11 files changed, 52 insertions, 22 deletions

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index ec7a91d9e865..e048ec62d109 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -836,7 +836,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
 {
         struct inet6_dev *idev = ifp->idev;
         struct in6_addr addr, *tmpaddr;
-        unsigned long tmp_prefered_lft, tmp_valid_lft, tmp_cstamp, tmp_tstamp;
+        unsigned long tmp_prefered_lft, tmp_valid_lft, tmp_cstamp, tmp_tstamp, age;
         unsigned long regen_advance;
         int tmp_plen;
         int ret = 0;
@@ -886,12 +886,13 @@ retry:
                 goto out;
         }
         memcpy(&addr.s6_addr[8], idev->rndid, 8);
+        age = (jiffies - ifp->tstamp) / HZ;
         tmp_valid_lft = min_t(__u32,
                               ifp->valid_lft,
-                              idev->cnf.temp_valid_lft);
+                              idev->cnf.temp_valid_lft + age);
         tmp_prefered_lft = min_t(__u32,
                                  ifp->prefered_lft,
-                                 idev->cnf.temp_prefered_lft -
+                                 idev->cnf.temp_prefered_lft + age -
                                  idev->cnf.max_desync_factor);
         tmp_plen = ifp->prefix_len;
         max_addresses = idev->cnf.max_addresses;
@@ -1426,8 +1427,10 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
 {
         struct inet6_dev *idev = ifp->idev;
 
-        if (addrconf_dad_end(ifp))
+        if (addrconf_dad_end(ifp)) {
+                in6_ifa_put(ifp);
                 return;
+        }
 
         if (net_ratelimit())
                 printk(KERN_INFO "%s: IPv6 duplicate address %pI6c detected!\n",
@@ -2021,10 +2024,11 @@ ok:
                                         ipv6_ifa_notify(0, ift);
                         }
 
-                        if (create && in6_dev->cnf.use_tempaddr > 0) {
+                        if ((create || list_empty(&in6_dev->tempaddr_list)) && in6_dev->cnf.use_tempaddr > 0) {
                                 /*
                                  * When a new public address is created as described in [ADDRCONF],
-                                 * also create a new temporary address.
+                                 * also create a new temporary address. Also create a temporary
+                                 * address if it's enabled but no temporary address currently exists.
                                  */
                                 read_unlock_bh(&in6_dev->lock);
                                 ipv6_create_tempaddr(ifp, NULL);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index c2c0f89397b1..2a59610c2a58 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1284,6 +1284,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                                 t = netdev_priv(dev);
 
                         ip6_tnl_unlink(ip6n, t);
+                        synchronize_net();
                         err = ip6_tnl_change(t, &p);
                         ip6_tnl_link(ip6n, t);
                         netdev_state_change(dev);
@@ -1371,6 +1372,7 @@ static void ip6_tnl_dev_setup(struct net_device *dev)
         dev->flags |= IFF_NOARP;
         dev->addr_len = sizeof(struct in6_addr);
         dev->features |= NETIF_F_NETNS_LOCAL;
+        dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
 }
 
 
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 0553867a317f..d1770e061c08 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -343,6 +343,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                 break;
 
         case IPV6_TRANSPARENT:
+                if (!capable(CAP_NET_ADMIN)) {
+                        retv = -EPERM;
+                        break;
+                }
                 if (optlen < sizeof(int))
                         goto e_inval;
                 /* we don't have a separate transparent bit for IPV6 we use the one in the IPv4 socket */
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 44d2eeac089b..448464844a25 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -5,10 +5,15 @@
 menu "IPv6: Netfilter Configuration"
         depends on INET && IPV6 && NETFILTER
 
+config NF_DEFRAG_IPV6
+        tristate
+        default n
+
 config NF_CONNTRACK_IPV6
         tristate "IPv6 connection tracking support"
         depends on INET && IPV6 && NF_CONNTRACK
         default m if NETFILTER_ADVANCED=n
+        select NF_DEFRAG_IPV6
         ---help---
           Connection tracking keeps a record of what packets have passed
           through your machine, in order to figure out how they are related
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 3f8e4a3d83ce..0a432c9b0795 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -12,11 +12,14 @@ obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv6-objs  :=  nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
-nf_defrag_ipv6-objs := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
 
 # l3 independent conntrack
 obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o nf_defrag_ipv6.o
 
+# defrag
+nf_defrag_ipv6-objs := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o
+obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o
+
 # matches
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 489d71b844ac..3a3f129a44cb 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -625,21 +625,24 @@ int nf_ct_frag6_init(void)
         inet_frags_init_net(&nf_init_frags);
         inet_frags_init(&nf_frags);
 
+#ifdef CONFIG_SYSCTL
         nf_ct_frag6_sysctl_header = register_sysctl_paths(nf_net_netfilter_sysctl_path,
                                                           nf_ct_frag6_sysctl_table);
         if (!nf_ct_frag6_sysctl_header) {
                 inet_frags_fini(&nf_frags);
                 return -ENOMEM;
         }
+#endif
 
         return 0;
 }
 
 void nf_ct_frag6_cleanup(void)
 {
+#ifdef CONFIG_SYSCTL
         unregister_sysctl_table(nf_ct_frag6_sysctl_header);
         nf_ct_frag6_sysctl_header = NULL;
-
+#endif
         inet_frags_fini(&nf_frags);
 
         nf_init_frags.low_thresh = 0;
diff --git a/net/ipv6/protocol.c b/net/ipv6/protocol.c
index 9bb936ae2452..9a7978fdc02a 100644
--- a/net/ipv6/protocol.c
+++ b/net/ipv6/protocol.c
@@ -25,13 +25,14 @@
 #include <linux/spinlock.h>
 #include <net/protocol.h>
 
-const struct inet6_protocol *inet6_protos[MAX_INET_PROTOS] __read_mostly;
+const struct inet6_protocol __rcu *inet6_protos[MAX_INET_PROTOS] __read_mostly;
 
 int inet6_add_protocol(const struct inet6_protocol *prot, unsigned char protocol)
 {
         int hash = protocol & (MAX_INET_PROTOS - 1);
 
-        return !cmpxchg(&inet6_protos[hash], NULL, prot) ? 0 : -1;
+        return !cmpxchg((const struct inet6_protocol **)&inet6_protos[hash],
+                        NULL, prot) ? 0 : -1;
 }
 EXPORT_SYMBOL(inet6_add_protocol);
 
@@ -43,7 +44,8 @@ int inet6_del_protocol(const struct inet6_protocol *prot, unsigned char protocol
 {
         int ret, hash = protocol & (MAX_INET_PROTOS - 1);
 
-        ret = (cmpxchg(&inet6_protos[hash], prot, NULL) == prot) ? 0 : -1;
+        ret = (cmpxchg((const struct inet6_protocol **)&inet6_protos[hash],
+                       prot, NULL) == prot) ? 0 : -1;
 
         synchronize_net();
 
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 45e6efb7f171..86c39526ba5e 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -373,7 +373,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
 
 static inline int rawv6_rcv_skb(struct sock * sk, struct sk_buff * skb)
 {
-        if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
+        if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
             skb_checksum_complete(skb)) {
                 atomic_inc(&sk->sk_drops);
                 kfree_skb(skb);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 367a6cc584cc..d6bfaec3bbbf 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -963,6 +963,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
                                 }
                                 t = netdev_priv(dev);
                                 ipip6_tunnel_unlink(sitn, t);
+                                synchronize_net();
                                 t->parms.iph.saddr = p.iph.saddr;
                                 t->parms.iph.daddr = p.iph.daddr;
                                 memcpy(dev->dev_addr, &p.iph.saddr, 4);
diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
index d9864725d0c6..4f3cec12aa85 100644
--- a/net/ipv6/tunnel6.c
+++ b/net/ipv6/tunnel6.c
@@ -30,23 +30,26 @@
 #include <net/protocol.h>
 #include <net/xfrm.h>
 
-static struct xfrm6_tunnel *tunnel6_handlers __read_mostly;
-static struct xfrm6_tunnel *tunnel46_handlers __read_mostly;
+static struct xfrm6_tunnel __rcu *tunnel6_handlers __read_mostly;
+static struct xfrm6_tunnel __rcu *tunnel46_handlers __read_mostly;
 static DEFINE_MUTEX(tunnel6_mutex);
 
 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family)
 {
-        struct xfrm6_tunnel **pprev;
+        struct xfrm6_tunnel __rcu **pprev;
+        struct xfrm6_tunnel *t;
         int ret = -EEXIST;
         int priority = handler->priority;
 
         mutex_lock(&tunnel6_mutex);
 
         for (pprev = (family == AF_INET6) ? &tunnel6_handlers : &tunnel46_handlers;
-             *pprev; pprev = &(*pprev)->next) {
-                if ((*pprev)->priority > priority)
+             (t = rcu_dereference_protected(*pprev,
+                        lockdep_is_held(&tunnel6_mutex))) != NULL;
+             pprev = &t->next) {
+                if (t->priority > priority)
                         break;
-                if ((*pprev)->priority == priority)
+                if (t->priority == priority)
                         goto err;
         }
 
@@ -65,14 +68,17 @@ EXPORT_SYMBOL(xfrm6_tunnel_register);
 
 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family)
 {
-        struct xfrm6_tunnel **pprev;
+        struct xfrm6_tunnel __rcu **pprev;
+        struct xfrm6_tunnel *t;
         int ret = -ENOENT;
 
         mutex_lock(&tunnel6_mutex);
 
         for (pprev = (family == AF_INET6) ? &tunnel6_handlers : &tunnel46_handlers;
-             *pprev; pprev = &(*pprev)->next) {
-                if (*pprev == handler) {
+             (t = rcu_dereference_protected(*pprev,
+                        lockdep_is_held(&tunnel6_mutex))) != NULL;
+             pprev = &t->next) {
+                if (t == handler) {
                         *pprev = handler->next;
                         ret = 0;
                         break;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index c84dad432114..91def93bec85 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -527,7 +527,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
                 }
         }
 
-        if (sk->sk_filter) {
+        if (rcu_dereference_raw(sk->sk_filter)) {
                 if (udp_lib_checksum_complete(skb))
                         goto drop;
         }