Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

This merges (3f509c6 netfilter: nf_nat_sip: fix incorrect handling
of EBUSY for RTCP expectation) to Patrick McHardy's IPv6 NAT changes.

7 files changed, 152 insertions, 34 deletions

diff --git a/net/core/dev.c b/net/core/dev.c
index 0640d2a859c6..b1e6d6385516 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1466,8 +1466,7 @@ EXPORT_SYMBOL(unregister_netdevice_notifier);
 
 int call_netdevice_notifiers(unsigned long val, struct net_device *dev)
 {
-        if (val != NETDEV_UNREGISTER_FINAL)
-                ASSERT_RTNL();
+        ASSERT_RTNL();
         return raw_notifier_call_chain(&netdev_chain, val, dev);
 }
 EXPORT_SYMBOL(call_netdevice_notifiers);
@@ -2185,9 +2184,7 @@ EXPORT_SYMBOL(netif_skb_features);
 /*
  * Returns true if either:
  *      1. skb has frag_list and the device doesn't support FRAGLIST, or
- *      2. skb is fragmented and the device does not support SG, or if
- *         at least one of fragments is in highmem and device does not
- *         support DMA from it.
+ *      2. skb is fragmented and the device does not support SG.
  */
 static inline int skb_needs_linearize(struct sk_buff *skb,
                                       int features)
@@ -4521,8 +4518,8 @@ static void dev_change_rx_flags(struct net_device *dev, int flags)
 static int __dev_set_promiscuity(struct net_device *dev, int inc)
 {
         unsigned int old_flags = dev->flags;
-        uid_t uid;
-        gid_t gid;
+        kuid_t uid;
+        kgid_t gid;
 
         ASSERT_RTNL();
 
@@ -4554,7 +4551,8 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc)
                                 dev->name, (dev->flags & IFF_PROMISC),
                                 (old_flags & IFF_PROMISC),
                                 audit_get_loginuid(current),
-                                uid, gid,
+                                from_kuid(&init_user_ns, uid),
+                                from_kgid(&init_user_ns, gid),
                                 audit_get_sessionid(current));
                 }
 
@@ -5649,6 +5647,8 @@ int register_netdevice(struct net_device *dev)
 
         set_bit(__LINK_STATE_PRESENT, &dev->state);
 
+        linkwatch_init_dev(dev);
+
         dev_init_scheduler(dev);
         dev_hold(dev);
         list_netdevice(dev);
@@ -5782,7 +5782,11 @@ static void netdev_wait_allrefs(struct net_device *dev)
 
                         /* Rebroadcast unregister notification */
                         call_netdevice_notifiers(NETDEV_UNREGISTER, dev);
+
+                        __rtnl_unlock();
                         rcu_barrier();
+                        rtnl_lock();
+
                         call_netdevice_notifiers(NETDEV_UNREGISTER_FINAL, dev);
                         if (test_bit(__LINK_STATE_LINKWATCH_PENDING,
                                      &dev->state)) {
@@ -5855,7 +5859,9 @@ void netdev_run_todo(void)
                         = list_first_entry(&list, struct net_device, todo_list);
                 list_del(&dev->todo_list);
 
+                rtnl_lock();
                 call_netdevice_notifiers(NETDEV_UNREGISTER_FINAL, dev);
+                __rtnl_unlock();
 
                 if (unlikely(dev->reg_state != NETREG_UNREGISTERING)) {
                         pr_err("network todo '%s' but state %d\n",
@@ -6251,6 +6257,8 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
            the device is just moving and can keep their slaves up.
         */
         call_netdevice_notifiers(NETDEV_UNREGISTER, dev);
+        rcu_barrier();
+        call_netdevice_notifiers(NETDEV_UNREGISTER_FINAL, dev);
         rtmsg_ifinfo(RTM_DELLINK, dev, ~0U);
 
         /*
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 585093755c23..ab7db83236c9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -711,16 +711,15 @@ static int fib_rules_event(struct notifier_block *this, unsigned long event,
         struct net *net = dev_net(dev);
         struct fib_rules_ops *ops;
 
+        ASSERT_RTNL();
 
         switch (event) {
         case NETDEV_REGISTER:
-                ASSERT_RTNL();
                 list_for_each_entry(ops, &net->rules_ops, list)
                         attach_rules(&ops->rules_list, dev);
                 break;
 
         case NETDEV_UNREGISTER:
-                ASSERT_RTNL();
                 list_for_each_entry(ops, &net->rules_ops, list)
                         detach_rules(&ops->rules_list, dev);
                 break;
diff --git a/net/core/link_watch.c b/net/core/link_watch.c
index c3519c6d1b16..a01922219a23 100644
--- a/net/core/link_watch.c
+++ b/net/core/link_watch.c
@@ -76,6 +76,14 @@ static void rfc2863_policy(struct net_device *dev)
 }
 
 
+void linkwatch_init_dev(struct net_device *dev)
+{
+        /* Handle pre-registration link state changes */
+        if (!netif_carrier_ok(dev) || netif_dormant(dev))
+                rfc2863_policy(dev);
+}
+
+
 static bool linkwatch_urgent_event(struct net_device *dev)
 {
         if (!netif_running(dev))
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 346b1eb83a1f..dd67818025d1 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -168,24 +168,16 @@ static void poll_napi(struct net_device *dev)
         struct napi_struct *napi;
         int budget = 16;
 
-        WARN_ON_ONCE(!irqs_disabled());
-
         list_for_each_entry(napi, &dev->napi_list, dev_list) {
-                local_irq_enable();
                 if (napi->poll_owner != smp_processor_id() &&
                     spin_trylock(&napi->poll_lock)) {
-                        rcu_read_lock_bh();
                         budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
                                                napi, budget);
-                        rcu_read_unlock_bh();
                         spin_unlock(&napi->poll_lock);
 
-                        if (!budget) {
-                                local_irq_disable();
+                        if (!budget)
                                 break;
-                        }
                 }
-                local_irq_disable();
         }
 }
 
@@ -388,6 +380,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
         struct udphdr *udph;
         struct iphdr *iph;
         struct ethhdr *eth;
+        static atomic_t ip_ident;
 
         udp_len = len + sizeof(*udph);
         ip_len = udp_len + sizeof(*iph);
@@ -423,7 +416,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
         put_unaligned(0x45, (unsigned char *)iph);
         iph->tos      = 0;
         put_unaligned(htons(ip_len), &(iph->tot_len));
-        iph->id       = 0;
+        iph->id       = htons(atomic_inc_return(&ip_ident));
         iph->frag_off = 0;
         iph->ttl      = 64;
         iph->protocol = IPPROTO_UDP;
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index 9b570a6a33c5..c31d9e8668c3 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -15,6 +15,7 @@
 #include <linux/random.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/tcp.h>
 #include <linux/vmalloc.h>
 
 #include <net/request_sock.h>
@@ -130,3 +131,97 @@ void reqsk_queue_destroy(struct request_sock_queue *queue)
                 kfree(lopt);
 }
 
+/*
+ * This function is called to set a Fast Open socket's "fastopen_rsk" field
+ * to NULL when a TFO socket no longer needs to access the request_sock.
+ * This happens only after 3WHS has been either completed or aborted (e.g.,
+ * RST is received).
+ *
+ * Before TFO, a child socket is created only after 3WHS is completed,
+ * hence it never needs to access the request_sock. things get a lot more
+ * complex with TFO. A child socket, accepted or not, has to access its
+ * request_sock for 3WHS processing, e.g., to retransmit SYN-ACK pkts,
+ * until 3WHS is either completed or aborted. Afterwards the req will stay
+ * until either the child socket is accepted, or in the rare case when the
+ * listener is closed before the child is accepted.
+ *
+ * In short, a request socket is only freed after BOTH 3WHS has completed
+ * (or aborted) and the child socket has been accepted (or listener closed).
+ * When a child socket is accepted, its corresponding req->sk is set to
+ * NULL since it's no longer needed. More importantly, "req->sk == NULL"
+ * will be used by the code below to determine if a child socket has been
+ * accepted or not, and the check is protected by the fastopenq->lock
+ * described below.
+ *
+ * Note that fastopen_rsk is only accessed from the child socket's context
+ * with its socket lock held. But a request_sock (req) can be accessed by
+ * both its child socket through fastopen_rsk, and a listener socket through
+ * icsk_accept_queue.rskq_accept_head. To protect the access a simple spin
+ * lock per listener "icsk->icsk_accept_queue.fastopenq->lock" is created.
+ * only in the rare case when both the listener and the child locks are held,
+ * e.g., in inet_csk_listen_stop() do we not need to acquire the lock.
+ * The lock also protects other fields such as fastopenq->qlen, which is
+ * decremented by this function when fastopen_rsk is no longer needed.
+ *
+ * Note that another solution was to simply use the existing socket lock
+ * from the listener. But first socket lock is difficult to use. It is not
+ * a simple spin lock - one must consider sock_owned_by_user() and arrange
+ * to use sk_add_backlog() stuff. But what really makes it infeasible is the
+ * locking hierarchy violation. E.g., inet_csk_listen_stop() may try to
+ * acquire a child's lock while holding listener's socket lock. A corner
+ * case might also exist in tcp_v4_hnd_req() that will trigger this locking
+ * order.
+ *
+ * When a TFO req is created, it needs to sock_hold its listener to prevent
+ * the latter data structure from going away.
+ *
+ * This function also sets "treq->listener" to NULL and unreference listener
+ * socket. treq->listener is used by the listener so it is protected by the
+ * fastopenq->lock in this function.
+ */
+void reqsk_fastopen_remove(struct sock *sk, struct request_sock *req,
+                           bool reset)
+{
+        struct sock *lsk = tcp_rsk(req)->listener;
+        struct fastopen_queue *fastopenq =
+            inet_csk(lsk)->icsk_accept_queue.fastopenq;
+
+        BUG_ON(!spin_is_locked(&sk->sk_lock.slock) && !sock_owned_by_user(sk));
+
+        tcp_sk(sk)->fastopen_rsk = NULL;
+        spin_lock_bh(&fastopenq->lock);
+        fastopenq->qlen--;
+        tcp_rsk(req)->listener = NULL;
+        if (req->sk)    /* the child socket hasn't been accepted yet */
+                goto out;
+
+        if (!reset || lsk->sk_state != TCP_LISTEN) {
+                /* If the listener has been closed don't bother with the
+                 * special RST handling below.
+                 */
+                spin_unlock_bh(&fastopenq->lock);
+                sock_put(lsk);
+                reqsk_free(req);
+                return;
+        }
+        /* Wait for 60secs before removing a req that has triggered RST.
+         * This is a simple defense against TFO spoofing attack - by
+         * counting the req against fastopen.max_qlen, and disabling
+         * TFO when the qlen exceeds max_qlen.
+         *
+         * For more details see CoNext'11 "TCP Fast Open" paper.
+         */
+        req->expires = jiffies + 60*HZ;
+        if (fastopenq->rskq_rst_head == NULL)
+                fastopenq->rskq_rst_head = req;
+        else
+                fastopenq->rskq_rst_tail->dl_next = req;
+
+        req->dl_next = NULL;
+        fastopenq->rskq_rst_tail = req;
+        fastopenq->qlen++;
+out:
+        spin_unlock_bh(&fastopenq->lock);
+        sock_put(lsk);
+        return;
+}
diff --git a/net/core/scm.c b/net/core/scm.c
index 040cebeed45b..6ab491d6c26f 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -45,12 +45,17 @@
 static __inline__ int scm_check_creds(struct ucred *creds)
 {
         const struct cred *cred = current_cred();
+        kuid_t uid = make_kuid(cred->user_ns, creds->uid);
+        kgid_t gid = make_kgid(cred->user_ns, creds->gid);
+
+        if (!uid_valid(uid) || !gid_valid(gid))
+                return -EINVAL;
 
         if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
-            ((creds->uid == cred->uid   || creds->uid == cred->euid ||
-              creds->uid == cred->suid) || capable(CAP_SETUID)) &&
-            ((creds->gid == cred->gid   || creds->gid == cred->egid ||
-              creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+            ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
+              uid_eq(uid, cred->suid)) || capable(CAP_SETUID)) &&
+            ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
+              gid_eq(gid, cred->sgid)) || capable(CAP_SETGID))) {
                return 0;
         }
         return -EPERM;
@@ -149,6 +154,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                 goto error;
                         break;
                 case SCM_CREDENTIALS:
+                {
+                        kuid_t uid;
+                        kgid_t gid;
                         if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
                                 goto error;
                         memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
@@ -166,22 +174,29 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                 p->pid = pid;
                         }
 
+                        err = -EINVAL;
+                        uid = make_kuid(current_user_ns(), p->creds.uid);
+                        gid = make_kgid(current_user_ns(), p->creds.gid);
+                        if (!uid_valid(uid) || !gid_valid(gid))
+                                goto error;
+
                         if (!p->cred ||
-                            (p->cred->euid != p->creds.uid) ||
-                            (p->cred->egid != p->creds.gid)) {
+                            !uid_eq(p->cred->euid, uid) ||
+                            !gid_eq(p->cred->egid, gid)) {
                                 struct cred *cred;
                                 err = -ENOMEM;
                                 cred = prepare_creds();
                                 if (!cred)
                                         goto error;
 
-                                cred->uid = cred->euid = p->creds.uid;
-                                cred->gid = cred->egid = p->creds.gid;
+                                cred->uid = cred->euid = uid;
+                                cred->gid = cred->egid = gid;
                                 if (p->cred)
                                         put_cred(p->cred);
                                 p->cred = cred;
                         }
                         break;
+                }
                 default:
                         goto error;
                 }
diff --git a/net/core/sock.c b/net/core/sock.c
index 8f67ced8d6a8..d765156eab65 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -868,8 +868,8 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
         if (cred) {
                 struct user_namespace *current_ns = current_user_ns();
 
-                ucred->uid = from_kuid(current_ns, cred->euid);
-                ucred->gid = from_kgid(current_ns, cred->egid);
+                ucred->uid = from_kuid_munged(current_ns, cred->euid);
+                ucred->gid = from_kgid_munged(current_ns, cred->egid);
         }
 }
 EXPORT_SYMBOL_GPL(cred_to_ucred);
@@ -1230,7 +1230,7 @@ void sock_update_classid(struct sock *sk)
         rcu_read_lock();  /* doing current task, which cannot vanish. */
         classid = task_cls_classid(current);
         rcu_read_unlock();
-        if (classid && classid != sk->sk_classid)
+        if (classid != sk->sk_classid)
                 sk->sk_classid = classid;
 }
 EXPORT_SYMBOL(sock_update_classid);
@@ -1527,12 +1527,12 @@ void sock_edemux(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(sock_edemux);
 
-int sock_i_uid(struct sock *sk)
+kuid_t sock_i_uid(struct sock *sk)
 {
-        int uid;
+        kuid_t uid;
 
         read_lock_bh(&sk->sk_callback_lock);
-        uid = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : 0;
+        uid = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_uid : GLOBAL_ROOT_UID;
         read_unlock_bh(&sk->sk_callback_lock);
         return uid;
 }