authorLinus Torvalds <torvalds@linux-foundation.org>2014-12-18 19:41:13 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2014-12-18 19:41:13 -0500
commit00c845dbfe2e966a2efd3818e40f46e286ca1ae6 (patch)
tree67d0f5d066b963e596126155a4da513d7b0550da /net
parent28ee5809ff7365d935d217c387ba959b8aa7182f (diff)
parent86c8fc4bbe14b8950e62d379bb57722427ad3d67 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller: 1) Fix NBMA tunnel mac header handling in GRE, from Timo Teräs. 2) Fix a NAPI race in the fec driver, from Nimrod Andy. 3) The new IFF_VNET_LE bit is outside the size of the flags member it is stored in (which is 16-bits), store the state locally in the drivers. From Michael S Tsirkin. 4) We are kicking the tires with the new wireless maintainership situation. Bluetooth fixes via Johan Hedberg, and mac80211 fixes from Johannes Berg. 5) Fix locking and leaks in geneve driver, from Jesse Gross. 6) Make netlink TX mmap code always copy, so we don't have to be potentially exposed to the user changing the underlying contents from underneath us. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (63 commits) be2net: Fix incorrect setting of tunnel offload flag in netdev features bnx2x: fix typos in "configure" xen-netback: support frontends without feature-rx-notify again MAINTAINERS: changes for wireless cxgb4: Fix decoding QSA module for ethtool get settings geneve: Fix races between socket add and release. geneve: Remove socket and offload handlers at destruction. netlink: Don't reorder loads/stores before marking mmap netlink frame as available netlink: Always copy on mmap TX. Bluetooth: Fix bug with filter in service discovery optimization mac80211: free management frame keys when removing station net: Disallow providing non zero VLAN ID for NIC drivers FDB add flow net/mlx4: Cache line CQE/EQE stride fixes net: fec: Fix NAPI race xen-netfront: use napi_complete() correctly to prevent Rx stalling ip_tunnel: Add missing validation of encap type to ip_tunnel_encap_setup() ip_tunnel: Add sanity checks to ip_tunnel_encap_add_ops() net: Allow FIXED_PHY to be modular. if_tun: drop broken IFF_VNET_LE macvtap: drop broken IFF_VNET_LE ...
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_conn.c2
-rw-r--r--net/bluetooth/hci_core.c60
-rw-r--r--net/bluetooth/hci_event.c20
-rw-r--r--net/bluetooth/l2cap_core.c5
-rw-r--r--net/bluetooth/mgmt.c99
-rw-r--r--net/bluetooth/smp.c5
-rw-r--r--net/core/rtnetlink.c5
-rw-r--r--net/ipv4/geneve.c30
-rw-r--r--net/ipv4/ip_gre.c9
-rw-r--r--net/ipv4/ip_tunnel.c9
-rw-r--r--net/mac80211/chan.c4
-rw-r--r--net/mac80211/key.c2
-rw-r--r--net/mac80211/mlme.c1
-rw-r--r--net/mac80211/rx.c11
-rw-r--r--net/netlink/af_netlink.c54
-rw-r--r--net/rds/message.c3
-rw-r--r--net/wireless/chan.c9
-rw-r--r--net/wireless/nl80211.c2
-rw-r--r--net/wireless/reg.c20
19 files changed, 226 insertions, 124 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 79d84b88b8f0..fe18825cc8a4 100644
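--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -661,7 +661,7 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
  memset(&cp, 0, sizeof(cp));
 
  /* Update random address, but set require_privacy to false so
- * that we never connect with an unresolvable address.
+ * that we never connect with an non-resolvable address.
  */
  if (hci_update_random_address(req, false, &own_addr_type))
  return;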
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 93f92a085506..5dcacf9607e4 100644
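--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1373,8 +1373,6 @@ static void hci_init1_req(struct hci_request *req, unsigned long opt)
 
 static void bredr_setup(struct hci_request *req)
 {
- struct hci_dev *hdev = req->hdev;
-
  __le16 param;
  __u8 flt_type;
 
@@ -1403,14 +1401,6 @@ static void bredr_setup(struct hci_request *req)
  /* Connection accept timeout ~20 secs */
  param = cpu_to_le16(0x7d00);
  hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
-
- /* AVM Berlin (31), aka "BlueFRITZ!", reports version 1.2,
- * but it does not support page scan related HCI commands.
- */
- if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1) {
- hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
- hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
- }
 }
 
 static void le_setup(struct hci_request *req)
@@ -1718,6 +1708,16 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
  if (hdev->commands[5] & 0x10)
  hci_setup_link_policy(req);
 
+ if (hdev->commands[8] & 0x01)
+ hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
+
+ /* Some older Broadcom based Bluetooth 1.2 controllers do not
+ * support the Read Page Scan Type command. Check support for
+ * this command in the bit mask of supported commands.
+ */
+ if (hdev->commands[13] & 0x01)
+ hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
+
  if (lmp_le_capable(hdev)) {
  u8 events[8];
 
@@ -2634,6 +2634,12 @@ static int hci_dev_do_close(struct hci_dev *hdev)
  drain_workqueue(hdev->workqueue);
 
  hci_dev_lock(hdev);
+
+ if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
+ if (hdev->dev_type == HCI_BREDR)
+ mgmt_powered(hdev, 0);
+ }
+
  hci_inquiry_cache_flush(hdev);
  hci_pend_le_actions_clear(hdev);
  hci_conn_hash_flush(hdev);
@@ -2681,14 +2687,6 @@ static int hci_dev_do_close(struct hci_dev *hdev)
  hdev->flags &= BIT(HCI_RAW);
  hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
 
- if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
- if (hdev->dev_type == HCI_BREDR) {
- hci_dev_lock(hdev);
- mgmt_powered(hdev, 0);
- hci_dev_unlock(hdev);
- }
- }
-
  /* Controller radio is available but is currently powered down */
  hdev->amp_status = AMP_STATUS_POWERED_DOWN;
 
@@ -3083,7 +3081,9 @@ static void hci_power_on(struct work_struct *work)
 
  err = hci_dev_do_open(hdev);
  if (err < 0) {
+ hci_dev_lock(hdev);
  mgmt_set_powered_failed(hdev, err);
+ hci_dev_unlock(hdev);
  return;
  }
 
@@ -3959,17 +3959,29 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy,
  }
 
  /* In case of required privacy without resolvable private address,
- * use an unresolvable private address. This is useful for active
+ * use an non-resolvable private address. This is useful for active
  * scanning and non-connectable advertising.
  */
  if (require_privacy) {
- bdaddr_t urpa;
+ bdaddr_t nrpa;
+
+ while (true) {
+ /* The non-resolvable private address is generated
+ * from random six bytes with the two most significant
+ * bits cleared.
+ */
+ get_random_bytes(&nrpa, 6);
+ nrpa.b[5] &= 0x3f;
 
- get_random_bytes(&urpa, 6);
- urpa.b[5] &= 0x3f; /* Clear two most significant bits */
+ /* The non-resolvable private address shall not be
+ * equal to the public address.
+ */
+ if (bacmp(&hdev->bdaddr, &nrpa))
+ break;
+ }
 
  *own_addr_type = ADDR_LE_DEV_RANDOM;
- set_random_addr(req, &urpa);
+ set_random_addr(req, &nrpa);
  return 0;
  }
 
@@ -5625,7 +5637,7 @@ void hci_req_add_le_passive_scan(struct hci_request *req)
  u8 filter_policy;
 
  /* Set require_privacy to false since no SCAN_REQ are send
- * during passive scanning. Not using an unresolvable address
+ * during passive scanning. Not using an non-resolvable address
  * here is important so that peer devices using direct
  * advertising with our address will be correctly reported
  * by the controller.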
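Review bot: The retry loop added to hci_update_random_address() rejects only a candidate equal to `hdev->bdaddr`, so a draw whose 46 random bits are all zero (the BDADDR_ANY value) or all one is still handed to set_random_addr(). As far as I recall, the Core Specification also requires the random part of a non-resolvable private address to contain at least one 0 bit and one 1 bit; that should be confirmed against the spec text. The probability is negligible, but the test is cheap: `if (bacmp(&hdev->bdaddr, &nrpa) && bacmp(&nrpa, BDADDR_ANY))` before the `break;`, with an equivalent comparison for the all-ones pattern. The new comments also read `an non-resolvable` where `a non-resolvable` is meant, here, in hci_req_add_le_passive_scan() and in hci_conn.c.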
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 322abbbbcef9..39a5c8a01726 100644
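--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -257,6 +257,8 @@ static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
  if (!sent)
  return;
 
+ hci_dev_lock(hdev);
+
  if (!status) {
  __u8 param = *((__u8 *) sent);
 
@@ -268,6 +270,8 @@ static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
 
  if (test_bit(HCI_MGMT, &hdev->dev_flags))
  mgmt_auth_enable_complete(hdev, status);
+
+ hci_dev_unlock(hdev);
 }
 
 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
@@ -443,6 +447,8 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
  if (!sent)
  return;
 
+ hci_dev_lock(hdev);
+
  if (!status) {
  if (sent->mode)
  hdev->features[1][0] |= LMP_HOST_SSP;
@@ -458,6 +464,8 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
  else
  clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
  }
+
+ hci_dev_unlock(hdev);
 }
 
 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
@@ -471,6 +479,8 @@ static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
  if (!sent)
  return;
 
+ hci_dev_lock(hdev);
+
  if (!status) {
  if (sent->support)
  hdev->features[1][0] |= LMP_HOST_SC;
@@ -486,6 +496,8 @@ static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
  else
  clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
  }
+
+ hci_dev_unlock(hdev);
 }
 
 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
@@ -1135,6 +1147,8 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
  if (!cp)
  return;
 
+ hci_dev_lock(hdev);
+
  switch (cp->enable) {
  case LE_SCAN_ENABLE:
  set_bit(HCI_LE_SCAN, &hdev->dev_flags);
@@ -1184,6 +1198,8 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
  BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
  break;
  }
+
+ hci_dev_unlock(hdev);
 }
 
 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
@@ -1278,6 +1294,8 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
  if (!sent)
  return;
 
+ hci_dev_lock(hdev);
+
  if (sent->le) {
  hdev->features[1][0] |= LMP_HOST_LE;
  set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
@@ -1291,6 +1309,8 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
  hdev->features[1][0] |= LMP_HOST_LE_BREDR;
  else
  hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
+
+ hci_dev_unlock(hdev);
 }
 
 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)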
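Review bot: Each of the five handlers now takes hci_dev_lock() in one hunk and releases it in another, and the code between the two is only partly visible here, so any `return` inside those stretches (the `switch` body of hci_cc_le_set_scan_enable() in particular) would exit with the hdev lock still held; that should be checked against the full functions. The mgmt.c changes in this same commit route early exits through an `unlock:` label with `goto unlock;`, and using the same shape here would keep a single release point per handler. A short comment at each lock site, for example `/* dev_flags updates and mgmt notifications below need the hdev lock */`, would record why the lock was introduced.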
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a2b6dfa38a0c..d04dc0095736 100644
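--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6966,8 +6966,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
  test_bit(HCI_HS_ENABLED, &hcon->hdev->dev_flags))
  conn->local_fixed_chan |= L2CAP_FC_A2MP;
 
- if (bredr_sc_enabled(hcon->hdev) &&
- test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
+ if (test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags) &&
+ (bredr_sc_enabled(hcon->hdev) ||
+ test_bit(HCI_FORCE_LESC, &hcon->hdev->dbg_flags)))
  conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
 
  mutex_init(&conn->ident_lock);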
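Review bot: The new `HCI_FORCE_LESC` term lets a flag held in `dbg_flags` advertise `L2CAP_FC_SMP_BREDR` on a controller where bredr_sc_enabled() is false, and nothing at the condition says that this is an override. The matching hunk in net/bluetooth/smp.c (smp_cmd_pairing_req) lets the same flag skip the `HCI_CONN_AES_CCM` test, which leaves the existing comment `/* We must have a BR/EDR SC link */` inaccurate. Because that test is what ties SMP over BR/EDR to an AES-CCM protected link, both sites should say so, for example `/* HCI_FORCE_LESC is a debugging override: it permits SMP over BR/EDR without a Secure Connections link */`. l2cap_conn_add() starts and ends outside the hunk.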
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 7384f1161336..693ce8bcd06e 100644
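--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2199,12 +2199,14 @@ static void le_enable_complete(struct hci_dev *hdev, u8 status)
 {
  struct cmd_lookup match = { NULL, hdev };
 
+ hci_dev_lock(hdev);
+
  if (status) {
  u8 mgmt_err = mgmt_status(status);
 
  mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
  &mgmt_err);
- return;
+ goto unlock;
  }
 
  mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
@@ -2222,17 +2224,16 @@ static void le_enable_complete(struct hci_dev *hdev, u8 status)
  if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
  struct hci_request req;
 
- hci_dev_lock(hdev);
-
  hci_req_init(&req, hdev);
  update_adv_data(&req);
  update_scan_rsp_data(&req);
  hci_req_run(&req, NULL);
 
  hci_update_background_scan(hdev);
-
- hci_dev_unlock(hdev);
  }
+
+unlock:
+ hci_dev_unlock(hdev);
 }
 
 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
@@ -3114,14 +3115,13 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status)
  conn->disconn_cfm_cb = NULL;
 
  hci_conn_drop(conn);
- hci_conn_put(conn);
-
- mgmt_pending_remove(cmd);
 
  /* The device is paired so there is no need to remove
  * its connection parameters anymore.
  */
  clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
+
+ hci_conn_put(conn);
 }
 
 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
@@ -3130,8 +3130,10 @@ void mgmt_smp_complete(struct hci_conn *conn, bool complete)
  struct pending_cmd *cmd;
 
  cmd = find_pairing(conn);
- if (cmd)
+ if (cmd) {
  cmd->cmd_complete(cmd, status);
+ mgmt_pending_remove(cmd);
+ }
 }
 
 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3141,10 +3143,13 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
  BT_DBG("status %u", status);
 
  cmd = find_pairing(conn);
- if (!cmd)
+ if (!cmd) {
  BT_DBG("Unable to find a pending command");
- else
- cmd->cmd_complete(cmd, mgmt_status(status));
+ return;
+ }
+
+ cmd->cmd_complete(cmd, mgmt_status(status));
+ mgmt_pending_remove(cmd);
 }
 
 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3157,10 +3162,13 @@ static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
  return;
 
  cmd = find_pairing(conn);
- if (!cmd)
+ if (!cmd) {
  BT_DBG("Unable to find a pending command");
- else
- cmd->cmd_complete(cmd, mgmt_status(status));
+ return;
+ }
+
+ cmd->cmd_complete(cmd, mgmt_status(status));
+ mgmt_pending_remove(cmd);
 }
 
 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
@@ -3274,8 +3282,10 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
  cmd->user_data = hci_conn_get(conn);
 
  if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
- hci_conn_security(conn, sec_level, auth_type, true))
- pairing_complete(cmd, 0);
+ hci_conn_security(conn, sec_level, auth_type, true)) {
+ cmd->cmd_complete(cmd, 0);
+ mgmt_pending_remove(cmd);
+ }
 
  err = 0;
 
@@ -3317,7 +3327,8 @@ static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
  goto unlock;
  }
 
- pairing_complete(cmd, MGMT_STATUS_CANCELLED);
+ cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
+ mgmt_pending_remove(cmd);
 
  err = cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
  addr, sizeof(*addr));
@@ -3791,7 +3802,7 @@ static bool trigger_discovery(struct hci_request *req, u8 *status)
 
  /* All active scans will be done with either a resolvable
  * private address (when privacy feature has been enabled)
- * or unresolvable private address.
+ * or non-resolvable private address.
  */
  err = hci_update_random_address(req, true, &own_addr_type);
  if (err < 0) {
@@ -4279,12 +4290,14 @@ static void set_advertising_complete(struct hci_dev *hdev, u8 status)
 {
  struct cmd_lookup match = { NULL, hdev };
 
+ hci_dev_lock(hdev);
+
  if (status) {
  u8 mgmt_err = mgmt_status(status);
 
  mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
  cmd_status_rsp, &mgmt_err);
- return;
+ goto unlock;
  }
 
  if (test_bit(HCI_LE_ADV, &hdev->dev_flags))
@@ -4299,6 +4312,9 @@ static void set_advertising_complete(struct hci_dev *hdev, u8 status)
 
  if (match.sk)
  sock_put(match.sk);
+
+unlock:
+ hci_dev_unlock(hdev);
 }
 
 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
@@ -6081,6 +6097,11 @@ static int powered_update_hci(struct hci_dev *hdev)
  hci_req_add(&req, HCI_OP_WRITE_SSP_MODE, 1, &ssp);
  }
 
+ if (bredr_sc_enabled(hdev) && !lmp_host_sc_capable(hdev)) {
+ u8 sc = 0x01;
+ hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, sizeof(sc), &sc);
+ }
+
  if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
  lmp_bredr_capable(hdev)) {
  struct hci_cp_write_le_host_supported cp;
@@ -6130,8 +6151,7 @@ static int powered_update_hci(struct hci_dev *hdev)
 int mgmt_powered(struct hci_dev *hdev, u8 powered)
 {
  struct cmd_lookup match = { NULL, hdev };
- u8 status_not_powered = MGMT_STATUS_NOT_POWERED;
- u8 zero_cod[] = { 0, 0, 0 };
+ u8 status, zero_cod[] = { 0, 0, 0 };
  int err;
 
  if (!test_bit(HCI_MGMT, &hdev->dev_flags))
@@ -6147,7 +6167,20 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
  }
 
  mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status_not_powered);
+
+ /* If the power off is because of hdev unregistration let
+ * use the appropriate INVALID_INDEX status. Otherwise use
+ * NOT_POWERED. We cover both scenarios here since later in
+ * mgmt_index_removed() any hci_conn callbacks will have already
+ * been triggered, potentially causing misleading DISCONNECTED
+ * status responses.
+ */
+ if (test_bit(HCI_UNREGISTER, &hdev->dev_flags))
+ status = MGMT_STATUS_INVALID_INDEX;
+ else
+ status = MGMT_STATUS_NOT_POWERED;
+
+ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
 
  if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0)
  mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
@@ -6681,8 +6714,10 @@ void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
  mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
  cmd ? cmd->sk : NULL);
 
- if (cmd)
- pairing_complete(cmd, status);
+ if (cmd) {
+ cmd->cmd_complete(cmd, status);
+ mgmt_pending_remove(cmd);
+ }
 }
 
 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
@@ -7046,13 +7081,15 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
  * kept and checking possible scan response data
  * will be skipped.
  */
- if (hdev->discovery.uuid_count > 0) {
+ if (hdev->discovery.uuid_count > 0)
  match = eir_has_uuids(eir, eir_len,
  hdev->discovery.uuid_count,
  hdev->discovery.uuids);
- if (!match)
- return;
- }
+ else
+ match = true;
+
+ if (!match && !scan_rsp_len)
+ return;
 
  /* Copy EIR or advertising data into event */
  memcpy(ev->eir, eir, eir_len);
@@ -7061,8 +7098,10 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
  * provided, results with empty EIR or advertising data
  * should be dropped since they do not match any UUID.
  */
- if (hdev->discovery.uuid_count > 0)
+ if (hdev->discovery.uuid_count > 0 && !scan_rsp_len)
  return;
+
+ match = false;
  }
 
  if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV))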
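Review bot: pairing_complete() no longer calls mgmt_pending_remove(), so every site that invokes `cmd->cmd_complete()` for a pairing command must now follow it with `mgmt_pending_remove(cmd)`, and nothing in the file states that contract. The pair is repeated in mgmt_smp_complete(), pairing_complete_cb(), le_pairing_complete_cb(), pair_device(), cancel_pair_device() and mgmt_auth_failed(); a later caller that omits the second call would leave the command on the pending list with its socket and connection references. A comment on pairing_complete() such as `/* Does not remove cmd from the pending list; the caller must call mgmt_pending_remove() afterwards */` would make the ownership explicit, or the two calls could be folded into one small static helper used by all six sites. Several of these functions begin or end outside the hunks.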
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6a46252fe66f..b67749bb55bf 100644
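--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1673,7 +1673,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
  /* SMP over BR/EDR requires special treatment */
  if (conn->hcon->type == ACL_LINK) {
  /* We must have a BR/EDR SC link */
- if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags))
+ if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
+ !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
  return SMP_CROSS_TRANSP_NOT_ALLOWED;
 
  set_bit(SMP_FLAG_SC, &smp->flags);
@@ -2927,7 +2928,7 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
  tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
  if (IS_ERR(tfm_aes)) {
  BT_ERR("Unable to create crypto context");
- return ERR_PTR(PTR_ERR(tfm_aes));
+ return ERR_CAST(tfm_aes);
  }
 
 create_chan: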
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index d06107d36ec8..9cf6fe9ddc0c 100644
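--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2368,6 +2368,11 @@ int ndo_dflt_fdb_add(struct ndmsg *ndm,
  return err;
  }
 
+ if (vid) {
+ pr_info("%s: vlans aren't supported yet for dev_uc|mc_add()\n", dev->name);
+ return err;
+ }
+
  if (is_unicast_ether_addr(addr) || is_link_local_ether_addr(addr))
  err = dev_uc_add_excl(dev, addr);
  else if (is_multicast_ether_addr(addr))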
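Review bot: The `pr_info()` added to ndo_dflt_fdb_add() runs on every request that carries a non-zero `vid` and is not rate limited, so any caller allowed to issue FDB add requests can fill the kernel log with it; `pr_info_ratelimited("%s: vlans aren't supported yet for dev_uc|mc_add()\n", dev->name);` keeps the diagnostic without that exposure. The new branch also returns `err` with whatever value it holds at that point; its initialisation is outside the hunk (presumably an error code, since the preceding check returns it as well), so naming the errno explicitly in the `return` would make the rejection self-evident. ndo_dflt_fdb_add() starts and ends outside the hunk.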
diff --git a/net/ipv4/geneve.c b/net/ipv4/geneve.c
index a457232f0131..95e47c97585e 100644
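--- a/net/ipv4/geneve.c
+++ b/net/ipv4/geneve.c
@@ -159,6 +159,15 @@ static void geneve_notify_add_rx_port(struct geneve_sock *gs)
  }
 }
 
+static void geneve_notify_del_rx_port(struct geneve_sock *gs)
+{
+ struct sock *sk = gs->sock->sk;
+ sa_family_t sa_family = sk->sk_family;
+
+ if (sa_family == AF_INET)
+ udp_del_offload(&gs->udp_offloads);
+}
+
 /* Callback from net/ipv4/udp.c to receive packets */
 static int geneve_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 {
@@ -287,6 +296,7 @@ struct geneve_sock *geneve_sock_add(struct net *net, __be16 port,
  geneve_rcv_t *rcv, void *data,
  bool no_share, bool ipv6)
 {
+ struct geneve_net *gn = net_generic(net, geneve_net_id);
  struct geneve_sock *gs;
 
  gs = geneve_socket_create(net, port, rcv, data, ipv6);
@@ -296,15 +306,15 @@ struct geneve_sock *geneve_sock_add(struct net *net, __be16 port,
  if (no_share) /* Return error if sharing is not allowed. */
  return ERR_PTR(-EINVAL);
 
+ spin_lock(&gn->sock_lock);
  gs = geneve_find_sock(net, port);
- if (gs) {
- if (gs->rcv == rcv)
- atomic_inc(&gs->refcnt);
- else
+ if (gs && ((gs->rcv != rcv) ||
+ !atomic_add_unless(&gs->refcnt, 1, 0)))
  gs = ERR_PTR(-EBUSY);
- } else {
+ spin_unlock(&gn->sock_lock);
+
+ if (!gs)
  gs = ERR_PTR(-EINVAL);
- }
 
  return gs;
 }
@@ -312,9 +322,17 @@ EXPORT_SYMBOL_GPL(geneve_sock_add);
 
 void geneve_sock_release(struct geneve_sock *gs)
 {
+ struct net *net = sock_net(gs->sock->sk);
+ struct geneve_net *gn = net_generic(net, geneve_net_id);
+
  if (!atomic_dec_and_test(&gs->refcnt))
  return;
 
+ spin_lock(&gn->sock_lock);
+ hlist_del_rcu(&gs->hlist);
+ geneve_notify_del_rx_port(gs);
+ spin_unlock(&gn->sock_lock);
+
  queue_work(geneve_wq, &gs->del_work);
 }
 EXPORT_SYMBOL_GPL(geneve_sock_release);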
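Review bot: The combined condition in geneve_sock_add() does not say why `atomic_add_unless(&gs->refcnt, 1, 0)` replaced `atomic_inc()`, and the reason is the heart of the fix: geneve_sock_release() drops the count before it takes `gn->sock_lock` and unlinks the entry, so a lookup can still find a socket whose count has already reached zero. A comment above the condition such as `/* Never revive a socket whose refcnt already hit 0; geneve_sock_release() is about to unlink it */` would keep a later cleanup from turning it back into a plain increment. The new geneve_notify_del_rx_port() is called with `sock_lock` held, which is worth stating on the helper (`/* Called with gn->sock_lock held */`) so nothing that can sleep is added to it.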
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index ac8491245e5b..4f4bf5b99686 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -252,10 +252,6 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
252 struct ip_tunnel *tunnel = netdev_priv(dev); 252 struct ip_tunnel *tunnel = netdev_priv(dev);
253 const struct iphdr *tnl_params; 253 const struct iphdr *tnl_params;
254 254
255 skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
256 if (IS_ERR(skb))
257 goto out;
258
259 if (dev->header_ops) { 255 if (dev->header_ops) {
260 /* Need space for new headers */ 256 /* Need space for new headers */
261 if (skb_cow_head(skb, dev->needed_headroom - 257 if (skb_cow_head(skb, dev->needed_headroom -
@@ -268,6 +264,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
268 * to gre header. 264 * to gre header.
269 */ 265 */
270 skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); 266 skb_pull(skb, tunnel->hlen + sizeof(struct iphdr));
267 skb_reset_mac_header(skb);
271 } else { 268 } else {
272 if (skb_cow_head(skb, dev->needed_headroom)) 269 if (skb_cow_head(skb, dev->needed_headroom))
273 goto free_skb; 270 goto free_skb;
@@ -275,6 +272,10 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
275 tnl_params = &tunnel->parms.iph; 272 tnl_params = &tunnel->parms.iph;
276 } 273 }
277 274
275 skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
276 if (IS_ERR(skb))
277 goto out;
278
278 __gre_xmit(skb, dev, tnl_params, skb->protocol); 279 __gre_xmit(skb, dev, tnl_params, skb->protocol);
279 280
280 return NETDEV_TX_OK; 281 return NETDEV_TX_OK;
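Review bot: The position of `gre_handle_offloads()` in ipgre_xmit is now order-dependent, and nothing at the new call site (new lines 275-277) says so. The call was moved below the `dev->header_ops` branch, which pulls the pre-built headers and now calls `skb_reset_mac_header(skb)`, presumably so that offload setup sees the final header offsets. A one-line comment such as `/* after the header pull/reset above: offload setup depends on the final mac header offset */` would keep a later cleanup from moving it back. The function starts and ends outside these hunks, so the `out` and `free_skb` paths could not be checked here.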
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 63e745aadab6..d3e447936720 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -514,6 +514,9 @@ const struct ip_tunnel_encap_ops __rcu *
514int ip_tunnel_encap_add_ops(const struct ip_tunnel_encap_ops *ops, 514int ip_tunnel_encap_add_ops(const struct ip_tunnel_encap_ops *ops,
515 unsigned int num) 515 unsigned int num)
516{ 516{
517 if (num >= MAX_IPTUN_ENCAP_OPS)
518 return -ERANGE;
519
517 return !cmpxchg((const struct ip_tunnel_encap_ops **) 520 return !cmpxchg((const struct ip_tunnel_encap_ops **)
518 &iptun_encaps[num], 521 &iptun_encaps[num],
519 NULL, ops) ? 0 : -1; 522 NULL, ops) ? 0 : -1;
@@ -525,6 +528,9 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *ops,
525{ 528{
526 int ret; 529 int ret;
527 530
531 if (num >= MAX_IPTUN_ENCAP_OPS)
532 return -ERANGE;
533
528 ret = (cmpxchg((const struct ip_tunnel_encap_ops **) 534 ret = (cmpxchg((const struct ip_tunnel_encap_ops **)
529 &iptun_encaps[num], 535 &iptun_encaps[num],
530 ops, NULL) == ops) ? 0 : -1; 536 ops, NULL) == ops) ? 0 : -1;
@@ -567,6 +573,9 @@ int ip_tunnel_encap(struct sk_buff *skb, struct ip_tunnel *t,
567 if (t->encap.type == TUNNEL_ENCAP_NONE) 573 if (t->encap.type == TUNNEL_ENCAP_NONE)
568 return 0; 574 return 0;
569 575
576 if (t->encap.type >= MAX_IPTUN_ENCAP_OPS)
577 return -EINVAL;
578
570 rcu_read_lock(); 579 rcu_read_lock();
571 ops = rcu_dereference(iptun_encaps[t->encap.type]); 580 ops = rcu_dereference(iptun_encaps[t->encap.type]);
572 if (likely(ops && ops->build_header)) 581 if (likely(ops && ops->build_header))
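Review bot: In ip_tunnel_encap the added range check reads `t->encap.type`, and `rcu_dereference(iptun_encaps[t->encap.type])` two lines later reads it again, so the value that indexes the table is not necessarily the value that was checked. This matters only if the field can be rewritten while packets are being sent, which is not visible from this hunk. Loading it once, `unsigned int type = ACCESS_ONCE(t->encap.type);`, and using `type` for both the comparison and the index makes the check and the use agree. In the add/del hunks the new guard returns `-ERANGE` while the cmpxchg failure path still returns a bare `-1`, which a caller that propagates it will report as `-EPERM`; a named errno there would match the new code. ip_tunnel_encap's body continues outside the hunk.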
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 5d6dae9e4aac..da1c12c34487 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1011,6 +1011,10 @@ ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
1011 1011
1012 ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef); 1012 ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
1013 1013
1014 ieee80211_recalc_smps_chanctx(local, new_ctx);
1015 ieee80211_recalc_radar_chanctx(local, new_ctx);
1016 ieee80211_recalc_chanctx_min_def(local, new_ctx);
1017
1014 if (changed) 1018 if (changed)
1015 ieee80211_bss_info_change_notify(sdata, changed); 1019 ieee80211_bss_info_change_notify(sdata, changed);
1016 1020
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 434a91ad12c8..0bb7038121ac 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -656,7 +656,7 @@ void ieee80211_free_sta_keys(struct ieee80211_local *local,
656 int i; 656 int i;
657 657
658 mutex_lock(&local->key_mtx); 658 mutex_lock(&local->key_mtx);
659 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 659 for (i = 0; i < ARRAY_SIZE(sta->gtk); i++) {
660 key = key_mtx_dereference(local, sta->gtk[i]); 660 key = key_mtx_dereference(local, sta->gtk[i]);
661 if (!key) 661 if (!key)
662 continue; 662 continue;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 75a9bf50207e..2c36c4765f47 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -174,6 +174,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
174 if (!(ht_cap->cap_info & 174 if (!(ht_cap->cap_info &
175 cpu_to_le16(IEEE80211_HT_CAP_SUP_WIDTH_20_40))) { 175 cpu_to_le16(IEEE80211_HT_CAP_SUP_WIDTH_20_40))) {
176 ret = IEEE80211_STA_DISABLE_40MHZ; 176 ret = IEEE80211_STA_DISABLE_40MHZ;
177 vht_chandef = *chandef;
177 goto out; 178 goto out;
178 } 179 }
179 180
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 49c23bdf08bb..683b10f46505 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1761,14 +1761,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1761 sc = le16_to_cpu(hdr->seq_ctrl); 1761 sc = le16_to_cpu(hdr->seq_ctrl);
1762 frag = sc & IEEE80211_SCTL_FRAG; 1762 frag = sc & IEEE80211_SCTL_FRAG;
1763 1763
1764 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
1765 goto out;
1766
1767 if (is_multicast_ether_addr(hdr->addr1)) { 1764 if (is_multicast_ether_addr(hdr->addr1)) {
1768 rx->local->dot11MulticastReceivedFrameCount++; 1765 rx->local->dot11MulticastReceivedFrameCount++;
1769 goto out; 1766 goto out_no_led;
1770 } 1767 }
1771 1768
1769 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
1770 goto out;
1771
1772 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1772 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1773 1773
1774 if (skb_linearize(rx->skb)) 1774 if (skb_linearize(rx->skb))
@@ -1859,9 +1859,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1859 status->rx_flags |= IEEE80211_RX_FRAGMENTED; 1859 status->rx_flags |= IEEE80211_RX_FRAGMENTED;
1860 1860
1861 out: 1861 out:
1862 ieee80211_led_rx(rx->local);
1863 out_no_led:
1862 if (rx->sta) 1864 if (rx->sta)
1863 rx->sta->rx_packets++; 1865 rx->sta->rx_packets++;
1864 ieee80211_led_rx(rx->local);
1865 return RX_CONTINUE; 1866 return RX_CONTINUE;
1866} 1867}
1867 1868
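Review bot: The new `out_no_led:` label in ieee80211_rx_h_defragment has no comment saying why multicast frames bypass `ieee80211_led_rx()`. The first hunk also changes what `dot11MulticastReceivedFrameCount` counts without saying so: the multicast test now runs before the unfragmented fast path, so every multicast frame that reaches this point is counted. A comment at the multicast branch, e.g. `/* count all multicast frames here, but do not trigger the RX LED for them */`, would record both decisions. The middle of the function lies between the two hunks and is not shown.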
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index ef5f77b44ec7..074cf3e91c6f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -525,14 +525,14 @@ out:
525 return err; 525 return err;
526} 526}
527 527
528static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr) 528static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr, unsigned int nm_len)
529{ 529{
530#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE == 1 530#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE == 1
531 struct page *p_start, *p_end; 531 struct page *p_start, *p_end;
532 532
533 /* First page is flushed through netlink_{get,set}_status */ 533 /* First page is flushed through netlink_{get,set}_status */
534 p_start = pgvec_to_page(hdr + PAGE_SIZE); 534 p_start = pgvec_to_page(hdr + PAGE_SIZE);
535 p_end = pgvec_to_page((void *)hdr + NL_MMAP_HDRLEN + hdr->nm_len - 1); 535 p_end = pgvec_to_page((void *)hdr + NL_MMAP_HDRLEN + nm_len - 1);
536 while (p_start <= p_end) { 536 while (p_start <= p_end) {
537 flush_dcache_page(p_start); 537 flush_dcache_page(p_start);
538 p_start++; 538 p_start++;
@@ -550,9 +550,9 @@ static enum nl_mmap_status netlink_get_status(const struct nl_mmap_hdr *hdr)
550static void netlink_set_status(struct nl_mmap_hdr *hdr, 550static void netlink_set_status(struct nl_mmap_hdr *hdr,
551 enum nl_mmap_status status) 551 enum nl_mmap_status status)
552{ 552{
553 smp_mb();
553 hdr->nm_status = status; 554 hdr->nm_status = status;
554 flush_dcache_page(pgvec_to_page(hdr)); 555 flush_dcache_page(pgvec_to_page(hdr));
555 smp_wmb();
556} 556}
557 557
558static struct nl_mmap_hdr * 558static struct nl_mmap_hdr *
@@ -714,24 +714,16 @@ static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg,
714 struct nl_mmap_hdr *hdr; 714 struct nl_mmap_hdr *hdr;
715 struct sk_buff *skb; 715 struct sk_buff *skb;
716 unsigned int maxlen; 716 unsigned int maxlen;
717 bool excl = true;
718 int err = 0, len = 0; 717 int err = 0, len = 0;
719 718
720 /* Netlink messages are validated by the receiver before processing.
721 * In order to avoid userspace changing the contents of the message
722 * after validation, the socket and the ring may only be used by a
723 * single process, otherwise we fall back to copying.
724 */
725 if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 ||
726 atomic_read(&nlk->mapped) > 1)
727 excl = false;
728
729 mutex_lock(&nlk->pg_vec_lock); 719 mutex_lock(&nlk->pg_vec_lock);
730 720
731 ring = &nlk->tx_ring; 721 ring = &nlk->tx_ring;
732 maxlen = ring->frame_size - NL_MMAP_HDRLEN; 722 maxlen = ring->frame_size - NL_MMAP_HDRLEN;
733 723
734 do { 724 do {
725 unsigned int nm_len;
726
735 hdr = netlink_current_frame(ring, NL_MMAP_STATUS_VALID); 727 hdr = netlink_current_frame(ring, NL_MMAP_STATUS_VALID);
736 if (hdr == NULL) { 728 if (hdr == NULL) {
737 if (!(msg->msg_flags & MSG_DONTWAIT) && 729 if (!(msg->msg_flags & MSG_DONTWAIT) &&
@@ -739,35 +731,23 @@ static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg,
739 schedule(); 731 schedule();
740 continue; 732 continue;
741 } 733 }
742 if (hdr->nm_len > maxlen) { 734
735 nm_len = ACCESS_ONCE(hdr->nm_len);
736 if (nm_len > maxlen) {
743 err = -EINVAL; 737 err = -EINVAL;
744 goto out; 738 goto out;
745 } 739 }
746 740
747 netlink_frame_flush_dcache(hdr); 741 netlink_frame_flush_dcache(hdr, nm_len);
748 742
749 if (likely(dst_portid == 0 && dst_group == 0 && excl)) { 743 skb = alloc_skb(nm_len, GFP_KERNEL);
750 skb = alloc_skb_head(GFP_KERNEL); 744 if (skb == NULL) {
751 if (skb == NULL) { 745 err = -ENOBUFS;
752 err = -ENOBUFS; 746 goto out;
753 goto out;
754 }
755 sock_hold(sk);
756 netlink_ring_setup_skb(skb, sk, ring, hdr);
757 NETLINK_CB(skb).flags |= NETLINK_SKB_TX;
758 __skb_put(skb, hdr->nm_len);
759 netlink_set_status(hdr, NL_MMAP_STATUS_RESERVED);
760 atomic_inc(&ring->pending);
761 } else {
762 skb = alloc_skb(hdr->nm_len, GFP_KERNEL);
763 if (skb == NULL) {
764 err = -ENOBUFS;
765 goto out;
766 }
767 __skb_put(skb, hdr->nm_len);
768 memcpy(skb->data, (void *)hdr + NL_MMAP_HDRLEN, hdr->nm_len);
769 netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED);
770 } 747 }
748 __skb_put(skb, nm_len);
749 memcpy(skb->data, (void *)hdr + NL_MMAP_HDRLEN, nm_len);
750 netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED);
771 751
772 netlink_increment_head(ring); 752 netlink_increment_head(ring);
773 753
@@ -813,7 +793,7 @@ static void netlink_queue_mmaped_skb(struct sock *sk, struct sk_buff *skb)
813 hdr->nm_pid = NETLINK_CB(skb).creds.pid; 793 hdr->nm_pid = NETLINK_CB(skb).creds.pid;
814 hdr->nm_uid = from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid); 794 hdr->nm_uid = from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid);
815 hdr->nm_gid = from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid); 795 hdr->nm_gid = from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid);
816 netlink_frame_flush_dcache(hdr); 796 netlink_frame_flush_dcache(hdr, hdr->nm_len);
817 netlink_set_status(hdr, NL_MMAP_STATUS_VALID); 797 netlink_set_status(hdr, NL_MMAP_STATUS_VALID);
818 798
819 NETLINK_CB(skb).flags |= NETLINK_SKB_DELIVERED; 799 NETLINK_CB(skb).flags |= NETLINK_SKB_DELIVERED;
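Review bot: In netlink_queue_mmaped_skb the new call `netlink_frame_flush_dcache(hdr, hdr->nm_len)` reads the length back out of the frame header, which appears to live in the ring that is mapped into userspace. That is the same kind of re-fetch the sendmsg hunk removes with `nm_len = ACCESS_ONCE(hdr->nm_len)`. The assignment to `hdr->nm_len` is outside the hunk; if it is set from `skb->len`, passing the kernel-side value keeps the flush range from being derived from memory the peer can rewrite: `netlink_frame_flush_dcache(hdr, skb->len);`. Separately, the context line `p_start = pgvec_to_page(hdr + PAGE_SIZE);` does typed pointer arithmetic on a `struct nl_mmap_hdr *`, while the `p_end` line casts to `(void *)` first; `(void *)hdr + PAGE_SIZE` looks like what was meant.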
diff --git a/net/rds/message.c b/net/rds/message.c
index ff2202218187..5a21e6f5986f 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -325,7 +325,8 @@ int rds_message_inc_copy_to_user(struct rds_incoming *inc, struct iov_iter *to)
325 copied = 0; 325 copied = 0;
326 326
327 while (iov_iter_count(to) && copied < len) { 327 while (iov_iter_count(to) && copied < len) {
328 to_copy = min(iov_iter_count(to), sg->length - vec_off); 328 to_copy = min_t(unsigned long, iov_iter_count(to),
329 sg->length - vec_off);
329 to_copy = min_t(unsigned long, to_copy, len - copied); 330 to_copy = min_t(unsigned long, to_copy, len - copied);
330 331
331 rds_stats_add(s_copy_to_user, to_copy); 332 rds_stats_add(s_copy_to_user, to_copy);
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index 85506f1d0789..7aaf7415dc4c 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -603,7 +603,7 @@ bool cfg80211_chandef_usable(struct wiphy *wiphy,
603{ 603{
604 struct ieee80211_sta_ht_cap *ht_cap; 604 struct ieee80211_sta_ht_cap *ht_cap;
605 struct ieee80211_sta_vht_cap *vht_cap; 605 struct ieee80211_sta_vht_cap *vht_cap;
606 u32 width, control_freq; 606 u32 width, control_freq, cap;
607 607
608 if (WARN_ON(!cfg80211_chandef_valid(chandef))) 608 if (WARN_ON(!cfg80211_chandef_valid(chandef)))
609 return false; 609 return false;
@@ -643,7 +643,8 @@ bool cfg80211_chandef_usable(struct wiphy *wiphy,
643 return false; 643 return false;
644 break; 644 break;
645 case NL80211_CHAN_WIDTH_80P80: 645 case NL80211_CHAN_WIDTH_80P80:
646 if (!(vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)) 646 cap = vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
647 if (cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
647 return false; 648 return false;
648 case NL80211_CHAN_WIDTH_80: 649 case NL80211_CHAN_WIDTH_80:
649 if (!vht_cap->vht_supported) 650 if (!vht_cap->vht_supported)
@@ -654,7 +655,9 @@ bool cfg80211_chandef_usable(struct wiphy *wiphy,
654 case NL80211_CHAN_WIDTH_160: 655 case NL80211_CHAN_WIDTH_160:
655 if (!vht_cap->vht_supported) 656 if (!vht_cap->vht_supported)
656 return false; 657 return false;
657 if (!(vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ)) 658 cap = vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
659 if (cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ &&
660 cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
658 return false; 661 return false;
659 prohibited_flags |= IEEE80211_CHAN_NO_160MHZ; 662 prohibited_flags |= IEEE80211_CHAN_NO_160MHZ;
660 width = 160; 663 width = 160;
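Review bot: `case NL80211_CHAN_WIDTH_80P80:` now has a two-statement body (new lines 646-648) that runs straight into `case NL80211_CHAN_WIDTH_80:` with no marker, so the intentional fall-through is easy to mistake for a missing `break`. Add `/* fall through */` after its `return false;`. The masked compare is written out in both the 80P80 and 160 cases. A short comment at the first one would explain the second test: the capability is compared as a value under `IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK`, and the 160 case accepts the 160/80+80 value as well.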
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index a17d6bc6b22c..7ca4b5133123 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6002,7 +6002,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
6002 } 6002 }
6003 6003
6004 /* there was no other matchset, so the RSSI one is alone */ 6004 /* there was no other matchset, so the RSSI one is alone */
6005 if (i == 0) 6005 if (i == 0 && n_match_sets)
6006 request->match_sets[0].rssi_thold = default_match_rssi; 6006 request->match_sets[0].rssi_thold = default_match_rssi;
6007 6007
6008 request->min_rssi_thold = INT_MAX; 6008 request->min_rssi_thold = INT_MAX;
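Review bot: The comment above the changed test, `/* there was no other matchset, so the RSSI one is alone */`, no longer describes the condition. The new `&& n_match_sets` exists to avoid writing `request->match_sets[0]` when there are no match sets at all. Extending the comment to something like `/* no other matchset: the RSSI one is alone, provided a match set exists at all */` documents the bounds guard. The allocation of `match_sets` is outside the hunk, so whether element 0 exists when `n_match_sets` is zero could not be confirmed here; the guard suggests it does not.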
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 47be6163381c..7b8309840d4e 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1549,9 +1549,15 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
1549 ret = cfg80211_reg_can_beacon(wiphy, 1549 ret = cfg80211_reg_can_beacon(wiphy,
1550 &wdev->chandef, wdev->iftype); 1550 &wdev->chandef, wdev->iftype);
1551 break; 1551 break;
1552 case NL80211_IFTYPE_ADHOC:
1553 if (!wdev->ssid_len)
1554 goto out;
1555
1556 ret = cfg80211_reg_can_beacon(wiphy,
1557 &wdev->chandef, wdev->iftype);
1558 break;
1552 case NL80211_IFTYPE_STATION: 1559 case NL80211_IFTYPE_STATION:
1553 case NL80211_IFTYPE_P2P_CLIENT: 1560 case NL80211_IFTYPE_P2P_CLIENT:
1554 case NL80211_IFTYPE_ADHOC:
1555 if (!wdev->current_bss || 1561 if (!wdev->current_bss ||
1556 !wdev->current_bss->pub.channel) 1562 !wdev->current_bss->pub.channel)
1557 goto out; 1563 goto out;
@@ -1907,7 +1913,7 @@ static enum reg_request_treatment
1907reg_process_hint_driver(struct wiphy *wiphy, 1913reg_process_hint_driver(struct wiphy *wiphy,
1908 struct regulatory_request *driver_request) 1914 struct regulatory_request *driver_request)
1909{ 1915{
1910 const struct ieee80211_regdomain *regd; 1916 const struct ieee80211_regdomain *regd, *tmp;
1911 enum reg_request_treatment treatment; 1917 enum reg_request_treatment treatment;
1912 1918
1913 treatment = __reg_process_hint_driver(driver_request); 1919 treatment = __reg_process_hint_driver(driver_request);
@@ -1927,7 +1933,10 @@ reg_process_hint_driver(struct wiphy *wiphy,
1927 reg_free_request(driver_request); 1933 reg_free_request(driver_request);
1928 return REG_REQ_IGNORE; 1934 return REG_REQ_IGNORE;
1929 } 1935 }
1936
1937 tmp = get_wiphy_regdom(wiphy);
1930 rcu_assign_pointer(wiphy->regd, regd); 1938 rcu_assign_pointer(wiphy->regd, regd);
1939 rcu_free_regdom(tmp);
1931 } 1940 }
1932 1941
1933 1942
@@ -1986,11 +1995,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy,
1986 return REG_REQ_IGNORE; 1995 return REG_REQ_IGNORE;
1987 return REG_REQ_ALREADY_SET; 1996 return REG_REQ_ALREADY_SET;
1988 } 1997 }
1989 /* 1998
1990 * Two consecutive Country IE hints on the same wiphy. 1999 if (regdom_changes(country_ie_request->alpha2))
1991 * This should be picked up early by the driver/stack
1992 */
1993 if (WARN_ON(regdom_changes(country_ie_request->alpha2)))
1994 return REG_REQ_OK; 2000 return REG_REQ_OK;
1995 return REG_REQ_ALREADY_SET; 2001 return REG_REQ_ALREADY_SET;
1996} 2002}