Kuba Pawlak [Mon, 26 Oct 2015 16:17:14 +0000 (16:17 +0000)]
Bluetooth: Fix crash on fast disconnect of SCO
Fix a crash that may happen when a connection is closed before it was fully
established. Mapping conn->hcon was released by shutdown function, but it
is still referenced in (not yet finished) connection established handling
function.
[ 4635.254073] BUG: unable to handle kernel NULL pointer dereference at
00000013
[ 4635.262058] IP: [<
c11659f0>] memcmp+0xe/0x25
[ 4635.266835] *pdpt =
0000000024190001 *pde =
0000000000000000
[ 4635.273261] Oops: 0000 [#1] PREEMPT SMP
[ 4635.277652] Modules linked in: evdev ecb vfat fat libcomposite usb2380 isofs zlib_inflate rfcomm(O) udc_core bnep(O) btusb(O) btbcm(O) btintel(O) bluetooth(O) cdc_acm arc4 uinput hid_mule
[ 4635.321761] Pid: 363, comm: kworker/u:2H Tainted: G O 3.8.0-119.1-plk-adaptation-byt-ivi-brd #1
[ 4635.332642] EIP: 0060:[<
c11659f0>] EFLAGS:
00010206 CPU: 0
[ 4635.338767] EIP is at memcmp+0xe/0x25
[ 4635.342852] EAX:
e4720678 EBX:
00000000 ECX:
00000006 EDX:
00000013
[ 4635.349849] ESI:
00000000 EDI:
fb85366c EBP:
e40c7dc0 ESP:
e40c7db4
[ 4635.356846] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 4635.362873] CR0:
8005003b CR2:
00000013 CR3:
24191000 CR4:
001007f0
[ 4635.369869] DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
[ 4635.376865] DR6:
ffff0ff0 DR7:
00000400
[ 4635.381143] Process kworker/u:2H (pid: 363, ti=
e40c6000 task=
e40c5510 task.ti=
e40c6000)
[ 4635.390080] Stack:
[ 4635.392319]
e4720400 00000000 fb85366c e40c7df4 fb842285 e40c7de2 fb853200 00000013
[ 4635.401003]
e3f101c4 e4720678 e3f101c0 e403be0a e40c7dfc e416a000 e403be0a fb85366c
[ 4635.409692]
e40c7e1c fb820186 020f6c00 e47c49ac e47c4008 00000000 e416a000 e47c402c
[ 4635.418380] Call Trace:
[ 4635.421153] [<
fb842285>] sco_connect_cfm+0xff/0x236 [bluetooth]
[ 4635.427893] [<
fb820186>] hci_sync_conn_complete_evt.clone.101+0x227/0x268 [bluetooth]
[ 4635.436758] [<
fb82370f>] hci_event_packet+0x1caa/0x21d3 [bluetooth]
[ 4635.443859] [<
c106231f>] ? trace_hardirqs_on+0xb/0xd
[ 4635.449502] [<
c1375b8a>] ? _raw_spin_unlock_irqrestore+0x42/0x59
[ 4635.456340] [<
fb814b67>] hci_rx_work+0xb9/0x350 [bluetooth]
[ 4635.462663] [<
c1039f1e>] ? process_one_work+0x17b/0x2e6
[ 4635.468596] [<
c1039f77>] process_one_work+0x1d4/0x2e6
[ 4635.474333] [<
c1039f1e>] ? process_one_work+0x17b/0x2e6
[ 4635.480294] [<
fb814aae>] ? hci_cmd_work+0xda/0xda [bluetooth]
[ 4635.486810] [<
c103a3fa>] worker_thread+0x171/0x20f
[ 4635.492257] [<
c10456c5>] ? complete+0x34/0x3e
[ 4635.497219] [<
c103ea06>] kthread+0x90/0x95
[ 4635.501888] [<
c103a289>] ? manage_workers+0x1df/0x1df
[ 4635.507628] [<
c1376537>] ret_from_kernel_thread+0x1b/0x28
[ 4635.513755] [<
c103e976>] ? __init_kthread_worker+0x42/0x42
[ 4635.519975] Code: 74 0d 3c 79 74 04 3c 59 75 0c c6 02 01 eb 03 c6 02 00 31 c0 eb 05 b8 ea ff ff ff 5d c3 55 89 e5 57 56 53 31 db eb 0e 0f b6 34 18 <0f> b6 3c 1a 43 29 fe 75 07 49 85 c9 7f
[ 4635.541264] EIP: [<
c11659f0>] memcmp+0xe/0x25 SS:ESP 0068:
e40c7db4
[ 4635.548166] CR2:
0000000000000013
[ 4635.552177] ---[ end trace
e05ce9b8ce6182f6 ]---
Signed-off-by: Kuba Pawlak <kubax.t.pawlak@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Mon, 26 Oct 2015 01:08:38 +0000 (02:08 +0100)]
Bluetooth: Fix some obvious coding style issues in the SCO module
Lets fix this obvious coding style issues in the SCO module and bring it
in line with the rest of the Bluetooth subsystem.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sun, 25 Oct 2015 22:29:22 +0000 (23:29 +0100)]
Bluetooth: Replace hci_notify with hci_sock_dev_event
There is no point in wrapping hci_sock_dev_event around hci_notify. It
is an empty wrapper which adds no value. So remove it.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sun, 25 Oct 2015 21:45:53 +0000 (22:45 +0100)]
Bluetooth: Rename bt_cb()->req into bt_cb()->hci
The SKB context buffer for HCI request is really not just for requests,
information in their are preserved for the whole HCI layer. So it makes
more sense to actually rename it into bt_cb()->hci and also call it then
struct hci_ctrl.
In addition that allows moving the decoded opcode for outgoing packets
into that struct. So far it was just consuming valuable space from the
main shared items. And opcode are not valid for L2CAP packets.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sun, 25 Oct 2015 21:45:18 +0000 (22:45 +0100)]
Bluetooth: Remove unneeded parenthesis around MSG_OOB
There are two checks that are still using (MSG_OOB) instead of just
MSG_OOB and so lets just fix them.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Kuba Pawlak [Mon, 5 Oct 2015 16:44:17 +0000 (18:44 +0200)]
Bluetooth: Fix locking issue during fast SCO reconnection.
When SCO connection is requested and disconnected fast, there is a change
that sco_sock_shutdown is going to preempt thread started in sco_connect_cfm.
When this happens struct sock sk may be removed but a pointer to it is still
held in sco_conn_ready, where embedded spinlock is used. If it is used, but
struct sock has been removed, it will crash.
Block connection object, which will prevent struct sock from being removed
and give connection process chance to finish.
BUG: spinlock bad magic on CPU#0, kworker/u:2H/319
lock: 0xe3e99434, .magic:
f3000000, .owner: (���/0, .owner_cpu: -
203804160
Pid: 319, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
Call Trace:
[<
c1155659>] ? do_raw_spin_lock+0x19/0xe9
[<
fb75354f>] ? sco_connect_cfm+0x92/0x236 [bluetooth]
[<
fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
[<
fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
[<
c1041095>] ? finish_task_switch+0x50/0x89
[<
c1349a2e>] ? __schedule+0x638/0x6b8
[<
fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
[<
c103760a>] ? queue_delayed_work_on+0x21/0x2a
[<
c1035df9>] ? process_one_work+0x157/0x21b
[<
fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
[<
c1036217>] ? worker_thread+0x16e/0x20a
[<
c10360a9>] ? manage_workers+0x1cf/0x1cf
[<
c103a0ef>] ? kthread+0x8d/0x92
[<
c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
[<
c103a062>] ? __init_kthread_worker+0x24/0x24
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
*pdpt =
00000000244e1001 *pde =
0000000000000000
Oops: 0010 [#1] PREEMPT SMP
Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid hid iwlmvm(O)e
Pid: 319, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
EIP: 0060:[<
00000000>] EFLAGS:
00010246 CPU: 0
EIP is at 0x0
EAX:
e3e99400 EBX:
e3e99400 ECX:
00000100 EDX:
00000000
ESI:
e3e99434 EDI:
fb763ce0 EBP:
e49b9e44 ESP:
e49b9e14
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0:
8005003b CR2:
00000000 CR3:
24444000 CR4:
001007f0
DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
DR6:
ffff0ff0 DR7:
00000400
Process kworker/u:2H (pid: 319, ti=
e49b8000 task=
e4ab9030 task.ti=
e49b8000)
Stack:
fb75355b 00000246 fb763900 22222222 22222222 22222222 e3f94460 e3ca7c0a
e49b9e4c e3f34c00 e3ca7c0a fb763ce0 e49b9e6c fb731dbc 02000246 e4cec85c
e4cec008 00000000 e3f34c00 e4cec000 e3c2ce00 0000002c e49b9ed0 fb734ee7
Call Trace:
[<
fb75355b>] ? sco_connect_cfm+0x9e/0x236 [bluetooth]
[<
fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
[<
fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
[<
c1041095>] ? finish_task_switch+0x50/0x89
[<
c1349a2e>] ? __schedule+0x638/0x6b8
[<
fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
[<
c103760a>] ? queue_delayed_work_on+0x21/0x2a
[<
c1035df9>] ? process_one_work+0x157/0x21b
[<
fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
[<
c1036217>] ? worker_thread+0x16e/0x20a
[<
c10360a9>] ? manage_workers+0x1cf/0x1cf
[<
c103a0ef>] ? kthread+0x8d/0x92
[<
c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
[<
c103a062>] ? __init_kthread_worker+0x24/0x24
Code: Bad EIP value.
EIP: [<
00000000>] 0x0 SS:ESP 0068:
e49b9e14
CR2:
0000000000000000
---[ end trace
942a6577c0abd725 ]---
Signed-off-by: Kuba Pawlak <kubax.t.pawlak@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Kuba Pawlak [Mon, 5 Oct 2015 16:44:16 +0000 (18:44 +0200)]
Bluetooth: Fix locking issue on SCO disconnection
Thread handling SCO disconnection may get preempted in '__sco_sock_close'
after dropping a reference to hci_conn but before marking this as NULL
in associated struct sco_conn. When execution returs to this thread,
this connection will possibly be released, resulting in kernel crash
Lock connection before this point.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth]
*pdpt =
0000000023da6001 *pde =
0000000000000000
Oops: 0002 [#1] PREEMPT SMP
Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid iwlmvm(O) hide
Pid: 984, comm: bluetooth Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
EIP: 0060:[<
fb770ab9>] EFLAGS:
00010282 CPU: 2
EIP is at __sco_sock_close+0x194/0x1ff [bluetooth]
EAX:
00000000 EBX:
e49d7600 ECX:
ef1ec3c2 EDX:
000000c3
ESI:
e4c12000 EDI:
00000000 EBP:
ef1edf5c ESP:
ef1edf4c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
CR0:
80050033 CR2:
00000000 CR3:
23da7000 CR4:
001007f0
DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
DR6:
ffff0ff0 DR7:
00000400
Process bluetooth (pid: 984, ti=
ef1ec000 task=
e47f2550 task.ti=
ef1ec000)
Stack:
e4c120d0 e49d7600 00000000 08421a40 ef1edf70 fb770b7a 00000002 e8a4cc80
08421a40 ef1ec000 c12966b1 00000001 00000000 0000000b 084954c8 c1296b6c
0000001b 00000002 0000001b 00000002 00000000 00000002 b2524880 00000046
Call Trace:
[<
fb770b7a>] ? sco_sock_shutdown+0x56/0x95 [bluetooth]
[<
c12966b1>] ? sys_shutdown+0x37/0x53
[<
c1296b6c>] ? sys_socketcall+0x12e/0x1be
[<
c134ae7e>] ? sysenter_do_call+0x12/0x26
[<
c1340000>] ? ip_vs_control_net_cleanup+0x46/0xb1
Code: e8 90 6b 8c c5 f6 05 72 5d 78 fb 04 74 17 8b 46 08 50 56 68 0a fd 77 fb 68 60 5d 78 fb e8 68 95 9e c5 83 c4 10 8b 83 fc 01 00 00 <c7> 00 00 00 00 00 eb 32 ba 68 00 00 0b
EIP: [<
fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth] SS:ESP 0068:
ef1edf4c
CR2:
0000000000000000
---[ end trace
47fa2f55a9544e69 ]---
Signed-off-by: Kuba Pawlak <kubax.t.pawlak@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Kuba Pawlak [Mon, 5 Oct 2015 16:44:15 +0000 (18:44 +0200)]
Bluetooth: Fix crash on SCO disconnect
When disconnecting audio from the phone's side, it may happen, that
a thread handling HCI message 'disconnection complete' will get preempted
in 'sco_conn_del' before calling 'sco_sock_kill', still holding a pointer
to struct sock sk. Interrupting thread started in 'sco_sock_shutdown' will
carry on releasing resources and will eventually release struct sock.
When execution goes back to first thread it will call sco_sock_kill using
now invalid pointer to already destroyed socket.
Fix is to grab a reference to the socket a release it after calling
'sco_sock_kill'.
[ 166.358213] BUG: unable to handle kernel paging request at
7541203a
[ 166.365228] IP: [<
fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth]
[ 166.372068] *pdpt =
0000000024b19001 *pde =
0000000000000000
[ 166.378483] Oops: 0002 [#1] PREEMPT SMP
[ 166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide
[ 166.424233] Pid: 338, comm: kworker/u:2H Tainted: G O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
[ 166.435112] EIP: 0060:[<
fb6e8bfb>] EFLAGS:
00010206 CPU: 0
[ 166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth]
[ 166.447382] EAX:
632e6563 EBX:
e4bfc600 ECX:
e466d4d3 EDX:
7541203a
[ 166.454369] ESI:
fb7278ac EDI:
e4d52000 EBP:
e4669e20 ESP:
e4669e0c
[ 166.461366] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 166.467391] CR0:
8005003b CR2:
7541203a CR3:
24aba000 CR4:
001007f0
[ 166.474387] DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
[ 166.481375] DR6:
ffff0ff0 DR7:
00000400
[ 166.485654] Process kworker/u:2H (pid: 338, ti=
e4668000 task=
e466e030 task.ti=
e4668000)
[ 166.494591] Stack:
[ 166.496830]
e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634
[ 166.505518]
00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216
[ 166.514205]
e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005
[ 166.522891] Call Trace:
[ 166.525654] [<
fb715c28>] ? sco_sock_kill+0x73/0x9a [bluetooth]
[ 166.532295] [<
fb715cf3>] ? sco_conn_del+0xa4/0xbf [bluetooth]
[ 166.538836] [<
fb6f2019>] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth]
[ 166.547609] [<
fb6f73d3>] ? hci_event_packet+0x297/0x223c [bluetooth]
[ 166.554805] [<
c10416da>] ? dequeue_task+0xaf/0xb7
[ 166.560154] [<
c1041095>] ? finish_task_switch+0x50/0x89
[ 166.566086] [<
c1349a2e>] ? __schedule+0x638/0x6b8
[ 166.571460] [<
fb6eb906>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
[ 166.577975] [<
c1035df9>] ? process_one_work+0x157/0x21b
[ 166.583933] [<
fb6eb84d>] ? hci_cmd_work+0xef/0xef [bluetooth]
[ 166.590448] [<
c1036217>] ? worker_thread+0x16e/0x20a
[ 166.596088] [<
c10360a9>] ? manage_workers+0x1cf/0x1cf
[ 166.601826] [<
c103a0ef>] ? kthread+0x8d/0x92
[ 166.606691] [<
c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
[ 166.613010] [<
c103a062>] ? __init_kthread_worker+0x24/0x24
[ 166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00
[ 166.640501] EIP: [<
fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:
e4669e0c
[ 166.649474] CR2:
000000007541203a
[ 166.653420] ---[ end trace
0181ff2c9e42d51e ]---
[ 166.658609] note: kworker/u:2H[338] exited with preempt_count 1
Signed-off-by: Kuba Pawlak <kubax.t.pawlak@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Julia Lawall [Sat, 24 Oct 2015 14:42:32 +0000 (16:42 +0200)]
Bluetooth: btmrvl: add missing of_node_put
for_each_compatible_node performs an of_node_get on each iteration, so
a break out of the loop requires an of_node_put.
A simplified version of the semantic patch that fixes this problem is as
follows (http://coccinelle.lip6.fr):
// <smpl>
@@
expression e;
local idexpression n;
@@
for_each_compatible_node(n, ...) {
... when != of_node_put(n)
when != e = n
(
return n;
|
+ of_node_put(n);
? return ...;
)
...
}
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Thu, 22 Oct 2015 10:29:27 +0000 (12:29 +0200)]
Bluetooth: Increase minor version of core module
With the addition of support for diagnostic feature, it makes sense to
increase the minor version of the Bluetooth core module.
The module version is not used anywhere, but it gives a nice extra
hint for debugging purposes.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Alexander Aring [Thu, 22 Oct 2015 10:11:27 +0000 (12:11 +0200)]
ieee802154: 6lowpan: fix memory leak
Looking at current situation of memory management in 6lowpan receive
function I detected some invalid handling. After calling
lowpan_invoke_rx_handlers we will do a kfree_skb and then NET_RX_DROP on
error handling. We don't do this before, also on
skb_share_check/skb_unshare which might manipulate the reference
counters.
After running some 'grep -r "dev_add_pack" net/' to look how others
packet-layer receive callbacks works I detected that every subsystem do
a kfree_skb, then NET_RX_DROP without calling skb functions which
might manipulate the skb reference counters. This is the reason why we
should do the same here like all others subsystems. I didn't find any
documentation how the packet-layer receive callbacks handle NET_RX_DROP
return values either.
This patch will add a kfree_skb, then NET_RX_DROP handling for the
"trivial checks", in case of skb_share_check/skb_unshare the kfree_skb
call will be done inside these functions.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Thu, 22 Oct 2015 07:49:39 +0000 (10:49 +0300)]
Bluetooth: Make hci_disconnect() behave correctly for all states
There are a few places that don't explicitly check the connection
state before calling hci_disconnect(). To make this API do the right
thing take advantage of the new hci_abort_conn() API and also make
sure to only read the clock offset if we're really connected.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Thu, 22 Oct 2015 07:49:38 +0000 (10:49 +0300)]
Bluetooth: Take advantage of connection abort helpers
Convert the various places mapping connection state to
disconnect/cancel HCI command to use the new hci_abort_conn helper
API.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Thu, 22 Oct 2015 07:49:37 +0000 (10:49 +0300)]
Bluetooth: Introduce hci_req helper to abort a connection
There are several different places needing to make sure that a
connection gets disconnected or canceled. The exact action needed
depends on the connection state, so centralizing this logic can save
quite a lot of code duplication.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Dan Carpenter [Thu, 22 Oct 2015 09:06:09 +0000 (12:06 +0300)]
Bluetooth: hci_bcm: checking for ERR_PTR instead of NULL
bt_skb_alloc() returns NULL on error, it never returns an ERR_PTR.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Thu, 22 Oct 2015 06:38:35 +0000 (09:38 +0300)]
Bluetooth: Fix crash in SMP when unpairing
When unpairing the keys stored in hci_dev are removed. If SMP is
ongoing the SMP context will also have references to these keys, so
removing them from the hci_dev lists will make the pointers invalid.
This can result in the following type of crashes:
BUG: unable to handle kernel paging request at
6b6b6b6b
IP: [<
c11f26be>] __list_del_entry+0x44/0x71
*pde =
00000000
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: hci_uart btqca btusb btintel btbcm btrtl hci_vhci rfcomm bluetooth_6lowpan bluetooth
CPU: 0 PID: 723 Comm: kworker/u5:0 Not tainted 4.3.0-rc3+ #1379
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
Workqueue: hci0 hci_rx_work [bluetooth]
task:
f19da940 ti:
f1a94000 task.ti:
f1a94000
EIP: 0060:[<
c11f26be>] EFLAGS:
00010202 CPU: 0
EIP is at __list_del_entry+0x44/0x71
EAX:
c0088d20 EBX:
f30fcac0 ECX:
6b6b6b6b EDX:
6b6b6b6b
ESI:
f4b60000 EDI:
c0088d20 EBP:
f1a95d90 ESP:
f1a95d8c
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0:
8005003b CR2:
6b6b6b6b CR3:
319e5000 CR4:
00000690
Stack:
f30fcac0 f1a95db0 f82dc3e1 f1bfc000 00000000 c106524f f1bfc000 f30fd020
f1a95dc0 f1a95dd0 f82dcbdb f1a95de0 f82dcbdb 00000067 f1bfc000 f30fd020
f1a95de0 f1a95df0 f82d1126 00000067 f82d1126 00000006 f30fd020 f1bfc000
Call Trace:
[<
f82dc3e1>] smp_chan_destroy+0x192/0x240 [bluetooth]
[<
c106524f>] ? trace_hardirqs_on_caller+0x14e/0x169
[<
f82dcbdb>] smp_teardown_cb+0x47/0x64 [bluetooth]
[<
f82dcbdb>] ? smp_teardown_cb+0x47/0x64 [bluetooth]
[<
f82d1126>] l2cap_chan_del+0x5d/0x14d [bluetooth]
[<
f82d1126>] ? l2cap_chan_del+0x5d/0x14d [bluetooth]
[<
f82d40ef>] l2cap_conn_del+0x109/0x17b [bluetooth]
[<
f82d40ef>] ? l2cap_conn_del+0x109/0x17b [bluetooth]
[<
f82c0205>] ? hci_event_packet+0x5b1/0x2092 [bluetooth]
[<
f82d41aa>] l2cap_disconn_cfm+0x49/0x50 [bluetooth]
[<
f82d41aa>] ? l2cap_disconn_cfm+0x49/0x50 [bluetooth]
[<
f82c0228>] hci_event_packet+0x5d4/0x2092 [bluetooth]
[<
c1332c16>] ? skb_release_data+0x6a/0x95
[<
f82ce5d4>] ? hci_send_to_monitor+0xe7/0xf4 [bluetooth]
[<
c1409708>] ? _raw_spin_unlock_irqrestore+0x44/0x57
[<
f82b3bb0>] hci_rx_work+0xf1/0x28b [bluetooth]
[<
f82b3bb0>] ? hci_rx_work+0xf1/0x28b [bluetooth]
[<
c10635a0>] ? __lock_is_held+0x2e/0x44
[<
c104772e>] process_one_work+0x232/0x432
[<
c1071ddc>] ? rcu_read_lock_sched_held+0x50/0x5a
[<
c104772e>] ? process_one_work+0x232/0x432
[<
c1047d48>] worker_thread+0x1b8/0x255
[<
c1047b90>] ? rescuer_thread+0x23c/0x23c
[<
c104bb71>] kthread+0x91/0x96
[<
c14096a7>] ? _raw_spin_unlock_irq+0x27/0x44
[<
c1409d61>] ret_from_kernel_thread+0x21/0x30
[<
c104bae0>] ? kthread_parkme+0x1e/0x1e
To solve the issue, introduce a new smp_cancel_pairing() API that can
be used to clean up the SMP state before touching the hci_dev lists.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Thu, 22 Oct 2015 06:38:31 +0000 (09:38 +0300)]
Bluetooth: Disable auto-connection parameters when unpairing
For connection parameters that are left around until a disconnection
we should at least clear any auto-connection properties. This way a
new Add Device call is required to re-set them after calling Unpair
Device.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:10 +0000 (18:03 +0300)]
Bluetooth: Remove unnecessary hci_explicit_connect_lookup function
There's only one user of this helper which can be replaces with a call
to hci_pend_le_action_lookup() and a check for params->explicit_connect.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:07 +0000 (18:03 +0300)]
Bluetooth: Remove redundant (and possibly wrong) flag clearing
There's no need to clear the HCI_CONN_ENCRYPT_PEND flag in
smp_failure. In fact, this may cause the encryption tracking to get
out of sync as this has nothing to do with HCI activity.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:09 +0000 (18:03 +0300)]
Bluetooth: Add hdev helper variable to hci_le_create_connection_cancel
The hci_le_create_connection_cancel() function needs to use the hdev
pointer in many places so add a variable for it to avoid the need to
dereference the hci_conn every time.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:03 +0000 (18:03 +0300)]
Bluetooth: Remove unnecessary indentation in unpair_device()
Instead of doing all of the LE-specific handling in an else-branch in
unpair_device() create a 'done' label for the BR/EDR branch to jump to
and then remove the else-branch completely.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:02 +0000 (18:03 +0300)]
Bluetooth: 6lowpan: Use hci_conn_hash_lookup_le() when possible
Use the new hci_conn_hash_lookup_le() API to look up LE connections.
This way we're guaranteed exact matches that also take into account
the address type.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:01 +0000 (18:03 +0300)]
Bluetooth: Use hci_conn_hash_lookup_le() when possible
Use the new hci_conn_hash_lookup_le() API to look up LE connections.
This way we're guaranteed exact matches that also take into account
the address type.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:03:00 +0000 (18:03 +0300)]
Bluetooth: Add hci_conn_hash_lookup_le() helper function
Many of the existing LE connection lookups are forced to use
hci_conn_hash_lookup_ba() which doesn't take into account the address
type. What's worse, most of the users don't bother checking that the
returned address type matches what was wanted.
This patch adds a new helper API to look up LE connections based on
their address and address type, paving the way to have the
hci_conn_hash_lookup_ba() users converted to do more precise lookups.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 15:02:59 +0000 (18:02 +0300)]
Bluetooth: Add le_addr_type() helper function
The mgmt code needs to convert from mgmt/L2CAP address types to HCI in
many places. Having a dedicated helper function for this simplifies
code by shortening it and removing unnecessary 'addr_type' variables.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 21 Oct 2015 12:21:31 +0000 (15:21 +0300)]
Bluetooth: Fix missing hdev locking for LE scan cleanup
The hci_conn objects don't have a dedicated lock themselves but rely
on the caller to hold the hci_dev lock for most types of access. The
hci_conn_timeout() function has so far sent certain HCI commands based
on the hci_conn state which has been possible without holding the
hci_dev lock.
The recent changes to do LE scanning before connect attempts added
even more operations to hci_conn and hci_dev from hci_conn_timeout,
thereby exposing potential race conditions with the hci_dev and
hci_conn states.
As an example of such a race, here there's a timeout but an
l2cap_sock_connect() call manages to race with the cleanup routine:
[Oct21 08:14] l2cap_chan_timeout: chan
ee4b12c0 state BT_CONNECT
[ +0.000004] l2cap_chan_close: chan
ee4b12c0 state BT_CONNECT
[ +0.000002] l2cap_chan_del: chan
ee4b12c0, conn
f3141580, err 111, state BT_CONNECT
[ +0.000002] l2cap_sock_teardown_cb: chan
ee4b12c0 state BT_CONNECT
[ +0.000005] l2cap_chan_put: chan
ee4b12c0 orig refcnt 4
[ +0.000010] hci_conn_drop: hcon
f53d56e0 orig refcnt 1
[ +0.000013] l2cap_chan_put: chan
ee4b12c0 orig refcnt 3
[ +0.000063] hci_conn_timeout: hcon
f53d56e0 state BT_CONNECT
[ +0.000049] hci_conn_params_del: addr ee:0d:30:09:53:1f (type 1)
[ +0.000002] hci_chan_list_flush: hcon
f53d56e0
[ +0.000001] hci_chan_del: hci0 hcon
f53d56e0 chan
f4e7ccc0
[ +0.004528] l2cap_sock_create: sock
e708fc00
[ +0.000023] l2cap_chan_create: chan
ee4b1770
[ +0.000001] l2cap_chan_hold: chan
ee4b1770 orig refcnt 1
[ +0.000002] l2cap_sock_init: sk
ee4b3390
[ +0.000029] l2cap_sock_bind: sk
ee4b3390
[ +0.000010] l2cap_sock_setsockopt: sk
ee4b3390
[ +0.000037] l2cap_sock_connect: sk
ee4b3390
[ +0.000002] l2cap_chan_connect: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f (type 2) psm 0x00
[ +0.000002] hci_get_route: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f
[ +0.000001] hci_dev_hold: hci0 orig refcnt 8
[ +0.000003] hci_conn_hold: hcon
f53d56e0 orig refcnt 0
Above the l2cap_chan_connect() shouldn't have been able to reach the
hci_conn
f53d56e0 anymore but since hci_conn_timeout didn't do proper
locking that's not the case. The end result is a reference to hci_conn
that's not in the conn_hash list, resulting in list corruption when
trying to remove it later:
[Oct21 08:15] l2cap_chan_timeout: chan
ee4b1770 state BT_CONNECT
[ +0.000004] l2cap_chan_close: chan
ee4b1770 state BT_CONNECT
[ +0.000003] l2cap_chan_del: chan
ee4b1770, conn
f3141580, err 111, state BT_CONNECT
[ +0.000001] l2cap_sock_teardown_cb: chan
ee4b1770 state BT_CONNECT
[ +0.000005] l2cap_chan_put: chan
ee4b1770 orig refcnt 4
[ +0.000002] hci_conn_drop: hcon
f53d56e0 orig refcnt 1
[ +0.000015] l2cap_chan_put: chan
ee4b1770 orig refcnt 3
[ +0.000038] hci_conn_timeout: hcon
f53d56e0 state BT_CONNECT
[ +0.000003] hci_chan_list_flush: hcon
f53d56e0
[ +0.000002] hci_conn_hash_del: hci0 hcon
f53d56e0
[ +0.000001] ------------[ cut here ]------------
[ +0.000461] WARNING: CPU: 0 PID: 1782 at lib/list_debug.c:56 __list_del_entry+0x3f/0x71()
[ +0.000839] list_del corruption,
f53d56e0->prev is LIST_POISON2 (
00000200)
The necessary fix is unfortunately more complicated than just adding
hci_dev_lock/unlock calls to the hci_conn_timeout() call path.
Particularly, the hci_conn_del() API, which expects the hci_dev lock to
be held, performs a cancel_delayed_work_sync(&hcon->disc_work) which
would lead to a deadlock if the hci_conn_timeout() call path tries to
acquire the same lock.
This patch solves the problem by deferring the cleanup work to a
separate work callback. To protect against the hci_dev or hci_conn
going away meanwhile temporary references are taken with the help of
hci_dev_hold() and hci_conn_get().
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org # 4.3
Marcel Holtmann [Wed, 21 Oct 2015 00:45:19 +0000 (02:45 +0200)]
Bluetooth: btintel: Enable extra Intel vendor events
The Intel Bluetooth controllers can emit extra vendor specific events in
error conditions or for debugging purposes. To make the life easier for
engineers, enable them by default. When the vendor_diag options has been
enabled, then additional debug events are also enabled.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 20 Oct 2015 23:31:45 +0000 (01:31 +0200)]
Bluetooth: btusb: Set manufacturer for Intel bootloader devices
For Intel bootloader devices, set the manufacturer information so that
it becomes possible to decode the boot process.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 20 Oct 2015 21:25:42 +0000 (23:25 +0200)]
Bluetooth: Introduce driver specific post init callback
Some drivers might have to restore certain settings after the init
procedure has been completed. This driver callback allows them to hook
into that stage. This callback is run just before the controller is
declared as powered up.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 20 Oct 2015 19:30:45 +0000 (21:30 +0200)]
Bluetooth: hci_uart: Provide initial manufacturer information
Provide an early indication about the manufacturer information so that
it can be forwarded into monitor channel.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Dean Jenkins [Wed, 14 Oct 2015 10:18:47 +0000 (12:18 +0200)]
Bluetooth: l2cap_disconnection_req priority over shutdown
There is a L2CAP protocol race between the local peer and
the remote peer demanding disconnection of the L2CAP link.
When L2CAP ERTM is used, l2cap_sock_shutdown() can be called
from userland to disconnect L2CAP. However, there can be a
delay introduced by waiting for ACKs. During this waiting
period, the remote peer may have sent a Disconnection Request.
Therefore, recheck the shutdown status of the socket
after waiting for ACKs because there is no need to do
further processing if the connection has gone.
Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Harish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Dean Jenkins [Wed, 14 Oct 2015 10:18:46 +0000 (12:18 +0200)]
Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown()
This commit reorganizes the mutex lock and is now
only protecting l2cap_chan_close(). This is now consistent
with other places where l2cap_chan_close() is called.
If a conn connection exists, call
mutex_lock(&conn->chan_lock) before calling l2cap_chan_close()
to ensure other L2CAP protocol operations do not interfere.
Note that the conn structure has to be protected from being
freed as it is possible for the connection to be disconnected
whilst the locks are not held. This solution allows the mutex
lock to be used even when the connection has just been
disconnected.
This commit also reduces the scope of chan locking.
The only place where chan locking is needed is the call to
l2cap_chan_close(chan, 0) which if necessary closes the channel.
Therefore, move the l2cap_chan_lock(chan) and
l2cap_chan_lock(chan) locking calls to around
l2cap_chan_close(chan, 0).
This allows __l2cap_wait_ack(sk, chan) to be called with no
chan locks being held so L2CAP messaging over the ACL link
can be done unimpaired.
Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Harish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Dean Jenkins [Wed, 14 Oct 2015 10:18:45 +0000 (12:18 +0200)]
Bluetooth: Unwind l2cap_sock_shutdown()
l2cap_sock_shutdown() is designed to only action shutdown
of the channel when shutdown is not already in progress.
Therefore, reorganise the code flow by adding a goto
to jump to the end of function handling when shutdown is
already being actioned. This removes one level of code
indentation and make the code more readable.
Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Harish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:26 +0000 (08:31 +0200)]
6lowpan: put mcast compression in an own function
This patch moves the mcast compression algorithmn to an own function
like all other compression/decompression methods in iphc.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:25 +0000 (08:31 +0200)]
6lowpan: rework tc and flow label handling
This patch reworks the handling of compression/decompression of traffic
class and flow label handling. The current method is hard to understand,
also doesn't checks if we can read the buffer from skb length.
I tried to put the shifting operations into static inline functions and
comment each steps which I did there to make it hopefully somewhat more
readable. The big mess to deal with that is the that the ipv6 header
bring the order "DSCP + ECN" but iphc uses "ECN + DSCP". Additional the
DCSP + ECN bits are splitted in ipv6_hdr inside the priority and
flow_lbl[0] fields.
I tested these compressions by using fakelb 802.15.4 driver and
manipulate the tc and flow label fields manually in function
"__ip6_local_out" before the skb will be send to lower layers. Then I
looked up the tc and flow label fields in wireshark on a wpan and lowpan
interface.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:24 +0000 (08:31 +0200)]
6lowpan: iphc: change define values
This patch has the main goal to delete shift operations. Instead we
doing masks and equals afterwards. E.g. for the SAM evaluation we
masking only the SAM value which fits in iphc1 byte, then comparing with
all possible SAM values over a switch case statement. We will not
shifting the SAM value to somewhat readable anymore.
Additional this patch slighty change the naming style like RFC 6282,
e.g. TTL to HLIM and we will drop an errno now if CID flag is set,
because we don't support it.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:23 +0000 (08:31 +0200)]
6lowpan: remove lowpan_is_addr_broadcast
This macro is used at 802.15.4 6LoWPAN only and can be replaced by
memcmp with the interface broadcast address.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:22 +0000 (08:31 +0200)]
6lowpan: move IPHC functionality defines
This patch removes the IPHC related defines for doing bit manipulation
from global 6lowpan header to the iphc file which should the only one
implementation which use these defines.
Also move next header compression defines to their nhc implementation.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 20 Oct 2015 06:31:21 +0000 (08:31 +0200)]
6lowpan: nhc: move iphc manipulation out of nhc
This patch moves the iphc setting of next header commpression bit inside
iphc functionality. Setting of IPHC bits should be happen at iphc.c file
only.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:59 +0000 (13:42 +0200)]
6lowpan: remove lowpan_fetch_skb_u8
This patch removes the lowpan_fetch_skb_u8 function for getting the iphc
bytes. Instead we using the generic which has a len parameter to tell
the amount of bytes to fetch.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:58 +0000 (13:42 +0200)]
6lowpan: cleanup lowpan_header_decompress
This patch changes the lowpan_header_decompress function by removing
inklayer related information from parameters. This is currently for
supporting short and extended address for iphc handling in 802154.
We don't support short address handling anyway right now, but there
exists already code for handling short addresses in
lowpan_header_decompress.
The address parameters are also changed to a void pointer, so 6LoWPAN
linklayer specific code can put complex structures as these parameters
and cast it again inside the generic code by evaluating linklayer type
before. The order is also changed by destination address at first and
then source address, which is the same like all others functions where
destination is always the first, memcpy, dev_hard_header,
lowpan_header_compress, etc.
This patch also moves the fetching of iphc values from 6LoWPAN linklayer
specific code into the generic branch.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:57 +0000 (13:42 +0200)]
6lowpan: cleanup lowpan_header_compress
This patch changes the lowpan_header_compress function by removing
unused parameters like "len" and drop static value parameters of
protocol type. Instead we really check the protocol type inside inside
the skb structure. Also we drop the use of IEEE802154_ADDR_LEN which is
link-layer specific. Instead we using EUI64_ADDR_LEN which should always
the default case for now.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:56 +0000 (13:42 +0200)]
6lowpan: introduce LOWPAN_IPHC_MAX_HC_BUF_LEN
This patch introduces the LOWPAN_IPHC_MAX_HC_BUF_LEN define which
represent the worst-case supported IPHC buffer length. It's used to
allocate the stack buffer space for creating the IPHC header.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:55 +0000 (13:42 +0200)]
bluetooth: 6lowpan: use lowpan dispatch helpers
This patch adds a check if the dataroom of skb contains a dispatch value
by checking if skb->len != 0. This patch also change the dispatch
evaluation by the recently introduced helpers for checking the common
6LoWPAN dispatch values for IPv6 and IPHC header.
There was also a forgotten else branch which should drop the packet if
no matching dispatch is available.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Alexander Aring [Tue, 13 Oct 2015 11:42:54 +0000 (13:42 +0200)]
mac802154: llsec: use kzfree
This patch will use kzfree instead kfree for security related
information which can be offered by acccident.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 19 Oct 2015 07:51:47 +0000 (10:51 +0300)]
Bluetooth: Fix removing connection parameters when unpairing
The commit
89cbb0638e9b7 introduced support for deferred connection
parameter removal when unpairing by removing them only once an
existing connection gets disconnected. However, it failed to address
the scenario when we're *not* connected and do an unpair operation.
What makes things worse is that most user space BlueZ versions will
first issue a disconnect request and only then unpair, meaning the
buggy code will be triggered every time. This effectively causes the
kernel to resume scanning and reconnect to a device for which we've
removed all keys and GATT database information.
This patch fixes the issue by adding the missing call to the
hci_conn_params_del() function to a branch which handles the case of
no existing connection.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org # 3.19+
Marcel Holtmann [Mon, 19 Oct 2015 22:53:33 +0000 (00:53 +0200)]
Bluetooth: btusb: Add support for latest Apple controllers
The latest Apple Bluetooth controllers with Broadcom chip in it have
a small design change. Instead of including a USB hub with mouse and
keyboard devices, they are now HID interfaces on the same device.
T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 39 Spd=12 MxCh= 0
D: Ver= 2.01 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=05ac ProdID=8290 Rev= 0.79
S: Manufacturer=Broadcom Corp.
S: Product=Bluetooth USB Host Controller
C:* #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr= 0mA
A: FirstIf#= 2 IfCount= 4 Cls=ff(vend.) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=01 Driver=usbhid
E: Ad=85(I) Atr=03(Int.) MxPS= 8 Ivl=10ms
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=02 Driver=usbhid
E: Ad=86(I) Atr=03(Int.) MxPS= 8 Ivl=10ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 3 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 3 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 3 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 3 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 3 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
The general layout of Bluetooth devices is that interface 0 is the main
interface and interface 1 is for audio data. This design obviously moves
it to main interface 2 and audio data on interface 3.
Starting with the MacBookPro12,1 (early 2015 models) the new Broadcom
BCM943602CS cards are used which show this interface layout.
usb 4-1.5: New USB device found, idVendor=05ac, idProduct=8290
usb 4-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 4-1.5: Product: Bluetooth USB Host Controller
usb 4-1.5: Manufacturer: Broadcom Corp.
Bluetooth: hci0: BCM: chip id 102 build 0243
Bluetooth: hci0: BCM: product 05ac:8290
Bluetooth: hci0: BCM20703A1 Generic USB UHE Apple 20Mhz fcbga_X87
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 20 Oct 2015 00:30:48 +0000 (02:30 +0200)]
Bluetooth: btusb: Set early vendor info for Intel and Broadcom
For the controllers from Intel and Broadcom (including Apple), it is
helpful to have the information about the manufacturer send out early.
This patch sets the hdev->manufacturer information which will be send
out before actually calling the vendor specific hdev->setup driver
callback.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 20 Oct 2015 00:30:47 +0000 (02:30 +0200)]
Bluetooth: Add support setup stage internal notification event
Before the vendor specific setup stage is triggered call back into the
core to trigger an internal notification event. That event is used to
send an index update to the monitor interface. With that specific event
it is possible to update userspace with manufacturer information before
any HCI command has been executed. This is useful for early stage
debugging of vendor specific initialization sequences.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Dmitry Tunin [Fri, 16 Oct 2015 08:45:26 +0000 (11:45 +0300)]
Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0cf3 ProdID=817b Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
BugLink: https://bugs.launchpad.net/bugs/1506615
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Dmitry Tunin [Mon, 5 Oct 2015 16:29:33 +0000 (19:29 +0300)]
Bluetooth: ath3k: Add new AR3012 0930:021c id
This adapter works with the existing linux-firmware.
T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0930 ProdID=021c Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
BugLink: https://bugs.launchpad.net/bugs/1502781
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Santtu Rekilä [Mon, 5 Oct 2015 12:45:27 +0000 (15:45 +0300)]
Bluetooth: btusb: Add support for Foxconn/Lenovo BCM43142A0 (105b:e065)
Recently salvaged this 'BCM43142A0' WiFi/Bluetooth module from a Lenovo laptop
and noticed it doesn't work automatically, because the USB IDs are missing
from btusb.c.
Plugging in the adapter on Linux 4.1 (dmesg):
usb 3-3.3.3: new full-speed USB device number 90 using xhci_hcd
usb 3-3.3.3: New USB device found, idVendor=105b, idProduct=e065
usb 3-3.3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 3-3.3.3: Product: BCM43142A0
usb 3-3.3.3: Manufacturer: Broadcom Corp
usb 3-3.3.3: SerialNumber:
0090A286559E
/sys/kernel/debug/usb/devices:
T: Bus=03 Lev=03 Prnt=22 Port=02 Cnt=02 Dev#= 90 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=105b ProdID=e065 Rev= 1.12
S: Manufacturer=Broadcom Corp
S: Product=BCM43142A0
S: SerialNumber=
0090A286559E
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Support for the chipset was added in commit
88f9b65 and a similar BCM43142
based device was added in commit
8f0c304.
To work around the issue, I got the firmware
(BCM43142A0_001.001.011.0122.0153) off a Windows installation of Broadcom
bluetooth driver and converted it to a .hcd -file via. hex2hcd and placed it
in /lib/firmware/brcm/BCM.hcd. After that:
$ echo "105b e065 0 19ff 0239" > /sys/bus/usb/drivers/btusb/new_id
...(plug in the adapter)
usb 3-3.3.3: new full-speed USB device number 91 using xhci_hcd
usb 3-3.3.3: New USB device found, idVendor=105b, idProduct=e065
usb 3-3.3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 3-3.3.3: Product: BCM43142A0
usb 3-3.3.3: Manufacturer: Broadcom Corp
usb 3-3.3.3: SerialNumber:
0090A286559E
Bluetooth: hci0: BCM: chip id 70
Bluetooth: hci0: BCM (001.001.011) build 0000
bluetooth hci0: firmware: direct-loading firmware brcm/BCM.hcd
Bluetooth: hci0: BCM (001.001.011) build 0154
Bam, now it works for me!
/sys/kernel/debug/usb/devices:
T: Bus=03 Lev=03 Prnt=22 Port=02 Cnt=02 Dev#= 92 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=105b ProdID=e065 Rev= 1.12
S: Manufacturer=Broadcom Corp
S: Product=BCM43142A0
S: SerialNumber=
0090A286559E
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Signed-off-by: Santtu Rekilä <sare@r00t3d.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
David Herrmann [Mon, 7 Sep 2015 10:05:41 +0000 (12:05 +0200)]
Bluetooth: hidp: fix device disconnect on idle timeout
The HIDP specs define an idle-timeout which automatically disconnects a
device. This has always been implemented in the HIDP layer and forced a
synchronous shutdown of the hidp-scheduler. This works just fine, but
lacks a forced disconnect on the underlying l2cap channels. This has been
broken since:
commit
5205185d461d5902325e457ca80bd421127b7308
Author: David Herrmann <dh.herrmann@gmail.com>
Date: Sat Apr 6 20:28:47 2013 +0200
Bluetooth: hidp: remove old session-management
The old session-management always forced an l2cap error on the ctrl/intr
channels when shutting down. The new session-management skips this, as we
don't want to enforce channel policy on the caller. In other words, if
user-space removes an HIDP device, the underlying channels (which are
*owned* and *referenced* by user-space) are still left active. User-space
needs to call shutdown(2) or close(2) to release them.
Unfortunately, this does not work with idle-timeouts. There is no way to
signal user-space that the HIDP layer has been stopped. The API simply
does not support any event-passing except for poll(2). Hence, we restore
old behavior and force EUNATCH on the sockets if the HIDP layer is
disconnected due to idle-timeouts (behavior of explicit disconnects
remains unmodified). User-space can still call
getsockopt(..., SO_ERROR, ...)
..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
still be re-used (which nobody does so far, though). Therefore, the API
still supports the new behavior, but with this patch it's also compatible
to the old implicit channel shutdown.
Cc: <stable@vger.kernel.org> # 3.10+
Reported-by: Mark Haun <haunma@keteu.org>
Reported-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Sun, 18 Oct 2015 20:48:28 +0000 (22:48 +0200)]
Bluetooth: btbcm: Read USB product information for Apple devices
For the Apple Bluetooth devices, read the USB product information and
print them. This allows for easy mapping of chip and USB details.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sun, 18 Oct 2015 20:37:56 +0000 (22:37 +0200)]
Bluetooth: btbcm: Fix firmware version number calculation
The calculation for the firmware version number is off by one bit.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sat, 17 Oct 2015 12:39:27 +0000 (14:39 +0200)]
Bluetooth: btusb: Mark BCM2045 devices to have broken link key commands
The BCM2045 seems to have a problem with the stored link key commands
and thus just mark them as broken.
HCI Event: Command Complete (0x0e) plen 12
Read Local Supported Features (0x04|0x0003) ncmd 1
status 0x00
Features: 0xff 0xff 0x8d 0xfe 0x8f 0xf9 0x00 0x80
HCI Event: Command Complete (0x0e) plen 12
Read Local Version Information (0x04|0x0001) ncmd 1
status 0x00
HCI Version: 2.0 (0x3) HCI Revision: 0x2000
LMP Version: 2.0 (0x3) LMP Subversion: 0x410d
Manufacturer: Broadcom Corporation (15)
HCI Event: Command Complete (0x0e) plen 11
Read Buffer Size (0x04|0x0005) ncmd 1
status 0x00
ACL MTU 1017:8 SCO MTU 64:0
HCI Event: Command Complete (0x0e) plen 68
Read Local Supported Commands (0x04|0x0002) ncmd 1
status 0x00
Commands:
ffffff03feffcfffffffffff0300f8ff07
HCI Event: Command Complete (0x0e) plen 4
Delete Stored Link Key (0x03|0x0012) ncmd 1
status 0x11 deleted 2048
Error: Unsupported Feature or Parameter Value
From the looks of it, this device seems genuine and not one of the
devices that are neither Broadcom nor CSR devices in reality.
T: Bus=04 Lev=02 Prnt=02 Port=02 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0a5c ProdID=2045 Rev= 1.12
S: Manufacturer=Broadcom Corp
S: Product=BCM2045A
S: SerialNumber=
000000000000
C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=00 Driver=(none)
Reported-and-tested-by: Julio González Mejías <juliolokooo@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sat, 17 Oct 2015 14:00:28 +0000 (16:00 +0200)]
Bluetooth: btintel: Add diagnostic support for older controllers
For the older controllers like Wilkens Peak and Stone Peak, enabling the
traces requires to switch into manufacturer mode first. This patch does
exactly that, but only for these older controllers.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sat, 17 Oct 2015 14:00:27 +0000 (16:00 +0200)]
Bluetooth: btintel: Set quirk for non-persistent diagnostic settings
For Intel controllers the diagnostics settings are not persistent over
HCI Reset. So set the quirk to programm them again on every power up.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Sat, 17 Oct 2015 14:00:26 +0000 (16:00 +0200)]
Bluetooth: Add new quirk for non-persistent diagnostic settings
If the diagnostic settings are not persistent over HCI Reset, then this
quirk can be used to tell the Bluetoth core about it. This will ensure
that the settings are programmed correctly when the controller is
powered up.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Arnd Bergmann [Fri, 16 Oct 2015 22:03:38 +0000 (00:03 +0200)]
Bluetooth: bpa10x: fix BT_HCIUART dependency
The change to bpa10x to use the h4_recv_buf helper added a dependency
on BT_HCIUART. This was incorrectly added to Kconfig by adding a
'select' statement, which now in turn causes build failures
when CONFIG_TTY is not set:
warning: (BT_HCIBPA10X) selects BT_HCIUART which has unmet direct dependencies (NET && BT && TTY)
vers/built-in.o: In function `hci_uart_tty_receive':
fpga-mgr.c:(.text+0x282824): undefined reference to `tty_unthrottle'
drivers/built-in.o: In function `hci_uart_tty_ioctl':
fpga-mgr.c:(.text+0x282aa0): undefined reference to `n_tty_ioctl_helper'
drivers/built-in.o: In function `hci_uart_flush':
This replaces the 'select BT_HCIUART' dependency with 'depends on', which
does not have this kind of problem. Alternatively, one could add 'depends
on TTY', but avoiding 'select' on user-visible options is generally the
preferred choice as that does not introduce the potential for dependency
loops or incomplete dependency chains.
Fixes:
91489919247a ("Bluetooth: bpa10x: Fix missing BT_HCIUART dependency")
Fixes:
943cc592195e ("Bluetooth: bpa10x: Use h4_recv_buf helper for frame reassembly")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Tue, 13 Oct 2015 11:54:55 +0000 (13:54 +0200)]
Bluetooth: btusb: Print information of Intel SfP lock states
The lock states from Intel SfP controllers can only be read once before
loading the firmware. So for debugging purposes, print them out.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Johan Hedberg [Mon, 12 Oct 2015 11:36:19 +0000 (13:36 +0200)]
Bluetooth: Don't use remote address type to decide IRK persistency
There are LE devices on the market that start off by announcing their
public address and then once paired switch to using private address.
To be interoperable with such devices we should simply trust the fact
that we're receiving an IRK from them to indicate that they may use
private addresses in the future. Instead, simply tie the persistency
to the bonding/no-bonding information the same way as for LTKs and
CSRKs.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Fri, 9 Oct 2015 14:13:51 +0000 (16:13 +0200)]
Bluetooth: Queue diagnostic messages together with HCI packets
Sending diagnostic messages directly to the monitor socket might cause
issues for devices processing their messages in interrupt context. So
instead of trying to directly forward them, queue them up with the other
HCI packets and lets them be processed by the sockets at the same time.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Fri, 9 Oct 2015 14:13:50 +0000 (16:13 +0200)]
Bluetooth: Restrict valid packet types via HCI_CHANNEL_RAW
When using the HCI_CHANNEL_RAW, restrict the packet types to valid ones
from the Bluetooth specification.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Fri, 9 Oct 2015 14:13:49 +0000 (16:13 +0200)]
Bluetooth: Remove quirk for HCI_VENDOR_PKT filter handling
The HCI_VENDOR_PKT quirk was needed for BPA-100/105 devices that send
these messages. Now that there is support for proper diagnostic channel
this quirk is no longer needed.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Fri, 9 Oct 2015 12:42:08 +0000 (14:42 +0200)]
Bluetooth: btintel: Add support for enabling tracing functionality
For Intel controllers with firmware that allows tracing of baseband
functionality this allows enabling it via set_diag driver callback.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Thu, 8 Oct 2015 18:23:08 +0000 (20:23 +0200)]
Bluetooth: btusb: Add support for Broadcom LM_DIAG interface
The Broadcom Bluetooth USB devices have a third interface that is
dedicated for LM_DIAG messages. The If#= 2 describes this interface
and it consists of one bulk in and one bulk endpoint.
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 38 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=19ff ProdID=0239 Rev= 1.12
S: Manufacturer=Broadcom Corp
S: Product=BCM20702A0
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
For all Broadcom based devices with this interface, the driver now
claims it and schedules URBs for it. This allows to capture the
LM_DIAG messages and allows forwarding them via hci_recv_diag into
the diagnostic channel of the Bluetooth subsystem.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Thu, 8 Oct 2015 17:30:05 +0000 (19:30 +0200)]
Bluetooth: bpa10x: Fix missing BT_HCIUART dependency
Selecting just BT_HCIUART_H4 is not enough and it also needs to select
BT_HCIUART to avoid this warning:
warning: (BT_HCIBPA10X) selects BT_HCIUART_H4 which has unmet direct
dependencies (NET && BT && BT_HCIUART)
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
David S. Miller [Tue, 20 Oct 2015 13:08:27 +0000 (06:08 -0700)]
Merge git://git./linux/kernel/git/davem/net
Conflicts:
drivers/net/usb/asix_common.c
net/ipv4/inet_connection_sock.c
net/switchdev/switchdev.c
In the inet_connection_sock.c case the request socket hashing scheme
is completely different in net-next.
The other two conflicts were overlapping changes.
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Mon, 19 Oct 2015 16:55:40 +0000 (09:55 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Account for extra headroom in ath9k driver, from Felix Fietkau.
2) Fix OOPS in pppoe driver due to incorrect socket state transition,
from Guillaume Nault.
3) Kill memory leak in amd-xgbe debugfx, from Geliang Tang.
4) Power management fixes for iwlwifi, from Johannes Berg.
5) Fix races in reqsk_queue_unlink(), from Eric Dumazet.
6) Fix dst_entry usage in ARP replies, from Jiri Benc.
7) Cure OOPSes with SO_GET_FILTER, from Daniel Borkmann.
8) Missing allocation failure check in amd-xgbe, from Tom Lendacky.
9) Various resource allocation/freeing cures in DSA< from Neil
Armstrong.
10) A series of bug fixes in the openvswitch conntrack support, from
Joe Stringer.
11) Fix two cases (BPF and act_mirred) where we have to clean the sender
cpu stored in the SKB before transmitting. From WANG Cong and
Alexei Starovoitov.
12) Disable VLAN filtering in promiscuous mode in mlx5 driver, from
Achiad Shochat.
13) Older bnx2x chips cannot do 4-tuple UDP hashing, so prevent this
configuration via ethtool. From Yuval Mintz.
14) Don't call rt6_uncached_list_flush_dev() from rt6_ifdown() when
'dev' is NULL, from Eric Biederman.
15) Prevent stalled link synchronization in tipc, from Jon Paul Maloy.
16) kcalloc() gstrings ethtool buffer before having driver fill it in,
in order to prevent kernel memory leaking. From Joe Perches.
17) Fix mixxing rt6_info initialization for blackhole routes, from
Martin KaFai Lau.
18) Kill VLAN regression in via-rhine, from Andrej Ota.
19) Missing pfmemalloc check in sk_add_backlog(), from Eric Dumazet.
20) Fix spurious MSG_TRUNC signalling in netlink dumps, from Ronen Arad.
21) Scrube SKBs when pushing them between namespaces in openvswitch,
from Joe Stringer.
22) bcmgenet enables link interrupts too early, fix from Florian
Fainelli.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (92 commits)
net: bcmgenet: Fix early link interrupt enabling
tunnels: Don't require remote endpoint or ID during creation.
openvswitch: Scrub skb between namespaces
xen-netback: correctly check failed allocation
net: asix: add support for the Billionton GUSB2AM-1G-B USB adapter
netlink: Trim skb to alloc size to avoid MSG_TRUNC
net: add pfmemalloc check in sk_add_backlog()
via-rhine: fix VLAN receive handling regression.
ipv6: Initialize rt6_info properly in ip6_blackhole_route()
ipv6: Move common init code for rt6_info to a new function rt6_info_init()
Bluetooth: Fix initializing conn_params in scan phase
Bluetooth: Fix conn_params list update in hci_connect_le_scan_cleanup
Bluetooth: Fix remove_device behavior for explicit connects
Bluetooth: Fix LE reconnection logic
Bluetooth: Fix reference counting for LE-scan based connections
Bluetooth: Fix double scan updates
mlxsw: core: Fix race condition in __mlxsw_emad_transmit
tipc: move fragment importance field to new header position
ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
tipc: eliminate risk of stalled link synchronization
...
Florian Fainelli [Sat, 17 Oct 2015 21:22:46 +0000 (14:22 -0700)]
net: bcmgenet: Fix early link interrupt enabling
Link interrupts are enabled in init_umac(), which is too early for us to
process them since we do not yet have a valid PHY device pointer. On
BCM7425 chips for instance, we will crash calling phy_mac_interrupt()
because phydev is NULL.
Fix this by moving the link interrupts enabling in
bcmgenet_netif_start(), under a specific function:
bcmgenet_link_intr_enable() and while at it, update the comments
surrounding the code.
Fixes:
6cc8e6d4dcb36 ("net: bcmgenet: Delay PHY initialization to bcmgenet_open()")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Oct 2015 06:05:56 +0000 (23:05 -0700)]
Merge tag 'wireless-drivers-for-davem-2015-10-17' of git://git./linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
iwlwifi:
* mvm: flush fw_dump_wk when mvm fails to start
* mvm: init card correctly on ctkill exit check
* pci: add a few more PCI subvendor IDs for the 7265 series
* fix firmware filename for 3160
* mvm: clear csa countdown when AP is stopped
* mvm: fix D3 firmware PN programming
* dvm: fix D3 firmware PN programming
* mvm: fix D3 CCMP TX PN assignment
rtlwifi:
* rtl8821ae: Fix system lockups on boot
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Oct 2015 05:48:34 +0000 (22:48 -0700)]
Merge git://git./linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for your net-next
tree. Most relevantly, updates for the nfnetlink_log to integrate with
conntrack, fixes for cttimeout and improvements for nf_queue core, they are:
1) Remove useless ifdef around static inline function in IPVS, from
Eric W. Biederman.
2) Simplify the conntrack support for nfnetlink_queue: Merge
nfnetlink_queue_ct.c file into nfnetlink_queue_core.c, then rename it back
to nfnetlink_queue.c
3) Use y2038 safe timestamp from nfnetlink_queue.
4) Get rid of dead function definition in nf_conntrack, from Flavio
Leitner.
5) Attach conntrack support for nfnetlink_log.c, from Ken-ichirou MATSUZAWA.
This adds a new NETFILTER_NETLINK_GLUE_CT Kconfig switch that
controls enabling both nfqueue and nflog integration with conntrack.
The userspace application can request this via NFULNL_CFG_F_CONNTRACK
configuration flag.
6) Remove unused netns variables in IPVS, from Eric W. Biederman and
Simon Horman.
7) Don't put back the refcount on the cttimeout object from xt_CT on success.
8) Fix crash on cttimeout policy object removal. We have to flush out
the cttimeout extension area of the conntrack not to refer to an unexisting
object that was just removed.
9) Make sure rcu_callback completion before removing nfnetlink_cttimeout
module removal.
10) Fix compilation warning in br_netfilter when no nf_defrag_ipv4 and
nf_defrag_ipv6 are enabled. Patch from Arnd Bergmann.
11) Autoload ctnetlink dependencies when NFULNL_CFG_F_CONNTRACK is
requested. Again from Ken-ichirou MATSUZAWA.
12) Don't use pointer to previous hook when reinjecting traffic via
nf_queue with NF_REPEAT verdict since it may be already gone. This
also avoids a deadloop if the userspace application keeps returning
NF_REPEAT.
13) A bunch of cleanups for netfilter IPv4 and IPv6 code from Ian Morris.
14) Consolidate logger instance existence check in nfulnl_recv_config().
15) Fix broken atomicity when applying configuration updates to logger
instances in nfnetlink_log.
16) Get rid of the .owner attribute in our hook object. We don't need
this anymore since we're dropping pending packets that have escaped
from the kernel when unremoving the hook. Patch from Florian Westphal.
17) Remove unnecessary rcu_read_lock() from nf_reinject code, we always
assume RCU read side lock from .call_rcu in nfnetlink. Also from Florian.
18) Use static inline function instead of macros to define NF_HOOK() and
NF_HOOK_COND() when no netfilter support in on, from Arnd Bergmann.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
santosh.shilimkar@oracle.com [Sat, 17 Oct 2015 02:13:21 +0000 (22:13 -0400)]
RDS: fix rds-ping deadlock over TCP transport
Sowmini found hang with rds-ping while testing RDS over TCP. Its
a corner case and doesn't happen always. The issue is not reproducible
with IB transport. Its clear from below dump why we see it with RDS TCP.
[<
ffffffff8153b7e5>] do_tcp_setsockopt+0xb5/0x740
[<
ffffffff8153bec4>] tcp_setsockopt+0x24/0x30
[<
ffffffff814d57d4>] sock_common_setsockopt+0x14/0x20
[<
ffffffffa096071d>] rds_tcp_xmit_prepare+0x5d/0x70 [rds_tcp]
[<
ffffffffa093b5f7>] rds_send_xmit+0xd7/0x740 [rds]
[<
ffffffffa093bda2>] rds_send_pong+0x142/0x180 [rds]
[<
ffffffffa0939d34>] rds_recv_incoming+0x274/0x330 [rds]
[<
ffffffff810815ae>] ? ttwu_queue+0x11e/0x130
[<
ffffffff814dcacd>] ? skb_copy_bits+0x6d/0x2c0
[<
ffffffffa0960350>] rds_tcp_data_recv+0x2f0/0x3d0 [rds_tcp]
[<
ffffffff8153d836>] tcp_read_sock+0x96/0x1c0
[<
ffffffffa0960060>] ? rds_tcp_recv_init+0x40/0x40 [rds_tcp]
[<
ffffffff814d6a90>] ? sock_def_write_space+0xa0/0xa0
[<
ffffffffa09604d1>] rds_tcp_data_ready+0xa1/0xf0 [rds_tcp]
[<
ffffffff81545249>] tcp_data_queue+0x379/0x5b0
[<
ffffffffa0960cdb>] ? rds_tcp_write_space+0xbb/0x110 [rds_tcp]
[<
ffffffff81547fd2>] tcp_rcv_established+0x2e2/0x6e0
[<
ffffffff81552602>] tcp_v4_do_rcv+0x122/0x220
[<
ffffffff81553627>] tcp_v4_rcv+0x867/0x880
[<
ffffffff8152e0b3>] ip_local_deliver_finish+0xa3/0x220
This happens because rds_send_xmit() chain wants to take
sock_lock which is already taken by tcp_v4_rcv() on its
way to rds_tcp_data_ready(). Commit
db6526dcb51b ("RDS: use
rds_send_xmit() state instead of RDS_LL_SEND_FULL") which
was trying to opportunistically finish the send request
in same thread context.
But because of above recursive lock hang with RDS TCP,
the send work from rds_send_pong() needs to deferred to
worker to avoid lock up. Given RDS ping is more of connectivity
test than performance critical path, its should be ok even
for transport like IB.
Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Santosh Shilimkar <ssantosh@kernel.org>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jesse Gross [Fri, 16 Oct 2015 23:36:00 +0000 (16:36 -0700)]
tunnels: Don't require remote endpoint or ID during creation.
Before lightweight tunnels existed, it really didn't make sense to
create a tunnel that was not fully specified, such as without a
destination IP address - the resulting packets would go nowhere.
However, with lightweight tunnels, the opposite is true - it doesn't
make sense to require this information when it will be provided later
on by the route. This loosens the requirements for this information.
An alternative would be to allow the relaxed version only when
COLLECT_METADATA is enabled. However, since there are several
variations on this theme (such as NBMA tunnels in GRE), just dropping
the restrictions seems the most consistent across tunnels and with
the existing configuration.
CC: John Linville <linville@tuxdriver.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Fri, 16 Oct 2015 23:12:34 +0000 (16:12 -0700)]
uapi: add mpls_iptunnel.h
Add missing rule to export mpls iptunnel header needed by iproute2
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 16 Oct 2015 20:00:01 +0000 (13:00 -0700)]
tcp: do not set queue_mapping on SYNACK
At the time of commit
fff326990789 ("tcp: reflect SYN queue_mapping into
SYNACK packets") we had little ways to cope with SYN floods.
We no longer need to reflect incoming skb queue mappings, and instead
can pick a TX queue based on cpu cooking the SYNACK, with normal XPS
affinities.
Note that all SYNACK retransmits were picking TX queue 0, this no longer
is a win given that SYNACK rtx are now distributed on all cpus.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Stringer [Fri, 16 Oct 2015 18:08:18 +0000 (11:08 -0700)]
openvswitch: Scrub skb between namespaces
If OVS receives a packet from another namespace, then the packet should
be scrubbed. However, people have already begun to rely on the behaviour
that skb->mark is preserved across namespaces, so retain this one field.
This is mainly to address information leakage between namespaces when
using OVS internal ports, but by placing it in ovs_vport_receive() it is
more generally applicable, meaning it should not be overlooked if other
port types are allowed to be moved into namespaces in future.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Oct 2015 05:23:33 +0000 (22:23 -0700)]
Merge branch 'for-upstream' of git://git./linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says:
====================
pull request: bluetooth 2015-10-16
First of all, sorry for the late set of patches for the 4.3 cycle. We
just finished an intensive week of testing at the Bluetooth UnPlugFest
and discovered (and fixed) issues there. Unfortunately a few issues
affect 4.3-rc5 in a way that they break existing Bluetooth LE mouse and
keyboard support.
The regressions result from supporting LE privacy in conjunction with
scanning for Resolvable Private Addresses before connecting. A feature
that has been tested heavily (including automated unit tests), but sadly
some regressions slipped in. The UnPlugFest with its multitude of test
platforms is a good battle testing ground for uncovering every corner
case.
The patches in this pull request focus only on fixing the regressions in
4.3-rc5. The patches look a bit larger since we also added comments in
the critical sections of the fixes to improve clarity.
I would appreciate if we can get these regression fixes to Linus
quickly. Please let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Fri, 16 Oct 2015 10:00:51 +0000 (12:00 +0200)]
net: hix5hd2_gmac: avoid integer overload warning
BITS_RX_EN is an 'unsigned long' constant, so the ones complement of that
has bits set that do not fit into a 32-bit variable on 64-bit architectures,
which causes a harmless gcc warning:
drivers/net/ethernet/hisilicon/hix5hd2_gmac.c: In function 'hix5hd2_port_disable':
drivers/net/ethernet/hisilicon/hix5hd2_gmac.c:374:2: warning: large integer implicitly truncated to unsigned type [-Woverflow]
writel_relaxed(~(BITS_RX_EN | BITS_TX_EN), priv->base + PORT_EN);
This adds a cast to (u32) to tell gcc that the code is indeed fine.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Fri, 16 Oct 2015 09:33:49 +0000 (11:33 +0200)]
net: hisilicon: add OF dependency
The HNS MDIO driver fails to build on older ARM machines that are not
yet converted to CONFIG_OF:
drivers/net/ethernet/hisilicon/hns_mdio.c: In function 'hns_mdio_bus_name':
drivers/net/ethernet/hisilicon/hns_mdio.c:405:14: error: 'OF_BAD_ADDR' undeclared (first use in this function)
u64 taddr = OF_BAD_ADDR;
^
drivers/net/ethernet/hisilicon/hns_mdio.c:405:14: note: each undeclared identifier is reported only once for each function it appears in
drivers/net/ethernet/hisilicon/hns_mdio.c:409:11: error: implicit declaration of function 'of_translate_address' [-Werror=implicit-function-declaration]
taddr = of_translate_address(np, addr);
^
This clarifies the dependency to ensure we don't attempt to build these
drivers without CONFIG_OF, but also adds a COMPILE_TEST alternative to
give us better build coverage testing.
Build-tested on x86 as well to ensure this actually works.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Fri, 16 Oct 2015 09:30:56 +0000 (11:30 +0200)]
net: hisilicon: include linux/vmalloc.h in dsaf
Some configurations fail to build the hns dsaf code because of
a missing header file:
ethernet/hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_init':
ethernet/hisilicon/hns/hns_dsaf_main.c:1096:2: error: implicit declaration of function 'vzalloc' [-Werror=implicit-function-declaration]
priv->soft_mac_tbl = vzalloc(sizeof(*priv->soft_mac_tbl)
This adds the correct #include.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Oct 2015 02:57:12 +0000 (19:57 -0700)]
Merge branch 'hns-fixes'
yankejian says:
====================
net: hns: fixes two bugs in hns driver
This patchset fixes two bugs in hns driver.
- fixes timeout when received pause frame from the connective ports
- should be set by using ethtool -s when the devices are link down
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
lisheng [Fri, 16 Oct 2015 09:03:20 +0000 (17:03 +0800)]
net: hns: fixes a bug about timeout by pause frame
this patch fixes the bug triggered timeout sequence. when the connective
ports cannot accept the packets with higher speed, they will send out the
pause frame to the Soc's mac. At that time, the driver resets the relevant
of the Soc, then it causes the packets cannot be sent out immediately.
this patch fixes the issue.
Signed-off-by: yankejian <yankejian@huawei.com>
Signed-off-by: Yisen Zhuang <yisen.zhuang@huawei.com>
Signed-off-by: lisheng <lisheng011@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Chenny Xu [Fri, 16 Oct 2015 09:03:19 +0000 (17:03 +0800)]
net: hns: fixes the issue by using ethtool -s
before this patch, hns driver only permits user to set the net device
by using ethtool -s when the device is link up. it is obviously not so
good. it needs to be set no matter it is link up or down. so this patch
fixes this issue.
Signed-off-by: yankejian <yankejian@huawei.com>
Signed-off-by: Yisen Zhuang <yisen.zhuang@huawei.com>
Signed-off-by: lisheng <lisheng011@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Signed-off-by: Chenny Xu <chenny.xu@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Oct 2015 02:54:45 +0000 (19:54 -0700)]
Merge branch 'hsi-fixes'
huangdaode says:
====================
net: hisilicon fix some bugs in HNS drivers
This patchset fixes the two bugs in HNS driver, one is remove the hnae sysfs interface
according to the review comments from Arnd Bergmann <arnd@arndb.de>, another
is fixing the wrong mac_id judgement bug which is found during internal tests.
change log:
v3:
remove the hnae sysfs interface.
v2:
1) remove first bug fix, which is fixed in another patch submitted by
Arnd Bergmann <arnd@arndb.de>
2) change the code sytyle according to Joe.
v1:
initial version.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
huangdaode [Fri, 16 Oct 2015 03:54:17 +0000 (11:54 +0800)]
net: hisilicon fix a bug on Hisilicon Network Subsystem
This patch fixes the wrong judgement of mac_id when get port num.
Signed-off-by: huangdaode <huangdaode@hisilicon.com>
Signed-off-by: yankejian <yankejian@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
huangdaode [Fri, 16 Oct 2015 03:54:16 +0000 (11:54 +0800)]
net: hisilicon rm hnae sysfs interface
This patch removes the hns driver hnae sysfs interface according to
Arnd's review comments.
Signed-off-by: huangdaode <huangdaode@hisilicon.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Insu Yun [Thu, 15 Oct 2015 18:02:28 +0000 (18:02 +0000)]
xen-netback: correctly check failed allocation
Since vzalloc can be failed in memory pressure,
writes -ENOMEM to xenstore to indicate error.
Signed-off-by: Insu Yun <wuninsu@gmail.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Chia-Sheng Chang [Thu, 15 Oct 2015 18:00:21 +0000 (02:00 +0800)]
net: asix: add support for the Billionton GUSB2AM-1G-B USB adapter
Just another AX88178-based 10/100/1000 USB-to-Ethernet dongle. This one
shows up in lsusb as: "ID 08dd:0114 Billionton Systems, Inc".
Signed-off-by: Chia-Sheng Chang <changchias@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Christoph Jaeger <cj@linux.com>
Cc: "Woojung.Huh@microchip.com" <Woojung.Huh@microchip.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Markus Elfring <elfring@users.sourceforge.net>
Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Cc: netdev@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Arun Parameswaran [Thu, 15 Oct 2015 17:37:13 +0000 (10:37 -0700)]
net: phy: bcm-phy-lib: Fix module license issue
The 'bcm-phy-lib.c', added as a part of the commit
"net: phy: Add Broadcom phy library for common interfaces"
was missing the module license. This was causing an issue
when the library is built as a module; "module license
'unspecified' taints kernel".
This patch fixes the issue by adding the module license,
author and description to the bcm-phy-lib.c file.
Fixes:
a1cba5613edf5 ("net: phy: Add Broadcom phy library for
common interfaces")
Signed-off-by: Arun Parameswaran <arunp@broadcom.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Arad, Ronen [Thu, 15 Oct 2015 08:55:17 +0000 (01:55 -0700)]
netlink: Trim skb to alloc size to avoid MSG_TRUNC
netlink_dump() allocates skb based on the calculated min_dump_alloc or
a per socket max_recvmsg_len.
min_alloc_size is maximum space required for any single netdev
attributes as calculated by rtnl_calcit().
max_recvmsg_len tracks the user provided buffer to netlink_recvmsg.
It is capped at 16KiB.
The intention is to avoid small allocations and to minimize the number
of calls required to obtain dump information for all net devices.
netlink_dump packs as many small messages as could fit within an skb
that was sized for the largest single netdev information. The actual
space available within an skb is larger than what is requested. It could
be much larger and up to near 2x with align to next power of 2 approach.
Allowing netlink_dump to use all the space available within the
allocated skb increases the buffer size a user has to provide to avoid
truncaion (i.e. MSG_TRUNG flag set).
It was observed that with many VLANs configured on at least one netdev,
a larger buffer of near 64KiB was necessary to avoid "Message truncated"
error in "ip link" or "bridge [-c[ompressvlans]] vlan show" when
min_alloc_size was only little over 32KiB.
This patch trims skb to allocated size in order to allow the user to
avoid truncation with more reasonable buffer size.
Signed-off-by: Ronen Arad <ronen.arad@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Thu, 15 Oct 2015 08:54:36 +0000 (16:54 +0800)]
ipconfig: send Client-identifier in DHCP requests
A dhcp server may provide parameters to a client from a pool of IP
addresses and using a shared rootfs, or provide a specific set of
parameters for a specific client, usually using the MAC address to
identify each client individually. The dhcp protocol also specifies
a client-id field which can be used to determine the correct
parameters to supply when no MAC address is available. There is
currently no way to tell the kernel to supply a specific client-id,
only the userspace dhcp clients support this feature, but this can
not be used when the network is needed before userspace is available
such as when the root filesystem is on NFS.
This patch is to be able to do something like "ip=dhcp,client_id_type,
client_id_value", as a kernel parameter to enable the kernel to
identify itself to the server.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 18 Oct 2015 23:08:42 +0000 (16:08 -0700)]
Linux 4.3-rc6
Linus Torvalds [Sun, 18 Oct 2015 19:07:48 +0000 (12:07 -0700)]
Merge branch 'i2c/for-current' of git://git./linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
"Here are some bugfixes for the I2C subsystem.
Kieran found a flaw in the recently renewed wake irq handling. Mika
handled a user bug report where the ACPI info turned out to be
unusable. I updated MAINTAINERS so that such bug reports will sooner
get to the right people. Geert pointed me to a problem of some i2c
drivers regarding PM which I fixed"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348
MAINTAINERS: add maintainers for Synopsis Designware I2C drivers
i2c: designware-platdrv: enable RuntimePM before registering to the core
i2c: s3c2410: enable RuntimePM before registering to the core
i2c: rcar: enable RuntimePM before registering to the core
i2c: return probe deferred status on dev_pm_domain_attach
Mika Westerberg [Thu, 24 Sep 2015 09:06:54 +0000 (12:06 +0300)]
i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348
ACPI SSCN/FMCN methods were originally added because then the platform can
provide the most accurate HCNT/LCNT values to the driver. However, this
seems not to be true for Dell Inspiron 7348 where using these causes the
touchpad to fail in boot:
i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
i2c_designware INT3433:00: i2c_dw_handle_tx_abort: lost arbitration
i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
i2c_designware INT3433:00: controller timed out
The values received from ACPI are (in fast mode):
HCNT: 72
LCNT: 160
this translates to following timings (input clock is 100MHz on Broadwell):
tHIGH: 720 ns (spec min 600 ns)
tLOW: 1600 ns (spec min 1300 ns)
Bus period: 2920 ns (assuming 300 ns tf and tr)
Bus speed: 342.5 kHz
Both tHIGH and tLOW are within the I2C specification.
The calculated values when ACPI parameters are not used are (in fast mode):
HCNT: 87
LCNT: 159
which translates to:
tHIGH: 870 ns (spec min 600 ns)
tLOW: 1590 ns (spec min 1300 ns)
Bus period 3060 ns (assuming 300 ns tf and tr)
Bus speed 326.8 kHz
These values are also within the I2C specification.
Since both ACPI and calculated values meet the I2C specification timing
requirements it is hard to say why the touchpad does not function properly
with the ACPI values except that the bus speed is higher in this case (but
still well below the max 400kHz).
Solve this by adding DMI quirk to the driver that disables using ACPI
parameters on this particulare machine.
Reported-by: Pavel Roskin <plroskin@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Tested-by: Pavel Roskin <plroskin@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Linus Torvalds [Sat, 17 Oct 2015 15:47:27 +0000 (08:47 -0700)]
Merge branches 'irq-urgent-for-linus' and 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull irq/timer fixes from Thomas Gleixner:
"irq: a fix for the new hierarchical MSI interrupt handling which
unbreaks PCI=n configurations.
timers: a fix for the new hrtimer clock offset update mechanism to
ensure that the boot time offset is respected"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
genirq/msi: Do not use pci_msi_[un]mask_irq as default methods
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timekeeping: Increment clock_was_set_seq in timekeeping_init()
Pablo Neira Ayuso [Sat, 17 Oct 2015 12:11:08 +0000 (14:11 +0200)]
Merge branch 'master' of git://git./linux/kernel/git/davem/net-next
This merge resolves conflicts with
75aec9df3a78 ("bridge: Remove
br_nf_push_frag_xmit_sk") as part of Eric Biederman's effort to improve
netns support in the network stack that reached upstream via David's
net-next tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflicts:
net/bridge/br_netfilter_hooks.c
Eric Dumazet [Wed, 30 Sep 2015 01:52:25 +0000 (18:52 -0700)]
net: add pfmemalloc check in sk_add_backlog()
Greg reported crashes hitting the following check in __sk_backlog_rcv()
BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));
The pfmemalloc bit is currently checked in sk_filter().
This works correctly for TCP, because sk_filter() is ran in
tcp_v[46]_rcv() before hitting the prequeue or backlog checks.
For UDP or other protocols, this does not work, because the sk_filter()
is ran from sock_queue_rcv_skb(), which might be called _after_ backlog
queuing if socket is owned by user by the time packet is processed by
softirq handler.
Fixes:
b4b9e35585089 ("netvm: set PF_MEMALLOC as appropriate during SKB processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Greg Thelen <gthelen@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 17 Oct 2015 00:39:27 +0000 (17:39 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
"Just two small fixups to ads7846 touchscreen controller driver and
Cypress touchpad driver"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: cyapa - fix the copy paste error on electrodes_rx value
Input: ads7846 - correct the value got from SPI