18 files changed, 153 insertions, 79 deletions

diff --git a/net/802/mrp.c b/net/802/mrp.c
index a4cc3229952a..e085bcc754f6 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -870,8 +870,12 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
          * all pending messages before the applicant is gone.
          */
         del_timer_sync(&app->join_timer);
+
+        spin_lock(&app->lock);
         mrp_mad_event(app, MRP_EVENT_TX);
         mrp_pdu_queue(app);
+        spin_unlock(&app->lock);
+
         mrp_queue_xmit(app);
 
         dev_mc_del(dev, appl->group_address);
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index ef1b91431c6b..459dab22b3f6 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -67,7 +67,8 @@ void br_port_carrier_check(struct net_bridge_port *p)
         struct net_device *dev = p->dev;
         struct net_bridge *br = p->br;
 
-        if (netif_running(dev) && netif_oper_up(dev))
+        if (!(p->flags & BR_ADMIN_COST) &&
+            netif_running(dev) && netif_oper_up(dev))
                 p->path_cost = port_cost(dev);
 
         if (!netif_running(br->dev))
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 3cbf5beb3d4b..d2c043a857b6 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -156,6 +156,7 @@ struct net_bridge_port
 #define BR_BPDU_GUARD           0x00000002
 #define BR_ROOT_BLOCK           0x00000004
 #define BR_MULTICAST_FAST_LEAVE 0x00000008
+#define BR_ADMIN_COST           0x00000010
 
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
         u32                             multicast_startup_queries_sent;
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 0bdb4ebd362b..d45e760141bb 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -288,6 +288,7 @@ int br_stp_set_path_cost(struct net_bridge_port *p, unsigned long path_cost)
             path_cost > BR_MAX_PATH_COST)
                 return -ERANGE;
 
+        p->flags |= BR_ADMIN_COST;
         p->path_cost = path_cost;
         br_configuration_update(p->br);
         br_port_state_selection(p->br);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 3b4f0cd2e63e..4cfe34d4cc96 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -139,8 +139,6 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
 
         /* skb is pure payload to encrypt */
 
-        err = -ENOMEM;
-
         esp = x->data;
         aead = esp->aead;
         alen = crypto_aead_authsize(aead);
@@ -176,8 +174,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
         }
 
         tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
-        if (!tmp)
+        if (!tmp) {
+                err = -ENOMEM;
                 goto error;
+        }
 
         seqhi = esp_tmp_seqhi(tmp);
         iv = esp_tmp_iv(aead, tmp, seqhilen);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index a6445b843ef4..52c273ea05c3 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -248,8 +248,7 @@ static void ip_expire(unsigned long arg)
                 if (!head->dev)
                         goto out_rcu_unlock;
 
-                /* skb dst is stale, drop it, and perform route lookup again */
-                skb_dst_drop(head);
+                /* skb has no dst, perform route lookup again */
                 iph = ip_hdr(head);
                 err = ip_route_input_noref(head, iph->daddr, iph->saddr,
                                            iph->tos, head->dev);
@@ -523,9 +522,16 @@ found:
                 qp->q.max_size = skb->len + ihl;
 
         if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            qp->q.meat == qp->q.len)
-                return ip_frag_reasm(qp, prev, dev);
+            qp->q.meat == qp->q.len) {
+                unsigned long orefdst = skb->_skb_refdst;
 
+                skb->_skb_refdst = 0UL;
+                err = ip_frag_reasm(qp, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return err;
+        }
+
+        skb_dst_drop(skb);
         inet_frag_lru_move(&qp->q);
         return -EINPROGRESS;
 
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index ef54377fb11c..397e0f69435f 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -349,8 +349,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
          * hasn't changed since we received the original syn, but I see
          * no easy way to do this.
          */
-        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
-                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+        flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                            inet_sk_flowi_flags(sk),
                            (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                            ireq->loc_addr, th->source, th->dest);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b44cf81d8178..509912a5ff98 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2388,8 +2388,12 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
          */
         TCP_SKB_CB(skb)->when = tcp_time_stamp;
 
-        /* make sure skb->data is aligned on arches that require it */
-        if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
+        /* make sure skb->data is aligned on arches that require it
+         * and check if ack-trimming & collapsing extended the headroom
+         * beyond what csum_start can cover.
+         */
+        if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) ||
+                     skb_headroom(skb) >= 0xFFFF)) {
                 struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
                                                    GFP_ATOMIC);
                 return nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index a459c4f5b769..dae802c0af7c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -168,8 +168,6 @@ static void inet6_prefix_notify(int event, struct inet6_dev *idev,
 static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr,
                                struct net_device *dev);
 
-static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
-
 static struct ipv6_devconf ipv6_devconf __read_mostly = {
         .forwarding             = 0,
         .hop_limit              = IPV6_DEFAULT_HOPLIMIT,
@@ -837,7 +835,7 @@ out2:
         rcu_read_unlock_bh();
 
         if (likely(err == 0))
-                atomic_notifier_call_chain(&inet6addr_chain, NETDEV_UP, ifa);
+                inet6addr_notifier_call_chain(NETDEV_UP, ifa);
         else {
                 kfree(ifa);
                 ifa = ERR_PTR(err);
@@ -927,7 +925,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
 
         ipv6_ifa_notify(RTM_DELADDR, ifp);
 
-        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp);
+        inet6addr_notifier_call_chain(NETDEV_DOWN, ifp);
 
         /*
          * Purge or update corresponding prefix
@@ -2988,7 +2986,7 @@ static int addrconf_ifdown(struct net_device *dev, int how)
 
                 if (state != INET6_IFADDR_STATE_DEAD) {
                         __ipv6_ifa_notify(RTM_DELADDR, ifa);
-                        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
+                        inet6addr_notifier_call_chain(NETDEV_DOWN, ifa);
                 }
                 in6_ifa_put(ifa);
 
@@ -4869,22 +4867,6 @@ static struct pernet_operations addrconf_ops = {
         .exit = addrconf_exit_net,
 };
 
-/*
- *      Device notifier
- */
-
-int register_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_register(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(register_inet6addr_notifier);
-
-int unregister_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(unregister_inet6addr_notifier);
-
 static struct rtnl_af_ops inet6_ops = {
         .family           = AF_INET6,
         .fill_link_af     = inet6_fill_link_af,
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index d051e5f4bf34..72104562c864 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -78,3 +78,22 @@ int __ipv6_addr_type(const struct in6_addr *addr)
 }
 EXPORT_SYMBOL(__ipv6_addr_type);
 
+static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
+
+int register_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_register(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(register_inet6addr_notifier);
+
+int unregister_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(unregister_inet6addr_notifier);
+
+int inet6addr_notifier_call_chain(unsigned long val, void *v)
+{
+        return atomic_notifier_call_chain(&inet6addr_chain, val, v);
+}
+EXPORT_SYMBOL(inet6addr_notifier_call_chain);
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 196ab9347ad1..0ba10e53a629 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -330,9 +330,17 @@ found:
         }
 
         if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            fq->q.meat == fq->q.len)
-                return ip6_frag_reasm(fq, prev, dev);
+            fq->q.meat == fq->q.len) {
+                int res;
+                unsigned long orefdst = skb->_skb_refdst;
+
+                skb->_skb_refdst = 0UL;
+                res = ip6_frag_reasm(fq, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return res;
+        }
 
+        skb_dst_drop(skb);
         inet_frag_lru_move(&fq->q);
         return -1;
 
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index f2627226a087..10a30b4fc7db 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -104,6 +104,15 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
 {
@@ -414,6 +423,15 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 4b677cf6bf7d..d6a59154d710 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -87,7 +87,16 @@ hash_net4_data_copy(struct hash_net4_elem *dst,
 static inline void
 hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_net4_data_reset_flags(struct hash_net4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
@@ -308,7 +317,16 @@ hash_net6_data_copy(struct hash_net6_elem *dst,
 static inline void
 hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_net6_data_reset_flags(struct hash_net6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 6ba985f1c96f..f2b0a3c30130 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -198,7 +198,16 @@ hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
 static inline void
 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_netiface4_data_reset_flags(struct hash_netiface4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
@@ -494,7 +503,7 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 static inline void
 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
 static inline int
@@ -504,6 +513,15 @@ hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
 }
 
 static inline void
+hash_netiface6_data_reset_flags(struct hash_netiface6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
+static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
         elem->elem = 0;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index af20c0c5ced2..349deb672a2d 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -104,6 +104,15 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_netport4_data_reset_flags(struct hash_netport4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_netport4_data_match(const struct hash_netport4_elem *elem)
 {
@@ -375,6 +384,15 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_netport6_data_reset_flags(struct hash_netport6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_netport6_data_match(const struct hash_netport6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 8371c2bac2e4..09c744aa8982 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -174,9 +174,13 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
 {
         const struct set_elem *e = list_set_elem(map, i);
 
-        if (i == map->size - 1 && e->id != IPSET_INVALID_ID)
-                /* Last element replaced: e.g. add new,before,last */
-                ip_set_put_byindex(e->id);
+        if (e->id != IPSET_INVALID_ID) {
+                const struct set_elem *x = list_set_elem(map, map->size - 1);
+
+                /* Last element replaced or pushed off */
+                if (x->id != IPSET_INVALID_ID)
+                        ip_set_put_byindex(x->id);
+        }
         if (with_timeout(map->timeout))
                 list_elem_tadd(map, i, id, ip_set_timeout_set(timeout));
         else
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 0e7d423324c3..e0c4373b4747 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1593,10 +1593,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                 end += strlen("\r\n\r\n") + clen;
 
                 msglen = origlen = end - dptr;
-                if (msglen > datalen) {
-                        nf_ct_helper_log(skb, ct, "incomplete/bad SIP message");
-                        return NF_DROP;
-                }
+                if (msglen > datalen)
+                        return NF_ACCEPT;
 
                 ret = process_sip_msg(skb, ct, protoff, dataoff,
                                       &dptr, &msglen);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 8d5769c6d16e..ad24be070e53 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -467,33 +467,22 @@ EXPORT_SYMBOL_GPL(nf_nat_packet);
 struct nf_nat_proto_clean {
         u8      l3proto;
         u8      l4proto;
-        bool    hash;
 };
 
-/* Clear NAT section of all conntracks, in case we're loaded again. */
-static int nf_nat_proto_clean(struct nf_conn *i, void *data)
+/* kill conntracks with affected NAT section */
+static int nf_nat_proto_remove(struct nf_conn *i, void *data)
 {
         const struct nf_nat_proto_clean *clean = data;
         struct nf_conn_nat *nat = nfct_nat(i);
 
         if (!nat)
                 return 0;
-        if (!(i->status & IPS_SRC_NAT_DONE))
-                return 0;
+
         if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
             (clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
                 return 0;
 
-        if (clean->hash) {
-                spin_lock_bh(&nf_nat_lock);
-                hlist_del_rcu(&nat->bysource);
-                spin_unlock_bh(&nf_nat_lock);
-        } else {
-                memset(nat, 0, sizeof(*nat));
-                i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK |
-                               IPS_SEQ_ADJUST);
-        }
-        return 0;
+        return i->status & IPS_NAT_MASK ? 1 : 0;
 }
 
 static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
@@ -505,16 +494,8 @@ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
         struct net *net;
 
         rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
         for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
-        synchronize_rcu();
-
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
         rtnl_unlock();
 }
 
@@ -526,16 +507,9 @@ static void nf_nat_l3proto_clean(u8 l3proto)
         struct net *net;
 
         rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
-        synchronize_rcu();
 
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
         for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
         rtnl_unlock();
 }
 
@@ -773,7 +747,7 @@ static void __net_exit nf_nat_net_exit(struct net *net)
 {
         struct nf_nat_proto_clean clean = {};
 
-        nf_ct_iterate_cleanup(net, &nf_nat_proto_clean, &clean);
+        nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
         synchronize_rcu();
         nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
 }