Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits) ipv6: Don't pass invalid dst_entry pointer to dst_release(). mlx4: fix kfree on error path in new_steering_entry() tcp: len check is unnecessarily devastating, change to WARN_ON sctp: malloc enough room for asconf-ack chunk sctp: fix auth_hmacs field's length of struct sctp_cookie net: Fix dev dev_ethtool_get_rx_csum() for forced NETIF_F_RXCSUM usbnet: use eth%d name for known ethernet devices starfire: clean up dma_addr_t size test iwlegacy: fix bugs in change_interface carl9170: Fix tx aggregation problems with some clients iwl3945: disable hw scan by default wireless: rt2x00: rt2800usb.c add and identify ids iwl3945: do not deprecate software scan mac80211: fix aggregation frame release during timeout cfg80211: fix BSS double-unlinking (continued) cfg80211:: fix possible NULL pointer dereference mac80211: fix possible NULL pointer dereference mac80211: fix NULL pointer dereference in ieee80211_key_alloc() ath9k: fix a chip wakeup related crash in ath9k_start mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2011-04-05 15:26:57 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2011-04-05 15:26:57 -0400
commit: d14f5b810b49c7dbd1a01be1c6d3641d46090080 (patch)
tree: b201a1cf14c455b919ecb7d4a6631134d5815703 /net
parent: b2a8b4b81966094703088a7bc76a313af841924d (diff)
parent: 738faca34335cd1d5d87fa7c58703139c7fa15bd (diff)
12 files changed, 69 insertions, 30 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index b372fb8bcdcf..2216620ff296 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -186,6 +186,7 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
        BT_DBG("%s %ld", hdev->name, opt);
        /* Reset device */
+        set_bit(HCI_RESET, &hdev->flags);
        hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
 }
@@ -213,8 +214,10 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
        /* Mandatory initialization */
        /* Reset */
-        if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks))
+        if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
+                        set_bit(HCI_RESET, &hdev->flags);
                        hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
+        }
        /* Read Local Supported Features */
        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
@@ -584,6 +587,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        hci_req_cancel(hdev, ENODEV);
        hci_req_lock(hdev);
+        /* Stop timer, it might be running */
+        del_timer_sync(&hdev->cmd_timer);
        if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
                hci_req_unlock(hdev);
                return 0;
@@ -623,7 +629,6 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        /* Drop last sent command */
        if (hdev->sent_cmd) {
-                del_timer_sync(&hdev->cmd_timer);
                kfree_skb(hdev->sent_cmd);
                hdev->sent_cmd = NULL;
        }
@@ -1074,6 +1079,7 @@ static void hci_cmd_timer(unsigned long arg)
        BT_ERR("%s command tx timeout", hdev->name);
        atomic_set(&hdev->cmd_cnt, 1);
+        clear_bit(HCI_RESET, &hdev->flags);
        tasklet_schedule(&hdev->cmd_task);
 }
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 3fbfa50c2bff..cebe7588469f 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -183,6 +183,8 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
        BT_DBG("%s status 0x%x", hdev->name, status);
+        clear_bit(HCI_RESET, &hdev->flags);
        hci_req_complete(hdev, HCI_OP_RESET, status);
 }
@@ -1847,7 +1849,7 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
        if (ev->opcode != HCI_OP_NOP)
                del_timer(&hdev->cmd_timer);
-        if (ev->ncmd) {
+        if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
                atomic_set(&hdev->cmd_cnt, 1);
                if (!skb_queue_empty(&hdev->cmd_q))
                        tasklet_schedule(&hdev->cmd_task);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c9f9cecca527..ca27f3a41536 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1116,7 +1116,9 @@ int l2cap_ertm_send(struct sock *sk)
                bt_cb(skb)->tx_seq = pi->next_tx_seq;
                pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
-                pi->unacked_frames++;
+                if (bt_cb(skb)->retries == 1)
+                        pi->unacked_frames++;
                pi->frames_sent++;
                if (skb_queue_is_last(TX_QUEUE(sk), skb))
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index fc85e7ae33c7..f77308e63e58 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -923,8 +923,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                } else
+                }
-                        l2cap_chan_del(sk, reason);
+                l2cap_chan_del(sk, reason);
                break;
        case BT_CONNECT:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 0054c74e27b7..4476d8e3c0f2 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1230,6 +1230,8 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, mgmt_op, ENODEV);
+        hci_dev_lock_bh(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, mgmt_op, ENETDOWN);
                goto failed;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index dfa5beb0c1c8..8b0d0167e44a 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1003,7 +1003,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
        int nlen;
        u8 flags;
-        BUG_ON(len > skb->len);
+        if (WARN_ON(len > skb->len))
+                return -EINVAL;
        nsize = skb_headlen(skb) - len;
        if (nsize < 0)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2b0c186862c8..56fa12538d45 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -503,6 +503,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
        if (IS_ERR(dst)) {
                err = PTR_ERR(dst);
+                dst = NULL;
                goto done;
        }
        skb = tcp_make_synack(sk, dst, req, rvp);
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 8c02469b7176..af3c56482c80 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -342,7 +342,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
                if (IS_ERR(key->u.ccmp.tfm)) {
                        err = PTR_ERR(key->u.ccmp.tfm);
                        kfree(key);
-                        key = ERR_PTR(err);
+                        return ERR_PTR(err);
                }
                break;
        case WLAN_CIPHER_SUITE_AES_CMAC:
@@ -360,7 +360,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
                if (IS_ERR(key->u.aes_cmac.tfm)) {
                        err = PTR_ERR(key->u.aes_cmac.tfm);
                        kfree(key);
-                        key = ERR_PTR(err);
+                        return ERR_PTR(err);
                }
                break;
        }
@@ -400,11 +400,12 @@ int ieee80211_key_link(struct ieee80211_key *key,
 {
        struct ieee80211_key *old_key;
        int idx, ret;
-        bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+        bool pairwise;
        BUG_ON(!sdata);
        BUG_ON(!key);
+        pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
        idx = key->conf.keyidx;
        key->local = sdata->local;
        key->sdata = sdata;
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 8212a8bebf06..dbdebeda097f 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -659,18 +659,14 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
        struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
        struct ieee80211_local *local = hw_to_local(mp->hw);
        u16 sta_cap = sta->ht_cap.cap;
+        int n_supported = 0;
        int ack_dur;
        int stbc;
        int i;
        /* fall back to the old minstrel for legacy stations */
-        if (!sta->ht_cap.ht_supported) {
+        if (!sta->ht_cap.ht_supported)
-                msp->is_ht = false;
+                goto use_legacy;
-                memset(&msp->legacy, 0, sizeof(msp->legacy));
-                msp->legacy.r = msp->ratelist;
-                msp->legacy.sample_table = msp->sample_table;
-                return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
-        }
        BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
                MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);
@@ -725,7 +721,22 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
                mi->groups[i].supported =
                        mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
+                if (mi->groups[i].supported)
+                        n_supported++;
        }
+        if (!n_supported)
+                goto use_legacy;
+        return;
+use_legacy:
+        msp->is_ht = false;
+        memset(&msp->legacy, 0, sizeof(msp->legacy));
+        msp->legacy.r = msp->ratelist;
+        msp->legacy.sample_table = msp->sample_table;
+        return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
 }
 static void
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 5c1930ba8ebe..aa5cc37b4921 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -612,7 +612,8 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
                                skipped++;
                                continue;
                        }
-                        if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
+                        if (skipped &&
+                            !time_after(jiffies, tid_agg_rx->reorder_time[j] +
                                        HT_RX_REORDER_BUF_TIMEOUT))
                                goto set_release_timer;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index de98665db524..b3434cc7d0cf 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3106,10 +3106,10 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
        /* create an ASCONF_ACK chunk.
         * Based on the definitions of parameters, we know that the size of
-         * ASCONF_ACK parameters are less than or equal to the twice of ASCONF
+         * ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
         * parameters.
         */
-        asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 2);
+        asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 4);
        if (!asconf_ack)
                goto done;
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..fbf6f33ae4d0 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -124,6 +124,15 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev,
 }
 /* must hold dev->bss_lock! */
+static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
+                                  struct cfg80211_internal_bss *bss)
+{
+        list_del_init(&bss->list);
+        rb_erase(&bss->rbn, &dev->bss_tree);
+        kref_put(&bss->ref, bss_release);
+}
+/* must hold dev->bss_lock! */
 void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
 {
        struct cfg80211_internal_bss *bss, *tmp;
@@ -134,9 +143,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
                        continue;
                if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))
                        continue;
-                list_del(&bss->list);
+                __cfg80211_unlink_bss(dev, bss);
-                rb_erase(&bss->rbn, &dev->bss_tree);
-                kref_put(&bss->ref, bss_release);
                expired = true;
        }
@@ -585,16 +592,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
        struct cfg80211_internal_bss *res;
        size_t ielen = len - offsetof(struct ieee80211_mgmt,
                                      u.probe_resp.variable);
-        size_t privsz = wiphy->bss_priv_size;
+        size_t privsz;
+        if (WARN_ON(!mgmt))
+                return NULL;
+        if (WARN_ON(!wiphy))
+                return NULL;
        if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
                    (signal < 0 || signal > 100)))
                return NULL;
-        if (WARN_ON(!mgmt || !wiphy ||
+        if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
-                    len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
                return NULL;
+        privsz = wiphy->bss_priv_size;
        res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
        if (!res)
                return NULL;
@@ -662,11 +676,8 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
        spin_lock_bh(&dev->bss_lock);
        if (!list_empty(&bss->list)) {
-                list_del_init(&bss->list);
+                __cfg80211_unlink_bss(dev, bss);
                dev->bss_generation++;
-                rb_erase(&bss->rbn, &dev->bss_tree);
-                kref_put(&bss->ref, bss_release);
        }
        spin_unlock_bh(&dev->bss_lock);
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2011-04-05 15:26:57 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2011-04-05 15:26:57 -0400
commit	d14f5b810b49c7dbd1a01be1c6d3641d46090080 (patch)
tree	b201a1cf14c455b919ecb7d4a6631134d5815703 /net
parent	b2a8b4b81966094703088a7bc76a313af841924d (diff)
parent	738faca34335cd1d5d87fa7c58703139c7fa15bd (diff)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index b372fb8bcdcf..2216620ff296 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c
@@ -186,6 +186,7 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
186	BT_DBG("%s %ld", hdev->name, opt);	186	BT_DBG("%s %ld", hdev->name, opt);
187		187
188	/* Reset device */	188	/* Reset device */
		189	set_bit(HCI_RESET, &hdev->flags);
189	hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);	190	hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
190	}	191	}
191		192
@@ -213,8 +214,10 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
213	/* Mandatory initialization */	214	/* Mandatory initialization */
214		215
215	/* Reset */	216	/* Reset */
216	if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks))	217	if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
		218	set_bit(HCI_RESET, &hdev->flags);
217	hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);	219	hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
		220	}
218		221
219	/* Read Local Supported Features */	222	/* Read Local Supported Features */
220	hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);	223	hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
@@ -584,6 +587,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
584	hci_req_cancel(hdev, ENODEV);	587	hci_req_cancel(hdev, ENODEV);
585	hci_req_lock(hdev);	588	hci_req_lock(hdev);
586		589
		590	/* Stop timer, it might be running */
		591	del_timer_sync(&hdev->cmd_timer);
		592
587	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {	593	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
588	hci_req_unlock(hdev);	594	hci_req_unlock(hdev);
589	return 0;	595	return 0;
@@ -623,7 +629,6 @@ static int hci_dev_do_close(struct hci_dev *hdev)
623		629
624	/* Drop last sent command */	630	/* Drop last sent command */
625	if (hdev->sent_cmd) {	631	if (hdev->sent_cmd) {
626	del_timer_sync(&hdev->cmd_timer);
627	kfree_skb(hdev->sent_cmd);	632	kfree_skb(hdev->sent_cmd);
628	hdev->sent_cmd = NULL;	633	hdev->sent_cmd = NULL;
629	}	634	}
@@ -1074,6 +1079,7 @@ static void hci_cmd_timer(unsigned long arg)
1074		1079
1075	BT_ERR("%s command tx timeout", hdev->name);	1080	BT_ERR("%s command tx timeout", hdev->name);
1076	atomic_set(&hdev->cmd_cnt, 1);	1081	atomic_set(&hdev->cmd_cnt, 1);
		1082	clear_bit(HCI_RESET, &hdev->flags);
1077	tasklet_schedule(&hdev->cmd_task);	1083	tasklet_schedule(&hdev->cmd_task);
1078	}	1084	}
1079		1085


diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 3fbfa50c2bff..cebe7588469f 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -183,6 +183,8 @@ static void hci_cc_reset(struct hci_dev hdev, struct sk_buff skb)
183		183
184	BT_DBG("%s status 0x%x", hdev->name, status);	184	BT_DBG("%s status 0x%x", hdev->name, status);
185		185
		186	clear_bit(HCI_RESET, &hdev->flags);
		187
186	hci_req_complete(hdev, HCI_OP_RESET, status);	188	hci_req_complete(hdev, HCI_OP_RESET, status);
187	}	189	}
188		190
@@ -1847,7 +1849,7 @@ static inline void hci_cmd_status_evt(struct hci_dev hdev, struct sk_buff skb)
1847	if (ev->opcode != HCI_OP_NOP)	1849	if (ev->opcode != HCI_OP_NOP)
1848	del_timer(&hdev->cmd_timer);	1850	del_timer(&hdev->cmd_timer);
1849		1851
1850	if (ev->ncmd) {	1852	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
1851	atomic_set(&hdev->cmd_cnt, 1);	1853	atomic_set(&hdev->cmd_cnt, 1);
1852	if (!skb_queue_empty(&hdev->cmd_q))	1854	if (!skb_queue_empty(&hdev->cmd_q))
1853	tasklet_schedule(&hdev->cmd_task);	1855	tasklet_schedule(&hdev->cmd_task);


diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index c9f9cecca527..ca27f3a41536 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -1116,7 +1116,9 @@ int l2cap_ertm_send(struct sock *sk)
1116	bt_cb(skb)->tx_seq = pi->next_tx_seq;	1116	bt_cb(skb)->tx_seq = pi->next_tx_seq;
1117	pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;	1117	pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1118		1118
1119	pi->unacked_frames++;	1119	if (bt_cb(skb)->retries == 1)
		1120	pi->unacked_frames++;
		1121
1120	pi->frames_sent++;	1122	pi->frames_sent++;
1121		1123
1122	if (skb_queue_is_last(TX_QUEUE(sk), skb))	1124	if (skb_queue_is_last(TX_QUEUE(sk), skb))


diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index fc85e7ae33c7..f77308e63e58 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -923,8 +923,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
923	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);	923	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
924	l2cap_send_cmd(conn, l2cap_pi(sk)->ident,	924	l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
925	L2CAP_CONN_RSP, sizeof(rsp), &rsp);	925	L2CAP_CONN_RSP, sizeof(rsp), &rsp);
926	} else	926	}
927	l2cap_chan_del(sk, reason);	927
		928	l2cap_chan_del(sk, reason);
928	break;	929	break;
929		930
930	case BT_CONNECT:	931	case BT_CONNECT:


diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 0054c74e27b7..4476d8e3c0f2 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c
@@ -1230,6 +1230,8 @@ static int user_confirm_reply(struct sock sk, u16 index, unsigned char data,
1230	if (!hdev)	1230	if (!hdev)
1231	return cmd_status(sk, index, mgmt_op, ENODEV);	1231	return cmd_status(sk, index, mgmt_op, ENODEV);
1232		1232
		1233	hci_dev_lock_bh(hdev);
		1234
1233	if (!test_bit(HCI_UP, &hdev->flags)) {	1235	if (!test_bit(HCI_UP, &hdev->flags)) {
1234	err = cmd_status(sk, index, mgmt_op, ENETDOWN);	1236	err = cmd_status(sk, index, mgmt_op, ENETDOWN);
1235	goto failed;	1237	goto failed;


diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index dfa5beb0c1c8..8b0d0167e44a 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c
@@ -1003,7 +1003,8 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
1003	int nlen;	1003	int nlen;
1004	u8 flags;	1004	u8 flags;
1005		1005
1006	BUG_ON(len > skb->len);	1006	if (WARN_ON(len > skb->len))
		1007	return -EINVAL;
1007		1008
1008	nsize = skb_headlen(skb) - len;	1009	nsize = skb_headlen(skb) - len;
1009	if (nsize < 0)	1010	if (nsize < 0)


diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 2b0c186862c8..56fa12538d45 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c
@@ -503,6 +503,7 @@ static int tcp_v6_send_synack(struct sock sk, struct request_sock req,
503	dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);	503	dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
504	if (IS_ERR(dst)) {	504	if (IS_ERR(dst)) {
505	err = PTR_ERR(dst);	505	err = PTR_ERR(dst);
		506	dst = NULL;
506	goto done;	507	goto done;
507	}	508	}
508	skb = tcp_make_synack(sk, dst, req, rvp);	509	skb = tcp_make_synack(sk, dst, req, rvp);


diff --git a/net/mac80211/key.c b/net/mac80211/key.c index 8c02469b7176..af3c56482c80 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c
@@ -342,7 +342,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
342	if (IS_ERR(key->u.ccmp.tfm)) {	342	if (IS_ERR(key->u.ccmp.tfm)) {
343	err = PTR_ERR(key->u.ccmp.tfm);	343	err = PTR_ERR(key->u.ccmp.tfm);
344	kfree(key);	344	kfree(key);
345	key = ERR_PTR(err);	345	return ERR_PTR(err);
346	}	346	}
347	break;	347	break;
348	case WLAN_CIPHER_SUITE_AES_CMAC:	348	case WLAN_CIPHER_SUITE_AES_CMAC:
@@ -360,7 +360,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
360	if (IS_ERR(key->u.aes_cmac.tfm)) {	360	if (IS_ERR(key->u.aes_cmac.tfm)) {
361	err = PTR_ERR(key->u.aes_cmac.tfm);	361	err = PTR_ERR(key->u.aes_cmac.tfm);
362	kfree(key);	362	kfree(key);
363	key = ERR_PTR(err);	363	return ERR_PTR(err);
364	}	364	}
365	break;	365	break;
366	}	366	}
@@ -400,11 +400,12 @@ int ieee80211_key_link(struct ieee80211_key *key,
400	{	400	{
401	struct ieee80211_key *old_key;	401	struct ieee80211_key *old_key;
402	int idx, ret;	402	int idx, ret;
403	bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;	403	bool pairwise;
404		404
405	BUG_ON(!sdata);	405	BUG_ON(!sdata);
406	BUG_ON(!key);	406	BUG_ON(!key);
407		407
		408	pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
408	idx = key->conf.keyidx;	409	idx = key->conf.keyidx;
409	key->local = sdata->local;	410	key->local = sdata->local;
410	key->sdata = sdata;	411	key->sdata = sdata;


diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c index 8212a8bebf06..dbdebeda097f 100644 --- a/net/mac80211/rc80211_minstrel_ht.c +++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -659,18 +659,14 @@ minstrel_ht_update_caps(void priv, struct ieee80211_supported_band sband,
659	struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;	659	struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
660	struct ieee80211_local *local = hw_to_local(mp->hw);	660	struct ieee80211_local *local = hw_to_local(mp->hw);
661	u16 sta_cap = sta->ht_cap.cap;	661	u16 sta_cap = sta->ht_cap.cap;
		662	int n_supported = 0;
662	int ack_dur;	663	int ack_dur;
663	int stbc;	664	int stbc;
664	int i;	665	int i;
665		666
666	/* fall back to the old minstrel for legacy stations */	667	/* fall back to the old minstrel for legacy stations */
667	if (!sta->ht_cap.ht_supported) {	668	if (!sta->ht_cap.ht_supported)
668	msp->is_ht = false;	669	goto use_legacy;
669	memset(&msp->legacy, 0, sizeof(msp->legacy));
670	msp->legacy.r = msp->ratelist;
671	msp->legacy.sample_table = msp->sample_table;
672	return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
673	}
674		670
675	BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=	671	BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
676	MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);	672	MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);
@@ -725,7 +721,22 @@ minstrel_ht_update_caps(void priv, struct ieee80211_supported_band sband,
725		721
726	mi->groups[i].supported =	722	mi->groups[i].supported =
727	mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];	723	mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
		724
		725	if (mi->groups[i].supported)
		726	n_supported++;
728	}	727	}
		728
		729	if (!n_supported)
		730	goto use_legacy;
		731
		732	return;
		733
		734	use_legacy:
		735	msp->is_ht = false;
		736	memset(&msp->legacy, 0, sizeof(msp->legacy));
		737	msp->legacy.r = msp->ratelist;
		738	msp->legacy.sample_table = msp->sample_table;
		739	return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
729	}	740	}
730		741
731	static void	742	static void


diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5c1930ba8ebe..aa5cc37b4921 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c
@@ -612,7 +612,8 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
612	skipped++;	612	skipped++;
613	continue;	613	continue;
614	}	614	}
615	if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +	615	if (skipped &&
		616	!time_after(jiffies, tid_agg_rx->reorder_time[j] +
616	HT_RX_REORDER_BUF_TIMEOUT))	617	HT_RX_REORDER_BUF_TIMEOUT))
617	goto set_release_timer;	618	goto set_release_timer;
618		619


diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index de98665db524..b3434cc7d0cf 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c
@@ -3106,10 +3106,10 @@ struct sctp_chunk sctp_process_asconf(struct sctp_association asoc,
3106		3106
3107	/* create an ASCONF_ACK chunk.	3107	/* create an ASCONF_ACK chunk.
3108	* Based on the definitions of parameters, we know that the size of	3108	* Based on the definitions of parameters, we know that the size of
3109	* ASCONF_ACK parameters are less than or equal to the twice of ASCONF	3109	* ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
3110	* parameters.	3110	* parameters.
3111	*/	3111	*/
3112	asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 2);	3112	asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 4);
3113	if (!asconf_ack)	3113	if (!asconf_ack)
3114	goto done;	3114	goto done;
3115		3115


diff --git a/net/wireless/scan.c b/net/wireless/scan.c index ea427f418f64..fbf6f33ae4d0 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c
@@ -124,6 +124,15 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev,
124	}	124	}
125		125
126	/* must hold dev->bss_lock! */	126	/* must hold dev->bss_lock! */
		127	static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
		128	struct cfg80211_internal_bss *bss)
		129	{
		130	list_del_init(&bss->list);
		131	rb_erase(&bss->rbn, &dev->bss_tree);
		132	kref_put(&bss->ref, bss_release);
		133	}
		134
		135	/* must hold dev->bss_lock! */
127	void cfg80211_bss_expire(struct cfg80211_registered_device *dev)	136	void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
128	{	137	{
129	struct cfg80211_internal_bss bss, tmp;	138	struct cfg80211_internal_bss bss, tmp;
@@ -134,9 +143,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
134	continue;	143	continue;
135	if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))	144	if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))
136	continue;	145	continue;
137	list_del(&bss->list);	146	__cfg80211_unlink_bss(dev, bss);
138	rb_erase(&bss->rbn, &dev->bss_tree);
139	kref_put(&bss->ref, bss_release);
140	expired = true;	147	expired = true;
141	}	148	}
142		149
@@ -585,16 +592,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
585	struct cfg80211_internal_bss *res;	592	struct cfg80211_internal_bss *res;
586	size_t ielen = len - offsetof(struct ieee80211_mgmt,	593	size_t ielen = len - offsetof(struct ieee80211_mgmt,
587	u.probe_resp.variable);	594	u.probe_resp.variable);
588	size_t privsz = wiphy->bss_priv_size;	595	size_t privsz;
		596
		597	if (WARN_ON(!mgmt))
		598	return NULL;
		599
		600	if (WARN_ON(!wiphy))
		601	return NULL;
589		602
590	if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&	603	if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
591	(signal < 0 \|\| signal > 100)))	604	(signal < 0 \|\| signal > 100)))
592	return NULL;	605	return NULL;
593		606
594	if (WARN_ON(!mgmt \|\| !wiphy \|\|	607	if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
595	len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
596	return NULL;	608	return NULL;
597		609
		610	privsz = wiphy->bss_priv_size;
		611
598	res = kzalloc(sizeof(*res) + privsz + ielen, gfp);	612	res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
599	if (!res)	613	if (!res)
600	return NULL;	614	return NULL;
@@ -662,11 +676,8 @@ void cfg80211_unlink_bss(struct wiphy wiphy, struct cfg80211_bss pub)
662		676
663	spin_lock_bh(&dev->bss_lock);	677	spin_lock_bh(&dev->bss_lock);
664	if (!list_empty(&bss->list)) {	678	if (!list_empty(&bss->list)) {
665	list_del_init(&bss->list);	679	__cfg80211_unlink_bss(dev, bss);
666	dev->bss_generation++;	680	dev->bss_generation++;
667	rb_erase(&bss->rbn, &dev->bss_tree);
668
669	kref_put(&bss->ref, bss_release);
670	}	681	}
671	spin_unlock_bh(&dev->bss_lock);	682	spin_unlock_bh(&dev->bss_lock);
672	}	683	}