Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

Johan Hedberg says: ==================== pull request: bluetooth-next 2016-04-12 Here's a set of Bluetooth & 802.15.4 patches intended for the 4.7 kernel: - Fix for race condition in vhci driver - Memory leak fix for ieee802154/adf7242 driver - Improvements to deal with single-mode (LE-only) Bluetooth controllers - Fix for allowing the BT_SECURITY_FIPS security level - New BCM2E71 ACPI ID - NULL pointer dereference fix fox hci_ldisc driver Let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2016-04-12 11:57:53 -0400
committer: David S. Miller <davem@davemloft.net> 2016-04-12 11:57:53 -0400
commit: 69fb78121bf86c87490ea1453e310a39c320a70a (patch)
tree: 490484df49b2f3ad8d8cea6e4a9e27bc772ef99a
parent: 9a6f2b0113c8fce815db7c9d23754bdea4b428a0 (diff)
parent: 8805eea2494a2837983bc4aaaf6842c89666ec25 (diff)
10 files changed, 74 insertions, 39 deletions
diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
index d8881dc0600c..1c97eda8bae3 100644
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -825,6 +825,7 @@ static const struct acpi_device_id bcm_acpi_match[] = {
        { "BCM2E64", 0 },
        { "BCM2E65", 0 },
        { "BCM2E67", 0 },
+        { "BCM2E71", 0 },
        { "BCM2E7B", 0 },
        { "BCM2E7C", 0 },
        { },
diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index 064f2fefad62..d7d23ceba4d1 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -102,13 +102,12 @@ static const u16 crc_table[] = {
 /* Initialise the crc calculator */
 #define BCSP_CRC_INIT(x) x = 0xffff
-/*
+/* Update crc with next data byte
-   Update crc with next data byte
+ *
+ * Implementation note
-   Implementation note
+ *     The data byte is treated as two nibbles.  The crc is generated
-        The data byte is treated as two nibbles.  The crc is generated
+ *     in reverse, i.e., bits are fed into the register from the top.
-        in reverse, i.e., bits are fed into the register from the top.
+ */
-*/
 static void bcsp_crc_update(u16 *crc, u8 d)
 {
        u16 reg = *crc;
@@ -223,9 +222,10 @@ static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data,
        }
        /* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
-           (because bytes 0xc0 and 0xdb are escaped, worst case is
+         * (because bytes 0xc0 and 0xdb are escaped, worst case is
-           when the packet is all made of 0xc0 and 0xdb :) )
+         * when the packet is all made of 0xc0 and 0xdb :) )
-           + 2 (0xc0 delimiters at start and end). */
+         * + 2 (0xc0 delimiters at start and end).
+         */
        nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
        if (!nskb)
@@ -285,7 +285,7 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
        struct bcsp_struct *bcsp = hu->priv;
        unsigned long flags;
        struct sk_buff *skb;
-        
        /* First of all, check for unreliable messages in the queue,
           since they have priority */
@@ -305,8 +305,9 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
        }
        /* Now, try to send a reliable pkt. We can only send a
-           reliable packet if the number of packets sent but not yet ack'ed
+         * reliable packet if the number of packets sent but not yet ack'ed
-           is < than the winsize */
+         * is < than the winsize
+         */
        spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
@@ -332,12 +333,14 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
        spin_unlock_irqrestore(&bcsp->unack.lock, flags);
        /* We could not send a reliable packet, either because there are
-           none or because there are too many unack'ed pkts. Did we receive
+         * none or because there are too many unack'ed pkts. Did we receive
-           any packets we have not acknowledged yet ? */
+         * any packets we have not acknowledged yet ?
+         */
        if (bcsp->txack_req) {
                /* if so, craft an empty ACK pkt and send it on BCSP unreliable
-                   channel 0 */
+                 * channel 0
+                 */
                struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
                return nskb;
        }
@@ -399,8 +402,9 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
 }
 /* Handle BCSP link-establishment packets. When we
-   detect a "sync" packet, symptom that the BT module has reset,
+ * detect a "sync" packet, symptom that the BT module has reset,
-   we do nothing :) (yet) */
+ * we do nothing :) (yet)
+ */
 static void bcsp_handle_le_pkt(struct hci_uart *hu)
 {
        struct bcsp_struct *bcsp = hu->priv;
@@ -462,7 +466,7 @@ static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char
                case 0xdd:
                        memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);
                        if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
-                                        bcsp->rx_state != BCSP_W4_CRC) 
+                                        bcsp->rx_state != BCSP_W4_CRC)
                                bcsp_crc_update(&bcsp->message_crc, 0xdb);
                        bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
                        bcsp->rx_count--;
@@ -534,7 +538,7 @@ static void bcsp_complete_rx_pkt(struct hci_uart *hu)
                        } else {
                                BT_ERR("Packet for unknown channel (%u %s)",
                                        bcsp->rx_skb->data[1] & 0x0f,
-                                        bcsp->rx_skb->data[0] & 0x80 ? 
+                                        bcsp->rx_skb->data[0] & 0x80 ?
                                        "reliable" : "unreliable");
                                kfree_skb(bcsp->rx_skb);
                        }
@@ -562,7 +566,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
        struct bcsp_struct *bcsp = hu->priv;
        const unsigned char *ptr;
-        BT_DBG("hu %p count %d rx_state %d rx_count %ld", 
+        BT_DBG("hu %p count %d rx_state %d rx_count %ld",
                hu, count, bcsp->rx_state, bcsp->rx_count);
        ptr = data;
@@ -591,7 +595,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
                                continue;
                        }
                        if (bcsp->rx_skb->data[0] & 0x80        /* reliable pkt */
-                                        && (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {
+                                                && (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {
                                BT_ERR("Out-of-order packet arrived, got %u expected %u",
                                        bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
@@ -601,7 +605,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
                                continue;
                        }
                        bcsp->rx_state = BCSP_W4_DATA;
-                        bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) + 
+                        bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
                                        (bcsp->rx_skb->data[2] << 4);   /* May be 0 */
                        continue;
@@ -615,7 +619,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
                case BCSP_W4_CRC:
                        if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
-                                BT_ERR ("Checksum failed: computed %04x received %04x",
+                                BT_ERR("Checksum failed: computed %04x received %04x",
                                        bitrev16(bcsp->message_crc),
                                        bscp_get_crc(bcsp));
@@ -653,8 +657,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
                                BCSP_CRC_INIT(bcsp->message_crc);
                                /* Do not increment ptr or decrement count
-                                 * Allocate packet. Max len of a BCSP pkt= 
+                                 * Allocate packet. Max len of a BCSP pkt=
-                                 * 0xFFF (payload) +4 (header) +2 (crc) */
+                                 * 0xFFF (payload) +4 (header) +2 (crc)
+                                 */
                                bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
                                if (!bcsp->rx_skb) {
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index c00168a5bb80..49b3e1e2d236 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -227,7 +227,7 @@ static int hci_uart_flush(struct hci_dev *hdev)
        tty_ldisc_flush(tty);
        tty_driver_flush_buffer(tty);
-        if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
                hu->proto->flush(hu);
        return 0;
@@ -492,7 +492,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
        cancel_work_sync(&hu->write_work);
-        if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
+        if (test_and_clear_bit(HCI_UART_PROTO_READY, &hu->flags)) {
                if (hdev) {
                        if (test_bit(HCI_UART_REGISTERED, &hu->flags))
                                hci_unregister_dev(hdev);
@@ -500,6 +500,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                }
                hu->proto->close(hu);
        }
+        clear_bit(HCI_UART_PROTO_SET, &hu->flags);
        kfree(hu);
 }
@@ -526,7 +527,7 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty)
        if (tty != hu->tty)
                return;
-        if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
                hci_uart_tx_wakeup(hu);
 }
@@ -550,7 +551,7 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data,
        if (!hu || tty != hu->tty)
                return;
-        if (!test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
                return;
        /* It does not need a lock here as it is already protected by a mutex in
@@ -638,9 +639,11 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
                return err;
        hu->proto = p;
+        set_bit(HCI_UART_PROTO_READY, &hu->flags);
        err = hci_uart_register_dev(hu);
        if (err) {
+                clear_bit(HCI_UART_PROTO_READY, &hu->flags);
                p->close(hu);
                return err;
        }
diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
index 4814ff08f427..839bad1d8152 100644
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -95,6 +95,7 @@ struct hci_uart {
 /* HCI_UART proto flag bits */
 #define HCI_UART_PROTO_SET      0
 #define HCI_UART_REGISTERED     1
+#define HCI_UART_PROTO_READY    2
 /* TX states  */
 #define HCI_UART_SENDING        1
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 80783dcb7f57..f67ea1c090cb 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
                break;
        case HCI_VENDOR_PKT:
+                cancel_delayed_work_sync(&data->open_timeout);
                if (data->hdev) {
                        kfree_skb(skb);
                        return -EBADFD;
                }
-                cancel_delayed_work_sync(&data->open_timeout);
                opcode = *((__u8 *) skb->data);
                skb_pull(skb, 1);
@@ -333,15 +333,18 @@ static int vhci_open(struct inode *inode, struct file *file)
 static int vhci_release(struct inode *inode, struct file *file)
 {
        struct vhci_data *data = file->private_data;
-        struct hci_dev *hdev = data->hdev;
+        struct hci_dev *hdev;
        cancel_delayed_work_sync(&data->open_timeout);
+        hdev = data->hdev;
        if (hdev) {
                hci_unregister_dev(hdev);
                hci_free_dev(hdev);
        }
+        skb_queue_purge(&data->readq);
        file->private_data = NULL;
        kfree(data);
diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
index 89154c079788..b82e39d24394 100644
--- a/drivers/net/ieee802154/adf7242.c
+++ b/drivers/net/ieee802154/adf7242.c
@@ -1030,6 +1030,7 @@ static int adf7242_hw_init(struct adf7242_local *lp)
        if (ret) {
                dev_err(&lp->spi->dev,
                        "upload firmware failed with %d\n", ret);
+                release_firmware(fw);
                return ret;
        }
@@ -1037,6 +1038,7 @@ static int adf7242_hw_init(struct adf7242_local *lp)
        if (ret) {
                dev_err(&lp->spi->dev,
                        "verify firmware failed with %d\n", ret);
+                release_firmware(fw);
                return ret;
        }
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index 99bb22aea346..68c80f3c9add 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -148,6 +148,11 @@
         (((a)->s6_addr16[6]) == 0) &&          \
         (((a)->s6_addr[14]) == 0))
+#define lowpan_is_linklocal_zero_padded(a)      \
+        (!(hdr->saddr.s6_addr[1] & 0x3f) &&     \
+         !hdr->saddr.s6_addr16[1] &&            \
+         !hdr->saddr.s6_addr32[1])
 #define LOWPAN_IPHC_CID_DCI(cid)        (cid & 0x0f)
 #define LOWPAN_IPHC_CID_SCI(cid)        ((cid & 0xf0) >> 4)
@@ -1101,7 +1106,8 @@ int lowpan_header_compress(struct sk_buff *skb, const struct net_device *dev,
                                                          true);
                        iphc1 |= LOWPAN_IPHC_SAC;
                } else {
-                        if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL) {
+                        if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL &&
+                            lowpan_is_linklocal_zero_padded(hdr->saddr)) {
                                iphc1 |= lowpan_compress_addr_64(&hc_ptr,
                                                                 &hdr->saddr,
                                                                 saddr, true);
@@ -1135,7 +1141,8 @@ int lowpan_header_compress(struct sk_buff *skb, const struct net_device *dev,
                                                          false);
                        iphc1 |= LOWPAN_IPHC_DAC;
                } else {
-                        if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL) {
+                        if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL &&
+                            lowpan_is_linklocal_zero_padded(hdr->daddr)) {
                                iphc1 |= lowpan_compress_addr_64(&hc_ptr,
                                                                 &hdr->daddr,
                                                                 daddr, false);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index c162af5d16bf..d4b3dd5413be 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4727,6 +4727,19 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
        u32 flags;
        u8 *ptr, real_len;
+        switch (type) {
+        case LE_ADV_IND:
+        case LE_ADV_DIRECT_IND:
+        case LE_ADV_SCAN_IND:
+        case LE_ADV_NONCONN_IND:
+        case LE_ADV_SCAN_RSP:
+                break;
+        default:
+                BT_ERR_RATELIMITED("Unknown advetising packet type: 0x%02x",
+                                   type);
+                return;
+        }
        /* Find the end of the data in case the report contains padded zero
         * bytes at the end causing an invalid length value.
         *
diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index 6e125d76df0d..c045b3c54768 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -1065,6 +1065,9 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr)
        if (instance_flags & MGMT_ADV_FLAG_LIMITED_DISCOV)
                flags |= LE_AD_LIMITED;
+        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
+                flags |= LE_AD_NO_BREDR;
        if (flags || (instance_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)) {
                /* If a discovery flag wasn't provided, simply use the global
                 * settings.
@@ -1072,9 +1075,6 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr)
                if (!flags)
                        flags |= mgmt_get_adv_discov_flags(hdev);
-                if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
-                        flags |= LE_AD_NO_BREDR;
                /* If flags would still be empty, then there is no need to
                 * include the "Flags" AD field".
                 */
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index e4cae72895a7..388ee8b59145 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -778,7 +778,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
                }
                if (sec.level < BT_SECURITY_LOW ||
-                    sec.level > BT_SECURITY_HIGH) {
+                    sec.level > BT_SECURITY_FIPS) {
                        err = -EINVAL;
                        break;
                }
author	David S. Miller <davem@davemloft.net>	2016-04-12 11:57:53 -0400
committer	David S. Miller <davem@davemloft.net>	2016-04-12 11:57:53 -0400
commit	69fb78121bf86c87490ea1453e310a39c320a70a (patch)
tree	490484df49b2f3ad8d8cea6e4a9e27bc772ef99a
parent	9a6f2b0113c8fce815db7c9d23754bdea4b428a0 (diff)
parent	8805eea2494a2837983bc4aaaf6842c89666ec25 (diff)

diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c index d8881dc0600c..1c97eda8bae3 100644 --- a/drivers/bluetooth/hci_bcm.c +++ b/drivers/bluetooth/hci_bcm.c
@@ -825,6 +825,7 @@ static const struct acpi_device_id bcm_acpi_match[] = {
825	{ "BCM2E64", 0 },	825	{ "BCM2E64", 0 },
826	{ "BCM2E65", 0 },	826	{ "BCM2E65", 0 },
827	{ "BCM2E67", 0 },	827	{ "BCM2E67", 0 },
		828	{ "BCM2E71", 0 },
828	{ "BCM2E7B", 0 },	829	{ "BCM2E7B", 0 },
829	{ "BCM2E7C", 0 },	830	{ "BCM2E7C", 0 },
830	{ },	831	{ },


diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 064f2fefad62..d7d23ceba4d1 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c
@@ -102,13 +102,12 @@ static const u16 crc_table[] = {
102	/* Initialise the crc calculator */	102	/* Initialise the crc calculator */
103	#define BCSP_CRC_INIT(x) x = 0xffff	103	#define BCSP_CRC_INIT(x) x = 0xffff
104		104
105	/*	105	/* Update crc with next data byte
106	Update crc with next data byte	106	*
107		107	* Implementation note
108	Implementation note	108	* The data byte is treated as two nibbles. The crc is generated
109	The data byte is treated as two nibbles. The crc is generated	109	* in reverse, i.e., bits are fed into the register from the top.
110	in reverse, i.e., bits are fed into the register from the top.	110	*/
111	*/
112	static void bcsp_crc_update(u16 *crc, u8 d)	111	static void bcsp_crc_update(u16 *crc, u8 d)
113	{	112	{
114	u16 reg = *crc;	113	u16 reg = *crc;
@@ -223,9 +222,10 @@ static struct sk_buff bcsp_prepare_pkt(struct bcsp_struct bcsp, u8 *data,
223	}	222	}
224		223
225	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2	224	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
226	(because bytes 0xc0 and 0xdb are escaped, worst case is	225	* (because bytes 0xc0 and 0xdb are escaped, worst case is
227	when the packet is all made of 0xc0 and 0xdb :) )	226	* when the packet is all made of 0xc0 and 0xdb :) )
228	+ 2 (0xc0 delimiters at start and end). */	227	* + 2 (0xc0 delimiters at start and end).
		228	*/
229		229
230	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);	230	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
231	if (!nskb)	231	if (!nskb)
@@ -285,7 +285,7 @@ static struct sk_buff bcsp_dequeue(struct hci_uart hu)
285	struct bcsp_struct *bcsp = hu->priv;	285	struct bcsp_struct *bcsp = hu->priv;
286	unsigned long flags;	286	unsigned long flags;
287	struct sk_buff *skb;	287	struct sk_buff *skb;
288		288
289	/* First of all, check for unreliable messages in the queue,	289	/* First of all, check for unreliable messages in the queue,
290	since they have priority */	290	since they have priority */
291		291
@@ -305,8 +305,9 @@ static struct sk_buff bcsp_dequeue(struct hci_uart hu)
305	}	305	}
306		306
307	/* Now, try to send a reliable pkt. We can only send a	307	/* Now, try to send a reliable pkt. We can only send a
308	reliable packet if the number of packets sent but not yet ack'ed	308	* reliable packet if the number of packets sent but not yet ack'ed
309	is < than the winsize */	309	* is < than the winsize
		310	*/
310		311
311	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);	312	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
312		313
@@ -332,12 +333,14 @@ static struct sk_buff bcsp_dequeue(struct hci_uart hu)
332	spin_unlock_irqrestore(&bcsp->unack.lock, flags);	333	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
333		334
334	/* We could not send a reliable packet, either because there are	335	/* We could not send a reliable packet, either because there are
335	none or because there are too many unack'ed pkts. Did we receive	336	* none or because there are too many unack'ed pkts. Did we receive
336	any packets we have not acknowledged yet ? */	337	* any packets we have not acknowledged yet ?
		338	*/
337		339
338	if (bcsp->txack_req) {	340	if (bcsp->txack_req) {
339	/* if so, craft an empty ACK pkt and send it on BCSP unreliable	341	/* if so, craft an empty ACK pkt and send it on BCSP unreliable
340	channel 0 */	342	* channel 0
		343	*/
341	struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);	344	struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
342	return nskb;	345	return nskb;
343	}	346	}
@@ -399,8 +402,9 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
399	}	402	}
400		403
401	/* Handle BCSP link-establishment packets. When we	404	/* Handle BCSP link-establishment packets. When we
402	detect a "sync" packet, symptom that the BT module has reset,	405	* detect a "sync" packet, symptom that the BT module has reset,
403	we do nothing :) (yet) */	406	* we do nothing :) (yet)
		407	*/
404	static void bcsp_handle_le_pkt(struct hci_uart *hu)	408	static void bcsp_handle_le_pkt(struct hci_uart *hu)
405	{	409	{
406	struct bcsp_struct *bcsp = hu->priv;	410	struct bcsp_struct *bcsp = hu->priv;
@@ -462,7 +466,7 @@ static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char
462	case 0xdd:	466	case 0xdd:
463	memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);	467	memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);
464	if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&	468	if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
465	bcsp->rx_state != BCSP_W4_CRC)	469	bcsp->rx_state != BCSP_W4_CRC)
466	bcsp_crc_update(&bcsp->message_crc, 0xdb);	470	bcsp_crc_update(&bcsp->message_crc, 0xdb);
467	bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;	471	bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
468	bcsp->rx_count--;	472	bcsp->rx_count--;
@@ -534,7 +538,7 @@ static void bcsp_complete_rx_pkt(struct hci_uart *hu)
534	} else {	538	} else {
535	BT_ERR("Packet for unknown channel (%u %s)",	539	BT_ERR("Packet for unknown channel (%u %s)",
536	bcsp->rx_skb->data[1] & 0x0f,	540	bcsp->rx_skb->data[1] & 0x0f,
537	bcsp->rx_skb->data[0] & 0x80 ?	541	bcsp->rx_skb->data[0] & 0x80 ?
538	"reliable" : "unreliable");	542	"reliable" : "unreliable");
539	kfree_skb(bcsp->rx_skb);	543	kfree_skb(bcsp->rx_skb);
540	}	544	}
@@ -562,7 +566,7 @@ static int bcsp_recv(struct hci_uart hu, const void data, int count)
562	struct bcsp_struct *bcsp = hu->priv;	566	struct bcsp_struct *bcsp = hu->priv;
563	const unsigned char *ptr;	567	const unsigned char *ptr;
564		568
565	BT_DBG("hu %p count %d rx_state %d rx_count %ld",	569	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
566	hu, count, bcsp->rx_state, bcsp->rx_count);	570	hu, count, bcsp->rx_state, bcsp->rx_count);
567		571
568	ptr = data;	572	ptr = data;
@@ -591,7 +595,7 @@ static int bcsp_recv(struct hci_uart hu, const void data, int count)
591	continue;	595	continue;
592	}	596	}
593	if (bcsp->rx_skb->data[0] & 0x80 /* reliable pkt */	597	if (bcsp->rx_skb->data[0] & 0x80 /* reliable pkt */
594	&& (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {	598	&& (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {
595	BT_ERR("Out-of-order packet arrived, got %u expected %u",	599	BT_ERR("Out-of-order packet arrived, got %u expected %u",
596	bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);	600	bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
597		601
@@ -601,7 +605,7 @@ static int bcsp_recv(struct hci_uart hu, const void data, int count)
601	continue;	605	continue;
602	}	606	}
603	bcsp->rx_state = BCSP_W4_DATA;	607	bcsp->rx_state = BCSP_W4_DATA;
604	bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +	608	bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
605	(bcsp->rx_skb->data[2] << 4); /* May be 0 */	609	(bcsp->rx_skb->data[2] << 4); /* May be 0 */
606	continue;	610	continue;
607		611
@@ -615,7 +619,7 @@ static int bcsp_recv(struct hci_uart hu, const void data, int count)
615		619
616	case BCSP_W4_CRC:	620	case BCSP_W4_CRC:
617	if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {	621	if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
618	BT_ERR ("Checksum failed: computed %04x received %04x",	622	BT_ERR("Checksum failed: computed %04x received %04x",
619	bitrev16(bcsp->message_crc),	623	bitrev16(bcsp->message_crc),
620	bscp_get_crc(bcsp));	624	bscp_get_crc(bcsp));
621		625
@@ -653,8 +657,9 @@ static int bcsp_recv(struct hci_uart hu, const void data, int count)
653	BCSP_CRC_INIT(bcsp->message_crc);	657	BCSP_CRC_INIT(bcsp->message_crc);
654		658
655	/* Do not increment ptr or decrement count	659	/* Do not increment ptr or decrement count
656	* Allocate packet. Max len of a BCSP pkt=	660	* Allocate packet. Max len of a BCSP pkt=
657	* 0xFFF (payload) +4 (header) +2 (crc) */	661	* 0xFFF (payload) +4 (header) +2 (crc)
		662	*/
658		663
659	bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);	664	bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
660	if (!bcsp->rx_skb) {	665	if (!bcsp->rx_skb) {


diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index c00168a5bb80..49b3e1e2d236 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c
@@ -227,7 +227,7 @@ static int hci_uart_flush(struct hci_dev *hdev)
227	tty_ldisc_flush(tty);	227	tty_ldisc_flush(tty);
228	tty_driver_flush_buffer(tty);	228	tty_driver_flush_buffer(tty);
229		229
230	if (test_bit(HCI_UART_PROTO_SET, &hu->flags))	230	if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
231	hu->proto->flush(hu);	231	hu->proto->flush(hu);
232		232
233	return 0;	233	return 0;
@@ -492,7 +492,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
492		492
493	cancel_work_sync(&hu->write_work);	493	cancel_work_sync(&hu->write_work);
494		494
495	if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {	495	if (test_and_clear_bit(HCI_UART_PROTO_READY, &hu->flags)) {
496	if (hdev) {	496	if (hdev) {
497	if (test_bit(HCI_UART_REGISTERED, &hu->flags))	497	if (test_bit(HCI_UART_REGISTERED, &hu->flags))
498	hci_unregister_dev(hdev);	498	hci_unregister_dev(hdev);
@@ -500,6 +500,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
500	}	500	}
501	hu->proto->close(hu);	501	hu->proto->close(hu);
502	}	502	}
		503	clear_bit(HCI_UART_PROTO_SET, &hu->flags);
503		504
504	kfree(hu);	505	kfree(hu);
505	}	506	}
@@ -526,7 +527,7 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty)
526	if (tty != hu->tty)	527	if (tty != hu->tty)
527	return;	528	return;
528		529
529	if (test_bit(HCI_UART_PROTO_SET, &hu->flags))	530	if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
530	hci_uart_tx_wakeup(hu);	531	hci_uart_tx_wakeup(hu);
531	}	532	}
532		533
@@ -550,7 +551,7 @@ static void hci_uart_tty_receive(struct tty_struct tty, const u8 data,
550	if (!hu \|\| tty != hu->tty)	551	if (!hu \|\| tty != hu->tty)
551	return;	552	return;
552		553
553	if (!test_bit(HCI_UART_PROTO_SET, &hu->flags))	554	if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
554	return;	555	return;
555		556
556	/* It does not need a lock here as it is already protected by a mutex in	557	/* It does not need a lock here as it is already protected by a mutex in
@@ -638,9 +639,11 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
638	return err;	639	return err;
639		640
640	hu->proto = p;	641	hu->proto = p;
		642	set_bit(HCI_UART_PROTO_READY, &hu->flags);
641		643
642	err = hci_uart_register_dev(hu);	644	err = hci_uart_register_dev(hu);
643	if (err) {	645	if (err) {
		646	clear_bit(HCI_UART_PROTO_READY, &hu->flags);
644	p->close(hu);	647	p->close(hu);
645	return err;	648	return err;
646	}	649	}


diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h index 4814ff08f427..839bad1d8152 100644 --- a/drivers/bluetooth/hci_uart.h +++ b/drivers/bluetooth/hci_uart.h
@@ -95,6 +95,7 @@ struct hci_uart {
95	/* HCI_UART proto flag bits */	95	/* HCI_UART proto flag bits */
96	#define HCI_UART_PROTO_SET 0	96	#define HCI_UART_PROTO_SET 0
97	#define HCI_UART_REGISTERED 1	97	#define HCI_UART_REGISTERED 1
		98	#define HCI_UART_PROTO_READY 2
98		99
99	/* TX states */	100	/* TX states */
100	#define HCI_UART_SENDING 1	101	#define HCI_UART_SENDING 1


diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c index 80783dcb7f57..f67ea1c090cb 100644 --- a/drivers/bluetooth/hci_vhci.c +++ b/drivers/bluetooth/hci_vhci.c
@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
189	break;	189	break;
190		190
191	case HCI_VENDOR_PKT:	191	case HCI_VENDOR_PKT:
		192	cancel_delayed_work_sync(&data->open_timeout);
		193
192	if (data->hdev) {	194	if (data->hdev) {
193	kfree_skb(skb);	195	kfree_skb(skb);
194	return -EBADFD;	196	return -EBADFD;
195	}	197	}
196		198
197	cancel_delayed_work_sync(&data->open_timeout);
198
199	opcode = ((__u8 ) skb->data);	199	opcode = ((__u8 ) skb->data);
200	skb_pull(skb, 1);	200	skb_pull(skb, 1);
201		201
@@ -333,15 +333,18 @@ static int vhci_open(struct inode inode, struct file file)
333	static int vhci_release(struct inode inode, struct file file)	333	static int vhci_release(struct inode inode, struct file file)
334	{	334	{
335	struct vhci_data *data = file->private_data;	335	struct vhci_data *data = file->private_data;
336	struct hci_dev *hdev = data->hdev;	336	struct hci_dev *hdev;
337		337
338	cancel_delayed_work_sync(&data->open_timeout);	338	cancel_delayed_work_sync(&data->open_timeout);
339		339
		340	hdev = data->hdev;
		341
340	if (hdev) {	342	if (hdev) {
341	hci_unregister_dev(hdev);	343	hci_unregister_dev(hdev);
342	hci_free_dev(hdev);	344	hci_free_dev(hdev);
343	}	345	}
344		346
		347	skb_queue_purge(&data->readq);
345	file->private_data = NULL;	348	file->private_data = NULL;
346	kfree(data);	349	kfree(data);
347		350


diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c index 89154c079788..b82e39d24394 100644 --- a/drivers/net/ieee802154/adf7242.c +++ b/drivers/net/ieee802154/adf7242.c
@@ -1030,6 +1030,7 @@ static int adf7242_hw_init(struct adf7242_local *lp)
1030	if (ret) {	1030	if (ret) {
1031	dev_err(&lp->spi->dev,	1031	dev_err(&lp->spi->dev,
1032	"upload firmware failed with %d\n", ret);	1032	"upload firmware failed with %d\n", ret);
		1033	release_firmware(fw);
1033	return ret;	1034	return ret;
1034	}	1035	}
1035		1036
@@ -1037,6 +1038,7 @@ static int adf7242_hw_init(struct adf7242_local *lp)
1037	if (ret) {	1038	if (ret) {
1038	dev_err(&lp->spi->dev,	1039	dev_err(&lp->spi->dev,
1039	"verify firmware failed with %d\n", ret);	1040	"verify firmware failed with %d\n", ret);
		1041	release_firmware(fw);
1040	return ret;	1042	return ret;
1041	}	1043	}
1042		1044


diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c index 99bb22aea346..68c80f3c9add 100644 --- a/net/6lowpan/iphc.c +++ b/net/6lowpan/iphc.c
@@ -148,6 +148,11 @@
148	(((a)->s6_addr16[6]) == 0) && \	148	(((a)->s6_addr16[6]) == 0) && \
149	(((a)->s6_addr[14]) == 0))	149	(((a)->s6_addr[14]) == 0))
150		150
		151	#define lowpan_is_linklocal_zero_padded(a) \
		152	(!(hdr->saddr.s6_addr[1] & 0x3f) && \
		153	!hdr->saddr.s6_addr16[1] && \
		154	!hdr->saddr.s6_addr32[1])
		155
151	#define LOWPAN_IPHC_CID_DCI(cid) (cid & 0x0f)	156	#define LOWPAN_IPHC_CID_DCI(cid) (cid & 0x0f)
152	#define LOWPAN_IPHC_CID_SCI(cid) ((cid & 0xf0) >> 4)	157	#define LOWPAN_IPHC_CID_SCI(cid) ((cid & 0xf0) >> 4)
153		158
@@ -1101,7 +1106,8 @@ int lowpan_header_compress(struct sk_buff skb, const struct net_device dev,
1101	true);	1106	true);
1102	iphc1 \|= LOWPAN_IPHC_SAC;	1107	iphc1 \|= LOWPAN_IPHC_SAC;
1103	} else {	1108	} else {
1104	if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL) {	1109	if (ipv6_saddr_type & IPV6_ADDR_LINKLOCAL &&
		1110	lowpan_is_linklocal_zero_padded(hdr->saddr)) {
1105	iphc1 \|= lowpan_compress_addr_64(&hc_ptr,	1111	iphc1 \|= lowpan_compress_addr_64(&hc_ptr,
1106	&hdr->saddr,	1112	&hdr->saddr,
1107	saddr, true);	1113	saddr, true);
@@ -1135,7 +1141,8 @@ int lowpan_header_compress(struct sk_buff skb, const struct net_device dev,
1135	false);	1141	false);
1136	iphc1 \|= LOWPAN_IPHC_DAC;	1142	iphc1 \|= LOWPAN_IPHC_DAC;
1137	} else {	1143	} else {
1138	if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL) {	1144	if (ipv6_daddr_type & IPV6_ADDR_LINKLOCAL &&
		1145	lowpan_is_linklocal_zero_padded(hdr->daddr)) {
1139	iphc1 \|= lowpan_compress_addr_64(&hc_ptr,	1146	iphc1 \|= lowpan_compress_addr_64(&hc_ptr,
1140	&hdr->daddr,	1147	&hdr->daddr,
1141	daddr, false);	1148	daddr, false);


diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index c162af5d16bf..d4b3dd5413be 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -4727,6 +4727,19 @@ static void process_adv_report(struct hci_dev hdev, u8 type, bdaddr_t bdaddr,
4727	u32 flags;	4727	u32 flags;
4728	u8 *ptr, real_len;	4728	u8 *ptr, real_len;
4729		4729
		4730	switch (type) {
		4731	case LE_ADV_IND:
		4732	case LE_ADV_DIRECT_IND:
		4733	case LE_ADV_SCAN_IND:
		4734	case LE_ADV_NONCONN_IND:
		4735	case LE_ADV_SCAN_RSP:
		4736	break;
		4737	default:
		4738	BT_ERR_RATELIMITED("Unknown advetising packet type: 0x%02x",
		4739	type);
		4740	return;
		4741	}
		4742
4730	/* Find the end of the data in case the report contains padded zero	4743	/* Find the end of the data in case the report contains padded zero
4731	* bytes at the end causing an invalid length value.	4744	* bytes at the end causing an invalid length value.
4732	*	4745	*


diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index 6e125d76df0d..c045b3c54768 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c
@@ -1065,6 +1065,9 @@ static u8 create_instance_adv_data(struct hci_dev hdev, u8 instance, u8 ptr)
1065	if (instance_flags & MGMT_ADV_FLAG_LIMITED_DISCOV)	1065	if (instance_flags & MGMT_ADV_FLAG_LIMITED_DISCOV)
1066	flags \|= LE_AD_LIMITED;	1066	flags \|= LE_AD_LIMITED;
1067		1067
		1068	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
		1069	flags \|= LE_AD_NO_BREDR;
		1070
1068	if (flags \|\| (instance_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)) {	1071	if (flags \|\| (instance_flags & MGMT_ADV_FLAG_MANAGED_FLAGS)) {
1069	/* If a discovery flag wasn't provided, simply use the global	1072	/* If a discovery flag wasn't provided, simply use the global
1070	* settings.	1073	* settings.
@@ -1072,9 +1075,6 @@ static u8 create_instance_adv_data(struct hci_dev hdev, u8 instance, u8 ptr)
1072	if (!flags)	1075	if (!flags)
1073	flags \|= mgmt_get_adv_discov_flags(hdev);	1076	flags \|= mgmt_get_adv_discov_flags(hdev);
1074		1077
1075	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1076	flags \|= LE_AD_NO_BREDR;
1077
1078	/* If flags would still be empty, then there is no need to	1078	/* If flags would still be empty, then there is no need to
1079	* include the "Flags" AD field".	1079	* include the "Flags" AD field".
1080	*/	1080	*/


diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index e4cae72895a7..388ee8b59145 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -778,7 +778,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
778	}	778	}
779		779
780	if (sec.level < BT_SECURITY_LOW \|\|	780	if (sec.level < BT_SECURITY_LOW \|\|
781	sec.level > BT_SECURITY_HIGH) {	781	sec.level > BT_SECURITY_FIPS) {
782	err = -EINVAL;	782	err = -EINVAL;
783	break;	783	break;
784	}	784	}