sk_sleep(sk), &wait);
41 do {
42 release_sock(sk);
43 if (smc->clcsock)
44 timeout = wait_woken(&wait, TASK_UNINTERRUPTIBLE,
45 timeout);
46 sched_annotate_sleep();
47 lock_sock(sk);
48 if (!smc->clcsock)
49 break;
50 } while (timeout);
51 remove_wait_queue(sk_sleep(sk), &wait);
52}
53
54/* wait for sndbuf data being transmitted */ 33/* wait for sndbuf data being transmitted */
55static void smc_close_stream_wait(struct smc_sock *smc, long timeout) 34static void smc_close_stream_wait(struct smc_sock *smc, long timeout)
56{ 35{
@@ -204,9 +183,11 @@ again:
204 rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); 183 rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
205 /* wake up kernel_accept of smc_tcp_listen_worker */ 184 /* wake up kernel_accept of smc_tcp_listen_worker */
206 smc->clcsock->sk->sk_data_ready(smc->clcsock->sk); 185 smc->clcsock->sk->sk_data_ready(smc->clcsock->sk);
207 smc_close_wait_listen_clcsock(smc);
208 } 186 }
209 smc_close_cleanup_listen(sk); 187 smc_close_cleanup_listen(sk);
188 release_sock(sk);
189 flush_work(&smc->tcp_listen_work);
190 lock_sock(sk);
210 break; 191 break;
211 case SMC_ACTIVE: 192 case SMC_ACTIVE:
212 smc_close_stream_wait(smc, timeout); 193 smc_close_stream_wait(smc, timeout);
diff --git a/net/socket.c b/net/socket.c
index a93c99b518ca..08847c3b8c39 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2587,6 +2587,11 @@ void sock_unregister(int family)
2587} 2587}
2588EXPORT_SYMBOL(sock_unregister); 2588EXPORT_SYMBOL(sock_unregister);
2589 2589
2590bool sock_is_registered(int family)
2591{
2592 return family < NPROTO && rcu_access_pointer(net_families[family]);
2593}
2594
2590static int __init sock_init(void) 2595static int __init sock_init(void)
2591{ 2596{
2592 int err; 2597 int err;
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index ccfdc7115a83..a00ec715aa46 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name)
283 struct crypto_comp *tfm; 283 struct crypto_comp *tfm;
284 284
285 /* This can be any valid CPU ID so we don't need locking. */ 285 /* This can be any valid CPU ID so we don't need locking. */
286 tfm = __this_cpu_read(*pos->tfms); 286 tfm = this_cpu_read(*pos->tfms);
287 287
288 if (!strcmp(crypto_comp_name(tfm), alg_name)) { 288 if (!strcmp(crypto_comp_name(tfm), alg_name)) {
289 pos->users++; 289 pos->users++;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 7a23078132cf..625b3fca5704 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1458,10 +1458,13 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1458static int xfrm_get_tos(const struct flowi *fl, int family) 1458static int xfrm_get_tos(const struct flowi *fl, int family)
1459{ 1459{
1460 const struct xfrm_policy_afinfo *afinfo; 1460 const struct xfrm_policy_afinfo *afinfo;
1461 int tos = 0; 1461 int tos;
1462 1462
1463 afinfo = xfrm_policy_get_afinfo(family); 1463 afinfo = xfrm_policy_get_afinfo(family);
1464 tos = afinfo ? afinfo->get_tos(fl) : 0; 1464 if (!afinfo)
1465 return 0;
1466
1467 tos = afinfo->get_tos(fl);
1465 1468
1466 rcu_read_unlock(); 1469 rcu_read_unlock();
1467 1470
@@ -1891,7 +1894,7 @@ static void xfrm_policy_queue_process(struct timer_list *t)
1891 spin_unlock(&pq->hold_queue.lock); 1894 spin_unlock(&pq->hold_queue.lock);
1892 1895
1893 dst_hold(xfrm_dst_path(dst)); 1896 dst_hold(xfrm_dst_path(dst));
1894 dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, 0); 1897 dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, XFRM_LOOKUP_QUEUE);
1895 if (IS_ERR(dst)) 1898 if (IS_ERR(dst))
1896 goto purge_queue; 1899 goto purge_queue;
1897 1900
@@ -2729,14 +2732,14 @@ static const void *xfrm_get_dst_nexthop(const struct dst_entry *dst,
2729 while (dst->xfrm) { 2732 while (dst->xfrm) {
2730 const struct xfrm_state *xfrm = dst->xfrm; 2733 const struct xfrm_state *xfrm = dst->xfrm;
2731 2734
2735 dst = xfrm_dst_child(dst);
2736
2732 if (xfrm->props.mode == XFRM_MODE_TRANSPORT) 2737 if (xfrm->props.mode == XFRM_MODE_TRANSPORT)
2733 continue; 2738 continue;
2734 if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR) 2739 if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR)
2735 daddr = xfrm->coaddr; 2740 daddr = xfrm->coaddr;
2736 else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR)) 2741 else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR))
2737 daddr = &xfrm->id.daddr; 2742 daddr = &xfrm->id.daddr;
2738
2739 dst = xfrm_dst_child(dst);
2740 } 2743 }
2741 return daddr; 2744 return daddr;
2742} 2745}
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 1d38c6acf8af..9e3a5e85f828 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -660,7 +660,7 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
660 } else { 660 } else {
661 XFRM_SKB_CB(skb)->seq.output.low = oseq + 1; 661 XFRM_SKB_CB(skb)->seq.output.low = oseq + 1;
662 XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi; 662 XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
663 xo->seq.low = oseq = oseq + 1; 663 xo->seq.low = oseq + 1;
664 xo->seq.hi = oseq_hi; 664 xo->seq.hi = oseq_hi;
665 oseq += skb_shinfo(skb)->gso_segs; 665 oseq += skb_shinfo(skb)->gso_segs;
666 } 666 }
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 54e21f19d722..f9d2f2233f09 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
2056 struct xfrm_mgr *km; 2056 struct xfrm_mgr *km;
2057 struct xfrm_policy *pol = NULL; 2057 struct xfrm_policy *pol = NULL;
2058 2058
2059#ifdef CONFIG_COMPAT
2060 if (in_compat_syscall())
2061 return -EOPNOTSUPP;
2062#endif
2063
2059 if (!optval && !optlen) { 2064 if (!optval && !optlen) {
2060 xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); 2065 xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
2061 xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); 2066 xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 7f52b8eb177d..080035f056d9 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
121 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 121 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
122 struct xfrm_replay_state_esn *rs; 122 struct xfrm_replay_state_esn *rs;
123 123
124 if (p->flags & XFRM_STATE_ESN) { 124 if (!rt)
125 if (!rt) 125 return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
126 return -EINVAL;
127 126
128 rs = nla_data(rt); 127 rs = nla_data(rt);
129 128
130 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) 129 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
131 return -EINVAL; 130 return -EINVAL;
132
133 if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
134 nla_len(rt) != sizeof(*rs))
135 return -EINVAL;
136 }
137 131
138 if (!rt) 132 if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
139 return 0; 133 nla_len(rt) != sizeof(*rs))
134 return -EINVAL;
140 135
141 /* As only ESP and AH support ESN feature. */ 136 /* As only ESP and AH support ESN feature. */
142 if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) 137 if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-24 10:15:18 -0400