Diffstat (limited to 'net')
-rw-r--r--net/8021q/vlanproc.c2
-rw-r--r--net/9p/client.c2
-rw-r--r--net/9p/trans_common.c4
-rw-r--r--net/9p/util.c2
-rw-r--r--net/appletalk/ddp.c11
-rw-r--r--net/atm/br2684.c2
-rw-r--r--net/atm/common.c1
-rw-r--r--net/atm/lec.h2
-rw-r--r--net/batman-adv/soft-interface.c2
-rw-r--r--net/bluetooth/hci_core.c12
-rw-r--r--net/bluetooth/hci_event.c4
-rw-r--r--net/bluetooth/l2cap_core.c4
-rw-r--r--net/bluetooth/l2cap_sock.c7
-rw-r--r--net/bluetooth/mgmt.c2
-rw-r--r--net/bridge/br_fdb.c2
-rw-r--r--net/bridge/br_if.c6
-rw-r--r--net/bridge/br_ioctl.c2
-rw-r--r--net/bridge/br_multicast.c4
-rw-r--r--net/bridge/br_private.h2
-rw-r--r--net/bridge/br_stp_if.c11
-rw-r--r--net/caif/caif_socket.c2
-rw-r--r--net/can/af_can.c9
-rw-r--r--net/can/bcm.c6
-rw-r--r--net/can/raw.c4
-rw-r--r--net/ceph/Kconfig1
-rw-r--r--net/ceph/auth.c8
-rw-r--r--net/ceph/auth_x.c8
-rw-r--r--net/ceph/ceph_common.c112
-rw-r--r--net/ceph/crypto.c73
-rw-r--r--net/ceph/crypto.h4
-rw-r--r--net/ceph/mon_client.c2
-rw-r--r--net/ceph/osd_client.c14
-rw-r--r--net/core/dev.c110
-rw-r--r--net/core/ethtool.c19
-rw-r--r--net/core/filter.c2
-rw-r--r--net/core/link_watch.c2
-rw-r--r--net/core/rtnetlink.c4
-rw-r--r--net/core/skbuff.c2
-rw-r--r--net/core/sock.c10
-rw-r--r--net/dccp/output.c2
-rw-r--r--net/dsa/mv88e6131.c2
-rw-r--r--net/ipv4/arp.c3
-rw-r--r--net/ipv4/cipso_ipv4.c8
-rw-r--r--net/ipv4/devinet.c30
-rw-r--r--net/ipv4/fib_frontend.c114
-rw-r--r--net/ipv4/fib_lookup.h3
-rw-r--r--net/ipv4/fib_semantics.c47
-rw-r--r--net/ipv4/fib_trie.c20
-rw-r--r--net/ipv4/icmp.c2
-rw-r--r--net/ipv4/ip_options.c6
-rw-r--r--net/ipv4/ip_output.c2
-rw-r--r--net/ipv4/ipconfig.c2
-rw-r--r--net/ipv4/netfilter/arp_tables.c4
-rw-r--r--net/ipv4/netfilter/ip_tables.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_core.c4
-rw-r--r--net/ipv4/raw.c3
-rw-r--r--net/ipv4/route.c12
-rw-r--r--net/ipv4/tcp_input.c22
-rw-r--r--net/ipv4/tcp_lp.c2
-rw-r--r--net/ipv4/tcp_output.c5
-rw-r--r--net/ipv4/tcp_yeah.c2
-rw-r--r--net/ipv4/udp.c2
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/ipv6/af_inet6.c2
-rw-r--r--net/ipv6/ip6_output.c2
-rw-r--r--net/ipv6/ip6mr.c2
-rw-r--r--net/ipv6/ndisc.c2
-rw-r--r--net/ipv6/netfilter/ip6_tables.c2
-rw-r--r--net/ipv6/netfilter/nf_defrag_ipv6_hooks.c2
-rw-r--r--net/ipv6/route.c2
-rw-r--r--net/ipv6/tcp_ipv6.c1
-rw-r--r--net/irda/iriap.c6
-rw-r--r--net/irda/irlap.c2
-rw-r--r--net/irda/irlap_event.c8
-rw-r--r--net/irda/irlap_frame.c2
-rw-r--r--net/irda/irlmp_event.c2
-rw-r--r--net/irda/irnet/irnet.h2
-rw-r--r--net/irda/irnet/irnet_ppp.c3
-rw-r--r--net/irda/irqueue.c2
-rw-r--r--net/irda/irttp.c2
-rw-r--r--net/irda/qos.c8
-rw-r--r--net/irda/timer.c2
-rw-r--r--net/iucv/af_iucv.c2
-rw-r--r--net/iucv/iucv.c4
-rw-r--r--net/mac80211/ieee80211_i.h2
-rw-r--r--net/mac80211/key.c7
-rw-r--r--net/mac80211/mesh_pathtbl.c2
-rw-r--r--net/mac80211/rc80211_minstrel_ht.c27
-rw-r--r--net/mac80211/rc80211_pid.h2
-rw-r--r--net/mac80211/rx.c5
-rw-r--r--net/mac80211/sta_info.c5
-rw-r--r--net/mac80211/sta_info.h2
-rw-r--r--net/netfilter/ipset/ip_set_core.c2
-rw-r--r--net/netfilter/ipvs/ip_vs_conn.c4
-rw-r--r--net/netfilter/ipvs/ip_vs_lblc.c2
-rw-r--r--net/netfilter/ipvs/ip_vs_lblcr.c2
-rw-r--r--net/netfilter/ipvs/ip_vs_proto_sctp.c8
-rw-r--r--net/netfilter/nf_conntrack_core.c4
-rw-r--r--net/netfilter/nf_conntrack_proto_dccp.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c6
-rw-r--r--net/netfilter/nf_conntrack_sip.c2
-rw-r--r--net/netfilter/nf_queue.c2
-rw-r--r--net/netlabel/netlabel_domainhash.c10
-rw-r--r--net/netlabel/netlabel_mgmt.c2
-rw-r--r--net/rds/ib_send.c2
-rw-r--r--net/rds/iw_cm.c2
-rw-r--r--net/rds/iw_rdma.c2
-rw-r--r--net/rds/iw_send.c2
-rw-r--r--net/rds/send.c2
-rw-r--r--net/rose/af_rose.c8
-rw-r--r--net/rose/rose_loopback.c13
-rw-r--r--net/rose/rose_route.c22
-rw-r--r--net/rose/rose_subr.c101
-rw-r--r--net/sched/act_api.c2
-rw-r--r--net/sched/act_pedit.c2
-rw-r--r--net/sched/em_meta.c2
-rw-r--r--net/sched/sch_htb.c2
-rw-r--r--net/sched/sch_netem.c6
-rw-r--r--net/sctp/associola.c2
-rw-r--r--net/sctp/auth.c6
-rw-r--r--net/sctp/input.c2
-rw-r--r--net/sctp/output.c2
-rw-r--r--net/sctp/outqueue.c6
-rw-r--r--net/sctp/protocol.c4
-rw-r--r--net/sctp/sm_make_chunk.c4
-rw-r--r--net/sctp/sm_sideeffect.c2
-rw-r--r--net/sctp/sm_statefuns.c20
-rw-r--r--net/sctp/socket.c2
-rw-r--r--net/sctp/ulpevent.c2
-rw-r--r--net/sctp/ulpqueue.c2
-rw-r--r--net/socket.c2
-rw-r--r--net/sunrpc/auth_gss/gss_mech_switch.c38
-rw-r--r--net/sunrpc/auth_gss/svcauth_gss.c2
-rw-r--r--net/sunrpc/sched.c4
-rw-r--r--net/sunrpc/xprtsock.c6
-rw-r--r--net/tipc/link.c2
-rw-r--r--net/tipc/name_distr.c2
-rw-r--r--net/unix/af_unix.c2
-rw-r--r--net/wanrouter/wanproc.c2
-rw-r--r--net/wireless/reg.c4
-rw-r--r--net/wireless/scan.c31
-rw-r--r--net/x25/x25_facilities.c2
-rw-r--r--net/x25/x25_forward.c4
-rw-r--r--net/xfrm/xfrm_input.c4
-rw-r--r--net/xfrm/xfrm_output.c4
-rw-r--r--net/xfrm/xfrm_replay.c17
-rw-r--r--net/xfrm/xfrm_state.c6
-rw-r--r--net/xfrm/xfrm_user.c30
148 files changed, 891 insertions, 430 deletions
diff --git a/net/8021q/vlanproc.c b/net/8021q/vlanproc.c
index d1314cf18adf..d940c49d168a 100644
--- a/net/8021q/vlanproc.c
+++ b/net/8021q/vlanproc.c
@@ -54,7 +54,7 @@ static const char name_conf[] = "config";
54 54
55/* 55/*
56 * Structures for interfacing with the /proc filesystem. 56 * Structures for interfacing with the /proc filesystem.
57 * VLAN creates its own directory /proc/net/vlan with the folowing 57 * VLAN creates its own directory /proc/net/vlan with the following
58 * entries: 58 * entries:
59 * config device status/configuration 59 * config device status/configuration
60 * <device> entry for each device 60 * <device> entry for each device
diff --git a/net/9p/client.c b/net/9p/client.c
index 2ccbf04d37df..48b8e084e710 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -178,7 +178,7 @@ free_and_return:
178 * @tag: numeric id for transaction 178 * @tag: numeric id for transaction
179 * 179 *
180 * this is a simple array lookup, but will grow the 180 * this is a simple array lookup, but will grow the
181 * request_slots as necessary to accomodate transaction 181 * request_slots as necessary to accommodate transaction
182 * ids which did not previously have a slot. 182 * ids which did not previously have a slot.
183 * 183 *
184 * this code relies on the client spinlock to manage locks, its 184 * this code relies on the client spinlock to manage locks, its
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index 9172ab78fcb0..d47880e971dd 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -36,7 +36,7 @@ p9_release_req_pages(struct trans_rpage_info *rpinfo)
36EXPORT_SYMBOL(p9_release_req_pages); 36EXPORT_SYMBOL(p9_release_req_pages);
37 37
38/** 38/**
39 * p9_nr_pages - Return number of pages needed to accomodate the payload. 39 * p9_nr_pages - Return number of pages needed to accommodate the payload.
40 */ 40 */
41int 41int
42p9_nr_pages(struct p9_req_t *req) 42p9_nr_pages(struct p9_req_t *req)
@@ -55,7 +55,7 @@ EXPORT_SYMBOL(p9_nr_pages);
55 * @req: Request to be sent to server. 55 * @req: Request to be sent to server.
56 * @pdata_off: data offset into the first page after translation (gup). 56 * @pdata_off: data offset into the first page after translation (gup).
57 * @pdata_len: Total length of the IO. gup may not return requested # of pages. 57 * @pdata_len: Total length of the IO. gup may not return requested # of pages.
58 * @nr_pages: number of pages to accomodate the payload 58 * @nr_pages: number of pages to accommodate the payload
59 * @rw: Indicates if the pages are for read or write. 59 * @rw: Indicates if the pages are for read or write.
60 */ 60 */
61int 61int
diff --git a/net/9p/util.c b/net/9p/util.c
index b84619b5ba22..da6af81e59d9 100644
--- a/net/9p/util.c
+++ b/net/9p/util.c
@@ -67,7 +67,7 @@ EXPORT_SYMBOL(p9_idpool_create);
67 67
68/** 68/**
69 * p9_idpool_destroy - create a new per-connection id pool 69 * p9_idpool_destroy - create a new per-connection id pool
70 * @p: idpool to destory 70 * @p: idpool to destroy
71 */ 71 */
72 72
73void p9_idpool_destroy(struct p9_idpool *p) 73void p9_idpool_destroy(struct p9_idpool *p)
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 206e771e82d1..956a5302002a 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1051,16 +1051,17 @@ static int atalk_release(struct socket *sock)
1051{ 1051{
1052 struct sock *sk = sock->sk; 1052 struct sock *sk = sock->sk;
1053 1053
1054 sock_hold(sk);
1055 lock_sock(sk);
1056 if (sk) { 1054 if (sk) {
1055 sock_hold(sk);
1056 lock_sock(sk);
1057
1057 sock_orphan(sk); 1058 sock_orphan(sk);
1058 sock->sk = NULL; 1059 sock->sk = NULL;
1059 atalk_destroy_socket(sk); 1060 atalk_destroy_socket(sk);
1060 }
1061 release_sock(sk);
1062 sock_put(sk);
1063 1061
1062 release_sock(sk);
1063 sock_put(sk);
1064 }
1064 return 0; 1065 return 0;
1065} 1066}
1066 1067
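Review bot: The `sock_hold(sk)` / `sock_put(sk)` pair that now sits inside `if (sk)` in atalk_release (new lines 1055 and 1063) has no comment saying why the extra reference is taken. Presumably atalk_destroy_socket() can drop what would otherwise be the last reference, so `release_sock(sk)` on new line 1062 would touch freed memory without it; that reasoning should be written down. A comment such as `/* hold sk across atalk_destroy_socket() so release_sock() below still sees a live socket */` above the `sock_hold(sk)` line would do.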
diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index fce2eae8d476..2252c2085dac 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -509,7 +509,7 @@ static int br2684_regvcc(struct atm_vcc *atmvcc, void __user * arg)
509 write_lock_irq(&devs_lock); 509 write_lock_irq(&devs_lock);
510 net_dev = br2684_find_dev(&be.ifspec); 510 net_dev = br2684_find_dev(&be.ifspec);
511 if (net_dev == NULL) { 511 if (net_dev == NULL) {
512 pr_err("tried to attach to non-existant device\n"); 512 pr_err("tried to attach to non-existent device\n");
513 err = -ENXIO; 513 err = -ENXIO;
514 goto error; 514 goto error;
515 } 515 }
diff --git a/net/atm/common.c b/net/atm/common.c
index 1b9c52a02cd3..22b963d06a10 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -252,6 +252,7 @@ void atm_dev_release_vccs(struct atm_dev *dev)
252 } 252 }
253 write_unlock_irq(&vcc_sklist_lock); 253 write_unlock_irq(&vcc_sklist_lock);
254} 254}
255EXPORT_SYMBOL(atm_dev_release_vccs);
255 256
256static int adjust_tp(struct atm_trafprm *tp, unsigned char aal) 257static int adjust_tp(struct atm_trafprm *tp, unsigned char aal)
257{ 258{
diff --git a/net/atm/lec.h b/net/atm/lec.h
index 9d14d196cc1d..dfc071966463 100644
--- a/net/atm/lec.h
+++ b/net/atm/lec.h
@@ -35,7 +35,7 @@ struct lecdatahdr_8025 {
35 * Operations that LANE2 capable device can do. Two first functions 35 * Operations that LANE2 capable device can do. Two first functions
36 * are used to make the device do things. See spec 3.1.3 and 3.1.4. 36 * are used to make the device do things. See spec 3.1.3 and 3.1.4.
37 * 37 *
38 * The third function is intented for the MPOA component sitting on 38 * The third function is intended for the MPOA component sitting on
39 * top of the LANE device. The MPOA component assigns it's own function 39 * top of the LANE device. The MPOA component assigns it's own function
40 * to (*associate_indicator)() and the LANE device will use that 40 * to (*associate_indicator)() and the LANE device will use that
41 * function to tell about TLVs it sees floating through. 41 * function to tell about TLVs it sees floating through.
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 9ed26140a269..824e1f6e50f2 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -474,7 +474,7 @@ void interface_rx(struct net_device *soft_iface,
474 goto dropped; 474 goto dropped;
475 skb->protocol = eth_type_trans(skb, soft_iface); 475 skb->protocol = eth_type_trans(skb, soft_iface);
476 476
477 /* should not be neccesary anymore as we use skb_pull_rcsum() 477 /* should not be necessary anymore as we use skb_pull_rcsum()
478 * TODO: please verify this and remove this TODO 478 * TODO: please verify this and remove this TODO
479 * -- Dec 21st 2009, Simon Wunderlich */ 479 * -- Dec 21st 2009, Simon Wunderlich */
480 480
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index b372fb8bcdcf..c83f618282f7 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -186,6 +186,7 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
186 BT_DBG("%s %ld", hdev->name, opt); 186 BT_DBG("%s %ld", hdev->name, opt);
187 187
188 /* Reset device */ 188 /* Reset device */
189 set_bit(HCI_RESET, &hdev->flags);
189 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 190 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
190} 191}
191 192
@@ -213,8 +214,10 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
213 /* Mandatory initialization */ 214 /* Mandatory initialization */
214 215
215 /* Reset */ 216 /* Reset */
216 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) 217 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
218 set_bit(HCI_RESET, &hdev->flags);
217 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 219 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
220 }
218 221
219 /* Read Local Supported Features */ 222 /* Read Local Supported Features */
220 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL); 223 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
@@ -584,6 +587,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
584 hci_req_cancel(hdev, ENODEV); 587 hci_req_cancel(hdev, ENODEV);
585 hci_req_lock(hdev); 588 hci_req_lock(hdev);
586 589
590 /* Stop timer, it might be running */
591 del_timer_sync(&hdev->cmd_timer);
592
587 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) { 593 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
588 hci_req_unlock(hdev); 594 hci_req_unlock(hdev);
589 return 0; 595 return 0;
@@ -623,7 +629,6 @@ static int hci_dev_do_close(struct hci_dev *hdev)
623 629
624 /* Drop last sent command */ 630 /* Drop last sent command */
625 if (hdev->sent_cmd) { 631 if (hdev->sent_cmd) {
626 del_timer_sync(&hdev->cmd_timer);
627 kfree_skb(hdev->sent_cmd); 632 kfree_skb(hdev->sent_cmd);
628 hdev->sent_cmd = NULL; 633 hdev->sent_cmd = NULL;
629 } 634 }
@@ -1074,6 +1079,7 @@ static void hci_cmd_timer(unsigned long arg)
1074 1079
1075 BT_ERR("%s command tx timeout", hdev->name); 1080 BT_ERR("%s command tx timeout", hdev->name);
1076 atomic_set(&hdev->cmd_cnt, 1); 1081 atomic_set(&hdev->cmd_cnt, 1);
1082 clear_bit(HCI_RESET, &hdev->flags);
1077 tasklet_schedule(&hdev->cmd_task); 1083 tasklet_schedule(&hdev->cmd_task);
1078} 1084}
1079 1085
@@ -1877,7 +1883,7 @@ static void hci_tx_task(unsigned long arg)
1877 read_unlock(&hci_task_lock); 1883 read_unlock(&hci_task_lock);
1878} 1884}
1879 1885
1880/* ----- HCI RX task (incoming data proccessing) ----- */ 1886/* ----- HCI RX task (incoming data processing) ----- */
1881 1887
1882/* ACL data packet */ 1888/* ACL data packet */
1883static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 1889static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
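Review bot: In hci_reset_req (new line 189) and hci_init_req (new line 218) the HCI_RESET bit is set just before `hci_send_cmd()`, and the return value of that call is ignored at both sites. On this page the bit is cleared only by hci_cmd_timer and by hci_cc_reset. If the send fails before the command is queued (the arming of the timer is not visible here), the bit could stay set and hci_cmd_status_evt would keep withholding the command credit. Consider `if (hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL) < 0) clear_bit(HCI_RESET, &hdev->flags);` in both places.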
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 3fbfa50c2bff..cebe7588469f 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -183,6 +183,8 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
183 183
184 BT_DBG("%s status 0x%x", hdev->name, status); 184 BT_DBG("%s status 0x%x", hdev->name, status);
185 185
186 clear_bit(HCI_RESET, &hdev->flags);
187
186 hci_req_complete(hdev, HCI_OP_RESET, status); 188 hci_req_complete(hdev, HCI_OP_RESET, status);
187} 189}
188 190
@@ -1847,7 +1849,7 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1847 if (ev->opcode != HCI_OP_NOP) 1849 if (ev->opcode != HCI_OP_NOP)
1848 del_timer(&hdev->cmd_timer); 1850 del_timer(&hdev->cmd_timer);
1849 1851
1850 if (ev->ncmd) { 1852 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
1851 atomic_set(&hdev->cmd_cnt, 1); 1853 atomic_set(&hdev->cmd_cnt, 1);
1852 if (!skb_queue_empty(&hdev->cmd_q)) 1854 if (!skb_queue_empty(&hdev->cmd_q))
1853 tasklet_schedule(&hdev->cmd_task); 1855 tasklet_schedule(&hdev->cmd_task);
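Review bot: The new `!test_bit(HCI_RESET, &hdev->flags)` condition on new line 1852 has no comment, and hci_cmd_status_evt itself does not show why `ncmd` is ignored while a reset is in flight. A comment such as `/* do not restore the command credit while HCI_Reset is pending; hci_cc_reset() or the command timer clears HCI_RESET */` above the `if` would record the intent. If hci_cmd_complete_evt, which is outside this hunk, restores `cmd_cnt` from `ncmd` in the same way, it should be checked for the same guard.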
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c9f9cecca527..ca27f3a41536 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1116,7 +1116,9 @@ int l2cap_ertm_send(struct sock *sk)
1116 bt_cb(skb)->tx_seq = pi->next_tx_seq; 1116 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1117 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; 1117 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1118 1118
1119 pi->unacked_frames++; 1119 if (bt_cb(skb)->retries == 1)
1120 pi->unacked_frames++;
1121
1120 pi->frames_sent++; 1122 pi->frames_sent++;
1121 1123
1122 if (skb_queue_is_last(TX_QUEUE(sk), skb)) 1124 if (skb_queue_is_last(TX_QUEUE(sk), skb))
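Review bot: The literal in `if (bt_cb(skb)->retries == 1)` on new line 1119 only makes sense if `retries` has already been incremented for this transmission earlier in the send loop, and that code is outside the hunk. Without a comment the test reads as an arbitrary magic number. Something like `/* first transmission only: a retransmitted frame is already counted in unacked_frames */` above the test would make the dependency explicit. It is also worth confirming that no path reaches this point with `retries` still at 0.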
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index fc85e7ae33c7..299fe56a9668 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -679,7 +679,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
679 679
680 if (opt == BT_FLUSHABLE_OFF) { 680 if (opt == BT_FLUSHABLE_OFF) {
681 struct l2cap_conn *conn = l2cap_pi(sk)->conn; 681 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
682 /* proceed futher only when we have l2cap_conn and 682 /* proceed further only when we have l2cap_conn and
683 No Flush support in the LM */ 683 No Flush support in the LM */
684 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 684 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
685 err = -EINVAL; 685 err = -EINVAL;
@@ -923,8 +923,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
923 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 923 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
924 l2cap_send_cmd(conn, l2cap_pi(sk)->ident, 924 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
925 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 925 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
926 } else 926 }
927 l2cap_chan_del(sk, reason); 927
928 l2cap_chan_del(sk, reason);
928 break; 929 break;
929 930
930 case BT_CONNECT: 931 case BT_CONNECT:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 0054c74e27b7..4476d8e3c0f2 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1230,6 +1230,8 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
1230 if (!hdev) 1230 if (!hdev)
1231 return cmd_status(sk, index, mgmt_op, ENODEV); 1231 return cmd_status(sk, index, mgmt_op, ENODEV);
1232 1232
1233 hci_dev_lock_bh(hdev);
1234
1233 if (!test_bit(HCI_UP, &hdev->flags)) { 1235 if (!test_bit(HCI_UP, &hdev->flags)) {
1234 err = cmd_status(sk, index, mgmt_op, ENETDOWN); 1236 err = cmd_status(sk, index, mgmt_op, ENETDOWN);
1235 goto failed; 1237 goto failed;
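Review bot: `hci_dev_lock_bh(hdev)` is added on new line 1233, but the matching unlock is not visible in this hunk. The `goto failed` on the HCI_UP check and every later exit from user_confirm_reply must pass through `hci_dev_unlock_bh(hdev)`, and no return after this point may bypass the `failed` label. The rest of the function body is outside the hunk, so this should be confirmed against the full function. The early `return cmd_status(...)` for `!hdev` is correctly placed before the lock.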
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 88485cc74dc3..cc4d3c5ab1c6 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -169,7 +169,7 @@ void br_fdb_flush(struct net_bridge *br)
169 spin_unlock_bh(&br->hash_lock); 169 spin_unlock_bh(&br->hash_lock);
170} 170}
171 171
172/* Flush all entries refering to a specific port. 172/* Flush all entries referring to a specific port.
173 * if do_all is set also flush static entries 173 * if do_all is set also flush static entries
174 */ 174 */
175void br_fdb_delete_by_port(struct net_bridge *br, 175void br_fdb_delete_by_port(struct net_bridge *br,
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index dce8f0009a12..718b60366dfe 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -389,6 +389,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
389{ 389{
390 struct net_bridge_port *p; 390 struct net_bridge_port *p;
391 int err = 0; 391 int err = 0;
392 bool changed_addr;
392 393
393 /* Don't allow bridging non-ethernet like devices */ 394 /* Don't allow bridging non-ethernet like devices */
394 if ((dev->flags & IFF_LOOPBACK) || 395 if ((dev->flags & IFF_LOOPBACK) ||
@@ -446,7 +447,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
446 list_add_rcu(&p->list, &br->port_list); 447 list_add_rcu(&p->list, &br->port_list);
447 448
448 spin_lock_bh(&br->lock); 449 spin_lock_bh(&br->lock);
449 br_stp_recalculate_bridge_id(br); 450 changed_addr = br_stp_recalculate_bridge_id(br);
450 br_features_recompute(br); 451 br_features_recompute(br);
451 452
452 if ((dev->flags & IFF_UP) && netif_carrier_ok(dev) && 453 if ((dev->flags & IFF_UP) && netif_carrier_ok(dev) &&
@@ -456,6 +457,9 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
456 457
457 br_ifinfo_notify(RTM_NEWLINK, p); 458 br_ifinfo_notify(RTM_NEWLINK, p);
458 459
460 if (changed_addr)
461 call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
462
459 dev_set_mtu(br->dev, br_min_mtu(br)); 463 dev_set_mtu(br->dev, br_min_mtu(br));
460 464
461 kobject_uevent(&p->kobj, KOBJ_ADD); 465 kobject_uevent(&p->kobj, KOBJ_ADD);
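Review bot: The notifier on new line 461 is raised for `dev`, the port being added, but `changed_addr` comes from `br_stp_recalculate_bridge_id(br)`, which changes the bridge's own id. Listeners would therefore be told that the port's address changed, while the bridge device, whose address appears to be the one that moved, gets no event. The call should most likely be `call_netdevice_notifiers(NETDEV_CHANGEADDR, br->dev);`. br_add_if starts and ends outside these hunks, so the locking context around the notifier call should be checked as well.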
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index cb43312b846e..3d9fca0e3370 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -106,7 +106,7 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
106/* 106/*
107 * Legacy ioctl's through SIOCDEVPRIVATE 107 * Legacy ioctl's through SIOCDEVPRIVATE
108 * This interface is deprecated because it was too difficult to 108 * This interface is deprecated because it was too difficult to
109 * to do the translation for 32/64bit ioctl compatability. 109 * to do the translation for 32/64bit ioctl compatibility.
110 */ 110 */
111static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) 111static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
112{ 112{
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 030a002ff8ee..59660c909a7c 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -445,9 +445,9 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
445 ip6h->payload_len = htons(8 + sizeof(*mldq)); 445 ip6h->payload_len = htons(8 + sizeof(*mldq));
446 ip6h->nexthdr = IPPROTO_HOPOPTS; 446 ip6h->nexthdr = IPPROTO_HOPOPTS;
447 ip6h->hop_limit = 1; 447 ip6h->hop_limit = 1;
448 ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
448 ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0, 449 ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
449 &ip6h->saddr); 450 &ip6h->saddr);
450 ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
451 ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest); 451 ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
452 452
453 hopopt = (u8 *)(ip6h + 1); 453 hopopt = (u8 *)(ip6h + 1);
@@ -1475,7 +1475,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
1475 ip6h->payload_len == 0) 1475 ip6h->payload_len == 0)
1476 return 0; 1476 return 0;
1477 1477
1478 len = ntohs(ip6h->payload_len); 1478 len = ntohs(ip6h->payload_len) + sizeof(*ip6h);
1479 if (skb->len < len) 1479 if (skb->len < len)
1480 return -EINVAL; 1480 return -EINVAL;
1481 1481
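Review bot: The result of `ipv6_dev_get_saddr()` on new line 449 is discarded, so if no source address can be selected the query is still built with whatever `ip6h->saddr` happened to contain. Setting `daddr` first improves source selection but does not cover the failure case. br_ip6_multicast_alloc_query should check the return value and, on failure, free the buffer it is building and return NULL instead of emitting a query with an undefined source. The function body extends beyond the hunk, so the exact cleanup depends on code not shown here.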
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 19e2f46ed086..387013d33745 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -497,7 +497,7 @@ extern void br_stp_disable_bridge(struct net_bridge *br);
497extern void br_stp_set_enabled(struct net_bridge *br, unsigned long val); 497extern void br_stp_set_enabled(struct net_bridge *br, unsigned long val);
498extern void br_stp_enable_port(struct net_bridge_port *p); 498extern void br_stp_enable_port(struct net_bridge_port *p);
499extern void br_stp_disable_port(struct net_bridge_port *p); 499extern void br_stp_disable_port(struct net_bridge_port *p);
500extern void br_stp_recalculate_bridge_id(struct net_bridge *br); 500extern bool br_stp_recalculate_bridge_id(struct net_bridge *br);
501extern void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *a); 501extern void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *a);
502extern void br_stp_set_bridge_priority(struct net_bridge *br, 502extern void br_stp_set_bridge_priority(struct net_bridge *br,
503 u16 newprio); 503 u16 newprio);
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 79372d4a4055..9b61d09de9b9 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -204,7 +204,7 @@ void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *addr)
204static const unsigned short br_mac_zero_aligned[ETH_ALEN >> 1]; 204static const unsigned short br_mac_zero_aligned[ETH_ALEN >> 1];
205 205
206/* called under bridge lock */ 206/* called under bridge lock */
207void br_stp_recalculate_bridge_id(struct net_bridge *br) 207bool br_stp_recalculate_bridge_id(struct net_bridge *br)
208{ 208{
209 const unsigned char *br_mac_zero = 209 const unsigned char *br_mac_zero =
210 (const unsigned char *)br_mac_zero_aligned; 210 (const unsigned char *)br_mac_zero_aligned;
@@ -213,7 +213,7 @@ void br_stp_recalculate_bridge_id(struct net_bridge *br)
213 213
214 /* user has chosen a value so keep it */ 214 /* user has chosen a value so keep it */
215 if (br->flags & BR_SET_MAC_ADDR) 215 if (br->flags & BR_SET_MAC_ADDR)
216 return; 216 return false;
217 217
218 list_for_each_entry(p, &br->port_list, list) { 218 list_for_each_entry(p, &br->port_list, list) {
219 if (addr == br_mac_zero || 219 if (addr == br_mac_zero ||
@@ -222,8 +222,11 @@ void br_stp_recalculate_bridge_id(struct net_bridge *br)
222 222
223 } 223 }
224 224
225 if (compare_ether_addr(br->bridge_id.addr, addr)) 225 if (compare_ether_addr(br->bridge_id.addr, addr) == 0)
226 br_stp_change_bridge_id(br, addr); 226 return false; /* no change */
227
228 br_stp_change_bridge_id(br, addr);
229 return true;
227} 230}
228 231
229/* called under bridge lock */ 232/* called under bridge lock */
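Review bot: br_stp_recalculate_bridge_id now returns `bool`, but the comment above it on new line 206 still only says `/* called under bridge lock */`, so the meaning of the return value has to be read from the body. Extending it to `/* called under bridge lock; returns true if the bridge id (and thus the bridge address) was changed */` would document the contract that br_add_if relies on. The two `return false` paths differ in meaning (user-pinned address versus no change), and the first would benefit from the same short `/* no change */` remark that the second carries.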
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 8184c031d028..37a4034dfc29 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -852,7 +852,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
852 sock->state = SS_CONNECTING; 852 sock->state = SS_CONNECTING;
853 sk->sk_state = CAIF_CONNECTING; 853 sk->sk_state = CAIF_CONNECTING;
854 854
855 /* Check priority value comming from socket */ 855 /* Check priority value coming from socket */
856 /* if priority value is out of range it will be ajusted */ 856 /* if priority value is out of range it will be ajusted */
857 if (cf_sk->sk.sk_priority > CAIF_PRIO_MAX) 857 if (cf_sk->sk.sk_priority > CAIF_PRIO_MAX)
858 cf_sk->conn_req.priority = CAIF_PRIO_MAX; 858 cf_sk->conn_req.priority = CAIF_PRIO_MAX;
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 702be5a2c956..733d66f1b05a 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -95,7 +95,7 @@ struct s_pstats can_pstats; /* receive list statistics */
95 * af_can socket functions 95 * af_can socket functions
96 */ 96 */
97 97
98static int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 98int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
99{ 99{
100 struct sock *sk = sock->sk; 100 struct sock *sk = sock->sk;
101 101
@@ -108,6 +108,7 @@ static int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
108 return -ENOIOCTLCMD; 108 return -ENOIOCTLCMD;
109 } 109 }
110} 110}
111EXPORT_SYMBOL(can_ioctl);
111 112
112static void can_sock_destruct(struct sock *sk) 113static void can_sock_destruct(struct sock *sk)
113{ 114{
@@ -698,13 +699,9 @@ int can_proto_register(struct can_proto *cp)
698 printk(KERN_ERR "can: protocol %d already registered\n", 699 printk(KERN_ERR "can: protocol %d already registered\n",
699 proto); 700 proto);
700 err = -EBUSY; 701 err = -EBUSY;
701 } else { 702 } else
702 proto_tab[proto] = cp; 703 proto_tab[proto] = cp;
703 704
704 /* use generic ioctl function if not defined by module */
705 if (!cp->ops->ioctl)
706 cp->ops->ioctl = can_ioctl;
707 }
708 spin_unlock(&proto_tab_lock); 705 spin_unlock(&proto_tab_lock);
709 706
710 if (err < 0) 707 if (err < 0)
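Review bot: With the fallback removed from can_proto_register (new lines 702-703), a protocol that registers with `cp->ops->ioctl == NULL` is now accepted as it is, and nothing in the visible code rejects it or warns about it. bcm.c and raw.c are updated in this diff, but any other caller that relied on the default would end up with a NULL ioctl handler. A check at the top of the function, for example `if (!cp->ops->ioctl) return -EINVAL;`, would turn that into a registration error. The remaining `} else` followed by an unbraced statement also departs from kernel style, which wants braces on both branches when one of them has them.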
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 092dc88a7c64..57b1aed79014 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -387,7 +387,7 @@ static void bcm_tx_timeout_tsklet(unsigned long data)
387} 387}
388 388
389/* 389/*
390 * bcm_tx_timeout_handler - performes cyclic CAN frame transmissions 390 * bcm_tx_timeout_handler - performs cyclic CAN frame transmissions
391 */ 391 */
392static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer) 392static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer)
393{ 393{
@@ -1569,7 +1569,7 @@ static int bcm_recvmsg(struct kiocb *iocb, struct socket *sock,
1569 return size; 1569 return size;
1570} 1570}
1571 1571
1572static struct proto_ops bcm_ops __read_mostly = { 1572static const struct proto_ops bcm_ops = {
1573 .family = PF_CAN, 1573 .family = PF_CAN,
1574 .release = bcm_release, 1574 .release = bcm_release,
1575 .bind = sock_no_bind, 1575 .bind = sock_no_bind,
@@ -1578,7 +1578,7 @@ static struct proto_ops bcm_ops __read_mostly = {
1578 .accept = sock_no_accept, 1578 .accept = sock_no_accept,
1579 .getname = sock_no_getname, 1579 .getname = sock_no_getname,
1580 .poll = datagram_poll, 1580 .poll = datagram_poll,
1581 .ioctl = NULL, /* use can_ioctl() from af_can.c */ 1581 .ioctl = can_ioctl, /* use can_ioctl() from af_can.c */
1582 .listen = sock_no_listen, 1582 .listen = sock_no_listen,
1583 .shutdown = sock_no_shutdown, 1583 .shutdown = sock_no_shutdown,
1584 .setsockopt = sock_no_setsockopt, 1584 .setsockopt = sock_no_setsockopt,
diff --git a/net/can/raw.c b/net/can/raw.c
index 883e9d74fddf..649acfa7c70a 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -742,7 +742,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct socket *sock,
742 return size; 742 return size;
743} 743}
744 744
745static struct proto_ops raw_ops __read_mostly = { 745static const struct proto_ops raw_ops = {
746 .family = PF_CAN, 746 .family = PF_CAN,
747 .release = raw_release, 747 .release = raw_release,
748 .bind = raw_bind, 748 .bind = raw_bind,
@@ -751,7 +751,7 @@ static struct proto_ops raw_ops __read_mostly = {
751 .accept = sock_no_accept, 751 .accept = sock_no_accept,
752 .getname = raw_getname, 752 .getname = raw_getname,
753 .poll = datagram_poll, 753 .poll = datagram_poll,
754 .ioctl = NULL, /* use can_ioctl() from af_can.c */ 754 .ioctl = can_ioctl, /* use can_ioctl() from af_can.c */
755 .listen = sock_no_listen, 755 .listen = sock_no_listen,
756 .shutdown = sock_no_shutdown, 756 .shutdown = sock_no_shutdown,
757 .setsockopt = raw_setsockopt, 757 .setsockopt = raw_setsockopt,
diff --git a/net/ceph/Kconfig b/net/ceph/Kconfig
index ad424049b0cf..be683f2d401f 100644
--- a/net/ceph/Kconfig
+++ b/net/ceph/Kconfig
@@ -4,6 +4,7 @@ config CEPH_LIB
4 select LIBCRC32C 4 select LIBCRC32C
5 select CRYPTO_AES 5 select CRYPTO_AES
6 select CRYPTO 6 select CRYPTO
7 select KEYS
7 default n 8 default n
8 help 9 help
9 Choose Y or M here to include cephlib, which provides the 10 Choose Y or M here to include cephlib, which provides the
diff --git a/net/ceph/auth.c b/net/ceph/auth.c
index 549c1f43e1d5..b4bf4ac090f1 100644
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -35,12 +35,12 @@ static int ceph_auth_init_protocol(struct ceph_auth_client *ac, int protocol)
35/* 35/*
36 * setup, teardown. 36 * setup, teardown.
37 */ 37 */
38struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret) 38struct ceph_auth_client *ceph_auth_init(const char *name, const struct ceph_crypto_key *key)
39{ 39{
40 struct ceph_auth_client *ac; 40 struct ceph_auth_client *ac;
41 int ret; 41 int ret;
42 42
43 dout("auth_init name '%s' secret '%s'\n", name, secret); 43 dout("auth_init name '%s'\n", name);
44 44
45 ret = -ENOMEM; 45 ret = -ENOMEM;
46 ac = kzalloc(sizeof(*ac), GFP_NOFS); 46 ac = kzalloc(sizeof(*ac), GFP_NOFS);
@@ -52,8 +52,8 @@ struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret)
52 ac->name = name; 52 ac->name = name;
53 else 53 else
54 ac->name = CEPH_AUTH_NAME_DEFAULT; 54 ac->name = CEPH_AUTH_NAME_DEFAULT;
55 dout("auth_init name %s secret %s\n", ac->name, secret); 55 dout("auth_init name %s\n", ac->name);
56 ac->secret = secret; 56 ac->key = key;
57 return ac; 57 return ac;
58 58
59out: 59out:
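Review bot: ceph_auth_init stores the caller's pointer directly with `ac->key = key;` on new line 56, so the `ceph_crypto_key` must stay valid for the whole life of the auth client. That ownership rule is not written down in the visible code. ceph_x_init in auth_x.c takes its own copy with ceph_crypto_key_clone(), which suggests the pointer is treated as borrowed. A comment above the function, such as `/* @key is borrowed, not copied: the caller keeps ownership and must not free it before the auth client is destroyed */`, would prevent a later use-after-free of key material.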
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 7fd5dfcf6e18..1587dc6010c6 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -662,14 +662,16 @@ int ceph_x_init(struct ceph_auth_client *ac)
662 goto out; 662 goto out;
663 663
664 ret = -EINVAL; 664 ret = -EINVAL;
665 if (!ac->secret) { 665 if (!ac->key) {
666 pr_err("no secret set (for auth_x protocol)\n"); 666 pr_err("no secret set (for auth_x protocol)\n");
667 goto out_nomem; 667 goto out_nomem;
668 } 668 }
669 669
670 ret = ceph_crypto_key_unarmor(&xi->secret, ac->secret); 670 ret = ceph_crypto_key_clone(&xi->secret, ac->key);
671 if (ret) 671 if (ret < 0) {
672 pr_err("cannot clone key: %d\n", ret);
672 goto out_nomem; 673 goto out_nomem;
674 }
673 675
674 xi->starting = true; 676 xi->starting = true;
675 xi->ticket_handlers = RB_ROOT; 677 xi->ticket_handlers = RB_ROOT;
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 95f96ab94bba..132963abc266 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -5,6 +5,8 @@
5#include <linux/fs.h> 5#include <linux/fs.h>
6#include <linux/inet.h> 6#include <linux/inet.h>
7#include <linux/in6.h> 7#include <linux/in6.h>
8#include <linux/key.h>
9#include <keys/ceph-type.h>
8#include <linux/module.h> 10#include <linux/module.h>
9#include <linux/mount.h> 11#include <linux/mount.h>
10#include <linux/parser.h> 12#include <linux/parser.h>
@@ -20,6 +22,7 @@
20#include <linux/ceph/decode.h> 22#include <linux/ceph/decode.h>
21#include <linux/ceph/mon_client.h> 23#include <linux/ceph/mon_client.h>
22#include <linux/ceph/auth.h> 24#include <linux/ceph/auth.h>
25#include "crypto.h"
23 26
24 27
25 28
@@ -117,9 +120,29 @@ int ceph_compare_options(struct ceph_options *new_opt,
117 if (ret) 120 if (ret)
118 return ret; 121 return ret;
119 122
120 ret = strcmp_null(opt1->secret, opt2->secret); 123 if (opt1->key && !opt2->key)
121 if (ret) 124 return -1;
122 return ret; 125 if (!opt1->key && opt2->key)
126 return 1;
127 if (opt1->key && opt2->key) {
128 if (opt1->key->type != opt2->key->type)
129 return -1;
130 if (opt1->key->created.tv_sec != opt2->key->created.tv_sec)
131 return -1;
132 if (opt1->key->created.tv_nsec != opt2->key->created.tv_nsec)
133 return -1;
134 if (opt1->key->len != opt2->key->len)
135 return -1;
136 if (opt1->key->key && !opt2->key->key)
137 return -1;
138 if (!opt1->key->key && opt2->key->key)
139 return 1;
140 if (opt1->key->key && opt2->key->key) {
141 ret = memcmp(opt1->key->key, opt2->key->key, opt1->key->len);
142 if (ret)
143 return ret;
144 }
145 }
123 146
124 /* any matching mon ip implies a match */ 147 /* any matching mon ip implies a match */
125 for (i = 0; i < opt1->num_mon; i++) { 148 for (i = 0; i < opt1->num_mon; i++) {
@@ -176,6 +199,7 @@ enum {
176 Opt_fsid, 199 Opt_fsid,
177 Opt_name, 200 Opt_name,
178 Opt_secret, 201 Opt_secret,
202 Opt_key,
179 Opt_ip, 203 Opt_ip,
180 Opt_last_string, 204 Opt_last_string,
181 /* string args above */ 205 /* string args above */
@@ -192,6 +216,7 @@ static match_table_t opt_tokens = {
192 {Opt_fsid, "fsid=%s"}, 216 {Opt_fsid, "fsid=%s"},
193 {Opt_name, "name=%s"}, 217 {Opt_name, "name=%s"},
194 {Opt_secret, "secret=%s"}, 218 {Opt_secret, "secret=%s"},
219 {Opt_key, "key=%s"},
195 {Opt_ip, "ip=%s"}, 220 {Opt_ip, "ip=%s"},
196 /* string args above */ 221 /* string args above */
197 {Opt_noshare, "noshare"}, 222 {Opt_noshare, "noshare"},
@@ -203,11 +228,56 @@ void ceph_destroy_options(struct ceph_options *opt)
203{ 228{
204 dout("destroy_options %p\n", opt); 229 dout("destroy_options %p\n", opt);
205 kfree(opt->name); 230 kfree(opt->name);
206 kfree(opt->secret); 231 if (opt->key) {
232 ceph_crypto_key_destroy(opt->key);
233 kfree(opt->key);
234 }
207 kfree(opt); 235 kfree(opt);
208} 236}
209EXPORT_SYMBOL(ceph_destroy_options); 237EXPORT_SYMBOL(ceph_destroy_options);
210 238
239/* get secret from key store */
240static int get_secret(struct ceph_crypto_key *dst, const char *name) {
241 struct key *ukey;
242 int key_err;
243 int err = 0;
244 struct ceph_crypto_key *ckey;
245
246 ukey = request_key(&key_type_ceph, name, NULL);
247 if (!ukey || IS_ERR(ukey)) {
248 /* request_key errors don't map nicely to mount(2)
249 errors; don't even try, but still printk */
250 key_err = PTR_ERR(ukey);
251 switch (key_err) {
252 case -ENOKEY:
253 pr_warning("ceph: Mount failed due to key not found: %s\n", name);
254 break;
255 case -EKEYEXPIRED:
256 pr_warning("ceph: Mount failed due to expired key: %s\n", name);
257 break;
258 case -EKEYREVOKED:
259 pr_warning("ceph: Mount failed due to revoked key: %s\n", name);
260 break;
261 default:
262 pr_warning("ceph: Mount failed due to unknown key error"
263 " %d: %s\n", key_err, name);
264 }
265 err = -EPERM;
266 goto out;
267 }
268
269 ckey = ukey->payload.data;
270 err = ceph_crypto_key_clone(dst, ckey);
271 if (err)
272 goto out_key;
273 /* pass through, err is 0 */
274
275out_key:
276 key_put(ukey);
277out:
278 return err;
279}
280
211int ceph_parse_options(struct ceph_options **popt, char *options, 281int ceph_parse_options(struct ceph_options **popt, char *options,
212 const char *dev_name, const char *dev_name_end, 282 const char *dev_name, const char *dev_name_end,
213 int (*parse_extra_token)(char *c, void *private), 283 int (*parse_extra_token)(char *c, void *private),
@@ -295,9 +365,24 @@ int ceph_parse_options(struct ceph_options **popt, char *options,
295 GFP_KERNEL); 365 GFP_KERNEL);
296 break; 366 break;
297 case Opt_secret: 367 case Opt_secret:
298 opt->secret = kstrndup(argstr[0].from, 368 opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
299 argstr[0].to-argstr[0].from, 369 if (!opt->key) {
300 GFP_KERNEL); 370 err = -ENOMEM;
371 goto out;
372 }
373 err = ceph_crypto_key_unarmor(opt->key, argstr[0].from);
374 if (err < 0)
375 goto out;
376 break;
377 case Opt_key:
378 opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
379 if (!opt->key) {
380 err = -ENOMEM;
381 goto out;
382 }
383 err = get_secret(opt->key, argstr[0].from);
384 if (err < 0)
385 goto out;
301 break; 386 break;
302 387
303 /* misc */ 388 /* misc */
@@ -394,8 +479,8 @@ void ceph_destroy_client(struct ceph_client *client)
394 ceph_osdc_stop(&client->osdc); 479 ceph_osdc_stop(&client->osdc);
395 480
396 /* 481 /*
397 * make sure mds and osd connections close out before destroying 482 * make sure osd connections close out before destroying the
398 * the auth module, which is needed to free those connections' 483 * auth module, which is needed to free those connections'
399 * ceph_authorizers. 484 * ceph_authorizers.
400 */ 485 */
401 ceph_msgr_flush(); 486 ceph_msgr_flush();
@@ -496,10 +581,14 @@ static int __init init_ceph_lib(void)
496 if (ret < 0) 581 if (ret < 0)
497 goto out; 582 goto out;
498 583
499 ret = ceph_msgr_init(); 584 ret = ceph_crypto_init();
500 if (ret < 0) 585 if (ret < 0)
501 goto out_debugfs; 586 goto out_debugfs;
502 587
588 ret = ceph_msgr_init();
589 if (ret < 0)
590 goto out_crypto;
591
503 pr_info("loaded (mon/osd proto %d/%d, osdmap %d/%d %d/%d)\n", 592 pr_info("loaded (mon/osd proto %d/%d, osdmap %d/%d %d/%d)\n",
504 CEPH_MONC_PROTOCOL, CEPH_OSDC_PROTOCOL, 593 CEPH_MONC_PROTOCOL, CEPH_OSDC_PROTOCOL,
505 CEPH_OSDMAP_VERSION, CEPH_OSDMAP_VERSION_EXT, 594 CEPH_OSDMAP_VERSION, CEPH_OSDMAP_VERSION_EXT,
@@ -507,6 +596,8 @@ static int __init init_ceph_lib(void)
507 596
508 return 0; 597 return 0;
509 598
599out_crypto:
600 ceph_crypto_shutdown();
510out_debugfs: 601out_debugfs:
511 ceph_debugfs_cleanup(); 602 ceph_debugfs_cleanup();
512out: 603out:
@@ -517,6 +608,7 @@ static void __exit exit_ceph_lib(void)
517{ 608{
518 dout("exit_ceph_lib\n"); 609 dout("exit_ceph_lib\n");
519 ceph_msgr_exit(); 610 ceph_msgr_exit();
611 ceph_crypto_shutdown();
520 ceph_debugfs_cleanup(); 612 ceph_debugfs_cleanup();
521} 613}
522 614
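Review bot: In ceph_parse_options both the `Opt_secret` and the new `Opt_key` case assign `opt->key = kzalloc(...)` without checking whether an earlier `secret=` or `key=` token already set it, so a repeated or mixed option leaks the previous `struct ceph_crypto_key` together with its key bytes. Releasing the old value first, using the same pair ceph_destroy_options uses (`ceph_crypto_key_destroy(opt->key); kfree(opt->key);` guarded by `if (opt->key)`), or rejecting the duplicate with `-EINVAL`, would avoid leaving secret material stranded on the heap. The `out` label is outside the hunk, so it is not visible whether the `goto out` taken when ceph_crypto_key_unarmor() or get_secret() fails frees the freshly allocated `opt->key`; that path should be checked too.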
diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
index 7b505b0c983f..5a8009c9e0cd 100644
--- a/net/ceph/crypto.c
+++ b/net/ceph/crypto.c
@@ -5,10 +5,23 @@
5#include <linux/scatterlist.h> 5#include <linux/scatterlist.h>
6#include <linux/slab.h> 6#include <linux/slab.h>
7#include <crypto/hash.h> 7#include <crypto/hash.h>
8#include <linux/key-type.h>
8 9
10#include <keys/ceph-type.h>
9#include <linux/ceph/decode.h> 11#include <linux/ceph/decode.h>
10#include "crypto.h" 12#include "crypto.h"
11 13
14int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
15 const struct ceph_crypto_key *src)
16{
17 memcpy(dst, src, sizeof(struct ceph_crypto_key));
18 dst->key = kmalloc(src->len, GFP_NOFS);
19 if (!dst->key)
20 return -ENOMEM;
21 memcpy(dst->key, src->key, src->len);
22 return 0;
23}
24
12int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end) 25int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end)
13{ 26{
14 if (*p + sizeof(u16) + sizeof(key->created) + 27 if (*p + sizeof(u16) + sizeof(key->created) +
@@ -410,3 +423,63 @@ int ceph_encrypt2(struct ceph_crypto_key *secret, void *dst, size_t *dst_len,
410 return -EINVAL; 423 return -EINVAL;
411 } 424 }
412} 425}
426
427int ceph_key_instantiate(struct key *key, const void *data, size_t datalen)
428{
429 struct ceph_crypto_key *ckey;
430 int ret;
431 void *p;
432
433 ret = -EINVAL;
434 if (datalen <= 0 || datalen > 32767 || !data)
435 goto err;
436
437 ret = key_payload_reserve(key, datalen);
438 if (ret < 0)
439 goto err;
440
441 ret = -ENOMEM;
442 ckey = kmalloc(sizeof(*ckey), GFP_KERNEL);
443 if (!ckey)
444 goto err;
445
446 /* TODO ceph_crypto_key_decode should really take const input */
447 p = (void*)data;
448 ret = ceph_crypto_key_decode(ckey, &p, (char*)data+datalen);
449 if (ret < 0)
450 goto err_ckey;
451
452 key->payload.data = ckey;
453 return 0;
454
455err_ckey:
456 kfree(ckey);
457err:
458 return ret;
459}
460
461int ceph_key_match(const struct key *key, const void *description)
462{
463 return strcmp(key->description, description) == 0;
464}
465
466void ceph_key_destroy(struct key *key) {
467 struct ceph_crypto_key *ckey = key->payload.data;
468
469 ceph_crypto_key_destroy(ckey);
470}
471
472struct key_type key_type_ceph = {
473 .name = "ceph",
474 .instantiate = ceph_key_instantiate,
475 .match = ceph_key_match,
476 .destroy = ceph_key_destroy,
477};
478
479int ceph_crypto_init(void) {
480 return register_key_type(&key_type_ceph);
481}
482
483void ceph_crypto_shutdown(void) {
484 unregister_key_type(&key_type_ceph);
485}
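Review bot: ceph_key_destroy frees only the key bytes and leaks the `struct ceph_crypto_key` itself. It calls `ceph_crypto_key_destroy(ckey)`, which as far as the crypto.h hunk shows is just `kfree(key->key)`, while ceph_key_instantiate allocated the struct with `kmalloc(sizeof(*ckey), GFP_KERNEL)` and stored it in `key->payload.data`. Adding `kfree(ckey);` after the destroy call would release it. Both frees also hand secret key material back to the allocator without clearing it, so a zeroizing free (for example `kzfree()`, if this tree provides it) would be the safer choice for `key->key`. In ceph_key_instantiate, `datalen <= 0` on a `size_t` can only ever mean `datalen == 0`, and writing it that way would state the check honestly.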
diff --git a/net/ceph/crypto.h b/net/ceph/crypto.h
index f9eccace592b..1919d1550d75 100644
--- a/net/ceph/crypto.h
+++ b/net/ceph/crypto.h
@@ -19,6 +19,8 @@ static inline void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
19 kfree(key->key); 19 kfree(key->key);
20} 20}
21 21
22extern int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
23 const struct ceph_crypto_key *src);
22extern int ceph_crypto_key_encode(struct ceph_crypto_key *key, 24extern int ceph_crypto_key_encode(struct ceph_crypto_key *key,
23 void **p, void *end); 25 void **p, void *end);
24extern int ceph_crypto_key_decode(struct ceph_crypto_key *key, 26extern int ceph_crypto_key_decode(struct ceph_crypto_key *key,
@@ -40,6 +42,8 @@ extern int ceph_encrypt2(struct ceph_crypto_key *secret,
40 void *dst, size_t *dst_len, 42 void *dst, size_t *dst_len,
41 const void *src1, size_t src1_len, 43 const void *src1, size_t src1_len,
42 const void *src2, size_t src2_len); 44 const void *src2, size_t src2_len);
45extern int ceph_crypto_init(void);
46extern void ceph_crypto_shutdown(void);
43 47
44/* armor.c */ 48/* armor.c */
45extern int ceph_armor(char *dst, const char *src, const char *end); 49extern int ceph_armor(char *dst, const char *src, const char *end);
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 8a079399174a..cbe31fa45508 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -759,7 +759,7 @@ int ceph_monc_init(struct ceph_mon_client *monc, struct ceph_client *cl)
759 759
760 /* authentication */ 760 /* authentication */
761 monc->auth = ceph_auth_init(cl->options->name, 761 monc->auth = ceph_auth_init(cl->options->name,
762 cl->options->secret); 762 cl->options->key);
763 if (IS_ERR(monc->auth)) 763 if (IS_ERR(monc->auth))
764 return PTR_ERR(monc->auth); 764 return PTR_ERR(monc->auth);
765 monc->auth->want_keys = 765 monc->auth->want_keys =
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 02212ed50852..50af02737a3d 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -837,8 +837,7 @@ static void __unregister_request(struct ceph_osd_client *osdc,
837 dout("moving osd to %p lru\n", req->r_osd); 837 dout("moving osd to %p lru\n", req->r_osd);
838 __move_osd_to_lru(osdc, req->r_osd); 838 __move_osd_to_lru(osdc, req->r_osd);
839 } 839 }
840 if (list_empty(&req->r_osd_item) && 840 if (list_empty(&req->r_linger_item))
841 list_empty(&req->r_linger_item))
842 req->r_osd = NULL; 841 req->r_osd = NULL;
843 } 842 }
844 843
@@ -883,7 +882,8 @@ static void __unregister_linger_request(struct ceph_osd_client *osdc,
883 dout("moving osd to %p lru\n", req->r_osd); 882 dout("moving osd to %p lru\n", req->r_osd);
884 __move_osd_to_lru(osdc, req->r_osd); 883 __move_osd_to_lru(osdc, req->r_osd);
885 } 884 }
886 req->r_osd = NULL; 885 if (list_empty(&req->r_osd_item))
886 req->r_osd = NULL;
887 } 887 }
888} 888}
889 889
@@ -917,7 +917,7 @@ EXPORT_SYMBOL(ceph_osdc_set_request_linger);
917/* 917/*
918 * Pick an osd (the first 'up' osd in the pg), allocate the osd struct 918 * Pick an osd (the first 'up' osd in the pg), allocate the osd struct
919 * (as needed), and set the request r_osd appropriately. If there is 919 * (as needed), and set the request r_osd appropriately. If there is
920 * no up osd, set r_osd to NULL. Move the request to the appropiate list 920 * no up osd, set r_osd to NULL. Move the request to the appropriate list
921 * (unsent, homeless) or leave on in-flight lru. 921 * (unsent, homeless) or leave on in-flight lru.
922 * 922 *
923 * Return 0 if unchanged, 1 if changed, or negative on error. 923 * Return 0 if unchanged, 1 if changed, or negative on error.
@@ -1602,11 +1602,11 @@ void handle_watch_notify(struct ceph_osd_client *osdc, struct ceph_msg *msg)
1602 cookie, ver, event); 1602 cookie, ver, event);
1603 if (event) { 1603 if (event) {
1604 event_work = kmalloc(sizeof(*event_work), GFP_NOIO); 1604 event_work = kmalloc(sizeof(*event_work), GFP_NOIO);
1605 INIT_WORK(&event_work->work, do_event_work);
1606 if (!event_work) { 1605 if (!event_work) {
1607 dout("ERROR: could not allocate event_work\n"); 1606 dout("ERROR: could not allocate event_work\n");
1608 goto done_err; 1607 goto done_err;
1609 } 1608 }
1609 INIT_WORK(&event_work->work, do_event_work);
1610 event_work->event = event; 1610 event_work->event = event;
1611 event_work->ver = ver; 1611 event_work->ver = ver;
1612 event_work->notify_id = notify_id; 1612 event_work->notify_id = notify_id;
@@ -1672,7 +1672,7 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
1672 if (req->r_sent == 0) { 1672 if (req->r_sent == 0) {
1673 rc = __map_request(osdc, req); 1673 rc = __map_request(osdc, req);
1674 if (rc < 0) 1674 if (rc < 0)
1675 return rc; 1675 goto out_unlock;
1676 if (req->r_osd == NULL) { 1676 if (req->r_osd == NULL) {
1677 dout("send_request %p no up osds in pg\n", req); 1677 dout("send_request %p no up osds in pg\n", req);
1678 ceph_monc_request_next_osdmap(&osdc->client->monc); 1678 ceph_monc_request_next_osdmap(&osdc->client->monc);
@@ -1689,6 +1689,8 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
1689 } 1689 }
1690 } 1690 }
1691 } 1691 }
1692
1693out_unlock:
1692 mutex_unlock(&osdc->request_mutex); 1694 mutex_unlock(&osdc->request_mutex);
1693 up_read(&osdc->map_sem); 1695 up_read(&osdc->map_sem);
1694 return rc; 1696 return rc;
diff --git a/net/core/dev.c b/net/core/dev.c
index 0b88eba97dab..956d3b006e8b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1140,9 +1140,6 @@ static int __dev_open(struct net_device *dev)
1140 1140
1141 ASSERT_RTNL(); 1141 ASSERT_RTNL();
1142 1142
1143 /*
1144 * Is it even present?
1145 */
1146 if (!netif_device_present(dev)) 1143 if (!netif_device_present(dev))
1147 return -ENODEV; 1144 return -ENODEV;
1148 1145
@@ -1151,9 +1148,6 @@ static int __dev_open(struct net_device *dev)
1151 if (ret) 1148 if (ret)
1152 return ret; 1149 return ret;
1153 1150
1154 /*
1155 * Call device private open method
1156 */
1157 set_bit(__LINK_STATE_START, &dev->state); 1151 set_bit(__LINK_STATE_START, &dev->state);
1158 1152
1159 if (ops->ndo_validate_addr) 1153 if (ops->ndo_validate_addr)
@@ -1162,31 +1156,12 @@ static int __dev_open(struct net_device *dev)
1162 if (!ret && ops->ndo_open) 1156 if (!ret && ops->ndo_open)
1163 ret = ops->ndo_open(dev); 1157 ret = ops->ndo_open(dev);
1164 1158
1165 /*
1166 * If it went open OK then:
1167 */
1168
1169 if (ret) 1159 if (ret)
1170 clear_bit(__LINK_STATE_START, &dev->state); 1160 clear_bit(__LINK_STATE_START, &dev->state);
1171 else { 1161 else {
1172 /*
1173 * Set the flags.
1174 */
1175 dev->flags |= IFF_UP; 1162 dev->flags |= IFF_UP;
1176
1177 /*
1178 * Enable NET_DMA
1179 */
1180 net_dmaengine_get(); 1163 net_dmaengine_get();
1181
1182 /*
1183 * Initialize multicasting status
1184 */
1185 dev_set_rx_mode(dev); 1164 dev_set_rx_mode(dev);
1186
1187 /*
1188 * Wakeup transmit queue engine
1189 */
1190 dev_activate(dev); 1165 dev_activate(dev);
1191 } 1166 }
1192 1167
@@ -1209,22 +1184,13 @@ int dev_open(struct net_device *dev)
1209{ 1184{
1210 int ret; 1185 int ret;
1211 1186
1212 /*
1213 * Is it already up?
1214 */
1215 if (dev->flags & IFF_UP) 1187 if (dev->flags & IFF_UP)
1216 return 0; 1188 return 0;
1217 1189
1218 /*
1219 * Open device
1220 */
1221 ret = __dev_open(dev); 1190 ret = __dev_open(dev);
1222 if (ret < 0) 1191 if (ret < 0)
1223 return ret; 1192 return ret;
1224 1193
1225 /*
1226 * ... and announce new interface.
1227 */
1228 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING); 1194 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING);
1229 call_netdevice_notifiers(NETDEV_UP, dev); 1195 call_netdevice_notifiers(NETDEV_UP, dev);
1230 1196
@@ -1240,10 +1206,6 @@ static int __dev_close_many(struct list_head *head)
1240 might_sleep(); 1206 might_sleep();
1241 1207
1242 list_for_each_entry(dev, head, unreg_list) { 1208 list_for_each_entry(dev, head, unreg_list) {
1243 /*
1244 * Tell people we are going down, so that they can
1245 * prepare to death, when device is still operating.
1246 */
1247 call_netdevice_notifiers(NETDEV_GOING_DOWN, dev); 1209 call_netdevice_notifiers(NETDEV_GOING_DOWN, dev);
1248 1210
1249 clear_bit(__LINK_STATE_START, &dev->state); 1211 clear_bit(__LINK_STATE_START, &dev->state);
@@ -1272,15 +1234,7 @@ static int __dev_close_many(struct list_head *head)
1272 if (ops->ndo_stop) 1234 if (ops->ndo_stop)
1273 ops->ndo_stop(dev); 1235 ops->ndo_stop(dev);
1274 1236
1275 /*
1276 * Device is now down.
1277 */
1278
1279 dev->flags &= ~IFF_UP; 1237 dev->flags &= ~IFF_UP;
1280
1281 /*
1282 * Shutdown NET_DMA
1283 */
1284 net_dmaengine_put(); 1238 net_dmaengine_put();
1285 } 1239 }
1286 1240
@@ -1309,9 +1263,6 @@ static int dev_close_many(struct list_head *head)
1309 1263
1310 __dev_close_many(head); 1264 __dev_close_many(head);
1311 1265
1312 /*
1313 * Tell people we are down
1314 */
1315 list_for_each_entry(dev, head, unreg_list) { 1266 list_for_each_entry(dev, head, unreg_list) {
1316 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING); 1267 rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING);
1317 call_netdevice_notifiers(NETDEV_DOWN, dev); 1268 call_netdevice_notifiers(NETDEV_DOWN, dev);
@@ -1353,14 +1304,17 @@ EXPORT_SYMBOL(dev_close);
1353 */ 1304 */
1354void dev_disable_lro(struct net_device *dev) 1305void dev_disable_lro(struct net_device *dev)
1355{ 1306{
1356 if (dev->ethtool_ops && dev->ethtool_ops->get_flags && 1307 u32 flags;
1357 dev->ethtool_ops->set_flags) { 1308
1358 u32 flags = dev->ethtool_ops->get_flags(dev); 1309 if (dev->ethtool_ops && dev->ethtool_ops->get_flags)
1359 if (flags & ETH_FLAG_LRO) { 1310 flags = dev->ethtool_ops->get_flags(dev);
1360 flags &= ~ETH_FLAG_LRO; 1311 else
1361 dev->ethtool_ops->set_flags(dev, flags); 1312 flags = ethtool_op_get_flags(dev);
1362 } 1313
1363 } 1314 if (!(flags & ETH_FLAG_LRO))
1315 return;
1316
1317 __ethtool_set_flags(dev, flags & ~ETH_FLAG_LRO);
1364 WARN_ON(dev->features & NETIF_F_LRO); 1318 WARN_ON(dev->features & NETIF_F_LRO);
1365} 1319}
1366EXPORT_SYMBOL(dev_disable_lro); 1320EXPORT_SYMBOL(dev_disable_lro);
@@ -1368,11 +1322,6 @@ EXPORT_SYMBOL(dev_disable_lro);
1368 1322
1369static int dev_boot_phase = 1; 1323static int dev_boot_phase = 1;
1370 1324
1371/*
1372 * Device change register/unregister. These are not inline or static
1373 * as we export them to the world.
1374 */
1375
1376/** 1325/**
1377 * register_netdevice_notifier - register a network notifier block 1326 * register_netdevice_notifier - register a network notifier block
1378 * @nb: notifier 1327 * @nb: notifier
@@ -1474,6 +1423,7 @@ int call_netdevice_notifiers(unsigned long val, struct net_device *dev)
1474 ASSERT_RTNL(); 1423 ASSERT_RTNL();
1475 return raw_notifier_call_chain(&netdev_chain, val, dev); 1424 return raw_notifier_call_chain(&netdev_chain, val, dev);
1476} 1425}
1426EXPORT_SYMBOL(call_netdevice_notifiers);
1477 1427
1478/* When > 0 there are consumers of rx skb time stamps */ 1428/* When > 0 there are consumers of rx skb time stamps */
1479static atomic_t netstamp_needed = ATOMIC_INIT(0); 1429static atomic_t netstamp_needed = ATOMIC_INIT(0);
@@ -1504,6 +1454,27 @@ static inline void net_timestamp_check(struct sk_buff *skb)
1504 __net_timestamp(skb); 1454 __net_timestamp(skb);
1505} 1455}
1506 1456
1457static inline bool is_skb_forwardable(struct net_device *dev,
1458 struct sk_buff *skb)
1459{
1460 unsigned int len;
1461
1462 if (!(dev->flags & IFF_UP))
1463 return false;
1464
1465 len = dev->mtu + dev->hard_header_len + VLAN_HLEN;
1466 if (skb->len <= len)
1467 return true;
1468
1469 /* if TSO is enabled, we don't care about the length as the packet
1470 * could be forwarded without being segmented before
1471 */
1472 if (skb_is_gso(skb))
1473 return true;
1474
1475 return false;
1476}
1477
1507/** 1478/**
1508 * dev_forward_skb - loopback an skb to another netif 1479 * dev_forward_skb - loopback an skb to another netif
1509 * 1480 *
@@ -1527,8 +1498,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
1527 skb_orphan(skb); 1498 skb_orphan(skb);
1528 nf_reset(skb); 1499 nf_reset(skb);
1529 1500
1530 if (unlikely(!(dev->flags & IFF_UP) || 1501 if (unlikely(!is_skb_forwardable(dev, skb))) {
1531 (skb->len > (dev->mtu + dev->hard_header_len + VLAN_HLEN)))) {
1532 atomic_long_inc(&dev->rx_dropped); 1502 atomic_long_inc(&dev->rx_dropped);
1533 kfree_skb(skb); 1503 kfree_skb(skb);
1534 return NET_RX_DROP; 1504 return NET_RX_DROP;
@@ -2121,7 +2091,7 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
2121 u32 features; 2091 u32 features;
2122 2092
2123 /* 2093 /*
2124 * If device doesnt need skb->dst, release it right now while 2094 * If device doesn't need skb->dst, release it right now while
2125 * its hot in this cpu cache 2095 * its hot in this cpu cache
2126 */ 2096 */
2127 if (dev->priv_flags & IFF_XMIT_DST_RELEASE) 2097 if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
@@ -2181,7 +2151,7 @@ gso:
2181 nskb->next = NULL; 2151 nskb->next = NULL;
2182 2152
2183 /* 2153 /*
2184 * If device doesnt need nskb->dst, release it right now while 2154 * If device doesn't need nskb->dst, release it right now while
2185 * its hot in this cpu cache 2155 * its hot in this cpu cache
2186 */ 2156 */
2187 if (dev->priv_flags & IFF_XMIT_DST_RELEASE) 2157 if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
@@ -3000,8 +2970,8 @@ EXPORT_SYMBOL_GPL(br_fdb_test_addr_hook);
3000 * when CONFIG_NET_CLS_ACT is? otherwise some useless instructions 2970 * when CONFIG_NET_CLS_ACT is? otherwise some useless instructions
3001 * a compare and 2 stores extra right now if we dont have it on 2971 * a compare and 2 stores extra right now if we dont have it on
3002 * but have CONFIG_NET_CLS_ACT 2972 * but have CONFIG_NET_CLS_ACT
3003 * NOTE: This doesnt stop any functionality; if you dont have 2973 * NOTE: This doesn't stop any functionality; if you dont have
3004 * the ingress scheduler, you just cant add policies on ingress. 2974 * the ingress scheduler, you just can't add policies on ingress.
3005 * 2975 *
3006 */ 2976 */
3007static int ing_filter(struct sk_buff *skb, struct netdev_queue *rxq) 2977static int ing_filter(struct sk_buff *skb, struct netdev_queue *rxq)
@@ -3830,7 +3800,7 @@ static void net_rx_action(struct softirq_action *h)
3830 * with netpoll's poll_napi(). Only the entity which 3800 * with netpoll's poll_napi(). Only the entity which
3831 * obtains the lock and sees NAPI_STATE_SCHED set will 3801 * obtains the lock and sees NAPI_STATE_SCHED set will
3832 * actually make the ->poll() call. Therefore we avoid 3802 * actually make the ->poll() call. Therefore we avoid
3833 * accidently calling ->poll() when NAPI is not scheduled. 3803 * accidentally calling ->poll() when NAPI is not scheduled.
3834 */ 3804 */
3835 work = 0; 3805 work = 0;
3836 if (test_bit(NAPI_STATE_SCHED, &n->state)) { 3806 if (test_bit(NAPI_STATE_SCHED, &n->state)) {
@@ -6366,7 +6336,7 @@ static void __net_exit default_device_exit(struct net *net)
6366 if (dev->rtnl_link_ops) 6336 if (dev->rtnl_link_ops)
6367 continue; 6337 continue;
6368 6338
6369 /* Push remaing network devices to init_net */ 6339 /* Push remaining network devices to init_net */
6370 snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex); 6340 snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
6371 err = dev_change_net_namespace(dev, &init_net, fb_name); 6341 err = dev_change_net_namespace(dev, &init_net, fb_name);
6372 if (err) { 6342 if (err) {
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index a1086fb0c0c7..74ead9eca126 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -141,9 +141,24 @@ u32 ethtool_op_get_flags(struct net_device *dev)
141} 141}
142EXPORT_SYMBOL(ethtool_op_get_flags); 142EXPORT_SYMBOL(ethtool_op_get_flags);
143 143
144/* Check if device can enable (or disable) particular feature coded in "data"
145 * argument. Flags "supported" describe features that can be toggled by device.
146 * If feature can not be toggled, it state (enabled or disabled) must match
147 * hardcoded device features state, otherwise flags are marked as invalid.
148 */
149bool ethtool_invalid_flags(struct net_device *dev, u32 data, u32 supported)
150{
151 u32 features = dev->features & flags_dup_features;
152 /* "data" can contain only flags_dup_features bits,
153 * see __ethtool_set_flags */
154
155 return (features & ~supported) != (data & ~supported);
156}
157EXPORT_SYMBOL(ethtool_invalid_flags);
158
144int ethtool_op_set_flags(struct net_device *dev, u32 data, u32 supported) 159int ethtool_op_set_flags(struct net_device *dev, u32 data, u32 supported)
145{ 160{
146 if (data & ~supported) 161 if (ethtool_invalid_flags(dev, data, supported))
147 return -EINVAL; 162 return -EINVAL;
148 163
149 dev->features = ((dev->features & ~flags_dup_features) | 164 dev->features = ((dev->features & ~flags_dup_features) |
@@ -513,7 +528,7 @@ static int ethtool_set_one_feature(struct net_device *dev,
513 } 528 }
514} 529}
515 530
516static int __ethtool_set_flags(struct net_device *dev, u32 data) 531int __ethtool_set_flags(struct net_device *dev, u32 data)
517{ 532{
518 u32 changed; 533 u32 changed;
519 534
diff --git a/net/core/filter.c b/net/core/filter.c
index 232b1873bb28..afb8afb066bb 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -425,7 +425,7 @@ EXPORT_SYMBOL(sk_run_filter);
425 * As we dont want to clear mem[] array for each packet going through 425 * As we dont want to clear mem[] array for each packet going through
426 * sk_run_filter(), we check that filter loaded by user never try to read 426 * sk_run_filter(), we check that filter loaded by user never try to read
427 * a cell if not previously written, and we check all branches to be sure 427 * a cell if not previously written, and we check all branches to be sure
428 * a malicious user doesnt try to abuse us. 428 * a malicious user doesn't try to abuse us.
429 */ 429 */
430static int check_load_and_stores(struct sock_filter *filter, int flen) 430static int check_load_and_stores(struct sock_filter *filter, int flen)
431{ 431{
diff --git a/net/core/link_watch.c b/net/core/link_watch.c
index 01a1101b5936..a7b342131869 100644
--- a/net/core/link_watch.c
+++ b/net/core/link_watch.c
@@ -129,7 +129,7 @@ static void linkwatch_schedule_work(int urgent)
129 if (!cancel_delayed_work(&linkwatch_work)) 129 if (!cancel_delayed_work(&linkwatch_work))
130 return; 130 return;
131 131
132 /* Otherwise we reschedule it again for immediate exection. */ 132 /* Otherwise we reschedule it again for immediate execution. */
133 schedule_delayed_work(&linkwatch_work, 0); 133 schedule_delayed_work(&linkwatch_work, 0);
134} 134}
135 135
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 49f7ea5b4c75..d7c4bb4b1820 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -196,7 +196,7 @@ EXPORT_SYMBOL_GPL(__rtnl_register);
196 * as failure of this function is very unlikely, it can only happen due 196 * as failure of this function is very unlikely, it can only happen due
197 * to lack of memory when allocating the chain to store all message 197 * to lack of memory when allocating the chain to store all message
198 * handlers for a protocol. Meant for use in init functions where lack 198 * handlers for a protocol. Meant for use in init functions where lack
199 * of memory implies no sense in continueing. 199 * of memory implies no sense in continuing.
200 */ 200 */
201void rtnl_register(int protocol, int msgtype, 201void rtnl_register(int protocol, int msgtype,
202 rtnl_doit_func doit, rtnl_dumpit_func dumpit) 202 rtnl_doit_func doit, rtnl_dumpit_func dumpit)
@@ -1440,7 +1440,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
1440errout: 1440errout:
1441 if (err < 0 && modified && net_ratelimit()) 1441 if (err < 0 && modified && net_ratelimit())
1442 printk(KERN_WARNING "A link change request failed with " 1442 printk(KERN_WARNING "A link change request failed with "
1443 "some changes comitted already. Interface %s may " 1443 "some changes committed already. Interface %s may "
1444 "have been left with an inconsistent configuration, " 1444 "have been left with an inconsistent configuration, "
1445 "please check.\n", dev->name); 1445 "please check.\n", dev->name);
1446 1446
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 801dd08908f9..7ebeed0a877c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2267,7 +2267,7 @@ EXPORT_SYMBOL(skb_prepare_seq_read);
2267 * of bytes already consumed and the next call to 2267 * of bytes already consumed and the next call to
2268 * skb_seq_read() will return the remaining part of the block. 2268 * skb_seq_read() will return the remaining part of the block.
2269 * 2269 *
2270 * Note 1: The size of each block of data returned can be arbitary, 2270 * Note 1: The size of each block of data returned can be arbitrary,
2271 * this limitation is the cost for zerocopy seqeuental 2271 * this limitation is the cost for zerocopy seqeuental
2272 * reads of potentially non linear data. 2272 * reads of potentially non linear data.
2273 * 2273 *
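--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -215,7 +215,7 @@ __u32 sysctl_rmem_max __read_mostly = SK_RMEM_MAX;
 __u32 sysctl_wmem_default __read_mostly = SK_WMEM_MAX;
 __u32 sysctl_rmem_default __read_mostly = SK_RMEM_MAX;
 
-/* Maximal space eaten by iovec or ancilliary data plus some space */
+/* Maximal space eaten by iovec or ancillary data plus some space */
 int sysctl_optmem_max __read_mostly = sizeof(unsigned long)*(2*UIO_MAXIOV+512);
 EXPORT_SYMBOL(sysctl_optmem_max);
 
@@ -1175,7 +1175,7 @@ static void __sk_free(struct sock *sk)
 void sk_free(struct sock *sk)
 {
  /*
- * We substract one from sk_wmem_alloc and can know if
+ * We subtract one from sk_wmem_alloc and can know if
  * some packets are still in some tx queue.
  * If not null, sock_wfree() will call __sk_free(sk) later
  */
@@ -1185,10 +1185,10 @@ void sk_free(struct sock *sk)
 EXPORT_SYMBOL(sk_free);
 
 /*
- * Last sock_put should drop referrence to sk->sk_net. It has already
- * been dropped in sk_change_net. Taking referrence to stopping namespace
+ * Last sock_put should drop reference to sk->sk_net. It has already
+ * been dropped in sk_change_net. Taking reference to stopping namespace
  * is not an option.
- * Take referrence to a socket to remove it from hash _alive_ and after that
+ * Take reference to a socket to remove it from hash _alive_ and after that
  * destroy it in the context of init_net.
  */
 void sk_release_kernel(struct sock *sk)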
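--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -143,7 +143,7 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
 }
 
 /**
- * dccp_determine_ccmps - Find out about CCID-specfic packet-size limits
+ * dccp_determine_ccmps - Find out about CCID-specific packet-size limits
  * We only consider the HC-sender CCID for setting the CCMPS (RFC 4340, 14.),
  * since the RX CCID is restricted to feedback packets (Acks), which are small
  * in comparison with the data traffic. A value of 0 means "no current CCMPS".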
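--- a/net/dsa/mv88e6131.c
+++ b/net/dsa/mv88e6131.c
@@ -124,7 +124,7 @@ static int mv88e6131_setup_global(struct dsa_switch *ds)
  * Ignore removed tag data on doubly tagged packets, disable
  * flow control messages, force flow control priority to the
  * highest, and send all special multicast frames to the CPU
- * port at the higest priority.
+ * port at the highest priority.
  */
  REG_WRITE(REG_GLOBAL2, 0x05, 0x00ff);
 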
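--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -215,6 +215,9 @@ int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
  case ARPHRD_INFINIBAND:
  ip_ib_mc_map(addr, dev->broadcast, haddr);
  return 0;
+ case ARPHRD_IPGRE:
+ ip_ipgre_mc_map(addr, dev->broadcast, haddr);
+ return 0;
  default:
  if (dir) {
  memcpy(haddr, dev->broadcast, dev->addr_len);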
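Review bot: The new `ARPHRD_IPGRE` case passes `haddr` to `ip_ipgre_mc_map()` without any indication of how many bytes the helper stores, whereas the `default` branch right below bounds its copy with `dev->addr_len`. The helper is not defined in this section, so this is a documentation request rather than a confirmed defect: a comment on the case such as `/* ip_ipgre_mc_map() stores <N> bytes in haddr; callers must size haddr for that */` (with the real length filled in) would let a reader check the callers' buffers. `arp_mc_map()` starts and ends outside the hunk.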
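--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -112,7 +112,7 @@ int cipso_v4_rbm_strictvalid = 1;
 /* The maximum number of category ranges permitted in the ranged category tag
  * (tag #5). You may note that the IETF draft states that the maximum number
  * of category ranges is 7, but if the low end of the last category range is
- * zero then it is possibile to fit 8 category ranges because the zero should
+ * zero then it is possible to fit 8 category ranges because the zero should
  * be omitted. */
 #define CIPSO_V4_TAG_RNG_CAT_MAX 8
 
@@ -438,7 +438,7 @@ cache_add_failure:
  *
  * Description:
  * Search the DOI definition list for a DOI definition with a DOI value that
- * matches @doi. The caller is responsibile for calling rcu_read_[un]lock().
+ * matches @doi. The caller is responsible for calling rcu_read_[un]lock().
  * Returns a pointer to the DOI definition on success and NULL on failure.
  */
 static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
@@ -1293,7 +1293,7 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
  return ret_val;
 
  /* This will send packets using the "optimized" format when
- * possibile as specified in section 3.4.2.6 of the
+ * possible as specified in section 3.4.2.6 of the
  * CIPSO draft. */
  if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
  tag_len = 14;
@@ -1752,7 +1752,7 @@ validate_return:
 }
 
 /**
- * cipso_v4_error - Send the correct reponse for a bad packet
+ * cipso_v4_error - Send the correct response for a bad packet
  * @skb: the packet
  * @error: the error code
  * @gateway: CIPSO gateway flag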
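--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -64,6 +64,8 @@
 #include <net/rtnetlink.h>
 #include <net/net_namespace.h>
 
+#include "fib_lookup.h"
+
 static struct ipv4_devconf ipv4_devconf = {
  .data = {
  [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
@@ -151,6 +153,20 @@ struct net_device *__ip_dev_find(struct net *net, __be32 addr, bool devref)
  break;
  }
  }
+ if (!result) {
+ struct flowi4 fl4 = { .daddr = addr };
+ struct fib_result res = { 0 };
+ struct fib_table *local;
+
+ /* Fallback to FIB local table so that communication
+ * over loopback subnets work.
+ */
+ local = fib_get_table(net, RT_TABLE_LOCAL);
+ if (local &&
+ !fib_table_lookup(local, &fl4, &res, FIB_LOOKUP_NOREF) &&
+ res.type == RTN_LOCAL)
+ result = FIB_RES_DEV(res);
+ }
  if (result && devref)
  dev_hold(result);
  rcu_read_unlock();
@@ -345,6 +361,17 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
  }
  }
 
+ /* On promotion all secondaries from subnet are changing
+ * the primary IP, we must remove all their routes silently
+ * and later to add them back with new prefsrc. Do this
+ * while all addresses are on the device list.
+ */
+ for (ifa = promote; ifa; ifa = ifa->ifa_next) {
+ if (ifa1->ifa_mask == ifa->ifa_mask &&
+ inet_ifa_match(ifa1->ifa_address, ifa))
+ fib_del_ifaddr(ifa, ifa1);
+ }
+
  /* 2. Unlink it */
 
  *ifap = ifa1->ifa_next;
@@ -364,6 +391,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
  blocking_notifier_call_chain(&inetaddr_chain, NETDEV_DOWN, ifa1);
 
  if (promote) {
+ struct in_ifaddr *next_sec = promote->ifa_next;
 
  if (prev_prom) {
  prev_prom->ifa_next = promote->ifa_next;
@@ -375,7 +403,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
  rtmsg_ifa(RTM_NEWADDR, promote, nlh, pid);
  blocking_notifier_call_chain(&inetaddr_chain,
  NETDEV_UP, promote);
- for (ifa = promote->ifa_next; ifa; ifa = ifa->ifa_next) {
+ for (ifa = next_sec; ifa; ifa = ifa->ifa_next) {
  if (ifa1->ifa_mask != ifa->ifa_mask ||
  !inet_ifa_match(ifa1->ifa_address, ifa))
  continue;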
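Review bot: The fallback added to `__ip_dev_find()` widens what the function answers: it now returns a device for any address the local table resolves as `RTN_LOCAL`, not only for an address found on a device's address list. Callers are outside this section, so whether any of them treats a non-NULL result as "this exact address is configured here" is an assumption to confirm. The block comment should state the new contract, e.g. `/* May return the device of a covering local route (e.g. a loopback subnet), not only of an exactly configured address. */`. The lookup passes `FIB_LOOKUP_NOREF`, so it relies on the RCU read-side section that the visible `rcu_read_unlock()` closes; the function starts outside the hunk.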
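--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -228,7 +228,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
  if (res.type != RTN_LOCAL || !accept_local)
  goto e_inval;
  }
- *spec_dst = FIB_RES_PREFSRC(res);
+ *spec_dst = FIB_RES_PREFSRC(net, res);
  fib_combine_itag(itag, &res);
  dev_match = false;
 
@@ -258,7 +258,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
  ret = 0;
  if (fib_lookup(net, &fl4, &res) == 0) {
  if (res.type == RTN_UNICAST) {
- *spec_dst = FIB_RES_PREFSRC(res);
+ *spec_dst = FIB_RES_PREFSRC(net, res);
  ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
  }
  }
@@ -722,12 +722,17 @@ void fib_add_ifaddr(struct in_ifaddr *ifa)
  }
 }
 
-static void fib_del_ifaddr(struct in_ifaddr *ifa)
+/* Delete primary or secondary address.
+ * Optionally, on secondary address promotion consider the addresses
+ * from subnet iprim as deleted, even if they are in device list.
+ * In this case the secondary ifa can be in device list.
+ */
+void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
 {
  struct in_device *in_dev = ifa->ifa_dev;
  struct net_device *dev = in_dev->dev;
  struct in_ifaddr *ifa1;
- struct in_ifaddr *prim = ifa;
+ struct in_ifaddr *prim = ifa, *prim1 = NULL;
  __be32 brd = ifa->ifa_address | ~ifa->ifa_mask;
  __be32 any = ifa->ifa_address & ifa->ifa_mask;
 #define LOCAL_OK 1
@@ -735,17 +740,26 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
 #define BRD0_OK 4
 #define BRD1_OK 8
  unsigned ok = 0;
+ int subnet = 0; /* Primary network */
+ int gone = 1; /* Address is missing */
+ int same_prefsrc = 0; /* Another primary with same IP */
 
- if (!(ifa->ifa_flags & IFA_F_SECONDARY))
- fib_magic(RTM_DELROUTE,
- dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
- any, ifa->ifa_prefixlen, prim);
- else {
+ if (ifa->ifa_flags & IFA_F_SECONDARY) {
  prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
  if (prim == NULL) {
  printk(KERN_WARNING "fib_del_ifaddr: bug: prim == NULL\n");
  return;
  }
+ if (iprim && iprim != prim) {
+ printk(KERN_WARNING "fib_del_ifaddr: bug: iprim != prim\n");
+ return;
+ }
+ } else if (!ipv4_is_zeronet(any) &&
+ (any != ifa->ifa_local || ifa->ifa_prefixlen < 32)) {
+ fib_magic(RTM_DELROUTE,
+ dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
+ any, ifa->ifa_prefixlen, prim);
+ subnet = 1;
  }
 
  /* Deletion is more complicated than add.
@@ -755,6 +769,49 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
  */
 
  for (ifa1 = in_dev->ifa_list; ifa1; ifa1 = ifa1->ifa_next) {
+ if (ifa1 == ifa) {
+ /* promotion, keep the IP */
+ gone = 0;
+ continue;
+ }
+ /* Ignore IFAs from our subnet */
+ if (iprim && ifa1->ifa_mask == iprim->ifa_mask &&
+ inet_ifa_match(ifa1->ifa_address, iprim))
+ continue;
+
+ /* Ignore ifa1 if it uses different primary IP (prefsrc) */
+ if (ifa1->ifa_flags & IFA_F_SECONDARY) {
+ /* Another address from our subnet? */
+ if (ifa1->ifa_mask == prim->ifa_mask &&
+ inet_ifa_match(ifa1->ifa_address, prim))
+ prim1 = prim;
+ else {
+ /* We reached the secondaries, so
+ * same_prefsrc should be determined.
+ */
+ if (!same_prefsrc)
+ continue;
+ /* Search new prim1 if ifa1 is not
+ * using the current prim1
+ */
+ if (!prim1 ||
+ ifa1->ifa_mask != prim1->ifa_mask ||
+ !inet_ifa_match(ifa1->ifa_address, prim1))
+ prim1 = inet_ifa_byprefix(in_dev,
+ ifa1->ifa_address,
+ ifa1->ifa_mask);
+ if (!prim1)
+ continue;
+ if (prim1->ifa_local != prim->ifa_local)
+ continue;
+ }
+ } else {
+ if (prim->ifa_local != ifa1->ifa_local)
+ continue;
+ prim1 = ifa1;
+ if (prim != prim1)
+ same_prefsrc = 1;
+ }
  if (ifa->ifa_local == ifa1->ifa_local)
  ok |= LOCAL_OK;
  if (ifa->ifa_broadcast == ifa1->ifa_broadcast)
@@ -763,19 +820,37 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
  ok |= BRD1_OK;
  if (any == ifa1->ifa_broadcast)
  ok |= BRD0_OK;
+ /* primary has network specific broadcasts */
+ if (prim1 == ifa1 && ifa1->ifa_prefixlen < 31) {
+ __be32 brd1 = ifa1->ifa_address | ~ifa1->ifa_mask;
+ __be32 any1 = ifa1->ifa_address & ifa1->ifa_mask;
+
+ if (!ipv4_is_zeronet(any1)) {
+ if (ifa->ifa_broadcast == brd1 ||
+ ifa->ifa_broadcast == any1)
+ ok |= BRD_OK;
+ if (brd == brd1 || brd == any1)
+ ok |= BRD1_OK;
+ if (any == brd1 || any == any1)
+ ok |= BRD0_OK;
+ }
+ }
  }
 
  if (!(ok & BRD_OK))
  fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
- if (!(ok & BRD1_OK))
- fib_magic(RTM_DELROUTE, RTN_BROADCAST, brd, 32, prim);
- if (!(ok & BRD0_OK))
- fib_magic(RTM_DELROUTE, RTN_BROADCAST, any, 32, prim);
+ if (subnet && ifa->ifa_prefixlen < 31) {
+ if (!(ok & BRD1_OK))
+ fib_magic(RTM_DELROUTE, RTN_BROADCAST, brd, 32, prim);
+ if (!(ok & BRD0_OK))
+ fib_magic(RTM_DELROUTE, RTN_BROADCAST, any, 32, prim);
+ }
  if (!(ok & LOCAL_OK)) {
  fib_magic(RTM_DELROUTE, RTN_LOCAL, ifa->ifa_local, 32, prim);
 
  /* Check, that this local address finally disappeared. */
- if (inet_addr_type(dev_net(dev), ifa->ifa_local) != RTN_LOCAL) {
+ if (gone &&
+ inet_addr_type(dev_net(dev), ifa->ifa_local) != RTN_LOCAL) {
  /* And the last, but not the least thing.
  * We must flush stray FIB entries.
  *
@@ -885,6 +960,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 {
  struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
  struct net_device *dev = ifa->ifa_dev->dev;
+ struct net *net = dev_net(dev);
 
  switch (event) {
  case NETDEV_UP:
@@ -892,12 +968,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
  fib_sync_up(dev);
 #endif
- fib_update_nh_saddrs(dev);
+ atomic_inc(&net->ipv4.dev_addr_genid);
  rt_cache_flush(dev_net(dev), -1);
  break;
  case NETDEV_DOWN:
- fib_del_ifaddr(ifa);
- fib_update_nh_saddrs(dev);
+ fib_del_ifaddr(ifa, NULL);
+ atomic_inc(&net->ipv4.dev_addr_genid);
  if (ifa->ifa_dev->ifa_list == NULL) {
  /* Last address was deleted from this interface.
  * Disable IP.
@@ -915,6 +991,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
 {
  struct net_device *dev = ptr;
  struct in_device *in_dev = __in_dev_get_rtnl(dev);
+ struct net *net = dev_net(dev);
 
  if (event == NETDEV_UNREGISTER) {
  fib_disable_ip(dev, 2, -1);
@@ -932,6 +1009,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
  fib_sync_up(dev);
 #endif
+ atomic_inc(&net->ipv4.dev_addr_genid);
  rt_cache_flush(dev_net(dev), -1);
  break;
  case NETDEV_DOWN:
@@ -990,6 +1068,7 @@ static void ip_fib_net_exit(struct net *net)
  fib4_rules_exit(net);
 #endif
 
+ rtnl_lock();
  for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
  struct fib_table *tb;
  struct hlist_head *head;
@@ -1002,6 +1081,7 @@ static void ip_fib_net_exit(struct net *net)
  fib_free_table(tb);
  }
  }
+ rtnl_unlock();
  kfree(net->ipv4.fib_table_hash);
 }
 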
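Review bot: The scan added to `fib_del_ifaddr()` depends on `in_dev->ifa_list` holding every primary address ahead of any secondary: `same_prefsrc` is only set in the primary branch, and the secondary branch gives up with `if (!same_prefsrc) continue;`. Nothing in the hunk establishes that ordering, and a secondary visited too early is skipped before it can set its `*_OK` bit, so a route it still needs could be deleted. The invariant should be stated at the loop head, e.g. `/* ifa_list keeps primaries ahead of secondaries, so same_prefsrc is final once the first secondary is reached */`. Separately, `fib_inetaddr_event()` and `fib_netdev_event()` gain a `net` local but still call `rt_cache_flush(dev_net(dev), -1)`; `rt_cache_flush(net, -1)` would be consistent.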
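--- a/net/ipv4/fib_lookup.h
+++ b/net/ipv4/fib_lookup.h
@@ -10,7 +10,6 @@ struct fib_alias {
  struct fib_info *fa_info;
  u8 fa_tos;
  u8 fa_type;
- u8 fa_scope;
  u8 fa_state;
  struct rcu_head rcu;
 };
@@ -29,7 +28,7 @@ extern void fib_release_info(struct fib_info *);
 extern struct fib_info *fib_create_info(struct fib_config *cfg);
 extern int fib_nh_match(struct fib_config *cfg, struct fib_info *fi);
 extern int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
- u32 tb_id, u8 type, u8 scope, __be32 dst,
+ u32 tb_id, u8 type, __be32 dst,
  int dst_len, u8 tos, struct fib_info *fi,
  unsigned int);
 extern void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,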
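--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -222,7 +222,7 @@ static inline unsigned int fib_info_hashfn(const struct fib_info *fi)
  unsigned int mask = (fib_info_hash_size - 1);
  unsigned int val = fi->fib_nhs;
 
- val ^= fi->fib_protocol;
+ val ^= (fi->fib_protocol << 8) | fi->fib_scope;
  val ^= (__force u32)fi->fib_prefsrc;
  val ^= fi->fib_priority;
  for_nexthops(fi) {
@@ -248,10 +248,11 @@ static struct fib_info *fib_find_info(const struct fib_info *nfi)
  if (fi->fib_nhs != nfi->fib_nhs)
  continue;
  if (nfi->fib_protocol == fi->fib_protocol &&
+ nfi->fib_scope == fi->fib_scope &&
  nfi->fib_prefsrc == fi->fib_prefsrc &&
  nfi->fib_priority == fi->fib_priority &&
  memcmp(nfi->fib_metrics, fi->fib_metrics,
- sizeof(fi->fib_metrics)) == 0 &&
+ sizeof(u32) * RTAX_MAX) == 0 &&
  ((nfi->fib_flags ^ fi->fib_flags) & ~RTNH_F_DEAD) == 0 &&
  (nfi->fib_nhs == 0 || nh_comp(fi, nfi) == 0))
  return fi;
@@ -328,7 +329,7 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
  goto errout;
 
  err = fib_dump_info(skb, info->pid, seq, event, tb_id,
- fa->fa_type, fa->fa_scope, key, dst_len,
+ fa->fa_type, key, dst_len,
  fa->fa_tos, fa->fa_info, nlm_flags);
  if (err < 0) {
  /* -EMSGSIZE implies BUG in fib_nlmsg_size() */
@@ -695,6 +696,16 @@ static void fib_info_hash_move(struct hlist_head *new_info_hash,
  fib_info_hash_free(old_laddrhash, bytes);
 }
 
+__be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
+{
+ nh->nh_saddr = inet_select_addr(nh->nh_dev,
+ nh->nh_gw,
+ nh->nh_parent->fib_scope);
+ nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
+
+ return nh->nh_saddr;
+}
+
 struct fib_info *fib_create_info(struct fib_config *cfg)
 {
  int err;
@@ -753,6 +764,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
 
  fi->fib_net = hold_net(net);
  fi->fib_protocol = cfg->fc_protocol;
+ fi->fib_scope = cfg->fc_scope;
  fi->fib_flags = cfg->fc_flags;
  fi->fib_priority = cfg->fc_priority;
  fi->fib_prefsrc = cfg->fc_prefsrc;
@@ -854,10 +866,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
  }
 
  change_nexthops(fi) {
- nexthop_nh->nh_cfg_scope = cfg->fc_scope;
- nexthop_nh->nh_saddr = inet_select_addr(nexthop_nh->nh_dev,
- nexthop_nh->nh_gw,
- nexthop_nh->nh_cfg_scope);
+ fib_info_update_nh_saddr(net, nexthop_nh);
  } endfor_nexthops(fi)
 
 link_it:
@@ -906,7 +915,7 @@ failure:
 }
 
 int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
- u32 tb_id, u8 type, u8 scope, __be32 dst, int dst_len, u8 tos,
+ u32 tb_id, u8 type, __be32 dst, int dst_len, u8 tos,
  struct fib_info *fi, unsigned int flags)
 {
  struct nlmsghdr *nlh;
@@ -928,7 +937,7 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
  NLA_PUT_U32(skb, RTA_TABLE, tb_id);
  rtm->rtm_type = type;
  rtm->rtm_flags = fi->fib_flags;
- rtm->rtm_scope = scope;
+ rtm->rtm_scope = fi->fib_scope;
  rtm->rtm_protocol = fi->fib_protocol;
 
  if (rtm->rtm_dst_len)
@@ -1084,7 +1093,7 @@ void fib_select_default(struct fib_result *res)
  list_for_each_entry_rcu(fa, fa_head, fa_list) {
  struct fib_info *next_fi = fa->fa_info;
 
- if (fa->fa_scope != res->scope ||
+ if (next_fi->fib_scope != res->scope ||
  fa->fa_type != RTN_UNICAST)
  continue;
 
@@ -1128,24 +1137,6 @@ out:
  return;
 }
 
-void fib_update_nh_saddrs(struct net_device *dev)
-{
- struct hlist_head *head;
- struct hlist_node *node;
- struct fib_nh *nh;
- unsigned int hash;
-
- hash = fib_devindex_hashfn(dev->ifindex);
- head = &fib_info_devhash[hash];
- hlist_for_each_entry(nh, node, head, nh_hash) {
- if (nh->nh_dev != dev)
- continue;
- nh->nh_saddr = inet_select_addr(nh->nh_dev,
- nh->nh_gw,
- nh->nh_cfg_scope);
- }
-}
-
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
 
 /*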
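Review bot: `fib_info_update_nh_saddr()` is a new non-static function that updates `nh->nh_saddr` and `nh->nh_saddr_genid` with plain stores, and it carries no comment on who may call it or in which context. The removed `fib_update_nh_saddrs()` ran from the address notifiers; the `FIB_RES_PREFSRC(net, res)` call sites elsewhere in this commit suggest the refresh may now happen at lookup time, but the macro is not visible here, so that needs confirming. A header comment such as `/* Recompute the cached source address of @nh and stamp it with the current dev_addr_genid. Context: <required locking> */` would record the expectation. In `fib_find_info()`, `sizeof(u32) * RTAX_MAX` hard-codes the element type of `fib_metrics`; `sizeof(*fi->fib_metrics) * RTAX_MAX` would follow the field if its type changes.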
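--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -12,7 +12,7 @@
  *
  * Hans Liss <hans.liss@its.uu.se> Uppsala Universitet
  *
- * This work is based on the LPC-trie which is originally descibed in:
+ * This work is based on the LPC-trie which is originally described in:
  *
  * An experimental study of compression methods for dynamic tries
  * Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
@@ -1245,7 +1245,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
  if (fa->fa_info->fib_priority != fi->fib_priority)
  break;
  if (fa->fa_type == cfg->fc_type &&
- fa->fa_scope == cfg->fc_scope &&
  fa->fa_info == fi) {
  fa_match = fa;
  break;
@@ -1271,7 +1270,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
  new_fa->fa_tos = fa->fa_tos;
  new_fa->fa_info = fi;
  new_fa->fa_type = cfg->fc_type;
- new_fa->fa_scope = cfg->fc_scope;
  state = fa->fa_state;
  new_fa->fa_state = state & ~FA_S_ACCESSED;
 
@@ -1308,7 +1306,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
  new_fa->fa_info = fi;
  new_fa->fa_tos = tos;
  new_fa->fa_type = cfg->fc_type;
- new_fa->fa_scope = cfg->fc_scope;
  new_fa->fa_state = 0;
  /*
  * Insert new entry to the list.
@@ -1362,15 +1359,15 @@ static int check_leaf(struct fib_table *tb, struct trie *t, struct leaf *l,
 
  if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos)
  continue;
- if (fa->fa_scope < flp->flowi4_scope)
+ if (fa->fa_info->fib_scope < flp->flowi4_scope)
  continue;
  fib_alias_accessed(fa);
  err = fib_props[fa->fa_type].error;
  if (err) {
 #ifdef CONFIG_IP_FIB_TRIE_STATS
- t->stats.semantic_match_miss++;
+ t->stats.semantic_match_passed++;
 #endif
- return 1;
+ return err;
  }
  if (fi->fib_flags & RTNH_F_DEAD)
  continue;
@@ -1388,7 +1385,7 @@ static int check_leaf(struct fib_table *tb, struct trie *t, struct leaf *l,
  res->prefixlen = plen;
  res->nh_sel = nhsel;
  res->type = fa->fa_type;
- res->scope = fa->fa_scope;
+ res->scope = fa->fa_info->fib_scope;
  res->fi = fi;
  res->table = tb;
  res->fa_head = &li->falh;
@@ -1664,7 +1661,9 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
 
  if ((!cfg->fc_type || fa->fa_type == cfg->fc_type) &&
  (cfg->fc_scope == RT_SCOPE_NOWHERE ||
- fa->fa_scope == cfg->fc_scope) &&
+ fa->fa_info->fib_scope == cfg->fc_scope) &&
+ (!cfg->fc_prefsrc ||
+ fi->fib_prefsrc == cfg->fc_prefsrc) &&
  (!cfg->fc_protocol ||
  fi->fib_protocol == cfg->fc_protocol) &&
  fib_nh_match(cfg, fi) == 0) {
@@ -1861,7 +1860,6 @@ static int fn_trie_dump_fa(t_key key, int plen, struct list_head *fah,
  RTM_NEWROUTE,
  tb->tb_id,
  fa->fa_type,
- fa->fa_scope,
  xkey,
  plen,
  fa->fa_tos,
@@ -2382,7 +2380,7 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
  seq_indent(seq, iter->depth+1);
  seq_printf(seq, " /%d %s %s", li->plen,
  rtn_scope(buf1, sizeof(buf1),
- fa->fa_scope),
+ fa->fa_info->fib_scope),
  rtn_type(buf2, sizeof(buf2),
  fa->fa_type));
  if (fa->fa_tos)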
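Review bot: `check_leaf()` now returns `fib_props[fa->fa_type].error` instead of `1` when the matched alias is an error-type route, which changes the function's return contract without any comment recording it. The caller is outside this section, so it should be confirmed that it tells this value apart from the existing returns; a line above the function such as `/* May return the fib_props[] error of a matching error-type route; callers must not treat every non-zero result as "keep searching" */` would pin the contract down. The same branch now increments `semantic_match_passed` rather than `semantic_match_miss`, which is worth a word in that comment. In `fib_table_delete()` the condition uses `fa->fa_info->fib_scope` and `fi->fib_prefsrc` on adjacent lines; `fi->fib_scope` would read consistently, assuming `fi` is `fa->fa_info` at that point.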
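--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -704,7 +704,7 @@ static void icmp_unreach(struct sk_buff *skb)
  */
 
  /*
- * Check the other end isnt violating RFC 1122. Some routers send
+ * Check the other end isn't violating RFC 1122. Some routers send
  * bogus responses to broadcast frames. If you see this message
  * first check your netmask matches at both ends, if it does then
  * get the other vendor to fix their kit.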
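--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -140,11 +140,11 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
  } else {
  dopt->ts_needtime = 0;
 
- if (soffset + 8 <= optlen) {
+ if (soffset + 7 <= optlen) {
  __be32 addr;
 
- memcpy(&addr, sptr+soffset-1, 4);
- if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_LOCAL) {
+ memcpy(&addr, dptr+soffset-1, 4);
+ if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_UNICAST) {
  dopt->ts_needtime = 1;
  soffset += 8;
  }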
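Review bot: The new bound `soffset + 7 <= optlen` in ip_options_echo only makes sense if `soffset` is a 1-based option pointer, which the `dptr+soffset-1` read suggests but nothing in the hunk states; without that, the change from 8 to 7 reads like an off-by-one in either direction. A one-line comment above the test would pin it down, e.g. `/* soffset is 1-based: address (4) + timestamp (4) must fit at dptr[soffset-1] */`. These offsets come from packet data, so it is also worth confirming that `optlen` bytes of `dptr` are already populated at this point, now that the read moved from `sptr` to `dptr`. The function begins and ends outside the hunk, so both points rest on these lines only.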
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 67f241b97649..459c011b1d4a 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -603,7 +603,7 @@ slow_path:
603 /* IF: it doesn't fit, use 'mtu' - the data space left */ 603 /* IF: it doesn't fit, use 'mtu' - the data space left */
604 if (len > mtu) 604 if (len > mtu)
605 len = mtu; 605 len = mtu;
606 /* IF: we are not sending upto and including the packet end 606 /* IF: we are not sending up to and including the packet end
607 then align the next start on an eight byte boundary */ 607 then align the next start on an eight byte boundary */
608 if (len < left) { 608 if (len < left) {
609 len &= ~7; 609 len &= ~7;
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 2b097752426b..cbff2ecccf3d 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -1444,7 +1444,7 @@ static int __init ip_auto_config(void)
1444 root_server_addr = addr; 1444 root_server_addr = addr;
1445 1445
1446 /* 1446 /*
1447 * Use defaults whereever applicable. 1447 * Use defaults wherever applicable.
1448 */ 1448 */
1449 if (ic_defaults() < 0) 1449 if (ic_defaults() < 0)
1450 return -1; 1450 return -1;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 4b5d457c2d76..89bc7e66d598 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -76,7 +76,7 @@ static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
76} 76}
77 77
78/* 78/*
79 * Unfortunatly, _b and _mask are not aligned to an int (or long int) 79 * Unfortunately, _b and _mask are not aligned to an int (or long int)
80 * Some arches dont care, unrolling the loop is a win on them. 80 * Some arches dont care, unrolling the loop is a win on them.
81 * For other arches, we only have a 16bit alignement. 81 * For other arches, we only have a 16bit alignement.
82 */ 82 */
@@ -1874,7 +1874,7 @@ static int __init arp_tables_init(void)
1874 if (ret < 0) 1874 if (ret < 0)
1875 goto err1; 1875 goto err1;
1876 1876
1877 /* Noone else will be downing sem now, so we won't sleep */ 1877 /* No one else will be downing sem now, so we won't sleep */
1878 ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg)); 1878 ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1879 if (ret < 0) 1879 if (ret < 0)
1880 goto err2; 1880 goto err2;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index ffcea0d1678e..704915028009 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2233,7 +2233,7 @@ static int __init ip_tables_init(void)
2233 if (ret < 0) 2233 if (ret < 0)
2234 goto err1; 2234 goto err1;
2235 2235
2236 /* Noone else will be downing sem now, so we won't sleep */ 2236 /* No one else will be downing sem now, so we won't sleep */
2237 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg)); 2237 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2238 if (ret < 0) 2238 if (ret < 0)
2239 goto err2; 2239 goto err2;
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 21bcf471b25a..9c71b2755ce3 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -521,7 +521,7 @@ int nf_nat_protocol_register(const struct nf_nat_protocol *proto)
521} 521}
522EXPORT_SYMBOL(nf_nat_protocol_register); 522EXPORT_SYMBOL(nf_nat_protocol_register);
523 523
524/* Noone stores the protocol anywhere; simply delete it. */ 524/* No one stores the protocol anywhere; simply delete it. */
525void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto) 525void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto)
526{ 526{
527 spin_lock_bh(&nf_nat_lock); 527 spin_lock_bh(&nf_nat_lock);
@@ -532,7 +532,7 @@ void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto)
532} 532}
533EXPORT_SYMBOL(nf_nat_protocol_unregister); 533EXPORT_SYMBOL(nf_nat_protocol_unregister);
534 534
535/* Noone using conntrack by the time this called. */ 535/* No one using conntrack by the time this called. */
536static void nf_nat_cleanup_conntrack(struct nf_conn *ct) 536static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
537{ 537{
538 struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT); 538 struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT);
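--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -569,6 +569,7 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
  rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
  if (IS_ERR(rt)) {
  err = PTR_ERR(rt);
+ rt = NULL;
  goto done;
  }
  }
@@ -621,7 +622,7 @@ do_confirm:
 static void raw_close(struct sock *sk, long timeout)
 {
  /*
- * Raw sockets may have direct kernel refereneces. Kill them.
+ * Raw sockets may have direct kernel references. Kill them.
  */
  ip_ra_control(sk, 0, NULL);
 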
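Review bot: The added `rt = NULL;` in the `IS_ERR(rt)` branch of raw_sendmsg carries no comment saying why the pointer is cleared, and the `done:` label it jumps to is outside the hunk. Presumably the cleanup there releases `rt`, so an ERR_PTR value must never reach it; a short comment such as `/* done: releases rt; never hand it an ERR_PTR */` would stop the reset from being removed later as dead code. The same pattern is added as `dst = NULL;` in tcp_v6_send_synack in net/ipv6/tcp_ipv6.c and deserves the same comment.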
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 870b5182ddd8..ea107515c53e 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -821,7 +821,7 @@ static int has_noalias(const struct rtable *head, const struct rtable *rth)
821} 821}
822 822
823/* 823/*
824 * Pertubation of rt_genid by a small quantity [1..256] 824 * Perturbation of rt_genid by a small quantity [1..256]
825 * Using 8 bits of shuffling ensure we can call rt_cache_invalidate() 825 * Using 8 bits of shuffling ensure we can call rt_cache_invalidate()
826 * many times (2^24) without giving recent rt_genid. 826 * many times (2^24) without giving recent rt_genid.
827 * Jenkins hash is strong enough that litle changes of rt_genid are OK. 827 * Jenkins hash is strong enough that litle changes of rt_genid are OK.
@@ -1191,7 +1191,7 @@ restart:
1191#endif 1191#endif
1192 /* 1192 /*
1193 * Since lookup is lockfree, we must make sure 1193 * Since lookup is lockfree, we must make sure
1194 * previous writes to rt are comitted to memory 1194 * previous writes to rt are committed to memory
1195 * before making rt visible to other CPUS. 1195 * before making rt visible to other CPUS.
1196 */ 1196 */
1197 rcu_assign_pointer(rt_hash_table[hash].chain, rt); 1197 rcu_assign_pointer(rt_hash_table[hash].chain, rt);
@@ -1593,8 +1593,6 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
1593 rt->rt_peer_genid = rt_peer_genid(); 1593 rt->rt_peer_genid = rt_peer_genid();
1594 } 1594 }
1595 check_peer_pmtu(dst, peer); 1595 check_peer_pmtu(dst, peer);
1596
1597 inet_putpeer(peer);
1598 } 1596 }
1599} 1597}
1600 1598
@@ -1720,7 +1718,7 @@ void ip_rt_get_source(u8 *addr, struct rtable *rt)
1720 1718
1721 rcu_read_lock(); 1719 rcu_read_lock();
1722 if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res) == 0) 1720 if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res) == 0)
1723 src = FIB_RES_PREFSRC(res); 1721 src = FIB_RES_PREFSRC(dev_net(rt->dst.dev), res);
1724 else 1722 else
1725 src = inet_select_addr(rt->dst.dev, rt->rt_gateway, 1723 src = inet_select_addr(rt->dst.dev, rt->rt_gateway,
1726 RT_SCOPE_UNIVERSE); 1724 RT_SCOPE_UNIVERSE);
@@ -2617,7 +2615,7 @@ static struct rtable *ip_route_output_slow(struct net *net,
2617 fib_select_default(&res); 2615 fib_select_default(&res);
2618 2616
2619 if (!fl4.saddr) 2617 if (!fl4.saddr)
2620 fl4.saddr = FIB_RES_PREFSRC(res); 2618 fl4.saddr = FIB_RES_PREFSRC(net, res);
2621 2619
2622 dev_out = FIB_RES_DEV(res); 2620 dev_out = FIB_RES_DEV(res);
2623 fl4.flowi4_oif = dev_out->ifindex; 2621 fl4.flowi4_oif = dev_out->ifindex;
@@ -3221,6 +3219,8 @@ static __net_init int rt_genid_init(struct net *net)
3221{ 3219{
3222 get_random_bytes(&net->ipv4.rt_genid, 3220 get_random_bytes(&net->ipv4.rt_genid,
3223 sizeof(net->ipv4.rt_genid)); 3221 sizeof(net->ipv4.rt_genid));
3222 get_random_bytes(&net->ipv4.dev_addr_genid,
3223 sizeof(net->ipv4.dev_addr_genid));
3224 return 0; 3224 return 0;
3225} 3225}
3226 3226
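Review bot: In ip_rt_update_pmtu the call `inet_putpeer(peer);` is removed, but the lines that obtain `peer` are outside the hunk, so the reference ownership cannot be checked from here. If `peer` is borrowed from the route rather than looked up with its own reference, say so next to its use, e.g. `/* peer is owned by rt; no put here */`. If it still comes from a lookup that takes a reference, this removal leaks it, so the acquisition site should be reviewed together with this hunk.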
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index da782e7ab16d..bef9f04c22ba 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2659,7 +2659,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
2659#define DBGUNDO(x...) do { } while (0) 2659#define DBGUNDO(x...) do { } while (0)
2660#endif 2660#endif
2661 2661
2662static void tcp_undo_cwr(struct sock *sk, const int undo) 2662static void tcp_undo_cwr(struct sock *sk, const bool undo_ssthresh)
2663{ 2663{
2664 struct tcp_sock *tp = tcp_sk(sk); 2664 struct tcp_sock *tp = tcp_sk(sk);
2665 2665
@@ -2671,14 +2671,13 @@ static void tcp_undo_cwr(struct sock *sk, const int undo)
2671 else 2671 else
2672 tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh << 1); 2672 tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh << 1);
2673 2673
2674 if (undo && tp->prior_ssthresh > tp->snd_ssthresh) { 2674 if (undo_ssthresh && tp->prior_ssthresh > tp->snd_ssthresh) {
2675 tp->snd_ssthresh = tp->prior_ssthresh; 2675 tp->snd_ssthresh = tp->prior_ssthresh;
2676 TCP_ECN_withdraw_cwr(tp); 2676 TCP_ECN_withdraw_cwr(tp);
2677 } 2677 }
2678 } else { 2678 } else {
2679 tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh); 2679 tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh);
2680 } 2680 }
2681 tcp_moderate_cwnd(tp);
2682 tp->snd_cwnd_stamp = tcp_time_stamp; 2681 tp->snd_cwnd_stamp = tcp_time_stamp;
2683} 2682}
2684 2683
@@ -2699,7 +2698,7 @@ static int tcp_try_undo_recovery(struct sock *sk)
2699 * or our original transmission succeeded. 2698 * or our original transmission succeeded.
2700 */ 2699 */
2701 DBGUNDO(sk, inet_csk(sk)->icsk_ca_state == TCP_CA_Loss ? "loss" : "retrans"); 2700 DBGUNDO(sk, inet_csk(sk)->icsk_ca_state == TCP_CA_Loss ? "loss" : "retrans");
2702 tcp_undo_cwr(sk, 1); 2701 tcp_undo_cwr(sk, true);
2703 if (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss) 2702 if (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss)
2704 mib_idx = LINUX_MIB_TCPLOSSUNDO; 2703 mib_idx = LINUX_MIB_TCPLOSSUNDO;
2705 else 2704 else
@@ -2726,7 +2725,7 @@ static void tcp_try_undo_dsack(struct sock *sk)
2726 2725
2727 if (tp->undo_marker && !tp->undo_retrans) { 2726 if (tp->undo_marker && !tp->undo_retrans) {
2728 DBGUNDO(sk, "D-SACK"); 2727 DBGUNDO(sk, "D-SACK");
2729 tcp_undo_cwr(sk, 1); 2728 tcp_undo_cwr(sk, true);
2730 tp->undo_marker = 0; 2729 tp->undo_marker = 0;
2731 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPDSACKUNDO); 2730 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPDSACKUNDO);
2732 } 2731 }
@@ -2779,7 +2778,7 @@ static int tcp_try_undo_partial(struct sock *sk, int acked)
2779 tcp_update_reordering(sk, tcp_fackets_out(tp) + acked, 1); 2778 tcp_update_reordering(sk, tcp_fackets_out(tp) + acked, 1);
2780 2779
2781 DBGUNDO(sk, "Hoe"); 2780 DBGUNDO(sk, "Hoe");
2782 tcp_undo_cwr(sk, 0); 2781 tcp_undo_cwr(sk, false);
2783 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO); 2782 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO);
2784 2783
2785 /* So... Do not make Hoe's retransmit yet. 2784 /* So... Do not make Hoe's retransmit yet.
@@ -2808,7 +2807,7 @@ static int tcp_try_undo_loss(struct sock *sk)
2808 2807
2809 DBGUNDO(sk, "partial loss"); 2808 DBGUNDO(sk, "partial loss");
2810 tp->lost_out = 0; 2809 tp->lost_out = 0;
2811 tcp_undo_cwr(sk, 1); 2810 tcp_undo_cwr(sk, true);
2812 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSSUNDO); 2811 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSSUNDO);
2813 inet_csk(sk)->icsk_retransmits = 0; 2812 inet_csk(sk)->icsk_retransmits = 0;
2814 tp->undo_marker = 0; 2813 tp->undo_marker = 0;
@@ -2822,8 +2821,11 @@ static int tcp_try_undo_loss(struct sock *sk)
2822static inline void tcp_complete_cwr(struct sock *sk) 2821static inline void tcp_complete_cwr(struct sock *sk)
2823{ 2822{
2824 struct tcp_sock *tp = tcp_sk(sk); 2823 struct tcp_sock *tp = tcp_sk(sk);
2825 tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh); 2824 /* Do not moderate cwnd if it's already undone in cwr or recovery */
2826 tp->snd_cwnd_stamp = tcp_time_stamp; 2825 if (tp->undo_marker && tp->snd_cwnd > tp->snd_ssthresh) {
2826 tp->snd_cwnd = tp->snd_ssthresh;
2827 tp->snd_cwnd_stamp = tcp_time_stamp;
2828 }
2827 tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR); 2829 tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);
2828} 2830}
2829 2831
@@ -3494,7 +3496,7 @@ static void tcp_undo_spur_to_response(struct sock *sk, int flag)
3494 if (flag & FLAG_ECE) 3496 if (flag & FLAG_ECE)
3495 tcp_ratehalving_spur_to_response(sk); 3497 tcp_ratehalving_spur_to_response(sk);
3496 else 3498 else
3497 tcp_undo_cwr(sk, 1); 3499 tcp_undo_cwr(sk, true);
3498} 3500}
3499 3501
3500/* F-RTO spurious RTO detection algorithm (RFC4138) 3502/* F-RTO spurious RTO detection algorithm (RFC4138)
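Review bot: In tcp_complete_cwr the update `tp->snd_cwnd_stamp = tcp_time_stamp;` moved inside the new `if (tp->undo_marker && tp->snd_cwnd > tp->snd_ssthresh)` block, so the stamp is no longer refreshed when the window is left alone, whereas the old code set it unconditionally. The added comment explains only the cwnd part; if skipping the stamp is intended, extend it, e.g. `/* cwnd and its stamp are left as the undo path set them */`. The same commit removes `tcp_moderate_cwnd(tp);` from tcp_undo_cwr, whose body starts outside its hunk, so the two changes should be read together. A blank line after the `struct tcp_sock *tp` declaration would also match tcp_undo_cwr above.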
diff --git a/net/ipv4/tcp_lp.c b/net/ipv4/tcp_lp.c
index 656d431c99ad..72f7218b03f5 100644
--- a/net/ipv4/tcp_lp.c
+++ b/net/ipv4/tcp_lp.c
@@ -12,7 +12,7 @@
12 * within cong_avoid. 12 * within cong_avoid.
13 * o Error correcting in remote HZ, therefore remote HZ will be keeped 13 * o Error correcting in remote HZ, therefore remote HZ will be keeped
14 * on checking and updating. 14 * on checking and updating.
15 * o Handling calculation of One-Way-Delay (OWD) within rtt_sample, sicne 15 * o Handling calculation of One-Way-Delay (OWD) within rtt_sample, since
16 * OWD have a similar meaning as RTT. Also correct the buggy formular. 16 * OWD have a similar meaning as RTT. Also correct the buggy formular.
17 * o Handle reaction for Early Congestion Indication (ECI) within 17 * o Handle reaction for Early Congestion Indication (ECI) within
18 * pkts_acked, as mentioned within pseudo code. 18 * pkts_acked, as mentioned within pseudo code.
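--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -73,7 +73,7 @@ static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
  tcp_advance_send_head(sk, skb);
  tp->snd_nxt = TCP_SKB_CB(skb)->end_seq;
 
- /* Don't override Nagle indefinately with F-RTO */
+ /* Don't override Nagle indefinitely with F-RTO */
  if (tp->frto_counter == 2)
  tp->frto_counter = 3;
 
@@ -1003,7 +1003,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
  int nlen;
  u8 flags;
 
- BUG_ON(len > skb->len);
+ if (WARN_ON(len > skb->len))
+ return -EINVAL;
 
  nsize = skb_headlen(skb) - len;
  if (nsize < 0)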
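Review bot: The replacement for `BUG_ON(len > skb->len)` in tcp_fragment uses `WARN_ON`, which prints a full backtrace every time the condition is hit; if a peer can provoke it repeatedly, log flooding replaces the panic as the denial-of-service. `if (WARN_ON_ONCE(len > skb->len))` keeps the diagnostic and bounds the noise. The callers are outside this hunk, so it should also be confirmed that each of them treats the new `-EINVAL` return as a failure and does not carry on with the unsplit skb.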
diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
index dc7f43179c9a..05c3b6f0e8e1 100644
--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -20,7 +20,7 @@
20#define TCP_YEAH_DELTA 3 //log minimum fraction of cwnd to be removed on loss 20#define TCP_YEAH_DELTA 3 //log minimum fraction of cwnd to be removed on loss
21#define TCP_YEAH_EPSILON 1 //log maximum fraction to be removed on early decongestion 21#define TCP_YEAH_EPSILON 1 //log maximum fraction to be removed on early decongestion
22#define TCP_YEAH_PHY 8 //lin maximum delta from base 22#define TCP_YEAH_PHY 8 //lin maximum delta from base
23#define TCP_YEAH_RHO 16 //lin minumum number of consecutive rtt to consider competition on loss 23#define TCP_YEAH_RHO 16 //lin minimum number of consecutive rtt to consider competition on loss
24#define TCP_YEAH_ZETA 50 //lin minimum number of state switchs to reset reno_count 24#define TCP_YEAH_ZETA 50 //lin minimum number of state switchs to reset reno_count
25 25
26#define TCP_SCALABLE_AI_CNT 100U 26#define TCP_SCALABLE_AI_CNT 100U
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 588f47af5faf..f87a8eb76f3b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -189,7 +189,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num,
189 * @sk: socket struct in question 189 * @sk: socket struct in question
190 * @snum: port number to look up 190 * @snum: port number to look up
191 * @saddr_comp: AF-dependent comparison of bound local IP addresses 191 * @saddr_comp: AF-dependent comparison of bound local IP addresses
192 * @hash2_nulladdr: AF-dependant hash value in secondary hash chains, 192 * @hash2_nulladdr: AF-dependent hash value in secondary hash chains,
193 * with NULL address 193 * with NULL address
194 */ 194 */
195int udp_lib_get_port(struct sock *sk, unsigned short snum, 195int udp_lib_get_port(struct sock *sk, unsigned short snum,
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 3daaf3c7703c..1493534116df 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1084,7 +1084,7 @@ static int ipv6_get_saddr_eval(struct net *net,
1084 case IPV6_SADDR_RULE_PRIVACY: 1084 case IPV6_SADDR_RULE_PRIVACY:
1085 { 1085 {
1086 /* Rule 7: Prefer public address 1086 /* Rule 7: Prefer public address
1087 * Note: prefer temprary address if use_tempaddr >= 2 1087 * Note: prefer temporary address if use_tempaddr >= 2
1088 */ 1088 */
1089 int preftmp = dst->prefs & (IPV6_PREFER_SRC_PUBLIC|IPV6_PREFER_SRC_TMP) ? 1089 int preftmp = dst->prefs & (IPV6_PREFER_SRC_PUBLIC|IPV6_PREFER_SRC_TMP) ?
1090 !!(dst->prefs & IPV6_PREFER_SRC_TMP) : 1090 !!(dst->prefs & IPV6_PREFER_SRC_TMP) :
@@ -1968,7 +1968,7 @@ ok:
1968 * to the stored lifetime since we'll 1968 * to the stored lifetime since we'll
1969 * be updating the timestamp below, 1969 * be updating the timestamp below,
1970 * else we'll set it back to the 1970 * else we'll set it back to the
1971 * minumum. 1971 * minimum.
1972 */ 1972 */
1973 if (prefered_lft != ifp->prefered_lft) { 1973 if (prefered_lft != ifp->prefered_lft) {
1974 valid_lft = stored_lft; 1974 valid_lft = stored_lft;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 4b13d5d8890e..afcc7099f96d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -1113,7 +1113,7 @@ static int __init inet6_init(void)
1113 /* 1113 /*
1114 * ipngwg API draft makes clear that the correct semantics 1114 * ipngwg API draft makes clear that the correct semantics
1115 * for TCP and UDP is to consider one TCP and UDP instance 1115 * for TCP and UDP is to consider one TCP and UDP instance
1116 * in a host availiable by both INET and INET6 APIs and 1116 * in a host available by both INET and INET6 APIs and
1117 * able to communicate via both network protocols. 1117 * able to communicate via both network protocols.
1118 */ 1118 */
1119 1119
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 18208876aa8a..46cf7bea6769 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -779,7 +779,7 @@ slow_path:
779 /* IF: it doesn't fit, use 'mtu' - the data space left */ 779 /* IF: it doesn't fit, use 'mtu' - the data space left */
780 if (len > mtu) 780 if (len > mtu)
781 len = mtu; 781 len = mtu;
782 /* IF: we are not sending upto and including the packet end 782 /* IF: we are not sending up to and including the packet end
783 then align the next start on an eight byte boundary */ 783 then align the next start on an eight byte boundary */
784 if (len < left) { 784 if (len < left) {
785 len &= ~7; 785 len &= ~7;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 7ff0343e05c7..29e48593bf22 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -663,7 +663,7 @@ static int pim6_rcv(struct sk_buff *skb)
663 skb_pull(skb, (u8 *)encap - skb->data); 663 skb_pull(skb, (u8 *)encap - skb->data);
664 skb_reset_network_header(skb); 664 skb_reset_network_header(skb);
665 skb->protocol = htons(ETH_P_IPV6); 665 skb->protocol = htons(ETH_P_IPV6);
666 skb->ip_summed = 0; 666 skb->ip_summed = CHECKSUM_NONE;
667 skb->pkt_type = PACKET_HOST; 667 skb->pkt_type = PACKET_HOST;
668 668
669 skb_tunnel_rx(skb, reg_dev); 669 skb_tunnel_rx(skb, reg_dev);
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 0e49c9db3c98..92f952d093db 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -341,6 +341,8 @@ int ndisc_mc_map(struct in6_addr *addr, char *buf, struct net_device *dev, int d
341 case ARPHRD_INFINIBAND: 341 case ARPHRD_INFINIBAND:
342 ipv6_ib_mc_map(addr, dev->broadcast, buf); 342 ipv6_ib_mc_map(addr, dev->broadcast, buf);
343 return 0; 343 return 0;
344 case ARPHRD_IPGRE:
345 return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
344 default: 346 default:
345 if (dir) { 347 if (dir) {
346 memcpy(buf, dev->broadcast, dev->addr_len); 348 memcpy(buf, dev->broadcast, dev->addr_len);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0b2af9b85cec..5a1c6f27ffaf 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2248,7 +2248,7 @@ static int __init ip6_tables_init(void)
2248 if (ret < 0) 2248 if (ret < 0)
2249 goto err1; 2249 goto err1;
2250 2250
2251 /* Noone else will be downing sem now, so we won't sleep */ 2251 /* No one else will be downing sem now, so we won't sleep */
2252 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg)); 2252 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2253 if (ret < 0) 2253 if (ret < 0)
2254 goto err2; 2254 goto err2;
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index 97c5b21b9674..cdd6d045e42e 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -71,7 +71,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
71 if (reasm == NULL) 71 if (reasm == NULL)
72 return NF_STOLEN; 72 return NF_STOLEN;
73 73
74 /* error occured or not fragmented */ 74 /* error occurred or not fragmented */
75 if (reasm == skb) 75 if (reasm == skb)
76 return NF_ACCEPT; 76 return NF_ACCEPT;
77 77
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 6814c8722fa7..843406f14d7b 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -854,7 +854,7 @@ static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table
854 return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags); 854 return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags);
855} 855}
856 856
857struct dst_entry * ip6_route_output(struct net *net, struct sock *sk, 857struct dst_entry * ip6_route_output(struct net *net, const struct sock *sk,
858 struct flowi6 *fl6) 858 struct flowi6 *fl6)
859{ 859{
860 int flags = 0; 860 int flags = 0;
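--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -503,6 +503,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
  dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
  if (IS_ERR(dst)) {
  err = PTR_ERR(dst);
+ dst = NULL;
  goto done;
  }
  skb = tcp_make_synack(sk, dst, req, rvp);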
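--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
  n = 1;
 
  name_len = fp[n++];
+
+ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
+
  memcpy(name, fp+n, name_len); n+=name_len;
  name[name_len] = '\0';
 
  attr_len = fp[n++];
+
+ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
+
  memcpy(attr, fp+n, attr_len); n+=attr_len;
  attr[attr_len] = '\0';
 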
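Review bot: The two length checks added before the `memcpy` calls in iriap_getvaluebyclass_indication are written as `IRDA_ASSERT(...)`, and whether that macro still tests and returns in non-debug builds is not visible here; if it compiles to nothing, `name_len` and `attr_len` taken from the received frame stay unbounded. An explicit test does not depend on the debug configuration: `if (name_len > IAS_MAX_CLASSNAME) return;` and `if (attr_len > IAS_MAX_ATTRIBNAME) return;`. Neither check compares `n + name_len` or `n + attr_len` with the frame length, so a short frame may still be read past its end. The frame length is not available in the hunk, which starts and ends inside the function.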
diff --git a/net/irda/irlap.c b/net/irda/irlap.c
index 783c5f367d29..005b424494a0 100644
--- a/net/irda/irlap.c
+++ b/net/irda/irlap.c
@@ -165,7 +165,7 @@ struct irlap_cb *irlap_open(struct net_device *dev, struct qos_info *qos,
165 165
166 irlap_apply_default_connection_parameters(self); 166 irlap_apply_default_connection_parameters(self);
167 167
168 self->N3 = 3; /* # connections attemts to try before giving up */ 168 self->N3 = 3; /* # connections attempts to try before giving up */
169 169
170 self->state = LAP_NDM; 170 self->state = LAP_NDM;
171 171
diff --git a/net/irda/irlap_event.c b/net/irda/irlap_event.c
index d434c8880745..bb47021c9a55 100644
--- a/net/irda/irlap_event.c
+++ b/net/irda/irlap_event.c
@@ -708,7 +708,7 @@ static int irlap_state_reply(struct irlap_cb *self, IRLAP_EVENT event,
708 708
709 self->frame_sent = TRUE; 709 self->frame_sent = TRUE;
710 } 710 }
711 /* Readjust our timer to accomodate devices 711 /* Readjust our timer to accommodate devices
712 * doing faster or slower discovery than us... 712 * doing faster or slower discovery than us...
713 * Jean II */ 713 * Jean II */
714 irlap_start_query_timer(self, info->S, info->s); 714 irlap_start_query_timer(self, info->S, info->s);
@@ -931,7 +931,7 @@ static int irlap_state_setup(struct irlap_cb *self, IRLAP_EVENT event,
931 irlap_send_rr_frame(self, CMD_FRAME); 931 irlap_send_rr_frame(self, CMD_FRAME);
932 932
933 /* The timer is set to half the normal timer to quickly 933 /* The timer is set to half the normal timer to quickly
934 * detect a failure to negociate the new connection 934 * detect a failure to negotiate the new connection
935 * parameters. IrLAP 6.11.3.2, note 3. 935 * parameters. IrLAP 6.11.3.2, note 3.
936 * Note that currently we don't process this failure 936 * Note that currently we don't process this failure
937 * properly, as we should do a quick disconnect. 937 * properly, as we should do a quick disconnect.
@@ -1052,7 +1052,7 @@ static int irlap_state_xmit_p(struct irlap_cb *self, IRLAP_EVENT event,
1052 return -EPROTO; 1052 return -EPROTO;
1053 } 1053 }
1054 1054
1055 /* Substract space used by this skb */ 1055 /* Subtract space used by this skb */
1056 self->bytes_left -= skb->len; 1056 self->bytes_left -= skb->len;
1057#else /* CONFIG_IRDA_DYNAMIC_WINDOW */ 1057#else /* CONFIG_IRDA_DYNAMIC_WINDOW */
1058 /* Window has been adjusted for the max packet 1058 /* Window has been adjusted for the max packet
@@ -1808,7 +1808,7 @@ static int irlap_state_xmit_s(struct irlap_cb *self, IRLAP_EVENT event,
1808 1808
1809 return -EPROTO; /* Try again later */ 1809 return -EPROTO; /* Try again later */
1810 } 1810 }
1811 /* Substract space used by this skb */ 1811 /* Subtract space used by this skb */
1812 self->bytes_left -= skb->len; 1812 self->bytes_left -= skb->len;
1813#else /* CONFIG_IRDA_DYNAMIC_WINDOW */ 1813#else /* CONFIG_IRDA_DYNAMIC_WINDOW */
1814 /* Window has been adjusted for the max packet 1814 /* Window has been adjusted for the max packet
diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
index 688222cbf55b..8c004161a843 100644
--- a/net/irda/irlap_frame.c
+++ b/net/irda/irlap_frame.c
@@ -848,7 +848,7 @@ void irlap_send_data_primary_poll(struct irlap_cb *self, struct sk_buff *skb)
848 * though IrLAP is currently sending the *last* frame of the 848 * though IrLAP is currently sending the *last* frame of the
849 * tx-window, the driver most likely has only just started 849 * tx-window, the driver most likely has only just started
850 * sending the *first* frame of the same tx-window. 850 * sending the *first* frame of the same tx-window.
851 * I.e. we are always at the very begining of or Tx window. 851 * I.e. we are always at the very beginning of or Tx window.
852 * Now, we are supposed to set the final timer from the end 852 * Now, we are supposed to set the final timer from the end
853 * of our tx-window to let the other peer reply. So, we need 853 * of our tx-window to let the other peer reply. So, we need
854 * to add extra time to compensate for the fact that we 854 * to add extra time to compensate for the fact that we
diff --git a/net/irda/irlmp_event.c b/net/irda/irlmp_event.c
index c1fb5db81042..9505a7d06f1a 100644
--- a/net/irda/irlmp_event.c
+++ b/net/irda/irlmp_event.c
@@ -498,7 +498,7 @@ static int irlmp_state_disconnected(struct lsap_cb *self, IRLMP_EVENT event,
498 switch (event) { 498 switch (event) {
499#ifdef CONFIG_IRDA_ULTRA 499#ifdef CONFIG_IRDA_ULTRA
500 case LM_UDATA_INDICATION: 500 case LM_UDATA_INDICATION:
501 /* This is most bizzare. Those packets are aka unreliable 501 /* This is most bizarre. Those packets are aka unreliable
502 * connected, aka IrLPT or SOCK_DGRAM/IRDAPROTO_UNITDATA. 502 * connected, aka IrLPT or SOCK_DGRAM/IRDAPROTO_UNITDATA.
503 * Why do we pass them as Ultra ??? Jean II */ 503 * Why do we pass them as Ultra ??? Jean II */
504 irlmp_connless_data_indication(self, skb); 504 irlmp_connless_data_indication(self, skb);
diff --git a/net/irda/irnet/irnet.h b/net/irda/irnet/irnet.h
index 0d82ff5aeff1..979ecb2435a7 100644
--- a/net/irda/irnet/irnet.h
+++ b/net/irda/irnet/irnet.h
@@ -73,7 +73,7 @@
73 * Infinite thanks to those brave souls for providing the infrastructure 73 * Infinite thanks to those brave souls for providing the infrastructure
74 * upon which IrNET is built. 74 * upon which IrNET is built.
75 * 75 *
76 * Thanks to all my collegues in HP for helping me. In particular, 76 * Thanks to all my colleagues in HP for helping me. In particular,
77 * thanks to Salil Pradhan and Bill Serra for W2k testing... 77 * thanks to Salil Pradhan and Bill Serra for W2k testing...
78 * Thanks to Luiz Magalhaes for irnetd and much testing... 78 * Thanks to Luiz Magalhaes for irnetd and much testing...
79 * 79 *
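--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -105,6 +105,9 @@ irnet_ctrl_write(irnet_socket * ap,
  while(isspace(start[length - 1]))
  length--;
 
+ DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
+ -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
+
  /* Copy the name for later reuse */
  memcpy(ap->rname, start + 5, length - 5);
  ap->rname[length - 5] = '\0';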
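Review bot: The new `DABORT` bound in irnet_ctrl_write allows `length - 5 == NICKNAME_MAX_LEN`, so the terminator written by `ap->rname[length - 5] = '\0';` lands at index NICKNAME_MAX_LEN and `ap->rname` must hold NICKNAME_MAX_LEN + 1 bytes. Its declaration is outside the hunk, so that cannot be confirmed here. A comment at the check would record the dependency, e.g. `/* rname holds NICKNAME_MAX_LEN chars plus '\0' */`. The literal `5` now appears four times in these lines as an unnamed prefix length; a named constant would keep the bound and the copy from drifting apart.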
diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index 849aaf0dabb5..9715e6e5900b 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -40,7 +40,7 @@
40 * o the hash function for ints is pathetic (but could be changed) 40 * o the hash function for ints is pathetic (but could be changed)
41 * o locking is sometime suspicious (especially during enumeration) 41 * o locking is sometime suspicious (especially during enumeration)
42 * o most users have only a few elements (== overhead) 42 * o most users have only a few elements (== overhead)
43 * o most users never use seach, so don't benefit from hashing 43 * o most users never use search, so don't benefit from hashing
44 * Problem already fixed : 44 * Problem already fixed :
45 * o not 64 bit compliant (most users do hashv = (int) self) 45 * o not 64 bit compliant (most users do hashv = (int) self)
46 * o hashbin_remove() is broken => use hashbin_remove_this() 46 * o hashbin_remove() is broken => use hashbin_remove_this()
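--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -1193,7 +1193,7 @@ EXPORT_SYMBOL(irttp_connect_request);
 /*
  * Function irttp_connect_confirm (handle, qos, skb)
  *
- * Sevice user confirms TSAP connection with peer.
+ * Service user confirms TSAP connection with peer.
  *
  */
 static void irttp_connect_confirm(void *instance, void *sap,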
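--- a/net/irda/qos.c
+++ b/net/irda/qos.c
@@ -39,16 +39,16 @@
 #include <net/irda/irlap_frame.h>
 
 /*
- * Maximum values of the baud rate we negociate with the other end.
+ * Maximum values of the baud rate we negotiate with the other end.
  * Most often, you don't have to change that, because Linux-IrDA will
  * use the maximum offered by the link layer, which usually works fine.
  * In some very rare cases, you may want to limit it to lower speeds...
  */
 int sysctl_max_baud_rate = 16000000;
 /*
- * Maximum value of the lap disconnect timer we negociate with the other end.
+ * Maximum value of the lap disconnect timer we negotiate with the other end.
  * Most often, the value below represent the best compromise, but some user
- * may want to keep the LAP alive longuer or shorter in case of link failure.
+ * may want to keep the LAP alive longer or shorter in case of link failure.
  * Remember that the threshold time (early warning) is fixed to 3s...
  */
 int sysctl_max_noreply_time = 12;
@@ -411,7 +411,7 @@ static void irlap_adjust_qos_settings(struct qos_info *qos)
  * Fix tx data size according to user limits - Jean II
  */
  if (qos->data_size.value > sysctl_max_tx_data_size)
- /* Allow non discrete adjustement to avoid loosing capacity */
+ /* Allow non discrete adjustement to avoid losing capacity */
  qos->data_size.value = sysctl_max_tx_data_size;
  /*
  * Override Tx window if user request it. - Jean II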
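--- a/net/irda/timer.c
+++ b/net/irda/timer.c
@@ -59,7 +59,7 @@ void irlap_start_query_timer(struct irlap_cb *self, int S, int s)
  * slot time, plus add some extra time to properly receive the last
  * discovery packet (which is longer due to extra discovery info),
  * to avoid messing with for incomming connections requests and
- * to accomodate devices that perform discovery slower than us.
+ * to accommodate devices that perform discovery slower than us.
  * Jean II */
  timeout = ((sysctl_slot_timeout * HZ / 1000) * (S - s)
  + XIDEXTRA_TIMEOUT + SMALLBUSY_TIMEOUT);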
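--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -250,7 +250,7 @@ static struct device *af_iucv_dev;
  * PRMDATA[0..6] socket data (max 7 bytes);
  * PRMDATA[7] socket data length value (len is 0xff - PRMDATA[7])
  *
- * The socket data length is computed by substracting the socket data length
+ * The socket data length is computed by subtracting the socket data length
  * value from 0xFF.
  * If the socket data len is greater 7, then PRMDATA can be used for special
  * notifications (see iucv_sock_shutdown); and further,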
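--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -735,7 +735,7 @@ static void iucv_cleanup_queue(void)
  struct iucv_irq_list *p, *n;
 
  /*
- * When a path is severed, the pathid can be reused immediatly
+ * When a path is severed, the pathid can be reused immediately
  * on a iucv connect or a connection pending interrupt. Remove
  * all entries from the task queue that refer to a stale pathid
  * (iucv_path_table[ix] == NULL). Only then do the iucv connect
@@ -807,7 +807,7 @@ void iucv_unregister(struct iucv_handler *handler, int smp)
  spin_lock_bh(&iucv_table_lock);
  /* Remove handler from the iucv_handler_list. */
  list_del_init(&handler->list);
- /* Sever all pathids still refering to the handler. */
+ /* Sever all pathids still referring to the handler. */
  list_for_each_entry_safe(p, n, &handler->paths, list) {
  iucv_sever_pathid(p->pathid, NULL);
  iucv_path_table[p->pathid] = NULL;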
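--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -97,7 +97,7 @@ struct ieee80211_bss {
  size_t supp_rates_len;
 
  /*
- * During assocation, we save an ERP value from a probe response so
+ * During association, we save an ERP value from a probe response so
  * that we can feed ERP info to the driver when handling the
  * association completes. these fields probably won't be up-to-date
  * otherwise, you probably don't want to use them.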
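--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -342,7 +342,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
  if (IS_ERR(key->u.ccmp.tfm)) {
  err = PTR_ERR(key->u.ccmp.tfm);
  kfree(key);
- key = ERR_PTR(err);
+ return ERR_PTR(err);
  }
  break;
  case WLAN_CIPHER_SUITE_AES_CMAC:
@@ -360,7 +360,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
  if (IS_ERR(key->u.aes_cmac.tfm)) {
  err = PTR_ERR(key->u.aes_cmac.tfm);
  kfree(key);
- key = ERR_PTR(err);
+ return ERR_PTR(err);
  }
  break;
  }
@@ -400,11 +400,12 @@ int ieee80211_key_link(struct ieee80211_key *key,
 {
  struct ieee80211_key *old_key;
  int idx, ret;
- bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+ bool pairwise;
 
  BUG_ON(!sdata);
  BUG_ON(!key);
 
+ pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
  idx = key->conf.keyidx;
  key->local = sdata->local;
  key->sdata = sdata;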
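Review bot: In the third hunk, `BUG_ON(!key)` rejects only NULL, while ieee80211_key_alloc in the first two hunks reports failure as `ERR_PTR(err)`; a caller that forwards that result unchecked would get past the assertion and be dereferenced by the moved `pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;` line. Whether any caller does so is not visible here. If the contract is that callers must check first, a comment on ieee80211_key_link saying so would help; otherwise `if (WARN_ON(IS_ERR_OR_NULL(key))) return -EINVAL;` fails the call without taking the machine down. Both functions extend beyond the hunks shown.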
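--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -628,7 +628,7 @@ void mesh_path_discard_frame(struct sk_buff *skb,
  *
  * @mpath: mesh path whose queue has to be freed
  *
- * Locking: the function must me called withing a rcu_read_lock region
+ * Locking: the function must me called within a rcu_read_lock region
  */
 void mesh_path_flush_pending(struct mesh_path *mpath)
 {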
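--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -259,7 +259,7 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
  }
  }
 
- /* try to sample up to half of the availble rates during each interval */
+ /* try to sample up to half of the available rates during each interval */
  mi->sample_count *= 4;
 
  cur_prob = 0;
@@ -659,18 +659,14 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
  struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
  struct ieee80211_local *local = hw_to_local(mp->hw);
  u16 sta_cap = sta->ht_cap.cap;
+ int n_supported = 0;
  int ack_dur;
  int stbc;
  int i;
 
  /* fall back to the old minstrel for legacy stations */
- if (!sta->ht_cap.ht_supported) {
- msp->is_ht = false;
- memset(&msp->legacy, 0, sizeof(msp->legacy));
- msp->legacy.r = msp->ratelist;
- msp->legacy.sample_table = msp->sample_table;
- return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
- }
+ if (!sta->ht_cap.ht_supported)
+ goto use_legacy;
 
  BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
  MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);
@@ -725,7 +721,22 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
 
  mi->groups[i].supported =
  mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
+
+ if (mi->groups[i].supported)
+ n_supported++;
  }
+
+ if (!n_supported)
+ goto use_legacy;
+
+ return;
+
+use_legacy:
+ msp->is_ht = false;
+ memset(&msp->legacy, 0, sizeof(msp->legacy));
+ msp->legacy.r = msp->ratelist;
+ msp->legacy.sample_table = msp->sample_table;
+ return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
 }
 
 static void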
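Review bot: The `if (!n_supported) goto use_legacy;` added in the third hunk carries no comment saying how a station that reports `ht_supported` can end up with no usable group. From the loop above it, that happens when every `mcs->rx_mask` entry consulted is zero, and that mask presumably comes from the peer's advertised capabilities, so the reason is worth recording at the check: `/* peer claims HT but its rx_mask enables no MCS group: use legacy minstrel */`. The function body between the second and third hunks is not shown, so whether state set up for the HT path needs undoing before the legacy init cannot be checked from here.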
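--- a/net/mac80211/rc80211_pid.h
+++ b/net/mac80211/rc80211_pid.h
@@ -77,7 +77,7 @@ union rc_pid_event_data {
 };
 
 struct rc_pid_event {
- /* The time when the event occured */
+ /* The time when the event occurred */
  unsigned long timestamp;
 
  /* Event ID number */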
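--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -381,7 +381,7 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
  * specs were sane enough this time around to require padding each A-MSDU
  * subframe to a length that is a multiple of four.
  *
- * Padding like Atheros hardware adds which is inbetween the 802.11 header and
+ * Padding like Atheros hardware adds which is between the 802.11 header and
  * the payload is not supported, the driver is required to move the 802.11
  * header to be directly in front of the payload in that case.
  */
@@ -612,7 +612,8 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
  skipped++;
  continue;
  }
- if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
+ if (skipped &&
+ !time_after(jiffies, tid_agg_rx->reorder_time[j] +
  HT_RX_REORDER_BUF_TIMEOUT))
  goto set_release_timer;
 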
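Review bot: The second hunk's `if (skipped && !time_after(...))` changes when buffered frames are released, but nothing at the condition states the new rule. As written, a stored frame with no gap before it (`skipped == 0`) no longer takes the `goto set_release_timer` path while its timeout is pending, and only frames behind a hole wait for HT_RX_REORDER_BUF_TIMEOUT. A one-line comment such as `/* only frames behind a hole have to wait for the reorder timeout */` would make that intent reviewable. The enclosing loop and the `set_release_timer` label are outside the hunk.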
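--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -47,9 +47,9 @@
  * Station entries are added by mac80211 when you establish a link with a
  * peer. This means different things for the different type of interfaces
  * we support. For a regular station this mean we add the AP sta when we
- * receive an assocation response from the AP. For IBSS this occurs when
+ * receive an association response from the AP. For IBSS this occurs when
  * get to know about a peer on the same IBSS. For WDS we add the sta for
- * the peer imediately upon device open. When using AP mode we add stations
+ * the peer immediately upon device open. When using AP mode we add stations
  * for each respective station upon request from userspace through nl80211.
  *
  * In order to remove a STA info structure, various sta_info_destroy_*()
@@ -243,6 +243,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
  memcpy(sta->sta.addr, addr, ETH_ALEN);
  sta->local = local;
  sta->sdata = sdata;
+ sta->last_rx = jiffies;
 
  ewma_init(&sta->avg_signal, 1024, 8);
 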
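--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -173,7 +173,7 @@ struct sta_ampdu_mlme {
 /**
  * enum plink_state - state of a mesh peer link finite state machine
  *
- * @PLINK_LISTEN: initial state, considered the implicit state of non existant
+ * @PLINK_LISTEN: initial state, considered the implicit state of non existent
  * mesh peer links
  * @PLINK_OPN_SNT: mesh plink open frame has been sent to this mesh peer
  * @PLINK_OPN_RCVD: mesh plink open frame has been received from this mesh peer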
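--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -893,7 +893,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
  to = ip_set_list[to_id];
 
  /* Features must not change.
- * Not an artifical restriction anymore, as we must prevent
+ * Not an artificial restriction anymore, as we must prevent
  * possible loops created by swapping in setlist type of sets. */
  if (!(from->type->features == to->type->features &&
  from->type->family == to->type->family))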
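--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -595,7 +595,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
  atomic_inc(&dest->inactconns);
  } else {
  /* It is a persistent connection/template, so increase
- the peristent connection counter */
+ the persistent connection counter */
  atomic_inc(&dest->persistconns);
  }
 
@@ -657,7 +657,7 @@ static inline void ip_vs_unbind_dest(struct ip_vs_conn *cp)
  }
  } else {
  /* It is a persistent connection/template, so decrease
- the peristent connection counter */
+ the persistent connection counter */
  atomic_dec(&dest->persistconns);
  }
 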
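--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -131,7 +131,7 @@ static inline void ip_vs_lblc_free(struct ip_vs_lblc_entry *en)
 {
  list_del(&en->list);
  /*
- * We don't kfree dest because it is refered either by its service
+ * We don't kfree dest because it is referred either by its service
  * or the trash dest list.
  */
  atomic_dec(&en->dest->refcnt);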
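--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -152,7 +152,7 @@ static void ip_vs_dest_set_eraseall(struct ip_vs_dest_set *set)
  write_lock(&set->lock);
  list_for_each_entry_safe(e, ep, &set->list, list) {
  /*
- * We don't kfree dest because it is refered either
+ * We don't kfree dest because it is referred either
  * by its service or by the trash dest list.
  */
  atomic_dec(&e->dest->refcnt);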
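--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -566,7 +566,7 @@ static struct ipvs_sctp_nextstate
  * SHUTDOWN sent from the client, waitinf for SHUT ACK from the server
  */
  /*
- * We recieved the data chuck, keep the state unchanged. I assume
+ * We received the data chuck, keep the state unchanged. I assume
  * that still data chuncks can be received by both the peers in
  * SHUDOWN state
  */
@@ -633,7 +633,7 @@ static struct ipvs_sctp_nextstate
  * SHUTDOWN sent from the server, waitinf for SHUTDOWN ACK from client
  */
  /*
- * We recieved the data chuck, keep the state unchanged. I assume
+ * We received the data chuck, keep the state unchanged. I assume
  * that still data chuncks can be received by both the peers in
  * SHUDOWN state
  */
@@ -701,7 +701,7 @@ static struct ipvs_sctp_nextstate
  * SHUTDOWN ACK from the client, awaiting for SHUTDOWN COM from server
  */
  /*
- * We recieved the data chuck, keep the state unchanged. I assume
+ * We received the data chuck, keep the state unchanged. I assume
  * that still data chuncks can be received by both the peers in
  * SHUDOWN state
  */
@@ -771,7 +771,7 @@ static struct ipvs_sctp_nextstate
  * SHUTDOWN ACK from the server, awaiting for SHUTDOWN COM from client
  */
  /*
- * We recieved the data chuck, keep the state unchanged. I assume
+ * We received the data chuck, keep the state unchanged. I assume
  * that still data chuncks can be received by both the peers in
  * SHUDOWN state
  */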
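--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -453,7 +453,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
  REJECT will give spurious warnings here. */
  /* NF_CT_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
 
- /* No external references means noone else could have
+ /* No external references means no one else could have
  confirmed us. */
  NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
  pr_debug("Confirming conntrack %p\n", ct);
@@ -901,7 +901,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
  ret = l3proto->get_l4proto(skb, skb_network_offset(skb),
  &dataoff, &protonum);
  if (ret <= 0) {
- pr_debug("not prepared to track yet or error occured\n");
+ pr_debug("not prepared to track yet or error occurred\n");
  NF_CT_STAT_INC_ATOMIC(net, error);
  NF_CT_STAT_INC_ATOMIC(net, invalid);
  ret = -ret;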
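--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -98,7 +98,7 @@ static const char * const dccp_state_names[] = {
 #define sIV CT_DCCP_INVALID
 
 /*
- * DCCP state transistion table
+ * DCCP state transition table
  *
  * The assumption is the same as for TCP tracking:
  *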
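--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -107,9 +107,9 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
-/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/
+/* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't have Stale cookie*/
 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
-/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */
+/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in orig dir */
 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
  },
  {
@@ -121,7 +121,7 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
-/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */
+/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in reply dir */
 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
  }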
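--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -707,7 +707,7 @@ static const char *ct_sdp_header_search(const char *dptr, const char *limit,
 }
 
 /* Locate a SDP header (optionally a substring within the header value),
- * optionally stopping at the first occurence of the term header, parse
+ * optionally stopping at the first occurrence of the term header, parse
  * it and return the offset and length of the data we're interested in.
  */
 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,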
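--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -134,7 +134,7 @@ static int __nf_queue(struct sk_buff *skb,
  const struct nf_afinfo *afinfo;
  const struct nf_queue_handler *qh;
 
- /* QUEUE == DROP if noone is waiting, to be safe. */
+ /* QUEUE == DROP if no one is waiting, to be safe. */
  rcu_read_lock();
 
  qh = rcu_dereference(queue_handler[pf]);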
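--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -109,7 +109,7 @@ static void netlbl_domhsh_free_entry(struct rcu_head *entry)
  *
  * Description:
  * This is the hashing function for the domain hash table, it returns the
- * correct bucket number for the domain. The caller is responsibile for
+ * correct bucket number for the domain. The caller is responsible for
  * ensuring that the hash table is protected with either a RCU read lock or the
  * hash table lock.
  *
@@ -134,7 +134,7 @@ static u32 netlbl_domhsh_hash(const char *key)
  *
  * Description:
  * Searches the domain hash table and returns a pointer to the hash table
- * entry if found, otherwise NULL is returned. The caller is responsibile for
+ * entry if found, otherwise NULL is returned. The caller is responsible for
  * ensuring that the hash table is protected with either a RCU read lock or the
  * hash table lock.
  *
@@ -165,7 +165,7 @@ static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain)
  * Searches the domain hash table and returns a pointer to the hash table
  * entry if an exact match is found, if an exact match is not present in the
  * hash table then the default entry is returned if valid otherwise NULL is
- * returned. The caller is responsibile ensuring that the hash table is
+ * returned. The caller is responsible ensuring that the hash table is
  * protected with either a RCU read lock or the hash table lock.
  *
  */
@@ -193,7 +193,7 @@ static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain)
  *
  * Description:
  * Generate an audit record for adding a new NetLabel/LSM mapping entry with
- * the given information. Caller is responsibile for holding the necessary
+ * the given information. Caller is responsible for holding the necessary
  * locks.
  *
  */
@@ -605,7 +605,7 @@ int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info)
  *
  * Description:
  * Look through the domain hash table searching for an entry to match @domain,
- * return a pointer to a copy of the entry or NULL. The caller is responsibile
+ * return a pointer to a copy of the entry or NULL. The caller is responsible
  * for ensuring that rcu_read_[un]lock() is called.
  *
  */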
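--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -259,7 +259,7 @@ add_failure:
  *
  * Description:
  * This function is a helper function used by the LISTALL and LISTDEF command
- * handlers. The caller is responsibile for ensuring that the RCU read lock
+ * handlers. The caller is responsible for ensuring that the RCU read lock
  * is held. Returns zero on success, negative values on failure.
  *
  */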
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index c47a511f203d..7c4dce8fa5e6 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -355,7 +355,7 @@ void rds_ib_send_cq_comp_handler(struct ib_cq *cq, void *context)
355 * 355 *
356 * Conceptually, we have two counters: 356 * Conceptually, we have two counters:
357 * - send credits: this tells us how many WRs we're allowed 357 * - send credits: this tells us how many WRs we're allowed
358 * to submit without overruning the reciever's queue. For 358 * to submit without overruning the receiver's queue. For
359 * each SEND WR we post, we decrement this by one. 359 * each SEND WR we post, we decrement this by one.
360 * 360 *
361 * - posted credits: this tells us how many WRs we recently 361 * - posted credits: this tells us how many WRs we recently
diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
index 712cf2d1f28e..3a60a15d1b4a 100644
--- a/net/rds/iw_cm.c
+++ b/net/rds/iw_cm.c
@@ -181,7 +181,7 @@ static int rds_iw_init_qp_attrs(struct ib_qp_init_attr *attr,
181 unsigned int send_size, recv_size; 181 unsigned int send_size, recv_size;
182 int ret; 182 int ret;
183 183
184 /* The offset of 1 is to accomodate the additional ACK WR. */ 184 /* The offset of 1 is to accommodate the additional ACK WR. */
185 send_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_send_wr + 1); 185 send_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_send_wr + 1);
186 recv_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_recv_wr + 1); 186 recv_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_recv_wr + 1);
187 rds_iw_ring_resize(send_ring, send_size - 1); 187 rds_iw_ring_resize(send_ring, send_size - 1);
diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c
index 59509e9a9e72..6deaa77495e3 100644
--- a/net/rds/iw_rdma.c
+++ b/net/rds/iw_rdma.c
@@ -122,7 +122,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
122#else 122#else
123 /* FIXME - needs to compare the local and remote 123 /* FIXME - needs to compare the local and remote
124 * ipaddr/port tuple, but the ipaddr is the only 124 * ipaddr/port tuple, but the ipaddr is the only
125 * available infomation in the rds_sock (as the rest are 125 * available information in the rds_sock (as the rest are
126 * zero'ed. It doesn't appear to be properly populated 126 * zero'ed. It doesn't appear to be properly populated
127 * during connection setup... 127 * during connection setup...
128 */ 128 */
diff --git a/net/rds/iw_send.c b/net/rds/iw_send.c
index 6280ea020d4e..545d8ee3efb1 100644
--- a/net/rds/iw_send.c
+++ b/net/rds/iw_send.c
@@ -307,7 +307,7 @@ void rds_iw_send_cq_comp_handler(struct ib_cq *cq, void *context)
307 * 307 *
308 * Conceptually, we have two counters: 308 * Conceptually, we have two counters:
309 * - send credits: this tells us how many WRs we're allowed 309 * - send credits: this tells us how many WRs we're allowed
310 * to submit without overruning the reciever's queue. For 310 * to submit without overruning the receiver's queue. For
311 * each SEND WR we post, we decrement this by one. 311 * each SEND WR we post, we decrement this by one.
312 * 312 *
313 * - posted credits: this tells us how many WRs we recently 313 * - posted credits: this tells us how many WRs we recently
diff --git a/net/rds/send.c b/net/rds/send.c
index 35b9c2e9caf1..d58ae5f9339e 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -116,7 +116,7 @@ static void release_in_xmit(struct rds_connection *conn)
116} 116}
117 117
118/* 118/*
119 * We're making the concious trade-off here to only send one message 119 * We're making the conscious trade-off here to only send one message
120 * down the connection at a time. 120 * down the connection at a time.
121 * Pro: 121 * Pro:
122 * - tx queueing is a simple fifo list 122 * - tx queueing is a simple fifo list
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 5ee0c62046a0..a80aef6e3d1f 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -978,7 +978,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
978 struct sock *make; 978 struct sock *make;
979 struct rose_sock *make_rose; 979 struct rose_sock *make_rose;
980 struct rose_facilities_struct facilities; 980 struct rose_facilities_struct facilities;
981 int n, len; 981 int n;
982 982
983 skb->sk = NULL; /* Initially we don't know who it's for */ 983 skb->sk = NULL; /* Initially we don't know who it's for */
984 984
@@ -987,9 +987,9 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
987 */ 987 */
988 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct)); 988 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
989 989
990 len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1; 990 if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
991 len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1; 991 skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
992 if (!rose_parse_facilities(skb->data + len + 4, &facilities)) { 992 &facilities)) {
993 rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76); 993 rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
994 return 0; 994 return 0;
995 } 995 }
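Review bot: The length passed to rose_parse_facilities at new lines 990-992, `skb->len - ROSE_CALL_REQ_FACILITIES_OFF`, is an unsigned subtraction, and nothing in this hunk checks that skb->len exceeds the offset. A shorter frame would wrap to a very large packet_len and defeat the bound the new parameter is meant to provide. The guards added in this commit sit in rose_loopback_timer and rose_route_frame, which presumably are the only paths into rose_rx_call_request, so that precondition should be written down here, e.g. `/* Callers guarantee skb->len > ROSE_CALL_REQ_FACILITIES_OFF (checked in rose_route_frame and rose_loopback_timer). */`. The same subtraction appears in the last rose_route_frame hunk of net/rose/rose_route.c, where it relies on the check near the top of that function and on that path being reached only for ROSE_CALL_REQUEST frames, which the hunk does not show. rose_rx_call_request's body starts and ends outside these hunks.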
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index ae4a9d99aec7..344456206b70 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -73,9 +73,20 @@ static void rose_loopback_timer(unsigned long param)
73 unsigned int lci_i, lci_o; 73 unsigned int lci_i, lci_o;
74 74
75 while ((skb = skb_dequeue(&loopback_queue)) != NULL) { 75 while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
76 if (skb->len < ROSE_MIN_LEN) {
77 kfree_skb(skb);
78 continue;
79 }
76 lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); 80 lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
77 frametype = skb->data[2]; 81 frametype = skb->data[2];
78 dest = (rose_address *)(skb->data + 4); 82 if (frametype == ROSE_CALL_REQUEST &&
83 (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
84 skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
85 ROSE_CALL_REQ_ADDR_LEN_VAL)) {
86 kfree_skb(skb);
87 continue;
88 }
89 dest = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
79 lci_o = ROSE_DEFAULT_MAXVC + 1 - lci_i; 90 lci_o = ROSE_DEFAULT_MAXVC + 1 - lci_i;
80 91
81 skb_reset_transport_header(skb); 92 skb_reset_transport_header(skb);
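Review bot: The call-request validation added at new lines 82-88 is repeated token for token in rose_route_frame (net/rose/rose_route.c, new lines 876-880), and two hand-copied packet-bounds checks tend to drift when one of them is later tightened. A single helper in the shared ROSE header, for example `static inline bool rose_call_req_ok(const struct sk_buff *skb)`, could return false when `skb->len <= ROSE_CALL_REQ_FACILITIES_OFF` or the address-length octet differs from `ROSE_CALL_REQ_ADDR_LEN_VAL`, which would keep both receive paths on the same rule. Separately, `dest` at new line 89 is still computed for every frame type although its offset is validated only for ROSE_CALL_REQUEST; a short comment saying it is meaningful for call requests only would help, assuming that is how the rest of the loop (outside the hunk) uses it.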
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 88a77e90e7e8..479cae57d187 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -587,7 +587,7 @@ static int rose_clear_routes(void)
587 587
588/* 588/*
589 * Check that the device given is a valid AX.25 interface that is "up". 589 * Check that the device given is a valid AX.25 interface that is "up".
590 * called whith RTNL 590 * called with RTNL
591 */ 591 */
592static struct net_device *rose_ax25_dev_find(char *devname) 592static struct net_device *rose_ax25_dev_find(char *devname)
593{ 593{
@@ -861,7 +861,7 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
861 unsigned int lci, new_lci; 861 unsigned int lci, new_lci;
862 unsigned char cause, diagnostic; 862 unsigned char cause, diagnostic;
863 struct net_device *dev; 863 struct net_device *dev;
864 int len, res = 0; 864 int res = 0;
865 char buf[11]; 865 char buf[11];
866 866
867#if 0 867#if 0
@@ -869,10 +869,17 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
869 return res; 869 return res;
870#endif 870#endif
871 871
872 if (skb->len < ROSE_MIN_LEN)
873 return res;
872 frametype = skb->data[2]; 874 frametype = skb->data[2];
873 lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); 875 lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
874 src_addr = (rose_address *)(skb->data + 9); 876 if (frametype == ROSE_CALL_REQUEST &&
875 dest_addr = (rose_address *)(skb->data + 4); 877 (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
878 skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
879 ROSE_CALL_REQ_ADDR_LEN_VAL))
880 return res;
881 src_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
882 dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
876 883
877 spin_lock_bh(&rose_neigh_list_lock); 884 spin_lock_bh(&rose_neigh_list_lock);
878 spin_lock_bh(&rose_route_list_lock); 885 spin_lock_bh(&rose_route_list_lock);
@@ -1010,12 +1017,11 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
1010 goto out; 1017 goto out;
1011 } 1018 }
1012 1019
1013 len = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
1014 len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
1015
1016 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct)); 1020 memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
1017 1021
1018 if (!rose_parse_facilities(skb->data + len + 4, &facilities)) { 1022 if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
1023 skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
1024 &facilities)) {
1019 rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76); 1025 rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);
1020 goto out; 1026 goto out;
1021 } 1027 }
diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 1734abba26a2..f6c71caa94b9 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -142,7 +142,7 @@ void rose_write_internal(struct sock *sk, int frametype)
142 *dptr++ = ROSE_GFI | lci1; 142 *dptr++ = ROSE_GFI | lci1;
143 *dptr++ = lci2; 143 *dptr++ = lci2;
144 *dptr++ = frametype; 144 *dptr++ = frametype;
145 *dptr++ = 0xAA; 145 *dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;
146 memcpy(dptr, &rose->dest_addr, ROSE_ADDR_LEN); 146 memcpy(dptr, &rose->dest_addr, ROSE_ADDR_LEN);
147 dptr += ROSE_ADDR_LEN; 147 dptr += ROSE_ADDR_LEN;
148 memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); 148 memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
@@ -246,12 +246,16 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
246 do { 246 do {
247 switch (*p & 0xC0) { 247 switch (*p & 0xC0) {
248 case 0x00: 248 case 0x00:
249 if (len < 2)
250 return -1;
249 p += 2; 251 p += 2;
250 n += 2; 252 n += 2;
251 len -= 2; 253 len -= 2;
252 break; 254 break;
253 255
254 case 0x40: 256 case 0x40:
257 if (len < 3)
258 return -1;
255 if (*p == FAC_NATIONAL_RAND) 259 if (*p == FAC_NATIONAL_RAND)
256 facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF); 260 facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);
257 p += 3; 261 p += 3;
@@ -260,40 +264,61 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
260 break; 264 break;
261 265
262 case 0x80: 266 case 0x80:
267 if (len < 4)
268 return -1;
263 p += 4; 269 p += 4;
264 n += 4; 270 n += 4;
265 len -= 4; 271 len -= 4;
266 break; 272 break;
267 273
268 case 0xC0: 274 case 0xC0:
275 if (len < 2)
276 return -1;
269 l = p[1]; 277 l = p[1];
278 if (len < 2 + l)
279 return -1;
270 if (*p == FAC_NATIONAL_DEST_DIGI) { 280 if (*p == FAC_NATIONAL_DEST_DIGI) {
271 if (!fac_national_digis_received) { 281 if (!fac_national_digis_received) {
282 if (l < AX25_ADDR_LEN)
283 return -1;
272 memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN); 284 memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);
273 facilities->source_ndigis = 1; 285 facilities->source_ndigis = 1;
274 } 286 }
275 } 287 }
276 else if (*p == FAC_NATIONAL_SRC_DIGI) { 288 else if (*p == FAC_NATIONAL_SRC_DIGI) {
277 if (!fac_national_digis_received) { 289 if (!fac_national_digis_received) {
290 if (l < AX25_ADDR_LEN)
291 return -1;
278 memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN); 292 memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);
279 facilities->dest_ndigis = 1; 293 facilities->dest_ndigis = 1;
280 } 294 }
281 } 295 }
282 else if (*p == FAC_NATIONAL_FAIL_CALL) { 296 else if (*p == FAC_NATIONAL_FAIL_CALL) {
297 if (l < AX25_ADDR_LEN)
298 return -1;
283 memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN); 299 memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);
284 } 300 }
285 else if (*p == FAC_NATIONAL_FAIL_ADD) { 301 else if (*p == FAC_NATIONAL_FAIL_ADD) {
302 if (l < 1 + ROSE_ADDR_LEN)
303 return -1;
286 memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN); 304 memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);
287 } 305 }
288 else if (*p == FAC_NATIONAL_DIGIS) { 306 else if (*p == FAC_NATIONAL_DIGIS) {
307 if (l % AX25_ADDR_LEN)
308 return -1;
289 fac_national_digis_received = 1; 309 fac_national_digis_received = 1;
290 facilities->source_ndigis = 0; 310 facilities->source_ndigis = 0;
291 facilities->dest_ndigis = 0; 311 facilities->dest_ndigis = 0;
292 for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) { 312 for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
293 if (pt[6] & AX25_HBIT) 313 if (pt[6] & AX25_HBIT) {
314 if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
315 return -1;
294 memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN); 316 memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
295 else 317 } else {
318 if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
319 return -1;
296 memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN); 320 memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
321 }
297 } 322 }
298 } 323 }
299 p += l + 2; 324 p += l + 2;
@@ -314,25 +339,38 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
314 do { 339 do {
315 switch (*p & 0xC0) { 340 switch (*p & 0xC0) {
316 case 0x00: 341 case 0x00:
342 if (len < 2)
343 return -1;
317 p += 2; 344 p += 2;
318 n += 2; 345 n += 2;
319 len -= 2; 346 len -= 2;
320 break; 347 break;
321 348
322 case 0x40: 349 case 0x40:
350 if (len < 3)
351 return -1;
323 p += 3; 352 p += 3;
324 n += 3; 353 n += 3;
325 len -= 3; 354 len -= 3;
326 break; 355 break;
327 356
328 case 0x80: 357 case 0x80:
358 if (len < 4)
359 return -1;
329 p += 4; 360 p += 4;
330 n += 4; 361 n += 4;
331 len -= 4; 362 len -= 4;
332 break; 363 break;
333 364
334 case 0xC0: 365 case 0xC0:
366 if (len < 2)
367 return -1;
335 l = p[1]; 368 l = p[1];
369
370 /* Prevent overflows*/
371 if (l < 10 || l > 20)
372 return -1;
373
336 if (*p == FAC_CCITT_DEST_NSAP) { 374 if (*p == FAC_CCITT_DEST_NSAP) {
337 memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN); 375 memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
338 memcpy(callsign, p + 12, l - 10); 376 memcpy(callsign, p + 12, l - 10);
@@ -355,45 +393,44 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
355 return n; 393 return n;
356} 394}
357 395
358int rose_parse_facilities(unsigned char *p, 396int rose_parse_facilities(unsigned char *p, unsigned packet_len,
359 struct rose_facilities_struct *facilities) 397 struct rose_facilities_struct *facilities)
360{ 398{
361 int facilities_len, len; 399 int facilities_len, len;
362 400
363 facilities_len = *p++; 401 facilities_len = *p++;
364 402
365 if (facilities_len == 0) 403 if (facilities_len == 0 || (unsigned)facilities_len > packet_len)
366 return 0; 404 return 0;
367 405
368 while (facilities_len > 0) { 406 while (facilities_len >= 3 && *p == 0x00) {
369 if (*p == 0x00) { 407 facilities_len--;
370 facilities_len--; 408 p++;
371 p++; 409
372 410 switch (*p) {
373 switch (*p) { 411 case FAC_NATIONAL: /* National */
374 case FAC_NATIONAL: /* National */ 412 len = rose_parse_national(p + 1, facilities, facilities_len - 1);
375 len = rose_parse_national(p + 1, facilities, facilities_len - 1); 413 break;
376 facilities_len -= len + 1; 414
377 p += len + 1; 415 case FAC_CCITT: /* CCITT */
378 break; 416 len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
379 417 break;
380 case FAC_CCITT: /* CCITT */ 418
381 len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1); 419 default:
382 facilities_len -= len + 1; 420 printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
383 p += len + 1; 421 len = 1;
384 break; 422 break;
385 423 }
386 default: 424
387 printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p); 425 if (len < 0)
388 facilities_len--; 426 return 0;
389 p++; 427 if (WARN_ON(len >= facilities_len))
390 break; 428 return 0;
391 } 429 facilities_len -= len + 1;
392 } else 430 p += len + 1;
393 break; /* Error in facilities format */
394 } 431 }
395 432
396 return 1; 433 return facilities_len == 0;
397} 434}
398 435
399static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose) 436static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
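Review bot: The 0xC0 case of rose_parse_ccitt (new lines 366-372) checks `len < 2` and `l < 10 || l > 20` but, unlike the matching case in rose_parse_national at new lines 278-279, never compares `l` with the remaining `len`, so the `memcpy` calls reading from `p + 7` and `p + 12` can cover up to 22 octets of a facility whose family length is shorter than that. Adding `if (len < 2 + l) return -1;` right after the range check would close the gap. It would also stop the returned count from exceeding the family length, which as written looks able to reach `WARN_ON(len >= facilities_len)` in rose_parse_facilities from received data; the end of the ccitt case is outside the hunk, so this needs confirming. In rose_parse_facilities itself, the packet_len supplied by both callers includes the length octet that `*p++` consumes, so the entry test probably wants `>= packet_len` rather than `> packet_len`.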
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 15873e14cb54..14b42f4ad791 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -999,7 +999,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
999 switch (n->nlmsg_type) { 999 switch (n->nlmsg_type) {
1000 case RTM_NEWACTION: 1000 case RTM_NEWACTION:
1001 /* we are going to assume all other flags 1001 /* we are going to assume all other flags
1002 * imply create only if it doesnt exist 1002 * imply create only if it doesn't exist
1003 * Note that CREATE | EXCL implies that 1003 * Note that CREATE | EXCL implies that
1004 * but since we want avoid ambiguity (eg when flags 1004 * but since we want avoid ambiguity (eg when flags
1005 * is zero) then just set this 1005 * is zero) then just set this
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 50c7c06c019d..7affe9a92757 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -161,7 +161,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
161 } 161 }
162 if (offset > 0 && offset > skb->len) { 162 if (offset > 0 && offset > skb->len) {
163 pr_info("tc filter pedit" 163 pr_info("tc filter pedit"
164 " offset %d cant exceed pkt length %d\n", 164 " offset %d can't exceed pkt length %d\n",
165 offset, skb->len); 165 offset, skb->len);
166 goto bad; 166 goto bad;
167 } 167 }
diff --git a/net/sched/em_meta.c b/net/sched/em_meta.c
index a4de67eca824..49130e8abff0 100644
--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -47,7 +47,7 @@
47 * on the meta type. Obviously, the length of the data must also 47 * on the meta type. Obviously, the length of the data must also
48 * be provided for non-numeric types. 48 * be provided for non-numeric types.
49 * 49 *
50 * Additionaly, type dependant modifiers such as shift operators 50 * Additionally, type dependent modifiers such as shift operators
51 * or mask may be applied to extend the functionaliy. As of now, 51 * or mask may be applied to extend the functionaliy. As of now,
52 * the variable length type supports shifting the byte string to 52 * the variable length type supports shifting the byte string to
53 * the right, eating up any number of octets and thus supporting 53 * the right, eating up any number of octets and thus supporting
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index e1429a85091f..29b942ce9e82 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -183,7 +183,7 @@ static inline struct htb_class *htb_find(u32 handle, struct Qdisc *sch)
183 * filters in qdisc and in inner nodes (if higher filter points to the inner 183 * filters in qdisc and in inner nodes (if higher filter points to the inner
184 * node). If we end up with classid MAJOR:0 we enqueue the skb into special 184 * node). If we end up with classid MAJOR:0 we enqueue the skb into special
185 * internal fifo (direct). These packets then go directly thru. If we still 185 * internal fifo (direct). These packets then go directly thru. If we still
186 * have no valid leaf we try to use MAJOR:default leaf. It still unsuccessfull 186 * have no valid leaf we try to use MAJOR:default leaf. It still unsuccessful
187 * then finish and return direct queue. 187 * then finish and return direct queue.
188 */ 188 */
189#define HTB_DIRECT ((struct htb_class *)-1L) 189#define HTB_DIRECT ((struct htb_class *)-1L)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index edbbf7ad6623..69c35f6cd13f 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -160,7 +160,7 @@ static bool loss_4state(struct netem_sched_data *q)
160 u32 rnd = net_random(); 160 u32 rnd = net_random();
161 161
162 /* 162 /*
163 * Makes a comparision between rnd and the transition 163 * Makes a comparison between rnd and the transition
164 * probabilities outgoing from the current state, then decides the 164 * probabilities outgoing from the current state, then decides the
165 * next state and if the next packet has to be transmitted or lost. 165 * next state and if the next packet has to be transmitted or lost.
166 * The four states correspond to: 166 * The four states correspond to:
@@ -212,9 +212,9 @@ static bool loss_4state(struct netem_sched_data *q)
212 * Generates losses according to the Gilbert-Elliot loss model or 212 * Generates losses according to the Gilbert-Elliot loss model or
213 * its special cases (Gilbert or Simple Gilbert) 213 * its special cases (Gilbert or Simple Gilbert)
214 * 214 *
215 * Makes a comparision between random number and the transition 215 * Makes a comparison between random number and the transition
216 * probabilities outgoing from the current state, then decides the 216 * probabilities outgoing from the current state, then decides the
217 * next state. A second random number is extracted and the comparision 217 * next state. A second random number is extracted and the comparison
218 * with the loss probability of the current state decides if the next 218 * with the loss probability of the current state decides if the next
219 * packet will be transmitted or lost. 219 * packet will be transmitted or lost.
220 */ 220 */
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 6b04287913cd..0698cad61763 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1593,7 +1593,7 @@ void sctp_assoc_clean_asconf_ack_cache(const struct sctp_association *asoc)
1593 struct sctp_chunk *ack; 1593 struct sctp_chunk *ack;
1594 struct sctp_chunk *tmp; 1594 struct sctp_chunk *tmp;
1595 1595
1596 /* We can remove all the entries from the queue upto 1596 /* We can remove all the entries from the queue up to
1597 * the "Peer-Sequence-Number". 1597 * the "Peer-Sequence-Number".
1598 */ 1598 */
1599 list_for_each_entry_safe(ack, tmp, &asoc->asconf_ack_list, 1599 list_for_each_entry_safe(ack, tmp, &asoc->asconf_ack_list,
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index ddbbf7c81fa1..865e68fef21c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -113,7 +113,7 @@ struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp)
113 return new; 113 return new;
114} 114}
115 115
116/* Free the shared key stucture */ 116/* Free the shared key structure */
117static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key) 117static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
118{ 118{
119 BUG_ON(!list_empty(&sh_key->key_list)); 119 BUG_ON(!list_empty(&sh_key->key_list));
@@ -122,7 +122,7 @@ static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
122 kfree(sh_key); 122 kfree(sh_key);
123} 123}
124 124
125/* Destory the entire key list. This is done during the 125/* Destroy the entire key list. This is done during the
126 * associon and endpoint free process. 126 * associon and endpoint free process.
127 */ 127 */
128void sctp_auth_destroy_keys(struct list_head *keys) 128void sctp_auth_destroy_keys(struct list_head *keys)
@@ -324,7 +324,7 @@ static struct sctp_auth_bytes *sctp_auth_asoc_create_secret(
324 if (!peer_key_vector || !local_key_vector) 324 if (!peer_key_vector || !local_key_vector)
325 goto out; 325 goto out;
326 326
327 /* Figure out the order in wich the key_vectors will be 327 /* Figure out the order in which the key_vectors will be
328 * added to the endpoint shared key. 328 * added to the endpoint shared key.
329 * SCTP-AUTH, Section 6.1: 329 * SCTP-AUTH, Section 6.1:
330 * This is performed by selecting the numerically smaller key 330 * This is performed by selecting the numerically smaller key
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 826661be73e7..5436c6921167 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1034,7 +1034,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
1034* association. 1034* association.
1035* 1035*
1036* This means that any chunks that can help us identify the association need 1036* This means that any chunks that can help us identify the association need
1037* to be looked at to find this assocation. 1037* to be looked at to find this association.
1038*/ 1038*/
1039static struct sctp_association *__sctp_rcv_walk_lookup(struct sk_buff *skb, 1039static struct sctp_association *__sctp_rcv_walk_lookup(struct sk_buff *skb,
1040 const union sctp_addr *laddr, 1040 const union sctp_addr *laddr,
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 60600d337a3a..b4f3cf06d8da 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -510,7 +510,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
510 sh->checksum = sctp_end_cksum(crc32); 510 sh->checksum = sctp_end_cksum(crc32);
511 } else { 511 } else {
512 if (dst->dev->features & NETIF_F_SCTP_CSUM) { 512 if (dst->dev->features & NETIF_F_SCTP_CSUM) {
513 /* no need to seed psuedo checksum for SCTP */ 513 /* no need to seed pseudo checksum for SCTP */
514 nskb->ip_summed = CHECKSUM_PARTIAL; 514 nskb->ip_summed = CHECKSUM_PARTIAL;
515 nskb->csum_start = (skb_transport_header(nskb) - 515 nskb->csum_start = (skb_transport_header(nskb) -
516 nskb->head); 516 nskb->head);
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 26dc005113a0..bf92a5b68f8b 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -177,13 +177,13 @@ static inline int sctp_cacc_skip_3_2(struct sctp_transport *primary, __u32 tsn)
177 * 3) If the missing report count for TSN t is to be 177 * 3) If the missing report count for TSN t is to be
178 * incremented according to [RFC2960] and 178 * incremented according to [RFC2960] and
179 * [SCTP_STEWART-2002], and CHANGEOVER_ACTIVE is set, 179 * [SCTP_STEWART-2002], and CHANGEOVER_ACTIVE is set,
180 * then the sender MUST futher execute steps 3.1 and 180 * then the sender MUST further execute steps 3.1 and
181 * 3.2 to determine if the missing report count for 181 * 3.2 to determine if the missing report count for
182 * TSN t SHOULD NOT be incremented. 182 * TSN t SHOULD NOT be incremented.
183 * 183 *
184 * 3.3) If 3.1 and 3.2 do not dictate that the missing 184 * 3.3) If 3.1 and 3.2 do not dictate that the missing
185 * report count for t should not be incremented, then 185 * report count for t should not be incremented, then
186 * the sender SOULD increment missing report count for 186 * the sender SHOULD increment missing report count for
187 * t (according to [RFC2960] and [SCTP_STEWART_2002]). 187 * t (according to [RFC2960] and [SCTP_STEWART_2002]).
188 */ 188 */
189static inline int sctp_cacc_skip(struct sctp_transport *primary, 189static inline int sctp_cacc_skip(struct sctp_transport *primary,
@@ -843,7 +843,7 @@ static int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
843 case SCTP_CID_ECN_CWR: 843 case SCTP_CID_ECN_CWR:
844 case SCTP_CID_ASCONF_ACK: 844 case SCTP_CID_ASCONF_ACK:
845 one_packet = 1; 845 one_packet = 1;
846 /* Fall throught */ 846 /* Fall through */
847 847
848 case SCTP_CID_SACK: 848 case SCTP_CID_SACK:
849 case SCTP_CID_HEARTBEAT: 849 case SCTP_CID_HEARTBEAT:
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 152976ec0b74..d5bf91d04f63 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1205,7 +1205,7 @@ SCTP_STATIC __init int sctp_init(void)
1205 if ((sctp_assoc_hashsize > (64 * 1024)) && order > 0) 1205 if ((sctp_assoc_hashsize > (64 * 1024)) && order > 0)
1206 continue; 1206 continue;
1207 sctp_assoc_hashtable = (struct sctp_hashbucket *) 1207 sctp_assoc_hashtable = (struct sctp_hashbucket *)
1208 __get_free_pages(GFP_ATOMIC, order); 1208 __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
1209 } while (!sctp_assoc_hashtable && --order > 0); 1209 } while (!sctp_assoc_hashtable && --order > 0);
1210 if (!sctp_assoc_hashtable) { 1210 if (!sctp_assoc_hashtable) {
1211 pr_err("Failed association hash alloc\n"); 1211 pr_err("Failed association hash alloc\n");
@@ -1238,7 +1238,7 @@ SCTP_STATIC __init int sctp_init(void)
1238 if ((sctp_port_hashsize > (64 * 1024)) && order > 0) 1238 if ((sctp_port_hashsize > (64 * 1024)) && order > 0)
1239 continue; 1239 continue;
1240 sctp_port_hashtable = (struct sctp_bind_hashbucket *) 1240 sctp_port_hashtable = (struct sctp_bind_hashbucket *)
1241 __get_free_pages(GFP_ATOMIC, order); 1241 __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
1242 } while (!sctp_port_hashtable && --order > 0); 1242 } while (!sctp_port_hashtable && --order > 0);
1243 if (!sctp_port_hashtable) { 1243 if (!sctp_port_hashtable) {
1244 pr_err("Failed bind hash alloc\n"); 1244 pr_err("Failed bind hash alloc\n");
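Review bot: Neither `__get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order)` call (new lines 1208 and 1241) says why the allocation warning is suppressed, and a bare __GFP_NOWARN tends to be copied to call sites that have no fallback. Here the surrounding do/while retries with a smaller order and the code reports the final failure itself through pr_err, which is what makes the silence safe. A one-line comment above each call, such as `/* High-order failure is expected: we retry at a lower order and pr_err() if every order fails. */`, would record that. sctp_init's body starts and ends outside both hunks.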
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index de98665db524..b3434cc7d0cf 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3106,10 +3106,10 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
3106 3106
3107 /* create an ASCONF_ACK chunk. 3107 /* create an ASCONF_ACK chunk.
3108 * Based on the definitions of parameters, we know that the size of 3108 * Based on the definitions of parameters, we know that the size of
3109 * ASCONF_ACK parameters are less than or equal to the twice of ASCONF 3109 * ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
3110 * parameters. 3110 * parameters.
3111 */ 3111 */
3112 asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 2); 3112 asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 4);
3113 if (!asconf_ack) 3113 if (!asconf_ack)
3114 goto done; 3114 goto done;
3115 3115
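Review bot: The multiplier in `sctp_make_asconf_ack(asoc, serial, chunk_len * 4)` at new line 3112 is justified only by the assertion in the comment above it, and since the previous factor of two evidently proved too small, the bound should be derived rather than restated. Extend the comment to name the request parameter and the response that give the worst case, e.g. `/* Worst case: <ASCONF parameter> answered by <ASCONF-ACK response>, N bytes in, 4N bytes out. */` with the real names filled in, so the factor can be re-checked when parameter types are added. chunk_len's type and origin are outside the hunk; if it is taken from the received chunk header, it is worth confirming the product stays within what the allocation path accepts. sctp_process_asconf's body continues outside the hunk.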
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index b21b218d564f..5f86ee4b54c1 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -482,7 +482,7 @@ static void sctp_do_8_2_transport_strike(struct sctp_association *asoc,
482 * If the timer was a heartbeat, we only increment error counts 482 * If the timer was a heartbeat, we only increment error counts
483 * when we already have an outstanding HEARTBEAT that has not 483 * when we already have an outstanding HEARTBEAT that has not
484 * been acknowledged. 484 * been acknowledged.
485 * Additionaly, some tranport states inhibit error increments. 485 * Additionally, some tranport states inhibit error increments.
486 */ 486 */
487 if (!is_hb) { 487 if (!is_hb) {
488 asoc->overall_error_count++; 488 asoc->overall_error_count++;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 4b4eb7c96bbd..76792083c379 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -551,7 +551,7 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
551 * 551 *
552 * This means that if we only want to abort associations 552 * This means that if we only want to abort associations
553 * in an authenticated way (i.e AUTH+ABORT), then we 553 * in an authenticated way (i.e AUTH+ABORT), then we
554 * can't destroy this association just becuase the packet 554 * can't destroy this association just because the packet
555 * was malformed. 555 * was malformed.
556 */ 556 */
557 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 557 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
@@ -1546,7 +1546,7 @@ cleanup:
1546} 1546}
1547 1547
1548/* 1548/*
1549 * Handle simultanous INIT. 1549 * Handle simultaneous INIT.
1550 * This means we started an INIT and then we got an INIT request from 1550 * This means we started an INIT and then we got an INIT request from
1551 * our peer. 1551 * our peer.
1552 * 1552 *
@@ -2079,7 +2079,7 @@ sctp_disposition_t sctp_sf_shutdown_pending_abort(
2079 * RFC 2960, Section 3.3.7 2079 * RFC 2960, Section 3.3.7
2080 * If an endpoint receives an ABORT with a format error or for an 2080 * If an endpoint receives an ABORT with a format error or for an
2081 * association that doesn't exist, it MUST silently discard it. 2081 * association that doesn't exist, it MUST silently discard it.
2082 * Becasue the length is "invalid", we can't really discard just 2082 * Because the length is "invalid", we can't really discard just
2083 * as we do not know its true length. So, to be safe, discard the 2083 * as we do not know its true length. So, to be safe, discard the
2084 * packet. 2084 * packet.
2085 */ 2085 */
@@ -2120,7 +2120,7 @@ sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
2120 * RFC 2960, Section 3.3.7 2120 * RFC 2960, Section 3.3.7
2121 * If an endpoint receives an ABORT with a format error or for an 2121 * If an endpoint receives an ABORT with a format error or for an
2122 * association that doesn't exist, it MUST silently discard it. 2122 * association that doesn't exist, it MUST silently discard it.
2123 * Becasue the length is "invalid", we can't really discard just 2123 * Because the length is "invalid", we can't really discard just
2124 * as we do not know its true length. So, to be safe, discard the 2124 * as we do not know its true length. So, to be safe, discard the
2125 * packet. 2125 * packet.
2126 */ 2126 */
@@ -2381,7 +2381,7 @@ sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
2381 * RFC 2960, Section 3.3.7 2381 * RFC 2960, Section 3.3.7
2382 * If an endpoint receives an ABORT with a format error or for an 2382 * If an endpoint receives an ABORT with a format error or for an
2383 * association that doesn't exist, it MUST silently discard it. 2383 * association that doesn't exist, it MUST silently discard it.
2384 * Becasue the length is "invalid", we can't really discard just 2384 * Because the length is "invalid", we can't really discard just
2385 * as we do not know its true length. So, to be safe, discard the 2385 * as we do not know its true length. So, to be safe, discard the
2386 * packet. 2386 * packet.
2387 */ 2387 */
@@ -2448,7 +2448,7 @@ sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
2448 * RFC 2960, Section 3.3.7 2448 * RFC 2960, Section 3.3.7
2449 * If an endpoint receives an ABORT with a format error or for an 2449 * If an endpoint receives an ABORT with a format error or for an
2450 * association that doesn't exist, it MUST silently discard it. 2450 * association that doesn't exist, it MUST silently discard it.
2451 * Becasue the length is "invalid", we can't really discard just 2451 * Because the length is "invalid", we can't really discard just
2452 * as we do not know its true length. So, to be safe, discard the 2452 * as we do not know its true length. So, to be safe, discard the
2453 * packet. 2453 * packet.
2454 */ 2454 */
@@ -3855,7 +3855,7 @@ gen_shutdown:
3855} 3855}
3856 3856
3857/* 3857/*
3858 * SCTP-AUTH Section 6.3 Receving authenticated chukns 3858 * SCTP-AUTH Section 6.3 Receiving authenticated chukns
3859 * 3859 *
3860 * The receiver MUST use the HMAC algorithm indicated in the HMAC 3860 * The receiver MUST use the HMAC algorithm indicated in the HMAC
3861 * Identifier field. If this algorithm was not specified by the 3861 * Identifier field. If this algorithm was not specified by the
@@ -4231,7 +4231,7 @@ static sctp_disposition_t sctp_sf_abort_violation(
4231 * 4231 *
4232 * This means that if we only want to abort associations 4232 * This means that if we only want to abort associations
4233 * in an authenticated way (i.e AUTH+ABORT), then we 4233 * in an authenticated way (i.e AUTH+ABORT), then we
4234 * can't destroy this association just becuase the packet 4234 * can't destroy this association just because the packet
4235 * was malformed. 4235 * was malformed.
4236 */ 4236 */
4237 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc)) 4237 if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
@@ -4402,9 +4402,9 @@ static sctp_disposition_t sctp_sf_violation_ctsn(
4402} 4402}
4403 4403
4404/* Handle protocol violation of an invalid chunk bundling. For example, 4404/* Handle protocol violation of an invalid chunk bundling. For example,
4405 * when we have an association and we recieve bundled INIT-ACK, or 4405 * when we have an association and we receive bundled INIT-ACK, or
4406 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" 4406 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
4407 * statement from the specs. Additinally, there might be an attacker 4407 * statement from the specs. Additionally, there might be an attacker
4408 * on the path and we may not want to continue this communication. 4408 * on the path and we may not want to continue this communication.
4409 */ 4409 */
4410static sctp_disposition_t sctp_sf_violation_chunk( 4410static sctp_disposition_t sctp_sf_violation_chunk(
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 3951a10605bc..deb82e35a107 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1193,7 +1193,7 @@ out_free:
1193 * an endpoint that is multi-homed. Much like sctp_bindx() this call 1193 * an endpoint that is multi-homed. Much like sctp_bindx() this call
1194 * allows a caller to specify multiple addresses at which a peer can be 1194 * allows a caller to specify multiple addresses at which a peer can be
1195 * reached. The way the SCTP stack uses the list of addresses to set up 1195 * reached. The way the SCTP stack uses the list of addresses to set up
1196 * the association is implementation dependant. This function only 1196 * the association is implementation dependent. This function only
1197 * specifies that the stack will try to make use of all the addresses in 1197 * specifies that the stack will try to make use of all the addresses in
1198 * the list when needed. 1198 * the list when needed.
1199 * 1199 *
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index aa72e89c3ee1..dff27d5e22fd 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -554,7 +554,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_send_failed(
554 memcpy(&ssf->ssf_info, &chunk->sinfo, sizeof(struct sctp_sndrcvinfo)); 554 memcpy(&ssf->ssf_info, &chunk->sinfo, sizeof(struct sctp_sndrcvinfo));
555 555
556 /* Per TSVWG discussion with Randy. Allow the application to 556 /* Per TSVWG discussion with Randy. Allow the application to
557 * ressemble a fragmented message. 557 * resemble a fragmented message.
558 */ 558 */
559 ssf->ssf_info.sinfo_flags = chunk->chunk_hdr->flags; 559 ssf->ssf_info.sinfo_flags = chunk->chunk_hdr->flags;
560 560
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 17678189d054..f2d1de7f2ffb 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -240,7 +240,7 @@ int sctp_ulpq_tail_event(struct sctp_ulpq *ulpq, struct sctp_ulpevent *event)
240 } else { 240 } else {
241 /* 241 /*
242 * If fragment interleave is enabled, we 242 * If fragment interleave is enabled, we
243 * can queue this to the recieve queue instead 243 * can queue this to the receive queue instead
244 * of the lobby. 244 * of the lobby.
245 */ 245 */
246 if (sctp_sk(sk)->frag_interleave) 246 if (sctp_sk(sk)->frag_interleave)
diff --git a/net/socket.c b/net/socket.c
index 5212447c86e7..310d16b1b3c9 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2986,7 +2986,7 @@ out:
2986 2986
2987/* Since old style bridge ioctl's endup using SIOCDEVPRIVATE 2987/* Since old style bridge ioctl's endup using SIOCDEVPRIVATE
2988 * for some operations; this forces use of the newer bridge-utils that 2988 * for some operations; this forces use of the newer bridge-utils that
2989 * use compatiable ioctls 2989 * use compatible ioctls
2990 */ 2990 */
2991static int old_bridge_ioctl(compat_ulong_t __user *argp) 2991static int old_bridge_ioctl(compat_ulong_t __user *argp)
2992{ 2992{
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index 8b4061049d76..e3c36a274412 100644
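--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -160,6 +160,28 @@ gss_mech_get_by_name(const char *name)
 
 EXPORT_SYMBOL_GPL(gss_mech_get_by_name);
 
+struct gss_api_mech *
+gss_mech_get_by_OID(struct xdr_netobj *obj)
+{
+ struct gss_api_mech *pos, *gm = NULL;
+
+ spin_lock(&registered_mechs_lock);
+ list_for_each_entry(pos, &registered_mechs, gm_list) {
+ if (obj->len == pos->gm_oid.len) {
+ if (0 == memcmp(obj->data, pos->gm_oid.data, obj->len)) {
+ if (try_module_get(pos->gm_owner))
+ gm = pos;
+ break;
+ }
+ }
+ }
+ spin_unlock(&registered_mechs_lock);
+ return gm;
+
+}
+
+EXPORT_SYMBOL_GPL(gss_mech_get_by_OID);
+
 static inline int
 mech_supports_pseudoflavor(struct gss_api_mech *gm, u32 pseudoflavor)
 {
@@ -193,6 +215,22 @@ gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
 
 EXPORT_SYMBOL_GPL(gss_mech_get_by_pseudoflavor);
 
+int gss_mech_list_pseudoflavors(rpc_authflavor_t *array_ptr)
+{
+ struct gss_api_mech *pos = NULL;
+ int i = 0;
+
+ spin_lock(&registered_mechs_lock);
+ list_for_each_entry(pos, &registered_mechs, gm_list) {
+ array_ptr[i] = pos->gm_pfs->pseudoflavor;
+ i++;
+ }
+ spin_unlock(&registered_mechs_lock);
+ return i;
+}
+
+EXPORT_SYMBOL_GPL(gss_mech_list_pseudoflavors);
+
 u32
 gss_svc_to_pseudoflavor(struct gss_api_mech *gm, u32 service)
 {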
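Review bot: gss_mech_list_pseudoflavors() stores into `array_ptr[i]` for every entry on registered_mechs with no bound on `i`, so the caller's array is overrun as soon as more mechanisms are registered than it has slots. The function takes no capacity argument and therefore cannot check; passing the array size and adding `if (i >= size) break;` inside the loop, or at minimum documenting the required array size in a comment above the function, would close this. It also records only the first `gm_pfs` entry of each mechanism, which may be intended but deserves a comment. gss_svc_to_pseudoflavor, which follows the second hunk, continues outside the section.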
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index bcdae78fdfc6..8d0f7d3c71c8 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1101,7 +1101,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
1101 1101
1102 /* credential is: 1102 /* credential is:
1103 * version(==1), proc(0,1,2,3), seq, service (1,2,3), handle 1103 * version(==1), proc(0,1,2,3), seq, service (1,2,3), handle
1104 * at least 5 u32s, and is preceeded by length, so that makes 6. 1104 * at least 5 u32s, and is preceded by length, so that makes 6.
1105 */ 1105 */
1106 1106
1107 if (argv->iov_len < 5 * 4) 1107 if (argv->iov_len < 5 * 4)
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index ffb687671da0..6b43ee7221d5 100644
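--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -860,8 +860,10 @@ static void rpc_release_resources_task(struct rpc_task *task)
 {
  if (task->tk_rqstp)
  xprt_release(task);
- if (task->tk_msg.rpc_cred)
+ if (task->tk_msg.rpc_cred) {
  put_rpccred(task->tk_msg.rpc_cred);
+ task->tk_msg.rpc_cred = NULL;
+ }
  rpc_task_release_client(task);
 }
 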
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index be96d429b475..bf005d3c65ef 100644
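--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -504,7 +504,7 @@ static int xs_nospace(struct rpc_task *task)
  * EAGAIN: The socket was blocked, please call again later to
  * complete the request
  * ENOTCONN: Caller needs to invoke connect logic then call again
- * other: Some other error occured, the request was not sent
+ * other: Some other error occurred, the request was not sent
  */
 static int xs_udp_send_request(struct rpc_task *task)
 {
@@ -590,7 +590,7 @@ static inline void xs_encode_tcp_record_marker(struct xdr_buf *buf)
  * EAGAIN: The socket was blocked, please call again later to
  * complete the request
  * ENOTCONN: Caller needs to invoke connect logic then call again
- * other: Some other error occured, the request was not sent
+ * other: Some other error occurred, the request was not sent
  *
  * XXX: In the case of soft timeouts, should we eventually give up
  * if sendmsg is not able to make progress?
@@ -710,6 +710,8 @@ static void xs_reset_transport(struct sock_xprt *transport)
  if (sk == NULL)
  return;
 
+ transport->srcport = 0;
+
  write_lock_bh(&sk->sk_callback_lock);
  transport->inet = NULL;
  transport->sock = NULL;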
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 43639ff1cbec..ebf338f7b14e 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2471,7 +2471,7 @@ exit:
2471 * A pending message being re-assembled must store certain values 2471 * A pending message being re-assembled must store certain values
2472 * to handle subsequent fragments correctly. The following functions 2472 * to handle subsequent fragments correctly. The following functions
2473 * help storing these values in unused, available fields in the 2473 * help storing these values in unused, available fields in the
2474 * pending message. This makes dynamic memory allocation unecessary. 2474 * pending message. This makes dynamic memory allocation unnecessary.
2475 */ 2475 */
2476 2476
2477static void set_long_msg_seqno(struct sk_buff *buf, u32 seqno) 2477static void set_long_msg_seqno(struct sk_buff *buf, u32 seqno)
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index c9fa6dfcf287..80025a1b3bfd 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -160,7 +160,7 @@ void tipc_named_withdraw(struct publication *publ)
160 160
161 buf = named_prepare_buf(WITHDRAWAL, ITEM_SIZE, 0); 161 buf = named_prepare_buf(WITHDRAWAL, ITEM_SIZE, 0);
162 if (!buf) { 162 if (!buf) {
163 warn("Withdrawl distribution failure\n"); 163 warn("Withdrawal distribution failure\n");
164 return; 164 return;
165 } 165 }
166 166
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 1663e1a2efdd..3a43a8304768 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -207,7 +207,7 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned *hashp)
207 /* 207 /*
208 * This may look like an off by one error but it is a bit more 208 * This may look like an off by one error but it is a bit more
209 * subtle. 108 is the longest valid AF_UNIX path for a binding. 209 * subtle. 108 is the longest valid AF_UNIX path for a binding.
210 * sun_path[108] doesnt as such exist. However in kernel space 210 * sun_path[108] doesn't as such exist. However in kernel space
211 * we are guaranteed that it is a valid memory location in our 211 * we are guaranteed that it is a valid memory location in our
212 * kernel address buffer. 212 * kernel address buffer.
213 */ 213 */
diff --git a/net/wanrouter/wanproc.c b/net/wanrouter/wanproc.c
index 11f25c7a7a05..f346395314ba 100644
--- a/net/wanrouter/wanproc.c
+++ b/net/wanrouter/wanproc.c
@@ -51,7 +51,7 @@
51 51
52/* 52/*
53 * Structures for interfacing with the /proc filesystem. 53 * Structures for interfacing with the /proc filesystem.
54 * Router creates its own directory /proc/net/router with the folowing 54 * Router creates its own directory /proc/net/router with the following
55 * entries: 55 * entries:
56 * config device configuration 56 * config device configuration
57 * status global device statistics 57 * status global device statistics
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 3332d5bce317..ab801a1097b2 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -809,7 +809,7 @@ static void handle_channel(struct wiphy *wiphy,
809 if (r) { 809 if (r) {
810 /* 810 /*
811 * We will disable all channels that do not match our 811 * We will disable all channels that do not match our
812 * recieved regulatory rule unless the hint is coming 812 * received regulatory rule unless the hint is coming
813 * from a Country IE and the Country IE had no information 813 * from a Country IE and the Country IE had no information
814 * about a band. The IEEE 802.11 spec allows for an AP 814 * about a band. The IEEE 802.11 spec allows for an AP
815 * to send only a subset of the regulatory rules allowed, 815 * to send only a subset of the regulatory rules allowed,
@@ -838,7 +838,7 @@ static void handle_channel(struct wiphy *wiphy,
838 request_wiphy && request_wiphy == wiphy && 838 request_wiphy && request_wiphy == wiphy &&
839 request_wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY) { 839 request_wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY) {
840 /* 840 /*
841 * This gaurantees the driver's requested regulatory domain 841 * This guarantees the driver's requested regulatory domain
842 * will always be used as a base for further regulatory 842 * will always be used as a base for further regulatory
843 * settings 843 * settings
844 */ 844 */
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..fbf6f33ae4d0 100644
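--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -124,6 +124,15 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev,
 }
 
 /* must hold dev->bss_lock! */
+static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
+ struct cfg80211_internal_bss *bss)
+{
+ list_del_init(&bss->list);
+ rb_erase(&bss->rbn, &dev->bss_tree);
+ kref_put(&bss->ref, bss_release);
+}
+
+/* must hold dev->bss_lock! */
 void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
 {
  struct cfg80211_internal_bss *bss, *tmp;
@@ -134,9 +143,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
  continue;
  if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))
  continue;
- list_del(&bss->list);
- rb_erase(&bss->rbn, &dev->bss_tree);
- kref_put(&bss->ref, bss_release);
+ __cfg80211_unlink_bss(dev, bss);
  expired = true;
  }
 
@@ -585,16 +592,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
  struct cfg80211_internal_bss *res;
  size_t ielen = len - offsetof(struct ieee80211_mgmt,
  u.probe_resp.variable);
- size_t privsz = wiphy->bss_priv_size;
+ size_t privsz;
+
+ if (WARN_ON(!mgmt))
+ return NULL;
+
+ if (WARN_ON(!wiphy))
+ return NULL;
 
  if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
  (signal < 0 || signal > 100)))
  return NULL;
 
- if (WARN_ON(!mgmt || !wiphy ||
- len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
+ if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
  return NULL;
 
+ privsz = wiphy->bss_priv_size;
+
  res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
  if (!res)
  return NULL;
@@ -662,11 +676,8 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
 
  spin_lock_bh(&dev->bss_lock);
  if (!list_empty(&bss->list)) {
- list_del_init(&bss->list);
+ __cfg80211_unlink_bss(dev, bss);
  dev->bss_generation++;
- rb_erase(&bss->rbn, &dev->bss_tree);
-
- kref_put(&bss->ref, bss_release);
  }
  spin_unlock_bh(&dev->bss_lock);
 }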
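Review bot: In cfg80211_inform_bss_frame, `ielen` is still initialised at its declaration as `len - offsetof(struct ieee80211_mgmt, u.probe_resp.variable)`, ahead of the `len < offsetof(...)` check, and as a size_t it wraps to a very large value for a short frame. The visible lines do not use it before the check returns, so this is not a live bug here, but the patch already defers the `privsz` assignment until after validation and `ielen` should move down beside `privsz = wiphy->bss_priv_size;` so the allocation size is only ever computed from a validated length. Separately, the new __cfg80211_unlink_bss helper states its locking rule only in a comment; `lockdep_assert_held(&dev->bss_lock);` as its first statement would enforce it. cfg80211_inform_bss_frame begins and ends outside its hunk.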
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 406207515b5e..f77e4e75f914 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -31,7 +31,7 @@
31 * x25_parse_facilities - Parse facilities from skb into the facilities structs 31 * x25_parse_facilities - Parse facilities from skb into the facilities structs
32 * 32 *
33 * @skb: sk_buff to parse 33 * @skb: sk_buff to parse
34 * @facilities: Regular facilites, updated as facilities are found 34 * @facilities: Regular facilities, updated as facilities are found
35 * @dte_facs: ITU DTE facilities, updated as DTE facilities are found 35 * @dte_facs: ITU DTE facilities, updated as DTE facilities are found
36 * @vc_fac_mask: mask is updated with all facilities found 36 * @vc_fac_mask: mask is updated with all facilities found
37 * 37 *
diff --git a/net/x25/x25_forward.c b/net/x25/x25_forward.c
index 25a810793968..c541b622ae16 100644
--- a/net/x25/x25_forward.c
+++ b/net/x25/x25_forward.c
@@ -31,7 +31,7 @@ int x25_forward_call(struct x25_address *dest_addr, struct x25_neigh *from,
31 goto out_no_route; 31 goto out_no_route;
32 32
33 if ((neigh_new = x25_get_neigh(rt->dev)) == NULL) { 33 if ((neigh_new = x25_get_neigh(rt->dev)) == NULL) {
34 /* This shouldnt happen, if it occurs somehow 34 /* This shouldn't happen, if it occurs somehow
35 * do something sensible 35 * do something sensible
36 */ 36 */
37 goto out_put_route; 37 goto out_put_route;
@@ -45,7 +45,7 @@ int x25_forward_call(struct x25_address *dest_addr, struct x25_neigh *from,
45 } 45 }
46 46
47 /* Remote end sending a call request on an already 47 /* Remote end sending a call request on an already
48 * established LCI? It shouldnt happen, just in case.. 48 * established LCI? It shouldn't happen, just in case..
49 */ 49 */
50 read_lock_bh(&x25_forward_list_lock); 50 read_lock_bh(&x25_forward_list_lock);
51 list_for_each(entry, &x25_forward_list) { 51 list_for_each(entry, &x25_forward_list) {
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 872065ca7f8c..a026b0ef2443 100644
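--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -173,7 +173,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
  goto drop_unlock;
  }
 
- if (x->props.replay_window && x->repl->check(x, skb, seq)) {
+ if (x->repl->check(x, skb, seq)) {
  XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
  goto drop_unlock;
  }
@@ -190,6 +190,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
  XFRM_SKB_CB(skb)->seq.input.low = seq;
  XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
 
+ skb_dst_force(skb);
+
  nexthdr = x->type->input(x, skb);
 
  if (nexthdr == -EINPROGRESS)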
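Review bot: With the `x->props.replay_window &&` short-circuit removed, `x->repl->check(x, skb, seq)` is now dereferenced for every state, including zero-window states that never touched `x->repl` on this path before. Whether `x->repl` is initialised on every path that creates a state is not visible in this section and should be confirmed, because a NULL `repl` would now fault on inbound traffic where it used to be skipped. The added `skb_dst_force(skb)` also deserves a one-line comment such as `/* input may complete asynchronously; hold a real dst reference */`, which is presumably the reason given the `-EINPROGRESS` branch just below. xfrm_input's body extends beyond both hunks.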
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 1aba03f449cc..47bacd8c0250 100644
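--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -78,6 +78,8 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
 
  spin_unlock_bh(&x->lock);
 
+ skb_dst_force(skb);
+
  err = x->type->output(x, skb);
  if (err == -EINPROGRESS)
  goto out_exit;
@@ -94,7 +96,7 @@ resume:
  err = -EHOSTUNREACH;
  goto error_nolock;
  }
- skb_dst_set(skb, dst_clone(dst));
+ skb_dst_set(skb, dst);
  x = dst->xfrm;
  } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
 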
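Review bot: Replacing `skb_dst_set(skb, dst_clone(dst))` with `skb_dst_set(skb, dst)` in the resume loop removes one reference acquisition, which is only balanced if the `dst` obtained just above the hunk already carries a reference of its own. That code is outside the hunk, so the ownership cannot be confirmed from here; if `dst` arrives without a reference, the route entry would be released once too often and could be freed while still attached to the skb. A comment at the call, for example `/* dst arrives with its own reference; do not clone */`, would record the rule for the next reader. xfrm_output_one starts and ends outside both hunks.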
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 2f5be5b15740..f218385950ca 100644
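--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -118,6 +118,9 @@ static int xfrm_replay_check(struct xfrm_state *x,
  u32 diff;
  u32 seq = ntohl(net_seq);
 
+ if (!x->props.replay_window)
+ return 0;
+
  if (unlikely(seq == 0))
  goto err;
 
@@ -193,9 +196,14 @@ static int xfrm_replay_check_bmp(struct xfrm_state *x,
 {
  unsigned int bitnr, nr;
  struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ u32 pos;
  u32 seq = ntohl(net_seq);
  u32 diff = replay_esn->seq - seq;
- u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+
+ if (!replay_esn->replay_window)
+ return 0;
+
+ pos = (replay_esn->seq - 1) % replay_esn->replay_window;
 
  if (unlikely(seq == 0))
  goto err;
@@ -373,12 +381,17 @@ static int xfrm_replay_check_esn(struct xfrm_state *x,
  unsigned int bitnr, nr;
  u32 diff;
  struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ u32 pos;
  u32 seq = ntohl(net_seq);
- u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
  u32 wsize = replay_esn->replay_window;
  u32 top = replay_esn->seq;
  u32 bottom = top - wsize + 1;
 
+ if (!wsize)
+ return 0;
+
+ pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+
  if (unlikely(seq == 0 && replay_esn->seq_hi == 0 &&
  (replay_esn->seq < replay_esn->replay_window - 1)))
  goto err;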
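Review bot: Each new zero-window guard returns 0 ahead of the `seq == 0` test, so with `replay_window == 0` every sequence number, including 0, is accepted and anti-replay is silently off for that state. If that is the intent, say so at each guard, e.g. `/* replay_window == 0: replay protection is disabled for this SA */`. The guards also keep `% replay_esn->replay_window` from dividing by zero in the two bitmap checks; the matching advance paths are outside these hunks and presumably compute the same modulo, so they should be checked for the same guard-before-`pos` ordering. In xfrm_replay_check_esn, the deferred `pos` assignment could use the already-loaded `wsize`. All three functions continue outside their hunks.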
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f83a3d1da81b..dd78536d40de 100644
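--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1181,6 +1181,12 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
  goto error;
  }
 
+ if (orig->replay_esn) {
+ err = xfrm_replay_clone(x, orig);
+ if (err)
+ goto error;
+ }
+
  memcpy(&x->mark, &orig->mark, sizeof(x->mark));
 
  err = xfrm_init_state(x);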
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index fc152d28753c..5d1d60d3ca83 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -127,6 +127,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
127 if (!rt) 127 if (!rt)
128 return 0; 128 return 0;
129 129
130 if (p->id.proto != IPPROTO_ESP)
131 return -EINVAL;
132
130 if (p->replay_window != 0) 133 if (p->replay_window != 0)
131 return -EINVAL; 134 return -EINVAL;
132 135
@@ -360,6 +363,23 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
360 return 0; 363 return 0;
361} 364}
362 365
366static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
367 struct nlattr *rp)
368{
369 struct xfrm_replay_state_esn *up;
370
371 if (!replay_esn || !rp)
372 return 0;
373
374 up = nla_data(rp);
375
376 if (xfrm_replay_state_esn_len(replay_esn) !=
377 xfrm_replay_state_esn_len(up))
378 return -EINVAL;
379
380 return 0;
381}
382
363static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 383static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
364 struct xfrm_replay_state_esn **preplay_esn, 384 struct xfrm_replay_state_esn **preplay_esn,
365 struct nlattr *rta) 385 struct nlattr *rta)
@@ -874,7 +894,7 @@ static int build_spdinfo(struct sk_buff *skb, struct net *net,
874 u32 *f; 894 u32 *f;
875 895
876 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 896 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0);
877 if (nlh == NULL) /* shouldnt really happen ... */ 897 if (nlh == NULL) /* shouldn't really happen ... */
878 return -EMSGSIZE; 898 return -EMSGSIZE;
879 899
880 f = nlmsg_data(nlh); 900 f = nlmsg_data(nlh);
@@ -934,7 +954,7 @@ static int build_sadinfo(struct sk_buff *skb, struct net *net,
934 u32 *f; 954 u32 *f;
935 955
936 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 956 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0);
937 if (nlh == NULL) /* shouldnt really happen ... */ 957 if (nlh == NULL) /* shouldn't really happen ... */
938 return -EMSGSIZE; 958 return -EMSGSIZE;
939 959
940 f = nlmsg_data(nlh); 960 f = nlmsg_data(nlh);
@@ -1341,7 +1361,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1341 if (!xp) 1361 if (!xp)
1342 return err; 1362 return err;
1343 1363
1344 /* shouldnt excl be based on nlh flags?? 1364 /* shouldn't excl be based on nlh flags??
1345 * Aha! this is anti-netlink really i.e more pfkey derived 1365 * Aha! this is anti-netlink really i.e more pfkey derived
1346 * in netlink excl is a flag and you wouldnt need 1366 * in netlink excl is a flag and you wouldnt need
1347 * a type XFRM_MSG_UPDPOLICY - JHS */ 1367 * a type XFRM_MSG_UPDPOLICY - JHS */
@@ -1766,6 +1786,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
1766 if (x->km.state != XFRM_STATE_VALID) 1786 if (x->km.state != XFRM_STATE_VALID)
1767 goto out; 1787 goto out;
1768 1788
1789 err = xfrm_replay_verify_len(x->replay_esn, rp);
1790 if (err)
1791 goto out;
1792
1769 spin_lock_bh(&x->lock); 1793 spin_lock_bh(&x->lock);
1770 xfrm_update_ae_params(x, attrs); 1794 xfrm_update_ae_params(x, attrs);
1771 spin_unlock_bh(&x->lock); 1795 spin_unlock_bh(&x->lock);