18 Jul, 2016
2 commits
-
Some Bluetooth controllers allow for reading hardware and firmware
related vendor specific infos. If they are available, then they can be
exposed via debugfs now.

Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
-
When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.

Signed-off-by: Amadeusz Sławiński
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
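
Why the pointer width in the imtu commit above matters only on big-endian machines, shown as an added example that is not code from the kernel or from the commit: it models userspace memory as bytes and decodes it in either byte order, so it runs on any host. The helper names, the sample MTU of 672 and the neighbouring bytes 0xAA 0xBB are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Read n bytes (2 or 4) at p the way a CPU of the given byte order would. */
static uint32_t load(const uint8_t *p, int n, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[big_endian ? i : n - 1 - i];
    return v;
}

/* Constructed userspace memory: a 16-bit MTU followed by two unrelated
 * bytes (0xAA 0xBB) that happen to sit next to it. */
static void place_user_mtu(uint8_t mem[4], uint16_t mtu, int big_endian)
{
    mem[0] = (uint8_t)(big_endian ? mtu >> 8 : mtu & 0xff);
    mem[1] = (uint8_t)(big_endian ? mtu & 0xff : mtu >> 8);
    mem[2] = 0xAA;
    mem[3] = 0xBB;
}

/* Before: fetch through a 32-bit pointer, then store into the 16-bit imtu.
 * The read also covers two bytes that are not part of the option value. */
uint16_t imtu_via_32bit_read(uint16_t mtu, int big_endian)
{
    uint8_t mem[4];
    place_user_mtu(mem, mtu, big_endian);
    return (uint16_t)load(mem, 4, big_endian);
}

/* After: fetch exactly the 16 bits userspace supplied. */
uint16_t imtu_via_16bit_read(uint16_t mtu, int big_endian)
{
    uint8_t mem[4];
    place_user_mtu(mem, mtu, big_endian);
    return (uint16_t)load(mem, 2, big_endian);
}

int main(void)
{
    const uint16_t mtu = 672; /* sample value, an assumption */
    printf("little-endian, 32-bit read: %u\n", imtu_via_32bit_read(mtu, 0));
    printf("big-endian,    32-bit read: %u\n", imtu_via_32bit_read(mtu, 1));
    printf("big-endian,    16-bit read: %u\n", imtu_via_16bit_read(mtu, 1));
    return 0;
}
```

On little-endian the truncation to 16 bits happens to keep the right half, which is why the defect shows up only on big-endian platforms.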
13 Jul, 2016
2 commits
-
Increment the mgmt revision due to the recently added new
reason code for the Disconnected event.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
If link is disconnected due to Authentication Failure (PIN or Key
Missing status) userspace will be notified about this with proper error
code. Many LE profiles define "PIN or Key Missing" status as indication
of remote lost bond so this allows userspace to take action on this.

@ Device Connected: 88:63:DF:88:0E:83 (1) flags 0x0000
02 01 1a 05 03 0a 18 0d 18 0b 09 48 65 61 72 74 ...........Heart
20 52 61 74 65 Rate
> HCI Event: Command Status (0x0f) plen 4
LE Read Remote Used Features (0x08|0x0016) ncmd 1
Status: Success (0x00)
> ACL Data RX: Handle 3585 flags 0x02 dlen 11
ATT: Read By Group Type Request (0x10) len 6
Handle range: 0x0001-0xffff
Attribute group type: Primary Service (0x2800)
> HCI Event: LE Meta Event (0x3e) plen 12
LE Read Remote Used Features (0x04)
Status: Success (0x00)
Handle: 3585
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
LE Encryption
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28
Handle: 3585
Random number: 0x0000000000000000
Encrypted diversifier: 0x0000
Long term key: 26201cd479a0921b6f949f0b1fa8dc82
> HCI Event: Command Status (0x0f) plen 4
LE Start Encryption (0x08|0x0019) ncmd 1
Status: Success (0x00)
> HCI Event: Encryption Change (0x08) plen 4
Status: PIN or Key Missing (0x06)
Handle: 3585
Encryption: Disabled (0x00)
< HCI Command: Disconnect (0x01|0x0006) plen 3
Handle: 3585
Reason: Authentication Failure (0x05)
> HCI Event: Command Status (0x0f) plen 4
Disconnect (0x01|0x0006) ncmd 1
Status: Success (0x00)
> HCI Event: Disconnect Complete (0x05) plen 4
Status: Success (0x00)
Handle: 3585
Reason: Connection Terminated By Local Host (0x16)
@ Device Disconnected: 88:63:DF:88:0E:83 (1) reason 4

@ Device Connected: C4:43:8F:A3:4D:83 (0) flags 0x0000
08 09 4e 65 78 75 73 20 35 ..Nexus 5
> HCI Event: Command Status (0x0f) plen 4
Authentication Requested (0x01|0x0011) ncmd 1
Status: Success (0x00)
> HCI Event: Link Key Request (0x17) plen 6
Address: C4:43:8F:A3:4D:83 (LG Electronics)
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
Address: C4:43:8F:A3:4D:83 (LG Electronics)
Link key: 080812e4aa97a863d11826f71f65a933
> HCI Event: Command Complete (0x0e) plen 10
Link Key Request Reply (0x01|0x000b) ncmd 1
Status: Success (0x00)
Address: C4:43:8F:A3:4D:83 (LG Electronics)
> HCI Event: Auth Complete (0x06) plen 3
Status: PIN or Key Missing (0x06)
Handle: 75
@ Authentication Failed: C4:43:8F:A3:4D:83 (0) status 0x05
< HCI Command: Disconnect (0x01|0x0006) plen 3
Handle: 75
Reason: Remote User Terminated Connection (0x13)
> HCI Event: Command Status (0x0f) plen 4
Disconnect (0x01|0x0006) ncmd 1
Status: Success (0x00)
> HCI Event: Disconnect Complete (0x05) plen 4
Status: Success (0x00)
Handle: 75
Reason: Connection Terminated By Local Host (0x16)
@ Device Disconnected: C4:43:8F:A3:4D:83 (0) reason 4

Signed-off-by: Szymon Janc
Signed-off-by: Johan Hedberg
10 Jul, 2016
3 commits
-
The HCI_BREDR naming is confusing since it actually stands for Primary
Bluetooth Controller. Which is a term that has been used in the latest
standard. However from a legacy point of view there only really have
been Basic Rate (BR) and Enhanced Data Rate (EDR). Recent versions of
Bluetooth introduced Low Energy (LE) and made this terminology a little
bit confused since Dual Mode Controllers include BR/EDR and LE. To
simplify this the name HCI_PRIMARY stands for the Primary Controller
which can be a single mode or dual mode controller.

Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
-
The controller device attributes are not used and expose no valuable
information.

Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
-
The connection link attributes are not used and expose no valuable
information.

Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
08 Jul, 2016
3 commits
-
If recvmsg is called with a destination buffer that is too small to
receive the contents of skb in its entirety, the return value from
recvmsg was inconsistent with common SOCK_SEQPACKET or SOCK_DGRAM
semantics.

If destination buffer provided by userspace is too small (e.g. len <
copied), then MSG_TRUNC flag is set and copied is returned. Instead, it
should return the length of the message, which is consistent with how
other datagram based sockets act. Quoting 'man recv':

"All three calls return the length of the message on successful
completion. If a message is too long to fit in the supplied buffer, excess
bytes may be discarded depending on the type of socket the message is
received from."

and

"MSG_TRUNC (since Linux 2.2)
For raw (AF_PACKET), Internet datagram (since Linux
2.4.27/2.6.8), netlink (since Linux 2.6.22), and UNIX datagram
(since Linux 3.4) sockets: return the real length of the packet
or datagram, even when it was longer than the passed buffer."

Signed-off-by: Denis Kenzior
Signed-off-by: Marcel Holtmann
-
If recvmsg is called with a destination buffer that is too small to
receive the contents of skb in its entirety, the return value from
recvmsg was inconsistent with common SOCK_SEQPACKET or SOCK_DGRAM
semantics.

If destination buffer provided by userspace is too small (e.g. len <
copied), then MSG_TRUNC flag is set and copied is returned. Instead, it
should return the length of the message, which is consistent with how
other datagram based sockets act. Quoting 'man recv':

"All three calls return the length of the message on successful
completion. If a message is too long to fit in the supplied buffer, excess
bytes may be discarded depending on the type of socket the message is
received from."

and

"MSG_TRUNC (since Linux 2.2)
For raw (AF_PACKET), Internet datagram (since Linux
2.4.27/2.6.8), netlink (since Linux 2.6.22), and UNIX datagram
(since Linux 3.4) sockets: return the real length of the packet
or datagram, even when it was longer than the passed buffer."

Signed-off-by: Denis Kenzior
Signed-off-by: Marcel Holtmann
-
SMP does ECB crypto on stack buffers. This is complicated and
fragile, and it will not work if the stack is virtually allocated.

Switch to the crypto_cipher interface, which is simpler and safer.

Signed-off-by: Andy Lutomirski
Acked-by: Herbert Xu
Acked-by: Johan Hedberg
Tested-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
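
The reference semantics that the two recvmsg commits of 08 Jul, 2016 quote from 'man recv', as an added example that is not code from the kernel or from those commits: it uses an AF_UNIX datagram socketpair instead of a Bluetooth socket (an assumption, so it runs without a controller) and shows how a receiver detects that a datagram did not fit its buffer. The struct and function names are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

struct trunc_result {
    ssize_t peek_ret;   /* recv() with MSG_PEEK | MSG_TRUNC in flags */
    ssize_t plain_ret;  /* recvmsg() with no flags */
    int     flagged;    /* MSG_TRUNC reported back in msg_flags */
};

/* Send one msg_len-byte datagram and receive it into a buf_len-byte buffer.
 * Returns 0 on success, -1 if the sockets could not be set up or used. */
int probe_truncation(size_t msg_len, size_t buf_len, struct trunc_result *r)
{
    char msg[256], buf[256];
    int sv[2], rc = -1;

    if (msg_len > sizeof(msg) || buf_len > sizeof(buf))
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    memset(msg, 'A', msg_len);  /* constructed payload */
    if (send(sv[0], msg, msg_len, 0) == (ssize_t)msg_len) {
        /* Asking for MSG_TRUNC returns the real datagram length even
         * though only buf_len bytes can be copied; MSG_PEEK leaves the
         * datagram queued for the second receive. */
        r->peek_ret = recv(sv[1], buf, buf_len, MSG_PEEK | MSG_TRUNC);

        /* Without the flag the return value is the number of bytes
         * copied; truncation is visible only in msg_flags. */
        struct iovec iov = { .iov_base = buf, .iov_len = buf_len };
        struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
        r->plain_ret = recvmsg(sv[1], &mh, 0);
        r->flagged = (mh.msg_flags & MSG_TRUNC) != 0;
        rc = (r->peek_ret < 0 || r->plain_ret < 0) ? -1 : 0;
    }
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct trunc_result r;
    if (probe_truncation(100, 16, &r) != 0)
        return 1;
    printf("peek+MSG_TRUNC=%zd plain=%zd truncated=%d\n",
           r.peek_ret, r.plain_ret, r.flagged);
    return 0;
}
```

A receiver that parses the buffer without checking either signal treats a cut-off message as a complete one, which is why a consistent return value matters to protocol code.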
10 Jun, 2016
1 commit
-
It is time to add netdev_lockdep_set_classes() helper
so that lockdep annotations per device type are easier to manage.

This removes a lot of copies and missing annotations.

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
08 Jun, 2016
1 commit
-
Instead of using a single bit (__QDISC___STATE_RUNNING)
in sch->__state, use a seqcount.

This adds lockdep support, but more importantly it will allow us
to sample qdisc/class statistics without having to grab qdisc root lock.

Signed-off-by: Eric Dumazet
Cc: Cong Wang
Cc: Jamal Hadi Salim
Signed-off-by: David S. Miller
13 May, 2016
1 commit
-
With all the latest fixes applied, I am still able to reproduce this
(and other) warning(s):
WARNING: CPU: 1 PID: 19684 at ../kernel/workqueue.c:4092 destroy_workqueue+0x70a/0x770()
...
Call Trace:
[] ? dump_stack+0xb3/0x112
[] ? warn_slowpath_common+0xde/0x140
[] ? destroy_workqueue+0x70a/0x770
[] ? warn_slowpath_null+0x2e/0x40
[] ? destroy_workqueue+0x70a/0x770
[] ? hci_unregister_dev+0x2a9/0x720 [bluetooth]
[] ? vhci_release+0x7b/0xf0 [hci_vhci]
[] ? vhci_flush+0x50/0x50 [hci_vhci]
[] ? do_exit+0x863/0x2b90

This is due to race present in the hci_unregister_dev path.
hdev->power_on work races with hci_dev_do_close. One tries to open,
the other tries to close, leading to warning like the above. (Another
example is a warning in kobject_get or kobject_put depending on who
wins the race.)

Fix this by switching those two racers to ensure hdev->power_on never
triggers while hci_dev_do_close is in progress.

Signed-off-by: Jiri Slaby
Signed-off-by: Marcel Holtmann
05 May, 2016
1 commit
-
Replace all trans_start updates with netif_trans_update helper.
change was done via spatch:

struct net_device *d;
@@
- d->trans_start = jiffies
+ netif_trans_update(d)

Compile tested only.

Cc: user-mode-linux-devel@lists.sourceforge.net
Cc: linux-xtensa@linux-xtensa.org
Cc: linux1394-devel@lists.sourceforge.net
Cc: linux-rdma@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: MPT-FusionLinux.pdl@broadcom.com
Cc: linux-scsi@vger.kernel.org
Cc: linux-can@vger.kernel.org
Cc: linux-parisc@vger.kernel.org
Cc: linux-omap@vger.kernel.org
Cc: linux-hams@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Cc: linux-wireless@vger.kernel.org
Cc: linux-s390@vger.kernel.org
Cc: devel@driverdev.osuosl.org
Cc: b.a.t.m.a.n@lists.open-mesh.org
Cc: linux-bluetooth@vger.kernel.org
Signed-off-by: Florian Westphal
Acked-by: Felipe Balbi
Acked-by: Mugunthan V N
Acked-by: Antonio Quartulli
Signed-off-by: David S. Miller
27 Apr, 2016
1 commit
-
…etooth/bluetooth-next
Johan Hedberg says:
====================
pull request: bluetooth-next 2016-04-26

Here's another set of Bluetooth & 802.15.4 patches for the 4.7 kernel:

- Cleanups & refactoring of ieee802154 & 6lowpan code
- Security related additions to ieee802154 and mrf24j40 driver
- Memory corruption fix to Bluetooth 6lowpan code
- Race condition fix in vhci driver
- Enhancements to the atusb 802.15.4 driver

Please let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
26 Apr, 2016
1 commit
-
The memcpy of ipv6 header destination address to the skb control block
(skb->cb) in header_create() results in corrupted memory when bt_xmit()
is issued. The skb->cb is "released" in the return of header_create()
making room for lower layer to manipulate the skb->cb.

The value retrieved in bt_xmit is not persistent across header creation
and sending, and the lower layer will overwrite portions of skb->cb,
making the copied destination address wrong.

The memory corruption will lead to non-working multicast as the first 4
bytes of the copied destination address is replaced by a value that
resolves into a non-multicast prefix.

This fix removes the dependency on the skb control block between header
creation and send, by moving the destination address memcpy to the send
function path (setup_create, which is called from bt_xmit).

Signed-off-by: Glenn Ruben Bakke
Acked-by: Jukka Rissanen
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org # 4.5+
14 Apr, 2016
1 commit
-
sock_owned_by_user should not be used without socket lock held. It seems
to be a common practice to check .owned before lock reclassification, so
provide a little help to abstract this check away.

Cc: linux-cifs@vger.kernel.org
Cc: linux-bluetooth@vger.kernel.org
Cc: linux-nfs@vger.kernel.org
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
13 Apr, 2016
1 commit
-
This patch changes the naming for interface private data for lowpan
interfaces. The current private data scheme is:

-------------------------------------------------
| 6LoWPAN Generic | LinkLayer 6LoWPAN |
-------------------------------------------------

the current naming schemes are:

- 6LoWPAN Generic:
  - lowpan_priv
- LinkLayer 6LoWPAN:
  - BTLE
    - lowpan_dev
  - 802.15.4:
    - lowpan_dev_info

the new naming scheme with this patch will be:

- 6LoWPAN Generic:
  - lowpan_dev
- LinkLayer 6LoWPAN:
  - BTLE
    - lowpan_btle_dev
  - 802.15.4:
    - lowpan_802154_dev

Signed-off-by: Alexander Aring
Reviewed-by: Stefan Schmidt
Acked-by: Jukka Rissanen
Signed-off-by: Marcel Holtmann
09 Apr, 2016
3 commits
-
Update the security level check to allow setting BT_SECURITY_FIPS for
an L2CAP socket.

Signed-off-by: Patrik Flykt
Signed-off-by: Marcel Holtmann
-
In case buggy controllers send advertising packet types that we
don't know of we should simply ignore them instead of trying to react
to them in some (potentially wrong) way.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
If we're dealing with a single-mode controller or BR/EDR is disabled
for a dual-mode one, the NO_BREDR flag needs to be unconditionally
present in the advertising data. This patch moves it out from behind
an extra condition to be always set in the create_instance_adv_data()
function if BR/EDR is disabled.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
20 Mar, 2016
1 commit
-
Pull networking updates from David Miller:
"Highlights:

1) Support more Realtek wireless chips, from Jes Sorenson.

2) New BPF types for per-cpu hash and array maps, from Alexei
Starovoitov.

3) Make several TCP sysctls per-namespace, from Nikolay Borisov.

4) Allow the use of SO_REUSEPORT in order to do per-thread processing
of incoming TCP/UDP connections. The muxing can be done using a
BPF program which hashes the incoming packet. From Craig Gallek.

5) Add a multiplexer for TCP streams, to provide a messaged based
interface. BPF programs can be used to determine the message
boundaries. From Tom Herbert.

6) Add 802.1AE MACSEC support, from Sabrina Dubroca.

7) Avoid factorial complexity when taking down an inetdev interface
with lots of configured addresses. We were doing things like
traversing the entire address list for each address removed, and
flushing the entire netfilter conntrack table for every address as
well.

8) Add and use SKB bulk free infrastructure, from Jesper Brouer.

9) Allow offloading u32 classifiers to hardware, and implement for
ixgbe, from John Fastabend.

10) Allow configuring IRQ coalescing parameters on a per-queue basis,
from Kan Liang.

11) Extend ethtool so that larger link mode masks can be supported.
From David Decotigny.

12) Introduce devlink, which can be used to configure port link types
(ethernet vs Infiniband, etc.), port splitting, and switch device
level attributes as a whole. From Jiri Pirko.

13) Hardware offload support for flower classifiers, from Amir Vadai.

14) Add "Local Checksum Offload". Basically, for a tunneled packet
the checksum of the outer header is 'constant' (because with the
checksum field filled into the inner protocol header, the payload
of the outer frame checksums to 'zero'), and we can take advantage
of that in various ways. From Edward Cree"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1548 commits)
bonding: fix bond_get_stats()
net: bcmgenet: fix dma api length mismatch
net/mlx4_core: Fix backward compatibility on VFs
phy: mdio-thunder: Fix some Kconfig typos
lan78xx: add ndo_get_stats64
lan78xx: handle statistics counter rollover
RDS: TCP: Remove unused constant
RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket
net: smc911x: convert pxa dma to dmaengine
team: remove duplicate set of flag IFF_MULTICAST
bonding: remove duplicate set of flag IFF_MULTICAST
net: fix a comment typo
ethernet: micrel: fix some error codes
ip_tunnels, bpf: define IP_TUNNEL_OPTS_MAX and use it
bpf, dst: add and use dst_tclassid helper
bpf: make skb->tc_classid also readable
net: mvneta: bm: clarify dependencies
cls_bpf: reset class and reuse major in da
ldmvsw: Checkpatch sunvnet.c and sunvnet_common.c
ldmvsw: Add ldmvsw.c driver code
...
18 Mar, 2016
1 commit
-
Pull crypto update from Herbert Xu:
"Here is the crypto update for 4.6:

API:
- Convert remaining crypto_hash users to shash or ahash, also convert
blkcipher/ablkcipher users to skcipher.
- Remove crypto_hash interface.
- Remove crypto_pcomp interface.
- Add crypto engine for async cipher drivers.
- Add akcipher documentation.
- Add skcipher documentation.

Algorithms:
- Rename crypto/crc32 to avoid name clash with lib/crc32.
- Fix bug in keywrap where we zero the wrong pointer.

Drivers:
- Support T5/M5, T7/M7 SPARC CPUs in n2 hwrng driver.
- Add PIC32 hwrng driver.
- Support BCM6368 in bcm63xx hwrng driver.
- Pack structs for 32-bit compat users in qat.
- Use crypto engine in omap-aes.
- Add support for sama5d2x SoCs in atmel-sha.
- Make atmel-sha available again.
- Make sahara hashing available again.
- Make ccp hashing available again.
- Make sha1-mb available again.
- Add support for multiple devices in ccp.
- Improve DMA performance in caam.
- Add hashing support to rockchip"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (116 commits)
crypto: qat - remove redundant arbiter configuration
crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()
crypto: atmel - fix checks of error code returned by devm_ioremap_resource()
crypto: qat - Change the definition of icp_qat_uof_regtype
hwrng: exynos - use __maybe_unused to hide pm functions
crypto: ccp - Add abstraction for device-specific calls
crypto: ccp - CCP versioning support
crypto: ccp - Support for multiple CCPs
crypto: ccp - Remove check for x86 family and model
crypto: ccp - memset request context to zero during import
lib/mpi: use "static inline" instead of "extern inline"
lib/mpi: avoid assembler warning
hwrng: bcm63xx - fix non device tree compatibility
crypto: testmgr - allow rfc3686 aes-ctr variants in fips mode.
crypto: qat - The AE id should be less than the maximal AE number
lib/mpi: Endianness fix
crypto: rockchip - add hash support for crypto engine in rk3288
crypto: xts - fix compile errors
crypto: doc - add skcipher API documentation
crypto: doc - update AEAD AD handling
...
11 Mar, 2016
6 commits
-
The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org
-
A recent change added MGMT_ADV_FLAG_DISCOV to the flags returned by
get_adv_instance_flags(), however failed to take into account limited
discoverable mode. This patch fixes the issue by setting the correct
discoverability flag in the AD data.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
Increment the mgmt revision due to the recently added limited
privacy mode.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
Introduce a limited privacy mode indicated by value 0x02 to the mgmt
Set Privacy command.

With value 0x02 the kernel will use privacy mode with a resolvable
private address. In case the controller is bondable and discoverable
the identity address will be used.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
When looking up the advertising instance flags for the default
advertising instance (0) the discoverable flag should be filled in
based on the HCI_DISCOVERABLE flag.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
Minor fix to not do the memset until the variable it clears is
actually used.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
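
The kind of check described in the first commit of 11 Mar, 2016 (the Add Advertising command length fix), as an added example that is not the kernel's handler or the commit's code: a parser that validates the two declared lengths against the length of the whole command before copying. The wire layout, the constants, the function names and the choice of exact equality for "consistent" are assumptions for the illustration; the commands are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire layout (not copied from the kernel headers):
 * 9 bytes of fixed parameters, adv_data_len, scan_rsp_len, then data[]. */
#define HDR_LEN      11
#define OFF_ADV_LEN   9
#define OFF_RSP_LEN  10
#define MAX_AD_LEN   31  /* legacy advertising data limit */

struct adv_instance {
    uint8_t adv[MAX_AD_LEN], rsp[MAX_AD_LEN];
    uint8_t adv_len, rsp_len;
};

/* Build a constructed command whose length fields claim adv_len/rsp_len
 * but which actually carries `payload` data bytes. Returns total length. */
size_t build_cmd(uint8_t *buf, uint8_t adv_len, uint8_t rsp_len, size_t payload)
{
    memset(buf, 0, HDR_LEN);
    buf[OFF_ADV_LEN] = adv_len;
    buf[OFF_RSP_LEN] = rsp_len;
    memset(buf + HDR_LEN, 0x42, payload);
    return HDR_LEN + payload;
}

/* Bytes a handler would touch beyond the command if it validated only the
 * two length fields and trusted them when copying. 0 means none. */
size_t overread_without_total_check(const uint8_t *cmd, size_t cmd_len)
{
    if (cmd_len < HDR_LEN)
        return HDR_LEN - cmd_len;
    size_t need = HDR_LEN + (size_t)cmd[OFF_ADV_LEN] + cmd[OFF_RSP_LEN];
    return need > cmd_len ? need - cmd_len : 0;
}

/* Hardened parse: 0 on success, -1 on any inconsistency. */
int parse_add_adv(const uint8_t *cmd, size_t cmd_len, struct adv_instance *out)
{
    if (cmd_len < HDR_LEN)
        return -1;                  /* length fields not even present */
    uint8_t adv_len = cmd[OFF_ADV_LEN], rsp_len = cmd[OFF_RSP_LEN];
    if (adv_len > MAX_AD_LEN || rsp_len > MAX_AD_LEN)
        return -1;                  /* per-field limit */
    if (cmd_len != HDR_LEN + (size_t)adv_len + rsp_len)
        return -1;                  /* command length vs. declared lengths */
    memset(out, 0, sizeof(*out));
    memcpy(out->adv, cmd + HDR_LEN, adv_len);
    memcpy(out->rsp, cmd + HDR_LEN + adv_len, rsp_len);
    out->adv_len = adv_len;
    out->rsp_len = rsp_len;
    return 0;
}

int main(void)
{
    uint8_t buf[128];
    struct adv_instance out;
    size_t n = build_cmd(buf, 31, 31, 4);   /* claims 62 bytes, carries 4 */
    printf("over-read without total check: %zu bytes\n",
           overread_without_total_check(buf, n));
    printf("hardened parse: %d\n", parse_add_adv(buf, n, &out));
    return 0;
}
```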
24 Feb, 2016
3 commits
-
When the HCI_AUTO_OFF flag is cleared, the power_off delayed work needs
to be cancelled or HCI will be powered off even if it's managed.

Signed-off-by: Wei-Ning Huang
Signed-off-by: Marcel Holtmann
-
Recently a managed version of led_trigger_register was introduced.
Using devm_led_trigger_register allows to simplify the LED trigger code.

Signed-off-by: Heiner Kallweit
Signed-off-by: Marcel Holtmann
-
Add support for LED triggers to the Bluetooth subsystem and add kernel
config symbol BT_LEDS for it.

For now one trigger for indicating "HCI is powered up" is supported.

Signed-off-by: Heiner Kallweit
Signed-off-by: Marcel Holtmann
20 Feb, 2016
1 commit
-
In commit 44d271377479 ("Bluetooth: Compress the size of struct
hci_ctrl") we squashed down the size of the structure by using a union
with the assumption that all users would use the flag to determine
whether we had a req_complete or a req_complete_skb.

Unfortunately we had a case in hci_req_cmd_complete() where we weren't
looking at the flag. This can result in a situation where we might be
storing a hci_req_complete_skb_t in a hci_req_complete_t variable, or
vice versa.

During some testing I found at least one case where the function
hci_req_sync_complete() was called improperly because the kernel thought
that it didn't require an SKB. Looking through the stack in kgdb I
found that it was called by hci_event_packet() and that
hci_event_packet() had both of its locals "req_complete" and
"req_complete_skb" pointing to the same place: both to
hci_req_sync_complete().

Let's make sure we always check the flag.

For more details on debugging done, see .
Fixes: 44d271377479 ("Bluetooth: Compress the size of struct hci_ctrl")
Signed-off-by: Douglas Anderson
Acked-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
29 Jan, 2016
4 commits
-
The commit cad20c278085d893ebd616cd20c0747a8e9d53c7 was supposed to
fix handling of devices first using public addresses and then
switching to RPAs after pairing. Unfortunately it missed a couple of
key places in the code.

1. When evaluating which devices should be removed from the existing
white list we also need to consider whether we have an IRK for them or
not, i.e. a call to hci_find_irk_by_addr() is needed.

2. In smp_notify_keys() we should not be requiring the knowledge of
the RPA, but should simply keep the IRK around if the other conditions
require it.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org # 4.4+
-
At least the l2cap_add_psm() routine depends on the source address
type being properly set to know what auto-allocation ranges to use, so
the assignment to l2cap_chan needs to happen before this.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
The LE dynamic PSM range is different from BR/EDR (0x0080 - 0x00ff)
and doesn't have requirements relating to parity, so separate checks
are needed.

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
-
Having proper defines makes the code a bit more readable, it also avoids
duplicating hard-coded values since these are also needed when
auto-allocating PSM values (in a subsequent patch).

Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
27 Jan, 2016
1 commit
-
This patch replaces uses of blkcipher with skcipher and the long
obsolete hash interface with shash.

Signed-off-by: Herbert Xu
Acked-by: Marcel Holtmann
23 Jan, 2016
2 commits
-
This patch fixes incorrect handling of the 6lowpan packets that contain
uncompressed IPv6 header.

RFC4944 specifies a special dispatch for 6lowpan to carry uncompressed
IPv6 header. This dispatch (1 byte long) has to be removed during
reception and skb data pointer has to be moved. To correctly point in
the beginning of the IPv6 header the dispatch byte has to be pulled off
before packet can be processed by netif_rx_in().

Test scenario: IPv6 packets are not correctly interpreted by the network
layer when IPv6 header is not compressed (e.g. ICMPv6 Echo Reply is not
propagated correctly to the ICMPv6 layer because the extra byte will make
the header look corrupted).

Similar approach is done for IEEE 802.15.4.

Signed-off-by: Lukasz Duda
Signed-off-by: Glenn Ruben Bakke
Acked-by: Jukka Rissanen
Signed-off-by: Johan Hedberg
Cc: stable@vger.kernel.org # 4.4+
-
The fixes provided in this patch assigns a valid net_device structure to
skb before dispatching it for further processing.

Scenario #1:
============

Bluetooth 6lowpan receives an uncompressed IPv6 header, and dispatches it
to netif. The following error occurs:

Null pointer dereference error #1 crash log:

[ 845.854013] BUG: unable to handle kernel NULL pointer dereference at
0000000000000048
[ 845.855785] IP: [] enqueue_to_backlog+0x56/0x240
...
[ 845.909459] Call Trace:
[ 845.911678] [] netif_rx_internal+0x44/0xf0

The first modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in order to set a valid net_device before
processing the skb by netif_rx_ni().

Scenario #2:
============

Bluetooth 6lowpan receives an UDP compressed message which needs further
decompression by nhc_udp. The following error occurs:

Null pointer dereference error #2 crash log:

[ 63.295149] BUG: unable to handle kernel NULL pointer dereference at
0000000000000840
[ 63.295931] IP: [] udp_uncompress+0x320/0x626
[nhc_udp]

The second modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in the case of a udp compressed packet.
The 6lowpan udp_uncompress function expects that the net_device is set in
the skb when checking lltype.

Signed-off-by: Glenn Ruben Bakke
Signed-off-by: Lukasz Duda
Acked-by: Jukka Rissanen
Signed-off-by: Johan Hedberg
Cc: stable@vger.kernel.org # 4.4+