diff options
author | Greg Kroah-Hartman <gregkh@google.com> | 2019-04-03 10:24:12 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@google.com> | 2019-04-03 10:24:12 +0200 |
commit | 7af10f2966c2b52527b20d773a9a3332b07fa5e2 (patch) | |
tree | aa13faf7cbe2e43673cc441e20b56a2123fa3517 /net | |
parent | b20fa86720f852d10f93a23d2b5be65a806c6128 (diff) | |
parent | 12ae58ca7ec42fe23df5d0b0d01bce2ccb728fd5 (diff) |
Merge 4.4.178 into android-4.4
Changes in 4.4.178
mmc: pxamci: fix enum type confusion
drm/vmwgfx: Don't double-free the mode stored in par->set_mode
udf: Fix crash on IO error during truncate
mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.
MIPS: Fix kernel crash for R6 in jump label branch function
futex: Ensure that futex address is aligned in handle_futex_death()
ext4: fix NULL pointer dereference while journal is aborted
ext4: fix data corruption caused by unaligned direct AIO
ext4: brelse all indirect buffer in ext4_ind_remove_space()
mmc: tmio_mmc_core: don't claim spurious interrupts
media: v4l2-ctrls.c/uvc: zero v4l2_event
locking/lockdep: Add debug_locks check in __lock_downgrade()
ALSA: hda - Record the current power state before suspend/resume calls
ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec
mmc: pwrseq_simple: Make reset-gpios optional to match doc
mmc: debugfs: Add a restriction to mmc debugfs clock setting
mmc: make MAN_BKOPS_EN message a debug
mmc: sanitize 'bus width' in debug output
mmc: core: shut up "voltage-ranges unspecified" pr_info()
usb: dwc3: gadget: Fix suspend/resume during device mode
arm64: mm: Add trace_irqflags annotations to do_debug_exception()
mmc: core: fix using wrong io voltage if mmc_select_hs200 fails
mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON
extcon: usb-gpio: Don't miss event during suspend/resume
kbuild: setlocalversion: print error to STDERR
usb: gadget: composite: fix dereference after null check coverify warning
usb: gadget: Add the gserial port checking in gs_start_tx()
tcp/dccp: drop SYN packets if accept queue is full
serial: sprd: adjust TIMEOUT to a big value
Hang/soft lockup in d_invalidate with simultaneous calls
arm64: traps: disable irq in die()
usb: renesas_usbhs: gadget: fix unused-but-set-variable warning
serial: sprd: clear timeout interrupt only rather than all interrupts
lib/int_sqrt: optimize small argument
USB: core: only clean up what we allocated
rtc: Fix overflow when converting time64_t to rtc_time
ath10k: avoid possible string overflow
Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt
Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
sched/fair: Fix new task's load avg removed from source CPU in wake_up_new_task()
mmc: block: Allow more than 8 partitions per card
arm64: fix COMPAT_SHMLBA definition for large pages
efi: stub: define DISABLE_BRANCH_PROFILING for all architectures
ARM: 8458/1: bL_switcher: add GIC dependency
ARM: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE processor
android: unconditionally remove callbacks in sync_fence_free()
vmstat: make vmstat_updater deferrable again and shut down on idle
hid-sensor-hub.c: fix wrong do_div() usage
arm64: hide __efistub_ aliases from kallsyms
perf: Synchronously free aux pages in case of allocation failure
net: diag: support v4mapped sockets in inet_diag_find_one_icsk()
Revert "mmc: block: don't use parameter prefix if built as module"
writeback: initialize inode members that track writeback history
coresight: fixing lockdep error
coresight: coresight_unregister() function cleanup
coresight: release reference taken by 'bus_find_device()'
coresight: remove csdev's link from topology
stm class: Fix locking in unbinding policy path
stm class: Fix link list locking
stm class: Prevent user-controllable allocations
stm class: Support devices with multiple instances
stm class: Fix unlocking braino in the error path
stm class: Guard output assignment against concurrency
stm class: Fix unbalanced module/device refcounting
stm class: Fix a race in unlinking
coresight: "DEVICE_ATTR_RO" should defined as static.
coresight: etm4x: Check every parameter used by dma_xx_coherent.
asm-generic: Fix local variable shadow in __set_fixmap_offset
staging: ashmem: Avoid deadlock with mmap/shrink
staging: ashmem: Add missing include
staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT
staging: goldfish: audio: fix compiliation on arm
ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies
arm64/kernel: fix incorrect EL0 check in inv_entry macro
mac80211: fix "warning: ‘target_metric’ may be used uninitialized"
perf/ring_buffer: Refuse to begin AUX transaction after rb->aux_mmap_count drops
arm64: kernel: Include _AC definition in page.h
PM / Hibernate: Call flush_icache_range() on pages restored in-place
stm class: Do not leak the chrdev in error path
stm class: Fix stm device initialization order
ipv6: fix endianness error in icmpv6_err
usb: gadget: configfs: add mutex lock before unregister gadget
usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG
cpu/hotplug: Handle unbalanced hotplug enable/disable
video: fbdev: Set pixclock = 0 in goldfishfb
arm64: kconfig: drop CONFIG_RTC_LIB dependency
mmc: mmc: fix switch timeout issue caused by jiffies precision
cfg80211: size various nl80211 messages correctly
stmmac: copy unicast mac address to MAC registers
dccp: do not use ipv6 header for ipv4 flow
mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S
net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec
net: rose: fix a possible stack overflow
Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net)
packets: Always register packet sk in the same order
tcp: do not use ipv6 header for ipv4 flow
vxlan: Don't call gro_cells_destroy() before device is unregistered
sctp: get sctphdr by offset in sctp_compute_cksum
mac8390: Fix mmio access size probe
btrfs: remove WARN_ON in log_dir_items
btrfs: raid56: properly unmap parity page in finish_parity_scrub()
ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
ALSA: compress: add support for 32bit calls in a 64bit kernel
ALSA: rawmidi: Fix potential Spectre v1 vulnerability
ALSA: seq: oss: Fix Spectre v1 vulnerability
ALSA: pcm: Fix possible OOB access in PCM oss plugins
ALSA: pcm: Don't suspend stream in unrecoverable PCM state
scsi: sd: Fix a race between closing an sd device and sd I/O
scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
tty: atmel_serial: fix a potential NULL pointer dereference
staging: vt6655: Remove vif check from vnt_interrupt
staging: vt6655: Fix interrupt race condition on device start up.
serial: max310x: Fix to avoid potential NULL pointer dereference
serial: sh-sci: Fix setting SCSCR_TIE while transferring data
USB: serial: cp210x: add new device id
USB: serial: ftdi_sio: add additional NovaTech products
USB: serial: mos7720: fix mos_parport refcount imbalance on error path
USB: serial: option: set driver_info for SIM5218 and compatibles
USB: serial: option: add Olicard 600
Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc
fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
perf intel-pt: Fix TSC slip
x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y
KVM: Reject device ioctls from processes other than the VM's creator
xhci: Fix port resume done detection for SS ports with LPM enabled
Revert "USB: core: only clean up what we allocated"
arm64: support keyctl() system call in 32-bit mode
coresight: removing bind/unbind options from sysfs
stm class: Hide STM-specific options if STM is disabled
Linux 4.4.178
Change-Id: Ia7fc9419e85c78352eef494a0c914dec7650062f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/l2cap_core.c | 83 | ||||
-rw-r--r-- | net/dccp/ipv4.c | 8 | ||||
-rw-r--r-- | net/dccp/ipv6.c | 6 | ||||
-rw-r--r-- | net/ipv4/tcp_input.c | 8 | ||||
-rw-r--r-- | net/ipv6/tcp_ipv6.c | 8 | ||||
-rw-r--r-- | net/packet/af_packet.c | 4 | ||||
-rw-r--r-- | net/rose/rose_subr.c | 21 | ||||
-rw-r--r-- | net/wireless/nl80211.c | 16 |
8 files changed, 83 insertions, 71 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index af68674690af..f76e9c1e9f17 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3315,16 +3315,22 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&req, &type, &olen, &val); + if (len < 0) + break; hint = type & L2CAP_CONF_HINT; type &= L2CAP_CONF_MASK; switch (type) { case L2CAP_CONF_MTU: + if (olen != 2) + break; mtu = val; break; case L2CAP_CONF_FLUSH_TO: + if (olen != 2) + break; chan->flush_to = val; break; @@ -3332,26 +3338,30 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data break; case L2CAP_CONF_RFC: - if (olen == sizeof(rfc)) - memcpy(&rfc, (void *) val, olen); + if (olen != sizeof(rfc)) + break; + memcpy(&rfc, (void *) val, olen); break; case L2CAP_CONF_FCS: + if (olen != 1) + break; if (val == L2CAP_FCS_NONE) set_bit(CONF_RECV_NO_FCS, &chan->conf_state); break; case L2CAP_CONF_EFS: - if (olen == sizeof(efs)) { - remote_efs = 1; - memcpy(&efs, (void *) val, olen); - } + if (olen != sizeof(efs)) + break; + remote_efs = 1; + memcpy(&efs, (void *) val, olen); break; case L2CAP_CONF_EWS: + if (olen != 2) + break; if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) return -ECONNREFUSED; - set_bit(FLAG_EXT_CTRL, &chan->flags); set_bit(CONF_EWS_RECV, &chan->conf_state); chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; @@ -3361,7 +3371,6 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data default: if (hint) break; - result = L2CAP_CONF_UNKNOWN; *((u8 *) ptr++) = type; break; @@ -3526,58 +3535,65 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_MTU: + if (olen != 2) + break; if (val < L2CAP_DEFAULT_MIN_MTU) { *result = L2CAP_CONF_UNACCEPT; chan->imtu = L2CAP_DEFAULT_MIN_MTU; } else chan->imtu = val; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, + endptr - ptr); break; case L2CAP_CONF_FLUSH_TO: + if (olen != 2) + break; chan->flush_to = val; - l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, - 2, chan->flush_to, endptr - ptr); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, + chan->flush_to, endptr - ptr); break; case L2CAP_CONF_RFC: - if (olen == sizeof(rfc)) - memcpy(&rfc, (void *)val, olen); - + if (olen != sizeof(rfc)) + break; + memcpy(&rfc, (void *)val, olen); if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) return -ECONNREFUSED; - chan->fcs = 0; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, - sizeof(rfc), (unsigned long) &rfc, endptr - ptr); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), + (unsigned long) &rfc, endptr - ptr); break; case L2CAP_CONF_EWS: + if (olen != 2) + break; chan->ack_win = min_t(u16, val, chan->ack_win); l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, chan->tx_win, endptr - ptr); break; case L2CAP_CONF_EFS: - if (olen == sizeof(efs)) { - memcpy(&efs, (void *)val, olen); - - if (chan->local_stype != L2CAP_SERV_NOTRAFIC && - efs.stype != L2CAP_SERV_NOTRAFIC && - efs.stype != chan->local_stype) - return -ECONNREFUSED; - - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), - (unsigned long) &efs, endptr - ptr); - } + if (olen != sizeof(efs)) + break; + memcpy(&efs, (void *)val, olen); + if (chan->local_stype != L2CAP_SERV_NOTRAFIC && + efs.stype != L2CAP_SERV_NOTRAFIC && + efs.stype != chan->local_stype) + return -ECONNREFUSED; + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), + (unsigned long) &efs, endptr - ptr); break; case L2CAP_CONF_FCS: + if (olen != 1) + break; if (*result == L2CAP_CONF_PENDING) if (val == L2CAP_FCS_NONE) set_bit(CONF_RECV_NO_FCS, @@ -3706,13 +3722,18 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_RFC: - if (olen == sizeof(rfc)) - memcpy(&rfc, (void *)val, olen); + if (olen != sizeof(rfc)) + break; + memcpy(&rfc, (void *)val, olen); break; case L2CAP_CONF_EWS: + if (olen != 2) + break; txwin_ext = val; break; } diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 45fd82e61e79..b0a577a79a6a 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -592,13 +592,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop; - /* - * Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop; req = inet_reqsk_alloc(&dccp_request_sock_ops, sk, true); diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 0bf41faeffc4..d2caa4d69159 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -324,7 +324,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop; - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop; req = inet_reqsk_alloc(&dccp6_request_sock_ops, sk, true); @@ -427,8 +427,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, newnp->ipv6_mc_list = NULL; newnp->ipv6_ac_list = NULL; newnp->ipv6_fl_list = NULL; - newnp->mcast_oif = inet6_iif(skb); - newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; + newnp->mcast_oif = inet_iif(skb); + newnp->mcast_hops = ip_hdr(skb)->ttl; /* * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 5202a04467ad..e444b6249783 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6306,13 +6306,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, goto drop; } - - /* Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) { + if (sk_acceptq_is_full(sk)) { NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); goto drop; } diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 625e05dbf8cc..75caab7dfa2a 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1045,11 +1045,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * newnp->ipv6_fl_list = NULL; newnp->pktoptions = NULL; newnp->opt = NULL; - newnp->mcast_oif = tcp_v6_iif(skb); - newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; - newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); + newnp->mcast_oif = inet_iif(skb); + newnp->mcast_hops = ip_hdr(skb)->ttl; + newnp->rcv_flowinfo = 0; if (np->repflow) - newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); + newnp->flow_label = 0; /* * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index d517dd7f4ac7..7d93228ba1e1 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3155,7 +3155,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, } mutex_lock(&net->packet.sklist_lock); - sk_add_node_rcu(sk, &net->packet.sklist); + sk_add_node_tail_rcu(sk, &net->packet.sklist); mutex_unlock(&net->packet.sklist_lock); preempt_disable(); @@ -4130,7 +4130,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order) struct pgv *pg_vec; int i; - pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); + pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); if (unlikely(!pg_vec)) goto out; diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c index 7ca57741b2fb..7849f286bb93 100644 --- a/net/rose/rose_subr.c +++ b/net/rose/rose_subr.c @@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk, int frametype) struct sk_buff *skb; unsigned char *dptr; unsigned char lci1, lci2; - char buffer[100]; - int len, faclen = 0; + int maxfaclen = 0; + int len, faclen; + int reserve; - len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1; + reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1; + len = ROSE_MIN_LEN; switch (frametype) { case ROSE_CALL_REQUEST: len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN; - faclen = rose_create_facilities(buffer, rose); - len += faclen; + maxfaclen = 256; break; case ROSE_CALL_ACCEPTED: case ROSE_CLEAR_REQUEST: @@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk, int frametype) break; } - if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) + skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC); + if (!skb) return; /* * Space for AX.25 header and PID. */ - skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1); + skb_reserve(skb, reserve); - dptr = skb_put(skb, skb_tailroom(skb)); + dptr = skb_put(skb, len); lci1 = (rose->lci >> 8) & 0x0F; lci2 = (rose->lci >> 0) & 0xFF; @@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk, int frametype) dptr += ROSE_ADDR_LEN; memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); dptr += ROSE_ADDR_LEN; - memcpy(dptr, buffer, faclen); + faclen = rose_create_facilities(dptr, rose); + skb_put(skb, faclen); dptr += faclen; break; diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 9efc0c1426ec..db65d94987c9 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -11721,7 +11721,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev, struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return; @@ -11873,7 +11873,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev, struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return; @@ -11913,7 +11913,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return; @@ -11951,7 +11951,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev, struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ie_len, GFP_KERNEL); if (!msg) return; @@ -12028,7 +12028,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr, trace_cfg80211_notify_new_peer_candidate(dev, addr); - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + ie_len, gfp); if (!msg) return; @@ -12397,7 +12397,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev, struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return -ENOMEM; @@ -12440,7 +12440,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie, trace_cfg80211_mgmt_tx_status(wdev, cookie, ack); - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return; @@ -13244,7 +13244,7 @@ void cfg80211_ft_event(struct net_device *netdev, if (!ft_event->target_ap) return; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); if (!msg) return; |