Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts: drivers/net/usb/qmi_wwan.c include/net/dst.h Trivial merge conflicts, both were overlapping changes. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-10-23 16:28:39 -0400
committer: David S. Miller <davem@davemloft.net> 2013-10-23 16:49:34 -0400
commit: c3fa32b9764dc45dcf8a2231b1c110abc4a63e0b (patch)
tree: 6cf2896a77b65bec64284681e1c3851eb3263e09 /net
parent: 34d92d5315b64a3e5292b7e9511c1bb617227fb6 (diff)
parent: 320437af954cbe66478f1f5e8b34cb5a8d072191 (diff)
40 files changed, 324 insertions, 169 deletions
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index ffd5874f2592..33e8f23acddd 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -700,7 +700,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                vid = nla_get_u16(tb[NDA_VLAN]);
-                if (vid >= VLAN_N_VID) {
+                if (!vid || vid >= VLAN_VID_MASK) {
                        pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n",
                                vid);
                        return -EINVAL;
@@ -794,7 +794,7 @@ int br_fdb_delete(struct ndmsg *ndm, struct nlattr *tb[],
                vid = nla_get_u16(tb[NDA_VLAN]);
-                if (vid >= VLAN_N_VID) {
+                if (!vid || vid >= VLAN_VID_MASK) {
                        pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n",
                                vid);
                        return -EINVAL;
diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
index 85a09bb5ca51..b7b1914dfa25 100644
--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -453,7 +453,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
                call_rcu_bh(&p->rcu, br_multicast_free_pg);
                err = 0;
-                if (!mp->ports && !mp->mglist && mp->timer_armed &&
+                if (!mp->ports && !mp->mglist &&
                    netif_running(br->dev))
                        mod_timer(&mp->timer, jiffies);
                break;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 005d876dd86c..0513ef3ce667 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -272,7 +272,7 @@ static void br_multicast_del_pg(struct net_bridge *br,
                del_timer(&p->timer);
                call_rcu_bh(&p->rcu, br_multicast_free_pg);
-                if (!mp->ports && !mp->mglist && mp->timer_armed &&
+                if (!mp->ports && !mp->mglist &&
                    netif_running(br->dev))
                        mod_timer(&mp->timer, jiffies);
@@ -620,7 +620,6 @@ rehash:
        mp->br = br;
        mp->addr = *group;
        setup_timer(&mp->timer, br_multicast_group_expired,
                    (unsigned long)mp);
@@ -660,6 +659,7 @@ static int br_multicast_add_group(struct net_bridge *br,
        struct net_bridge_mdb_entry *mp;
        struct net_bridge_port_group *p;
        struct net_bridge_port_group __rcu **pp;
+        unsigned long now = jiffies;
        int err;
        spin_lock(&br->multicast_lock);
@@ -674,6 +674,7 @@ static int br_multicast_add_group(struct net_bridge *br,
        if (!port) {
                mp->mglist = true;
+                mod_timer(&mp->timer, now + br->multicast_membership_interval);
                goto out;
        }
@@ -681,7 +682,7 @@ static int br_multicast_add_group(struct net_bridge *br,
             (p = mlock_dereference(*pp, br)) != NULL;
             pp = &p->next) {
                if (p->port == port)
-                        goto out;
+                        goto found;
                if ((unsigned long)p->port < (unsigned long)port)
                        break;
        }
@@ -692,6 +693,8 @@ static int br_multicast_add_group(struct net_bridge *br,
        rcu_assign_pointer(*pp, p);
        br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
+found:
+        mod_timer(&p->timer, now + br->multicast_membership_interval);
 out:
        err = 0;
@@ -1191,9 +1194,6 @@ static int br_ip4_multicast_query(struct net_bridge *br,
        if (!mp)
                goto out;
-        mod_timer(&mp->timer, now + br->multicast_membership_interval);
-        mp->timer_armed = true;
        max_delay *= br->multicast_last_member_count;
        if (mp->mglist &&
@@ -1270,9 +1270,6 @@ static int br_ip6_multicast_query(struct net_bridge *br,
        if (!mp)
                goto out;
-        mod_timer(&mp->timer, now + br->multicast_membership_interval);
-        mp->timer_armed = true;
        max_delay *= br->multicast_last_member_count;
        if (mp->mglist &&
            (timer_pending(&mp->timer) ?
@@ -1358,7 +1355,7 @@ static void br_multicast_leave_group(struct net_bridge *br,
                        call_rcu_bh(&p->rcu, br_multicast_free_pg);
                        br_mdb_notify(br->dev, port, group, RTM_DELMDB);
-                        if (!mp->ports && !mp->mglist && mp->timer_armed &&
+                        if (!mp->ports && !mp->mglist &&
                            netif_running(br->dev))
                                mod_timer(&mp->timer, jiffies);
                }
@@ -1370,12 +1367,30 @@ static void br_multicast_leave_group(struct net_bridge *br,
                     br->multicast_last_member_interval;
        if (!port) {
-                if (mp->mglist && mp->timer_armed &&
+                if (mp->mglist &&
                    (timer_pending(&mp->timer) ?
                     time_after(mp->timer.expires, time) :
                     try_to_del_timer_sync(&mp->timer) >= 0)) {
                        mod_timer(&mp->timer, time);
                }
+                goto out;
+        }
+        for (p = mlock_dereference(mp->ports, br);
+             p != NULL;
+             p = mlock_dereference(p->next, br)) {
+                if (p->port != port)
+                        continue;
+                if (!hlist_unhashed(&p->mglist) &&
+                    (timer_pending(&p->timer) ?
+                     time_after(p->timer.expires, time) :
+                     try_to_del_timer_sync(&p->timer) >= 0)) {
+                        mod_timer(&p->timer, time);
+                }
+                break;
        }
 out:
        spin_unlock(&br->multicast_lock);
@@ -1798,7 +1813,6 @@ void br_multicast_stop(struct net_bridge *br)
                hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
                                          hlist[ver]) {
                        del_timer(&mp->timer);
-                        mp->timer_armed = false;
                        call_rcu_bh(&mp->rcu, br_multicast_free_group);
                }
        }
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index e74ddc1c29a8..f75d92e4f96b 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -243,7 +243,7 @@ static int br_afspec(struct net_bridge *br,
                vinfo = nla_data(tb[IFLA_BRIDGE_VLAN_INFO]);
-                if (vinfo->vid >= VLAN_N_VID)
+                if (!vinfo->vid || vinfo->vid >= VLAN_VID_MASK)
                        return -EINVAL;
                switch (cmd) {
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 767c4dad8504..d1ca6d956633 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry
        struct timer_list               timer;
        struct br_ip                    addr;
        bool                            mglist;
-        bool                            timer_armed;
 };
 struct net_bridge_mdb_htable
@@ -624,9 +623,7 @@ static inline u16 br_get_pvid(const struct net_port_vlans *v)
         * vid wasn't set
         */
        smp_rmb();
-        return (v->pvid & VLAN_TAG_PRESENT) ?
+        return v->pvid ?: VLAN_N_VID;
-                        (v->pvid & ~VLAN_TAG_PRESENT) :
-                        VLAN_N_VID;
 }
 #else
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 108084a04671..656a6f3e40de 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -134,7 +134,7 @@ static void br_stp_start(struct net_bridge *br)
        if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY)
                __br_set_forward_delay(br, BR_MIN_FORWARD_DELAY);
-        else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY)
+        else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY)
                __br_set_forward_delay(br, BR_MAX_FORWARD_DELAY);
        if (r == 0) {
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 9a9ffe7e4019..53f0990eab58 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -45,37 +45,34 @@ static int __vlan_add(struct net_port_vlans *v, u16 vid, u16 flags)
                return 0;
        }
-        if (vid) {
+        if (v->port_idx) {
-                if (v->port_idx) {
+                p = v->parent.port;
-                        p = v->parent.port;
+                br = p->br;
-                        br = p->br;
+                dev = p->dev;
-                        dev = p->dev;
+        } else {
-                } else {
+                br = v->parent.br;
-                        br = v->parent.br;
+                dev = br->dev;
-                        dev = br->dev;
+        }
-                }
+        ops = dev->netdev_ops;
-                ops = dev->netdev_ops;
+        if (p && (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) {
-                if (p && (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) {
+                /* Add VLAN to the device filter if it is supported.
-                        /* Add VLAN to the device filter if it is supported.
+                 * Stricly speaking, this is not necessary now, since
-                         * Stricly speaking, this is not necessary now, since
+                 * devices are made promiscuous by the bridge, but if
-                         * devices are made promiscuous by the bridge, but if
+                 * that ever changes this code will allow tagged
-                         * that ever changes this code will allow tagged
+                 * traffic to enter the bridge.
-                         * traffic to enter the bridge.
+                 */
-                         */
+                err = ops->ndo_vlan_rx_add_vid(dev, htons(ETH_P_8021Q),
-                        err = ops->ndo_vlan_rx_add_vid(dev, htons(ETH_P_8021Q),
+                                               vid);
-                                                       vid);
+                if (err)
-                        if (err)
+                        return err;
-                                return err;
+        }
-                }
-                err = br_fdb_insert(br, p, dev->dev_addr, vid);
-                if (err) {
-                        br_err(br, "failed insert local address into bridge "
-                               "forwarding table\n");
-                        goto out_filt;
-                }
+        err = br_fdb_insert(br, p, dev->dev_addr, vid);
+        if (err) {
+                br_err(br, "failed insert local address into bridge "
+                       "forwarding table\n");
+                goto out_filt;
        }
        set_bit(vid, v->vlan_bitmap);
@@ -98,7 +95,7 @@ static int __vlan_del(struct net_port_vlans *v, u16 vid)
        __vlan_delete_pvid(v, vid);
        clear_bit(vid, v->untagged_bitmap);
-        if (v->port_idx && vid) {
+        if (v->port_idx) {
                struct net_device *dev = v->parent.port->dev;
                const struct net_device_ops *ops = dev->netdev_ops;
@@ -192,6 +189,8 @@ out:
 bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
                        struct sk_buff *skb, u16 *vid)
 {
+        int err;
        /* If VLAN filtering is disabled on the bridge, all packets are
         * permitted.
         */
@@ -204,20 +203,32 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
        if (!v)
                return false;
-        if (br_vlan_get_tag(skb, vid)) {
+        err = br_vlan_get_tag(skb, vid);
+        if (!*vid) {
                u16 pvid = br_get_pvid(v);
-                /* Frame did not have a tag.  See if pvid is set
+                /* Frame had a tag with VID 0 or did not have a tag.
-                 * on this port.  That tells us which vlan untagged
+                 * See if pvid is set on this port.  That tells us which
-                 * traffic belongs to.
+                 * vlan untagged or priority-tagged traffic belongs to.
                 */
                if (pvid == VLAN_N_VID)
                        return false;
-                /* PVID is set on this port.  Any untagged ingress
+                /* PVID is set on this port.  Any untagged or priority-tagged
-                 * frame is considered to belong to this vlan.
+                 * ingress frame is considered to belong to this vlan.
                 */
-                __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), pvid);
+                *vid = pvid;
+                if (likely(err))
+                        /* Untagged Frame. */
+                        __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), pvid);
+                else
+                        /* Priority-tagged Frame.
+                         * At this point, We know that skb->vlan_tci had
+                         * VLAN_TAG_PRESENT bit and its VID field was 0x000.
+                         * We update only VID field and preserve PCP field.
+                         */
+                        skb->vlan_tci |= pvid;
                return true;
        }
@@ -248,7 +259,9 @@ bool br_allowed_egress(struct net_bridge *br,
        return false;
 }
-/* Must be protected by RTNL */
+/* Must be protected by RTNL.
+ * Must be called with vid in range from 1 to 4094 inclusive.
+ */
 int br_vlan_add(struct net_bridge *br, u16 vid, u16 flags)
 {
        struct net_port_vlans *pv = NULL;
@@ -278,7 +291,9 @@ out:
        return err;
 }
-/* Must be protected by RTNL */
+/* Must be protected by RTNL.
+ * Must be called with vid in range from 1 to 4094 inclusive.
+ */
 int br_vlan_delete(struct net_bridge *br, u16 vid)
 {
        struct net_port_vlans *pv;
@@ -289,14 +304,9 @@ int br_vlan_delete(struct net_bridge *br, u16 vid)
        if (!pv)
                return -EINVAL;
-        if (vid) {
+        spin_lock_bh(&br->hash_lock);
-                /* If the VID !=0 remove fdb for this vid. VID 0 is special
+        fdb_delete_by_addr(br, br->dev->dev_addr, vid);
-                 * in that it's the default and is always there in the fdb.
+        spin_unlock_bh(&br->hash_lock);
-                 */
-                spin_lock_bh(&br->hash_lock);
-                fdb_delete_by_addr(br, br->dev->dev_addr, vid);
-                spin_unlock_bh(&br->hash_lock);
-        }
        __vlan_del(pv, vid);
        return 0;
@@ -329,7 +339,9 @@ unlock:
        return 0;
 }
-/* Must be protected by RTNL */
+/* Must be protected by RTNL.
+ * Must be called with vid in range from 1 to 4094 inclusive.
+ */
 int nbp_vlan_add(struct net_bridge_port *port, u16 vid, u16 flags)
 {
        struct net_port_vlans *pv = NULL;
@@ -363,7 +375,9 @@ clean_up:
        return err;
 }
-/* Must be protected by RTNL */
+/* Must be protected by RTNL.
+ * Must be called with vid in range from 1 to 4094 inclusive.
+ */
 int nbp_vlan_delete(struct net_bridge_port *port, u16 vid)
 {
        struct net_port_vlans *pv;
@@ -374,14 +388,9 @@ int nbp_vlan_delete(struct net_bridge_port *port, u16 vid)
        if (!pv)
                return -EINVAL;
-        if (vid) {
+        spin_lock_bh(&port->br->hash_lock);
-                /* If the VID !=0 remove fdb for this vid. VID 0 is special
+        fdb_delete_by_addr(port->br, port->dev->dev_addr, vid);
-                 * in that it's the default and is always there in the fdb.
+        spin_unlock_bh(&port->br->hash_lock);
-                 */
-                spin_lock_bh(&port->br->hash_lock);
-                fdb_delete_by_addr(port->br, port->dev->dev_addr, vid);
-                spin_unlock_bh(&port->br->hash_lock);
-        }
        return __vlan_del(pv, vid);
 }
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
index 90e8a8250255..897da56f3aff 100644
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -11,6 +11,7 @@
 #include <net/secure_seq.h>
+#if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET)
 #define NET_SECRET_SIZE (MD5_MESSAGE_BYTES / 4)
 static u32 net_secret[NET_SECRET_SIZE] ____cacheline_aligned;
@@ -19,6 +20,7 @@ static __always_inline void net_secret_init(void)
 {
        net_get_random_once(net_secret, sizeof(net_secret));
 }
+#endif
 #ifdef CONFIG_INET
 static u32 seq_scale(u32 seq)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 7d8357bb2ba6..8fbac7de1e1b 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -772,15 +772,20 @@ static inline int ip_ufo_append_data(struct sock *sk,
                /* initialize protocol header pointer */
                skb->transport_header = skb->network_header + fragheaderlen;
-                skb->ip_summed = CHECKSUM_PARTIAL;
                skb->csum = 0;
-                /* specify the length of each IP datagram fragment */
-                skb_shinfo(skb)->gso_size = maxfraglen - fragheaderlen;
-                skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
                __skb_queue_tail(queue, skb);
+        } else if (skb_is_gso(skb)) {
+                goto append;
        }
+        skb->ip_summed = CHECKSUM_PARTIAL;
+        /* specify the length of each IP datagram fragment */
+        skb_shinfo(skb)->gso_size = maxfraglen - fragheaderlen;
+        skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+append:
        return skb_append_datato_frags(sk, skb, getfrag, from,
                                       (length - transhdrlen));
 }
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 91f69bc883fe..5d9c845d288a 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -61,8 +61,17 @@ static int vti_rcv(struct sk_buff *skb)
                                  iph->saddr, iph->daddr, 0);
        if (tunnel != NULL) {
                struct pcpu_tstats *tstats;
+                u32 oldmark = skb->mark;
+                int ret;
-                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+                /* temporarily mark the skb with the tunnel o_key, to
+                 * only match policies with this mark.
+                 */
+                skb->mark = be32_to_cpu(tunnel->parms.o_key);
+                ret = xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb);
+                skb->mark = oldmark;
+                if (!ret)
                        return -1;
                tstats = this_cpu_ptr(tunnel->dev->tstats);
@@ -71,7 +80,6 @@ static int vti_rcv(struct sk_buff *skb)
                tstats->rx_bytes += skb->len;
                u64_stats_update_end(&tstats->syncp);
-                skb->mark = 0;
                secpath_reset(skb);
                skb->dev = tunnel->dev;
                return 1;
@@ -103,7 +111,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        memset(&fl4, 0, sizeof(fl4));
        flowi4_init_output(&fl4, tunnel->parms.link,
-                           be32_to_cpu(tunnel->parms.i_key), RT_TOS(tos),
+                           be32_to_cpu(tunnel->parms.o_key), RT_TOS(tos),
                           RT_SCOPE_UNIVERSE,
                           IPPROTO_IPIP, 0,
                           dst, tiph->saddr, 0, 0);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index eb651a069a6c..b935397c703c 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3338,7 +3338,7 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag)
                        tcp_init_cwnd_reduction(sk, true);
                        tcp_set_ca_state(sk, TCP_CA_CWR);
                        tcp_end_cwnd_reduction(sk);
-                        tcp_set_ca_state(sk, TCP_CA_Open);
+                        tcp_try_keep_open(sk);
                        NET_INC_STATS_BH(sock_net(sk),
                                         LINUX_MIB_TCPLOSSPROBERECOVERY);
                }
@@ -5751,6 +5751,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                } else
                        tcp_init_metrics(sk);
+                tcp_update_pacing_rate(sk);
                /* Prevent spurious tcp_cwnd_restart() on first data packet */
                tp->lsndtime = tcp_time_stamp;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index ce7c4d9d9195..672854664ff5 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -986,8 +986,10 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
 static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb,
                                 unsigned int mss_now)
 {
-        if (skb->len <= mss_now || !sk_can_gso(sk) ||
+        /* Make sure we own this skb before messing gso_size/gso_segs */
-            skb->ip_summed == CHECKSUM_NONE) {
+        WARN_ON_ONCE(skb_cloned(skb));
+        if (skb->len <= mss_now || skb->ip_summed == CHECKSUM_NONE) {
                /* Avoid the costly divide in the normal
                 * non-TSO case.
                 */
@@ -1067,9 +1069,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
        if (nsize < 0)
                nsize = 0;
-        if (skb_cloned(skb) &&
+        if (skb_unclone(skb, GFP_ATOMIC))
-            skb_is_nonlinear(skb) &&
-            pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
                return -ENOMEM;
        /* Get a new skb... force flag on. */
@@ -2344,6 +2344,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                int oldpcount = tcp_skb_pcount(skb);
                if (unlikely(oldpcount > 1)) {
+                        if (skb_unclone(skb, GFP_ATOMIC))
+                                return -ENOMEM;
                        tcp_init_tso_segs(sk, skb, cur_mss);
                        tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb));
                }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 9a459be24af7..ccde54248c8c 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -107,6 +107,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
        memset(fl4, 0, sizeof(struct flowi4));
        fl4->flowi4_mark = skb->mark;
+        fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;
        if (!ip_is_fragment(iph)) {
                switch (iph->protocol) {
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 73784c3d4642..82e1da3a40b9 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -618,8 +618,7 @@ static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index d3618a78fcac..e67e63f9858d 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -436,8 +436,7 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 1ef1fa2b22a6..bf4a9a084de5 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -976,6 +976,7 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
                if (t->parms.o_flags&GRE_SEQ)
                        addend += 4;
        }
+        t->hlen = addend;
        if (p->flags & IP6_TNL_F_CAP_XMIT) {
                int strict = (ipv6_addr_type(&p->raddr) &
@@ -1002,8 +1003,6 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
                }
                ip6_rt_put(rt);
        }
-        t->hlen = addend;
 }
 static int ip6gre_tnl_change(struct ip6_tnl *t,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index a54c45ce4a48..91fb4e8212f5 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -105,7 +105,7 @@ static int ip6_finish_output2(struct sk_buff *skb)
        }
        rcu_read_lock_bh();
-        nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);
+        nexthop = rt6_nexthop((struct rt6_info *)dst);
        neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);
        if (unlikely(!neigh))
                neigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false);
@@ -874,7 +874,7 @@ static int ip6_dst_lookup_tail(struct sock *sk,
         */
        rt = (struct rt6_info *) *dst;
        rcu_read_lock_bh();
-        n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt, &fl6->daddr));
+        n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt));
        err = n && !(n->nud_state & NUD_VALID) ? -EINVAL : 0;
        rcu_read_unlock_bh();
@@ -1008,6 +1008,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
 {
        struct sk_buff *skb;
+        struct frag_hdr fhdr;
        int err;
        /* There is support for UDP large send offload by network
@@ -1015,8 +1016,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
         * udp datagram
         */
        if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
-                struct frag_hdr fhdr;
                skb = sock_alloc_send_skb(sk,
                        hh_len + fragheaderlen + transhdrlen + 20,
                        (flags & MSG_DONTWAIT), &err);
@@ -1036,20 +1035,24 @@ static inline int ip6_ufo_append_data(struct sock *sk,
                skb->transport_header = skb->network_header + fragheaderlen;
                skb->protocol = htons(ETH_P_IPV6);
-                skb->ip_summed = CHECKSUM_PARTIAL;
                skb->csum = 0;
-                /* Specify the length of each IPv6 datagram fragment.
-                 * It has to be a multiple of 8.
-                 */
-                skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
-                                             sizeof(struct frag_hdr)) & ~7;
-                skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
-                ipv6_select_ident(&fhdr, rt);
-                skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
                __skb_queue_tail(&sk->sk_write_queue, skb);
+        } else if (skb_is_gso(skb)) {
+                goto append;
        }
+        skb->ip_summed = CHECKSUM_PARTIAL;
+        /* Specify the length of each IPv6 datagram fragment.
+         * It has to be a multiple of 8.
+         */
+        skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
+                                     sizeof(struct frag_hdr)) & ~7;
+        skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+        ipv6_select_ident(&fhdr, rt);
+        skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+append:
        return skb_append_datato_frags(sk, skb, getfrag, from,
                                       (length - transhdrlen));
 }
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 5636a912074a..ce507d9e1c90 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -64,8 +64,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                (struct ip_comp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c3130ffc3bca..5dc6ca6b6686 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -476,6 +476,24 @@ out:
 }
 #ifdef CONFIG_IPV6_ROUTER_PREF
+struct __rt6_probe_work {
+        struct work_struct work;
+        struct in6_addr target;
+        struct net_device *dev;
+};
+static void rt6_probe_deferred(struct work_struct *w)
+{
+        struct in6_addr mcaddr;
+        struct __rt6_probe_work *work =
+                container_of(w, struct __rt6_probe_work, work);
+        addrconf_addr_solict_mult(&work->target, &mcaddr);
+        ndisc_send_ns(work->dev, NULL, &work->target, &mcaddr, NULL);
+        dev_put(work->dev);
+        kfree(w);
+}
 static void rt6_probe(struct rt6_info *rt)
 {
        struct neighbour *neigh;
@@ -499,17 +517,23 @@ static void rt6_probe(struct rt6_info *rt)
        if (!neigh ||
            time_after(jiffies, neigh->updated + rt->rt6i_idev->cnf.rtr_probe_interval)) {
-                struct in6_addr mcaddr;
+                struct __rt6_probe_work *work;
-                struct in6_addr *target;
-                if (neigh) {
+                work = kmalloc(sizeof(*work), GFP_ATOMIC);
+                if (neigh && work)
                        neigh->updated = jiffies;
+                if (neigh)
                        write_unlock(&neigh->lock);
-                }
-                target = (struct in6_addr *)&rt->rt6i_gateway;
+                if (work) {
-                addrconf_addr_solict_mult(target, &mcaddr);
+                        INIT_WORK(&work->work, rt6_probe_deferred);
-                ndisc_send_ns(rt->dst.dev, NULL, target, &mcaddr, NULL);
+                        work->target = rt->rt6i_gateway;
+                        dev_hold(rt->dst.dev);
+                        work->dev = rt->dst.dev;
+                        schedule_work(&work->work);
+                }
        } else {
 out:
                write_unlock(&neigh->lock);
@@ -851,7 +875,6 @@ static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort,
                        if (ort->rt6i_dst.plen != 128 &&
                            ipv6_addr_equal(&ort->rt6i_dst.addr, daddr))
                                rt->rt6i_flags |= RTF_ANYCAST;
-                        rt->rt6i_gateway = *daddr;
                }
                rt->rt6i_flags |= RTF_CACHE;
@@ -1335,6 +1358,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
        rt->dst.flags |= DST_HOST;
        rt->dst.output  = ip6_output;
        atomic_set(&rt->dst.__refcnt, 1);
+        rt->rt6i_gateway  = fl6->daddr;
        rt->rt6i_dst.addr = fl6->daddr;
        rt->rt6i_dst.plen = 128;
        rt->rt6i_idev     = idev;
@@ -1870,7 +1894,10 @@ static struct rt6_info *ip6_rt_copy(struct rt6_info *ort,
                        in6_dev_hold(rt->rt6i_idev);
                rt->dst.lastuse = jiffies;
-                rt->rt6i_gateway = ort->rt6i_gateway;
+                if (ort->rt6i_flags & RTF_GATEWAY)
+                        rt->rt6i_gateway = ort->rt6i_gateway;
+                else
+                        rt->rt6i_gateway = *dest;
                rt->rt6i_flags = ort->rt6i_flags;
                if ((ort->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) ==
                    (RTF_DEFAULT | RTF_ADDRCONF))
@@ -2157,6 +2184,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
        else
                rt->rt6i_flags |= RTF_LOCAL;
+        rt->rt6i_gateway  = *addr;
        rt->rt6i_dst.addr = *addr;
        rt->rt6i_dst.plen = 128;
        rt->rt6i_table = fib6_get_table(net, RT6_TABLE_LOCAL);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 44fc4e3d661f..f3893e897f72 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1243,9 +1243,6 @@ do_udp_sendmsg:
        if (tclass < 0)
                tclass = np->tclass;
-        if (dontfrag < 0)
-                dontfrag = np->dontfrag;
        if (msg->msg_flags&MSG_CONFIRM)
                goto do_confirm;
 back_from_confirm:
@@ -1264,6 +1261,8 @@ back_from_confirm:
        up->pending = AF_INET6;
 do_append_data:
+        if (dontfrag < 0)
+                dontfrag = np->dontfrag;
        up->len += ulen;
        getfrag  =  is_udplite ?  udplite_getfrag : ip_generic_getfrag;
        err = ip6_append_data(sk, getfrag, msg->msg_iov, ulen,
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 23ed03d786c8..08ed2772b7aa 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -138,6 +138,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        memset(fl6, 0, sizeof(struct flowi6));
        fl6->flowi6_mark = skb->mark;
+        fl6->flowi6_oif = skb_dst(skb)->dev->ifindex;
        fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
        fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 9d585370c5b4..911ef03bf8fb 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1098,7 +1098,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
        x->id.proto = proto;
        x->id.spi = sa->sadb_sa_spi;
-        x->props.replay_window = sa->sadb_sa_replay;
+        x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
+                                        (sizeof(x->replay.bitmap) * 8));
        if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
                x->props.flags |= XFRM_STATE_NOECN;
        if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index f0a7adaef2ea..ffda81ef1a70 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -353,7 +353,9 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
                goto error_put_sess_tun;
        }
+        local_bh_disable();
        l2tp_xmit_skb(session, skb, session->hdr_len);
+        local_bh_enable();
        sock_put(ps->tunnel_sock);
        sock_put(sk);
@@ -422,7 +424,9 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
        skb->data[0] = ppph[0];
        skb->data[1] = ppph[1];
+        local_bh_disable();
        l2tp_xmit_skb(session, skb, session->hdr_len);
+        local_bh_enable();
        sock_put(sk_tun);
        sock_put(sk);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index ac28af74a414..b0a651cc389f 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -3564,7 +3564,7 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
                return -EINVAL;
        }
        band = chanctx_conf->def.chan->band;
-        sta = sta_info_get(sdata, peer);
+        sta = sta_info_get_bss(sdata, peer);
        if (sta) {
                qos = test_sta_flag(sta, WLAN_STA_WME);
        } else {
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 3a87c8976a32..e73cd0637f3b 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -893,6 +893,8 @@ struct tpt_led_trigger {
 *      that the scan completed.
 * @SCAN_ABORTED: Set for our scan work function when the driver reported
 *      a scan complete for an aborted scan.
+ * @SCAN_HW_CANCELLED: Set for our scan work function when the scan is being
+ *      cancelled.
 */
 enum {
        SCAN_SW_SCANNING,
@@ -900,6 +902,7 @@ enum {
        SCAN_ONCHANNEL_SCANNING,
        SCAN_COMPLETED,
        SCAN_ABORTED,
+        SCAN_HW_CANCELLED,
 };
 /**
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index acd1f71adc03..0c2a29484c07 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -394,6 +394,8 @@ void ieee80211_sw_roc_work(struct work_struct *work)
                if (started)
                        ieee80211_start_next_roc(local);
+                else if (list_empty(&local->roc_list))
+                        ieee80211_run_deferred_scan(local);
        }
 out_unlock:
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index ecb57b0bf74a..5ad66a83ef7f 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -238,6 +238,9 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
        enum ieee80211_band band;
        int i, ielen, n_chans;
+        if (test_bit(SCAN_HW_CANCELLED, &local->scanning))
+                return false;
        do {
                if (local->hw_scan_band == IEEE80211_NUM_BANDS)
                        return false;
@@ -939,7 +942,23 @@ void ieee80211_scan_cancel(struct ieee80211_local *local)
        if (!local->scan_req)
                goto out;
+        /*
+         * We have a scan running and the driver already reported completion,
+         * but the worker hasn't run yet or is stuck on the mutex - mark it as
+         * cancelled.
+         */
+        if (test_bit(SCAN_HW_SCANNING, &local->scanning) &&
+            test_bit(SCAN_COMPLETED, &local->scanning)) {
+                set_bit(SCAN_HW_CANCELLED, &local->scanning);
+                goto out;
+        }
        if (test_bit(SCAN_HW_SCANNING, &local->scanning)) {
+                /*
+                 * Make sure that __ieee80211_scan_completed doesn't trigger a
+                 * scan on another band.
+                 */
+                set_bit(SCAN_HW_CANCELLED, &local->scanning);
                if (local->ops->cancel_hw_scan)
                        drv_cancel_hw_scan(local,
                                rcu_dereference_protected(local->scan_sdata,
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 368837fe3b80..78dc2e99027e 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -180,6 +180,9 @@ static void ieee80211_frame_acked(struct sta_info *sta, struct sk_buff *skb)
        struct ieee80211_local *local = sta->local;
        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
+                sta->last_rx = jiffies;
        if (ieee80211_is_data_qos(mgmt->frame_control)) {
                struct ieee80211_hdr *hdr = (void *) skb->data;
                u8 *qc = ieee80211_get_qos_ctl(hdr);
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 4fcbf634b548..9993fcb19ecd 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1120,7 +1120,8 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata,
                tx->sta = rcu_dereference(sdata->u.vlan.sta);
                if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
                        return TX_DROP;
-        } else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
+        } else if (info->flags & (IEEE80211_TX_CTL_INJECTED |
+                                  IEEE80211_TX_INTFL_NL80211_FRAME_TX) ||
                   tx->sdata->control_port_protocol == tx->skb->protocol) {
                tx->sta = sta_info_get_bss(sdata, hdr->addr1);
        }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 1220f5afdb7e..aefb9d5b9620 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2236,6 +2236,10 @@ u64 ieee80211_calculate_rx_timestamp(struct ieee80211_local *local,
        }
        rate = cfg80211_calculate_bitrate(&ri);
+        if (WARN_ONCE(!rate,
+                      "Invalid bitrate: flags=0x%x, idx=%d, vht_nss=%d\n",
+                      status->flag, status->rate_idx, status->vht_nss))
+                return 0;
        /* rewind from end of MPDU */
        if (status->flag & RX_FLAG_MACTIME_END)
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index bdebd03bc8cd..70866d192efc 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -778,8 +778,8 @@ static int callforward_do_filter(const union nf_inet_addr *src,
                                   flowi6_to_flowi(&fl1), false)) {
                        if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
                                           flowi6_to_flowi(&fl2), false)) {
-                                if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
+                                if (ipv6_addr_equal(rt6_nexthop(rt1),
-                                            sizeof(rt1->rt6i_gateway)) &&
+                                                    rt6_nexthop(rt2)) &&
                                    rt1->dst.dev == rt2->dst.dev)
                                        ret = 1;
                                dst_release(&rt2->dst);
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index a6d788d45216..b87e83d07478 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -358,6 +358,21 @@ static psched_time_t packet_len_2_sched_time(unsigned int len, struct netem_sche
        return PSCHED_NS2TICKS(ticks);
 }
+static void tfifo_reset(struct Qdisc *sch)
+{
+        struct netem_sched_data *q = qdisc_priv(sch);
+        struct rb_node *p;
+        while ((p = rb_first(&q->t_root))) {
+                struct sk_buff *skb = netem_rb_to_skb(p);
+                rb_erase(p, &q->t_root);
+                skb->next = NULL;
+                skb->prev = NULL;
+                kfree_skb(skb);
+        }
+}
 static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
 {
        struct netem_sched_data *q = qdisc_priv(sch);
@@ -520,6 +535,7 @@ static unsigned int netem_drop(struct Qdisc *sch)
                        skb->next = NULL;
                        skb->prev = NULL;
                        len = qdisc_pkt_len(skb);
+                        sch->qstats.backlog -= len;
                        kfree_skb(skb);
                }
        }
@@ -609,6 +625,7 @@ static void netem_reset(struct Qdisc *sch)
        struct netem_sched_data *q = qdisc_priv(sch);
        qdisc_reset_queue(sch);
+        tfifo_reset(sch);
        if (q->qdisc)
                qdisc_reset(q->qdisc);
        qdisc_watchdog_cancel(&q->watchdog);
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 0ac3a65daccb..319137340d15 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -536,7 +536,8 @@ int sctp_packet_transmit(struct sctp_packet *packet)
         * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
         */
        if (!sctp_checksum_disable) {
-                if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
+                if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
+                    (dst_xfrm(dst) != NULL) || packet->ipfragok) {
                        __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
                        /* 3) Put the resultant value into the checksum field in the
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 86de99ad2976..c1f403bed683 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1246,6 +1246,15 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
        return 0;
 }
+static void unix_sock_inherit_flags(const struct socket *old,
+                                    struct socket *new)
+{
+        if (test_bit(SOCK_PASSCRED, &old->flags))
+                set_bit(SOCK_PASSCRED, &new->flags);
+        if (test_bit(SOCK_PASSSEC, &old->flags))
+                set_bit(SOCK_PASSSEC, &new->flags);
+}
 static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
 {
        struct sock *sk = sock->sk;
@@ -1280,6 +1289,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
        /* attach accepted sock to socket */
        unix_state_lock(tsk);
        newsock->state = SS_CONNECTED;
+        unix_sock_inherit_flags(sock, newsock);
        sock_graft(tsk, newsock);
        unix_state_unlock(tsk);
        return 0;
diff --git a/net/wireless/core.c b/net/wireless/core.c
index fe8d4f2be49b..aff959e5a1b3 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -958,8 +958,6 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
        case NETDEV_PRE_UP:
                if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
                        return notifier_from_errno(-EOPNOTSUPP);
-                if (rfkill_blocked(rdev->rfkill))
-                        return notifier_from_errno(-ERFKILL);
                ret = cfg80211_can_add_interface(rdev, wdev->iftype);
                if (ret)
                        return notifier_from_errno(ret);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 74beff1e926f..af10e59af2d8 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -402,6 +402,9 @@ static inline int
 cfg80211_can_add_interface(struct cfg80211_registered_device *rdev,
                           enum nl80211_iftype iftype)
 {
+        if (rfkill_blocked(rdev->rfkill))
+                return -ERFKILL;
        return cfg80211_can_change_interface(rdev, NULL, iftype);
 }
diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c
index 7d604c06c3dc..a271c27fac77 100644
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -97,6 +97,10 @@ int ieee80211_radiotap_iterator_init(
        struct ieee80211_radiotap_header *radiotap_header,
        int max_length, const struct ieee80211_radiotap_vendor_namespaces *vns)
 {
+        /* check the radiotap header can actually be present */
+        if (max_length < sizeof(struct ieee80211_radiotap_header))
+                return -EINVAL;
        /* Linux only supports version 0 radiotap format */
        if (radiotap_header->it_version)
                return -EINVAL;
@@ -131,7 +135,8 @@ int ieee80211_radiotap_iterator_init(
                         */
                        if ((unsigned long)iterator->_arg -
-                            (unsigned long)iterator->_rtheader >
+                            (unsigned long)iterator->_rtheader +
+                            sizeof(uint32_t) >
                            (unsigned long)iterator->_max_length)
                                return -EINVAL;
                }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ed38d5d81f9e..76e1873811d4 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -334,7 +334,8 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
        atomic_inc(&policy->genid);
-        del_timer(&policy->polq.hold_timer);
+        if (del_timer(&policy->polq.hold_timer))
+                xfrm_pol_put(policy);
        xfrm_queue_purge(&policy->polq.hold_queue);
        if (del_timer(&policy->timer))
@@ -589,7 +590,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
        spin_lock_bh(&pq->hold_queue.lock);
        skb_queue_splice_init(&pq->hold_queue, &list);
-        del_timer(&pq->hold_timer);
+        if (del_timer(&pq->hold_timer))
+                xfrm_pol_put(old);
        spin_unlock_bh(&pq->hold_queue.lock);
        if (skb_queue_empty(&list))
@@ -600,7 +602,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
        spin_lock_bh(&pq->hold_queue.lock);
        skb_queue_splice(&list, &pq->hold_queue);
        pq->timeout = XFRM_QUEUE_TMO_MIN;
-        mod_timer(&pq->hold_timer, jiffies);
+        if (!mod_timer(&pq->hold_timer, jiffies))
+                xfrm_pol_hold(new);
        spin_unlock_bh(&pq->hold_queue.lock);
 }
@@ -1769,6 +1772,10 @@ static void xfrm_policy_queue_process(unsigned long arg)
        spin_lock(&pq->hold_queue.lock);
        skb = skb_peek(&pq->hold_queue);
+        if (!skb) {
+                spin_unlock(&pq->hold_queue.lock);
+                goto out;
+        }
        dst = skb_dst(skb);
        sk = skb->sk;
        xfrm_decode_session(skb, &fl, dst->ops->family);
@@ -1787,8 +1794,9 @@ static void xfrm_policy_queue_process(unsigned long arg)
                        goto purge_queue;
                pq->timeout = pq->timeout << 1;
-                mod_timer(&pq->hold_timer, jiffies + pq->timeout);
+                if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
-                return;
+                        xfrm_pol_hold(pol);
+        goto out;
        }
        dst_release(dst);
@@ -1819,11 +1827,14 @@ static void xfrm_policy_queue_process(unsigned long arg)
                err = dst_output(skb);
        }
+out:
+        xfrm_pol_put(pol);
        return;
 purge_queue:
        pq->timeout = 0;
        xfrm_queue_purge(&pq->hold_queue);
+        xfrm_pol_put(pol);
 }
 static int xdst_queue_output(struct sk_buff *skb)
@@ -1831,7 +1842,8 @@ static int xdst_queue_output(struct sk_buff *skb)
        unsigned long sched_next;
        struct dst_entry *dst = skb_dst(skb);
        struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
-        struct xfrm_policy_queue *pq = &xdst->pols[0]->polq;
+        struct xfrm_policy *pol = xdst->pols[0];
+        struct xfrm_policy_queue *pq = &pol->polq;
        if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
                kfree_skb(skb);
@@ -1850,10 +1862,12 @@ static int xdst_queue_output(struct sk_buff *skb)
        if (del_timer(&pq->hold_timer)) {
                if (time_before(pq->hold_timer.expires, sched_next))
                        sched_next = pq->hold_timer.expires;
+                xfrm_pol_put(pol);
        }
        __skb_queue_tail(&pq->hold_queue, skb);
-        mod_timer(&pq->hold_timer, sched_next);
+        if (!mod_timer(&pq->hold_timer, sched_next))
+                xfrm_pol_hold(pol);
        spin_unlock_bh(&pq->hold_queue.lock);
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 8dafe6d3c6e4..dab57daae408 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -61,9 +61,9 @@ static void xfrm_replay_notify(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
+                if (!x->replay_maxdiff ||
-                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+                    ((x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
+                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))) {
                        if (x->xflags & XFRM_TIME_DEFER)
                                event = XFRM_REPLAY_TIMEOUT;
                        else
@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x,
                return 0;
        diff = x->replay.seq - seq;
-        if (diff >= min_t(unsigned int, x->props.replay_window,
+        if (diff >= x->props.replay_window) {
-                          sizeof(x->replay.bitmap) * 8)) {
                x->stats.replay_window++;
                goto err;
        }
@@ -302,9 +301,10 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
+                if (!x->replay_maxdiff ||
-                    (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+                    ((replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
-                    (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
+                    (replay_esn->oseq - preplay_esn->oseq
+                     < x->replay_maxdiff))) {
                        if (x->xflags & XFRM_TIME_DEFER)
                                event = XFRM_REPLAY_TIMEOUT;
                        else
@@ -353,28 +353,30 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (!x->replay_maxdiff)
+                if (x->replay_maxdiff) {
-                        break;
+                        if (replay_esn->seq_hi == preplay_esn->seq_hi)
+                                seq_diff = replay_esn->seq - preplay_esn->seq;
-                if (replay_esn->seq_hi == preplay_esn->seq_hi)
+                        else
-                        seq_diff = replay_esn->seq - preplay_esn->seq;
+                                seq_diff = ~preplay_esn->seq + replay_esn->seq
-                else
+                                           + 1;
-                        seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
-                if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
-                        oseq_diff = replay_esn->oseq - preplay_esn->oseq;
-                else
-                        oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
-                if (seq_diff < x->replay_maxdiff &&
-                    oseq_diff < x->replay_maxdiff) {
-                        if (x->xflags & XFRM_TIME_DEFER)
+                        if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
-                                event = XFRM_REPLAY_TIMEOUT;
+                                oseq_diff = replay_esn->oseq
+                                            - preplay_esn->oseq;
                        else
-                                return;
+                                oseq_diff = ~preplay_esn->oseq
+                                            + replay_esn->oseq + 1;
+                        if (seq_diff >= x->replay_maxdiff ||
+                            oseq_diff >= x->replay_maxdiff)
+                                break;
                }
+                if (x->xflags & XFRM_TIME_DEFER)
+                        event = XFRM_REPLAY_TIMEOUT;
+                else
+                        return;
                break;
        case XFRM_REPLAY_TIMEOUT:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3f565e495ac6..f964d4c00ffb 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
        memcpy(&x->sel, &p->sel, sizeof(x->sel));
        memcpy(&x->lft, &p->lft, sizeof(x->lft));
        x->props.mode = p->mode;
-        x->props.replay_window = p->replay_window;
+        x->props.replay_window = min_t(unsigned int, p->replay_window,
+                                        sizeof(x->replay.bitmap) * 8);
        x->props.reqid = p->reqid;
        x->props.family = p->family;
        memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
@@ -1856,7 +1857,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
-        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        err = xfrm_replay_verify_len(x->replay_esn, re);
        if (err)
                goto out;
author	David S. Miller <davem@davemloft.net>	2013-10-23 16:28:39 -0400
committer	David S. Miller <davem@davemloft.net>	2013-10-23 16:49:34 -0400
commit	c3fa32b9764dc45dcf8a2231b1c110abc4a63e0b (patch)
tree	6cf2896a77b65bec64284681e1c3851eb3263e09 /net
parent	34d92d5315b64a3e5292b7e9511c1bb617227fb6 (diff)
parent	320437af954cbe66478f1f5e8b34cb5a8d072191 (diff)