aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlan.c8
-rw-r--r--net/8021q/vlan.h2
-rw-r--r--net/8021q/vlan_dev.c20
-rw-r--r--net/9p/client.c4
-rw-r--r--net/ax25/ax25_subr.c2
-rw-r--r--net/bluetooth/hci_sock.c3
-rw-r--r--net/bluetooth/smp.c35
-rw-r--r--net/bridge/br_input.c1
-rw-r--r--net/bridge/br_netfilter_hooks.c21
-rw-r--r--net/bridge/br_netlink.c38
-rw-r--r--net/bridge/br_stp_if.c2
-rw-r--r--net/bridge/br_stp_timer.c2
-rw-r--r--net/caif/cfpkt_skbuff.c6
-rw-r--r--net/can/af_can.c12
-rw-r--r--net/can/af_can.h3
-rw-r--r--net/can/bcm.c27
-rw-r--r--net/can/gw.c2
-rw-r--r--net/can/raw.c4
-rw-r--r--net/ceph/messenger.c6
-rw-r--r--net/ceph/osdmap.c1
-rw-r--r--net/core/dev.c135
-rw-r--r--net/core/dev_ioctl.c1
-rw-r--r--net/core/dst.c37
-rw-r--r--net/core/ethtool.c9
-rw-r--r--net/core/neighbour.c3
-rw-r--r--net/core/netpoll.c10
-rw-r--r--net/core/rtnetlink.c46
-rw-r--r--net/core/skbuff.c30
-rw-r--r--net/core/sock.c28
-rw-r--r--net/dccp/ccids/ccid2.c1
-rw-r--r--net/dccp/feat.c7
-rw-r--r--net/dccp/input.c3
-rw-r--r--net/dccp/ipv4.c4
-rw-r--r--net/dccp/ipv6.c15
-rw-r--r--net/dccp/minisocks.c25
-rw-r--r--net/decnet/dn_route.c14
-rw-r--r--net/decnet/netfilter/dn_rtmsg.c4
-rw-r--r--net/dsa/slave.c8
-rw-r--r--net/ethernet/eth.c1
-rw-r--r--net/ipv4/af_inet.c2
-rw-r--r--net/ipv4/arp.c12
-rw-r--r--net/ipv4/cipso_ipv4.c4
-rw-r--r--net/ipv4/fib_frontend.c27
-rw-r--r--net/ipv4/fib_semantics.c28
-rw-r--r--net/ipv4/fib_trie.c26
-rw-r--r--net/ipv4/igmp.c22
-rw-r--r--net/ipv4/inet_connection_sock.c2
-rw-r--r--net/ipv4/ip_output.c7
-rw-r--r--net/ipv4/ip_sockglue.c17
-rw-r--r--net/ipv4/ping.c7
-rw-r--r--net/ipv4/raw.c3
-rw-r--r--net/ipv4/route.c18
-rw-r--r--net/ipv4/syncookies.c1
-rw-r--r--net/ipv4/tcp.c16
-rw-r--r--net/ipv4/tcp_cong.c1
-rw-r--r--net/ipv4/tcp_fastopen.c3
-rw-r--r--net/ipv4/tcp_input.c27
-rw-r--r--net/ipv4/tcp_ipv4.c10
-rw-r--r--net/ipv4/tcp_lp.c6
-rw-r--r--net/ipv4/tcp_minisocks.c2
-rw-r--r--net/ipv4/tcp_output.c28
-rw-r--r--net/ipv4/tcp_timer.c9
-rw-r--r--net/ipv4/udp.c2
-rw-r--r--net/ipv4/udp_offload.c2
-rw-r--r--net/ipv6/addrconf.c111
-rw-r--r--net/ipv6/datagram.c14
-rw-r--r--net/ipv6/fib6_rules.c22
-rw-r--r--net/ipv6/ip6_fib.c10
-rw-r--r--net/ipv6/ip6_gre.c41
-rw-r--r--net/ipv6/ip6_offload.c9
-rw-r--r--net/ipv6/ip6_output.c43
-rw-r--r--net/ipv6/ip6_tunnel.c68
-rw-r--r--net/ipv6/ip6_vti.c4
-rw-r--r--net/ipv6/ip6mr.c13
-rw-r--r--net/ipv6/ndisc.c2
-rw-r--r--net/ipv6/output_core.c20
-rw-r--r--net/ipv6/ping.c2
-rw-r--r--net/ipv6/raw.c7
-rw-r--r--net/ipv6/route.c56
-rw-r--r--net/ipv6/sit.c1
-rw-r--r--net/ipv6/syncookies.c1
-rw-r--r--net/ipv6/tcp_ipv6.c45
-rw-r--r--net/ipv6/udp.c4
-rw-r--r--net/ipv6/udp_offload.c8
-rw-r--r--net/ipv6/xfrm6_mode_ro.c2
-rw-r--r--net/ipv6/xfrm6_mode_transport.c2
-rw-r--r--net/ipx/af_ipx.c5
-rw-r--r--net/irda/irqueue.c34
-rw-r--r--net/key/af_key.c110
-rw-r--r--net/l2tp/l2tp_core.c8
-rw-r--r--net/l2tp/l2tp_core.h4
-rw-r--r--net/l2tp/l2tp_debugfs.c10
-rw-r--r--net/l2tp/l2tp_ip.c29
-rw-r--r--net/l2tp/l2tp_ip6.c2
-rw-r--r--net/l2tp/l2tp_netlink.c7
-rw-r--r--net/l2tp/l2tp_ppp.c19
-rw-r--r--net/llc/llc_conn.c3
-rw-r--r--net/llc/llc_sap.c3
-rw-r--r--net/mac80211/agg-rx.c29
-rw-r--r--net/mac80211/agg-tx.c53
-rw-r--r--net/mac80211/driver-ops.c10
-rw-r--r--net/mac80211/driver-ops.h4
-rw-r--r--net/mac80211/ibss.c6
-rw-r--r--net/mac80211/main.c13
-rw-r--r--net/mac80211/mesh.c2
-rw-r--r--net/mac80211/pm.c1
-rw-r--r--net/mac80211/rx.c27
-rw-r--r--net/mac80211/trace.h43
-rw-r--r--net/mac80211/wpa.c9
-rw-r--r--net/mpls/af_mpls.c1
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c19
-rw-r--r--net/netfilter/nf_conntrack_extend.c13
-rw-r--r--net/netfilter/nf_conntrack_netlink.c4
-rw-r--r--net/netfilter/xt_IDLETIMER.c4
-rw-r--r--net/netfilter/xt_TCPMSS.c6
-rw-r--r--net/netfilter/xt_qtaguid.c24
-rw-r--r--net/netlink/Kconfig9
-rw-r--r--net/netlink/af_netlink.c753
-rw-r--r--net/netlink/af_netlink.h15
-rw-r--r--net/netlink/diag.c39
-rw-r--r--net/nfc/core.c31
-rw-r--r--net/nfc/llcp_sock.c9
-rw-r--r--net/nfc/nci/core.c3
-rw-r--r--net/nfc/netlink.c4
-rw-r--r--net/openvswitch/conntrack.c10
-rw-r--r--net/openvswitch/flow_netlink.c2
-rw-r--r--net/packet/af_packet.c110
-rw-r--r--net/rds/cong.c4
-rw-r--r--net/rds/tcp_listen.c2
-rw-r--r--net/rpmsg/rpmsg_proto.c19
-rw-r--r--net/rxrpc/ar-key.c64
-rw-r--r--net/sched/act_api.c5
-rw-r--r--net/sched/act_connmark.c3
-rw-r--r--net/sched/act_ipt.c2
-rw-r--r--net/sched/act_mirred.c5
-rw-r--r--net/sched/sch_api.c3
-rw-r--r--net/sched/sch_hhf.c8
-rw-r--r--net/sched/sch_mq.c10
-rw-r--r--net/sched/sch_mqprio.c19
-rw-r--r--net/sched/sch_sfq.c3
-rw-r--r--net/sctp/input.c16
-rw-r--r--net/sctp/ipv6.c49
-rw-r--r--net/sctp/socket.c16
-rw-r--r--net/socket.c8
-rw-r--r--net/sunrpc/auth_gss/auth_gss.c7
-rw-r--r--net/sunrpc/auth_gss/gss_rpc_xdr.c2
-rw-r--r--net/sunrpc/clnt.c5
-rw-r--r--net/sunrpc/sunrpc_syms.c1
-rw-r--r--net/tipc/bearer.c13
-rw-r--r--net/tipc/bearer.h13
-rw-r--r--net/tipc/core.c1
-rw-r--r--net/tipc/core.h3
-rw-r--r--net/tipc/name_distr.c24
-rw-r--r--net/tipc/node.c28
-rw-r--r--net/tipc/server.c13
-rw-r--r--net/tipc/socket.c56
-rw-r--r--net/tipc/udp_media.c7
-rw-r--r--net/unix/af_unix.c34
-rw-r--r--net/unix/garbage.c17
-rw-r--r--net/vmw_vsock/vmci_transport.c4
-rw-r--r--net/wireless/nl80211.c129
-rw-r--r--net/xfrm/xfrm_policy.c66
-rw-r--r--net/xfrm/xfrm_user.c9
163 files changed, 1695 insertions, 1807 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index ad8d6e6b87ca..5e4199d5a388 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -278,7 +278,8 @@ static int register_vlan_device(struct net_device *real_dev, u16 vlan_id)
278 return 0; 278 return 0;
279 279
280out_free_newdev: 280out_free_newdev:
281 free_netdev(new_dev); 281 if (new_dev->reg_state == NETREG_UNINITIALIZED)
282 free_netdev(new_dev);
282 return err; 283 return err;
283} 284}
284 285
@@ -291,6 +292,10 @@ static void vlan_sync_address(struct net_device *dev,
291 if (ether_addr_equal(vlan->real_dev_addr, dev->dev_addr)) 292 if (ether_addr_equal(vlan->real_dev_addr, dev->dev_addr))
292 return; 293 return;
293 294
295 /* vlan continues to inherit address of lower device */
296 if (vlan_dev_inherit_address(vlandev, dev))
297 goto out;
298
294 /* vlan address was different from the old address and is equal to 299 /* vlan address was different from the old address and is equal to
295 * the new address */ 300 * the new address */
296 if (!ether_addr_equal(vlandev->dev_addr, vlan->real_dev_addr) && 301 if (!ether_addr_equal(vlandev->dev_addr, vlan->real_dev_addr) &&
@@ -303,6 +308,7 @@ static void vlan_sync_address(struct net_device *dev,
303 !ether_addr_equal(vlandev->dev_addr, dev->dev_addr)) 308 !ether_addr_equal(vlandev->dev_addr, dev->dev_addr))
304 dev_uc_add(dev, vlandev->dev_addr); 309 dev_uc_add(dev, vlandev->dev_addr);
305 310
311out:
306 ether_addr_copy(vlan->real_dev_addr, dev->dev_addr); 312 ether_addr_copy(vlan->real_dev_addr, dev->dev_addr);
307} 313}
308 314
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index 9d010a09ab98..cc1557978066 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -109,6 +109,8 @@ int vlan_check_real_dev(struct net_device *real_dev,
109void vlan_setup(struct net_device *dev); 109void vlan_setup(struct net_device *dev);
110int register_vlan_dev(struct net_device *dev); 110int register_vlan_dev(struct net_device *dev);
111void unregister_vlan_dev(struct net_device *dev, struct list_head *head); 111void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
112bool vlan_dev_inherit_address(struct net_device *dev,
113 struct net_device *real_dev);
112 114
113static inline u32 vlan_get_ingress_priority(struct net_device *dev, 115static inline u32 vlan_get_ingress_priority(struct net_device *dev,
114 u16 vlan_tci) 116 u16 vlan_tci)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index fded86508117..ca4dc9031073 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -244,6 +244,17 @@ void vlan_dev_get_realdev_name(const struct net_device *dev, char *result)
244 strncpy(result, vlan_dev_priv(dev)->real_dev->name, 23); 244 strncpy(result, vlan_dev_priv(dev)->real_dev->name, 23);
245} 245}
246 246
247bool vlan_dev_inherit_address(struct net_device *dev,
248 struct net_device *real_dev)
249{
250 if (dev->addr_assign_type != NET_ADDR_STOLEN)
251 return false;
252
253 ether_addr_copy(dev->dev_addr, real_dev->dev_addr);
254 call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
255 return true;
256}
257
247static int vlan_dev_open(struct net_device *dev) 258static int vlan_dev_open(struct net_device *dev)
248{ 259{
249 struct vlan_dev_priv *vlan = vlan_dev_priv(dev); 260 struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
@@ -254,7 +265,8 @@ static int vlan_dev_open(struct net_device *dev)
254 !(vlan->flags & VLAN_FLAG_LOOSE_BINDING)) 265 !(vlan->flags & VLAN_FLAG_LOOSE_BINDING))
255 return -ENETDOWN; 266 return -ENETDOWN;
256 267
257 if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr)) { 268 if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr) &&
269 !vlan_dev_inherit_address(dev, real_dev)) {
258 err = dev_uc_add(real_dev, dev->dev_addr); 270 err = dev_uc_add(real_dev, dev->dev_addr);
259 if (err < 0) 271 if (err < 0)
260 goto out; 272 goto out;
@@ -558,8 +570,10 @@ static int vlan_dev_init(struct net_device *dev)
558 /* ipv6 shared card related stuff */ 570 /* ipv6 shared card related stuff */
559 dev->dev_id = real_dev->dev_id; 571 dev->dev_id = real_dev->dev_id;
560 572
561 if (is_zero_ether_addr(dev->dev_addr)) 573 if (is_zero_ether_addr(dev->dev_addr)) {
562 eth_hw_addr_inherit(dev, real_dev); 574 ether_addr_copy(dev->dev_addr, real_dev->dev_addr);
575 dev->addr_assign_type = NET_ADDR_STOLEN;
576 }
563 if (is_zero_ether_addr(dev->broadcast)) 577 if (is_zero_ether_addr(dev->broadcast))
564 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len); 578 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
565 579
diff --git a/net/9p/client.c b/net/9p/client.c
index ea79ee9a7348..f5feac4ff4ec 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
2101 trace_9p_protocol_dump(clnt, req->rc); 2101 trace_9p_protocol_dump(clnt, req->rc);
2102 goto free_and_error; 2102 goto free_and_error;
2103 } 2103 }
2104 if (rsize < count) {
2105 pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
2106 count = rsize;
2107 }
2104 2108
2105 p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); 2109 p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
2106 2110
diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c
index 655a7d4c96e1..983f0b5e14f1 100644
--- a/net/ax25/ax25_subr.c
+++ b/net/ax25/ax25_subr.c
@@ -264,7 +264,7 @@ void ax25_disconnect(ax25_cb *ax25, int reason)
264{ 264{
265 ax25_clear_queues(ax25); 265 ax25_clear_queues(ax25);
266 266
267 if (!sock_flag(ax25->sk, SOCK_DESTROY)) 267 if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY))
268 ax25_stop_heartbeat(ax25); 268 ax25_stop_heartbeat(ax25);
269 ax25_stop_t1timer(ax25); 269 ax25_stop_t1timer(ax25);
270 ax25_stop_t2timer(ax25); 270 ax25_stop_t2timer(ax25);
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b1eb8c09a660..c842f40c1173 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1164,7 +1164,8 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
1164 if (msg->msg_flags & MSG_OOB) 1164 if (msg->msg_flags & MSG_OOB)
1165 return -EOPNOTSUPP; 1165 return -EOPNOTSUPP;
1166 1166
1167 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE)) 1167 if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE|
1168 MSG_CMSG_COMPAT))
1168 return -EINVAL; 1169 return -EINVAL;
1169 1170
1170 if (len < 4 || len > HCI_MAX_FRAME_SIZE) 1171 if (len < 4 || len > HCI_MAX_FRAME_SIZE)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 4b175df35184..906f88550cd8 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -23,6 +23,7 @@
23#include <linux/debugfs.h> 23#include <linux/debugfs.h>
24#include <linux/crypto.h> 24#include <linux/crypto.h>
25#include <linux/scatterlist.h> 25#include <linux/scatterlist.h>
26#include <crypto/algapi.h>
26#include <crypto/b128ops.h> 27#include <crypto/b128ops.h>
27 28
28#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
@@ -524,7 +525,7 @@ bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
524 if (err) 525 if (err)
525 return false; 526 return false;
526 527
527 return !memcmp(bdaddr->b, hash, 3); 528 return !crypto_memneq(bdaddr->b, hash, 3);
528} 529}
529 530
530int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 531int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
@@ -577,7 +578,7 @@ int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
577 /* This is unlikely, but we need to check that 578 /* This is unlikely, but we need to check that
578 * we didn't accidentially generate a debug key. 579 * we didn't accidentially generate a debug key.
579 */ 580 */
580 if (memcmp(smp->local_sk, debug_sk, 32)) 581 if (crypto_memneq(smp->local_sk, debug_sk, 32))
581 break; 582 break;
582 } 583 }
583 smp->debug_key = false; 584 smp->debug_key = false;
@@ -991,7 +992,7 @@ static u8 smp_random(struct smp_chan *smp)
991 if (ret) 992 if (ret)
992 return SMP_UNSPECIFIED; 993 return SMP_UNSPECIFIED;
993 994
994 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { 995 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
995 BT_ERR("Pairing failed (confirmation values mismatch)"); 996 BT_ERR("Pairing failed (confirmation values mismatch)");
996 return SMP_CONFIRM_FAILED; 997 return SMP_CONFIRM_FAILED;
997 } 998 }
@@ -1491,7 +1492,7 @@ static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1491 smp->rrnd, r, cfm)) 1492 smp->rrnd, r, cfm))
1492 return SMP_UNSPECIFIED; 1493 return SMP_UNSPECIFIED;
1493 1494
1494 if (memcmp(smp->pcnf, cfm, 16)) 1495 if (crypto_memneq(smp->pcnf, cfm, 16))
1495 return SMP_CONFIRM_FAILED; 1496 return SMP_CONFIRM_FAILED;
1496 1497
1497 smp->passkey_round++; 1498 smp->passkey_round++;
@@ -1875,7 +1876,7 @@ static u8 sc_send_public_key(struct smp_chan *smp)
1875 /* This is unlikely, but we need to check that 1876 /* This is unlikely, but we need to check that
1876 * we didn't accidentially generate a debug key. 1877 * we didn't accidentially generate a debug key.
1877 */ 1878 */
1878 if (memcmp(smp->local_sk, debug_sk, 32)) 1879 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1879 break; 1880 break;
1880 } 1881 }
1881 } 1882 }
@@ -2140,7 +2141,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2140 if (err) 2141 if (err)
2141 return SMP_UNSPECIFIED; 2142 return SMP_UNSPECIFIED;
2142 2143
2143 if (memcmp(smp->pcnf, cfm, 16)) 2144 if (crypto_memneq(smp->pcnf, cfm, 16))
2144 return SMP_CONFIRM_FAILED; 2145 return SMP_CONFIRM_FAILED;
2145 } else { 2146 } else {
2146 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2147 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
@@ -2621,7 +2622,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2621 if (err) 2622 if (err)
2622 return SMP_UNSPECIFIED; 2623 return SMP_UNSPECIFIED;
2623 2624
2624 if (memcmp(cfm.confirm_val, smp->pcnf, 16)) 2625 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2625 return SMP_CONFIRM_FAILED; 2626 return SMP_CONFIRM_FAILED;
2626 } 2627 }
2627 2628
@@ -2654,7 +2655,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2654 else 2655 else
2655 hcon->pending_sec_level = BT_SECURITY_FIPS; 2656 hcon->pending_sec_level = BT_SECURITY_FIPS;
2656 2657
2657 if (!memcmp(debug_pk, smp->remote_pk, 64)) 2658 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2658 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2659 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2659 2660
2660 if (smp->method == DSP_PASSKEY) { 2661 if (smp->method == DSP_PASSKEY) {
@@ -2753,7 +2754,7 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2753 if (err) 2754 if (err)
2754 return SMP_UNSPECIFIED; 2755 return SMP_UNSPECIFIED;
2755 2756
2756 if (memcmp(check->e, e, 16)) 2757 if (crypto_memneq(check->e, e, 16))
2757 return SMP_DHKEY_CHECK_FAILED; 2758 return SMP_DHKEY_CHECK_FAILED;
2758 2759
2759 if (!hcon->out) { 2760 if (!hcon->out) {
@@ -3463,7 +3464,7 @@ static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3463 if (err) 3464 if (err)
3464 return err; 3465 return err;
3465 3466
3466 if (memcmp(res, exp, 3)) 3467 if (crypto_memneq(res, exp, 3))
3467 return -EINVAL; 3468 return -EINVAL;
3468 3469
3469 return 0; 3470 return 0;
@@ -3493,7 +3494,7 @@ static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3493 if (err) 3494 if (err)
3494 return err; 3495 return err;
3495 3496
3496 if (memcmp(res, exp, 16)) 3497 if (crypto_memneq(res, exp, 16))
3497 return -EINVAL; 3498 return -EINVAL;
3498 3499
3499 return 0; 3500 return 0;
@@ -3518,7 +3519,7 @@ static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3518 if (err) 3519 if (err)
3519 return err; 3520 return err;
3520 3521
3521 if (memcmp(res, exp, 16)) 3522 if (crypto_memneq(res, exp, 16))
3522 return -EINVAL; 3523 return -EINVAL;
3523 3524
3524 return 0; 3525 return 0;
@@ -3550,7 +3551,7 @@ static int __init test_f4(struct crypto_hash *tfm_cmac)
3550 if (err) 3551 if (err)
3551 return err; 3552 return err;
3552 3553
3553 if (memcmp(res, exp, 16)) 3554 if (crypto_memneq(res, exp, 16))
3554 return -EINVAL; 3555 return -EINVAL;
3555 3556
3556 return 0; 3557 return 0;
@@ -3584,10 +3585,10 @@ static int __init test_f5(struct crypto_hash *tfm_cmac)
3584 if (err) 3585 if (err)
3585 return err; 3586 return err;
3586 3587
3587 if (memcmp(mackey, exp_mackey, 16)) 3588 if (crypto_memneq(mackey, exp_mackey, 16))
3588 return -EINVAL; 3589 return -EINVAL;
3589 3590
3590 if (memcmp(ltk, exp_ltk, 16)) 3591 if (crypto_memneq(ltk, exp_ltk, 16))
3591 return -EINVAL; 3592 return -EINVAL;
3592 3593
3593 return 0; 3594 return 0;
@@ -3620,7 +3621,7 @@ static int __init test_f6(struct crypto_hash *tfm_cmac)
3620 if (err) 3621 if (err)
3621 return err; 3622 return err;
3622 3623
3623 if (memcmp(res, exp, 16)) 3624 if (crypto_memneq(res, exp, 16))
3624 return -EINVAL; 3625 return -EINVAL;
3625 3626
3626 return 0; 3627 return 0;
@@ -3674,7 +3675,7 @@ static int __init test_h6(struct crypto_hash *tfm_cmac)
3674 if (err) 3675 if (err)
3675 return err; 3676 return err;
3676 3677
3677 if (memcmp(res, exp, 16)) 3678 if (crypto_memneq(res, exp, 16))
3678 return -EINVAL; 3679 return -EINVAL;
3679 3680
3680 return 0; 3681 return 0;
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index f7fba74108a9..e24754a0e052 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook);
29static int 29static int
30br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb) 30br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
31{ 31{
32 br_drop_fake_rtable(skb);
32 return netif_receive_skb(skb); 33 return netif_receive_skb(skb);
33} 34}
34 35
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 7ddbe7ec81d6..97fc19f001bf 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv,
516} 516}
517 517
518 518
519/* PF_BRIDGE/LOCAL_IN ************************************************/
520/* The packet is locally destined, which requires a real
521 * dst_entry, so detach the fake one. On the way up, the
522 * packet would pass through PRE_ROUTING again (which already
523 * took place when the packet entered the bridge), but we
524 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
525 * prevent this from happening. */
526static unsigned int br_nf_local_in(void *priv,
527 struct sk_buff *skb,
528 const struct nf_hook_state *state)
529{
530 br_drop_fake_rtable(skb);
531 return NF_ACCEPT;
532}
533
534/* PF_BRIDGE/FORWARD *************************************************/ 519/* PF_BRIDGE/FORWARD *************************************************/
535static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) 520static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
536{ 521{
@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
901 .priority = NF_BR_PRI_BRNF, 886 .priority = NF_BR_PRI_BRNF,
902 }, 887 },
903 { 888 {
904 .hook = br_nf_local_in,
905 .pf = NFPROTO_BRIDGE,
906 .hooknum = NF_BR_LOCAL_IN,
907 .priority = NF_BR_PRI_BRNF,
908 },
909 {
910 .hook = br_nf_forward_ip, 889 .hook = br_nf_forward_ip,
911 .pf = NFPROTO_BRIDGE, 890 .pf = NFPROTO_BRIDGE,
912 .hooknum = NF_BR_FORWARD, 891 .hooknum = NF_BR_FORWARD,
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 40197ff8918a..ff8bb41d713f 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -768,23 +768,16 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[])
768 return -EPROTONOSUPPORT; 768 return -EPROTONOSUPPORT;
769 } 769 }
770 } 770 }
771#endif
772 771
773 return 0; 772 if (data[IFLA_BR_VLAN_DEFAULT_PVID]) {
774} 773 __u16 defpvid = nla_get_u16(data[IFLA_BR_VLAN_DEFAULT_PVID]);
775
776static int br_dev_newlink(struct net *src_net, struct net_device *dev,
777 struct nlattr *tb[], struct nlattr *data[])
778{
779 struct net_bridge *br = netdev_priv(dev);
780 774
781 if (tb[IFLA_ADDRESS]) { 775 if (defpvid >= VLAN_VID_MASK)
782 spin_lock_bh(&br->lock); 776 return -EINVAL;
783 br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
784 spin_unlock_bh(&br->lock);
785 } 777 }
778#endif
786 779
787 return register_netdevice(dev); 780 return 0;
788} 781}
789 782
790static int br_port_slave_changelink(struct net_device *brdev, 783static int br_port_slave_changelink(struct net_device *brdev,
@@ -1068,6 +1061,25 @@ static int br_changelink(struct net_device *brdev, struct nlattr *tb[],
1068 return 0; 1061 return 0;
1069} 1062}
1070 1063
1064static int br_dev_newlink(struct net *src_net, struct net_device *dev,
1065 struct nlattr *tb[], struct nlattr *data[])
1066{
1067 struct net_bridge *br = netdev_priv(dev);
1068 int err;
1069
1070 if (tb[IFLA_ADDRESS]) {
1071 spin_lock_bh(&br->lock);
1072 br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
1073 spin_unlock_bh(&br->lock);
1074 }
1075
1076 err = br_changelink(dev, tb, data);
1077 if (err)
1078 return err;
1079
1080 return register_netdevice(dev);
1081}
1082
1071static size_t br_get_size(const struct net_device *brdev) 1083static size_t br_get_size(const struct net_device *brdev)
1072{ 1084{
1073 return nla_total_size(sizeof(u32)) + /* IFLA_BR_FORWARD_DELAY */ 1085 return nla_total_size(sizeof(u32)) + /* IFLA_BR_FORWARD_DELAY */
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 8a7ada8bb947..bcb4559e735d 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -166,6 +166,8 @@ static void br_stp_start(struct net_bridge *br)
166 br_debug(br, "using kernel STP\n"); 166 br_debug(br, "using kernel STP\n");
167 167
168 /* To start timers on any ports left in blocking */ 168 /* To start timers on any ports left in blocking */
169 if (br->dev->flags & IFF_UP)
170 mod_timer(&br->hello_timer, jiffies + br->hello_time);
169 br_port_state_selection(br); 171 br_port_state_selection(br);
170 } 172 }
171 173
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index 5f0f5af0ec35..7dbe6a5c31eb 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -40,7 +40,7 @@ static void br_hello_timer_expired(unsigned long arg)
40 if (br->dev->flags & IFF_UP) { 40 if (br->dev->flags & IFF_UP) {
41 br_config_bpdu_generation(br); 41 br_config_bpdu_generation(br);
42 42
43 if (br->stp_enabled != BR_USER_STP) 43 if (br->stp_enabled == BR_KERNEL_STP)
44 mod_timer(&br->hello_timer, 44 mod_timer(&br->hello_timer,
45 round_jiffies(jiffies + br->hello_time)); 45 round_jiffies(jiffies + br->hello_time));
46 } 46 }
diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c
index 59ce1fcc220c..71b6ab240dea 100644
--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u16 len, u16 pfx)
81{ 81{
82 struct sk_buff *skb; 82 struct sk_buff *skb;
83 83
84 if (likely(in_interrupt())) 84 skb = alloc_skb(len + pfx, GFP_ATOMIC);
85 skb = alloc_skb(len + pfx, GFP_ATOMIC);
86 else
87 skb = alloc_skb(len + pfx, GFP_KERNEL);
88
89 if (unlikely(skb == NULL)) 85 if (unlikely(skb == NULL))
90 return NULL; 86 return NULL;
91 87
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 166d436196c1..928f58064098 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -445,6 +445,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
445 * @func: callback function on filter match 445 * @func: callback function on filter match
446 * @data: returned parameter for callback function 446 * @data: returned parameter for callback function
447 * @ident: string for calling module identification 447 * @ident: string for calling module identification
448 * @sk: socket pointer (might be NULL)
448 * 449 *
449 * Description: 450 * Description:
450 * Invokes the callback function with the received sk_buff and the given 451 * Invokes the callback function with the received sk_buff and the given
@@ -468,7 +469,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
468 */ 469 */
469int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, 470int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
470 void (*func)(struct sk_buff *, void *), void *data, 471 void (*func)(struct sk_buff *, void *), void *data,
471 char *ident) 472 char *ident, struct sock *sk)
472{ 473{
473 struct receiver *r; 474 struct receiver *r;
474 struct hlist_head *rl; 475 struct hlist_head *rl;
@@ -496,6 +497,7 @@ int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
496 r->func = func; 497 r->func = func;
497 r->data = data; 498 r->data = data;
498 r->ident = ident; 499 r->ident = ident;
500 r->sk = sk;
499 501
500 hlist_add_head_rcu(&r->list, rl); 502 hlist_add_head_rcu(&r->list, rl);
501 d->entries++; 503 d->entries++;
@@ -520,8 +522,11 @@ EXPORT_SYMBOL(can_rx_register);
520static void can_rx_delete_receiver(struct rcu_head *rp) 522static void can_rx_delete_receiver(struct rcu_head *rp)
521{ 523{
522 struct receiver *r = container_of(rp, struct receiver, rcu); 524 struct receiver *r = container_of(rp, struct receiver, rcu);
525 struct sock *sk = r->sk;
523 526
524 kmem_cache_free(rcv_cache, r); 527 kmem_cache_free(rcv_cache, r);
528 if (sk)
529 sock_put(sk);
525} 530}
526 531
527/** 532/**
@@ -596,8 +601,11 @@ void can_rx_unregister(struct net_device *dev, canid_t can_id, canid_t mask,
596 spin_unlock(&can_rcvlists_lock); 601 spin_unlock(&can_rcvlists_lock);
597 602
598 /* schedule the receiver item for deletion */ 603 /* schedule the receiver item for deletion */
599 if (r) 604 if (r) {
605 if (r->sk)
606 sock_hold(r->sk);
600 call_rcu(&r->rcu, can_rx_delete_receiver); 607 call_rcu(&r->rcu, can_rx_delete_receiver);
608 }
601} 609}
602EXPORT_SYMBOL(can_rx_unregister); 610EXPORT_SYMBOL(can_rx_unregister);
603 611
diff --git a/net/can/af_can.h b/net/can/af_can.h
index fca0fe9fc45a..b86f5129e838 100644
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -50,13 +50,14 @@
50 50
51struct receiver { 51struct receiver {
52 struct hlist_node list; 52 struct hlist_node list;
53 struct rcu_head rcu;
54 canid_t can_id; 53 canid_t can_id;
55 canid_t mask; 54 canid_t mask;
56 unsigned long matches; 55 unsigned long matches;
57 void (*func)(struct sk_buff *, void *); 56 void (*func)(struct sk_buff *, void *);
58 void *data; 57 void *data;
59 char *ident; 58 char *ident;
59 struct sock *sk;
60 struct rcu_head rcu;
60}; 61};
61 62
62#define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS) 63#define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 8ef1afacad82..4ccfd356baed 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -710,14 +710,23 @@ static struct bcm_op *bcm_find_op(struct list_head *ops, canid_t can_id,
710 710
711static void bcm_remove_op(struct bcm_op *op) 711static void bcm_remove_op(struct bcm_op *op)
712{ 712{
713 hrtimer_cancel(&op->timer); 713 if (op->tsklet.func) {
714 hrtimer_cancel(&op->thrtimer); 714 while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
715 715 test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
716 if (op->tsklet.func) 716 hrtimer_active(&op->timer)) {
717 tasklet_kill(&op->tsklet); 717 hrtimer_cancel(&op->timer);
718 tasklet_kill(&op->tsklet);
719 }
720 }
718 721
719 if (op->thrtsklet.func) 722 if (op->thrtsklet.func) {
720 tasklet_kill(&op->thrtsklet); 723 while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
724 test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
725 hrtimer_active(&op->thrtimer)) {
726 hrtimer_cancel(&op->thrtimer);
727 tasklet_kill(&op->thrtsklet);
728 }
729 }
721 730
722 if ((op->frames) && (op->frames != &op->sframe)) 731 if ((op->frames) && (op->frames != &op->sframe))
723 kfree(op->frames); 732 kfree(op->frames);
@@ -1170,7 +1179,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
1170 err = can_rx_register(dev, op->can_id, 1179 err = can_rx_register(dev, op->can_id,
1171 REGMASK(op->can_id), 1180 REGMASK(op->can_id),
1172 bcm_rx_handler, op, 1181 bcm_rx_handler, op,
1173 "bcm"); 1182 "bcm", sk);
1174 1183
1175 op->rx_reg_dev = dev; 1184 op->rx_reg_dev = dev;
1176 dev_put(dev); 1185 dev_put(dev);
@@ -1179,7 +1188,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
1179 } else 1188 } else
1180 err = can_rx_register(NULL, op->can_id, 1189 err = can_rx_register(NULL, op->can_id,
1181 REGMASK(op->can_id), 1190 REGMASK(op->can_id),
1182 bcm_rx_handler, op, "bcm"); 1191 bcm_rx_handler, op, "bcm", sk);
1183 if (err) { 1192 if (err) {
1184 /* this bcm rx op is broken -> remove it */ 1193 /* this bcm rx op is broken -> remove it */
1185 list_del(&op->list); 1194 list_del(&op->list);
diff --git a/net/can/gw.c b/net/can/gw.c
index 455168718c2e..77c8af4047ef 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj)
442{ 442{
443 return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id, 443 return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
444 gwj->ccgw.filter.can_mask, can_can_gw_rcv, 444 gwj->ccgw.filter.can_mask, can_can_gw_rcv,
445 gwj, "gw"); 445 gwj, "gw", NULL);
446} 446}
447 447
448static inline void cgw_unregister_filter(struct cgw_job *gwj) 448static inline void cgw_unregister_filter(struct cgw_job *gwj)
diff --git a/net/can/raw.c b/net/can/raw.c
index 56af689ca999..e9403a26a1d5 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -190,7 +190,7 @@ static int raw_enable_filters(struct net_device *dev, struct sock *sk,
190 for (i = 0; i < count; i++) { 190 for (i = 0; i < count; i++) {
191 err = can_rx_register(dev, filter[i].can_id, 191 err = can_rx_register(dev, filter[i].can_id,
192 filter[i].can_mask, 192 filter[i].can_mask,
193 raw_rcv, sk, "raw"); 193 raw_rcv, sk, "raw", sk);
194 if (err) { 194 if (err) {
195 /* clean up successfully registered filters */ 195 /* clean up successfully registered filters */
196 while (--i >= 0) 196 while (--i >= 0)
@@ -211,7 +211,7 @@ static int raw_enable_errfilter(struct net_device *dev, struct sock *sk,
211 211
212 if (err_mask) 212 if (err_mask)
213 err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG, 213 err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
214 raw_rcv, sk, "raw"); 214 raw_rcv, sk, "raw", sk);
215 215
216 return err; 216 return err;
217} 217}
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b8d927c56494..a6b2f2138c9d 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -7,6 +7,7 @@
7#include <linux/kthread.h> 7#include <linux/kthread.h>
8#include <linux/net.h> 8#include <linux/net.h>
9#include <linux/nsproxy.h> 9#include <linux/nsproxy.h>
10#include <linux/sched.h>
10#include <linux/slab.h> 11#include <linux/slab.h>
11#include <linux/socket.h> 12#include <linux/socket.h>
12#include <linux/string.h> 13#include <linux/string.h>
@@ -478,11 +479,16 @@ static int ceph_tcp_connect(struct ceph_connection *con)
478{ 479{
479 struct sockaddr_storage *paddr = &con->peer_addr.in_addr; 480 struct sockaddr_storage *paddr = &con->peer_addr.in_addr;
480 struct socket *sock; 481 struct socket *sock;
482 unsigned int noio_flag;
481 int ret; 483 int ret;
482 484
483 BUG_ON(con->sock); 485 BUG_ON(con->sock);
486
487 /* sock_create_kern() allocates with GFP_KERNEL */
488 noio_flag = memalloc_noio_save();
484 ret = sock_create_kern(read_pnet(&con->msgr->net), paddr->ss_family, 489 ret = sock_create_kern(read_pnet(&con->msgr->net), paddr->ss_family,
485 SOCK_STREAM, IPPROTO_TCP, &sock); 490 SOCK_STREAM, IPPROTO_TCP, &sock);
491 memalloc_noio_restore(noio_flag);
486 if (ret) 492 if (ret)
487 return ret; 493 return ret;
488 sock->sk->sk_allocation = GFP_NOFS; 494 sock->sk->sk_allocation = GFP_NOFS;
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index ddc3573894b0..bc95e48d5cfb 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1265,7 +1265,6 @@ static int decode_new_up_state_weight(void **p, void *end,
1265 if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && 1265 if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
1266 (xorstate & CEPH_OSD_EXISTS)) { 1266 (xorstate & CEPH_OSD_EXISTS)) {
1267 pr_info("osd%d does not exist\n", osd); 1267 pr_info("osd%d does not exist\n", osd);
1268 map->osd_weight[osd] = CEPH_OSD_IN;
1269 ret = set_primary_affinity(map, osd, 1268 ret = set_primary_affinity(map, osd,
1270 CEPH_OSD_DEFAULT_PRIMARY_AFFINITY); 1269 CEPH_OSD_DEFAULT_PRIMARY_AFFINITY);
1271 if (ret) 1270 if (ret)
diff --git a/net/core/dev.c b/net/core/dev.c
index 6f203c7fb166..24d243084aab 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -182,7 +182,7 @@ EXPORT_SYMBOL(dev_base_lock);
182/* protects napi_hash addition/deletion and napi_gen_id */ 182/* protects napi_hash addition/deletion and napi_gen_id */
183static DEFINE_SPINLOCK(napi_hash_lock); 183static DEFINE_SPINLOCK(napi_hash_lock);
184 184
185static unsigned int napi_gen_id; 185static unsigned int napi_gen_id = NR_CPUS;
186static DEFINE_HASHTABLE(napi_hash, 8); 186static DEFINE_HASHTABLE(napi_hash, 8);
187 187
188static seqcount_t devnet_rename_seq; 188static seqcount_t devnet_rename_seq;
@@ -1246,8 +1246,9 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
1246 if (!new_ifalias) 1246 if (!new_ifalias)
1247 return -ENOMEM; 1247 return -ENOMEM;
1248 dev->ifalias = new_ifalias; 1248 dev->ifalias = new_ifalias;
1249 memcpy(dev->ifalias, alias, len);
1250 dev->ifalias[len] = 0;
1249 1251
1250 strlcpy(dev->ifalias, alias, len+1);
1251 return len; 1252 return len;
1252} 1253}
1253 1254
@@ -1676,37 +1677,59 @@ EXPORT_SYMBOL_GPL(net_dec_ingress_queue);
1676 1677
1677static struct static_key netstamp_needed __read_mostly; 1678static struct static_key netstamp_needed __read_mostly;
1678#ifdef HAVE_JUMP_LABEL 1679#ifdef HAVE_JUMP_LABEL
1679/* We are not allowed to call static_key_slow_dec() from irq context
1680 * If net_disable_timestamp() is called from irq context, defer the
1681 * static_key_slow_dec() calls.
1682 */
1683static atomic_t netstamp_needed_deferred; 1680static atomic_t netstamp_needed_deferred;
1681static atomic_t netstamp_wanted;
1682static void netstamp_clear(struct work_struct *work)
1683{
1684 int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
1685 int wanted;
1686
1687 wanted = atomic_add_return(deferred, &netstamp_wanted);
1688 if (wanted > 0)
1689 static_key_enable(&netstamp_needed);
1690 else
1691 static_key_disable(&netstamp_needed);
1692}
1693static DECLARE_WORK(netstamp_work, netstamp_clear);
1684#endif 1694#endif
1685 1695
1686void net_enable_timestamp(void) 1696void net_enable_timestamp(void)
1687{ 1697{
1688#ifdef HAVE_JUMP_LABEL 1698#ifdef HAVE_JUMP_LABEL
1689 int deferred = atomic_xchg(&netstamp_needed_deferred, 0); 1699 int wanted;
1690 1700
1691 if (deferred) { 1701 while (1) {
1692 while (--deferred) 1702 wanted = atomic_read(&netstamp_wanted);
1693 static_key_slow_dec(&netstamp_needed); 1703 if (wanted <= 0)
1694 return; 1704 break;
1705 if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted + 1) == wanted)
1706 return;
1695 } 1707 }
1696#endif 1708 atomic_inc(&netstamp_needed_deferred);
1709 schedule_work(&netstamp_work);
1710#else
1697 static_key_slow_inc(&netstamp_needed); 1711 static_key_slow_inc(&netstamp_needed);
1712#endif
1698} 1713}
1699EXPORT_SYMBOL(net_enable_timestamp); 1714EXPORT_SYMBOL(net_enable_timestamp);
1700 1715
1701void net_disable_timestamp(void) 1716void net_disable_timestamp(void)
1702{ 1717{
1703#ifdef HAVE_JUMP_LABEL 1718#ifdef HAVE_JUMP_LABEL
1704 if (in_interrupt()) { 1719 int wanted;
1705 atomic_inc(&netstamp_needed_deferred); 1720
1706 return; 1721 while (1) {
1722 wanted = atomic_read(&netstamp_wanted);
1723 if (wanted <= 1)
1724 break;
1725 if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted - 1) == wanted)
1726 return;
1707 } 1727 }
1708#endif 1728 atomic_dec(&netstamp_needed_deferred);
1729 schedule_work(&netstamp_work);
1730#else
1709 static_key_slow_dec(&netstamp_needed); 1731 static_key_slow_dec(&netstamp_needed);
1732#endif
1710} 1733}
1711EXPORT_SYMBOL(net_disable_timestamp); 1734EXPORT_SYMBOL(net_disable_timestamp);
1712 1735
@@ -2527,9 +2550,10 @@ EXPORT_SYMBOL(skb_mac_gso_segment);
2527static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path) 2550static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
2528{ 2551{
2529 if (tx_path) 2552 if (tx_path)
2530 return skb->ip_summed != CHECKSUM_PARTIAL; 2553 return skb->ip_summed != CHECKSUM_PARTIAL &&
2531 else 2554 skb->ip_summed != CHECKSUM_UNNECESSARY;
2532 return skb->ip_summed == CHECKSUM_NONE; 2555
2556 return skb->ip_summed == CHECKSUM_NONE;
2533} 2557}
2534 2558
2535/** 2559/**
@@ -2548,11 +2572,12 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
2548struct sk_buff *__skb_gso_segment(struct sk_buff *skb, 2572struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
2549 netdev_features_t features, bool tx_path) 2573 netdev_features_t features, bool tx_path)
2550{ 2574{
2575 struct sk_buff *segs;
2576
2551 if (unlikely(skb_needs_check(skb, tx_path))) { 2577 if (unlikely(skb_needs_check(skb, tx_path))) {
2552 int err; 2578 int err;
2553 2579
2554 skb_warn_bad_offload(skb); 2580 /* We're going to init ->check field in TCP or UDP header */
2555
2556 err = skb_cow_head(skb, 0); 2581 err = skb_cow_head(skb, 0);
2557 if (err < 0) 2582 if (err < 0)
2558 return ERR_PTR(err); 2583 return ERR_PTR(err);
@@ -2567,7 +2592,12 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
2567 skb_reset_mac_header(skb); 2592 skb_reset_mac_header(skb);
2568 skb_reset_mac_len(skb); 2593 skb_reset_mac_len(skb);
2569 2594
2570 return skb_mac_gso_segment(skb, features); 2595 segs = skb_mac_gso_segment(skb, features);
2596
2597 if (unlikely(skb_needs_check(skb, tx_path)))
2598 skb_warn_bad_offload(skb);
2599
2600 return segs;
2571} 2601}
2572EXPORT_SYMBOL(__skb_gso_segment); 2602EXPORT_SYMBOL(__skb_gso_segment);
2573 2603
@@ -2650,9 +2680,9 @@ static netdev_features_t harmonize_features(struct sk_buff *skb,
2650 if (skb->ip_summed != CHECKSUM_NONE && 2680 if (skb->ip_summed != CHECKSUM_NONE &&
2651 !can_checksum_protocol(features, type)) { 2681 !can_checksum_protocol(features, type)) {
2652 features &= ~NETIF_F_ALL_CSUM; 2682 features &= ~NETIF_F_ALL_CSUM;
2653 } else if (illegal_highdma(skb->dev, skb)) {
2654 features &= ~NETIF_F_SG;
2655 } 2683 }
2684 if (illegal_highdma(skb->dev, skb))
2685 features &= ~NETIF_F_SG;
2656 2686
2657 return features; 2687 return features;
2658} 2688}
@@ -3027,7 +3057,9 @@ struct netdev_queue *netdev_pick_tx(struct net_device *dev,
3027 int queue_index = 0; 3057 int queue_index = 0;
3028 3058
3029#ifdef CONFIG_XPS 3059#ifdef CONFIG_XPS
3030 if (skb->sender_cpu == 0) 3060 u32 sender_cpu = skb->sender_cpu - 1;
3061
3062 if (sender_cpu >= (u32)NR_CPUS)
3031 skb->sender_cpu = raw_smp_processor_id() + 1; 3063 skb->sender_cpu = raw_smp_processor_id() + 1;
3032#endif 3064#endif
3033 3065
@@ -4350,6 +4382,12 @@ struct packet_offload *gro_find_complete_by_type(__be16 type)
4350} 4382}
4351EXPORT_SYMBOL(gro_find_complete_by_type); 4383EXPORT_SYMBOL(gro_find_complete_by_type);
4352 4384
4385static void napi_skb_free_stolen_head(struct sk_buff *skb)
4386{
4387 skb_dst_drop(skb);
4388 kmem_cache_free(skbuff_head_cache, skb);
4389}
4390
4353static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) 4391static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb)
4354{ 4392{
4355 switch (ret) { 4393 switch (ret) {
@@ -4363,12 +4401,10 @@ static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb)
4363 break; 4401 break;
4364 4402
4365 case GRO_MERGED_FREE: 4403 case GRO_MERGED_FREE:
4366 if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) { 4404 if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD)
4367 skb_dst_drop(skb); 4405 napi_skb_free_stolen_head(skb);
4368 kmem_cache_free(skbuff_head_cache, skb); 4406 else
4369 } else {
4370 __kfree_skb(skb); 4407 __kfree_skb(skb);
4371 }
4372 break; 4408 break;
4373 4409
4374 case GRO_HELD: 4410 case GRO_HELD:
@@ -4434,10 +4470,16 @@ static gro_result_t napi_frags_finish(struct napi_struct *napi,
4434 break; 4470 break;
4435 4471
4436 case GRO_DROP: 4472 case GRO_DROP:
4437 case GRO_MERGED_FREE:
4438 napi_reuse_skb(napi, skb); 4473 napi_reuse_skb(napi, skb);
4439 break; 4474 break;
4440 4475
4476 case GRO_MERGED_FREE:
4477 if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD)
4478 napi_skb_free_stolen_head(skb);
4479 else
4480 napi_reuse_skb(napi, skb);
4481 break;
4482
4441 case GRO_MERGED: 4483 case GRO_MERGED:
4442 break; 4484 break;
4443 } 4485 }
@@ -4704,25 +4746,22 @@ EXPORT_SYMBOL_GPL(napi_by_id);
4704 4746
4705void napi_hash_add(struct napi_struct *napi) 4747void napi_hash_add(struct napi_struct *napi)
4706{ 4748{
4707 if (!test_and_set_bit(NAPI_STATE_HASHED, &napi->state)) { 4749 if (test_and_set_bit(NAPI_STATE_HASHED, &napi->state))
4750 return;
4708 4751
4709 spin_lock(&napi_hash_lock); 4752 spin_lock(&napi_hash_lock);
4710 4753
4711 /* 0 is not a valid id, we also skip an id that is taken 4754 /* 0..NR_CPUS+1 range is reserved for sender_cpu use */
4712 * we expect both events to be extremely rare 4755 do {
4713 */ 4756 if (unlikely(++napi_gen_id < NR_CPUS + 1))
4714 napi->napi_id = 0; 4757 napi_gen_id = NR_CPUS + 1;
4715 while (!napi->napi_id) { 4758 } while (napi_by_id(napi_gen_id));
4716 napi->napi_id = ++napi_gen_id; 4759 napi->napi_id = napi_gen_id;
4717 if (napi_by_id(napi->napi_id))
4718 napi->napi_id = 0;
4719 }
4720 4760
4721 hlist_add_head_rcu(&napi->napi_hash_node, 4761 hlist_add_head_rcu(&napi->napi_hash_node,
4722 &napi_hash[napi->napi_id % HASH_SIZE(napi_hash)]); 4762 &napi_hash[napi->napi_id % HASH_SIZE(napi_hash)]);
4723 4763
4724 spin_unlock(&napi_hash_lock); 4764 spin_unlock(&napi_hash_lock);
4725 }
4726} 4765}
4727EXPORT_SYMBOL_GPL(napi_hash_add); 4766EXPORT_SYMBOL_GPL(napi_hash_add);
4728 4767
@@ -7030,8 +7069,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
7030 } else { 7069 } else {
7031 netdev_stats_to_stats64(storage, &dev->stats); 7070 netdev_stats_to_stats64(storage, &dev->stats);
7032 } 7071 }
7033 storage->rx_dropped += atomic_long_read(&dev->rx_dropped); 7072 storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped);
7034 storage->tx_dropped += atomic_long_read(&dev->tx_dropped); 7073 storage->tx_dropped += (unsigned long)atomic_long_read(&dev->tx_dropped);
7035 return storage; 7074 return storage;
7036} 7075}
7037EXPORT_SYMBOL(dev_get_stats); 7076EXPORT_SYMBOL(dev_get_stats);
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 183ef95db502..2bded3ecf03d 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -28,6 +28,7 @@ static int dev_ifname(struct net *net, struct ifreq __user *arg)
28 28
29 if (copy_from_user(&ifr, arg, sizeof(struct ifreq))) 29 if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
30 return -EFAULT; 30 return -EFAULT;
31 ifr.ifr_name[IFNAMSIZ-1] = 0;
31 32
32 error = netdev_get_name(net, ifr.ifr_name, ifr.ifr_ifindex); 33 error = netdev_get_name(net, ifr.ifr_name, ifr.ifr_ifindex);
33 if (error) 34 if (error)
diff --git a/net/core/dst.c b/net/core/dst.c
index a1656e3b8d72..e72d706f8d0c 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -151,13 +151,13 @@ int dst_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb)
151} 151}
152EXPORT_SYMBOL(dst_discard_out); 152EXPORT_SYMBOL(dst_discard_out);
153 153
154const u32 dst_default_metrics[RTAX_MAX + 1] = { 154const struct dst_metrics dst_default_metrics = {
155 /* This initializer is needed to force linker to place this variable 155 /* This initializer is needed to force linker to place this variable
156 * into const section. Otherwise it might end into bss section. 156 * into const section. Otherwise it might end into bss section.
157 * We really want to avoid false sharing on this variable, and catch 157 * We really want to avoid false sharing on this variable, and catch
158 * any writes on it. 158 * any writes on it.
159 */ 159 */
160 [RTAX_MAX] = 0xdeadbeef, 160 .refcnt = ATOMIC_INIT(1),
161}; 161};
162 162
163void dst_init(struct dst_entry *dst, struct dst_ops *ops, 163void dst_init(struct dst_entry *dst, struct dst_ops *ops,
@@ -169,7 +169,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
169 if (dev) 169 if (dev)
170 dev_hold(dev); 170 dev_hold(dev);
171 dst->ops = ops; 171 dst->ops = ops;
172 dst_init_metrics(dst, dst_default_metrics, true); 172 dst_init_metrics(dst, dst_default_metrics.metrics, true);
173 dst->expires = 0UL; 173 dst->expires = 0UL;
174 dst->path = dst; 174 dst->path = dst;
175 dst->from = NULL; 175 dst->from = NULL;
@@ -315,25 +315,30 @@ EXPORT_SYMBOL(dst_release);
315 315
316u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old) 316u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
317{ 317{
318 u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC); 318 struct dst_metrics *p = kmalloc(sizeof(*p), GFP_ATOMIC);
319 319
320 if (p) { 320 if (p) {
321 u32 *old_p = __DST_METRICS_PTR(old); 321 struct dst_metrics *old_p = (struct dst_metrics *)__DST_METRICS_PTR(old);
322 unsigned long prev, new; 322 unsigned long prev, new;
323 323
324 memcpy(p, old_p, sizeof(u32) * RTAX_MAX); 324 atomic_set(&p->refcnt, 1);
325 memcpy(p->metrics, old_p->metrics, sizeof(p->metrics));
325 326
326 new = (unsigned long) p; 327 new = (unsigned long) p;
327 prev = cmpxchg(&dst->_metrics, old, new); 328 prev = cmpxchg(&dst->_metrics, old, new);
328 329
329 if (prev != old) { 330 if (prev != old) {
330 kfree(p); 331 kfree(p);
331 p = __DST_METRICS_PTR(prev); 332 p = (struct dst_metrics *)__DST_METRICS_PTR(prev);
332 if (prev & DST_METRICS_READ_ONLY) 333 if (prev & DST_METRICS_READ_ONLY)
333 p = NULL; 334 p = NULL;
335 } else if (prev & DST_METRICS_REFCOUNTED) {
336 if (atomic_dec_and_test(&old_p->refcnt))
337 kfree(old_p);
334 } 338 }
335 } 339 }
336 return p; 340 BUILD_BUG_ON(offsetof(struct dst_metrics, metrics) != 0);
341 return (u32 *)p;
337} 342}
338EXPORT_SYMBOL(dst_cow_metrics_generic); 343EXPORT_SYMBOL(dst_cow_metrics_generic);
339 344
@@ -342,7 +347,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old)
342{ 347{
343 unsigned long prev, new; 348 unsigned long prev, new;
344 349
345 new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY; 350 new = ((unsigned long) &dst_default_metrics) | DST_METRICS_READ_ONLY;
346 prev = cmpxchg(&dst->_metrics, old, new); 351 prev = cmpxchg(&dst->_metrics, old, new);
347 if (prev == old) 352 if (prev == old)
348 kfree(__DST_METRICS_PTR(old)); 353 kfree(__DST_METRICS_PTR(old));
@@ -457,6 +462,20 @@ static int dst_dev_event(struct notifier_block *this, unsigned long event,
457 spin_lock_bh(&dst_garbage.lock); 462 spin_lock_bh(&dst_garbage.lock);
458 dst = dst_garbage.list; 463 dst = dst_garbage.list;
459 dst_garbage.list = NULL; 464 dst_garbage.list = NULL;
465 /* The code in dst_ifdown places a hold on the loopback device.
466 * If the gc entry processing is set to expire after a lengthy
467 * interval, this hold can cause netdev_wait_allrefs() to hang
468 * out and wait for a long time -- until the the loopback
469 * interface is released. If we're really unlucky, it'll emit
470 * pr_emerg messages to console too. Reset the interval here,
471 * so dst cleanups occur in a more timely fashion.
472 */
473 if (dst_garbage.timer_inc > DST_GC_INC) {
474 dst_garbage.timer_inc = DST_GC_INC;
475 dst_garbage.timer_expires = DST_GC_MIN;
476 mod_delayed_work(system_wq, &dst_gc_work,
477 dst_garbage.timer_expires);
478 }
460 spin_unlock_bh(&dst_garbage.lock); 479 spin_unlock_bh(&dst_garbage.lock);
461 480
462 if (last) 481 if (last)
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 29edf74846fc..b6bca625b0d2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -886,9 +886,12 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
886 if (regs.len > reglen) 886 if (regs.len > reglen)
887 regs.len = reglen; 887 regs.len = reglen;
888 888
889 regbuf = vzalloc(reglen); 889 regbuf = NULL;
890 if (reglen && !regbuf) 890 if (reglen) {
891 return -ENOMEM; 891 regbuf = vzalloc(reglen);
892 if (!regbuf)
893 return -ENOMEM;
894 }
892 895
893 ops->get_regs(dev, &regs, regbuf); 896 ops->get_regs(dev, &regs, regbuf);
894 897
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 769cece9b00b..ae92131c4f89 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -859,7 +859,8 @@ static void neigh_probe(struct neighbour *neigh)
859 if (skb) 859 if (skb)
860 skb = skb_clone(skb, GFP_ATOMIC); 860 skb = skb_clone(skb, GFP_ATOMIC);
861 write_unlock(&neigh->lock); 861 write_unlock(&neigh->lock);
862 neigh->ops->solicit(neigh, skb); 862 if (neigh->ops->solicit)
863 neigh->ops->solicit(neigh, skb);
863 atomic_inc(&neigh->probes); 864 atomic_inc(&neigh->probes);
864 kfree_skb(skb); 865 kfree_skb(skb);
865} 866}
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 94acfc89ad97..440aa9f6e0a8 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -105,15 +105,21 @@ static void queue_process(struct work_struct *work)
105 while ((skb = skb_dequeue(&npinfo->txq))) { 105 while ((skb = skb_dequeue(&npinfo->txq))) {
106 struct net_device *dev = skb->dev; 106 struct net_device *dev = skb->dev;
107 struct netdev_queue *txq; 107 struct netdev_queue *txq;
108 unsigned int q_index;
108 109
109 if (!netif_device_present(dev) || !netif_running(dev)) { 110 if (!netif_device_present(dev) || !netif_running(dev)) {
110 kfree_skb(skb); 111 kfree_skb(skb);
111 continue; 112 continue;
112 } 113 }
113 114
114 txq = skb_get_tx_queue(dev, skb);
115
116 local_irq_save(flags); 115 local_irq_save(flags);
116 /* check if skb->queue_mapping is still valid */
117 q_index = skb_get_queue_mapping(skb);
118 if (unlikely(q_index >= dev->real_num_tx_queues)) {
119 q_index = q_index % dev->real_num_tx_queues;
120 skb_set_queue_mapping(skb, q_index);
121 }
122 txq = netdev_get_tx_queue(dev, q_index);
117 HARD_TX_LOCK(dev, txq, smp_processor_id()); 123 HARD_TX_LOCK(dev, txq, smp_processor_id());
118 if (netif_xmit_frozen_or_stopped(txq) || 124 if (netif_xmit_frozen_or_stopped(txq) ||
119 netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) { 125 netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) {
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b94e165a4f79..5b3d611d8b5f 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -897,6 +897,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev,
897 + nla_total_size(1) /* IFLA_LINKMODE */ 897 + nla_total_size(1) /* IFLA_LINKMODE */
898 + nla_total_size(4) /* IFLA_CARRIER_CHANGES */ 898 + nla_total_size(4) /* IFLA_CARRIER_CHANGES */
899 + nla_total_size(4) /* IFLA_LINK_NETNSID */ 899 + nla_total_size(4) /* IFLA_LINK_NETNSID */
900 + nla_total_size(4) /* IFLA_GROUP */
900 + nla_total_size(ext_filter_mask 901 + nla_total_size(ext_filter_mask
901 & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */ 902 & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
902 + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */ 903 + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
@@ -1018,7 +1019,7 @@ static int rtnl_phys_port_name_fill(struct sk_buff *skb, struct net_device *dev)
1018 return err; 1019 return err;
1019 } 1020 }
1020 1021
1021 if (nla_put(skb, IFLA_PHYS_PORT_NAME, strlen(name), name)) 1022 if (nla_put_string(skb, IFLA_PHYS_PORT_NAME, name))
1022 return -EMSGSIZE; 1023 return -EMSGSIZE;
1023 1024
1024 return 0; 1025 return 0;
@@ -1089,6 +1090,8 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
1089 struct ifla_vf_mac vf_mac; 1090 struct ifla_vf_mac vf_mac;
1090 struct ifla_vf_info ivi; 1091 struct ifla_vf_info ivi;
1091 1092
1093 memset(&ivi, 0, sizeof(ivi));
1094
1092 /* Not all SR-IOV capable drivers support the 1095 /* Not all SR-IOV capable drivers support the
1093 * spoofcheck and "RSS query enable" query. Preset to 1096 * spoofcheck and "RSS query enable" query. Preset to
1094 * -1 so the user space tool can detect that the driver 1097 * -1 so the user space tool can detect that the driver
@@ -1097,7 +1100,6 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
1097 ivi.spoofchk = -1; 1100 ivi.spoofchk = -1;
1098 ivi.rss_query_en = -1; 1101 ivi.rss_query_en = -1;
1099 ivi.trusted = -1; 1102 ivi.trusted = -1;
1100 memset(ivi.mac, 0, sizeof(ivi.mac));
1101 /* The default value for VF link state is "auto" 1103 /* The default value for VF link state is "auto"
1102 * IFLA_VF_LINK_STATE_AUTO which equals zero 1104 * IFLA_VF_LINK_STATE_AUTO which equals zero
1103 */ 1105 */
@@ -1370,6 +1372,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
1370 [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, 1372 [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
1371 [IFLA_LINK_NETNSID] = { .type = NLA_S32 }, 1373 [IFLA_LINK_NETNSID] = { .type = NLA_S32 },
1372 [IFLA_PROTO_DOWN] = { .type = NLA_U8 }, 1374 [IFLA_PROTO_DOWN] = { .type = NLA_U8 },
1375 [IFLA_GROUP] = { .type = NLA_U32 },
1373}; 1376};
1374 1377
1375static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = { 1378static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
@@ -1458,13 +1461,13 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
1458 cb->nlh->nlmsg_seq, 0, 1461 cb->nlh->nlmsg_seq, 0,
1459 NLM_F_MULTI, 1462 NLM_F_MULTI,
1460 ext_filter_mask); 1463 ext_filter_mask);
1461 /* If we ran out of room on the first message,
1462 * we're in trouble
1463 */
1464 WARN_ON((err == -EMSGSIZE) && (skb->len == 0));
1465 1464
1466 if (err < 0) 1465 if (err < 0) {
1467 goto out; 1466 if (likely(skb->len))
1467 goto out;
1468
1469 goto out_err;
1470 }
1468 1471
1469 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1472 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1470cont: 1473cont:
@@ -1472,10 +1475,12 @@ cont:
1472 } 1475 }
1473 } 1476 }
1474out: 1477out:
1478 err = skb->len;
1479out_err:
1475 cb->args[1] = idx; 1480 cb->args[1] = idx;
1476 cb->args[0] = h; 1481 cb->args[0] = h;
1477 1482
1478 return skb->len; 1483 return err;
1479} 1484}
1480 1485
1481int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len) 1486int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len)
@@ -1737,7 +1742,8 @@ static int do_setlink(const struct sk_buff *skb,
1737 struct sockaddr *sa; 1742 struct sockaddr *sa;
1738 int len; 1743 int len;
1739 1744
1740 len = sizeof(sa_family_t) + dev->addr_len; 1745 len = sizeof(sa_family_t) + max_t(size_t, dev->addr_len,
1746 sizeof(*sa));
1741 sa = kmalloc(len, GFP_KERNEL); 1747 sa = kmalloc(len, GFP_KERNEL);
1742 if (!sa) { 1748 if (!sa) {
1743 err = -ENOMEM; 1749 err = -ENOMEM;
@@ -3127,8 +3133,12 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
3127 err = br_dev->netdev_ops->ndo_bridge_getlink( 3133 err = br_dev->netdev_ops->ndo_bridge_getlink(
3128 skb, portid, seq, dev, 3134 skb, portid, seq, dev,
3129 filter_mask, NLM_F_MULTI); 3135 filter_mask, NLM_F_MULTI);
3130 if (err < 0 && err != -EOPNOTSUPP) 3136 if (err < 0 && err != -EOPNOTSUPP) {
3131 break; 3137 if (likely(skb->len))
3138 break;
3139
3140 goto out_err;
3141 }
3132 } 3142 }
3133 idx++; 3143 idx++;
3134 } 3144 }
@@ -3139,16 +3149,22 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
3139 seq, dev, 3149 seq, dev,
3140 filter_mask, 3150 filter_mask,
3141 NLM_F_MULTI); 3151 NLM_F_MULTI);
3142 if (err < 0 && err != -EOPNOTSUPP) 3152 if (err < 0 && err != -EOPNOTSUPP) {
3143 break; 3153 if (likely(skb->len))
3154 break;
3155
3156 goto out_err;
3157 }
3144 } 3158 }
3145 idx++; 3159 idx++;
3146 } 3160 }
3147 } 3161 }
3162 err = skb->len;
3163out_err:
3148 rcu_read_unlock(); 3164 rcu_read_unlock();
3149 cb->args[0] = idx; 3165 cb->args[0] = idx;
3150 3166
3151 return skb->len; 3167 return err;
3152} 3168}
3153 3169
3154static inline size_t bridge_nlmsg_size(void) 3170static inline size_t bridge_nlmsg_size(void)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 4968b5ddea69..73dfd7729bc9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3678,13 +3678,14 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
3678 if (!skb_may_tx_timestamp(sk, false)) 3678 if (!skb_may_tx_timestamp(sk, false))
3679 return; 3679 return;
3680 3680
3681 /* take a reference to prevent skb_orphan() from freeing the socket */ 3681 /* Take a reference to prevent skb_orphan() from freeing the socket,
3682 sock_hold(sk); 3682 * but only if the socket refcount is not zero.
3683 3683 */
3684 *skb_hwtstamps(skb) = *hwtstamps; 3684 if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
3685 __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); 3685 *skb_hwtstamps(skb) = *hwtstamps;
3686 3686 __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
3687 sock_put(sk); 3687 sock_put(sk);
3688 }
3688} 3689}
3689EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp); 3690EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
3690 3691
@@ -3735,7 +3736,7 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
3735{ 3736{
3736 struct sock *sk = skb->sk; 3737 struct sock *sk = skb->sk;
3737 struct sock_exterr_skb *serr; 3738 struct sock_exterr_skb *serr;
3738 int err; 3739 int err = 1;
3739 3740
3740 skb->wifi_acked_valid = 1; 3741 skb->wifi_acked_valid = 1;
3741 skb->wifi_acked = acked; 3742 skb->wifi_acked = acked;
@@ -3745,14 +3746,15 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
3745 serr->ee.ee_errno = ENOMSG; 3746 serr->ee.ee_errno = ENOMSG;
3746 serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS; 3747 serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
3747 3748
3748 /* take a reference to prevent skb_orphan() from freeing the socket */ 3749 /* Take a reference to prevent skb_orphan() from freeing the socket,
3749 sock_hold(sk); 3750 * but only if the socket refcount is not zero.
3750 3751 */
3751 err = sock_queue_err_skb(sk, skb); 3752 if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
3753 err = sock_queue_err_skb(sk, skb);
3754 sock_put(sk);
3755 }
3752 if (err) 3756 if (err)
3753 kfree_skb(skb); 3757 kfree_skb(skb);
3754
3755 sock_put(sk);
3756} 3758}
3757EXPORT_SYMBOL_GPL(skb_complete_wifi_ack); 3759EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
3758 3760
diff --git a/net/core/sock.c b/net/core/sock.c
index f367df38c264..2871364e4420 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1459,6 +1459,11 @@ void sk_destruct(struct sock *sk)
1459 pr_debug("%s: optmem leakage (%d bytes) detected\n", 1459 pr_debug("%s: optmem leakage (%d bytes) detected\n",
1460 __func__, atomic_read(&sk->sk_omem_alloc)); 1460 __func__, atomic_read(&sk->sk_omem_alloc));
1461 1461
1462 if (sk->sk_frag.page) {
1463 put_page(sk->sk_frag.page);
1464 sk->sk_frag.page = NULL;
1465 }
1466
1462 if (sk->sk_peer_cred) 1467 if (sk->sk_peer_cred)
1463 put_cred(sk->sk_peer_cred); 1468 put_cred(sk->sk_peer_cred);
1464 put_pid(sk->sk_peer_pid); 1469 put_pid(sk->sk_peer_pid);
@@ -1552,6 +1557,12 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
1552 is_charged = sk_filter_charge(newsk, filter); 1557 is_charged = sk_filter_charge(newsk, filter);
1553 1558
1554 if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) { 1559 if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
1560 /* We need to make sure that we don't uncharge the new
1561 * socket if we couldn't charge it in the first place
1562 * as otherwise we uncharge the parent's filter.
1563 */
1564 if (!is_charged)
1565 RCU_INIT_POINTER(newsk->sk_filter, NULL);
1555 /* It is still raw copy of parent, so invalidate 1566 /* It is still raw copy of parent, so invalidate
1556 * destructor and make plain sk_free() */ 1567 * destructor and make plain sk_free() */
1557 newsk->sk_destruct = NULL; 1568 newsk->sk_destruct = NULL;
@@ -1679,17 +1690,17 @@ EXPORT_SYMBOL(skb_set_owner_w);
1679 1690
1680void skb_orphan_partial(struct sk_buff *skb) 1691void skb_orphan_partial(struct sk_buff *skb)
1681{ 1692{
1682 /* TCP stack sets skb->ooo_okay based on sk_wmem_alloc,
1683 * so we do not completely orphan skb, but transfert all
1684 * accounted bytes but one, to avoid unexpected reorders.
1685 */
1686 if (skb->destructor == sock_wfree 1693 if (skb->destructor == sock_wfree
1687#ifdef CONFIG_INET 1694#ifdef CONFIG_INET
1688 || skb->destructor == tcp_wfree 1695 || skb->destructor == tcp_wfree
1689#endif 1696#endif
1690 ) { 1697 ) {
1691 atomic_sub(skb->truesize - 1, &skb->sk->sk_wmem_alloc); 1698 struct sock *sk = skb->sk;
1692 skb->truesize = 1; 1699
1700 if (atomic_inc_not_zero(&sk->sk_refcnt)) {
1701 atomic_sub(skb->truesize, &sk->sk_wmem_alloc);
1702 skb->destructor = sock_efree;
1703 }
1693 } else { 1704 } else {
1694 skb_orphan(skb); 1705 skb_orphan(skb);
1695 } 1706 }
@@ -2694,11 +2705,6 @@ void sk_common_release(struct sock *sk)
2694 2705
2695 sk_refcnt_debug_release(sk); 2706 sk_refcnt_debug_release(sk);
2696 2707
2697 if (sk->sk_frag.page) {
2698 put_page(sk->sk_frag.page);
2699 sk->sk_frag.page = NULL;
2700 }
2701
2702 sock_put(sk); 2708 sock_put(sk);
2703} 2709}
2704EXPORT_SYMBOL(sk_common_release); 2710EXPORT_SYMBOL(sk_common_release);
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index f053198e730c..5e3a7302f774 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock *sk)
749 for (i = 0; i < hc->tx_seqbufc; i++) 749 for (i = 0; i < hc->tx_seqbufc; i++)
750 kfree(hc->tx_seqbuf[i]); 750 kfree(hc->tx_seqbuf[i]);
751 hc->tx_seqbufc = 0; 751 hc->tx_seqbufc = 0;
752 dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
752} 753}
753 754
754static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb) 755static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index 1704948e6a12..f227f002c73d 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -1471,9 +1471,12 @@ int dccp_feat_init(struct sock *sk)
1471 * singleton values (which always leads to failure). 1471 * singleton values (which always leads to failure).
1472 * These settings can still (later) be overridden via sockopts. 1472 * These settings can still (later) be overridden via sockopts.
1473 */ 1473 */
1474 if (ccid_get_builtin_ccids(&tx.val, &tx.len) || 1474 if (ccid_get_builtin_ccids(&tx.val, &tx.len))
1475 ccid_get_builtin_ccids(&rx.val, &rx.len))
1476 return -ENOBUFS; 1475 return -ENOBUFS;
1476 if (ccid_get_builtin_ccids(&rx.val, &rx.len)) {
1477 kfree(tx.val);
1478 return -ENOBUFS;
1479 }
1477 1480
1478 if (!dccp_feat_prefer(sysctl_dccp_tx_ccid, tx.val, tx.len) || 1481 if (!dccp_feat_prefer(sysctl_dccp_tx_ccid, tx.val, tx.len) ||
1479 !dccp_feat_prefer(sysctl_dccp_rx_ccid, rx.val, rx.len)) 1482 !dccp_feat_prefer(sysctl_dccp_rx_ccid, rx.val, rx.len))
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 3bd14e885396..dbe2573f6ba1 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
606 if (inet_csk(sk)->icsk_af_ops->conn_request(sk, 606 if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
607 skb) < 0) 607 skb) < 0)
608 return 1; 608 return 1;
609 goto discard; 609 consume_skb(skb);
610 return 0;
610 } 611 }
611 if (dh->dccph_type == DCCP_PKT_RESET) 612 if (dh->dccph_type == DCCP_PKT_RESET)
612 goto discard; 613 goto discard;
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 0759f5b9180e..e217f17997a4 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -289,7 +289,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
289 289
290 switch (type) { 290 switch (type) {
291 case ICMP_REDIRECT: 291 case ICMP_REDIRECT:
292 dccp_do_redirect(skb, sk); 292 if (!sock_owned_by_user(sk))
293 dccp_do_redirect(skb, sk);
293 goto out; 294 goto out;
294 case ICMP_SOURCE_QUENCH: 295 case ICMP_SOURCE_QUENCH:
295 /* Just silently ignore these. */ 296 /* Just silently ignore these. */
@@ -634,6 +635,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
634 goto drop_and_free; 635 goto drop_and_free;
635 636
636 inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); 637 inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);
638 reqsk_put(req);
637 return 0; 639 return 0;
638 640
639drop_and_free: 641drop_and_free:
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 27c4e81efa24..09a9ab65f4e1 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -122,10 +122,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
122 np = inet6_sk(sk); 122 np = inet6_sk(sk);
123 123
124 if (type == NDISC_REDIRECT) { 124 if (type == NDISC_REDIRECT) {
125 struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); 125 if (!sock_owned_by_user(sk)) {
126 struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
126 127
127 if (dst) 128 if (dst)
128 dst->ops->redirect(dst, sk, skb); 129 dst->ops->redirect(dst, sk, skb);
130 }
129 goto out; 131 goto out;
130 } 132 }
131 133
@@ -374,6 +376,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
374 goto drop_and_free; 376 goto drop_and_free;
375 377
376 inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT); 378 inet_csk_reqsk_queue_hash_add(sk, req, DCCP_TIMEOUT_INIT);
379 reqsk_put(req);
377 return 0; 380 return 0;
378 381
379drop_and_free: 382drop_and_free:
@@ -420,6 +423,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
420 newsk->sk_backlog_rcv = dccp_v4_do_rcv; 423 newsk->sk_backlog_rcv = dccp_v4_do_rcv;
421 newnp->pktoptions = NULL; 424 newnp->pktoptions = NULL;
422 newnp->opt = NULL; 425 newnp->opt = NULL;
426 newnp->ipv6_mc_list = NULL;
427 newnp->ipv6_ac_list = NULL;
428 newnp->ipv6_fl_list = NULL;
423 newnp->mcast_oif = inet6_iif(skb); 429 newnp->mcast_oif = inet6_iif(skb);
424 newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; 430 newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
425 431
@@ -484,6 +490,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
484 /* Clone RX bits */ 490 /* Clone RX bits */
485 newnp->rxopt.all = np->rxopt.all; 491 newnp->rxopt.all = np->rxopt.all;
486 492
493 newnp->ipv6_mc_list = NULL;
494 newnp->ipv6_ac_list = NULL;
495 newnp->ipv6_fl_list = NULL;
487 newnp->pktoptions = NULL; 496 newnp->pktoptions = NULL;
488 newnp->opt = NULL; 497 newnp->opt = NULL;
489 newnp->mcast_oif = inet6_iif(skb); 498 newnp->mcast_oif = inet6_iif(skb);
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 1994f8af646b..68eed344b471 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -122,6 +122,7 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
122 /* It is still raw copy of parent, so invalidate 122 /* It is still raw copy of parent, so invalidate
123 * destructor and make plain sk_free() */ 123 * destructor and make plain sk_free() */
124 newsk->sk_destruct = NULL; 124 newsk->sk_destruct = NULL;
125 bh_unlock_sock(newsk);
125 sk_free(newsk); 126 sk_free(newsk);
126 return NULL; 127 return NULL;
127 } 128 }
@@ -145,6 +146,13 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
145 struct dccp_request_sock *dreq = dccp_rsk(req); 146 struct dccp_request_sock *dreq = dccp_rsk(req);
146 bool own_req; 147 bool own_req;
147 148
149 /* TCP/DCCP listeners became lockless.
150 * DCCP stores complex state in its request_sock, so we need
151 * a protection for them, now this code runs without being protected
152 * by the parent (listener) lock.
153 */
154 spin_lock_bh(&dreq->dreq_lock);
155
148 /* Check for retransmitted REQUEST */ 156 /* Check for retransmitted REQUEST */
149 if (dccp_hdr(skb)->dccph_type == DCCP_PKT_REQUEST) { 157 if (dccp_hdr(skb)->dccph_type == DCCP_PKT_REQUEST) {
150 158
@@ -159,7 +167,7 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
159 inet_rtx_syn_ack(sk, req); 167 inet_rtx_syn_ack(sk, req);
160 } 168 }
161 /* Network Duplicate, discard packet */ 169 /* Network Duplicate, discard packet */
162 return NULL; 170 goto out;
163 } 171 }
164 172
165 DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_PACKET_ERROR; 173 DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_PACKET_ERROR;
@@ -185,20 +193,20 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
185 193
186 child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL, 194 child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
187 req, &own_req); 195 req, &own_req);
188 if (!child) 196 if (child) {
189 goto listen_overflow; 197 child = inet_csk_complete_hashdance(sk, child, req, own_req);
190 198 goto out;
191 return inet_csk_complete_hashdance(sk, child, req, own_req); 199 }
192 200
193listen_overflow:
194 dccp_pr_debug("listen_overflow!\n");
195 DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_TOO_BUSY; 201 DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_TOO_BUSY;
196drop: 202drop:
197 if (dccp_hdr(skb)->dccph_type != DCCP_PKT_RESET) 203 if (dccp_hdr(skb)->dccph_type != DCCP_PKT_RESET)
198 req->rsk_ops->send_reset(sk, skb); 204 req->rsk_ops->send_reset(sk, skb);
199 205
200 inet_csk_reqsk_queue_drop(sk, req); 206 inet_csk_reqsk_queue_drop(sk, req);
201 return NULL; 207out:
208 spin_unlock_bh(&dreq->dreq_lock);
209 return child;
202} 210}
203 211
204EXPORT_SYMBOL_GPL(dccp_check_req); 212EXPORT_SYMBOL_GPL(dccp_check_req);
@@ -249,6 +257,7 @@ int dccp_reqsk_init(struct request_sock *req,
249{ 257{
250 struct dccp_request_sock *dreq = dccp_rsk(req); 258 struct dccp_request_sock *dreq = dccp_rsk(req);
251 259
260 spin_lock_init(&dreq->dreq_lock);
252 inet_rsk(req)->ir_rmt_port = dccp_hdr(skb)->dccph_sport; 261 inet_rsk(req)->ir_rmt_port = dccp_hdr(skb)->dccph_sport;
253 inet_rsk(req)->ir_num = ntohs(dccp_hdr(skb)->dccph_dport); 262 inet_rsk(req)->ir_num = ntohs(dccp_hdr(skb)->dccph_dport);
254 inet_rsk(req)->acked = 0; 263 inet_rsk(req)->acked = 0;
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index b1dc096d22f8..403593bd2b83 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_route *rt)
188 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); 188 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
189} 189}
190 190
191static inline void dnrt_drop(struct dn_route *rt)
192{
193 dst_release(&rt->dst);
194 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
195}
196
197static void dn_dst_check_expire(unsigned long dummy) 191static void dn_dst_check_expire(unsigned long dummy)
198{ 192{
199 int i; 193 int i;
@@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops)
248 } 242 }
249 *rtp = rt->dst.dn_next; 243 *rtp = rt->dst.dn_next;
250 rt->dst.dn_next = NULL; 244 rt->dst.dn_next = NULL;
251 dnrt_drop(rt); 245 dnrt_free(rt);
252 break; 246 break;
253 } 247 }
254 spin_unlock_bh(&dn_rt_hash_table[i].lock); 248 spin_unlock_bh(&dn_rt_hash_table[i].lock);
@@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_route *rt, unsigned int hash, struct dn_rou
350 dst_use(&rth->dst, now); 344 dst_use(&rth->dst, now);
351 spin_unlock_bh(&dn_rt_hash_table[hash].lock); 345 spin_unlock_bh(&dn_rt_hash_table[hash].lock);
352 346
353 dnrt_drop(rt); 347 dst_free(&rt->dst);
354 *rp = rth; 348 *rp = rth;
355 return 0; 349 return 0;
356 } 350 }
@@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long dummy)
380 for(; rt; rt = next) { 374 for(; rt; rt = next) {
381 next = rcu_dereference_raw(rt->dst.dn_next); 375 next = rcu_dereference_raw(rt->dst.dn_next);
382 RCU_INIT_POINTER(rt->dst.dn_next, NULL); 376 RCU_INIT_POINTER(rt->dst.dn_next, NULL);
383 dst_free((struct dst_entry *)rt); 377 dnrt_free(rt);
384 } 378 }
385 379
386nothing_to_declare: 380nothing_to_declare:
@@ -1187,7 +1181,7 @@ make_route:
1187 if (dev_out->flags & IFF_LOOPBACK) 1181 if (dev_out->flags & IFF_LOOPBACK)
1188 flags |= RTCF_LOCAL; 1182 flags |= RTCF_LOCAL;
1189 1183
1190 rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST); 1184 rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST);
1191 if (rt == NULL) 1185 if (rt == NULL)
1192 goto e_nobufs; 1186 goto e_nobufs;
1193 1187
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 85f2fdc360c2..29246bc9a7b4 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
102{ 102{
103 struct nlmsghdr *nlh = nlmsg_hdr(skb); 103 struct nlmsghdr *nlh = nlmsg_hdr(skb);
104 104
105 if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) 105 if (skb->len < sizeof(*nlh) ||
106 nlh->nlmsg_len < sizeof(*nlh) ||
107 skb->len < nlh->nlmsg_len)
106 return; 108 return;
107 109
108 if (!netlink_capable(skb, CAP_NET_ADMIN)) 110 if (!netlink_capable(skb, CAP_NET_ADMIN))
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 7bc787b095c8..554c2a961ad5 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1006,10 +1006,8 @@ static int dsa_slave_phy_connect(struct dsa_slave_priv *p,
1006 /* Use already configured phy mode */ 1006 /* Use already configured phy mode */
1007 if (p->phy_interface == PHY_INTERFACE_MODE_NA) 1007 if (p->phy_interface == PHY_INTERFACE_MODE_NA)
1008 p->phy_interface = p->phy->interface; 1008 p->phy_interface = p->phy->interface;
1009 phy_connect_direct(slave_dev, p->phy, dsa_slave_adjust_link, 1009 return phy_connect_direct(slave_dev, p->phy, dsa_slave_adjust_link,
1010 p->phy_interface); 1010 p->phy_interface);
1011
1012 return 0;
1013} 1011}
1014 1012
1015static int dsa_slave_phy_setup(struct dsa_slave_priv *p, 1013static int dsa_slave_phy_setup(struct dsa_slave_priv *p,
@@ -1101,6 +1099,8 @@ int dsa_slave_suspend(struct net_device *slave_dev)
1101{ 1099{
1102 struct dsa_slave_priv *p = netdev_priv(slave_dev); 1100 struct dsa_slave_priv *p = netdev_priv(slave_dev);
1103 1101
1102 netif_device_detach(slave_dev);
1103
1104 if (p->phy) { 1104 if (p->phy) {
1105 phy_stop(p->phy); 1105 phy_stop(p->phy);
1106 p->old_pause = -1; 1106 p->old_pause = -1;
diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
index de85d4e1cf43..52dcd414c2af 100644
--- a/net/ethernet/eth.c
+++ b/net/ethernet/eth.c
@@ -353,6 +353,7 @@ void ether_setup(struct net_device *dev)
353 dev->header_ops = &eth_header_ops; 353 dev->header_ops = &eth_header_ops;
354 dev->type = ARPHRD_ETHER; 354 dev->type = ARPHRD_ETHER;
355 dev->hard_header_len = ETH_HLEN; 355 dev->hard_header_len = ETH_HLEN;
356 dev->min_header_len = ETH_HLEN;
356 dev->mtu = ETH_DATA_LEN; 357 dev->mtu = ETH_DATA_LEN;
357 dev->addr_len = ETH_ALEN; 358 dev->addr_len = ETH_ALEN;
358 dev->tx_queue_len = 1000; /* Ethernet wants good queues */ 359 dev->tx_queue_len = 1000; /* Ethernet wants good queues */
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 68bf7bdf7fdb..b25a1b1ee657 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1029,7 +1029,7 @@ static struct inet_protosw inetsw_array[] =
1029 .type = SOCK_DGRAM, 1029 .type = SOCK_DGRAM,
1030 .protocol = IPPROTO_ICMP, 1030 .protocol = IPPROTO_ICMP,
1031 .prot = &ping_prot, 1031 .prot = &ping_prot,
1032 .ops = &inet_dgram_ops, 1032 .ops = &inet_sockraw_ops,
1033 .flags = INET_PROTOSW_REUSE, 1033 .flags = INET_PROTOSW_REUSE,
1034 }, 1034 },
1035 1035
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 59b3e0e8fd51..711b4dfa17c3 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1250,7 +1250,7 @@ void __init arp_init(void)
1250/* 1250/*
1251 * ax25 -> ASCII conversion 1251 * ax25 -> ASCII conversion
1252 */ 1252 */
1253static char *ax2asc2(ax25_address *a, char *buf) 1253static void ax2asc2(ax25_address *a, char *buf)
1254{ 1254{
1255 char c, *s; 1255 char c, *s;
1256 int n; 1256 int n;
@@ -1272,10 +1272,10 @@ static char *ax2asc2(ax25_address *a, char *buf)
1272 *s++ = n + '0'; 1272 *s++ = n + '0';
1273 *s++ = '\0'; 1273 *s++ = '\0';
1274 1274
1275 if (*buf == '\0' || *buf == '-') 1275 if (*buf == '\0' || *buf == '-') {
1276 return "*"; 1276 buf[0] = '*';
1277 1277 buf[1] = '\0';
1278 return buf; 1278 }
1279} 1279}
1280#endif /* CONFIG_AX25 */ 1280#endif /* CONFIG_AX25 */
1281 1281
@@ -1309,7 +1309,7 @@ static void arp_format_neigh_entry(struct seq_file *seq,
1309 } 1309 }
1310#endif 1310#endif
1311 sprintf(tbuf, "%pI4", n->primary_key); 1311 sprintf(tbuf, "%pI4", n->primary_key);
1312 seq_printf(seq, "%-16s 0x%-10x0x%-10x%s * %s\n", 1312 seq_printf(seq, "%-16s 0x%-10x0x%-10x%-17s * %s\n",
1313 tbuf, hatype, arp_state_to_flags(n), hbuffer, dev->name); 1313 tbuf, hatype, arp_state_to_flags(n), hbuffer, dev->name);
1314 read_unlock(&n->lock); 1314 read_unlock(&n->lock);
1315} 1315}
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index bdb2a07ec363..6cc3e1d602fb 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1657,6 +1657,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
1657 goto validate_return_locked; 1657 goto validate_return_locked;
1658 } 1658 }
1659 1659
1660 if (opt_iter + 1 == opt_len) {
1661 err_offset = opt_iter;
1662 goto validate_return_locked;
1663 }
1660 tag_len = tag[1]; 1664 tag_len = tag[1];
1661 if (tag_len > (opt_len - opt_iter)) { 1665 if (tag_len > (opt_len - opt_iter)) {
1662 err_offset = opt_iter + 1; 1666 err_offset = opt_iter + 1;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 7e30c7b50a28..ee94bd32d6dc 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -758,7 +758,7 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
758 unsigned int e = 0, s_e; 758 unsigned int e = 0, s_e;
759 struct fib_table *tb; 759 struct fib_table *tb;
760 struct hlist_head *head; 760 struct hlist_head *head;
761 int dumped = 0; 761 int dumped = 0, err;
762 762
763 if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && 763 if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) &&
764 ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) 764 ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED)
@@ -778,20 +778,27 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
778 if (dumped) 778 if (dumped)
779 memset(&cb->args[2], 0, sizeof(cb->args) - 779 memset(&cb->args[2], 0, sizeof(cb->args) -
780 2 * sizeof(cb->args[0])); 780 2 * sizeof(cb->args[0]));
781 if (fib_table_dump(tb, skb, cb) < 0) 781 err = fib_table_dump(tb, skb, cb);
782 goto out; 782 if (err < 0) {
783 if (likely(skb->len))
784 goto out;
785
786 goto out_err;
787 }
783 dumped = 1; 788 dumped = 1;
784next: 789next:
785 e++; 790 e++;
786 } 791 }
787 } 792 }
788out: 793out:
794 err = skb->len;
795out_err:
789 rcu_read_unlock(); 796 rcu_read_unlock();
790 797
791 cb->args[1] = e; 798 cb->args[1] = e;
792 cb->args[0] = h; 799 cb->args[0] = h;
793 800
794 return skb->len; 801 return err;
795} 802}
796 803
797/* Prepare and feed intra-kernel routing request. 804/* Prepare and feed intra-kernel routing request.
@@ -1081,7 +1088,8 @@ static void nl_fib_input(struct sk_buff *skb)
1081 1088
1082 net = sock_net(skb->sk); 1089 net = sock_net(skb->sk);
1083 nlh = nlmsg_hdr(skb); 1090 nlh = nlmsg_hdr(skb);
1084 if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len || 1091 if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
1092 skb->len < nlh->nlmsg_len ||
1085 nlmsg_len(nlh) < sizeof(*frn)) 1093 nlmsg_len(nlh) < sizeof(*frn))
1086 return; 1094 return;
1087 1095
@@ -1312,13 +1320,14 @@ static struct pernet_operations fib_net_ops = {
1312 1320
1313void __init ip_fib_init(void) 1321void __init ip_fib_init(void)
1314{ 1322{
1315 rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL); 1323 fib_trie_init();
1316 rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
1317 rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
1318 1324
1319 register_pernet_subsys(&fib_net_ops); 1325 register_pernet_subsys(&fib_net_ops);
1326
1320 register_netdevice_notifier(&fib_netdev_notifier); 1327 register_netdevice_notifier(&fib_netdev_notifier);
1321 register_inetaddr_notifier(&fib_inetaddr_notifier); 1328 register_inetaddr_notifier(&fib_inetaddr_notifier);
1322 1329
1323 fib_trie_init(); 1330 rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL);
1331 rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
1332 rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
1324} 1333}
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 840b450aab46..b2504712259f 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -204,6 +204,7 @@ static void rt_fibinfo_free_cpus(struct rtable __rcu * __percpu *rtp)
204static void free_fib_info_rcu(struct rcu_head *head) 204static void free_fib_info_rcu(struct rcu_head *head)
205{ 205{
206 struct fib_info *fi = container_of(head, struct fib_info, rcu); 206 struct fib_info *fi = container_of(head, struct fib_info, rcu);
207 struct dst_metrics *m;
207 208
208 change_nexthops(fi) { 209 change_nexthops(fi) {
209 if (nexthop_nh->nh_dev) 210 if (nexthop_nh->nh_dev)
@@ -214,8 +215,9 @@ static void free_fib_info_rcu(struct rcu_head *head)
214 rt_fibinfo_free(&nexthop_nh->nh_rth_input); 215 rt_fibinfo_free(&nexthop_nh->nh_rth_input);
215 } endfor_nexthops(fi); 216 } endfor_nexthops(fi);
216 217
217 if (fi->fib_metrics != (u32 *) dst_default_metrics) 218 m = fi->fib_metrics;
218 kfree(fi->fib_metrics); 219 if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
220 kfree(m);
219 kfree(fi); 221 kfree(fi);
220} 222}
221 223
@@ -982,11 +984,11 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
982 val = 255; 984 val = 255;
983 if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK)) 985 if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK))
984 return -EINVAL; 986 return -EINVAL;
985 fi->fib_metrics[type - 1] = val; 987 fi->fib_metrics->metrics[type - 1] = val;
986 } 988 }
987 989
988 if (ecn_ca) 990 if (ecn_ca)
989 fi->fib_metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA; 991 fi->fib_metrics->metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA;
990 992
991 return 0; 993 return 0;
992} 994}
@@ -1044,11 +1046,12 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
1044 goto failure; 1046 goto failure;
1045 fib_info_cnt++; 1047 fib_info_cnt++;
1046 if (cfg->fc_mx) { 1048 if (cfg->fc_mx) {
1047 fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL); 1049 fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL);
1048 if (!fi->fib_metrics) 1050 if (!fi->fib_metrics)
1049 goto failure; 1051 goto failure;
1052 atomic_set(&fi->fib_metrics->refcnt, 1);
1050 } else 1053 } else
1051 fi->fib_metrics = (u32 *) dst_default_metrics; 1054 fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
1052 1055
1053 fi->fib_net = net; 1056 fi->fib_net = net;
1054 fi->fib_protocol = cfg->fc_protocol; 1057 fi->fib_protocol = cfg->fc_protocol;
@@ -1251,7 +1254,7 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
1251 if (fi->fib_priority && 1254 if (fi->fib_priority &&
1252 nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority)) 1255 nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority))
1253 goto nla_put_failure; 1256 goto nla_put_failure;
1254 if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0) 1257 if (rtnetlink_put_metrics(skb, fi->fib_metrics->metrics) < 0)
1255 goto nla_put_failure; 1258 goto nla_put_failure;
1256 1259
1257 if (fi->fib_prefsrc && 1260 if (fi->fib_prefsrc &&
@@ -1277,8 +1280,9 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
1277 nla_put_u32(skb, RTA_FLOW, fi->fib_nh[0].nh_tclassid)) 1280 nla_put_u32(skb, RTA_FLOW, fi->fib_nh[0].nh_tclassid))
1278 goto nla_put_failure; 1281 goto nla_put_failure;
1279#endif 1282#endif
1280 if (fi->fib_nh->nh_lwtstate) 1283 if (fi->fib_nh->nh_lwtstate &&
1281 lwtunnel_fill_encap(skb, fi->fib_nh->nh_lwtstate); 1284 lwtunnel_fill_encap(skb, fi->fib_nh->nh_lwtstate) < 0)
1285 goto nla_put_failure;
1282 } 1286 }
1283#ifdef CONFIG_IP_ROUTE_MULTIPATH 1287#ifdef CONFIG_IP_ROUTE_MULTIPATH
1284 if (fi->fib_nhs > 1) { 1288 if (fi->fib_nhs > 1) {
@@ -1314,8 +1318,10 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
1314 nla_put_u32(skb, RTA_FLOW, nh->nh_tclassid)) 1318 nla_put_u32(skb, RTA_FLOW, nh->nh_tclassid))
1315 goto nla_put_failure; 1319 goto nla_put_failure;
1316#endif 1320#endif
1317 if (nh->nh_lwtstate) 1321 if (nh->nh_lwtstate &&
1318 lwtunnel_fill_encap(skb, nh->nh_lwtstate); 1322 lwtunnel_fill_encap(skb, nh->nh_lwtstate) < 0)
1323 goto nla_put_failure;
1324
1319 /* length of rtnetlink header + attributes */ 1325 /* length of rtnetlink header + attributes */
1320 rtnh->rtnh_len = nlmsg_get_pos(skb) - (void *) rtnh; 1326 rtnh->rtnh_len = nlmsg_get_pos(skb) - (void *) rtnh;
1321 } endfor_nexthops(fi); 1327 } endfor_nexthops(fi);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 7c52afb98c42..5c598f99a500 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1906,6 +1906,8 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
1906 1906
1907 /* rcu_read_lock is hold by caller */ 1907 /* rcu_read_lock is hold by caller */
1908 hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { 1908 hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) {
1909 int err;
1910
1909 if (i < s_i) { 1911 if (i < s_i) {
1910 i++; 1912 i++;
1911 continue; 1913 continue;
@@ -1916,17 +1918,14 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
1916 continue; 1918 continue;
1917 } 1919 }
1918 1920
1919 if (fib_dump_info(skb, NETLINK_CB(cb->skb).portid, 1921 err = fib_dump_info(skb, NETLINK_CB(cb->skb).portid,
1920 cb->nlh->nlmsg_seq, 1922 cb->nlh->nlmsg_seq, RTM_NEWROUTE,
1921 RTM_NEWROUTE, 1923 tb->tb_id, fa->fa_type,
1922 tb->tb_id, 1924 xkey, KEYLENGTH - fa->fa_slen,
1923 fa->fa_type, 1925 fa->fa_tos, fa->fa_info, NLM_F_MULTI);
1924 xkey, 1926 if (err < 0) {
1925 KEYLENGTH - fa->fa_slen,
1926 fa->fa_tos,
1927 fa->fa_info, NLM_F_MULTI) < 0) {
1928 cb->args[4] = i; 1927 cb->args[4] = i;
1929 return -1; 1928 return err;
1930 } 1929 }
1931 i++; 1930 i++;
1932 } 1931 }
@@ -1948,10 +1947,13 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
1948 t_key key = cb->args[3]; 1947 t_key key = cb->args[3];
1949 1948
1950 while ((l = leaf_walk_rcu(&tp, key)) != NULL) { 1949 while ((l = leaf_walk_rcu(&tp, key)) != NULL) {
1951 if (fn_trie_dump_leaf(l, tb, skb, cb) < 0) { 1950 int err;
1951
1952 err = fn_trie_dump_leaf(l, tb, skb, cb);
1953 if (err < 0) {
1952 cb->args[3] = key; 1954 cb->args[3] = key;
1953 cb->args[2] = count; 1955 cb->args[2] = count;
1954 return -1; 1956 return err;
1955 } 1957 }
1956 1958
1957 ++count; 1959 ++count;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 17adfdaf5795..3809d523d012 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1102,6 +1102,7 @@ static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im)
1102 pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); 1102 pmc = kzalloc(sizeof(*pmc), GFP_KERNEL);
1103 if (!pmc) 1103 if (!pmc)
1104 return; 1104 return;
1105 spin_lock_init(&pmc->lock);
1105 spin_lock_bh(&im->lock); 1106 spin_lock_bh(&im->lock);
1106 pmc->interface = im->interface; 1107 pmc->interface = im->interface;
1107 in_dev_hold(in_dev); 1108 in_dev_hold(in_dev);
@@ -2026,21 +2027,26 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
2026 2027
2027static void ip_mc_clear_src(struct ip_mc_list *pmc) 2028static void ip_mc_clear_src(struct ip_mc_list *pmc)
2028{ 2029{
2029 struct ip_sf_list *psf, *nextpsf; 2030 struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
2030 2031
2031 for (psf = pmc->tomb; psf; psf = nextpsf) { 2032 spin_lock_bh(&pmc->lock);
2033 tomb = pmc->tomb;
2034 pmc->tomb = NULL;
2035 sources = pmc->sources;
2036 pmc->sources = NULL;
2037 pmc->sfmode = MCAST_EXCLUDE;
2038 pmc->sfcount[MCAST_INCLUDE] = 0;
2039 pmc->sfcount[MCAST_EXCLUDE] = 1;
2040 spin_unlock_bh(&pmc->lock);
2041
2042 for (psf = tomb; psf; psf = nextpsf) {
2032 nextpsf = psf->sf_next; 2043 nextpsf = psf->sf_next;
2033 kfree(psf); 2044 kfree(psf);
2034 } 2045 }
2035 pmc->tomb = NULL; 2046 for (psf = sources; psf; psf = nextpsf) {
2036 for (psf = pmc->sources; psf; psf = nextpsf) {
2037 nextpsf = psf->sf_next; 2047 nextpsf = psf->sf_next;
2038 kfree(psf); 2048 kfree(psf);
2039 } 2049 }
2040 pmc->sources = NULL;
2041 pmc->sfmode = MCAST_EXCLUDE;
2042 pmc->sfcount[MCAST_INCLUDE] = 0;
2043 pmc->sfcount[MCAST_EXCLUDE] = 1;
2044} 2050}
2045 2051
2046/* Join a multicast group 2052/* Join a multicast group
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index c97a2108cd61..a7e7aa1f6a47 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -669,6 +669,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
669 inet_sk(newsk)->inet_sport = htons(inet_rsk(req)->ir_num); 669 inet_sk(newsk)->inet_sport = htons(inet_rsk(req)->ir_num);
670 newsk->sk_write_space = sk_stream_write_space; 670 newsk->sk_write_space = sk_stream_write_space;
671 671
672 inet_sk(newsk)->mc_list = NULL;
673
672 newsk->sk_mark = inet_rsk(req)->ir_mark; 674 newsk->sk_mark = inet_rsk(req)->ir_mark;
673 atomic64_set(&newsk->sk_cookie, 675 atomic64_set(&newsk->sk_cookie,
674 atomic64_read(&inet_rsk(req)->ir_cookie)); 676 atomic64_read(&inet_rsk(req)->ir_cookie));
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 661bda968594..62e41d38da78 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -922,10 +922,12 @@ static int __ip_append_data(struct sock *sk,
922 csummode = CHECKSUM_PARTIAL; 922 csummode = CHECKSUM_PARTIAL;
923 923
924 cork->length += length; 924 cork->length += length;
925 if (((length > mtu) || (skb && skb_is_gso(skb))) && 925 if ((skb && skb_is_gso(skb)) ||
926 (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
927 (skb_queue_len(queue) <= 1) &&
926 (sk->sk_protocol == IPPROTO_UDP) && 928 (sk->sk_protocol == IPPROTO_UDP) &&
927 (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && 929 (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
928 (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { 930 (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
929 err = ip_ufo_append_data(sk, queue, getfrag, from, length, 931 err = ip_ufo_append_data(sk, queue, getfrag, from, length,
930 hh_len, fragheaderlen, transhdrlen, 932 hh_len, fragheaderlen, transhdrlen,
931 maxfraglen, flags); 933 maxfraglen, flags);
@@ -1241,6 +1243,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
1241 return -EINVAL; 1243 return -EINVAL;
1242 1244
1243 if ((size + skb->len > mtu) && 1245 if ((size + skb->len > mtu) &&
1246 (skb_queue_len(&sk->sk_write_queue) == 1) &&
1244 (sk->sk_protocol == IPPROTO_UDP) && 1247 (sk->sk_protocol == IPPROTO_UDP) &&
1245 (rt->dst.dev->features & NETIF_F_UFO)) { 1248 (rt->dst.dev->features & NETIF_F_UFO)) {
1246 if (skb->ip_summed != CHECKSUM_PARTIAL) 1249 if (skb->ip_summed != CHECKSUM_PARTIAL)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 9ce202549e7a..f300d1cbfa91 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
105 if (skb->ip_summed != CHECKSUM_COMPLETE) 105 if (skb->ip_summed != CHECKSUM_COMPLETE)
106 return; 106 return;
107 107
108 if (offset != 0) 108 if (offset != 0) {
109 csum = csum_sub(csum, 109 int tend_off = skb_transport_offset(skb) + tlen;
110 csum_partial(skb->data + tlen, 110 csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
111 offset, 0)); 111 }
112 112
113 put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum); 113 put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
114} 114}
@@ -1192,7 +1192,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
1192 pktinfo->ipi_ifindex = 0; 1192 pktinfo->ipi_ifindex = 0;
1193 pktinfo->ipi_spec_dst.s_addr = 0; 1193 pktinfo->ipi_spec_dst.s_addr = 0;
1194 } 1194 }
1195 skb_dst_drop(skb); 1195 /* We need to keep the dst for __ip_options_echo()
1196 * We could restrict the test to opt.ts_needtime || opt.srr,
1197 * but the following is good enough as IP options are not often used.
1198 */
1199 if (unlikely(IPCB(skb)->opt.optlen))
1200 skb_dst_force(skb);
1201 else
1202 skb_dst_drop(skb);
1196} 1203}
1197 1204
1198int ip_setsockopt(struct sock *sk, int level, 1205int ip_setsockopt(struct sock *sk, int level,
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 495fefe6a898..a989aba861e0 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -154,17 +154,18 @@ void ping_hash(struct sock *sk)
154void ping_unhash(struct sock *sk) 154void ping_unhash(struct sock *sk)
155{ 155{
156 struct inet_sock *isk = inet_sk(sk); 156 struct inet_sock *isk = inet_sk(sk);
157
157 pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num); 158 pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
159 write_lock_bh(&ping_table.lock);
158 if (sk_hashed(sk)) { 160 if (sk_hashed(sk)) {
159 write_lock_bh(&ping_table.lock);
160 hlist_nulls_del(&sk->sk_nulls_node); 161 hlist_nulls_del(&sk->sk_nulls_node);
161 sk_nulls_node_init(&sk->sk_nulls_node); 162 sk_nulls_node_init(&sk->sk_nulls_node);
162 sock_put(sk); 163 sock_put(sk);
163 isk->inet_num = 0; 164 isk->inet_num = 0;
164 isk->inet_sport = 0; 165 isk->inet_sport = 0;
165 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); 166 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
166 write_unlock_bh(&ping_table.lock);
167 } 167 }
168 write_unlock_bh(&ping_table.lock);
168} 169}
169EXPORT_SYMBOL_GPL(ping_unhash); 170EXPORT_SYMBOL_GPL(ping_unhash);
170 171
@@ -645,6 +646,8 @@ static int ping_v4_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh,
645{ 646{
646 struct sk_buff *skb = skb_peek(&sk->sk_write_queue); 647 struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
647 648
649 if (!skb)
650 return 0;
648 pfh->wcheck = csum_partial((char *)&pfh->icmph, 651 pfh->wcheck = csum_partial((char *)&pfh->icmph,
649 sizeof(struct icmphdr), pfh->wcheck); 652 sizeof(struct icmphdr), pfh->wcheck);
650 pfh->icmph.checksum = csum_fold(pfh->wcheck); 653 pfh->icmph.checksum = csum_fold(pfh->wcheck);
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 6287418c1dfe..ca1031411aa7 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -354,6 +354,9 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
354 rt->dst.dev->mtu); 354 rt->dst.dev->mtu);
355 return -EMSGSIZE; 355 return -EMSGSIZE;
356 } 356 }
357 if (length < sizeof(struct iphdr))
358 return -EINVAL;
359
357 if (flags&MSG_PROBE) 360 if (flags&MSG_PROBE)
358 goto out; 361 goto out;
359 362
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3708ff083211..fd15e55b28d1 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -792,6 +792,7 @@ static void ip_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_buf
792 struct rtable *rt; 792 struct rtable *rt;
793 struct flowi4 fl4; 793 struct flowi4 fl4;
794 const struct iphdr *iph = (const struct iphdr *) skb->data; 794 const struct iphdr *iph = (const struct iphdr *) skb->data;
795 struct net *net = dev_net(skb->dev);
795 int oif = skb->dev->ifindex; 796 int oif = skb->dev->ifindex;
796 u8 tos = RT_TOS(iph->tos); 797 u8 tos = RT_TOS(iph->tos);
797 u8 prot = iph->protocol; 798 u8 prot = iph->protocol;
@@ -799,7 +800,7 @@ static void ip_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_buf
799 800
800 rt = (struct rtable *) dst; 801 rt = (struct rtable *) dst;
801 802
802 __build_flow_key(sock_net(sk), &fl4, sk, iph, oif, tos, prot, mark, 0); 803 __build_flow_key(net, &fl4, sk, iph, oif, tos, prot, mark, 0);
803 __ip_do_redirect(rt, skb, &fl4, true); 804 __ip_do_redirect(rt, skb, &fl4, true);
804} 805}
805 806
@@ -1361,8 +1362,12 @@ static void rt_add_uncached_list(struct rtable *rt)
1361 1362
1362static void ipv4_dst_destroy(struct dst_entry *dst) 1363static void ipv4_dst_destroy(struct dst_entry *dst)
1363{ 1364{
1365 struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
1364 struct rtable *rt = (struct rtable *) dst; 1366 struct rtable *rt = (struct rtable *) dst;
1365 1367
1368 if (p != &dst_default_metrics && atomic_dec_and_test(&p->refcnt))
1369 kfree(p);
1370
1366 if (!list_empty(&rt->rt_uncached)) { 1371 if (!list_empty(&rt->rt_uncached)) {
1367 struct uncached_list *ul = rt->rt_uncached_list; 1372 struct uncached_list *ul = rt->rt_uncached_list;
1368 1373
@@ -1414,7 +1419,11 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
1414 rt->rt_gateway = nh->nh_gw; 1419 rt->rt_gateway = nh->nh_gw;
1415 rt->rt_uses_gateway = 1; 1420 rt->rt_uses_gateway = 1;
1416 } 1421 }
1417 dst_init_metrics(&rt->dst, fi->fib_metrics, true); 1422 dst_init_metrics(&rt->dst, fi->fib_metrics->metrics, true);
1423 if (fi->fib_metrics != &dst_default_metrics) {
1424 rt->dst._metrics |= DST_METRICS_REFCOUNTED;
1425 atomic_inc(&fi->fib_metrics->refcnt);
1426 }
1418#ifdef CONFIG_IP_ROUTE_CLASSID 1427#ifdef CONFIG_IP_ROUTE_CLASSID
1419 rt->dst.tclassid = nh->nh_tclassid; 1428 rt->dst.tclassid = nh->nh_tclassid;
1420#endif 1429#endif
@@ -1963,6 +1972,7 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr,
1963{ 1972{
1964 int res; 1973 int res;
1965 1974
1975 tos &= IPTOS_RT_MASK;
1966 rcu_read_lock(); 1976 rcu_read_lock();
1967 1977
1968 /* Multicast recognition logic is moved from route cache to here. 1978 /* Multicast recognition logic is moved from route cache to here.
@@ -2435,7 +2445,7 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, u32 table_id,
2435 r->rtm_dst_len = 32; 2445 r->rtm_dst_len = 32;
2436 r->rtm_src_len = 0; 2446 r->rtm_src_len = 0;
2437 r->rtm_tos = fl4->flowi4_tos; 2447 r->rtm_tos = fl4->flowi4_tos;
2438 r->rtm_table = table_id; 2448 r->rtm_table = table_id < 256 ? table_id : RT_TABLE_COMPAT;
2439 if (nla_put_u32(skb, RTA_TABLE, table_id)) 2449 if (nla_put_u32(skb, RTA_TABLE, table_id))
2440 goto nla_put_failure; 2450 goto nla_put_failure;
2441 r->rtm_type = rt->rt_type; 2451 r->rtm_type = rt->rt_type;
@@ -2569,7 +2579,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
2569 skb_reset_network_header(skb); 2579 skb_reset_network_header(skb);
2570 2580
2571 /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ 2581 /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
2572 ip_hdr(skb)->protocol = IPPROTO_ICMP; 2582 ip_hdr(skb)->protocol = IPPROTO_UDP;
2573 skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); 2583 skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
2574 2584
2575 src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0; 2585 src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 2dc982b15df8..a2e1142145df 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -337,6 +337,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
337 treq = tcp_rsk(req); 337 treq = tcp_rsk(req);
338 treq->rcv_isn = ntohl(th->seq) - 1; 338 treq->rcv_isn = ntohl(th->seq) - 1;
339 treq->snt_isn = cookie; 339 treq->snt_isn = cookie;
340 treq->txhash = net_tx_rndhash();
340 req->mss = mss; 341 req->mss = mss;
341 ireq->ir_num = ntohs(th->dest); 342 ireq->ir_num = ntohs(th->dest);
342 ireq->ir_rmt_port = th->source; 343 ireq->ir_rmt_port = th->source;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index dc173e0d2184..48e6509426b0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -783,6 +783,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
783 ret = -EAGAIN; 783 ret = -EAGAIN;
784 break; 784 break;
785 } 785 }
786 /* if __tcp_splice_read() got nothing while we have
787 * an skb in receive queue, we do not want to loop.
788 * This might happen with URG data.
789 */
790 if (!skb_queue_empty(&sk->sk_receive_queue))
791 break;
786 sk_wait_data(sk, &timeo, NULL); 792 sk_wait_data(sk, &timeo, NULL);
787 if (signal_pending(current)) { 793 if (signal_pending(current)) {
788 ret = sock_intr_errno(timeo); 794 ret = sock_intr_errno(timeo);
@@ -1065,9 +1071,12 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
1065 int *copied, size_t size) 1071 int *copied, size_t size)
1066{ 1072{
1067 struct tcp_sock *tp = tcp_sk(sk); 1073 struct tcp_sock *tp = tcp_sk(sk);
1074 struct sockaddr *uaddr = msg->msg_name;
1068 int err, flags; 1075 int err, flags;
1069 1076
1070 if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE)) 1077 if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) ||
1078 (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) &&
1079 uaddr->sa_family == AF_UNSPEC))
1071 return -EOPNOTSUPP; 1080 return -EOPNOTSUPP;
1072 if (tp->fastopen_req) 1081 if (tp->fastopen_req)
1073 return -EALREADY; /* Another Fast Open is in progress */ 1082 return -EALREADY; /* Another Fast Open is in progress */
@@ -1080,7 +1089,7 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
1080 tp->fastopen_req->size = size; 1089 tp->fastopen_req->size = size;
1081 1090
1082 flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0; 1091 flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0;
1083 err = __inet_stream_connect(sk->sk_socket, msg->msg_name, 1092 err = __inet_stream_connect(sk->sk_socket, uaddr,
1084 msg->msg_namelen, flags); 1093 msg->msg_namelen, flags);
1085 *copied = tp->fastopen_req->copied; 1094 *copied = tp->fastopen_req->copied;
1086 tcp_free_fastopen_req(tp); 1095 tcp_free_fastopen_req(tp);
@@ -2254,6 +2263,9 @@ int tcp_disconnect(struct sock *sk, int flags)
2254 tcp_init_send_head(sk); 2263 tcp_init_send_head(sk);
2255 memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); 2264 memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
2256 __sk_dst_reset(sk); 2265 __sk_dst_reset(sk);
2266 dst_release(sk->sk_rx_dst);
2267 sk->sk_rx_dst = NULL;
2268 tcp_saved_syn_free(tp);
2257 2269
2258 WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); 2270 WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
2259 2271
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 882caa4e72bc..aafe68134763 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -183,6 +183,7 @@ void tcp_init_congestion_control(struct sock *sk)
183{ 183{
184 const struct inet_connection_sock *icsk = inet_csk(sk); 184 const struct inet_connection_sock *icsk = inet_csk(sk);
185 185
186 tcp_sk(sk)->prior_ssthresh = 0;
186 if (icsk->icsk_ca_ops->init) 187 if (icsk->icsk_ca_ops->init)
187 icsk->icsk_ca_ops->init(sk); 188 icsk->icsk_ca_ops->init(sk);
188 if (tcp_ca_needs_ecn(sk)) 189 if (tcp_ca_needs_ecn(sk))
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 55be6ac70cff..fca618272a01 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -112,7 +112,7 @@ static bool tcp_fastopen_cookie_gen(struct request_sock *req,
112 struct tcp_fastopen_cookie tmp; 112 struct tcp_fastopen_cookie tmp;
113 113
114 if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) { 114 if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) {
115 struct in6_addr *buf = (struct in6_addr *) tmp.val; 115 struct in6_addr *buf = &tmp.addr;
116 int i; 116 int i;
117 117
118 for (i = 0; i < 4; i++) 118 for (i = 0; i < 4; i++)
@@ -161,6 +161,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
161 * scaled. So correct it appropriately. 161 * scaled. So correct it appropriately.
162 */ 162 */
163 tp->snd_wnd = ntohs(tcp_hdr(skb)->window); 163 tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
164 tp->max_window = tp->snd_wnd;
164 165
165 /* Activate the retrans timer so that SYNACK can be retransmitted. 166 /* Activate the retrans timer so that SYNACK can be retransmitted.
166 * The request socket is not added to the ehash 167 * The request socket is not added to the ehash
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 35e97ff3054a..b6d99c308bef 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1135,13 +1135,14 @@ static int tcp_match_skb_to_sack(struct sock *sk, struct sk_buff *skb,
1135 */ 1135 */
1136 if (pkt_len > mss) { 1136 if (pkt_len > mss) {
1137 unsigned int new_len = (pkt_len / mss) * mss; 1137 unsigned int new_len = (pkt_len / mss) * mss;
1138 if (!in_sack && new_len < pkt_len) { 1138 if (!in_sack && new_len < pkt_len)
1139 new_len += mss; 1139 new_len += mss;
1140 if (new_len >= skb->len)
1141 return 0;
1142 }
1143 pkt_len = new_len; 1140 pkt_len = new_len;
1144 } 1141 }
1142
1143 if (pkt_len >= skb->len && !in_sack)
1144 return 0;
1145
1145 err = tcp_fragment(sk, skb, pkt_len, mss, GFP_ATOMIC); 1146 err = tcp_fragment(sk, skb, pkt_len, mss, GFP_ATOMIC);
1146 if (err < 0) 1147 if (err < 0)
1147 return err; 1148 return err;
@@ -2165,8 +2166,7 @@ static void tcp_mark_head_lost(struct sock *sk, int packets, int mark_head)
2165{ 2166{
2166 struct tcp_sock *tp = tcp_sk(sk); 2167 struct tcp_sock *tp = tcp_sk(sk);
2167 struct sk_buff *skb; 2168 struct sk_buff *skb;
2168 int cnt, oldcnt; 2169 int cnt, oldcnt, lost;
2169 int err;
2170 unsigned int mss; 2170 unsigned int mss;
2171 /* Use SACK to deduce losses of new sequences sent during recovery */ 2171 /* Use SACK to deduce losses of new sequences sent during recovery */
2172 const u32 loss_high = tcp_is_sack(tp) ? tp->snd_nxt : tp->high_seq; 2172 const u32 loss_high = tcp_is_sack(tp) ? tp->snd_nxt : tp->high_seq;
@@ -2206,9 +2206,10 @@ static void tcp_mark_head_lost(struct sock *sk, int packets, int mark_head)
2206 break; 2206 break;
2207 2207
2208 mss = tcp_skb_mss(skb); 2208 mss = tcp_skb_mss(skb);
2209 err = tcp_fragment(sk, skb, (packets - oldcnt) * mss, 2209 /* If needed, chop off the prefix to mark as lost. */
2210 mss, GFP_ATOMIC); 2210 lost = (packets - oldcnt) * mss;
2211 if (err < 0) 2211 if (lost < skb->len &&
2212 tcp_fragment(sk, skb, lost, mss, GFP_ATOMIC) < 0)
2212 break; 2213 break;
2213 cnt = packets; 2214 cnt = packets;
2214 } 2215 }
@@ -2503,8 +2504,8 @@ static inline void tcp_end_cwnd_reduction(struct sock *sk)
2503 struct tcp_sock *tp = tcp_sk(sk); 2504 struct tcp_sock *tp = tcp_sk(sk);
2504 2505
2505 /* Reset cwnd to ssthresh in CWR or Recovery (unless it's undone) */ 2506 /* Reset cwnd to ssthresh in CWR or Recovery (unless it's undone) */
2506 if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || 2507 if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH &&
2507 (tp->undo_marker && tp->snd_ssthresh < TCP_INFINITE_SSTHRESH)) { 2508 (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || tp->undo_marker)) {
2508 tp->snd_cwnd = tp->snd_ssthresh; 2509 tp->snd_cwnd = tp->snd_ssthresh;
2509 tp->snd_cwnd_stamp = tcp_time_stamp; 2510 tp->snd_cwnd_stamp = tcp_time_stamp;
2510 } 2511 }
@@ -3220,7 +3221,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
3220 int delta; 3221 int delta;
3221 3222
3222 /* Non-retransmitted hole got filled? That's reordering */ 3223 /* Non-retransmitted hole got filled? That's reordering */
3223 if (reord < prior_fackets) 3224 if (reord < prior_fackets && reord <= tp->fackets_out)
3224 tcp_update_reordering(sk, tp->fackets_out - reord, 0); 3225 tcp_update_reordering(sk, tp->fackets_out - reord, 0);
3225 3226
3226 delta = tcp_is_fack(tp) ? pkts_acked : 3227 delta = tcp_is_fack(tp) ? pkts_acked :
@@ -5436,6 +5437,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
5436 struct inet_connection_sock *icsk = inet_csk(sk); 5437 struct inet_connection_sock *icsk = inet_csk(sk);
5437 5438
5438 tcp_set_state(sk, TCP_ESTABLISHED); 5439 tcp_set_state(sk, TCP_ESTABLISHED);
5440 icsk->icsk_ack.lrcvtime = tcp_time_stamp;
5439 5441
5440 if (skb) { 5442 if (skb) {
5441 icsk->icsk_af_ops->sk_rx_dst_set(sk, skb); 5443 icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
@@ -5648,7 +5650,6 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
5648 * to stand against the temptation 8) --ANK 5650 * to stand against the temptation 8) --ANK
5649 */ 5651 */
5650 inet_csk_schedule_ack(sk); 5652 inet_csk_schedule_ack(sk);
5651 icsk->icsk_ack.lrcvtime = tcp_time_stamp;
5652 tcp_enter_quickack_mode(sk); 5653 tcp_enter_quickack_mode(sk);
5653 inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK, 5654 inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
5654 TCP_DELACK_MAX, TCP_RTO_MAX); 5655 TCP_DELACK_MAX, TCP_RTO_MAX);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 25309b137c43..a84f74af22f7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect);
271 */ 271 */
272void tcp_v4_mtu_reduced(struct sock *sk) 272void tcp_v4_mtu_reduced(struct sock *sk)
273{ 273{
274 struct dst_entry *dst;
275 struct inet_sock *inet = inet_sk(sk); 274 struct inet_sock *inet = inet_sk(sk);
276 u32 mtu = tcp_sk(sk)->mtu_info; 275 struct dst_entry *dst;
276 u32 mtu;
277 277
278 if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
279 return;
280 mtu = tcp_sk(sk)->mtu_info;
278 dst = inet_csk_update_pmtu(sk, mtu); 281 dst = inet_csk_update_pmtu(sk, mtu);
279 if (!dst) 282 if (!dst)
280 return; 283 return;
@@ -420,7 +423,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
420 423
421 switch (type) { 424 switch (type) {
422 case ICMP_REDIRECT: 425 case ICMP_REDIRECT:
423 do_redirect(icmp_skb, sk); 426 if (!sock_owned_by_user(sk))
427 do_redirect(icmp_skb, sk);
424 goto out; 428 goto out;
425 case ICMP_SOURCE_QUENCH: 429 case ICMP_SOURCE_QUENCH:
426 /* Just silently ignore these. */ 430 /* Just silently ignore these. */
diff --git a/net/ipv4/tcp_lp.c b/net/ipv4/tcp_lp.c
index 1e70fa8fa793..3861dedd5365 100644
--- a/net/ipv4/tcp_lp.c
+++ b/net/ipv4/tcp_lp.c
@@ -264,13 +264,15 @@ static void tcp_lp_pkts_acked(struct sock *sk, u32 num_acked, s32 rtt_us)
264{ 264{
265 struct tcp_sock *tp = tcp_sk(sk); 265 struct tcp_sock *tp = tcp_sk(sk);
266 struct lp *lp = inet_csk_ca(sk); 266 struct lp *lp = inet_csk_ca(sk);
267 u32 delta;
267 268
268 if (rtt_us > 0) 269 if (rtt_us > 0)
269 tcp_lp_rtt_sample(sk, rtt_us); 270 tcp_lp_rtt_sample(sk, rtt_us);
270 271
271 /* calc inference */ 272 /* calc inference */
272 if (tcp_time_stamp > tp->rx_opt.rcv_tsecr) 273 delta = tcp_time_stamp - tp->rx_opt.rcv_tsecr;
273 lp->inference = 3 * (tcp_time_stamp - tp->rx_opt.rcv_tsecr); 274 if ((s32)delta > 0)
275 lp->inference = 3 * delta;
274 276
275 /* test if within inference */ 277 /* test if within inference */
276 if (lp->last_drop && (tcp_time_stamp - lp->last_drop < lp->inference)) 278 if (lp->last_drop && (tcp_time_stamp - lp->last_drop < lp->inference))
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 9475a2748a9a..4c1c94fa8f08 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -472,6 +472,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
472 newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT); 472 newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
473 newtp->rtt_min[0].rtt = ~0U; 473 newtp->rtt_min[0].rtt = ~0U;
474 newicsk->icsk_rto = TCP_TIMEOUT_INIT; 474 newicsk->icsk_rto = TCP_TIMEOUT_INIT;
475 newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
475 476
476 newtp->packets_out = 0; 477 newtp->packets_out = 0;
477 newtp->retrans_out = 0; 478 newtp->retrans_out = 0;
@@ -546,6 +547,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
546 newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len; 547 newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
547 newtp->rx_opt.mss_clamp = req->mss; 548 newtp->rx_opt.mss_clamp = req->mss;
548 tcp_ecn_openreq_child(newtp, req); 549 tcp_ecn_openreq_child(newtp, req);
550 newtp->fastopen_req = NULL;
549 newtp->fastopen_rsk = NULL; 551 newtp->fastopen_rsk = NULL;
550 newtp->syn_data_acked = 0; 552 newtp->syn_data_acked = 0;
551 newtp->rack.mstamp.v64 = 0; 553 newtp->rack.mstamp.v64 = 0;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index ca3731721d81..4e88f93f71c8 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1221,7 +1221,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
1221 * eventually). The difference is that pulled data not copied, but 1221 * eventually). The difference is that pulled data not copied, but
1222 * immediately discarded. 1222 * immediately discarded.
1223 */ 1223 */
1224static void __pskb_trim_head(struct sk_buff *skb, int len) 1224static int __pskb_trim_head(struct sk_buff *skb, int len)
1225{ 1225{
1226 struct skb_shared_info *shinfo; 1226 struct skb_shared_info *shinfo;
1227 int i, k, eat; 1227 int i, k, eat;
@@ -1231,7 +1231,7 @@ static void __pskb_trim_head(struct sk_buff *skb, int len)
1231 __skb_pull(skb, eat); 1231 __skb_pull(skb, eat);
1232 len -= eat; 1232 len -= eat;
1233 if (!len) 1233 if (!len)
1234 return; 1234 return 0;
1235 } 1235 }
1236 eat = len; 1236 eat = len;
1237 k = 0; 1237 k = 0;
@@ -1257,23 +1257,28 @@ static void __pskb_trim_head(struct sk_buff *skb, int len)
1257 skb_reset_tail_pointer(skb); 1257 skb_reset_tail_pointer(skb);
1258 skb->data_len -= len; 1258 skb->data_len -= len;
1259 skb->len = skb->data_len; 1259 skb->len = skb->data_len;
1260 return len;
1260} 1261}
1261 1262
1262/* Remove acked data from a packet in the transmit queue. */ 1263/* Remove acked data from a packet in the transmit queue. */
1263int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len) 1264int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
1264{ 1265{
1266 u32 delta_truesize;
1267
1265 if (skb_unclone(skb, GFP_ATOMIC)) 1268 if (skb_unclone(skb, GFP_ATOMIC))
1266 return -ENOMEM; 1269 return -ENOMEM;
1267 1270
1268 __pskb_trim_head(skb, len); 1271 delta_truesize = __pskb_trim_head(skb, len);
1269 1272
1270 TCP_SKB_CB(skb)->seq += len; 1273 TCP_SKB_CB(skb)->seq += len;
1271 skb->ip_summed = CHECKSUM_PARTIAL; 1274 skb->ip_summed = CHECKSUM_PARTIAL;
1272 1275
1273 skb->truesize -= len; 1276 if (delta_truesize) {
1274 sk->sk_wmem_queued -= len; 1277 skb->truesize -= delta_truesize;
1275 sk_mem_uncharge(sk, len); 1278 sk->sk_wmem_queued -= delta_truesize;
1276 sock_set_flag(sk, SOCK_QUEUE_SHRUNK); 1279 sk_mem_uncharge(sk, delta_truesize);
1280 sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
1281 }
1277 1282
1278 /* Any change of skb->len requires recalculation of tso factor. */ 1283 /* Any change of skb->len requires recalculation of tso factor. */
1279 if (tcp_skb_pcount(skb) > 1) 1284 if (tcp_skb_pcount(skb) > 1)
@@ -2383,9 +2388,11 @@ u32 __tcp_select_window(struct sock *sk)
2383 int full_space = min_t(int, tp->window_clamp, allowed_space); 2388 int full_space = min_t(int, tp->window_clamp, allowed_space);
2384 int window; 2389 int window;
2385 2390
2386 if (mss > full_space) 2391 if (unlikely(mss > full_space)) {
2387 mss = full_space; 2392 mss = full_space;
2388 2393 if (mss <= 0)
2394 return 0;
2395 }
2389 if (free_space < (full_space >> 1)) { 2396 if (free_space < (full_space >> 1)) {
2390 icsk->icsk_ack.quick = 0; 2397 icsk->icsk_ack.quick = 0;
2391 2398
@@ -3249,6 +3256,9 @@ int tcp_connect(struct sock *sk)
3249 struct sk_buff *buff; 3256 struct sk_buff *buff;
3250 int err; 3257 int err;
3251 3258
3259 if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk))
3260 return -EHOSTUNREACH; /* Routing failure or similar. */
3261
3252 tcp_connect_init(sk); 3262 tcp_connect_init(sk);
3253 3263
3254 if (unlikely(tp->repair)) { 3264 if (unlikely(tp->repair)) {
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 193ba1fa8a9a..1ec12a4f327e 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -223,7 +223,8 @@ void tcp_delack_timer_handler(struct sock *sk)
223 223
224 sk_mem_reclaim_partial(sk); 224 sk_mem_reclaim_partial(sk);
225 225
226 if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) 226 if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
227 !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
227 goto out; 228 goto out;
228 229
229 if (time_after(icsk->icsk_ack.timeout, jiffies)) { 230 if (time_after(icsk->icsk_ack.timeout, jiffies)) {
@@ -504,7 +505,8 @@ void tcp_write_timer_handler(struct sock *sk)
504 struct inet_connection_sock *icsk = inet_csk(sk); 505 struct inet_connection_sock *icsk = inet_csk(sk);
505 int event; 506 int event;
506 507
507 if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending) 508 if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
509 !icsk->icsk_pending)
508 goto out; 510 goto out;
509 511
510 if (time_after(icsk->icsk_timeout, jiffies)) { 512 if (time_after(icsk->icsk_timeout, jiffies)) {
@@ -604,7 +606,8 @@ static void tcp_keepalive_timer (unsigned long data)
604 goto death; 606 goto death;
605 } 607 }
606 608
607 if (!sock_flag(sk, SOCK_KEEPOPEN) || sk->sk_state == TCP_CLOSE) 609 if (!sock_flag(sk, SOCK_KEEPOPEN) ||
610 ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)))
608 goto out; 611 goto out;
609 612
610 elapsed = keepalive_time_when(tp); 613 elapsed = keepalive_time_when(tp);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ad3d1534c524..9ee5087b9b5e 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -819,7 +819,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
819 if (is_udplite) /* UDP-Lite */ 819 if (is_udplite) /* UDP-Lite */
820 csum = udplite_csum(skb); 820 csum = udplite_csum(skb);
821 821
822 else if (sk->sk_no_check_tx) { /* UDP csum disabled */ 822 else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */
823 823
824 skb->ip_summed = CHECKSUM_NONE; 824 skb->ip_summed = CHECKSUM_NONE;
825 goto send; 825 goto send;
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 6396f1c80ae9..6dfc3daf7c21 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -231,7 +231,7 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
231 if (uh->check == 0) 231 if (uh->check == 0)
232 uh->check = CSUM_MANGLED_0; 232 uh->check = CSUM_MANGLED_0;
233 233
234 skb->ip_summed = CHECKSUM_NONE; 234 skb->ip_summed = CHECKSUM_UNNECESSARY;
235 235
236 /* Fragment the skb. IP headers of the fragments are updated in 236 /* Fragment the skb. IP headers of the fragments are updated in
237 * inet_gso_segment() 237 * inet_gso_segment()
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 1e541578a66d..2d2241006d35 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -112,6 +112,27 @@ static inline u32 cstamp_delta(unsigned long cstamp)
112 return (cstamp - INITIAL_JIFFIES) * 100UL / HZ; 112 return (cstamp - INITIAL_JIFFIES) * 100UL / HZ;
113} 113}
114 114
115static inline s32 rfc3315_s14_backoff_init(s32 irt)
116{
117 /* multiply 'initial retransmission time' by 0.9 .. 1.1 */
118 u64 tmp = (900000 + prandom_u32() % 200001) * (u64)irt;
119 do_div(tmp, 1000000);
120 return (s32)tmp;
121}
122
123static inline s32 rfc3315_s14_backoff_update(s32 rt, s32 mrt)
124{
125 /* multiply 'retransmission timeout' by 1.9 .. 2.1 */
126 u64 tmp = (1900000 + prandom_u32() % 200001) * (u64)rt;
127 do_div(tmp, 1000000);
128 if ((s32)tmp > mrt) {
129 /* multiply 'maximum retransmission time' by 0.9 .. 1.1 */
130 tmp = (900000 + prandom_u32() % 200001) * (u64)mrt;
131 do_div(tmp, 1000000);
132 }
133 return (s32)tmp;
134}
135
115#ifdef CONFIG_SYSCTL 136#ifdef CONFIG_SYSCTL
116static int addrconf_sysctl_register(struct inet6_dev *idev); 137static int addrconf_sysctl_register(struct inet6_dev *idev);
117static void addrconf_sysctl_unregister(struct inet6_dev *idev); 138static void addrconf_sysctl_unregister(struct inet6_dev *idev);
@@ -187,6 +208,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
187 .dad_transmits = 1, 208 .dad_transmits = 1,
188 .rtr_solicits = MAX_RTR_SOLICITATIONS, 209 .rtr_solicits = MAX_RTR_SOLICITATIONS,
189 .rtr_solicit_interval = RTR_SOLICITATION_INTERVAL, 210 .rtr_solicit_interval = RTR_SOLICITATION_INTERVAL,
211 .rtr_solicit_max_interval = RTR_SOLICITATION_MAX_INTERVAL,
190 .rtr_solicit_delay = MAX_RTR_SOLICITATION_DELAY, 212 .rtr_solicit_delay = MAX_RTR_SOLICITATION_DELAY,
191 .use_tempaddr = 0, 213 .use_tempaddr = 0,
192 .temp_valid_lft = TEMP_VALID_LIFETIME, 214 .temp_valid_lft = TEMP_VALID_LIFETIME,
@@ -202,6 +224,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
202 .accept_ra_rtr_pref = 1, 224 .accept_ra_rtr_pref = 1,
203 .rtr_probe_interval = 60 * HZ, 225 .rtr_probe_interval = 60 * HZ,
204#ifdef CONFIG_IPV6_ROUTE_INFO 226#ifdef CONFIG_IPV6_ROUTE_INFO
227 .accept_ra_rt_info_min_plen = 0,
205 .accept_ra_rt_info_max_plen = 0, 228 .accept_ra_rt_info_max_plen = 0,
206#endif 229#endif
207#endif 230#endif
@@ -232,6 +255,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
232 .dad_transmits = 1, 255 .dad_transmits = 1,
233 .rtr_solicits = MAX_RTR_SOLICITATIONS, 256 .rtr_solicits = MAX_RTR_SOLICITATIONS,
234 .rtr_solicit_interval = RTR_SOLICITATION_INTERVAL, 257 .rtr_solicit_interval = RTR_SOLICITATION_INTERVAL,
258 .rtr_solicit_max_interval = RTR_SOLICITATION_MAX_INTERVAL,
235 .rtr_solicit_delay = MAX_RTR_SOLICITATION_DELAY, 259 .rtr_solicit_delay = MAX_RTR_SOLICITATION_DELAY,
236 .use_tempaddr = 0, 260 .use_tempaddr = 0,
237 .temp_valid_lft = TEMP_VALID_LIFETIME, 261 .temp_valid_lft = TEMP_VALID_LIFETIME,
@@ -247,6 +271,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
247 .accept_ra_rtr_pref = 1, 271 .accept_ra_rtr_pref = 1,
248 .rtr_probe_interval = 60 * HZ, 272 .rtr_probe_interval = 60 * HZ,
249#ifdef CONFIG_IPV6_ROUTE_INFO 273#ifdef CONFIG_IPV6_ROUTE_INFO
274 .accept_ra_rt_info_min_plen = 0,
250 .accept_ra_rt_info_max_plen = 0, 275 .accept_ra_rt_info_max_plen = 0,
251#endif 276#endif
252#endif 277#endif
@@ -293,9 +318,9 @@ static void addrconf_mod_rs_timer(struct inet6_dev *idev,
293static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, 318static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
294 unsigned long delay) 319 unsigned long delay)
295{ 320{
296 if (!delayed_work_pending(&ifp->dad_work)) 321 in6_ifa_hold(ifp);
297 in6_ifa_hold(ifp); 322 if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay))
298 mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); 323 in6_ifa_put(ifp);
299} 324}
300 325
301static int snmp6_alloc_dev(struct inet6_dev *idev) 326static int snmp6_alloc_dev(struct inet6_dev *idev)
@@ -1774,17 +1799,7 @@ struct inet6_ifaddr *ipv6_get_ifaddr(struct net *net, const struct in6_addr *add
1774 1799
1775static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed) 1800static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed)
1776{ 1801{
1777 if (ifp->flags&IFA_F_PERMANENT) { 1802 if (ifp->flags&IFA_F_TEMPORARY) {
1778 spin_lock_bh(&ifp->lock);
1779 addrconf_del_dad_work(ifp);
1780 ifp->flags |= IFA_F_TENTATIVE;
1781 if (dad_failed)
1782 ifp->flags |= IFA_F_DADFAILED;
1783 spin_unlock_bh(&ifp->lock);
1784 if (dad_failed)
1785 ipv6_ifa_notify(0, ifp);
1786 in6_ifa_put(ifp);
1787 } else if (ifp->flags&IFA_F_TEMPORARY) {
1788 struct inet6_ifaddr *ifpub; 1803 struct inet6_ifaddr *ifpub;
1789 spin_lock_bh(&ifp->lock); 1804 spin_lock_bh(&ifp->lock);
1790 ifpub = ifp->ifpub; 1805 ifpub = ifp->ifpub;
@@ -1797,6 +1812,16 @@ static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed)
1797 spin_unlock_bh(&ifp->lock); 1812 spin_unlock_bh(&ifp->lock);
1798 } 1813 }
1799 ipv6_del_addr(ifp); 1814 ipv6_del_addr(ifp);
1815 } else if (ifp->flags&IFA_F_PERMANENT || !dad_failed) {
1816 spin_lock_bh(&ifp->lock);
1817 addrconf_del_dad_work(ifp);
1818 ifp->flags |= IFA_F_TENTATIVE;
1819 if (dad_failed)
1820 ifp->flags |= IFA_F_DADFAILED;
1821 spin_unlock_bh(&ifp->lock);
1822 if (dad_failed)
1823 ipv6_ifa_notify(0, ifp);
1824 in6_ifa_put(ifp);
1800 } else { 1825 } else {
1801 ipv6_del_addr(ifp); 1826 ipv6_del_addr(ifp);
1802 } 1827 }
@@ -3170,6 +3195,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
3170{ 3195{
3171 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 3196 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
3172 struct inet6_dev *idev = __in6_dev_get(dev); 3197 struct inet6_dev *idev = __in6_dev_get(dev);
3198 struct net *net = dev_net(dev);
3173 int run_pending = 0; 3199 int run_pending = 0;
3174 int err; 3200 int err;
3175 3201
@@ -3185,7 +3211,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
3185 case NETDEV_CHANGEMTU: 3211 case NETDEV_CHANGEMTU:
3186 /* if MTU under IPV6_MIN_MTU stop IPv6 on this interface. */ 3212 /* if MTU under IPV6_MIN_MTU stop IPv6 on this interface. */
3187 if (dev->mtu < IPV6_MIN_MTU) { 3213 if (dev->mtu < IPV6_MIN_MTU) {
3188 addrconf_ifdown(dev, 1); 3214 addrconf_ifdown(dev, dev != net->loopback_dev);
3189 break; 3215 break;
3190 } 3216 }
3191 3217
@@ -3238,9 +3264,15 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
3238 } 3264 }
3239 3265
3240 if (idev) { 3266 if (idev) {
3241 if (idev->if_flags & IF_READY) 3267 if (idev->if_flags & IF_READY) {
3242 /* device is already configured. */ 3268 /* device is already configured -
3269 * but resend MLD reports, we might
3270 * have roamed and need to update
3271 * multicast snooping switches
3272 */
3273 ipv6_mc_up(idev);
3243 break; 3274 break;
3275 }
3244 idev->if_flags |= IF_READY; 3276 idev->if_flags |= IF_READY;
3245 } 3277 }
3246 3278
@@ -3292,7 +3324,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
3292 * IPV6_MIN_MTU stop IPv6 on this interface. 3324 * IPV6_MIN_MTU stop IPv6 on this interface.
3293 */ 3325 */
3294 if (dev->mtu < IPV6_MIN_MTU) 3326 if (dev->mtu < IPV6_MIN_MTU)
3295 addrconf_ifdown(dev, 1); 3327 addrconf_ifdown(dev, dev != net->loopback_dev);
3296 } 3328 }
3297 break; 3329 break;
3298 3330
@@ -3333,6 +3365,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
3333 */ 3365 */
3334static struct notifier_block ipv6_dev_notf = { 3366static struct notifier_block ipv6_dev_notf = {
3335 .notifier_call = addrconf_notify, 3367 .notifier_call = addrconf_notify,
3368 .priority = ADDRCONF_NOTIFY_PRIORITY,
3336}; 3369};
3337 3370
3338static void addrconf_type_change(struct net_device *dev, unsigned long event) 3371static void addrconf_type_change(struct net_device *dev, unsigned long event)
@@ -3485,7 +3518,7 @@ static void addrconf_rs_timer(unsigned long data)
3485 if (idev->if_flags & IF_RA_RCVD) 3518 if (idev->if_flags & IF_RA_RCVD)
3486 goto out; 3519 goto out;
3487 3520
3488 if (idev->rs_probes++ < idev->cnf.rtr_solicits) { 3521 if (idev->rs_probes++ < idev->cnf.rtr_solicits || idev->cnf.rtr_solicits < 0) {
3489 write_unlock(&idev->lock); 3522 write_unlock(&idev->lock);
3490 if (!ipv6_get_lladdr(dev, &lladdr, IFA_F_TENTATIVE)) 3523 if (!ipv6_get_lladdr(dev, &lladdr, IFA_F_TENTATIVE))
3491 ndisc_send_rs(dev, &lladdr, 3524 ndisc_send_rs(dev, &lladdr,
@@ -3494,11 +3527,13 @@ static void addrconf_rs_timer(unsigned long data)
3494 goto put; 3527 goto put;
3495 3528
3496 write_lock(&idev->lock); 3529 write_lock(&idev->lock);
3530 idev->rs_interval = rfc3315_s14_backoff_update(
3531 idev->rs_interval, idev->cnf.rtr_solicit_max_interval);
3497 /* The wait after the last probe can be shorter */ 3532 /* The wait after the last probe can be shorter */
3498 addrconf_mod_rs_timer(idev, (idev->rs_probes == 3533 addrconf_mod_rs_timer(idev, (idev->rs_probes ==
3499 idev->cnf.rtr_solicits) ? 3534 idev->cnf.rtr_solicits) ?
3500 idev->cnf.rtr_solicit_delay : 3535 idev->cnf.rtr_solicit_delay :
3501 idev->cnf.rtr_solicit_interval); 3536 idev->rs_interval);
3502 } else { 3537 } else {
3503 /* 3538 /*
3504 * Note: we do not support deprecated "all on-link" 3539 * Note: we do not support deprecated "all on-link"
@@ -3726,7 +3761,7 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp)
3726 send_mld = ifp->scope == IFA_LINK && ipv6_lonely_lladdr(ifp); 3761 send_mld = ifp->scope == IFA_LINK && ipv6_lonely_lladdr(ifp);
3727 send_rs = send_mld && 3762 send_rs = send_mld &&
3728 ipv6_accept_ra(ifp->idev) && 3763 ipv6_accept_ra(ifp->idev) &&
3729 ifp->idev->cnf.rtr_solicits > 0 && 3764 ifp->idev->cnf.rtr_solicits != 0 &&
3730 (dev->flags&IFF_LOOPBACK) == 0; 3765 (dev->flags&IFF_LOOPBACK) == 0;
3731 read_unlock_bh(&ifp->idev->lock); 3766 read_unlock_bh(&ifp->idev->lock);
3732 3767
@@ -3748,10 +3783,11 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp)
3748 3783
3749 write_lock_bh(&ifp->idev->lock); 3784 write_lock_bh(&ifp->idev->lock);
3750 spin_lock(&ifp->lock); 3785 spin_lock(&ifp->lock);
3786 ifp->idev->rs_interval = rfc3315_s14_backoff_init(
3787 ifp->idev->cnf.rtr_solicit_interval);
3751 ifp->idev->rs_probes = 1; 3788 ifp->idev->rs_probes = 1;
3752 ifp->idev->if_flags |= IF_RS_SENT; 3789 ifp->idev->if_flags |= IF_RS_SENT;
3753 addrconf_mod_rs_timer(ifp->idev, 3790 addrconf_mod_rs_timer(ifp->idev, ifp->idev->rs_interval);
3754 ifp->idev->cnf.rtr_solicit_interval);
3755 spin_unlock(&ifp->lock); 3791 spin_unlock(&ifp->lock);
3756 write_unlock_bh(&ifp->idev->lock); 3792 write_unlock_bh(&ifp->idev->lock);
3757 } 3793 }
@@ -4668,6 +4704,8 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
4668 array[DEVCONF_RTR_SOLICITS] = cnf->rtr_solicits; 4704 array[DEVCONF_RTR_SOLICITS] = cnf->rtr_solicits;
4669 array[DEVCONF_RTR_SOLICIT_INTERVAL] = 4705 array[DEVCONF_RTR_SOLICIT_INTERVAL] =
4670 jiffies_to_msecs(cnf->rtr_solicit_interval); 4706 jiffies_to_msecs(cnf->rtr_solicit_interval);
4707 array[DEVCONF_RTR_SOLICIT_MAX_INTERVAL] =
4708 jiffies_to_msecs(cnf->rtr_solicit_max_interval);
4671 array[DEVCONF_RTR_SOLICIT_DELAY] = 4709 array[DEVCONF_RTR_SOLICIT_DELAY] =
4672 jiffies_to_msecs(cnf->rtr_solicit_delay); 4710 jiffies_to_msecs(cnf->rtr_solicit_delay);
4673 array[DEVCONF_FORCE_MLD_VERSION] = cnf->force_mld_version; 4711 array[DEVCONF_FORCE_MLD_VERSION] = cnf->force_mld_version;
@@ -4689,6 +4727,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
4689 array[DEVCONF_RTR_PROBE_INTERVAL] = 4727 array[DEVCONF_RTR_PROBE_INTERVAL] =
4690 jiffies_to_msecs(cnf->rtr_probe_interval); 4728 jiffies_to_msecs(cnf->rtr_probe_interval);
4691#ifdef CONFIG_IPV6_ROUTE_INFO 4729#ifdef CONFIG_IPV6_ROUTE_INFO
4730 array[DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN] = cnf->accept_ra_rt_info_min_plen;
4692 array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen; 4731 array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
4693#endif 4732#endif
4694#endif 4733#endif
@@ -4876,7 +4915,7 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
4876 return -EINVAL; 4915 return -EINVAL;
4877 if (!ipv6_accept_ra(idev)) 4916 if (!ipv6_accept_ra(idev))
4878 return -EINVAL; 4917 return -EINVAL;
4879 if (idev->cnf.rtr_solicits <= 0) 4918 if (idev->cnf.rtr_solicits == 0)
4880 return -EINVAL; 4919 return -EINVAL;
4881 4920
4882 write_lock_bh(&idev->lock); 4921 write_lock_bh(&idev->lock);
@@ -4901,8 +4940,10 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
4901 4940
4902 if (update_rs) { 4941 if (update_rs) {
4903 idev->if_flags |= IF_RS_SENT; 4942 idev->if_flags |= IF_RS_SENT;
4943 idev->rs_interval = rfc3315_s14_backoff_init(
4944 idev->cnf.rtr_solicit_interval);
4904 idev->rs_probes = 1; 4945 idev->rs_probes = 1;
4905 addrconf_mod_rs_timer(idev, idev->cnf.rtr_solicit_interval); 4946 addrconf_mod_rs_timer(idev, idev->rs_interval);
4906 } 4947 }
4907 4948
4908 /* Well, that's kinda nasty ... */ 4949 /* Well, that's kinda nasty ... */
@@ -5272,8 +5313,7 @@ static void addrconf_disable_change(struct net *net, __s32 newf)
5272 struct net_device *dev; 5313 struct net_device *dev;
5273 struct inet6_dev *idev; 5314 struct inet6_dev *idev;
5274 5315
5275 rcu_read_lock(); 5316 for_each_netdev(net, dev) {
5276 for_each_netdev_rcu(net, dev) {
5277 idev = __in6_dev_get(dev); 5317 idev = __in6_dev_get(dev);
5278 if (idev) { 5318 if (idev) {
5279 int changed = (!idev->cnf.disable_ipv6) ^ (!newf); 5319 int changed = (!idev->cnf.disable_ipv6) ^ (!newf);
@@ -5282,7 +5322,6 @@ static void addrconf_disable_change(struct net *net, __s32 newf)
5282 dev_disable_change(idev); 5322 dev_disable_change(idev);
5283 } 5323 }
5284 } 5324 }
5285 rcu_read_unlock();
5286} 5325}
5287 5326
5288static int addrconf_disable_ipv6(struct ctl_table *table, int *p, int newf) 5327static int addrconf_disable_ipv6(struct ctl_table *table, int *p, int newf)
@@ -5542,6 +5581,13 @@ static struct addrconf_sysctl_table
5542 .proc_handler = proc_dointvec_jiffies, 5581 .proc_handler = proc_dointvec_jiffies,
5543 }, 5582 },
5544 { 5583 {
5584 .procname = "router_solicitation_max_interval",
5585 .data = &ipv6_devconf.rtr_solicit_max_interval,
5586 .maxlen = sizeof(int),
5587 .mode = 0644,
5588 .proc_handler = proc_dointvec_jiffies,
5589 },
5590 {
5545 .procname = "router_solicitation_delay", 5591 .procname = "router_solicitation_delay",
5546 .data = &ipv6_devconf.rtr_solicit_delay, 5592 .data = &ipv6_devconf.rtr_solicit_delay,
5547 .maxlen = sizeof(int), 5593 .maxlen = sizeof(int),
@@ -5651,6 +5697,13 @@ static struct addrconf_sysctl_table
5651 }, 5697 },
5652#ifdef CONFIG_IPV6_ROUTE_INFO 5698#ifdef CONFIG_IPV6_ROUTE_INFO
5653 { 5699 {
5700 .procname = "accept_ra_rt_info_min_plen",
5701 .data = &ipv6_devconf.accept_ra_rt_info_min_plen,
5702 .maxlen = sizeof(int),
5703 .mode = 0644,
5704 .proc_handler = proc_dointvec,
5705 },
5706 {
5654 .procname = "accept_ra_rt_info_max_plen", 5707 .procname = "accept_ra_rt_info_max_plen",
5655 .data = &ipv6_devconf.accept_ra_rt_info_max_plen, 5708 .data = &ipv6_devconf.accept_ra_rt_info_max_plen,
5656 .maxlen = sizeof(int), 5709 .maxlen = sizeof(int),
@@ -5977,6 +6030,8 @@ int __init addrconf_init(void)
5977 goto errlo; 6030 goto errlo;
5978 } 6031 }
5979 6032
6033 ip6_route_init_special_entries();
6034
5980 for (i = 0; i < IN6_ADDR_HSIZE; i++) 6035 for (i = 0; i < IN6_ADDR_HSIZE; i++)
5981 INIT_HLIST_HEAD(&inet6_addr_lst[i]); 6036 INIT_HLIST_HEAD(&inet6_addr_lst[i]);
5982 6037
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index cf2dfb222230..56528e9f3e01 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -76,18 +76,22 @@ static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int a
76 } 76 }
77 } 77 }
78 78
79 addr_type = ipv6_addr_type(&usin->sin6_addr); 79 if (ipv6_addr_any(&usin->sin6_addr)) {
80
81 if (addr_type == IPV6_ADDR_ANY) {
82 /* 80 /*
83 * connect to self 81 * connect to self
84 */ 82 */
85 usin->sin6_addr.s6_addr[15] = 0x01; 83 if (ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
84 ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
85 &usin->sin6_addr);
86 else
87 usin->sin6_addr = in6addr_loopback;
86 } 88 }
87 89
90 addr_type = ipv6_addr_type(&usin->sin6_addr);
91
88 daddr = &usin->sin6_addr; 92 daddr = &usin->sin6_addr;
89 93
90 if (addr_type == IPV6_ADDR_MAPPED) { 94 if (addr_type & IPV6_ADDR_MAPPED) {
91 struct sockaddr_in sin; 95 struct sockaddr_in sin;
92 96
93 if (__ipv6_only_sock(sk)) { 97 if (__ipv6_only_sock(sk)) {
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index ed33abf57abd..9ac4f0cef27d 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -32,7 +32,6 @@ struct fib6_rule {
32struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, 32struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
33 int flags, pol_lookup_t lookup) 33 int flags, pol_lookup_t lookup)
34{ 34{
35 struct rt6_info *rt;
36 struct fib_lookup_arg arg = { 35 struct fib_lookup_arg arg = {
37 .lookup_ptr = lookup, 36 .lookup_ptr = lookup,
38 .flags = FIB_LOOKUP_NOREF, 37 .flags = FIB_LOOKUP_NOREF,
@@ -41,21 +40,11 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
41 fib_rules_lookup(net->ipv6.fib6_rules_ops, 40 fib_rules_lookup(net->ipv6.fib6_rules_ops,
42 flowi6_to_flowi(fl6), flags, &arg); 41 flowi6_to_flowi(fl6), flags, &arg);
43 42
44 rt = arg.result; 43 if (arg.result)
44 return arg.result;
45 45
46 if (!rt) { 46 dst_hold(&net->ipv6.ip6_null_entry->dst);
47 dst_hold(&net->ipv6.ip6_null_entry->dst); 47 return &net->ipv6.ip6_null_entry->dst;
48 return &net->ipv6.ip6_null_entry->dst;
49 }
50
51 if (rt->rt6i_flags & RTF_REJECT &&
52 rt->dst.error == -EAGAIN) {
53 ip6_rt_put(rt);
54 rt = net->ipv6.ip6_null_entry;
55 dst_hold(&rt->dst);
56 }
57
58 return &rt->dst;
59} 48}
60 49
61static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, 50static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
@@ -116,7 +105,8 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
116 flp6->saddr = saddr; 105 flp6->saddr = saddr;
117 } 106 }
118 err = rt->dst.error; 107 err = rt->dst.error;
119 goto out; 108 if (err != -EAGAIN)
109 goto out;
120 } 110 }
121again: 111again:
122 ip6_rt_put(rt); 112 ip6_rt_put(rt);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 34cf46d74554..f60e8caea767 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -290,8 +290,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
290 struct rt6_info *rt; 290 struct rt6_info *rt;
291 291
292 rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags); 292 rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
293 if (rt->rt6i_flags & RTF_REJECT && 293 if (rt->dst.error == -EAGAIN) {
294 rt->dst.error == -EAGAIN) {
295 ip6_rt_put(rt); 294 ip6_rt_put(rt);
296 rt = net->ipv6.ip6_null_entry; 295 rt = net->ipv6.ip6_null_entry;
297 dst_hold(&rt->dst); 296 dst_hold(&rt->dst);
@@ -768,10 +767,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
768 goto next_iter; 767 goto next_iter;
769 } 768 }
770 769
771 if (iter->dst.dev == rt->dst.dev && 770 if (rt6_duplicate_nexthop(iter, rt)) {
772 iter->rt6i_idev == rt->rt6i_idev &&
773 ipv6_addr_equal(&iter->rt6i_gateway,
774 &rt->rt6i_gateway)) {
775 if (rt->rt6i_nsiblings) 771 if (rt->rt6i_nsiblings)
776 rt->rt6i_nsiblings = 0; 772 rt->rt6i_nsiblings = 0;
777 if (!(iter->rt6i_flags & RTF_EXPIRES)) 773 if (!(iter->rt6i_flags & RTF_EXPIRES))
@@ -903,6 +899,8 @@ add:
903 ins = &rt->dst.rt6_next; 899 ins = &rt->dst.rt6_next;
904 iter = *ins; 900 iter = *ins;
905 while (iter) { 901 while (iter) {
902 if (iter->rt6i_metric > rt->rt6i_metric)
903 break;
906 if (rt6_qualify_for_ecmp(iter)) { 904 if (rt6_qualify_for_ecmp(iter)) {
907 *ins = iter->dst.rt6_next; 905 *ins = iter->dst.rt6_next;
908 fib6_purge_rt(iter, fn, info->nl_net); 906 fib6_purge_rt(iter, fn, info->nl_net);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index eba61b42cd42..ab0efaca4a78 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -55,6 +55,7 @@
55#include <net/ip6_fib.h> 55#include <net/ip6_fib.h>
56#include <net/ip6_route.h> 56#include <net/ip6_route.h>
57#include <net/ip6_tunnel.h> 57#include <net/ip6_tunnel.h>
58#include <net/gre.h>
58 59
59 60
60static bool log_ecn_error = true; 61static bool log_ecn_error = true;
@@ -367,35 +368,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
367 368
368 369
369static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 370static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
370 u8 type, u8 code, int offset, __be32 info) 371 u8 type, u8 code, int offset, __be32 info)
371{ 372{
372 const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data; 373 const struct gre_base_hdr *greh;
373 __be16 *p = (__be16 *)(skb->data + offset); 374 const struct ipv6hdr *ipv6h;
374 int grehlen = offset + 4; 375 int grehlen = sizeof(*greh);
375 struct ip6_tnl *t; 376 struct ip6_tnl *t;
377 int key_off = 0;
376 __be16 flags; 378 __be16 flags;
379 __be32 key;
377 380
378 flags = p[0]; 381 if (!pskb_may_pull(skb, offset + grehlen))
379 if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) { 382 return;
380 if (flags&(GRE_VERSION|GRE_ROUTING)) 383 greh = (const struct gre_base_hdr *)(skb->data + offset);
381 return; 384 flags = greh->flags;
382 if (flags&GRE_KEY) { 385 if (flags & (GRE_VERSION | GRE_ROUTING))
383 grehlen += 4; 386 return;
384 if (flags&GRE_CSUM) 387 if (flags & GRE_CSUM)
385 grehlen += 4; 388 grehlen += 4;
386 } 389 if (flags & GRE_KEY) {
390 key_off = grehlen + offset;
391 grehlen += 4;
387 } 392 }
388 393
389 /* If only 8 bytes returned, keyed message will be dropped here */ 394 if (!pskb_may_pull(skb, offset + grehlen))
390 if (!pskb_may_pull(skb, grehlen))
391 return; 395 return;
392 ipv6h = (const struct ipv6hdr *)skb->data; 396 ipv6h = (const struct ipv6hdr *)skb->data;
393 p = (__be16 *)(skb->data + offset); 397 greh = (const struct gre_base_hdr *)(skb->data + offset);
398 key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
394 399
395 t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr, 400 t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
396 flags & GRE_KEY ? 401 key, greh->protocol);
397 *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
398 p[1]);
399 if (!t) 402 if (!t)
400 return; 403 return;
401 404
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 225f5f7f26ba..9e2ea4ae840d 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -62,7 +62,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
62 const struct net_offload *ops; 62 const struct net_offload *ops;
63 int proto; 63 int proto;
64 struct frag_hdr *fptr; 64 struct frag_hdr *fptr;
65 unsigned int unfrag_ip6hlen;
66 u8 *prevhdr; 65 u8 *prevhdr;
67 int offset = 0; 66 int offset = 0;
68 bool encap, udpfrag; 67 bool encap, udpfrag;
@@ -121,8 +120,12 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
121 skb->network_header = (u8 *)ipv6h - skb->head; 120 skb->network_header = (u8 *)ipv6h - skb->head;
122 121
123 if (udpfrag) { 122 if (udpfrag) {
124 unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); 123 int err = ip6_find_1stfragopt(skb, &prevhdr);
125 fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); 124 if (err < 0) {
125 kfree_skb_list(segs);
126 return ERR_PTR(err);
127 }
128 fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
126 fptr->frag_off = htons(offset); 129 fptr->frag_off = htons(offset);
127 if (skb->next) 130 if (skb->next)
128 fptr->frag_off |= htons(IP6_MF); 131 fptr->frag_off |= htons(IP6_MF);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 58900c21e4e4..e22339fad10b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -571,7 +571,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
571 int ptr, offset = 0, err = 0; 571 int ptr, offset = 0, err = 0;
572 u8 *prevhdr, nexthdr = 0; 572 u8 *prevhdr, nexthdr = 0;
573 573
574 hlen = ip6_find_1stfragopt(skb, &prevhdr); 574 err = ip6_find_1stfragopt(skb, &prevhdr);
575 if (err < 0)
576 goto fail;
577 hlen = err;
575 nexthdr = *prevhdr; 578 nexthdr = *prevhdr;
576 579
577 mtu = ip6_skb_dst_mtu(skb); 580 mtu = ip6_skb_dst_mtu(skb);
@@ -644,8 +647,6 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
644 *prevhdr = NEXTHDR_FRAGMENT; 647 *prevhdr = NEXTHDR_FRAGMENT;
645 tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC); 648 tmp_hdr = kmemdup(skb_network_header(skb), hlen, GFP_ATOMIC);
646 if (!tmp_hdr) { 649 if (!tmp_hdr) {
647 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
648 IPSTATS_MIB_FRAGFAILS);
649 err = -ENOMEM; 650 err = -ENOMEM;
650 goto fail; 651 goto fail;
651 } 652 }
@@ -742,13 +743,14 @@ slow_path:
742 * Fragment the datagram. 743 * Fragment the datagram.
743 */ 744 */
744 745
745 *prevhdr = NEXTHDR_FRAGMENT;
746 troom = rt->dst.dev->needed_tailroom; 746 troom = rt->dst.dev->needed_tailroom;
747 747
748 /* 748 /*
749 * Keep copying data until we run out. 749 * Keep copying data until we run out.
750 */ 750 */
751 while (left > 0) { 751 while (left > 0) {
752 u8 *fragnexthdr_offset;
753
752 len = left; 754 len = left;
753 /* IF: it doesn't fit, use 'mtu' - the data space left */ 755 /* IF: it doesn't fit, use 'mtu' - the data space left */
754 if (len > mtu) 756 if (len > mtu)
@@ -763,8 +765,6 @@ slow_path:
763 frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) + 765 frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) +
764 hroom + troom, GFP_ATOMIC); 766 hroom + troom, GFP_ATOMIC);
765 if (!frag) { 767 if (!frag) {
766 IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
767 IPSTATS_MIB_FRAGFAILS);
768 err = -ENOMEM; 768 err = -ENOMEM;
769 goto fail; 769 goto fail;
770 } 770 }
@@ -793,6 +793,10 @@ slow_path:
793 */ 793 */
794 skb_copy_from_linear_data(skb, skb_network_header(frag), hlen); 794 skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
795 795
796 fragnexthdr_offset = skb_network_header(frag);
797 fragnexthdr_offset += prevhdr - skb_network_header(skb);
798 *fragnexthdr_offset = NEXTHDR_FRAGMENT;
799
796 /* 800 /*
797 * Build fragment header. 801 * Build fragment header.
798 */ 802 */
@@ -996,6 +1000,11 @@ static int ip6_dst_lookup_tail(struct net *net, const struct sock *sk,
996 } 1000 }
997 } 1001 }
998#endif 1002#endif
1003 if (ipv6_addr_v4mapped(&fl6->saddr) &&
1004 !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr))) {
1005 err = -EAFNOSUPPORT;
1006 goto out_err_release;
1007 }
999 1008
1000 return 0; 1009 return 0;
1001 1010
@@ -1348,11 +1357,12 @@ emsgsize:
1348 */ 1357 */
1349 1358
1350 cork->length += length; 1359 cork->length += length;
1351 if (((length > mtu) || 1360 if ((skb && skb_is_gso(skb)) ||
1352 (skb && skb_is_gso(skb))) && 1361 (((length + (skb ? skb->len : headersize)) > mtu) &&
1362 (skb_queue_len(queue) <= 1) &&
1353 (sk->sk_protocol == IPPROTO_UDP) && 1363