Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller: 1) Fix bluetooth userland regression reported by Keith Packard, from Gustavo Padovan. 2) Revert ath9k PS idle change, from Sujith Manoharan. 3) Correct default TCP memory limits (again), from Eric Dumazet. 4) Fix tcp_rcv_rtt_update() accidental use of unscaled RTT, from Neal Cardwell. 5) We made a facility for layers like wireless to say how much tailroom they need in the SKB for link layer stuff such as wireless encryption etc., but TCP works hard to fill every SKB out to the end defeating this specification. This leads to every TCP packet getting reallocated by the wireless code in order to have the right amount of tailroom available. Fix TCP to only fill SKBs out to the real amount of data area it asked for during the allocation, this way it won't eat into the slack added for the device's tailroom needs. Reported by Marc Merlin and fixed by Eric Dumazet. 6) Leaks, endian bugs, and new device IDs in bluetooth from Santosh Nayak, João Paulo Rechi Vita, Cho, Yu-Chen, Andrei Emeltchenko, AceLan Kao, and Andrei Emeltchenko. 7) OOPS on tty_close fix in bluetooth's hci_ldisc from Johan Hovold. 8) netfilter erroneously scales TCP window twice, fix from Changli Gao. 9) Memleak fix in wext-core from Julia Lawall. 10) Consistently handle invalid TCP packets in ipv4 vs. ipv6 conntrack, from Jozsef Kadlecsik. 11) Validate IP header length properly in netfilter conntrack's ipv4_get_l4proto(). * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (39 commits) NFC: Fix the LLCP Tx fragmentation loop rtlwifi: Add missing DMA buffer unmapping for PCI drivers rtlwifi: Preallocate USB read buffers and eliminate kalloc in read routine tcp: avoid order-1 allocations on wifi and tx path net: allow pskb_expand_head() to get maximum tailroom bridge: Do not send queries on multicast group leaves MAINTAINERS: Mark NATSEMI driver as orphan'd. tcp: fix tcp_rcv_rtt_update() use of an unscaled RTT sample tcp: restore correct limit Revert "ath9k: fix going to full-sleep on PS idle" rt2x00: Fix rfkill_polling register function. bcma: fix build error on MIPS; implicit pcibios_enable_device netfilter: nf_conntrack: fix incorrect logic in nf_conntrack_init_net netfilter: nf_ct_ipv4: packets with wrong ihl are invalid netfilter: nf_ct_ipv4: handle invalid IPv4 and IPv6 packets consistently net/wireless/wext-core.c: add missing kfree rtlwifi: Fix oops on rate-control failure mac80211: Convert WARN_ON to WARN_ON_ONCE rtlwifi: rtl8192de: Fix firmware initialization nl80211: ensure interface is up in various APIs ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-04-12 17:04:33 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-04-12 17:04:33 -0400
commit: 174808af90a06ee59ffedd60c00c252f1f887f25 (patch)
tree: 5e026fdc0d2b4d66c0a79267e5755e10d6d04bd8 /net
parent: 778c2dee6f134bf0472ed45eedaee53b4f336afb (diff)
parent: 5d949944229b0a08e218723be231731cd86b94f3 (diff)
18 files changed, 74 insertions, 139 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index e33af63a884..92a857e3786 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -665,6 +665,11 @@ int hci_dev_open(__u16 dev)
        hci_req_lock(hdev);
+        if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
+                ret = -ENODEV;
+                goto done;
+        }
        if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
                ret = -ERFKILL;
                goto done;
@@ -1849,6 +1854,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
        BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+        set_bit(HCI_UNREGISTER, &hdev->dev_flags);
        write_lock(&hci_dev_list_lock);
        list_del(&hdev->list);
        write_unlock(&hci_dev_list_lock);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b8e17e4dac8..94552b33d52 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1308,6 +1308,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
        if (chan->retry_count >= chan->remote_max_tx) {
                l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
                l2cap_chan_unlock(chan);
+                l2cap_chan_put(chan);
                return;
        }
@@ -1316,6 +1317,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
        l2cap_chan_unlock(chan);
+        l2cap_chan_put(chan);
 }
 static void l2cap_retrans_timeout(struct work_struct *work)
@@ -1335,6 +1337,7 @@ static void l2cap_retrans_timeout(struct work_struct *work)
        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
        l2cap_chan_unlock(chan);
+        l2cap_chan_put(chan);
 }
 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index c4fe583b0af..29122ed28ea 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -82,7 +82,7 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
        }
        if (la.l2_cid)
-                err = l2cap_add_scid(chan, la.l2_cid);
+                err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
        else
                err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
@@ -123,7 +123,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
        if (la.l2_cid && la.l2_psm)
                return -EINVAL;
-        err = l2cap_chan_connect(chan, la.l2_psm, la.l2_cid, &la.l2_bdaddr);
+        err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
+                                &la.l2_bdaddr);
        if (err)
                return err;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 7fcff888713..4ef275c6967 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2523,13 +2523,18 @@ static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
        if (cp->val) {
                type = PAGE_SCAN_TYPE_INTERLACED;
-                acp.interval = 0x0024;  /* 22.5 msec page scan interval */
+                /* 22.5 msec page scan interval */
+                acp.interval = __constant_cpu_to_le16(0x0024);
        } else {
                type = PAGE_SCAN_TYPE_STANDARD; /* default */
-                acp.interval = 0x0800;  /* default 1.28 sec page scan */
+                /* default 1.28 sec page scan */
+                acp.interval = __constant_cpu_to_le16(0x0800);
        }
-        acp.window = 0x0012;    /* default 11.25 msec page scan window */
+        /* default 11.25 msec page scan window */
+        acp.window = __constant_cpu_to_le16(0x0012);
        err = hci_send_cmd(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, sizeof(acp),
                           &acp);
@@ -2936,7 +2941,7 @@ int mgmt_device_connected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
                                          name, name_len);
        if (dev_class && memcmp(dev_class, "\0\0\0", 3) != 0)
-                eir_len = eir_append_data(&ev->eir[eir_len], eir_len,
+                eir_len = eir_append_data(ev->eir, eir_len,
                                          EIR_CLASS_OF_DEV, dev_class, 3);
        put_unaligned_le16(eir_len, &ev->eir_len);
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 702a1ae9220..27ca25ed702 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -241,7 +241,6 @@ static void br_multicast_group_expired(unsigned long data)
        hlist_del_rcu(&mp->hlist[mdb->ver]);
        mdb->size--;
-        del_timer(&mp->query_timer);
        call_rcu_bh(&mp->rcu, br_multicast_free_group);
 out:
@@ -271,7 +270,6 @@ static void br_multicast_del_pg(struct net_bridge *br,
                rcu_assign_pointer(*pp, p->next);
                hlist_del_init(&p->mglist);
                del_timer(&p->timer);
-                del_timer(&p->query_timer);
                call_rcu_bh(&p->rcu, br_multicast_free_pg);
                if (!mp->ports && !mp->mglist &&
@@ -507,74 +505,6 @@ static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br,
        return NULL;
 }
-static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp)
-{
-        struct net_bridge *br = mp->br;
-        struct sk_buff *skb;
-        skb = br_multicast_alloc_query(br, &mp->addr);
-        if (!skb)
-                goto timer;
-        netif_rx(skb);
-timer:
-        if (++mp->queries_sent < br->multicast_last_member_count)
-                mod_timer(&mp->query_timer,
-                          jiffies + br->multicast_last_member_interval);
-}
-static void br_multicast_group_query_expired(unsigned long data)
-{
-        struct net_bridge_mdb_entry *mp = (void *)data;
-        struct net_bridge *br = mp->br;
-        spin_lock(&br->multicast_lock);
-        if (!netif_running(br->dev) || !mp->mglist ||
-            mp->queries_sent >= br->multicast_last_member_count)
-                goto out;
-        br_multicast_send_group_query(mp);
-out:
-        spin_unlock(&br->multicast_lock);
-}
-static void br_multicast_send_port_group_query(struct net_bridge_port_group *pg)
-{
-        struct net_bridge_port *port = pg->port;
-        struct net_bridge *br = port->br;
-        struct sk_buff *skb;
-        skb = br_multicast_alloc_query(br, &pg->addr);
-        if (!skb)
-                goto timer;
-        br_deliver(port, skb);
-timer:
-        if (++pg->queries_sent < br->multicast_last_member_count)
-                mod_timer(&pg->query_timer,
-                          jiffies + br->multicast_last_member_interval);
-}
-static void br_multicast_port_group_query_expired(unsigned long data)
-{
-        struct net_bridge_port_group *pg = (void *)data;
-        struct net_bridge_port *port = pg->port;
-        struct net_bridge *br = port->br;
-        spin_lock(&br->multicast_lock);
-        if (!netif_running(br->dev) || hlist_unhashed(&pg->mglist) ||
-            pg->queries_sent >= br->multicast_last_member_count)
-                goto out;
-        br_multicast_send_port_group_query(pg);
-out:
-        spin_unlock(&br->multicast_lock);
-}
 static struct net_bridge_mdb_entry *br_multicast_get_group(
        struct net_bridge *br, struct net_bridge_port *port,
        struct br_ip *group, int hash)
@@ -690,8 +620,6 @@ rehash:
        mp->addr = *group;
        setup_timer(&mp->timer, br_multicast_group_expired,
                    (unsigned long)mp);
-        setup_timer(&mp->query_timer, br_multicast_group_query_expired,
-                    (unsigned long)mp);
        hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]);
        mdb->size++;
@@ -746,8 +674,6 @@ static int br_multicast_add_group(struct net_bridge *br,
        hlist_add_head(&p->mglist, &port->mglist);
        setup_timer(&p->timer, br_multicast_port_group_expired,
                    (unsigned long)p);
-        setup_timer(&p->query_timer, br_multicast_port_group_query_expired,
-                    (unsigned long)p);
        rcu_assign_pointer(*pp, p);
@@ -1291,9 +1217,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
                     time_after(mp->timer.expires, time) :
                     try_to_del_timer_sync(&mp->timer) >= 0)) {
                        mod_timer(&mp->timer, time);
-                        mp->queries_sent = 0;
-                        mod_timer(&mp->query_timer, now);
                }
                goto out;
@@ -1310,9 +1233,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
                     time_after(p->timer.expires, time) :
                     try_to_del_timer_sync(&p->timer) >= 0)) {
                        mod_timer(&p->timer, time);
-                        p->queries_sent = 0;
-                        mod_timer(&p->query_timer, now);
                }
                break;
@@ -1681,7 +1601,6 @@ void br_multicast_stop(struct net_bridge *br)
                hlist_for_each_entry_safe(mp, p, n, &mdb->mhash[i],
                                          hlist[ver]) {
                        del_timer(&mp->timer);
-                        del_timer(&mp->query_timer);
                        call_rcu_bh(&mp->rcu, br_multicast_free_group);
                }
        }
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 0b67a63ad7a..e1d88225787 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -82,9 +82,7 @@ struct net_bridge_port_group {
        struct hlist_node               mglist;
        struct rcu_head                 rcu;
        struct timer_list               timer;
-        struct timer_list               query_timer;
        struct br_ip                    addr;
-        u32                             queries_sent;
 };
 struct net_bridge_mdb_entry
@@ -94,10 +92,8 @@ struct net_bridge_mdb_entry
        struct net_bridge_port_group __rcu *ports;
        struct rcu_head                 rcu;
        struct timer_list               timer;
-        struct timer_list               query_timer;
        struct br_ip                    addr;
        bool                            mglist;
-        u32                             queries_sent;
 };
 struct net_bridge_mdb_htable
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index baf8d281152..e59840010d4 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -952,9 +952,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
                goto adjust_others;
        }
-        data = kmalloc(size + sizeof(struct skb_shared_info), gfp_mask);
+        data = kmalloc(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
+                       gfp_mask);
        if (!data)
                goto nodata;
+        size = SKB_WITH_OVERHEAD(ksize(data));
        /* Copy only real data... and, alas, header. This should be
         * optimized for the cases when header is void.
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index de9da21113a..cf73cc70ed2 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -74,16 +74,24 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
        iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
        if (iph == NULL)
-                return -NF_DROP;
+                return -NF_ACCEPT;
        /* Conntrack defragments packets, we might still see fragments
         * inside ICMP packets though. */
        if (iph->frag_off & htons(IP_OFFSET))
-                return -NF_DROP;
+                return -NF_ACCEPT;
        *dataoff = nhoff + (iph->ihl << 2);
        *protonum = iph->protocol;
+        /* Check bogus IP headers */
+        if (*dataoff > skb->len) {
+                pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
+                         "nhoff %u, ihl %u, skblen %u\n",
+                         nhoff, iph->ihl << 2, skb->len);
+                return -NF_ACCEPT;
+        }
        return NF_ACCEPT;
 }
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0cd36e33273..8bb6adeb62c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -701,11 +701,12 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
        skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp);
        if (skb) {
                if (sk_wmem_schedule(sk, skb->truesize)) {
+                        skb_reserve(skb, sk->sk_prot->max_header);
                        /*
                         * Make sure that we have exactly size bytes
                         * available to the caller, no more, no less.
                         */
-                        skb_reserve(skb, skb_tailroom(skb) - size);
+                        skb->avail_size = size;
                        return skb;
                }
                __kfree_skb(skb);
@@ -995,10 +996,9 @@ new_segment:
                                copy = seglen;
                        /* Where to copy to? */
-                        if (skb_tailroom(skb) > 0) {
+                        if (skb_availroom(skb) > 0) {
                                /* We have some space in skb head. Superb! */
-                                if (copy > skb_tailroom(skb))
+                                copy = min_t(int, copy, skb_availroom(skb));
-                                        copy = skb_tailroom(skb);
                                err = skb_add_data_nocache(sk, skb, from, copy);
                                if (err)
                                        goto do_fault;
@@ -3302,8 +3302,7 @@ void __init tcp_init(void)
        tcp_init_mem(&init_net);
        /* Set per-socket limits to no more than 1/128 the pressure threshold */
-        limit = nr_free_buffer_pages() << (PAGE_SHIFT - 10);
+        limit = nr_free_buffer_pages() << (PAGE_SHIFT - 7);
-        limit = max(limit, 128UL);
        max_share = min(4UL*1024*1024, limit);
        sysctl_tcp_wmem[0] = SK_MEM_QUANTUM;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 05b2dd56969..9944c1d9a21 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -474,8 +474,11 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
                if (!win_dep) {
                        m -= (new_sample >> 3);
                        new_sample += m;
-                } else if (m < new_sample)
+                } else {
-                        new_sample = m << 3;
+                        m <<= 3;
+                        if (m < new_sample)
+                                new_sample = m;
+                }
        } else {
                /* No previous measure. */
                new_sample = m << 3;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 364784a9193..376b2cfbb68 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2060,7 +2060,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
                /* Punt if not enough space exists in the first SKB for
                 * the data in the second
                 */
-                if (skb->len > skb_tailroom(to))
+                if (skb->len > skb_availroom(to))
                        break;
                if (after(TCP_SKB_CB(skb)->end_seq, tcp_wnd_end(tp)))
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 94874b0bdcd..9d4e1555931 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -78,19 +78,6 @@ EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
   Hence the start of any table is given by get_table() below.  */
-/* Check for an extension */
-int
-ip6t_ext_hdr(u8 nexthdr)
-{
-        return  (nexthdr == IPPROTO_HOPOPTS)   ||
-                (nexthdr == IPPROTO_ROUTING)   ||
-                (nexthdr == IPPROTO_FRAGMENT)  ||
-                (nexthdr == IPPROTO_ESP)       ||
-                (nexthdr == IPPROTO_AH)        ||
-                (nexthdr == IPPROTO_NONE)      ||
-                (nexthdr == IPPROTO_DSTOPTS);
-}
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -2366,7 +2353,6 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
 EXPORT_SYMBOL(ip6t_register_table);
 EXPORT_SYMBOL(ip6t_unregister_table);
 EXPORT_SYMBOL(ip6t_do_table);
-EXPORT_SYMBOL(ip6t_ext_hdr);
 EXPORT_SYMBOL(ipv6_find_hdr);
 module_init(ip6_tables_init);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 576fb25456d..f76da5b3f5c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3387,8 +3387,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
                 */
                printk(KERN_DEBUG "%s: waiting for beacon from %pM\n",
                       sdata->name, ifmgd->bssid);
-                assoc_data->timeout = jiffies +
+                assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
-                                TU_TO_EXP_TIME(req->bss->beacon_interval);
        } else {
                assoc_data->have_beacon = true;
                assoc_data->sent_assoc = false;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 3cc4487ac34..729f157a0ef 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1592,7 +1592,7 @@ static int nf_conntrack_init_net(struct net *net)
        return 0;
 err_timeout:
-        nf_conntrack_timeout_fini(net);
+        nf_conntrack_ecache_fini(net);
 err_ecache:
        nf_conntrack_tstamp_fini(net);
 err_tstamp:
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 361eade62a0..0d07a1dcf60 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -584,8 +584,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
                         * Let's try to use the data from the packet.
                         */
                        sender->td_end = end;
-                        win <<= sender->td_scale;
+                        swin = win << sender->td_scale;
-                        sender->td_maxwin = (win == 0 ? 1 : win);
+                        sender->td_maxwin = (swin == 0 ? 1 : swin);
                        sender->td_maxend = end + sender->td_maxwin;
                        /*
                         * We haven't seen traffic in the other direction yet
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index 7b76eb7192f..ef10ffcb4b6 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -474,7 +474,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
        while (remaining_len > 0) {
-                frag_len = min_t(u16, local->remote_miu, remaining_len);
+                frag_len = min_t(size_t, local->remote_miu, remaining_len);
                pr_debug("Fragment %zd bytes remaining %zd",
                         frag_len, remaining_len);
@@ -497,7 +497,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
                release_sock(sk);
                remaining_len -= frag_len;
-                msg_ptr += len;
+                msg_ptr += frag_len;
        }
        kfree(msg_data);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index e49da279702..f432c57af05 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1294,6 +1294,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                        goto bad_res;
                }
+                if (!netif_running(netdev)) {
+                        result = -ENETDOWN;
+                        goto bad_res;
+                }
                nla_for_each_nested(nl_txq_params,
                                    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
                                    rem_txq_params) {
@@ -6384,7 +6389,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_get_key,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6416,7 +6421,7 @@ static struct genl_ops nl80211_ops[] = {
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
                .doit = nl80211_set_beacon,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6424,7 +6429,7 @@ static struct genl_ops nl80211_ops[] = {
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
                .doit = nl80211_start_ap,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6432,7 +6437,7 @@ static struct genl_ops nl80211_ops[] = {
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
                .doit = nl80211_stop_ap,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6448,7 +6453,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_set_station,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6464,7 +6469,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_del_station,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6497,7 +6502,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_del_mpath,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6505,7 +6510,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_set_bss,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6531,7 +6536,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_get_mesh_config,
                .policy = nl80211_policy,
                /* can be retrieved by unprivileged users */
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6664,7 +6669,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_setdel_pmksa,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6672,7 +6677,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_setdel_pmksa,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6680,7 +6685,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_flush_pmksa,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
@@ -6840,7 +6845,7 @@ static struct genl_ops nl80211_ops[] = {
                .doit = nl80211_probe_client,
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0af7f54e4f6..af648e08e61 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -780,8 +780,10 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
                if (cmd == SIOCSIWENCODEEXT) {
                        struct iw_encode_ext *ee = (void *) extra;
-                        if (iwp->length < sizeof(*ee) + ee->key_len)
+                        if (iwp->length < sizeof(*ee) + ee->key_len) {
-                                return -EFAULT;
+                                err = -EFAULT;
+                                goto out;
+                        }
                }
        }
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-04-12 17:04:33 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-04-12 17:04:33 -0400
commit	174808af90a06ee59ffedd60c00c252f1f887f25 (patch)
tree	5e026fdc0d2b4d66c0a79267e5755e10d6d04bd8 /net
parent	778c2dee6f134bf0472ed45eedaee53b4f336afb (diff)
parent	5d949944229b0a08e218723be231731cd86b94f3 (diff)