diff options
| author | David S. Miller <davem@davemloft.net> | 2012-08-14 20:03:22 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-08-14 20:03:22 -0400 |
| commit | 7bab3ae7608292fd987e390dec9fc21fd6dc4d7d (patch) | |
| tree | 52168ad7bd91e6878456fdf9d1b1bd47ff0910d1 /net | |
| parent | 4acd4945cd1e1f92b20d14e349c6c6a52acbd42d (diff) | |
| parent | 1e55217e174f4e6920fd441dcd3aaf8e37645460 (diff) | |
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:
====================
Alexey Khoroshilov provides a potential memory leak in rndis_wlan.
Bob Copeland gives us an ath5k fix for a lockdep problem.
Dan Carpenter fixes a signedness mismatch in at76c50x.
Felix Fietkau corrects a regression caused by an earlier commit that can
lead to an IRQ storm.
Lorenzo Bianconi offers a fix for a bad variable initialization in ath9k
that can cause it to improperly mark decrypted frames.
Rajkumar Manoharan fixes ath9k to prevent the btcoex time from running
when the hardware is asleep.
The remainder are Bluetooth fixes, about which Gustavo says:
"Here goes some fixes for 3.6-rc1, there are a few fix to
thte inquiry code by Ram Malovany, support for 2 new devices,
and few others fixes for NULL dereference, possible deadlock
and a memory leak."
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/hci_event.c | 28 | ||||
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 1 | ||||
| -rw-r--r-- | net/bluetooth/l2cap_sock.c | 2 | ||||
| -rw-r--r-- | net/bluetooth/sco.c | 19 | ||||
| -rw-r--r-- | net/bluetooth/smp.c | 5 |
5 files changed, 37 insertions, 18 deletions
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 41ff978a33f9..715d7e33fba0 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c | |||
| @@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev) | |||
| 1365 | return false; | 1365 | return false; |
| 1366 | 1366 | ||
| 1367 | e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); | 1367 | e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); |
| 1368 | if (!e) | ||
| 1369 | return false; | ||
| 1370 | |||
| 1368 | if (hci_resolve_name(hdev, e) == 0) { | 1371 | if (hci_resolve_name(hdev, e) == 0) { |
| 1369 | e->name_state = NAME_PENDING; | 1372 | e->name_state = NAME_PENDING; |
| 1370 | return true; | 1373 | return true; |
| @@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, | |||
| 1393 | return; | 1396 | return; |
| 1394 | 1397 | ||
| 1395 | e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); | 1398 | e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); |
| 1396 | if (e) { | 1399 | /* If the device was not found in a list of found devices names of which |
| 1400 | * are pending. there is no need to continue resolving a next name as it | ||
| 1401 | * will be done upon receiving another Remote Name Request Complete | ||
| 1402 | * Event */ | ||
| 1403 | if (!e) | ||
| 1404 | return; | ||
| 1405 | |||
| 1406 | list_del(&e->list); | ||
| 1407 | if (name) { | ||
| 1397 | e->name_state = NAME_KNOWN; | 1408 | e->name_state = NAME_KNOWN; |
| 1398 | list_del(&e->list); | 1409 | mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, |
| 1399 | if (name) | 1410 | e->data.rssi, name, name_len); |
| 1400 | mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, | 1411 | } else { |
| 1401 | e->data.rssi, name, name_len); | 1412 | e->name_state = NAME_NOT_KNOWN; |
| 1402 | } | 1413 | } |
| 1403 | 1414 | ||
| 1404 | if (hci_resolve_next_name(hdev)) | 1415 | if (hci_resolve_next_name(hdev)) |
| @@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) | |||
| 1762 | if (conn->type == ACL_LINK) { | 1773 | if (conn->type == ACL_LINK) { |
| 1763 | conn->state = BT_CONFIG; | 1774 | conn->state = BT_CONFIG; |
| 1764 | hci_conn_hold(conn); | 1775 | hci_conn_hold(conn); |
| 1765 | conn->disc_timeout = HCI_DISCONN_TIMEOUT; | 1776 | |
| 1777 | if (!conn->out && !hci_conn_ssp_enabled(conn) && | ||
| 1778 | !hci_find_link_key(hdev, &ev->bdaddr)) | ||
| 1779 | conn->disc_timeout = HCI_PAIRING_TIMEOUT; | ||
| 1780 | else | ||
| 1781 | conn->disc_timeout = HCI_DISCONN_TIMEOUT; | ||
| 1766 | } else | 1782 | } else |
| 1767 | conn->state = BT_CONNECTED; | 1783 | conn->state = BT_CONNECTED; |
| 1768 | 1784 | ||
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index a8964db04bfb..daa149b7003c 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
| @@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn) | |||
| 1181 | sk = chan->sk; | 1181 | sk = chan->sk; |
| 1182 | 1182 | ||
| 1183 | hci_conn_hold(conn->hcon); | 1183 | hci_conn_hold(conn->hcon); |
| 1184 | conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; | ||
| 1184 | 1185 | ||
| 1185 | bacpy(&bt_sk(sk)->src, conn->src); | 1186 | bacpy(&bt_sk(sk)->src, conn->src); |
| 1186 | bacpy(&bt_sk(sk)->dst, conn->dst); | 1187 | bacpy(&bt_sk(sk)->dst, conn->dst); |
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index a4bb27e8427e..b94abd30e6f9 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c | |||
| @@ -1174,7 +1174,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p | |||
| 1174 | 1174 | ||
| 1175 | chan = l2cap_chan_create(); | 1175 | chan = l2cap_chan_create(); |
| 1176 | if (!chan) { | 1176 | if (!chan) { |
| 1177 | l2cap_sock_kill(sk); | 1177 | sk_free(sk); |
| 1178 | return NULL; | 1178 | return NULL; |
| 1179 | } | 1179 | } |
| 1180 | 1180 | ||
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 40bbe25dcff7..3589e21edb09 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c | |||
| @@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err) | |||
| 131 | sco_sock_clear_timer(sk); | 131 | sco_sock_clear_timer(sk); |
| 132 | sco_chan_del(sk, err); | 132 | sco_chan_del(sk, err); |
| 133 | bh_unlock_sock(sk); | 133 | bh_unlock_sock(sk); |
| 134 | |||
| 135 | sco_conn_lock(conn); | ||
| 136 | conn->sk = NULL; | ||
| 137 | sco_pi(sk)->conn = NULL; | ||
| 138 | sco_conn_unlock(conn); | ||
| 139 | |||
| 140 | if (conn->hcon) | ||
| 141 | hci_conn_put(conn->hcon); | ||
| 142 | |||
| 134 | sco_sock_kill(sk); | 143 | sco_sock_kill(sk); |
| 135 | } | 144 | } |
| 136 | 145 | ||
| @@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err) | |||
| 821 | 830 | ||
| 822 | BT_DBG("sk %p, conn %p, err %d", sk, conn, err); | 831 | BT_DBG("sk %p, conn %p, err %d", sk, conn, err); |
| 823 | 832 | ||
| 824 | if (conn) { | ||
| 825 | sco_conn_lock(conn); | ||
| 826 | conn->sk = NULL; | ||
| 827 | sco_pi(sk)->conn = NULL; | ||
| 828 | sco_conn_unlock(conn); | ||
| 829 | |||
| 830 | if (conn->hcon) | ||
| 831 | hci_conn_put(conn->hcon); | ||
| 832 | } | ||
| 833 | |||
| 834 | sk->sk_state = BT_CLOSED; | 833 | sk->sk_state = BT_CLOSED; |
| 835 | sk->sk_err = err; | 834 | sk->sk_err = err; |
| 836 | sk->sk_state_change(sk); | 835 | sk->sk_state_change(sk); |
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 16ef0dc85a0a..901a616c8083 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c | |||
| @@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 579 | 579 | ||
| 580 | if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) | 580 | if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) |
| 581 | smp = smp_chan_create(conn); | 581 | smp = smp_chan_create(conn); |
| 582 | else | ||
| 583 | smp = conn->smp_chan; | ||
| 582 | 584 | ||
| 583 | smp = conn->smp_chan; | 585 | if (!smp) |
| 586 | return SMP_UNSPECIFIED; | ||
| 584 | 587 | ||
| 585 | smp->preq[0] = SMP_CMD_PAIRING_REQ; | 588 | smp->preq[0] = SMP_CMD_PAIRING_REQ; |
| 586 | memcpy(&smp->preq[1], req, sizeof(*req)); | 589 | memcpy(&smp->preq[1], req, sizeof(*req)); |