This patch series fixes several bugs in the gtp module.

First patch fixes suspicious RCU usage. The problem is to use rcu_dereference_sk_user_data() outside of RCU read critical section.

Second patch fixes use-after-free. gtp_encap_destroy() is called twice. gtp_encap_destroy() use both gtp->sk0 and gtp->sk1u. these pointers can be freed in gtp_encap_destroy(). So, gtp_encap_destroy() should avoid using freed sk pointer.

Third patch removes duplicate code in gtp_dellink(). gtp_dellink() calls gtp_encap_disable() twice. So, remove one of them.

Fourth patch fixes usage of GFP_KERNEL. GFP_KERNEL can not be used in RCU read critical section. This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL.

Fifth patch fixes use-after-free in gtp_newlink(). gtp_newlink() uses gtp_net which would be destroyed by the __exit_net routine. So, gtp_newlink should not be called after the __exit_net routine.

Sixth patch adds missing error handling routine in gtp_encap_enable(). gtp_encap_enable() will fail, if invalid role value is sent from user-space. if so, gtp_encap_enable() should execute error handling routine.

Taehee Yoo (6): gtp: fix suspicious RCU usage gtp: fix use-after-free in gtp_encap_destroy() gtp: remove duplicate code in gtp_dellink() gtp: fix Illegal context switch in RCU read-side critical section. gtp: fix use-after-free in gtp_newlink() gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()

drivers/net/gtp.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-)