Commit ca33c00f authored by David S. Miller's avatar David S. Miller

Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless

John Linville says:

====================
Amitkumar Karwar gives us two mwifiex fixes: one fixes some skb
manipulations when handling some event messages; and another that
does some similar fixing on an error path.

Avinash Patil gives us a fix for for a memory leak in mwifiex.

Dan Rosenberg offers an NFC NCI fix to enforce some message length
limits to prevent buffer overflows.

Eliad Peller provides a mac80211 fix to prevent some frames from
being built with an invalid BSSID.

Eric Dumazet sends an NFC fix to prevent a BUG caused by a NULL
pointer dereference.

Felix Fietkau has an ath9k fix for a regression causing
LEAP-authenticated connection failures.

Johannes Berg provides an iwlwifi fix that eliminates some log SPAM
after an authentication/association timeout.  He also provides a
mac80211 fix to prevent incorrectly addressing certain action frames
(and in so doing, to comply with the 802.11 specs).

Larry Finger provides a few USB IDs for the rtl8192cu driver --
should be harmless.

Panayiotis Karabassis provides a one-liner to fix kernel bug 42903
(a system freeze).

Randy Dunlap provides a one-line Kconfig change to prevent build
failures with some configurations.

Stone Piao provides an mwifiex sequence numbering fix and a fix
to prevent mwifiex from attempting to include eapol frames in an
aggregation frame.

Finally, Tom Hughes provides an ath9k fix for a NULL pointer
dereference.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 9740e001 de03309b
...@@ -143,6 +143,7 @@ struct ath_common { ...@@ -143,6 +143,7 @@ struct ath_common {
u32 keymax; u32 keymax;
DECLARE_BITMAP(keymap, ATH_KEYMAX); DECLARE_BITMAP(keymap, ATH_KEYMAX);
DECLARE_BITMAP(tkip_keymap, ATH_KEYMAX); DECLARE_BITMAP(tkip_keymap, ATH_KEYMAX);
DECLARE_BITMAP(ccmp_keymap, ATH_KEYMAX);
enum ath_crypt_caps crypt_caps; enum ath_crypt_caps crypt_caps;
unsigned int clockrate; unsigned int clockrate;
......
...@@ -622,7 +622,7 @@ static int __ath9k_hw_init(struct ath_hw *ah) ...@@ -622,7 +622,7 @@ static int __ath9k_hw_init(struct ath_hw *ah)
if (NR_CPUS > 1 && ah->config.serialize_regmode == SER_REG_MODE_AUTO) { if (NR_CPUS > 1 && ah->config.serialize_regmode == SER_REG_MODE_AUTO) {
if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCI || if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCI ||
((AR_SREV_9160(ah) || AR_SREV_9280(ah)) && ((AR_SREV_9160(ah) || AR_SREV_9280(ah) || AR_SREV_9287(ah)) &&
!ah->is_pciexpress)) { !ah->is_pciexpress)) {
ah->config.serialize_regmode = ah->config.serialize_regmode =
SER_REG_MODE_ON; SER_REG_MODE_ON;
......
...@@ -695,9 +695,9 @@ static bool ath_edma_get_buffers(struct ath_softc *sc, ...@@ -695,9 +695,9 @@ static bool ath_edma_get_buffers(struct ath_softc *sc,
__skb_unlink(skb, &rx_edma->rx_fifo); __skb_unlink(skb, &rx_edma->rx_fifo);
list_add_tail(&bf->list, &sc->rx.rxbuf); list_add_tail(&bf->list, &sc->rx.rxbuf);
ath_rx_edma_buf_link(sc, qtype); ath_rx_edma_buf_link(sc, qtype);
} else {
bf = NULL;
} }
bf = NULL;
} }
*dest = bf; *dest = bf;
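Review bot: The unconditional `bf = NULL;` that now follows the inner block deserves a comment, because a reader will ask why the descriptor that was just re-linked via `ath_rx_edma_buf_link` is not handed back; something like `/* buffer was re-queued to the hardware (or is unusable) - never return it to the caller */` would record the intent the commit message only implies. The outer condition enclosing this block and the head and tail of ath_edma_get_buffers are outside the hunk, so I can't confirm that every path reaching `*dest = bf` with a non-NULL bf still owns that buffer; worth a second look if it was not already checked.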
...@@ -822,7 +822,8 @@ static bool ath9k_rx_accept(struct ath_common *common, ...@@ -822,7 +822,8 @@ static bool ath9k_rx_accept(struct ath_common *common,
* descriptor does contain a valid key index. This has been observed * descriptor does contain a valid key index. This has been observed
* mostly with CCMP encryption. * mostly with CCMP encryption.
*/ */
if (rx_stats->rs_keyix == ATH9K_RXKEYIX_INVALID) if (rx_stats->rs_keyix == ATH9K_RXKEYIX_INVALID ||
!test_bit(rx_stats->rs_keyix, common->ccmp_keymap))
rx_stats->rs_status &= ~ATH9K_RXERR_KEYMISS; rx_stats->rs_status &= ~ATH9K_RXERR_KEYMISS;
if (!rx_stats->rs_datalen) { if (!rx_stats->rs_datalen) {
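Review bot: `test_bit(rx_stats->rs_keyix, common->ccmp_keymap)` indexes the keymap with a value taken straight from the receive descriptor, and the only value excluded is ATH9K_RXKEYIX_INVALID; if the hardware can report an index at or above ATH_KEYMAX (the descriptor field width is not visible here), test_bit reads past the bitmap into whatever follows it in struct ath_common. A cheap guard keeps it in range, `rx_stats->rs_keyix >= ATH_KEYMAX ||` inserted ahead of the `!test_bit(...)` term, which treats an out-of-range index like the invalid one. The surrounding comment still says the spurious reports are seen "mostly with CCMP", so a one-line note on why only CCMP key slots keep the KEYMISS status would help the next reader. ath9k_rx_accept starts and ends outside the hunk.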
......
...@@ -556,6 +556,9 @@ int ath_key_config(struct ath_common *common, ...@@ -556,6 +556,9 @@ int ath_key_config(struct ath_common *common,
return -EIO; return -EIO;
set_bit(idx, common->keymap); set_bit(idx, common->keymap);
if (key->cipher == WLAN_CIPHER_SUITE_CCMP)
set_bit(idx, common->ccmp_keymap);
if (key->cipher == WLAN_CIPHER_SUITE_TKIP) { if (key->cipher == WLAN_CIPHER_SUITE_TKIP) {
set_bit(idx + 64, common->keymap); set_bit(idx + 64, common->keymap);
set_bit(idx, common->tkip_keymap); set_bit(idx, common->tkip_keymap);
...@@ -582,6 +585,7 @@ void ath_key_delete(struct ath_common *common, struct ieee80211_key_conf *key) ...@@ -582,6 +585,7 @@ void ath_key_delete(struct ath_common *common, struct ieee80211_key_conf *key)
return; return;
clear_bit(key->hw_key_idx, common->keymap); clear_bit(key->hw_key_idx, common->keymap);
clear_bit(key->hw_key_idx, common->ccmp_keymap);
if (key->cipher != WLAN_CIPHER_SUITE_TKIP) if (key->cipher != WLAN_CIPHER_SUITE_TKIP)
return; return;
......
...@@ -796,6 +796,18 @@ int iwlagn_mac_sta_state(struct ieee80211_hw *hw, ...@@ -796,6 +796,18 @@ int iwlagn_mac_sta_state(struct ieee80211_hw *hw,
switch (op) { switch (op) {
case ADD: case ADD:
ret = iwlagn_mac_sta_add(hw, vif, sta); ret = iwlagn_mac_sta_add(hw, vif, sta);
if (ret)
break;
/*
* Clear the in-progress flag, the AP station entry was added
* but we'll initialize LQ only when we've associated (which
* would also clear the in-progress flag). This is necessary
* in case we never initialize LQ because association fails.
*/
spin_lock_bh(&priv->sta_lock);
priv->stations[iwl_sta_id(sta)].used &=
~IWL_STA_UCODE_INPROGRESS;
spin_unlock_bh(&priv->sta_lock);
break; break;
case REMOVE: case REMOVE:
ret = iwlagn_mac_sta_remove(hw, vif, sta); ret = iwlagn_mac_sta_remove(hw, vif, sta);
......
...@@ -256,7 +256,8 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta, ...@@ -256,7 +256,8 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta,
else else
last_seq = priv->rx_seq[tid]; last_seq = priv->rx_seq[tid];
if (last_seq >= new_node->start_win) if (last_seq != MWIFIEX_DEF_11N_RX_SEQ_NUM &&
last_seq >= new_node->start_win)
new_node->start_win = last_seq + 1; new_node->start_win = last_seq + 1;
new_node->win_size = win_size; new_node->win_size = win_size;
...@@ -596,5 +597,5 @@ void mwifiex_11n_cleanup_reorder_tbl(struct mwifiex_private *priv) ...@@ -596,5 +597,5 @@ void mwifiex_11n_cleanup_reorder_tbl(struct mwifiex_private *priv)
spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr); INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr);
memset(priv->rx_seq, 0, sizeof(priv->rx_seq)); mwifiex_reset_11n_rx_seq_num(priv);
} }
...@@ -37,6 +37,13 @@ ...@@ -37,6 +37,13 @@
#define ADDBA_RSP_STATUS_ACCEPT 0 #define ADDBA_RSP_STATUS_ACCEPT 0
#define MWIFIEX_DEF_11N_RX_SEQ_NUM 0xffff
static inline void mwifiex_reset_11n_rx_seq_num(struct mwifiex_private *priv)
{
memset(priv->rx_seq, 0xff, sizeof(priv->rx_seq));
}
int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *, int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *,
u16 seqNum, u16 seqNum,
u16 tid, u8 *ta, u16 tid, u8 *ta,
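Review bot: The sentinel `MWIFIEX_DEF_11N_RX_SEQ_NUM 0xffff` and the helper that fills rx_seq with 0xff bytes carry no comment on why the value is a safe "nothing received yet" marker; 802.11 sequence numbers are 12 bits wide, so 0xffff can never collide with a real one, and that is worth writing down: `/* "no frame seen yet" marker: 802.11 sequence numbers are 12-bit, so 0xffff never matches a real one */`. The memset-with-0xff trick only yields MWIFIEX_DEF_11N_RX_SEQ_NUM per entry if rx_seq is an array of u16 (not visible here); a loop assigning the constant to each element, or a `BUILD_BUG_ON(sizeof(priv->rx_seq[0]) != sizeof(u16));` in the helper, would pin that assumption instead of leaving it to the element type.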
......
...@@ -213,6 +213,7 @@ mwifiex_update_uap_custom_ie(struct mwifiex_private *priv, ...@@ -213,6 +213,7 @@ mwifiex_update_uap_custom_ie(struct mwifiex_private *priv,
/* save assoc resp ie index after auto-indexing */ /* save assoc resp ie index after auto-indexing */
*assoc_idx = *((u16 *)pos); *assoc_idx = *((u16 *)pos);
kfree(ap_custom_ie);
return ret; return ret;
} }
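Review bot: The new `kfree(ap_custom_ie)` sits only on the final return; if mwifiex_update_uap_custom_ie has an early return between the allocation and this point (the function's body is outside the hunk, so this is unverified), that path still leaks. The usual shape is a single exit label, `done: kfree(ap_custom_ie); return ret;`, with error paths jumping to it, which also keeps future error returns from reintroducing the leak.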
......
...@@ -978,10 +978,10 @@ static int mwifiex_decode_rx_packet(struct mwifiex_adapter *adapter, ...@@ -978,10 +978,10 @@ static int mwifiex_decode_rx_packet(struct mwifiex_adapter *adapter,
dev_dbg(adapter->dev, "info: --- Rx: Event ---\n"); dev_dbg(adapter->dev, "info: --- Rx: Event ---\n");
adapter->event_cause = *(u32 *) skb->data; adapter->event_cause = *(u32 *) skb->data;
skb_pull(skb, MWIFIEX_EVENT_HEADER_LEN);
if ((skb->len > 0) && (skb->len < MAX_EVENT_SIZE)) if ((skb->len > 0) && (skb->len < MAX_EVENT_SIZE))
memcpy(adapter->event_body, skb->data, skb->len); memcpy(adapter->event_body,
skb->data + MWIFIEX_EVENT_HEADER_LEN,
skb->len);
/* event cause has been saved to adapter->event_cause */ /* event cause has been saved to adapter->event_cause */
adapter->event_received = true; adapter->event_received = true;
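Review bot: The memcpy on the new side reads MWIFIEX_EVENT_HEADER_LEN bytes past the end of the skb data: the source now starts at `skb->data + MWIFIEX_EVENT_HEADER_LEN`, but the length is still the full `skb->len`, which the old code had already shortened with skb_pull before copying. The guard should also require the header to be present, since `skb->len > 0` admits a one-byte event while event_cause is read as a u32 just above. Proposed: `if (skb->len >= MWIFIEX_EVENT_HEADER_LEN && skb->len < MAX_EVENT_SIZE) memcpy(adapter->event_body, skb->data + MWIFIEX_EVENT_HEADER_LEN, skb->len - MWIFIEX_EVENT_HEADER_LEN);`. mwifiex_decode_rx_packet starts and ends outside the hunk, and whether MWIFIEX_EVENT_HEADER_LEN equals the u32 read of event_cause is not visible here.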
......
...@@ -406,9 +406,9 @@ int mwifiex_process_sta_event(struct mwifiex_private *priv) ...@@ -406,9 +406,9 @@ int mwifiex_process_sta_event(struct mwifiex_private *priv)
break; break;
case EVENT_UAP_STA_ASSOC: case EVENT_UAP_STA_ASSOC:
skb_pull(adapter->event_skb, MWIFIEX_UAP_EVENT_EXTRA_HEADER);
memset(&sinfo, 0, sizeof(sinfo)); memset(&sinfo, 0, sizeof(sinfo));
event = (struct mwifiex_assoc_event *)adapter->event_skb->data; event = (struct mwifiex_assoc_event *)
(adapter->event_body + MWIFIEX_UAP_EVENT_EXTRA_HEADER);
if (le16_to_cpu(event->type) == TLV_TYPE_UAP_MGMT_FRAME) { if (le16_to_cpu(event->type) == TLV_TYPE_UAP_MGMT_FRAME) {
len = -1; len = -1;
...@@ -433,9 +433,8 @@ int mwifiex_process_sta_event(struct mwifiex_private *priv) ...@@ -433,9 +433,8 @@ int mwifiex_process_sta_event(struct mwifiex_private *priv)
GFP_KERNEL); GFP_KERNEL);
break; break;
case EVENT_UAP_STA_DEAUTH: case EVENT_UAP_STA_DEAUTH:
skb_pull(adapter->event_skb, MWIFIEX_UAP_EVENT_EXTRA_HEADER); cfg80211_del_sta(priv->netdev, adapter->event_body +
cfg80211_del_sta(priv->netdev, adapter->event_skb->data, MWIFIEX_UAP_EVENT_EXTRA_HEADER, GFP_KERNEL);
GFP_KERNEL);
break; break;
case EVENT_UAP_BSS_IDLE: case EVENT_UAP_BSS_IDLE:
priv->media_connected = false; priv->media_connected = false;
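Review bot: The cast at `event = (struct mwifiex_assoc_event *)(adapter->event_body + MWIFIEX_UAP_EVENT_EXTRA_HEADER)` is done without any check of how many bytes the firmware actually delivered; nothing in this hunk records or tests an event length, so a short EVENT_UAP_STA_ASSOC (or EVENT_UAP_STA_DEAUTH, which reads a MAC address from the same offset) would be parsed from whatever event_body held before. Unless the length is validated before the switch (the function starts outside the hunk), consider having the bus drivers store the copied length next to event_body and rejecting the event here when it is shorter than `MWIFIEX_UAP_EVENT_EXTRA_HEADER + sizeof(*event)`. This is a hedged observation, since the copy into event_body happens in the bus code rather than in this file.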
......
...@@ -49,6 +49,7 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, ...@@ -49,6 +49,7 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
struct device *dev = adapter->dev; struct device *dev = adapter->dev;
u32 recv_type; u32 recv_type;
__le32 tmp; __le32 tmp;
int ret;
if (adapter->hs_activated) if (adapter->hs_activated)
mwifiex_process_hs_config(adapter); mwifiex_process_hs_config(adapter);
...@@ -69,16 +70,19 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, ...@@ -69,16 +70,19 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
case MWIFIEX_USB_TYPE_CMD: case MWIFIEX_USB_TYPE_CMD:
if (skb->len > MWIFIEX_SIZE_OF_CMD_BUFFER) { if (skb->len > MWIFIEX_SIZE_OF_CMD_BUFFER) {
dev_err(dev, "CMD: skb->len too large\n"); dev_err(dev, "CMD: skb->len too large\n");
return -1; ret = -1;
goto exit_restore_skb;
} else if (!adapter->curr_cmd) { } else if (!adapter->curr_cmd) {
dev_dbg(dev, "CMD: no curr_cmd\n"); dev_dbg(dev, "CMD: no curr_cmd\n");
if (adapter->ps_state == PS_STATE_SLEEP_CFM) { if (adapter->ps_state == PS_STATE_SLEEP_CFM) {
mwifiex_process_sleep_confirm_resp( mwifiex_process_sleep_confirm_resp(
adapter, skb->data, adapter, skb->data,
skb->len); skb->len);
return 0; ret = 0;
goto exit_restore_skb;
} }
return -1; ret = -1;
goto exit_restore_skb;
} }
adapter->curr_cmd->resp_skb = skb; adapter->curr_cmd->resp_skb = skb;
...@@ -87,20 +91,22 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, ...@@ -87,20 +91,22 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
case MWIFIEX_USB_TYPE_EVENT: case MWIFIEX_USB_TYPE_EVENT:
if (skb->len < sizeof(u32)) { if (skb->len < sizeof(u32)) {
dev_err(dev, "EVENT: skb->len too small\n"); dev_err(dev, "EVENT: skb->len too small\n");
return -1; ret = -1;
goto exit_restore_skb;
} }
skb_copy_from_linear_data(skb, &tmp, sizeof(u32)); skb_copy_from_linear_data(skb, &tmp, sizeof(u32));
adapter->event_cause = le32_to_cpu(tmp); adapter->event_cause = le32_to_cpu(tmp);
skb_pull(skb, sizeof(u32));
dev_dbg(dev, "event_cause %#x\n", adapter->event_cause); dev_dbg(dev, "event_cause %#x\n", adapter->event_cause);
if (skb->len > MAX_EVENT_SIZE) { if (skb->len > MAX_EVENT_SIZE) {
dev_err(dev, "EVENT: event body too large\n"); dev_err(dev, "EVENT: event body too large\n");
return -1; ret = -1;
goto exit_restore_skb;
} }
skb_copy_from_linear_data(skb, adapter->event_body, memcpy(adapter->event_body, skb->data +
skb->len); MWIFIEX_EVENT_HEADER_LEN, skb->len);
adapter->event_received = true; adapter->event_received = true;
adapter->event_skb = skb; adapter->event_skb = skb;
break; break;
...@@ -124,6 +130,12 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, ...@@ -124,6 +130,12 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
} }
return -EINPROGRESS; return -EINPROGRESS;
exit_restore_skb:
/* The buffer will be reused for further cmds/events */
skb_push(skb, INTF_HEADER_LEN);
return ret;
} }
static void mwifiex_usb_rx_complete(struct urb *urb) static void mwifiex_usb_rx_complete(struct urb *urb)
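Review bot: The EVENT branch's memcpy reads MWIFIEX_EVENT_HEADER_LEN bytes past the end of the skb data: the removed `skb_pull(skb, sizeof(u32))` used to shorten skb->len before the copy, but the new code keeps `skb->len` as the length while offsetting the source by the header. The fix is `memcpy(adapter->event_body, skb->data + MWIFIEX_EVENT_HEADER_LEN, skb->len - MWIFIEX_EVENT_HEADER_LEN);`, and the too-small check above should use the same constant, `if (skb->len < MWIFIEX_EVENT_HEADER_LEN)`, rather than `sizeof(u32)` so the two cannot drift apart. The `exit_restore_skb` path assumes the caller pulled exactly INTF_HEADER_LEN before dispatch; that pull is outside the hunk, so a one-line comment naming where it happens would help. mwifiex_usb_recv starts outside the hunk.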
......
...@@ -404,6 +404,8 @@ mwifiex_wmm_init(struct mwifiex_adapter *adapter) ...@@ -404,6 +404,8 @@ mwifiex_wmm_init(struct mwifiex_adapter *adapter)
priv->add_ba_param.tx_win_size = MWIFIEX_AMPDU_DEF_TXWINSIZE; priv->add_ba_param.tx_win_size = MWIFIEX_AMPDU_DEF_TXWINSIZE;
priv->add_ba_param.rx_win_size = MWIFIEX_AMPDU_DEF_RXWINSIZE; priv->add_ba_param.rx_win_size = MWIFIEX_AMPDU_DEF_RXWINSIZE;
mwifiex_reset_11n_rx_seq_num(priv);
atomic_set(&priv->wmm.tx_pkts_queued, 0); atomic_set(&priv->wmm.tx_pkts_queued, 0);
atomic_set(&priv->wmm.highest_queued_prio, HIGH_PRIO_TID); atomic_set(&priv->wmm.highest_queued_prio, HIGH_PRIO_TID);
} }
...@@ -1221,6 +1223,7 @@ mwifiex_dequeue_tx_packet(struct mwifiex_adapter *adapter) ...@@ -1221,6 +1223,7 @@ mwifiex_dequeue_tx_packet(struct mwifiex_adapter *adapter)
if (!ptr->is_11n_enabled || if (!ptr->is_11n_enabled ||
mwifiex_is_ba_stream_setup(priv, ptr, tid) || mwifiex_is_ba_stream_setup(priv, ptr, tid) ||
priv->wps.session_enable ||
((priv->sec_info.wpa_enabled || ((priv->sec_info.wpa_enabled ||
priv->sec_info.wpa2_enabled) && priv->sec_info.wpa2_enabled) &&
!priv->wpa_is_gtk_set)) { !priv->wpa_is_gtk_set)) {
......
...@@ -301,9 +301,11 @@ static struct usb_device_id rtl8192c_usb_ids[] = { ...@@ -301,9 +301,11 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
{RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
{RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
{RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
{RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
{RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
{RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
{RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/ {RTL_USB_DEVICE(0x0eb0, 0x9071, rtl92cu_hal_cfg)}, /*NO Brand - Etop*/
{RTL_USB_DEVICE(0x4856, 0x0091, rtl92cu_hal_cfg)}, /*NetweeN - Feixun*/
/* HP - Lite-On ,8188CUS Slim Combo */ /* HP - Lite-On ,8188CUS Slim Combo */
{RTL_USB_DEVICE(0x103c, 0x1629, rtl92cu_hal_cfg)}, {RTL_USB_DEVICE(0x103c, 0x1629, rtl92cu_hal_cfg)},
{RTL_USB_DEVICE(0x13d3, 0x3357, rtl92cu_hal_cfg)}, /* AzureWave */ {RTL_USB_DEVICE(0x13d3, 0x3357, rtl92cu_hal_cfg)}, /* AzureWave */
...@@ -346,6 +348,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { ...@@ -346,6 +348,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
{RTL_USB_DEVICE(0x07b8, 0x8178, rtl92cu_hal_cfg)}, /*Funai -Abocom*/ {RTL_USB_DEVICE(0x07b8, 0x8178, rtl92cu_hal_cfg)}, /*Funai -Abocom*/
{RTL_USB_DEVICE(0x0846, 0x9021, rtl92cu_hal_cfg)}, /*Netgear-Sercomm*/ {RTL_USB_DEVICE(0x0846, 0x9021, rtl92cu_hal_cfg)}, /*Netgear-Sercomm*/
{RTL_USB_DEVICE(0x0b05, 0x17ab, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/ {RTL_USB_DEVICE(0x0b05, 0x17ab, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
{RTL_USB_DEVICE(0x0bda, 0x8186, rtl92cu_hal_cfg)}, /*Realtek 92CE-VAU*/
{RTL_USB_DEVICE(0x0df6, 0x0061, rtl92cu_hal_cfg)}, /*Sitecom-Edimax*/ {RTL_USB_DEVICE(0x0df6, 0x0061, rtl92cu_hal_cfg)}, /*Sitecom-Edimax*/
{RTL_USB_DEVICE(0x0e66, 0x0019, rtl92cu_hal_cfg)}, /*Hawking-Edimax*/ {RTL_USB_DEVICE(0x0e66, 0x0019, rtl92cu_hal_cfg)}, /*Hawking-Edimax*/
{RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/ {RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/
......
config WLCORE config WLCORE
tristate "TI wlcore support" tristate "TI wlcore support"
depends on WL_TI && GENERIC_HARDIRQS && MAC80211 depends on WL_TI && GENERIC_HARDIRQS && MAC80211
depends on INET
select FW_LOADER select FW_LOADER
---help--- ---help---
This module contains the main code for TI WLAN chips. It abstracts This module contains the main code for TI WLAN chips. It abstracts
......
...@@ -1342,7 +1342,6 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, ...@@ -1342,7 +1342,6 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
struct ieee80211_local *local = sdata->local; struct ieee80211_local *local = sdata->local;
struct sta_info *sta; struct sta_info *sta;
u32 changed = 0; u32 changed = 0;
u8 bssid[ETH_ALEN];
ASSERT_MGD_MTX(ifmgd); ASSERT_MGD_MTX(ifmgd);
...@@ -1354,10 +1353,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, ...@@ -1354,10 +1353,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
ieee80211_stop_poll(sdata); ieee80211_stop_poll(sdata);
memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
ifmgd->associated = NULL; ifmgd->associated = NULL;
memset(ifmgd->bssid, 0, ETH_ALEN);
/* /*
* we need to commit the associated = NULL change because the * we need to commit the associated = NULL change because the
...@@ -1377,7 +1373,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, ...@@ -1377,7 +1373,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
netif_carrier_off(sdata->dev); netif_carrier_off(sdata->dev);
mutex_lock(&local->sta_mtx); mutex_lock(&local->sta_mtx);
sta = sta_info_get(sdata, bssid); sta = sta_info_get(sdata, ifmgd->bssid);
if (sta) { if (sta) {
set_sta_flag(sta, WLAN_STA_BLOCK_BA); set_sta_flag(sta, WLAN_STA_BLOCK_BA);
ieee80211_sta_tear_down_BA_sessions(sta, tx); ieee80211_sta_tear_down_BA_sessions(sta, tx);
...@@ -1386,13 +1382,16 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, ...@@ -1386,13 +1382,16 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
/* deauthenticate/disassociate now */ /* deauthenticate/disassociate now */
if (tx || frame_buf) if (tx || frame_buf)
ieee80211_send_deauth_disassoc(sdata, bssid, stype, reason, ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid, stype,
tx, frame_buf); reason, tx, frame_buf);
/* flush out frame */ /* flush out frame */
if (tx) if (tx)
drv_flush(local, false); drv_flush(local, false);
/* clear bssid only after building the needed mgmt frames */
memset(ifmgd->bssid, 0, ETH_ALEN);
/* remove AP and TDLS peers */ /* remove AP and TDLS peers */
sta_info_flush(local, sdata); sta_info_flush(local, sdata);
......
...@@ -2455,7 +2455,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) ...@@ -2455,7 +2455,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
* frames that we didn't handle, including returning unknown * frames that we didn't handle, including returning unknown
* ones. For all other modes we will return them to the sender, * ones. For all other modes we will return them to the sender,
* setting the 0x80 bit in the action category, as required by * setting the 0x80 bit in the action category, as required by
* 802.11-2007 7.3.1.11. * 802.11-2012 9.24.4.
* Newer versions of hostapd shall also use the management frame * Newer versions of hostapd shall also use the management frame
* registration mechanisms, but older ones still use cooked * registration mechanisms, but older ones still use cooked
* monitor interfaces so push all frames there. * monitor interfaces so push all frames there.
...@@ -2465,6 +2465,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) ...@@ -2465,6 +2465,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
return RX_DROP_MONITOR; return RX_DROP_MONITOR;
if (is_multicast_ether_addr(mgmt->da))
return RX_DROP_MONITOR;
/* do not return rejected action frames */ /* do not return rejected action frames */
if (mgmt->u.action.category & 0x80) if (mgmt->u.action.category & 0x80)
return RX_DROP_UNUSABLE; return RX_DROP_UNUSABLE;
......
...@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev, ...@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
data += 2; data += 2;
nfca_poll->nfcid1_len = *data++; nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
pr_debug("sens_res 0x%x, nfcid1_len %d\n", pr_debug("sens_res 0x%x, nfcid1_len %d\n",
nfca_poll->sens_res, nfca_poll->nfcid1_len); nfca_poll->sens_res, nfca_poll->nfcid1_len);
...@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev, ...@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
struct rf_tech_specific_params_nfcb_poll *nfcb_poll, struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
__u8 *data) __u8 *data)
{ {
nfcb_poll->sensb_res_len = *data++; nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
...@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev, ...@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
__u8 *data) __u8 *data)
{ {
nfcf_poll->bit_rate = *data++; nfcf_poll->bit_rate = *data++;
nfcf_poll->sensf_res_len = *data++; nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
pr_debug("bit_rate %d, sensf_res_len %d\n", pr_debug("bit_rate %d, sensf_res_len %d\n",
nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
...@@ -331,7 +331,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, ...@@ -331,7 +331,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
switch (ntf->activation_rf_tech_and_mode) { switch (ntf->activation_rf_tech_and_mode) {
case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_A_PASSIVE_POLL_MODE:
nfca_poll = &ntf->activation_params.nfca_poll_iso_dep; nfca_poll = &ntf->activation_params.nfca_poll_iso_dep;
nfca_poll->rats_res_len = *data++; nfca_poll->rats_res_len = min_t(__u8, *data++, 20);
pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len); pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len);
if (nfca_poll->rats_res_len > 0) { if (nfca_poll->rats_res_len > 0) {
memcpy(nfca_poll->rats_res, memcpy(nfca_poll->rats_res,
...@@ -341,7 +341,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, ...@@ -341,7 +341,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
case NCI_NFC_B_PASSIVE_POLL_MODE: case NCI_NFC_B_PASSIVE_POLL_MODE:
nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep; nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep;
nfcb_poll->attrib_res_len = *data++; nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50);
pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len); pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len);
if (nfcb_poll->attrib_res_len > 0) { if (nfcb_poll->attrib_res_len > 0) {
memcpy(nfcb_poll->attrib_res, memcpy(nfcb_poll->attrib_res,
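Review bot: Clamping a bad length with min_t silently desynchronises the rest of the parse: the copy is bounded, but if `data` then advances by the clamped value (the copies and advances sit just outside the shown lines), every later field is read from the wrong offset and garbage activation parameters are handed up instead of the notification being rejected. Returning an error for an out-of-range length is the safer contract; if clamping is kept, the literals `20` and `50` at the rats_res_len and attrib_res_len sites should be named constants tied to the destination arrays (e.g. `sizeof(nfca_poll->rats_res)` if rats_res is an array), since resizing either array would otherwise reopen the overflow. Nothing in these hunks bounds `data` against the end of the received buffer either; if that check lives in the caller it is not visible here.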
......
...@@ -54,7 +54,10 @@ static int rawsock_release(struct socket *sock) ...@@ -54,7 +54,10 @@ static int rawsock_release(struct socket *sock)
{ {
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
pr_debug("sock=%p\n", sock); pr_debug("sock=%p sk=%p\n", sock, sk);
if (!sk)
return 0;
sock_orphan(sk); sock_orphan(sk);
sock_put(sk); sock_put(sk);
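Review bot: The extended debug line prints two raw kernel pointers with `%p`; on a kernel with dynamic debug enabled that discloses heap addresses to anyone who can read the log, so `%pK`, which honours kptr_restrict, is the better choice: `pr_debug("sock=%pK sk=%pK\n", sock, sk);`. The `if (!sk) return 0;` guard itself looks right; the rest of rawsock_release is outside the hunk.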
......