Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking update from David Miller:

1) Fix dump iterator in nfnl_acct_dump() and ctnl_timeout_dump() to
dump all objects properly, from Pablo Neira Ayuso.

2) xt_TCPMSS must use the default MSS of 536 when no MSS TCP option is
present. Fix from Phil Oester.

3) qdisc_get_rtab() looks for an existing matching rate table and uses
that instead of creating a new one. However, its key matching is
incomplete, it fails to check to make sure the ->data[] array is
identical too. Fix from Eric Dumazet.

4) ip_vs_dest_entry isn't fully initialized before copying back to
userspace, fix from Dan Carpenter.

5) Fix ubuf reference counting regression in vhost_net, from Jason
Wang.

6) When sock_diag dumps a socket filter back to userspace, we have to
translate it out of the kernel's internal representation first.
From Nicolas Dichtel.

7) davinci_mdio holds a spinlock while calling pm_runtime, which
sleeps. Fix from Sebastian Siewior.

8) Timeout check in sh_eth_check_reset is off by one, from Sergei
Shtylyov.

9) If sctp socket init fails, we can NULL deref during cleanup. Fix
from Daniel Borkmann.

10) netlink_mmap() does not propagate errors properly, from Patrick
McHardy.

11) Disable powersave and use minstrel by default in ath9k. From Sujith
Manoharan.

12) Fix a regression in that SOCK_ZEROCOPY is not set on tuntap sockets
which prevents vhost from being able to use zerocopy. From Jason
Wang.

13) Fix race between port lookup and TX path in team driver, from Jiri
Pirko.

14) Missing length checks in bluetooth L2CAP packet parsing, from Johan
Hedberg.

15) rtlwifi fails to connect to networking using any encryption method
other than WPA2. Fix from Larry Finger.

16) Fix iwlegacy build due to incorrect CONFIG_* ifdeffing for power
management stuff. From Yijing Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits)
b43: stop format string leaking into error msgs
ath9k: Use minstrel rate control by default
Revert "ath9k_hw: Update rx gain initval to improve rx sensitivity"
ath9k: Disable PowerSave by default
net: wireless: iwlegacy: fix build error for il_pm_ops
rtlwifi: Fix a false leak indication for PCI devices
wl12xx/wl18xx: scan all 5ghz channels
wl12xx: increase minimum singlerole firmware version required
wl12xx: fix minimum required firmware version for wl127x multirole
rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks
mwifiex: debugfs: Fix out of bounds array access
Bluetooth: Fix mgmt handling of power on failures
Bluetooth: Fix missing length checks for L2CAP signalling PDUs
Bluetooth: btmrvl: support Marvell Bluetooth device SD8897
Bluetooth: Fix checks for LE support on LE-only controllers
team: fix checks in team_get_first_port_txable_rcu()
team: move add to port list before port enablement
team: check return value of team_get_port_by_index_rcu() for NULL
tuntap: set SOCK_ZEROCOPY flag during open
netlink: fix error propagation in netlink_mmap()
...

+377 -136
+2 -2
drivers/bluetooth/Kconfig
··· 201 201 The core driver to support Marvell Bluetooth devices. 202 202 203 203 This driver is required if you want to support 204 - Marvell Bluetooth devices, such as 8688/8787/8797. 204 + Marvell Bluetooth devices, such as 8688/8787/8797/8897. 205 205 206 206 Say Y here to compile Marvell Bluetooth driver 207 207 into the kernel or say M to compile it as module. ··· 214 214 The driver for Marvell Bluetooth chipsets with SDIO interface. 215 215 216 216 This driver is required if you want to use Marvell Bluetooth 217 - devices with SDIO interface. Currently SD8688/SD8787/SD8797 217 + devices with SDIO interface. Currently SD8688/SD8787/SD8797/SD8897 218 218 chipsets are supported. 219 219 220 220 Say Y here to compile support for Marvell BT-over-SDIO driver
+28
drivers/bluetooth/btmrvl_sdio.c
··· 82 82 .io_port_2 = 0x7a, 83 83 }; 84 84 85 + static const struct btmrvl_sdio_card_reg btmrvl_reg_88xx = { 86 + .cfg = 0x00, 87 + .host_int_mask = 0x02, 88 + .host_intstatus = 0x03, 89 + .card_status = 0x50, 90 + .sq_read_base_addr_a0 = 0x60, 91 + .sq_read_base_addr_a1 = 0x61, 92 + .card_revision = 0xbc, 93 + .card_fw_status0 = 0xc0, 94 + .card_fw_status1 = 0xc1, 95 + .card_rx_len = 0xc2, 96 + .card_rx_unit = 0xc3, 97 + .io_port_0 = 0xd8, 98 + .io_port_1 = 0xd9, 99 + .io_port_2 = 0xda, 100 + }; 101 + 85 102 static const struct btmrvl_sdio_device btmrvl_sdio_sd8688 = { 86 103 .helper = "mrvl/sd8688_helper.bin", 87 104 .firmware = "mrvl/sd8688.bin", ··· 120 103 .sd_blksz_fw_dl = 256, 121 104 }; 122 105 106 + static const struct btmrvl_sdio_device btmrvl_sdio_sd8897 = { 107 + .helper = NULL, 108 + .firmware = "mrvl/sd8897_uapsta.bin", 109 + .reg = &btmrvl_reg_88xx, 110 + .sd_blksz_fw_dl = 256, 111 + }; 112 + 123 113 static const struct sdio_device_id btmrvl_sdio_ids[] = { 124 114 /* Marvell SD8688 Bluetooth device */ 125 115 { SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, 0x9105), ··· 140 116 /* Marvell SD8797 Bluetooth device */ 141 117 { SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, 0x912A), 142 118 .driver_data = (unsigned long) &btmrvl_sdio_sd8797 }, 119 + /* Marvell SD8897 Bluetooth device */ 120 + { SDIO_DEVICE(SDIO_VENDOR_ID_MARVELL, 0x912E), 121 + .driver_data = (unsigned long) &btmrvl_sdio_sd8897 }, 143 122 144 123 { } /* Terminating entry */ 145 124 }; ··· 1221 1194 MODULE_FIRMWARE("mrvl/sd8688.bin"); 1222 1195 MODULE_FIRMWARE("mrvl/sd8787_uapsta.bin"); 1223 1196 MODULE_FIRMWARE("mrvl/sd8797_uapsta.bin"); 1197 + MODULE_FIRMWARE("mrvl/sd8897_uapsta.bin");
+2 -2
drivers/net/ethernet/renesas/sh_eth.c
··· 897 897 mdelay(1); 898 898 cnt--; 899 899 } 900 - if (cnt < 0) { 901 - pr_err("Device reset fail\n"); 900 + if (cnt <= 0) { 901 + pr_err("Device reset failed\n"); 902 902 ret = -ETIMEDOUT; 903 903 } 904 904 return ret;
+2 -3
drivers/net/ethernet/ti/davinci_mdio.c
··· 449 449 __raw_writel(ctrl, &data->regs->control); 450 450 wait_for_idle(data); 451 451 452 - pm_runtime_put_sync(data->dev); 453 - 454 452 data->suspended = true; 455 453 spin_unlock(&data->lock); 454 + pm_runtime_put_sync(data->dev); 456 455 457 456 return 0; 458 457 } ··· 461 462 struct davinci_mdio_data *data = dev_get_drvdata(dev); 462 463 u32 ctrl; 463 464 464 - spin_lock(&data->lock); 465 465 pm_runtime_get_sync(data->dev); 466 466 467 + spin_lock(&data->lock); 467 468 /* restart the scan state machine */ 468 469 ctrl = __raw_readl(&data->regs->control); 469 470 ctrl |= CONTROL_ENABLE;
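Review bot: In the resume hunk the return value of pm_runtime_get_sync(data->dev) is discarded, and the next statements read and write data->regs->control. If the runtime resume fails, those register accesses reach a device that may not be powered or clocked. Check the result and return the error before taking data->lock. The reordering on both paths keeps the runtime PM calls outside the spinlock; a one-line comment saying so at each site would stop the order from being undone later.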
+1 -1
drivers/net/team/team.c
··· 1092 1092 } 1093 1093 1094 1094 port->index = -1; 1095 - team_port_enable(team, port); 1096 1095 list_add_tail_rcu(&port->list, &team->port_list); 1096 + team_port_enable(team, port); 1097 1097 __team_compute_features(team); 1098 1098 __team_port_change_port_added(port, !!netif_carrier_ok(port_dev)); 1099 1099 __team_options_change_check(team);
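Review bot: The new order, list_add_tail_rcu(&port->list, &team->port_list) before team_port_enable(team, port), carries no comment, so nothing in the function tells a later reader that the port has to be on the list before it is enabled. Add a short comment above the two calls stating that dependency.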
+2
drivers/net/team/team_mode_random.c
··· 28 28 29 29 port_index = random_N(team->en_port_count); 30 30 port = team_get_port_by_index_rcu(team, port_index); 31 + if (unlikely(!port)) 32 + goto drop; 31 33 port = team_get_first_port_txable_rcu(team, port); 32 34 if (unlikely(!port)) 33 35 goto drop;
+2
drivers/net/team/team_mode_roundrobin.c
··· 32 32 33 33 port_index = rr_priv(team)->sent_packets++ % team->en_port_count; 34 34 port = team_get_port_by_index_rcu(team, port_index); 35 + if (unlikely(!port)) 36 + goto drop; 35 37 port = team_get_first_port_txable_rcu(team, port); 36 38 if (unlikely(!port)) 37 39 goto drop;
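Review bot: The added NULL check only covers a failed lookup; the line above it, `port_index = rr_priv(team)->sent_packets++ % team->en_port_count;`, still does a plain read of team->en_port_count and uses it as a divisor before the new check is reached. If the count can be observed as zero in the same window that makes team_get_port_by_index_rcu() return NULL, the modulo faults first. Read the count once into a local (the tun.c change in this merge does the same for tun->numqueues with ACCESS_ONCE), go to drop when it is zero, and index with that local.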
+3 -1
drivers/net/tun.c
··· 352 352 u32 numqueues = 0; 353 353 354 354 rcu_read_lock(); 355 - numqueues = tun->numqueues; 355 + numqueues = ACCESS_ONCE(tun->numqueues); 356 356 357 357 txq = skb_get_rxhash(skb); 358 358 if (txq) { ··· 2158 2158 file->private_data = tfile; 2159 2159 set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags); 2160 2160 INIT_LIST_HEAD(&tfile->next); 2161 + 2162 + sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); 2161 2163 2162 2164 return 0; 2163 2165 }
+6
drivers/net/usb/cdc_ether.c
··· 627 627 .driver_info = 0, 628 628 }, 629 629 630 + /* Huawei E1820 - handled by qmi_wwan */ 631 + { 632 + USB_DEVICE_INTERFACE_NUMBER(HUAWEI_VENDOR_ID, 0x14ac, 1), 633 + .driver_info = 0, 634 + }, 635 + 630 636 /* Realtek RTL8152 Based USB 2.0 Ethernet Adapters */ 631 637 #if defined(CONFIG_USB_RTL8152) || defined(CONFIG_USB_RTL8152_MODULE) 632 638 {
+1
drivers/net/usb/qmi_wwan.c
··· 519 519 /* 3. Combined interface devices matching on interface number */ 520 520 {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ 521 521 {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ 522 + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ 522 523 {QMI_FIXED_INTF(0x19d2, 0x0002, 1)}, 523 524 {QMI_FIXED_INTF(0x19d2, 0x0012, 1)}, 524 525 {QMI_FIXED_INTF(0x19d2, 0x0017, 3)},
+7 -3
drivers/net/wireless/ath/ath9k/Kconfig
··· 92 92 This option enables collection of statistics for Rx/Tx status 93 93 data and some other MAC related statistics 94 94 95 - config ATH9K_RATE_CONTROL 95 + config ATH9K_LEGACY_RATE_CONTROL 96 96 bool "Atheros ath9k rate control" 97 97 depends on ATH9K 98 - default y 98 + default n 99 99 ---help--- 100 100 Say Y, if you want to use the ath9k specific rate control 101 - module instead of minstrel_ht. 101 + module instead of minstrel_ht. Be warned that there are various 102 + issues with the ath9k RC and minstrel is a more robust algorithm. 103 + Note that even if this option is selected, "ath9k_rate_control" 104 + has to be passed to mac80211 using the module parameter, 105 + ieee80211_default_rc_algo. 102 106 103 107 config ATH9K_HTC 104 108 tristate "Atheros HTC based wireless cards support"
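Review bot: The symbol is renamed to ATH9K_LEGACY_RATE_CONTROL but the prompt still reads "Atheros ath9k rate control", so someone in menuconfig cannot tell that this is the legacy path; put "legacy" in the prompt string as well. The added `default n` is redundant, since a bool with no default line is already n.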
+1 -1
drivers/net/wireless/ath/ath9k/Makefile
··· 8 8 antenna.o 9 9 10 10 ath9k-$(CONFIG_ATH9K_BTCOEX_SUPPORT) += mci.o 11 - ath9k-$(CONFIG_ATH9K_RATE_CONTROL) += rc.o 11 + ath9k-$(CONFIG_ATH9K_LEGACY_RATE_CONTROL) += rc.o 12 12 ath9k-$(CONFIG_ATH9K_PCI) += pci.o 13 13 ath9k-$(CONFIG_ATH9K_AHB) += ahb.o 14 14 ath9k-$(CONFIG_ATH9K_DEBUGFS) += debug.o
+5 -5
drivers/net/wireless/ath/ath9k/ar9003_2p2_initvals.h
··· 958 958 {0x0000a074, 0x00000000}, 959 959 {0x0000a078, 0x00000000}, 960 960 {0x0000a07c, 0x00000000}, 961 - {0x0000a080, 0x1a1a1a1a}, 962 - {0x0000a084, 0x1a1a1a1a}, 963 - {0x0000a088, 0x1a1a1a1a}, 964 - {0x0000a08c, 0x1a1a1a1a}, 965 - {0x0000a090, 0x171a1a1a}, 961 + {0x0000a080, 0x22222229}, 962 + {0x0000a084, 0x1d1d1d1d}, 963 + {0x0000a088, 0x1d1d1d1d}, 964 + {0x0000a08c, 0x1d1d1d1d}, 965 + {0x0000a090, 0x171d1d1d}, 966 966 {0x0000a094, 0x11111717}, 967 967 {0x0000a098, 0x00030311}, 968 968 {0x0000a09c, 0x00000000},
+1 -6
drivers/net/wireless/ath/ath9k/init.c
··· 787 787 hw->wiphy->iface_combinations = if_comb; 788 788 hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb); 789 789 790 - if (AR_SREV_5416(sc->sc_ah)) 791 - hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT; 790 + hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT; 792 791 793 792 hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN; 794 793 hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_TDLS; ··· 828 829 829 830 sc->ant_rx = hw->wiphy->available_antennas_rx; 830 831 sc->ant_tx = hw->wiphy->available_antennas_tx; 831 - 832 - #ifdef CONFIG_ATH9K_RATE_CONTROL 833 - hw->rate_control_algorithm = "ath9k_rate_control"; 834 - #endif 835 832 836 833 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_2GHZ) 837 834 hw->wiphy->bands[IEEE80211_BAND_2GHZ] =
+1 -1
drivers/net/wireless/ath/ath9k/rc.h
··· 231 231 } 232 232 #endif 233 233 234 - #ifdef CONFIG_ATH9K_RATE_CONTROL 234 + #ifdef CONFIG_ATH9K_LEGACY_RATE_CONTROL 235 235 int ath_rate_control_register(void); 236 236 void ath_rate_control_unregister(void); 237 237 #else
+1 -1
drivers/net/wireless/b43/main.c
··· 2458 2458 for (i = 0; i < B43_NR_FWTYPES; i++) { 2459 2459 errmsg = ctx->errors[i]; 2460 2460 if (strlen(errmsg)) 2461 - b43err(dev->wl, errmsg); 2461 + b43err(dev->wl, "%s", errmsg); 2462 2462 } 2463 2463 b43_print_fw_helptext(dev->wl, 1); 2464 2464 goto out;
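Review bot: The emptiness test just above the fixed call, `if (strlen(errmsg))`, walks the whole string only to learn whether it is non-empty; `if (errmsg[0])` says the same thing. On the fix itself, passing errmsg through "%s" is right because ctx->errors[i] is data, not a format; a short comment to that effect at the call would keep the literal from being dropped again in a later cleanup.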
+3 -3
drivers/net/wireless/iwlegacy/common.h
··· 1832 1832 __le32 il_add_beacon_time(struct il_priv *il, u32 base, u32 addon, 1833 1833 u32 beacon_interval); 1834 1834 1835 - #ifdef CONFIG_PM 1835 + #ifdef CONFIG_PM_SLEEP 1836 1836 extern const struct dev_pm_ops il_pm_ops; 1837 1837 1838 1838 #define IL_LEGACY_PM_OPS (&il_pm_ops) 1839 1839 1840 - #else /* !CONFIG_PM */ 1840 + #else /* !CONFIG_PM_SLEEP */ 1841 1841 1842 1842 #define IL_LEGACY_PM_OPS NULL 1843 1843 1844 - #endif /* !CONFIG_PM */ 1844 + #endif /* !CONFIG_PM_SLEEP */ 1845 1845 1846 1846 /***************************************************** 1847 1847 * Error Handling Debugging
+17 -5
drivers/net/wireless/mwifiex/debugfs.c
··· 26 26 static struct dentry *mwifiex_dfs_dir; 27 27 28 28 static char *bss_modes[] = { 29 - "Unknown", 30 - "Ad-hoc", 31 - "Managed", 32 - "Auto" 29 + "UNSPECIFIED", 30 + "ADHOC", 31 + "STATION", 32 + "AP", 33 + "AP_VLAN", 34 + "WDS", 35 + "MONITOR", 36 + "MESH_POINT", 37 + "P2P_CLIENT", 38 + "P2P_GO", 39 + "P2P_DEVICE", 33 40 }; 34 41 35 42 /* size/addr for mwifiex_debug_info */ ··· 207 200 p += sprintf(p, "driver_version = %s", fmt); 208 201 p += sprintf(p, "\nverext = %s", priv->version_str); 209 202 p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name); 210 - p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); 203 + 204 + if (info.bss_mode >= ARRAY_SIZE(bss_modes)) 205 + p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode); 206 + else 207 + p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]); 208 + 211 209 p += sprintf(p, "media_state=\"%s\"\n", 212 210 (!priv->media_connected ? "Disconnected" : "Connected")); 213 211 p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
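Review bot: The bounds check in the second hunk protects the lookup, but the table it guards is still positional: bss_modes[] is only correct while its eleven strings stay in the same order as the values info.bss_mode can take, and nothing at compile time ties the two together. Designated initializers keyed by the mode constants would make a reordering or a newly added mode show up at build time instead of printing the wrong name. The array can also be declared `static const char * const`. In the fallback branch, `%d` assumes info.bss_mode is a signed int; match the specifier to the field's declared type.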
+1
drivers/net/wireless/rtlwifi/pci.c
··· 764 764 "can't alloc skb for rx\n"); 765 765 goto done; 766 766 } 767 + kmemleak_not_leak(new_skb); 767 768 768 769 pci_unmap_single(rtlpci->pdev, 769 770 *((dma_addr_t *) skb->cb),
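Review bot: kmemleak_not_leak(new_skb) is added with no comment saying why the buffer is not a leak. State at the call where the remaining reference to new_skb is held, so the annotation can be re-evaluated if the RX buffer handling in this function changes; an unexplained kmemleak suppression tends to hide a real leak later.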
+99 -33
drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
··· 1973 1973 } 1974 1974 } 1975 1975 1976 - void rtl92cu_update_hal_rate_table(struct ieee80211_hw *hw, 1977 - struct ieee80211_sta *sta, 1978 - u8 rssi_level) 1976 + static void rtl92cu_update_hal_rate_table(struct ieee80211_hw *hw, 1977 + struct ieee80211_sta *sta) 1979 1978 { 1980 1979 struct rtl_priv *rtlpriv = rtl_priv(hw); 1981 1980 struct rtl_phy *rtlphy = &(rtlpriv->phy); 1982 1981 struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); 1983 - u32 ratr_value = (u32) mac->basic_rates; 1984 - u8 *mcsrate = mac->mcs; 1982 + struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); 1983 + u32 ratr_value; 1985 1984 u8 ratr_index = 0; 1986 1985 u8 nmode = mac->ht_enable; 1987 - u8 mimo_ps = 1; 1988 - u16 shortgi_rate = 0; 1989 - u32 tmp_ratr_value = 0; 1986 + u8 mimo_ps = IEEE80211_SMPS_OFF; 1987 + u16 shortgi_rate; 1988 + u32 tmp_ratr_value; 1990 1989 u8 curtxbw_40mhz = mac->bw_40; 1991 - u8 curshortgi_40mhz = mac->sgi_40; 1992 - u8 curshortgi_20mhz = mac->sgi_20; 1990 + u8 curshortgi_40mhz = (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_40) ? 1991 + 1 : 0; 1992 + u8 curshortgi_20mhz = (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20) ? 
1993 + 1 : 0; 1993 1994 enum wireless_mode wirelessmode = mac->mode; 1994 1995 1995 - ratr_value |= ((*(u16 *) (mcsrate))) << 12; 1996 + if (rtlhal->current_bandtype == BAND_ON_5G) 1997 + ratr_value = sta->supp_rates[1] << 4; 1998 + else 1999 + ratr_value = sta->supp_rates[0]; 2000 + if (mac->opmode == NL80211_IFTYPE_ADHOC) 2001 + ratr_value = 0xfff; 2002 + 2003 + ratr_value |= (sta->ht_cap.mcs.rx_mask[1] << 20 | 2004 + sta->ht_cap.mcs.rx_mask[0] << 12); 1996 2005 switch (wirelessmode) { 1997 2006 case WIRELESS_MODE_B: 1998 2007 if (ratr_value & 0x0000000c) ··· 2015 2006 case WIRELESS_MODE_N_24G: 2016 2007 case WIRELESS_MODE_N_5G: 2017 2008 nmode = 1; 2018 - if (mimo_ps == 0) { 2009 + if (mimo_ps == IEEE80211_SMPS_STATIC) { 2019 2010 ratr_value &= 0x0007F005; 2020 2011 } else { 2021 2012 u32 ratr_mask; ··· 2025 2016 ratr_mask = 0x000ff005; 2026 2017 else 2027 2018 ratr_mask = 0x0f0ff005; 2028 - if (curtxbw_40mhz) 2029 - ratr_mask |= 0x00000010; 2019 + 2030 2020 ratr_value &= ratr_mask; 2031 2021 } 2032 2022 break; ··· 2034 2026 ratr_value &= 0x000ff0ff; 2035 2027 else 2036 2028 ratr_value &= 0x0f0ff0ff; 2029 + 2037 2030 break; 2038 2031 } 2032 + 2039 2033 ratr_value &= 0x0FFFFFFF; 2040 - if (nmode && ((curtxbw_40mhz && curshortgi_40mhz) || 2041 - (!curtxbw_40mhz && curshortgi_20mhz))) { 2034 + 2035 + if (nmode && ((curtxbw_40mhz && 2036 + curshortgi_40mhz) || (!curtxbw_40mhz && 2037 + curshortgi_20mhz))) { 2038 + 2042 2039 ratr_value |= 0x10000000; 2043 2040 tmp_ratr_value = (ratr_value >> 12); 2041 + 2044 2042 for (shortgi_rate = 15; shortgi_rate > 0; shortgi_rate--) { 2045 2043 if ((1 << shortgi_rate) & tmp_ratr_value) 2046 2044 break; 2047 2045 } 2046 + 2048 2047 shortgi_rate = (shortgi_rate << 12) | (shortgi_rate << 8) | 2049 - (shortgi_rate << 4) | (shortgi_rate); 2048 + (shortgi_rate << 4) | (shortgi_rate); 2050 2049 } 2050 + 2051 2051 rtl_write_dword(rtlpriv, REG_ARFR0 + ratr_index * 4, ratr_value); 2052 + 2053 + RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, 
"%x\n", 2054 + rtl_read_dword(rtlpriv, REG_ARFR0)); 2052 2055 } 2053 2056 2054 - void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, u8 rssi_level) 2057 + static void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, 2058 + struct ieee80211_sta *sta, 2059 + u8 rssi_level) 2055 2060 { 2056 2061 struct rtl_priv *rtlpriv = rtl_priv(hw); 2057 2062 struct rtl_phy *rtlphy = &(rtlpriv->phy); 2058 2063 struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); 2059 - u32 ratr_bitmap = (u32) mac->basic_rates; 2060 - u8 *p_mcsrate = mac->mcs; 2061 - u8 ratr_index = 0; 2062 - u8 curtxbw_40mhz = mac->bw_40; 2063 - u8 curshortgi_40mhz = mac->sgi_40; 2064 - u8 curshortgi_20mhz = mac->sgi_20; 2065 - enum wireless_mode wirelessmode = mac->mode; 2064 + struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); 2065 + struct rtl_sta_info *sta_entry = NULL; 2066 + u32 ratr_bitmap; 2067 + u8 ratr_index; 2068 + u8 curtxbw_40mhz = (sta->bandwidth >= IEEE80211_STA_RX_BW_40) ? 1 : 0; 2069 + u8 curshortgi_40mhz = curtxbw_40mhz && 2070 + (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_40) ? 2071 + 1 : 0; 2072 + u8 curshortgi_20mhz = (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20) ? 
2073 + 1 : 0; 2074 + enum wireless_mode wirelessmode = 0; 2066 2075 bool shortgi = false; 2067 2076 u8 rate_mask[5]; 2068 2077 u8 macid = 0; 2069 - u8 mimops = 1; 2078 + u8 mimo_ps = IEEE80211_SMPS_OFF; 2070 2079 2071 - ratr_bitmap |= (p_mcsrate[1] << 20) | (p_mcsrate[0] << 12); 2080 + sta_entry = (struct rtl_sta_info *) sta->drv_priv; 2081 + wirelessmode = sta_entry->wireless_mode; 2082 + if (mac->opmode == NL80211_IFTYPE_STATION || 2083 + mac->opmode == NL80211_IFTYPE_MESH_POINT) 2084 + curtxbw_40mhz = mac->bw_40; 2085 + else if (mac->opmode == NL80211_IFTYPE_AP || 2086 + mac->opmode == NL80211_IFTYPE_ADHOC) 2087 + macid = sta->aid + 1; 2088 + 2089 + if (rtlhal->current_bandtype == BAND_ON_5G) 2090 + ratr_bitmap = sta->supp_rates[1] << 4; 2091 + else 2092 + ratr_bitmap = sta->supp_rates[0]; 2093 + if (mac->opmode == NL80211_IFTYPE_ADHOC) 2094 + ratr_bitmap = 0xfff; 2095 + ratr_bitmap |= (sta->ht_cap.mcs.rx_mask[1] << 20 | 2096 + sta->ht_cap.mcs.rx_mask[0] << 12); 2072 2097 switch (wirelessmode) { 2073 2098 case WIRELESS_MODE_B: 2074 2099 ratr_index = RATR_INX_WIRELESS_B; ··· 2112 2071 break; 2113 2072 case WIRELESS_MODE_G: 2114 2073 ratr_index = RATR_INX_WIRELESS_GB; 2074 + 2115 2075 if (rssi_level == 1) 2116 2076 ratr_bitmap &= 0x00000f00; 2117 2077 else if (rssi_level == 2) ··· 2127 2085 case WIRELESS_MODE_N_24G: 2128 2086 case WIRELESS_MODE_N_5G: 2129 2087 ratr_index = RATR_INX_WIRELESS_NGB; 2130 - if (mimops == 0) { 2088 + 2089 + if (mimo_ps == IEEE80211_SMPS_STATIC) { 2131 2090 if (rssi_level == 1) 2132 2091 ratr_bitmap &= 0x00070000; 2133 2092 else if (rssi_level == 2) ··· 2171 2128 } 2172 2129 } 2173 2130 } 2131 + 2174 2132 if ((curtxbw_40mhz && curshortgi_40mhz) || 2175 2133 (!curtxbw_40mhz && curshortgi_20mhz)) { 2134 + 2176 2135 if (macid == 0) 2177 2136 shortgi = true; 2178 2137 else if (macid == 1) ··· 2183 2138 break; 2184 2139 default: 2185 2140 ratr_index = RATR_INX_WIRELESS_NGB; 2141 + 2186 2142 if (rtlphy->rf_type == RF_1T2R) 2187 2143 
ratr_bitmap &= 0x000ff0ff; 2188 2144 else 2189 2145 ratr_bitmap &= 0x0f0ff0ff; 2190 2146 break; 2191 2147 } 2192 - RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, "ratr_bitmap :%x\n", 2193 - ratr_bitmap); 2194 - *(u32 *)&rate_mask = ((ratr_bitmap & 0x0fffffff) | 2195 - ratr_index << 28); 2148 + sta_entry->ratr_index = ratr_index; 2149 + 2150 + RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, 2151 + "ratr_bitmap :%x\n", ratr_bitmap); 2152 + *(u32 *)&rate_mask = (ratr_bitmap & 0x0fffffff) | 2153 + (ratr_index << 28); 2196 2154 rate_mask[4] = macid | (shortgi ? 0x20 : 0x00) | 0x80; 2197 2155 RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, 2198 2156 "Rate_index:%x, ratr_val:%x, %5phC\n", 2199 2157 ratr_index, ratr_bitmap, rate_mask); 2200 - rtl92c_fill_h2c_cmd(hw, H2C_RA_MASK, 5, rate_mask); 2158 + memcpy(rtlpriv->rate_mask, rate_mask, 5); 2159 + /* rtl92c_fill_h2c_cmd() does USB I/O and will result in a 2160 + * "scheduled while atomic" if called directly */ 2161 + schedule_work(&rtlpriv->works.fill_h2c_cmd); 2162 + 2163 + if (macid != 0) 2164 + sta_entry->ratr_index = ratr_index; 2165 + } 2166 + 2167 + void rtl92cu_update_hal_rate_tbl(struct ieee80211_hw *hw, 2168 + struct ieee80211_sta *sta, 2169 + u8 rssi_level) 2170 + { 2171 + struct rtl_priv *rtlpriv = rtl_priv(hw); 2172 + 2173 + if (rtlpriv->dm.useramask) 2174 + rtl92cu_update_hal_rate_mask(hw, sta, rssi_level); 2175 + else 2176 + rtl92cu_update_hal_rate_table(hw, sta); 2201 2177 } 2202 2178 2203 2179 void rtl92cu_update_channel_access_setting(struct ieee80211_hw *hw)
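Review bot: At the end of rtl92cu_update_hal_rate_mask(), `memcpy(rtlpriv->rate_mask, rate_mask, 5);` followed by `schedule_work(&rtlpriv->works.fill_h2c_cmd);` funnels every station through one device-wide 5-byte buffer with no lock around it. A second call before the work item has run overwrites the first mask (byte 4 carries the macid, so the earlier station's update is lost), and a call that lands while the worker is reading the buffer can hand the firmware a torn command. Protect the buffer with a lock or queue a per-update copy. Two smaller points in the same function: sta_entry->ratr_index is assigned once before the RT_TRACE and again under `if (macid != 0)`, so the second assignment is redundant; and curshortgi_40mhz is derived from curtxbw_40mhz in the declarations, before curtxbw_40mhz is replaced by mac->bw_40 for station and mesh modes, so the two can disagree.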
-4
drivers/net/wireless/rtlwifi/rtl8192cu/hw.h
··· 98 98 u32 add_msr, u32 rm_msr); 99 99 void rtl92cu_get_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val); 100 100 void rtl92cu_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val); 101 - void rtl92cu_update_hal_rate_table(struct ieee80211_hw *hw, 102 - struct ieee80211_sta *sta, 103 - u8 rssi_level); 104 - void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, u8 rssi_level); 105 101 106 102 void rtl92cu_update_channel_access_setting(struct ieee80211_hw *hw); 107 103 bool rtl92cu_gpio_radio_on_off_checking(struct ieee80211_hw *hw, u8 * valid);
+17 -1
drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
··· 289 289 macaddr = cam_const_broad; 290 290 entry_id = key_index; 291 291 } else { 292 + if (mac->opmode == NL80211_IFTYPE_AP || 293 + mac->opmode == NL80211_IFTYPE_MESH_POINT) { 294 + entry_id = rtl_cam_get_free_entry(hw, 295 + p_macaddr); 296 + if (entry_id >= TOTAL_CAM_ENTRY) { 297 + RT_TRACE(rtlpriv, COMP_SEC, 298 + DBG_EMERG, 299 + "Can not find free hw security cam entry\n"); 300 + return; 301 + } 302 + } else { 303 + entry_id = CAM_PAIRWISE_KEY_POSITION; 304 + } 305 + 292 306 key_index = PAIRWISE_KEYIDX; 293 - entry_id = CAM_PAIRWISE_KEY_POSITION; 294 307 is_pairwise = true; 295 308 } 296 309 } 297 310 if (rtlpriv->sec.key_len[key_index] == 0) { 298 311 RT_TRACE(rtlpriv, COMP_SEC, DBG_DMESG, 299 312 "delete one entry\n"); 313 + if (mac->opmode == NL80211_IFTYPE_AP || 314 + mac->opmode == NL80211_IFTYPE_MESH_POINT) 315 + rtl_cam_del_entry(hw, p_macaddr); 300 316 rtl_cam_delete_one_entry(hw, p_macaddr, entry_id); 301 317 } else { 302 318 RT_TRACE(rtlpriv, COMP_SEC, DBG_LOUD,
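Review bot: In the pairwise branch, rtl_cam_get_free_entry(hw, p_macaddr) is called for AP and mesh modes before the `rtlpriv->sec.key_len[key_index] == 0` test, so a key deletion also goes through the allocator and can take the early `return` on "Can not find free hw security cam entry" without reaching rtl_cam_del_entry(). Unless rtl_cam_get_free_entry() is documented to return the slot already held by p_macaddr, decide between install and delete first and only ask for a free entry when a key is being installed.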
+2 -2
drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
··· 106 106 .update_interrupt_mask = rtl92cu_update_interrupt_mask, 107 107 .get_hw_reg = rtl92cu_get_hw_reg, 108 108 .set_hw_reg = rtl92cu_set_hw_reg, 109 - .update_rate_tbl = rtl92cu_update_hal_rate_table, 110 - .update_rate_mask = rtl92cu_update_hal_rate_mask, 109 + .update_rate_tbl = rtl92cu_update_hal_rate_tbl, 111 110 .fill_tx_desc = rtl92cu_tx_fill_desc, 112 111 .fill_fake_txdesc = rtl92cu_fill_fake_txdesc, 113 112 .fill_tx_cmddesc = rtl92cu_tx_fill_cmddesc, ··· 136 137 .phy_lc_calibrate = _rtl92cu_phy_lc_calibrate, 137 138 .phy_set_bw_mode_callback = rtl92cu_phy_set_bw_mode_callback, 138 139 .dm_dynamic_txpower = rtl92cu_dm_dynamic_txpower, 140 + .fill_h2c_cmd = rtl92c_fill_h2c_cmd, 139 141 }; 140 142 141 143 static struct rtl_mod_params rtl92cu_mod_params = {
+3
drivers/net/wireless/rtlwifi/rtl8192cu/sw.h
··· 49 49 u32 rtl92cu_phy_query_rf_reg(struct ieee80211_hw *hw, 50 50 enum radio_path rfpath, u32 regaddr, u32 bitmask); 51 51 void rtl92cu_phy_set_bw_mode_callback(struct ieee80211_hw *hw); 52 + void rtl92cu_update_hal_rate_tbl(struct ieee80211_hw *hw, 53 + struct ieee80211_sta *sta, 54 + u8 rssi_level); 52 55 53 56 #endif
+13
drivers/net/wireless/rtlwifi/usb.c
··· 824 824 825 825 /* should after adapter start and interrupt enable. */ 826 826 set_hal_stop(rtlhal); 827 + cancel_work_sync(&rtlpriv->works.fill_h2c_cmd); 827 828 /* Enable software */ 828 829 SET_USB_STOP(rtlusb); 829 830 rtl_usb_deinit(hw); ··· 1027 1026 return false; 1028 1027 } 1029 1028 1029 + static void rtl_fill_h2c_cmd_work_callback(struct work_struct *work) 1030 + { 1031 + struct rtl_works *rtlworks = 1032 + container_of(work, struct rtl_works, fill_h2c_cmd); 1033 + struct ieee80211_hw *hw = rtlworks->hw; 1034 + struct rtl_priv *rtlpriv = rtl_priv(hw); 1035 + 1036 + rtlpriv->cfg->ops->fill_h2c_cmd(hw, H2C_RA_MASK, 5, rtlpriv->rate_mask); 1037 + } 1038 + 1030 1039 static struct rtl_intf_ops rtl_usb_ops = { 1031 1040 .adapter_start = rtl_usb_start, 1032 1041 .adapter_stop = rtl_usb_stop, ··· 1068 1057 1069 1058 /* this spin lock must be initialized early */ 1070 1059 spin_lock_init(&rtlpriv->locks.usb_lock); 1060 + INIT_WORK(&rtlpriv->works.fill_h2c_cmd, 1061 + rtl_fill_h2c_cmd_work_callback); 1071 1062 1072 1063 rtlpriv->usb_data_index = 0; 1073 1064 init_completion(&rtlpriv->firmware_loading_complete);
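Review bot: In rtl_usb_stop(), cancel_work_sync(&rtlpriv->works.fill_h2c_cmd) runs before SET_USB_STOP(rtlusb), and nothing in the visible lines prevents the work from being scheduled again between the two; a work item queued in that gap would call fill_h2c_cmd() after rtl_usb_deinit(hw). Cancel at a point where no new work can be queued, or have rtl_fill_h2c_cmd_work_callback() check the stop state before issuing the command. In the callback, the literal 5 duplicates the size of rtlpriv->rate_mask; use sizeof(rtlpriv->rate_mask) so the two cannot drift apart.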
+4
drivers/net/wireless/rtlwifi/wifi.h
··· 1736 1736 void (*bt_wifi_media_status_notify) (struct ieee80211_hw *hw, 1737 1737 bool mstate); 1738 1738 void (*bt_coex_off_before_lps) (struct ieee80211_hw *hw); 1739 + void (*fill_h2c_cmd) (struct ieee80211_hw *hw, u8 element_id, 1740 + u32 cmd_len, u8 *p_cmdbuffer); 1739 1741 }; 1740 1742 1741 1743 struct rtl_intf_ops { ··· 1871 1869 struct delayed_work fwevt_wq; 1872 1870 1873 1871 struct work_struct lps_change_work; 1872 + struct work_struct fill_h2c_cmd; 1874 1873 }; 1875 1874 1876 1875 struct rtl_debug { ··· 2051 2048 }; 2052 2049 }; 2053 2050 bool enter_ps; /* true when entering PS */ 2051 + u8 rate_mask[5]; 2054 2052 2055 2053 /*This must be the last item so 2056 2054 that it points to the data allocated
+1 -1
drivers/net/wireless/ti/wl12xx/scan.c
··· 310 310 memcpy(cmd->channels_2, cmd_channels->channels_2, 311 311 sizeof(cmd->channels_2)); 312 312 memcpy(cmd->channels_5, cmd_channels->channels_5, 313 - sizeof(cmd->channels_2)); 313 + sizeof(cmd->channels_5)); 314 314 /* channels_4 are not supported, so no need to copy them */ 315 315 } 316 316
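Review bot: The corrected memcpy() still takes its length from the destination alone, which is how the channels_2/channels_5 mix-up went unnoticed. A BUILD_BUG_ON comparing sizeof(cmd->channels_5) with sizeof(cmd_channels->channels_5), and the same for channels_2, would turn a future size mismatch into a compile error. The identical copy sequence exists in wl18xx/scan.c and was wrong in both files; a shared helper would leave one place to fix.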
+3 -3
drivers/net/wireless/ti/wl12xx/wl12xx.h
··· 36 36 #define WL127X_IFTYPE_SR_VER 3 37 37 #define WL127X_MAJOR_SR_VER 10 38 38 #define WL127X_SUBTYPE_SR_VER WLCORE_FW_VER_IGNORE 39 - #define WL127X_MINOR_SR_VER 115 39 + #define WL127X_MINOR_SR_VER 133 40 40 /* minimum multi-role FW version for wl127x */ 41 41 #define WL127X_IFTYPE_MR_VER 5 42 42 #define WL127X_MAJOR_MR_VER 7 43 43 #define WL127X_SUBTYPE_MR_VER WLCORE_FW_VER_IGNORE 44 - #define WL127X_MINOR_MR_VER 115 44 + #define WL127X_MINOR_MR_VER 42 45 45 46 46 /* FW chip version for wl128x */ 47 47 #define WL128X_CHIP_VER 7 ··· 49 49 #define WL128X_IFTYPE_SR_VER 3 50 50 #define WL128X_MAJOR_SR_VER 10 51 51 #define WL128X_SUBTYPE_SR_VER WLCORE_FW_VER_IGNORE 52 - #define WL128X_MINOR_SR_VER 115 52 + #define WL128X_MINOR_SR_VER 133 53 53 /* minimum multi-role FW version for wl128x */ 54 54 #define WL128X_IFTYPE_MR_VER 5 55 55 #define WL128X_MAJOR_MR_VER 7
+1 -1
drivers/net/wireless/ti/wl18xx/scan.c
··· 34 34 memcpy(cmd->channels_2, cmd_channels->channels_2, 35 35 sizeof(cmd->channels_2)); 36 36 memcpy(cmd->channels_5, cmd_channels->channels_5, 37 - sizeof(cmd->channels_2)); 37 + sizeof(cmd->channels_5)); 38 38 /* channels_4 are not supported, so no need to copy them */ 39 39 } 40 40
+13 -16
drivers/vhost/net.c
··· 155 155 156 156 static void vhost_net_clear_ubuf_info(struct vhost_net *n) 157 157 { 158 - 159 - bool zcopy; 160 158 int i; 161 159 162 - for (i = 0; i < n->dev.nvqs; ++i) { 163 - zcopy = vhost_net_zcopy_mask & (0x1 << i); 164 - if (zcopy) 165 - kfree(n->vqs[i].ubuf_info); 160 + for (i = 0; i < VHOST_NET_VQ_MAX; ++i) { 161 + kfree(n->vqs[i].ubuf_info); 162 + n->vqs[i].ubuf_info = NULL; 166 163 } 167 164 } 168 165 ··· 168 171 bool zcopy; 169 172 int i; 170 173 171 - for (i = 0; i < n->dev.nvqs; ++i) { 174 + for (i = 0; i < VHOST_NET_VQ_MAX; ++i) { 172 175 zcopy = vhost_net_zcopy_mask & (0x1 << i); 173 176 if (!zcopy) 174 177 continue; ··· 180 183 return 0; 181 184 182 185 err: 183 - while (i--) { 184 - zcopy = vhost_net_zcopy_mask & (0x1 << i); 185 - if (!zcopy) 186 - continue; 187 - kfree(n->vqs[i].ubuf_info); 188 - } 186 + vhost_net_clear_ubuf_info(n); 189 187 return -ENOMEM; 190 188 } 191 189 ··· 188 196 { 189 197 int i; 190 198 199 + vhost_net_clear_ubuf_info(n); 200 + 191 201 for (i = 0; i < VHOST_NET_VQ_MAX; i++) { 192 202 n->vqs[i].done_idx = 0; 193 203 n->vqs[i].upend_idx = 0; 194 204 n->vqs[i].ubufs = NULL; 195 - kfree(n->vqs[i].ubuf_info); 196 - n->vqs[i].ubuf_info = NULL; 197 205 n->vqs[i].vhost_hlen = 0; 198 206 n->vqs[i].sock_hlen = 0; 199 207 } ··· 428 436 kref_get(&ubufs->kref); 429 437 } 430 438 nvq->upend_idx = (nvq->upend_idx + 1) % UIO_MAXIOV; 431 - } 439 + } else 440 + msg.msg_control = NULL; 432 441 /* TODO: Check specific error and bomb out unless ENOBUFS? */ 433 442 err = sock->ops->sendmsg(NULL, sock, &msg, len); 434 443 if (unlikely(err < 0)) { ··· 1046 1053 int r; 1047 1054 1048 1055 mutex_lock(&n->dev.mutex); 1056 + if (vhost_dev_has_owner(&n->dev)) { 1057 + r = -EBUSY; 1058 + goto out; 1059 + } 1049 1060 r = vhost_net_set_ubuf_info(n); 1050 1061 if (r) 1051 1062 goto out;
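Review bot: The error path of vhost_net_set_ubuf_info() now calls vhost_net_clear_ubuf_info(n), which frees n->vqs[i].ubuf_info for every index up to VHOST_NET_VQ_MAX, including the slots the allocation loop skipped with `continue` and the slot whose allocation just failed. That is only safe if every ubuf_info pointer is NULL before the first allocation attempt, and the hunks do not show where that is guaranteed; point to the initialisation in a comment or set the pointers to NULL at the top of vhost_net_set_ubuf_info(). On style, `} else msg.msg_control = NULL;` leaves one branch braced and the other not; brace both.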
+7 -1
drivers/vhost/vhost.c
··· 344 344 } 345 345 346 346 /* Caller should have device mutex */ 347 + bool vhost_dev_has_owner(struct vhost_dev *dev) 348 + { 349 + return dev->mm; 350 + } 351 + 352 + /* Caller should have device mutex */ 347 353 long vhost_dev_set_owner(struct vhost_dev *dev) 348 354 { 349 355 struct task_struct *worker; 350 356 int err; 351 357 352 358 /* Is there an owner already? */ 353 - if (dev->mm) { 359 + if (vhost_dev_has_owner(dev)) { 354 360 err = -EBUSY; 355 361 goto err_mm; 356 362 }
+1
drivers/vhost/vhost.h
··· 133 133 134 134 long vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs); 135 135 long vhost_dev_set_owner(struct vhost_dev *dev); 136 + bool vhost_dev_has_owner(struct vhost_dev *dev); 136 137 long vhost_dev_check_owner(struct vhost_dev *); 137 138 struct vhost_memory *vhost_dev_reset_owner_prepare(void); 138 139 void vhost_dev_reset_owner(struct vhost_dev *, struct vhost_memory *);
+1
include/linux/filter.h
··· 46 46 extern int sk_detach_filter(struct sock *sk); 47 47 extern int sk_chk_filter(struct sock_filter *filter, unsigned int flen); 48 48 extern int sk_get_filter(struct sock *sk, struct sock_filter __user *filter, unsigned len); 49 + extern void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to); 49 50 50 51 #ifdef CONFIG_BPF_JIT 51 52 #include <stdarg.h>
+2 -2
include/linux/if_team.h
··· 249 249 return port; 250 250 cur = port; 251 251 list_for_each_entry_continue_rcu(cur, &team->port_list, list) 252 - if (team_port_txable(port)) 252 + if (team_port_txable(cur)) 253 253 return cur; 254 254 list_for_each_entry_rcu(cur, &team->port_list, list) { 255 255 if (cur == port) 256 256 break; 257 - if (team_port_txable(port)) 257 + if (team_port_txable(cur)) 258 258 return cur; 259 259 } 260 260 return NULL;
+1
include/net/bluetooth/hci_core.h
··· 1117 1117 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t len); 1118 1118 int mgmt_index_added(struct hci_dev *hdev); 1119 1119 int mgmt_index_removed(struct hci_dev *hdev); 1120 + int mgmt_set_powered_failed(struct hci_dev *hdev, int err); 1120 1121 int mgmt_powered(struct hci_dev *hdev, u8 powered); 1121 1122 int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable); 1122 1123 int mgmt_connectable(struct hci_dev *hdev, u8 connectable);
+1
include/net/bluetooth/mgmt.h
··· 42 42 #define MGMT_STATUS_NOT_POWERED 0x0f 43 43 #define MGMT_STATUS_CANCELLED 0x10 44 44 #define MGMT_STATUS_INVALID_INDEX 0x11 45 + #define MGMT_STATUS_RFKILLED 0x12 45 46 46 47 struct mgmt_hdr { 47 48 __le16 opcode;
+5 -1
net/bluetooth/hci_core.c
··· 1555 1555 static void hci_power_on(struct work_struct *work) 1556 1556 { 1557 1557 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on); 1558 + int err; 1558 1559 1559 1560 BT_DBG("%s", hdev->name); 1560 1561 1561 - if (hci_dev_open(hdev->id) < 0) 1562 + err = hci_dev_open(hdev->id); 1563 + if (err < 0) { 1564 + mgmt_set_powered_failed(hdev, err); 1562 1565 return; 1566 + } 1563 1567 1564 1568 if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) 1565 1569 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
+52 -18
net/bluetooth/l2cap_core.c
··· 3677 3677 } 3678 3678 3679 3679 static inline int l2cap_command_rej(struct l2cap_conn *conn, 3680 - struct l2cap_cmd_hdr *cmd, u8 *data) 3680 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3681 + u8 *data) 3681 3682 { 3682 3683 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 3684 + 3685 + if (cmd_len < sizeof(*rej)) 3686 + return -EPROTO; 3683 3687 3684 3688 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 3685 3689 return 0; ··· 3833 3829 } 3834 3830 3835 3831 static int l2cap_connect_req(struct l2cap_conn *conn, 3836 - struct l2cap_cmd_hdr *cmd, u8 *data) 3832 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 3837 3833 { 3838 3834 struct hci_dev *hdev = conn->hcon->hdev; 3839 3835 struct hci_conn *hcon = conn->hcon; 3836 + 3837 + if (cmd_len < sizeof(struct l2cap_conn_req)) 3838 + return -EPROTO; 3840 3839 3841 3840 hci_dev_lock(hdev); 3842 3841 if (test_bit(HCI_MGMT, &hdev->dev_flags) && ··· 3854 3847 } 3855 3848 3856 3849 static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 3857 - struct l2cap_cmd_hdr *cmd, u8 *data) 3850 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3851 + u8 *data) 3858 3852 { 3859 3853 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 3860 3854 u16 scid, dcid, result, status; 3861 3855 struct l2cap_chan *chan; 3862 3856 u8 req[128]; 3863 3857 int err; 3858 + 3859 + if (cmd_len < sizeof(*rsp)) 3860 + return -EPROTO; 3864 3861 3865 3862 scid = __le16_to_cpu(rsp->scid); 3866 3863 dcid = __le16_to_cpu(rsp->dcid); ··· 3963 3952 struct l2cap_chan *chan; 3964 3953 int len, err = 0; 3965 3954 3955 + if (cmd_len < sizeof(*req)) 3956 + return -EPROTO; 3957 + 3966 3958 dcid = __le16_to_cpu(req->dcid); 3967 3959 flags = __le16_to_cpu(req->flags); 3968 3960 ··· 3989 3975 3990 3976 /* Reject if config buffer is too small. 
*/ 3991 3977 len = cmd_len - sizeof(*req); 3992 - if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { 3978 + if (chan->conf_len + len > sizeof(chan->conf_req)) { 3993 3979 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 3994 3980 l2cap_build_conf_rsp(chan, rsp, 3995 3981 L2CAP_CONF_REJECT, flags), rsp); ··· 4067 4053 } 4068 4054 4069 4055 static inline int l2cap_config_rsp(struct l2cap_conn *conn, 4070 - struct l2cap_cmd_hdr *cmd, u8 *data) 4056 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4057 + u8 *data) 4071 4058 { 4072 4059 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 4073 4060 u16 scid, flags, result; 4074 4061 struct l2cap_chan *chan; 4075 - int len = le16_to_cpu(cmd->len) - sizeof(*rsp); 4062 + int len = cmd_len - sizeof(*rsp); 4076 4063 int err = 0; 4064 + 4065 + if (cmd_len < sizeof(*rsp)) 4066 + return -EPROTO; 4077 4067 4078 4068 scid = __le16_to_cpu(rsp->scid); 4079 4069 flags = __le16_to_cpu(rsp->flags); ··· 4179 4161 } 4180 4162 4181 4163 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, 4182 - struct l2cap_cmd_hdr *cmd, u8 *data) 4164 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4165 + u8 *data) 4183 4166 { 4184 4167 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 4185 4168 struct l2cap_disconn_rsp rsp; 4186 4169 u16 dcid, scid; 4187 4170 struct l2cap_chan *chan; 4188 4171 struct sock *sk; 4172 + 4173 + if (cmd_len != sizeof(*req)) 4174 + return -EPROTO; 4189 4175 4190 4176 scid = __le16_to_cpu(req->scid); 4191 4177 dcid = __le16_to_cpu(req->dcid); ··· 4230 4208 } 4231 4209 4232 4210 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, 4233 - struct l2cap_cmd_hdr *cmd, u8 *data) 4211 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4212 + u8 *data) 4234 4213 { 4235 4214 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 4236 4215 u16 dcid, scid; 4237 4216 struct l2cap_chan *chan; 4217 + 4218 + if (cmd_len != sizeof(*rsp)) 4219 + return -EPROTO; 4238 4220 4239 4221 scid = 
__le16_to_cpu(rsp->scid); 4240 4222 dcid = __le16_to_cpu(rsp->dcid); ··· 4269 4243 } 4270 4244 4271 4245 static inline int l2cap_information_req(struct l2cap_conn *conn, 4272 - struct l2cap_cmd_hdr *cmd, u8 *data) 4246 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4247 + u8 *data) 4273 4248 { 4274 4249 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 4275 4250 u16 type; 4251 + 4252 + if (cmd_len != sizeof(*req)) 4253 + return -EPROTO; 4276 4254 4277 4255 type = __le16_to_cpu(req->type); 4278 4256 ··· 4324 4294 } 4325 4295 4326 4296 static inline int l2cap_information_rsp(struct l2cap_conn *conn, 4327 - struct l2cap_cmd_hdr *cmd, u8 *data) 4297 + struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4298 + u8 *data) 4328 4299 { 4329 4300 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 4330 4301 u16 type, result; 4302 + 4303 + if (cmd_len != sizeof(*rsp)) 4304 + return -EPROTO; 4331 4305 4332 4306 type = __le16_to_cpu(rsp->type); 4333 4307 result = __le16_to_cpu(rsp->result); ··· 5198 5164 5199 5165 switch (cmd->code) { 5200 5166 case L2CAP_COMMAND_REJ: 5201 - l2cap_command_rej(conn, cmd, data); 5167 + l2cap_command_rej(conn, cmd, cmd_len, data); 5202 5168 break; 5203 5169 5204 5170 case L2CAP_CONN_REQ: 5205 - err = l2cap_connect_req(conn, cmd, data); 5171 + err = l2cap_connect_req(conn, cmd, cmd_len, data); 5206 5172 break; 5207 5173 5208 5174 case L2CAP_CONN_RSP: 5209 5175 case L2CAP_CREATE_CHAN_RSP: 5210 - err = l2cap_connect_create_rsp(conn, cmd, data); 5176 + err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data); 5211 5177 break; 5212 5178 5213 5179 case L2CAP_CONF_REQ: ··· 5215 5181 break; 5216 5182 5217 5183 case L2CAP_CONF_RSP: 5218 - err = l2cap_config_rsp(conn, cmd, data); 5184 + err = l2cap_config_rsp(conn, cmd, cmd_len, data); 5219 5185 break; 5220 5186 5221 5187 case L2CAP_DISCONN_REQ: 5222 - err = l2cap_disconnect_req(conn, cmd, data); 5188 + err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 5223 5189 break; 5224 5190 5225 5191 case 
L2CAP_DISCONN_RSP: 5226 - err = l2cap_disconnect_rsp(conn, cmd, data); 5192 + err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 5227 5193 break; 5228 5194 5229 5195 case L2CAP_ECHO_REQ: ··· 5234 5200 break; 5235 5201 5236 5202 case L2CAP_INFO_REQ: 5237 - err = l2cap_information_req(conn, cmd, data); 5203 + err = l2cap_information_req(conn, cmd, cmd_len, data); 5238 5204 break; 5239 5205 5240 5206 case L2CAP_INFO_RSP: 5241 - err = l2cap_information_rsp(conn, cmd, data); 5207 + err = l2cap_information_rsp(conn, cmd, cmd_len, data); 5242 5208 break; 5243 5209 5244 5210 case L2CAP_CREATE_CHAN_REQ:
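Review bot: l2cap_information_rsp() rejects any command where cmd_len != sizeof(*rsp), but an information response normally carries type-dependent data after the type and result fields, so an exact-match test looks like it would drop valid responses with -EPROTO. `cmd_len < sizeof(*rsp)`, as used in l2cap_connect_create_rsp() and l2cap_config_rsp(), seems to be the intended check; the struct definition is not in this diff, so please confirm whether it ends in a variable-length member. Separately, the L2CAP_COMMAND_REJ case still discards the return value of l2cap_command_rej(), so its new -EPROTO never reaches err; if that is deliberate, a comment saying so would help. In l2cap_config_rsp(), `int len = cmd_len - sizeof(*rsp);` is evaluated in the declaration before the length check; assigning it after the check avoids computing a wrapped value at all.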
+22 -1
net/bluetooth/mgmt.c
··· 2700 2700 break; 2701 2701 2702 2702 case DISCOV_TYPE_LE: 2703 - if (!lmp_host_le_capable(hdev)) { 2703 + if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) { 2704 2704 err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY, 2705 2705 MGMT_STATUS_NOT_SUPPORTED); 2706 2706 mgmt_pending_remove(cmd); ··· 3414 3414 3415 3415 if (match.sk) 3416 3416 sock_put(match.sk); 3417 + 3418 + return err; 3419 + } 3420 + 3421 + int mgmt_set_powered_failed(struct hci_dev *hdev, int err) 3422 + { 3423 + struct pending_cmd *cmd; 3424 + u8 status; 3425 + 3426 + cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev); 3427 + if (!cmd) 3428 + return -ENOENT; 3429 + 3430 + if (err == -ERFKILL) 3431 + status = MGMT_STATUS_RFKILLED; 3432 + else 3433 + status = MGMT_STATUS_FAILED; 3434 + 3435 + err = cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status); 3436 + 3437 + mgmt_pending_remove(cmd); 3417 3438 3418 3439 return err; 3419 3440 }
+2 -2
net/bluetooth/smp.c
··· 770 770 771 771 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 772 772 773 - if (!lmp_host_le_capable(hcon->hdev)) 773 + if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) 774 774 return 1; 775 775 776 776 if (sec_level == BT_SECURITY_LOW) ··· 851 851 __u8 reason; 852 852 int err = 0; 853 853 854 - if (!lmp_host_le_capable(conn->hcon->hdev)) { 854 + if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) { 855 855 err = -ENOTSUPP; 856 856 reason = SMP_PAIRING_NOTSUPP; 857 857 goto done;
+1 -1
net/core/filter.c
··· 778 778 } 779 779 EXPORT_SYMBOL_GPL(sk_detach_filter); 780 780 781 - static void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to) 781 + void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to) 782 782 { 783 783 static const u16 decodes[] = { 784 784 [BPF_S_ALU_ADD_K] = BPF_ALU|BPF_ADD|BPF_K,
+7 -2
net/core/sock_diag.c
··· 73 73 goto out; 74 74 } 75 75 76 - if (filter) 77 - memcpy(nla_data(attr), filter->insns, len); 76 + if (filter) { 77 + struct sock_filter *fb = (struct sock_filter *)nla_data(attr); 78 + int i; 79 + 80 + for (i = 0; i < filter->len; i++, fb++) 81 + sk_decode_filter(&filter->insns[i], fb); 82 + } 78 83 79 84 out: 80 85 rcu_read_unlock();
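Review bot: the new loop writes filter->len decoded instructions into nla_data(attr), while the attribute was sized from `len`, which is computed outside this hunk; the old memcpy() was bounded by len directly. Please confirm that len is always filter->len * sizeof(struct sock_filter), or derive the loop bound from len so the write and the reservation cannot disagree.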
+1
net/netfilter/ipvs/ip_vs_ctl.c
··· 2542 2542 struct ip_vs_dest *dest; 2543 2543 struct ip_vs_dest_entry entry; 2544 2544 2545 + memset(&entry, 0, sizeof(entry)); 2545 2546 list_for_each_entry(dest, &svc->destinations, n_list) { 2546 2547 if (count >= get->num_dests) 2547 2548 break;
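Review bot: the memset() sits before list_for_each_entry(), so entry is zeroed once and then reused for every destination. That clears padding and unset fields before the first copy to userspace, but it only stays correct if each iteration assigns every field; otherwise a later entry carries values left over from the previous destination. Either move the memset() inside the loop or add a comment that all fields are overwritten per iteration, so the fix survives new fields being added to struct ip_vs_dest_entry.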
+6
net/netfilter/xt_TCPMSS.c
··· 125 125 126 126 skb_put(skb, TCPOLEN_MSS); 127 127 128 + /* RFC 879 states that the default MSS is 536 without specific 129 + * knowledge that the destination host is prepared to accept larger. 130 + * Since no MSS was provided, we MUST NOT set a value > 536. 131 + */ 132 + newmss = min(newmss, (u16)536); 133 + 128 134 opt = (u_int8_t *)tcph + sizeof(struct tcphdr); 129 135 memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr)); 130 136
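Review bot: `newmss = min(newmss, (u16)536);` casts the constant only to satisfy min()'s type check; min_t(u16, newmss, 536) is the usual form for this. The value 536 also appears as a bare number in both the comment and the code, so a named constant would make the RFC 879 default easier to find and keep consistent.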
+1 -1
net/netlink/af_netlink.c
··· 371 371 err = 0; 372 372 out: 373 373 mutex_unlock(&nlk->pg_vec_lock); 374 - return 0; 374 + return err; 375 375 } 376 376 377 377 static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr)
+6 -5
net/sched/sch_api.c
··· 291 291 { 292 292 struct qdisc_rate_table *rtab; 293 293 294 + if (tab == NULL || r->rate == 0 || r->cell_log == 0 || 295 + nla_len(tab) != TC_RTAB_SIZE) 296 + return NULL; 297 + 294 298 for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) { 295 - if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) { 299 + if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) && 300 + !memcmp(&rtab->data, nla_data(tab), 1024)) { 296 301 rtab->refcnt++; 297 302 return rtab; 298 303 } 299 304 } 300 - 301 - if (tab == NULL || r->rate == 0 || r->cell_log == 0 || 302 - nla_len(tab) != TC_RTAB_SIZE) 303 - return NULL; 304 305 305 306 rtab = kmalloc(sizeof(*rtab), GFP_KERNEL); 306 307 if (rtab) {
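Review bot: the second memcmp() compares a hard-coded 1024 bytes, while the validation moved above the loop checks nla_len(tab) against TC_RTAB_SIZE. Use TC_RTAB_SIZE (or sizeof(rtab->data)) in the memcmp() so the compared length cannot drift from the validated length. Moving the tab == NULL and nla_len() check ahead of the loop is what makes the new nla_data(tab) access safe, so a short comment noting that ordering requirement would keep it from being moved back.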
+6
net/sctp/socket.c
··· 4003 4003 4004 4004 /* Release our hold on the endpoint. */ 4005 4005 sp = sctp_sk(sk); 4006 + /* This could happen during socket init, thus we bail out 4007 + * early, since the rest of the below is not setup either. 4008 + */ 4009 + if (sp->ep == NULL) 4010 + return; 4011 + 4006 4012 if (sp->do_auto_asconf) { 4007 4013 sp->do_auto_asconf = 0; 4008 4014 list_del(&sp->auto_asconf_list);