Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/af_bluetooth.c8
-rw-r--r--net/bluetooth/hci_event.c22
-rw-r--r--net/bluetooth/hci_sock.c2
-rw-r--r--net/bluetooth/l2cap_core.c26
-rw-r--r--net/bluetooth/l2cap_sock.c2
-rw-r--r--net/bluetooth/mgmt.c4
-rw-r--r--net/bluetooth/rfcomm/sock.c12
-rw-r--r--net/bluetooth/rfcomm/tty.c22
-rw-r--r--net/bluetooth/sco.c8
-rw-r--r--net/mac80211/wpa.c2
-rw-r--r--net/wireless/nl80211.c34
11 files changed, 86 insertions, 56 deletions
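--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -156,17 +156,17 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto,
 
 void bt_sock_link(struct bt_sock_list *l, struct sock *sk)
 {
-	write_lock_bh(&l->lock);
+	write_lock(&l->lock);
 	sk_add_node(sk, &l->head);
-	write_unlock_bh(&l->lock);
+	write_unlock(&l->lock);
 }
 EXPORT_SYMBOL(bt_sock_link);
 
 void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk)
 {
-	write_lock_bh(&l->lock);
+	write_lock(&l->lock);
 	sk_del_node_init(sk);
-	write_unlock_bh(&l->lock);
+	write_unlock(&l->lock);
 }
 EXPORT_SYMBOL(bt_sock_unlink);
 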
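Review bot: bt_sock_link() and bt_sock_unlink() now take l->lock with plain write_lock(), so the lock no longer disables bottom halves, and that is only safe if every remaining caller of these helpers and every reader of the list runs in process context, which this hunk cannot show. The same _bh removal appears in l2cap_core.c, rfcomm/sock.c, rfcomm/tty.c and sco.c, and the local_bh_disable()/local_bh_enable() pair dropped around bh_lock_sock_nested() in hci_sock.c rests on the same assumption, so it deserves to be stated once rather than left implicit. A comment on each exported helper would make the new contract visible, e.g. `/* Process context only: l->lock is no longer BH-safe */`. If any receive-path (softirq) user of one of these locks remains, it could now deadlock against these writers on the same CPU.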
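--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -711,7 +711,14 @@ static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
 	if (rp->status)
 		return;
 
-	memcpy(hdev->extfeatures, rp->features, 8);
+	switch (rp->page) {
+	case 0:
+		memcpy(hdev->features, rp->features, 8);
+		break;
+	case 1:
+		memcpy(hdev->host_features, rp->features, 8);
+		break;
+	}
 
 	hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
 }
@@ -1047,9 +1054,7 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
 	case LE_SCANNING_DISABLED:
 		clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
 
-		cancel_delayed_work_sync(&hdev->adv_work);
-		queue_delayed_work(hdev->workqueue, &hdev->adv_work,
-					jiffies + ADV_CLEAR_TIMEOUT);
+		schedule_delayed_work(&hdev->adv_work, ADV_CLEAR_TIMEOUT);
 		break;
 
 	default:
@@ -2266,20 +2271,19 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s
 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
 	int i;
 
-	skb_pull(skb, sizeof(*ev));
-
-	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
-
 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
 		BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
 		return;
 	}
 
-	if (skb->len < ev->num_hndl * 4) {
+	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
+			ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
 		BT_DBG("%s bad parameters", hdev->name);
 		return;
 	}
 
+	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
+
 	for (i = 0; i < ev->num_hndl; i++) {
 		struct hci_comp_pkts_info *info = &ev->handles[i];
 		struct hci_conn *conn;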
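Review bot: In hci_cc_le_set_scan_enable() the new schedule_delayed_work() call does not re-arm a delayed work that is already pending, whereas the removed cancel_delayed_work_sync()/queue_delayed_work() pair always restarted the countdown; if scanning can be disabled again while adv_work is still queued, the clear now fires earlier than before (the old `jiffies + ADV_CLEAR_TIMEOUT` delay was itself wrong, so some change here was needed). The work also moves from hdev->workqueue to the system workqueue, so whatever flushes or destroys hdev->workqueue on unregister presumably no longer covers adv_work; worth confirming that it is cancelled explicitly on that path. In hci_cc_read_local_ext_features() the new switch silently drops any rp->page other than 0 and 1; a `default:` arm with a BT_DBG would document that this is intentional. Both enclosing functions, and hci_num_comp_pkts_evt(), continue outside the hunks.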
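--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -767,7 +767,6 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event,
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, node, &hci_sk_list.head) {
-			local_bh_disable();
 			bh_lock_sock_nested(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
@@ -778,7 +777,6 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event,
 				hci_dev_put(hdev);
 			}
 			bh_unlock_sock(sk);
-			local_bh_enable();
 		}
 		read_unlock(&hci_sk_list.lock);
 	}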
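--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -165,7 +165,7 @@ int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
 {
 	int err;
 
-	write_lock_bh(&chan_list_lock);
+	write_lock(&chan_list_lock);
 
 	if (psm && __l2cap_global_chan_by_addr(psm, src)) {
 		err = -EADDRINUSE;
@@ -190,17 +190,17 @@ int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
 	}
 
 done:
-	write_unlock_bh(&chan_list_lock);
+	write_unlock(&chan_list_lock);
 	return err;
 }
 
 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
 {
-	write_lock_bh(&chan_list_lock);
+	write_lock(&chan_list_lock);
 
 	chan->scid = scid;
 
-	write_unlock_bh(&chan_list_lock);
+	write_unlock(&chan_list_lock);
 
 	return 0;
 }
@@ -289,9 +289,9 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
 
 	chan->sk = sk;
 
-	write_lock_bh(&chan_list_lock);
+	write_lock(&chan_list_lock);
 	list_add(&chan->global_l, &chan_list);
-	write_unlock_bh(&chan_list_lock);
+	write_unlock(&chan_list_lock);
 
 	INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
 
@@ -306,9 +306,9 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
 
 void l2cap_chan_destroy(struct l2cap_chan *chan)
 {
-	write_lock_bh(&chan_list_lock);
+	write_lock(&chan_list_lock);
 	list_del(&chan->global_l);
-	write_unlock_bh(&chan_list_lock);
+	write_unlock(&chan_list_lock);
 
 	l2cap_chan_put(chan);
 }
@@ -543,14 +543,14 @@ static u8 l2cap_get_ident(struct l2cap_conn *conn)
 	 * 200 - 254 are used by utilities like l2ping, etc.
 	 */
 
-	spin_lock_bh(&conn->lock);
+	spin_lock(&conn->lock);
 
 	if (++conn->tx_ident > 128)
 		conn->tx_ident = 1;
 
 	id = conn->tx_ident;
 
-	spin_unlock_bh(&conn->lock);
+	spin_unlock(&conn->lock);
 
 	return id;
 }
@@ -1190,7 +1190,7 @@ inline int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdad
 	}
 
 	/* Set destination address and psm */
-	bacpy(&bt_sk(sk)->dst, src);
+	bacpy(&bt_sk(sk)->dst, dst);
 	chan->psm = psm;
 	chan->dcid = cid;
 
@@ -4702,7 +4702,7 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
 {
 	struct l2cap_chan *c;
 
-	read_lock_bh(&chan_list_lock);
+	read_lock(&chan_list_lock);
 
 	list_for_each_entry(c, &chan_list, global_l) {
 		struct sock *sk = c->sk;
@@ -4715,7 +4715,7 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
 					c->sec_level, c->mode);
 	}
 
-	read_unlock_bh(&chan_list_lock);
+	read_unlock(&chan_list_lock);
 
 	return 0;
 }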
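--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -587,6 +587,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
 			if (smp_conn_security(conn, sec.level))
 				break;
 			sk->sk_state = BT_CONFIG;
+			chan->state = BT_CONFIG;
 
 		/* or for ACL link, under defer_setup time */
 		} else if (sk->sk_state == BT_CONNECT2 &&
@@ -731,6 +732,7 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
 
 	if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
 		sk->sk_state = BT_CONFIG;
+		pi->chan->state = BT_CONFIG;
 
 		__l2cap_connect_rsp_defer(pi->chan);
 		release_sock(sk);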
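Review bot: Both hunks now update sk->sk_state and the channel state as two separate assignments, which is exactly the pattern that let the two drift apart before this fix; if l2cap_core.c has (or gains) a single helper that sets both together, calling it from l2cap_sock_setsockopt() and l2cap_sock_recvmsg() would keep them from diverging again. Until then a short comment at each site would record the invariant, e.g. `/* chan->state must mirror sk->sk_state */`. Both enclosing functions continue outside the hunks, and the `pi` used in the recvmsg hunk is defined above it.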
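--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -291,7 +291,7 @@ static u32 get_current_settings(struct hci_dev *hdev)
 	if (!(hdev->features[4] & LMP_NO_BREDR))
 		settings |= MGMT_SETTING_BREDR;
 
-	if (hdev->extfeatures[0] & LMP_HOST_LE)
+	if (hdev->host_features[0] & LMP_HOST_LE)
 		settings |= MGMT_SETTING_LE;
 
 	if (test_bit(HCI_AUTH, &hdev->flags))
@@ -2756,7 +2756,7 @@ int mgmt_stop_discovery_failed(struct hci_dev *hdev, u8 status)
 	if (!cmd)
 		return -ENOENT;
 
-	err = cmd_status(cmd->sk, hdev->id, cmd->opcode, status);
+	err = cmd_status(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status));
 	mgmt_pending_remove(cmd);
 
 	return err;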
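--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -370,7 +370,7 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
 		goto done;
 	}
 
-	write_lock_bh(&rfcomm_sk_list.lock);
+	write_lock(&rfcomm_sk_list.lock);
 
 	if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
 		err = -EADDRINUSE;
@@ -381,7 +381,7 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
 		sk->sk_state = BT_BOUND;
 	}
 
-	write_unlock_bh(&rfcomm_sk_list.lock);
+	write_unlock(&rfcomm_sk_list.lock);
 
 done:
 	release_sock(sk);
@@ -455,7 +455,7 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog)
 
 		err = -EINVAL;
 
-		write_lock_bh(&rfcomm_sk_list.lock);
+		write_lock(&rfcomm_sk_list.lock);
 
 		for (channel = 1; channel < 31; channel++)
 			if (!__rfcomm_get_sock_by_addr(channel, src)) {
@@ -464,7 +464,7 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog)
 				break;
 			}
 
-		write_unlock_bh(&rfcomm_sk_list.lock);
+		write_unlock(&rfcomm_sk_list.lock);
 
 		if (err < 0)
 			goto done;
@@ -982,7 +982,7 @@ static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
 	struct sock *sk;
 	struct hlist_node *node;
 
-	read_lock_bh(&rfcomm_sk_list.lock);
+	read_lock(&rfcomm_sk_list.lock);
 
 	sk_for_each(sk, node, &rfcomm_sk_list.head) {
 		seq_printf(f, "%s %s %d %d\n",
@@ -991,7 +991,7 @@ static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
 				sk->sk_state, rfcomm_pi(sk)->channel);
 	}
 
-	read_unlock_bh(&rfcomm_sk_list.lock);
+	read_unlock(&rfcomm_sk_list.lock);
 
 	return 0;
 }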
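--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -76,7 +76,7 @@ struct rfcomm_dev {
 };
 
 static LIST_HEAD(rfcomm_dev_list);
-static DEFINE_RWLOCK(rfcomm_dev_lock);
+static DEFINE_SPINLOCK(rfcomm_dev_lock);
 
 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
@@ -146,7 +146,7 @@ static inline struct rfcomm_dev *rfcomm_dev_get(int id)
 {
 	struct rfcomm_dev *dev;
 
-	read_lock(&rfcomm_dev_lock);
+	spin_lock(&rfcomm_dev_lock);
 
 	dev = __rfcomm_dev_get(id);
 
@@ -157,7 +157,7 @@ static inline struct rfcomm_dev *rfcomm_dev_get(int id)
 			rfcomm_dev_hold(dev);
 	}
 
-	read_unlock(&rfcomm_dev_lock);
+	spin_unlock(&rfcomm_dev_lock);
 
 	return dev;
 }
@@ -205,7 +205,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
 	if (!dev)
 		return -ENOMEM;
 
-	write_lock_bh(&rfcomm_dev_lock);
+	spin_lock(&rfcomm_dev_lock);
 
 	if (req->dev_id < 0) {
 		dev->id = 0;
@@ -290,7 +290,7 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
 	__module_get(THIS_MODULE);
 
 out:
-	write_unlock_bh(&rfcomm_dev_lock);
+	spin_unlock(&rfcomm_dev_lock);
 
 	if (err < 0)
 		goto free;
@@ -327,9 +327,9 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev)
 	if (atomic_read(&dev->opened) > 0)
 		return;
 
-	write_lock_bh(&rfcomm_dev_lock);
+	spin_lock(&rfcomm_dev_lock);
 	list_del_init(&dev->list);
-	write_unlock_bh(&rfcomm_dev_lock);
+	spin_unlock(&rfcomm_dev_lock);
 
 	rfcomm_dev_put(dev);
 }
@@ -473,7 +473,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 
 	di = dl->dev_info;
 
-	read_lock_bh(&rfcomm_dev_lock);
+	spin_lock(&rfcomm_dev_lock);
 
 	list_for_each_entry(dev, &rfcomm_dev_list, list) {
 		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
@@ -488,7 +488,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 			break;
 	}
 
-	read_unlock_bh(&rfcomm_dev_lock);
+	spin_unlock(&rfcomm_dev_lock);
 
 	dl->dev_num = n;
 	size = sizeof(*dl) + n * sizeof(*di);
@@ -766,9 +766,9 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
 	rfcomm_dlc_unlock(dev->dlc);
 
 	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) {
-		write_lock_bh(&rfcomm_dev_lock);
+		spin_lock(&rfcomm_dev_lock);
 		list_del_init(&dev->list);
-		write_unlock_bh(&rfcomm_dev_lock);
+		spin_unlock(&rfcomm_dev_lock);
 
 		rfcomm_dev_put(dev);
 	}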
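--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -482,7 +482,7 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
 		goto done;
 	}
 
-	write_lock_bh(&sco_sk_list.lock);
+	write_lock(&sco_sk_list.lock);
 
 	if (bacmp(src, BDADDR_ANY) && __sco_get_sock_by_addr(src)) {
 		err = -EADDRINUSE;
@@ -492,7 +492,7 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
 		sk->sk_state = BT_BOUND;
 	}
 
-	write_unlock_bh(&sco_sk_list.lock);
+	write_unlock(&sco_sk_list.lock);
 
 done:
 	release_sock(sk);
@@ -965,14 +965,14 @@ static int sco_debugfs_show(struct seq_file *f, void *p)
 	struct sock *sk;
 	struct hlist_node *node;
 
-	read_lock_bh(&sco_sk_list.lock);
+	read_lock(&sco_sk_list.lock);
 
 	sk_for_each(sk, node, &sco_sk_list.head) {
 		seq_printf(f, "%s %s %d\n", batostr(&bt_sk(sk)->src),
 				batostr(&bt_sk(sk)->dst), sk->sk_state);
 	}
 
-	read_unlock_bh(&sco_sk_list.lock);
+	read_unlock(&sco_sk_list.lock);
 
 	return 0;
 }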
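--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
 	if (status->flag & RX_FLAG_MMIC_ERROR)
 		goto mic_fail;
 
-	if (!(status->flag & RX_FLAG_IV_STRIPPED))
+	if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
 		goto update_iv;
 
 	return RX_CONTINUE;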
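Review bot: The new `&& rx->key` guard in ieee80211_rx_h_michael_mic_verify() keeps the update_iv path from dereferencing a NULL key, but nothing in the hunk says when a frame can reach this point without a key, so a later reader may well "simplify" the condition back. A one-line comment on the condition would pin the reason, e.g. `/* rx->key can be NULL here; only update the IV when a key exists */`, worded as precisely as the actual caller contract allows. The mic_fail and update_iv labels are outside the hunk, so whether the mic_fail path also touches rx->key cannot be checked from here.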
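--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2250,6 +2250,7 @@ static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
 };
 
 static int parse_station_flags(struct genl_info *info,
+			       enum nl80211_iftype iftype,
 			       struct station_parameters *params)
 {
 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
@@ -2283,8 +2284,33 @@ static int parse_station_flags(struct genl_info *info,
 			nla, sta_flags_policy))
 		return -EINVAL;
 
-	params->sta_flags_mask = (1 << __NL80211_STA_FLAG_AFTER_LAST) - 1;
-	params->sta_flags_mask &= ~1;
+	/*
+	 * Only allow certain flags for interface types so that
+	 * other attributes are silently ignored. Remember that
+	 * this is backward compatibility code with old userspace
+	 * and shouldn't be hit in other cases anyway.
+	 */
+	switch (iftype) {
+	case NL80211_IFTYPE_AP:
+	case NL80211_IFTYPE_AP_VLAN:
+	case NL80211_IFTYPE_P2P_GO:
+		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
+					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
+					 BIT(NL80211_STA_FLAG_WME) |
+					 BIT(NL80211_STA_FLAG_MFP);
+		break;
+	case NL80211_IFTYPE_P2P_CLIENT:
+	case NL80211_IFTYPE_STATION:
+		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
+					 BIT(NL80211_STA_FLAG_TDLS_PEER);
+		break;
+	case NL80211_IFTYPE_MESH_POINT:
+		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
+					 BIT(NL80211_STA_FLAG_MFP) |
+					 BIT(NL80211_STA_FLAG_AUTHORIZED);
+	default:
+		return -EINVAL;
+	}
 
 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++)
 		if (flags[flag])
@@ -2585,7 +2611,7 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
 	if (!rdev->ops->change_station)
 		return -EOPNOTSUPP;
 
-	if (parse_station_flags(info, &params))
+	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
 		return -EINVAL;
 
 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
@@ -2731,7 +2757,7 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
 	if (!rdev->ops->add_station)
 		return -EOPNOTSUPP;
 
-	if (parse_station_flags(info, &params))
+	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
 		return -EINVAL;
 
 	switch (dev->ieee80211_ptr->iftype) {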
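Review bot: The NL80211_IFTYPE_MESH_POINT case in parse_station_flags() has no `break;` before `default:`, so after assigning params->sta_flags_mask it falls through into `return -EINVAL` and every station add or change on a mesh interface that goes through this legacy flags path is rejected. Add `break;` after the `BIT(NL80211_STA_FLAG_AUTHORIZED);` line of the mesh arm so that branch reaches the flag loop like the AP and station arms do. The rest of parse_station_flags(), including the loop that applies sta_flags_mask, continues outside the hunk, as do nl80211_set_station() and nl80211_new_station().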