diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-06-21 15:40:20 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-06-21 15:40:20 -0400 |
| commit | 48b6bbef9a1789f0365c1a385879a1fea4460016 (patch) | |
| tree | d9cb9408c080b84bed59e3b14004530306bf53ae /net | |
| parent | ce879b64a7be347a315bce6785318e9662e31cb5 (diff) | |
| parent | b4846fc3c8559649277e3e4e6b5cec5348a8d208 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix refcounting wrt timers which hold onto inet6 address objects,
from Xin Long.
2) Fix an ancient bug in wireless wext ioctls, from Johannes Berg.
3) Firmware handling fixes in brcm80211 driver, from Arend Van Spriel.
4) Several mlx5 driver fixes (firmware readiness, timestamp cap
reporting, devlink command validity checking, tc offloading, etc.)
From Eli Cohen, Maor Dickman, Chris Mi, and Or Gerlitz.
5) Fix dst leak in IP/IP6 tunnels, from Haishuang Yan.
6) Fix dst refcount bug in decnet, from Wei Wang.
7) Netdev can be double freed in register_vlan_device(). Fix from Gao
Feng.
8) Don't allow object to be destroyed while it is being dumped in SCTP,
from Xin Long.
9) Fix dpaa_eth build when modular, from Madalin Bucur.
10) Fix throw route leaks, from Serhey Popovych.
11) IFLA_GROUP missing from if_nlmsg_size() and ifla_policy[] table,
also from Serhey Popovych.
12) Fix premature TX SKB free in stmmac, from Niklas Cassel.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits)
igmp: add a missing spin_lock_init()
net: stmmac: free an skb first when there are no longer any descriptors using it
sfc: remove duplicate up_write on VF filter_sem
rtnetlink: add IFLA_GROUP to ifla_policy
ipv6: Do not leak throw route references
dt-bindings: net: sms911x: Add missing optional VDD regulators
dpaa_eth: reuse the dma_ops provided by the FMan MAC device
fsl/fman: propagate dma_ops
net/core: remove explicit do_softirq() from busy_poll_stop()
fib_rules: Resolve goto rules target on delete
sctp: ensure ep is not destroyed before doing the dump
net/hns:bugfix of ethtool -t phy self_test
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
cxgb4: notify uP to route ctrlq compl to rdma rspq
ip6_tunnel: Correct tos value in collect_md mode
decnet: always not take dst->__refcnt when inserting dst into hash table
ip6_tunnel: fix potential issue in __ip6_tnl_rcv
ip_tunnel: fix potential issue in ip_tunnel_rcv
brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()
net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
...
Diffstat (limited to 'net')
| -rw-r--r-- | net/8021q/vlan.c | 3 | ||||
| -rw-r--r-- | net/core/dev.c | 2 | ||||
| -rw-r--r-- | net/core/dev_ioctl.c | 19 | ||||
| -rw-r--r-- | net/core/fib_rules.c | 21 | ||||
| -rw-r--r-- | net/core/rtnetlink.c | 2 | ||||
| -rw-r--r-- | net/decnet/dn_route.c | 14 | ||||
| -rw-r--r-- | net/ipv4/igmp.c | 1 | ||||
| -rw-r--r-- | net/ipv4/ip_tunnel.c | 2 | ||||
| -rw-r--r-- | net/ipv6/addrconf.c | 6 | ||||
| -rw-r--r-- | net/ipv6/fib6_rules.c | 22 | ||||
| -rw-r--r-- | net/ipv6/ip6_fib.c | 3 | ||||
| -rw-r--r-- | net/ipv6/ip6_tunnel.c | 6 | ||||
| -rw-r--r-- | net/rxrpc/key.c | 64 | ||||
| -rw-r--r-- | net/sctp/endpointola.c | 1 | ||||
| -rw-r--r-- | net/sctp/sctp_diag.c | 5 | ||||
| -rw-r--r-- | net/sctp/socket.c | 5 | ||||
| -rw-r--r-- | net/wireless/wext-core.c | 22 |
17 files changed, 104 insertions, 94 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index 467069b73ce1..9649579b5b9f 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c | |||
| @@ -277,7 +277,8 @@ static int register_vlan_device(struct net_device *real_dev, u16 vlan_id) | |||
| 277 | return 0; | 277 | return 0; |
| 278 | 278 | ||
| 279 | out_free_newdev: | 279 | out_free_newdev: |
| 280 | free_netdev(new_dev); | 280 | if (new_dev->reg_state == NETREG_UNINITIALIZED) |
| 281 | free_netdev(new_dev); | ||
| 281 | return err; | 282 | return err; |
| 282 | } | 283 | } |
| 283 | 284 | ||
diff --git a/net/core/dev.c b/net/core/dev.c index 6d60149287a1..7243421c9783 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
| @@ -5206,8 +5206,6 @@ static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock) | |||
| 5206 | if (rc == BUSY_POLL_BUDGET) | 5206 | if (rc == BUSY_POLL_BUDGET) |
| 5207 | __napi_schedule(napi); | 5207 | __napi_schedule(napi); |
| 5208 | local_bh_enable(); | 5208 | local_bh_enable(); |
| 5209 | if (local_softirq_pending()) | ||
| 5210 | do_softirq(); | ||
| 5211 | } | 5209 | } |
| 5212 | 5210 | ||
| 5213 | void napi_busy_loop(unsigned int napi_id, | 5211 | void napi_busy_loop(unsigned int napi_id, |
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index b94b1d293506..27fad31784a8 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c | |||
| @@ -410,6 +410,22 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) | |||
| 410 | if (cmd == SIOCGIFNAME) | 410 | if (cmd == SIOCGIFNAME) |
| 411 | return dev_ifname(net, (struct ifreq __user *)arg); | 411 | return dev_ifname(net, (struct ifreq __user *)arg); |
| 412 | 412 | ||
| 413 | /* | ||
| 414 | * Take care of Wireless Extensions. Unfortunately struct iwreq | ||
| 415 | * isn't a proper subset of struct ifreq (it's 8 byte shorter) | ||
| 416 | * so we need to treat it specially, otherwise applications may | ||
| 417 | * fault if the struct they're passing happens to land at the | ||
| 418 | * end of a mapped page. | ||
| 419 | */ | ||
| 420 | if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) { | ||
| 421 | struct iwreq iwr; | ||
| 422 | |||
| 423 | if (copy_from_user(&iwr, arg, sizeof(iwr))) | ||
| 424 | return -EFAULT; | ||
| 425 | |||
| 426 | return wext_handle_ioctl(net, &iwr, cmd, arg); | ||
| 427 | } | ||
| 428 | |||
| 413 | if (copy_from_user(&ifr, arg, sizeof(struct ifreq))) | 429 | if (copy_from_user(&ifr, arg, sizeof(struct ifreq))) |
| 414 | return -EFAULT; | 430 | return -EFAULT; |
| 415 | 431 | ||
| @@ -559,9 +575,6 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) | |||
| 559 | ret = -EFAULT; | 575 | ret = -EFAULT; |
| 560 | return ret; | 576 | return ret; |
| 561 | } | 577 | } |
| 562 | /* Take care of Wireless Extensions */ | ||
| 563 | if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) | ||
| 564 | return wext_handle_ioctl(net, &ifr, cmd, arg); | ||
| 565 | return -ENOTTY; | 578 | return -ENOTTY; |
| 566 | } | 579 | } |
| 567 | } | 580 | } |
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index f21c4d3aeae0..3bba291c6c32 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c | |||
| @@ -568,7 +568,7 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 568 | struct net *net = sock_net(skb->sk); | 568 | struct net *net = sock_net(skb->sk); |
| 569 | struct fib_rule_hdr *frh = nlmsg_data(nlh); | 569 | struct fib_rule_hdr *frh = nlmsg_data(nlh); |
| 570 | struct fib_rules_ops *ops = NULL; | 570 | struct fib_rules_ops *ops = NULL; |
| 571 | struct fib_rule *rule, *tmp; | 571 | struct fib_rule *rule, *r; |
| 572 | struct nlattr *tb[FRA_MAX+1]; | 572 | struct nlattr *tb[FRA_MAX+1]; |
| 573 | struct fib_kuid_range range; | 573 | struct fib_kuid_range range; |
| 574 | int err = -EINVAL; | 574 | int err = -EINVAL; |
| @@ -668,16 +668,23 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 668 | 668 | ||
| 669 | /* | 669 | /* |
| 670 | * Check if this rule is a target to any of them. If so, | 670 | * Check if this rule is a target to any of them. If so, |
| 671 | * adjust to the next one with the same preference or | ||
| 671 | * disable them. As this operation is eventually very | 672 | * disable them. As this operation is eventually very |
| 672 | * expensive, it is only performed if goto rules have | 673 | * expensive, it is only performed if goto rules, except |
| 673 | * actually been added. | 674 | * current if it is goto rule, have actually been added. |
| 674 | */ | 675 | */ |
| 675 | if (ops->nr_goto_rules > 0) { | 676 | if (ops->nr_goto_rules > 0) { |
| 676 | list_for_each_entry(tmp, &ops->rules_list, list) { | 677 | struct fib_rule *n; |
| 677 | if (rtnl_dereference(tmp->ctarget) == rule) { | 678 | |
| 678 | RCU_INIT_POINTER(tmp->ctarget, NULL); | 679 | n = list_next_entry(rule, list); |
| 680 | if (&n->list == &ops->rules_list || n->pref != rule->pref) | ||
| 681 | n = NULL; | ||
| 682 | list_for_each_entry(r, &ops->rules_list, list) { | ||
| 683 | if (rtnl_dereference(r->ctarget) != rule) | ||
| 684 | continue; | ||
| 685 | rcu_assign_pointer(r->ctarget, n); | ||
| 686 | if (!n) | ||
| 679 | ops->unresolved_rules++; | 687 | ops->unresolved_rules++; |
| 680 | } | ||
| 681 | } | 688 | } |
| 682 | } | 689 | } |
| 683 | 690 | ||
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 5e61456f6bc7..467a2f4510a7 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c | |||
| @@ -931,6 +931,7 @@ static noinline size_t if_nlmsg_size(const struct net_device *dev, | |||
| 931 | + nla_total_size(1) /* IFLA_LINKMODE */ | 931 | + nla_total_size(1) /* IFLA_LINKMODE */ |
| 932 | + nla_total_size(4) /* IFLA_CARRIER_CHANGES */ | 932 | + nla_total_size(4) /* IFLA_CARRIER_CHANGES */ |
| 933 | + nla_total_size(4) /* IFLA_LINK_NETNSID */ | 933 | + nla_total_size(4) /* IFLA_LINK_NETNSID */ |
| 934 | + nla_total_size(4) /* IFLA_GROUP */ | ||
| 934 | + nla_total_size(ext_filter_mask | 935 | + nla_total_size(ext_filter_mask |
| 935 | & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */ | 936 | & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */ |
| 936 | + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */ | 937 | + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */ |
| @@ -1468,6 +1469,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = { | |||
| 1468 | [IFLA_LINK_NETNSID] = { .type = NLA_S32 }, | 1469 | [IFLA_LINK_NETNSID] = { .type = NLA_S32 }, |
| 1469 | [IFLA_PROTO_DOWN] = { .type = NLA_U8 }, | 1470 | [IFLA_PROTO_DOWN] = { .type = NLA_U8 }, |
| 1470 | [IFLA_XDP] = { .type = NLA_NESTED }, | 1471 | [IFLA_XDP] = { .type = NLA_NESTED }, |
| 1472 | [IFLA_GROUP] = { .type = NLA_U32 }, | ||
| 1471 | }; | 1473 | }; |
| 1472 | 1474 | ||
| 1473 | static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = { | 1475 | static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = { |
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 4b9518a0d248..6f95612b4d32 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c | |||
| @@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_route *rt) | |||
| 188 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); | 188 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); |
| 189 | } | 189 | } |
| 190 | 190 | ||
| 191 | static inline void dnrt_drop(struct dn_route *rt) | ||
| 192 | { | ||
| 193 | dst_release(&rt->dst); | ||
| 194 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); | ||
| 195 | } | ||
| 196 | |||
| 197 | static void dn_dst_check_expire(unsigned long dummy) | 191 | static void dn_dst_check_expire(unsigned long dummy) |
| 198 | { | 192 | { |
| 199 | int i; | 193 | int i; |
| @@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops) | |||
| 248 | } | 242 | } |
| 249 | *rtp = rt->dst.dn_next; | 243 | *rtp = rt->dst.dn_next; |
| 250 | rt->dst.dn_next = NULL; | 244 | rt->dst.dn_next = NULL; |
| 251 | dnrt_drop(rt); | 245 | dnrt_free(rt); |
| 252 | break; | 246 | break; |
| 253 | } | 247 | } |
| 254 | spin_unlock_bh(&dn_rt_hash_table[i].lock); | 248 | spin_unlock_bh(&dn_rt_hash_table[i].lock); |
| @@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_route *rt, unsigned int hash, struct dn_rou | |||
| 350 | dst_use(&rth->dst, now); | 344 | dst_use(&rth->dst, now); |
| 351 | spin_unlock_bh(&dn_rt_hash_table[hash].lock); | 345 | spin_unlock_bh(&dn_rt_hash_table[hash].lock); |
| 352 | 346 | ||
| 353 | dnrt_drop(rt); | 347 | dst_free(&rt->dst); |
| 354 | *rp = rth; | 348 | *rp = rth; |
| 355 | return 0; | 349 | return 0; |
| 356 | } | 350 | } |
| @@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long dummy) | |||
| 380 | for(; rt; rt = next) { | 374 | for(; rt; rt = next) { |
| 381 | next = rcu_dereference_raw(rt->dst.dn_next); | 375 | next = rcu_dereference_raw(rt->dst.dn_next); |
| 382 | RCU_INIT_POINTER(rt->dst.dn_next, NULL); | 376 | RCU_INIT_POINTER(rt->dst.dn_next, NULL); |
| 383 | dst_free((struct dst_entry *)rt); | 377 | dnrt_free(rt); |
| 384 | } | 378 | } |
| 385 | 379 | ||
| 386 | nothing_to_declare: | 380 | nothing_to_declare: |
| @@ -1187,7 +1181,7 @@ make_route: | |||
| 1187 | if (dev_out->flags & IFF_LOOPBACK) | 1181 | if (dev_out->flags & IFF_LOOPBACK) |
| 1188 | flags |= RTCF_LOCAL; | 1182 | flags |= RTCF_LOCAL; |
| 1189 | 1183 | ||
| 1190 | rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST); | 1184 | rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST); |
| 1191 | if (rt == NULL) | 1185 | if (rt == NULL) |
| 1192 | goto e_nobufs; | 1186 | goto e_nobufs; |
| 1193 | 1187 | ||
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 8f6b5bbcbf69..ec9a396fa466 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c | |||
| @@ -1112,6 +1112,7 @@ static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im) | |||
| 1112 | pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); | 1112 | pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); |
| 1113 | if (!pmc) | 1113 | if (!pmc) |
| 1114 | return; | 1114 | return; |
| 1115 | spin_lock_init(&pmc->lock); | ||
| 1115 | spin_lock_bh(&im->lock); | 1116 | spin_lock_bh(&im->lock); |
| 1116 | pmc->interface = im->interface; | 1117 | pmc->interface = im->interface; |
| 1117 | in_dev_hold(in_dev); | 1118 | in_dev_hold(in_dev); |
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index b436d0775631..129d1a3616f8 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c | |||
| @@ -446,6 +446,8 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, | |||
| 446 | return 0; | 446 | return 0; |
| 447 | 447 | ||
| 448 | drop: | 448 | drop: |
| 449 | if (tun_dst) | ||
| 450 | dst_release((struct dst_entry *)tun_dst); | ||
| 449 | kfree_skb(skb); | 451 | kfree_skb(skb); |
| 450 | return 0; | 452 | return 0; |
| 451 | } | 453 | } |
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 6a4fb1e629fb..686c92375e81 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
| @@ -332,9 +332,9 @@ static void addrconf_mod_rs_timer(struct inet6_dev *idev, | |||
| 332 | static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, | 332 | static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, |
| 333 | unsigned long delay) | 333 | unsigned long delay) |
| 334 | { | 334 | { |
| 335 | if (!delayed_work_pending(&ifp->dad_work)) | 335 | in6_ifa_hold(ifp); |
| 336 | in6_ifa_hold(ifp); | 336 | if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay)) |
| 337 | mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); | 337 | in6_ifa_put(ifp); |
| 338 | } | 338 | } |
| 339 | 339 | ||
| 340 | static int snmp6_alloc_dev(struct inet6_dev *idev) | 340 | static int snmp6_alloc_dev(struct inet6_dev *idev) |
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index eea23b57c6a5..ec849d88a662 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c | |||
| @@ -32,7 +32,6 @@ struct fib6_rule { | |||
| 32 | struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, | 32 | struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, |
| 33 | int flags, pol_lookup_t lookup) | 33 | int flags, pol_lookup_t lookup) |
| 34 | { | 34 | { |
| 35 | struct rt6_info *rt; | ||
| 36 | struct fib_lookup_arg arg = { | 35 | struct fib_lookup_arg arg = { |
| 37 | .lookup_ptr = lookup, | 36 | .lookup_ptr = lookup, |
| 38 | .flags = FIB_LOOKUP_NOREF, | 37 | .flags = FIB_LOOKUP_NOREF, |
| @@ -44,21 +43,11 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, | |||
| 44 | fib_rules_lookup(net->ipv6.fib6_rules_ops, | 43 | fib_rules_lookup(net->ipv6.fib6_rules_ops, |
| 45 | flowi6_to_flowi(fl6), flags, &arg); | 44 | flowi6_to_flowi(fl6), flags, &arg); |
| 46 | 45 | ||
| 47 | rt = arg.result; | 46 | if (arg.result) |
| 47 | return arg.result; | ||
| 48 | 48 | ||
| 49 | if (!rt) { | 49 | dst_hold(&net->ipv6.ip6_null_entry->dst); |
| 50 | dst_hold(&net->ipv6.ip6_null_entry->dst); | 50 | return &net->ipv6.ip6_null_entry->dst; |
| 51 | return &net->ipv6.ip6_null_entry->dst; | ||
| 52 | } | ||
| 53 | |||
| 54 | if (rt->rt6i_flags & RTF_REJECT && | ||
| 55 | rt->dst.error == -EAGAIN) { | ||
| 56 | ip6_rt_put(rt); | ||
| 57 | rt = net->ipv6.ip6_null_entry; | ||
| 58 | dst_hold(&rt->dst); | ||
| 59 | } | ||
| 60 | |||
| 61 | return &rt->dst; | ||
| 62 | } | 51 | } |
| 63 | 52 | ||
| 64 | static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, | 53 | static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, |
| @@ -121,7 +110,8 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, | |||
| 121 | flp6->saddr = saddr; | 110 | flp6->saddr = saddr; |
| 122 | } | 111 | } |
| 123 | err = rt->dst.error; | 112 | err = rt->dst.error; |
| 124 | goto out; | 113 | if (err != -EAGAIN) |
| 114 | goto out; | ||
| 125 | } | 115 | } |
| 126 | again: | 116 | again: |
| 127 | ip6_rt_put(rt); | 117 | ip6_rt_put(rt); |
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index d4bf2c68a545..e6b78ba0e636 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c | |||
| @@ -289,8 +289,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, | |||
| 289 | struct rt6_info *rt; | 289 | struct rt6_info *rt; |
| 290 | 290 | ||
| 291 | rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags); | 291 | rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags); |
| 292 | if (rt->rt6i_flags & RTF_REJECT && | 292 | if (rt->dst.error == -EAGAIN) { |
| 293 | rt->dst.error == -EAGAIN) { | ||
| 294 | ip6_rt_put(rt); | 293 | ip6_rt_put(rt); |
| 295 | rt = net->ipv6.ip6_null_entry; | 294 | rt = net->ipv6.ip6_null_entry; |
| 296 | dst_hold(&rt->dst); | 295 | dst_hold(&rt->dst); |
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index c3581973f5d7..8c6c3c8e7eef 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c | |||
| @@ -858,6 +858,8 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, | |||
| 858 | return 0; | 858 | return 0; |
| 859 | 859 | ||
| 860 | drop: | 860 | drop: |
| 861 | if (tun_dst) | ||
| 862 | dst_release((struct dst_entry *)tun_dst); | ||
| 861 | kfree_skb(skb); | 863 | kfree_skb(skb); |
| 862 | return 0; | 864 | return 0; |
| 863 | } | 865 | } |
| @@ -1246,7 +1248,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1246 | fl6.flowi6_proto = IPPROTO_IPIP; | 1248 | fl6.flowi6_proto = IPPROTO_IPIP; |
| 1247 | fl6.daddr = key->u.ipv6.dst; | 1249 | fl6.daddr = key->u.ipv6.dst; |
| 1248 | fl6.flowlabel = key->label; | 1250 | fl6.flowlabel = key->label; |
| 1249 | dsfield = ip6_tclass(key->label); | 1251 | dsfield = key->tos; |
| 1250 | } else { | 1252 | } else { |
| 1251 | if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) | 1253 | if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) |
| 1252 | encap_limit = t->parms.encap_limit; | 1254 | encap_limit = t->parms.encap_limit; |
| @@ -1317,7 +1319,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 1317 | fl6.flowi6_proto = IPPROTO_IPV6; | 1319 | fl6.flowi6_proto = IPPROTO_IPV6; |
| 1318 | fl6.daddr = key->u.ipv6.dst; | 1320 | fl6.daddr = key->u.ipv6.dst; |
| 1319 | fl6.flowlabel = key->label; | 1321 | fl6.flowlabel = key->label; |
| 1320 | dsfield = ip6_tclass(key->label); | 1322 | dsfield = key->tos; |
| 1321 | } else { | 1323 | } else { |
| 1322 | offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); | 1324 | offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); |
| 1323 | /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ | 1325 | /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ |
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 0a4e28477ad9..54369225766e 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c | |||
| @@ -217,7 +217,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, | |||
| 217 | unsigned int *_toklen) | 217 | unsigned int *_toklen) |
| 218 | { | 218 | { |
| 219 | const __be32 *xdr = *_xdr; | 219 | const __be32 *xdr = *_xdr; |
| 220 | unsigned int toklen = *_toklen, n_parts, loop, tmp; | 220 | unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen; |
| 221 | 221 | ||
| 222 | /* there must be at least one name, and at least #names+1 length | 222 | /* there must be at least one name, and at least #names+1 length |
| 223 | * words */ | 223 | * words */ |
| @@ -247,16 +247,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, | |||
| 247 | toklen -= 4; | 247 | toklen -= 4; |
| 248 | if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) | 248 | if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) |
| 249 | return -EINVAL; | 249 | return -EINVAL; |
| 250 | if (tmp > toklen) | 250 | paddedlen = (tmp + 3) & ~3; |
| 251 | if (paddedlen > toklen) | ||
| 251 | return -EINVAL; | 252 | return -EINVAL; |
| 252 | princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); | 253 | princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); |
| 253 | if (!princ->name_parts[loop]) | 254 | if (!princ->name_parts[loop]) |
| 254 | return -ENOMEM; | 255 | return -ENOMEM; |
| 255 | memcpy(princ->name_parts[loop], xdr, tmp); | 256 | memcpy(princ->name_parts[loop], xdr, tmp); |
| 256 | princ->name_parts[loop][tmp] = 0; | 257 | princ->name_parts[loop][tmp] = 0; |
| 257 | tmp = (tmp + 3) & ~3; | 258 | toklen -= paddedlen; |
| 258 | toklen -= tmp; | 259 | xdr += paddedlen >> 2; |
| 259 | xdr += tmp >> 2; | ||
| 260 | } | 260 | } |
| 261 | 261 | ||
| 262 | if (toklen < 4) | 262 | if (toklen < 4) |
| @@ -265,16 +265,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, | |||
| 265 | toklen -= 4; | 265 | toklen -= 4; |
| 266 | if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) | 266 | if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) |
| 267 | return -EINVAL; | 267 | return -EINVAL; |
| 268 | if (tmp > toklen) | 268 | paddedlen = (tmp + 3) & ~3; |
| 269 | if (paddedlen > toklen) | ||
| 269 | return -EINVAL; | 270 | return -EINVAL; |
| 270 | princ->realm = kmalloc(tmp + 1, GFP_KERNEL); | 271 | princ->realm = kmalloc(tmp + 1, GFP_KERNEL); |
| 271 | if (!princ->realm) | 272 | if (!princ->realm) |
| 272 | return -ENOMEM; | 273 | return -ENOMEM; |
| 273 | memcpy(princ->realm, xdr, tmp); | 274 | memcpy(princ->realm, xdr, tmp); |
| 274 | princ->realm[tmp] = 0; | 275 | princ->realm[tmp] = 0; |
| 275 | tmp = (tmp + 3) & ~3; | 276 | toklen -= paddedlen; |
| 276 | toklen -= tmp; | 277 | xdr += paddedlen >> 2; |
| 277 | xdr += tmp >> 2; | ||
| 278 | 278 | ||
| 279 | _debug("%s/...@%s", princ->name_parts[0], princ->realm); | 279 | _debug("%s/...@%s", princ->name_parts[0], princ->realm); |
| 280 | 280 | ||
| @@ -293,7 +293,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, | |||
| 293 | unsigned int *_toklen) | 293 | unsigned int *_toklen) |
| 294 | { | 294 | { |
| 295 | const __be32 *xdr = *_xdr; | 295 | const __be32 *xdr = *_xdr; |
| 296 | unsigned int toklen = *_toklen, len; | 296 | unsigned int toklen = *_toklen, len, paddedlen; |
| 297 | 297 | ||
| 298 | /* there must be at least one tag and one length word */ | 298 | /* there must be at least one tag and one length word */ |
| 299 | if (toklen <= 8) | 299 | if (toklen <= 8) |
| @@ -307,15 +307,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, | |||
| 307 | toklen -= 8; | 307 | toklen -= 8; |
| 308 | if (len > max_data_size) | 308 | if (len > max_data_size) |
| 309 | return -EINVAL; | 309 | return -EINVAL; |
| 310 | paddedlen = (len + 3) & ~3; | ||
| 311 | if (paddedlen > toklen) | ||
| 312 | return -EINVAL; | ||
| 310 | td->data_len = len; | 313 | td->data_len = len; |
| 311 | 314 | ||
| 312 | if (len > 0) { | 315 | if (len > 0) { |
| 313 | td->data = kmemdup(xdr, len, GFP_KERNEL); | 316 | td->data = kmemdup(xdr, len, GFP_KERNEL); |
| 314 | if (!td->data) | 317 | if (!td->data) |
| 315 | return -ENOMEM; | 318 | return -ENOMEM; |
| 316 | len = (len + 3) & ~3; | 319 | toklen -= paddedlen; |
| 317 | toklen -= len; | 320 | xdr += paddedlen >> 2; |
| 318 | xdr += len >> 2; | ||
| 319 | } | 321 | } |
| 320 | 322 | ||
| 321 | _debug("tag %x len %x", td->tag, td->data_len); | 323 | _debug("tag %x len %x", td->tag, td->data_len); |
| @@ -387,7 +389,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, | |||
| 387 | const __be32 **_xdr, unsigned int *_toklen) | 389 | const __be32 **_xdr, unsigned int *_toklen) |
| 388 | { | 390 | { |
| 389 | const __be32 *xdr = *_xdr; | 391 | const __be32 *xdr = *_xdr; |
| 390 | unsigned int toklen = *_toklen, len; | 392 | unsigned int toklen = *_toklen, len, paddedlen; |
| 391 | 393 | ||
| 392 | /* there must be at least one length word */ | 394 | /* there must be at least one length word */ |
| 393 | if (toklen <= 4) | 395 | if (toklen <= 4) |
| @@ -399,6 +401,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, | |||
| 399 | toklen -= 4; | 401 | toklen -= 4; |
| 400 | if (len > AFSTOKEN_K5_TIX_MAX) | 402 | if (len > AFSTOKEN_K5_TIX_MAX) |
| 401 | return -EINVAL; | 403 | return -EINVAL; |
| 404 | paddedlen = (len + 3) & ~3; | ||
| 405 | if (paddedlen > toklen) | ||
| 406 | return -EINVAL; | ||
| 402 | *_tktlen = len; | 407 | *_tktlen = len; |
| 403 | 408 | ||
| 404 | _debug("ticket len %u", len); | 409 | _debug("ticket len %u", len); |
| @@ -407,9 +412,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, | |||
| 407 | *_ticket = kmemdup(xdr, len, GFP_KERNEL); | 412 | *_ticket = kmemdup(xdr, len, GFP_KERNEL); |
| 408 | if (!*_ticket) | 413 | if (!*_ticket) |
| 409 | return -ENOMEM; | 414 | return -ENOMEM; |
| 410 | len = (len + 3) & ~3; | 415 | toklen -= paddedlen; |
| 411 | toklen -= len; | 416 | xdr += paddedlen >> 2; |
| 412 | xdr += len >> 2; | ||
| 413 | } | 417 | } |
| 414 | 418 | ||
| 415 | *_xdr = xdr; | 419 | *_xdr = xdr; |
| @@ -552,7 +556,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) | |||
| 552 | { | 556 | { |
| 553 | const __be32 *xdr = prep->data, *token; | 557 | const __be32 *xdr = prep->data, *token; |
| 554 | const char *cp; | 558 | const char *cp; |
| 555 | unsigned int len, tmp, loop, ntoken, toklen, sec_ix; | 559 | unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix; |
| 556 | size_t datalen = prep->datalen; | 560 | size_t datalen = prep->datalen; |
| 557 | int ret; | 561 | int ret; |
| 558 | 562 | ||
| @@ -578,22 +582,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) | |||
| 578 | if (len < 1 || len > AFSTOKEN_CELL_MAX) | 582 | if (len < 1 || len > AFSTOKEN_CELL_MAX) |
| 579 | goto not_xdr; | 583 | goto not_xdr; |
| 580 | datalen -= 4; | 584 | datalen -= 4; |
| 581 | tmp = (len + 3) & ~3; | 585 | paddedlen = (len + 3) & ~3; |
| 582 | if (tmp > datalen) | 586 | if (paddedlen > datalen) |
| 583 | goto not_xdr; | 587 | goto not_xdr; |
| 584 | 588 | ||
| 585 | cp = (const char *) xdr; | 589 | cp = (const char *) xdr; |
| 586 | for (loop = 0; loop < len; loop++) | 590 | for (loop = 0; loop < len; loop++) |
| 587 | if (!isprint(cp[loop])) | 591 | if (!isprint(cp[loop])) |
| 588 | goto not_xdr; | 592 | goto not_xdr; |
| 589 | if (len < tmp) | 593 | for (; loop < paddedlen; loop++) |
| 590 | for (; loop < tmp; loop++) | 594 | if (cp[loop]) |
| 591 | if (cp[loop]) | 595 | goto not_xdr; |
| 592 | goto not_xdr; | ||
| 593 | _debug("cellname: [%u/%u] '%*.*s'", | 596 | _debug("cellname: [%u/%u] '%*.*s'", |
| 594 | len, tmp, len, len, (const char *) xdr); | 597 | len, paddedlen, len, len, (const char *) xdr); |
| 595 | datalen -= tmp; | 598 | datalen -= paddedlen; |
| 596 | xdr += tmp >> 2; | 599 | xdr += paddedlen >> 2; |
| 597 | 600 | ||
| 598 | /* get the token count */ | 601 | /* get the token count */ |
| 599 | if (datalen < 12) | 602 | if (datalen < 12) |
| @@ -614,10 +617,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) | |||
| 614 | sec_ix = ntohl(*xdr); | 617 | sec_ix = ntohl(*xdr); |
| 615 | datalen -= 4; | 618 | datalen -= 4; |
| 616 | _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); | 619 | _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); |
| 617 | if (toklen < 20 || toklen > datalen) | 620 | paddedlen = (toklen + 3) & ~3; |
| 621 | if (toklen < 20 || toklen > datalen || paddedlen > datalen) | ||
| 618 | goto not_xdr; | 622 | goto not_xdr; |
| 619 | datalen -= (toklen + 3) & ~3; | 623 | datalen -= paddedlen; |
| 620 | xdr += (toklen + 3) >> 2; | 624 | xdr += paddedlen >> 2; |
| 621 | 625 | ||
| 622 | } while (--loop > 0); | 626 | } while (--loop > 0); |
| 623 | 627 | ||
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c index 8c589230794f..3dcd0ecf3d99 100644 --- a/net/sctp/endpointola.c +++ b/net/sctp/endpointola.c | |||
| @@ -275,6 +275,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep) | |||
| 275 | if (sctp_sk(sk)->bind_hash) | 275 | if (sctp_sk(sk)->bind_hash) |
| 276 | sctp_put_port(sk); | 276 | sctp_put_port(sk); |
| 277 | 277 | ||
| 278 | sctp_sk(sk)->ep = NULL; | ||
| 278 | sock_put(sk); | 279 | sock_put(sk); |
| 279 | } | 280 | } |
| 280 | 281 | ||
diff --git a/net/sctp/sctp_diag.c b/net/sctp/sctp_diag.c index 048954eee984..9a647214a91e 100644 --- a/net/sctp/sctp_diag.c +++ b/net/sctp/sctp_diag.c | |||
| @@ -278,7 +278,6 @@ out: | |||
| 278 | 278 | ||
| 279 | static int sctp_sock_dump(struct sock *sk, void *p) | 279 | static int sctp_sock_dump(struct sock *sk, void *p) |
| 280 | { | 280 | { |
| 281 | struct sctp_endpoint *ep = sctp_sk(sk)->ep; | ||
| 282 | struct sctp_comm_param *commp = p; | 281 | struct sctp_comm_param *commp = p; |
| 283 | struct sk_buff *skb = commp->skb; | 282 | struct sk_buff *skb = commp->skb; |
| 284 | struct netlink_callback *cb = commp->cb; | 283 | struct netlink_callback *cb = commp->cb; |
| @@ -287,7 +286,9 @@ static int sctp_sock_dump(struct sock *sk, void *p) | |||
| 287 | int err = 0; | 286 | int err = 0; |
| 288 | 287 | ||
| 289 | lock_sock(sk); | 288 | lock_sock(sk); |
| 290 | list_for_each_entry(assoc, &ep->asocs, asocs) { | 289 | if (!sctp_sk(sk)->ep) |
| 290 | goto release; | ||
| 291 | list_for_each_entry(assoc, &sctp_sk(sk)->ep->asocs, asocs) { | ||
| 291 | if (cb->args[4] < cb->args[1]) | 292 | if (cb->args[4] < cb->args[1]) |
| 292 | goto next; | 293 | goto next; |
| 293 | 294 | ||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 30aa0a529215..3a8318e518f1 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -4666,9 +4666,8 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *), | |||
| 4666 | if (err) | 4666 | if (err) |
| 4667 | return err; | 4667 | return err; |
| 4668 | 4668 | ||
| 4669 | sctp_transport_get_idx(net, &hti, pos); | 4669 | obj = sctp_transport_get_idx(net, &hti, pos + 1); |
| 4670 | obj = sctp_transport_get_next(net, &hti); | 4670 | for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) { |
| 4671 | for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) { | ||
| 4672 | struct sctp_transport *transport = obj; | 4671 | struct sctp_transport *transport = obj; |
| 4673 | 4672 | ||
| 4674 | if (!sctp_transport_hold(transport)) | 4673 | if (!sctp_transport_hold(transport)) |
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c index 1a4db6790e20..6cdb054484d6 100644 --- a/net/wireless/wext-core.c +++ b/net/wireless/wext-core.c | |||
| @@ -914,13 +914,12 @@ int call_commit_handler(struct net_device *dev) | |||
| 914 | * Main IOCTl dispatcher. | 914 | * Main IOCTl dispatcher. |
| 915 | * Check the type of IOCTL and call the appropriate wrapper... | 915 | * Check the type of IOCTL and call the appropriate wrapper... |
| 916 | */ | 916 | */ |
| 917 | static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, | 917 | static int wireless_process_ioctl(struct net *net, struct iwreq *iwr, |
| 918 | unsigned int cmd, | 918 | unsigned int cmd, |
| 919 | struct iw_request_info *info, | 919 | struct iw_request_info *info, |
| 920 | wext_ioctl_func standard, | 920 | wext_ioctl_func standard, |
| 921 | wext_ioctl_func private) | 921 | wext_ioctl_func private) |
| 922 | { | 922 | { |
| 923 | struct iwreq *iwr = (struct iwreq *) ifr; | ||
| 924 | struct net_device *dev; | 923 | struct net_device *dev; |
| 925 | iw_handler handler; | 924 | iw_handler handler; |
| 926 | 925 | ||
| @@ -928,7 +927,7 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, | |||
| 928 | * The copy_to/from_user() of ifr is also dealt with in there */ | 927 | * The copy_to/from_user() of ifr is also dealt with in there */ |
| 929 | 928 | ||
| 930 | /* Make sure the device exist */ | 929 | /* Make sure the device exist */ |
| 931 | if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL) | 930 | if ((dev = __dev_get_by_name(net, iwr->ifr_name)) == NULL) |
| 932 | return -ENODEV; | 931 | return -ENODEV; |
| 933 | 932 | ||
| 934 | /* A bunch of special cases, then the generic case... | 933 | /* A bunch of special cases, then the generic case... |
| @@ -957,9 +956,6 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr, | |||
| 957 | else if (private) | 956 | else if (private) |
| 958 | return private(dev, iwr, cmd, info, handler); | 957 | return private(dev, iwr, cmd, info, handler); |
| 959 | } | 958 | } |
| 960 | /* Old driver API : call driver ioctl handler */ | ||
| 961 | if (dev->netdev_ops->ndo_do_ioctl) | ||
| 962 | return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); | ||
| 963 | return -EOPNOTSUPP; | 959 | return -EOPNOTSUPP; |
| 964 | } | 960 | } |
| 965 | 961 | ||
| @@ -977,7 +973,7 @@ static int wext_permission_check(unsigned int cmd) | |||
| 977 | } | 973 | } |
| 978 | 974 | ||
| 979 | /* entry point from dev ioctl */ | 975 | /* entry point from dev ioctl */ |
| 980 | static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr, | 976 | static int wext_ioctl_dispatch(struct net *net, struct iwreq *iwr, |
| 981 | unsigned int cmd, struct iw_request_info *info, | 977 | unsigned int cmd, struct iw_request_info *info, |
| 982 | wext_ioctl_func standard, | 978 | wext_ioctl_func standard, |
| 983 | wext_ioctl_func private) | 979 | wext_ioctl_func private) |
| @@ -987,9 +983,9 @@ static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr, | |||
| 987 | if (ret) | 983 | if (ret) |
| 988 | return ret; | 984 | return ret; |
| 989 | 985 | ||
| 990 | dev_load(net, ifr->ifr_name); | 986 | dev_load(net, iwr->ifr_name); |
| 991 | rtnl_lock(); | 987 | rtnl_lock(); |
| 992 | ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private); | 988 | ret = wireless_process_ioctl(net, iwr, cmd, info, standard, private); |
| 993 | rtnl_unlock(); | 989 | rtnl_unlock(); |
| 994 | 990 | ||
| 995 | return ret; | 991 | return ret; |
| @@ -1039,18 +1035,18 @@ static int ioctl_standard_call(struct net_device * dev, | |||
| 1039 | } | 1035 | } |
| 1040 | 1036 | ||
| 1041 | 1037 | ||
| 1042 | int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd, | 1038 | int wext_handle_ioctl(struct net *net, struct iwreq *iwr, unsigned int cmd, |
| 1043 | void __user *arg) | 1039 | void __user *arg) |
| 1044 | { | 1040 | { |
| 1045 | struct iw_request_info info = { .cmd = cmd, .flags = 0 }; | 1041 | struct iw_request_info info = { .cmd = cmd, .flags = 0 }; |
| 1046 | int ret; | 1042 | int ret; |
| 1047 | 1043 | ||
| 1048 | ret = wext_ioctl_dispatch(net, ifr, cmd, &info, | 1044 | ret = wext_ioctl_dispatch(net, iwr, cmd, &info, |
| 1049 | ioctl_standard_call, | 1045 | ioctl_standard_call, |
| 1050 | ioctl_private_call); | 1046 | ioctl_private_call); |
| 1051 | if (ret >= 0 && | 1047 | if (ret >= 0 && |
| 1052 | IW_IS_GET(cmd) && | 1048 | IW_IS_GET(cmd) && |
| 1053 | copy_to_user(arg, ifr, sizeof(struct iwreq))) | 1049 | copy_to_user(arg, iwr, sizeof(struct iwreq))) |
| 1054 | return -EFAULT; | 1050 | return -EFAULT; |
| 1055 | 1051 | ||
| 1056 | return ret; | 1052 | return ret; |
| @@ -1107,7 +1103,7 @@ int compat_wext_handle_ioctl(struct net *net, unsigned int cmd, | |||
| 1107 | info.cmd = cmd; | 1103 | info.cmd = cmd; |
| 1108 | info.flags = IW_REQUEST_FLAG_COMPAT; | 1104 | info.flags = IW_REQUEST_FLAG_COMPAT; |
| 1109 | 1105 | ||
| 1110 | ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info, | 1106 | ret = wext_ioctl_dispatch(net, &iwr, cmd, &info, |
| 1111 | compat_standard_call, | 1107 | compat_standard_call, |
| 1112 | compat_private_call); | 1108 | compat_private_call); |
| 1113 | 1109 | ||