Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts:
	drivers/net/wireless/ath/ath9k/Kconfig
	drivers/net/xen-netback/netback.c
	net/batman-adv/bat_iv_ogm.c
	net/wireless/nl80211.c

The ath9k Kconfig conflict was a change of a Kconfig option name right
next to the deletion of another option.

The xen-netback conflict was overlapping changes involving the
handling of the notify list in xen_netbk_rx_action().

Batman conflict resolution provided by Antonio Quartulli, basically
keep everything in both conflict hunks.

The nl80211 conflict is a little more involved.  In 'net' we added a
dynamic memory allocation to nl80211_dump_wiphy() to fix a race that
Linus reported.  Meanwhile in 'net-next' the handlers were converted
to use pre and post doit handlers which use a flag to determine
whether to hold the RTNL mutex around the operation.

However, the dump handlers to not use this logic.  Instead they have
to explicitly do the locking.  There were apparent bugs in the
conversion of nl80211_dump_wiphy() in that we were not dropping the
RTNL mutex in all the return paths, and it seems we very much should
be doing so.  So I fixed that whilst handling the overlapping changes.

To simplify the initial returns, I take the RTNL mutex after we try
to allocate 'tb'.

Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 14 insertions, 3 deletions

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 31d265f36d2c..ea74b9dd9d82 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1527,12 +1527,18 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
         struct cfg80211_registered_device *dev;
         s64 filter_wiphy = -1;
         bool split = false;
-        struct nlattr **tb = nl80211_fam.attrbuf;
+        struct nlattr **tb;
         int res;
 
+        /* will be zeroed in nlmsg_parse() */
+        tb = kmalloc(sizeof(*tb) * (NL80211_ATTR_MAX + 1), GFP_KERNEL);
+        if (!tb)
+                return -ENOMEM;
+
         rtnl_lock();
+
         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
-                          tb, nl80211_fam.maxattr, nl80211_policy);
+                          tb, NL80211_ATTR_MAX, nl80211_policy);
         if (res == 0) {
                 split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
                 if (tb[NL80211_ATTR_WIPHY])
@@ -1544,8 +1550,11 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                         int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
 
                         netdev = dev_get_by_index(sock_net(skb->sk), ifidx);
-                        if (!netdev)
+                        if (!netdev) {
+                                rtnl_unlock();
+                                kfree(tb);
                                 return -ENODEV;
+                        }
                         if (netdev->ieee80211_ptr) {
                                 dev = wiphy_to_dev(
                                         netdev->ieee80211_ptr->wiphy);
@@ -1554,6 +1563,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                         dev_put(netdev);
                 }
         }
+        kfree(tb);
 
         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
@@ -1589,6 +1599,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                                     !skb->len &&
                                     cb->min_dump_alloc < 4096) {
                                         cb->min_dump_alloc = 4096;
+                                        rtnl_unlock();
                                         return 1;
                                 }
                                 idx--;