Annotation of /trunk/kernel-alx/patches-4.9/0162-4.9.63-all-fixes.patch
Parent Directory | Revision Log
Revision 3047 -
(hide annotations)
(download)
Wed Dec 20 11:49:36 2017 UTC (6 years, 9 months ago) by niro
File size: 56453 byte(s)
Wed Dec 20 11:49:36 2017 UTC (6 years, 9 months ago) by niro
File size: 56453 byte(s)
-linux-4.9.63
1 | niro | 3047 | diff --git a/Makefile b/Makefile |
2 | index 8ab48891d088..339d4a85ffba 100644 | ||
3 | --- a/Makefile | ||
4 | +++ b/Makefile | ||
5 | @@ -1,6 +1,6 @@ | ||
6 | VERSION = 4 | ||
7 | PATCHLEVEL = 9 | ||
8 | -SUBLEVEL = 62 | ||
9 | +SUBLEVEL = 63 | ||
10 | EXTRAVERSION = | ||
11 | NAME = Roaring Lionus | ||
12 | |||
13 | diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi | ||
14 | index 40b3e31935d0..c05e7cfd0cbc 100644 | ||
15 | --- a/arch/arm/boot/dts/imx53-qsb-common.dtsi | ||
16 | +++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi | ||
17 | @@ -215,16 +215,16 @@ | ||
18 | |||
19 | pinctrl_fec: fecgrp { | ||
20 | fsl,pins = < | ||
21 | - MX53_PAD_FEC_MDC__FEC_MDC 0x4 | ||
22 | - MX53_PAD_FEC_MDIO__FEC_MDIO 0x1fc | ||
23 | - MX53_PAD_FEC_REF_CLK__FEC_TX_CLK 0x180 | ||
24 | - MX53_PAD_FEC_RX_ER__FEC_RX_ER 0x180 | ||
25 | - MX53_PAD_FEC_CRS_DV__FEC_RX_DV 0x180 | ||
26 | - MX53_PAD_FEC_RXD1__FEC_RDATA_1 0x180 | ||
27 | - MX53_PAD_FEC_RXD0__FEC_RDATA_0 0x180 | ||
28 | - MX53_PAD_FEC_TX_EN__FEC_TX_EN 0x4 | ||
29 | - MX53_PAD_FEC_TXD1__FEC_TDATA_1 0x4 | ||
30 | - MX53_PAD_FEC_TXD0__FEC_TDATA_0 0x4 | ||
31 | + MX53_PAD_FEC_MDC__FEC_MDC 0x80000000 | ||
32 | + MX53_PAD_FEC_MDIO__FEC_MDIO 0x80000000 | ||
33 | + MX53_PAD_FEC_REF_CLK__FEC_TX_CLK 0x80000000 | ||
34 | + MX53_PAD_FEC_RX_ER__FEC_RX_ER 0x80000000 | ||
35 | + MX53_PAD_FEC_CRS_DV__FEC_RX_DV 0x80000000 | ||
36 | + MX53_PAD_FEC_RXD1__FEC_RDATA_1 0x80000000 | ||
37 | + MX53_PAD_FEC_RXD0__FEC_RDATA_0 0x80000000 | ||
38 | + MX53_PAD_FEC_TX_EN__FEC_TX_EN 0x80000000 | ||
39 | + MX53_PAD_FEC_TXD1__FEC_TDATA_1 0x80000000 | ||
40 | + MX53_PAD_FEC_TXD0__FEC_TDATA_0 0x80000000 | ||
41 | >; | ||
42 | }; | ||
43 | |||
44 | diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig | ||
45 | index 8f01f21e78f1..6eda5abbd719 100644 | ||
46 | --- a/arch/powerpc/Kconfig | ||
47 | +++ b/arch/powerpc/Kconfig | ||
48 | @@ -1087,11 +1087,6 @@ source "arch/powerpc/Kconfig.debug" | ||
49 | |||
50 | source "security/Kconfig" | ||
51 | |||
52 | -config KEYS_COMPAT | ||
53 | - bool | ||
54 | - depends on COMPAT && KEYS | ||
55 | - default y | ||
56 | - | ||
57 | source "crypto/Kconfig" | ||
58 | |||
59 | config PPC_LIB_RHEAP | ||
60 | diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig | ||
61 | index 426481d4cc86..9aa0d04c9dcc 100644 | ||
62 | --- a/arch/s390/Kconfig | ||
63 | +++ b/arch/s390/Kconfig | ||
64 | @@ -359,9 +359,6 @@ config COMPAT | ||
65 | config SYSVIPC_COMPAT | ||
66 | def_bool y if COMPAT && SYSVIPC | ||
67 | |||
68 | -config KEYS_COMPAT | ||
69 | - def_bool y if COMPAT && KEYS | ||
70 | - | ||
71 | config SMP | ||
72 | def_bool y | ||
73 | prompt "Symmetric multi-processing support" | ||
74 | diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig | ||
75 | index b27e48e25841..8b4152f3a764 100644 | ||
76 | --- a/arch/sparc/Kconfig | ||
77 | +++ b/arch/sparc/Kconfig | ||
78 | @@ -568,9 +568,6 @@ config SYSVIPC_COMPAT | ||
79 | depends on COMPAT && SYSVIPC | ||
80 | default y | ||
81 | |||
82 | -config KEYS_COMPAT | ||
83 | - def_bool y if COMPAT && KEYS | ||
84 | - | ||
85 | endmenu | ||
86 | |||
87 | source "net/Kconfig" | ||
88 | diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig | ||
89 | index bada636d1065..b9c546a305a4 100644 | ||
90 | --- a/arch/x86/Kconfig | ||
91 | +++ b/arch/x86/Kconfig | ||
92 | @@ -2732,10 +2732,6 @@ config COMPAT_FOR_U64_ALIGNMENT | ||
93 | config SYSVIPC_COMPAT | ||
94 | def_bool y | ||
95 | depends on SYSVIPC | ||
96 | - | ||
97 | -config KEYS_COMPAT | ||
98 | - def_bool y | ||
99 | - depends on KEYS | ||
100 | endif | ||
101 | |||
102 | endmenu | ||
103 | diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c | ||
104 | index f4e8fbec6a94..b5304e264881 100644 | ||
105 | --- a/drivers/input/misc/ims-pcu.c | ||
106 | +++ b/drivers/input/misc/ims-pcu.c | ||
107 | @@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf) | ||
108 | return NULL; | ||
109 | } | ||
110 | |||
111 | - while (buflen > 0) { | ||
112 | + while (buflen >= sizeof(*union_desc)) { | ||
113 | union_desc = (struct usb_cdc_union_desc *)buf; | ||
114 | |||
115 | + if (union_desc->bLength > buflen) { | ||
116 | + dev_err(&intf->dev, "Too large descriptor\n"); | ||
117 | + return NULL; | ||
118 | + } | ||
119 | + | ||
120 | if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && | ||
121 | union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { | ||
122 | dev_dbg(&intf->dev, "Found union header\n"); | ||
123 | - return union_desc; | ||
124 | + | ||
125 | + if (union_desc->bLength >= sizeof(*union_desc)) | ||
126 | + return union_desc; | ||
127 | + | ||
128 | + dev_err(&intf->dev, | ||
129 | + "Union descriptor to short (%d vs %zd\n)", | ||
130 | + union_desc->bLength, sizeof(*union_desc)); | ||
131 | + return NULL; | ||
132 | } | ||
133 | |||
134 | buflen -= union_desc->bLength; | ||
135 | diff --git a/drivers/misc/panel.c b/drivers/misc/panel.c | ||
136 | index 6030ac5b8c63..a9fa4c0ac220 100644 | ||
137 | --- a/drivers/misc/panel.c | ||
138 | +++ b/drivers/misc/panel.c | ||
139 | @@ -1423,17 +1423,25 @@ static ssize_t lcd_write(struct file *file, | ||
140 | |||
141 | static int lcd_open(struct inode *inode, struct file *file) | ||
142 | { | ||
143 | + int ret; | ||
144 | + | ||
145 | + ret = -EBUSY; | ||
146 | if (!atomic_dec_and_test(&lcd_available)) | ||
147 | - return -EBUSY; /* open only once at a time */ | ||
148 | + goto fail; /* open only once at a time */ | ||
149 | |||
150 | + ret = -EPERM; | ||
151 | if (file->f_mode & FMODE_READ) /* device is write-only */ | ||
152 | - return -EPERM; | ||
153 | + goto fail; | ||
154 | |||
155 | if (lcd.must_clear) { | ||
156 | lcd_clear_display(); | ||
157 | lcd.must_clear = false; | ||
158 | } | ||
159 | return nonseekable_open(inode, file); | ||
160 | + | ||
161 | + fail: | ||
162 | + atomic_inc(&lcd_available); | ||
163 | + return ret; | ||
164 | } | ||
165 | |||
166 | static int lcd_release(struct inode *inode, struct file *file) | ||
167 | @@ -1696,14 +1704,21 @@ static ssize_t keypad_read(struct file *file, | ||
168 | |||
169 | static int keypad_open(struct inode *inode, struct file *file) | ||
170 | { | ||
171 | + int ret; | ||
172 | + | ||
173 | + ret = -EBUSY; | ||
174 | if (!atomic_dec_and_test(&keypad_available)) | ||
175 | - return -EBUSY; /* open only once at a time */ | ||
176 | + goto fail; /* open only once at a time */ | ||
177 | |||
178 | + ret = -EPERM; | ||
179 | if (file->f_mode & FMODE_WRITE) /* device is read-only */ | ||
180 | - return -EPERM; | ||
181 | + goto fail; | ||
182 | |||
183 | keypad_buflen = 0; /* flush the buffer on opening */ | ||
184 | return 0; | ||
185 | + fail: | ||
186 | + atomic_inc(&keypad_available); | ||
187 | + return ret; | ||
188 | } | ||
189 | |||
190 | static int keypad_release(struct inode *inode, struct file *file) | ||
191 | diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c | ||
192 | index adea6f5a4d71..9da9db17fc36 100644 | ||
193 | --- a/drivers/net/macvtap.c | ||
194 | +++ b/drivers/net/macvtap.c | ||
195 | @@ -559,6 +559,10 @@ static int macvtap_open(struct inode *inode, struct file *file) | ||
196 | &macvtap_proto, 0); | ||
197 | if (!q) | ||
198 | goto err; | ||
199 | + if (skb_array_init(&q->skb_array, dev->tx_queue_len, GFP_KERNEL)) { | ||
200 | + sk_free(&q->sk); | ||
201 | + goto err; | ||
202 | + } | ||
203 | |||
204 | RCU_INIT_POINTER(q->sock.wq, &q->wq); | ||
205 | init_waitqueue_head(&q->wq.wait); | ||
206 | @@ -582,22 +586,18 @@ static int macvtap_open(struct inode *inode, struct file *file) | ||
207 | if ((dev->features & NETIF_F_HIGHDMA) && (dev->features & NETIF_F_SG)) | ||
208 | sock_set_flag(&q->sk, SOCK_ZEROCOPY); | ||
209 | |||
210 | - err = -ENOMEM; | ||
211 | - if (skb_array_init(&q->skb_array, dev->tx_queue_len, GFP_KERNEL)) | ||
212 | - goto err_array; | ||
213 | - | ||
214 | err = macvtap_set_queue(dev, file, q); | ||
215 | - if (err) | ||
216 | - goto err_queue; | ||
217 | + if (err) { | ||
218 | + /* macvtap_sock_destruct() will take care of freeing skb_array */ | ||
219 | + goto err_put; | ||
220 | + } | ||
221 | |||
222 | dev_put(dev); | ||
223 | |||
224 | rtnl_unlock(); | ||
225 | return err; | ||
226 | |||
227 | -err_queue: | ||
228 | - skb_array_cleanup(&q->skb_array); | ||
229 | -err_array: | ||
230 | +err_put: | ||
231 | sock_put(&q->sk); | ||
232 | err: | ||
233 | if (dev) | ||
234 | @@ -1077,6 +1077,8 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, | ||
235 | case TUNSETSNDBUF: | ||
236 | if (get_user(s, sp)) | ||
237 | return -EFAULT; | ||
238 | + if (s <= 0) | ||
239 | + return -EINVAL; | ||
240 | |||
241 | q->sk.sk_sndbuf = s; | ||
242 | return 0; | ||
243 | diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c | ||
244 | index 96fa0e61d3af..440d5f42810f 100644 | ||
245 | --- a/drivers/net/ppp/ppp_generic.c | ||
246 | +++ b/drivers/net/ppp/ppp_generic.c | ||
247 | @@ -1338,7 +1338,17 @@ ppp_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats64) | ||
248 | |||
249 | static int ppp_dev_init(struct net_device *dev) | ||
250 | { | ||
251 | + struct ppp *ppp; | ||
252 | + | ||
253 | netdev_lockdep_set_classes(dev); | ||
254 | + | ||
255 | + ppp = netdev_priv(dev); | ||
256 | + /* Let the netdevice take a reference on the ppp file. This ensures | ||
257 | + * that ppp_destroy_interface() won't run before the device gets | ||
258 | + * unregistered. | ||
259 | + */ | ||
260 | + atomic_inc(&ppp->file.refcnt); | ||
261 | + | ||
262 | return 0; | ||
263 | } | ||
264 | |||
265 | @@ -1361,6 +1371,15 @@ static void ppp_dev_uninit(struct net_device *dev) | ||
266 | wake_up_interruptible(&ppp->file.rwait); | ||
267 | } | ||
268 | |||
269 | +static void ppp_dev_priv_destructor(struct net_device *dev) | ||
270 | +{ | ||
271 | + struct ppp *ppp; | ||
272 | + | ||
273 | + ppp = netdev_priv(dev); | ||
274 | + if (atomic_dec_and_test(&ppp->file.refcnt)) | ||
275 | + ppp_destroy_interface(ppp); | ||
276 | +} | ||
277 | + | ||
278 | static const struct net_device_ops ppp_netdev_ops = { | ||
279 | .ndo_init = ppp_dev_init, | ||
280 | .ndo_uninit = ppp_dev_uninit, | ||
281 | @@ -1386,6 +1405,7 @@ static void ppp_setup(struct net_device *dev) | ||
282 | dev->tx_queue_len = 3; | ||
283 | dev->type = ARPHRD_PPP; | ||
284 | dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST; | ||
285 | + dev->destructor = ppp_dev_priv_destructor; | ||
286 | netif_keep_dst(dev); | ||
287 | } | ||
288 | |||
289 | diff --git a/drivers/net/tun.c b/drivers/net/tun.c | ||
290 | index ba7f9e054c4a..518cbfbc8b65 100644 | ||
291 | --- a/drivers/net/tun.c | ||
292 | +++ b/drivers/net/tun.c | ||
293 | @@ -1787,6 +1787,9 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) | ||
294 | |||
295 | if (!dev) | ||
296 | return -ENOMEM; | ||
297 | + err = dev_get_valid_name(net, dev, name); | ||
298 | + if (err < 0) | ||
299 | + goto err_free_dev; | ||
300 | |||
301 | dev_net_set(dev, net); | ||
302 | dev->rtnl_link_ops = &tun_link_ops; | ||
303 | @@ -2180,6 +2183,10 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, | ||
304 | ret = -EFAULT; | ||
305 | break; | ||
306 | } | ||
307 | + if (sndbuf <= 0) { | ||
308 | + ret = -EINVAL; | ||
309 | + break; | ||
310 | + } | ||
311 | |||
312 | tun->sndbuf = sndbuf; | ||
313 | tun_set_sndbuf(tun); | ||
314 | diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | ||
315 | index 425a89c635d0..fc844a1f6c3f 100644 | ||
316 | --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | ||
317 | +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | ||
318 | @@ -4754,9 +4754,6 @@ static int brcmf_cfg80211_stop_ap(struct wiphy *wiphy, struct net_device *ndev) | ||
319 | err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0); | ||
320 | if (err < 0) | ||
321 | brcmf_err("setting AP mode failed %d\n", err); | ||
322 | - err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0); | ||
323 | - if (err < 0) | ||
324 | - brcmf_err("setting INFRA mode failed %d\n", err); | ||
325 | if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS)) | ||
326 | brcmf_fil_iovar_int_set(ifp, "mbss", 0); | ||
327 | brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY, | ||
328 | diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c | ||
329 | index 6643f6fc7795..0ad8ecef1e30 100644 | ||
330 | --- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c | ||
331 | +++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c | ||
332 | @@ -484,7 +484,6 @@ static int tcm_qla2xxx_handle_cmd(scsi_qla_host_t *vha, struct qla_tgt_cmd *cmd, | ||
333 | static void tcm_qla2xxx_handle_data_work(struct work_struct *work) | ||
334 | { | ||
335 | struct qla_tgt_cmd *cmd = container_of(work, struct qla_tgt_cmd, work); | ||
336 | - unsigned long flags; | ||
337 | |||
338 | /* | ||
339 | * Ensure that the complete FCP WRITE payload has been received. | ||
340 | @@ -492,17 +491,6 @@ static void tcm_qla2xxx_handle_data_work(struct work_struct *work) | ||
341 | */ | ||
342 | cmd->cmd_in_wq = 0; | ||
343 | |||
344 | - spin_lock_irqsave(&cmd->cmd_lock, flags); | ||
345 | - cmd->cmd_flags |= CMD_FLAG_DATA_WORK; | ||
346 | - if (cmd->aborted) { | ||
347 | - cmd->cmd_flags |= CMD_FLAG_DATA_WORK_FREE; | ||
348 | - spin_unlock_irqrestore(&cmd->cmd_lock, flags); | ||
349 | - | ||
350 | - tcm_qla2xxx_free_cmd(cmd); | ||
351 | - return; | ||
352 | - } | ||
353 | - spin_unlock_irqrestore(&cmd->cmd_lock, flags); | ||
354 | - | ||
355 | cmd->vha->tgt_counters.qla_core_ret_ctio++; | ||
356 | if (!cmd->write_data_transferred) { | ||
357 | /* | ||
358 | @@ -682,34 +670,13 @@ static void tcm_qla2xxx_queue_tm_rsp(struct se_cmd *se_cmd) | ||
359 | qlt_xmit_tm_rsp(mcmd); | ||
360 | } | ||
361 | |||
362 | - | ||
363 | -#define DATA_WORK_NOT_FREE(_flags) \ | ||
364 | - (( _flags & (CMD_FLAG_DATA_WORK|CMD_FLAG_DATA_WORK_FREE)) == \ | ||
365 | - CMD_FLAG_DATA_WORK) | ||
366 | static void tcm_qla2xxx_aborted_task(struct se_cmd *se_cmd) | ||
367 | { | ||
368 | struct qla_tgt_cmd *cmd = container_of(se_cmd, | ||
369 | struct qla_tgt_cmd, se_cmd); | ||
370 | - unsigned long flags; | ||
371 | |||
372 | if (qlt_abort_cmd(cmd)) | ||
373 | return; | ||
374 | - | ||
375 | - spin_lock_irqsave(&cmd->cmd_lock, flags); | ||
376 | - if ((cmd->state == QLA_TGT_STATE_NEW)|| | ||
377 | - ((cmd->state == QLA_TGT_STATE_DATA_IN) && | ||
378 | - DATA_WORK_NOT_FREE(cmd->cmd_flags)) ) { | ||
379 | - | ||
380 | - cmd->cmd_flags |= CMD_FLAG_DATA_WORK_FREE; | ||
381 | - spin_unlock_irqrestore(&cmd->cmd_lock, flags); | ||
382 | - /* Cmd have not reached firmware. | ||
383 | - * Use this trigger to free it. */ | ||
384 | - tcm_qla2xxx_free_cmd(cmd); | ||
385 | - return; | ||
386 | - } | ||
387 | - spin_unlock_irqrestore(&cmd->cmd_lock, flags); | ||
388 | - return; | ||
389 | - | ||
390 | } | ||
391 | |||
392 | static void tcm_qla2xxx_clear_sess_lookup(struct tcm_qla2xxx_lport *, | ||
393 | diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c | ||
394 | index e49fcd5e61f7..f3c9d18e9dc5 100644 | ||
395 | --- a/drivers/target/iscsi/iscsi_target.c | ||
396 | +++ b/drivers/target/iscsi/iscsi_target.c | ||
397 | @@ -1940,7 +1940,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | ||
398 | struct iscsi_tm *hdr; | ||
399 | int out_of_order_cmdsn = 0, ret; | ||
400 | bool sess_ref = false; | ||
401 | - u8 function; | ||
402 | + u8 function, tcm_function = TMR_UNKNOWN; | ||
403 | |||
404 | hdr = (struct iscsi_tm *) buf; | ||
405 | hdr->flags &= ~ISCSI_FLAG_CMD_FINAL; | ||
406 | @@ -1986,10 +1986,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | ||
407 | * LIO-Target $FABRIC_MOD | ||
408 | */ | ||
409 | if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { | ||
410 | - | ||
411 | - u8 tcm_function; | ||
412 | - int ret; | ||
413 | - | ||
414 | transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, | ||
415 | conn->sess->se_sess, 0, DMA_NONE, | ||
416 | TCM_SIMPLE_TAG, cmd->sense_buffer + 2); | ||
417 | @@ -2025,15 +2021,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, | ||
418 | return iscsit_add_reject_cmd(cmd, | ||
419 | ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); | ||
420 | } | ||
421 | - | ||
422 | - ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, | ||
423 | - tcm_function, GFP_KERNEL); | ||
424 | - if (ret < 0) | ||
425 | - return iscsit_add_reject_cmd(cmd, | ||
426 | + } | ||
427 | + ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function, | ||
428 | + GFP_KERNEL); | ||
429 | + if (ret < 0) | ||
430 | + return iscsit_add_reject_cmd(cmd, | ||
431 | ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); | ||
432 | |||
433 | - cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; | ||
434 | - } | ||
435 | + cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; | ||
436 | |||
437 | cmd->iscsi_opcode = ISCSI_OP_SCSI_TMFUNC; | ||
438 | cmd->i_state = ISTATE_SEND_TASKMGTRSP; | ||
439 | diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c | ||
440 | index d94927e5623b..e31f72b3a22c 100644 | ||
441 | --- a/drivers/usb/misc/usbtest.c | ||
442 | +++ b/drivers/usb/misc/usbtest.c | ||
443 | @@ -209,12 +209,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf) | ||
444 | return tmp; | ||
445 | } | ||
446 | |||
447 | - if (in) { | ||
448 | + if (in) | ||
449 | dev->in_pipe = usb_rcvbulkpipe(udev, | ||
450 | in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); | ||
451 | + if (out) | ||
452 | dev->out_pipe = usb_sndbulkpipe(udev, | ||
453 | out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); | ||
454 | - } | ||
455 | + | ||
456 | if (iso_in) { | ||
457 | dev->iso_in = &iso_in->desc; | ||
458 | dev->in_iso_pipe = usb_rcvisocpipe(udev, | ||
459 | diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h | ||
460 | index 23db1ae37464..47c7f5b8f675 100644 | ||
461 | --- a/include/linux/netdevice.h | ||
462 | +++ b/include/linux/netdevice.h | ||
463 | @@ -3742,6 +3742,9 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name, | ||
464 | unsigned char name_assign_type, | ||
465 | void (*setup)(struct net_device *), | ||
466 | unsigned int txqs, unsigned int rxqs); | ||
467 | +int dev_get_valid_name(struct net *net, struct net_device *dev, | ||
468 | + const char *name); | ||
469 | + | ||
470 | #define alloc_netdev(sizeof_priv, name, name_assign_type, setup) \ | ||
471 | alloc_netdev_mqs(sizeof_priv, name, name_assign_type, setup, 1, 1) | ||
472 | |||
473 | diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h | ||
474 | index 236a81034fef..0464b207d0cf 100644 | ||
475 | --- a/include/net/inet_sock.h | ||
476 | +++ b/include/net/inet_sock.h | ||
477 | @@ -96,7 +96,7 @@ struct inet_request_sock { | ||
478 | kmemcheck_bitfield_end(flags); | ||
479 | u32 ir_mark; | ||
480 | union { | ||
481 | - struct ip_options_rcu *opt; | ||
482 | + struct ip_options_rcu __rcu *ireq_opt; | ||
483 | #if IS_ENABLED(CONFIG_IPV6) | ||
484 | struct { | ||
485 | struct ipv6_txoptions *ipv6_opt; | ||
486 | @@ -132,6 +132,12 @@ static inline int inet_request_bound_dev_if(const struct sock *sk, | ||
487 | return sk->sk_bound_dev_if; | ||
488 | } | ||
489 | |||
490 | +static inline struct ip_options_rcu *ireq_opt_deref(const struct inet_request_sock *ireq) | ||
491 | +{ | ||
492 | + return rcu_dereference_check(ireq->ireq_opt, | ||
493 | + atomic_read(&ireq->req.rsk_refcnt) > 0); | ||
494 | +} | ||
495 | + | ||
496 | struct inet_cork { | ||
497 | unsigned int flags; | ||
498 | __be32 addr; | ||
499 | diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h | ||
500 | index d9d52c020a70..9ae819e27940 100644 | ||
501 | --- a/include/net/netfilter/nf_conntrack.h | ||
502 | +++ b/include/net/netfilter/nf_conntrack.h | ||
503 | @@ -17,7 +17,6 @@ | ||
504 | #include <linux/bitops.h> | ||
505 | #include <linux/compiler.h> | ||
506 | #include <linux/atomic.h> | ||
507 | -#include <linux/rhashtable.h> | ||
508 | |||
509 | #include <linux/netfilter/nf_conntrack_tcp.h> | ||
510 | #include <linux/netfilter/nf_conntrack_dccp.h> | ||
511 | @@ -101,7 +100,7 @@ struct nf_conn { | ||
512 | possible_net_t ct_net; | ||
513 | |||
514 | #if IS_ENABLED(CONFIG_NF_NAT) | ||
515 | - struct rhlist_head nat_bysource; | ||
516 | + struct hlist_node nat_bysource; | ||
517 | #endif | ||
518 | /* all members below initialized via memset */ | ||
519 | u8 __nfct_init_offset[0]; | ||
520 | diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h | ||
521 | index c327a431a6f3..02515f7ed4cc 100644 | ||
522 | --- a/include/net/netfilter/nf_nat.h | ||
523 | +++ b/include/net/netfilter/nf_nat.h | ||
524 | @@ -1,6 +1,5 @@ | ||
525 | #ifndef _NF_NAT_H | ||
526 | #define _NF_NAT_H | ||
527 | -#include <linux/rhashtable.h> | ||
528 | #include <linux/netfilter_ipv4.h> | ||
529 | #include <linux/netfilter/nf_nat.h> | ||
530 | #include <net/netfilter/nf_conntrack_tuple.h> | ||
531 | diff --git a/include/net/tcp.h b/include/net/tcp.h | ||
532 | index 123979fe12bf..fba4fc46871d 100644 | ||
533 | --- a/include/net/tcp.h | ||
534 | +++ b/include/net/tcp.h | ||
535 | @@ -1681,12 +1681,12 @@ static inline void tcp_highest_sack_reset(struct sock *sk) | ||
536 | tcp_sk(sk)->highest_sack = tcp_write_queue_head(sk); | ||
537 | } | ||
538 | |||
539 | -/* Called when old skb is about to be deleted (to be combined with new skb) */ | ||
540 | -static inline void tcp_highest_sack_combine(struct sock *sk, | ||
541 | +/* Called when old skb is about to be deleted and replaced by new skb */ | ||
542 | +static inline void tcp_highest_sack_replace(struct sock *sk, | ||
543 | struct sk_buff *old, | ||
544 | struct sk_buff *new) | ||
545 | { | ||
546 | - if (tcp_sk(sk)->sacked_out && (old == tcp_sk(sk)->highest_sack)) | ||
547 | + if (old == tcp_highest_sack(sk)) | ||
548 | tcp_sk(sk)->highest_sack = new; | ||
549 | } | ||
550 | |||
551 | diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h | ||
552 | index 0383c601e17c..a87e8940fe57 100644 | ||
553 | --- a/include/target/target_core_base.h | ||
554 | +++ b/include/target/target_core_base.h | ||
555 | @@ -197,6 +197,7 @@ enum tcm_tmreq_table { | ||
556 | TMR_LUN_RESET = 5, | ||
557 | TMR_TARGET_WARM_RESET = 6, | ||
558 | TMR_TARGET_COLD_RESET = 7, | ||
559 | + TMR_UNKNOWN = 0xff, | ||
560 | }; | ||
561 | |||
562 | /* fabric independent task management response values */ | ||
563 | diff --git a/net/core/dev.c b/net/core/dev.c | ||
564 | index 7f2caad46a3d..c37891828e4e 100644 | ||
565 | --- a/net/core/dev.c | ||
566 | +++ b/net/core/dev.c | ||
567 | @@ -1115,9 +1115,8 @@ static int dev_alloc_name_ns(struct net *net, | ||
568 | return ret; | ||
569 | } | ||
570 | |||
571 | -static int dev_get_valid_name(struct net *net, | ||
572 | - struct net_device *dev, | ||
573 | - const char *name) | ||
574 | +int dev_get_valid_name(struct net *net, struct net_device *dev, | ||
575 | + const char *name) | ||
576 | { | ||
577 | BUG_ON(!net); | ||
578 | |||
579 | @@ -1133,6 +1132,7 @@ static int dev_get_valid_name(struct net *net, | ||
580 | |||
581 | return 0; | ||
582 | } | ||
583 | +EXPORT_SYMBOL(dev_get_valid_name); | ||
584 | |||
585 | /** | ||
586 | * dev_change_name - change name of a device | ||
587 | diff --git a/net/core/sock.c b/net/core/sock.c | ||
588 | index 231c38d91855..e3b60460dc9c 100644 | ||
589 | --- a/net/core/sock.c | ||
590 | +++ b/net/core/sock.c | ||
591 | @@ -1526,6 +1526,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) | ||
592 | newsk->sk_userlocks = sk->sk_userlocks & ~SOCK_BINDPORT_LOCK; | ||
593 | |||
594 | sock_reset_flag(newsk, SOCK_DONE); | ||
595 | + cgroup_sk_alloc(&newsk->sk_cgrp_data); | ||
596 | skb_queue_head_init(&newsk->sk_error_queue); | ||
597 | |||
598 | filter = rcu_dereference_protected(newsk->sk_filter, 1); | ||
599 | @@ -1560,8 +1561,6 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) | ||
600 | atomic64_set(&newsk->sk_cookie, 0); | ||
601 | |||
602 | mem_cgroup_sk_alloc(newsk); | ||
603 | - cgroup_sk_alloc(&newsk->sk_cgrp_data); | ||
604 | - | ||
605 | /* | ||
606 | * Before updating sk_refcnt, we must commit prior changes to memory | ||
607 | * (Documentation/RCU/rculist_nulls.txt for details) | ||
608 | diff --git a/net/core/sock_reuseport.c b/net/core/sock_reuseport.c | ||
609 | index 9a1a352fd1eb..77f396b679ce 100644 | ||
610 | --- a/net/core/sock_reuseport.c | ||
611 | +++ b/net/core/sock_reuseport.c | ||
612 | @@ -36,9 +36,14 @@ int reuseport_alloc(struct sock *sk) | ||
613 | * soft irq of receive path or setsockopt from process context | ||
614 | */ | ||
615 | spin_lock_bh(&reuseport_lock); | ||
616 | - WARN_ONCE(rcu_dereference_protected(sk->sk_reuseport_cb, | ||
617 | - lockdep_is_held(&reuseport_lock)), | ||
618 | - "multiple allocations for the same socket"); | ||
619 | + | ||
620 | + /* Allocation attempts can occur concurrently via the setsockopt path | ||
621 | + * and the bind/hash path. Nothing to do when we lose the race. | ||
622 | + */ | ||
623 | + if (rcu_dereference_protected(sk->sk_reuseport_cb, | ||
624 | + lockdep_is_held(&reuseport_lock))) | ||
625 | + goto out; | ||
626 | + | ||
627 | reuse = __reuseport_alloc(INIT_SOCKS); | ||
628 | if (!reuse) { | ||
629 | spin_unlock_bh(&reuseport_lock); | ||
630 | @@ -49,6 +54,7 @@ int reuseport_alloc(struct sock *sk) | ||
631 | reuse->num_socks = 1; | ||
632 | rcu_assign_pointer(sk->sk_reuseport_cb, reuse); | ||
633 | |||
634 | +out: | ||
635 | spin_unlock_bh(&reuseport_lock); | ||
636 | |||
637 | return 0; | ||
638 | diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c | ||
639 | index 8fc160098e11..8c7799cdd3cf 100644 | ||
640 | --- a/net/dccp/ipv4.c | ||
641 | +++ b/net/dccp/ipv4.c | ||
642 | @@ -414,8 +414,7 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk, | ||
643 | sk_daddr_set(newsk, ireq->ir_rmt_addr); | ||
644 | sk_rcv_saddr_set(newsk, ireq->ir_loc_addr); | ||
645 | newinet->inet_saddr = ireq->ir_loc_addr; | ||
646 | - newinet->inet_opt = ireq->opt; | ||
647 | - ireq->opt = NULL; | ||
648 | + RCU_INIT_POINTER(newinet->inet_opt, rcu_dereference(ireq->ireq_opt)); | ||
649 | newinet->mc_index = inet_iif(skb); | ||
650 | newinet->mc_ttl = ip_hdr(skb)->ttl; | ||
651 | newinet->inet_id = jiffies; | ||
652 | @@ -430,7 +429,10 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk, | ||
653 | if (__inet_inherit_port(sk, newsk) < 0) | ||
654 | goto put_and_exit; | ||
655 | *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); | ||
656 | - | ||
657 | + if (*own_req) | ||
658 | + ireq->ireq_opt = NULL; | ||
659 | + else | ||
660 | + newinet->inet_opt = NULL; | ||
661 | return newsk; | ||
662 | |||
663 | exit_overflow: | ||
664 | @@ -441,6 +443,7 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk, | ||
665 | __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENDROPS); | ||
666 | return NULL; | ||
667 | put_and_exit: | ||
668 | + newinet->inet_opt = NULL; | ||
669 | inet_csk_prepare_forced_close(newsk); | ||
670 | dccp_done(newsk); | ||
671 | goto exit; | ||
672 | @@ -492,7 +495,7 @@ static int dccp_v4_send_response(const struct sock *sk, struct request_sock *req | ||
673 | ireq->ir_rmt_addr); | ||
674 | err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr, | ||
675 | ireq->ir_rmt_addr, | ||
676 | - ireq->opt); | ||
677 | + ireq_opt_deref(ireq)); | ||
678 | err = net_xmit_eval(err); | ||
679 | } | ||
680 | |||
681 | @@ -548,7 +551,7 @@ static void dccp_v4_ctl_send_reset(const struct sock *sk, struct sk_buff *rxskb) | ||
682 | static void dccp_v4_reqsk_destructor(struct request_sock *req) | ||
683 | { | ||
684 | dccp_feat_list_purge(&dccp_rsk(req)->dreq_featneg); | ||
685 | - kfree(inet_rsk(req)->opt); | ||
686 | + kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1)); | ||
687 | } | ||
688 | |||
689 | void dccp_syn_ack_timeout(const struct request_sock *req) | ||
690 | diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c | ||
691 | index ae206163c273..972353cd1778 100644 | ||
692 | --- a/net/ipv4/cipso_ipv4.c | ||
693 | +++ b/net/ipv4/cipso_ipv4.c | ||
694 | @@ -1943,7 +1943,7 @@ int cipso_v4_req_setattr(struct request_sock *req, | ||
695 | buf = NULL; | ||
696 | |||
697 | req_inet = inet_rsk(req); | ||
698 | - opt = xchg(&req_inet->opt, opt); | ||
699 | + opt = xchg((__force struct ip_options_rcu **)&req_inet->ireq_opt, opt); | ||
700 | if (opt) | ||
701 | kfree_rcu(opt, rcu); | ||
702 | |||
703 | @@ -1965,11 +1965,13 @@ int cipso_v4_req_setattr(struct request_sock *req, | ||
704 | * values on failure. | ||
705 | * | ||
706 | */ | ||
707 | -static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr) | ||
708 | +static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr) | ||
709 | { | ||
710 | + struct ip_options_rcu *opt = rcu_dereference_protected(*opt_ptr, 1); | ||
711 | int hdr_delta = 0; | ||
712 | - struct ip_options_rcu *opt = *opt_ptr; | ||
713 | |||
714 | + if (!opt || opt->opt.cipso == 0) | ||
715 | + return 0; | ||
716 | if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) { | ||
717 | u8 cipso_len; | ||
718 | u8 cipso_off; | ||
719 | @@ -2031,14 +2033,10 @@ static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr) | ||
720 | */ | ||
721 | void cipso_v4_sock_delattr(struct sock *sk) | ||
722 | { | ||
723 | - int hdr_delta; | ||
724 | - struct ip_options_rcu *opt; | ||
725 | struct inet_sock *sk_inet; | ||
726 | + int hdr_delta; | ||
727 | |||
728 | sk_inet = inet_sk(sk); | ||
729 | - opt = rcu_dereference_protected(sk_inet->inet_opt, 1); | ||
730 | - if (!opt || opt->opt.cipso == 0) | ||
731 | - return; | ||
732 | |||
733 | hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt); | ||
734 | if (sk_inet->is_icsk && hdr_delta > 0) { | ||
735 | @@ -2058,15 +2056,7 @@ void cipso_v4_sock_delattr(struct sock *sk) | ||
736 | */ | ||
737 | void cipso_v4_req_delattr(struct request_sock *req) | ||
738 | { | ||
739 | - struct ip_options_rcu *opt; | ||
740 | - struct inet_request_sock *req_inet; | ||
741 | - | ||
742 | - req_inet = inet_rsk(req); | ||
743 | - opt = req_inet->opt; | ||
744 | - if (!opt || opt->opt.cipso == 0) | ||
745 | - return; | ||
746 | - | ||
747 | - cipso_v4_delopt(&req_inet->opt); | ||
748 | + cipso_v4_delopt(&inet_rsk(req)->ireq_opt); | ||
749 | } | ||
750 | |||
751 | /** | ||
752 | diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c | ||
753 | index d5cac99170b1..8c72034df28e 100644 | ||
754 | --- a/net/ipv4/gre_offload.c | ||
755 | +++ b/net/ipv4/gre_offload.c | ||
756 | @@ -98,7 +98,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, | ||
757 | greh = (struct gre_base_hdr *)skb_transport_header(skb); | ||
758 | pcsum = (__sum16 *)(greh + 1); | ||
759 | |||
760 | - if (gso_partial) { | ||
761 | + if (gso_partial && skb_is_gso(skb)) { | ||
762 | unsigned int partial_adj; | ||
763 | |||
764 | /* Adjust checksum to account for the fact that | ||
765 | diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c | ||
766 | index cf3d5674846a..d1cab49393e2 100644 | ||
767 | --- a/net/ipv4/inet_connection_sock.c | ||
768 | +++ b/net/ipv4/inet_connection_sock.c | ||
769 | @@ -407,9 +407,11 @@ struct dst_entry *inet_csk_route_req(const struct sock *sk, | ||
770 | { | ||
771 | const struct inet_request_sock *ireq = inet_rsk(req); | ||
772 | struct net *net = read_pnet(&ireq->ireq_net); | ||
773 | - struct ip_options_rcu *opt = ireq->opt; | ||
774 | + struct ip_options_rcu *opt; | ||
775 | struct rtable *rt; | ||
776 | |||
777 | + opt = ireq_opt_deref(ireq); | ||
778 | + | ||
779 | flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark, | ||
780 | RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, | ||
781 | sk->sk_protocol, inet_sk_flowi_flags(sk), | ||
782 | @@ -443,10 +445,9 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk, | ||
783 | struct flowi4 *fl4; | ||
784 | struct rtable *rt; | ||
785 | |||
786 | + opt = rcu_dereference(ireq->ireq_opt); | ||
787 | fl4 = &newinet->cork.fl.u.ip4; | ||
788 | |||
789 | - rcu_read_lock(); | ||
790 | - opt = rcu_dereference(newinet->inet_opt); | ||
791 | flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark, | ||
792 | RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, | ||
793 | sk->sk_protocol, inet_sk_flowi_flags(sk), | ||
794 | @@ -459,13 +460,11 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk, | ||
795 | goto no_route; | ||
796 | if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway) | ||
797 | goto route_err; | ||
798 | - rcu_read_unlock(); | ||
799 | return &rt->dst; | ||
800 | |||
801 | route_err: | ||
802 | ip_rt_put(rt); | ||
803 | no_route: | ||
804 | - rcu_read_unlock(); | ||
805 | __IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES); | ||
806 | return NULL; | ||
807 | } | ||
808 | diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c | ||
809 | index ca97835bfec4..b9bcf3db3af9 100644 | ||
810 | --- a/net/ipv4/inet_hashtables.c | ||
811 | +++ b/net/ipv4/inet_hashtables.c | ||
812 | @@ -455,10 +455,7 @@ static int inet_reuseport_add_sock(struct sock *sk, | ||
813 | return reuseport_add_sock(sk, sk2); | ||
814 | } | ||
815 | |||
816 | - /* Initial allocation may have already happened via setsockopt */ | ||
817 | - if (!rcu_access_pointer(sk->sk_reuseport_cb)) | ||
818 | - return reuseport_alloc(sk); | ||
819 | - return 0; | ||
820 | + return reuseport_alloc(sk); | ||
821 | } | ||
822 | |||
823 | int __inet_hash(struct sock *sk, struct sock *osk, | ||
824 | diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c | ||
825 | index c9392589c415..56d71a004dce 100644 | ||
826 | --- a/net/ipv4/ipip.c | ||
827 | +++ b/net/ipv4/ipip.c | ||
828 | @@ -128,43 +128,68 @@ static struct rtnl_link_ops ipip_link_ops __read_mostly; | ||
829 | |||
830 | static int ipip_err(struct sk_buff *skb, u32 info) | ||
831 | { | ||
832 | - | ||
833 | -/* All the routers (except for Linux) return only | ||
834 | - 8 bytes of packet payload. It means, that precise relaying of | ||
835 | - ICMP in the real Internet is absolutely infeasible. | ||
836 | - */ | ||
837 | + /* All the routers (except for Linux) return only | ||
838 | + * 8 bytes of packet payload. It means, that precise relaying of | ||
839 | + * ICMP in the real Internet is absolutely infeasible. | ||
840 | + */ | ||
841 | struct net *net = dev_net(skb->dev); | ||
842 | struct ip_tunnel_net *itn = net_generic(net, ipip_net_id); | ||
843 | const struct iphdr *iph = (const struct iphdr *)skb->data; | ||
844 | - struct ip_tunnel *t; | ||
845 | - int err; | ||
846 | const int type = icmp_hdr(skb)->type; | ||
847 | const int code = icmp_hdr(skb)->code; | ||
848 | + struct ip_tunnel *t; | ||
849 | + int err = 0; | ||
850 | + | ||
851 | + switch (type) { | ||
852 | + case ICMP_DEST_UNREACH: | ||
853 | + switch (code) { | ||
854 | + case ICMP_SR_FAILED: | ||
855 | + /* Impossible event. */ | ||
856 | + goto out; | ||
857 | + default: | ||
858 | + /* All others are translated to HOST_UNREACH. | ||
859 | + * rfc2003 contains "deep thoughts" about NET_UNREACH, | ||
860 | + * I believe they are just ether pollution. --ANK | ||
861 | + */ | ||
862 | + break; | ||
863 | + } | ||
864 | + break; | ||
865 | + | ||
866 | + case ICMP_TIME_EXCEEDED: | ||
867 | + if (code != ICMP_EXC_TTL) | ||
868 | + goto out; | ||
869 | + break; | ||
870 | + | ||
871 | + case ICMP_REDIRECT: | ||
872 | + break; | ||
873 | + | ||
874 | + default: | ||
875 | + goto out; | ||
876 | + } | ||
877 | |||
878 | - err = -ENOENT; | ||
879 | t = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, | ||
880 | iph->daddr, iph->saddr, 0); | ||
881 | - if (!t) | ||
882 | + if (!t) { | ||
883 | + err = -ENOENT; | ||
884 | goto out; | ||
885 | + } | ||
886 | |||
887 | if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { | ||
888 | - ipv4_update_pmtu(skb, dev_net(skb->dev), info, | ||
889 | - t->parms.link, 0, iph->protocol, 0); | ||
890 | - err = 0; | ||
891 | + ipv4_update_pmtu(skb, net, info, t->parms.link, 0, | ||
892 | + iph->protocol, 0); | ||
893 | goto out; | ||
894 | } | ||
895 | |||
896 | if (type == ICMP_REDIRECT) { | ||
897 | - ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, | ||
898 | - iph->protocol, 0); | ||
899 | - err = 0; | ||
900 | + ipv4_redirect(skb, net, t->parms.link, 0, iph->protocol, 0); | ||
901 | goto out; | ||
902 | } | ||
903 | |||
904 | - if (t->parms.iph.daddr == 0) | ||
905 | + if (t->parms.iph.daddr == 0) { | ||
906 | + err = -ENOENT; | ||
907 | goto out; | ||
908 | + } | ||
909 | |||
910 | - err = 0; | ||
911 | if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED) | ||
912 | goto out; | ||
913 | |||
914 | diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c | ||
915 | index b6f710d515d0..0597ad73a1fa 100644 | ||
916 | --- a/net/ipv4/syncookies.c | ||
917 | +++ b/net/ipv4/syncookies.c | ||
918 | @@ -354,7 +354,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) | ||
919 | /* We throwed the options of the initial SYN away, so we hope | ||
920 | * the ACK carries the same options again (see RFC1122 4.2.3.8) | ||
921 | */ | ||
922 | - ireq->opt = tcp_v4_save_options(skb); | ||
923 | + RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(skb)); | ||
924 | |||
925 | if (security_inet_conn_request(sk, skb, req)) { | ||
926 | reqsk_free(req); | ||
927 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c | ||
928 | index c03850771a4e..8fcd0c642742 100644 | ||
929 | --- a/net/ipv4/tcp_input.c | ||
930 | +++ b/net/ipv4/tcp_input.c | ||
931 | @@ -6237,7 +6237,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, | ||
932 | struct inet_request_sock *ireq = inet_rsk(req); | ||
933 | |||
934 | kmemcheck_annotate_bitfield(ireq, flags); | ||
935 | - ireq->opt = NULL; | ||
936 | + ireq->ireq_opt = NULL; | ||
937 | #if IS_ENABLED(CONFIG_IPV6) | ||
938 | ireq->pktopts = NULL; | ||
939 | #endif | ||
940 | diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c | ||
941 | index 6988566dc72f..d577ec07a0d8 100644 | ||
942 | --- a/net/ipv4/tcp_ipv4.c | ||
943 | +++ b/net/ipv4/tcp_ipv4.c | ||
944 | @@ -861,7 +861,7 @@ static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst, | ||
945 | |||
946 | err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr, | ||
947 | ireq->ir_rmt_addr, | ||
948 | - ireq->opt); | ||
949 | + ireq_opt_deref(ireq)); | ||
950 | err = net_xmit_eval(err); | ||
951 | } | ||
952 | |||
953 | @@ -873,7 +873,7 @@ static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst, | ||
954 | */ | ||
955 | static void tcp_v4_reqsk_destructor(struct request_sock *req) | ||
956 | { | ||
957 | - kfree(inet_rsk(req)->opt); | ||
958 | + kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1)); | ||
959 | } | ||
960 | |||
961 | #ifdef CONFIG_TCP_MD5SIG | ||
962 | @@ -1199,7 +1199,7 @@ static void tcp_v4_init_req(struct request_sock *req, | ||
963 | |||
964 | sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); | ||
965 | sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); | ||
966 | - ireq->opt = tcp_v4_save_options(skb); | ||
967 | + RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(skb)); | ||
968 | } | ||
969 | |||
970 | static struct dst_entry *tcp_v4_route_req(const struct sock *sk, | ||
971 | @@ -1295,10 +1295,9 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, | ||
972 | sk_daddr_set(newsk, ireq->ir_rmt_addr); | ||
973 | sk_rcv_saddr_set(newsk, ireq->ir_loc_addr); | ||
974 | newsk->sk_bound_dev_if = ireq->ir_iif; | ||
975 | - newinet->inet_saddr = ireq->ir_loc_addr; | ||
976 | - inet_opt = ireq->opt; | ||
977 | - rcu_assign_pointer(newinet->inet_opt, inet_opt); | ||
978 | - ireq->opt = NULL; | ||
979 | + newinet->inet_saddr = ireq->ir_loc_addr; | ||
980 | + inet_opt = rcu_dereference(ireq->ireq_opt); | ||
981 | + RCU_INIT_POINTER(newinet->inet_opt, inet_opt); | ||
982 | newinet->mc_index = inet_iif(skb); | ||
983 | newinet->mc_ttl = ip_hdr(skb)->ttl; | ||
984 | newinet->rcv_tos = ip_hdr(skb)->tos; | ||
985 | @@ -1346,9 +1345,12 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, | ||
986 | if (__inet_inherit_port(sk, newsk) < 0) | ||
987 | goto put_and_exit; | ||
988 | *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash)); | ||
989 | - if (*own_req) | ||
990 | + if (likely(*own_req)) { | ||
991 | tcp_move_syn(newtp, req); | ||
992 | - | ||
993 | + ireq->ireq_opt = NULL; | ||
994 | + } else { | ||
995 | + newinet->inet_opt = NULL; | ||
996 | + } | ||
997 | return newsk; | ||
998 | |||
999 | exit_overflow: | ||
1000 | @@ -1359,6 +1361,7 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, | ||
1001 | tcp_listendrop(sk); | ||
1002 | return NULL; | ||
1003 | put_and_exit: | ||
1004 | + newinet->inet_opt = NULL; | ||
1005 | inet_csk_prepare_forced_close(newsk); | ||
1006 | tcp_done(newsk); | ||
1007 | goto exit; | ||
1008 | diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c | ||
1009 | index 85920707c4d3..566b43afe378 100644 | ||
1010 | --- a/net/ipv4/tcp_output.c | ||
1011 | +++ b/net/ipv4/tcp_output.c | ||
1012 | @@ -1996,6 +1996,7 @@ static int tcp_mtu_probe(struct sock *sk) | ||
1013 | nskb->ip_summed = skb->ip_summed; | ||
1014 | |||
1015 | tcp_insert_write_queue_before(nskb, skb, sk); | ||
1016 | + tcp_highest_sack_replace(sk, skb, nskb); | ||
1017 | |||
1018 | len = 0; | ||
1019 | tcp_for_write_queue_from_safe(skb, next, sk) { | ||
1020 | @@ -2535,7 +2536,7 @@ static void tcp_collapse_retrans(struct sock *sk, struct sk_buff *skb) | ||
1021 | |||
1022 | BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1); | ||
1023 | |||
1024 | - tcp_highest_sack_combine(sk, next_skb, skb); | ||
1025 | + tcp_highest_sack_replace(sk, next_skb, skb); | ||
1026 | |||
1027 | tcp_unlink_write_queue(next_skb, sk); | ||
1028 | |||
1029 | diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c | ||
1030 | index 4363b1e89bdf..bef4a94ce1a0 100644 | ||
1031 | --- a/net/ipv4/udp.c | ||
1032 | +++ b/net/ipv4/udp.c | ||
1033 | @@ -222,10 +222,7 @@ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot, | ||
1034 | } | ||
1035 | } | ||
1036 | |||
1037 | - /* Initial allocation may have already happened via setsockopt */ | ||
1038 | - if (!rcu_access_pointer(sk->sk_reuseport_cb)) | ||
1039 | - return reuseport_alloc(sk); | ||
1040 | - return 0; | ||
1041 | + return reuseport_alloc(sk); | ||
1042 | } | ||
1043 | |||
1044 | /** | ||
1045 | diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c | ||
1046 | index 0932c85b42af..6401574cd638 100644 | ||
1047 | --- a/net/ipv4/udp_offload.c | ||
1048 | +++ b/net/ipv4/udp_offload.c | ||
1049 | @@ -122,7 +122,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb, | ||
1050 | * will be using a length value equal to only one MSS sized | ||
1051 | * segment instead of the entire frame. | ||
1052 | */ | ||
1053 | - if (gso_partial) { | ||
1054 | + if (gso_partial && skb_is_gso(skb)) { | ||
1055 | uh->len = htons(skb_shinfo(skb)->gso_size + | ||
1056 | SKB_GSO_CB(skb)->data_offset + | ||
1057 | skb->head - (unsigned char *)uh); | ||
1058 | diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c | ||
1059 | index cc101b1be903..a4fb90c4819f 100644 | ||
1060 | --- a/net/ipv6/addrconf.c | ||
1061 | +++ b/net/ipv6/addrconf.c | ||
1062 | @@ -3299,6 +3299,7 @@ static void addrconf_permanent_addr(struct net_device *dev) | ||
1063 | if ((ifp->flags & IFA_F_PERMANENT) && | ||
1064 | fixup_permanent_addr(idev, ifp) < 0) { | ||
1065 | write_unlock_bh(&idev->lock); | ||
1066 | + in6_ifa_hold(ifp); | ||
1067 | ipv6_del_addr(ifp); | ||
1068 | write_lock_bh(&idev->lock); | ||
1069 | |||
1070 | diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c | ||
1071 | index b912f0dbaf72..b82e439804d1 100644 | ||
1072 | --- a/net/ipv6/ip6_flowlabel.c | ||
1073 | +++ b/net/ipv6/ip6_flowlabel.c | ||
1074 | @@ -315,6 +315,7 @@ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, | ||
1075 | } | ||
1076 | opt_space->dst1opt = fopt->dst1opt; | ||
1077 | opt_space->opt_flen = fopt->opt_flen; | ||
1078 | + opt_space->tot_len = fopt->tot_len; | ||
1079 | return opt_space; | ||
1080 | } | ||
1081 | EXPORT_SYMBOL_GPL(fl6_merge_options); | ||
1082 | diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c | ||
1083 | index 41c10486cf7e..e9b14e3493f2 100644 | ||
1084 | --- a/net/ipv6/ip6_gre.c | ||
1085 | +++ b/net/ipv6/ip6_gre.c | ||
1086 | @@ -408,13 +408,16 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, | ||
1087 | case ICMPV6_DEST_UNREACH: | ||
1088 | net_dbg_ratelimited("%s: Path to destination invalid or inactive!\n", | ||
1089 | t->parms.name); | ||
1090 | - break; | ||
1091 | + if (code != ICMPV6_PORT_UNREACH) | ||
1092 | + break; | ||
1093 | + return; | ||
1094 | case ICMPV6_TIME_EXCEED: | ||
1095 | if (code == ICMPV6_EXC_HOPLIMIT) { | ||
1096 | net_dbg_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n", | ||
1097 | t->parms.name); | ||
1098 | + break; | ||
1099 | } | ||
1100 | - break; | ||
1101 | + return; | ||
1102 | case ICMPV6_PARAMPROB: | ||
1103 | teli = 0; | ||
1104 | if (code == ICMPV6_HDR_FIELD) | ||
1105 | @@ -430,7 +433,7 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, | ||
1106 | net_dbg_ratelimited("%s: Recipient unable to parse tunneled packet!\n", | ||
1107 | t->parms.name); | ||
1108 | } | ||
1109 | - break; | ||
1110 | + return; | ||
1111 | case ICMPV6_PKT_TOOBIG: | ||
1112 | mtu = be32_to_cpu(info) - offset - t->tun_hlen; | ||
1113 | if (t->dev->type == ARPHRD_ETHER) | ||
1114 | @@ -438,7 +441,7 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, | ||
1115 | if (mtu < IPV6_MIN_MTU) | ||
1116 | mtu = IPV6_MIN_MTU; | ||
1117 | t->dev->mtu = mtu; | ||
1118 | - break; | ||
1119 | + return; | ||
1120 | } | ||
1121 | |||
1122 | if (time_before(jiffies, t->err_time + IP6TUNNEL_ERR_TIMEO)) | ||
1123 | @@ -505,8 +508,8 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, | ||
1124 | __u32 *pmtu, __be16 proto) | ||
1125 | { | ||
1126 | struct ip6_tnl *tunnel = netdev_priv(dev); | ||
1127 | - __be16 protocol = (dev->type == ARPHRD_ETHER) ? | ||
1128 | - htons(ETH_P_TEB) : proto; | ||
1129 | + struct dst_entry *dst = skb_dst(skb); | ||
1130 | + __be16 protocol; | ||
1131 | |||
1132 | if (dev->type == ARPHRD_ETHER) | ||
1133 | IPCB(skb)->flags = 0; | ||
1134 | @@ -520,9 +523,14 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, | ||
1135 | tunnel->o_seqno++; | ||
1136 | |||
1137 | /* Push GRE header. */ | ||
1138 | + protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto; | ||
1139 | gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags, | ||
1140 | protocol, tunnel->parms.o_key, htonl(tunnel->o_seqno)); | ||
1141 | |||
1142 | + /* TooBig packet may have updated dst->dev's mtu */ | ||
1143 | + if (dst && dst_mtu(dst) > dst->dev->mtu) | ||
1144 | + dst->ops->update_pmtu(dst, NULL, skb, dst->dev->mtu); | ||
1145 | + | ||
1146 | return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu, | ||
1147 | NEXTHDR_GRE); | ||
1148 | } | ||
1149 | diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c | ||
1150 | index 424fbe1f8978..649f4d87b318 100644 | ||
1151 | --- a/net/ipv6/ip6_offload.c | ||
1152 | +++ b/net/ipv6/ip6_offload.c | ||
1153 | @@ -105,7 +105,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, | ||
1154 | |||
1155 | for (skb = segs; skb; skb = skb->next) { | ||
1156 | ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff); | ||
1157 | - if (gso_partial) | ||
1158 | + if (gso_partial && skb_is_gso(skb)) | ||
1159 | payload_len = skb_shinfo(skb)->gso_size + | ||
1160 | SKB_GSO_CB(skb)->data_offset + | ||
1161 | skb->head - (unsigned char *)(ipv6h + 1); | ||
1162 | diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c | ||
1163 | index e0236e902ea7..6e01c9a8dfd3 100644 | ||
1164 | --- a/net/ipv6/ip6_output.c | ||
1165 | +++ b/net/ipv6/ip6_output.c | ||
1166 | @@ -1215,11 +1215,11 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork, | ||
1167 | if (WARN_ON(v6_cork->opt)) | ||
1168 | return -EINVAL; | ||
1169 | |||
1170 | - v6_cork->opt = kzalloc(opt->tot_len, sk->sk_allocation); | ||
1171 | + v6_cork->opt = kzalloc(sizeof(*opt), sk->sk_allocation); | ||
1172 | if (unlikely(!v6_cork->opt)) | ||
1173 | return -ENOBUFS; | ||
1174 | |||
1175 | - v6_cork->opt->tot_len = opt->tot_len; | ||
1176 | + v6_cork->opt->tot_len = sizeof(*opt); | ||
1177 | v6_cork->opt->opt_flen = opt->opt_flen; | ||
1178 | v6_cork->opt->opt_nflen = opt->opt_nflen; | ||
1179 | |||
1180 | diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c | ||
1181 | index 1696f1fd5877..163f1fa53917 100644 | ||
1182 | --- a/net/l2tp/l2tp_ppp.c | ||
1183 | +++ b/net/l2tp/l2tp_ppp.c | ||
1184 | @@ -993,6 +993,9 @@ static int pppol2tp_session_ioctl(struct l2tp_session *session, | ||
1185 | session->name, cmd, arg); | ||
1186 | |||
1187 | sk = ps->sock; | ||
1188 | + if (!sk) | ||
1189 | + return -EBADR; | ||
1190 | + | ||
1191 | sock_hold(sk); | ||
1192 | |||
1193 | switch (cmd) { | ||
1194 | diff --git a/net/mac80211/key.c b/net/mac80211/key.c | ||
1195 | index edd6f2945f69..4c625a325ce2 100644 | ||
1196 | --- a/net/mac80211/key.c | ||
1197 | +++ b/net/mac80211/key.c | ||
1198 | @@ -4,7 +4,7 @@ | ||
1199 | * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> | ||
1200 | * Copyright 2007-2008 Johannes Berg <johannes@sipsolutions.net> | ||
1201 | * Copyright 2013-2014 Intel Mobile Communications GmbH | ||
1202 | - * Copyright 2015 Intel Deutschland GmbH | ||
1203 | + * Copyright 2015-2017 Intel Deutschland GmbH | ||
1204 | * | ||
1205 | * This program is free software; you can redistribute it and/or modify | ||
1206 | * it under the terms of the GNU General Public License version 2 as | ||
1207 | @@ -19,6 +19,7 @@ | ||
1208 | #include <linux/slab.h> | ||
1209 | #include <linux/export.h> | ||
1210 | #include <net/mac80211.h> | ||
1211 | +#include <crypto/algapi.h> | ||
1212 | #include <asm/unaligned.h> | ||
1213 | #include "ieee80211_i.h" | ||
1214 | #include "driver-ops.h" | ||
1215 | @@ -608,6 +609,39 @@ void ieee80211_key_free_unused(struct ieee80211_key *key) | ||
1216 | ieee80211_key_free_common(key); | ||
1217 | } | ||
1218 | |||
1219 | +static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, | ||
1220 | + struct ieee80211_key *old, | ||
1221 | + struct ieee80211_key *new) | ||
1222 | +{ | ||
1223 | + u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; | ||
1224 | + u8 *tk_old, *tk_new; | ||
1225 | + | ||
1226 | + if (!old || new->conf.keylen != old->conf.keylen) | ||
1227 | + return false; | ||
1228 | + | ||
1229 | + tk_old = old->conf.key; | ||
1230 | + tk_new = new->conf.key; | ||
1231 | + | ||
1232 | + /* | ||
1233 | + * In station mode, don't compare the TX MIC key, as it's never used | ||
1234 | + * and offloaded rekeying may not care to send it to the host. This | ||
1235 | + * is the case in iwlwifi, for example. | ||
1236 | + */ | ||
1237 | + if (sdata->vif.type == NL80211_IFTYPE_STATION && | ||
1238 | + new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && | ||
1239 | + new->conf.keylen == WLAN_KEY_LEN_TKIP && | ||
1240 | + !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { | ||
1241 | + memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); | ||
1242 | + memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); | ||
1243 | + memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); | ||
1244 | + memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); | ||
1245 | + tk_old = tkip_old; | ||
1246 | + tk_new = tkip_new; | ||
1247 | + } | ||
1248 | + | ||
1249 | + return !crypto_memneq(tk_old, tk_new, new->conf.keylen); | ||
1250 | +} | ||
1251 | + | ||
1252 | int ieee80211_key_link(struct ieee80211_key *key, | ||
1253 | struct ieee80211_sub_if_data *sdata, | ||
1254 | struct sta_info *sta) | ||
1255 | @@ -619,9 +653,6 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
1256 | |||
1257 | pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; | ||
1258 | idx = key->conf.keyidx; | ||
1259 | - key->local = sdata->local; | ||
1260 | - key->sdata = sdata; | ||
1261 | - key->sta = sta; | ||
1262 | |||
1263 | mutex_lock(&sdata->local->key_mtx); | ||
1264 | |||
1265 | @@ -632,6 +663,20 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
1266 | else | ||
1267 | old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); | ||
1268 | |||
1269 | + /* | ||
1270 | + * Silently accept key re-installation without really installing the | ||
1271 | + * new version of the key to avoid nonce reuse or replay issues. | ||
1272 | + */ | ||
1273 | + if (ieee80211_key_identical(sdata, old_key, key)) { | ||
1274 | + ieee80211_key_free_unused(key); | ||
1275 | + ret = 0; | ||
1276 | + goto out; | ||
1277 | + } | ||
1278 | + | ||
1279 | + key->local = sdata->local; | ||
1280 | + key->sdata = sdata; | ||
1281 | + key->sta = sta; | ||
1282 | + | ||
1283 | increment_tailroom_need_count(sdata); | ||
1284 | |||
1285 | ieee80211_key_replace(sdata, sta, pairwise, old_key, key); | ||
1286 | @@ -647,6 +692,7 @@ int ieee80211_key_link(struct ieee80211_key *key, | ||
1287 | ret = 0; | ||
1288 | } | ||
1289 | |||
1290 | + out: | ||
1291 | mutex_unlock(&sdata->local->key_mtx); | ||
1292 | |||
1293 | return ret; | ||
1294 | diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c | ||
1295 | index ed9ce7c63252..750b8bf13e60 100644 | ||
1296 | --- a/net/netfilter/nf_conntrack_core.c | ||
1297 | +++ b/net/netfilter/nf_conntrack_core.c | ||
1298 | @@ -689,7 +689,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, | ||
1299 | |||
1300 | l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); | ||
1301 | if (l4proto->allow_clash && | ||
1302 | - !nfct_nat(ct) && | ||
1303 | + ((ct->status & IPS_NAT_DONE_MASK) == 0) && | ||
1304 | !nf_ct_is_dying(ct) && | ||
1305 | atomic_inc_not_zero(&ct->ct_general.use)) { | ||
1306 | nf_ct_acct_merge(ct, ctinfo, (struct nf_conn *)skb->nfct); | ||
1307 | diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c | ||
1308 | index 2916f4815c9c..624d6e4dcd5c 100644 | ||
1309 | --- a/net/netfilter/nf_nat_core.c | ||
1310 | +++ b/net/netfilter/nf_nat_core.c | ||
1311 | @@ -30,19 +30,17 @@ | ||
1312 | #include <net/netfilter/nf_conntrack_zones.h> | ||
1313 | #include <linux/netfilter/nf_nat.h> | ||
1314 | |||
1315 | +static DEFINE_SPINLOCK(nf_nat_lock); | ||
1316 | + | ||
1317 | static DEFINE_MUTEX(nf_nat_proto_mutex); | ||
1318 | static const struct nf_nat_l3proto __rcu *nf_nat_l3protos[NFPROTO_NUMPROTO] | ||
1319 | __read_mostly; | ||
1320 | static const struct nf_nat_l4proto __rcu **nf_nat_l4protos[NFPROTO_NUMPROTO] | ||
1321 | __read_mostly; | ||
1322 | |||
1323 | -struct nf_nat_conn_key { | ||
1324 | - const struct net *net; | ||
1325 | - const struct nf_conntrack_tuple *tuple; | ||
1326 | - const struct nf_conntrack_zone *zone; | ||
1327 | -}; | ||
1328 | - | ||
1329 | -static struct rhltable nf_nat_bysource_table; | ||
1330 | +static struct hlist_head *nf_nat_bysource __read_mostly; | ||
1331 | +static unsigned int nf_nat_htable_size __read_mostly; | ||
1332 | +static unsigned int nf_nat_hash_rnd __read_mostly; | ||
1333 | |||
1334 | inline const struct nf_nat_l3proto * | ||
1335 | __nf_nat_l3proto_find(u8 family) | ||
1336 | @@ -121,17 +119,19 @@ int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family) | ||
1337 | EXPORT_SYMBOL(nf_xfrm_me_harder); | ||
1338 | #endif /* CONFIG_XFRM */ | ||
1339 | |||
1340 | -static u32 nf_nat_bysource_hash(const void *data, u32 len, u32 seed) | ||
1341 | +/* We keep an extra hash for each conntrack, for fast searching. */ | ||
1342 | +static inline unsigned int | ||
1343 | +hash_by_src(const struct net *n, const struct nf_conntrack_tuple *tuple) | ||
1344 | { | ||
1345 | - const struct nf_conntrack_tuple *t; | ||
1346 | - const struct nf_conn *ct = data; | ||
1347 | + unsigned int hash; | ||
1348 | + | ||
1349 | + get_random_once(&nf_nat_hash_rnd, sizeof(nf_nat_hash_rnd)); | ||
1350 | |||
1351 | - t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; | ||
1352 | /* Original src, to ensure we map it consistently if poss. */ | ||
1353 | + hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32), | ||
1354 | + tuple->dst.protonum ^ nf_nat_hash_rnd ^ net_hash_mix(n)); | ||
1355 | |||
1356 | - seed ^= net_hash_mix(nf_ct_net(ct)); | ||
1357 | - return jhash2((const u32 *)&t->src, sizeof(t->src) / sizeof(u32), | ||
1358 | - t->dst.protonum ^ seed); | ||
1359 | + return reciprocal_scale(hash, nf_nat_htable_size); | ||
1360 | } | ||
1361 | |||
1362 | /* Is this tuple already taken? (not by us) */ | ||
1363 | @@ -187,28 +187,6 @@ same_src(const struct nf_conn *ct, | ||
1364 | t->src.u.all == tuple->src.u.all); | ||
1365 | } | ||
1366 | |||
1367 | -static int nf_nat_bysource_cmp(struct rhashtable_compare_arg *arg, | ||
1368 | - const void *obj) | ||
1369 | -{ | ||
1370 | - const struct nf_nat_conn_key *key = arg->key; | ||
1371 | - const struct nf_conn *ct = obj; | ||
1372 | - | ||
1373 | - if (!same_src(ct, key->tuple) || | ||
1374 | - !net_eq(nf_ct_net(ct), key->net) || | ||
1375 | - !nf_ct_zone_equal(ct, key->zone, IP_CT_DIR_ORIGINAL)) | ||
1376 | - return 1; | ||
1377 | - | ||
1378 | - return 0; | ||
1379 | -} | ||
1380 | - | ||
1381 | -static struct rhashtable_params nf_nat_bysource_params = { | ||
1382 | - .head_offset = offsetof(struct nf_conn, nat_bysource), | ||
1383 | - .obj_hashfn = nf_nat_bysource_hash, | ||
1384 | - .obj_cmpfn = nf_nat_bysource_cmp, | ||
1385 | - .nelem_hint = 256, | ||
1386 | - .min_size = 1024, | ||
1387 | -}; | ||
1388 | - | ||
1389 | /* Only called for SRC manip */ | ||
1390 | static int | ||
1391 | find_appropriate_src(struct net *net, | ||
1392 | @@ -219,26 +197,22 @@ find_appropriate_src(struct net *net, | ||
1393 | struct nf_conntrack_tuple *result, | ||
1394 | const struct nf_nat_range *range) | ||
1395 | { | ||
1396 | + unsigned int h = hash_by_src(net, tuple); | ||
1397 | const struct nf_conn *ct; | ||
1398 | - struct nf_nat_conn_key key = { | ||
1399 | - .net = net, | ||
1400 | - .tuple = tuple, | ||
1401 | - .zone = zone | ||
1402 | - }; | ||
1403 | - struct rhlist_head *hl, *h; | ||
1404 | - | ||
1405 | - hl = rhltable_lookup(&nf_nat_bysource_table, &key, | ||
1406 | - nf_nat_bysource_params); | ||
1407 | |||
1408 | - rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) { | ||
1409 | - nf_ct_invert_tuplepr(result, | ||
1410 | - &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
1411 | - result->dst = tuple->dst; | ||
1412 | - | ||
1413 | - if (in_range(l3proto, l4proto, result, range)) | ||
1414 | - return 1; | ||
1415 | + hlist_for_each_entry_rcu(ct, &nf_nat_bysource[h], nat_bysource) { | ||
1416 | + if (same_src(ct, tuple) && | ||
1417 | + net_eq(net, nf_ct_net(ct)) && | ||
1418 | + nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) { | ||
1419 | + /* Copy source part from reply tuple. */ | ||
1420 | + nf_ct_invert_tuplepr(result, | ||
1421 | + &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
1422 | + result->dst = tuple->dst; | ||
1423 | + | ||
1424 | + if (in_range(l3proto, l4proto, result, range)) | ||
1425 | + return 1; | ||
1426 | + } | ||
1427 | } | ||
1428 | - | ||
1429 | return 0; | ||
1430 | } | ||
1431 | |||
1432 | @@ -411,6 +385,7 @@ nf_nat_setup_info(struct nf_conn *ct, | ||
1433 | const struct nf_nat_range *range, | ||
1434 | enum nf_nat_manip_type maniptype) | ||
1435 | { | ||
1436 | + struct net *net = nf_ct_net(ct); | ||
1437 | struct nf_conntrack_tuple curr_tuple, new_tuple; | ||
1438 | struct nf_conn_nat *nat; | ||
1439 | |||
1440 | @@ -452,19 +427,16 @@ nf_nat_setup_info(struct nf_conn *ct, | ||
1441 | } | ||
1442 | |||
1443 | if (maniptype == NF_NAT_MANIP_SRC) { | ||
1444 | - struct nf_nat_conn_key key = { | ||
1445 | - .net = nf_ct_net(ct), | ||
1446 | - .tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, | ||
1447 | - .zone = nf_ct_zone(ct), | ||
1448 | - }; | ||
1449 | - int err; | ||
1450 | - | ||
1451 | - err = rhltable_insert_key(&nf_nat_bysource_table, | ||
1452 | - &key, | ||
1453 | - &ct->nat_bysource, | ||
1454 | - nf_nat_bysource_params); | ||
1455 | - if (err) | ||
1456 | - return NF_DROP; | ||
1457 | + unsigned int srchash; | ||
1458 | + | ||
1459 | + srchash = hash_by_src(net, | ||
1460 | + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | ||
1461 | + spin_lock_bh(&nf_nat_lock); | ||
1462 | + /* nf_conntrack_alter_reply might re-allocate extension aera */ | ||
1463 | + nat = nfct_nat(ct); | ||
1464 | + hlist_add_head_rcu(&ct->nat_bysource, | ||
1465 | + &nf_nat_bysource[srchash]); | ||
1466 | + spin_unlock_bh(&nf_nat_lock); | ||
1467 | } | ||
1468 | |||
1469 | /* It's done. */ | ||
1470 | @@ -550,10 +522,6 @@ struct nf_nat_proto_clean { | ||
1471 | static int nf_nat_proto_remove(struct nf_conn *i, void *data) | ||
1472 | { | ||
1473 | const struct nf_nat_proto_clean *clean = data; | ||
1474 | - struct nf_conn_nat *nat = nfct_nat(i); | ||
1475 | - | ||
1476 | - if (!nat) | ||
1477 | - return 0; | ||
1478 | |||
1479 | if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) || | ||
1480 | (clean->l4proto && nf_ct_protonum(i) != clean->l4proto)) | ||
1481 | @@ -564,12 +532,10 @@ static int nf_nat_proto_remove(struct nf_conn *i, void *data) | ||
1482 | |||
1483 | static int nf_nat_proto_clean(struct nf_conn *ct, void *data) | ||
1484 | { | ||
1485 | - struct nf_conn_nat *nat = nfct_nat(ct); | ||
1486 | - | ||
1487 | if (nf_nat_proto_remove(ct, data)) | ||
1488 | return 1; | ||
1489 | |||
1490 | - if (!nat) | ||
1491 | + if ((ct->status & IPS_SRC_NAT_DONE) == 0) | ||
1492 | return 0; | ||
1493 | |||
1494 | /* This netns is being destroyed, and conntrack has nat null binding. | ||
1495 | @@ -578,9 +544,10 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data) | ||
1496 | * Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack() | ||
1497 | * will delete entry from already-freed table. | ||
1498 | */ | ||
1499 | + spin_lock_bh(&nf_nat_lock); | ||
1500 | + hlist_del_rcu(&ct->nat_bysource); | ||
1501 | ct->status &= ~IPS_NAT_DONE_MASK; | ||
1502 | - rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource, | ||
1503 | - nf_nat_bysource_params); | ||
1504 | + spin_unlock_bh(&nf_nat_lock); | ||
1505 | |||
1506 | /* don't delete conntrack. Although that would make things a lot | ||
1507 | * simpler, we'd end up flushing all conntracks on nat rmmod. | ||
1508 | @@ -705,13 +672,11 @@ EXPORT_SYMBOL_GPL(nf_nat_l3proto_unregister); | ||
1509 | /* No one using conntrack by the time this called. */ | ||
1510 | static void nf_nat_cleanup_conntrack(struct nf_conn *ct) | ||
1511 | { | ||
1512 | - struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT); | ||
1513 | - | ||
1514 | - if (!nat) | ||
1515 | - return; | ||
1516 | - | ||
1517 | - rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource, | ||
1518 | - nf_nat_bysource_params); | ||
1519 | + if (ct->status & IPS_SRC_NAT_DONE) { | ||
1520 | + spin_lock_bh(&nf_nat_lock); | ||
1521 | + hlist_del_rcu(&ct->nat_bysource); | ||
1522 | + spin_unlock_bh(&nf_nat_lock); | ||
1523 | + } | ||
1524 | } | ||
1525 | |||
1526 | static struct nf_ct_ext_type nat_extend __read_mostly = { | ||
1527 | @@ -846,13 +811,16 @@ static int __init nf_nat_init(void) | ||
1528 | { | ||
1529 | int ret; | ||
1530 | |||
1531 | - ret = rhltable_init(&nf_nat_bysource_table, &nf_nat_bysource_params); | ||
1532 | - if (ret) | ||
1533 | - return ret; | ||
1534 | + /* Leave them the same for the moment. */ | ||
1535 | + nf_nat_htable_size = nf_conntrack_htable_size; | ||
1536 | + | ||
1537 | + nf_nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size, 0); | ||
1538 | + if (!nf_nat_bysource) | ||
1539 | + return -ENOMEM; | ||
1540 | |||
1541 | ret = nf_ct_extend_register(&nat_extend); | ||
1542 | if (ret < 0) { | ||
1543 | - rhltable_destroy(&nf_nat_bysource_table); | ||
1544 | + nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size); | ||
1545 | printk(KERN_ERR "nf_nat_core: Unable to register extension\n"); | ||
1546 | return ret; | ||
1547 | } | ||
1548 | @@ -876,7 +844,7 @@ static int __init nf_nat_init(void) | ||
1549 | return 0; | ||
1550 | |||
1551 | cleanup_extend: | ||
1552 | - rhltable_destroy(&nf_nat_bysource_table); | ||
1553 | + nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size); | ||
1554 | nf_ct_extend_unregister(&nat_extend); | ||
1555 | return ret; | ||
1556 | } | ||
1557 | @@ -896,8 +864,8 @@ static void __exit nf_nat_cleanup(void) | ||
1558 | |||
1559 | for (i = 0; i < NFPROTO_NUMPROTO; i++) | ||
1560 | kfree(nf_nat_l4protos[i]); | ||
1561 | - | ||
1562 | - rhltable_destroy(&nf_nat_bysource_table); | ||
1563 | + synchronize_net(); | ||
1564 | + nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size); | ||
1565 | } | ||
1566 | |||
1567 | MODULE_LICENSE("GPL"); | ||
1568 | diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c | ||
1569 | index 2a5775f8a6ca..a1dca3b169a1 100644 | ||
1570 | --- a/net/netlink/af_netlink.c | ||
1571 | +++ b/net/netlink/af_netlink.c | ||
1572 | @@ -2207,16 +2207,17 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, | ||
1573 | cb->min_dump_alloc = control->min_dump_alloc; | ||
1574 | cb->skb = skb; | ||
1575 | |||
1576 | + if (cb->start) { | ||
1577 | + ret = cb->start(cb); | ||
1578 | + if (ret) | ||
1579 | + goto error_unlock; | ||
1580 | + } | ||
1581 | + | ||
1582 | nlk->cb_running = true; | ||
1583 | |||
1584 | mutex_unlock(nlk->cb_mutex); | ||
1585 | |||
1586 | - ret = 0; | ||
1587 | - if (cb->start) | ||
1588 | - ret = cb->start(cb); | ||
1589 | - | ||
1590 | - if (!ret) | ||
1591 | - ret = netlink_dump(sk); | ||
1592 | + ret = netlink_dump(sk); | ||
1593 | |||
1594 | sock_put(sk); | ||
1595 | |||
1596 | diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c | ||
1597 | index b17f9097c6fe..e7f6657269e0 100644 | ||
1598 | --- a/net/packet/af_packet.c | ||
1599 | +++ b/net/packet/af_packet.c | ||
1600 | @@ -1720,7 +1720,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) | ||
1601 | |||
1602 | out: | ||
1603 | if (err && rollover) { | ||
1604 | - kfree(rollover); | ||
1605 | + kfree_rcu(rollover, rcu); | ||
1606 | po->rollover = NULL; | ||
1607 | } | ||
1608 | mutex_unlock(&fanout_mutex); | ||
1609 | @@ -1747,8 +1747,10 @@ static struct packet_fanout *fanout_release(struct sock *sk) | ||
1610 | else | ||
1611 | f = NULL; | ||
1612 | |||
1613 | - if (po->rollover) | ||
1614 | + if (po->rollover) { | ||
1615 | kfree_rcu(po->rollover, rcu); | ||
1616 | + po->rollover = NULL; | ||
1617 | + } | ||
1618 | } | ||
1619 | mutex_unlock(&fanout_mutex); | ||
1620 | |||
1621 | @@ -3851,6 +3853,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, | ||
1622 | void *data = &val; | ||
1623 | union tpacket_stats_u st; | ||
1624 | struct tpacket_rollover_stats rstats; | ||
1625 | + struct packet_rollover *rollover; | ||
1626 | |||
1627 | if (level != SOL_PACKET) | ||
1628 | return -ENOPROTOOPT; | ||
1629 | @@ -3929,13 +3932,18 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, | ||
1630 | 0); | ||
1631 | break; | ||
1632 | case PACKET_ROLLOVER_STATS: | ||
1633 | - if (!po->rollover) | ||
1634 | + rcu_read_lock(); | ||
1635 | + rollover = rcu_dereference(po->rollover); | ||
1636 | + if (rollover) { | ||
1637 | + rstats.tp_all = atomic_long_read(&rollover->num); | ||
1638 | + rstats.tp_huge = atomic_long_read(&rollover->num_huge); | ||
1639 | + rstats.tp_failed = atomic_long_read(&rollover->num_failed); | ||
1640 | + data = &rstats; | ||
1641 | + lv = sizeof(rstats); | ||
1642 | + } | ||
1643 | + rcu_read_unlock(); | ||
1644 | + if (!rollover) | ||
1645 | return -EINVAL; | ||
1646 | - rstats.tp_all = atomic_long_read(&po->rollover->num); | ||
1647 | - rstats.tp_huge = atomic_long_read(&po->rollover->num_huge); | ||
1648 | - rstats.tp_failed = atomic_long_read(&po->rollover->num_failed); | ||
1649 | - data = &rstats; | ||
1650 | - lv = sizeof(rstats); | ||
1651 | break; | ||
1652 | case PACKET_TX_HAS_OFF: | ||
1653 | val = po->tp_tx_has_off; | ||
1654 | diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c | ||
1655 | index 195a3b2d9afc..ea13df1be067 100644 | ||
1656 | --- a/net/sched/sch_api.c | ||
1657 | +++ b/net/sched/sch_api.c | ||
1658 | @@ -296,6 +296,8 @@ struct Qdisc *qdisc_lookup(struct net_device *dev, u32 handle) | ||
1659 | { | ||
1660 | struct Qdisc *q; | ||
1661 | |||
1662 | + if (!handle) | ||
1663 | + return NULL; | ||
1664 | q = qdisc_match_from_root(dev->qdisc, handle); | ||
1665 | if (q) | ||
1666 | goto out; | ||
1667 | diff --git a/net/sctp/input.c b/net/sctp/input.c | ||
1668 | index 6c79915c7dbc..68b84d3a7cac 100644 | ||
1669 | --- a/net/sctp/input.c | ||
1670 | +++ b/net/sctp/input.c | ||
1671 | @@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock *sk, struct sctp_transport *t, | ||
1672 | { | ||
1673 | struct dst_entry *dst; | ||
1674 | |||
1675 | - if (!t) | ||
1676 | + if (sock_owned_by_user(sk) || !t) | ||
1677 | return; | ||
1678 | dst = sctp_transport_dst_check(t); | ||
1679 | if (dst) | ||
1680 | diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c | ||
1681 | index ca4a63e3eadd..f7f00d012888 100644 | ||
1682 | --- a/net/sctp/ipv6.c | ||
1683 | +++ b/net/sctp/ipv6.c | ||
1684 | @@ -881,8 +881,10 @@ static int sctp_inet6_bind_verify(struct sctp_sock *opt, union sctp_addr *addr) | ||
1685 | net = sock_net(&opt->inet.sk); | ||
1686 | rcu_read_lock(); | ||
1687 | dev = dev_get_by_index_rcu(net, addr->v6.sin6_scope_id); | ||
1688 | - if (!dev || | ||
1689 | - !ipv6_chk_addr(net, &addr->v6.sin6_addr, dev, 0)) { | ||
1690 | + if (!dev || !(opt->inet.freebind || | ||
1691 | + net->ipv6.sysctl.ip_nonlocal_bind || | ||
1692 | + ipv6_chk_addr(net, &addr->v6.sin6_addr, | ||
1693 | + dev, 0))) { | ||
1694 | rcu_read_unlock(); | ||
1695 | return 0; | ||
1696 | } | ||
1697 | diff --git a/net/sctp/socket.c b/net/sctp/socket.c | ||
1698 | index 3ef725229449..ffcc8aa78db7 100644 | ||
1699 | --- a/net/sctp/socket.c | ||
1700 | +++ b/net/sctp/socket.c | ||
1701 | @@ -168,6 +168,36 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk) | ||
1702 | sk_mem_charge(sk, chunk->skb->truesize); | ||
1703 | } | ||
1704 | |||
1705 | +static void sctp_clear_owner_w(struct sctp_chunk *chunk) | ||
1706 | +{ | ||
1707 | + skb_orphan(chunk->skb); | ||
1708 | +} | ||
1709 | + | ||
1710 | +static void sctp_for_each_tx_datachunk(struct sctp_association *asoc, | ||
1711 | + void (*cb)(struct sctp_chunk *)) | ||
1712 | + | ||
1713 | +{ | ||
1714 | + struct sctp_outq *q = &asoc->outqueue; | ||
1715 | + struct sctp_transport *t; | ||
1716 | + struct sctp_chunk *chunk; | ||
1717 | + | ||
1718 | + list_for_each_entry(t, &asoc->peer.transport_addr_list, transports) | ||
1719 | + list_for_each_entry(chunk, &t->transmitted, transmitted_list) | ||
1720 | + cb(chunk); | ||
1721 | + | ||
1722 | + list_for_each_entry(chunk, &q->retransmit, list) | ||
1723 | + cb(chunk); | ||
1724 | + | ||
1725 | + list_for_each_entry(chunk, &q->sacked, list) | ||
1726 | + cb(chunk); | ||
1727 | + | ||
1728 | + list_for_each_entry(chunk, &q->abandoned, list) | ||
1729 | + cb(chunk); | ||
1730 | + | ||
1731 | + list_for_each_entry(chunk, &q->out_chunk_list, list) | ||
1732 | + cb(chunk); | ||
1733 | +} | ||
1734 | + | ||
1735 | /* Verify that this is a valid address. */ | ||
1736 | static inline int sctp_verify_addr(struct sock *sk, union sctp_addr *addr, | ||
1737 | int len) | ||
1738 | @@ -7826,7 +7856,9 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, | ||
1739 | * paths won't try to lock it and then oldsk. | ||
1740 | */ | ||
1741 | lock_sock_nested(newsk, SINGLE_DEPTH_NESTING); | ||
1742 | + sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w); | ||
1743 | sctp_assoc_migrate(assoc, newsk); | ||
1744 | + sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w); | ||
1745 | |||
1746 | /* If the association on the newsk is already closed before accept() | ||
1747 | * is called, set RCV_SHUTDOWN flag. | ||
1748 | diff --git a/net/unix/diag.c b/net/unix/diag.c | ||
1749 | index 4d9679701a6d..384c84e83462 100644 | ||
1750 | --- a/net/unix/diag.c | ||
1751 | +++ b/net/unix/diag.c | ||
1752 | @@ -257,6 +257,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, | ||
1753 | err = -ENOENT; | ||
1754 | if (sk == NULL) | ||
1755 | goto out_nosk; | ||
1756 | + if (!net_eq(sock_net(sk), net)) | ||
1757 | + goto out; | ||
1758 | |||
1759 | err = sock_diag_check_cookie(sk, req->udiag_cookie); | ||
1760 | if (err) | ||
1761 | diff --git a/security/keys/Kconfig b/security/keys/Kconfig | ||
1762 | index e0a39781b10f..0832f6368955 100644 | ||
1763 | --- a/security/keys/Kconfig | ||
1764 | +++ b/security/keys/Kconfig | ||
1765 | @@ -20,6 +20,10 @@ config KEYS | ||
1766 | |||
1767 | If you are unsure as to whether this is required, answer N. | ||
1768 | |||
1769 | +config KEYS_COMPAT | ||
1770 | + def_bool y | ||
1771 | + depends on COMPAT && KEYS | ||
1772 | + | ||
1773 | config PERSISTENT_KEYRINGS | ||
1774 | bool "Enable register of persistent per-UID keyrings" | ||
1775 | depends on KEYS | ||
1776 | diff --git a/sound/core/seq/seq_device.c b/sound/core/seq/seq_device.c | ||
1777 | index c4acf17e9f5e..e40a2cba5002 100644 | ||
1778 | --- a/sound/core/seq/seq_device.c | ||
1779 | +++ b/sound/core/seq/seq_device.c | ||
1780 | @@ -148,8 +148,10 @@ void snd_seq_device_load_drivers(void) | ||
1781 | flush_work(&autoload_work); | ||
1782 | } | ||
1783 | EXPORT_SYMBOL(snd_seq_device_load_drivers); | ||
1784 | +#define cancel_autoload_drivers() cancel_work_sync(&autoload_work) | ||
1785 | #else | ||
1786 | #define queue_autoload_drivers() /* NOP */ | ||
1787 | +#define cancel_autoload_drivers() /* NOP */ | ||
1788 | #endif | ||
1789 | |||
1790 | /* | ||
1791 | @@ -159,6 +161,7 @@ static int snd_seq_device_dev_free(struct snd_device *device) | ||
1792 | { | ||
1793 | struct snd_seq_device *dev = device->device_data; | ||
1794 | |||
1795 | + cancel_autoload_drivers(); | ||
1796 | put_device(&dev->dev); | ||
1797 | return 0; | ||
1798 | } |