1. 04 3月, 2020 2 次提交
  2. 01 3月, 2020 1 次提交
  3. 28 2月, 2020 13 次提交
  4. 20 2月, 2020 2 次提交
  5. 19 2月, 2020 1 次提交
  6. 18 2月, 2020 4 次提交
  7. 16 2月, 2020 1 次提交
  8. 15 2月, 2020 1 次提交
  9. 14 2月, 2020 1 次提交
    • H
      Bluetooth: secure bluetooth stack from bluedump attack · cee5f20f
      Howard Chung 提交于
      Attack scenario:
      1. A Chromebook (let's call this device A) is paired to a legitimate
         Bluetooth classic device (e.g. a speaker) (let's call this device
         B).
      2. A malicious device (let's call this device C) pretends to be the
         Bluetooth speaker by using the same BT address.
      3. If device A is not currently connected to device B, device A will
         be ready to accept connection from device B in the background
         (technically, doing Page Scan).
      4. Therefore, device C can initiate connection to device A
         (because device A is doing Page Scan) and device A will accept the
         connection because device A trusts device C's address which is the
         same as device B's address.
      5. Device C won't be able to communicate at any high level Bluetooth
         profile with device A because device A enforces that device C is
         encrypted with their common Link Key, which device C doesn't have.
         But device C can initiate pairing with device A with just-works
         model without requiring user interaction (there is only pairing
         notification). After pairing, device A now trusts device C with a
         new different link key, common between device A and C.
      6. From now on, device A trusts device C, so device C can at anytime
         connect to device A to do any kind of high-level hijacking, e.g.
         speaker hijack or mouse/keyboard hijack.
      
      Since we don't know whether the repairing is legitimate or not,
      leave the decision to user space if all the conditions below are met.
      - the pairing is initialized by peer
      - the authorization method is just-work
      - host already had the link key to the peer
      Signed-off-by: NHoward Chung <howardchung@google.com>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      cee5f20f
  10. 13 2月, 2020 3 次提交
  11. 09 2月, 2020 1 次提交
    • S
      Bluetooth: btusb: Add support for 13d3:3548 Realtek 8822CE device · eb3939e3
      Sergey Shatunov 提交于
      The ASUS FX505DV laptop contains RTL8822CE device with an
      associated BT chip using a USB ID of 13d3:3548.
      This patch add fw download support for it.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#=  4 Spd=12   MxCh= 0
      D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3548 Rev= 0.00
      S:  Manufacturer=Realtek
      S:  Product=Bluetooth Radio
      S:  SerialNumber=00e04c000001
      C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: NSergey Shatunov <me@prok.pw>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      eb3939e3
  12. 05 2月, 2020 3 次提交
  13. 03 2月, 2020 2 次提交
  14. 30 1月, 2020 1 次提交
  15. 29 1月, 2020 1 次提交
    • M
      Bluetooth: Fix refcount use-after-free issue · 6c08fc89
      Manish Mandlik 提交于
      There is no lock preventing both l2cap_sock_release() and
      chan->ops->close() from running at the same time.
      
      If we consider Thread A running l2cap_chan_timeout() and Thread B running
      l2cap_sock_release(), expected behavior is:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()
      
      where,
      sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
      socket as SOCK_ZAPPED.
      
      In l2cap_sock_kill(), there is an "if-statement" that checks if both
      sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
      and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
      satisfied.
      
      In the race condition, following occurs:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
      In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
      A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.
      
      Similar condition occurs at other places where teardown/sock_kill is
      happening:
        l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()
      
        l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        l2cap_sock_cleanup_listen()->l2cap_sock_kill()
      
      Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
      l2cap channel to ensure that the socket is killed only after marked as
      zapped and orphan.
      Signed-off-by: NManish Mandlik <mmandlik@google.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      6c08fc89
  16. 28 1月, 2020 1 次提交
  17. 27 1月, 2020 2 次提交
    • D
      Merge branch 'qed-Utilize-FW-8.42.2.0' · 8e5aa617
      David S. Miller 提交于
      Michal Kalderon says:
      
      ====================
      qed*: Utilize FW 8.42.2.0
      
      This FW contains several fixes and features, main ones listed below.
      We have taken into consideration past comments on previous FW versions
      that were uploaded and tried to separate this one to smaller patches to
      ease review.
      
      - RoCE
      	- SRIOV support
      	- Fixes in following flows:
      		- latency optimization flow for inline WQEs
      		- iwarp OOO packed DDPs flow
      		- tx-dif workaround calculations flow
      		- XRC-SRQ exceed cache num
      
      - iSCSI
      	- Fixes:
      		- iSCSI TCP out-of-order handling.
      		- iscsi retransmit flow
      
      - Fcoe
      	- Fixes:
      		- upload + cleanup flows
      
      - Debug
      	- Better handling of extracting data during traffic
      	- ILT Dump -> dumping host memory used by chip
      	- MDUMP -> collect debug data on system crash and extract after
      	  reboot
      
      Patches prefixed with FW 8.42.2.0 are required to work with binary
      8.42.2.0 FW where as the rest are FW related but do not require the
      binary.
      
      Changes from V2
      ---------------
      - Move FW version to the start of the series to maintain minimal compatibility
      - Fix some kbuild errors:
      	- frame size larger than 1024 (Queue Manager patch - remove redundant
      	  field from struct)
      	- sparse warning on endianity (Dmae patch fix - wrong use of __le32 for field
      	  used only on host, should be u32)
      	- static should be used for some functions (Debug feature ilt and mdump)
      Reported-by: Nkbuild test robot <lkp@intel.com>
      
      Changes from V1
      ---------------
      - Remove epoch + kernel version from device debug dump
      - don't bump driver version
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8e5aa617
    • M
      qed: FW 8.42.2.0 debug features · 2d22bc83
      Michal Kalderon 提交于
      Add to debug dump more information on the platform it was collected
      from (pci func, path id).
      Provide human readable reg fifo erros.
      
      Removed static debug arrays from HSI Functions, and move them to
      the hwfn.
      
      Some structures were slightly changed (removing reserved chip id
      for example) which lead to many long initializations being modified
      with one parameter less during initialization. This leads to
      some long diffs that don't really change anything.
      Signed-off-by: NAriel Elior <ariel.elior@marvell.com>
      Signed-off-by: NMichal Kalderon <michal.kalderon@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2d22bc83