Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Thu, 18 Oct 2018 10:25:35
Message-Id: 1539858303.3600da4bd594f2afcd0935f7b1ea2fcd53b4c5d9.mpagano@gentoo
1 commit: 3600da4bd594f2afcd0935f7b1ea2fcd53b4c5d9
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Oct 18 10:25:03 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Oct 18 10:25:03 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=3600da4b
7
8 Linux patch 4.9.134
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1133_linux-4.9.134.patch | 4551 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4555 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 5ccf4d0..99ea31b 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -575,6 +575,10 @@ Patch: 1130_linux-4.9.133.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.133
23
24 +Patch: 1131_linux-4.9.134.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.134
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1133_linux-4.9.134.patch b/1133_linux-4.9.134.patch
33 new file mode 100644
34 index 0000000..a137980
35 --- /dev/null
36 +++ b/1133_linux-4.9.134.patch
37 @@ -0,0 +1,4551 @@
38 +diff --git a/Documentation/devicetree/bindings/net/macb.txt b/Documentation/devicetree/bindings/net/macb.txt
39 +index 1506e948610c..d1f435c92912 100644
40 +--- a/Documentation/devicetree/bindings/net/macb.txt
41 ++++ b/Documentation/devicetree/bindings/net/macb.txt
42 +@@ -10,6 +10,7 @@ Required properties:
43 + Use "cdns,pc302-gem" for Picochip picoXcell pc302 and later devices based on
44 + the Cadence GEM, or the generic form: "cdns,gem".
45 + Use "atmel,sama5d2-gem" for the GEM IP (10/100) available on Atmel sama5d2 SoCs.
46 ++ Use "atmel,sama5d3-macb" for the 10/100Mbit IP available on Atmel sama5d3 SoCs.
47 + Use "atmel,sama5d3-gem" for the Gigabit IP available on Atmel sama5d3 SoCs.
48 + Use "atmel,sama5d4-gem" for the GEM IP (10/100) available on Atmel sama5d4 SoCs.
49 + Use "cdns,zynq-gem" Xilinx Zynq-7xxx SoC.
50 +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
51 +index 3db8c67d2c8d..dbdc4130e149 100644
52 +--- a/Documentation/networking/ip-sysctl.txt
53 ++++ b/Documentation/networking/ip-sysctl.txt
54 +@@ -122,14 +122,11 @@ min_adv_mss - INTEGER
55 +
56 + IP Fragmentation:
57 +
58 +-ipfrag_high_thresh - INTEGER
59 +- Maximum memory used to reassemble IP fragments. When
60 +- ipfrag_high_thresh bytes of memory is allocated for this purpose,
61 +- the fragment handler will toss packets until ipfrag_low_thresh
62 +- is reached. This also serves as a maximum limit to namespaces
63 +- different from the initial one.
64 +-
65 +-ipfrag_low_thresh - INTEGER
66 ++ipfrag_high_thresh - LONG INTEGER
67 ++ Maximum memory used to reassemble IP fragments.
68 ++
69 ++ipfrag_low_thresh - LONG INTEGER
70 ++ (Obsolete since linux-4.17)
71 + Maximum memory used to reassemble IP fragments before the kernel
72 + begins to remove incomplete fragment queues to free up resources.
73 + The kernel still accepts new fragments for defragmentation.
74 +diff --git a/Makefile b/Makefile
75 +index 18090f899a7c..46135e4333e6 100644
76 +--- a/Makefile
77 ++++ b/Makefile
78 +@@ -1,6 +1,6 @@
79 + VERSION = 4
80 + PATCHLEVEL = 9
81 +-SUBLEVEL = 133
82 ++SUBLEVEL = 134
83 + EXTRAVERSION =
84 + NAME = Roaring Lionus
85 +
86 +diff --git a/arch/arm/boot/dts/sama5d3_emac.dtsi b/arch/arm/boot/dts/sama5d3_emac.dtsi
87 +index 7cb235ef0fb6..6e9e1c2f9def 100644
88 +--- a/arch/arm/boot/dts/sama5d3_emac.dtsi
89 ++++ b/arch/arm/boot/dts/sama5d3_emac.dtsi
90 +@@ -41,7 +41,7 @@
91 + };
92 +
93 + macb1: ethernet@f802c000 {
94 +- compatible = "cdns,at91sam9260-macb", "cdns,macb";
95 ++ compatible = "atmel,sama5d3-macb", "cdns,at91sam9260-macb", "cdns,macb";
96 + reg = <0xf802c000 0x100>;
97 + interrupts = <35 IRQ_TYPE_LEVEL_HIGH 3>;
98 + pinctrl-names = "default";
99 +diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
100 +index 739c0c594022..1bb90fafcdc3 100644
101 +--- a/arch/x86/include/uapi/asm/kvm.h
102 ++++ b/arch/x86/include/uapi/asm/kvm.h
103 +@@ -356,5 +356,6 @@ struct kvm_sync_regs {
104 +
105 + #define KVM_X86_QUIRK_LINT0_REENABLED (1 << 0)
106 + #define KVM_X86_QUIRK_CD_NW_CLEARED (1 << 1)
107 ++#define KVM_X86_QUIRK_LAPIC_MMIO_HOLE (1 << 2)
108 +
109 + #endif /* _ASM_X86_KVM_H */
110 +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
111 +index a8a86be8cf15..69a81a7daa24 100644
112 +--- a/arch/x86/kvm/lapic.c
113 ++++ b/arch/x86/kvm/lapic.c
114 +@@ -1220,9 +1220,8 @@ EXPORT_SYMBOL_GPL(kvm_lapic_reg_read);
115 +
116 + static int apic_mmio_in_range(struct kvm_lapic *apic, gpa_t addr)
117 + {
118 +- return kvm_apic_hw_enabled(apic) &&
119 +- addr >= apic->base_address &&
120 +- addr < apic->base_address + LAPIC_MMIO_LENGTH;
121 ++ return addr >= apic->base_address &&
122 ++ addr < apic->base_address + LAPIC_MMIO_LENGTH;
123 + }
124 +
125 + static int apic_mmio_read(struct kvm_vcpu *vcpu, struct kvm_io_device *this,
126 +@@ -1234,6 +1233,15 @@ static int apic_mmio_read(struct kvm_vcpu *vcpu, struct kvm_io_device *this,
127 + if (!apic_mmio_in_range(apic, address))
128 + return -EOPNOTSUPP;
129 +
130 ++ if (!kvm_apic_hw_enabled(apic) || apic_x2apic_mode(apic)) {
131 ++ if (!kvm_check_has_quirk(vcpu->kvm,
132 ++ KVM_X86_QUIRK_LAPIC_MMIO_HOLE))
133 ++ return -EOPNOTSUPP;
134 ++
135 ++ memset(data, 0xff, len);
136 ++ return 0;
137 ++ }
138 ++
139 + kvm_lapic_reg_read(apic, offset, len, data);
140 +
141 + return 0;
142 +@@ -1646,6 +1654,14 @@ static int apic_mmio_write(struct kvm_vcpu *vcpu, struct kvm_io_device *this,
143 + if (!apic_mmio_in_range(apic, address))
144 + return -EOPNOTSUPP;
145 +
146 ++ if (!kvm_apic_hw_enabled(apic) || apic_x2apic_mode(apic)) {
147 ++ if (!kvm_check_has_quirk(vcpu->kvm,
148 ++ KVM_X86_QUIRK_LAPIC_MMIO_HOLE))
149 ++ return -EOPNOTSUPP;
150 ++
151 ++ return 0;
152 ++ }
153 ++
154 + /*
155 + * APIC register must be aligned on 128-bits boundary.
156 + * 32/64/128 bits registers must be accessed thru 32 bits.
157 +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
158 +index 47951f4775b9..d47c32a18da8 100644
159 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
160 ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
161 +@@ -505,7 +505,7 @@ static int kgd_hqd_sdma_destroy(struct kgd_dev *kgd, void *mqd,
162 +
163 + while (true) {
164 + temp = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS);
165 +- if (temp & SDMA0_STATUS_REG__RB_CMD_IDLE__SHIFT)
166 ++ if (temp & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK)
167 + break;
168 + if (timeout <= 0)
169 + return -ETIME;
170 +diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c
171 +index 7aa7b9cb6203..efefcfa24a4c 100644
172 +--- a/drivers/i2c/busses/i2c-scmi.c
173 ++++ b/drivers/i2c/busses/i2c-scmi.c
174 +@@ -152,6 +152,7 @@ acpi_smbus_cmi_access(struct i2c_adapter *adap, u16 addr, unsigned short flags,
175 + mt_params[3].type = ACPI_TYPE_INTEGER;
176 + mt_params[3].integer.value = len;
177 + mt_params[4].type = ACPI_TYPE_BUFFER;
178 ++ mt_params[4].buffer.length = len;
179 + mt_params[4].buffer.pointer = data->block + 1;
180 + }
181 + break;
182 +diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c
183 +index 7aab376ecb84..3785c638d530 100644
184 +--- a/drivers/mfd/omap-usb-host.c
185 ++++ b/drivers/mfd/omap-usb-host.c
186 +@@ -548,8 +548,8 @@ static int usbhs_omap_get_dt_pdata(struct device *dev,
187 + }
188 +
189 + static const struct of_device_id usbhs_child_match_table[] = {
190 +- { .compatible = "ti,omap-ehci", },
191 +- { .compatible = "ti,omap-ohci", },
192 ++ { .compatible = "ti,ehci-omap", },
193 ++ { .compatible = "ti,ohci-omap3", },
194 + { }
195 + };
196 +
197 +@@ -875,6 +875,7 @@ static struct platform_driver usbhs_omap_driver = {
198 + .pm = &usbhsomap_dev_pm_ops,
199 + .of_match_table = usbhs_omap_dt_ids,
200 + },
201 ++ .probe = usbhs_omap_probe,
202 + .remove = usbhs_omap_remove,
203 + };
204 +
205 +@@ -884,9 +885,9 @@ MODULE_ALIAS("platform:" USBHS_DRIVER_NAME);
206 + MODULE_LICENSE("GPL v2");
207 + MODULE_DESCRIPTION("usb host common core driver for omap EHCI and OHCI");
208 +
209 +-static int __init omap_usbhs_drvinit(void)
210 ++static int omap_usbhs_drvinit(void)
211 + {
212 +- return platform_driver_probe(&usbhs_omap_driver, usbhs_omap_probe);
213 ++ return platform_driver_register(&usbhs_omap_driver);
214 + }
215 +
216 + /*
217 +@@ -898,7 +899,7 @@ static int __init omap_usbhs_drvinit(void)
218 + */
219 + fs_initcall_sync(omap_usbhs_drvinit);
220 +
221 +-static void __exit omap_usbhs_drvexit(void)
222 ++static void omap_usbhs_drvexit(void)
223 + {
224 + platform_driver_unregister(&usbhs_omap_driver);
225 + }
226 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
227 +index 8a5e0ae4e4c0..b1ea29d8ad1a 100644
228 +--- a/drivers/net/bonding/bond_main.c
229 ++++ b/drivers/net/bonding/bond_main.c
230 +@@ -216,6 +216,7 @@ static struct rtnl_link_stats64 *bond_get_stats(struct net_device *bond_dev,
231 + static void bond_slave_arr_handler(struct work_struct *work);
232 + static bool bond_time_in_interval(struct bonding *bond, unsigned long last_act,
233 + int mod);
234 ++static void bond_netdev_notify_work(struct work_struct *work);
235 +
236 + /*---------------------------- General routines -----------------------------*/
237 +
238 +@@ -1250,6 +1251,8 @@ static struct slave *bond_alloc_slave(struct bonding *bond)
239 + return NULL;
240 + }
241 + }
242 ++ INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
243 ++
244 + return slave;
245 + }
246 +
247 +@@ -1257,6 +1260,7 @@ static void bond_free_slave(struct slave *slave)
248 + {
249 + struct bonding *bond = bond_get_bond_by_slave(slave);
250 +
251 ++ cancel_delayed_work_sync(&slave->notify_work);
252 + if (BOND_MODE(bond) == BOND_MODE_8023AD)
253 + kfree(SLAVE_AD_INFO(slave));
254 +
255 +@@ -1278,39 +1282,26 @@ static void bond_fill_ifslave(struct slave *slave, struct ifslave *info)
256 + info->link_failure_count = slave->link_failure_count;
257 + }
258 +
259 +-static void bond_netdev_notify(struct net_device *dev,
260 +- struct netdev_bonding_info *info)
261 +-{
262 +- rtnl_lock();
263 +- netdev_bonding_info_change(dev, info);
264 +- rtnl_unlock();
265 +-}
266 +-
267 + static void bond_netdev_notify_work(struct work_struct *_work)
268 + {
269 +- struct netdev_notify_work *w =
270 +- container_of(_work, struct netdev_notify_work, work.work);
271 ++ struct slave *slave = container_of(_work, struct slave,
272 ++ notify_work.work);
273 ++
274 ++ if (rtnl_trylock()) {
275 ++ struct netdev_bonding_info binfo;
276 +
277 +- bond_netdev_notify(w->dev, &w->bonding_info);
278 +- dev_put(w->dev);
279 +- kfree(w);
280 ++ bond_fill_ifslave(slave, &binfo.slave);
281 ++ bond_fill_ifbond(slave->bond, &binfo.master);
282 ++ netdev_bonding_info_change(slave->dev, &binfo);
283 ++ rtnl_unlock();
284 ++ } else {
285 ++ queue_delayed_work(slave->bond->wq, &slave->notify_work, 1);
286 ++ }
287 + }
288 +
289 + void bond_queue_slave_event(struct slave *slave)
290 + {
291 +- struct bonding *bond = slave->bond;
292 +- struct netdev_notify_work *nnw = kzalloc(sizeof(*nnw), GFP_ATOMIC);
293 +-
294 +- if (!nnw)
295 +- return;
296 +-
297 +- dev_hold(slave->dev);
298 +- nnw->dev = slave->dev;
299 +- bond_fill_ifslave(slave, &nnw->bonding_info.slave);
300 +- bond_fill_ifbond(bond, &nnw->bonding_info.master);
301 +- INIT_DELAYED_WORK(&nnw->work, bond_netdev_notify_work);
302 +-
303 +- queue_delayed_work(slave->bond->wq, &nnw->work, 0);
304 ++ queue_delayed_work(slave->bond->wq, &slave->notify_work, 0);
305 + }
306 +
307 + void bond_lower_state_changed(struct slave *slave)
308 +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
309 +index 2ce7ae97ac91..c2cd540e9c9e 100644
310 +--- a/drivers/net/dsa/bcm_sf2.c
311 ++++ b/drivers/net/dsa/bcm_sf2.c
312 +@@ -744,7 +744,6 @@ static int bcm_sf2_sw_suspend(struct dsa_switch *ds)
313 + static int bcm_sf2_sw_resume(struct dsa_switch *ds)
314 + {
315 + struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds);
316 +- unsigned int port;
317 + int ret;
318 +
319 + ret = bcm_sf2_sw_rst(priv);
320 +@@ -756,12 +755,7 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
321 + if (priv->hw_params.num_gphy == 1)
322 + bcm_sf2_gphy_enable_set(ds, true);
323 +
324 +- for (port = 0; port < DSA_MAX_PORTS; port++) {
325 +- if ((1 << port) & ds->enabled_port_mask)
326 +- bcm_sf2_port_setup(ds, port, NULL);
327 +- else if (dsa_is_cpu_port(ds, port))
328 +- bcm_sf2_imp_setup(ds, port);
329 +- }
330 ++ ds->ops->setup(ds);
331 +
332 + return 0;
333 + }
334 +@@ -1135,10 +1129,10 @@ static int bcm_sf2_sw_remove(struct platform_device *pdev)
335 + {
336 + struct bcm_sf2_priv *priv = platform_get_drvdata(pdev);
337 +
338 +- /* Disable all ports and interrupts */
339 + priv->wol_ports_mask = 0;
340 +- bcm_sf2_sw_suspend(priv->dev->ds);
341 + dsa_unregister_switch(priv->dev->ds);
342 ++ /* Disable all ports and interrupts */
343 ++ bcm_sf2_sw_suspend(priv->dev->ds);
344 + bcm_sf2_mdio_unregister(priv);
345 +
346 + return 0;
347 +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
348 +index 91fbba58d033..16dc9ac7ecb6 100644
349 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c
350 ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
351 +@@ -828,14 +828,22 @@ static void bcm_sysport_resume_from_wol(struct bcm_sysport_priv *priv)
352 + {
353 + u32 reg;
354 +
355 +- /* Stop monitoring MPD interrupt */
356 +- intrl2_0_mask_set(priv, INTRL2_0_MPD);
357 +-
358 + /* Clear the MagicPacket detection logic */
359 + reg = umac_readl(priv, UMAC_MPD_CTRL);
360 + reg &= ~MPD_EN;
361 + umac_writel(priv, reg, UMAC_MPD_CTRL);
362 +
363 ++ reg = intrl2_0_readl(priv, INTRL2_CPU_STATUS);
364 ++ if (reg & INTRL2_0_MPD)
365 ++ netdev_info(priv->netdev, "Wake-on-LAN (MPD) interrupt!\n");
366 ++
367 ++ if (reg & INTRL2_0_BRCM_MATCH_TAG) {
368 ++ reg = rxchk_readl(priv, RXCHK_BRCM_TAG_MATCH_STATUS) &
369 ++ RXCHK_BRCM_TAG_MATCH_MASK;
370 ++ netdev_info(priv->netdev,
371 ++ "Wake-on-LAN (filters 0x%02x) interrupt!\n", reg);
372 ++ }
373 ++
374 + netif_dbg(priv, wol, priv->netdev, "resumed from WOL\n");
375 + }
376 +
377 +@@ -868,11 +876,6 @@ static irqreturn_t bcm_sysport_rx_isr(int irq, void *dev_id)
378 + if (priv->irq0_stat & INTRL2_0_TX_RING_FULL)
379 + bcm_sysport_tx_reclaim_all(priv);
380 +
381 +- if (priv->irq0_stat & INTRL2_0_MPD) {
382 +- netdev_info(priv->netdev, "Wake-on-LAN interrupt!\n");
383 +- bcm_sysport_resume_from_wol(priv);
384 +- }
385 +-
386 + return IRQ_HANDLED;
387 + }
388 +
389 +@@ -1901,9 +1904,6 @@ static int bcm_sysport_suspend_to_wol(struct bcm_sysport_priv *priv)
390 + /* UniMAC receive needs to be turned on */
391 + umac_enable_set(priv, CMD_RX_EN, 1);
392 +
393 +- /* Enable the interrupt wake-up source */
394 +- intrl2_0_mask_clear(priv, INTRL2_0_MPD);
395 +-
396 + netif_dbg(priv, wol, ndev, "entered WOL mode\n");
397 +
398 + return 0;
399 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
400 +index 72297b76944f..208e9dacfd34 100644
401 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
402 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
403 +@@ -1666,8 +1666,11 @@ static int bnxt_poll_work(struct bnxt *bp, struct bnxt_napi *bnapi, int budget)
404 + if (TX_CMP_TYPE(txcmp) == CMP_TYPE_TX_L2_CMP) {
405 + tx_pkts++;
406 + /* return full budget so NAPI will complete. */
407 +- if (unlikely(tx_pkts > bp->tx_wake_thresh))
408 ++ if (unlikely(tx_pkts > bp->tx_wake_thresh)) {
409 + rx_pkts = budget;
410 ++ raw_cons = NEXT_RAW_CMP(raw_cons);
411 ++ break;
412 ++ }
413 + } else if ((TX_CMP_TYPE(txcmp) & 0x30) == 0x10) {
414 + rc = bnxt_rx_pkt(bp, bnapi, &raw_cons, &agg_event);
415 + if (likely(rc >= 0))
416 +@@ -1685,7 +1688,7 @@ static int bnxt_poll_work(struct bnxt *bp, struct bnxt_napi *bnapi, int budget)
417 + }
418 + raw_cons = NEXT_RAW_CMP(raw_cons);
419 +
420 +- if (rx_pkts == budget)
421 ++ if (rx_pkts && rx_pkts == budget)
422 + break;
423 + }
424 +
425 +@@ -1797,8 +1800,12 @@ static int bnxt_poll(struct napi_struct *napi, int budget)
426 + while (1) {
427 + work_done += bnxt_poll_work(bp, bnapi, budget - work_done);
428 +
429 +- if (work_done >= budget)
430 ++ if (work_done >= budget) {
431 ++ if (!budget)
432 ++ BNXT_CP_DB_REARM(cpr->cp_doorbell,
433 ++ cpr->cp_raw_cons);
434 + break;
435 ++ }
436 +
437 + if (!bnxt_has_work(bp, cpr)) {
438 + napi_complete(napi);
439 +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c
440 +index 2e1585635083..8f55c23e9821 100644
441 +--- a/drivers/net/ethernet/cadence/macb.c
442 ++++ b/drivers/net/ethernet/cadence/macb.c
443 +@@ -2861,6 +2861,13 @@ static const struct macb_config at91sam9260_config = {
444 + .init = macb_init,
445 + };
446 +
447 ++static const struct macb_config sama5d3macb_config = {
448 ++ .caps = MACB_CAPS_SG_DISABLED
449 ++ | MACB_CAPS_USRIO_HAS_CLKEN | MACB_CAPS_USRIO_DEFAULT_IS_MII_GMII,
450 ++ .clk_init = macb_clk_init,
451 ++ .init = macb_init,
452 ++};
453 ++
454 + static const struct macb_config pc302gem_config = {
455 + .caps = MACB_CAPS_SG_DISABLED | MACB_CAPS_GIGABIT_MODE_AVAILABLE,
456 + .dma_burst_length = 16,
457 +@@ -2925,6 +2932,7 @@ static const struct of_device_id macb_dt_ids[] = {
458 + { .compatible = "cdns,gem", .data = &pc302gem_config },
459 + { .compatible = "atmel,sama5d2-gem", .data = &sama5d2_config },
460 + { .compatible = "atmel,sama5d3-gem", .data = &sama5d3_config },
461 ++ { .compatible = "atmel,sama5d3-macb", .data = &sama5d3macb_config },
462 + { .compatible = "atmel,sama5d4-gem", .data = &sama5d4_config },
463 + { .compatible = "cdns,at91rm9200-emac", .data = &emac_config },
464 + { .compatible = "cdns,emac", .data = &emac_config },
465 +diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c
466 +index b6ed818f78ff..06bc8638501e 100644
467 +--- a/drivers/net/ethernet/hisilicon/hns/hnae.c
468 ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c
469 +@@ -80,7 +80,7 @@ static void hnae_unmap_buffer(struct hnae_ring *ring, struct hnae_desc_cb *cb)
470 + if (cb->type == DESC_TYPE_SKB)
471 + dma_unmap_single(ring_to_dev(ring), cb->dma, cb->length,
472 + ring_to_dma_dir(ring));
473 +- else
474 ++ else if (cb->length)
475 + dma_unmap_page(ring_to_dev(ring), cb->dma, cb->length,
476 + ring_to_dma_dir(ring));
477 + }
478 +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
479 +index 8a2a07e21324..92ed6534ceae 100644
480 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
481 ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
482 +@@ -39,9 +39,9 @@
483 + #define SKB_TMP_LEN(SKB) \
484 + (((SKB)->transport_header - (SKB)->mac_header) + tcp_hdrlen(SKB))
485 +
486 +-static void fill_v2_desc(struct hnae_ring *ring, void *priv,
487 +- int size, dma_addr_t dma, int frag_end,
488 +- int buf_num, enum hns_desc_type type, int mtu)
489 ++static void fill_v2_desc_hw(struct hnae_ring *ring, void *priv, int size,
490 ++ int send_sz, dma_addr_t dma, int frag_end,
491 ++ int buf_num, enum hns_desc_type type, int mtu)
492 + {
493 + struct hnae_desc *desc = &ring->desc[ring->next_to_use];
494 + struct hnae_desc_cb *desc_cb = &ring->desc_cb[ring->next_to_use];
495 +@@ -63,7 +63,7 @@ static void fill_v2_desc(struct hnae_ring *ring, void *priv,
496 + desc_cb->type = type;
497 +
498 + desc->addr = cpu_to_le64(dma);
499 +- desc->tx.send_size = cpu_to_le16((u16)size);
500 ++ desc->tx.send_size = cpu_to_le16((u16)send_sz);
501 +
502 + /* config bd buffer end */
503 + hnae_set_bit(rrcfv, HNSV2_TXD_VLD_B, 1);
504 +@@ -132,6 +132,14 @@ static void fill_v2_desc(struct hnae_ring *ring, void *priv,
505 + ring_ptr_move_fw(ring, next_to_use);
506 + }
507 +
508 ++static void fill_v2_desc(struct hnae_ring *ring, void *priv,
509 ++ int size, dma_addr_t dma, int frag_end,
510 ++ int buf_num, enum hns_desc_type type, int mtu)
511 ++{
512 ++ fill_v2_desc_hw(ring, priv, size, size, dma, frag_end,
513 ++ buf_num, type, mtu);
514 ++}
515 ++
516 + static const struct acpi_device_id hns_enet_acpi_match[] = {
517 + { "HISI00C1", 0 },
518 + { "HISI00C2", 0 },
519 +@@ -288,15 +296,15 @@ static void fill_tso_desc(struct hnae_ring *ring, void *priv,
520 +
521 + /* when the frag size is bigger than hardware, split this frag */
522 + for (k = 0; k < frag_buf_num; k++)
523 +- fill_v2_desc(ring, priv,
524 +- (k == frag_buf_num - 1) ?
525 ++ fill_v2_desc_hw(ring, priv, k == 0 ? size : 0,
526 ++ (k == frag_buf_num - 1) ?
527 + sizeoflast : BD_MAX_SEND_SIZE,
528 +- dma + BD_MAX_SEND_SIZE * k,
529 +- frag_end && (k == frag_buf_num - 1) ? 1 : 0,
530 +- buf_num,
531 +- (type == DESC_TYPE_SKB && !k) ?
532 ++ dma + BD_MAX_SEND_SIZE * k,
533 ++ frag_end && (k == frag_buf_num - 1) ? 1 : 0,
534 ++ buf_num,
535 ++ (type == DESC_TYPE_SKB && !k) ?
536 + DESC_TYPE_SKB : DESC_TYPE_PAGE,
537 +- mtu);
538 ++ mtu);
539 + }
540 +
541 + netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev,
542 +diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
543 +index 7e2ebfc565ee..ff62dc7485d5 100644
544 +--- a/drivers/net/ethernet/marvell/mvpp2.c
545 ++++ b/drivers/net/ethernet/marvell/mvpp2.c
546 +@@ -29,6 +29,7 @@
547 + #include <linux/clk.h>
548 + #include <linux/hrtimer.h>
549 + #include <linux/ktime.h>
550 ++#include <linux/if_vlan.h>
551 + #include <uapi/linux/ppp_defs.h>
552 + #include <net/ip.h>
553 + #include <net/ipv6.h>
554 +@@ -4266,7 +4267,7 @@ static void mvpp2_txq_desc_put(struct mvpp2_tx_queue *txq)
555 + }
556 +
557 + /* Set Tx descriptors fields relevant for CSUM calculation */
558 +-static u32 mvpp2_txq_desc_csum(int l3_offs, int l3_proto,
559 ++static u32 mvpp2_txq_desc_csum(int l3_offs, __be16 l3_proto,
560 + int ip_hdr_len, int l4_proto)
561 + {
562 + u32 command;
563 +@@ -5019,14 +5020,15 @@ static u32 mvpp2_skb_tx_csum(struct mvpp2_port *port, struct sk_buff *skb)
564 + if (skb->ip_summed == CHECKSUM_PARTIAL) {
565 + int ip_hdr_len = 0;
566 + u8 l4_proto;
567 ++ __be16 l3_proto = vlan_get_protocol(skb);
568 +
569 +- if (skb->protocol == htons(ETH_P_IP)) {
570 ++ if (l3_proto == htons(ETH_P_IP)) {
571 + struct iphdr *ip4h = ip_hdr(skb);
572 +
573 + /* Calculate IPv4 checksum and L4 checksum */
574 + ip_hdr_len = ip4h->ihl;
575 + l4_proto = ip4h->protocol;
576 +- } else if (skb->protocol == htons(ETH_P_IPV6)) {
577 ++ } else if (l3_proto == htons(ETH_P_IPV6)) {
578 + struct ipv6hdr *ip6h = ipv6_hdr(skb);
579 +
580 + /* Read l4_protocol from one of IPv6 extra headers */
581 +@@ -5038,7 +5040,7 @@ static u32 mvpp2_skb_tx_csum(struct mvpp2_port *port, struct sk_buff *skb)
582 + }
583 +
584 + return mvpp2_txq_desc_csum(skb_network_offset(skb),
585 +- skb->protocol, ip_hdr_len, l4_proto);
586 ++ l3_proto, ip_hdr_len, l4_proto);
587 + }
588 +
589 + return MVPP2_TXD_L4_CSUM_NOT | MVPP2_TXD_IP_CSUM_DISABLE;
590 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
591 +index 49bad00a0f8f..5ddadcd0c8db 100644
592 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
593 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
594 +@@ -1800,7 +1800,8 @@ struct qlcnic_hardware_ops {
595 + int (*config_loopback) (struct qlcnic_adapter *, u8);
596 + int (*clear_loopback) (struct qlcnic_adapter *, u8);
597 + int (*config_promisc_mode) (struct qlcnic_adapter *, u32);
598 +- void (*change_l2_filter) (struct qlcnic_adapter *, u64 *, u16);
599 ++ void (*change_l2_filter)(struct qlcnic_adapter *adapter, u64 *addr,
600 ++ u16 vlan, struct qlcnic_host_tx_ring *tx_ring);
601 + int (*get_board_info) (struct qlcnic_adapter *);
602 + void (*set_mac_filter_count) (struct qlcnic_adapter *);
603 + void (*free_mac_list) (struct qlcnic_adapter *);
604 +@@ -2042,9 +2043,10 @@ static inline int qlcnic_nic_set_promisc(struct qlcnic_adapter *adapter,
605 + }
606 +
607 + static inline void qlcnic_change_filter(struct qlcnic_adapter *adapter,
608 +- u64 *addr, u16 id)
609 ++ u64 *addr, u16 vlan,
610 ++ struct qlcnic_host_tx_ring *tx_ring)
611 + {
612 +- adapter->ahw->hw_ops->change_l2_filter(adapter, addr, id);
613 ++ adapter->ahw->hw_ops->change_l2_filter(adapter, addr, vlan, tx_ring);
614 + }
615 +
616 + static inline int qlcnic_get_board_info(struct qlcnic_adapter *adapter)
617 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
618 +index c3c28f0960e5..05d32e86bcf7 100644
619 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
620 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
621 +@@ -2132,7 +2132,8 @@ out:
622 + }
623 +
624 + void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *adapter, u64 *addr,
625 +- u16 vlan_id)
626 ++ u16 vlan_id,
627 ++ struct qlcnic_host_tx_ring *tx_ring)
628 + {
629 + u8 mac[ETH_ALEN];
630 + memcpy(&mac, addr, ETH_ALEN);
631 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
632 +index 331ae2c20f40..c8e012b3f7e7 100644
633 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
634 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
635 +@@ -550,7 +550,8 @@ int qlcnic_83xx_wrt_reg_indirect(struct qlcnic_adapter *, ulong, u32);
636 + int qlcnic_83xx_nic_set_promisc(struct qlcnic_adapter *, u32);
637 + int qlcnic_83xx_config_hw_lro(struct qlcnic_adapter *, int);
638 + int qlcnic_83xx_config_rss(struct qlcnic_adapter *, int);
639 +-void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *, u64 *, u16);
640 ++void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *adapter, u64 *addr,
641 ++ u16 vlan, struct qlcnic_host_tx_ring *ring);
642 + int qlcnic_83xx_get_pci_info(struct qlcnic_adapter *, struct qlcnic_pci_info *);
643 + int qlcnic_83xx_set_nic_info(struct qlcnic_adapter *, struct qlcnic_info *);
644 + void qlcnic_83xx_initialize_nic(struct qlcnic_adapter *, int);
645 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h
646 +index 4bb33af8e2b3..56a3bd9e37dc 100644
647 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h
648 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h
649 +@@ -173,7 +173,8 @@ int qlcnic_82xx_napi_add(struct qlcnic_adapter *adapter,
650 + struct net_device *netdev);
651 + void qlcnic_82xx_get_beacon_state(struct qlcnic_adapter *);
652 + void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter,
653 +- u64 *uaddr, u16 vlan_id);
654 ++ u64 *uaddr, u16 vlan_id,
655 ++ struct qlcnic_host_tx_ring *tx_ring);
656 + int qlcnic_82xx_config_intr_coalesce(struct qlcnic_adapter *,
657 + struct ethtool_coalesce *);
658 + int qlcnic_82xx_set_rx_coalesce(struct qlcnic_adapter *);
659 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
660 +index fedd7366713c..e36129401b71 100644
661 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
662 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
663 +@@ -268,13 +268,12 @@ static void qlcnic_add_lb_filter(struct qlcnic_adapter *adapter,
664 + }
665 +
666 + void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter, u64 *uaddr,
667 +- u16 vlan_id)
668 ++ u16 vlan_id, struct qlcnic_host_tx_ring *tx_ring)
669 + {
670 + struct cmd_desc_type0 *hwdesc;
671 + struct qlcnic_nic_req *req;
672 + struct qlcnic_mac_req *mac_req;
673 + struct qlcnic_vlan_req *vlan_req;
674 +- struct qlcnic_host_tx_ring *tx_ring = adapter->tx_ring;
675 + u32 producer;
676 + u64 word;
677 +
678 +@@ -301,7 +300,8 @@ void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter, u64 *uaddr,
679 +
680 + static void qlcnic_send_filter(struct qlcnic_adapter *adapter,
681 + struct cmd_desc_type0 *first_desc,
682 +- struct sk_buff *skb)
683 ++ struct sk_buff *skb,
684 ++ struct qlcnic_host_tx_ring *tx_ring)
685 + {
686 + struct vlan_ethhdr *vh = (struct vlan_ethhdr *)(skb->data);
687 + struct ethhdr *phdr = (struct ethhdr *)(skb->data);
688 +@@ -335,7 +335,7 @@ static void qlcnic_send_filter(struct qlcnic_adapter *adapter,
689 + tmp_fil->vlan_id == vlan_id) {
690 + if (jiffies > (QLCNIC_READD_AGE * HZ + tmp_fil->ftime))
691 + qlcnic_change_filter(adapter, &src_addr,
692 +- vlan_id);
693 ++ vlan_id, tx_ring);
694 + tmp_fil->ftime = jiffies;
695 + return;
696 + }
697 +@@ -350,7 +350,7 @@ static void qlcnic_send_filter(struct qlcnic_adapter *adapter,
698 + if (!fil)
699 + return;
700 +
701 +- qlcnic_change_filter(adapter, &src_addr, vlan_id);
702 ++ qlcnic_change_filter(adapter, &src_addr, vlan_id, tx_ring);
703 + fil->ftime = jiffies;
704 + fil->vlan_id = vlan_id;
705 + memcpy(fil->faddr, &src_addr, ETH_ALEN);
706 +@@ -766,7 +766,7 @@ netdev_tx_t qlcnic_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
707 + }
708 +
709 + if (adapter->drv_mac_learn)
710 +- qlcnic_send_filter(adapter, first_desc, skb);
711 ++ qlcnic_send_filter(adapter, first_desc, skb, tx_ring);
712 +
713 + tx_ring->tx_stats.tx_bytes += skb->len;
714 + tx_ring->tx_stats.xmit_called++;
715 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
716 +index 890e4b083f4f..2019e163e0e9 100644
717 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
718 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
719 +@@ -71,7 +71,7 @@ static int dwmac1000_validate_mcast_bins(int mcast_bins)
720 + * Description:
721 + * This function validates the number of Unicast address entries supported
722 + * by a particular Synopsys 10/100/1000 controller. The Synopsys controller
723 +- * supports 1, 32, 64, or 128 Unicast filter entries for it's Unicast filter
724 ++ * supports 1..32, 64, or 128 Unicast filter entries for it's Unicast filter
725 + * logic. This function validates a valid, supported configuration is
726 + * selected, and defaults to 1 Unicast address if an unsupported
727 + * configuration is selected.
728 +@@ -81,8 +81,7 @@ static int dwmac1000_validate_ucast_entries(int ucast_entries)
729 + int x = ucast_entries;
730 +
731 + switch (x) {
732 +- case 1:
733 +- case 32:
734 ++ case 1 ... 32:
735 + case 64:
736 + case 128:
737 + break;
738 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
739 +index f9ec00981b1e..9670aa23ffb9 100644
740 +--- a/drivers/net/team/team.c
741 ++++ b/drivers/net/team/team.c
742 +@@ -1171,6 +1171,11 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
743 + return -EBUSY;
744 + }
745 +
746 ++ if (dev == port_dev) {
747 ++ netdev_err(dev, "Cannot enslave team device to itself\n");
748 ++ return -EINVAL;
749 ++ }
750 ++
751 + if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
752 + vlan_uses_dev(dev)) {
753 + netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
754 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
755 +index 0d4440f28f6b..2b728cc52e3a 100644
756 +--- a/drivers/net/usb/qmi_wwan.c
757 ++++ b/drivers/net/usb/qmi_wwan.c
758 +@@ -934,6 +934,7 @@ static const struct usb_device_id products[] = {
759 + {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
760 + {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
761 + {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
762 ++ {QMI_FIXED_INTF(0x1e2d, 0x0063, 10)}, /* Cinterion ALASxx (1 RmNet) */
763 + {QMI_FIXED_INTF(0x1e2d, 0x0082, 4)}, /* Cinterion PHxx,PXxx (2 RmNet) */
764 + {QMI_FIXED_INTF(0x1e2d, 0x0082, 5)}, /* Cinterion PHxx,PXxx (2 RmNet) */
765 + {QMI_FIXED_INTF(0x1e2d, 0x0083, 4)}, /* Cinterion PHxx,PXxx (1 RmNet + USB Audio)*/
766 +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
767 +index 03d04011d653..8d3f938c6a51 100644
768 +--- a/drivers/net/usb/smsc75xx.c
769 ++++ b/drivers/net/usb/smsc75xx.c
770 +@@ -1518,6 +1518,7 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
771 + {
772 + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
773 + if (pdata) {
774 ++ cancel_work_sync(&pdata->set_multicast);
775 + netif_dbg(dev, ifdown, dev->net, "free pdata\n");
776 + kfree(pdata);
777 + pdata = NULL;
778 +diff --git a/drivers/scsi/qla2xxx/qla_target.h b/drivers/scsi/qla2xxx/qla_target.h
779 +index 0824a8164a24..07ea4fcf4f88 100644
780 +--- a/drivers/scsi/qla2xxx/qla_target.h
781 ++++ b/drivers/scsi/qla2xxx/qla_target.h
782 +@@ -440,8 +440,8 @@ struct atio_from_isp {
783 + static inline int fcpcmd_is_corrupted(struct atio *atio)
784 + {
785 + if (atio->entry_type == ATIO_TYPE7 &&
786 +- (le16_to_cpu(atio->attr_n_length & FCP_CMD_LENGTH_MASK) <
787 +- FCP_CMD_LENGTH_MIN))
788 ++ ((le16_to_cpu(atio->attr_n_length) & FCP_CMD_LENGTH_MASK) <
789 ++ FCP_CMD_LENGTH_MIN))
790 + return 1;
791 + else
792 + return 0;
793 +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
794 +index 04d2b6e25503..80205f3362d4 100644
795 +--- a/drivers/target/iscsi/iscsi_target.c
796 ++++ b/drivers/target/iscsi/iscsi_target.c
797 +@@ -1435,7 +1435,8 @@ static void iscsit_do_crypto_hash_buf(
798 +
799 + sg_init_table(sg, ARRAY_SIZE(sg));
800 + sg_set_buf(sg, buf, payload_length);
801 +- sg_set_buf(sg + 1, pad_bytes, padding);
802 ++ if (padding)
803 ++ sg_set_buf(sg + 1, pad_bytes, padding);
804 +
805 + ahash_request_set_crypt(hash, sg, data_crc, payload_length + padding);
806 +
807 +@@ -3949,10 +3950,14 @@ static bool iscsi_target_check_conn_state(struct iscsi_conn *conn)
808 + static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
809 + {
810 + int ret;
811 +- u8 buffer[ISCSI_HDR_LEN], opcode;
812 ++ u8 *buffer, opcode;
813 + u32 checksum = 0, digest = 0;
814 + struct kvec iov;
815 +
816 ++ buffer = kcalloc(ISCSI_HDR_LEN, sizeof(*buffer), GFP_KERNEL);
817 ++ if (!buffer)
818 ++ return;
819 ++
820 + while (!kthread_should_stop()) {
821 + /*
822 + * Ensure that both TX and RX per connection kthreads
823 +@@ -3960,7 +3965,6 @@ static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
824 + */
825 + iscsit_thread_check_cpumask(conn, current, 0);
826 +
827 +- memset(buffer, 0, ISCSI_HDR_LEN);
828 + memset(&iov, 0, sizeof(struct kvec));
829 +
830 + iov.iov_base = buffer;
831 +@@ -3969,7 +3973,7 @@ static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
832 + ret = rx_data(conn, &iov, 1, ISCSI_HDR_LEN);
833 + if (ret != ISCSI_HDR_LEN) {
834 + iscsit_rx_thread_wait_for_tcp(conn);
835 +- return;
836 ++ break;
837 + }
838 +
839 + if (conn->conn_ops->HeaderDigest) {
840 +@@ -3979,7 +3983,7 @@ static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
841 + ret = rx_data(conn, &iov, 1, ISCSI_CRC_LEN);
842 + if (ret != ISCSI_CRC_LEN) {
843 + iscsit_rx_thread_wait_for_tcp(conn);
844 +- return;
845 ++ break;
846 + }
847 +
848 + iscsit_do_crypto_hash_buf(conn->conn_rx_hash,
849 +@@ -4003,7 +4007,7 @@ static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
850 + }
851 +
852 + if (conn->conn_state == TARG_CONN_STATE_IN_LOGOUT)
853 +- return;
854 ++ break;
855 +
856 + opcode = buffer[0] & ISCSI_OPCODE_MASK;
857 +
858 +@@ -4014,13 +4018,15 @@ static void iscsit_get_rx_pdu(struct iscsi_conn *conn)
859 + " while in Discovery Session, rejecting.\n", opcode);
860 + iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
861 + buffer);
862 +- return;
863 ++ break;
864 + }
865 +
866 + ret = iscsi_target_rx_opcode(conn, buffer);
867 + if (ret < 0)
868 +- return;
869 ++ break;
870 + }
871 ++
872 ++ kfree(buffer);
873 + }
874 +
875 + int iscsi_target_rx_thread(void *arg)
876 +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
877 +index 0722f75f1d6a..45a03eff4db1 100644
878 +--- a/drivers/usb/host/xhci-hub.c
879 ++++ b/drivers/usb/host/xhci-hub.c
880 +@@ -1072,17 +1072,17 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
881 + temp = readl(port_array[wIndex]);
882 + break;
883 + }
884 +-
885 +- /* Software should not attempt to set
886 +- * port link state above '3' (U3) and the port
887 +- * must be enabled.
888 +- */
889 +- if ((temp & PORT_PE) == 0 ||
890 +- (link_state > USB_SS_PORT_LS_U3)) {
891 +- xhci_warn(xhci, "Cannot set link state.\n");
892 ++ /* Port must be enabled */
893 ++ if (!(temp & PORT_PE)) {
894 ++ retval = -ENODEV;
895 ++ break;
896 ++ }
897 ++ /* Can't set port link state above '3' (U3) */
898 ++ if (link_state > USB_SS_PORT_LS_U3) {
899 ++ xhci_warn(xhci, "Cannot set port %d link state %d\n",
900 ++ wIndex, link_state);
901 + goto error;
902 + }
903 +-
904 + if (link_state == USB_SS_PORT_LS_U3) {
905 + slot_id = xhci_find_slot_id_by_port(hcd, xhci,
906 + wIndex + 1);
907 +diff --git a/drivers/video/fbdev/aty/atyfb.h b/drivers/video/fbdev/aty/atyfb.h
908 +index 63c4842eb224..46e0e8b39b76 100644
909 +--- a/drivers/video/fbdev/aty/atyfb.h
910 ++++ b/drivers/video/fbdev/aty/atyfb.h
911 +@@ -332,6 +332,8 @@ extern const struct aty_pll_ops aty_pll_ct; /* Integrated */
912 + extern void aty_set_pll_ct(const struct fb_info *info, const union aty_pll *pll);
913 + extern u8 aty_ld_pll_ct(int offset, const struct atyfb_par *par);
914 +
915 ++extern const u8 aty_postdividers[8];
916 ++
917 +
918 + /*
919 + * Hardware cursor support
920 +@@ -358,7 +360,6 @@ static inline void wait_for_idle(struct atyfb_par *par)
921 +
922 + extern void aty_reset_engine(const struct atyfb_par *par);
923 + extern void aty_init_engine(struct atyfb_par *par, struct fb_info *info);
924 +-extern u8 aty_ld_pll_ct(int offset, const struct atyfb_par *par);
925 +
926 + void atyfb_copyarea(struct fb_info *info, const struct fb_copyarea *area);
927 + void atyfb_fillrect(struct fb_info *info, const struct fb_fillrect *rect);
928 +diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
929 +index 81367cf0af77..da748c39196c 100644
930 +--- a/drivers/video/fbdev/aty/atyfb_base.c
931 ++++ b/drivers/video/fbdev/aty/atyfb_base.c
932 +@@ -3093,17 +3093,18 @@ static int atyfb_setup_sparc(struct pci_dev *pdev, struct fb_info *info,
933 + /*
934 + * PLL Reference Divider M:
935 + */
936 +- M = pll_regs[2];
937 ++ M = pll_regs[PLL_REF_DIV];
938 +
939 + /*
940 + * PLL Feedback Divider N (Dependent on CLOCK_CNTL):
941 + */
942 +- N = pll_regs[7 + (clock_cntl & 3)];
943 ++ N = pll_regs[VCLK0_FB_DIV + (clock_cntl & 3)];
944 +
945 + /*
946 + * PLL Post Divider P (Dependent on CLOCK_CNTL):
947 + */
948 +- P = 1 << (pll_regs[6] >> ((clock_cntl & 3) << 1));
949 ++ P = aty_postdividers[((pll_regs[VCLK_POST_DIV] >> ((clock_cntl & 3) << 1)) & 3) |
950 ++ ((pll_regs[PLL_EXT_CNTL] >> (2 + (clock_cntl & 3))) & 4)];
951 +
952 + /*
953 + * PLL Divider Q:
954 +diff --git a/drivers/video/fbdev/aty/mach64_ct.c b/drivers/video/fbdev/aty/mach64_ct.c
955 +index 51f29d627ceb..af54256a20a1 100644
956 +--- a/drivers/video/fbdev/aty/mach64_ct.c
957 ++++ b/drivers/video/fbdev/aty/mach64_ct.c
958 +@@ -114,7 +114,7 @@ static void aty_st_pll_ct(int offset, u8 val, const struct atyfb_par *par)
959 + */
960 +
961 + #define Maximum_DSP_PRECISION 7
962 +-static u8 postdividers[] = {1,2,4,8,3};
963 ++const u8 aty_postdividers[8] = {1,2,4,8,3,5,6,12};
964 +
965 + static int aty_dsp_gt(const struct fb_info *info, u32 bpp, struct pll_ct *pll)
966 + {
967 +@@ -221,7 +221,7 @@ static int aty_valid_pll_ct(const struct fb_info *info, u32 vclk_per, struct pll
968 + pll->vclk_post_div += (q < 64*8);
969 + pll->vclk_post_div += (q < 32*8);
970 + }
971 +- pll->vclk_post_div_real = postdividers[pll->vclk_post_div];
972 ++ pll->vclk_post_div_real = aty_postdividers[pll->vclk_post_div];
973 + // pll->vclk_post_div <<= 6;
974 + pll->vclk_fb_div = q * pll->vclk_post_div_real / 8;
975 + pllvclk = (1000000 * 2 * pll->vclk_fb_div) /
976 +@@ -512,7 +512,7 @@ static int aty_init_pll_ct(const struct fb_info *info, union aty_pll *pll)
977 + u8 mclk_fb_div, pll_ext_cntl;
978 + pll->ct.pll_ref_div = aty_ld_pll_ct(PLL_REF_DIV, par);
979 + pll_ext_cntl = aty_ld_pll_ct(PLL_EXT_CNTL, par);
980 +- pll->ct.xclk_post_div_real = postdividers[pll_ext_cntl & 0x07];
981 ++ pll->ct.xclk_post_div_real = aty_postdividers[pll_ext_cntl & 0x07];
982 + mclk_fb_div = aty_ld_pll_ct(MCLK_FB_DIV, par);
983 + if (pll_ext_cntl & PLL_MFB_TIMES_4_2B)
984 + mclk_fb_div <<= 1;
985 +@@ -534,7 +534,7 @@ static int aty_init_pll_ct(const struct fb_info *info, union aty_pll *pll)
986 + xpost_div += (q < 64*8);
987 + xpost_div += (q < 32*8);
988 + }
989 +- pll->ct.xclk_post_div_real = postdividers[xpost_div];
990 ++ pll->ct.xclk_post_div_real = aty_postdividers[xpost_div];
991 + pll->ct.mclk_fb_div = q * pll->ct.xclk_post_div_real / 8;
992 +
993 + #ifdef CONFIG_PPC
994 +@@ -583,7 +583,7 @@ static int aty_init_pll_ct(const struct fb_info *info, union aty_pll *pll)
995 + mpost_div += (q < 64*8);
996 + mpost_div += (q < 32*8);
997 + }
998 +- sclk_post_div_real = postdividers[mpost_div];
999 ++ sclk_post_div_real = aty_postdividers[mpost_div];
1000 + pll->ct.sclk_fb_div = q * sclk_post_div_real / 8;
1001 + pll->ct.spll_cntl2 = mpost_div << 4;
1002 + #ifdef DEBUG
1003 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
1004 +index c10180d0b018..7d6da09e637b 100644
1005 +--- a/fs/ext4/xattr.c
1006 ++++ b/fs/ext4/xattr.c
1007 +@@ -657,7 +657,7 @@ ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s,
1008 + next = EXT4_XATTR_NEXT(last);
1009 + if ((void *)next >= s->end) {
1010 + EXT4_ERROR_INODE(inode, "corrupted xattr entries");
1011 +- return -EIO;
1012 ++ return -EFSCORRUPTED;
1013 + }
1014 + if (last->e_value_size) {
1015 + size_t offs = le16_to_cpu(last->e_value_offs);
1016 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
1017 +index 47c7f5b8f675..f254982e1a8f 100644
1018 +--- a/include/linux/netdevice.h
1019 ++++ b/include/linux/netdevice.h
1020 +@@ -2338,6 +2338,13 @@ struct netdev_notifier_info {
1021 + struct net_device *dev;
1022 + };
1023 +
1024 ++struct netdev_notifier_info_ext {
1025 ++ struct netdev_notifier_info info; /* must be first */
1026 ++ union {
1027 ++ u32 mtu;
1028 ++ } ext;
1029 ++};
1030 ++
1031 + struct netdev_notifier_change_info {
1032 + struct netdev_notifier_info info; /* must be first */
1033 + unsigned int flags_changed;
1034 +diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h
1035 +index 85d1ffc90285..4421e5ccb092 100644
1036 +--- a/include/linux/rhashtable.h
1037 ++++ b/include/linux/rhashtable.h
1038 +@@ -138,7 +138,6 @@ struct rhashtable_params {
1039 + /**
1040 + * struct rhashtable - Hash table handle
1041 + * @tbl: Bucket table
1042 +- * @nelems: Number of elements in table
1043 + * @key_len: Key length for hashfn
1044 + * @elasticity: Maximum chain length before rehash
1045 + * @p: Configuration parameters
1046 +@@ -146,10 +145,10 @@ struct rhashtable_params {
1047 + * @run_work: Deferred worker to expand/shrink asynchronously
1048 + * @mutex: Mutex to protect current/future table swapping
1049 + * @lock: Spin lock to protect walker list
1050 ++ * @nelems: Number of elements in table
1051 + */
1052 + struct rhashtable {
1053 + struct bucket_table __rcu *tbl;
1054 +- atomic_t nelems;
1055 + unsigned int key_len;
1056 + unsigned int elasticity;
1057 + struct rhashtable_params p;
1058 +@@ -157,6 +156,7 @@ struct rhashtable {
1059 + struct work_struct run_work;
1060 + struct mutex mutex;
1061 + spinlock_t lock;
1062 ++ atomic_t nelems;
1063 + };
1064 +
1065 + /**
1066 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
1067 +index 1f207dd22757..e90fe6b83e00 100644
1068 +--- a/include/linux/skbuff.h
1069 ++++ b/include/linux/skbuff.h
1070 +@@ -643,9 +643,14 @@ struct sk_buff {
1071 + struct skb_mstamp skb_mstamp;
1072 + };
1073 + };
1074 +- struct rb_node rbnode; /* used in netem & tcp stack */
1075 ++ struct rb_node rbnode; /* used in netem, ip4 defrag, and tcp stack */
1076 + };
1077 +- struct sock *sk;
1078 ++
1079 ++ union {
1080 ++ struct sock *sk;
1081 ++ int ip_defrag_offset;
1082 ++ };
1083 ++
1084 + struct net_device *dev;
1085 +
1086 + /*
1087 +@@ -2413,7 +2418,7 @@ static inline void __skb_queue_purge(struct sk_buff_head *list)
1088 + kfree_skb(skb);
1089 + }
1090 +
1091 +-void skb_rbtree_purge(struct rb_root *root);
1092 ++unsigned int skb_rbtree_purge(struct rb_root *root);
1093 +
1094 + void *netdev_alloc_frag(unsigned int fragsz);
1095 +
1096 +@@ -2949,6 +2954,7 @@ static inline unsigned char *skb_push_rcsum(struct sk_buff *skb,
1097 + return skb->data;
1098 + }
1099 +
1100 ++int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len);
1101 + /**
1102 + * pskb_trim_rcsum - trim received skb and update checksum
1103 + * @skb: buffer to trim
1104 +@@ -2962,9 +2968,7 @@ static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len)
1105 + {
1106 + if (likely(len >= skb->len))
1107 + return 0;
1108 +- if (skb->ip_summed == CHECKSUM_COMPLETE)
1109 +- skb->ip_summed = CHECKSUM_NONE;
1110 +- return __pskb_trim(skb, len);
1111 ++ return pskb_trim_rcsum_slow(skb, len);
1112 + }
1113 +
1114 + static inline int __skb_trim_rcsum(struct sk_buff *skb, unsigned int len)
1115 +@@ -2984,6 +2988,12 @@ static inline int __skb_grow_rcsum(struct sk_buff *skb, unsigned int len)
1116 +
1117 + #define rb_to_skb(rb) rb_entry_safe(rb, struct sk_buff, rbnode)
1118 +
1119 ++#define rb_to_skb(rb) rb_entry_safe(rb, struct sk_buff, rbnode)
1120 ++#define skb_rb_first(root) rb_to_skb(rb_first(root))
1121 ++#define skb_rb_last(root) rb_to_skb(rb_last(root))
1122 ++#define skb_rb_next(skb) rb_to_skb(rb_next(&(skb)->rbnode))
1123 ++#define skb_rb_prev(skb) rb_to_skb(rb_prev(&(skb)->rbnode))
1124 ++
1125 + #define skb_queue_walk(queue, skb) \
1126 + for (skb = (queue)->next; \
1127 + skb != (struct sk_buff *)(queue); \
1128 +@@ -2998,6 +3008,18 @@ static inline int __skb_grow_rcsum(struct sk_buff *skb, unsigned int len)
1129 + for (; skb != (struct sk_buff *)(queue); \
1130 + skb = skb->next)
1131 +
1132 ++#define skb_rbtree_walk(skb, root) \
1133 ++ for (skb = skb_rb_first(root); skb != NULL; \
1134 ++ skb = skb_rb_next(skb))
1135 ++
1136 ++#define skb_rbtree_walk_from(skb) \
1137 ++ for (; skb != NULL; \
1138 ++ skb = skb_rb_next(skb))
1139 ++
1140 ++#define skb_rbtree_walk_from_safe(skb, tmp) \
1141 ++ for (; tmp = skb ? skb_rb_next(skb) : NULL, (skb != NULL); \
1142 ++ skb = tmp)
1143 ++
1144 + #define skb_queue_walk_from_safe(queue, skb, tmp) \
1145 + for (tmp = skb->next; \
1146 + skb != (struct sk_buff *)(queue); \
1147 +diff --git a/include/net/bonding.h b/include/net/bonding.h
1148 +index 714428c54c68..8750c2c4871a 100644
1149 +--- a/include/net/bonding.h
1150 ++++ b/include/net/bonding.h
1151 +@@ -139,12 +139,6 @@ struct bond_parm_tbl {
1152 + int mode;
1153 + };
1154 +
1155 +-struct netdev_notify_work {
1156 +- struct delayed_work work;
1157 +- struct net_device *dev;
1158 +- struct netdev_bonding_info bonding_info;
1159 +-};
1160 +-
1161 + struct slave {
1162 + struct net_device *dev; /* first - useful for panic debug */
1163 + struct bonding *bond; /* our master */
1164 +@@ -171,6 +165,7 @@ struct slave {
1165 + #ifdef CONFIG_NET_POLL_CONTROLLER
1166 + struct netpoll *np;
1167 + #endif
1168 ++ struct delayed_work notify_work;
1169 + struct kobject kobj;
1170 + struct rtnl_link_stats64 slave_stats;
1171 + };
1172 +diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
1173 +index 634d19203e7d..a3812e9c8fee 100644
1174 +--- a/include/net/inet_frag.h
1175 ++++ b/include/net/inet_frag.h
1176 +@@ -1,14 +1,20 @@
1177 + #ifndef __NET_FRAG_H__
1178 + #define __NET_FRAG_H__
1179 +
1180 ++#include <linux/rhashtable.h>
1181 ++
1182 + struct netns_frags {
1183 +- /* Keep atomic mem on separate cachelines in structs that include it */
1184 +- atomic_t mem ____cacheline_aligned_in_smp;
1185 + /* sysctls */
1186 ++ long high_thresh;
1187 ++ long low_thresh;
1188 + int timeout;
1189 +- int high_thresh;
1190 +- int low_thresh;
1191 + int max_dist;
1192 ++ struct inet_frags *f;
1193 ++
1194 ++ struct rhashtable rhashtable ____cacheline_aligned_in_smp;
1195 ++
1196 ++ /* Keep atomic mem on separate cachelines in structs that include it */
1197 ++ atomic_long_t mem ____cacheline_aligned_in_smp;
1198 + };
1199 +
1200 + /**
1201 +@@ -24,130 +30,115 @@ enum {
1202 + INET_FRAG_COMPLETE = BIT(2),
1203 + };
1204 +
1205 ++struct frag_v4_compare_key {
1206 ++ __be32 saddr;
1207 ++ __be32 daddr;
1208 ++ u32 user;
1209 ++ u32 vif;
1210 ++ __be16 id;
1211 ++ u16 protocol;
1212 ++};
1213 ++
1214 ++struct frag_v6_compare_key {
1215 ++ struct in6_addr saddr;
1216 ++ struct in6_addr daddr;
1217 ++ u32 user;
1218 ++ __be32 id;
1219 ++ u32 iif;
1220 ++};
1221 ++
1222 + /**
1223 + * struct inet_frag_queue - fragment queue
1224 + *
1225 +- * @lock: spinlock protecting the queue
1226 ++ * @node: rhash node
1227 ++ * @key: keys identifying this frag.
1228 + * @timer: queue expiration timer
1229 +- * @list: hash bucket list
1230 ++ * @lock: spinlock protecting this frag
1231 + * @refcnt: reference count of the queue
1232 + * @fragments: received fragments head
1233 ++ * @rb_fragments: received fragments rb-tree root
1234 + * @fragments_tail: received fragments tail
1235 ++ * @last_run_head: the head of the last "run". see ip_fragment.c
1236 + * @stamp: timestamp of the last received fragment
1237 + * @len: total length of the original datagram
1238 + * @meat: length of received fragments so far
1239 + * @flags: fragment queue flags
1240 + * @max_size: maximum received fragment size
1241 + * @net: namespace that this frag belongs to
1242 +- * @list_evictor: list of queues to forcefully evict (e.g. due to low memory)
1243 ++ * @rcu: rcu head for freeing deferall
1244 + */
1245 + struct inet_frag_queue {
1246 +- spinlock_t lock;
1247 ++ struct rhash_head node;
1248 ++ union {
1249 ++ struct frag_v4_compare_key v4;
1250 ++ struct frag_v6_compare_key v6;
1251 ++ } key;
1252 + struct timer_list timer;
1253 +- struct hlist_node list;
1254 ++ spinlock_t lock;
1255 + atomic_t refcnt;
1256 +- struct sk_buff *fragments;
1257 ++ struct sk_buff *fragments; /* Used in IPv6. */
1258 ++ struct rb_root rb_fragments; /* Used in IPv4. */
1259 + struct sk_buff *fragments_tail;
1260 ++ struct sk_buff *last_run_head;
1261 + ktime_t stamp;
1262 + int len;
1263 + int meat;
1264 + __u8 flags;
1265 + u16 max_size;
1266 +- struct netns_frags *net;
1267 +- struct hlist_node list_evictor;
1268 +-};
1269 +-
1270 +-#define INETFRAGS_HASHSZ 1024
1271 +-
1272 +-/* averaged:
1273 +- * max_depth = default ipfrag_high_thresh / INETFRAGS_HASHSZ /
1274 +- * rounded up (SKB_TRUELEN(0) + sizeof(struct ipq or
1275 +- * struct frag_queue))
1276 +- */
1277 +-#define INETFRAGS_MAXDEPTH 128
1278 +-
1279 +-struct inet_frag_bucket {
1280 +- struct hlist_head chain;
1281 +- spinlock_t chain_lock;
1282 ++ struct netns_frags *net;
1283 ++ struct rcu_head rcu;
1284 + };
1285 +
1286 + struct inet_frags {
1287 +- struct inet_frag_bucket hash[INETFRAGS_HASHSZ];
1288 +-
1289 +- struct work_struct frags_work;
1290 +- unsigned int next_bucket;
1291 +- unsigned long last_rebuild_jiffies;
1292 +- bool rebuild;
1293 +-
1294 +- /* The first call to hashfn is responsible to initialize
1295 +- * rnd. This is best done with net_get_random_once.
1296 +- *
1297 +- * rnd_seqlock is used to let hash insertion detect
1298 +- * when it needs to re-lookup the hash chain to use.
1299 +- */
1300 +- u32 rnd;
1301 +- seqlock_t rnd_seqlock;
1302 + int qsize;
1303 +
1304 +- unsigned int (*hashfn)(const struct inet_frag_queue *);
1305 +- bool (*match)(const struct inet_frag_queue *q,
1306 +- const void *arg);
1307 + void (*constructor)(struct inet_frag_queue *q,
1308 + const void *arg);
1309 + void (*destructor)(struct inet_frag_queue *);
1310 + void (*frag_expire)(unsigned long data);
1311 + struct kmem_cache *frags_cachep;
1312 + const char *frags_cache_name;
1313 ++ struct rhashtable_params rhash_params;
1314 + };
1315 +
1316 + int inet_frags_init(struct inet_frags *);
1317 + void inet_frags_fini(struct inet_frags *);
1318 +
1319 +-static inline void inet_frags_init_net(struct netns_frags *nf)
1320 ++static inline int inet_frags_init_net(struct netns_frags *nf)
1321 + {
1322 +- atomic_set(&nf->mem, 0);
1323 ++ atomic_long_set(&nf->mem, 0);
1324 ++ return rhashtable_init(&nf->rhashtable, &nf->f->rhash_params);
1325 + }
1326 +-void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f);
1327 ++void inet_frags_exit_net(struct netns_frags *nf);
1328 +
1329 +-void inet_frag_kill(struct inet_frag_queue *q, struct inet_frags *f);
1330 +-void inet_frag_destroy(struct inet_frag_queue *q, struct inet_frags *f);
1331 +-struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
1332 +- struct inet_frags *f, void *key, unsigned int hash);
1333 ++void inet_frag_kill(struct inet_frag_queue *q);
1334 ++void inet_frag_destroy(struct inet_frag_queue *q);
1335 ++struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, void *key);
1336 +
1337 +-void inet_frag_maybe_warn_overflow(struct inet_frag_queue *q,
1338 +- const char *prefix);
1339 ++/* Free all skbs in the queue; return the sum of their truesizes. */
1340 ++unsigned int inet_frag_rbtree_purge(struct rb_root *root);
1341 +
1342 +-static inline void inet_frag_put(struct inet_frag_queue *q, struct inet_frags *f)
1343 ++static inline void inet_frag_put(struct inet_frag_queue *q)
1344 + {
1345 + if (atomic_dec_and_test(&q->refcnt))
1346 +- inet_frag_destroy(q, f);
1347 +-}
1348 +-
1349 +-static inline bool inet_frag_evicting(struct inet_frag_queue *q)
1350 +-{
1351 +- return !hlist_unhashed(&q->list_evictor);
1352 ++ inet_frag_destroy(q);
1353 + }
1354 +
1355 + /* Memory Tracking Functions. */
1356 +
1357 +-static inline int frag_mem_limit(struct netns_frags *nf)
1358 +-{
1359 +- return atomic_read(&nf->mem);
1360 +-}
1361 +-
1362 +-static inline void sub_frag_mem_limit(struct netns_frags *nf, int i)
1363 ++static inline long frag_mem_limit(const struct netns_frags *nf)
1364 + {
1365 +- atomic_sub(i, &nf->mem);
1366 ++ return atomic_long_read(&nf->mem);
1367 + }
1368 +
1369 +-static inline void add_frag_mem_limit(struct netns_frags *nf, int i)
1370 ++static inline void sub_frag_mem_limit(struct netns_frags *nf, long val)
1371 + {
1372 +- atomic_add(i, &nf->mem);
1373 ++ atomic_long_sub(val, &nf->mem);
1374 + }
1375 +
1376 +-static inline int sum_frag_mem_limit(struct netns_frags *nf)
1377 ++static inline void add_frag_mem_limit(struct netns_frags *nf, long val)
1378 + {
1379 +- return atomic_read(&nf->mem);
1380 ++ atomic_long_add(val, &nf->mem);
1381 + }
1382 +
1383 + /* RFC 3168 support :
1384 +diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
1385 +index 0464b207d0cf..6213a90a8cec 100644
1386 +--- a/include/net/inet_sock.h
1387 ++++ b/include/net/inet_sock.h
1388 +@@ -132,12 +132,6 @@ static inline int inet_request_bound_dev_if(const struct sock *sk,
1389 + return sk->sk_bound_dev_if;
1390 + }
1391 +
1392 +-static inline struct ip_options_rcu *ireq_opt_deref(const struct inet_request_sock *ireq)
1393 +-{
1394 +- return rcu_dereference_check(ireq->ireq_opt,
1395 +- atomic_read(&ireq->req.rsk_refcnt) > 0);
1396 +-}
1397 +-
1398 + struct inet_cork {
1399 + unsigned int flags;
1400 + __be32 addr;
1401 +diff --git a/include/net/ip.h b/include/net/ip.h
1402 +index bc9b4deeb60e..8646da034851 100644
1403 +--- a/include/net/ip.h
1404 ++++ b/include/net/ip.h
1405 +@@ -548,7 +548,6 @@ static inline struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *s
1406 + return skb;
1407 + }
1408 + #endif
1409 +-int ip_frag_mem(struct net *net);
1410 +
1411 + /*
1412 + * Functions provided by ip_forward.c
1413 +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
1414 +index 978387d6c3e6..a6446d72c5d9 100644
1415 +--- a/include/net/ip_fib.h
1416 ++++ b/include/net/ip_fib.h
1417 +@@ -363,6 +363,7 @@ int ip_fib_check_default(__be32 gw, struct net_device *dev);
1418 + int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force);
1419 + int fib_sync_down_addr(struct net_device *dev, __be32 local);
1420 + int fib_sync_up(struct net_device *dev, unsigned int nh_flags);
1421 ++void fib_sync_mtu(struct net_device *dev, u32 orig_mtu);
1422 +
1423 + extern u32 fib_multipath_secret __read_mostly;
1424 +
1425 +diff --git a/include/net/ipv6.h b/include/net/ipv6.h
1426 +index 64b0e9df31c7..7cb100d25bb5 100644
1427 +--- a/include/net/ipv6.h
1428 ++++ b/include/net/ipv6.h
1429 +@@ -330,13 +330,6 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
1430 + idev->cnf.accept_ra;
1431 + }
1432 +
1433 +-#if IS_ENABLED(CONFIG_IPV6)
1434 +-static inline int ip6_frag_mem(struct net *net)
1435 +-{
1436 +- return sum_frag_mem_limit(&net->ipv6.frags);
1437 +-}
1438 +-#endif
1439 +-
1440 + #define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
1441 + #define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
1442 + #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
1443 +@@ -530,17 +523,8 @@ enum ip6_defrag_users {
1444 + __IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHRT_MAX,
1445 + };
1446 +
1447 +-struct ip6_create_arg {
1448 +- __be32 id;
1449 +- u32 user;
1450 +- const struct in6_addr *src;
1451 +- const struct in6_addr *dst;
1452 +- int iif;
1453 +- u8 ecn;
1454 +-};
1455 +-
1456 + void ip6_frag_init(struct inet_frag_queue *q, const void *a);
1457 +-bool ip6_frag_match(const struct inet_frag_queue *q, const void *a);
1458 ++extern const struct rhashtable_params ip6_rhash_params;
1459 +
1460 + /*
1461 + * Equivalent of ipv4 struct ip
1462 +@@ -548,19 +532,13 @@ bool ip6_frag_match(const struct inet_frag_queue *q, const void *a);
1463 + struct frag_queue {
1464 + struct inet_frag_queue q;
1465 +
1466 +- __be32 id; /* fragment id */
1467 +- u32 user;
1468 +- struct in6_addr saddr;
1469 +- struct in6_addr daddr;
1470 +-
1471 + int iif;
1472 + unsigned int csum;
1473 + __u16 nhoffset;
1474 + u8 ecn;
1475 + };
1476 +
1477 +-void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq,
1478 +- struct inet_frags *frags);
1479 ++void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq);
1480 +
1481 + static inline bool ipv6_addr_any(const struct in6_addr *a)
1482 + {
1483 +diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
1484 +index e7a31f830690..3442a26d36d9 100644
1485 +--- a/include/uapi/linux/snmp.h
1486 ++++ b/include/uapi/linux/snmp.h
1487 +@@ -55,6 +55,7 @@ enum
1488 + IPSTATS_MIB_ECT1PKTS, /* InECT1Pkts */
1489 + IPSTATS_MIB_ECT0PKTS, /* InECT0Pkts */
1490 + IPSTATS_MIB_CEPKTS, /* InCEPkts */
1491 ++ IPSTATS_MIB_REASM_OVERLAPS, /* ReasmOverlaps */
1492 + __IPSTATS_MIB_MAX
1493 + };
1494 +
1495 +diff --git a/lib/rhashtable.c b/lib/rhashtable.c
1496 +index 101dac085c62..fdffd6232365 100644
1497 +--- a/lib/rhashtable.c
1498 ++++ b/lib/rhashtable.c
1499 +@@ -251,8 +251,10 @@ static int rhashtable_rehash_table(struct rhashtable *ht)
1500 + if (!new_tbl)
1501 + return 0;
1502 +
1503 +- for (old_hash = 0; old_hash < old_tbl->size; old_hash++)
1504 ++ for (old_hash = 0; old_hash < old_tbl->size; old_hash++) {
1505 + rhashtable_rehash_chain(ht, old_hash);
1506 ++ cond_resched();
1507 ++ }
1508 +
1509 + /* Publish the new table pointer. */
1510 + rcu_assign_pointer(ht->tbl, new_tbl);
1511 +@@ -993,6 +995,7 @@ void rhashtable_free_and_destroy(struct rhashtable *ht,
1512 + for (i = 0; i < tbl->size; i++) {
1513 + struct rhash_head *pos, *next;
1514 +
1515 ++ cond_resched();
1516 + for (pos = rht_dereference(tbl->buckets[i], ht),
1517 + next = !rht_is_a_nulls(pos) ?
1518 + rht_dereference(pos->next, ht) : NULL;
1519 +diff --git a/mm/vmstat.c b/mm/vmstat.c
1520 +index d31e801a467c..5e6a4d76659d 100644
1521 +--- a/mm/vmstat.c
1522 ++++ b/mm/vmstat.c
1523 +@@ -1089,7 +1089,6 @@ const char * const vmstat_text[] = {
1524 + #ifdef CONFIG_DEBUG_VM_VMACACHE
1525 + "vmacache_find_calls",
1526 + "vmacache_find_hits",
1527 +- "vmacache_full_flushes",
1528 + #endif
1529 + #endif /* CONFIG_VM_EVENTS_COUNTERS */
1530 + };
1531 +diff --git a/net/core/dev.c b/net/core/dev.c
1532 +index b85e789044d5..15e3bb94156b 100644
1533 +--- a/net/core/dev.c
1534 ++++ b/net/core/dev.c
1535 +@@ -1664,6 +1664,28 @@ int call_netdevice_notifiers(unsigned long val, struct net_device *dev)
1536 + }
1537 + EXPORT_SYMBOL(call_netdevice_notifiers);
1538 +
1539 ++/**
1540 ++ * call_netdevice_notifiers_mtu - call all network notifier blocks
1541 ++ * @val: value passed unmodified to notifier function
1542 ++ * @dev: net_device pointer passed unmodified to notifier function
1543 ++ * @arg: additional u32 argument passed to the notifier function
1544 ++ *
1545 ++ * Call all network notifier blocks. Parameters and return value
1546 ++ * are as for raw_notifier_call_chain().
1547 ++ */
1548 ++static int call_netdevice_notifiers_mtu(unsigned long val,
1549 ++ struct net_device *dev, u32 arg)
1550 ++{
1551 ++ struct netdev_notifier_info_ext info = {
1552 ++ .info.dev = dev,
1553 ++ .ext.mtu = arg,
1554 ++ };
1555 ++
1556 ++ BUILD_BUG_ON(offsetof(struct netdev_notifier_info_ext, info) != 0);
1557 ++
1558 ++ return call_netdevice_notifiers_info(val, dev, &info.info);
1559 ++}
1560 ++
1561 + #ifdef CONFIG_NET_INGRESS
1562 + static struct static_key ingress_needed __read_mostly;
1563 +
1564 +@@ -6589,14 +6611,16 @@ int dev_set_mtu(struct net_device *dev, int new_mtu)
1565 + err = __dev_set_mtu(dev, new_mtu);
1566 +
1567 + if (!err) {
1568 +- err = call_netdevice_notifiers(NETDEV_CHANGEMTU, dev);
1569 ++ err = call_netdevice_notifiers_mtu(NETDEV_CHANGEMTU, dev,
1570 ++ orig_mtu);
1571 + err = notifier_to_errno(err);
1572 + if (err) {
1573 + /* setting mtu back and notifying everyone again,
1574 + * so that they have a chance to revert changes.
1575 + */
1576 + __dev_set_mtu(dev, orig_mtu);
1577 +- call_netdevice_notifiers(NETDEV_CHANGEMTU, dev);
1578 ++ call_netdevice_notifiers_mtu(NETDEV_CHANGEMTU, dev,
1579 ++ new_mtu);
1580 + }
1581 + }
1582 + return err;
1583 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
1584 +index 194e844e1021..189082dc288d 100644
1585 +--- a/net/core/rtnetlink.c
1586 ++++ b/net/core/rtnetlink.c
1587 +@@ -2368,6 +2368,12 @@ struct net_device *rtnl_create_link(struct net *net,
1588 + else if (ops->get_num_rx_queues)
1589 + num_rx_queues = ops->get_num_rx_queues();
1590 +
1591 ++ if (num_tx_queues < 1 || num_tx_queues > 4096)
1592 ++ return ERR_PTR(-EINVAL);
1593 ++
1594 ++ if (num_rx_queues < 1 || num_rx_queues > 4096)
1595 ++ return ERR_PTR(-EINVAL);
1596 ++
1597 + err = -ENOMEM;
1598 + dev = alloc_netdev_mqs(ops->priv_size, ifname, name_assign_type,
1599 + ops->setup, num_tx_queues, num_rx_queues);
1600 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
1601 +index 84c731aef0d8..038ec74fa131 100644
1602 +--- a/net/core/skbuff.c
1603 ++++ b/net/core/skbuff.c
1604 +@@ -1578,6 +1578,20 @@ done:
1605 + }
1606 + EXPORT_SYMBOL(___pskb_trim);
1607 +
1608 ++/* Note : use pskb_trim_rcsum() instead of calling this directly
1609 ++ */
1610 ++int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len)
1611 ++{
1612 ++ if (skb->ip_summed == CHECKSUM_COMPLETE) {
1613 ++ int delta = skb->len - len;
1614 ++
1615 ++ skb->csum = csum_sub(skb->csum,
1616 ++ skb_checksum(skb, len, delta, 0));
1617 ++ }
1618 ++ return __pskb_trim(skb, len);
1619 ++}
1620 ++EXPORT_SYMBOL(pskb_trim_rcsum_slow);
1621 ++
1622 + /**
1623 + * __pskb_pull_tail - advance tail of skb header
1624 + * @skb: buffer to reallocate
1625 +@@ -2425,20 +2439,27 @@ EXPORT_SYMBOL(skb_queue_purge);
1626 + /**
1627 + * skb_rbtree_purge - empty a skb rbtree
1628 + * @root: root of the rbtree to empty
1629 ++ * Return value: the sum of truesizes of all purged skbs.
1630 + *
1631 + * Delete all buffers on an &sk_buff rbtree. Each buffer is removed from
1632 + * the list and one reference dropped. This function does not take
1633 + * any lock. Synchronization should be handled by the caller (e.g., TCP
1634 + * out-of-order queue is protected by the socket lock).
1635 + */
1636 +-void skb_rbtree_purge(struct rb_root *root)
1637 ++unsigned int skb_rbtree_purge(struct rb_root *root)
1638 + {
1639 +- struct sk_buff *skb, *next;
1640 ++ struct rb_node *p = rb_first(root);
1641 ++ unsigned int sum = 0;
1642 +
1643 +- rbtree_postorder_for_each_entry_safe(skb, next, root, rbnode)
1644 +- kfree_skb(skb);
1645 ++ while (p) {
1646 ++ struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
1647 +
1648 +- *root = RB_ROOT;
1649 ++ p = rb_next(p);
1650 ++ rb_erase(&skb->rbnode, root);
1651 ++ sum += skb->truesize;
1652 ++ kfree_skb(skb);
1653 ++ }
1654 ++ return sum;
1655 + }
1656 +
1657 + /**
1658 +diff --git a/net/dccp/input.c b/net/dccp/input.c
1659 +index 4a05d7876850..84ff43acd427 100644
1660 +--- a/net/dccp/input.c
1661 ++++ b/net/dccp/input.c
1662 +@@ -605,11 +605,13 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
1663 + if (sk->sk_state == DCCP_LISTEN) {
1664 + if (dh->dccph_type == DCCP_PKT_REQUEST) {
1665 + /* It is possible that we process SYN packets from backlog,
1666 +- * so we need to make sure to disable BH right there.
1667 ++ * so we need to make sure to disable BH and RCU right there.
1668 + */
1669 ++ rcu_read_lock();
1670 + local_bh_disable();
1671 + acceptable = inet_csk(sk)->icsk_af_ops->conn_request(sk, skb) >= 0;
1672 + local_bh_enable();
1673 ++ rcu_read_unlock();
1674 + if (!acceptable)
1675 + return 1;
1676 + consume_skb(skb);
1677 +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
1678 +index 6697b180e122..28ad6f187e19 100644
1679 +--- a/net/dccp/ipv4.c
1680 ++++ b/net/dccp/ipv4.c
1681 +@@ -493,9 +493,11 @@ static int dccp_v4_send_response(const struct sock *sk, struct request_sock *req
1682 +
1683 + dh->dccph_checksum = dccp_v4_csum_finish(skb, ireq->ir_loc_addr,
1684 + ireq->ir_rmt_addr);
1685 ++ rcu_read_lock();
1686 + err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr,
1687 + ireq->ir_rmt_addr,
1688 +- ireq_opt_deref(ireq));
1689 ++ rcu_dereference(ireq->ireq_opt));
1690 ++ rcu_read_unlock();
1691 + err = net_xmit_eval(err);
1692 + }
1693 +
1694 +diff --git a/net/ieee802154/6lowpan/6lowpan_i.h b/net/ieee802154/6lowpan/6lowpan_i.h
1695 +index 5ac778962e4e..3bfec472734a 100644
1696 +--- a/net/ieee802154/6lowpan/6lowpan_i.h
1697 ++++ b/net/ieee802154/6lowpan/6lowpan_i.h
1698 +@@ -16,37 +16,19 @@ typedef unsigned __bitwise__ lowpan_rx_result;
1699 + #define LOWPAN_DISPATCH_FRAG1 0xc0
1700 + #define LOWPAN_DISPATCH_FRAGN 0xe0
1701 +
1702 +-struct lowpan_create_arg {
1703 ++struct frag_lowpan_compare_key {
1704 + u16 tag;
1705 + u16 d_size;
1706 +- const struct ieee802154_addr *src;
1707 +- const struct ieee802154_addr *dst;
1708 ++ const struct ieee802154_addr src;
1709 ++ const struct ieee802154_addr dst;
1710 + };
1711 +
1712 +-/* Equivalent of ipv4 struct ip
1713 ++/* Equivalent of ipv4 struct ipq
1714 + */
1715 + struct lowpan_frag_queue {
1716 + struct inet_frag_queue q;
1717 +-
1718 +- u16 tag;
1719 +- u16 d_size;
1720 +- struct ieee802154_addr saddr;
1721 +- struct ieee802154_addr daddr;
1722 + };
1723 +
1724 +-static inline u32 ieee802154_addr_hash(const struct ieee802154_addr *a)
1725 +-{
1726 +- switch (a->mode) {
1727 +- case IEEE802154_ADDR_LONG:
1728 +- return (((__force u64)a->extended_addr) >> 32) ^
1729 +- (((__force u64)a->extended_addr) & 0xffffffff);
1730 +- case IEEE802154_ADDR_SHORT:
1731 +- return (__force u32)(a->short_addr + (a->pan_id << 16));
1732 +- default:
1733 +- return 0;
1734 +- }
1735 +-}
1736 +-
1737 + int lowpan_frag_rcv(struct sk_buff *skb, const u8 frag_type);
1738 + void lowpan_net_frag_exit(void);
1739 + int lowpan_net_frag_init(void);
1740 +diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
1741 +index f85b08baff16..6fca75581e13 100644
1742 +--- a/net/ieee802154/6lowpan/reassembly.c
1743 ++++ b/net/ieee802154/6lowpan/reassembly.c
1744 +@@ -37,47 +37,15 @@ static struct inet_frags lowpan_frags;
1745 + static int lowpan_frag_reasm(struct lowpan_frag_queue *fq,
1746 + struct sk_buff *prev, struct net_device *ldev);
1747 +
1748 +-static unsigned int lowpan_hash_frag(u16 tag, u16 d_size,
1749 +- const struct ieee802154_addr *saddr,
1750 +- const struct ieee802154_addr *daddr)
1751 +-{
1752 +- net_get_random_once(&lowpan_frags.rnd, sizeof(lowpan_frags.rnd));
1753 +- return jhash_3words(ieee802154_addr_hash(saddr),
1754 +- ieee802154_addr_hash(daddr),
1755 +- (__force u32)(tag + (d_size << 16)),
1756 +- lowpan_frags.rnd);
1757 +-}
1758 +-
1759 +-static unsigned int lowpan_hashfn(const struct inet_frag_queue *q)
1760 +-{
1761 +- const struct lowpan_frag_queue *fq;
1762 +-
1763 +- fq = container_of(q, struct lowpan_frag_queue, q);
1764 +- return lowpan_hash_frag(fq->tag, fq->d_size, &fq->saddr, &fq->daddr);
1765 +-}
1766 +-
1767 +-static bool lowpan_frag_match(const struct inet_frag_queue *q, const void *a)
1768 +-{
1769 +- const struct lowpan_frag_queue *fq;
1770 +- const struct lowpan_create_arg *arg = a;
1771 +-
1772 +- fq = container_of(q, struct lowpan_frag_queue, q);
1773 +- return fq->tag == arg->tag && fq->d_size == arg->d_size &&
1774 +- ieee802154_addr_equal(&fq->saddr, arg->src) &&
1775 +- ieee802154_addr_equal(&fq->daddr, arg->dst);
1776 +-}
1777 +-
1778 + static void lowpan_frag_init(struct inet_frag_queue *q, const void *a)
1779 + {
1780 +- const struct lowpan_create_arg *arg = a;
1781 ++ const struct frag_lowpan_compare_key *key = a;
1782 + struct lowpan_frag_queue *fq;
1783 +
1784 + fq = container_of(q, struct lowpan_frag_queue, q);
1785 +
1786 +- fq->tag = arg->tag;
1787 +- fq->d_size = arg->d_size;
1788 +- fq->saddr = *arg->src;
1789 +- fq->daddr = *arg->dst;
1790 ++ BUILD_BUG_ON(sizeof(*key) > sizeof(q->key));
1791 ++ memcpy(&q->key, key, sizeof(*key));
1792 + }
1793 +
1794 + static void lowpan_frag_expire(unsigned long data)
1795 +@@ -93,10 +61,10 @@ static void lowpan_frag_expire(unsigned long data)
1796 + if (fq->q.flags & INET_FRAG_COMPLETE)
1797 + goto out;
1798 +
1799 +- inet_frag_kill(&fq->q, &lowpan_frags);
1800 ++ inet_frag_kill(&fq->q);
1801 + out:
1802 + spin_unlock(&fq->q.lock);
1803 +- inet_frag_put(&fq->q, &lowpan_frags);
1804 ++ inet_frag_put(&fq->q);
1805 + }
1806 +
1807 + static inline struct lowpan_frag_queue *
1808 +@@ -104,25 +72,20 @@ fq_find(struct net *net, const struct lowpan_802154_cb *cb,
1809 + const struct ieee802154_addr *src,
1810 + const struct ieee802154_addr *dst)
1811 + {
1812 +- struct inet_frag_queue *q;
1813 +- struct lowpan_create_arg arg;
1814 +- unsigned int hash;
1815 + struct netns_ieee802154_lowpan *ieee802154_lowpan =
1816 + net_ieee802154_lowpan(net);
1817 ++ struct frag_lowpan_compare_key key = {
1818 ++ .tag = cb->d_tag,
1819 ++ .d_size = cb->d_size,
1820 ++ .src = *src,
1821 ++ .dst = *dst,
1822 ++ };
1823 ++ struct inet_frag_queue *q;
1824 +
1825 +- arg.tag = cb->d_tag;
1826 +- arg.d_size = cb->d_size;
1827 +- arg.src = src;
1828 +- arg.dst = dst;
1829 +-
1830 +- hash = lowpan_hash_frag(cb->d_tag, cb->d_size, src, dst);
1831 +-
1832 +- q = inet_frag_find(&ieee802154_lowpan->frags,
1833 +- &lowpan_frags, &arg, hash);
1834 +- if (IS_ERR_OR_NULL(q)) {
1835 +- inet_frag_maybe_warn_overflow(q, pr_fmt());
1836 ++ q = inet_frag_find(&ieee802154_lowpan->frags, &key);
1837 ++ if (!q)
1838 + return NULL;
1839 +- }
1840 ++
1841 + return container_of(q, struct lowpan_frag_queue, q);
1842 + }
1843 +
1844 +@@ -229,7 +192,7 @@ static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *prev,
1845 + struct sk_buff *fp, *head = fq->q.fragments;
1846 + int sum_truesize;
1847 +
1848 +- inet_frag_kill(&fq->q, &lowpan_frags);
1849 ++ inet_frag_kill(&fq->q);
1850 +
1851 + /* Make the one we just received the head. */
1852 + if (prev) {
1853 +@@ -437,7 +400,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type)
1854 + ret = lowpan_frag_queue(fq, skb, frag_type);
1855 + spin_unlock(&fq->q.lock);
1856 +
1857 +- inet_frag_put(&fq->q, &lowpan_frags);
1858 ++ inet_frag_put(&fq->q);
1859 + return ret;
1860 + }
1861 +
1862 +@@ -447,24 +410,22 @@ err:
1863 + }
1864 +
1865 + #ifdef CONFIG_SYSCTL
1866 +-static int zero;
1867 +
1868 + static struct ctl_table lowpan_frags_ns_ctl_table[] = {
1869 + {
1870 + .procname = "6lowpanfrag_high_thresh",
1871 + .data = &init_net.ieee802154_lowpan.frags.high_thresh,
1872 +- .maxlen = sizeof(int),
1873 ++ .maxlen = sizeof(unsigned long),
1874 + .mode = 0644,
1875 +- .proc_handler = proc_dointvec_minmax,
1876 ++ .proc_handler = proc_doulongvec_minmax,
1877 + .extra1 = &init_net.ieee802154_lowpan.frags.low_thresh
1878 + },
1879 + {
1880 + .procname = "6lowpanfrag_low_thresh",
1881 + .data = &init_net.ieee802154_lowpan.frags.low_thresh,
1882 +- .maxlen = sizeof(int),
1883 ++ .maxlen = sizeof(unsigned long),
1884 + .mode = 0644,
1885 +- .proc_handler = proc_dointvec_minmax,
1886 +- .extra1 = &zero,
1887 ++ .proc_handler = proc_doulongvec_minmax,
1888 + .extra2 = &init_net.ieee802154_lowpan.frags.high_thresh
1889 + },
1890 + {
1891 +@@ -580,14 +541,20 @@ static int __net_init lowpan_frags_init_net(struct net *net)
1892 + {
1893 + struct netns_ieee802154_lowpan *ieee802154_lowpan =
1894 + net_ieee802154_lowpan(net);
1895 ++ int res;
1896 +
1897 + ieee802154_lowpan->frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
1898 + ieee802154_lowpan->frags.low_thresh = IPV6_FRAG_LOW_THRESH;
1899 + ieee802154_lowpan->frags.timeout = IPV6_FRAG_TIMEOUT;
1900 ++ ieee802154_lowpan->frags.f = &lowpan_frags;
1901 +
1902 +- inet_frags_init_net(&ieee802154_lowpan->frags);
1903 +-
1904 +- return lowpan_frags_ns_sysctl_register(net);
1905 ++ res = inet_frags_init_net(&ieee802154_lowpan->frags);
1906 ++ if (res < 0)
1907 ++ return res;
1908 ++ res = lowpan_frags_ns_sysctl_register(net);
1909 ++ if (res < 0)
1910 ++ inet_frags_exit_net(&ieee802154_lowpan->frags);
1911 ++ return res;
1912 + }
1913 +
1914 + static void __net_exit lowpan_frags_exit_net(struct net *net)
1915 +@@ -596,7 +563,7 @@ static void __net_exit lowpan_frags_exit_net(struct net *net)
1916 + net_ieee802154_lowpan(net);
1917 +
1918 + lowpan_frags_ns_sysctl_unregister(net);
1919 +- inet_frags_exit_net(&ieee802154_lowpan->frags, &lowpan_frags);
1920 ++ inet_frags_exit_net(&ieee802154_lowpan->frags);
1921 + }
1922 +
1923 + static struct pernet_operations lowpan_frags_ops = {
1924 +@@ -604,32 +571,63 @@ static struct pernet_operations lowpan_frags_ops = {
1925 + .exit = lowpan_frags_exit_net,
1926 + };
1927 +
1928 +-int __init lowpan_net_frag_init(void)
1929 ++static u32 lowpan_key_hashfn(const void *data, u32 len, u32 seed)
1930 + {
1931 +- int ret;
1932 ++ return jhash2(data,
1933 ++ sizeof(struct frag_lowpan_compare_key) / sizeof(u32), seed);
1934 ++}
1935 +
1936 +- ret = lowpan_frags_sysctl_register();
1937 +- if (ret)
1938 +- return ret;
1939 ++static u32 lowpan_obj_hashfn(const void *data, u32 len, u32 seed)
1940 ++{
1941 ++ const struct inet_frag_queue *fq = data;
1942 +
1943 +- ret = register_pernet_subsys(&lowpan_frags_ops);
1944 +- if (ret)
1945 +- goto err_pernet;
1946 ++ return jhash2((const u32 *)&fq->key,
1947 ++ sizeof(struct frag_lowpan_compare_key) / sizeof(u32), seed);
1948 ++}
1949 ++
1950 ++static int lowpan_obj_cmpfn(struct rhashtable_compare_arg *arg, const void *ptr)
1951 ++{
1952 ++ const struct frag_lowpan_compare_key *key = arg->key;
1953 ++ const struct inet_frag_queue *fq = ptr;
1954 ++
1955 ++ return !!memcmp(&fq->key, key, sizeof(*key));
1956 ++}
1957 ++
1958 ++static const struct rhashtable_params lowpan_rhash_params = {
1959 ++ .head_offset = offsetof(struct inet_frag_queue, node),
1960 ++ .hashfn = lowpan_key_hashfn,
1961 ++ .obj_hashfn = lowpan_obj_hashfn,
1962 ++ .obj_cmpfn = lowpan_obj_cmpfn,
1963 ++ .automatic_shrinking = true,
1964 ++};
1965 ++
1966 ++int __init lowpan_net_frag_init(void)
1967 ++{
1968 ++ int ret;
1969 +
1970 +- lowpan_frags.hashfn = lowpan_hashfn;
1971 + lowpan_frags.constructor = lowpan_frag_init;
1972 + lowpan_frags.destructor = NULL;
1973 + lowpan_frags.qsize = sizeof(struct frag_queue);
1974 +- lowpan_frags.match = lowpan_frag_match;
1975 + lowpan_frags.frag_expire = lowpan_frag_expire;
1976 + lowpan_frags.frags_cache_name = lowpan_frags_cache_name;
1977 ++ lowpan_frags.rhash_params = lowpan_rhash_params;
1978 + ret = inet_frags_init(&lowpan_frags);
1979 + if (ret)
1980 +- goto err_pernet;
1981 ++ goto out;
1982 +
1983 ++ ret = lowpan_frags_sysctl_register();
1984 ++ if (ret)
1985 ++ goto err_sysctl;
1986 ++
1987 ++ ret = register_pernet_subsys(&lowpan_frags_ops);
1988 ++ if (ret)
1989 ++ goto err_pernet;
1990 ++out:
1991 + return ret;
1992 + err_pernet:
1993 + lowpan_frags_sysctl_unregister();
1994 ++err_sysctl:
1995 ++ inet_frags_fini(&lowpan_frags);
1996 + return ret;
1997 + }
1998 +
1999 +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
2000 +index 6a2ef162088d..9364c39d0555 100644
2001 +--- a/net/ipv4/fib_frontend.c
2002 ++++ b/net/ipv4/fib_frontend.c
2003 +@@ -1171,7 +1171,8 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
2004 + static int fib_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
2005 + {
2006 + struct net_device *dev = netdev_notifier_info_to_dev(ptr);
2007 +- struct netdev_notifier_changeupper_info *info;
2008 ++ struct netdev_notifier_changeupper_info *upper_info = ptr;
2009 ++ struct netdev_notifier_info_ext *info_ext = ptr;
2010 + struct in_device *in_dev;
2011 + struct net *net = dev_net(dev);
2012 + unsigned int flags;
2013 +@@ -1206,16 +1207,19 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
2014 + fib_sync_up(dev, RTNH_F_LINKDOWN);
2015 + else
2016 + fib_sync_down_dev(dev, event, false);
2017 +- /* fall through */
2018 ++ rt_cache_flush(net);
2019 ++ break;
2020 + case NETDEV_CHANGEMTU:
2021 ++ fib_sync_mtu(dev, info_ext->ext.mtu);
2022 + rt_cache_flush(net);
2023 + break;
2024 + case NETDEV_CHANGEUPPER:
2025 +- info = ptr;
2026 ++ upper_info = ptr;
2027 + /* flush all routes if dev is linked to or unlinked from
2028 + * an L3 master device (e.g., VRF)
2029 + */
2030 +- if (info->upper_dev && netif_is_l3_master(info->upper_dev))
2031 ++ if (upper_info->upper_dev &&
2032 ++ netif_is_l3_master(upper_info->upper_dev))
2033 + fib_disable_ip(dev, NETDEV_DOWN, true);
2034 + break;
2035 + }
2036 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
2037 +index a88dab33cdf6..90c654012510 100644
2038 +--- a/net/ipv4/fib_semantics.c
2039 ++++ b/net/ipv4/fib_semantics.c
2040 +@@ -1377,6 +1377,56 @@ int fib_sync_down_addr(struct net_device *dev, __be32 local)
2041 + return ret;
2042 + }
2043 +
2044 ++/* Update the PMTU of exceptions when:
2045 ++ * - the new MTU of the first hop becomes smaller than the PMTU
2046 ++ * - the old MTU was the same as the PMTU, and it limited discovery of
2047 ++ * larger MTUs on the path. With that limit raised, we can now
2048 ++ * discover larger MTUs
2049 ++ * A special case is locked exceptions, for which the PMTU is smaller
2050 ++ * than the minimal accepted PMTU:
2051 ++ * - if the new MTU is greater than the PMTU, don't make any change
2052 ++ * - otherwise, unlock and set PMTU
2053 ++ */
2054 ++static void nh_update_mtu(struct fib_nh *nh, u32 new, u32 orig)
2055 ++{
2056 ++ struct fnhe_hash_bucket *bucket;
2057 ++ int i;
2058 ++
2059 ++ bucket = rcu_dereference_protected(nh->nh_exceptions, 1);
2060 ++ if (!bucket)
2061 ++ return;
2062 ++
2063 ++ for (i = 0; i < FNHE_HASH_SIZE; i++) {
2064 ++ struct fib_nh_exception *fnhe;
2065 ++
2066 ++ for (fnhe = rcu_dereference_protected(bucket[i].chain, 1);
2067 ++ fnhe;
2068 ++ fnhe = rcu_dereference_protected(fnhe->fnhe_next, 1)) {
2069 ++ if (fnhe->fnhe_mtu_locked) {
2070 ++ if (new <= fnhe->fnhe_pmtu) {
2071 ++ fnhe->fnhe_pmtu = new;
2072 ++ fnhe->fnhe_mtu_locked = false;
2073 ++ }
2074 ++ } else if (new < fnhe->fnhe_pmtu ||
2075 ++ orig == fnhe->fnhe_pmtu) {
2076 ++ fnhe->fnhe_pmtu = new;
2077 ++ }
2078 ++ }
2079 ++ }
2080 ++}
2081 ++
2082 ++void fib_sync_mtu(struct net_device *dev, u32 orig_mtu)
2083 ++{
2084 ++ unsigned int hash = fib_devindex_hashfn(dev->ifindex);
2085 ++ struct hlist_head *head = &fib_info_devhash[hash];
2086 ++ struct fib_nh *nh;
2087 ++
2088 ++ hlist_for_each_entry(nh, head, nh_hash) {
2089 ++ if (nh->nh_dev == dev)
2090 ++ nh_update_mtu(nh, dev->mtu, orig_mtu);
2091 ++ }
2092 ++}
2093 ++
2094 + /* Event force Flags Description
2095 + * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host
2096 + * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host
2097 +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
2098 +index d1cab49393e2..528a6777cda0 100644
2099 +--- a/net/ipv4/inet_connection_sock.c
2100 ++++ b/net/ipv4/inet_connection_sock.c
2101 +@@ -410,7 +410,8 @@ struct dst_entry *inet_csk_route_req(const struct sock *sk,
2102 + struct ip_options_rcu *opt;
2103 + struct rtable *rt;
2104 +
2105 +- opt = ireq_opt_deref(ireq);
2106 ++ rcu_read_lock();
2107 ++ opt = rcu_dereference(ireq->ireq_opt);
2108 +
2109 + flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark,
2110 + RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
2111 +@@ -424,11 +425,13 @@ struct dst_entry *inet_csk_route_req(const struct sock *sk,
2112 + goto no_route;
2113 + if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
2114 + goto route_err;
2115 ++ rcu_read_unlock();
2116 + return &rt->dst;
2117 +
2118 + route_err:
2119 + ip_rt_put(rt);
2120 + no_route:
2121 ++ rcu_read_unlock();
2122 + __IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
2123 + return NULL;
2124 + }
2125 +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
2126 +index f8b41aaac76f..8323d33c0ce2 100644
2127 +--- a/net/ipv4/inet_fragment.c
2128 ++++ b/net/ipv4/inet_fragment.c
2129 +@@ -25,12 +25,6 @@
2130 + #include <net/inet_frag.h>
2131 + #include <net/inet_ecn.h>
2132 +
2133 +-#define INETFRAGS_EVICT_BUCKETS 128
2134 +-#define INETFRAGS_EVICT_MAX 512
2135 +-
2136 +-/* don't rebuild inetfrag table with new secret more often than this */
2137 +-#define INETFRAGS_MIN_REBUILD_INTERVAL (5 * HZ)
2138 +-
2139 + /* Given the OR values of all fragments, apply RFC 3168 5.3 requirements
2140 + * Value : 0xff if frame should be dropped.
2141 + * 0 or INET_ECN_CE value, to be ORed in to final iph->tos field
2142 +@@ -52,157 +46,8 @@ const u8 ip_frag_ecn_table[16] = {
2143 + };
2144 + EXPORT_SYMBOL(ip_frag_ecn_table);
2145 +
2146 +-static unsigned int
2147 +-inet_frag_hashfn(const struct inet_frags *f, const struct inet_frag_queue *q)
2148 +-{
2149 +- return f->hashfn(q) & (INETFRAGS_HASHSZ - 1);
2150 +-}
2151 +-
2152 +-static bool inet_frag_may_rebuild(struct inet_frags *f)
2153 +-{
2154 +- return time_after(jiffies,
2155 +- f->last_rebuild_jiffies + INETFRAGS_MIN_REBUILD_INTERVAL);
2156 +-}
2157 +-
2158 +-static void inet_frag_secret_rebuild(struct inet_frags *f)
2159 +-{
2160 +- int i;
2161 +-
2162 +- write_seqlock_bh(&f->rnd_seqlock);
2163 +-
2164 +- if (!inet_frag_may_rebuild(f))
2165 +- goto out;
2166 +-
2167 +- get_random_bytes(&f->rnd, sizeof(u32));
2168 +-
2169 +- for (i = 0; i < INETFRAGS_HASHSZ; i++) {
2170 +- struct inet_frag_bucket *hb;
2171 +- struct inet_frag_queue *q;
2172 +- struct hlist_node *n;
2173 +-
2174 +- hb = &f->hash[i];
2175 +- spin_lock(&hb->chain_lock);
2176 +-
2177 +- hlist_for_each_entry_safe(q, n, &hb->chain, list) {
2178 +- unsigned int hval = inet_frag_hashfn(f, q);
2179 +-
2180 +- if (hval != i) {
2181 +- struct inet_frag_bucket *hb_dest;
2182 +-
2183 +- hlist_del(&q->list);
2184 +-
2185 +- /* Relink to new hash chain. */
2186 +- hb_dest = &f->hash[hval];
2187 +-
2188 +- /* This is the only place where we take
2189 +- * another chain_lock while already holding
2190 +- * one. As this will not run concurrently,
2191 +- * we cannot deadlock on hb_dest lock below, if its
2192 +- * already locked it will be released soon since
2193 +- * other caller cannot be waiting for hb lock
2194 +- * that we've taken above.
2195 +- */
2196 +- spin_lock_nested(&hb_dest->chain_lock,
2197 +- SINGLE_DEPTH_NESTING);
2198 +- hlist_add_head(&q->list, &hb_dest->chain);
2199 +- spin_unlock(&hb_dest->chain_lock);
2200 +- }
2201 +- }
2202 +- spin_unlock(&hb->chain_lock);
2203 +- }
2204 +-
2205 +- f->rebuild = false;
2206 +- f->last_rebuild_jiffies = jiffies;
2207 +-out:
2208 +- write_sequnlock_bh(&f->rnd_seqlock);
2209 +-}
2210 +-
2211 +-static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
2212 +-{
2213 +- if (!hlist_unhashed(&q->list_evictor))
2214 +- return false;
2215 +-
2216 +- return q->net->low_thresh == 0 ||
2217 +- frag_mem_limit(q->net) >= q->net->low_thresh;
2218 +-}
2219 +-
2220 +-static unsigned int
2221 +-inet_evict_bucket(struct inet_frags *f, struct inet_frag_bucket *hb)
2222 +-{
2223 +- struct inet_frag_queue *fq;
2224 +- struct hlist_node *n;
2225 +- unsigned int evicted = 0;
2226 +- HLIST_HEAD(expired);
2227 +-
2228 +- spin_lock(&hb->chain_lock);
2229 +-
2230 +- hlist_for_each_entry_safe(fq, n, &hb->chain, list) {
2231 +- if (!inet_fragq_should_evict(fq))
2232 +- continue;
2233 +-
2234 +- if (!del_timer(&fq->timer))
2235 +- continue;
2236 +-
2237 +- hlist_add_head(&fq->list_evictor, &expired);
2238 +- ++evicted;
2239 +- }
2240 +-
2241 +- spin_unlock(&hb->chain_lock);
2242 +-
2243 +- hlist_for_each_entry_safe(fq, n, &expired, list_evictor)
2244 +- f->frag_expire((unsigned long) fq);
2245 +-
2246 +- return evicted;
2247 +-}
2248 +-
2249 +-static void inet_frag_worker(struct work_struct *work)
2250 +-{
2251 +- unsigned int budget = INETFRAGS_EVICT_BUCKETS;
2252 +- unsigned int i, evicted = 0;
2253 +- struct inet_frags *f;
2254 +-
2255 +- f = container_of(work, struct inet_frags, frags_work);
2256 +-
2257 +- BUILD_BUG_ON(INETFRAGS_EVICT_BUCKETS >= INETFRAGS_HASHSZ);
2258 +-
2259 +- local_bh_disable();
2260 +-
2261 +- for (i = ACCESS_ONCE(f->next_bucket); budget; --budget) {
2262 +- evicted += inet_evict_bucket(f, &f->hash[i]);
2263 +- i = (i + 1) & (INETFRAGS_HASHSZ - 1);
2264 +- if (evicted > INETFRAGS_EVICT_MAX)
2265 +- break;
2266 +- }
2267 +-
2268 +- f->next_bucket = i;
2269 +-
2270 +- local_bh_enable();
2271 +-
2272 +- if (f->rebuild && inet_frag_may_rebuild(f))
2273 +- inet_frag_secret_rebuild(f);
2274 +-}
2275 +-
2276 +-static void inet_frag_schedule_worker(struct inet_frags *f)
2277 +-{
2278 +- if (unlikely(!work_pending(&f->frags_work)))
2279 +- schedule_work(&f->frags_work);
2280 +-}
2281 +-
2282 + int inet_frags_init(struct inet_frags *f)
2283 + {
2284 +- int i;
2285 +-
2286 +- INIT_WORK(&f->frags_work, inet_frag_worker);
2287 +-
2288 +- for (i = 0; i < INETFRAGS_HASHSZ; i++) {
2289 +- struct inet_frag_bucket *hb = &f->hash[i];
2290 +-
2291 +- spin_lock_init(&hb->chain_lock);
2292 +- INIT_HLIST_HEAD(&hb->chain);
2293 +- }
2294 +-
2295 +- seqlock_init(&f->rnd_seqlock);
2296 +- f->last_rebuild_jiffies = 0;
2297 + f->frags_cachep = kmem_cache_create(f->frags_cache_name, f->qsize, 0, 0,
2298 + NULL);
2299 + if (!f->frags_cachep)
2300 +@@ -214,83 +59,75 @@ EXPORT_SYMBOL(inet_frags_init);
2301 +
2302 + void inet_frags_fini(struct inet_frags *f)
2303 + {
2304 +- cancel_work_sync(&f->frags_work);
2305 ++ /* We must wait that all inet_frag_destroy_rcu() have completed. */
2306 ++ rcu_barrier();
2307 ++
2308 + kmem_cache_destroy(f->frags_cachep);
2309 ++ f->frags_cachep = NULL;
2310 + }
2311 + EXPORT_SYMBOL(inet_frags_fini);
2312 +
2313 +-void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f)
2314 ++static void inet_frags_free_cb(void *ptr, void *arg)
2315 + {
2316 +- unsigned int seq;
2317 +- int i;
2318 +-
2319 +- nf->low_thresh = 0;
2320 +-
2321 +-evict_again:
2322 +- local_bh_disable();
2323 +- seq = read_seqbegin(&f->rnd_seqlock);
2324 ++ struct inet_frag_queue *fq = ptr;
2325 +
2326 +- for (i = 0; i < INETFRAGS_HASHSZ ; i++)
2327 +- inet_evict_bucket(f, &f->hash[i]);
2328 +-
2329 +- local_bh_enable();
2330 +- cond_resched();
2331 +-
2332 +- if (read_seqretry(&f->rnd_seqlock, seq) ||
2333 +- sum_frag_mem_limit(nf))
2334 +- goto evict_again;
2335 +-}
2336 +-EXPORT_SYMBOL(inet_frags_exit_net);
2337 +-
2338 +-static struct inet_frag_bucket *
2339 +-get_frag_bucket_locked(struct inet_frag_queue *fq, struct inet_frags *f)
2340 +-__acquires(hb->chain_lock)
2341 +-{
2342 +- struct inet_frag_bucket *hb;
2343 +- unsigned int seq, hash;
2344 +-
2345 +- restart:
2346 +- seq = read_seqbegin(&f->rnd_seqlock);
2347 +-
2348 +- hash = inet_frag_hashfn(f, fq);
2349 +- hb = &f->hash[hash];
2350 ++ /* If we can not cancel the timer, it means this frag_queue
2351 ++ * is already disappearing, we have nothing to do.
2352 ++ * Otherwise, we own a refcount until the end of this function.
2353 ++ */
2354 ++ if (!del_timer(&fq->timer))
2355 ++ return;
2356 +
2357 +- spin_lock(&hb->chain_lock);
2358 +- if (read_seqretry(&f->rnd_seqlock, seq)) {
2359 +- spin_unlock(&hb->chain_lock);
2360 +- goto restart;
2361 ++ spin_lock_bh(&fq->lock);
2362 ++ if (!(fq->flags & INET_FRAG_COMPLETE)) {
2363 ++ fq->flags |= INET_FRAG_COMPLETE;
2364 ++ atomic_dec(&fq->refcnt);
2365 + }
2366 ++ spin_unlock_bh(&fq->lock);
2367 +
2368 +- return hb;
2369 ++ inet_frag_put(fq);
2370 + }
2371 +
2372 +-static inline void fq_unlink(struct inet_frag_queue *fq, struct inet_frags *f)
2373 ++void inet_frags_exit_net(struct netns_frags *nf)
2374 + {
2375 +- struct inet_frag_bucket *hb;
2376 ++ nf->low_thresh = 0; /* prevent creation of new frags */
2377 +
2378 +- hb = get_frag_bucket_locked(fq, f);
2379 +- hlist_del(&fq->list);
2380 +- fq->flags |= INET_FRAG_COMPLETE;
2381 +- spin_unlock(&hb->chain_lock);
2382 ++ rhashtable_free_and_destroy(&nf->rhashtable, inet_frags_free_cb, NULL);
2383 + }
2384 ++EXPORT_SYMBOL(inet_frags_exit_net);
2385 +
2386 +-void inet_frag_kill(struct inet_frag_queue *fq, struct inet_frags *f)
2387 ++void inet_frag_kill(struct inet_frag_queue *fq)
2388 + {
2389 + if (del_timer(&fq->timer))
2390 + atomic_dec(&fq->refcnt);
2391 +
2392 + if (!(fq->flags & INET_FRAG_COMPLETE)) {
2393 +- fq_unlink(fq, f);
2394 ++ struct netns_frags *nf = fq->net;
2395 ++
2396 ++ fq->flags |= INET_FRAG_COMPLETE;
2397 ++ rhashtable_remove_fast(&nf->rhashtable, &fq->node, nf->f->rhash_params);
2398 + atomic_dec(&fq->refcnt);
2399 + }
2400 + }
2401 + EXPORT_SYMBOL(inet_frag_kill);
2402 +
2403 +-void inet_frag_destroy(struct inet_frag_queue *q, struct inet_frags *f)
2404 ++static void inet_frag_destroy_rcu(struct rcu_head *head)
2405 ++{
2406 ++ struct inet_frag_queue *q = container_of(head, struct inet_frag_queue,
2407 ++ rcu);
2408 ++ struct inet_frags *f = q->net->f;
2409 ++
2410 ++ if (f->destructor)
2411 ++ f->destructor(q);
2412 ++ kmem_cache_free(f->frags_cachep, q);
2413 ++}
2414 ++
2415 ++void inet_frag_destroy(struct inet_frag_queue *q)
2416 + {
2417 + struct sk_buff *fp;
2418 + struct netns_frags *nf;
2419 + unsigned int sum, sum_truesize = 0;
2420 ++ struct inet_frags *f;
2421 +
2422 + WARN_ON(!(q->flags & INET_FRAG_COMPLETE));
2423 + WARN_ON(del_timer(&q->timer) != 0);
2424 +@@ -298,64 +135,35 @@ void inet_frag_destroy(struct inet_frag_queue *q, struct inet_frags *f)
2425 + /* Release all fragment data. */
2426 + fp = q->fragments;
2427 + nf = q->net;
2428 +- while (fp) {
2429 +- struct sk_buff *xp = fp->next;
2430 +-
2431 +- sum_truesize += fp->truesize;
2432 +- kfree_skb(fp);
2433 +- fp = xp;
2434 ++ f = nf->f;
2435 ++ if (fp) {
2436 ++ do {
2437 ++ struct sk_buff *xp = fp->next;
2438 ++
2439 ++ sum_truesize += fp->truesize;
2440 ++ kfree_skb(fp);
2441 ++ fp = xp;
2442 ++ } while (fp);
2443 ++ } else {
2444 ++ sum_truesize = inet_frag_rbtree_purge(&q->rb_fragments);
2445 + }
2446 + sum = sum_truesize + f->qsize;
2447 +
2448 +- if (f->destructor)
2449 +- f->destructor(q);
2450 +- kmem_cache_free(f->frags_cachep, q);
2451 ++ call_rcu(&q->rcu, inet_frag_destroy_rcu);
2452 +
2453 + sub_frag_mem_limit(nf, sum);
2454 + }
2455 + EXPORT_SYMBOL(inet_frag_destroy);
2456 +
2457 +-static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
2458 +- struct inet_frag_queue *qp_in,
2459 +- struct inet_frags *f,
2460 +- void *arg)
2461 +-{
2462 +- struct inet_frag_bucket *hb = get_frag_bucket_locked(qp_in, f);
2463 +- struct inet_frag_queue *qp;
2464 +-
2465 +-#ifdef CONFIG_SMP
2466 +- /* With SMP race we have to recheck hash table, because
2467 +- * such entry could have been created on other cpu before
2468 +- * we acquired hash bucket lock.
2469 +- */
2470 +- hlist_for_each_entry(qp, &hb->chain, list) {
2471 +- if (qp->net == nf && f->match(qp, arg)) {
2472 +- atomic_inc(&qp->refcnt);
2473 +- spin_unlock(&hb->chain_lock);
2474 +- qp_in->flags |= INET_FRAG_COMPLETE;
2475 +- inet_frag_put(qp_in, f);
2476 +- return qp;
2477 +- }
2478 +- }
2479 +-#endif
2480 +- qp = qp_in;
2481 +- if (!mod_timer(&qp->timer, jiffies + nf->timeout))
2482 +- atomic_inc(&qp->refcnt);
2483 +-
2484 +- atomic_inc(&qp->refcnt);
2485 +- hlist_add_head(&qp->list, &hb->chain);
2486 +-
2487 +- spin_unlock(&hb->chain_lock);
2488 +-
2489 +- return qp;
2490 +-}
2491 +-
2492 + static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
2493 + struct inet_frags *f,
2494 + void *arg)
2495 + {
2496 + struct inet_frag_queue *q;
2497 +
2498 ++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh)
2499 ++ return NULL;
2500 ++
2501 + q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
2502 + if (!q)
2503 + return NULL;
2504 +@@ -366,75 +174,50 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
2505 +
2506 + setup_timer(&q->timer, f->frag_expire, (unsigned long)q);
2507 + spin_lock_init(&q->lock);
2508 +- atomic_set(&q->refcnt, 1);
2509 ++ atomic_set(&q->refcnt, 3);
2510 +
2511 + return q;
2512 + }
2513 +
2514 + static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf,
2515 +- struct inet_frags *f,
2516 + void *arg)
2517 + {
2518 ++ struct inet_frags *f = nf->f;
2519 + struct inet_frag_queue *q;
2520 ++ int err;
2521 +
2522 + q = inet_frag_alloc(nf, f, arg);
2523 + if (!q)
2524 + return NULL;
2525 +
2526 +- return inet_frag_intern(nf, q, f, arg);
2527 +-}
2528 ++ mod_timer(&q->timer, jiffies + nf->timeout);
2529 +
2530 +-struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
2531 +- struct inet_frags *f, void *key,
2532 +- unsigned int hash)
2533 +-{
2534 +- struct inet_frag_bucket *hb;
2535 +- struct inet_frag_queue *q;
2536 +- int depth = 0;
2537 +-
2538 +- if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
2539 +- inet_frag_schedule_worker(f);
2540 ++ err = rhashtable_insert_fast(&nf->rhashtable, &q->node,
2541 ++ f->rhash_params);
2542 ++ if (err < 0) {
2543 ++ q->flags |= INET_FRAG_COMPLETE;
2544 ++ inet_frag_kill(q);
2545 ++ inet_frag_destroy(q);
2546 + return NULL;
2547 + }
2548 +-
2549 +- if (frag_mem_limit(nf) > nf->low_thresh)
2550 +- inet_frag_schedule_worker(f);
2551 +-
2552 +- hash &= (INETFRAGS_HASHSZ - 1);
2553 +- hb = &f->hash[hash];
2554 +-
2555 +- spin_lock(&hb->chain_lock);
2556 +- hlist_for_each_entry(q, &hb->chain, list) {
2557 +- if (q->net == nf && f->match(q, key)) {
2558 +- atomic_inc(&q->refcnt);
2559 +- spin_unlock(&hb->chain_lock);
2560 +- return q;
2561 +- }
2562 +- depth++;
2563 +- }
2564 +- spin_unlock(&hb->chain_lock);
2565 +-
2566 +- if (depth <= INETFRAGS_MAXDEPTH)
2567 +- return inet_frag_create(nf, f, key);
2568 +-
2569 +- if (inet_frag_may_rebuild(f)) {
2570 +- if (!f->rebuild)
2571 +- f->rebuild = true;
2572 +- inet_frag_schedule_worker(f);
2573 +- }
2574 +-
2575 +- return ERR_PTR(-ENOBUFS);
2576 ++ return q;
2577 + }
2578 +-EXPORT_SYMBOL(inet_frag_find);
2579 ++EXPORT_SYMBOL(inet_frag_create);
2580 +
2581 +-void inet_frag_maybe_warn_overflow(struct inet_frag_queue *q,
2582 +- const char *prefix)
2583 ++/* TODO : call from rcu_read_lock() and no longer use refcount_inc_not_zero() */
2584 ++struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, void *key)
2585 + {
2586 +- static const char msg[] = "inet_frag_find: Fragment hash bucket"
2587 +- " list length grew over limit " __stringify(INETFRAGS_MAXDEPTH)
2588 +- ". Dropping fragment.\n";
2589 ++ struct inet_frag_queue *fq;
2590 +
2591 +- if (PTR_ERR(q) == -ENOBUFS)
2592 +- net_dbg_ratelimited("%s%s", prefix, msg);
2593 ++ rcu_read_lock();
2594 ++ fq = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params);
2595 ++ if (fq) {
2596 ++ if (!atomic_inc_not_zero(&fq->refcnt))
2597 ++ fq = NULL;
2598 ++ rcu_read_unlock();
2599 ++ return fq;
2600 ++ }
2601 ++ rcu_read_unlock();
2602 ++ return inet_frag_create(nf, key);
2603 + }
2604 +-EXPORT_SYMBOL(inet_frag_maybe_warn_overflow);
2605 ++EXPORT_SYMBOL(inet_frag_find);
2606 +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
2607 +index 752711cd4834..cc8c6ac84d08 100644
2608 +--- a/net/ipv4/ip_fragment.c
2609 ++++ b/net/ipv4/ip_fragment.c
2610 +@@ -56,27 +56,64 @@
2611 + */
2612 + static const char ip_frag_cache_name[] = "ip4-frags";
2613 +
2614 +-struct ipfrag_skb_cb
2615 +-{
2616 ++/* Use skb->cb to track consecutive/adjacent fragments coming at
2617 ++ * the end of the queue. Nodes in the rb-tree queue will
2618 ++ * contain "runs" of one or more adjacent fragments.
2619 ++ *
2620 ++ * Invariants:
2621 ++ * - next_frag is NULL at the tail of a "run";
2622 ++ * - the head of a "run" has the sum of all fragment lengths in frag_run_len.
2623 ++ */
2624 ++struct ipfrag_skb_cb {
2625 + struct inet_skb_parm h;
2626 +- int offset;
2627 ++ struct sk_buff *next_frag;
2628 ++ int frag_run_len;
2629 + };
2630 +
2631 +-#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb))
2632 ++#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb))
2633 ++
2634 ++static void ip4_frag_init_run(struct sk_buff *skb)
2635 ++{
2636 ++ BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb));
2637 ++
2638 ++ FRAG_CB(skb)->next_frag = NULL;
2639 ++ FRAG_CB(skb)->frag_run_len = skb->len;
2640 ++}
2641 ++
2642 ++/* Append skb to the last "run". */
2643 ++static void ip4_frag_append_to_last_run(struct inet_frag_queue *q,
2644 ++ struct sk_buff *skb)
2645 ++{
2646 ++ RB_CLEAR_NODE(&skb->rbnode);
2647 ++ FRAG_CB(skb)->next_frag = NULL;
2648 ++
2649 ++ FRAG_CB(q->last_run_head)->frag_run_len += skb->len;
2650 ++ FRAG_CB(q->fragments_tail)->next_frag = skb;
2651 ++ q->fragments_tail = skb;
2652 ++}
2653 ++
2654 ++/* Create a new "run" with the skb. */
2655 ++static void ip4_frag_create_run(struct inet_frag_queue *q, struct sk_buff *skb)
2656 ++{
2657 ++ if (q->last_run_head)
2658 ++ rb_link_node(&skb->rbnode, &q->last_run_head->rbnode,
2659 ++ &q->last_run_head->rbnode.rb_right);
2660 ++ else
2661 ++ rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node);
2662 ++ rb_insert_color(&skb->rbnode, &q->rb_fragments);
2663 ++
2664 ++ ip4_frag_init_run(skb);
2665 ++ q->fragments_tail = skb;
2666 ++ q->last_run_head = skb;
2667 ++}
2668 +
2669 + /* Describe an entry in the "incomplete datagrams" queue. */
2670 + struct ipq {
2671 + struct inet_frag_queue q;
2672 +
2673 +- u32 user;
2674 +- __be32 saddr;
2675 +- __be32 daddr;
2676 +- __be16 id;
2677 +- u8 protocol;
2678 + u8 ecn; /* RFC3168 support */
2679 + u16 max_df_size; /* largest frag with DF set seen */
2680 + int iif;
2681 +- int vif; /* L3 master device index */
2682 + unsigned int rid;
2683 + struct inet_peer *peer;
2684 + };
2685 +@@ -88,49 +125,9 @@ static u8 ip4_frag_ecn(u8 tos)
2686 +
2687 + static struct inet_frags ip4_frags;
2688 +
2689 +-int ip_frag_mem(struct net *net)
2690 +-{
2691 +- return sum_frag_mem_limit(&net->ipv4.frags);
2692 +-}
2693 +-
2694 +-static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
2695 +- struct net_device *dev);
2696 +-
2697 +-struct ip4_create_arg {
2698 +- struct iphdr *iph;
2699 +- u32 user;
2700 +- int vif;
2701 +-};
2702 ++static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
2703 ++ struct sk_buff *prev_tail, struct net_device *dev);
2704 +
2705 +-static unsigned int ipqhashfn(__be16 id, __be32 saddr, __be32 daddr, u8 prot)
2706 +-{
2707 +- net_get_random_once(&ip4_frags.rnd, sizeof(ip4_frags.rnd));
2708 +- return jhash_3words((__force u32)id << 16 | prot,
2709 +- (__force u32)saddr, (__force u32)daddr,
2710 +- ip4_frags.rnd);
2711 +-}
2712 +-
2713 +-static unsigned int ip4_hashfn(const struct inet_frag_queue *q)
2714 +-{
2715 +- const struct ipq *ipq;
2716 +-
2717 +- ipq = container_of(q, struct ipq, q);
2718 +- return ipqhashfn(ipq->id, ipq->saddr, ipq->daddr, ipq->protocol);
2719 +-}
2720 +-
2721 +-static bool ip4_frag_match(const struct inet_frag_queue *q, const void *a)
2722 +-{
2723 +- const struct ipq *qp;
2724 +- const struct ip4_create_arg *arg = a;
2725 +-
2726 +- qp = container_of(q, struct ipq, q);
2727 +- return qp->id == arg->iph->id &&
2728 +- qp->saddr == arg->iph->saddr &&
2729 +- qp->daddr == arg->iph->daddr &&
2730 +- qp->protocol == arg->iph->protocol &&
2731 +- qp->user == arg->user &&
2732 +- qp->vif == arg->vif;
2733 +-}
2734 +
2735 + static void ip4_frag_init(struct inet_frag_queue *q, const void *a)
2736 + {
2737 +@@ -139,17 +136,12 @@ static void ip4_frag_init(struct inet_frag_queue *q, const void *a)
2738 + frags);
2739 + struct net *net = container_of(ipv4, struct net, ipv4);
2740 +
2741 +- const struct ip4_create_arg *arg = a;
2742 ++ const struct frag_v4_compare_key *key = a;
2743 +
2744 +- qp->protocol = arg->iph->protocol;
2745 +- qp->id = arg->iph->id;
2746 +- qp->ecn = ip4_frag_ecn(arg->iph->tos);
2747 +- qp->saddr = arg->iph->saddr;
2748 +- qp->daddr = arg->iph->daddr;
2749 +- qp->vif = arg->vif;
2750 +- qp->user = arg->user;
2751 ++ q->key.v4 = *key;
2752 ++ qp->ecn = 0;
2753 + qp->peer = q->net->max_dist ?
2754 +- inet_getpeer_v4(net->ipv4.peers, arg->iph->saddr, arg->vif, 1) :
2755 ++ inet_getpeer_v4(net->ipv4.peers, key->saddr, key->vif, 1) :
2756 + NULL;
2757 + }
2758 +
2759 +@@ -167,7 +159,7 @@ static void ip4_frag_free(struct inet_frag_queue *q)
2760 +
2761 + static void ipq_put(struct ipq *ipq)
2762 + {
2763 +- inet_frag_put(&ipq->q, &ip4_frags);
2764 ++ inet_frag_put(&ipq->q);
2765 + }
2766 +
2767 + /* Kill ipq entry. It is not destroyed immediately,
2768 +@@ -175,7 +167,7 @@ static void ipq_put(struct ipq *ipq)
2769 + */
2770 + static void ipq_kill(struct ipq *ipq)
2771 + {
2772 +- inet_frag_kill(&ipq->q, &ip4_frags);
2773 ++ inet_frag_kill(&ipq->q);
2774 + }
2775 +
2776 + static bool frag_expire_skip_icmp(u32 user)
2777 +@@ -192,8 +184,11 @@ static bool frag_expire_skip_icmp(u32 user)
2778 + */
2779 + static void ip_expire(unsigned long arg)
2780 + {
2781 +- struct ipq *qp;
2782 ++ const struct iphdr *iph;
2783 ++ struct sk_buff *head = NULL;
2784 + struct net *net;
2785 ++ struct ipq *qp;
2786 ++ int err;
2787 +
2788 + qp = container_of((struct inet_frag_queue *) arg, struct ipq, q);
2789 + net = container_of(qp->q.net, struct net, ipv4.frags);
2790 +@@ -206,51 +201,65 @@ static void ip_expire(unsigned long arg)
2791 +
2792 + ipq_kill(qp);
2793 + __IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS);
2794 ++ __IP_INC_STATS(net, IPSTATS_MIB_REASMTIMEOUT);
2795 +
2796 +- if (!inet_frag_evicting(&qp->q)) {
2797 +- struct sk_buff *clone, *head = qp->q.fragments;
2798 +- const struct iphdr *iph;
2799 +- int err;
2800 +-
2801 +- __IP_INC_STATS(net, IPSTATS_MIB_REASMTIMEOUT);
2802 ++ if (!(qp->q.flags & INET_FRAG_FIRST_IN))
2803 ++ goto out;
2804 +
2805 +- if (!(qp->q.flags & INET_FRAG_FIRST_IN) || !qp->q.fragments)
2806 ++ /* sk_buff::dev and sk_buff::rbnode are unionized. So we
2807 ++ * pull the head out of the tree in order to be able to
2808 ++ * deal with head->dev.
2809 ++ */
2810 ++ if (qp->q.fragments) {
2811 ++ head = qp->q.fragments;
2812 ++ qp->q.fragments = head->next;
2813 ++ } else {
2814 ++ head = skb_rb_first(&qp->q.rb_fragments);
2815 ++ if (!head)
2816 + goto out;
2817 ++ if (FRAG_CB(head)->next_frag)
2818 ++ rb_replace_node(&head->rbnode,
2819 ++ &FRAG_CB(head)->next_frag->rbnode,
2820 ++ &qp->q.rb_fragments);
2821 ++ else
2822 ++ rb_erase(&head->rbnode, &qp->q.rb_fragments);
2823 ++ memset(&head->rbnode, 0, sizeof(head->rbnode));
2824 ++ barrier();
2825 ++ }
2826 ++ if (head == qp->q.fragments_tail)
2827 ++ qp->q.fragments_tail = NULL;
2828 +
2829 +- head->dev = dev_get_by_index_rcu(net, qp->iif);
2830 +- if (!head->dev)
2831 +- goto out;
2832 ++ sub_frag_mem_limit(qp->q.net, head->truesize);
2833 ++
2834 ++ head->dev = dev_get_by_index_rcu(net, qp->iif);
2835 ++ if (!head->dev)
2836 ++ goto out;
2837 +
2838 +
2839 +- /* skb has no dst, perform route lookup again */
2840 +- iph = ip_hdr(head);
2841 +- err = ip_route_input_noref(head, iph->daddr, iph->saddr,
2842 ++ /* skb has no dst, perform route lookup again */
2843 ++ iph = ip_hdr(head);
2844 ++ err = ip_route_input_noref(head, iph->daddr, iph->saddr,
2845 + iph->tos, head->dev);
2846 +- if (err)
2847 +- goto out;
2848 ++ if (err)
2849 ++ goto out;
2850 +
2851 +- /* Only an end host needs to send an ICMP
2852 +- * "Fragment Reassembly Timeout" message, per RFC792.
2853 +- */
2854 +- if (frag_expire_skip_icmp(qp->user) &&
2855 +- (skb_rtable(head)->rt_type != RTN_LOCAL))
2856 +- goto out;
2857 ++ /* Only an end host needs to send an ICMP
2858 ++ * "Fragment Reassembly Timeout" message, per RFC792.
2859 ++ */
2860 ++ if (frag_expire_skip_icmp(qp->q.key.v4.user) &&
2861 ++ (skb_rtable(head)->rt_type != RTN_LOCAL))
2862 ++ goto out;
2863 +
2864 +- clone = skb_clone(head, GFP_ATOMIC);
2865 ++ spin_unlock(&qp->q.lock);
2866 ++ icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
2867 ++ goto out_rcu_unlock;
2868 +
2869 +- /* Send an ICMP "Fragment Reassembly Timeout" message. */
2870 +- if (clone) {
2871 +- spin_unlock(&qp->q.lock);
2872 +- icmp_send(clone, ICMP_TIME_EXCEEDED,
2873 +- ICMP_EXC_FRAGTIME, 0);
2874 +- consume_skb(clone);
2875 +- goto out_rcu_unlock;
2876 +- }
2877 +- }
2878 + out:
2879 + spin_unlock(&qp->q.lock);
2880 + out_rcu_unlock:
2881 + rcu_read_unlock();
2882 ++ if (head)
2883 ++ kfree_skb(head);
2884 + ipq_put(qp);
2885 + }
2886 +
2887 +@@ -260,21 +269,20 @@ out_rcu_unlock:
2888 + static struct ipq *ip_find(struct net *net, struct iphdr *iph,
2889 + u32 user, int vif)
2890 + {
2891 ++ struct frag_v4_compare_key key = {
2892 ++ .saddr = iph->saddr,
2893 ++ .daddr = iph->daddr,
2894 ++ .user = user,
2895 ++ .vif = vif,
2896 ++ .id = iph->id,
2897 ++ .protocol = iph->protocol,
2898 ++ };
2899 + struct inet_frag_queue *q;
2900 +- struct ip4_create_arg arg;
2901 +- unsigned int hash;
2902 +-
2903 +- arg.iph = iph;
2904 +- arg.user = user;
2905 +- arg.vif = vif;
2906 +
2907 +- hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol);
2908 +-
2909 +- q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash);
2910 +- if (IS_ERR_OR_NULL(q)) {
2911 +- inet_frag_maybe_warn_overflow(q, pr_fmt());
2912 ++ q = inet_frag_find(&net->ipv4.frags, &key);
2913 ++ if (!q)
2914 + return NULL;
2915 +- }
2916 ++
2917 + return container_of(q, struct ipq, q);
2918 + }
2919 +
2920 +@@ -294,7 +302,7 @@ static int ip_frag_too_far(struct ipq *qp)
2921 + end = atomic_inc_return(&peer->rid);
2922 + qp->rid = end;
2923 +
2924 +- rc = qp->q.fragments && (end - start) > max;
2925 ++ rc = qp->q.fragments_tail && (end - start) > max;
2926 +
2927 + if (rc) {
2928 + struct net *net;
2929 +@@ -308,7 +316,6 @@ static int ip_frag_too_far(struct ipq *qp)
2930 +
2931 + static int ip_frag_reinit(struct ipq *qp)
2932 + {
2933 +- struct sk_buff *fp;
2934 + unsigned int sum_truesize = 0;
2935 +
2936 + if (!mod_timer(&qp->q.timer, jiffies + qp->q.net->timeout)) {
2937 +@@ -316,21 +323,16 @@ static int ip_frag_reinit(struct ipq *qp)
2938 + return -ETIMEDOUT;
2939 + }
2940 +
2941 +- fp = qp->q.fragments;
2942 +- do {
2943 +- struct sk_buff *xp = fp->next;
2944 +-
2945 +- sum_truesize += fp->truesize;
2946 +- kfree_skb(fp);
2947 +- fp = xp;
2948 +- } while (fp);
2949 ++ sum_truesize = inet_frag_rbtree_purge(&qp->q.rb_fragments);
2950 + sub_frag_mem_limit(qp->q.net, sum_truesize);
2951 +
2952 + qp->q.flags = 0;
2953 + qp->q.len = 0;
2954 + qp->q.meat = 0;
2955 + qp->q.fragments = NULL;
2956 ++ qp->q.rb_fragments = RB_ROOT;
2957 + qp->q.fragments_tail = NULL;
2958 ++ qp->q.last_run_head = NULL;
2959 + qp->iif = 0;
2960 + qp->ecn = 0;
2961 +
2962 +@@ -340,7 +342,9 @@ static int ip_frag_reinit(struct ipq *qp)
2963 + /* Add new segment to existing queue. */
2964 + static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
2965 + {
2966 +- struct sk_buff *prev, *next;
2967 ++ struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
2968 ++ struct rb_node **rbn, *parent;
2969 ++ struct sk_buff *skb1, *prev_tail;
2970 + struct net_device *dev;
2971 + unsigned int fragsize;
2972 + int flags, offset;
2973 +@@ -403,99 +407,61 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
2974 + if (err)
2975 + goto err;
2976 +
2977 +- /* Find out which fragments are in front and at the back of us
2978 +- * in the chain of fragments so far. We must know where to put
2979 +- * this fragment, right?
2980 +- */
2981 +- prev = qp->q.fragments_tail;
2982 +- if (!prev || FRAG_CB(prev)->offset < offset) {
2983 +- next = NULL;
2984 +- goto found;
2985 +- }
2986 +- prev = NULL;
2987 +- for (next = qp->q.fragments; next != NULL; next = next->next) {
2988 +- if (FRAG_CB(next)->offset >= offset)
2989 +- break; /* bingo! */
2990 +- prev = next;
2991 +- }
2992 +-
2993 +-found:
2994 +- /* We found where to put this one. Check for overlap with
2995 +- * preceding fragment, and, if needed, align things so that
2996 +- * any overlaps are eliminated.
2997 ++ /* Note : skb->rbnode and skb->dev share the same location. */
2998 ++ dev = skb->dev;
2999 ++ /* Makes sure compiler wont do silly aliasing games */
3000 ++ barrier();
3001 ++
3002 ++ /* RFC5722, Section 4, amended by Errata ID : 3089
3003 ++ * When reassembling an IPv6 datagram, if
3004 ++ * one or more its constituent fragments is determined to be an
3005 ++ * overlapping fragment, the entire datagram (and any constituent
3006 ++ * fragments) MUST be silently discarded.
3007 ++ *
3008 ++ * We do the same here for IPv4 (and increment an snmp counter).
3009 + */
3010 +- if (prev) {
3011 +- int i = (FRAG_CB(prev)->offset + prev->len) - offset;
3012 +
3013 +- if (i > 0) {
3014 +- offset += i;
3015 +- err = -EINVAL;
3016 +- if (end <= offset)
3017 +- goto err;
3018 +- err = -ENOMEM;
3019 +- if (!pskb_pull(skb, i))
3020 +- goto err;
3021 +- if (skb->ip_summed != CHECKSUM_UNNECESSARY)
3022 +- skb->ip_summed = CHECKSUM_NONE;
3023 +- }
3024 +- }
3025 +-
3026 +- err = -ENOMEM;
3027 +-
3028 +- while (next && FRAG_CB(next)->offset < end) {
3029 +- int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
3030 +-
3031 +- if (i < next->len) {
3032 +- int delta = -next->truesize;
3033 +-
3034 +- /* Eat head of the next overlapped fragment
3035 +- * and leave the loop. The next ones cannot overlap.
3036 +- */
3037 +- if (!pskb_pull(next, i))
3038 +- goto err;
3039 +- delta += next->truesize;
3040 +- if (delta)
3041 +- add_frag_mem_limit(qp->q.net, delta);
3042 +- FRAG_CB(next)->offset += i;
3043 +- qp->q.meat -= i;
3044 +- if (next->ip_summed != CHECKSUM_UNNECESSARY)
3045 +- next->ip_summed = CHECKSUM_NONE;
3046 +- break;
3047 +- } else {
3048 +- struct sk_buff *free_it = next;
3049 +-
3050 +- /* Old fragment is completely overridden with
3051 +- * new one drop it.
3052 +- */
3053 +- next = next->next;
3054 +-
3055 +- if (prev)
3056 +- prev->next = next;
3057 +- else
3058 +- qp->q.fragments = next;
3059 +-
3060 +- qp->q.meat -= free_it->len;
3061 +- sub_frag_mem_limit(qp->q.net, free_it->truesize);
3062 +- kfree_skb(free_it);
3063 +- }
3064 ++ /* Find out where to put this fragment. */
3065 ++ prev_tail = qp->q.fragments_tail;
3066 ++ if (!prev_tail)
3067 ++ ip4_frag_create_run(&qp->q, skb); /* First fragment. */
3068 ++ else if (prev_tail->ip_defrag_offset + prev_tail->len < end) {
3069 ++ /* This is the common case: skb goes to the end. */
3070 ++ /* Detect and discard overlaps. */
3071 ++ if (offset < prev_tail->ip_defrag_offset + prev_tail->len)
3072 ++ goto discard_qp;
3073 ++ if (offset == prev_tail->ip_defrag_offset + prev_tail->len)
3074 ++ ip4_frag_append_to_last_run(&qp->q, skb);
3075 ++ else
3076 ++ ip4_frag_create_run(&qp->q, skb);
3077 ++ } else {
3078 ++ /* Binary search. Note that skb can become the first fragment,
3079 ++ * but not the last (covered above).
3080 ++ */
3081 ++ rbn = &qp->q.rb_fragments.rb_node;
3082 ++ do {
3083 ++ parent = *rbn;
3084 ++ skb1 = rb_to_skb(parent);
3085 ++ if (end <= skb1->ip_defrag_offset)
3086 ++ rbn = &parent->rb_left;
3087 ++ else if (offset >= skb1->ip_defrag_offset +
3088 ++ FRAG_CB(skb1)->frag_run_len)
3089 ++ rbn = &parent->rb_right;
3090 ++ else /* Found an overlap with skb1. */
3091 ++ goto discard_qp;
3092 ++ } while (*rbn);
3093 ++ /* Here we have parent properly set, and rbn pointing to
3094 ++ * one of its NULL left/right children. Insert skb.
3095 ++ */
3096 ++ ip4_frag_init_run(skb);
3097 ++ rb_link_node(&skb->rbnode, parent, rbn);
3098 ++ rb_insert_color(&skb->rbnode, &qp->q.rb_fragments);
3099 + }
3100 +
3101 +- FRAG_CB(skb)->offset = offset;
3102 +-
3103 +- /* Insert this fragment in the chain of fragments. */
3104 +- skb->next = next;
3105 +- if (!next)
3106 +- qp->q.fragments_tail = skb;
3107 +- if (prev)
3108 +- prev->next = skb;
3109 +- else
3110 +- qp->q.fragments = skb;
3111 +-
3112 +- dev = skb->dev;
3113 +- if (dev) {
3114 ++ if (dev)
3115 + qp->iif = dev->ifindex;
3116 +- skb->dev = NULL;
3117 +- }
3118 ++ skb->ip_defrag_offset = offset;
3119 ++
3120 + qp->q.stamp = skb->tstamp;
3121 + qp->q.meat += skb->len;
3122 + qp->ecn |= ecn;
3123 +@@ -517,7 +483,7 @@ found:
3124 + unsigned long orefdst = skb->_skb_refdst;
3125 +
3126 + skb->_skb_refdst = 0UL;
3127 +- err = ip_frag_reasm(qp, prev, dev);
3128 ++ err = ip_frag_reasm(qp, skb, prev_tail, dev);
3129 + skb->_skb_refdst = orefdst;
3130 + return err;
3131 + }
3132 +@@ -525,20 +491,24 @@ found:
3133 + skb_dst_drop(skb);
3134 + return -EINPROGRESS;
3135 +
3136 ++discard_qp:
3137 ++ inet_frag_kill(&qp->q);
3138 ++ err = -EINVAL;
3139 ++ __IP_INC_STATS(net, IPSTATS_MIB_REASM_OVERLAPS);
3140 + err:
3141 + kfree_skb(skb);
3142 + return err;
3143 + }
3144 +
3145 +-
3146 + /* Build a new IP datagram from all its fragments. */
3147 +-
3148 +-static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
3149 +- struct net_device *dev)
3150 ++static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
3151 ++ struct sk_buff *prev_tail, struct net_device *dev)
3152 + {
3153 + struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
3154 + struct iphdr *iph;
3155 +- struct sk_buff *fp, *head = qp->q.fragments;
3156 ++ struct sk_buff *fp, *head = skb_rb_first(&qp->q.rb_fragments);
3157 ++ struct sk_buff **nextp; /* To build frag_list. */
3158 ++ struct rb_node *rbn;
3159 + int len;
3160 + int ihlen;
3161 + int err;
3162 +@@ -552,26 +522,27 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
3163 + goto out_fail;
3164 + }
3165 + /* Make the one we just received the head. */
3166 +- if (prev) {
3167 +- head = prev->next;
3168 +- fp = skb_clone(head, GFP_ATOMIC);
3169 ++ if (head != skb) {
3170 ++ fp = skb_clone(skb, GFP_ATOMIC);
3171 + if (!fp)
3172 + goto out_nomem;
3173 +-
3174 +- fp->next = head->next;
3175 +- if (!fp->next)
3176 ++ FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag;
3177 ++ if (RB_EMPTY_NODE(&skb->rbnode))
3178 ++ FRAG_CB(prev_tail)->next_frag = fp;
3179 ++ else
3180 ++ rb_replace_node(&skb->rbnode, &fp->rbnode,
3181 ++ &qp->q.rb_fragments);
3182 ++ if (qp->q.fragments_tail == skb)
3183 + qp->q.fragments_tail = fp;
3184 +- prev->next = fp;
3185 +-
3186 +- skb_morph(head, qp->q.fragments);
3187 +- head->next = qp->q.fragments->next;
3188 +-
3189 +- consume_skb(qp->q.fragments);
3190 +- qp->q.fragments = head;
3191 ++ skb_morph(skb, head);
3192 ++ FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag;
3193 ++ rb_replace_node(&head->rbnode, &skb->rbnode,
3194 ++ &qp->q.rb_fragments);
3195 ++ consume_skb(head);
3196 ++ head = skb;
3197 + }
3198 +
3199 +- WARN_ON(!head);
3200 +- WARN_ON(FRAG_CB(head)->offset != 0);
3201 ++ WARN_ON(head->ip_defrag_offset != 0);
3202 +
3203 + /* Allocate a new buffer for the datagram. */
3204 + ihlen = ip_hdrlen(head);
3205 +@@ -595,35 +566,61 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
3206 + clone = alloc_skb(0, GFP_ATOMIC);
3207 + if (!clone)
3208 + goto out_nomem;
3209 +- clone->next = head->next;
3210 +- head->next = clone;
3211 + skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list;
3212 + skb_frag_list_init(head);
3213 + for (i = 0; i < skb_shinfo(head)->nr_frags; i++)
3214 + plen += skb_frag_size(&skb_shinfo(head)->frags[i]);
3215 + clone->len = clone->data_len = head->data_len - plen;
3216 +- head->data_len -= clone->len;
3217 +- head->len -= clone->len;
3218 ++ head->truesize += clone->truesize;
3219 + clone->csum = 0;
3220 + clone->ip_summed = head->ip_summed;
3221 + add_frag_mem_limit(qp->q.net, clone->truesize);
3222 ++ skb_shinfo(head)->frag_list = clone;
3223 ++ nextp = &clone->next;
3224 ++ } else {
3225 ++ nextp = &skb_shinfo(head)->frag_list;
3226 + }
3227 +
3228 +- skb_shinfo(head)->frag_list = head->next;
3229 + skb_push(head, head->data - skb_network_header(head));
3230 +
3231 +- for (fp=head->next; fp; fp = fp->next) {
3232 +- head->data_len += fp->len;
3233 +- head->len += fp->len;
3234 +- if (head->ip_summed != fp->ip_summed)
3235 +- head->ip_summed = CHECKSUM_NONE;
3236 +- else if (head->ip_summed == CHECKSUM_COMPLETE)
3237 +- head->csum = csum_add(head->csum, fp->csum);
3238 +- head->truesize += fp->truesize;
3239 ++ /* Traverse the tree in order, to build frag_list. */
3240 ++ fp = FRAG_CB(head)->next_frag;
3241 ++ rbn = rb_next(&head->rbnode);
3242 ++ rb_erase(&head->rbnode, &qp->q.rb_fragments);
3243 ++ while (rbn || fp) {
3244 ++ /* fp points to the next sk_buff in the current run;
3245 ++ * rbn points to the next run.
3246 ++ */
3247 ++ /* Go through the current run. */
3248 ++ while (fp) {
3249 ++ *nextp = fp;
3250 ++ nextp = &fp->next;
3251 ++ fp->prev = NULL;
3252 ++ memset(&fp->rbnode, 0, sizeof(fp->rbnode));
3253 ++ fp->sk = NULL;
3254 ++ head->data_len += fp->len;
3255 ++ head->len += fp->len;
3256 ++ if (head->ip_summed != fp->ip_summed)
3257 ++ head->ip_summed = CHECKSUM_NONE;
3258 ++ else if (head->ip_summed == CHECKSUM_COMPLETE)
3259 ++ head->csum = csum_add(head->csum, fp->csum);
3260 ++ head->truesize += fp->truesize;
3261 ++ fp = FRAG_CB(fp)->next_frag;
3262 ++ }
3263 ++ /* Move to the next run. */
3264 ++ if (rbn) {
3265 ++ struct rb_node *rbnext = rb_next(rbn);
3266 ++
3267 ++ fp = rb_to_skb(rbn);
3268 ++ rb_erase(rbn, &qp->q.rb_fragments);
3269 ++ rbn = rbnext;
3270 ++ }
3271 + }
3272 + sub_frag_mem_limit(qp->q.net, head->truesize);
3273 +
3274 ++ *nextp = NULL;
3275 + head->next = NULL;
3276 ++ head->prev = NULL;
3277 + head->dev = dev;
3278 + head->tstamp = qp->q.stamp;
3279 + IPCB(head)->frag_max_size = max(qp->max_df_size, qp->q.max_size);
3280 +@@ -651,7 +648,9 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
3281 +
3282 + __IP_INC_STATS(net, IPSTATS_MIB_REASMOKS);
3283 + qp->q.fragments = NULL;
3284 ++ qp->q.rb_fragments = RB_ROOT;
3285 + qp->q.fragments_tail = NULL;
3286 ++ qp->q.last_run_head = NULL;
3287 + return 0;
3288 +
3289 + out_nomem:
3290 +@@ -659,7 +658,7 @@ out_nomem:
3291 + err = -ENOMEM;
3292 + goto out_fail;
3293 + out_oversize:
3294 +- net_info_ratelimited("Oversized IP packet from %pI4\n", &qp->saddr);
3295 ++ net_info_ratelimited("Oversized IP packet from %pI4\n", &qp->q.key.v4.saddr);
3296 + out_fail:
3297 + __IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS);
3298 + return err;
3299 +@@ -733,25 +732,46 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user)
3300 + }
3301 + EXPORT_SYMBOL(ip_check_defrag);
3302 +
3303 ++unsigned int inet_frag_rbtree_purge(struct rb_root *root)
3304 ++{
3305 ++ struct rb_node *p = rb_first(root);
3306 ++ unsigned int sum = 0;
3307 ++
3308 ++ while (p) {
3309 ++ struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
3310 ++
3311 ++ p = rb_next(p);
3312 ++ rb_erase(&skb->rbnode, root);
3313 ++ while (skb) {
3314 ++ struct sk_buff *next = FRAG_CB(skb)->next_frag;
3315 ++
3316 ++ sum += skb->truesize;
3317 ++ kfree_skb(skb);
3318 ++ skb = next;
3319 ++ }
3320 ++ }
3321 ++ return sum;
3322 ++}
3323 ++EXPORT_SYMBOL(inet_frag_rbtree_purge);
3324 ++
3325 + #ifdef CONFIG_SYSCTL
3326 +-static int zero;
3327 ++static int dist_min;
3328 +
3329 + static struct ctl_table ip4_frags_ns_ctl_table[] = {
3330 + {
3331 + .procname = "ipfrag_high_thresh",
3332 + .data = &init_net.ipv4.frags.high_thresh,
3333 +- .maxlen = sizeof(int),
3334 ++ .maxlen = sizeof(unsigned long),
3335 + .mode = 0644,
3336 +- .proc_handler = proc_dointvec_minmax,
3337 ++ .proc_handler = proc_doulongvec_minmax,
3338 + .extra1 = &init_net.ipv4.frags.low_thresh
3339 + },
3340 + {
3341 + .procname = "ipfrag_low_thresh",
3342 + .data = &init_net.ipv4.frags.low_thresh,
3343 +- .maxlen = sizeof(int),
3344 ++ .maxlen = sizeof(unsigned long),
3345 + .mode = 0644,
3346 +- .proc_handler = proc_dointvec_minmax,
3347 +- .extra1 = &zero,
3348 ++ .proc_handler = proc_doulongvec_minmax,
3349 + .extra2 = &init_net.ipv4.frags.high_thresh
3350 + },
3351 + {
3352 +@@ -767,7 +787,7 @@ static struct ctl_table ip4_frags_ns_ctl_table[] = {
3353 + .maxlen = sizeof(int),
3354 + .mode = 0644,
3355 + .proc_handler = proc_dointvec_minmax,
3356 +- .extra1 = &zero
3357 ++ .extra1 = &dist_min,
3358 + },
3359 + { }
3360 + };
3361 +@@ -849,6 +869,8 @@ static void __init ip4_frags_ctl_register(void)
3362 +
3363 + static int __net_init ipv4_frags_init_net(struct net *net)
3364 + {
3365 ++ int res;
3366 ++
3367 + /* Fragment cache limits.
3368 + *
3369 + * The fragment memory accounting code, (tries to) account for
3370 +@@ -873,16 +895,21 @@ static int __net_init ipv4_frags_init_net(struct net *net)
3371 + net->ipv4.frags.timeout = IP_FRAG_TIME;
3372 +
3373 + net->ipv4.frags.max_dist = 64;
3374 +-
3375 +- inet_frags_init_net(&net->ipv4.frags);
3376 +-
3377 +- return ip4_frags_ns_ctl_register(net);
3378 ++ net->ipv4.frags.f = &ip4_frags;
3379 ++
3380 ++ res = inet_frags_init_net(&net->ipv4.frags);
3381 ++ if (res < 0)
3382 ++ return res;
3383 ++ res = ip4_frags_ns_ctl_register(net);
3384 ++ if (res < 0)
3385 ++ inet_frags_exit_net(&net->ipv4.frags);
3386 ++ return res;
3387 + }
3388 +
3389 + static void __net_exit ipv4_frags_exit_net(struct net *net)
3390 + {
3391 + ip4_frags_ns_ctl_unregister(net);
3392 +- inet_frags_exit_net(&net->ipv4.frags, &ip4_frags);
3393 ++ inet_frags_exit_net(&net->ipv4.frags);
3394 + }
3395 +
3396 + static struct pernet_operations ip4_frags_ops = {
3397 +@@ -890,17 +917,49 @@ static struct pernet_operations ip4_frags_ops = {
3398 + .exit = ipv4_frags_exit_net,
3399 + };
3400 +
3401 ++
3402 ++static u32 ip4_key_hashfn(const void *data, u32 len, u32 seed)
3403 ++{
3404 ++ return jhash2(data,
3405 ++ sizeof(struct frag_v4_compare_key) / sizeof(u32), seed);
3406 ++}
3407 ++
3408 ++static u32 ip4_obj_hashfn(const void *data, u32 len, u32 seed)
3409 ++{
3410 ++ const struct inet_frag_queue *fq = data;
3411 ++
3412 ++ return jhash2((const u32 *)&fq->key.v4,
3413 ++ sizeof(struct frag_v4_compare_key) / sizeof(u32), seed);
3414 ++}
3415 ++
3416 ++static int ip4_obj_cmpfn(struct rhashtable_compare_arg *arg, const void *ptr)
3417 ++{
3418 ++ const struct frag_v4_compare_key *key = arg->key;
3419 ++ const struct inet_frag_queue *fq = ptr;
3420 ++
3421 ++ return !!memcmp(&fq->key, key, sizeof(*key));
3422 ++}
3423 ++
3424 ++static const struct rhashtable_params ip4_rhash_params = {
3425 ++ .head_offset = offsetof(struct inet_frag_queue, node),
3426 ++ .key_offset = offsetof(struct inet_frag_queue, key),
3427 ++ .key_len = sizeof(struct frag_v4_compare_key),
3428 ++ .hashfn = ip4_key_hashfn,
3429 ++ .obj_hashfn = ip4_obj_hashfn,
3430 ++ .obj_cmpfn = ip4_obj_cmpfn,
3431 ++ .automatic_shrinking = true,
3432 ++};
3433 ++
3434 + void __init ipfrag_init(void)
3435 + {
3436 +- ip4_frags_ctl_register();
3437 +- register_pernet_subsys(&ip4_frags_ops);
3438 +- ip4_frags.hashfn = ip4_hashfn;
3439 + ip4_frags.constructor = ip4_frag_init;
3440 + ip4_frags.destructor = ip4_frag_free;
3441 + ip4_frags.qsize = sizeof(struct ipq);
3442 +- ip4_frags.match = ip4_frag_match;
3443 + ip4_frags.frag_expire = ip_expire;
3444 + ip4_frags.frags_cache_name = ip_frag_cache_name;
3445 ++ ip4_frags.rhash_params = ip4_rhash_params;
3446 + if (inet_frags_init(&ip4_frags))
3447 + panic("IP: failed to allocate ip4_frags cache\n");
3448 ++ ip4_frags_ctl_register();
3449 ++ register_pernet_subsys(&ip4_frags_ops);
3450 + }
3451 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
3452 +index b21e435f428c..a5851c0bc278 100644
3453 +--- a/net/ipv4/ip_sockglue.c
3454 ++++ b/net/ipv4/ip_sockglue.c
3455 +@@ -134,7 +134,6 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
3456 + static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
3457 + {
3458 + struct sockaddr_in sin;
3459 +- const struct iphdr *iph = ip_hdr(skb);
3460 + __be16 *ports;
3461 + int end;
3462 +
3463 +@@ -149,7 +148,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
3464 + ports = (__be16 *)skb_transport_header(skb);
3465 +
3466 + sin.sin_family = AF_INET;
3467 +- sin.sin_addr.s_addr = iph->daddr;
3468 ++ sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
3469 + sin.sin_port = ports[1];
3470 + memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
3471 +
3472 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
3473 +index e1271e75e107..d8d99c21a9c1 100644
3474 +--- a/net/ipv4/ip_tunnel.c
3475 ++++ b/net/ipv4/ip_tunnel.c
3476 +@@ -627,6 +627,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
3477 + const struct iphdr *tnl_params, u8 protocol)
3478 + {
3479 + struct ip_tunnel *tunnel = netdev_priv(dev);
3480 ++ unsigned int inner_nhdr_len = 0;
3481 + const struct iphdr *inner_iph;
3482 + struct flowi4 fl4;
3483 + u8 tos, ttl;
3484 +@@ -636,6 +637,14 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
3485 + __be32 dst;
3486 + bool connected;
3487 +
3488 ++ /* ensure we can access the inner net header, for several users below */
3489 ++ if (skb->protocol == htons(ETH_P_IP))
3490 ++ inner_nhdr_len = sizeof(struct iphdr);
3491 ++ else if (skb->protocol == htons(ETH_P_IPV6))
3492 ++ inner_nhdr_len = sizeof(struct ipv6hdr);
3493 ++ if (unlikely(!pskb_may_pull(skb, inner_nhdr_len)))
3494 ++ goto tx_error;
3495 ++
3496 + inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
3497 + connected = (tunnel->parms.iph.daddr != 0);
3498 +
3499 +diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
3500 +index 7143ca1a6af9..ec48d8eafc7e 100644
3501 +--- a/net/ipv4/proc.c
3502 ++++ b/net/ipv4/proc.c
3503 +@@ -54,7 +54,6 @@
3504 + static int sockstat_seq_show(struct seq_file *seq, void *v)
3505 + {
3506 + struct net *net = seq->private;
3507 +- unsigned int frag_mem;
3508 + int orphans, sockets;
3509 +
3510 + local_bh_disable();
3511 +@@ -74,8 +73,9 @@ static int sockstat_seq_show(struct seq_file *seq, void *v)
3512 + sock_prot_inuse_get(net, &udplite_prot));
3513 + seq_printf(seq, "RAW: inuse %d\n",
3514 + sock_prot_inuse_get(net, &raw_prot));
3515 +- frag_mem = ip_frag_mem(net);
3516 +- seq_printf(seq, "FRAG: inuse %u memory %u\n", !!frag_mem, frag_mem);
3517 ++ seq_printf(seq, "FRAG: inuse %u memory %lu\n",
3518 ++ atomic_read(&net->ipv4.frags.rhashtable.nelems),
3519 ++ frag_mem_limit(&net->ipv4.frags));
3520 + return 0;
3521 + }
3522 +
3523 +@@ -134,6 +134,7 @@ static const struct snmp_mib snmp4_ipextstats_list[] = {
3524 + SNMP_MIB_ITEM("InECT1Pkts", IPSTATS_MIB_ECT1PKTS),
3525 + SNMP_MIB_ITEM("InECT0Pkts", IPSTATS_MIB_ECT0PKTS),
3526 + SNMP_MIB_ITEM("InCEPkts", IPSTATS_MIB_CEPKTS),
3527 ++ SNMP_MIB_ITEM("ReasmOverlaps", IPSTATS_MIB_REASM_OVERLAPS),
3528 + SNMP_MIB_SENTINEL
3529 + };
3530 +
3531 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3532 +index 9d0b73aa649f..dbb153c6b21a 100644
3533 +--- a/net/ipv4/tcp_input.c
3534 ++++ b/net/ipv4/tcp_input.c
3535 +@@ -4406,7 +4406,7 @@ static void tcp_ofo_queue(struct sock *sk)
3536 +
3537 + p = rb_first(&tp->out_of_order_queue);
3538 + while (p) {
3539 +- skb = rb_entry(p, struct sk_buff, rbnode);
3540 ++ skb = rb_to_skb(p);
3541 + if (after(TCP_SKB_CB(skb)->seq, tp->rcv_nxt))
3542 + break;
3543 +
3544 +@@ -4470,7 +4470,7 @@ static int tcp_try_rmem_schedule(struct sock *sk, struct sk_buff *skb,
3545 + static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
3546 + {
3547 + struct tcp_sock *tp = tcp_sk(sk);
3548 +- struct rb_node **p, *q, *parent;
3549 ++ struct rb_node **p, *parent;
3550 + struct sk_buff *skb1;
3551 + u32 seq, end_seq;
3552 + bool fragstolen;
3553 +@@ -4529,7 +4529,7 @@ coalesce_done:
3554 + parent = NULL;
3555 + while (*p) {
3556 + parent = *p;
3557 +- skb1 = rb_entry(parent, struct sk_buff, rbnode);
3558 ++ skb1 = rb_to_skb(parent);
3559 + if (before(seq, TCP_SKB_CB(skb1)->seq)) {
3560 + p = &parent->rb_left;
3561 + continue;
3562 +@@ -4574,9 +4574,7 @@ insert:
3563 +
3564 + merge_right:
3565 + /* Remove other segments covered by skb. */
3566 +- while ((q = rb_next(&skb->rbnode)) != NULL) {
3567 +- skb1 = rb_entry(q, struct sk_buff, rbnode);
3568 +-
3569 ++ while ((skb1 = skb_rb_next(skb)) != NULL) {
3570 + if (!after(end_seq, TCP_SKB_CB(skb1)->seq))
3571 + break;
3572 + if (before(end_seq, TCP_SKB_CB(skb1)->end_seq)) {
3573 +@@ -4591,7 +4589,7 @@ merge_right:
3574 + tcp_drop(sk, skb1);
3575 + }
3576 + /* If there is no skb after us, we are the last_skb ! */
3577 +- if (!q)
3578 ++ if (!skb1)
3579 + tp->ooo_last_skb = skb;
3580 +
3581 + add_sack:
3582 +@@ -4792,7 +4790,7 @@ static struct sk_buff *tcp_skb_next(struct sk_buff *skb, struct sk_buff_head *li
3583 + if (list)
3584 + return !skb_queue_is_last(list, skb) ? skb->next : NULL;
3585 +
3586 +- return rb_entry_safe(rb_next(&skb->rbnode), struct sk_buff, rbnode);
3587 ++ return skb_rb_next(skb);
3588 + }
3589 +
3590 + static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
3591 +@@ -4821,7 +4819,7 @@ static void tcp_rbtree_insert(struct rb_root *root, struct sk_buff *skb)
3592 +
3593 + while (*p) {
3594 + parent = *p;
3595 +- skb1 = rb_entry(parent, struct sk_buff, rbnode);
3596 ++ skb1 = rb_to_skb(parent);
3597 + if (before(TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb1)->seq))
3598 + p = &parent->rb_left;
3599 + else
3600 +@@ -4941,19 +4939,12 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
3601 + struct tcp_sock *tp = tcp_sk(sk);
3602 + u32 range_truesize, sum_tiny = 0;
3603 + struct sk_buff *skb, *head;
3604 +- struct rb_node *p;
3605 + u32 start, end;
3606 +
3607 +- p = rb_first(&tp->out_of_order_queue);
3608 +- skb = rb_entry_safe(p, struct sk_buff, rbnode);
3609 ++ skb = skb_rb_first(&tp->out_of_order_queue);
3610 + new_range:
3611 + if (!skb) {
3612 +- p = rb_last(&tp->out_of_order_queue);
3613 +- /* Note: This is possible p is NULL here. We do not
3614 +- * use rb_entry_safe(), as ooo_last_skb is valid only
3615 +- * if rbtree is not empty.
3616 +- */
3617 +- tp->ooo_last_skb = rb_entry(p, struct sk_buff, rbnode);
3618 ++ tp->ooo_last_skb = skb_rb_last(&tp->out_of_order_queue);
3619 + return;
3620 + }
3621 + start = TCP_SKB_CB(skb)->seq;
3622 +@@ -4961,7 +4952,7 @@ new_range:
3623 + range_truesize = skb->truesize;
3624 +
3625 + for (head = skb;;) {
3626 +- skb = tcp_skb_next(skb, NULL);
3627 ++ skb = skb_rb_next(skb);
3628 +
3629 + /* Range is terminated when we see a gap or when
3630 + * we are at the queue end.
3631 +@@ -5017,7 +5008,7 @@ static bool tcp_prune_ofo_queue(struct sock *sk)
3632 + prev = rb_prev(node);
3633 + rb_erase(node, &tp->out_of_order_queue);
3634 + goal -= rb_to_skb(node)->truesize;
3635 +- tcp_drop(sk, rb_entry(node, struct sk_buff, rbnode));
3636 ++ tcp_drop(sk, rb_to_skb(node));
3637 + if (!prev || goal <= 0) {
3638 + sk_mem_reclaim(sk);
3639 + if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
3640 +@@ -5027,7 +5018,7 @@ static bool tcp_prune_ofo_queue(struct sock *sk)
3641 + }
3642 + node = prev;
3643 + } while (node);
3644 +- tp->ooo_last_skb = rb_entry(prev, struct sk_buff, rbnode);
3645 ++ tp->ooo_last_skb = rb_to_skb(prev);
3646 +
3647 + /* Reset SACK state. A conforming SACK implementation will
3648 + * do the same at a timeout based retransmit. When a connection
3649 +@@ -5978,11 +5969,13 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
3650 + if (th->fin)
3651 + goto discard;
3652 + /* It is possible that we process SYN packets from backlog,
3653 +- * so we need to make sure to disable BH right there.
3654 ++ * so we need to make sure to disable BH and RCU right there.
3655 + */
3656 ++ rcu_read_lock();
3657 + local_bh_disable();
3658 + acceptable = icsk->icsk_af_ops->conn_request(sk, skb) >= 0;
3659 + local_bh_enable();
3660 ++ rcu_read_unlock();
3661 +
3662 + if (!acceptable)
3663 + return 1;
3664 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
3665 +index 16dea67792e0..1ea0c91ba994 100644
3666 +--- a/net/ipv4/tcp_ipv4.c
3667 ++++ b/net/ipv4/tcp_ipv4.c
3668 +@@ -859,9 +859,11 @@ static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst,
3669 + if (skb) {
3670 + __tcp_v4_send_check(skb, ireq->ir_loc_addr, ireq->ir_rmt_addr);
3671 +
3672 ++ rcu_read_lock();
3673 + err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr,
3674 + ireq->ir_rmt_addr,
3675 +- ireq_opt_deref(ireq));
3676 ++ rcu_dereference(ireq->ireq_opt));
3677 ++ rcu_read_unlock();
3678 + err = net_xmit_eval(err);
3679 + }
3680 +
3681 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
3682 +index 3a27cf762da1..bc532206077f 100644
3683 +--- a/net/ipv6/addrconf.c
3684 ++++ b/net/ipv6/addrconf.c
3685 +@@ -4068,7 +4068,6 @@ static struct inet6_ifaddr *if6_get_first(struct seq_file *seq, loff_t pos)
3686 + p++;
3687 + continue;
3688 + }
3689 +- state->offset++;
3690 + return ifa;
3691 + }
3692 +
3693 +@@ -4092,13 +4091,12 @@ static struct inet6_ifaddr *if6_get_next(struct seq_file *seq,
3694 + return ifa;
3695 + }
3696 +
3697 ++ state->offset = 0;
3698 + while (++state->bucket < IN6_ADDR_HSIZE) {
3699 +- state->offset = 0;
3700 + hlist_for_each_entry_rcu_bh(ifa,
3701 + &inet6_addr_lst[state->bucket], addr_lst) {
3702 + if (!net_eq(dev_net(ifa->idev->dev), net))
3703 + continue;
3704 +- state->offset++;
3705 + return ifa;
3706 + }
3707 + }
3708 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
3709 +index cda63426eefb..fd081a14064e 100644
3710 +--- a/net/ipv6/ip6_tunnel.c
3711 ++++ b/net/ipv6/ip6_tunnel.c
3712 +@@ -1226,7 +1226,7 @@ static inline int
3713 + ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
3714 + {
3715 + struct ip6_tnl *t = netdev_priv(dev);
3716 +- const struct iphdr *iph = ip_hdr(skb);
3717 ++ const struct iphdr *iph;
3718 + int encap_limit = -1;
3719 + struct flowi6 fl6;
3720 + __u8 dsfield;
3721 +@@ -1234,6 +1234,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
3722 + u8 tproto;
3723 + int err;
3724 +
3725 ++ /* ensure we can access the full inner ip header */
3726 ++ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
3727 ++ return -1;
3728 ++
3729 ++ iph = ip_hdr(skb);
3730 + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
3731 +
3732 + tproto = ACCESS_ONCE(t->parms.proto);
3733 +@@ -1293,7 +1298,7 @@ static inline int
3734 + ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
3735 + {
3736 + struct ip6_tnl *t = netdev_priv(dev);
3737 +- struct ipv6hdr *ipv6h = ipv6_hdr(skb);
3738 ++ struct ipv6hdr *ipv6h;
3739 + int encap_limit = -1;
3740 + __u16 offset;
3741 + struct flowi6 fl6;
3742 +@@ -1302,6 +1307,10 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
3743 + u8 tproto;
3744 + int err;
3745 +
3746 ++ if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
3747 ++ return -1;
3748 ++
3749 ++ ipv6h = ipv6_hdr(skb);
3750 + tproto = ACCESS_ONCE(t->parms.proto);
3751 + if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
3752 + ip6_tnl_addr_conflict(t, ipv6h))
3753 +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
3754 +index ee33a6743f3b..b9147558a8f2 100644
3755 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
3756 ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
3757 +@@ -63,7 +63,6 @@ struct nf_ct_frag6_skb_cb
3758 + static struct inet_frags nf_frags;
3759 +
3760 + #ifdef CONFIG_SYSCTL
3761 +-static int zero;
3762 +
3763 + static struct ctl_table nf_ct_frag6_sysctl_table[] = {
3764 + {
3765 +@@ -76,18 +75,17 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
3766 + {
3767 + .procname = "nf_conntrack_frag6_low_thresh",
3768 + .data = &init_net.nf_frag.frags.low_thresh,
3769 +- .maxlen = sizeof(unsigned int),
3770 ++ .maxlen = sizeof(unsigned long),
3771 + .mode = 0644,
3772 +- .proc_handler = proc_dointvec_minmax,
3773 +- .extra1 = &zero,
3774 ++ .proc_handler = proc_doulongvec_minmax,
3775 + .extra2 = &init_net.nf_frag.frags.high_thresh
3776 + },
3777 + {
3778 + .procname = "nf_conntrack_frag6_high_thresh",
3779 + .data = &init_net.nf_frag.frags.high_thresh,
3780 +- .maxlen = sizeof(unsigned int),
3781 ++ .maxlen = sizeof(unsigned long),
3782 + .mode = 0644,
3783 +- .proc_handler = proc_dointvec_minmax,
3784 ++ .proc_handler = proc_doulongvec_minmax,
3785 + .extra1 = &init_net.nf_frag.frags.low_thresh
3786 + },
3787 + { }
3788 +@@ -152,23 +150,6 @@ static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
3789 + return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
3790 + }
3791 +
3792 +-static unsigned int nf_hash_frag(__be32 id, const struct in6_addr *saddr,
3793 +- const struct in6_addr *daddr)
3794 +-{
3795 +- net_get_random_once(&nf_frags.rnd, sizeof(nf_frags.rnd));
3796 +- return jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
3797 +- (__force u32)id, nf_frags.rnd);
3798 +-}
3799 +-
3800 +-
3801 +-static unsigned int nf_hashfn(const struct inet_frag_queue *q)
3802 +-{
3803 +- const struct frag_queue *nq;
3804 +-
3805 +- nq = container_of(q, struct frag_queue, q);
3806 +- return nf_hash_frag(nq->id, &nq->saddr, &nq->daddr);
3807 +-}
3808 +-
3809 + static void nf_ct_frag6_expire(unsigned long data)
3810 + {
3811 + struct frag_queue *fq;
3812 +@@ -177,34 +158,26 @@ static void nf_ct_frag6_expire(unsigned long data)
3813 + fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q);
3814 + net = container_of(fq->q.net, struct net, nf_frag.frags);
3815 +
3816 +- ip6_expire_frag_queue(net, fq, &nf_frags);
3817 ++ ip6_expire_frag_queue(net, fq);
3818 + }
3819 +
3820 + /* Creation primitives. */
3821 +-static inline struct frag_queue *fq_find(struct net *net, __be32 id,
3822 +- u32 user, struct in6_addr *src,
3823 +- struct in6_addr *dst, int iif, u8 ecn)
3824 ++static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user,
3825 ++ const struct ipv6hdr *hdr, int iif)
3826 + {
3827 ++ struct frag_v6_compare_key key = {
3828 ++ .id = id,
3829 ++ .saddr = hdr->saddr,
3830 ++ .daddr = hdr->daddr,
3831 ++ .user = user,
3832 ++ .iif = iif,
3833 ++ };
3834 + struct inet_frag_queue *q;
3835 +- struct ip6_create_arg arg;
3836 +- unsigned int hash;
3837 +-
3838 +- arg.id = id;
3839 +- arg.user = user;
3840 +- arg.src = src;
3841 +- arg.dst = dst;
3842 +- arg.iif = iif;
3843 +- arg.ecn = ecn;
3844 +-
3845 +- local_bh_disable();
3846 +- hash = nf_hash_frag(id, src, dst);
3847 +-
3848 +- q = inet_frag_find(&net->nf_frag.frags, &nf_frags, &arg, hash);
3849 +- local_bh_enable();
3850 +- if (IS_ERR_OR_NULL(q)) {
3851 +- inet_frag_maybe_warn_overflow(q, pr_fmt());
3852 ++
3853 ++ q = inet_frag_find(&net->nf_frag.frags, &key);
3854 ++ if (!q)
3855 + return NULL;
3856 +- }
3857 ++
3858 + return container_of(q, struct frag_queue, q);
3859 + }
3860 +
3861 +@@ -263,7 +236,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
3862 + * this case. -DaveM
3863 + */
3864 + pr_debug("end of fragment not rounded to 8 bytes.\n");
3865 +- inet_frag_kill(&fq->q, &nf_frags);
3866 ++ inet_frag_kill(&fq->q);
3867 + return -EPROTO;
3868 + }
3869 + if (end > fq->q.len) {
3870 +@@ -356,7 +329,7 @@ found:
3871 + return 0;
3872 +
3873 + discard_fq:
3874 +- inet_frag_kill(&fq->q, &nf_frags);
3875 ++ inet_frag_kill(&fq->q);
3876 + err:
3877 + return -EINVAL;
3878 + }
3879 +@@ -378,7 +351,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_devic
3880 + int payload_len;
3881 + u8 ecn;
3882 +
3883 +- inet_frag_kill(&fq->q, &nf_frags);
3884 ++ inet_frag_kill(&fq->q);
3885 +
3886 + WARN_ON(head == NULL);
3887 + WARN_ON(NFCT_FRAG6_CB(head)->offset != 0);
3888 +@@ -479,6 +452,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_devic
3889 + else if (head->ip_summed == CHECKSUM_COMPLETE)
3890 + head->csum = csum_add(head->csum, fp->csum);
3891 + head->truesize += fp->truesize;
3892 ++ fp->sk = NULL;
3893 + }
3894 + sub_frag_mem_limit(fq->q.net, head->truesize);
3895 +
3896 +@@ -497,6 +471,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_devic
3897 + head->csum);
3898 +
3899 + fq->q.fragments = NULL;
3900 ++ fq->q.rb_fragments = RB_ROOT;
3901 + fq->q.fragments_tail = NULL;
3902 +
3903 + return true;
3904 +@@ -591,9 +566,13 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
3905 + hdr = ipv6_hdr(skb);
3906 + fhdr = (struct frag_hdr *)skb_transport_header(skb);
3907 +
3908 ++ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
3909 ++ fhdr->frag_off & htons(IP6_MF))
3910 ++ return -EINVAL;
3911 ++
3912 + skb_orphan(skb);
3913 +- fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
3914 +- skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
3915 ++ fq = fq_find(net, fhdr->identification, user, hdr,
3916 ++ skb->dev ? skb->dev->ifindex : 0);
3917 + if (fq == NULL) {
3918 + pr_debug("Can't find and can't create new queue\n");
3919 + return -ENOMEM;
3920 +@@ -623,25 +602,33 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
3921 +
3922 + out_unlock:
3923 + spin_unlock_bh(&fq->q.lock);
3924 +- inet_frag_put(&fq->q, &nf_frags);
3925 ++ inet_frag_put(&fq->q);
3926 + return ret;
3927 + }
3928 + EXPORT_SYMBOL_GPL(nf_ct_frag6_gather);
3929 +
3930 + static int nf_ct_net_init(struct net *net)
3931 + {
3932 ++ int res;
3933 ++
3934 + net->nf_frag.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
3935 + net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
3936 + net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT;
3937 +- inet_frags_init_net(&net->nf_frag.frags);
3938 +-
3939 +- return nf_ct_frag6_sysctl_register(net);
3940 ++ net->nf_frag.frags.f = &nf_frags;
3941 ++
3942 ++ res = inet_frags_init_net(&net->nf_frag.frags);
3943 ++ if (res < 0)
3944 ++ return res;
3945 ++ res = nf_ct_frag6_sysctl_register(net);
3946 ++ if (res < 0)
3947 ++ inet_frags_exit_net(&net->nf_frag.frags);
3948 ++ return res;
3949 + }
3950 +
3951 + static void nf_ct_net_exit(struct net *net)
3952 + {
3953 + nf_ct_frags6_sysctl_unregister(net);
3954 +- inet_frags_exit_net(&net->nf_frag.frags, &nf_frags);
3955 ++ inet_frags_exit_net(&net->nf_frag.frags);
3956 + }
3957 +
3958 + static struct pernet_operations nf_ct_net_ops = {
3959 +@@ -653,13 +640,12 @@ int nf_ct_frag6_init(void)
3960 + {
3961 + int ret = 0;
3962 +
3963 +- nf_frags.hashfn = nf_hashfn;
3964 + nf_frags.constructor = ip6_frag_init;
3965 + nf_frags.destructor = NULL;
3966 + nf_frags.qsize = sizeof(struct frag_queue);
3967 +- nf_frags.match = ip6_frag_match;
3968 + nf_frags.frag_expire = nf_ct_frag6_expire;
3969 + nf_frags.frags_cache_name = nf_frags_cache_name;
3970 ++ nf_frags.rhash_params = ip6_rhash_params;
3971 + ret = inet_frags_init(&nf_frags);
3972 + if (ret)
3973 + goto out;
3974 +diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
3975 +index e88bcb8ff0fd..dc04c024986c 100644
3976 +--- a/net/ipv6/proc.c
3977 ++++ b/net/ipv6/proc.c
3978 +@@ -38,7 +38,6 @@
3979 + static int sockstat6_seq_show(struct seq_file *seq, void *v)
3980 + {
3981 + struct net *net = seq->private;
3982 +- unsigned int frag_mem = ip6_frag_mem(net);
3983 +
3984 + seq_printf(seq, "TCP6: inuse %d\n",
3985 + sock_prot_inuse_get(net, &tcpv6_prot));
3986 +@@ -48,7 +47,9 @@ static int sockstat6_seq_show(struct seq_file *seq, void *v)
3987 + sock_prot_inuse_get(net, &udplitev6_prot));
3988 + seq_printf(seq, "RAW6: inuse %d\n",
3989 + sock_prot_inuse_get(net, &rawv6_prot));
3990 +- seq_printf(seq, "FRAG6: inuse %u memory %u\n", !!frag_mem, frag_mem);
3991 ++ seq_printf(seq, "FRAG6: inuse %u memory %lu\n",
3992 ++ atomic_read(&net->ipv6.frags.rhashtable.nelems),
3993 ++ frag_mem_limit(&net->ipv6.frags));
3994 + return 0;
3995 + }
3996 +
3997 +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
3998 +index 71ffa526cb23..a4f979ff31b9 100644
3999 +--- a/net/ipv6/raw.c
4000 ++++ b/net/ipv6/raw.c
4001 +@@ -645,8 +645,6 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
4002 + skb->protocol = htons(ETH_P_IPV6);
4003 + skb->priority = sk->sk_priority;
4004 + skb->mark = sk->sk_mark;
4005 +- skb_dst_set(skb, &rt->dst);
4006 +- *dstp = NULL;
4007 +
4008 + skb_put(skb, length);
4009 + skb_reset_network_header(skb);
4010 +@@ -656,8 +654,14 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
4011 +
4012 + skb->transport_header = skb->network_header;
4013 + err = memcpy_from_msg(iph, msg, length);
4014 +- if (err)
4015 +- goto error_fault;
4016 ++ if (err) {
4017 ++ err = -EFAULT;
4018 ++ kfree_skb(skb);
4019 ++ goto error;
4020 ++ }
4021 ++
4022 ++ skb_dst_set(skb, &rt->dst);
4023 ++ *dstp = NULL;
4024 +
4025 + /* if egress device is enslaved to an L3 master device pass the
4026 + * skb to its handler for processing
4027 +@@ -666,21 +670,28 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
4028 + if (unlikely(!skb))
4029 + return 0;
4030 +
4031 ++ /* Acquire rcu_read_lock() in case we need to use rt->rt6i_idev
4032 ++ * in the error path. Since skb has been freed, the dst could
4033 ++ * have been queued for deletion.
4034 ++ */
4035 ++ rcu_read_lock();
4036 + IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
4037 + err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, skb,
4038 + NULL, rt->dst.dev, dst_output);
4039 + if (err > 0)
4040 + err = net_xmit_errno(err);
4041 +- if (err)
4042 +- goto error;
4043 ++ if (err) {
4044 ++ IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
4045 ++ rcu_read_unlock();
4046 ++ goto error_check;
4047 ++ }
4048 ++ rcu_read_unlock();
4049 + out:
4050 + return 0;
4051 +
4052 +-error_fault:
4053 +- err = -EFAULT;
4054 +- kfree_skb(skb);
4055 + error:
4056 + IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
4057 ++error_check:
4058 + if (err == -ENOBUFS && !np->recverr)
4059 + err = 0;
4060 + return err;
4061 +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
4062 +index e585c0a2591c..74ffbcb306a6 100644
4063 +--- a/net/ipv6/reassembly.c
4064 ++++ b/net/ipv6/reassembly.c
4065 +@@ -79,94 +79,58 @@ static struct inet_frags ip6_frags;
4066 + static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
4067 + struct net_device *dev);
4068 +
4069 +-/*
4070 +- * callers should be careful not to use the hash value outside the ipfrag_lock
4071 +- * as doing so could race with ipfrag_hash_rnd being recalculated.
4072 +- */
4073 +-static unsigned int inet6_hash_frag(__be32 id, const struct in6_addr *saddr,
4074 +- const struct in6_addr *daddr)
4075 +-{
4076 +- net_get_random_once(&ip6_frags.rnd, sizeof(ip6_frags.rnd));
4077 +- return jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
4078 +- (__force u32)id, ip6_frags.rnd);
4079 +-}
4080 +-
4081 +-static unsigned int ip6_hashfn(const struct inet_frag_queue *q)
4082 +-{
4083 +- const struct frag_queue *fq;
4084 +-
4085 +- fq = container_of(q, struct frag_queue, q);
4086 +- return inet6_hash_frag(fq->id, &fq->saddr, &fq->daddr);
4087 +-}
4088 +-
4089 +-bool ip6_frag_match(const struct inet_frag_queue *q, const void *a)
4090 +-{
4091 +- const struct frag_queue *fq;
4092 +- const struct ip6_create_arg *arg = a;
4093 +-
4094 +- fq = container_of(q, struct frag_queue, q);
4095 +- return fq->id == arg->id &&
4096 +- fq->user == arg->user &&
4097 +- ipv6_addr_equal(&fq->saddr, arg->src) &&
4098 +- ipv6_addr_equal(&fq->daddr, arg->dst) &&
4099 +- (arg->iif == fq->iif ||
4100 +- !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST |
4101 +- IPV6_ADDR_LINKLOCAL)));
4102 +-}
4103 +-EXPORT_SYMBOL(ip6_frag_match);
4104 +-
4105 + void ip6_frag_init(struct inet_frag_queue *q, const void *a)
4106 + {
4107 + struct frag_queue *fq = container_of(q, struct frag_queue, q);
4108 +- const struct ip6_create_arg *arg = a;
4109 ++ const struct frag_v6_compare_key *key = a;
4110 +
4111 +- fq->id = arg->id;
4112 +- fq->user = arg->user;
4113 +- fq->saddr = *arg->src;
4114 +- fq->daddr = *arg->dst;
4115 +- fq->ecn = arg->ecn;
4116 ++ q->key.v6 = *key;
4117 ++ fq->ecn = 0;
4118 + }
4119 + EXPORT_SYMBOL(ip6_frag_init);
4120 +
4121 +-void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq,
4122 +- struct inet_frags *frags)
4123 ++void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq)
4124 + {
4125 + struct net_device *dev = NULL;
4126 ++ struct sk_buff *head;
4127 +
4128 ++ rcu_read_lock();
4129 + spin_lock(&fq->q.lock);
4130 +
4131 + if (fq->q.flags & INET_FRAG_COMPLETE)
4132 + goto out;
4133 +
4134 +- inet_frag_kill(&fq->q, frags);
4135 ++ inet_frag_kill(&fq->q);
4136 +
4137 +- rcu_read_lock();
4138 + dev = dev_get_by_index_rcu(net, fq->iif);
4139 + if (!dev)
4140 +- goto out_rcu_unlock;
4141 ++ goto out;
4142 +
4143 + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
4144 +-
4145 +- if (inet_frag_evicting(&fq->q))
4146 +- goto out_rcu_unlock;
4147 +-
4148 + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT);
4149 +
4150 + /* Don't send error if the first segment did not arrive. */
4151 +- if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !fq->q.fragments)
4152 +- goto out_rcu_unlock;
4153 ++ head = fq->q.fragments;
4154 ++ if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head)
4155 ++ goto out;
4156 +
4157 + /* But use as source device on which LAST ARRIVED
4158 + * segment was received. And do not use fq->dev
4159 + * pointer directly, device might already disappeared.
4160 + */
4161 +- fq->q.fragments->dev = dev;
4162 +- icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
4163 +-out_rcu_unlock:
4164 +- rcu_read_unlock();
4165 ++ head->dev = dev;
4166 ++ skb_get(head);
4167 ++ spin_unlock(&fq->q.lock);
4168 ++
4169 ++ icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
4170 ++ kfree_skb(head);
4171 ++ goto out_rcu_unlock;
4172 ++
4173 + out:
4174 + spin_unlock(&fq->q.lock);
4175 +- inet_frag_put(&fq->q, frags);
4176 ++out_rcu_unlock:
4177 ++ rcu_read_unlock();
4178 ++ inet_frag_put(&fq->q);
4179 + }
4180 + EXPORT_SYMBOL(ip6_expire_frag_queue);
4181 +
4182 +@@ -178,31 +142,29 @@ static void ip6_frag_expire(unsigned long data)
4183 + fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q);
4184 + net = container_of(fq->q.net, struct net, ipv6.frags);
4185 +
4186 +- ip6_expire_frag_queue(net, fq, &ip6_frags);
4187 ++ ip6_expire_frag_queue(net, fq);
4188 + }
4189 +
4190 + static struct frag_queue *
4191 +-fq_find(struct net *net, __be32 id, const struct in6_addr *src,
4192 +- const struct in6_addr *dst, int iif, u8 ecn)
4193 ++fq_find(struct net *net, __be32 id, const struct ipv6hdr *hdr, int iif)
4194 + {
4195 ++ struct frag_v6_compare_key key = {
4196 ++ .id = id,
4197 ++ .saddr = hdr->saddr,
4198 ++ .daddr = hdr->daddr,
4199 ++ .user = IP6_DEFRAG_LOCAL_DELIVER,
4200 ++ .iif = iif,
4201 ++ };
4202 + struct inet_frag_queue *q;
4203 +- struct ip6_create_arg arg;
4204 +- unsigned int hash;
4205 +
4206 +- arg.id = id;
4207 +- arg.user = IP6_DEFRAG_LOCAL_DELIVER;
4208 +- arg.src = src;
4209 +- arg.dst = dst;
4210 +- arg.iif = iif;
4211 +- arg.ecn = ecn;
4212 ++ if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
4213 ++ IPV6_ADDR_LINKLOCAL)))
4214 ++ key.iif = 0;
4215 +
4216 +- hash = inet6_hash_frag(id, src, dst);
4217 +-
4218 +- q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);
4219 +- if (IS_ERR_OR_NULL(q)) {
4220 +- inet_frag_maybe_warn_overflow(q, pr_fmt());
4221 ++ q = inet_frag_find(&net->ipv6.frags, &key);
4222 ++ if (!q)
4223 + return NULL;
4224 +- }
4225 ++
4226 + return container_of(q, struct frag_queue, q);
4227 + }
4228 +
4229 +@@ -359,7 +321,7 @@ found:
4230 + return -1;
4231 +
4232 + discard_fq:
4233 +- inet_frag_kill(&fq->q, &ip6_frags);
4234 ++ inet_frag_kill(&fq->q);
4235 + err:
4236 + __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
4237 + IPSTATS_MIB_REASMFAILS);
4238 +@@ -386,7 +348,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
4239 + int sum_truesize;
4240 + u8 ecn;
4241 +
4242 +- inet_frag_kill(&fq->q, &ip6_frags);
4243 ++ inet_frag_kill(&fq->q);
4244 +
4245 + ecn = ip_frag_ecn_table[fq->ecn];
4246 + if (unlikely(ecn == 0xff))
4247 +@@ -504,6 +466,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
4248 + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
4249 + rcu_read_unlock();
4250 + fq->q.fragments = NULL;
4251 ++ fq->q.rb_fragments = RB_ROOT;
4252 + fq->q.fragments_tail = NULL;
4253 + return 1;
4254 +
4255 +@@ -525,6 +488,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
4256 + struct frag_queue *fq;
4257 + const struct ipv6hdr *hdr = ipv6_hdr(skb);
4258 + struct net *net = dev_net(skb_dst(skb)->dev);
4259 ++ int iif;
4260 +
4261 + if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
4262 + goto fail_hdr;
4263 +@@ -553,17 +517,22 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
4264 + return 1;
4265 + }
4266 +
4267 +- fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr,
4268 +- skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
4269 ++ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
4270 ++ fhdr->frag_off & htons(IP6_MF))
4271 ++ goto fail_hdr;
4272 ++
4273 ++ iif = skb->dev ? skb->dev->ifindex : 0;
4274 ++ fq = fq_find(net, fhdr->identification, hdr, iif);
4275 + if (fq) {
4276 + int ret;
4277 +
4278 + spin_lock(&fq->q.lock);
4279 +
4280 ++ fq->iif = iif;
4281 + ret = ip6_frag_queue(fq, skb, fhdr, IP6CB(skb)->nhoff);
4282 +
4283 + spin_unlock(&fq->q.lock);
4284 +- inet_frag_put(&fq->q, &ip6_frags);
4285 ++ inet_frag_put(&fq->q);
4286 + return ret;
4287 + }
4288 +
4289 +@@ -584,24 +553,22 @@ static const struct inet6_protocol frag_protocol = {
4290 + };
4291 +
4292 + #ifdef CONFIG_SYSCTL
4293 +-static int zero;
4294 +
4295 + static struct ctl_table ip6_frags_ns_ctl_table[] = {
4296 + {
4297 + .procname = "ip6frag_high_thresh",
4298 + .data = &init_net.ipv6.frags.high_thresh,
4299 +- .maxlen = sizeof(int),
4300 ++ .maxlen = sizeof(unsigned long),
4301 + .mode = 0644,
4302 +- .proc_handler = proc_dointvec_minmax,
4303 ++ .proc_handler = proc_doulongvec_minmax,
4304 + .extra1 = &init_net.ipv6.frags.low_thresh
4305 + },
4306 + {
4307 + .procname = "ip6frag_low_thresh",
4308 + .data = &init_net.ipv6.frags.low_thresh,
4309 +- .maxlen = sizeof(int),
4310 ++ .maxlen = sizeof(unsigned long),
4311 + .mode = 0644,
4312 +- .proc_handler = proc_dointvec_minmax,
4313 +- .extra1 = &zero,
4314 ++ .proc_handler = proc_doulongvec_minmax,
4315 + .extra2 = &init_net.ipv6.frags.high_thresh
4316 + },
4317 + {
4318 +@@ -644,10 +611,6 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
4319 + table[1].data = &net->ipv6.frags.low_thresh;
4320 + table[1].extra2 = &net->ipv6.frags.high_thresh;
4321 + table[2].data = &net->ipv6.frags.timeout;
4322 +-
4323 +- /* Don't export sysctls to unprivileged users */
4324 +- if (net->user_ns != &init_user_ns)
4325 +- table[0].procname = NULL;
4326 + }
4327 +
4328 + hdr = register_net_sysctl(net, "net/ipv6", table);
4329 +@@ -709,19 +672,27 @@ static void ip6_frags_sysctl_unregister(void)
4330 +
4331 + static int __net_init ipv6_frags_init_net(struct net *net)
4332 + {
4333 ++ int res;
4334 ++
4335 + net->ipv6.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
4336 + net->ipv6.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
4337 + net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT;
4338 ++ net->ipv6.frags.f = &ip6_frags;
4339 +
4340 +- inet_frags_init_net(&net->ipv6.frags);
4341 ++ res = inet_frags_init_net(&net->ipv6.frags);
4342 ++ if (res < 0)
4343 ++ return res;
4344 +
4345 +- return ip6_frags_ns_sysctl_register(net);
4346 ++ res = ip6_frags_ns_sysctl_register(net);
4347 ++ if (res < 0)
4348 ++ inet_frags_exit_net(&net->ipv6.frags);
4349 ++ return res;
4350 + }
4351 +
4352 + static void __net_exit ipv6_frags_exit_net(struct net *net)
4353 + {
4354 + ip6_frags_ns_sysctl_unregister(net);
4355 +- inet_frags_exit_net(&net->ipv6.frags, &ip6_frags);
4356 ++ inet_frags_exit_net(&net->ipv6.frags);
4357 + }
4358 +
4359 + static struct pernet_operations ip6_frags_ops = {
4360 +@@ -729,14 +700,55 @@ static struct pernet_operations ip6_frags_ops = {
4361 + .exit = ipv6_frags_exit_net,
4362 + };
4363 +
4364 ++static u32 ip6_key_hashfn(const void *data, u32 len, u32 seed)
4365 ++{
4366 ++ return jhash2(data,
4367 ++ sizeof(struct frag_v6_compare_key) / sizeof(u32), seed);
4368 ++}
4369 ++
4370 ++static u32 ip6_obj_hashfn(const void *data, u32 len, u32 seed)
4371 ++{
4372 ++ const struct inet_frag_queue *fq = data;
4373 ++
4374 ++ return jhash2((const u32 *)&fq->key.v6,
4375 ++ sizeof(struct frag_v6_compare_key) / sizeof(u32), seed);
4376 ++}
4377 ++
4378 ++static int ip6_obj_cmpfn(struct rhashtable_compare_arg *arg, const void *ptr)
4379 ++{
4380 ++ const struct frag_v6_compare_key *key = arg->key;
4381 ++ const struct inet_frag_queue *fq = ptr;
4382 ++
4383 ++ return !!memcmp(&fq->key, key, sizeof(*key));
4384 ++}
4385 ++
4386 ++const struct rhashtable_params ip6_rhash_params = {
4387 ++ .head_offset = offsetof(struct inet_frag_queue, node),
4388 ++ .hashfn = ip6_key_hashfn,
4389 ++ .obj_hashfn = ip6_obj_hashfn,
4390 ++ .obj_cmpfn = ip6_obj_cmpfn,
4391 ++ .automatic_shrinking = true,
4392 ++};
4393 ++EXPORT_SYMBOL(ip6_rhash_params);
4394 ++
4395 + int __init ipv6_frag_init(void)
4396 + {
4397 + int ret;
4398 +
4399 +- ret = inet6_add_protocol(&frag_protocol, IPPROTO_FRAGMENT);
4400 ++ ip6_frags.constructor = ip6_frag_init;
4401 ++ ip6_frags.destructor = NULL;
4402 ++ ip6_frags.qsize = sizeof(struct frag_queue);
4403 ++ ip6_frags.frag_expire = ip6_frag_expire;
4404 ++ ip6_frags.frags_cache_name = ip6_frag_cache_name;
4405 ++ ip6_frags.rhash_params = ip6_rhash_params;
4406 ++ ret = inet_frags_init(&ip6_frags);
4407 + if (ret)
4408 + goto out;
4409 +
4410 ++ ret = inet6_add_protocol(&frag_protocol, IPPROTO_FRAGMENT);
4411 ++ if (ret)
4412 ++ goto err_protocol;
4413 ++
4414 + ret = ip6_frags_sysctl_register();
4415 + if (ret)
4416 + goto err_sysctl;
4417 +@@ -745,16 +757,6 @@ int __init ipv6_frag_init(void)
4418 + if (ret)
4419 + goto err_pernet;
4420 +
4421 +- ip6_frags.hashfn = ip6_hashfn;
4422 +- ip6_frags.constructor = ip6_frag_init;
4423 +- ip6_frags.destructor = NULL;
4424 +- ip6_frags.qsize = sizeof(struct frag_queue);
4425 +- ip6_frags.match = ip6_frag_match;
4426 +- ip6_frags.frag_expire = ip6_frag_expire;
4427 +- ip6_frags.frags_cache_name = ip6_frag_cache_name;
4428 +- ret = inet_frags_init(&ip6_frags);
4429 +- if (ret)
4430 +- goto err_pernet;
4431 + out:
4432 + return ret;
4433 +
4434 +@@ -762,6 +764,8 @@ err_pernet:
4435 + ip6_frags_sysctl_unregister();
4436 + err_sysctl:
4437 + inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
4438 ++err_protocol:
4439 ++ inet_frags_fini(&ip6_frags);
4440 + goto out;
4441 + }
4442 +
4443 +diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
4444 +index a123d0dc1ef9..053ba8646155 100644
4445 +--- a/net/netlabel/netlabel_unlabeled.c
4446 ++++ b/net/netlabel/netlabel_unlabeled.c
4447 +@@ -787,7 +787,8 @@ static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
4448 + {
4449 + u32 addr_len;
4450 +
4451 +- if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) {
4452 ++ if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
4453 ++ info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
4454 + addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
4455 + if (addr_len != sizeof(struct in_addr) &&
4456 + addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
4457 +diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c
4458 +index 8761877207ec..00c6af2ae1c2 100644
4459 +--- a/sound/hda/hdac_controller.c
4460 ++++ b/sound/hda/hdac_controller.c
4461 +@@ -40,6 +40,8 @@ static void azx_clear_corbrp(struct hdac_bus *bus)
4462 + */
4463 + void snd_hdac_bus_init_cmd_io(struct hdac_bus *bus)
4464 + {
4465 ++ WARN_ON_ONCE(!bus->rb.area);
4466 ++
4467 + spin_lock_irq(&bus->reg_lock);
4468 + /* CORB set up */
4469 + bus->corb.addr = bus->rb.addr;
4470 +@@ -478,13 +480,15 @@ bool snd_hdac_bus_init_chip(struct hdac_bus *bus, bool full_reset)
4471 + /* reset controller */
4472 + azx_reset(bus, full_reset);
4473 +
4474 +- /* initialize interrupts */
4475 ++ /* clear interrupts */
4476 + azx_int_clear(bus);
4477 +- azx_int_enable(bus);
4478 +
4479 + /* initialize the codec command I/O */
4480 + snd_hdac_bus_init_cmd_io(bus);
4481 +
4482 ++ /* enable interrupts after CORB/RIRB buffers are initialized above */
4483 ++ azx_int_enable(bus);
4484 ++
4485 + /* program the position buffer */
4486 + if (bus->use_posbuf && bus->posbuf.addr) {
4487 + snd_hdac_chip_writel(bus, DPLBASE, (u32)bus->posbuf.addr);
4488 +diff --git a/sound/soc/codecs/sigmadsp.c b/sound/soc/codecs/sigmadsp.c
4489 +index d53680ac78e4..6df158669420 100644
4490 +--- a/sound/soc/codecs/sigmadsp.c
4491 ++++ b/sound/soc/codecs/sigmadsp.c
4492 +@@ -117,8 +117,7 @@ static int sigmadsp_ctrl_write(struct sigmadsp *sigmadsp,
4493 + struct sigmadsp_control *ctrl, void *data)
4494 + {
4495 + /* safeload loads up to 20 bytes in a atomic operation */
4496 +- if (ctrl->num_bytes > 4 && ctrl->num_bytes <= 20 && sigmadsp->ops &&
4497 +- sigmadsp->ops->safeload)
4498 ++ if (ctrl->num_bytes <= 20 && sigmadsp->ops && sigmadsp->ops->safeload)
4499 + return sigmadsp->ops->safeload(sigmadsp, ctrl->addr, data,
4500 + ctrl->num_bytes);
4501 + else
4502 +diff --git a/sound/soc/codecs/wm8804-i2c.c b/sound/soc/codecs/wm8804-i2c.c
4503 +index f27464c2c5ba..79541960f45d 100644
4504 +--- a/sound/soc/codecs/wm8804-i2c.c
4505 ++++ b/sound/soc/codecs/wm8804-i2c.c
4506 +@@ -13,6 +13,7 @@
4507 + #include <linux/init.h>
4508 + #include <linux/module.h>
4509 + #include <linux/i2c.h>
4510 ++#include <linux/acpi.h>
4511 +
4512 + #include "wm8804.h"
4513 +
4514 +@@ -40,17 +41,29 @@ static const struct i2c_device_id wm8804_i2c_id[] = {
4515 + };
4516 + MODULE_DEVICE_TABLE(i2c, wm8804_i2c_id);
4517 +
4518 ++#if defined(CONFIG_OF)
4519 + static const struct of_device_id wm8804_of_match[] = {
4520 + { .compatible = "wlf,wm8804", },
4521 + { }
4522 + };
4523 + MODULE_DEVICE_TABLE(of, wm8804_of_match);
4524 ++#endif
4525 ++
4526 ++#ifdef CONFIG_ACPI
4527 ++static const struct acpi_device_id wm8804_acpi_match[] = {
4528 ++ { "1AEC8804", 0 }, /* Wolfson PCI ID + part ID */
4529 ++ { "10138804", 0 }, /* Cirrus Logic PCI ID + part ID */
4530 ++ { },
4531 ++};
4532 ++MODULE_DEVICE_TABLE(acpi, wm8804_acpi_match);
4533 ++#endif
4534 +
4535 + static struct i2c_driver wm8804_i2c_driver = {
4536 + .driver = {
4537 + .name = "wm8804",
4538 + .pm = &wm8804_pm,
4539 +- .of_match_table = wm8804_of_match,
4540 ++ .of_match_table = of_match_ptr(wm8804_of_match),
4541 ++ .acpi_match_table = ACPI_PTR(wm8804_acpi_match),
4542 + },
4543 + .probe = wm8804_i2c_probe,
4544 + .remove = wm8804_i2c_remove,
4545 +diff --git a/tools/perf/scripts/python/export-to-postgresql.py b/tools/perf/scripts/python/export-to-postgresql.py
4546 +index 7656ff8aa066..c001d5a91d22 100644
4547 +--- a/tools/perf/scripts/python/export-to-postgresql.py
4548 ++++ b/tools/perf/scripts/python/export-to-postgresql.py
4549 +@@ -204,14 +204,23 @@ from ctypes import *
4550 + libpq = CDLL("libpq.so.5")
4551 + PQconnectdb = libpq.PQconnectdb
4552 + PQconnectdb.restype = c_void_p
4553 ++PQconnectdb.argtypes = [ c_char_p ]
4554 + PQfinish = libpq.PQfinish
4555 ++PQfinish.argtypes = [ c_void_p ]
4556 + PQstatus = libpq.PQstatus
4557 ++PQstatus.restype = c_int
4558 ++PQstatus.argtypes = [ c_void_p ]
4559 + PQexec = libpq.PQexec
4560 + PQexec.restype = c_void_p
4561 ++PQexec.argtypes = [ c_void_p, c_char_p ]
4562 + PQresultStatus = libpq.PQresultStatus
4563 ++PQresultStatus.restype = c_int
4564 ++PQresultStatus.argtypes = [ c_void_p ]
4565 + PQputCopyData = libpq.PQputCopyData
4566 ++PQputCopyData.restype = c_int
4567 + PQputCopyData.argtypes = [ c_void_p, c_void_p, c_int ]
4568 + PQputCopyEnd = libpq.PQputCopyEnd
4569 ++PQputCopyEnd.restype = c_int
4570 + PQputCopyEnd.argtypes = [ c_void_p, c_void_p ]
4571 +
4572 + sys.path.append(os.environ['PERF_EXEC_PATH'] + \
4573 +diff --git a/tools/testing/selftests/efivarfs/config b/tools/testing/selftests/efivarfs/config
4574 +new file mode 100644
4575 +index 000000000000..4e151f1005b2
4576 +--- /dev/null
4577 ++++ b/tools/testing/selftests/efivarfs/config
4578 +@@ -0,0 +1 @@
4579 ++CONFIG_EFIVAR_FS=y
4580 +diff --git a/tools/testing/selftests/memory-hotplug/config b/tools/testing/selftests/memory-hotplug/config
4581 +index 2fde30191a47..a7e8cd5bb265 100644
4582 +--- a/tools/testing/selftests/memory-hotplug/config
4583 ++++ b/tools/testing/selftests/memory-hotplug/config
4584 +@@ -2,3 +2,4 @@ CONFIG_MEMORY_HOTPLUG=y
4585 + CONFIG_MEMORY_HOTPLUG_SPARSE=y
4586 + CONFIG_NOTIFIER_ERROR_INJECTION=y
4587 + CONFIG_MEMORY_NOTIFIER_ERROR_INJECT=m
4588 ++CONFIG_MEMORY_HOTREMOVE=y
Report Message
Find on MARC Find on Google Groups