- 05 Jun, 2014 1 commit
-
-
John W. Linville authored
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
-
- 02 Jun, 2014 2 commits
-
-
Jukka Taimisto authored
-[0x01 Introduction We have found a programming error causing a deadlock in Bluetooth subsystem of Linux kernel. The problem is caused by missing release_sock() call when L2CAP connection creation fails due full accept queue. The issue can be reproduced with 3.15-rc5 kernel and is also present in earlier kernels. -[0x02 Details The problem occurs when multiple L2CAP connections are created to a PSM which contains listening socket (like SDP) and left pending, for example, configuration (the underlying ACL link is not disconnected between connections). When L2CAP connection request is received and listening socket is found the l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called. This function locks the 'parent' socket and then checks if the accept queue is full. 1178 lock_sock(parent); 1179 1180 /* Check for backlog size */ 1181 if (sk_acceptq_is_full(parent)) { 1182 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1183 return NULL; 1184 } If case the accept queue is full NULL is returned, but the 'parent' socket is not released. Thus when next L2CAP connection request is received the code blocks on lock_sock() since the parent is still locked. Also note that for connections already established and waiting for configuration to complete a timeout will occur and l2cap_chan_timeout() (net/bluetooth/l2cap_core.c) will be called. All threads calling this function will also be blocked waiting for the channel mutex since the thread which is waiting on lock_sock() alread holds the channel mutex. We were able to reproduce this by sending continuously L2CAP connection request followed by disconnection request containing invalid CID. This left the created connections pending configuration. After the deadlock occurs it is impossible to kill bluetoothd, btmon will not get any more data etc. requiring reboot to recover. -[0x03 Fix Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL seems to fix the issue. Signed-off-by:Jukka Taimisto <jtt@codenomicon.com> Reported-by:
Tommi Mäkilä <tmakila@codenomicon.com> Signed-off-by:
Johan Hedberg <johan.hedberg@intel.com> Cc: stable@vger.kernel.org
-
Johan Hedberg authored
When checking whether a legacy link key provides at least HIGH security level we also need to check for FIPS level which is one step above HIGH. This patch fixes a missing check in the hci_link_key_request_evt() function. Signed-off-by:
Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org
-
- 01 Jun, 2014 1 commit
-
-
Johan Hedberg authored
Due to recent changes to the way that the MITM requirement is set for outgoing pairing attempts we can no longer rely on the hcon->auth_type variable (which is actually good since it was formed from BR/EDR concepts that don't really exist for SMP). To match the logic that BR/EDR now uses simply rely on the local IO capability and/or needed security level to set the MITM requirement for outgoing pairing requests. Signed-off-by:
-
- 31 May, 2014 4 commits
-
-
Jukka Rissanen authored
Default values for various channel settings were missing. This way channel users do not need to set default values themselves. Signed-off-by:
Jukka Rissanen <jukka.rissanen@linux.intel.com> Signed-off-by:
-
Jukka Rissanen authored
The universal/local bit handling was incorrectly done in the code. So when setting EUI address from BD address we do this: - If BD address type is PUBLIC, then we clear the universal bit in EUI address. If the address type is RANDOM, then the universal bit is set (BT 6lowpan draft chapter 3.2.2) - After this we invert the universal/local bit according to RFC 2464 When figuring out BD address we do the reverse: - Take EUI address from stateless IPv6 address, invert the universal/local bit according to RFC 2464 - If universal bit is 1 in this modified EUI address, then address type is set to RANDOM, otherwise it is PUBLIC Note that 6lowpan_iphc.[ch] does the final toggling of U/L bit before sending or receiving the network packet. Signed-off-by:
-
Johan Hedberg authored
When checking whether we need to request authentication or not we should include HCI_SECURITY_FIPS to the levels that always need authentication. This patch fixes check for it in the hci_outgoing_auth_needed() function. Signed-off-by:
-
Johan Hedberg authored
In case there are new LTK types in the future we shouldn't just blindly assume that != MGMT_LTK_UNAUTHENTICATED means that the key is authenticated. This patch adds explicit checks for each allowed key type in the form of a switch statement and skips any key which has an unknown value. Signed-off-by:
-
- 30 May, 2014 3 commits
-
-
Vladimir Kondratiev authored
Print message if no events received. This should not happen. If it is, it points to the problem in firmware. Track also cases when multiple events processed in one IRQ Print information as soon as possible - mbox pointers and event header right after reading it. This helps to identify potential problem with memory allocation for the event buffer. Signed-off-by:
Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com>
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-nextJohn W. Linville authored
Samuel Ortiz <sameo@linux.intel.com> says: "NFC: 3.16: Second pull request This is the 2nd NFC pull request for 3.16. We have: - Felica (Type3) tags support for trf7970a - Type 4b tags support for port100 - st21nfca DTS typo fix - A few sparse warning check fixes" Signed-off-by:
-
- 29 May, 2014 29 commits
-
-
Paul Bolle authored
A check for CONFIG_AUTOSUSPEND was included in this driver when it was added in v2.6.39. But that Kconfig symbol doesn't exist. Remove that check and the single line it hides. Signed-off-by:
Paul Bolle <pebolle@tiscali.nl> Signed-off-by:
-
Sachin Kamat authored
fw_common.h was included twice. Signed-off-by:
Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by:
-
Sachin Kamat authored
phy.h was included twice. Signed-off-by:
-
Rajkumar Manoharan authored
Currently mac80211 does not support WDS and DFS with channel context drivers. So advertise these features only when the driver is not supporting channel context and modparam "use_chanctx" is introduced for preparing channel context support in ath9k. Signed-off-by:
Rajkumar Manoharan <rmanohar@qti.qualcomm.com> Signed-off-by:
-
Bing Zhao authored
If host sleep parameter gap is set to 0xff, firmware will wait for an ack from host to confirm the success of host wakeup. This prevents firmware from uploading data packet before host actually wakes up. Signed-off-by:
Bing Zhao <bzhao@marvell.com> Signed-off-by:
-
Avinash Patil authored
Current implementation sets tdls_link flag only while restoring packets from TDLS queue. If traffic to peer starts after TDLS is setup, there is no way to set TDLS link flag to true. Do this while creating RA list and we confirm that there exist a TDLS peer for which setup is complete. Signed-off-by:
Avinash Patil <patila@marvell.com> Signed-off-by:
-
Avinash Patil authored
[113.967694] Unable to handle kernel NULL pointer dereference at virtual address 00000020 ............ [113.967859] PC is at mwifiex_update_rxreor_flags+0xfc/0x430 ............ [113.968110] mwifiex_update_rxreor_flags+0xfc/0x430 [113.968129] mwifiex_handle_event_ext_scan_report+0x1e4/0x21c [113.968148] mwifiex_process_sta_event+0x410/0x508 [113.968165] mwifiex_process_event+0x184/0x1e0 [113.968181] mwifiex_main_process+0x220/0x48c [113.968197] mwifiex_sdio_interrupt+0xc8/0x1cc [113.968210] sdio_irq_thread+0x11c/0x290 In case of legacy scan, adapter->curr_cmd is guranteed to be non-NULL in check_next_scan_cmd. This may not be case in extended scan where scan command response would come earlier and set curr_cmd to NULL. Extended scan event comes later and while trying to complete IOCTL for scan, driver would crash in dereferencing adapter->curr_cmd->wait_q_enabled. Avoid this by completing IOCTL in case of legacy scans only. Internal scan would be completed while handling extended scan command response. Signed-off-by: -
Rafał Miłecki authored
Broadcom's wl 6.30.223.141 has some optimizations for radios 0x205[67]. Signed-off-by:
Rafał Miłecki <zajec5@gmail.com> Signed-off-by:
-
Rafał Miłecki authored
Signed-off-by:
-
Rafał Miłecki authored
PHY has to be often re-initialized (e.g. during band switching after PHY reset), however some operations have to be performed only once (only power reset affects them). Signed-off-by:
-
Vladimir Kondratiev authored
In case of receiving frame with sequence number far greater than current, wil_release_reorder_frames() will iterate many times over empty buffer. Optimize this case by checking buffer emptiness and simply update head_seq_num without iterating. Suggested-by:
Vladimir Shulman <Vladimir.Shulman@Wilocity.com> Signed-off-by:
-
Vladimir Kondratiev authored
use proper format %pad for the dma_addr_t arguments; prefix %p with 0x, as %p don't print is by itself Signed-off-by:
-
Vladimir Kondratiev authored
If scan has not finished in some reasonable time (10sec), interpret it as if firmware error occurs but was not reported. Firmware should report scan completion for every scan request, so it is error condition indeed. Perform firmware recovery procedure. Signed-off-by:
-
Vladimir Kondratiev authored
Provide clear definition of the watermarks for the vring descriptor space. Signed-off-by:
-
Vladimir Kondratiev authored
In case there is something fundamentally wrong with the firmware (example: RF cable disconnected), FW will always crash immediately after reset. This leads to infinite fw error recovery loop. Count consecutive unsuccessful error recovery attempts in a short period of time, and stop doing recovery after some reasonable count. It is still possible to manually reset fw doing interface down/up sequence. Signed-off-by:
-
Vladimir Kondratiev authored
Obey 802.11 spec that defines max. data size 7920 bytes Signed-off-by:
-
Rajkumar Manoharan authored
pm_lock is taken twice while syncing HW TSF of p2p vif. Fix this by taking the lock at caller side. Cc: Felix Fietkau <nbd@openwrt.org> Signed-off-by:
-
Arend van Spriel authored
The USB driver was using a list for firmware info that was used in suspend/resume scenario. Now that brcmfmac is using the asynchronous firmware request this is no longer needed. Reviewed-by:
Hante Meuleman <meuleman@broadcom.com> Reviewed-by:
Franky (Zhenhui) Lin <frankyl@broadcom.com> Reviewed-by:
Daniel (Deognyoun) Kim <dekim@broadcom.com> Reviewed-by:
Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by:
Arend van Spriel <arend@broadcom.com> Signed-off-by:
-
Hante Meuleman authored
The USB bus driver always configured an USB intr EP urb. The driver did not use the result at all and with newer firmware it is causing continues errors on this EP. Reviewed-by:
-
Daniel Kim authored
The max buffer size for receiving control message from dongle needs to be increased considering possible block padding. Otherwise some big control message can't be received due to buffer overrun check. Reviewed-by:
-
Arend van Spriel authored
The firmware channel specification is a bitfield using a 16-bit integer, but only 14 lsb are used. Upon encoding this value assure all 16 bits are cleared. Reviewed-by:
-
Arend van Spriel authored
The function brcmf_fw_nvram_strip() is no longer called so it does not need to be exposed. Reviewed-by:
-
Arend van Spriel authored
This patch adds use of asynchronous firmware request to the driver USB layer. Reviewed-by:
-
Arend van Spriel authored
This patch adds use of asynchronous firmware request to the driver SDIO layer. Reviewed-by:
-
Arend van Spriel authored
The driver needs firmware to be loaded to the device, which is done through the firmware class API. The synchronous call request_firmware() need root filesystem to be mounted and/or user-mode helper. These may not be avaliable on the moment it is called. Instead use request_firmware_nowait(). Reviewed-by:
-
Hante Meuleman authored
Reviewed-by:
-
Arend van Spriel authored
The resume callbacks do partly the same a the probe callback so put common code in separate function for use in the callbacks. This also fixes suspend/resume regression introduced by brcmfmac: remove .init() callback for internal bus interface The .init() callback was the first function called by the common bus function brcmf_bus_start(). Given that it is not really necessary and the bus layer can call it before calling the brcmf_bus_start() function. Reviewed-by: -
Arend van Spriel authored
The function brcmf_detach() checks whether it needs to do his stuff or can return immediately. No need to have the same check in the calling code. Reviewed-by:
-
Arend van Spriel authored
The firmware processing will be modified to use asynchronous request firmware api. In preparation this patch is simple rename of source and header file to which the functionality will be added. Reviewed-by:
-
