12 Apr, 2014
1 commit
-
Several spots in the kernel perform a sequence like:
skb_queue_tail(&sk->s_receive_queue, skb);
sk->sk_data_ready(sk, skb->len);But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up. So this skb->len access is potentially
to freed up memory.Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.And finally, no actual implementation of this callback actually uses
the length argument. And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.Signed-off-by: David S. Miller
18 Mar, 2014
1 commit
-
Samuel Ortiz says:
"NFC: 3.15: First pull request
This is the NFC pull request for 3.15. With this one we have:
- Support for ISO 15693 a.k.a. NFC vicinity a.k.a. Type 5 tags. ISO
15693 are long range (1 - 2 meters) vicinity tags/cards. The kernel
now supports those through the NFC netlink and digital APIs.- Support for TI's trf7970a chipset. This chipset relies on the NFC
digital layer and the driver currently supports type 2, 4A and 5 tags.- Support for NXP's pn544 secure firmare download. The pn544 C3 chipsets
relies on a different firmware download protocal than the C2 one. We
now support both and use the right one depending on the version we
detect at runtime.- Support for 4A tags from the NFC digital layer.
- A bunch of cleanups and minor fixes from Axel Lin and Thierry Escande."
Signed-off-by: John W. Linville
15 Mar, 2014
3 commits
-
nfc_llcp_find_local() does not modify any list entry while iterating the list.
So use list_for_each_entry instead of list_for_each_entry_safe.Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
This checking is common for all caller, so move the checking to one place.
Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
Without this test, it returns NULL if dev->n_targets is 0 anyway.
Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz
11 Mar, 2014
1 commit
-
According to the latest draft specification from
the NFC-V committee, ISO/IEC 15693 tags will be
referred to as "Type 5" tags and not "Type V"
tags anymore. Make the code reflect the new
terminology.Signed-off-by: Mark A. Greer
Signed-off-by: Samuel Ortiz
24 Feb, 2014
5 commits
-
Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
This ensures we won't add polling function to the table of polling technologies
for non-supported protocols.Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
nfc_find_se() does not modify any list entry while iterating the list.
So use list_for_each_entry instead of list_for_each_entry_safe.Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
Calling init_completion() once is enough.
Then use reinit_completion() instead in __nci_request() and nci_spi_send().Signed-off-by: Axel Lin
Signed-off-by: Samuel Ortiz -
The check should be for setup function pointer.
This patch fixes NULL pointer dereference issue for NCI
based NFC driver which doesn't define setup handler.Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: Samuel Ortiz
17 Feb, 2014
6 commits
-
This fixes a memory leak issue that may occur if data sending fails in
initiator mode. The data_exch structure was not released in case of
error.Reported-by: Dan Carpenter
Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
There was a missing break making the digital stack configured for
ISO1443 target instead of ISO15693.Reported-by: Dan Carpenter
Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
When a type 4A target is activated, this change adds the ISO-DEP SoD
when sending frames and removes it when receiving responses. Chaining
is not supported so sent frames are rejected if they exceed remote FSC
bytes.Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
This adds support for ATS request and response handling for type 4A tag
activation.Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
Add ISO/IEC 15693 support by having netlink push the
1-byte DSFID and 8-byte UID tag information upstream.Signed-off-by: Mark A. Greer
Signed-off-by: Samuel Ortiz -
Add support for ISO/IEC 15693 to the digital layer. The code
currently uses single-slot anticollision only since the digital
layer infrastructure only supports one tag per adapter (making
it pointless to do 16-slot anticollision).The code uses two new framing types:
'NFC_DIGITAL_FRAMING_ISO15693_INVENTORY' and
'NFC_DIGITAL_FRAMING_ISO15693_TVT'. The former is used to
tell the driver to prepare for an Inventory command and the
ensuing anticollision sequence. The latter is used to tell
the driver that the anticollision sequence is over and to
prepare for non-inventory commands.Signed-off-by: Mark A. Greer
Signed-off-by: Samuel Ortiz
26 Jan, 2014
1 commit
-
Pull networking updates from David Miller:
1) BPF debugger and asm tool by Daniel Borkmann.
2) Speed up create/bind in AF_PACKET, also from Daniel Borkmann.
3) Correct reciprocal_divide and update users, from Hannes Frederic
Sowa and Daniel Borkmann.4) Currently we only have a "set" operation for the hw timestamp socket
ioctl, add a "get" operation to match. From Ben Hutchings.5) Add better trace events for debugging driver datapath problems, also
from Ben Hutchings.6) Implement auto corking in TCP, from Eric Dumazet. Basically, if we
have a small send and a previous packet is already in the qdisc or
device queue, defer until TX completion or we get more data.7) Allow userspace to manage ipv6 temporary addresses, from Jiri Pirko.
8) Add a qdisc bypass option for AF_PACKET sockets, from Daniel
Borkmann.9) Share IP header compression code between Bluetooth and IEEE802154
layers, from Jukka Rissanen.10) Fix ipv6 router reachability probing, from Jiri Benc.
11) Allow packets to be captured on macvtap devices, from Vlad Yasevich.
12) Support tunneling in GRO layer, from Jerry Chu.
13) Allow bonding to be configured fully using netlink, from Scott
Feldman.14) Allow AF_PACKET users to obtain the VLAN TPID, just like they can
already get the TCI. From Atzm Watanabe.15) New "Heavy Hitter" qdisc, from Terry Lam.
16) Significantly improve the IPSEC support in pktgen, from Fan Du.
17) Allow ipv4 tunnels to cache routes, just like sockets. From Tom
Herbert.18) Add Proportional Integral Enhanced packet scheduler, from Vijay
Subramanian.19) Allow openvswitch to mmap'd netlink, from Thomas Graf.
20) Key TCP metrics blobs also by source address, not just destination
address. From Christoph Paasch.21) Support 10G in generic phylib. From Andy Fleming.
22) Try to short-circuit GRO flow compares using device provided RX
hash, if provided. From Tom Herbert.The wireless and netfilter folks have been busy little bees too.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (2064 commits)
net/cxgb4: Fix referencing freed adapter
ipv6: reallocate addrconf router for ipv6 address when lo device up
fib_frontend: fix possible NULL pointer dereference
rtnetlink: remove IFLA_BOND_SLAVE definition
rtnetlink: remove check for fill_slave_info in rtnl_have_link_slave_info
qlcnic: update version to 5.3.55
qlcnic: Enhance logic to calculate msix vectors.
qlcnic: Refactor interrupt coalescing code for all adapters.
qlcnic: Update poll controller code path
qlcnic: Interrupt code cleanup
qlcnic: Enhance Tx timeout debugging.
qlcnic: Use bool for rx_mac_learn.
bonding: fix u64 division
rtnetlink: add missing IFLA_BOND_AD_INFO_UNSPEC
sfc: Use the correct maximum TX DMA ring size for SFC9100
Add Shradha Shah as the sfc driver maintainer.
net/vxlan: Share RX skb de-marking and checksum checks with ovs
tulip: cleanup by using ARRAY_SIZE()
ip_tunnel: clear IPCB in ip_tunnel_xmit() in case dst_link_failure() is called
net/cxgb4: Don't retrieve stats during recovery
...
23 Jan, 2014
1 commit
-
Pull trivial tree updates from Jiri Kosina:
"Usual rocket science stuff from trivial.git"* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)
neighbour.h: fix comment
sched: Fix warning on make htmldocs caused by wait.h
slab: struct kmem_cache is protected by slab_mutex
doc: Fix typo in USB Gadget Documentation
of/Kconfig: Spelling s/one/once/
mkregtable: Fix sscanf handling
lp5523, lp8501: comment improvements
thermal: rcar: comment spelling
treewide: fix comments and printk msgs
IXP4xx: remove '1 &&' from a condition check in ixp4xx_restart()
Documentation: update /proc/uptime field description
Documentation: Fix size parameter for snprintf
arm: fix comment header and macro name
asm-generic: uaccess: Spelling s/a ny/any/
mtd: onenand: fix comment header
doc: driver-model/platform.txt: fix a typo
drivers: fix typo in DEVTMPFS_MOUNT Kconfig help text
doc: Fix typo (acces_process_vm -> access_process_vm)
treewide: Fix typos in printk
drivers/gpu/drm/qxl/Kconfig: reformat the help text
...
19 Jan, 2014
1 commit
-
This is a follow-up patch to f3d3342602f8bc ("net: rework recvmsg
handler msg_name and msg_namelen logic").DECLARE_SOCKADDR validates that the structure we use for writing the
name information to is not larger than the buffer which is reserved
for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
consistently in sendmsg code paths.Signed-off-by: Steffen Hurrle
Suggested-by: Hannes Frederic Sowa
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
18 Jan, 2014
1 commit
-
…wireless-next into for-davem
15 Jan, 2014
2 commits
-
Signed-off-by: Geert Uytterhoeven
Signed-off-by: David S. Miller
08 Jan, 2014
2 commits
-
This patch sets the correct rf tech value and crc functions in target
mode when receiving a PSL_REQ, as done when receiving an ATR_REQ.Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
The curr_protocol field of nfc_digital_dev structure used to determine
if a target is currently active was set too soon, immediately when a
target is found. This is not good since there is no other way than
deactivate_target() to reset curr_protocol and if activate_target() is
not called, the target remains active and it's not possible to put the
device in poll mode anymore.With this patch curr_protocol is set when nfc core activates a target,
puts a device up, or when an ATR_REQ is received in target mode.Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz
07 Jan, 2014
4 commits
-
This patch fixed several typo in printk from various
part of kernel source.Signed-off-by: Masanari Iida
Signed-off-by: Jiri Kosina -
This API can be used by drivers to send their custom
configuration using SET_CONFIG NCI command to the device.Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: Samuel Ortiz -
Some drivers require special configuration while initializing.
This patch adds setup handler for this custom configuration.Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: Samuel Ortiz -
Local general bytes returned by nfc_get_local_general_bytes()
are already in correct order. We don't need to reverse them.Remove local_gb[] local array as it's not needed any more.
Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: Samuel Ortiz
06 Jan, 2014
1 commit
-
nci_close_device() sends nci reset command to the device.
If there is no response for this command, nci request timeout
occurs first and then cmd timeout happens. Because command
timer has started after sending the command.We are immediately flushing command workqueue after nci
timeout. Later we will try to schedule cmd_work in command
timer which leads to a crash.Cancel cmd_timer before flushing the workqueue to fix the
problem.Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: Samuel Ortiz
04 Jan, 2014
7 commits
-
This removes the declaration of NFCID3 size in digital_dep.c and now
uses the one from nfc.h.This also removes a faulty and unneeded call to max().
Reported-by: Dan Carpenter
Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
It's bad to use these macros when not dealing with error code. this
patch changes calls to these macros with correct casts.Signed-off-by: Thierry Escande
Signed-off-by: Samuel Ortiz -
SE discovery errors are currently overwriting the dev_up() return error.
This is wrong for many reasons:- We don't want to report an error if we actually brought the device up
but it failed to discover SEs. By doing so we pretend we don't have an
NFC functional device even we do. The only thing we could not do was
checking for SEs availability. This is the false negative case.- In some cases the actual device power up failed but the SE discovery
succeeded. Userspace then believes the device is up while it's not.
This is the false positive case.Signed-off-by: Samuel Ortiz
-
If MIUX is not present in CONNECT or CC use default MIU value (128)
instead of one announced durring link setup.This was affecting Bluetooth handover with Android 4.3+ NCI stack.
Signed-off-by: Szymon Janc
Signed-off-by: Samuel Ortiz -
If sending was not completed due to low memory condition msg_data
was not free before returning from function.Signed-off-by: Szymon Janc
Signed-off-by: Samuel Ortiz -
If the device is polling, this will trigger a netlink event to notify
userspace about the polling error.Signed-off-by: Samuel Ortiz
-
With commit e29a9e2ae165620d, we set the active_target pointer from
nfc_dep_link_is_up() in order to support the case where the target
detection and the DEP link setting are done atomically by the driver.
That can only happen in initiator mode, so we need to check for that
otherwise we fail to bring a p2p link in target mode.Signed-off-by: Arron Wang
Signed-off-by: Samuel Ortiz
19 Dec, 2013
1 commit
-
Correct spelling typo in various part of kernel
Signed-off-by: Masanari Iida
Acked-by: Randy Dunlap
Signed-off-by: Jiri Kosina
11 Dec, 2013
1 commit
-
Several files refer to an old address for the Free Software Foundation
in the file header comment. Resolve by replacing the address with
the URL so that we do not have to keep
updating the header comments anytime the address changes.CC: linux-wireless@vger.kernel.org
CC: Lauro Ramos Venancio
CC: Aloisio Almeida Jr
CC: Samuel Ortiz
Signed-off-by: Jeff Kirsher
Signed-off-by: John W. Linville
21 Nov, 2013
1 commit
-
This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
set msg_namelen to the proper size
Suggested-by: Eric Dumazet
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
