Merge 3.10-rc6 into tty-next

We want the changes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-17 15:00:22 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-17 15:00:22 -0400
commit: bf32d52c455d933cc9a459bb94af9ea8b5850af9 (patch)
tree: 0d6af119b141e46e120ad06c867fe82ac3c00f1c /net
parent: 0c375501be6e6dc23c11ebfa394434517444e62d (diff)
parent: 7d132055814ef17a6c7b69f342244c410a5e000f (diff)
24 files changed, 211 insertions, 125 deletions
diff --git a/net/9p/client.c b/net/9p/client.c
index 8eb75425e6e6..addc116cecf0 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -562,36 +562,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
        if (!p9_is_proto_dotl(c)) {
                /* Error is reported in string format */
-                uint16_t len;
+                int len;
-                /* 7 = header size for RERROR, 2 is the size of string len; */
+                /* 7 = header size for RERROR; */
-                int inline_len = in_hdrlen - (7 + 2);
+                int inline_len = in_hdrlen - 7;
-                /* Read the size of error string */
+                len =  req->rc->size - req->rc->offset;
-                err = p9pdu_readf(req->rc, c->proto_version, "w", &len);
+                if (len > (P9_ZC_HDR_SZ - 7)) {
-                if (err)
+                        err = -EFAULT;
-                        goto out_err;
-                ename = kmalloc(len + 1, GFP_NOFS);
-                if (!ename) {
-                        err = -ENOMEM;
                        goto out_err;
                }
-                if (len <= inline_len) {
-                        /* We have error in protocol buffer itself */
-                        if (pdu_read(req->rc, ename, len)) {
-                                err = -EFAULT;
-                                goto out_free;
-                        }
+                ename = &req->rc->sdata[req->rc->offset];
-                } else {
+                if (len > inline_len) {
-                        /*
+                        /* We have error in external buffer */
-                         *  Part of the data is in user space buffer.
-                         */
-                        if (pdu_read(req->rc, ename, inline_len)) {
-                                err = -EFAULT;
-                                goto out_free;
-                        }
                        if (kern_buf) {
                                memcpy(ename + inline_len, uidata,
                                       len - inline_len);
@@ -600,19 +583,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
                                                     uidata, len - inline_len);
                                if (err) {
                                        err = -EFAULT;
-                                        goto out_free;
+                                        goto out_err;
                                }
                        }
                }
-                ename[len] = 0;
+                ename = NULL;
-                if (p9_is_proto_dotu(c)) {
+                err = p9pdu_readf(req->rc, c->proto_version, "s?d",
-                        /* For dotu we also have error code */
+                                  &ename, &ecode);
-                        err = p9pdu_readf(req->rc,
+                if (err)
-                                          c->proto_version, "d", &ecode);
+                        goto out_err;
-                        if (err)
-                                goto out_free;
+                if (p9_is_proto_dotu(c))
                        err = -ecode;
-                }
                if (!err || !IS_ERR_VALUE(err)) {
                        err = p9_errstr2errno(ename, strlen(ename));
@@ -628,8 +611,6 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
        }
        return err;
-out_free:
-        kfree(ename);
 out_err:
        p9_debug(P9_DEBUG_ERROR, "couldn't parse error%d\n", err);
        return err;
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 071f288b77a8..f680ee101878 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -29,6 +29,21 @@
 #include "bat_algo.h"
 #include "network-coding.h"
+/**
+ * batadv_dup_status - duplicate status
+ * @BATADV_NO_DUP: the packet is a duplicate
+ * @BATADV_ORIG_DUP: OGM is a duplicate in the originator (but not for the
+ *  neighbor)
+ * @BATADV_NEIGH_DUP: OGM is a duplicate for the neighbor
+ * @BATADV_PROTECTED: originator is currently protected (after reboot)
+ */
+enum batadv_dup_status {
+        BATADV_NO_DUP = 0,
+        BATADV_ORIG_DUP,
+        BATADV_NEIGH_DUP,
+        BATADV_PROTECTED,
+};
 static struct batadv_neigh_node *
 batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
                        const uint8_t *neigh_addr,
@@ -650,7 +665,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                          const struct batadv_ogm_packet *batadv_ogm_packet,
                          struct batadv_hard_iface *if_incoming,
                          const unsigned char *tt_buff,
-                          int is_duplicate)
+                          enum batadv_dup_status dup_status)
 {
        struct batadv_neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
        struct batadv_neigh_node *router = NULL;
@@ -676,7 +691,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                        continue;
                }
-                if (is_duplicate)
+                if (dup_status != BATADV_NO_DUP)
                        continue;
                spin_lock_bh(&tmp_neigh_node->lq_update_lock);
@@ -718,7 +733,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
        neigh_node->tq_avg = batadv_ring_buffer_avg(neigh_node->tq_recv);
        spin_unlock_bh(&neigh_node->lq_update_lock);
-        if (!is_duplicate) {
+        if (dup_status == BATADV_NO_DUP) {
                orig_node->last_ttl = batadv_ogm_packet->header.ttl;
                neigh_node->last_ttl = batadv_ogm_packet->header.ttl;
        }
@@ -902,15 +917,16 @@ out:
        return ret;
 }
-/* processes a batman packet for all interfaces, adjusts the sequence number and
+/**
- * finds out whether it is a duplicate.
+ * batadv_iv_ogm_update_seqnos -  process a batman packet for all interfaces,
- * returns:
+ *  adjust the sequence number and find out whether it is a duplicate
- *   1 the packet is a duplicate
+ * @ethhdr: ethernet header of the packet
- *   0 the packet has not yet been received
+ * @batadv_ogm_packet: OGM packet to be considered
- *  -1 the packet is old and has been received while the seqno window
+ * @if_incoming: interface on which the OGM packet was received
- *     was protected. Caller should drop it.
+ *
+ * Returns duplicate status as enum batadv_dup_status
 */
-static int
+static enum batadv_dup_status
 batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                            const struct batadv_ogm_packet *batadv_ogm_packet,
                            const struct batadv_hard_iface *if_incoming)
@@ -918,17 +934,18 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
        struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct batadv_orig_node *orig_node;
        struct batadv_neigh_node *tmp_neigh_node;
-        int is_duplicate = 0;
+        int is_dup;
        int32_t seq_diff;
        int need_update = 0;
-        int set_mark, ret = -1;
+        int set_mark;
+        enum batadv_dup_status ret = BATADV_NO_DUP;
        uint32_t seqno = ntohl(batadv_ogm_packet->seqno);
        uint8_t *neigh_addr;
        uint8_t packet_count;
        orig_node = batadv_get_orig_node(bat_priv, batadv_ogm_packet->orig);
        if (!orig_node)
-                return 0;
+                return BATADV_NO_DUP;
        spin_lock_bh(&orig_node->ogm_cnt_lock);
        seq_diff = seqno - orig_node->last_real_seqno;
@@ -936,22 +953,29 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
        /* signalize caller that the packet is to be dropped. */
        if (!hlist_empty(&orig_node->neigh_list) &&
            batadv_window_protected(bat_priv, seq_diff,
-                                    &orig_node->batman_seqno_reset))
+                                    &orig_node->batman_seqno_reset)) {
+                ret = BATADV_PROTECTED;
                goto out;
+        }
        rcu_read_lock();
        hlist_for_each_entry_rcu(tmp_neigh_node,
                                 &orig_node->neigh_list, list) {
-                is_duplicate |= batadv_test_bit(tmp_neigh_node->real_bits,
-                                                orig_node->last_real_seqno,
-                                                seqno);
                neigh_addr = tmp_neigh_node->addr;
+                is_dup = batadv_test_bit(tmp_neigh_node->real_bits,
+                                         orig_node->last_real_seqno,
+                                         seqno);
                if (batadv_compare_eth(neigh_addr, ethhdr->h_source) &&
-                    tmp_neigh_node->if_incoming == if_incoming)
+                    tmp_neigh_node->if_incoming == if_incoming) {
                        set_mark = 1;
-                else
+                        if (is_dup)
+                                ret = BATADV_NEIGH_DUP;
+                } else {
                        set_mark = 0;
+                        if (is_dup && (ret != BATADV_NEIGH_DUP))
+                                ret = BATADV_ORIG_DUP;
+                }
                /* if the window moved, set the update flag. */
                need_update |= batadv_bit_get_packet(bat_priv,
@@ -971,8 +995,6 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                orig_node->last_real_seqno = seqno;
        }
-        ret = is_duplicate;
 out:
        spin_unlock_bh(&orig_node->ogm_cnt_lock);
        batadv_orig_node_free_ref(orig_node);
@@ -994,7 +1016,8 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
        int is_broadcast = 0, is_bidirect;
        bool is_single_hop_neigh = false;
        bool is_from_best_next_hop = false;
-        int is_duplicate, sameseq, simlar_ttl;
+        int sameseq, similar_ttl;
+        enum batadv_dup_status dup_status;
        uint32_t if_incoming_seqno;
        uint8_t *prev_sender;
@@ -1138,10 +1161,10 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
        if (!orig_node)
                return;
-        is_duplicate = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
+        dup_status = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
-                                                   if_incoming);
+                                                 if_incoming);
-        if (is_duplicate == -1) {
+        if (dup_status == BATADV_PROTECTED) {
                batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                           "Drop packet: packet within seqno protection time (sender: %pM)\n",
                           ethhdr->h_source);
@@ -1211,11 +1234,12 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
         * seqno and similar ttl as the non-duplicate
         */
        sameseq = orig_node->last_real_seqno == ntohl(batadv_ogm_packet->seqno);
-        simlar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
+        similar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
-        if (is_bidirect && (!is_duplicate || (sameseq && simlar_ttl)))
+        if (is_bidirect && ((dup_status == BATADV_NO_DUP) ||
+                            (sameseq && similar_ttl)))
                batadv_iv_ogm_orig_update(bat_priv, orig_node, ethhdr,
                                          batadv_ogm_packet, if_incoming,
-                                          tt_buff, is_duplicate);
+                                          tt_buff, dup_status);
        /* is single hop (direct) neighbor */
        if (is_single_hop_neigh) {
@@ -1236,7 +1260,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
                goto out_neigh;
        }
-        if (is_duplicate) {
+        if (dup_status == BATADV_NEIGH_DUP) {
                batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                           "Drop packet: duplicate packet received\n");
                goto out_neigh;
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 379061c72549..de27b3175cfd 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1067,6 +1067,10 @@ void batadv_bla_update_orig_address(struct batadv_priv *bat_priv,
        group = htons(crc16(0, primary_if->net_dev->dev_addr, ETH_ALEN));
        bat_priv->bla.claim_dest.group = group;
+        /* purge everything when bridge loop avoidance is turned off */
+        if (!atomic_read(&bat_priv->bridge_loop_avoidance))
+                oldif = NULL;
        if (!oldif) {
                batadv_bla_purge_claims(bat_priv, NULL, 1);
                batadv_bla_purge_backbone_gw(bat_priv, 1);
diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
index 15a22efa9a67..929e304dacb2 100644
--- a/net/batman-adv/sysfs.c
+++ b/net/batman-adv/sysfs.c
@@ -582,10 +582,7 @@ static ssize_t batadv_store_mesh_iface(struct kobject *kobj,
            (strncmp(hard_iface->soft_iface->name, buff, IFNAMSIZ) == 0))
                goto out;
-        if (!rtnl_trylock()) {
+        rtnl_lock();
-                ret = -ERESTARTSYS;
-                goto out;
-        }
        if (status_tmp == BATADV_IF_NOT_IN_USE) {
                batadv_hardif_disable_interface(hard_iface,
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 33843c5c4939..d817c932d634 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1555,11 +1555,15 @@ static const struct rfkill_ops hci_rfkill_ops = {
 static void hci_power_on(struct work_struct *work)
 {
        struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
+        int err;
        BT_DBG("%s", hdev->name);
-        if (hci_dev_open(hdev->id) < 0)
+        err = hci_dev_open(hdev->id);
+        if (err < 0) {
+                mgmt_set_powered_failed(hdev, err);
                return;
+        }
        if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
                queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a76d1ac0321b..24bee07ee4ce 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3677,10 +3677,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 }
 static inline int l2cap_command_rej(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
        struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+        if (cmd_len < sizeof(*rej))
+                return -EPROTO;
        if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
                return 0;
@@ -3829,11 +3833,14 @@ sendresp:
 }
 static int l2cap_connect_req(struct l2cap_conn *conn,
-                             struct l2cap_cmd_hdr *cmd, u8 *data)
+                             struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
        struct hci_dev *hdev = conn->hcon->hdev;
        struct hci_conn *hcon = conn->hcon;
+        if (cmd_len < sizeof(struct l2cap_conn_req))
+                return -EPROTO;
        hci_dev_lock(hdev);
        if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
            !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
@@ -3847,7 +3854,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
 }
 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
        u16 scid, dcid, result, status;
@@ -3855,6 +3863,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
        u8 req[128];
        int err;
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
        scid   = __le16_to_cpu(rsp->scid);
        dcid   = __le16_to_cpu(rsp->dcid);
        result = __le16_to_cpu(rsp->result);
@@ -3952,6 +3963,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
        struct l2cap_chan *chan;
        int len, err = 0;
+        if (cmd_len < sizeof(*req))
+                return -EPROTO;
        dcid  = __le16_to_cpu(req->dcid);
        flags = __le16_to_cpu(req->flags);
@@ -3975,7 +3989,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
        /* Reject if config buffer is too small. */
        len = cmd_len - sizeof(*req);
-        if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
+        if (chan->conf_len + len > sizeof(chan->conf_req)) {
                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
                               l2cap_build_conf_rsp(chan, rsp,
                               L2CAP_CONF_REJECT, flags), rsp);
@@ -4053,14 +4067,18 @@ unlock:
 }
 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
-                                   struct l2cap_cmd_hdr *cmd, u8 *data)
+                                   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                   u8 *data)
 {
        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
        u16 scid, flags, result;
        struct l2cap_chan *chan;
-        int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
+        int len = cmd_len - sizeof(*rsp);
        int err = 0;
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
        scid   = __le16_to_cpu(rsp->scid);
        flags  = __le16_to_cpu(rsp->flags);
        result = __le16_to_cpu(rsp->result);
@@ -4161,7 +4179,8 @@ done:
 }
 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
        struct l2cap_disconn_rsp rsp;
@@ -4169,6 +4188,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
        struct l2cap_chan *chan;
        struct sock *sk;
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
        scid = __le16_to_cpu(req->scid);
        dcid = __le16_to_cpu(req->dcid);
@@ -4208,12 +4230,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
 }
 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
        u16 dcid, scid;
        struct l2cap_chan *chan;
+        if (cmd_len != sizeof(*rsp))
+                return -EPROTO;
        scid = __le16_to_cpu(rsp->scid);
        dcid = __le16_to_cpu(rsp->dcid);
@@ -4243,11 +4269,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
 }
 static inline int l2cap_information_req(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
        struct l2cap_info_req *req = (struct l2cap_info_req *) data;
        u16 type;
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
        type = __le16_to_cpu(req->type);
        BT_DBG("type 0x%4.4x", type);
@@ -4294,11 +4324,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
 }
 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
        u16 type, result;
+        if (cmd_len != sizeof(*rsp))
+                return -EPROTO;
        type   = __le16_to_cpu(rsp->type);
        result = __le16_to_cpu(rsp->result);
@@ -5164,16 +5198,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
        switch (cmd->code) {
        case L2CAP_COMMAND_REJ:
-                l2cap_command_rej(conn, cmd, data);
+                l2cap_command_rej(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONN_REQ:
-                err = l2cap_connect_req(conn, cmd, data);
+                err = l2cap_connect_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONN_RSP:
        case L2CAP_CREATE_CHAN_RSP:
-                err = l2cap_connect_create_rsp(conn, cmd, data);
+                err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONF_REQ:
@@ -5181,15 +5215,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                break;
        case L2CAP_CONF_RSP:
-                err = l2cap_config_rsp(conn, cmd, data);
+                err = l2cap_config_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_DISCONN_REQ:
-                err = l2cap_disconnect_req(conn, cmd, data);
+                err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_DISCONN_RSP:
-                err = l2cap_disconnect_rsp(conn, cmd, data);
+                err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_ECHO_REQ:
@@ -5200,11 +5234,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                break;
        case L2CAP_INFO_REQ:
-                err = l2cap_information_req(conn, cmd, data);
+                err = l2cap_information_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_INFO_RSP:
-                err = l2cap_information_rsp(conn, cmd, data);
+                err = l2cap_information_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CREATE_CHAN_REQ:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 35fef22703e9..f8ecbc70293d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2700,7 +2700,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
                break;
        case DISCOV_TYPE_LE:
-                if (!lmp_host_le_capable(hdev)) {
+                if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
                        err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
                                         MGMT_STATUS_NOT_SUPPORTED);
                        mgmt_pending_remove(cmd);
@@ -3418,6 +3418,27 @@ new_settings:
        return err;
 }
+int mgmt_set_powered_failed(struct hci_dev *hdev, int err)
+{
+        struct pending_cmd *cmd;
+        u8 status;
+        cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
+        if (!cmd)
+                return -ENOENT;
+        if (err == -ERFKILL)
+                status = MGMT_STATUS_RFKILLED;
+        else
+                status = MGMT_STATUS_FAILED;
+        err = cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
+        mgmt_pending_remove(cmd);
+        return err;
+}
 int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
 {
        struct cmd_lookup match = { NULL, hdev };
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index b2296d3857a0..b5562abdd6e0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -770,7 +770,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
        BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
-        if (!lmp_host_le_capable(hcon->hdev))
+        if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
                return 1;
        if (sec_level == BT_SECURITY_LOW)
@@ -851,7 +851,7 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
        __u8 reason;
        int err = 0;
-        if (!lmp_host_le_capable(conn->hcon->hdev)) {
+        if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
                err = -ENOTSUPP;
                reason = SMP_PAIRING_NOTSUPP;
                goto done;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index d5953b87918c..3a246a6cab47 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1675,13 +1675,13 @@ static void kick_requests(struct ceph_osd_client *osdc, int force_resend)
                __register_request(osdc, req);
                __unregister_linger_request(osdc, req);
        }
+        reset_changed_osds(osdc);
        mutex_unlock(&osdc->request_mutex);
        if (needmap) {
                dout("%d requests for down osds, need new map\n", needmap);
                ceph_monc_request_next_osdmap(&osdc->client->monc);
        }
-        reset_changed_osds(osdc);
 }
diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a178f9f8..6438f29ff266 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -778,7 +778,7 @@ int sk_detach_filter(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(sk_detach_filter);
-static void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
+void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
 {
        static const u16 decodes[] = {
                [BPF_S_ALU_ADD_K]       = BPF_ALU|BPF_ADD|BPF_K,
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index d5bef0b0f639..a0e9cf6379de 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -73,8 +73,13 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
                goto out;
        }
-        if (filter)
+        if (filter) {
-                memcpy(nla_data(attr), filter->insns, len);
+                struct sock_filter *fb = (struct sock_filter *)nla_data(attr);
+                int i;
+                for (i = 0; i < filter->len; i++, fb++)
+                        sk_decode_filter(&filter->insns[i], fb);
+        }
 out:
        rcu_read_unlock();
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index be2f8da0ae8e..7fa8f08fa7ae 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -853,7 +853,7 @@ void ip_tunnel_dellink(struct net_device *dev, struct list_head *head)
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_dellink);
-int __net_init ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
+int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
                                  struct rtnl_link_ops *ops, char *devname)
 {
        struct ip_tunnel_net *itn = net_generic(net, ip_tnl_net_id);
@@ -899,7 +899,7 @@ static void ip_tunnel_destroy(struct ip_tunnel_net *itn, struct list_head *head)
                unregister_netdevice_queue(itn->fb_tunnel_dev, head);
 }
-void __net_exit ip_tunnel_delete_net(struct ip_tunnel_net *itn)
+void ip_tunnel_delete_net(struct ip_tunnel_net *itn)
 {
        LIST_HEAD(list);
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 9d2bdb2c1d3f..c118f6b576bb 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -361,8 +361,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                        tunnel->err_count = 0;
        }
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-                              IPSKB_REROUTED);
        skb_dst_drop(skb);
        skb_dst_set(skb, &rt->dst);
        nf_reset(skb);
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 637a341c1e2d..8dec6876dc50 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
        skb_put(skb, 2);
        /* Copy user data into skb */
-        error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+        error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+                                 total_len);
        if (error < 0) {
                kfree_skb(skb);
                goto error_put_sess_tun;
        }
-        skb_put(skb, total_len);
        l2tp_xmit_skb(session, skb, session->hdr_len);
        sock_put(ps->tunnel_sock);
        sock_put(sk);
-        return error;
+        return total_len;
 error_put_sess_tun:
        sock_put(ps->tunnel_sock);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 5b142fb16480..9e6c2a075a4c 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
                struct ip_vs_dest *dest;
                struct ip_vs_dest_entry entry;
+                memset(&entry, 0, sizeof(entry));
                list_for_each_entry(dest, &svc->destinations, n_list) {
                        if (count >= get->num_dests)
                                break;
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index dc3fd5d44464..c7b6d466a662 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -149,9 +149,12 @@ nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
        rcu_read_lock();
        list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
-                if (last && cur != last)
+                if (last) {
-                        continue;
+                        if (cur != last)
+                                continue;
+                        last = NULL;
+                }
                if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                       cb->nlh->nlmsg_seq,
                                       NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 701c88a20fea..65074dfb9383 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -220,9 +220,12 @@ ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
        rcu_read_lock();
        list_for_each_entry_rcu(cur, &cttimeout_list, head) {
-                if (last && cur != last)
+                if (last) {
-                        continue;
+                        if (cur != last)
+                                continue;
+                        last = NULL;
+                }
                if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                           cb->nlh->nlmsg_seq,
                                           NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 4e27fa035814..5352b2d2d5bf 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -637,9 +637,6 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
        if (queue->copy_mode == NFQNL_COPY_NONE)
                return -EINVAL;
-        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))
-                return __nfqnl_enqueue_packet(net, queue, entry);
        skb = entry->skb;
        switch (entry->pf) {
@@ -651,6 +648,9 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
                break;
        }
+        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(skb))
+                return __nfqnl_enqueue_packet(net, queue, entry);
        nf_bridge_adjust_skb_data(skb);
        segs = skb_gso_segment(skb, 0);
        /* Does not use PTR_ERR to limit the number of error codes that can be
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f0d42b..afaebc766933 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
        skb_put(skb, TCPOLEN_MSS);
+        /* RFC 879 states that the default MSS is 536 without specific
+         * knowledge that the destination host is prepared to accept larger.
+         * Since no MSS was provided, we MUST NOT set a value > 536.
+         */
+        newmss = min(newmss, (u16)536);
        opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
        memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d0b3dd60d386..57ee84d21470 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -371,7 +371,7 @@ static int netlink_mmap(struct file *file, struct socket *sock,
        err = 0;
 out:
        mutex_unlock(&nlk->pg_vec_lock);
-        return 0;
+        return err;
 }
 static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8ec1bca7f859..20a1bd0e6549 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2851,12 +2851,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
                return -EOPNOTSUPP;
        uaddr->sa_family = AF_PACKET;
+        memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
        rcu_read_lock();
        dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
        if (dev)
-                strncpy(uaddr->sa_data, dev->name, 14);
+                strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
-        else
-                memset(uaddr->sa_data, 0, 14);
        rcu_read_unlock();
        *uaddr_len = sizeof(*uaddr);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 2b935e7cfe7b..281c1bded1f6 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -291,17 +291,18 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
 {
        struct qdisc_rate_table *rtab;
+        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
+            nla_len(tab) != TC_RTAB_SIZE)
+                return NULL;
        for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) {
-                if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) {
+                if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) &&
+                    !memcmp(&rtab->data, nla_data(tab), 1024)) {
                        rtab->refcnt++;
                        return rtab;
                }
        }
-        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
-            nla_len(tab) != TC_RTAB_SIZE)
-                return NULL;
        rtab = kmalloc(sizeof(*rtab), GFP_KERNEL);
        if (rtab) {
                rtab->rate = *r;
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 32a4625fef77..be35e2dbcc9a 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
 */
 void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
 {
+        memset(q, 0, sizeof(struct sctp_outq));
        q->asoc = asoc;
        INIT_LIST_HEAD(&q->out_chunk_list);
        INIT_LIST_HEAD(&q->control_chunk_list);
@@ -213,11 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
        INIT_LIST_HEAD(&q->sacked);
        INIT_LIST_HEAD(&q->abandoned);
-        q->fast_rtx = 0;
-        q->outstanding_bytes = 0;
        q->empty = 1;
-        q->cork  = 0;
-        q->out_qlen = 0;
 }
 /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f631c5ff4dbf..6abb1caf9836 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4003,6 +4003,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
        /* Release our hold on the endpoint. */
        sp = sctp_sk(sk);
+        /* This could happen during socket init, thus we bail out
+         * early, since the rest of the below is not setup either.
+         */
+        if (sp->ep == NULL)
+                return;
        if (sp->do_auto_asconf) {
                sp->do_auto_asconf = 0;
                list_del(&sp->auto_asconf_list);
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-06-17 15:00:22 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-06-17 15:00:22 -0400
commit	bf32d52c455d933cc9a459bb94af9ea8b5850af9 (patch)
tree	0d6af119b141e46e120ad06c867fe82ac3c00f1c /net
parent	0c375501be6e6dc23c11ebfa394434517444e62d (diff)
parent	7d132055814ef17a6c7b69f342244c410a5e000f (diff)