diff options
| author | David S. Miller <davem@davemloft.net> | 2012-06-28 19:58:09 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-06-28 19:58:09 -0400 |
| commit | ca33c00fff12b15428003b7b0423b313190ef03a (patch) | |
| tree | 379c58de3d8a04243e1a52f61d1eb22fa2c52f53 /net | |
| parent | 9740e001932f59ee007d13ee3f39bb1b61086651 (diff) | |
| parent | de03309bd209b6fb025e9359266e0cbb441f7441 (diff) | |
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John Linville says:
====================
Amitkumar Karwar gives us two mwifiex fixes: one fixes some skb
manipulations when handling some event messages; and another that
does some similar fixing on an error path.
Avinash Patil gives us a fix for for a memory leak in mwifiex.
Dan Rosenberg offers an NFC NCI fix to enforce some message length
limits to prevent buffer overflows.
Eliad Peller provides a mac80211 fix to prevent some frames from
being built with an invalid BSSID.
Eric Dumazet sends an NFC fix to prevent a BUG caused by a NULL
pointer dereference.
Felix Fietkau has an ath9k fix for a regression causing
LEAP-authenticated connection failures.
Johannes Berg provides an iwlwifi fix that eliminates some log SPAM
after an authentication/association timeout. He also provides a
mac80211 fix to prevent incorrectly addressing certain action frames
(and in so doing, to comply with the 802.11 specs).
Larry Finger provides a few USB IDs for the rtl8192cu driver --
should be harmless.
Panayiotis Karabassis provices a one-liner to fix kernel bug 42903
(a system freeze).
Randy Dunlap provides a one-line Kconfig change to prevent build
failures with some configurations.
Stone Piao provides an mwifiex sequence numbering fix and a fix
to prevent mwifiex from attempting to include eapol frames in an
aggregation frame.
Finally, Tom Hughes provides an ath9k fix for a NULL pointer
dereference.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/mac80211/mlme.c | 13 | ||||
| -rw-r--r-- | net/mac80211/rx.c | 5 | ||||
| -rw-r--r-- | net/nfc/nci/ntf.c | 10 | ||||
| -rw-r--r-- | net/nfc/rawsock.c | 5 |
4 files changed, 19 insertions, 14 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 66e4fcdd1c6b..a4bb856de08f 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c | |||
| @@ -1342,7 +1342,6 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, | |||
| 1342 | struct ieee80211_local *local = sdata->local; | 1342 | struct ieee80211_local *local = sdata->local; |
| 1343 | struct sta_info *sta; | 1343 | struct sta_info *sta; |
| 1344 | u32 changed = 0; | 1344 | u32 changed = 0; |
| 1345 | u8 bssid[ETH_ALEN]; | ||
| 1346 | 1345 | ||
| 1347 | ASSERT_MGD_MTX(ifmgd); | 1346 | ASSERT_MGD_MTX(ifmgd); |
| 1348 | 1347 | ||
| @@ -1354,10 +1353,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, | |||
| 1354 | 1353 | ||
| 1355 | ieee80211_stop_poll(sdata); | 1354 | ieee80211_stop_poll(sdata); |
| 1356 | 1355 | ||
| 1357 | memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN); | ||
| 1358 | |||
| 1359 | ifmgd->associated = NULL; | 1356 | ifmgd->associated = NULL; |
| 1360 | memset(ifmgd->bssid, 0, ETH_ALEN); | ||
| 1361 | 1357 | ||
| 1362 | /* | 1358 | /* |
| 1363 | * we need to commit the associated = NULL change because the | 1359 | * we need to commit the associated = NULL change because the |
| @@ -1377,7 +1373,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, | |||
| 1377 | netif_carrier_off(sdata->dev); | 1373 | netif_carrier_off(sdata->dev); |
| 1378 | 1374 | ||
| 1379 | mutex_lock(&local->sta_mtx); | 1375 | mutex_lock(&local->sta_mtx); |
| 1380 | sta = sta_info_get(sdata, bssid); | 1376 | sta = sta_info_get(sdata, ifmgd->bssid); |
| 1381 | if (sta) { | 1377 | if (sta) { |
| 1382 | set_sta_flag(sta, WLAN_STA_BLOCK_BA); | 1378 | set_sta_flag(sta, WLAN_STA_BLOCK_BA); |
| 1383 | ieee80211_sta_tear_down_BA_sessions(sta, tx); | 1379 | ieee80211_sta_tear_down_BA_sessions(sta, tx); |
| @@ -1386,13 +1382,16 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata, | |||
| 1386 | 1382 | ||
| 1387 | /* deauthenticate/disassociate now */ | 1383 | /* deauthenticate/disassociate now */ |
| 1388 | if (tx || frame_buf) | 1384 | if (tx || frame_buf) |
| 1389 | ieee80211_send_deauth_disassoc(sdata, bssid, stype, reason, | 1385 | ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid, stype, |
| 1390 | tx, frame_buf); | 1386 | reason, tx, frame_buf); |
| 1391 | 1387 | ||
| 1392 | /* flush out frame */ | 1388 | /* flush out frame */ |
| 1393 | if (tx) | 1389 | if (tx) |
| 1394 | drv_flush(local, false); | 1390 | drv_flush(local, false); |
| 1395 | 1391 | ||
| 1392 | /* clear bssid only after building the needed mgmt frames */ | ||
| 1393 | memset(ifmgd->bssid, 0, ETH_ALEN); | ||
| 1394 | |||
| 1396 | /* remove AP and TDLS peers */ | 1395 | /* remove AP and TDLS peers */ |
| 1397 | sta_info_flush(local, sdata); | 1396 | sta_info_flush(local, sdata); |
| 1398 | 1397 | ||
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 7bcecf73aafb..965e6ec0adb6 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c | |||
| @@ -2455,7 +2455,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) | |||
| 2455 | * frames that we didn't handle, including returning unknown | 2455 | * frames that we didn't handle, including returning unknown |
| 2456 | * ones. For all other modes we will return them to the sender, | 2456 | * ones. For all other modes we will return them to the sender, |
| 2457 | * setting the 0x80 bit in the action category, as required by | 2457 | * setting the 0x80 bit in the action category, as required by |
| 2458 | * 802.11-2007 7.3.1.11. | 2458 | * 802.11-2012 9.24.4. |
| 2459 | * Newer versions of hostapd shall also use the management frame | 2459 | * Newer versions of hostapd shall also use the management frame |
| 2460 | * registration mechanisms, but older ones still use cooked | 2460 | * registration mechanisms, but older ones still use cooked |
| 2461 | * monitor interfaces so push all frames there. | 2461 | * monitor interfaces so push all frames there. |
| @@ -2465,6 +2465,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) | |||
| 2465 | sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) | 2465 | sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) |
| 2466 | return RX_DROP_MONITOR; | 2466 | return RX_DROP_MONITOR; |
| 2467 | 2467 | ||
| 2468 | if (is_multicast_ether_addr(mgmt->da)) | ||
| 2469 | return RX_DROP_MONITOR; | ||
| 2470 | |||
| 2468 | /* do not return rejected action frames */ | 2471 | /* do not return rejected action frames */ |
| 2469 | if (mgmt->u.action.category & 0x80) | 2472 | if (mgmt->u.action.category & 0x80) |
| 2470 | return RX_DROP_UNUSABLE; | 2473 | return RX_DROP_UNUSABLE; |
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index cb2646179e5f..2ab196a9f228 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c | |||
| @@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev, | |||
| 106 | nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); | 106 | nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); |
| 107 | data += 2; | 107 | data += 2; |
| 108 | 108 | ||
| 109 | nfca_poll->nfcid1_len = *data++; | 109 | nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE); |
| 110 | 110 | ||
| 111 | pr_debug("sens_res 0x%x, nfcid1_len %d\n", | 111 | pr_debug("sens_res 0x%x, nfcid1_len %d\n", |
| 112 | nfca_poll->sens_res, nfca_poll->nfcid1_len); | 112 | nfca_poll->sens_res, nfca_poll->nfcid1_len); |
| @@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev, | |||
| 130 | struct rf_tech_specific_params_nfcb_poll *nfcb_poll, | 130 | struct rf_tech_specific_params_nfcb_poll *nfcb_poll, |
| 131 | __u8 *data) | 131 | __u8 *data) |
| 132 | { | 132 | { |
| 133 | nfcb_poll->sensb_res_len = *data++; | 133 | nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE); |
| 134 | 134 | ||
| 135 | pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); | 135 | pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); |
| 136 | 136 | ||
| @@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev, | |||
| 145 | __u8 *data) | 145 | __u8 *data) |
| 146 | { | 146 | { |
| 147 | nfcf_poll->bit_rate = *data++; | 147 | nfcf_poll->bit_rate = *data++; |
| 148 | nfcf_poll->sensf_res_len = *data++; | 148 | nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE); |
| 149 | 149 | ||
| 150 | pr_debug("bit_rate %d, sensf_res_len %d\n", | 150 | pr_debug("bit_rate %d, sensf_res_len %d\n", |
| 151 | nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); | 151 | nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); |
| @@ -331,7 +331,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, | |||
| 331 | switch (ntf->activation_rf_tech_and_mode) { | 331 | switch (ntf->activation_rf_tech_and_mode) { |
| 332 | case NCI_NFC_A_PASSIVE_POLL_MODE: | 332 | case NCI_NFC_A_PASSIVE_POLL_MODE: |
| 333 | nfca_poll = &ntf->activation_params.nfca_poll_iso_dep; | 333 | nfca_poll = &ntf->activation_params.nfca_poll_iso_dep; |
| 334 | nfca_poll->rats_res_len = *data++; | 334 | nfca_poll->rats_res_len = min_t(__u8, *data++, 20); |
| 335 | pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len); | 335 | pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len); |
| 336 | if (nfca_poll->rats_res_len > 0) { | 336 | if (nfca_poll->rats_res_len > 0) { |
| 337 | memcpy(nfca_poll->rats_res, | 337 | memcpy(nfca_poll->rats_res, |
| @@ -341,7 +341,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, | |||
| 341 | 341 | ||
| 342 | case NCI_NFC_B_PASSIVE_POLL_MODE: | 342 | case NCI_NFC_B_PASSIVE_POLL_MODE: |
| 343 | nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep; | 343 | nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep; |
| 344 | nfcb_poll->attrib_res_len = *data++; | 344 | nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50); |
| 345 | pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len); | 345 | pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len); |
| 346 | if (nfcb_poll->attrib_res_len > 0) { | 346 | if (nfcb_poll->attrib_res_len > 0) { |
| 347 | memcpy(nfcb_poll->attrib_res, | 347 | memcpy(nfcb_poll->attrib_res, |
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c index ec1134c9e07f..8b8a6a2b2bad 100644 --- a/net/nfc/rawsock.c +++ b/net/nfc/rawsock.c | |||
| @@ -54,7 +54,10 @@ static int rawsock_release(struct socket *sock) | |||
| 54 | { | 54 | { |
| 55 | struct sock *sk = sock->sk; | 55 | struct sock *sk = sock->sk; |
| 56 | 56 | ||
| 57 | pr_debug("sock=%p\n", sock); | 57 | pr_debug("sock=%p sk=%p\n", sock, sk); |
| 58 | |||
| 59 | if (!sk) | ||
| 60 | return 0; | ||
| 58 | 61 | ||
| 59 | sock_orphan(sk); | 62 | sock_orphan(sk); |
| 60 | sock_put(sk); | 63 | sock_put(sk); |