From fe100acddf438591ecf3582cb57241e560da70b7 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 9 Aug 2010 15:52:03 +0200 Subject: cfg80211: fix locking in action frame TX Accesses to "wdev->current_bss" must be locked with the wdev lock, which action frame transmission is missing. Cc: stable@kernel.org [2.6.33+] Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/wireless/mlme.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c index e74a1a2..d1a3fb9 100644 --- a/net/wireless/mlme.c +++ b/net/wireless/mlme.c @@ -843,13 +843,19 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev, return -EINVAL; if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { /* Verify that we are associated with the destination AP */ + wdev_lock(wdev); + if (!wdev->current_bss || memcmp(wdev->current_bss->pub.bssid, mgmt->bssid, ETH_ALEN) != 0 || (wdev->iftype == NL80211_IFTYPE_STATION && memcmp(wdev->current_bss->pub.bssid, mgmt->da, - ETH_ALEN) != 0)) + ETH_ALEN) != 0)) { + wdev_unlock(wdev); return -ENOTCONN; + } + + wdev_unlock(wdev); } if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0) -- cgit v1.1 From 86b1b26326279299c93ddb11ab4782d3896bf84c Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Thu, 5 Aug 2010 15:54:22 -0700 Subject: Bluetooth: Fix endianness issue with L2CAP MPS configuration Incoming configuration values must be converted to native CPU order before use. This fixes a bug where a little-endian MPS value is compared to a native CPU value. On big-endian processors, this can cause ERTM and streaming mode segmentation to produce PDUs that are larger than the remote stack is expecting, or that would produce fragmented skbs that the current FCS code cannot handle. Signed-off-by: Mat Martineau Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 3e3cd9d..9d1f154 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2705,8 +2705,9 @@ done: case L2CAP_MODE_ERTM: pi->remote_tx_win = rfc.txwin_size; pi->remote_max_tx = rfc.max_transmit; - if (rfc.max_pdu_size > pi->conn->mtu - 10) - rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10); + + if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) + rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); @@ -2723,8 +2724,8 @@ done: break; case L2CAP_MODE_STREAMING: - if (rfc.max_pdu_size > pi->conn->mtu - 10) - rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10); + if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10) + rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10); pi->remote_mps = le16_to_cpu(rfc.max_pdu_size); -- cgit v1.1 From cff70fae111efba80c27023772ce5265797fb514 Mon Sep 17 00:00:00 2001 From: Mat Martineau Date: Thu, 5 Aug 2010 15:54:23 -0700 Subject: Bluetooth: Fix incorrect setting of remote_tx_win for L2CAP ERTM remote_tx_win is intended to be set on receipt of an L2CAP configuration request. The value is used to determine the size of the transmit window on the remote side of an ERTM connection, so L2CAP can stop sending frames when that remote window is full. An incorrect remote_tx_win value will cause the stack to not fully utilize the tx window (performance impact), or to overfill the remote tx window (causing dropped frames or a disconnect). This patch removes an extra setting of remote_tx_win when a configuration response is received. The transmit window has a different meaning in a response - it is an informational value less than or equal to the local tx_win. Signed-off-by: Mat Martineau Signed-off-by: Marcel Holtmann --- net/bluetooth/l2cap.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'net') diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 9d1f154..fadf26b 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2807,7 +2807,6 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, if (*result == L2CAP_CONF_SUCCESS) { switch (rfc.mode) { case L2CAP_MODE_ERTM: - pi->remote_tx_win = rfc.txwin_size; pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); pi->mps = le16_to_cpu(rfc.max_pdu_size); @@ -2863,7 +2862,6 @@ static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len) done: switch (rfc.mode) { case L2CAP_MODE_ERTM: - pi->remote_tx_win = rfc.txwin_size; pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); pi->mps = le16_to_cpu(rfc.max_pdu_size); -- cgit v1.1