Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan.c2
-rw-r--r--net/8021q/vlan_dev.c5
-rw-r--r--net/bluetooth/hci_conn.c9
-rw-r--r--net/bluetooth/hci_event.c18
-rw-r--r--net/bluetooth/hidp/core.c18
-rw-r--r--net/bluetooth/hidp/hidp.h1
-rw-r--r--net/bluetooth/l2cap_core.c26
-rw-r--r--net/bluetooth/l2cap_sock.c1
-rw-r--r--net/bluetooth/rfcomm/sock.c1
-rw-r--r--net/bluetooth/sco.c13
-rw-r--r--net/bridge/br_device.c5
-rw-r--r--net/bridge/br_input.c6
-rw-r--r--net/bridge/br_multicast.c9
-rw-r--r--net/caif/cfmuxl.c2
-rw-r--r--net/ceph/osd_client.c10
-rw-r--r--net/core/dst.c6
-rw-r--r--net/ieee802154/nl-phy.c3
-rw-r--r--net/ipv4/af_inet.c5
-rw-r--r--net/ipv4/inet_diag.c14
-rw-r--r--net/ipv4/ip_output.c19
-rw-r--r--net/ipv4/netfilter.c60
-rw-r--r--net/ipv4/netfilter/ip_queue.c3
-rw-r--r--net/ipv4/netfilter/ip_tables.c2
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c14
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c7
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c4
-rw-r--r--net/ipv4/ping.c1
-rw-r--r--net/ipv4/route.c4
-rw-r--r--net/ipv4/tcp.c10
-rw-r--r--net/ipv4/tcp_ipv4.c1
-rw-r--r--net/ipv4/udp.c13
-rw-r--r--net/ipv4/xfrm4_output.c7
-rw-r--r--net/ipv6/af_inet6.c2
-rw-r--r--net/ipv6/netfilter/ip6_queue.c3
-rw-r--r--net/ipv6/route.c25
-rw-r--r--net/ipv6/tcp_ipv6.c1
-rw-r--r--net/ipv6/udp.c5
-rw-r--r--net/mac80211/scan.c3
-rw-r--r--net/mac80211/wpa.c24
-rw-r--r--net/netfilter/ipvs/ip_vs_conn.c10
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c1
-rw-r--r--net/netfilter/nfnetlink_log.c3
-rw-r--r--net/netfilter/nfnetlink_queue.c3
-rw-r--r--net/sctp/outqueue.c20
-rw-r--r--net/sctp/protocol.c11
-rw-r--r--net/sctp/sm_sideeffect.c20
-rw-r--r--net/sctp/sm_statefuns.c32
-rw-r--r--net/sctp/sm_statetable.c2
-rw-r--r--net/sctp/socket.c36
-rw-r--r--net/sctp/ulpevent.c16
-rw-r--r--net/sunrpc/auth_gss/auth_gss.c4
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c3
-rw-r--r--net/sunrpc/clnt.c5
-rw-r--r--net/sunrpc/rpcb_clnt.c2
-rw-r--r--net/sunrpc/sched.c28
-rw-r--r--net/wireless/core.c12
-rw-r--r--net/wireless/core.h2
-rw-r--r--net/wireless/nl80211.c27
-rw-r--r--net/wireless/scan.c10
-rw-r--r--net/xfrm/xfrm_policy.c6
-rw-r--r--net/xfrm/xfrm_state.c2
61 files changed, 382 insertions, 235 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index c7a581a96894..917ecb93ea28 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -205,7 +205,7 @@ int register_vlan_dev(struct net_device *dev)
205 grp->nr_vlans++; 205 grp->nr_vlans++;
206 206
207 if (ngrp) { 207 if (ngrp) {
208 if (ops->ndo_vlan_rx_register) 208 if (ops->ndo_vlan_rx_register && (real_dev->features & NETIF_F_HW_VLAN_RX))
209 ops->ndo_vlan_rx_register(real_dev, ngrp); 209 ops->ndo_vlan_rx_register(real_dev, ngrp);
210 rcu_assign_pointer(real_dev->vlgrp, ngrp); 210 rcu_assign_pointer(real_dev->vlgrp, ngrp);
211 } 211 }
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 7ea5cf9ea08a..86bff9b1ac47 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -586,9 +586,14 @@ static void vlan_dev_uninit(struct net_device *dev)
586static u32 vlan_dev_fix_features(struct net_device *dev, u32 features) 586static u32 vlan_dev_fix_features(struct net_device *dev, u32 features)
587{ 587{
588 struct net_device *real_dev = vlan_dev_info(dev)->real_dev; 588 struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
589 u32 old_features = features;
589 590
590 features &= real_dev->features; 591 features &= real_dev->features;
591 features &= real_dev->vlan_features; 592 features &= real_dev->vlan_features;
593
594 if (old_features & NETIF_F_SOFT_FEATURES)
595 features |= old_features & NETIF_F_SOFT_FEATURES;
596
592 if (dev_ethtool_get_rx_csum(real_dev)) 597 if (dev_ethtool_get_rx_csum(real_dev))
593 features |= NETIF_F_RXCSUM; 598 features |= NETIF_F_RXCSUM;
594 features |= NETIF_F_LLTX; 599 features |= NETIF_F_LLTX;
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 3163330cd4f1..bcd158f40bb9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -393,6 +393,9 @@ int hci_conn_del(struct hci_conn *conn)
393 393
394 hci_dev_put(hdev); 394 hci_dev_put(hdev);
395 395
396 if (conn->handle == 0)
397 kfree(conn);
398
396 return 0; 399 return 0;
397} 400}
398 401
@@ -608,11 +611,11 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
608 goto encrypt; 611 goto encrypt;
609 612
610auth: 613auth:
611 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) 614 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
612 return 0; 615 return 0;
613 616
614 hci_conn_auth(conn, sec_level, auth_type); 617 if (!hci_conn_auth(conn, sec_level, auth_type))
615 return 0; 618 return 0;
616 619
617encrypt: 620encrypt:
618 if (conn->link_mode & HCI_LM_ENCRYPT) 621 if (conn->link_mode & HCI_LM_ENCRYPT)
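Review bot: The `kfree(conn)` added at the end of hci_conn_del() ties ownership of the connection object to `conn->handle == 0`, and nothing in the hunk explains why a zero handle means no other path will still use or free it. If zero can also be a handle the controller assigns to a live link (not determinable from these lines), the object would be freed here while another release path still expects to own it, which is a double free or use-after-free. A dedicated flag, or at least a comment stating the invariant the check relies on, would make this reviewable. The function body starts outside the hunk.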
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index f13ddbf858ba..77930aa522e3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -477,14 +477,16 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
477 * command otherwise */ 477 * command otherwise */
478 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 }; 478 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
479 479
480 /* Events for 1.2 and newer controllers */ 480 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
481 if (hdev->lmp_ver > 1) { 481 * any event mask for pre 1.2 devices */
482 events[4] |= 0x01; /* Flow Specification Complete */ 482 if (hdev->lmp_ver <= 1)
483 events[4] |= 0x02; /* Inquiry Result with RSSI */ 483 return;
484 events[4] |= 0x04; /* Read Remote Extended Features Complete */ 484
485 events[5] |= 0x08; /* Synchronous Connection Complete */ 485 events[4] |= 0x01; /* Flow Specification Complete */
486 events[5] |= 0x10; /* Synchronous Connection Changed */ 486 events[4] |= 0x02; /* Inquiry Result with RSSI */
487 } 487 events[4] |= 0x04; /* Read Remote Extended Features Complete */
488 events[5] |= 0x08; /* Synchronous Connection Complete */
489 events[5] |= 0x10; /* Synchronous Connection Changed */
488 490
489 if (hdev->features[3] & LMP_RSSI_INQ) 491 if (hdev->features[3] & LMP_RSSI_INQ)
490 events[4] |= 0x04; /* Inquiry Result with RSSI */ 492 events[4] |= 0x04; /* Inquiry Result with RSSI */
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index c405a954a603..43b4c2deb7cc 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -464,7 +464,8 @@ static void hidp_idle_timeout(unsigned long arg)
464{ 464{
465 struct hidp_session *session = (struct hidp_session *) arg; 465 struct hidp_session *session = (struct hidp_session *) arg;
466 466
467 kthread_stop(session->task); 467 atomic_inc(&session->terminate);
468 wake_up_process(session->task);
468} 469}
469 470
470static void hidp_set_timer(struct hidp_session *session) 471static void hidp_set_timer(struct hidp_session *session)
@@ -535,7 +536,8 @@ static void hidp_process_hid_control(struct hidp_session *session,
535 skb_queue_purge(&session->ctrl_transmit); 536 skb_queue_purge(&session->ctrl_transmit);
536 skb_queue_purge(&session->intr_transmit); 537 skb_queue_purge(&session->intr_transmit);
537 538
538 kthread_stop(session->task); 539 atomic_inc(&session->terminate);
540 wake_up_process(current);
539 } 541 }
540} 542}
541 543
@@ -706,9 +708,8 @@ static int hidp_session(void *arg)
706 add_wait_queue(sk_sleep(intr_sk), &intr_wait); 708 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
707 session->waiting_for_startup = 0; 709 session->waiting_for_startup = 0;
708 wake_up_interruptible(&session->startup_queue); 710 wake_up_interruptible(&session->startup_queue);
709 while (!kthread_should_stop()) { 711 set_current_state(TASK_INTERRUPTIBLE);
710 set_current_state(TASK_INTERRUPTIBLE); 712 while (!atomic_read(&session->terminate)) {
711
712 if (ctrl_sk->sk_state != BT_CONNECTED || 713 if (ctrl_sk->sk_state != BT_CONNECTED ||
713 intr_sk->sk_state != BT_CONNECTED) 714 intr_sk->sk_state != BT_CONNECTED)
714 break; 715 break;
@@ -726,6 +727,7 @@ static int hidp_session(void *arg)
726 hidp_process_transmit(session); 727 hidp_process_transmit(session);
727 728
728 schedule(); 729 schedule();
730 set_current_state(TASK_INTERRUPTIBLE);
729 } 731 }
730 set_current_state(TASK_RUNNING); 732 set_current_state(TASK_RUNNING);
731 remove_wait_queue(sk_sleep(intr_sk), &intr_wait); 733 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
@@ -1060,7 +1062,8 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1060err_add_device: 1062err_add_device:
1061 hid_destroy_device(session->hid); 1063 hid_destroy_device(session->hid);
1062 session->hid = NULL; 1064 session->hid = NULL;
1063 kthread_stop(session->task); 1065 atomic_inc(&session->terminate);
1066 wake_up_process(session->task);
1064 1067
1065unlink: 1068unlink:
1066 hidp_del_timer(session); 1069 hidp_del_timer(session);
@@ -1111,7 +1114,8 @@ int hidp_del_connection(struct hidp_conndel_req *req)
1111 skb_queue_purge(&session->ctrl_transmit); 1114 skb_queue_purge(&session->ctrl_transmit);
1112 skb_queue_purge(&session->intr_transmit); 1115 skb_queue_purge(&session->intr_transmit);
1113 1116
1114 kthread_stop(session->task); 1117 atomic_inc(&session->terminate);
1118 wake_up_process(session->task);
1115 } 1119 }
1116 } else 1120 } else
1117 err = -ENOENT; 1121 err = -ENOENT;
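Review bot: Replacing `kthread_stop(session->task)` with `atomic_inc(&session->terminate); wake_up_process(...)` turns a synchronous stop into an asynchronous request, because kthread_stop() returns only after the thread has exited while these callers now continue at once. In hidp_add_connection() the err_add_device path falls through to `unlink:` right after the wake-up, and the rest of that cleanup is outside the hunk; if it releases `session`, the session thread can still be running on freed memory. Either wait for the thread to finish before teardown or document that the thread performs the final free. hidp_process_hid_control() also calls `wake_up_process(current)` where the other three sites pass `session->task`; if that is deliberate because it runs in the session thread, a one-line comment should say so.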
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 19e95004b286..af1bcc823f26 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -142,6 +142,7 @@ struct hidp_session {
142 uint ctrl_mtu; 142 uint ctrl_mtu;
143 uint intr_mtu; 143 uint intr_mtu;
144 144
145 atomic_t terminate;
145 struct task_struct *task; 146 struct task_struct *task;
146 147
147 unsigned char keys[8]; 148 unsigned char keys[8];
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e64a1c2df238..ebff14c69078 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2323,7 +2323,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2323 2323
2324 sk = chan->sk; 2324 sk = chan->sk;
2325 2325
2326 if (sk->sk_state != BT_CONFIG) { 2326 if ((bt_sk(sk)->defer_setup && sk->sk_state != BT_CONNECT2) ||
2327 (!bt_sk(sk)->defer_setup && sk->sk_state != BT_CONFIG)) {
2327 struct l2cap_cmd_rej rej; 2328 struct l2cap_cmd_rej rej;
2328 2329
2329 rej.reason = cpu_to_le16(0x0002); 2330 rej.reason = cpu_to_le16(0x0002);
@@ -2334,7 +2335,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2334 2335
2335 /* Reject if config buffer is too small. */ 2336 /* Reject if config buffer is too small. */
2336 len = cmd_len - sizeof(*req); 2337 len = cmd_len - sizeof(*req);
2337 if (chan->conf_len + len > sizeof(chan->conf_req)) { 2338 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2338 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 2339 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2339 l2cap_build_conf_rsp(chan, rsp, 2340 l2cap_build_conf_rsp(chan, rsp,
2340 L2CAP_CONF_REJECT, flags), rsp); 2341 L2CAP_CONF_REJECT, flags), rsp);
@@ -4002,21 +4003,30 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4002 } 4003 }
4003 } else if (sk->sk_state == BT_CONNECT2) { 4004 } else if (sk->sk_state == BT_CONNECT2) {
4004 struct l2cap_conn_rsp rsp; 4005 struct l2cap_conn_rsp rsp;
4005 __u16 result; 4006 __u16 res, stat;
4006 4007
4007 if (!status) { 4008 if (!status) {
4008 sk->sk_state = BT_CONFIG; 4009 if (bt_sk(sk)->defer_setup) {
4009 result = L2CAP_CR_SUCCESS; 4010 struct sock *parent = bt_sk(sk)->parent;
4011 res = L2CAP_CR_PEND;
4012 stat = L2CAP_CS_AUTHOR_PEND;
4013 parent->sk_data_ready(parent, 0);
4014 } else {
4015 sk->sk_state = BT_CONFIG;
4016 res = L2CAP_CR_SUCCESS;
4017 stat = L2CAP_CS_NO_INFO;
4018 }
4010 } else { 4019 } else {
4011 sk->sk_state = BT_DISCONN; 4020 sk->sk_state = BT_DISCONN;
4012 l2cap_sock_set_timer(sk, HZ / 10); 4021 l2cap_sock_set_timer(sk, HZ / 10);
4013 result = L2CAP_CR_SEC_BLOCK; 4022 res = L2CAP_CR_SEC_BLOCK;
4023 stat = L2CAP_CS_NO_INFO;
4014 } 4024 }
4015 4025
4016 rsp.scid = cpu_to_le16(chan->dcid); 4026 rsp.scid = cpu_to_le16(chan->dcid);
4017 rsp.dcid = cpu_to_le16(chan->scid); 4027 rsp.dcid = cpu_to_le16(chan->scid);
4018 rsp.result = cpu_to_le16(result); 4028 rsp.result = cpu_to_le16(res);
4019 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4029 rsp.status = cpu_to_le16(stat);
4020 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 4030 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4021 sizeof(rsp), &rsp); 4031 sizeof(rsp), &rsp);
4022 } 4032 }
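Review bot: In the new defer_setup branch of l2cap_security_cfm(), `parent` is read from `bt_sk(sk)->parent` and `parent->sk_data_ready(parent, 0)` is called without a NULL check. Nothing visible in the hunk guarantees the listening socket is still attached when the security procedure completes, so a child whose parent was closed in the meantime would dereference NULL on an event driven by the remote device. `if (parent) parent->sk_data_ready(parent, 0);` would cover it. The function starts and ends outside the hunk, so any locking that rules this out is not visible here.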
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 18dc9888d8c2..8248303f44e8 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -413,6 +413,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
413 break; 413 break;
414 } 414 }
415 415
416 memset(&cinfo, 0, sizeof(cinfo));
416 cinfo.hci_handle = chan->conn->hcon->handle; 417 cinfo.hci_handle = chan->conn->hcon->handle;
417 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 418 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
418 419
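Review bot: The added `memset(&cinfo, 0, sizeof(cinfo));` carries no comment saying why it is needed, and the same unexplained line is added to rfcomm_sock_getsockopt_old() in net/bluetooth/rfcomm/sock.c. Presumably the struct is copied to user space further down (outside the hunk) and only `hci_handle` and three bytes of `dev_class` are assigned, so padding would otherwise carry stale kernel stack bytes. I would add `/* zero padding: cinfo is copied to user space */` above both calls so the memset is not later removed as redundant.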
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 386cfaffd4b7..1b10727ce523 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -788,6 +788,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
788 788
789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; 789 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
790 790
791 memset(&cinfo, 0, sizeof(cinfo));
791 cinfo.hci_handle = conn->hcon->handle; 792 cinfo.hci_handle = conn->hcon->handle;
792 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); 793 memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
793 794
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 42fdffd1d76c..cb4fb7837e5c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -369,6 +369,15 @@ static void __sco_sock_close(struct sock *sk)
369 369
370 case BT_CONNECTED: 370 case BT_CONNECTED:
371 case BT_CONFIG: 371 case BT_CONFIG:
372 if (sco_pi(sk)->conn) {
373 sk->sk_state = BT_DISCONN;
374 sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
375 hci_conn_put(sco_pi(sk)->conn->hcon);
376 sco_pi(sk)->conn->hcon = NULL;
377 } else
378 sco_chan_del(sk, ECONNRESET);
379 break;
380
372 case BT_CONNECT: 381 case BT_CONNECT:
373 case BT_DISCONN: 382 case BT_DISCONN:
374 sco_chan_del(sk, ECONNRESET); 383 sco_chan_del(sk, ECONNRESET);
@@ -819,7 +828,9 @@ static void sco_chan_del(struct sock *sk, int err)
819 conn->sk = NULL; 828 conn->sk = NULL;
820 sco_pi(sk)->conn = NULL; 829 sco_pi(sk)->conn = NULL;
821 sco_conn_unlock(conn); 830 sco_conn_unlock(conn);
822 hci_conn_put(conn->hcon); 831
832 if (conn->hcon)
833 hci_conn_put(conn->hcon);
823 } 834 }
824 835
825 sk->sk_state = BT_CLOSED; 836 sk->sk_state = BT_CLOSED;
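Review bot: The new BT_CONNECTED/BT_CONFIG branch in __sco_sock_close() calls `hci_conn_put(sco_pi(sk)->conn->hcon)` and then sets `hcon = NULL` with no conn lock visible around it, while sco_chan_del() in the second hunk tests `conn->hcon` only after `sco_conn_unlock(conn)`. If the two can run concurrently for the same conn (the callers' locking is outside both hunks), the reference can be dropped twice or the put can see a pointer that is being cleared. The first branch also does not check that `hcon` is non-NULL before the put. Taking the conn lock around the put-and-clear, and moving the `if (conn->hcon)` test before the unlock, would close that window.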
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index a6b2f86378c7..32b8f9f7f79e 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -49,7 +49,9 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
49 skb_pull(skb, ETH_HLEN); 49 skb_pull(skb, ETH_HLEN);
50 50
51 rcu_read_lock(); 51 rcu_read_lock();
52 if (is_multicast_ether_addr(dest)) { 52 if (is_broadcast_ether_addr(dest))
53 br_flood_deliver(br, skb);
54 else if (is_multicast_ether_addr(dest)) {
53 if (unlikely(netpoll_tx_running(dev))) { 55 if (unlikely(netpoll_tx_running(dev))) {
54 br_flood_deliver(br, skb); 56 br_flood_deliver(br, skb);
55 goto out; 57 goto out;
@@ -243,6 +245,7 @@ int br_netpoll_enable(struct net_bridge_port *p)
243 goto out; 245 goto out;
244 246
245 np->dev = p->dev; 247 np->dev = p->dev;
248 strlcpy(np->dev_name, p->dev->name, IFNAMSIZ);
246 249
247 err = __netpoll_setup(np); 250 err = __netpoll_setup(np);
248 if (err) { 251 if (err) {
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index f3ac1e858ee1..f06ee39c73fd 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -60,7 +60,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
60 br = p->br; 60 br = p->br;
61 br_fdb_update(br, p, eth_hdr(skb)->h_source); 61 br_fdb_update(br, p, eth_hdr(skb)->h_source);
62 62
63 if (is_multicast_ether_addr(dest) && 63 if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
64 br_multicast_rcv(br, p, skb)) 64 br_multicast_rcv(br, p, skb))
65 goto drop; 65 goto drop;
66 66
@@ -77,7 +77,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
77 77
78 dst = NULL; 78 dst = NULL;
79 79
80 if (is_multicast_ether_addr(dest)) { 80 if (is_broadcast_ether_addr(dest))
81 skb2 = skb;
82 else if (is_multicast_ether_addr(dest)) {
81 mdst = br_mdb_get(br, skb); 83 mdst = br_mdb_get(br, skb);
82 if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) { 84 if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) {
83 if ((mdst && mdst->mglist) || 85 if ((mdst && mdst->mglist) ||
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 2f14eafdeeab..2d85ca7111d3 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1379,8 +1379,11 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
1379 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl))) 1379 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
1380 return -EINVAL; 1380 return -EINVAL;
1381 1381
1382 if (iph->protocol != IPPROTO_IGMP) 1382 if (iph->protocol != IPPROTO_IGMP) {
1383 if ((iph->daddr & IGMP_LOCAL_GROUP_MASK) != IGMP_LOCAL_GROUP)
1384 BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
1383 return 0; 1385 return 0;
1386 }
1384 1387
1385 len = ntohs(iph->tot_len); 1388 len = ntohs(iph->tot_len);
1386 if (skb->len < len || len < ip_hdrlen(skb)) 1389 if (skb->len < len || len < ip_hdrlen(skb))
@@ -1424,7 +1427,7 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
1424 switch (ih->type) { 1427 switch (ih->type) {
1425 case IGMP_HOST_MEMBERSHIP_REPORT: 1428 case IGMP_HOST_MEMBERSHIP_REPORT:
1426 case IGMPV2_HOST_MEMBERSHIP_REPORT: 1429 case IGMPV2_HOST_MEMBERSHIP_REPORT:
1427 BR_INPUT_SKB_CB(skb2)->mrouters_only = 1; 1430 BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
1428 err = br_ip4_multicast_add_group(br, port, ih->group); 1431 err = br_ip4_multicast_add_group(br, port, ih->group);
1429 break; 1432 break;
1430 case IGMPV3_HOST_MEMBERSHIP_REPORT: 1433 case IGMPV3_HOST_MEMBERSHIP_REPORT:
@@ -1543,7 +1546,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
1543 goto out; 1546 goto out;
1544 } 1547 }
1545 mld = (struct mld_msg *)skb_transport_header(skb2); 1548 mld = (struct mld_msg *)skb_transport_header(skb2);
1546 BR_INPUT_SKB_CB(skb2)->mrouters_only = 1; 1549 BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
1547 err = br_ip6_multicast_add_group(br, port, &mld->mld_mca); 1550 err = br_ip6_multicast_add_group(br, port, &mld->mld_mca);
1548 break; 1551 break;
1549 } 1552 }
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 3a66b8c10e09..c23979e79dfa 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -255,7 +255,7 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
255 255
256 if (cfsrvl_phyid_match(layer, phyid) && layer->ctrlcmd) { 256 if (cfsrvl_phyid_match(layer, phyid) && layer->ctrlcmd) {
257 257
258 if ((ctrl == _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND || 258 if ((ctrl == _CAIF_CTRLCMD_PHYIF_DOWN_IND ||
259 ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) && 259 ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) &&
260 layer->id != 0) { 260 layer->id != 0) {
261 261
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 9cb627a4073a..7330c2757c0c 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -477,8 +477,9 @@ struct ceph_osd_request *ceph_osdc_new_request(struct ceph_osd_client *osdc,
477 calc_layout(osdc, vino, layout, off, plen, req, ops); 477 calc_layout(osdc, vino, layout, off, plen, req, ops);
478 req->r_file_layout = *layout; /* keep a copy */ 478 req->r_file_layout = *layout; /* keep a copy */
479 479
480 /* in case it differs from natural alignment that calc_layout 480 /* in case it differs from natural (file) alignment that
481 filled in for us */ 481 calc_layout filled in for us */
482 req->r_num_pages = calc_pages_for(page_align, *plen);
482 req->r_page_alignment = page_align; 483 req->r_page_alignment = page_align;
483 484
484 ceph_osdc_build_request(req, off, plen, ops, 485 ceph_osdc_build_request(req, off, plen, ops,
@@ -2027,8 +2028,9 @@ static struct ceph_msg *get_reply(struct ceph_connection *con,
2027 int want = calc_pages_for(req->r_page_alignment, data_len); 2028 int want = calc_pages_for(req->r_page_alignment, data_len);
2028 2029
2029 if (unlikely(req->r_num_pages < want)) { 2030 if (unlikely(req->r_num_pages < want)) {
2030 pr_warning("tid %lld reply %d > expected %d pages\n", 2031 pr_warning("tid %lld reply has %d bytes %d pages, we"
2031 tid, want, m->nr_pages); 2032 " had only %d pages ready\n", tid, data_len,
2033 want, req->r_num_pages);
2032 *skip = 1; 2034 *skip = 1;
2033 ceph_msg_put(m); 2035 ceph_msg_put(m);
2034 m = NULL; 2036 m = NULL;
diff --git a/net/core/dst.c b/net/core/dst.c
index 9ccca038444f..6135f3671692 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -190,7 +190,8 @@ void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
190 dst->lastuse = jiffies; 190 dst->lastuse = jiffies;
191 dst->flags = flags; 191 dst->flags = flags;
192 dst->next = NULL; 192 dst->next = NULL;
193 dst_entries_add(ops, 1); 193 if (!(flags & DST_NOCOUNT))
194 dst_entries_add(ops, 1);
194 return dst; 195 return dst;
195} 196}
196EXPORT_SYMBOL(dst_alloc); 197EXPORT_SYMBOL(dst_alloc);
@@ -243,7 +244,8 @@ again:
243 neigh_release(neigh); 244 neigh_release(neigh);
244 } 245 }
245 246
246 dst_entries_add(dst->ops, -1); 247 if (!(dst->flags & DST_NOCOUNT))
248 dst_entries_add(dst->ops, -1);
247 249
248 if (dst->ops->destroy) 250 if (dst->ops->destroy)
249 dst->ops->destroy(dst); 251 dst->ops->destroy(dst);
diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
index ed0eab39f531..02548b292b53 100644
--- a/net/ieee802154/nl-phy.c
+++ b/net/ieee802154/nl-phy.c
@@ -44,7 +44,7 @@ static int ieee802154_nl_fill_phy(struct sk_buff *msg, u32 pid,
44 pr_debug("%s\n", __func__); 44 pr_debug("%s\n", __func__);
45 45
46 if (!buf) 46 if (!buf)
47 goto out; 47 return -EMSGSIZE;
48 48
49 hdr = genlmsg_put(msg, 0, seq, &nl802154_family, flags, 49 hdr = genlmsg_put(msg, 0, seq, &nl802154_family, flags,
50 IEEE802154_LIST_PHY); 50 IEEE802154_LIST_PHY);
@@ -65,6 +65,7 @@ static int ieee802154_nl_fill_phy(struct sk_buff *msg, u32 pid,
65 pages * sizeof(uint32_t), buf); 65 pages * sizeof(uint32_t), buf);
66 66
67 mutex_unlock(&phy->pib_lock); 67 mutex_unlock(&phy->pib_lock);
68 kfree(buf);
68 return genlmsg_end(msg, hdr); 69 return genlmsg_end(msg, hdr);
69 70
70nla_put_failure: 71nla_put_failure:
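Review bot: `if (!buf) return -EMSGSIZE;` reports what looks like an allocation failure as a message-size error, assuming `buf` comes from an allocator call above the hunk; `return -ENOMEM;` would tell the caller what actually failed. The added `kfree(buf)` covers the success return only, and the `nla_put_failure:` path continues outside the hunk, so it is worth confirming that path still frees `buf`.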
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 9c1926027a26..ef1528af7abf 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -465,8 +465,10 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
465 if (addr_len < sizeof(struct sockaddr_in)) 465 if (addr_len < sizeof(struct sockaddr_in))
466 goto out; 466 goto out;
467 467
468 if (addr->sin_family != AF_INET) 468 if (addr->sin_family != AF_INET) {
469 err = -EAFNOSUPPORT;
469 goto out; 470 goto out;
471 }
470 472
471 chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr); 473 chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
472 474
@@ -676,6 +678,7 @@ int inet_accept(struct socket *sock, struct socket *newsock, int flags)
676 678
677 lock_sock(sk2); 679 lock_sock(sk2);
678 680
681 sock_rps_record_flow(sk2);
679 WARN_ON(!((1 << sk2->sk_state) & 682 WARN_ON(!((1 << sk2->sk_state) &
680 (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT | TCPF_CLOSE))); 683 (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT | TCPF_CLOSE)));
681 684
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 6ffe94ca5bc9..3267d3898437 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
437 return 0; 437 return 0;
438 if (cc == len) 438 if (cc == len)
439 return 1; 439 return 1;
440 if (op->yes < 4) 440 if (op->yes < 4 || op->yes & 3)
441 return 0; 441 return 0;
442 len -= op->yes; 442 len -= op->yes;
443 bc += op->yes; 443 bc += op->yes;
@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
447 447
448static int inet_diag_bc_audit(const void *bytecode, int bytecode_len) 448static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
449{ 449{
450 const unsigned char *bc = bytecode; 450 const void *bc = bytecode;
451 int len = bytecode_len; 451 int len = bytecode_len;
452 452
453 while (len > 0) { 453 while (len > 0) {
454 struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc; 454 const struct inet_diag_bc_op *op = bc;
455 455
456//printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len); 456//printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
457 switch (op->code) { 457 switch (op->code) {
@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
462 case INET_DIAG_BC_S_LE: 462 case INET_DIAG_BC_S_LE:
463 case INET_DIAG_BC_D_GE: 463 case INET_DIAG_BC_D_GE:
464 case INET_DIAG_BC_D_LE: 464 case INET_DIAG_BC_D_LE:
465 if (op->yes < 4 || op->yes > len + 4)
466 return -EINVAL;
467 case INET_DIAG_BC_JMP: 465 case INET_DIAG_BC_JMP:
468 if (op->no < 4 || op->no > len + 4) 466 if (op->no < 4 || op->no > len + 4 || op->no & 3)
469 return -EINVAL; 467 return -EINVAL;
470 if (op->no < len && 468 if (op->no < len &&
471 !valid_cc(bytecode, bytecode_len, len - op->no)) 469 !valid_cc(bytecode, bytecode_len, len - op->no))
472 return -EINVAL; 470 return -EINVAL;
473 break; 471 break;
474 case INET_DIAG_BC_NOP: 472 case INET_DIAG_BC_NOP:
475 if (op->yes < 4 || op->yes > len + 4)
476 return -EINVAL;
477 break; 473 break;
478 default: 474 default:
479 return -EINVAL; 475 return -EINVAL;
480 } 476 }
477 if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
478 return -EINVAL;
481 bc += op->yes; 479 bc += op->yes;
482 len -= op->yes; 480 len -= op->yes;
483 } 481 }
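Review bot: inet_diag_bc_audit() dereferences `op` whenever `len > 0`, but no check in the hunk requires at least `sizeof(*op)` bytes to remain. With the new `& 3` tests every step keeps `len` congruent to `bytecode_len` modulo 4, so unless the caller already rejects a length that is not a multiple of 4 (not visible here), the last iteration reads `op->code`, `op->yes` and `op->no` partly beyond the user-supplied filter. `if (len < (int)sizeof(*op)) return -EINVAL;` at the top of the loop would cover it. The bodies of both functions extend outside the hunks.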
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index a8024eaa0e87..84f26e8e6c60 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -802,8 +802,6 @@ static int __ip_append_data(struct sock *sk,
802 skb = skb_peek_tail(queue); 802 skb = skb_peek_tail(queue);
803 803
804 exthdrlen = !skb ? rt->dst.header_len : 0; 804 exthdrlen = !skb ? rt->dst.header_len : 0;
805 length += exthdrlen;
806 transhdrlen += exthdrlen;
807 mtu = cork->fragsize; 805 mtu = cork->fragsize;
808 806
809 hh_len = LL_RESERVED_SPACE(rt->dst.dev); 807 hh_len = LL_RESERVED_SPACE(rt->dst.dev);
@@ -830,7 +828,7 @@ static int __ip_append_data(struct sock *sk,
830 cork->length += length; 828 cork->length += length;
831 if (((length > mtu) || (skb && skb_is_gso(skb))) && 829 if (((length > mtu) || (skb && skb_is_gso(skb))) &&
832 (sk->sk_protocol == IPPROTO_UDP) && 830 (sk->sk_protocol == IPPROTO_UDP) &&
833 (rt->dst.dev->features & NETIF_F_UFO)) { 831 (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
834 err = ip_ufo_append_data(sk, queue, getfrag, from, length, 832 err = ip_ufo_append_data(sk, queue, getfrag, from, length,
835 hh_len, fragheaderlen, transhdrlen, 833 hh_len, fragheaderlen, transhdrlen,
836 mtu, flags); 834 mtu, flags);
@@ -883,17 +881,16 @@ alloc_new_skb:
883 else 881 else
884 alloclen = fraglen; 882 alloclen = fraglen;
885 883
884 alloclen += exthdrlen;
885
886 /* The last fragment gets additional space at tail. 886 /* The last fragment gets additional space at tail.
887 * Note, with MSG_MORE we overallocate on fragments, 887 * Note, with MSG_MORE we overallocate on fragments,
888 * because we have no idea what fragment will be 888 * because we have no idea what fragment will be
889 * the last. 889 * the last.
890 */ 890 */
891 if (datalen == length + fraggap) { 891 if (datalen == length + fraggap)
892 alloclen += rt->dst.trailer_len; 892 alloclen += rt->dst.trailer_len;
893 /* make sure mtu is not reached */ 893
894 if (datalen > mtu - fragheaderlen - rt->dst.trailer_len)
895 datalen -= ALIGN(rt->dst.trailer_len, 8);
896 }
897 if (transhdrlen) { 894 if (transhdrlen) {
898 skb = sock_alloc_send_skb(sk, 895 skb = sock_alloc_send_skb(sk,
899 alloclen + hh_len + 15, 896 alloclen + hh_len + 15,
@@ -926,11 +923,11 @@ alloc_new_skb:
926 /* 923 /*
927 * Find where to start putting bytes. 924 * Find where to start putting bytes.
928 */ 925 */
929 data = skb_put(skb, fraglen); 926 data = skb_put(skb, fraglen + exthdrlen);
930 skb_set_network_header(skb, exthdrlen); 927 skb_set_network_header(skb, exthdrlen);
931 skb->transport_header = (skb->network_header + 928 skb->transport_header = (skb->network_header +
932 fragheaderlen); 929 fragheaderlen);
933 data += fragheaderlen; 930 data += fragheaderlen + exthdrlen;
934 931
935 if (fraggap) { 932 if (fraggap) {
936 skb->csum = skb_copy_and_csum_bits( 933 skb->csum = skb_copy_and_csum_bits(
@@ -1064,7 +1061,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
1064 */ 1061 */
1065 *rtp = NULL; 1062 *rtp = NULL;
1066 cork->fragsize = inet->pmtudisc == IP_PMTUDISC_PROBE ? 1063 cork->fragsize = inet->pmtudisc == IP_PMTUDISC_PROBE ?
1067 rt->dst.dev->mtu : dst_mtu(rt->dst.path); 1064 rt->dst.dev->mtu : dst_mtu(&rt->dst);
1068 cork->dst = &rt->dst; 1065 cork->dst = &rt->dst;
1069 cork->length = 0; 1066 cork->length = 0;
1070 cork->tx_flags = ipc->tx_flags; 1067 cork->tx_flags = ipc->tx_flags;
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 4614babdc45f..2e97e3ec1eb7 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -17,51 +17,35 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
17 const struct iphdr *iph = ip_hdr(skb); 17 const struct iphdr *iph = ip_hdr(skb);
18 struct rtable *rt; 18 struct rtable *rt;
19 struct flowi4 fl4 = {}; 19 struct flowi4 fl4 = {};
20 unsigned long orefdst; 20 __be32 saddr = iph->saddr;
21 __u8 flags = 0;
21 unsigned int hh_len; 22 unsigned int hh_len;
22 unsigned int type;
23 23
24 type = inet_addr_type(net, iph->saddr); 24 if (!skb->sk && addr_type != RTN_LOCAL) {
25 if (skb->sk && inet_sk(skb->sk)->transparent) 25 if (addr_type == RTN_UNSPEC)
26 type = RTN_LOCAL; 26 addr_type = inet_addr_type(net, saddr);
27 if (addr_type == RTN_UNSPEC) 27 if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
28 addr_type = type; 28 flags |= FLOWI_FLAG_ANYSRC;
29 else
30 saddr = 0;
31 }
29 32
30 /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause 33 /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
31 * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook. 34 * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
32 */ 35 */
33 if (addr_type == RTN_LOCAL) { 36 fl4.daddr = iph->daddr;
34 fl4.daddr = iph->daddr; 37 fl4.saddr = saddr;
35 if (type == RTN_LOCAL) 38 fl4.flowi4_tos = RT_TOS(iph->tos);
36 fl4.saddr = iph->saddr; 39 fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
37 fl4.flowi4_tos = RT_TOS(iph->tos); 40 fl4.flowi4_mark = skb->mark;
38 fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0; 41 fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
39 fl4.flowi4_mark = skb->mark; 42 rt = ip_route_output_key(net, &fl4);
40 fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0; 43 if (IS_ERR(rt))
41 rt = ip_route_output_key(net, &fl4); 44 return -1;
42 if (IS_ERR(rt))
43 return -1;
44
45 /* Drop old route. */
46 skb_dst_drop(skb);
47 skb_dst_set(skb, &rt->dst);
48 } else {
49 /* non-local src, find valid iif to satisfy
50 * rp-filter when calling ip_route_input. */
51 fl4.daddr = iph->saddr;
52 rt = ip_route_output_key(net, &fl4);
53 if (IS_ERR(rt))
54 return -1;
55 45
56 orefdst = skb->_skb_refdst; 46 /* Drop old route. */
57 if (ip_route_input(skb, iph->daddr, iph->saddr, 47 skb_dst_drop(skb);
58 RT_TOS(iph->tos), rt->dst.dev) != 0) { 48 skb_dst_set(skb, &rt->dst);
59 dst_release(&rt->dst);
60 return -1;
61 }
62 dst_release(&rt->dst);
63 refdst_drop(orefdst);
64 }
65 49
66 if (skb_dst(skb)->error) 50 if (skb_dst(skb)->error)
67 return -1; 51 return -1;
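Review bot: The rewritten ip_route_me_harder() sets `saddr = 0` for every socket-less packet whose source type is neither RTN_LOCAL nor RTN_UNICAST, and the one remaining comment (about ipt_REJECT's send_reset) explains neither that nor the use of FLOWI_FLAG_ANYSRC. Because this block decides whether a packet with a foreign source address is routed with that address, I would add a comment above `if (!skb->sk && addr_type != RTN_LOCAL)` stating which source types keep their address and why the others are cleared. The removed code special-cased `inet_sk(skb->sk)->transparent` and the new side has no direct counterpart; presumably `inet_sk_flowi_flags(skb->sk)` now covers it, which is worth confirming. The function continues outside the hunk.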
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index f7f9bd7ba12d..5c9b9d963918 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -203,7 +203,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
203 else 203 else
204 pmsg->outdev_name[0] = '\0'; 204 pmsg->outdev_name[0] = '\0';
205 205
206 if (entry->indev && entry->skb->dev) { 206 if (entry->indev && entry->skb->dev &&
207 entry->skb->mac_header != entry->skb->network_header) {
207 pmsg->hw_type = entry->skb->dev->type; 208 pmsg->hw_type = entry->skb->dev->type;
208 pmsg->hw_addrlen = dev_parse_header(entry->skb, 209 pmsg->hw_addrlen = dev_parse_header(entry->skb,
209 pmsg->hw_addr); 210 pmsg->hw_addr);
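Review bot: The new `entry->skb->mac_header != entry->skb->network_header` test in `ipq_build_packet_message()` has no comment saying what it guards, and the same condition is repeated in ip6_queue.c, nfnetlink_log.c and nfnetlink_queue.c in this commit. It appears to mean "this skb carries no link-layer header", in which case `dev_parse_header()` would copy bytes that are not a hardware address into the message handed to userspace; that reading is inferred, not stated on the page. I would put `/* no link-layer header on this skb: nothing for dev_parse_header() to parse */` above the condition at each site, or move the test into one small helper so the four copies cannot drift apart. The function starts before and continues after the hunk.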
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 764743843503..24e556e83a3b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -566,7 +566,7 @@ check_entry(const struct ipt_entry *e, const char *name)
566 const struct xt_entry_target *t; 566 const struct xt_entry_target *t;
567 567
568 if (!ip_checkentry(&e->ip)) { 568 if (!ip_checkentry(&e->ip)) {
569 duprintf("ip check failed %p %s.\n", e, par->match->name); 569 duprintf("ip check failed %p %s.\n", e, name);
570 return -EINVAL; 570 return -EINVAL;
571 } 571 }
572 572
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 1ff79e557f96..51f13f8ec724 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -40,7 +40,6 @@ static void send_reset(struct sk_buff *oldskb, int hook)
40 struct iphdr *niph; 40 struct iphdr *niph;
41 const struct tcphdr *oth; 41 const struct tcphdr *oth;
42 struct tcphdr _otcph, *tcph; 42 struct tcphdr _otcph, *tcph;
43 unsigned int addr_type;
44 43
45 /* IP header checks: fragment. */ 44 /* IP header checks: fragment. */
46 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 45 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
@@ -55,6 +54,9 @@ static void send_reset(struct sk_buff *oldskb, int hook)
55 if (oth->rst) 54 if (oth->rst)
56 return; 55 return;
57 56
57 if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
58 return;
59
58 /* Check checksum */ 60 /* Check checksum */
59 if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) 61 if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
60 return; 62 return;
@@ -101,19 +103,11 @@ static void send_reset(struct sk_buff *oldskb, int hook)
101 nskb->csum_start = (unsigned char *)tcph - nskb->head; 103 nskb->csum_start = (unsigned char *)tcph - nskb->head;
102 nskb->csum_offset = offsetof(struct tcphdr, check); 104 nskb->csum_offset = offsetof(struct tcphdr, check);
103 105
104 addr_type = RTN_UNSPEC;
105 if (hook != NF_INET_FORWARD
106#ifdef CONFIG_BRIDGE_NETFILTER
107 || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
108#endif
109 )
110 addr_type = RTN_LOCAL;
111
112 /* ip_route_me_harder expects skb->dst to be set */ 106 /* ip_route_me_harder expects skb->dst to be set */
113 skb_dst_set_noref(nskb, skb_dst(oldskb)); 107 skb_dst_set_noref(nskb, skb_dst(oldskb));
114 108
115 nskb->protocol = htons(ETH_P_IP); 109 nskb->protocol = htons(ETH_P_IP);
116 if (ip_route_me_harder(nskb, addr_type)) 110 if (ip_route_me_harder(nskb, RTN_UNSPEC))
117 goto free_nskb; 111 goto free_nskb;
118 112
119 niph->ttl = ip4_dst_hoplimit(skb_dst(nskb)); 113 niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
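Review bot: The added `skb_rtable(oldskb)->rt_flags` test in the second hunk dereferences the route of `oldskb` unconditionally and, unlike the checks around it, carries no comment. Whether every hook that reaches `send_reset()` guarantees a route on `oldskb` is not visible here; the later `skb_dst_set_noref(nskb, skb_dst(oldskb))` only passes the pointer on, so this is the first line that depends on it being non-NULL. I would document both the intent and the assumption, e.g. `/* never answer broadcast/multicast with a RST; oldskb is expected to carry a route on every hook */`, and confirm the bridged case that the removed `BRNF_BRIDGED` branch used to special-case. `send_reset()` starts and ends outside these hunks.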
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index af6e9c778345..2b57e52c746c 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -25,7 +25,8 @@ MODULE_LICENSE("GPL");
25static inline bool match_ip(const struct sk_buff *skb, 25static inline bool match_ip(const struct sk_buff *skb,
26 const struct ipt_ecn_info *einfo) 26 const struct ipt_ecn_info *einfo)
27{ 27{
28 return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect; 28 return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
29 !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
29} 30}
30 31
31static inline bool match_tcp(const struct sk_buff *skb, 32static inline bool match_tcp(const struct sk_buff *skb,
@@ -76,8 +77,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
76 return false; 77 return false;
77 78
78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { 79 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
79 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
80 return false;
81 if (!match_tcp(skb, info, &par->hotdrop)) 80 if (!match_tcp(skb, info, &par->hotdrop))
82 return false; 81 return false;
83 } 82 }
@@ -97,7 +96,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
97 return -EINVAL; 96 return -EINVAL;
98 97
99 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && 98 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
100 ip->proto != IPPROTO_TCP) { 99 (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
101 pr_info("cannot match TCP bits in rule for non-tcp packets\n"); 100 pr_info("cannot match TCP bits in rule for non-tcp packets\n");
102 return -EINVAL; 101 return -EINVAL;
103 } 102 }
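Review bot: After the second hunk `ecn_mt()` calls `match_tcp()` with no per-packet protocol test, so the only thing keeping it off non-TCP packets is the rule-time check in `ecn_mt_check()`, and nothing at the call site says so. A short comment above the `match_tcp()` call, such as `/* ecn_mt_check() only accepts ECE/CWR rules with proto TCP and no IPT_INV_PROTO */`, would keep the two in step. In the third hunk I would also parenthesise the mask test, `(ip->invflags & IPT_INV_PROTO)`, to match the explicit style of the XOR added in `match_ip()`. Both `ecn_mt()` and `ecn_mt_check()` continue outside the hunks.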
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index db10075dd88e..de9da21113a1 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -121,7 +121,9 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
121 return ret; 121 return ret;
122 } 122 }
123 123
124 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) { 124 /* adjust seqs for loopback traffic only in outgoing direction */
125 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
126 !nf_is_loopback_packet(skb)) {
125 typeof(nf_nat_seq_adjust_hook) seq_adjust; 127 typeof(nf_nat_seq_adjust_hook) seq_adjust;
126 128
127 seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook); 129 seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 9aaa67165f42..39b403f854c6 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -41,7 +41,6 @@
41#include <linux/proc_fs.h> 41#include <linux/proc_fs.h>
42#include <net/sock.h> 42#include <net/sock.h>
43#include <net/ping.h> 43#include <net/ping.h>
44#include <net/icmp.h>
45#include <net/udp.h> 44#include <net/udp.h>
46#include <net/route.h> 45#include <net/route.h>
47#include <net/inet_common.h> 46#include <net/inet_common.h>
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 045f0ec6a4a0..aa13ef105110 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1902,9 +1902,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
1902 1902
1903 hash = rt_hash(daddr, saddr, dev->ifindex, rt_genid(dev_net(dev))); 1903 hash = rt_hash(daddr, saddr, dev->ifindex, rt_genid(dev_net(dev)));
1904 rth = rt_intern_hash(hash, rth, skb, dev->ifindex); 1904 rth = rt_intern_hash(hash, rth, skb, dev->ifindex);
1905 err = 0; 1905 return IS_ERR(rth) ? PTR_ERR(rth) : 0;
1906 if (IS_ERR(rth))
1907 err = PTR_ERR(rth);
1908 1906
1909e_nobufs: 1907e_nobufs:
1910 return -ENOBUFS; 1908 return -ENOBUFS;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 054a59d21eb0..46febcacb729 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3220,7 +3220,7 @@ __setup("thash_entries=", set_thash_entries);
3220void __init tcp_init(void) 3220void __init tcp_init(void)
3221{ 3221{
3222 struct sk_buff *skb = NULL; 3222 struct sk_buff *skb = NULL;
3223 unsigned long nr_pages, limit; 3223 unsigned long limit;
3224 int i, max_share, cnt; 3224 int i, max_share, cnt;
3225 unsigned long jiffy = jiffies; 3225 unsigned long jiffy = jiffies;
3226 3226
@@ -3277,13 +3277,7 @@ void __init tcp_init(void)
3277 sysctl_tcp_max_orphans = cnt / 2; 3277 sysctl_tcp_max_orphans = cnt / 2;
3278 sysctl_max_syn_backlog = max(128, cnt / 256); 3278 sysctl_max_syn_backlog = max(128, cnt / 256);
3279 3279
3280 /* Set the pressure threshold to be a fraction of global memory that 3280 limit = nr_free_buffer_pages() / 8;
3281 * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
3282 * memory, with a floor of 128 pages.
3283 */
3284 nr_pages = totalram_pages - totalhigh_pages;
3285 limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
3286 limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
3287 limit = max(limit, 128UL); 3281 limit = max(limit, 128UL);
3288 sysctl_tcp_mem[0] = limit / 4 * 3; 3282 sysctl_tcp_mem[0] = limit / 4 * 3;
3289 sysctl_tcp_mem[1] = limit; 3283 sysctl_tcp_mem[1] = limit;
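Review bot: The second hunk removes the comment that explained the pressure threshold and leaves `limit = nr_free_buffer_pages() / 8;` with no explanation of the 1/8 fraction; the same bare line is added to `udp_init()` in net/ipv4/udp.c and `sctp_init()` in net/sctp/protocol.c. I would restore a comment at each site, e.g. `/* pressure threshold: 1/8 of the free buffer pages, floor of 128 pages */`. Since three protocols now share one formula, a single helper returning the limit would keep them from diverging. `tcp_init()` continues outside the hunk.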
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index a7d6671e33b8..708dc203b034 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1589,6 +1589,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
1589 goto discard; 1589 goto discard;
1590 1590
1591 if (nsk != sk) { 1591 if (nsk != sk) {
1592 sock_rps_save_rxhash(nsk, skb->rxhash);
1592 if (tcp_child_process(sk, nsk, skb)) { 1593 if (tcp_child_process(sk, nsk, skb)) {
1593 rsk = nsk; 1594 rsk = nsk;
1594 goto reset; 1595 goto reset;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index abca870d8ff6..198f75b7bdd3 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1249,6 +1249,9 @@ csum_copy_err:
1249 1249
1250 if (noblock) 1250 if (noblock)
1251 return -EAGAIN; 1251 return -EAGAIN;
1252
1253 /* starting over for a new packet */
1254 msg->msg_flags &= ~MSG_TRUNC;
1252 goto try_again; 1255 goto try_again;
1253} 1256}
1254 1257
@@ -2206,16 +2209,10 @@ void __init udp_table_init(struct udp_table *table, const char *name)
2206 2209
2207void __init udp_init(void) 2210void __init udp_init(void)
2208{ 2211{
2209 unsigned long nr_pages, limit; 2212 unsigned long limit;
2210 2213
2211 udp_table_init(&udp_table, "UDP"); 2214 udp_table_init(&udp_table, "UDP");
2212 /* Set the pressure threshold up by the same strategy of TCP. It is a 2215 limit = nr_free_buffer_pages() / 8;
2213 * fraction of global memory that is up to 1/2 at 256 MB, decreasing
2214 * toward zero with the amount of memory, with a floor of 128 pages.
2215 */
2216 nr_pages = totalram_pages - totalhigh_pages;
2217 limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
2218 limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
2219 limit = max(limit, 128UL); 2216 limit = max(limit, 128UL);
2220 sysctl_udp_mem[0] = limit / 4 * 3; 2217 sysctl_udp_mem[0] = limit / 4 * 3;
2221 sysctl_udp_mem[1] = limit; 2218 sysctl_udp_mem[1] = limit;
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 2d51840e53a1..327a617d594c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -32,7 +32,12 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
32 dst = skb_dst(skb); 32 dst = skb_dst(skb);
33 mtu = dst_mtu(dst); 33 mtu = dst_mtu(dst);
34 if (skb->len > mtu) { 34 if (skb->len > mtu) {
35 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); 35 if (skb->sk)
36 ip_local_error(skb->sk, EMSGSIZE, ip_hdr(skb)->daddr,
37 inet_sk(skb->sk)->inet_dport, mtu);
38 else
39 icmp_send(skb, ICMP_DEST_UNREACH,
40 ICMP_FRAG_NEEDED, htonl(mtu));
36 ret = -EMSGSIZE; 41 ret = -EMSGSIZE;
37 } 42 }
38out: 43out:
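Review bot: The new branch passes `skb->sk` through `inet_sk()` and reads `inet_dport` without checking what kind of socket owns the skb. If a socket of another family can reach `xfrm4_tunnel_check_size()` (not visible in this hunk), that cast reads a field the socket may not have. Unless callers guarantee an IPv4 socket here, I would narrow the test, for instance `if (skb->sk && skb->sk->sk_family == AF_INET)`, and let everything else take the existing `icmp_send()` path; if the guarantee exists, a comment naming it would do. The function starts before the hunk.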
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index d450a2f9fc06..3b5669a2582d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -274,7 +274,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
274 return -EINVAL; 274 return -EINVAL;
275 275
276 if (addr->sin6_family != AF_INET6) 276 if (addr->sin6_family != AF_INET6)
277 return -EINVAL; 277 return -EAFNOSUPPORT;
278 278
279 addr_type = ipv6_addr_type(&addr->sin6_addr); 279 addr_type = ipv6_addr_type(&addr->sin6_addr);
280 if ((addr_type & IPV6_ADDR_MULTICAST) && sock->type == SOCK_STREAM) 280 if ((addr_type & IPV6_ADDR_MULTICAST) && sock->type == SOCK_STREAM)
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 065fe405fb58..249394863284 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -204,7 +204,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
204 else 204 else
205 pmsg->outdev_name[0] = '\0'; 205 pmsg->outdev_name[0] = '\0';
206 206
207 if (entry->indev && entry->skb->dev) { 207 if (entry->indev && entry->skb->dev &&
208 entry->skb->mac_header != entry->skb->network_header) {
208 pmsg->hw_type = entry->skb->dev->type; 209 pmsg->hw_type = entry->skb->dev->type;
209 pmsg->hw_addrlen = dev_parse_header(entry->skb, pmsg->hw_addr); 210 pmsg->hw_addrlen = dev_parse_header(entry->skb, pmsg->hw_addr);
210 } 211 }
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index de2b1decd786..0ef1f086feb8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -228,9 +228,10 @@ static struct rt6_info ip6_blk_hole_entry_template = {
228 228
229/* allocate dst with ip6_dst_ops */ 229/* allocate dst with ip6_dst_ops */
230static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops, 230static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops,
231 struct net_device *dev) 231 struct net_device *dev,
232 int flags)
232{ 233{
233 struct rt6_info *rt = dst_alloc(ops, dev, 0, 0, 0); 234 struct rt6_info *rt = dst_alloc(ops, dev, 0, 0, flags);
234 235
235 memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry)); 236 memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));
236 237
@@ -1042,7 +1043,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
1042 if (unlikely(idev == NULL)) 1043 if (unlikely(idev == NULL))
1043 return NULL; 1044 return NULL;
1044 1045
1045 rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, dev); 1046 rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, dev, 0);
1046 if (unlikely(rt == NULL)) { 1047 if (unlikely(rt == NULL)) {
1047 in6_dev_put(idev); 1048 in6_dev_put(idev);
1048 goto out; 1049 goto out;
@@ -1062,14 +1063,6 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
1062 dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255); 1063 dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
1063 rt->dst.output = ip6_output; 1064 rt->dst.output = ip6_output;
1064 1065
1065#if 0 /* there's no chance to use these for ndisc */
1066 rt->dst.flags = ipv6_addr_type(addr) & IPV6_ADDR_UNICAST
1067 ? DST_HOST
1068 : 0;
1069 ipv6_addr_copy(&rt->rt6i_dst.addr, addr);
1070 rt->rt6i_dst.plen = 128;
1071#endif
1072
1073 spin_lock_bh(&icmp6_dst_lock); 1066 spin_lock_bh(&icmp6_dst_lock);
1074 rt->dst.next = icmp6_dst_gc_list; 1067 rt->dst.next = icmp6_dst_gc_list;
1075 icmp6_dst_gc_list = &rt->dst; 1068 icmp6_dst_gc_list = &rt->dst;
@@ -1214,7 +1207,7 @@ int ip6_route_add(struct fib6_config *cfg)
1214 goto out; 1207 goto out;
1215 } 1208 }
1216 1209
1217 rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL); 1210 rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, DST_NOCOUNT);
1218 1211
1219 if (rt == NULL) { 1212 if (rt == NULL) {
1220 err = -ENOMEM; 1213 err = -ENOMEM;
@@ -1244,7 +1237,7 @@ int ip6_route_add(struct fib6_config *cfg)
1244 ipv6_addr_prefix(&rt->rt6i_dst.addr, &cfg->fc_dst, cfg->fc_dst_len); 1237 ipv6_addr_prefix(&rt->rt6i_dst.addr, &cfg->fc_dst, cfg->fc_dst_len);
1245 rt->rt6i_dst.plen = cfg->fc_dst_len; 1238 rt->rt6i_dst.plen = cfg->fc_dst_len;
1246 if (rt->rt6i_dst.plen == 128) 1239 if (rt->rt6i_dst.plen == 128)
1247 rt->dst.flags = DST_HOST; 1240 rt->dst.flags |= DST_HOST;
1248 1241
1249#ifdef CONFIG_IPV6_SUBTREES 1242#ifdef CONFIG_IPV6_SUBTREES
1250 ipv6_addr_prefix(&rt->rt6i_src.addr, &cfg->fc_src, cfg->fc_src_len); 1243 ipv6_addr_prefix(&rt->rt6i_src.addr, &cfg->fc_src, cfg->fc_src_len);
@@ -1734,7 +1727,7 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
1734{ 1727{
1735 struct net *net = dev_net(ort->rt6i_dev); 1728 struct net *net = dev_net(ort->rt6i_dev);
1736 struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, 1729 struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
1737 ort->dst.dev); 1730 ort->dst.dev, 0);
1738 1731
1739 if (rt) { 1732 if (rt) {
1740 rt->dst.input = ort->dst.input; 1733 rt->dst.input = ort->dst.input;
@@ -2013,7 +2006,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
2013{ 2006{
2014 struct net *net = dev_net(idev->dev); 2007 struct net *net = dev_net(idev->dev);
2015 struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, 2008 struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
2016 net->loopback_dev); 2009 net->loopback_dev, 0);
2017 struct neighbour *neigh; 2010 struct neighbour *neigh;
2018 2011
2019 if (rt == NULL) { 2012 if (rt == NULL) {
@@ -2025,7 +2018,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
2025 2018
2026 in6_dev_hold(idev); 2019 in6_dev_hold(idev);
2027 2020
2028 rt->dst.flags = DST_HOST; 2021 rt->dst.flags |= DST_HOST;
2029 rt->dst.input = ip6_input; 2022 rt->dst.input = ip6_input;
2030 rt->dst.output = ip6_output; 2023 rt->dst.output = ip6_output;
2031 rt->rt6i_idev = idev; 2024 rt->rt6i_idev = idev;
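Review bot: In the first hunk `ip6_dst_alloc()` still runs `memset(&rt->rt6i_table, ...)` on the result of `dst_alloc()` before anything tests it, while every caller shown in this section (`icmp6_dst_alloc()`, `ip6_route_add()`, `ip6_rt_copy()`, `addrconf_dst_alloc()`) checks the return for NULL. If `dst_alloc()` can fail, the memset writes through a NULL-based pointer before those checks ever run. Guarding it, `if (rt) memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));`, matches what the callers already expect. The one-line comment above the function should also mention the new `flags` argument, since the switch to `rt->dst.flags |= DST_HOST` in the later hunks depends on those flags being preserved. The function body continues past the hunk.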
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index d1fd28711ba5..87551ca568cd 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1644,6 +1644,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1644 * the new socket.. 1644 * the new socket..
1645 */ 1645 */
1646 if(nsk != sk) { 1646 if(nsk != sk) {
1647 sock_rps_save_rxhash(nsk, skb->rxhash);
1647 if (tcp_child_process(sk, nsk, skb)) 1648 if (tcp_child_process(sk, nsk, skb))
1648 goto reset; 1649 goto reset;
1649 if (opt_skb) 1650 if (opt_skb)
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 41f8c9c08dba..328985c40883 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -453,8 +453,11 @@ csum_copy_err:
453 } 453 }
454 unlock_sock_fast(sk, slow); 454 unlock_sock_fast(sk, slow);
455 455
456 if (flags & MSG_DONTWAIT) 456 if (noblock)
457 return -EAGAIN; 457 return -EAGAIN;
458
459 /* starting over for a new packet */
460 msg->msg_flags &= ~MSG_TRUNC;
458 goto try_again; 461 goto try_again;
459} 462}
460 463
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 58ffa7d069c7..669d2e32efb6 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -877,7 +877,8 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
877 for (i = 0; i < IEEE80211_NUM_BANDS; i++) { 877 for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
878 local->sched_scan_ies.ie[i] = kzalloc(2 + 878 local->sched_scan_ies.ie[i] = kzalloc(2 +
879 IEEE80211_MAX_SSID_LEN + 879 IEEE80211_MAX_SSID_LEN +
880 local->scan_ies_len, 880 local->scan_ies_len +
881 req->ie_len,
881 GFP_KERNEL); 882 GFP_KERNEL);
882 if (!local->sched_scan_ies.ie[i]) { 883 if (!local->sched_scan_ies.ie[i]) {
883 ret = -ENOMEM; 884 ret = -ENOMEM;
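Review bot: The buffer size in the `kzalloc()` call is now a four-term sum written inline inside the per-band loop, and the code that fills `sched_scan_ies.ie[i]` is outside the hunk, so nothing ties the allocation to the writer's bound. I would compute it once before the loop in a named local, e.g. `iebufsz = 2 + IEEE80211_MAX_SSID_LEN + local->scan_ies_len + req->ie_len;`, pass that to `kzalloc()`, and hand the same value to whatever writes the IEs as its limit. A comment saying what the leading `2` accounts for would help the next reader. `ieee80211_request_sched_scan_start()` starts and ends outside the hunk.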
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 9dc3b5f26e80..8f6a302d2ac3 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -86,6 +86,11 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
86 struct sk_buff *skb = rx->skb; 86 struct sk_buff *skb = rx->skb;
87 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 87 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
88 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 88 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
89 int queue = rx->queue;
90
91 /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
92 if (rx->queue == NUM_RX_DATA_QUEUES - 1)
93 queue = 0;
89 94
90 /* 95 /*
91 * it makes no sense to check for MIC errors on anything other 96 * it makes no sense to check for MIC errors on anything other
@@ -148,13 +153,19 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
148 153
149update_iv: 154update_iv:
150 /* update IV in key information to be able to detect replays */ 155 /* update IV in key information to be able to detect replays */
151 rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32; 156 rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32;
152 rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16; 157 rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16;
153 158
154 return RX_CONTINUE; 159 return RX_CONTINUE;
155 160
156mic_fail: 161mic_fail:
157 mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx, 162 /*
163 * In some cases the key can be unset - e.g. a multicast packet, in
164 * a driver that supports HW encryption. Send up the key idx only if
165 * the key is set.
166 */
167 mac80211_ev_michael_mic_failure(rx->sdata,
168 rx->key ? rx->key->conf.keyidx : -1,
158 (void *) skb->data, NULL, GFP_ATOMIC); 169 (void *) skb->data, NULL, GFP_ATOMIC);
159 return RX_DROP_UNUSABLE; 170 return RX_DROP_UNUSABLE;
160} 171}
@@ -235,6 +246,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
235 struct ieee80211_key *key = rx->key; 246 struct ieee80211_key *key = rx->key;
236 struct sk_buff *skb = rx->skb; 247 struct sk_buff *skb = rx->skb;
237 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 248 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
249 int queue = rx->queue;
250
251 /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
252 if (rx->queue == NUM_RX_DATA_QUEUES - 1)
253 queue = 0;
238 254
239 hdrlen = ieee80211_hdrlen(hdr->frame_control); 255 hdrlen = ieee80211_hdrlen(hdr->frame_control);
240 256
@@ -255,7 +271,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
255 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, 271 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
256 key, skb->data + hdrlen, 272 key, skb->data + hdrlen,
257 skb->len - hdrlen, rx->sta->sta.addr, 273 skb->len - hdrlen, rx->sta->sta.addr,
258 hdr->addr1, hwaccel, rx->queue, 274 hdr->addr1, hwaccel, queue,
259 &rx->tkip_iv32, 275 &rx->tkip_iv32,
260 &rx->tkip_iv16); 276 &rx->tkip_iv16);
261 if (res != TKIP_DECRYPT_OK) 277 if (res != TKIP_DECRYPT_OK)
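Review bot: The remap of the last RX queue to queue 0 is copied verbatim into `ieee80211_rx_h_michael_mic_verify()` and `ieee80211_crypto_tkip_decrypt()`, and its one-line comment does not say why index `NUM_RX_DATA_QUEUES - 1` is special. Replay detection only holds if both functions always pick the same counter slot, so I would put the mapping in one helper that both call, with a comment stating the rule. Separately, `mic_fail` now tolerates `rx->key == NULL` while `update_iv` still dereferences `rx->key` unconditionally; whether that label is reachable without a key is not visible in these hunks. Both functions extend beyond the hunks.

```c
/*
 * Replay counter slot for a received frame. The last RX queue
 * (presumably non-QoS data, to be confirmed) shares slot 0 with TID 0
 * so both are checked against the same IV counter.
 */
static inline int ieee80211_tkip_rx_queue(const struct ieee80211_rx_data *rx)
{
	return rx->queue == NUM_RX_DATA_QUEUES - 1 ? 0 : rx->queue;
}

/* ... unchanged: other local declarations in both callers ... */
	int queue = ieee80211_tkip_rx_queue(rx);
```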
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index bf28ac2fc99b..782db275ac53 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -776,8 +776,16 @@ static void ip_vs_conn_expire(unsigned long data)
776 if (cp->control) 776 if (cp->control)
777 ip_vs_control_del(cp); 777 ip_vs_control_del(cp);
778 778
779 if (cp->flags & IP_VS_CONN_F_NFCT) 779 if (cp->flags & IP_VS_CONN_F_NFCT) {
780 ip_vs_conn_drop_conntrack(cp); 780 ip_vs_conn_drop_conntrack(cp);
781 /* Do not access conntracks during subsys cleanup
782 * because nf_conntrack_find_get can not be used after
783 * conntrack cleanup for the net.
784 */
785 smp_rmb();
786 if (ipvs->enable)
787 ip_vs_conn_drop_conntrack(cp);
788 }
781 789
782 ip_vs_pe_put(cp->pe); 790 ip_vs_pe_put(cp->pe);
783 kfree(cp->pe_data); 791 kfree(cp->pe_data);
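Review bot: On the new side the `IP_VS_CONN_F_NFCT` block calls `ip_vs_conn_drop_conntrack(cp)` twice: once unconditionally at new line 780, then again at 787 behind `smp_rmb()` and `if (ipvs->enable)`. The first call runs regardless of `ipvs->enable`, which is exactly what the added comment says must not happen during subsystem cleanup; it looks like a leftover of the old line, and the hunk header's 8 to 16 line counts place it on the new side. I would delete the unconditional call so that only the guarded one remains. `ip_vs_conn_expire()` starts and ends outside the hunk.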
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 55af2242bccd..24c28d238dcb 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1945,6 +1945,7 @@ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
1945{ 1945{
1946 EnterFunction(2); 1946 EnterFunction(2);
1947 net_ipvs(net)->enable = 0; /* Disable packet reception */ 1947 net_ipvs(net)->enable = 0; /* Disable packet reception */
1948 smp_wmb();
1948 __ip_vs_sync_cleanup(net); 1949 __ip_vs_sync_cleanup(net);
1949 LeaveFunction(2); 1950 LeaveFunction(2);
1950} 1951}
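Review bot: The added `smp_wmb()` in `__ip_vs_dev_cleanup()` has no comment naming the read side it orders against. From this commit that appears to be the `smp_rmb()` placed before the `ipvs->enable` test in `ip_vs_conn_expire()` (net/netfilter/ipvs/ip_vs_conn.c). I would write `smp_wmb(); /* make enable = 0 visible before teardown; see smp_rmb() in ip_vs_conn_expire() */` and add the matching comment on the read side.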
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index e0ee010935e7..2e7ccbb43ddb 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -456,7 +456,8 @@ __build_packet_message(struct nfulnl_instance *inst,
456 if (skb->mark) 456 if (skb->mark)
457 NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark)); 457 NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark));
458 458
459 if (indev && skb->dev) { 459 if (indev && skb->dev &&
460 skb->mac_header != skb->network_header) {
460 struct nfulnl_msg_packet_hw phw; 461 struct nfulnl_msg_packet_hw phw;
461 int len = dev_parse_header(skb, phw.hw_addr); 462 int len = dev_parse_header(skb, phw.hw_addr);
462 if (len > 0) { 463 if (len > 0) {
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index b83123f12b42..fdd2fafe0a14 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -335,7 +335,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
335 if (entskb->mark) 335 if (entskb->mark)
336 NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark)); 336 NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark));
337 337
338 if (indev && entskb->dev) { 338 if (indev && entskb->dev &&
339 entskb->mac_header != entskb->network_header) {
339 struct nfqnl_msg_packet_hw phw; 340 struct nfqnl_msg_packet_hw phw;
340 int len = dev_parse_header(entskb, phw.hw_addr); 341 int len = dev_parse_header(entskb, phw.hw_addr);
341 if (len) { 342 if (len) {
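Review bot: The context line `if (len) {` after `dev_parse_header()` accepts any non-zero result, whereas the equivalent code in nfnetlink_log.c in this same commit uses `if (len > 0)`. `len` is a signed `int`, so if `dev_parse_header()` can return a negative value (not visible here) this site would treat it as a valid hardware-address length. Since the commit already touches the condition just above, I would align the two: `if (len > 0) {`. The body of that block lies outside the hunk.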
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 1c88c8911dc5..d03682109b7a 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -1582,6 +1582,8 @@ static void sctp_check_transmitted(struct sctp_outq *q,
1582#endif /* SCTP_DEBUG */ 1582#endif /* SCTP_DEBUG */
1583 if (transport) { 1583 if (transport) {
1584 if (bytes_acked) { 1584 if (bytes_acked) {
1585 struct sctp_association *asoc = transport->asoc;
1586
1585 /* We may have counted DATA that was migrated 1587 /* We may have counted DATA that was migrated
1586 * to this transport due to DEL-IP operation. 1588 * to this transport due to DEL-IP operation.
1587 * Subtract those bytes, since the were never 1589 * Subtract those bytes, since the were never
@@ -1600,6 +1602,17 @@ static void sctp_check_transmitted(struct sctp_outq *q,
1600 transport->error_count = 0; 1602 transport->error_count = 0;
1601 transport->asoc->overall_error_count = 0; 1603 transport->asoc->overall_error_count = 0;
1602 1604
1605 /*
1606 * While in SHUTDOWN PENDING, we may have started
1607 * the T5 shutdown guard timer after reaching the
1608 * retransmission limit. Stop that timer as soon
1609 * as the receiver acknowledged any data.
1610 */
1611 if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING &&
1612 del_timer(&asoc->timers
1613 [SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD]))
1614 sctp_association_put(asoc);
1615
1603 /* Mark the destination transport address as 1616 /* Mark the destination transport address as
1604 * active if it is not so marked. 1617 * active if it is not so marked.
1605 */ 1618 */
@@ -1629,10 +1642,15 @@ static void sctp_check_transmitted(struct sctp_outq *q,
1629 * A sender is doing zero window probing when the 1642 * A sender is doing zero window probing when the
1630 * receiver's advertised window is zero, and there is 1643 * receiver's advertised window is zero, and there is
1631 * only one data chunk in flight to the receiver. 1644 * only one data chunk in flight to the receiver.
1645 *
1646 * Allow the association to timeout while in SHUTDOWN
1647 * PENDING or SHUTDOWN RECEIVED in case the receiver
1648 * stays in zero window mode forever.
1632 */ 1649 */
1633 if (!q->asoc->peer.rwnd && 1650 if (!q->asoc->peer.rwnd &&
1634 !list_empty(&tlist) && 1651 !list_empty(&tlist) &&
1635 (sack_ctsn+2 == q->asoc->next_tsn)) { 1652 (sack_ctsn+2 == q->asoc->next_tsn) &&
1653 q->asoc->state < SCTP_STATE_SHUTDOWN_PENDING) {
1636 SCTP_DEBUG_PRINTK("%s: SACK received for zero " 1654 SCTP_DEBUG_PRINTK("%s: SACK received for zero "
1637 "window probe: %u\n", 1655 "window probe: %u\n",
1638 __func__, sack_ctsn); 1656 __func__, sack_ctsn);
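Review bot: The third hunk's `q->asoc->state < SCTP_STATE_SHUTDOWN_PENDING` relies on the numeric order of the association states, which is declared elsewhere, while the comment added just above names only SHUTDOWN PENDING and SHUTDOWN RECEIVED. Any other state that compares greater than or equal to `SCTP_STATE_SHUTDOWN_PENDING` is excluded from zero-window-probe handling as well, and a reader cannot tell from here whether that is intended. I would either spell the states out in the condition or extend the comment to list every state the comparison excludes. In the second hunk the new local `asoc` could also replace the remaining `transport->asoc->overall_error_count` for consistency. `sctp_check_transmitted()` extends beyond all three hunks.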
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 67380a29e2e9..207175b2f40a 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1058,7 +1058,6 @@ SCTP_STATIC __init int sctp_init(void)
1058 int status = -EINVAL; 1058 int status = -EINVAL;
1059 unsigned long goal; 1059 unsigned long goal;
1060 unsigned long limit; 1060 unsigned long limit;
1061 unsigned long nr_pages;
1062 int max_share; 1061 int max_share;
1063 int order; 1062 int order;
1064 1063
@@ -1148,15 +1147,7 @@ SCTP_STATIC __init int sctp_init(void)
1148 /* Initialize handle used for association ids. */ 1147 /* Initialize handle used for association ids. */
1149 idr_init(&sctp_assocs_id); 1148 idr_init(&sctp_assocs_id);
1150 1149
1151 /* Set the pressure threshold to be a fraction of global memory that 1150 limit = nr_free_buffer_pages() / 8;
1152 * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
1153 * memory, with a floor of 128 pages.
1154 * Note this initializes the data in sctpv6_prot too
1155 * Unabashedly stolen from tcp_init
1156 */
1157 nr_pages = totalram_pages - totalhigh_pages;
1158 limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
1159 limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
1160 limit = max(limit, 128UL); 1151 limit = max(limit, 128UL);
1161 sysctl_sctp_mem[0] = limit / 4 * 3; 1152 sysctl_sctp_mem[0] = limit / 4 * 3;
1162 sysctl_sctp_mem[1] = limit; 1153 sysctl_sctp_mem[1] = limit;
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 534c2e5feb05..6e0f88295aaf 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -670,10 +670,19 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
670 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of the 670 /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of the
671 * HEARTBEAT should clear the error counter of the destination 671 * HEARTBEAT should clear the error counter of the destination
672 * transport address to which the HEARTBEAT was sent. 672 * transport address to which the HEARTBEAT was sent.
673 * The association's overall error count is also cleared.
674 */ 673 */
675 t->error_count = 0; 674 t->error_count = 0;
676 t->asoc->overall_error_count = 0; 675
676 /*
677 * Although RFC4960 specifies that the overall error count must
678 * be cleared when a HEARTBEAT ACK is received, we make an
679 * exception while in SHUTDOWN PENDING. If the peer keeps its
680 * window shut forever, we may never be able to transmit our
681 * outstanding data and rely on the retransmission limit be reached
682 * to shutdown the association.
683 */
684 if (t->asoc->state != SCTP_STATE_SHUTDOWN_PENDING)
685 t->asoc->overall_error_count = 0;
677 686
678 /* Clear the hb_sent flag to signal that we had a good 687 /* Clear the hb_sent flag to signal that we had a good
679 * acknowledgement. 688 * acknowledgement.
@@ -1437,6 +1446,13 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
1437 sctp_cmd_setup_t2(commands, asoc, cmd->obj.ptr); 1446 sctp_cmd_setup_t2(commands, asoc, cmd->obj.ptr);
1438 break; 1447 break;
1439 1448
1449 case SCTP_CMD_TIMER_START_ONCE:
1450 timer = &asoc->timers[cmd->obj.to];
1451
1452 if (timer_pending(timer))
1453 break;
1454 /* fall through */
1455
1440 case SCTP_CMD_TIMER_START: 1456 case SCTP_CMD_TIMER_START:
1441 timer = &asoc->timers[cmd->obj.to]; 1457 timer = &asoc->timers[cmd->obj.to];
1442 timeout = asoc->timeouts[cmd->obj.to]; 1458 timeout = asoc->timeouts[cmd->obj.to];
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a297283154d5..246117142b5c 100644
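--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5154,7 +5154,7 @@ sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
 * The sender of the SHUTDOWN MAY also start an overall guard timer
 * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
 */
-sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
+sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
 SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 
 if (asoc->autoclose)
@@ -5299,14 +5299,28 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
 SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
 
 if (asoc->overall_error_count >= asoc->max_retrans) {
-sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
-SCTP_ERROR(ETIMEDOUT));
-/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
-sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
-SCTP_PERR(SCTP_ERROR_NO_ERROR));
-SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
-SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
-return SCTP_DISPOSITION_DELETE_TCB;
+if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
+/*
+* We are here likely because the receiver had its rwnd
+* closed for a while and we have not been able to
+* transmit the locally queued data within the maximum
+* retransmission attempts limit. Start the T5
+* shutdown guard timer to give the receiver one last
+* chance and some additional time to recover before
+* aborting.
+*/
+sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
+SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
+} else {
+sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+SCTP_ERROR(ETIMEDOUT));
+/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
+sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
+SCTP_PERR(SCTP_ERROR_NO_ERROR));
+SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
+SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
+return SCTP_DISPOSITION_DELETE_TCB;
+}
 }
 
 /* E1) For the destination address for which the timer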
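Review bot: In sctp_sf_do_6_3_3_rtx the new SHUTDOWN_PENDING branch has no `return`, so once `overall_error_count` has reached `max_retrans` every later T3-rtx expiry re-enters it and then continues into the E1 retransmission path below, and the added comment does not say that this fall-through is deliberate. From then on the lifetime of the association appears to be bounded only by the T5 shutdown guard timeout, which is worth stating because a peer that keeps its window closed determines how long the local state is held. I would end the comment with `* Retransmission continues below; the T5 guard timer bounds how long.` and put a matching one-liner at the `SCTP_CMD_TIMER_RESTART` change in sctp_sf_do_9_2_start_shutdown, `/* T5 may already be running from the SHUTDOWN_PENDING T3-rtx path */`. Both functions start and end outside their hunks.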
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 0338dc6fdc9d..7c211a7f90f4 100644
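--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -827,7 +827,7 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 /* SCTP_STATE_ESTABLISHED */ \
 TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
 /* SCTP_STATE_SHUTDOWN_PENDING */ \
-TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
+TYPE_SCTP_FUNC(sctp_sf_t5_timer_expire), \
 /* SCTP_STATE_SHUTDOWN_SENT */ \
 TYPE_SCTP_FUNC(sctp_sf_t5_timer_expire), \
 /* SCTP_STATE_SHUTDOWN_RECEIVED */ \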
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 6766913a53e6..d3ccf7973c59 100644
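--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1384,6 +1384,7 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
 struct sctp_endpoint *ep;
 struct sctp_association *asoc;
 struct list_head *pos, *temp;
+unsigned int data_was_unread;
 
 SCTP_DEBUG_PRINTK("sctp_close(sk: 0x%p, timeout:%ld)\n", sk, timeout);
 
@@ -1393,6 +1394,10 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
 
 ep = sctp_sk(sk)->ep;
 
+/* Clean up any skbs sitting on the receive queue. */
+data_was_unread = sctp_queue_purge_ulpevents(&sk->sk_receive_queue);
+data_was_unread += sctp_queue_purge_ulpevents(&sctp_sk(sk)->pd_lobby);
+
 /* Walk all associations on an endpoint. */
 list_for_each_safe(pos, temp, &ep->asocs) {
 asoc = list_entry(pos, struct sctp_association, asocs);
@@ -1410,7 +1415,9 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
 }
 }
 
-if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
+if (data_was_unread || !skb_queue_empty(&asoc->ulpq.lobby) ||
+!skb_queue_empty(&asoc->ulpq.reasm) ||
+(sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)) {
 struct sctp_chunk *chunk;
 
 chunk = sctp_make_abort_user(asoc, NULL, 0);
@@ -1420,10 +1427,6 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
 sctp_primitive_SHUTDOWN(asoc, NULL);
 }
 
-/* Clean up any skbs sitting on the receive queue. */
-sctp_queue_purge_ulpevents(&sk->sk_receive_queue);
-sctp_queue_purge_ulpevents(&sctp_sk(sk)->pd_lobby);
-
 /* On a TCP-style socket, block for at most linger_time if set. */
 if (sctp_style(sk, TCP) && timeout)
 sctp_wait_for_close(sk, timeout);
@@ -2073,10 +2076,33 @@ static int sctp_setsockopt_disable_fragments(struct sock *sk,
 static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
 unsigned int optlen)
 {
+struct sctp_association *asoc;
+struct sctp_ulpevent *event;
+
 if (optlen > sizeof(struct sctp_event_subscribe))
 return -EINVAL;
 if (copy_from_user(&sctp_sk(sk)->subscribe, optval, optlen))
 return -EFAULT;
+
+/*
+* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
+* if there is no data to be sent or retransmit, the stack will
+* immediately send up this notification.
+*/
+if (sctp_ulpevent_type_enabled(SCTP_SENDER_DRY_EVENT,
+&sctp_sk(sk)->subscribe)) {
+asoc = sctp_id2assoc(sk, 0);
+
+if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
+event = sctp_ulpevent_make_sender_dry_event(asoc,
+GFP_ATOMIC);
+if (!event)
+return -ENOMEM;
+
+sctp_ulpq_tail_event(&asoc->ulpq, event);
+}
+}
+
 return 0;
 }
 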
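Review bot: sctp_setsockopt_events returns `-ENOMEM` when sctp_ulpevent_make_sender_dry_event() fails, but by then `copy_from_user()` has already overwritten `sctp_sk(sk)->subscribe`, so the caller sees a failed setsockopt whose subscription change has nonetheless taken effect. Either say so in the comment above the new block, or save the previous mask before the copy and put it back with `sctp_sk(sk)->subscribe = old;` ahead of `return -ENOMEM;`. The lookup `asoc = sctp_id2assoc(sk, 0);` also yields a single association at most, so on a socket carrying several associations the immediate SCTP_SENDER_DRY_EVENT presumably reaches none or only one of them; a comment such as `/* only the association returned for id 0 is notified here */` would make that limit explicit.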
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index e70e5fc87890..8a84017834c2 100644
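--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -1081,9 +1081,19 @@ void sctp_ulpevent_free(struct sctp_ulpevent *event)
 }
 
 /* Purge the skb lists holding ulpevents. */
-void sctp_queue_purge_ulpevents(struct sk_buff_head *list)
+unsigned int sctp_queue_purge_ulpevents(struct sk_buff_head *list)
 {
 struct sk_buff *skb;
-while ((skb = skb_dequeue(list)) != NULL)
-sctp_ulpevent_free(sctp_skb2event(skb));
+unsigned int data_unread = 0;
+
+while ((skb = skb_dequeue(list)) != NULL) {
+struct sctp_ulpevent *event = sctp_skb2event(skb);
+
+if (!sctp_ulpevent_is_notification(event))
+data_unread += skb->len;
+
+sctp_ulpevent_free(event);
+}
+
+return data_unread;
 }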
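Review bot: The comment above sctp_queue_purge_ulpevents still reads `/* Purge the skb lists holding ulpevents. */` although the function now returns a value, which sctp_close in socket.c feeds into the condition that sends an ABORT. I would change it to `/* Purge the skb lists holding ulpevents; returns the number of bytes of user data (notifications excluded) discarded unread. */`. The result is an `unsigned int` sum of `skb->len`, and the callers visible on this page only test it for non-zero, so a `bool` return would express the same thing with no wrap-around to reason about.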
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 339ba64cce1e..5daf6cc4faea 100644
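--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -577,13 +577,13 @@ retry:
 }
 inode = &gss_msg->inode->vfs_inode;
 for (;;) {
-prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_INTERRUPTIBLE);
+prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE);
 spin_lock(&inode->i_lock);
 if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) {
 break;
 }
 spin_unlock(&inode->i_lock);
-if (signalled()) {
+if (fatal_signal_pending(current)) {
 err = -ERESTARTSYS;
 goto out_intr;
 }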
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 0a9a2ec2e469..c3b75333b821 100644
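--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -43,6 +43,7 @@
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/sunrpc/xdr.h>
 #include <linux/crypto.h>
+#include <linux/sunrpc/gss_krb5_enctypes.h>
 
 #ifdef RPC_DEBUG
 # define RPCDBG_FACILITY RPCDBG_AUTH
@@ -750,7 +751,7 @@ static struct gss_api_mech gss_kerberos_mech = {
 .gm_ops = &gss_kerberos_ops,
 .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs),
 .gm_pfs = gss_kerberos_pfs,
-.gm_upcall_enctypes = "18,17,16,23,3,1,2",
+.gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES,
 };
 
 static int __init init_kerberos_module(void)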
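Review bot: With `.gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES,` the initializer no longer shows which Kerberos encryption types are offered in the upcall; the removed literal `"18,17,16,23,3,1,2"` included the single-DES types 1, 2 and 3 and RC4-HMAC (23) alongside the AES types. The macro comes from the newly included linux/sunrpc/gss_krb5_enctypes.h, which is not part of this section, so whether the offered set changed cannot be checked from here. A comment on the field, for example `/* list lives in linux/sunrpc/gss_krb5_enctypes.h; weak enctypes (DES, RC4) are decided there */`, would point readers to the one place where the set is controlled.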
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index b84d7395535e..8c9141583d6f 100644
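--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1061,7 +1061,7 @@ call_allocate(struct rpc_task *task)
 
 dprintk("RPC: %5u rpc_buffer allocation failed\n", task->tk_pid);
 
-if (RPC_IS_ASYNC(task) || !signalled()) {
+if (RPC_IS_ASYNC(task) || !fatal_signal_pending(current)) {
 task->tk_action = call_allocate;
 rpc_delay(task, HZ>>4);
 return;
@@ -1175,6 +1175,9 @@ call_bind_status(struct rpc_task *task)
 status = -EOPNOTSUPP;
 break;
 }
+if (task->tk_rebind_retry == 0)
+break;
+task->tk_rebind_retry--;
 rpc_delay(task, 3*HZ);
 goto retry_timeout;
 case -ETIMEDOUT: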
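Review bot: In call_bind_status the new `if (task->tk_rebind_retry == 0) break;` leaves the switch with whatever `status` holds at that point, and that assignment lies outside the hunk, so the error a caller finally sees once the retries run out is not evident from the change. A comment on the check, `/* rebind retries exhausted: give up and report status */`, would document the new exit. The counter is set to 2 in rpc_init_task (sched.c in this commit) and no reset is visible on this page, so it may act as a budget for the whole task rather than per bind attempt; that is worth confirming as intended.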
diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index 9a80a922c527..e45d2fbbe5a8 100644
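--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -597,7 +597,7 @@ void rpcb_getport_async(struct rpc_task *task)
 u32 bind_version;
 struct rpc_xprt *xprt;
 struct rpc_clnt *rpcb_clnt;
-static struct rpcbind_args *map;
+struct rpcbind_args *map;
 struct rpc_task *child;
 struct sockaddr_storage addr;
 struct sockaddr *sap = (struct sockaddr *)&addr;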
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 6b43ee7221d5..4814e246a874 100644
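--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -616,30 +616,25 @@ static void __rpc_execute(struct rpc_task *task)
 BUG_ON(RPC_IS_QUEUED(task));
 
 for (;;) {
+void (*do_action)(struct rpc_task *);
 
 /*
-* Execute any pending callback.
+* Execute any pending callback first.
 */
-if (task->tk_callback) {
-void (*save_callback)(struct rpc_task *);
-
-/*
-* We set tk_callback to NULL before calling it,
-* in case it sets the tk_callback field itself:
-*/
-save_callback = task->tk_callback;
-task->tk_callback = NULL;
-save_callback(task);
-} else {
+do_action = task->tk_callback;
+task->tk_callback = NULL;
+if (do_action == NULL) {
 /*
 * Perform the next FSM step.
-* tk_action may be NULL when the task has been killed
-* by someone else.
+* tk_action may be NULL if the task has been killed.
+* In particular, note that rpc_killall_tasks may
+* do this at any time, so beware when dereferencing.
 */
-if (task->tk_action == NULL)
+do_action = task->tk_action;
+if (do_action == NULL)
 break;
-task->tk_action(task);
 }
+do_action(task);
 
 /*
 * Lockless check for whether task is sleeping or not.
@@ -792,6 +787,7 @@ static void rpc_init_task(struct rpc_task *task, const struct rpc_task_setup *ta
 /* Initialize retry counters */
 task->tk_garb_retry = 2;
 task->tk_cred_retry = 2;
+task->tk_rebind_retry = 2;
 
 task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
 task->tk_owner = current->tgid;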
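Review bot: In __rpc_execute the local copy `do_action = task->tk_action;` is what protects the NULL test and the indirect call from rpc_killall_tasks clearing the field in between, as the new comment says, but a plain load does not by itself stop the compiler from re-reading `task->tk_action` at the call site. Writing it as `do_action = ACCESS_ONCE(task->tk_action);` makes the single read explicit, so the check and the call are guaranteed to use the same value and a NULL function pointer cannot be called. The function's body continues outside the hunk.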
diff --git a/net/wireless/core.c b/net/wireless/core.c
index c22ef3492ee6..880dbe2e6f94 100644
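--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -366,6 +366,7 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
 
 mutex_init(&rdev->mtx);
 mutex_init(&rdev->devlist_mtx);
+mutex_init(&rdev->sched_scan_mtx);
 INIT_LIST_HEAD(&rdev->netdev_list);
 spin_lock_init(&rdev->bss_lock);
 INIT_LIST_HEAD(&rdev->bss_list);
@@ -701,6 +702,7 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
 rfkill_destroy(rdev->rfkill);
 mutex_destroy(&rdev->mtx);
 mutex_destroy(&rdev->devlist_mtx);
+mutex_destroy(&rdev->sched_scan_mtx);
 list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list)
 cfg80211_put_bss(&scan->pub);
 cfg80211_rdev_free_wowlan(rdev);
@@ -737,12 +739,16 @@ static void wdev_cleanup_work(struct work_struct *work)
 ___cfg80211_scan_done(rdev, true);
 }
 
+cfg80211_unlock_rdev(rdev);
+
+mutex_lock(&rdev->sched_scan_mtx);
+
 if (WARN_ON(rdev->sched_scan_req &&
 rdev->sched_scan_req->dev == wdev->netdev)) {
 __cfg80211_stop_sched_scan(rdev, false);
 }
 
-cfg80211_unlock_rdev(rdev);
+mutex_unlock(&rdev->sched_scan_mtx);
 
 mutex_lock(&rdev->devlist_mtx);
 rdev->opencount--;
@@ -830,9 +836,9 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
 break;
 case NL80211_IFTYPE_P2P_CLIENT:
 case NL80211_IFTYPE_STATION:
-cfg80211_lock_rdev(rdev);
+mutex_lock(&rdev->sched_scan_mtx);
 __cfg80211_stop_sched_scan(rdev, false);
-cfg80211_unlock_rdev(rdev);
+mutex_unlock(&rdev->sched_scan_mtx);
 
 wdev_lock(wdev);
 #ifdef CONFIG_CFG80211_WEXT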
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 3dce1f167eba..a570ff9214ec 100644
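--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -65,6 +65,8 @@ struct cfg80211_registered_device {
 struct work_struct scan_done_wk;
 struct work_struct sched_scan_results_wk;
 
+struct mutex sched_scan_mtx;
+
 #ifdef CONFIG_NL80211_TESTMODE
 struct genl_info *testmode_info;
 #endif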
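Review bot: The new field `struct mutex sched_scan_mtx;` is added without a comment saying what it guards or where it sits relative to the other locks in this struct. In the hunks shown for core.c, nl80211.c and scan.c it is held around the accesses to `rdev->sched_scan_req`, it is asserted with `lockdep_assert_held()` in __cfg80211_stop_sched_scan, and wdev_cleanup_work releases the rdev lock before taking it. I would declare it as `struct mutex sched_scan_mtx; /* protects sched_scan_req */` and add one line on its order relative to `mtx` and `devlist_mtx`, which this page does not establish.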
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 98fa8eb6cc4b..cea338150d05 100644
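--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3461,9 +3461,6 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
 if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
 return -EINVAL;
 
-if (rdev->sched_scan_req)
-return -EINPROGRESS;
-
 if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
 return -EINVAL;
 
@@ -3502,12 +3499,21 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
 if (ie_len > wiphy->max_scan_ie_len)
 return -EINVAL;
 
+mutex_lock(&rdev->sched_scan_mtx);
+
+if (rdev->sched_scan_req) {
+err = -EINPROGRESS;
+goto out;
+}
+
 request = kzalloc(sizeof(*request)
 + sizeof(*request->ssids) * n_ssids
 + sizeof(*request->channels) * n_channels
 + ie_len, GFP_KERNEL);
-if (!request)
-return -ENOMEM;
+if (!request) {
+err = -ENOMEM;
+goto out;
+}
 
 if (n_ssids)
 request->ssids = (void *)&request->channels[n_channels];
@@ -3605,6 +3611,7 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
 out_free:
 kfree(request);
 out:
+mutex_unlock(&rdev->sched_scan_mtx);
 return err;
 }
 
@@ -3612,12 +3619,17 @@ static int nl80211_stop_sched_scan(struct sk_buff *skb,
 struct genl_info *info)
 {
 struct cfg80211_registered_device *rdev = info->user_ptr[0];
+int err;
 
 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
 !rdev->ops->sched_scan_stop)
 return -EOPNOTSUPP;
 
-return __cfg80211_stop_sched_scan(rdev, false);
+mutex_lock(&rdev->sched_scan_mtx);
+err = __cfg80211_stop_sched_scan(rdev, false);
+mutex_unlock(&rdev->sched_scan_mtx);
+
+return err;
 }
 
 static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags,
@@ -6463,7 +6475,8 @@ void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
 if (addr)
 NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, addr);
 NLA_PUT_U32(msg, NL80211_ATTR_KEY_TYPE, key_type);
-NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
+if (key_id != -1)
+NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
 if (tsc)
 NLA_PUT(msg, NL80211_ATTR_KEY_SEQ, 6, tsc);
 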
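Review bot: In nl80211_start_sched_scan the `out:` label now always runs `mutex_unlock(&rdev->sched_scan_mtx)`, while the lock is taken only after the early parameter checks, so correctness depends on exits the hunks do not show: every `return` after the `mutex_lock()` must have become `goto out` or `goto out_free`, and no `goto out` may sit before the lock. The two conversions that are visible (`-EINPROGRESS` and `-ENOMEM`) are right; the stretch between them and the `out_free:` hunk should be checked the same way. In nl80211_michael_mic_failure the bare `-1` in `if (key_id != -1)` is an undocumented sentinel, presumably meaning that no key index is known, and a comment such as `/* -1: no key index, omit the attribute */` would record that.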
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 7a6c67667d70..ae0c2256ba3b 100644
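--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -100,14 +100,14 @@ void __cfg80211_sched_scan_results(struct work_struct *wk)
 rdev = container_of(wk, struct cfg80211_registered_device,
 sched_scan_results_wk);
 
-cfg80211_lock_rdev(rdev);
+mutex_lock(&rdev->sched_scan_mtx);
 
 /* we don't have sched_scan_req anymore if the scan is stopping */
 if (rdev->sched_scan_req)
 nl80211_send_sched_scan_results(rdev,
 rdev->sched_scan_req->dev);
 
-cfg80211_unlock_rdev(rdev);
+mutex_unlock(&rdev->sched_scan_mtx);
 }
 
 void cfg80211_sched_scan_results(struct wiphy *wiphy)
@@ -123,9 +123,9 @@ void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
 {
 struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
-cfg80211_lock_rdev(rdev);
+mutex_lock(&rdev->sched_scan_mtx);
 __cfg80211_stop_sched_scan(rdev, true);
-cfg80211_unlock_rdev(rdev);
+mutex_unlock(&rdev->sched_scan_mtx);
 }
 EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
 
@@ -135,7 +135,7 @@ int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
 int err;
 struct net_device *dev;
 
-ASSERT_RDEV_LOCK(rdev);
+lockdep_assert_held(&rdev->sched_scan_mtx);
 
 if (!rdev->sched_scan_req)
 return 0;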
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 9bec2e8a838c..5ce74a385525 100644
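--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,7 +50,7 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
 static void xfrm_init_pmtu(struct dst_entry *dst);
 static int stale_bundle(struct dst_entry *dst);
-static int xfrm_bundle_ok(struct xfrm_dst *xdst, int family);
+static int xfrm_bundle_ok(struct xfrm_dst *xdst);
 
 
 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
@@ -2241,7 +2241,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 
 static int stale_bundle(struct dst_entry *dst)
 {
-return !xfrm_bundle_ok((struct xfrm_dst *)dst, AF_UNSPEC);
+return !xfrm_bundle_ok((struct xfrm_dst *)dst);
 }
 
 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2313,7 +2313,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
 * still valid.
 */
 
-static int xfrm_bundle_ok(struct xfrm_dst *first, int family)
+static int xfrm_bundle_ok(struct xfrm_dst *first)
 {
 struct dst_entry *dst = &first->u.dst;
 struct xfrm_dst *last;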
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d70f85eb7864..9414b9c5b1e4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1345,6 +1345,8 @@ out:
1345 xfrm_state_check_expire(x1); 1345 xfrm_state_check_expire(x1);
1346 1346
1347 err = 0; 1347 err = 0;
1348 x->km.state = XFRM_STATE_DEAD;
1349 __xfrm_state_put(x);
1348 } 1350 }
1349 spin_unlock_bh(&x1->lock); 1351 spin_unlock_bh(&x1->lock);
1350 1352