Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem

John W. Linville says: ==================== Please pull these fixes intended for 3.6. There are more commits here than I would like -- I got a bit behind while I was stalking Steven Rostedt in San Diego last week... I'll slow it down after this! There are a couple of pulls here. One is from Johannes: "Please pull (according to the below information) to get a few fixes. * a fix to properly disconnect in the driver when authentication or association fails * a fix to prevent invalid information about mesh paths being reported to userspace * a memory leak fix in an nl80211 error path" The other comes via Gustavo: "A few updates for the 3.6 kernel. There are two btusb patches to add more supported devices through the new USB_VENDOR_AND_INTEFACE_INFO() macro and another one that add a new device id for a Sony Vaio laptop, one fix for a user-after-free and, finally, two patches from Vinicius to fix a issue in SMP pairing." Along with those... Arend van Spriel provides a fix for a use-after-free bug in brcmfmac. Daniel Drake avoids a hang by not trying to touch the libertas hardware duing suspend if it is already powered-down. Felix Fietkau provides a batch of ath9k fixes that adress some potential problems with power settings, as well as a fix to avoid a potential interrupt storm. Gertjan van Wingerde provides a register-width fix for rt2x00, and a rt2x00 fix to prevent incorrectly detecting the rfkill status. He also provides a device ID patch. Hante Meuleman gives us three brcmfmac fixes, one that properly initializes a command structure, one that fixes a race condition that could lose usb requests, and one that removes some log spam. Marc Kleine-Budde offers an rt2x00 fix for a voltage setting on some specific devices. Mohammed Shafi Shajakhan sent an ath9k fix to avoid a crash related to using timers that aren't allocated when 2 wire bluetooth coexistence hardware is in use. Sergei Poselenov changes rt2800usb to do some validity checking for received packets, avoiding crashes on an ARM Soc. Stone Piao gives us an mwifiex fix for an incorrectly set skb length value for a command buffer. All of these are localized to their specific drivers, and relatively small. The power-related patches from Felix are bigger than I would like, but I merged them in consideration of their isolation to ath9k and the sensitive nature of power settings in wireless devices. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: John W. Linville <linville@tuxdriver.com> 2012-09-07 13:33:27 -0400
committer: David S. Miller <davem@davemloft.net> 2012-09-07 14:38:50 -0400
commit: 777bf135b77071672662c67f0abffcf433450d68 (patch)
tree: 80cfe20e5ff5a3f1297c2ef86427c9bba93a8bce /net
parent: b8dfc6a0a7235aed452c0e376b6feff182a86992 (diff)
parent: f10723841e624c0726c70356b31d91befed01dd6 (diff)
7 files changed, 27 insertions, 17 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 5ad7da217474..3c094e78dde9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -29,6 +29,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/smp.h>
 static void hci_le_connect(struct hci_conn *conn)
 {
@@ -619,6 +620,9 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 {
        BT_DBG("hcon %p", conn);
+        if (conn->type == LE_LINK)
+                return smp_conn_security(conn, sec_level);
        /* For sdp we don't need the link key. */
        if (sec_level == BT_SECURITY_SDP)
                return 1;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index daa149b7003c..4ea1710a4783 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1199,14 +1199,15 @@ clean:
 static void l2cap_conn_ready(struct l2cap_conn *conn)
 {
        struct l2cap_chan *chan;
+        struct hci_conn *hcon = conn->hcon;
        BT_DBG("conn %p", conn);
-        if (!conn->hcon->out && conn->hcon->type == LE_LINK)
+        if (!hcon->out && hcon->type == LE_LINK)
                l2cap_le_conn_ready(conn);
-        if (conn->hcon->out && conn->hcon->type == LE_LINK)
+        if (hcon->out && hcon->type == LE_LINK)
-                smp_conn_security(conn, conn->hcon->pending_sec_level);
+                smp_conn_security(hcon, hcon->pending_sec_level);
        mutex_lock(&conn->chan_lock);
@@ -1219,8 +1220,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
                        continue;
                }
-                if (conn->hcon->type == LE_LINK) {
+                if (hcon->type == LE_LINK) {
-                        if (smp_conn_security(conn, chan->sec_level))
+                        if (smp_conn_security(hcon, chan->sec_level))
                                l2cap_chan_ready(chan);
                } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1497edd191a2..34bbe1c5e389 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -616,7 +616,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                                break;
                        }
-                        if (smp_conn_security(conn, sec.level))
+                        if (smp_conn_security(conn->hcon, sec.level))
                                break;
                        sk->sk_state = BT_CONFIG;
                        chan->state = BT_CONFIG;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 901a616c8083..8c225ef349cd 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -267,10 +267,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
        mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
                         hcon->dst_type, reason);
-        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+        cancel_delayed_work_sync(&conn->security_timer);
-                cancel_delayed_work_sync(&conn->security_timer);
+        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                smp_chan_destroy(conn);
-        }
 }
 #define JUST_WORKS      0x00
@@ -760,9 +760,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        return 0;
 }
-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
+int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 {
-        struct hci_conn *hcon = conn->hcon;
+        struct l2cap_conn *conn = hcon->l2cap_data;
        struct smp_chan *smp = conn->smp_chan;
        __u8 authreq;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index d41974aacf51..a58c0b649ba1 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1378,6 +1378,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
        else
                memset(next_hop, 0, ETH_ALEN);
+        memset(pinfo, 0, sizeof(*pinfo));
        pinfo->generation = mesh_paths_generation;
        pinfo->filled = MPATH_INFO_FRAME_QLEN |
@@ -1396,7 +1398,6 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
        pinfo->discovery_timeout =
                        jiffies_to_msecs(mpath->discovery_timeout);
        pinfo->discovery_retries = mpath->discovery_retries;
-        pinfo->flags = 0;
        if (mpath->flags & MESH_PATH_ACTIVE)
                pinfo->flags |= NL80211_MPATH_FLAG_ACTIVE;
        if (mpath->flags & MESH_PATH_RESOLVING)
@@ -1405,10 +1406,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
                pinfo->flags |= NL80211_MPATH_FLAG_SN_VALID;
        if (mpath->flags & MESH_PATH_FIXED)
                pinfo->flags |= NL80211_MPATH_FLAG_FIXED;
-        if (mpath->flags & MESH_PATH_RESOLVING)
+        if (mpath->flags & MESH_PATH_RESOLVED)
-                pinfo->flags |= NL80211_MPATH_FLAG_RESOLVING;
+                pinfo->flags |= NL80211_MPATH_FLAG_RESOLVED;
-        pinfo->flags = mpath->flags;
 }
 static int ieee80211_get_mpath(struct wiphy *wiphy, struct net_device *dev,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index a4a5acdbaa4d..f76b83341cf9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3248,6 +3248,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
        goto out_unlock;
 err_clear:
+        memset(ifmgd->bssid, 0, ETH_ALEN);
+        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
        ifmgd->auth_data = NULL;
 err_free:
        kfree(auth_data);
@@ -3439,6 +3441,8 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
        err = 0;
        goto out;
 err_clear:
+        memset(ifmgd->bssid, 0, ETH_ALEN);
+        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
        ifmgd->assoc_data = NULL;
 err_free:
        kfree(assoc_data);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 97026f3b215a..1e37dbf00cb3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5633,8 +5633,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
                       sizeof(connect.ht_capa_mask));
        if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
-                if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
+                if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
+                        kfree(connkeys);
                        return -EINVAL;
+                }
                memcpy(&connect.ht_capa,
                       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
                       sizeof(connect.ht_capa));
author	John W. Linville <linville@tuxdriver.com>	2012-09-07 13:33:27 -0400
committer	David S. Miller <davem@davemloft.net>	2012-09-07 14:38:50 -0400
commit	777bf135b77071672662c67f0abffcf433450d68 (patch)
tree	80cfe20e5ff5a3f1297c2ef86427c9bba93a8bce /net
parent	b8dfc6a0a7235aed452c0e376b6feff182a86992 (diff)
parent	f10723841e624c0726c70356b31d91befed01dd6 (diff)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 5ad7da217474..3c094e78dde9 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c
@@ -29,6 +29,7 @@
29	#include <net/bluetooth/bluetooth.h>	29	#include <net/bluetooth/bluetooth.h>
30	#include <net/bluetooth/hci_core.h>	30	#include <net/bluetooth/hci_core.h>
31	#include <net/bluetooth/a2mp.h>	31	#include <net/bluetooth/a2mp.h>
		32	#include <net/bluetooth/smp.h>
32		33
33	static void hci_le_connect(struct hci_conn *conn)	34	static void hci_le_connect(struct hci_conn *conn)
34	{	35	{
@@ -619,6 +620,9 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
619	{	620	{
620	BT_DBG("hcon %p", conn);	621	BT_DBG("hcon %p", conn);
621		622
		623	if (conn->type == LE_LINK)
		624	return smp_conn_security(conn, sec_level);
		625
622	/* For sdp we don't need the link key. */	626	/* For sdp we don't need the link key. */
623	if (sec_level == BT_SECURITY_SDP)	627	if (sec_level == BT_SECURITY_SDP)
624	return 1;	628	return 1;


diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index daa149b7003c..4ea1710a4783 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -1199,14 +1199,15 @@ clean:
1199	static void l2cap_conn_ready(struct l2cap_conn *conn)	1199	static void l2cap_conn_ready(struct l2cap_conn *conn)
1200	{	1200	{
1201	struct l2cap_chan *chan;	1201	struct l2cap_chan *chan;
		1202	struct hci_conn *hcon = conn->hcon;
1202		1203
1203	BT_DBG("conn %p", conn);	1204	BT_DBG("conn %p", conn);
1204		1205
1205	if (!conn->hcon->out && conn->hcon->type == LE_LINK)	1206	if (!hcon->out && hcon->type == LE_LINK)
1206	l2cap_le_conn_ready(conn);	1207	l2cap_le_conn_ready(conn);
1207		1208
1208	if (conn->hcon->out && conn->hcon->type == LE_LINK)	1209	if (hcon->out && hcon->type == LE_LINK)
1209	smp_conn_security(conn, conn->hcon->pending_sec_level);	1210	smp_conn_security(hcon, hcon->pending_sec_level);
1210		1211
1211	mutex_lock(&conn->chan_lock);	1212	mutex_lock(&conn->chan_lock);
1212		1213
@@ -1219,8 +1220,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1219	continue;	1220	continue;
1220	}	1221	}
1221		1222
1222	if (conn->hcon->type == LE_LINK) {	1223	if (hcon->type == LE_LINK) {
1223	if (smp_conn_security(conn, chan->sec_level))	1224	if (smp_conn_security(hcon, chan->sec_level))
1224	l2cap_chan_ready(chan);	1225	l2cap_chan_ready(chan);
1225		1226
1226	} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {	1227	} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {


diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1497edd191a2..34bbe1c5e389 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -616,7 +616,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
616	break;	616	break;
617	}	617	}
618		618
619	if (smp_conn_security(conn, sec.level))	619	if (smp_conn_security(conn->hcon, sec.level))
620	break;	620	break;
621	sk->sk_state = BT_CONFIG;	621	sk->sk_state = BT_CONFIG;
622	chan->state = BT_CONFIG;	622	chan->state = BT_CONFIG;


diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 901a616c8083..8c225ef349cd 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -267,10 +267,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
267	mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,	267	mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
268	hcon->dst_type, reason);	268	hcon->dst_type, reason);
269		269
270	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {	270	cancel_delayed_work_sync(&conn->security_timer);
271	cancel_delayed_work_sync(&conn->security_timer);	271
		272	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
272	smp_chan_destroy(conn);	273	smp_chan_destroy(conn);
273	}
274	}	274	}
275		275
276	#define JUST_WORKS 0x00	276	#define JUST_WORKS 0x00
@@ -760,9 +760,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn conn, struct sk_buff skb)
760	return 0;	760	return 0;
761	}	761	}
762		762
763	int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)	763	int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
764	{	764	{
765	struct hci_conn *hcon = conn->hcon;	765	struct l2cap_conn *conn = hcon->l2cap_data;
766	struct smp_chan *smp = conn->smp_chan;	766	struct smp_chan *smp = conn->smp_chan;
767	__u8 authreq;	767	__u8 authreq;
768		768


diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index d41974aacf51..a58c0b649ba1 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c
@@ -1378,6 +1378,8 @@ static void mpath_set_pinfo(struct mesh_path mpath, u8 next_hop,
1378	else	1378	else
1379	memset(next_hop, 0, ETH_ALEN);	1379	memset(next_hop, 0, ETH_ALEN);
1380		1380
		1381	memset(pinfo, 0, sizeof(*pinfo));
		1382
1381	pinfo->generation = mesh_paths_generation;	1383	pinfo->generation = mesh_paths_generation;
1382		1384
1383	pinfo->filled = MPATH_INFO_FRAME_QLEN \|	1385	pinfo->filled = MPATH_INFO_FRAME_QLEN \|
@@ -1396,7 +1398,6 @@ static void mpath_set_pinfo(struct mesh_path mpath, u8 next_hop,
1396	pinfo->discovery_timeout =	1398	pinfo->discovery_timeout =
1397	jiffies_to_msecs(mpath->discovery_timeout);	1399	jiffies_to_msecs(mpath->discovery_timeout);
1398	pinfo->discovery_retries = mpath->discovery_retries;	1400	pinfo->discovery_retries = mpath->discovery_retries;
1399	pinfo->flags = 0;
1400	if (mpath->flags & MESH_PATH_ACTIVE)	1401	if (mpath->flags & MESH_PATH_ACTIVE)
1401	pinfo->flags \|= NL80211_MPATH_FLAG_ACTIVE;	1402	pinfo->flags \|= NL80211_MPATH_FLAG_ACTIVE;
1402	if (mpath->flags & MESH_PATH_RESOLVING)	1403	if (mpath->flags & MESH_PATH_RESOLVING)
@@ -1405,10 +1406,8 @@ static void mpath_set_pinfo(struct mesh_path mpath, u8 next_hop,
1405	pinfo->flags \|= NL80211_MPATH_FLAG_SN_VALID;	1406	pinfo->flags \|= NL80211_MPATH_FLAG_SN_VALID;
1406	if (mpath->flags & MESH_PATH_FIXED)	1407	if (mpath->flags & MESH_PATH_FIXED)
1407	pinfo->flags \|= NL80211_MPATH_FLAG_FIXED;	1408	pinfo->flags \|= NL80211_MPATH_FLAG_FIXED;
1408	if (mpath->flags & MESH_PATH_RESOLVING)	1409	if (mpath->flags & MESH_PATH_RESOLVED)
1409	pinfo->flags \|= NL80211_MPATH_FLAG_RESOLVING;	1410	pinfo->flags \|= NL80211_MPATH_FLAG_RESOLVED;
1410
1411	pinfo->flags = mpath->flags;
1412	}	1411	}
1413		1412
1414	static int ieee80211_get_mpath(struct wiphy wiphy, struct net_device dev,	1413	static int ieee80211_get_mpath(struct wiphy wiphy, struct net_device dev,


diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index a4a5acdbaa4d..f76b83341cf9 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c
@@ -3248,6 +3248,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
3248	goto out_unlock;	3248	goto out_unlock;
3249		3249
3250	err_clear:	3250	err_clear:
		3251	memset(ifmgd->bssid, 0, ETH_ALEN);
		3252	ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
3251	ifmgd->auth_data = NULL;	3253	ifmgd->auth_data = NULL;
3252	err_free:	3254	err_free:
3253	kfree(auth_data);	3255	kfree(auth_data);
@@ -3439,6 +3441,8 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
3439	err = 0;	3441	err = 0;
3440	goto out;	3442	goto out;
3441	err_clear:	3443	err_clear:
		3444	memset(ifmgd->bssid, 0, ETH_ALEN);
		3445	ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
3442	ifmgd->assoc_data = NULL;	3446	ifmgd->assoc_data = NULL;
3443	err_free:	3447	err_free:
3444	kfree(assoc_data);	3448	kfree(assoc_data);


diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 97026f3b215a..1e37dbf00cb3 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c
@@ -5633,8 +5633,10 @@ static int nl80211_connect(struct sk_buff skb, struct genl_info info)
5633	sizeof(connect.ht_capa_mask));	5633	sizeof(connect.ht_capa_mask));
5634		5634
5635	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {	5635	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
5636	if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])	5636	if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
		5637	kfree(connkeys);
5637	return -EINVAL;	5638	return -EINVAL;
		5639	}
5638	memcpy(&connect.ht_capa,	5640	memcpy(&connect.ht_capa,
5639	nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),	5641	nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
5640	sizeof(connect.ht_capa));	5642	sizeof(connect.ht_capa));