aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-05-16 16:14:52 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-05-16 16:14:52 -0400
commit8011652957995914272f398071b70140639185ce (patch)
treea4aa83038c3b763cce267cfec9b652795af7f420
parent568b44559d7ca269d367e694c74eb4436e7e3ccf (diff)
parent26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking tree from David Miller: 1) ptp_pch driver build broke during this merge window due to missing slab.h header, fix from Geery Uytterhoeven. 2) If ipset passes in a bogus hash table size we crash because the size is not validated properly. Compounding this, gcc-4.7 can miscompile ipset such that even when the user specifies legitimate parameters the tool passes in an out-of-range size to the kernel. Fix from Jozsef Kadlecsik. 3) Users have reported that the netdev watchdog can trigger with pch_gbe devices, and it turns out this is happening because of races in the TX path of the driver leading to the transmitter hanging. Fix from Eric Dumazet, reported and tested by Andy Cress. 4) Novatel USB551L devices match the generic class entries for the cdc ethernet USB driver, but they don't work because they have generic descriptors and thus need FLAG_WWAN to function properly. Add the necessary ID table entry to fix this, from Dan Williams. 5) A recursive locking fix in the USBNET driver added a new problem, in that packet list traversal is now racy and we can thus access unlinked SKBs and crash. Avoid this situation by adding some extra state tracking, from Ming Lei. 6) The rtlwifi conversion to asynchronous firmware loading is racy, fix by reordering the probe procedure. From Larry Finger. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43187 7) Fix regressions with bluetooth keyboards by notifying userland properly when the security level changes, from Gustavo Padovan. 8) Bluetooth needs to make sure device connected events are emitted before other kinds of events, otherwise userspace will think there is no baseband link yet and therefore abort the sockets associated with that connection. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: netfilter: ipset: fix hash size checking in kernel ptp_pch: Add missing #include <linux/slab.h> pch_gbe: fix transmit races cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN usbnet: fix skb traversing races during unlink(v2) Bluetooth: mgmt: Fix device_connected sending order Bluetooth: notify userspace of security level change rtlwifi: fix for race condition when firmware is cached
-rw-r--r--drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.h2
-rw-r--r--drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c25
-rw-r--r--drivers/net/usb/cdc_ether.c16
-rw-r--r--drivers/net/usb/usbnet.c54
-rw-r--r--drivers/net/wireless/rtlwifi/pci.c16
-rw-r--r--drivers/net/wireless/rtlwifi/usb.c10
-rw-r--r--drivers/ptp/ptp_pch.c1
-rw-r--r--include/linux/netfilter/ipset/ip_set_ahash.h16
-rw-r--r--include/linux/usb/usbnet.h3
-rw-r--r--include/net/bluetooth/bluetooth.h1
-rw-r--r--net/bluetooth/af_bluetooth.c2
-rw-r--r--net/bluetooth/hci_core.c8
-rw-r--r--net/bluetooth/hci_event.c11
-rw-r--r--net/bluetooth/l2cap_core.c5
-rw-r--r--net/bluetooth/l2cap_sock.c12
-rw-r--r--net/netfilter/ipset/ip_set_hash_ip.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipport.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipportip.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipportnet.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_net.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_netiface.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_netport.c10
22 files changed, 178 insertions, 74 deletions
diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.h b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.h
index dd14915f54bb..ba781747d174 100644
--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.h
+++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.h
@@ -584,7 +584,6 @@ struct pch_gbe_hw_stats {
584/** 584/**
585 * struct pch_gbe_adapter - board specific private data structure 585 * struct pch_gbe_adapter - board specific private data structure
586 * @stats_lock: Spinlock structure for status 586 * @stats_lock: Spinlock structure for status
587 * @tx_queue_lock: Spinlock structure for transmit
588 * @ethtool_lock: Spinlock structure for ethtool 587 * @ethtool_lock: Spinlock structure for ethtool
589 * @irq_sem: Semaphore for interrupt 588 * @irq_sem: Semaphore for interrupt
590 * @netdev: Pointer of network device structure 589 * @netdev: Pointer of network device structure
@@ -609,7 +608,6 @@ struct pch_gbe_hw_stats {
609 608
610struct pch_gbe_adapter { 609struct pch_gbe_adapter {
611 spinlock_t stats_lock; 610 spinlock_t stats_lock;
612 spinlock_t tx_queue_lock;
613 spinlock_t ethtool_lock; 611 spinlock_t ethtool_lock;
614 atomic_t irq_sem; 612 atomic_t irq_sem;
615 struct net_device *netdev; 613 struct net_device *netdev;
diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
index 8035e5ff6e06..1e38d502a062 100644
--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
@@ -640,14 +640,11 @@ static void pch_gbe_mac_set_pause_packet(struct pch_gbe_hw *hw)
640 */ 640 */
641static int pch_gbe_alloc_queues(struct pch_gbe_adapter *adapter) 641static int pch_gbe_alloc_queues(struct pch_gbe_adapter *adapter)
642{ 642{
643 int size; 643 adapter->tx_ring = kzalloc(sizeof(*adapter->tx_ring), GFP_KERNEL);
644
645 size = (int)sizeof(struct pch_gbe_tx_ring);
646 adapter->tx_ring = kzalloc(size, GFP_KERNEL);
647 if (!adapter->tx_ring) 644 if (!adapter->tx_ring)
648 return -ENOMEM; 645 return -ENOMEM;
649 size = (int)sizeof(struct pch_gbe_rx_ring); 646
650 adapter->rx_ring = kzalloc(size, GFP_KERNEL); 647 adapter->rx_ring = kzalloc(sizeof(*adapter->rx_ring), GFP_KERNEL);
651 if (!adapter->rx_ring) { 648 if (!adapter->rx_ring) {
652 kfree(adapter->tx_ring); 649 kfree(adapter->tx_ring);
653 return -ENOMEM; 650 return -ENOMEM;
@@ -1162,7 +1159,6 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter,
1162 struct sk_buff *tmp_skb; 1159 struct sk_buff *tmp_skb;
1163 unsigned int frame_ctrl; 1160 unsigned int frame_ctrl;
1164 unsigned int ring_num; 1161 unsigned int ring_num;
1165 unsigned long flags;
1166 1162
1167 /*-- Set frame control --*/ 1163 /*-- Set frame control --*/
1168 frame_ctrl = 0; 1164 frame_ctrl = 0;
@@ -1211,14 +1207,14 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter,
1211 } 1207 }
1212 } 1208 }
1213 } 1209 }
1214 spin_lock_irqsave(&tx_ring->tx_lock, flags); 1210
1215 ring_num = tx_ring->next_to_use; 1211 ring_num = tx_ring->next_to_use;
1216 if (unlikely((ring_num + 1) == tx_ring->count)) 1212 if (unlikely((ring_num + 1) == tx_ring->count))
1217 tx_ring->next_to_use = 0; 1213 tx_ring->next_to_use = 0;
1218 else 1214 else
1219 tx_ring->next_to_use = ring_num + 1; 1215 tx_ring->next_to_use = ring_num + 1;
1220 1216
1221 spin_unlock_irqrestore(&tx_ring->tx_lock, flags); 1217
1222 buffer_info = &tx_ring->buffer_info[ring_num]; 1218 buffer_info = &tx_ring->buffer_info[ring_num];
1223 tmp_skb = buffer_info->skb; 1219 tmp_skb = buffer_info->skb;
1224 1220
@@ -1518,7 +1514,7 @@ pch_gbe_alloc_rx_buffers_pool(struct pch_gbe_adapter *adapter,
1518 &rx_ring->rx_buff_pool_logic, 1514 &rx_ring->rx_buff_pool_logic,
1519 GFP_KERNEL); 1515 GFP_KERNEL);
1520 if (!rx_ring->rx_buff_pool) { 1516 if (!rx_ring->rx_buff_pool) {
1521 pr_err("Unable to allocate memory for the receive poll buffer\n"); 1517 pr_err("Unable to allocate memory for the receive pool buffer\n");
1522 return -ENOMEM; 1518 return -ENOMEM;
1523 } 1519 }
1524 memset(rx_ring->rx_buff_pool, 0, size); 1520 memset(rx_ring->rx_buff_pool, 0, size);
@@ -1637,15 +1633,17 @@ pch_gbe_clean_tx(struct pch_gbe_adapter *adapter,
1637 pr_debug("called pch_gbe_unmap_and_free_tx_resource() %d count\n", 1633 pr_debug("called pch_gbe_unmap_and_free_tx_resource() %d count\n",
1638 cleaned_count); 1634 cleaned_count);
1639 /* Recover from running out of Tx resources in xmit_frame */ 1635 /* Recover from running out of Tx resources in xmit_frame */
1636 spin_lock(&tx_ring->tx_lock);
1640 if (unlikely(cleaned && (netif_queue_stopped(adapter->netdev)))) { 1637 if (unlikely(cleaned && (netif_queue_stopped(adapter->netdev)))) {
1641 netif_wake_queue(adapter->netdev); 1638 netif_wake_queue(adapter->netdev);
1642 adapter->stats.tx_restart_count++; 1639 adapter->stats.tx_restart_count++;
1643 pr_debug("Tx wake queue\n"); 1640 pr_debug("Tx wake queue\n");
1644 } 1641 }
1645 spin_lock(&adapter->tx_queue_lock); 1642
1646 tx_ring->next_to_clean = i; 1643 tx_ring->next_to_clean = i;
1647 spin_unlock(&adapter->tx_queue_lock); 1644
1648 pr_debug("next_to_clean : %d\n", tx_ring->next_to_clean); 1645 pr_debug("next_to_clean : %d\n", tx_ring->next_to_clean);
1646 spin_unlock(&tx_ring->tx_lock);
1649 return cleaned; 1647 return cleaned;
1650} 1648}
1651 1649
@@ -2037,7 +2035,6 @@ static int pch_gbe_sw_init(struct pch_gbe_adapter *adapter)
2037 return -ENOMEM; 2035 return -ENOMEM;
2038 } 2036 }
2039 spin_lock_init(&adapter->hw.miim_lock); 2037 spin_lock_init(&adapter->hw.miim_lock);
2040 spin_lock_init(&adapter->tx_queue_lock);
2041 spin_lock_init(&adapter->stats_lock); 2038 spin_lock_init(&adapter->stats_lock);
2042 spin_lock_init(&adapter->ethtool_lock); 2039 spin_lock_init(&adapter->ethtool_lock);
2043 atomic_set(&adapter->irq_sem, 0); 2040 atomic_set(&adapter->irq_sem, 0);
@@ -2142,10 +2139,10 @@ static int pch_gbe_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
2142 tx_ring->next_to_use, tx_ring->next_to_clean); 2139 tx_ring->next_to_use, tx_ring->next_to_clean);
2143 return NETDEV_TX_BUSY; 2140 return NETDEV_TX_BUSY;
2144 } 2141 }
2145 spin_unlock_irqrestore(&tx_ring->tx_lock, flags);
2146 2142
2147 /* CRC,ITAG no support */ 2143 /* CRC,ITAG no support */
2148 pch_gbe_tx_queue(adapter, tx_ring, skb); 2144 pch_gbe_tx_queue(adapter, tx_ring, skb);
2145 spin_unlock_irqrestore(&tx_ring->tx_lock, flags);
2149 return NETDEV_TX_OK; 2146 return NETDEV_TX_OK;
2150} 2147}
2151 2148
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 00880edba048..425e201f597c 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -485,6 +485,7 @@ static const struct driver_info wwan_info = {
485/*-------------------------------------------------------------------------*/ 485/*-------------------------------------------------------------------------*/
486 486
487#define HUAWEI_VENDOR_ID 0x12D1 487#define HUAWEI_VENDOR_ID 0x12D1
488#define NOVATEL_VENDOR_ID 0x1410
488 489
489static const struct usb_device_id products [] = { 490static const struct usb_device_id products [] = {
490/* 491/*
@@ -602,6 +603,21 @@ static const struct usb_device_id products [] = {
602 * because of bugs/quirks in a given product (like Zaurus, above). 603 * because of bugs/quirks in a given product (like Zaurus, above).
603 */ 604 */
604{ 605{
606 /* Novatel USB551L */
607 /* This match must come *before* the generic CDC-ETHER match so that
608 * we get FLAG_WWAN set on the device, since it's descriptors are
609 * generic CDC-ETHER.
610 */
611 .match_flags = USB_DEVICE_ID_MATCH_VENDOR
612 | USB_DEVICE_ID_MATCH_PRODUCT
613 | USB_DEVICE_ID_MATCH_INT_INFO,
614 .idVendor = NOVATEL_VENDOR_ID,
615 .idProduct = 0xB001,
616 .bInterfaceClass = USB_CLASS_COMM,
617 .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET,
618 .bInterfaceProtocol = USB_CDC_PROTO_NONE,
619 .driver_info = (unsigned long)&wwan_info,
620}, {
605 USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET, 621 USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET,
606 USB_CDC_PROTO_NONE), 622 USB_CDC_PROTO_NONE),
607 .driver_info = (unsigned long) &cdc_info, 623 .driver_info = (unsigned long) &cdc_info,
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 2d927fb4adf4..b38db48b1ce0 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -282,17 +282,32 @@ int usbnet_change_mtu (struct net_device *net, int new_mtu)
282} 282}
283EXPORT_SYMBOL_GPL(usbnet_change_mtu); 283EXPORT_SYMBOL_GPL(usbnet_change_mtu);
284 284
285/* The caller must hold list->lock */
286static void __usbnet_queue_skb(struct sk_buff_head *list,
287 struct sk_buff *newsk, enum skb_state state)
288{
289 struct skb_data *entry = (struct skb_data *) newsk->cb;
290
291 __skb_queue_tail(list, newsk);
292 entry->state = state;
293}
294
285/*-------------------------------------------------------------------------*/ 295/*-------------------------------------------------------------------------*/
286 296
287/* some LK 2.4 HCDs oopsed if we freed or resubmitted urbs from 297/* some LK 2.4 HCDs oopsed if we freed or resubmitted urbs from
288 * completion callbacks. 2.5 should have fixed those bugs... 298 * completion callbacks. 2.5 should have fixed those bugs...
289 */ 299 */
290 300
291static void defer_bh(struct usbnet *dev, struct sk_buff *skb, struct sk_buff_head *list) 301static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb,
302 struct sk_buff_head *list, enum skb_state state)
292{ 303{
293 unsigned long flags; 304 unsigned long flags;
305 enum skb_state old_state;
306 struct skb_data *entry = (struct skb_data *) skb->cb;
294 307
295 spin_lock_irqsave(&list->lock, flags); 308 spin_lock_irqsave(&list->lock, flags);
309 old_state = entry->state;
310 entry->state = state;
296 __skb_unlink(skb, list); 311 __skb_unlink(skb, list);
297 spin_unlock(&list->lock); 312 spin_unlock(&list->lock);
298 spin_lock(&dev->done.lock); 313 spin_lock(&dev->done.lock);
@@ -300,6 +315,7 @@ static void defer_bh(struct usbnet *dev, struct sk_buff *skb, struct sk_buff_hea
300 if (dev->done.qlen == 1) 315 if (dev->done.qlen == 1)
301 tasklet_schedule(&dev->bh); 316 tasklet_schedule(&dev->bh);
302 spin_unlock_irqrestore(&dev->done.lock, flags); 317 spin_unlock_irqrestore(&dev->done.lock, flags);
318 return old_state;
303} 319}
304 320
305/* some work can't be done in tasklets, so we use keventd 321/* some work can't be done in tasklets, so we use keventd
@@ -340,7 +356,6 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags)
340 entry = (struct skb_data *) skb->cb; 356 entry = (struct skb_data *) skb->cb;
341 entry->urb = urb; 357 entry->urb = urb;
342 entry->dev = dev; 358 entry->dev = dev;
343 entry->state = rx_start;
344 entry->length = 0; 359 entry->length = 0;
345 360
346 usb_fill_bulk_urb (urb, dev->udev, dev->in, 361 usb_fill_bulk_urb (urb, dev->udev, dev->in,
@@ -372,7 +387,7 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags)
372 tasklet_schedule (&dev->bh); 387 tasklet_schedule (&dev->bh);
373 break; 388 break;
374 case 0: 389 case 0:
375 __skb_queue_tail (&dev->rxq, skb); 390 __usbnet_queue_skb(&dev->rxq, skb, rx_start);
376 } 391 }
377 } else { 392 } else {
378 netif_dbg(dev, ifdown, dev->net, "rx: stopped\n"); 393 netif_dbg(dev, ifdown, dev->net, "rx: stopped\n");
@@ -423,16 +438,17 @@ static void rx_complete (struct urb *urb)
423 struct skb_data *entry = (struct skb_data *) skb->cb; 438 struct skb_data *entry = (struct skb_data *) skb->cb;
424 struct usbnet *dev = entry->dev; 439 struct usbnet *dev = entry->dev;
425 int urb_status = urb->status; 440 int urb_status = urb->status;
441 enum skb_state state;
426 442
427 skb_put (skb, urb->actual_length); 443 skb_put (skb, urb->actual_length);
428 entry->state = rx_done; 444 state = rx_done;
429 entry->urb = NULL; 445 entry->urb = NULL;
430 446
431 switch (urb_status) { 447 switch (urb_status) {
432 /* success */ 448 /* success */
433 case 0: 449 case 0:
434 if (skb->len < dev->net->hard_header_len) { 450 if (skb->len < dev->net->hard_header_len) {
435 entry->state = rx_cleanup; 451 state = rx_cleanup;
436 dev->net->stats.rx_errors++; 452 dev->net->stats.rx_errors++;
437 dev->net->stats.rx_length_errors++; 453 dev->net->stats.rx_length_errors++;
438 netif_dbg(dev, rx_err, dev->net, 454 netif_dbg(dev, rx_err, dev->net,
@@ -471,7 +487,7 @@ static void rx_complete (struct urb *urb)
471 "rx throttle %d\n", urb_status); 487 "rx throttle %d\n", urb_status);
472 } 488 }
473block: 489block:
474 entry->state = rx_cleanup; 490 state = rx_cleanup;
475 entry->urb = urb; 491 entry->urb = urb;
476 urb = NULL; 492 urb = NULL;
477 break; 493 break;
@@ -482,17 +498,18 @@ block:
482 // FALLTHROUGH 498 // FALLTHROUGH
483 499
484 default: 500 default:
485 entry->state = rx_cleanup; 501 state = rx_cleanup;
486 dev->net->stats.rx_errors++; 502 dev->net->stats.rx_errors++;
487 netif_dbg(dev, rx_err, dev->net, "rx status %d\n", urb_status); 503 netif_dbg(dev, rx_err, dev->net, "rx status %d\n", urb_status);
488 break; 504 break;
489 } 505 }
490 506
491 defer_bh(dev, skb, &dev->rxq); 507 state = defer_bh(dev, skb, &dev->rxq, state);
492 508
493 if (urb) { 509 if (urb) {
494 if (netif_running (dev->net) && 510 if (netif_running (dev->net) &&
495 !test_bit (EVENT_RX_HALT, &dev->flags)) { 511 !test_bit (EVENT_RX_HALT, &dev->flags) &&
512 state != unlink_start) {
496 rx_submit (dev, urb, GFP_ATOMIC); 513 rx_submit (dev, urb, GFP_ATOMIC);
497 usb_mark_last_busy(dev->udev); 514 usb_mark_last_busy(dev->udev);
498 return; 515 return;
@@ -579,16 +596,23 @@ EXPORT_SYMBOL_GPL(usbnet_purge_paused_rxq);
579static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q) 596static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
580{ 597{
581 unsigned long flags; 598 unsigned long flags;
582 struct sk_buff *skb, *skbnext; 599 struct sk_buff *skb;
583 int count = 0; 600 int count = 0;
584 601
585 spin_lock_irqsave (&q->lock, flags); 602 spin_lock_irqsave (&q->lock, flags);
586 skb_queue_walk_safe(q, skb, skbnext) { 603 while (!skb_queue_empty(q)) {
587 struct skb_data *entry; 604 struct skb_data *entry;
588 struct urb *urb; 605 struct urb *urb;
589 int retval; 606 int retval;
590 607
591 entry = (struct skb_data *) skb->cb; 608 skb_queue_walk(q, skb) {
609 entry = (struct skb_data *) skb->cb;
610 if (entry->state != unlink_start)
611 goto found;
612 }
613 break;
614found:
615 entry->state = unlink_start;
592 urb = entry->urb; 616 urb = entry->urb;
593 617
594 /* 618 /*
@@ -1039,8 +1063,7 @@ static void tx_complete (struct urb *urb)
1039 } 1063 }
1040 1064
1041 usb_autopm_put_interface_async(dev->intf); 1065 usb_autopm_put_interface_async(dev->intf);
1042 entry->state = tx_done; 1066 (void) defer_bh(dev, skb, &dev->txq, tx_done);
1043 defer_bh(dev, skb, &dev->txq);
1044} 1067}
1045 1068
1046/*-------------------------------------------------------------------------*/ 1069/*-------------------------------------------------------------------------*/
@@ -1096,7 +1119,6 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
1096 entry = (struct skb_data *) skb->cb; 1119 entry = (struct skb_data *) skb->cb;
1097 entry->urb = urb; 1120 entry->urb = urb;
1098 entry->dev = dev; 1121 entry->dev = dev;
1099 entry->state = tx_start;
1100 entry->length = length; 1122 entry->length = length;
1101 1123
1102 usb_fill_bulk_urb (urb, dev->udev, dev->out, 1124 usb_fill_bulk_urb (urb, dev->udev, dev->out,
@@ -1155,7 +1177,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
1155 break; 1177 break;
1156 case 0: 1178 case 0:
1157 net->trans_start = jiffies; 1179 net->trans_start = jiffies;
1158 __skb_queue_tail (&dev->txq, skb); 1180 __usbnet_queue_skb(&dev->txq, skb, tx_start);
1159 if (dev->txq.qlen >= TX_QLEN (dev)) 1181 if (dev->txq.qlen >= TX_QLEN (dev))
1160 netif_stop_queue (net); 1182 netif_stop_queue (net);
1161 } 1183 }
diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
index cc15fdb36060..67f9430ee197 100644
--- a/drivers/net/wireless/rtlwifi/pci.c
+++ b/drivers/net/wireless/rtlwifi/pci.c
@@ -1851,14 +1851,6 @@ int __devinit rtl_pci_probe(struct pci_dev *pdev,
1851 /*like read eeprom and so on */ 1851 /*like read eeprom and so on */
1852 rtlpriv->cfg->ops->read_eeprom_info(hw); 1852 rtlpriv->cfg->ops->read_eeprom_info(hw);
1853 1853
1854 if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
1855 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, "Can't init_sw_vars\n");
1856 err = -ENODEV;
1857 goto fail3;
1858 }
1859
1860 rtlpriv->cfg->ops->init_sw_leds(hw);
1861
1862 /*aspm */ 1854 /*aspm */
1863 rtl_pci_init_aspm(hw); 1855 rtl_pci_init_aspm(hw);
1864 1856
@@ -1877,6 +1869,14 @@ int __devinit rtl_pci_probe(struct pci_dev *pdev,
1877 goto fail3; 1869 goto fail3;
1878 } 1870 }
1879 1871
1872 if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
1873 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, "Can't init_sw_vars\n");
1874 err = -ENODEV;
1875 goto fail3;
1876 }
1877
1878 rtlpriv->cfg->ops->init_sw_leds(hw);
1879
1880 err = sysfs_create_group(&pdev->dev.kobj, &rtl_attribute_group); 1880 err = sysfs_create_group(&pdev->dev.kobj, &rtl_attribute_group);
1881 if (err) { 1881 if (err) {
1882 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, 1882 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
index d04dbda13f5a..a6049d7d51b3 100644
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -971,11 +971,6 @@ int __devinit rtl_usb_probe(struct usb_interface *intf,
971 rtlpriv->cfg->ops->read_chip_version(hw); 971 rtlpriv->cfg->ops->read_chip_version(hw);
972 /*like read eeprom and so on */ 972 /*like read eeprom and so on */
973 rtlpriv->cfg->ops->read_eeprom_info(hw); 973 rtlpriv->cfg->ops->read_eeprom_info(hw);
974 if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
975 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, "Can't init_sw_vars\n");
976 goto error_out;
977 }
978 rtlpriv->cfg->ops->init_sw_leds(hw);
979 err = _rtl_usb_init(hw); 974 err = _rtl_usb_init(hw);
980 if (err) 975 if (err)
981 goto error_out; 976 goto error_out;
@@ -987,6 +982,11 @@ int __devinit rtl_usb_probe(struct usb_interface *intf,
987 "Can't allocate sw for mac80211\n"); 982 "Can't allocate sw for mac80211\n");
988 goto error_out; 983 goto error_out;
989 } 984 }
985 if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
986 RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, "Can't init_sw_vars\n");
987 goto error_out;
988 }
989 rtlpriv->cfg->ops->init_sw_leds(hw);
990 990
991 return 0; 991 return 0;
992error_out: 992error_out:
diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
index 375eb04c16ea..6fff68020488 100644
--- a/drivers/ptp/ptp_pch.c
+++ b/drivers/ptp/ptp_pch.c
@@ -30,6 +30,7 @@
30#include <linux/module.h> 30#include <linux/module.h>
31#include <linux/pci.h> 31#include <linux/pci.h>
32#include <linux/ptp_clock_kernel.h> 32#include <linux/ptp_clock_kernel.h>
33#include <linux/slab.h>
33 34
34#define STATION_ADDR_LEN 20 35#define STATION_ADDR_LEN 20
35#define PCI_DEVICE_ID_PCH_1588 0x8819 36#define PCI_DEVICE_ID_PCH_1588 0x8819
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index 05a5d72680be..230a290e1973 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -99,6 +99,22 @@ struct ip_set_hash {
99#endif 99#endif
100}; 100};
101 101
102static size_t
103htable_size(u8 hbits)
104{
105 size_t hsize;
106
107 /* We must fit both into u32 in jhash and size_t */
108 if (hbits > 31)
109 return 0;
110 hsize = jhash_size(hbits);
111 if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
112 < hsize)
113 return 0;
114
115 return hsize * sizeof(struct hbucket) + sizeof(struct htable);
116}
117
102/* Compute htable_bits from the user input parameter hashsize */ 118/* Compute htable_bits from the user input parameter hashsize */
103static u8 119static u8
104htable_bits(u32 hashsize) 120htable_bits(u32 hashsize)
diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
index 605b0aa8d852..76f439647c4b 100644
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -191,7 +191,8 @@ extern void usbnet_cdc_status(struct usbnet *, struct urb *);
191enum skb_state { 191enum skb_state {
192 illegal = 0, 192 illegal = 0,
193 tx_start, tx_done, 193 tx_start, tx_done,
194 rx_start, rx_done, rx_cleanup 194 rx_start, rx_done, rx_cleanup,
195 unlink_start
195}; 196};
196 197
197struct skb_data { /* skb->cb is one of these */ 198struct skb_data { /* skb->cb is one of these */
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 262ebd1747d4..a65910bda381 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -191,6 +191,7 @@ struct bt_sock {
191 struct list_head accept_q; 191 struct list_head accept_q;
192 struct sock *parent; 192 struct sock *parent;
193 u32 defer_setup; 193 u32 defer_setup;
194 bool suspended;
194}; 195};
195 196
196struct bt_sock_list { 197struct bt_sock_list {
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 72eb187a5f60..6fb68a9743af 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -450,7 +450,7 @@ unsigned int bt_sock_poll(struct file *file, struct socket *sock, poll_table *wa
450 sk->sk_state == BT_CONFIG) 450 sk->sk_state == BT_CONFIG)
451 return mask; 451 return mask;
452 452
453 if (sock_writeable(sk)) 453 if (!bt_sk(sk)->suspended && sock_writeable(sk))
454 mask |= POLLOUT | POLLWRNORM | POLLWRBAND; 454 mask |= POLLOUT | POLLWRNORM | POLLWRBAND;
455 else 455 else
456 set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags); 456 set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index edfd61addcec..d6dc44cd15b0 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2784,6 +2784,14 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2784 if (conn) { 2784 if (conn) {
2785 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF); 2785 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
2786 2786
2787 hci_dev_lock(hdev);
2788 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
2789 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2790 mgmt_device_connected(hdev, &conn->dst, conn->type,
2791 conn->dst_type, 0, NULL, 0,
2792 conn->dev_class);
2793 hci_dev_unlock(hdev);
2794
2787 /* Send to upper protocol */ 2795 /* Send to upper protocol */
2788 l2cap_recv_acldata(conn, skb, flags); 2796 l2cap_recv_acldata(conn, skb, flags);
2789 return; 2797 return;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6c065254afc0..1266f78fa8e3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2039,6 +2039,12 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
2039 2039
2040 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2040 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2041 2041
2042 if (ev->status && conn->state == BT_CONNECTED) {
2043 hci_acl_disconn(conn, 0x13);
2044 hci_conn_put(conn);
2045 goto unlock;
2046 }
2047
2042 if (conn->state == BT_CONFIG) { 2048 if (conn->state == BT_CONFIG) {
2043 if (!ev->status) 2049 if (!ev->status)
2044 conn->state = BT_CONNECTED; 2050 conn->state = BT_CONNECTED;
@@ -2049,6 +2055,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
2049 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2055 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2050 } 2056 }
2051 2057
2058unlock:
2052 hci_dev_unlock(hdev); 2059 hci_dev_unlock(hdev);
2053} 2060}
2054 2061
@@ -2102,7 +2109,7 @@ static inline void hci_remote_features_evt(struct hci_dev *hdev, struct sk_buff
2102 goto unlock; 2109 goto unlock;
2103 } 2110 }
2104 2111
2105 if (!ev->status) { 2112 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2106 struct hci_cp_remote_name_req cp; 2113 struct hci_cp_remote_name_req cp;
2107 memset(&cp, 0, sizeof(cp)); 2114 memset(&cp, 0, sizeof(cp));
2108 bacpy(&cp.bdaddr, &conn->dst); 2115 bacpy(&cp.bdaddr, &conn->dst);
@@ -2871,7 +2878,7 @@ static inline void hci_remote_ext_features_evt(struct hci_dev *hdev, struct sk_b
2871 if (conn->state != BT_CONFIG) 2878 if (conn->state != BT_CONFIG)
2872 goto unlock; 2879 goto unlock;
2873 2880
2874 if (!ev->status) { 2881 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2875 struct hci_cp_remote_name_req cp; 2882 struct hci_cp_remote_name_req cp;
2876 memset(&cp, 0, sizeof(cp)); 2883 memset(&cp, 0, sizeof(cp));
2877 bacpy(&cp.bdaddr, &conn->dst); 2884 bacpy(&cp.bdaddr, &conn->dst);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 94552b33d528..6f9c25b633a6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4589,6 +4589,11 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4589 4589
4590 if (!status && (chan->state == BT_CONNECTED || 4590 if (!status && (chan->state == BT_CONNECTED ||
4591 chan->state == BT_CONFIG)) { 4591 chan->state == BT_CONFIG)) {
4592 struct sock *sk = chan->sk;
4593
4594 bt_sk(sk)->suspended = false;
4595 sk->sk_state_change(sk);
4596
4592 l2cap_check_encryption(chan, encrypt); 4597 l2cap_check_encryption(chan, encrypt);
4593 l2cap_chan_unlock(chan); 4598 l2cap_chan_unlock(chan);
4594 continue; 4599 continue;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 29122ed28ea9..04e7c172d49c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -592,10 +592,14 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
592 sk->sk_state = BT_CONFIG; 592 sk->sk_state = BT_CONFIG;
593 chan->state = BT_CONFIG; 593 chan->state = BT_CONFIG;
594 594
595 /* or for ACL link, under defer_setup time */ 595 /* or for ACL link */
596 } else if (sk->sk_state == BT_CONNECT2 && 596 } else if ((sk->sk_state == BT_CONNECT2 &&
597 bt_sk(sk)->defer_setup) { 597 bt_sk(sk)->defer_setup) ||
598 err = l2cap_chan_check_security(chan); 598 sk->sk_state == BT_CONNECTED) {
599 if (!l2cap_chan_check_security(chan))
600 bt_sk(sk)->suspended = true;
601 else
602 sk->sk_state_change(sk);
599 } else { 603 } else {
600 err = -EINVAL; 604 err = -EINVAL;
601 } 605 }
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 5139dea6019e..828ce46cb34b 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -364,6 +364,7 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
364{ 364{
365 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 365 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
366 u8 netmask, hbits; 366 u8 netmask, hbits;
367 size_t hsize;
367 struct ip_set_hash *h; 368 struct ip_set_hash *h;
368 369
369 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 370 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
@@ -405,9 +406,12 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
405 h->timeout = IPSET_NO_TIMEOUT; 406 h->timeout = IPSET_NO_TIMEOUT;
406 407
407 hbits = htable_bits(hashsize); 408 hbits = htable_bits(hashsize);
408 h->table = ip_set_alloc( 409 hsize = htable_size(hbits);
409 sizeof(struct htable) 410 if (hsize == 0) {
410 + jhash_size(hbits) * sizeof(struct hbucket)); 411 kfree(h);
412 return -ENOMEM;
413 }
414 h->table = ip_set_alloc(hsize);
411 if (!h->table) { 415 if (!h->table) {
412 kfree(h); 416 kfree(h);
413 return -ENOMEM; 417 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 9c27e249c171..e8dbb498af8f 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -449,6 +449,7 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
449 struct ip_set_hash *h; 449 struct ip_set_hash *h;
450 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 450 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
451 u8 hbits; 451 u8 hbits;
452 size_t hsize;
452 453
453 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 454 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
454 return -IPSET_ERR_INVALID_FAMILY; 455 return -IPSET_ERR_INVALID_FAMILY;
@@ -476,9 +477,12 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
476 h->timeout = IPSET_NO_TIMEOUT; 477 h->timeout = IPSET_NO_TIMEOUT;
477 478
478 hbits = htable_bits(hashsize); 479 hbits = htable_bits(hashsize);
479 h->table = ip_set_alloc( 480 hsize = htable_size(hbits);
480 sizeof(struct htable) 481 if (hsize == 0) {
481 + jhash_size(hbits) * sizeof(struct hbucket)); 482 kfree(h);
483 return -ENOMEM;
484 }
485 h->table = ip_set_alloc(hsize);
482 if (!h->table) { 486 if (!h->table) {
483 kfree(h); 487 kfree(h);
484 return -ENOMEM; 488 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 9134057c0728..52f79d8ef741 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -467,6 +467,7 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
467 struct ip_set_hash *h; 467 struct ip_set_hash *h;
468 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 468 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
469 u8 hbits; 469 u8 hbits;
470 size_t hsize;
470 471
471 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 472 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
472 return -IPSET_ERR_INVALID_FAMILY; 473 return -IPSET_ERR_INVALID_FAMILY;
@@ -494,9 +495,12 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
494 h->timeout = IPSET_NO_TIMEOUT; 495 h->timeout = IPSET_NO_TIMEOUT;
495 496
496 hbits = htable_bits(hashsize); 497 hbits = htable_bits(hashsize);
497 h->table = ip_set_alloc( 498 hsize = htable_size(hbits);
498 sizeof(struct htable) 499 if (hsize == 0) {
499 + jhash_size(hbits) * sizeof(struct hbucket)); 500 kfree(h);
501 return -ENOMEM;
502 }
503 h->table = ip_set_alloc(hsize);
500 if (!h->table) { 504 if (!h->table) {
501 kfree(h); 505 kfree(h);
502 return -ENOMEM; 506 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 5d05e6969862..97583f5af745 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -616,6 +616,7 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
616 struct ip_set_hash *h; 616 struct ip_set_hash *h;
617 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 617 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
618 u8 hbits; 618 u8 hbits;
619 size_t hsize;
619 620
620 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 621 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
621 return -IPSET_ERR_INVALID_FAMILY; 622 return -IPSET_ERR_INVALID_FAMILY;
@@ -645,9 +646,12 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
645 h->timeout = IPSET_NO_TIMEOUT; 646 h->timeout = IPSET_NO_TIMEOUT;
646 647
647 hbits = htable_bits(hashsize); 648 hbits = htable_bits(hashsize);
648 h->table = ip_set_alloc( 649 hsize = htable_size(hbits);
649 sizeof(struct htable) 650 if (hsize == 0) {
650 + jhash_size(hbits) * sizeof(struct hbucket)); 651 kfree(h);
652 return -ENOMEM;
653 }
654 h->table = ip_set_alloc(hsize);
651 if (!h->table) { 655 if (!h->table) {
652 kfree(h); 656 kfree(h);
653 return -ENOMEM; 657 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 7c3d945517cf..1721cdecc9f9 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -460,6 +460,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
460 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 460 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
461 struct ip_set_hash *h; 461 struct ip_set_hash *h;
462 u8 hbits; 462 u8 hbits;
463 size_t hsize;
463 464
464 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 465 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
465 return -IPSET_ERR_INVALID_FAMILY; 466 return -IPSET_ERR_INVALID_FAMILY;
@@ -489,9 +490,12 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
489 h->timeout = IPSET_NO_TIMEOUT; 490 h->timeout = IPSET_NO_TIMEOUT;
490 491
491 hbits = htable_bits(hashsize); 492 hbits = htable_bits(hashsize);
492 h->table = ip_set_alloc( 493 hsize = htable_size(hbits);
493 sizeof(struct htable) 494 if (hsize == 0) {
494 + jhash_size(hbits) * sizeof(struct hbucket)); 495 kfree(h);
496 return -ENOMEM;
497 }
498 h->table = ip_set_alloc(hsize);
495 if (!h->table) { 499 if (!h->table) {
496 kfree(h); 500 kfree(h);
497 return -ENOMEM; 501 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index f24037ff4322..33bafc97ca6d 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -722,6 +722,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
722 struct ip_set_hash *h; 722 struct ip_set_hash *h;
723 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 723 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
724 u8 hbits; 724 u8 hbits;
725 size_t hsize;
725 726
726 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 727 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
727 return -IPSET_ERR_INVALID_FAMILY; 728 return -IPSET_ERR_INVALID_FAMILY;
@@ -752,9 +753,12 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
752 h->ahash_max = AHASH_MAX_SIZE; 753 h->ahash_max = AHASH_MAX_SIZE;
753 754
754 hbits = htable_bits(hashsize); 755 hbits = htable_bits(hashsize);
755 h->table = ip_set_alloc( 756 hsize = htable_size(hbits);
756 sizeof(struct htable) 757 if (hsize == 0) {
757 + jhash_size(hbits) * sizeof(struct hbucket)); 758 kfree(h);
759 return -ENOMEM;
760 }
761 h->table = ip_set_alloc(hsize);
758 if (!h->table) { 762 if (!h->table) {
759 kfree(h); 763 kfree(h);
760 return -ENOMEM; 764 return -ENOMEM;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index ce2e77100b64..3a5e198641d6 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -572,6 +572,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
572 struct ip_set_hash *h; 572 struct ip_set_hash *h;
573 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 573 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
574 u8 hbits; 574 u8 hbits;
575 size_t hsize;
575 576
576 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) 577 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
577 return -IPSET_ERR_INVALID_FAMILY; 578 return -IPSET_ERR_INVALID_FAMILY;
@@ -601,9 +602,12 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
601 h->timeout = IPSET_NO_TIMEOUT; 602 h->timeout = IPSET_NO_TIMEOUT;
602 603
603 hbits = htable_bits(hashsize); 604 hbits = htable_bits(hashsize);
604 h->table = ip_set_alloc( 605 hsize = htable_size(hbits);
605 sizeof(struct htable) 606 if (hsize == 0) {
606 + jhash_size(hbits) * sizeof(struct hbucket)); 607 kfree(h);
608 return -ENOMEM;
609 }
610 h->table = ip_set_alloc(hsize);
607 if (!h->table) { 611 if (!h->table) {
608 kfree(h); 612 kfree(h);
609 return -ENOMEM; 613 return -ENOMEM;