aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/bridge/br_if.c10
-rw-r--r--net/can/af_can.c10
-rw-r--r--net/can/bcm.c23
-rw-r--r--net/can/raw.c3
-rw-r--r--net/ipv4/fib_trie.c17
-rw-r--r--net/ipv4/netfilter/nf_nat_snmp_basic.c2
-rw-r--r--net/ipv4/tcp.c4
-rw-r--r--net/ipv4/tcp_probe.c2
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/ipv6/exthdrs.c2
-rw-r--r--net/irda/irnetlink.c4
-rw-r--r--net/mac80211/main.c4
-rw-r--r--net/mac80211/mlme.c13
-rw-r--r--net/mac80211/rc80211_pid.h5
-rw-r--r--net/mac80211/rc80211_pid_algo.c31
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c10
-rw-r--r--net/netlabel/netlabel_cipso_v4.c7
-rw-r--r--net/netlabel/netlabel_mgmt.c12
-rw-r--r--net/netlabel/netlabel_unlabeled.c6
-rw-r--r--net/sctp/sm_statefuns.c9
-rw-r--r--net/sctp/ulpevent.c5
-rw-r--r--net/sunrpc/rpcb_clnt.c23
-rw-r--r--net/xfrm/xfrm_user.c3
23 files changed, 111 insertions, 98 deletions
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index c2397f503b0f..f38cc5317b88 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -442,12 +442,16 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
442 442
443void __exit br_cleanup_bridges(void) 443void __exit br_cleanup_bridges(void)
444{ 444{
445 struct net_device *dev, *nxt; 445 struct net_device *dev;
446 446
447 rtnl_lock(); 447 rtnl_lock();
448 for_each_netdev_safe(&init_net, dev, nxt) 448restart:
449 if (dev->priv_flags & IFF_EBRIDGE) 449 for_each_netdev(&init_net, dev) {
450 if (dev->priv_flags & IFF_EBRIDGE) {
450 del_br(dev->priv); 451 del_br(dev->priv);
452 goto restart;
453 }
454 }
451 rtnl_unlock(); 455 rtnl_unlock();
452 456
453} 457}
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 7e8ca2836452..484bbf6dd032 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -205,12 +205,19 @@ static int can_create(struct net *net, struct socket *sock, int protocol)
205 * -ENOBUFS on full driver queue (see net_xmit_errno()) 205 * -ENOBUFS on full driver queue (see net_xmit_errno())
206 * -ENOMEM when local loopback failed at calling skb_clone() 206 * -ENOMEM when local loopback failed at calling skb_clone()
207 * -EPERM when trying to send on a non-CAN interface 207 * -EPERM when trying to send on a non-CAN interface
208 * -EINVAL when the skb->data does not contain a valid CAN frame
208 */ 209 */
209int can_send(struct sk_buff *skb, int loop) 210int can_send(struct sk_buff *skb, int loop)
210{ 211{
211 struct sk_buff *newskb = NULL; 212 struct sk_buff *newskb = NULL;
213 struct can_frame *cf = (struct can_frame *)skb->data;
212 int err; 214 int err;
213 215
216 if (skb->len != sizeof(struct can_frame) || cf->can_dlc > 8) {
217 kfree_skb(skb);
218 return -EINVAL;
219 }
220
214 if (skb->dev->type != ARPHRD_CAN) { 221 if (skb->dev->type != ARPHRD_CAN) {
215 kfree_skb(skb); 222 kfree_skb(skb);
216 return -EPERM; 223 return -EPERM;
@@ -605,6 +612,7 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
605 struct packet_type *pt, struct net_device *orig_dev) 612 struct packet_type *pt, struct net_device *orig_dev)
606{ 613{
607 struct dev_rcv_lists *d; 614 struct dev_rcv_lists *d;
615 struct can_frame *cf = (struct can_frame *)skb->data;
608 int matches; 616 int matches;
609 617
610 if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { 618 if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) {
@@ -612,6 +620,8 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
612 return 0; 620 return 0;
613 } 621 }
614 622
623 BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8);
624
615 /* update statistics */ 625 /* update statistics */
616 can_stats.rx_frames++; 626 can_stats.rx_frames++;
617 can_stats.rx_frames_delta++; 627 can_stats.rx_frames_delta++;
diff --git a/net/can/bcm.c b/net/can/bcm.c
index d9a3a9d13bed..72c2ce904f83 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -298,7 +298,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head,
298 298
299 if (head->nframes) { 299 if (head->nframes) {
300 /* can_frames starting here */ 300 /* can_frames starting here */
301 firstframe = (struct can_frame *) skb_tail_pointer(skb); 301 firstframe = (struct can_frame *)skb_tail_pointer(skb);
302 302
303 memcpy(skb_put(skb, datalen), frames, datalen); 303 memcpy(skb_put(skb, datalen), frames, datalen);
304 304
@@ -826,6 +826,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
826 for (i = 0; i < msg_head->nframes; i++) { 826 for (i = 0; i < msg_head->nframes; i++) {
827 err = memcpy_fromiovec((u8 *)&op->frames[i], 827 err = memcpy_fromiovec((u8 *)&op->frames[i],
828 msg->msg_iov, CFSIZ); 828 msg->msg_iov, CFSIZ);
829
830 if (op->frames[i].can_dlc > 8)
831 err = -EINVAL;
832
829 if (err < 0) 833 if (err < 0)
830 return err; 834 return err;
831 835
@@ -858,6 +862,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
858 for (i = 0; i < msg_head->nframes; i++) { 862 for (i = 0; i < msg_head->nframes; i++) {
859 err = memcpy_fromiovec((u8 *)&op->frames[i], 863 err = memcpy_fromiovec((u8 *)&op->frames[i],
860 msg->msg_iov, CFSIZ); 864 msg->msg_iov, CFSIZ);
865
866 if (op->frames[i].can_dlc > 8)
867 err = -EINVAL;
868
861 if (err < 0) { 869 if (err < 0) {
862 if (op->frames != &op->sframe) 870 if (op->frames != &op->sframe)
863 kfree(op->frames); 871 kfree(op->frames);
@@ -1164,9 +1172,12 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk)
1164 1172
1165 skb->dev = dev; 1173 skb->dev = dev;
1166 skb->sk = sk; 1174 skb->sk = sk;
1167 can_send(skb, 1); /* send with loopback */ 1175 err = can_send(skb, 1); /* send with loopback */
1168 dev_put(dev); 1176 dev_put(dev);
1169 1177
1178 if (err)
1179 return err;
1180
1170 return CFSIZ + MHSIZ; 1181 return CFSIZ + MHSIZ;
1171} 1182}
1172 1183
@@ -1185,6 +1196,10 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock,
1185 if (!bo->bound) 1196 if (!bo->bound)
1186 return -ENOTCONN; 1197 return -ENOTCONN;
1187 1198
1199 /* check for valid message length from userspace */
1200 if (size < MHSIZ || (size - MHSIZ) % CFSIZ)
1201 return -EINVAL;
1202
1188 /* check for alternative ifindex for this bcm_op */ 1203 /* check for alternative ifindex for this bcm_op */
1189 1204
1190 if (!ifindex && msg->msg_name) { 1205 if (!ifindex && msg->msg_name) {
@@ -1259,8 +1274,8 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock,
1259 break; 1274 break;
1260 1275
1261 case TX_SEND: 1276 case TX_SEND:
1262 /* we need at least one can_frame */ 1277 /* we need exactly one can_frame behind the msg head */
1263 if (msg_head.nframes < 1) 1278 if ((msg_head.nframes != 1) || (size != CFSIZ + MHSIZ))
1264 ret = -EINVAL; 1279 ret = -EINVAL;
1265 else 1280 else
1266 ret = bcm_tx_send(msg, ifindex, sk); 1281 ret = bcm_tx_send(msg, ifindex, sk);
diff --git a/net/can/raw.c b/net/can/raw.c
index 69877b8e7e9c..3e46ee36a1aa 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -632,6 +632,9 @@ static int raw_sendmsg(struct kiocb *iocb, struct socket *sock,
632 } else 632 } else
633 ifindex = ro->ifindex; 633 ifindex = ro->ifindex;
634 634
635 if (size != sizeof(struct can_frame))
636 return -EINVAL;
637
635 dev = dev_get_by_index(&init_net, ifindex); 638 dev = dev_get_by_index(&init_net, ifindex);
636 if (!dev) 639 if (!dev)
637 return -ENXIO; 640 return -ENXIO;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 4b02d14e7ab9..e1600ad8fb0e 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1359,17 +1359,17 @@ static int check_leaf(struct trie *t, struct leaf *l,
1359 t->stats.semantic_match_miss++; 1359 t->stats.semantic_match_miss++;
1360#endif 1360#endif
1361 if (err <= 0) 1361 if (err <= 0)
1362 return plen; 1362 return err;
1363 } 1363 }
1364 1364
1365 return -1; 1365 return 1;
1366} 1366}
1367 1367
1368static int fn_trie_lookup(struct fib_table *tb, const struct flowi *flp, 1368static int fn_trie_lookup(struct fib_table *tb, const struct flowi *flp,
1369 struct fib_result *res) 1369 struct fib_result *res)
1370{ 1370{
1371 struct trie *t = (struct trie *) tb->tb_data; 1371 struct trie *t = (struct trie *) tb->tb_data;
1372 int plen, ret = 0; 1372 int ret;
1373 struct node *n; 1373 struct node *n;
1374 struct tnode *pn; 1374 struct tnode *pn;
1375 int pos, bits; 1375 int pos, bits;
@@ -1393,10 +1393,7 @@ static int fn_trie_lookup(struct fib_table *tb, const struct flowi *flp,
1393 1393
1394 /* Just a leaf? */ 1394 /* Just a leaf? */
1395 if (IS_LEAF(n)) { 1395 if (IS_LEAF(n)) {
1396 plen = check_leaf(t, (struct leaf *)n, key, flp, res); 1396 ret = check_leaf(t, (struct leaf *)n, key, flp, res);
1397 if (plen < 0)
1398 goto failed;
1399 ret = 0;
1400 goto found; 1397 goto found;
1401 } 1398 }
1402 1399
@@ -1421,11 +1418,9 @@ static int fn_trie_lookup(struct fib_table *tb, const struct flowi *flp,
1421 } 1418 }
1422 1419
1423 if (IS_LEAF(n)) { 1420 if (IS_LEAF(n)) {
1424 plen = check_leaf(t, (struct leaf *)n, key, flp, res); 1421 ret = check_leaf(t, (struct leaf *)n, key, flp, res);
1425 if (plen < 0) 1422 if (ret > 0)
1426 goto backtrace; 1423 goto backtrace;
1427
1428 ret = 0;
1429 goto found; 1424 goto found;
1430 } 1425 }
1431 1426
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 7750c97fde7b..ffeaffc3fffe 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -439,8 +439,8 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
439 unsigned int *len) 439 unsigned int *len)
440{ 440{
441 unsigned long subid; 441 unsigned long subid;
442 unsigned int size;
443 unsigned long *optr; 442 unsigned long *optr;
443 size_t size;
444 444
445 size = eoc - ctx->pointer + 1; 445 size = eoc - ctx->pointer + 1;
446 446
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 850825dc86e6..1d723de18686 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -255,6 +255,7 @@
255#include <linux/init.h> 255#include <linux/init.h>
256#include <linux/fs.h> 256#include <linux/fs.h>
257#include <linux/skbuff.h> 257#include <linux/skbuff.h>
258#include <linux/scatterlist.h>
258#include <linux/splice.h> 259#include <linux/splice.h>
259#include <linux/net.h> 260#include <linux/net.h>
260#include <linux/socket.h> 261#include <linux/socket.h>
@@ -1208,7 +1209,8 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
1208 return -ENOTCONN; 1209 return -ENOTCONN;
1209 while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) { 1210 while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
1210 if (offset < skb->len) { 1211 if (offset < skb->len) {
1211 size_t used, len; 1212 int used;
1213 size_t len;
1212 1214
1213 len = skb->len - offset; 1215 len = skb->len - offset;
1214 /* Stop reading if we hit a patch of urgent data */ 1216 /* Stop reading if we hit a patch of urgent data */
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 5ff0ce6e9d39..7ddc30f0744f 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -224,7 +224,7 @@ static __init int tcpprobe_init(void)
224 if (bufsize < 0) 224 if (bufsize < 0)
225 return -EINVAL; 225 return -EINVAL;
226 226
227 tcp_probe.log = kcalloc(sizeof(struct tcp_log), bufsize, GFP_KERNEL); 227 tcp_probe.log = kcalloc(bufsize, sizeof(struct tcp_log), GFP_KERNEL);
228 if (!tcp_probe.log) 228 if (!tcp_probe.log)
229 goto err0; 229 goto err0;
230 230
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 147588f4c7c0..ff61a5cdb0b3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -749,12 +749,12 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
749 } 749 }
750 write_unlock_bh(&idev->lock); 750 write_unlock_bh(&idev->lock);
751 751
752 addrconf_del_timer(ifp);
753
752 ipv6_ifa_notify(RTM_DELADDR, ifp); 754 ipv6_ifa_notify(RTM_DELADDR, ifp);
753 755
754 atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp); 756 atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp);
755 757
756 addrconf_del_timer(ifp);
757
758 /* 758 /*
759 * Purge or update corresponding prefix 759 * Purge or update corresponding prefix
760 * 760 *
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 3cd1c993d52b..dcf94fdfb863 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -445,7 +445,7 @@ looped_back:
445 kfree_skb(skb); 445 kfree_skb(skb);
446 return -1; 446 return -1;
447 } 447 }
448 if (!ipv6_chk_home_addr(&init_net, addr)) { 448 if (!ipv6_chk_home_addr(dev_net(skb->dst->dev), addr)) {
449 IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), 449 IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
450 IPSTATS_MIB_INADDRERRORS); 450 IPSTATS_MIB_INADDRERRORS);
451 kfree_skb(skb); 451 kfree_skb(skb);
diff --git a/net/irda/irnetlink.c b/net/irda/irnetlink.c
index 9e1fb82e3220..2f05ec1037ab 100644
--- a/net/irda/irnetlink.c
+++ b/net/irda/irnetlink.c
@@ -101,8 +101,8 @@ static int irda_nl_get_mode(struct sk_buff *skb, struct genl_info *info)
101 101
102 hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq, 102 hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq,
103 &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE); 103 &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE);
104 if (IS_ERR(hdr)) { 104 if (hdr == NULL) {
105 ret = PTR_ERR(hdr); 105 ret = -EMSGSIZE;
106 goto err_out; 106 goto err_out;
107 } 107 }
108 108
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 98c0b5e56ecc..df0836ff1a20 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -530,8 +530,6 @@ static int ieee80211_stop(struct net_device *dev)
530 local->sta_hw_scanning = 0; 530 local->sta_hw_scanning = 0;
531 } 531 }
532 532
533 flush_workqueue(local->hw.workqueue);
534
535 sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED; 533 sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED;
536 kfree(sdata->u.sta.extra_ie); 534 kfree(sdata->u.sta.extra_ie);
537 sdata->u.sta.extra_ie = NULL; 535 sdata->u.sta.extra_ie = NULL;
@@ -555,6 +553,8 @@ static int ieee80211_stop(struct net_device *dev)
555 553
556 ieee80211_led_radio(local, 0); 554 ieee80211_led_radio(local, 0);
557 555
556 flush_workqueue(local->hw.workqueue);
557
558 tasklet_disable(&local->tx_pending_tasklet); 558 tasklet_disable(&local->tx_pending_tasklet);
559 tasklet_disable(&local->tasklet); 559 tasklet_disable(&local->tasklet);
560 } 560 }
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 4d2b582dd055..b404537c0bcd 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -547,15 +547,14 @@ static void ieee80211_set_associated(struct net_device *dev,
547 sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf; 547 sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf;
548 } 548 }
549 549
550 netif_carrier_on(dev);
551 ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET; 550 ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET;
552 memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN); 551 memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN);
553 memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN); 552 memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN);
554 ieee80211_sta_send_associnfo(dev, ifsta); 553 ieee80211_sta_send_associnfo(dev, ifsta);
555 } else { 554 } else {
555 netif_carrier_off(dev);
556 ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid); 556 ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid);
557 ifsta->flags &= ~IEEE80211_STA_ASSOCIATED; 557 ifsta->flags &= ~IEEE80211_STA_ASSOCIATED;
558 netif_carrier_off(dev);
559 ieee80211_reset_erp_info(dev); 558 ieee80211_reset_erp_info(dev);
560 559
561 sdata->bss_conf.assoc_ht = 0; 560 sdata->bss_conf.assoc_ht = 0;
@@ -569,6 +568,10 @@ static void ieee80211_set_associated(struct net_device *dev,
569 568
570 sdata->bss_conf.assoc = assoc; 569 sdata->bss_conf.assoc = assoc;
571 ieee80211_bss_info_change_notify(sdata, changed); 570 ieee80211_bss_info_change_notify(sdata, changed);
571
572 if (assoc)
573 netif_carrier_on(dev);
574
572 wrqu.ap_addr.sa_family = ARPHRD_ETHER; 575 wrqu.ap_addr.sa_family = ARPHRD_ETHER;
573 wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL); 576 wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
574} 577}
@@ -3611,8 +3614,10 @@ static int ieee80211_sta_find_ibss(struct net_device *dev,
3611 spin_unlock_bh(&local->sta_bss_lock); 3614 spin_unlock_bh(&local->sta_bss_lock);
3612 3615
3613#ifdef CONFIG_MAC80211_IBSS_DEBUG 3616#ifdef CONFIG_MAC80211_IBSS_DEBUG
3614 printk(KERN_DEBUG " sta_find_ibss: selected %s current " 3617 if (found)
3615 "%s\n", print_mac(mac, bssid), print_mac(mac2, ifsta->bssid)); 3618 printk(KERN_DEBUG " sta_find_ibss: selected %s current "
3619 "%s\n", print_mac(mac, bssid),
3620 print_mac(mac2, ifsta->bssid));
3616#endif /* CONFIG_MAC80211_IBSS_DEBUG */ 3621#endif /* CONFIG_MAC80211_IBSS_DEBUG */
3617 if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 && 3622 if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 &&
3618 (bss = ieee80211_rx_bss_get(dev, bssid, 3623 (bss = ieee80211_rx_bss_get(dev, bssid,
diff --git a/net/mac80211/rc80211_pid.h b/net/mac80211/rc80211_pid.h
index 04afc13ed825..4ea7b97d1af1 100644
--- a/net/mac80211/rc80211_pid.h
+++ b/net/mac80211/rc80211_pid.h
@@ -141,7 +141,6 @@ struct rc_pid_events_file_info {
141 * rate behaviour values (lower means we should trust more what we learnt 141 * rate behaviour values (lower means we should trust more what we learnt
142 * about behaviour of rates, higher means we should trust more the natural 142 * about behaviour of rates, higher means we should trust more the natural
143 * ordering of rates) 143 * ordering of rates)
144 * @fast_start: if Y, push high rates right after initialization
145 */ 144 */
146struct rc_pid_debugfs_entries { 145struct rc_pid_debugfs_entries {
147 struct dentry *dir; 146 struct dentry *dir;
@@ -154,7 +153,6 @@ struct rc_pid_debugfs_entries {
154 struct dentry *sharpen_factor; 153 struct dentry *sharpen_factor;
155 struct dentry *sharpen_duration; 154 struct dentry *sharpen_duration;
156 struct dentry *norm_offset; 155 struct dentry *norm_offset;
157 struct dentry *fast_start;
158}; 156};
159 157
160void rate_control_pid_event_tx_status(struct rc_pid_event_buffer *buf, 158void rate_control_pid_event_tx_status(struct rc_pid_event_buffer *buf,
@@ -267,9 +265,6 @@ struct rc_pid_info {
267 /* Normalization offset. */ 265 /* Normalization offset. */
268 unsigned int norm_offset; 266 unsigned int norm_offset;
269 267
270 /* Fast starst parameter. */
271 unsigned int fast_start;
272
273 /* Rates information. */ 268 /* Rates information. */
274 struct rc_pid_rateinfo *rinfo; 269 struct rc_pid_rateinfo *rinfo;
275 270
diff --git a/net/mac80211/rc80211_pid_algo.c b/net/mac80211/rc80211_pid_algo.c
index a849b745bdb5..bcd27c1d7594 100644
--- a/net/mac80211/rc80211_pid_algo.c
+++ b/net/mac80211/rc80211_pid_algo.c
@@ -398,13 +398,25 @@ static void *rate_control_pid_alloc(struct ieee80211_local *local)
398 return NULL; 398 return NULL;
399 } 399 }
400 400
401 pinfo->target = RC_PID_TARGET_PF;
402 pinfo->sampling_period = RC_PID_INTERVAL;
403 pinfo->coeff_p = RC_PID_COEFF_P;
404 pinfo->coeff_i = RC_PID_COEFF_I;
405 pinfo->coeff_d = RC_PID_COEFF_D;
406 pinfo->smoothing_shift = RC_PID_SMOOTHING_SHIFT;
407 pinfo->sharpen_factor = RC_PID_SHARPENING_FACTOR;
408 pinfo->sharpen_duration = RC_PID_SHARPENING_DURATION;
409 pinfo->norm_offset = RC_PID_NORM_OFFSET;
410 pinfo->rinfo = rinfo;
411 pinfo->oldrate = 0;
412
401 /* Sort the rates. This is optimized for the most common case (i.e. 413 /* Sort the rates. This is optimized for the most common case (i.e.
402 * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed 414 * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed
403 * mapping too. */ 415 * mapping too. */
404 for (i = 0; i < sband->n_bitrates; i++) { 416 for (i = 0; i < sband->n_bitrates; i++) {
405 rinfo[i].index = i; 417 rinfo[i].index = i;
406 rinfo[i].rev_index = i; 418 rinfo[i].rev_index = i;
407 if (pinfo->fast_start) 419 if (RC_PID_FAST_START)
408 rinfo[i].diff = 0; 420 rinfo[i].diff = 0;
409 else 421 else
410 rinfo[i].diff = i * pinfo->norm_offset; 422 rinfo[i].diff = i * pinfo->norm_offset;
@@ -425,19 +437,6 @@ static void *rate_control_pid_alloc(struct ieee80211_local *local)
425 break; 437 break;
426 } 438 }
427 439
428 pinfo->target = RC_PID_TARGET_PF;
429 pinfo->sampling_period = RC_PID_INTERVAL;
430 pinfo->coeff_p = RC_PID_COEFF_P;
431 pinfo->coeff_i = RC_PID_COEFF_I;
432 pinfo->coeff_d = RC_PID_COEFF_D;
433 pinfo->smoothing_shift = RC_PID_SMOOTHING_SHIFT;
434 pinfo->sharpen_factor = RC_PID_SHARPENING_FACTOR;
435 pinfo->sharpen_duration = RC_PID_SHARPENING_DURATION;
436 pinfo->norm_offset = RC_PID_NORM_OFFSET;
437 pinfo->fast_start = RC_PID_FAST_START;
438 pinfo->rinfo = rinfo;
439 pinfo->oldrate = 0;
440
441#ifdef CONFIG_MAC80211_DEBUGFS 440#ifdef CONFIG_MAC80211_DEBUGFS
442 de = &pinfo->dentries; 441 de = &pinfo->dentries;
443 de->dir = debugfs_create_dir("rc80211_pid", 442 de->dir = debugfs_create_dir("rc80211_pid",
@@ -465,9 +464,6 @@ static void *rate_control_pid_alloc(struct ieee80211_local *local)
465 de->norm_offset = debugfs_create_u32("norm_offset", 464 de->norm_offset = debugfs_create_u32("norm_offset",
466 S_IRUSR | S_IWUSR, de->dir, 465 S_IRUSR | S_IWUSR, de->dir,
467 &pinfo->norm_offset); 466 &pinfo->norm_offset);
468 de->fast_start = debugfs_create_bool("fast_start",
469 S_IRUSR | S_IWUSR, de->dir,
470 &pinfo->fast_start);
471#endif 467#endif
472 468
473 return pinfo; 469 return pinfo;
@@ -479,7 +475,6 @@ static void rate_control_pid_free(void *priv)
479#ifdef CONFIG_MAC80211_DEBUGFS 475#ifdef CONFIG_MAC80211_DEBUGFS
480 struct rc_pid_debugfs_entries *de = &pinfo->dentries; 476 struct rc_pid_debugfs_entries *de = &pinfo->dentries;
481 477
482 debugfs_remove(de->fast_start);
483 debugfs_remove(de->norm_offset); 478 debugfs_remove(de->norm_offset);
484 debugfs_remove(de->sharpen_duration); 479 debugfs_remove(de->sharpen_duration);
485 debugfs_remove(de->sharpen_factor); 480 debugfs_remove(de->sharpen_factor);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 271cd01d57ae..dd28fb239a60 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -844,9 +844,15 @@ static int tcp_packet(struct nf_conn *ct,
844 /* Attempt to reopen a closed/aborted connection. 844 /* Attempt to reopen a closed/aborted connection.
845 * Delete this connection and look up again. */ 845 * Delete this connection and look up again. */
846 write_unlock_bh(&tcp_lock); 846 write_unlock_bh(&tcp_lock);
847 if (del_timer(&ct->timeout)) 847 /* Only repeat if we can actually remove the timer.
848 * Destruction may already be in progress in process
849 * context and we must give it a chance to terminate.
850 */
851 if (del_timer(&ct->timeout)) {
848 ct->timeout.function((unsigned long)ct); 852 ct->timeout.function((unsigned long)ct);
849 return -NF_REPEAT; 853 return -NF_REPEAT;
854 }
855 return -NF_DROP;
850 } 856 }
851 /* Fall through */ 857 /* Fall through */
852 case TCP_CONNTRACK_IGNORE: 858 case TCP_CONNTRACK_IGNORE:
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index fdc14a0d21af..9080c61b71a5 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -584,12 +584,7 @@ list_start:
584 rcu_read_unlock(); 584 rcu_read_unlock();
585 585
586 genlmsg_end(ans_skb, data); 586 genlmsg_end(ans_skb, data);
587 587 return genlmsg_reply(ans_skb, info);
588 ret_val = genlmsg_reply(ans_skb, info);
589 if (ret_val != 0)
590 goto list_failure;
591
592 return 0;
593 588
594list_retry: 589list_retry:
595 /* XXX - this limit is a guesstimate */ 590 /* XXX - this limit is a guesstimate */
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 22c191267808..44be5d5261f4 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -386,11 +386,7 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
386 rcu_read_unlock(); 386 rcu_read_unlock();
387 387
388 genlmsg_end(ans_skb, data); 388 genlmsg_end(ans_skb, data);
389 389 return genlmsg_reply(ans_skb, info);
390 ret_val = genlmsg_reply(ans_skb, info);
391 if (ret_val != 0)
392 goto listdef_failure;
393 return 0;
394 390
395listdef_failure_lock: 391listdef_failure_lock:
396 rcu_read_unlock(); 392 rcu_read_unlock();
@@ -501,11 +497,7 @@ static int netlbl_mgmt_version(struct sk_buff *skb, struct genl_info *info)
501 goto version_failure; 497 goto version_failure;
502 498
503 genlmsg_end(ans_skb, data); 499 genlmsg_end(ans_skb, data);
504 500 return genlmsg_reply(ans_skb, info);
505 ret_val = genlmsg_reply(ans_skb, info);
506 if (ret_val != 0)
507 goto version_failure;
508 return 0;
509 501
510version_failure: 502version_failure:
511 kfree_skb(ans_skb); 503 kfree_skb(ans_skb);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 52b2611a6eb6..56f80872924e 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1107,11 +1107,7 @@ static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
1107 goto list_failure; 1107 goto list_failure;
1108 1108
1109 genlmsg_end(ans_skb, data); 1109 genlmsg_end(ans_skb, data);
1110 1110 return genlmsg_reply(ans_skb, info);
1111 ret_val = genlmsg_reply(ans_skb, info);
1112 if (ret_val != 0)
1113 goto list_failure;
1114 return 0;
1115 1111
1116list_failure: 1112list_failure:
1117 kfree_skb(ans_skb); 1113 kfree_skb(ans_skb);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 0c9d5a6950fe..fcdb45d1071b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5899,12 +5899,6 @@ static int sctp_eat_data(const struct sctp_association *asoc,
5899 return SCTP_IERROR_NO_DATA; 5899 return SCTP_IERROR_NO_DATA;
5900 } 5900 }
5901 5901
5902 /* If definately accepting the DATA chunk, record its TSN, otherwise
5903 * wait for renege processing.
5904 */
5905 if (SCTP_CMD_CHUNK_ULP == deliver)
5906 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
5907
5908 chunk->data_accepted = 1; 5902 chunk->data_accepted = 1;
5909 5903
5910 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5904 /* Note: Some chunks may get overcounted (if we drop) or overcounted
@@ -5924,6 +5918,9 @@ static int sctp_eat_data(const struct sctp_association *asoc,
5924 * and discard the DATA chunk. 5918 * and discard the DATA chunk.
5925 */ 5919 */
5926 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5920 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) {
5921 /* Mark tsn as received even though we drop it */
5922 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
5923
5927 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5924 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
5928 &data_hdr->stream, 5925 &data_hdr->stream,
5929 sizeof(data_hdr->stream)); 5926 sizeof(data_hdr->stream));
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index ce6cda6b6994..a1f654aea268 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -710,6 +710,11 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc,
710 if (!skb) 710 if (!skb)
711 goto fail; 711 goto fail;
712 712
713 /* Now that all memory allocations for this chunk succeeded, we
714 * can mark it as received so the tsn_map is updated correctly.
715 */
716 sctp_tsnmap_mark(&asoc->peer.tsn_map, ntohl(chunk->subh.data_hdr->tsn));
717
713 /* First calculate the padding, so we don't inadvertently 718 /* First calculate the padding, so we don't inadvertently
714 * pass up the wrong length to the user. 719 * pass up the wrong length to the user.
715 * 720 *
diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index 0517967a68bf..e6fb21b19b86 100644
--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -243,10 +243,10 @@ int rpcb_getport_sync(struct sockaddr_in *sin, u32 prog, u32 vers, int prot)
243} 243}
244EXPORT_SYMBOL_GPL(rpcb_getport_sync); 244EXPORT_SYMBOL_GPL(rpcb_getport_sync);
245 245
246static struct rpc_task *rpcb_call_async(struct rpc_clnt *rpcb_clnt, struct rpcbind_args *map, int version) 246static struct rpc_task *rpcb_call_async(struct rpc_clnt *rpcb_clnt, struct rpcbind_args *map, struct rpc_procinfo *proc)
247{ 247{
248 struct rpc_message msg = { 248 struct rpc_message msg = {
249 .rpc_proc = rpcb_next_version[version].rpc_proc, 249 .rpc_proc = proc,
250 .rpc_argp = map, 250 .rpc_argp = map,
251 .rpc_resp = &map->r_port, 251 .rpc_resp = &map->r_port,
252 }; 252 };
@@ -271,6 +271,7 @@ static struct rpc_task *rpcb_call_async(struct rpc_clnt *rpcb_clnt, struct rpcbi
271void rpcb_getport_async(struct rpc_task *task) 271void rpcb_getport_async(struct rpc_task *task)
272{ 272{
273 struct rpc_clnt *clnt = task->tk_client; 273 struct rpc_clnt *clnt = task->tk_client;
274 struct rpc_procinfo *proc;
274 u32 bind_version; 275 u32 bind_version;
275 struct rpc_xprt *xprt = task->tk_xprt; 276 struct rpc_xprt *xprt = task->tk_xprt;
276 struct rpc_clnt *rpcb_clnt; 277 struct rpc_clnt *rpcb_clnt;
@@ -280,7 +281,6 @@ void rpcb_getport_async(struct rpc_task *task)
280 struct sockaddr *sap = (struct sockaddr *)&addr; 281 struct sockaddr *sap = (struct sockaddr *)&addr;
281 size_t salen; 282 size_t salen;
282 int status; 283 int status;
283 struct rpcb_info *info;
284 284
285 dprintk("RPC: %5u %s(%s, %u, %u, %d)\n", 285 dprintk("RPC: %5u %s(%s, %u, %u, %d)\n",
286 task->tk_pid, __func__, 286 task->tk_pid, __func__,
@@ -313,10 +313,12 @@ void rpcb_getport_async(struct rpc_task *task)
313 /* Don't ever use rpcbind v2 for AF_INET6 requests */ 313 /* Don't ever use rpcbind v2 for AF_INET6 requests */
314 switch (sap->sa_family) { 314 switch (sap->sa_family) {
315 case AF_INET: 315 case AF_INET:
316 info = rpcb_next_version; 316 proc = rpcb_next_version[xprt->bind_index].rpc_proc;
317 bind_version = rpcb_next_version[xprt->bind_index].rpc_vers;
317 break; 318 break;
318 case AF_INET6: 319 case AF_INET6:
319 info = rpcb_next_version6; 320 proc = rpcb_next_version6[xprt->bind_index].rpc_proc;
321 bind_version = rpcb_next_version6[xprt->bind_index].rpc_vers;
320 break; 322 break;
321 default: 323 default:
322 status = -EAFNOSUPPORT; 324 status = -EAFNOSUPPORT;
@@ -324,14 +326,13 @@ void rpcb_getport_async(struct rpc_task *task)
324 task->tk_pid, __func__); 326 task->tk_pid, __func__);
325 goto bailout_nofree; 327 goto bailout_nofree;
326 } 328 }
327 if (info[xprt->bind_index].rpc_proc == NULL) { 329 if (proc == NULL) {
328 xprt->bind_index = 0; 330 xprt->bind_index = 0;
329 status = -EPFNOSUPPORT; 331 status = -EPFNOSUPPORT;
330 dprintk("RPC: %5u %s: no more getport versions available\n", 332 dprintk("RPC: %5u %s: no more getport versions available\n",
331 task->tk_pid, __func__); 333 task->tk_pid, __func__);
332 goto bailout_nofree; 334 goto bailout_nofree;
333 } 335 }
334 bind_version = info[xprt->bind_index].rpc_vers;
335 336
336 dprintk("RPC: %5u %s: trying rpcbind version %u\n", 337 dprintk("RPC: %5u %s: trying rpcbind version %u\n",
337 task->tk_pid, __func__, bind_version); 338 task->tk_pid, __func__, bind_version);
@@ -361,22 +362,20 @@ void rpcb_getport_async(struct rpc_task *task)
361 map->r_addr = rpc_peeraddr2str(rpcb_clnt, RPC_DISPLAY_UNIVERSAL_ADDR); 362 map->r_addr = rpc_peeraddr2str(rpcb_clnt, RPC_DISPLAY_UNIVERSAL_ADDR);
362 map->r_owner = RPCB_OWNER_STRING; /* ignored for GETADDR */ 363 map->r_owner = RPCB_OWNER_STRING; /* ignored for GETADDR */
363 364
364 child = rpcb_call_async(rpcb_clnt, map, xprt->bind_index); 365 child = rpcb_call_async(rpcb_clnt, map, proc);
365 rpc_release_client(rpcb_clnt); 366 rpc_release_client(rpcb_clnt);
366 if (IS_ERR(child)) { 367 if (IS_ERR(child)) {
367 status = -EIO; 368 status = -EIO;
369 /* rpcb_map_release() has freed the arguments */
368 dprintk("RPC: %5u %s: rpc_run_task failed\n", 370 dprintk("RPC: %5u %s: rpc_run_task failed\n",
369 task->tk_pid, __func__); 371 task->tk_pid, __func__);
370 goto bailout; 372 goto bailout_nofree;
371 } 373 }
372 rpc_put_task(child); 374 rpc_put_task(child);
373 375
374 task->tk_xprt->stat.bind_count++; 376 task->tk_xprt->stat.bind_count++;
375 return; 377 return;
376 378
377bailout:
378 kfree(map);
379 xprt_put(xprt);
380bailout_nofree: 379bailout_nofree:
381 rpcb_wake_rpcbind_waiters(xprt, status); 380 rpcb_wake_rpcbind_waiters(xprt, status);
382bailout_nowake: 381bailout_nowake:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b976d9ed10e4..04c41504f84c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -277,9 +277,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
277 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 277 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
278 x->props.flags = p->flags; 278 x->props.flags = p->flags;
279 279
280 if (!x->sel.family) 280 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC))
281 x->sel.family = p->family; 281 x->sel.family = p->family;
282
283} 282}
284 283
285/* 284/*