diff options
| author | John W. Linville <linville@tuxdriver.com> | 2013-12-20 15:40:06 -0500 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2013-12-20 15:40:06 -0500 |
| commit | 76ae07df2520d2f26c565747ad40c9e993b16cf7 (patch) | |
| tree | b44c7c5dd5fa8f953078661dfaa4c7c881e64636 /net | |
| parent | 965cdea825693c821d200e38fac9402cde6dce6a (diff) | |
| parent | b7e047358449f8eb5cba8197b42280b676b82e54 (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/hci_sock.c | 26 | ||||
| -rw-r--r-- | net/wireless/radiotap.c | 4 | ||||
| -rw-r--r-- | net/wireless/sme.c | 22 |
3 files changed, 32 insertions, 20 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 6a6c8bb4fd72..7552f9e3089c 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c | |||
| @@ -940,8 +940,22 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 940 | bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); | 940 | bt_cb(skb)->pkt_type = *((unsigned char *) skb->data); |
| 941 | skb_pull(skb, 1); | 941 | skb_pull(skb, 1); |
| 942 | 942 | ||
| 943 | if (hci_pi(sk)->channel == HCI_CHANNEL_RAW && | 943 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { |
| 944 | bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { | 944 | /* No permission check is needed for user channel |
| 945 | * since that gets enforced when binding the socket. | ||
| 946 | * | ||
| 947 | * However check that the packet type is valid. | ||
| 948 | */ | ||
| 949 | if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT && | ||
| 950 | bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && | ||
| 951 | bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { | ||
| 952 | err = -EINVAL; | ||
| 953 | goto drop; | ||
| 954 | } | ||
| 955 | |||
| 956 | skb_queue_tail(&hdev->raw_q, skb); | ||
| 957 | queue_work(hdev->workqueue, &hdev->tx_work); | ||
| 958 | } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) { | ||
| 945 | u16 opcode = get_unaligned_le16(skb->data); | 959 | u16 opcode = get_unaligned_le16(skb->data); |
| 946 | u16 ogf = hci_opcode_ogf(opcode); | 960 | u16 ogf = hci_opcode_ogf(opcode); |
| 947 | u16 ocf = hci_opcode_ocf(opcode); | 961 | u16 ocf = hci_opcode_ocf(opcode); |
| @@ -972,14 +986,6 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 972 | goto drop; | 986 | goto drop; |
| 973 | } | 987 | } |
| 974 | 988 | ||
| 975 | if (hci_pi(sk)->channel == HCI_CHANNEL_USER && | ||
| 976 | bt_cb(skb)->pkt_type != HCI_COMMAND_PKT && | ||
| 977 | bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && | ||
| 978 | bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { | ||
| 979 | err = -EINVAL; | ||
| 980 | goto drop; | ||
| 981 | } | ||
| 982 | |||
| 983 | skb_queue_tail(&hdev->raw_q, skb); | 989 | skb_queue_tail(&hdev->raw_q, skb); |
| 984 | queue_work(hdev->workqueue, &hdev->tx_work); | 990 | queue_work(hdev->workqueue, &hdev->tx_work); |
| 985 | } | 991 | } |
diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c index a271c27fac77..722da616438c 100644 --- a/net/wireless/radiotap.c +++ b/net/wireless/radiotap.c | |||
| @@ -124,6 +124,10 @@ int ieee80211_radiotap_iterator_init( | |||
| 124 | /* find payload start allowing for extended bitmap(s) */ | 124 | /* find payload start allowing for extended bitmap(s) */ |
| 125 | 125 | ||
| 126 | if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) { | 126 | if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) { |
| 127 | if ((unsigned long)iterator->_arg - | ||
| 128 | (unsigned long)iterator->_rtheader + sizeof(uint32_t) > | ||
| 129 | (unsigned long)iterator->_max_length) | ||
| 130 | return -EINVAL; | ||
| 127 | while (get_unaligned_le32(iterator->_arg) & | 131 | while (get_unaligned_le32(iterator->_arg) & |
| 128 | (1 << IEEE80211_RADIOTAP_EXT)) { | 132 | (1 << IEEE80211_RADIOTAP_EXT)) { |
| 129 | iterator->_arg += sizeof(uint32_t); | 133 | iterator->_arg += sizeof(uint32_t); |
diff --git a/net/wireless/sme.c b/net/wireless/sme.c index 65f800890d70..d3c5bd7c6b51 100644 --- a/net/wireless/sme.c +++ b/net/wireless/sme.c | |||
| @@ -632,6 +632,16 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | |||
| 632 | } | 632 | } |
| 633 | #endif | 633 | #endif |
| 634 | 634 | ||
| 635 | if (!bss && (status == WLAN_STATUS_SUCCESS)) { | ||
| 636 | WARN_ON_ONCE(!wiphy_to_dev(wdev->wiphy)->ops->connect); | ||
| 637 | bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid, | ||
| 638 | wdev->ssid, wdev->ssid_len, | ||
| 639 | WLAN_CAPABILITY_ESS, | ||
| 640 | WLAN_CAPABILITY_ESS); | ||
| 641 | if (bss) | ||
| 642 | cfg80211_hold_bss(bss_from_pub(bss)); | ||
| 643 | } | ||
| 644 | |||
| 635 | if (wdev->current_bss) { | 645 | if (wdev->current_bss) { |
| 636 | cfg80211_unhold_bss(wdev->current_bss); | 646 | cfg80211_unhold_bss(wdev->current_bss); |
| 637 | cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub); | 647 | cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub); |
| @@ -649,16 +659,8 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid, | |||
| 649 | return; | 659 | return; |
| 650 | } | 660 | } |
| 651 | 661 | ||
| 652 | if (!bss) { | 662 | if (WARN_ON(!bss)) |
| 653 | WARN_ON_ONCE(!wiphy_to_dev(wdev->wiphy)->ops->connect); | 663 | return; |
| 654 | bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid, | ||
| 655 | wdev->ssid, wdev->ssid_len, | ||
| 656 | WLAN_CAPABILITY_ESS, | ||
| 657 | WLAN_CAPABILITY_ESS); | ||
| 658 | if (WARN_ON(!bss)) | ||
| 659 | return; | ||
| 660 | cfg80211_hold_bss(bss_from_pub(bss)); | ||
| 661 | } | ||
| 662 | 664 | ||
| 663 | wdev->current_bss = bss_from_pub(bss); | 665 | wdev->current_bss = bss_from_pub(bss); |
| 664 | 666 | ||