Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits) inet_diag: Make sure we actually run the same bytecode we audited. netlink: Make nlmsg_find_attr take a const nlmsghdr*. fib: fib_result_assign() should not change fib refcounts netfilter: ip6_tables: fix information leak to userspace cls_cgroup: Fix crash on module unload memory corruption in X.25 facilities parsing net dst: fix percpu_counter list corruption and poison overwritten rds: Remove kfreed tcp conn from list rds: Lost locking in loop connection freeing de2104x: fix panic on load atl1 : fix panic on load netxen: remove unused firmware exports caif: Remove noisy printout when disconnecting caif socket caif: SPI-driver bugfix - incorrect padding. caif: Bugfix for socket priority, bindtodev and dbg channel. smsc911x: Set Ethernet EEPROM size to supported device's size ipv4: netfilter: ip_tables: fix information leak to userland ipv4: netfilter: arp_tables: fix information leak to userland cxgb4vf: remove call to stop TX queues at load time. cxgb4: remove call to stop TX queues at load time. ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2010-11-05 18:25:48 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2010-11-05 18:25:48 -0400
commit: 4b4a2700f462102569b407102c60d3b9cf4432a0 (patch)
tree: d326b404c99ca477d47aa0e06eb64f0b3e2d8347 /net
parent: f69fa76482e654f7d94e4aa40ea0ebf04363396a (diff)
parent: 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 (diff)
24 files changed, 120 insertions, 91 deletions
diff --git a/net/caif/caif_config_util.c b/net/caif/caif_config_util.c
index 76ae68303d3a..d522d8c1703e 100644
--- a/net/caif/caif_config_util.c
+++ b/net/caif/caif_config_util.c
@@ -16,11 +16,18 @@ int connect_req_to_link_param(struct cfcnfg *cnfg,
 {
        struct dev_info *dev_info;
        enum cfcnfg_phy_preference pref;
+        int res;
        memset(l, 0, sizeof(*l));
-        l->priority = s->priority;
+        /* In caif protocol low value is high priority */
+        l->priority = CAIF_PRIO_MAX - s->priority + 1;
-        if (s->link_name[0] != '\0')
+        if (s->ifindex != 0){
-                l->phyid = cfcnfg_get_named(cnfg, s->link_name);
+                res = cfcnfg_get_id_from_ifi(cnfg, s->ifindex);
+                if (res < 0)
+                        return res;
+                l->phyid = res;
+        }
        else {
                switch (s->link_selector) {
                case CAIF_LINK_HIGH_BANDW:
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index b99369a055d1..a42a408306e4 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -307,6 +307,8 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
        case NETDEV_UNREGISTER:
                caifd = caif_get(dev);
+                if (caifd == NULL)
+                        break;
                netdev_info(dev, "unregister\n");
                atomic_set(&caifd->state, what);
                caif_device_destroy(dev);
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 2eca2dd0000f..1bf0cf503796 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -716,8 +716,7 @@ static int setsockopt(struct socket *sock,
 {
        struct sock *sk = sock->sk;
        struct caifsock *cf_sk = container_of(sk, struct caifsock, sk);
-        int prio, linksel;
+        int linksel;
-        struct ifreq ifreq;
        if (cf_sk->sk.sk_socket->state != SS_UNCONNECTED)
                return -ENOPROTOOPT;
@@ -735,33 +734,6 @@ static int setsockopt(struct socket *sock,
                release_sock(&cf_sk->sk);
                return 0;
-        case SO_PRIORITY:
-                if (lvl != SOL_SOCKET)
-                        goto bad_sol;
-                if (ol < sizeof(int))
-                        return -EINVAL;
-                if (copy_from_user(&prio, ov, sizeof(int)))
-                        return -EINVAL;
-                lock_sock(&(cf_sk->sk));
-                cf_sk->conn_req.priority = prio;
-                release_sock(&cf_sk->sk);
-                return 0;
-        case SO_BINDTODEVICE:
-                if (lvl != SOL_SOCKET)
-                        goto bad_sol;
-                if (ol < sizeof(struct ifreq))
-                        return -EINVAL;
-                if (copy_from_user(&ifreq, ov, sizeof(ifreq)))
-                        return -EFAULT;
-                lock_sock(&(cf_sk->sk));
-                strncpy(cf_sk->conn_req.link_name, ifreq.ifr_name,
-                        sizeof(cf_sk->conn_req.link_name));
-                cf_sk->conn_req.link_name
-                        [sizeof(cf_sk->conn_req.link_name)-1] = 0;
-                release_sock(&cf_sk->sk);
-                return 0;
        case CAIFSO_REQ_PARAM:
                if (lvl != SOL_CAIF)
                        goto bad_sol;
@@ -880,6 +852,18 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        sock->state = SS_CONNECTING;
        sk->sk_state = CAIF_CONNECTING;
+        /* Check priority value comming from socket */
+        /* if priority value is out of range it will be ajusted */
+        if (cf_sk->sk.sk_priority > CAIF_PRIO_MAX)
+                cf_sk->conn_req.priority = CAIF_PRIO_MAX;
+        else if (cf_sk->sk.sk_priority < CAIF_PRIO_MIN)
+                cf_sk->conn_req.priority = CAIF_PRIO_MIN;
+        else
+                cf_sk->conn_req.priority = cf_sk->sk.sk_priority;
+        /*ifindex = id of the interface.*/
+        cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
        dbfs_atomic_inc(&cnt.num_connect_req);
        cf_sk->layer.receive = caif_sktrecv_cb;
        err = caif_connect_client(&cf_sk->conn_req,
@@ -905,6 +889,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        cf_sk->maxframe = mtu - (headroom + tailroom);
        if (cf_sk->maxframe < 1) {
                pr_warn("CAIF Interface MTU too small (%d)\n", dev->mtu);
+                err = -ENODEV;
                goto out;
        }
@@ -1142,7 +1127,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
        set_rx_flow_on(cf_sk);
        /* Set default options on configuration */
-        cf_sk->conn_req.priority = CAIF_PRIO_NORMAL;
+        cf_sk->sk.sk_priority= CAIF_PRIO_NORMAL;
        cf_sk->conn_req.link_selector = CAIF_LINK_LOW_LATENCY;
        cf_sk->conn_req.protocol = protocol;
        /* Increase the number of sockets created. */
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index 41adafd18914..21ede141018a 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -173,18 +173,15 @@ static struct cfcnfg_phyinfo *cfcnfg_get_phyinfo(struct cfcnfg *cnfg,
        return NULL;
 }
-int cfcnfg_get_named(struct cfcnfg *cnfg, char *name)
+int cfcnfg_get_id_from_ifi(struct cfcnfg *cnfg, int ifi)
 {
        int i;
+        for (i = 0; i < MAX_PHY_LAYERS; i++)
-        /* Try to match with specified name */
+                if (cnfg->phy_layers[i].frm_layer != NULL &&
-        for (i = 0; i < MAX_PHY_LAYERS; i++) {
+                                cnfg->phy_layers[i].ifindex == ifi)
-                if (cnfg->phy_layers[i].frm_layer != NULL
+                        return i;
-                    && strcmp(cnfg->phy_layers[i].phy_layer->name,
+        return -ENODEV;
-                              name) == 0)
-                        return cnfg->phy_layers[i].frm_layer->id;
-        }
-        return 0;
 }
 int cfcnfg_disconn_adapt_layer(struct cfcnfg *cnfg, struct cflayer *adap_layer)
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 08f267a109aa..3cd8f978e309 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -361,11 +361,10 @@ void cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
        struct cfctrl_request_info *p, *tmp;
        struct cfctrl *ctrl = container_obj(layr);
        spin_lock(&ctrl->info_list_lock);
-        pr_warn("enter\n");
        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
                if (p->client_layer == adap_layer) {
-                        pr_warn("cancel req :%d\n", p->sequence_no);
+                        pr_debug("cancel req :%d\n", p->sequence_no);
                        list_del(&p->list);
                        kfree(p);
                }
diff --git a/net/caif/cfdbgl.c b/net/caif/cfdbgl.c
index 496fda9ac66f..11a2af4c162a 100644
--- a/net/caif/cfdbgl.c
+++ b/net/caif/cfdbgl.c
@@ -12,6 +12,8 @@
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
+#define container_obj(layr) ((struct cfsrvl *) layr)
 static int cfdbgl_receive(struct cflayer *layr, struct cfpkt *pkt);
 static int cfdbgl_transmit(struct cflayer *layr, struct cfpkt *pkt);
@@ -38,5 +40,17 @@ static int cfdbgl_receive(struct cflayer *layr, struct cfpkt *pkt)
 static int cfdbgl_transmit(struct cflayer *layr, struct cfpkt *pkt)
 {
+        struct cfsrvl *service = container_obj(layr);
+        struct caif_payload_info *info;
+        int ret;
+        if (!cfsrvl_ready(service, &ret))
+                return ret;
+        /* Add info for MUX-layer to route the packet out */
+        info = cfpkt_info(pkt);
+        info->channel_id = service->layer.id;
+        info->dev_info = &service->dev_info;
        return layr->dn->transmit(layr->dn, pkt);
 }
diff --git a/net/caif/cfrfml.c b/net/caif/cfrfml.c
index bde8481e8d25..e2fb5fa75795 100644
--- a/net/caif/cfrfml.c
+++ b/net/caif/cfrfml.c
@@ -193,7 +193,7 @@ out:
 static int cfrfml_transmit_segment(struct cfrfml *rfml, struct cfpkt *pkt)
 {
-        caif_assert(cfpkt_getlen(pkt) >= rfml->fragment_size);
+        caif_assert(cfpkt_getlen(pkt) < rfml->fragment_size);
        /* Add info for MUX-layer to route the packet out. */
        cfpkt_info(pkt)->channel_id = rfml->serv.layer.id;
diff --git a/net/core/dev.c b/net/core/dev.c
index 35dfb8318483..0dd54a69dace 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2131,7 +2131,7 @@ static struct netdev_queue *dev_pick_tx(struct net_device *dev,
        } else {
                struct sock *sk = skb->sk;
                queue_index = sk_tx_queue_get(sk);
-                if (queue_index < 0) {
+                if (queue_index < 0 || queue_index >= dev->real_num_tx_queues) {
                        queue_index = 0;
                        if (dev->real_num_tx_queues > 1)
diff --git a/net/ipv4/fib_lookup.h b/net/ipv4/fib_lookup.h
index a29edf2219c8..c079cc0ec651 100644
--- a/net/ipv4/fib_lookup.h
+++ b/net/ipv4/fib_lookup.h
@@ -47,11 +47,8 @@ extern int fib_detect_death(struct fib_info *fi, int order,
 static inline void fib_result_assign(struct fib_result *res,
                                     struct fib_info *fi)
 {
-        if (res->fi != NULL)
+        /* we used to play games with refcounts, but we now use RCU */
-                fib_info_put(res->fi);
        res->fi = fi;
-        if (fi != NULL)
-                atomic_inc(&fi->fib_clntref);
 }
 #endif /* _FIB_LOOKUP_H */
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index ba8042665849..2ada17129fce 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -490,9 +490,11 @@ static int inet_csk_diag_dump(struct sock *sk,
 {
        struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
-        if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+        if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
                struct inet_diag_entry entry;
-                struct rtattr *bc = (struct rtattr *)(r + 1);
+                const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
+                                                          sizeof(*r),
+                                                          INET_DIAG_REQ_BYTECODE);
                struct inet_sock *inet = inet_sk(sk);
                entry.family = sk->sk_family;
@@ -512,7 +514,7 @@ static int inet_csk_diag_dump(struct sock *sk,
                entry.dport = ntohs(inet->inet_dport);
                entry.userlocks = sk->sk_userlocks;
-                if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
+                if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
                        return 0;
        }
@@ -527,9 +529,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
 {
        struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
-        if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+        if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
                struct inet_diag_entry entry;
-                struct rtattr *bc = (struct rtattr *)(r + 1);
+                const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
+                                                          sizeof(*r),
+                                                          INET_DIAG_REQ_BYTECODE);
                entry.family = tw->tw_family;
 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
@@ -548,7 +552,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
                entry.dport = ntohs(tw->tw_dport);
                entry.userlocks = 0;
-                if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
+                if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
                        return 0;
        }
@@ -618,7 +622,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
        struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct listen_sock *lopt;
-        struct rtattr *bc = NULL;
+        const struct nlattr *bc = NULL;
        struct inet_sock *inet = inet_sk(sk);
        int j, s_j;
        int reqnum, s_reqnum;
@@ -638,8 +642,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
        if (!lopt || !lopt->qlen)
                goto out;
-        if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+        if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
-                bc = (struct rtattr *)(r + 1);
+                bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
+                                     INET_DIAG_REQ_BYTECODE);
                entry.sport = inet->inet_num;
                entry.userlocks = sk->sk_userlocks;
        }
@@ -672,8 +677,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
                                        &ireq->rmt_addr;
                                entry.dport = ntohs(ireq->rmt_port);
-                                if (!inet_diag_bc_run(RTA_DATA(bc),
+                                if (!inet_diag_bc_run(nla_data(bc),
-                                                    RTA_PAYLOAD(bc), &entry))
+                                                      nla_len(bc), &entry))
                                        continue;
                        }
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 3cad2591ace0..3fac340a28d5 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -927,6 +927,7 @@ static int get_info(struct net *net, void __user *user,
                        private = &tmp;
                }
 #endif
+                memset(&info, 0, sizeof(info));
                info.valid_hooks = t->valid_hooks;
                memcpy(info.hook_entry, private->hook_entry,
                       sizeof(info.hook_entry));
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index d31b007a6d80..a846d633b3b6 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1124,6 +1124,7 @@ static int get_info(struct net *net, void __user *user,
                        private = &tmp;
                }
 #endif
+                memset(&info, 0, sizeof(info));
                info.valid_hooks = t->valid_hooks;
                memcpy(info.hook_entry, private->hook_entry,
                       sizeof(info.hook_entry));
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 295c97431e43..c04787ce1a71 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -47,26 +47,6 @@ __nf_nat_proto_find(u_int8_t protonum)
        return rcu_dereference(nf_nat_protos[protonum]);
 }
-static const struct nf_nat_protocol *
-nf_nat_proto_find_get(u_int8_t protonum)
-{
-        const struct nf_nat_protocol *p;
-        rcu_read_lock();
-        p = __nf_nat_proto_find(protonum);
-        if (!try_module_get(p->me))
-                p = &nf_nat_unknown_protocol;
-        rcu_read_unlock();
-        return p;
-}
-static void
-nf_nat_proto_put(const struct nf_nat_protocol *p)
-{
-        module_put(p->me);
-}
 /* We keep an extra hash for each conntrack, for fast searching. */
 static inline unsigned int
 hash_by_src(const struct net *net, u16 zone,
@@ -588,6 +568,26 @@ static struct nf_ct_ext_type nat_extend __read_mostly = {
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_conntrack.h>
+static const struct nf_nat_protocol *
+nf_nat_proto_find_get(u_int8_t protonum)
+{
+        const struct nf_nat_protocol *p;
+        rcu_read_lock();
+        p = __nf_nat_proto_find(protonum);
+        if (!try_module_get(p->me))
+                p = &nf_nat_unknown_protocol;
+        rcu_read_unlock();
+        return p;
+}
+static void
+nf_nat_proto_put(const struct nf_nat_protocol *p)
+{
+        module_put(p->me);
+}
 static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
        [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 },
        [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 },
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 51df035897e7..455582384ece 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1137,6 +1137,7 @@ static int get_info(struct net *net, void __user *user,
                        private = &tmp;
                }
 #endif
+                memset(&info, 0, sizeof(info));
                info.valid_hooks = t->valid_hooks;
                memcpy(info.hook_entry, private->hook_entry,
                       sizeof(info.hook_entry));
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 25661f968f3f..fc328339be99 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2741,6 +2741,7 @@ static void __net_exit ip6_route_net_exit(struct net *net)
        kfree(net->ipv6.ip6_prohibit_entry);
        kfree(net->ipv6.ip6_blk_hole_entry);
 #endif
+        dst_entries_destroy(&net->ipv6.ip6_dst_ops);
 }
 static struct pernet_operations ip6_route_net_ops = {
@@ -2832,5 +2833,6 @@ void ip6_route_cleanup(void)
        xfrm6_fini();
        fib6_gc_cleanup();
        unregister_pernet_subsys(&ip6_route_net_ops);
+        dst_entries_destroy(&ip6_dst_blackhole_ops);
        kmem_cache_destroy(ip6_dst_ops_template.kmem_cachep);
 }
diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
index 104ec3b283d4..b8dbae82fab8 100644
--- a/net/l2tp/l2tp_debugfs.c
+++ b/net/l2tp/l2tp_debugfs.c
@@ -249,7 +249,7 @@ static int l2tp_dfs_seq_open(struct inode *inode, struct file *file)
        struct seq_file *seq;
        int rc = -ENOMEM;
-        pd = kzalloc(GFP_KERNEL, sizeof(*pd));
+        pd = kzalloc(sizeof(*pd), GFP_KERNEL);
        if (pd == NULL)
                goto out;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1eacf8d9966a..27a5ea6b6a0f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1312,7 +1312,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls)
        if (!hash) {
                *vmalloced = 1;
                printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
-                hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
+                hash = __vmalloc(sz, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
+                                 PAGE_KERNEL);
        }
        if (hash && nulls)
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index ed6d92958023..dc7bb74110df 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,6 +292,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
                for (i = 0; i < MAX_NF_CT_PROTO; i++)
                        proto_array[i] = &nf_conntrack_l4proto_generic;
+                /* Before making proto_array visible to lockless readers,
+                 * we must make sure its content is committed to memory.
+                 */
+                smp_wmb();
                nf_ct_protos[l4proto->l3proto] = proto_array;
        } else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] !=
                                        &nf_conntrack_l4proto_generic) {
diff --git a/net/rds/loop.c b/net/rds/loop.c
index c390156b426f..aeec1d483b17 100644
--- a/net/rds/loop.c
+++ b/net/rds/loop.c
@@ -134,8 +134,12 @@ static int rds_loop_conn_alloc(struct rds_connection *conn, gfp_t gfp)
 static void rds_loop_conn_free(void *arg)
 {
        struct rds_loop_connection *lc = arg;
+        unsigned long flags;
        rdsdebug("lc %p\n", lc);
+        spin_lock_irqsave(&loop_conns_lock, flags);
        list_del(&lc->loop_node);
+        spin_unlock_irqrestore(&loop_conns_lock, flags);
        kfree(lc);
 }
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 08a8c6cf2d10..8e0a32001c90 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -221,7 +221,13 @@ static int rds_tcp_conn_alloc(struct rds_connection *conn, gfp_t gfp)
 static void rds_tcp_conn_free(void *arg)
 {
        struct rds_tcp_connection *tc = arg;
+        unsigned long flags;
        rdsdebug("freeing tc %p\n", tc);
+        spin_lock_irqsave(&rds_tcp_conn_lock, flags);
+        list_del(&tc->t_tcp_node);
+        spin_unlock_irqrestore(&rds_tcp_conn_lock, flags);
        kmem_cache_free(rds_tcp_conn_slab, tc);
 }
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 37dff78e9cb1..d49c40fb7e09 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -34,8 +34,6 @@ struct cgroup_subsys net_cls_subsys = {
        .populate       = cgrp_populate,
 #ifdef CONFIG_NET_CLS_CGROUP
        .subsys_id      = net_cls_subsys_id,
-#else
-#define net_cls_subsys_id net_cls_subsys.subsys_id
 #endif
        .module         = THIS_MODULE,
 };
diff --git a/net/sched/em_text.c b/net/sched/em_text.c
index 763253257411..ea8f566e720c 100644
--- a/net/sched/em_text.c
+++ b/net/sched/em_text.c
@@ -103,7 +103,8 @@ retry:
 static void em_text_destroy(struct tcf_proto *tp, struct tcf_ematch *m)
 {
-        textsearch_destroy(EM_TEXT_PRIV(m)->config);
+        if (EM_TEXT_PRIV(m) && EM_TEXT_PRIV(m)->config)
+                textsearch_destroy(EM_TEXT_PRIV(m)->config);
 }
 static int em_text_dump(struct sk_buff *skb, struct tcf_ematch *m)
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 771bab00754b..3a8c4c419cd4 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                case X25_FAC_CLASS_D:
                        switch (*p) {
                        case X25_FAC_CALLING_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        break;
+                                        return 0;
                                dte_facs->calling_len = p[2];
                                memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLING_AE;
                                break;
                        case X25_FAC_CALLED_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        break;
+                                        return 0;
                                dte_facs->called_len = p[2];
                                memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLED_AE;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 63178961efac..f729f022be69 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                                                &x25->vc_facil_mask);
                        if (len > 0)
                                skb_pull(skb, len);
+                        else
+                                return -1;
                        /*
                         *      Copy any Call User Data.
                         */
author	Linus Torvalds <torvalds@linux-foundation.org>	2010-11-05 18:25:48 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2010-11-05 18:25:48 -0400
commit	4b4a2700f462102569b407102c60d3b9cf4432a0 (patch)
tree	d326b404c99ca477d47aa0e06eb64f0b3e2d8347 /net
parent	f69fa76482e654f7d94e4aa40ea0ebf04363396a (diff)
parent	22e76c849d505d87c5ecf3d3e6742a65f0ff4860 (diff)