| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If gb_len is less than 3 it would cause an integer underflow and
possibly memory corruption in nfc_llcp_parse_gb_tlv().
I removed the old test for gb_len == 0. I also removed the test for
->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and
we have already dereferenced ->remote_gb_len so it's too late to test.
The old test return -ENODEV but my test returns -EINVAL.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
| |
|
|
|
|
| |
Safer and more robust than than memcpy_toiovec.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
| |
We can cast msg_name to a sockaddr_nfc_llcp pointer directly.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
| |
Each NFC adapter can have several links to different secure elements and
that property needs to be exported by the drivers.
A secure element link can be enabled and disabled, and card emulation will
be handled by the currently active one. Otherwise card emulation will be
host implemented.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
| |
Some chips diverge from the HCI spec in their implementation of standard
features. This adds a new quirks parameter to
nfc_hci_allocate_device() to let the driver indicate its divergence.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
| |
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Some chips use a standard HCI event code, destined to a proprietary
gate, with a different meaning. Therefore, the HCI driver must always
have a chance to intercept the event before standard processing is
attempted.
The new semantic specifies that the result value "1" means that the
driver doesn't especially handle the event. result <= 0 means it was
handled.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
| |
There is no use to return an error if the caller doesn't get it.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
| |
When an adapter is removed, it will unregister itself from hci and/or
nfc core. In order to do that safely, work tasks must first be canceled
and prevented to be scheduled again, before the hci or nfc device can be
destroyed.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The reference count bump on the llcp Rx path is leading to a memory leak
whenever we're not receiving an I frame.
We fix that by removing the refcount bump (drivers must not free their
received skb) and using it only in the I frame path, when the frame is
actually queued. In that case, the skb will only be freed when someone
fetches it from userspace. in all other cases, LLCP received frames will
be freed when leaving the Rx work queue.
Reported-by: Eric Lapuyade <eric.lapuyade@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
| |
Not only it was improperly use to queue backlogged RX skbuffs, but it was
also not processed at all.
If the socket receive queue is full we simply drop the incoming packets.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
| |
Set timestamp in sent and received sk_buffs. timestamp is then put in
msghdr structure in llcp_sock_recvmsg().
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |
|
|
|
|
|
|
|
| |
This is easily triggerable when fuzz-testing as an unprivileged user.
We could rate-limit it, but given we don't print similar messages
for other protocols, I just removed it.
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0
This is an NFC LLCP fix for 3.7 and contains only one patch.
It fixes a potential crash when receiving an LLCP HDLC frame acking a frame
that is not the last sent one. In that case we may dereference an already
freed pointer.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. In a result, it can produce a crash or you will read
incorrect value.
Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| |\|
| |
| |
| |
| |
| |
| |
| | |
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
drivers/net/wireless/iwlwifi/pcie/tx.c
|
| | |
| |
| |
| |
| |
| |
| | |
list_add was called with swapped parameters
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Drivers are allowed to modify the sent skb and thus we need to make a copy
of it before passing it to the driver. Without this fix, LLCP Tx skbs were
not queued properly as the ptype check was failing due to e.g. the pn533
driver skb_pushing the Tx skb.
Reported-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
When the tx pending queues and/or the socket tx queue is getting too deep,
we have to let userspace know. We won't be queueing any more frames until
the congestion is fixed.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Using the userspace IO vector directly is wrong, we should copy it from
user space first.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Some HCI drivers will need it.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
A chip with pre-opened gates may send events on a gate that nobody
has opened in the handset host. Discard those events.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
NFC_HCI_ID_MGMT_VERSION_SW and NFC_HCI_ID_MGMT_VERSION_HW are optional
registers for gate NFC_HCI_ID_MGMT_GATE in standard HCI. When chip
doesn't implement, just leave all the information as zeros.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In some cases, pre-opened pipes don't stay open when a clear all pipes
command is sent. They stay created however. Therefore, one can never
assume that such a pipe is already open. As re-opening a pipe seems not
to be a problem, we do that now.
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
NFC_CMD_LLC_GET_PARAMS: request LTO, RW, and MIUX parameters for a device
NFC_CMD_LLC_SET_PARAMS: set one or more of LTO, RW, and MIUX parameters for
a device. LTO must be set before the link is up otherwise -EINPROGRESS is
returned. RW and MIUX can be set at anytime and will be passed in subsequent
CONNECT and CC messages. If one of the passed parameters is wrong none is
set and -EINVAL is returned.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The Tx queues are no longer valid when we receive a disconnection or when
the LLCP link goes down. In the later case we also purge the entire local
Tx queue.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
As a consequence the NFC device IDs won't be increasing all the time,
as IDR provides the first available ID.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
The previous code was always returning the last socket from the
LLCP socket list.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
It simply involves getting the client dsap and ssap and calling the UI
frame building and sending routine.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
UI frames still need to follow the MIU rule, and they need to use the
client passed dsap as the listening socket dsap is stuck on SDP.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| | |
With connection less PDUs we have to send the SSAP and DSAP as well.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
UI (Unnumbered Information) frames are used for sending data over
connection less links.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
When DEP goes down, bound cl sockets can be kept alive as there is no
reason to kill a connection less server socket because the LLCP link
went down.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| | |
Connection less server sockets will be in BOUND state, not LISTEN.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Replying to an SNL (Service Name Lookup) means that the other end of
the link can now rely on our answer (Which is an ssap) and thus we have
to reserve it.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Arron Wang <arron.wang@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Logical continuations should be on the previous line.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Return code from nfc_hci_execute_cmd was not propagated to caller.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Check for error and return if any. This makes it easier to see what is
a 'positive' function flow.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
There is no need for return statement at the end of function returning
void.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
No need for local rc variable as result of nci_request can be returned
directly.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
local_gb is of size NFC_MAX_GT_LEN and len is used as index for it.
Check len against this instead of NCI_MAX_PARAM_LEN before accessing
local_gb.
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This is useful when getting devices to know if they're in target or
initiator mode.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
rf_mode is now set to NFC_RF_NONE when a device gets allocated,
when the link goes down, and when stop polling.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
SNL (Service Name Lookup) allows for LLCP peers to map service names with
SAPs. This is mandatory for connection less support as peers need to get
the right SAPs without sending the CONNECT frame.
Here we only support the Rx part of SNL. The Tx one will be implemented
when supporting connection less LLCP sockets.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
|
