Merge tag 'net-7.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

+6 -6

Documentation/netlink/specs/net_shaper.yaml

··· 247 247 flags: [admin-perm] 248 248 249 249 do: 250 - pre: net-shaper-nl-pre-doit 251 - post: net-shaper-nl-post-doit 250 + pre: net-shaper-nl-pre-doit-write 251 + post: net-shaper-nl-post-doit-write 252 252 request: 253 253 attributes: 254 254 - ifindex ··· 278 278 flags: [admin-perm] 279 279 280 280 do: 281 - pre: net-shaper-nl-pre-doit 282 - post: net-shaper-nl-post-doit 281 + pre: net-shaper-nl-pre-doit-write 282 + post: net-shaper-nl-post-doit-write 283 283 request: 284 284 attributes: *ns-binding 285 285 ··· 309 309 flags: [admin-perm] 310 310 311 311 do: 312 - pre: net-shaper-nl-pre-doit 313 - post: net-shaper-nl-post-doit 312 + pre: net-shaper-nl-pre-doit-write 313 + post: net-shaper-nl-post-doit-write 314 314 request: 315 315 attributes: 316 316 - ifindex

+2

drivers/bluetooth/btqca.c

··· 787 787 */ 788 788 if (soc_type == QCA_WCN3988) 789 789 rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); 790 + else if (soc_type == QCA_WCN3998) 791 + rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f); 790 792 else 791 793 rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); 792 794

+3 -2

drivers/firewire/net.c

··· 257 257 memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len); 258 258 } 259 259 260 - static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr) 260 + static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev, 261 + unsigned char *haddr) 261 262 { 262 - memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN); 263 + memcpy(haddr, dev->dev_addr, FWNET_ALEN); 263 264 264 265 return FWNET_ALEN; 265 266 }

+11 -5

drivers/net/bonding/bond_debugfs.c

··· 34 34 for (; hash_index != RLB_NULL_INDEX; 35 35 hash_index = client_info->used_next) { 36 36 client_info = &(bond_info->rx_hashtbl[hash_index]); 37 - seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", 38 - &client_info->ip_src, 39 - &client_info->ip_dst, 40 - &client_info->mac_dst, 41 - client_info->slave->dev->name); 37 + if (client_info->slave) 38 + seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", 39 + &client_info->ip_src, 40 + &client_info->ip_dst, 41 + &client_info->mac_dst, 42 + client_info->slave->dev->name); 43 + else 44 + seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n", 45 + &client_info->ip_src, 46 + &client_info->ip_dst, 47 + &client_info->mac_dst); 42 48 } 43 49 44 50 spin_unlock_bh(&bond->mode_lock);

+5 -3

drivers/net/bonding/bond_main.c

··· 1530 1530 return ret; 1531 1531 } 1532 1532 1533 - static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) 1533 + static int bond_header_parse(const struct sk_buff *skb, 1534 + const struct net_device *dev, 1535 + unsigned char *haddr) 1534 1536 { 1535 - struct bonding *bond = netdev_priv(skb->dev); 1537 + struct bonding *bond = netdev_priv(dev); 1536 1538 const struct header_ops *slave_ops; 1537 1539 struct slave *slave; 1538 1540 int ret = 0; ··· 1544 1542 if (slave) { 1545 1543 slave_ops = READ_ONCE(slave->dev->header_ops); 1546 1544 if (slave_ops && slave_ops->parse) 1547 - ret = slave_ops->parse(skb, haddr); 1545 + ret = slave_ops->parse(skb, slave->dev, haddr); 1548 1546 } 1549 1547 rcu_read_unlock(); 1550 1548 return ret;

+6 -2

drivers/net/dsa/bcm_sf2.c

··· 980 980 ret = bcm_sf2_sw_rst(priv); 981 981 if (ret) { 982 982 pr_err("%s: failed to software reset switch\n", __func__); 983 + if (!priv->wol_ports_mask) 984 + clk_disable_unprepare(priv->clk); 983 985 return ret; 984 986 } 985 987 986 988 bcm_sf2_crossbar_setup(priv); 987 989 988 990 ret = bcm_sf2_cfp_resume(ds); 989 - if (ret) 991 + if (ret) { 992 + if (!priv->wol_ports_mask) 993 + clk_disable_unprepare(priv->clk); 990 994 return ret; 991 - 995 + } 992 996 if (priv->hw_params.num_gphy == 1) 993 997 bcm_sf2_gphy_enable_set(ds, true); 994 998

-1

drivers/net/ethernet/airoha/airoha_eth.c

··· 3083 3083 if (!port) 3084 3084 continue; 3085 3085 3086 - airoha_dev_stop(port->dev); 3087 3086 unregister_netdev(port->dev); 3088 3087 airoha_metadata_dst_free(port); 3089 3088 }

+2

drivers/net/ethernet/broadcom/bnxt/bnxt.c

··· 2929 2929 u16 type = (u16)BNXT_EVENT_BUF_PRODUCER_TYPE(data1); 2930 2930 u32 offset = BNXT_EVENT_BUF_PRODUCER_OFFSET(data2); 2931 2931 2932 + if (type >= ARRAY_SIZE(bp->bs_trace)) 2933 + goto async_event_process_exit; 2932 2934 bnxt_bs_trace_check_wrap(&bp->bs_trace[type], offset); 2933 2935 goto async_event_process_exit; 2934 2936 }

+1 -1

drivers/net/ethernet/broadcom/bnxt/bnxt.h

··· 2146 2146 }; 2147 2147 2148 2148 #define BNXT_TRACE_BUF_MAGIC_BYTE ((u8)0xbc) 2149 - #define BNXT_TRACE_MAX 11 2149 + #define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1) 2150 2150 2151 2151 struct bnxt_bs_trace_info { 2152 2152 u8 *magic_byte;

+1 -1

drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c

··· 123 123 while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS) 124 124 & RBUF_STATUS_WOL)) { 125 125 retries++; 126 - if (retries > 5) { 126 + if (retries > 50) { 127 127 netdev_crit(dev, "polling wol mode timeout\n"); 128 128 return -ETIMEDOUT; 129 129 }

+11

drivers/net/ethernet/broadcom/tg3.c

··· 17029 17029 return err; 17030 17030 } 17031 17031 17032 + static int tg3_is_default_mac_address(u8 *addr) 17033 + { 17034 + static const u8 default_mac_address[ETH_ALEN] = { 0x00, 0x10, 0x18, 0x00, 0x00, 0x00 }; 17035 + 17036 + return ether_addr_equal(default_mac_address, addr); 17037 + } 17038 + 17032 17039 static int tg3_get_device_address(struct tg3 *tp, u8 *addr) 17033 17040 { 17034 17041 u32 hi, lo, mac_offset; ··· 17109 17102 17110 17103 if (!is_valid_ether_addr(addr)) 17111 17104 return -EINVAL; 17105 + 17106 + if (tg3_is_default_mac_address(addr)) 17107 + return device_get_mac_address(&tp->pdev->dev, addr); 17108 + 17112 17109 return 0; 17113 17110 } 17114 17111

+22 -4

drivers/net/ethernet/cadence/macb_main.c

··· 2669 2669 desc->ctrl = 0; 2670 2670 } 2671 2671 2672 + static void gem_init_rx_ring(struct macb_queue *queue) 2673 + { 2674 + queue->rx_tail = 0; 2675 + queue->rx_prepared_head = 0; 2676 + 2677 + gem_rx_refill(queue); 2678 + } 2679 + 2672 2680 static void gem_init_rings(struct macb *bp) 2673 2681 { 2674 2682 struct macb_queue *queue; ··· 2694 2686 queue->tx_head = 0; 2695 2687 queue->tx_tail = 0; 2696 2688 2697 - queue->rx_tail = 0; 2698 - queue->rx_prepared_head = 0; 2699 - 2700 - gem_rx_refill(queue); 2689 + gem_init_rx_ring(queue); 2701 2690 } 2702 2691 2703 2692 macb_init_tieoff(bp); ··· 3982 3977 { 3983 3978 struct macb *bp = netdev_priv(netdev); 3984 3979 int ret; 3980 + 3981 + if (!(netdev->hw_features & NETIF_F_NTUPLE)) 3982 + return -EOPNOTSUPP; 3985 3983 3986 3984 switch (cmd->cmd) { 3987 3985 case ETHTOOL_SRXCLSRLINS: ··· 5955 5947 rtnl_unlock(); 5956 5948 } 5957 5949 5950 + if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) 5951 + macb_init_buffers(bp); 5952 + 5958 5953 for (q = 0, queue = bp->queues; q < bp->num_queues; 5959 5954 ++q, ++queue) { 5955 + if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) { 5956 + if (macb_is_gem(bp)) 5957 + gem_init_rx_ring(queue); 5958 + else 5959 + macb_init_rx_ring(queue); 5960 + } 5961 + 5960 5962 napi_enable(&queue->napi_rx); 5961 5963 napi_enable(&queue->napi_tx); 5962 5964 }

+3 -1

drivers/net/ethernet/cadence/macb_ptp.c

··· 357 357 { 358 358 struct macb *bp = netdev_priv(ndev); 359 359 360 - if (bp->ptp_clock) 360 + if (bp->ptp_clock) { 361 361 ptp_clock_unregister(bp->ptp_clock); 362 + bp->ptp_clock = NULL; 363 + } 362 364 363 365 gem_ptp_clear_timer(bp); 364 366

+6 -3

drivers/net/ethernet/intel/iavf/iavf_main.c

··· 757 757 adapter->num_vlan_filters++; 758 758 iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); 759 759 } else if (f->state == IAVF_VLAN_REMOVE) { 760 - /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed. 761 - * We can safely only change the state here. 760 + /* Re-add the filter since we cannot tell whether the 761 + * pending delete has already been processed by the PF. 762 + * A duplicate add is harmless. 762 763 */ 763 - f->state = IAVF_VLAN_ACTIVE; 764 + f->state = IAVF_VLAN_ADD; 765 + iavf_schedule_aq_request(adapter, 766 + IAVF_FLAG_AQ_ADD_VLAN_FILTER); 764 767 } 765 768 766 769 clearout:

+2

drivers/net/ethernet/intel/igc/igc.h

··· 781 781 struct kernel_hwtstamp_config *config, 782 782 struct netlink_ext_ack *extack); 783 783 void igc_ptp_tx_hang(struct igc_adapter *adapter); 784 + void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, 785 + u16 queue_id); 784 786 void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts); 785 787 void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter); 786 788

+9 -5

drivers/net/ethernet/intel/igc/igc_main.c

··· 264 264 /* reset next_to_use and next_to_clean */ 265 265 tx_ring->next_to_use = 0; 266 266 tx_ring->next_to_clean = 0; 267 + 268 + /* Clear any lingering XSK TX timestamp requests */ 269 + if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) { 270 + struct igc_adapter *adapter = netdev_priv(tx_ring->netdev); 271 + 272 + igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index); 273 + } 267 274 } 268 275 269 276 /** ··· 1737 1730 /* The minimum packet size with TCTL.PSP set is 17 so pad the skb 1738 1731 * in order to meet this minimum size requirement. 1739 1732 */ 1740 - if (skb->len < 17) { 1741 - if (skb_padto(skb, 17)) 1742 - return NETDEV_TX_OK; 1743 - skb->len = 17; 1744 - } 1733 + if (skb_put_padto(skb, 17)) 1734 + return NETDEV_TX_OK; 1745 1735 1746 1736 return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb)); 1747 1737 }

+33

drivers/net/ethernet/intel/igc/igc_ptp.c

··· 577 577 spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); 578 578 } 579 579 580 + /** 581 + * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue 582 + * @adapter: Board private structure 583 + * @queue_id: TX queue index to clear timestamps for 584 + * 585 + * Iterates over all TX timestamp registers and releases any pending 586 + * timestamp requests associated with the given TX queue. This is 587 + * called when an XDP pool is being disabled to ensure no stale 588 + * timestamp references remain. 589 + */ 590 + void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id) 591 + { 592 + unsigned long flags; 593 + int i; 594 + 595 + spin_lock_irqsave(&adapter->ptp_tx_lock, flags); 596 + 597 + for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) { 598 + struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i]; 599 + 600 + if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK) 601 + continue; 602 + if (tstamp->xsk_queue_index != queue_id) 603 + continue; 604 + if (!tstamp->xsk_tx_buffer) 605 + continue; 606 + 607 + igc_ptp_free_tx_buffer(adapter, tstamp); 608 + } 609 + 610 + spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); 611 + } 612 + 580 613 static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter) 581 614 { 582 615 struct igc_hw *hw = &adapter->hw;

+36 -13

drivers/net/ethernet/intel/libie/fwlog.c

··· 433 433 module = libie_find_module_by_dentry(fwlog->debugfs_modules, dentry); 434 434 if (module < 0) { 435 435 dev_info(dev, "unknown module\n"); 436 - return -EINVAL; 436 + count = -EINVAL; 437 + goto free_cmd_buf; 437 438 } 438 439 439 440 cnt = sscanf(cmd_buf, "%s", user_val); 440 - if (cnt != 1) 441 - return -EINVAL; 441 + if (cnt != 1) { 442 + count = -EINVAL; 443 + goto free_cmd_buf; 444 + } 442 445 443 446 log_level = sysfs_match_string(libie_fwlog_level_string, user_val); 444 447 if (log_level < 0) { 445 448 dev_info(dev, "unknown log level '%s'\n", user_val); 446 - return -EINVAL; 449 + count = -EINVAL; 450 + goto free_cmd_buf; 447 451 } 448 452 449 453 if (module != LIBIE_AQC_FW_LOG_ID_MAX) { ··· 461 457 for (i = 0; i < LIBIE_AQC_FW_LOG_ID_MAX; i++) 462 458 fwlog->cfg.module_entries[i].log_level = log_level; 463 459 } 460 + 461 + free_cmd_buf: 462 + kfree(cmd_buf); 464 463 465 464 return count; 466 465 } ··· 522 515 return PTR_ERR(cmd_buf); 523 516 524 517 ret = sscanf(cmd_buf, "%s", user_val); 525 - if (ret != 1) 526 - return -EINVAL; 518 + if (ret != 1) { 519 + count = -EINVAL; 520 + goto free_cmd_buf; 521 + } 527 522 528 523 ret = kstrtos16(user_val, 0, &nr_messages); 529 - if (ret) 530 - return ret; 524 + if (ret) { 525 + count = ret; 526 + goto free_cmd_buf; 527 + } 531 528 532 529 if (nr_messages < LIBIE_AQC_FW_LOG_MIN_RESOLUTION || 533 530 nr_messages > LIBIE_AQC_FW_LOG_MAX_RESOLUTION) { 534 531 dev_err(dev, "Invalid FW log number of messages %d, value must be between %d - %d\n", 535 532 nr_messages, LIBIE_AQC_FW_LOG_MIN_RESOLUTION, 536 533 LIBIE_AQC_FW_LOG_MAX_RESOLUTION); 537 - return -EINVAL; 534 + count = -EINVAL; 535 + goto free_cmd_buf; 538 536 } 539 537 540 538 fwlog->cfg.log_resolution = nr_messages; 539 + 540 + free_cmd_buf: 541 + kfree(cmd_buf); 541 542 542 543 return count; 543 544 } ··· 603 588 return PTR_ERR(cmd_buf); 604 589 605 590 ret = sscanf(cmd_buf, "%s", user_val); 606 - if (ret != 1) 607 - return -EINVAL; 591 + if (ret != 1) { 592 + ret = -EINVAL; 593 + goto free_cmd_buf; 594 + } 608 595 609 596 ret = kstrtobool(user_val, &enable); 610 597 if (ret) ··· 641 624 */ 642 625 if (WARN_ON(ret != (ssize_t)count && ret >= 0)) 643 626 ret = -EIO; 627 + free_cmd_buf: 628 + kfree(cmd_buf); 644 629 645 630 return ret; 646 631 } ··· 701 682 return PTR_ERR(cmd_buf); 702 683 703 684 ret = sscanf(cmd_buf, "%s", user_val); 704 - if (ret != 1) 705 - return -EINVAL; 685 + if (ret != 1) { 686 + ret = -EINVAL; 687 + goto free_cmd_buf; 688 + } 706 689 707 690 index = sysfs_match_string(libie_fwlog_log_size, user_val); 708 691 if (index < 0) { ··· 733 712 */ 734 713 if (WARN_ON(ret != (ssize_t)count && ret >= 0)) 735 714 ret = -EIO; 715 + free_cmd_buf: 716 + kfree(cmd_buf); 736 717 737 718 return ret; 738 719 }

+2 -2

drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c

··· 5016 5016 if (priv->percpu_pools) 5017 5017 numbufs = port->nrxqs * 2; 5018 5018 5019 - if (change_percpu) 5019 + if (change_percpu && priv->global_tx_fc) 5020 5020 mvpp2_bm_pool_update_priv_fc(priv, false); 5021 5021 5022 5022 for (i = 0; i < numbufs; i++) ··· 5041 5041 mvpp2_open(port->dev); 5042 5042 } 5043 5043 5044 - if (change_percpu) 5044 + if (change_percpu && priv->global_tx_fc) 5045 5045 mvpp2_bm_pool_update_priv_fc(priv, true); 5046 5046 5047 5047 return 0;

+1

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h

··· 287 287 struct mlx5e_ipsec_dwork *dwork; 288 288 struct mlx5e_ipsec_limits limits; 289 289 u32 rx_mapped_id; 290 + u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; 290 291 }; 291 292 292 293 struct mlx5_accel_pol_xfrm_attrs {

+23 -29

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c

··· 310 310 mlx5e_ipsec_aso_query(sa_entry, data); 311 311 } 312 312 313 - static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, 314 - u32 mode_param) 313 + static void 314 + mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry, 315 + u32 mode_param, 316 + struct mlx5_accel_esp_xfrm_attrs *attrs) 315 317 { 316 - struct mlx5_accel_esp_xfrm_attrs attrs = {}; 317 318 struct mlx5_wqe_aso_ctrl_seg data = {}; 318 319 319 320 if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) { ··· 324 323 sa_entry->esn_state.overlap = 1; 325 324 } 326 325 327 - mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs); 328 - 329 - /* It is safe to execute the modify below unlocked since the only flows 330 - * that could affect this HW object, are create, destroy and this work. 331 - * 332 - * Creation flow can't co-exist with this modify work, the destruction 333 - * flow would cancel this work, and this work is a single entity that 334 - * can't conflict with it self. 335 - */ 336 - spin_unlock_bh(&sa_entry->x->lock); 337 - mlx5_accel_esp_modify_xfrm(sa_entry, &attrs); 338 - spin_lock_bh(&sa_entry->x->lock); 326 + mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs); 339 327 340 328 data.data_offset_condition_operand = 341 329 MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET; ··· 360 370 static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry) 361 371 { 362 372 struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs; 363 - struct mlx5e_ipsec *ipsec = sa_entry->ipsec; 364 - struct mlx5e_ipsec_aso *aso = ipsec->aso; 365 373 bool soft_arm, hard_arm; 366 374 u64 hard_cnt; 367 375 368 376 lockdep_assert_held(&sa_entry->x->lock); 369 377 370 - soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm); 371 - hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm); 378 + soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm); 379 + hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm); 372 380 if (!soft_arm && !hard_arm) 373 381 /* It is not lifetime event */ 374 382 return; 375 383 376 - hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt); 384 + hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt); 377 385 if (!hard_cnt || hard_arm) { 378 386 /* It is possible to see packet counter equal to zero without 379 387 * hard limit event armed. Such situation can be if packet ··· 441 453 struct mlx5e_ipsec_work *work = 442 454 container_of(_work, struct mlx5e_ipsec_work, work); 443 455 struct mlx5e_ipsec_sa_entry *sa_entry = work->data; 456 + struct mlx5_accel_esp_xfrm_attrs tmp = {}; 444 457 struct mlx5_accel_esp_xfrm_attrs *attrs; 445 - struct mlx5e_ipsec_aso *aso; 458 + bool need_modify = false; 446 459 int ret; 447 460 448 - aso = sa_entry->ipsec->aso; 449 461 attrs = &sa_entry->attrs; 450 462 451 463 spin_lock_bh(&sa_entry->x->lock); ··· 453 465 if (ret) 454 466 goto unlock; 455 467 456 - if (attrs->replay_esn.trigger && 457 - !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) { 458 - u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter); 459 - 460 - mlx5e_ipsec_update_esn_state(sa_entry, mode_param); 461 - } 462 - 463 468 if (attrs->lft.soft_packet_limit != XFRM_INF) 464 469 mlx5e_ipsec_handle_limits(sa_entry); 465 470 471 + if (attrs->replay_esn.trigger && 472 + !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) { 473 + u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx, 474 + mode_parameter); 475 + 476 + mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp); 477 + need_modify = true; 478 + } 479 + 466 480 unlock: 467 481 spin_unlock_bh(&sa_entry->x->lock); 482 + if (need_modify) 483 + mlx5_accel_esp_modify_xfrm(sa_entry, &tmp); 468 484 kfree(work); 469 485 } 470 486 ··· 621 629 /* We are in atomic context */ 622 630 udelay(10); 623 631 } while (ret && time_is_after_jiffies(expires)); 632 + if (!ret) 633 + memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso)); 624 634 spin_unlock_bh(&aso->lock); 625 635 return ret; 626 636 }

+9 -14

drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c

··· 1489 1489 return err; 1490 1490 } 1491 1491 1492 - static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) 1492 + static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev, 1493 + bool take_rtnl) 1493 1494 { 1494 1495 struct ethtool_link_ksettings lksettings; 1495 1496 struct net_device *slave, *master; 1496 1497 u32 speed = SPEED_UNKNOWN; 1497 1498 1498 - /* Lock ensures a stable reference to master and slave netdevice 1499 - * while port speed of master is queried. 1500 - */ 1501 - ASSERT_RTNL(); 1502 - 1503 1499 slave = mlx5_uplink_netdev_get(mdev); 1504 1500 if (!slave) 1505 1501 goto out; 1506 1502 1503 + if (take_rtnl) 1504 + rtnl_lock(); 1507 1505 master = netdev_master_upper_dev_get(slave); 1508 1506 if (master && !__ethtool_get_link_ksettings(master, &lksettings)) 1509 1507 speed = lksettings.base.speed; 1508 + if (take_rtnl) 1509 + rtnl_unlock(); 1510 1510 1511 1511 out: 1512 1512 mlx5_uplink_netdev_put(mdev, slave); ··· 1514 1514 } 1515 1515 1516 1516 static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max, 1517 - bool hold_rtnl_lock, struct netlink_ext_ack *extack) 1517 + bool take_rtnl, 1518 + struct netlink_ext_ack *extack) 1518 1519 { 1519 1520 int err; 1520 1521 1521 1522 if (!mlx5_lag_is_active(mdev)) 1522 1523 goto skip_lag; 1523 1524 1524 - if (hold_rtnl_lock) 1525 - rtnl_lock(); 1526 - 1527 - *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev); 1528 - 1529 - if (hold_rtnl_lock) 1530 - rtnl_unlock(); 1525 + *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl); 1531 1526 1532 1527 if (*link_speed_max != (u32)SPEED_UNKNOWN) 1533 1528 return 0;

+3 -3

drivers/net/ethernet/microsoft/mana/hw_channel.c

··· 814 814 gc->max_num_cqs = 0; 815 815 } 816 816 817 - kfree(hwc->caller_ctx); 818 - hwc->caller_ctx = NULL; 819 - 820 817 if (hwc->txq) 821 818 mana_hwc_destroy_wq(hwc, hwc->txq); 822 819 ··· 822 825 823 826 if (hwc->cq) 824 827 mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq); 828 + 829 + kfree(hwc->caller_ctx); 830 + hwc->caller_ctx = NULL; 825 831 826 832 mana_gd_free_res_map(&hwc->inflight_msg_res); 827 833

+5

drivers/net/ethernet/ti/icssg/icssg_common.c

··· 1075 1075 xdp_prepare_buff(&xdp, pa, PRUETH_HEADROOM, pkt_len, false); 1076 1076 1077 1077 *xdp_state = emac_run_xdp(emac, &xdp, &pkt_len); 1078 + if (*xdp_state == ICSSG_XDP_CONSUMED) { 1079 + page_pool_recycle_direct(pool, page); 1080 + goto requeue; 1081 + } 1082 + 1078 1083 if (*xdp_state != ICSSG_XDP_PASS) 1079 1084 goto requeue; 1080 1085 headroom = xdp.data - xdp.data_hard_start;

+4 -1

drivers/net/netdevsim/netdev.c

··· 109 109 int ret; 110 110 111 111 ret = __dev_forward_skb(rx_dev, skb); 112 - if (ret) 112 + if (ret) { 113 + if (psp_ext) 114 + __skb_ext_put(psp_ext); 113 115 return ret; 116 + } 114 117 115 118 nsim_psp_handle_ext(skb, psp_ext); 116 119

+6 -6

drivers/net/usb/aqc111.c

··· 1395 1395 aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC, 1396 1396 SFR_MEDIUM_STATUS_MODE, 2, &reg16); 1397 1397 1398 - aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0, 1399 - WOL_CFG_SIZE, &wol_cfg); 1400 - aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, 1401 - &aqc111_data->phy_cfg); 1398 + aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0, 1399 + WOL_CFG_SIZE, &wol_cfg); 1400 + aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, 1401 + &aqc111_data->phy_cfg); 1402 1402 } else { 1403 1403 aqc111_data->phy_cfg |= AQ_LOW_POWER; 1404 - aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0, 1405 - &aqc111_data->phy_cfg); 1404 + aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0, 1405 + &aqc111_data->phy_cfg); 1406 1406 1407 1407 /* Disable RX path */ 1408 1408 aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,

+6 -4

drivers/net/usb/cdc_ncm.c

··· 1656 1656 struct usbnet *dev = netdev_priv(skb_in->dev); 1657 1657 struct usb_cdc_ncm_ndp16 *ndp16; 1658 1658 int ret = -EINVAL; 1659 + size_t ndp_len; 1659 1660 1660 1661 if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) { 1661 1662 netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", ··· 1676 1675 sizeof(struct usb_cdc_ncm_dpe16)); 1677 1676 ret--; /* we process NDP entries except for the last one */ 1678 1677 1679 - if ((sizeof(struct usb_cdc_ncm_ndp16) + 1680 - ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) { 1678 + ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret); 1679 + if (ndpoffset + ndp_len > skb_in->len) { 1681 1680 netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); 1682 1681 ret = -EINVAL; 1683 1682 } ··· 1693 1692 struct usbnet *dev = netdev_priv(skb_in->dev); 1694 1693 struct usb_cdc_ncm_ndp32 *ndp32; 1695 1694 int ret = -EINVAL; 1695 + size_t ndp_len; 1696 1696 1697 1697 if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) { 1698 1698 netif_dbg(dev, rx_err, dev->net, "invalid NDP offset <%u>\n", ··· 1713 1711 sizeof(struct usb_cdc_ncm_dpe32)); 1714 1712 ret--; /* we process NDP entries except for the last one */ 1715 1713 1716 - if ((sizeof(struct usb_cdc_ncm_ndp32) + 1717 - ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) { 1714 + ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret); 1715 + if (ndpoffset + ndp_len > skb_in->len) { 1718 1716 netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret); 1719 1717 ret = -EINVAL; 1720 1718 }

+2 -4

drivers/net/wireless/ath/ath9k/channel.c

··· 1006 1006 skb_set_queue_mapping(skb, IEEE80211_AC_VO); 1007 1007 1008 1008 if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL)) 1009 - goto error; 1009 + return; 1010 1010 1011 1011 txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO]; 1012 1012 if (ath_tx_start(sc->hw, skb, &txctl)) ··· 1119 1119 1120 1120 skb->priority = 7; 1121 1121 skb_set_queue_mapping(skb, IEEE80211_AC_VO); 1122 - if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) { 1123 - dev_kfree_skb_any(skb); 1122 + if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) 1124 1123 return false; 1125 - } 1126 1124 break; 1127 1125 default: 1128 1126 return false;

+1 -3

drivers/net/wireless/mediatek/mt76/scan.c

··· 63 63 64 64 rcu_read_lock(); 65 65 66 - if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) { 67 - ieee80211_free_txskb(phy->hw, skb); 66 + if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) 68 67 goto out; 69 - } 70 68 71 69 info = IEEE80211_SKB_CB(skb); 72 70 if (req->no_cck)

+1 -1

drivers/net/wireless/ti/wlcore/tx.c

··· 210 210 if (skb_headroom(skb) < (total_len - skb->len) && 211 211 pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { 212 212 wl1271_free_tx_id(wl, id); 213 - return -EAGAIN; 213 + return -ENOMEM; 214 214 } 215 215 desc = skb_push(skb, total_len - skb->len); 216 216

+1 -2

drivers/net/wireless/virtual/mac80211_hwsim.c

··· 3021 3021 hwsim->tmp_chan->band, 3022 3022 NULL)) { 3023 3023 rcu_read_unlock(); 3024 - kfree_skb(probe); 3025 3024 continue; 3026 3025 } 3027 3026 ··· 6488 6489 if (info->attrs[HWSIM_ATTR_PMSR_SUPPORT]) { 6489 6490 struct cfg80211_pmsr_capabilities *pmsr_capa; 6490 6491 6491 - pmsr_capa = kmalloc_obj(*pmsr_capa); 6492 + pmsr_capa = kzalloc_obj(*pmsr_capa); 6492 6493 if (!pmsr_capa) { 6493 6494 ret = -ENOMEM; 6494 6495 goto out_free;

+2 -2

drivers/nfc/nxp-nci/i2c.c

··· 47 47 { 48 48 struct nxp_nci_i2c_phy *phy = (struct nxp_nci_i2c_phy *) phy_id; 49 49 50 - gpiod_set_value(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0); 51 - gpiod_set_value(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0); 50 + gpiod_set_value_cansleep(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0); 51 + gpiod_set_value_cansleep(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0); 52 52 usleep_range(10000, 15000); 53 53 54 54 if (mode == NXP_NCI_MODE_COLD)

+2 -1

include/linux/etherdevice.h

··· 42 42 43 43 int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type, 44 44 const void *daddr, const void *saddr, unsigned len); 45 - int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); 45 + int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, 46 + unsigned char *haddr); 46 47 int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, 47 48 __be16 type); 48 49 void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev,

+2 -1

include/linux/if_ether.h

··· 40 40 return (struct ethhdr *)skb_inner_mac_header(skb); 41 41 } 42 42 43 - int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); 43 + int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, 44 + unsigned char *haddr); 44 45 45 46 extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len); 46 47

+5 -4

include/linux/netdevice.h

··· 311 311 int (*create) (struct sk_buff *skb, struct net_device *dev, 312 312 unsigned short type, const void *daddr, 313 313 const void *saddr, unsigned int len); 314 - int (*parse)(const struct sk_buff *skb, unsigned char *haddr); 314 + int (*parse)(const struct sk_buff *skb, 315 + const struct net_device *dev, 316 + unsigned char *haddr); 315 317 int (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type); 316 318 void (*cache_update)(struct hh_cache *hh, 317 319 const struct net_device *dev, ··· 2157 2155 unsigned long state; 2158 2156 unsigned int flags; 2159 2157 unsigned short hard_header_len; 2158 + enum netdev_stat_type pcpu_stat_type:8; 2160 2159 netdev_features_t features; 2161 2160 struct inet6_dev __rcu *ip6_ptr; 2162 2161 __cacheline_group_end(net_device_read_txrx); ··· 2406 2403 /* mid-layer private */ 2407 2404 void *ml_priv; 2408 2405 enum netdev_ml_priv_type ml_priv_type; 2409 - 2410 - enum netdev_stat_type pcpu_stat_type:8; 2411 2406 2412 2407 #if IS_ENABLED(CONFIG_GARP) 2413 2408 struct garp_port __rcu *garp_port; ··· 3447 3446 3448 3447 if (!dev->header_ops || !dev->header_ops->parse) 3449 3448 return 0; 3450 - return dev->header_ops->parse(skb, haddr); 3449 + return dev->header_ops->parse(skb, dev, haddr); 3451 3450 } 3452 3451 3453 3452 static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)

+22 -6

include/net/ip_tunnels.h

··· 665 665 static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) 666 666 { 667 667 if (pkt_len > 0) { 668 - struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); 668 + if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_DSTATS) { 669 + struct pcpu_dstats *dstats = get_cpu_ptr(dev->dstats); 669 670 670 - u64_stats_update_begin(&tstats->syncp); 671 - u64_stats_add(&tstats->tx_bytes, pkt_len); 672 - u64_stats_inc(&tstats->tx_packets); 673 - u64_stats_update_end(&tstats->syncp); 674 - put_cpu_ptr(tstats); 671 + u64_stats_update_begin(&dstats->syncp); 672 + u64_stats_add(&dstats->tx_bytes, pkt_len); 673 + u64_stats_inc(&dstats->tx_packets); 674 + u64_stats_update_end(&dstats->syncp); 675 + put_cpu_ptr(dstats); 676 + return; 677 + } 678 + if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_TSTATS) { 679 + struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats); 680 + 681 + u64_stats_update_begin(&tstats->syncp); 682 + u64_stats_add(&tstats->tx_bytes, pkt_len); 683 + u64_stats_inc(&tstats->tx_packets); 684 + u64_stats_update_end(&tstats->syncp); 685 + put_cpu_ptr(tstats); 686 + return; 687 + } 688 + pr_err_once("iptunnel_xmit_stats pcpu_stat_type=%d\n", 689 + dev->pcpu_stat_type); 690 + WARN_ON_ONCE(1); 675 691 return; 676 692 } 677 693

+3 -1

include/net/mac80211.h

··· 7407 7407 * @band: the band to transmit on 7408 7408 * @sta: optional pointer to get the station to send the frame to 7409 7409 * 7410 - * Return: %true if the skb was prepared, %false otherwise 7410 + * Return: %true if the skb was prepared, %false otherwise. 7411 + * On failure, the skb is freed by this function; callers must not 7412 + * free it again. 7411 7413 * 7412 7414 * Note: must be called under RCU lock 7413 7415 */

+2 -4

include/net/netfilter/nf_tables.h

··· 277 277 unsigned char data[]; 278 278 }; 279 279 280 - #define NFT_SET_ELEM_INTERNAL_LAST 0x1 281 - 282 280 /* placeholder structure for opaque set element backend representation. */ 283 281 struct nft_elem_priv { }; 284 282 ··· 286 288 * @key: element key 287 289 * @key_end: closing element key 288 290 * @data: element data 289 - * @flags: flags 290 291 * @priv: element private data and extensions 291 292 */ 292 293 struct nft_set_elem { ··· 301 304 u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)]; 302 305 struct nft_data val; 303 306 } data; 304 - u32 flags; 305 307 struct nft_elem_priv *priv; 306 308 }; 307 309 ··· 874 878 u64 timeout, u64 expiration, gfp_t gfp); 875 879 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 876 880 struct nft_expr *expr_array[]); 881 + void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 882 + struct nft_set_elem_expr *elem_expr); 877 883 void nft_set_elem_destroy(const struct nft_set *set, 878 884 const struct nft_elem_priv *elem_priv, 879 885 bool destroy_expr);

+33

include/net/sch_generic.h

··· 716 716 void qdisc_put(struct Qdisc *qdisc); 717 717 void qdisc_put_unlocked(struct Qdisc *qdisc); 718 718 void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len); 719 + 720 + static inline void dev_reset_queue(struct net_device *dev, 721 + struct netdev_queue *dev_queue, 722 + void *_unused) 723 + { 724 + struct Qdisc *qdisc; 725 + bool nolock; 726 + 727 + qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); 728 + if (!qdisc) 729 + return; 730 + 731 + nolock = qdisc->flags & TCQ_F_NOLOCK; 732 + 733 + if (nolock) 734 + spin_lock_bh(&qdisc->seqlock); 735 + spin_lock_bh(qdisc_lock(qdisc)); 736 + 737 + qdisc_reset(qdisc); 738 + 739 + spin_unlock_bh(qdisc_lock(qdisc)); 740 + if (nolock) { 741 + clear_bit(__QDISC_STATE_MISSED, &qdisc->state); 742 + clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); 743 + spin_unlock_bh(&qdisc->seqlock); 744 + } 745 + } 746 + 719 747 #ifdef CONFIG_NET_SCHED 720 748 int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type, 721 749 void *type_data); ··· 1456 1428 struct mini_Qdisc __rcu **p_miniq); 1457 1429 void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp, 1458 1430 struct tcf_block *block); 1431 + 1432 + static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp) 1433 + { 1434 + return !!miniqp->p_miniq; 1435 + } 1459 1436 1460 1437 void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx); 1461 1438

+1 -1

include/net/udp_tunnel.h

··· 52 52 static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, 53 53 struct socket **sockp) 54 54 { 55 - return 0; 55 + return -EPFNOSUPPORT; 56 56 } 57 57 #endif 58 58

+47 -25

net/atm/lec.c

··· 154 154 /* 0x01 is topology change */ 155 155 156 156 priv = netdev_priv(dev); 157 - atm_force_charge(priv->lecd, skb2->truesize); 158 - sk = sk_atm(priv->lecd); 159 - skb_queue_tail(&sk->sk_receive_queue, skb2); 160 - sk->sk_data_ready(sk); 157 + struct atm_vcc *vcc; 158 + 159 + rcu_read_lock(); 160 + vcc = rcu_dereference(priv->lecd); 161 + if (vcc) { 162 + atm_force_charge(vcc, skb2->truesize); 163 + sk = sk_atm(vcc); 164 + skb_queue_tail(&sk->sk_receive_queue, skb2); 165 + sk->sk_data_ready(sk); 166 + } else { 167 + dev_kfree_skb(skb2); 168 + } 169 + rcu_read_unlock(); 161 170 } 162 171 } 163 172 #endif /* IS_ENABLED(CONFIG_BRIDGE) */ ··· 225 216 int is_rdesc; 226 217 227 218 pr_debug("called\n"); 228 - if (!priv->lecd) { 219 + if (!rcu_access_pointer(priv->lecd)) { 229 220 pr_info("%s:No lecd attached\n", dev->name); 230 221 dev->stats.tx_errors++; 231 222 netif_stop_queue(dev); ··· 458 449 break; 459 450 skb2->len = sizeof(struct atmlec_msg); 460 451 skb_copy_to_linear_data(skb2, mesg, sizeof(*mesg)); 461 - atm_force_charge(priv->lecd, skb2->truesize); 462 - sk = sk_atm(priv->lecd); 463 - skb_queue_tail(&sk->sk_receive_queue, skb2); 464 - sk->sk_data_ready(sk); 452 + struct atm_vcc *vcc; 453 + 454 + rcu_read_lock(); 455 + vcc = rcu_dereference(priv->lecd); 456 + if (vcc) { 457 + atm_force_charge(vcc, skb2->truesize); 458 + sk = sk_atm(vcc); 459 + skb_queue_tail(&sk->sk_receive_queue, skb2); 460 + sk->sk_data_ready(sk); 461 + } else { 462 + dev_kfree_skb(skb2); 463 + } 464 + rcu_read_unlock(); 465 465 } 466 466 } 467 467 #endif /* IS_ENABLED(CONFIG_BRIDGE) */ ··· 486 468 487 469 static void lec_atm_close(struct atm_vcc *vcc) 488 470 { 489 - struct sk_buff *skb; 490 471 struct net_device *dev = (struct net_device *)vcc->proto_data; 491 472 struct lec_priv *priv = netdev_priv(dev); 492 473 493 - priv->lecd = NULL; 474 + rcu_assign_pointer(priv->lecd, NULL); 475 + synchronize_rcu(); 494 476 /* Do something needful? */ 495 477 496 478 netif_stop_queue(dev); 497 479 lec_arp_destroy(priv); 498 - 499 - if (skb_peek(&sk_atm(vcc)->sk_receive_queue)) 500 - pr_info("%s closing with messages pending\n", dev->name); 501 - while ((skb = skb_dequeue(&sk_atm(vcc)->sk_receive_queue))) { 502 - atm_return(vcc, skb->truesize); 503 - dev_kfree_skb(skb); 504 - } 505 480 506 481 pr_info("%s: Shut down!\n", dev->name); 507 482 module_put(THIS_MODULE); ··· 521 510 const unsigned char *mac_addr, const unsigned char *atm_addr, 522 511 struct sk_buff *data) 523 512 { 513 + struct atm_vcc *vcc; 524 514 struct sock *sk; 525 515 struct sk_buff *skb; 526 516 struct atmlec_msg *mesg; 527 517 528 - if (!priv || !priv->lecd) 518 + if (!priv || !rcu_access_pointer(priv->lecd)) 529 519 return -1; 520 + 530 521 skb = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC); 531 522 if (!skb) 532 523 return -1; ··· 545 532 if (atm_addr) 546 533 memcpy(&mesg->content.normal.atm_addr, atm_addr, ATM_ESA_LEN); 547 534 548 - atm_force_charge(priv->lecd, skb->truesize); 549 - sk = sk_atm(priv->lecd); 535 + rcu_read_lock(); 536 + vcc = rcu_dereference(priv->lecd); 537 + if (!vcc) { 538 + rcu_read_unlock(); 539 + kfree_skb(skb); 540 + return -1; 541 + } 542 + 543 + atm_force_charge(vcc, skb->truesize); 544 + sk = sk_atm(vcc); 550 545 skb_queue_tail(&sk->sk_receive_queue, skb); 551 546 sk->sk_data_ready(sk); 552 547 553 548 if (data != NULL) { 554 549 pr_debug("about to send %d bytes of data\n", data->len); 555 - atm_force_charge(priv->lecd, data->truesize); 550 + atm_force_charge(vcc, data->truesize); 556 551 skb_queue_tail(&sk->sk_receive_queue, data); 557 552 sk->sk_data_ready(sk); 558 553 } 559 554 555 + rcu_read_unlock(); 560 556 return 0; 561 557 } 562 558 ··· 640 618 641 619 atm_return(vcc, skb->truesize); 642 620 if (*(__be16 *) skb->data == htons(priv->lecid) || 643 - !priv->lecd || !(dev->flags & IFF_UP)) { 621 + !rcu_access_pointer(priv->lecd) || !(dev->flags & IFF_UP)) { 644 622 /* 645 623 * Probably looping back, or if lecd is missing, 646 624 * lecd has gone down ··· 775 753 priv = netdev_priv(dev_lec[i]); 776 754 } else { 777 755 priv = netdev_priv(dev_lec[i]); 778 - if (priv->lecd) 756 + if (rcu_access_pointer(priv->lecd)) 779 757 return -EADDRINUSE; 780 758 } 781 759 lec_arp_init(priv); 782 760 priv->itfnum = i; /* LANE2 addition */ 783 - priv->lecd = vcc; 761 + rcu_assign_pointer(priv->lecd, vcc); 784 762 vcc->dev = &lecatm_dev; 785 763 vcc_insert_socket(sk_atm(vcc)); 786 764

+1 -1

net/atm/lec.h

··· 91 91 */ 92 92 spinlock_t lec_arp_lock; 93 93 struct atm_vcc *mcast_vcc; /* Default Multicast Send VCC */ 94 - struct atm_vcc *lecd; 94 + struct atm_vcc __rcu *lecd; 95 95 struct delayed_work lec_arp_work; /* C10 */ 96 96 unsigned int maximum_unknown_frame_count; 97 97 /*

+3

net/batman-adv/bat_iv_ogm.c

··· 473 473 if (aggregated_bytes > max_bytes) 474 474 return false; 475 475 476 + if (skb_tailroom(forw_packet->skb) < packet_len) 477 + return false; 478 + 476 479 if (packet_num >= BATADV_MAX_AGGREGATION_PACKETS) 477 480 return false; 478 481

+2 -2

net/bluetooth/hci_conn.c

··· 1944 1944 return false; 1945 1945 1946 1946 done: 1947 + conn->iso_qos = *qos; 1948 + 1947 1949 if (hci_cmd_sync_queue(hdev, set_cig_params_sync, 1948 1950 UINT_PTR(qos->ucast.cig), NULL) < 0) 1949 1951 return false; ··· 2015 2013 } 2016 2014 2017 2015 hci_conn_hold(cis); 2018 - 2019 - cis->iso_qos = *qos; 2020 2016 cis->state = BT_BOUND; 2021 2017 2022 2018 return cis;

+1 -1

net/bluetooth/hci_sync.c

··· 6627 6627 * state. 6628 6628 */ 6629 6629 if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) { 6630 - hci_scan_disable_sync(hdev); 6631 6630 hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); 6631 + hci_scan_disable_sync(hdev); 6632 6632 } 6633 6633 6634 6634 /* Update random address, but set require_privacy to false so

+14 -2

net/bluetooth/hidp/core.c

··· 986 986 skb_queue_purge(&session->intr_transmit); 987 987 fput(session->intr_sock->file); 988 988 fput(session->ctrl_sock->file); 989 - l2cap_conn_put(session->conn); 989 + if (session->conn) 990 + l2cap_conn_put(session->conn); 990 991 kfree(session); 991 992 } 992 993 ··· 1165 1164 1166 1165 down_write(&hidp_session_sem); 1167 1166 1167 + /* Drop L2CAP reference immediately to indicate that 1168 + * l2cap_unregister_user() shall not be called as it is already 1169 + * considered removed. 1170 + */ 1171 + if (session->conn) { 1172 + l2cap_conn_put(session->conn); 1173 + session->conn = NULL; 1174 + } 1175 + 1168 1176 hidp_session_terminate(session); 1169 1177 1170 1178 cancel_work_sync(&session->dev_init); ··· 1311 1301 * Instead, this call has the same semantics as if user-space tried to 1312 1302 * delete the session. 1313 1303 */ 1314 - l2cap_unregister_user(session->conn, &session->user); 1304 + if (session->conn) 1305 + l2cap_unregister_user(session->conn, &session->user); 1306 + 1315 1307 hidp_session_put(session); 1316 1308 1317 1309 module_put_and_kthread_exit(0);

+31 -20

net/bluetooth/l2cap_core.c

··· 1678 1678 1679 1679 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) 1680 1680 { 1681 - struct hci_dev *hdev = conn->hcon->hdev; 1682 1681 int ret; 1683 1682 1684 1683 /* We need to check whether l2cap_conn is registered. If it is not, we 1685 - * must not register the l2cap_user. l2cap_conn_del() is unregisters 1686 - * l2cap_conn objects, but doesn't provide its own locking. Instead, it 1687 - * relies on the parent hci_conn object to be locked. This itself relies 1688 - * on the hci_dev object to be locked. So we must lock the hci device 1689 - * here, too. */ 1684 + * must not register the l2cap_user. l2cap_conn_del() unregisters 1685 + * l2cap_conn objects under conn->lock, and we use the same lock here 1686 + * to protect access to conn->users and conn->hchan. 1687 + */ 1690 1688 1691 - hci_dev_lock(hdev); 1689 + mutex_lock(&conn->lock); 1692 1690 1693 1691 if (!list_empty(&user->list)) { 1694 1692 ret = -EINVAL; ··· 1707 1709 ret = 0; 1708 1710 1709 1711 out_unlock: 1710 - hci_dev_unlock(hdev); 1712 + mutex_unlock(&conn->lock); 1711 1713 return ret; 1712 1714 } 1713 1715 EXPORT_SYMBOL(l2cap_register_user); 1714 1716 1715 1717 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) 1716 1718 { 1717 - struct hci_dev *hdev = conn->hcon->hdev; 1718 - 1719 - hci_dev_lock(hdev); 1719 + mutex_lock(&conn->lock); 1720 1720 1721 1721 if (list_empty(&user->list)) 1722 1722 goto out_unlock; ··· 1723 1727 user->remove(conn, user); 1724 1728 1725 1729 out_unlock: 1726 - hci_dev_unlock(hdev); 1730 + mutex_unlock(&conn->lock); 1727 1731 } 1728 1732 EXPORT_SYMBOL(l2cap_unregister_user); 1729 1733 ··· 4612 4616 4613 4617 switch (type) { 4614 4618 case L2CAP_IT_FEAT_MASK: 4615 - conn->feat_mask = get_unaligned_le32(rsp->data); 4619 + if (cmd_len >= sizeof(*rsp) + sizeof(u32)) 4620 + conn->feat_mask = get_unaligned_le32(rsp->data); 4616 4621 4617 4622 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 4618 4623 struct l2cap_info_req req; ··· 4632 4635 break; 4633 4636 4634 4637 case L2CAP_IT_FIXED_CHAN: 4635 - conn->remote_fixed_chan = rsp->data[0]; 4638 + if (cmd_len >= sizeof(*rsp) + sizeof(rsp->data[0])) 4639 + conn->remote_fixed_chan = rsp->data[0]; 4636 4640 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4637 4641 conn->info_ident = 0; 4638 4642 ··· 5057 5059 u16 mtu, mps; 5058 5060 __le16 psm; 5059 5061 u8 result, rsp_len = 0; 5060 - int i, num_scid; 5062 + int i, num_scid = 0; 5061 5063 bool defer = false; 5062 5064 5063 5065 if (!enable_ecred) ··· 5066 5068 memset(pdu, 0, sizeof(*pdu)); 5067 5069 5068 5070 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) { 5071 + result = L2CAP_CR_LE_INVALID_PARAMS; 5072 + goto response; 5073 + } 5074 + 5075 + /* Check if there are no pending channels with the same ident */ 5076 + __l2cap_chan_list_id(conn, cmd->ident, l2cap_ecred_list_defer, 5077 + &num_scid); 5078 + if (num_scid) { 5069 5079 result = L2CAP_CR_LE_INVALID_PARAMS; 5070 5080 goto response; 5071 5081 } ··· 5430 5424 u8 *data) 5431 5425 { 5432 5426 struct l2cap_chan *chan, *tmp; 5433 - struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5427 + struct l2cap_ecred_reconf_rsp *rsp = (void *)data; 5434 5428 u16 result; 5435 5429 5436 5430 if (cmd_len < sizeof(*rsp)) ··· 5438 5432 5439 5433 result = __le16_to_cpu(rsp->result); 5440 5434 5441 - BT_DBG("result 0x%4.4x", rsp->result); 5435 + BT_DBG("result 0x%4.4x", result); 5442 5436 5443 5437 if (!result) 5444 5438 return 0; ··· 6668 6662 return -ENOBUFS; 6669 6663 } 6670 6664 6671 - if (chan->imtu < skb->len) { 6672 - BT_ERR("Too big LE L2CAP PDU"); 6665 + if (skb->len > chan->imtu) { 6666 + BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len, 6667 + chan->imtu); 6668 + l2cap_send_disconn_req(chan, ECONNRESET); 6673 6669 return -ENOBUFS; 6674 6670 } 6675 6671 ··· 6697 6689 sdu_len, skb->len, chan->imtu); 6698 6690 6699 6691 if (sdu_len > chan->imtu) { 6700 - BT_ERR("Too big LE L2CAP SDU length received"); 6692 + BT_ERR("Too big LE L2CAP SDU length: len %u > %u", 6693 + skb->len, sdu_len); 6694 + l2cap_send_disconn_req(chan, ECONNRESET); 6701 6695 err = -EMSGSIZE; 6702 6696 goto failed; 6703 6697 } ··· 6735 6725 6736 6726 if (chan->sdu->len + skb->len > chan->sdu_len) { 6737 6727 BT_ERR("Too much LE L2CAP data received"); 6728 + l2cap_send_disconn_req(chan, ECONNRESET); 6738 6729 err = -EINVAL; 6739 6730 goto failed; 6740 6731 }

+2 -5

net/bluetooth/mgmt.c

··· 2195 2195 sk = cmd->sk; 2196 2196 2197 2197 if (status) { 2198 - mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 2199 - status); 2200 - mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, 2201 - cmd_status_rsp, &status); 2198 + mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status); 2202 2199 goto done; 2203 2200 } 2204 2201 ··· 5374 5377 5375 5378 mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, 5376 5379 mgmt_status(status), &rp, sizeof(rp)); 5377 - mgmt_pending_remove(cmd); 5380 + mgmt_pending_free(cmd); 5378 5381 5379 5382 hci_dev_unlock(hdev); 5380 5383 bt_dev_dbg(hdev, "add monitor %d complete, status %d",

+1 -1

net/bluetooth/smp.c

··· 2743 2743 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) && 2744 2744 !crypto_memneq(key, smp->local_pk, 64)) { 2745 2745 bt_dev_err(hdev, "Remote and local public keys are identical"); 2746 - return SMP_UNSPECIFIED; 2746 + return SMP_DHKEY_CHECK_FAILED; 2747 2747 } 2748 2748 2749 2749 memcpy(smp->remote_pk, key, 64);

+2 -2

net/bridge/br_cfm.c

··· 576 576 577 577 /* Empty and free peer MEP list */ 578 578 hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) { 579 - cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork); 579 + disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); 580 580 hlist_del_rcu(&peer_mep->head); 581 581 kfree_rcu(peer_mep, rcu); 582 582 } ··· 732 732 return -ENOENT; 733 733 } 734 734 735 - cc_peer_disable(peer_mep); 735 + disable_delayed_work_sync(&peer_mep->ccm_rx_dwork); 736 736 737 737 hlist_del_rcu(&peer_mep->head); 738 738 kfree_rcu(peer_mep, rcu);

+3 -6

net/ethernet/eth.c

··· 193 193 } 194 194 EXPORT_SYMBOL(eth_type_trans); 195 195 196 - /** 197 - * eth_header_parse - extract hardware address from packet 198 - * @skb: packet to extract header from 199 - * @haddr: destination buffer 200 - */ 201 - int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr) 196 + int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev, 197 + unsigned char *haddr) 202 198 { 203 199 const struct ethhdr *eth = eth_hdr(skb); 200 + 204 201 memcpy(haddr, eth->h_source, ETH_ALEN); 205 202 return ETH_ALEN; 206 203 }

+3 -1

net/ipv4/icmp.c

··· 1079 1079 1080 1080 static bool icmp_tag_validation(int proto) 1081 1081 { 1082 + const struct net_protocol *ipprot; 1082 1083 bool ok; 1083 1084 1084 1085 rcu_read_lock(); 1085 - ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; 1086 + ipprot = rcu_dereference(inet_protos[proto]); 1087 + ok = ipprot ? ipprot->icmp_strict_tag_validation : false; 1086 1088 rcu_read_unlock(); 1087 1089 return ok; 1088 1090 }

+2 -1

net/ipv4/ip_gre.c

··· 919 919 return -(t->hlen + sizeof(*iph)); 920 920 } 921 921 922 - static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr) 922 + static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev, 923 + unsigned char *haddr) 923 924 { 924 925 const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb); 925 926 memcpy(haddr, &iph->saddr, 4);

+4

net/ipv6/exthdrs.c

··· 379 379 hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); 380 380 381 381 idev = __in6_dev_get(skb->dev); 382 + if (!idev) { 383 + kfree_skb(skb); 384 + return -1; 385 + } 382 386 383 387 accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled), 384 388 READ_ONCE(idev->cnf.seg6_enabled));

+2

net/ipv6/seg6_hmac.c

··· 184 184 int require_hmac; 185 185 186 186 idev = __in6_dev_get(skb->dev); 187 + if (!idev) 188 + return false; 187 189 188 190 srh = (struct ipv6_sr_hdr *)skb_transport_header(skb); 189 191

+6 -6

net/mac80211/cfg.c

··· 1904 1904 1905 1905 __sta_info_flush(sdata, true, link_id, NULL); 1906 1906 1907 - ieee80211_remove_link_keys(link, &keys); 1908 - if (!list_empty(&keys)) { 1909 - synchronize_net(); 1910 - ieee80211_free_key_list(local, &keys); 1911 - } 1912 - 1913 1907 ieee80211_stop_mbssid(sdata); 1914 1908 RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL); 1915 1909 ··· 1914 1920 clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state); 1915 1921 ieee80211_link_info_change_notify(sdata, link, 1916 1922 BSS_CHANGED_BEACON_ENABLED); 1923 + 1924 + ieee80211_remove_link_keys(link, &keys); 1925 + if (!list_empty(&keys)) { 1926 + synchronize_net(); 1927 + ieee80211_free_key_list(local, &keys); 1928 + } 1917 1929 1918 1930 if (sdata->wdev.links[link_id].cac_started) { 1919 1931 chandef = link_conf->chanreq.oper;

+4 -2

net/mac80211/chan.c

··· 561 561 rcu_read_lock(); 562 562 list_for_each_entry_rcu(sta, &local->sta_list, 563 563 list) { 564 - struct ieee80211_sub_if_data *sdata = sta->sdata; 564 + struct ieee80211_sub_if_data *sdata; 565 565 enum ieee80211_sta_rx_bandwidth new_sta_bw; 566 566 unsigned int link_id; 567 567 568 568 if (!ieee80211_sdata_running(sta->sdata)) 569 569 continue; 570 570 571 - for (link_id = 0; link_id < ARRAY_SIZE(sta->sdata->link); link_id++) { 571 + sdata = get_bss_sdata(sta->sdata); 572 + 573 + for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) { 572 574 struct ieee80211_link_data *link = 573 575 rcu_dereference(sdata->link[link_id]); 574 576 struct ieee80211_bss_conf *link_conf;

+5 -9

net/mac80211/debugfs.c

··· 320 320 static ssize_t aql_enable_write(struct file *file, const char __user *user_buf, 321 321 size_t count, loff_t *ppos) 322 322 { 323 - bool aql_disabled = static_key_false(&aql_disable.key); 324 323 char buf[3]; 325 324 size_t len; 326 325 ··· 334 335 if (len > 0 && buf[len - 1] == '\n') 335 336 buf[len - 1] = 0; 336 337 337 - if (buf[0] == '0' && buf[1] == '\0') { 338 - if (!aql_disabled) 339 - static_branch_inc(&aql_disable); 340 - } else if (buf[0] == '1' && buf[1] == '\0') { 341 - if (aql_disabled) 342 - static_branch_dec(&aql_disable); 343 - } else { 338 + if (buf[0] == '0' && buf[1] == '\0') 339 + static_branch_enable(&aql_disable); 340 + else if (buf[0] == '1' && buf[1] == '\0') 341 + static_branch_disable(&aql_disable); 342 + else 344 343 return -EINVAL; 345 - } 346 344 347 345 return count; 348 346 }

+3

net/mac80211/mesh.c

··· 79 79 * - MDA enabled 80 80 * - Power management control on fc 81 81 */ 82 + if (!ie->mesh_config) 83 + return false; 84 + 82 85 if (!(ifmsh->mesh_id_len == ie->mesh_id_len && 83 86 memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 && 84 87 (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&

+5 -2

net/mac80211/sta_info.c

··· 2782 2782 } 2783 2783 2784 2784 link_sinfo->inactive_time = 2785 - jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, link_id)); 2785 + jiffies_delta_to_msecs(jiffies - 2786 + ieee80211_sta_last_active(sta, 2787 + link_id)); 2786 2788 2787 2789 if (!(link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) | 2788 2790 BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) { ··· 3017 3015 sinfo->connected_time = ktime_get_seconds() - sta->last_connected; 3018 3016 sinfo->assoc_at = sta->assoc_at; 3019 3017 sinfo->inactive_time = 3020 - jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, -1)); 3018 + jiffies_delta_to_msecs(jiffies - 3019 + ieee80211_sta_last_active(sta, -1)); 3021 3020 3022 3021 if (!(sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) | 3023 3022 BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {

+1 -1

net/mac80211/tdls.c

··· 1449 1449 } 1450 1450 1451 1451 sta = sta_info_get(sdata, peer); 1452 - if (!sta) 1452 + if (!sta || !sta->sta.tdls) 1453 1453 return -ENOLINK; 1454 1454 1455 1455 iee80211_tdls_recalc_chanctx(sdata, sta);

+3 -1

net/mac80211/tx.c

··· 1899 1899 struct ieee80211_tx_data tx; 1900 1900 struct sk_buff *skb2; 1901 1901 1902 - if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) 1902 + if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) { 1903 + kfree_skb(skb); 1903 1904 return false; 1905 + } 1904 1906 1905 1907 info->band = band; 1906 1908 info->control.vif = vif;

+3 -1

net/mac802154/iface.c

··· 469 469 } 470 470 471 471 static int 472 - mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr) 472 + mac802154_header_parse(const struct sk_buff *skb, 473 + const struct net_device *dev, 474 + unsigned char *haddr) 473 475 { 474 476 struct ieee802154_hdr hdr; 475 477

+1

net/mpls/af_mpls.c

··· 2854 2854 rtnl_af_unregister(&mpls_af_ops); 2855 2855 out_unregister_dev_type: 2856 2856 dev_remove_pack(&mpls_packet_type); 2857 + unregister_netdevice_notifier(&mpls_dev_notifier); 2857 2858 out_unregister_pernet: 2858 2859 unregister_pernet_subsys(&mpls_net_ops); 2859 2860 goto out;

+1 -1

net/mptcp/pm_kernel.c

··· 838 838 static int mptcp_pm_nl_create_listen_socket(struct sock *sk, 839 839 struct mptcp_pm_addr_entry *entry) 840 840 { 841 - bool is_ipv6 = sk->sk_family == AF_INET6; 841 + bool is_ipv6 = entry->addr.family == AF_INET6; 842 842 int addrlen = sizeof(struct sockaddr_in); 843 843 struct sockaddr_storage addr; 844 844 struct sock *newsk, *ssk;

+1 -1

net/netfilter/nf_bpf_link.c

··· 170 170 171 171 static const struct bpf_link_ops bpf_nf_link_lops = { 172 172 .release = bpf_nf_link_release, 173 - .dealloc = bpf_nf_link_dealloc, 173 + .dealloc_deferred = bpf_nf_link_dealloc, 174 174 .detach = bpf_nf_link_detach, 175 175 .show_fdinfo = bpf_nf_link_show_info, 176 176 .fill_link_info = bpf_nf_link_fill_link_info,

+4

net/netfilter/nf_conntrack_h323_asn1.c

··· 331 331 if (nf_h323_error_boundary(bs, 0, 2)) 332 332 return H323_ERROR_BOUND; 333 333 len = get_bits(bs, 2) + 1; 334 + if (nf_h323_error_boundary(bs, len, 0)) 335 + return H323_ERROR_BOUND; 334 336 BYTE_ALIGN(bs); 335 337 if (base && (f->attr & DECODE)) { /* timeToLive */ 336 338 unsigned int v = get_uint(bs, len) + f->lb; ··· 924 922 break; 925 923 p++; 926 924 len--; 925 + if (len <= 0) 926 + break; 927 927 return DecodeH323_UserInformation(buf, p, len, 928 928 &q931->UUIE); 929 929 }

+26 -2

net/netfilter/nf_conntrack_netlink.c

··· 3212 3212 { 3213 3213 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3214 3214 struct nf_conn *ct = cb->data; 3215 - struct nf_conn_help *help = nfct_help(ct); 3215 + struct nf_conn_help *help; 3216 3216 u_int8_t l3proto = nfmsg->nfgen_family; 3217 3217 unsigned long last_id = cb->args[1]; 3218 3218 struct nf_conntrack_expect *exp; 3219 3219 3220 3220 if (cb->args[0]) 3221 + return 0; 3222 + 3223 + help = nfct_help(ct); 3224 + if (!help) 3221 3225 return 0; 3222 3226 3223 3227 rcu_read_lock(); ··· 3253 3249 return skb->len; 3254 3250 } 3255 3251 3252 + static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb) 3253 + { 3254 + struct nf_conn *ct = cb->data; 3255 + 3256 + if (!refcount_inc_not_zero(&ct->ct_general.use)) 3257 + return -ENOENT; 3258 + return 0; 3259 + } 3260 + 3261 + static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb) 3262 + { 3263 + struct nf_conn *ct = cb->data; 3264 + 3265 + if (ct) 3266 + nf_ct_put(ct); 3267 + return 0; 3268 + } 3269 + 3256 3270 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 3257 3271 struct sk_buff *skb, 3258 3272 const struct nlmsghdr *nlh, ··· 3286 3264 struct nf_conntrack_zone zone; 3287 3265 struct netlink_dump_control c = { 3288 3266 .dump = ctnetlink_exp_ct_dump_table, 3267 + .start = ctnetlink_dump_exp_ct_start, 3268 + .done = ctnetlink_dump_exp_ct_done, 3289 3269 }; 3290 3270 3291 3271 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, ··· 3489 3465 3490 3466 #if IS_ENABLED(CONFIG_NF_NAT) 3491 3467 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3492 - [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3468 + [CTA_EXPECT_NAT_DIR] = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY), 3493 3469 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3494 3470 }; 3495 3471 #endif

+2 -1

net/netfilter/nf_conntrack_proto_sctp.c

··· 582 582 } 583 583 584 584 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 585 - [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 585 + [CTA_PROTOINFO_SCTP_STATE] = NLA_POLICY_MAX(NLA_U8, 586 + SCTP_CONNTRACK_HEARTBEAT_SENT), 586 587 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 587 588 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 588 589 };

+5 -1

net/netfilter/nf_conntrack_sip.c

··· 1534 1534 { 1535 1535 struct tcphdr *th, _tcph; 1536 1536 unsigned int dataoff, datalen; 1537 - unsigned int matchoff, matchlen, clen; 1537 + unsigned int matchoff, matchlen; 1538 1538 unsigned int msglen, origlen; 1539 1539 const char *dptr, *end; 1540 1540 s16 diff, tdiff = 0; 1541 1541 int ret = NF_ACCEPT; 1542 + unsigned long clen; 1542 1543 bool term; 1543 1544 1544 1545 if (ctinfo != IP_CT_ESTABLISHED && ··· 1572 1571 1573 1572 clen = simple_strtoul(dptr + matchoff, (char **)&end, 10); 1574 1573 if (dptr + matchoff == end) 1574 + break; 1575 + 1576 + if (clen > datalen) 1575 1577 break; 1576 1578 1577 1579 term = false;

+1

net/netfilter/nf_flow_table_ip.c

··· 738 738 switch (tuple->encap[i].proto) { 739 739 case htons(ETH_P_8021Q): 740 740 case htons(ETH_P_8021AD): 741 + skb_reset_mac_header(skb); 741 742 if (skb_vlan_push(skb, tuple->encap[i].proto, 742 743 tuple->encap[i].id) < 0) 743 744 return -1;

+7 -19

net/netfilter/nf_tables_api.c

··· 6744 6744 } 6745 6745 } 6746 6746 6747 - static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6748 - struct nft_set_elem_expr *elem_expr) 6747 + void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 6748 + struct nft_set_elem_expr *elem_expr) 6749 6749 { 6750 6750 struct nft_expr *expr; 6751 6751 u32 size; ··· 7156 7156 } 7157 7157 7158 7158 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 7159 - const struct nlattr *attr, u32 nlmsg_flags, 7160 - bool last) 7159 + const struct nlattr *attr, u32 nlmsg_flags) 7161 7160 { 7162 7161 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 7163 7162 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; ··· 7443 7444 if (flags) 7444 7445 *nft_set_ext_flags(ext) = flags; 7445 7446 7446 - if (last) 7447 - elem.flags = NFT_SET_ELEM_INTERNAL_LAST; 7448 - else 7449 - elem.flags = 0; 7450 - 7451 7447 if (obj) 7452 7448 *nft_set_ext_obj(ext) = obj; 7453 7449 ··· 7607 7613 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7608 7614 7609 7615 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7610 - err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags, 7611 - nla_is_last(attr, rem)); 7616 + err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 7612 7617 if (err < 0) { 7613 7618 NL_SET_BAD_ATTR(extack, attr); 7614 7619 return err; ··· 7731 7738 } 7732 7739 7733 7740 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 7734 - const struct nlattr *attr, bool last) 7741 + const struct nlattr *attr) 7735 7742 { 7736 7743 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 7737 7744 struct nft_set_ext_tmpl tmpl; ··· 7798 7805 ext = nft_set_elem_ext(set, elem.priv); 7799 7806 if (flags) 7800 7807 *nft_set_ext_flags(ext) = flags; 7801 - 7802 - if (last) 7803 - elem.flags = NFT_SET_ELEM_INTERNAL_LAST; 7804 - else 7805 - elem.flags = 0; 7806 7808 7807 7809 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 7808 7810 if (trans == NULL) ··· 7949 7961 return nft_set_flush(&ctx, set, genmask); 7950 7962 7951 7963 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 7952 - err = nft_del_setelem(&ctx, set, attr, 7953 - nla_is_last(attr, rem)); 7964 + err = nft_del_setelem(&ctx, set, attr); 7954 7965 if (err == -ENOENT && 7955 7966 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM) 7956 7967 continue; ··· 9203 9216 return 0; 9204 9217 9205 9218 err_flowtable_hooks: 9219 + synchronize_rcu(); 9206 9220 nft_trans_destroy(trans); 9207 9221 err_flowtable_trans: 9208 9222 nft_hooks_destroy(&flowtable->hook_list);

+13

net/netfilter/nfnetlink_osf.c

··· 302 302 { 303 303 struct nf_osf_user_finger *f; 304 304 struct nf_osf_finger *kf = NULL, *sf; 305 + unsigned int tot_opt_len = 0; 305 306 int err = 0; 307 + int i; 306 308 307 309 if (!capable(CAP_NET_ADMIN)) 308 310 return -EPERM; ··· 319 317 320 318 if (f->opt_num > ARRAY_SIZE(f->opt)) 321 319 return -EINVAL; 320 + 321 + for (i = 0; i < f->opt_num; i++) { 322 + if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN) 323 + return -EINVAL; 324 + if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4) 325 + return -EINVAL; 326 + 327 + tot_opt_len += f->opt[i].length; 328 + if (tot_opt_len > MAX_IPOPTLEN) 329 + return -EINVAL; 330 + } 322 331 323 332 if (!memchr(f->genre, 0, MAXGENRELEN) || 324 333 !memchr(f->subtype, 0, MAXGENRELEN) ||

+4

net/netfilter/nft_ct.c

··· 23 23 #include <net/netfilter/nf_conntrack_l4proto.h> 24 24 #include <net/netfilter/nf_conntrack_expect.h> 25 25 #include <net/netfilter/nf_conntrack_seqadj.h> 26 + #include "nf_internals.h" 26 27 27 28 struct nft_ct_helper_obj { 28 29 struct nf_conntrack_helper *helper4; ··· 544 543 #endif 545 544 #ifdef CONFIG_NF_CONNTRACK_ZONES 546 545 case NFT_CT_ZONE: 546 + nf_queue_nf_hook_drop(ctx->net); 547 547 mutex_lock(&nft_ct_pcpu_mutex); 548 548 if (--nft_ct_pcpu_template_refcnt == 0) 549 549 nft_ct_tmpl_put_pcpu(); ··· 1017 1015 struct nft_ct_timeout_obj *priv = nft_obj_data(obj); 1018 1016 struct nf_ct_timeout *timeout = priv->timeout; 1019 1017 1018 + nf_queue_nf_hook_drop(ctx->net); 1020 1019 nf_ct_untimeout(ctx->net, timeout); 1021 1020 nf_ct_netns_put(ctx->net, ctx->family); 1022 1021 kfree(priv->timeout); ··· 1150 1147 { 1151 1148 struct nft_ct_helper_obj *priv = nft_obj_data(obj); 1152 1149 1150 + nf_queue_nf_hook_drop(ctx->net); 1153 1151 if (priv->helper4) 1154 1152 nf_conntrack_helper_put(priv->helper4); 1155 1153 if (priv->helper6)

+9 -1

net/netfilter/nft_dynset.c

··· 30 30 const struct nft_set_ext *ext) 31 31 { 32 32 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 33 + struct nft_ctx ctx = { 34 + .net = read_pnet(&priv->set->net), 35 + .family = priv->set->table->family, 36 + }; 33 37 struct nft_expr *expr; 34 38 int i; 35 39 36 40 for (i = 0; i < priv->num_exprs; i++) { 37 41 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 38 42 if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0) 39 - return -1; 43 + goto err_out; 40 44 41 45 elem_expr->size += priv->expr_array[i]->ops->size; 42 46 } 43 47 44 48 return 0; 49 + err_out: 50 + nft_set_elem_expr_destroy(&ctx, elem_expr); 51 + 52 + return -1; 45 53 } 46 54 47 55 struct nft_elem_priv *nft_dynset_new(struct nft_set *set,

+10 -61

net/netfilter/nft_set_rbtree.c

··· 304 304 priv->start_rbe_cookie = (unsigned long)rbe; 305 305 } 306 306 307 - static void nft_rbtree_set_start_cookie_open(struct nft_rbtree *priv, 308 - const struct nft_rbtree_elem *rbe, 309 - unsigned long open_interval) 310 - { 311 - priv->start_rbe_cookie = (unsigned long)rbe | open_interval; 312 - } 313 - 314 - #define NFT_RBTREE_OPEN_INTERVAL 1UL 315 - 316 307 static bool nft_rbtree_cmp_start_cookie(struct nft_rbtree *priv, 317 308 const struct nft_rbtree_elem *rbe) 318 309 { 319 - return (priv->start_rbe_cookie & ~NFT_RBTREE_OPEN_INTERVAL) == (unsigned long)rbe; 310 + return priv->start_rbe_cookie == (unsigned long)rbe; 320 311 } 321 312 322 313 static bool nft_rbtree_insert_same_interval(const struct net *net, ··· 337 346 338 347 static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, 339 348 struct nft_rbtree_elem *new, 340 - struct nft_elem_priv **elem_priv, u64 tstamp, bool last) 349 + struct nft_elem_priv **elem_priv, u64 tstamp) 341 350 { 342 351 struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL, *rbe_prev; 343 352 struct rb_node *node, *next, *parent, **p, *first = NULL; 344 353 struct nft_rbtree *priv = nft_set_priv(set); 345 354 u8 cur_genmask = nft_genmask_cur(net); 346 355 u8 genmask = nft_genmask_next(net); 347 - unsigned long open_interval = 0; 348 356 int d; 349 357 350 358 /* Descend the tree to search for an existing element greater than the ··· 449 459 } 450 460 } 451 461 452 - if (nft_rbtree_interval_null(set, new)) { 462 + if (nft_rbtree_interval_null(set, new)) 453 463 priv->start_rbe_cookie = 0; 454 - } else if (nft_rbtree_interval_start(new) && priv->start_rbe_cookie) { 455 - if (nft_set_is_anonymous(set)) { 456 - priv->start_rbe_cookie = 0; 457 - } else if (priv->start_rbe_cookie & NFT_RBTREE_OPEN_INTERVAL) { 458 - /* Previous element is an open interval that partially 459 - * overlaps with an existing non-open interval. 460 - */ 461 - return -ENOTEMPTY; 462 - } 463 - } 464 + else if (nft_rbtree_interval_start(new) && priv->start_rbe_cookie) 465 + priv->start_rbe_cookie = 0; 464 466 465 467 /* - new start element matching existing start element: full overlap 466 468 * reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given. ··· 460 478 if (rbe_ge && !nft_rbtree_cmp(set, new, rbe_ge) && 461 479 nft_rbtree_interval_start(rbe_ge) == nft_rbtree_interval_start(new)) { 462 480 *elem_priv = &rbe_ge->priv; 463 - 464 - /* - Corner case: new start element of open interval (which 465 - * comes as last element in the batch) overlaps the start of 466 - * an existing interval with an end element: partial overlap. 467 - */ 468 - node = rb_first(&priv->root); 469 - rbe = __nft_rbtree_next_active(node, genmask); 470 - if (rbe && nft_rbtree_interval_end(rbe)) { 471 - rbe = nft_rbtree_next_active(rbe, genmask); 472 - if (rbe && 473 - nft_rbtree_interval_start(rbe) && 474 - !nft_rbtree_cmp(set, new, rbe)) { 475 - if (last) 476 - return -ENOTEMPTY; 477 - 478 - /* Maybe open interval? */ 479 - open_interval = NFT_RBTREE_OPEN_INTERVAL; 480 - } 481 - } 482 - nft_rbtree_set_start_cookie_open(priv, rbe_ge, open_interval); 483 - 481 + nft_rbtree_set_start_cookie(priv, rbe_ge); 484 482 return -EEXIST; 485 483 } 486 484 ··· 513 551 */ 514 552 if (rbe_ge && 515 553 nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new)) 516 - return -ENOTEMPTY; 517 - 518 - /* - start element overlaps an open interval but end element is new: 519 - * partial overlap, reported as -ENOEMPTY. 520 - */ 521 - if (!rbe_ge && priv->start_rbe_cookie && nft_rbtree_interval_end(new)) 522 554 return -ENOTEMPTY; 523 555 524 556 /* Accepted element: pick insertion point depending on key value */ ··· 624 668 struct nft_elem_priv **elem_priv) 625 669 { 626 670 struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem->priv); 627 - bool last = !!(elem->flags & NFT_SET_ELEM_INTERNAL_LAST); 628 671 struct nft_rbtree *priv = nft_set_priv(set); 629 672 u64 tstamp = nft_net_tstamp(net); 630 673 int err; ··· 640 685 cond_resched(); 641 686 642 687 write_lock_bh(&priv->lock); 643 - err = __nft_rbtree_insert(net, set, rbe, elem_priv, tstamp, last); 688 + err = __nft_rbtree_insert(net, set, rbe, elem_priv, tstamp); 644 689 write_unlock_bh(&priv->lock); 645 - 646 - if (nft_rbtree_interval_end(rbe)) 647 - priv->start_rbe_cookie = 0; 648 - 649 690 } while (err == -EAGAIN); 650 691 651 692 return err; ··· 729 778 const struct nft_set_elem *elem) 730 779 { 731 780 struct nft_rbtree_elem *rbe, *this = nft_elem_priv_cast(elem->priv); 732 - bool last = !!(elem->flags & NFT_SET_ELEM_INTERNAL_LAST); 733 781 struct nft_rbtree *priv = nft_set_priv(set); 734 782 const struct rb_node *parent = priv->root.rb_node; 735 783 u8 genmask = nft_genmask_next(net); ··· 769 819 continue; 770 820 } 771 821 772 - if (nft_rbtree_interval_start(rbe)) { 773 - if (!last) 774 - nft_rbtree_set_start_cookie(priv, rbe); 775 - } else if (!nft_rbtree_deactivate_same_interval(net, priv, rbe)) 822 + if (nft_rbtree_interval_start(rbe)) 823 + nft_rbtree_set_start_cookie(priv, rbe); 824 + else if (!nft_rbtree_deactivate_same_interval(net, priv, rbe)) 776 825 return NULL; 777 826 778 827 nft_rbtree_flush(net, set, &rbe->priv);

+4

net/netfilter/xt_CT.c

··· 16 16 #include <net/netfilter/nf_conntrack_ecache.h> 17 17 #include <net/netfilter/nf_conntrack_timeout.h> 18 18 #include <net/netfilter/nf_conntrack_zones.h> 19 + #include "nf_internals.h" 19 20 20 21 static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) 21 22 { ··· 284 283 struct nf_conn_help *help; 285 284 286 285 if (ct) { 286 + if (info->helper[0] || info->timeout[0]) 287 + nf_queue_nf_hook_drop(par->net); 288 + 287 289 help = nfct_help(ct); 288 290 xt_ct_put_helper(help); 289 291

+2 -2

net/netfilter/xt_time.c

··· 223 223 224 224 localtime_2(&current_time, stamp); 225 225 226 - if (!(info->weekdays_match & (1 << current_time.weekday))) 226 + if (!(info->weekdays_match & (1U << current_time.weekday))) 227 227 return false; 228 228 229 229 /* Do not spend time computing monthday if all days match anyway */ 230 230 if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) { 231 231 localtime_3(&current_time, stamp); 232 - if (!(info->monthdays_match & (1 << current_time.monthday))) 232 + if (!(info->monthdays_match & (1U << current_time.monthday))) 233 233 return false; 234 234 } 235 235

+4 -1

net/phonet/af_phonet.c

··· 129 129 return 1; 130 130 } 131 131 132 - static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr) 132 + static int pn_header_parse(const struct sk_buff *skb, 133 + const struct net_device *dev, 134 + unsigned char *haddr) 133 135 { 134 136 const u8 *media = skb_mac_header(skb); 137 + 135 138 *haddr = *media; 136 139 return 1; 137 140 }

+5

net/rose/af_rose.c

··· 811 811 goto out_release; 812 812 } 813 813 814 + if (sk->sk_state == TCP_SYN_SENT) { 815 + err = -EALREADY; 816 + goto out_release; 817 + } 818 + 814 819 sk->sk_state = TCP_CLOSE; 815 820 sock->state = SS_UNCONNECTED; 816 821

-27

net/sched/sch_generic.c

··· 1288 1288 } 1289 1289 } 1290 1290 1291 - static void dev_reset_queue(struct net_device *dev, 1292 - struct netdev_queue *dev_queue, 1293 - void *_unused) 1294 - { 1295 - struct Qdisc *qdisc; 1296 - bool nolock; 1297 - 1298 - qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); 1299 - if (!qdisc) 1300 - return; 1301 - 1302 - nolock = qdisc->flags & TCQ_F_NOLOCK; 1303 - 1304 - if (nolock) 1305 - spin_lock_bh(&qdisc->seqlock); 1306 - spin_lock_bh(qdisc_lock(qdisc)); 1307 - 1308 - qdisc_reset(qdisc); 1309 - 1310 - spin_unlock_bh(qdisc_lock(qdisc)); 1311 - if (nolock) { 1312 - clear_bit(__QDISC_STATE_MISSED, &qdisc->state); 1313 - clear_bit(__QDISC_STATE_DRAINING, &qdisc->state); 1314 - spin_unlock_bh(&qdisc->seqlock); 1315 - } 1316 - } 1317 - 1318 1291 static bool some_qdisc_is_busy(struct net_device *dev) 1319 1292 { 1320 1293 unsigned int i;

+8 -6

net/sched/sch_ingress.c

··· 113 113 { 114 114 struct ingress_sched_data *q = qdisc_priv(sch); 115 115 struct net_device *dev = qdisc_dev(sch); 116 - struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress); 116 + struct bpf_mprog_entry *entry; 117 117 118 118 if (sch->parent != TC_H_INGRESS) 119 119 return; 120 120 121 121 tcf_block_put_ext(q->block, sch, &q->block_info); 122 122 123 - if (entry) { 123 + if (mini_qdisc_pair_inited(&q->miniqp)) { 124 + entry = rtnl_dereference(dev->tcx_ingress); 124 125 tcx_miniq_dec(entry); 125 126 if (!tcx_entry_is_active(entry)) { 126 127 tcx_entry_update(dev, NULL, true); ··· 291 290 292 291 static void clsact_destroy(struct Qdisc *sch) 293 292 { 293 + struct bpf_mprog_entry *ingress_entry, *egress_entry; 294 294 struct clsact_sched_data *q = qdisc_priv(sch); 295 295 struct net_device *dev = qdisc_dev(sch); 296 - struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress); 297 - struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress); 298 296 299 297 if (sch->parent != TC_H_CLSACT) 300 298 return; ··· 301 301 tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); 302 302 tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); 303 303 304 - if (ingress_entry) { 304 + if (mini_qdisc_pair_inited(&q->miniqp_ingress)) { 305 + ingress_entry = rtnl_dereference(dev->tcx_ingress); 305 306 tcx_miniq_dec(ingress_entry); 306 307 if (!tcx_entry_is_active(ingress_entry)) { 307 308 tcx_entry_update(dev, NULL, true); ··· 310 309 } 311 310 } 312 311 313 - if (egress_entry) { 312 + if (mini_qdisc_pair_inited(&q->miniqp_egress)) { 313 + egress_entry = rtnl_dereference(dev->tcx_egress); 314 314 tcx_miniq_dec(egress_entry); 315 315 if (!tcx_entry_is_active(egress_entry)) { 316 316 tcx_entry_update(dev, NULL, false);

+2 -5

net/sched/sch_teql.c

··· 146 146 master->slaves = NEXT_SLAVE(q); 147 147 if (q == master->slaves) { 148 148 struct netdev_queue *txq; 149 - spinlock_t *root_lock; 150 149 151 150 txq = netdev_get_tx_queue(master->dev, 0); 152 151 master->slaves = NULL; 153 152 154 - root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc)); 155 - spin_lock_bh(root_lock); 156 - qdisc_reset(rtnl_dereference(txq->qdisc)); 157 - spin_unlock_bh(root_lock); 153 + dev_reset_queue(master->dev, 154 + txq, NULL); 158 155 } 159 156 } 160 157 skb_queue_purge(&dat->q);

+94 -66

net/shaper/shaper.c

··· 36 36 return &((struct net_shaper_nl_ctx *)ctx)->binding; 37 37 } 38 38 39 - static void net_shaper_lock(struct net_shaper_binding *binding) 40 - { 41 - switch (binding->type) { 42 - case NET_SHAPER_BINDING_TYPE_NETDEV: 43 - netdev_lock(binding->netdev); 44 - break; 45 - } 46 - } 47 - 48 - static void net_shaper_unlock(struct net_shaper_binding *binding) 49 - { 50 - switch (binding->type) { 51 - case NET_SHAPER_BINDING_TYPE_NETDEV: 52 - netdev_unlock(binding->netdev); 53 - break; 54 - } 55 - } 56 - 57 39 static struct net_shaper_hierarchy * 58 40 net_shaper_hierarchy(struct net_shaper_binding *binding) 59 41 { 60 42 /* Pairs with WRITE_ONCE() in net_shaper_hierarchy_setup. */ 61 43 if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV) 44 + return READ_ONCE(binding->netdev->net_shaper_hierarchy); 45 + 46 + /* No other type supported yet. */ 47 + return NULL; 48 + } 49 + 50 + static struct net_shaper_hierarchy * 51 + net_shaper_hierarchy_rcu(struct net_shaper_binding *binding) 52 + { 53 + /* Readers look up the device and take a ref, then take RCU lock 54 + * later at which point netdev may have been unregistered and flushed. 55 + * READ_ONCE() pairs with WRITE_ONCE() in net_shaper_hierarchy_setup. 56 + */ 57 + if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV && 58 + READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED) 62 59 return READ_ONCE(binding->netdev->net_shaper_hierarchy); 63 60 64 61 /* No other type supported yet. */ ··· 201 204 return 0; 202 205 } 203 206 207 + /* Like net_shaper_ctx_setup(), but for "write" handlers (never for dumps!) 208 + * Acquires the lock protecting the hierarchy (instance lock for netdev). 209 + */ 210 + static int net_shaper_ctx_setup_lock(const struct genl_info *info, int type, 211 + struct net_shaper_nl_ctx *ctx) 212 + { 213 + struct net *ns = genl_info_net(info); 214 + struct net_device *dev; 215 + int ifindex; 216 + 217 + if (GENL_REQ_ATTR_CHECK(info, type)) 218 + return -EINVAL; 219 + 220 + ifindex = nla_get_u32(info->attrs[type]); 221 + dev = netdev_get_by_index_lock(ns, ifindex); 222 + if (!dev) { 223 + NL_SET_BAD_ATTR(info->extack, info->attrs[type]); 224 + return -ENOENT; 225 + } 226 + 227 + if (!dev->netdev_ops->net_shaper_ops) { 228 + NL_SET_BAD_ATTR(info->extack, info->attrs[type]); 229 + netdev_unlock(dev); 230 + return -EOPNOTSUPP; 231 + } 232 + 233 + ctx->binding.type = NET_SHAPER_BINDING_TYPE_NETDEV; 234 + ctx->binding.netdev = dev; 235 + return 0; 236 + } 237 + 204 238 static void net_shaper_ctx_cleanup(struct net_shaper_nl_ctx *ctx) 205 239 { 206 240 if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) 207 241 netdev_put(ctx->binding.netdev, &ctx->dev_tracker); 242 + } 243 + 244 + static void net_shaper_ctx_cleanup_unlock(struct net_shaper_nl_ctx *ctx) 245 + { 246 + if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV) 247 + netdev_unlock(ctx->binding.netdev); 208 248 } 209 249 210 250 static u32 net_shaper_handle_to_index(const struct net_shaper_handle *handle) ··· 285 251 net_shaper_lookup(struct net_shaper_binding *binding, 286 252 const struct net_shaper_handle *handle) 287 253 { 288 - struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding); 289 254 u32 index = net_shaper_handle_to_index(handle); 255 + struct net_shaper_hierarchy *hierarchy; 290 256 257 + hierarchy = net_shaper_hierarchy_rcu(binding); 291 258 if (!hierarchy || xa_get_mark(&hierarchy->shapers, index, 292 259 NET_SHAPER_NOT_VALID)) 293 260 return NULL; ··· 297 262 } 298 263 299 264 /* Allocate on demand the per device shaper's hierarchy container. 300 - * Called under the net shaper lock 265 + * Called under the lock protecting the hierarchy (instance lock for netdev) 301 266 */ 302 267 static struct net_shaper_hierarchy * 303 268 net_shaper_hierarchy_setup(struct net_shaper_binding *binding) ··· 716 681 net_shaper_generic_post(info); 717 682 } 718 683 684 + int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, 685 + struct sk_buff *skb, struct genl_info *info) 686 + { 687 + struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)info->ctx; 688 + 689 + BUILD_BUG_ON(sizeof(*ctx) > sizeof(info->ctx)); 690 + 691 + return net_shaper_ctx_setup_lock(info, NET_SHAPER_A_IFINDEX, ctx); 692 + } 693 + 694 + void net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, 695 + struct sk_buff *skb, struct genl_info *info) 696 + { 697 + net_shaper_ctx_cleanup_unlock((struct net_shaper_nl_ctx *)info->ctx); 698 + } 699 + 719 700 int net_shaper_nl_pre_dumpit(struct netlink_callback *cb) 720 701 { 721 702 struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)cb->ctx; ··· 829 778 830 779 /* Don't error out dumps performed before any set operation. */ 831 780 binding = net_shaper_binding_from_ctx(ctx); 832 - hierarchy = net_shaper_hierarchy(binding); 833 - if (!hierarchy) 834 - return 0; 835 781 836 782 rcu_read_lock(); 783 + hierarchy = net_shaper_hierarchy_rcu(binding); 784 + if (!hierarchy) 785 + goto out_unlock; 786 + 837 787 for (; (shaper = xa_find(&hierarchy->shapers, &ctx->start_index, 838 788 U32_MAX, XA_PRESENT)); ctx->start_index++) { 839 789 ret = net_shaper_fill_one(skb, binding, shaper, info); 840 790 if (ret) 841 791 break; 842 792 } 793 + out_unlock: 843 794 rcu_read_unlock(); 844 795 845 796 return ret; ··· 859 806 860 807 binding = net_shaper_binding_from_ctx(info->ctx); 861 808 862 - net_shaper_lock(binding); 863 809 ret = net_shaper_parse_info(binding, info->attrs, info, &shaper, 864 810 &exists); 865 811 if (ret) 866 - goto unlock; 812 + return ret; 867 813 868 814 if (!exists) 869 815 net_shaper_default_parent(&shaper.handle, &shaper.parent); 870 816 871 817 hierarchy = net_shaper_hierarchy_setup(binding); 872 - if (!hierarchy) { 873 - ret = -ENOMEM; 874 - goto unlock; 875 - } 818 + if (!hierarchy) 819 + return -ENOMEM; 876 820 877 821 /* The 'set' operation can't create node-scope shapers. */ 878 822 handle = shaper.handle; 879 823 if (handle.scope == NET_SHAPER_SCOPE_NODE && 880 - !net_shaper_lookup(binding, &handle)) { 881 - ret = -ENOENT; 882 - goto unlock; 883 - } 824 + !net_shaper_lookup(binding, &handle)) 825 + return -ENOENT; 884 826 885 827 ret = net_shaper_pre_insert(binding, &handle, info->extack); 886 828 if (ret) 887 - goto unlock; 829 + return ret; 888 830 889 831 ops = net_shaper_ops(binding); 890 832 ret = ops->set(binding, &shaper, info->extack); 891 833 if (ret) { 892 834 net_shaper_rollback(binding); 893 - goto unlock; 835 + return ret; 894 836 } 895 837 896 838 net_shaper_commit(binding, 1, &shaper); 897 839 898 - unlock: 899 - net_shaper_unlock(binding); 900 - return ret; 840 + return 0; 901 841 } 902 842 903 843 static int __net_shaper_delete(struct net_shaper_binding *binding, ··· 1118 1072 1119 1073 binding = net_shaper_binding_from_ctx(info->ctx); 1120 1074 1121 - net_shaper_lock(binding); 1122 1075 ret = net_shaper_parse_handle(info->attrs[NET_SHAPER_A_HANDLE], info, 1123 1076 &handle); 1124 1077 if (ret) 1125 - goto unlock; 1078 + return ret; 1126 1079 1127 1080 hierarchy = net_shaper_hierarchy(binding); 1128 - if (!hierarchy) { 1129 - ret = -ENOENT; 1130 - goto unlock; 1131 - } 1081 + if (!hierarchy) 1082 + return -ENOENT; 1132 1083 1133 1084 shaper = net_shaper_lookup(binding, &handle); 1134 - if (!shaper) { 1135 - ret = -ENOENT; 1136 - goto unlock; 1137 - } 1085 + if (!shaper) 1086 + return -ENOENT; 1138 1087 1139 1088 if (handle.scope == NET_SHAPER_SCOPE_NODE) { 1140 1089 ret = net_shaper_pre_del_node(binding, shaper, info->extack); 1141 1090 if (ret) 1142 - goto unlock; 1091 + return ret; 1143 1092 } 1144 1093 1145 - ret = __net_shaper_delete(binding, shaper, info->extack); 1146 - 1147 - unlock: 1148 - net_shaper_unlock(binding); 1149 - return ret; 1094 + return __net_shaper_delete(binding, shaper, info->extack); 1150 1095 } 1151 1096 1152 1097 static int net_shaper_group_send_reply(struct net_shaper_binding *binding, ··· 1186 1149 if (!net_shaper_ops(binding)->group) 1187 1150 return -EOPNOTSUPP; 1188 1151 1189 - net_shaper_lock(binding); 1190 1152 leaves_count = net_shaper_list_len(info, NET_SHAPER_A_LEAVES); 1191 1153 if (!leaves_count) { 1192 1154 NL_SET_BAD_ATTR(info->extack, 1193 1155 info->attrs[NET_SHAPER_A_LEAVES]); 1194 - ret = -EINVAL; 1195 - goto unlock; 1156 + return -EINVAL; 1196 1157 } 1197 1158 1198 1159 leaves = kcalloc(leaves_count, sizeof(struct net_shaper) + 1199 1160 sizeof(struct net_shaper *), GFP_KERNEL); 1200 - if (!leaves) { 1201 - ret = -ENOMEM; 1202 - goto unlock; 1203 - } 1161 + if (!leaves) 1162 + return -ENOMEM; 1204 1163 old_nodes = (void *)&leaves[leaves_count]; 1205 1164 1206 1165 ret = net_shaper_parse_node(binding, info->attrs, info, &node); ··· 1273 1240 1274 1241 free_leaves: 1275 1242 kfree(leaves); 1276 - 1277 - unlock: 1278 - net_shaper_unlock(binding); 1279 1243 return ret; 1280 1244 1281 1245 free_msg: ··· 1382 1352 if (!hierarchy) 1383 1353 return; 1384 1354 1385 - net_shaper_lock(binding); 1386 1355 xa_lock(&hierarchy->shapers); 1387 1356 xa_for_each(&hierarchy->shapers, index, cur) { 1388 1357 __xa_erase(&hierarchy->shapers, index); 1389 1358 kfree(cur); 1390 1359 } 1391 1360 xa_unlock(&hierarchy->shapers); 1392 - net_shaper_unlock(binding); 1393 1361 1394 1362 kfree(hierarchy); 1395 1363 }

+6 -6

net/shaper/shaper_nl_gen.c

··· 99 99 }, 100 100 { 101 101 .cmd = NET_SHAPER_CMD_SET, 102 - .pre_doit = net_shaper_nl_pre_doit, 102 + .pre_doit = net_shaper_nl_pre_doit_write, 103 103 .doit = net_shaper_nl_set_doit, 104 - .post_doit = net_shaper_nl_post_doit, 104 + .post_doit = net_shaper_nl_post_doit_write, 105 105 .policy = net_shaper_set_nl_policy, 106 106 .maxattr = NET_SHAPER_A_IFINDEX, 107 107 .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, 108 108 }, 109 109 { 110 110 .cmd = NET_SHAPER_CMD_DELETE, 111 - .pre_doit = net_shaper_nl_pre_doit, 111 + .pre_doit = net_shaper_nl_pre_doit_write, 112 112 .doit = net_shaper_nl_delete_doit, 113 - .post_doit = net_shaper_nl_post_doit, 113 + .post_doit = net_shaper_nl_post_doit_write, 114 114 .policy = net_shaper_delete_nl_policy, 115 115 .maxattr = NET_SHAPER_A_IFINDEX, 116 116 .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, 117 117 }, 118 118 { 119 119 .cmd = NET_SHAPER_CMD_GROUP, 120 - .pre_doit = net_shaper_nl_pre_doit, 120 + .pre_doit = net_shaper_nl_pre_doit_write, 121 121 .doit = net_shaper_nl_group_doit, 122 - .post_doit = net_shaper_nl_post_doit, 122 + .post_doit = net_shaper_nl_post_doit_write, 123 123 .policy = net_shaper_group_nl_policy, 124 124 .maxattr = NET_SHAPER_A_LEAVES, 125 125 .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,

+5

net/shaper/shaper_nl_gen.h

··· 18 18 19 19 int net_shaper_nl_pre_doit(const struct genl_split_ops *ops, 20 20 struct sk_buff *skb, struct genl_info *info); 21 + int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops, 22 + struct sk_buff *skb, struct genl_info *info); 21 23 int net_shaper_nl_cap_pre_doit(const struct genl_split_ops *ops, 22 24 struct sk_buff *skb, struct genl_info *info); 23 25 void 24 26 net_shaper_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 25 27 struct genl_info *info); 28 + void 29 + net_shaper_nl_post_doit_write(const struct genl_split_ops *ops, 30 + struct sk_buff *skb, struct genl_info *info); 26 31 void 27 32 net_shaper_nl_cap_post_doit(const struct genl_split_ops *ops, 28 33 struct sk_buff *skb, struct genl_info *info);

+17 -6

net/smc/af_smc.c

··· 131 131 struct smc_sock *smc; 132 132 struct sock *child; 133 133 134 - smc = smc_clcsock_user_data(sk); 134 + rcu_read_lock(); 135 + smc = smc_clcsock_user_data_rcu(sk); 136 + if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) { 137 + rcu_read_unlock(); 138 + smc = NULL; 139 + goto drop; 140 + } 141 + rcu_read_unlock(); 135 142 136 143 if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > 137 144 sk->sk_max_ack_backlog) ··· 160 153 if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) 161 154 inet_csk(child)->icsk_af_ops = smc->ori_af_ops; 162 155 } 156 + sock_put(&smc->sk); 163 157 return child; 164 158 165 159 drop: 166 160 dst_release(dst); 167 161 tcp_listendrop(sk); 162 + if (smc) 163 + sock_put(&smc->sk); 168 164 return NULL; 169 165 } 170 166 ··· 264 254 struct sock *clcsk = smc->clcsock->sk; 265 255 266 256 write_lock_bh(&clcsk->sk_callback_lock); 267 - clcsk->sk_user_data = NULL; 257 + rcu_assign_sk_user_data(clcsk, NULL); 268 258 269 259 smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change); 270 260 smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready); ··· 912 902 struct sock *clcsk = smc->clcsock->sk; 913 903 914 904 write_lock_bh(&clcsk->sk_callback_lock); 915 - clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); 905 + __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY); 916 906 917 907 smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change, 918 908 &smc->clcsk_state_change); ··· 2675 2665 * smc-specific sk_data_ready function 2676 2666 */ 2677 2667 write_lock_bh(&smc->clcsock->sk->sk_callback_lock); 2678 - smc->clcsock->sk->sk_user_data = 2679 - (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); 2668 + __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc, 2669 + SK_USER_DATA_NOCOPY); 2680 2670 smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready, 2681 2671 smc_clcsock_data_ready, &smc->clcsk_data_ready); 2682 2672 write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); ··· 2697 2687 write_lock_bh(&smc->clcsock->sk->sk_callback_lock); 2698 2688 smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, 2699 2689 &smc->clcsk_data_ready); 2700 - smc->clcsock->sk->sk_user_data = NULL; 2690 + rcu_assign_sk_user_data(smc->clcsock->sk, NULL); 2701 2691 write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); 2702 2692 goto out; 2703 2693 } 2694 + sock_set_flag(sk, SOCK_RCU_FREE); 2704 2695 sk->sk_max_ack_backlog = backlog; 2705 2696 sk->sk_ack_backlog = 0; 2706 2697 sk->sk_state = SMC_LISTEN;

+5

net/smc/smc.h

··· 346 346 ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); 347 347 } 348 348 349 + static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk) 350 + { 351 + return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk); 352 + } 353 + 349 354 /* save target_cb in saved_cb, and replace target_cb with new_cb */ 350 355 static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *), 351 356 void (*new_cb)(struct sock *),

+1 -1

net/smc/smc_close.c

··· 218 218 write_lock_bh(&smc->clcsock->sk->sk_callback_lock); 219 219 smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, 220 220 &smc->clcsk_data_ready); 221 - smc->clcsock->sk->sk_user_data = NULL; 221 + rcu_assign_sk_user_data(smc->clcsock->sk, NULL); 222 222 write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); 223 223 rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); 224 224 }

+2

net/unix/af_unix.c

··· 1958 1958 static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb) 1959 1959 { 1960 1960 scm->fp = scm_fp_dup(UNIXCB(skb).fp); 1961 + 1962 + unix_peek_fpl(scm->fp); 1961 1963 } 1962 1964 1963 1965 static void unix_destruct_scm(struct sk_buff *skb)

+1

net/unix/af_unix.h

··· 29 29 void unix_update_edges(struct unix_sock *receiver); 30 30 int unix_prepare_fpl(struct scm_fp_list *fpl); 31 31 void unix_destroy_fpl(struct scm_fp_list *fpl); 32 + void unix_peek_fpl(struct scm_fp_list *fpl); 32 33 void unix_schedule_gc(struct user_struct *user); 33 34 34 35 /* SOCK_DIAG */

+51 -28

net/unix/garbage.c

··· 318 318 unix_free_vertices(fpl); 319 319 } 320 320 321 + static bool gc_in_progress; 322 + static seqcount_t unix_peek_seq = SEQCNT_ZERO(unix_peek_seq); 323 + 324 + void unix_peek_fpl(struct scm_fp_list *fpl) 325 + { 326 + static DEFINE_SPINLOCK(unix_peek_lock); 327 + 328 + if (!fpl || !fpl->count_unix) 329 + return; 330 + 331 + if (!READ_ONCE(gc_in_progress)) 332 + return; 333 + 334 + /* Invalidate the final refcnt check in unix_vertex_dead(). */ 335 + spin_lock(&unix_peek_lock); 336 + raw_write_seqcount_barrier(&unix_peek_seq); 337 + spin_unlock(&unix_peek_lock); 338 + } 339 + 321 340 static bool unix_vertex_dead(struct unix_vertex *vertex) 322 341 { 323 342 struct unix_edge *edge; ··· 368 349 return false; 369 350 370 351 return true; 352 + } 353 + 354 + static LIST_HEAD(unix_visited_vertices); 355 + static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2; 356 + 357 + static bool unix_scc_dead(struct list_head *scc, bool fast) 358 + { 359 + struct unix_vertex *vertex; 360 + bool scc_dead = true; 361 + unsigned int seq; 362 + 363 + seq = read_seqcount_begin(&unix_peek_seq); 364 + 365 + list_for_each_entry_reverse(vertex, scc, scc_entry) { 366 + /* Don't restart DFS from this vertex. */ 367 + list_move_tail(&vertex->entry, &unix_visited_vertices); 368 + 369 + /* Mark vertex as off-stack for __unix_walk_scc(). */ 370 + if (!fast) 371 + vertex->index = unix_vertex_grouped_index; 372 + 373 + if (scc_dead) 374 + scc_dead = unix_vertex_dead(vertex); 375 + } 376 + 377 + /* If MSG_PEEK intervened, defer this SCC to the next round. */ 378 + if (read_seqcount_retry(&unix_peek_seq, seq)) 379 + return false; 380 + 381 + return scc_dead; 371 382 } 372 383 373 384 static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist) ··· 452 403 453 404 return false; 454 405 } 455 - 456 - static LIST_HEAD(unix_visited_vertices); 457 - static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2; 458 406 459 407 static unsigned long __unix_walk_scc(struct unix_vertex *vertex, 460 408 unsigned long *last_index, ··· 520 474 } 521 475 522 476 if (vertex->index == vertex->scc_index) { 523 - struct unix_vertex *v; 524 477 struct list_head scc; 525 - bool scc_dead = true; 526 478 527 479 /* SCC finalised. 528 480 * ··· 529 485 */ 530 486 __list_cut_position(&scc, &vertex_stack, &vertex->scc_entry); 531 487 532 - list_for_each_entry_reverse(v, &scc, scc_entry) { 533 - /* Don't restart DFS from this vertex in unix_walk_scc(). */ 534 - list_move_tail(&v->entry, &unix_visited_vertices); 535 - 536 - /* Mark vertex as off-stack. */ 537 - v->index = unix_vertex_grouped_index; 538 - 539 - if (scc_dead) 540 - scc_dead = unix_vertex_dead(v); 541 - } 542 - 543 - if (scc_dead) { 488 + if (unix_scc_dead(&scc, false)) { 544 489 unix_collect_skb(&scc, hitlist); 545 490 } else { 546 491 if (unix_vertex_max_scc_index < vertex->scc_index) ··· 583 550 while (!list_empty(&unix_unvisited_vertices)) { 584 551 struct unix_vertex *vertex; 585 552 struct list_head scc; 586 - bool scc_dead = true; 587 553 588 554 vertex = list_first_entry(&unix_unvisited_vertices, typeof(*vertex), entry); 589 555 list_add(&scc, &vertex->scc_entry); 590 556 591 - list_for_each_entry_reverse(vertex, &scc, scc_entry) { 592 - list_move_tail(&vertex->entry, &unix_visited_vertices); 593 - 594 - if (scc_dead) 595 - scc_dead = unix_vertex_dead(vertex); 596 - } 597 - 598 - if (scc_dead) { 557 + if (unix_scc_dead(&scc, true)) { 599 558 cyclic_sccs--; 600 559 unix_collect_skb(&scc, hitlist); 601 560 } ··· 601 576 WRITE_ONCE(unix_graph_state, 602 577 cyclic_sccs ? UNIX_GRAPH_CYCLIC : UNIX_GRAPH_NOT_CYCLIC); 603 578 } 604 - 605 - static bool gc_in_progress; 606 579 607 580 static void unix_gc(struct work_struct *work) 608 581 {

+1

net/wireless/pmsr.c

··· 664 664 } 665 665 spin_unlock_bh(&wdev->pmsr_lock); 666 666 667 + cancel_work_sync(&wdev->pmsr_free_wk); 667 668 if (found) 668 669 cfg80211_pmsr_process_abort(wdev); 669 670

Configure Feed

Configure Feed