Merge tag 'net-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

+8 -3

drivers/bluetooth/btintel.c

··· 251 251 252 252 bt_dev_err(hdev, "Hardware error 0x%2.2x", code); 253 253 254 + hci_req_sync_lock(hdev); 255 + 254 256 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 255 257 if (IS_ERR(skb)) { 256 258 bt_dev_err(hdev, "Reset after hardware error failed (%ld)", 257 259 PTR_ERR(skb)); 258 - return; 260 + goto unlock; 259 261 } 260 262 kfree_skb(skb); 261 263 ··· 265 263 if (IS_ERR(skb)) { 266 264 bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)", 267 265 PTR_ERR(skb)); 268 - return; 266 + goto unlock; 269 267 } 270 268 271 269 if (skb->len != 13) { 272 270 bt_dev_err(hdev, "Exception info size mismatch"); 273 271 kfree_skb(skb); 274 - return; 272 + goto unlock; 275 273 } 276 274 277 275 bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1)); 278 276 279 277 kfree_skb(skb); 278 + 279 + unlock: 280 + hci_req_sync_unlock(hdev); 280 281 } 281 282 EXPORT_SYMBOL_GPL(btintel_hw_error); 282 283

+4 -1

drivers/bluetooth/btusb.c

··· 2376 2376 if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) { 2377 2377 if (hdev->voice_setting & 0x0020) { 2378 2378 static const int alts[3] = { 2, 4, 5 }; 2379 + unsigned int sco_idx; 2379 2380 2380 - new_alts = alts[data->sco_num - 1]; 2381 + sco_idx = min_t(unsigned int, data->sco_num - 1, 2382 + ARRAY_SIZE(alts) - 1); 2383 + new_alts = alts[sco_idx]; 2381 2384 } else { 2382 2385 new_alts = data->sco_num; 2383 2386 }

+2

drivers/bluetooth/hci_ll.c

··· 541 541 if (err || !fw->data || !fw->size) { 542 542 bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s", 543 543 err, bts_scr_name); 544 + if (!err) 545 + release_firmware(fw); 544 546 return -EINVAL; 545 547 } 546 548 ptr = (void *)fw->data;

+3 -1

drivers/net/can/dev/netlink.c

··· 601 601 /* We need synchronization with dev->stop() */ 602 602 ASSERT_RTNL(); 603 603 604 - can_ctrlmode_changelink(dev, data, extack); 604 + err = can_ctrlmode_changelink(dev, data, extack); 605 + if (err) 606 + return err; 605 607 606 608 if (data[IFLA_CAN_BITTIMING]) { 607 609 struct can_bittiming bt;

+24 -5

drivers/net/can/spi/mcp251x.c

··· 1225 1225 } 1226 1226 1227 1227 mutex_lock(&priv->mcp_lock); 1228 - mcp251x_power_enable(priv->transceiver, 1); 1228 + ret = mcp251x_power_enable(priv->transceiver, 1); 1229 + if (ret) { 1230 + dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); 1231 + goto out_close_candev; 1232 + } 1229 1233 1230 1234 priv->force_quit = 0; 1231 1235 priv->tx_skb = NULL; ··· 1276 1272 mcp251x_hw_sleep(spi); 1277 1273 out_close: 1278 1274 mcp251x_power_enable(priv->transceiver, 0); 1275 + out_close_candev: 1279 1276 close_candev(net); 1280 1277 mutex_unlock(&priv->mcp_lock); 1281 1278 if (release_irq) ··· 1521 1516 { 1522 1517 struct spi_device *spi = to_spi_device(dev); 1523 1518 struct mcp251x_priv *priv = spi_get_drvdata(spi); 1519 + int ret = 0; 1524 1520 1525 - if (priv->after_suspend & AFTER_SUSPEND_POWER) 1526 - mcp251x_power_enable(priv->power, 1); 1527 - if (priv->after_suspend & AFTER_SUSPEND_UP) 1528 - mcp251x_power_enable(priv->transceiver, 1); 1521 + if (priv->after_suspend & AFTER_SUSPEND_POWER) { 1522 + ret = mcp251x_power_enable(priv->power, 1); 1523 + if (ret) { 1524 + dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); 1525 + return ret; 1526 + } 1527 + } 1528 + 1529 + if (priv->after_suspend & AFTER_SUSPEND_UP) { 1530 + ret = mcp251x_power_enable(priv->transceiver, 1); 1531 + if (ret) { 1532 + dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); 1533 + if (priv->after_suspend & AFTER_SUSPEND_POWER) 1534 + mcp251x_power_enable(priv->power, 0); 1535 + return ret; 1536 + } 1537 + } 1529 1538 1530 1539 if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) 1531 1540 queue_work(priv->wq, &priv->restart_work);

+2

drivers/net/ethernet/airoha/airoha_ppe.c

··· 227 227 if (!dev) 228 228 return -ENODEV; 229 229 230 + rcu_read_lock(); 230 231 err = dev_fill_forward_path(dev, addr, &stack); 232 + rcu_read_unlock(); 231 233 if (err) 232 234 return err; 233 235

+1 -1

drivers/net/ethernet/broadcom/Kconfig

··· 25 25 select SSB 26 26 select MII 27 27 select PHYLIB 28 - select FIXED_PHY if BCM47XX 28 + select FIXED_PHY 29 29 help 30 30 If you have a network (Ethernet) controller of this type, say Y 31 31 or M here.

+23 -18

drivers/net/ethernet/broadcom/asp2/bcmasp.c

··· 1152 1152 } 1153 1153 } 1154 1154 1155 - static void bcmasp_wol_irq_destroy(struct bcmasp_priv *priv) 1156 - { 1157 - if (priv->wol_irq > 0) 1158 - free_irq(priv->wol_irq, priv); 1159 - } 1160 - 1161 1155 static void bcmasp_eee_fixup(struct bcmasp_intf *intf, bool en) 1162 1156 { 1163 1157 u32 reg, phy_lpi_overwrite; ··· 1249 1255 if (priv->irq <= 0) 1250 1256 return -EINVAL; 1251 1257 1252 - priv->clk = devm_clk_get_optional_enabled(dev, "sw_asp"); 1258 + priv->clk = devm_clk_get_optional(dev, "sw_asp"); 1253 1259 if (IS_ERR(priv->clk)) 1254 1260 return dev_err_probe(dev, PTR_ERR(priv->clk), 1255 1261 "failed to request clock\n"); ··· 1277 1283 1278 1284 bcmasp_set_pdata(priv, pdata); 1279 1285 1286 + ret = clk_prepare_enable(priv->clk); 1287 + if (ret) 1288 + return dev_err_probe(dev, ret, "failed to start clock\n"); 1289 + 1280 1290 /* Enable all clocks to ensure successful probing */ 1281 1291 bcmasp_core_clock_set(priv, ASP_CTRL_CLOCK_CTRL_ASP_ALL_DISABLE, 0); 1282 1292 ··· 1292 1294 1293 1295 ret = devm_request_irq(&pdev->dev, priv->irq, bcmasp_isr, 0, 1294 1296 pdev->name, priv); 1295 - if (ret) 1296 - return dev_err_probe(dev, ret, "failed to request ASP interrupt: %d", ret); 1297 + if (ret) { 1298 + dev_err(dev, "Failed to request ASP interrupt: %d", ret); 1299 + goto err_clock_disable; 1300 + } 1297 1301 1298 1302 /* Register mdio child nodes */ 1299 1303 of_platform_populate(dev->of_node, bcmasp_mdio_of_match, NULL, dev); ··· 1307 1307 1308 1308 priv->mda_filters = devm_kcalloc(dev, priv->num_mda_filters, 1309 1309 sizeof(*priv->mda_filters), GFP_KERNEL); 1310 - if (!priv->mda_filters) 1311 - return -ENOMEM; 1310 + if (!priv->mda_filters) { 1311 + ret = -ENOMEM; 1312 + goto err_clock_disable; 1313 + } 1312 1314 1313 1315 priv->net_filters = devm_kcalloc(dev, priv->num_net_filters, 1314 1316 sizeof(*priv->net_filters), GFP_KERNEL); 1315 - if (!priv->net_filters) 1316 - return -ENOMEM; 1317 + if (!priv->net_filters) { 1318 + ret = -ENOMEM; 1319 + goto err_clock_disable; 1320 + } 1317 1321 1318 1322 bcmasp_core_init_filters(priv); 1319 1323 ··· 1326 1322 ports_node = of_find_node_by_name(dev->of_node, "ethernet-ports"); 1327 1323 if (!ports_node) { 1328 1324 dev_warn(dev, "No ports found\n"); 1329 - return -EINVAL; 1325 + ret = -EINVAL; 1326 + goto err_clock_disable; 1330 1327 } 1331 1328 1332 1329 i = 0; ··· 1349 1344 */ 1350 1345 bcmasp_core_clock_set(priv, 0, ASP_CTRL_CLOCK_CTRL_ASP_ALL_DISABLE); 1351 1346 1352 - clk_disable_unprepare(priv->clk); 1353 - 1354 1347 /* Now do the registration of the network ports which will take care 1355 1348 * of managing the clock properly. 1356 1349 */ ··· 1361 1358 count++; 1362 1359 } 1363 1360 1361 + clk_disable_unprepare(priv->clk); 1362 + 1364 1363 dev_info(dev, "Initialized %d port(s)\n", count); 1365 1364 1366 1365 return ret; 1367 1366 1368 1367 err_cleanup: 1369 - bcmasp_wol_irq_destroy(priv); 1370 1368 bcmasp_remove_intfs(priv); 1369 + err_clock_disable: 1370 + clk_disable_unprepare(priv->clk); 1371 1371 1372 1372 return ret; 1373 1373 } ··· 1382 1376 if (!priv) 1383 1377 return; 1384 1378 1385 - bcmasp_wol_irq_destroy(priv); 1386 1379 bcmasp_remove_intfs(priv); 1387 1380 } 1388 1381

+25 -16

drivers/net/ethernet/cadence/macb_main.c

··· 1071 1071 } 1072 1072 1073 1073 if (tx_skb->skb) { 1074 - napi_consume_skb(tx_skb->skb, budget); 1074 + dev_consume_skb_any(tx_skb->skb); 1075 1075 tx_skb->skb = NULL; 1076 1076 } 1077 1077 } ··· 3224 3224 spin_lock_irq(&bp->stats_lock); 3225 3225 gem_update_stats(bp); 3226 3226 memcpy(data, &bp->ethtool_stats, sizeof(u64) 3227 - * (GEM_STATS_LEN + QUEUE_STATS_LEN * MACB_MAX_QUEUES)); 3227 + * (GEM_STATS_LEN + QUEUE_STATS_LEN * bp->num_queues)); 3228 3228 spin_unlock_irq(&bp->stats_lock); 3229 3229 } 3230 3230 ··· 5776 5776 struct macb_queue *queue; 5777 5777 struct in_device *idev; 5778 5778 unsigned long flags; 5779 + u32 tmp, ifa_local; 5779 5780 unsigned int q; 5780 5781 int err; 5781 - u32 tmp; 5782 5782 5783 5783 if (!device_may_wakeup(&bp->dev->dev)) 5784 5784 phy_exit(bp->phy); ··· 5787 5787 return 0; 5788 5788 5789 5789 if (bp->wol & MACB_WOL_ENABLED) { 5790 - /* Check for IP address in WOL ARP mode */ 5791 - idev = __in_dev_get_rcu(bp->dev); 5792 - if (idev) 5793 - ifa = rcu_dereference(idev->ifa_list); 5794 - if ((bp->wolopts & WAKE_ARP) && !ifa) { 5795 - netdev_err(netdev, "IP address not assigned as required by WoL walk ARP\n"); 5796 - return -EOPNOTSUPP; 5790 + if (bp->wolopts & WAKE_ARP) { 5791 + /* Check for IP address in WOL ARP mode */ 5792 + rcu_read_lock(); 5793 + idev = __in_dev_get_rcu(bp->dev); 5794 + if (idev) 5795 + ifa = rcu_dereference(idev->ifa_list); 5796 + if (!ifa) { 5797 + rcu_read_unlock(); 5798 + netdev_err(netdev, "IP address not assigned as required by WoL walk ARP\n"); 5799 + return -EOPNOTSUPP; 5800 + } 5801 + ifa_local = be32_to_cpu(ifa->ifa_local); 5802 + rcu_read_unlock(); 5797 5803 } 5804 + 5798 5805 spin_lock_irqsave(&bp->lock, flags); 5799 5806 5800 5807 /* Disable Tx and Rx engines before disabling the queues, ··· 5840 5833 if (bp->wolopts & WAKE_ARP) { 5841 5834 tmp |= MACB_BIT(ARP); 5842 5835 /* write IP address into register */ 5843 - tmp |= MACB_BFEXT(IP, be32_to_cpu(ifa->ifa_local)); 5836 + tmp |= MACB_BFEXT(IP, ifa_local); 5844 5837 } 5838 + spin_unlock_irqrestore(&bp->lock, flags); 5845 5839 5846 5840 /* Change interrupt handler and 5847 5841 * Enable WoL IRQ on queue 0 ··· 5855 5847 dev_err(dev, 5856 5848 "Unable to request IRQ %d (error %d)\n", 5857 5849 bp->queues[0].irq, err); 5858 - spin_unlock_irqrestore(&bp->lock, flags); 5859 5850 return err; 5860 5851 } 5852 + spin_lock_irqsave(&bp->lock, flags); 5861 5853 queue_writel(bp->queues, IER, GEM_BIT(WOL)); 5862 5854 gem_writel(bp, WOL, tmp); 5855 + spin_unlock_irqrestore(&bp->lock, flags); 5863 5856 } else { 5864 5857 err = devm_request_irq(dev, bp->queues[0].irq, macb_wol_interrupt, 5865 5858 IRQF_SHARED, netdev->name, bp->queues); ··· 5868 5859 dev_err(dev, 5869 5860 "Unable to request IRQ %d (error %d)\n", 5870 5861 bp->queues[0].irq, err); 5871 - spin_unlock_irqrestore(&bp->lock, flags); 5872 5862 return err; 5873 5863 } 5864 + spin_lock_irqsave(&bp->lock, flags); 5874 5865 queue_writel(bp->queues, IER, MACB_BIT(WOL)); 5875 5866 macb_writel(bp, WOL, tmp); 5867 + spin_unlock_irqrestore(&bp->lock, flags); 5876 5868 } 5877 - spin_unlock_irqrestore(&bp->lock, flags); 5878 5869 5879 5870 enable_irq_wake(bp->queues[0].irq); 5880 5871 } ··· 5941 5932 queue_readl(bp->queues, ISR); 5942 5933 if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE) 5943 5934 queue_writel(bp->queues, ISR, -1); 5935 + spin_unlock_irqrestore(&bp->lock, flags); 5936 + 5944 5937 /* Replace interrupt handler on queue 0 */ 5945 5938 devm_free_irq(dev, bp->queues[0].irq, bp->queues); 5946 5939 err = devm_request_irq(dev, bp->queues[0].irq, macb_interrupt, ··· 5951 5940 dev_err(dev, 5952 5941 "Unable to request IRQ %d (error %d)\n", 5953 5942 bp->queues[0].irq, err); 5954 - spin_unlock_irqrestore(&bp->lock, flags); 5955 5943 return err; 5956 5944 } 5957 - spin_unlock_irqrestore(&bp->lock, flags); 5958 5945 5959 5946 disable_irq_wake(bp->queues[0].irq); 5960 5947

+2

drivers/net/ethernet/freescale/enetc/enetc_ethtool.c

··· 813 813 { 814 814 struct enetc_ndev_priv *priv = netdev_priv(ndev); 815 815 816 + ring->rx_max_pending = priv->rx_bd_count; 817 + ring->tx_max_pending = priv->tx_bd_count; 816 818 ring->rx_pending = priv->rx_bd_count; 817 819 ring->tx_pending = priv->tx_bd_count; 818 820

+15 -16

drivers/net/ethernet/intel/iavf/iavf_ethtool.c

··· 313 313 { 314 314 /* Report the maximum number queues, even if not every queue is 315 315 * currently configured. Since allocation of queues is in pairs, 316 - * use netdev->real_num_tx_queues * 2. The real_num_tx_queues is set 317 - * at device creation and never changes. 316 + * use netdev->num_tx_queues * 2. The num_tx_queues is set at 317 + * device creation and never changes. 318 318 */ 319 319 320 320 if (sset == ETH_SS_STATS) 321 321 return IAVF_STATS_LEN + 322 - (IAVF_QUEUE_STATS_LEN * 2 * 323 - netdev->real_num_tx_queues); 322 + (IAVF_QUEUE_STATS_LEN * 2 * netdev->num_tx_queues); 324 323 else 325 324 return -EINVAL; 326 325 } ··· 344 345 iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats); 345 346 346 347 rcu_read_lock(); 347 - /* As num_active_queues describe both tx and rx queues, we can use 348 - * it to iterate over rings' stats. 348 + /* Use num_tx_queues to report stats for the maximum number of queues. 349 + * Queues beyond num_active_queues will report zero. 349 350 */ 350 - for (i = 0; i < adapter->num_active_queues; i++) { 351 - struct iavf_ring *ring; 351 + for (i = 0; i < netdev->num_tx_queues; i++) { 352 + struct iavf_ring *tx_ring = NULL, *rx_ring = NULL; 352 353 353 - /* Tx rings stats */ 354 - ring = &adapter->tx_rings[i]; 355 - iavf_add_queue_stats(&data, ring); 354 + if (i < adapter->num_active_queues) { 355 + tx_ring = &adapter->tx_rings[i]; 356 + rx_ring = &adapter->rx_rings[i]; 357 + } 356 358 357 - /* Rx rings stats */ 358 - ring = &adapter->rx_rings[i]; 359 - iavf_add_queue_stats(&data, ring); 359 + iavf_add_queue_stats(&data, tx_ring); 360 + iavf_add_queue_stats(&data, rx_ring); 360 361 } 361 362 rcu_read_unlock(); 362 363 } ··· 375 376 iavf_add_stat_strings(&data, iavf_gstrings_stats); 376 377 377 378 /* Queues are always allocated in pairs, so we just use 378 - * real_num_tx_queues for both Tx and Rx queues. 379 + * num_tx_queues for both Tx and Rx queues. 379 380 */ 380 - for (i = 0; i < netdev->real_num_tx_queues; i++) { 381 + for (i = 0; i < netdev->num_tx_queues; i++) { 381 382 iavf_add_stat_strings(&data, iavf_gstrings_queue_stats, 382 383 "tx", i); 383 384 iavf_add_stat_strings(&data, iavf_gstrings_queue_stats,

+22

drivers/net/ethernet/intel/ice/ice.h

··· 840 840 } 841 841 842 842 /** 843 + * ice_get_max_txq - return the maximum number of Tx queues for in a PF 844 + * @pf: PF structure 845 + * 846 + * Return: maximum number of Tx queues 847 + */ 848 + static inline int ice_get_max_txq(struct ice_pf *pf) 849 + { 850 + return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq); 851 + } 852 + 853 + /** 854 + * ice_get_max_rxq - return the maximum number of Rx queues for in a PF 855 + * @pf: PF structure 856 + * 857 + * Return: maximum number of Rx queues 858 + */ 859 + static inline int ice_get_max_rxq(struct ice_pf *pf) 860 + { 861 + return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq); 862 + } 863 + 864 + /** 843 865 * ice_get_main_vsi - Get the PF VSI 844 866 * @pf: PF instance 845 867 *

+11 -21

drivers/net/ethernet/intel/ice/ice_ethtool.c

··· 1930 1930 int i = 0; 1931 1931 char *p; 1932 1932 1933 + if (ice_is_port_repr_netdev(netdev)) { 1934 + ice_update_eth_stats(vsi); 1935 + 1936 + for (j = 0; j < ICE_VSI_STATS_LEN; j++) { 1937 + p = (char *)vsi + ice_gstrings_vsi_stats[j].stat_offset; 1938 + data[i++] = (ice_gstrings_vsi_stats[j].sizeof_stat == 1939 + sizeof(u64)) ? *(u64 *)p : *(u32 *)p; 1940 + } 1941 + return; 1942 + } 1943 + 1933 1944 ice_update_pf_stats(pf); 1934 1945 ice_update_vsi_stats(vsi); 1935 1946 ··· 1949 1938 data[i++] = (ice_gstrings_vsi_stats[j].sizeof_stat == 1950 1939 sizeof(u64)) ? *(u64 *)p : *(u32 *)p; 1951 1940 } 1952 - 1953 - if (ice_is_port_repr_netdev(netdev)) 1954 - return; 1955 1941 1956 1942 /* populate per queue stats */ 1957 1943 rcu_read_lock(); ··· 3779 3771 info->rx_filters = BIT(HWTSTAMP_FILTER_NONE) | BIT(HWTSTAMP_FILTER_ALL); 3780 3772 3781 3773 return 0; 3782 - } 3783 - 3784 - /** 3785 - * ice_get_max_txq - return the maximum number of Tx queues for in a PF 3786 - * @pf: PF structure 3787 - */ 3788 - static int ice_get_max_txq(struct ice_pf *pf) 3789 - { 3790 - return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq); 3791 - } 3792 - 3793 - /** 3794 - * ice_get_max_rxq - return the maximum number of Rx queues for in a PF 3795 - * @pf: PF structure 3796 - */ 3797 - static int ice_get_max_rxq(struct ice_pf *pf) 3798 - { 3799 - return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq); 3800 3774 } 3801 3775 3802 3776 /**

+2 -2

drivers/net/ethernet/intel/ice/ice_main.c

··· 4699 4699 struct net_device *netdev; 4700 4700 u8 mac_addr[ETH_ALEN]; 4701 4701 4702 - netdev = alloc_etherdev_mqs(sizeof(*np), vsi->alloc_txq, 4703 - vsi->alloc_rxq); 4702 + netdev = alloc_etherdev_mqs(sizeof(*np), ice_get_max_txq(vsi->back), 4703 + ice_get_max_rxq(vsi->back)); 4704 4704 if (!netdev) 4705 4705 return -ENOMEM; 4706 4706

+3 -2

drivers/net/ethernet/intel/ice/ice_repr.c

··· 2 2 /* Copyright (C) 2019-2021, Intel Corporation. */ 3 3 4 4 #include "ice.h" 5 + #include "ice_lib.h" 5 6 #include "ice_eswitch.h" 6 7 #include "devlink/devlink.h" 7 8 #include "devlink/port.h" ··· 68 67 return; 69 68 vsi = repr->src_vsi; 70 69 71 - ice_update_vsi_stats(vsi); 70 + ice_update_eth_stats(vsi); 72 71 eth_stats = &vsi->eth_stats; 73 72 74 73 stats->tx_packets = eth_stats->tx_unicast + eth_stats->tx_broadcast + ··· 316 315 317 316 static int ice_repr_ready_vf(struct ice_repr *repr) 318 317 { 319 - return !ice_check_vf_ready_for_cfg(repr->vf); 318 + return ice_check_vf_ready_for_cfg(repr->vf); 320 319 } 321 320 322 321 static int ice_repr_ready_sf(struct ice_repr *repr)

+1 -1

drivers/net/ethernet/intel/idpf/idpf.h

··· 1066 1066 int idpf_idc_init(struct idpf_adapter *adapter); 1067 1067 int idpf_idc_init_aux_core_dev(struct idpf_adapter *adapter, 1068 1068 enum iidc_function_type ftype); 1069 - void idpf_idc_deinit_core_aux_device(struct iidc_rdma_core_dev_info *cdev_info); 1069 + void idpf_idc_deinit_core_aux_device(struct idpf_adapter *adapter); 1070 1070 void idpf_idc_deinit_vport_aux_device(struct iidc_rdma_vport_dev_info *vdev_info); 1071 1071 void idpf_idc_issue_reset_event(struct iidc_rdma_core_dev_info *cdev_info); 1072 1072 void idpf_idc_vdev_mtu_event(struct iidc_rdma_vport_dev_info *vdev_info,

+4 -2

drivers/net/ethernet/intel/idpf/idpf_idc.c

··· 470 470 471 471 /** 472 472 * idpf_idc_deinit_core_aux_device - de-initialize Auxiliary Device(s) 473 - * @cdev_info: IDC core device info pointer 473 + * @adapter: driver private data structure 474 474 */ 475 - void idpf_idc_deinit_core_aux_device(struct iidc_rdma_core_dev_info *cdev_info) 475 + void idpf_idc_deinit_core_aux_device(struct idpf_adapter *adapter) 476 476 { 477 + struct iidc_rdma_core_dev_info *cdev_info = adapter->cdev_info; 477 478 struct iidc_rdma_priv_dev_info *privd; 478 479 479 480 if (!cdev_info) ··· 486 485 kfree(privd->mapped_mem_regions); 487 486 kfree(privd); 488 487 kfree(cdev_info); 488 + adapter->cdev_info = NULL; 489 489 } 490 490 491 491 /**

+1 -1

drivers/net/ethernet/intel/idpf/idpf_txrx.c

··· 1860 1860 idpf_queue_assign(HSPLIT_EN, q, hs); 1861 1861 idpf_queue_assign(RSC_EN, q, rsc); 1862 1862 1863 - bufq_set->num_refillqs = num_rxq; 1864 1863 bufq_set->refillqs = kcalloc(num_rxq, swq_size, 1865 1864 GFP_KERNEL); 1866 1865 if (!bufq_set->refillqs) { 1867 1866 err = -ENOMEM; 1868 1867 goto err_alloc; 1869 1868 } 1869 + bufq_set->num_refillqs = num_rxq; 1870 1870 for (unsigned int k = 0; k < bufq_set->num_refillqs; k++) { 1871 1871 struct idpf_sw_queue *refillq = 1872 1872 &bufq_set->refillqs[k];

+1 -1

drivers/net/ethernet/intel/idpf/idpf_virtchnl.c

··· 3668 3668 3669 3669 idpf_ptp_release(adapter); 3670 3670 idpf_deinit_task(adapter); 3671 - idpf_idc_deinit_core_aux_device(adapter->cdev_info); 3671 + idpf_idc_deinit_core_aux_device(adapter); 3672 3672 idpf_rel_rx_pt_lkup(adapter); 3673 3673 idpf_intr_rel(adapter); 3674 3674

+5

drivers/net/ethernet/microchip/lan743x_main.c

··· 3053 3053 else if (speed == SPEED_100) 3054 3054 mac_cr |= MAC_CR_CFG_L_; 3055 3055 3056 + if (duplex == DUPLEX_FULL) 3057 + mac_cr |= MAC_CR_DPX_; 3058 + else 3059 + mac_cr &= ~MAC_CR_DPX_; 3060 + 3056 3061 lan743x_csr_write(adapter, MAC_CR, mac_cr); 3057 3062 3058 3063 lan743x_ptp_update_latency(adapter, speed);

+4 -2

drivers/net/ethernet/microsoft/mana/mana_en.c

··· 3425 3425 struct auxiliary_device *adev; 3426 3426 struct mana_adev *madev; 3427 3427 int ret; 3428 + int id; 3428 3429 3429 3430 madev = kzalloc_obj(*madev); 3430 3431 if (!madev) ··· 3435 3434 ret = mana_adev_idx_alloc(); 3436 3435 if (ret < 0) 3437 3436 goto idx_fail; 3438 - adev->id = ret; 3437 + id = ret; 3438 + adev->id = id; 3439 3439 3440 3440 adev->name = name; 3441 3441 adev->dev.parent = gd->gdma_context->dev; ··· 3462 3460 auxiliary_device_uninit(adev); 3463 3461 3464 3462 init_fail: 3465 - mana_adev_idx_free(adev->id); 3463 + mana_adev_idx_free(id); 3466 3464 3467 3465 idx_fail: 3468 3466 kfree(madev);

+11 -6

drivers/net/ethernet/pensando/ionic/ionic_lif.c

··· 1719 1719 if (ether_addr_equal(netdev->dev_addr, mac)) 1720 1720 return 0; 1721 1721 1722 - err = ionic_program_mac(lif, mac); 1723 - if (err < 0) 1724 - return err; 1722 + /* Only program macs for virtual functions to avoid losing the permanent 1723 + * Mac across warm reset/reboot. 1724 + */ 1725 + if (lif->ionic->pdev->is_virtfn) { 1726 + err = ionic_program_mac(lif, mac); 1727 + if (err < 0) 1728 + return err; 1725 1729 1726 - if (err > 0) 1727 - netdev_dbg(netdev, "%s: SET and GET ATTR Mac are not equal-due to old FW running\n", 1728 - __func__); 1730 + if (err > 0) 1731 + netdev_dbg(netdev, "%s: SET and GET ATTR Mac are not equal-due to old FW running\n", 1732 + __func__); 1733 + } 1729 1734 1730 1735 err = eth_prepare_mac_addr_change(netdev, addr); 1731 1736 if (err)

+2 -2

drivers/net/ethernet/ti/icssg/icssg_common.c

··· 962 962 pkt_len -= 4; 963 963 cppi5_desc_get_tags_ids(&desc_rx->hdr, &port_id, NULL); 964 964 psdata = cppi5_hdesc_get_psdata(desc_rx); 965 - k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx); 966 965 count++; 967 966 xsk_buff_set_size(xdp, pkt_len); 968 967 xsk_buff_dma_sync_for_cpu(xdp); ··· 987 988 emac_dispatch_skb_zc(emac, xdp, psdata); 988 989 xsk_buff_free(xdp); 989 990 } 991 + k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx); 990 992 } 991 993 992 994 if (xdp_status & ICSSG_XDP_REDIR) ··· 1057 1057 /* firmware adds 4 CRC bytes, strip them */ 1058 1058 pkt_len -= 4; 1059 1059 cppi5_desc_get_tags_ids(&desc_rx->hdr, &port_id, NULL); 1060 - k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx); 1061 1060 1062 1061 /* if allocation fails we drop the packet but push the 1063 1062 * descriptor back to the ring with old page to prevent a stall ··· 1114 1115 ndev->stats.rx_packets++; 1115 1116 1116 1117 requeue: 1118 + k3_cppi_desc_pool_free(rx_chn->desc_pool, desc_rx); 1117 1119 /* queue another RX DMA */ 1118 1120 ret = prueth_dma_rx_push_mapped(emac, &emac->rx_chns, new_page, 1119 1121 PRUETH_MAX_PKT_SIZE);

+64 -1

drivers/net/team/team_core.c

··· 2058 2058 * rt netlink interface 2059 2059 ***********************/ 2060 2060 2061 + /* For tx path we need a linkup && enabled port and for parse any port 2062 + * suffices. 2063 + */ 2064 + static struct team_port *team_header_port_get_rcu(struct team *team, 2065 + bool txable) 2066 + { 2067 + struct team_port *port; 2068 + 2069 + list_for_each_entry_rcu(port, &team->port_list, list) { 2070 + if (!txable || team_port_txable(port)) 2071 + return port; 2072 + } 2073 + 2074 + return NULL; 2075 + } 2076 + 2077 + static int team_header_create(struct sk_buff *skb, struct net_device *team_dev, 2078 + unsigned short type, const void *daddr, 2079 + const void *saddr, unsigned int len) 2080 + { 2081 + struct team *team = netdev_priv(team_dev); 2082 + const struct header_ops *port_ops; 2083 + struct team_port *port; 2084 + int ret = 0; 2085 + 2086 + rcu_read_lock(); 2087 + port = team_header_port_get_rcu(team, true); 2088 + if (port) { 2089 + port_ops = READ_ONCE(port->dev->header_ops); 2090 + if (port_ops && port_ops->create) 2091 + ret = port_ops->create(skb, port->dev, 2092 + type, daddr, saddr, len); 2093 + } 2094 + rcu_read_unlock(); 2095 + return ret; 2096 + } 2097 + 2098 + static int team_header_parse(const struct sk_buff *skb, 2099 + const struct net_device *team_dev, 2100 + unsigned char *haddr) 2101 + { 2102 + struct team *team = netdev_priv(team_dev); 2103 + const struct header_ops *port_ops; 2104 + struct team_port *port; 2105 + int ret = 0; 2106 + 2107 + rcu_read_lock(); 2108 + port = team_header_port_get_rcu(team, false); 2109 + if (port) { 2110 + port_ops = READ_ONCE(port->dev->header_ops); 2111 + if (port_ops && port_ops->parse) 2112 + ret = port_ops->parse(skb, port->dev, haddr); 2113 + } 2114 + rcu_read_unlock(); 2115 + return ret; 2116 + } 2117 + 2118 + static const struct header_ops team_header_ops = { 2119 + .create = team_header_create, 2120 + .parse = team_header_parse, 2121 + }; 2122 + 2061 2123 static void team_setup_by_port(struct net_device *dev, 2062 2124 struct net_device *port_dev) 2063 2125 { ··· 2128 2066 if (port_dev->type == ARPHRD_ETHER) 2129 2067 dev->header_ops = team->header_ops_cache; 2130 2068 else 2131 - dev->header_ops = port_dev->header_ops; 2069 + dev->header_ops = port_dev->header_ops ? 2070 + &team_header_ops : NULL; 2132 2071 dev->type = port_dev->type; 2133 2072 dev->hard_header_len = port_dev->hard_header_len; 2134 2073 dev->needed_headroom = port_dev->needed_headroom;

+1 -1

drivers/net/tun_vnet.h

··· 244 244 245 245 if (virtio_net_hdr_tnl_from_skb(skb, tnl_hdr, has_tnl_offload, 246 246 tun_vnet_is_little_endian(flags), 247 - vlan_hlen, true)) { 247 + vlan_hlen, true, false)) { 248 248 struct virtio_net_hdr_v1 *hdr = &tnl_hdr->hash_hdr.hdr; 249 249 struct skb_shared_info *sinfo = skb_shinfo(skb); 250 250

+6 -1

drivers/net/virtio_net.c

··· 3267 3267 struct virtio_net_hdr_v1_hash_tunnel *hdr; 3268 3268 int num_sg; 3269 3269 unsigned hdr_len = vi->hdr_len; 3270 + bool feature_hdrlen; 3270 3271 bool can_push; 3272 + 3273 + feature_hdrlen = virtio_has_feature(vi->vdev, 3274 + VIRTIO_NET_F_GUEST_HDRLEN); 3271 3275 3272 3276 pr_debug("%s: xmit %p %pM\n", vi->dev->name, skb, dest); 3273 3277 ··· 3292 3288 3293 3289 if (virtio_net_hdr_tnl_from_skb(skb, hdr, vi->tx_tnl, 3294 3290 virtio_is_little_endian(vi->vdev), 0, 3295 - false)) 3291 + false, feature_hdrlen)) 3296 3292 return -EPROTO; 3297 3293 3298 3294 if (vi->mergeable_rx_bufs) ··· 3355 3351 /* Don't wait up for transmitted skbs to be freed. */ 3356 3352 if (!use_napi) { 3357 3353 skb_orphan(skb); 3354 + skb_dst_drop(skb); 3358 3355 nf_reset_ct(skb); 3359 3356 } 3360 3357

+49 -4

include/linux/virtio_net.h

··· 207 207 return __virtio_net_hdr_to_skb(skb, hdr, little_endian, hdr->gso_type); 208 208 } 209 209 210 + /* This function must be called after virtio_net_hdr_from_skb(). */ 211 + static inline void __virtio_net_set_hdrlen(const struct sk_buff *skb, 212 + struct virtio_net_hdr *hdr, 213 + bool little_endian) 214 + { 215 + u16 hdr_len; 216 + 217 + hdr_len = skb_transport_offset(skb); 218 + 219 + if (hdr->gso_type == VIRTIO_NET_HDR_GSO_UDP_L4) 220 + hdr_len += sizeof(struct udphdr); 221 + else 222 + hdr_len += tcp_hdrlen(skb); 223 + 224 + hdr->hdr_len = __cpu_to_virtio16(little_endian, hdr_len); 225 + } 226 + 227 + /* This function must be called after virtio_net_hdr_from_skb(). */ 228 + static inline void __virtio_net_set_tnl_hdrlen(const struct sk_buff *skb, 229 + struct virtio_net_hdr *hdr) 230 + { 231 + u16 hdr_len; 232 + 233 + hdr_len = skb_inner_transport_offset(skb); 234 + 235 + if (hdr->gso_type == VIRTIO_NET_HDR_GSO_UDP_L4) 236 + hdr_len += sizeof(struct udphdr); 237 + else 238 + hdr_len += inner_tcp_hdrlen(skb); 239 + 240 + hdr->hdr_len = __cpu_to_virtio16(true, hdr_len); 241 + } 242 + 210 243 static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb, 211 244 struct virtio_net_hdr *hdr, 212 245 bool little_endian, ··· 418 385 bool tnl_hdr_negotiated, 419 386 bool little_endian, 420 387 int vlan_hlen, 421 - bool has_data_valid) 388 + bool has_data_valid, 389 + bool feature_hdrlen) 422 390 { 423 391 struct virtio_net_hdr *hdr = (struct virtio_net_hdr *)vhdr; 424 392 unsigned int inner_nh, outer_th; ··· 428 394 429 395 tnl_gso_type = skb_shinfo(skb)->gso_type & (SKB_GSO_UDP_TUNNEL | 430 396 SKB_GSO_UDP_TUNNEL_CSUM); 431 - if (!tnl_gso_type) 432 - return virtio_net_hdr_from_skb(skb, hdr, little_endian, 433 - has_data_valid, vlan_hlen); 397 + if (!tnl_gso_type) { 398 + ret = virtio_net_hdr_from_skb(skb, hdr, little_endian, 399 + has_data_valid, vlan_hlen); 400 + if (ret) 401 + return ret; 402 + 403 + if (feature_hdrlen && hdr->hdr_len) 404 + __virtio_net_set_hdrlen(skb, hdr, little_endian); 405 + 406 + return ret; 407 + } 434 408 435 409 /* Tunnel support not negotiated but skb ask for it. */ 436 410 if (!tnl_hdr_negotiated) ··· 455 413 skb_shinfo(skb)->gso_type |= tnl_gso_type; 456 414 if (ret) 457 415 return ret; 416 + 417 + if (feature_hdrlen && hdr->hdr_len) 418 + __virtio_net_set_tnl_hdrlen(skb, hdr); 458 419 459 420 if (skb->protocol == htons(ETH_P_IPV6)) 460 421 hdr->gso_type |= VIRTIO_NET_HDR_GSO_UDP_TUNNEL_IPV6;

+1

include/net/bluetooth/l2cap.h

··· 658 658 struct sk_buff *rx_skb; 659 659 __u32 rx_len; 660 660 struct ida tx_ida; 661 + __u8 tx_ident; 661 662 662 663 struct sk_buff_head pending_rx; 663 664 struct work_struct pending_rx_work;

+1

include/net/codel_impl.h

··· 158 158 bool drop; 159 159 160 160 if (!skb) { 161 + vars->first_above_time = 0; 161 162 vars->dropping = false; 162 163 return skb; 163 164 }

+14

include/net/inet_hashtables.h

··· 264 264 return &hinfo->bhash2[hash & (hinfo->bhash_size - 1)]; 265 265 } 266 266 267 + static inline bool inet_use_hash2_on_bind(const struct sock *sk) 268 + { 269 + #if IS_ENABLED(CONFIG_IPV6) 270 + if (sk->sk_family == AF_INET6) { 271 + if (ipv6_addr_any(&sk->sk_v6_rcv_saddr)) 272 + return false; 273 + 274 + if (!ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr)) 275 + return true; 276 + } 277 + #endif 278 + return sk->sk_rcv_saddr != htonl(INADDR_ANY); 279 + } 280 + 267 281 struct inet_bind_hashbucket * 268 282 inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, int port); 269 283

+20 -1

include/net/ip6_fib.h

··· 507 507 void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info, 508 508 unsigned int flags); 509 509 510 + void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args, 511 + unsigned long now); 510 512 void fib6_run_gc(unsigned long expires, struct net *net, bool force); 511 - 512 513 void fib6_gc_cleanup(void); 513 514 514 515 int fib6_init(void); 515 516 517 + #if IS_ENABLED(CONFIG_IPV6) 516 518 /* Add the route to the gc list if it is not already there 517 519 * 518 520 * The callers should hold f6i->fib6_table->tb6_lock. ··· 546 544 if (!hlist_unhashed(&f6i->gc_link)) 547 545 hlist_del_init(&f6i->gc_link); 548 546 } 547 + 548 + static inline void fib6_may_remove_gc_list(struct net *net, 549 + struct fib6_info *f6i) 550 + { 551 + struct fib6_gc_args gc_args; 552 + 553 + if (hlist_unhashed(&f6i->gc_link)) 554 + return; 555 + 556 + gc_args.timeout = READ_ONCE(net->ipv6.sysctl.ip6_rt_gc_interval); 557 + gc_args.more = 0; 558 + 559 + rcu_read_lock(); 560 + fib6_age_exceptions(f6i, &gc_args, jiffies); 561 + rcu_read_unlock(); 562 + } 563 + #endif 549 564 550 565 struct ipv6_route_iter { 551 566 struct seq_net_private p;

+5

include/net/netfilter/nf_conntrack_core.h

··· 83 83 84 84 extern spinlock_t nf_conntrack_expect_lock; 85 85 86 + static inline void lockdep_nfct_expect_lock_held(void) 87 + { 88 + lockdep_assert_held(&nf_conntrack_expect_lock); 89 + } 90 + 86 91 /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */ 87 92 88 93 static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)

+18 -2

include/net/netfilter/nf_conntrack_expect.h

··· 22 22 /* Hash member */ 23 23 struct hlist_node hnode; 24 24 25 + /* Network namespace */ 26 + possible_net_t net; 27 + 25 28 /* We expect this tuple, with the following mask */ 26 29 struct nf_conntrack_tuple tuple; 27 30 struct nf_conntrack_tuple_mask mask; 28 31 32 + #ifdef CONFIG_NF_CONNTRACK_ZONES 33 + struct nf_conntrack_zone zone; 34 + #endif 29 35 /* Usage count. */ 30 36 refcount_t use; 31 37 ··· 46 40 struct nf_conntrack_expect *this); 47 41 48 42 /* Helper to assign to new connection */ 49 - struct nf_conntrack_helper *helper; 43 + struct nf_conntrack_helper __rcu *helper; 50 44 51 45 /* The conntrack of the master connection */ 52 46 struct nf_conn *master; ··· 68 62 69 63 static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) 70 64 { 71 - return nf_ct_net(exp->master); 65 + return read_pnet(&exp->net); 66 + } 67 + 68 + static inline bool nf_ct_exp_zone_equal_any(const struct nf_conntrack_expect *a, 69 + const struct nf_conntrack_zone *b) 70 + { 71 + #ifdef CONFIG_NF_CONNTRACK_ZONES 72 + return a->zone.id == b->id; 73 + #else 74 + return true; 75 + #endif 72 76 } 73 77 74 78 #define NF_CT_EXP_POLICY_NAME_LEN 16

+1 -1

include/net/netns/xfrm.h

··· 59 59 struct list_head inexact_bins; 60 60 61 61 62 - struct sock *nlsk; 62 + struct sock __rcu *nlsk; 63 63 struct sock *nlsk_stash; 64 64 65 65 u32 sysctl_aevent_etime;

+4

include/uapi/linux/netfilter/nf_conntrack_common.h

··· 159 159 #define NF_CT_EXPECT_INACTIVE 0x2 160 160 #define NF_CT_EXPECT_USERSPACE 0x4 161 161 162 + #ifdef __KERNEL__ 163 + #define NF_CT_EXPECT_MASK (NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE | \ 164 + NF_CT_EXPECT_USERSPACE) 165 + #endif 162 166 163 167 #endif /* _UAPI_NF_CONNTRACK_COMMON_H */

+1 -1

net/bluetooth/hci_conn.c

··· 3095 3095 * hci_connect_le serializes the connection attempts so only one 3096 3096 * connection can be in BT_CONNECT at time. 3097 3097 */ 3098 - if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { 3098 + if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { 3099 3099 switch (hci_skb_event(hdev->sent_cmd)) { 3100 3100 case HCI_EV_CONN_COMPLETE: 3101 3101 case HCI_EV_LE_CONN_COMPLETE:

+1 -1

net/bluetooth/hci_core.c

··· 4126 4126 kfree_skb(skb); 4127 4127 } 4128 4128 4129 - if (hdev->req_status == HCI_REQ_PEND && 4129 + if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND && 4130 4130 !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { 4131 4131 kfree_skb(hdev->req_skb); 4132 4132 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);

+10 -10

net/bluetooth/hci_sync.c

··· 25 25 { 26 26 bt_dev_dbg(hdev, "result 0x%2.2x", result); 27 27 28 - if (hdev->req_status != HCI_REQ_PEND) 28 + if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND) 29 29 return; 30 30 31 31 hdev->req_result = result; 32 - hdev->req_status = HCI_REQ_DONE; 32 + WRITE_ONCE(hdev->req_status, HCI_REQ_DONE); 33 33 34 34 /* Free the request command so it is not used as response */ 35 35 kfree_skb(hdev->req_skb); ··· 167 167 168 168 hci_cmd_sync_add(&req, opcode, plen, param, event, sk); 169 169 170 - hdev->req_status = HCI_REQ_PEND; 170 + WRITE_ONCE(hdev->req_status, HCI_REQ_PEND); 171 171 172 172 err = hci_req_sync_run(&req); 173 173 if (err < 0) 174 174 return ERR_PTR(err); 175 175 176 176 err = wait_event_interruptible_timeout(hdev->req_wait_q, 177 - hdev->req_status != HCI_REQ_PEND, 177 + READ_ONCE(hdev->req_status) != HCI_REQ_PEND, 178 178 timeout); 179 179 180 180 if (err == -ERESTARTSYS) 181 181 return ERR_PTR(-EINTR); 182 182 183 - switch (hdev->req_status) { 183 + switch (READ_ONCE(hdev->req_status)) { 184 184 case HCI_REQ_DONE: 185 185 err = -bt_to_errno(hdev->req_result); 186 186 break; ··· 194 194 break; 195 195 } 196 196 197 - hdev->req_status = 0; 197 + WRITE_ONCE(hdev->req_status, 0); 198 198 hdev->req_result = 0; 199 199 skb = hdev->req_rsp; 200 200 hdev->req_rsp = NULL; ··· 665 665 { 666 666 bt_dev_dbg(hdev, "err 0x%2.2x", err); 667 667 668 - if (hdev->req_status == HCI_REQ_PEND) { 668 + if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { 669 669 hdev->req_result = err; 670 - hdev->req_status = HCI_REQ_CANCELED; 670 + WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); 671 671 672 672 queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work); 673 673 } ··· 683 683 { 684 684 bt_dev_dbg(hdev, "err 0x%2.2x", err); 685 685 686 - if (hdev->req_status == HCI_REQ_PEND) { 686 + if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { 687 687 /* req_result is __u32 so error must be positive to be properly 688 688 * propagated. 689 689 */ 690 690 hdev->req_result = err < 0 ? -err : err; 691 - hdev->req_status = HCI_REQ_CANCELED; 691 + WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); 692 692 693 693 wake_up_interruptible(&hdev->req_wait_q); 694 694 }

+53 -18

net/bluetooth/l2cap_core.c

··· 926 926 927 927 static int l2cap_get_ident(struct l2cap_conn *conn) 928 928 { 929 + u8 max; 930 + int ident; 931 + 929 932 /* LE link does not support tools like l2ping so use the full range */ 930 933 if (conn->hcon->type == LE_LINK) 931 - return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC); 932 - 934 + max = 255; 933 935 /* Get next available identificator. 934 936 * 1 - 128 are used by kernel. 935 937 * 129 - 199 are reserved. 936 938 * 200 - 254 are used by utilities like l2ping, etc. 937 939 */ 938 - return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC); 940 + else 941 + max = 128; 942 + 943 + /* Allocate ident using min as last used + 1 (cyclic) */ 944 + ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1, 945 + max, GFP_ATOMIC); 946 + /* Force min 1 to start over */ 947 + if (ident <= 0) { 948 + ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC); 949 + if (ident <= 0) { 950 + /* If all idents are in use, log an error, this is 951 + * extremely unlikely to happen and would indicate a bug 952 + * in the code that idents are not being freed properly. 953 + */ 954 + BT_ERR("Unable to allocate ident: %d", ident); 955 + return 0; 956 + } 957 + } 958 + 959 + WRITE_ONCE(conn->tx_ident, ident); 960 + 961 + return ident; 939 962 } 940 963 941 964 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb, ··· 1771 1748 1772 1749 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1773 1750 1751 + disable_delayed_work_sync(&conn->info_timer); 1752 + disable_delayed_work_sync(&conn->id_addr_timer); 1753 + 1774 1754 mutex_lock(&conn->lock); 1775 1755 1776 1756 kfree_skb(conn->rx_skb); ··· 1788 1762 cancel_work_sync(&conn->pending_rx_work); 1789 1763 1790 1764 ida_destroy(&conn->tx_ida); 1791 - 1792 - cancel_delayed_work_sync(&conn->id_addr_timer); 1793 1765 1794 1766 l2cap_unregister_all_users(conn); 1795 1767 ··· 1806 1782 l2cap_chan_unlock(chan); 1807 1783 l2cap_chan_put(chan); 1808 1784 } 1809 - 1810 - if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1811 - cancel_delayed_work_sync(&conn->info_timer); 1812 1785 1813 1786 hci_chan_del(conn->hchan); 1814 1787 conn->hchan = NULL; ··· 2397 2376 2398 2377 /* Remote device may have requested smaller PDUs */ 2399 2378 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2379 + 2380 + if (!pdu_len) 2381 + return -EINVAL; 2400 2382 2401 2383 if (len <= pdu_len) { 2402 2384 sar = L2CAP_SAR_UNSEGMENTED; ··· 4336 4312 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 4337 4313 set_default_fcs(chan); 4338 4314 4339 - if (chan->mode == L2CAP_MODE_ERTM || 4340 - chan->mode == L2CAP_MODE_STREAMING) 4341 - err = l2cap_ertm_init(chan); 4315 + if (chan->state != BT_CONNECTED) { 4316 + if (chan->mode == L2CAP_MODE_ERTM || 4317 + chan->mode == L2CAP_MODE_STREAMING) 4318 + err = l2cap_ertm_init(chan); 4342 4319 4343 - if (err < 0) 4344 - l2cap_send_disconn_req(chan, -err); 4345 - else 4346 - l2cap_chan_ready(chan); 4320 + if (err < 0) 4321 + l2cap_send_disconn_req(chan, -err); 4322 + else 4323 + l2cap_chan_ready(chan); 4324 + } 4347 4325 4348 4326 goto unlock; 4349 4327 } ··· 5107 5081 cmd_len -= sizeof(*req); 5108 5082 num_scid = cmd_len / sizeof(u16); 5109 5083 5110 - /* Always respond with the same number of scids as in the request */ 5111 - rsp_len = cmd_len; 5112 - 5113 5084 if (num_scid > L2CAP_ECRED_MAX_CID) { 5114 5085 result = L2CAP_CR_LE_INVALID_PARAMS; 5115 5086 goto response; 5116 5087 } 5088 + 5089 + /* Always respond with the same number of scids as in the request */ 5090 + rsp_len = cmd_len; 5117 5091 5118 5092 mtu = __le16_to_cpu(req->mtu); 5119 5093 mps = __le16_to_cpu(req->mps); ··· 6633 6607 struct l2cap_le_credits pkt; 6634 6608 u16 return_credits = l2cap_le_rx_credits(chan); 6635 6609 6610 + if (chan->mode != L2CAP_MODE_LE_FLOWCTL && 6611 + chan->mode != L2CAP_MODE_EXT_FLOWCTL) 6612 + return; 6613 + 6636 6614 if (chan->rx_credits >= return_credits) 6637 6615 return; 6638 6616 ··· 6719 6689 6720 6690 if (!chan->sdu) { 6721 6691 u16 sdu_len; 6692 + 6693 + if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) { 6694 + err = -EINVAL; 6695 + goto failed; 6696 + } 6722 6697 6723 6698 sdu_len = get_unaligned_le16(skb->data); 6724 6699 skb_pull(skb, L2CAP_SDULEN_SIZE);

+3

net/bluetooth/l2cap_sock.c

··· 1698 1698 struct sock *sk = chan->data; 1699 1699 struct sock *parent; 1700 1700 1701 + if (!sk) 1702 + return; 1703 + 1701 1704 lock_sock(sk); 1702 1705 1703 1706 parent = bt_sk(sk)->parent;

+1 -1

net/bluetooth/mgmt.c

··· 5355 5355 * hci_adv_monitors_clear is about to be called which will take care of 5356 5356 * freeing the adv_monitor instances. 5357 5357 */ 5358 - if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) 5358 + if (status == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) 5359 5359 return; 5360 5360 5361 5361 monitor = cmd->user_data;

+7 -3

net/bluetooth/sco.c

··· 401 401 struct sock *sk; 402 402 403 403 sco_conn_lock(conn); 404 - sk = conn->sk; 404 + sk = sco_sock_hold(conn); 405 405 sco_conn_unlock(conn); 406 406 407 407 if (!sk) ··· 410 410 BT_DBG("sk %p len %u", sk, skb->len); 411 411 412 412 if (sk->sk_state != BT_CONNECTED) 413 - goto drop; 413 + goto drop_put; 414 414 415 - if (!sock_queue_rcv_skb(sk, skb)) 415 + if (!sock_queue_rcv_skb(sk, skb)) { 416 + sock_put(sk); 416 417 return; 418 + } 417 419 420 + drop_put: 421 + sock_put(sk); 418 422 drop: 419 423 kfree_skb(skb); 420 424 }

+2 -2

net/can/af_can.c

··· 469 469 470 470 rcv->can_id = can_id; 471 471 rcv->mask = mask; 472 - rcv->matches = 0; 472 + atomic_long_set(&rcv->matches, 0); 473 473 rcv->func = func; 474 474 rcv->data = data; 475 475 rcv->ident = ident; ··· 573 573 static inline void deliver(struct sk_buff *skb, struct receiver *rcv) 574 574 { 575 575 rcv->func(skb, rcv->data); 576 - rcv->matches++; 576 + atomic_long_inc(&rcv->matches); 577 577 } 578 578 579 579 static int can_rcv_filter(struct can_dev_rcv_lists *dev_rcv_lists, struct sk_buff *skb)

+1 -1

net/can/af_can.h

··· 52 52 struct hlist_node list; 53 53 canid_t can_id; 54 54 canid_t mask; 55 - unsigned long matches; 55 + atomic_long_t matches; 56 56 void (*func)(struct sk_buff *skb, void *data); 57 57 void *data; 58 58 char *ident;

+3 -3

net/can/gw.c

··· 375 375 return; 376 376 377 377 if (from <= to) { 378 - for (i = crc8->from_idx; i <= crc8->to_idx; i++) 378 + for (i = from; i <= to; i++) 379 379 crc = crc8->crctab[crc ^ cf->data[i]]; 380 380 } else { 381 - for (i = crc8->from_idx; i >= crc8->to_idx; i--) 381 + for (i = from; i >= to; i--) 382 382 crc = crc8->crctab[crc ^ cf->data[i]]; 383 383 } 384 384 ··· 397 397 break; 398 398 } 399 399 400 - cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val; 400 + cf->data[res] = crc ^ crc8->final_xor_val; 401 401 } 402 402 403 403 static void cgw_csum_crc8_pos(struct canfd_frame *cf,

+18 -6

net/can/isotp.c

··· 1248 1248 so->ifindex = 0; 1249 1249 so->bound = 0; 1250 1250 1251 - if (so->rx.buf != so->rx.sbuf) 1252 - kfree(so->rx.buf); 1253 - 1254 - if (so->tx.buf != so->tx.sbuf) 1255 - kfree(so->tx.buf); 1256 - 1257 1251 sock_orphan(sk); 1258 1252 sock->sk = NULL; 1259 1253 ··· 1616 1622 return NOTIFY_DONE; 1617 1623 } 1618 1624 1625 + static void isotp_sock_destruct(struct sock *sk) 1626 + { 1627 + struct isotp_sock *so = isotp_sk(sk); 1628 + 1629 + /* do the standard CAN sock destruct work */ 1630 + can_sock_destruct(sk); 1631 + 1632 + /* free potential extended PDU buffers */ 1633 + if (so->rx.buf != so->rx.sbuf) 1634 + kfree(so->rx.buf); 1635 + 1636 + if (so->tx.buf != so->tx.sbuf) 1637 + kfree(so->tx.buf); 1638 + } 1639 + 1619 1640 static int isotp_init(struct sock *sk) 1620 1641 { 1621 1642 struct isotp_sock *so = isotp_sk(sk); ··· 1674 1665 spin_lock(&isotp_notifier_lock); 1675 1666 list_add_tail(&so->notifier, &isotp_notifier_list); 1676 1667 spin_unlock(&isotp_notifier_lock); 1668 + 1669 + /* re-assign default can_sock_destruct() reference */ 1670 + sk->sk_destruct = isotp_sock_destruct; 1677 1671 1678 1672 return 0; 1679 1673 }

+2 -1

net/can/proc.c

··· 196 196 " %-5s %03x %08x %pK %pK %8ld %s\n"; 197 197 198 198 seq_printf(m, fmt, DNAME(dev), r->can_id, r->mask, 199 - r->func, r->data, r->matches, r->ident); 199 + r->func, r->data, atomic_long_read(&r->matches), 200 + r->ident); 200 201 } 201 202 } 202 203

+17 -5

net/core/dev.c

··· 3769 3769 return vlan_features_check(skb, features); 3770 3770 } 3771 3771 3772 + static bool skb_gso_has_extension_hdr(const struct sk_buff *skb) 3773 + { 3774 + if (!skb->encapsulation) 3775 + return ((skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6 || 3776 + (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && 3777 + vlan_get_protocol(skb) == htons(ETH_P_IPV6))) && 3778 + skb_transport_header_was_set(skb) && 3779 + skb_network_header_len(skb) != sizeof(struct ipv6hdr)); 3780 + else 3781 + return (!skb_inner_network_header_was_set(skb) || 3782 + ((skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6 || 3783 + (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && 3784 + inner_ip_hdr(skb)->version == 6)) && 3785 + skb_inner_network_header_len(skb) != sizeof(struct ipv6hdr))); 3786 + } 3787 + 3772 3788 static netdev_features_t gso_features_check(const struct sk_buff *skb, 3773 3789 struct net_device *dev, 3774 3790 netdev_features_t features) ··· 3832 3816 * so neither does TSO that depends on it. 3833 3817 */ 3834 3818 if (features & NETIF_F_IPV6_CSUM && 3835 - (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6 || 3836 - (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && 3837 - vlan_get_protocol(skb) == htons(ETH_P_IPV6))) && 3838 - skb_transport_header_was_set(skb) && 3839 - skb_network_header_len(skb) != sizeof(struct ipv6hdr)) 3819 + skb_gso_has_extension_hdr(skb)) 3840 3820 features &= ~(NETIF_F_IPV6_CSUM | NETIF_F_TSO6 | NETIF_F_GSO_UDP_L4); 3841 3821 3842 3822 return features;

+25 -3

net/core/rtnetlink.c

··· 629 629 unlock: 630 630 mutex_unlock(&link_ops_mutex); 631 631 632 + if (err) 633 + cleanup_srcu_struct(&ops->srcu); 634 + 632 635 return err; 633 636 } 634 637 EXPORT_SYMBOL_GPL(rtnl_link_register); ··· 710 707 goto out; 711 708 712 709 ops = master_dev->rtnl_link_ops; 713 - if (!ops || !ops->get_slave_size) 710 + if (!ops) 711 + goto out; 712 + size += nla_total_size(strlen(ops->kind) + 1); /* IFLA_INFO_SLAVE_KIND */ 713 + if (!ops->get_slave_size) 714 714 goto out; 715 715 /* IFLA_INFO_SLAVE_DATA + nested data */ 716 - size = nla_total_size(sizeof(struct nlattr)) + 717 - ops->get_slave_size(master_dev, dev); 716 + size += nla_total_size(sizeof(struct nlattr)) + 717 + ops->get_slave_size(master_dev, dev); 718 718 719 719 out: 720 720 rcu_read_unlock(); ··· 1273 1267 return size; 1274 1268 } 1275 1269 1270 + static size_t rtnl_dev_parent_size(const struct net_device *dev) 1271 + { 1272 + size_t size = 0; 1273 + 1274 + /* IFLA_PARENT_DEV_NAME */ 1275 + if (dev->dev.parent) 1276 + size += nla_total_size(strlen(dev_name(dev->dev.parent)) + 1); 1277 + 1278 + /* IFLA_PARENT_DEV_BUS_NAME */ 1279 + if (dev->dev.parent && dev->dev.parent->bus) 1280 + size += nla_total_size(strlen(dev->dev.parent->bus->name) + 1); 1281 + 1282 + return size; 1283 + } 1284 + 1276 1285 static noinline size_t if_nlmsg_size(const struct net_device *dev, 1277 1286 u32 ext_filter_mask) 1278 1287 { ··· 1349 1328 + nla_total_size(8) /* IFLA_MAX_PACING_OFFLOAD_HORIZON */ 1350 1329 + nla_total_size(2) /* IFLA_HEADROOM */ 1351 1330 + nla_total_size(2) /* IFLA_TAILROOM */ 1331 + + rtnl_dev_parent_size(dev) 1352 1332 + 0; 1353 1333 1354 1334 if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS))

+6 -3

net/ipv4/esp4.c

··· 235 235 xfrm_dev_resume(skb); 236 236 } else { 237 237 if (!err && 238 - x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) 239 - esp_output_tail_tcp(x, skb); 240 - else 238 + x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) { 239 + err = esp_output_tail_tcp(x, skb); 240 + if (err != -EINPROGRESS) 241 + kfree_skb(skb); 242 + } else { 241 243 xfrm_output_resume(skb_to_full_sk(skb), skb, err); 244 + } 242 245 } 243 246 } 244 247

+3 -17

net/ipv4/inet_connection_sock.c

··· 154 154 } 155 155 EXPORT_SYMBOL(inet_sk_get_local_port_range); 156 156 157 - static bool inet_use_bhash2_on_bind(const struct sock *sk) 158 - { 159 - #if IS_ENABLED(CONFIG_IPV6) 160 - if (sk->sk_family == AF_INET6) { 161 - if (ipv6_addr_any(&sk->sk_v6_rcv_saddr)) 162 - return false; 163 - 164 - if (!ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr)) 165 - return true; 166 - } 167 - #endif 168 - return sk->sk_rcv_saddr != htonl(INADDR_ANY); 169 - } 170 - 171 157 static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2, 172 158 kuid_t uid, bool relax, 173 159 bool reuseport_cb_ok, bool reuseport_ok) ··· 245 259 * checks separately because their spinlocks have to be acquired/released 246 260 * independently of each other, to prevent possible deadlocks 247 261 */ 248 - if (inet_use_bhash2_on_bind(sk)) 262 + if (inet_use_hash2_on_bind(sk)) 249 263 return tb2 && inet_bhash2_conflict(sk, tb2, uid, relax, 250 264 reuseport_cb_ok, reuseport_ok); 251 265 ··· 362 376 head = &hinfo->bhash[inet_bhashfn(net, port, 363 377 hinfo->bhash_size)]; 364 378 spin_lock_bh(&head->lock); 365 - if (inet_use_bhash2_on_bind(sk)) { 379 + if (inet_use_hash2_on_bind(sk)) { 366 380 if (inet_bhash2_addr_any_conflict(sk, port, l3mdev, relax, false)) 367 381 goto next_port; 368 382 } ··· 548 562 check_bind_conflict = false; 549 563 } 550 564 551 - if (check_bind_conflict && inet_use_bhash2_on_bind(sk)) { 565 + if (check_bind_conflict && inet_use_hash2_on_bind(sk)) { 552 566 if (inet_bhash2_addr_any_conflict(sk, port, l3mdev, true, true)) 553 567 goto fail_unlock; 554 568 }

+1 -1

net/ipv4/udp.c

··· 287 287 } else { 288 288 hslot = udp_hashslot(udptable, net, snum); 289 289 spin_lock_bh(&hslot->lock); 290 - if (hslot->count > 10) { 290 + if (inet_use_hash2_on_bind(sk) && hslot->count > 10) { 291 291 int exist; 292 292 unsigned int slot2 = udp_sk(sk)->udp_portaddr_hash ^ snum; 293 293

+2 -2

net/ipv6/addrconf.c

··· 2862 2862 fib6_add_gc_list(rt); 2863 2863 } else { 2864 2864 fib6_clean_expires(rt); 2865 - fib6_remove_gc_list(rt); 2865 + fib6_may_remove_gc_list(net, rt); 2866 2866 } 2867 2867 2868 2868 spin_unlock_bh(&table->tb6_lock); ··· 4840 4840 4841 4841 if (!(flags & RTF_EXPIRES)) { 4842 4842 fib6_clean_expires(f6i); 4843 - fib6_remove_gc_list(f6i); 4843 + fib6_may_remove_gc_list(net, f6i); 4844 4844 } else { 4845 4845 fib6_set_expires(f6i, expires); 4846 4846 fib6_add_gc_list(f6i);

+6 -3

net/ipv6/esp6.c

··· 271 271 xfrm_dev_resume(skb); 272 272 } else { 273 273 if (!err && 274 - x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) 275 - esp_output_tail_tcp(x, skb); 276 - else 274 + x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) { 275 + err = esp_output_tail_tcp(x, skb); 276 + if (err != -EINPROGRESS) 277 + kfree_skb(skb); 278 + } else { 277 279 xfrm_output_resume(skb_to_full_sk(skb), skb, err); 280 + } 278 281 } 279 282 } 280 283

+13 -2

net/ipv6/ip6_fib.c

··· 1133 1133 return -EEXIST; 1134 1134 if (!(rt->fib6_flags & RTF_EXPIRES)) { 1135 1135 fib6_clean_expires(iter); 1136 - fib6_remove_gc_list(iter); 1136 + fib6_may_remove_gc_list(info->nl_net, iter); 1137 1137 } else { 1138 1138 fib6_set_expires(iter, rt->expires); 1139 1139 fib6_add_gc_list(iter); ··· 2348 2348 /* 2349 2349 * Garbage collection 2350 2350 */ 2351 + void fib6_age_exceptions(struct fib6_info *rt, struct fib6_gc_args *gc_args, 2352 + unsigned long now) 2353 + { 2354 + bool may_expire = rt->fib6_flags & RTF_EXPIRES && rt->expires; 2355 + int old_more = gc_args->more; 2356 + 2357 + rt6_age_exceptions(rt, gc_args, now); 2358 + 2359 + if (!may_expire && old_more == gc_args->more) 2360 + fib6_remove_gc_list(rt); 2361 + } 2351 2362 2352 2363 static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args) 2353 2364 { ··· 2381 2370 * Note, that clones are aged out 2382 2371 * only if they are not in use now. 2383 2372 */ 2384 - rt6_age_exceptions(rt, gc_args, now); 2373 + fib6_age_exceptions(rt, gc_args, now); 2385 2374 2386 2375 return 0; 2387 2376 }

+4

net/ipv6/netfilter/ip6t_rt.c

··· 157 157 pr_debug("unknown flags %X\n", rtinfo->invflags); 158 158 return -EINVAL; 159 159 } 160 + if (rtinfo->addrnr > IP6T_RT_HOPS) { 161 + pr_debug("too many addresses specified\n"); 162 + return -EINVAL; 163 + } 160 164 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && 161 165 (!(rtinfo->flags & IP6T_RT_TYP) || 162 166 (rtinfo->rt_type != 0) ||

+1 -1

net/ipv6/route.c

··· 1033 1033 1034 1034 if (!addrconf_finite_timeout(lifetime)) { 1035 1035 fib6_clean_expires(rt); 1036 - fib6_remove_gc_list(rt); 1036 + fib6_may_remove_gc_list(net, rt); 1037 1037 } else { 1038 1038 fib6_set_expires(rt, jiffies + HZ * lifetime); 1039 1039 fib6_add_gc_list(rt);

+12 -7

net/key/af_key.c

··· 3518 3518 3519 3519 static int set_ipsecrequest(struct sk_buff *skb, 3520 3520 uint8_t proto, uint8_t mode, int level, 3521 - uint32_t reqid, uint8_t family, 3521 + uint32_t reqid, sa_family_t family, 3522 3522 const xfrm_address_t *src, const xfrm_address_t *dst) 3523 3523 { 3524 3524 struct sadb_x_ipsecrequest *rq; ··· 3583 3583 3584 3584 /* ipsecrequests */ 3585 3585 for (i = 0, mp = m; i < num_bundles; i++, mp++) { 3586 - /* old locator pair */ 3587 - size_pol += sizeof(struct sadb_x_ipsecrequest) + 3588 - pfkey_sockaddr_pair_size(mp->old_family); 3589 - /* new locator pair */ 3590 - size_pol += sizeof(struct sadb_x_ipsecrequest) + 3591 - pfkey_sockaddr_pair_size(mp->new_family); 3586 + int pair_size; 3587 + 3588 + pair_size = pfkey_sockaddr_pair_size(mp->old_family); 3589 + if (!pair_size) 3590 + return -EINVAL; 3591 + size_pol += sizeof(struct sadb_x_ipsecrequest) + pair_size; 3592 + 3593 + pair_size = pfkey_sockaddr_pair_size(mp->new_family); 3594 + if (!pair_size) 3595 + return -EINVAL; 3596 + size_pol += sizeof(struct sadb_x_ipsecrequest) + pair_size; 3592 3597 } 3593 3598 3594 3599 size += sizeof(struct sadb_msg) + size_pol;

+6 -2

net/netfilter/nf_conntrack_broadcast.c

··· 21 21 unsigned int timeout) 22 22 { 23 23 const struct nf_conntrack_helper *helper; 24 + struct net *net = read_pnet(&ct->ct_net); 24 25 struct nf_conntrack_expect *exp; 25 26 struct iphdr *iph = ip_hdr(skb); 26 27 struct rtable *rt = skb_rtable(skb); ··· 71 70 exp->expectfn = NULL; 72 71 exp->flags = NF_CT_EXPECT_PERMANENT; 73 72 exp->class = NF_CT_EXPECT_CLASS_DEFAULT; 74 - exp->helper = NULL; 75 - 73 + rcu_assign_pointer(exp->helper, helper); 74 + write_pnet(&exp->net, net); 75 + #ifdef CONFIG_NF_CONNTRACK_ZONES 76 + exp->zone = ct->zone; 77 + #endif 76 78 nf_ct_expect_related(exp, 0); 77 79 nf_ct_expect_put(exp); 78 80

+2

net/netfilter/nf_conntrack_ecache.c

··· 247 247 struct nf_ct_event_notifier *notify; 248 248 struct nf_conntrack_ecache *e; 249 249 250 + lockdep_nfct_expect_lock_held(); 251 + 250 252 rcu_read_lock(); 251 253 notify = rcu_dereference(net->ct.nf_conntrack_event_cb); 252 254 if (!notify)

+34 -5

net/netfilter/nf_conntrack_expect.c

··· 51 51 struct net *net = nf_ct_exp_net(exp); 52 52 struct nf_conntrack_net *cnet; 53 53 54 + lockdep_nfct_expect_lock_held(); 54 55 WARN_ON(!master_help); 55 56 WARN_ON(timer_pending(&exp->timeout)); 56 57 ··· 113 112 const struct net *net) 114 113 { 115 114 return nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) && 116 - net_eq(net, nf_ct_net(i->master)) && 117 - nf_ct_zone_equal_any(i->master, zone); 115 + net_eq(net, read_pnet(&i->net)) && 116 + nf_ct_exp_zone_equal_any(i, zone); 118 117 } 119 118 120 119 bool nf_ct_remove_expect(struct nf_conntrack_expect *exp) 121 120 { 121 + lockdep_nfct_expect_lock_held(); 122 + 122 123 if (timer_delete(&exp->timeout)) { 123 124 nf_ct_unlink_expect(exp); 124 125 nf_ct_expect_put(exp); ··· 179 176 struct nf_conntrack_net *cnet = nf_ct_pernet(net); 180 177 struct nf_conntrack_expect *i, *exp = NULL; 181 178 unsigned int h; 179 + 180 + lockdep_nfct_expect_lock_held(); 182 181 183 182 if (!cnet->expect_count) 184 183 return NULL; ··· 314 309 } 315 310 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc); 316 311 312 + /* This function can only be used from packet path, where accessing 313 + * master's helper is safe, because the packet holds a reference on 314 + * the conntrack object. Never use it from control plane. 315 + */ 317 316 void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class, 318 317 u_int8_t family, 319 318 const union nf_inet_addr *saddr, 320 319 const union nf_inet_addr *daddr, 321 320 u_int8_t proto, const __be16 *src, const __be16 *dst) 322 321 { 322 + struct nf_conntrack_helper *helper = NULL; 323 + struct nf_conn *ct = exp->master; 324 + struct net *net = read_pnet(&ct->ct_net); 325 + struct nf_conn_help *help; 323 326 int len; 324 327 325 328 if (family == AF_INET) ··· 338 325 exp->flags = 0; 339 326 exp->class = class; 340 327 exp->expectfn = NULL; 341 - exp->helper = NULL; 328 + 329 + help = nfct_help(ct); 330 + if (help) 331 + helper = rcu_dereference(help->helper); 332 + 333 + rcu_assign_pointer(exp->helper, helper); 334 + write_pnet(&exp->net, net); 335 + #ifdef CONFIG_NF_CONNTRACK_ZONES 336 + exp->zone = ct->zone; 337 + #endif 342 338 exp->tuple.src.l3num = family; 343 339 exp->tuple.dst.protonum = proto; 344 340 ··· 464 442 unsigned int h; 465 443 int ret = 0; 466 444 445 + lockdep_nfct_expect_lock_held(); 446 + 467 447 if (!master_help) { 468 448 ret = -ESHUTDOWN; 469 449 goto out; ··· 522 498 523 499 nf_ct_expect_insert(expect); 524 500 525 - spin_unlock_bh(&nf_conntrack_expect_lock); 526 501 nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); 502 + spin_unlock_bh(&nf_conntrack_expect_lock); 503 + 527 504 return 0; 528 505 out: 529 506 spin_unlock_bh(&nf_conntrack_expect_lock); ··· 652 627 { 653 628 struct nf_conntrack_expect *expect; 654 629 struct nf_conntrack_helper *helper; 630 + struct net *net = seq_file_net(s); 655 631 struct hlist_node *n = v; 656 632 char *delim = ""; 657 633 658 634 expect = hlist_entry(n, struct nf_conntrack_expect, hnode); 635 + 636 + if (!net_eq(nf_ct_exp_net(expect), net)) 637 + return 0; 659 638 660 639 if (expect->timeout.function) 661 640 seq_printf(s, "%ld ", timer_pending(&expect->timeout) ··· 683 654 if (expect->flags & NF_CT_EXPECT_USERSPACE) 684 655 seq_printf(s, "%sUSERSPACE", delim); 685 656 686 - helper = rcu_dereference(nfct_help(expect->master)->helper); 657 + helper = rcu_dereference(expect->helper); 687 658 if (helper) { 688 659 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name); 689 660 if (helper->expect_policy[expect->class].name[0])

+6 -6

net/netfilter/nf_conntrack_h323_main.c

··· 643 643 &ct->tuplehash[!dir].tuple.src.u3, 644 644 &ct->tuplehash[!dir].tuple.dst.u3, 645 645 IPPROTO_TCP, NULL, &port); 646 - exp->helper = &nf_conntrack_helper_h245; 646 + rcu_assign_pointer(exp->helper, &nf_conntrack_helper_h245); 647 647 648 648 nathook = rcu_dereference(nfct_h323_nat_hook); 649 649 if (memcmp(&ct->tuplehash[dir].tuple.src.u3, ··· 767 767 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct), 768 768 &ct->tuplehash[!dir].tuple.src.u3, &addr, 769 769 IPPROTO_TCP, NULL, &port); 770 - exp->helper = nf_conntrack_helper_q931; 770 + rcu_assign_pointer(exp->helper, nf_conntrack_helper_q931); 771 771 772 772 nathook = rcu_dereference(nfct_h323_nat_hook); 773 773 if (memcmp(&ct->tuplehash[dir].tuple.src.u3, ··· 1234 1234 &ct->tuplehash[!dir].tuple.src.u3 : NULL, 1235 1235 &ct->tuplehash[!dir].tuple.dst.u3, 1236 1236 IPPROTO_TCP, NULL, &port); 1237 - exp->helper = nf_conntrack_helper_q931; 1237 + rcu_assign_pointer(exp->helper, nf_conntrack_helper_q931); 1238 1238 exp->flags = NF_CT_EXPECT_PERMANENT; /* Accept multiple calls */ 1239 1239 1240 1240 nathook = rcu_dereference(nfct_h323_nat_hook); ··· 1306 1306 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct), 1307 1307 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1308 1308 IPPROTO_UDP, NULL, &port); 1309 - exp->helper = nf_conntrack_helper_ras; 1309 + rcu_assign_pointer(exp->helper, nf_conntrack_helper_ras); 1310 1310 1311 1311 if (nf_ct_expect_related(exp, 0) == 0) { 1312 1312 pr_debug("nf_ct_ras: expect RAS "); ··· 1523 1523 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1524 1524 IPPROTO_TCP, NULL, &port); 1525 1525 exp->flags = NF_CT_EXPECT_PERMANENT; 1526 - exp->helper = nf_conntrack_helper_q931; 1526 + rcu_assign_pointer(exp->helper, nf_conntrack_helper_q931); 1527 1527 1528 1528 if (nf_ct_expect_related(exp, 0) == 0) { 1529 1529 pr_debug("nf_ct_ras: expect Q.931 "); ··· 1577 1577 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1578 1578 IPPROTO_TCP, NULL, &port); 1579 1579 exp->flags = NF_CT_EXPECT_PERMANENT; 1580 - exp->helper = nf_conntrack_helper_q931; 1580 + rcu_assign_pointer(exp->helper, nf_conntrack_helper_q931); 1581 1581 1582 1582 if (nf_ct_expect_related(exp, 0) == 0) { 1583 1583 pr_debug("nf_ct_ras: expect Q.931 ");

+6 -5

net/netfilter/nf_conntrack_helper.c

··· 395 395 396 396 static bool expect_iter_me(struct nf_conntrack_expect *exp, void *data) 397 397 { 398 - struct nf_conn_help *help = nfct_help(exp->master); 399 398 const struct nf_conntrack_helper *me = data; 400 399 const struct nf_conntrack_helper *this; 401 400 402 - if (exp->helper == me) 403 - return true; 404 - 405 - this = rcu_dereference_protected(help->helper, 401 + this = rcu_dereference_protected(exp->helper, 406 402 lockdep_is_held(&nf_conntrack_expect_lock)); 407 403 return this == me; 408 404 } ··· 417 421 418 422 nf_ct_expect_iterate_destroy(expect_iter_me, NULL); 419 423 nf_ct_iterate_destroy(unhelp, me); 424 + 425 + /* nf_ct_iterate_destroy() does an unconditional synchronize_rcu() as 426 + * last step, this ensures rcu readers of exp->helper are done. 427 + * No need for another synchronize_rcu() here. 428 + */ 420 429 } 421 430 EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister); 422 431

+40 -35

net/netfilter/nf_conntrack_netlink.c

··· 910 910 }; 911 911 912 912 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = { 913 - [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 }, 914 - [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 }, 913 + [CTA_FILTER_ORIG_FLAGS] = NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL), 914 + [CTA_FILTER_REPLY_FLAGS] = NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL), 915 915 }; 916 916 917 917 static int ctnetlink_parse_filter(const struct nlattr *attr, ··· 925 925 if (ret) 926 926 return ret; 927 927 928 - if (tb[CTA_FILTER_ORIG_FLAGS]) { 928 + if (tb[CTA_FILTER_ORIG_FLAGS]) 929 929 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]); 930 - if (filter->orig_flags & ~CTA_FILTER_F_ALL) 931 - return -EOPNOTSUPP; 932 - } 933 930 934 - if (tb[CTA_FILTER_REPLY_FLAGS]) { 931 + if (tb[CTA_FILTER_REPLY_FLAGS]) 935 932 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]); 936 - if (filter->reply_flags & ~CTA_FILTER_F_ALL) 937 - return -EOPNOTSUPP; 938 - } 939 933 940 934 return 0; 941 935 } ··· 2628 2634 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING, 2629 2635 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2630 2636 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2631 - [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2637 + [CTA_EXPECT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NF_CT_EXPECT_MASK), 2632 2638 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2633 2639 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2634 2640 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, ··· 3006 3012 { 3007 3013 struct nf_conn *master = exp->master; 3008 3014 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 3009 - struct nf_conn_help *help; 3015 + struct nf_conntrack_helper *helper; 3010 3016 #if IS_ENABLED(CONFIG_NF_NAT) 3011 3017 struct nlattr *nest_parms; 3012 3018 struct nf_conntrack_tuple nat_tuple = {}; ··· 3051 3057 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 3052 3058 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 3053 3059 goto nla_put_failure; 3054 - help = nfct_help(master); 3055 - if (help) { 3056 - struct nf_conntrack_helper *helper; 3057 3060 3058 - helper = rcu_dereference(help->helper); 3059 - if (helper && 3060 - nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 3061 - goto nla_put_failure; 3062 - } 3061 + helper = rcu_dereference(exp->helper); 3062 + if (helper && 3063 + nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 3064 + goto nla_put_failure; 3065 + 3063 3066 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 3064 3067 if (expfn != NULL && 3065 3068 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) ··· 3349 3358 if (err < 0) 3350 3359 return err; 3351 3360 3361 + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3362 + if (!skb2) 3363 + return -ENOMEM; 3364 + 3365 + spin_lock_bh(&nf_conntrack_expect_lock); 3352 3366 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3353 - if (!exp) 3367 + if (!exp) { 3368 + spin_unlock_bh(&nf_conntrack_expect_lock); 3369 + kfree_skb(skb2); 3354 3370 return -ENOENT; 3371 + } 3355 3372 3356 3373 if (cda[CTA_EXPECT_ID]) { 3357 3374 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3358 3375 3359 3376 if (id != nf_expect_get_id(exp)) { 3360 3377 nf_ct_expect_put(exp); 3378 + spin_unlock_bh(&nf_conntrack_expect_lock); 3379 + kfree_skb(skb2); 3361 3380 return -ENOENT; 3362 3381 } 3363 - } 3364 - 3365 - skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3366 - if (!skb2) { 3367 - nf_ct_expect_put(exp); 3368 - return -ENOMEM; 3369 3382 } 3370 3383 3371 3384 rcu_read_lock(); ··· 3378 3383 exp); 3379 3384 rcu_read_unlock(); 3380 3385 nf_ct_expect_put(exp); 3386 + spin_unlock_bh(&nf_conntrack_expect_lock); 3387 + 3381 3388 if (err <= 0) { 3382 3389 kfree_skb(skb2); 3383 3390 return -ENOMEM; ··· 3391 3394 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 3392 3395 { 3393 3396 struct nf_conntrack_helper *helper; 3394 - const struct nf_conn_help *m_help; 3395 3397 const char *name = data; 3396 3398 3397 - m_help = nfct_help(exp->master); 3398 - 3399 - helper = rcu_dereference(m_help->helper); 3399 + helper = rcu_dereference(exp->helper); 3400 3400 if (!helper) 3401 3401 return false; 3402 3402 ··· 3426 3432 if (err < 0) 3427 3433 return err; 3428 3434 3435 + spin_lock_bh(&nf_conntrack_expect_lock); 3436 + 3429 3437 /* bump usage count to 2 */ 3430 3438 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3431 - if (!exp) 3439 + if (!exp) { 3440 + spin_unlock_bh(&nf_conntrack_expect_lock); 3432 3441 return -ENOENT; 3442 + } 3433 3443 3434 3444 if (cda[CTA_EXPECT_ID]) { 3435 3445 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3436 3446 3437 3447 if (id != nf_expect_get_id(exp)) { 3438 3448 nf_ct_expect_put(exp); 3449 + spin_unlock_bh(&nf_conntrack_expect_lock); 3439 3450 return -ENOENT; 3440 3451 } 3441 3452 } 3442 3453 3443 3454 /* after list removal, usage count == 1 */ 3444 - spin_lock_bh(&nf_conntrack_expect_lock); 3445 3455 if (timer_delete(&exp->timeout)) { 3446 3456 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 3447 3457 nlmsg_report(info->nlh)); ··· 3532 3534 struct nf_conntrack_tuple *tuple, 3533 3535 struct nf_conntrack_tuple *mask) 3534 3536 { 3535 - u_int32_t class = 0; 3537 + struct net *net = read_pnet(&ct->ct_net); 3536 3538 struct nf_conntrack_expect *exp; 3537 3539 struct nf_conn_help *help; 3540 + u32 class = 0; 3538 3541 int err; 3539 3542 3540 3543 help = nfct_help(ct); ··· 3572 3573 3573 3574 exp->class = class; 3574 3575 exp->master = ct; 3575 - exp->helper = helper; 3576 + write_pnet(&exp->net, net); 3577 + #ifdef CONFIG_NF_CONNTRACK_ZONES 3578 + exp->zone = ct->zone; 3579 + #endif 3580 + if (!helper) 3581 + helper = rcu_dereference(help->helper); 3582 + rcu_assign_pointer(exp->helper, helper); 3576 3583 exp->tuple = *tuple; 3577 3584 exp->mask.src.u3 = mask->src.u3; 3578 3585 exp->mask.src.u.all = mask->src.u.all;

+3 -7

net/netfilter/nf_conntrack_proto_tcp.c

··· 1385 1385 } 1386 1386 1387 1387 static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = { 1388 - [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 }, 1389 - [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 }, 1390 - [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 }, 1388 + [CTA_PROTOINFO_TCP_STATE] = NLA_POLICY_MAX(NLA_U8, TCP_CONNTRACK_SYN_SENT2), 1389 + [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE), 1390 + [CTA_PROTOINFO_TCP_WSCALE_REPLY] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE), 1391 1391 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) }, 1392 1392 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) }, 1393 1393 }; ··· 1413 1413 tcp_nla_policy, NULL); 1414 1414 if (err < 0) 1415 1415 return err; 1416 - 1417 - if (tb[CTA_PROTOINFO_TCP_STATE] && 1418 - nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX) 1419 - return -EINVAL; 1420 1416 1421 1417 spin_lock_bh(&ct->lock); 1422 1418 if (tb[CTA_PROTOINFO_TCP_STATE])

+12 -6

net/netfilter/nf_conntrack_sip.c

··· 924 924 exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple); 925 925 926 926 if (!exp || exp->master == ct || 927 - nfct_help(exp->master)->helper != nfct_help(ct)->helper || 927 + exp->helper != nfct_help(ct)->helper || 928 928 exp->class != class) 929 929 break; 930 930 #if IS_ENABLED(CONFIG_NF_NAT) ··· 1040 1040 unsigned int port; 1041 1041 const struct sdp_media_type *t; 1042 1042 int ret = NF_ACCEPT; 1043 + bool have_rtp_addr = false; 1043 1044 1044 1045 hooks = rcu_dereference(nf_nat_sip_hooks); 1045 1046 ··· 1057 1056 caddr_len = 0; 1058 1057 if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen, 1059 1058 SDP_HDR_CONNECTION, SDP_HDR_MEDIA, 1060 - &matchoff, &matchlen, &caddr) > 0) 1059 + &matchoff, &matchlen, &caddr) > 0) { 1061 1060 caddr_len = matchlen; 1061 + memcpy(&rtp_addr, &caddr, sizeof(rtp_addr)); 1062 + have_rtp_addr = true; 1063 + } 1062 1064 1063 1065 mediaoff = sdpoff; 1064 1066 for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) { ··· 1095 1091 &matchoff, &matchlen, &maddr) > 0) { 1096 1092 maddr_len = matchlen; 1097 1093 memcpy(&rtp_addr, &maddr, sizeof(rtp_addr)); 1098 - } else if (caddr_len) 1094 + have_rtp_addr = true; 1095 + } else if (caddr_len) { 1099 1096 memcpy(&rtp_addr, &caddr, sizeof(rtp_addr)); 1100 - else { 1097 + have_rtp_addr = true; 1098 + } else { 1101 1099 nf_ct_helper_log(skb, ct, "cannot parse SDP message"); 1102 1100 return NF_DROP; 1103 1101 } ··· 1131 1125 1132 1126 /* Update session connection and owner addresses */ 1133 1127 hooks = rcu_dereference(nf_nat_sip_hooks); 1134 - if (hooks && ct->status & IPS_NAT_MASK) 1128 + if (hooks && ct->status & IPS_NAT_MASK && have_rtp_addr) 1135 1129 ret = hooks->sdp_session(skb, protoff, dataoff, 1136 1130 dptr, datalen, sdpoff, 1137 1131 &rtp_addr); ··· 1303 1297 nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct), 1304 1298 saddr, &daddr, proto, NULL, &port); 1305 1299 exp->timeout.expires = sip_timeout * HZ; 1306 - exp->helper = helper; 1300 + rcu_assign_pointer(exp->helper, helper); 1307 1301 exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE; 1308 1302 1309 1303 hooks = rcu_dereference(nf_nat_sip_hooks);

+2 -6

net/netfilter/nfnetlink_log.c

··· 647 647 648 648 if (data_len) { 649 649 struct nlattr *nla; 650 - int size = nla_attr_size(data_len); 651 650 652 - if (skb_tailroom(inst->skb) < nla_total_size(data_len)) 651 + nla = nla_reserve(inst->skb, NFULA_PAYLOAD, data_len); 652 + if (!nla) 653 653 goto nla_put_failure; 654 - 655 - nla = skb_put(inst->skb, nla_total_size(data_len)); 656 - nla->nla_type = NFULA_PAYLOAD; 657 - nla->nla_len = size; 658 654 659 655 if (skb_copy_bits(skb, 0, nla_data(nla), data_len)) 660 656 BUG();

+10 -10

net/netfilter/nft_set_pipapo_avx2.c

··· 242 242 243 243 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 244 244 if (last) 245 - return b; 245 + ret = b; 246 246 247 247 if (unlikely(ret == -1)) 248 248 ret = b / XSAVE_YMM_SIZE; ··· 319 319 320 320 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 321 321 if (last) 322 - return b; 322 + ret = b; 323 323 324 324 if (unlikely(ret == -1)) 325 325 ret = b / XSAVE_YMM_SIZE; ··· 414 414 415 415 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 416 416 if (last) 417 - return b; 417 + ret = b; 418 418 419 419 if (unlikely(ret == -1)) 420 420 ret = b / XSAVE_YMM_SIZE; ··· 505 505 506 506 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 507 507 if (last) 508 - return b; 508 + ret = b; 509 509 510 510 if (unlikely(ret == -1)) 511 511 ret = b / XSAVE_YMM_SIZE; ··· 641 641 642 642 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 643 643 if (last) 644 - return b; 644 + ret = b; 645 645 646 646 if (unlikely(ret == -1)) 647 647 ret = b / XSAVE_YMM_SIZE; ··· 699 699 700 700 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 701 701 if (last) 702 - return b; 702 + ret = b; 703 703 704 704 if (unlikely(ret == -1)) 705 705 ret = b / XSAVE_YMM_SIZE; ··· 764 764 765 765 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 766 766 if (last) 767 - return b; 767 + ret = b; 768 768 769 769 if (unlikely(ret == -1)) 770 770 ret = b / XSAVE_YMM_SIZE; ··· 839 839 840 840 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 841 841 if (last) 842 - return b; 842 + ret = b; 843 843 844 844 if (unlikely(ret == -1)) 845 845 ret = b / XSAVE_YMM_SIZE; ··· 925 925 926 926 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 927 927 if (last) 928 - return b; 928 + ret = b; 929 929 930 930 if (unlikely(ret == -1)) 931 931 ret = b / XSAVE_YMM_SIZE; ··· 1019 1019 1020 1020 b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); 1021 1021 if (last) 1022 - return b; 1022 + ret = b; 1023 1023 1024 1024 if (unlikely(ret == -1)) 1025 1025 ret = b / XSAVE_YMM_SIZE;

+75 -17

net/netfilter/nft_set_rbtree.c

··· 572 572 return array; 573 573 } 574 574 575 - #define NFT_ARRAY_EXTRA_SIZE 10240 576 - 577 575 /* Similar to nft_rbtree_{u,k}size to hide details to userspace, but consider 578 576 * packed representation coming from userspace for anonymous sets too. 579 577 */ 580 578 static u32 nft_array_elems(const struct nft_set *set) 581 579 { 582 - u32 nelems = atomic_read(&set->nelems); 580 + u32 nelems = atomic_read(&set->nelems) - set->ndeact; 583 581 584 582 /* Adjacent intervals are represented with a single start element in 585 583 * anonymous sets, use the current element counter as is. ··· 593 595 return (nelems / 2) + 2; 594 596 } 595 597 596 - static int nft_array_may_resize(const struct nft_set *set) 598 + #define NFT_ARRAY_INITIAL_SIZE 1024 599 + #define NFT_ARRAY_INITIAL_ANON_SIZE 16 600 + #define NFT_ARRAY_INITIAL_ANON_THRESH (8192U / sizeof(struct nft_array_interval)) 601 + 602 + static int nft_array_may_resize(const struct nft_set *set, bool flush) 597 603 { 598 - u32 nelems = nft_array_elems(set), new_max_intervals; 604 + u32 initial_intervals, max_intervals, new_max_intervals, delta; 605 + u32 shrinked_max_intervals, nelems = nft_array_elems(set); 599 606 struct nft_rbtree *priv = nft_set_priv(set); 600 607 struct nft_array *array; 601 608 602 - if (!priv->array_next) { 603 - array = nft_array_alloc(nelems + NFT_ARRAY_EXTRA_SIZE); 609 + if (nft_set_is_anonymous(set)) 610 + initial_intervals = NFT_ARRAY_INITIAL_ANON_SIZE; 611 + else 612 + initial_intervals = NFT_ARRAY_INITIAL_SIZE; 613 + 614 + if (priv->array_next) { 615 + max_intervals = priv->array_next->max_intervals; 616 + new_max_intervals = priv->array_next->max_intervals; 617 + } else { 618 + if (priv->array) { 619 + max_intervals = priv->array->max_intervals; 620 + new_max_intervals = priv->array->max_intervals; 621 + } else { 622 + max_intervals = 0; 623 + new_max_intervals = initial_intervals; 624 + } 625 + } 626 + 627 + if (nft_set_is_anonymous(set)) 628 + goto maybe_grow; 629 + 630 + if (flush) { 631 + /* Set flush just started, nelems still report elements.*/ 632 + nelems = 0; 633 + new_max_intervals = NFT_ARRAY_INITIAL_SIZE; 634 + goto realloc_array; 635 + } 636 + 637 + if (check_add_overflow(new_max_intervals, new_max_intervals, 638 + &shrinked_max_intervals)) 639 + return -EOVERFLOW; 640 + 641 + shrinked_max_intervals = DIV_ROUND_UP(shrinked_max_intervals, 3); 642 + 643 + if (shrinked_max_intervals > NFT_ARRAY_INITIAL_SIZE && 644 + nelems < shrinked_max_intervals) { 645 + new_max_intervals = shrinked_max_intervals; 646 + goto realloc_array; 647 + } 648 + maybe_grow: 649 + if (nelems > new_max_intervals) { 650 + if (nft_set_is_anonymous(set) && 651 + new_max_intervals < NFT_ARRAY_INITIAL_ANON_THRESH) { 652 + new_max_intervals <<= 1; 653 + } else { 654 + delta = new_max_intervals >> 1; 655 + if (check_add_overflow(new_max_intervals, delta, 656 + &new_max_intervals)) 657 + return -EOVERFLOW; 658 + } 659 + } 660 + 661 + realloc_array: 662 + if (WARN_ON_ONCE(nelems > new_max_intervals)) 663 + return -ENOMEM; 664 + 665 + if (priv->array_next) { 666 + if (max_intervals == new_max_intervals) 667 + return 0; 668 + 669 + if (nft_array_intervals_alloc(priv->array_next, new_max_intervals) < 0) 670 + return -ENOMEM; 671 + } else { 672 + array = nft_array_alloc(new_max_intervals); 604 673 if (!array) 605 674 return -ENOMEM; 606 675 607 676 priv->array_next = array; 608 677 } 609 - 610 - if (nelems < priv->array_next->max_intervals) 611 - return 0; 612 - 613 - new_max_intervals = priv->array_next->max_intervals + NFT_ARRAY_EXTRA_SIZE; 614 - if (nft_array_intervals_alloc(priv->array_next, new_max_intervals) < 0) 615 - return -ENOMEM; 616 678 617 679 return 0; 618 680 } ··· 688 630 689 631 nft_rbtree_maybe_reset_start_cookie(priv, tstamp); 690 632 691 - if (nft_array_may_resize(set) < 0) 633 + if (nft_array_may_resize(set, false) < 0) 692 634 return -ENOMEM; 693 635 694 636 do { ··· 799 741 nft_rbtree_interval_null(set, this)) 800 742 priv->start_rbe_cookie = 0; 801 743 802 - if (nft_array_may_resize(set) < 0) 744 + if (nft_array_may_resize(set, false) < 0) 803 745 return NULL; 804 746 805 747 while (parent != NULL) { ··· 869 811 870 812 switch (iter->type) { 871 813 case NFT_ITER_UPDATE_CLONE: 872 - if (nft_array_may_resize(set) < 0) { 814 + if (nft_array_may_resize(set, true) < 0) { 873 815 iter->err = -ENOMEM; 874 816 break; 875 817 }

+6 -4

net/nfc/nci/core.c

··· 579 579 skb_queue_purge(&ndev->rx_q); 580 580 skb_queue_purge(&ndev->tx_q); 581 581 582 - /* Flush RX and TX wq */ 583 - flush_workqueue(ndev->rx_wq); 582 + /* Flush TX wq, RX wq flush can't be under the lock */ 584 583 flush_workqueue(ndev->tx_wq); 585 584 586 585 /* Reset device */ ··· 591 592 msecs_to_jiffies(NCI_RESET_TIMEOUT)); 592 593 593 594 /* After this point our queues are empty 594 - * and no works are scheduled. 595 + * rx work may be running but will see that NCI_UP was cleared 595 596 */ 596 597 ndev->ops->close(ndev); 597 598 598 599 clear_bit(NCI_INIT, &ndev->flags); 599 600 600 - /* Flush cmd wq */ 601 + /* Flush cmd and tx wq */ 601 602 flush_workqueue(ndev->cmd_wq); 602 603 603 604 timer_delete_sync(&ndev->cmd_timer); ··· 611 612 ndev->flags &= BIT(NCI_UNREG); 612 613 613 614 mutex_unlock(&ndev->req_lock); 615 + 616 + /* rx_work may take req_lock via nci_deactivate_target */ 617 + flush_workqueue(ndev->rx_wq); 614 618 615 619 return 0; 616 620 }

+2

net/openvswitch/flow_netlink.c

··· 2953 2953 case OVS_KEY_ATTR_MPLS: 2954 2954 if (!eth_p_mpls(eth_type)) 2955 2955 return -EINVAL; 2956 + if (key_len != sizeof(struct ovs_key_mpls)) 2957 + return -EINVAL; 2956 2958 break; 2957 2959 2958 2960 case OVS_KEY_ATTR_SCTP:

+8 -3

net/openvswitch/vport-netdev.c

··· 151 151 void ovs_netdev_detach_dev(struct vport *vport) 152 152 { 153 153 ASSERT_RTNL(); 154 - vport->dev->priv_flags &= ~IFF_OVS_DATAPATH; 155 154 netdev_rx_handler_unregister(vport->dev); 156 155 netdev_upper_dev_unlink(vport->dev, 157 156 netdev_master_upper_dev_get(vport->dev)); 158 157 dev_set_promiscuity(vport->dev, -1); 158 + 159 + /* paired with smp_mb() in netdev_destroy() */ 160 + smp_wmb(); 161 + 162 + vport->dev->priv_flags &= ~IFF_OVS_DATAPATH; 159 163 } 160 164 161 165 static void netdev_destroy(struct vport *vport) ··· 178 174 rtnl_unlock(); 179 175 } 180 176 177 + /* paired with smp_wmb() in ovs_netdev_detach_dev() */ 178 + smp_mb(); 179 + 181 180 call_rcu(&vport->rcu, vport_netdev_free); 182 181 } 183 182 ··· 196 189 */ 197 190 if (vport->dev->reg_state == NETREG_REGISTERED) 198 191 rtnl_delete_link(vport->dev, 0, NULL); 199 - netdev_put(vport->dev, &vport->dev_tracker); 200 - vport->dev = NULL; 201 192 rtnl_unlock(); 202 193 203 194 call_rcu(&vport->rcu, vport_netdev_free);

+1

net/packet/af_packet.c

··· 3135 3135 3136 3136 spin_lock(&po->bind_lock); 3137 3137 unregister_prot_hook(sk, false); 3138 + WRITE_ONCE(po->num, 0); 3138 3139 packet_cached_dev_reset(po); 3139 3140 3140 3141 if (po->prot_hook.dev) {

+8 -1

net/smc/smc_rx.c

··· 135 135 sock_put(sk); 136 136 } 137 137 138 + static bool smc_rx_pipe_buf_get(struct pipe_inode_info *pipe, 139 + struct pipe_buffer *buf) 140 + { 141 + /* smc_spd_priv in buf->private is not shareable; disallow cloning. */ 142 + return false; 143 + } 144 + 138 145 static const struct pipe_buf_operations smc_pipe_ops = { 139 146 .release = smc_rx_pipe_buf_release, 140 - .get = generic_pipe_buf_get 147 + .get = smc_rx_pipe_buf_get, 141 148 }; 142 149 143 150 static void smc_rx_spd_release(struct splice_pipe_desc *spd,

+1 -1

net/tls/tls_sw.c

··· 246 246 crypto_wait_req(-EINPROGRESS, &ctx->async_wait); 247 247 atomic_inc(&ctx->decrypt_pending); 248 248 249 + __skb_queue_purge(&ctx->async_hold); 249 250 return ctx->async_wait.err; 250 251 } 251 252 ··· 2226 2225 2227 2226 /* Wait for all previously submitted records to be decrypted */ 2228 2227 ret = tls_decrypt_async_wait(ctx); 2229 - __skb_queue_purge(&ctx->async_hold); 2230 2228 2231 2229 if (ret) { 2232 2230 if (err >= 0 || err == -EINPROGRESS)

+4 -1

net/xfrm/xfrm_input.c

··· 75 75 76 76 spin_lock_bh(&xfrm_input_afinfo_lock); 77 77 if (likely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family])) { 78 - if (unlikely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family] != afinfo)) 78 + const struct xfrm_input_afinfo *cur; 79 + 80 + cur = rcu_access_pointer(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family]); 81 + if (unlikely(cur != afinfo)) 79 82 err = -EINVAL; 80 83 else 81 84 RCU_INIT_POINTER(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family], NULL);

+14 -3

net/xfrm/xfrm_iptfs.c

··· 901 901 iptfs_skb_can_add_frags(newskb, fragwalk, data, copylen)) { 902 902 iptfs_skb_add_frags(newskb, fragwalk, data, copylen); 903 903 } else { 904 + if (skb_linearize(newskb)) { 905 + XFRM_INC_STATS(xs_net(xtfs->x), 906 + LINUX_MIB_XFRMINBUFFERERROR); 907 + goto abandon; 908 + } 909 + 904 910 /* copy fragment data into newskb */ 905 911 if (skb_copy_seq_read(st, data, skb_put(newskb, copylen), 906 912 copylen)) { ··· 997 991 998 992 iplen = be16_to_cpu(iph->tot_len); 999 993 iphlen = iph->ihl << 2; 994 + if (iplen < iphlen || iphlen < sizeof(*iph)) { 995 + XFRM_INC_STATS(net, 996 + LINUX_MIB_XFRMINHDRERROR); 997 + goto done; 998 + } 1000 999 protocol = cpu_to_be16(ETH_P_IP); 1001 1000 XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos; 1002 1001 } else if (iph->version == 0x6) { ··· 2664 2653 if (!xtfs) 2665 2654 return -ENOMEM; 2666 2655 2667 - x->mode_data = xtfs; 2668 - xtfs->x = x; 2669 - 2670 2656 xtfs->ra_newskb = NULL; 2671 2657 if (xtfs->cfg.reorder_win_size) { 2672 2658 xtfs->w_saved = kzalloc_objs(*xtfs->w_saved, ··· 2673 2665 return -ENOMEM; 2674 2666 } 2675 2667 } 2668 + 2669 + x->mode_data = xtfs; 2670 + xtfs->x = x; 2676 2671 2677 2672 return 0; 2678 2673 }

+1 -1

net/xfrm/xfrm_nat_keepalive.c

··· 261 261 262 262 int xfrm_nat_keepalive_net_fini(struct net *net) 263 263 { 264 - cancel_delayed_work_sync(&net->xfrm.nat_keepalive_work); 264 + disable_delayed_work_sync(&net->xfrm.nat_keepalive_work); 265 265 return 0; 266 266 } 267 267

+7 -5

net/xfrm/xfrm_policy.c

··· 4156 4156 int i; 4157 4157 4158 4158 for (i = 0; i < ARRAY_SIZE(xfrm_policy_afinfo); i++) { 4159 - if (xfrm_policy_afinfo[i] != afinfo) 4159 + if (rcu_access_pointer(xfrm_policy_afinfo[i]) != afinfo) 4160 4160 continue; 4161 4161 RCU_INIT_POINTER(xfrm_policy_afinfo[i], NULL); 4162 4162 break; ··· 4242 4242 net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0; 4243 4243 4244 4244 htab = &net->xfrm.policy_bydst[dir]; 4245 - htab->table = xfrm_hash_alloc(sz); 4245 + rcu_assign_pointer(htab->table, xfrm_hash_alloc(sz)); 4246 4246 if (!htab->table) 4247 4247 goto out_bydst; 4248 4248 htab->hmask = hmask; ··· 4269 4269 struct xfrm_policy_hash *htab; 4270 4270 4271 4271 htab = &net->xfrm.policy_bydst[dir]; 4272 - xfrm_hash_free(htab->table, sz); 4272 + xfrm_hash_free(rcu_dereference_protected(htab->table, true), sz); 4273 4273 } 4274 4274 xfrm_hash_free(net->xfrm.policy_byidx, sz); 4275 4275 out_byidx: ··· 4281 4281 struct xfrm_pol_inexact_bin *b, *t; 4282 4282 unsigned int sz; 4283 4283 int dir; 4284 + 4285 + disable_work_sync(&net->xfrm.policy_hthresh.work); 4284 4286 4285 4287 flush_work(&net->xfrm.policy_hash_work); 4286 4288 #ifdef CONFIG_XFRM_SUB_POLICY ··· 4297 4295 4298 4296 htab = &net->xfrm.policy_bydst[dir]; 4299 4297 sz = (htab->hmask + 1) * sizeof(struct hlist_head); 4300 - WARN_ON(!hlist_empty(htab->table)); 4301 - xfrm_hash_free(htab->table, sz); 4298 + WARN_ON(!hlist_empty(rcu_dereference_protected(htab->table, true))); 4299 + xfrm_hash_free(rcu_dereference_protected(htab->table, true), sz); 4302 4300 } 4303 4301 4304 4302 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);

+64 -52

net/xfrm/xfrm_state.c

··· 53 53 static HLIST_HEAD(xfrm_state_gc_list); 54 54 static HLIST_HEAD(xfrm_state_dev_gc_list); 55 55 56 - static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x) 56 + static inline bool xfrm_state_hold_rcu(struct xfrm_state *x) 57 57 { 58 58 return refcount_inc_not_zero(&x->refcnt); 59 59 } ··· 870 870 for (i = 0; i <= net->xfrm.state_hmask; i++) { 871 871 struct xfrm_state *x; 872 872 873 - hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 873 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + i, bydst) { 874 874 if (xfrm_id_proto_match(x->id.proto, proto) && 875 875 (err = security_xfrm_state_delete(x)) != 0) { 876 876 xfrm_audit_state_delete(x, 0, task_valid); ··· 891 891 struct xfrm_state *x; 892 892 struct xfrm_dev_offload *xso; 893 893 894 - hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 894 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + i, bydst) { 895 895 xso = &x->xso; 896 896 897 897 if (xso->dev == dev && ··· 931 931 for (i = 0; i <= net->xfrm.state_hmask; i++) { 932 932 struct xfrm_state *x; 933 933 restart: 934 - hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 934 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + i, bydst) { 935 935 if (!xfrm_state_kern(x) && 936 936 xfrm_id_proto_match(x->id.proto, proto)) { 937 937 xfrm_state_hold(x); ··· 973 973 err = -ESRCH; 974 974 for (i = 0; i <= net->xfrm.state_hmask; i++) { 975 975 restart: 976 - hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 976 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + i, bydst) { 977 977 xso = &x->xso; 978 978 979 979 if (!xfrm_state_kern(x) && xso->dev == dev) { ··· 1563 1563 list_add(&x->km.all, &net->xfrm.state_all); 1564 1564 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); 1565 1565 XFRM_STATE_INSERT(bydst, &x->bydst, 1566 - net->xfrm.state_bydst + h, 1566 + xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, 1567 1567 x->xso.type); 1568 1568 h = xfrm_src_hash(net, daddr, saddr, encap_family); 1569 1569 XFRM_STATE_INSERT(bysrc, &x->bysrc, 1570 - net->xfrm.state_bysrc + h, 1570 + xfrm_state_deref_prot(net->xfrm.state_bysrc, net) + h, 1571 1571 x->xso.type); 1572 1572 INIT_HLIST_NODE(&x->state_cache); 1573 1573 if (x->id.spi) { 1574 1574 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, encap_family); 1575 1575 XFRM_STATE_INSERT(byspi, &x->byspi, 1576 - net->xfrm.state_byspi + h, 1576 + xfrm_state_deref_prot(net->xfrm.state_byspi, net) + h, 1577 1577 x->xso.type); 1578 1578 } 1579 1579 if (x->km.seq) { 1580 1580 h = xfrm_seq_hash(net, x->km.seq); 1581 1581 XFRM_STATE_INSERT(byseq, &x->byseq, 1582 - net->xfrm.state_byseq + h, 1582 + xfrm_state_deref_prot(net->xfrm.state_byseq, net) + h, 1583 1583 x->xso.type); 1584 1584 } 1585 1585 x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires; ··· 1652 1652 1653 1653 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1654 1654 h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 1655 - hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1655 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, bydst) { 1656 1656 if (x->props.family == family && 1657 1657 x->props.reqid == reqid && 1658 1658 (mark & x->mark.m) == x->mark.v && ··· 1703 1703 struct xfrm_state *x; 1704 1704 unsigned int i; 1705 1705 1706 - rcu_read_lock(); 1707 1706 for (i = 0; i <= net->xfrm.state_hmask; i++) { 1708 - hlist_for_each_entry_rcu(x, &net->xfrm.state_byspi[i], byspi) { 1709 - if (x->id.spi == spi && x->id.proto == proto) { 1710 - if (!xfrm_state_hold_rcu(x)) 1711 - continue; 1712 - rcu_read_unlock(); 1707 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_byspi, net) + i, byspi) { 1708 + if (x->id.spi == spi && x->id.proto == proto) 1713 1709 return x; 1714 - } 1715 1710 } 1716 1711 } 1717 - rcu_read_unlock(); 1718 1712 return NULL; 1719 1713 } 1720 1714 ··· 1724 1730 1725 1731 h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr, 1726 1732 x->props.reqid, x->props.family); 1727 - XFRM_STATE_INSERT(bydst, &x->bydst, net->xfrm.state_bydst + h, 1733 + XFRM_STATE_INSERT(bydst, &x->bydst, 1734 + xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, 1728 1735 x->xso.type); 1729 1736 1730 1737 h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family); 1731 - XFRM_STATE_INSERT(bysrc, &x->bysrc, net->xfrm.state_bysrc + h, 1738 + XFRM_STATE_INSERT(bysrc, &x->bysrc, 1739 + xfrm_state_deref_prot(net->xfrm.state_bysrc, net) + h, 1732 1740 x->xso.type); 1733 1741 1734 1742 if (x->id.spi) { 1735 1743 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, 1736 1744 x->props.family); 1737 1745 1738 - XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h, 1746 + XFRM_STATE_INSERT(byspi, &x->byspi, 1747 + xfrm_state_deref_prot(net->xfrm.state_byspi, net) + h, 1739 1748 x->xso.type); 1740 1749 } 1741 1750 1742 1751 if (x->km.seq) { 1743 1752 h = xfrm_seq_hash(net, x->km.seq); 1744 1753 1745 - XFRM_STATE_INSERT(byseq, &x->byseq, net->xfrm.state_byseq + h, 1754 + XFRM_STATE_INSERT(byseq, &x->byseq, 1755 + xfrm_state_deref_prot(net->xfrm.state_byseq, net) + h, 1746 1756 x->xso.type); 1747 1757 } 1748 1758 ··· 1773 1775 u32 cpu_id = xnew->pcpu_num; 1774 1776 1775 1777 h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family); 1776 - hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1778 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, bydst) { 1777 1779 if (x->props.family == family && 1778 1780 x->props.reqid == reqid && 1779 1781 x->if_id == if_id && ··· 1809 1811 struct xfrm_state *x; 1810 1812 u32 mark = m->v & m->m; 1811 1813 1812 - hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1814 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, bydst) { 1813 1815 if (x->props.reqid != reqid || 1814 1816 x->props.mode != mode || 1815 1817 x->props.family != family || ··· 1866 1868 ktime_set(net->xfrm.sysctl_acq_expires, 0), 1867 1869 HRTIMER_MODE_REL_SOFT); 1868 1870 list_add(&x->km.all, &net->xfrm.state_all); 1869 - XFRM_STATE_INSERT(bydst, &x->bydst, net->xfrm.state_bydst + h, 1871 + XFRM_STATE_INSERT(bydst, &x->bydst, 1872 + xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, 1870 1873 x->xso.type); 1871 1874 h = xfrm_src_hash(net, daddr, saddr, family); 1872 - XFRM_STATE_INSERT(bysrc, &x->bysrc, net->xfrm.state_bysrc + h, 1875 + XFRM_STATE_INSERT(bysrc, &x->bysrc, 1876 + xfrm_state_deref_prot(net->xfrm.state_bysrc, net) + h, 1873 1877 x->xso.type); 1874 1878 1875 1879 net->xfrm.state_num++; ··· 2091 2091 if (m->reqid) { 2092 2092 h = xfrm_dst_hash(net, &m->old_daddr, &m->old_saddr, 2093 2093 m->reqid, m->old_family); 2094 - hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 2094 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + h, bydst) { 2095 2095 if (x->props.mode != m->mode || 2096 2096 x->id.proto != m->proto) 2097 2097 continue; ··· 2110 2110 } else { 2111 2111 h = xfrm_src_hash(net, &m->old_daddr, &m->old_saddr, 2112 2112 m->old_family); 2113 - hlist_for_each_entry(x, net->xfrm.state_bysrc+h, bysrc) { 2113 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bysrc, net) + h, bysrc) { 2114 2114 if (x->props.mode != m->mode || 2115 2115 x->id.proto != m->proto) 2116 2116 continue; ··· 2264 2264 2265 2265 err = 0; 2266 2266 x->km.state = XFRM_STATE_DEAD; 2267 + xfrm_dev_state_delete(x); 2267 2268 __xfrm_state_put(x); 2268 2269 } 2269 2270 ··· 2313 2312 2314 2313 spin_lock_bh(&net->xfrm.xfrm_state_lock); 2315 2314 for (i = 0; i <= net->xfrm.state_hmask; i++) { 2316 - hlist_for_each_entry(x, net->xfrm.state_bydst + i, bydst) 2315 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_bydst, net) + i, bydst) 2317 2316 xfrm_dev_state_update_stats(x); 2318 2317 } 2319 2318 spin_unlock_bh(&net->xfrm.xfrm_state_lock); ··· 2504 2503 unsigned int h = xfrm_seq_hash(net, seq); 2505 2504 struct xfrm_state *x; 2506 2505 2507 - hlist_for_each_entry_rcu(x, net->xfrm.state_byseq + h, byseq) { 2506 + hlist_for_each_entry(x, xfrm_state_deref_prot(net->xfrm.state_byseq, net) + h, byseq) { 2508 2507 if (x->km.seq == seq && 2509 2508 (mark & x->mark.m) == x->mark.v && 2510 2509 x->pcpu_num == pcpu_num && ··· 2603 2602 if (!x0) { 2604 2603 x->id.spi = newspi; 2605 2604 h = xfrm_spi_hash(net, &x->id.daddr, newspi, x->id.proto, x->props.family); 2606 - XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h, x->xso.type); 2605 + XFRM_STATE_INSERT(byspi, &x->byspi, 2606 + xfrm_state_deref_prot(net->xfrm.state_byspi, net) + h, 2607 + x->xso.type); 2607 2608 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2608 2609 err = 0; 2609 2610 goto unlock; 2610 2611 } 2611 - xfrm_state_put(x0); 2612 2612 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2613 2613 2614 2614 next: ··· 3260 3258 3261 3259 int __net_init xfrm_state_init(struct net *net) 3262 3260 { 3261 + struct hlist_head *ndst, *nsrc, *nspi, *nseq; 3263 3262 unsigned int sz; 3264 3263 3265 3264 if (net_eq(net, &init_net)) ··· 3271 3268 3272 3269 sz = sizeof(struct hlist_head) * 8; 3273 3270 3274 - net->xfrm.state_bydst = xfrm_hash_alloc(sz); 3275 - if (!net->xfrm.state_bydst) 3271 + ndst = xfrm_hash_alloc(sz); 3272 + if (!ndst) 3276 3273 goto out_bydst; 3277 - net->xfrm.state_bysrc = xfrm_hash_alloc(sz); 3278 - if (!net->xfrm.state_bysrc) 3274 + rcu_assign_pointer(net->xfrm.state_bydst, ndst); 3275 + 3276 + nsrc = xfrm_hash_alloc(sz); 3277 + if (!nsrc) 3279 3278 goto out_bysrc; 3280 - net->xfrm.state_byspi = xfrm_hash_alloc(sz); 3281 - if (!net->xfrm.state_byspi) 3279 + rcu_assign_pointer(net->xfrm.state_bysrc, nsrc); 3280 + 3281 + nspi = xfrm_hash_alloc(sz); 3282 + if (!nspi) 3282 3283 goto out_byspi; 3283 - net->xfrm.state_byseq = xfrm_hash_alloc(sz); 3284 - if (!net->xfrm.state_byseq) 3284 + rcu_assign_pointer(net->xfrm.state_byspi, nspi); 3285 + 3286 + nseq = xfrm_hash_alloc(sz); 3287 + if (!nseq) 3285 3288 goto out_byseq; 3289 + rcu_assign_pointer(net->xfrm.state_byseq, nseq); 3286 3290 3287 3291 net->xfrm.state_cache_input = alloc_percpu(struct hlist_head); 3288 3292 if (!net->xfrm.state_cache_input) ··· 3305 3295 return 0; 3306 3296 3307 3297 out_state_cache_input: 3308 - xfrm_hash_free(net->xfrm.state_byseq, sz); 3298 + xfrm_hash_free(nseq, sz); 3309 3299 out_byseq: 3310 - xfrm_hash_free(net->xfrm.state_byspi, sz); 3300 + xfrm_hash_free(nspi, sz); 3311 3301 out_byspi: 3312 - xfrm_hash_free(net->xfrm.state_bysrc, sz); 3302 + xfrm_hash_free(nsrc, sz); 3313 3303 out_bysrc: 3314 - xfrm_hash_free(net->xfrm.state_bydst, sz); 3304 + xfrm_hash_free(ndst, sz); 3315 3305 out_bydst: 3316 3306 return -ENOMEM; 3317 3307 } 3318 3308 3309 + #define xfrm_state_deref_netexit(table) \ 3310 + rcu_dereference_protected((table), true /* netns is going away */) 3319 3311 void xfrm_state_fini(struct net *net) 3320 3312 { 3321 3313 unsigned int sz; ··· 3330 3318 WARN_ON(!list_empty(&net->xfrm.state_all)); 3331 3319 3332 3320 for (i = 0; i <= net->xfrm.state_hmask; i++) { 3333 - WARN_ON(!hlist_empty(net->xfrm.state_byseq + i)); 3334 - WARN_ON(!hlist_empty(net->xfrm.state_byspi + i)); 3335 - WARN_ON(!hlist_empty(net->xfrm.state_bysrc + i)); 3336 - WARN_ON(!hlist_empty(net->xfrm.state_bydst + i)); 3321 + WARN_ON(!hlist_empty(xfrm_state_deref_netexit(net->xfrm.state_byseq) + i)); 3322 + WARN_ON(!hlist_empty(xfrm_state_deref_netexit(net->xfrm.state_byspi) + i)); 3323 + WARN_ON(!hlist_empty(xfrm_state_deref_netexit(net->xfrm.state_bysrc) + i)); 3324 + WARN_ON(!hlist_empty(xfrm_state_deref_netexit(net->xfrm.state_bydst) + i)); 3337 3325 } 3338 3326 3339 3327 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head); 3340 - xfrm_hash_free(net->xfrm.state_byseq, sz); 3341 - xfrm_hash_free(net->xfrm.state_byspi, sz); 3342 - xfrm_hash_free(net->xfrm.state_bysrc, sz); 3343 - xfrm_hash_free(net->xfrm.state_bydst, sz); 3328 + xfrm_hash_free(xfrm_state_deref_netexit(net->xfrm.state_byseq), sz); 3329 + xfrm_hash_free(xfrm_state_deref_netexit(net->xfrm.state_byspi), sz); 3330 + xfrm_hash_free(xfrm_state_deref_netexit(net->xfrm.state_bysrc), sz); 3331 + xfrm_hash_free(xfrm_state_deref_netexit(net->xfrm.state_bydst), sz); 3344 3332 free_percpu(net->xfrm.state_cache_input); 3345 3333 } 3346 3334

+22 -10

net/xfrm/xfrm_user.c

··· 35 35 #endif 36 36 #include <linux/unaligned.h> 37 37 38 + static struct sock *xfrm_net_nlsk(const struct net *net, const struct sk_buff *skb) 39 + { 40 + /* get the source of this request, see netlink_unicast_kernel */ 41 + const struct sock *sk = NETLINK_CB(skb).sk; 42 + 43 + /* sk is refcounted, the netns stays alive and nlsk with it */ 44 + return rcu_dereference_protected(net->xfrm.nlsk, sk->sk_net_refcnt); 45 + } 46 + 38 47 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type, 39 48 struct netlink_ext_ack *extack) 40 49 { ··· 1736 1727 err = build_spdinfo(r_skb, net, sportid, seq, *flags); 1737 1728 BUG_ON(err < 0); 1738 1729 1739 - return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1730 + return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, sportid); 1740 1731 } 1741 1732 1742 1733 static inline unsigned int xfrm_sadinfo_msgsize(void) ··· 1796 1787 err = build_sadinfo(r_skb, net, sportid, seq, *flags); 1797 1788 BUG_ON(err < 0); 1798 1789 1799 - return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1790 + return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, sportid); 1800 1791 } 1801 1792 1802 1793 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, ··· 1816 1807 if (IS_ERR(resp_skb)) { 1817 1808 err = PTR_ERR(resp_skb); 1818 1809 } else { 1819 - err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1810 + err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, NETLINK_CB(skb).portid); 1820 1811 } 1821 1812 xfrm_state_put(x); 1822 1813 out_noput: ··· 1859 1850 pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 1860 1851 if (pcpu_num >= num_possible_cpus()) { 1861 1852 err = -EINVAL; 1853 + NL_SET_ERR_MSG(extack, "pCPU number too big"); 1862 1854 goto out_noput; 1863 1855 } 1864 1856 } ··· 1907 1897 } 1908 1898 } 1909 1899 1910 - err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1900 + err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, NETLINK_CB(skb).portid); 1911 1901 1912 1902 out: 1913 1903 xfrm_state_put(x); ··· 2552 2542 r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; 2553 2543 nlmsg_end(r_skb, r_nlh); 2554 2544 2555 - return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); 2545 + return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, portid); 2556 2546 } 2557 2547 2558 2548 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ··· 2618 2608 if (IS_ERR(resp_skb)) { 2619 2609 err = PTR_ERR(resp_skb); 2620 2610 } else { 2621 - err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 2611 + err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, 2622 2612 NETLINK_CB(skb).portid); 2623 2613 } 2624 2614 } else { ··· 2791 2781 err = build_aevent(r_skb, x, &c); 2792 2782 BUG_ON(err < 0); 2793 2783 2794 - err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); 2784 + err = nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, NETLINK_CB(skb).portid); 2795 2785 spin_unlock_bh(&x->lock); 2796 2786 xfrm_state_put(x); 2797 2787 return err; ··· 3011 3001 if (attrs[XFRMA_SA_PCPU]) { 3012 3002 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 3013 3003 err = -EINVAL; 3014 - if (x->pcpu_num >= num_possible_cpus()) 3004 + if (x->pcpu_num >= num_possible_cpus()) { 3005 + NL_SET_ERR_MSG(extack, "pCPU number too big"); 3015 3006 goto free_state; 3007 + } 3016 3008 } 3017 3009 3018 3010 err = verify_newpolicy_info(&ua->policy, extack); ··· 3495 3483 goto err; 3496 3484 } 3497 3485 3498 - err = netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 3486 + err = netlink_dump_start(xfrm_net_nlsk(net, skb), skb, nlh, &c); 3499 3487 goto err; 3500 3488 } 3501 3489 ··· 3685 3673 } 3686 3674 if (x->if_id) 3687 3675 l += nla_total_size(sizeof(x->if_id)); 3688 - if (x->pcpu_num) 3676 + if (x->pcpu_num != UINT_MAX) 3689 3677 l += nla_total_size(sizeof(x->pcpu_num)); 3690 3678 3691 3679 /* Must count x->lastused as it may become non-zero behind our back. */

+1

tools/testing/selftests/drivers/net/team/Makefile

··· 3 3 4 4 TEST_PROGS := \ 5 5 dev_addr_lists.sh \ 6 + non_ether_header_ops.sh \ 6 7 options.sh \ 7 8 propagation.sh \ 8 9 refleak.sh \

+2

tools/testing/selftests/drivers/net/team/config

··· 1 + CONFIG_BONDING=y 1 2 CONFIG_DUMMY=y 2 3 CONFIG_IPV6=y 3 4 CONFIG_MACVLAN=y 4 5 CONFIG_NETDEVSIM=m 6 + CONFIG_NET_IPGRE=y 5 7 CONFIG_NET_TEAM=y 6 8 CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=y 7 9 CONFIG_NET_TEAM_MODE_LOADBALANCE=y

+41

tools/testing/selftests/drivers/net/team/non_ether_header_ops.sh

··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # shellcheck disable=SC2154 4 + # 5 + # Reproduce the non-Ethernet header_ops confusion scenario with: 6 + # g0 (gre) -> b0 (bond) -> t0 (team) 7 + # 8 + # Before the fix, direct header_ops inheritance in this stack could call 9 + # callbacks with the wrong net_device context and crash. 10 + 11 + lib_dir=$(dirname "$0") 12 + source "$lib_dir"/../../../net/lib.sh 13 + 14 + trap cleanup_all_ns EXIT 15 + 16 + setup_ns ns1 17 + 18 + ip -n "$ns1" link add d0 type dummy 19 + ip -n "$ns1" addr add 10.10.10.1/24 dev d0 20 + ip -n "$ns1" link set d0 up 21 + 22 + ip -n "$ns1" link add g0 type gre local 10.10.10.1 23 + ip -n "$ns1" link add b0 type bond mode active-backup 24 + ip -n "$ns1" link add t0 type team 25 + 26 + ip -n "$ns1" link set g0 master b0 27 + ip -n "$ns1" link set b0 master t0 28 + 29 + ip -n "$ns1" link set g0 up 30 + ip -n "$ns1" link set b0 up 31 + ip -n "$ns1" link set t0 up 32 + 33 + # IPv6 address assignment triggers MLD join reports that call 34 + # dev_hard_header() on t0, exercising the inherited header_ops path. 35 + ip -n "$ns1" -6 addr add 2001:db8:1::1/64 dev t0 nodad 36 + for i in $(seq 1 20); do 37 + ip netns exec "$ns1" ping -6 -I t0 ff02::1 -c1 -W1 &>/dev/null || true 38 + done 39 + 40 + echo "PASS: non-Ethernet header_ops stacking did not crash" 41 + exit "$EXIT_STATUS"

+58 -3

tools/testing/selftests/net/fib_tests.sh

··· 868 868 check_rt_num 5 $($IP -6 route list |grep -v expires|grep 2001:20::|wc -l) 869 869 log_test $ret 0 "ipv6 route garbage collection (replace with permanent)" 870 870 871 + # Delete dummy_10 and remove all routes 872 + $IP link del dev dummy_10 873 + 874 + # rd6 is required for the next test. (ipv6toolkit) 875 + if [ ! -x "$(command -v rd6)" ]; then 876 + echo "SKIP: rd6 not found." 877 + set +e 878 + cleanup &> /dev/null 879 + return 880 + fi 881 + 882 + setup_ns ns2 883 + $IP link add veth1 type veth peer veth2 netns $ns2 884 + $IP link set veth1 up 885 + ip -netns $ns2 link set veth2 up 886 + $IP addr add fe80:dead::1/64 dev veth1 887 + ip -netns $ns2 addr add fe80:dead::2/64 dev veth2 888 + 889 + # Add NTF_ROUTER neighbour to prevent rt6_age_examine_exception() 890 + # from removing not-yet-expired exceptions. 891 + ip -netns $ns2 link set veth2 address 00:11:22:33:44:55 892 + $IP neigh add fe80:dead::3 lladdr 00:11:22:33:44:55 dev veth1 router 893 + 894 + $NS_EXEC sysctl -wq net.ipv6.conf.veth1.accept_redirects=1 895 + $NS_EXEC sysctl -wq net.ipv6.conf.veth1.forwarding=0 896 + 897 + # Temporary routes 898 + for i in $(seq 1 5); do 899 + # Expire route after $EXPIRE seconds 900 + $IP -6 route add 2001:10::$i \ 901 + via fe80:dead::2 dev veth1 expires $EXPIRE 902 + 903 + ip netns exec $ns2 rd6 -i veth2 \ 904 + -s fe80:dead::2 -d fe80:dead::1 \ 905 + -r 2001:10::$i -t fe80:dead::3 -p ICMP6 906 + done 907 + 908 + check_rt_num 5 $($IP -6 route list | grep expires | grep 2001:10:: | wc -l) 909 + 910 + # Promote to permanent routes by "prepend" (w/o NLM_F_EXCL and NLM_F_REPLACE) 911 + for i in $(seq 1 5); do 912 + # -EEXIST, but the temporary route becomes the permanent route. 913 + $IP -6 route append 2001:10::$i \ 914 + via fe80:dead::2 dev veth1 2>/dev/null || true 915 + done 916 + 917 + check_rt_num 5 $($IP -6 route list | grep -v expires | grep 2001:10:: | wc -l) 918 + check_rt_num 5 $($IP -6 route list cache | grep 2001:10:: | wc -l) 919 + 920 + # Trigger GC instead of waiting $GC_WAIT_TIME. 921 + # rt6_nh_dump_exceptions() just skips expired exceptions. 922 + $NS_EXEC sysctl -wq net.ipv6.route.flush=1 923 + check_rt_num 0 $($IP -6 route list cache | grep 2001:10:: | wc -l) 924 + log_test $ret 0 "ipv6 route garbage collection (promote to permanent routes)" 925 + 926 + $IP neigh del fe80:dead::3 lladdr 00:11:22:33:44:55 dev veth1 router 927 + $IP link del veth1 928 + 871 929 # ra6 is required for the next test. (ipv6toolkit) 872 930 if [ ! -x "$(command -v ra6)" ]; then 873 931 echo "SKIP: ra6 not found." ··· 933 875 cleanup &> /dev/null 934 876 return 935 877 fi 936 - 937 - # Delete dummy_10 and remove all routes 938 - $IP link del dev dummy_10 939 878 940 879 # Create a pair of veth devices to send a RA message from one 941 880 # device to another.

+69 -1

tools/testing/selftests/net/netfilter/nft_concat_range.sh

··· 29 29 net6_port_net6_port net_port_mac_proto_net" 30 30 31 31 # Reported bugs, also described by TYPE_ variables below 32 - BUGS="flush_remove_add reload net_port_proto_match avx2_mismatch doublecreate insert_overlap" 32 + BUGS="flush_remove_add reload net_port_proto_match avx2_mismatch doublecreate 33 + insert_overlap load_flush_load4 load_flush_load8" 33 34 34 35 # List of possible paths to pktgen script from kernel tree for performance tests 35 36 PKTGEN_SCRIPT_PATHS=" ··· 423 422 424 423 TYPE_insert_overlap=" 425 424 display reject overlapping range on add 425 + type_spec ipv4_addr . ipv4_addr 426 + chain_spec ip saddr . ip daddr 427 + dst addr4 428 + proto icmp 429 + 430 + race_repeat 0 431 + 432 + perf_duration 0 433 + " 434 + 435 + TYPE_load_flush_load4=" 436 + display reload with flush, 4bit groups 437 + type_spec ipv4_addr . ipv4_addr 438 + chain_spec ip saddr . ip daddr 439 + dst addr4 440 + proto icmp 441 + 442 + race_repeat 0 443 + 444 + perf_duration 0 445 + " 446 + 447 + TYPE_load_flush_load8=" 448 + display reload with flush, 8bit groups 426 449 type_spec ipv4_addr . ipv4_addr 427 450 chain_spec ip saddr . ip daddr 428 451 dst addr4 ··· 2018 1993 2019 1994 elements="1.2.3.4 . 1.2.4.1-1.2.4.2" 2020 1995 add_fail "{ $elements }" || return 1 1996 + 1997 + return 0 1998 + } 1999 + 2000 + test_bug_load_flush_load4() 2001 + { 2002 + local i 2003 + 2004 + setup veth send_"${proto}" set || return ${ksft_skip} 2005 + 2006 + for i in $(seq 0 255); do 2007 + local addelem="add element inet filter test" 2008 + local j 2009 + 2010 + for j in $(seq 0 20); do 2011 + echo "$addelem { 10.$j.0.$i . 10.$j.1.$i }" 2012 + echo "$addelem { 10.$j.0.$i . 10.$j.2.$i }" 2013 + done 2014 + done > "$tmp" 2015 + 2016 + nft -f "$tmp" || return 1 2017 + 2018 + ( echo "flush set inet filter test";cat "$tmp") | nft -f - 2019 + [ $? -eq 0 ] || return 1 2020 + 2021 + return 0 2022 + } 2023 + 2024 + test_bug_load_flush_load8() 2025 + { 2026 + local i 2027 + 2028 + setup veth send_"${proto}" set || return ${ksft_skip} 2029 + 2030 + for i in $(seq 1 100); do 2031 + echo "add element inet filter test { 10.0.0.$i . 10.0.1.$i }" 2032 + echo "add element inet filter test { 10.0.0.$i . 10.0.2.$i }" 2033 + done > "$tmp" 2034 + 2035 + nft -f "$tmp" || return 1 2036 + 2037 + ( echo "flush set inet filter test";cat "$tmp") | nft -f - 2038 + [ $? -eq 0 ] || return 1 2021 2039 2022 2040 return 0 2023 2041 }

Configure Feed

Configure Feed