Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

+2

include/net/bluetooth/hci_core.h

··· 464 464 HCI_AUTO_CONN_ALWAYS, 465 465 HCI_AUTO_CONN_LINK_LOSS, 466 466 } auto_connect; 467 + 468 + struct hci_conn *conn; 467 469 }; 468 470 469 471 extern struct list_head hci_dev_list;

-1

include/net/netns/ieee802154_6lowpan.h

··· 16 16 struct netns_ieee802154_lowpan { 17 17 struct netns_sysctl_lowpan sysctl; 18 18 struct netns_frags frags; 19 - int max_dsize; 20 19 }; 21 20 22 21 #endif

+8

net/bluetooth/hci_conn.c

··· 589 589 void hci_le_conn_failed(struct hci_conn *conn, u8 status) 590 590 { 591 591 struct hci_dev *hdev = conn->hdev; 592 + struct hci_conn_params *params; 593 + 594 + params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 595 + conn->dst_type); 596 + if (params && params->conn) { 597 + hci_conn_drop(params->conn); 598 + params->conn = NULL; 599 + } 592 600 593 601 conn->state = BT_CLOSED; 594 602

+12 -2

net/bluetooth/hci_core.c

··· 2536 2536 { 2537 2537 struct hci_conn_params *p; 2538 2538 2539 - list_for_each_entry(p, &hdev->le_conn_params, list) 2539 + list_for_each_entry(p, &hdev->le_conn_params, list) { 2540 + if (p->conn) { 2541 + hci_conn_drop(p->conn); 2542 + p->conn = NULL; 2543 + } 2540 2544 list_del_init(&p->action); 2545 + } 2541 2546 2542 2547 BT_DBG("All LE pending actions cleared"); 2543 2548 } ··· 2583 2578 2584 2579 hci_dev_lock(hdev); 2585 2580 hci_inquiry_cache_flush(hdev); 2586 - hci_conn_hash_flush(hdev); 2587 2581 hci_pend_le_actions_clear(hdev); 2582 + hci_conn_hash_flush(hdev); 2588 2583 hci_dev_unlock(hdev); 2589 2584 2590 2585 hci_notify(hdev, HCI_DEV_DOWN); ··· 3732 3727 if (!params) 3733 3728 return; 3734 3729 3730 + if (params->conn) 3731 + hci_conn_drop(params->conn); 3732 + 3735 3733 list_del(&params->action); 3736 3734 list_del(&params->list); 3737 3735 kfree(params); ··· 3765 3757 struct hci_conn_params *params, *tmp; 3766 3758 3767 3759 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) { 3760 + if (params->conn) 3761 + hci_conn_drop(params->conn); 3768 3762 list_del(&params->action); 3769 3763 list_del(&params->list); 3770 3764 kfree(params);

+15 -2

net/bluetooth/hci_event.c

··· 4221 4221 hci_proto_connect_cfm(conn, ev->status); 4222 4222 4223 4223 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 4224 - if (params) 4224 + if (params) { 4225 4225 list_del_init(&params->action); 4226 + if (params->conn) { 4227 + hci_conn_drop(params->conn); 4228 + params->conn = NULL; 4229 + } 4230 + } 4226 4231 4227 4232 unlock: 4228 4233 hci_update_background_scan(hdev); ··· 4309 4304 4310 4305 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 4311 4306 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER); 4312 - if (!IS_ERR(conn)) 4307 + if (!IS_ERR(conn)) { 4308 + /* Store the pointer since we don't really have any 4309 + * other owner of the object besides the params that 4310 + * triggered it. This way we can abort the connection if 4311 + * the parameters get removed and keep the reference 4312 + * count consistent once the connection is established. 4313 + */ 4314 + params->conn = conn; 4313 4315 return; 4316 + } 4314 4317 4315 4318 switch (PTR_ERR(conn)) { 4316 4319 case -EBUSY:

+2 -2

net/ieee802154/6lowpan_rtnl.c

··· 246 246 return ERR_PTR(-rc); 247 247 } 248 248 } else { 249 - frag = ERR_PTR(ENOMEM); 249 + frag = ERR_PTR(-ENOMEM); 250 250 } 251 251 252 252 return frag; ··· 437 437 /* Frame Control + Sequence Number + Address fields + Security Header */ 438 438 dev->hard_header_len = 2 + 1 + 20 + 14; 439 439 dev->needed_tailroom = 2; /* FCS */ 440 - dev->mtu = 1281; 440 + dev->mtu = IPV6_MIN_MTU; 441 441 dev->tx_queue_len = 0; 442 442 dev->flags = IFF_BROADCAST | IFF_MULTICAST; 443 443 dev->watchdog_timeo = 0;

+3 -12

net/ieee802154/reassembly.c

··· 355 355 struct net *net = dev_net(skb->dev); 356 356 struct lowpan_frag_info *frag_info = lowpan_cb(skb); 357 357 struct ieee802154_addr source, dest; 358 - struct netns_ieee802154_lowpan *ieee802154_lowpan = 359 - net_ieee802154_lowpan(net); 360 358 int err; 361 359 362 360 source = mac_cb(skb)->source; ··· 364 366 if (err < 0) 365 367 goto err; 366 368 367 - if (frag_info->d_size > ieee802154_lowpan->max_dsize) 369 + if (frag_info->d_size > IPV6_MIN_MTU) { 370 + net_warn_ratelimited("lowpan_frag_rcv: datagram size exceeds MTU\n"); 368 371 goto err; 372 + } 369 373 370 374 fq = fq_find(net, frag_info, &source, &dest); 371 375 if (fq != NULL) { ··· 415 415 .mode = 0644, 416 416 .proc_handler = proc_dointvec_jiffies, 417 417 }, 418 - { 419 - .procname = "6lowpanfrag_max_datagram_size", 420 - .data = &init_net.ieee802154_lowpan.max_dsize, 421 - .maxlen = sizeof(int), 422 - .mode = 0644, 423 - .proc_handler = proc_dointvec 424 - }, 425 418 { } 426 419 }; 427 420 ··· 451 458 table[1].data = &ieee802154_lowpan->frags.low_thresh; 452 459 table[1].extra2 = &ieee802154_lowpan->frags.high_thresh; 453 460 table[2].data = &ieee802154_lowpan->frags.timeout; 454 - table[3].data = &ieee802154_lowpan->max_dsize; 455 461 456 462 /* Don't export sysctls to unprivileged users */ 457 463 if (net->user_ns != &init_user_ns) ··· 525 533 ieee802154_lowpan->frags.high_thresh = IPV6_FRAG_HIGH_THRESH; 526 534 ieee802154_lowpan->frags.low_thresh = IPV6_FRAG_LOW_THRESH; 527 535 ieee802154_lowpan->frags.timeout = IPV6_FRAG_TIMEOUT; 528 - ieee802154_lowpan->max_dsize = 0xFFFF; 529 536 530 537 inet_frags_init_net(&ieee802154_lowpan->frags); 531 538

+5 -1

net/mac802154/wpan.c

··· 462 462 skb->pkt_type = PACKET_OTHERHOST; 463 463 break; 464 464 default: 465 - break; 465 + spin_unlock_bh(&sdata->mib_lock); 466 + pr_debug("invalid dest mode\n"); 467 + kfree_skb(skb); 468 + return NET_RX_DROP; 466 469 } 467 470 468 471 spin_unlock_bh(&sdata->mib_lock); ··· 576 573 ret = mac802154_parse_frame_start(skb, &hdr); 577 574 if (ret) { 578 575 pr_debug("got invalid frame\n"); 576 + kfree_skb(skb); 579 577 return; 580 578 } 581 579