From 1913e57cf9a7be4565c56a3fbfd85106919ea006 Mon Sep 17 00:00:00 2001
From: Mathias Jeppsson
Date: Sat, 7 Jul 2012 00:53:18 +0200
Subject: NFC: Fix empty HCI message list check
list_first_entry() will never return NULL. Instead use list_for_each_entry_safe() to iterate through the list.
Signed-off-by: Mathias Jeppsson
Signed-off-by: Samuel Ortiz
Signed-off-by: John W. Linville
---
 net/nfc/hci/core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'net')
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index e1a640d2b588..da6e039c8606 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -682,13 +682,12 @@ EXPORT_SYMBOL(nfc_hci_register_device);
 void nfc_hci_unregister_device(struct nfc_hci_dev *hdev)
 {
- struct hci_msg *msg;
+ struct hci_msg *msg, *n;
 skb_queue_purge(&hdev->rx_hcp_frags);
 skb_queue_purge(&hdev->msg_rx_queue);
- while ((msg = list_first_entry(&hdev->msg_tx_queue, struct hci_msg,
- msg_l)) != NULL) {
+ list_for_each_entry_safe(msg, n, &hdev->msg_tx_queue, msg_l) {
 list_del(&msg->msg_l);
 skb_queue_purge(&msg->msg_frags);
 kfree(msg);
-- cgit v1.2.3
From f8bf65bf3688835f95f7c74f5c844a64b2743a42 Mon Sep 17 00:00:00 2001
From: Mathias Jeppsson
Date: Sat, 7 Jul 2012 00:53:19 +0200
Subject: NFC: Fix order of arguments to list_add_tail() when queueing HCP frames
The HCP message should be added to transmit queue, not the other way around.
Signed-off-by: Mathias Jeppsson
Signed-off-by: Samuel Ortiz
Signed-off-by: John W. Linville
---
 net/nfc/hci/hcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net')
diff --git a/net/nfc/hci/hcp.c b/net/nfc/hci/hcp.c
index 7212cf2c5785..f4dad1a89740 100644
--- a/net/nfc/hci/hcp.c
+++ b/net/nfc/hci/hcp.c
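Review bot: In `nfc_hci_unregister_device()` (net/nfc/hci/core.c) the new loop unlinks and frees every entry of `hdev->msg_tx_queue` without taking `hdev->msg_tx_mutex`, which is the lock the hcp.c hunk later in this series holds around `list_add_tail()` on the same list. Nothing in the visible lines shows that `msg_tx_work` has been stopped before this point, so a worker that is still running could reach a message that was just freed. If the work item is not cancelled earlier in teardown, put `mutex_lock(&hdev->msg_tx_mutex);` before the loop and `mutex_unlock(&hdev->msg_tx_mutex);` after it, or cancel the work first; if it is cancelled, a one-line comment above the loop saying so would be enough. The function body continues past the end of the hunk.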
@@ -105,7 +105,7 @@ int nfc_hci_hcp_message_tx(struct nfc_hci_dev *hdev, u8 pipe,
 }
 mutex_lock(&hdev->msg_tx_mutex);
- list_add_tail(&hdev->msg_tx_queue, &cmd->msg_l);
+ list_add_tail(&cmd->msg_l, &hdev->msg_tx_queue);
 mutex_unlock(&hdev->msg_tx_mutex);
 queue_work(hdev->msg_tx_wq, &hdev->msg_tx_work);
-- cgit v1.2.3
From 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f Mon Sep 17 00:00:00 2001
From: Christian Lamparter
Date: Sat, 7 Jul 2012 15:07:13 +0200
Subject: mac80211: fix read outside array bounds
ieee802_1d_to_ac is defined as a const int[8], but the tid parameter has a range from 0 to 15.
Cc: stable@vger.kernel.org
Signed-off-by: Christian Lamparter
Signed-off-by: John W. Linville
---
 net/mac80211/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net')
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e453212fa17f..85cf32d2f7b5 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2733,7 +2733,7 @@ EXPORT_SYMBOL(ieee80211_get_buffered_bc);
 void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb, int tid)
 {
- int ac = ieee802_1d_to_ac[tid];
+ int ac = ieee802_1d_to_ac[tid & 7];
 skb_set_mac_header(skb, 0);
 skb_set_network_header(skb, 0);
-- cgit v1.2.3
From 7c41f3159ca4f04dfc22c791fd96d3d057dcaf90 Mon Sep 17 00:00:00 2001
From: Chun-Yeow Yeoh
Date: Wed, 11 Jul 2012 16:28:21 +0800
Subject: mac80211: Fix the Problem of Unreachable Mesh STA from DS
This patch fixes the problem of unreachable mesh STA from Distribution System (DS) due to the introduction of previous patch solving the mesh STA joining from one MBSS to another MBSS.
Reported-by: Georgiewskiy Yuriy
Signed-off-by: Chun-Yeow Yeoh
Signed-off-by: John W. Linville
---
 net/mac80211/tx.c | 3 +++
 1 file changed, 3 insertions(+) (limited to 'net')
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 85cf32d2f7b5..eab0d19eb4bd 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
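Review bot: In `ieee80211_tx_skb_tid()` (net/mac80211/tx.c) the bare `& 7` ties the index to the size of `ieee802_1d_to_ac` without saying so, and it silently folds tids 8–15 onto the entries for 0–7. A comment above the declaration would record that this is intended, for example `/* ieee802_1d_to_ac[] has 8 entries; tid is 0..15, so index by its low three bits */`. If that aliasing of the upper eight tids is not what every caller expects, it should be stated in the function's documentation as well, since an out-of-range tid no longer shows up as a fault. The function body continues outside the hunk.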
@@ -1836,6 +1836,9 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 /* RA TA mDA mSA AE:DA SA */
 mesh_da = mppath->mpp;
 is_mesh_mcast = 0;
+ } else if (mpath) {
+ mesh_da = mpath->dst;
+ is_mesh_mcast = 0;
 } else {
 /* DA TA mSA AE:SA */
 mesh_da = bcast;
-- cgit v1.2.3
From 81b3039557faf1359f40494003aaade745de6c24 Mon Sep 17 00:00:00 2001
From: Eric Lapuyade
Date: Thu, 12 Jul 2012 20:27:54 +0200
Subject: NFC: Set target nfcid1 for all HCI reader A targets
Without the discovered target nfcid1 and its length set properly, type 2 tags detection fails with the pn544 as it checks for them from pn544_hci_complete_target_discovered().
Signed-off-by: Eric Lapuyade
Reported-by: Mathias Jeppsson
Signed-off-by: Samuel Ortiz
Signed-off-by: John W. Linville
---
 net/nfc/hci/core.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+) (limited to 'net')
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index da6e039c8606..4896ef13f83d 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -170,6 +170,7 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
 struct nfc_target *targets;
 struct sk_buff *atqa_skb = NULL;
 struct sk_buff *sak_skb = NULL;
+ struct sk_buff *uid_skb = NULL;
 int r;
 pr_debug("from gate %d\n", gate);
@@ -205,6 +206,19 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
 targets->sens_res = be16_to_cpu(*(u16 *)atqa_skb->data);
 targets->sel_res = sak_skb->data[0];
+ r = nfc_hci_get_param(hdev, NFC_HCI_RF_READER_A_GATE,
+ NFC_HCI_RF_READER_A_UID, &uid_skb);
+ if (r < 0)
+ goto exit;
+
+ if (uid_skb->len == 0 || uid_skb->len > NFC_NFCID1_MAXSIZE) {
+ r = -EPROTO;
+ goto exit;
+ }
+
+ memcpy(targets->nfcid1, uid_skb->data, uid_skb->len);
+ targets->nfcid1_len = uid_skb->len;
+
 if (hdev->ops->complete_target_discovered) {
 r = hdev->ops->complete_target_discovered(hdev, gate, targets);
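Review bot: The added `else if (mpath)` branch in `ieee80211_subif_start_xmit()` (net/mac80211/tx.c) is the only one of the three visible branches without a comment; its neighbours carry `/* RA TA mDA mSA AE:DA SA */` and `/* DA TA mSA AE:SA */`. A line such as `/* mesh path to the destination is known: address the frame to mpath->dst */` would say why this case sits between the `mppath` case and the `bcast` fallback. The lookup of `mpath` and the start of the `if` chain are outside the hunk.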
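Review bot: In `nfc_hci_target_discovered()` (net/nfc/hci/core.c) the bound on `uid_skb->len` is what keeps the following `memcpy()` inside `targets->nfcid1`, but nothing at the check says so. The length is returned through `nfc_hci_get_param()` and presumably originates from the NFC controller, so a short comment above the `if`, such as `/* UID length is device-supplied; it must fit targets->nfcid1 before the copy */`, would keep a later edit from moving the copy ahead of the check. This assumes `nfcid1` is declared with `NFC_NFCID1_MAXSIZE` bytes, which the hunk does not show. The function starts and ends outside the hunk.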
@@ -240,6 +254,7 @@ exit:
 kfree(targets);
 kfree_skb(atqa_skb);
 kfree_skb(sak_skb);
+ kfree_skb(uid_skb);
 return r;
 }
-- cgit v1.2.3
From 8a70e7f8f3081770238fbe19f78116af1d4b0652 Mon Sep 17 00:00:00 2001
From: Dave Jones
Date: Thu, 12 Jul 2012 19:17:34 +0200
Subject: NFC: NCI module license 'unspecified' taints kernel
Signed-off-by: Dave Jones
Signed-off-by: Samuel Ortiz
Signed-off-by: John W. Linville
---
 net/nfc/nci/core.c | 3 +++
 1 file changed, 3 insertions(+) (limited to 'net')
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index d560e6f13072..f18f207fd3a3 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -27,6 +27,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": %s: " fmt, __func__
+#include
 #include
 #include
 #include
@@ -878,3 +879,5 @@ static void nci_cmd_work(struct work_struct *work)
 jiffies + msecs_to_jiffies(NCI_CMD_TIMEOUT));
 }
 }
+
+MODULE_LICENSE("GPL");
-- cgit v1.2.3