18 files changed, 137 insertions, 49 deletions
diff --git a/net/bridge/br.c b/net/bridge/br.c
index 9aac5213105a..e1241c76239a 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -93,7 +93,7 @@ static void __exit br_deinit(void)
        unregister_pernet_subsys(&br_net_ops);
-        synchronize_net();
+        rcu_barrier(); /* Wait for completion of call_rcu()'s */
        br_netfilter_fini();
 #if defined(CONFIG_ATM_LANE) || defined(CONFIG_ATM_LANE_MODULE)
diff --git a/net/core/dev.c b/net/core/dev.c
index 60b572812278..70c27e0c7c32 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2823,9 +2823,11 @@ static void net_rx_action(struct softirq_action *h)
                 * move the instance around on the list at-will.
                 */
                if (unlikely(work == weight)) {
-                        if (unlikely(napi_disable_pending(n)))
+                        if (unlikely(napi_disable_pending(n))) {
-                                __napi_complete(n);
+                                local_irq_enable();
-                        else
+                                napi_complete(n);
+                                local_irq_disable();
+                        } else
                                list_move_tail(&n->poll_list, list);
                }
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index d351b8db0df5..77d40289653c 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -2413,6 +2413,8 @@ static void __exit decnet_exit(void)
        proc_net_remove(&init_net, "decnet");
        proto_unregister(&dn_proto);
+        rcu_barrier_bh(); /* Wait for completion of call_rcu_bh()'s */
 }
 module_exit(decnet_exit);
 #endif
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 490ce20faf38..db46b4b5b2b9 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -440,6 +440,9 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
        /* Remove any debris in the socket control block */
        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+        /* Must drop socket now because of tproxy. */
+        skb_orphan(skb);
        return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL,
                       ip_rcv_finish);
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 155c008626c8..09172a65d9b6 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -191,7 +191,8 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
                                    ct, ctinfo);
                /* Tell TCP window tracking about seq change */
                nf_conntrack_tcp_update(skb, ip_hdrlen(skb),
-                                        ct, CTINFO2DIR(ctinfo));
+                                        ct, CTINFO2DIR(ctinfo),
+                                        (int)rep_len - (int)match_len);
                nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
        }
@@ -377,6 +378,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
        struct tcphdr *tcph;
        int dir;
        __be32 newseq, newack;
+        s16 seqoff, ackoff;
        struct nf_conn_nat *nat = nfct_nat(ct);
        struct nf_nat_seq *this_way, *other_way;
@@ -390,15 +392,18 @@ nf_nat_seq_adjust(struct sk_buff *skb,
        tcph = (void *)skb->data + ip_hdrlen(skb);
        if (after(ntohl(tcph->seq), this_way->correction_pos))
-                newseq = htonl(ntohl(tcph->seq) + this_way->offset_after);
+                seqoff = this_way->offset_after;
        else
-                newseq = htonl(ntohl(tcph->seq) + this_way->offset_before);
+                seqoff = this_way->offset_before;
        if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
                  other_way->correction_pos))
-                newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_after);
+                ackoff = other_way->offset_after;
        else
-                newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_before);
+                ackoff = other_way->offset_before;
+        newseq = htonl(ntohl(tcph->seq) + seqoff);
+        newack = htonl(ntohl(tcph->ack_seq) - ackoff);
        inet_proto_csum_replace4(&tcph->check, skb, tcph->seq, newseq, 0);
        inet_proto_csum_replace4(&tcph->check, skb, tcph->ack_seq, newack, 0);
@@ -413,7 +418,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
        if (!nf_nat_sack_adjust(skb, tcph, ct, ctinfo))
                return 0;
-        nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir);
+        nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir, seqoff);
        return 1;
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 43bbba7926ee..f8d67ccc64f3 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -128,7 +128,8 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
                        goto kill_with_rst;
                /* Dup ACK? */
-                if (!after(TCP_SKB_CB(skb)->end_seq, tcptw->tw_rcv_nxt) ||
+                if (!th->ack ||
+                    !after(TCP_SKB_CB(skb)->end_seq, tcptw->tw_rcv_nxt) ||
                    TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq) {
                        inet_twsk_put(tw);
                        return TCP_TW_SUCCESS;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 8c1e86afbbf5..3883b4036a74 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3362,7 +3362,10 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa,
                valid = ifa->valid_lft;
                if (preferred != INFINITY_LIFE_TIME) {
                        long tval = (jiffies - ifa->tstamp)/HZ;
-                        preferred -= tval;
+                        if (preferred > tval)
+                                preferred -= tval;
+                        else
+                                preferred = 0;
                        if (valid != INFINITY_LIFE_TIME)
                                valid -= tval;
                }
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 85b3d0036afd..caa0278d30a9 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -1284,6 +1284,8 @@ static void __exit inet6_exit(void)
        proto_unregister(&udplitev6_prot);
        proto_unregister(&udpv6_prot);
        proto_unregister(&tcpv6_prot);
+        rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
 module_exit(inet6_exit);
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index c3a07d75b5f5..6d6a4277c677 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -139,6 +139,9 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
        rcu_read_unlock();
+        /* Must drop socket now because of tproxy. */
+        skb_orphan(skb);
        return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL,
                       ip6_rcv_finish);
 err:
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index fc712e60705d..11cf45bce38a 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -494,7 +494,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
         * should it be using the interface and enqueuing
         * frames at this very time on another CPU.
         */
-        synchronize_rcu();
+        rcu_barrier(); /* Wait for RX path and call_rcu()'s */
        skb_queue_purge(&sdata->u.mesh.skb_queue);
 }
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index afde8f991646..2032dfe25ca8 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -617,8 +617,10 @@ err1:
 void nf_conntrack_expect_fini(struct net *net)
 {
        exp_proc_remove(net);
-        if (net_eq(net, &init_net))
+        if (net_eq(net, &init_net)) {
+                rcu_barrier(); /* Wait for call_rcu() before destroy */
                kmem_cache_destroy(nf_ct_expect_cachep);
+        }
        nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
                             nf_ct_expect_hsize);
 }
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 4b2c769d555f..fef95be334bd 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -186,6 +186,6 @@ void nf_ct_extend_unregister(struct nf_ct_ext_type *type)
        rcu_assign_pointer(nf_ct_ext_types[type->id], NULL);
        update_alloc_size(type);
        mutex_unlock(&nf_ct_ext_type_mutex);
-        synchronize_rcu();
+        rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
 EXPORT_SYMBOL_GPL(nf_ct_extend_unregister);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 33fc0a443f3d..97a82ba75376 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -720,8 +720,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
 /* Caller must linearize skb at tcp header. */
 void nf_conntrack_tcp_update(const struct sk_buff *skb,
                             unsigned int dataoff,
-                             struct nf_conn *ct,
+                             struct nf_conn *ct, int dir,
-                             int dir)
+                             s16 offset)
 {
        const struct tcphdr *tcph = (const void *)skb->data + dataoff;
        const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
@@ -734,7 +734,7 @@ void nf_conntrack_tcp_update(const struct sk_buff *skb,
        /*
         * We have to worry for the ack in the reply packet only...
         */
-        if (after(end, ct->proto.tcp.seen[dir].td_end))
+        if (ct->proto.tcp.seen[dir].td_end + offset == end)
                ct->proto.tcp.seen[dir].td_end = end;
        ct->proto.tcp.last_end = end;
        spin_unlock_bh(&ct->lock);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f3dd78..fc581800698e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -129,7 +129,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
 static inline bool
 conntrack_mt_origsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                     u_int8_t family)
 {
        return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
@@ -138,7 +138,7 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
 static inline bool
 conntrack_mt_origdst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                     u_int8_t family)
 {
        return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
@@ -147,7 +147,7 @@ conntrack_mt_origdst(const struct nf_conn *ct,
 static inline bool
 conntrack_mt_replsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                     u_int8_t family)
 {
        return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
@@ -156,7 +156,7 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
 static inline bool
 conntrack_mt_repldst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                     u_int8_t family)
 {
        return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
@@ -164,7 +164,7 @@ conntrack_mt_repldst(const struct nf_conn *ct,
 }
 static inline bool
-ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
                    const struct nf_conn *ct)
 {
        const struct nf_conntrack_tuple *tuple;
@@ -204,7 +204,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
 static bool
 conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-        const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+        const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
        enum ip_conntrack_info ctinfo;
        const struct nf_conn *ct;
        unsigned int statebit;
@@ -278,6 +278,16 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
+static bool
+conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+        const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
+        struct xt_match_param newpar = *par;
+        newpar.matchinfo = *info;
+        return conntrack_mt(skb, &newpar);
+}
 static bool conntrack_mt_check(const struct xt_mtchk_param *par)
 {
        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -288,11 +298,45 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
        return true;
 }
+static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
+{
+        struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+        struct xt_conntrack_mtinfo2 *up;
+        int ret = conntrack_mt_check(par);
+        if (ret < 0)
+                return ret;
+        up = kmalloc(sizeof(*up), GFP_KERNEL);
+        if (up == NULL) {
+                nf_ct_l3proto_module_put(par->family);
+                return -ENOMEM;
+        }
+        /*
+         * The strategy here is to minimize the overhead of v1 matching,
+         * by prebuilding a v2 struct and putting the pointer into the
+         * v1 dataspace.
+         */
+        memcpy(up, info, offsetof(typeof(*info), state_mask));
+        up->state_mask  = info->state_mask;
+        up->status_mask = info->status_mask;
+        *(void **)info  = up;
+        return true;
+}
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
 {
        nf_ct_l3proto_module_put(par->family);
 }
+static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
+{
+        struct xt_conntrack_mtinfo2 **info = par->matchinfo;
+        kfree(*info);
+        conntrack_mt_destroy(par);
+}
 #ifdef CONFIG_COMPAT
 struct compat_xt_conntrack_info
 {
@@ -363,6 +407,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
                .revision   = 1,
                .family     = NFPROTO_UNSPEC,
                .matchsize  = sizeof(struct xt_conntrack_mtinfo1),
+                .match      = conntrack_mt_v1,
+                .checkentry = conntrack_mt_check_v1,
+                .destroy    = conntrack_mt_destroy_v1,
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "conntrack",
+                .revision   = 2,
+                .family     = NFPROTO_UNSPEC,
+                .matchsize  = sizeof(struct xt_conntrack_mtinfo2),
                .match      = conntrack_mt,
                .checkentry = conntrack_mt_check,
                .destroy    = conntrack_mt_destroy,
diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
index 80a322d77909..b0d6ddd82a9d 100644
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -69,10 +69,27 @@ static struct phonet_device *__phonet_get(struct net_device *dev)
        return NULL;
 }
-static void __phonet_device_free(struct phonet_device *pnd)
+static void phonet_device_destroy(struct net_device *dev)
 {
-        list_del(&pnd->list);
+        struct phonet_device_list *pndevs = phonet_device_list(dev_net(dev));
-        kfree(pnd);
+        struct phonet_device *pnd;
+        ASSERT_RTNL();
+        spin_lock_bh(&pndevs->lock);
+        pnd = __phonet_get(dev);
+        if (pnd)
+                list_del(&pnd->list);
+        spin_unlock_bh(&pndevs->lock);
+        if (pnd) {
+                u8 addr;
+                for (addr = find_first_bit(pnd->addrs, 64); addr < 64;
+                        addr = find_next_bit(pnd->addrs, 64, 1+addr))
+                        phonet_address_notify(RTM_DELADDR, dev, addr);
+                kfree(pnd);
+        }
 }
 struct net_device *phonet_device_get(struct net *net)
@@ -126,8 +143,10 @@ int phonet_address_del(struct net_device *dev, u8 addr)
        pnd = __phonet_get(dev);
        if (!pnd || !test_and_clear_bit(addr >> 2, pnd->addrs))
                err = -EADDRNOTAVAIL;
-        else if (bitmap_empty(pnd->addrs, 64))
+        else if (bitmap_empty(pnd->addrs, 64)) {
-                __phonet_device_free(pnd);
+                list_del(&pnd->list);
+                kfree(pnd);
+        }
        spin_unlock_bh(&pndevs->lock);
        return err;
 }
@@ -181,18 +200,8 @@ static int phonet_device_notify(struct notifier_block *me, unsigned long what,
 {
        struct net_device *dev = arg;
-        if (what == NETDEV_UNREGISTER) {
+        if (what == NETDEV_UNREGISTER)
-                struct phonet_device_list *pndevs;
+                phonet_device_destroy(dev);
-                struct phonet_device *pnd;
-                /* Destroy phonet-specific device data */
-                pndevs = phonet_device_list(dev_net(dev));
-                spin_lock_bh(&pndevs->lock);
-                pnd = __phonet_get(dev);
-                if (pnd)
-                        __phonet_device_free(pnd);
-                spin_unlock_bh(&pndevs->lock);
-        }
        return 0;
 }
@@ -218,11 +227,12 @@ static int phonet_init_net(struct net *net)
 static void phonet_exit_net(struct net *net)
 {
        struct phonet_net *pnn = net_generic(net, phonet_net_id);
-        struct phonet_device *pnd, *n;
+        struct net_device *dev;
-        list_for_each_entry_safe(pnd, n, &pnn->pndevs.list, list)
-                __phonet_device_free(pnd);
+        rtnl_lock();
+        for_each_netdev(net, dev)
+                phonet_device_destroy(dev);
+        rtnl_unlock();
        kfree(pnn);
 }
diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index cec4e5951681..f8b4cee434c2 100644
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -32,7 +32,7 @@
 static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
                     u32 pid, u32 seq, int event);
-static void rtmsg_notify(int event, struct net_device *dev, u8 addr)
+void phonet_address_notify(int event, struct net_device *dev, u8 addr)
 {
        struct sk_buff *skb;
        int err = -ENOBUFS;
@@ -94,7 +94,7 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr)
        else
                err = phonet_address_del(dev, pnaddr);
        if (!err)
-                rtmsg_notify(nlh->nlmsg_type, dev, pnaddr);
+                phonet_address_notify(nlh->nlmsg_type, dev, pnaddr);
        return err;
 }
diff --git a/net/sunrpc/sunrpc_syms.c b/net/sunrpc/sunrpc_syms.c
index 843629f55763..adaa81982f74 100644
--- a/net/sunrpc/sunrpc_syms.c
+++ b/net/sunrpc/sunrpc_syms.c
@@ -66,6 +66,7 @@ cleanup_sunrpc(void)
 #ifdef CONFIG_PROC_FS
        rpc_proc_exit();
 #endif
+        rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
 MODULE_LICENSE("GPL");
 module_init(init_sunrpc);
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index d31ccb487730..faf54c6bf96b 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -292,8 +292,8 @@ static struct xfrm_algo_desc ealg_list[] = {
        }
 },
 {
-        .name = "cbc(cast128)",
+        .name = "cbc(cast5)",
-        .compat = "cast128",
+        .compat = "cast5",
        .uinfo = {
                .encr = {