| Age | Commit message (Collapse) | Author |
|---|
|
This is easily triggerable when fuzz-testing as an unprivileged user.
We could rate-limit it, but given we don't print similar messages
for other protocols, I just removed it.
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0
This is an NFC LLCP fix for 3.7 and contains only one patch.
It fixes a potential crash when receiving an LLCP HDLC frame acking a frame
that is not the last sent one. In that case we may dereference an already
freed pointer.
|
|
nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. In a result, it can produce a crash or you will read
incorrect value.
Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
drivers/net/wireless/iwlwifi/pcie/tx.c
|
|
list_add was called with swapped parameters
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Drivers are allowed to modify the sent skb and thus we need to make a copy
of it before passing it to the driver. Without this fix, LLCP Tx skbs were
not queued properly as the ptype check was failing due to e.g. the pn533
driver skb_pushing the Tx skb.
Reported-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
When the tx pending queues and/or the socket tx queue is getting too deep,
we have to let userspace know. We won't be queueing any more frames until
the congestion is fixed.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Using the userspace IO vector directly is wrong, we should copy it from
user space first.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
NFC_CMD_LLC_GET_PARAMS: request LTO, RW, and MIUX parameters for a device
NFC_CMD_LLC_SET_PARAMS: set one or more of LTO, RW, and MIUX parameters for
a device. LTO must be set before the link is up otherwise -EINPROGRESS is
returned. RW and MIUX can be set at anytime and will be passed in subsequent
CONNECT and CC messages. If one of the passed parameters is wrong none is
set and -EINVAL is returned.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
The Tx queues are no longer valid when we receive a disconnection or when
the LLCP link goes down. In the later case we also purge the entire local
Tx queue.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
The previous code was always returning the last socket from the
LLCP socket list.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
It simply involves getting the client dsap and ssap and calling the UI
frame building and sending routine.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
UI frames still need to follow the MIU rule, and they need to use the
client passed dsap as the listening socket dsap is stuck on SDP.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
With connection less PDUs we have to send the SSAP and DSAP as well.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
UI (Unnumbered Information) frames are used for sending data over
connection less links.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
When DEP goes down, bound cl sockets can be kept alive as there is no
reason to kill a connection less server socket because the LLCP link
went down.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Connection less server sockets will be in BOUND state, not LISTEN.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Replying to an SNL (Service Name Lookup) means that the other end of
the link can now rely on our answer (Which is an ssap) and thus we have
to reserve it.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Logical continuations should be on the previous line.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
There is no need for return statement at the end of function returning
void.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
SNL (Service Name Lookup) allows for LLCP peers to map service names with
SAPs. This is mandatory for connection less support as peers need to get
the right SAPs without sending the CONNECT frame.
Here we only support the Rx part of SNL. The Tx one will be implemented
when supporting connection less LLCP sockets.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
SNL (Service Name Lookup) frames are used to respond to SNL requests.
This is needed for SDP implementation.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
We no longer need to be atomic as this is only called from
llcp_sock_release().
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
In some cases (SNL, DISC, DM) we need to send an LLCP skbs without
having a sock owning it. I frames are an exception here since
they may be requeued to the llcp_sock queue.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Validation of userspace input shouldn't trigger dmesg spamming.
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The network merge brought in a few users of functions that got
deprecated by the workqueue cleanups: the 'system_nrt_wq' is now the
same as the regular system_wq, since all workqueues are now non-
reentrant.
Similarly, remove one use of flush_work_sync() - the regular
flush_work() has become synchronous, and the "_sync()" version is thus
deprecated as being superfluous.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
nfc_llcp_socket_release is calling lock_sock/release_sock while holding
write lock for rwlock. Use bh_lock/unlock_sock instead.
BUG: sleeping function called from invalid context at net/core/sock.c:2138
in_atomic(): 1, irqs_disabled(): 0, pid: 56, name: kworker/1:1
4 locks held by kworker/1:1/56:
Pid: 56, comm: kworker/1:1 Not tainted 3.5.0-999-nfc+ #7
Call Trace:
[<ffffffff810952c5>] __might_sleep+0x145/0x200
[<ffffffff815d7686>] lock_sock_nested+0x36/0xa0
[<ffffffff81731569>] ? _raw_write_lock+0x49/0x50
[<ffffffffa04aa100>] ? nfc_llcp_socket_release+0x30/0x200 [nfc]
[<ffffffffa04aa122>] nfc_llcp_socket_release+0x52/0x200 [nfc]
[<ffffffffa04ab9f0>] nfc_llcp_mac_is_down+0x20/0x30 [nfc]
[<ffffffffa04a6fea>] nfc_dep_link_down+0xaa/0xf0 [nfc]
[<ffffffffa04a9bb5>] nfc_llcp_timeout_work+0x15/0x20 [nfc]
[<ffffffff810825f7>] process_one_work+0x197/0x7c0
[<ffffffff81082596>] ? process_one_work+0x136/0x7c0
[<ffffffff8172fbc9>] ? __schedule+0x419/0x9c0
[<ffffffffa04a9ba0>] ? nfc_llcp_build_gb+0x1b0/0x1b0 [nfc]
[<ffffffff81083090>] worker_thread+0x190/0x4c0
[<ffffffff81082f00>] ? rescuer_thread+0x2a0/0x2a0
[<ffffffff81088d1e>] kthread+0xae/0xc0
[<ffffffff810caafd>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff8173acc4>] kernel_thread_helper+0x4/0x10
[<ffffffff81732174>] ? retint_restore_args+0x13/0x13
[<ffffffff81088c70>] ? flush_kthread_worker+0x150/0x150
[<ffffffff8173acc0>] ? gs_change+0x13/0x13
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
This adds support for socket of type SOCK_RAW to LLCP.
sk_buff are copied and sent to raw sockets with a 2 bytes extra header:
The first byte header contains the nfc adapter index.
The second one contains flags:
- 0x01 - Direction (0=RX, 1=TX)
- 0x02-0x80 - Reserved
A raw socket has to be explicitly bound to a nfc adapter. This is achieved
by specifying the adapter index to be bound to in the dev_idx field of the
sockaddr_nfc_llcp struct passed to bind().
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
If rwlock is dynamically allocated but statically initialized it is
missing proper lockdep annotation.
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
Pid: 3352, comm: neard Not tainted 3.5.0-999-nfc+ #2
Call Trace:
[<ffffffff810c8526>] __lock_acquire+0x8f6/0x1bf0
[<ffffffff81739045>] ? printk+0x4d/0x4f
[<ffffffff810c9eed>] lock_acquire+0x9d/0x220
[<ffffffff81702bfe>] ? nfc_llcp_sock_from_sn+0x4e/0x160
[<ffffffff81746724>] _raw_read_lock+0x44/0x60
[<ffffffff81702bfe>] ? nfc_llcp_sock_from_sn+0x4e/0x160
[<ffffffff81702bfe>] nfc_llcp_sock_from_sn+0x4e/0x160
[<ffffffff817034a7>] nfc_llcp_get_sdp_ssap+0xa7/0x1b0
[<ffffffff81706353>] llcp_sock_bind+0x173/0x210
[<ffffffff815d9c94>] sys_bind+0xe4/0x100
[<ffffffff8139209e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff8174ea69>] system_call_fastpath+0x16/0x1b
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
nfc_llcp_build_tlv() malloced the memory and should be free in
nfc_llcp_build_gb() after used, and the same in the error handling
case, otherwise it will cause memory leak.
spatch with a semantic match is used to found this problem.
(http://coccinelle.lip6.fr/)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
NFC is using a number of custom ordered workqueues w/ WQ_MEM_RECLAIM.
WQ_MEM_RECLAIM is unnecessary unless NFC is gonna be used as transport
for storage device, and all use cases match one work item to one
ordered workqueue - IOW, there's no actual ordering going on at all
and using system_nrt_wq gives the same behavior.
There's nothing to be gained by using custom workqueues. Use
system_nrt_wq instead and drop all the custom ones.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
This patch remove the repeated code for checking llcp_sock &
llcp_sock->dev against NULL.
Signed-off-by: Syam Sidhardhan <s.syam@samsung.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
They both can potentially be NULL.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
The socket local pointer can be NULL when a socket is created but never
bound or connected.
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
When receiving such frame, the sockets waiting for a connection to finish
should be woken up. Connecting to an unbound LLCP service will trigger a
DM as a response.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
With the LLCP 16 local SAPs we can potentially quickly run out of source
SAPs for non well known services.
With the so called late binding we will reserve an SAP only when we actually
get a client connection for a local service. The SAP will be released once
the last client is gone, leaving it available to other services.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
With not Well Known Services there is no guarantees as to which
SSAP the server will be listening on, so there is no reason to
support binding to a specific source SAP.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
This patch fixes a typo and return the correct error when trying to
bind 2 sockets to the same service name.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
The LLCP SAP should only be freed when the socket owning it is released.
As long as the socket is alive, the SAP should be reserved in order to
e.g. send the right wks array when bringing the MAC up.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
When the MAC link goes down, we should only keep the bound sockets
alive. They will be closed by sock_release or when the underlying
NFC device is moving away.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Drivers will need them before starting a poll or when being activated
as targets. Mostly WKS can have changed between device registration and
then so we need to re-build the whole array.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Set the right target index and use a better socket declaration routine.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
Getting a valid CONNECT means we have a valid target index.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
net/mac80211/mlme.c
|
|
llcp_sock_getname can be called without a device attached to the nfc_llcp_sock.
This would lead to the following BUG:
[ 362.341807] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 362.341815] IP: [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341818] PGD 31b35067 PUD 30631067 PMD 0
[ 362.341821] Oops: 0000 [#627] PREEMPT SMP DEBUG_PAGEALLOC
[ 362.341826] CPU 3
[ 362.341827] Pid: 7816, comm: trinity-child55 Tainted: G D W 3.5.0-rc4-next-20120628-sasha-00005-g9f23eb7 #479
[ 362.341831] RIP: 0010:[<ffffffff836258e5>] [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341832] RSP: 0018:ffff8800304fde88 EFLAGS: 00010286
[ 362.341834] RAX: 0000000000000000 RBX: ffff880033cb8000 RCX: 0000000000000001
[ 362.341835] RDX: ffff8800304fdec4 RSI: ffff8800304fdec8 RDI: ffff8800304fdeda
[ 362.341836] RBP: ffff8800304fdea8 R08: 7ebcebcb772b7ffb R09: 5fbfcb9c35bdfd53
[ 362.341838] R10: 4220020c54326244 R11: 0000000000000246 R12: ffff8800304fdec8
[ 362.341839] R13: ffff8800304fdec4 R14: ffff8800304fdec8 R15: 0000000000000044
[ 362.341841] FS: 00007effa376e700(0000) GS:ffff880035a00000(0000) knlGS:0000000000000000
[ 362.341843] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 362.341844] CR2: 0000000000000000 CR3: 0000000030438000 CR4: 00000000000406e0
[ 362.341851] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 362.341856] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 362.341858] Process trinity-child55 (pid: 7816, threadinfo ffff8800304fc000, task ffff880031270000)
[ 362.341858] Stack:
[ 362.341862] ffff8800304fdea8 ffff880035156780 0000000000000000 0000000000001000
[ 362.341865] ffff8800304fdf78 ffffffff83183b40 00000000304fdec8 0000006000000000
[ 362.341868] ffff8800304f0027 ffffffff83729649 ffff8800304fdee8 ffff8800304fdf48
[ 362.341869] Call Trace:
[ 362.341874] [<ffffffff83183b40>] sys_getpeername+0xa0/0x110
[ 362.341877] [<ffffffff83729649>] ? _raw_spin_unlock_irq+0x59/0x80
[ 362.341882] [<ffffffff810f342b>] ? do_setitimer+0x23b/0x290
[ 362.341886] [<ffffffff81985ede>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 362.341889] [<ffffffff8372a539>] system_call_fastpath+0x16/0x1b
[ 362.341921] Code: 84 00 00 00 00 00 b8 b3 ff ff ff 48 85 db 74 54 66 41 c7 04 24 27 00 49 8d 7c 24 12 41 c7 45 00 60 00 00 00 48 8b 83 28 05 00 00 <8b> 00 41 89 44 24 04 0f b6 83 41 05 00 00 41 88 44 24 10 0f b6
[ 362.341924] RIP [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341925] RSP <ffff8800304fde88>
[ 362.341926] CR2: 0000000000000000
[ 362.341928] ---[ end trace 6d450e935ee18bf3 ]---
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
MAINTAINERS
drivers/net/wireless/iwlwifi/pcie/trans.c
|
|
llcp_sock_getname() might get called before the LLCP socket was created.
This condition isn't checked, and llcp_sock_getname will simply deref a
NULL ptr in that case.
This exists starting with d646960 ("NFC: Initial LLCP support").
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
