aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-04-14 22:13:28 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-04-14 22:13:28 -0400
commit11b397e6eb12191300ca19290f29f51f61118953 (patch)
tree6e0f8cb52cbcdb02108755f3d643a025a943bd79 /net
parente1c969f7814dcd23bbfe8d777544321a492b6fee (diff)
parent41ef2d5678d83af030125550329b6ae8b74618fa (diff)
Merge 3.9-rc7 intp tty-next
We want the fixes here. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/atm/common.c2
-rw-r--r--net/ax25/af_ax25.c1
-rw-r--r--net/bluetooth/af_bluetooth.c4
-rw-r--r--net/bluetooth/rfcomm/sock.c1
-rw-r--r--net/bluetooth/sco.c1
-rw-r--r--net/caif/caif_socket.c2
-rw-r--r--net/can/gw.c6
-rw-r--r--net/core/dev.c8
-rw-r--r--net/core/dev_addr_lists.c6
-rw-r--r--net/core/flow.c2
-rw-r--r--net/core/rtnetlink.c8
-rw-r--r--net/ipv4/devinet.c66
-rw-r--r--net/ipv4/tcp_output.c1
-rw-r--r--net/ipv6/addrconf.c27
-rw-r--r--net/ipv6/ip6_input.c12
-rw-r--r--net/ipv6/netfilter/ip6t_NPT.c2
-rw-r--r--net/ipv6/tcp_ipv6.c1
-rw-r--r--net/irda/af_irda.c2
-rw-r--r--net/iucv/af_iucv.c36
-rw-r--r--net/key/af_key.c1
-rw-r--r--net/l2tp/l2tp_ip6.c1
-rw-r--r--net/llc/af_llc.c2
-rw-r--r--net/mac80211/cfg.c6
-rw-r--r--net/mac80211/chan.c17
-rw-r--r--net/mac80211/ieee80211_i.h4
-rw-r--r--net/mac80211/iface.c37
-rw-r--r--net/mac80211/mesh.c3
-rw-r--r--net/mac80211/mlme.c6
-rw-r--r--net/mac80211/offchannel.c23
-rw-r--r--net/mac80211/rx.c14
-rw-r--r--net/mac80211/sta_info.c12
-rw-r--r--net/netfilter/nf_conntrack_standalone.c1
-rw-r--r--net/netfilter/nfnetlink_acct.c2
-rw-r--r--net/netfilter/nfnetlink_queue_core.c4
-rw-r--r--net/netrom/af_netrom.c1
-rw-r--r--net/nfc/llcp/llcp.c8
-rw-r--r--net/nfc/llcp/sock.c9
-rw-r--r--net/rose/af_rose.c1
-rw-r--r--net/sched/sch_cbq.c5
-rw-r--r--net/sched/sch_fq_codel.c2
-rw-r--r--net/sched/sch_generic.c2
-rw-r--r--net/sunrpc/clnt.c11
-rw-r--r--net/tipc/socket.c7
-rw-r--r--net/unix/af_unix.c6
-rw-r--r--net/vmw_vsock/af_vsock.c8
-rw-r--r--net/vmw_vsock/vmci_transport.c34
-rw-r--r--net/vmw_vsock/vsock_addr.c10
-rw-r--r--net/vmw_vsock/vsock_addr.h2
-rw-r--r--net/wireless/core.c64
-rw-r--r--net/wireless/core.h3
-rw-r--r--net/wireless/nl80211.c52
-rw-r--r--net/wireless/scan.c24
-rw-r--r--net/wireless/sme.c8
-rw-r--r--net/wireless/trace.h5
-rw-r--r--net/wireless/wext-sme.c6
-rw-r--r--net/xfrm/xfrm_replay.c66
56 files changed, 462 insertions, 193 deletions
diff --git a/net/atm/common.c b/net/atm/common.c
index 7b491006eaf4..737bef59ce89 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
531 struct sk_buff *skb; 531 struct sk_buff *skb;
532 int copied, error = -EINVAL; 532 int copied, error = -EINVAL;
533 533
534 msg->msg_namelen = 0;
535
534 if (sock->state != SS_CONNECTED) 536 if (sock->state != SS_CONNECTED)
535 return -ENOTCONN; 537 return -ENOTCONN;
536 538
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 7b11f8bc5071..e277e38f736b 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
1642 ax25_address src; 1642 ax25_address src;
1643 const unsigned char *mac = skb_mac_header(skb); 1643 const unsigned char *mac = skb_mac_header(skb);
1644 1644
1645 memset(sax, 0, sizeof(struct full_sockaddr_ax25));
1645 ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, 1646 ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
1646 &digi, NULL, NULL); 1647 &digi, NULL, NULL);
1647 sax->sax25_family = AF_AX25; 1648 sax->sax25_family = AF_AX25;
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index d3ee69b35a78..0d1b08cc76e1 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -230,6 +230,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
230 if (flags & (MSG_OOB)) 230 if (flags & (MSG_OOB))
231 return -EOPNOTSUPP; 231 return -EOPNOTSUPP;
232 232
233 msg->msg_namelen = 0;
234
233 skb = skb_recv_datagram(sk, flags, noblock, &err); 235 skb = skb_recv_datagram(sk, flags, noblock, &err);
234 if (!skb) { 236 if (!skb) {
235 if (sk->sk_shutdown & RCV_SHUTDOWN) 237 if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -237,8 +239,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
237 return err; 239 return err;
238 } 240 }
239 241
240 msg->msg_namelen = 0;
241
242 copied = skb->len; 242 copied = skb->len;
243 if (len < copied) { 243 if (len < copied) {
244 msg->msg_flags |= MSG_TRUNC; 244 msg->msg_flags |= MSG_TRUNC;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index c23bae86263b..7c9224bcce17 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
608 608
609 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 609 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
610 rfcomm_dlc_accept(d); 610 rfcomm_dlc_accept(d);
611 msg->msg_namelen = 0;
611 return 0; 612 return 0;
612 } 613 }
613 614
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index fad0302bdb32..fb6192c9812e 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -665,6 +665,7 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
666 hci_conn_accept(pi->conn->hcon, 0); 666 hci_conn_accept(pi->conn->hcon, 0);
667 sk->sk_state = BT_CONFIG; 667 sk->sk_state = BT_CONFIG;
668 msg->msg_namelen = 0;
668 669
669 release_sock(sk); 670 release_sock(sk);
670 return 0; 671 return 0;
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 095259f83902..ff2ff3ce6965 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -286,6 +286,8 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
286 if (m->msg_flags&MSG_OOB) 286 if (m->msg_flags&MSG_OOB)
287 goto read_error; 287 goto read_error;
288 288
289 m->msg_namelen = 0;
290
289 skb = skb_recv_datagram(sk, flags, 0 , &ret); 291 skb = skb_recv_datagram(sk, flags, 0 , &ret);
290 if (!skb) 292 if (!skb)
291 goto read_error; 293 goto read_error;
diff --git a/net/can/gw.c b/net/can/gw.c
index 2d117dc5ebea..117814a7e73c 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -466,7 +466,7 @@ static int cgw_notifier(struct notifier_block *nb,
466 if (gwj->src.dev == dev || gwj->dst.dev == dev) { 466 if (gwj->src.dev == dev || gwj->dst.dev == dev) {
467 hlist_del(&gwj->list); 467 hlist_del(&gwj->list);
468 cgw_unregister_filter(gwj); 468 cgw_unregister_filter(gwj);
469 kfree(gwj); 469 kmem_cache_free(cgw_cache, gwj);
470 } 470 }
471 } 471 }
472 } 472 }
@@ -864,7 +864,7 @@ static void cgw_remove_all_jobs(void)
864 hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) { 864 hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) {
865 hlist_del(&gwj->list); 865 hlist_del(&gwj->list);
866 cgw_unregister_filter(gwj); 866 cgw_unregister_filter(gwj);
867 kfree(gwj); 867 kmem_cache_free(cgw_cache, gwj);
868 } 868 }
869} 869}
870 870
@@ -920,7 +920,7 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
920 920
921 hlist_del(&gwj->list); 921 hlist_del(&gwj->list);
922 cgw_unregister_filter(gwj); 922 cgw_unregister_filter(gwj);
923 kfree(gwj); 923 kmem_cache_free(cgw_cache, gwj);
924 err = 0; 924 err = 0;
925 break; 925 break;
926 } 926 }
diff --git a/net/core/dev.c b/net/core/dev.c
index b13e5c766c11..e7d68ed8aafe 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1624,7 +1624,6 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
1624 } 1624 }
1625 1625
1626 skb_orphan(skb); 1626 skb_orphan(skb);
1627 nf_reset(skb);
1628 1627
1629 if (unlikely(!is_skb_forwardable(dev, skb))) { 1628 if (unlikely(!is_skb_forwardable(dev, skb))) {
1630 atomic_long_inc(&dev->rx_dropped); 1629 atomic_long_inc(&dev->rx_dropped);
@@ -1640,6 +1639,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
1640 skb->mark = 0; 1639 skb->mark = 0;
1641 secpath_reset(skb); 1640 secpath_reset(skb);
1642 nf_reset(skb); 1641 nf_reset(skb);
1642 nf_reset_trace(skb);
1643 return netif_rx(skb); 1643 return netif_rx(skb);
1644} 1644}
1645EXPORT_SYMBOL_GPL(dev_forward_skb); 1645EXPORT_SYMBOL_GPL(dev_forward_skb);
@@ -3314,6 +3314,7 @@ int netdev_rx_handler_register(struct net_device *dev,
3314 if (dev->rx_handler) 3314 if (dev->rx_handler)
3315 return -EBUSY; 3315 return -EBUSY;
3316 3316
3317 /* Note: rx_handler_data must be set before rx_handler */
3317 rcu_assign_pointer(dev->rx_handler_data, rx_handler_data); 3318 rcu_assign_pointer(dev->rx_handler_data, rx_handler_data);
3318 rcu_assign_pointer(dev->rx_handler, rx_handler); 3319 rcu_assign_pointer(dev->rx_handler, rx_handler);
3319 3320
@@ -3334,6 +3335,11 @@ void netdev_rx_handler_unregister(struct net_device *dev)
3334 3335
3335 ASSERT_RTNL(); 3336 ASSERT_RTNL();
3336 RCU_INIT_POINTER(dev->rx_handler, NULL); 3337 RCU_INIT_POINTER(dev->rx_handler, NULL);
3338 /* a reader seeing a non NULL rx_handler in a rcu_read_lock()
3339 * section has a guarantee to see a non NULL rx_handler_data
3340 * as well.
3341 */
3342 synchronize_net();
3337 RCU_INIT_POINTER(dev->rx_handler_data, NULL); 3343 RCU_INIT_POINTER(dev->rx_handler_data, NULL);
3338} 3344}
3339EXPORT_SYMBOL_GPL(netdev_rx_handler_unregister); 3345EXPORT_SYMBOL_GPL(netdev_rx_handler_unregister);
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index bd2eb9d3e369..abdc9e6ef33e 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -37,7 +37,7 @@ static int __hw_addr_create_ex(struct netdev_hw_addr_list *list,
37 ha->type = addr_type; 37 ha->type = addr_type;
38 ha->refcount = 1; 38 ha->refcount = 1;
39 ha->global_use = global; 39 ha->global_use = global;
40 ha->synced = false; 40 ha->synced = 0;
41 list_add_tail_rcu(&ha->list, &list->list); 41 list_add_tail_rcu(&ha->list, &list->list);
42 list->count++; 42 list->count++;
43 43
@@ -165,7 +165,7 @@ int __hw_addr_sync(struct netdev_hw_addr_list *to_list,
165 addr_len, ha->type); 165 addr_len, ha->type);
166 if (err) 166 if (err)
167 break; 167 break;
168 ha->synced = true; 168 ha->synced++;
169 ha->refcount++; 169 ha->refcount++;
170 } else if (ha->refcount == 1) { 170 } else if (ha->refcount == 1) {
171 __hw_addr_del(to_list, ha->addr, addr_len, ha->type); 171 __hw_addr_del(to_list, ha->addr, addr_len, ha->type);
@@ -186,7 +186,7 @@ void __hw_addr_unsync(struct netdev_hw_addr_list *to_list,
186 if (ha->synced) { 186 if (ha->synced) {
187 __hw_addr_del(to_list, ha->addr, 187 __hw_addr_del(to_list, ha->addr,
188 addr_len, ha->type); 188 addr_len, ha->type);
189 ha->synced = false; 189 ha->synced--;
190 __hw_addr_del(from_list, ha->addr, 190 __hw_addr_del(from_list, ha->addr,
191 addr_len, ha->type); 191 addr_len, ha->type);
192 } 192 }
diff --git a/net/core/flow.c b/net/core/flow.c
index c56ea6f7f6c7..2bfd081c59f7 100644
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -328,7 +328,7 @@ static void flow_cache_flush_per_cpu(void *data)
328 struct flow_flush_info *info = data; 328 struct flow_flush_info *info = data;
329 struct tasklet_struct *tasklet; 329 struct tasklet_struct *tasklet;
330 330
331 tasklet = this_cpu_ptr(&info->cache->percpu->flush_tasklet); 331 tasklet = &this_cpu_ptr(info->cache->percpu)->flush_tasklet;
332 tasklet->data = (unsigned long)info; 332 tasklet->data = (unsigned long)info;
333 tasklet_schedule(tasklet); 333 tasklet_schedule(tasklet);
334} 334}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5fb8d7e47294..23854b51a259 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -496,8 +496,10 @@ static int rtnl_link_fill(struct sk_buff *skb, const struct net_device *dev)
496 } 496 }
497 if (ops->fill_info) { 497 if (ops->fill_info) {
498 data = nla_nest_start(skb, IFLA_INFO_DATA); 498 data = nla_nest_start(skb, IFLA_INFO_DATA);
499 if (data == NULL) 499 if (data == NULL) {
500 err = -EMSGSIZE;
500 goto err_cancel_link; 501 goto err_cancel_link;
502 }
501 err = ops->fill_info(skb, dev); 503 err = ops->fill_info(skb, dev);
502 if (err < 0) 504 if (err < 0)
503 goto err_cancel_data; 505 goto err_cancel_data;
@@ -1070,7 +1072,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
1070 rcu_read_lock(); 1072 rcu_read_lock();
1071 cb->seq = net->dev_base_seq; 1073 cb->seq = net->dev_base_seq;
1072 1074
1073 if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, 1075 if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
1074 ifla_policy) >= 0) { 1076 ifla_policy) >= 0) {
1075 1077
1076 if (tb[IFLA_EXT_MASK]) 1078 if (tb[IFLA_EXT_MASK])
@@ -1920,7 +1922,7 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh)
1920 u32 ext_filter_mask = 0; 1922 u32 ext_filter_mask = 0;
1921 u16 min_ifinfo_dump_size = 0; 1923 u16 min_ifinfo_dump_size = 0;
1922 1924
1923 if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, 1925 if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
1924 ifla_policy) >= 0) { 1926 ifla_policy) >= 0) {
1925 if (tb[IFLA_EXT_MASK]) 1927 if (tb[IFLA_EXT_MASK])
1926 ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); 1928 ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index f678507bc829..c6287cd978c2 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -587,13 +587,16 @@ static void check_lifetime(struct work_struct *work)
587{ 587{
588 unsigned long now, next, next_sec, next_sched; 588 unsigned long now, next, next_sec, next_sched;
589 struct in_ifaddr *ifa; 589 struct in_ifaddr *ifa;
590 struct hlist_node *n;
590 int i; 591 int i;
591 592
592 now = jiffies; 593 now = jiffies;
593 next = round_jiffies_up(now + ADDR_CHECK_FREQUENCY); 594 next = round_jiffies_up(now + ADDR_CHECK_FREQUENCY);
594 595
595 rcu_read_lock();
596 for (i = 0; i < IN4_ADDR_HSIZE; i++) { 596 for (i = 0; i < IN4_ADDR_HSIZE; i++) {
597 bool change_needed = false;
598
599 rcu_read_lock();
597 hlist_for_each_entry_rcu(ifa, &inet_addr_lst[i], hash) { 600 hlist_for_each_entry_rcu(ifa, &inet_addr_lst[i], hash) {
598 unsigned long age; 601 unsigned long age;
599 602
@@ -606,16 +609,7 @@ static void check_lifetime(struct work_struct *work)
606 609
607 if (ifa->ifa_valid_lft != INFINITY_LIFE_TIME && 610 if (ifa->ifa_valid_lft != INFINITY_LIFE_TIME &&
608 age >= ifa->ifa_valid_lft) { 611 age >= ifa->ifa_valid_lft) {
609 struct in_ifaddr **ifap ; 612 change_needed = true;
610
611 rtnl_lock();
612 for (ifap = &ifa->ifa_dev->ifa_list;
613 *ifap != NULL; ifap = &ifa->ifa_next) {
614 if (*ifap == ifa)
615 inet_del_ifa(ifa->ifa_dev,
616 ifap, 1);
617 }
618 rtnl_unlock();
619 } else if (ifa->ifa_preferred_lft == 613 } else if (ifa->ifa_preferred_lft ==
620 INFINITY_LIFE_TIME) { 614 INFINITY_LIFE_TIME) {
621 continue; 615 continue;
@@ -625,10 +619,8 @@ static void check_lifetime(struct work_struct *work)
625 next = ifa->ifa_tstamp + 619 next = ifa->ifa_tstamp +
626 ifa->ifa_valid_lft * HZ; 620 ifa->ifa_valid_lft * HZ;
627 621
628 if (!(ifa->ifa_flags & IFA_F_DEPRECATED)) { 622 if (!(ifa->ifa_flags & IFA_F_DEPRECATED))
629 ifa->ifa_flags |= IFA_F_DEPRECATED; 623 change_needed = true;
630 rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
631 }
632 } else if (time_before(ifa->ifa_tstamp + 624 } else if (time_before(ifa->ifa_tstamp +
633 ifa->ifa_preferred_lft * HZ, 625 ifa->ifa_preferred_lft * HZ,
634 next)) { 626 next)) {
@@ -636,8 +628,42 @@ static void check_lifetime(struct work_struct *work)
636 ifa->ifa_preferred_lft * HZ; 628 ifa->ifa_preferred_lft * HZ;
637 } 629 }
638 } 630 }
631 rcu_read_unlock();
632 if (!change_needed)
633 continue;
634 rtnl_lock();
635 hlist_for_each_entry_safe(ifa, n, &inet_addr_lst[i], hash) {
636 unsigned long age;
637
638 if (ifa->ifa_flags & IFA_F_PERMANENT)
639 continue;
640
641 /* We try to batch several events at once. */
642 age = (now - ifa->ifa_tstamp +
643 ADDRCONF_TIMER_FUZZ_MINUS) / HZ;
644
645 if (ifa->ifa_valid_lft != INFINITY_LIFE_TIME &&
646 age >= ifa->ifa_valid_lft) {
647 struct in_ifaddr **ifap;
648
649 for (ifap = &ifa->ifa_dev->ifa_list;
650 *ifap != NULL; ifap = &(*ifap)->ifa_next) {
651 if (*ifap == ifa) {
652 inet_del_ifa(ifa->ifa_dev,
653 ifap, 1);
654 break;
655 }
656 }
657 } else if (ifa->ifa_preferred_lft !=
658 INFINITY_LIFE_TIME &&
659 age >= ifa->ifa_preferred_lft &&
660 !(ifa->ifa_flags & IFA_F_DEPRECATED)) {
661 ifa->ifa_flags |= IFA_F_DEPRECATED;
662 rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
663 }
664 }
665 rtnl_unlock();
639 } 666 }
640 rcu_read_unlock();
641 667
642 next_sec = round_jiffies_up(next); 668 next_sec = round_jiffies_up(next);
643 next_sched = next; 669 next_sched = next;
@@ -802,8 +828,12 @@ static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg
802 if (nlh->nlmsg_flags & NLM_F_EXCL || 828 if (nlh->nlmsg_flags & NLM_F_EXCL ||
803 !(nlh->nlmsg_flags & NLM_F_REPLACE)) 829 !(nlh->nlmsg_flags & NLM_F_REPLACE))
804 return -EEXIST; 830 return -EEXIST;
805 831 ifa = ifa_existing;
806 set_ifa_lifetime(ifa_existing, valid_lft, prefered_lft); 832 set_ifa_lifetime(ifa, valid_lft, prefered_lft);
833 cancel_delayed_work(&check_lifetime_work);
834 schedule_delayed_work(&check_lifetime_work, 0);
835 rtmsg_ifa(RTM_NEWADDR, ifa, nlh, NETLINK_CB(skb).portid);
836 blocking_notifier_call_chain(&inetaddr_chain, NETDEV_UP, ifa);
807 } 837 }
808 return 0; 838 return 0;
809} 839}
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5d0b4387cba6..b44cf81d8178 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2709,6 +2709,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
2709 skb_reserve(skb, MAX_TCP_HEADER); 2709 skb_reserve(skb, MAX_TCP_HEADER);
2710 2710
2711 skb_dst_set(skb, dst); 2711 skb_dst_set(skb, dst);
2712 security_skb_owned_by(skb, sk);
2712 2713
2713 mss = dst_metric_advmss(dst); 2714 mss = dst_metric_advmss(dst);
2714 if (tp->rx_opt.user_mss && tp->rx_opt.user_mss < mss) 2715 if (tp->rx_opt.user_mss && tp->rx_opt.user_mss < mss)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 26512250e095..a459c4f5b769 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2529,6 +2529,9 @@ static void sit_add_v4_addrs(struct inet6_dev *idev)
2529static void init_loopback(struct net_device *dev) 2529static void init_loopback(struct net_device *dev)
2530{ 2530{
2531 struct inet6_dev *idev; 2531 struct inet6_dev *idev;
2532 struct net_device *sp_dev;
2533 struct inet6_ifaddr *sp_ifa;
2534 struct rt6_info *sp_rt;
2532 2535
2533 /* ::1 */ 2536 /* ::1 */
2534 2537
@@ -2540,6 +2543,30 @@ static void init_loopback(struct net_device *dev)
2540 } 2543 }
2541 2544
2542 add_addr(idev, &in6addr_loopback, 128, IFA_HOST); 2545 add_addr(idev, &in6addr_loopback, 128, IFA_HOST);
2546
2547 /* Add routes to other interface's IPv6 addresses */
2548 for_each_netdev(dev_net(dev), sp_dev) {
2549 if (!strcmp(sp_dev->name, dev->name))
2550 continue;
2551
2552 idev = __in6_dev_get(sp_dev);
2553 if (!idev)
2554 continue;
2555
2556 read_lock_bh(&idev->lock);
2557 list_for_each_entry(sp_ifa, &idev->addr_list, if_list) {
2558
2559 if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
2560 continue;
2561
2562 sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
2563
2564 /* Failure cases are ignored */
2565 if (!IS_ERR(sp_rt))
2566 ip6_ins_rt(sp_rt);
2567 }
2568 read_unlock_bh(&idev->lock);
2569 }
2543} 2570}
2544 2571
2545static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr) 2572static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index e33fe0ab2568..2bab2aa59745 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -118,6 +118,18 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
118 ipv6_addr_loopback(&hdr->daddr)) 118 ipv6_addr_loopback(&hdr->daddr))
119 goto err; 119 goto err;
120 120
121 /* RFC4291 Errata ID: 3480
122 * Interface-Local scope spans only a single interface on a
123 * node and is useful only for loopback transmission of
124 * multicast. Packets with interface-local scope received
125 * from another node must be discarded.
126 */
127 if (!(skb->pkt_type == PACKET_LOOPBACK ||
128 dev->flags & IFF_LOOPBACK) &&
129 ipv6_addr_is_multicast(&hdr->daddr) &&
130 IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)
131 goto err;
132
121 /* RFC4291 2.7 133 /* RFC4291 2.7
122 * Nodes must not originate a packet to a multicast address whose scope 134 * Nodes must not originate a packet to a multicast address whose scope
123 * field contains the reserved value 0; if such a packet is received, it 135 * field contains the reserved value 0; if such a packet is received, it
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index 33608c610276..cb631143721c 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -57,7 +57,7 @@ static bool ip6t_npt_map_pfx(const struct ip6t_npt_tginfo *npt,
57 if (pfx_len - i >= 32) 57 if (pfx_len - i >= 32)
58 mask = 0; 58 mask = 0;
59 else 59 else
60 mask = htonl(~((1 << (pfx_len - i)) - 1)); 60 mask = htonl((1 << (i - pfx_len + 32)) - 1);
61 61
62 idx = i / 32; 62 idx = i / 32;
63 addr->s6_addr32[idx] &= mask; 63 addr->s6_addr32[idx] &= mask;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index f6d629fd6aee..46a5be85be87 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -386,6 +386,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
386 386
387 if (dst) 387 if (dst)
388 dst->ops->redirect(dst, sk, skb); 388 dst->ops->redirect(dst, sk, skb);
389 goto out;
389 } 390 }
390 391
391 if (type == ICMPV6_PKT_TOOBIG) { 392 if (type == ICMPV6_PKT_TOOBIG) {
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index d28e7f014cc6..e493b3397ae3 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
1386 1386
1387 IRDA_DEBUG(4, "%s()\n", __func__); 1387 IRDA_DEBUG(4, "%s()\n", __func__);
1388 1388
1389 msg->msg_namelen = 0;
1390
1389 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, 1391 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
1390 flags & MSG_DONTWAIT, &err); 1392 flags & MSG_DONTWAIT, &err);
1391 if (!skb) 1393 if (!skb)
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index a7d11ffe4284..206ce6db2c36 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -49,12 +49,6 @@ static const u8 iprm_shutdown[8] =
49 49
50#define TRGCLS_SIZE (sizeof(((struct iucv_message *)0)->class)) 50#define TRGCLS_SIZE (sizeof(((struct iucv_message *)0)->class))
51 51
52/* macros to set/get socket control buffer at correct offset */
53#define CB_TAG(skb) ((skb)->cb) /* iucv message tag */
54#define CB_TAG_LEN (sizeof(((struct iucv_message *) 0)->tag))
55#define CB_TRGCLS(skb) ((skb)->cb + CB_TAG_LEN) /* iucv msg target class */
56#define CB_TRGCLS_LEN (TRGCLS_SIZE)
57
58#define __iucv_sock_wait(sk, condition, timeo, ret) \ 52#define __iucv_sock_wait(sk, condition, timeo, ret) \
59do { \ 53do { \
60 DEFINE_WAIT(__wait); \ 54 DEFINE_WAIT(__wait); \
@@ -1141,7 +1135,7 @@ static int iucv_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
1141 1135
1142 /* increment and save iucv message tag for msg_completion cbk */ 1136 /* increment and save iucv message tag for msg_completion cbk */
1143 txmsg.tag = iucv->send_tag++; 1137 txmsg.tag = iucv->send_tag++;
1144 memcpy(CB_TAG(skb), &txmsg.tag, CB_TAG_LEN); 1138 IUCV_SKB_CB(skb)->tag = txmsg.tag;
1145 1139
1146 if (iucv->transport == AF_IUCV_TRANS_HIPER) { 1140 if (iucv->transport == AF_IUCV_TRANS_HIPER) {
1147 atomic_inc(&iucv->msg_sent); 1141 atomic_inc(&iucv->msg_sent);
@@ -1224,7 +1218,7 @@ static int iucv_fragment_skb(struct sock *sk, struct sk_buff *skb, int len)
1224 return -ENOMEM; 1218 return -ENOMEM;
1225 1219
1226 /* copy target class to control buffer of new skb */ 1220 /* copy target class to control buffer of new skb */
1227 memcpy(CB_TRGCLS(nskb), CB_TRGCLS(skb), CB_TRGCLS_LEN); 1221 IUCV_SKB_CB(nskb)->class = IUCV_SKB_CB(skb)->class;
1228 1222
1229 /* copy data fragment */ 1223 /* copy data fragment */
1230 memcpy(nskb->data, skb->data + copied, size); 1224 memcpy(nskb->data, skb->data + copied, size);
@@ -1256,7 +1250,7 @@ static void iucv_process_message(struct sock *sk, struct sk_buff *skb,
1256 1250
1257 /* store msg target class in the second 4 bytes of skb ctrl buffer */ 1251 /* store msg target class in the second 4 bytes of skb ctrl buffer */
1258 /* Note: the first 4 bytes are reserved for msg tag */ 1252 /* Note: the first 4 bytes are reserved for msg tag */
1259 memcpy(CB_TRGCLS(skb), &msg->class, CB_TRGCLS_LEN); 1253 IUCV_SKB_CB(skb)->class = msg->class;
1260 1254
1261 /* check for special IPRM messages (e.g. iucv_sock_shutdown) */ 1255 /* check for special IPRM messages (e.g. iucv_sock_shutdown) */
1262 if ((msg->flags & IUCV_IPRMDATA) && len > 7) { 1256 if ((msg->flags & IUCV_IPRMDATA) && len > 7) {
@@ -1292,6 +1286,7 @@ static void iucv_process_message(struct sock *sk, struct sk_buff *skb,
1292 } 1286 }
1293 } 1287 }
1294 1288
1289 IUCV_SKB_CB(skb)->offset = 0;
1295 if (sock_queue_rcv_skb(sk, skb)) 1290 if (sock_queue_rcv_skb(sk, skb))
1296 skb_queue_head(&iucv_sk(sk)->backlog_skb_q, skb); 1291 skb_queue_head(&iucv_sk(sk)->backlog_skb_q, skb);
1297} 1292}
@@ -1327,6 +1322,9 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1327 unsigned int copied, rlen; 1322 unsigned int copied, rlen;
1328 struct sk_buff *skb, *rskb, *cskb; 1323 struct sk_buff *skb, *rskb, *cskb;
1329 int err = 0; 1324 int err = 0;
1325 u32 offset;
1326
1327 msg->msg_namelen = 0;
1330 1328
1331 if ((sk->sk_state == IUCV_DISCONN) && 1329 if ((sk->sk_state == IUCV_DISCONN) &&
1332 skb_queue_empty(&iucv->backlog_skb_q) && 1330 skb_queue_empty(&iucv->backlog_skb_q) &&
@@ -1346,13 +1344,14 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1346 return err; 1344 return err;
1347 } 1345 }
1348 1346
1349 rlen = skb->len; /* real length of skb */ 1347 offset = IUCV_SKB_CB(skb)->offset;
1348 rlen = skb->len - offset; /* real length of skb */
1350 copied = min_t(unsigned int, rlen, len); 1349 copied = min_t(unsigned int, rlen, len);
1351 if (!rlen) 1350 if (!rlen)
1352 sk->sk_shutdown = sk->sk_shutdown | RCV_SHUTDOWN; 1351 sk->sk_shutdown = sk->sk_shutdown | RCV_SHUTDOWN;
1353 1352
1354 cskb = skb; 1353 cskb = skb;
1355 if (skb_copy_datagram_iovec(cskb, 0, msg->msg_iov, copied)) { 1354 if (skb_copy_datagram_iovec(cskb, offset, msg->msg_iov, copied)) {
1356 if (!(flags & MSG_PEEK)) 1355 if (!(flags & MSG_PEEK))
1357 skb_queue_head(&sk->sk_receive_queue, skb); 1356 skb_queue_head(&sk->sk_receive_queue, skb);
1358 return -EFAULT; 1357 return -EFAULT;
@@ -1370,7 +1369,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1370 * get the trgcls from the control buffer of the skb due to 1369 * get the trgcls from the control buffer of the skb due to
1371 * fragmentation of original iucv message. */ 1370 * fragmentation of original iucv message. */
1372 err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS, 1371 err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS,
1373 CB_TRGCLS_LEN, CB_TRGCLS(skb)); 1372 sizeof(IUCV_SKB_CB(skb)->class),
1373 (void *)&IUCV_SKB_CB(skb)->class);
1374 if (err) { 1374 if (err) {
1375 if (!(flags & MSG_PEEK)) 1375 if (!(flags & MSG_PEEK))
1376 skb_queue_head(&sk->sk_receive_queue, skb); 1376 skb_queue_head(&sk->sk_receive_queue, skb);
@@ -1382,9 +1382,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1382 1382
1383 /* SOCK_STREAM: re-queue skb if it contains unreceived data */ 1383 /* SOCK_STREAM: re-queue skb if it contains unreceived data */
1384 if (sk->sk_type == SOCK_STREAM) { 1384 if (sk->sk_type == SOCK_STREAM) {
1385 skb_pull(skb, copied); 1385 if (copied < rlen) {
1386 if (skb->len) { 1386 IUCV_SKB_CB(skb)->offset = offset + copied;
1387 skb_queue_head(&sk->sk_receive_queue, skb);
1388 goto done; 1387 goto done;
1389 } 1388 }
1390 } 1389 }
@@ -1403,6 +1402,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1403 spin_lock_bh(&iucv->message_q.lock); 1402 spin_lock_bh(&iucv->message_q.lock);
1404 rskb = skb_dequeue(&iucv->backlog_skb_q); 1403 rskb = skb_dequeue(&iucv->backlog_skb_q);
1405 while (rskb) { 1404 while (rskb) {
1405 IUCV_SKB_CB(rskb)->offset = 0;
1406 if (sock_queue_rcv_skb(sk, rskb)) { 1406 if (sock_queue_rcv_skb(sk, rskb)) {
1407 skb_queue_head(&iucv->backlog_skb_q, 1407 skb_queue_head(&iucv->backlog_skb_q,
1408 rskb); 1408 rskb);
@@ -1830,7 +1830,7 @@ static void iucv_callback_txdone(struct iucv_path *path,
1830 spin_lock_irqsave(&list->lock, flags); 1830 spin_lock_irqsave(&list->lock, flags);
1831 1831
1832 while (list_skb != (struct sk_buff *)list) { 1832 while (list_skb != (struct sk_buff *)list) {
1833 if (!memcmp(&msg->tag, CB_TAG(list_skb), CB_TAG_LEN)) { 1833 if (msg->tag != IUCV_SKB_CB(list_skb)->tag) {
1834 this = list_skb; 1834 this = list_skb;
1835 break; 1835 break;
1836 } 1836 }
@@ -2091,6 +2091,7 @@ static int afiucv_hs_callback_rx(struct sock *sk, struct sk_buff *skb)
2091 skb_pull(skb, sizeof(struct af_iucv_trans_hdr)); 2091 skb_pull(skb, sizeof(struct af_iucv_trans_hdr));
2092 skb_reset_transport_header(skb); 2092 skb_reset_transport_header(skb);
2093 skb_reset_network_header(skb); 2093 skb_reset_network_header(skb);
2094 IUCV_SKB_CB(skb)->offset = 0;
2094 spin_lock(&iucv->message_q.lock); 2095 spin_lock(&iucv->message_q.lock);
2095 if (skb_queue_empty(&iucv->backlog_skb_q)) { 2096 if (skb_queue_empty(&iucv->backlog_skb_q)) {
2096 if (sock_queue_rcv_skb(sk, skb)) { 2097 if (sock_queue_rcv_skb(sk, skb)) {
@@ -2195,8 +2196,7 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
2195 /* fall through and receive zero length data */ 2196 /* fall through and receive zero length data */
2196 case 0: 2197 case 0:
2197 /* plain data frame */ 2198 /* plain data frame */
2198 memcpy(CB_TRGCLS(skb), &trans_hdr->iucv_hdr.class, 2199 IUCV_SKB_CB(skb)->class = trans_hdr->iucv_hdr.class;
2199 CB_TRGCLS_LEN);
2200 err = afiucv_hs_callback_rx(sk, skb); 2200 err = afiucv_hs_callback_rx(sk, skb);
2201 break; 2201 break;
2202 default: 2202 default:
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 8555f331ea60..5b1e5af25713 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2693,6 +2693,7 @@ static int key_notify_policy_flush(const struct km_event *c)
2693 hdr->sadb_msg_pid = c->portid; 2693 hdr->sadb_msg_pid = c->portid;
2694 hdr->sadb_msg_version = PF_KEY_V2; 2694 hdr->sadb_msg_version = PF_KEY_V2;
2695 hdr->sadb_msg_errno = (uint8_t) 0; 2695 hdr->sadb_msg_errno = (uint8_t) 0;
2696 hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
2696 hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); 2697 hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
2697 pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); 2698 pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
2698 return 0; 2699 return 0;
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c74f5a91ff6a..b8a6039314e8 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
690 lsa->l2tp_addr = ipv6_hdr(skb)->saddr; 690 lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
691 lsa->l2tp_flowinfo = 0; 691 lsa->l2tp_flowinfo = 0;
692 lsa->l2tp_scope_id = 0; 692 lsa->l2tp_scope_id = 0;
693 lsa->l2tp_conn_id = 0;
693 if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) 694 if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
694 lsa->l2tp_scope_id = IP6CB(skb)->iif; 695 lsa->l2tp_scope_id = IP6CB(skb)->iif;
695 } 696 }
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 88709882c464..48aaa89253e0 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
720 int target; /* Read at least this many bytes */ 720 int target; /* Read at least this many bytes */
721 long timeo; 721 long timeo;
722 722
723 msg->msg_namelen = 0;
724
723 lock_sock(sk); 725 lock_sock(sk);
724 copied = -ENOTCONN; 726 copied = -ENOTCONN;
725 if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) 727 if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index fb306814576a..a6893602f87a 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2582,7 +2582,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
2582 list_del(&dep->list); 2582 list_del(&dep->list);
2583 mutex_unlock(&local->mtx); 2583 mutex_unlock(&local->mtx);
2584 2584
2585 ieee80211_roc_notify_destroy(dep); 2585 ieee80211_roc_notify_destroy(dep, true);
2586 return 0; 2586 return 0;
2587 } 2587 }
2588 2588
@@ -2622,7 +2622,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
2622 ieee80211_start_next_roc(local); 2622 ieee80211_start_next_roc(local);
2623 mutex_unlock(&local->mtx); 2623 mutex_unlock(&local->mtx);
2624 2624
2625 ieee80211_roc_notify_destroy(found); 2625 ieee80211_roc_notify_destroy(found, true);
2626 } else { 2626 } else {
2627 /* work may be pending so use it all the time */ 2627 /* work may be pending so use it all the time */
2628 found->abort = true; 2628 found->abort = true;
@@ -2632,6 +2632,8 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
2632 2632
2633 /* work will clean up etc */ 2633 /* work will clean up etc */
2634 flush_delayed_work(&found->work); 2634 flush_delayed_work(&found->work);
2635 WARN_ON(!found->to_be_freed);
2636 kfree(found);
2635 } 2637 }
2636 2638
2637 return 0; 2639 return 0;
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 78c0d90dd641..931be419ab5a 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -63,6 +63,7 @@ ieee80211_new_chanctx(struct ieee80211_local *local,
63 enum ieee80211_chanctx_mode mode) 63 enum ieee80211_chanctx_mode mode)
64{ 64{
65 struct ieee80211_chanctx *ctx; 65 struct ieee80211_chanctx *ctx;
66 u32 changed;
66 int err; 67 int err;
67 68
68 lockdep_assert_held(&local->chanctx_mtx); 69 lockdep_assert_held(&local->chanctx_mtx);
@@ -76,6 +77,13 @@ ieee80211_new_chanctx(struct ieee80211_local *local,
76 ctx->conf.rx_chains_dynamic = 1; 77 ctx->conf.rx_chains_dynamic = 1;
77 ctx->mode = mode; 78 ctx->mode = mode;
78 79
80 /* acquire mutex to prevent idle from changing */
81 mutex_lock(&local->mtx);
82 /* turn idle off *before* setting channel -- some drivers need that */
83 changed = ieee80211_idle_off(local);
84 if (changed)
85 ieee80211_hw_config(local, changed);
86
79 if (!local->use_chanctx) { 87 if (!local->use_chanctx) {
80 local->_oper_channel_type = 88 local->_oper_channel_type =
81 cfg80211_get_chandef_type(chandef); 89 cfg80211_get_chandef_type(chandef);
@@ -85,14 +93,17 @@ ieee80211_new_chanctx(struct ieee80211_local *local,
85 err = drv_add_chanctx(local, ctx); 93 err = drv_add_chanctx(local, ctx);
86 if (err) { 94 if (err) {
87 kfree(ctx); 95 kfree(ctx);
88 return ERR_PTR(err); 96 ctx = ERR_PTR(err);
97
98 ieee80211_recalc_idle(local);
99 goto out;
89 } 100 }
90 } 101 }
91 102
103 /* and keep the mutex held until the new chanctx is on the list */
92 list_add_rcu(&ctx->list, &local->chanctx_list); 104 list_add_rcu(&ctx->list, &local->chanctx_list);
93 105
94 mutex_lock(&local->mtx); 106 out:
95 ieee80211_recalc_idle(local);
96 mutex_unlock(&local->mtx); 107 mutex_unlock(&local->mtx);
97 108
98 return ctx; 109 return ctx;
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 388580a1bada..5672533a0832 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -309,6 +309,7 @@ struct ieee80211_roc_work {
309 struct ieee80211_channel *chan; 309 struct ieee80211_channel *chan;
310 310
311 bool started, abort, hw_begun, notified; 311 bool started, abort, hw_begun, notified;
312 bool to_be_freed;
312 313
313 unsigned long hw_start_time; 314 unsigned long hw_start_time;
314 315
@@ -1347,7 +1348,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local);
1347void ieee80211_roc_setup(struct ieee80211_local *local); 1348void ieee80211_roc_setup(struct ieee80211_local *local);
1348void ieee80211_start_next_roc(struct ieee80211_local *local); 1349void ieee80211_start_next_roc(struct ieee80211_local *local);
1349void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata); 1350void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata);
1350void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc); 1351void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free);
1351void ieee80211_sw_roc_work(struct work_struct *work); 1352void ieee80211_sw_roc_work(struct work_struct *work);
1352void ieee80211_handle_roc_started(struct ieee80211_roc_work *roc); 1353void ieee80211_handle_roc_started(struct ieee80211_roc_work *roc);
1353 1354
@@ -1361,6 +1362,7 @@ int ieee80211_if_change_type(struct ieee80211_sub_if_data *sdata,
1361 enum nl80211_iftype type); 1362 enum nl80211_iftype type);
1362void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata); 1363void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata);
1363void ieee80211_remove_interfaces(struct ieee80211_local *local); 1364void ieee80211_remove_interfaces(struct ieee80211_local *local);
1365u32 ieee80211_idle_off(struct ieee80211_local *local);
1364void ieee80211_recalc_idle(struct ieee80211_local *local); 1366void ieee80211_recalc_idle(struct ieee80211_local *local);
1365void ieee80211_adjust_monitor_flags(struct ieee80211_sub_if_data *sdata, 1367void ieee80211_adjust_monitor_flags(struct ieee80211_sub_if_data *sdata,
1366 const int offset); 1368 const int offset);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index baaa8608e52d..58150f877ec3 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -78,7 +78,7 @@ void ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata)
78 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_TXPOWER); 78 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_TXPOWER);
79} 79}
80 80
81static u32 ieee80211_idle_off(struct ieee80211_local *local) 81u32 ieee80211_idle_off(struct ieee80211_local *local)
82{ 82{
83 if (!(local->hw.conf.flags & IEEE80211_CONF_IDLE)) 83 if (!(local->hw.conf.flags & IEEE80211_CONF_IDLE))
84 return 0; 84 return 0;
@@ -349,21 +349,19 @@ static void ieee80211_set_default_queues(struct ieee80211_sub_if_data *sdata)
349static int ieee80211_add_virtual_monitor(struct ieee80211_local *local) 349static int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
350{ 350{
351 struct ieee80211_sub_if_data *sdata; 351 struct ieee80211_sub_if_data *sdata;
352 int ret = 0; 352 int ret;
353 353
354 if (!(local->hw.flags & IEEE80211_HW_WANT_MONITOR_VIF)) 354 if (!(local->hw.flags & IEEE80211_HW_WANT_MONITOR_VIF))
355 return 0; 355 return 0;
356 356
357 mutex_lock(&local->iflist_mtx); 357 ASSERT_RTNL();
358 358
359 if (local->monitor_sdata) 359 if (local->monitor_sdata)
360 goto out_unlock; 360 return 0;
361 361
362 sdata = kzalloc(sizeof(*sdata) + local->hw.vif_data_size, GFP_KERNEL); 362 sdata = kzalloc(sizeof(*sdata) + local->hw.vif_data_size, GFP_KERNEL);
363 if (!sdata) { 363 if (!sdata)
364 ret = -ENOMEM; 364 return -ENOMEM;
365 goto out_unlock;
366 }
367 365
368 /* set up data */ 366 /* set up data */
369 sdata->local = local; 367 sdata->local = local;
@@ -377,13 +375,13 @@ static int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
377 if (WARN_ON(ret)) { 375 if (WARN_ON(ret)) {
378 /* ok .. stupid driver, it asked for this! */ 376 /* ok .. stupid driver, it asked for this! */
379 kfree(sdata); 377 kfree(sdata);
380 goto out_unlock; 378 return ret;
381 } 379 }
382 380
383 ret = ieee80211_check_queues(sdata); 381 ret = ieee80211_check_queues(sdata);
384 if (ret) { 382 if (ret) {
385 kfree(sdata); 383 kfree(sdata);
386 goto out_unlock; 384 return ret;
387 } 385 }
388 386
389 ret = ieee80211_vif_use_channel(sdata, &local->monitor_chandef, 387 ret = ieee80211_vif_use_channel(sdata, &local->monitor_chandef,
@@ -391,13 +389,14 @@ static int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
391 if (ret) { 389 if (ret) {
392 drv_remove_interface(local, sdata); 390 drv_remove_interface(local, sdata);
393 kfree(sdata); 391 kfree(sdata);
394 goto out_unlock; 392 return ret;
395 } 393 }
396 394
395 mutex_lock(&local->iflist_mtx);
397 rcu_assign_pointer(local->monitor_sdata, sdata); 396 rcu_assign_pointer(local->monitor_sdata, sdata);
398 out_unlock:
399 mutex_unlock(&local->iflist_mtx); 397 mutex_unlock(&local->iflist_mtx);
400 return ret; 398
399 return 0;
401} 400}
402 401
403static void ieee80211_del_virtual_monitor(struct ieee80211_local *local) 402static void ieee80211_del_virtual_monitor(struct ieee80211_local *local)
@@ -407,14 +406,20 @@ static void ieee80211_del_virtual_monitor(struct ieee80211_local *local)
407 if (!(local->hw.flags & IEEE80211_HW_WANT_MONITOR_VIF)) 406 if (!(local->hw.flags & IEEE80211_HW_WANT_MONITOR_VIF))
408 return; 407 return;
409 408
409 ASSERT_RTNL();
410
410 mutex_lock(&local->iflist_mtx); 411 mutex_lock(&local->iflist_mtx);
411 412
412 sdata = rcu_dereference_protected(local->monitor_sdata, 413 sdata = rcu_dereference_protected(local->monitor_sdata,
413 lockdep_is_held(&local->iflist_mtx)); 414 lockdep_is_held(&local->iflist_mtx));
414 if (!sdata) 415 if (!sdata) {
415 goto out_unlock; 416 mutex_unlock(&local->iflist_mtx);
417 return;
418 }
416 419
417 rcu_assign_pointer(local->monitor_sdata, NULL); 420 rcu_assign_pointer(local->monitor_sdata, NULL);
421 mutex_unlock(&local->iflist_mtx);
422
418 synchronize_net(); 423 synchronize_net();
419 424
420 ieee80211_vif_release_channel(sdata); 425 ieee80211_vif_release_channel(sdata);
@@ -422,8 +427,6 @@ static void ieee80211_del_virtual_monitor(struct ieee80211_local *local)
422 drv_remove_interface(local, sdata); 427 drv_remove_interface(local, sdata);
423 428
424 kfree(sdata); 429 kfree(sdata);
425 out_unlock:
426 mutex_unlock(&local->iflist_mtx);
427} 430}
428 431
429/* 432/*
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 29ce2aa87e7b..4749b3858695 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1060,7 +1060,8 @@ void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local)
1060 1060
1061 rcu_read_lock(); 1061 rcu_read_lock();
1062 list_for_each_entry_rcu(sdata, &local->interfaces, list) 1062 list_for_each_entry_rcu(sdata, &local->interfaces, list)
1063 if (ieee80211_vif_is_mesh(&sdata->vif)) 1063 if (ieee80211_vif_is_mesh(&sdata->vif) &&
1064 ieee80211_sdata_running(sdata))
1064 ieee80211_queue_work(&local->hw, &sdata->work); 1065 ieee80211_queue_work(&local->hw, &sdata->work);
1065 rcu_read_unlock(); 1066 rcu_read_unlock();
1066} 1067}
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 141577412d84..82cc30318a86 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3608,8 +3608,10 @@ void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
3608 3608
3609 /* Restart STA timers */ 3609 /* Restart STA timers */
3610 rcu_read_lock(); 3610 rcu_read_lock();
3611 list_for_each_entry_rcu(sdata, &local->interfaces, list) 3611 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3612 ieee80211_restart_sta_timer(sdata); 3612 if (ieee80211_sdata_running(sdata))
3613 ieee80211_restart_sta_timer(sdata);
3614 }
3613 rcu_read_unlock(); 3615 rcu_read_unlock();
3614} 3616}
3615 3617
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index cc79b4a2e821..430bd254e496 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -297,10 +297,13 @@ void ieee80211_start_next_roc(struct ieee80211_local *local)
297 } 297 }
298} 298}
299 299
300void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc) 300void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free)
301{ 301{
302 struct ieee80211_roc_work *dep, *tmp; 302 struct ieee80211_roc_work *dep, *tmp;
303 303
304 if (WARN_ON(roc->to_be_freed))
305 return;
306
304 /* was never transmitted */ 307 /* was never transmitted */
305 if (roc->frame) { 308 if (roc->frame) {
306 cfg80211_mgmt_tx_status(&roc->sdata->wdev, 309 cfg80211_mgmt_tx_status(&roc->sdata->wdev,
@@ -316,9 +319,12 @@ void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc)
316 GFP_KERNEL); 319 GFP_KERNEL);
317 320
318 list_for_each_entry_safe(dep, tmp, &roc->dependents, list) 321 list_for_each_entry_safe(dep, tmp, &roc->dependents, list)
319 ieee80211_roc_notify_destroy(dep); 322 ieee80211_roc_notify_destroy(dep, true);
320 323
321 kfree(roc); 324 if (free)
325 kfree(roc);
326 else
327 roc->to_be_freed = true;
322} 328}
323 329
324void ieee80211_sw_roc_work(struct work_struct *work) 330void ieee80211_sw_roc_work(struct work_struct *work)
@@ -331,6 +337,9 @@ void ieee80211_sw_roc_work(struct work_struct *work)
331 337
332 mutex_lock(&local->mtx); 338 mutex_lock(&local->mtx);
333 339
340 if (roc->to_be_freed)
341 goto out_unlock;
342
334 if (roc->abort) 343 if (roc->abort)
335 goto finish; 344 goto finish;
336 345
@@ -370,7 +379,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
370 finish: 379 finish:
371 list_del(&roc->list); 380 list_del(&roc->list);
372 started = roc->started; 381 started = roc->started;
373 ieee80211_roc_notify_destroy(roc); 382 ieee80211_roc_notify_destroy(roc, !roc->abort);
374 383
375 if (started) { 384 if (started) {
376 drv_flush(local, false); 385 drv_flush(local, false);
@@ -410,7 +419,7 @@ static void ieee80211_hw_roc_done(struct work_struct *work)
410 419
411 list_del(&roc->list); 420 list_del(&roc->list);
412 421
413 ieee80211_roc_notify_destroy(roc); 422 ieee80211_roc_notify_destroy(roc, true);
414 423
415 /* if there's another roc, start it now */ 424 /* if there's another roc, start it now */
416 ieee80211_start_next_roc(local); 425 ieee80211_start_next_roc(local);
@@ -460,12 +469,14 @@ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata)
460 list_for_each_entry_safe(roc, tmp, &tmp_list, list) { 469 list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
461 if (local->ops->remain_on_channel) { 470 if (local->ops->remain_on_channel) {
462 list_del(&roc->list); 471 list_del(&roc->list);
463 ieee80211_roc_notify_destroy(roc); 472 ieee80211_roc_notify_destroy(roc, true);
464 } else { 473 } else {
465 ieee80211_queue_delayed_work(&local->hw, &roc->work, 0); 474 ieee80211_queue_delayed_work(&local->hw, &roc->work, 0);
466 475
467 /* work will clean up etc */ 476 /* work will clean up etc */
468 flush_delayed_work(&roc->work); 477 flush_delayed_work(&roc->work);
478 WARN_ON(!roc->to_be_freed);
479 kfree(roc);
469 } 480 }
470 } 481 }
471 482
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bb73ed2d20b9..c6844ad080be 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2675,7 +2675,19 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
2675 2675
2676 memset(nskb->cb, 0, sizeof(nskb->cb)); 2676 memset(nskb->cb, 0, sizeof(nskb->cb));
2677 2677
2678 ieee80211_tx_skb(rx->sdata, nskb); 2678 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
2679 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
2680
2681 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
2682 IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
2683 IEEE80211_TX_CTL_NO_CCK_RATE;
2684 if (local->hw.flags & IEEE80211_HW_QUEUE_CONTROL)
2685 info->hw_queue =
2686 local->hw.offchannel_tx_hw_queue;
2687 }
2688
2689 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
2690 status->band);
2679 } 2691 }
2680 dev_kfree_skb(rx->skb); 2692 dev_kfree_skb(rx->skb);
2681 return RX_QUEUED; 2693 return RX_QUEUED;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index a79ce820cb50..238a0cca320e 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -766,6 +766,7 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
766 struct ieee80211_local *local; 766 struct ieee80211_local *local;
767 struct ieee80211_sub_if_data *sdata; 767 struct ieee80211_sub_if_data *sdata;
768 int ret, i; 768 int ret, i;
769 bool have_key = false;
769 770
770 might_sleep(); 771 might_sleep();
771 772
@@ -793,12 +794,19 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
793 list_del_rcu(&sta->list); 794 list_del_rcu(&sta->list);
794 795
795 mutex_lock(&local->key_mtx); 796 mutex_lock(&local->key_mtx);
796 for (i = 0; i < NUM_DEFAULT_KEYS; i++) 797 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
797 __ieee80211_key_free(key_mtx_dereference(local, sta->gtk[i])); 798 __ieee80211_key_free(key_mtx_dereference(local, sta->gtk[i]));
798 if (sta->ptk) 799 have_key = true;
800 }
801 if (sta->ptk) {
799 __ieee80211_key_free(key_mtx_dereference(local, sta->ptk)); 802 __ieee80211_key_free(key_mtx_dereference(local, sta->ptk));
803 have_key = true;
804 }
800 mutex_unlock(&local->key_mtx); 805 mutex_unlock(&local->key_mtx);
801 806
807 if (!have_key)
808 synchronize_net();
809
802 sta->dead = true; 810 sta->dead = true;
803 811
804 local->num_sta--; 812 local->num_sta--;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 6bcce401fd1c..fedee3943661 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -568,6 +568,7 @@ static int __init nf_conntrack_standalone_init(void)
568 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); 568 register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
569 if (!nf_ct_netfilter_header) { 569 if (!nf_ct_netfilter_header) {
570 pr_err("nf_conntrack: can't register to sysctl.\n"); 570 pr_err("nf_conntrack: can't register to sysctl.\n");
571 ret = -ENOMEM;
571 goto out_sysctl; 572 goto out_sysctl;
572 } 573 }
573#endif 574#endif
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 589d686f0b4c..dc3fd5d44464 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -49,6 +49,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
49 return -EINVAL; 49 return -EINVAL;
50 50
51 acct_name = nla_data(tb[NFACCT_NAME]); 51 acct_name = nla_data(tb[NFACCT_NAME]);
52 if (strlen(acct_name) == 0)
53 return -EINVAL;
52 54
53 list_for_each_entry(nfacct, &nfnl_acct_list, head) { 55 list_for_each_entry(nfacct, &nfnl_acct_list, head) {
54 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0) 56 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0)
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 1cb48540f86a..42680b2baa11 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1062,8 +1062,10 @@ static int __init nfnetlink_queue_init(void)
1062 1062
1063#ifdef CONFIG_PROC_FS 1063#ifdef CONFIG_PROC_FS
1064 if (!proc_create("nfnetlink_queue", 0440, 1064 if (!proc_create("nfnetlink_queue", 0440,
1065 proc_net_netfilter, &nfqnl_file_ops)) 1065 proc_net_netfilter, &nfqnl_file_ops)) {
1066 status = -ENOMEM;
1066 goto cleanup_subsys; 1067 goto cleanup_subsys;
1068 }
1067#endif 1069#endif
1068 1070
1069 register_netdevice_notifier(&nfqnl_dev_notifier); 1071 register_netdevice_notifier(&nfqnl_dev_notifier);
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index d1fa1d9ffd2e..103bd704b5fc 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1173,6 +1173,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
1173 } 1173 }
1174 1174
1175 if (sax != NULL) { 1175 if (sax != NULL) {
1176 memset(sax, 0, sizeof(*sax));
1176 sax->sax25_family = AF_NETROM; 1177 sax->sax25_family = AF_NETROM;
1177 skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, 1178 skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
1178 AX25_ADDR_LEN); 1179 AX25_ADDR_LEN);
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index b530afadd76c..ee25f25f0cd6 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -107,8 +107,6 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
107 accept_sk->sk_state_change(sk); 107 accept_sk->sk_state_change(sk);
108 108
109 bh_unlock_sock(accept_sk); 109 bh_unlock_sock(accept_sk);
110
111 sock_orphan(accept_sk);
112 } 110 }
113 111
114 if (listen == true) { 112 if (listen == true) {
@@ -134,8 +132,6 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
134 132
135 bh_unlock_sock(sk); 133 bh_unlock_sock(sk);
136 134
137 sock_orphan(sk);
138
139 sk_del_node_init(sk); 135 sk_del_node_init(sk);
140 } 136 }
141 137
@@ -164,8 +160,6 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
164 160
165 bh_unlock_sock(sk); 161 bh_unlock_sock(sk);
166 162
167 sock_orphan(sk);
168
169 sk_del_node_init(sk); 163 sk_del_node_init(sk);
170 } 164 }
171 165
@@ -827,7 +821,6 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
827 skb_get(skb); 821 skb_get(skb);
828 } else { 822 } else {
829 pr_err("Receive queue is full\n"); 823 pr_err("Receive queue is full\n");
830 kfree_skb(skb);
831 } 824 }
832 825
833 nfc_llcp_sock_put(llcp_sock); 826 nfc_llcp_sock_put(llcp_sock);
@@ -1028,7 +1021,6 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
1028 skb_get(skb); 1021 skb_get(skb);
1029 } else { 1022 } else {
1030 pr_err("Receive queue is full\n"); 1023 pr_err("Receive queue is full\n");
1031 kfree_skb(skb);
1032 } 1024 }
1033 } 1025 }
1034 1026
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 5c7cdf3f2a83..6c94447ec414 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -270,7 +270,9 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
270 } 270 }
271 271
272 if (sk->sk_state == LLCP_CONNECTED || !newsock) { 272 if (sk->sk_state == LLCP_CONNECTED || !newsock) {
273 nfc_llcp_accept_unlink(sk); 273 list_del_init(&lsk->accept_queue);
274 sock_put(sk);
275
274 if (newsock) 276 if (newsock)
275 sock_graft(sk, newsock); 277 sock_graft(sk, newsock);
276 278
@@ -464,8 +466,6 @@ static int llcp_sock_release(struct socket *sock)
464 nfc_llcp_accept_unlink(accept_sk); 466 nfc_llcp_accept_unlink(accept_sk);
465 467
466 release_sock(accept_sk); 468 release_sock(accept_sk);
467
468 sock_orphan(accept_sk);
469 } 469 }
470 } 470 }
471 471
@@ -646,6 +646,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
646 646
647 pr_debug("%p %zu\n", sk, len); 647 pr_debug("%p %zu\n", sk, len);
648 648
649 msg->msg_namelen = 0;
650
649 lock_sock(sk); 651 lock_sock(sk);
650 652
651 if (sk->sk_state == LLCP_CLOSED && 653 if (sk->sk_state == LLCP_CLOSED &&
@@ -691,6 +693,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
691 693
692 pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap); 694 pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
693 695
696 memset(sockaddr, 0, sizeof(*sockaddr));
694 sockaddr->sa_family = AF_NFC; 697 sockaddr->sa_family = AF_NFC;
695 sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP; 698 sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP;
696 sockaddr->dsap = ui_cb->dsap; 699 sockaddr->dsap = ui_cb->dsap;
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index cf68e6e4054a..9c8347451597 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
1253 skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 1253 skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
1254 1254
1255 if (srose != NULL) { 1255 if (srose != NULL) {
1256 memset(srose, 0, msg->msg_namelen);
1256 srose->srose_family = AF_ROSE; 1257 srose->srose_family = AF_ROSE;
1257 srose->srose_addr = rose->dest_addr; 1258 srose->srose_addr = rose->dest_addr;
1258 srose->srose_call = rose->dest_call; 1259 srose->srose_call = rose->dest_call;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 13aa47aa2ffb..1bc210ffcba2 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -962,8 +962,11 @@ cbq_dequeue(struct Qdisc *sch)
962 cbq_update(q); 962 cbq_update(q);
963 if ((incr -= incr2) < 0) 963 if ((incr -= incr2) < 0)
964 incr = 0; 964 incr = 0;
965 q->now += incr;
966 } else {
967 if (now > q->now)
968 q->now = now;
965 } 969 }
966 q->now += incr;
967 q->now_rt = now; 970 q->now_rt = now;
968 971
969 for (;;) { 972 for (;;) {
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 4e606fcb2534..55786283a3df 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -195,7 +195,7 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch)
195 flow->deficit = q->quantum; 195 flow->deficit = q->quantum;
196 flow->dropped = 0; 196 flow->dropped = 0;
197 } 197 }
198 if (++sch->q.qlen < sch->limit) 198 if (++sch->q.qlen <= sch->limit)
199 return NET_XMIT_SUCCESS; 199 return NET_XMIT_SUCCESS;
200 200
201 q->drop_overlimit++; 201 q->drop_overlimit++;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index ffad48109a22..eac7e0ee23c1 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -904,7 +904,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r, u32 rate)
904 u64 mult; 904 u64 mult;
905 int shift; 905 int shift;
906 906
907 r->rate_bps = rate << 3; 907 r->rate_bps = (u64)rate << 3;
908 r->shift = 0; 908 r->shift = 0;
909 r->mult = 1; 909 r->mult = 1;
910 /* 910 /*
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index dcc446e7fbf6..d5f35f15af98 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -304,10 +304,8 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, stru
304 err = rpciod_up(); 304 err = rpciod_up();
305 if (err) 305 if (err)
306 goto out_no_rpciod; 306 goto out_no_rpciod;
307 err = -EINVAL;
308 if (!xprt)
309 goto out_no_xprt;
310 307
308 err = -EINVAL;
311 if (args->version >= program->nrvers) 309 if (args->version >= program->nrvers)
312 goto out_err; 310 goto out_err;
313 version = program->version[args->version]; 311 version = program->version[args->version];
@@ -382,10 +380,9 @@ out_no_principal:
382out_no_stats: 380out_no_stats:
383 kfree(clnt); 381 kfree(clnt);
384out_err: 382out_err:
385 xprt_put(xprt);
386out_no_xprt:
387 rpciod_down(); 383 rpciod_down();
388out_no_rpciod: 384out_no_rpciod:
385 xprt_put(xprt);
389 return ERR_PTR(err); 386 return ERR_PTR(err);
390} 387}
391 388
@@ -512,7 +509,7 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args,
512 new = rpc_new_client(args, xprt); 509 new = rpc_new_client(args, xprt);
513 if (IS_ERR(new)) { 510 if (IS_ERR(new)) {
514 err = PTR_ERR(new); 511 err = PTR_ERR(new);
515 goto out_put; 512 goto out_err;
516 } 513 }
517 514
518 atomic_inc(&clnt->cl_count); 515 atomic_inc(&clnt->cl_count);
@@ -525,8 +522,6 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args,
525 new->cl_chatty = clnt->cl_chatty; 522 new->cl_chatty = clnt->cl_chatty;
526 return new; 523 return new;
527 524
528out_put:
529 xprt_put(xprt);
530out_err: 525out_err:
531 dprintk("RPC: %s: returned error %d\n", __func__, err); 526 dprintk("RPC: %s: returned error %d\n", __func__, err);
532 return ERR_PTR(err); 527 return ERR_PTR(err);
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index a9622b6cd916..515ce38e4f4c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -790,6 +790,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
790 if (addr) { 790 if (addr) {
791 addr->family = AF_TIPC; 791 addr->family = AF_TIPC;
792 addr->addrtype = TIPC_ADDR_ID; 792 addr->addrtype = TIPC_ADDR_ID;
793 memset(&addr->addr, 0, sizeof(addr->addr));
793 addr->addr.id.ref = msg_origport(msg); 794 addr->addr.id.ref = msg_origport(msg);
794 addr->addr.id.node = msg_orignode(msg); 795 addr->addr.id.node = msg_orignode(msg);
795 addr->addr.name.domain = 0; /* could leave uninitialized */ 796 addr->addr.name.domain = 0; /* could leave uninitialized */
@@ -904,6 +905,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
904 goto exit; 905 goto exit;
905 } 906 }
906 907
908 /* will be updated in set_orig_addr() if needed */
909 m->msg_namelen = 0;
910
907 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); 911 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
908restart: 912restart:
909 913
@@ -1013,6 +1017,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
1013 goto exit; 1017 goto exit;
1014 } 1018 }
1015 1019
1020 /* will be updated in set_orig_addr() if needed */
1021 m->msg_namelen = 0;
1022
1016 target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); 1023 target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
1017 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); 1024 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
1018 1025
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 971282b6f6a3..2db702d82e7d 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1412,8 +1412,8 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
1412 if (UNIXCB(skb).cred) 1412 if (UNIXCB(skb).cred)
1413 return; 1413 return;
1414 if (test_bit(SOCK_PASSCRED, &sock->flags) || 1414 if (test_bit(SOCK_PASSCRED, &sock->flags) ||
1415 (other->sk_socket && 1415 !other->sk_socket ||
1416 test_bit(SOCK_PASSCRED, &other->sk_socket->flags))) { 1416 test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) {
1417 UNIXCB(skb).pid = get_pid(task_tgid(current)); 1417 UNIXCB(skb).pid = get_pid(task_tgid(current));
1418 UNIXCB(skb).cred = get_current_cred(); 1418 UNIXCB(skb).cred = get_current_cred();
1419 } 1419 }
@@ -1993,7 +1993,7 @@ again:
1993 if ((UNIXCB(skb).pid != siocb->scm->pid) || 1993 if ((UNIXCB(skb).pid != siocb->scm->pid) ||
1994 (UNIXCB(skb).cred != siocb->scm->cred)) 1994 (UNIXCB(skb).cred != siocb->scm->cred))
1995 break; 1995 break;
1996 } else { 1996 } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
1997 /* Copy credentials */ 1997 /* Copy credentials */
1998 scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred); 1998 scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
1999 check_creds = 1; 1999 check_creds = 1;
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index ca511c4f388a..7f93e2a42d7a 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -207,7 +207,7 @@ static struct sock *__vsock_find_bound_socket(struct sockaddr_vm *addr)
207 struct vsock_sock *vsk; 207 struct vsock_sock *vsk;
208 208
209 list_for_each_entry(vsk, vsock_bound_sockets(addr), bound_table) 209 list_for_each_entry(vsk, vsock_bound_sockets(addr), bound_table)
210 if (vsock_addr_equals_addr_any(addr, &vsk->local_addr)) 210 if (addr->svm_port == vsk->local_addr.svm_port)
211 return sk_vsock(vsk); 211 return sk_vsock(vsk);
212 212
213 return NULL; 213 return NULL;
@@ -220,8 +220,8 @@ static struct sock *__vsock_find_connected_socket(struct sockaddr_vm *src,
220 220
221 list_for_each_entry(vsk, vsock_connected_sockets(src, dst), 221 list_for_each_entry(vsk, vsock_connected_sockets(src, dst),
222 connected_table) { 222 connected_table) {
223 if (vsock_addr_equals_addr(src, &vsk->remote_addr) 223 if (vsock_addr_equals_addr(src, &vsk->remote_addr) &&
224 && vsock_addr_equals_addr(dst, &vsk->local_addr)) { 224 dst->svm_port == vsk->local_addr.svm_port) {
225 return sk_vsock(vsk); 225 return sk_vsock(vsk);
226 } 226 }
227 } 227 }
@@ -1670,6 +1670,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
1670 vsk = vsock_sk(sk); 1670 vsk = vsock_sk(sk);
1671 err = 0; 1671 err = 0;
1672 1672
1673 msg->msg_namelen = 0;
1674
1673 lock_sock(sk); 1675 lock_sock(sk);
1674 1676
1675 if (sk->sk_state != SS_CONNECTED) { 1677 if (sk->sk_state != SS_CONNECTED) {
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index a70ace83a153..5e04d3d96285 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -464,19 +464,16 @@ static struct sock *vmci_transport_get_pending(
464 struct vsock_sock *vlistener; 464 struct vsock_sock *vlistener;
465 struct vsock_sock *vpending; 465 struct vsock_sock *vpending;
466 struct sock *pending; 466 struct sock *pending;
467 struct sockaddr_vm src;
468
469 vsock_addr_init(&src, pkt->dg.src.context, pkt->src_port);
467 470
468 vlistener = vsock_sk(listener); 471 vlistener = vsock_sk(listener);
469 472
470 list_for_each_entry(vpending, &vlistener->pending_links, 473 list_for_each_entry(vpending, &vlistener->pending_links,
471 pending_links) { 474 pending_links) {
472 struct sockaddr_vm src;
473 struct sockaddr_vm dst;
474
475 vsock_addr_init(&src, pkt->dg.src.context, pkt->src_port);
476 vsock_addr_init(&dst, pkt->dg.dst.context, pkt->dst_port);
477
478 if (vsock_addr_equals_addr(&src, &vpending->remote_addr) && 475 if (vsock_addr_equals_addr(&src, &vpending->remote_addr) &&
479 vsock_addr_equals_addr(&dst, &vpending->local_addr)) { 476 pkt->dst_port == vpending->local_addr.svm_port) {
480 pending = sk_vsock(vpending); 477 pending = sk_vsock(vpending);
481 sock_hold(pending); 478 sock_hold(pending);
482 goto found; 479 goto found;
@@ -739,10 +736,15 @@ static int vmci_transport_recv_stream_cb(void *data, struct vmci_datagram *dg)
739 */ 736 */
740 bh_lock_sock(sk); 737 bh_lock_sock(sk);
741 738
742 if (!sock_owned_by_user(sk) && sk->sk_state == SS_CONNECTED) 739 if (!sock_owned_by_user(sk)) {
743 vmci_trans(vsk)->notify_ops->handle_notify_pkt( 740 /* The local context ID may be out of date, update it. */
744 sk, pkt, true, &dst, &src, 741 vsk->local_addr.svm_cid = dst.svm_cid;
745 &bh_process_pkt); 742
743 if (sk->sk_state == SS_CONNECTED)
744 vmci_trans(vsk)->notify_ops->handle_notify_pkt(
745 sk, pkt, true, &dst, &src,
746 &bh_process_pkt);
747 }
746 748
747 bh_unlock_sock(sk); 749 bh_unlock_sock(sk);
748 750
@@ -902,6 +904,9 @@ static void vmci_transport_recv_pkt_work(struct work_struct *work)
902 904
903 lock_sock(sk); 905 lock_sock(sk);
904 906
907 /* The local context ID may be out of date. */
908 vsock_sk(sk)->local_addr.svm_cid = pkt->dg.dst.context;
909
905 switch (sk->sk_state) { 910 switch (sk->sk_state) {
906 case SS_LISTEN: 911 case SS_LISTEN:
907 vmci_transport_recv_listen(sk, pkt); 912 vmci_transport_recv_listen(sk, pkt);
@@ -958,6 +963,10 @@ static int vmci_transport_recv_listen(struct sock *sk,
958 pending = vmci_transport_get_pending(sk, pkt); 963 pending = vmci_transport_get_pending(sk, pkt);
959 if (pending) { 964 if (pending) {
960 lock_sock(pending); 965 lock_sock(pending);
966
967 /* The local context ID may be out of date. */
968 vsock_sk(pending)->local_addr.svm_cid = pkt->dg.dst.context;
969
961 switch (pending->sk_state) { 970 switch (pending->sk_state) {
962 case SS_CONNECTING: 971 case SS_CONNECTING:
963 err = vmci_transport_recv_connecting_server(sk, 972 err = vmci_transport_recv_connecting_server(sk,
@@ -1727,6 +1736,8 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb,
1727 if (flags & MSG_OOB || flags & MSG_ERRQUEUE) 1736 if (flags & MSG_OOB || flags & MSG_ERRQUEUE)
1728 return -EOPNOTSUPP; 1737 return -EOPNOTSUPP;
1729 1738
1739 msg->msg_namelen = 0;
1740
1730 /* Retrieve the head sk_buff from the socket's receive queue. */ 1741 /* Retrieve the head sk_buff from the socket's receive queue. */
1731 err = 0; 1742 err = 0;
1732 skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err); 1743 skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err);
@@ -1759,7 +1770,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb,
1759 if (err) 1770 if (err)
1760 goto out; 1771 goto out;
1761 1772
1762 msg->msg_namelen = 0;
1763 if (msg->msg_name) { 1773 if (msg->msg_name) {
1764 struct sockaddr_vm *vm_addr; 1774 struct sockaddr_vm *vm_addr;
1765 1775
diff --git a/net/vmw_vsock/vsock_addr.c b/net/vmw_vsock/vsock_addr.c
index b7df1aea7c59..ec2611b4ea0e 100644
--- a/net/vmw_vsock/vsock_addr.c
+++ b/net/vmw_vsock/vsock_addr.c
@@ -64,16 +64,6 @@ bool vsock_addr_equals_addr(const struct sockaddr_vm *addr,
64} 64}
65EXPORT_SYMBOL_GPL(vsock_addr_equals_addr); 65EXPORT_SYMBOL_GPL(vsock_addr_equals_addr);
66 66
67bool vsock_addr_equals_addr_any(const struct sockaddr_vm *addr,
68 const struct sockaddr_vm *other)
69{
70 return (addr->svm_cid == VMADDR_CID_ANY ||
71 other->svm_cid == VMADDR_CID_ANY ||
72 addr->svm_cid == other->svm_cid) &&
73 addr->svm_port == other->svm_port;
74}
75EXPORT_SYMBOL_GPL(vsock_addr_equals_addr_any);
76
77int vsock_addr_cast(const struct sockaddr *addr, 67int vsock_addr_cast(const struct sockaddr *addr,
78 size_t len, struct sockaddr_vm **out_addr) 68 size_t len, struct sockaddr_vm **out_addr)
79{ 69{
diff --git a/net/vmw_vsock/vsock_addr.h b/net/vmw_vsock/vsock_addr.h
index cdfbcefdf843..9ccd5316eac0 100644
--- a/net/vmw_vsock/vsock_addr.h
+++ b/net/vmw_vsock/vsock_addr.h
@@ -24,8 +24,6 @@ bool vsock_addr_bound(const struct sockaddr_vm *addr);
24void vsock_addr_unbind(struct sockaddr_vm *addr); 24void vsock_addr_unbind(struct sockaddr_vm *addr);
25bool vsock_addr_equals_addr(const struct sockaddr_vm *addr, 25bool vsock_addr_equals_addr(const struct sockaddr_vm *addr,
26 const struct sockaddr_vm *other); 26 const struct sockaddr_vm *other);
27bool vsock_addr_equals_addr_any(const struct sockaddr_vm *addr,
28 const struct sockaddr_vm *other);
29int vsock_addr_cast(const struct sockaddr *addr, size_t len, 27int vsock_addr_cast(const struct sockaddr *addr, size_t len,
30 struct sockaddr_vm **out_addr); 28 struct sockaddr_vm **out_addr);
31 29
diff --git a/net/wireless/core.c b/net/wireless/core.c
index ea4155fe9733..6ddf74f0ae1e 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -212,6 +212,39 @@ static void cfg80211_rfkill_poll(struct rfkill *rfkill, void *data)
212 rdev_rfkill_poll(rdev); 212 rdev_rfkill_poll(rdev);
213} 213}
214 214
215void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,
216 struct wireless_dev *wdev)
217{
218 lockdep_assert_held(&rdev->devlist_mtx);
219 lockdep_assert_held(&rdev->sched_scan_mtx);
220
221 if (WARN_ON(wdev->iftype != NL80211_IFTYPE_P2P_DEVICE))
222 return;
223
224 if (!wdev->p2p_started)
225 return;
226
227 rdev_stop_p2p_device(rdev, wdev);
228 wdev->p2p_started = false;
229
230 rdev->opencount--;
231
232 if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
233 bool busy = work_busy(&rdev->scan_done_wk);
234
235 /*
236 * If the work isn't pending or running (in which case it would
237 * be waiting for the lock we hold) the driver didn't properly
238 * cancel the scan when the interface was removed. In this case
239 * warn and leak the scan request object to not crash later.
240 */
241 WARN_ON(!busy);
242
243 rdev->scan_req->aborted = true;
244 ___cfg80211_scan_done(rdev, !busy);
245 }
246}
247
215static int cfg80211_rfkill_set_block(void *data, bool blocked) 248static int cfg80211_rfkill_set_block(void *data, bool blocked)
216{ 249{
217 struct cfg80211_registered_device *rdev = data; 250 struct cfg80211_registered_device *rdev = data;
@@ -221,7 +254,8 @@ static int cfg80211_rfkill_set_block(void *data, bool blocked)
221 return 0; 254 return 0;
222 255
223 rtnl_lock(); 256 rtnl_lock();
224 mutex_lock(&rdev->devlist_mtx); 257
258 /* read-only iteration need not hold the devlist_mtx */
225 259
226 list_for_each_entry(wdev, &rdev->wdev_list, list) { 260 list_for_each_entry(wdev, &rdev->wdev_list, list) {
227 if (wdev->netdev) { 261 if (wdev->netdev) {
@@ -231,18 +265,18 @@ static int cfg80211_rfkill_set_block(void *data, bool blocked)
231 /* otherwise, check iftype */ 265 /* otherwise, check iftype */
232 switch (wdev->iftype) { 266 switch (wdev->iftype) {
233 case NL80211_IFTYPE_P2P_DEVICE: 267 case NL80211_IFTYPE_P2P_DEVICE:
234 if (!wdev->p2p_started) 268 /* but this requires it */
235 break; 269 mutex_lock(&rdev->devlist_mtx);
236 rdev_stop_p2p_device(rdev, wdev); 270 mutex_lock(&rdev->sched_scan_mtx);
237 wdev->p2p_started = false; 271 cfg80211_stop_p2p_device(rdev, wdev);
238 rdev->opencount--; 272 mutex_unlock(&rdev->sched_scan_mtx);
273 mutex_unlock(&rdev->devlist_mtx);
239 break; 274 break;
240 default: 275 default:
241 break; 276 break;
242 } 277 }
243 } 278 }
244 279
245 mutex_unlock(&rdev->devlist_mtx);
246 rtnl_unlock(); 280 rtnl_unlock();
247 281
248 return 0; 282 return 0;
@@ -745,17 +779,13 @@ static void wdev_cleanup_work(struct work_struct *work)
745 wdev = container_of(work, struct wireless_dev, cleanup_work); 779 wdev = container_of(work, struct wireless_dev, cleanup_work);
746 rdev = wiphy_to_dev(wdev->wiphy); 780 rdev = wiphy_to_dev(wdev->wiphy);
747 781
748 cfg80211_lock_rdev(rdev); 782 mutex_lock(&rdev->sched_scan_mtx);
749 783
750 if (WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev)) { 784 if (WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev)) {
751 rdev->scan_req->aborted = true; 785 rdev->scan_req->aborted = true;
752 ___cfg80211_scan_done(rdev, true); 786 ___cfg80211_scan_done(rdev, true);
753 } 787 }
754 788
755 cfg80211_unlock_rdev(rdev);
756
757 mutex_lock(&rdev->sched_scan_mtx);
758
759 if (WARN_ON(rdev->sched_scan_req && 789 if (WARN_ON(rdev->sched_scan_req &&
760 rdev->sched_scan_req->dev == wdev->netdev)) { 790 rdev->sched_scan_req->dev == wdev->netdev)) {
761 __cfg80211_stop_sched_scan(rdev, false); 791 __cfg80211_stop_sched_scan(rdev, false);
@@ -781,21 +811,19 @@ void cfg80211_unregister_wdev(struct wireless_dev *wdev)
781 return; 811 return;
782 812
783 mutex_lock(&rdev->devlist_mtx); 813 mutex_lock(&rdev->devlist_mtx);
814 mutex_lock(&rdev->sched_scan_mtx);
784 list_del_rcu(&wdev->list); 815 list_del_rcu(&wdev->list);
785 rdev->devlist_generation++; 816 rdev->devlist_generation++;
786 817
787 switch (wdev->iftype) { 818 switch (wdev->iftype) {
788 case NL80211_IFTYPE_P2P_DEVICE: 819 case NL80211_IFTYPE_P2P_DEVICE:
789 if (!wdev->p2p_started) 820 cfg80211_stop_p2p_device(rdev, wdev);
790 break;
791 rdev_stop_p2p_device(rdev, wdev);
792 wdev->p2p_started = false;
793 rdev->opencount--;
794 break; 821 break;
795 default: 822 default:
796 WARN_ON_ONCE(1); 823 WARN_ON_ONCE(1);
797 break; 824 break;
798 } 825 }
826 mutex_unlock(&rdev->sched_scan_mtx);
799 mutex_unlock(&rdev->devlist_mtx); 827 mutex_unlock(&rdev->devlist_mtx);
800} 828}
801EXPORT_SYMBOL(cfg80211_unregister_wdev); 829EXPORT_SYMBOL(cfg80211_unregister_wdev);
@@ -936,6 +964,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
936 cfg80211_update_iface_num(rdev, wdev->iftype, 1); 964 cfg80211_update_iface_num(rdev, wdev->iftype, 1);
937 cfg80211_lock_rdev(rdev); 965 cfg80211_lock_rdev(rdev);
938 mutex_lock(&rdev->devlist_mtx); 966 mutex_lock(&rdev->devlist_mtx);
967 mutex_lock(&rdev->sched_scan_mtx);
939 wdev_lock(wdev); 968 wdev_lock(wdev);
940 switch (wdev->iftype) { 969 switch (wdev->iftype) {
941#ifdef CONFIG_CFG80211_WEXT 970#ifdef CONFIG_CFG80211_WEXT
@@ -967,6 +996,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
967 break; 996 break;
968 } 997 }
969 wdev_unlock(wdev); 998 wdev_unlock(wdev);
999 mutex_unlock(&rdev->sched_scan_mtx);
970 rdev->opencount++; 1000 rdev->opencount++;
971 mutex_unlock(&rdev->devlist_mtx); 1001 mutex_unlock(&rdev->devlist_mtx);
972 cfg80211_unlock_rdev(rdev); 1002 cfg80211_unlock_rdev(rdev);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 3aec0e429d8a..5845c2b37aa8 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -503,6 +503,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
503void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, 503void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev,
504 enum nl80211_iftype iftype, int num); 504 enum nl80211_iftype iftype, int num);
505 505
506void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,
507 struct wireless_dev *wdev);
508
506#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 509#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10
507 510
508#ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS 511#ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d44ab216c0ec..58e13a8c95f9 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4702,14 +4702,19 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4702 if (!rdev->ops->scan) 4702 if (!rdev->ops->scan)
4703 return -EOPNOTSUPP; 4703 return -EOPNOTSUPP;
4704 4704
4705 if (rdev->scan_req) 4705 mutex_lock(&rdev->sched_scan_mtx);
4706 return -EBUSY; 4706 if (rdev->scan_req) {
4707 err = -EBUSY;
4708 goto unlock;
4709 }
4707 4710
4708 if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) { 4711 if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
4709 n_channels = validate_scan_freqs( 4712 n_channels = validate_scan_freqs(
4710 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]); 4713 info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
4711 if (!n_channels) 4714 if (!n_channels) {
4712 return -EINVAL; 4715 err = -EINVAL;
4716 goto unlock;
4717 }
4713 } else { 4718 } else {
4714 enum ieee80211_band band; 4719 enum ieee80211_band band;
4715 n_channels = 0; 4720 n_channels = 0;
@@ -4723,23 +4728,29 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4723 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) 4728 nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
4724 n_ssids++; 4729 n_ssids++;
4725 4730
4726 if (n_ssids > wiphy->max_scan_ssids) 4731 if (n_ssids > wiphy->max_scan_ssids) {
4727 return -EINVAL; 4732 err = -EINVAL;
4733 goto unlock;
4734 }
4728 4735
4729 if (info->attrs[NL80211_ATTR_IE]) 4736 if (info->attrs[NL80211_ATTR_IE])
4730 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]); 4737 ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
4731 else 4738 else
4732 ie_len = 0; 4739 ie_len = 0;
4733 4740
4734 if (ie_len > wiphy->max_scan_ie_len) 4741 if (ie_len > wiphy->max_scan_ie_len) {
4735 return -EINVAL; 4742 err = -EINVAL;
4743 goto unlock;
4744 }
4736 4745
4737 request = kzalloc(sizeof(*request) 4746 request = kzalloc(sizeof(*request)
4738 + sizeof(*request->ssids) * n_ssids 4747 + sizeof(*request->ssids) * n_ssids
4739 + sizeof(*request->channels) * n_channels 4748 + sizeof(*request->channels) * n_channels
4740 + ie_len, GFP_KERNEL); 4749 + ie_len, GFP_KERNEL);
4741 if (!request) 4750 if (!request) {
4742 return -ENOMEM; 4751 err = -ENOMEM;
4752 goto unlock;
4753 }
4743 4754
4744 if (n_ssids) 4755 if (n_ssids)
4745 request->ssids = (void *)&request->channels[n_channels]; 4756 request->ssids = (void *)&request->channels[n_channels];
@@ -4876,6 +4887,8 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
4876 kfree(request); 4887 kfree(request);
4877 } 4888 }
4878 4889
4890 unlock:
4891 mutex_unlock(&rdev->sched_scan_mtx);
4879 return err; 4892 return err;
4880} 4893}
4881 4894
@@ -7749,20 +7762,9 @@ static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
7749 if (!rdev->ops->stop_p2p_device) 7762 if (!rdev->ops->stop_p2p_device)
7750 return -EOPNOTSUPP; 7763 return -EOPNOTSUPP;
7751 7764
7752 if (!wdev->p2p_started) 7765 mutex_lock(&rdev->sched_scan_mtx);
7753 return 0; 7766 cfg80211_stop_p2p_device(rdev, wdev);
7754 7767 mutex_unlock(&rdev->sched_scan_mtx);
7755 rdev_stop_p2p_device(rdev, wdev);
7756 wdev->p2p_started = false;
7757
7758 mutex_lock(&rdev->devlist_mtx);
7759 rdev->opencount--;
7760 mutex_unlock(&rdev->devlist_mtx);
7761
7762 if (WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev)) {
7763 rdev->scan_req->aborted = true;
7764 ___cfg80211_scan_done(rdev, true);
7765 }
7766 7768
7767 return 0; 7769 return 0;
7768} 7770}
@@ -8486,7 +8488,7 @@ static int nl80211_add_scan_req(struct sk_buff *msg,
8486 struct nlattr *nest; 8488 struct nlattr *nest;
8487 int i; 8489 int i;
8488 8490
8489 ASSERT_RDEV_LOCK(rdev); 8491 lockdep_assert_held(&rdev->sched_scan_mtx);
8490 8492
8491 if (WARN_ON(!req)) 8493 if (WARN_ON(!req))
8492 return 0; 8494 return 0;
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 674aadca0079..fd99ea495b7e 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -169,7 +169,7 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak)
169 union iwreq_data wrqu; 169 union iwreq_data wrqu;
170#endif 170#endif
171 171
172 ASSERT_RDEV_LOCK(rdev); 172 lockdep_assert_held(&rdev->sched_scan_mtx);
173 173
174 request = rdev->scan_req; 174 request = rdev->scan_req;
175 175
@@ -230,9 +230,9 @@ void __cfg80211_scan_done(struct work_struct *wk)
230 rdev = container_of(wk, struct cfg80211_registered_device, 230 rdev = container_of(wk, struct cfg80211_registered_device,
231 scan_done_wk); 231 scan_done_wk);
232 232
233 cfg80211_lock_rdev(rdev); 233 mutex_lock(&rdev->sched_scan_mtx);
234 ___cfg80211_scan_done(rdev, false); 234 ___cfg80211_scan_done(rdev, false);
235 cfg80211_unlock_rdev(rdev); 235 mutex_unlock(&rdev->sched_scan_mtx);
236} 236}
237 237
238void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted) 238void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
@@ -698,11 +698,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
698 found = rb_find_bss(dev, tmp, BSS_CMP_REGULAR); 698 found = rb_find_bss(dev, tmp, BSS_CMP_REGULAR);
699 699
700 if (found) { 700 if (found) {
701 found->pub.beacon_interval = tmp->pub.beacon_interval;
702 found->pub.signal = tmp->pub.signal;
703 found->pub.capability = tmp->pub.capability;
704 found->ts = tmp->ts;
705
706 /* Update IEs */ 701 /* Update IEs */
707 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 702 if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
708 const struct cfg80211_bss_ies *old; 703 const struct cfg80211_bss_ies *old;
@@ -723,6 +718,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
723 718
724 if (found->pub.hidden_beacon_bss && 719 if (found->pub.hidden_beacon_bss &&
725 !list_empty(&found->hidden_list)) { 720 !list_empty(&found->hidden_list)) {
721 const struct cfg80211_bss_ies *f;
722
726 /* 723 /*
727 * The found BSS struct is one of the probe 724 * The found BSS struct is one of the probe
728 * response members of a group, but we're 725 * response members of a group, but we're
@@ -732,6 +729,10 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
732 * SSID to showing it, which is confusing so 729 * SSID to showing it, which is confusing so
733 * drop this information. 730 * drop this information.
734 */ 731 */
732
733 f = rcu_access_pointer(tmp->pub.beacon_ies);
734 kfree_rcu((struct cfg80211_bss_ies *)f,
735 rcu_head);
735 goto drop; 736 goto drop;
736 } 737 }
737 738
@@ -761,6 +762,11 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
761 kfree_rcu((struct cfg80211_bss_ies *)old, 762 kfree_rcu((struct cfg80211_bss_ies *)old,
762 rcu_head); 763 rcu_head);
763 } 764 }
765
766 found->pub.beacon_interval = tmp->pub.beacon_interval;
767 found->pub.signal = tmp->pub.signal;
768 found->pub.capability = tmp->pub.capability;
769 found->ts = tmp->ts;
764 } else { 770 } else {
765 struct cfg80211_internal_bss *new; 771 struct cfg80211_internal_bss *new;
766 struct cfg80211_internal_bss *hidden; 772 struct cfg80211_internal_bss *hidden;
@@ -1056,6 +1062,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
1056 if (IS_ERR(rdev)) 1062 if (IS_ERR(rdev))
1057 return PTR_ERR(rdev); 1063 return PTR_ERR(rdev);
1058 1064
1065 mutex_lock(&rdev->sched_scan_mtx);
1059 if (rdev->scan_req) { 1066 if (rdev->scan_req) {
1060 err = -EBUSY; 1067 err = -EBUSY;
1061 goto out; 1068 goto out;
@@ -1162,6 +1169,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
1162 dev_hold(dev); 1169 dev_hold(dev);
1163 } 1170 }
1164 out: 1171 out:
1172 mutex_unlock(&rdev->sched_scan_mtx);
1165 kfree(creq); 1173 kfree(creq);
1166 cfg80211_unlock_rdev(rdev); 1174 cfg80211_unlock_rdev(rdev);
1167 return err; 1175 return err;
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index f432bd3755b1..482c70e70127 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -85,6 +85,7 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
85 ASSERT_RTNL(); 85 ASSERT_RTNL();
86 ASSERT_RDEV_LOCK(rdev); 86 ASSERT_RDEV_LOCK(rdev);
87 ASSERT_WDEV_LOCK(wdev); 87 ASSERT_WDEV_LOCK(wdev);
88 lockdep_assert_held(&rdev->sched_scan_mtx);
88 89
89 if (rdev->scan_req) 90 if (rdev->scan_req)
90 return -EBUSY; 91 return -EBUSY;
@@ -223,6 +224,7 @@ void cfg80211_conn_work(struct work_struct *work)
223 rtnl_lock(); 224 rtnl_lock();
224 cfg80211_lock_rdev(rdev); 225 cfg80211_lock_rdev(rdev);
225 mutex_lock(&rdev->devlist_mtx); 226 mutex_lock(&rdev->devlist_mtx);
227 mutex_lock(&rdev->sched_scan_mtx);
226 228
227 list_for_each_entry(wdev, &rdev->wdev_list, list) { 229 list_for_each_entry(wdev, &rdev->wdev_list, list) {
228 wdev_lock(wdev); 230 wdev_lock(wdev);
@@ -247,6 +249,7 @@ void cfg80211_conn_work(struct work_struct *work)
247 wdev_unlock(wdev); 249 wdev_unlock(wdev);
248 } 250 }
249 251
252 mutex_unlock(&rdev->sched_scan_mtx);
250 mutex_unlock(&rdev->devlist_mtx); 253 mutex_unlock(&rdev->devlist_mtx);
251 cfg80211_unlock_rdev(rdev); 254 cfg80211_unlock_rdev(rdev);
252 rtnl_unlock(); 255 rtnl_unlock();
@@ -320,11 +323,9 @@ void cfg80211_sme_scan_done(struct net_device *dev)
320{ 323{
321 struct wireless_dev *wdev = dev->ieee80211_ptr; 324 struct wireless_dev *wdev = dev->ieee80211_ptr;
322 325
323 mutex_lock(&wiphy_to_dev(wdev->wiphy)->devlist_mtx);
324 wdev_lock(wdev); 326 wdev_lock(wdev);
325 __cfg80211_sme_scan_done(dev); 327 __cfg80211_sme_scan_done(dev);
326 wdev_unlock(wdev); 328 wdev_unlock(wdev);
327 mutex_unlock(&wiphy_to_dev(wdev->wiphy)->devlist_mtx);
328} 329}
329 330
330void cfg80211_sme_rx_auth(struct net_device *dev, 331void cfg80211_sme_rx_auth(struct net_device *dev,
@@ -924,9 +925,12 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
924 int err; 925 int err;
925 926
926 mutex_lock(&rdev->devlist_mtx); 927 mutex_lock(&rdev->devlist_mtx);
928 /* might request scan - scan_mtx -> wdev_mtx dependency */
929 mutex_lock(&rdev->sched_scan_mtx);
927 wdev_lock(dev->ieee80211_ptr); 930 wdev_lock(dev->ieee80211_ptr);
928 err = __cfg80211_connect(rdev, dev, connect, connkeys, NULL); 931 err = __cfg80211_connect(rdev, dev, connect, connkeys, NULL);
929 wdev_unlock(dev->ieee80211_ptr); 932 wdev_unlock(dev->ieee80211_ptr);
933 mutex_unlock(&rdev->sched_scan_mtx);
930 mutex_unlock(&rdev->devlist_mtx); 934 mutex_unlock(&rdev->devlist_mtx);
931 935
932 return err; 936 return err;
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index b7a531380e19..7586de77a2f8 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -27,7 +27,8 @@
27#define WIPHY_PR_ARG __entry->wiphy_name 27#define WIPHY_PR_ARG __entry->wiphy_name
28 28
29#define WDEV_ENTRY __field(u32, id) 29#define WDEV_ENTRY __field(u32, id)
30#define WDEV_ASSIGN (__entry->id) = (wdev ? wdev->identifier : 0) 30#define WDEV_ASSIGN (__entry->id) = (!IS_ERR_OR_NULL(wdev) \
31 ? wdev->identifier : 0)
31#define WDEV_PR_FMT "wdev(%u)" 32#define WDEV_PR_FMT "wdev(%u)"
32#define WDEV_PR_ARG (__entry->id) 33#define WDEV_PR_ARG (__entry->id)
33 34
@@ -1778,7 +1779,7 @@ TRACE_EVENT(rdev_set_mac_acl,
1778 ), 1779 ),
1779 TP_fast_assign( 1780 TP_fast_assign(
1780 WIPHY_ASSIGN; 1781 WIPHY_ASSIGN;
1781 WIPHY_ASSIGN; 1782 NETDEV_ASSIGN;
1782 __entry->acl_policy = params->acl_policy; 1783 __entry->acl_policy = params->acl_policy;
1783 ), 1784 ),
1784 TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", acl policy: %d", 1785 TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", acl policy: %d",
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index fb9622f6d99c..e79cb5c0655a 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -89,6 +89,7 @@ int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
89 89
90 cfg80211_lock_rdev(rdev); 90 cfg80211_lock_rdev(rdev);
91 mutex_lock(&rdev->devlist_mtx); 91 mutex_lock(&rdev->devlist_mtx);
92 mutex_lock(&rdev->sched_scan_mtx);
92 wdev_lock(wdev); 93 wdev_lock(wdev);
93 94
94 if (wdev->sme_state != CFG80211_SME_IDLE) { 95 if (wdev->sme_state != CFG80211_SME_IDLE) {
@@ -135,6 +136,7 @@ int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
135 err = cfg80211_mgd_wext_connect(rdev, wdev); 136 err = cfg80211_mgd_wext_connect(rdev, wdev);
136 out: 137 out:
137 wdev_unlock(wdev); 138 wdev_unlock(wdev);
139 mutex_unlock(&rdev->sched_scan_mtx);
138 mutex_unlock(&rdev->devlist_mtx); 140 mutex_unlock(&rdev->devlist_mtx);
139 cfg80211_unlock_rdev(rdev); 141 cfg80211_unlock_rdev(rdev);
140 return err; 142 return err;
@@ -190,6 +192,7 @@ int cfg80211_mgd_wext_siwessid(struct net_device *dev,
190 192
191 cfg80211_lock_rdev(rdev); 193 cfg80211_lock_rdev(rdev);
192 mutex_lock(&rdev->devlist_mtx); 194 mutex_lock(&rdev->devlist_mtx);
195 mutex_lock(&rdev->sched_scan_mtx);
193 wdev_lock(wdev); 196 wdev_lock(wdev);
194 197
195 err = 0; 198 err = 0;
@@ -223,6 +226,7 @@ int cfg80211_mgd_wext_siwessid(struct net_device *dev,
223 err = cfg80211_mgd_wext_connect(rdev, wdev); 226 err = cfg80211_mgd_wext_connect(rdev, wdev);
224 out: 227 out:
225 wdev_unlock(wdev); 228 wdev_unlock(wdev);
229 mutex_unlock(&rdev->sched_scan_mtx);
226 mutex_unlock(&rdev->devlist_mtx); 230 mutex_unlock(&rdev->devlist_mtx);
227 cfg80211_unlock_rdev(rdev); 231 cfg80211_unlock_rdev(rdev);
228 return err; 232 return err;
@@ -285,6 +289,7 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
285 289
286 cfg80211_lock_rdev(rdev); 290 cfg80211_lock_rdev(rdev);
287 mutex_lock(&rdev->devlist_mtx); 291 mutex_lock(&rdev->devlist_mtx);
292 mutex_lock(&rdev->sched_scan_mtx);
288 wdev_lock(wdev); 293 wdev_lock(wdev);
289 294
290 if (wdev->sme_state != CFG80211_SME_IDLE) { 295 if (wdev->sme_state != CFG80211_SME_IDLE) {
@@ -313,6 +318,7 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
313 err = cfg80211_mgd_wext_connect(rdev, wdev); 318 err = cfg80211_mgd_wext_connect(rdev, wdev);
314 out: 319 out:
315 wdev_unlock(wdev); 320 wdev_unlock(wdev);
321 mutex_unlock(&rdev->sched_scan_mtx);
316 mutex_unlock(&rdev->devlist_mtx); 322 mutex_unlock(&rdev->devlist_mtx);
317 cfg80211_unlock_rdev(rdev); 323 cfg80211_unlock_rdev(rdev);
318 return err; 324 return err;
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 35754cc8a9e5..8dafe6d3c6e4 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -334,6 +334,70 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
334 x->xflags &= ~XFRM_TIME_DEFER; 334 x->xflags &= ~XFRM_TIME_DEFER;
335} 335}
336 336
337static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
338{
339 u32 seq_diff, oseq_diff;
340 struct km_event c;
341 struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
342 struct xfrm_replay_state_esn *preplay_esn = x->preplay_esn;
343
344 /* we send notify messages in case
345 * 1. we updated on of the sequence numbers, and the seqno difference
346 * is at least x->replay_maxdiff, in this case we also update the
347 * timeout of our timer function
348 * 2. if x->replay_maxage has elapsed since last update,
349 * and there were changes
350 *
351 * The state structure must be locked!
352 */
353
354 switch (event) {
355 case XFRM_REPLAY_UPDATE:
356 if (!x->replay_maxdiff)
357 break;
358
359 if (replay_esn->seq_hi == preplay_esn->seq_hi)
360 seq_diff = replay_esn->seq - preplay_esn->seq;
361 else
362 seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
363
364 if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
365 oseq_diff = replay_esn->oseq - preplay_esn->oseq;
366 else
367 oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
368
369 if (seq_diff < x->replay_maxdiff &&
370 oseq_diff < x->replay_maxdiff) {
371
372 if (x->xflags & XFRM_TIME_DEFER)
373 event = XFRM_REPLAY_TIMEOUT;
374 else
375 return;
376 }
377
378 break;
379
380 case XFRM_REPLAY_TIMEOUT:
381 if (memcmp(x->replay_esn, x->preplay_esn,
382 xfrm_replay_state_esn_len(replay_esn)) == 0) {
383 x->xflags |= XFRM_TIME_DEFER;
384 return;
385 }
386
387 break;
388 }
389
390 memcpy(x->preplay_esn, x->replay_esn,
391 xfrm_replay_state_esn_len(replay_esn));
392 c.event = XFRM_MSG_NEWAE;
393 c.data.aevent = event;
394 km_state_notify(x, &c);
395
396 if (x->replay_maxage &&
397 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
398 x->xflags &= ~XFRM_TIME_DEFER;
399}
400
337static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb) 401static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb)
338{ 402{
339 int err = 0; 403 int err = 0;
@@ -510,7 +574,7 @@ static struct xfrm_replay xfrm_replay_esn = {
510 .advance = xfrm_replay_advance_esn, 574 .advance = xfrm_replay_advance_esn,
511 .check = xfrm_replay_check_esn, 575 .check = xfrm_replay_check_esn,
512 .recheck = xfrm_replay_recheck_esn, 576 .recheck = xfrm_replay_recheck_esn,
513 .notify = xfrm_replay_notify_bmp, 577 .notify = xfrm_replay_notify_esn,
514 .overflow = xfrm_replay_overflow_esn, 578 .overflow = xfrm_replay_overflow_esn,
515}; 579};
516 580
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-13 23:58:46 -0500