diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/atm/mpc.c | 2 | ||||
-rw-r--r-- | net/bluetooth/l2cap.c | 62 | ||||
-rw-r--r-- | net/bluetooth/rfcomm/sock.c | 4 | ||||
-rw-r--r-- | net/caif/caif_socket.c | 21 | ||||
-rw-r--r-- | net/core/ethtool.c | 8 | ||||
-rw-r--r-- | net/core/stream.c | 8 | ||||
-rw-r--r-- | net/ipv4/Kconfig | 2 | ||||
-rw-r--r-- | net/ipv4/igmp.c | 14 | ||||
-rw-r--r-- | net/ipv6/route.c | 28 | ||||
-rw-r--r-- | net/mac80211/agg-tx.c | 2 | ||||
-rw-r--r-- | net/mac80211/status.c | 4 | ||||
-rw-r--r-- | net/sched/cls_u32.c | 2 | ||||
-rw-r--r-- | net/sctp/auth.c | 8 | ||||
-rw-r--r-- | net/sctp/socket.c | 13 |
14 files changed, 118 insertions, 60 deletions
diff --git a/net/atm/mpc.c b/net/atm/mpc.c index 622b471e14e0..74bcc662c3dd 100644 --- a/net/atm/mpc.c +++ b/net/atm/mpc.c | |||
@@ -778,7 +778,7 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb) | |||
778 | eg->packets_rcvd++; | 778 | eg->packets_rcvd++; |
779 | mpc->eg_ops->put(eg); | 779 | mpc->eg_ops->put(eg); |
780 | 780 | ||
781 | memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); | 781 | memset(ATM_SKB(new_skb), 0, sizeof(struct atm_skb_data)); |
782 | netif_rx(new_skb); | 782 | netif_rx(new_skb); |
783 | } | 783 | } |
784 | 784 | ||
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index fadf26b4ed7c..0b54b7dd8401 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
@@ -1441,33 +1441,23 @@ static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb) | |||
1441 | 1441 | ||
1442 | static void l2cap_streaming_send(struct sock *sk) | 1442 | static void l2cap_streaming_send(struct sock *sk) |
1443 | { | 1443 | { |
1444 | struct sk_buff *skb, *tx_skb; | 1444 | struct sk_buff *skb; |
1445 | struct l2cap_pinfo *pi = l2cap_pi(sk); | 1445 | struct l2cap_pinfo *pi = l2cap_pi(sk); |
1446 | u16 control, fcs; | 1446 | u16 control, fcs; |
1447 | 1447 | ||
1448 | while ((skb = sk->sk_send_head)) { | 1448 | while ((skb = skb_dequeue(TX_QUEUE(sk)))) { |
1449 | tx_skb = skb_clone(skb, GFP_ATOMIC); | 1449 | control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE); |
1450 | |||
1451 | control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE); | ||
1452 | control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; | 1450 | control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT; |
1453 | put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE); | 1451 | put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE); |
1454 | 1452 | ||
1455 | if (pi->fcs == L2CAP_FCS_CRC16) { | 1453 | if (pi->fcs == L2CAP_FCS_CRC16) { |
1456 | fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2); | 1454 | fcs = crc16(0, (u8 *)skb->data, skb->len - 2); |
1457 | put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2); | 1455 | put_unaligned_le16(fcs, skb->data + skb->len - 2); |
1458 | } | 1456 | } |
1459 | 1457 | ||
1460 | l2cap_do_send(sk, tx_skb); | 1458 | l2cap_do_send(sk, skb); |
1461 | 1459 | ||
1462 | pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; | 1460 | pi->next_tx_seq = (pi->next_tx_seq + 1) % 64; |
1463 | |||
1464 | if (skb_queue_is_last(TX_QUEUE(sk), skb)) | ||
1465 | sk->sk_send_head = NULL; | ||
1466 | else | ||
1467 | sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb); | ||
1468 | |||
1469 | skb = skb_dequeue(TX_QUEUE(sk)); | ||
1470 | kfree_skb(skb); | ||
1471 | } | 1461 | } |
1472 | } | 1462 | } |
1473 | 1463 | ||
@@ -1960,6 +1950,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us | |||
1960 | 1950 | ||
1961 | switch (optname) { | 1951 | switch (optname) { |
1962 | case L2CAP_OPTIONS: | 1952 | case L2CAP_OPTIONS: |
1953 | if (sk->sk_state == BT_CONNECTED) { | ||
1954 | err = -EINVAL; | ||
1955 | break; | ||
1956 | } | ||
1957 | |||
1963 | opts.imtu = l2cap_pi(sk)->imtu; | 1958 | opts.imtu = l2cap_pi(sk)->imtu; |
1964 | opts.omtu = l2cap_pi(sk)->omtu; | 1959 | opts.omtu = l2cap_pi(sk)->omtu; |
1965 | opts.flush_to = l2cap_pi(sk)->flush_to; | 1960 | opts.flush_to = l2cap_pi(sk)->flush_to; |
@@ -2771,10 +2766,10 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, | |||
2771 | case L2CAP_CONF_MTU: | 2766 | case L2CAP_CONF_MTU: |
2772 | if (val < L2CAP_DEFAULT_MIN_MTU) { | 2767 | if (val < L2CAP_DEFAULT_MIN_MTU) { |
2773 | *result = L2CAP_CONF_UNACCEPT; | 2768 | *result = L2CAP_CONF_UNACCEPT; |
2774 | pi->omtu = L2CAP_DEFAULT_MIN_MTU; | 2769 | pi->imtu = L2CAP_DEFAULT_MIN_MTU; |
2775 | } else | 2770 | } else |
2776 | pi->omtu = val; | 2771 | pi->imtu = val; |
2777 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu); | 2772 | l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu); |
2778 | break; | 2773 | break; |
2779 | 2774 | ||
2780 | case L2CAP_CONF_FLUSH_TO: | 2775 | case L2CAP_CONF_FLUSH_TO: |
@@ -3071,6 +3066,17 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd | |||
3071 | return 0; | 3066 | return 0; |
3072 | } | 3067 | } |
3073 | 3068 | ||
3069 | static inline void set_default_fcs(struct l2cap_pinfo *pi) | ||
3070 | { | ||
3071 | /* FCS is enabled only in ERTM or streaming mode, if one or both | ||
3072 | * sides request it. | ||
3073 | */ | ||
3074 | if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING) | ||
3075 | pi->fcs = L2CAP_FCS_NONE; | ||
3076 | else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV)) | ||
3077 | pi->fcs = L2CAP_FCS_CRC16; | ||
3078 | } | ||
3079 | |||
3074 | static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) | 3080 | static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) |
3075 | { | 3081 | { |
3076 | struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; | 3082 | struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; |
@@ -3088,14 +3094,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr | |||
3088 | if (!sk) | 3094 | if (!sk) |
3089 | return -ENOENT; | 3095 | return -ENOENT; |
3090 | 3096 | ||
3091 | if (sk->sk_state != BT_CONFIG) { | 3097 | if (sk->sk_state == BT_DISCONN) |
3092 | struct l2cap_cmd_rej rej; | ||
3093 | |||
3094 | rej.reason = cpu_to_le16(0x0002); | ||
3095 | l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, | ||
3096 | sizeof(rej), &rej); | ||
3097 | goto unlock; | 3098 | goto unlock; |
3098 | } | ||
3099 | 3099 | ||
3100 | /* Reject if config buffer is too small. */ | 3100 | /* Reject if config buffer is too small. */ |
3101 | len = cmd_len - sizeof(*req); | 3101 | len = cmd_len - sizeof(*req); |
@@ -3135,9 +3135,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr | |||
3135 | goto unlock; | 3135 | goto unlock; |
3136 | 3136 | ||
3137 | if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) { | 3137 | if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) { |
3138 | if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || | 3138 | set_default_fcs(l2cap_pi(sk)); |
3139 | l2cap_pi(sk)->fcs != L2CAP_FCS_NONE) | ||
3140 | l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16; | ||
3141 | 3139 | ||
3142 | sk->sk_state = BT_CONNECTED; | 3140 | sk->sk_state = BT_CONNECTED; |
3143 | 3141 | ||
@@ -3225,9 +3223,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr | |||
3225 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE; | 3223 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE; |
3226 | 3224 | ||
3227 | if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) { | 3225 | if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) { |
3228 | if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) || | 3226 | set_default_fcs(l2cap_pi(sk)); |
3229 | l2cap_pi(sk)->fcs != L2CAP_FCS_NONE) | ||
3230 | l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16; | ||
3231 | 3227 | ||
3232 | sk->sk_state = BT_CONNECTED; | 3228 | sk->sk_state = BT_CONNECTED; |
3233 | l2cap_pi(sk)->next_tx_seq = 0; | 3229 | l2cap_pi(sk)->next_tx_seq = 0; |
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 44a623275951..194b3a04cfd3 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c | |||
@@ -82,11 +82,14 @@ static void rfcomm_sk_data_ready(struct rfcomm_dlc *d, struct sk_buff *skb) | |||
82 | static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) | 82 | static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) |
83 | { | 83 | { |
84 | struct sock *sk = d->owner, *parent; | 84 | struct sock *sk = d->owner, *parent; |
85 | unsigned long flags; | ||
86 | |||
85 | if (!sk) | 87 | if (!sk) |
86 | return; | 88 | return; |
87 | 89 | ||
88 | BT_DBG("dlc %p state %ld err %d", d, d->state, err); | 90 | BT_DBG("dlc %p state %ld err %d", d, d->state, err); |
89 | 91 | ||
92 | local_irq_save(flags); | ||
90 | bh_lock_sock(sk); | 93 | bh_lock_sock(sk); |
91 | 94 | ||
92 | if (err) | 95 | if (err) |
@@ -108,6 +111,7 @@ static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err) | |||
108 | } | 111 | } |
109 | 112 | ||
110 | bh_unlock_sock(sk); | 113 | bh_unlock_sock(sk); |
114 | local_irq_restore(flags); | ||
111 | 115 | ||
112 | if (parent && sock_flag(sk, SOCK_ZAPPED)) { | 116 | if (parent && sock_flag(sk, SOCK_ZAPPED)) { |
113 | /* We have to drop DLC lock here, otherwise | 117 | /* We have to drop DLC lock here, otherwise |
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 8ce904786116..4bf28f25f368 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c | |||
@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, | |||
827 | long timeo; | 827 | long timeo; |
828 | int err; | 828 | int err; |
829 | int ifindex, headroom, tailroom; | 829 | int ifindex, headroom, tailroom; |
830 | unsigned int mtu; | ||
830 | struct net_device *dev; | 831 | struct net_device *dev; |
831 | 832 | ||
832 | lock_sock(sk); | 833 | lock_sock(sk); |
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, | |||
896 | cf_sk->sk.sk_state = CAIF_DISCONNECTED; | 897 | cf_sk->sk.sk_state = CAIF_DISCONNECTED; |
897 | goto out; | 898 | goto out; |
898 | } | 899 | } |
899 | dev = dev_get_by_index(sock_net(sk), ifindex); | 900 | |
901 | err = -ENODEV; | ||
902 | rcu_read_lock(); | ||
903 | dev = dev_get_by_index_rcu(sock_net(sk), ifindex); | ||
904 | if (!dev) { | ||
905 | rcu_read_unlock(); | ||
906 | goto out; | ||
907 | } | ||
900 | cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); | 908 | cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); |
909 | mtu = dev->mtu; | ||
910 | rcu_read_unlock(); | ||
911 | |||
901 | cf_sk->tailroom = tailroom; | 912 | cf_sk->tailroom = tailroom; |
902 | cf_sk->maxframe = dev->mtu - (headroom + tailroom); | 913 | cf_sk->maxframe = mtu - (headroom + tailroom); |
903 | dev_put(dev); | ||
904 | if (cf_sk->maxframe < 1) { | 914 | if (cf_sk->maxframe < 1) { |
905 | pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", | 915 | pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n", |
906 | __func__, dev->mtu); | 916 | __func__, mtu); |
907 | err = -ENODEV; | ||
908 | goto out; | 917 | goto out; |
909 | } | 918 | } |
910 | 919 | ||
diff --git a/net/core/ethtool.c b/net/core/ethtool.c index 7a85367b3c2f..8451ab481095 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c | |||
@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, | |||
348 | if (info.cmd == ETHTOOL_GRXCLSRLALL) { | 348 | if (info.cmd == ETHTOOL_GRXCLSRLALL) { |
349 | if (info.rule_cnt > 0) { | 349 | if (info.rule_cnt > 0) { |
350 | if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) | 350 | if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) |
351 | rule_buf = kmalloc(info.rule_cnt * sizeof(u32), | 351 | rule_buf = kzalloc(info.rule_cnt * sizeof(u32), |
352 | GFP_USER); | 352 | GFP_USER); |
353 | if (!rule_buf) | 353 | if (!rule_buf) |
354 | return -ENOMEM; | 354 | return -ENOMEM; |
@@ -397,7 +397,7 @@ static noinline_for_stack int ethtool_get_rxfh_indir(struct net_device *dev, | |||
397 | (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) | 397 | (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) |
398 | return -ENOMEM; | 398 | return -ENOMEM; |
399 | full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; | 399 | full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; |
400 | indir = kmalloc(full_size, GFP_USER); | 400 | indir = kzalloc(full_size, GFP_USER); |
401 | if (!indir) | 401 | if (!indir) |
402 | return -ENOMEM; | 402 | return -ENOMEM; |
403 | 403 | ||
@@ -538,7 +538,7 @@ static int ethtool_get_rx_ntuple(struct net_device *dev, void __user *useraddr) | |||
538 | 538 | ||
539 | gstrings.len = ret; | 539 | gstrings.len = ret; |
540 | 540 | ||
541 | data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); | 541 | data = kzalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); |
542 | if (!data) | 542 | if (!data) |
543 | return -ENOMEM; | 543 | return -ENOMEM; |
544 | 544 | ||
@@ -775,7 +775,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) | |||
775 | if (regs.len > reglen) | 775 | if (regs.len > reglen) |
776 | regs.len = reglen; | 776 | regs.len = reglen; |
777 | 777 | ||
778 | regbuf = kmalloc(reglen, GFP_USER); | 778 | regbuf = kzalloc(reglen, GFP_USER); |
779 | if (!regbuf) | 779 | if (!regbuf) |
780 | return -ENOMEM; | 780 | return -ENOMEM; |
781 | 781 | ||
diff --git a/net/core/stream.c b/net/core/stream.c index d959e0f41528..f5df85dcd20b 100644 --- a/net/core/stream.c +++ b/net/core/stream.c | |||
@@ -141,10 +141,10 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p) | |||
141 | 141 | ||
142 | set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); | 142 | set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); |
143 | sk->sk_write_pending++; | 143 | sk->sk_write_pending++; |
144 | sk_wait_event(sk, ¤t_timeo, !sk->sk_err && | 144 | sk_wait_event(sk, ¤t_timeo, sk->sk_err || |
145 | !(sk->sk_shutdown & SEND_SHUTDOWN) && | 145 | (sk->sk_shutdown & SEND_SHUTDOWN) || |
146 | sk_stream_memory_free(sk) && | 146 | (sk_stream_memory_free(sk) && |
147 | vm_wait); | 147 | !vm_wait)); |
148 | sk->sk_write_pending--; | 148 | sk->sk_write_pending--; |
149 | 149 | ||
150 | if (vm_wait) { | 150 | if (vm_wait) { |
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 72380a30d1c8..7cd7760144f7 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig | |||
@@ -413,7 +413,7 @@ config INET_XFRM_MODE_BEET | |||
413 | If unsure, say Y. | 413 | If unsure, say Y. |
414 | 414 | ||
415 | config INET_LRO | 415 | config INET_LRO |
416 | bool "Large Receive Offload (ipv4/tcp)" | 416 | tristate "Large Receive Offload (ipv4/tcp)" |
417 | default y | 417 | default y |
418 | ---help--- | 418 | ---help--- |
419 | Support for Large Receive Offload (ipv4/tcp). | 419 | Support for Large Receive Offload (ipv4/tcp). |
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 1fdcacd36ce7..2a4bb76f2132 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c | |||
@@ -834,7 +834,7 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, | |||
834 | int mark = 0; | 834 | int mark = 0; |
835 | 835 | ||
836 | 836 | ||
837 | if (len == 8 || IGMP_V2_SEEN(in_dev)) { | 837 | if (len == 8) { |
838 | if (ih->code == 0) { | 838 | if (ih->code == 0) { |
839 | /* Alas, old v1 router presents here. */ | 839 | /* Alas, old v1 router presents here. */ |
840 | 840 | ||
@@ -856,6 +856,18 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb, | |||
856 | igmpv3_clear_delrec(in_dev); | 856 | igmpv3_clear_delrec(in_dev); |
857 | } else if (len < 12) { | 857 | } else if (len < 12) { |
858 | return; /* ignore bogus packet; freed by caller */ | 858 | return; /* ignore bogus packet; freed by caller */ |
859 | } else if (IGMP_V1_SEEN(in_dev)) { | ||
860 | /* This is a v3 query with v1 queriers present */ | ||
861 | max_delay = IGMP_Query_Response_Interval; | ||
862 | group = 0; | ||
863 | } else if (IGMP_V2_SEEN(in_dev)) { | ||
864 | /* this is a v3 query with v2 queriers present; | ||
865 | * Interpretation of the max_delay code is problematic here. | ||
866 | * A real v2 host would use ih_code directly, while v3 has a | ||
867 | * different encoding. We use the v3 encoding as more likely | ||
868 | * to be intended in a v3 query. | ||
869 | */ | ||
870 | max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE); | ||
859 | } else { /* v3 */ | 871 | } else { /* v3 */ |
860 | if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) | 872 | if (!pskb_may_pull(skb, sizeof(struct igmpv3_query))) |
861 | return; | 873 | return; |
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 8323136bdc54..a275c6e1e25c 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c | |||
@@ -1556,14 +1556,13 @@ out: | |||
1556 | * i.e. Path MTU discovery | 1556 | * i.e. Path MTU discovery |
1557 | */ | 1557 | */ |
1558 | 1558 | ||
1559 | void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr, | 1559 | static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr, |
1560 | struct net_device *dev, u32 pmtu) | 1560 | struct net *net, u32 pmtu, int ifindex) |
1561 | { | 1561 | { |
1562 | struct rt6_info *rt, *nrt; | 1562 | struct rt6_info *rt, *nrt; |
1563 | struct net *net = dev_net(dev); | ||
1564 | int allfrag = 0; | 1563 | int allfrag = 0; |
1565 | 1564 | ||
1566 | rt = rt6_lookup(net, daddr, saddr, dev->ifindex, 0); | 1565 | rt = rt6_lookup(net, daddr, saddr, ifindex, 0); |
1567 | if (rt == NULL) | 1566 | if (rt == NULL) |
1568 | return; | 1567 | return; |
1569 | 1568 | ||
@@ -1631,6 +1630,27 @@ out: | |||
1631 | dst_release(&rt->dst); | 1630 | dst_release(&rt->dst); |
1632 | } | 1631 | } |
1633 | 1632 | ||
1633 | void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr, | ||
1634 | struct net_device *dev, u32 pmtu) | ||
1635 | { | ||
1636 | struct net *net = dev_net(dev); | ||
1637 | |||
1638 | /* | ||
1639 | * RFC 1981 states that a node "MUST reduce the size of the packets it | ||
1640 | * is sending along the path" that caused the Packet Too Big message. | ||
1641 | * Since it's not possible in the general case to determine which | ||
1642 | * interface was used to send the original packet, we update the MTU | ||
1643 | * on the interface that will be used to send future packets. We also | ||
1644 | * update the MTU on the interface that received the Packet Too Big in | ||
1645 | * case the original packet was forced out that interface with | ||
1646 | * SO_BINDTODEVICE or similar. This is the next best thing to the | ||
1647 | * correct behaviour, which would be to update the MTU on all | ||
1648 | * interfaces. | ||
1649 | */ | ||
1650 | rt6_do_pmtu_disc(daddr, saddr, net, pmtu, 0); | ||
1651 | rt6_do_pmtu_disc(daddr, saddr, net, pmtu, dev->ifindex); | ||
1652 | } | ||
1653 | |||
1634 | /* | 1654 | /* |
1635 | * Misc support functions | 1655 | * Misc support functions |
1636 | */ | 1656 | */ |
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index c893f236acea..8f23401832b7 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c | |||
@@ -175,6 +175,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, | |||
175 | 175 | ||
176 | set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); | 176 | set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); |
177 | 177 | ||
178 | del_timer_sync(&tid_tx->addba_resp_timer); | ||
179 | |||
178 | /* | 180 | /* |
179 | * After this packets are no longer handed right through | 181 | * After this packets are no longer handed right through |
180 | * to the driver but are put onto tid_tx->pending instead, | 182 | * to the driver but are put onto tid_tx->pending instead, |
diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 10caec5ea8fa..34da67995d94 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c | |||
@@ -377,7 +377,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) | |||
377 | skb2 = skb_clone(skb, GFP_ATOMIC); | 377 | skb2 = skb_clone(skb, GFP_ATOMIC); |
378 | if (skb2) { | 378 | if (skb2) { |
379 | skb2->dev = prev_dev; | 379 | skb2->dev = prev_dev; |
380 | netif_receive_skb(skb2); | 380 | netif_rx(skb2); |
381 | } | 381 | } |
382 | } | 382 | } |
383 | 383 | ||
@@ -386,7 +386,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) | |||
386 | } | 386 | } |
387 | if (prev_dev) { | 387 | if (prev_dev) { |
388 | skb->dev = prev_dev; | 388 | skb->dev = prev_dev; |
389 | netif_receive_skb(skb); | 389 | netif_rx(skb); |
390 | skb = NULL; | 390 | skb = NULL; |
391 | } | 391 | } |
392 | rcu_read_unlock(); | 392 | rcu_read_unlock(); |
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 7416a5c73b2a..b0c2a82178af 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c | |||
@@ -137,7 +137,7 @@ next_knode: | |||
137 | int toff = off + key->off + (off2 & key->offmask); | 137 | int toff = off + key->off + (off2 & key->offmask); |
138 | __be32 *data, _data; | 138 | __be32 *data, _data; |
139 | 139 | ||
140 | if (skb_headroom(skb) + toff < 0) | 140 | if (skb_headroom(skb) + toff > INT_MAX) |
141 | goto out; | 141 | goto out; |
142 | 142 | ||
143 | data = skb_header_pointer(skb, toff, 4, &_data); | 143 | data = skb_header_pointer(skb, toff, 4, &_data); |
diff --git a/net/sctp/auth.c b/net/sctp/auth.c index 86366390038a..ddbbf7c81fa1 100644 --- a/net/sctp/auth.c +++ b/net/sctp/auth.c | |||
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc) | |||
543 | id = ntohs(hmacs->hmac_ids[i]); | 543 | id = ntohs(hmacs->hmac_ids[i]); |
544 | 544 | ||
545 | /* Check the id is in the supported range */ | 545 | /* Check the id is in the supported range */ |
546 | if (id > SCTP_AUTH_HMAC_ID_MAX) | 546 | if (id > SCTP_AUTH_HMAC_ID_MAX) { |
547 | id = 0; | ||
547 | continue; | 548 | continue; |
549 | } | ||
548 | 550 | ||
549 | /* See is we support the id. Supported IDs have name and | 551 | /* See is we support the id. Supported IDs have name and |
550 | * length fields set, so that we can allocated and use | 552 | * length fields set, so that we can allocated and use |
551 | * them. We can safely just check for name, for without the | 553 | * them. We can safely just check for name, for without the |
552 | * name, we can't allocate the TFM. | 554 | * name, we can't allocate the TFM. |
553 | */ | 555 | */ |
554 | if (!sctp_hmac_list[id].hmac_name) | 556 | if (!sctp_hmac_list[id].hmac_name) { |
557 | id = 0; | ||
555 | continue; | 558 | continue; |
559 | } | ||
556 | 560 | ||
557 | break; | 561 | break; |
558 | } | 562 | } |
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index ca44917872d2..fbb70770ad05 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
@@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk, | |||
916 | /* Walk through the addrs buffer and count the number of addresses. */ | 916 | /* Walk through the addrs buffer and count the number of addresses. */ |
917 | addr_buf = kaddrs; | 917 | addr_buf = kaddrs; |
918 | while (walk_size < addrs_size) { | 918 | while (walk_size < addrs_size) { |
919 | if (walk_size + sizeof(sa_family_t) > addrs_size) { | ||
920 | kfree(kaddrs); | ||
921 | return -EINVAL; | ||
922 | } | ||
923 | |||
919 | sa_addr = (struct sockaddr *)addr_buf; | 924 | sa_addr = (struct sockaddr *)addr_buf; |
920 | af = sctp_get_af_specific(sa_addr->sa_family); | 925 | af = sctp_get_af_specific(sa_addr->sa_family); |
921 | 926 | ||
@@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk, | |||
1002 | /* Walk through the addrs buffer and count the number of addresses. */ | 1007 | /* Walk through the addrs buffer and count the number of addresses. */ |
1003 | addr_buf = kaddrs; | 1008 | addr_buf = kaddrs; |
1004 | while (walk_size < addrs_size) { | 1009 | while (walk_size < addrs_size) { |
1010 | if (walk_size + sizeof(sa_family_t) > addrs_size) { | ||
1011 | err = -EINVAL; | ||
1012 | goto out_free; | ||
1013 | } | ||
1014 | |||
1005 | sa_addr = (union sctp_addr *)addr_buf; | 1015 | sa_addr = (union sctp_addr *)addr_buf; |
1006 | af = sctp_get_af_specific(sa_addr->sa.sa_family); | 1016 | af = sctp_get_af_specific(sa_addr->sa.sa_family); |
1007 | port = ntohs(sa_addr->v4.sin_port); | ||
1008 | 1017 | ||
1009 | /* If the address family is not supported or if this address | 1018 | /* If the address family is not supported or if this address |
1010 | * causes the address buffer to overflow return EINVAL. | 1019 | * causes the address buffer to overflow return EINVAL. |
@@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk, | |||
1014 | goto out_free; | 1023 | goto out_free; |
1015 | } | 1024 | } |
1016 | 1025 | ||
1026 | port = ntohs(sa_addr->v4.sin_port); | ||
1027 | |||
1017 | /* Save current address so we can work with it */ | 1028 | /* Save current address so we can work with it */ |
1018 | memcpy(&to, sa_addr, af->sockaddr_len); | 1029 | memcpy(&to, sa_addr, af->sockaddr_len); |
1019 | 1030 | ||