aboutsummaryrefslogtreecommitdiff
path: root/net/nfc
AgeCommit message (Collapse)Author
2012-12-03NFC: Fix nfc_llcp_local chained list insertionThierry Escande
commit 16a78e9fed5e8baa8480ae3413f4328c4537c599 upstream. list_add was called with swapped parameters Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Peter Huewe <peterhuewe@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-07-16NFC: Prevent multiple buffer overflows in NCIDan Rosenberg
commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream. Fix multiple remotely-exploitable stack-based buffer overflows due to the NCI code pulling length fields directly from incoming frames and copying too much data into statically-sized arrays. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Cc: security@kernel.org Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: David S. Miller <davem@davemloft.net> Acked-by: Ilan Elias <ilane@ti.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-07-16NFC: Return from rawsock_release when sk is NULLEric Dumazet
commit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream. Sasha Levin reported following panic : [ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at 00000000000003b0 [ 2136.384022] IP: [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0 [ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0 [ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 2136.388106] CPU 1 [ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G W 3.5.0-rc2-sasha-00015-g7b268f7 #374 [ 2136.388106] RIP: 0010:[<ffffffff8114e400>] [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0 [ 2136.388106] RSP: 0018:ffff8800130b3ca8 EFLAGS: 00010046 [ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX: 0000000000000000 [ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09: 0000000000000000 [ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000002 [ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15: 0000000000000000 [ 2136.388106] FS: 00007fa5b1bd4700(0000) GS:ffff88001b800000(0000) knlGS:0000000000000000 [ 2136.388106] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4: 00000000000406e0 [ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo ffff8800130b2000, task ffff88001186b000) [ 2136.388106] Stack: [ 2136.388106] ffff8800130b3cd8 ffffffff81121785 ffffffff81236774 000080d000000001 [ 2136.388106] ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08 ffff88001186b000 [ 2136.388106] 0000000000000000 0000000000000002 0000000000000000 0000000000000000 [ 2136.388106] Call Trace: [ 2136.388106] [<ffffffff81121785>] ? sched_clock_local+0x25/0x90 [ 2136.388106] [<ffffffff81236774>] ? get_empty_filp+0x74/0x220 [ 2136.388106] [<ffffffff8114e97a>] lock_acquire+0x18a/0x1e0 [ 2136.388106] [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0 [ 2136.388106] [<ffffffff837c0ef0>] _raw_write_lock_bh+0x40/0x80 [ 2136.388106] [<ffffffff836b37df>] ? rawsock_release+0x4f/0xa0 [ 2136.388106] [<ffffffff836b37df>] rawsock_release+0x4f/0xa0 [ 2136.388106] [<ffffffff8321cfe8>] sock_release+0x18/0x70 [ 2136.388106] [<ffffffff8321d069>] sock_close+0x29/0x30 [ 2136.388106] [<ffffffff81236bca>] __fput+0x11a/0x2c0 [ 2136.388106] [<ffffffff81236d85>] fput+0x15/0x20 [ 2136.388106] [<ffffffff8321de34>] sys_accept4+0x1b4/0x200 [ 2136.388106] [<ffffffff837c165c>] ? _raw_spin_unlock_irq+0x4c/0x80 [ 2136.388106] [<ffffffff837c1669>] ? _raw_spin_unlock_irq+0x59/0x80 [ 2136.388106] [<ffffffff837c2565>] ? sysret_check+0x22/0x5d [ 2136.388106] [<ffffffff8321de8b>] sys_accept+0xb/0x10 [ 2136.388106] [<ffffffff837c2539>] system_call_fastpath+0x16/0x1b [ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7 8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00 00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77 [ 2136.388106] RIP [<ffffffff8114e400>] __lock_acquire+0xc0/0x4b0 [ 2136.388106] RSP <ffff8800130b3ca8> [ 2136.388106] CR2: 00000000000003b0 [ 2136.388106] ---[ end trace 6d450e935ee18982 ]--- [ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt rawsock_release() should test if sock->sk is NULL before calling sock_orphan()/sock_put() Reported-by: Sasha Levin <levinsasha928@gmail.com> Tested-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-04-11NFC: Fix the LLCP Tx fragmentation loopSamuel Ortiz
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: NCI code identation fixesSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Core code identation fixesSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: LLCP code identation fixesSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Fix LLCP sockets releasing pathSamuel Ortiz
The socket local pointer needs to be set to NULL when the adapter is removed or the MAC goes down. If the socket release code is called after such an event, the socket reference count still needs to be decreased in order for the socket to eventually be freed. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Remove the rf mode parameter from the DEP link up routineSamuel Ortiz
When calling nfc_dep_link_up, we implicitely are in initiator mode. Which means we also can provide the general bytes as a function argument, as all drivers will eventually request them. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: SN is not an invalid GT valueSamuel Ortiz
We just don't do anything with it when parsing the general bytes. We handle it from the CONNECT reception code. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Unlink LLCP child sockets from llcp_sock_releaseSamuel Ortiz
The parent socket (the bound one) could be freed before its children, so we should unlink the children without trying to reach it through the parent. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Fragment LLCP I framesSamuel Ortiz
Based on the receiver MIU, we have to fragment the frame to be transmitted. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Set MIU and RW values from CONNECT and CC LLCP framesSamuel Ortiz
We use the maximum values for the LLCP Maximum Information Unit and Receive Window Size. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Send LLCP RR frames to acknowledge received I framesSamuel Ortiz
In order to acknowledge an I frame, we have to either queue pending local I frames or queue a receiver ready frame. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Set the right LLCP N(R) value for I framesSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Clear LLCP SDPs whan MAC goes downSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Fix bitops usage in LLCPSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: LLCP socket sendmsg implemetationSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Handle Receiver Not Ready LLCP frameSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Factorize the I frame queueing routineSamuel Ortiz
This one will be called from the I frame command sending. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-03-06NFC: Add device powered netlink attributeSamuel Ortiz
For user space to know if a device is up or down. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-27nfc: NULL vs zero in nci_activate_target()Dan Carpenter
This is a pointer so it should be NULL instead of zero. Sparse complains about this stuff: net/nfc/nci/core.c:447:37: warning: Using plain integer as NULL pointer Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: Add NCI multiple targets supportIlan Elias
Add the ability to select between multiple targets in NCI. If only one target is found, it will be auto-activated. If more than one target is found, then DISCOVER_NTF will be generated for each target, and the host should select one by calling DISCOVER_SELECT_CMD. Then, the target will be activated. If the activation fails, GENERIC_ERROR_NTF is generated. Signed-off-by: Ilan Elias <ilane@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: NFC core layer should not set the target_idxIlan Elias
The NFC core layer should not set the target_idx. Instead, the driver layer (e.g. NCI, PN533) should set the target_idx, so that it will be able to identify the target when its I/F (e.g. activate_target) is called. This is required in order to support multiple targets. Note that currently supported drivers (PN533 and NCI) don't use the target_idx in their implementation. Signed-off-by: Ilan Elias <ilane@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: Clearly separate NCI states from flagsIlan Elias
Make a clear separation between NCI states and flags. This is required in order to support more NCI states (e.g. for multiple targets support). Signed-off-by: Ilan Elias <ilane@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: Add NCI data exchange timerIlan Elias
Add NCI data exchange timer to catch timeouts, and call the data exchange callback with an error. Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: Export new attributes sensb_res and sensf_resIlan Elias
Export new attributes sensb_res for tech B and sensf_res for tech F in the target info (returned as a response to NFC_CMD_GET_TARGET). The max size of the attributes nfcid1, sensb_res and sensf_res is exported to user space though include/linux/nfc. Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24NFC: Complete NCI deactivate in deactivate_ntfIlan Elias
If a target was active, complete the NCI deactivate request only in deactivate_ntf. Otherwise, complete it at deactivate_rsp. Deactivate_ntf represents the actual disconnection event (sent from the NCI controller). Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04NFC: Export a new attribute nfcid1 in target infoIlan Elias
The nfcid1 is the NFC-A identifier. It is exported as an attribute of the target info (returned as a response to NFC_CMD_GET_TARGET). Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04NFC: Handle error during NCI data exchangeIlan Elias
Add support for NCI Interface Error Notification. When this notification is received and we're during a data exchange transaction, indicate an error to the NFC core layer via the data exchange callback. Signed-off-by: Ilan Elias <ilane@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04NFC: Update names and structs to NCI spec 1.0 d22Ilan Elias
Addition, deletion, and modification of NCI constants. Changes in NCI commands, responses, and notifications structures. Signed-off-by: Ilan Elias <ilane@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19NFC: use kfree_skb() for sk_buffsDan Carpenter
This is a struct sk_buff pointer and it should be freed with kfree_skb() instead of kfree(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19NFC: double unlock in nfc_llcp_recv_connect()Dan Carpenter
We unlock inside the if block on the other side of this if else statement. It could result in calling mutex_unlock() twice. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19NFC: Fix LLCP related build failureSamuel Ortiz
llcp_mac routines should be static and inlined or build will fail with NFC selected without LLCP. This patch fixes: LD [M] net/nfc/nfc.o net/nfc/netlink.o: In function `nfc_llcp_mac_is_down': netlink.c:(.text+0x0): multiple definition of `nfc_llcp_mac_is_down' net/nfc/core.o:(.text+0x0): first defined here net/nfc/netlink.o: In function `nfc_llcp_mac_is_up': netlink.c:(.text+0x10): multiple definition of `nfc_llcp_mac_is_up' net/nfc/core.o:(.text+0x10): first defined here net/nfc/af_nfc.o: In function `nfc_llcp_mac_is_down': (.text+0x0): multiple definition of `nfc_llcp_mac_is_down' net/nfc/core.o:(.text+0x0): first defined here net/nfc/af_nfc.o: In function `nfc_llcp_mac_is_up': (.text+0x10): multiple definition of `nfc_llcp_mac_is_up' net/nfc/core.o:(.text+0x10): first defined here net/nfc/rawsock.o: In function `nfc_llcp_mac_is_down': rawsock.c:(.text+0x0): multiple definition of `nfc_llcp_mac_is_down' net/nfc/core.o:(.text+0x0): first defined here net/nfc/rawsock.o: In function `nfc_llcp_mac_is_up': rawsock.c:(.text+0x10): multiple definition of `nfc_llcp_mac_is_up' net/nfc/core.o:(.text+0x10): first defined here Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Initial LLCP supportSamuel Ortiz
This patch is an initial implementation for the NFC Logical Link Control protocol. It's also known as NFC peer to peer mode. This is a basic implementation as it lacks SDP (services Discovery Protocol), frames aggregation support, and frame rejecion parsing. Follow up patches will implement those missing features. This code has been tested against a Nexus S phone implementing LLCP 1.0. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Set and get DEP general bytesSamuel Ortiz
Without an API for setting and getting the local and remote general bytes, drivers won't be able to properly establish a DEP link. This API also allows them to propagate the remote general bytes they get from the DEP link establishment up to the LLCP layer. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Add a DEP link control netlink commandSamuel Ortiz
NFC-DEP (Data Exchange Protocol) is an NFC MAC layer. This command allows to enable and disable the DEP link on to which e.g. LLCP can run. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Atomic socket allocationSamuel Ortiz
rawsock_create() is called with preemption disabled, so we should not sleep. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Do not take the genl mutex from the netlink release notifierSamuel Ortiz
The netlink notifier is atomic so we must not sleep in that context. Also we know that Any netlink packets arriving to us will be purged when the notifier is called, so we don't need to take the mutex. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Add tx skb allocation routineSamuel Ortiz
This is a factorization of the current rawsock tx skb allocation routine, as it will be used by the LLCP code. We also rename nfc_alloc_skb to nfc_alloc_recv_skb for consistency sake. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14NFC: Add function name to the NFC pr_fmt() routineSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14Merge branch 'master' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless Conflicts: drivers/net/wireless/iwlwifi/iwl-agn.c
2011-12-12nfc: signedness bug in __nci_request()Dan Carpenter
wait_for_completion_interruptible_timeout() returns -ERESTARTSYS if interrupted so completion_rc needs to be signed. The current code probably returns -ETIMEDOUT if we hit this situation, but after this patch is applied it will return -ERESTARTSYS. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-30nfc: Remove function tracer like entry messagesJoe Perches
Logging messages that mimic function tracer enter/exit aren't necessary. Just remove them. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-30nfc: Remove unused nfc_printk and nfc_<level> macrosJoe Perches
All uses have been removed, so killing what's not necessary. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-30nfc: Convert nfc_dbg to pr_debugJoe Perches
Using the standard debugging mechanisms is better than subsystem specific ones when the subsystem doesn't use a specific struct. Coalesce long formats. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-30nfc: Use standard logging stylesJoe Perches
Using the normal logging styles is preferred over subsystem specific styles when the subsystem does not take a specific struct. Convert nfc_<level> specific messages to pr_<level> Add newlines to uses. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-22Merge branch 'master' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux Conflicts: drivers/net/wireless/iwlegacy/iwl-debugfs.c drivers/net/wireless/iwlegacy/iwl-rx.c drivers/net/wireless/iwlegacy/iwl-scan.c drivers/net/wireless/iwlegacy/iwl-tx.c include/net/bluetooth/bluetooth.h
2011-11-11NFC: Check if NCI data flow control is usedIlan Elias
Check if NCI data flow control is used in nci_tx_work. Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-11-11NFC: Removal of unused operations for NCI spec 1.0 d18Ilan Elias
Remove unused NCI operations, e.g. create static rf connection. Signed-off-by: Ilan Elias <ilane@ti.com> Acked-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>