aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorMauro Carvalho Chehab <mchehab@redhat.com>2012-12-11 08:18:45 -0500
committerMauro Carvalho Chehab <mchehab@redhat.com>2012-12-11 08:18:45 -0500
commit9374020a78fce13a1cf2edf3d26f6dd7231b5c3d (patch)
tree50c8629e6c6222c5b9681506b52afbde818c5e56 /net
parentd2a0db1ee01aea154ccc460e45a16857e32c4427 (diff)
parent29594404d7fe73cd80eaa4ee8c43dcc53970c60e (diff)
Merge tag 'v3.7' into v4l_for_linus
Linux 3.7 * tag 'v3.7': (1545 commits) Linux 3.7 Input: matrix-keymap - provide proper module license Revert "revert "Revert "mm: remove __GFP_NO_KSWAPD""" and associated damage ipv4: ip_check_defrag must not modify skb before unsharing Revert "mm: avoid waking kswapd for THP allocations when compaction is deferred or contended" inet_diag: validate port comparison byte code to prevent unsafe reads inet_diag: avoid unsafe and nonsensical prefix matches in inet_diag_bc_run() inet_diag: validate byte code to prevent oops in inet_diag_bc_run() inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state mm: vmscan: fix inappropriate zone congestion clearing vfs: fix O_DIRECT read past end of block device net: gro: fix possible panic in skb_gro_receive() tcp: bug fix Fast Open client retransmission tmpfs: fix shared mempolicy leak mm: vmscan: do not keep kswapd looping forever due to individual uncompactable zones mm: compaction: validate pfn range passed to isolate_freepages_block mmc: sh-mmcif: avoid oops on spurious interrupts (second try) Revert misapplied "mmc: sh-mmcif: avoid oops on spurious interrupts" mmc: sdhci-s3c: fix missing clock for gpio card-detect lib/Makefile: Fix oid_registry build dependency ...
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan.c4
-rw-r--r--net/8021q/vlan_core.c9
-rw-r--r--net/batman-adv/bridge_loop_avoidance.c27
-rw-r--r--net/batman-adv/routing.c8
-rw-r--r--net/batman-adv/soft-interface.c12
-rw-r--r--net/batman-adv/translation-table.c15
-rw-r--r--net/batman-adv/types.h2
-rw-r--r--net/bluetooth/hci_core.c4
-rw-r--r--net/bluetooth/mgmt.c12
-rw-r--r--net/bluetooth/smp.c8
-rw-r--r--net/can/bcm.c3
-rw-r--r--net/ceph/messenger.c6
-rw-r--r--net/core/dev.c8
-rw-r--r--net/core/dev_addr_lists.c3
-rw-r--r--net/core/net-sysfs.c20
-rw-r--r--net/core/rtnetlink.c3
-rw-r--r--net/core/skbuff.c12
-rw-r--r--net/ipv4/icmp.c3
-rw-r--r--net/ipv4/inet_diag.c159
-rw-r--r--net/ipv4/ip_fragment.c19
-rw-r--r--net/ipv4/ip_sockglue.c35
-rw-r--r--net/ipv4/ip_vti.c5
-rw-r--r--net/ipv4/ipmr.c4
-rw-r--r--net/ipv4/netfilter/iptable_nat.c4
-rw-r--r--net/ipv4/route.c18
-rw-r--r--net/ipv4/tcp.c29
-rw-r--r--net/ipv4/tcp_illinois.c8
-rw-r--r--net/ipv4/tcp_input.c37
-rw-r--r--net/ipv4/tcp_ipv4.c1
-rw-r--r--net/ipv4/tcp_metrics.c14
-rw-r--r--net/ipv4/tcp_minisocks.c1
-rw-r--r--net/ipv4/tcp_output.c19
-rw-r--r--net/ipv4/tcp_timer.c4
-rw-r--r--net/ipv4/xfrm4_policy.c13
-rw-r--r--net/ipv6/addrconf.c15
-rw-r--r--net/ipv6/inet6_connection_sock.c3
-rw-r--r--net/ipv6/ip6_gre.c8
-rw-r--r--net/ipv6/ipv6_sockglue.c1
-rw-r--r--net/ipv6/ndisc.c3
-rw-r--r--net/ipv6/netfilter/ip6table_nat.c4
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c4
-rw-r--r--net/ipv6/route.c4
-rw-r--r--net/irda/ircomm/ircomm_tty.c2
-rw-r--r--net/irda/irttp.c1
-rw-r--r--net/l2tp/l2tp_eth.c1
-rw-r--r--net/mac80211/cfg.c3
-rw-r--r--net/mac80211/ibss.c10
-rw-r--r--net/mac80211/ieee80211_i.h2
-rw-r--r--net/mac80211/iface.c2
-rw-r--r--net/mac80211/main.c6
-rw-r--r--net/mac80211/mlme.c35
-rw-r--r--net/mac80211/offchannel.c2
-rw-r--r--net/mac80211/rx.c74
-rw-r--r--net/mac80211/scan.c2
-rw-r--r--net/mac80211/sta_info.c15
-rw-r--r--net/mac80211/status.c9
-rw-r--r--net/mac80211/tx.c9
-rw-r--r--net/mac80211/util.c48
-rw-r--r--net/mac80211/wpa.c14
-rw-r--r--net/netfilter/ipset/ip_set_hash_ip.c4
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipport.c7
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipportip.c7
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipportnet.c7
-rw-r--r--net/netfilter/ipset/ip_set_hash_netiface.c2
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c3
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c3
-rw-r--r--net/netfilter/nfnetlink_cttimeout.c3
-rw-r--r--net/netfilter/xt_CT.c10
-rw-r--r--net/netfilter/xt_TEE.c1
-rw-r--r--net/netfilter/xt_nat.c8
-rw-r--r--net/netlink/af_netlink.c19
-rw-r--r--net/nfc/llcp/llcp.c2
-rw-r--r--net/openvswitch/flow.c14
-rw-r--r--net/openvswitch/vport-netdev.c2
-rw-r--r--net/sched/sch_qfq.c109
-rw-r--r--net/sctp/chunk.c20
-rw-r--r--net/sctp/proc.c8
-rw-r--r--net/sctp/sm_sideeffect.c3
-rw-r--r--net/sctp/socket.c6
-rw-r--r--net/sctp/transport.c2
-rw-r--r--net/sunrpc/backchannel_rqst.c2
-rw-r--r--net/sunrpc/cache.c4
-rw-r--r--net/sunrpc/xprtsock.c41
-rw-r--r--net/tipc/handler.c1
-rw-r--r--net/wireless/core.c3
-rw-r--r--net/wireless/mlme.c12
-rw-r--r--net/wireless/reg.c10
-rw-r--r--net/wireless/util.c14
88 files changed, 758 insertions, 375 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 9096bcb08132..ee070722a3a3 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -463,7 +463,9 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
463 463
464 case NETDEV_PRE_TYPE_CHANGE: 464 case NETDEV_PRE_TYPE_CHANGE:
465 /* Forbid underlaying device to change its type. */ 465 /* Forbid underlaying device to change its type. */
466 return NOTIFY_BAD; 466 if (vlan_uses_dev(dev))
467 return NOTIFY_BAD;
468 break;
467 469
468 case NETDEV_NOTIFY_PEERS: 470 case NETDEV_NOTIFY_PEERS:
469 case NETDEV_BONDING_FAILOVER: 471 case NETDEV_BONDING_FAILOVER:
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index fbbf1fa00940..65e06abe023f 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -366,6 +366,13 @@ EXPORT_SYMBOL(vlan_vids_del_by_dev);
366 366
367bool vlan_uses_dev(const struct net_device *dev) 367bool vlan_uses_dev(const struct net_device *dev)
368{ 368{
369 return rtnl_dereference(dev->vlan_info) ? true : false; 369 struct vlan_info *vlan_info;
370
371 ASSERT_RTNL();
372
373 vlan_info = rtnl_dereference(dev->vlan_info);
374 if (!vlan_info)
375 return false;
376 return vlan_info->grp.nr_vlan_devs ? true : false;
370} 377}
371EXPORT_SYMBOL(vlan_uses_dev); 378EXPORT_SYMBOL(vlan_uses_dev);
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 0a9084ad19a6..fd8d5afec0dd 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1167,6 +1167,8 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
1167 uint16_t crc; 1167 uint16_t crc;
1168 unsigned long entrytime; 1168 unsigned long entrytime;
1169 1169
1170 spin_lock_init(&bat_priv->bla.bcast_duplist_lock);
1171
1170 batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla hash registering\n"); 1172 batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla hash registering\n");
1171 1173
1172 /* setting claim destination address */ 1174 /* setting claim destination address */
@@ -1210,8 +1212,8 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
1210/** 1212/**
1211 * batadv_bla_check_bcast_duplist 1213 * batadv_bla_check_bcast_duplist
1212 * @bat_priv: the bat priv with all the soft interface information 1214 * @bat_priv: the bat priv with all the soft interface information
1213 * @bcast_packet: originator mac address 1215 * @bcast_packet: encapsulated broadcast frame plus batman header
1214 * @hdr_size: maximum length of the frame 1216 * @bcast_packet_len: length of encapsulated broadcast frame plus batman header
1215 * 1217 *
1216 * check if it is on our broadcast list. Another gateway might 1218 * check if it is on our broadcast list. Another gateway might
1217 * have sent the same packet because it is connected to the same backbone, 1219 * have sent the same packet because it is connected to the same backbone,
@@ -1224,20 +1226,22 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
1224 */ 1226 */
1225int batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, 1227int batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
1226 struct batadv_bcast_packet *bcast_packet, 1228 struct batadv_bcast_packet *bcast_packet,
1227 int hdr_size) 1229 int bcast_packet_len)
1228{ 1230{
1229 int i, length, curr; 1231 int i, length, curr, ret = 0;
1230 uint8_t *content; 1232 uint8_t *content;
1231 uint16_t crc; 1233 uint16_t crc;
1232 struct batadv_bcast_duplist_entry *entry; 1234 struct batadv_bcast_duplist_entry *entry;
1233 1235
1234 length = hdr_size - sizeof(*bcast_packet); 1236 length = bcast_packet_len - sizeof(*bcast_packet);
1235 content = (uint8_t *)bcast_packet; 1237 content = (uint8_t *)bcast_packet;
1236 content += sizeof(*bcast_packet); 1238 content += sizeof(*bcast_packet);
1237 1239
1238 /* calculate the crc ... */ 1240 /* calculate the crc ... */
1239 crc = crc16(0, content, length); 1241 crc = crc16(0, content, length);
1240 1242
1243 spin_lock_bh(&bat_priv->bla.bcast_duplist_lock);
1244
1241 for (i = 0; i < BATADV_DUPLIST_SIZE; i++) { 1245 for (i = 0; i < BATADV_DUPLIST_SIZE; i++) {
1242 curr = (bat_priv->bla.bcast_duplist_curr + i); 1246 curr = (bat_priv->bla.bcast_duplist_curr + i);
1243 curr %= BATADV_DUPLIST_SIZE; 1247 curr %= BATADV_DUPLIST_SIZE;
@@ -1259,9 +1263,12 @@ int batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
1259 /* this entry seems to match: same crc, not too old, 1263 /* this entry seems to match: same crc, not too old,
1260 * and from another gw. therefore return 1 to forbid it. 1264 * and from another gw. therefore return 1 to forbid it.
1261 */ 1265 */
1262 return 1; 1266 ret = 1;
1267 goto out;
1263 } 1268 }
1264 /* not found, add a new entry (overwrite the oldest entry) */ 1269 /* not found, add a new entry (overwrite the oldest entry)
1270 * and allow it, its the first occurence.
1271 */
1265 curr = (bat_priv->bla.bcast_duplist_curr + BATADV_DUPLIST_SIZE - 1); 1272 curr = (bat_priv->bla.bcast_duplist_curr + BATADV_DUPLIST_SIZE - 1);
1266 curr %= BATADV_DUPLIST_SIZE; 1273 curr %= BATADV_DUPLIST_SIZE;
1267 entry = &bat_priv->bla.bcast_duplist[curr]; 1274 entry = &bat_priv->bla.bcast_duplist[curr];
@@ -1270,8 +1277,10 @@ int batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
1270 memcpy(entry->orig, bcast_packet->orig, ETH_ALEN); 1277 memcpy(entry->orig, bcast_packet->orig, ETH_ALEN);
1271 bat_priv->bla.bcast_duplist_curr = curr; 1278 bat_priv->bla.bcast_duplist_curr = curr;
1272 1279
1273 /* allow it, its the first occurence. */ 1280out:
1274 return 0; 1281 spin_unlock_bh(&bat_priv->bla.bcast_duplist_lock);
1282
1283 return ret;
1275} 1284}
1276 1285
1277 1286
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 939fc01371df..376b4cc6ca82 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1124,8 +1124,14 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
1124 1124
1125 spin_unlock_bh(&orig_node->bcast_seqno_lock); 1125 spin_unlock_bh(&orig_node->bcast_seqno_lock);
1126 1126
1127 /* keep skb linear for crc calculation */
1128 if (skb_linearize(skb) < 0)
1129 goto out;
1130
1131 bcast_packet = (struct batadv_bcast_packet *)skb->data;
1132
1127 /* check whether this has been sent by another originator before */ 1133 /* check whether this has been sent by another originator before */
1128 if (batadv_bla_check_bcast_duplist(bat_priv, bcast_packet, hdr_size)) 1134 if (batadv_bla_check_bcast_duplist(bat_priv, bcast_packet, skb->len))
1129 goto out; 1135 goto out;
1130 1136
1131 /* rebroadcast packet */ 1137 /* rebroadcast packet */
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index b9a28d2dd3e8..ce0684a1fc83 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -325,6 +325,12 @@ void batadv_interface_rx(struct net_device *soft_iface,
325 325
326 soft_iface->last_rx = jiffies; 326 soft_iface->last_rx = jiffies;
327 327
328 /* Let the bridge loop avoidance check the packet. If will
329 * not handle it, we can safely push it up.
330 */
331 if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
332 goto out;
333
328 if (orig_node) 334 if (orig_node)
329 batadv_tt_add_temporary_global_entry(bat_priv, orig_node, 335 batadv_tt_add_temporary_global_entry(bat_priv, orig_node,
330 ethhdr->h_source); 336 ethhdr->h_source);
@@ -332,12 +338,6 @@ void batadv_interface_rx(struct net_device *soft_iface,
332 if (batadv_is_ap_isolated(bat_priv, ethhdr->h_source, ethhdr->h_dest)) 338 if (batadv_is_ap_isolated(bat_priv, ethhdr->h_source, ethhdr->h_dest))
333 goto dropped; 339 goto dropped;
334 340
335 /* Let the bridge loop avoidance check the packet. If will
336 * not handle it, we can safely push it up.
337 */
338 if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
339 goto out;
340
341 netif_rx(skb); 341 netif_rx(skb);
342 goto out; 342 goto out;
343 343
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 112edd371b2f..baae71585804 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -769,6 +769,12 @@ int batadv_tt_global_add(struct batadv_priv *bat_priv,
769 */ 769 */
770 tt_global_entry->common.flags &= ~BATADV_TT_CLIENT_TEMP; 770 tt_global_entry->common.flags &= ~BATADV_TT_CLIENT_TEMP;
771 771
772 /* the change can carry possible "attribute" flags like the
773 * TT_CLIENT_WIFI, therefore they have to be copied in the
774 * client entry
775 */
776 tt_global_entry->common.flags |= flags;
777
772 /* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only 778 /* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
773 * one originator left in the list and we previously received a 779 * one originator left in the list and we previously received a
774 * delete + roaming change for this originator. 780 * delete + roaming change for this originator.
@@ -1496,7 +1502,7 @@ batadv_tt_response_fill_table(uint16_t tt_len, uint8_t ttvn,
1496 1502
1497 memcpy(tt_change->addr, tt_common_entry->addr, 1503 memcpy(tt_change->addr, tt_common_entry->addr,
1498 ETH_ALEN); 1504 ETH_ALEN);
1499 tt_change->flags = BATADV_NO_FLAGS; 1505 tt_change->flags = tt_common_entry->flags;
1500 1506
1501 tt_count++; 1507 tt_count++;
1502 tt_change++; 1508 tt_change++;
@@ -2450,6 +2456,13 @@ bool batadv_tt_add_temporary_global_entry(struct batadv_priv *bat_priv,
2450{ 2456{
2451 bool ret = false; 2457 bool ret = false;
2452 2458
2459 /* if the originator is a backbone node (meaning it belongs to the same
2460 * LAN of this node) the temporary client must not be added because to
2461 * reach such destination the node must use the LAN instead of the mesh
2462 */
2463 if (batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig))
2464 goto out;
2465
2453 if (!batadv_tt_global_add(bat_priv, orig_node, addr, 2466 if (!batadv_tt_global_add(bat_priv, orig_node, addr,
2454 BATADV_TT_CLIENT_TEMP, 2467 BATADV_TT_CLIENT_TEMP,
2455 atomic_read(&orig_node->last_ttvn))) 2468 atomic_read(&orig_node->last_ttvn)))
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 2ed82caacdca..ac1e07a80454 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -205,6 +205,8 @@ struct batadv_priv_bla {
205 struct batadv_hashtable *backbone_hash; 205 struct batadv_hashtable *backbone_hash;
206 struct batadv_bcast_duplist_entry bcast_duplist[BATADV_DUPLIST_SIZE]; 206 struct batadv_bcast_duplist_entry bcast_duplist[BATADV_DUPLIST_SIZE];
207 int bcast_duplist_curr; 207 int bcast_duplist_curr;
208 /* protects bcast_duplist and bcast_duplist_curr */
209 spinlock_t bcast_duplist_lock;
208 struct batadv_bla_claim_dst claim_dest; 210 struct batadv_bla_claim_dst claim_dest;
209 struct delayed_work work; 211 struct delayed_work work;
210}; 212};
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 8a0ce706aebd..a0a2f97b9c62 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1754,11 +1754,11 @@ int hci_register_dev(struct hci_dev *hdev)
1754 if (hdev->dev_type != HCI_AMP) 1754 if (hdev->dev_type != HCI_AMP)
1755 set_bit(HCI_AUTO_OFF, &hdev->dev_flags); 1755 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
1756 1756
1757 schedule_work(&hdev->power_on);
1758
1759 hci_notify(hdev, HCI_DEV_REG); 1757 hci_notify(hdev, HCI_DEV_REG);
1760 hci_dev_hold(hdev); 1758 hci_dev_hold(hdev);
1761 1759
1760 schedule_work(&hdev->power_on);
1761
1762 return id; 1762 return id;
1763 1763
1764err_wqueue: 1764err_wqueue:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index aa2ea0a8142c..91de4239da66 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -326,7 +326,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
326 struct hci_dev *d; 326 struct hci_dev *d;
327 size_t rp_len; 327 size_t rp_len;
328 u16 count; 328 u16 count;
329 int i, err; 329 int err;
330 330
331 BT_DBG("sock %p", sk); 331 BT_DBG("sock %p", sk);
332 332
@@ -347,9 +347,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
347 return -ENOMEM; 347 return -ENOMEM;
348 } 348 }
349 349
350 rp->num_controllers = cpu_to_le16(count); 350 count = 0;
351
352 i = 0;
353 list_for_each_entry(d, &hci_dev_list, list) { 351 list_for_each_entry(d, &hci_dev_list, list) {
354 if (test_bit(HCI_SETUP, &d->dev_flags)) 352 if (test_bit(HCI_SETUP, &d->dev_flags))
355 continue; 353 continue;
@@ -357,10 +355,13 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
357 if (!mgmt_valid_hdev(d)) 355 if (!mgmt_valid_hdev(d))
358 continue; 356 continue;
359 357
360 rp->index[i++] = cpu_to_le16(d->id); 358 rp->index[count++] = cpu_to_le16(d->id);
361 BT_DBG("Added hci%u", d->id); 359 BT_DBG("Added hci%u", d->id);
362 } 360 }
363 361
362 rp->num_controllers = cpu_to_le16(count);
363 rp_len = sizeof(*rp) + (2 * count);
364
364 read_unlock(&hci_dev_list_lock); 365 read_unlock(&hci_dev_list_lock);
365 366
366 err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp, 367 err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
@@ -1366,6 +1367,7 @@ static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
1366 continue; 1367 continue;
1367 1368
1368 list_del(&match->list); 1369 list_del(&match->list);
1370 kfree(match);
1369 found++; 1371 found++;
1370 } 1372 }
1371 1373
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 8c225ef349cd..a5923378bdf0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -32,6 +32,8 @@
32 32
33#define SMP_TIMEOUT msecs_to_jiffies(30000) 33#define SMP_TIMEOUT msecs_to_jiffies(30000)
34 34
35#define AUTH_REQ_MASK 0x07
36
35static inline void swap128(u8 src[16], u8 dst[16]) 37static inline void swap128(u8 src[16], u8 dst[16])
36{ 38{
37 int i; 39 int i;
@@ -230,7 +232,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
230 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 232 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
231 req->init_key_dist = 0; 233 req->init_key_dist = 0;
232 req->resp_key_dist = dist_keys; 234 req->resp_key_dist = dist_keys;
233 req->auth_req = authreq; 235 req->auth_req = (authreq & AUTH_REQ_MASK);
234 return; 236 return;
235 } 237 }
236 238
@@ -239,7 +241,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
239 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 241 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
240 rsp->init_key_dist = 0; 242 rsp->init_key_dist = 0;
241 rsp->resp_key_dist = req->resp_key_dist & dist_keys; 243 rsp->resp_key_dist = req->resp_key_dist & dist_keys;
242 rsp->auth_req = authreq; 244 rsp->auth_req = (authreq & AUTH_REQ_MASK);
243} 245}
244 246
245static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 247static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
@@ -265,7 +267,7 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
265 267
266 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags); 268 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
267 mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type, 269 mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
268 hcon->dst_type, reason); 270 hcon->dst_type, HCI_ERROR_AUTH_FAILURE);
269 271
270 cancel_delayed_work_sync(&conn->security_timer); 272 cancel_delayed_work_sync(&conn->security_timer);
271 273
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6f747582718e..969b7cdff59d 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
1084 op->sk = sk; 1084 op->sk = sk;
1085 op->ifindex = ifindex; 1085 op->ifindex = ifindex;
1086 1086
1087 /* ifindex for timeout events w/o previous frame reception */
1088 op->rx_ifindex = ifindex;
1089
1087 /* initialize uninitialized (kzalloc) structure */ 1090 /* initialize uninitialized (kzalloc) structure */
1088 hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); 1091 hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
1089 op->timer.function = bcm_rx_timeout_handler; 1092 op->timer.function = bcm_rx_timeout_handler;
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 159aa8bef9e7..3ef1759403b4 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2300,10 +2300,11 @@ restart:
2300 mutex_unlock(&con->mutex); 2300 mutex_unlock(&con->mutex);
2301 return; 2301 return;
2302 } else { 2302 } else {
2303 con->ops->put(con);
2304 dout("con_work %p FAILED to back off %lu\n", con, 2303 dout("con_work %p FAILED to back off %lu\n", con,
2305 con->delay); 2304 con->delay);
2305 set_bit(CON_FLAG_BACKOFF, &con->flags);
2306 } 2306 }
2307 goto done;
2307 } 2308 }
2308 2309
2309 if (con->state == CON_STATE_STANDBY) { 2310 if (con->state == CON_STATE_STANDBY) {
@@ -2749,7 +2750,8 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip)
2749 msg = con->ops->alloc_msg(con, hdr, skip); 2750 msg = con->ops->alloc_msg(con, hdr, skip);
2750 mutex_lock(&con->mutex); 2751 mutex_lock(&con->mutex);
2751 if (con->state != CON_STATE_OPEN) { 2752 if (con->state != CON_STATE_OPEN) {
2752 ceph_msg_put(msg); 2753 if (msg)
2754 ceph_msg_put(msg);
2753 return -EAGAIN; 2755 return -EAGAIN;
2754 } 2756 }
2755 con->in_msg = msg; 2757 con->in_msg = msg;
diff --git a/net/core/dev.c b/net/core/dev.c
index 09cb3f6dc40c..e5942bf45a6d 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1666,7 +1666,7 @@ static inline int deliver_skb(struct sk_buff *skb,
1666 1666
1667static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb) 1667static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
1668{ 1668{
1669 if (ptype->af_packet_priv == NULL) 1669 if (!ptype->af_packet_priv || !skb->sk)
1670 return false; 1670 return false;
1671 1671
1672 if (ptype->id_match) 1672 if (ptype->id_match)
@@ -2818,8 +2818,10 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
2818 if (unlikely(tcpu != next_cpu) && 2818 if (unlikely(tcpu != next_cpu) &&
2819 (tcpu == RPS_NO_CPU || !cpu_online(tcpu) || 2819 (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
2820 ((int)(per_cpu(softnet_data, tcpu).input_queue_head - 2820 ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
2821 rflow->last_qtail)) >= 0)) 2821 rflow->last_qtail)) >= 0)) {
2822 tcpu = next_cpu;
2822 rflow = set_rps_cpu(dev, skb, rflow, next_cpu); 2823 rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
2824 }
2823 2825
2824 if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) { 2826 if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
2825 *rflowp = rflow; 2827 *rflowp = rflow;
@@ -3449,6 +3451,8 @@ static int napi_gro_complete(struct sk_buff *skb)
3449 struct list_head *head = &ptype_base[ntohs(type) & PTYPE_HASH_MASK]; 3451 struct list_head *head = &ptype_base[ntohs(type) & PTYPE_HASH_MASK];
3450 int err = -ENOENT; 3452 int err = -ENOENT;
3451 3453
3454 BUILD_BUG_ON(sizeof(struct napi_gro_cb) > sizeof(skb->cb));
3455
3452 if (NAPI_GRO_CB(skb)->count == 1) { 3456 if (NAPI_GRO_CB(skb)->count == 1) {
3453 skb_shinfo(skb)->gso_size = 0; 3457 skb_shinfo(skb)->gso_size = 0;
3454 goto out; 3458 goto out;
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index 87cc17db2d56..b079c7bbc157 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -319,7 +319,8 @@ int dev_addr_del(struct net_device *dev, const unsigned char *addr,
319 */ 319 */
320 ha = list_first_entry(&dev->dev_addrs.list, 320 ha = list_first_entry(&dev->dev_addrs.list,
321 struct netdev_hw_addr, list); 321 struct netdev_hw_addr, list);
322 if (ha->addr == dev->dev_addr && ha->refcount == 1) 322 if (!memcmp(ha->addr, addr, dev->addr_len) &&
323 ha->type == addr_type && ha->refcount == 1)
323 return -ENOENT; 324 return -ENOENT;
324 325
325 err = __hw_addr_del(&dev->dev_addrs, addr, dev->addr_len, 326 err = __hw_addr_del(&dev->dev_addrs, addr, dev->addr_len,
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index bcf02f608cbf..017a8bacfb27 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -429,6 +429,17 @@ static struct attribute_group netstat_group = {
429 .name = "statistics", 429 .name = "statistics",
430 .attrs = netstat_attrs, 430 .attrs = netstat_attrs,
431}; 431};
432
433#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
434static struct attribute *wireless_attrs[] = {
435 NULL
436};
437
438static struct attribute_group wireless_group = {
439 .name = "wireless",
440 .attrs = wireless_attrs,
441};
442#endif
432#endif /* CONFIG_SYSFS */ 443#endif /* CONFIG_SYSFS */
433 444
434#ifdef CONFIG_RPS 445#ifdef CONFIG_RPS
@@ -1409,6 +1420,15 @@ int netdev_register_kobject(struct net_device *net)
1409 groups++; 1420 groups++;
1410 1421
1411 *groups++ = &netstat_group; 1422 *groups++ = &netstat_group;
1423
1424#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
1425 if (net->ieee80211_ptr)
1426 *groups++ = &wireless_group;
1427#if IS_ENABLED(CONFIG_WIRELESS_EXT)
1428 else if (net->wireless_handlers)
1429 *groups++ = &wireless_group;
1430#endif
1431#endif
1412#endif /* CONFIG_SYSFS */ 1432#endif /* CONFIG_SYSFS */
1413 1433
1414 error = device_add(dev); 1434 error = device_add(dev);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 76d4c2c3c89b..fad649ae4dec 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2192,7 +2192,8 @@ static int nlmsg_populate_fdb(struct sk_buff *skb,
2192 goto skip; 2192 goto skip;
2193 2193
2194 err = nlmsg_populate_fdb_fill(skb, dev, ha->addr, 2194 err = nlmsg_populate_fdb_fill(skb, dev, ha->addr,
2195 portid, seq, 0, NTF_SELF); 2195 portid, seq,
2196 RTM_NEWNEIGH, NTF_SELF);
2196 if (err < 0) 2197 if (err < 0)
2197 return err; 2198 return err;
2198skip: 2199skip:
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6e04b1fa11f2..3f0636cd76cd 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3004,7 +3004,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
3004 skb_shinfo(nskb)->gso_size = pinfo->gso_size; 3004 skb_shinfo(nskb)->gso_size = pinfo->gso_size;
3005 pinfo->gso_size = 0; 3005 pinfo->gso_size = 0;
3006 skb_header_release(p); 3006 skb_header_release(p);
3007 nskb->prev = p; 3007 NAPI_GRO_CB(nskb)->last = p;
3008 3008
3009 nskb->data_len += p->len; 3009 nskb->data_len += p->len;
3010 nskb->truesize += p->truesize; 3010 nskb->truesize += p->truesize;
@@ -3030,8 +3030,8 @@ merge:
3030 3030
3031 __skb_pull(skb, offset); 3031 __skb_pull(skb, offset);
3032 3032
3033 p->prev->next = skb; 3033 NAPI_GRO_CB(p)->last->next = skb;
3034 p->prev = skb; 3034 NAPI_GRO_CB(p)->last = skb;
3035 skb_header_release(skb); 3035 skb_header_release(skb);
3036 3036
3037done: 3037done:
@@ -3379,10 +3379,12 @@ EXPORT_SYMBOL(__skb_warn_lro_forwarding);
3379 3379
3380void kfree_skb_partial(struct sk_buff *skb, bool head_stolen) 3380void kfree_skb_partial(struct sk_buff *skb, bool head_stolen)
3381{ 3381{
3382 if (head_stolen) 3382 if (head_stolen) {
3383 skb_release_head_state(skb);
3383 kmem_cache_free(skbuff_head_cache, skb); 3384 kmem_cache_free(skbuff_head_cache, skb);
3384 else 3385 } else {
3385 __kfree_skb(skb); 3386 __kfree_skb(skb);
3387 }
3386} 3388}
3387EXPORT_SYMBOL(kfree_skb_partial); 3389EXPORT_SYMBOL(kfree_skb_partial);
3388 3390
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f2eccd531746..17ff9fd7cdda 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
257 struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1); 257 struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
258 rc = inet_peer_xrlim_allow(peer, 258 rc = inet_peer_xrlim_allow(peer,
259 net->ipv4.sysctl_icmp_ratelimit); 259 net->ipv4.sysctl_icmp_ratelimit);
260 inet_putpeer(peer); 260 if (peer)
261 inet_putpeer(peer);
261 } 262 }
262out: 263out:
263 return rc; 264 return rc;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 535584c00f91..e23e16dc501d 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -44,6 +44,10 @@ struct inet_diag_entry {
44 u16 dport; 44 u16 dport;
45 u16 family; 45 u16 family;
46 u16 userlocks; 46 u16 userlocks;
47#if IS_ENABLED(CONFIG_IPV6)
48 struct in6_addr saddr_storage; /* for IPv4-mapped-IPv6 addresses */
49 struct in6_addr daddr_storage; /* for IPv4-mapped-IPv6 addresses */
50#endif
47}; 51};
48 52
49static DEFINE_MUTEX(inet_diag_table_mutex); 53static DEFINE_MUTEX(inet_diag_table_mutex);
@@ -428,25 +432,31 @@ static int inet_diag_bc_run(const struct nlattr *_bc,
428 break; 432 break;
429 } 433 }
430 434
431 if (cond->prefix_len == 0)
432 break;
433
434 if (op->code == INET_DIAG_BC_S_COND) 435 if (op->code == INET_DIAG_BC_S_COND)
435 addr = entry->saddr; 436 addr = entry->saddr;
436 else 437 else
437 addr = entry->daddr; 438 addr = entry->daddr;
438 439
440 if (cond->family != AF_UNSPEC &&
441 cond->family != entry->family) {
442 if (entry->family == AF_INET6 &&
443 cond->family == AF_INET) {
444 if (addr[0] == 0 && addr[1] == 0 &&
445 addr[2] == htonl(0xffff) &&
446 bitstring_match(addr + 3,
447 cond->addr,
448 cond->prefix_len))
449 break;
450 }
451 yes = 0;
452 break;
453 }
454
455 if (cond->prefix_len == 0)
456 break;
439 if (bitstring_match(addr, cond->addr, 457 if (bitstring_match(addr, cond->addr,
440 cond->prefix_len)) 458 cond->prefix_len))
441 break; 459 break;
442 if (entry->family == AF_INET6 &&
443 cond->family == AF_INET) {
444 if (addr[0] == 0 && addr[1] == 0 &&
445 addr[2] == htonl(0xffff) &&
446 bitstring_match(addr + 3, cond->addr,
447 cond->prefix_len))
448 break;
449 }
450 yes = 0; 460 yes = 0;
451 break; 461 break;
452 } 462 }
@@ -509,6 +519,55 @@ static int valid_cc(const void *bc, int len, int cc)
509 return 0; 519 return 0;
510} 520}
511 521
522/* Validate an inet_diag_hostcond. */
523static bool valid_hostcond(const struct inet_diag_bc_op *op, int len,
524 int *min_len)
525{
526 int addr_len;
527 struct inet_diag_hostcond *cond;
528
529 /* Check hostcond space. */
530 *min_len += sizeof(struct inet_diag_hostcond);
531 if (len < *min_len)
532 return false;
533 cond = (struct inet_diag_hostcond *)(op + 1);
534
535 /* Check address family and address length. */
536 switch (cond->family) {
537 case AF_UNSPEC:
538 addr_len = 0;
539 break;
540 case AF_INET:
541 addr_len = sizeof(struct in_addr);
542 break;
543 case AF_INET6:
544 addr_len = sizeof(struct in6_addr);
545 break;
546 default:
547 return false;
548 }
549 *min_len += addr_len;
550 if (len < *min_len)
551 return false;
552
553 /* Check prefix length (in bits) vs address length (in bytes). */
554 if (cond->prefix_len > 8 * addr_len)
555 return false;
556
557 return true;
558}
559
560/* Validate a port comparison operator. */
561static inline bool valid_port_comparison(const struct inet_diag_bc_op *op,
562 int len, int *min_len)
563{
564 /* Port comparisons put the port in a follow-on inet_diag_bc_op. */
565 *min_len += sizeof(struct inet_diag_bc_op);
566 if (len < *min_len)
567 return false;
568 return true;
569}
570
512static int inet_diag_bc_audit(const void *bytecode, int bytecode_len) 571static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
513{ 572{
514 const void *bc = bytecode; 573 const void *bc = bytecode;
@@ -516,29 +575,39 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
516 575
517 while (len > 0) { 576 while (len > 0) {
518 const struct inet_diag_bc_op *op = bc; 577 const struct inet_diag_bc_op *op = bc;
578 int min_len = sizeof(struct inet_diag_bc_op);
519 579
520//printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len); 580//printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
521 switch (op->code) { 581 switch (op->code) {
522 case INET_DIAG_BC_AUTO:
523 case INET_DIAG_BC_S_COND: 582 case INET_DIAG_BC_S_COND:
524 case INET_DIAG_BC_D_COND: 583 case INET_DIAG_BC_D_COND:
584 if (!valid_hostcond(bc, len, &min_len))
585 return -EINVAL;
586 break;
525 case INET_DIAG_BC_S_GE: 587 case INET_DIAG_BC_S_GE:
526 case INET_DIAG_BC_S_LE: 588 case INET_DIAG_BC_S_LE:
527 case INET_DIAG_BC_D_GE: 589 case INET_DIAG_BC_D_GE:
528 case INET_DIAG_BC_D_LE: 590 case INET_DIAG_BC_D_LE:
529 case INET_DIAG_BC_JMP: 591 if (!valid_port_comparison(bc, len, &min_len))
530 if (op->no < 4 || op->no > len + 4 || op->no & 3)
531 return -EINVAL;
532 if (op->no < len &&
533 !valid_cc(bytecode, bytecode_len, len - op->no))
534 return -EINVAL; 592 return -EINVAL;
535 break; 593 break;
594 case INET_DIAG_BC_AUTO:
595 case INET_DIAG_BC_JMP:
536 case INET_DIAG_BC_NOP: 596 case INET_DIAG_BC_NOP:
537 break; 597 break;
538 default: 598 default:
539 return -EINVAL; 599 return -EINVAL;
540 } 600 }
541 if (op->yes < 4 || op->yes > len + 4 || op->yes & 3) 601
602 if (op->code != INET_DIAG_BC_NOP) {
603 if (op->no < min_len || op->no > len + 4 || op->no & 3)
604 return -EINVAL;
605 if (op->no < len &&
606 !valid_cc(bytecode, bytecode_len, len - op->no))
607 return -EINVAL;
608 }
609
610 if (op->yes < min_len || op->yes > len + 4 || op->yes & 3)
542 return -EINVAL; 611 return -EINVAL;
543 bc += op->yes; 612 bc += op->yes;
544 len -= op->yes; 613 len -= op->yes;
@@ -596,6 +665,36 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
596 cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh); 665 cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
597} 666}
598 667
668/* Get the IPv4, IPv6, or IPv4-mapped-IPv6 local and remote addresses
669 * from a request_sock. For IPv4-mapped-IPv6 we must map IPv4 to IPv6.
670 */
671static inline void inet_diag_req_addrs(const struct sock *sk,
672 const struct request_sock *req,
673 struct inet_diag_entry *entry)
674{
675 struct inet_request_sock *ireq = inet_rsk(req);
676
677#if IS_ENABLED(CONFIG_IPV6)
678 if (sk->sk_family == AF_INET6) {
679 if (req->rsk_ops->family == AF_INET6) {
680 entry->saddr = inet6_rsk(req)->loc_addr.s6_addr32;
681 entry->daddr = inet6_rsk(req)->rmt_addr.s6_addr32;
682 } else if (req->rsk_ops->family == AF_INET) {
683 ipv6_addr_set_v4mapped(ireq->loc_addr,
684 &entry->saddr_storage);
685 ipv6_addr_set_v4mapped(ireq->rmt_addr,
686 &entry->daddr_storage);
687 entry->saddr = entry->saddr_storage.s6_addr32;
688 entry->daddr = entry->daddr_storage.s6_addr32;
689 }
690 } else
691#endif
692 {
693 entry->saddr = &ireq->loc_addr;
694 entry->daddr = &ireq->rmt_addr;
695 }
696}
697
599static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk, 698static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
600 struct request_sock *req, 699 struct request_sock *req,
601 struct user_namespace *user_ns, 700 struct user_namespace *user_ns,
@@ -637,8 +736,10 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
637 r->idiag_inode = 0; 736 r->idiag_inode = 0;
638#if IS_ENABLED(CONFIG_IPV6) 737#if IS_ENABLED(CONFIG_IPV6)
639 if (r->idiag_family == AF_INET6) { 738 if (r->idiag_family == AF_INET6) {
640 *(struct in6_addr *)r->id.idiag_src = inet6_rsk(req)->loc_addr; 739 struct inet_diag_entry entry;
641 *(struct in6_addr *)r->id.idiag_dst = inet6_rsk(req)->rmt_addr; 740 inet_diag_req_addrs(sk, req, &entry);
741 memcpy(r->id.idiag_src, entry.saddr, sizeof(struct in6_addr));
742 memcpy(r->id.idiag_dst, entry.daddr, sizeof(struct in6_addr));
642 } 743 }
643#endif 744#endif
644 745
@@ -691,18 +792,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
691 continue; 792 continue;
692 793
693 if (bc) { 794 if (bc) {
694 entry.saddr = 795 inet_diag_req_addrs(sk, req, &entry);
695#if IS_ENABLED(CONFIG_IPV6)
696 (entry.family == AF_INET6) ?
697 inet6_rsk(req)->loc_addr.s6_addr32 :
698#endif
699 &ireq->loc_addr;
700 entry.daddr =
701#if IS_ENABLED(CONFIG_IPV6)
702 (entry.family == AF_INET6) ?
703 inet6_rsk(req)->rmt_addr.s6_addr32 :
704#endif
705 &ireq->rmt_addr;
706 entry.dport = ntohs(ireq->rmt_port); 796 entry.dport = ntohs(ireq->rmt_port);
707 797
708 if (!inet_diag_bc_run(bc, &entry)) 798 if (!inet_diag_bc_run(bc, &entry))
@@ -892,13 +982,16 @@ static int __inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
892 struct inet_diag_req_v2 *r, struct nlattr *bc) 982 struct inet_diag_req_v2 *r, struct nlattr *bc)
893{ 983{
894 const struct inet_diag_handler *handler; 984 const struct inet_diag_handler *handler;
985 int err = 0;
895 986
896 handler = inet_diag_lock_handler(r->sdiag_protocol); 987 handler = inet_diag_lock_handler(r->sdiag_protocol);
897 if (!IS_ERR(handler)) 988 if (!IS_ERR(handler))
898 handler->dump(skb, cb, r, bc); 989 handler->dump(skb, cb, r, bc);
990 else
991 err = PTR_ERR(handler);
899 inet_diag_unlock_handler(handler); 992 inet_diag_unlock_handler(handler);
900 993
901 return skb->len; 994 return err ? : skb->len;
902} 995}
903 996
904static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) 997static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 448e68546827..8d5cc75dac88 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -707,28 +707,27 @@ EXPORT_SYMBOL(ip_defrag);
707 707
708struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user) 708struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
709{ 709{
710 const struct iphdr *iph; 710 struct iphdr iph;
711 u32 len; 711 u32 len;
712 712
713 if (skb->protocol != htons(ETH_P_IP)) 713 if (skb->protocol != htons(ETH_P_IP))
714 return skb; 714 return skb;
715 715
716 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 716 if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
717 return skb; 717 return skb;
718 718
719 iph = ip_hdr(skb); 719 if (iph.ihl < 5 || iph.version != 4)
720 if (iph->ihl < 5 || iph->version != 4)
721 return skb; 720 return skb;
722 if (!pskb_may_pull(skb, iph->ihl*4)) 721
723 return skb; 722 len = ntohs(iph.tot_len);
724 iph = ip_hdr(skb); 723 if (skb->len < len || len < (iph.ihl * 4))
725 len = ntohs(iph->tot_len);
726 if (skb->len < len || len < (iph->ihl * 4))
727 return skb; 724 return skb;
728 725
729 if (ip_is_fragment(ip_hdr(skb))) { 726 if (ip_is_fragment(&iph)) {
730 skb = skb_share_check(skb, GFP_ATOMIC); 727 skb = skb_share_check(skb, GFP_ATOMIC);
731 if (skb) { 728 if (skb) {
729 if (!pskb_may_pull(skb, iph.ihl*4))
730 return skb;
732 if (pskb_trim_rcsum(skb, len)) 731 if (pskb_trim_rcsum(skb, len))
733 return skb; 732 return skb;
734 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); 733 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 5eea4a811042..14bbfcf717ac 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -457,19 +457,28 @@ static int do_ip_setsockopt(struct sock *sk, int level,
457 struct inet_sock *inet = inet_sk(sk); 457 struct inet_sock *inet = inet_sk(sk);
458 int val = 0, err; 458 int val = 0, err;
459 459
460 if (((1<<optname) & ((1<<IP_PKTINFO) | (1<<IP_RECVTTL) | 460 switch (optname) {
461 (1<<IP_RECVOPTS) | (1<<IP_RECVTOS) | 461 case IP_PKTINFO:
462 (1<<IP_RETOPTS) | (1<<IP_TOS) | 462 case IP_RECVTTL:
463 (1<<IP_TTL) | (1<<IP_HDRINCL) | 463 case IP_RECVOPTS:
464 (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) | 464 case IP_RECVTOS:
465 (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) | 465 case IP_RETOPTS:
466 (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) | 466 case IP_TOS:
467 (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) || 467 case IP_TTL:
468 optname == IP_UNICAST_IF || 468 case IP_HDRINCL:
469 optname == IP_MULTICAST_TTL || 469 case IP_MTU_DISCOVER:
470 optname == IP_MULTICAST_ALL || 470 case IP_RECVERR:
471 optname == IP_MULTICAST_LOOP || 471 case IP_ROUTER_ALERT:
472 optname == IP_RECVORIGDSTADDR) { 472 case IP_FREEBIND:
473 case IP_PASSSEC:
474 case IP_TRANSPARENT:
475 case IP_MINTTL:
476 case IP_NODEFRAG:
477 case IP_UNICAST_IF:
478 case IP_MULTICAST_TTL:
479 case IP_MULTICAST_ALL:
480 case IP_MULTICAST_LOOP:
481 case IP_RECVORIGDSTADDR:
473 if (optlen >= sizeof(int)) { 482 if (optlen >= sizeof(int)) {
474 if (get_user(val, (int __user *) optval)) 483 if (get_user(val, (int __user *) optval))
475 return -EFAULT; 484 return -EFAULT;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 1831092f999f..858fddf6482a 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
338 if (tunnel != NULL) { 338 if (tunnel != NULL) {
339 struct pcpu_tstats *tstats; 339 struct pcpu_tstats *tstats;
340 340
341 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
342 return -1;
343
341 tstats = this_cpu_ptr(tunnel->dev->tstats); 344 tstats = this_cpu_ptr(tunnel->dev->tstats);
342 u64_stats_update_begin(&tstats->syncp); 345 u64_stats_update_begin(&tstats->syncp);
343 tstats->rx_packets++; 346 tstats->rx_packets++;
344 tstats->rx_bytes += skb->len; 347 tstats->rx_bytes += skb->len;
345 u64_stats_update_end(&tstats->syncp); 348 u64_stats_update_end(&tstats->syncp);
346 349
350 skb->mark = 0;
351 secpath_reset(skb);
347 skb->dev = tunnel->dev; 352 skb->dev = tunnel->dev;
348 return 1; 353 return 1;
349 } 354 }
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 6168c4dc58b1..3eab2b2ffd34 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
1318 if (get_user(v, (u32 __user *)optval)) 1318 if (get_user(v, (u32 __user *)optval))
1319 return -EFAULT; 1319 return -EFAULT;
1320 1320
1321 /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
1322 if (v != RT_TABLE_DEFAULT && v >= 1000000000)
1323 return -EINVAL;
1324
1321 rtnl_lock(); 1325 rtnl_lock();
1322 ret = 0; 1326 ret = 0;
1323 if (sk == rtnl_dereference(mrt->mroute_sk)) { 1327 if (sk == rtnl_dereference(mrt->mroute_sk)) {
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 9e0ffaf1d942..a82047282dbb 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -184,7 +184,8 @@ nf_nat_ipv4_out(unsigned int hooknum,
184 184
185 if ((ct->tuplehash[dir].tuple.src.u3.ip != 185 if ((ct->tuplehash[dir].tuple.src.u3.ip !=
186 ct->tuplehash[!dir].tuple.dst.u3.ip) || 186 ct->tuplehash[!dir].tuple.dst.u3.ip) ||
187 (ct->tuplehash[dir].tuple.src.u.all != 187 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
188 ct->tuplehash[dir].tuple.src.u.all !=
188 ct->tuplehash[!dir].tuple.dst.u.all)) 189 ct->tuplehash[!dir].tuple.dst.u.all))
189 if (nf_xfrm_me_harder(skb, AF_INET) < 0) 190 if (nf_xfrm_me_harder(skb, AF_INET) < 0)
190 ret = NF_DROP; 191 ret = NF_DROP;
@@ -221,6 +222,7 @@ nf_nat_ipv4_local_fn(unsigned int hooknum,
221 } 222 }
222#ifdef CONFIG_XFRM 223#ifdef CONFIG_XFRM
223 else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && 224 else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
225 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
224 ct->tuplehash[dir].tuple.dst.u.all != 226 ct->tuplehash[dir].tuple.dst.u.all !=
225 ct->tuplehash[!dir].tuple.src.u.all) 227 ct->tuplehash[!dir].tuple.src.u.all)
226 if (nf_xfrm_me_harder(skb, AF_INET) < 0) 228 if (nf_xfrm_me_harder(skb, AF_INET) < 0)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 432f4bb77238..df251424d816 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1163,8 +1163,12 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
1163 spin_lock_bh(&fnhe_lock); 1163 spin_lock_bh(&fnhe_lock);
1164 1164
1165 if (daddr == fnhe->fnhe_daddr) { 1165 if (daddr == fnhe->fnhe_daddr) {
1166 struct rtable *orig; 1166 struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
1167 1167 if (orig && rt_is_expired(orig)) {
1168 fnhe->fnhe_gw = 0;
1169 fnhe->fnhe_pmtu = 0;
1170 fnhe->fnhe_expires = 0;
1171 }
1168 if (fnhe->fnhe_pmtu) { 1172 if (fnhe->fnhe_pmtu) {
1169 unsigned long expires = fnhe->fnhe_expires; 1173 unsigned long expires = fnhe->fnhe_expires;
1170 unsigned long diff = expires - jiffies; 1174 unsigned long diff = expires - jiffies;
@@ -1181,7 +1185,6 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
1181 } else if (!rt->rt_gateway) 1185 } else if (!rt->rt_gateway)
1182 rt->rt_gateway = daddr; 1186 rt->rt_gateway = daddr;
1183 1187
1184 orig = rcu_dereference(fnhe->fnhe_rth);
1185 rcu_assign_pointer(fnhe->fnhe_rth, rt); 1188 rcu_assign_pointer(fnhe->fnhe_rth, rt);
1186 if (orig) 1189 if (orig)
1187 rt_free(orig); 1190 rt_free(orig);
@@ -1782,6 +1785,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
1782 if (dev_out->flags & IFF_LOOPBACK) 1785 if (dev_out->flags & IFF_LOOPBACK)
1783 flags |= RTCF_LOCAL; 1786 flags |= RTCF_LOCAL;
1784 1787
1788 do_cache = true;
1785 if (type == RTN_BROADCAST) { 1789 if (type == RTN_BROADCAST) {
1786 flags |= RTCF_BROADCAST | RTCF_LOCAL; 1790 flags |= RTCF_BROADCAST | RTCF_LOCAL;
1787 fi = NULL; 1791 fi = NULL;
@@ -1790,6 +1794,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
1790 if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, 1794 if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
1791 fl4->flowi4_proto)) 1795 fl4->flowi4_proto))
1792 flags &= ~RTCF_LOCAL; 1796 flags &= ~RTCF_LOCAL;
1797 else
1798 do_cache = false;
1793 /* If multicast route do not exist use 1799 /* If multicast route do not exist use
1794 * default one, but do not gateway in this case. 1800 * default one, but do not gateway in this case.
1795 * Yes, it is hack. 1801 * Yes, it is hack.
@@ -1799,8 +1805,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
1799 } 1805 }
1800 1806
1801 fnhe = NULL; 1807 fnhe = NULL;
1802 do_cache = fi != NULL; 1808 do_cache &= fi != NULL;
1803 if (fi) { 1809 if (do_cache) {
1804 struct rtable __rcu **prth; 1810 struct rtable __rcu **prth;
1805 struct fib_nh *nh = &FIB_RES_NH(*res); 1811 struct fib_nh *nh = &FIB_RES_NH(*res);
1806 1812
@@ -2594,7 +2600,7 @@ int __init ip_rt_init(void)
2594 pr_err("Unable to create route proc files\n"); 2600 pr_err("Unable to create route proc files\n");
2595#ifdef CONFIG_XFRM 2601#ifdef CONFIG_XFRM
2596 xfrm_init(); 2602 xfrm_init();
2597 xfrm4_init(ip_rt_max_size); 2603 xfrm4_init();
2598#endif 2604#endif
2599 rtnl_register(PF_INET, RTM_GETROUTE, inet_rtm_getroute, NULL, NULL); 2605 rtnl_register(PF_INET, RTM_GETROUTE, inet_rtm_getroute, NULL, NULL);
2600 2606
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f32c02e2a543..e457c7ab2e28 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -549,14 +549,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
549 !tp->urg_data || 549 !tp->urg_data ||
550 before(tp->urg_seq, tp->copied_seq) || 550 before(tp->urg_seq, tp->copied_seq) ||
551 !before(tp->urg_seq, tp->rcv_nxt)) { 551 !before(tp->urg_seq, tp->rcv_nxt)) {
552 struct sk_buff *skb;
553 552
554 answ = tp->rcv_nxt - tp->copied_seq; 553 answ = tp->rcv_nxt - tp->copied_seq;
555 554
556 /* Subtract 1, if FIN is in queue. */ 555 /* Subtract 1, if FIN was received */
557 skb = skb_peek_tail(&sk->sk_receive_queue); 556 if (answ && sock_flag(sk, SOCK_DONE))
558 if (answ && skb) 557 answ--;
559 answ -= tcp_hdr(skb)->fin;
560 } else 558 } else
561 answ = tp->urg_seq - tp->copied_seq; 559 answ = tp->urg_seq - tp->copied_seq;
562 release_sock(sk); 560 release_sock(sk);
@@ -832,8 +830,8 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
832 return mss_now; 830 return mss_now;
833} 831}
834 832
835static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset, 833static ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
836 size_t psize, int flags) 834 size_t size, int flags)
837{ 835{
838 struct tcp_sock *tp = tcp_sk(sk); 836 struct tcp_sock *tp = tcp_sk(sk);
839 int mss_now, size_goal; 837 int mss_now, size_goal;
@@ -860,12 +858,9 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
860 if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) 858 if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
861 goto out_err; 859 goto out_err;
862 860
863 while (psize > 0) { 861 while (size > 0) {
864 struct sk_buff *skb = tcp_write_queue_tail(sk); 862 struct sk_buff *skb = tcp_write_queue_tail(sk);
865 struct page *page = pages[poffset / PAGE_SIZE];
866 int copy, i; 863 int copy, i;
867 int offset = poffset % PAGE_SIZE;
868 int size = min_t(size_t, psize, PAGE_SIZE - offset);
869 bool can_coalesce; 864 bool can_coalesce;
870 865
871 if (!tcp_send_head(sk) || (copy = size_goal - skb->len) <= 0) { 866 if (!tcp_send_head(sk) || (copy = size_goal - skb->len) <= 0) {
@@ -914,8 +909,8 @@ new_segment:
914 TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH; 909 TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;
915 910
916 copied += copy; 911 copied += copy;
917 poffset += copy; 912 offset += copy;
918 if (!(psize -= copy)) 913 if (!(size -= copy))
919 goto out; 914 goto out;
920 915
921 if (skb->len < size_goal || (flags & MSG_OOB)) 916 if (skb->len < size_goal || (flags & MSG_OOB))
@@ -962,7 +957,7 @@ int tcp_sendpage(struct sock *sk, struct page *page, int offset,
962 flags); 957 flags);
963 958
964 lock_sock(sk); 959 lock_sock(sk);
965 res = do_tcp_sendpages(sk, &page, offset, size, flags); 960 res = do_tcp_sendpages(sk, page, offset, size, flags);
966 release_sock(sk); 961 release_sock(sk);
967 return res; 962 return res;
968} 963}
@@ -1214,7 +1209,7 @@ new_segment:
1214wait_for_sndbuf: 1209wait_for_sndbuf:
1215 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); 1210 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
1216wait_for_memory: 1211wait_for_memory:
1217 if (copied && likely(!tp->repair)) 1212 if (copied)
1218 tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH); 1213 tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
1219 1214
1220 if ((err = sk_stream_wait_memory(sk, &timeo)) != 0) 1215 if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
@@ -1225,7 +1220,7 @@ wait_for_memory:
1225 } 1220 }
1226 1221
1227out: 1222out:
1228 if (copied && likely(!tp->repair)) 1223 if (copied)
1229 tcp_push(sk, flags, mss_now, tp->nonagle); 1224 tcp_push(sk, flags, mss_now, tp->nonagle);
1230 release_sock(sk); 1225 release_sock(sk);
1231 return copied + copied_syn; 1226 return copied + copied_syn;
@@ -2766,6 +2761,8 @@ void tcp_get_info(const struct sock *sk, struct tcp_info *info)
2766 info->tcpi_options |= TCPI_OPT_ECN; 2761 info->tcpi_options |= TCPI_OPT_ECN;
2767 if (tp->ecn_flags & TCP_ECN_SEEN) 2762 if (tp->ecn_flags & TCP_ECN_SEEN)
2768 info->tcpi_options |= TCPI_OPT_ECN_SEEN; 2763 info->tcpi_options |= TCPI_OPT_ECN_SEEN;
2764 if (tp->syn_data_acked)
2765 info->tcpi_options |= TCPI_OPT_SYN_DATA;
2769 2766
2770 info->tcpi_rto = jiffies_to_usecs(icsk->icsk_rto); 2767 info->tcpi_rto = jiffies_to_usecs(icsk->icsk_rto);
2771 info->tcpi_ato = jiffies_to_usecs(icsk->icsk_ack.ato); 2768 info->tcpi_ato = jiffies_to_usecs(icsk->icsk_ack.ato);
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 813b43a76fec..834857f3c871 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
313 .tcpv_rttcnt = ca->cnt_rtt, 313 .tcpv_rttcnt = ca->cnt_rtt,
314 .tcpv_minrtt = ca->base_rtt, 314 .tcpv_minrtt = ca->base_rtt,
315 }; 315 };
316 u64 t = ca->sum_rtt;
317 316
318 do_div(t, ca->cnt_rtt); 317 if (info.tcpv_rttcnt > 0) {
319 info.tcpv_rtt = t; 318 u64 t = ca->sum_rtt;
320 319
320 do_div(t, info.tcpv_rttcnt);
321 info.tcpv_rtt = t;
322 }
321 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); 323 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
322 } 324 }
323} 325}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 432c36649db3..181fc8234a52 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4529,6 +4529,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
4529 struct tcphdr *th; 4529 struct tcphdr *th;
4530 bool fragstolen; 4530 bool fragstolen;
4531 4531
4532 if (size == 0)
4533 return 0;
4534
4532 skb = alloc_skb(size + sizeof(*th), sk->sk_allocation); 4535 skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
4533 if (!skb) 4536 if (!skb)
4534 goto err; 4537 goto err;
@@ -5310,11 +5313,6 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
5310 goto discard; 5313 goto discard;
5311 } 5314 }
5312 5315
5313 /* ts_recent update must be made after we are sure that the packet
5314 * is in window.
5315 */
5316 tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
5317
5318 /* step 3: check security and precedence [ignored] */ 5316 /* step 3: check security and precedence [ignored] */
5319 5317
5320 /* step 4: Check for a SYN 5318 /* step 4: Check for a SYN
@@ -5549,6 +5547,11 @@ step5:
5549 if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) 5547 if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
5550 goto discard; 5548 goto discard;
5551 5549
5550 /* ts_recent update must be made after we are sure that the packet
5551 * is in window.
5552 */
5553 tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
5554
5552 tcp_rcv_rtt_measure_ts(sk, skb); 5555 tcp_rcv_rtt_measure_ts(sk, skb);
5553 5556
5554 /* Process urgent data. */ 5557 /* Process urgent data. */
@@ -5642,10 +5645,15 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
5642 tcp_fastopen_cache_set(sk, mss, cookie, syn_drop); 5645 tcp_fastopen_cache_set(sk, mss, cookie, syn_drop);
5643 5646
5644 if (data) { /* Retransmit unacked data in SYN */ 5647 if (data) { /* Retransmit unacked data in SYN */
5645 tcp_retransmit_skb(sk, data); 5648 tcp_for_write_queue_from(data, sk) {
5649 if (data == tcp_send_head(sk) ||
5650 __tcp_retransmit_skb(sk, data))
5651 break;
5652 }
5646 tcp_rearm_rto(sk); 5653 tcp_rearm_rto(sk);
5647 return true; 5654 return true;
5648 } 5655 }
5656 tp->syn_data_acked = tp->syn_data;
5649 return false; 5657 return false;
5650} 5658}
5651 5659
@@ -5963,7 +5971,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
5963 5971
5964 req = tp->fastopen_rsk; 5972 req = tp->fastopen_rsk;
5965 if (req != NULL) { 5973 if (req != NULL) {
5966 BUG_ON(sk->sk_state != TCP_SYN_RECV && 5974 WARN_ON_ONCE(sk->sk_state != TCP_SYN_RECV &&
5967 sk->sk_state != TCP_FIN_WAIT1); 5975 sk->sk_state != TCP_FIN_WAIT1);
5968 5976
5969 if (tcp_check_req(sk, skb, req, NULL, true) == NULL) 5977 if (tcp_check_req(sk, skb, req, NULL, true) == NULL)
@@ -6052,7 +6060,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
6052 * ACK we have received, this would have acknowledged 6060 * ACK we have received, this would have acknowledged
6053 * our SYNACK so stop the SYNACK timer. 6061 * our SYNACK so stop the SYNACK timer.
6054 */ 6062 */
6055 if (acceptable && req != NULL) { 6063 if (req != NULL) {
6064 /* Return RST if ack_seq is invalid.
6065 * Note that RFC793 only says to generate a
6066 * DUPACK for it but for TCP Fast Open it seems
6067 * better to treat this case like TCP_SYN_RECV
6068 * above.
6069 */
6070 if (!acceptable)
6071 return 1;
6056 /* We no longer need the request sock. */ 6072 /* We no longer need the request sock. */
6057 reqsk_fastopen_remove(sk, req, false); 6073 reqsk_fastopen_remove(sk, req, false);
6058 tcp_rearm_rto(sk); 6074 tcp_rearm_rto(sk);
@@ -6118,6 +6134,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
6118 } else 6134 } else
6119 goto discard; 6135 goto discard;
6120 6136
6137 /* ts_recent update must be made after we are sure that the packet
6138 * is in window.
6139 */
6140 tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
6141
6121 /* step 6: check the URG bit */ 6142 /* step 6: check the URG bit */
6122 tcp_urg(sk, skb, th); 6143 tcp_urg(sk, skb, th);
6123 6144
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index ef998b008a57..0c4a64355603 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1461,6 +1461,7 @@ static int tcp_v4_conn_req_fastopen(struct sock *sk,
1461 skb_set_owner_r(skb, child); 1461 skb_set_owner_r(skb, child);
1462 __skb_queue_tail(&child->sk_receive_queue, skb); 1462 __skb_queue_tail(&child->sk_receive_queue, skb);
1463 tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq; 1463 tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
1464 tp->syn_data_acked = 1;
1464 } 1465 }
1465 sk->sk_data_ready(sk, 0); 1466 sk->sk_data_ready(sk, 0);
1466 bh_unlock_sock(child); 1467 bh_unlock_sock(child);
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 4c752a6e0bcd..f696d7c2e9fa 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -1,7 +1,6 @@
1#include <linux/rcupdate.h> 1#include <linux/rcupdate.h>
2#include <linux/spinlock.h> 2#include <linux/spinlock.h>
3#include <linux/jiffies.h> 3#include <linux/jiffies.h>
4#include <linux/bootmem.h>
5#include <linux/module.h> 4#include <linux/module.h>
6#include <linux/cache.h> 5#include <linux/cache.h>
7#include <linux/slab.h> 6#include <linux/slab.h>
@@ -9,6 +8,7 @@
9#include <linux/tcp.h> 8#include <linux/tcp.h>
10#include <linux/hash.h> 9#include <linux/hash.h>
11#include <linux/tcp_metrics.h> 10#include <linux/tcp_metrics.h>
11#include <linux/vmalloc.h>
12 12
13#include <net/inet_connection_sock.h> 13#include <net/inet_connection_sock.h>
14#include <net/net_namespace.h> 14#include <net/net_namespace.h>
@@ -864,7 +864,7 @@ static int parse_nl_addr(struct genl_info *info, struct inetpeer_addr *addr,
864 } 864 }
865 a = info->attrs[TCP_METRICS_ATTR_ADDR_IPV6]; 865 a = info->attrs[TCP_METRICS_ATTR_ADDR_IPV6];
866 if (a) { 866 if (a) {
867 if (nla_len(a) != sizeof(sizeof(struct in6_addr))) 867 if (nla_len(a) != sizeof(struct in6_addr))
868 return -EINVAL; 868 return -EINVAL;
869 addr->family = AF_INET6; 869 addr->family = AF_INET6;
870 memcpy(addr->addr.a6, nla_data(a), sizeof(addr->addr.a6)); 870 memcpy(addr->addr.a6, nla_data(a), sizeof(addr->addr.a6));
@@ -1034,7 +1034,10 @@ static int __net_init tcp_net_metrics_init(struct net *net)
1034 net->ipv4.tcp_metrics_hash_log = order_base_2(slots); 1034 net->ipv4.tcp_metrics_hash_log = order_base_2(slots);
1035 size = sizeof(struct tcpm_hash_bucket) << net->ipv4.tcp_metrics_hash_log; 1035 size = sizeof(struct tcpm_hash_bucket) << net->ipv4.tcp_metrics_hash_log;
1036 1036
1037 net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL); 1037 net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
1038 if (!net->ipv4.tcp_metrics_hash)
1039 net->ipv4.tcp_metrics_hash = vzalloc(size);
1040
1038 if (!net->ipv4.tcp_metrics_hash) 1041 if (!net->ipv4.tcp_metrics_hash)
1039 return -ENOMEM; 1042 return -ENOMEM;
1040 1043
@@ -1055,7 +1058,10 @@ static void __net_exit tcp_net_metrics_exit(struct net *net)
1055 tm = next; 1058 tm = next;
1056 } 1059 }
1057 } 1060 }
1058 kfree(net->ipv4.tcp_metrics_hash); 1061 if (is_vmalloc_addr(net->ipv4.tcp_metrics_hash))
1062 vfree(net->ipv4.tcp_metrics_hash);
1063 else
1064 kfree(net->ipv4.tcp_metrics_hash);
1059} 1065}
1060 1066
1061static __net_initdata struct pernet_operations tcp_net_metrics_ops = { 1067static __net_initdata struct pernet_operations tcp_net_metrics_ops = {
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 27536ba16c9d..a7302d974f32 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -510,6 +510,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
510 newtp->rx_opt.mss_clamp = req->mss; 510 newtp->rx_opt.mss_clamp = req->mss;
511 TCP_ECN_openreq_child(newtp, req); 511 TCP_ECN_openreq_child(newtp, req);
512 newtp->fastopen_rsk = NULL; 512 newtp->fastopen_rsk = NULL;
513 newtp->syn_data_acked = 0;
513 514
514 TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS); 515 TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS);
515 } 516 }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index cfe6ffe1c177..948ac275b9b5 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1986,6 +1986,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
1986 tso_segs = tcp_init_tso_segs(sk, skb, mss_now); 1986 tso_segs = tcp_init_tso_segs(sk, skb, mss_now);
1987 BUG_ON(!tso_segs); 1987 BUG_ON(!tso_segs);
1988 1988
1989 if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE)
1990 goto repair; /* Skip network transmission */
1991
1989 cwnd_quota = tcp_cwnd_test(tp, skb); 1992 cwnd_quota = tcp_cwnd_test(tp, skb);
1990 if (!cwnd_quota) 1993 if (!cwnd_quota)
1991 break; 1994 break;
@@ -2026,6 +2029,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
2026 if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp))) 2029 if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
2027 break; 2030 break;
2028 2031
2032repair:
2029 /* Advance the send_head. This one is sent out. 2033 /* Advance the send_head. This one is sent out.
2030 * This call will increment packets_out. 2034 * This call will increment packets_out.
2031 */ 2035 */
@@ -2305,12 +2309,11 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
2305 * state updates are done by the caller. Returns non-zero if an 2309 * state updates are done by the caller. Returns non-zero if an
2306 * error occurred which prevented the send. 2310 * error occurred which prevented the send.
2307 */ 2311 */
2308int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) 2312int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
2309{ 2313{
2310 struct tcp_sock *tp = tcp_sk(sk); 2314 struct tcp_sock *tp = tcp_sk(sk);
2311 struct inet_connection_sock *icsk = inet_csk(sk); 2315 struct inet_connection_sock *icsk = inet_csk(sk);
2312 unsigned int cur_mss; 2316 unsigned int cur_mss;
2313 int err;
2314 2317
2315 /* Inconslusive MTU probe */ 2318 /* Inconslusive MTU probe */
2316 if (icsk->icsk_mtup.probe_size) { 2319 if (icsk->icsk_mtup.probe_size) {
@@ -2383,11 +2386,17 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
2383 if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) { 2386 if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
2384 struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER, 2387 struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
2385 GFP_ATOMIC); 2388 GFP_ATOMIC);
2386 err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) : 2389 return nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
2387 -ENOBUFS; 2390 -ENOBUFS;
2388 } else { 2391 } else {
2389 err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC); 2392 return tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
2390 } 2393 }
2394}
2395
2396int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
2397{
2398 struct tcp_sock *tp = tcp_sk(sk);
2399 int err = __tcp_retransmit_skb(sk, skb);
2391 2400
2392 if (err == 0) { 2401 if (err == 0) {
2393 /* Update global TCP statistics. */ 2402 /* Update global TCP statistics. */
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index fc04711e80c8..d47c1b4421a3 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -347,8 +347,8 @@ void tcp_retransmit_timer(struct sock *sk)
347 return; 347 return;
348 } 348 }
349 if (tp->fastopen_rsk) { 349 if (tp->fastopen_rsk) {
350 BUG_ON(sk->sk_state != TCP_SYN_RECV && 350 WARN_ON_ONCE(sk->sk_state != TCP_SYN_RECV &&
351 sk->sk_state != TCP_FIN_WAIT1); 351 sk->sk_state != TCP_FIN_WAIT1);
352 tcp_fastopen_synack_timer(sk); 352 tcp_fastopen_synack_timer(sk);
353 /* Before we receive ACK to our SYN-ACK don't retransmit 353 /* Before we receive ACK to our SYN-ACK don't retransmit
354 * anything else (e.g., data or FIN segments). 354 * anything else (e.g., data or FIN segments).
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 05c5ab8d983c..3be0ac2c1920 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -279,19 +279,8 @@ static void __exit xfrm4_policy_fini(void)
279 xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo); 279 xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
280} 280}
281 281
282void __init xfrm4_init(int rt_max_size) 282void __init xfrm4_init(void)
283{ 283{
284 /*
285 * Select a default value for the gc_thresh based on the main route
286 * table hash size. It seems to me the worst case scenario is when
287 * we have ipsec operating in transport mode, in which we create a
288 * dst_entry per socket. The xfrm gc algorithm starts trying to remove
289 * entries at gc_thresh, and prevents new allocations as 2*gc_thresh
290 * so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
291 * That will let us store an ipsec connection per route table entry,
292 * and start cleaning when were 1/2 full
293 */
294 xfrm4_dst_ops.gc_thresh = rt_max_size/2;
295 dst_entries_init(&xfrm4_dst_ops); 284 dst_entries_init(&xfrm4_dst_ops);
296 285
297 xfrm4_state_init(); 286 xfrm4_state_init();
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index d7c56f8a5b4e..0424e4e27414 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3064,14 +3064,15 @@ static struct inet6_ifaddr *if6_get_first(struct seq_file *seq, loff_t pos)
3064 struct hlist_node *n; 3064 struct hlist_node *n;
3065 hlist_for_each_entry_rcu_bh(ifa, n, &inet6_addr_lst[state->bucket], 3065 hlist_for_each_entry_rcu_bh(ifa, n, &inet6_addr_lst[state->bucket],
3066 addr_lst) { 3066 addr_lst) {
3067 if (!net_eq(dev_net(ifa->idev->dev), net))
3068 continue;
3067 /* sync with offset */ 3069 /* sync with offset */
3068 if (p < state->offset) { 3070 if (p < state->offset) {
3069 p++; 3071 p++;
3070 continue; 3072 continue;
3071 } 3073 }
3072 state->offset++; 3074 state->offset++;
3073 if (net_eq(dev_net(ifa->idev->dev), net)) 3075 return ifa;
3074 return ifa;
3075 } 3076 }
3076 3077
3077 /* prepare for next bucket */ 3078 /* prepare for next bucket */
@@ -3089,18 +3090,20 @@ static struct inet6_ifaddr *if6_get_next(struct seq_file *seq,
3089 struct hlist_node *n = &ifa->addr_lst; 3090 struct hlist_node *n = &ifa->addr_lst;
3090 3091
3091 hlist_for_each_entry_continue_rcu_bh(ifa, n, addr_lst) { 3092 hlist_for_each_entry_continue_rcu_bh(ifa, n, addr_lst) {
3093 if (!net_eq(dev_net(ifa->idev->dev), net))
3094 continue;
3092 state->offset++; 3095 state->offset++;
3093 if (net_eq(dev_net(ifa->idev->dev), net)) 3096 return ifa;
3094 return ifa;
3095 } 3097 }
3096 3098
3097 while (++state->bucket < IN6_ADDR_HSIZE) { 3099 while (++state->bucket < IN6_ADDR_HSIZE) {
3098 state->offset = 0; 3100 state->offset = 0;
3099 hlist_for_each_entry_rcu_bh(ifa, n, 3101 hlist_for_each_entry_rcu_bh(ifa, n,
3100 &inet6_addr_lst[state->bucket], addr_lst) { 3102 &inet6_addr_lst[state->bucket], addr_lst) {
3103 if (!net_eq(dev_net(ifa->idev->dev), net))
3104 continue;
3101 state->offset++; 3105 state->offset++;
3102 if (net_eq(dev_net(ifa->idev->dev), net)) 3106 return ifa;
3103 return ifa;
3104 } 3107 }
3105 } 3108 }
3106 3109
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index c4f934176cab..30647857a375 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -252,6 +252,7 @@ struct dst_entry *inet6_csk_update_pmtu(struct sock *sk, u32 mtu)
252 return NULL; 252 return NULL;
253 dst->ops->update_pmtu(dst, sk, NULL, mtu); 253 dst->ops->update_pmtu(dst, sk, NULL, mtu);
254 254
255 return inet6_csk_route_socket(sk, &fl6); 255 dst = inet6_csk_route_socket(sk, &fl6);
256 return IS_ERR(dst) ? NULL : dst;
256} 257}
257EXPORT_SYMBOL_GPL(inet6_csk_update_pmtu); 258EXPORT_SYMBOL_GPL(inet6_csk_update_pmtu);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 0185679c5f53..d5cb3c4e66f8 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1633,9 +1633,9 @@ static size_t ip6gre_get_size(const struct net_device *dev)
1633 /* IFLA_GRE_OKEY */ 1633 /* IFLA_GRE_OKEY */
1634 nla_total_size(4) + 1634 nla_total_size(4) +
1635 /* IFLA_GRE_LOCAL */ 1635 /* IFLA_GRE_LOCAL */
1636 nla_total_size(4) + 1636 nla_total_size(sizeof(struct in6_addr)) +
1637 /* IFLA_GRE_REMOTE */ 1637 /* IFLA_GRE_REMOTE */
1638 nla_total_size(4) + 1638 nla_total_size(sizeof(struct in6_addr)) +
1639 /* IFLA_GRE_TTL */ 1639 /* IFLA_GRE_TTL */
1640 nla_total_size(1) + 1640 nla_total_size(1) +
1641 /* IFLA_GRE_TOS */ 1641 /* IFLA_GRE_TOS */
@@ -1659,8 +1659,8 @@ static int ip6gre_fill_info(struct sk_buff *skb, const struct net_device *dev)
1659 nla_put_be16(skb, IFLA_GRE_OFLAGS, p->o_flags) || 1659 nla_put_be16(skb, IFLA_GRE_OFLAGS, p->o_flags) ||
1660 nla_put_be32(skb, IFLA_GRE_IKEY, p->i_key) || 1660 nla_put_be32(skb, IFLA_GRE_IKEY, p->i_key) ||
1661 nla_put_be32(skb, IFLA_GRE_OKEY, p->o_key) || 1661 nla_put_be32(skb, IFLA_GRE_OKEY, p->o_key) ||
1662 nla_put(skb, IFLA_GRE_LOCAL, sizeof(struct in6_addr), &p->raddr) || 1662 nla_put(skb, IFLA_GRE_LOCAL, sizeof(struct in6_addr), &p->laddr) ||
1663 nla_put(skb, IFLA_GRE_REMOTE, sizeof(struct in6_addr), &p->laddr) || 1663 nla_put(skb, IFLA_GRE_REMOTE, sizeof(struct in6_addr), &p->raddr) ||
1664 nla_put_u8(skb, IFLA_GRE_TTL, p->hop_limit) || 1664 nla_put_u8(skb, IFLA_GRE_TTL, p->hop_limit) ||
1665 /*nla_put_u8(skb, IFLA_GRE_TOS, t->priority) ||*/ 1665 /*nla_put_u8(skb, IFLA_GRE_TOS, t->priority) ||*/
1666 nla_put_u8(skb, IFLA_GRE_ENCAP_LIMIT, p->encap_limit) || 1666 nla_put_u8(skb, IFLA_GRE_ENCAP_LIMIT, p->encap_limit) ||
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index ba6d13d1f1e1..e02faed6d17e 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -827,6 +827,7 @@ pref_skip_coa:
827 if (val < 0 || val > 255) 827 if (val < 0 || val > 255)
828 goto e_inval; 828 goto e_inval;
829 np->min_hopcount = val; 829 np->min_hopcount = val;
830 retv = 0;
830 break; 831 break;
831 case IPV6_DONTFRAG: 832 case IPV6_DONTFRAG:
832 np->dontfrag = valbool; 833 np->dontfrag = valbool;
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index ff36194a71aa..2edce30ef733 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -535,7 +535,7 @@ static void ndisc_send_unsol_na(struct net_device *dev)
535{ 535{
536 struct inet6_dev *idev; 536 struct inet6_dev *idev;
537 struct inet6_ifaddr *ifa; 537 struct inet6_ifaddr *ifa;
538 struct in6_addr mcaddr; 538 struct in6_addr mcaddr = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
539 539
540 idev = in6_dev_get(dev); 540 idev = in6_dev_get(dev);
541 if (!idev) 541 if (!idev)
@@ -543,7 +543,6 @@ static void ndisc_send_unsol_na(struct net_device *dev)
543 543
544 read_lock_bh(&idev->lock); 544 read_lock_bh(&idev->lock);
545 list_for_each_entry(ifa, &idev->addr_list, if_list) { 545 list_for_each_entry(ifa, &idev->addr_list, if_list) {
546 addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
547 ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr, 546 ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
548 /*router=*/ !!idev->cnf.forwarding, 547 /*router=*/ !!idev->cnf.forwarding,
549 /*solicited=*/ false, /*override=*/ true, 548 /*solicited=*/ false, /*override=*/ true,
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index e418bd6350a4..d57dab17a182 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -186,7 +186,8 @@ nf_nat_ipv6_out(unsigned int hooknum,
186 186
187 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, 187 if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3,
188 &ct->tuplehash[!dir].tuple.dst.u3) || 188 &ct->tuplehash[!dir].tuple.dst.u3) ||
189 (ct->tuplehash[dir].tuple.src.u.all != 189 (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
190 ct->tuplehash[dir].tuple.src.u.all !=
190 ct->tuplehash[!dir].tuple.dst.u.all)) 191 ct->tuplehash[!dir].tuple.dst.u.all))
191 if (nf_xfrm_me_harder(skb, AF_INET6) < 0) 192 if (nf_xfrm_me_harder(skb, AF_INET6) < 0)
192 ret = NF_DROP; 193 ret = NF_DROP;
@@ -222,6 +223,7 @@ nf_nat_ipv6_local_fn(unsigned int hooknum,
222 } 223 }
223#ifdef CONFIG_XFRM 224#ifdef CONFIG_XFRM
224 else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 225 else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
226 ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
225 ct->tuplehash[dir].tuple.dst.u.all != 227 ct->tuplehash[dir].tuple.dst.u.all !=
226 ct->tuplehash[!dir].tuple.src.u.all) 228 ct->tuplehash[!dir].tuple.src.u.all)
227 if (nf_xfrm_me_harder(skb, AF_INET6)) 229 if (nf_xfrm_me_harder(skb, AF_INET6))
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 18bd9bbbd1c6..22c8ea951185 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -85,7 +85,7 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
85 { } 85 { }
86}; 86};
87 87
88static int __net_init nf_ct_frag6_sysctl_register(struct net *net) 88static int nf_ct_frag6_sysctl_register(struct net *net)
89{ 89{
90 struct ctl_table *table; 90 struct ctl_table *table;
91 struct ctl_table_header *hdr; 91 struct ctl_table_header *hdr;
@@ -127,7 +127,7 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
127} 127}
128 128
129#else 129#else
130static int __net_init nf_ct_frag6_sysctl_register(struct net *net) 130static int nf_ct_frag6_sysctl_register(struct net *net)
131{ 131{
132 return 0; 132 return 0;
133} 133}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 7c7e963260e1..b1e6cf0b95fd 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -219,7 +219,7 @@ static struct dst_ops ip6_dst_blackhole_ops = {
219}; 219};
220 220
221static const u32 ip6_template_metrics[RTAX_MAX] = { 221static const u32 ip6_template_metrics[RTAX_MAX] = {
222 [RTAX_HOPLIMIT - 1] = 255, 222 [RTAX_HOPLIMIT - 1] = 0,
223}; 223};
224 224
225static const struct rt6_info ip6_null_entry_template = { 225static const struct rt6_info ip6_null_entry_template = {
@@ -1232,7 +1232,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
1232 rt->rt6i_dst.addr = fl6->daddr; 1232 rt->rt6i_dst.addr = fl6->daddr;
1233 rt->rt6i_dst.plen = 128; 1233 rt->rt6i_dst.plen = 128;
1234 rt->rt6i_idev = idev; 1234 rt->rt6i_idev = idev;
1235 dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255); 1235 dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 0);
1236 1236
1237 spin_lock_bh(&icmp6_dst_lock); 1237 spin_lock_bh(&icmp6_dst_lock);
1238 rt->dst.next = icmp6_dst_gc_list; 1238 rt->dst.next = icmp6_dst_gc_list;
diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
index 95a3a7a336ba..496ce2cebcd7 100644
--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -421,6 +421,8 @@ static int ircomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
421 hashbin_insert(ircomm_tty, (irda_queue_t *) self, line, NULL); 421 hashbin_insert(ircomm_tty, (irda_queue_t *) self, line, NULL);
422 } 422 }
423 423
424 tty->driver_data = self;
425
424 return tty_port_install(&self->port, driver, tty); 426 return tty_port_install(&self->port, driver, tty);
425} 427}
426 428
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index 1002e3396f72..ae43c62f9045 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -441,6 +441,7 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
441 lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0); 441 lsap = irlmp_open_lsap(stsap_sel, &ttp_notify, 0);
442 if (lsap == NULL) { 442 if (lsap == NULL) {
443 IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__); 443 IRDA_DEBUG(0, "%s: unable to allocate LSAP!!\n", __func__);
444 __irttp_close_tsap(self);
444 return NULL; 445 return NULL;
445 } 446 }
446 447
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 37b8b8ba31f7..76125c57ee6d 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -291,6 +291,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
291 291
292out_del_dev: 292out_del_dev:
293 free_netdev(dev); 293 free_netdev(dev);
294 spriv->dev = NULL;
294out_del_session: 295out_del_session:
295 l2tp_session_delete(session); 296 l2tp_session_delete(session);
296out: 297out:
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 05f3a313db88..7371f676cf41 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2594,6 +2594,9 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
2594 else 2594 else
2595 local->probe_req_reg--; 2595 local->probe_req_reg--;
2596 2596
2597 if (!local->open_count)
2598 break;
2599
2597 ieee80211_queue_work(&local->hw, &local->reconfig_filter); 2600 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
2598 break; 2601 break;
2599 default: 2602 default:
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 5f3620f0bc0a..c21e33d1abd0 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1108,7 +1108,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
1108 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH; 1108 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1109 sdata->u.ibss.ibss_join_req = jiffies; 1109 sdata->u.ibss.ibss_join_req = jiffies;
1110 1110
1111 memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN); 1111 memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
1112 sdata->u.ibss.ssid_len = params->ssid_len; 1112 sdata->u.ibss.ssid_len = params->ssid_len;
1113 1113
1114 mutex_unlock(&sdata->u.ibss.mtx); 1114 mutex_unlock(&sdata->u.ibss.mtx);
@@ -1151,10 +1151,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
1151 1151
1152 mutex_lock(&sdata->u.ibss.mtx); 1152 mutex_lock(&sdata->u.ibss.mtx);
1153 1153
1154 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1155 memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
1156 sdata->u.ibss.ssid_len = 0;
1157
1158 active_ibss = ieee80211_sta_active_ibss(sdata); 1154 active_ibss = ieee80211_sta_active_ibss(sdata);
1159 1155
1160 if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) { 1156 if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
@@ -1175,6 +1171,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
1175 } 1171 }
1176 } 1172 }
1177 1173
1174 ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
1175 memset(ifibss->bssid, 0, ETH_ALEN);
1176 ifibss->ssid_len = 0;
1177
1178 sta_info_flush(sdata->local, sdata); 1178 sta_info_flush(sdata->local, sdata);
1179 1179
1180 spin_lock_bh(&ifibss->incomplete_lock); 1180 spin_lock_bh(&ifibss->incomplete_lock);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8c804550465b..156e5835e37f 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1314,6 +1314,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
1314 struct net_device *dev); 1314 struct net_device *dev);
1315netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb, 1315netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1316 struct net_device *dev); 1316 struct net_device *dev);
1317void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
1318 struct sk_buff_head *skbs);
1317 1319
1318/* HT */ 1320/* HT */
1319void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata, 1321void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 6f8a73c64fb3..7de7717ad67d 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -853,7 +853,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
853 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 853 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
854 if (info->control.vif == &sdata->vif) { 854 if (info->control.vif == &sdata->vif) {
855 __skb_unlink(skb, &local->pending[i]); 855 __skb_unlink(skb, &local->pending[i]);
856 dev_kfree_skb_irq(skb); 856 ieee80211_free_txskb(&local->hw, skb);
857 } 857 }
858 } 858 }
859 } 859 }
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index c80c4490351c..f57f597972f8 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -871,8 +871,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
871 local->hw.wiphy->cipher_suites, 871 local->hw.wiphy->cipher_suites,
872 sizeof(u32) * local->hw.wiphy->n_cipher_suites, 872 sizeof(u32) * local->hw.wiphy->n_cipher_suites,
873 GFP_KERNEL); 873 GFP_KERNEL);
874 if (!suites) 874 if (!suites) {
875 return -ENOMEM; 875 result = -ENOMEM;
876 goto fail_wiphy_register;
877 }
876 for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) { 878 for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {
877 u32 suite = local->hw.wiphy->cipher_suites[r]; 879 u32 suite = local->hw.wiphy->cipher_suites[r];
878 if (suite == WLAN_CIPHER_SUITE_WEP40 || 880 if (suite == WLAN_CIPHER_SUITE_WEP40 ||
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index e714ed8bb198..1b7eed252fe9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3099,22 +3099,32 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
3099 ht_cfreq, ht_oper->primary_chan, 3099 ht_cfreq, ht_oper->primary_chan,
3100 cbss->channel->band); 3100 cbss->channel->band);
3101 ht_oper = NULL; 3101 ht_oper = NULL;
3102 } else {
3103 channel_type = NL80211_CHAN_HT20;
3102 } 3104 }
3103 } 3105 }
3104 3106
3105 if (ht_oper) { 3107 if (ht_oper && sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
3106 channel_type = NL80211_CHAN_HT20; 3108 /*
3109 * cfg80211 already verified that the channel itself can
3110 * be used, but it didn't check that we can do the right
3111 * HT type, so do that here as well. If HT40 isn't allowed
3112 * on this channel, disable 40 MHz operation.
3113 */
3107 3114
3108 if (sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) { 3115 switch (ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
3109 switch (ht_oper->ht_param & 3116 case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
3110 IEEE80211_HT_PARAM_CHA_SEC_OFFSET) { 3117 if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40PLUS)
3111 case IEEE80211_HT_PARAM_CHA_SEC_ABOVE: 3118 ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
3119 else
3112 channel_type = NL80211_CHAN_HT40PLUS; 3120 channel_type = NL80211_CHAN_HT40PLUS;
3113 break; 3121 break;
3114 case IEEE80211_HT_PARAM_CHA_SEC_BELOW: 3122 case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
3123 if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40MINUS)
3124 ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
3125 else
3115 channel_type = NL80211_CHAN_HT40MINUS; 3126 channel_type = NL80211_CHAN_HT40MINUS;
3116 break; 3127 break;
3117 }
3118 } 3128 }
3119 } 3129 }
3120 3130
@@ -3549,6 +3559,7 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
3549{ 3559{
3550 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 3560 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3551 u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; 3561 u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
3562 bool tx = !req->local_state_change;
3552 3563
3553 mutex_lock(&ifmgd->mtx); 3564 mutex_lock(&ifmgd->mtx);
3554 3565
@@ -3565,12 +3576,12 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
3565 if (ifmgd->associated && 3576 if (ifmgd->associated &&
3566 ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { 3577 ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
3567 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, 3578 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
3568 req->reason_code, true, frame_buf); 3579 req->reason_code, tx, frame_buf);
3569 } else { 3580 } else {
3570 drv_mgd_prepare_tx(sdata->local, sdata); 3581 drv_mgd_prepare_tx(sdata->local, sdata);
3571 ieee80211_send_deauth_disassoc(sdata, req->bssid, 3582 ieee80211_send_deauth_disassoc(sdata, req->bssid,
3572 IEEE80211_STYPE_DEAUTH, 3583 IEEE80211_STYPE_DEAUTH,
3573 req->reason_code, true, 3584 req->reason_code, tx,
3574 frame_buf); 3585 frame_buf);
3575 } 3586 }
3576 3587
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 83608ac16780..2c84185dfdb0 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -458,8 +458,6 @@ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata)
458 list_move_tail(&roc->list, &tmp_list); 458 list_move_tail(&roc->list, &tmp_list);
459 roc->abort = true; 459 roc->abort = true;
460 } 460 }
461
462 ieee80211_start_next_roc(local);
463 mutex_unlock(&local->mtx); 461 mutex_unlock(&local->mtx);
464 462
465 list_for_each_entry_safe(roc, tmp, &tmp_list, list) { 463 list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 61c621e9273f..00ade7feb2e3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -531,6 +531,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
531 531
532 if (ieee80211_is_action(hdr->frame_control)) { 532 if (ieee80211_is_action(hdr->frame_control)) {
533 u8 category; 533 u8 category;
534
535 /* make sure category field is present */
536 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
537 return RX_DROP_MONITOR;
538
534 mgmt = (struct ieee80211_mgmt *)hdr; 539 mgmt = (struct ieee80211_mgmt *)hdr;
535 category = mgmt->u.action.category; 540 category = mgmt->u.action.category;
536 if (category != WLAN_CATEGORY_MESH_ACTION && 541 if (category != WLAN_CATEGORY_MESH_ACTION &&
@@ -883,14 +888,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
883 */ 888 */
884 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION && 889 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
885 ieee80211_is_data_present(hdr->frame_control)) { 890 ieee80211_is_data_present(hdr->frame_control)) {
886 u16 ethertype; 891 unsigned int hdrlen;
887 u8 *payload; 892 __be16 ethertype;
888 893
889 payload = rx->skb->data + 894 hdrlen = ieee80211_hdrlen(hdr->frame_control);
890 ieee80211_hdrlen(hdr->frame_control); 895
891 ethertype = (payload[6] << 8) | payload[7]; 896 if (rx->skb->len < hdrlen + 8)
892 if (cpu_to_be16(ethertype) == 897 return RX_DROP_MONITOR;
893 rx->sdata->control_port_protocol) 898
899 skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
900 if (ethertype == rx->sdata->control_port_protocol)
894 return RX_CONTINUE; 901 return RX_CONTINUE;
895 } 902 }
896 903
@@ -1462,11 +1469,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1462 1469
1463 hdr = (struct ieee80211_hdr *)rx->skb->data; 1470 hdr = (struct ieee80211_hdr *)rx->skb->data;
1464 fc = hdr->frame_control; 1471 fc = hdr->frame_control;
1472
1473 if (ieee80211_is_ctl(fc))
1474 return RX_CONTINUE;
1475
1465 sc = le16_to_cpu(hdr->seq_ctrl); 1476 sc = le16_to_cpu(hdr->seq_ctrl);
1466 frag = sc & IEEE80211_SCTL_FRAG; 1477 frag = sc & IEEE80211_SCTL_FRAG;
1467 1478
1468 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1479 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1469 (rx->skb)->len < 24 ||
1470 is_multicast_ether_addr(hdr->addr1))) { 1480 is_multicast_ether_addr(hdr->addr1))) {
1471 /* not fragmented */ 1481 /* not fragmented */
1472 goto out; 1482 goto out;
@@ -1889,6 +1899,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1889 1899
1890 hdr = (struct ieee80211_hdr *) skb->data; 1900 hdr = (struct ieee80211_hdr *) skb->data;
1891 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1901 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1902
1903 /* make sure fixed part of mesh header is there, also checks skb len */
1904 if (!pskb_may_pull(rx->skb, hdrlen + 6))
1905 return RX_DROP_MONITOR;
1906
1907 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1908
1909 /* make sure full mesh header is there, also checks skb len */
1910 if (!pskb_may_pull(rx->skb,
1911 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
1912 return RX_DROP_MONITOR;
1913
1914 /* reload pointers */
1915 hdr = (struct ieee80211_hdr *) skb->data;
1892 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1916 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1893 1917
1894 /* frame is in RMC, don't forward */ 1918 /* frame is in RMC, don't forward */
@@ -1897,7 +1921,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1897 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata)) 1921 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1898 return RX_DROP_MONITOR; 1922 return RX_DROP_MONITOR;
1899 1923
1900 if (!ieee80211_is_data(hdr->frame_control)) 1924 if (!ieee80211_is_data(hdr->frame_control) ||
1925 !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1901 return RX_CONTINUE; 1926 return RX_CONTINUE;
1902 1927
1903 if (!mesh_hdr->ttl) 1928 if (!mesh_hdr->ttl)
@@ -1911,9 +1936,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1911 if (is_multicast_ether_addr(hdr->addr1)) { 1936 if (is_multicast_ether_addr(hdr->addr1)) {
1912 mpp_addr = hdr->addr3; 1937 mpp_addr = hdr->addr3;
1913 proxied_addr = mesh_hdr->eaddr1; 1938 proxied_addr = mesh_hdr->eaddr1;
1914 } else { 1939 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
1940 /* has_a4 already checked in ieee80211_rx_mesh_check */
1915 mpp_addr = hdr->addr4; 1941 mpp_addr = hdr->addr4;
1916 proxied_addr = mesh_hdr->eaddr2; 1942 proxied_addr = mesh_hdr->eaddr2;
1943 } else {
1944 return RX_DROP_MONITOR;
1917 } 1945 }
1918 1946
1919 rcu_read_lock(); 1947 rcu_read_lock();
@@ -1941,12 +1969,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1941 } 1969 }
1942 skb_set_queue_mapping(skb, q); 1970 skb_set_queue_mapping(skb, q);
1943 1971
1944 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1945 goto out;
1946
1947 if (!--mesh_hdr->ttl) { 1972 if (!--mesh_hdr->ttl) {
1948 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); 1973 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1949 return RX_DROP_MONITOR; 1974 goto out;
1950 } 1975 }
1951 1976
1952 if (!ifmsh->mshcfg.dot11MeshForwarding) 1977 if (!ifmsh->mshcfg.dot11MeshForwarding)
@@ -2353,6 +2378,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2353 } 2378 }
2354 break; 2379 break;
2355 case WLAN_CATEGORY_SELF_PROTECTED: 2380 case WLAN_CATEGORY_SELF_PROTECTED:
2381 if (len < (IEEE80211_MIN_ACTION_SIZE +
2382 sizeof(mgmt->u.action.u.self_prot.action_code)))
2383 break;
2384
2356 switch (mgmt->u.action.u.self_prot.action_code) { 2385 switch (mgmt->u.action.u.self_prot.action_code) {
2357 case WLAN_SP_MESH_PEERING_OPEN: 2386 case WLAN_SP_MESH_PEERING_OPEN:
2358 case WLAN_SP_MESH_PEERING_CLOSE: 2387 case WLAN_SP_MESH_PEERING_CLOSE:
@@ -2371,6 +2400,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2371 } 2400 }
2372 break; 2401 break;
2373 case WLAN_CATEGORY_MESH_ACTION: 2402 case WLAN_CATEGORY_MESH_ACTION:
2403 if (len < (IEEE80211_MIN_ACTION_SIZE +
2404 sizeof(mgmt->u.action.u.mesh_action.action_code)))
2405 break;
2406
2374 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2407 if (!ieee80211_vif_is_mesh(&sdata->vif))
2375 break; 2408 break;
2376 if (mesh_action_is_path_sel(mgmt) && 2409 if (mesh_action_is_path_sel(mgmt) &&
@@ -2913,10 +2946,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2913 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc)) 2946 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
2914 local->dot11ReceivedFragmentCount++; 2947 local->dot11ReceivedFragmentCount++;
2915 2948
2916 if (ieee80211_is_mgmt(fc)) 2949 if (ieee80211_is_mgmt(fc)) {
2917 err = skb_linearize(skb); 2950 /* drop frame if too short for header */
2918 else 2951 if (skb->len < ieee80211_hdrlen(fc))
2952 err = -ENOBUFS;
2953 else
2954 err = skb_linearize(skb);
2955 } else {
2919 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc)); 2956 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
2957 }
2920 2958
2921 if (err) { 2959 if (err) {
2922 dev_kfree_skb(skb); 2960 dev_kfree_skb(skb);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index c4cdbde24fd3..43e60b5a7546 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -917,7 +917,7 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
917 struct cfg80211_sched_scan_request *req) 917 struct cfg80211_sched_scan_request *req)
918{ 918{
919 struct ieee80211_local *local = sdata->local; 919 struct ieee80211_local *local = sdata->local;
920 struct ieee80211_sched_scan_ies sched_scan_ies; 920 struct ieee80211_sched_scan_ies sched_scan_ies = {};
921 int ret, i; 921 int ret, i;
922 922
923 mutex_lock(&local->mtx); 923 mutex_lock(&local->mtx);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 797dd36a220d..d2eb64e12353 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -117,8 +117,8 @@ static void free_sta_work(struct work_struct *wk)
117 117
118 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { 118 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
119 local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]); 119 local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
120 __skb_queue_purge(&sta->ps_tx_buf[ac]); 120 ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
121 __skb_queue_purge(&sta->tx_filtered[ac]); 121 ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
122 } 122 }
123 123
124#ifdef CONFIG_MAC80211_MESH 124#ifdef CONFIG_MAC80211_MESH
@@ -141,7 +141,7 @@ static void free_sta_work(struct work_struct *wk)
141 tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]); 141 tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
142 if (!tid_tx) 142 if (!tid_tx)
143 continue; 143 continue;
144 __skb_queue_purge(&tid_tx->pending); 144 ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
145 kfree(tid_tx); 145 kfree(tid_tx);
146 } 146 }
147 147
@@ -650,7 +650,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
650 */ 650 */
651 if (!skb) 651 if (!skb)
652 break; 652 break;
653 dev_kfree_skb(skb); 653 ieee80211_free_txskb(&local->hw, skb);
654 } 654 }
655 655
656 /* 656 /*
@@ -679,7 +679,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
679 local->total_ps_buffered--; 679 local->total_ps_buffered--;
680 ps_dbg(sta->sdata, "Buffered frame expired (STA %pM)\n", 680 ps_dbg(sta->sdata, "Buffered frame expired (STA %pM)\n",
681 sta->sta.addr); 681 sta->sta.addr);
682 dev_kfree_skb(skb); 682 ieee80211_free_txskb(&local->hw, skb);
683 } 683 }
684 684
685 /* 685 /*
@@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
961 struct ieee80211_local *local = sdata->local; 961 struct ieee80211_local *local = sdata->local;
962 struct sk_buff_head pending; 962 struct sk_buff_head pending;
963 int filtered = 0, buffered = 0, ac; 963 int filtered = 0, buffered = 0, ac;
964 unsigned long flags;
964 965
965 clear_sta_flag(sta, WLAN_STA_SP); 966 clear_sta_flag(sta, WLAN_STA_SP);
966 967
@@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
976 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { 977 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
977 int count = skb_queue_len(&pending), tmp; 978 int count = skb_queue_len(&pending), tmp;
978 979
980 spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
979 skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending); 981 skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
982 spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
980 tmp = skb_queue_len(&pending); 983 tmp = skb_queue_len(&pending);
981 filtered += tmp - count; 984 filtered += tmp - count;
982 count = tmp; 985 count = tmp;
983 986
987 spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
984 skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending); 988 skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
989 spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
985 tmp = skb_queue_len(&pending); 990 tmp = skb_queue_len(&pending);
986 buffered += tmp - count; 991 buffered += tmp - count;
987 } 992 }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 3af0cc4130f1..101eb88a2b78 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -668,3 +668,12 @@ void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb)
668 dev_kfree_skb_any(skb); 668 dev_kfree_skb_any(skb);
669} 669}
670EXPORT_SYMBOL(ieee80211_free_txskb); 670EXPORT_SYMBOL(ieee80211_free_txskb);
671
672void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
673 struct sk_buff_head *skbs)
674{
675 struct sk_buff *skb;
676
677 while ((skb = __skb_dequeue(skbs)))
678 ieee80211_free_txskb(hw, skb);
679}
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c9bf83f36657..b858ebe41fda 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1358,7 +1358,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
1358 if (tx->skb) 1358 if (tx->skb)
1359 ieee80211_free_txskb(&tx->local->hw, tx->skb); 1359 ieee80211_free_txskb(&tx->local->hw, tx->skb);
1360 else 1360 else
1361 __skb_queue_purge(&tx->skbs); 1361 ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
1362 return -1; 1362 return -1;
1363 } else if (unlikely(res == TX_QUEUED)) { 1363 } else if (unlikely(res == TX_QUEUED)) {
1364 I802_DEBUG_INC(tx->local->tx_handlers_queued); 1364 I802_DEBUG_INC(tx->local->tx_handlers_queued);
@@ -2120,10 +2120,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
2120 */ 2120 */
2121void ieee80211_clear_tx_pending(struct ieee80211_local *local) 2121void ieee80211_clear_tx_pending(struct ieee80211_local *local)
2122{ 2122{
2123 struct sk_buff *skb;
2123 int i; 2124 int i;
2124 2125
2125 for (i = 0; i < local->hw.queues; i++) 2126 for (i = 0; i < local->hw.queues; i++) {
2126 skb_queue_purge(&local->pending[i]); 2127 while ((skb = skb_dequeue(&local->pending[i])) != NULL)
2128 ieee80211_free_txskb(&local->hw, skb);
2129 }
2127} 2130}
2128 2131
2129/* 2132/*
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 22ca35054dd0..0151ae33c4cd 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -406,7 +406,7 @@ void ieee80211_add_pending_skb(struct ieee80211_local *local,
406 int queue = info->hw_queue; 406 int queue = info->hw_queue;
407 407
408 if (WARN_ON(!info->control.vif)) { 408 if (WARN_ON(!info->control.vif)) {
409 kfree_skb(skb); 409 ieee80211_free_txskb(&local->hw, skb);
410 return; 410 return;
411 } 411 }
412 412
@@ -431,7 +431,7 @@ void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
431 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 431 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
432 432
433 if (WARN_ON(!info->control.vif)) { 433 if (WARN_ON(!info->control.vif)) {
434 kfree_skb(skb); 434 ieee80211_free_txskb(&local->hw, skb);
435 continue; 435 continue;
436 } 436 }
437 437
@@ -643,13 +643,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
643 break; 643 break;
644 } 644 }
645 645
646 if (id != WLAN_EID_VENDOR_SPECIFIC && 646 switch (id) {
647 id != WLAN_EID_QUIET && 647 case WLAN_EID_SSID:
648 test_bit(id, seen_elems)) { 648 case WLAN_EID_SUPP_RATES:
649 elems->parse_error = true; 649 case WLAN_EID_FH_PARAMS:
650 left -= elen; 650 case WLAN_EID_DS_PARAMS:
651 pos += elen; 651 case WLAN_EID_CF_PARAMS:
652 continue; 652 case WLAN_EID_TIM:
653 case WLAN_EID_IBSS_PARAMS:
654 case WLAN_EID_CHALLENGE:
655 case WLAN_EID_RSN:
656 case WLAN_EID_ERP_INFO:
657 case WLAN_EID_EXT_SUPP_RATES:
658 case WLAN_EID_HT_CAPABILITY:
659 case WLAN_EID_HT_OPERATION:
660 case WLAN_EID_VHT_CAPABILITY:
661 case WLAN_EID_VHT_OPERATION:
662 case WLAN_EID_MESH_ID:
663 case WLAN_EID_MESH_CONFIG:
664 case WLAN_EID_PEER_MGMT:
665 case WLAN_EID_PREQ:
666 case WLAN_EID_PREP:
667 case WLAN_EID_PERR:
668 case WLAN_EID_RANN:
669 case WLAN_EID_CHANNEL_SWITCH:
670 case WLAN_EID_EXT_CHANSWITCH_ANN:
671 case WLAN_EID_COUNTRY:
672 case WLAN_EID_PWR_CONSTRAINT:
673 case WLAN_EID_TIMEOUT_INTERVAL:
674 if (test_bit(id, seen_elems)) {
675 elems->parse_error = true;
676 left -= elen;
677 pos += elen;
678 continue;
679 }
680 break;
653 } 681 }
654 682
655 if (calc_crc && id < 64 && (filter & (1ULL << id))) 683 if (calc_crc && id < 64 && (filter & (1ULL << id)))
@@ -1463,6 +1491,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
1463 list_for_each_entry(sdata, &local->interfaces, list) { 1491 list_for_each_entry(sdata, &local->interfaces, list) {
1464 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1492 if (sdata->vif.type != NL80211_IFTYPE_STATION)
1465 continue; 1493 continue;
1494 if (!sdata->u.mgd.associated)
1495 continue;
1466 1496
1467 ieee80211_send_nullfunc(local, sdata, 0); 1497 ieee80211_send_nullfunc(local, sdata, 0);
1468 } 1498 }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bdb53aba888e..8bd2f5c6a56e 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
106 if (status->flag & RX_FLAG_MMIC_ERROR) 106 if (status->flag & RX_FLAG_MMIC_ERROR)
107 goto mic_fail; 107 goto mic_fail;
108 108
109 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) 109 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
110 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
110 goto update_iv; 111 goto update_iv;
111 112
112 return RX_CONTINUE; 113 return RX_CONTINUE;
@@ -545,14 +546,19 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
545 546
546static void bip_aad(struct sk_buff *skb, u8 *aad) 547static void bip_aad(struct sk_buff *skb, u8 *aad)
547{ 548{
549 __le16 mask_fc;
550 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
551
548 /* BIP AAD: FC(masked) || A1 || A2 || A3 */ 552 /* BIP AAD: FC(masked) || A1 || A2 || A3 */
549 553
550 /* FC type/subtype */ 554 /* FC type/subtype */
551 aad[0] = skb->data[0];
552 /* Mask FC Retry, PwrMgt, MoreData flags to zero */ 555 /* Mask FC Retry, PwrMgt, MoreData flags to zero */
553 aad[1] = skb->data[1] & ~(BIT(4) | BIT(5) | BIT(6)); 556 mask_fc = hdr->frame_control;
557 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
558 IEEE80211_FCTL_MOREDATA);
559 put_unaligned(mask_fc, (__le16 *) &aad[0]);
554 /* A1 || A2 || A3 */ 560 /* A1 || A2 || A3 */
555 memcpy(aad + 2, skb->data + 4, 3 * ETH_ALEN); 561 memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN);
556} 562}
557 563
558 564
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index ec3dba5dcd62..5c0b78528e55 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -173,6 +173,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
173 return adtfn(set, &nip, timeout, flags); 173 return adtfn(set, &nip, timeout, flags);
174 } 174 }
175 175
176 ip_to = ip;
176 if (tb[IPSET_ATTR_IP_TO]) { 177 if (tb[IPSET_ATTR_IP_TO]) {
177 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 178 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
178 if (ret) 179 if (ret)
@@ -185,8 +186,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
185 if (!cidr || cidr > 32) 186 if (!cidr || cidr > 32)
186 return -IPSET_ERR_INVALID_CIDR; 187 return -IPSET_ERR_INVALID_CIDR;
187 ip_set_mask_from_to(ip, ip_to, cidr); 188 ip_set_mask_from_to(ip, ip_to, cidr);
188 } else 189 }
189 ip_to = ip;
190 190
191 hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); 191 hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
192 192
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 0171f7502fa5..6283351f4eeb 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -162,7 +162,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
162 const struct ip_set_hash *h = set->data; 162 const struct ip_set_hash *h = set->data;
163 ipset_adtfn adtfn = set->variant->adt[adt]; 163 ipset_adtfn adtfn = set->variant->adt[adt];
164 struct hash_ipport4_elem data = { }; 164 struct hash_ipport4_elem data = { };
165 u32 ip, ip_to = 0, p = 0, port, port_to; 165 u32 ip, ip_to, p = 0, port, port_to;
166 u32 timeout = h->timeout; 166 u32 timeout = h->timeout;
167 bool with_ports = false; 167 bool with_ports = false;
168 int ret; 168 int ret;
@@ -210,7 +210,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
210 return ip_set_eexist(ret, flags) ? 0 : ret; 210 return ip_set_eexist(ret, flags) ? 0 : ret;
211 } 211 }
212 212
213 ip = ntohl(data.ip); 213 ip_to = ip = ntohl(data.ip);
214 if (tb[IPSET_ATTR_IP_TO]) { 214 if (tb[IPSET_ATTR_IP_TO]) {
215 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 215 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
216 if (ret) 216 if (ret)
@@ -223,8 +223,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
223 if (!cidr || cidr > 32) 223 if (!cidr || cidr > 32)
224 return -IPSET_ERR_INVALID_CIDR; 224 return -IPSET_ERR_INVALID_CIDR;
225 ip_set_mask_from_to(ip, ip_to, cidr); 225 ip_set_mask_from_to(ip, ip_to, cidr);
226 } else 226 }
227 ip_to = ip;
228 227
229 port_to = port = ntohs(data.port); 228 port_to = port = ntohs(data.port);
230 if (with_ports && tb[IPSET_ATTR_PORT_TO]) { 229 if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 6344ef551ec8..6a21271c8d5a 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -166,7 +166,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
166 const struct ip_set_hash *h = set->data; 166 const struct ip_set_hash *h = set->data;
167 ipset_adtfn adtfn = set->variant->adt[adt]; 167 ipset_adtfn adtfn = set->variant->adt[adt];
168 struct hash_ipportip4_elem data = { }; 168 struct hash_ipportip4_elem data = { };
169 u32 ip, ip_to = 0, p = 0, port, port_to; 169 u32 ip, ip_to, p = 0, port, port_to;
170 u32 timeout = h->timeout; 170 u32 timeout = h->timeout;
171 bool with_ports = false; 171 bool with_ports = false;
172 int ret; 172 int ret;
@@ -218,7 +218,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
218 return ip_set_eexist(ret, flags) ? 0 : ret; 218 return ip_set_eexist(ret, flags) ? 0 : ret;
219 } 219 }
220 220
221 ip = ntohl(data.ip); 221 ip_to = ip = ntohl(data.ip);
222 if (tb[IPSET_ATTR_IP_TO]) { 222 if (tb[IPSET_ATTR_IP_TO]) {
223 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 223 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
224 if (ret) 224 if (ret)
@@ -231,8 +231,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
231 if (!cidr || cidr > 32) 231 if (!cidr || cidr > 32)
232 return -IPSET_ERR_INVALID_CIDR; 232 return -IPSET_ERR_INVALID_CIDR;
233 ip_set_mask_from_to(ip, ip_to, cidr); 233 ip_set_mask_from_to(ip, ip_to, cidr);
234 } else 234 }
235 ip_to = ip;
236 235
237 port_to = port = ntohs(data.port); 236 port_to = port = ntohs(data.port);
238 if (with_ports && tb[IPSET_ATTR_PORT_TO]) { 237 if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index cb71f9a774e7..2d5cd4ee30eb 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -215,8 +215,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
215 const struct ip_set_hash *h = set->data; 215 const struct ip_set_hash *h = set->data;
216 ipset_adtfn adtfn = set->variant->adt[adt]; 216 ipset_adtfn adtfn = set->variant->adt[adt];
217 struct hash_ipportnet4_elem data = { .cidr = HOST_MASK - 1 }; 217 struct hash_ipportnet4_elem data = { .cidr = HOST_MASK - 1 };
218 u32 ip, ip_to = 0, p = 0, port, port_to; 218 u32 ip, ip_to, p = 0, port, port_to;
219 u32 ip2_from = 0, ip2_to, ip2_last, ip2; 219 u32 ip2_from, ip2_to, ip2_last, ip2;
220 u32 timeout = h->timeout; 220 u32 timeout = h->timeout;
221 bool with_ports = false; 221 bool with_ports = false;
222 u8 cidr; 222 u8 cidr;
@@ -286,6 +286,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
286 return ip_set_eexist(ret, flags) ? 0 : ret; 286 return ip_set_eexist(ret, flags) ? 0 : ret;
287 } 287 }
288 288
289 ip_to = ip;
289 if (tb[IPSET_ATTR_IP_TO]) { 290 if (tb[IPSET_ATTR_IP_TO]) {
290 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 291 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
291 if (ret) 292 if (ret)
@@ -306,6 +307,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
306 if (port > port_to) 307 if (port > port_to)
307 swap(port, port_to); 308 swap(port, port_to);
308 } 309 }
310
311 ip2_to = ip2_from;
309 if (tb[IPSET_ATTR_IP2_TO]) { 312 if (tb[IPSET_ATTR_IP2_TO]) {
310 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to); 313 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
311 if (ret) 314 if (ret)
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index b9a63381e349..45a101439bc5 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -793,7 +793,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
793 [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 793 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
794 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 794 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
795 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING, 795 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
796 .len = IPSET_MAXNAMELEN - 1 }, 796 .len = IFNAMSIZ - 1 },
797 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, 797 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
798 [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 798 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
799 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 799 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 7e7198b51c06..c4ee43710aab 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2589,6 +2589,8 @@ __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
2589 struct ip_vs_proto_data *pd; 2589 struct ip_vs_proto_data *pd;
2590#endif 2590#endif
2591 2591
2592 memset(u, 0, sizeof (*u));
2593
2592#ifdef CONFIG_IP_VS_PROTO_TCP 2594#ifdef CONFIG_IP_VS_PROTO_TCP
2593 pd = ip_vs_proto_data_get(net, IPPROTO_TCP); 2595 pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
2594 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ; 2596 u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
@@ -2766,7 +2768,6 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2766 { 2768 {
2767 struct ip_vs_timeout_user t; 2769 struct ip_vs_timeout_user t;
2768 2770
2769 memset(&t, 0, sizeof(t));
2770 __ip_vs_get_timeouts(net, &t); 2771 __ip_vs_get_timeouts(net, &t);
2771 if (copy_to_user(user, &t, sizeof(t)) != 0) 2772 if (copy_to_user(user, &t, sizeof(t)) != 0)
2772 ret = -EFAULT; 2773 ret = -EFAULT;
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 1b30b0dee708..962795e839ab 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -753,7 +753,8 @@ static int callforward_do_filter(const union nf_inet_addr *src,
753 flowi4_to_flowi(&fl1), false)) { 753 flowi4_to_flowi(&fl1), false)) {
754 if (!afinfo->route(&init_net, (struct dst_entry **)&rt2, 754 if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
755 flowi4_to_flowi(&fl2), false)) { 755 flowi4_to_flowi(&fl2), false)) {
756 if (rt1->rt_gateway == rt2->rt_gateway && 756 if (rt_nexthop(rt1, fl1.daddr) ==
757 rt_nexthop(rt2, fl2.daddr) &&
757 rt1->dst.dev == rt2->dst.dev) 758 rt1->dst.dev == rt2->dst.dev)
758 ret = 1; 759 ret = 1;
759 dst_release(&rt2->dst); 760 dst_release(&rt2->dst);
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 8847b4d8be06..701c88a20fea 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu
41static LIST_HEAD(cttimeout_list); 41static LIST_HEAD(cttimeout_list);
42 42
43static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = { 43static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
44 [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING }, 44 [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING,
45 .len = CTNL_TIMEOUT_NAME_MAX - 1},
45 [CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 }, 46 [CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
46 [CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 }, 47 [CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
47 [CTA_TIMEOUT_DATA] = { .type = NLA_NESTED }, 48 [CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 16c712563860..ae7f5daeee43 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -180,9 +180,9 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
180 typeof(nf_ct_timeout_find_get_hook) timeout_find_get; 180 typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
181 struct ctnl_timeout *timeout; 181 struct ctnl_timeout *timeout;
182 struct nf_conn_timeout *timeout_ext; 182 struct nf_conn_timeout *timeout_ext;
183 const struct ipt_entry *e = par->entryinfo;
184 struct nf_conntrack_l4proto *l4proto; 183 struct nf_conntrack_l4proto *l4proto;
185 int ret = 0; 184 int ret = 0;
185 u8 proto;
186 186
187 rcu_read_lock(); 187 rcu_read_lock();
188 timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook); 188 timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
@@ -192,9 +192,11 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
192 goto out; 192 goto out;
193 } 193 }
194 194
195 if (e->ip.invflags & IPT_INV_PROTO) { 195 proto = xt_ct_find_proto(par);
196 if (!proto) {
196 ret = -EINVAL; 197 ret = -EINVAL;
197 pr_info("You cannot use inversion on L4 protocol\n"); 198 pr_info("You must specify a L4 protocol, and not use "
199 "inversions on it.\n");
198 goto out; 200 goto out;
199 } 201 }
200 202
@@ -214,7 +216,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
214 /* Make sure the timeout policy matches any existing protocol tracker, 216 /* Make sure the timeout policy matches any existing protocol tracker,
215 * otherwise default to generic. 217 * otherwise default to generic.
216 */ 218 */
217 l4proto = __nf_ct_l4proto_find(par->family, e->ip.proto); 219 l4proto = __nf_ct_l4proto_find(par->family, proto);
218 if (timeout->l4proto->l4proto != l4proto->l4proto) { 220 if (timeout->l4proto->l4proto != l4proto->l4proto) {
219 ret = -EINVAL; 221 ret = -EINVAL;
220 pr_info("Timeout policy `%s' can only be used by L4 protocol " 222 pr_info("Timeout policy `%s' can only be used by L4 protocol "
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index ee2e5bc5a8c7..bd93e51d30ac 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -70,6 +70,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
70 fl4.daddr = info->gw.ip; 70 fl4.daddr = info->gw.ip;
71 fl4.flowi4_tos = RT_TOS(iph->tos); 71 fl4.flowi4_tos = RT_TOS(iph->tos);
72 fl4.flowi4_scope = RT_SCOPE_UNIVERSE; 72 fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
73 fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
73 rt = ip_route_output_key(net, &fl4); 74 rt = ip_route_output_key(net, &fl4);
74 if (IS_ERR(rt)) 75 if (IS_ERR(rt))
75 return false; 76 return false;
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index 81aafa8e4fef..bea7464cc43f 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -111,7 +111,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
111 .family = NFPROTO_IPV4, 111 .family = NFPROTO_IPV4,
112 .table = "nat", 112 .table = "nat",
113 .hooks = (1 << NF_INET_POST_ROUTING) | 113 .hooks = (1 << NF_INET_POST_ROUTING) |
114 (1 << NF_INET_LOCAL_OUT), 114 (1 << NF_INET_LOCAL_IN),
115 .me = THIS_MODULE, 115 .me = THIS_MODULE,
116 }, 116 },
117 { 117 {
@@ -123,7 +123,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
123 .family = NFPROTO_IPV4, 123 .family = NFPROTO_IPV4,
124 .table = "nat", 124 .table = "nat",
125 .hooks = (1 << NF_INET_PRE_ROUTING) | 125 .hooks = (1 << NF_INET_PRE_ROUTING) |
126 (1 << NF_INET_LOCAL_IN), 126 (1 << NF_INET_LOCAL_OUT),
127 .me = THIS_MODULE, 127 .me = THIS_MODULE,
128 }, 128 },
129 { 129 {
@@ -133,7 +133,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
133 .targetsize = sizeof(struct nf_nat_range), 133 .targetsize = sizeof(struct nf_nat_range),
134 .table = "nat", 134 .table = "nat",
135 .hooks = (1 << NF_INET_POST_ROUTING) | 135 .hooks = (1 << NF_INET_POST_ROUTING) |
136 (1 << NF_INET_LOCAL_OUT), 136 (1 << NF_INET_LOCAL_IN),
137 .me = THIS_MODULE, 137 .me = THIS_MODULE,
138 }, 138 },
139 { 139 {
@@ -143,7 +143,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
143 .targetsize = sizeof(struct nf_nat_range), 143 .targetsize = sizeof(struct nf_nat_range),
144 .table = "nat", 144 .table = "nat",
145 .hooks = (1 << NF_INET_PRE_ROUTING) | 145 .hooks = (1 << NF_INET_PRE_ROUTING) |
146 (1 << NF_INET_LOCAL_IN), 146 (1 << NF_INET_LOCAL_OUT),
147 .me = THIS_MODULE, 147 .me = THIS_MODULE,
148 }, 148 },
149}; 149};
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 01e944a017a4..4da797fa5ec5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -138,6 +138,8 @@ static int netlink_dump(struct sock *sk);
138static DEFINE_RWLOCK(nl_table_lock); 138static DEFINE_RWLOCK(nl_table_lock);
139static atomic_t nl_table_users = ATOMIC_INIT(0); 139static atomic_t nl_table_users = ATOMIC_INIT(0);
140 140
141#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
142
141static ATOMIC_NOTIFIER_HEAD(netlink_chain); 143static ATOMIC_NOTIFIER_HEAD(netlink_chain);
142 144
143static inline u32 netlink_group_mask(u32 group) 145static inline u32 netlink_group_mask(u32 group)
@@ -345,6 +347,11 @@ netlink_update_listeners(struct sock *sk)
345 struct hlist_node *node; 347 struct hlist_node *node;
346 unsigned long mask; 348 unsigned long mask;
347 unsigned int i; 349 unsigned int i;
350 struct listeners *listeners;
351
352 listeners = nl_deref_protected(tbl->listeners);
353 if (!listeners)
354 return;
348 355
349 for (i = 0; i < NLGRPLONGS(tbl->groups); i++) { 356 for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
350 mask = 0; 357 mask = 0;
@@ -352,7 +359,7 @@ netlink_update_listeners(struct sock *sk)
352 if (i < NLGRPLONGS(nlk_sk(sk)->ngroups)) 359 if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
353 mask |= nlk_sk(sk)->groups[i]; 360 mask |= nlk_sk(sk)->groups[i];
354 } 361 }
355 tbl->listeners->masks[i] = mask; 362 listeners->masks[i] = mask;
356 } 363 }
357 /* this function is only called with the netlink table "grabbed", which 364 /* this function is only called with the netlink table "grabbed", which
358 * makes sure updates are visible before bind or setsockopt return. */ 365 * makes sure updates are visible before bind or setsockopt return. */
@@ -536,7 +543,11 @@ static int netlink_release(struct socket *sock)
536 if (netlink_is_kernel(sk)) { 543 if (netlink_is_kernel(sk)) {
537 BUG_ON(nl_table[sk->sk_protocol].registered == 0); 544 BUG_ON(nl_table[sk->sk_protocol].registered == 0);
538 if (--nl_table[sk->sk_protocol].registered == 0) { 545 if (--nl_table[sk->sk_protocol].registered == 0) {
539 kfree(nl_table[sk->sk_protocol].listeners); 546 struct listeners *old;
547
548 old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
549 RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
550 kfree_rcu(old, rcu);
540 nl_table[sk->sk_protocol].module = NULL; 551 nl_table[sk->sk_protocol].module = NULL;
541 nl_table[sk->sk_protocol].bind = NULL; 552 nl_table[sk->sk_protocol].bind = NULL;
542 nl_table[sk->sk_protocol].flags = 0; 553 nl_table[sk->sk_protocol].flags = 0;
@@ -982,7 +993,7 @@ int netlink_has_listeners(struct sock *sk, unsigned int group)
982 rcu_read_lock(); 993 rcu_read_lock();
983 listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners); 994 listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
984 995
985 if (group - 1 < nl_table[sk->sk_protocol].groups) 996 if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
986 res = test_bit(group - 1, listeners->masks); 997 res = test_bit(group - 1, listeners->masks);
987 998
988 rcu_read_unlock(); 999 rcu_read_unlock();
@@ -1625,7 +1636,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
1625 new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC); 1636 new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
1626 if (!new) 1637 if (!new)
1627 return -ENOMEM; 1638 return -ENOMEM;
1628 old = rcu_dereference_protected(tbl->listeners, 1); 1639 old = nl_deref_protected(tbl->listeners);
1629 memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups)); 1640 memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
1630 rcu_assign_pointer(tbl->listeners, new); 1641 rcu_assign_pointer(tbl->listeners, new);
1631 1642
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index cc10d073c338..9e8f4b2801f6 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -1210,7 +1210,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
1210 local->remote_miu = LLCP_DEFAULT_MIU; 1210 local->remote_miu = LLCP_DEFAULT_MIU;
1211 local->remote_lto = LLCP_DEFAULT_LTO; 1211 local->remote_lto = LLCP_DEFAULT_LTO;
1212 1212
1213 list_add(&llcp_devices, &local->list); 1213 list_add(&local->list, &llcp_devices);
1214 1214
1215 return 0; 1215 return 0;
1216} 1216}
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 98c70630ad06..733cbf49ed1f 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -702,15 +702,11 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key,
702 /* We only match on the lower 8 bits of the opcode. */ 702 /* We only match on the lower 8 bits of the opcode. */
703 if (ntohs(arp->ar_op) <= 0xff) 703 if (ntohs(arp->ar_op) <= 0xff)
704 key->ip.proto = ntohs(arp->ar_op); 704 key->ip.proto = ntohs(arp->ar_op);
705 705 memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src));
706 if (key->ip.proto == ARPOP_REQUEST 706 memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst));
707 || key->ip.proto == ARPOP_REPLY) { 707 memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
708 memcpy(&key->ipv4.addr.src, arp->ar_sip, sizeof(key->ipv4.addr.src)); 708 memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
709 memcpy(&key->ipv4.addr.dst, arp->ar_tip, sizeof(key->ipv4.addr.dst)); 709 key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
710 memcpy(key->ipv4.arp.sha, arp->ar_sha, ETH_ALEN);
711 memcpy(key->ipv4.arp.tha, arp->ar_tha, ETH_ALEN);
712 key_len = SW_FLOW_KEY_OFFSET(ipv4.arp);
713 }
714 } 710 }
715 } else if (key->eth.type == htons(ETH_P_IPV6)) { 711 } else if (key->eth.type == htons(ETH_P_IPV6)) {
716 int nh_len; /* IPv6 Header + Extensions */ 712 int nh_len; /* IPv6 Header + Extensions */
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 3c1e58ba714b..a9033481fa5e 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -158,7 +158,7 @@ static int netdev_send(struct vport *vport, struct sk_buff *skb)
158 158
159 if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) { 159 if (unlikely(packet_length(skb) > mtu && !skb_is_gso(skb))) {
160 net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n", 160 net_warn_ratelimited("%s: dropped over-mtu packet: %d > %d\n",
161 ovs_dp_name(vport->dp), 161 netdev_vport->dev->name,
162 packet_length(skb), mtu); 162 packet_length(skb), mtu);
163 goto error; 163 goto error;
164 } 164 }
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index f0dd83cff906..9687fa1c2275 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -84,18 +84,19 @@
84 * grp->index is the index of the group; and grp->slot_shift 84 * grp->index is the index of the group; and grp->slot_shift
85 * is the shift for the corresponding (scaled) sigma_i. 85 * is the shift for the corresponding (scaled) sigma_i.
86 */ 86 */
87#define QFQ_MAX_INDEX 19 87#define QFQ_MAX_INDEX 24
88#define QFQ_MAX_WSHIFT 16 88#define QFQ_MAX_WSHIFT 12
89 89
90#define QFQ_MAX_WEIGHT (1<<QFQ_MAX_WSHIFT) 90#define QFQ_MAX_WEIGHT (1<<QFQ_MAX_WSHIFT)
91#define QFQ_MAX_WSUM (2*QFQ_MAX_WEIGHT) 91#define QFQ_MAX_WSUM (16*QFQ_MAX_WEIGHT)
92 92
93#define FRAC_BITS 30 /* fixed point arithmetic */ 93#define FRAC_BITS 30 /* fixed point arithmetic */
94#define ONE_FP (1UL << FRAC_BITS) 94#define ONE_FP (1UL << FRAC_BITS)
95#define IWSUM (ONE_FP/QFQ_MAX_WSUM) 95#define IWSUM (ONE_FP/QFQ_MAX_WSUM)
96 96
97#define QFQ_MTU_SHIFT 11 97#define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */
98#define QFQ_MIN_SLOT_SHIFT (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX) 98#define QFQ_MIN_SLOT_SHIFT (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX)
99#define QFQ_MIN_LMAX 256 /* min possible lmax for a class */
99 100
100/* 101/*
101 * Possible group states. These values are used as indexes for the bitmaps 102 * Possible group states. These values are used as indexes for the bitmaps
@@ -231,6 +232,32 @@ static void qfq_update_class_params(struct qfq_sched *q, struct qfq_class *cl,
231 q->wsum += delta_w; 232 q->wsum += delta_w;
232} 233}
233 234
235static void qfq_update_reactivate_class(struct qfq_sched *q,
236 struct qfq_class *cl,
237 u32 inv_w, u32 lmax, int delta_w)
238{
239 bool need_reactivation = false;
240 int i = qfq_calc_index(inv_w, lmax);
241
242 if (&q->groups[i] != cl->grp && cl->qdisc->q.qlen > 0) {
243 /*
244 * shift cl->F back, to not charge the
245 * class for the not-yet-served head
246 * packet
247 */
248 cl->F = cl->S;
249 /* remove class from its slot in the old group */
250 qfq_deactivate_class(q, cl);
251 need_reactivation = true;
252 }
253
254 qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
255
256 if (need_reactivation) /* activate in new group */
257 qfq_activate_class(q, cl, qdisc_peek_len(cl->qdisc));
258}
259
260
234static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, 261static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
235 struct nlattr **tca, unsigned long *arg) 262 struct nlattr **tca, unsigned long *arg)
236{ 263{
@@ -238,7 +265,7 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
238 struct qfq_class *cl = (struct qfq_class *)*arg; 265 struct qfq_class *cl = (struct qfq_class *)*arg;
239 struct nlattr *tb[TCA_QFQ_MAX + 1]; 266 struct nlattr *tb[TCA_QFQ_MAX + 1];
240 u32 weight, lmax, inv_w; 267 u32 weight, lmax, inv_w;
241 int i, err; 268 int err;
242 int delta_w; 269 int delta_w;
243 270
244 if (tca[TCA_OPTIONS] == NULL) { 271 if (tca[TCA_OPTIONS] == NULL) {
@@ -270,16 +297,14 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
270 297
271 if (tb[TCA_QFQ_LMAX]) { 298 if (tb[TCA_QFQ_LMAX]) {
272 lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); 299 lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
273 if (!lmax || lmax > (1UL << QFQ_MTU_SHIFT)) { 300 if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
274 pr_notice("qfq: invalid max length %u\n", lmax); 301 pr_notice("qfq: invalid max length %u\n", lmax);
275 return -EINVAL; 302 return -EINVAL;
276 } 303 }
277 } else 304 } else
278 lmax = 1UL << QFQ_MTU_SHIFT; 305 lmax = psched_mtu(qdisc_dev(sch));
279 306
280 if (cl != NULL) { 307 if (cl != NULL) {
281 bool need_reactivation = false;
282
283 if (tca[TCA_RATE]) { 308 if (tca[TCA_RATE]) {
284 err = gen_replace_estimator(&cl->bstats, &cl->rate_est, 309 err = gen_replace_estimator(&cl->bstats, &cl->rate_est,
285 qdisc_root_sleeping_lock(sch), 310 qdisc_root_sleeping_lock(sch),
@@ -291,24 +316,8 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
291 if (lmax == cl->lmax && inv_w == cl->inv_w) 316 if (lmax == cl->lmax && inv_w == cl->inv_w)
292 return 0; /* nothing to update */ 317 return 0; /* nothing to update */
293 318
294 i = qfq_calc_index(inv_w, lmax);
295 sch_tree_lock(sch); 319 sch_tree_lock(sch);
296 if (&q->groups[i] != cl->grp && cl->qdisc->q.qlen > 0) { 320 qfq_update_reactivate_class(q, cl, inv_w, lmax, delta_w);
297 /*
298 * shift cl->F back, to not charge the
299 * class for the not-yet-served head
300 * packet
301 */
302 cl->F = cl->S;
303 /* remove class from its slot in the old group */
304 qfq_deactivate_class(q, cl);
305 need_reactivation = true;
306 }
307
308 qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
309
310 if (need_reactivation) /* activate in new group */
311 qfq_activate_class(q, cl, qdisc_peek_len(cl->qdisc));
312 sch_tree_unlock(sch); 321 sch_tree_unlock(sch);
313 322
314 return 0; 323 return 0;
@@ -663,15 +672,48 @@ static void qfq_make_eligible(struct qfq_sched *q, u64 old_V)
663 672
664 673
665/* 674/*
666 * XXX we should make sure that slot becomes less than 32. 675 * If the weight and lmax (max_pkt_size) of the classes do not change,
667 * This is guaranteed by the input values. 676 * then QFQ guarantees that the slot index is never higher than
668 * roundedS is always cl->S rounded on grp->slot_shift bits. 677 * 2 + ((1<<QFQ_MTU_SHIFT)/QFQ_MIN_LMAX) * (QFQ_MAX_WEIGHT/QFQ_MAX_WSUM).
678 *
679 * With the current values of the above constants, the index is
680 * then guaranteed to never be higher than 2 + 256 * (1 / 16) = 18.
681 *
682 * When the weight of a class is increased or the lmax of the class is
683 * decreased, a new class with smaller slot size may happen to be
684 * activated. The activation of this class should be properly delayed
685 * to when the service of the class has finished in the ideal system
686 * tracked by QFQ. If the activation of the class is not delayed to
687 * this reference time instant, then this class may be unjustly served
688 * before other classes waiting for service. This may cause
689 * (unfrequently) the above bound to the slot index to be violated for
690 * some of these unlucky classes.
691 *
692 * Instead of delaying the activation of the new class, which is quite
693 * complex, the following inaccurate but simple solution is used: if
694 * the slot index is higher than QFQ_MAX_SLOTS-2, then the timestamps
695 * of the class are shifted backward so as to let the slot index
696 * become equal to QFQ_MAX_SLOTS-2. This threshold is used because, if
697 * the slot index is above it, then the data structure implementing
698 * the bucket list either gets immediately corrupted or may get
699 * corrupted on a possible next packet arrival that causes the start
700 * time of the group to be shifted backward.
669 */ 701 */
670static void qfq_slot_insert(struct qfq_group *grp, struct qfq_class *cl, 702static void qfq_slot_insert(struct qfq_group *grp, struct qfq_class *cl,
671 u64 roundedS) 703 u64 roundedS)
672{ 704{
673 u64 slot = (roundedS - grp->S) >> grp->slot_shift; 705 u64 slot = (roundedS - grp->S) >> grp->slot_shift;
674 unsigned int i = (grp->front + slot) % QFQ_MAX_SLOTS; 706 unsigned int i; /* slot index in the bucket list */
707
708 if (unlikely(slot > QFQ_MAX_SLOTS - 2)) {
709 u64 deltaS = roundedS - grp->S -
710 ((u64)(QFQ_MAX_SLOTS - 2)<<grp->slot_shift);
711 cl->S -= deltaS;
712 cl->F -= deltaS;
713 slot = QFQ_MAX_SLOTS - 2;
714 }
715
716 i = (grp->front + slot) % QFQ_MAX_SLOTS;
675 717
676 hlist_add_head(&cl->next, &grp->slots[i]); 718 hlist_add_head(&cl->next, &grp->slots[i]);
677 __set_bit(slot, &grp->full_slots); 719 __set_bit(slot, &grp->full_slots);
@@ -892,6 +934,13 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
892 } 934 }
893 pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid); 935 pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
894 936
937 if (unlikely(cl->lmax < qdisc_pkt_len(skb))) {
938 pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
939 cl->lmax, qdisc_pkt_len(skb), cl->common.classid);
940 qfq_update_reactivate_class(q, cl, cl->inv_w,
941 qdisc_pkt_len(skb), 0);
942 }
943
895 err = qdisc_enqueue(skb, cl->qdisc); 944 err = qdisc_enqueue(skb, cl->qdisc);
896 if (unlikely(err != NET_XMIT_SUCCESS)) { 945 if (unlikely(err != NET_XMIT_SUCCESS)) {
897 pr_debug("qfq_enqueue: enqueue failed %d\n", err); 946 pr_debug("qfq_enqueue: enqueue failed %d\n", err);
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 7c2df9c33df3..69ce21e3716f 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -183,7 +183,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
183 183
184 msg = sctp_datamsg_new(GFP_KERNEL); 184 msg = sctp_datamsg_new(GFP_KERNEL);
185 if (!msg) 185 if (!msg)
186 return NULL; 186 return ERR_PTR(-ENOMEM);
187 187
188 /* Note: Calculate this outside of the loop, so that all fragments 188 /* Note: Calculate this outside of the loop, so that all fragments
189 * have the same expiration. 189 * have the same expiration.
@@ -280,11 +280,14 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
280 280
281 chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0); 281 chunk = sctp_make_datafrag_empty(asoc, sinfo, len, frag, 0);
282 282
283 if (!chunk) 283 if (!chunk) {
284 err = -ENOMEM;
284 goto errout; 285 goto errout;
286 }
287
285 err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov); 288 err = sctp_user_addto_chunk(chunk, offset, len, msgh->msg_iov);
286 if (err < 0) 289 if (err < 0)
287 goto errout; 290 goto errout_chunk_free;
288 291
289 offset += len; 292 offset += len;
290 293
@@ -315,8 +318,10 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
315 318
316 chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0); 319 chunk = sctp_make_datafrag_empty(asoc, sinfo, over, frag, 0);
317 320
318 if (!chunk) 321 if (!chunk) {
322 err = -ENOMEM;
319 goto errout; 323 goto errout;
324 }
320 325
321 err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov); 326 err = sctp_user_addto_chunk(chunk, offset, over,msgh->msg_iov);
322 327
@@ -324,7 +329,7 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
324 __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr 329 __skb_pull(chunk->skb, (__u8 *)chunk->chunk_hdr
325 - (__u8 *)chunk->skb->data); 330 - (__u8 *)chunk->skb->data);
326 if (err < 0) 331 if (err < 0)
327 goto errout; 332 goto errout_chunk_free;
328 333
329 sctp_datamsg_assign(msg, chunk); 334 sctp_datamsg_assign(msg, chunk);
330 list_add_tail(&chunk->frag_list, &msg->chunks); 335 list_add_tail(&chunk->frag_list, &msg->chunks);
@@ -332,6 +337,9 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
332 337
333 return msg; 338 return msg;
334 339
340errout_chunk_free:
341 sctp_chunk_free(chunk);
342
335errout: 343errout:
336 list_for_each_safe(pos, temp, &msg->chunks) { 344 list_for_each_safe(pos, temp, &msg->chunks) {
337 list_del_init(pos); 345 list_del_init(pos);
@@ -339,7 +347,7 @@ errout:
339 sctp_chunk_free(chunk); 347 sctp_chunk_free(chunk);
340 } 348 }
341 sctp_datamsg_put(msg); 349 sctp_datamsg_put(msg);
342 return NULL; 350 return ERR_PTR(err);
343} 351}
344 352
345/* Check whether this message has expired. */ 353/* Check whether this message has expired. */
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index c3bea269faf4..9966e7b16451 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -102,7 +102,7 @@ static const struct file_operations sctp_snmp_seq_fops = {
102 .open = sctp_snmp_seq_open, 102 .open = sctp_snmp_seq_open,
103 .read = seq_read, 103 .read = seq_read,
104 .llseek = seq_lseek, 104 .llseek = seq_lseek,
105 .release = single_release, 105 .release = single_release_net,
106}; 106};
107 107
108/* Set up the proc fs entry for 'snmp' object. */ 108/* Set up the proc fs entry for 'snmp' object. */
@@ -251,7 +251,7 @@ static const struct file_operations sctp_eps_seq_fops = {
251 .open = sctp_eps_seq_open, 251 .open = sctp_eps_seq_open,
252 .read = seq_read, 252 .read = seq_read,
253 .llseek = seq_lseek, 253 .llseek = seq_lseek,
254 .release = seq_release, 254 .release = seq_release_net,
255}; 255};
256 256
257/* Set up the proc fs entry for 'eps' object. */ 257/* Set up the proc fs entry for 'eps' object. */
@@ -372,7 +372,7 @@ static const struct file_operations sctp_assocs_seq_fops = {
372 .open = sctp_assocs_seq_open, 372 .open = sctp_assocs_seq_open,
373 .read = seq_read, 373 .read = seq_read,
374 .llseek = seq_lseek, 374 .llseek = seq_lseek,
375 .release = seq_release, 375 .release = seq_release_net,
376}; 376};
377 377
378/* Set up the proc fs entry for 'assocs' object. */ 378/* Set up the proc fs entry for 'assocs' object. */
@@ -517,7 +517,7 @@ static const struct file_operations sctp_remaddr_seq_fops = {
517 .open = sctp_remaddr_seq_open, 517 .open = sctp_remaddr_seq_open,
518 .read = seq_read, 518 .read = seq_read,
519 .llseek = seq_lseek, 519 .llseek = seq_lseek,
520 .release = seq_release, 520 .release = seq_release_net,
521}; 521};
522 522
523int __net_init sctp_remaddr_proc_init(struct net *net) 523int __net_init sctp_remaddr_proc_init(struct net *net)
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 57f7de839b03..6773d7803627 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1642,8 +1642,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
1642 asoc->outqueue.outstanding_bytes; 1642 asoc->outqueue.outstanding_bytes;
1643 sackh.num_gap_ack_blocks = 0; 1643 sackh.num_gap_ack_blocks = 0;
1644 sackh.num_dup_tsns = 0; 1644 sackh.num_dup_tsns = 0;
1645 chunk->subh.sack_hdr = &sackh;
1645 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK, 1646 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
1646 SCTP_SACKH(&sackh)); 1647 SCTP_CHUNK(chunk));
1647 break; 1648 break;
1648 1649
1649 case SCTP_CMD_DISCARD_PACKET: 1650 case SCTP_CMD_DISCARD_PACKET:
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 59d16ea927f0..406d957d08fb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -974,7 +974,7 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk,
974 void *addr_buf; 974 void *addr_buf;
975 struct sctp_af *af; 975 struct sctp_af *af;
976 976
977 SCTP_DEBUG_PRINTK("sctp_setsocktopt_bindx: sk %p addrs %p" 977 SCTP_DEBUG_PRINTK("sctp_setsockopt_bindx: sk %p addrs %p"
978 " addrs_size %d opt %d\n", sk, addrs, addrs_size, op); 978 " addrs_size %d opt %d\n", sk, addrs, addrs_size, op);
979 979
980 if (unlikely(addrs_size <= 0)) 980 if (unlikely(addrs_size <= 0))
@@ -1915,8 +1915,8 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
1915 1915
1916 /* Break the message into multiple chunks of maximum size. */ 1916 /* Break the message into multiple chunks of maximum size. */
1917 datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len); 1917 datamsg = sctp_datamsg_from_user(asoc, sinfo, msg, msg_len);
1918 if (!datamsg) { 1918 if (IS_ERR(datamsg)) {
1919 err = -ENOMEM; 1919 err = PTR_ERR(datamsg);
1920 goto out_free; 1920 goto out_free;
1921 } 1921 }
1922 1922
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 953c21e4af97..206cf5238fd3 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -331,7 +331,7 @@ void sctp_transport_update_rto(struct sctp_transport *tp, __u32 rtt)
331 * 1/8, rto_alpha would be expressed as 3. 331 * 1/8, rto_alpha would be expressed as 3.
332 */ 332 */
333 tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta) 333 tp->rttvar = tp->rttvar - (tp->rttvar >> net->sctp.rto_beta)
334 + ((abs(tp->srtt - rtt)) >> net->sctp.rto_beta); 334 + (((__u32)abs64((__s64)tp->srtt - (__s64)rtt)) >> net->sctp.rto_beta);
335 tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha) 335 tp->srtt = tp->srtt - (tp->srtt >> net->sctp.rto_alpha)
336 + (rtt >> net->sctp.rto_alpha); 336 + (rtt >> net->sctp.rto_alpha);
337 } else { 337 } else {
diff --git a/net/sunrpc/backchannel_rqst.c b/net/sunrpc/backchannel_rqst.c
index 5a3d675d2f2f..a9c0bbccad6b 100644
--- a/net/sunrpc/backchannel_rqst.c
+++ b/net/sunrpc/backchannel_rqst.c
@@ -172,7 +172,7 @@ out_free:
172 xprt_free_allocation(req); 172 xprt_free_allocation(req);
173 173
174 dprintk("RPC: setup backchannel transport failed\n"); 174 dprintk("RPC: setup backchannel transport failed\n");
175 return -1; 175 return -ENOMEM;
176} 176}
177EXPORT_SYMBOL_GPL(xprt_setup_backchannel); 177EXPORT_SYMBOL_GPL(xprt_setup_backchannel);
178 178
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 2a68bb3db772..fc2f7aa4dca7 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1409,11 +1409,11 @@ static ssize_t read_flush(struct file *file, char __user *buf,
1409 size_t count, loff_t *ppos, 1409 size_t count, loff_t *ppos,
1410 struct cache_detail *cd) 1410 struct cache_detail *cd)
1411{ 1411{
1412 char tbuf[20]; 1412 char tbuf[22];
1413 unsigned long p = *ppos; 1413 unsigned long p = *ppos;
1414 size_t len; 1414 size_t len;
1415 1415
1416 sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time)); 1416 snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time));
1417 len = strlen(tbuf); 1417 len = strlen(tbuf);
1418 if (p >= len) 1418 if (p >= len)
1419 return 0; 1419 return 0;
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index aaaadfbe36e9..75853cabf4c9 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -254,7 +254,6 @@ struct sock_xprt {
254 void (*old_data_ready)(struct sock *, int); 254 void (*old_data_ready)(struct sock *, int);
255 void (*old_state_change)(struct sock *); 255 void (*old_state_change)(struct sock *);
256 void (*old_write_space)(struct sock *); 256 void (*old_write_space)(struct sock *);
257 void (*old_error_report)(struct sock *);
258}; 257};
259 258
260/* 259/*
@@ -737,10 +736,10 @@ static int xs_tcp_send_request(struct rpc_task *task)
737 dprintk("RPC: sendmsg returned unrecognized error %d\n", 736 dprintk("RPC: sendmsg returned unrecognized error %d\n",
738 -status); 737 -status);
739 case -ECONNRESET: 738 case -ECONNRESET:
740 case -EPIPE:
741 xs_tcp_shutdown(xprt); 739 xs_tcp_shutdown(xprt);
742 case -ECONNREFUSED: 740 case -ECONNREFUSED:
743 case -ENOTCONN: 741 case -ENOTCONN:
742 case -EPIPE:
744 clear_bit(SOCK_ASYNC_NOSPACE, &transport->sock->flags); 743 clear_bit(SOCK_ASYNC_NOSPACE, &transport->sock->flags);
745 } 744 }
746 745
@@ -781,7 +780,6 @@ static void xs_save_old_callbacks(struct sock_xprt *transport, struct sock *sk)
781 transport->old_data_ready = sk->sk_data_ready; 780 transport->old_data_ready = sk->sk_data_ready;
782 transport->old_state_change = sk->sk_state_change; 781 transport->old_state_change = sk->sk_state_change;
783 transport->old_write_space = sk->sk_write_space; 782 transport->old_write_space = sk->sk_write_space;
784 transport->old_error_report = sk->sk_error_report;
785} 783}
786 784
787static void xs_restore_old_callbacks(struct sock_xprt *transport, struct sock *sk) 785static void xs_restore_old_callbacks(struct sock_xprt *transport, struct sock *sk)
@@ -789,7 +787,6 @@ static void xs_restore_old_callbacks(struct sock_xprt *transport, struct sock *s
789 sk->sk_data_ready = transport->old_data_ready; 787 sk->sk_data_ready = transport->old_data_ready;
790 sk->sk_state_change = transport->old_state_change; 788 sk->sk_state_change = transport->old_state_change;
791 sk->sk_write_space = transport->old_write_space; 789 sk->sk_write_space = transport->old_write_space;
792 sk->sk_error_report = transport->old_error_report;
793} 790}
794 791
795static void xs_reset_transport(struct sock_xprt *transport) 792static void xs_reset_transport(struct sock_xprt *transport)
@@ -1453,7 +1450,7 @@ static void xs_tcp_cancel_linger_timeout(struct rpc_xprt *xprt)
1453 xprt_clear_connecting(xprt); 1450 xprt_clear_connecting(xprt);
1454} 1451}
1455 1452
1456static void xs_sock_mark_closed(struct rpc_xprt *xprt) 1453static void xs_sock_reset_connection_flags(struct rpc_xprt *xprt)
1457{ 1454{
1458 smp_mb__before_clear_bit(); 1455 smp_mb__before_clear_bit();
1459 clear_bit(XPRT_CONNECTION_ABORT, &xprt->state); 1456 clear_bit(XPRT_CONNECTION_ABORT, &xprt->state);
@@ -1461,6 +1458,11 @@ static void xs_sock_mark_closed(struct rpc_xprt *xprt)
1461 clear_bit(XPRT_CLOSE_WAIT, &xprt->state); 1458 clear_bit(XPRT_CLOSE_WAIT, &xprt->state);
1462 clear_bit(XPRT_CLOSING, &xprt->state); 1459 clear_bit(XPRT_CLOSING, &xprt->state);
1463 smp_mb__after_clear_bit(); 1460 smp_mb__after_clear_bit();
1461}
1462
1463static void xs_sock_mark_closed(struct rpc_xprt *xprt)
1464{
1465 xs_sock_reset_connection_flags(xprt);
1464 /* Mark transport as closed and wake up all pending tasks */ 1466 /* Mark transport as closed and wake up all pending tasks */
1465 xprt_disconnect_done(xprt); 1467 xprt_disconnect_done(xprt);
1466} 1468}
@@ -1516,6 +1518,7 @@ static void xs_tcp_state_change(struct sock *sk)
1516 case TCP_CLOSE_WAIT: 1518 case TCP_CLOSE_WAIT:
1517 /* The server initiated a shutdown of the socket */ 1519 /* The server initiated a shutdown of the socket */
1518 xprt->connect_cookie++; 1520 xprt->connect_cookie++;
1521 clear_bit(XPRT_CONNECTED, &xprt->state);
1519 xs_tcp_force_close(xprt); 1522 xs_tcp_force_close(xprt);
1520 case TCP_CLOSING: 1523 case TCP_CLOSING:
1521 /* 1524 /*
@@ -1540,25 +1543,6 @@ static void xs_tcp_state_change(struct sock *sk)
1540 read_unlock_bh(&sk->sk_callback_lock); 1543 read_unlock_bh(&sk->sk_callback_lock);
1541} 1544}
1542 1545
1543/**
1544 * xs_error_report - callback mainly for catching socket errors
1545 * @sk: socket
1546 */
1547static void xs_error_report(struct sock *sk)
1548{
1549 struct rpc_xprt *xprt;
1550
1551 read_lock_bh(&sk->sk_callback_lock);
1552 if (!(xprt = xprt_from_sock(sk)))
1553 goto out;
1554 dprintk("RPC: %s client %p...\n"
1555 "RPC: error %d\n",
1556 __func__, xprt, sk->sk_err);
1557 xprt_wake_pending_tasks(xprt, -EAGAIN);
1558out:
1559 read_unlock_bh(&sk->sk_callback_lock);
1560}
1561
1562static void xs_write_space(struct sock *sk) 1546static void xs_write_space(struct sock *sk)
1563{ 1547{
1564 struct socket *sock; 1548 struct socket *sock;
@@ -1858,7 +1842,6 @@ static int xs_local_finish_connecting(struct rpc_xprt *xprt,
1858 sk->sk_user_data = xprt; 1842 sk->sk_user_data = xprt;
1859 sk->sk_data_ready = xs_local_data_ready; 1843 sk->sk_data_ready = xs_local_data_ready;
1860 sk->sk_write_space = xs_udp_write_space; 1844 sk->sk_write_space = xs_udp_write_space;
1861 sk->sk_error_report = xs_error_report;
1862 sk->sk_allocation = GFP_ATOMIC; 1845 sk->sk_allocation = GFP_ATOMIC;
1863 1846
1864 xprt_clear_connected(xprt); 1847 xprt_clear_connected(xprt);
@@ -1983,7 +1966,6 @@ static void xs_udp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock)
1983 sk->sk_user_data = xprt; 1966 sk->sk_user_data = xprt;
1984 sk->sk_data_ready = xs_udp_data_ready; 1967 sk->sk_data_ready = xs_udp_data_ready;
1985 sk->sk_write_space = xs_udp_write_space; 1968 sk->sk_write_space = xs_udp_write_space;
1986 sk->sk_error_report = xs_error_report;
1987 sk->sk_no_check = UDP_CSUM_NORCV; 1969 sk->sk_no_check = UDP_CSUM_NORCV;
1988 sk->sk_allocation = GFP_ATOMIC; 1970 sk->sk_allocation = GFP_ATOMIC;
1989 1971
@@ -2050,10 +2032,8 @@ static void xs_abort_connection(struct sock_xprt *transport)
2050 any.sa_family = AF_UNSPEC; 2032 any.sa_family = AF_UNSPEC;
2051 result = kernel_connect(transport->sock, &any, sizeof(any), 0); 2033 result = kernel_connect(transport->sock, &any, sizeof(any), 0);
2052 if (!result) 2034 if (!result)
2053 xs_sock_mark_closed(&transport->xprt); 2035 xs_sock_reset_connection_flags(&transport->xprt);
2054 else 2036 dprintk("RPC: AF_UNSPEC connect return code %d\n", result);
2055 dprintk("RPC: AF_UNSPEC connect return code %d\n",
2056 result);
2057} 2037}
2058 2038
2059static void xs_tcp_reuse_connection(struct sock_xprt *transport) 2039static void xs_tcp_reuse_connection(struct sock_xprt *transport)
@@ -2098,7 +2078,6 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock)
2098 sk->sk_data_ready = xs_tcp_data_ready; 2078 sk->sk_data_ready = xs_tcp_data_ready;
2099 sk->sk_state_change = xs_tcp_state_change; 2079 sk->sk_state_change = xs_tcp_state_change;
2100 sk->sk_write_space = xs_tcp_write_space; 2080 sk->sk_write_space = xs_tcp_write_space;
2101 sk->sk_error_report = xs_error_report;
2102 sk->sk_allocation = GFP_ATOMIC; 2081 sk->sk_allocation = GFP_ATOMIC;
2103 2082
2104 /* socket options */ 2083 /* socket options */
diff --git a/net/tipc/handler.c b/net/tipc/handler.c
index 111ff8300ae5..b36f0fcd9bdf 100644
--- a/net/tipc/handler.c
+++ b/net/tipc/handler.c
@@ -116,7 +116,6 @@ void tipc_handler_stop(void)
116 return; 116 return;
117 117
118 handler_enabled = 0; 118 handler_enabled = 0;
119 tasklet_disable(&tipc_tasklet);
120 tasklet_kill(&tipc_tasklet); 119 tasklet_kill(&tipc_tasklet);
121 120
122 spin_lock_bh(&qitem_lock); 121 spin_lock_bh(&qitem_lock);
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 443d4d7deea2..3f7253052088 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -526,8 +526,7 @@ int wiphy_register(struct wiphy *wiphy)
526 for (i = 0; i < sband->n_channels; i++) { 526 for (i = 0; i < sband->n_channels; i++) {
527 sband->channels[i].orig_flags = 527 sband->channels[i].orig_flags =
528 sband->channels[i].flags; 528 sband->channels[i].flags;
529 sband->channels[i].orig_mag = 529 sband->channels[i].orig_mag = INT_MAX;
530 sband->channels[i].max_antenna_gain;
531 sband->channels[i].orig_mpwr = 530 sband->channels[i].orig_mpwr =
532 sband->channels[i].max_power; 531 sband->channels[i].max_power;
533 sband->channels[i].band = band; 532 sband->channels[i].band = band;
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 8016fee0752b..904a7f368325 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -457,20 +457,14 @@ int __cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev,
457 .reason_code = reason, 457 .reason_code = reason,
458 .ie = ie, 458 .ie = ie,
459 .ie_len = ie_len, 459 .ie_len = ie_len,
460 .local_state_change = local_state_change,
460 }; 461 };
461 462
462 ASSERT_WDEV_LOCK(wdev); 463 ASSERT_WDEV_LOCK(wdev);
463 464
464 if (local_state_change) { 465 if (local_state_change && (!wdev->current_bss ||
465 if (wdev->current_bss && 466 !ether_addr_equal(wdev->current_bss->pub.bssid, bssid)))
466 ether_addr_equal(wdev->current_bss->pub.bssid, bssid)) {
467 cfg80211_unhold_bss(wdev->current_bss);
468 cfg80211_put_bss(&wdev->current_bss->pub);
469 wdev->current_bss = NULL;
470 }
471
472 return 0; 467 return 0;
473 }
474 468
475 return rdev->ops->deauth(&rdev->wiphy, dev, &req); 469 return rdev->ops->deauth(&rdev->wiphy, dev, &req);
476} 470}
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 3b8cbbc214db..b75756b05af7 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -141,9 +141,8 @@ static const struct ieee80211_regdomain world_regdom = {
141 .reg_rules = { 141 .reg_rules = {
142 /* IEEE 802.11b/g, channels 1..11 */ 142 /* IEEE 802.11b/g, channels 1..11 */
143 REG_RULE(2412-10, 2462+10, 40, 6, 20, 0), 143 REG_RULE(2412-10, 2462+10, 40, 6, 20, 0),
144 /* IEEE 802.11b/g, channels 12..13. No HT40 144 /* IEEE 802.11b/g, channels 12..13. */
145 * channel fits here. */ 145 REG_RULE(2467-10, 2472+10, 40, 6, 20,
146 REG_RULE(2467-10, 2472+10, 20, 6, 20,
147 NL80211_RRF_PASSIVE_SCAN | 146 NL80211_RRF_PASSIVE_SCAN |
148 NL80211_RRF_NO_IBSS), 147 NL80211_RRF_NO_IBSS),
149 /* IEEE 802.11 channel 14 - Only JP enables 148 /* IEEE 802.11 channel 14 - Only JP enables
@@ -908,7 +907,7 @@ static void handle_channel(struct wiphy *wiphy,
908 map_regdom_flags(reg_rule->flags) | bw_flags; 907 map_regdom_flags(reg_rule->flags) | bw_flags;
909 chan->max_antenna_gain = chan->orig_mag = 908 chan->max_antenna_gain = chan->orig_mag =
910 (int) MBI_TO_DBI(power_rule->max_antenna_gain); 909 (int) MBI_TO_DBI(power_rule->max_antenna_gain);
911 chan->max_power = chan->orig_mpwr = 910 chan->max_reg_power = chan->max_power = chan->orig_mpwr =
912 (int) MBM_TO_DBM(power_rule->max_eirp); 911 (int) MBM_TO_DBM(power_rule->max_eirp);
913 return; 912 return;
914 } 913 }
@@ -1331,7 +1330,8 @@ static void handle_channel_custom(struct wiphy *wiphy,
1331 1330
1332 chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags; 1331 chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags;
1333 chan->max_antenna_gain = (int) MBI_TO_DBI(power_rule->max_antenna_gain); 1332 chan->max_antenna_gain = (int) MBI_TO_DBI(power_rule->max_antenna_gain);
1334 chan->max_power = (int) MBM_TO_DBM(power_rule->max_eirp); 1333 chan->max_reg_power = chan->max_power =
1334 (int) MBM_TO_DBM(power_rule->max_eirp);
1335} 1335}
1336 1336
1337static void handle_band_custom(struct wiphy *wiphy, enum ieee80211_band band, 1337static void handle_band_custom(struct wiphy *wiphy, enum ieee80211_band band,
diff --git a/net/wireless/util.c b/net/wireless/util.c
index ef35f4ef2aa6..2762e8329986 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -309,23 +309,21 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
309} 309}
310EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb); 310EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
311 311
312static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr) 312unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
313{ 313{
314 int ae = meshhdr->flags & MESH_FLAGS_AE; 314 int ae = meshhdr->flags & MESH_FLAGS_AE;
315 /* 7.1.3.5a.2 */ 315 /* 802.11-2012, 8.2.4.7.3 */
316 switch (ae) { 316 switch (ae) {
317 default:
317 case 0: 318 case 0:
318 return 6; 319 return 6;
319 case MESH_FLAGS_AE_A4: 320 case MESH_FLAGS_AE_A4:
320 return 12; 321 return 12;
321 case MESH_FLAGS_AE_A5_A6: 322 case MESH_FLAGS_AE_A5_A6:
322 return 18; 323 return 18;
323 case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
324 return 24;
325 default:
326 return 6;
327 } 324 }
328} 325}
326EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
329 327
330int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr, 328int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
331 enum nl80211_iftype iftype) 329 enum nl80211_iftype iftype)
@@ -373,6 +371,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
373 /* make sure meshdr->flags is on the linear part */ 371 /* make sure meshdr->flags is on the linear part */
374 if (!pskb_may_pull(skb, hdrlen + 1)) 372 if (!pskb_may_pull(skb, hdrlen + 1))
375 return -1; 373 return -1;
374 if (meshdr->flags & MESH_FLAGS_AE_A4)
375 return -1;
376 if (meshdr->flags & MESH_FLAGS_AE_A5_A6) { 376 if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
377 skb_copy_bits(skb, hdrlen + 377 skb_copy_bits(skb, hdrlen +
378 offsetof(struct ieee80211s_hdr, eaddr1), 378 offsetof(struct ieee80211s_hdr, eaddr1),
@@ -397,6 +397,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
397 /* make sure meshdr->flags is on the linear part */ 397 /* make sure meshdr->flags is on the linear part */
398 if (!pskb_may_pull(skb, hdrlen + 1)) 398 if (!pskb_may_pull(skb, hdrlen + 1))
399 return -1; 399 return -1;
400 if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
401 return -1;
400 if (meshdr->flags & MESH_FLAGS_AE_A4) 402 if (meshdr->flags & MESH_FLAGS_AE_A4)
401 skb_copy_bits(skb, hdrlen + 403 skb_copy_bits(skb, hdrlen +
402 offsetof(struct ieee80211s_hdr, eaddr1), 404 offsetof(struct ieee80211s_hdr, eaddr1),
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-15 09:37:48 -0400