Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/l2cap_core.c14
-rw-r--r--net/bluetooth/mgmt.c2
-rw-r--r--net/mac80211/mlme.c19
-rw-r--r--net/mac80211/rc80211_minstrel_ht.c2
-rw-r--r--net/mac80211/rx.c5
-rw-r--r--net/nfc/llcp/sock.c2
-rw-r--r--net/nfc/nci/ntf.c10
-rw-r--r--net/nfc/rawsock.c5
8 files changed, 32 insertions, 27 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 4ca88247b7c2..d42dfdc83ebb 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3278,12 +3278,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3278 while (len >= L2CAP_CONF_OPT_SIZE) { 3278 while (len >= L2CAP_CONF_OPT_SIZE) {
3279 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3279 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3280 3280
3281 switch (type) { 3281 if (type != L2CAP_CONF_RFC)
3282 case L2CAP_CONF_RFC: 3282 continue;
3283 if (olen == sizeof(rfc)) 3283
3284 memcpy(&rfc, (void *)val, olen); 3284 if (olen != sizeof(rfc))
3285 goto done; 3285 break;
3286 } 3286
3287 memcpy(&rfc, (void *)val, olen);
3288 goto done;
3287 } 3289 }
3288 3290
3289 /* Use sane default values in case a misbehaving remote device 3291 /* Use sane default values in case a misbehaving remote device
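Review bot: The new `break` on `olen != sizeof(rfc)` at 3284-3285 abandons the whole option walk and drops into the "sane default values" path that follows the loop, and nothing on that line says so; a reader may well expect `continue` there. I would add `/* malformed RFC option: stop parsing, fall back to the defaults below */` above the `break`. With the size now verified, the following `memcpy` could copy `sizeof(rfc)` instead of `olen` so the bound is visible at the copy itself. l2cap_conf_rfc_get starts and ends outside the hunk.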
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index c72307cc25fc..a6e0f3d8da6c 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1598,7 +1598,7 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
1598 else 1598 else
1599 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr); 1599 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
1600 1600
1601 if (!conn) { 1601 if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
1602 err = cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT, 1602 err = cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT,
1603 MGMT_STATUS_NOT_CONNECTED); 1603 MGMT_STATUS_NOT_CONNECTED);
1604 goto failed; 1604 goto failed;
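Review bot: The two state checks added to the `if (!conn ...)` line at 1601 do not record why BT_OPEN and BT_CLOSED, and no other state, are reported as MGMT_STATUS_NOT_CONNECTED, which the next maintainer will need when another state has to be treated the same way. A comment above the condition would keep that: `/* BT_OPEN/BT_CLOSED: link not yet or no longer established, nothing to disconnect */`. Presumably the looked-up `conn` and its `state` are only stable under a lock taken outside this hunk; worth confirming. disconnect() starts and ends outside the hunk.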
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d563f7c55531..f49f14f8ba82 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1326,7 +1326,6 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1326 struct ieee80211_local *local = sdata->local; 1326 struct ieee80211_local *local = sdata->local;
1327 struct sta_info *sta; 1327 struct sta_info *sta;
1328 u32 changed = 0; 1328 u32 changed = 0;
1329 u8 bssid[ETH_ALEN];
1330 1329
1331 ASSERT_MGD_MTX(ifmgd); 1330 ASSERT_MGD_MTX(ifmgd);
1332 1331
@@ -1338,10 +1337,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1338 1337
1339 ieee80211_stop_poll(sdata); 1338 ieee80211_stop_poll(sdata);
1340 1339
1341 memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
1342
1343 ifmgd->associated = NULL; 1340 ifmgd->associated = NULL;
1344 memset(ifmgd->bssid, 0, ETH_ALEN);
1345 1341
1346 /* 1342 /*
1347 * we need to commit the associated = NULL change because the 1343 * we need to commit the associated = NULL change because the
@@ -1361,7 +1357,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1361 netif_carrier_off(sdata->dev); 1357 netif_carrier_off(sdata->dev);
1362 1358
1363 mutex_lock(&local->sta_mtx); 1359 mutex_lock(&local->sta_mtx);
1364 sta = sta_info_get(sdata, bssid); 1360 sta = sta_info_get(sdata, ifmgd->bssid);
1365 if (sta) { 1361 if (sta) {
1366 set_sta_flag(sta, WLAN_STA_BLOCK_BA); 1362 set_sta_flag(sta, WLAN_STA_BLOCK_BA);
1367 ieee80211_sta_tear_down_BA_sessions(sta, tx); 1363 ieee80211_sta_tear_down_BA_sessions(sta, tx);
@@ -1374,13 +1370,16 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1374 1370
1375 /* deauthenticate/disassociate now */ 1371 /* deauthenticate/disassociate now */
1376 if (tx || frame_buf) 1372 if (tx || frame_buf)
1377 ieee80211_send_deauth_disassoc(sdata, bssid, stype, reason, 1373 ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid, stype,
1378 tx, frame_buf); 1374 reason, tx, frame_buf);
1379 1375
1380 /* flush out frame */ 1376 /* flush out frame */
1381 if (tx) 1377 if (tx)
1382 drv_flush(local, false); 1378 drv_flush(local, false);
1383 1379
1380 /* clear bssid only after building the needed mgmt frames */
1381 memset(ifmgd->bssid, 0, ETH_ALEN);
1382
1384 /* remove AP and TDLS peers */ 1383 /* remove AP and TDLS peers */
1385 sta_info_flush(local, sdata); 1384 sta_info_flush(local, sdata);
1386 1385
@@ -2167,15 +2166,13 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
2167 mgmt->sa, status_code); 2166 mgmt->sa, status_code);
2168 ieee80211_destroy_assoc_data(sdata, false); 2167 ieee80211_destroy_assoc_data(sdata, false);
2169 } else { 2168 } else {
2170 sdata_info(sdata, "associated\n");
2171
2172 if (!ieee80211_assoc_success(sdata, *bss, mgmt, len)) { 2169 if (!ieee80211_assoc_success(sdata, *bss, mgmt, len)) {
2173 /* oops -- internal error -- send timeout for now */ 2170 /* oops -- internal error -- send timeout for now */
2174 ieee80211_destroy_assoc_data(sdata, true); 2171 ieee80211_destroy_assoc_data(sdata, false);
2175 sta_info_destroy_addr(sdata, mgmt->bssid);
2176 cfg80211_put_bss(*bss); 2172 cfg80211_put_bss(*bss);
2177 return RX_MGMT_CFG80211_ASSOC_TIMEOUT; 2173 return RX_MGMT_CFG80211_ASSOC_TIMEOUT;
2178 } 2174 }
2175 sdata_info(sdata, "associated\n");
2179 2176
2180 /* 2177 /*
2181 * destroy assoc_data afterwards, as otherwise an idle 2178 * destroy assoc_data afterwards, as otherwise an idle
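Review bot: In ieee80211_rx_mgmt_assoc_resp the internal-error path now calls `ieee80211_destroy_assoc_data(sdata, false)` instead of `true` and drops the `sta_info_destroy_addr()` call, which moves responsibility for removing the station on that path somewhere else, and no comment records where. I would annotate the call: `/* assoc_success() failed: presumably it tore down the station itself, so only release assoc_data here — confirm */`. Moving `sdata_info(sdata, "associated\n")` after the success check is an improvement, since the log no longer reports an association that then fails. The function starts and ends outside the hunk; the ieee80211_set_disassoc hunks above are adequately explained by the new "clear bssid only after building the needed mgmt frames" comment.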
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 2d1acc6c5445..f9e51ef8dfa2 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -809,7 +809,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp)
809 max_rates = sband->n_bitrates; 809 max_rates = sband->n_bitrates;
810 } 810 }
811 811
812 msp = kzalloc(sizeof(struct minstrel_ht_sta), gfp); 812 msp = kzalloc(sizeof(*msp), gfp);
813 if (!msp) 813 if (!msp)
814 return NULL; 814 return NULL;
815 815
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index ab5185054e6c..839cac8fab57 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2434,7 +2434,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
2434 * frames that we didn't handle, including returning unknown 2434 * frames that we didn't handle, including returning unknown
2435 * ones. For all other modes we will return them to the sender, 2435 * ones. For all other modes we will return them to the sender,
2436 * setting the 0x80 bit in the action category, as required by 2436 * setting the 0x80 bit in the action category, as required by
2437 * 802.11-2007 7.3.1.11. 2437 * 802.11-2012 9.24.4.
2438 * Newer versions of hostapd shall also use the management frame 2438 * Newer versions of hostapd shall also use the management frame
2439 * registration mechanisms, but older ones still use cooked 2439 * registration mechanisms, but older ones still use cooked
2440 * monitor interfaces so push all frames there. 2440 * monitor interfaces so push all frames there.
@@ -2444,6 +2444,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
2444 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) 2444 sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
2445 return RX_DROP_MONITOR; 2445 return RX_DROP_MONITOR;
2446 2446
2447 if (is_multicast_ether_addr(mgmt->da))
2448 return RX_DROP_MONITOR;
2449
2447 /* do not return rejected action frames */ 2450 /* do not return rejected action frames */
2448 if (mgmt->u.action.category & 0x80) 2451 if (mgmt->u.action.category & 0x80)
2449 return RX_DROP_UNUSABLE; 2452 return RX_DROP_UNUSABLE;
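Review bot: The new `is_multicast_ether_addr(mgmt->da)` check at 2447 has no comment, unlike the neighbouring drop conditions, so the reason for not returning group-addressed action frames to their sender is lost. I would add `/* never "return" a group-addressed action frame to its sender */`, citing the 802.11-2012 clause the comment block above already references if that is where the rule comes from. ieee80211_rx_h_action_return starts and ends outside the hunk.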
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 2c0b317344b7..05ca5a680071 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -292,7 +292,7 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *addr,
292 292
293 pr_debug("%p\n", sk); 293 pr_debug("%p\n", sk);
294 294
295 if (llcp_sock == NULL) 295 if (llcp_sock == NULL || llcp_sock->dev == NULL)
296 return -EBADFD; 296 return -EBADFD;
297 297
298 addr->sa_family = AF_NFC; 298 addr->sa_family = AF_NFC;
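Review bot: The added `llcp_sock->dev == NULL` check at 295 reuses -EBADFD for a socket that exists but has no device, and nothing says which of the fields filled in after this point need `dev`; the rest of llcp_sock_getname is outside the hunk. A one-line comment would keep the intent: `/* no adapter attached yet (presumably unbound): nothing to report */`. If `dev` can be cleared concurrently on device removal, the check alone may not be sufficient; worth confirming which lock protects it.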
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index cb2646179e5f..2ab196a9f228 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
106 nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); 106 nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
107 data += 2; 107 data += 2;
108 108
109 nfca_poll->nfcid1_len = *data++; 109 nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
110 110
111 pr_debug("sens_res 0x%x, nfcid1_len %d\n", 111 pr_debug("sens_res 0x%x, nfcid1_len %d\n",
112 nfca_poll->sens_res, nfca_poll->nfcid1_len); 112 nfca_poll->sens_res, nfca_poll->nfcid1_len);
@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
130 struct rf_tech_specific_params_nfcb_poll *nfcb_poll, 130 struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
131 __u8 *data) 131 __u8 *data)
132{ 132{
133 nfcb_poll->sensb_res_len = *data++; 133 nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
134 134
135 pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); 135 pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
136 136
@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
145 __u8 *data) 145 __u8 *data)
146{ 146{
147 nfcf_poll->bit_rate = *data++; 147 nfcf_poll->bit_rate = *data++;
148 nfcf_poll->sensf_res_len = *data++; 148 nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
149 149
150 pr_debug("bit_rate %d, sensf_res_len %d\n", 150 pr_debug("bit_rate %d, sensf_res_len %d\n",
151 nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); 151 nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
@@ -331,7 +331,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
331 switch (ntf->activation_rf_tech_and_mode) { 331 switch (ntf->activation_rf_tech_and_mode) {
332 case NCI_NFC_A_PASSIVE_POLL_MODE: 332 case NCI_NFC_A_PASSIVE_POLL_MODE:
333 nfca_poll = &ntf->activation_params.nfca_poll_iso_dep; 333 nfca_poll = &ntf->activation_params.nfca_poll_iso_dep;
334 nfca_poll->rats_res_len = *data++; 334 nfca_poll->rats_res_len = min_t(__u8, *data++, 20);
335 pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len); 335 pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len);
336 if (nfca_poll->rats_res_len > 0) { 336 if (nfca_poll->rats_res_len > 0) {
337 memcpy(nfca_poll->rats_res, 337 memcpy(nfca_poll->rats_res,
@@ -341,7 +341,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
341 341
342 case NCI_NFC_B_PASSIVE_POLL_MODE: 342 case NCI_NFC_B_PASSIVE_POLL_MODE:
343 nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep; 343 nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep;
344 nfcb_poll->attrib_res_len = *data++; 344 nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50);
345 pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len); 345 pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len);
346 if (nfcb_poll->attrib_res_len > 0) { 346 if (nfcb_poll->attrib_res_len > 0) {
347 memcpy(nfcb_poll->attrib_res, 347 memcpy(nfcb_poll->attrib_res,
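Review bot: The `min_t(__u8, *data++, 20)` clamp at 334 (and `50` at 344) uses bare literals where the earlier hunks use named `NFC_*_MAXSIZE` constants; if `rats_res` and `attrib_res` are array members, `sizeof(nfca_poll->rats_res)` and `sizeof(nfcb_poll->attrib_res)` would tie the bound to the buffer the following `memcpy` writes into. More importantly, clamping silently truncates instead of rejecting: if the code after the memcpy (outside the hunk) advances `data` by the clamped length, a peer-supplied length larger than the buffer leaves the rest of the notification parsed from the wrong offset. Returning an error for an over-long length is the safer handling of a malformed notification, and the same consideration applies to the three `*_res_len` clamps in the poll-params hunks above. nci_extract_activation_params_iso_dep starts and ends outside the hunk.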
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index ec1134c9e07f..8b8a6a2b2bad 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -54,7 +54,10 @@ static int rawsock_release(struct socket *sock)
54{ 54{
55 struct sock *sk = sock->sk; 55 struct sock *sk = sock->sk;
56 56
57 pr_debug("sock=%p\n", sock); 57 pr_debug("sock=%p sk=%p\n", sock, sk);
58
59 if (!sk)
60 return 0;
58 61
59 sock_orphan(sk); 62 sock_orphan(sk);
60 sock_put(sk); 63 sock_put(sk);
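Review bot: The new `if (!sk) return 0;` guard at 59 carries no comment on how rawsock_release can be entered with `sock->sk` already NULL, so a later reader may take it for dead code and remove it. I would add `/* sk may already be detached (presumably release after a failed setup); nothing left to drop */`, adjusted to whichever case motivated the fix. Logging `sk` in the pr_debug before the guard is useful, since the NULL case is exactly what it will show. The function continues past the hunk.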