aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan_dev.c52
-rw-r--r--net/atm/common.c1
-rw-r--r--net/atm/pvc.c1
-rw-r--r--net/batman-adv/bat_iv_ogm.c13
-rw-r--r--net/batman-adv/bitarray.h6
-rw-r--r--net/batman-adv/gateway_client.c6
-rw-r--r--net/batman-adv/soft-interface.c7
-rw-r--r--net/batman-adv/translation-table.c1
-rw-r--r--net/bluetooth/bnep/sock.c4
-rw-r--r--net/bluetooth/cmtp/sock.c4
-rw-r--r--net/bluetooth/hci_conn.c4
-rw-r--r--net/bluetooth/hci_core.c2
-rw-r--r--net/bluetooth/hci_event.c28
-rw-r--r--net/bluetooth/hci_sock.c18
-rw-r--r--net/bluetooth/hidp/sock.c4
-rw-r--r--net/bluetooth/l2cap_core.c14
-rw-r--r--net/bluetooth/l2cap_sock.c5
-rw-r--r--net/bluetooth/mgmt.c16
-rw-r--r--net/bluetooth/rfcomm/sock.c2
-rw-r--r--net/bluetooth/rfcomm/tty.c2
-rw-r--r--net/bluetooth/sco.c19
-rw-r--r--net/bluetooth/smp.c15
-rw-r--r--net/bridge/br_device.c30
-rw-r--r--net/bridge/br_forward.c2
-rw-r--r--net/bridge/br_if.c6
-rw-r--r--net/bridge/br_private.h4
-rw-r--r--net/bridge/netfilter/ebt_log.c2
-rw-r--r--net/caif/cfsrvl.c5
-rw-r--r--net/caif/chnl_net.c4
-rw-r--r--net/ceph/ceph_common.c1
-rw-r--r--net/ceph/debugfs.c4
-rw-r--r--net/ceph/messenger.c16
-rw-r--r--net/ceph/mon_client.c51
-rw-r--r--net/core/dev.c44
-rw-r--r--net/core/dst.c10
-rw-r--r--net/core/netpoll.c99
-rw-r--r--net/core/netprio_cgroup.c30
-rw-r--r--net/core/pktgen.c2
-rw-r--r--net/core/scm.c4
-rw-r--r--net/core/skbuff.c4
-rw-r--r--net/core/sock.c13
-rw-r--r--net/dccp/ccid.h4
-rw-r--r--net/dccp/ccids/ccid3.c1
-rw-r--r--net/ipv4/arp.c2
-rw-r--r--net/ipv4/devinet.c10
-rw-r--r--net/ipv4/fib_frontend.c20
-rw-r--r--net/ipv4/fib_rules.c2
-rw-r--r--net/ipv4/fib_trie.c8
-rw-r--r--net/ipv4/inet_connection_sock.c7
-rw-r--r--net/ipv4/ip_output.c10
-rw-r--r--net/ipv4/ipmr.c14
-rw-r--r--net/ipv4/netfilter/nf_nat_sip.c14
-rw-r--r--net/ipv4/raw.c14
-rw-r--r--net/ipv4/route.c54
-rw-r--r--net/ipv4/tcp.c27
-rw-r--r--net/ipv4/tcp_cong.c3
-rw-r--r--net/ipv4/tcp_input.c24
-rw-r--r--net/ipv4/tcp_ipv4.c23
-rw-r--r--net/ipv4/tcp_metrics.c12
-rw-r--r--net/ipv4/tcp_minisocks.c2
-rw-r--r--net/ipv4/tcp_output.c37
-rw-r--r--net/ipv4/tcp_timer.c6
-rw-r--r--net/ipv4/udp.c7
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/ipv6/esp6.c6
-rw-r--r--net/ipv6/inet6_connection_sock.c23
-rw-r--r--net/ipv6/ip6_fib.c4
-rw-r--r--net/ipv6/mip6.c20
-rw-r--r--net/ipv6/proc.c4
-rw-r--r--net/ipv6/raw.c21
-rw-r--r--net/ipv6/route.c19
-rw-r--r--net/ipv6/tcp_ipv6.c34
-rw-r--r--net/ipv6/udp.c11
-rw-r--r--net/ipv6/xfrm6_policy.c8
-rw-r--r--net/l2tp/l2tp_core.c7
-rw-r--r--net/l2tp/l2tp_core.h1
-rw-r--r--net/l2tp/l2tp_eth.c2
-rw-r--r--net/l2tp/l2tp_ip6.c1
-rw-r--r--net/llc/af_llc.c8
-rw-r--r--net/llc/llc_input.c21
-rw-r--r--net/llc/llc_station.c29
-rw-r--r--net/mac80211/cfg.c9
-rw-r--r--net/mac80211/mesh.c3
-rw-r--r--net/mac80211/mlme.c6
-rw-r--r--net/mac80211/scan.c3
-rw-r--r--net/mac80211/tx.c38
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c5
-rw-r--r--net/netfilter/nf_conntrack_core.c16
-rw-r--r--net/netfilter/nf_conntrack_expect.c29
-rw-r--r--net/netfilter/nf_conntrack_netlink.c10
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c29
-rw-r--r--net/netfilter/nf_conntrack_sip.c92
-rw-r--r--net/netfilter/nfnetlink_log.c20
-rw-r--r--net/netfilter/xt_LOG.c37
-rw-r--r--net/netlink/af_netlink.c6
-rw-r--r--net/netrom/af_netrom.c9
-rw-r--r--net/openvswitch/actions.c2
-rw-r--r--net/openvswitch/datapath.c6
-rw-r--r--net/openvswitch/flow.h8
-rw-r--r--net/packet/af_packet.c12
-rw-r--r--net/sched/act_gact.c14
-rw-r--r--net/sched/act_ipt.c7
-rw-r--r--net/sched/act_mirred.c11
-rw-r--r--net/sched/act_pedit.c5
-rw-r--r--net/sched/act_simple.c5
-rw-r--r--net/sched/sch_cbq.c5
-rw-r--r--net/sched/sch_fq_codel.c2
-rw-r--r--net/sched/sch_gred.c38
-rw-r--r--net/sched/sch_qfq.c100
-rw-r--r--net/sctp/output.c21
-rw-r--r--net/socket.c5
-rw-r--r--net/sunrpc/svc_xprt.c10
-rw-r--r--net/sunrpc/svcsock.c2
-rw-r--r--net/sunrpc/xprt.c34
-rw-r--r--net/sunrpc/xprtrdma/transport.c1
-rw-r--r--net/sunrpc/xprtsock.c3
-rw-r--r--net/unix/af_unix.c4
-rw-r--r--net/wireless/core.c5
-rw-r--r--net/wireless/core.h1
-rw-r--r--net/wireless/nl80211.c4
-rw-r--r--net/wireless/reg.c31
-rw-r--r--net/wireless/util.c2
-rw-r--r--net/xfrm/xfrm_input.c2
-rw-r--r--net/xfrm/xfrm_policy.c5
-rw-r--r--net/xfrm/xfrm_replay.c15
-rw-r--r--net/xfrm/xfrm_state.c25
-rw-r--r--net/xfrm/xfrm_user.c57
127 files changed, 1172 insertions, 661 deletions
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 73a2a83ee2da..402442402af7 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -137,9 +137,21 @@ static int vlan_dev_hard_header(struct sk_buff *skb, struct net_device *dev,
137 return rc; 137 return rc;
138} 138}
139 139
140static inline netdev_tx_t vlan_netpoll_send_skb(struct vlan_dev_priv *vlan, struct sk_buff *skb)
141{
142#ifdef CONFIG_NET_POLL_CONTROLLER
143 if (vlan->netpoll)
144 netpoll_send_skb(vlan->netpoll, skb);
145#else
146 BUG();
147#endif
148 return NETDEV_TX_OK;
149}
150
140static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb, 151static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
141 struct net_device *dev) 152 struct net_device *dev)
142{ 153{
154 struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
143 struct vlan_ethhdr *veth = (struct vlan_ethhdr *)(skb->data); 155 struct vlan_ethhdr *veth = (struct vlan_ethhdr *)(skb->data);
144 unsigned int len; 156 unsigned int len;
145 int ret; 157 int ret;
@@ -150,29 +162,30 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
150 * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs... 162 * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
151 */ 163 */
152 if (veth->h_vlan_proto != htons(ETH_P_8021Q) || 164 if (veth->h_vlan_proto != htons(ETH_P_8021Q) ||
153 vlan_dev_priv(dev)->flags & VLAN_FLAG_REORDER_HDR) { 165 vlan->flags & VLAN_FLAG_REORDER_HDR) {
154 u16 vlan_tci; 166 u16 vlan_tci;
155 vlan_tci = vlan_dev_priv(dev)->vlan_id; 167 vlan_tci = vlan->vlan_id;
156 vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb); 168 vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb);
157 skb = __vlan_hwaccel_put_tag(skb, vlan_tci); 169 skb = __vlan_hwaccel_put_tag(skb, vlan_tci);
158 } 170 }
159 171
160 skb->dev = vlan_dev_priv(dev)->real_dev; 172 skb->dev = vlan->real_dev;
161 len = skb->len; 173 len = skb->len;
162 if (netpoll_tx_running(dev)) 174 if (unlikely(netpoll_tx_running(dev)))
163 return skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev); 175 return vlan_netpoll_send_skb(vlan, skb);
176
164 ret = dev_queue_xmit(skb); 177 ret = dev_queue_xmit(skb);
165 178
166 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) { 179 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
167 struct vlan_pcpu_stats *stats; 180 struct vlan_pcpu_stats *stats;
168 181
169 stats = this_cpu_ptr(vlan_dev_priv(dev)->vlan_pcpu_stats); 182 stats = this_cpu_ptr(vlan->vlan_pcpu_stats);
170 u64_stats_update_begin(&stats->syncp); 183 u64_stats_update_begin(&stats->syncp);
171 stats->tx_packets++; 184 stats->tx_packets++;
172 stats->tx_bytes += len; 185 stats->tx_bytes += len;
173 u64_stats_update_end(&stats->syncp); 186 u64_stats_update_end(&stats->syncp);
174 } else { 187 } else {
175 this_cpu_inc(vlan_dev_priv(dev)->vlan_pcpu_stats->tx_dropped); 188 this_cpu_inc(vlan->vlan_pcpu_stats->tx_dropped);
176 } 189 }
177 190
178 return ret; 191 return ret;
@@ -669,25 +682,26 @@ static void vlan_dev_poll_controller(struct net_device *dev)
669 return; 682 return;
670} 683}
671 684
672static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo) 685static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo,
686 gfp_t gfp)
673{ 687{
674 struct vlan_dev_priv *info = vlan_dev_priv(dev); 688 struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
675 struct net_device *real_dev = info->real_dev; 689 struct net_device *real_dev = vlan->real_dev;
676 struct netpoll *netpoll; 690 struct netpoll *netpoll;
677 int err = 0; 691 int err = 0;
678 692
679 netpoll = kzalloc(sizeof(*netpoll), GFP_KERNEL); 693 netpoll = kzalloc(sizeof(*netpoll), gfp);
680 err = -ENOMEM; 694 err = -ENOMEM;
681 if (!netpoll) 695 if (!netpoll)
682 goto out; 696 goto out;
683 697
684 err = __netpoll_setup(netpoll, real_dev); 698 err = __netpoll_setup(netpoll, real_dev, gfp);
685 if (err) { 699 if (err) {
686 kfree(netpoll); 700 kfree(netpoll);
687 goto out; 701 goto out;
688 } 702 }
689 703
690 info->netpoll = netpoll; 704 vlan->netpoll = netpoll;
691 705
692out: 706out:
693 return err; 707 return err;
@@ -695,19 +709,15 @@ out:
695 709
696static void vlan_dev_netpoll_cleanup(struct net_device *dev) 710static void vlan_dev_netpoll_cleanup(struct net_device *dev)
697{ 711{
698 struct vlan_dev_priv *info = vlan_dev_priv(dev); 712 struct vlan_dev_priv *vlan= vlan_dev_priv(dev);
699 struct netpoll *netpoll = info->netpoll; 713 struct netpoll *netpoll = vlan->netpoll;
700 714
701 if (!netpoll) 715 if (!netpoll)
702 return; 716 return;
703 717
704 info->netpoll = NULL; 718 vlan->netpoll = NULL;
705
706 /* Wait for transmitting packets to finish before freeing. */
707 synchronize_rcu_bh();
708 719
709 __netpoll_cleanup(netpoll); 720 __netpoll_free_rcu(netpoll);
710 kfree(netpoll);
711} 721}
712#endif /* CONFIG_NET_POLL_CONTROLLER */ 722#endif /* CONFIG_NET_POLL_CONTROLLER */
713 723
diff --git a/net/atm/common.c b/net/atm/common.c
index b4b44dbed645..0c0ad930a632 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname,
812 812
813 if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags)) 813 if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
814 return -ENOTCONN; 814 return -ENOTCONN;
815 memset(&pvc, 0, sizeof(pvc));
815 pvc.sap_family = AF_ATMPVC; 816 pvc.sap_family = AF_ATMPVC;
816 pvc.sap_addr.itf = vcc->dev->number; 817 pvc.sap_addr.itf = vcc->dev->number;
817 pvc.sap_addr.vpi = vcc->vpi; 818 pvc.sap_addr.vpi = vcc->vpi;
diff --git a/net/atm/pvc.c b/net/atm/pvc.c
index 3a734919c36c..ae0324021407 100644
--- a/net/atm/pvc.c
+++ b/net/atm/pvc.c
@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr,
95 return -ENOTCONN; 95 return -ENOTCONN;
96 *sockaddr_len = sizeof(struct sockaddr_atmpvc); 96 *sockaddr_len = sizeof(struct sockaddr_atmpvc);
97 addr = (struct sockaddr_atmpvc *)sockaddr; 97 addr = (struct sockaddr_atmpvc *)sockaddr;
98 memset(addr, 0, sizeof(*addr));
98 addr->sap_family = AF_ATMPVC; 99 addr->sap_family = AF_ATMPVC;
99 addr->sap_addr.itf = vcc->dev->number; 100 addr->sap_addr.itf = vcc->dev->number;
100 addr->sap_addr.vpi = vcc->vpi; 101 addr->sap_addr.vpi = vcc->vpi;
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index e877af8bdd1e..469daabd90c7 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -642,7 +642,8 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
642 struct batadv_neigh_node *router = NULL; 642 struct batadv_neigh_node *router = NULL;
643 struct batadv_orig_node *orig_node_tmp; 643 struct batadv_orig_node *orig_node_tmp;
644 struct hlist_node *node; 644 struct hlist_node *node;
645 uint8_t bcast_own_sum_orig, bcast_own_sum_neigh; 645 int if_num;
646 uint8_t sum_orig, sum_neigh;
646 uint8_t *neigh_addr; 647 uint8_t *neigh_addr;
647 648
648 batadv_dbg(BATADV_DBG_BATMAN, bat_priv, 649 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
@@ -727,17 +728,17 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
727 if (router && (neigh_node->tq_avg == router->tq_avg)) { 728 if (router && (neigh_node->tq_avg == router->tq_avg)) {
728 orig_node_tmp = router->orig_node; 729 orig_node_tmp = router->orig_node;
729 spin_lock_bh(&orig_node_tmp->ogm_cnt_lock); 730 spin_lock_bh(&orig_node_tmp->ogm_cnt_lock);
730 bcast_own_sum_orig = 731 if_num = router->if_incoming->if_num;
731 orig_node_tmp->bcast_own_sum[if_incoming->if_num]; 732 sum_orig = orig_node_tmp->bcast_own_sum[if_num];
732 spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock); 733 spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock);
733 734
734 orig_node_tmp = neigh_node->orig_node; 735 orig_node_tmp = neigh_node->orig_node;
735 spin_lock_bh(&orig_node_tmp->ogm_cnt_lock); 736 spin_lock_bh(&orig_node_tmp->ogm_cnt_lock);
736 bcast_own_sum_neigh = 737 if_num = neigh_node->if_incoming->if_num;
737 orig_node_tmp->bcast_own_sum[if_incoming->if_num]; 738 sum_neigh = orig_node_tmp->bcast_own_sum[if_num];
738 spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock); 739 spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock);
739 740
740 if (bcast_own_sum_orig >= bcast_own_sum_neigh) 741 if (sum_orig >= sum_neigh)
741 goto update_tt; 742 goto update_tt;
742 } 743 }
743 744
diff --git a/net/batman-adv/bitarray.h b/net/batman-adv/bitarray.h
index a081ce1c0514..cebaae7e148b 100644
--- a/net/batman-adv/bitarray.h
+++ b/net/batman-adv/bitarray.h
@@ -20,8 +20,8 @@
20#ifndef _NET_BATMAN_ADV_BITARRAY_H_ 20#ifndef _NET_BATMAN_ADV_BITARRAY_H_
21#define _NET_BATMAN_ADV_BITARRAY_H_ 21#define _NET_BATMAN_ADV_BITARRAY_H_
22 22
23/* returns true if the corresponding bit in the given seq_bits indicates true 23/* Returns 1 if the corresponding bit in the given seq_bits indicates true
24 * and curr_seqno is within range of last_seqno 24 * and curr_seqno is within range of last_seqno. Otherwise returns 0.
25 */ 25 */
26static inline int batadv_test_bit(const unsigned long *seq_bits, 26static inline int batadv_test_bit(const unsigned long *seq_bits,
27 uint32_t last_seqno, uint32_t curr_seqno) 27 uint32_t last_seqno, uint32_t curr_seqno)
@@ -32,7 +32,7 @@ static inline int batadv_test_bit(const unsigned long *seq_bits,
32 if (diff < 0 || diff >= BATADV_TQ_LOCAL_WINDOW_SIZE) 32 if (diff < 0 || diff >= BATADV_TQ_LOCAL_WINDOW_SIZE)
33 return 0; 33 return 0;
34 else 34 else
35 return test_bit(diff, seq_bits); 35 return test_bit(diff, seq_bits) != 0;
36} 36}
37 37
38/* turn corresponding bit on, so we can remember that we got the packet */ 38/* turn corresponding bit on, so we can remember that we got the packet */
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index b421cc49d2cd..fc866f2e4528 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -200,11 +200,11 @@ void batadv_gw_election(struct batadv_priv *bat_priv)
200 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_CLIENT) 200 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_CLIENT)
201 goto out; 201 goto out;
202 202
203 if (!batadv_atomic_dec_not_zero(&bat_priv->gw_reselect))
204 goto out;
205
206 curr_gw = batadv_gw_get_selected_gw_node(bat_priv); 203 curr_gw = batadv_gw_get_selected_gw_node(bat_priv);
207 204
205 if (!batadv_atomic_dec_not_zero(&bat_priv->gw_reselect) && curr_gw)
206 goto out;
207
208 next_gw = batadv_gw_get_best_gw_node(bat_priv); 208 next_gw = batadv_gw_get_best_gw_node(bat_priv);
209 209
210 if (curr_gw == next_gw) 210 if (curr_gw == next_gw)
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 109ea2aae96c..21c53577c8d6 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -100,18 +100,21 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p)
100{ 100{
101 struct batadv_priv *bat_priv = netdev_priv(dev); 101 struct batadv_priv *bat_priv = netdev_priv(dev);
102 struct sockaddr *addr = p; 102 struct sockaddr *addr = p;
103 uint8_t old_addr[ETH_ALEN];
103 104
104 if (!is_valid_ether_addr(addr->sa_data)) 105 if (!is_valid_ether_addr(addr->sa_data))
105 return -EADDRNOTAVAIL; 106 return -EADDRNOTAVAIL;
106 107
108 memcpy(old_addr, dev->dev_addr, ETH_ALEN);
109 memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
110
107 /* only modify transtable if it has been initialized before */ 111 /* only modify transtable if it has been initialized before */
108 if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_ACTIVE) { 112 if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_ACTIVE) {
109 batadv_tt_local_remove(bat_priv, dev->dev_addr, 113 batadv_tt_local_remove(bat_priv, old_addr,
110 "mac address changed", false); 114 "mac address changed", false);
111 batadv_tt_local_add(dev, addr->sa_data, BATADV_NULL_IFINDEX); 115 batadv_tt_local_add(dev, addr->sa_data, BATADV_NULL_IFINDEX);
112 } 116 }
113 117
114 memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
115 dev->addr_assign_type &= ~NET_ADDR_RANDOM; 118 dev->addr_assign_type &= ~NET_ADDR_RANDOM;
116 return 0; 119 return 0;
117} 120}
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index a438f4b582fc..99dd8f75b3ff 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -197,6 +197,7 @@ static void batadv_tt_local_event(struct batadv_priv *bat_priv,
197del: 197del:
198 list_del(&entry->list); 198 list_del(&entry->list);
199 kfree(entry); 199 kfree(entry);
200 kfree(tt_change_node);
200 event_removed = true; 201 event_removed = true;
201 goto unlock; 202 goto unlock;
202 } 203 }
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 5e5f5b410e0b..1eaacf10d19d 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -58,7 +58,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
58 switch (cmd) { 58 switch (cmd) {
59 case BNEPCONNADD: 59 case BNEPCONNADD:
60 if (!capable(CAP_NET_ADMIN)) 60 if (!capable(CAP_NET_ADMIN))
61 return -EACCES; 61 return -EPERM;
62 62
63 if (copy_from_user(&ca, argp, sizeof(ca))) 63 if (copy_from_user(&ca, argp, sizeof(ca)))
64 return -EFAULT; 64 return -EFAULT;
@@ -84,7 +84,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
84 84
85 case BNEPCONNDEL: 85 case BNEPCONNDEL:
86 if (!capable(CAP_NET_ADMIN)) 86 if (!capable(CAP_NET_ADMIN))
87 return -EACCES; 87 return -EPERM;
88 88
89 if (copy_from_user(&cd, argp, sizeof(cd))) 89 if (copy_from_user(&cd, argp, sizeof(cd)))
90 return -EFAULT; 90 return -EFAULT;
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 311668d14571..32dc83dcb6b2 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -72,7 +72,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
72 switch (cmd) { 72 switch (cmd) {
73 case CMTPCONNADD: 73 case CMTPCONNADD:
74 if (!capable(CAP_NET_ADMIN)) 74 if (!capable(CAP_NET_ADMIN))
75 return -EACCES; 75 return -EPERM;
76 76
77 if (copy_from_user(&ca, argp, sizeof(ca))) 77 if (copy_from_user(&ca, argp, sizeof(ca)))
78 return -EFAULT; 78 return -EFAULT;
@@ -97,7 +97,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
97 97
98 case CMTPCONNDEL: 98 case CMTPCONNDEL:
99 if (!capable(CAP_NET_ADMIN)) 99 if (!capable(CAP_NET_ADMIN))
100 return -EACCES; 100 return -EPERM;
101 101
102 if (copy_from_user(&cd, argp, sizeof(cd))) 102 if (copy_from_user(&cd, argp, sizeof(cd)))
103 return -EFAULT; 103 return -EFAULT;
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 5ad7da217474..3c094e78dde9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -29,6 +29,7 @@
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/a2mp.h> 31#include <net/bluetooth/a2mp.h>
32#include <net/bluetooth/smp.h>
32 33
33static void hci_le_connect(struct hci_conn *conn) 34static void hci_le_connect(struct hci_conn *conn)
34{ 35{
@@ -619,6 +620,9 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
619{ 620{
620 BT_DBG("hcon %p", conn); 621 BT_DBG("hcon %p", conn);
621 622
623 if (conn->type == LE_LINK)
624 return smp_conn_security(conn, sec_level);
625
622 /* For sdp we don't need the link key. */ 626 /* For sdp we don't need the link key. */
623 if (sec_level == BT_SECURITY_SDP) 627 if (sec_level == BT_SECURITY_SDP)
624 return 1; 628 return 1;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d4de5db18d5a..0b997c8f9655 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -734,6 +734,8 @@ static int hci_dev_do_close(struct hci_dev *hdev)
734 734
735 cancel_work_sync(&hdev->le_scan); 735 cancel_work_sync(&hdev->le_scan);
736 736
737 cancel_delayed_work(&hdev->power_off);
738
737 hci_req_cancel(hdev, ENODEV); 739 hci_req_cancel(hdev, ENODEV);
738 hci_req_lock(hdev); 740 hci_req_lock(hdev);
739 741
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 41ff978a33f9..715d7e33fba0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
1365 return false; 1365 return false;
1366 1366
1367 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1367 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1368 if (!e)
1369 return false;
1370
1368 if (hci_resolve_name(hdev, e) == 0) { 1371 if (hci_resolve_name(hdev, e) == 0) {
1369 e->name_state = NAME_PENDING; 1372 e->name_state = NAME_PENDING;
1370 return true; 1373 return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1393 return; 1396 return;
1394 1397
1395 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1398 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1396 if (e) { 1399 /* If the device was not found in a list of found devices names of which
1400 * are pending. there is no need to continue resolving a next name as it
1401 * will be done upon receiving another Remote Name Request Complete
1402 * Event */
1403 if (!e)
1404 return;
1405
1406 list_del(&e->list);
1407 if (name) {
1397 e->name_state = NAME_KNOWN; 1408 e->name_state = NAME_KNOWN;
1398 list_del(&e->list); 1409 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1399 if (name) 1410 e->data.rssi, name, name_len);
1400 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1411 } else {
1401 e->data.rssi, name, name_len); 1412 e->name_state = NAME_NOT_KNOWN;
1402 } 1413 }
1403 1414
1404 if (hci_resolve_next_name(hdev)) 1415 if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1762 if (conn->type == ACL_LINK) { 1773 if (conn->type == ACL_LINK) {
1763 conn->state = BT_CONFIG; 1774 conn->state = BT_CONFIG;
1764 hci_conn_hold(conn); 1775 hci_conn_hold(conn);
1765 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 1776
1777 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
1778 !hci_find_link_key(hdev, &ev->bdaddr))
1779 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
1780 else
1781 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1766 } else 1782 } else
1767 conn->state = BT_CONNECTED; 1783 conn->state = BT_CONNECTED;
1768 1784
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index a7f04de03d79..d5ace1eda3ed 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -490,7 +490,7 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
490 switch (cmd) { 490 switch (cmd) {
491 case HCISETRAW: 491 case HCISETRAW:
492 if (!capable(CAP_NET_ADMIN)) 492 if (!capable(CAP_NET_ADMIN))
493 return -EACCES; 493 return -EPERM;
494 494
495 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 495 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
496 return -EPERM; 496 return -EPERM;
@@ -510,12 +510,12 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
510 510
511 case HCIBLOCKADDR: 511 case HCIBLOCKADDR:
512 if (!capable(CAP_NET_ADMIN)) 512 if (!capable(CAP_NET_ADMIN))
513 return -EACCES; 513 return -EPERM;
514 return hci_sock_blacklist_add(hdev, (void __user *) arg); 514 return hci_sock_blacklist_add(hdev, (void __user *) arg);
515 515
516 case HCIUNBLOCKADDR: 516 case HCIUNBLOCKADDR:
517 if (!capable(CAP_NET_ADMIN)) 517 if (!capable(CAP_NET_ADMIN))
518 return -EACCES; 518 return -EPERM;
519 return hci_sock_blacklist_del(hdev, (void __user *) arg); 519 return hci_sock_blacklist_del(hdev, (void __user *) arg);
520 520
521 default: 521 default:
@@ -546,22 +546,22 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
546 546
547 case HCIDEVUP: 547 case HCIDEVUP:
548 if (!capable(CAP_NET_ADMIN)) 548 if (!capable(CAP_NET_ADMIN))
549 return -EACCES; 549 return -EPERM;
550 return hci_dev_open(arg); 550 return hci_dev_open(arg);
551 551
552 case HCIDEVDOWN: 552 case HCIDEVDOWN:
553 if (!capable(CAP_NET_ADMIN)) 553 if (!capable(CAP_NET_ADMIN))
554 return -EACCES; 554 return -EPERM;
555 return hci_dev_close(arg); 555 return hci_dev_close(arg);
556 556
557 case HCIDEVRESET: 557 case HCIDEVRESET:
558 if (!capable(CAP_NET_ADMIN)) 558 if (!capable(CAP_NET_ADMIN))
559 return -EACCES; 559 return -EPERM;
560 return hci_dev_reset(arg); 560 return hci_dev_reset(arg);
561 561
562 case HCIDEVRESTAT: 562 case HCIDEVRESTAT:
563 if (!capable(CAP_NET_ADMIN)) 563 if (!capable(CAP_NET_ADMIN))
564 return -EACCES; 564 return -EPERM;
565 return hci_dev_reset_stat(arg); 565 return hci_dev_reset_stat(arg);
566 566
567 case HCISETSCAN: 567 case HCISETSCAN:
@@ -573,7 +573,7 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
573 case HCISETACLMTU: 573 case HCISETACLMTU:
574 case HCISETSCOMTU: 574 case HCISETSCOMTU:
575 if (!capable(CAP_NET_ADMIN)) 575 if (!capable(CAP_NET_ADMIN))
576 return -EACCES; 576 return -EPERM;
577 return hci_dev_cmd(cmd, argp); 577 return hci_dev_cmd(cmd, argp);
578 578
579 case HCIINQUIRY: 579 case HCIINQUIRY:
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
694 *addr_len = sizeof(*haddr); 694 *addr_len = sizeof(*haddr);
695 haddr->hci_family = AF_BLUETOOTH; 695 haddr->hci_family = AF_BLUETOOTH;
696 haddr->hci_dev = hdev->id; 696 haddr->hci_dev = hdev->id;
697 haddr->hci_channel= 0;
697 698
698 release_sock(sk); 699 release_sock(sk);
699 return 0; 700 return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1009 { 1010 {
1010 struct hci_filter *f = &hci_pi(sk)->filter; 1011 struct hci_filter *f = &hci_pi(sk)->filter;
1011 1012
1013 memset(&uf, 0, sizeof(uf));
1012 uf.type_mask = f->type_mask; 1014 uf.type_mask = f->type_mask;
1013 uf.opcode = f->opcode; 1015 uf.opcode = f->opcode;
1014 uf.event_mask[0] = *((u32 *) f->event_mask + 0); 1016 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 18b3f6892a36..b24fb3bd8625 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -56,7 +56,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
56 switch (cmd) { 56 switch (cmd) {
57 case HIDPCONNADD: 57 case HIDPCONNADD:
58 if (!capable(CAP_NET_ADMIN)) 58 if (!capable(CAP_NET_ADMIN))
59 return -EACCES; 59 return -EPERM;
60 60
61 if (copy_from_user(&ca, argp, sizeof(ca))) 61 if (copy_from_user(&ca, argp, sizeof(ca)))
62 return -EFAULT; 62 return -EFAULT;
@@ -91,7 +91,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
91 91
92 case HIDPCONNDEL: 92 case HIDPCONNDEL:
93 if (!capable(CAP_NET_ADMIN)) 93 if (!capable(CAP_NET_ADMIN))
94 return -EACCES; 94 return -EPERM;
95 95
96 if (copy_from_user(&cd, argp, sizeof(cd))) 96 if (copy_from_user(&cd, argp, sizeof(cd)))
97 return -EFAULT; 97 return -EFAULT;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a8964db04bfb..38c00f142203 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1008,7 +1008,7 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *c
1008 if (!conn) 1008 if (!conn)
1009 return; 1009 return;
1010 1010
1011 if (chan->mode == L2CAP_MODE_ERTM) { 1011 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1012 __clear_retrans_timer(chan); 1012 __clear_retrans_timer(chan);
1013 __clear_monitor_timer(chan); 1013 __clear_monitor_timer(chan);
1014 __clear_ack_timer(chan); 1014 __clear_ack_timer(chan);
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1181 sk = chan->sk; 1181 sk = chan->sk;
1182 1182
1183 hci_conn_hold(conn->hcon); 1183 hci_conn_hold(conn->hcon);
1184 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
1184 1185
1185 bacpy(&bt_sk(sk)->src, conn->src); 1186 bacpy(&bt_sk(sk)->src, conn->src);
1186 bacpy(&bt_sk(sk)->dst, conn->dst); 1187 bacpy(&bt_sk(sk)->dst, conn->dst);
@@ -1198,14 +1199,15 @@ clean:
1198static void l2cap_conn_ready(struct l2cap_conn *conn) 1199static void l2cap_conn_ready(struct l2cap_conn *conn)
1199{ 1200{
1200 struct l2cap_chan *chan; 1201 struct l2cap_chan *chan;
1202 struct hci_conn *hcon = conn->hcon;
1201 1203
1202 BT_DBG("conn %p", conn); 1204 BT_DBG("conn %p", conn);
1203 1205
1204 if (!conn->hcon->out && conn->hcon->type == LE_LINK) 1206 if (!hcon->out && hcon->type == LE_LINK)
1205 l2cap_le_conn_ready(conn); 1207 l2cap_le_conn_ready(conn);
1206 1208
1207 if (conn->hcon->out && conn->hcon->type == LE_LINK) 1209 if (hcon->out && hcon->type == LE_LINK)
1208 smp_conn_security(conn, conn->hcon->pending_sec_level); 1210 smp_conn_security(hcon, hcon->pending_sec_level);
1209 1211
1210 mutex_lock(&conn->chan_lock); 1212 mutex_lock(&conn->chan_lock);
1211 1213
@@ -1218,8 +1220,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1218 continue; 1220 continue;
1219 } 1221 }
1220 1222
1221 if (conn->hcon->type == LE_LINK) { 1223 if (hcon->type == LE_LINK) {
1222 if (smp_conn_security(conn, chan->sec_level)) 1224 if (smp_conn_security(hcon, chan->sec_level))
1223 l2cap_chan_ready(chan); 1225 l2cap_chan_ready(chan);
1224 1226
1225 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1227 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e8427e..34bbe1c5e389 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
245 245
246 BT_DBG("sock %p, sk %p", sock, sk); 246 BT_DBG("sock %p, sk %p", sock, sk);
247 247
248 memset(la, 0, sizeof(struct sockaddr_l2));
248 addr->sa_family = AF_BLUETOOTH; 249 addr->sa_family = AF_BLUETOOTH;
249 *len = sizeof(struct sockaddr_l2); 250 *len = sizeof(struct sockaddr_l2);
250 251
@@ -615,7 +616,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
615 break; 616 break;
616 } 617 }
617 618
618 if (smp_conn_security(conn, sec.level)) 619 if (smp_conn_security(conn->hcon, sec.level))
619 break; 620 break;
620 sk->sk_state = BT_CONFIG; 621 sk->sk_state = BT_CONFIG;
621 chan->state = BT_CONFIG; 622 chan->state = BT_CONFIG;
@@ -1174,7 +1175,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
1174 1175
1175 chan = l2cap_chan_create(); 1176 chan = l2cap_chan_create();
1176 if (!chan) { 1177 if (!chan) {
1177 l2cap_sock_kill(sk); 1178 sk_free(sk);
1178 return NULL; 1179 return NULL;
1179 } 1180 }
1180 1181
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index ad6613d17ca6..eba022de3c20 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2875,6 +2875,22 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
2875 if (scan) 2875 if (scan)
2876 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan); 2876 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
2877 2877
2878 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
2879 u8 ssp = 1;
2880
2881 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &ssp);
2882 }
2883
2884 if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
2885 struct hci_cp_write_le_host_supported cp;
2886
2887 cp.le = 1;
2888 cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
2889
2890 hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED,
2891 sizeof(cp), &cp);
2892 }
2893
2878 update_class(hdev); 2894 update_class(hdev);
2879 update_name(hdev, hdev->dev_name); 2895 update_name(hdev, hdev->dev_name);
2880 update_eir(hdev); 2896 update_eir(hdev);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7e1e59645c05..1a17850d093c 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
528 528
529 BT_DBG("sock %p, sk %p", sock, sk); 529 BT_DBG("sock %p, sk %p", sock, sk);
530 530
531 memset(sa, 0, sizeof(*sa));
531 sa->rc_family = AF_BLUETOOTH; 532 sa->rc_family = AF_BLUETOOTH;
532 sa->rc_channel = rfcomm_pi(sk)->channel; 533 sa->rc_channel = rfcomm_pi(sk)->channel;
533 if (peer) 534 if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
822 } 823 }
823 824
824 sec.level = rfcomm_pi(sk)->sec_level; 825 sec.level = rfcomm_pi(sk)->sec_level;
826 sec.key_size = 0;
825 827
826 len = min_t(unsigned int, len, sizeof(sec)); 828 len = min_t(unsigned int, len, sizeof(sec));
827 if (copy_to_user(optval, (char *) &sec, len)) 829 if (copy_to_user(optval, (char *) &sec, len))
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index cb960773c002..56f182393c4c 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
456 456
457 size = sizeof(*dl) + dev_num * sizeof(*di); 457 size = sizeof(*dl) + dev_num * sizeof(*di);
458 458
459 dl = kmalloc(size, GFP_KERNEL); 459 dl = kzalloc(size, GFP_KERNEL);
460 if (!dl) 460 if (!dl)
461 return -ENOMEM; 461 return -ENOMEM;
462 462
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 40bbe25dcff7..3589e21edb09 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
131 sco_sock_clear_timer(sk); 131 sco_sock_clear_timer(sk);
132 sco_chan_del(sk, err); 132 sco_chan_del(sk, err);
133 bh_unlock_sock(sk); 133 bh_unlock_sock(sk);
134
135 sco_conn_lock(conn);
136 conn->sk = NULL;
137 sco_pi(sk)->conn = NULL;
138 sco_conn_unlock(conn);
139
140 if (conn->hcon)
141 hci_conn_put(conn->hcon);
142
134 sco_sock_kill(sk); 143 sco_sock_kill(sk);
135 } 144 }
136 145
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
821 830
822 BT_DBG("sk %p, conn %p, err %d", sk, conn, err); 831 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
823 832
824 if (conn) {
825 sco_conn_lock(conn);
826 conn->sk = NULL;
827 sco_pi(sk)->conn = NULL;
828 sco_conn_unlock(conn);
829
830 if (conn->hcon)
831 hci_conn_put(conn->hcon);
832 }
833
834 sk->sk_state = BT_CLOSED; 833 sk->sk_state = BT_CLOSED;
835 sk->sk_err = err; 834 sk->sk_err = err;
836 sk->sk_state_change(sk); 835 sk->sk_state_change(sk);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 16ef0dc85a0a..8c225ef349cd 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -267,10 +267,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
267 mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type, 267 mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
268 hcon->dst_type, reason); 268 hcon->dst_type, reason);
269 269
270 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) { 270 cancel_delayed_work_sync(&conn->security_timer);
271 cancel_delayed_work_sync(&conn->security_timer); 271
272 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
272 smp_chan_destroy(conn); 273 smp_chan_destroy(conn);
273 }
274} 274}
275 275
276#define JUST_WORKS 0x00 276#define JUST_WORKS 0x00
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
579 579
580 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) 580 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
581 smp = smp_chan_create(conn); 581 smp = smp_chan_create(conn);
582 else
583 smp = conn->smp_chan;
582 584
583 smp = conn->smp_chan; 585 if (!smp)
586 return SMP_UNSPECIFIED;
584 587
585 smp->preq[0] = SMP_CMD_PAIRING_REQ; 588 smp->preq[0] = SMP_CMD_PAIRING_REQ;
586 memcpy(&smp->preq[1], req, sizeof(*req)); 589 memcpy(&smp->preq[1], req, sizeof(*req));
@@ -757,9 +760,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
757 return 0; 760 return 0;
758} 761}
759 762
760int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) 763int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
761{ 764{
762 struct hci_conn *hcon = conn->hcon; 765 struct l2cap_conn *conn = hcon->l2cap_data;
763 struct smp_chan *smp = conn->smp_chan; 766 struct smp_chan *smp = conn->smp_chan;
764 __u8 authreq; 767 __u8 authreq;
765 768
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 333484537600..070e8a68cfc6 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -31,9 +31,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
31 struct net_bridge_mdb_entry *mdst; 31 struct net_bridge_mdb_entry *mdst;
32 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats); 32 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
33 33
34 rcu_read_lock();
34#ifdef CONFIG_BRIDGE_NETFILTER 35#ifdef CONFIG_BRIDGE_NETFILTER
35 if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) { 36 if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
36 br_nf_pre_routing_finish_bridge_slow(skb); 37 br_nf_pre_routing_finish_bridge_slow(skb);
38 rcu_read_unlock();
37 return NETDEV_TX_OK; 39 return NETDEV_TX_OK;
38 } 40 }
39#endif 41#endif
@@ -48,7 +50,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
48 skb_reset_mac_header(skb); 50 skb_reset_mac_header(skb);
49 skb_pull(skb, ETH_HLEN); 51 skb_pull(skb, ETH_HLEN);
50 52
51 rcu_read_lock();
52 if (is_broadcast_ether_addr(dest)) 53 if (is_broadcast_ether_addr(dest))
53 br_flood_deliver(br, skb); 54 br_flood_deliver(br, skb);
54 else if (is_multicast_ether_addr(dest)) { 55 else if (is_multicast_ether_addr(dest)) {
@@ -206,24 +207,23 @@ static void br_poll_controller(struct net_device *br_dev)
206static void br_netpoll_cleanup(struct net_device *dev) 207static void br_netpoll_cleanup(struct net_device *dev)
207{ 208{
208 struct net_bridge *br = netdev_priv(dev); 209 struct net_bridge *br = netdev_priv(dev);
209 struct net_bridge_port *p, *n; 210 struct net_bridge_port *p;
210 211
211 list_for_each_entry_safe(p, n, &br->port_list, list) { 212 list_for_each_entry(p, &br->port_list, list)
212 br_netpoll_disable(p); 213 br_netpoll_disable(p);
213 }
214} 214}
215 215
216static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni) 216static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni,
217 gfp_t gfp)
217{ 218{
218 struct net_bridge *br = netdev_priv(dev); 219 struct net_bridge *br = netdev_priv(dev);
219 struct net_bridge_port *p, *n; 220 struct net_bridge_port *p;
220 int err = 0; 221 int err = 0;
221 222
222 list_for_each_entry_safe(p, n, &br->port_list, list) { 223 list_for_each_entry(p, &br->port_list, list) {
223 if (!p->dev) 224 if (!p->dev)
224 continue; 225 continue;
225 226 err = br_netpoll_enable(p, gfp);
226 err = br_netpoll_enable(p);
227 if (err) 227 if (err)
228 goto fail; 228 goto fail;
229 } 229 }
@@ -236,17 +236,17 @@ fail:
236 goto out; 236 goto out;
237} 237}
238 238
239int br_netpoll_enable(struct net_bridge_port *p) 239int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
240{ 240{
241 struct netpoll *np; 241 struct netpoll *np;
242 int err = 0; 242 int err = 0;
243 243
244 np = kzalloc(sizeof(*p->np), GFP_KERNEL); 244 np = kzalloc(sizeof(*p->np), gfp);
245 err = -ENOMEM; 245 err = -ENOMEM;
246 if (!np) 246 if (!np)
247 goto out; 247 goto out;
248 248
249 err = __netpoll_setup(np, p->dev); 249 err = __netpoll_setup(np, p->dev, gfp);
250 if (err) { 250 if (err) {
251 kfree(np); 251 kfree(np);
252 goto out; 252 goto out;
@@ -267,11 +267,7 @@ void br_netpoll_disable(struct net_bridge_port *p)
267 267
268 p->np = NULL; 268 p->np = NULL;
269 269
270 /* Wait for transmitting packets to finish before freeing. */ 270 __netpoll_free_rcu(np);
271 synchronize_rcu_bh();
272
273 __netpoll_cleanup(np);
274 kfree(np);
275} 271}
276 272
277#endif 273#endif
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index e9466d412707..02015a505d2a 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -65,7 +65,7 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
65{ 65{
66 skb->dev = to->dev; 66 skb->dev = to->dev;
67 67
68 if (unlikely(netpoll_tx_running(to->dev))) { 68 if (unlikely(netpoll_tx_running(to->br->dev))) {
69 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) 69 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
70 kfree_skb(skb); 70 kfree_skb(skb);
71 else { 71 else {
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index e1144e1617be..1c8fdc3558cd 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -361,7 +361,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
361 if (err) 361 if (err)
362 goto err2; 362 goto err2;
363 363
364 if (br_netpoll_info(br) && ((err = br_netpoll_enable(p)))) 364 if (br_netpoll_info(br) && ((err = br_netpoll_enable(p, GFP_KERNEL))))
365 goto err3; 365 goto err3;
366 366
367 err = netdev_set_master(dev, br->dev); 367 err = netdev_set_master(dev, br->dev);
@@ -427,6 +427,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
427 if (!p || p->br != br) 427 if (!p || p->br != br)
428 return -EINVAL; 428 return -EINVAL;
429 429
430 /* Since more than one interface can be attached to a bridge,
431 * there still maybe an alternate path for netconsole to use;
432 * therefore there is no reason for a NETDEV_RELEASE event.
433 */
430 del_nbp(p); 434 del_nbp(p);
431 435
432 spin_lock_bh(&br->lock); 436 spin_lock_bh(&br->lock);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index a768b2408edf..f507d2af9646 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -316,7 +316,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
316 netpoll_send_skb(np, skb); 316 netpoll_send_skb(np, skb);
317} 317}
318 318
319extern int br_netpoll_enable(struct net_bridge_port *p); 319extern int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp);
320extern void br_netpoll_disable(struct net_bridge_port *p); 320extern void br_netpoll_disable(struct net_bridge_port *p);
321#else 321#else
322static inline struct netpoll_info *br_netpoll_info(struct net_bridge *br) 322static inline struct netpoll_info *br_netpoll_info(struct net_bridge *br)
@@ -329,7 +329,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
329{ 329{
330} 330}
331 331
332static inline int br_netpoll_enable(struct net_bridge_port *p) 332static inline int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
333{ 333{
334 return 0; 334 return 0;
335} 335}
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index f88ee537fb2b..92de5e5f9db2 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -80,7 +80,7 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
80 unsigned int bitmask; 80 unsigned int bitmask;
81 81
82 spin_lock_bh(&ebt_log_lock); 82 spin_lock_bh(&ebt_log_lock);
83 printk("<%c>%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x", 83 printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
84 '0' + loginfo->u.log.level, prefix, 84 '0' + loginfo->u.log.level, prefix,
85 in ? in->name : "", out ? out->name : "", 85 in ? in->name : "", out ? out->name : "",
86 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, 86 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
diff --git a/net/caif/cfsrvl.c b/net/caif/cfsrvl.c
index dd485f6128e8..ba217e90765e 100644
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -211,9 +211,10 @@ void caif_client_register_refcnt(struct cflayer *adapt_layer,
211 void (*put)(struct cflayer *lyr)) 211 void (*put)(struct cflayer *lyr))
212{ 212{
213 struct cfsrvl *service; 213 struct cfsrvl *service;
214 service = container_of(adapt_layer->dn, struct cfsrvl, layer);
215 214
216 WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL); 215 if (WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL))
216 return;
217 service = container_of(adapt_layer->dn, struct cfsrvl, layer);
217 service->hold = hold; 218 service->hold = hold;
218 service->put = put; 219 service->put = put;
219} 220}
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 69771c04ba8f..e597733affb8 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
94 94
95 /* check the version of IP */ 95 /* check the version of IP */
96 ip_version = skb_header_pointer(skb, 0, 1, &buf); 96 ip_version = skb_header_pointer(skb, 0, 1, &buf);
97 if (!ip_version) {
98 kfree_skb(skb);
99 return -EINVAL;
100 }
97 101
98 switch (*ip_version >> 4) { 102 switch (*ip_version >> 4) {
99 case 4: 103 case 4:
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 69e38db28e5f..a8020293f342 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -84,7 +84,6 @@ int ceph_check_fsid(struct ceph_client *client, struct ceph_fsid *fsid)
84 return -1; 84 return -1;
85 } 85 }
86 } else { 86 } else {
87 pr_info("client%lld fsid %pU\n", ceph_client_id(client), fsid);
88 memcpy(&client->fsid, fsid, sizeof(*fsid)); 87 memcpy(&client->fsid, fsid, sizeof(*fsid));
89 } 88 }
90 return 0; 89 return 0;
diff --git a/net/ceph/debugfs.c b/net/ceph/debugfs.c
index 54b531a01121..38b5dc1823d4 100644
--- a/net/ceph/debugfs.c
+++ b/net/ceph/debugfs.c
@@ -189,6 +189,9 @@ int ceph_debugfs_client_init(struct ceph_client *client)
189 snprintf(name, sizeof(name), "%pU.client%lld", &client->fsid, 189 snprintf(name, sizeof(name), "%pU.client%lld", &client->fsid,
190 client->monc.auth->global_id); 190 client->monc.auth->global_id);
191 191
192 dout("ceph_debugfs_client_init %p %s\n", client, name);
193
194 BUG_ON(client->debugfs_dir);
192 client->debugfs_dir = debugfs_create_dir(name, ceph_debugfs_dir); 195 client->debugfs_dir = debugfs_create_dir(name, ceph_debugfs_dir);
193 if (!client->debugfs_dir) 196 if (!client->debugfs_dir)
194 goto out; 197 goto out;
@@ -234,6 +237,7 @@ out:
234 237
235void ceph_debugfs_client_cleanup(struct ceph_client *client) 238void ceph_debugfs_client_cleanup(struct ceph_client *client)
236{ 239{
240 dout("ceph_debugfs_client_cleanup %p\n", client);
237 debugfs_remove(client->debugfs_osdmap); 241 debugfs_remove(client->debugfs_osdmap);
238 debugfs_remove(client->debugfs_monmap); 242 debugfs_remove(client->debugfs_monmap);
239 debugfs_remove(client->osdc.debugfs_file); 243 debugfs_remove(client->osdc.debugfs_file);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b9796750034a..159aa8bef9e7 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -915,7 +915,6 @@ static int prepare_write_connect(struct ceph_connection *con)
915 con->out_connect.authorizer_len = auth ? 915 con->out_connect.authorizer_len = auth ?
916 cpu_to_le32(auth->authorizer_buf_len) : 0; 916 cpu_to_le32(auth->authorizer_buf_len) : 0;
917 917
918 con_out_kvec_reset(con);
919 con_out_kvec_add(con, sizeof (con->out_connect), 918 con_out_kvec_add(con, sizeof (con->out_connect),
920 &con->out_connect); 919 &con->out_connect);
921 if (auth && auth->authorizer_buf_len) 920 if (auth && auth->authorizer_buf_len)
@@ -1074,16 +1073,13 @@ static int write_partial_msg_pages(struct ceph_connection *con)
1074 BUG_ON(kaddr == NULL); 1073 BUG_ON(kaddr == NULL);
1075 base = kaddr + con->out_msg_pos.page_pos + bio_offset; 1074 base = kaddr + con->out_msg_pos.page_pos + bio_offset;
1076 crc = crc32c(crc, base, len); 1075 crc = crc32c(crc, base, len);
1076 kunmap(page);
1077 msg->footer.data_crc = cpu_to_le32(crc); 1077 msg->footer.data_crc = cpu_to_le32(crc);
1078 con->out_msg_pos.did_page_crc = true; 1078 con->out_msg_pos.did_page_crc = true;
1079 } 1079 }
1080 ret = ceph_tcp_sendpage(con->sock, page, 1080 ret = ceph_tcp_sendpage(con->sock, page,
1081 con->out_msg_pos.page_pos + bio_offset, 1081 con->out_msg_pos.page_pos + bio_offset,
1082 len, 1); 1082 len, 1);
1083
1084 if (do_datacrc)
1085 kunmap(page);
1086
1087 if (ret <= 0) 1083 if (ret <= 0)
1088 goto out; 1084 goto out;
1089 1085
@@ -1557,6 +1553,7 @@ static int process_connect(struct ceph_connection *con)
1557 return -1; 1553 return -1;
1558 } 1554 }
1559 con->auth_retry = 1; 1555 con->auth_retry = 1;
1556 con_out_kvec_reset(con);
1560 ret = prepare_write_connect(con); 1557 ret = prepare_write_connect(con);
1561 if (ret < 0) 1558 if (ret < 0)
1562 return ret; 1559 return ret;
@@ -1577,6 +1574,7 @@ static int process_connect(struct ceph_connection *con)
1577 ENTITY_NAME(con->peer_name), 1574 ENTITY_NAME(con->peer_name),
1578 ceph_pr_addr(&con->peer_addr.in_addr)); 1575 ceph_pr_addr(&con->peer_addr.in_addr));
1579 reset_connection(con); 1576 reset_connection(con);
1577 con_out_kvec_reset(con);
1580 ret = prepare_write_connect(con); 1578 ret = prepare_write_connect(con);
1581 if (ret < 0) 1579 if (ret < 0)
1582 return ret; 1580 return ret;
@@ -1601,6 +1599,7 @@ static int process_connect(struct ceph_connection *con)
1601 le32_to_cpu(con->out_connect.connect_seq), 1599 le32_to_cpu(con->out_connect.connect_seq),
1602 le32_to_cpu(con->in_reply.connect_seq)); 1600 le32_to_cpu(con->in_reply.connect_seq));
1603 con->connect_seq = le32_to_cpu(con->in_reply.connect_seq); 1601 con->connect_seq = le32_to_cpu(con->in_reply.connect_seq);
1602 con_out_kvec_reset(con);
1604 ret = prepare_write_connect(con); 1603 ret = prepare_write_connect(con);
1605 if (ret < 0) 1604 if (ret < 0)
1606 return ret; 1605 return ret;
@@ -1617,6 +1616,7 @@ static int process_connect(struct ceph_connection *con)
1617 le32_to_cpu(con->in_reply.global_seq)); 1616 le32_to_cpu(con->in_reply.global_seq));
1618 get_global_seq(con->msgr, 1617 get_global_seq(con->msgr,
1619 le32_to_cpu(con->in_reply.global_seq)); 1618 le32_to_cpu(con->in_reply.global_seq));
1619 con_out_kvec_reset(con);
1620 ret = prepare_write_connect(con); 1620 ret = prepare_write_connect(con);
1621 if (ret < 0) 1621 if (ret < 0)
1622 return ret; 1622 return ret;
@@ -2135,7 +2135,11 @@ more:
2135 BUG_ON(con->state != CON_STATE_CONNECTING); 2135 BUG_ON(con->state != CON_STATE_CONNECTING);
2136 con->state = CON_STATE_NEGOTIATING; 2136 con->state = CON_STATE_NEGOTIATING;
2137 2137
2138 /* Banner is good, exchange connection info */ 2138 /*
2139 * Received banner is good, exchange connection info.
2140 * Do not reset out_kvec, as sending our banner raced
2141 * with receiving peer banner after connect completed.
2142 */
2139 ret = prepare_write_connect(con); 2143 ret = prepare_write_connect(con);
2140 if (ret < 0) 2144 if (ret < 0)
2141 goto out; 2145 goto out;
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 105d533b55f3..900ea0f043fc 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -311,6 +311,17 @@ int ceph_monc_open_session(struct ceph_mon_client *monc)
311EXPORT_SYMBOL(ceph_monc_open_session); 311EXPORT_SYMBOL(ceph_monc_open_session);
312 312
313/* 313/*
314 * We require the fsid and global_id in order to initialize our
315 * debugfs dir.
316 */
317static bool have_debugfs_info(struct ceph_mon_client *monc)
318{
319 dout("have_debugfs_info fsid %d globalid %lld\n",
320 (int)monc->client->have_fsid, monc->auth->global_id);
321 return monc->client->have_fsid && monc->auth->global_id > 0;
322}
323
324/*
314 * The monitor responds with mount ack indicate mount success. The 325 * The monitor responds with mount ack indicate mount success. The
315 * included client ticket allows the client to talk to MDSs and OSDs. 326 * included client ticket allows the client to talk to MDSs and OSDs.
316 */ 327 */
@@ -320,9 +331,12 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
320 struct ceph_client *client = monc->client; 331 struct ceph_client *client = monc->client;
321 struct ceph_monmap *monmap = NULL, *old = monc->monmap; 332 struct ceph_monmap *monmap = NULL, *old = monc->monmap;
322 void *p, *end; 333 void *p, *end;
334 int had_debugfs_info, init_debugfs = 0;
323 335
324 mutex_lock(&monc->mutex); 336 mutex_lock(&monc->mutex);
325 337
338 had_debugfs_info = have_debugfs_info(monc);
339
326 dout("handle_monmap\n"); 340 dout("handle_monmap\n");
327 p = msg->front.iov_base; 341 p = msg->front.iov_base;
328 end = p + msg->front.iov_len; 342 end = p + msg->front.iov_len;
@@ -344,12 +358,22 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
344 358
345 if (!client->have_fsid) { 359 if (!client->have_fsid) {
346 client->have_fsid = true; 360 client->have_fsid = true;
361 if (!had_debugfs_info && have_debugfs_info(monc)) {
362 pr_info("client%lld fsid %pU\n",
363 ceph_client_id(monc->client),
364 &monc->client->fsid);
365 init_debugfs = 1;
366 }
347 mutex_unlock(&monc->mutex); 367 mutex_unlock(&monc->mutex);
348 /* 368
349 * do debugfs initialization without mutex to avoid 369 if (init_debugfs) {
350 * creating a locking dependency 370 /*
351 */ 371 * do debugfs initialization without mutex to avoid
352 ceph_debugfs_client_init(client); 372 * creating a locking dependency
373 */
374 ceph_debugfs_client_init(monc->client);
375 }
376
353 goto out_unlocked; 377 goto out_unlocked;
354 } 378 }
355out: 379out:
@@ -865,8 +889,10 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
865{ 889{
866 int ret; 890 int ret;
867 int was_auth = 0; 891 int was_auth = 0;
892 int had_debugfs_info, init_debugfs = 0;
868 893
869 mutex_lock(&monc->mutex); 894 mutex_lock(&monc->mutex);
895 had_debugfs_info = have_debugfs_info(monc);
870 if (monc->auth->ops) 896 if (monc->auth->ops)
871 was_auth = monc->auth->ops->is_authenticated(monc->auth); 897 was_auth = monc->auth->ops->is_authenticated(monc->auth);
872 monc->pending_auth = 0; 898 monc->pending_auth = 0;
@@ -889,7 +915,22 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
889 __send_subscribe(monc); 915 __send_subscribe(monc);
890 __resend_generic_request(monc); 916 __resend_generic_request(monc);
891 } 917 }
918
919 if (!had_debugfs_info && have_debugfs_info(monc)) {
920 pr_info("client%lld fsid %pU\n",
921 ceph_client_id(monc->client),
922 &monc->client->fsid);
923 init_debugfs = 1;
924 }
892 mutex_unlock(&monc->mutex); 925 mutex_unlock(&monc->mutex);
926
927 if (init_debugfs) {
928 /*
929 * do debugfs initialization without mutex to avoid
930 * creating a locking dependency
931 */
932 ceph_debugfs_client_init(monc->client);
933 }
893} 934}
894 935
895static int __validate_auth(struct ceph_mon_client *monc) 936static int __validate_auth(struct ceph_mon_client *monc)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0cb3fe8d8e72..89e33a5d4d93 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1055,6 +1055,8 @@ rollback:
1055 */ 1055 */
1056int dev_set_alias(struct net_device *dev, const char *alias, size_t len) 1056int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
1057{ 1057{
1058 char *new_ifalias;
1059
1058 ASSERT_RTNL(); 1060 ASSERT_RTNL();
1059 1061
1060 if (len >= IFALIASZ) 1062 if (len >= IFALIASZ)
@@ -1068,9 +1070,10 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
1068 return 0; 1070 return 0;
1069 } 1071 }
1070 1072
1071 dev->ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL); 1073 new_ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);
1072 if (!dev->ifalias) 1074 if (!new_ifalias)
1073 return -ENOMEM; 1075 return -ENOMEM;
1076 dev->ifalias = new_ifalias;
1074 1077
1075 strlcpy(dev->ifalias, alias, len+1); 1078 strlcpy(dev->ifalias, alias, len+1);
1076 return len; 1079 return len;
@@ -1639,6 +1642,19 @@ static inline int deliver_skb(struct sk_buff *skb,
1639 return pt_prev->func(skb, skb->dev, pt_prev, orig_dev); 1642 return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
1640} 1643}
1641 1644
1645static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
1646{
1647 if (ptype->af_packet_priv == NULL)
1648 return false;
1649
1650 if (ptype->id_match)
1651 return ptype->id_match(ptype, skb->sk);
1652 else if ((struct sock *)ptype->af_packet_priv == skb->sk)
1653 return true;
1654
1655 return false;
1656}
1657
1642/* 1658/*
1643 * Support routine. Sends outgoing frames to any network 1659 * Support routine. Sends outgoing frames to any network
1644 * taps currently in use. 1660 * taps currently in use.
@@ -1656,8 +1672,7 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
1656 * they originated from - MvS (miquels@drinkel.ow.org) 1672 * they originated from - MvS (miquels@drinkel.ow.org)
1657 */ 1673 */
1658 if ((ptype->dev == dev || !ptype->dev) && 1674 if ((ptype->dev == dev || !ptype->dev) &&
1659 (ptype->af_packet_priv == NULL || 1675 (!skb_loop_sk(ptype, skb))) {
1660 (struct sock *)ptype->af_packet_priv != skb->sk)) {
1661 if (pt_prev) { 1676 if (pt_prev) {
1662 deliver_skb(skb2, pt_prev, skb->dev); 1677 deliver_skb(skb2, pt_prev, skb->dev);
1663 pt_prev = ptype; 1678 pt_prev = ptype;
@@ -2119,7 +2134,8 @@ static bool can_checksum_protocol(netdev_features_t features, __be16 protocol)
2119static netdev_features_t harmonize_features(struct sk_buff *skb, 2134static netdev_features_t harmonize_features(struct sk_buff *skb,
2120 __be16 protocol, netdev_features_t features) 2135 __be16 protocol, netdev_features_t features)
2121{ 2136{
2122 if (!can_checksum_protocol(features, protocol)) { 2137 if (skb->ip_summed != CHECKSUM_NONE &&
2138 !can_checksum_protocol(features, protocol)) {
2123 features &= ~NETIF_F_ALL_CSUM; 2139 features &= ~NETIF_F_ALL_CSUM;
2124 features &= ~NETIF_F_SG; 2140 features &= ~NETIF_F_SG;
2125 } else if (illegal_highdma(skb->dev, skb)) { 2141 } else if (illegal_highdma(skb->dev, skb)) {
@@ -2134,6 +2150,9 @@ netdev_features_t netif_skb_features(struct sk_buff *skb)
2134 __be16 protocol = skb->protocol; 2150 __be16 protocol = skb->protocol;
2135 netdev_features_t features = skb->dev->features; 2151 netdev_features_t features = skb->dev->features;
2136 2152
2153 if (skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
2154 features &= ~NETIF_F_GSO_MASK;
2155
2137 if (protocol == htons(ETH_P_8021Q)) { 2156 if (protocol == htons(ETH_P_8021Q)) {
2138 struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data; 2157 struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
2139 protocol = veh->h_vlan_encapsulated_proto; 2158 protocol = veh->h_vlan_encapsulated_proto;
@@ -2629,15 +2648,16 @@ void __skb_get_rxhash(struct sk_buff *skb)
2629 if (!skb_flow_dissect(skb, &keys)) 2648 if (!skb_flow_dissect(skb, &keys))
2630 return; 2649 return;
2631 2650
2632 if (keys.ports) { 2651 if (keys.ports)
2633 if ((__force u16)keys.port16[1] < (__force u16)keys.port16[0])
2634 swap(keys.port16[0], keys.port16[1]);
2635 skb->l4_rxhash = 1; 2652 skb->l4_rxhash = 1;
2636 }
2637 2653
2638 /* get a consistent hash (same value on both flow directions) */ 2654 /* get a consistent hash (same value on both flow directions) */
2639 if ((__force u32)keys.dst < (__force u32)keys.src) 2655 if (((__force u32)keys.dst < (__force u32)keys.src) ||
2656 (((__force u32)keys.dst == (__force u32)keys.src) &&
2657 ((__force u16)keys.port16[1] < (__force u16)keys.port16[0]))) {
2640 swap(keys.dst, keys.src); 2658 swap(keys.dst, keys.src);
2659 swap(keys.port16[0], keys.port16[1]);
2660 }
2641 2661
2642 hash = jhash_3words((__force u32)keys.dst, 2662 hash = jhash_3words((__force u32)keys.dst,
2643 (__force u32)keys.src, 2663 (__force u32)keys.src,
@@ -3303,7 +3323,7 @@ ncls:
3303 3323
3304 if (pt_prev) { 3324 if (pt_prev) {
3305 if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) 3325 if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
3306 ret = -ENOMEM; 3326 goto drop;
3307 else 3327 else
3308 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); 3328 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
3309 } else { 3329 } else {
@@ -5726,6 +5746,7 @@ EXPORT_SYMBOL(netdev_refcnt_read);
5726 5746
5727/** 5747/**
5728 * netdev_wait_allrefs - wait until all references are gone. 5748 * netdev_wait_allrefs - wait until all references are gone.
5749 * @dev: target net_device
5729 * 5750 *
5730 * This is called when unregistering network devices. 5751 * This is called when unregistering network devices.
5731 * 5752 *
@@ -5986,6 +6007,7 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
5986 dev_net_set(dev, &init_net); 6007 dev_net_set(dev, &init_net);
5987 6008
5988 dev->gso_max_size = GSO_MAX_SIZE; 6009 dev->gso_max_size = GSO_MAX_SIZE;
6010 dev->gso_max_segs = GSO_MAX_SEGS;
5989 6011
5990 INIT_LIST_HEAD(&dev->napi_list); 6012 INIT_LIST_HEAD(&dev->napi_list);
5991 INIT_LIST_HEAD(&dev->unreg_list); 6013 INIT_LIST_HEAD(&dev->unreg_list);
diff --git a/net/core/dst.c b/net/core/dst.c
index 069d51d29414..56d63612e1e4 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -149,7 +149,15 @@ int dst_discard(struct sk_buff *skb)
149} 149}
150EXPORT_SYMBOL(dst_discard); 150EXPORT_SYMBOL(dst_discard);
151 151
152const u32 dst_default_metrics[RTAX_MAX]; 152const u32 dst_default_metrics[RTAX_MAX + 1] = {
153 /* This initializer is needed to force linker to place this variable
154 * into const section. Otherwise it might end into bss section.
155 * We really want to avoid false sharing on this variable, and catch
156 * any writes on it.
157 */
158 [RTAX_MAX] = 0xdeadbeef,
159};
160
153 161
154void *dst_alloc(struct dst_ops *ops, struct net_device *dev, 162void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
155 int initial_ref, int initial_obsolete, unsigned short flags) 163 int initial_ref, int initial_obsolete, unsigned short flags)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index b4c90e42b443..e4ba3e70c174 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -26,6 +26,7 @@
26#include <linux/workqueue.h> 26#include <linux/workqueue.h>
27#include <linux/slab.h> 27#include <linux/slab.h>
28#include <linux/export.h> 28#include <linux/export.h>
29#include <linux/if_vlan.h>
29#include <net/tcp.h> 30#include <net/tcp.h>
30#include <net/udp.h> 31#include <net/udp.h>
31#include <asm/unaligned.h> 32#include <asm/unaligned.h>
@@ -54,7 +55,7 @@ static atomic_t trapped;
54 MAX_UDP_CHUNK) 55 MAX_UDP_CHUNK)
55 56
56static void zap_completion_queue(void); 57static void zap_completion_queue(void);
57static void arp_reply(struct sk_buff *skb); 58static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo);
58 59
59static unsigned int carrier_timeout = 4; 60static unsigned int carrier_timeout = 4;
60module_param(carrier_timeout, uint, 0644); 61module_param(carrier_timeout, uint, 0644);
@@ -170,7 +171,8 @@ static void poll_napi(struct net_device *dev)
170 list_for_each_entry(napi, &dev->napi_list, dev_list) { 171 list_for_each_entry(napi, &dev->napi_list, dev_list) {
171 if (napi->poll_owner != smp_processor_id() && 172 if (napi->poll_owner != smp_processor_id() &&
172 spin_trylock(&napi->poll_lock)) { 173 spin_trylock(&napi->poll_lock)) {
173 budget = poll_one_napi(dev->npinfo, napi, budget); 174 budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
175 napi, budget);
174 spin_unlock(&napi->poll_lock); 176 spin_unlock(&napi->poll_lock);
175 177
176 if (!budget) 178 if (!budget)
@@ -185,13 +187,14 @@ static void service_arp_queue(struct netpoll_info *npi)
185 struct sk_buff *skb; 187 struct sk_buff *skb;
186 188
187 while ((skb = skb_dequeue(&npi->arp_tx))) 189 while ((skb = skb_dequeue(&npi->arp_tx)))
188 arp_reply(skb); 190 netpoll_arp_reply(skb, npi);
189 } 191 }
190} 192}
191 193
192static void netpoll_poll_dev(struct net_device *dev) 194static void netpoll_poll_dev(struct net_device *dev)
193{ 195{
194 const struct net_device_ops *ops; 196 const struct net_device_ops *ops;
197 struct netpoll_info *ni = rcu_dereference_bh(dev->npinfo);
195 198
196 if (!dev || !netif_running(dev)) 199 if (!dev || !netif_running(dev))
197 return; 200 return;
@@ -206,17 +209,18 @@ static void netpoll_poll_dev(struct net_device *dev)
206 poll_napi(dev); 209 poll_napi(dev);
207 210
208 if (dev->flags & IFF_SLAVE) { 211 if (dev->flags & IFF_SLAVE) {
209 if (dev->npinfo) { 212 if (ni) {
210 struct net_device *bond_dev = dev->master; 213 struct net_device *bond_dev = dev->master;
211 struct sk_buff *skb; 214 struct sk_buff *skb;
212 while ((skb = skb_dequeue(&dev->npinfo->arp_tx))) { 215 struct netpoll_info *bond_ni = rcu_dereference_bh(bond_dev->npinfo);
216 while ((skb = skb_dequeue(&ni->arp_tx))) {
213 skb->dev = bond_dev; 217 skb->dev = bond_dev;
214 skb_queue_tail(&bond_dev->npinfo->arp_tx, skb); 218 skb_queue_tail(&bond_ni->arp_tx, skb);
215 } 219 }
216 } 220 }
217 } 221 }
218 222
219 service_arp_queue(dev->npinfo); 223 service_arp_queue(ni);
220 224
221 zap_completion_queue(); 225 zap_completion_queue();
222} 226}
@@ -302,6 +306,7 @@ static int netpoll_owner_active(struct net_device *dev)
302 return 0; 306 return 0;
303} 307}
304 308
309/* call with IRQ disabled */
305void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, 310void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
306 struct net_device *dev) 311 struct net_device *dev)
307{ 312{
@@ -309,8 +314,11 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
309 unsigned long tries; 314 unsigned long tries;
310 const struct net_device_ops *ops = dev->netdev_ops; 315 const struct net_device_ops *ops = dev->netdev_ops;
311 /* It is up to the caller to keep npinfo alive. */ 316 /* It is up to the caller to keep npinfo alive. */
312 struct netpoll_info *npinfo = np->dev->npinfo; 317 struct netpoll_info *npinfo;
318
319 WARN_ON_ONCE(!irqs_disabled());
313 320
321 npinfo = rcu_dereference_bh(np->dev->npinfo);
314 if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) { 322 if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) {
315 __kfree_skb(skb); 323 __kfree_skb(skb);
316 return; 324 return;
@@ -319,16 +327,22 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
319 /* don't get messages out of order, and no recursion */ 327 /* don't get messages out of order, and no recursion */
320 if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) { 328 if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) {
321 struct netdev_queue *txq; 329 struct netdev_queue *txq;
322 unsigned long flags;
323 330
324 txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb)); 331 txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb));
325 332
326 local_irq_save(flags);
327 /* try until next clock tick */ 333 /* try until next clock tick */
328 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL; 334 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL;
329 tries > 0; --tries) { 335 tries > 0; --tries) {
330 if (__netif_tx_trylock(txq)) { 336 if (__netif_tx_trylock(txq)) {
331 if (!netif_xmit_stopped(txq)) { 337 if (!netif_xmit_stopped(txq)) {
338 if (vlan_tx_tag_present(skb) &&
339 !(netif_skb_features(skb) & NETIF_F_HW_VLAN_TX)) {
340 skb = __vlan_put_tag(skb, vlan_tx_tag_get(skb));
341 if (unlikely(!skb))
342 break;
343 skb->vlan_tci = 0;
344 }
345
332 status = ops->ndo_start_xmit(skb, dev); 346 status = ops->ndo_start_xmit(skb, dev);
333 if (status == NETDEV_TX_OK) 347 if (status == NETDEV_TX_OK)
334 txq_trans_update(txq); 348 txq_trans_update(txq);
@@ -347,10 +361,9 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
347 } 361 }
348 362
349 WARN_ONCE(!irqs_disabled(), 363 WARN_ONCE(!irqs_disabled(),
350 "netpoll_send_skb(): %s enabled interrupts in poll (%pF)\n", 364 "netpoll_send_skb_on_dev(): %s enabled interrupts in poll (%pF)\n",
351 dev->name, ops->ndo_start_xmit); 365 dev->name, ops->ndo_start_xmit);
352 366
353 local_irq_restore(flags);
354 } 367 }
355 368
356 if (status != NETDEV_TX_OK) { 369 if (status != NETDEV_TX_OK) {
@@ -423,9 +436,8 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
423} 436}
424EXPORT_SYMBOL(netpoll_send_udp); 437EXPORT_SYMBOL(netpoll_send_udp);
425 438
426static void arp_reply(struct sk_buff *skb) 439static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo)
427{ 440{
428 struct netpoll_info *npinfo = skb->dev->npinfo;
429 struct arphdr *arp; 441 struct arphdr *arp;
430 unsigned char *arp_ptr; 442 unsigned char *arp_ptr;
431 int size, type = ARPOP_REPLY, ptype = ETH_P_ARP; 443 int size, type = ARPOP_REPLY, ptype = ETH_P_ARP;
@@ -543,13 +555,12 @@ static void arp_reply(struct sk_buff *skb)
543 spin_unlock_irqrestore(&npinfo->rx_lock, flags); 555 spin_unlock_irqrestore(&npinfo->rx_lock, flags);
544} 556}
545 557
546int __netpoll_rx(struct sk_buff *skb) 558int __netpoll_rx(struct sk_buff *skb, struct netpoll_info *npinfo)
547{ 559{
548 int proto, len, ulen; 560 int proto, len, ulen;
549 int hits = 0; 561 int hits = 0;
550 const struct iphdr *iph; 562 const struct iphdr *iph;
551 struct udphdr *uh; 563 struct udphdr *uh;
552 struct netpoll_info *npinfo = skb->dev->npinfo;
553 struct netpoll *np, *tmp; 564 struct netpoll *np, *tmp;
554 565
555 if (list_empty(&npinfo->rx_np)) 566 if (list_empty(&npinfo->rx_np))
@@ -565,6 +576,12 @@ int __netpoll_rx(struct sk_buff *skb)
565 return 1; 576 return 1;
566 } 577 }
567 578
579 if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
580 skb = vlan_untag(skb);
581 if (unlikely(!skb))
582 goto out;
583 }
584
568 proto = ntohs(eth_hdr(skb)->h_proto); 585 proto = ntohs(eth_hdr(skb)->h_proto);
569 if (proto != ETH_P_IP) 586 if (proto != ETH_P_IP)
570 goto out; 587 goto out;
@@ -715,7 +732,7 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
715} 732}
716EXPORT_SYMBOL(netpoll_parse_options); 733EXPORT_SYMBOL(netpoll_parse_options);
717 734
718int __netpoll_setup(struct netpoll *np, struct net_device *ndev) 735int __netpoll_setup(struct netpoll *np, struct net_device *ndev, gfp_t gfp)
719{ 736{
720 struct netpoll_info *npinfo; 737 struct netpoll_info *npinfo;
721 const struct net_device_ops *ops; 738 const struct net_device_ops *ops;
@@ -734,7 +751,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
734 } 751 }
735 752
736 if (!ndev->npinfo) { 753 if (!ndev->npinfo) {
737 npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL); 754 npinfo = kmalloc(sizeof(*npinfo), gfp);
738 if (!npinfo) { 755 if (!npinfo) {
739 err = -ENOMEM; 756 err = -ENOMEM;
740 goto out; 757 goto out;
@@ -752,7 +769,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
752 769
753 ops = np->dev->netdev_ops; 770 ops = np->dev->netdev_ops;
754 if (ops->ndo_netpoll_setup) { 771 if (ops->ndo_netpoll_setup) {
755 err = ops->ndo_netpoll_setup(ndev, npinfo); 772 err = ops->ndo_netpoll_setup(ndev, npinfo, gfp);
756 if (err) 773 if (err)
757 goto free_npinfo; 774 goto free_npinfo;
758 } 775 }
@@ -857,7 +874,7 @@ int netpoll_setup(struct netpoll *np)
857 refill_skbs(); 874 refill_skbs();
858 875
859 rtnl_lock(); 876 rtnl_lock();
860 err = __netpoll_setup(np, ndev); 877 err = __netpoll_setup(np, ndev, GFP_KERNEL);
861 rtnl_unlock(); 878 rtnl_unlock();
862 879
863 if (err) 880 if (err)
@@ -878,6 +895,24 @@ static int __init netpoll_init(void)
878} 895}
879core_initcall(netpoll_init); 896core_initcall(netpoll_init);
880 897
898static void rcu_cleanup_netpoll_info(struct rcu_head *rcu_head)
899{
900 struct netpoll_info *npinfo =
901 container_of(rcu_head, struct netpoll_info, rcu);
902
903 skb_queue_purge(&npinfo->arp_tx);
904 skb_queue_purge(&npinfo->txq);
905
906 /* we can't call cancel_delayed_work_sync here, as we are in softirq */
907 cancel_delayed_work(&npinfo->tx_work);
908
909 /* clean after last, unfinished work */
910 __skb_queue_purge(&npinfo->txq);
911 /* now cancel it again */
912 cancel_delayed_work(&npinfo->tx_work);
913 kfree(npinfo);
914}
915
881void __netpoll_cleanup(struct netpoll *np) 916void __netpoll_cleanup(struct netpoll *np)
882{ 917{
883 struct netpoll_info *npinfo; 918 struct netpoll_info *npinfo;
@@ -903,20 +938,24 @@ void __netpoll_cleanup(struct netpoll *np)
903 ops->ndo_netpoll_cleanup(np->dev); 938 ops->ndo_netpoll_cleanup(np->dev);
904 939
905 RCU_INIT_POINTER(np->dev->npinfo, NULL); 940 RCU_INIT_POINTER(np->dev->npinfo, NULL);
941 call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info);
942 }
943}
944EXPORT_SYMBOL_GPL(__netpoll_cleanup);
906 945
907 /* avoid racing with NAPI reading npinfo */ 946static void rcu_cleanup_netpoll(struct rcu_head *rcu_head)
908 synchronize_rcu_bh(); 947{
948 struct netpoll *np = container_of(rcu_head, struct netpoll, rcu);
909 949
910 skb_queue_purge(&npinfo->arp_tx); 950 __netpoll_cleanup(np);
911 skb_queue_purge(&npinfo->txq); 951 kfree(np);
912 cancel_delayed_work_sync(&npinfo->tx_work); 952}
913 953
914 /* clean after last, unfinished work */ 954void __netpoll_free_rcu(struct netpoll *np)
915 __skb_queue_purge(&npinfo->txq); 955{
916 kfree(npinfo); 956 call_rcu_bh(&np->rcu, rcu_cleanup_netpoll);
917 }
918} 957}
919EXPORT_SYMBOL_GPL(__netpoll_cleanup); 958EXPORT_SYMBOL_GPL(__netpoll_free_rcu);
920 959
921void netpoll_cleanup(struct netpoll *np) 960void netpoll_cleanup(struct netpoll *np)
922{ 961{
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index ed0c0431fcd8..c75e3f9d060f 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -101,12 +101,10 @@ static int write_update_netdev_table(struct net_device *dev)
101 u32 max_len; 101 u32 max_len;
102 struct netprio_map *map; 102 struct netprio_map *map;
103 103
104 rtnl_lock();
105 max_len = atomic_read(&max_prioidx) + 1; 104 max_len = atomic_read(&max_prioidx) + 1;
106 map = rtnl_dereference(dev->priomap); 105 map = rtnl_dereference(dev->priomap);
107 if (!map || map->priomap_len < max_len) 106 if (!map || map->priomap_len < max_len)
108 ret = extend_netdev_table(dev, max_len); 107 ret = extend_netdev_table(dev, max_len);
109 rtnl_unlock();
110 108
111 return ret; 109 return ret;
112} 110}
@@ -256,17 +254,17 @@ static int write_priomap(struct cgroup *cgrp, struct cftype *cft,
256 if (!dev) 254 if (!dev)
257 goto out_free_devname; 255 goto out_free_devname;
258 256
257 rtnl_lock();
259 ret = write_update_netdev_table(dev); 258 ret = write_update_netdev_table(dev);
260 if (ret < 0) 259 if (ret < 0)
261 goto out_put_dev; 260 goto out_put_dev;
262 261
263 rcu_read_lock(); 262 map = rtnl_dereference(dev->priomap);
264 map = rcu_dereference(dev->priomap);
265 if (map) 263 if (map)
266 map->priomap[prioidx] = priority; 264 map->priomap[prioidx] = priority;
267 rcu_read_unlock();
268 265
269out_put_dev: 266out_put_dev:
267 rtnl_unlock();
270 dev_put(dev); 268 dev_put(dev);
271 269
272out_free_devname: 270out_free_devname:
@@ -277,12 +275,6 @@ out_free_devname:
277void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset) 275void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
278{ 276{
279 struct task_struct *p; 277 struct task_struct *p;
280 char *tmp = kzalloc(sizeof(char) * PATH_MAX, GFP_KERNEL);
281
282 if (!tmp) {
283 pr_warn("Unable to attach cgrp due to alloc failure!\n");
284 return;
285 }
286 278
287 cgroup_taskset_for_each(p, cgrp, tset) { 279 cgroup_taskset_for_each(p, cgrp, tset) {
288 unsigned int fd; 280 unsigned int fd;
@@ -296,32 +288,24 @@ void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
296 continue; 288 continue;
297 } 289 }
298 290
299 rcu_read_lock(); 291 spin_lock(&files->file_lock);
300 fdt = files_fdtable(files); 292 fdt = files_fdtable(files);
301 for (fd = 0; fd < fdt->max_fds; fd++) { 293 for (fd = 0; fd < fdt->max_fds; fd++) {
302 char *path;
303 struct file *file; 294 struct file *file;
304 struct socket *sock; 295 struct socket *sock;
305 unsigned long s; 296 int err;
306 int rv, err = 0;
307 297
308 file = fcheck_files(files, fd); 298 file = fcheck_files(files, fd);
309 if (!file) 299 if (!file)
310 continue; 300 continue;
311 301
312 path = d_path(&file->f_path, tmp, PAGE_SIZE);
313 rv = sscanf(path, "socket:[%lu]", &s);
314 if (rv <= 0)
315 continue;
316
317 sock = sock_from_file(file, &err); 302 sock = sock_from_file(file, &err);
318 if (!err) 303 if (sock)
319 sock_update_netprioidx(sock->sk, p); 304 sock_update_netprioidx(sock->sk, p);
320 } 305 }
321 rcu_read_unlock(); 306 spin_unlock(&files->file_lock);
322 task_unlock(p); 307 task_unlock(p);
323 } 308 }
324 kfree(tmp);
325} 309}
326 310
327static struct cftype ss_files[] = { 311static struct cftype ss_files[] = {
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index cce9e53528b1..148e73d2c451 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2721,7 +2721,7 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
2721 /* Eth + IPh + UDPh + mpls */ 2721 /* Eth + IPh + UDPh + mpls */
2722 datalen = pkt_dev->cur_pkt_size - 14 - 20 - 8 - 2722 datalen = pkt_dev->cur_pkt_size - 14 - 20 - 8 -
2723 pkt_dev->pkt_overhead; 2723 pkt_dev->pkt_overhead;
2724 if (datalen < sizeof(struct pktgen_hdr)) 2724 if (datalen < 0 || datalen < sizeof(struct pktgen_hdr))
2725 datalen = sizeof(struct pktgen_hdr); 2725 datalen = sizeof(struct pktgen_hdr);
2726 2726
2727 udph->source = htons(pkt_dev->cur_udp_src); 2727 udph->source = htons(pkt_dev->cur_udp_src);
diff --git a/net/core/scm.c b/net/core/scm.c
index 8f6ccfd68ef4..040cebeed45b 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -265,6 +265,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
265 for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax; 265 for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
266 i++, cmfptr++) 266 i++, cmfptr++)
267 { 267 {
268 struct socket *sock;
268 int new_fd; 269 int new_fd;
269 err = security_file_receive(fp[i]); 270 err = security_file_receive(fp[i]);
270 if (err) 271 if (err)
@@ -281,6 +282,9 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
281 } 282 }
282 /* Bump the usage count and install the file. */ 283 /* Bump the usage count and install the file. */
283 get_file(fp[i]); 284 get_file(fp[i]);
285 sock = sock_from_file(fp[i], &err);
286 if (sock)
287 sock_update_netprioidx(sock->sk, current);
284 fd_install(new_fd, fp[i]); 288 fd_install(new_fd, fp[i]);
285 } 289 }
286 290
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fe00d1208167..e33ebae519c8 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3502,7 +3502,9 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
3502 if (!skb_cloned(from)) 3502 if (!skb_cloned(from))
3503 skb_shinfo(from)->nr_frags = 0; 3503 skb_shinfo(from)->nr_frags = 0;
3504 3504
3505 /* if the skb is cloned this does nothing since we set nr_frags to 0 */ 3505 /* if the skb is not cloned this does nothing
3506 * since we set nr_frags to 0.
3507 */
3506 for (i = 0; i < skb_shinfo(from)->nr_frags; i++) 3508 for (i = 0; i < skb_shinfo(from)->nr_frags; i++)
3507 skb_frag_ref(from, i); 3509 skb_frag_ref(from, i);
3508 3510
diff --git a/net/core/sock.c b/net/core/sock.c
index 6b654b3ddfda..a6000fbad294 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -691,7 +691,8 @@ set_rcvbuf:
691 691
692 case SO_KEEPALIVE: 692 case SO_KEEPALIVE:
693#ifdef CONFIG_INET 693#ifdef CONFIG_INET
694 if (sk->sk_protocol == IPPROTO_TCP) 694 if (sk->sk_protocol == IPPROTO_TCP &&
695 sk->sk_type == SOCK_STREAM)
695 tcp_set_keepalive(sk, valbool); 696 tcp_set_keepalive(sk, valbool);
696#endif 697#endif
697 sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool); 698 sock_valbool_flag(sk, SOCK_KEEPOPEN, valbool);
@@ -1458,6 +1459,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
1458 } else { 1459 } else {
1459 sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM; 1460 sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
1460 sk->sk_gso_max_size = dst->dev->gso_max_size; 1461 sk->sk_gso_max_size = dst->dev->gso_max_size;
1462 sk->sk_gso_max_segs = dst->dev->gso_max_segs;
1461 } 1463 }
1462 } 1464 }
1463} 1465}
@@ -1522,7 +1524,14 @@ EXPORT_SYMBOL(sock_rfree);
1522 1524
1523void sock_edemux(struct sk_buff *skb) 1525void sock_edemux(struct sk_buff *skb)
1524{ 1526{
1525 sock_put(skb->sk); 1527 struct sock *sk = skb->sk;
1528
1529#ifdef CONFIG_INET
1530 if (sk->sk_state == TCP_TIME_WAIT)
1531 inet_twsk_put(inet_twsk(sk));
1532 else
1533#endif
1534 sock_put(sk);
1526} 1535}
1527EXPORT_SYMBOL(sock_edemux); 1536EXPORT_SYMBOL(sock_edemux);
1528 1537
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 75c3582a7678..fb85d371a8de 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
246 u32 __user *optval, int __user *optlen) 246 u32 __user *optval, int __user *optlen)
247{ 247{
248 int rc = -ENOPROTOOPT; 248 int rc = -ENOPROTOOPT;
249 if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL) 249 if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
250 rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len, 250 rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
251 optval, optlen); 251 optval, optlen);
252 return rc; 252 return rc;
@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
257 u32 __user *optval, int __user *optlen) 257 u32 __user *optval, int __user *optlen)
258{ 258{
259 int rc = -ENOPROTOOPT; 259 int rc = -ENOPROTOOPT;
260 if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL) 260 if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
261 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len, 261 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
262 optval, optlen); 262 optval, optlen);
263 return rc; 263 return rc;
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index d65e98798eca..119c04317d48 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -535,6 +535,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
535 case DCCP_SOCKOPT_CCID_TX_INFO: 535 case DCCP_SOCKOPT_CCID_TX_INFO:
536 if (len < sizeof(tfrc)) 536 if (len < sizeof(tfrc))
537 return -EINVAL; 537 return -EINVAL;
538 memset(&tfrc, 0, sizeof(tfrc));
538 tfrc.tfrctx_x = hc->tx_x; 539 tfrc.tfrctx_x = hc->tx_x;
539 tfrc.tfrctx_x_recv = hc->tx_x_recv; 540 tfrc.tfrctx_x_recv = hc->tx_x_recv;
540 tfrc.tfrctx_x_calc = hc->tx_x_calc; 541 tfrc.tfrctx_x_calc = hc->tx_x_calc;
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 77e87aff419a..47800459e4cb 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1225,7 +1225,7 @@ static int arp_netdev_event(struct notifier_block *this, unsigned long event,
1225 switch (event) { 1225 switch (event) {
1226 case NETDEV_CHANGEADDR: 1226 case NETDEV_CHANGEADDR:
1227 neigh_changeaddr(&arp_tbl, dev); 1227 neigh_changeaddr(&arp_tbl, dev);
1228 rt_cache_flush(dev_net(dev), 0); 1228 rt_cache_flush(dev_net(dev));
1229 break; 1229 break;
1230 default: 1230 default:
1231 break; 1231 break;
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 44bf82e3aef7..e12fad773852 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -725,7 +725,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
725 break; 725 break;
726 726
727 case SIOCSIFFLAGS: 727 case SIOCSIFFLAGS:
728 ret = -EACCES; 728 ret = -EPERM;
729 if (!capable(CAP_NET_ADMIN)) 729 if (!capable(CAP_NET_ADMIN))
730 goto out; 730 goto out;
731 break; 731 break;
@@ -733,7 +733,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
733 case SIOCSIFBRDADDR: /* Set the broadcast address */ 733 case SIOCSIFBRDADDR: /* Set the broadcast address */
734 case SIOCSIFDSTADDR: /* Set the destination address */ 734 case SIOCSIFDSTADDR: /* Set the destination address */
735 case SIOCSIFNETMASK: /* Set the netmask for the interface */ 735 case SIOCSIFNETMASK: /* Set the netmask for the interface */
736 ret = -EACCES; 736 ret = -EPERM;
737 if (!capable(CAP_NET_ADMIN)) 737 if (!capable(CAP_NET_ADMIN))
738 goto out; 738 goto out;
739 ret = -EINVAL; 739 ret = -EINVAL;
@@ -1503,7 +1503,7 @@ static int devinet_conf_proc(ctl_table *ctl, int write,
1503 if (i == IPV4_DEVCONF_ACCEPT_LOCAL - 1 || 1503 if (i == IPV4_DEVCONF_ACCEPT_LOCAL - 1 ||
1504 i == IPV4_DEVCONF_ROUTE_LOCALNET - 1) 1504 i == IPV4_DEVCONF_ROUTE_LOCALNET - 1)
1505 if ((new_value == 0) && (old_value != 0)) 1505 if ((new_value == 0) && (old_value != 0))
1506 rt_cache_flush(net, 0); 1506 rt_cache_flush(net);
1507 } 1507 }
1508 1508
1509 return ret; 1509 return ret;
@@ -1537,7 +1537,7 @@ static int devinet_sysctl_forward(ctl_table *ctl, int write,
1537 dev_disable_lro(idev->dev); 1537 dev_disable_lro(idev->dev);
1538 } 1538 }
1539 rtnl_unlock(); 1539 rtnl_unlock();
1540 rt_cache_flush(net, 0); 1540 rt_cache_flush(net);
1541 } 1541 }
1542 } 1542 }
1543 1543
@@ -1554,7 +1554,7 @@ static int ipv4_doint_and_flush(ctl_table *ctl, int write,
1554 struct net *net = ctl->extra2; 1554 struct net *net = ctl->extra2;
1555 1555
1556 if (write && *valp != val) 1556 if (write && *valp != val)
1557 rt_cache_flush(net, 0); 1557 rt_cache_flush(net);
1558 1558
1559 return ret; 1559 return ret;
1560} 1560}
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index c43ae3fba792..8e2b475da9fa 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -148,7 +148,7 @@ static void fib_flush(struct net *net)
148 } 148 }
149 149
150 if (flushed) 150 if (flushed)
151 rt_cache_flush(net, -1); 151 rt_cache_flush(net);
152} 152}
153 153
154/* 154/*
@@ -999,11 +999,11 @@ static void nl_fib_lookup_exit(struct net *net)
999 net->ipv4.fibnl = NULL; 999 net->ipv4.fibnl = NULL;
1000} 1000}
1001 1001
1002static void fib_disable_ip(struct net_device *dev, int force, int delay) 1002static void fib_disable_ip(struct net_device *dev, int force)
1003{ 1003{
1004 if (fib_sync_down_dev(dev, force)) 1004 if (fib_sync_down_dev(dev, force))
1005 fib_flush(dev_net(dev)); 1005 fib_flush(dev_net(dev));
1006 rt_cache_flush(dev_net(dev), delay); 1006 rt_cache_flush(dev_net(dev));
1007 arp_ifdown(dev); 1007 arp_ifdown(dev);
1008} 1008}
1009 1009
@@ -1020,7 +1020,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
1020 fib_sync_up(dev); 1020 fib_sync_up(dev);
1021#endif 1021#endif
1022 atomic_inc(&net->ipv4.dev_addr_genid); 1022 atomic_inc(&net->ipv4.dev_addr_genid);
1023 rt_cache_flush(dev_net(dev), -1); 1023 rt_cache_flush(dev_net(dev));
1024 break; 1024 break;
1025 case NETDEV_DOWN: 1025 case NETDEV_DOWN:
1026 fib_del_ifaddr(ifa, NULL); 1026 fib_del_ifaddr(ifa, NULL);
@@ -1029,9 +1029,9 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
1029 /* Last address was deleted from this interface. 1029 /* Last address was deleted from this interface.
1030 * Disable IP. 1030 * Disable IP.
1031 */ 1031 */
1032 fib_disable_ip(dev, 1, 0); 1032 fib_disable_ip(dev, 1);
1033 } else { 1033 } else {
1034 rt_cache_flush(dev_net(dev), -1); 1034 rt_cache_flush(dev_net(dev));
1035 } 1035 }
1036 break; 1036 break;
1037 } 1037 }
@@ -1045,7 +1045,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
1045 struct net *net = dev_net(dev); 1045 struct net *net = dev_net(dev);
1046 1046
1047 if (event == NETDEV_UNREGISTER) { 1047 if (event == NETDEV_UNREGISTER) {
1048 fib_disable_ip(dev, 2, -1); 1048 fib_disable_ip(dev, 2);
1049 rt_flush_dev(dev); 1049 rt_flush_dev(dev);
1050 return NOTIFY_DONE; 1050 return NOTIFY_DONE;
1051 } 1051 }
@@ -1062,14 +1062,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
1062 fib_sync_up(dev); 1062 fib_sync_up(dev);
1063#endif 1063#endif
1064 atomic_inc(&net->ipv4.dev_addr_genid); 1064 atomic_inc(&net->ipv4.dev_addr_genid);
1065 rt_cache_flush(dev_net(dev), -1); 1065 rt_cache_flush(dev_net(dev));
1066 break; 1066 break;
1067 case NETDEV_DOWN: 1067 case NETDEV_DOWN:
1068 fib_disable_ip(dev, 0, 0); 1068 fib_disable_ip(dev, 0);
1069 break; 1069 break;
1070 case NETDEV_CHANGEMTU: 1070 case NETDEV_CHANGEMTU:
1071 case NETDEV_CHANGE: 1071 case NETDEV_CHANGE:
1072 rt_cache_flush(dev_net(dev), 0); 1072 rt_cache_flush(dev_net(dev));
1073 break; 1073 break;
1074 case NETDEV_UNREGISTER_BATCH: 1074 case NETDEV_UNREGISTER_BATCH:
1075 break; 1075 break;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index a83d74e498d2..274309d3aded 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -259,7 +259,7 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule)
259 259
260static void fib4_rule_flush_cache(struct fib_rules_ops *ops) 260static void fib4_rule_flush_cache(struct fib_rules_ops *ops)
261{ 261{
262 rt_cache_flush(ops->fro_net, -1); 262 rt_cache_flush(ops->fro_net);
263} 263}
264 264
265static const struct fib_rules_ops __net_initdata fib4_rules_ops_template = { 265static const struct fib_rules_ops __net_initdata fib4_rules_ops_template = {
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index f0cdb30921c0..d1b93595b4a7 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -367,7 +367,7 @@ static void __leaf_free_rcu(struct rcu_head *head)
367 367
368static inline void free_leaf(struct leaf *l) 368static inline void free_leaf(struct leaf *l)
369{ 369{
370 call_rcu_bh(&l->rcu, __leaf_free_rcu); 370 call_rcu(&l->rcu, __leaf_free_rcu);
371} 371}
372 372
373static inline void free_leaf_info(struct leaf_info *leaf) 373static inline void free_leaf_info(struct leaf_info *leaf)
@@ -1286,7 +1286,7 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
1286 1286
1287 fib_release_info(fi_drop); 1287 fib_release_info(fi_drop);
1288 if (state & FA_S_ACCESSED) 1288 if (state & FA_S_ACCESSED)
1289 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1289 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1290 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, 1290 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen,
1291 tb->tb_id, &cfg->fc_nlinfo, NLM_F_REPLACE); 1291 tb->tb_id, &cfg->fc_nlinfo, NLM_F_REPLACE);
1292 1292
@@ -1333,7 +1333,7 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
1333 list_add_tail_rcu(&new_fa->fa_list, 1333 list_add_tail_rcu(&new_fa->fa_list,
1334 (fa ? &fa->fa_list : fa_head)); 1334 (fa ? &fa->fa_list : fa_head));
1335 1335
1336 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1336 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1337 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, tb->tb_id, 1337 rtmsg_fib(RTM_NEWROUTE, htonl(key), new_fa, plen, tb->tb_id,
1338 &cfg->fc_nlinfo, 0); 1338 &cfg->fc_nlinfo, 0);
1339succeeded: 1339succeeded:
@@ -1708,7 +1708,7 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
1708 trie_leaf_remove(t, l); 1708 trie_leaf_remove(t, l);
1709 1709
1710 if (fa->fa_state & FA_S_ACCESSED) 1710 if (fa->fa_state & FA_S_ACCESSED)
1711 rt_cache_flush(cfg->fc_nlinfo.nl_net, -1); 1711 rt_cache_flush(cfg->fc_nlinfo.nl_net);
1712 1712
1713 fib_release_info(fa->fa_info); 1713 fib_release_info(fa->fa_info);
1714 alias_free_mem_rcu(fa); 1714 alias_free_mem_rcu(fa);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index db0cf17c00f7..7f75f21d7b83 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -404,12 +404,15 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
404{ 404{
405 const struct inet_request_sock *ireq = inet_rsk(req); 405 const struct inet_request_sock *ireq = inet_rsk(req);
406 struct inet_sock *newinet = inet_sk(newsk); 406 struct inet_sock *newinet = inet_sk(newsk);
407 struct ip_options_rcu *opt = ireq->opt; 407 struct ip_options_rcu *opt;
408 struct net *net = sock_net(sk); 408 struct net *net = sock_net(sk);
409 struct flowi4 *fl4; 409 struct flowi4 *fl4;
410 struct rtable *rt; 410 struct rtable *rt;
411 411
412 fl4 = &newinet->cork.fl.u.ip4; 412 fl4 = &newinet->cork.fl.u.ip4;
413
414 rcu_read_lock();
415 opt = rcu_dereference(newinet->inet_opt);
413 flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark, 416 flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
414 RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, 417 RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
415 sk->sk_protocol, inet_sk_flowi_flags(sk), 418 sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -421,11 +424,13 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
421 goto no_route; 424 goto no_route;
422 if (opt && opt->opt.is_strictroute && rt->rt_gateway) 425 if (opt && opt->opt.is_strictroute && rt->rt_gateway)
423 goto route_err; 426 goto route_err;
427 rcu_read_unlock();
424 return &rt->dst; 428 return &rt->dst;
425 429
426route_err: 430route_err:
427 ip_rt_put(rt); 431 ip_rt_put(rt);
428no_route: 432no_route:
433 rcu_read_unlock();
429 IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES); 434 IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
430 return NULL; 435 return NULL;
431} 436}
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index ba39a52d18c1..c196d749daf2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -197,7 +197,7 @@ static inline int ip_finish_output2(struct sk_buff *skb)
197 neigh = __ipv4_neigh_lookup_noref(dev, nexthop); 197 neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
198 if (unlikely(!neigh)) 198 if (unlikely(!neigh))
199 neigh = __neigh_create(&arp_tbl, &nexthop, dev, false); 199 neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
200 if (neigh) { 200 if (!IS_ERR(neigh)) {
201 int res = dst_neigh_output(dst, neigh, skb); 201 int res = dst_neigh_output(dst, neigh, skb);
202 202
203 rcu_read_unlock_bh(); 203 rcu_read_unlock_bh();
@@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
1338 iph->ihl = 5; 1338 iph->ihl = 5;
1339 iph->tos = inet->tos; 1339 iph->tos = inet->tos;
1340 iph->frag_off = df; 1340 iph->frag_off = df;
1341 ip_select_ident(iph, &rt->dst, sk);
1342 iph->ttl = ttl; 1341 iph->ttl = ttl;
1343 iph->protocol = sk->sk_protocol; 1342 iph->protocol = sk->sk_protocol;
1344 ip_copy_addrs(iph, fl4); 1343 ip_copy_addrs(iph, fl4);
1344 ip_select_ident(iph, &rt->dst, sk);
1345 1345
1346 if (opt) { 1346 if (opt) {
1347 iph->ihl += opt->optlen>>2; 1347 iph->ihl += opt->optlen>>2;
@@ -1366,9 +1366,8 @@ out:
1366 return skb; 1366 return skb;
1367} 1367}
1368 1368
1369int ip_send_skb(struct sk_buff *skb) 1369int ip_send_skb(struct net *net, struct sk_buff *skb)
1370{ 1370{
1371 struct net *net = sock_net(skb->sk);
1372 int err; 1371 int err;
1373 1372
1374 err = ip_local_out(skb); 1373 err = ip_local_out(skb);
@@ -1391,7 +1390,7 @@ int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4)
1391 return 0; 1390 return 0;
1392 1391
1393 /* Netfilter gets whole the not fragmented skb. */ 1392 /* Netfilter gets whole the not fragmented skb. */
1394 return ip_send_skb(skb); 1393 return ip_send_skb(sock_net(sk), skb);
1395} 1394}
1396 1395
1397/* 1396/*
@@ -1536,6 +1535,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
1536 arg->csumoffset) = csum_fold(csum_add(nskb->csum, 1535 arg->csumoffset) = csum_fold(csum_add(nskb->csum,
1537 arg->csum)); 1536 arg->csum));
1538 nskb->ip_summed = CHECKSUM_NONE; 1537 nskb->ip_summed = CHECKSUM_NONE;
1538 skb_orphan(nskb);
1539 skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb)); 1539 skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb));
1540 ip_push_pending_frames(sk, &fl4); 1540 ip_push_pending_frames(sk, &fl4);
1541 } 1541 }
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 8eec8f4a0536..ebdf06f938bf 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -124,6 +124,8 @@ static DEFINE_SPINLOCK(mfc_unres_lock);
124static struct kmem_cache *mrt_cachep __read_mostly; 124static struct kmem_cache *mrt_cachep __read_mostly;
125 125
126static struct mr_table *ipmr_new_table(struct net *net, u32 id); 126static struct mr_table *ipmr_new_table(struct net *net, u32 id);
127static void ipmr_free_table(struct mr_table *mrt);
128
127static int ip_mr_forward(struct net *net, struct mr_table *mrt, 129static int ip_mr_forward(struct net *net, struct mr_table *mrt,
128 struct sk_buff *skb, struct mfc_cache *cache, 130 struct sk_buff *skb, struct mfc_cache *cache,
129 int local); 131 int local);
@@ -131,6 +133,7 @@ static int ipmr_cache_report(struct mr_table *mrt,
131 struct sk_buff *pkt, vifi_t vifi, int assert); 133 struct sk_buff *pkt, vifi_t vifi, int assert);
132static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb, 134static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
133 struct mfc_cache *c, struct rtmsg *rtm); 135 struct mfc_cache *c, struct rtmsg *rtm);
136static void mroute_clean_tables(struct mr_table *mrt);
134static void ipmr_expire_process(unsigned long arg); 137static void ipmr_expire_process(unsigned long arg);
135 138
136#ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES 139#ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
@@ -271,7 +274,7 @@ static void __net_exit ipmr_rules_exit(struct net *net)
271 274
272 list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list) { 275 list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list) {
273 list_del(&mrt->list); 276 list_del(&mrt->list);
274 kfree(mrt); 277 ipmr_free_table(mrt);
275 } 278 }
276 fib_rules_unregister(net->ipv4.mr_rules_ops); 279 fib_rules_unregister(net->ipv4.mr_rules_ops);
277} 280}
@@ -299,7 +302,7 @@ static int __net_init ipmr_rules_init(struct net *net)
299 302
300static void __net_exit ipmr_rules_exit(struct net *net) 303static void __net_exit ipmr_rules_exit(struct net *net)
301{ 304{
302 kfree(net->ipv4.mrt); 305 ipmr_free_table(net->ipv4.mrt);
303} 306}
304#endif 307#endif
305 308
@@ -336,6 +339,13 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
336 return mrt; 339 return mrt;
337} 340}
338 341
342static void ipmr_free_table(struct mr_table *mrt)
343{
344 del_timer_sync(&mrt->ipmr_expire_timer);
345 mroute_clean_tables(mrt);
346 kfree(mrt);
347}
348
339/* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */ 349/* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
340 350
341static void ipmr_del_tunnel(struct net_device *dev, struct vifctl *v) 351static void ipmr_del_tunnel(struct net_device *dev, struct vifctl *v)
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index ea4a23813d26..9c87cde28ff8 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
148 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, 148 if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
149 hdr, NULL, &matchoff, &matchlen, 149 hdr, NULL, &matchoff, &matchlen,
150 &addr, &port) > 0) { 150 &addr, &port) > 0) {
151 unsigned int matchend, poff, plen, buflen, n; 151 unsigned int olen, matchend, poff, plen, buflen, n;
152 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; 152 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
153 153
154 /* We're only interested in headers related to this 154 /* We're only interested in headers related to this
@@ -163,17 +163,18 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
163 goto next; 163 goto next;
164 } 164 }
165 165
166 olen = *datalen;
166 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, 167 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
167 &addr, port)) 168 &addr, port))
168 return NF_DROP; 169 return NF_DROP;
169 170
170 matchend = matchoff + matchlen; 171 matchend = matchoff + matchlen + *datalen - olen;
171 172
172 /* The maddr= parameter (RFC 2361) specifies where to send 173 /* The maddr= parameter (RFC 2361) specifies where to send
173 * the reply. */ 174 * the reply. */
174 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, 175 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
175 "maddr=", &poff, &plen, 176 "maddr=", &poff, &plen,
176 &addr) > 0 && 177 &addr, true) > 0 &&
177 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip && 178 addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
178 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) { 179 addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
179 buflen = sprintf(buffer, "%pI4", 180 buflen = sprintf(buffer, "%pI4",
@@ -187,7 +188,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
187 * from which the server received the request. */ 188 * from which the server received the request. */
188 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen, 189 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
189 "received=", &poff, &plen, 190 "received=", &poff, &plen,
190 &addr) > 0 && 191 &addr, false) > 0 &&
191 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip && 192 addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
192 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) { 193 addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
193 buflen = sprintf(buffer, "%pI4", 194 buflen = sprintf(buffer, "%pI4",
@@ -501,7 +502,10 @@ static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff,
501 ret = nf_ct_expect_related(rtcp_exp); 502 ret = nf_ct_expect_related(rtcp_exp);
502 if (ret == 0) 503 if (ret == 0)
503 break; 504 break;
504 else if (ret != -EBUSY) { 505 else if (ret == -EBUSY) {
506 nf_ct_unexpect_related(rtp_exp);
507 continue;
508 } else if (ret < 0) {
505 nf_ct_unexpect_related(rtp_exp); 509 nf_ct_unexpect_related(rtp_exp);
506 port = 0; 510 port = 0;
507 break; 511 break;
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index ff0f071969ea..d23c6571ba1c 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -131,18 +131,20 @@ found:
131 * 0 - deliver 131 * 0 - deliver
132 * 1 - block 132 * 1 - block
133 */ 133 */
134static __inline__ int icmp_filter(struct sock *sk, struct sk_buff *skb) 134static int icmp_filter(const struct sock *sk, const struct sk_buff *skb)
135{ 135{
136 int type; 136 struct icmphdr _hdr;
137 const struct icmphdr *hdr;
137 138
138 if (!pskb_may_pull(skb, sizeof(struct icmphdr))) 139 hdr = skb_header_pointer(skb, skb_transport_offset(skb),
140 sizeof(_hdr), &_hdr);
141 if (!hdr)
139 return 1; 142 return 1;
140 143
141 type = icmp_hdr(skb)->type; 144 if (hdr->type < 32) {
142 if (type < 32) {
143 __u32 data = raw_sk(sk)->filter.data; 145 __u32 data = raw_sk(sk)->filter.data;
144 146
145 return ((1 << type) & data) != 0; 147 return ((1U << hdr->type) & data) != 0;
146 } 148 }
147 149
148 /* Do not block unknown ICMP types */ 150 /* Do not block unknown ICMP types */
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c035251beb07..fd9af60397b5 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -70,7 +70,6 @@
70#include <linux/types.h> 70#include <linux/types.h>
71#include <linux/kernel.h> 71#include <linux/kernel.h>
72#include <linux/mm.h> 72#include <linux/mm.h>
73#include <linux/bootmem.h>
74#include <linux/string.h> 73#include <linux/string.h>
75#include <linux/socket.h> 74#include <linux/socket.h>
76#include <linux/sockios.h> 75#include <linux/sockios.h>
@@ -80,7 +79,6 @@
80#include <linux/netdevice.h> 79#include <linux/netdevice.h>
81#include <linux/proc_fs.h> 80#include <linux/proc_fs.h>
82#include <linux/init.h> 81#include <linux/init.h>
83#include <linux/workqueue.h>
84#include <linux/skbuff.h> 82#include <linux/skbuff.h>
85#include <linux/inetdevice.h> 83#include <linux/inetdevice.h>
86#include <linux/igmp.h> 84#include <linux/igmp.h>
@@ -88,11 +86,9 @@
88#include <linux/mroute.h> 86#include <linux/mroute.h>
89#include <linux/netfilter_ipv4.h> 87#include <linux/netfilter_ipv4.h>
90#include <linux/random.h> 88#include <linux/random.h>
91#include <linux/jhash.h>
92#include <linux/rcupdate.h> 89#include <linux/rcupdate.h>
93#include <linux/times.h> 90#include <linux/times.h>
94#include <linux/slab.h> 91#include <linux/slab.h>
95#include <linux/prefetch.h>
96#include <net/dst.h> 92#include <net/dst.h>
97#include <net/net_namespace.h> 93#include <net/net_namespace.h>
98#include <net/protocol.h> 94#include <net/protocol.h>
@@ -206,11 +202,6 @@ EXPORT_SYMBOL(ip_tos2prio);
206static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat); 202static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat);
207#define RT_CACHE_STAT_INC(field) __this_cpu_inc(rt_cache_stat.field) 203#define RT_CACHE_STAT_INC(field) __this_cpu_inc(rt_cache_stat.field)
208 204
209static inline int rt_genid(struct net *net)
210{
211 return atomic_read(&net->ipv4.rt_genid);
212}
213
214#ifdef CONFIG_PROC_FS 205#ifdef CONFIG_PROC_FS
215static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos) 206static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos)
216{ 207{
@@ -451,27 +442,9 @@ static inline bool rt_is_expired(const struct rtable *rth)
451 return rth->rt_genid != rt_genid(dev_net(rth->dst.dev)); 442 return rth->rt_genid != rt_genid(dev_net(rth->dst.dev));
452} 443}
453 444
454/* 445void rt_cache_flush(struct net *net)
455 * Perturbation of rt_genid by a small quantity [1..256]
456 * Using 8 bits of shuffling ensure we can call rt_cache_invalidate()
457 * many times (2^24) without giving recent rt_genid.
458 * Jenkins hash is strong enough that litle changes of rt_genid are OK.
459 */
460static void rt_cache_invalidate(struct net *net)
461{
462 unsigned char shuffle;
463
464 get_random_bytes(&shuffle, sizeof(shuffle));
465 atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
466}
467
468/*
469 * delay < 0 : invalidate cache (fast : entries will be deleted later)
470 * delay >= 0 : invalidate & flush cache (can be long)
471 */
472void rt_cache_flush(struct net *net, int delay)
473{ 446{
474 rt_cache_invalidate(net); 447 rt_genid_bump(net);
475} 448}
476 449
477static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst, 450static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
@@ -938,12 +911,14 @@ static u32 __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
938 if (mtu < ip_rt_min_pmtu) 911 if (mtu < ip_rt_min_pmtu)
939 mtu = ip_rt_min_pmtu; 912 mtu = ip_rt_min_pmtu;
940 913
914 rcu_read_lock();
941 if (fib_lookup(dev_net(rt->dst.dev), fl4, &res) == 0) { 915 if (fib_lookup(dev_net(rt->dst.dev), fl4, &res) == 0) {
942 struct fib_nh *nh = &FIB_RES_NH(res); 916 struct fib_nh *nh = &FIB_RES_NH(res);
943 917
944 update_or_create_fnhe(nh, fl4->daddr, 0, mtu, 918 update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
945 jiffies + ip_rt_mtu_expires); 919 jiffies + ip_rt_mtu_expires);
946 } 920 }
921 rcu_read_unlock();
947 return mtu; 922 return mtu;
948} 923}
949 924
@@ -960,7 +935,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
960 dst->obsolete = DST_OBSOLETE_KILL; 935 dst->obsolete = DST_OBSOLETE_KILL;
961 } else { 936 } else {
962 rt->rt_pmtu = mtu; 937 rt->rt_pmtu = mtu;
963 dst_set_expires(&rt->dst, ip_rt_mtu_expires); 938 rt->dst.expires = max(1UL, jiffies + ip_rt_mtu_expires);
964 } 939 }
965} 940}
966 941
@@ -1267,7 +1242,7 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
1267{ 1242{
1268 struct rtable *rt = (struct rtable *) dst; 1243 struct rtable *rt = (struct rtable *) dst;
1269 1244
1270 if (dst->flags & DST_NOCACHE) { 1245 if (!list_empty(&rt->rt_uncached)) {
1271 spin_lock_bh(&rt_uncached_lock); 1246 spin_lock_bh(&rt_uncached_lock);
1272 list_del(&rt->rt_uncached); 1247 list_del(&rt->rt_uncached);
1273 spin_unlock_bh(&rt_uncached_lock); 1248 spin_unlock_bh(&rt_uncached_lock);
@@ -2032,7 +2007,6 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
2032 } 2007 }
2033 dev_out = net->loopback_dev; 2008 dev_out = net->loopback_dev;
2034 fl4->flowi4_oif = dev_out->ifindex; 2009 fl4->flowi4_oif = dev_out->ifindex;
2035 res.fi = NULL;
2036 flags |= RTCF_LOCAL; 2010 flags |= RTCF_LOCAL;
2037 goto make_route; 2011 goto make_route;
2038 } 2012 }
@@ -2348,7 +2322,7 @@ int ip_rt_dump(struct sk_buff *skb, struct netlink_callback *cb)
2348 2322
2349void ip_rt_multicast_event(struct in_device *in_dev) 2323void ip_rt_multicast_event(struct in_device *in_dev)
2350{ 2324{
2351 rt_cache_flush(dev_net(in_dev->dev), 0); 2325 rt_cache_flush(dev_net(in_dev->dev));
2352} 2326}
2353 2327
2354#ifdef CONFIG_SYSCTL 2328#ifdef CONFIG_SYSCTL
@@ -2357,16 +2331,7 @@ static int ipv4_sysctl_rtcache_flush(ctl_table *__ctl, int write,
2357 size_t *lenp, loff_t *ppos) 2331 size_t *lenp, loff_t *ppos)
2358{ 2332{
2359 if (write) { 2333 if (write) {
2360 int flush_delay; 2334 rt_cache_flush((struct net *)__ctl->extra1);
2361 ctl_table ctl;
2362 struct net *net;
2363
2364 memcpy(&ctl, __ctl, sizeof(ctl));
2365 ctl.data = &flush_delay;
2366 proc_dointvec(&ctl, write, buffer, lenp, ppos);
2367
2368 net = (struct net *)__ctl->extra1;
2369 rt_cache_flush(net, flush_delay);
2370 return 0; 2335 return 0;
2371 } 2336 }
2372 2337
@@ -2536,8 +2501,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
2536 2501
2537static __net_init int rt_genid_init(struct net *net) 2502static __net_init int rt_genid_init(struct net *net)
2538{ 2503{
2539 get_random_bytes(&net->ipv4.rt_genid, 2504 atomic_set(&net->rt_genid, 0);
2540 sizeof(net->ipv4.rt_genid));
2541 get_random_bytes(&net->ipv4.dev_addr_genid, 2505 get_random_bytes(&net->ipv4.dev_addr_genid,
2542 sizeof(net->ipv4.dev_addr_genid)); 2506 sizeof(net->ipv4.dev_addr_genid));
2543 return 0; 2507 return 0;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e7e6eeae49c0..5f6419341821 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -811,7 +811,9 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
811 old_size_goal + mss_now > xmit_size_goal)) { 811 old_size_goal + mss_now > xmit_size_goal)) {
812 xmit_size_goal = old_size_goal; 812 xmit_size_goal = old_size_goal;
813 } else { 813 } else {
814 tp->xmit_size_goal_segs = xmit_size_goal / mss_now; 814 tp->xmit_size_goal_segs =
815 min_t(u16, xmit_size_goal / mss_now,
816 sk->sk_gso_max_segs);
815 xmit_size_goal = tp->xmit_size_goal_segs * mss_now; 817 xmit_size_goal = tp->xmit_size_goal_segs * mss_now;
816 } 818 }
817 } 819 }
@@ -1760,8 +1762,14 @@ int tcp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
1760 } 1762 }
1761 1763
1762#ifdef CONFIG_NET_DMA 1764#ifdef CONFIG_NET_DMA
1763 if (tp->ucopy.dma_chan) 1765 if (tp->ucopy.dma_chan) {
1764 dma_async_memcpy_issue_pending(tp->ucopy.dma_chan); 1766 if (tp->rcv_wnd == 0 &&
1767 !skb_queue_empty(&sk->sk_async_wait_queue)) {
1768 tcp_service_net_dma(sk, true);
1769 tcp_cleanup_rbuf(sk, copied);
1770 } else
1771 dma_async_memcpy_issue_pending(tp->ucopy.dma_chan);
1772 }
1765#endif 1773#endif
1766 if (copied >= target) { 1774 if (copied >= target) {
1767 /* Do not sleep, just process backlog. */ 1775 /* Do not sleep, just process backlog. */
@@ -2323,10 +2331,17 @@ static int tcp_repair_options_est(struct tcp_sock *tp,
2323 tp->rx_opt.mss_clamp = opt.opt_val; 2331 tp->rx_opt.mss_clamp = opt.opt_val;
2324 break; 2332 break;
2325 case TCPOPT_WINDOW: 2333 case TCPOPT_WINDOW:
2326 if (opt.opt_val > 14) 2334 {
2327 return -EFBIG; 2335 u16 snd_wscale = opt.opt_val & 0xFFFF;
2336 u16 rcv_wscale = opt.opt_val >> 16;
2337
2338 if (snd_wscale > 14 || rcv_wscale > 14)
2339 return -EFBIG;
2328 2340
2329 tp->rx_opt.snd_wscale = opt.opt_val; 2341 tp->rx_opt.snd_wscale = snd_wscale;
2342 tp->rx_opt.rcv_wscale = rcv_wscale;
2343 tp->rx_opt.wscale_ok = 1;
2344 }
2330 break; 2345 break;
2331 case TCPOPT_SACK_PERM: 2346 case TCPOPT_SACK_PERM:
2332 if (opt.opt_val != 0) 2347 if (opt.opt_val != 0)
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 4d4db16e336e..1432cdb0644c 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -291,7 +291,8 @@ bool tcp_is_cwnd_limited(const struct sock *sk, u32 in_flight)
291 left = tp->snd_cwnd - in_flight; 291 left = tp->snd_cwnd - in_flight;
292 if (sk_can_gso(sk) && 292 if (sk_can_gso(sk) &&
293 left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd && 293 left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
294 left * tp->mss_cache < sk->sk_gso_max_size) 294 left * tp->mss_cache < sk->sk_gso_max_size &&
295 left < sk->sk_gso_max_segs)
295 return true; 296 return true;
296 return left <= tcp_max_tso_deferred_mss(tp); 297 return left <= tcp_max_tso_deferred_mss(tp);
297} 298}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 2fd2bc9e3c64..d377f4854cb8 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2926,13 +2926,14 @@ static void tcp_enter_recovery(struct sock *sk, bool ece_ack)
2926 * tcp_xmit_retransmit_queue(). 2926 * tcp_xmit_retransmit_queue().
2927 */ 2927 */
2928static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked, 2928static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
2929 int newly_acked_sacked, bool is_dupack, 2929 int prior_sacked, bool is_dupack,
2930 int flag) 2930 int flag)
2931{ 2931{
2932 struct inet_connection_sock *icsk = inet_csk(sk); 2932 struct inet_connection_sock *icsk = inet_csk(sk);
2933 struct tcp_sock *tp = tcp_sk(sk); 2933 struct tcp_sock *tp = tcp_sk(sk);
2934 int do_lost = is_dupack || ((flag & FLAG_DATA_SACKED) && 2934 int do_lost = is_dupack || ((flag & FLAG_DATA_SACKED) &&
2935 (tcp_fackets_out(tp) > tp->reordering)); 2935 (tcp_fackets_out(tp) > tp->reordering));
2936 int newly_acked_sacked = 0;
2936 int fast_rexmit = 0; 2937 int fast_rexmit = 0;
2937 2938
2938 if (WARN_ON(!tp->packets_out && tp->sacked_out)) 2939 if (WARN_ON(!tp->packets_out && tp->sacked_out))
@@ -2992,6 +2993,7 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
2992 tcp_add_reno_sack(sk); 2993 tcp_add_reno_sack(sk);
2993 } else 2994 } else
2994 do_lost = tcp_try_undo_partial(sk, pkts_acked); 2995 do_lost = tcp_try_undo_partial(sk, pkts_acked);
2996 newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
2995 break; 2997 break;
2996 case TCP_CA_Loss: 2998 case TCP_CA_Loss:
2997 if (flag & FLAG_DATA_ACKED) 2999 if (flag & FLAG_DATA_ACKED)
@@ -3013,6 +3015,7 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
3013 if (is_dupack) 3015 if (is_dupack)
3014 tcp_add_reno_sack(sk); 3016 tcp_add_reno_sack(sk);
3015 } 3017 }
3018 newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
3016 3019
3017 if (icsk->icsk_ca_state <= TCP_CA_Disorder) 3020 if (icsk->icsk_ca_state <= TCP_CA_Disorder)
3018 tcp_try_undo_dsack(sk); 3021 tcp_try_undo_dsack(sk);
@@ -3590,7 +3593,6 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
3590 int prior_packets; 3593 int prior_packets;
3591 int prior_sacked = tp->sacked_out; 3594 int prior_sacked = tp->sacked_out;
3592 int pkts_acked = 0; 3595 int pkts_acked = 0;
3593 int newly_acked_sacked = 0;
3594 bool frto_cwnd = false; 3596 bool frto_cwnd = false;
3595 3597
3596 /* If the ack is older than previous acks 3598 /* If the ack is older than previous acks
@@ -3666,8 +3668,6 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
3666 flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una); 3668 flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una);
3667 3669
3668 pkts_acked = prior_packets - tp->packets_out; 3670 pkts_acked = prior_packets - tp->packets_out;
3669 newly_acked_sacked = (prior_packets - prior_sacked) -
3670 (tp->packets_out - tp->sacked_out);
3671 3671
3672 if (tp->frto_counter) 3672 if (tp->frto_counter)
3673 frto_cwnd = tcp_process_frto(sk, flag); 3673 frto_cwnd = tcp_process_frto(sk, flag);
@@ -3681,7 +3681,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
3681 tcp_may_raise_cwnd(sk, flag)) 3681 tcp_may_raise_cwnd(sk, flag))
3682 tcp_cong_avoid(sk, ack, prior_in_flight); 3682 tcp_cong_avoid(sk, ack, prior_in_flight);
3683 is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP)); 3683 is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));
3684 tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked, 3684 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
3685 is_dupack, flag); 3685 is_dupack, flag);
3686 } else { 3686 } else {
3687 if ((flag & FLAG_DATA_ACKED) && !frto_cwnd) 3687 if ((flag & FLAG_DATA_ACKED) && !frto_cwnd)
@@ -3698,7 +3698,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
3698no_queue: 3698no_queue:
3699 /* If data was DSACKed, see if we can undo a cwnd reduction. */ 3699 /* If data was DSACKed, see if we can undo a cwnd reduction. */
3700 if (flag & FLAG_DSACKING_ACK) 3700 if (flag & FLAG_DSACKING_ACK)
3701 tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked, 3701 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
3702 is_dupack, flag); 3702 is_dupack, flag);
3703 /* If this ack opens up a zero window, clear backoff. It was 3703 /* If this ack opens up a zero window, clear backoff. It was
3704 * being used to time the probes, and is probably far higher than 3704 * being used to time the probes, and is probably far higher than
@@ -3718,8 +3718,7 @@ old_ack:
3718 */ 3718 */
3719 if (TCP_SKB_CB(skb)->sacked) { 3719 if (TCP_SKB_CB(skb)->sacked) {
3720 flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una); 3720 flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);
3721 newly_acked_sacked = tp->sacked_out - prior_sacked; 3721 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
3722 tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
3723 is_dupack, flag); 3722 is_dupack, flag);
3724 } 3723 }
3725 3724
@@ -4662,7 +4661,7 @@ queue_and_out:
4662 4661
4663 if (eaten > 0) 4662 if (eaten > 0)
4664 kfree_skb_partial(skb, fragstolen); 4663 kfree_skb_partial(skb, fragstolen);
4665 else if (!sock_flag(sk, SOCK_DEAD)) 4664 if (!sock_flag(sk, SOCK_DEAD))
4666 sk->sk_data_ready(sk, 0); 4665 sk->sk_data_ready(sk, 0);
4667 return; 4666 return;
4668 } 4667 }
@@ -5392,6 +5391,8 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
5392{ 5391{
5393 struct tcp_sock *tp = tcp_sk(sk); 5392 struct tcp_sock *tp = tcp_sk(sk);
5394 5393
5394 if (unlikely(sk->sk_rx_dst == NULL))
5395 inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb);
5395 /* 5396 /*
5396 * Header prediction. 5397 * Header prediction.
5397 * The code loosely follows the one in the famous 5398 * The code loosely follows the one in the famous
@@ -5555,8 +5556,7 @@ no_ack:
5555#endif 5556#endif
5556 if (eaten) 5557 if (eaten)
5557 kfree_skb_partial(skb, fragstolen); 5558 kfree_skb_partial(skb, fragstolen);
5558 else 5559 sk->sk_data_ready(sk, 0);
5559 sk->sk_data_ready(sk, 0);
5560 return 0; 5560 return 0;
5561 } 5561 }
5562 } 5562 }
@@ -5605,7 +5605,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
5605 tcp_set_state(sk, TCP_ESTABLISHED); 5605 tcp_set_state(sk, TCP_ESTABLISHED);
5606 5606
5607 if (skb != NULL) { 5607 if (skb != NULL) {
5608 inet_sk_rx_dst_set(sk, skb); 5608 icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
5609 security_inet_conn_established(sk, skb); 5609 security_inet_conn_established(sk, skb);
5610 } 5610 }
5611 5611
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 42b2a6a73092..00a748d14062 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -417,10 +417,12 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
417 417
418 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */ 418 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
419 tp->mtu_info = info; 419 tp->mtu_info = info;
420 if (!sock_owned_by_user(sk)) 420 if (!sock_owned_by_user(sk)) {
421 tcp_v4_mtu_reduced(sk); 421 tcp_v4_mtu_reduced(sk);
422 else 422 } else {
423 set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags); 423 if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags))
424 sock_hold(sk);
425 }
424 goto out; 426 goto out;
425 } 427 }
426 428
@@ -1462,6 +1464,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
1462 goto exit_nonewsk; 1464 goto exit_nonewsk;
1463 1465
1464 newsk->sk_gso_type = SKB_GSO_TCPV4; 1466 newsk->sk_gso_type = SKB_GSO_TCPV4;
1467 inet_sk_rx_dst_set(newsk, skb);
1465 1468
1466 newtp = tcp_sk(newsk); 1469 newtp = tcp_sk(newsk);
1467 newinet = inet_sk(newsk); 1470 newinet = inet_sk(newsk);
@@ -1627,9 +1630,6 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
1627 sk->sk_rx_dst = NULL; 1630 sk->sk_rx_dst = NULL;
1628 } 1631 }
1629 } 1632 }
1630 if (unlikely(sk->sk_rx_dst == NULL))
1631 inet_sk_rx_dst_set(sk, skb);
1632
1633 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) { 1633 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
1634 rsk = sk; 1634 rsk = sk;
1635 goto reset; 1635 goto reset;
@@ -1872,10 +1872,21 @@ static struct timewait_sock_ops tcp_timewait_sock_ops = {
1872 .twsk_destructor= tcp_twsk_destructor, 1872 .twsk_destructor= tcp_twsk_destructor,
1873}; 1873};
1874 1874
1875void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
1876{
1877 struct dst_entry *dst = skb_dst(skb);
1878
1879 dst_hold(dst);
1880 sk->sk_rx_dst = dst;
1881 inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
1882}
1883EXPORT_SYMBOL(inet_sk_rx_dst_set);
1884
1875const struct inet_connection_sock_af_ops ipv4_specific = { 1885const struct inet_connection_sock_af_ops ipv4_specific = {
1876 .queue_xmit = ip_queue_xmit, 1886 .queue_xmit = ip_queue_xmit,
1877 .send_check = tcp_v4_send_check, 1887 .send_check = tcp_v4_send_check,
1878 .rebuild_header = inet_sk_rebuild_header, 1888 .rebuild_header = inet_sk_rebuild_header,
1889 .sk_rx_dst_set = inet_sk_rx_dst_set,
1879 .conn_request = tcp_v4_conn_request, 1890 .conn_request = tcp_v4_conn_request,
1880 .syn_recv_sock = tcp_v4_syn_recv_sock, 1891 .syn_recv_sock = tcp_v4_syn_recv_sock,
1881 .net_header_len = sizeof(struct iphdr), 1892 .net_header_len = sizeof(struct iphdr),
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 2288a6399e1e..0abe67bb4d3a 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -731,6 +731,18 @@ static int __net_init tcp_net_metrics_init(struct net *net)
731 731
732static void __net_exit tcp_net_metrics_exit(struct net *net) 732static void __net_exit tcp_net_metrics_exit(struct net *net)
733{ 733{
734 unsigned int i;
735
736 for (i = 0; i < (1U << net->ipv4.tcp_metrics_hash_log) ; i++) {
737 struct tcp_metrics_block *tm, *next;
738
739 tm = rcu_dereference_protected(net->ipv4.tcp_metrics_hash[i].chain, 1);
740 while (tm) {
741 next = rcu_dereference_protected(tm->tcpm_next, 1);
742 kfree(tm);
743 tm = next;
744 }
745 }
734 kfree(net->ipv4.tcp_metrics_hash); 746 kfree(net->ipv4.tcp_metrics_hash);
735} 747}
736 748
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 232a90c3ec86..6ff7f10dce9d 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -387,8 +387,6 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
387 struct tcp_sock *oldtp = tcp_sk(sk); 387 struct tcp_sock *oldtp = tcp_sk(sk);
388 struct tcp_cookie_values *oldcvp = oldtp->cookie_values; 388 struct tcp_cookie_values *oldcvp = oldtp->cookie_values;
389 389
390 inet_sk_rx_dst_set(newsk, skb);
391
392 /* TCP Cookie Transactions require space for the cookie pair, 390 /* TCP Cookie Transactions require space for the cookie pair,
393 * as it differs for each connection. There is no need to 391 * as it differs for each connection. There is no need to
394 * copy any s_data_payload stored at the original socket. 392 * copy any s_data_payload stored at the original socket.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 3f1bcff0b10b..d04632673a9e 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -910,14 +910,18 @@ void tcp_release_cb(struct sock *sk)
910 if (flags & (1UL << TCP_TSQ_DEFERRED)) 910 if (flags & (1UL << TCP_TSQ_DEFERRED))
911 tcp_tsq_handler(sk); 911 tcp_tsq_handler(sk);
912 912
913 if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) 913 if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) {
914 tcp_write_timer_handler(sk); 914 tcp_write_timer_handler(sk);
915 915 __sock_put(sk);
916 if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) 916 }
917 if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) {
917 tcp_delack_timer_handler(sk); 918 tcp_delack_timer_handler(sk);
918 919 __sock_put(sk);
919 if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) 920 }
921 if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) {
920 sk->sk_prot->mtu_reduced(sk); 922 sk->sk_prot->mtu_reduced(sk);
923 __sock_put(sk);
924 }
921} 925}
922EXPORT_SYMBOL(tcp_release_cb); 926EXPORT_SYMBOL(tcp_release_cb);
923 927
@@ -940,7 +944,7 @@ void __init tcp_tasklet_init(void)
940 * We cant xmit new skbs from this context, as we might already 944 * We cant xmit new skbs from this context, as we might already
941 * hold qdisc lock. 945 * hold qdisc lock.
942 */ 946 */
943void tcp_wfree(struct sk_buff *skb) 947static void tcp_wfree(struct sk_buff *skb)
944{ 948{
945 struct sock *sk = skb->sk; 949 struct sock *sk = skb->sk;
946 struct tcp_sock *tp = tcp_sk(sk); 950 struct tcp_sock *tp = tcp_sk(sk);
@@ -1522,21 +1526,21 @@ static void tcp_cwnd_validate(struct sock *sk)
1522 * when we would be allowed to send the split-due-to-Nagle skb fully. 1526 * when we would be allowed to send the split-due-to-Nagle skb fully.
1523 */ 1527 */
1524static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb, 1528static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
1525 unsigned int mss_now, unsigned int cwnd) 1529 unsigned int mss_now, unsigned int max_segs)
1526{ 1530{
1527 const struct tcp_sock *tp = tcp_sk(sk); 1531 const struct tcp_sock *tp = tcp_sk(sk);
1528 u32 needed, window, cwnd_len; 1532 u32 needed, window, max_len;
1529 1533
1530 window = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq; 1534 window = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq;
1531 cwnd_len = mss_now * cwnd; 1535 max_len = mss_now * max_segs;
1532 1536
1533 if (likely(cwnd_len <= window && skb != tcp_write_queue_tail(sk))) 1537 if (likely(max_len <= window && skb != tcp_write_queue_tail(sk)))
1534 return cwnd_len; 1538 return max_len;
1535 1539
1536 needed = min(skb->len, window); 1540 needed = min(skb->len, window);
1537 1541
1538 if (cwnd_len <= needed) 1542 if (max_len <= needed)
1539 return cwnd_len; 1543 return max_len;
1540 1544
1541 return needed - needed % mss_now; 1545 return needed - needed % mss_now;
1542} 1546}
@@ -1765,7 +1769,8 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
1765 limit = min(send_win, cong_win); 1769 limit = min(send_win, cong_win);
1766 1770
1767 /* If a full-sized TSO skb can be sent, do it. */ 1771 /* If a full-sized TSO skb can be sent, do it. */
1768 if (limit >= sk->sk_gso_max_size) 1772 if (limit >= min_t(unsigned int, sk->sk_gso_max_size,
1773 sk->sk_gso_max_segs * tp->mss_cache))
1769 goto send_now; 1774 goto send_now;
1770 1775
1771 /* Middle in queue won't get any more data, full sendable already? */ 1776 /* Middle in queue won't get any more data, full sendable already? */
@@ -1999,7 +2004,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
1999 limit = mss_now; 2004 limit = mss_now;
2000 if (tso_segs > 1 && !tcp_urg_mode(tp)) 2005 if (tso_segs > 1 && !tcp_urg_mode(tp))
2001 limit = tcp_mss_split_point(sk, skb, mss_now, 2006 limit = tcp_mss_split_point(sk, skb, mss_now,
2002 cwnd_quota); 2007 min_t(unsigned int,
2008 cwnd_quota,
2009 sk->sk_gso_max_segs));
2003 2010
2004 if (skb->len > limit && 2011 if (skb->len > limit &&
2005 unlikely(tso_fragment(sk, skb, limit, mss_now, gfp))) 2012 unlikely(tso_fragment(sk, skb, limit, mss_now, gfp)))
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 6df36ad55a38..b774a03bd1dc 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -252,7 +252,8 @@ static void tcp_delack_timer(unsigned long data)
252 inet_csk(sk)->icsk_ack.blocked = 1; 252 inet_csk(sk)->icsk_ack.blocked = 1;
253 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED); 253 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
254 /* deleguate our work to tcp_release_cb() */ 254 /* deleguate our work to tcp_release_cb() */
255 set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags); 255 if (!test_and_set_bit(TCP_DELACK_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
256 sock_hold(sk);
256 } 257 }
257 bh_unlock_sock(sk); 258 bh_unlock_sock(sk);
258 sock_put(sk); 259 sock_put(sk);
@@ -481,7 +482,8 @@ static void tcp_write_timer(unsigned long data)
481 tcp_write_timer_handler(sk); 482 tcp_write_timer_handler(sk);
482 } else { 483 } else {
483 /* deleguate our work to tcp_release_cb() */ 484 /* deleguate our work to tcp_release_cb() */
484 set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags); 485 if (!test_and_set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
486 sock_hold(sk);
485 } 487 }
486 bh_unlock_sock(sk); 488 bh_unlock_sock(sk);
487 sock_put(sk); 489 sock_put(sk);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index b4c3582a991f..2814f66dac64 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -758,7 +758,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
758 uh->check = CSUM_MANGLED_0; 758 uh->check = CSUM_MANGLED_0;
759 759
760send: 760send:
761 err = ip_send_skb(skb); 761 err = ip_send_skb(sock_net(sk), skb);
762 if (err) { 762 if (err) {
763 if (err == -ENOBUFS && !inet->recverr) { 763 if (err == -ENOBUFS && !inet->recverr) {
764 UDP_INC_STATS_USER(sock_net(sk), 764 UDP_INC_STATS_USER(sock_net(sk),
@@ -1226,6 +1226,11 @@ try_again:
1226 1226
1227 if (unlikely(err)) { 1227 if (unlikely(err)) {
1228 trace_kfree_skb(skb, udp_recvmsg); 1228 trace_kfree_skb(skb, udp_recvmsg);
1229 if (!peeked) {
1230 atomic_inc(&sk->sk_drops);
1231 UDP_INC_STATS_USER(sock_net(sk),
1232 UDP_MIB_INERRORS, is_udplite);
1233 }
1229 goto out_free; 1234 goto out_free;
1230 } 1235 }
1231 1236
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 79181819a24f..6bc85f7c31e3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -494,8 +494,7 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
494 struct net_device *dev; 494 struct net_device *dev;
495 struct inet6_dev *idev; 495 struct inet6_dev *idev;
496 496
497 rcu_read_lock(); 497 for_each_netdev(net, dev) {
498 for_each_netdev_rcu(net, dev) {
499 idev = __in6_dev_get(dev); 498 idev = __in6_dev_get(dev);
500 if (idev) { 499 if (idev) {
501 int changed = (!idev->cnf.forwarding) ^ (!newf); 500 int changed = (!idev->cnf.forwarding) ^ (!newf);
@@ -504,7 +503,6 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
504 dev_forward_change(idev); 503 dev_forward_change(idev);
505 } 504 }
506 } 505 }
507 rcu_read_unlock();
508} 506}
509 507
510static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf) 508static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 6dc7fd353ef5..282f3723ee19 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -167,8 +167,6 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
167 struct esp_data *esp = x->data; 167 struct esp_data *esp = x->data;
168 168
169 /* skb is pure payload to encrypt */ 169 /* skb is pure payload to encrypt */
170 err = -ENOMEM;
171
172 aead = esp->aead; 170 aead = esp->aead;
173 alen = crypto_aead_authsize(aead); 171 alen = crypto_aead_authsize(aead);
174 172
@@ -203,8 +201,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
203 } 201 }
204 202
205 tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen); 203 tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
206 if (!tmp) 204 if (!tmp) {
205 err = -ENOMEM;
207 goto error; 206 goto error;
207 }
208 208
209 seqhi = esp_tmp_seqhi(tmp); 209 seqhi = esp_tmp_seqhi(tmp);
210 iv = esp_tmp_iv(aead, tmp, seqhilen); 210 iv = esp_tmp_iv(aead, tmp, seqhilen);
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 0251a6005be8..c4f934176cab 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -175,33 +175,12 @@ void __inet6_csk_dst_store(struct sock *sk, struct dst_entry *dst,
175 const struct in6_addr *saddr) 175 const struct in6_addr *saddr)
176{ 176{
177 __ip6_dst_store(sk, dst, daddr, saddr); 177 __ip6_dst_store(sk, dst, daddr, saddr);
178
179#ifdef CONFIG_XFRM
180 {
181 struct rt6_info *rt = (struct rt6_info *)dst;
182 rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
183 }
184#endif
185} 178}
186 179
187static inline 180static inline
188struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie) 181struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie)
189{ 182{
190 struct dst_entry *dst; 183 return __sk_dst_check(sk, cookie);
191
192 dst = __sk_dst_check(sk, cookie);
193
194#ifdef CONFIG_XFRM
195 if (dst) {
196 struct rt6_info *rt = (struct rt6_info *)dst;
197 if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
198 __sk_dst_reset(sk);
199 dst = NULL;
200 }
201 }
202#endif
203
204 return dst;
205} 184}
206 185
207static struct dst_entry *inet6_csk_route_socket(struct sock *sk, 186static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 13690d650c3e..286acfc21250 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -819,6 +819,10 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
819 offsetof(struct rt6_info, rt6i_src), 819 offsetof(struct rt6_info, rt6i_src),
820 allow_create, replace_required); 820 allow_create, replace_required);
821 821
822 if (IS_ERR(sn)) {
823 err = PTR_ERR(sn);
824 sn = NULL;
825 }
822 if (!sn) { 826 if (!sn) {
823 /* If it is failed, discard just allocated 827 /* If it is failed, discard just allocated
824 root, and then (in st_failure) stale node 828 root, and then (in st_failure) stale node
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 5b087c31d87b..0f9bdc5ee9f3 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -86,28 +86,30 @@ static int mip6_mh_len(int type)
86 86
87static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb) 87static int mip6_mh_filter(struct sock *sk, struct sk_buff *skb)
88{ 88{
89 struct ip6_mh *mh; 89 struct ip6_mh _hdr;
90 const struct ip6_mh *mh;
90 91
91 if (!pskb_may_pull(skb, (skb_transport_offset(skb)) + 8) || 92 mh = skb_header_pointer(skb, skb_transport_offset(skb),
92 !pskb_may_pull(skb, (skb_transport_offset(skb) + 93 sizeof(_hdr), &_hdr);
93 ((skb_transport_header(skb)[1] + 1) << 3)))) 94 if (!mh)
94 return -1; 95 return -1;
95 96
96 mh = (struct ip6_mh *)skb_transport_header(skb); 97 if (((mh->ip6mh_hdrlen + 1) << 3) > skb->len)
98 return -1;
97 99
98 if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) { 100 if (mh->ip6mh_hdrlen < mip6_mh_len(mh->ip6mh_type)) {
99 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n", 101 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n",
100 mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type)); 102 mh->ip6mh_hdrlen, mip6_mh_len(mh->ip6mh_type));
101 mip6_param_prob(skb, 0, ((&mh->ip6mh_hdrlen) - 103 mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_hdrlen) +
102 skb_network_header(skb))); 104 skb_network_header_len(skb));
103 return -1; 105 return -1;
104 } 106 }
105 107
106 if (mh->ip6mh_proto != IPPROTO_NONE) { 108 if (mh->ip6mh_proto != IPPROTO_NONE) {
107 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n", 109 LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n",
108 mh->ip6mh_proto); 110 mh->ip6mh_proto);
109 mip6_param_prob(skb, 0, ((&mh->ip6mh_proto) - 111 mip6_param_prob(skb, 0, offsetof(struct ip6_mh, ip6mh_proto) +
110 skb_network_header(skb))); 112 skb_network_header_len(skb));
111 return -1; 113 return -1;
112 } 114 }
113 115
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index da2e92d05c15..745a32042950 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -307,10 +307,10 @@ static int __net_init ipv6_proc_init_net(struct net *net)
307 goto proc_dev_snmp6_fail; 307 goto proc_dev_snmp6_fail;
308 return 0; 308 return 0;
309 309
310proc_dev_snmp6_fail:
311 proc_net_remove(net, "snmp6");
310proc_snmp6_fail: 312proc_snmp6_fail:
311 proc_net_remove(net, "sockstat6"); 313 proc_net_remove(net, "sockstat6");
312proc_dev_snmp6_fail:
313 proc_net_remove(net, "dev_snmp6");
314 return -ENOMEM; 314 return -ENOMEM;
315} 315}
316 316
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index ef0579d5bca6..4a5f78b50495 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -107,21 +107,20 @@ found:
107 * 0 - deliver 107 * 0 - deliver
108 * 1 - block 108 * 1 - block
109 */ 109 */
110static __inline__ int icmpv6_filter(struct sock *sk, struct sk_buff *skb) 110static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
111{ 111{
112 struct icmp6hdr *icmph; 112 struct icmp6hdr *_hdr;
113 struct raw6_sock *rp = raw6_sk(sk); 113 const struct icmp6hdr *hdr;
114
115 if (pskb_may_pull(skb, sizeof(struct icmp6hdr))) {
116 __u32 *data = &rp->filter.data[0];
117 int bit_nr;
118 114
119 icmph = (struct icmp6hdr *) skb->data; 115 hdr = skb_header_pointer(skb, skb_transport_offset(skb),
120 bit_nr = icmph->icmp6_type; 116 sizeof(_hdr), &_hdr);
117 if (hdr) {
118 const __u32 *data = &raw6_sk(sk)->filter.data[0];
119 unsigned int type = hdr->icmp6_type;
121 120
122 return (data[bit_nr >> 5] & (1 << (bit_nr & 31))) != 0; 121 return (data[type >> 5] & (1U << (type & 31))) != 0;
123 } 122 }
124 return 0; 123 return 1;
125} 124}
126 125
127#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 126#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8e80fd279100..854e4018d205 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -226,7 +226,7 @@ static struct rt6_info ip6_null_entry_template = {
226 .dst = { 226 .dst = {
227 .__refcnt = ATOMIC_INIT(1), 227 .__refcnt = ATOMIC_INIT(1),
228 .__use = 1, 228 .__use = 1,
229 .obsolete = -1, 229 .obsolete = DST_OBSOLETE_FORCE_CHK,
230 .error = -ENETUNREACH, 230 .error = -ENETUNREACH,
231 .input = ip6_pkt_discard, 231 .input = ip6_pkt_discard,
232 .output = ip6_pkt_discard_out, 232 .output = ip6_pkt_discard_out,
@@ -246,7 +246,7 @@ static struct rt6_info ip6_prohibit_entry_template = {
246 .dst = { 246 .dst = {
247 .__refcnt = ATOMIC_INIT(1), 247 .__refcnt = ATOMIC_INIT(1),
248 .__use = 1, 248 .__use = 1,
249 .obsolete = -1, 249 .obsolete = DST_OBSOLETE_FORCE_CHK,
250 .error = -EACCES, 250 .error = -EACCES,
251 .input = ip6_pkt_prohibit, 251 .input = ip6_pkt_prohibit,
252 .output = ip6_pkt_prohibit_out, 252 .output = ip6_pkt_prohibit_out,
@@ -261,7 +261,7 @@ static struct rt6_info ip6_blk_hole_entry_template = {
261 .dst = { 261 .dst = {
262 .__refcnt = ATOMIC_INIT(1), 262 .__refcnt = ATOMIC_INIT(1),
263 .__use = 1, 263 .__use = 1,
264 .obsolete = -1, 264 .obsolete = DST_OBSOLETE_FORCE_CHK,
265 .error = -EINVAL, 265 .error = -EINVAL,
266 .input = dst_discard, 266 .input = dst_discard,
267 .output = dst_discard, 267 .output = dst_discard,
@@ -281,13 +281,14 @@ static inline struct rt6_info *ip6_dst_alloc(struct net *net,
281 struct fib6_table *table) 281 struct fib6_table *table)
282{ 282{
283 struct rt6_info *rt = dst_alloc(&net->ipv6.ip6_dst_ops, dev, 283 struct rt6_info *rt = dst_alloc(&net->ipv6.ip6_dst_ops, dev,
284 0, DST_OBSOLETE_NONE, flags); 284 0, DST_OBSOLETE_FORCE_CHK, flags);
285 285
286 if (rt) { 286 if (rt) {
287 struct dst_entry *dst = &rt->dst; 287 struct dst_entry *dst = &rt->dst;
288 288
289 memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst)); 289 memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst));
290 rt6_init_peer(rt, table ? &table->tb6_peers : net->ipv6.peers); 290 rt6_init_peer(rt, table ? &table->tb6_peers : net->ipv6.peers);
291 rt->rt6i_genid = rt_genid(net);
291 } 292 }
292 return rt; 293 return rt;
293} 294}
@@ -1031,6 +1032,13 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
1031 1032
1032 rt = (struct rt6_info *) dst; 1033 rt = (struct rt6_info *) dst;
1033 1034
1035 /* All IPV6 dsts are created with ->obsolete set to the value
1036 * DST_OBSOLETE_FORCE_CHK which forces validation calls down
1037 * into this function always.
1038 */
1039 if (rt->rt6i_genid != rt_genid(dev_net(rt->dst.dev)))
1040 return NULL;
1041
1034 if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie)) { 1042 if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie)) {
1035 if (rt->rt6i_peer_genid != rt6_peer_genid()) { 1043 if (rt->rt6i_peer_genid != rt6_peer_genid()) {
1036 if (!rt6_has_peer(rt)) 1044 if (!rt6_has_peer(rt))
@@ -1397,8 +1405,6 @@ int ip6_route_add(struct fib6_config *cfg)
1397 goto out; 1405 goto out;
1398 } 1406 }
1399 1407
1400 rt->dst.obsolete = -1;
1401
1402 if (cfg->fc_flags & RTF_EXPIRES) 1408 if (cfg->fc_flags & RTF_EXPIRES)
1403 rt6_set_expires(rt, jiffies + 1409 rt6_set_expires(rt, jiffies +
1404 clock_t_to_jiffies(cfg->fc_expires)); 1410 clock_t_to_jiffies(cfg->fc_expires));
@@ -2080,7 +2086,6 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
2080 rt->dst.input = ip6_input; 2086 rt->dst.input = ip6_input;
2081 rt->dst.output = ip6_output; 2087 rt->dst.output = ip6_output;
2082 rt->rt6i_idev = idev; 2088 rt->rt6i_idev = idev;
2083 rt->dst.obsolete = -1;
2084 2089
2085 rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP; 2090 rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP;
2086 if (anycast) 2091 if (anycast)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index c66b90f71c9b..acd32e3f1b68 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -94,6 +94,18 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
94} 94}
95#endif 95#endif
96 96
97static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
98{
99 struct dst_entry *dst = skb_dst(skb);
100 const struct rt6_info *rt = (const struct rt6_info *)dst;
101
102 dst_hold(dst);
103 sk->sk_rx_dst = dst;
104 inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
105 if (rt->rt6i_node)
106 inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
107}
108
97static void tcp_v6_hash(struct sock *sk) 109static void tcp_v6_hash(struct sock *sk)
98{ 110{
99 if (sk->sk_state != TCP_CLOSE) { 111 if (sk->sk_state != TCP_CLOSE) {
@@ -391,8 +403,9 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
391 tp->mtu_info = ntohl(info); 403 tp->mtu_info = ntohl(info);
392 if (!sock_owned_by_user(sk)) 404 if (!sock_owned_by_user(sk))
393 tcp_v6_mtu_reduced(sk); 405 tcp_v6_mtu_reduced(sk);
394 else 406 else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED,
395 set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags); 407 &tp->tsq_flags))
408 sock_hold(sk);
396 goto out; 409 goto out;
397 } 410 }
398 411
@@ -1270,6 +1283,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
1270 1283
1271 newsk->sk_gso_type = SKB_GSO_TCPV6; 1284 newsk->sk_gso_type = SKB_GSO_TCPV6;
1272 __ip6_dst_store(newsk, dst, NULL, NULL); 1285 __ip6_dst_store(newsk, dst, NULL, NULL);
1286 inet6_sk_rx_dst_set(newsk, skb);
1273 1287
1274 newtcp6sk = (struct tcp6_sock *)newsk; 1288 newtcp6sk = (struct tcp6_sock *)newsk;
1275 inet_sk(newsk)->pinet6 = &newtcp6sk->inet6; 1289 inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
@@ -1447,7 +1461,17 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1447 opt_skb = skb_clone(skb, sk_gfp_atomic(sk, GFP_ATOMIC)); 1461 opt_skb = skb_clone(skb, sk_gfp_atomic(sk, GFP_ATOMIC));
1448 1462
1449 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ 1463 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1464 struct dst_entry *dst = sk->sk_rx_dst;
1465
1450 sock_rps_save_rxhash(sk, skb); 1466 sock_rps_save_rxhash(sk, skb);
1467 if (dst) {
1468 if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
1469 dst->ops->check(dst, np->rx_dst_cookie) == NULL) {
1470 dst_release(dst);
1471 sk->sk_rx_dst = NULL;
1472 }
1473 }
1474
1451 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) 1475 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
1452 goto reset; 1476 goto reset;
1453 if (opt_skb) 1477 if (opt_skb)
@@ -1705,9 +1729,9 @@ static void tcp_v6_early_demux(struct sk_buff *skb)
1705 struct dst_entry *dst = sk->sk_rx_dst; 1729 struct dst_entry *dst = sk->sk_rx_dst;
1706 struct inet_sock *icsk = inet_sk(sk); 1730 struct inet_sock *icsk = inet_sk(sk);
1707 if (dst) 1731 if (dst)
1708 dst = dst_check(dst, 0); 1732 dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
1709 if (dst && 1733 if (dst &&
1710 icsk->rx_dst_ifindex == inet6_iif(skb)) 1734 icsk->rx_dst_ifindex == skb->skb_iif)
1711 skb_dst_set_noref(skb, dst); 1735 skb_dst_set_noref(skb, dst);
1712 } 1736 }
1713 } 1737 }
@@ -1723,6 +1747,7 @@ static const struct inet_connection_sock_af_ops ipv6_specific = {
1723 .queue_xmit = inet6_csk_xmit, 1747 .queue_xmit = inet6_csk_xmit,
1724 .send_check = tcp_v6_send_check, 1748 .send_check = tcp_v6_send_check,
1725 .rebuild_header = inet6_sk_rebuild_header, 1749 .rebuild_header = inet6_sk_rebuild_header,
1750 .sk_rx_dst_set = inet6_sk_rx_dst_set,
1726 .conn_request = tcp_v6_conn_request, 1751 .conn_request = tcp_v6_conn_request,
1727 .syn_recv_sock = tcp_v6_syn_recv_sock, 1752 .syn_recv_sock = tcp_v6_syn_recv_sock,
1728 .net_header_len = sizeof(struct ipv6hdr), 1753 .net_header_len = sizeof(struct ipv6hdr),
@@ -1754,6 +1779,7 @@ static const struct inet_connection_sock_af_ops ipv6_mapped = {
1754 .queue_xmit = ip_queue_xmit, 1779 .queue_xmit = ip_queue_xmit,
1755 .send_check = tcp_v4_send_check, 1780 .send_check = tcp_v4_send_check,
1756 .rebuild_header = inet_sk_rebuild_header, 1781 .rebuild_header = inet_sk_rebuild_header,
1782 .sk_rx_dst_set = inet_sk_rx_dst_set,
1757 .conn_request = tcp_v6_conn_request, 1783 .conn_request = tcp_v6_conn_request,
1758 .syn_recv_sock = tcp_v6_syn_recv_sock, 1784 .syn_recv_sock = tcp_v6_syn_recv_sock,
1759 .net_header_len = sizeof(struct iphdr), 1785 .net_header_len = sizeof(struct iphdr),
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 99d0077b56b8..07e2bfef6845 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -394,6 +394,17 @@ try_again:
394 } 394 }
395 if (unlikely(err)) { 395 if (unlikely(err)) {
396 trace_kfree_skb(skb, udpv6_recvmsg); 396 trace_kfree_skb(skb, udpv6_recvmsg);
397 if (!peeked) {
398 atomic_inc(&sk->sk_drops);
399 if (is_udp4)
400 UDP_INC_STATS_USER(sock_net(sk),
401 UDP_MIB_INERRORS,
402 is_udplite);
403 else
404 UDP6_INC_STATS_USER(sock_net(sk),
405 UDP_MIB_INERRORS,
406 is_udplite);
407 }
397 goto out_free; 408 goto out_free;
398 } 409 }
399 if (!peeked) { 410 if (!peeked) {
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef39812107b1..f8c4c08ffb60 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -73,6 +73,13 @@ static int xfrm6_get_tos(const struct flowi *fl)
73 return 0; 73 return 0;
74} 74}
75 75
76static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
77{
78 struct rt6_info *rt = (struct rt6_info *)xdst;
79
80 rt6_init_peer(rt, net->ipv6.peers);
81}
82
76static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst, 83static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
77 int nfheader_len) 84 int nfheader_len)
78{ 85{
@@ -286,6 +293,7 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
286 .get_saddr = xfrm6_get_saddr, 293 .get_saddr = xfrm6_get_saddr,
287 .decode_session = _decode_session6, 294 .decode_session = _decode_session6,
288 .get_tos = xfrm6_get_tos, 295 .get_tos = xfrm6_get_tos,
296 .init_dst = xfrm6_init_dst,
289 .init_path = xfrm6_init_path, 297 .init_path = xfrm6_init_path,
290 .fill_dst = xfrm6_fill_dst, 298 .fill_dst = xfrm6_fill_dst,
291 .blackhole_route = ip6_blackhole_route, 299 .blackhole_route = ip6_blackhole_route,
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 393355d37b47..1a9f3723c13c 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1347,11 +1347,10 @@ static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1347 /* Remove from tunnel list */ 1347 /* Remove from tunnel list */
1348 spin_lock_bh(&pn->l2tp_tunnel_list_lock); 1348 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1349 list_del_rcu(&tunnel->list); 1349 list_del_rcu(&tunnel->list);
1350 kfree_rcu(tunnel, rcu);
1350 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1351 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1351 synchronize_rcu();
1352 1352
1353 atomic_dec(&l2tp_tunnel_count); 1353 atomic_dec(&l2tp_tunnel_count);
1354 kfree(tunnel);
1355} 1354}
1356 1355
1357/* Create a socket for the tunnel, if one isn't set up by 1356/* Create a socket for the tunnel, if one isn't set up by
@@ -1502,6 +1501,8 @@ out:
1502 return err; 1501 return err;
1503} 1502}
1504 1503
1504static struct lock_class_key l2tp_socket_class;
1505
1505int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp) 1506int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1506{ 1507{
1507 struct l2tp_tunnel *tunnel = NULL; 1508 struct l2tp_tunnel *tunnel = NULL;
@@ -1606,6 +1607,8 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1606 tunnel->old_sk_destruct = sk->sk_destruct; 1607 tunnel->old_sk_destruct = sk->sk_destruct;
1607 sk->sk_destruct = &l2tp_tunnel_destruct; 1608 sk->sk_destruct = &l2tp_tunnel_destruct;
1608 tunnel->sock = sk; 1609 tunnel->sock = sk;
1610 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1611
1609 sk->sk_allocation = GFP_ATOMIC; 1612 sk->sk_allocation = GFP_ATOMIC;
1610 1613
1611 /* Add tunnel to our list */ 1614 /* Add tunnel to our list */
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index a38ec6cdeee1..56d583e083a7 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -163,6 +163,7 @@ struct l2tp_tunnel_cfg {
163 163
164struct l2tp_tunnel { 164struct l2tp_tunnel {
165 int magic; /* Should be L2TP_TUNNEL_MAGIC */ 165 int magic; /* Should be L2TP_TUNNEL_MAGIC */
166 struct rcu_head rcu;
166 rwlock_t hlist_lock; /* protect session_hlist */ 167 rwlock_t hlist_lock; /* protect session_hlist */
167 struct hlist_head session_hlist[L2TP_HASH_SIZE]; 168 struct hlist_head session_hlist[L2TP_HASH_SIZE];
168 /* hashed list of sessions, 169 /* hashed list of sessions,
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index f9ee74deeac2..3bfb34aaee29 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -153,7 +153,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
153 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length); 153 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
154 } 154 }
155 155
156 if (!pskb_may_pull(skb, sizeof(ETH_HLEN))) 156 if (!pskb_may_pull(skb, ETH_HLEN))
157 goto error; 157 goto error;
158 158
159 secpath_reset(skb); 159 secpath_reset(skb);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 35e1e4bde587..927547171bc7 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,
410 lsa->l2tp_family = AF_INET6; 410 lsa->l2tp_family = AF_INET6;
411 lsa->l2tp_flowinfo = 0; 411 lsa->l2tp_flowinfo = 0;
412 lsa->l2tp_scope_id = 0; 412 lsa->l2tp_scope_id = 0;
413 lsa->l2tp_unused = 0;
413 if (peer) { 414 if (peer) {
414 if (!lsk->peer_conn_id) 415 if (!lsk->peer_conn_id)
415 return -ENOTCONN; 416 return -ENOTCONN;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index f6fe4d400502..c2190005a114 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
969 struct sockaddr_llc sllc; 969 struct sockaddr_llc sllc;
970 struct sock *sk = sock->sk; 970 struct sock *sk = sock->sk;
971 struct llc_sock *llc = llc_sk(sk); 971 struct llc_sock *llc = llc_sk(sk);
972 int rc = 0; 972 int rc = -EBADF;
973 973
974 memset(&sllc, 0, sizeof(sllc)); 974 memset(&sllc, 0, sizeof(sllc));
975 lock_sock(sk); 975 lock_sock(sk);
976 if (sock_flag(sk, SOCK_ZAPPED)) 976 if (sock_flag(sk, SOCK_ZAPPED))
977 goto out; 977 goto out;
978 *uaddrlen = sizeof(sllc); 978 *uaddrlen = sizeof(sllc);
979 memset(uaddr, 0, *uaddrlen);
980 if (peer) { 979 if (peer) {
981 rc = -ENOTCONN; 980 rc = -ENOTCONN;
982 if (sk->sk_state != TCP_ESTABLISHED) 981 if (sk->sk_state != TCP_ESTABLISHED)
@@ -1206,7 +1205,7 @@ static int __init llc2_init(void)
1206 rc = llc_proc_init(); 1205 rc = llc_proc_init();
1207 if (rc != 0) { 1206 if (rc != 0) {
1208 printk(llc_proc_err_msg); 1207 printk(llc_proc_err_msg);
1209 goto out_unregister_llc_proto; 1208 goto out_station;
1210 } 1209 }
1211 rc = llc_sysctl_init(); 1210 rc = llc_sysctl_init();
1212 if (rc) { 1211 if (rc) {
@@ -1226,7 +1225,8 @@ out_sysctl:
1226 llc_sysctl_exit(); 1225 llc_sysctl_exit();
1227out_proc: 1226out_proc:
1228 llc_proc_exit(); 1227 llc_proc_exit();
1229out_unregister_llc_proto: 1228out_station:
1229 llc_station_exit();
1230 proto_unregister(&llc_proto); 1230 proto_unregister(&llc_proto);
1231 goto out; 1231 goto out;
1232} 1232}
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index e32cab44ea95..dd3e83328ad5 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -42,6 +42,7 @@ static void (*llc_type_handlers[2])(struct llc_sap *sap,
42void llc_add_pack(int type, void (*handler)(struct llc_sap *sap, 42void llc_add_pack(int type, void (*handler)(struct llc_sap *sap,
43 struct sk_buff *skb)) 43 struct sk_buff *skb))
44{ 44{
45 smp_wmb(); /* ensure initialisation is complete before it's called */
45 if (type == LLC_DEST_SAP || type == LLC_DEST_CONN) 46 if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
46 llc_type_handlers[type - 1] = handler; 47 llc_type_handlers[type - 1] = handler;
47} 48}
@@ -50,11 +51,19 @@ void llc_remove_pack(int type)
50{ 51{
51 if (type == LLC_DEST_SAP || type == LLC_DEST_CONN) 52 if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
52 llc_type_handlers[type - 1] = NULL; 53 llc_type_handlers[type - 1] = NULL;
54 synchronize_net();
53} 55}
54 56
55void llc_set_station_handler(void (*handler)(struct sk_buff *skb)) 57void llc_set_station_handler(void (*handler)(struct sk_buff *skb))
56{ 58{
59 /* Ensure initialisation is complete before it's called */
60 if (handler)
61 smp_wmb();
62
57 llc_station_handler = handler; 63 llc_station_handler = handler;
64
65 if (!handler)
66 synchronize_net();
58} 67}
59 68
60/** 69/**
@@ -150,6 +159,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
150 int dest; 159 int dest;
151 int (*rcv)(struct sk_buff *, struct net_device *, 160 int (*rcv)(struct sk_buff *, struct net_device *,
152 struct packet_type *, struct net_device *); 161 struct packet_type *, struct net_device *);
162 void (*sta_handler)(struct sk_buff *skb);
163 void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
153 164
154 if (!net_eq(dev_net(dev), &init_net)) 165 if (!net_eq(dev_net(dev), &init_net))
155 goto drop; 166 goto drop;
@@ -182,7 +193,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
182 */ 193 */
183 rcv = rcu_dereference(sap->rcv_func); 194 rcv = rcu_dereference(sap->rcv_func);
184 dest = llc_pdu_type(skb); 195 dest = llc_pdu_type(skb);
185 if (unlikely(!dest || !llc_type_handlers[dest - 1])) { 196 sap_handler = dest ? ACCESS_ONCE(llc_type_handlers[dest - 1]) : NULL;
197 if (unlikely(!sap_handler)) {
186 if (rcv) 198 if (rcv)
187 rcv(skb, dev, pt, orig_dev); 199 rcv(skb, dev, pt, orig_dev);
188 else 200 else
@@ -193,7 +205,7 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
193 if (cskb) 205 if (cskb)
194 rcv(cskb, dev, pt, orig_dev); 206 rcv(cskb, dev, pt, orig_dev);
195 } 207 }
196 llc_type_handlers[dest - 1](sap, skb); 208 sap_handler(sap, skb);
197 } 209 }
198 llc_sap_put(sap); 210 llc_sap_put(sap);
199out: 211out:
@@ -202,9 +214,10 @@ drop:
202 kfree_skb(skb); 214 kfree_skb(skb);
203 goto out; 215 goto out;
204handle_station: 216handle_station:
205 if (!llc_station_handler) 217 sta_handler = ACCESS_ONCE(llc_station_handler);
218 if (!sta_handler)
206 goto drop; 219 goto drop;
207 llc_station_handler(skb); 220 sta_handler(skb);
208 goto out; 221 goto out;
209} 222}
210 223
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index 39a8d8924b9c..b2f2bac2c2a2 100644
--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -268,7 +268,7 @@ static int llc_station_ac_send_null_dsap_xid_c(struct sk_buff *skb)
268out: 268out:
269 return rc; 269 return rc;
270free: 270free:
271 kfree_skb(skb); 271 kfree_skb(nskb);
272 goto out; 272 goto out;
273} 273}
274 274
@@ -293,7 +293,7 @@ static int llc_station_ac_send_xid_r(struct sk_buff *skb)
293out: 293out:
294 return rc; 294 return rc;
295free: 295free:
296 kfree_skb(skb); 296 kfree_skb(nskb);
297 goto out; 297 goto out;
298} 298}
299 299
@@ -322,7 +322,7 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb)
322out: 322out:
323 return rc; 323 return rc;
324free: 324free:
325 kfree_skb(skb); 325 kfree_skb(nskb);
326 goto out; 326 goto out;
327} 327}
328 328
@@ -687,12 +687,8 @@ static void llc_station_rcv(struct sk_buff *skb)
687 llc_station_state_process(skb); 687 llc_station_state_process(skb);
688} 688}
689 689
690int __init llc_station_init(void) 690void __init llc_station_init(void)
691{ 691{
692 int rc = -ENOBUFS;
693 struct sk_buff *skb;
694 struct llc_station_state_ev *ev;
695
696 skb_queue_head_init(&llc_main_station.mac_pdu_q); 692 skb_queue_head_init(&llc_main_station.mac_pdu_q);
697 skb_queue_head_init(&llc_main_station.ev_q.list); 693 skb_queue_head_init(&llc_main_station.ev_q.list);
698 spin_lock_init(&llc_main_station.ev_q.lock); 694 spin_lock_init(&llc_main_station.ev_q.lock);
@@ -700,23 +696,12 @@ int __init llc_station_init(void)
700 (unsigned long)&llc_main_station); 696 (unsigned long)&llc_main_station);
701 llc_main_station.ack_timer.expires = jiffies + 697 llc_main_station.ack_timer.expires = jiffies +
702 sysctl_llc_station_ack_timeout; 698 sysctl_llc_station_ack_timeout;
703 skb = alloc_skb(0, GFP_ATOMIC);
704 if (!skb)
705 goto out;
706 rc = 0;
707 llc_set_station_handler(llc_station_rcv);
708 ev = llc_station_ev(skb);
709 memset(ev, 0, sizeof(*ev));
710 llc_main_station.maximum_retry = 1; 699 llc_main_station.maximum_retry = 1;
711 llc_main_station.state = LLC_STATION_STATE_DOWN; 700 llc_main_station.state = LLC_STATION_STATE_UP;
712 ev->type = LLC_STATION_EV_TYPE_SIMPLE; 701 llc_set_station_handler(llc_station_rcv);
713 ev->prim_type = LLC_STATION_EV_ENABLE_WITHOUT_DUP_ADDR_CHECK;
714 rc = llc_station_next_state(skb);
715out:
716 return rc;
717} 702}
718 703
719void __exit llc_station_exit(void) 704void llc_station_exit(void)
720{ 705{
721 llc_set_station_handler(NULL); 706 llc_set_station_handler(NULL);
722} 707}
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index d41974aacf51..a58c0b649ba1 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1378,6 +1378,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
1378 else 1378 else
1379 memset(next_hop, 0, ETH_ALEN); 1379 memset(next_hop, 0, ETH_ALEN);
1380 1380
1381 memset(pinfo, 0, sizeof(*pinfo));
1382
1381 pinfo->generation = mesh_paths_generation; 1383 pinfo->generation = mesh_paths_generation;
1382 1384
1383 pinfo->filled = MPATH_INFO_FRAME_QLEN | 1385 pinfo->filled = MPATH_INFO_FRAME_QLEN |
@@ -1396,7 +1398,6 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
1396 pinfo->discovery_timeout = 1398 pinfo->discovery_timeout =
1397 jiffies_to_msecs(mpath->discovery_timeout); 1399 jiffies_to_msecs(mpath->discovery_timeout);
1398 pinfo->discovery_retries = mpath->discovery_retries; 1400 pinfo->discovery_retries = mpath->discovery_retries;
1399 pinfo->flags = 0;
1400 if (mpath->flags & MESH_PATH_ACTIVE) 1401 if (mpath->flags & MESH_PATH_ACTIVE)
1401 pinfo->flags |= NL80211_MPATH_FLAG_ACTIVE; 1402 pinfo->flags |= NL80211_MPATH_FLAG_ACTIVE;
1402 if (mpath->flags & MESH_PATH_RESOLVING) 1403 if (mpath->flags & MESH_PATH_RESOLVING)
@@ -1405,10 +1406,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
1405 pinfo->flags |= NL80211_MPATH_FLAG_SN_VALID; 1406 pinfo->flags |= NL80211_MPATH_FLAG_SN_VALID;
1406 if (mpath->flags & MESH_PATH_FIXED) 1407 if (mpath->flags & MESH_PATH_FIXED)
1407 pinfo->flags |= NL80211_MPATH_FLAG_FIXED; 1408 pinfo->flags |= NL80211_MPATH_FLAG_FIXED;
1408 if (mpath->flags & MESH_PATH_RESOLVING) 1409 if (mpath->flags & MESH_PATH_RESOLVED)
1409 pinfo->flags |= NL80211_MPATH_FLAG_RESOLVING; 1410 pinfo->flags |= NL80211_MPATH_FLAG_RESOLVED;
1410
1411 pinfo->flags = mpath->flags;
1412} 1411}
1413 1412
1414static int ieee80211_get_mpath(struct wiphy *wiphy, struct net_device *dev, 1413static int ieee80211_get_mpath(struct wiphy *wiphy, struct net_device *dev,
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 6fac18c0423f..85572353a7e3 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -622,6 +622,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
622 622
623 del_timer_sync(&sdata->u.mesh.housekeeping_timer); 623 del_timer_sync(&sdata->u.mesh.housekeeping_timer);
624 del_timer_sync(&sdata->u.mesh.mesh_path_root_timer); 624 del_timer_sync(&sdata->u.mesh.mesh_path_root_timer);
625 del_timer_sync(&sdata->u.mesh.mesh_path_timer);
625 /* 626 /*
626 * If the timer fired while we waited for it, it will have 627 * If the timer fired while we waited for it, it will have
627 * requeued the work. Now the work will be running again 628 * requeued the work. Now the work will be running again
@@ -634,6 +635,8 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
634 local->fif_other_bss--; 635 local->fif_other_bss--;
635 atomic_dec(&local->iff_allmultis); 636 atomic_dec(&local->iff_allmultis);
636 ieee80211_configure_filter(local); 637 ieee80211_configure_filter(local);
638
639 sdata->u.mesh.timers_running = 0;
637} 640}
638 641
639static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, 642static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index cef0c9e79aba..f76b83341cf9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1430,6 +1430,8 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1430 del_timer_sync(&sdata->u.mgd.bcn_mon_timer); 1430 del_timer_sync(&sdata->u.mgd.bcn_mon_timer);
1431 del_timer_sync(&sdata->u.mgd.timer); 1431 del_timer_sync(&sdata->u.mgd.timer);
1432 del_timer_sync(&sdata->u.mgd.chswitch_timer); 1432 del_timer_sync(&sdata->u.mgd.chswitch_timer);
1433
1434 sdata->u.mgd.timers_running = 0;
1433} 1435}
1434 1436
1435void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata, 1437void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
@@ -3246,6 +3248,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
3246 goto out_unlock; 3248 goto out_unlock;
3247 3249
3248 err_clear: 3250 err_clear:
3251 memset(ifmgd->bssid, 0, ETH_ALEN);
3252 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
3249 ifmgd->auth_data = NULL; 3253 ifmgd->auth_data = NULL;
3250 err_free: 3254 err_free:
3251 kfree(auth_data); 3255 kfree(auth_data);
@@ -3437,6 +3441,8 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
3437 err = 0; 3441 err = 0;
3438 goto out; 3442 goto out;
3439 err_clear: 3443 err_clear:
3444 memset(ifmgd->bssid, 0, ETH_ALEN);
3445 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
3440 ifmgd->assoc_data = NULL; 3446 ifmgd->assoc_data = NULL;
3441 err_free: 3447 err_free:
3442 kfree(assoc_data); 3448 kfree(assoc_data);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index bcaee5d12839..839dd9737989 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -299,7 +299,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
299 if (local->scan_req != local->int_scan_req) 299 if (local->scan_req != local->int_scan_req)
300 cfg80211_scan_done(local->scan_req, aborted); 300 cfg80211_scan_done(local->scan_req, aborted);
301 local->scan_req = NULL; 301 local->scan_req = NULL;
302 local->scan_sdata = NULL; 302 rcu_assign_pointer(local->scan_sdata, NULL);
303 303
304 local->scanning = 0; 304 local->scanning = 0;
305 local->scan_channel = NULL; 305 local->scan_channel = NULL;
@@ -984,7 +984,6 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
984 kfree(local->sched_scan_ies.ie[i]); 984 kfree(local->sched_scan_ies.ie[i]);
985 985
986 drv_sched_scan_stop(local, sdata); 986 drv_sched_scan_stop(local, sdata);
987 rcu_assign_pointer(local->sched_scan_sdata, NULL);
988 } 987 }
989out: 988out:
990 mutex_unlock(&local->mtx); 989 mutex_unlock(&local->mtx);
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index acf712ffb5e6..c5e8c9c31f76 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1811,37 +1811,31 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1811 meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr, 1811 meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
1812 sdata, NULL, NULL); 1812 sdata, NULL, NULL);
1813 } else { 1813 } else {
1814 int is_mesh_mcast = 1; 1814 /* DS -> MBSS (802.11-2012 13.11.3.3).
1815 const u8 *mesh_da; 1815 * For unicast with unknown forwarding information,
1816 * destination might be in the MBSS or if that fails
1817 * forwarded to another mesh gate. In either case
1818 * resolution will be handled in ieee80211_xmit(), so
1819 * leave the original DA. This also works for mcast */
1820 const u8 *mesh_da = skb->data;
1821
1822 if (mppath)
1823 mesh_da = mppath->mpp;
1824 else if (mpath)
1825 mesh_da = mpath->dst;
1826 rcu_read_unlock();
1816 1827
1817 if (is_multicast_ether_addr(skb->data))
1818 /* DA TA mSA AE:SA */
1819 mesh_da = skb->data;
1820 else {
1821 static const u8 bcast[ETH_ALEN] =
1822 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1823 if (mppath) {
1824 /* RA TA mDA mSA AE:DA SA */
1825 mesh_da = mppath->mpp;
1826 is_mesh_mcast = 0;
1827 } else if (mpath) {
1828 mesh_da = mpath->dst;
1829 is_mesh_mcast = 0;
1830 } else {
1831 /* DA TA mSA AE:SA */
1832 mesh_da = bcast;
1833 }
1834 }
1835 hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc, 1828 hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
1836 mesh_da, sdata->vif.addr); 1829 mesh_da, sdata->vif.addr);
1837 rcu_read_unlock(); 1830 if (is_multicast_ether_addr(mesh_da))
1838 if (is_mesh_mcast) 1831 /* DA TA mSA AE:SA */
1839 meshhdrlen = 1832 meshhdrlen =
1840 ieee80211_new_mesh_header(&mesh_hdr, 1833 ieee80211_new_mesh_header(&mesh_hdr,
1841 sdata, 1834 sdata,
1842 skb->data + ETH_ALEN, 1835 skb->data + ETH_ALEN,
1843 NULL); 1836 NULL);
1844 else 1837 else
1838 /* RA TA mDA mSA AE:DA SA */
1845 meshhdrlen = 1839 meshhdrlen =
1846 ieee80211_new_mesh_header(&mesh_hdr, 1840 ieee80211_new_mesh_header(&mesh_hdr,
1847 sdata, 1841 sdata,
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 84444dda194b..f51013c07b9f 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1171,8 +1171,10 @@ ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
1171 goto out_err; 1171 goto out_err;
1172 } 1172 }
1173 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats); 1173 svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
1174 if (!svc->stats.cpustats) 1174 if (!svc->stats.cpustats) {
1175 ret = -ENOMEM;
1175 goto out_err; 1176 goto out_err;
1177 }
1176 1178
1177 /* I'm the first user of the service */ 1179 /* I'm the first user of the service */
1178 atomic_set(&svc->usecnt, 0); 1180 atomic_set(&svc->usecnt, 0);
@@ -2759,6 +2761,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2759 { 2761 {
2760 struct ip_vs_timeout_user t; 2762 struct ip_vs_timeout_user t;
2761 2763
2764 memset(&t, 0, sizeof(t));
2762 __ip_vs_get_timeouts(net, &t); 2765 __ip_vs_get_timeouts(net, &t);
2763 if (copy_to_user(user, &t, sizeof(t)) != 0) 2766 if (copy_to_user(user, &t, sizeof(t)) != 0)
2764 ret = -EFAULT; 2767 ret = -EFAULT;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cf4875565d67..2ceec64b19f9 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -249,12 +249,15 @@ static void death_by_event(unsigned long ul_conntrack)
249{ 249{
250 struct nf_conn *ct = (void *)ul_conntrack; 250 struct nf_conn *ct = (void *)ul_conntrack;
251 struct net *net = nf_ct_net(ct); 251 struct net *net = nf_ct_net(ct);
252 struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
253
254 BUG_ON(ecache == NULL);
252 255
253 if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) { 256 if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
254 /* bad luck, let's retry again */ 257 /* bad luck, let's retry again */
255 ct->timeout.expires = jiffies + 258 ecache->timeout.expires = jiffies +
256 (random32() % net->ct.sysctl_events_retry_timeout); 259 (random32() % net->ct.sysctl_events_retry_timeout);
257 add_timer(&ct->timeout); 260 add_timer(&ecache->timeout);
258 return; 261 return;
259 } 262 }
260 /* we've got the event delivered, now it's dying */ 263 /* we've got the event delivered, now it's dying */
@@ -268,6 +271,9 @@ static void death_by_event(unsigned long ul_conntrack)
268void nf_ct_insert_dying_list(struct nf_conn *ct) 271void nf_ct_insert_dying_list(struct nf_conn *ct)
269{ 272{
270 struct net *net = nf_ct_net(ct); 273 struct net *net = nf_ct_net(ct);
274 struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
275
276 BUG_ON(ecache == NULL);
271 277
272 /* add this conntrack to the dying list */ 278 /* add this conntrack to the dying list */
273 spin_lock_bh(&nf_conntrack_lock); 279 spin_lock_bh(&nf_conntrack_lock);
@@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_conn *ct)
275 &net->ct.dying); 281 &net->ct.dying);
276 spin_unlock_bh(&nf_conntrack_lock); 282 spin_unlock_bh(&nf_conntrack_lock);
277 /* set a new timer to retry event delivery */ 283 /* set a new timer to retry event delivery */
278 setup_timer(&ct->timeout, death_by_event, (unsigned long)ct); 284 setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
279 ct->timeout.expires = jiffies + 285 ecache->timeout.expires = jiffies +
280 (random32() % net->ct.sysctl_events_retry_timeout); 286 (random32() % net->ct.sysctl_events_retry_timeout);
281 add_timer(&ct->timeout); 287 add_timer(&ecache->timeout);
282} 288}
283EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list); 289EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
284 290
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 45cf602a76bc..527651a53a45 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -361,23 +361,6 @@ static void evict_oldest_expect(struct nf_conn *master,
361 } 361 }
362} 362}
363 363
364static inline int refresh_timer(struct nf_conntrack_expect *i)
365{
366 struct nf_conn_help *master_help = nfct_help(i->master);
367 const struct nf_conntrack_expect_policy *p;
368
369 if (!del_timer(&i->timeout))
370 return 0;
371
372 p = &rcu_dereference_protected(
373 master_help->helper,
374 lockdep_is_held(&nf_conntrack_lock)
375 )->expect_policy[i->class];
376 i->timeout.expires = jiffies + p->timeout * HZ;
377 add_timer(&i->timeout);
378 return 1;
379}
380
381static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) 364static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
382{ 365{
383 const struct nf_conntrack_expect_policy *p; 366 const struct nf_conntrack_expect_policy *p;
@@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
386 struct nf_conn_help *master_help = nfct_help(master); 369 struct nf_conn_help *master_help = nfct_help(master);
387 struct nf_conntrack_helper *helper; 370 struct nf_conntrack_helper *helper;
388 struct net *net = nf_ct_exp_net(expect); 371 struct net *net = nf_ct_exp_net(expect);
389 struct hlist_node *n; 372 struct hlist_node *n, *next;
390 unsigned int h; 373 unsigned int h;
391 int ret = 1; 374 int ret = 1;
392 375
@@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
395 goto out; 378 goto out;
396 } 379 }
397 h = nf_ct_expect_dst_hash(&expect->tuple); 380 h = nf_ct_expect_dst_hash(&expect->tuple);
398 hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { 381 hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) {
399 if (expect_matches(i, expect)) { 382 if (expect_matches(i, expect)) {
400 /* Refresh timer: if it's dying, ignore.. */ 383 if (del_timer(&i->timeout)) {
401 if (refresh_timer(i)) { 384 nf_ct_unlink_expect(i);
402 ret = 0; 385 nf_ct_expect_put(i);
403 goto out; 386 break;
404 } 387 }
405 } else if (expect_clash(i, expect)) { 388 } else if (expect_clash(i, expect)) {
406 ret = -EBUSY; 389 ret = -EBUSY;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 14f67a2cbcb5..9807f3278fcb 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1896,10 +1896,15 @@ static int
1896ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct) 1896ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
1897{ 1897{
1898 struct nlattr *cda[CTA_MAX+1]; 1898 struct nlattr *cda[CTA_MAX+1];
1899 int ret;
1899 1900
1900 nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy); 1901 nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
1901 1902
1902 return ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct); 1903 spin_lock_bh(&nf_conntrack_lock);
1904 ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
1905 spin_unlock_bh(&nf_conntrack_lock);
1906
1907 return ret;
1903} 1908}
1904 1909
1905static struct nfq_ct_hook ctnetlink_nfqueue_hook = { 1910static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
@@ -2785,7 +2790,8 @@ static int __init ctnetlink_init(void)
2785 goto err_unreg_subsys; 2790 goto err_unreg_subsys;
2786 } 2791 }
2787 2792
2788 if (register_pernet_subsys(&ctnetlink_net_ops)) { 2793 ret = register_pernet_subsys(&ctnetlink_net_ops);
2794 if (ret < 0) {
2789 pr_err("ctnetlink_init: cannot register pernet operations\n"); 2795 pr_err("ctnetlink_init: cannot register pernet operations\n");
2790 goto err_unreg_exp_subsys; 2796 goto err_unreg_exp_subsys;
2791 } 2797 }
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a5ac11ebef33..e046b3756aab 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
158 * sCL -> sSS 158 * sCL -> sSS
159 */ 159 */
160/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 160/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
161/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, 161/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
162/* 162/*
163 * sNO -> sIV Too late and no reason to do anything 163 * sNO -> sIV Too late and no reason to do anything
164 * sSS -> sIV Client can't send SYN and then SYN/ACK 164 * sSS -> sIV Client can't send SYN and then SYN/ACK
165 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open 165 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
166 * sSR -> sIG 166 * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
167 * sES -> sIG Error: SYNs in window outside the SYN_SENT state 167 * sES -> sIV Invalid SYN/ACK packets sent by the client
168 * are errors. Receiver will reply with RST 168 * sFW -> sIV
169 * and close the connection. 169 * sCW -> sIV
170 * Or we are not in sync and hold a dead connection. 170 * sLA -> sIV
171 * sFW -> sIG 171 * sTW -> sIV
172 * sCW -> sIG 172 * sCL -> sIV
173 * sLA -> sIG
174 * sTW -> sIG
175 * sCL -> sIG
176 */ 173 */
177/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 174/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
178/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, 175/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
@@ -633,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
633 ack = sack = receiver->td_end; 630 ack = sack = receiver->td_end;
634 } 631 }
635 632
636 if (seq == end 633 if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
637 && (!tcph->rst
638 || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
639 /* 634 /*
640 * Packets contains no data: we assume it is valid 635 * RST sent answering SYN.
641 * and check the ack value only.
642 * However RST segments are always validated by their
643 * SEQ number, except when seq == 0 (reset sent answering
644 * SYN.
645 */ 636 */
646 seq = end = sender->td_end; 637 seq = end = sender->td_end;
647 638
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 758a1bacc126..5c0a112aeee6 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -183,12 +183,12 @@ static int media_len(const struct nf_conn *ct, const char *dptr,
183 return len + digits_len(ct, dptr, limit, shift); 183 return len + digits_len(ct, dptr, limit, shift);
184} 184}
185 185
186static int parse_addr(const struct nf_conn *ct, const char *cp, 186static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
187 const char **endp, union nf_inet_addr *addr, 187 const char **endp, union nf_inet_addr *addr,
188 const char *limit) 188 const char *limit, bool delim)
189{ 189{
190 const char *end; 190 const char *end;
191 int ret = 0; 191 int ret;
192 192
193 if (!ct) 193 if (!ct)
194 return 0; 194 return 0;
@@ -197,16 +197,28 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
197 switch (nf_ct_l3num(ct)) { 197 switch (nf_ct_l3num(ct)) {
198 case AF_INET: 198 case AF_INET:
199 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end); 199 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
200 if (ret == 0)
201 return 0;
200 break; 202 break;
201 case AF_INET6: 203 case AF_INET6:
204 if (cp < limit && *cp == '[')
205 cp++;
206 else if (delim)
207 return 0;
208
202 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end); 209 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
210 if (ret == 0)
211 return 0;
212
213 if (end < limit && *end == ']')
214 end++;
215 else if (delim)
216 return 0;
203 break; 217 break;
204 default: 218 default:
205 BUG(); 219 BUG();
206 } 220 }
207 221
208 if (ret == 0 || end == cp)
209 return 0;
210 if (endp) 222 if (endp)
211 *endp = end; 223 *endp = end;
212 return 1; 224 return 1;
@@ -219,7 +231,7 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
219 union nf_inet_addr addr; 231 union nf_inet_addr addr;
220 const char *aux = dptr; 232 const char *aux = dptr;
221 233
222 if (!parse_addr(ct, dptr, &dptr, &addr, limit)) { 234 if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
223 pr_debug("ip: %s parse failed.!\n", dptr); 235 pr_debug("ip: %s parse failed.!\n", dptr);
224 return 0; 236 return 0;
225 } 237 }
@@ -296,7 +308,7 @@ int ct_sip_parse_request(const struct nf_conn *ct,
296 return 0; 308 return 0;
297 dptr += shift; 309 dptr += shift;
298 310
299 if (!parse_addr(ct, dptr, &end, addr, limit)) 311 if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
300 return -1; 312 return -1;
301 if (end < limit && *end == ':') { 313 if (end < limit && *end == ':') {
302 end++; 314 end++;
@@ -550,7 +562,7 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
550 if (ret == 0) 562 if (ret == 0)
551 return ret; 563 return ret;
552 564
553 if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit)) 565 if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
554 return -1; 566 return -1;
555 if (*c == ':') { 567 if (*c == ':') {
556 c++; 568 c++;
@@ -599,7 +611,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
599 unsigned int dataoff, unsigned int datalen, 611 unsigned int dataoff, unsigned int datalen,
600 const char *name, 612 const char *name,
601 unsigned int *matchoff, unsigned int *matchlen, 613 unsigned int *matchoff, unsigned int *matchlen,
602 union nf_inet_addr *addr) 614 union nf_inet_addr *addr, bool delim)
603{ 615{
604 const char *limit = dptr + datalen; 616 const char *limit = dptr + datalen;
605 const char *start, *end; 617 const char *start, *end;
@@ -613,7 +625,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
613 return 0; 625 return 0;
614 626
615 start += strlen(name); 627 start += strlen(name);
616 if (!parse_addr(ct, start, &end, addr, limit)) 628 if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
617 return 0; 629 return 0;
618 *matchoff = start - dptr; 630 *matchoff = start - dptr;
619 *matchlen = end - start; 631 *matchlen = end - start;
@@ -675,6 +687,47 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
675 return 1; 687 return 1;
676} 688}
677 689
690static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
691 const char **endp, union nf_inet_addr *addr,
692 const char *limit)
693{
694 const char *end;
695 int ret;
696
697 memset(addr, 0, sizeof(*addr));
698 switch (nf_ct_l3num(ct)) {
699 case AF_INET:
700 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
701 break;
702 case AF_INET6:
703 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
704 break;
705 default:
706 BUG();
707 }
708
709 if (ret == 0)
710 return 0;
711 if (endp)
712 *endp = end;
713 return 1;
714}
715
716/* skip ip address. returns its length. */
717static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
718 const char *limit, int *shift)
719{
720 union nf_inet_addr addr;
721 const char *aux = dptr;
722
723 if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
724 pr_debug("ip: %s parse failed.!\n", dptr);
725 return 0;
726 }
727
728 return dptr - aux;
729}
730
678/* SDP header parsing: a SDP session description contains an ordered set of 731/* SDP header parsing: a SDP session description contains an ordered set of
679 * headers, starting with a section containing general session parameters, 732 * headers, starting with a section containing general session parameters,
680 * optionally followed by multiple media descriptions. 733 * optionally followed by multiple media descriptions.
@@ -686,10 +739,10 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
686 */ 739 */
687static const struct sip_header ct_sdp_hdrs[] = { 740static const struct sip_header ct_sdp_hdrs[] = {
688 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len), 741 [SDP_HDR_VERSION] = SDP_HDR("v=", NULL, digits_len),
689 [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", epaddr_len), 742 [SDP_HDR_OWNER_IP4] = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
690 [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", epaddr_len), 743 [SDP_HDR_CONNECTION_IP4] = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
691 [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", epaddr_len), 744 [SDP_HDR_OWNER_IP6] = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
692 [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", epaddr_len), 745 [SDP_HDR_CONNECTION_IP6] = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
693 [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len), 746 [SDP_HDR_MEDIA] = SDP_HDR("m=", NULL, media_len),
694}; 747};
695 748
@@ -775,8 +828,8 @@ static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
775 if (ret <= 0) 828 if (ret <= 0)
776 return ret; 829 return ret;
777 830
778 if (!parse_addr(ct, dptr + *matchoff, NULL, addr, 831 if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
779 dptr + *matchoff + *matchlen)) 832 dptr + *matchoff + *matchlen))
780 return -1; 833 return -1;
781 return 1; 834 return 1;
782} 835}
@@ -1515,7 +1568,6 @@ static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
1515} 1568}
1516 1569
1517static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly; 1570static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
1518static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
1519 1571
1520static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = { 1572static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
1521 [SIP_EXPECT_SIGNALLING] = { 1573 [SIP_EXPECT_SIGNALLING] = {
@@ -1585,9 +1637,9 @@ static int __init nf_conntrack_sip_init(void)
1585 sip[i][j].me = THIS_MODULE; 1637 sip[i][j].me = THIS_MODULE;
1586 1638
1587 if (ports[i] == SIP_PORT) 1639 if (ports[i] == SIP_PORT)
1588 sprintf(sip_names[i][j], "sip"); 1640 sprintf(sip[i][j].name, "sip");
1589 else 1641 else
1590 sprintf(sip_names[i][j], "sip-%u", i); 1642 sprintf(sip[i][j].name, "sip-%u", i);
1591 1643
1592 pr_debug("port #%u: %u\n", i, ports[i]); 1644 pr_debug("port #%u: %u\n", i, ports[i]);
1593 1645
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 169ab59ed9d4..5cfb5bedb2b8 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -381,6 +381,7 @@ __build_packet_message(struct nfulnl_instance *inst,
381 struct nlmsghdr *nlh; 381 struct nlmsghdr *nlh;
382 struct nfgenmsg *nfmsg; 382 struct nfgenmsg *nfmsg;
383 sk_buff_data_t old_tail = inst->skb->tail; 383 sk_buff_data_t old_tail = inst->skb->tail;
384 struct sock *sk;
384 385
385 nlh = nlmsg_put(inst->skb, 0, 0, 386 nlh = nlmsg_put(inst->skb, 0, 0,
386 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, 387 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
@@ -480,7 +481,7 @@ __build_packet_message(struct nfulnl_instance *inst,
480 } 481 }
481 482
482 if (indev && skb_mac_header_was_set(skb)) { 483 if (indev && skb_mac_header_was_set(skb)) {
483 if (nla_put_be32(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) || 484 if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
484 nla_put_be16(inst->skb, NFULA_HWLEN, 485 nla_put_be16(inst->skb, NFULA_HWLEN,
485 htons(skb->dev->hard_header_len)) || 486 htons(skb->dev->hard_header_len)) ||
486 nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len, 487 nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
@@ -499,18 +500,19 @@ __build_packet_message(struct nfulnl_instance *inst,
499 } 500 }
500 501
501 /* UID */ 502 /* UID */
502 if (skb->sk) { 503 sk = skb->sk;
503 read_lock_bh(&skb->sk->sk_callback_lock); 504 if (sk && sk->sk_state != TCP_TIME_WAIT) {
504 if (skb->sk->sk_socket && skb->sk->sk_socket->file) { 505 read_lock_bh(&sk->sk_callback_lock);
505 struct file *file = skb->sk->sk_socket->file; 506 if (sk->sk_socket && sk->sk_socket->file) {
507 struct file *file = sk->sk_socket->file;
506 __be32 uid = htonl(file->f_cred->fsuid); 508 __be32 uid = htonl(file->f_cred->fsuid);
507 __be32 gid = htonl(file->f_cred->fsgid); 509 __be32 gid = htonl(file->f_cred->fsgid);
508 read_unlock_bh(&skb->sk->sk_callback_lock); 510 read_unlock_bh(&sk->sk_callback_lock);
509 if (nla_put_be32(inst->skb, NFULA_UID, uid) || 511 if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
510 nla_put_be32(inst->skb, NFULA_GID, gid)) 512 nla_put_be32(inst->skb, NFULA_GID, gid))
511 goto nla_put_failure; 513 goto nla_put_failure;
512 } else 514 } else
513 read_unlock_bh(&skb->sk->sk_callback_lock); 515 read_unlock_bh(&sk->sk_callback_lock);
514 } 516 }
515 517
516 /* local sequence number */ 518 /* local sequence number */
@@ -996,8 +998,10 @@ static int __init nfnetlink_log_init(void)
996 998
997#ifdef CONFIG_PROC_FS 999#ifdef CONFIG_PROC_FS
998 if (!proc_create("nfnetlink_log", 0440, 1000 if (!proc_create("nfnetlink_log", 0440,
999 proc_net_netfilter, &nful_file_ops)) 1001 proc_net_netfilter, &nful_file_ops)) {
1002 status = -ENOMEM;
1000 goto cleanup_logger; 1003 goto cleanup_logger;
1004 }
1001#endif 1005#endif
1002 return status; 1006 return status;
1003 1007
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index ff5f75fddb15..91e9af4d1f42 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -145,6 +145,19 @@ static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
145 return 0; 145 return 0;
146} 146}
147 147
148static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
149{
150 if (!sk || sk->sk_state == TCP_TIME_WAIT)
151 return;
152
153 read_lock_bh(&sk->sk_callback_lock);
154 if (sk->sk_socket && sk->sk_socket->file)
155 sb_add(m, "UID=%u GID=%u ",
156 sk->sk_socket->file->f_cred->fsuid,
157 sk->sk_socket->file->f_cred->fsgid);
158 read_unlock_bh(&sk->sk_callback_lock);
159}
160
148/* One level of recursion won't kill us */ 161/* One level of recursion won't kill us */
149static void dump_ipv4_packet(struct sbuff *m, 162static void dump_ipv4_packet(struct sbuff *m,
150 const struct nf_loginfo *info, 163 const struct nf_loginfo *info,
@@ -361,14 +374,8 @@ static void dump_ipv4_packet(struct sbuff *m,
361 } 374 }
362 375
363 /* Max length: 15 "UID=4294967295 " */ 376 /* Max length: 15 "UID=4294967295 " */
364 if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) { 377 if ((logflags & XT_LOG_UID) && !iphoff)
365 read_lock_bh(&skb->sk->sk_callback_lock); 378 dump_sk_uid_gid(m, skb->sk);
366 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
367 sb_add(m, "UID=%u GID=%u ",
368 skb->sk->sk_socket->file->f_cred->fsuid,
369 skb->sk->sk_socket->file->f_cred->fsgid);
370 read_unlock_bh(&skb->sk->sk_callback_lock);
371 }
372 379
373 /* Max length: 16 "MARK=0xFFFFFFFF " */ 380 /* Max length: 16 "MARK=0xFFFFFFFF " */
374 if (!iphoff && skb->mark) 381 if (!iphoff && skb->mark)
@@ -436,8 +443,8 @@ log_packet_common(struct sbuff *m,
436 const struct nf_loginfo *loginfo, 443 const struct nf_loginfo *loginfo,
437 const char *prefix) 444 const char *prefix)
438{ 445{
439 sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, 446 sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
440 prefix, 447 '0' + loginfo->u.log.level, prefix,
441 in ? in->name : "", 448 in ? in->name : "",
442 out ? out->name : ""); 449 out ? out->name : "");
443#ifdef CONFIG_BRIDGE_NETFILTER 450#ifdef CONFIG_BRIDGE_NETFILTER
@@ -717,14 +724,8 @@ static void dump_ipv6_packet(struct sbuff *m,
717 } 724 }
718 725
719 /* Max length: 15 "UID=4294967295 " */ 726 /* Max length: 15 "UID=4294967295 " */
720 if ((logflags & XT_LOG_UID) && recurse && skb->sk) { 727 if ((logflags & XT_LOG_UID) && recurse)
721 read_lock_bh(&skb->sk->sk_callback_lock); 728 dump_sk_uid_gid(m, skb->sk);
722 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
723 sb_add(m, "UID=%u GID=%u ",
724 skb->sk->sk_socket->file->f_cred->fsuid,
725 skb->sk->sk_socket->file->f_cred->fsgid);
726 read_unlock_bh(&skb->sk->sk_callback_lock);
727 }
728 729
729 /* Max length: 16 "MARK=0xFFFFFFFF " */ 730 /* Max length: 16 "MARK=0xFFFFFFFF " */
730 if (!recurse && skb->mark) 731 if (!recurse && skb->mark)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5463969da45b..527023823b5c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
1362 if (NULL == siocb->scm) 1362 if (NULL == siocb->scm)
1363 siocb->scm = &scm; 1363 siocb->scm = &scm;
1364 1364
1365 err = scm_send(sock, msg, siocb->scm); 1365 err = scm_send(sock, msg, siocb->scm, true);
1366 if (err < 0) 1366 if (err < 0)
1367 return err; 1367 return err;
1368 1368
@@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
1373 dst_pid = addr->nl_pid; 1373 dst_pid = addr->nl_pid;
1374 dst_group = ffs(addr->nl_groups); 1374 dst_group = ffs(addr->nl_groups);
1375 err = -EPERM; 1375 err = -EPERM;
1376 if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND)) 1376 if ((dst_group || dst_pid) &&
1377 !netlink_capable(sock, NL_NONROOT_SEND))
1377 goto out; 1378 goto out;
1378 } else { 1379 } else {
1379 dst_pid = nlk->dst_pid; 1380 dst_pid = nlk->dst_pid;
@@ -2147,6 +2148,7 @@ static void __init netlink_add_usersock_entry(void)
2147 rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners); 2148 rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
2148 nl_table[NETLINK_USERSOCK].module = THIS_MODULE; 2149 nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
2149 nl_table[NETLINK_USERSOCK].registered = 1; 2150 nl_table[NETLINK_USERSOCK].registered = 1;
2151 nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
2150 2152
2151 netlink_table_ungrab(); 2153 netlink_table_ungrab();
2152} 2154}
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 06592d8b4a2b..7261eb81974f 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -601,7 +601,7 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
601 if (!capable(CAP_NET_BIND_SERVICE)) { 601 if (!capable(CAP_NET_BIND_SERVICE)) {
602 dev_put(dev); 602 dev_put(dev);
603 release_sock(sk); 603 release_sock(sk);
604 return -EACCES; 604 return -EPERM;
605 } 605 }
606 nr->user_addr = addr->fsa_digipeater[0]; 606 nr->user_addr = addr->fsa_digipeater[0];
607 nr->source_addr = addr->fsa_ax25.sax25_call; 607 nr->source_addr = addr->fsa_ax25.sax25_call;
@@ -1169,7 +1169,12 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
1169 msg->msg_flags |= MSG_TRUNC; 1169 msg->msg_flags |= MSG_TRUNC;
1170 } 1170 }
1171 1171
1172 skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 1172 er = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
1173 if (er < 0) {
1174 skb_free_datagram(sk, skb);
1175 release_sock(sk);
1176 return er;
1177 }
1173 1178
1174 if (sax != NULL) { 1179 if (sax != NULL) {
1175 sax->sax25_family = AF_NETROM; 1180 sax->sax25_family = AF_NETROM;
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index f3f96badf5aa..954405ceae9e 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -45,7 +45,7 @@ static int make_writable(struct sk_buff *skb, int write_len)
45 return pskb_expand_head(skb, 0, 0, GFP_ATOMIC); 45 return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
46} 46}
47 47
48/* remove VLAN header from packet and update csum accrodingly. */ 48/* remove VLAN header from packet and update csum accordingly. */
49static int __pop_vlan_tci(struct sk_buff *skb, __be16 *current_tci) 49static int __pop_vlan_tci(struct sk_buff *skb, __be16 *current_tci)
50{ 50{
51 struct vlan_hdr *vhdr; 51 struct vlan_hdr *vhdr;
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index d8277d29e710..cf58cedad083 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -425,10 +425,10 @@ static int validate_sample(const struct nlattr *attr,
425static int validate_tp_port(const struct sw_flow_key *flow_key) 425static int validate_tp_port(const struct sw_flow_key *flow_key)
426{ 426{
427 if (flow_key->eth.type == htons(ETH_P_IP)) { 427 if (flow_key->eth.type == htons(ETH_P_IP)) {
428 if (flow_key->ipv4.tp.src && flow_key->ipv4.tp.dst) 428 if (flow_key->ipv4.tp.src || flow_key->ipv4.tp.dst)
429 return 0; 429 return 0;
430 } else if (flow_key->eth.type == htons(ETH_P_IPV6)) { 430 } else if (flow_key->eth.type == htons(ETH_P_IPV6)) {
431 if (flow_key->ipv6.tp.src && flow_key->ipv6.tp.dst) 431 if (flow_key->ipv6.tp.src || flow_key->ipv6.tp.dst)
432 return 0; 432 return 0;
433 } 433 }
434 434
@@ -460,7 +460,7 @@ static int validate_set(const struct nlattr *a,
460 if (flow_key->eth.type != htons(ETH_P_IP)) 460 if (flow_key->eth.type != htons(ETH_P_IP))
461 return -EINVAL; 461 return -EINVAL;
462 462
463 if (!flow_key->ipv4.addr.src || !flow_key->ipv4.addr.dst) 463 if (!flow_key->ip.proto)
464 return -EINVAL; 464 return -EINVAL;
465 465
466 ipv4_key = nla_data(ovs_key); 466 ipv4_key = nla_data(ovs_key);
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 9b75617ca4e0..c30df1a10c67 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -145,15 +145,17 @@ u64 ovs_flow_used_time(unsigned long flow_jiffies);
145 * OVS_KEY_ATTR_PRIORITY 4 -- 4 8 145 * OVS_KEY_ATTR_PRIORITY 4 -- 4 8
146 * OVS_KEY_ATTR_IN_PORT 4 -- 4 8 146 * OVS_KEY_ATTR_IN_PORT 4 -- 4 8
147 * OVS_KEY_ATTR_ETHERNET 12 -- 4 16 147 * OVS_KEY_ATTR_ETHERNET 12 -- 4 16
148 * OVS_KEY_ATTR_ETHERTYPE 2 2 4 8 (outer VLAN ethertype)
148 * OVS_KEY_ATTR_8021Q 4 -- 4 8 149 * OVS_KEY_ATTR_8021Q 4 -- 4 8
149 * OVS_KEY_ATTR_ETHERTYPE 2 2 4 8 150 * OVS_KEY_ATTR_ENCAP 0 -- 4 4 (VLAN encapsulation)
151 * OVS_KEY_ATTR_ETHERTYPE 2 2 4 8 (inner VLAN ethertype)
150 * OVS_KEY_ATTR_IPV6 40 -- 4 44 152 * OVS_KEY_ATTR_IPV6 40 -- 4 44
151 * OVS_KEY_ATTR_ICMPV6 2 2 4 8 153 * OVS_KEY_ATTR_ICMPV6 2 2 4 8
152 * OVS_KEY_ATTR_ND 28 -- 4 32 154 * OVS_KEY_ATTR_ND 28 -- 4 32
153 * ------------------------------------------------- 155 * -------------------------------------------------
154 * total 132 156 * total 144
155 */ 157 */
156#define FLOW_BUFSIZE 132 158#define FLOW_BUFSIZE 144
157 159
158int ovs_flow_to_nlattrs(const struct sw_flow_key *, struct sk_buff *); 160int ovs_flow_to_nlattrs(const struct sw_flow_key *, struct sk_buff *);
159int ovs_flow_from_nlattrs(struct sw_flow_key *swkey, int *key_lenp, 161int ovs_flow_from_nlattrs(struct sw_flow_key *swkey, int *key_lenp,
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index ceaca7c134a0..c5c9e2a54218 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1079,7 +1079,7 @@ static void *packet_current_rx_frame(struct packet_sock *po,
1079 default: 1079 default:
1080 WARN(1, "TPACKET version not supported\n"); 1080 WARN(1, "TPACKET version not supported\n");
1081 BUG(); 1081 BUG();
1082 return 0; 1082 return NULL;
1083 } 1083 }
1084} 1084}
1085 1085
@@ -1273,6 +1273,14 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
1273 spin_unlock(&f->lock); 1273 spin_unlock(&f->lock);
1274} 1274}
1275 1275
1276static bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
1277{
1278 if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
1279 return true;
1280
1281 return false;
1282}
1283
1276static int fanout_add(struct sock *sk, u16 id, u16 type_flags) 1284static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
1277{ 1285{
1278 struct packet_sock *po = pkt_sk(sk); 1286 struct packet_sock *po = pkt_sk(sk);
@@ -1325,6 +1333,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
1325 match->prot_hook.dev = po->prot_hook.dev; 1333 match->prot_hook.dev = po->prot_hook.dev;
1326 match->prot_hook.func = packet_rcv_fanout; 1334 match->prot_hook.func = packet_rcv_fanout;
1327 match->prot_hook.af_packet_priv = match; 1335 match->prot_hook.af_packet_priv = match;
1336 match->prot_hook.id_match = match_fanout_group;
1328 dev_add_pack(&match->prot_hook); 1337 dev_add_pack(&match->prot_hook);
1329 list_add(&match->list, &fanout_list); 1338 list_add(&match->list, &fanout_list);
1330 } 1339 }
@@ -1936,7 +1945,6 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
1936 1945
1937 if (likely(po->tx_ring.pg_vec)) { 1946 if (likely(po->tx_ring.pg_vec)) {
1938 ph = skb_shinfo(skb)->destructor_arg; 1947 ph = skb_shinfo(skb)->destructor_arg;
1939 BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
1940 BUG_ON(atomic_read(&po->tx_ring.pending) == 0); 1948 BUG_ON(atomic_read(&po->tx_ring.pending) == 0);
1941 atomic_dec(&po->tx_ring.pending); 1949 atomic_dec(&po->tx_ring.pending);
1942 __packet_set_status(po, ph, TP_STATUS_AVAILABLE); 1950 __packet_set_status(po, ph, TP_STATUS_AVAILABLE);
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index f10fb8256442..05d60859d8e3 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -67,6 +67,9 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
67 struct tcf_common *pc; 67 struct tcf_common *pc;
68 int ret = 0; 68 int ret = 0;
69 int err; 69 int err;
70#ifdef CONFIG_GACT_PROB
71 struct tc_gact_p *p_parm = NULL;
72#endif
70 73
71 if (nla == NULL) 74 if (nla == NULL)
72 return -EINVAL; 75 return -EINVAL;
@@ -82,6 +85,12 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
82#ifndef CONFIG_GACT_PROB 85#ifndef CONFIG_GACT_PROB
83 if (tb[TCA_GACT_PROB] != NULL) 86 if (tb[TCA_GACT_PROB] != NULL)
84 return -EOPNOTSUPP; 87 return -EOPNOTSUPP;
88#else
89 if (tb[TCA_GACT_PROB]) {
90 p_parm = nla_data(tb[TCA_GACT_PROB]);
91 if (p_parm->ptype >= MAX_RAND)
92 return -EINVAL;
93 }
85#endif 94#endif
86 95
87 pc = tcf_hash_check(parm->index, a, bind, &gact_hash_info); 96 pc = tcf_hash_check(parm->index, a, bind, &gact_hash_info);
@@ -103,8 +112,7 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
103 spin_lock_bh(&gact->tcf_lock); 112 spin_lock_bh(&gact->tcf_lock);
104 gact->tcf_action = parm->action; 113 gact->tcf_action = parm->action;
105#ifdef CONFIG_GACT_PROB 114#ifdef CONFIG_GACT_PROB
106 if (tb[TCA_GACT_PROB] != NULL) { 115 if (p_parm) {
107 struct tc_gact_p *p_parm = nla_data(tb[TCA_GACT_PROB]);
108 gact->tcfg_paction = p_parm->paction; 116 gact->tcfg_paction = p_parm->paction;
109 gact->tcfg_pval = p_parm->pval; 117 gact->tcfg_pval = p_parm->pval;
110 gact->tcfg_ptype = p_parm->ptype; 118 gact->tcfg_ptype = p_parm->ptype;
@@ -133,7 +141,7 @@ static int tcf_gact(struct sk_buff *skb, const struct tc_action *a,
133 141
134 spin_lock(&gact->tcf_lock); 142 spin_lock(&gact->tcf_lock);
135#ifdef CONFIG_GACT_PROB 143#ifdef CONFIG_GACT_PROB
136 if (gact->tcfg_ptype && gact_rand[gact->tcfg_ptype] != NULL) 144 if (gact->tcfg_ptype)
137 action = gact_rand[gact->tcfg_ptype](gact); 145 action = gact_rand[gact->tcfg_ptype](gact);
138 else 146 else
139 action = gact->tcf_action; 147 action = gact->tcf_action;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 60e281ad0f07..58fb3c7aab9e 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -185,7 +185,12 @@ err3:
185err2: 185err2:
186 kfree(tname); 186 kfree(tname);
187err1: 187err1:
188 kfree(pc); 188 if (ret == ACT_P_CREATED) {
189 if (est)
190 gen_kill_estimator(&pc->tcfc_bstats,
191 &pc->tcfc_rate_est);
192 kfree_rcu(pc, tcfc_rcu);
193 }
189 return err; 194 return err;
190} 195}
191 196
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index fe81cc18e9e0..9c0fd0c78814 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -200,13 +200,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a,
200out: 200out:
201 if (err) { 201 if (err) {
202 m->tcf_qstats.overlimits++; 202 m->tcf_qstats.overlimits++;
203 /* should we be asking for packet to be dropped? 203 if (m->tcfm_eaction != TCA_EGRESS_MIRROR)
204 * may make sense for redirect case only 204 retval = TC_ACT_SHOT;
205 */ 205 else
206 retval = TC_ACT_SHOT; 206 retval = m->tcf_action;
207 } else { 207 } else
208 retval = m->tcf_action; 208 retval = m->tcf_action;
209 }
210 spin_unlock(&m->tcf_lock); 209 spin_unlock(&m->tcf_lock);
211 210
212 return retval; 211 return retval;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 26aa2f6ce257..45c53ab067a6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -74,7 +74,10 @@ static int tcf_pedit_init(struct nlattr *nla, struct nlattr *est,
74 p = to_pedit(pc); 74 p = to_pedit(pc);
75 keys = kmalloc(ksize, GFP_KERNEL); 75 keys = kmalloc(ksize, GFP_KERNEL);
76 if (keys == NULL) { 76 if (keys == NULL) {
77 kfree(pc); 77 if (est)
78 gen_kill_estimator(&pc->tcfc_bstats,
79 &pc->tcfc_rate_est);
80 kfree_rcu(pc, tcfc_rcu);
78 return -ENOMEM; 81 return -ENOMEM;
79 } 82 }
80 ret = ACT_P_CREATED; 83 ret = ACT_P_CREATED;
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 3922f2a2821b..3714f60f0b3c 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -131,7 +131,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
131 d = to_defact(pc); 131 d = to_defact(pc);
132 ret = alloc_defdata(d, defdata); 132 ret = alloc_defdata(d, defdata);
133 if (ret < 0) { 133 if (ret < 0) {
134 kfree(pc); 134 if (est)
135 gen_kill_estimator(&pc->tcfc_bstats,
136 &pc->tcfc_rate_est);
137 kfree_rcu(pc, tcfc_rcu);
135 return ret; 138 return ret;
136 } 139 }
137 d->tcf_action = parm->action; 140 d->tcf_action = parm->action;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 6aabd77d1cfd..564b9fc8efd3 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -250,10 +250,11 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
250 else if ((cl = defmap[res.classid & TC_PRIO_MAX]) == NULL) 250 else if ((cl = defmap[res.classid & TC_PRIO_MAX]) == NULL)
251 cl = defmap[TC_PRIO_BESTEFFORT]; 251 cl = defmap[TC_PRIO_BESTEFFORT];
252 252
253 if (cl == NULL || cl->level >= head->level) 253 if (cl == NULL)
254 goto fallback; 254 goto fallback;
255 } 255 }
256 256 if (cl->level >= head->level)
257 goto fallback;
257#ifdef CONFIG_NET_CLS_ACT 258#ifdef CONFIG_NET_CLS_ACT
258 switch (result) { 259 switch (result) {
259 case TC_ACT_QUEUED: 260 case TC_ACT_QUEUED:
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 9fc1c62ec80e..4e606fcb2534 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -191,7 +191,6 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch)
191 191
192 if (list_empty(&flow->flowchain)) { 192 if (list_empty(&flow->flowchain)) {
193 list_add_tail(&flow->flowchain, &q->new_flows); 193 list_add_tail(&flow->flowchain, &q->new_flows);
194 codel_vars_init(&flow->cvars);
195 q->new_flow_count++; 194 q->new_flow_count++;
196 flow->deficit = q->quantum; 195 flow->deficit = q->quantum;
197 flow->dropped = 0; 196 flow->dropped = 0;
@@ -418,6 +417,7 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt)
418 struct fq_codel_flow *flow = q->flows + i; 417 struct fq_codel_flow *flow = q->flows + i;
419 418
420 INIT_LIST_HEAD(&flow->flowchain); 419 INIT_LIST_HEAD(&flow->flowchain);
420 codel_vars_init(&flow->cvars);
421 } 421 }
422 } 422 }
423 if (sch->limit >= 1) 423 if (sch->limit >= 1)
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index e901583e4ea5..d42234c0f13b 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -102,9 +102,8 @@ static inline int gred_wred_mode_check(struct Qdisc *sch)
102 if (q == NULL) 102 if (q == NULL)
103 continue; 103 continue;
104 104
105 for (n = 0; n < table->DPs; n++) 105 for (n = i + 1; n < table->DPs; n++)
106 if (table->tab[n] && table->tab[n] != q && 106 if (table->tab[n] && table->tab[n]->prio == q->prio)
107 table->tab[n]->prio == q->prio)
108 return 1; 107 return 1;
109 } 108 }
110 109
@@ -137,6 +136,7 @@ static inline void gred_store_wred_set(struct gred_sched *table,
137 struct gred_sched_data *q) 136 struct gred_sched_data *q)
138{ 137{
139 table->wred_set.qavg = q->vars.qavg; 138 table->wred_set.qavg = q->vars.qavg;
139 table->wred_set.qidlestart = q->vars.qidlestart;
140} 140}
141 141
142static inline int gred_use_ecn(struct gred_sched *t) 142static inline int gred_use_ecn(struct gred_sched *t)
@@ -176,7 +176,7 @@ static int gred_enqueue(struct sk_buff *skb, struct Qdisc *sch)
176 skb->tc_index = (skb->tc_index & ~GRED_VQ_MASK) | dp; 176 skb->tc_index = (skb->tc_index & ~GRED_VQ_MASK) | dp;
177 } 177 }
178 178
179 /* sum up all the qaves of prios <= to ours to get the new qave */ 179 /* sum up all the qaves of prios < ours to get the new qave */
180 if (!gred_wred_mode(t) && gred_rio_mode(t)) { 180 if (!gred_wred_mode(t) && gred_rio_mode(t)) {
181 int i; 181 int i;
182 182
@@ -260,16 +260,18 @@ static struct sk_buff *gred_dequeue(struct Qdisc *sch)
260 } else { 260 } else {
261 q->backlog -= qdisc_pkt_len(skb); 261 q->backlog -= qdisc_pkt_len(skb);
262 262
263 if (!q->backlog && !gred_wred_mode(t)) 263 if (gred_wred_mode(t)) {
264 red_start_of_idle_period(&q->vars); 264 if (!sch->qstats.backlog)
265 red_start_of_idle_period(&t->wred_set);
266 } else {
267 if (!q->backlog)
268 red_start_of_idle_period(&q->vars);
269 }
265 } 270 }
266 271
267 return skb; 272 return skb;
268 } 273 }
269 274
270 if (gred_wred_mode(t) && !red_is_idling(&t->wred_set))
271 red_start_of_idle_period(&t->wred_set);
272
273 return NULL; 275 return NULL;
274} 276}
275 277
@@ -291,19 +293,20 @@ static unsigned int gred_drop(struct Qdisc *sch)
291 q->backlog -= len; 293 q->backlog -= len;
292 q->stats.other++; 294 q->stats.other++;
293 295
294 if (!q->backlog && !gred_wred_mode(t)) 296 if (gred_wred_mode(t)) {
295 red_start_of_idle_period(&q->vars); 297 if (!sch->qstats.backlog)
298 red_start_of_idle_period(&t->wred_set);
299 } else {
300 if (!q->backlog)
301 red_start_of_idle_period(&q->vars);
302 }
296 } 303 }
297 304
298 qdisc_drop(skb, sch); 305 qdisc_drop(skb, sch);
299 return len; 306 return len;
300 } 307 }
301 308
302 if (gred_wred_mode(t) && !red_is_idling(&t->wred_set))
303 red_start_of_idle_period(&t->wred_set);
304
305 return 0; 309 return 0;
306
307} 310}
308 311
309static void gred_reset(struct Qdisc *sch) 312static void gred_reset(struct Qdisc *sch)
@@ -535,6 +538,7 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
535 for (i = 0; i < MAX_DPs; i++) { 538 for (i = 0; i < MAX_DPs; i++) {
536 struct gred_sched_data *q = table->tab[i]; 539 struct gred_sched_data *q = table->tab[i];
537 struct tc_gred_qopt opt; 540 struct tc_gred_qopt opt;
541 unsigned long qavg;
538 542
539 memset(&opt, 0, sizeof(opt)); 543 memset(&opt, 0, sizeof(opt));
540 544
@@ -566,7 +570,9 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
566 if (gred_wred_mode(table)) 570 if (gred_wred_mode(table))
567 gred_load_wred_set(table, q); 571 gred_load_wred_set(table, q);
568 572
569 opt.qave = red_calc_qavg(&q->parms, &q->vars, q->vars.qavg); 573 qavg = red_calc_qavg(&q->parms, &q->vars,
574 q->vars.qavg >> q->parms.Wlog);
575 opt.qave = qavg >> q->parms.Wlog;
570 576
571append_opt: 577append_opt:
572 if (nla_append(skb, sizeof(opt), &opt) < 0) 578 if (nla_append(skb, sizeof(opt), &opt) < 0)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 9af01f3df18c..211a21217045 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -203,6 +203,34 @@ out:
203 return index; 203 return index;
204} 204}
205 205
206/* Length of the next packet (0 if the queue is empty). */
207static unsigned int qdisc_peek_len(struct Qdisc *sch)
208{
209 struct sk_buff *skb;
210
211 skb = sch->ops->peek(sch);
212 return skb ? qdisc_pkt_len(skb) : 0;
213}
214
215static void qfq_deactivate_class(struct qfq_sched *, struct qfq_class *);
216static void qfq_activate_class(struct qfq_sched *q, struct qfq_class *cl,
217 unsigned int len);
218
219static void qfq_update_class_params(struct qfq_sched *q, struct qfq_class *cl,
220 u32 lmax, u32 inv_w, int delta_w)
221{
222 int i;
223
224 /* update qfq-specific data */
225 cl->lmax = lmax;
226 cl->inv_w = inv_w;
227 i = qfq_calc_index(cl->inv_w, cl->lmax);
228
229 cl->grp = &q->groups[i];
230
231 q->wsum += delta_w;
232}
233
206static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, 234static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
207 struct nlattr **tca, unsigned long *arg) 235 struct nlattr **tca, unsigned long *arg)
208{ 236{
@@ -250,6 +278,8 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
250 lmax = 1UL << QFQ_MTU_SHIFT; 278 lmax = 1UL << QFQ_MTU_SHIFT;
251 279
252 if (cl != NULL) { 280 if (cl != NULL) {
281 bool need_reactivation = false;
282
253 if (tca[TCA_RATE]) { 283 if (tca[TCA_RATE]) {
254 err = gen_replace_estimator(&cl->bstats, &cl->rate_est, 284 err = gen_replace_estimator(&cl->bstats, &cl->rate_est,
255 qdisc_root_sleeping_lock(sch), 285 qdisc_root_sleeping_lock(sch),
@@ -258,12 +288,29 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
258 return err; 288 return err;
259 } 289 }
260 290
261 if (inv_w != cl->inv_w) { 291 if (lmax == cl->lmax && inv_w == cl->inv_w)
262 sch_tree_lock(sch); 292 return 0; /* nothing to update */
263 q->wsum += delta_w; 293
264 cl->inv_w = inv_w; 294 i = qfq_calc_index(inv_w, lmax);
265 sch_tree_unlock(sch); 295 sch_tree_lock(sch);
296 if (&q->groups[i] != cl->grp && cl->qdisc->q.qlen > 0) {
297 /*
298 * shift cl->F back, to not charge the
299 * class for the not-yet-served head
300 * packet
301 */
302 cl->F = cl->S;
303 /* remove class from its slot in the old group */
304 qfq_deactivate_class(q, cl);
305 need_reactivation = true;
266 } 306 }
307
308 qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
309
310 if (need_reactivation) /* activate in new group */
311 qfq_activate_class(q, cl, qdisc_peek_len(cl->qdisc));
312 sch_tree_unlock(sch);
313
267 return 0; 314 return 0;
268 } 315 }
269 316
@@ -273,11 +320,8 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
273 320
274 cl->refcnt = 1; 321 cl->refcnt = 1;
275 cl->common.classid = classid; 322 cl->common.classid = classid;
276 cl->lmax = lmax;
277 cl->inv_w = inv_w;
278 i = qfq_calc_index(cl->inv_w, cl->lmax);
279 323
280 cl->grp = &q->groups[i]; 324 qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
281 325
282 cl->qdisc = qdisc_create_dflt(sch->dev_queue, 326 cl->qdisc = qdisc_create_dflt(sch->dev_queue,
283 &pfifo_qdisc_ops, classid); 327 &pfifo_qdisc_ops, classid);
@@ -294,7 +338,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
294 return err; 338 return err;
295 } 339 }
296 } 340 }
297 q->wsum += weight;
298 341
299 sch_tree_lock(sch); 342 sch_tree_lock(sch);
300 qdisc_class_hash_insert(&q->clhash, &cl->common); 343 qdisc_class_hash_insert(&q->clhash, &cl->common);
@@ -711,15 +754,6 @@ static void qfq_update_eligible(struct qfq_sched *q, u64 old_V)
711 } 754 }
712} 755}
713 756
714/* What is length of next packet in queue (0 if queue is empty) */
715static unsigned int qdisc_peek_len(struct Qdisc *sch)
716{
717 struct sk_buff *skb;
718
719 skb = sch->ops->peek(sch);
720 return skb ? qdisc_pkt_len(skb) : 0;
721}
722
723/* 757/*
724 * Updates the class, returns true if also the group needs to be updated. 758 * Updates the class, returns true if also the group needs to be updated.
725 */ 759 */
@@ -831,7 +865,10 @@ static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
831 if (mask) { 865 if (mask) {
832 struct qfq_group *next = qfq_ffs(q, mask); 866 struct qfq_group *next = qfq_ffs(q, mask);
833 if (qfq_gt(roundedF, next->F)) { 867 if (qfq_gt(roundedF, next->F)) {
834 cl->S = next->F; 868 if (qfq_gt(limit, next->F))
869 cl->S = next->F;
870 else /* preserve timestamp correctness */
871 cl->S = limit;
835 return; 872 return;
836 } 873 }
837 } 874 }
@@ -843,11 +880,8 @@ static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
843static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch) 880static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
844{ 881{
845 struct qfq_sched *q = qdisc_priv(sch); 882 struct qfq_sched *q = qdisc_priv(sch);
846 struct qfq_group *grp;
847 struct qfq_class *cl; 883 struct qfq_class *cl;
848 int err; 884 int err;
849 u64 roundedS;
850 int s;
851 885
852 cl = qfq_classify(skb, sch, &err); 886 cl = qfq_classify(skb, sch, &err);
853 if (cl == NULL) { 887 if (cl == NULL) {
@@ -876,11 +910,25 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
876 return err; 910 return err;
877 911
878 /* If reach this point, queue q was idle */ 912 /* If reach this point, queue q was idle */
879 grp = cl->grp; 913 qfq_activate_class(q, cl, qdisc_pkt_len(skb));
914
915 return err;
916}
917
918/*
919 * Handle class switch from idle to backlogged.
920 */
921static void qfq_activate_class(struct qfq_sched *q, struct qfq_class *cl,
922 unsigned int pkt_len)
923{
924 struct qfq_group *grp = cl->grp;
925 u64 roundedS;
926 int s;
927
880 qfq_update_start(q, cl); 928 qfq_update_start(q, cl);
881 929
882 /* compute new finish time and rounded start. */ 930 /* compute new finish time and rounded start. */
883 cl->F = cl->S + (u64)qdisc_pkt_len(skb) * cl->inv_w; 931 cl->F = cl->S + (u64)pkt_len * cl->inv_w;
884 roundedS = qfq_round_down(cl->S, grp->slot_shift); 932 roundedS = qfq_round_down(cl->S, grp->slot_shift);
885 933
886 /* 934 /*
@@ -917,8 +965,6 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
917 965
918skip_update: 966skip_update:
919 qfq_slot_insert(grp, cl, roundedS); 967 qfq_slot_insert(grp, cl, roundedS);
920
921 return err;
922} 968}
923 969
924 970
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 838e18b4d7ea..be50aa234dcd 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -364,6 +364,25 @@ finish:
364 return retval; 364 return retval;
365} 365}
366 366
367static void sctp_packet_release_owner(struct sk_buff *skb)
368{
369 sk_free(skb->sk);
370}
371
372static void sctp_packet_set_owner_w(struct sk_buff *skb, struct sock *sk)
373{
374 skb_orphan(skb);
375 skb->sk = sk;
376 skb->destructor = sctp_packet_release_owner;
377
378 /*
379 * The data chunks have already been accounted for in sctp_sendmsg(),
380 * therefore only reserve a single byte to keep socket around until
381 * the packet has been transmitted.
382 */
383 atomic_inc(&sk->sk_wmem_alloc);
384}
385
367/* All packets are sent to the network through this function from 386/* All packets are sent to the network through this function from
368 * sctp_outq_tail(). 387 * sctp_outq_tail().
369 * 388 *
@@ -405,7 +424,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
405 /* Set the owning socket so that we know where to get the 424 /* Set the owning socket so that we know where to get the
406 * destination IP address. 425 * destination IP address.
407 */ 426 */
408 skb_set_owner_w(nskb, sk); 427 sctp_packet_set_owner_w(nskb, sk);
409 428
410 if (!sctp_transport_dst_check(tp)) { 429 if (!sctp_transport_dst_check(tp)) {
411 sctp_transport_route(tp, NULL, sctp_sk(sk)); 430 sctp_transport_route(tp, NULL, sctp_sk(sk));
diff --git a/net/socket.c b/net/socket.c
index dfe5b66c97e0..edc3c4af9085 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2604,7 +2604,7 @@ static int do_siocgstamp(struct net *net, struct socket *sock,
2604 err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv); 2604 err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
2605 set_fs(old_fs); 2605 set_fs(old_fs);
2606 if (!err) 2606 if (!err)
2607 err = compat_put_timeval(up, &ktv); 2607 err = compat_put_timeval(&ktv, up);
2608 2608
2609 return err; 2609 return err;
2610} 2610}
@@ -2620,7 +2620,7 @@ static int do_siocgstampns(struct net *net, struct socket *sock,
2620 err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts); 2620 err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
2621 set_fs(old_fs); 2621 set_fs(old_fs);
2622 if (!err) 2622 if (!err)
2623 err = compat_put_timespec(up, &kts); 2623 err = compat_put_timespec(&kts, up);
2624 2624
2625 return err; 2625 return err;
2626} 2626}
@@ -2657,6 +2657,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
2657 if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf))) 2657 if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
2658 return -EFAULT; 2658 return -EFAULT;
2659 2659
2660 memset(&ifc, 0, sizeof(ifc));
2660 if (ifc32.ifcbuf == 0) { 2661 if (ifc32.ifcbuf == 0) {
2661 ifc32.ifc_len = 0; 2662 ifc32.ifc_len = 0;
2662 ifc.ifc_len = 0; 2663 ifc.ifc_len = 0;
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 88f2bf671960..bac973a31367 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -316,7 +316,6 @@ static bool svc_xprt_has_something_to_do(struct svc_xprt *xprt)
316 */ 316 */
317void svc_xprt_enqueue(struct svc_xprt *xprt) 317void svc_xprt_enqueue(struct svc_xprt *xprt)
318{ 318{
319 struct svc_serv *serv = xprt->xpt_server;
320 struct svc_pool *pool; 319 struct svc_pool *pool;
321 struct svc_rqst *rqstp; 320 struct svc_rqst *rqstp;
322 int cpu; 321 int cpu;
@@ -362,8 +361,6 @@ void svc_xprt_enqueue(struct svc_xprt *xprt)
362 rqstp, rqstp->rq_xprt); 361 rqstp, rqstp->rq_xprt);
363 rqstp->rq_xprt = xprt; 362 rqstp->rq_xprt = xprt;
364 svc_xprt_get(xprt); 363 svc_xprt_get(xprt);
365 rqstp->rq_reserved = serv->sv_max_mesg;
366 atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
367 pool->sp_stats.threads_woken++; 364 pool->sp_stats.threads_woken++;
368 wake_up(&rqstp->rq_wait); 365 wake_up(&rqstp->rq_wait);
369 } else { 366 } else {
@@ -640,8 +637,6 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
640 if (xprt) { 637 if (xprt) {
641 rqstp->rq_xprt = xprt; 638 rqstp->rq_xprt = xprt;
642 svc_xprt_get(xprt); 639 svc_xprt_get(xprt);
643 rqstp->rq_reserved = serv->sv_max_mesg;
644 atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
645 640
646 /* As there is a shortage of threads and this request 641 /* As there is a shortage of threads and this request
647 * had to be queued, don't allow the thread to wait so 642 * had to be queued, don't allow the thread to wait so
@@ -738,6 +733,8 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
738 else 733 else
739 len = xprt->xpt_ops->xpo_recvfrom(rqstp); 734 len = xprt->xpt_ops->xpo_recvfrom(rqstp);
740 dprintk("svc: got len=%d\n", len); 735 dprintk("svc: got len=%d\n", len);
736 rqstp->rq_reserved = serv->sv_max_mesg;
737 atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
741 } 738 }
742 svc_xprt_received(xprt); 739 svc_xprt_received(xprt);
743 740
@@ -794,7 +791,8 @@ int svc_send(struct svc_rqst *rqstp)
794 791
795 /* Grab mutex to serialize outgoing data. */ 792 /* Grab mutex to serialize outgoing data. */
796 mutex_lock(&xprt->xpt_mutex); 793 mutex_lock(&xprt->xpt_mutex);
797 if (test_bit(XPT_DEAD, &xprt->xpt_flags)) 794 if (test_bit(XPT_DEAD, &xprt->xpt_flags)
795 || test_bit(XPT_CLOSE, &xprt->xpt_flags))
798 len = -ENOTCONN; 796 len = -ENOTCONN;
799 else 797 else
800 len = xprt->xpt_ops->xpo_sendto(rqstp); 798 len = xprt->xpt_ops->xpo_sendto(rqstp);
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 18bc130255a7..998aa8c1807c 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -1129,9 +1129,9 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
1129 if (len >= 0) 1129 if (len >= 0)
1130 svsk->sk_tcplen += len; 1130 svsk->sk_tcplen += len;
1131 if (len != want) { 1131 if (len != want) {
1132 svc_tcp_save_pages(svsk, rqstp);
1132 if (len < 0 && len != -EAGAIN) 1133 if (len < 0 && len != -EAGAIN)
1133 goto err_other; 1134 goto err_other;
1134 svc_tcp_save_pages(svsk, rqstp);
1135 dprintk("svc: incomplete TCP record (%d of %d)\n", 1135 dprintk("svc: incomplete TCP record (%d of %d)\n",
1136 svsk->sk_tcplen, svsk->sk_reclen); 1136 svsk->sk_tcplen, svsk->sk_reclen);
1137 goto err_noclose; 1137 goto err_noclose;
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index a5a402a7d21f..5d7f61d7559c 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -969,11 +969,11 @@ static bool xprt_dynamic_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
969 return false; 969 return false;
970} 970}
971 971
972static void xprt_alloc_slot(struct rpc_task *task) 972void xprt_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task)
973{ 973{
974 struct rpc_xprt *xprt = task->tk_xprt;
975 struct rpc_rqst *req; 974 struct rpc_rqst *req;
976 975
976 spin_lock(&xprt->reserve_lock);
977 if (!list_empty(&xprt->free)) { 977 if (!list_empty(&xprt->free)) {
978 req = list_entry(xprt->free.next, struct rpc_rqst, rq_list); 978 req = list_entry(xprt->free.next, struct rpc_rqst, rq_list);
979 list_del(&req->rq_list); 979 list_del(&req->rq_list);
@@ -994,12 +994,29 @@ static void xprt_alloc_slot(struct rpc_task *task)
994 default: 994 default:
995 task->tk_status = -EAGAIN; 995 task->tk_status = -EAGAIN;
996 } 996 }
997 spin_unlock(&xprt->reserve_lock);
997 return; 998 return;
998out_init_req: 999out_init_req:
999 task->tk_status = 0; 1000 task->tk_status = 0;
1000 task->tk_rqstp = req; 1001 task->tk_rqstp = req;
1001 xprt_request_init(task, xprt); 1002 xprt_request_init(task, xprt);
1003 spin_unlock(&xprt->reserve_lock);
1004}
1005EXPORT_SYMBOL_GPL(xprt_alloc_slot);
1006
1007void xprt_lock_and_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task)
1008{
1009 /* Note: grabbing the xprt_lock_write() ensures that we throttle
1010 * new slot allocation if the transport is congested (i.e. when
1011 * reconnecting a stream transport or when out of socket write
1012 * buffer space).
1013 */
1014 if (xprt_lock_write(xprt, task)) {
1015 xprt_alloc_slot(xprt, task);
1016 xprt_release_write(xprt, task);
1017 }
1002} 1018}
1019EXPORT_SYMBOL_GPL(xprt_lock_and_alloc_slot);
1003 1020
1004static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req) 1021static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
1005{ 1022{
@@ -1083,20 +1100,9 @@ void xprt_reserve(struct rpc_task *task)
1083 if (task->tk_rqstp != NULL) 1100 if (task->tk_rqstp != NULL)
1084 return; 1101 return;
1085 1102
1086 /* Note: grabbing the xprt_lock_write() here is not strictly needed,
1087 * but ensures that we throttle new slot allocation if the transport
1088 * is congested (e.g. if reconnecting or if we're out of socket
1089 * write buffer space).
1090 */
1091 task->tk_timeout = 0; 1103 task->tk_timeout = 0;
1092 task->tk_status = -EAGAIN; 1104 task->tk_status = -EAGAIN;
1093 if (!xprt_lock_write(xprt, task)) 1105 xprt->ops->alloc_slot(xprt, task);
1094 return;
1095
1096 spin_lock(&xprt->reserve_lock);
1097 xprt_alloc_slot(task);
1098 spin_unlock(&xprt->reserve_lock);
1099 xprt_release_write(xprt, task);
1100} 1106}
1101 1107
1102static inline __be32 xprt_alloc_xid(struct rpc_xprt *xprt) 1108static inline __be32 xprt_alloc_xid(struct rpc_xprt *xprt)
diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
index 06cdbff79e4a..5d9202dc7cb1 100644
--- a/net/sunrpc/xprtrdma/transport.c
+++ b/net/sunrpc/xprtrdma/transport.c
@@ -713,6 +713,7 @@ static void xprt_rdma_print_stats(struct rpc_xprt *xprt, struct seq_file *seq)
713static struct rpc_xprt_ops xprt_rdma_procs = { 713static struct rpc_xprt_ops xprt_rdma_procs = {
714 .reserve_xprt = xprt_rdma_reserve_xprt, 714 .reserve_xprt = xprt_rdma_reserve_xprt,
715 .release_xprt = xprt_release_xprt_cong, /* sunrpc/xprt.c */ 715 .release_xprt = xprt_release_xprt_cong, /* sunrpc/xprt.c */
716 .alloc_slot = xprt_alloc_slot,
716 .release_request = xprt_release_rqst_cong, /* ditto */ 717 .release_request = xprt_release_rqst_cong, /* ditto */
717 .set_retrans_timeout = xprt_set_retrans_timeout_def, /* ditto */ 718 .set_retrans_timeout = xprt_set_retrans_timeout_def, /* ditto */
718 .rpcbind = rpcb_getport_async, /* sunrpc/rpcb_clnt.c */ 719 .rpcbind = rpcb_getport_async, /* sunrpc/rpcb_clnt.c */
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 400567243f84..a35b8e52e551 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2473,6 +2473,7 @@ static void bc_destroy(struct rpc_xprt *xprt)
2473static struct rpc_xprt_ops xs_local_ops = { 2473static struct rpc_xprt_ops xs_local_ops = {
2474 .reserve_xprt = xprt_reserve_xprt, 2474 .reserve_xprt = xprt_reserve_xprt,
2475 .release_xprt = xs_tcp_release_xprt, 2475 .release_xprt = xs_tcp_release_xprt,
2476 .alloc_slot = xprt_alloc_slot,
2476 .rpcbind = xs_local_rpcbind, 2477 .rpcbind = xs_local_rpcbind,
2477 .set_port = xs_local_set_port, 2478 .set_port = xs_local_set_port,
2478 .connect = xs_connect, 2479 .connect = xs_connect,
@@ -2489,6 +2490,7 @@ static struct rpc_xprt_ops xs_udp_ops = {
2489 .set_buffer_size = xs_udp_set_buffer_size, 2490 .set_buffer_size = xs_udp_set_buffer_size,
2490 .reserve_xprt = xprt_reserve_xprt_cong, 2491 .reserve_xprt = xprt_reserve_xprt_cong,
2491 .release_xprt = xprt_release_xprt_cong, 2492 .release_xprt = xprt_release_xprt_cong,
2493 .alloc_slot = xprt_alloc_slot,
2492 .rpcbind = rpcb_getport_async, 2494 .rpcbind = rpcb_getport_async,
2493 .set_port = xs_set_port, 2495 .set_port = xs_set_port,
2494 .connect = xs_connect, 2496 .connect = xs_connect,
@@ -2506,6 +2508,7 @@ static struct rpc_xprt_ops xs_udp_ops = {
2506static struct rpc_xprt_ops xs_tcp_ops = { 2508static struct rpc_xprt_ops xs_tcp_ops = {
2507 .reserve_xprt = xprt_reserve_xprt, 2509 .reserve_xprt = xprt_reserve_xprt,
2508 .release_xprt = xs_tcp_release_xprt, 2510 .release_xprt = xs_tcp_release_xprt,
2511 .alloc_slot = xprt_lock_and_alloc_slot,
2509 .rpcbind = rpcb_getport_async, 2512 .rpcbind = rpcb_getport_async,
2510 .set_port = xs_set_port, 2513 .set_port = xs_set_port,
2511 .connect = xs_connect, 2514 .connect = xs_connect,
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index e4768c180da2..c5ee4ff61364 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
1450 if (NULL == siocb->scm) 1450 if (NULL == siocb->scm)
1451 siocb->scm = &tmp_scm; 1451 siocb->scm = &tmp_scm;
1452 wait_for_unix_gc(); 1452 wait_for_unix_gc();
1453 err = scm_send(sock, msg, siocb->scm); 1453 err = scm_send(sock, msg, siocb->scm, false);
1454 if (err < 0) 1454 if (err < 0)
1455 return err; 1455 return err;
1456 1456
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
1619 if (NULL == siocb->scm) 1619 if (NULL == siocb->scm)
1620 siocb->scm = &tmp_scm; 1620 siocb->scm = &tmp_scm;
1621 wait_for_unix_gc(); 1621 wait_for_unix_gc();
1622 err = scm_send(sock, msg, siocb->scm); 1622 err = scm_send(sock, msg, siocb->scm, false);
1623 if (err < 0) 1623 if (err < 0)
1624 return err; 1624 return err;
1625 1625
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 31b40cc4a9c3..dcd64d5b07aa 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -952,6 +952,11 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
952 */ 952 */
953 synchronize_rcu(); 953 synchronize_rcu();
954 INIT_LIST_HEAD(&wdev->list); 954 INIT_LIST_HEAD(&wdev->list);
955 /*
956 * Ensure that all events have been processed and
957 * freed.
958 */
959 cfg80211_process_wdev_events(wdev);
955 break; 960 break;
956 case NETDEV_PRE_UP: 961 case NETDEV_PRE_UP:
957 if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype))) 962 if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 5206c6844fd7..bc7430b54771 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -426,6 +426,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
426 struct net_device *dev, enum nl80211_iftype ntype, 426 struct net_device *dev, enum nl80211_iftype ntype,
427 u32 *flags, struct vif_params *params); 427 u32 *flags, struct vif_params *params);
428void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev); 428void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev);
429void cfg80211_process_wdev_events(struct wireless_dev *wdev);
429 430
430int cfg80211_can_use_iftype_chan(struct cfg80211_registered_device *rdev, 431int cfg80211_can_use_iftype_chan(struct cfg80211_registered_device *rdev,
431 struct wireless_dev *wdev, 432 struct wireless_dev *wdev,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 97026f3b215a..1e37dbf00cb3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5633,8 +5633,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
5633 sizeof(connect.ht_capa_mask)); 5633 sizeof(connect.ht_capa_mask));
5634 5634
5635 if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) { 5635 if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5636 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) 5636 if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
5637 kfree(connkeys);
5637 return -EINVAL; 5638 return -EINVAL;
5639 }
5638 memcpy(&connect.ht_capa, 5640 memcpy(&connect.ht_capa,
5639 nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]), 5641 nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5640 sizeof(connect.ht_capa)); 5642 sizeof(connect.ht_capa));
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 2303ee73b50a..72d170ca3406 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -350,6 +350,9 @@ static void reg_regdb_search(struct work_struct *work)
350 struct reg_regdb_search_request *request; 350 struct reg_regdb_search_request *request;
351 const struct ieee80211_regdomain *curdom, *regdom; 351 const struct ieee80211_regdomain *curdom, *regdom;
352 int i, r; 352 int i, r;
353 bool set_reg = false;
354
355 mutex_lock(&cfg80211_mutex);
353 356
354 mutex_lock(&reg_regdb_search_mutex); 357 mutex_lock(&reg_regdb_search_mutex);
355 while (!list_empty(&reg_regdb_search_list)) { 358 while (!list_empty(&reg_regdb_search_list)) {
@@ -365,9 +368,7 @@ static void reg_regdb_search(struct work_struct *work)
365 r = reg_copy_regd(&regdom, curdom); 368 r = reg_copy_regd(&regdom, curdom);
366 if (r) 369 if (r)
367 break; 370 break;
368 mutex_lock(&cfg80211_mutex); 371 set_reg = true;
369 set_regdom(regdom);
370 mutex_unlock(&cfg80211_mutex);
371 break; 372 break;
372 } 373 }
373 } 374 }
@@ -375,6 +376,11 @@ static void reg_regdb_search(struct work_struct *work)
375 kfree(request); 376 kfree(request);
376 } 377 }
377 mutex_unlock(&reg_regdb_search_mutex); 378 mutex_unlock(&reg_regdb_search_mutex);
379
380 if (set_reg)
381 set_regdom(regdom);
382
383 mutex_unlock(&cfg80211_mutex);
378} 384}
379 385
380static DECLARE_WORK(reg_regdb_work, reg_regdb_search); 386static DECLARE_WORK(reg_regdb_work, reg_regdb_search);
@@ -680,6 +686,8 @@ static u32 map_regdom_flags(u32 rd_flags)
680 channel_flags |= IEEE80211_CHAN_NO_IBSS; 686 channel_flags |= IEEE80211_CHAN_NO_IBSS;
681 if (rd_flags & NL80211_RRF_DFS) 687 if (rd_flags & NL80211_RRF_DFS)
682 channel_flags |= IEEE80211_CHAN_RADAR; 688 channel_flags |= IEEE80211_CHAN_RADAR;
689 if (rd_flags & NL80211_RRF_NO_OFDM)
690 channel_flags |= IEEE80211_CHAN_NO_OFDM;
683 return channel_flags; 691 return channel_flags;
684} 692}
685 693
@@ -901,7 +909,21 @@ static void handle_channel(struct wiphy *wiphy,
901 chan->max_antenna_gain = min(chan->orig_mag, 909 chan->max_antenna_gain = min(chan->orig_mag,
902 (int) MBI_TO_DBI(power_rule->max_antenna_gain)); 910 (int) MBI_TO_DBI(power_rule->max_antenna_gain));
903 chan->max_reg_power = (int) MBM_TO_DBM(power_rule->max_eirp); 911 chan->max_reg_power = (int) MBM_TO_DBM(power_rule->max_eirp);
904 chan->max_power = min(chan->max_power, chan->max_reg_power); 912 if (chan->orig_mpwr) {
913 /*
914 * Devices that have their own custom regulatory domain
915 * but also use WIPHY_FLAG_STRICT_REGULATORY will follow the
916 * passed country IE power settings.
917 */
918 if (initiator == NL80211_REGDOM_SET_BY_COUNTRY_IE &&
919 wiphy->flags & WIPHY_FLAG_CUSTOM_REGULATORY &&
920 wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY)
921 chan->max_power = chan->max_reg_power;
922 else
923 chan->max_power = min(chan->orig_mpwr,
924 chan->max_reg_power);
925 } else
926 chan->max_power = chan->max_reg_power;
905} 927}
906 928
907static void handle_band(struct wiphy *wiphy, 929static void handle_band(struct wiphy *wiphy,
@@ -1885,6 +1907,7 @@ static void restore_custom_reg_settings(struct wiphy *wiphy)
1885 chan->flags = chan->orig_flags; 1907 chan->flags = chan->orig_flags;
1886 chan->max_antenna_gain = chan->orig_mag; 1908 chan->max_antenna_gain = chan->orig_mag;
1887 chan->max_power = chan->orig_mpwr; 1909 chan->max_power = chan->orig_mpwr;
1910 chan->beacon_found = false;
1888 } 1911 }
1889 } 1912 }
1890} 1913}
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 26f8cd30f712..994e2f0cc7a8 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -735,7 +735,7 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev)
735 wdev->connect_keys = NULL; 735 wdev->connect_keys = NULL;
736} 736}
737 737
738static void cfg80211_process_wdev_events(struct wireless_dev *wdev) 738void cfg80211_process_wdev_events(struct wireless_dev *wdev)
739{ 739{
740 struct cfg80211_event *ev; 740 struct cfg80211_event *ev;
741 unsigned long flags; 741 unsigned long flags;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 54a0dc2e2f8d..ab2bb42fe094 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -212,7 +212,7 @@ resume:
212 /* only the first xfrm gets the encap type */ 212 /* only the first xfrm gets the encap type */
213 encap_type = 0; 213 encap_type = 0;
214 214
215 if (async && x->repl->check(x, skb, seq)) { 215 if (async && x->repl->recheck(x, skb, seq)) {
216 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR); 216 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
217 goto drop_unlock; 217 goto drop_unlock;
218 } 218 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c5a5165a5927..387848e90078 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -585,6 +585,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
585 xfrm_pol_hold(policy); 585 xfrm_pol_hold(policy);
586 net->xfrm.policy_count[dir]++; 586 net->xfrm.policy_count[dir]++;
587 atomic_inc(&flow_cache_genid); 587 atomic_inc(&flow_cache_genid);
588 rt_genid_bump(net);
588 if (delpol) 589 if (delpol)
589 __xfrm_policy_unlink(delpol, dir); 590 __xfrm_policy_unlink(delpol, dir);
590 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir); 591 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
@@ -1357,6 +1358,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1357 1358
1358 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst)); 1359 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
1359 xdst->flo.ops = &xfrm_bundle_fc_ops; 1360 xdst->flo.ops = &xfrm_bundle_fc_ops;
1361 if (afinfo->init_dst)
1362 afinfo->init_dst(net, xdst);
1360 } else 1363 } else
1361 xdst = ERR_PTR(-ENOBUFS); 1364 xdst = ERR_PTR(-ENOBUFS);
1362 1365
@@ -1761,7 +1764,7 @@ static struct dst_entry *make_blackhole(struct net *net, u16 family,
1761 1764
1762 if (!afinfo) { 1765 if (!afinfo) {
1763 dst_release(dst_orig); 1766 dst_release(dst_orig);
1764 ret = ERR_PTR(-EINVAL); 1767 return ERR_PTR(-EINVAL);
1765 } else { 1768 } else {
1766 ret = afinfo->blackhole_route(net, dst_orig); 1769 ret = afinfo->blackhole_route(net, dst_orig);
1767 } 1770 }
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 2f6d11d04a2b..3efb07d3eb27 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -420,6 +420,18 @@ err:
420 return -EINVAL; 420 return -EINVAL;
421} 421}
422 422
423static int xfrm_replay_recheck_esn(struct xfrm_state *x,
424 struct sk_buff *skb, __be32 net_seq)
425{
426 if (unlikely(XFRM_SKB_CB(skb)->seq.input.hi !=
427 htonl(xfrm_replay_seqhi(x, net_seq)))) {
428 x->stats.replay_window++;
429 return -EINVAL;
430 }
431
432 return xfrm_replay_check_esn(x, skb, net_seq);
433}
434
423static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq) 435static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
424{ 436{
425 unsigned int bitnr, nr, i; 437 unsigned int bitnr, nr, i;
@@ -479,6 +491,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
479static struct xfrm_replay xfrm_replay_legacy = { 491static struct xfrm_replay xfrm_replay_legacy = {
480 .advance = xfrm_replay_advance, 492 .advance = xfrm_replay_advance,
481 .check = xfrm_replay_check, 493 .check = xfrm_replay_check,
494 .recheck = xfrm_replay_check,
482 .notify = xfrm_replay_notify, 495 .notify = xfrm_replay_notify,
483 .overflow = xfrm_replay_overflow, 496 .overflow = xfrm_replay_overflow,
484}; 497};
@@ -486,6 +499,7 @@ static struct xfrm_replay xfrm_replay_legacy = {
486static struct xfrm_replay xfrm_replay_bmp = { 499static struct xfrm_replay xfrm_replay_bmp = {
487 .advance = xfrm_replay_advance_bmp, 500 .advance = xfrm_replay_advance_bmp,
488 .check = xfrm_replay_check_bmp, 501 .check = xfrm_replay_check_bmp,
502 .recheck = xfrm_replay_check_bmp,
489 .notify = xfrm_replay_notify_bmp, 503 .notify = xfrm_replay_notify_bmp,
490 .overflow = xfrm_replay_overflow_bmp, 504 .overflow = xfrm_replay_overflow_bmp,
491}; 505};
@@ -493,6 +507,7 @@ static struct xfrm_replay xfrm_replay_bmp = {
493static struct xfrm_replay xfrm_replay_esn = { 507static struct xfrm_replay xfrm_replay_esn = {
494 .advance = xfrm_replay_advance_esn, 508 .advance = xfrm_replay_advance_esn,
495 .check = xfrm_replay_check_esn, 509 .check = xfrm_replay_check_esn,
510 .recheck = xfrm_replay_recheck_esn,
496 .notify = xfrm_replay_notify_bmp, 511 .notify = xfrm_replay_notify_bmp,
497 .overflow = xfrm_replay_overflow_esn, 512 .overflow = xfrm_replay_overflow_esn,
498}; 513};
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5b228f97d4b3..210be48d8ae3 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -415,8 +415,17 @@ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer * me)
415 if (x->lft.hard_add_expires_seconds) { 415 if (x->lft.hard_add_expires_seconds) {
416 long tmo = x->lft.hard_add_expires_seconds + 416 long tmo = x->lft.hard_add_expires_seconds +
417 x->curlft.add_time - now; 417 x->curlft.add_time - now;
418 if (tmo <= 0) 418 if (tmo <= 0) {
419 goto expired; 419 if (x->xflags & XFRM_SOFT_EXPIRE) {
420 /* enter hard expire without soft expire first?!
421 * setting a new date could trigger this.
422 * workarbound: fix x->curflt.add_time by below:
423 */
424 x->curlft.add_time = now - x->saved_tmo - 1;
425 tmo = x->lft.hard_add_expires_seconds - x->saved_tmo;
426 } else
427 goto expired;
428 }
420 if (tmo < next) 429 if (tmo < next)
421 next = tmo; 430 next = tmo;
422 } 431 }
@@ -433,10 +442,14 @@ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer * me)
433 if (x->lft.soft_add_expires_seconds) { 442 if (x->lft.soft_add_expires_seconds) {
434 long tmo = x->lft.soft_add_expires_seconds + 443 long tmo = x->lft.soft_add_expires_seconds +
435 x->curlft.add_time - now; 444 x->curlft.add_time - now;
436 if (tmo <= 0) 445 if (tmo <= 0) {
437 warn = 1; 446 warn = 1;
438 else if (tmo < next) 447 x->xflags &= ~XFRM_SOFT_EXPIRE;
448 } else if (tmo < next) {
439 next = tmo; 449 next = tmo;
450 x->xflags |= XFRM_SOFT_EXPIRE;
451 x->saved_tmo = tmo;
452 }
440 } 453 }
441 if (x->lft.soft_use_expires_seconds) { 454 if (x->lft.soft_use_expires_seconds) {
442 long tmo = x->lft.soft_use_expires_seconds + 455 long tmo = x->lft.soft_use_expires_seconds +
@@ -1981,8 +1994,10 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
1981 goto error; 1994 goto error;
1982 1995
1983 x->outer_mode = xfrm_get_mode(x->props.mode, family); 1996 x->outer_mode = xfrm_get_mode(x->props.mode, family);
1984 if (x->outer_mode == NULL) 1997 if (x->outer_mode == NULL) {
1998 err = -EPROTONOSUPPORT;
1985 goto error; 1999 goto error;
2000 }
1986 2001
1987 if (init_replay) { 2002 if (init_replay) {
1988 err = xfrm_init_replay(x); 2003 err = xfrm_init_replay(x);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e75d8e47f35c..289f4bf18ff0 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -123,9 +123,21 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
123 struct nlattr **attrs) 123 struct nlattr **attrs)
124{ 124{
125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
126 struct xfrm_replay_state_esn *rs;
126 127
127 if ((p->flags & XFRM_STATE_ESN) && !rt) 128 if (p->flags & XFRM_STATE_ESN) {
128 return -EINVAL; 129 if (!rt)
130 return -EINVAL;
131
132 rs = nla_data(rt);
133
134 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
135 return -EINVAL;
136
137 if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
138 nla_len(rt) != sizeof(*rs))
139 return -EINVAL;
140 }
129 141
130 if (!rt) 142 if (!rt)
131 return 0; 143 return 0;
@@ -370,14 +382,15 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
370 struct nlattr *rp) 382 struct nlattr *rp)
371{ 383{
372 struct xfrm_replay_state_esn *up; 384 struct xfrm_replay_state_esn *up;
385 int ulen;
373 386
374 if (!replay_esn || !rp) 387 if (!replay_esn || !rp)
375 return 0; 388 return 0;
376 389
377 up = nla_data(rp); 390 up = nla_data(rp);
391 ulen = xfrm_replay_state_esn_len(up);
378 392
379 if (xfrm_replay_state_esn_len(replay_esn) != 393 if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
380 xfrm_replay_state_esn_len(up))
381 return -EINVAL; 394 return -EINVAL;
382 395
383 return 0; 396 return 0;
@@ -388,22 +401,28 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn
388 struct nlattr *rta) 401 struct nlattr *rta)
389{ 402{
390 struct xfrm_replay_state_esn *p, *pp, *up; 403 struct xfrm_replay_state_esn *p, *pp, *up;
404 int klen, ulen;
391 405
392 if (!rta) 406 if (!rta)
393 return 0; 407 return 0;
394 408
395 up = nla_data(rta); 409 up = nla_data(rta);
410 klen = xfrm_replay_state_esn_len(up);
411 ulen = nla_len(rta) >= klen ? klen : sizeof(*up);
396 412
397 p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 413 p = kzalloc(klen, GFP_KERNEL);
398 if (!p) 414 if (!p)
399 return -ENOMEM; 415 return -ENOMEM;
400 416
401 pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 417 pp = kzalloc(klen, GFP_KERNEL);
402 if (!pp) { 418 if (!pp) {
403 kfree(p); 419 kfree(p);
404 return -ENOMEM; 420 return -ENOMEM;
405 } 421 }
406 422
423 memcpy(p, up, ulen);
424 memcpy(pp, up, ulen);
425
407 *replay_esn = p; 426 *replay_esn = p;
408 *preplay_esn = pp; 427 *preplay_esn = pp;
409 428
@@ -442,10 +461,11 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
442 * somehow made shareable and move it to xfrm_state.c - JHS 461 * somehow made shareable and move it to xfrm_state.c - JHS
443 * 462 *
444*/ 463*/
445static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs) 464static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
465 int update_esn)
446{ 466{
447 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 467 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
448 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 468 struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
449 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 469 struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
450 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 470 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
451 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 471 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
@@ -555,7 +575,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
555 goto error; 575 goto error;
556 576
557 /* override default values from above */ 577 /* override default values from above */
558 xfrm_update_ae_params(x, attrs); 578 xfrm_update_ae_params(x, attrs, 0);
559 579
560 return x; 580 return x;
561 581
@@ -689,6 +709,7 @@ out:
689 709
690static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 710static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
691{ 711{
712 memset(p, 0, sizeof(*p));
692 memcpy(&p->id, &x->id, sizeof(p->id)); 713 memcpy(&p->id, &x->id, sizeof(p->id));
693 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 714 memcpy(&p->sel, &x->sel, sizeof(p->sel));
694 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 715 memcpy(&p->lft, &x->lft, sizeof(p->lft));
@@ -742,7 +763,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
742 return -EMSGSIZE; 763 return -EMSGSIZE;
743 764
744 algo = nla_data(nla); 765 algo = nla_data(nla);
745 strcpy(algo->alg_name, auth->alg_name); 766 strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
746 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8); 767 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
747 algo->alg_key_len = auth->alg_key_len; 768 algo->alg_key_len = auth->alg_key_len;
748 769
@@ -878,6 +899,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
878{ 899{
879 struct xfrm_dump_info info; 900 struct xfrm_dump_info info;
880 struct sk_buff *skb; 901 struct sk_buff *skb;
902 int err;
881 903
882 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 904 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
883 if (!skb) 905 if (!skb)
@@ -888,9 +910,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
888 info.nlmsg_seq = seq; 910 info.nlmsg_seq = seq;
889 info.nlmsg_flags = 0; 911 info.nlmsg_flags = 0;
890 912
891 if (dump_one_state(x, 0, &info)) { 913 err = dump_one_state(x, 0, &info);
914 if (err) {
892 kfree_skb(skb); 915 kfree_skb(skb);
893 return NULL; 916 return ERR_PTR(err);
894 } 917 }
895 918
896 return skb; 919 return skb;
@@ -1317,6 +1340,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
1317 1340
1318static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1341static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
1319{ 1342{
1343 memset(p, 0, sizeof(*p));
1320 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1344 memcpy(&p->sel, &xp->selector, sizeof(p->sel));
1321 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1345 memcpy(&p->lft, &xp->lft, sizeof(p->lft));
1322 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1346 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
@@ -1421,6 +1445,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
1421 struct xfrm_user_tmpl *up = &vec[i]; 1445 struct xfrm_user_tmpl *up = &vec[i];
1422 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1446 struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
1423 1447
1448 memset(up, 0, sizeof(*up));
1424 memcpy(&up->id, &kp->id, sizeof(up->id)); 1449 memcpy(&up->id, &kp->id, sizeof(up->id));
1425 up->family = kp->encap_family; 1450 up->family = kp->encap_family;
1426 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1451 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
@@ -1546,6 +1571,7 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
1546{ 1571{
1547 struct xfrm_dump_info info; 1572 struct xfrm_dump_info info;
1548 struct sk_buff *skb; 1573 struct sk_buff *skb;
1574 int err;
1549 1575
1550 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1576 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1551 if (!skb) 1577 if (!skb)
@@ -1556,9 +1582,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
1556 info.nlmsg_seq = seq; 1582 info.nlmsg_seq = seq;
1557 info.nlmsg_flags = 0; 1583 info.nlmsg_flags = 0;
1558 1584
1559 if (dump_one_policy(xp, dir, 0, &info) < 0) { 1585 err = dump_one_policy(xp, dir, 0, &info);
1586 if (err) {
1560 kfree_skb(skb); 1587 kfree_skb(skb);
1561 return NULL; 1588 return ERR_PTR(err);
1562 } 1589 }
1563 1590
1564 return skb; 1591 return skb;
@@ -1822,7 +1849,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
1822 goto out; 1849 goto out;
1823 1850
1824 spin_lock_bh(&x->lock); 1851 spin_lock_bh(&x->lock);
1825 xfrm_update_ae_params(x, attrs); 1852 xfrm_update_ae_params(x, attrs, 1);
1826 spin_unlock_bh(&x->lock); 1853 spin_unlock_bh(&x->lock);
1827 1854
1828 c.event = nlh->nlmsg_type; 1855 c.event = nlh->nlmsg_type;
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-21 12:27:28 -0400