tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
ipsec: Fix deadlock in xfrm_state management.
ipv: Re-enable IP when MTU > 68
net/xfrm: Use an IS_ERR test rather than a NULL test
ath9: Fix ath_rx_flush_tid() for IRQs disabled kernel warning message.
ath9k: Incorrect key used when group and pairwise ciphers are different.
rt2x00: Compiler warning unmasked by fix of BUILD_BUG_ON
mac80211: Fix debugfs union misuse and pointer corruption
wireless/libertas/if_cs.c: fix memory leaks
orinoco: Multicast to the specified addresses
iwlwifi: fix 64bit platform firmware loading
iwlwifi: fix apm_stop (wrong bit polarity for FLAG_INIT_DONE)
iwlwifi: workaround interrupt handling no some platforms
iwlwifi: do not use GFP_DMA in iwl_tx_queue_init
net/wireless/Kconfig: clarify the description for CONFIG_WIRELESS_EXT_SYSFS
net: Unbreak userspace usage of linux/mroute.h
pkt_sched: Fix locking of qdisc_root with qdisc_root_sleeping_lock()
ipv6: When we droped a packet, we should return NET_RX_DROP instead of 0

Linus Torvalds d26acd92 fbb16e24

+102 -90
+4 -4
drivers/net/wireless/ath9k/hw.c
··· 7285 7285 } 7286 7286 break; 7287 7287 case ATH9K_CIPHER_WEP: 7288 - if (k->kv_len < 40 / NBBY) { 7288 + if (k->kv_len < LEN_WEP40) { 7289 7289 DPRINTF(ah->ah_sc, ATH_DBG_KEYCACHE, 7290 7290 "%s: WEP key length %u too small\n", 7291 7291 __func__, k->kv_len); 7292 7292 return false; 7293 7293 } 7294 - if (k->kv_len <= 40 / NBBY) 7294 + if (k->kv_len <= LEN_WEP40) 7295 7295 keyType = AR_KEYTABLE_TYPE_40; 7296 - else if (k->kv_len <= 104 / NBBY) 7296 + else if (k->kv_len <= LEN_WEP104) 7297 7297 keyType = AR_KEYTABLE_TYPE_104; 7298 7298 else 7299 7299 keyType = AR_KEYTABLE_TYPE_128; ··· 7313 7313 key2 = get_unaligned_le32(k->kv_val + 6) ^ xorMask; 7314 7314 key3 = (get_unaligned_le16(k->kv_val + 10) ^ xorMask) & 0xffff; 7315 7315 key4 = get_unaligned_le32(k->kv_val + 12) ^ xorMask; 7316 - if (k->kv_len <= 104 / NBBY) 7316 + if (k->kv_len <= LEN_WEP104) 7317 7317 key4 &= 0xff; 7318 7318 7319 7319 if (keyType == AR_KEYTABLE_TYPE_TKIP && ATH9K_IS_MIC_ENABLED(ah)) {
+4 -2
drivers/net/wireless/ath9k/main.c
··· 206 206 if (!ret) 207 207 return -EIO; 208 208 209 - sc->sc_keytype = hk.kv_type; 209 + if (mac) 210 + sc->sc_keytype = hk.kv_type; 210 211 return 0; 211 212 } 212 213 ··· 757 756 key->hw_key_idx = key->keyidx; 758 757 /* push IV and Michael MIC generation to stack */ 759 758 key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV; 760 - key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC; 759 + if (key->alg == ALG_TKIP) 760 + key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC; 761 761 } 762 762 break; 763 763 case DISABLE_KEY:
+3 -2
drivers/net/wireless/ath9k/recv.c
··· 360 360 struct ath_arx_tid *rxtid, int drop) 361 361 { 362 362 struct ath_rxbuf *rxbuf; 363 + unsigned long flag; 363 364 364 - spin_lock_bh(&rxtid->tidlock); 365 + spin_lock_irqsave(&rxtid->tidlock, flag); 365 366 while (rxtid->baw_head != rxtid->baw_tail) { 366 367 rxbuf = rxtid->rxbuf + rxtid->baw_head; 367 368 if (!rxbuf->rx_wbuf) { ··· 383 382 INCR(rxtid->baw_head, ATH_TID_MAX_BUFS); 384 383 INCR(rxtid->seq_next, IEEE80211_SEQ_MAX); 385 384 } 386 - spin_unlock_bh(&rxtid->tidlock); 385 + spin_unlock_irqrestore(&rxtid->tidlock, flag); 387 386 } 388 387 389 388 static struct sk_buff *ath_rxbuf_alloc(struct ath_softc *sc,
+2 -2
drivers/net/wireless/iwlwifi/iwl-4965.c
··· 474 474 iwl_set_bit(priv, CSR_RESET, CSR_RESET_REG_FLAG_SW_RESET); 475 475 476 476 udelay(10); 477 - 478 - iwl_set_bit(priv, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_INIT_DONE); 477 + /* clear "init complete" move adapter D0A* --> D0U state */ 478 + iwl_clear_bit(priv, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_INIT_DONE); 479 479 spin_unlock_irqrestore(&priv->lock, flags); 480 480 } 481 481
+6 -8
drivers/net/wireless/iwlwifi/iwl-5000.c
··· 145 145 146 146 udelay(10); 147 147 148 - iwl_set_bit(priv, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_INIT_DONE); 148 + /* clear "init complete" move adapter D0A* --> D0U state */ 149 + iwl_clear_bit(priv, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_INIT_DONE); 149 150 150 151 spin_unlock_irqrestore(&priv->lock, flags); 151 152 } ··· 578 577 FH_TFDIB_CTRL0_REG(FH_SRVC_CHNL), 579 578 phy_addr & FH_MEM_TFDIB_DRAM_ADDR_LSB_MSK); 580 579 581 - /* FIME: write the MSB of the phy_addr in CTRL1 582 - * iwl_write_direct32(priv, 583 - IWL_FH_TFDIB_CTRL1_REG(IWL_FH_SRVC_CHNL), 584 - ((phy_addr & MSB_MSK) 585 - << FH_MEM_TFDIB_REG1_ADDR_BITSHIFT) | byte_count); 586 - */ 587 580 iwl_write_direct32(priv, 588 - FH_TFDIB_CTRL1_REG(FH_SRVC_CHNL), byte_cnt); 581 + FH_TFDIB_CTRL1_REG(FH_SRVC_CHNL), 582 + (iwl_get_dma_hi_address(phy_addr) 583 + << FH_MEM_TFDIB_REG1_ADDR_BITSHIFT) | byte_cnt); 584 + 589 585 iwl_write_direct32(priv, 590 586 FH_TCSR_CHNL_TX_BUF_STS_REG(FH_SRVC_CHNL), 591 587 1 << FH_TCSR_CHNL_TX_BUF_STS_REG_POS_TB_NUM |
+8
drivers/net/wireless/iwlwifi/iwl-agn.c
··· 2602 2602 { 2603 2603 struct iwl_priv *priv = hw->priv; 2604 2604 int ret; 2605 + u16 pci_cmd; 2605 2606 2606 2607 IWL_DEBUG_MAC80211("enter\n"); 2607 2608 ··· 2612 2611 } 2613 2612 pci_restore_state(priv->pci_dev); 2614 2613 pci_enable_msi(priv->pci_dev); 2614 + 2615 + /* enable interrupts if needed: hw bug w/a */ 2616 + pci_read_config_word(priv->pci_dev, PCI_COMMAND, &pci_cmd); 2617 + if (pci_cmd & PCI_COMMAND_INTX_DISABLE) { 2618 + pci_cmd &= ~PCI_COMMAND_INTX_DISABLE; 2619 + pci_write_config_word(priv->pci_dev, PCI_COMMAND, pci_cmd); 2620 + } 2615 2621 2616 2622 ret = request_irq(priv->pci_dev->irq, iwl4965_isr, IRQF_SHARED, 2617 2623 DRV_NAME, priv);
+1
drivers/net/wireless/iwlwifi/iwl-fh.h
··· 287 287 288 288 #define FH_RSSR_CHNL0_RX_STATUS_CHNL_IDLE (0x01000000) 289 289 290 + #define FH_MEM_TFDIB_REG1_ADDR_BITSHIFT 28 290 291 291 292 /** 292 293 * Transmit DMA Channel Control/Status Registers (TCSR)
+1 -1
drivers/net/wireless/iwlwifi/iwl-tx.c
··· 426 426 continue; 427 427 } 428 428 429 - txq->cmd[i] = kmalloc(len, GFP_KERNEL | GFP_DMA); 429 + txq->cmd[i] = kmalloc(len, GFP_KERNEL); 430 430 if (!txq->cmd[i]) 431 431 return -ENOMEM; 432 432 }
+3 -10
drivers/net/wireless/libertas/if_cs.c
··· 595 595 if (ret < 0) { 596 596 lbs_pr_err("can't download helper at 0x%x, ret %d\n", 597 597 sent, ret); 598 - goto done; 598 + goto err_release; 599 599 } 600 600 601 601 if (count == 0) ··· 604 604 sent += count; 605 605 } 606 606 607 + err_release: 607 608 release_firmware(fw); 608 - ret = 0; 609 - 610 609 done: 611 610 lbs_deb_leave_args(LBS_DEB_CS, "ret %d", ret); 612 611 return ret; ··· 675 676 } 676 677 677 678 ret = if_cs_poll_while_fw_download(card, IF_CS_SCRATCH, 0x5a); 678 - if (ret < 0) { 679 + if (ret < 0) 679 680 lbs_pr_err("firmware download failed\n"); 680 - goto err_release; 681 - } 682 - 683 - ret = 0; 684 - goto done; 685 - 686 681 687 682 err_release: 688 683 release_firmware(fw);
+7 -3
drivers/net/wireless/orinoco.c
··· 1970 1970 priv->promiscuous = promisc; 1971 1971 } 1972 1972 1973 + /* If we're not in promiscuous mode, then we need to set the 1974 + * group address if either we want to multicast, or if we were 1975 + * multicasting and want to stop */ 1973 1976 if (! promisc && (mc_count || priv->mc_count) ) { 1974 1977 struct dev_mc_list *p = dev->mc_list; 1975 1978 struct hermes_multicast mclist; ··· 1992 1989 printk(KERN_WARNING "%s: Multicast list is " 1993 1990 "longer than mc_count\n", dev->name); 1994 1991 1995 - err = hermes_write_ltv(hw, USER_BAP, HERMES_RID_CNFGROUPADDRESSES, 1996 - HERMES_BYTES_TO_RECLEN(priv->mc_count * ETH_ALEN), 1997 - &mclist); 1992 + err = hermes_write_ltv(hw, USER_BAP, 1993 + HERMES_RID_CNFGROUPADDRESSES, 1994 + HERMES_BYTES_TO_RECLEN(mc_count * ETH_ALEN), 1995 + &mclist); 1998 1996 if (err) 1999 1997 printk(KERN_ERR "%s: Error %d setting multicast list.\n", 2000 1998 dev->name, err);
+2 -3
drivers/net/wireless/rt2x00/rt2x00reg.h
··· 136 136 */ 137 137 #define is_power_of_two(x) ( !((x) & ((x)-1)) ) 138 138 #define low_bit_mask(x) ( ((x)-1) & ~(x) ) 139 - #define is_valid_mask(x) is_power_of_two(1 + (x) + low_bit_mask(x)) 139 + #define is_valid_mask(x) is_power_of_two(1LU + (x) + low_bit_mask(x)) 140 140 141 141 /* 142 142 * Macro's to find first set bit in a variable. ··· 173 173 * does not exceed the given typelimit. 174 174 */ 175 175 #define FIELD_CHECK(__mask, __type) \ 176 - BUILD_BUG_ON(!__builtin_constant_p(__mask) || \ 177 - !(__mask) || \ 176 + BUILD_BUG_ON(!(__mask) || \ 178 177 !is_valid_mask(__mask) || \ 179 178 (__mask) != (__type)(__mask)) \ 180 179
-1
include/linux/Kbuild
··· 297 297 unifdef-y += patchkey.h 298 298 unifdef-y += pci.h 299 299 unifdef-y += personality.h 300 - unifdef-y += pim.h 301 300 unifdef-y += pktcdvd.h 302 301 unifdef-y += pmu.h 303 302 unifdef-y += poll.h
+1 -1
include/linux/mroute.h
··· 6 6 #ifdef __KERNEL__ 7 7 #include <linux/in.h> 8 8 #endif 9 - #include <linux/pim.h> 10 9 11 10 /* 12 11 * Based on the MROUTING 3.5 defines primarily to keep ··· 129 130 */ 130 131 131 132 #ifdef __KERNEL__ 133 + #include <linux/pim.h> 132 134 #include <net/sock.h> 133 135 134 136 #ifdef CONFIG_IP_MROUTE
+1
include/linux/mroute6.h
··· 115 115 116 116 #ifdef __KERNEL__ 117 117 118 + #include <linux/pim.h> 118 119 #include <linux/skbuff.h> /* for struct sk_buff_head */ 119 120 120 121 #ifdef CONFIG_IPV6_MROUTE
-18
include/linux/pim.h
··· 3 3 4 4 #include <asm/byteorder.h> 5 5 6 - #ifndef __KERNEL__ 7 - struct pim { 8 - #if defined(__LITTLE_ENDIAN_BITFIELD) 9 - __u8 pim_type:4, /* PIM message type */ 10 - pim_ver:4; /* PIM version */ 11 - #elif defined(__BIG_ENDIAN_BITFIELD) 12 - __u8 pim_ver:4; /* PIM version */ 13 - pim_type:4; /* PIM message type */ 14 - #endif 15 - __u8 pim_rsv; /* Reserved */ 16 - __be16 pim_cksum; /* Checksum */ 17 - }; 18 - 19 - #define PIM_MINLEN 8 20 - #endif 21 - 22 6 /* Message types - V1 */ 23 7 #define PIM_V1_VERSION __constant_htonl(0x10000000) 24 8 #define PIM_V1_REGISTER 1 ··· 11 27 #define PIM_VERSION 2 12 28 #define PIM_REGISTER 1 13 29 14 - #if defined(__KERNEL__) 15 30 #define PIM_NULL_REGISTER __constant_htonl(0x40000000) 16 31 17 32 /* PIMv2 register message header layout (ietf-draft-idmr-pimvsm-v2-00.ps */ ··· 24 41 25 42 struct sk_buff; 26 43 extern int pim_rcv_v1(struct sk_buff *); 27 - #endif 28 44 #endif
+12 -3
net/ipv4/devinet.c
··· 1029 1029 } 1030 1030 } 1031 1031 1032 + static inline bool inetdev_valid_mtu(unsigned mtu) 1033 + { 1034 + return mtu >= 68; 1035 + } 1036 + 1032 1037 /* Called only under RTNL semaphore */ 1033 1038 1034 1039 static int inetdev_event(struct notifier_block *this, unsigned long event, ··· 1053 1048 IN_DEV_CONF_SET(in_dev, NOXFRM, 1); 1054 1049 IN_DEV_CONF_SET(in_dev, NOPOLICY, 1); 1055 1050 } 1051 + } else if (event == NETDEV_CHANGEMTU) { 1052 + /* Re-enabling IP */ 1053 + if (inetdev_valid_mtu(dev->mtu)) 1054 + in_dev = inetdev_init(dev); 1056 1055 } 1057 1056 goto out; 1058 1057 } ··· 1067 1058 dev->ip_ptr = NULL; 1068 1059 break; 1069 1060 case NETDEV_UP: 1070 - if (dev->mtu < 68) 1061 + if (!inetdev_valid_mtu(dev->mtu)) 1071 1062 break; 1072 1063 if (dev->flags & IFF_LOOPBACK) { 1073 1064 struct in_ifaddr *ifa; ··· 1089 1080 ip_mc_down(in_dev); 1090 1081 break; 1091 1082 case NETDEV_CHANGEMTU: 1092 - if (dev->mtu >= 68) 1083 + if (inetdev_valid_mtu(dev->mtu)) 1093 1084 break; 1094 - /* MTU falled under 68, disable IP */ 1085 + /* disable IP when MTU is not enough */ 1095 1086 case NETDEV_UNREGISTER: 1096 1087 inetdev_destroy(in_dev); 1097 1088 break;
+3 -3
net/ipv6/raw.c
··· 377 377 skb_checksum_complete(skb)) { 378 378 atomic_inc(&sk->sk_drops); 379 379 kfree_skb(skb); 380 - return 0; 380 + return NET_RX_DROP; 381 381 } 382 382 383 383 /* Charge it to the socket. */ 384 384 if (sock_queue_rcv_skb(sk,skb)<0) { 385 385 atomic_inc(&sk->sk_drops); 386 386 kfree_skb(skb); 387 - return 0; 387 + return NET_RX_DROP; 388 388 } 389 389 390 390 return 0; ··· 429 429 if (skb_checksum_complete(skb)) { 430 430 atomic_inc(&sk->sk_drops); 431 431 kfree_skb(skb); 432 - return 0; 432 + return NET_RX_DROP; 433 433 } 434 434 } 435 435
+3 -3
net/mac80211/debugfs_key.c
··· 265 265 key = sdata->default_key; 266 266 if (key) { 267 267 sprintf(buf, "../keys/%d", key->debugfs.cnt); 268 - sdata->debugfs.default_key = 268 + sdata->common_debugfs.default_key = 269 269 debugfs_create_symlink("default_key", 270 270 sdata->debugfsdir, buf); 271 271 } else ··· 277 277 if (!sdata) 278 278 return; 279 279 280 - debugfs_remove(sdata->debugfs.default_key); 281 - sdata->debugfs.default_key = NULL; 280 + debugfs_remove(sdata->common_debugfs.default_key); 281 + sdata->common_debugfs.default_key = NULL; 282 282 } 283 283 284 284 void ieee80211_debugfs_key_sta_del(struct ieee80211_key *key,
+3 -1
net/mac80211/ieee80211_i.h
··· 496 496 struct { 497 497 struct dentry *mode; 498 498 } monitor; 499 - struct dentry *default_key; 500 499 } debugfs; 500 + struct { 501 + struct dentry *default_key; 502 + } common_debugfs; 501 503 502 504 #ifdef CONFIG_MAC80211_MESH 503 505 struct dentry *mesh_stats_dir;
+1 -1
net/sched/cls_api.c
··· 205 205 } 206 206 } 207 207 208 - root_lock = qdisc_root_lock(q); 208 + root_lock = qdisc_root_sleeping_lock(q); 209 209 210 210 if (tp == NULL) { 211 211 /* Proto-tcf does not exist, create new one */
+1 -1
net/sched/cls_route.c
··· 75 75 static inline 76 76 void route4_reset_fastmap(struct Qdisc *q, struct route4_head *head, u32 id) 77 77 { 78 - spinlock_t *root_lock = qdisc_root_lock(q); 78 + spinlock_t *root_lock = qdisc_root_sleeping_lock(q); 79 79 80 80 spin_lock_bh(root_lock); 81 81 memset(head->fastmap, 0, sizeof(head->fastmap));
+4 -4
net/sched/sch_api.c
··· 1169 1169 if (q->stab && qdisc_dump_stab(skb, q->stab) < 0) 1170 1170 goto nla_put_failure; 1171 1171 1172 - if (gnet_stats_start_copy_compat(skb, TCA_STATS2, TCA_STATS, 1173 - TCA_XSTATS, qdisc_root_lock(q), &d) < 0) 1172 + if (gnet_stats_start_copy_compat(skb, TCA_STATS2, TCA_STATS, TCA_XSTATS, 1173 + qdisc_root_sleeping_lock(q), &d) < 0) 1174 1174 goto nla_put_failure; 1175 1175 1176 1176 if (q->ops->dump_stats && q->ops->dump_stats(q, &d) < 0) ··· 1461 1461 if (cl_ops->dump && cl_ops->dump(q, cl, skb, tcm) < 0) 1462 1462 goto nla_put_failure; 1463 1463 1464 - if (gnet_stats_start_copy_compat(skb, TCA_STATS2, TCA_STATS, 1465 - TCA_XSTATS, qdisc_root_lock(q), &d) < 0) 1464 + if (gnet_stats_start_copy_compat(skb, TCA_STATS2, TCA_STATS, TCA_XSTATS, 1465 + qdisc_root_sleeping_lock(q), &d) < 0) 1466 1466 goto nla_put_failure; 1467 1467 1468 1468 if (cl_ops->dump_stats && cl_ops->dump_stats(q, cl, &d) < 0)
+1 -1
net/sched/sch_cbq.c
··· 1754 1754 1755 1755 if (--cl->refcnt == 0) { 1756 1756 #ifdef CONFIG_NET_CLS_ACT 1757 - spinlock_t *root_lock = qdisc_root_lock(sch); 1757 + spinlock_t *root_lock = qdisc_root_sleeping_lock(sch); 1758 1758 struct cbq_sched_data *q = qdisc_priv(sch); 1759 1759 1760 1760 spin_lock_bh(root_lock);
+2 -2
net/sched/sch_htb.c
··· 1043 1043 1044 1044 static int htb_dump(struct Qdisc *sch, struct sk_buff *skb) 1045 1045 { 1046 - spinlock_t *root_lock = qdisc_root_lock(sch); 1046 + spinlock_t *root_lock = qdisc_root_sleeping_lock(sch); 1047 1047 struct htb_sched *q = qdisc_priv(sch); 1048 1048 struct nlattr *nest; 1049 1049 struct tc_htb_glob gopt; ··· 1075 1075 struct sk_buff *skb, struct tcmsg *tcm) 1076 1076 { 1077 1077 struct htb_class *cl = (struct htb_class *)arg; 1078 - spinlock_t *root_lock = qdisc_root_lock(sch); 1078 + spinlock_t *root_lock = qdisc_root_sleeping_lock(sch); 1079 1079 struct nlattr *nest; 1080 1080 struct tc_htb_opt opt; 1081 1081
+1 -1
net/sched/sch_netem.c
··· 341 341 for (i = 0; i < n; i++) 342 342 d->table[i] = data[i]; 343 343 344 - root_lock = qdisc_root_lock(sch); 344 + root_lock = qdisc_root_sleeping_lock(sch); 345 345 346 346 spin_lock_bh(root_lock); 347 347 d = xchg(&q->delay_dist, d);
+1 -1
net/sched/sch_teql.c
··· 161 161 txq = netdev_get_tx_queue(master->dev, 0); 162 162 master->slaves = NULL; 163 163 164 - root_lock = qdisc_root_lock(txq->qdisc); 164 + root_lock = qdisc_root_sleeping_lock(txq->qdisc); 165 165 spin_lock_bh(root_lock); 166 166 qdisc_reset(txq->qdisc); 167 167 spin_unlock_bh(root_lock);
+2 -1
net/wireless/Kconfig
··· 39 39 files in /sys/class/net/*/wireless/. The same information 40 40 is available via the ioctls as well. 41 41 42 - Say Y if you have programs using it (we don't know of any). 42 + Say Y if you have programs using it, like old versions of 43 + hal.
+2 -4
net/xfrm/xfrm_policy.c
··· 1731 1731 * We can't enlist stable bundles either. 1732 1732 */ 1733 1733 write_unlock_bh(&policy->lock); 1734 - if (dst) 1735 - dst_free(dst); 1734 + dst_free(dst); 1736 1735 1737 1736 if (pol_dead) 1738 1737 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLDEAD); ··· 1747 1748 err = xfrm_dst_update_origin(dst, fl); 1748 1749 if (unlikely(err)) { 1749 1750 write_unlock_bh(&policy->lock); 1750 - if (dst) 1751 - dst_free(dst); 1751 + dst_free(dst); 1752 1752 XFRM_INC_STATS(LINUX_MIB_XFRMOUTBUNDLECHECKERROR); 1753 1753 goto error; 1754 1754 }
+23 -9
net/xfrm/xfrm_state.c
··· 780 780 { 781 781 unsigned int h; 782 782 struct hlist_node *entry; 783 - struct xfrm_state *x, *x0; 783 + struct xfrm_state *x, *x0, *to_put; 784 784 int acquire_in_progress = 0; 785 785 int error = 0; 786 786 struct xfrm_state *best = NULL; 787 + 788 + to_put = NULL; 787 789 788 790 spin_lock_bh(&xfrm_state_lock); 789 791 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family); ··· 835 833 if (tmpl->id.spi && 836 834 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi, 837 835 tmpl->id.proto, family)) != NULL) { 838 - xfrm_state_put(x0); 836 + to_put = x0; 839 837 error = -EEXIST; 840 838 goto out; 841 839 } ··· 851 849 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 852 850 if (error) { 853 851 x->km.state = XFRM_STATE_DEAD; 854 - xfrm_state_put(x); 852 + to_put = x; 855 853 x = NULL; 856 854 goto out; 857 855 } ··· 872 870 xfrm_hash_grow_check(x->bydst.next != NULL); 873 871 } else { 874 872 x->km.state = XFRM_STATE_DEAD; 875 - xfrm_state_put(x); 873 + to_put = x; 876 874 x = NULL; 877 875 error = -ESRCH; 878 876 } ··· 883 881 else 884 882 *err = acquire_in_progress ? -EAGAIN : error; 885 883 spin_unlock_bh(&xfrm_state_lock); 884 + if (to_put) 885 + xfrm_state_put(to_put); 886 886 return x; 887 887 } 888 888 ··· 1071 1067 1072 1068 int xfrm_state_add(struct xfrm_state *x) 1073 1069 { 1074 - struct xfrm_state *x1; 1070 + struct xfrm_state *x1, *to_put; 1075 1071 int family; 1076 1072 int err; 1077 1073 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1078 1074 1079 1075 family = x->props.family; 1080 1076 1077 + to_put = NULL; 1078 + 1081 1079 spin_lock_bh(&xfrm_state_lock); 1082 1080 1083 1081 x1 = __xfrm_state_locate(x, use_spi, family); 1084 1082 if (x1) { 1085 - xfrm_state_put(x1); 1083 + to_put = x1; 1086 1084 x1 = NULL; 1087 1085 err = -EEXIST; 1088 1086 goto out; ··· 1094 1088 x1 = __xfrm_find_acq_byseq(x->km.seq); 1095 1089 if (x1 && ((x1->id.proto != x->id.proto) || 1096 1090 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { 1097 - xfrm_state_put(x1); 1091 + to_put = x1; 1098 1092 x1 = NULL; 1099 1093 } 1100 1094 } ··· 1115 1109 xfrm_state_delete(x1); 1116 1110 xfrm_state_put(x1); 1117 1111 } 1112 + 1113 + if (to_put) 1114 + xfrm_state_put(to_put); 1118 1115 1119 1116 return err; 1120 1117 } ··· 1278 1269 1279 1270 int xfrm_state_update(struct xfrm_state *x) 1280 1271 { 1281 - struct xfrm_state *x1; 1272 + struct xfrm_state *x1, *to_put; 1282 1273 int err; 1283 1274 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1275 + 1276 + to_put = NULL; 1284 1277 1285 1278 spin_lock_bh(&xfrm_state_lock); 1286 1279 x1 = __xfrm_state_locate(x, use_spi, x->props.family); ··· 1292 1281 goto out; 1293 1282 1294 1283 if (xfrm_state_kern(x1)) { 1295 - xfrm_state_put(x1); 1284 + to_put = x1; 1296 1285 err = -EEXIST; 1297 1286 goto out; 1298 1287 } ··· 1305 1294 1306 1295 out: 1307 1296 spin_unlock_bh(&xfrm_state_lock); 1297 + 1298 + if (to_put) 1299 + xfrm_state_put(to_put); 1308 1300 1309 1301 if (err) 1310 1302 return err;