Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts: drivers/net/wireless/ath/ath9k/Kconfig drivers/net/xen-netback/netback.c net/batman-adv/bat_iv_ogm.c net/wireless/nl80211.c The ath9k Kconfig conflict was a change of a Kconfig option name right next to the deletion of another option. The xen-netback conflict was overlapping changes involving the handling of the notify list in xen_netbk_rx_action(). Batman conflict resolution provided by Antonio Quartulli, basically keep everything in both conflict hunks. The nl80211 conflict is a little more involved. In 'net' we added a dynamic memory allocation to nl80211_dump_wiphy() to fix a race that Linus reported. Meanwhile in 'net-next' the handlers were converted to use pre and post doit handlers which use a flag to determine whether to hold the RTNL mutex around the operation. However, the dump handlers to not use this logic. Instead they have to explicitly do the locking. There were apparent bugs in the conversion of nl80211_dump_wiphy() in that we were not dropping the RTNL mutex in all the return paths, and it seems we very much should be doing so. So I fixed that whilst handling the overlapping changes. To simplify the initial returns, I take the RTNL mutex after we try to allocate 'tb'. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-06-19 19:49:39 -0400
committer: David S. Miller <davem@davemloft.net> 2013-06-19 19:49:39 -0400
commit: d98cae64e4a733ff377184d78aa0b1f2b54faede (patch)
tree: e973e3c93fe7e17741567ac3947f5197bc9d582d /net
parent: 646093a29f85630d8efe2aa38fa585d2c3ea2e46 (diff)
parent: 4067c666f2dccf56f5db5c182713e68c40d46013 (diff)
34 files changed, 356 insertions, 156 deletions
diff --git a/net/9p/client.c b/net/9p/client.c
index 8eb75425e6e6..addc116cecf0 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -562,36 +562,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
        if (!p9_is_proto_dotl(c)) {
                /* Error is reported in string format */
-                uint16_t len;
+                int len;
-                /* 7 = header size for RERROR, 2 is the size of string len; */
+                /* 7 = header size for RERROR; */
-                int inline_len = in_hdrlen - (7 + 2);
+                int inline_len = in_hdrlen - 7;
-                /* Read the size of error string */
+                len =  req->rc->size - req->rc->offset;
-                err = p9pdu_readf(req->rc, c->proto_version, "w", &len);
+                if (len > (P9_ZC_HDR_SZ - 7)) {
-                if (err)
+                        err = -EFAULT;
-                        goto out_err;
-                ename = kmalloc(len + 1, GFP_NOFS);
-                if (!ename) {
-                        err = -ENOMEM;
                        goto out_err;
                }
-                if (len <= inline_len) {
-                        /* We have error in protocol buffer itself */
-                        if (pdu_read(req->rc, ename, len)) {
-                                err = -EFAULT;
-                                goto out_free;
-                        }
+                ename = &req->rc->sdata[req->rc->offset];
-                } else {
+                if (len > inline_len) {
-                        /*
+                        /* We have error in external buffer */
-                         *  Part of the data is in user space buffer.
-                         */
-                        if (pdu_read(req->rc, ename, inline_len)) {
-                                err = -EFAULT;
-                                goto out_free;
-                        }
                        if (kern_buf) {
                                memcpy(ename + inline_len, uidata,
                                       len - inline_len);
@@ -600,19 +583,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
                                                     uidata, len - inline_len);
                                if (err) {
                                        err = -EFAULT;
-                                        goto out_free;
+                                        goto out_err;
                                }
                        }
                }
-                ename[len] = 0;
+                ename = NULL;
-                if (p9_is_proto_dotu(c)) {
+                err = p9pdu_readf(req->rc, c->proto_version, "s?d",
-                        /* For dotu we also have error code */
+                                  &ename, &ecode);
-                        err = p9pdu_readf(req->rc,
+                if (err)
-                                          c->proto_version, "d", &ecode);
+                        goto out_err;
-                        if (err)
-                                goto out_free;
+                if (p9_is_proto_dotu(c))
                        err = -ecode;
-                }
                if (!err || !IS_ERR_VALUE(err)) {
                        err = p9_errstr2errno(ename, strlen(ename));
@@ -628,8 +611,6 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
        }
        return err;
-out_free:
-        kfree(ename);
 out_err:
        p9_debug(P9_DEBUG_ERROR, "couldn't parse error%d\n", err);
        return err;
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index d07323b3e9b8..62da5278014a 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -70,6 +70,22 @@ static uint8_t batadv_ring_buffer_avg(const uint8_t lq_recv[])
        return (uint8_t)(sum / count);
 }
+/*
+ * batadv_dup_status - duplicate status
+ * @BATADV_NO_DUP: the packet is a duplicate
+ * @BATADV_ORIG_DUP: OGM is a duplicate in the originator (but not for the
+ *  neighbor)
+ * @BATADV_NEIGH_DUP: OGM is a duplicate for the neighbor
+ * @BATADV_PROTECTED: originator is currently protected (after reboot)
+ */
+enum batadv_dup_status {
+        BATADV_NO_DUP = 0,
+        BATADV_ORIG_DUP,
+        BATADV_NEIGH_DUP,
+        BATADV_PROTECTED,
+};
 static struct batadv_neigh_node *
 batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
                        const uint8_t *neigh_addr,
@@ -723,7 +739,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                          const struct batadv_ogm_packet *batadv_ogm_packet,
                          struct batadv_hard_iface *if_incoming,
                          const unsigned char *tt_buff,
-                          int is_duplicate)
+                          enum batadv_dup_status dup_status)
 {
        struct batadv_neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
        struct batadv_neigh_node *router = NULL;
@@ -749,7 +765,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                        continue;
                }
-                if (is_duplicate)
+                if (dup_status != BATADV_NO_DUP)
                        continue;
                spin_lock_bh(&tmp_neigh_node->lq_update_lock);
@@ -790,7 +806,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
        neigh_node->tq_avg = batadv_ring_buffer_avg(neigh_node->tq_recv);
        spin_unlock_bh(&neigh_node->lq_update_lock);
-        if (!is_duplicate) {
+        if (dup_status == BATADV_NO_DUP) {
                orig_node->last_ttl = batadv_ogm_packet->header.ttl;
                neigh_node->last_ttl = batadv_ogm_packet->header.ttl;
        }
@@ -973,15 +989,16 @@ out:
        return ret;
 }
-/* processes a batman packet for all interfaces, adjusts the sequence number and
+/**
- * finds out whether it is a duplicate.
+ * batadv_iv_ogm_update_seqnos -  process a batman packet for all interfaces,
- * returns:
+ *  adjust the sequence number and find out whether it is a duplicate
- *   1 the packet is a duplicate
+ * @ethhdr: ethernet header of the packet
- *   0 the packet has not yet been received
+ * @batadv_ogm_packet: OGM packet to be considered
- *  -1 the packet is old and has been received while the seqno window
+ * @if_incoming: interface on which the OGM packet was received
- *     was protected. Caller should drop it.
+ *
+ * Returns duplicate status as enum batadv_dup_status
 */
-static int
+static enum batadv_dup_status
 batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                            const struct batadv_ogm_packet *batadv_ogm_packet,
                            const struct batadv_hard_iface *if_incoming)
@@ -989,17 +1006,18 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
        struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct batadv_orig_node *orig_node;
        struct batadv_neigh_node *tmp_neigh_node;
-        int is_duplicate = 0;
+        int is_dup;
        int32_t seq_diff;
        int need_update = 0;
-        int set_mark, ret = -1;
+        int set_mark;
+        enum batadv_dup_status ret = BATADV_NO_DUP;
        uint32_t seqno = ntohl(batadv_ogm_packet->seqno);
        uint8_t *neigh_addr;
        uint8_t packet_count;
        orig_node = batadv_get_orig_node(bat_priv, batadv_ogm_packet->orig);
        if (!orig_node)
-                return 0;
+                return BATADV_NO_DUP;
        spin_lock_bh(&orig_node->ogm_cnt_lock);
        seq_diff = seqno - orig_node->last_real_seqno;
@@ -1007,22 +1025,29 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
        /* signalize caller that the packet is to be dropped. */
        if (!hlist_empty(&orig_node->neigh_list) &&
            batadv_window_protected(bat_priv, seq_diff,
-                                    &orig_node->batman_seqno_reset))
+                                    &orig_node->batman_seqno_reset)) {
+                ret = BATADV_PROTECTED;
                goto out;
+        }
        rcu_read_lock();
        hlist_for_each_entry_rcu(tmp_neigh_node,
                                 &orig_node->neigh_list, list) {
-                is_duplicate |= batadv_test_bit(tmp_neigh_node->real_bits,
-                                                orig_node->last_real_seqno,
-                                                seqno);
                neigh_addr = tmp_neigh_node->addr;
+                is_dup = batadv_test_bit(tmp_neigh_node->real_bits,
+                                         orig_node->last_real_seqno,
+                                         seqno);
                if (batadv_compare_eth(neigh_addr, ethhdr->h_source) &&
-                    tmp_neigh_node->if_incoming == if_incoming)
+                    tmp_neigh_node->if_incoming == if_incoming) {
                        set_mark = 1;
-                else
+                        if (is_dup)
+                                ret = BATADV_NEIGH_DUP;
+                } else {
                        set_mark = 0;
+                        if (is_dup && (ret != BATADV_NEIGH_DUP))
+                                ret = BATADV_ORIG_DUP;
+                }
                /* if the window moved, set the update flag. */
                need_update |= batadv_bit_get_packet(bat_priv,
@@ -1042,8 +1067,6 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                orig_node->last_real_seqno = seqno;
        }
-        ret = is_duplicate;
 out:
        spin_unlock_bh(&orig_node->ogm_cnt_lock);
        batadv_orig_node_free_ref(orig_node);
@@ -1065,7 +1088,8 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
        int is_bidirect;
        bool is_single_hop_neigh = false;
        bool is_from_best_next_hop = false;
-        int is_duplicate, sameseq, simlar_ttl;
+        int sameseq, similar_ttl;
+        enum batadv_dup_status dup_status;
        uint32_t if_incoming_seqno;
        uint8_t *prev_sender;
@@ -1192,10 +1216,10 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
        if (!orig_node)
                return;
-        is_duplicate = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
+        dup_status = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
-                                                   if_incoming);
+                                                 if_incoming);
-        if (is_duplicate == -1) {
+        if (dup_status == BATADV_PROTECTED) {
                batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                           "Drop packet: packet within seqno protection time (sender: %pM)\n",
                           ethhdr->h_source);
@@ -1265,11 +1289,12 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
         * seqno and similar ttl as the non-duplicate
         */
        sameseq = orig_node->last_real_seqno == ntohl(batadv_ogm_packet->seqno);
-        simlar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
+        similar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
-        if (is_bidirect && (!is_duplicate || (sameseq && simlar_ttl)))
+        if (is_bidirect && ((dup_status == BATADV_NO_DUP) ||
+                            (sameseq && similar_ttl)))
                batadv_iv_ogm_orig_update(bat_priv, orig_node, ethhdr,
                                          batadv_ogm_packet, if_incoming,
-                                          tt_buff, is_duplicate);
+                                          tt_buff, dup_status);
        /* is single hop (direct) neighbor */
        if (is_single_hop_neigh) {
@@ -1290,7 +1315,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
                goto out_neigh;
        }
-        if (is_duplicate) {
+        if (dup_status == BATADV_NEIGH_DUP) {
                batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                           "Drop packet: duplicate packet received\n");
                goto out_neigh;
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index e9d8e0b3c3d0..e14531f1ce1c 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1073,6 +1073,10 @@ void batadv_bla_update_orig_address(struct batadv_priv *bat_priv,
        group = htons(crc16(0, primary_if->net_dev->dev_addr, ETH_ALEN));
        bat_priv->bla.claim_dest.group = group;
+        /* purge everything when bridge loop avoidance is turned off */
+        if (!atomic_read(&bat_priv->bridge_loop_avoidance))
+                oldif = NULL;
        if (!oldif) {
                batadv_bla_purge_claims(bat_priv, NULL, 1);
                batadv_bla_purge_backbone_gw(bat_priv, 1);
diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
index 15a22efa9a67..929e304dacb2 100644
--- a/net/batman-adv/sysfs.c
+++ b/net/batman-adv/sysfs.c
@@ -582,10 +582,7 @@ static ssize_t batadv_store_mesh_iface(struct kobject *kobj,
            (strncmp(hard_iface->soft_iface->name, buff, IFNAMSIZ) == 0))
                goto out;
-        if (!rtnl_trylock()) {
+        rtnl_lock();
-                ret = -ERESTARTSYS;
-                goto out;
-        }
        if (status_tmp == BATADV_IF_NOT_IN_USE) {
                batadv_hardif_disable_interface(hard_iface,
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 33843c5c4939..ace5e55fe5a3 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -341,7 +341,6 @@ static void hci_init1_req(struct hci_request *req, unsigned long opt)
 static void bredr_setup(struct hci_request *req)
 {
-        struct hci_cp_delete_stored_link_key cp;
        __le16 param;
        __u8 flt_type;
@@ -365,10 +364,6 @@ static void bredr_setup(struct hci_request *req)
        param = __constant_cpu_to_le16(0x7d00);
        hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
-        bacpy(&cp.bdaddr, BDADDR_ANY);
-        cp.delete_all = 0x01;
-        hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
        /* Read page scan parameters */
        if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
                hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
@@ -602,6 +597,16 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
        struct hci_dev *hdev = req->hdev;
        u8 p;
+        /* Only send HCI_Delete_Stored_Link_Key if it is supported */
+        if (hdev->commands[6] & 0x80) {
+                struct hci_cp_delete_stored_link_key cp;
+                bacpy(&cp.bdaddr, BDADDR_ANY);
+                cp.delete_all = 0x01;
+                hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
+                            sizeof(cp), &cp);
+        }
        if (hdev->commands[5] & 0x10)
                hci_setup_link_policy(req);
@@ -1555,11 +1560,15 @@ static const struct rfkill_ops hci_rfkill_ops = {
 static void hci_power_on(struct work_struct *work)
 {
        struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
+        int err;
        BT_DBG("%s", hdev->name);
-        if (hci_dev_open(hdev->id) < 0)
+        err = hci_dev_open(hdev->id);
+        if (err < 0) {
+                mgmt_set_powered_failed(hdev, err);
                return;
+        }
        if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
                queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a76d1ac0321b..4be6a264b475 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2852,6 +2852,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
        BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
               conn, code, ident, dlen);
+        if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
+                return NULL;
        len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
        count = min_t(unsigned int, conn->mtu, len);
@@ -3677,10 +3680,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 }
 static inline int l2cap_command_rej(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
        struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+        if (cmd_len < sizeof(*rej))
+                return -EPROTO;
        if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
                return 0;
@@ -3829,11 +3836,14 @@ sendresp:
 }
 static int l2cap_connect_req(struct l2cap_conn *conn,
-                             struct l2cap_cmd_hdr *cmd, u8 *data)
+                             struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
        struct hci_dev *hdev = conn->hcon->hdev;
        struct hci_conn *hcon = conn->hcon;
+        if (cmd_len < sizeof(struct l2cap_conn_req))
+                return -EPROTO;
        hci_dev_lock(hdev);
        if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
            !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
@@ -3847,7 +3857,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
 }
 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
        u16 scid, dcid, result, status;
@@ -3855,6 +3866,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
        u8 req[128];
        int err;
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
        scid   = __le16_to_cpu(rsp->scid);
        dcid   = __le16_to_cpu(rsp->dcid);
        result = __le16_to_cpu(rsp->result);
@@ -3952,6 +3966,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
        struct l2cap_chan *chan;
        int len, err = 0;
+        if (cmd_len < sizeof(*req))
+                return -EPROTO;
        dcid  = __le16_to_cpu(req->dcid);
        flags = __le16_to_cpu(req->flags);
@@ -3975,7 +3992,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
        /* Reject if config buffer is too small. */
        len = cmd_len - sizeof(*req);
-        if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
+        if (chan->conf_len + len > sizeof(chan->conf_req)) {
                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
                               l2cap_build_conf_rsp(chan, rsp,
                               L2CAP_CONF_REJECT, flags), rsp);
@@ -4053,14 +4070,18 @@ unlock:
 }
 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
-                                   struct l2cap_cmd_hdr *cmd, u8 *data)
+                                   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                   u8 *data)
 {
        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
        u16 scid, flags, result;
        struct l2cap_chan *chan;
-        int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
+        int len = cmd_len - sizeof(*rsp);
        int err = 0;
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
        scid   = __le16_to_cpu(rsp->scid);
        flags  = __le16_to_cpu(rsp->flags);
        result = __le16_to_cpu(rsp->result);
@@ -4161,7 +4182,8 @@ done:
 }
 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
        struct l2cap_disconn_rsp rsp;
@@ -4169,6 +4191,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
        struct l2cap_chan *chan;
        struct sock *sk;
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
        scid = __le16_to_cpu(req->scid);
        dcid = __le16_to_cpu(req->dcid);
@@ -4208,12 +4233,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
 }
 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
        u16 dcid, scid;
        struct l2cap_chan *chan;
+        if (cmd_len != sizeof(*rsp))
+                return -EPROTO;
        scid = __le16_to_cpu(rsp->scid);
        dcid = __le16_to_cpu(rsp->dcid);
@@ -4243,11 +4272,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
 }
 static inline int l2cap_information_req(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
        struct l2cap_info_req *req = (struct l2cap_info_req *) data;
        u16 type;
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
        type = __le16_to_cpu(req->type);
        BT_DBG("type 0x%4.4x", type);
@@ -4294,11 +4327,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
 }
 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
        u16 type, result;
+        if (cmd_len != sizeof(*rsp))
+                return -EPROTO;
        type   = __le16_to_cpu(rsp->type);
        result = __le16_to_cpu(rsp->result);
@@ -5164,16 +5201,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
        switch (cmd->code) {
        case L2CAP_COMMAND_REJ:
-                l2cap_command_rej(conn, cmd, data);
+                l2cap_command_rej(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONN_REQ:
-                err = l2cap_connect_req(conn, cmd, data);
+                err = l2cap_connect_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONN_RSP:
        case L2CAP_CREATE_CHAN_RSP:
-                err = l2cap_connect_create_rsp(conn, cmd, data);
+                err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CONF_REQ:
@@ -5181,15 +5218,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                break;
        case L2CAP_CONF_RSP:
-                err = l2cap_config_rsp(conn, cmd, data);
+                err = l2cap_config_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_DISCONN_REQ:
-                err = l2cap_disconnect_req(conn, cmd, data);
+                err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_DISCONN_RSP:
-                err = l2cap_disconnect_rsp(conn, cmd, data);
+                err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_ECHO_REQ:
@@ -5200,11 +5237,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                break;
        case L2CAP_INFO_REQ:
-                err = l2cap_information_req(conn, cmd, data);
+                err = l2cap_information_req(conn, cmd, cmd_len, data);
                break;
        case L2CAP_INFO_RSP:
-                err = l2cap_information_rsp(conn, cmd, data);
+                err = l2cap_information_rsp(conn, cmd, cmd_len, data);
                break;
        case L2CAP_CREATE_CHAN_REQ:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 35fef22703e9..f8ecbc70293d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2700,7 +2700,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
                break;
        case DISCOV_TYPE_LE:
-                if (!lmp_host_le_capable(hdev)) {
+                if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
                        err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
                                         MGMT_STATUS_NOT_SUPPORTED);
                        mgmt_pending_remove(cmd);
@@ -3418,6 +3418,27 @@ new_settings:
        return err;
 }
+int mgmt_set_powered_failed(struct hci_dev *hdev, int err)
+{
+        struct pending_cmd *cmd;
+        u8 status;
+        cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
+        if (!cmd)
+                return -ENOENT;
+        if (err == -ERFKILL)
+                status = MGMT_STATUS_RFKILLED;
+        else
+                status = MGMT_STATUS_FAILED;
+        err = cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
+        mgmt_pending_remove(cmd);
+        return err;
+}
 int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
 {
        struct cmd_lookup match = { NULL, hdev };
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index b2296d3857a0..b5562abdd6e0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -770,7 +770,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
        BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
-        if (!lmp_host_le_capable(hcon->hdev))
+        if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
                return 1;
        if (sec_level == BT_SECURITY_LOW)
@@ -851,7 +851,7 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
        __u8 reason;
        int err = 0;
-        if (!lmp_host_le_capable(conn->hcon->hdev)) {
+        if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
                err = -ENOTSUPP;
                reason = SMP_PAIRING_NOTSUPP;
                goto done;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 37a467697967..31952a103949 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -467,8 +467,9 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
        skb_set_transport_header(skb, skb->len);
        mldq = (struct mld_msg *) icmp6_hdr(skb);
-        interval = ipv6_addr_any(group) ? br->multicast_last_member_interval :
+        interval = ipv6_addr_any(group) ?
-                                          br->multicast_query_response_interval;
+                        br->multicast_query_response_interval :
+                        br->multicast_last_member_interval;
        mldq->mld_type = ICMPV6_MGM_QUERY;
        mldq->mld_code = 0;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index d5953b87918c..3a246a6cab47 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1675,13 +1675,13 @@ static void kick_requests(struct ceph_osd_client *osdc, int force_resend)
                __register_request(osdc, req);
                __unregister_linger_request(osdc, req);
        }
+        reset_changed_osds(osdc);
        mutex_unlock(&osdc->request_mutex);
        if (needmap) {
                dout("%d requests for down osds, need new map\n", needmap);
                ceph_monc_request_next_osdmap(&osdc->client->monc);
        }
-        reset_changed_osds(osdc);
 }
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index cd23d314d68a..9255bbdf81ff 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -60,10 +60,10 @@ static const char netdev_features_strings[NETDEV_FEATURE_COUNT][ETH_GSTRING_LEN]
        [NETIF_F_IPV6_CSUM_BIT] =        "tx-checksum-ipv6",
        [NETIF_F_HIGHDMA_BIT] =          "highdma",
        [NETIF_F_FRAGLIST_BIT] =         "tx-scatter-gather-fraglist",
-        [NETIF_F_HW_VLAN_CTAG_TX_BIT] =  "tx-vlan-ctag-hw-insert",
+        [NETIF_F_HW_VLAN_CTAG_TX_BIT] =  "tx-vlan-hw-insert",
-        [NETIF_F_HW_VLAN_CTAG_RX_BIT] =  "rx-vlan-ctag-hw-parse",
+        [NETIF_F_HW_VLAN_CTAG_RX_BIT] =  "rx-vlan-hw-parse",
-        [NETIF_F_HW_VLAN_CTAG_FILTER_BIT] = "rx-vlan-ctag-filter",
+        [NETIF_F_HW_VLAN_CTAG_FILTER_BIT] = "rx-vlan-filter",
        [NETIF_F_HW_VLAN_STAG_TX_BIT] =  "tx-vlan-stag-hw-insert",
        [NETIF_F_HW_VLAN_STAG_RX_BIT] =  "rx-vlan-stag-hw-parse",
        [NETIF_F_HW_VLAN_STAG_FILTER_BIT] = "rx-vlan-stag-filter",
diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a178f9f8..6438f29ff266 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -778,7 +778,7 @@ int sk_detach_filter(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(sk_detach_filter);
-static void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
+void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
 {
        static const u16 decodes[] = {
                [BPF_S_ALU_ADD_K]       = BPF_ALU|BPF_ADD|BPF_K,
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index d5bef0b0f639..a0e9cf6379de 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -73,8 +73,13 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
                goto out;
        }
-        if (filter)
+        if (filter) {
-                memcpy(nla_data(attr), filter->insns, len);
+                struct sock_filter *fb = (struct sock_filter *)nla_data(attr);
+                int i;
+                for (i = 0; i < filter->len; i++, fb++)
+                        sk_decode_filter(&filter->insns[i], fb);
+        }
 out:
        rcu_read_unlock();
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 7c79cf8ad449..e189db409b0e 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -853,7 +853,7 @@ void ip_tunnel_dellink(struct net_device *dev, struct list_head *head)
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_dellink);
-int __net_init ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
+int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
                                  struct rtnl_link_ops *ops, char *devname)
 {
        struct ip_tunnel_net *itn = net_generic(net, ip_tnl_net_id);
@@ -899,7 +899,7 @@ static void ip_tunnel_destroy(struct ip_tunnel_net *itn, struct list_head *head)
                unregister_netdevice_queue(itn->fb_tunnel_dev, head);
 }
-void __net_exit ip_tunnel_delete_net(struct ip_tunnel_net *itn)
+void ip_tunnel_delete_net(struct ip_tunnel_net *itn)
 {
        LIST_HEAD(list);
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 9d2bdb2c1d3f..c118f6b576bb 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -361,8 +361,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                        tunnel->err_count = 0;
        }
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-                              IPSKB_REROUTED);
        skb_dst_drop(skb);
        skb_dst_set(skb, &rt->dst);
        nf_reset(skb);
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 781dd3c99680..b3b5730b48c5 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1494,7 +1494,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
         */
        if (ha)
-                ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR, ha);
+                ndisc_fill_addr_option(buff, ND_OPT_TARGET_LL_ADDR, ha);
        /*
         *      build redirect option and copy skb over to the new packet.
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 637a341c1e2d..8dec6876dc50 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
        skb_put(skb, 2);
        /* Copy user data into skb */
-        error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+        error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+                                 total_len);
        if (error < 0) {
                kfree_skb(skb);
                goto error_put_sess_tun;
        }
-        skb_put(skb, total_len);
        l2tp_xmit_skb(session, skb, session->hdr_len);
        sock_put(ps->tunnel_sock);
        sock_put(sk);
-        return error;
+        return total_len;
 error_put_sess_tun:
        sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 30622101d3b5..a1c6e1ceede8 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1071,6 +1071,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
        clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state);
        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED);
+        if (sdata->wdev.cac_started) {
+                cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
+                cfg80211_cac_event(sdata->dev, NL80211_RADAR_CAC_ABORTED,
+                                   GFP_KERNEL);
+        }
        drv_stop_ap(sdata->local, sdata);
        /* free all potentially still buffered bcast frames */
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 9eed6f1d1614..923e1772e8f3 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1512,10 +1512,11 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
        ieee80211_tx_skb_tid(sdata, skb, 7);
 }
-u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, bool action,
+u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                               struct ieee802_11_elems *elems,
                               u64 filter, u32 crc);
-static inline void ieee802_11_parse_elems(u8 *start, size_t len, bool action,
+static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
+                                          bool action,
                                          struct ieee802_11_elems *elems)
 {
        ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index f44f4caa69ee..118540b16729 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2486,8 +2486,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
        u16 capab_info, aid;
        struct ieee802_11_elems elems;
        struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
+        const struct cfg80211_bss_ies *bss_ies = NULL;
+        struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
        u32 changed = 0;
        int err;
+        bool ret;
        /* AssocResp and ReassocResp have identical structure */
@@ -2519,21 +2522,86 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
        ifmgd->aid = aid;
        /*
+         * Some APs are erroneously not including some information in their
+         * (re)association response frames. Try to recover by using the data
+         * from the beacon or probe response. This seems to afflict mobile
+         * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
+         * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
+         */
+        if ((assoc_data->wmm && !elems.wmm_param) ||
+            (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
+             (!elems.ht_cap_elem || !elems.ht_operation)) ||
+            (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
+             (!elems.vht_cap_elem || !elems.vht_operation))) {
+                const struct cfg80211_bss_ies *ies;
+                struct ieee802_11_elems bss_elems;
+                rcu_read_lock();
+                ies = rcu_dereference(cbss->ies);
+                if (ies)
+                        bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
+                                          GFP_ATOMIC);
+                rcu_read_unlock();
+                if (!bss_ies)
+                        return false;
+                ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
+                                       false, &bss_elems);
+                if (assoc_data->wmm &&
+                    !elems.wmm_param && bss_elems.wmm_param) {
+                        elems.wmm_param = bss_elems.wmm_param;
+                        sdata_info(sdata,
+                                   "AP bug: WMM param missing from AssocResp\n");
+                }
+                /*
+                 * Also check if we requested HT/VHT, otherwise the AP doesn't
+                 * have to include the IEs in the (re)association response.
+                 */
+                if (!elems.ht_cap_elem && bss_elems.ht_cap_elem &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
+                        elems.ht_cap_elem = bss_elems.ht_cap_elem;
+                        sdata_info(sdata,
+                                   "AP bug: HT capability missing from AssocResp\n");
+                }
+                if (!elems.ht_operation && bss_elems.ht_operation &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
+                        elems.ht_operation = bss_elems.ht_operation;
+                        sdata_info(sdata,
+                                   "AP bug: HT operation missing from AssocResp\n");
+                }
+                if (!elems.vht_cap_elem && bss_elems.vht_cap_elem &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
+                        elems.vht_cap_elem = bss_elems.vht_cap_elem;
+                        sdata_info(sdata,
+                                   "AP bug: VHT capa missing from AssocResp\n");
+                }
+                if (!elems.vht_operation && bss_elems.vht_operation &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
+                        elems.vht_operation = bss_elems.vht_operation;
+                        sdata_info(sdata,
+                                   "AP bug: VHT operation missing from AssocResp\n");
+                }
+        }
+        /*
         * We previously checked these in the beacon/probe response, so
         * they should be present here. This is just a safety net.
         */
        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
            (!elems.wmm_param || !elems.ht_cap_elem || !elems.ht_operation)) {
                sdata_info(sdata,
-                           "HT AP is missing WMM params or HT capability/operation in AssocResp\n");
+                           "HT AP is missing WMM params or HT capability/operation\n");
-                return false;
+                ret = false;
+                goto out;
        }
        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
            (!elems.vht_cap_elem || !elems.vht_operation)) {
                sdata_info(sdata,
-                           "VHT AP is missing VHT capability/operation in AssocResp\n");
+                           "VHT AP is missing VHT capability/operation\n");
-                return false;
+                ret = false;
+                goto out;
        }
        mutex_lock(&sdata->local->sta_mtx);
@@ -2544,7 +2612,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
        sta = sta_info_get(sdata, cbss->bssid);
        if (WARN_ON(!sta)) {
                mutex_unlock(&sdata->local->sta_mtx);
-                return false;
+                ret = false;
+                goto out;
        }
        sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)];
@@ -2597,7 +2666,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
                           sta->sta.addr);
                WARN_ON(__sta_info_destroy(sta));
                mutex_unlock(&sdata->local->sta_mtx);
-                return false;
+                ret = false;
+                goto out;
        }
        mutex_unlock(&sdata->local->sta_mtx);
@@ -2637,7 +2707,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
        ieee80211_sta_rx_notify(sdata, (struct ieee80211_hdr *)mgmt);
        ieee80211_sta_reset_beacon_monitor(sdata);
-        return true;
+        ret = true;
+ out:
+        kfree(bss_ies);
+        return ret;
 }
 static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index d3f414fe67e0..a02bef35b134 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -615,7 +615,7 @@ static void rate_control_apply_mask(struct ieee80211_sub_if_data *sdata,
                if (rates[i].idx < 0)
                        break;
-                rate_idx_match_mask(&rates[i], sband, mask, chan_width,
+                rate_idx_match_mask(&rates[i], sband, chan_width, mask,
                                    mcs_mask);
        }
 }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 89a83770d152..c75d3db2a31c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -667,12 +667,12 @@ void ieee80211_queue_delayed_work(struct ieee80211_hw *hw,
 }
 EXPORT_SYMBOL(ieee80211_queue_delayed_work);
-u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, bool action,
+u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                               struct ieee802_11_elems *elems,
                               u64 filter, u32 crc)
 {
        size_t left = len;
-        u8 *pos = start;
+        const u8 *pos = start;
        bool calc_crc = filter != 0;
        DECLARE_BITMAP(seen_elems, 256);
        const u8 *ie;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index edb88fbcb1bd..47e510819f54 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
                struct ip_vs_dest *dest;
                struct ip_vs_dest_entry entry;
+                memset(&entry, 0, sizeof(entry));
                list_for_each_entry(dest, &svc->destinations, n_list) {
                        if (count >= get->num_dests)
                                break;
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index dc3fd5d44464..c7b6d466a662 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -149,9 +149,12 @@ nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
        rcu_read_lock();
        list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
-                if (last && cur != last)
+                if (last) {
-                        continue;
+                        if (cur != last)
+                                continue;
+                        last = NULL;
+                }
                if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                       cb->nlh->nlmsg_seq,
                                       NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 701c88a20fea..65074dfb9383 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -220,9 +220,12 @@ ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
        rcu_read_lock();
        list_for_each_entry_rcu(cur, &cttimeout_list, head) {
-                if (last && cur != last)
+                if (last) {
-                        continue;
+                        if (cur != last)
+                                continue;
+                        last = NULL;
+                }
                if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                           cb->nlh->nlmsg_seq,
                                           NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index c011543bff5d..299a48ae5dc9 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -641,9 +641,6 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
        if (queue->copy_mode == NFQNL_COPY_NONE)
                return -EINVAL;
-        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))
-                return __nfqnl_enqueue_packet(net, queue, entry);
        skb = entry->skb;
        switch (entry->pf) {
@@ -655,6 +652,9 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
                break;
        }
+        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(skb))
+                return __nfqnl_enqueue_packet(net, queue, entry);
        nf_bridge_adjust_skb_data(skb);
        segs = skb_gso_segment(skb, 0);
        /* Does not use PTR_ERR to limit the number of error codes that can be
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f0d42b..7011c71646f0 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -45,17 +45,22 @@ optlen(const u_int8_t *opt, unsigned int offset)
 static int
 tcpmss_mangle_packet(struct sk_buff *skb,
-                     const struct xt_tcpmss_info *info,
+                     const struct xt_action_param *par,
                     unsigned int in_mtu,
                     unsigned int tcphoff,
                     unsigned int minlen)
 {
+        const struct xt_tcpmss_info *info = par->targinfo;
        struct tcphdr *tcph;
        unsigned int tcplen, i;
        __be16 oldval;
        u16 newmss;
        u8 *opt;
+        /* This is a fragment, no TCP header is available */
+        if (par->fragoff != 0)
+                return XT_CONTINUE;
        if (!skb_make_writable(skb, skb->len))
                return -1;
@@ -125,6 +130,18 @@ tcpmss_mangle_packet(struct sk_buff *skb,
        skb_put(skb, TCPOLEN_MSS);
+        /*
+         * IPv4: RFC 1122 states "If an MSS option is not received at
+         * connection setup, TCP MUST assume a default send MSS of 536".
+         * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum
+         * length IPv6 header of 60, ergo the default MSS value is 1220
+         * Since no MSS was provided, we must use the default values
+         */
+        if (par->family == NFPROTO_IPV4)
+                newmss = min(newmss, (u16)536);
+        else
+                newmss = min(newmss, (u16)1220);
        opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
        memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
@@ -182,7 +199,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
        __be16 newlen;
        int ret;
-        ret = tcpmss_mangle_packet(skb, par->targinfo,
+        ret = tcpmss_mangle_packet(skb, par,
                                   tcpmss_reverse_mtu(skb, PF_INET),
                                   iph->ihl * 4,
                                   sizeof(*iph) + sizeof(struct tcphdr));
@@ -211,7 +228,7 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
        tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
        if (tcphoff < 0)
                return NF_DROP;
-        ret = tcpmss_mangle_packet(skb, par->targinfo,
+        ret = tcpmss_mangle_packet(skb, par,
                                   tcpmss_reverse_mtu(skb, PF_INET6),
                                   tcphoff,
                                   sizeof(*ipv6h) + sizeof(struct tcphdr));
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 1eb1a44bfd3d..b68fa191710f 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
                return NF_DROP;
        len = skb->len - tcphoff;
-        if (len < (int)sizeof(struct tcphdr) ||
+        if (len < (int)sizeof(struct tcphdr))
-            tcp_hdr(skb)->doff * 4 > len)
                return NF_DROP;
        tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+        if (tcph->doff * 4 > len)
+                return NF_DROP;
        opt  = (u_int8_t *)tcph;
        /*
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 8978755251f7..275d901d7e46 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -371,7 +371,7 @@ static int netlink_mmap(struct file *file, struct socket *sock,
        err = 0;
 out:
        mutex_unlock(&nlk->pg_vec_lock);
-        return 0;
+        return err;
 }
 static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 79fe63246b27..4b66c752eae5 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2851,12 +2851,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
                return -EOPNOTSUPP;
        uaddr->sa_family = AF_PACKET;
+        memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
        rcu_read_lock();
        dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
        if (dev)
-                strncpy(uaddr->sa_data, dev->name, 14);
+                strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
-        else
-                memset(uaddr->sa_data, 0, 14);
        rcu_read_unlock();
        *uaddr_len = sizeof(*uaddr);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 2b935e7cfe7b..281c1bded1f6 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -291,17 +291,18 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
 {
        struct qdisc_rate_table *rtab;
+        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
+            nla_len(tab) != TC_RTAB_SIZE)
+                return NULL;
        for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) {
-                if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) {
+                if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) &&
+                    !memcmp(&rtab->data, nla_data(tab), 1024)) {
                        rtab->refcnt++;
                        return rtab;
                }
        }
-        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
-            nla_len(tab) != TC_RTAB_SIZE)
-                return NULL;
        rtab = kmalloc(sizeof(*rtab), GFP_KERNEL);
        if (rtab) {
                rtab->rate = *r;
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 32a4625fef77..be35e2dbcc9a 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
 */
 void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
 {
+        memset(q, 0, sizeof(struct sctp_outq));
        q->asoc = asoc;
        INIT_LIST_HEAD(&q->out_chunk_list);
        INIT_LIST_HEAD(&q->control_chunk_list);
@@ -213,11 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
        INIT_LIST_HEAD(&q->sacked);
        INIT_LIST_HEAD(&q->abandoned);
-        q->fast_rtx = 0;
-        q->outstanding_bytes = 0;
        q->empty = 1;
-        q->cork  = 0;
-        q->out_qlen = 0;
 }
 /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 75fe92ac2e9c..32db19ba4a21 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3996,6 +3996,12 @@ static void sctp_destroy_sock(struct sock *sk)
        /* Release our hold on the endpoint. */
        sp = sctp_sk(sk);
+        /* This could happen during socket init, thus we bail out
+         * early, since the rest of the below is not setup either.
+         */
+        if (sp->ep == NULL)
+                return;
        if (sp->do_auto_asconf) {
                sp->do_auto_asconf = 0;
                list_del(&sp->auto_asconf_list);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 31d265f36d2c..ea74b9dd9d82 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1527,12 +1527,18 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
        struct cfg80211_registered_device *dev;
        s64 filter_wiphy = -1;
        bool split = false;
-        struct nlattr **tb = nl80211_fam.attrbuf;
+        struct nlattr **tb;
        int res;
+        /* will be zeroed in nlmsg_parse() */
+        tb = kmalloc(sizeof(*tb) * (NL80211_ATTR_MAX + 1), GFP_KERNEL);
+        if (!tb)
+                return -ENOMEM;
        rtnl_lock();
        res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
-                          tb, nl80211_fam.maxattr, nl80211_policy);
+                          tb, NL80211_ATTR_MAX, nl80211_policy);
        if (res == 0) {
                split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
                if (tb[NL80211_ATTR_WIPHY])
@@ -1544,8 +1550,11 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                        int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
                        netdev = dev_get_by_index(sock_net(skb->sk), ifidx);
-                        if (!netdev)
+                        if (!netdev) {
+                                rtnl_unlock();
+                                kfree(tb);
                                return -ENODEV;
+                        }
                        if (netdev->ieee80211_ptr) {
                                dev = wiphy_to_dev(
                                        netdev->ieee80211_ptr->wiphy);
@@ -1554,6 +1563,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                        dev_put(netdev);
                }
        }
+        kfree(tb);
        list_for_each_entry(dev, &cfg80211_rdev_list, list) {
                if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
@@ -1589,6 +1599,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                                    !skb->len &&
                                    cb->min_dump_alloc < 4096) {
                                        cb->min_dump_alloc = 4096;
+                                        rtnl_unlock();
                                        return 1;
                                }
                                idx--;
author	David S. Miller <davem@davemloft.net>	2013-06-19 19:49:39 -0400
committer	David S. Miller <davem@davemloft.net>	2013-06-19 19:49:39 -0400
commit	d98cae64e4a733ff377184d78aa0b1f2b54faede (patch)
tree	e973e3c93fe7e17741567ac3947f5197bc9d582d /net
parent	646093a29f85630d8efe2aa38fa585d2c3ea2e46 (diff)
parent	4067c666f2dccf56f5db5c182713e68c40d46013 (diff)