Merge master.kernel.org:/home/davem/BK/net-2.5

into penguin.transmeta.com:/home/penguin/torvalds/repositories/kernel/linux

Documentation/crypto/api-intro.txt

@@ -73,6 +73,13 @@ add the following line to /etc/modules.conf:
 
   alias des3_ede des
 
+The Null algorithms reside in the crypto_null module, so these lines
+should also be added:
+
+  alias cipher_null crypto_null
+  alias digest_null crypto_null
+  alias compress_null crypto_null
+
 
 DEVELOPER NOTES
 

crypto/Kconfig

@@ -16,6 +16,12 @@ config CRYPTO_HMAC
 	  HMAC: Keyed-Hashing for Message Authentication (RFC2104).
 	  This is required for IPSec.
 
+config CRYPTO_NULL
+	tristate "Null algorithms"
+	depends on CRYPTO
+	help
+	  These are 'Null' algorithms, used by IPsec, which do nothing.
+
 config CRYPTO_MD4
 	tristate "MD4 digest algorithm"
 	depends on CRYPTO

crypto/Makefile

@@ -9,6 +9,7 @@ autoload-crypto-$(CONFIG_KMOD) = autoload.o
 obj-$(CONFIG_CRYPTO) += api.o cipher.o digest.o compress.o $(autoload-crypto-y)
 
 obj-$(CONFIG_CRYPTO_HMAC) += hmac.o
+obj-$(CONFIG_CRYPTO_NULL) += crypto_null.o
 obj-$(CONFIG_CRYPTO_MD4) += md4.o
 obj-$(CONFIG_CRYPTO_MD5) += md5.o
 obj-$(CONFIG_CRYPTO_SHA1) += sha1.o

crypto/api.c

@@ -63,7 +63,7 @@ static int crypto_init_flags(struct crypto_tfm *tfm, u32 flags)
 	case CRYPTO_ALG_TYPE_DIGEST:
 		return crypto_init_digest_flags(tfm, flags);
 		
-	case CRYPTO_ALG_TYPE_COMP:
+	case CRYPTO_ALG_TYPE_COMPRESS:
 		return crypto_init_compress_flags(tfm, flags);
 	
 	default:
@@ -83,7 +83,7 @@ static int crypto_init_ops(struct crypto_tfm *tfm)
 	case CRYPTO_ALG_TYPE_DIGEST:
 		return crypto_init_digest_ops(tfm);
 		
-	case CRYPTO_ALG_TYPE_COMP:
+	case CRYPTO_ALG_TYPE_COMPRESS:
 		return crypto_init_compress_ops(tfm);
 	
 	default:
@@ -105,7 +105,7 @@ static void crypto_exit_ops(struct crypto_tfm *tfm)
 		crypto_exit_digest_ops(tfm);
 		break;
 		
-	case CRYPTO_ALG_TYPE_COMP:
+	case CRYPTO_ALG_TYPE_COMPRESS:
 		crypto_exit_compress_ops(tfm);
 		break;
 	
@@ -129,8 +129,6 @@ struct crypto_tfm *crypto_alloc_tfm(const char *name, u32 flags)
 		goto out_put;
 
 	memset(tfm, 0, sizeof(*tfm));
-
-	memset(tfm, 0, sizeof(*tfm));
 	
 	if (alg->cra_ctxsize) {
 		tfm->crt_ctx = kmalloc(alg->cra_ctxsize, GFP_KERNEL);

crypto/compress.c

@@ -18,15 +18,15 @@
 #include <linux/string.h>
 #include "internal.h"
 
-/*
- * This code currently implements blazingly fast and
- * lossless Quadruple ROT13 compression.
- */
 static void crypto_compress(struct crypto_tfm *tfm)
-{ }
+{
+	tfm->__crt_alg->cra_compress.coa_compress();
+}
 
 static void crypto_decompress(struct crypto_tfm *tfm)
-{ }
+{
+	tfm->__crt_alg->cra_compress.coa_decompress();
+}
 
 int crypto_init_compress_flags(struct crypto_tfm *tfm, u32 flags)
 {

crypto/crypto_null.c

+/* 
+ * Cryptographic API.
+ *
+ * Null algorithms, aka Much Ado About Nothing.
+ *
+ * These are needed for IPsec, and may be useful in general for
+ * testing & debugging.
+ * 
+ * The null cipher is compliant with RFC2410.
+ *
+ * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/mm.h>
+#include <asm/scatterlist.h>
+#include <linux/crypto.h>
+
+#define NULL_KEY_SIZE		0
+#define NULL_BLOCK_SIZE		1
+#define NULL_DIGEST_SIZE	0
+
+static void null_compress(void)
+{ }
+
+static void null_decompress(void)
+{ }
+
+static void null_init(void *ctx)
+{ }
+
+static void null_update(void *ctx, const u8 *data, unsigned int len)
+{ }
+
+static void null_final(void *ctx, u8 *out)
+{ }
+
+static int null_setkey(void *ctx, const u8 *key,
+                       unsigned int keylen, u32 *flags)
+{ return 0; }
+
+static void null_encrypt(void *ctx, u8 *dst, const u8 *src)
+{ }
+
+static void null_decrypt(void *ctx, u8 *dst, const u8 *src)
+{ }
+
+static struct crypto_alg compress_null = {
+	.cra_name		=	"compress_null",
+	.cra_flags		=	CRYPTO_ALG_TYPE_COMPRESS,
+	.cra_blocksize		=	NULL_BLOCK_SIZE,
+	.cra_ctxsize		=	0,
+	.cra_module		=	THIS_MODULE,
+	.cra_list		=       LIST_HEAD_INIT(compress_null.cra_list),
+	.cra_u			=	{ .compress = {
+	.coa_compress 		=	null_compress,
+	.coa_decompress		=	null_decompress } }
+};
+
+static struct crypto_alg digest_null = {
+	.cra_name		=	"digest_null",
+	.cra_flags		=	CRYPTO_ALG_TYPE_DIGEST,
+	.cra_blocksize		=	NULL_BLOCK_SIZE,
+	.cra_ctxsize		=	0,
+	.cra_module		=	THIS_MODULE,
+	.cra_list		=       LIST_HEAD_INIT(digest_null.cra_list),	
+	.cra_u			=	{ .digest = {
+	.dia_digestsize		=	NULL_DIGEST_SIZE,
+	.dia_init   		=	null_init,
+	.dia_update 		=	null_update,
+	.dia_final  		=	null_final } }
+};
+
+static struct crypto_alg cipher_null = {
+	.cra_name		=	"cipher_null",
+	.cra_flags		=	CRYPTO_ALG_TYPE_CIPHER,
+	.cra_blocksize		=	NULL_BLOCK_SIZE,
+	.cra_ctxsize		=	0,
+	.cra_module		=	THIS_MODULE,
+	.cra_list		=	LIST_HEAD_INIT(cipher_null.cra_list),
+	.cra_u			=	{ .cipher = {
+	.cia_min_keysize	=	NULL_KEY_SIZE,
+	.cia_max_keysize	=	NULL_KEY_SIZE,
+	.cia_ivsize		=	0,
+	.cia_setkey		= 	null_setkey,
+	.cia_encrypt		=	null_encrypt,
+	.cia_decrypt		=	null_decrypt } }
+};
+
+static int __init init(void)
+{
+	int ret = 0;
+	
+	ret = crypto_register_alg(&cipher_null);
+	if (ret < 0)
+		goto out;
+
+	ret = crypto_register_alg(&digest_null);
+	if (ret < 0) {
+		crypto_unregister_alg(&cipher_null);
+		goto out;
+	}
+
+	ret = crypto_register_alg(&compress_null);
+	if (ret < 0) {
+		crypto_unregister_alg(&digest_null);
+		crypto_unregister_alg(&cipher_null);
+		goto out;
+	}
+
+out:	
+	return ret;
+}
+
+static void __exit fini(void)
+{
+	crypto_unregister_alg(&compress_null);
+	crypto_unregister_alg(&digest_null);
+	crypto_unregister_alg(&cipher_null);
+}
+
+module_init(init);
+module_exit(fini);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Null Cryptographic Algorithms");

drivers/net/tg3.c

@@ -2371,6 +2371,7 @@ static int tg3_start_xmit_4gbug(struct sk_buff *skb, struct net_device *dev)
 	unsigned int i;
 	u32 len, entry, base_flags, mss;
 	int would_hit_hwbug;
+	unsigned long flags;
 
 	len = (skb->len - skb->data_len);
 
@@ -2393,12 +2394,12 @@ static int tg3_start_xmit_4gbug(struct sk_buff *skb, struct net_device *dev)
 	 * So we really do need to disable interrupts when taking
 	 * tx_lock here.
 	 */
-	spin_lock_irq(&tp->tx_lock);
+	spin_lock_irqsave(&tp->tx_lock, flags);
 
 	/* This is a hard error, log it. */
 	if (unlikely(TX_BUFFS_AVAIL(tp) <= (skb_shinfo(skb)->nr_frags + 1))) {
 		netif_stop_queue(dev);
-		spin_unlock_irq(&tp->tx_lock);
+		spin_unlock_irqrestore(&tp->tx_lock, flags);
 		printk(KERN_ERR PFX "%s: BUG! Tx Ring full when queue awake!\n",
 		       dev->name);
 		return 1;
@@ -2550,7 +2551,7 @@ static int tg3_start_xmit_4gbug(struct sk_buff *skb, struct net_device *dev)
 		netif_stop_queue(dev);
 
 out_unlock:
-	spin_unlock_irq(&tp->tx_lock);
+	spin_unlock_irqrestore(&tp->tx_lock, flags);
 
 	dev->trans_start = jiffies;
 
@@ -2562,6 +2563,7 @@ static int tg3_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct tg3 *tp = dev->priv;
 	dma_addr_t mapping;
 	u32 len, entry, base_flags, mss;
+	unsigned long flags;
 
 	len = (skb->len - skb->data_len);
 
@@ -2584,12 +2586,12 @@ static int tg3_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	 * So we really do need to disable interrupts when taking
 	 * tx_lock here.
 	 */
-	spin_lock_irq(&tp->tx_lock);
+	spin_lock_irqsave(&tp->tx_lock, flags);
 
 	/* This is a hard error, log it. */
 	if (unlikely(TX_BUFFS_AVAIL(tp) <= (skb_shinfo(skb)->nr_frags + 1))) {
 		netif_stop_queue(dev);
-		spin_unlock_irq(&tp->tx_lock);
+		spin_unlock_irqrestore(&tp->tx_lock, flags);
 		printk(KERN_ERR PFX "%s: BUG! Tx Ring full when queue awake!\n",
 		       dev->name);
 		return 1;
@@ -2695,7 +2697,7 @@ static int tg3_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	if (TX_BUFFS_AVAIL(tp) <= (MAX_SKB_FRAGS + 1))
 		netif_stop_queue(dev);
 
-	spin_unlock_irq(&tp->tx_lock);
+	spin_unlock_irqrestore(&tp->tx_lock, flags);
 
 	dev->trans_start = jiffies;
 

include/linux/crypto.h

@@ -29,7 +29,7 @@
 #define CRYPTO_ALG_TYPE_MASK		0x000000ff
 #define CRYPTO_ALG_TYPE_CIPHER		0x00000001
 #define CRYPTO_ALG_TYPE_DIGEST		0x00000002
-#define CRYPTO_ALG_TYPE_COMP		0x00000004
+#define CRYPTO_ALG_TYPE_COMPRESS	0x00000004
 
 
 /*
@@ -209,16 +209,19 @@ static inline u32 crypto_tfm_alg_type(struct crypto_tfm *tfm)
 
 static inline unsigned int crypto_tfm_alg_min_keysize(struct crypto_tfm *tfm)
 {
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER);
 	return tfm->__crt_alg->cra_cipher.cia_min_keysize;
 }
 
 static inline unsigned int crypto_tfm_alg_max_keysize(struct crypto_tfm *tfm)
 {
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER);
 	return tfm->__crt_alg->cra_cipher.cia_max_keysize;
 }
 
 static inline unsigned int crypto_tfm_alg_ivsize(struct crypto_tfm *tfm)
 {
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER);
 	return tfm->__crt_alg->cra_cipher.cia_ivsize;
 }
 
@@ -229,6 +232,7 @@ static inline unsigned int crypto_tfm_alg_blocksize(struct crypto_tfm *tfm)
 
 static inline unsigned int crypto_tfm_alg_digestsize(struct crypto_tfm *tfm)
 {
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_DIGEST);
 	return tfm->__crt_alg->cra_digest.dia_digestsize;
 }
 
@@ -302,13 +306,13 @@ static inline void crypto_cipher_get_iv(struct crypto_tfm *tfm,
 
 static inline void crypto_comp_compress(struct crypto_tfm *tfm)
 {
-	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_COMP);
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_COMPRESS);
 	tfm->crt_compress.cot_compress(tfm);
 }
 
 static inline void crypto_comp_decompress(struct crypto_tfm *tfm) 
 {
-	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_COMP);
+	BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_COMPRESS);
 	tfm->crt_compress.cot_decompress(tfm);
 }
 

net/8021q/vlan.c

@@ -45,7 +45,7 @@ spinlock_t vlan_group_lock = SPIN_LOCK_UNLOCKED;
 
 static char vlan_fullname[] = "802.1Q VLAN Support";
 static unsigned int vlan_version = 1;
-static unsigned int vlan_release = 7;
+static unsigned int vlan_release = 8;
 static char vlan_copyright[] = "Ben Greear <greearb@candelatech.com>";
 static char vlan_buggyright[] = "David S. Miller <davem@redhat.com>";
 
@@ -229,12 +229,13 @@ static int unregister_vlan_dev(struct net_device *real_dev,
 			if (real_dev->features &
 			    (NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_FILTER)) {
 				real_dev->vlan_rx_kill_vid(real_dev, vlan_id);
-			} else {
-				br_write_lock(BR_NETPROTO_LOCK);
-				grp->vlan_devices[vlan_id] = NULL;
-				br_write_unlock(BR_NETPROTO_LOCK);
 			}
 
+			br_write_lock(BR_NETPROTO_LOCK);
+			grp->vlan_devices[vlan_id] = NULL;
+			br_write_unlock(BR_NETPROTO_LOCK);
+
+
 			/* Caller unregisters (and if necessary, puts)
 			 * VLAN device, but we get rid of the reference to
 			 * real_dev here.
@@ -256,6 +257,12 @@ static int unregister_vlan_dev(struct net_device *real_dev,
 				__grp_unhash(grp);
 				spin_unlock_bh(&vlan_group_lock);
 
+				/* Free the group, after we have removed it
+				 * from the hash.
+				 */
+				kfree(grp);
+				grp = NULL;
+
 				ret = 1;
 			}
 
@@ -626,6 +633,7 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
 			ret = unregister_vlan_dev(dev,
 						  VLAN_DEV_INFO(vlandev)->vlan_id);
 
+			dev_put(vlandev);
 			unregister_netdevice(vlandev);
 
 			/* Group was destroyed? */

net/8021q/vlan_dev.c

@@ -738,7 +738,7 @@ static void vlan_flush_mc_list(struct net_device *dev)
 
 	while (dmi) {
 		dev_mc_delete(dev, dmi->dmi_addr, dmi->dmi_addrlen, 0);
-		printk(KERN_INFO "%s: del %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address from vlan interface\n",
+		printk(KERN_DEBUG "%s: del %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address from vlan interface\n",
 		       dev->name,
 		       dmi->dmi_addr[0],
 		       dmi->dmi_addr[1],
@@ -820,7 +820,7 @@ void vlan_dev_set_multicast_list(struct net_device *vlan_dev)
 		for (dmi = vlan_dev->mc_list; dmi != NULL; dmi = dmi->next) {
 			if (vlan_should_add_mc(dmi, VLAN_DEV_INFO(vlan_dev)->old_mc_list)) {
 				dev_mc_add(real_dev, dmi->dmi_addr, dmi->dmi_addrlen, 0);
-				printk(KERN_INFO "%s: add %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address to master interface\n",
+				printk(KERN_DEBUG "%s: add %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address to master interface\n",
 				       vlan_dev->name,
 				       dmi->dmi_addr[0],
 				       dmi->dmi_addr[1],
@@ -838,7 +838,7 @@ void vlan_dev_set_multicast_list(struct net_device *vlan_dev)
 				 * delete it from the real list on the underlying device.
 				 */
 				dev_mc_delete(real_dev, dmi->dmi_addr, dmi->dmi_addrlen, 0);
-				printk(KERN_INFO "%s: del %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address from master interface\n",
+				printk(KERN_DEBUG "%s: del %.2x:%.2x:%.2x:%.2x:%.2x:%.2x mcast address from master interface\n",
 				       vlan_dev->name,
 				       dmi->dmi_addr[0],
 				       dmi->dmi_addr[1],

net/bridge/netfilter/ebtables.c

@@ -183,7 +183,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff **pskb,
 	point = (struct ebt_entry *)(private->hook_entry[hook]->data);
 	counter_base = cb_base + private->hook_entry[hook]->counter_offset;
 	// base for chain jumps
-	base = (char *)chaininfo;
+	base = private->entries;
 	i = 0;
 	while (i < nentries) {
 		if (ebt_basic_match(point, (**pskb).mac.ethernet, in, out))

net/ipv4/xfrm_user.c

@@ -23,7 +23,7 @@ static struct sock *xfrm_nl;
 
 static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
 {
-	struct rtattr *rt = xfrma[type];
+	struct rtattr *rt = xfrma[type - 1];
 	struct xfrm_algo *algp;
 
 	if (!rt)
@@ -73,23 +73,23 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 	err = -EINVAL;
 	switch (p->id.proto) {
 	case IPPROTO_AH:
-		if (!xfrma[XFRMA_ALG_AUTH]	||
-		    xfrma[XFRMA_ALG_CRYPT]	||
-		    xfrma[XFRMA_ALG_COMP])
+		if (!xfrma[XFRMA_ALG_AUTH-1]	||
+		    xfrma[XFRMA_ALG_CRYPT-1]	||
+		    xfrma[XFRMA_ALG_COMP-1])
 			goto out;
 		break;
 
 	case IPPROTO_ESP:
-		if ((!xfrma[XFRMA_ALG_AUTH] &&
-		     !xfrma[XFRMA_ALG_CRYPT])	||
-		    xfrma[XFRMA_ALG_COMP])
+		if ((!xfrma[XFRMA_ALG_AUTH-1] &&
+		     !xfrma[XFRMA_ALG_CRYPT-1])	||
+		    xfrma[XFRMA_ALG_COMP-1])
 			goto out;
 		break;
 
 	case IPPROTO_COMP:
-		if (!xfrma[XFRMA_ALG_COMP]	||
-		    xfrma[XFRMA_ALG_AUTH]	||
-		    xfrma[XFRMA_ALG_CRYPT])
+		if (!xfrma[XFRMA_ALG_COMP-1]	||
+		    xfrma[XFRMA_ALG_AUTH-1]	||
+		    xfrma[XFRMA_ALG_CRYPT-1])
 			goto out;
 		break;
 
@@ -162,11 +162,11 @@ static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p,
 
 	copy_from_user_state(x, p);
 
-	if ((err = attach_one_algo(&x->aalg, xfrma[XFRMA_ALG_AUTH])))
+	if ((err = attach_one_algo(&x->aalg, xfrma[XFRMA_ALG_AUTH-1])))
 		goto error;
-	if ((err = attach_one_algo(&x->ealg, xfrma[XFRMA_ALG_CRYPT])))
+	if ((err = attach_one_algo(&x->ealg, xfrma[XFRMA_ALG_CRYPT-1])))
 		goto error;
-	if ((err = attach_one_algo(&x->calg, xfrma[XFRMA_ALG_COMP])))
+	if ((err = attach_one_algo(&x->calg, xfrma[XFRMA_ALG_COMP-1])))
 		goto error;
 
 	err = -ENOENT;
@@ -485,7 +485,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
 
 static int copy_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma)
 {
-	struct rtattr *rt = xfrma[XFRMA_TMPL];
+	struct rtattr *rt = xfrma[XFRMA_TMPL-1];
 	struct xfrm_user_tmpl *utmpl;
 	int nr;
 

net/ipv6/ipv6_syms.c

@@ -24,3 +24,4 @@ EXPORT_SYMBOL(inet6_bind);
 EXPORT_SYMBOL(inet6_getname);
 EXPORT_SYMBOL(inet6_ioctl);
 EXPORT_SYMBOL(ipv6_get_saddr);
+EXPORT_SYMBOL(ipv6_chk_addr);

net/sched/sch_gred.c

@@ -328,18 +328,20 @@ static int gred_change(struct Qdisc *sch, struct rtattr *opt)
 	struct tc_gred_qopt *ctl;
 	struct tc_gred_sopt *sopt;
 	struct rtattr *tb[TCA_GRED_STAB];
-	struct rtattr *tb2[TCA_GRED_STAB];
+	struct rtattr *tb2[TCA_GRED_DPS];
 	int i;
 
 	if (opt == NULL ||
 		rtattr_parse(tb, TCA_GRED_STAB, RTA_DATA(opt), RTA_PAYLOAD(opt)) )
 			return -EINVAL;
 
-	if (tb[TCA_GRED_PARMS-1] == 0 && tb[TCA_GRED_STAB-1] == 0 &&
-	    tb[TCA_GRED_DPS-1] != 0) {
+	if (tb[TCA_GRED_PARMS-1] == 0 && tb[TCA_GRED_STAB-1] == 0) {
 		rtattr_parse(tb2, TCA_GRED_DPS, RTA_DATA(opt),
 		    RTA_PAYLOAD(opt));
 
+	    if (tb2[TCA_GRED_DPS-1] == 0) 
+			return -EINVAL;
+
 		sopt = RTA_DATA(tb2[TCA_GRED_DPS-1]);
 		table->DPs=sopt->DPs;   
 		table->def=sopt->def_DP; 
@@ -471,16 +473,18 @@ static int gred_init(struct Qdisc *sch, struct rtattr *opt)
 	struct gred_sched *table = (struct gred_sched *)sch->data;
 	struct tc_gred_sopt *sopt;
 	struct rtattr *tb[TCA_GRED_STAB];
-	struct rtattr *tb2[TCA_GRED_STAB];
+	struct rtattr *tb2[TCA_GRED_DPS];
 
 	if (opt == NULL ||
 		rtattr_parse(tb, TCA_GRED_STAB, RTA_DATA(opt), RTA_PAYLOAD(opt)) )
 			return -EINVAL;
 
-	if (tb[TCA_GRED_PARMS-1] == 0 && tb[TCA_GRED_STAB-1] == 0 &&
-	    tb[TCA_GRED_DPS-1] != 0) {
+	if (tb[TCA_GRED_PARMS-1] == 0 && tb[TCA_GRED_STAB-1] == 0) {
 		rtattr_parse(tb2, TCA_GRED_DPS, RTA_DATA(opt),RTA_PAYLOAD(opt));
 
+	    if (tb2[TCA_GRED_DPS-1] == 0) 
+			return -EINVAL;
+
 		sopt = RTA_DATA(tb2[TCA_GRED_DPS-1]);
 		table->DPs=sopt->DPs;   
 		table->def=sopt->def_DP; 

net/socket.c

@@ -726,8 +726,8 @@ int (*dlci_ioctl_hook)(unsigned int, void *);
  *	what to do with it - that's up to the protocol still.
  */
 
-int sock_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
-	   unsigned long arg)
+static int sock_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
+		      unsigned long arg)
 {
 	struct socket *sock;
 	int pid, err;