authorLinus Torvalds <torvalds@linux-foundation.org>2012-08-21 19:46:08 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-08-21 19:46:08 -0400
commit8f8ba75ee2065738644382667f833a4eb6f6db1d (patch)
tree06d58982c73239611f7e50fd40d865b84ff4fb84 /net
parent1456c75a80dfd3fd02b9ea44d1223bb51a5683d5 (diff)
parente0e3cea46d31d23dc40df0a49a7a2c04fe8edfea (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking update from David Miller: "A couple weeks of bug fixing in there. The largest chunk is all the broken crap Amerigo Wang found in the netpoll layer." 1) netpoll and its users have several serious bugs: a) uses GFP_KERNEL with locks held b) interfaces requiring interrupts disabled are called with them enabled c) and vice versa d) VLAN tag demuxing, as per all other RX packet input paths, is not applied All from Amerigo Wang. 2) Hopefully cure the ipv4 mapped ipv6 address TCP early demux bugs for good, from Neal Cardwell. 3) Unlike AF_UNIX, AF_PACKET sockets don't set default credentials when the user doesn't specify one explicitly during sendmsg(). Instead we attach an empty (zero) SCM credential block which is definitely not what we want. Fix from Eric Dumazet. 4) IPv6 illegally invokes netdevice notifiers with RCU lock held, fix from Ben Hutchings. 5) inet_csk_route_child_sock() checks wrong inet options pointer, fix from Christoph Paasch. 6) When AF_PACKET is used for transmit, packet loopback doesn't behave properly when a socket fanout is enabled, from Eric Leblond. 7) On bluetooth l2cap channel create failure, we leak the socket, from Jaganath Kanakkassery. 8) Fix all the netprio file handling bugs found by Al Viro, from John Fastabend. 9) Several error return and NULL deref bug fixes in networking drivers from Julia Lawall. 10) A large smattering of struct padding et al. kernel memory leaks to userspace found by Mathias Krause. 11) Conntrack expectations in netfilter can access an uninitialized timer, fix from Pablo Neira Ayuso. 12) Several netfilter SIP tracker bug fixes from Patrick McHardy. 13) IPSEC ipv6 routes are not initialized correctly all the time, resulting in an OOPS in inet_putpeer(). Also from Patrick McHardy. 14) Bridging does rcu_dereference() outside of RCU protected area, from Stephen Hemminger. 15) Fix routing cache removal performance regression when looking up output routes that have a local destination. From Zheng Yan. 
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits) af_netlink: force credentials passing [CVE-2012-3520] ipv4: fix ip header ident selection in __ip_make_skb() ipv4: Use newinet->inet_opt in inet_csk_route_child_sock() tcp: fix possible socket refcount problem net: tcp: move sk_rx_dst_set call after tcp_create_openreq_child() net/core/dev.c: fix kernel-doc warning netconsole: remove a redundant netconsole_target_put() net: ipv6: fix oops in inet_putpeer() net/stmmac: fix issue of clk_get for Loongson1B. caif: Do not dereference NULL in chnl_recv_cb() af_packet: don't emit packet on orig fanout group drivers/net/irda: fix error return code drivers/net/wan/dscc4.c: fix error return code drivers/net/wimax/i2400m/fw.c: fix error return code smsc75xx: add missing entry to MAINTAINERS net: qmi_wwan: new devices: UML290 and K5006-Z net: sh_eth: Add eth support for R8A7779 device netdev/phy: skip disabled mdio-mux nodes dt: introduce for_each_available_child_of_node, of_get_next_available_child net: netprio: fix cgrp create and write priomap race ...
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan_dev.c52
-rw-r--r--net/atm/common.c1
-rw-r--r--net/atm/pvc.c1
-rw-r--r--net/bluetooth/hci_event.c28
-rw-r--r--net/bluetooth/hci_sock.c2
-rw-r--r--net/bluetooth/l2cap_core.c1
-rw-r--r--net/bluetooth/l2cap_sock.c3
-rw-r--r--net/bluetooth/rfcomm/sock.c2
-rw-r--r--net/bluetooth/rfcomm/tty.c2
-rw-r--r--net/bluetooth/sco.c19
-rw-r--r--net/bluetooth/smp.c5
-rw-r--r--net/bridge/br_device.c30
-rw-r--r--net/bridge/br_forward.c2
-rw-r--r--net/bridge/br_if.c6
-rw-r--r--net/bridge/br_private.h4
-rw-r--r--net/caif/chnl_net.c4
-rw-r--r--net/core/dev.c17
-rw-r--r--net/core/netpoll.c109
-rw-r--r--net/core/netprio_cgroup.c30
-rw-r--r--net/core/scm.c4
-rw-r--r--net/dccp/ccid.h4
-rw-r--r--net/dccp/ccids/ccid3.c1
-rw-r--r--net/ipv4/inet_connection_sock.c7
-rw-r--r--net/ipv4/ip_output.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c9
-rw-r--r--net/ipv4/route.c1
-rw-r--r--net/ipv4/tcp_ipv4.c9
-rw-r--r--net/ipv4/tcp_minisocks.c2
-rw-r--r--net/ipv4/tcp_output.c14
-rw-r--r--net/ipv4/tcp_timer.c6
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/ipv6/proc.c4
-rw-r--r--net/ipv6/tcp_ipv6.c25
-rw-r--r--net/ipv6/xfrm6_policy.c8
-rw-r--r--net/l2tp/l2tp_ip6.c1
-rw-r--r--net/llc/af_llc.c8
-rw-r--r--net/llc/llc_input.c21
-rw-r--r--net/llc/llc_station.c23
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c1
-rw-r--r--net/netfilter/nf_conntrack_expect.c29
-rw-r--r--net/netfilter/nf_conntrack_netlink.c7
-rw-r--r--net/netfilter/nf_conntrack_sip.c92
-rw-r--r--net/netlink/af_netlink.c2
-rw-r--r--net/packet/af_packet.c9
-rw-r--r--net/sched/act_mirred.c11
-rw-r--r--net/socket.c1
-rw-r--r--net/unix/af_unix.c4
-rw-r--r--net/xfrm/xfrm_policy.c2
48 files changed, 394 insertions, 235 deletions
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 73a2a83ee2da..402442402af7 100644
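--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -137,9 +137,21 @@ static int vlan_dev_hard_header(struct sk_buff *skb, struct net_device *dev,
  return rc;
 }
 
+static inline netdev_tx_t vlan_netpoll_send_skb(struct vlan_dev_priv *vlan, struct sk_buff *skb)
+{
+#ifdef CONFIG_NET_POLL_CONTROLLER
+ if (vlan->netpoll)
+ netpoll_send_skb(vlan->netpoll, skb);
+#else
+ BUG();
+#endif
+ return NETDEV_TX_OK;
+}
+
 static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
  struct net_device *dev)
 {
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
  struct vlan_ethhdr *veth = (struct vlan_ethhdr *)(skb->data);
  unsigned int len;
  int ret;
@@ -150,29 +162,30 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
  * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
  */
  if (veth->h_vlan_proto != htons(ETH_P_8021Q) ||
- vlan_dev_priv(dev)->flags & VLAN_FLAG_REORDER_HDR) {
+ vlan->flags & VLAN_FLAG_REORDER_HDR) {
  u16 vlan_tci;
- vlan_tci = vlan_dev_priv(dev)->vlan_id;
+ vlan_tci = vlan->vlan_id;
  vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb);
  skb = __vlan_hwaccel_put_tag(skb, vlan_tci);
  }
 
- skb->dev = vlan_dev_priv(dev)->real_dev;
+ skb->dev = vlan->real_dev;
  len = skb->len;
- if (netpoll_tx_running(dev))
- return skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
+ if (unlikely(netpoll_tx_running(dev)))
+ return vlan_netpoll_send_skb(vlan, skb);
+
  ret = dev_queue_xmit(skb);
 
  if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
  struct vlan_pcpu_stats *stats;
 
- stats = this_cpu_ptr(vlan_dev_priv(dev)->vlan_pcpu_stats);
+ stats = this_cpu_ptr(vlan->vlan_pcpu_stats);
  u64_stats_update_begin(&stats->syncp);
  stats->tx_packets++;
  stats->tx_bytes += len;
  u64_stats_update_end(&stats->syncp);
  } else {
- this_cpu_inc(vlan_dev_priv(dev)->vlan_pcpu_stats->tx_dropped);
+ this_cpu_inc(vlan->vlan_pcpu_stats->tx_dropped);
  }
 
  return ret;
@@ -669,25 +682,26 @@ static void vlan_dev_poll_controller(struct net_device *dev)
  return;
 }
 
-static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo)
+static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo,
+ gfp_t gfp)
 {
- struct vlan_dev_priv *info = vlan_dev_priv(dev);
- struct net_device *real_dev = info->real_dev;
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+ struct net_device *real_dev = vlan->real_dev;
  struct netpoll *netpoll;
  int err = 0;
 
- netpoll = kzalloc(sizeof(*netpoll), GFP_KERNEL);
+ netpoll = kzalloc(sizeof(*netpoll), gfp);
  err = -ENOMEM;
  if (!netpoll)
  goto out;
 
- err = __netpoll_setup(netpoll, real_dev);
+ err = __netpoll_setup(netpoll, real_dev, gfp);
  if (err) {
  kfree(netpoll);
  goto out;
  }
 
- info->netpoll = netpoll;
+ vlan->netpoll = netpoll;
 
 out:
  return err;
@@ -695,19 +709,15 @@ out:
 
 static void vlan_dev_netpoll_cleanup(struct net_device *dev)
 {
- struct vlan_dev_priv *info = vlan_dev_priv(dev);
- struct netpoll *netpoll = info->netpoll;
+ struct vlan_dev_priv *vlan= vlan_dev_priv(dev);
+ struct netpoll *netpoll = vlan->netpoll;
 
  if (!netpoll)
  return;
 
- info->netpoll = NULL;
-
- /* Wait for transmitting packets to finish before freeing. */
- synchronize_rcu_bh();
+ vlan->netpoll = NULL;
 
- __netpoll_cleanup(netpoll);
- kfree(netpoll);
+ __netpoll_free_rcu(netpoll);
 }
 #endif /* CONFIG_NET_POLL_CONTROLLER */
 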
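Review bot: In the new vlan_netpoll_send_skb() the skb is neither transmitted nor freed when `vlan->netpoll` is NULL, yet the helper still returns `NETDEV_TX_OK`, which tells the stack the buffer was consumed. vlan_dev_netpoll_cleanup() in the last hunk sets `vlan->netpoll = NULL` before handing the object to `__netpoll_free_rcu()`, so a transmit that overlaps cleanup can plausibly reach that branch and leak the buffer. An else arm that releases it, for example `else dev_kfree_skb_any(skb);`, would close the gap; which free helper is right depends on the calling context, which is not fully visible here. The `BUG()` in the `#else` arm also deserves a short comment stating that netpoll_tx_running() is expected never to be true without CONFIG_NET_POLL_CONTROLLER.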
diff --git a/net/atm/common.c b/net/atm/common.c
index b4b44dbed645..0c0ad930a632 100644
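--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname,
 
  if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
  return -ENOTCONN;
+ memset(&pvc, 0, sizeof(pvc));
  pvc.sap_family = AF_ATMPVC;
  pvc.sap_addr.itf = vcc->dev->number;
  pvc.sap_addr.vpi = vcc->vpi;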
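Review bot: The added `memset(&pvc, 0, sizeof(pvc));` has no comment saying why it is there, and next to the field assignments that follow it reads as redundant. The pull description says these clears stop struct padding and unset members from leaking kernel memory to user space, so a one-line comment such as `/* clear padding and unset fields: this struct is copied to user space */` would keep a later cleanup from dropping it. The same applies to the memset() calls added in net/atm/pvc.c, net/bluetooth/l2cap_sock.c, net/bluetooth/rfcomm/sock.c and the getsockopt hunk of net/bluetooth/hci_sock.c. vcc_getsockopt() continues outside the hunk, so the copy to user space itself is not visible here.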
diff --git a/net/atm/pvc.c b/net/atm/pvc.c
index 3a734919c36c..ae0324021407 100644
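--- a/net/atm/pvc.c
+++ b/net/atm/pvc.c
@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr,
  return -ENOTCONN;
  *sockaddr_len = sizeof(struct sockaddr_atmpvc);
  addr = (struct sockaddr_atmpvc *)sockaddr;
+ memset(addr, 0, sizeof(*addr));
  addr->sap_family = AF_ATMPVC;
  addr->sap_addr.itf = vcc->dev->number;
  addr->sap_addr.vpi = vcc->vpi;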
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 41ff978a33f9..715d7e33fba0 100644
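--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
  return false;
 
  e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
+ if (!e)
+ return false;
+
  if (hci_resolve_name(hdev, e) == 0) {
  e->name_state = NAME_PENDING;
  return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
  return;
 
  e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
- if (e) {
+ /* If the device was not found in a list of found devices names of which
+ * are pending. there is no need to continue resolving a next name as it
+ * will be done upon receiving another Remote Name Request Complete
+ * Event */
+ if (!e)
+ return;
+
+ list_del(&e->list);
+ if (name) {
  e->name_state = NAME_KNOWN;
- list_del(&e->list);
- if (name)
- mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
- e->data.rssi, name, name_len);
+ mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
+ e->data.rssi, name, name_len);
+ } else {
+ e->name_state = NAME_NOT_KNOWN;
  }
 
  if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
  if (conn->type == ACL_LINK) {
  conn->state = BT_CONFIG;
  hci_conn_hold(conn);
- conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+
+ if (!conn->out && !hci_conn_ssp_enabled(conn) &&
+ !hci_find_link_key(hdev, &ev->bdaddr))
+ conn->disc_timeout = HCI_PAIRING_TIMEOUT;
+ else
+ conn->disc_timeout = HCI_DISCONN_TIMEOUT;
  } else
  conn->state = BT_CONNECTED;
 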
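Review bot: The comment added above `if (!e) return;` in hci_check_pending_name() is hard to parse: "names of which are pending. there is no need" breaks in the middle of a sentence, and the closing `*/` shares a line with the text. Since this comment is the only explanation of why the early return skips hci_resolve_next_name(), I would reword it along the lines of `/* The device is not in the list of found devices with a pending name, so stop here; the next name is resolved when another Remote Name Request Complete event arrives. */` and put the terminator on its own line. The third hunk's choice between `HCI_PAIRING_TIMEOUT` and `HCI_DISCONN_TIMEOUT` would also benefit from a one-line comment stating which connections get the pairing timeout and why.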
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index a7f04de03d79..19fdac78e555 100644
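--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
  *addr_len = sizeof(*haddr);
  haddr->hci_family = AF_BLUETOOTH;
  haddr->hci_dev = hdev->id;
+ haddr->hci_channel= 0;
 
  release_sock(sk);
  return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
  {
  struct hci_filter *f = &hci_pi(sk)->filter;
 
+ memset(&uf, 0, sizeof(uf));
  uf.type_mask = f->type_mask;
  uf.opcode = f->opcode;
  uf.event_mask[0] = *((u32 *) f->event_mask + 0);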
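Review bot: `haddr->hci_channel= 0;` in hci_sock_getname() closes the leak one member at a time, which holds only while struct sockaddr_hci has no padding and gains no further members. The getsockopt hunk in this file and the other getname fixes in this series clear the whole object instead, so `memset(haddr, 0, sizeof(*haddr));` ahead of the assignments would be consistent with them and more durable; the line is also missing a space before `=`. The same member-wise pattern appears as `sec.key_size = 0;` in the getsockopt hunk of net/bluetooth/rfcomm/sock.c. It is worth confirming that 0 is the value to report here rather than the channel the socket is bound to, which cannot be told from this hunk.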
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a8964db04bfb..daa149b7003c 100644
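--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
  sk = chan->sk;
 
  hci_conn_hold(conn->hcon);
+ conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
 
  bacpy(&bt_sk(sk)->src, conn->src);
  bacpy(&bt_sk(sk)->dst, conn->dst);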
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e8427e..1497edd191a2 100644
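--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
 
  BT_DBG("sock %p, sk %p", sock, sk);
 
+ memset(la, 0, sizeof(struct sockaddr_l2));
  addr->sa_family = AF_BLUETOOTH;
  *len = sizeof(struct sockaddr_l2);
 
@@ -1174,7 +1175,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
 
  chan = l2cap_chan_create();
  if (!chan) {
- l2cap_sock_kill(sk);
+ sk_free(sk);
  return NULL;
  }
 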
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7e1e59645c05..1a17850d093c 100644
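--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
 
  BT_DBG("sock %p, sk %p", sock, sk);
 
+ memset(sa, 0, sizeof(*sa));
  sa->rc_family = AF_BLUETOOTH;
  sa->rc_channel = rfcomm_pi(sk)->channel;
  if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
  }
 
  sec.level = rfcomm_pi(sk)->sec_level;
+ sec.key_size = 0;
 
  len = min_t(unsigned int, len, sizeof(sec));
  if (copy_to_user(optval, (char *) &sec, len))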
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index cb960773c002..56f182393c4c 100644
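--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 
  size = sizeof(*dl) + dev_num * sizeof(*di);
 
- dl = kmalloc(size, GFP_KERNEL);
+ dl = kzalloc(size, GFP_KERNEL);
  if (!dl)
  return -ENOMEM;
 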
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 40bbe25dcff7..3589e21edb09 100644
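--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
  sco_sock_clear_timer(sk);
  sco_chan_del(sk, err);
  bh_unlock_sock(sk);
+
+ sco_conn_lock(conn);
+ conn->sk = NULL;
+ sco_pi(sk)->conn = NULL;
+ sco_conn_unlock(conn);
+
+ if (conn->hcon)
+ hci_conn_put(conn->hcon);
+
  sco_sock_kill(sk);
  }
 
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
 
  BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
 
- if (conn) {
- sco_conn_lock(conn);
- conn->sk = NULL;
- sco_pi(sk)->conn = NULL;
- sco_conn_unlock(conn);
-
- if (conn->hcon)
- hci_conn_put(conn->hcon);
- }
-
  sk->sk_state = BT_CLOSED;
  sk->sk_err = err;
  sk->sk_state_change(sk);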
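Review bot: In sco_conn_del() the new block writes `sco_pi(sk)->conn = NULL` after `bh_unlock_sock(sk)`, so the socket's conn pointer now changes under the conn lock only, whereas the code removed from sco_chan_del() ran before that unlock on this path. Any reader that relies on the socket lock to keep `sco_pi(sk)->conn` stable could see it change underneath; moving the block above `bh_unlock_sock(sk)` would avoid that, lock ordering permitting. Because sco_chan_del() no longer clears `conn->sk` or drops the hcon reference, every other caller must now do so itself. Those callers are outside the visible hunks and should be checked for a leaked reference or a stale `conn->sk`.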
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 16ef0dc85a0a..901a616c8083 100644
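--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
  if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
  smp = smp_chan_create(conn);
+ else
+ smp = conn->smp_chan;
 
- smp = conn->smp_chan;
+ if (!smp)
+ return SMP_UNSPECIFIED;
 
  smp->preq[0] = SMP_CMD_PAIRING_REQ;
  memcpy(&smp->preq[1], req, sizeof(*req));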
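Review bot: When smp_chan_create() fails, the new `if (!smp) return SMP_UNSPECIFIED;` returns with HCI_CONN_LE_SMP_PEND still set by the `test_and_set_bit()` two lines above. Unless the caller's failure path clears the flag (not visible here), the next pairing request takes the `else` arm, reads a NULL `conn->smp_chan` and fails again, so a single allocation failure can leave pairing on this connection stuck. Clearing the flag on the path that set it, with `clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);` before the return, would keep the flag and the channel pointer in step. smp_cmd_pairing_req() starts and ends outside the hunk.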
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 333484537600..070e8a68cfc6 100644
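--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -31,9 +31,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
  struct net_bridge_mdb_entry *mdst;
  struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
 
+ rcu_read_lock();
 #ifdef CONFIG_BRIDGE_NETFILTER
  if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
  br_nf_pre_routing_finish_bridge_slow(skb);
+ rcu_read_unlock();
  return NETDEV_TX_OK;
  }
 #endif
@@ -48,7 +50,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
  skb_reset_mac_header(skb);
  skb_pull(skb, ETH_HLEN);
 
- rcu_read_lock();
  if (is_broadcast_ether_addr(dest))
  br_flood_deliver(br, skb);
  else if (is_multicast_ether_addr(dest)) {
@@ -206,24 +207,23 @@ static void br_poll_controller(struct net_device *br_dev)
 static void br_netpoll_cleanup(struct net_device *dev)
 {
  struct net_bridge *br = netdev_priv(dev);
- struct net_bridge_port *p, *n;
+ struct net_bridge_port *p;
 
- list_for_each_entry_safe(p, n, &br->port_list, list) {
+ list_for_each_entry(p, &br->port_list, list)
  br_netpoll_disable(p);
- }
 }
 
-static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni)
+static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni,
+ gfp_t gfp)
 {
  struct net_bridge *br = netdev_priv(dev);
- struct net_bridge_port *p, *n;
+ struct net_bridge_port *p;
  int err = 0;
 
- list_for_each_entry_safe(p, n, &br->port_list, list) {
+ list_for_each_entry(p, &br->port_list, list) {
  if (!p->dev)
  continue;
-
- err = br_netpoll_enable(p);
+ err = br_netpoll_enable(p, gfp);
  if (err)
  goto fail;
  }
@@ -236,17 +236,17 @@ fail:
  goto out;
 }
 
-int br_netpoll_enable(struct net_bridge_port *p)
+int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
  struct netpoll *np;
  int err = 0;
 
- np = kzalloc(sizeof(*p->np), GFP_KERNEL);
+ np = kzalloc(sizeof(*p->np), gfp);
  err = -ENOMEM;
  if (!np)
  goto out;
 
- err = __netpoll_setup(np, p->dev);
+ err = __netpoll_setup(np, p->dev, gfp);
  if (err) {
  kfree(np);
  goto out;
@@ -267,11 +267,7 @@ void br_netpoll_disable(struct net_bridge_port *p)
 
  p->np = NULL;
 
- /* Wait for transmitting packets to finish before freeing. */
- synchronize_rcu_bh();
-
- __netpoll_cleanup(np);
- kfree(np);
+ __netpoll_free_rcu(np);
 }
 
 #endif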
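Review bot: With `rcu_read_lock()` hoisted to the top of br_dev_xmit(), every exit now has to drop it, and the first hunk does so by adding a second `rcu_read_unlock()` inside the `#ifdef CONFIG_BRIDGE_NETFILTER` early return. The lines between the first and second hunks are not shown, so it is worth confirming no other return sits in that window. Routing the early return through one exit label, `goto out;` with `out: rcu_read_unlock(); return NETDEV_TX_OK;` at the end, would keep lock and unlock paired if another early exit is added later. In br_netpoll_disable(), the removed comment explained why freeing had to wait for in-flight transmits; a short comment on `__netpoll_free_rcu(np)` saying the free is deferred for the same reason would preserve that.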
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index e9466d412707..02015a505d2a 100644
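--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -65,7 +65,7 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
 {
  skb->dev = to->dev;
 
- if (unlikely(netpoll_tx_running(to->dev))) {
+ if (unlikely(netpoll_tx_running(to->br->dev))) {
  if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
  kfree_skb(skb);
  else {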
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index e1144e1617be..1c8fdc3558cd 100644
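--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -361,7 +361,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
  if (err)
  goto err2;
 
- if (br_netpoll_info(br) && ((err = br_netpoll_enable(p))))
+ if (br_netpoll_info(br) && ((err = br_netpoll_enable(p, GFP_KERNEL))))
  goto err3;
 
  err = netdev_set_master(dev, br->dev);
@@ -427,6 +427,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
  if (!p || p->br != br)
  return -EINVAL;
 
+ /* Since more than one interface can be attached to a bridge,
+ * there still maybe an alternate path for netconsole to use;
+ * therefore there is no reason for a NETDEV_RELEASE event.
+ */
  del_nbp(p);
 
  spin_lock_bh(&br->lock);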
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index a768b2408edf..f507d2af9646 100644
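--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -316,7 +316,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
  netpoll_send_skb(np, skb);
 }
 
-extern int br_netpoll_enable(struct net_bridge_port *p);
+extern int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp);
 extern void br_netpoll_disable(struct net_bridge_port *p);
 #else
 static inline struct netpoll_info *br_netpoll_info(struct net_bridge *br)
@@ -329,7 +329,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
 {
 }
 
-static inline int br_netpoll_enable(struct net_bridge_port *p)
+static inline int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
  return 0;
 }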
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 69771c04ba8f..e597733affb8 100644
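--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
 
  /* check the version of IP */
  ip_version = skb_header_pointer(skb, 0, 1, &buf);
+ if (!ip_version) {
+ kfree_skb(skb);
+ return -EINVAL;
+ }
 
  switch (*ip_version >> 4) {
  case 4: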
diff --git a/net/core/dev.c b/net/core/dev.c
index a39354ee1432..83988362805e 100644
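--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1642,6 +1642,19 @@ static inline int deliver_skb(struct sk_buff *skb,
  return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
 }
 
+static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
+{
+ if (ptype->af_packet_priv == NULL)
+ return false;
+
+ if (ptype->id_match)
+ return ptype->id_match(ptype, skb->sk);
+ else if ((struct sock *)ptype->af_packet_priv == skb->sk)
+ return true;
+
+ return false;
+}
+
 /*
  * Support routine. Sends outgoing frames to any network
  * taps currently in use.
@@ -1659,8 +1672,7 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
  * they originated from - MvS (miquels@drinkel.ow.org)
  */
  if ((ptype->dev == dev || !ptype->dev) &&
- (ptype->af_packet_priv == NULL ||
- (struct sock *)ptype->af_packet_priv != skb->sk)) {
+ (!skb_loop_sk(ptype, skb))) {
  if (pt_prev) {
  deliver_skb(skb2, pt_prev, skb->dev);
  pt_prev = ptype;
@@ -5732,6 +5744,7 @@ EXPORT_SYMBOL(netdev_refcnt_read);
 
 /**
  * netdev_wait_allrefs - wait until all references are gone.
+ * @dev: target net_device
  *
  * This is called when unregistering network devices.
  *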
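Review bot: skb_loop_sk() passes `skb->sk` to `ptype->id_match()` without checking it, and dev_queue_xmit_nit() can presumably see buffers with no owning socket (forwarded traffic, for one), so every id_match implementation has to tolerate a NULL sock. The open-coded pointer comparison this replaces was safe with NULL; a callback that dereferences its argument is not. Folding the check into the first test, `if (!ptype->af_packet_priv || !skb->sk) return false;`, makes the helper safe whatever the callback does and leaves the pointer-compare branch unchanged, since a non-NULL af_packet_priv never equals a NULL sk. A short comment on the helper stating that it returns true when the skb originated from the tap's own socket or fanout group would also help.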
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index b4c90e42b443..346b1eb83a1f 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -26,6 +26,7 @@
26#include <linux/workqueue.h> 26#include <linux/workqueue.h>
27#include <linux/slab.h> 27#include <linux/slab.h>
28#include <linux/export.h> 28#include <linux/export.h>
29#include <linux/if_vlan.h>
29#include <net/tcp.h> 30#include <net/tcp.h>
30#include <net/udp.h> 31#include <net/udp.h>
31#include <asm/unaligned.h> 32#include <asm/unaligned.h>
@@ -54,7 +55,7 @@ static atomic_t trapped;
54 MAX_UDP_CHUNK) 55 MAX_UDP_CHUNK)
55 56
56static void zap_completion_queue(void); 57static void zap_completion_queue(void);
57static void arp_reply(struct sk_buff *skb); 58static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo);
58 59
59static unsigned int carrier_timeout = 4; 60static unsigned int carrier_timeout = 4;
60module_param(carrier_timeout, uint, 0644); 61module_param(carrier_timeout, uint, 0644);
@@ -167,15 +168,24 @@ static void poll_napi(struct net_device *dev)
167 struct napi_struct *napi; 168 struct napi_struct *napi;
168 int budget = 16; 169 int budget = 16;
169 170
171 WARN_ON_ONCE(!irqs_disabled());
172
170 list_for_each_entry(napi, &dev->napi_list, dev_list) { 173 list_for_each_entry(napi, &dev->napi_list, dev_list) {
174 local_irq_enable();
171 if (napi->poll_owner != smp_processor_id() && 175 if (napi->poll_owner != smp_processor_id() &&
172 spin_trylock(&napi->poll_lock)) { 176 spin_trylock(&napi->poll_lock)) {
173 budget = poll_one_napi(dev->npinfo, napi, budget); 177 rcu_read_lock_bh();
178 budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
179 napi, budget);
180 rcu_read_unlock_bh();
174 spin_unlock(&napi->poll_lock); 181 spin_unlock(&napi->poll_lock);
175 182
176 if (!budget) 183 if (!budget) {
184 local_irq_disable();
177 break; 185 break;
186 }
178 } 187 }
188 local_irq_disable();
179 } 189 }
180} 190}
181 191
@@ -185,13 +195,14 @@ static void service_arp_queue(struct netpoll_info *npi)
185 struct sk_buff *skb; 195 struct sk_buff *skb;
186 196
187 while ((skb = skb_dequeue(&npi->arp_tx))) 197 while ((skb = skb_dequeue(&npi->arp_tx)))
188 arp_reply(skb); 198 netpoll_arp_reply(skb, npi);
189 } 199 }
190} 200}
191 201
192static void netpoll_poll_dev(struct net_device *dev) 202static void netpoll_poll_dev(struct net_device *dev)
193{ 203{
194 const struct net_device_ops *ops; 204 const struct net_device_ops *ops;
205 struct netpoll_info *ni = rcu_dereference_bh(dev->npinfo);
195 206
196 if (!dev || !netif_running(dev)) 207 if (!dev || !netif_running(dev))
197 return; 208 return;
@@ -206,17 +217,18 @@ static void netpoll_poll_dev(struct net_device *dev)
206 poll_napi(dev); 217 poll_napi(dev);
207 218
208 if (dev->flags & IFF_SLAVE) { 219 if (dev->flags & IFF_SLAVE) {
209 if (dev->npinfo) { 220 if (ni) {
210 struct net_device *bond_dev = dev->master; 221 struct net_device *bond_dev = dev->master;
211 struct sk_buff *skb; 222 struct sk_buff *skb;
212 while ((skb = skb_dequeue(&dev->npinfo->arp_tx))) { 223 struct netpoll_info *bond_ni = rcu_dereference_bh(bond_dev->npinfo);
224 while ((skb = skb_dequeue(&ni->arp_tx))) {
213 skb->dev = bond_dev; 225 skb->dev = bond_dev;
214 skb_queue_tail(&bond_dev->npinfo->arp_tx, skb); 226 skb_queue_tail(&bond_ni->arp_tx, skb);
215 } 227 }
216 } 228 }
217 } 229 }
218 230
219 service_arp_queue(dev->npinfo); 231 service_arp_queue(ni);
220 232
221 zap_completion_queue(); 233 zap_completion_queue();
222} 234}
@@ -302,6 +314,7 @@ static int netpoll_owner_active(struct net_device *dev)
302 return 0; 314 return 0;
303} 315}
304 316
317/* call with IRQ disabled */
305void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, 318void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
306 struct net_device *dev) 319 struct net_device *dev)
307{ 320{
@@ -309,8 +322,11 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
309 unsigned long tries; 322 unsigned long tries;
310 const struct net_device_ops *ops = dev->netdev_ops; 323 const struct net_device_ops *ops = dev->netdev_ops;
311 /* It is up to the caller to keep npinfo alive. */ 324 /* It is up to the caller to keep npinfo alive. */
312 struct netpoll_info *npinfo = np->dev->npinfo; 325 struct netpoll_info *npinfo;
326
327 WARN_ON_ONCE(!irqs_disabled());
313 328
329 npinfo = rcu_dereference_bh(np->dev->npinfo);
314 if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) { 330 if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) {
315 __kfree_skb(skb); 331 __kfree_skb(skb);
316 return; 332 return;
@@ -319,16 +335,22 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
319 /* don't get messages out of order, and no recursion */ 335 /* don't get messages out of order, and no recursion */
320 if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) { 336 if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) {
321 struct netdev_queue *txq; 337 struct netdev_queue *txq;
322 unsigned long flags;
323 338
324 txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb)); 339 txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb));
325 340
326 local_irq_save(flags);
327 /* try until next clock tick */ 341 /* try until next clock tick */
328 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL; 342 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL;
329 tries > 0; --tries) { 343 tries > 0; --tries) {
330 if (__netif_tx_trylock(txq)) { 344 if (__netif_tx_trylock(txq)) {
331 if (!netif_xmit_stopped(txq)) { 345 if (!netif_xmit_stopped(txq)) {
346 if (vlan_tx_tag_present(skb) &&
347 !(netif_skb_features(skb) & NETIF_F_HW_VLAN_TX)) {
348 skb = __vlan_put_tag(skb, vlan_tx_tag_get(skb));
349 if (unlikely(!skb))
350 break;
351 skb->vlan_tci = 0;
352 }
353
332 status = ops->ndo_start_xmit(skb, dev); 354 status = ops->ndo_start_xmit(skb, dev);
333 if (status == NETDEV_TX_OK) 355 if (status == NETDEV_TX_OK)
334 txq_trans_update(txq); 356 txq_trans_update(txq);
@@ -347,10 +369,9 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
347 } 369 }
348 370
349 WARN_ONCE(!irqs_disabled(), 371 WARN_ONCE(!irqs_disabled(),
350 "netpoll_send_skb(): %s enabled interrupts in poll (%pF)\n", 372 "netpoll_send_skb_on_dev(): %s enabled interrupts in poll (%pF)\n",
351 dev->name, ops->ndo_start_xmit); 373 dev->name, ops->ndo_start_xmit);
352 374
353 local_irq_restore(flags);
354 } 375 }
355 376
356 if (status != NETDEV_TX_OK) { 377 if (status != NETDEV_TX_OK) {
@@ -423,9 +444,8 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
423} 444}
424EXPORT_SYMBOL(netpoll_send_udp); 445EXPORT_SYMBOL(netpoll_send_udp);
425 446
426static void arp_reply(struct sk_buff *skb) 447static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo)
427{ 448{
428 struct netpoll_info *npinfo = skb->dev->npinfo;
429 struct arphdr *arp; 449 struct arphdr *arp;
430 unsigned char *arp_ptr; 450 unsigned char *arp_ptr;
431 int size, type = ARPOP_REPLY, ptype = ETH_P_ARP; 451 int size, type = ARPOP_REPLY, ptype = ETH_P_ARP;
@@ -543,13 +563,12 @@ static void arp_reply(struct sk_buff *skb)
543 spin_unlock_irqrestore(&npinfo->rx_lock, flags); 563 spin_unlock_irqrestore(&npinfo->rx_lock, flags);
544} 564}
545 565
546int __netpoll_rx(struct sk_buff *skb) 566int __netpoll_rx(struct sk_buff *skb, struct netpoll_info *npinfo)
547{ 567{
548 int proto, len, ulen; 568 int proto, len, ulen;
549 int hits = 0; 569 int hits = 0;
550 const struct iphdr *iph; 570 const struct iphdr *iph;
551 struct udphdr *uh; 571 struct udphdr *uh;
552 struct netpoll_info *npinfo = skb->dev->npinfo;
553 struct netpoll *np, *tmp; 572 struct netpoll *np, *tmp;
554 573
555 if (list_empty(&npinfo->rx_np)) 574 if (list_empty(&npinfo->rx_np))
@@ -565,6 +584,12 @@ int __netpoll_rx(struct sk_buff *skb)
565 return 1; 584 return 1;
566 } 585 }
567 586
587 if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
588 skb = vlan_untag(skb);
589 if (unlikely(!skb))
590 goto out;
591 }
592
568 proto = ntohs(eth_hdr(skb)->h_proto); 593 proto = ntohs(eth_hdr(skb)->h_proto);
569 if (proto != ETH_P_IP) 594 if (proto != ETH_P_IP)
570 goto out; 595 goto out;
@@ -715,7 +740,7 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
715} 740}
716EXPORT_SYMBOL(netpoll_parse_options); 741EXPORT_SYMBOL(netpoll_parse_options);
717 742
718int __netpoll_setup(struct netpoll *np, struct net_device *ndev) 743int __netpoll_setup(struct netpoll *np, struct net_device *ndev, gfp_t gfp)
719{ 744{
720 struct netpoll_info *npinfo; 745 struct netpoll_info *npinfo;
721 const struct net_device_ops *ops; 746 const struct net_device_ops *ops;
@@ -734,7 +759,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
734 } 759 }
735 760
736 if (!ndev->npinfo) { 761 if (!ndev->npinfo) {
737 npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL); 762 npinfo = kmalloc(sizeof(*npinfo), gfp);
738 if (!npinfo) { 763 if (!npinfo) {
739 err = -ENOMEM; 764 err = -ENOMEM;
740 goto out; 765 goto out;
@@ -752,7 +777,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
752 777
753 ops = np->dev->netdev_ops; 778 ops = np->dev->netdev_ops;
754 if (ops->ndo_netpoll_setup) { 779 if (ops->ndo_netpoll_setup) {
755 err = ops->ndo_netpoll_setup(ndev, npinfo); 780 err = ops->ndo_netpoll_setup(ndev, npinfo, gfp);
756 if (err) 781 if (err)
757 goto free_npinfo; 782 goto free_npinfo;
758 } 783 }
@@ -857,7 +882,7 @@ int netpoll_setup(struct netpoll *np)
857 refill_skbs(); 882 refill_skbs();
858 883
859 rtnl_lock(); 884 rtnl_lock();
860 err = __netpoll_setup(np, ndev); 885 err = __netpoll_setup(np, ndev, GFP_KERNEL);
861 rtnl_unlock(); 886 rtnl_unlock();
862 887
863 if (err) 888 if (err)
@@ -878,6 +903,24 @@ static int __init netpoll_init(void)
878} 903}
879core_initcall(netpoll_init); 904core_initcall(netpoll_init);
880 905
906static void rcu_cleanup_netpoll_info(struct rcu_head *rcu_head)
907{
908 struct netpoll_info *npinfo =
909 container_of(rcu_head, struct netpoll_info, rcu);
910
911 skb_queue_purge(&npinfo->arp_tx);
912 skb_queue_purge(&npinfo->txq);
913
914 /* we can't call cancel_delayed_work_sync here, as we are in softirq */
915 cancel_delayed_work(&npinfo->tx_work);
916
917 /* clean after last, unfinished work */
918 __skb_queue_purge(&npinfo->txq);
919 /* now cancel it again */
920 cancel_delayed_work(&npinfo->tx_work);
921 kfree(npinfo);
922}
923
881void __netpoll_cleanup(struct netpoll *np) 924void __netpoll_cleanup(struct netpoll *np)
882{ 925{
883 struct netpoll_info *npinfo; 926 struct netpoll_info *npinfo;
@@ -903,20 +946,24 @@ void __netpoll_cleanup(struct netpoll *np)
903 ops->ndo_netpoll_cleanup(np->dev); 946 ops->ndo_netpoll_cleanup(np->dev);
904 947
905 RCU_INIT_POINTER(np->dev->npinfo, NULL); 948 RCU_INIT_POINTER(np->dev->npinfo, NULL);
949 call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info);
950 }
951}
952EXPORT_SYMBOL_GPL(__netpoll_cleanup);
906 953
907 /* avoid racing with NAPI reading npinfo */ 954static void rcu_cleanup_netpoll(struct rcu_head *rcu_head)
908 synchronize_rcu_bh(); 955{
956 struct netpoll *np = container_of(rcu_head, struct netpoll, rcu);
909 957
910 skb_queue_purge(&npinfo->arp_tx); 958 __netpoll_cleanup(np);
911 skb_queue_purge(&npinfo->txq); 959 kfree(np);
912 cancel_delayed_work_sync(&npinfo->tx_work); 960}
913 961
914 /* clean after last, unfinished work */ 962void __netpoll_free_rcu(struct netpoll *np)
915 __skb_queue_purge(&npinfo->txq); 963{
916 kfree(npinfo); 964 call_rcu_bh(&np->rcu, rcu_cleanup_netpoll);
917 }
918} 965}
919EXPORT_SYMBOL_GPL(__netpoll_cleanup); 966EXPORT_SYMBOL_GPL(__netpoll_free_rcu);
920 967
921void netpoll_cleanup(struct netpoll *np) 968void netpoll_cleanup(struct netpoll *np)
922{ 969{
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index ed0c0431fcd8..c75e3f9d060f 100644
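--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -101,12 +101,10 @@ static int write_update_netdev_table(struct net_device *dev)
 u32 max_len;
 struct netprio_map *map;
 
-rtnl_lock();
 max_len = atomic_read(&max_prioidx) + 1;
 map = rtnl_dereference(dev->priomap);
 if (!map || map->priomap_len < max_len)
 ret = extend_netdev_table(dev, max_len);
-rtnl_unlock();
 
 return ret;
 }
@@ -256,17 +254,17 @@ static int write_priomap(struct cgroup *cgrp, struct cftype *cft,
 if (!dev)
 goto out_free_devname;
 
+rtnl_lock();
 ret = write_update_netdev_table(dev);
 if (ret < 0)
 goto out_put_dev;
 
-rcu_read_lock();
-map = rcu_dereference(dev->priomap);
+map = rtnl_dereference(dev->priomap);
 if (map)
 map->priomap[prioidx] = priority;
-rcu_read_unlock();
 
 out_put_dev:
+rtnl_unlock();
 dev_put(dev);
 
 out_free_devname:
@@ -277,12 +275,6 @@ out_free_devname:
 void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
 {
 struct task_struct *p;
-char *tmp = kzalloc(sizeof(char) * PATH_MAX, GFP_KERNEL);
-
-if (!tmp) {
-pr_warn("Unable to attach cgrp due to alloc failure!\n");
-return;
-}
 
 cgroup_taskset_for_each(p, cgrp, tset) {
 unsigned int fd;
@@ -296,32 +288,24 @@ void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
 continue;
 }
 
-rcu_read_lock();
+spin_lock(&files->file_lock);
 fdt = files_fdtable(files);
 for (fd = 0; fd < fdt->max_fds; fd++) {
-char *path;
 struct file *file;
 struct socket *sock;
-unsigned long s;
-int rv, err = 0;
+int err;
 
 file = fcheck_files(files, fd);
 if (!file)
 continue;
 
-path = d_path(&file->f_path, tmp, PAGE_SIZE);
-rv = sscanf(path, "socket:[%lu]", &s);
-if (rv <= 0)
-continue;
-
 sock = sock_from_file(file, &err);
-if (!err)
+if (sock)
 sock_update_netprioidx(sock->sk, p);
 }
-rcu_read_unlock();
+spin_unlock(&files->file_lock);
 task_unlock(p);
 }
-kfree(tmp);
 }
 
 static struct cftype ss_files[] = {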
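Review bot: `write_update_netdev_table()` in the first hunk no longer takes RTNL itself and now depends on `write_priomap()` holding it, but nothing in the function states or checks that contract. `rtnl_dereference()` only complains when lockdep checking is enabled, so a later caller that forgets the lock would touch `dev->priomap` unprotected; adding `ASSERT_RTNL();` after the declarations, with a `/* caller must hold rtnl_lock() */` comment above the function, makes the requirement explicit. In `net_prio_attach()` the `err` handed to `sock_from_file()` is now write-only because the result is tested through `sock`, which is worth a one-line comment. The signature of `write_update_netdev_table()` lies outside the hunk.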
diff --git a/net/core/scm.c b/net/core/scm.c
index 8f6ccfd68ef4..040cebeed45b 100644
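--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -265,6 +265,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
 i++, cmfptr++)
 {
+struct socket *sock;
 int new_fd;
 err = security_file_receive(fp[i]);
 if (err)
@@ -281,6 +282,9 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 }
 /* Bump the usage count and install the file. */
 get_file(fp[i]);
+sock = sock_from_file(fp[i], &err);
+if (sock)
+sock_update_netprioidx(sock->sk, current);
 fd_install(new_fd, fp[i]);
 }
 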
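Review bot: The added `sock_from_file(fp[i], &err)` call in the second hunk reuses the loop's own `err`, so every passed descriptor that is not a socket leaves a failure code in the variable the loop uses for its error handling. Whether `err` is read again before it is reassigned cannot be confirmed from here, because the end of `scm_detach_fds()` is outside the hunk. A scratch variable removes the doubt: declare `int sock_err;` next to `struct socket *sock;` and call `sock = sock_from_file(fp[i], &sock_err);`.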
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 75c3582a7678..fb85d371a8de 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
246 u32 __user *optval, int __user *optlen) 246 u32 __user *optval, int __user *optlen)
247{ 247{
248 int rc = -ENOPROTOOPT; 248 int rc = -ENOPROTOOPT;
249 if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) 249 if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
250 rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, 250 rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
251 optval, optlen); 251 optval, optlen);
252 return rc; 252 return rc;
@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
257 u32 __user *optval, int __user *optlen) 257 u32 __user *optval, int __user *optlen)
258{ 258{
259 int rc = -ENOPROTOOPT; 259 int rc = -ENOPROTOOPT;
260 if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) 260 if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
261 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, 261 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
262 optval, optlen); 262 optval, optlen);
263 return rc; 263 return rc;
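Review bot: Both getsockopt wrappers now return `-ENOPROTOOPT` for a NULL `ccid`, but neither says in which socket state `ccid` can be NULL when userspace issues the call. A one-line comment above each check, for example `/* ccid may be NULL: getsockopt can arrive before a CCID is attached */`, would record that; the stated cause is an assumption to confirm against the callers, which are not shown. Any sibling inline wrappers in this header that dereference `ccid->ccid_ops` without a guard are outside both hunks and worth checking for the same condition.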
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index d65e98798eca..119c04317d48 100644
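--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -535,6 +535,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
 case DCCP_SOCKOPT_CCID_TX_INFO:
 if (len < sizeof(tfrc))
 return -EINVAL;
+memset(&tfrc, 0, sizeof(tfrc));
 tfrc.tfrctx_x = hc->tx_x;
 tfrc.tfrctx_x_recv = hc->tx_x_recv;
 tfrc.tfrctx_x_calc = hc->tx_x_calc;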
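Review bot: The new `memset(&tfrc, 0, sizeof(tfrc));` looks redundant next to the field assignments that follow it, so it needs a comment saying why it is there. The merge description lists struct-padding leaks to userspace among the fixes, and `tfrc` is presumably copied out further down, outside the hunk; a comment such as `/* zero padding as well as fields: tfrc is copied to userspace */` keeps a later cleanup from removing the call. The receive-side getsockopt handler is not touched by this diff and is worth checking for the same pattern.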
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index db0cf17c00f7..7f75f21d7b83 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -404,12 +404,15 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
404{ 404{
405 const struct inet_request_sock *ireq = inet_rsk(req); 405 const struct inet_request_sock *ireq = inet_rsk(req);
406 struct inet_sock *newinet = inet_sk(newsk); 406 struct inet_sock *newinet = inet_sk(newsk);
407 struct ip_options_rcu *opt = ireq->opt; 407 struct ip_options_rcu *opt;
408 struct net *net = sock_net(sk); 408 struct net *net = sock_net(sk);
409 struct flowi4 *fl4; 409 struct flowi4 *fl4;
410 struct rtable *rt; 410 struct rtable *rt;
411 411
412 fl4 = &newinet->cork.fl.u.ip4; 412 fl4 = &newinet->cork.fl.u.ip4;
413
414 rcu_read_lock();
415 opt = rcu_dereference(newinet->inet_opt);
413 flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark, 416 flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
414 RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, 417 RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
415 sk->sk_protocol, inet_sk_flowi_flags(sk), 418 sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -421,11 +424,13 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
421 goto no_route; 424 goto no_route;
422 if (opt && opt->opt.is_strictroute && rt->rt_gateway) 425 if (opt && opt->opt.is_strictroute && rt->rt_gateway)
423 goto route_err; 426 goto route_err;
427 rcu_read_unlock();
424 return &rt->dst; 428 return &rt->dst;
425 429
426route_err: 430route_err:
427 ip_rt_put(rt); 431 ip_rt_put(rt);
428no_route: 432no_route:
433 rcu_read_unlock();
429 IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); 434 IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
430 return NULL; 435 return NULL;
431} 436}
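Review bot: `opt` is now loaded from `newinet->inet_opt` under `rcu_read_lock()` instead of from `ireq->opt`, and nothing at the declaration or the `rcu_dereference()` line explains why the child socket's pointer is the right one. The merge description calls the old pointer the wrong one to check; a comment such as `/* options already live on the child socket; ireq->opt is stale here */` would record the reason, with the wording to be confirmed against the caller. The lines between the two hunks are not shown, so it cannot be verified from here that every exit in that gap reaches one of the `rcu_read_unlock()` calls.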
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 147ccc3e93db..c196d749daf2 100644
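--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
 iph->ihl = 5;
 iph->tos = inet->tos;
 iph->frag_off = df;
-ip_select_ident(iph, &rt->dst, sk);
 iph->ttl = ttl;
 iph->protocol = sk->sk_protocol;
 ip_copy_addrs(iph, fl4);
+ip_select_ident(iph, &rt->dst, sk);
 
 if (opt) {
 iph->ihl += opt->optlen>>2;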
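Review bot: `ip_select_ident()` is moved below `ip_copy_addrs()` without a comment, so the ordering dependency is invisible and easy to undo in a later tidy-up. Presumably the identifier selection reads an address field of `iph` that is only valid once the addresses have been copied in; if so, `/* must follow ip_copy_addrs(): ident selection uses the header addresses */` above the call would pin it down. `__ip_make_skb()` starts and ends outside the hunk.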
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index ea4a23813d26..4ad9cf173992 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
148 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, 148 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
149 hdr, NULL, &matchoff, &matchlen, 149 hdr, NULL, &matchoff, &matchlen,
150 &addr, &port) > 0) { 150 &addr, &port) > 0) {
151 unsigned int matchend, poff, plen, buflen, n; 151 unsigned int olen, matchend, poff, plen, buflen, n;
152 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; 152 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
153 153
154 /* We're only interested in headers related to this 154 /* We're only interested in headers related to this
@@ -163,17 +163,18 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
163 goto next; 163 goto next;
164 } 164 }
165 165
166 olen = *datalen;
166 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, 167 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
167 &addr, port)) 168 &addr, port))
168 return NF_DROP; 169 return NF_DROP;
169 170
170 matchend = matchoff + matchlen; 171 matchend = matchoff + matchlen + *datalen - olen;
171 172
172 /* The maddr= parameter (RFC 2361) specifies where to send 173 /* The maddr= parameter (RFC 2361) specifies where to send
173 * the reply. */ 174 * the reply. */
174 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, 175 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
175 "maddr=", &poff, &plen, 176 "maddr=", &poff, &plen,
176 &addr) > 0 && 177 &addr, true) > 0 &&
177 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip && 178 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
178 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) { 179 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
179 buflen = sprintf(buffer, "%pI4", 180 buflen = sprintf(buffer, "%pI4",
@@ -187,7 +188,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
187 * from which the server received the request. */ 188 * from which the server received the request. */
188 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, 189 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
189 "received=", &poff, &plen, 190 "received=", &poff, &plen,
190 &addr) > 0 && 191 &addr, false) > 0 &&
191 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip && 192 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
192 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) { 193 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
193 buflen = sprintf(buffer, "%pI4", 194 buflen = sprintf(buffer, "%pI4",
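Review bot: `matchend = matchoff + matchlen + *datalen - olen;` in the second hunk compensates for `map_addr()` changing the packet length, but nothing says so, and the expression relies on unsigned wrap-around whenever the rewritten address is shorter than the original. A comment such as `/* map_addr() may grow or shrink the data; shift matchend by the length delta */` would mark that as intentional. The bare `true` and `false` passed as the new last argument of `ct_sip_parse_address_param()` are also unreadable at the call sites; a short trailing comment naming the flag would help, with the name taken from the prototype, which is not shown here.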
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index e4ba974f143c..fd9ecb52c66b 100644
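--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2028,7 +2028,6 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
 }
 dev_out = net->loopback_dev;
 fl4->flowi4_oif = dev_out->ifindex;
-res.fi = NULL;
 flags |= RTCF_LOCAL;
 goto make_route;
 }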
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 767823764016..00a748d14062 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -417,10 +417,12 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
417 417
418 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */ 418 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
419 tp->mtu_info = info; 419 tp->mtu_info = info;
420 if (!sock_owned_by_user(sk)) 420 if (!sock_owned_by_user(sk)) {
421 tcp_v4_mtu_reduced(sk); 421 tcp_v4_mtu_reduced(sk);
422 else 422 } else {
423 set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags); 423 if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags))
424 sock_hold(sk);
425 }
424 goto out; 426 goto out;
425 } 427 }
426 428
@@ -1462,6 +1464,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
1462 goto exit_nonewsk; 1464 goto exit_nonewsk;
1463 1465
1464 newsk->sk_gso_type = SKB_GSO_TCPV4; 1466 newsk->sk_gso_type = SKB_GSO_TCPV4;
1467 inet_sk_rx_dst_set(newsk, skb);
1465 1468
1466 newtp = tcp_sk(newsk); 1469 newtp = tcp_sk(newsk);
1467 newinet = inet_sk(newsk); 1470 newinet = inet_sk(newsk);
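Review bot: The `sock_hold(sk)` taken in the first hunk when `TCP_MTU_REDUCED_DEFERRED` is newly set has no comment naming where the reference is dropped; the matching `__sock_put()` is in `tcp_release_cb()` in net/ipv4/tcp_output.c. A line such as `/* ref released by tcp_release_cb() */` beside the `sock_hold()` keeps the pairing auditable, and the same applies to the two `test_and_set_bit()`/`sock_hold()` sites in net/ipv4/tcp_timer.c. As a style point, the `else { if (...) ... }` nesting can be written as `} else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags)) {`. `tcp_v4_err()` starts and ends outside the hunk.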
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index d9c9dcef2de3..6ff7f10dce9d 100644
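--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -387,8 +387,6 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
 struct tcp_sock *oldtp = tcp_sk(sk);
 struct tcp_cookie_values *oldcvp = oldtp->cookie_values;
 
-newicsk->icsk_af_ops->sk_rx_dst_set(newsk, skb);
-
 /* TCP Cookie Transactions require space for the cookie pair,
 * as it differs for each connection. There is no need to
 * copy any s_data_payload stored at the original socket.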
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 20dfd892c86f..d04632673a9e 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -910,14 +910,18 @@ void tcp_release_cb(struct sock *sk)
910 if (flags & (1UL << TCP_TSQ_DEFERRED)) 910 if (flags & (1UL << TCP_TSQ_DEFERRED))
911 tcp_tsq_handler(sk); 911 tcp_tsq_handler(sk);
912 912
913 if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) 913 if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) {
914 tcp_write_timer_handler(sk); 914 tcp_write_timer_handler(sk);
915 915 __sock_put(sk);
916 if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) 916 }
917 if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) {
917 tcp_delack_timer_handler(sk); 918 tcp_delack_timer_handler(sk);
918 919 __sock_put(sk);
919 if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) 920 }
921 if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) {
920 sk->sk_prot->mtu_reduced(sk); 922 sk->sk_prot->mtu_reduced(sk);
923 __sock_put(sk);
924 }
921} 925}
922EXPORT_SYMBOL(tcp_release_cb); 926EXPORT_SYMBOL(tcp_release_cb);
923 927
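Review bot: Each deferred handler is now followed by `__sock_put(sk)`, which only decrements the count and never frees the socket, so the code depends on the caller of `tcp_release_cb()` holding its own reference for the whole call. That assumption should be written down, for example `/* drops the ref taken when the DEFERRED bit was set; caller still holds one */`, because running this without an outer reference would leave the handlers working on a socket whose count has reached zero. The `TCP_TSQ_DEFERRED` branch has no put; if that is because its setter takes no reference, a comment saying so would prevent a well-meaning "fix". The start of `tcp_release_cb()` is outside the hunk.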
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 6df36ad55a38..b774a03bd1dc 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -252,7 +252,8 @@ static void tcp_delack_timer(unsigned long data)
252 inet_csk(sk)->icsk_ack.blocked = 1; 252 inet_csk(sk)->icsk_ack.blocked = 1;
253 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED); 253 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
254 /* deleguate our work to tcp_release_cb() */ 254 /* deleguate our work to tcp_release_cb() */
255 set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags); 255 if (!test_and_set_bit(TCP_DELACK_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
256 sock_hold(sk);
256 } 257 }
257 bh_unlock_sock(sk); 258 bh_unlock_sock(sk);
258 sock_put(sk); 259 sock_put(sk);
@@ -481,7 +482,8 @@ static void tcp_write_timer(unsigned long data)
481 tcp_write_timer_handler(sk); 482 tcp_write_timer_handler(sk);
482 } else { 483 } else {
483 /* deleguate our work to tcp_release_cb() */ 484 /* deleguate our work to tcp_release_cb() */
484 set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags); 485 if (!test_and_set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
486 sock_hold(sk);
485 } 487 }
486 bh_unlock_sock(sk); 488 bh_unlock_sock(sk);
487 sock_put(sk); 489 sock_put(sk);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 79181819a24f..6bc85f7c31e3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -494,8 +494,7 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
494 struct net_device *dev; 494 struct net_device *dev;
495 struct inet6_dev *idev; 495 struct inet6_dev *idev;
496 496
497 rcu_read_lock(); 497 for_each_netdev(net, dev) {
498 for_each_netdev_rcu(net, dev) {
499 idev = __in6_dev_get(dev); 498 idev = __in6_dev_get(dev);
500 if (idev) { 499 if (idev) {
501 int changed = (!idev->cnf.forwarding) ^ (!newf); 500 int changed = (!idev->cnf.forwarding) ^ (!newf);
@@ -504,7 +503,6 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
504 dev_forward_change(idev); 503 dev_forward_change(idev);
505 } 504 }
506 } 505 }
507 rcu_read_unlock();
508} 506}
509 507
510static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf) 508static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
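Review bot: `addrconf_forward_change()` now walks the device list with `for_each_netdev()` and no RCU read lock, which is only safe with RTNL held, and nothing in the function states or checks that. Adding `ASSERT_RTNL();` after the declarations documents the requirement and catches a caller that gets it wrong. The callers are outside both hunks, so whether each of them takes RTNL cannot be confirmed from here.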
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index da2e92d05c15..745a32042950 100644
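--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -307,10 +307,10 @@ static int __net_init ipv6_proc_init_net(struct net *net)
 goto proc_dev_snmp6_fail;
 return 0;
 
+proc_dev_snmp6_fail:
+proc_net_remove(net, "snmp6");
 proc_snmp6_fail:
 proc_net_remove(net, "sockstat6");
-proc_dev_snmp6_fail:
-proc_net_remove(net, "dev_snmp6");
 return -ENOMEM;
 }
 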
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index bb9ce2b2f377..a3e60cc04a8a 100644
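--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -94,6 +94,18 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
 }
 #endif
 
+static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+{
+struct dst_entry *dst = skb_dst(skb);
+const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+dst_hold(dst);
+sk->sk_rx_dst = dst;
+inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+if (rt->rt6i_node)
+inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
+}
+
 static void tcp_v6_hash(struct sock *sk)
 {
 if (sk->sk_state != TCP_CLOSE) {
@@ -1270,6 +1282,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 
 newsk->sk_gso_type = SKB_GSO_TCPV6;
 __ip6_dst_store(newsk, dst, NULL, NULL);
+inet6_sk_rx_dst_set(newsk, skb);
 
 newtcp6sk = (struct tcp6_sock *)newsk;
 inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
@@ -1729,18 +1742,6 @@ static struct timewait_sock_ops tcp6_timewait_sock_ops = {
 .twsk_destructor= tcp_twsk_destructor,
 };
 
-static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
-{
-struct dst_entry *dst = skb_dst(skb);
-const struct rt6_info *rt = (const struct rt6_info *)dst;
-
-dst_hold(dst);
-sk->sk_rx_dst = dst;
-inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
-if (rt->rt6i_node)
-inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
-}
-
 static const struct inet_connection_sock_af_ops ipv6_specific = {
 .queue_xmit = inet6_csk_xmit,
 .send_check = tcp_v6_send_check,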
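Review bot: `inet6_sk_rx_dst_set()` calls `dst_hold(dst)` on the result of `skb_dst(skb)` without a NULL check, and the second hunk adds a new caller in `tcp_v6_syn_recv_sock()`. If an skb can reach that path with no dst attached, this is a NULL dereference in the receive path; an early `if (!dst) return;` before `dst_hold()` makes the helper safe for every caller. `rx_dst_cookie` is also left untouched when `rt->rt6i_node` is NULL, which deserves a comment stating what value the field holds in that case.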
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef39812107b1..f8c4c08ffb60 100644
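--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -73,6 +73,13 @@ static int xfrm6_get_tos(const struct flowi *fl)
 return 0;
 }
 
+static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
+{
+struct rt6_info *rt = (struct rt6_info *)xdst;
+
+rt6_init_peer(rt, net->ipv6.peers);
+}
+
 static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
 int nfheader_len)
 {
@@ -286,6 +293,7 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
 .get_saddr = xfrm6_get_saddr,
 .decode_session = _decode_session6,
 .get_tos = xfrm6_get_tos,
+.init_dst = xfrm6_init_dst,
 .init_path = xfrm6_init_path,
 .fill_dst = xfrm6_fill_dst,
 .blackhole_route = ip6_blackhole_route,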
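Review bot: `xfrm6_init_dst()` casts `struct xfrm_dst *` straight to `struct rt6_info *`, which is only valid if the `rt6_info` sits at offset zero of `xfrm_dst`; that layout is not visible in this diff. A comment on the cast, for example `/* xfrm_dst starts with the rt6_info, see struct xfrm_dst */`, would make the dependency explicit, and taking the address of the embedded member instead of casting would let the compiler check it. The function also has no comment saying when the `init_dst` hook is invoked relative to `fill_dst`, which matters for the peer initialisation it performs.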
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 35e1e4bde587..927547171bc7 100644
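--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,
 lsa->l2tp_family = AF_INET6;
 lsa->l2tp_flowinfo = 0;
 lsa->l2tp_scope_id = 0;
+lsa->l2tp_unused = 0;
 if (peer) {
 if (!lsk->peer_conn_id)
 return -ENOTCONN;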
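Review bot: Zeroing `lsa->l2tp_unused` by hand fixes this one field, but the structure is still initialised member by member, so any padding or later-added field would reach userspace uninitialised again. Clearing the whole object once before the assignments, `memset(lsa, 0, sizeof(*lsa));`, covers both cases and makes the individual `= 0` lines unnecessary. The start of `l2tp_ip6_getname()` is outside the hunk, so check first that no such memset already exists there.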
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index f6fe4d400502..c2190005a114 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
969 struct sockaddr_llc sllc; 969 struct sockaddr_llc sllc;
970 struct sock *sk = sock->sk; 970 struct sock *sk = sock->sk;
971 struct llc_sock *llc = llc_sk(sk); 971 struct llc_sock *llc = llc_sk(sk);
972 int rc = 0; 972 int rc = -EBADF;
973 973
974 memset(&sllc, 0, sizeof(sllc)); 974 memset(&sllc, 0, sizeof(sllc));
975 lock_sock(sk); 975 lock_sock(sk);
976 if (sock_flag(sk, SOCK_ZAPPED)) 976 if (sock_flag(sk, SOCK_ZAPPED))
977 goto out; 977 goto out;
978 *uaddrlen = sizeof(sllc); 978 *uaddrlen = sizeof(sllc);
979 memset(uaddr, 0, *uaddrlen);
980 if (peer) { 979 if (peer) {
981 rc = -ENOTCONN; 980 rc = -ENOTCONN;
982 if (sk->sk_state != TCP_ESTABLISHED) 981 if (sk->sk_state != TCP_ESTABLISHED)
@@ -1206,7 +1205,7 @@ static int __init llc2_init(void)
1206 rc = llc_proc_init(); 1205 rc = llc_proc_init();
1207 if (rc != 0) { 1206 if (rc != 0) {
1208 printk(llc_proc_err_msg); 1207 printk(llc_proc_err_msg);
1209 goto out_unregister_llc_proto; 1208 goto out_station;
1210 } 1209 }
1211 rc = llc_sysctl_init(); 1210 rc = llc_sysctl_init();
1212 if (rc) { 1211 if (rc) {
@@ -1226,7 +1225,8 @@ out_sysctl:
1226 llc_sysctl_exit(); 1225 llc_sysctl_exit();
1227out_proc: 1226out_proc:
1228 llc_proc_exit(); 1227 llc_proc_exit();
1229out_unregister_llc_proto: 1228out_station:
1229 llc_station_exit();
1230 proto_unregister(&llc_proto); 1230 proto_unregister(&llc_proto);
1231 goto out; 1231 goto out;
1232} 1232}
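Review bot: In `llc_ui_getname()` the default `rc` is now `-EBADF`, so the `SOCK_ZAPPED` early exit returns an error instead of success, but that is only correct if every successful path sets `rc = 0` before reaching `out:`; those paths are outside the first hunk. A comment at the declaration, `/* returned for a zapped socket; success paths set rc = 0 */`, would state the invariant. `*uaddrlen = sizeof(sllc);` is still written before the `peer` and state checks, so a failing call reports a length for an address that was never filled in; moving that assignment next to the point where `sllc` is copied into `uaddr` (not shown here) would avoid that.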
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index e32cab44ea95..dd3e83328ad5 100644
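--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -42,6 +42,7 @@ static void (*llc_type_handlers[2])(struct llc_sap *sap,
 void llc_add_pack(int type, void (*handler)(struct llc_sap *sap,
  struct sk_buff *skb))
 {
+ smp_wmb(); /* ensure initialisation is complete before it's called */
  if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
  llc_type_handlers[type - 1] = handler;
 }
@@ -50,11 +51,19 @@ void llc_remove_pack(int type)
 {
  if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
  llc_type_handlers[type - 1] = NULL;
+ synchronize_net();
 }
 
 void llc_set_station_handler(void (*handler)(struct sk_buff *skb))
 {
+ /* Ensure initialisation is complete before it's called */
+ if (handler)
+ smp_wmb();
+
  llc_station_handler = handler;
+
+ if (!handler)
+ synchronize_net();
 }
 
 /**
@@ -150,6 +159,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
  int dest;
  int (*rcv)(struct sk_buff *, struct net_device *,
  struct packet_type *, struct net_device *);
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
 
  if (!net_eq(dev_net(dev), &init_net))
  goto drop;
@@ -182,7 +193,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
  */
  rcv = rcu_dereference(sap->rcv_func);
  dest = llc_pdu_type(skb);
- if (unlikely(!dest || !llc_type_handlers[dest - 1])) {
+ sap_handler = dest ? ACCESS_ONCE(llc_type_handlers[dest - 1]) : NULL;
+ if (unlikely(!sap_handler)) {
  if (rcv)
  rcv(skb, dev, pt, orig_dev);
  else
@@ -193,7 +205,7 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
  if (cskb)
  rcv(cskb, dev, pt, orig_dev);
  }
- llc_type_handlers[dest - 1](sap, skb);
+ sap_handler(sap, skb);
  }
  llc_sap_put(sap);
 out:
@@ -202,9 +214,10 @@ drop:
  kfree_skb(skb);
  goto out;
 handle_station:
- if (!llc_station_handler)
+ sta_handler = ACCESS_ONCE(llc_station_handler);
+ if (!sta_handler)
  goto drop;
- llc_station_handler(skb);
+ sta_handler(skb);
  goto out;
 }
 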
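Review bot: The publish/retire scheme for `llc_type_handlers[]` and `llc_station_handler` is not documented on the read side in `llc_rcv()`, where the pointers are snapshotted with `ACCESS_ONCE()`. The writers issue `smp_wmb()` and the removers call `synchronize_net()`, which only protects a handler being torn down if every `llc_rcv()` call runs inside an RCU read-side section; the `rcu_dereference(sap->rcv_func)` in the same function suggests that, but the hunks do not show it. I would add a comment above each snapshot, `/* read once: may be cleared concurrently; removers wait in synchronize_net() */`, and consider `rcu_assign_pointer()`/`rcu_dereference()` for both pointers so the pairing is explicit. `llc_rcv()` starts and ends outside these hunks.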
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index 6828e39ec2ec..b2f2bac2c2a2 100644
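--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -687,12 +687,8 @@ static void llc_station_rcv(struct sk_buff *skb)
  llc_station_state_process(skb);
 }
 
-int __init llc_station_init(void)
+void __init llc_station_init(void)
 {
- int rc = -ENOBUFS;
- struct sk_buff *skb;
- struct llc_station_state_ev *ev;
-
  skb_queue_head_init(&llc_main_station.mac_pdu_q);
  skb_queue_head_init(&llc_main_station.ev_q.list);
  spin_lock_init(&llc_main_station.ev_q.lock);
@@ -700,23 +696,12 @@ int __init llc_station_init(void)
  (unsigned long)&llc_main_station);
  llc_main_station.ack_timer.expires = jiffies +
  sysctl_llc_station_ack_timeout;
- skb = alloc_skb(0, GFP_ATOMIC);
- if (!skb)
- goto out;
- rc = 0;
- llc_set_station_handler(llc_station_rcv);
- ev = llc_station_ev(skb);
- memset(ev, 0, sizeof(*ev));
  llc_main_station.maximum_retry = 1;
- llc_main_station.state = LLC_STATION_STATE_DOWN;
- ev->type = LLC_STATION_EV_TYPE_SIMPLE;
- ev->prim_type = LLC_STATION_EV_ENABLE_WITHOUT_DUP_ADDR_CHECK;
- rc = llc_station_next_state(skb);
-out:
- return rc;
+ llc_main_station.state = LLC_STATION_STATE_UP;
+ llc_set_station_handler(llc_station_rcv);
 }
 
-void __exit llc_station_exit(void)
+void llc_station_exit(void)
 {
  llc_set_station_handler(NULL);
 }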
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 84444dda194b..72bf32a84874 100644
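--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2759,6 +2759,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
  {
  struct ip_vs_timeout_user t;
 
+ memset(&t, 0, sizeof(t));
  __ip_vs_get_timeouts(net, &t);
  if (copy_to_user(user, &t, sizeof(t)) != 0)
  ret = -EFAULT;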
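Review bot: The added `memset(&t, 0, sizeof(t))` carries no comment saying why it must stay, yet it is what keeps uninitialised stack bytes out of the `copy_to_user(user, &t, sizeof(t))` two lines later. Whether `__ip_vs_get_timeouts()` writes every member of `t` is not visible in this hunk, so the zeroing should be treated as load-bearing. I would add `/* t is copied to userspace in full: clear padding and any member not set below */` above it. The `memset(&ifc, 0, sizeof(ifc))` added to `dev_ifconf()` in net/socket.c deserves the same kind of comment, though the copy-out it protects is not shown there. The enclosing case block starts and ends outside the hunk.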
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 45cf602a76bc..527651a53a45 100644
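--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -361,23 +361,6 @@ static void evict_oldest_expect(struct nf_conn *master,
  }
 }
 
-static inline int refresh_timer(struct nf_conntrack_expect *i)
-{
- struct nf_conn_help *master_help = nfct_help(i->master);
- const struct nf_conntrack_expect_policy *p;
-
- if (!del_timer(&i->timeout))
- return 0;
-
- p = &rcu_dereference_protected(
- master_help->helper,
- lockdep_is_held(&nf_conntrack_lock)
- )->expect_policy[i->class];
- i->timeout.expires = jiffies + p->timeout * HZ;
- add_timer(&i->timeout);
- return 1;
-}
-
 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 {
  const struct nf_conntrack_expect_policy *p;
@@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
  struct nf_conn_help *master_help = nfct_help(master);
  struct nf_conntrack_helper *helper;
  struct net *net = nf_ct_exp_net(expect);
- struct hlist_node *n;
+ struct hlist_node *n, *next;
  unsigned int h;
  int ret = 1;
 
@@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
  goto out;
  }
  h = nf_ct_expect_dst_hash(&expect->tuple);
- hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
+ hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) {
  if (expect_matches(i, expect)) {
- /* Refresh timer: if it's dying, ignore.. */
- if (refresh_timer(i)) {
- ret = 0;
- goto out;
+ if (del_timer(&i->timeout)) {
+ nf_ct_unlink_expect(i);
+ nf_ct_expect_put(i);
+ break;
  }
  } else if (expect_clash(i, expect)) {
  ret = -EBUSY;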
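Review bot: The new matching branch in `__nf_ct_expect_check()` removed the old comment and now leaves two things undocumented that a reader has to know. A failed `del_timer()` means the existing expectation is already expiring and is skipped on purpose, and the `nf_ct_expect_put(i)` after `nf_ct_unlink_expect(i)` presumably drops the reference the pending timer was holding. I would add `/* timer still pending: replace the old expectation and drop the timer's reference; if del_timer() fails it is already dying, ignore */` above the `if (del_timer(&i->timeout))`. The function continues past the end of the hunk, so what follows the `break` is not visible here.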
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 14f67a2cbcb5..da4fc37a8578 100644
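--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1896,10 +1896,15 @@ static int
 ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
 {
  struct nlattr *cda[CTA_MAX+1];
+ int ret;
 
  nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
 
- return ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+ spin_lock_bh(&nf_conntrack_lock);
+ ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+ spin_unlock_bh(&nf_conntrack_lock);
+
+ return ret;
 }
 
 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {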
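Review bot: `ctnetlink_nfqueue_parse()` still discards the return value of `nla_parse_nested()`, so a nested attribute that fails `ct_nla_policy` validation is not rejected. Whatever `cda` holds at that point is passed on to `ctnetlink_nfqueue_parse_ct()`, which now runs under `nf_conntrack_lock`. Since the function gained `ret` in this change, the parse result can be checked before the lock is taken: `ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);` followed by `if (ret < 0) return ret;`.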
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 758a1bacc126..5c0a112aeee6 100644
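--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -183,12 +183,12 @@ static int media_len(const struct nf_conn *ct, const char *dptr,
  return len + digits_len(ct, dptr, limit, shift);
 }
 
-static int parse_addr(const struct nf_conn *ct, const char *cp,
+static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
  const char **endp, union nf_inet_addr *addr,
- const char *limit)
+ const char *limit, bool delim)
 {
  const char *end;
- int ret = 0;
+ int ret;
 
  if (!ct)
  return 0;
@@ -197,16 +197,28 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
  switch (nf_ct_l3num(ct)) {
  case AF_INET:
  ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+ if (ret == 0)
+ return 0;
  break;
  case AF_INET6:
+ if (cp < limit && *cp == '[')
+ cp++;
+ else if (delim)
+ return 0;
+
  ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+ if (ret == 0)
+ return 0;
+
+ if (end < limit && *end == ']')
+ end++;
+ else if (delim)
+ return 0;
  break;
  default:
  BUG();
  }
 
- if (ret == 0 || end == cp)
- return 0;
  if (endp)
  *endp = end;
  return 1;
@@ -219,7 +231,7 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
  union nf_inet_addr addr;
  const char *aux = dptr;
 
- if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
+ if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
  pr_debug("ip: %s parse failed.!\n", dptr);
  return 0;
  }
@@ -296,7 +308,7 @@ int ct_sip_parse_request(const struct nf_conn *ct,
  return 0;
  dptr += shift;
 
- if (!parse_addr(ct, dptr, &end, addr, limit))
+ if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
  return -1;
  if (end < limit && *end == ':') {
  end++;
@@ -550,7 +562,7 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
  if (ret == 0)
  return ret;
 
- if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
+ if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
  return -1;
  if (*c == ':') {
  c++;
@@ -599,7 +611,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
  unsigned int dataoff, unsigned int datalen,
  const char *name,
  unsigned int *matchoff, unsigned int *matchlen,
- union nf_inet_addr *addr)
+ union nf_inet_addr *addr, bool delim)
 {
  const char *limit = dptr + datalen;
  const char *start, *end;
@@ -613,7 +625,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
  return 0;
 
  start += strlen(name);
- if (!parse_addr(ct, start, &end, addr, limit))
+ if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
  return 0;
  *matchoff = start - dptr;
  *matchlen = end - start;
@@ -675,6 +687,47 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
  return 1;
 }
 
+static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
+ const char **endp, union nf_inet_addr *addr,
+ const char *limit)
+{
+ const char *end;
+ int ret;
+
+ memset(addr, 0, sizeof(*addr));
+ switch (nf_ct_l3num(ct)) {
+ case AF_INET:
+ ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+ break;
+ case AF_INET6:
+ ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+ break;
+ default:
+ BUG();
+ }
+
+ if (ret == 0)
+ return 0;
+ if (endp)
+ *endp = end;
+ return 1;
+}
+
+/* skip ip address. returns its length. */
+static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
+ const char *limit, int *shift)
+{
+ union nf_inet_addr addr;
+ const char *aux = dptr;
+
+ if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
+ pr_debug("ip: %s parse failed.!\n", dptr);
+ return 0;
+ }
+
+ return dptr - aux;
+}
+
 /* SDP header parsing: a SDP session description contains an ordered set of
  * headers, starting with a section containing general session parameters,
  * optionally followed by multiple media descriptions.
@@ -686,10 +739,10 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
  */
 static const struct sip_header ct_sdp_hdrs[] = {
  [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
- [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", epaddr_len),
- [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", epaddr_len),
- [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", epaddr_len),
- [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", epaddr_len),
+ [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
+ [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
+ [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
+ [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
  [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
 };
 
@@ -775,8 +828,8 @@ static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
  if (ret <= 0)
  return ret;
 
- if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
+ if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
  dptr + *matchoff + *matchlen))
  return -1;
  return 1;
 }
@@ -1515,7 +1568,6 @@ static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
-static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
 
 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
  [SIP_EXPECT_SIGNALLING] = {
@@ -1585,9 +1637,9 @@ static int __init nf_conntrack_sip_init(void)
  sip[i][j].me = THIS_MODULE;
 
  if (ports[i] == SIP_PORT)
- sprintf(sip_names[i][j], "sip");
+ sprintf(sip[i][j].name, "sip");
  else
- sprintf(sip_names[i][j], "sip-%u", i);
+ sprintf(sip[i][j].name, "sip-%u", i);
 
  pr_debug("port #%u: %u\n", i, ports[i]);
 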
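Review bot: In the `ct_sip_parse_header_uri()` hunk the byte after the parsed address is read with `if (*c == ':')` without first checking `c < limit`, whereas `ct_sip_parse_request()` in the preceding hunk tests `end < limit && *end == ':'`. With the new bracket handling, `sip_parse_addr()` can step `end` past a closing `]`, so a return with `end == limit` looks reachable when the address ends the data. The unchecked read would then touch a byte outside the range the parser was given. I would make the test `if (c < limit && *c == ':') {`. Both functions start and end outside their hunks, so how `limit` is derived in `ct_sip_parse_header_uri()` is not visible here.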
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5463969da45b..1445d73533ed 100644
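--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
  if (NULL == siocb->scm)
  siocb->scm = &scm;
 
- err = scm_send(sock, msg, siocb->scm);
+ err = scm_send(sock, msg, siocb->scm, true);
  if (err < 0)
  return err;
 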
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8ac890a1a4c0..aee7196aac36 100644
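--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1273,6 +1273,14 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
  spin_unlock(&f->lock);
 }
 
+bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
+{
+ if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
+ return true;
+
+ return false;
+}
+
 static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 {
  struct packet_sock *po = pkt_sk(sk);
@@ -1325,6 +1333,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
  match->prot_hook.dev = po->prot_hook.dev;
  match->prot_hook.func = packet_rcv_fanout;
  match->prot_hook.af_packet_priv = match;
+ match->prot_hook.id_match = match_fanout_group;
  dev_add_pack(&match->prot_hook);
  list_add(&match->list, &fanout_list);
  }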
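Review bot: `match_fanout_group()` casts its `sk` argument straight to `struct packet_sock *` and reads `->fanout`, but nothing in the function establishes that the socket is an AF_PACKET socket. The caller of `id_match` is not in this file section; if it can pass an arbitrary `skb->sk`, the read comes from a differently typed and possibly smaller object. I would document the precondition or guard it with `if (sk->sk_family != PF_PACKET) return false;`, and use the accessor the next function already uses: `return ptype->af_packet_priv == (void *)pkt_sk(sk)->fanout;`. The function is only referenced through `prot_hook.id_match` in these hunks, so it should also be `static`.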
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index fe81cc18e9e0..9c0fd0c78814 100644
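--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -200,13 +200,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a,
 out:
  if (err) {
  m->tcf_qstats.overlimits++;
- /* should we be asking for packet to be dropped?
- * may make sense for redirect case only
- */
- retval = TC_ACT_SHOT;
- } else {
+ if (m->tcfm_eaction != TCA_EGRESS_MIRROR)
+ retval = TC_ACT_SHOT;
+ else
+ retval = m->tcf_action;
+ } else
  retval = m->tcf_action;
- }
  spin_unlock(&m->tcf_lock);
 
  return retval;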
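Review bot: The rewritten error path in `tcf_mirred()` leaves `} else` unbraced after a braced `if (err) {` block and nests an unbraced `if`/`else` inside it. Kernel coding style asks for consistent braces here, and the current shape makes the three `retval` assignments harder to audit. The rule is to drop only when the action failed and it was not a mirror, so it can be written as `if (err) m->tcf_qstats.overlimits++;` followed by `retval = (err && m->tcfm_eaction != TCA_EGRESS_MIRROR) ? TC_ACT_SHOT : m->tcf_action;`. The old comment was removed without a replacement, so I would also add `/* a failed mirror must not drop the original packet */`. The function starts outside the hunk.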
diff --git a/net/socket.c b/net/socket.c
index dfe5b66c97e0..a5471f804d99 100644
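--- a/net/socket.c
+++ b/net/socket.c
@@ -2657,6 +2657,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
  if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
  return -EFAULT;
 
+ memset(&ifc, 0, sizeof(ifc));
  if (ifc32.ifcbuf == 0) {
  ifc32.ifc_len = 0;
  ifc.ifc_len = 0;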
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index e4768c180da2..c5ee4ff61364 100644
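--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
  if (NULL == siocb->scm)
  siocb->scm = &tmp_scm;
  wait_for_unix_gc();
- err = scm_send(sock, msg, siocb->scm);
+ err = scm_send(sock, msg, siocb->scm, false);
  if (err < 0)
  return err;
 
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
  if (NULL == siocb->scm)
  siocb->scm = &tmp_scm;
  wait_for_unix_gc();
- err = scm_send(sock, msg, siocb->scm);
+ err = scm_send(sock, msg, siocb->scm, false);
  if (err < 0)
  return err;
 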
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c5a5165a5927..5a2aa17e4d3c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1357,6 +1357,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1357 1357
1358 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst)); 1358 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
1359 xdst->flo.ops = &xfrm_bundle_fc_ops; 1359 xdst->flo.ops = &xfrm_bundle_fc_ops;
1360 if (afinfo->init_dst)
1361 afinfo->init_dst(net, xdst);
1360 } else 1362 } else
1361 xdst = ERR_PTR(-ENOBUFS); 1363 xdst = ERR_PTR(-ENOBUFS);
1362 1364