aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan_core.c14
-rw-r--r--net/atm/mpc.c2
-rw-r--r--net/bluetooth/l2cap.c62
-rw-r--r--net/bluetooth/rfcomm/sock.c4
-rw-r--r--net/caif/caif_socket.c21
-rw-r--r--net/core/ethtool.c8
-rw-r--r--net/core/stream.c8
-rw-r--r--net/ipv4/Kconfig3
-rw-r--r--net/ipv4/igmp.c14
-rw-r--r--net/ipv4/tcp_timer.c24
-rw-r--r--net/ipv6/route.c28
-rw-r--r--net/mac80211/agg-tx.c2
-rw-r--r--net/mac80211/rx.c4
-rw-r--r--net/mac80211/status.c4
-rw-r--r--net/phonet/pep.c3
-rw-r--r--net/rds/page.c27
-rw-r--r--net/sched/cls_u32.c2
-rw-r--r--net/sctp/auth.c8
-rw-r--r--net/sctp/socket.c13
19 files changed, 152 insertions, 99 deletions
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 01ddb0472f86..0eb96f7e44be 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -24,8 +24,11 @@ int __vlan_hwaccel_rx(struct sk_buff *skb, struct vlan_group *grp,
24 24
25 if (vlan_dev) 25 if (vlan_dev)
26 skb->dev = vlan_dev; 26 skb->dev = vlan_dev;
27 else if (vlan_id) 27 else if (vlan_id) {
28 goto drop; 28 if (!(skb->dev->flags & IFF_PROMISC))
29 goto drop;
30 skb->pkt_type = PACKET_OTHERHOST;
31 }
29 32
30 return (polling ? netif_receive_skb(skb) : netif_rx(skb)); 33 return (polling ? netif_receive_skb(skb) : netif_rx(skb));
31 34
@@ -102,8 +105,11 @@ vlan_gro_common(struct napi_struct *napi, struct vlan_group *grp,
102 105
103 if (vlan_dev) 106 if (vlan_dev)
104 skb->dev = vlan_dev; 107 skb->dev = vlan_dev;
105 else if (vlan_id) 108 else if (vlan_id) {
106 goto drop; 109 if (!(skb->dev->flags & IFF_PROMISC))
110 goto drop;
111 skb->pkt_type = PACKET_OTHERHOST;
112 }
107 113
108 for (p = napi->gro_list; p; p = p->next) { 114 for (p = napi->gro_list; p; p = p->next) {
109 NAPI_GRO_CB(p)->same_flow = 115 NAPI_GRO_CB(p)->same_flow =
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 622b471e14e0..74bcc662c3dd 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
778 eg->packets_rcvd++; 778 eg->packets_rcvd++;
779 mpc->eg_ops->put(eg); 779 mpc->eg_ops->put(eg);
780 780
781 memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); 781 memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data));
782 netif_rx(new_skb); 782 netif_rx(new_skb);
783} 783}
784 784
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index fadf26b4ed7c..0b54b7dd8401 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1441,33 +1441,23 @@ static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1441 1441
1442static void l2cap_streaming_send(struct sock *sk) 1442static void l2cap_streaming_send(struct sock *sk)
1443{ 1443{
1444 struct sk_buff *skb, *tx_skb; 1444 struct sk_buff *skb;
1445 struct l2cap_pinfo *pi = l2cap_pi(sk); 1445 struct l2cap_pinfo *pi = l2cap_pi(sk);
1446 u16 control, fcs; 1446 u16 control, fcs;
1447 1447
1448 while ((skb = sk->sk_send_head)) { 1448 while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
1449 tx_skb = skb_clone(skb, GFP_ATOMIC); 1449 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1450
1451 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1452 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; 1450 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1453 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); 1451 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1454 1452
1455 if (pi->fcs == L2CAP_FCS_CRC16) { 1453 if (pi->fcs == L2CAP_FCS_CRC16) {
1456 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2); 1454 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1457 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2); 1455 put_unaligned_le16(fcs, skb->data + skb->len - 2);
1458 } 1456 }
1459 1457
1460 l2cap_do_send(sk, tx_skb); 1458 l2cap_do_send(sk, skb);
1461 1459
1462 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1460 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1463
1464 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1465 sk->sk_send_head = NULL;
1466 else
1467 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1468
1469 skb = skb_dequeue(TX_QUEUE(sk));
1470 kfree_skb(skb);
1471 } 1461 }
1472} 1462}
1473 1463
@@ -1960,6 +1950,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
1960 1950
1961 switch (optname) { 1951 switch (optname) {
1962 case L2CAP_OPTIONS: 1952 case L2CAP_OPTIONS:
1953 if (sk->sk_state == BT_CONNECTED) {
1954 err = -EINVAL;
1955 break;
1956 }
1957
1963 opts.imtu = l2cap_pi(sk)->imtu; 1958 opts.imtu = l2cap_pi(sk)->imtu;
1964 opts.omtu = l2cap_pi(sk)->omtu; 1959 opts.omtu = l2cap_pi(sk)->omtu;
1965 opts.flush_to = l2cap_pi(sk)->flush_to; 1960 opts.flush_to = l2cap_pi(sk)->flush_to;
@@ -2771,10 +2766,10 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
2771 case L2CAP_CONF_MTU: 2766 case L2CAP_CONF_MTU:
2772 if (val < L2CAP_DEFAULT_MIN_MTU) { 2767 if (val < L2CAP_DEFAULT_MIN_MTU) {
2773 *result = L2CAP_CONF_UNACCEPT; 2768 *result = L2CAP_CONF_UNACCEPT;
2774 pi->omtu = L2CAP_DEFAULT_MIN_MTU; 2769 pi->imtu = L2CAP_DEFAULT_MIN_MTU;
2775 } else 2770 } else
2776 pi->omtu = val; 2771 pi->imtu = val;
2777 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); 2772 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
2778 break; 2773 break;
2779 2774
2780 case L2CAP_CONF_FLUSH_TO: 2775 case L2CAP_CONF_FLUSH_TO:
@@ -3071,6 +3066,17 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
3071 return 0; 3066 return 0;
3072} 3067}
3073 3068
3069static inline void set_default_fcs(struct l2cap_pinfo *pi)
3070{
3071 /* FCS is enabled only in ERTM or streaming mode, if one or both
3072 * sides request it.
3073 */
3074 if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
3075 pi->fcs = L2CAP_FCS_NONE;
3076 else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
3077 pi->fcs = L2CAP_FCS_CRC16;
3078}
3079
3074static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 3080static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3075{ 3081{
3076 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 3082 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
@@ -3088,14 +3094,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3088 if (!sk) 3094 if (!sk)
3089 return -ENOENT; 3095 return -ENOENT;
3090 3096
3091 if (sk->sk_state != BT_CONFIG) { 3097 if (sk->sk_state == BT_DISCONN)
3092 struct l2cap_cmd_rej rej;
3093
3094 rej.reason = cpu_to_le16(0x0002);
3095 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3096 sizeof(rej), &rej);
3097 goto unlock; 3098 goto unlock;
3098 }
3099 3099
3100 /* Reject if config buffer is too small. */ 3100 /* Reject if config buffer is too small. */
3101 len = cmd_len - sizeof(*req); 3101 len = cmd_len - sizeof(*req);
@@ -3135,9 +3135,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3135 goto unlock; 3135 goto unlock;
3136 3136
3137 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) { 3137 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
3138 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || 3138 set_default_fcs(l2cap_pi(sk));
3139 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
3140 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3141 3139
3142 sk->sk_state = BT_CONNECTED; 3140 sk->sk_state = BT_CONNECTED;
3143 3141
@@ -3225,9 +3223,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
3225 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE; 3223 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3226 3224
3227 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) { 3225 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
3228 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || 3226 set_default_fcs(l2cap_pi(sk));
3229 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
3230 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3231 3227
3232 sk->sk_state = BT_CONNECTED; 3228 sk->sk_state = BT_CONNECTED;
3233 l2cap_pi(sk)->next_tx_seq = 0; 3229 l2cap_pi(sk)->next_tx_seq = 0;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 44a623275951..194b3a04cfd3 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -82,11 +82,14 @@ static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb)
82static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) 82static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
83{ 83{
84 struct sock *sk = d->owner, *parent; 84 struct sock *sk = d->owner, *parent;
85 unsigned long flags;
86
85 if (!sk) 87 if (!sk)
86 return; 88 return;
87 89
88 BT_DBG("dlc %p state %ld err %d", d, d->state, err); 90 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
89 91
92 local_irq_save(flags);
90 bh_lock_sock(sk); 93 bh_lock_sock(sk);
91 94
92 if (err) 95 if (err)
@@ -108,6 +111,7 @@ static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
108 } 111 }
109 112
110 bh_unlock_sock(sk); 113 bh_unlock_sock(sk);
114 local_irq_restore(flags);
111 115
112 if (parent && sock_flag(sk, SOCK_ZAPPED)) { 116 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
113 /* We have to drop DLC lock here, otherwise 117 /* We have to drop DLC lock here, otherwise
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 8ce904786116..4bf28f25f368 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
827 long timeo; 827 long timeo;
828 int err; 828 int err;
829 int ifindex, headroom, tailroom; 829 int ifindex, headroom, tailroom;
830 unsigned int mtu;
830 struct net_device *dev; 831 struct net_device *dev;
831 832
832 lock_sock(sk); 833 lock_sock(sk);
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
896 cf_sk->sk.sk_state = CAIF_DISCONNECTED; 897 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
897 goto out; 898 goto out;
898 } 899 }
899 dev = dev_get_by_index(sock_net(sk), ifindex); 900
901 err = -ENODEV;
902 rcu_read_lock();
903 dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
904 if (!dev) {
905 rcu_read_unlock();
906 goto out;
907 }
900 cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); 908 cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);
909 mtu = dev->mtu;
910 rcu_read_unlock();
911
901 cf_sk->tailroom = tailroom; 912 cf_sk->tailroom = tailroom;
902 cf_sk->maxframe = dev->mtu - (headroom + tailroom); 913 cf_sk->maxframe = mtu - (headroom + tailroom);
903 dev_put(dev);
904 if (cf_sk->maxframe < 1) { 914 if (cf_sk->maxframe < 1) {
905 pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", 915 pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n",
906 __func__, dev->mtu); 916 __func__, mtu);
907 err = -ENODEV;
908 goto out; 917 goto out;
909 } 918 }
910 919
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 7a85367b3c2f..8451ab481095 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
348 if (info.cmd == ETHTOOL_GRXCLSRLALL) { 348 if (info.cmd == ETHTOOL_GRXCLSRLALL) {
349 if (info.rule_cnt > 0) { 349 if (info.rule_cnt > 0) {
350 if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) 350 if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
351 rule_buf = kmalloc(info.rule_cnt * sizeof(u32), 351 rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
352 GFP_USER); 352 GFP_USER);
353 if (!rule_buf) 353 if (!rule_buf)
354 return -ENOMEM; 354 return -ENOMEM;
@@ -397,7 +397,7 @@ static noinline_for_stack int ethtool_get_rxfh_indir(struct net_device *dev,
397 (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) 397 (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index))
398 return -ENOMEM; 398 return -ENOMEM;
399 full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; 399 full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size;
400 indir = kmalloc(full_size, GFP_USER); 400 indir = kzalloc(full_size, GFP_USER);
401 if (!indir) 401 if (!indir)
402 return -ENOMEM; 402 return -ENOMEM;
403 403
@@ -538,7 +538,7 @@ static int ethtool_get_rx_ntuple(struct net_device *dev, void __user *useraddr)
538 538
539 gstrings.len = ret; 539 gstrings.len = ret;
540 540
541 data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); 541 data = kzalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER);
542 if (!data) 542 if (!data)
543 return -ENOMEM; 543 return -ENOMEM;
544 544
@@ -775,7 +775,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
775 if (regs.len > reglen) 775 if (regs.len > reglen)
776 regs.len = reglen; 776 regs.len = reglen;
777 777
778 regbuf = kmalloc(reglen, GFP_USER); 778 regbuf = kzalloc(reglen, GFP_USER);
779 if (!regbuf) 779 if (!regbuf)
780 return -ENOMEM; 780 return -ENOMEM;
781 781
diff --git a/net/core/stream.c b/net/core/stream.c
index d959e0f41528..f5df85dcd20b 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -141,10 +141,10 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
141 141
142 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); 142 set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
143 sk->sk_write_pending++; 143 sk->sk_write_pending++;
144 sk_wait_event(sk, &current_timeo, !sk->sk_err && 144 sk_wait_event(sk, &current_timeo, sk->sk_err ||
145 !(sk->sk_shutdown & SEND_SHUTDOWN) && 145 (sk->sk_shutdown & SEND_SHUTDOWN) ||
146 sk_stream_memory_free(sk) && 146 (sk_stream_memory_free(sk) &&
147 vm_wait); 147 !vm_wait));
148 sk->sk_write_pending--; 148 sk->sk_write_pending--;
149 149
150 if (vm_wait) { 150 if (vm_wait) {
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 571f8950ed06..7cd7760144f7 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -217,6 +217,7 @@ config NET_IPIP
217 217
218config NET_IPGRE 218config NET_IPGRE
219 tristate "IP: GRE tunnels over IP" 219 tristate "IP: GRE tunnels over IP"
220 depends on IPV6 || IPV6=n
220 help 221 help
221 Tunneling means encapsulating data of one protocol type within 222 Tunneling means encapsulating data of one protocol type within
222 another protocol and sending it over a channel that understands the 223 another protocol and sending it over a channel that understands the
@@ -412,7 +413,7 @@ config INET_XFRM_MODE_BEET
412 If unsure, say Y. 413 If unsure, say Y.
413 414
414config INET_LRO 415config INET_LRO
415 bool "Large Receive Offload (ipv4/tcp)" 416 tristate "Large Receive Offload (ipv4/tcp)"
416 default y 417 default y
417 ---help--- 418 ---help---
418 Support for Large Receive Offload (ipv4/tcp). 419 Support for Large Receive Offload (ipv4/tcp).
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 1fdcacd36ce7..2a4bb76f2132 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -834,7 +834,7 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
834 int mark = 0; 834 int mark = 0;
835 835
836 836
837 if (len == 8 || IGMP_V2_SEEN(in_dev)) { 837 if (len == 8) {
838 if (ih->code == 0) { 838 if (ih->code == 0) {
839 /* Alas, old v1 router presents here. */ 839 /* Alas, old v1 router presents here. */
840 840
@@ -856,6 +856,18 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
856 igmpv3_clear_delrec(in_dev); 856 igmpv3_clear_delrec(in_dev);
857 } else if (len < 12) { 857 } else if (len < 12) {
858 return; /* ignore bogus packet; freed by caller */ 858 return; /* ignore bogus packet; freed by caller */
859 } else if (IGMP_V1_SEEN(in_dev)) {
860 /* This is a v3 query with v1 queriers present */
861 max_delay = IGMP_Query_Response_Interval;
862 group = 0;
863 } else if (IGMP_V2_SEEN(in_dev)) {
864 /* this is a v3 query with v2 queriers present;
865 * Interpretation of the max_delay code is problematic here.
866 * A real v2 host would use ih_code directly, while v3 has a
867 * different encoding. We use the v3 encoding as more likely
868 * to be intended in a v3 query.
869 */
870 max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE);
859 } else { /* v3 */ 871 } else { /* v3 */
860 if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) 872 if (!pskb_may_pull(skb, sizeof(struct igmpv3_query)))
861 return; 873 return;
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index c35b469e851c..74c54b30600f 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -135,13 +135,16 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
135 135
136/* This function calculates a "timeout" which is equivalent to the timeout of a 136/* This function calculates a "timeout" which is equivalent to the timeout of a
137 * TCP connection after "boundary" unsuccessful, exponentially backed-off 137 * TCP connection after "boundary" unsuccessful, exponentially backed-off
138 * retransmissions with an initial RTO of TCP_RTO_MIN. 138 * retransmissions with an initial RTO of TCP_RTO_MIN or TCP_TIMEOUT_INIT if
139 * syn_set flag is set.
139 */ 140 */
140static bool retransmits_timed_out(struct sock *sk, 141static bool retransmits_timed_out(struct sock *sk,
141 unsigned int boundary) 142 unsigned int boundary,
143 bool syn_set)
142{ 144{
143 unsigned int timeout, linear_backoff_thresh; 145 unsigned int timeout, linear_backoff_thresh;
144 unsigned int start_ts; 146 unsigned int start_ts;
147 unsigned int rto_base = syn_set ? TCP_TIMEOUT_INIT : TCP_RTO_MIN;
145 148
146 if (!inet_csk(sk)->icsk_retransmits) 149 if (!inet_csk(sk)->icsk_retransmits)
147 return false; 150 return false;
@@ -151,12 +154,12 @@ static bool retransmits_timed_out(struct sock *sk,
151 else 154 else
152 start_ts = tcp_sk(sk)->retrans_stamp; 155 start_ts = tcp_sk(sk)->retrans_stamp;
153 156
154 linear_backoff_thresh = ilog2(TCP_RTO_MAX/TCP_RTO_MIN); 157 linear_backoff_thresh = ilog2(TCP_RTO_MAX/rto_base);
155 158
156 if (boundary <= linear_backoff_thresh) 159 if (boundary <= linear_backoff_thresh)
157 timeout = ((2 << boundary) - 1) * TCP_RTO_MIN; 160 timeout = ((2 << boundary) - 1) * rto_base;
158 else 161 else
159 timeout = ((2 << linear_backoff_thresh) - 1) * TCP_RTO_MIN + 162 timeout = ((2 << linear_backoff_thresh) - 1) * rto_base +
160 (boundary - linear_backoff_thresh) * TCP_RTO_MAX; 163 (boundary - linear_backoff_thresh) * TCP_RTO_MAX;
161 164
162 return (tcp_time_stamp - start_ts) >= timeout; 165 return (tcp_time_stamp - start_ts) >= timeout;
@@ -167,14 +170,15 @@ static int tcp_write_timeout(struct sock *sk)
167{ 170{
168 struct inet_connection_sock *icsk = inet_csk(sk); 171 struct inet_connection_sock *icsk = inet_csk(sk);
169 int retry_until; 172 int retry_until;
170 bool do_reset; 173 bool do_reset, syn_set = 0;
171 174
172 if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) { 175 if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
173 if (icsk->icsk_retransmits) 176 if (icsk->icsk_retransmits)
174 dst_negative_advice(sk); 177 dst_negative_advice(sk);
175 retry_until = icsk->icsk_syn_retries ? : sysctl_tcp_syn_retries; 178 retry_until = icsk->icsk_syn_retries ? : sysctl_tcp_syn_retries;
179 syn_set = 1;
176 } else { 180 } else {
177 if (retransmits_timed_out(sk, sysctl_tcp_retries1)) { 181 if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0)) {
178 /* Black hole detection */ 182 /* Black hole detection */
179 tcp_mtu_probing(icsk, sk); 183 tcp_mtu_probing(icsk, sk);
180 184
@@ -187,14 +191,14 @@ static int tcp_write_timeout(struct sock *sk)
187 191
188 retry_until = tcp_orphan_retries(sk, alive); 192 retry_until = tcp_orphan_retries(sk, alive);
189 do_reset = alive || 193 do_reset = alive ||
190 !retransmits_timed_out(sk, retry_until); 194 !retransmits_timed_out(sk, retry_until, 0);
191 195
192 if (tcp_out_of_resources(sk, do_reset)) 196 if (tcp_out_of_resources(sk, do_reset))
193 return 1; 197 return 1;
194 } 198 }
195 } 199 }
196 200
197 if (retransmits_timed_out(sk, retry_until)) { 201 if (retransmits_timed_out(sk, retry_until, syn_set)) {
198 /* Has it gone just too far? */ 202 /* Has it gone just too far? */
199 tcp_write_err(sk); 203 tcp_write_err(sk);
200 return 1; 204 return 1;
@@ -436,7 +440,7 @@ out_reset_timer:
436 icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX); 440 icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
437 } 441 }
438 inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, icsk->icsk_rto, TCP_RTO_MAX); 442 inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, icsk->icsk_rto, TCP_RTO_MAX);
439 if (retransmits_timed_out(sk, sysctl_tcp_retries1 + 1)) 443 if (retransmits_timed_out(sk, sysctl_tcp_retries1 + 1, 0))
440 __sk_dst_reset(sk); 444 __sk_dst_reset(sk);
441 445
442out:; 446out:;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8323136bdc54..a275c6e1e25c 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1556,14 +1556,13 @@ out:
1556 * i.e. Path MTU discovery 1556 * i.e. Path MTU discovery
1557 */ 1557 */
1558 1558
1559void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr, 1559static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
1560 struct net_device *dev, u32 pmtu) 1560 struct net *net, u32 pmtu, int ifindex)
1561{ 1561{
1562 struct rt6_info *rt, *nrt; 1562 struct rt6_info *rt, *nrt;
1563 struct net *net = dev_net(dev);
1564 int allfrag = 0; 1563 int allfrag = 0;
1565 1564
1566 rt = rt6_lookup(net, daddr, saddr, dev->ifindex, 0); 1565 rt = rt6_lookup(net, daddr, saddr, ifindex, 0);
1567 if (rt == NULL) 1566 if (rt == NULL)
1568 return; 1567 return;
1569 1568
@@ -1631,6 +1630,27 @@ out:
1631 dst_release(&rt->dst); 1630 dst_release(&rt->dst);
1632} 1631}
1633 1632
1633void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
1634 struct net_device *dev, u32 pmtu)
1635{
1636 struct net *net = dev_net(dev);
1637
1638 /*
1639 * RFC 1981 states that a node "MUST reduce the size of the packets it
1640 * is sending along the path" that caused the Packet Too Big message.
1641 * Since it's not possible in the general case to determine which
1642 * interface was used to send the original packet, we update the MTU
1643 * on the interface that will be used to send future packets. We also
1644 * update the MTU on the interface that received the Packet Too Big in
1645 * case the original packet was forced out that interface with
1646 * SO_BINDTODEVICE or similar. This is the next best thing to the
1647 * correct behaviour, which would be to update the MTU on all
1648 * interfaces.
1649 */
1650 rt6_do_pmtu_disc(daddr, saddr, net, pmtu, 0);
1651 rt6_do_pmtu_disc(daddr, saddr, net, pmtu, dev->ifindex);
1652}
1653
1634/* 1654/*
1635 * Misc support functions 1655 * Misc support functions
1636 */ 1656 */
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index c893f236acea..8f23401832b7 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -175,6 +175,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
175 175
176 set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); 176 set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
177 177
178 del_timer_sync(&tid_tx->addba_resp_timer);
179
178 /* 180 /*
179 * After this packets are no longer handed right through 181 * After this packets are no longer handed right through
180 * to the driver but are put onto tid_tx->pending instead, 182 * to the driver but are put onto tid_tx->pending instead,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index fa0f37e4afe4..28624282c5f3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2199,9 +2199,6 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2199 struct net_device *prev_dev = NULL; 2199 struct net_device *prev_dev = NULL;
2200 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2200 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2201 2201
2202 if (status->flag & RX_FLAG_INTERNAL_CMTR)
2203 goto out_free_skb;
2204
2205 if (skb_headroom(skb) < sizeof(*rthdr) && 2202 if (skb_headroom(skb) < sizeof(*rthdr) &&
2206 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 2203 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
2207 goto out_free_skb; 2204 goto out_free_skb;
@@ -2260,7 +2257,6 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2260 } else 2257 } else
2261 goto out_free_skb; 2258 goto out_free_skb;
2262 2259
2263 status->flag |= RX_FLAG_INTERNAL_CMTR;
2264 return; 2260 return;
2265 2261
2266 out_free_skb: 2262 out_free_skb:
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 10caec5ea8fa..34da67995d94 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -377,7 +377,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
377 skb2 = skb_clone(skb, GFP_ATOMIC); 377 skb2 = skb_clone(skb, GFP_ATOMIC);
378 if (skb2) { 378 if (skb2) {
379 skb2->dev = prev_dev; 379 skb2->dev = prev_dev;
380 netif_receive_skb(skb2); 380 netif_rx(skb2);
381 } 381 }
382 } 382 }
383 383
@@ -386,7 +386,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
386 } 386 }
387 if (prev_dev) { 387 if (prev_dev) {
388 skb->dev = prev_dev; 388 skb->dev = prev_dev;
389 netif_receive_skb(skb); 389 netif_rx(skb);
390 skb = NULL; 390 skb = NULL;
391 } 391 }
392 rcu_read_unlock(); 392 rcu_read_unlock();
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index b2a3ae6cad78..15003021f4f0 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -225,12 +225,13 @@ static void pipe_grant_credits(struct sock *sk)
225static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) 225static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
226{ 226{
227 struct pep_sock *pn = pep_sk(sk); 227 struct pep_sock *pn = pep_sk(sk);
228 struct pnpipehdr *hdr = pnp_hdr(skb); 228 struct pnpipehdr *hdr;
229 int wake = 0; 229 int wake = 0;
230 230
231 if (!pskb_may_pull(skb, sizeof(*hdr) + 4)) 231 if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
232 return -EINVAL; 232 return -EINVAL;
233 233
234 hdr = pnp_hdr(skb);
234 if (hdr->data[0] != PN_PEP_TYPE_COMMON) { 235 if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
235 LIMIT_NETDEBUG(KERN_DEBUG"Phonet unknown PEP type: %u\n", 236 LIMIT_NETDEBUG(KERN_DEBUG"Phonet unknown PEP type: %u\n",
236 (unsigned)hdr->data[0]); 237 (unsigned)hdr->data[0]);
diff --git a/net/rds/page.c b/net/rds/page.c
index 595a952d4b17..1dfbfea12e9b 100644
--- a/net/rds/page.c
+++ b/net/rds/page.c
@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
57 unsigned long ret; 57 unsigned long ret;
58 void *addr; 58 void *addr;
59 59
60 if (to_user) 60 addr = kmap(page);
61 if (to_user) {
61 rds_stats_add(s_copy_to_user, bytes); 62 rds_stats_add(s_copy_to_user, bytes);
62 else 63 ret = copy_to_user(ptr, addr + offset, bytes);
64 } else {
63 rds_stats_add(s_copy_from_user, bytes); 65 rds_stats_add(s_copy_from_user, bytes);
64 66 ret = copy_from_user(addr + offset, ptr, bytes);
65 addr = kmap_atomic(page, KM_USER0);
66 if (to_user)
67 ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
68 else
69 ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
70 kunmap_atomic(addr, KM_USER0);
71
72 if (ret) {
73 addr = kmap(page);
74 if (to_user)
75 ret = copy_to_user(ptr, addr + offset, bytes);
76 else
77 ret = copy_from_user(addr + offset, ptr, bytes);
78 kunmap(page);
79 if (ret)
80 return -EFAULT;
81 } 67 }
68 kunmap(page);
82 69
83 return 0; 70 return ret ? -EFAULT : 0;
84} 71}
85EXPORT_SYMBOL_GPL(rds_page_copy_user); 72EXPORT_SYMBOL_GPL(rds_page_copy_user);
86 73
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 7416a5c73b2a..b0c2a82178af 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -137,7 +137,7 @@ next_knode:
137 int toff = off + key->off + (off2 & key->offmask); 137 int toff = off + key->off + (off2 & key->offmask);
138 __be32 *data, _data; 138 __be32 *data, _data;
139 139
140 if (skb_headroom(skb) + toff < 0) 140 if (skb_headroom(skb) + toff > INT_MAX)
141 goto out; 141 goto out;
142 142
143 data = skb_header_pointer(skb, toff, 4, &_data); 143 data = skb_header_pointer(skb, toff, 4, &_data);
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 86366390038a..ddbbf7c81fa1 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
543 id = ntohs(hmacs->hmac_ids[i]); 543 id = ntohs(hmacs->hmac_ids[i]);
544 544
545 /* Check the id is in the supported range */ 545 /* Check the id is in the supported range */
546 if (id > SCTP_AUTH_HMAC_ID_MAX) 546 if (id > SCTP_AUTH_HMAC_ID_MAX) {
547 id = 0;
547 continue; 548 continue;
549 }
548 550
549 /* See is we support the id. Supported IDs have name and 551 /* See is we support the id. Supported IDs have name and
550 * length fields set, so that we can allocated and use 552 * length fields set, so that we can allocated and use
551 * them. We can safely just check for name, for without the 553 * them. We can safely just check for name, for without the
552 * name, we can't allocate the TFM. 554 * name, we can't allocate the TFM.
553 */ 555 */
554 if (!sctp_hmac_list[id].hmac_name) 556 if (!sctp_hmac_list[id].hmac_name) {
557 id = 0;
555 continue; 558 continue;
559 }
556 560
557 break; 561 break;
558 } 562 }
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index ca44917872d2..fbb70770ad05 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk,
916 /* Walk through the addrs buffer and count the number of addresses. */ 916 /* Walk through the addrs buffer and count the number of addresses. */
917 addr_buf = kaddrs; 917 addr_buf = kaddrs;
918 while (walk_size < addrs_size) { 918 while (walk_size < addrs_size) {
919 if (walk_size + sizeof(sa_family_t) > addrs_size) {
920 kfree(kaddrs);
921 return -EINVAL;
922 }
923
919 sa_addr = (struct sockaddr *)addr_buf; 924 sa_addr = (struct sockaddr *)addr_buf;
920 af = sctp_get_af_specific(sa_addr->sa_family); 925 af = sctp_get_af_specific(sa_addr->sa_family);
921 926
@@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk,
1002 /* Walk through the addrs buffer and count the number of addresses. */ 1007 /* Walk through the addrs buffer and count the number of addresses. */
1003 addr_buf = kaddrs; 1008 addr_buf = kaddrs;
1004 while (walk_size < addrs_size) { 1009 while (walk_size < addrs_size) {
1010 if (walk_size + sizeof(sa_family_t) > addrs_size) {
1011 err = -EINVAL;
1012 goto out_free;
1013 }
1014
1005 sa_addr = (union sctp_addr *)addr_buf; 1015 sa_addr = (union sctp_addr *)addr_buf;
1006 af = sctp_get_af_specific(sa_addr->sa.sa_family); 1016 af = sctp_get_af_specific(sa_addr->sa.sa_family);
1007 port = ntohs(sa_addr->v4.sin_port);
1008 1017
1009 /* If the address family is not supported or if this address 1018 /* If the address family is not supported or if this address
1010 * causes the address buffer to overflow return EINVAL. 1019 * causes the address buffer to overflow return EINVAL.
@@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk,
1014 goto out_free; 1023 goto out_free;
1015 } 1024 }
1016 1025
1026 port = ntohs(sa_addr->v4.sin_port);
1027
1017 /* Save current address so we can work with it */ 1028 /* Save current address so we can work with it */
1018 memcpy(&to, sa_addr, af->sockaddr_len); 1029 memcpy(&to, sa_addr, af->sockaddr_len);
1019 1030
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-26 13:30:05 -0500