2 files changed, 12 insertions, 7 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 3e3cd9d4e52c..fadf26b4ed7c 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -2705,8 +2705,9 @@ done:
                case L2CAP_MODE_ERTM:
                        pi->remote_tx_win = rfc.txwin_size;
                        pi->remote_max_tx = rfc.max_transmit;
-                        if (rfc.max_pdu_size > pi->conn->mtu - 10)
-                                rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
+                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
+                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
@@ -2723,8 +2724,8 @@ done:
                        break;
                case L2CAP_MODE_STREAMING:
-                        if (rfc.max_pdu_size > pi->conn->mtu - 10)
+                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
-                                rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
+                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
@@ -2806,7 +2807,6 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
        if (*result == L2CAP_CONF_SUCCESS) {
                switch (rfc.mode) {
                case L2CAP_MODE_ERTM:
-                        pi->remote_tx_win   = rfc.txwin_size;
                        pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
                        pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
                        pi->mps    = le16_to_cpu(rfc.max_pdu_size);
@@ -2862,7 +2862,6 @@ static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
 done:
        switch (rfc.mode) {
        case L2CAP_MODE_ERTM:
-                pi->remote_tx_win   = rfc.txwin_size;
                pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
                pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
                pi->mps    = le16_to_cpu(rfc.max_pdu_size);
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index e74a1a2119d3..d1a3fb99fdf2 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -843,13 +843,19 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev,
                return -EINVAL;
        if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
                /* Verify that we are associated with the destination AP */
+                wdev_lock(wdev);
                if (!wdev->current_bss ||
                    memcmp(wdev->current_bss->pub.bssid, mgmt->bssid,
                           ETH_ALEN) != 0 ||
                    (wdev->iftype == NL80211_IFTYPE_STATION &&
                     memcmp(wdev->current_bss->pub.bssid, mgmt->da,
-                            ETH_ALEN) != 0))
+                            ETH_ALEN) != 0)) {
+                        wdev_unlock(wdev);
                        return -ENOTCONN;
+                }
+                wdev_unlock(wdev);
        }
        if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 3e3cd9d4e52c..fadf26b4ed7c 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c
@@ -2705,8 +2705,9 @@ done:
2705	case L2CAP_MODE_ERTM:	2705	case L2CAP_MODE_ERTM:
2706	pi->remote_tx_win = rfc.txwin_size;	2706	pi->remote_tx_win = rfc.txwin_size;
2707	pi->remote_max_tx = rfc.max_transmit;	2707	pi->remote_max_tx = rfc.max_transmit;
2708	if (rfc.max_pdu_size > pi->conn->mtu - 10)	2708
2709	rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);	2709	if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
		2710	rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2710		2711
2711	pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);	2712	pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2712		2713
@@ -2723,8 +2724,8 @@ done:
2723	break;	2724	break;
2724		2725
2725	case L2CAP_MODE_STREAMING:	2726	case L2CAP_MODE_STREAMING:
2726	if (rfc.max_pdu_size > pi->conn->mtu - 10)	2727	if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
2727	rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);	2728	rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
2728		2729
2729	pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);	2730	pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2730		2731
@@ -2806,7 +2807,6 @@ static int l2cap_parse_conf_rsp(struct sock sk, void rsp, int len, void *data,
2806	if (*result == L2CAP_CONF_SUCCESS) {	2807	if (*result == L2CAP_CONF_SUCCESS) {
2807	switch (rfc.mode) {	2808	switch (rfc.mode) {
2808	case L2CAP_MODE_ERTM:	2809	case L2CAP_MODE_ERTM:
2809	pi->remote_tx_win = rfc.txwin_size;
2810	pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);	2810	pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2811	pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);	2811	pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2812	pi->mps = le16_to_cpu(rfc.max_pdu_size);	2812	pi->mps = le16_to_cpu(rfc.max_pdu_size);
@@ -2862,7 +2862,6 @@ static void l2cap_conf_rfc_get(struct sock sk, void rsp, int len)
2862	done:	2862	done:
2863	switch (rfc.mode) {	2863	switch (rfc.mode) {
2864	case L2CAP_MODE_ERTM:	2864	case L2CAP_MODE_ERTM:
2865	pi->remote_tx_win = rfc.txwin_size;
2866	pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);	2865	pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2867	pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);	2866	pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2868	pi->mps = le16_to_cpu(rfc.max_pdu_size);	2867	pi->mps = le16_to_cpu(rfc.max_pdu_size);


diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c index e74a1a2119d3..d1a3fb99fdf2 100644 --- a/net/wireless/mlme.c +++ b/net/wireless/mlme.c
@@ -843,13 +843,19 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev,
843	return -EINVAL;	843	return -EINVAL;
844	if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {	844	if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
845	/* Verify that we are associated with the destination AP */	845	/* Verify that we are associated with the destination AP */
		846	wdev_lock(wdev);
		847
846	if (!wdev->current_bss \|\|	848	if (!wdev->current_bss \|\|
847	memcmp(wdev->current_bss->pub.bssid, mgmt->bssid,	849	memcmp(wdev->current_bss->pub.bssid, mgmt->bssid,
848	ETH_ALEN) != 0 \|\|	850	ETH_ALEN) != 0 \|\|
849	(wdev->iftype == NL80211_IFTYPE_STATION &&	851	(wdev->iftype == NL80211_IFTYPE_STATION &&
850	memcmp(wdev->current_bss->pub.bssid, mgmt->da,	852	memcmp(wdev->current_bss->pub.bssid, mgmt->da,
851	ETH_ALEN) != 0))	853	ETH_ALEN) != 0)) {
		854	wdev_unlock(wdev);
852	return -ENOTCONN;	855	return -ENOTCONN;
		856	}
		857
		858	wdev_unlock(wdev);
853	}	859	}
854		860
855	if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0)	861	if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0)