tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
"Things seem to be settling down as far as networking is concerned,
let's hope this trend continues...

1) Add iov_iter_revert() and use it to fix the behavior of
skb_copy_datagram_msg() et al., from Al Viro.

2) Fix the protocol used in the synthetic SKB we cons up for the
purposes of doing a simulated route lookup for RTM_GETROUTE
requests. From Florian Larysch.

3) Don't add noop_qdisc to the per-device qdisc hashes, from Cong
Wang.

4) Don't call netdev_change_features with the team lock held, from
Xin Long.

5) Revert TCP F-RTO extension to catch more spurious timeouts because
it interacts very badly with some middle-boxes. From Yuchung
Cheng.

6) Fix the loss of error values in l2tp {s,g}etsockopt calls, from
Guillaume Nault.

7) ctnetlink uses bit positions where it should be using bit masks,
fix from Liping Zhang.

8) Missing RCU locking in netfilter helper code, from Gao Feng.

9) Avoid double frees and use-after-frees in tcp_disconnect(), from
Eric Dumazet.

10) Don't do a changelink before we register the netdevice in
bridging, from Ido Schimmel.

11) Lock the ipv6 device address list properly, from Rabin Vincent"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (29 commits)
netfilter: ipt_CLUSTERIP: Fix wrong conntrack netns refcnt usage
netfilter: nft_hash: do not dump the auto generated seed
drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201
ipv6: Fix idev->addr_list corruption
net: xdp: don't export dev_change_xdp_fd()
bridge: netlink: register netdevice before executing changelink
bridge: implement missing ndo_uninit()
bpf: reference may_access_skb() from __bpf_prog_run()
tcp: clear saved_syn in tcp_disconnect()
netfilter: nf_ct_expect: use proper RCU list traversal/update APIs
netfilter: ctnetlink: skip dumping expect when nfct_help(ct) is NULL
netfilter: make it safer during the inet6_dev->addr_list traversal
netfilter: ctnetlink: make it safer when checking the ct helper name
netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find
netfilter: ctnetlink: using bit to represent the ct event
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
net: tcp: Increase TCP_MIB_OUTRSTS even though fail to alloc skb
l2tp: don't mask errors in pppol2tp_getsockopt()
l2tp: don't mask errors in pppol2tp_setsockopt()
tcp: restrict F-RTO to work-around broken middle-boxes
...

Linus Torvalds 7e703ecc 91174391

+238 -91
+1 -1
drivers/net/can/ifi_canfd/ifi_canfd.c
··· 557 557 int work_done = 0; 558 558 559 559 u32 stcmd = readl(priv->base + IFI_CANFD_STCMD); 560 - u32 rxstcmd = readl(priv->base + IFI_CANFD_STCMD); 560 + u32 rxstcmd = readl(priv->base + IFI_CANFD_RXSTCMD); 561 561 u32 errctr = readl(priv->base + IFI_CANFD_ERROR_CTR); 562 562 563 563 /* Handle bus state changes */
+1 -2
drivers/net/can/rcar/rcar_can.c
··· 826 826 827 827 devm_can_led_init(ndev); 828 828 829 - dev_info(&pdev->dev, "device registered (regs @ %p, IRQ%d)\n", 830 - priv->regs, ndev->irq); 829 + dev_info(&pdev->dev, "device registered (IRQ%d)\n", ndev->irq); 831 830 832 831 return 0; 833 832 fail_candev:
+11 -8
drivers/net/team/team.c
··· 990 990 #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ 991 991 NETIF_F_RXCSUM | NETIF_F_ALL_TSO) 992 992 993 - static void ___team_compute_features(struct team *team) 993 + static void __team_compute_features(struct team *team) 994 994 { 995 995 struct team_port *port; 996 996 u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL; ··· 1023 1023 team->dev->priv_flags |= IFF_XMIT_DST_RELEASE; 1024 1024 } 1025 1025 1026 - static void __team_compute_features(struct team *team) 1027 - { 1028 - ___team_compute_features(team); 1029 - netdev_change_features(team->dev); 1030 - } 1031 - 1032 1026 static void team_compute_features(struct team *team) 1033 1027 { 1034 1028 mutex_lock(&team->lock); 1035 - ___team_compute_features(team); 1029 + __team_compute_features(team); 1036 1030 mutex_unlock(&team->lock); 1037 1031 netdev_change_features(team->dev); 1038 1032 } ··· 1635 1641 team_notify_peers_fini(team); 1636 1642 team_queue_override_fini(team); 1637 1643 mutex_unlock(&team->lock); 1644 + netdev_change_features(dev); 1638 1645 } 1639 1646 1640 1647 static void team_destructor(struct net_device *dev) ··· 1923 1928 mutex_lock(&team->lock); 1924 1929 err = team_port_add(team, port_dev); 1925 1930 mutex_unlock(&team->lock); 1931 + 1932 + if (!err) 1933 + netdev_change_features(dev); 1934 + 1926 1935 return err; 1927 1936 } 1928 1937 ··· 1938 1939 mutex_lock(&team->lock); 1939 1940 err = team_port_del(team, port_dev); 1940 1941 mutex_unlock(&team->lock); 1942 + 1943 + if (!err) 1944 + netdev_change_features(dev); 1945 + 1941 1946 return err; 1942 1947 } 1943 1948
+1 -1
drivers/net/usb/qmi_wwan.c
··· 908 908 {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ 909 909 {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ 910 910 {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ 911 - {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ 911 + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */ 912 912 {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ 913 913 {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */ 914 914 {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
+15 -4
drivers/net/usb/usbnet.c
··· 1929 1929 " value=0x%04x index=0x%04x size=%d\n", 1930 1930 cmd, reqtype, value, index, size); 1931 1931 1932 - if (data) { 1932 + if (size) { 1933 1933 buf = kmalloc(size, GFP_KERNEL); 1934 1934 if (!buf) 1935 1935 goto out; ··· 1938 1938 err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0), 1939 1939 cmd, reqtype, value, index, buf, size, 1940 1940 USB_CTRL_GET_TIMEOUT); 1941 - if (err > 0 && err <= size) 1942 - memcpy(data, buf, err); 1941 + if (err > 0 && err <= size) { 1942 + if (data) 1943 + memcpy(data, buf, err); 1944 + else 1945 + netdev_dbg(dev->net, 1946 + "Huh? Data requested but thrown away.\n"); 1947 + } 1943 1948 kfree(buf); 1944 1949 out: 1945 1950 return err; ··· 1965 1960 buf = kmemdup(data, size, GFP_KERNEL); 1966 1961 if (!buf) 1967 1962 goto out; 1968 - } 1963 + } else { 1964 + if (size) { 1965 + WARN_ON_ONCE(1); 1966 + err = -EINVAL; 1967 + goto out; 1968 + } 1969 + } 1969 1970 1970 1971 err = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), 1971 1972 cmd, reqtype, value, index, buf, size,
+5 -1
include/linux/uio.h
··· 39 39 }; 40 40 union { 41 41 unsigned long nr_segs; 42 - int idx; 42 + struct { 43 + int idx; 44 + int start_idx; 45 + }; 43 46 }; 44 47 }; 45 48 ··· 84 81 size_t iov_iter_copy_from_user_atomic(struct page *page, 85 82 struct iov_iter *i, unsigned long offset, size_t bytes); 86 83 void iov_iter_advance(struct iov_iter *i, size_t bytes); 84 + void iov_iter_revert(struct iov_iter *i, size_t bytes); 87 85 int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes); 88 86 size_t iov_iter_single_seg_count(const struct iov_iter *i); 89 87 size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+6 -6
kernel/bpf/core.c
··· 1162 1162 LD_ABS_W: /* BPF_R0 = ntohl(*(u32 *) (skb->data + imm32)) */ 1163 1163 off = IMM; 1164 1164 load_word: 1165 - /* BPF_LD + BPD_ABS and BPF_LD + BPF_IND insns are 1166 - * only appearing in the programs where ctx == 1167 - * skb. All programs keep 'ctx' in regs[BPF_REG_CTX] 1168 - * == BPF_R6, bpf_convert_filter() saves it in BPF_R6, 1169 - * internal BPF verifier will check that BPF_R6 == 1170 - * ctx. 1165 + /* BPF_LD + BPD_ABS and BPF_LD + BPF_IND insns are only 1166 + * appearing in the programs where ctx == skb 1167 + * (see may_access_skb() in the verifier). All programs 1168 + * keep 'ctx' in regs[BPF_REG_CTX] == BPF_R6, 1169 + * bpf_convert_filter() saves it in BPF_R6, internal BPF 1170 + * verifier will check that BPF_R6 == ctx. 1171 1171 * 1172 1172 * BPF_ABS and BPF_IND are wrappers of function calls, 1173 1173 * so they scratch BPF_R1-BPF_R5 registers, preserve
+63
lib/iov_iter.c
··· 786 786 } 787 787 EXPORT_SYMBOL(iov_iter_advance); 788 788 789 + void iov_iter_revert(struct iov_iter *i, size_t unroll) 790 + { 791 + if (!unroll) 792 + return; 793 + i->count += unroll; 794 + if (unlikely(i->type & ITER_PIPE)) { 795 + struct pipe_inode_info *pipe = i->pipe; 796 + int idx = i->idx; 797 + size_t off = i->iov_offset; 798 + while (1) { 799 + size_t n = off - pipe->bufs[idx].offset; 800 + if (unroll < n) { 801 + off -= (n - unroll); 802 + break; 803 + } 804 + unroll -= n; 805 + if (!unroll && idx == i->start_idx) { 806 + off = 0; 807 + break; 808 + } 809 + if (!idx--) 810 + idx = pipe->buffers - 1; 811 + off = pipe->bufs[idx].offset + pipe->bufs[idx].len; 812 + } 813 + i->iov_offset = off; 814 + i->idx = idx; 815 + pipe_truncate(i); 816 + return; 817 + } 818 + if (unroll <= i->iov_offset) { 819 + i->iov_offset -= unroll; 820 + return; 821 + } 822 + unroll -= i->iov_offset; 823 + if (i->type & ITER_BVEC) { 824 + const struct bio_vec *bvec = i->bvec; 825 + while (1) { 826 + size_t n = (--bvec)->bv_len; 827 + i->nr_segs++; 828 + if (unroll <= n) { 829 + i->bvec = bvec; 830 + i->iov_offset = n - unroll; 831 + return; 832 + } 833 + unroll -= n; 834 + } 835 + } else { /* same logics for iovec and kvec */ 836 + const struct iovec *iov = i->iov; 837 + while (1) { 838 + size_t n = (--iov)->iov_len; 839 + i->nr_segs++; 840 + if (unroll <= n) { 841 + i->iov = iov; 842 + i->iov_offset = n - unroll; 843 + return; 844 + } 845 + unroll -= n; 846 + } 847 + } 848 + } 849 + EXPORT_SYMBOL(iov_iter_revert); 850 + 789 851 /* 790 852 * Return the count of just the current iov_iter segment. 791 853 */ ··· 901 839 i->idx = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1); 902 840 i->iov_offset = 0; 903 841 i->count = count; 842 + i->start_idx = i->idx; 904 843 } 905 844 EXPORT_SYMBOL(iov_iter_pipe); 906 845
+11 -9
net/bridge/br_device.c
··· 119 119 return err; 120 120 } 121 121 122 + static void br_dev_uninit(struct net_device *dev) 123 + { 124 + struct net_bridge *br = netdev_priv(dev); 125 + 126 + br_multicast_uninit_stats(br); 127 + br_vlan_flush(br); 128 + free_percpu(br->stats); 129 + } 130 + 122 131 static int br_dev_open(struct net_device *dev) 123 132 { 124 133 struct net_bridge *br = netdev_priv(dev); ··· 341 332 .ndo_open = br_dev_open, 342 333 .ndo_stop = br_dev_stop, 343 334 .ndo_init = br_dev_init, 335 + .ndo_uninit = br_dev_uninit, 344 336 .ndo_start_xmit = br_dev_xmit, 345 337 .ndo_get_stats64 = br_get_stats64, 346 338 .ndo_set_mac_address = br_set_mac_address, ··· 366 356 .ndo_features_check = passthru_features_check, 367 357 }; 368 358 369 - static void br_dev_free(struct net_device *dev) 370 - { 371 - struct net_bridge *br = netdev_priv(dev); 372 - 373 - free_percpu(br->stats); 374 - free_netdev(dev); 375 - } 376 - 377 359 static struct device_type br_type = { 378 360 .name = "bridge", 379 361 }; ··· 378 376 ether_setup(dev); 379 377 380 378 dev->netdev_ops = &br_netdev_ops; 381 - dev->destructor = br_dev_free; 379 + dev->destructor = free_netdev; 382 380 dev->ethtool_ops = &br_ethtool_ops; 383 381 SET_NETDEV_DEVTYPE(dev, &br_type); 384 382 dev->priv_flags = IFF_EBRIDGE | IFF_NO_QUEUE;
-1
net/bridge/br_if.c
··· 311 311 312 312 br_fdb_delete_by_port(br, NULL, 0, 1); 313 313 314 - br_vlan_flush(br); 315 314 br_multicast_dev_del(br); 316 315 cancel_delayed_work_sync(&br->gc_work); 317 316
+5 -2
net/bridge/br_multicast.c
··· 2031 2031 2032 2032 out: 2033 2033 spin_unlock_bh(&br->multicast_lock); 2034 - 2035 - free_percpu(br->mcast_stats); 2036 2034 } 2037 2035 2038 2036 int br_multicast_set_router(struct net_bridge *br, unsigned long val) ··· 2527 2529 return -ENOMEM; 2528 2530 2529 2531 return 0; 2532 + } 2533 + 2534 + void br_multicast_uninit_stats(struct net_bridge *br) 2535 + { 2536 + free_percpu(br->mcast_stats); 2530 2537 } 2531 2538 2532 2539 static void mcast_stats_add_dir(u64 *dst, u64 *src)
+5 -2
net/bridge/br_netlink.c
··· 1165 1165 spin_unlock_bh(&br->lock); 1166 1166 } 1167 1167 1168 - err = br_changelink(dev, tb, data); 1168 + err = register_netdevice(dev); 1169 1169 if (err) 1170 1170 return err; 1171 1171 1172 - return register_netdevice(dev); 1172 + err = br_changelink(dev, tb, data); 1173 + if (err) 1174 + unregister_netdevice(dev); 1175 + return err; 1173 1176 } 1174 1177 1175 1178 static size_t br_get_size(const struct net_device *brdev)
+5
net/bridge/br_private.h
··· 620 620 void br_multicast_count(struct net_bridge *br, const struct net_bridge_port *p, 621 621 const struct sk_buff *skb, u8 type, u8 dir); 622 622 int br_multicast_init_stats(struct net_bridge *br); 623 + void br_multicast_uninit_stats(struct net_bridge *br); 623 624 void br_multicast_get_stats(const struct net_bridge *br, 624 625 const struct net_bridge_port *p, 625 626 struct br_mcast_stats *dest); ··· 759 758 static inline int br_multicast_init_stats(struct net_bridge *br) 760 759 { 761 760 return 0; 761 + } 762 + 763 + static inline void br_multicast_uninit_stats(struct net_bridge *br) 764 + { 762 765 } 763 766 764 767 static inline int br_multicast_igmp_type(const struct sk_buff *skb)
+14 -9
net/core/datagram.c
··· 398 398 struct iov_iter *to, int len) 399 399 { 400 400 int start = skb_headlen(skb); 401 - int i, copy = start - offset; 401 + int i, copy = start - offset, start_off = offset, n; 402 402 struct sk_buff *frag_iter; 403 403 404 404 trace_skb_copy_datagram_iovec(skb, len); ··· 407 407 if (copy > 0) { 408 408 if (copy > len) 409 409 copy = len; 410 - if (copy_to_iter(skb->data + offset, copy, to) != copy) 410 + n = copy_to_iter(skb->data + offset, copy, to); 411 + offset += n; 412 + if (n != copy) 411 413 goto short_copy; 412 414 if ((len -= copy) == 0) 413 415 return 0; 414 - offset += copy; 415 416 } 416 417 417 418 /* Copy paged appendix. Hmm... why does this look so complicated? */ ··· 426 425 if ((copy = end - offset) > 0) { 427 426 if (copy > len) 428 427 copy = len; 429 - if (copy_page_to_iter(skb_frag_page(frag), 428 + n = copy_page_to_iter(skb_frag_page(frag), 430 429 frag->page_offset + offset - 431 - start, copy, to) != copy) 430 + start, copy, to); 431 + offset += n; 432 + if (n != copy) 432 433 goto short_copy; 433 434 if (!(len -= copy)) 434 435 return 0; 435 - offset += copy; 436 436 } 437 437 start = end; 438 438 } ··· 465 463 */ 466 464 467 465 fault: 466 + iov_iter_revert(to, offset - start_off); 468 467 return -EFAULT; 469 468 470 469 short_copy: ··· 616 613 __wsum *csump) 617 614 { 618 615 int start = skb_headlen(skb); 619 - int i, copy = start - offset; 616 + int i, copy = start - offset, start_off = offset; 620 617 struct sk_buff *frag_iter; 621 618 int pos = 0; 622 619 int n; ··· 626 623 if (copy > len) 627 624 copy = len; 628 625 n = csum_and_copy_to_iter(skb->data + offset, copy, csump, to); 626 + offset += n; 629 627 if (n != copy) 630 628 goto fault; 631 629 if ((len -= copy) == 0) 632 630 return 0; 633 - offset += copy; 634 631 pos = copy; 635 632 } 636 633 ··· 652 649 offset - start, copy, 653 650 &csum2, to); 654 651 kunmap(page); 652 + offset += n; 655 653 if (n != copy) 656 654 goto fault; 657 655 *csump = csum_block_add(*csump, csum2, pos); 658 656 if (!(len -= copy)) 659 657 return 0; 660 - offset += copy; 661 658 pos += copy; 662 659 } 663 660 start = end; ··· 690 687 return 0; 691 688 692 689 fault: 690 + iov_iter_revert(to, offset - start_off); 693 691 return -EFAULT; 694 692 } 695 693 ··· 775 771 } 776 772 return 0; 777 773 csum_error: 774 + iov_iter_revert(&msg->msg_iter, chunk); 778 775 return -EINVAL; 779 776 fault: 780 777 return -EFAULT;
-1
net/core/dev.c
··· 6757 6757 6758 6758 return err; 6759 6759 } 6760 - EXPORT_SYMBOL(dev_change_xdp_fd); 6761 6760 6762 6761 /** 6763 6762 * dev_new_index - allocate an ifindex
+1 -1
net/ipv4/netfilter/ipt_CLUSTERIP.c
··· 461 461 462 462 clusterip_config_put(cipinfo->config); 463 463 464 - nf_ct_netns_get(par->net, par->family); 464 + nf_ct_netns_put(par->net, par->family); 465 465 } 466 466 467 467 #ifdef CONFIG_COMPAT
+1 -1
net/ipv4/route.c
··· 2620 2620 skb_reset_network_header(skb); 2621 2621 2622 2622 /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ 2623 - ip_hdr(skb)->protocol = IPPROTO_ICMP; 2623 + ip_hdr(skb)->protocol = IPPROTO_UDP; 2624 2624 skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); 2625 2625 2626 2626 src = tb[RTA_SRC] ? nla_get_in_addr(tb[RTA_SRC]) : 0;
+1
net/ipv4/tcp.c
··· 2322 2322 tcp_init_send_head(sk); 2323 2323 memset(&tp->rx_opt, 0, sizeof(tp->rx_opt)); 2324 2324 __sk_dst_reset(sk); 2325 + tcp_saved_syn_free(tp); 2325 2326 2326 2327 /* Clean up fastopen related fields */ 2327 2328 tcp_free_fastopen_req(tp);
+12 -8
net/ipv4/tcp_input.c
··· 1935 1935 struct tcp_sock *tp = tcp_sk(sk); 1936 1936 struct net *net = sock_net(sk); 1937 1937 struct sk_buff *skb; 1938 + bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery; 1938 1939 bool is_reneg; /* is receiver reneging on SACKs? */ 1939 1940 bool mark_lost; 1940 1941 ··· 1995 1994 tp->high_seq = tp->snd_nxt; 1996 1995 tcp_ecn_queue_cwr(tp); 1997 1996 1998 - /* F-RTO RFC5682 sec 3.1 step 1 mandates to disable F-RTO 1999 - * if a previous recovery is underway, otherwise it may incorrectly 2000 - * call a timeout spurious if some previously retransmitted packets 2001 - * are s/acked (sec 3.2). We do not apply that retriction since 2002 - * retransmitted skbs are permanently tagged with TCPCB_EVER_RETRANS 2003 - * so FLAG_ORIG_SACK_ACKED is always correct. But we do disable F-RTO 2004 - * on PTMU discovery to avoid sending new data. 1997 + /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous 1998 + * loss recovery is underway except recurring timeout(s) on 1999 + * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing 2000 + * 2001 + * In theory F-RTO can be used repeatedly during loss recovery. 2002 + * In practice this interacts badly with broken middle-boxes that 2003 + * falsely raise the receive window, which results in repeated 2004 + * timeouts and stop-and-go behavior. 2005 2005 */ 2006 - tp->frto = sysctl_tcp_frto && !inet_csk(sk)->icsk_mtup.probe_size; 2006 + tp->frto = sysctl_tcp_frto && 2007 + (new_recovery || icsk->icsk_retransmits) && 2008 + !inet_csk(sk)->icsk_mtup.probe_size; 2007 2009 } 2008 2010 2009 2011 /* If ACK arrived pointing to a remembered SACK, it means that our
+2 -2
net/ipv4/tcp_output.c
··· 2999 2999 { 3000 3000 struct sk_buff *skb; 3001 3001 3002 + TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTRSTS); 3003 + 3002 3004 /* NOTE: No TCP options attached and we never retransmit this. */ 3003 3005 skb = alloc_skb(MAX_TCP_HEADER, priority); 3004 3006 if (!skb) { ··· 3016 3014 /* Send it off. */ 3017 3015 if (tcp_transmit_skb(sk, skb, 0, priority)) 3018 3016 NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTFAILED); 3019 - 3020 - TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTRSTS); 3021 3017 } 3022 3018 3023 3019 /* Send a crossed SYN-ACK during socket establishment.
+7 -4
net/ipv6/addrconf.c
··· 3626 3626 INIT_LIST_HEAD(&del_list); 3627 3627 list_for_each_entry_safe(ifa, tmp, &idev->addr_list, if_list) { 3628 3628 struct rt6_info *rt = NULL; 3629 + bool keep; 3629 3630 3630 3631 addrconf_del_dad_work(ifa); 3632 + 3633 + keep = keep_addr && (ifa->flags & IFA_F_PERMANENT) && 3634 + !addr_is_local(&ifa->addr); 3635 + if (!keep) 3636 + list_move(&ifa->if_list, &del_list); 3631 3637 3632 3638 write_unlock_bh(&idev->lock); 3633 3639 spin_lock_bh(&ifa->lock); 3634 3640 3635 - if (keep_addr && (ifa->flags & IFA_F_PERMANENT) && 3636 - !addr_is_local(&ifa->addr)) { 3641 + if (keep) { 3637 3642 /* set state to skip the notifier below */ 3638 3643 state = INET6_IFADDR_STATE_DEAD; 3639 3644 ifa->state = 0; ··· 3650 3645 } else { 3651 3646 state = ifa->state; 3652 3647 ifa->state = INET6_IFADDR_STATE_DEAD; 3653 - 3654 - list_move(&ifa->if_list, &del_list); 3655 3648 } 3656 3649 3657 3650 spin_unlock_bh(&ifa->lock);
+6 -3
net/l2tp/l2tp_ppp.c
··· 1383 1383 } else 1384 1384 err = pppol2tp_session_setsockopt(sk, session, optname, val); 1385 1385 1386 - err = 0; 1387 - 1388 1386 end_put_sess: 1389 1387 sock_put(sk); 1390 1388 end: ··· 1505 1507 1506 1508 err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val); 1507 1509 sock_put(ps->tunnel_sock); 1508 - } else 1510 + if (err) 1511 + goto end_put_sess; 1512 + } else { 1509 1513 err = pppol2tp_session_getsockopt(sk, session, optname, &val); 1514 + if (err) 1515 + goto end_put_sess; 1516 + } 1510 1517 1511 1518 err = -EFAULT; 1512 1519 if (put_user(len, optlen))
+2 -2
net/netfilter/nf_conntrack_expect.c
··· 57 57 hlist_del_rcu(&exp->hnode); 58 58 net->ct.expect_count--; 59 59 60 - hlist_del(&exp->lnode); 60 + hlist_del_rcu(&exp->lnode); 61 61 master_help->expecting[exp->class]--; 62 62 63 63 nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report); ··· 363 363 /* two references : one for hash insert, one for the timer */ 364 364 atomic_add(2, &exp->use); 365 365 366 - hlist_add_head(&exp->lnode, &master_help->expectations); 366 + hlist_add_head_rcu(&exp->lnode, &master_help->expectations); 367 367 master_help->expecting[exp->class]++; 368 368 369 369 hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]);
+12 -5
net/netfilter/nf_conntrack_helper.c
··· 158 158 { 159 159 struct nf_conntrack_helper *h; 160 160 161 + rcu_read_lock(); 162 + 161 163 h = __nf_conntrack_helper_find(name, l3num, protonum); 162 164 #ifdef CONFIG_MODULES 163 165 if (h == NULL) { 164 - if (request_module("nfct-helper-%s", name) == 0) 166 + rcu_read_unlock(); 167 + if (request_module("nfct-helper-%s", name) == 0) { 168 + rcu_read_lock(); 165 169 h = __nf_conntrack_helper_find(name, l3num, protonum); 170 + } else { 171 + return h; 172 + } 166 173 } 167 174 #endif 168 175 if (h != NULL && !try_module_get(h->me)) 169 176 h = NULL; 177 + 178 + rcu_read_unlock(); 170 179 171 180 return h; 172 181 } ··· 320 311 } 321 312 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_unregister); 322 313 314 + /* Caller should hold the rcu lock */ 323 315 struct nf_ct_helper_expectfn * 324 316 nf_ct_helper_expectfn_find_by_name(const char *name) 325 317 { 326 318 struct nf_ct_helper_expectfn *cur; 327 319 bool found = false; 328 320 329 - rcu_read_lock(); 330 321 list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { 331 322 if (!strcmp(cur->name, name)) { 332 323 found = true; 333 324 break; 334 325 } 335 326 } 336 - rcu_read_unlock(); 337 327 return found ? cur : NULL; 338 328 } 339 329 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_name); 340 330 331 + /* Caller should hold the rcu lock */ 341 332 struct nf_ct_helper_expectfn * 342 333 nf_ct_helper_expectfn_find_by_symbol(const void *symbol) 343 334 { 344 335 struct nf_ct_helper_expectfn *cur; 345 336 bool found = false; 346 337 347 - rcu_read_lock(); 348 338 list_for_each_entry_rcu(cur, &nf_ct_helper_expectfn_list, head) { 349 339 if (cur->expectfn == symbol) { 350 340 found = true; 351 341 break; 352 342 } 353 343 } 354 - rcu_read_unlock(); 355 344 return found ? cur : NULL; 356 345 } 357 346 EXPORT_SYMBOL_GPL(nf_ct_helper_expectfn_find_by_symbol);
+29 -12
net/netfilter/nf_conntrack_netlink.c
··· 1488 1488 * treat the second attempt as a no-op instead of returning 1489 1489 * an error. 1490 1490 */ 1491 - if (help && help->helper && 1492 - !strcmp(help->helper->name, helpname)) 1493 - return 0; 1494 - else 1495 - return -EBUSY; 1491 + err = -EBUSY; 1492 + if (help) { 1493 + rcu_read_lock(); 1494 + helper = rcu_dereference(help->helper); 1495 + if (helper && !strcmp(helper->name, helpname)) 1496 + err = 0; 1497 + rcu_read_unlock(); 1498 + } 1499 + 1500 + return err; 1496 1501 } 1497 1502 1498 1503 if (!strcmp(helpname, "")) { ··· 1934 1929 1935 1930 err = 0; 1936 1931 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1937 - events = IPCT_RELATED; 1932 + events = 1 << IPCT_RELATED; 1938 1933 else 1939 - events = IPCT_NEW; 1934 + events = 1 << IPCT_NEW; 1940 1935 1941 1936 if (cda[CTA_LABELS] && 1942 1937 ctnetlink_attach_labels(ct, cda) == 0) ··· 2680 2675 last = (struct nf_conntrack_expect *)cb->args[1]; 2681 2676 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 2682 2677 restart: 2683 - hlist_for_each_entry(exp, &nf_ct_expect_hash[cb->args[0]], 2684 - hnode) { 2678 + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], 2679 + hnode) { 2685 2680 if (l3proto && exp->tuple.src.l3num != l3proto) 2686 2681 continue; 2687 2682 ··· 2732 2727 rcu_read_lock(); 2733 2728 last = (struct nf_conntrack_expect *)cb->args[1]; 2734 2729 restart: 2735 - hlist_for_each_entry(exp, &help->expectations, lnode) { 2730 + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { 2736 2731 if (l3proto && exp->tuple.src.l3num != l3proto) 2737 2732 continue; 2738 2733 if (cb->args[1]) { ··· 2794 2789 return -ENOENT; 2795 2790 2796 2791 ct = nf_ct_tuplehash_to_ctrack(h); 2792 + /* No expectation linked to this connection tracking. */ 2793 + if (!nfct_help(ct)) { 2794 + nf_ct_put(ct); 2795 + return 0; 2796 + } 2797 + 2797 2798 c.data = ct; 2798 2799 2799 2800 err = netlink_dump_start(ctnl, skb, nlh, &c); ··· 3144 3133 return -ENOENT; 3145 3134 ct = nf_ct_tuplehash_to_ctrack(h); 3146 3135 3136 + rcu_read_lock(); 3147 3137 if (cda[CTA_EXPECT_HELP_NAME]) { 3148 3138 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3149 3139 3150 3140 helper = __nf_conntrack_helper_find(helpname, u3, 3151 3141 nf_ct_protonum(ct)); 3152 3142 if (helper == NULL) { 3143 + rcu_read_unlock(); 3153 3144 #ifdef CONFIG_MODULES 3154 3145 if (request_module("nfct-helper-%s", helpname) < 0) { 3155 3146 err = -EOPNOTSUPP; 3156 3147 goto err_ct; 3157 3148 } 3149 + rcu_read_lock(); 3158 3150 helper = __nf_conntrack_helper_find(helpname, u3, 3159 3151 nf_ct_protonum(ct)); 3160 3152 if (helper) { 3161 3153 err = -EAGAIN; 3162 - goto err_ct; 3154 + goto err_rcu; 3163 3155 } 3156 + rcu_read_unlock(); 3164 3157 #endif 3165 3158 err = -EOPNOTSUPP; 3166 3159 goto err_ct; ··· 3174 3159 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); 3175 3160 if (IS_ERR(exp)) { 3176 3161 err = PTR_ERR(exp); 3177 - goto err_ct; 3162 + goto err_rcu; 3178 3163 } 3179 3164 3180 3165 err = nf_ct_expect_related_report(exp, portid, report); 3181 3166 nf_ct_expect_put(exp); 3167 + err_rcu: 3168 + rcu_read_unlock(); 3182 3169 err_ct: 3183 3170 nf_ct_put(ct); 3184 3171 return err;
+2
net/netfilter/nf_nat_redirect.c
··· 101 101 rcu_read_lock(); 102 102 idev = __in6_dev_get(skb->dev); 103 103 if (idev != NULL) { 104 + read_lock_bh(&idev->lock); 104 105 list_for_each_entry(ifa, &idev->addr_list, if_list) { 105 106 newdst = ifa->addr; 106 107 addr = true; 107 108 break; 108 109 } 110 + read_unlock_bh(&idev->lock); 109 111 } 110 112 rcu_read_unlock(); 111 113
+7 -3
net/netfilter/nft_hash.c
··· 21 21 enum nft_registers sreg:8; 22 22 enum nft_registers dreg:8; 23 23 u8 len; 24 + bool autogen_seed:1; 24 25 u32 modulus; 25 26 u32 seed; 26 27 u32 offset; ··· 83 82 if (priv->offset + priv->modulus - 1 < priv->offset) 84 83 return -EOVERFLOW; 85 84 86 - if (tb[NFTA_HASH_SEED]) 85 + if (tb[NFTA_HASH_SEED]) { 87 86 priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED])); 88 - else 87 + } else { 88 + priv->autogen_seed = true; 89 89 get_random_bytes(&priv->seed, sizeof(priv->seed)); 90 + } 90 91 91 92 return nft_validate_register_load(priv->sreg, len) && 92 93 nft_validate_register_store(ctx, priv->dreg, NULL, ··· 108 105 goto nla_put_failure; 109 106 if (nla_put_be32(skb, NFTA_HASH_MODULUS, htonl(priv->modulus))) 110 107 goto nla_put_failure; 111 - if (nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed))) 108 + if (!priv->autogen_seed && 109 + nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed))) 112 110 goto nla_put_failure; 113 111 if (priv->offset != 0) 114 112 if (nla_put_be32(skb, NFTA_HASH_OFFSET, htonl(priv->offset)))
+5 -1
net/netfilter/xt_TCPMSS.c
··· 104 104 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); 105 105 tcp_hdrlen = tcph->doff * 4; 106 106 107 - if (len < tcp_hdrlen) 107 + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) 108 108 return -1; 109 109 110 110 if (info->mss == XT_TCPMSS_CLAMP_PMTU) { ··· 150 150 * itself too large. Accept the packet unmodified instead. 151 151 */ 152 152 if (len > tcp_hdrlen) 153 + return 0; 154 + 155 + /* tcph->doff has 4 bits, do not wrap it to 0 */ 156 + if (tcp_hdrlen >= 15 * 4) 153 157 return 0; 154 158 155 159 /*
+4 -1
net/netfilter/xt_TPROXY.c
··· 393 393 394 394 rcu_read_lock(); 395 395 indev = __in6_dev_get(skb->dev); 396 - if (indev) 396 + if (indev) { 397 + read_lock_bh(&indev->lock); 397 398 list_for_each_entry(ifa, &indev->addr_list, if_list) { 398 399 if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED)) 399 400 continue; ··· 402 401 laddr = &ifa->addr; 403 402 break; 404 403 } 404 + read_unlock_bh(&indev->lock); 405 + } 405 406 rcu_read_unlock(); 406 407 407 408 return laddr ? laddr : daddr;
+1 -1
net/sched/sch_generic.c
··· 794 794 } 795 795 } 796 796 #ifdef CONFIG_NET_SCHED 797 - if (dev->qdisc) 797 + if (dev->qdisc != &noop_qdisc) 798 798 qdisc_hash_add(dev->qdisc); 799 799 #endif 800 800 }
+3
net/sctp/socket.c
··· 7034 7034 if (sock->state != SS_UNCONNECTED) 7035 7035 goto out; 7036 7036 7037 + if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED)) 7038 + goto out; 7039 + 7037 7040 /* If backlog is zero, disable listening. */ 7038 7041 if (!backlog) { 7039 7042 if (sctp_sstate(sk, CLOSED))