Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: 1) Include fixes for netrom and dsa (Fabian Frederick and Florian Fainelli) 2) Fix FIXED_PHY support in stmmac, from Giuseppe CAVALLARO. 3) Several SKB use after free fixes (vxlan, openvswitch, vxlan, ip_tunnel, fou), from Li ROngQing. 4) fec driver PTP support fixes from Luwei Zhou and Nimrod Andy. 5) Use after free in virtio_net, from Michael S Tsirkin. 6) Fix flow mask handling for megaflows in openvswitch, from Pravin B Shelar. 7) ISDN gigaset and capi bug fixes from Tilman Schmidt. 8) Fix route leak in ip_send_unicast_reply(), from Vasily Averin. 9) Fix two eBPF JIT bugs on x86, from Alexei Starovoitov. 10) TCP_SKB_CB() reorganization caused a few regressions, fixed by Cong Wang and Eric Dumazet. 11) Don't overwrite end of SKB when parsing malformed sctp ASCONF chunks, from Daniel Borkmann. 12) Don't call sock_kfree_s() with NULL pointers, this function also has the side effect of adjusting the socket memory usage. From Cong Wang. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (90 commits) bna: fix skb->truesize underestimation net: dsa: add includes for ethtool and phy_fixed definitions openvswitch: Set flow-key members. netrom: use linux/uaccess.h dsa: Fix conversion from host device to mii bus tipc: fix bug in bundled buffer reception ipv6: introduce tcp_v6_iif() sfc: add support for skb->xmit_more r8152: return -EBUSY for runtime suspend ipv4: fix a potential use after free in fou.c ipv4: fix a potential use after free in ip_tunnel_core.c hyperv: Add handling of IP header with option field in netvsc_set_hash() openvswitch: Create right mask with disabled megaflows vxlan: fix a free after use openvswitch: fix a use after free ipv4: dst_entry leak in ip_send_unicast_reply() ipv4: clean up cookie_v4_check() ipv4: share tcp_v4_save_options() with cookie_v4_check() ipv4: call __ip_options_echo() in cookie_v4_check() atm: simplify lanai.c by using module_pci_driver ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-10-18 12:31:37 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-10-18 12:31:37 -0400
commit: 2e923b0251932ad4a82cc87ec1443a1f1d17073e (patch)
tree: d12032bc9bcfbb8a57659275d1b9b582f23f2ecc /net
parent: ffd8221bc348f8c282d1271883dbe629ea8ae289 (diff)
parent: f2d9da1a8375cbe53df5b415d059429013a3a79f (diff)
34 files changed, 265 insertions, 202 deletions
diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c
index ba02db022900..5cd44f001f64 100644
--- a/net/caif/caif_usb.c
+++ b/net/caif/caif_usb.c
@@ -87,13 +87,12 @@ static struct cflayer *cfusbl_create(int phyid, u8 ethaddr[ETH_ALEN],
 {
        struct cfusbl *this = kmalloc(sizeof(struct cfusbl), GFP_ATOMIC);
-        if (!this) {
+        if (!this)
-                pr_warn("Out of memory\n");
                return NULL;
-        }
        caif_assert(offsetof(struct cfusbl, layer) == 0);
-        memset(this, 0, sizeof(struct cflayer));
+        memset(&this->layer, 0, sizeof(this->layer));
        this->layer.receive = cfusbl_receive;
        this->layer.transmit = cfusbl_transmit;
        this->layer.ctrlcmd = cfusbl_ctrlcmd;
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 8c5d6386319f..510aa5a753f0 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -47,10 +47,10 @@ static struct cflayer *get_up(struct cfmuxl *muxl, u16 id);
 struct cflayer *cfmuxl_create(void)
 {
-        struct cfmuxl *this = kmalloc(sizeof(struct cfmuxl), GFP_ATOMIC);
+        struct cfmuxl *this = kzalloc(sizeof(struct cfmuxl), GFP_ATOMIC);
        if (!this)
                return NULL;
-        memset(this, 0, sizeof(*this));
        this->layer.receive = cfmuxl_receive;
        this->layer.transmit = cfmuxl_transmit;
        this->layer.ctrlcmd = cfmuxl_ctrlcmd;
diff --git a/net/core/dev.c b/net/core/dev.c
index 6470716ddba4..b793e3521a36 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2675,7 +2675,7 @@ static struct sk_buff *validate_xmit_skb(struct sk_buff *skb, struct net_device
        if (skb->encapsulation)
                features &= dev->hw_enc_features;
-        if (netif_needs_gso(skb, features)) {
+        if (netif_needs_gso(dev, skb, features)) {
                struct sk_buff *segs;
                segs = skb_gso_segment(skb, features);
diff --git a/net/core/sock.c b/net/core/sock.c
index b4f3ea2fce60..15e0c67b1069 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1718,6 +1718,8 @@ EXPORT_SYMBOL(sock_kmalloc);
 */
 void sock_kfree_s(struct sock *sk, void *mem, int size)
 {
+        if (WARN_ON_ONCE(!mem))
+                return;
        kfree(mem);
        atomic_sub(size, &sk->sk_omem_alloc);
 }
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index ad2acfe1ca61..6bcaa33cd804 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -757,7 +757,8 @@ static int dccp_v6_rcv(struct sk_buff *skb)
        /* Step 2:
         *      Look up flow ID in table and get corresponding socket */
        sk = __inet6_lookup_skb(&dccp_hashinfo, skb,
-                                dh->dccph_sport, dh->dccph_dport);
+                                dh->dccph_sport, dh->dccph_dport,
+                                inet6_iif(skb));
        /*
         * Step 2:
         *      If no socket ...
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 8030489d9cbe..a851e9f14118 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -11,6 +11,7 @@
 #include <linux/list.h>
 #include <linux/etherdevice.h>
 #include <linux/phy.h>
+#include <linux/phy_fixed.h>
 #include <linux/of_net.h>
 #include <linux/of_mdio.h>
 #include "dsa_priv.h"
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 5b6efb3d2308..f99f41bd15b8 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -537,7 +537,7 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi)
                        return 1;
                attrlen = rtnh_attrlen(rtnh);
-                if (attrlen < 0) {
+                if (attrlen > 0) {
                        struct nlattr *nla, *attrs = rtnh_attrs(rtnh);
                        nla = nla_find(attrs, attrlen, RTA_GATEWAY);
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index efa70ad44906..32e78924e246 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -87,6 +87,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
        if (!pskb_may_pull(skb, len))
                goto drop;
+        uh = udp_hdr(skb);
+        guehdr = (struct guehdr *)&uh[1];
        if (guehdr->version != 0)
                goto drop;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e35b71289156..88e5ef2c7f51 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1535,6 +1535,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb,
        struct sk_buff *nskb;
        struct sock *sk;
        struct inet_sock *inet;
+        int err;
        if (__ip_options_echo(&replyopts.opt.opt, skb, sopt))
                return;
@@ -1574,8 +1575,13 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb,
        sock_net_set(sk, net);
        __skb_queue_head_init(&sk->sk_write_queue);
        sk->sk_sndbuf = sysctl_wmem_default;
-        ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
+        err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
-                       &ipc, &rt, MSG_DONTWAIT);
+                             len, 0, &ipc, &rt, MSG_DONTWAIT);
+        if (unlikely(err)) {
+                ip_flush_pending_frames(sk);
+                goto out;
+        }
        nskb = skb_peek(&sk->sk_write_queue);
        if (nskb) {
                if (arg->csumoffset >= 0)
@@ -1587,7 +1593,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb,
                skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb));
                ip_push_pending_frames(sk, &fl4);
        }
+out:
        put_cpu_var(unicast_sock);
        ip_rt_put(rt);
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index f4c987bb7e94..88c386cf7d85 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -91,11 +91,12 @@ int iptunnel_pull_header(struct sk_buff *skb, int hdr_len, __be16 inner_proto)
        skb_pull_rcsum(skb, hdr_len);
        if (inner_proto == htons(ETH_P_TEB)) {
-                struct ethhdr *eh = (struct ethhdr *)skb->data;
+                struct ethhdr *eh;
                if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
                        return -ENOMEM;
+                eh = (struct ethhdr *)skb->data;
                if (likely(ntohs(eh->h_proto) >= ETH_P_802_3_MIN))
                        skb->protocol = eh->h_proto;
                else
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index af660030e3c7..32b98d0207b4 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -255,9 +255,9 @@ bool cookie_check_timestamp(struct tcp_options_received *tcp_opt,
 }
 EXPORT_SYMBOL(cookie_check_timestamp);
-struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
-                             struct ip_options *opt)
 {
+        struct ip_options *opt = &TCP_SKB_CB(skb)->header.h4.opt;
        struct tcp_options_received tcp_opt;
        struct inet_request_sock *ireq;
        struct tcp_request_sock *treq;
@@ -317,15 +317,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        /* We throwed the options of the initial SYN away, so we hope
         * the ACK carries the same options again (see RFC1122 4.2.3.8)
         */
-        if (opt && opt->optlen) {
+        ireq->opt = tcp_v4_save_options(skb);
-                int opt_size = sizeof(struct ip_options_rcu) + opt->optlen;
-                ireq->opt = kmalloc(opt_size, GFP_ATOMIC);
-                if (ireq->opt != NULL && ip_options_echo(&ireq->opt->opt, skb)) {
-                        kfree(ireq->opt);
-                        ireq->opt = NULL;
-                }
-        }
        if (security_inet_conn_request(sk, skb, req)) {
                reqsk_free(req);
@@ -344,7 +336,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        flowi4_init_output(&fl4, sk->sk_bound_dev_if, ireq->ir_mark,
                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
-                           (opt && opt->srr) ? opt->faddr : ireq->ir_rmt_addr,
+                           opt->srr ? opt->faddr : ireq->ir_rmt_addr,
                           ireq->ir_loc_addr, th->source, th->dest);
        security_req_classify_flow(req, flowi4_to_flowi(&fl4));
        rt = ip_route_output_key(sock_net(sk), &fl4);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 00a41499d52c..a12b455928e5 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -68,6 +68,7 @@
 #include <linux/module.h>
 #include <linux/sysctl.h>
 #include <linux/kernel.h>
+#include <linux/prefetch.h>
 #include <net/dst.h>
 #include <net/tcp.h>
 #include <net/inet_common.h>
@@ -3029,6 +3030,21 @@ static u32 tcp_tso_acked(struct sock *sk, struct sk_buff *skb)
        return packets_acked;
 }
+static void tcp_ack_tstamp(struct sock *sk, struct sk_buff *skb,
+                           u32 prior_snd_una)
+{
+        const struct skb_shared_info *shinfo;
+        /* Avoid cache line misses to get skb_shinfo() and shinfo->tx_flags */
+        if (likely(!(sk->sk_tsflags & SOF_TIMESTAMPING_TX_ACK)))
+                return;
+        shinfo = skb_shinfo(skb);
+        if ((shinfo->tx_flags & SKBTX_ACK_TSTAMP) &&
+            between(shinfo->tskey, prior_snd_una, tcp_sk(sk)->snd_una - 1))
+                __skb_tstamp_tx(skb, NULL, sk, SCM_TSTAMP_ACK);
+}
 /* Remove acknowledged frames from the retransmission queue. If our packet
 * is before the ack sequence we can discard it as it's confirmed to have
 * arrived at the other end.
@@ -3052,14 +3068,11 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
        first_ackt.v64 = 0;
        while ((skb = tcp_write_queue_head(sk)) && skb != tcp_send_head(sk)) {
-                struct skb_shared_info *shinfo = skb_shinfo(skb);
                struct tcp_skb_cb *scb = TCP_SKB_CB(skb);
                u8 sacked = scb->sacked;
                u32 acked_pcount;
-                if (unlikely(shinfo->tx_flags & SKBTX_ACK_TSTAMP) &&
+                tcp_ack_tstamp(sk, skb, prior_snd_una);
-                    between(shinfo->tskey, prior_snd_una, tp->snd_una - 1))
-                        __skb_tstamp_tx(skb, NULL, sk, SCM_TSTAMP_ACK);
                /* Determine how many packets and what bytes were acked, tso and else */
                if (after(scb->end_seq, tp->snd_una)) {
@@ -3073,10 +3086,12 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                        fully_acked = false;
                } else {
+                        /* Speedup tcp_unlink_write_queue() and next loop */
+                        prefetchw(skb->next);
                        acked_pcount = tcp_skb_pcount(skb);
                }
-                if (sacked & TCPCB_RETRANS) {
+                if (unlikely(sacked & TCPCB_RETRANS)) {
                        if (sacked & TCPCB_SACKED_RETRANS)
                                tp->retrans_out -= acked_pcount;
                        flag |= FLAG_RETRANS_DATA_ACKED;
@@ -3107,7 +3122,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                 * connection startup slow start one packet too
                 * quickly.  This is severely frowned upon behavior.
                 */
-                if (!(scb->tcp_flags & TCPHDR_SYN)) {
+                if (likely(!(scb->tcp_flags & TCPHDR_SYN))) {
                        flag |= FLAG_DATA_ACKED;
                } else {
                        flag |= FLAG_SYN_ACKED;
@@ -3119,9 +3134,9 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                tcp_unlink_write_queue(skb, sk);
                sk_wmem_free_skb(sk, skb);
-                if (skb == tp->retransmit_skb_hint)
+                if (unlikely(skb == tp->retransmit_skb_hint))
                        tp->retransmit_skb_hint = NULL;
-                if (skb == tp->lost_skb_hint)
+                if (unlikely(skb == tp->lost_skb_hint))
                        tp->lost_skb_hint = NULL;
        }
@@ -3132,7 +3147,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                flag |= FLAG_SACK_RENEGING;
        skb_mstamp_get(&now);
-        if (first_ackt.v64) {
+        if (likely(first_ackt.v64)) {
                seq_rtt_us = skb_mstamp_us_delta(&now, &first_ackt);
                ca_seq_rtt_us = skb_mstamp_us_delta(&now, &last_ackt);
        }
@@ -3394,6 +3409,9 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        int acked = 0; /* Number of packets newly acked */
        long sack_rtt_us = -1L;
+        /* We very likely will need to access write queue head. */
+        prefetchw(sk->sk_write_queue.next);
        /* If the ack is older than previous acks
         * then we can probably ignore it.
         */
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 552e87e3c269..94d1a7757ff7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -880,26 +880,6 @@ bool tcp_syn_flood_action(struct sock *sk,
 }
 EXPORT_SYMBOL(tcp_syn_flood_action);
-/*
- * Save and compile IPv4 options into the request_sock if needed.
- */
-static struct ip_options_rcu *tcp_v4_save_options(struct sk_buff *skb)
-{
-        const struct ip_options *opt = &TCP_SKB_CB(skb)->header.h4.opt;
-        struct ip_options_rcu *dopt = NULL;
-        if (opt && opt->optlen) {
-                int opt_size = sizeof(*dopt) + opt->optlen;
-                dopt = kmalloc(opt_size, GFP_ATOMIC);
-                if (dopt && __ip_options_echo(&dopt->opt, skb, opt)) {
-                        kfree(dopt);
-                        dopt = NULL;
-                }
-        }
-        return dopt;
-}
 #ifdef CONFIG_TCP_MD5SIG
 /*
 * RFC2385 MD5 checksumming requires a mapping of
@@ -1428,7 +1408,7 @@ static struct sock *tcp_v4_hnd_req(struct sock *sk, struct sk_buff *skb)
 #ifdef CONFIG_SYN_COOKIES
        if (!th->syn)
-                sk = cookie_v4_check(sk, skb, &TCP_SKB_CB(skb)->header.h4.opt);
+                sk = cookie_v4_check(sk, skb);
 #endif
        return sk;
 }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index becd98ce9a1c..3af21296d967 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -839,26 +839,38 @@ void tcp_wfree(struct sk_buff *skb)
 {
        struct sock *sk = skb->sk;
        struct tcp_sock *tp = tcp_sk(sk);
+        int wmem;
+        /* Keep one reference on sk_wmem_alloc.
+         * Will be released by sk_free() from here or tcp_tasklet_func()
+         */
+        wmem = atomic_sub_return(skb->truesize - 1, &sk->sk_wmem_alloc);
+        /* If this softirq is serviced by ksoftirqd, we are likely under stress.
+         * Wait until our queues (qdisc + devices) are drained.
+         * This gives :
+         * - less callbacks to tcp_write_xmit(), reducing stress (batches)
+         * - chance for incoming ACK (processed by another cpu maybe)
+         *   to migrate this flow (skb->ooo_okay will be eventually set)
+         */
+        if (wmem >= SKB_TRUESIZE(1) && this_cpu_ksoftirqd() == current)
+                goto out;
        if (test_and_clear_bit(TSQ_THROTTLED, &tp->tsq_flags) &&
            !test_and_set_bit(TSQ_QUEUED, &tp->tsq_flags)) {
                unsigned long flags;
                struct tsq_tasklet *tsq;
-                /* Keep a ref on socket.
-                 * This last ref will be released in tcp_tasklet_func()
-                 */
-                atomic_sub(skb->truesize - 1, &sk->sk_wmem_alloc);
                /* queue this socket to tasklet queue */
                local_irq_save(flags);
                tsq = this_cpu_ptr(&tsq_tasklet);
                list_add(&tp->tsq_node, &tsq->head);
                tasklet_schedule(&tsq->tasklet);
                local_irq_restore(flags);
-        } else {
+                return;
-                sock_wfree(skb);
        }
+out:
+        sk_free(sk);
 }
 /* This routine actually transmits TCP packets queued in by
@@ -914,9 +926,13 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                tcp_ca_event(sk, CA_EVENT_TX_START);
        /* if no packet is in qdisc/device queue, then allow XPS to select
-         * another queue.
+         * another queue. We can be called from tcp_tsq_handler()
+         * which holds one reference to sk_wmem_alloc.
+         *
+         * TODO: Ideally, in-flight pure ACK packets should not matter here.
+         * One way to get this would be to set skb->truesize = 2 on them.
         */
-        skb->ooo_okay = sk_wmem_alloc_get(sk) == 0;
+        skb->ooo_okay = sk_wmem_alloc_get(sk) < SKB_TRUESIZE(1);
        skb_push(skb, tcp_header_size);
        skb_reset_transport_header(skb);
diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index f5e319a8d4e2..baf2742d1ec4 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -235,7 +235,6 @@ static struct ifacaddr6 *aca_alloc(struct rt6_info *rt,
        /* aca_tstamp should be updated upon changes */
        aca->aca_cstamp = aca->aca_tstamp = jiffies;
        atomic_set(&aca->aca_refcnt, 1);
-        spin_lock_init(&aca->aca_lock);
        return aca;
 }
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index e25b633266c3..2f25cb6347ca 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -214,7 +214,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
        /* So that link locals have meaning */
        if (!sk->sk_bound_dev_if &&
            ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
-                ireq->ir_iif = inet6_iif(skb);
+                ireq->ir_iif = tcp_v6_iif(skb);
        ireq->ir_mark = inet_request_mark(sk, skb);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index cf2e45ab2fa4..831495529b82 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -424,6 +424,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                if (sock_owned_by_user(sk))
                        goto out;
+                /* Note : We use inet6_iif() here, not tcp_v6_iif() */
                req = inet6_csk_search_req(sk, &prev, th->dest, &hdr->daddr,
                                           &hdr->saddr, inet6_iif(skb));
                if (!req)
@@ -738,7 +739,7 @@ static void tcp_v6_init_req(struct request_sock *req, struct sock *sk,
        /* So that link locals have meaning */
        if (!sk->sk_bound_dev_if &&
            ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
-                ireq->ir_iif = inet6_iif(skb);
+                ireq->ir_iif = tcp_v6_iif(skb);
        if (!TCP_SKB_CB(skb)->tcp_tw_isn &&
            (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
@@ -860,7 +861,7 @@ static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
        fl6.flowi6_proto = IPPROTO_TCP;
        if (rt6_need_strict(&fl6.daddr) && !oif)
-                fl6.flowi6_oif = inet6_iif(skb);
+                fl6.flowi6_oif = tcp_v6_iif(skb);
        else
                fl6.flowi6_oif = oif;
        fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark);
@@ -918,7 +919,7 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
                sk1 = inet6_lookup_listener(dev_net(skb_dst(skb)->dev),
                                           &tcp_hashinfo, &ipv6h->saddr,
                                           th->source, &ipv6h->daddr,
-                                           ntohs(th->source), inet6_iif(skb));
+                                           ntohs(th->source), tcp_v6_iif(skb));
                if (!sk1)
                        return;
@@ -1000,13 +1001,14 @@ static struct sock *tcp_v6_hnd_req(struct sock *sk, struct sk_buff *skb)
        /* Find possible connection requests. */
        req = inet6_csk_search_req(sk, &prev, th->source,
                                   &ipv6_hdr(skb)->saddr,
-                                   &ipv6_hdr(skb)->daddr, inet6_iif(skb));
+                                   &ipv6_hdr(skb)->daddr, tcp_v6_iif(skb));
        if (req)
                return tcp_check_req(sk, skb, req, prev, false);
        nsk = __inet6_lookup_established(sock_net(sk), &tcp_hashinfo,
-                        &ipv6_hdr(skb)->saddr, th->source,
+                                         &ipv6_hdr(skb)->saddr, th->source,
-                        &ipv6_hdr(skb)->daddr, ntohs(th->dest), inet6_iif(skb));
+                                         &ipv6_hdr(skb)->daddr, ntohs(th->dest),
+                                         tcp_v6_iif(skb));
        if (nsk) {
                if (nsk->sk_state != TCP_TIME_WAIT) {
@@ -1090,7 +1092,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                newnp->ipv6_fl_list = NULL;
                newnp->pktoptions  = NULL;
                newnp->opt         = NULL;
-                newnp->mcast_oif   = inet6_iif(skb);
+                newnp->mcast_oif   = tcp_v6_iif(skb);
                newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
                newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
                if (np->repflow)
@@ -1174,7 +1176,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                        skb_set_owner_r(newnp->pktoptions, newsk);
        }
        newnp->opt        = NULL;
-        newnp->mcast_oif  = inet6_iif(skb);
+        newnp->mcast_oif  = tcp_v6_iif(skb);
        newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
        newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
        if (np->repflow)
@@ -1360,7 +1362,7 @@ ipv6_pktoptions:
        if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
            !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
                if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
-                        np->mcast_oif = inet6_iif(opt_skb);
+                        np->mcast_oif = tcp_v6_iif(opt_skb);
                if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
                        np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
                if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
@@ -1427,7 +1429,8 @@ static int tcp_v6_rcv(struct sk_buff *skb)
        TCP_SKB_CB(skb)->ip_dsfield = ipv6_get_dsfield(hdr);
        TCP_SKB_CB(skb)->sacked = 0;
-        sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
+        sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
+                                tcp_v6_iif(skb));
        if (!sk)
                goto no_tcp_socket;
@@ -1514,7 +1517,7 @@ do_time_wait:
                sk2 = inet6_lookup_listener(dev_net(skb->dev), &tcp_hashinfo,
                                            &ipv6_hdr(skb)->saddr, th->source,
                                            &ipv6_hdr(skb)->daddr,
-                                            ntohs(th->dest), inet6_iif(skb));
+                                            ntohs(th->dest), tcp_v6_iif(skb));
                if (sk2 != NULL) {
                        struct inet_timewait_sock *tw = inet_twsk(sk);
                        inet_twsk_deschedule(tw, &tcp_death_row);
@@ -1553,6 +1556,7 @@ static void tcp_v6_early_demux(struct sk_buff *skb)
        if (th->doff < sizeof(struct tcphdr) / 4)
                return;
+        /* Note : We use inet6_iif() here, not tcp_v6_iif() */
        sk = __inet6_lookup_established(dev_net(skb->dev), &tcp_hashinfo,
                                        &hdr->saddr, th->source,
                                        &hdr->daddr, ntohs(th->dest),
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 71cf1bffea06..1b06a1fcf3e8 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -30,7 +30,7 @@
 #include <linux/skbuff.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/termios.h>      /* For TIOCINQ/OUTQ */
 #include <linux/mm.h>
diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c
index 743262becd6e..6ae063cebf7d 100644
--- a/net/netrom/nr_dev.c
+++ b/net/netrom/nr_dev.c
@@ -20,8 +20,8 @@
 #include <linux/in.h>
 #include <linux/if_ether.h>     /* For the statistics structure. */
 #include <linux/slab.h>
+#include <linux/uaccess.h>
-#include <asm/uaccess.h>
 #include <asm/io.h>
 #include <linux/inet.h>
diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
index c3073a2ef634..80dbd0beb516 100644
--- a/net/netrom/nr_in.c
+++ b/net/netrom/nr_in.c
@@ -23,7 +23,7 @@
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/mm.h>
 #include <linux/interrupt.h>
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 0b4bcb2bf38f..00fbf1419ec6 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -22,7 +22,7 @@
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/mm.h>
 #include <linux/interrupt.h>
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index b976d5eff2de..96b64d2f6dbf 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -25,7 +25,7 @@
 #include <linux/if_arp.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/termios.h>      /* For TIOCINQ/OUTQ */
 #include <linux/mm.h>
diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
index ca40e2298f5a..029c8bb90f4c 100644
--- a/net/netrom/nr_subr.c
+++ b/net/netrom/nr_subr.c
@@ -22,7 +22,7 @@
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/mm.h>
 #include <linux/interrupt.h>
diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index ff2c1b142f57..94d05806a9a2 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -23,7 +23,7 @@
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <linux/fcntl.h>
 #include <linux/mm.h>
 #include <linux/interrupt.h>
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 62db02ba36bc..2b78789ea7c5 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -274,6 +274,8 @@ static int parse_ipv6hdr(struct sk_buff *skb, struct sw_flow_key *key)
                        key->ip.frag = OVS_FRAG_TYPE_LATER;
                else
                        key->ip.frag = OVS_FRAG_TYPE_FIRST;
+        } else {
+                key->ip.frag = OVS_FRAG_TYPE_NONE;
        }
        nh_len = payload_ofs - nh_ofs;
@@ -358,6 +360,7 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key,
         */
        key->tp.src = htons(icmp->icmp6_type);
        key->tp.dst = htons(icmp->icmp6_code);
+        memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd));
        if (icmp->icmp6_code == 0 &&
            (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION ||
@@ -557,10 +560,11 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
        } else if (key->eth.type == htons(ETH_P_ARP) ||
                   key->eth.type == htons(ETH_P_RARP)) {
                struct arp_eth_header *arp;
+                bool arp_available = arphdr_ok(skb);
                arp = (struct arp_eth_header *)skb_network_header(skb);
-                if (arphdr_ok(skb) &&
+                if (arp_available &&
                    arp->ar_hrd == htons(ARPHRD_ETHER) &&
                    arp->ar_pro == htons(ETH_P_IP) &&
                    arp->ar_hln == ETH_ALEN &&
@@ -673,9 +677,6 @@ int ovs_flow_key_extract(struct ovs_tunnel_info *tun_info,
        key->ovs_flow_hash = 0;
        key->recirc_id = 0;
-        /* Flags are always used as part of stats */
-        key->tp.flags = 0;
        return key_extract(skb, key);
 }
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 368f23307911..939bcb32100f 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -103,10 +103,19 @@ static void update_range__(struct sw_flow_match *match,
        SW_FLOW_KEY_MEMCPY_OFFSET(match, offsetof(struct sw_flow_key, field), \
                                  value_p, len, is_mask)
-static u16 range_n_bytes(const struct sw_flow_key_range *range)
+#define SW_FLOW_KEY_MEMSET_FIELD(match, field, value, is_mask) \
-{
+        do { \
-        return range->end - range->start;
+                update_range__(match, offsetof(struct sw_flow_key, field),  \
-}
+                                     sizeof((match)->key->field), is_mask); \
+                if (is_mask) {                                              \
+                        if ((match)->mask)                                  \
+                                memset((u8 *)&(match)->mask->key.field, value,\
+                                       sizeof((match)->mask->key.field));   \
+                } else {                                                    \
+                        memset((u8 *)&(match)->key->field, value,           \
+                               sizeof((match)->key->field));                \
+                }                                                           \
+        } while (0)
 static bool match_validate(const struct sw_flow_match *match,
                           u64 key_attrs, u64 mask_attrs)
@@ -809,13 +818,26 @@ static int ovs_key_from_nlattrs(struct sw_flow_match *match, u64 attrs,
        return 0;
 }
-static void sw_flow_mask_set(struct sw_flow_mask *mask,
+static void nlattr_set(struct nlattr *attr, u8 val, bool is_attr_mask_key)
-                             struct sw_flow_key_range *range, u8 val)
 {
-        u8 *m = (u8 *)&mask->key + range->start;
+        struct nlattr *nla;
+        int rem;
+        /* The nlattr stream should already have been validated */
+        nla_for_each_nested(nla, attr, rem) {
+                /* We assume that ovs_key_lens[type] == -1 means that type is a
+                 * nested attribute
+                 */
+                if (is_attr_mask_key && ovs_key_lens[nla_type(nla)] == -1)
+                        nlattr_set(nla, val, false);
+                else
+                        memset(nla_data(nla), val, nla_len(nla));
+        }
+}
-        mask->range = *range;
+static void mask_set_nlattr(struct nlattr *attr, u8 val)
-        memset(m, val, range_n_bytes(range));
+{
+        nlattr_set(attr, val, true);
 }
 /**
@@ -836,6 +858,7 @@ int ovs_nla_get_match(struct sw_flow_match *match,
 {
        const struct nlattr *a[OVS_KEY_ATTR_MAX + 1];
        const struct nlattr *encap;
+        struct nlattr *newmask = NULL;
        u64 key_attrs = 0;
        u64 mask_attrs = 0;
        bool encap_valid = false;
@@ -882,18 +905,44 @@ int ovs_nla_get_match(struct sw_flow_match *match,
        if (err)
                return err;
+        if (match->mask && !mask) {
+                /* Create an exact match mask. We need to set to 0xff all the
+                 * 'match->mask' fields that have been touched in 'match->key'.
+                 * We cannot simply memset 'match->mask', because padding bytes
+                 * and fields not specified in 'match->key' should be left to 0.
+                 * Instead, we use a stream of netlink attributes, copied from
+                 * 'key' and set to 0xff: ovs_key_from_nlattrs() will take care
+                 * of filling 'match->mask' appropriately.
+                 */
+                newmask = kmemdup(key, nla_total_size(nla_len(key)),
+                                  GFP_KERNEL);
+                if (!newmask)
+                        return -ENOMEM;
+                mask_set_nlattr(newmask, 0xff);
+                /* The userspace does not send tunnel attributes that are 0,
+                 * but we should not wildcard them nonetheless.
+                 */
+                if (match->key->tun_key.ipv4_dst)
+                        SW_FLOW_KEY_MEMSET_FIELD(match, tun_key, 0xff, true);
+                mask = newmask;
+        }
        if (mask) {
                err = parse_flow_mask_nlattrs(mask, a, &mask_attrs);
                if (err)
-                        return err;
+                        goto free_newmask;
-                if (mask_attrs & 1 << OVS_KEY_ATTR_ENCAP)  {
+                if (mask_attrs & 1 << OVS_KEY_ATTR_ENCAP) {
                        __be16 eth_type = 0;
                        __be16 tci = 0;
                        if (!encap_valid) {
                                OVS_NLERR("Encap mask attribute is set for non-VLAN frame.\n");
-                                return  -EINVAL;
+                                err = -EINVAL;
+                                goto free_newmask;
                        }
                        mask_attrs &= ~(1 << OVS_KEY_ATTR_ENCAP);
@@ -904,10 +953,13 @@ int ovs_nla_get_match(struct sw_flow_match *match,
                                mask_attrs &= ~(1 << OVS_KEY_ATTR_ETHERTYPE);
                                encap = a[OVS_KEY_ATTR_ENCAP];
                                err = parse_flow_mask_nlattrs(encap, a, &mask_attrs);
+                                if (err)
+                                        goto free_newmask;
                        } else {
                                OVS_NLERR("VLAN frames must have an exact match on the TPID (mask=%x).\n",
                                                ntohs(eth_type));
-                                return -EINVAL;
+                                err = -EINVAL;
+                                goto free_newmask;
                        }
                        if (a[OVS_KEY_ATTR_VLAN])
@@ -915,23 +967,22 @@ int ovs_nla_get_match(struct sw_flow_match *match,
                        if (!(tci & htons(VLAN_TAG_PRESENT))) {
                                OVS_NLERR("VLAN tag present bit must have an exact match (tci_mask=%x).\n", ntohs(tci));
-                                return -EINVAL;
+                                err = -EINVAL;
+                                goto free_newmask;
                        }
                }
                err = ovs_key_from_nlattrs(match, mask_attrs, a, true);
                if (err)
-                        return err;
+                        goto free_newmask;
-        } else {
-                /* Populate exact match flow's key mask. */
-                if (match->mask)
-                        sw_flow_mask_set(match->mask, &match->range, 0xff);
        }
        if (!match_validate(match, key_attrs, mask_attrs))
-                return -EINVAL;
+                err = -EINVAL;
-        return 0;
+free_newmask:
+        kfree(newmask);
+        return err;
 }
 /**
diff --git a/net/openvswitch/vport-geneve.c b/net/openvswitch/vport-geneve.c
index 910b3ef2c0d5..106a9d80b663 100644
--- a/net/openvswitch/vport-geneve.c
+++ b/net/openvswitch/vport-geneve.c
@@ -30,7 +30,7 @@
 /**
 * struct geneve_port - Keeps track of open UDP ports
- * @sock: The socket created for this port number.
+ * @gs: The socket created for this port number.
 * @name: vport name.
 */
 struct geneve_port {
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index 53001b020ca7..6015802ebe6f 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -408,13 +408,13 @@ int ovs_vport_get_upcall_portids(const struct vport *vport,
 *
 * Returns the portid of the target socket.  Must be called with rcu_read_lock.
 */
-u32 ovs_vport_find_upcall_portid(const struct vport *p, struct sk_buff *skb)
+u32 ovs_vport_find_upcall_portid(const struct vport *vport, struct sk_buff *skb)
 {
        struct vport_portids *ids;
        u32 ids_index;
        u32 hash;
-        ids = rcu_dereference(p->upcall_portids);
+        ids = rcu_dereference(vport->upcall_portids);
        if (ids->n_ids == 1 && ids->ids[0] == 0)
                return 0;
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 4e37c1cbe8b2..40084d843e9f 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -564,12 +564,12 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
        if (rs->rs_bound_addr == 0) {
                ret = -ENOTCONN; /* XXX not a great errno */
-                goto out;
+                goto out_ret;
        }
        if (args->nr_local > UIO_MAXIOV) {
                ret = -EMSGSIZE;
-                goto out;
+                goto out_ret;
        }
        /* Check whether to allocate the iovec area */
@@ -578,7 +578,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
                iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size, GFP_KERNEL);
                if (!iovs) {
                        ret = -ENOMEM;
-                        goto out;
+                        goto out_ret;
                }
        }
@@ -696,6 +696,7 @@ out:
        if (iovs != iovstack)
                sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
        kfree(pages);
+out_ret:
        if (ret)
                rds_rdma_free_op(op);
        else
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index a88b8524846e..f791edd64d6c 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1668,6 +1668,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
         * ack chunk whose serial number matches that of the request.
         */
        list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
+                if (sctp_chunk_pending(ack))
+                        continue;
                if (ack->subh.addip_hdr->serial == serial) {
                        sctp_chunk_hold(ack);
                        return ack;
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 4de12afa13d4..7e8a16c77039 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
                } else {
                        /* Nothing to do. Next chunk in the packet, please. */
                        ch = (sctp_chunkhdr_t *) chunk->chunk_end;
                        /* Force chunk->skb->data to chunk->chunk_end.  */
-                        skb_pull(chunk->skb,
+                        skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
-                                 chunk->chunk_end - chunk->skb->data);
+                        /* We are guaranteed to pull a SCTP header. */
-                        /* Verify that we have at least chunk headers
-                         * worth of buffer left.
-                         */
-                        if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
-                                sctp_chunk_free(chunk);
-                                chunk = queue->in_progress = NULL;
-                        }
                }
        }
@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
        skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
        chunk->subh.v = NULL; /* Subheader is no longer valid.  */
-        if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
+        if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
+            skb_tail_pointer(chunk->skb)) {
                /* This is not a singleton */
                chunk->singleton = 0;
        } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
-                /* RFC 2960, Section 6.10  Bundling
+                /* Discard inside state machine. */
-                 *
+                chunk->pdiscard = 1;
-                 * Partial chunks MUST NOT be placed in an SCTP packet.
+                chunk->chunk_end = skb_tail_pointer(chunk->skb);
-                 * If the receiver detects a partial chunk, it MUST drop
-                 * the chunk.
-                 *
-                 * Since the end of the chunk is past the end of our buffer
-                 * (which contains the whole packet, we can freely discard
-                 * the whole packet.
-                 */
-                sctp_chunk_free(chunk);
-                chunk = queue->in_progress = NULL;
-                return NULL;
        } else {
                /* We are at the end of the packet, so mark the chunk
                 * in case we need to send a SACK.
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index ae0e616a7ca5..ab734be8cb20 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3110,50 +3110,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
        return SCTP_ERROR_NO_ERROR;
 }
-/* Verify the ASCONF packet before we process it.  */
+/* Verify the ASCONF packet before we process it. */
-int sctp_verify_asconf(const struct sctp_association *asoc,
+bool sctp_verify_asconf(const struct sctp_association *asoc,
-                       struct sctp_paramhdr *param_hdr, void *chunk_end,
+                        struct sctp_chunk *chunk, bool addr_param_needed,
-                       struct sctp_paramhdr **errp) {
+                        struct sctp_paramhdr **errp)
-        sctp_addip_param_t *asconf_param;
+{
+        sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
        union sctp_params param;
-        int length, plen;
+        bool addr_param_seen = false;
-        param.v = (sctp_paramhdr_t *) param_hdr;
-        while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
-                length = ntohs(param.p->length);
-                *errp = param.p;
-                if (param.v > chunk_end - length ||
+        sctp_walk_params(param, addip, addip_hdr.params) {
-                    length < sizeof(sctp_paramhdr_t))
+                size_t length = ntohs(param.p->length);
-                        return 0;
+                *errp = param.p;
                switch (param.p->type) {
+                case SCTP_PARAM_ERR_CAUSE:
+                        break;
+                case SCTP_PARAM_IPV4_ADDRESS:
+                        if (length != sizeof(sctp_ipv4addr_param_t))
+                                return false;
+                        addr_param_seen = true;
+                        break;
+                case SCTP_PARAM_IPV6_ADDRESS:
+                        if (length != sizeof(sctp_ipv6addr_param_t))
+                                return false;
+                        addr_param_seen = true;
+                        break;
                case SCTP_PARAM_ADD_IP:
                case SCTP_PARAM_DEL_IP:
                case SCTP_PARAM_SET_PRIMARY:
-                        asconf_param = (sctp_addip_param_t *)param.v;
+                        /* In ASCONF chunks, these need to be first. */
-                        plen = ntohs(asconf_param->param_hdr.length);
+                        if (addr_param_needed && !addr_param_seen)
-                        if (plen < sizeof(sctp_addip_param_t) +
+                                return false;
-                            sizeof(sctp_paramhdr_t))
+                        length = ntohs(param.addip->param_hdr.length);
-                                return 0;
+                        if (length < sizeof(sctp_addip_param_t) +
+                                     sizeof(sctp_paramhdr_t))
+                                return false;
                        break;
                case SCTP_PARAM_SUCCESS_REPORT:
                case SCTP_PARAM_ADAPTATION_LAYER_IND:
                        if (length != sizeof(sctp_addip_param_t))
-                                return 0;
+                                return false;
                        break;
                default:
-                        break;
+                        /* This is unkown to us, reject! */
+                        return false;
                }
-                param.v += WORD_ROUND(length);
        }
-        if (param.v != chunk_end)
+        /* Remaining sanity checks. */
-                return 0;
+        if (addr_param_needed && !addr_param_seen)
+                return false;
+        if (!addr_param_needed && addr_param_seen)
+                return false;
+        if (param.v != chunk->chunk_end)
+                return false;
-        return 1;
+        return true;
 }
 /* Process an incoming ASCONF chunk with the next expected serial no. and
@@ -3162,16 +3175,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
 struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
                                       struct sctp_chunk *asconf)
 {
+        sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
+        bool all_param_pass = true;
+        union sctp_params param;
        sctp_addiphdr_t         *hdr;
        union sctp_addr_param   *addr_param;
        sctp_addip_param_t      *asconf_param;
        struct sctp_chunk       *asconf_ack;
        __be16  err_code;
        int     length = 0;
        int     chunk_len;
        __u32   serial;
-        int     all_param_pass = 1;
        chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
        hdr = (sctp_addiphdr_t *)asconf->skb->data;
@@ -3199,9 +3213,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
                goto done;
        /* Process the TLVs contained within the ASCONF chunk. */
-        while (chunk_len > 0) {
+        sctp_walk_params(param, addip, addip_hdr.params) {
+                /* Skip preceeding address parameters. */
+                if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+                    param.p->type == SCTP_PARAM_IPV6_ADDRESS)
+                        continue;
                err_code = sctp_process_asconf_param(asoc, asconf,
-                                                     asconf_param);
+                                                     param.addip);
                /* ADDIP 4.1 A7)
                 * If an error response is received for a TLV parameter,
                 * all TLVs with no response before the failed TLV are
@@ -3209,28 +3228,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
                 * the failed response are considered unsuccessful unless
                 * a specific success indication is present for the parameter.
                 */
-                if (SCTP_ERROR_NO_ERROR != err_code)
+                if (err_code != SCTP_ERROR_NO_ERROR)
-                        all_param_pass = 0;
+                        all_param_pass = false;
                if (!all_param_pass)
-                        sctp_add_asconf_response(asconf_ack,
+                        sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
-                                                 asconf_param->crr_id, err_code,
+                                                 err_code, param.addip);
-                                                 asconf_param);
                /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
                 * an IP address sends an 'Out of Resource' in its response, it
                 * MUST also fail any subsequent add or delete requests bundled
                 * in the ASCONF.
                 */
-                if (SCTP_ERROR_RSRC_LOW == err_code)
+                if (err_code == SCTP_ERROR_RSRC_LOW)
                        goto done;
-                /* Move to the next ASCONF param. */
-                length = ntohs(asconf_param->param_hdr.length);
-                asconf_param = (void *)asconf_param + length;
-                chunk_len -= length;
        }
 done:
        asoc->peer.addip_serial++;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index c8f606324134..3ee27b7704ff 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
 {
        __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
+        /* Previously already marked? */
+        if (unlikely(chunk->pdiscard))
+                return 0;
        if (unlikely(chunk_length < required_length))
                return 0;
@@ -3591,9 +3594,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
        struct sctp_chunk       *asconf_ack = NULL;
        struct sctp_paramhdr    *err_param = NULL;
        sctp_addiphdr_t         *hdr;
-        union sctp_addr_param   *addr_param;
        __u32                   serial;
-        int                     length;
        if (!sctp_vtag_verify(chunk, asoc)) {
                sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
@@ -3618,17 +3619,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
        hdr = (sctp_addiphdr_t *)chunk->skb->data;
        serial = ntohl(hdr->serial);
-        addr_param = (union sctp_addr_param *)hdr->params;
-        length = ntohs(addr_param->p.length);
-        if (length < sizeof(sctp_paramhdr_t))
-                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
-                           (void *)addr_param, commands);
        /* Verify the ASCONF chunk before processing it. */
-        if (!sctp_verify_asconf(asoc,
+        if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
-                            (sctp_paramhdr_t *)((void *)addr_param + length),
-                            (void *)chunk->chunk_end,
-                            &err_param))
                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
                                                  (void *)err_param, commands);
@@ -3745,10 +3737,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
        rcvd_serial = ntohl(addip_hdr->serial);
        /* Verify the ASCONF-ACK chunk before processing it. */
-        if (!sctp_verify_asconf(asoc,
+        if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
-            (sctp_paramhdr_t *)addip_hdr->params,
-            (void *)asconf_ack->chunk_end,
-            &err_param))
                return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
                           (void *)err_param, commands);
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 65410e18b8a6..1db162aa64a5 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1924,7 +1924,12 @@ void tipc_link_bundle_rcv(struct sk_buff *buf)
                }
                omsg = buf_msg(obuf);
                pos += align(msg_size(omsg));
-                if (msg_isdata(omsg) || (msg_user(omsg) == CONN_MANAGER)) {
+                if (msg_isdata(omsg)) {
+                        if (unlikely(msg_type(omsg) == TIPC_MCAST_MSG))
+                                tipc_sk_mcast_rcv(obuf);
+                        else
+                                tipc_sk_rcv(obuf);
+                } else if (msg_user(omsg) == CONN_MANAGER) {
                        tipc_sk_rcv(obuf);
                } else if (msg_user(omsg) == NAME_DISTRIBUTOR) {
                        tipc_named_rcv(obuf);
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-10-18 12:31:37 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-10-18 12:31:37 -0400
commit	2e923b0251932ad4a82cc87ec1443a1f1d17073e (patch)
tree	d12032bc9bcfbb8a57659275d1b9b582f23f2ecc /net
parent	ffd8221bc348f8c282d1271883dbe629ea8ae289 (diff)
parent	f2d9da1a8375cbe53df5b415d059429013a3a79f (diff)