Merge branch 'sched/urgent' into sched/core, to merge fixes before applying new changes

Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Ingo Molnar <mingo@kernel.org> 2014-07-28 04:03:00 -0400
committer: Ingo Molnar <mingo@kernel.org> 2014-07-28 04:03:00 -0400
commit: ca5bc6cd5de5b53eb8fd6fea39aa3fe2a1e8c3d9 (patch)
tree: 75beaae2d4b6bc654eb28994dd5906d8dcf5ef46 /net
parent: c1221321b7c25b53204447cff9949a6d5a7ddddc (diff)
parent: d8d28c8f00e84a72e8bee39a85835635417bee49 (diff)
46 files changed, 474 insertions, 309 deletions
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index ad2ac3c00398..dd11f612e03e 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -627,8 +627,6 @@ static void vlan_dev_uninit(struct net_device *dev)
        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
        int i;
-        free_percpu(vlan->vlan_pcpu_stats);
-        vlan->vlan_pcpu_stats = NULL;
        for (i = 0; i < ARRAY_SIZE(vlan->egress_priority_map); i++) {
                while ((pm = vlan->egress_priority_map[i]) != NULL) {
                        vlan->egress_priority_map[i] = pm->next;
@@ -785,6 +783,15 @@ static const struct net_device_ops vlan_netdev_ops = {
        .ndo_get_lock_subclass  = vlan_dev_get_lock_subclass,
 };
+static void vlan_dev_free(struct net_device *dev)
+{
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+        free_percpu(vlan->vlan_pcpu_stats);
+        vlan->vlan_pcpu_stats = NULL;
+        free_netdev(dev);
+}
 void vlan_setup(struct net_device *dev)
 {
        ether_setup(dev);
@@ -794,7 +801,7 @@ void vlan_setup(struct net_device *dev)
        dev->tx_queue_len       = 0;
        dev->netdev_ops         = &vlan_netdev_ops;
-        dev->destructor         = free_netdev;
+        dev->destructor         = vlan_dev_free;
        dev->ethtool_ops        = &vlan_ethtool_ops;
        memset(dev->broadcast, 0, ETH_ALEN);
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 01a1082e02b3..bfcf6be1d665 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1489,8 +1489,6 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
                goto drop;
        /* Queue packet (standard) */
-        skb->sk = sock;
        if (sock_queue_rcv_skb(sock, skb) < 0)
                goto drop;
@@ -1644,7 +1642,6 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        if (!skb)
                goto out;
-        skb->sk = sk;
        skb_reserve(skb, ddp_dl->header_length);
        skb_reserve(skb, dev->hard_header_len);
        skb->dev = dev;
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 6f0d9ec37950..a957c8140721 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -800,11 +800,6 @@ static int batadv_check_claim_group(struct batadv_priv *bat_priv,
        bla_dst = (struct batadv_bla_claim_dst *)hw_dst;
        bla_dst_own = &bat_priv->bla.claim_dest;
-        /* check if it is a claim packet in general */
-        if (memcmp(bla_dst->magic, bla_dst_own->magic,
-                   sizeof(bla_dst->magic)) != 0)
-                return 0;
        /* if announcement packet, use the source,
         * otherwise assume it is in the hw_src
         */
@@ -866,12 +861,13 @@ static int batadv_bla_process_claim(struct batadv_priv *bat_priv,
                                    struct batadv_hard_iface *primary_if,
                                    struct sk_buff *skb)
 {
-        struct batadv_bla_claim_dst *bla_dst;
+        struct batadv_bla_claim_dst *bla_dst, *bla_dst_own;
        uint8_t *hw_src, *hw_dst;
-        struct vlan_ethhdr *vhdr;
+        struct vlan_hdr *vhdr, vhdr_buf;
        struct ethhdr *ethhdr;
        struct arphdr *arphdr;
        unsigned short vid;
+        int vlan_depth = 0;
        __be16 proto;
        int headlen;
        int ret;
@@ -882,9 +878,24 @@ static int batadv_bla_process_claim(struct batadv_priv *bat_priv,
        proto = ethhdr->h_proto;
        headlen = ETH_HLEN;
        if (vid & BATADV_VLAN_HAS_TAG) {
-                vhdr = vlan_eth_hdr(skb);
+                /* Traverse the VLAN/Ethertypes.
-                proto = vhdr->h_vlan_encapsulated_proto;
+                 *
-                headlen += VLAN_HLEN;
+                 * At this point it is known that the first protocol is a VLAN
+                 * header, so start checking at the encapsulated protocol.
+                 *
+                 * The depth of the VLAN headers is recorded to drop BLA claim
+                 * frames encapsulated into multiple VLAN headers (QinQ).
+                 */
+                do {
+                        vhdr = skb_header_pointer(skb, headlen, VLAN_HLEN,
+                                                  &vhdr_buf);
+                        if (!vhdr)
+                                return 0;
+                        proto = vhdr->h_vlan_encapsulated_proto;
+                        headlen += VLAN_HLEN;
+                        vlan_depth++;
+                } while (proto == htons(ETH_P_8021Q));
        }
        if (proto != htons(ETH_P_ARP))
@@ -914,6 +925,19 @@ static int batadv_bla_process_claim(struct batadv_priv *bat_priv,
        hw_src = (uint8_t *)arphdr + sizeof(struct arphdr);
        hw_dst = hw_src + ETH_ALEN + 4;
        bla_dst = (struct batadv_bla_claim_dst *)hw_dst;
+        bla_dst_own = &bat_priv->bla.claim_dest;
+        /* check if it is a claim frame in general */
+        if (memcmp(bla_dst->magic, bla_dst_own->magic,
+                   sizeof(bla_dst->magic)) != 0)
+                return 0;
+        /* check if there is a claim frame encapsulated deeper in (QinQ) and
+         * drop that, as this is not supported by BLA but should also not be
+         * sent via the mesh.
+         */
+        if (vlan_depth > 1)
+                return 1;
        /* check if it is a claim frame. */
        ret = batadv_check_claim_group(bat_priv, primary_if, hw_src, hw_dst,
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index e7ee65dc20bf..cbd677f48c00 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -448,10 +448,15 @@ out:
 *  possibly free it
 * @softif_vlan: the vlan object to release
 */
-void batadv_softif_vlan_free_ref(struct batadv_softif_vlan *softif_vlan)
+void batadv_softif_vlan_free_ref(struct batadv_softif_vlan *vlan)
 {
-        if (atomic_dec_and_test(&softif_vlan->refcount))
+        if (atomic_dec_and_test(&vlan->refcount)) {
-                kfree_rcu(softif_vlan, rcu);
+                spin_lock_bh(&vlan->bat_priv->softif_vlan_list_lock);
+                hlist_del_rcu(&vlan->list);
+                spin_unlock_bh(&vlan->bat_priv->softif_vlan_list_lock);
+                kfree_rcu(vlan, rcu);
+        }
 }
 /**
@@ -505,6 +510,7 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
        if (!vlan)
                return -ENOMEM;
+        vlan->bat_priv = bat_priv;
        vlan->vid = vid;
        atomic_set(&vlan->refcount, 1);
@@ -516,6 +522,10 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
                return err;
        }
+        spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+        hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+        spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
        /* add a new TT local entry. This one will be marked with the NOPURGE
         * flag
         */
@@ -523,10 +533,6 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
                            bat_priv->soft_iface->dev_addr, vid,
                            BATADV_NULL_IFINDEX, BATADV_NO_MARK);
-        spin_lock_bh(&bat_priv->softif_vlan_list_lock);
-        hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
-        spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
        return 0;
 }
@@ -538,18 +544,13 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
 static void batadv_softif_destroy_vlan(struct batadv_priv *bat_priv,
                                       struct batadv_softif_vlan *vlan)
 {
-        spin_lock_bh(&bat_priv->softif_vlan_list_lock);
-        hlist_del_rcu(&vlan->list);
-        spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
-        batadv_sysfs_del_vlan(bat_priv, vlan);
        /* explicitly remove the associated TT local entry because it is marked
         * with the NOPURGE flag
         */
        batadv_tt_local_remove(bat_priv, bat_priv->soft_iface->dev_addr,
                               vlan->vid, "vlan interface destroyed", false);
+        batadv_sysfs_del_vlan(bat_priv, vlan);
        batadv_softif_vlan_free_ref(vlan);
 }
@@ -567,6 +568,8 @@ static int batadv_interface_add_vid(struct net_device *dev, __be16 proto,
                                    unsigned short vid)
 {
        struct batadv_priv *bat_priv = netdev_priv(dev);
+        struct batadv_softif_vlan *vlan;
+        int ret;
        /* only 802.1Q vlans are supported.
         * batman-adv does not know how to handle other types
@@ -576,7 +579,36 @@ static int batadv_interface_add_vid(struct net_device *dev, __be16 proto,
        vid |= BATADV_VLAN_HAS_TAG;
-        return batadv_softif_create_vlan(bat_priv, vid);
+        /* if a new vlan is getting created and it already exists, it means that
+         * it was not deleted yet. batadv_softif_vlan_get() increases the
+         * refcount in order to revive the object.
+         *
+         * if it does not exist then create it.
+         */
+        vlan = batadv_softif_vlan_get(bat_priv, vid);
+        if (!vlan)
+                return batadv_softif_create_vlan(bat_priv, vid);
+        /* recreate the sysfs object if it was already destroyed (and it should
+         * be since we received a kill_vid() for this vlan
+         */
+        if (!vlan->kobj) {
+                ret = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+                if (ret) {
+                        batadv_softif_vlan_free_ref(vlan);
+                        return ret;
+                }
+        }
+        /* add a new TT local entry. This one will be marked with the NOPURGE
+         * flag. This must be added again, even if the vlan object already
+         * exists, because the entry was deleted by kill_vid()
+         */
+        batadv_tt_local_add(bat_priv->soft_iface,
+                            bat_priv->soft_iface->dev_addr, vid,
+                            BATADV_NULL_IFINDEX, BATADV_NO_MARK);
+        return 0;
 }
 /**
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index d636bde72c9a..5f59e7f899a0 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -511,6 +511,7 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
        struct batadv_priv *bat_priv = netdev_priv(soft_iface);
        struct batadv_tt_local_entry *tt_local;
        struct batadv_tt_global_entry *tt_global = NULL;
+        struct batadv_softif_vlan *vlan;
        struct net_device *in_dev = NULL;
        struct hlist_head *head;
        struct batadv_tt_orig_list_entry *orig_entry;
@@ -572,6 +573,9 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
        if (!tt_local)
                goto out;
+        /* increase the refcounter of the related vlan */
+        vlan = batadv_softif_vlan_get(bat_priv, vid);
        batadv_dbg(BATADV_DBG_TT, bat_priv,
                   "Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",
                   addr, BATADV_PRINT_VID(vid),
@@ -604,6 +608,7 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
        if (unlikely(hash_added != 0)) {
                /* remove the reference for the hash */
                batadv_tt_local_entry_free_ref(tt_local);
+                batadv_softif_vlan_free_ref(vlan);
                goto out;
        }
@@ -1009,6 +1014,7 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
 {
        struct batadv_tt_local_entry *tt_local_entry;
        uint16_t flags, curr_flags = BATADV_NO_FLAGS;
+        struct batadv_softif_vlan *vlan;
        tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
        if (!tt_local_entry)
@@ -1039,6 +1045,11 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
        hlist_del_rcu(&tt_local_entry->common.hash_entry);
        batadv_tt_local_entry_free_ref(tt_local_entry);
+        /* decrease the reference held for this vlan */
+        vlan = batadv_softif_vlan_get(bat_priv, vid);
+        batadv_softif_vlan_free_ref(vlan);
+        batadv_softif_vlan_free_ref(vlan);
 out:
        if (tt_local_entry)
                batadv_tt_local_entry_free_ref(tt_local_entry);
@@ -1111,6 +1122,7 @@ static void batadv_tt_local_table_free(struct batadv_priv *bat_priv)
        spinlock_t *list_lock; /* protects write access to the hash lists */
        struct batadv_tt_common_entry *tt_common_entry;
        struct batadv_tt_local_entry *tt_local;
+        struct batadv_softif_vlan *vlan;
        struct hlist_node *node_tmp;
        struct hlist_head *head;
        uint32_t i;
@@ -1131,6 +1143,13 @@ static void batadv_tt_local_table_free(struct batadv_priv *bat_priv)
                        tt_local = container_of(tt_common_entry,
                                                struct batadv_tt_local_entry,
                                                common);
+                        /* decrease the reference held for this vlan */
+                        vlan = batadv_softif_vlan_get(bat_priv,
+                                                      tt_common_entry->vid);
+                        batadv_softif_vlan_free_ref(vlan);
+                        batadv_softif_vlan_free_ref(vlan);
                        batadv_tt_local_entry_free_ref(tt_local);
                }
                spin_unlock_bh(list_lock);
@@ -3139,6 +3158,7 @@ static void batadv_tt_local_purge_pending_clients(struct batadv_priv *bat_priv)
        struct batadv_hashtable *hash = bat_priv->tt.local_hash;
        struct batadv_tt_common_entry *tt_common;
        struct batadv_tt_local_entry *tt_local;
+        struct batadv_softif_vlan *vlan;
        struct hlist_node *node_tmp;
        struct hlist_head *head;
        spinlock_t *list_lock; /* protects write access to the hash lists */
@@ -3167,6 +3187,12 @@ static void batadv_tt_local_purge_pending_clients(struct batadv_priv *bat_priv)
                        tt_local = container_of(tt_common,
                                                struct batadv_tt_local_entry,
                                                common);
+                        /* decrease the reference held for this vlan */
+                        vlan = batadv_softif_vlan_get(bat_priv, tt_common->vid);
+                        batadv_softif_vlan_free_ref(vlan);
+                        batadv_softif_vlan_free_ref(vlan);
                        batadv_tt_local_entry_free_ref(tt_local);
                }
                spin_unlock_bh(list_lock);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 34891a56773f..8854c05622a9 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -687,6 +687,7 @@ struct batadv_priv_nc {
 /**
 * struct batadv_softif_vlan - per VLAN attributes set
+ * @bat_priv: pointer to the mesh object
 * @vid: VLAN identifier
 * @kobj: kobject for sysfs vlan subdirectory
 * @ap_isolation: AP isolation state
@@ -696,6 +697,7 @@ struct batadv_priv_nc {
 * @rcu: struct used for freeing in a RCU-safe manner
 */
 struct batadv_softif_vlan {
+        struct batadv_priv *bat_priv;
        unsigned short vid;
        struct kobject *kobj;
        atomic_t ap_isolation;          /* boolean */
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ca01d1861854..a7a27bc2c0b1 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -289,10 +289,20 @@ static void hci_conn_timeout(struct work_struct *work)
 {
        struct hci_conn *conn = container_of(work, struct hci_conn,
                                             disc_work.work);
+        int refcnt = atomic_read(&conn->refcnt);
        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
-        if (atomic_read(&conn->refcnt))
+        WARN_ON(refcnt < 0);
+        /* FIXME: It was observed that in pairing failed scenario, refcnt
+         * drops below 0. Probably this is because l2cap_conn_del calls
+         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
+         * dropped. After that loop hci_chan_del is called which also drops
+         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
+         * otherwise drop it.
+         */
+        if (refcnt > 0)
                return;
        switch (conn->state) {
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index f2829a7932e2..e33a982161c1 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -385,6 +385,16 @@ static const u8 gen_method[5][5] = {
        { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 };
+static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
+{
+        /* If either side has unknown io_caps, use JUST WORKS */
+        if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
+            remote_io > SMP_IO_KEYBOARD_DISPLAY)
+                return JUST_WORKS;
+        return gen_method[remote_io][local_io];
+}
 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
                                                u8 local_io, u8 remote_io)
 {
@@ -401,14 +411,11 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
        BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
        /* If neither side wants MITM, use JUST WORKS */
-        /* If either side has unknown io_caps, use JUST WORKS */
        /* Otherwise, look up method from the table */
-        if (!(auth & SMP_AUTH_MITM) ||
+        if (!(auth & SMP_AUTH_MITM))
-            local_io > SMP_IO_KEYBOARD_DISPLAY ||
-            remote_io > SMP_IO_KEYBOARD_DISPLAY)
                method = JUST_WORKS;
        else
-                method = gen_method[remote_io][local_io];
+                method = get_auth_method(smp, local_io, remote_io);
        /* If not bonding, don't ask user to confirm a Zero TK */
        if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
@@ -669,7 +676,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct smp_cmd_pairing rsp, *req = (void *) skb->data;
        struct smp_chan *smp;
-        u8 key_size, auth;
+        u8 key_size, auth, sec_level;
        int ret;
        BT_DBG("conn %p", conn);
@@ -695,7 +702,19 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        /* We didn't start the pairing, so match remote */
        auth = req->auth_req;
-        conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
+        sec_level = authreq_to_seclevel(auth);
+        if (sec_level > conn->hcon->pending_sec_level)
+                conn->hcon->pending_sec_level = sec_level;
+        /* If we need MITM check that it can be acheived */
+        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+                u8 method;
+                method = get_auth_method(smp, conn->hcon->io_capability,
+                                         req->io_capability);
+                if (method == JUST_WORKS || method == JUST_CFM)
+                        return SMP_AUTH_REQUIREMENTS;
+        }
        build_pairing_cmd(conn, req, &rsp, auth);
@@ -743,6 +762,16 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
        if (check_enc_key_size(conn, key_size))
                return SMP_ENC_KEY_SIZE;
+        /* If we need MITM check that it can be acheived */
+        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
+                u8 method;
+                method = get_auth_method(smp, req->io_capability,
+                                         rsp->io_capability);
+                if (method == JUST_WORKS || method == JUST_CFM)
+                        return SMP_AUTH_REQUIREMENTS;
+        }
        get_random_bytes(smp->prnd, sizeof(smp->prnd));
        smp->prsp[0] = SMP_CMD_PAIRING_RSP;
@@ -838,6 +867,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        struct smp_cmd_pairing cp;
        struct hci_conn *hcon = conn->hcon;
        struct smp_chan *smp;
+        u8 sec_level;
        BT_DBG("conn %p", conn);
@@ -847,7 +877,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (!(conn->hcon->link_mode & HCI_LM_MASTER))
                return SMP_CMD_NOTSUPP;
-        hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
+        sec_level = authreq_to_seclevel(rp->auth_req);
+        if (sec_level > hcon->pending_sec_level)
+                hcon->pending_sec_level = sec_level;
        if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
                return 0;
@@ -901,9 +933,12 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
        if (smp_sufficient_security(hcon, sec_level))
                return 1;
+        if (sec_level > hcon->pending_sec_level)
+                hcon->pending_sec_level = sec_level;
        if (hcon->link_mode & HCI_LM_MASTER)
-                if (smp_ltk_encrypt(conn, sec_level))
+                if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
-                        goto done;
+                        return 0;
        if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
                return 0;
@@ -918,7 +953,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
         * requires it.
         */
        if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
-            sec_level > BT_SECURITY_MEDIUM)
+            hcon->pending_sec_level > BT_SECURITY_MEDIUM)
                authreq |= SMP_AUTH_MITM;
        if (hcon->link_mode & HCI_LM_MASTER) {
@@ -937,9 +972,6 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
        set_bit(SMP_FLAG_INITIATOR, &smp->flags);
-done:
-        hcon->pending_sec_level = sec_level;
        return 0;
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index 30eedf677913..367a586d0c8a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -148,6 +148,9 @@ struct list_head ptype_all __read_mostly;	/* Taps */
 static struct list_head offload_base __read_mostly;
 static int netif_rx_internal(struct sk_buff *skb);
+static int call_netdevice_notifiers_info(unsigned long val,
+                                         struct net_device *dev,
+                                         struct netdev_notifier_info *info);
 /*
 * The @dev_base_head list is protected by @dev_base_lock and the rtnl
@@ -1207,7 +1210,11 @@ EXPORT_SYMBOL(netdev_features_change);
 void netdev_state_change(struct net_device *dev)
 {
        if (dev->flags & IFF_UP) {
-                call_netdevice_notifiers(NETDEV_CHANGE, dev);
+                struct netdev_notifier_change_info change_info;
+                change_info.flags_changed = 0;
+                call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
+                                              &change_info.info);
                rtmsg_ifinfo(RTM_NEWLINK, dev, 0, GFP_KERNEL);
        }
 }
@@ -4089,6 +4096,8 @@ static void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
        skb->vlan_tci = 0;
        skb->dev = napi->dev;
        skb->skb_iif = 0;
+        skb->encapsulation = 0;
+        skb_shinfo(skb)->gso_type = 0;
        skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
        napi->skb = skb;
@@ -4227,9 +4236,8 @@ static int process_backlog(struct napi_struct *napi, int quota)
 #endif
        napi->weight = weight_p;
        local_irq_disable();
-        while (work < quota) {
+        while (1) {
                struct sk_buff *skb;
-                unsigned int qlen;
                while ((skb = __skb_dequeue(&sd->process_queue))) {
                        local_irq_enable();
@@ -4243,24 +4251,24 @@ static int process_backlog(struct napi_struct *napi, int quota)
                }
                rps_lock(sd);
-                qlen = skb_queue_len(&sd->input_pkt_queue);
+                if (skb_queue_empty(&sd->input_pkt_queue)) {
-                if (qlen)
-                        skb_queue_splice_tail_init(&sd->input_pkt_queue,
-                                                   &sd->process_queue);
-                if (qlen < quota - work) {
                        /*
                         * Inline a custom version of __napi_complete().
                         * only current cpu owns and manipulates this napi,
-                         * and NAPI_STATE_SCHED is the only possible flag set on backlog.
+                         * and NAPI_STATE_SCHED is the only possible flag set
-                         * we can use a plain write instead of clear_bit(),
+                         * on backlog.
+                         * We can use a plain write instead of clear_bit(),
                         * and we dont need an smp_mb() memory barrier.
                         */
                        list_del(&napi->poll_list);
                        napi->state = 0;
+                        rps_unlock(sd);
-                        quota = work + qlen;
+                        break;
                }
+                skb_queue_splice_tail_init(&sd->input_pkt_queue,
+                                           &sd->process_queue);
                rps_unlock(sd);
        }
        local_irq_enable();
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 32d872eec7f5..559890b0f0a2 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3059,11 +3059,12 @@ int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
                memset(&t->neigh_vars[NEIGH_VAR_GC_INTERVAL], 0,
                       sizeof(t->neigh_vars[NEIGH_VAR_GC_INTERVAL]));
        } else {
+                struct neigh_table *tbl = p->tbl;
                dev_name_source = "default";
-                t->neigh_vars[NEIGH_VAR_GC_INTERVAL].data = (int *)(p + 1);
+                t->neigh_vars[NEIGH_VAR_GC_INTERVAL].data = &tbl->gc_interval;
-                t->neigh_vars[NEIGH_VAR_GC_THRESH1].data = (int *)(p + 1) + 1;
+                t->neigh_vars[NEIGH_VAR_GC_THRESH1].data = &tbl->gc_thresh1;
-                t->neigh_vars[NEIGH_VAR_GC_THRESH2].data = (int *)(p + 1) + 2;
+                t->neigh_vars[NEIGH_VAR_GC_THRESH2].data = &tbl->gc_thresh2;
-                t->neigh_vars[NEIGH_VAR_GC_THRESH3].data = (int *)(p + 1) + 3;
+                t->neigh_vars[NEIGH_VAR_GC_THRESH3].data = &tbl->gc_thresh3;
        }
        if (handler) {
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index 9acec61f5433..dd8696a3dbec 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -150,7 +150,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
                goto put;
        memcpy(*_result, upayload->data, len);
-        *_result[len] = '\0';
+        (*_result)[len] = '\0';
        if (_expiry)
                *_expiry = rkey->expiry;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index d5e6836cf772..d156b3c5f363 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1429,6 +1429,9 @@ static int inet_gro_complete(struct sk_buff *skb, int nhoff)
        int proto = iph->protocol;
        int err = -ENOSYS;
+        if (skb->encapsulation)
+                skb_set_inner_network_header(skb, nhoff);
        csum_replace2(&iph->check, iph->tot_len, newlen);
        iph->tot_len = newlen;
diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
index 4e9619bca732..0485bf7f8f03 100644
--- a/net/ipv4/gre_demux.c
+++ b/net/ipv4/gre_demux.c
@@ -68,6 +68,7 @@ void gre_build_header(struct sk_buff *skb, const struct tnl_ptk_info *tpi,
        skb_push(skb, hdr_len);
+        skb_reset_transport_header(skb);
        greh = (struct gre_base_hdr *)skb->data;
        greh->flags = tnl_flags_to_gre_flags(tpi->flags);
        greh->protocol = tpi->proto;
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index eb92deb12666..f0bdd47bbbcb 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -263,6 +263,9 @@ static int gre_gro_complete(struct sk_buff *skb, int nhoff)
        int err = -ENOENT;
        __be16 type;
+        skb->encapsulation = 1;
+        skb_shinfo(skb)->gso_type = SKB_GSO_GRE;
        type = greh->protocol;
        if (greh->flags & GRE_KEY)
                grehlen += GRE_HEADER_SECTION;
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 79c3d947a481..42b7bcf8045b 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -739,8 +739,6 @@ static void icmp_unreach(struct sk_buff *skb)
                                /* fall through */
                        case 0:
                                info = ntohs(icmph->un.frag.mtu);
-                                if (!info)
-                                        goto out;
                        }
                        break;
                case ICMP_SR_FAILED:
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 6748d420f714..db710b059bab 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1944,6 +1944,10 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
        rtnl_lock();
        in_dev = ip_mc_find_dev(net, imr);
+        if (!in_dev) {
+                ret = -ENODEV;
+                goto out;
+        }
        ifindex = imr->imr_ifindex;
        for (imlp = &inet->mc_list;
             (iml = rtnl_dereference(*imlp)) != NULL;
@@ -1961,16 +1965,14 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
                *imlp = iml->next_rcu;
-                if (in_dev)
+                ip_mc_dec_group(in_dev, group);
-                        ip_mc_dec_group(in_dev, group);
                rtnl_unlock();
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
                kfree_rcu(iml, rcu);
                return 0;
        }
-        if (!in_dev)
+out:
-                ret = -ENODEV;
        rtnl_unlock();
        return ret;
 }
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 5e7aecea05cd..ad382499bace 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -288,6 +288,10 @@ int ip_options_compile(struct net *net,
                        optptr++;
                        continue;
                }
+                if (unlikely(l < 2)) {
+                        pp_ptr = optptr;
+                        goto error;
+                }
                optlen = optptr[1];
                if (optlen < 2 || optlen > l) {
                        pp_ptr = optptr;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 54b6731dab55..6f9de61dce5f 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -169,6 +169,7 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        hlist_for_each_entry_rcu(t, head, hash_node) {
                if (remote != t->parms.iph.daddr ||
+                    t->parms.iph.saddr != 0 ||
                    !(t->dev->flags & IFF_UP))
                        continue;
@@ -185,10 +186,11 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        head = &itn->tunnels[hash];
        hlist_for_each_entry_rcu(t, head, hash_node) {
-                if ((local != t->parms.iph.saddr &&
+                if ((local != t->parms.iph.saddr || t->parms.iph.daddr != 0) &&
-                     (local != t->parms.iph.daddr ||
+                    (local != t->parms.iph.daddr || !ipv4_is_multicast(local)))
-                      !ipv4_is_multicast(local))) ||
+                        continue;
-                    !(t->dev->flags & IFF_UP))
+                if (!(t->dev->flags & IFF_UP))
                        continue;
                if (!ip_tunnel_key_match(&t->parms, flags, key))
@@ -205,6 +207,8 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        hlist_for_each_entry_rcu(t, head, hash_node) {
                if (t->parms.i_key != key ||
+                    t->parms.iph.saddr != 0 ||
+                    t->parms.iph.daddr != 0 ||
                    !(t->dev->flags & IFF_UP))
                        continue;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 082239ffe34a..3162ea923ded 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1010,7 +1010,7 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
        const struct iphdr *iph = (const struct iphdr *) skb->data;
        struct flowi4 fl4;
        struct rtable *rt;
-        struct dst_entry *dst;
+        struct dst_entry *odst = NULL;
        bool new = false;
        bh_lock_sock(sk);
@@ -1018,16 +1018,17 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
        if (!ip_sk_accept_pmtu(sk))
                goto out;
-        rt = (struct rtable *) __sk_dst_get(sk);
+        odst = sk_dst_get(sk);
-        if (sock_owned_by_user(sk) || !rt) {
+        if (sock_owned_by_user(sk) || !odst) {
                __ipv4_sk_update_pmtu(skb, sk, mtu);
                goto out;
        }
        __build_flow_key(&fl4, sk, iph, 0, 0, 0, 0, 0);
-        if (!__sk_dst_check(sk, 0)) {
+        rt = (struct rtable *)odst;
+        if (odst->obsolete && odst->ops->check(odst, 0) == NULL) {
                rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
                if (IS_ERR(rt))
                        goto out;
@@ -1037,8 +1038,7 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
        __ip_rt_update_pmtu((struct rtable *) rt->dst.path, &fl4, mtu);
-        dst = dst_check(&rt->dst, 0);
+        if (!dst_check(&rt->dst, 0)) {
-        if (!dst) {
                if (new)
                        dst_release(&rt->dst);
@@ -1050,10 +1050,11 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
        }
        if (new)
-                __sk_dst_set(sk, &rt->dst);
+                sk_dst_set(sk, &rt->dst);
 out:
        bh_unlock_sock(sk);
+        dst_release(odst);
 }
 EXPORT_SYMBOL_GPL(ipv4_sk_update_pmtu);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index eb1dde37e678..9d2118e5fbc7 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1108,7 +1108,7 @@ int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        if (unlikely(tp->repair)) {
                if (tp->repair_queue == TCP_RECV_QUEUE) {
                        copied = tcp_send_rcvq(sk, msg, size);
-                        goto out;
+                        goto out_nopush;
                }
                err = -EINVAL;
@@ -1282,6 +1282,7 @@ wait_for_memory:
 out:
        if (copied)
                tcp_push(sk, flags, mss_now, tp->nonagle, size_goal);
+out_nopush:
        release_sock(sk);
        return copied + copied_syn;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b5c23756965a..40639c288dc2 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1106,7 +1106,7 @@ static bool tcp_check_dsack(struct sock *sk, const struct sk_buff *ack_skb,
        }
        /* D-SACK for already forgotten data... Do dumb counting. */
-        if (dup_sack && tp->undo_marker && tp->undo_retrans &&
+        if (dup_sack && tp->undo_marker && tp->undo_retrans > 0 &&
            !after(end_seq_0, prior_snd_una) &&
            after(end_seq_0, tp->undo_marker))
                tp->undo_retrans--;
@@ -1187,7 +1187,7 @@ static u8 tcp_sacktag_one(struct sock *sk,
        /* Account D-SACK for retransmitted packet. */
        if (dup_sack && (sacked & TCPCB_RETRANS)) {
-                if (tp->undo_marker && tp->undo_retrans &&
+                if (tp->undo_marker && tp->undo_retrans > 0 &&
                    after(end_seq, tp->undo_marker))
                        tp->undo_retrans--;
                if (sacked & TCPCB_SACKED_ACKED)
@@ -1893,7 +1893,7 @@ static void tcp_clear_retrans_partial(struct tcp_sock *tp)
        tp->lost_out = 0;
        tp->undo_marker = 0;
-        tp->undo_retrans = 0;
+        tp->undo_retrans = -1;
 }
 void tcp_clear_retrans(struct tcp_sock *tp)
@@ -2665,7 +2665,7 @@ static void tcp_enter_recovery(struct sock *sk, bool ece_ack)
        tp->prior_ssthresh = 0;
        tp->undo_marker = tp->snd_una;
-        tp->undo_retrans = tp->retrans_out;
+        tp->undo_retrans = tp->retrans_out ? : -1;
        if (inet_csk(sk)->icsk_ca_state < TCP_CA_CWR) {
                if (!ece_ack)
diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index 4e86c59ec7f7..55046ecd083e 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -309,7 +309,7 @@ static int tcp4_gro_complete(struct sk_buff *skb, int thoff)
        th->check = ~tcp_v4_check(skb->len - thoff, iph->saddr,
                                  iph->daddr, 0);
-        skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
+        skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4;
        return tcp_gro_complete(skb);
 }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index d92bce0ea24e..179b51e6bda3 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2525,8 +2525,6 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                if (!tp->retrans_stamp)
                        tp->retrans_stamp = TCP_SKB_CB(skb)->when;
-                tp->undo_retrans += tcp_skb_pcount(skb);
                /* snd_nxt is stored to detect loss of retransmitted segment,
                 * see tcp_input.c tcp_sacktag_write_queue().
                 */
@@ -2534,6 +2532,10 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
        } else if (err != -EBUSY) {
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL);
        }
+        if (tp->undo_retrans < 0)
+                tp->undo_retrans = 0;
+        tp->undo_retrans += tcp_skb_pcount(skb);
        return err;
 }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index d92f94b7e402..7d5a8661df76 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1588,8 +1588,11 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                goto csum_error;
-        if (sk_rcvqueues_full(sk, skb, sk->sk_rcvbuf))
+        if (sk_rcvqueues_full(sk, skb, sk->sk_rcvbuf)) {
+                UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
+                                 is_udplite);
                goto drop;
+        }
        rc = 0;
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 08b367c6b9cf..617f0958e164 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1301,8 +1301,17 @@ int igmp6_event_query(struct sk_buff *skb)
        len = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);
        len -= skb_network_header_len(skb);
-        /* Drop queries with not link local source */
+        /* RFC3810 6.2
-        if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL))
+         * Upon reception of an MLD message that contains a Query, the node
+         * checks if the source address of the message is a valid link-local
+         * address, if the Hop Limit is set to 1, and if the Router Alert
+         * option is present in the Hop-By-Hop Options header of the IPv6
+         * packet.  If any of these checks fails, the packet is dropped.
+         */
+        if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) ||
+            ipv6_hdr(skb)->hop_limit != 1 ||
+            !(IP6CB(skb)->flags & IP6SKB_ROUTERALERT) ||
+            IP6CB(skb)->ra != htons(IPV6_OPT_ROUTERALERT_MLD))
                return -EINVAL;
        idev = __in6_dev_get(skb->dev);
diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c
index 8517d3cd1aed..01b0ff9a0c2c 100644
--- a/net/ipv6/tcpv6_offload.c
+++ b/net/ipv6/tcpv6_offload.c
@@ -73,7 +73,7 @@ static int tcp6_gro_complete(struct sk_buff *skb, int thoff)
        th->check = ~tcp_v6_check(skb->len - thoff, &iph->saddr,
                                  &iph->daddr, 0);
-        skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
+        skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV6;
        return tcp_gro_complete(skb);
 }
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 95c834799288..7092ff78fd84 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -674,8 +674,11 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                        goto csum_error;
        }
-        if (sk_rcvqueues_full(sk, skb, sk->sk_rcvbuf))
+        if (sk_rcvqueues_full(sk, skb, sk->sk_rcvbuf)) {
+                UDP6_INC_STATS_BH(sock_net(sk),
+                                  UDP_MIB_RCVBUFERRORS, is_udplite);
                goto drop;
+        }
        skb_dst_drop(skb);
@@ -690,6 +693,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
        bh_unlock_sock(sk);
        return rc;
 csum_error:
        UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
 drop:
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 950909f04ee6..13752d96275e 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1365,7 +1365,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
        int err;
        if (level != SOL_PPPOL2TP)
-                return udp_prot.setsockopt(sk, level, optname, optval, optlen);
+                return -EINVAL;
        if (optlen < sizeof(int))
                return -EINVAL;
@@ -1491,7 +1491,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
        struct pppol2tp_session *ps;
        if (level != SOL_PPPOL2TP)
-                return udp_prot.getsockopt(sk, level, optname, optval, optlen);
+                return -EINVAL;
        if (get_user(len, optlen))
                return -EFAULT;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 6886601afe1c..a6cda52ed920 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1096,11 +1096,12 @@ void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
        int err;
        /* 24 + 6 = header + auth_algo + auth_transaction + status_code */
-        skb = dev_alloc_skb(local->hw.extra_tx_headroom + 24 + 6 + extra_len);
+        skb = dev_alloc_skb(local->hw.extra_tx_headroom + IEEE80211_WEP_IV_LEN +
+                            24 + 6 + extra_len + IEEE80211_WEP_ICV_LEN);
        if (!skb)
                return;
-        skb_reserve(skb, local->hw.extra_tx_headroom);
+        skb_reserve(skb, local->hw.extra_tx_headroom + IEEE80211_WEP_IV_LEN);
        mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24 + 6);
        memset(mgmt, 0, 24 + 6);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ab4566cfcbe4..8746ff9a8357 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -35,7 +35,7 @@ int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
 {
        INIT_LIST_HEAD(&afi->tables);
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
-        list_add_tail(&afi->list, &net->nft.af_info);
+        list_add_tail_rcu(&afi->list, &net->nft.af_info);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
        return 0;
 }
@@ -51,7 +51,7 @@ EXPORT_SYMBOL_GPL(nft_register_afinfo);
 void nft_unregister_afinfo(struct nft_af_info *afi)
 {
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
-        list_del(&afi->list);
+        list_del_rcu(&afi->list);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 }
 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
@@ -277,11 +277,14 @@ static int nf_tables_dump_tables(struct sk_buff *skb,
        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
-        list_for_each_entry(afi, &net->nft.af_info, list) {
+        rcu_read_lock();
+        cb->seq = net->nft.base_seq;
+        list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
                if (family != NFPROTO_UNSPEC && family != afi->family)
                        continue;
-                list_for_each_entry(table, &afi->tables, list) {
+                list_for_each_entry_rcu(table, &afi->tables, list) {
                        if (idx < s_idx)
                                goto cont;
                        if (idx > s_idx)
@@ -294,11 +297,14 @@ static int nf_tables_dump_tables(struct sk_buff *skb,
                                                      NLM_F_MULTI,
                                                      afi->family, table) < 0)
                                goto done;
+                        nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                        idx++;
                }
        }
 done:
+        rcu_read_unlock();
        cb->args[0] = idx;
        return skb->len;
 }
@@ -407,6 +413,9 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
        if (flags & ~NFT_TABLE_F_DORMANT)
                return -EINVAL;
+        if (flags == ctx->table->flags)
+                return 0;
        trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
                                sizeof(struct nft_trans_table));
        if (trans == NULL)
@@ -514,7 +523,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
                module_put(afi->owner);
                return err;
        }
-        list_add_tail(&table->list, &afi->tables);
+        list_add_tail_rcu(&table->list, &afi->tables);
        return 0;
 }
@@ -546,7 +555,7 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
        if (err < 0)
                return err;
-        list_del(&table->list);
+        list_del_rcu(&table->list);
        return 0;
 }
@@ -635,13 +644,20 @@ static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
 {
        struct nft_stats *cpu_stats, total;
        struct nlattr *nest;
+        unsigned int seq;
+        u64 pkts, bytes;
        int cpu;
        memset(&total, 0, sizeof(total));
        for_each_possible_cpu(cpu) {
                cpu_stats = per_cpu_ptr(stats, cpu);
-                total.pkts += cpu_stats->pkts;
+                do {
-                total.bytes += cpu_stats->bytes;
+                        seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
+                        pkts = cpu_stats->pkts;
+                        bytes = cpu_stats->bytes;
+                } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
+                total.pkts += pkts;
+                total.bytes += bytes;
        }
        nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
        if (nest == NULL)
@@ -761,12 +777,15 @@ static int nf_tables_dump_chains(struct sk_buff *skb,
        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
-        list_for_each_entry(afi, &net->nft.af_info, list) {
+        rcu_read_lock();
+        cb->seq = net->nft.base_seq;
+        list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
                if (family != NFPROTO_UNSPEC && family != afi->family)
                        continue;
-                list_for_each_entry(table, &afi->tables, list) {
+                list_for_each_entry_rcu(table, &afi->tables, list) {
-                        list_for_each_entry(chain, &table->chains, list) {
+                        list_for_each_entry_rcu(chain, &table->chains, list) {
                                if (idx < s_idx)
                                        goto cont;
                                if (idx > s_idx)
@@ -778,17 +797,19 @@ static int nf_tables_dump_chains(struct sk_buff *skb,
                                                              NLM_F_MULTI,
                                                              afi->family, table, chain) < 0)
                                        goto done;
+                                nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                                idx++;
                        }
                }
        }
 done:
+        rcu_read_unlock();
        cb->args[0] = idx;
        return skb->len;
 }
 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
                              const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
@@ -861,7 +882,7 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
        if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
                return ERR_PTR(-EINVAL);
-        newstats = alloc_percpu(struct nft_stats);
+        newstats = netdev_alloc_pcpu_stats(struct nft_stats);
        if (newstats == NULL)
                return ERR_PTR(-ENOMEM);
@@ -1077,7 +1098,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                        }
                        basechain->stats = stats;
                } else {
-                        stats = alloc_percpu(struct nft_stats);
+                        stats = netdev_alloc_pcpu_stats(struct nft_stats);
                        if (IS_ERR(stats)) {
                                module_put(type->owner);
                                kfree(basechain);
@@ -1130,7 +1151,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                goto err2;
        table->use++;
-        list_add_tail(&chain->list, &table->chains);
+        list_add_tail_rcu(&chain->list, &table->chains);
        return 0;
 err2:
        if (!(table->flags & NFT_TABLE_F_DORMANT) &&
@@ -1180,7 +1201,7 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
                return err;
        table->use--;
-        list_del(&chain->list);
+        list_del_rcu(&chain->list);
        return 0;
 }
@@ -1199,9 +1220,9 @@ int nft_register_expr(struct nft_expr_type *type)
 {
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
        if (type->family == NFPROTO_UNSPEC)
-                list_add_tail(&type->list, &nf_tables_expressions);
+                list_add_tail_rcu(&type->list, &nf_tables_expressions);
        else
-                list_add(&type->list, &nf_tables_expressions);
+                list_add_rcu(&type->list, &nf_tables_expressions);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
        return 0;
 }
@@ -1216,7 +1237,7 @@ EXPORT_SYMBOL_GPL(nft_register_expr);
 void nft_unregister_expr(struct nft_expr_type *type)
 {
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
-        list_del(&type->list);
+        list_del_rcu(&type->list);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 }
 EXPORT_SYMBOL_GPL(nft_unregister_expr);
@@ -1549,16 +1570,17 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
        unsigned int idx = 0, s_idx = cb->args[0];
        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
-        u8 genctr = ACCESS_ONCE(net->nft.genctr);
-        u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
-        list_for_each_entry(afi, &net->nft.af_info, list) {
+        rcu_read_lock();
+        cb->seq = net->nft.base_seq;
+        list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
                if (family != NFPROTO_UNSPEC && family != afi->family)
                        continue;
-                list_for_each_entry(table, &afi->tables, list) {
+                list_for_each_entry_rcu(table, &afi->tables, list) {
-                        list_for_each_entry(chain, &table->chains, list) {
+                        list_for_each_entry_rcu(chain, &table->chains, list) {
-                                list_for_each_entry(rule, &chain->rules, list) {
+                                list_for_each_entry_rcu(rule, &chain->rules, list) {
                                        if (!nft_rule_is_active(net, rule))
                                                goto cont;
                                        if (idx < s_idx)
@@ -1572,6 +1594,8 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
                                                                      NLM_F_MULTI | NLM_F_APPEND,
                                                                      afi->family, table, chain, rule) < 0)
                                                goto done;
+                                        nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                                        idx++;
                                }
@@ -1579,9 +1603,7 @@ cont:
                }
        }
 done:
-        /* Invalidate this dump, a transition to the new generation happened */
+        rcu_read_unlock();
-        if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
-                return -EBUSY;
        cb->args[0] = idx;
        return skb->len;
@@ -1932,7 +1954,7 @@ static LIST_HEAD(nf_tables_set_ops);
 int nft_register_set(struct nft_set_ops *ops)
 {
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
-        list_add_tail(&ops->list, &nf_tables_set_ops);
+        list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
        return 0;
 }
@@ -1941,7 +1963,7 @@ EXPORT_SYMBOL_GPL(nft_register_set);
 void nft_unregister_set(struct nft_set_ops *ops)
 {
        nfnl_lock(NFNL_SUBSYS_NFTABLES);
-        list_del(&ops->list);
+        list_del_rcu(&ops->list);
        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 }
 EXPORT_SYMBOL_GPL(nft_unregister_set);
@@ -2234,7 +2256,10 @@ static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
        if (cb->args[1])
                return skb->len;
-        list_for_each_entry(set, &ctx->table->sets, list) {
+        rcu_read_lock();
+        cb->seq = ctx->net->nft.base_seq;
+        list_for_each_entry_rcu(set, &ctx->table->sets, list) {
                if (idx < s_idx)
                        goto cont;
                if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
@@ -2242,11 +2267,13 @@ static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
                        cb->args[0] = idx;
                        goto done;
                }
+                nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                idx++;
        }
        cb->args[1] = 1;
 done:
+        rcu_read_unlock();
        return skb->len;
 }
@@ -2260,7 +2287,10 @@ static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
        if (cb->args[1])
                return skb->len;
-        list_for_each_entry(table, &ctx->afi->tables, list) {
+        rcu_read_lock();
+        cb->seq = ctx->net->nft.base_seq;
+        list_for_each_entry_rcu(table, &ctx->afi->tables, list) {
                if (cur_table) {
                        if (cur_table != table)
                                continue;
@@ -2269,7 +2299,7 @@ static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
                }
                ctx->table = table;
                idx = 0;
-                list_for_each_entry(set, &ctx->table->sets, list) {
+                list_for_each_entry_rcu(set, &ctx->table->sets, list) {
                        if (idx < s_idx)
                                goto cont;
                        if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
@@ -2278,12 +2308,14 @@ static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
                                cb->args[2] = (unsigned long) table;
                                goto done;
                        }
+                        nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                        idx++;
                }
        }
        cb->args[1] = 1;
 done:
+        rcu_read_unlock();
        return skb->len;
 }
@@ -2300,7 +2332,10 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
        if (cb->args[1])
                return skb->len;
-        list_for_each_entry(afi, &net->nft.af_info, list) {
+        rcu_read_lock();
+        cb->seq = net->nft.base_seq;
+        list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
                if (cur_family) {
                        if (afi->family != cur_family)
                                continue;
@@ -2308,7 +2343,7 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                        cur_family = 0;
                }
-                list_for_each_entry(table, &afi->tables, list) {
+                list_for_each_entry_rcu(table, &afi->tables, list) {
                        if (cur_table) {
                                if (cur_table != table)
                                        continue;
@@ -2319,7 +2354,7 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                        ctx->table = table;
                        ctx->afi = afi;
                        idx = 0;
-                        list_for_each_entry(set, &ctx->table->sets, list) {
+                        list_for_each_entry_rcu(set, &ctx->table->sets, list) {
                                if (idx < s_idx)
                                        goto cont;
                                if (nf_tables_fill_set(skb, ctx, set,
@@ -2330,6 +2365,7 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                                        cb->args[3] = afi->family;
                                        goto done;
                                }
+                                nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                                idx++;
                        }
@@ -2339,6 +2375,7 @@ cont:
        }
        cb->args[1] = 1;
 done:
+        rcu_read_unlock();
        return skb->len;
 }
@@ -2597,7 +2634,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
        if (err < 0)
                goto err2;
-        list_add_tail(&set->list, &table->sets);
+        list_add_tail_rcu(&set->list, &table->sets);
        table->use++;
        return 0;
@@ -2617,7 +2654,7 @@ static void nft_set_destroy(struct nft_set *set)
 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
 {
-        list_del(&set->list);
+        list_del_rcu(&set->list);
        nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
        nft_set_destroy(set);
 }
@@ -2652,7 +2689,7 @@ static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
        if (err < 0)
                return err;
-        list_del(&set->list);
+        list_del_rcu(&set->list);
        ctx.table->use--;
        return 0;
 }
@@ -2704,14 +2741,14 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
        }
 bind:
        binding->chain = ctx->chain;
-        list_add_tail(&binding->list, &set->bindings);
+        list_add_tail_rcu(&binding->list, &set->bindings);
        return 0;
 }
 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
                          struct nft_set_binding *binding)
 {
-        list_del(&binding->list);
+        list_del_rcu(&binding->list);
        if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
            !(set->flags & NFT_SET_INACTIVE))
@@ -3346,7 +3383,7 @@ static int nf_tables_commit(struct sk_buff *skb)
        struct nft_set *set;
        /* Bump generation counter, invalidate any dump in progress */
-        net->nft.genctr++;
+        while (++net->nft.base_seq == 0);
        /* A new generation has just started */
        net->nft.gencursor = gencursor_next(net);
@@ -3491,12 +3528,12 @@ static int nf_tables_abort(struct sk_buff *skb)
                                }
                                nft_trans_destroy(trans);
                        } else {
-                                list_del(&trans->ctx.table->list);
+                                list_del_rcu(&trans->ctx.table->list);
                        }
                        break;
                case NFT_MSG_DELTABLE:
-                        list_add_tail(&trans->ctx.table->list,
+                        list_add_tail_rcu(&trans->ctx.table->list,
-                                      &trans->ctx.afi->tables);
+                                          &trans->ctx.afi->tables);
                        nft_trans_destroy(trans);
                        break;
                case NFT_MSG_NEWCHAIN:
@@ -3507,7 +3544,7 @@ static int nf_tables_abort(struct sk_buff *skb)
                                nft_trans_destroy(trans);
                        } else {
                                trans->ctx.table->use--;
-                                list_del(&trans->ctx.chain->list);
+                                list_del_rcu(&trans->ctx.chain->list);
                                if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT) &&
                                    trans->ctx.chain->flags & NFT_BASE_CHAIN) {
                                        nf_unregister_hooks(nft_base_chain(trans->ctx.chain)->ops,
@@ -3517,8 +3554,8 @@ static int nf_tables_abort(struct sk_buff *skb)
                        break;
                case NFT_MSG_DELCHAIN:
                        trans->ctx.table->use++;
-                        list_add_tail(&trans->ctx.chain->list,
+                        list_add_tail_rcu(&trans->ctx.chain->list,
-                                      &trans->ctx.table->chains);
+                                          &trans->ctx.table->chains);
                        nft_trans_destroy(trans);
                        break;
                case NFT_MSG_NEWRULE:
@@ -3532,12 +3569,12 @@ static int nf_tables_abort(struct sk_buff *skb)
                        break;
                case NFT_MSG_NEWSET:
                        trans->ctx.table->use--;
-                        list_del(&nft_trans_set(trans)->list);
+                        list_del_rcu(&nft_trans_set(trans)->list);
                        break;
                case NFT_MSG_DELSET:
                        trans->ctx.table->use++;
-                        list_add_tail(&nft_trans_set(trans)->list,
+                        list_add_tail_rcu(&nft_trans_set(trans)->list,
-                                      &trans->ctx.table->sets);
+                                          &trans->ctx.table->sets);
                        nft_trans_destroy(trans);
                        break;
                case NFT_MSG_NEWSETELEM:
@@ -3951,6 +3988,7 @@ static int nf_tables_init_net(struct net *net)
 {
        INIT_LIST_HEAD(&net->nft.af_info);
        INIT_LIST_HEAD(&net->nft.commit_list);
+        net->nft.base_seq = 1;
        return 0;
 }
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 345acfb1720b..3b90eb2b2c55 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -109,7 +109,7 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
        struct nft_data data[NFT_REG_MAX + 1];
        unsigned int stackptr = 0;
        struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
-        struct nft_stats __percpu *stats;
+        struct nft_stats *stats;
        int rulenum;
        /*
         * Cache cursor to avoid problems in case that the cursor is updated
@@ -205,9 +205,11 @@ next_rule:
                nft_trace_packet(pkt, basechain, -1, NFT_TRACE_POLICY);
        rcu_read_lock_bh();
-        stats = rcu_dereference(nft_base_chain(basechain)->stats);
+        stats = this_cpu_ptr(rcu_dereference(nft_base_chain(basechain)->stats));
-        __this_cpu_inc(stats->pkts);
+        u64_stats_update_begin(&stats->syncp);
-        __this_cpu_add(stats->bytes, pkt->skb->len);
+        stats->pkts++;
+        stats->bytes += pkt->skb->len;
+        u64_stats_update_end(&stats->syncp);
        rcu_read_unlock_bh();
        return nft_base_chain(basechain)->policy;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 15c731f03fa6..e6fac7e3db52 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -636,7 +636,7 @@ static unsigned int netlink_poll(struct file *file, struct socket *sock,
                while (nlk->cb_running && netlink_dump_space(nlk)) {
                        err = netlink_dump(sk);
                        if (err < 0) {
-                                sk->sk_err = err;
+                                sk->sk_err = -err;
                                sk->sk_error_report(sk);
                                break;
                        }
@@ -2483,7 +2483,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
            atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
                ret = netlink_dump(sk);
                if (ret) {
-                        sk->sk_err = ret;
+                        sk->sk_err = -ret;
                        sk->sk_error_report(sk);
                }
        }
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index c36856a457ca..e70d8b18e962 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -551,6 +551,8 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb,
                case OVS_ACTION_ATTR_SAMPLE:
                        err = sample(dp, skb, a);
+                        if (unlikely(err)) /* skb already freed. */
+                                return err;
                        break;
                }
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 0d407bca81e3..9db4bf6740d1 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2013 Nicira, Inc.
+ * Copyright (c) 2007-2014 Nicira, Inc.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2 of the GNU General Public
@@ -276,7 +276,7 @@ void ovs_dp_process_received_packet(struct vport *p, struct sk_buff *skb)
        OVS_CB(skb)->flow = flow;
        OVS_CB(skb)->pkt_key = &key;
-        ovs_flow_stats_update(OVS_CB(skb)->flow, skb);
+        ovs_flow_stats_update(OVS_CB(skb)->flow, key.tp.flags, skb);
        ovs_execute_actions(dp, skb);
        stats_counter = &stats->n_hit;
@@ -889,8 +889,11 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
                }
                /* The unmasked key has to be the same for flow updates. */
                if (unlikely(!ovs_flow_cmp_unmasked_key(flow, &match))) {
-                        error = -EEXIST;
+                        flow = ovs_flow_tbl_lookup_exact(&dp->table, &match);
-                        goto err_unlock_ovs;
+                        if (!flow) {
+                                error = -ENOENT;
+                                goto err_unlock_ovs;
+                        }
                }
                /* Update actions. */
                old_acts = ovsl_dereference(flow->sf_acts);
@@ -981,16 +984,12 @@ static int ovs_flow_cmd_set(struct sk_buff *skb, struct genl_info *info)
                goto err_unlock_ovs;
        }
        /* Check that the flow exists. */
-        flow = ovs_flow_tbl_lookup(&dp->table, &key);
+        flow = ovs_flow_tbl_lookup_exact(&dp->table, &match);
        if (unlikely(!flow)) {
                error = -ENOENT;
                goto err_unlock_ovs;
        }
-        /* The unmasked key has to be the same for flow updates. */
-        if (unlikely(!ovs_flow_cmp_unmasked_key(flow, &match))) {
-                error = -EEXIST;
-                goto err_unlock_ovs;
-        }
        /* Update actions, if present. */
        if (likely(acts)) {
                old_acts = ovsl_dereference(flow->sf_acts);
@@ -1063,8 +1062,8 @@ static int ovs_flow_cmd_get(struct sk_buff *skb, struct genl_info *info)
                goto unlock;
        }
-        flow = ovs_flow_tbl_lookup(&dp->table, &key);
+        flow = ovs_flow_tbl_lookup_exact(&dp->table, &match);
-        if (!flow || !ovs_flow_cmp_unmasked_key(flow, &match)) {
+        if (!flow) {
                err = -ENOENT;
                goto unlock;
        }
@@ -1113,8 +1112,8 @@ static int ovs_flow_cmd_del(struct sk_buff *skb, struct genl_info *info)
                goto unlock;
        }
-        flow = ovs_flow_tbl_lookup(&dp->table, &key);
+        flow = ovs_flow_tbl_lookup_exact(&dp->table, &match);
-        if (unlikely(!flow || !ovs_flow_cmp_unmasked_key(flow, &match))) {
+        if (unlikely(!flow)) {
                err = -ENOENT;
                goto unlock;
        }
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 334751cb1528..d07ab538fc9d 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -61,10 +61,10 @@ u64 ovs_flow_used_time(unsigned long flow_jiffies)
 #define TCP_FLAGS_BE16(tp) (*(__be16 *)&tcp_flag_word(tp) & htons(0x0FFF))
-void ovs_flow_stats_update(struct sw_flow *flow, struct sk_buff *skb)
+void ovs_flow_stats_update(struct sw_flow *flow, __be16 tcp_flags,
+                           struct sk_buff *skb)
 {
        struct flow_stats *stats;
-        __be16 tcp_flags = flow->key.tp.flags;
        int node = numa_node_id();
        stats = rcu_dereference(flow->stats[node]);
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index ac395d2cd821..5e5aaed3a85b 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2013 Nicira, Inc.
+ * Copyright (c) 2007-2014 Nicira, Inc.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2 of the GNU General Public
@@ -180,7 +180,8 @@ struct arp_eth_header {
        unsigned char       ar_tip[4];          /* target IP address        */
 } __packed;
-void ovs_flow_stats_update(struct sw_flow *, struct sk_buff *);
+void ovs_flow_stats_update(struct sw_flow *, __be16 tcp_flags,
+                           struct sk_buff *);
 void ovs_flow_stats_get(const struct sw_flow *, struct ovs_flow_stats *,
                        unsigned long *used, __be16 *tcp_flags);
 void ovs_flow_stats_clear(struct sw_flow *);
diff --git a/net/openvswitch/flow_table.c b/net/openvswitch/flow_table.c
index 574c3abc9b30..cf2d853646f0 100644
--- a/net/openvswitch/flow_table.c
+++ b/net/openvswitch/flow_table.c
@@ -456,6 +456,22 @@ struct sw_flow *ovs_flow_tbl_lookup(struct flow_table *tbl,
        return ovs_flow_tbl_lookup_stats(tbl, key, &n_mask_hit);
 }
+struct sw_flow *ovs_flow_tbl_lookup_exact(struct flow_table *tbl,
+                                          struct sw_flow_match *match)
+{
+        struct table_instance *ti = rcu_dereference_ovsl(tbl->ti);
+        struct sw_flow_mask *mask;
+        struct sw_flow *flow;
+        /* Always called under ovs-mutex. */
+        list_for_each_entry(mask, &tbl->mask_list, list) {
+                flow = masked_flow_lookup(ti, match->key, mask);
+                if (flow && ovs_flow_cmp_unmasked_key(flow, match))  /* Found */
+                        return flow;
+        }
+        return NULL;
+}
 int ovs_flow_tbl_num_masks(const struct flow_table *table)
 {
        struct sw_flow_mask *mask;
diff --git a/net/openvswitch/flow_table.h b/net/openvswitch/flow_table.h
index ca8a5820f615..5918bff7f3f6 100644
--- a/net/openvswitch/flow_table.h
+++ b/net/openvswitch/flow_table.h
@@ -76,7 +76,8 @@ struct sw_flow *ovs_flow_tbl_lookup_stats(struct flow_table *,
                                    u32 *n_mask_hit);
 struct sw_flow *ovs_flow_tbl_lookup(struct flow_table *,
                                    const struct sw_flow_key *);
+struct sw_flow *ovs_flow_tbl_lookup_exact(struct flow_table *tbl,
+                                          struct sw_flow_match *match);
 bool ovs_flow_cmp_unmasked_key(const struct sw_flow *flow,
                               struct sw_flow_match *match);
diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index 35ec4fed09e2..f49148a07da2 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -110,6 +110,22 @@ static int gre_rcv(struct sk_buff *skb,
        return PACKET_RCVD;
 }
+/* Called with rcu_read_lock and BH disabled. */
+static int gre_err(struct sk_buff *skb, u32 info,
+                   const struct tnl_ptk_info *tpi)
+{
+        struct ovs_net *ovs_net;
+        struct vport *vport;
+        ovs_net = net_generic(dev_net(skb->dev), ovs_net_id);
+        vport = rcu_dereference(ovs_net->vport_net.gre_vport);
+        if (unlikely(!vport))
+                return PACKET_REJECT;
+        else
+                return PACKET_RCVD;
+}
 static int gre_tnl_send(struct vport *vport, struct sk_buff *skb)
 {
        struct net *net = ovs_dp_get_net(vport->dp);
@@ -186,6 +202,7 @@ error:
 static struct gre_cisco_protocol gre_protocol = {
        .handler        = gre_rcv,
+        .err_handler    = gre_err,
        .priority       = 1,
 };
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index c39b583ace32..70c0be8d0121 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -38,6 +38,7 @@
 #include <linux/errno.h>
 #include <linux/rtnetlink.h>
 #include <linux/skbuff.h>
+#include <linux/bitmap.h>
 #include <net/netlink.h>
 #include <net/act_api.h>
 #include <net/pkt_cls.h>
@@ -460,17 +461,25 @@ static int u32_delete(struct tcf_proto *tp, unsigned long arg)
        return 0;
 }
+#define NR_U32_NODE (1<<12)
 static u32 gen_new_kid(struct tc_u_hnode *ht, u32 handle)
 {
        struct tc_u_knode *n;
-        unsigned int i = 0x7FF;
+        unsigned long i;
+        unsigned long *bitmap = kzalloc(BITS_TO_LONGS(NR_U32_NODE) * sizeof(unsigned long),
+                                        GFP_KERNEL);
+        if (!bitmap)
+                return handle | 0xFFF;
        for (n = ht->ht[TC_U32_HASH(handle)]; n; n = n->next)
-                if (i < TC_U32_NODE(n->handle))
+                set_bit(TC_U32_NODE(n->handle), bitmap);
-                        i = TC_U32_NODE(n->handle);
-        i++;
-        return handle | (i > 0xFFF ? 0xFFF : i);
+        i = find_next_zero_bit(bitmap, NR_U32_NODE, 0x800);
+        if (i >= NR_U32_NODE)
+                i = find_next_zero_bit(bitmap, NR_U32_NODE, 1);
+        kfree(bitmap);
+        return handle | (i >= NR_U32_NODE ? 0xFFF : i);
 }
 static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = {
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 85c64658bd0b..b6842fdb53d4 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -366,9 +366,10 @@ fail:
 * specification [SCTP] and any extensions for a list of possible
 * error formats.
 */
-struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
+struct sctp_ulpevent *
-        const struct sctp_association *asoc, struct sctp_chunk *chunk,
+sctp_ulpevent_make_remote_error(const struct sctp_association *asoc,
-        __u16 flags, gfp_t gfp)
+                                struct sctp_chunk *chunk, __u16 flags,
+                                gfp_t gfp)
 {
        struct sctp_ulpevent *event;
        struct sctp_remote_error *sre;
@@ -387,8 +388,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
        /* Copy the skb to a new skb with room for us to prepend
         * notification with.
         */
-        skb = skb_copy_expand(chunk->skb, sizeof(struct sctp_remote_error),
+        skb = skb_copy_expand(chunk->skb, sizeof(*sre), 0, gfp);
-                              0, gfp);
        /* Pull off the rest of the cause TLV from the chunk.  */
        skb_pull(chunk->skb, elen);
@@ -399,62 +399,21 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
        event = sctp_skb2event(skb);
        sctp_ulpevent_init(event, MSG_NOTIFICATION, skb->truesize);
-        sre = (struct sctp_remote_error *)
+        sre = (struct sctp_remote_error *) skb_push(skb, sizeof(*sre));
-                skb_push(skb, sizeof(struct sctp_remote_error));
        /* Trim the buffer to the right length.  */
-        skb_trim(skb, sizeof(struct sctp_remote_error) + elen);
+        skb_trim(skb, sizeof(*sre) + elen);
-        /* Socket Extensions for SCTP
+        /* RFC6458, Section 6.1.3. SCTP_REMOTE_ERROR */
-         * 5.3.1.3 SCTP_REMOTE_ERROR
+        memset(sre, 0, sizeof(*sre));
-         *
-         * sre_type:
-         *   It should be SCTP_REMOTE_ERROR.
-         */
        sre->sre_type = SCTP_REMOTE_ERROR;
-        /*
-         * Socket Extensions for SCTP
-         * 5.3.1.3 SCTP_REMOTE_ERROR
-         *
-         * sre_flags: 16 bits (unsigned integer)
-         *   Currently unused.
-         */
        sre->sre_flags = 0;
-        /* Socket Extensions for SCTP
-         * 5.3.1.3 SCTP_REMOTE_ERROR
-         *
-         * sre_length: sizeof (__u32)
-         *
-         * This field is the total length of the notification data,
-         * including the notification header.
-         */
        sre->sre_length = skb->len;
-        /* Socket Extensions for SCTP
-         * 5.3.1.3 SCTP_REMOTE_ERROR
-         *
-         * sre_error: 16 bits (unsigned integer)
-         * This value represents one of the Operational Error causes defined in
-         * the SCTP specification, in network byte order.
-         */
        sre->sre_error = cause;
-        /* Socket Extensions for SCTP
-         * 5.3.1.3 SCTP_REMOTE_ERROR
-         *
-         * sre_assoc_id: sizeof (sctp_assoc_t)
-         *
-         * The association id field, holds the identifier for the association.
-         * All notifications for a given association have the same association
-         * identifier.  For TCP style socket, this field is ignored.
-         */
        sctp_ulpevent_set_owner(event, asoc);
        sre->sre_assoc_id = sctp_assoc2id(asoc);
        return event;
 fail:
        return NULL;
 }
@@ -899,7 +858,9 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event)
        return notification->sn_header.sn_type;
 }
-/* Copy out the sndrcvinfo into a msghdr.  */
+/* RFC6458, Section 5.3.2. SCTP Header Information Structure
+ * (SCTP_SNDRCV, DEPRECATED)
+ */
 void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event,
                                   struct msghdr *msghdr)
 {
@@ -908,74 +869,21 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event,
        if (sctp_ulpevent_is_notification(event))
                return;
-        /* Sockets API Extensions for SCTP
+        memset(&sinfo, 0, sizeof(sinfo));
-         * Section 5.2.2 SCTP Header Information Structure (SCTP_SNDRCV)
-         *
-         * sinfo_stream: 16 bits (unsigned integer)
-         *
-         * For recvmsg() the SCTP stack places the message's stream number in
-         * this value.
-        */
        sinfo.sinfo_stream = event->stream;
-        /* sinfo_ssn: 16 bits (unsigned integer)
-         *
-         * For recvmsg() this value contains the stream sequence number that
-         * the remote endpoint placed in the DATA chunk.  For fragmented
-         * messages this is the same number for all deliveries of the message
-         * (if more than one recvmsg() is needed to read the message).
-         */
        sinfo.sinfo_ssn = event->ssn;
-        /* sinfo_ppid: 32 bits (unsigned integer)
-         *
-         * In recvmsg() this value is
-         * the same information that was passed by the upper layer in the peer
-         * application.  Please note that byte order issues are NOT accounted
-         * for and this information is passed opaquely by the SCTP stack from
-         * one end to the other.
-         */
        sinfo.sinfo_ppid = event->ppid;
-        /* sinfo_flags: 16 bits (unsigned integer)
-         *
-         * This field may contain any of the following flags and is composed of
-         * a bitwise OR of these values.
-         *
-         * recvmsg() flags:
-         *
-         * SCTP_UNORDERED - This flag is present when the message was sent
-         *                 non-ordered.
-         */
        sinfo.sinfo_flags = event->flags;
-        /* sinfo_tsn: 32 bit (unsigned integer)
-         *
-         * For the receiving side, this field holds a TSN that was
-         * assigned to one of the SCTP Data Chunks.
-         */
        sinfo.sinfo_tsn = event->tsn;
-        /* sinfo_cumtsn: 32 bit (unsigned integer)
-         *
-         * This field will hold the current cumulative TSN as
-         * known by the underlying SCTP layer.  Note this field is
-         * ignored when sending and only valid for a receive
-         * operation when sinfo_flags are set to SCTP_UNORDERED.
-         */
        sinfo.sinfo_cumtsn = event->cumtsn;
-        /* sinfo_assoc_id: sizeof (sctp_assoc_t)
-         *
-         * The association handle field, sinfo_assoc_id, holds the identifier
-         * for the association announced in the COMMUNICATION_UP notification.
-         * All notifications for a given association have the same identifier.
-         * Ignored for one-to-one style sockets.
-         */
        sinfo.sinfo_assoc_id = sctp_assoc2id(event->asoc);
+        /* Context value that is set via SCTP_CONTEXT socket option. */
-        /* context value that is set via SCTP_CONTEXT socket option. */
        sinfo.sinfo_context = event->asoc->default_rcv_context;
        /* These fields are not used while receiving. */
        sinfo.sinfo_timetolive = 0;
        put_cmsg(msghdr, IPPROTO_SCTP, SCTP_SNDRCV,
-                 sizeof(struct sctp_sndrcvinfo), (void *)&sinfo);
+                 sizeof(sinfo), &sinfo);
 }
 /* Do accounting for bytes received and hold a reference to the association
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 26631679a1fa..55c6c9d3e1ce 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -559,6 +559,7 @@ receive:
                buf = node->bclink.deferred_head;
                node->bclink.deferred_head = buf->next;
+                buf->next = NULL;
                node->bclink.deferred_size--;
                goto receive;
        }
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 8be6e94a1ca9..0a37a472c29f 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -101,9 +101,11 @@ int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
 }
 /* tipc_buf_append(): Append a buffer to the fragment list of another buffer
- * Let first buffer become head buffer
+ * @*headbuf: in:  NULL for first frag, otherwise value returned from prev call
- * Returns 1 and sets *buf to headbuf if chain is complete, otherwise 0
+ *            out: set when successful non-complete reassembly, otherwise NULL
- * Leaves headbuf pointer at NULL if failure
+ * @*buf:     in:  the buffer to append. Always defined
+ *            out: head buf after sucessful complete reassembly, otherwise NULL
+ * Returns 1 when reassembly complete, otherwise 0
 */
 int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
 {
@@ -122,6 +124,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
                        goto out_free;
                head = *headbuf = frag;
                skb_frag_list_init(head);
+                *buf = NULL;
                return 0;
        }
        if (!head)
@@ -150,5 +153,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
 out_free:
        pr_warn_ratelimited("Unable to build fragment list\n");
        kfree_skb(*buf);
+        kfree_skb(*headbuf);
+        *buf = *headbuf = NULL;
        return 0;
 }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index e9afbf10e756..7e3a3cef7df9 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -424,7 +424,7 @@ static inline unsigned int elapsed_jiffies_msecs(unsigned long start)
        if (end >= start)
                return jiffies_to_msecs(end - start);
-        return jiffies_to_msecs(end + (MAX_JIFFY_OFFSET - start) + 1);
+        return jiffies_to_msecs(end + (ULONG_MAX - start) + 1);
 }
 void
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index ba4f1723c83a..6668daf69326 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1497,18 +1497,17 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                }
                CMD(start_p2p_device, START_P2P_DEVICE);
                CMD(set_mcast_rate, SET_MCAST_RATE);
+#ifdef CONFIG_NL80211_TESTMODE
+                CMD(testmode_cmd, TESTMODE);
+#endif
                if (state->split) {
                        CMD(crit_proto_start, CRIT_PROTOCOL_START);
                        CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
                        if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
                                CMD(channel_switch, CHANNEL_SWITCH);
+                        CMD(set_qos_map, SET_QOS_MAP);
                }
-                CMD(set_qos_map, SET_QOS_MAP);
+                /* add into the if now */
-#ifdef CONFIG_NL80211_TESTMODE
-                CMD(testmode_cmd, TESTMODE);
-#endif
 #undef CMD
                if (rdev->ops->connect || rdev->ops->auth) {
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 558b0e3a02d8..1afdf45db38f 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -935,7 +935,7 @@ freq_reg_info_regd(struct wiphy *wiphy, u32 center_freq,
                if (!band_rule_found)
                        band_rule_found = freq_in_rule_band(fr, center_freq);
-                bw_fits = reg_does_bw_fit(fr, center_freq, MHZ_TO_KHZ(5));
+                bw_fits = reg_does_bw_fit(fr, center_freq, MHZ_TO_KHZ(20));
                if (band_rule_found && bw_fits)
                        return rr;
@@ -1019,10 +1019,10 @@ static void chan_reg_rule_print_dbg(const struct ieee80211_regdomain *regd,
 }
 #endif
-/* Find an ieee80211_reg_rule such that a 5MHz channel with frequency
+/*
- * chan->center_freq fits there.
+ * Note that right now we assume the desired channel bandwidth
- * If there is no such reg_rule, disable the channel, otherwise set the
+ * is always 20 MHz for each individual channel (HT40 uses 20 MHz
- * flags corresponding to the bandwidths allowed in the particular reg_rule
+ * per channel, the primary and the extension channel).
 */
 static void handle_channel(struct wiphy *wiphy,
                           enum nl80211_reg_initiator initiator,
@@ -1083,12 +1083,8 @@ static void handle_channel(struct wiphy *wiphy,
        if (reg_rule->flags & NL80211_RRF_AUTO_BW)
                max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
-        if (max_bandwidth_khz < MHZ_TO_KHZ(10))
-                bw_flags = IEEE80211_CHAN_NO_10MHZ;
-        if (max_bandwidth_khz < MHZ_TO_KHZ(20))
-                bw_flags |= IEEE80211_CHAN_NO_20MHZ;
        if (max_bandwidth_khz < MHZ_TO_KHZ(40))
-                bw_flags |= IEEE80211_CHAN_NO_HT40;
+                bw_flags = IEEE80211_CHAN_NO_HT40;
        if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                bw_flags |= IEEE80211_CHAN_NO_80MHZ;
        if (max_bandwidth_khz < MHZ_TO_KHZ(160))
@@ -1522,12 +1518,8 @@ static void handle_channel_custom(struct wiphy *wiphy,
        if (reg_rule->flags & NL80211_RRF_AUTO_BW)
                max_bandwidth_khz = reg_get_max_bandwidth(regd, reg_rule);
-        if (max_bandwidth_khz < MHZ_TO_KHZ(10))
-                bw_flags = IEEE80211_CHAN_NO_10MHZ;
-        if (max_bandwidth_khz < MHZ_TO_KHZ(20))
-                bw_flags |= IEEE80211_CHAN_NO_20MHZ;
        if (max_bandwidth_khz < MHZ_TO_KHZ(40))
-                bw_flags |= IEEE80211_CHAN_NO_HT40;
+                bw_flags = IEEE80211_CHAN_NO_HT40;
        if (max_bandwidth_khz < MHZ_TO_KHZ(80))
                bw_flags |= IEEE80211_CHAN_NO_80MHZ;
        if (max_bandwidth_khz < MHZ_TO_KHZ(160))
author	Ingo Molnar <mingo@kernel.org>	2014-07-28 04:03:00 -0400
committer	Ingo Molnar <mingo@kernel.org>	2014-07-28 04:03:00 -0400
commit	ca5bc6cd5de5b53eb8fd6fea39aa3fe2a1e8c3d9 (patch)
tree	75beaae2d4b6bc654eb28994dd5906d8dcf5ef46 /net
parent	c1221321b7c25b53204447cff9949a6d5a7ddddc (diff)
parent	d8d28c8f00e84a72e8bee39a85835635417bee49 (diff)