path: root/net/nfc
AgeCommit message (Collapse)Author
2013-04-07NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()Mathias Krause
The code in llcp_sock_recvmsg() does not initialize all the members of struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. Also, if the socket is in state LLCP_CLOSED or is shutting down during receive the msg_namelen member is not updated to 0 while otherwise returning with 0, i.e. "success". The msg_namelen update is also missing for stream and seqpacket sockets which don't fill the sockaddr info. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix the first issue by initializing the memory used for sockaddr info with memset(0). Fix the second one by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26NFC: llcp: Keep the connected socket parent pointer aliveSamuel Ortiz
And avoid decreasing the ack log twice when dequeueing connected LLCP sockets. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-20NFC: llcp: Remove possible double call to kfree_skbThierry Escande
kfree_skb was called twice when the socket receive queue is full Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-20NFC: llcp: Detach socket from process context only when releasing the socketSamuel Ortiz
Calling sock_orphan when e.g. the NFC adapter is removed can lead to kernel crashes when e.g. a connection less client is sleeping on the Rx workqueue, waiting for data to show up. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-08NFC: llcp: Report error to pending sockets when a device is removedSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-08NFC: llcp: Clean raw sockets from nfc_llcp_socket_releaseSamuel Ortiz
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-08NFC: llcp: Clean local timers and works when removing a deviceSamuel Ortiz
Whenever an adapter is removed we must clean all the local structures, especially the timers and scheduled work. Otherwise those asynchronous threads will eventually try to access the freed nfc_dev pointer if an LLCP link is up. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-03-08NFC: llcp: Decrease socket ack log when accepting a connectionSamuel Ortiz
This is really difficult to test with real NFC devices, but without this fix an LLCP server will eventually refuse new connections. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-02-27hlist: drop the node parameter from iteratorsSasha Levin
I'm not sure why, but the hlist for each entry iterators were conceived list_for_each_entry(pos, head, member) The hlist ones were greedy and wanted an extra parameter: hlist_for_each_entry(tpos, pos, head, member) Why did they need an extra pos parameter? I'm not quite sure. Not only they don't really need it, it also prevents the iterator from looking exactly like the list iterator, which is unfortunate. Besides the semantic patch, there was some manual work required: - Fix up the actual hlist iterators in linux/list.h - Fix up the declaration of other iterators based on the hlist ones. - A very small amount of places were using the 'node' parameter, this was modified to use 'obj->member' instead. - Coccinelle didn't handle the hlist_for_each_entry_safe iterator properly, so those had to be fixed up manually. The semantic patch which is mostly the work of Peter Senna Tschudin is here: @@ iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host; type T; expression a,c,d,e; identifier b; statement S; @@ -T b; <+... when != b ( hlist_for_each_entry(a, - b, c, d) S | hlist_for_each_entry_continue(a, - b, c) S | hlist_for_each_entry_from(a, - b, c) S | hlist_for_each_entry_rcu(a, - b, c, d) S | hlist_for_each_entry_rcu_bh(a, - b, c, d) S | hlist_for_each_entry_continue_rcu_bh(a, - b, c) S | for_each_busy_worker(a, c, - b, d) S | ax25_uid_for_each(a, - b, c) S | ax25_for_each(a, - b, c) S | inet_bind_bucket_for_each(a, - b, c) S | sctp_for_each_hentry(a, - b, c) S | sk_for_each(a, - b, c) S | sk_for_each_rcu(a, - b, c) S | sk_for_each_from -(a, b) +(a) S + sk_for_each_from(a) S | sk_for_each_safe(a, - b, c, d) S | sk_for_each_bound(a, - b, c) S | hlist_for_each_entry_safe(a, - b, c, d, e) S | hlist_for_each_entry_continue_rcu(a, - b, c) S | nr_neigh_for_each(a, - b, c) S | nr_neigh_for_each_safe(a, - b, c, d) S | nr_node_for_each(a, - b, c) S | nr_node_for_each_safe(a, - b, c, d) S | - for_each_gfn_sp(a, c, d, b) S + for_each_gfn_sp(a, c, d) S | - for_each_gfn_indirect_valid_sp(a, c, d, b) S + for_each_gfn_indirect_valid_sp(a, c, d) S | for_each_host(a, - b, c) S | for_each_host_safe(a, - b, c, d) S | for_each_mesh_entry(a, - b, c, d) S ) ...+> [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c] [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c] [akpm@linux-foundation.org: checkpatch fixes] [akpm@linux-foundation.org: fix warnings] [akpm@linux-foudnation.org: redo intrusive kvm changes] Tested-by: Peter Senna Tschudin <peter.senna@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: Marcelo Tosatti <mtosatti@redhat.com> Cc: Gleb Natapov <gleb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-21Merge tag 'driver-core-3.9-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core patches from Greg Kroah-Hartman: "Here is the big driver core merge for 3.9-rc1 There are two major series here, both of which touch lots of drivers all over the kernel, and will cause you some merge conflicts: - add a new function called devm_ioremap_resource() to properly be able to check return values. - remove CONFIG_EXPERIMENTAL Other than those patches, there's not much here, some minor fixes and updates" Fix up trivial conflicts * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits) base: memory: fix soft/hard_offline_page permissions drivercore: Fix ordering between deferred_probe and exiting initcalls backlight: fix class_find_device() arguments TTY: mark tty_get_device call with the proper const values driver-core: constify data for class_find_device() firmware: Ignore abort check when no user-helper is used firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER firmware: Make user-mode helper optional firmware: Refactoring for splitting user-mode helper code Driver core: treat unregistered bus_types as having no devices watchdog: Convert to devm_ioremap_resource() thermal: Convert to devm_ioremap_resource() spi: Convert to devm_ioremap_resource() power: Convert to devm_ioremap_resource() mtd: Convert to devm_ioremap_resource() mmc: Convert to devm_ioremap_resource() mfd: Convert to devm_ioremap_resource() media: Convert to devm_ioremap_resource() iommu: Convert to devm_ioremap_resource() drm: Convert to devm_ioremap_resource() ...
2013-02-08NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()Dan Carpenter
If gb_len is less than 3 it would cause an integer underflow and possibly memory corruption in nfc_llcp_parse_gb_tlv(). I removed the old test for gb_len == 0. I also removed the test for ->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and we have already dereferenced ->remote_gb_len so it's too late to test. The old test return -ENODEV but my test returns -EINVAL. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-02-06driver-core: constify data for class_find_device()Michał Mirosław
All in-kernel users of class_find_device() don't really need mutable data for match callback. In two places (kernel/power/suspend_test.c, drivers/scsi/osd/osd_uld.c) this patch changes match callbacks to use const search data. The const is propagated to rtc_class_open() and power_supply_get_by_name() parameters. Note that there's a dev reference leak in suspend_test.c that's not touched in this patch. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Acked-by: Grant Likely <grant.likely@secretlab.ca> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-11NFC: Use skb_copy_datagram_iovecSamuel Ortiz
Safer and more robust than than memcpy_toiovec. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-11NFC: Avoid memcpy on LLCP connection less Rx pathSamuel Ortiz
We can cast msg_name to a sockaddr_nfc_llcp pointer directly. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Initial Secure Element APISamuel Ortiz
Each NFC adapter can have several links to different secure elements and that property needs to be exported by the drivers. A secure element link can be enabled and disabled, and card emulation will be handled by the currently active one. Otherwise card emulation will be host implemented. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Add HCI quirks to support driver (non)standard implementationsEric Lapuyade
Some chips diverge from the HCI spec in their implementation of standard features. This adds a new quirks parameter to nfc_hci_allocate_device() to let the driver indicate its divergence. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Fixed skb leak in tm_send() nfc and hci ops implementationsEric Lapuyade
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Changed event_received hci ops result semanticEric Lapuyade
Some chips use a standard HCI event code, destined to a proprietary gate, with a different meaning. Therefore, the HCI driver must always have a chance to intercept the event before standard processing is attempted. The new semantic specifies that the result value "1" means that the driver doesn't especially handle the event. result <= 0 means it was handled. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Added error handling in event_received hci opsEric Lapuyade
There is no use to return an error if the caller doesn't get it. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Fixed nfc core and hci unregistration and cleanupEric Lapuyade
When an adapter is removed, it will unregister itself from hci and/or nfc core. In order to do that safely, work tasks must first be canceled and prevented to be scheduled again, before the hci or nfc device can be destroyed. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: llcp: Fix Rx memory leakSamuel Ortiz
The reference count bump on the llcp Rx path is leading to a memory leak whenever we're not receiving an I frame. We fix that by removing the refcount bump (drivers must not free their received skb) and using it only in the I frame path, when the frame is actually queued. In that case, the skb will only be freed when someone fetches it from userspace. in all other cases, LLCP received frames will be freed when leaving the Rx work queue. Reported-by: Eric Lapuyade <eric.lapuyade@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: llcp: Remove the tx backlog queueSamuel Ortiz
Not only it was improperly use to queue backlogged RX skbuffs, but it was also not processed at all. If the socket receive queue is full we simply drop the incoming packets. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-01-10NFC: Add support for SO_TIMESTAMP LLCP socket optionThierry Escande
Set timestamp in sent and received sk_buffs. timestamp is then put in msghdr structure in llcp_sock_recvmsg(). Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-12-13nfc: remove noisy message from llcp_sock_sendmsgDave Jones
This is easily triggerable when fuzz-testing as an unprivileged user. We could rate-limit it, but given we don't print similar messages for other protocols, I just removed it. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-12-06Merge tag 'nfc-fixes-3.7-2' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0 This is an NFC LLCP fix for 3.7 and contains only one patch. It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer.
2012-11-28NFC: Fix incorrect llcp pointer dereferenceWaldemar Rymarkiewicz
nfc_llcp_ns(s) dereferences the s pointer which is freed a line above. In a result, it can produce a crash or you will read incorrect value. Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-21Merge branch 'master' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless Conflicts: drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c drivers/net/wireless/iwlwifi/pcie/tx.c
2012-11-20NFC: Fix nfc_llcp_local chained list insertionThierry Escande
list_add was called with swapped parameters Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Queue a copy of the transmitted LLCP skbSamuel Ortiz
Drivers are allowed to modify the sent skb and thus we need to make a copy of it before passing it to the driver. Without this fix, LLCP Tx skbs were not queued properly as the ptype check was failing due to e.g. the pn533 driver skb_pushing the Tx skb. Reported-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Stop sending LLCP frames when tx queues are getting too deepSamuel Ortiz
When the tx pending queues and/or the socket tx queue is getting too deep, we have to let userspace know. We won't be queueing any more frames until the congestion is fixed. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Copy user space buffer when sending UI framesSamuel Ortiz
Using the userspace IO vector directly is wrong, we should copy it from user space first. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Export nfc_hci_sak_to_protocol()Eric Lapuyade
Some HCI drivers will need it. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Export nfc_hci_result_to_errno as it can be needed by HCI driversEric Lapuyade
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Dot not dispatch HCI event received on unopened pipeEric Lapuyade
A chip with pre-opened gates may send events on a gate that nobody has opened in the handset host. Discard those events. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Ignore err when chip doesn't implement HW/SW info registersEric Lapuyade
NFC_HCI_ID_MGMT_VERSION_SW and NFC_HCI_ID_MGMT_VERSION_HW are optional registers for gate NFC_HCI_ID_MGMT_GATE in standard HCI. When chip doesn't implement, just leave all the information as zeros. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-19NFC: Fix hci_connect_gate() when a pre-opened pipe is passedEric Lapuyade
In some cases, pre-opened pipes don't stay open when a clear all pipes command is sent. They stay created however. Therefore, one can never assume that such a pipe is already open. As re-opening a pipe seems not to be a problem, we do that now. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-29NFC: Extend netlink interface for LTO, RW, and MIUX parameters supportThierry Escande
NFC_CMD_LLC_GET_PARAMS: request LTO, RW, and MIUX parameters for a device NFC_CMD_LLC_SET_PARAMS: set one or more of LTO, RW, and MIUX parameters for a device. LTO must be set before the link is up otherwise -EINPROGRESS is returned. RW and MIUX can be set at anytime and will be passed in subsequent CONNECT and CC messages. If one of the passed parameters is wrong none is set and -EINVAL is returned. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Purge LLCP socket Tx queues when being disconnectedSamuel Ortiz
The Tx queues are no longer valid when we receive a disconnection or when the LLCP link goes down. In the later case we also purge the entire local Tx queue. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Remove CONFIG_EXPERIMENTAL from the NCI MakefileKees Cook
This config item has not carried much meaning for a while now and is almost always enabled by default. As agreed during the Linux kernel summit, remove it. Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Remove CONFIG_EXPERIMENTAL from the LLCP MakefileKees Cook
This config item has not carried much meaning for a while now and is almost always enabled by default. As agreed during the Linux kernel summit, remove it. Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Remove CONFIG_EXPERIMENTALKees Cook
This config item has not carried much meaning for a while now and is almost always enabled by default. As agreed during the Linux kernel summit, remove it. Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Fix some code style and whitespace issuesSzymon Janc
Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Use IDR library to assing NFC devices IDsSamuel Ortiz
As a consequence the NFC device IDs won't be increasing all the time, as IDR provides the first available ID. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Return NULL when no LLCP socket for a dsap,ssap couple is foundSamuel Ortiz
The previous code was always returning the last socket from the LLCP socket list. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Implement LLCP connection less Tx pathSamuel Ortiz
It simply involves getting the client dsap and ssap and calling the UI frame building and sending routine. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: UI frame sending routine implementationSamuel Ortiz
UI frames still need to follow the MIU rule, and they need to use the client passed dsap as the listening socket dsap is stuck on SDP. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Forward LLCP datagrams to userspaceSamuel Ortiz
With connection less PDUs we have to send the SSAP and DSAP as well. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Handle LLCP UI framesSamuel Ortiz
UI (Unnumbered Information) frames are used for sending data over connection less links. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Keep connection less bound sockets alive when DEP link goes downSamuel Ortiz
When DEP goes down, bound cl sockets can be kept alive as there is no reason to kill a connection less server socket because the LLCP link went down. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-10-26NFC: Check for connection less sockets when looking for a service nameSamuel Ortiz
Connection less server sockets will be in BOUND state, not LISTEN. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>