authorLinus Torvalds <torvalds@linux-foundation.org>2013-06-12 20:18:29 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2013-06-12 20:18:29 -0400
commit26e04462c8b78d079d3231396ec72d58a14f114b (patch)
treec1f47f78eef6d4eccef0195c72107f3dc2d6744b /net
parent645a992934c8007fa17ac2e512ce73c100ed1614 (diff)
parent090adb893137ff3c672a644413edc174b0a75706 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking update from David Miller: 1) Fix dump iterator in nfnl_acct_dump() and ctnl_timeout_dump() to dump all objects properly, from Pablo Neira Ayuso. 2) xt_TCPMSS must use the default MSS of 536 when no MSS TCP option is present. Fix from Phil Oester. 3) qdisc_get_rtab() looks for an existing matching rate table and uses that instead of creating a new one. However, its key matching is incomplete, it fails to check to make sure the ->data[] array is identical too. Fix from Eric Dumazet. 4) ip_vs_dest_entry isn't fully initialized before copying back to userspace, fix from Dan Carpenter. 5) Fix ubuf reference counting regression in vhost_net, from Jason Wang. 6) When sock_diag dumps a socket filter back to userspace, we have to translate it out of the kernel's internal representation first. From Nicolas Dichtel. 7) davinci_mdio holds a spinlock while calling pm_runtime, which sleeps. Fix from Sebastian Siewior. 8) Timeout check in sh_eth_check_reset is off by one, from Sergei Shtylyov. 9) If sctp socket init fails, we can NULL deref during cleanup. Fix from Daniel Borkmann. 10) netlink_mmap() does not propagate errors properly, from Patrick McHardy. 11) Disable powersave and use minstrel by default in ath9k. From Sujith Manoharan. 12) Fix a regression in that SOCK_ZEROCOPY is not set on tuntap sockets which prevents vhost from being able to use zerocopy. From Jason Wang. 13) Fix race between port lookup and TX path in team driver, from Jiri Pirko. 14) Missing length checks in bluetooth L2CAP packet parsing, from Johan Hedberg. 15) rtlwifi fails to connect to networks using any encryption method other than WPA2. Fix from Larry Finger. 16) Fix iwlegacy build due to incorrect CONFIG_* ifdeffing for power management stuff. From Yijing Wang.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits) b43: stop format string leaking into error msgs ath9k: Use minstrel rate control by default Revert "ath9k_hw: Update rx gain initval to improve rx sensitivity" ath9k: Disable PowerSave by default net: wireless: iwlegacy: fix build error for il_pm_ops rtlwifi: Fix a false leak indication for PCI devices wl12xx/wl18xx: scan all 5ghz channels wl12xx: increase minimum singlerole firmware version required wl12xx: fix minimum required firmware version for wl127x multirole rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks mwifiex: debugfs: Fix out of bounds array access Bluetooth: Fix mgmt handling of power on failures Bluetooth: Fix missing length checks for L2CAP signalling PDUs Bluetooth: btmrvl: support Marvell Bluetooth device SD8897 Bluetooth: Fix checks for LE support on LE-only controllers team: fix checks in team_get_first_port_txable_rcu() team: move add to port list before port enablement team: check return value of team_get_port_by_index_rcu() for NULL tuntap: set SOCK_ZEROCOPY flag during open netlink: fix error propagation in netlink_mmap() ...
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_core.c6
-rw-r--r--net/bluetooth/l2cap_core.c70
-rw-r--r--net/bluetooth/mgmt.c23
-rw-r--r--net/bluetooth/smp.c4
-rw-r--r--net/core/filter.c2
-rw-r--r--net/core/sock_diag.c9
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c1
-rw-r--r--net/netfilter/nfnetlink_acct.c7
-rw-r--r--net/netfilter/nfnetlink_cttimeout.c7
-rw-r--r--net/netfilter/nfnetlink_queue_core.c6
-rw-r--r--net/netfilter/xt_TCPMSS.c6
-rw-r--r--net/netlink/af_netlink.c2
-rw-r--r--net/sched/sch_api.c11
-rw-r--r--net/sctp/socket.c6
14 files changed, 122 insertions, 38 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 33843c5c4939..d817c932d634 100644
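--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1555,11 +1555,15 @@ static const struct rfkill_ops hci_rfkill_ops = {
 static void hci_power_on(struct work_struct *work)
 {
  struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
+ int err;
 
  BT_DBG("%s", hdev->name);
 
- if (hci_dev_open(hdev->id) < 0)
+ err = hci_dev_open(hdev->id);
+ if (err < 0) {
+ mgmt_set_powered_failed(hdev, err);
  return;
+ }
 
  if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
  queue_delayed_work(hdev->req_workqueue, &hdev->power_off,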
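Review bot: The new error path in hci_power_on() calls mgmt_set_powered_failed() with no hdev lock taken in the visible lines, while that helper (added to net/bluetooth/mgmt.c by the same commit) looks up and removes an entry from the pending-command list via mgmt_pending_find() and mgmt_pending_remove(). If that list is meant to be serialized by the hdev lock, which this page does not show, the work item can race with the mgmt socket path; the call would then be wrapped as `hci_dev_lock(hdev); mgmt_set_powered_failed(hdev, err); hci_dev_unlock(hdev);`. The function body continues past the end of the hunk.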
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a76d1ac0321b..24bee07ee4ce 100644
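--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3677,10 +3677,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 }
 
 static inline int l2cap_command_rej(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
 
+ if (cmd_len < sizeof(*rej))
+ return -EPROTO;
+
  if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
  return 0;
 
@@ -3829,11 +3833,14 @@ sendresp:
 }
 
 static int l2cap_connect_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
  struct hci_dev *hdev = conn->hcon->hdev;
  struct hci_conn *hcon = conn->hcon;
 
+ if (cmd_len < sizeof(struct l2cap_conn_req))
+ return -EPROTO;
+
  hci_dev_lock(hdev);
  if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
  !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
@@ -3847,7 +3854,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
 }
 
 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
  u16 scid, dcid, result, status;
@@ -3855,6 +3863,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
  u8 req[128];
  int err;
 
+ if (cmd_len < sizeof(*rsp))
+ return -EPROTO;
+
  scid = __le16_to_cpu(rsp->scid);
  dcid = __le16_to_cpu(rsp->dcid);
  result = __le16_to_cpu(rsp->result);
@@ -3952,6 +3963,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
  struct l2cap_chan *chan;
  int len, err = 0;
 
+ if (cmd_len < sizeof(*req))
+ return -EPROTO;
+
  dcid = __le16_to_cpu(req->dcid);
  flags = __le16_to_cpu(req->flags);
 
@@ -3975,7 +3989,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
 
  /* Reject if config buffer is too small. */
  len = cmd_len - sizeof(*req);
- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
+ if (chan->conf_len + len > sizeof(chan->conf_req)) {
  l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
  l2cap_build_conf_rsp(chan, rsp,
  L2CAP_CONF_REJECT, flags), rsp);
@@ -4053,14 +4067,18 @@ unlock:
 }
 
 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
  u16 scid, flags, result;
  struct l2cap_chan *chan;
- int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
+ int len = cmd_len - sizeof(*rsp);
  int err = 0;
 
+ if (cmd_len < sizeof(*rsp))
+ return -EPROTO;
+
  scid = __le16_to_cpu(rsp->scid);
  flags = __le16_to_cpu(rsp->flags);
  result = __le16_to_cpu(rsp->result);
@@ -4161,7 +4179,8 @@ done:
 }
 
 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
  struct l2cap_disconn_rsp rsp;
@@ -4169,6 +4188,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
  struct l2cap_chan *chan;
  struct sock *sk;
 
+ if (cmd_len != sizeof(*req))
+ return -EPROTO;
+
  scid = __le16_to_cpu(req->scid);
  dcid = __le16_to_cpu(req->dcid);
 
@@ -4208,12 +4230,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
  u16 dcid, scid;
  struct l2cap_chan *chan;
 
+ if (cmd_len != sizeof(*rsp))
+ return -EPROTO;
+
  scid = __le16_to_cpu(rsp->scid);
  dcid = __le16_to_cpu(rsp->dcid);
 
@@ -4243,11 +4269,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_information_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_info_req *req = (struct l2cap_info_req *) data;
  u16 type;
 
+ if (cmd_len != sizeof(*req))
+ return -EPROTO;
+
  type = __le16_to_cpu(req->type);
 
  BT_DBG("type 0x%4.4x", type);
@@ -4294,11 +4324,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
 {
  struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
  u16 type, result;
 
+ if (cmd_len != sizeof(*rsp))
+ return -EPROTO;
+
  type = __le16_to_cpu(rsp->type);
  result = __le16_to_cpu(rsp->result);
 
@@ -5164,16 +5198,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
 
  switch (cmd->code) {
  case L2CAP_COMMAND_REJ:
- l2cap_command_rej(conn, cmd, data);
+ l2cap_command_rej(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_CONN_REQ:
- err = l2cap_connect_req(conn, cmd, data);
+ err = l2cap_connect_req(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_CONN_RSP:
  case L2CAP_CREATE_CHAN_RSP:
- err = l2cap_connect_create_rsp(conn, cmd, data);
+ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_CONF_REQ:
@@ -5181,15 +5215,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
  break;
 
  case L2CAP_CONF_RSP:
- err = l2cap_config_rsp(conn, cmd, data);
+ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_DISCONN_REQ:
- err = l2cap_disconnect_req(conn, cmd, data);
+ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_DISCONN_RSP:
- err = l2cap_disconnect_rsp(conn, cmd, data);
+ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_ECHO_REQ:
@@ -5200,11 +5234,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
  break;
 
  case L2CAP_INFO_REQ:
- err = l2cap_information_req(conn, cmd, data);
+ err = l2cap_information_req(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_INFO_RSP:
- err = l2cap_information_rsp(conn, cmd, data);
+ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
  break;
 
  case L2CAP_CREATE_CHAN_REQ: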
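Review bot: In l2cap_information_rsp() the new guard is `if (cmd_len != sizeof(*rsp))`, but an L2CAP Information Response carries a variable-length data field after the type and result, so an exact-size match would drop every response that actually returns a feature mask or fixed-channel map, assuming struct l2cap_info_rsp covers only the fixed part (its definition is not on this page). A lower bound is what the parser needs before it reads rsp->type and rsp->result: `if (cmd_len < sizeof(*rsp))`, with any later read of the trailing data checked against the remaining length. Separately, in l2cap_config_rsp() `int len = cmd_len - sizeof(*rsp);` is evaluated in the declaration, before the new length check; it is harmless because the function returns before len is used, but moving the assignment below the check avoids the wrapped unsigned intermediate. Also note that l2cap_bredr_sig_cmd() discards the return value of l2cap_command_rej(), so its new -EPROTO is never acted on.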
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 35fef22703e9..f8ecbc70293d 100644
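--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2700,7 +2700,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
  break;
 
  case DISCOV_TYPE_LE:
- if (!lmp_host_le_capable(hdev)) {
+ if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
  err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
  MGMT_STATUS_NOT_SUPPORTED);
  mgmt_pending_remove(cmd);
@@ -3418,6 +3418,27 @@ new_settings:
  return err;
 }
 
+int mgmt_set_powered_failed(struct hci_dev *hdev, int err)
+{
+ struct pending_cmd *cmd;
+ u8 status;
+
+ cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
+ if (!cmd)
+ return -ENOENT;
+
+ if (err == -ERFKILL)
+ status = MGMT_STATUS_RFKILLED;
+ else
+ status = MGMT_STATUS_FAILED;
+
+ err = cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
+
+ mgmt_pending_remove(cmd);
+
+ return err;
+}
+
 int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
 {
  struct cmd_lookup match = { NULL, hdev };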
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index b2296d3857a0..b5562abdd6e0 100644
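--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -770,7 +770,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 
  BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
 
- if (!lmp_host_le_capable(hcon->hdev))
+ if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
  return 1;
 
  if (sec_level == BT_SECURITY_LOW)
@@ -851,7 +851,7 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
  __u8 reason;
  int err = 0;
 
- if (!lmp_host_le_capable(conn->hcon->hdev)) {
+ if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
  err = -ENOTSUPP;
  reason = SMP_PAIRING_NOTSUPP;
  goto done;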
diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a178f9f8..6438f29ff266 100644
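--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -778,7 +778,7 @@ int sk_detach_filter(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(sk_detach_filter);
 
-static void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
+void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
 {
  static const u16 decodes[] = {
  [BPF_S_ALU_ADD_K] = BPF_ALU|BPF_ADD|BPF_K,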
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index d5bef0b0f639..a0e9cf6379de 100644
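--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -73,8 +73,13 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
  goto out;
  }
 
- if (filter)
- memcpy(nla_data(attr), filter->insns, len);
+ if (filter) {
+ struct sock_filter *fb = (struct sock_filter *)nla_data(attr);
+ int i;
+
+ for (i = 0; i < filter->len; i++, fb++)
+ sk_decode_filter(&filter->insns[i], fb);
+ }
 
 out:
  rcu_read_unlock();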
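Review bot: The new loop in sock_diag_put_filterinfo() is bounded by `filter->len`, whereas the removed memcpy() was bounded by `len`, the value the attribute payload behind nla_data(attr) appears to have been sized with. Both are computed outside the hunk, so it cannot be confirmed here that they come from the same read of the socket filter; if they can differ, the loop writes past the reserved attribute. Bounding the loop by the reserved size keeps the write tied to the buffer, e.g. `for (i = 0; i < len / sizeof(*fb); i++, fb++)`, or at least a comment stating why `len == filter->len * sizeof(struct sock_filter)` always holds at this point.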
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 5b142fb16480..9e6c2a075a4c 100644
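--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
  struct ip_vs_dest *dest;
  struct ip_vs_dest_entry entry;
 
+ memset(&entry, 0, sizeof(entry));
  list_for_each_entry(dest, &svc->destinations, n_list) {
  if (count >= get->num_dests)
  break;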
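Review bot: The added memset() in __ip_vs_get_dest_entries() carries no comment saying why it is there, and it is easy to delete later as redundant because the loop assigns entry's fields. Per the commit description the structure is copied back to userspace, so padding and any field the loop leaves unset would otherwise carry kernel stack bytes. A one-line comment above it would keep that reasoning with the code, e.g. `/* entry is copied to userspace: clear padding and unset fields */`. The copy itself is outside the hunk, so whether each iteration overwrites everything the previous one set should be confirmed there.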
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index dc3fd5d44464..c7b6d466a662 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -149,9 +149,12 @@ nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
149 149
150 rcu_read_lock(); 150 rcu_read_lock();
151 list_for_each_entry_rcu(cur, &nfnl_acct_list, head) { 151 list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
152 if (last && cur != last) 152 if (last) {
153 continue; 153 if (cur != last)
154 continue;
154 155
156 last = NULL;
157 }
155 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid, 158 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid,
156 cb->nlh->nlmsg_seq, 159 cb->nlh->nlmsg_seq,
157 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 160 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
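Review bot: The resume logic in nfnl_acct_dump() skips entries until `cur == last`, so if the object `last` refers to was unlinked between two dump calls, every entry is skipped and the dump ends silently incomplete; the same pattern is added to ctnl_timeout_dump() in net/netfilter/nfnetlink_cttimeout.c. Where `last` comes from and whether a reference is held on it is outside the hunk, so this is inferred from the list being walked under rcu_read_lock() only. If no reference is held, the comparison is against a possibly stale address, and a short comment would document the constraint, e.g. `/* last is a resume cookie: compare only, never dereference */`.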
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 701c88a20fea..65074dfb9383 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -220,9 +220,12 @@ ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
220 220
221 rcu_read_lock(); 221 rcu_read_lock();
222 list_for_each_entry_rcu(cur, &cttimeout_list, head) { 222 list_for_each_entry_rcu(cur, &cttimeout_list, head) {
223 if (last && cur != last) 223 if (last) {
224 continue; 224 if (cur != last)
225 continue;
225 226
227 last = NULL;
228 }
226 if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid, 229 if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
227 cb->nlh->nlmsg_seq, 230 cb->nlh->nlmsg_seq,
228 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 231 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 4e27fa035814..5352b2d2d5bf 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -637,9 +637,6 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
637 if (queue->copy_mode == NFQNL_COPY_NONE) 637 if (queue->copy_mode == NFQNL_COPY_NONE)
638 return -EINVAL; 638 return -EINVAL;
639 639
640 if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))
641 return __nfqnl_enqueue_packet(net, queue, entry);
642
643 skb = entry->skb; 640 skb = entry->skb;
644 641
645 switch (entry->pf) { 642 switch (entry->pf) {
@@ -651,6 +648,9 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
651 break; 648 break;
652 } 649 }
653 650
651 if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(skb))
652 return __nfqnl_enqueue_packet(net, queue, entry);
653
654 nf_bridge_adjust_skb_data(skb); 654 nf_bridge_adjust_skb_data(skb);
655 segs = skb_gso_segment(skb, 0); 655 segs = skb_gso_segment(skb, 0);
656 /* Does not use PTR_ERR to limit the number of error codes that can be 656 /* Does not use PTR_ERR to limit the number of error codes that can be
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f0d42b..afaebc766933 100644
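--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 
  skb_put(skb, TCPOLEN_MSS);
 
+ /* RFC 879 states that the default MSS is 536 without specific
+ * knowledge that the destination host is prepared to accept larger.
+ * Since no MSS was provided, we MUST NOT set a value > 536.
+ */
+ newmss = min(newmss, (u16)536);
+
  opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
  memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
 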
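Review bot: The clamp `newmss = min(newmss, (u16)536);` applies the IPv4 default from RFC 879 unconditionally; if tcpmss_mangle_packet() is also reached for IPv6 traffic (its callers are outside the hunk), the value is lower than necessary there, because the IPv6 minimum MTU of 1280 gives a default MSS of 1220. The clamp would then need to be keyed on the address family, with the comment naming both defaults. The literal 536 would also read better as a named constant than as a cast magic number.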
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d0b3dd60d386..57ee84d21470 100644
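--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -371,7 +371,7 @@ static int netlink_mmap(struct file *file, struct socket *sock,
  err = 0;
 out:
  mutex_unlock(&nlk->pg_vec_lock);
- return 0;
+ return err;
 }
 
 static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr)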
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 2b935e7cfe7b..281c1bded1f6 100644
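--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -291,17 +291,18 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
 {
  struct qdisc_rate_table *rtab;
 
+ if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
+ nla_len(tab) != TC_RTAB_SIZE)
+ return NULL;
+
  for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) {
- if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) {
+ if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) &&
+ !memcmp(&rtab->data, nla_data(tab), 1024)) {
  rtab->refcnt++;
  return rtab;
  }
  }
 
- if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
- nla_len(tab) != TC_RTAB_SIZE)
- return NULL;
-
  rtab = kmalloc(sizeof(*rtab), GFP_KERNEL);
  if (rtab) {
  rtab->rate = *r;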
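Review bot: The new table comparison in qdisc_get_rtab() uses the literal 1024, `!memcmp(&rtab->data, nla_data(tab), 1024)`, while the length check moved above the loop validates `nla_len(tab) != TC_RTAB_SIZE`; the read of nla_data(tab) is only in bounds if the two agree. Tying the compare to the validated size, `!memcmp(&rtab->data, nla_data(tab), TC_RTAB_SIZE)` or `sizeof(rtab->data)`, keeps the bound and the check from drifting apart. The declaration of rtab->data is not on this page, so its size should be confirmed against the constant.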
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f631c5ff4dbf..6abb1caf9836 100644
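--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4003,6 +4003,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
 
  /* Release our hold on the endpoint. */
  sp = sctp_sk(sk);
+ /* This could happen during socket init, thus we bail out
+ * early, since the rest of the below is not setup either.
+ */
+ if (sp->ep == NULL)
+ return;
+
  if (sp->do_auto_asconf) {
  sp->do_auto_asconf = 0;
  list_del(&sp->auto_asconf_list);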