1. 15 8月, 2012 1 次提交
    • A
      Bluetooth: Fix use-after-free bug in SMP · 61a0cfb0
      Andre Guedes 提交于
      If SMP fails, we should always cancel security_timer delayed work.
      Otherwise, security_timer function may run after l2cap_conn object
      has been freed.
      
      This patch fixes the following warning reported by ODEBUG:
      
      WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
      Hardware name: Bochs
      ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
      Modules linked in: btusb bluetooth
      Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
      Call Trace:
       [<ffffffff81174600>] ? free_obj_work+0x4a/0x7f
       [<ffffffff81023eb8>] warn_slowpath_common+0x7e/0x97
       [<ffffffff81023f65>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff811746b1>] debug_print_object+0x7c/0x8d
       [<ffffffff810394f0>] ? __queue_work+0x241/0x241
       [<ffffffff81174fdd>] debug_check_no_obj_freed+0x92/0x159
       [<ffffffff810ac08e>] slab_free_hook+0x6f/0x77
       [<ffffffffa0019145>] ? l2cap_conn_del+0x148/0x157 [bluetooth]
       [<ffffffff810ae408>] kfree+0x59/0xac
       [<ffffffffa0019145>] l2cap_conn_del+0x148/0x157 [bluetooth]
       [<ffffffffa001b9a2>] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
       [<ffffffff810592f9>] ? trace_hardirqs_on_caller+0x112/0x1ad
       [<ffffffffa001c86c>] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
       [<ffffffffa0002b2f>] hci_rx_work+0x235/0x33c [bluetooth]
       [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
       [<ffffffff81038e22>] process_one_work+0x185/0x2fe
       [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
       [<ffffffff81059f2e>] ? lock_acquired+0x1b5/0x1cf
       [<ffffffffa00028fa>] ? le_scan_work+0x11d/0x11d [bluetooth]
       [<ffffffff81036fb6>] ? spin_lock_irq+0x9/0xb
       [<ffffffff81039209>] worker_thread+0xcf/0x175
       [<ffffffff8103913a>] ? rescuer_thread+0x175/0x175
       [<ffffffff8103cfe0>] kthread+0x95/0x9d
       [<ffffffff812c5054>] kernel_threadi_helper+0x4/0x10
       [<ffffffff812c36b0>] ? retint_restore_args+0x13/0x13
       [<ffffffff8103cf4b>] ? flush_kthread_worker+0xdb/0xdb
       [<ffffffff812c5050>] ? gs_change+0x13/0x13
      
      This bug can be reproduced using hctool lecc or l2test tools and
      bluetoothd not running.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      61a0cfb0
  2. 14 8月, 2012 2 次提交
    • B
      ath5k: fix spin_lock_irqsave/spin_lock_bh nesting in mesh · 7dd6753f
      Bob Copeland 提交于
      Lockdep found an inconsistent lock state when joining a mesh with
      ath5k.  The problem is that ath5k takes the lock for its beacon state,
      ah->block, with spin_lock_irqsave(), while mesh internally takes the
      sync_offset_lock with spin_lock_bh() in mesh_sync_offset_adjust_tbtt(),
      which in turn is called under ah->block.
      
      This could deadlock if the beacon tasklet was run on the processor
      that held the beacon lock during the do_softirq() in spin_unlock_bh().
      
      We probably shouldn't hold the lock around the callbacks, but the
      easiest fix is to switch to spin_lock_bh for ah->block: it doesn't
      need interrupts disabled anyway as the data in question is only accessed
      in softirq or process context.
      
      Fixes the following lockdep warning:
      
      [  446.892304] WARNING: at kernel/softirq.c:159 _local_bh_enable_ip+0x38/0xa6()
      [  446.892306] Hardware name: MacBook1,1
      [  446.892309] Modules linked in: tcp_lp fuse sunrpc cpufreq_ondemand acpi_cpufreq mperf ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 ip6table_filter nf_defrag_ipv4 xt_state nf_conntrack ip6_tables ext2 arc4 btusb bluetooth snd_hda_codec_idt snd_hda_intel carl9170 snd_hda_codec coretemp joydev ath5k snd_hwdep snd_seq isight_firmware ath snd_seq_device snd_pcm applesmc appletouch mac80211 input_polldev snd_timer microcode cfg80211 snd lpc_ich pcspkr i2c_i801 mfd_core soundcore rfkill snd_page_alloc sky2 tpm_infineon virtio_net kvm_intel kvm i915 drm_kms_helper drm i2c_algo_bit i2c_core video
      [  446.892385] Pid: 1892, comm: iw Not tainted 3.6.0-rc1-wl+ #296
      [  446.892387] Call Trace:
      [  446.892394]  [<c0432958>] warn_slowpath_common+0x7c/0x91
      [  446.892398]  [<c04399d7>] ? _local_bh_enable_ip+0x38/0xa6
      [  446.892403]  [<c04399d7>] ? _local_bh_enable_ip+0x38/0xa6
      [  446.892459]  [<f7f9ae3b>] ? mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
      [  446.892464]  [<c043298f>] warn_slowpath_null+0x22/0x24
      [  446.892468]  [<c04399d7>] _local_bh_enable_ip+0x38/0xa6
      [  446.892473]  [<c0439a52>] local_bh_enable_ip+0xd/0xf
      [  446.892479]  [<c088004f>] _raw_spin_unlock_bh+0x34/0x37
      [  446.892527]  [<f7f9ae3b>] mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
      [  446.892569]  [<f7f7650f>] ieee80211_beacon_get_tim+0x28f/0x4e0 [mac80211]
      [  446.892575]  [<c047ceeb>] ? trace_hardirqs_on_caller+0x10e/0x13f
      [  446.892591]  [<f7fdc541>] ath5k_beacon_update+0x40/0x26b [ath5k]
      [  446.892597]  [<c047ad67>] ? lock_acquired+0x1f5/0x21e
      [  446.892612]  [<f7fdf9fb>] ? ath5k_bss_info_changed+0x167/0x1b2 [ath5k]
      [  446.892617]  [<c087f9ea>] ? _raw_spin_lock_irqsave+0x78/0x82
      [  446.892632]  [<f7fdf9fb>] ? ath5k_bss_info_changed+0x167/0x1b2 [ath5k]
      [  446.892647]  [<f7fdfa09>] ath5k_bss_info_changed+0x175/0x1b2 [ath5k]
      [  446.892651]  [<c0479dd4>] ? lock_is_held+0x73/0x7b
      [  446.892662]  [<c0458fd5>] ? __might_sleep+0xa7/0x17a
      [  446.892698]  [<f7f5d8f7>] ieee80211_bss_info_change_notify+0x1ed/0x21a [mac80211]
      [  446.892703]  [<c0449875>] ? queue_work+0x24/0x32
      [  446.892718]  [<f7fdf894>] ? ath5k_configure_filter+0x163/0x163 [ath5k]
      [  446.892766]  [<f7f95fa4>] ieee80211_start_mesh+0xb9/0xbd [mac80211]
      [  446.892806]  [<f7f6e610>] ieee80211_join_mesh+0x10c/0x116 [mac80211]
      [  446.892834]  [<f7a96b90>] __cfg80211_join_mesh+0x176/0x1b3 [cfg80211]
      [  446.892855]  [<f7a96c1c>] cfg80211_join_mesh+0x4f/0x6a [cfg80211]
      [  446.892875]  [<f7a89891>] nl80211_join_mesh+0x1de/0x1ed [cfg80211]
      [  446.892908]  [<f7a8db99>] ? nl80211_set_wiphy+0x4cf/0x4cf [cfg80211]
      [  446.892919]  [<c07cfa36>] genl_rcv_msg+0x1d5/0x1f3
      [  446.892940]  [<c07cf861>] ? genl_rcv+0x25/0x25
      [  446.892946]  [<c07cf009>] netlink_rcv_skb+0x37/0x78
      [  446.892950]  [<c07cf85a>] genl_rcv+0x1e/0x25
      [  446.892955]  [<c07cebf3>] netlink_unicast+0xc3/0x12d
      [  446.892959]  [<c07cee46>] netlink_sendmsg+0x1e9/0x213
      [  446.892966]  [<c079f282>] sock_sendmsg+0x79/0x96
      [  446.892972]  [<c04eb90d>] ? might_fault+0x9d/0xa3
      [  446.892978]  [<c07a81d8>] ? copy_from_user+0x8/0xa
      [  446.892983]  [<c07a852c>] ? verify_iovec+0x43/0x77
      [  446.892987]  [<c079f4d8>] __sys_sendmsg+0x180/0x215
      [  446.892993]  [<c045f107>] ? sched_clock_cpu+0x134/0x144
      [  446.892997]  [<c047992f>] ? trace_hardirqs_off+0xb/0xd
      [  446.893002]  [<c047bf88>] ? __lock_acquire+0x46b/0xb6e
      [  446.893006]  [<c047992f>] ? trace_hardirqs_off+0xb/0xd
      [  446.893010]  [<c045f149>] ? local_clock+0x32/0x49
      [  446.893015]  [<c0479ec1>] ? lock_release_holdtime.part.9+0x4b/0x51
      [  446.893020]  [<c0479dd4>] ? lock_is_held+0x73/0x7b
      [  446.893025]  [<c050d127>] ? fcheck_files+0x97/0xcd
      [  446.893029]  [<c050d4df>] ? fget_light+0x2d/0x81
      [  446.893034]  [<c07a01f3>] sys_sendmsg+0x3b/0x52
      [  446.893038]  [<c07a07b4>] sys_socketcall+0x238/0x2a2
      [  446.893044]  [<c0885edf>] sysenter_do_call+0x12/0x38
      [  446.893047] ---[ end trace a9af5998f929270f ]---
      [  447.627222]
      [  447.627232] =================================
      [  447.627237] [ INFO: inconsistent lock state ]
      [  447.627244] 3.6.0-rc1-wl+ #296 Tainted: G        W
      [  447.627248] ---------------------------------
      [  447.627253] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      [  447.627260] swapper/0/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
      [  447.627264]  (&(&ah->block)->rlock){+.?...}, at: [<f7fdd2d1>] ath5k_tasklet_beacon+0x91/0xa7 [ath5k]
      [  447.627299] {SOFTIRQ-ON-W} state was registered at:
      [  447.627304]   [<c047cdbf>] mark_held_locks+0x59/0x77
      [  447.627316]   [<c047ceeb>] trace_hardirqs_on_caller+0x10e/0x13f
      [  447.627324]   [<c047cf27>] trace_hardirqs_on+0xb/0xd
      [  447.627332]   [<c0439a3d>] _local_bh_enable_ip+0x9e/0xa6
      [  447.627342]   [<c0439a52>] local_bh_enable_ip+0xd/0xf
      [  447.627349]   [<c088004f>] _raw_spin_unlock_bh+0x34/0x37
      [  447.627359]   [<f7f9ae3b>] mesh_sync_offset_adjust_tbtt+0x95/0x99 [mac80211]
      [  447.627451]   [<f7f7650f>] ieee80211_beacon_get_tim+0x28f/0x4e0 [mac80211]
      [  447.627526]   [<f7fdc541>] ath5k_beacon_update+0x40/0x26b [ath5k]
      [  447.627547]   [<f7fdfa09>] ath5k_bss_info_changed+0x175/0x1b2 [ath5k]
      [  447.627569]   [<f7f5d8f7>] ieee80211_bss_info_change_notify+0x1ed/0x21a [mac80211]
      [  447.627628]   [<f7f95fa4>] ieee80211_start_mesh+0xb9/0xbd [mac80211]
      [  447.627712]   [<f7f6e610>] ieee80211_join_mesh+0x10c/0x116 [mac80211]
      [  447.627782]   [<f7a96b90>] __cfg80211_join_mesh+0x176/0x1b3 [cfg80211]
      [  447.627816]   [<f7a96c1c>] cfg80211_join_mesh+0x4f/0x6a [cfg80211]
      [  447.627845]   [<f7a89891>] nl80211_join_mesh+0x1de/0x1ed [cfg80211]
      [  447.627872]   [<c07cfa36>] genl_rcv_msg+0x1d5/0x1f3
      [  447.627881]   [<c07cf009>] netlink_rcv_skb+0x37/0x78
      [  447.627891]   [<c07cf85a>] genl_rcv+0x1e/0x25
      [  447.627898]   [<c07cebf3>] netlink_unicast+0xc3/0x12d
      [  447.627907]   [<c07cee46>] netlink_sendmsg+0x1e9/0x213
      [  447.627915]   [<c079f282>] sock_sendmsg+0x79/0x96
      [  447.627926]   [<c079f4d8>] __sys_sendmsg+0x180/0x215
      [  447.627934]   [<c07a01f3>] sys_sendmsg+0x3b/0x52
      [  447.627941]   [<c07a07b4>] sys_socketcall+0x238/0x2a2
      [  447.627949]   [<c0885edf>] sysenter_do_call+0x12/0x38
      [  447.627959] irq event stamp: 1929200
      [  447.627963] hardirqs last  enabled at (1929200): [<c043a0e9>] tasklet_hi_action+0x3e/0xbf
      [  447.627972] hardirqs last disabled at (1929199): [<c043a0c0>] tasklet_hi_action+0x15/0xbf
      [  447.627981] softirqs last  enabled at (1929196): [<c043999d>] _local_bh_enable+0x12/0x14
      [  447.627989] softirqs last disabled at (1929197): [<c040443b>] do_softirq+0x63/0xb8
      [  447.627999]
      [  447.627999] other info that might help us debug this:
      [  447.628004]  Possible unsafe locking scenario:
      [  447.628004]
      [  447.628009]        CPU0
      [  447.628012]        ----
      [  447.628016]   lock(&(&ah->block)->rlock);
      [  447.628023]   <Interrupt>
      [  447.628027]     lock(&(&ah->block)->rlock);
      [  447.628034]
      [  447.628034]  *** DEADLOCK ***
      Signed-off-by: NBob Copeland <me@bobcopeland.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      7dd6753f
    • L
      ath9k: fix decrypt_error initialization in ath_rx_tasklet() · e1352fde
      Lorenzo Bianconi 提交于
      ath_rx_tasklet() calls ath9k_rx_skb_preprocess() and ath9k_rx_skb_postprocess()
      in a loop over the received frames. The decrypt_error flag is
      initialized to false
      just outside ath_rx_tasklet() loop. ath9k_rx_accept(), called by
      ath9k_rx_skb_preprocess(),
      only sets decrypt_error to true and never to false.
      Then ath_rx_tasklet() calls ath9k_rx_skb_postprocess() and passes
      decrypt_error to it.
      So, after a decryption error, in ath9k_rx_skb_postprocess(), we can
      have a leftover value
      from another processed frame. In that case, the frame will not be marked with
      RX_FLAG_DECRYPTED even if it is decrypted correctly.
      When using CCMP encryption this issue can lead to connection stuck
      because of CCMP
      PN corruption and a waste of CPU time since mac80211 tries to decrypt an already
      deciphered frame with ieee80211_aes_ccm_decrypt.
      Fix the issue initializing decrypt_error flag at the begging of the
      ath_rx_tasklet() loop.
      Signed-off-by: NLorenzo Bianconi <lorenzo.bianconi83@gmail.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      e1352fde
  3. 11 8月, 2012 5 次提交
  4. 07 8月, 2012 12 次提交
    • P
      Bluetooth: add support for atheros 0489:e057 · 2096ae6c
      Peng Chen 提交于
          Add support for the AR3012 chip found on Fioxconn.
      
          usb-devices shows:
      
          T:  Bus=06 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 44 Spd=12   MxCh= 0
          D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
          P:  Vendor=0489 ProdID=e057 Rev= 0.02
          C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
          I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
          E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
          E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
          I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
          I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
          I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
          I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
          I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
          I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
          E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
          E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: NPeng Chen <pengchen@qca.qualcomm.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      2096ae6c
    • J
      iwlwifi: disable greenfield transmissions as a workaround · 50e2a30c
      Johannes Berg 提交于
      There's a bug that causes the rate scaling to get stuck
      when it has to use single-stream rates with a peer that
      can do GF and SGI; the two are incompatible so we can't
      use them together, but that causes the algorithm to not
      work at all, it always rejects updates.
      
      Disable greenfield for now to prevent that problem.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Tested-by: NCesar Eduardo Barros <cesarb@cesarb.net>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      50e2a30c
    • S
      rt61pci: fix NULL pointer dereference in config_lna_gain · deee0214
      Stanislaw Gruszka 提交于
      We can not pass NULL libconf->conf->channel to rt61pci_config() as it
      is dereferenced unconditionally in rt61pci_config_lna_gain() subroutine.
      
      Resolves:
      https://bugzilla.kernel.org/show_bug.cgi?id=44361
      
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: <dolohow@gmail.com>
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      deee0214
    • D
      cfg80211: process pending events when unregistering net device · 1f6fc43e
      Daniel Drake 提交于
      libertas currently calls cfg80211_disconnected() when it is being
      brought down. This causes an event to be allocated, but since the
      wdev is already removed from the rdev by the time that the event
      processing work executes, the event is never processed or freed.
      http://article.gmane.org/gmane.linux.kernel.wireless.general/95666
      
      Fix this leak, and other possible situations, by processing the event
      queue when a device is being unregistered. Thanks to Johannes Berg for
      the suggestion.
      Signed-off-by: NDaniel Drake <dsd@laptop.org>
      Cc: stable@vger.kernel.org
      Reviewed-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      1f6fc43e
    • J
      Bluetooth: Fix socket not getting freed if l2cap channel create fails · 49dfbb91
      Jaganath Kanakkassery 提交于
      If l2cap_chan_create() fails then it will return from l2cap_sock_kill
      since zapped flag of sk is reset.
      Signed-off-by: NJaganath Kanakkassery <jaganath.k@samsung.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      49dfbb91
    • A
      Bluetooth: smp: Fix possible NULL dereference · d08fd0e7
      Andrei Emeltchenko 提交于
      smp_chan_create might return NULL so we need to check before
      dereferencing smp.
      Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      d08fd0e7
    • R
      Bluetooth: Set name_state to unknown when entry name is empty · c3e7c0d9
      Ram Malovany 提交于
      When the name of the given entry is empty , the state needs to be
      updated accordingly.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NRam Malovany <ramm@ti.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      c3e7c0d9
    • R
      Bluetooth: Fix using a NULL inquiry cache entry · 7cc8380e
      Ram Malovany 提交于
      If the device was not found in a list of found devices names of which
      are pending.This may happen in a case when HCI Remote Name Request
      was sent as a part of incoming connection establishment procedure.
      Hence there is no need to continue resolving a next name as it will
      be done upon receiving another Remote Name Request Complete Event.
      This will fix a kernel crash when trying to use this entry to resolve
      the next name.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NRam Malovany <ramm@ti.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      7cc8380e
    • R
      Bluetooth: Fix using NULL inquiry entry · c810089c
      Ram Malovany 提交于
      If entry wasn't found in the hci_inquiry_cache_lookup_resolve do not
      resolve the name.This will fix a kernel crash when trying to use NULL
      pointer.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NRam Malovany <ramm@ti.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      c810089c
    • S
      Bluetooth: Fix legacy pairing with some devices · a9ea3ed9
      Szymon Janc 提交于
      Some devices e.g. some Android based phones don't do SDP search before
      pairing and cancel legacy pairing when ACL is disconnected.
      
      PIN Code Request event which changes ACL timeout to HCI_PAIRING_TIMEOUT
      is only received after remote user entered PIN.
      
      In that case no L2CAP is connected so default HCI_DISCONN_TIMEOUT
      (2 seconds) is being used to timeout ACL connection. This results in
      problems with legacy pairing as remote user has only few seconds to
      enter PIN before ACL is disconnected.
      
      Increase disconnect timeout for incomming connection to
      HCI_PAIRING_TIMEOUT if SSP is disabled and no linkey exists.
      
      To avoid keeping ACL alive for too long after SDP search set ACL
      timeout back to HCI_DISCONN_TIMEOUT when L2CAP is connected.
      
      2012-07-19 13:24:43.413521 < HCI Command: Create Connection (0x01|0x0005) plen 13
          bdaddr 00:02:72:D6:6A:3F ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
          Packet type: DM1 DM3 DM5 DH1 DH3 DH5
      2012-07-19 13:24:43.425224 > HCI Event: Command Status (0x0f) plen 4
          Create Connection (0x01|0x0005) status 0x00 ncmd 1
      2012-07-19 13:24:43.885222 > HCI Event: Role Change (0x12) plen 8
          status 0x00 bdaddr 00:02:72:D6:6A:3F role 0x01
          Role: Slave
      2012-07-19 13:24:44.054221 > HCI Event: Connect Complete (0x03) plen 11
          status 0x00 handle 42 bdaddr 00:02:72:D6:6A:3F type ACL encrypt 0x00
      2012-07-19 13:24:44.054313 < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
          handle 42
      2012-07-19 13:24:44.055176 > HCI Event: Page Scan Repetition Mode Change (0x20) plen 7
          bdaddr 00:02:72:D6:6A:3F mode 0
      2012-07-19 13:24:44.056217 > HCI Event: Max Slots Change (0x1b) plen 3
          handle 42 slots 5
      2012-07-19 13:24:44.059218 > HCI Event: Command Status (0x0f) plen 4
          Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 0
      2012-07-19 13:24:44.062192 > HCI Event: Command Status (0x0f) plen 4
          Unknown (0x00|0x0000) status 0x00 ncmd 1
      2012-07-19 13:24:44.067219 > HCI Event: Read Remote Supported Features (0x0b) plen 11
          status 0x00 handle 42
          Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
      2012-07-19 13:24:44.067248 < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
          handle 42 page 1
      2012-07-19 13:24:44.071217 > HCI Event: Command Status (0x0f) plen 4
          Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
      2012-07-19 13:24:44.076218 > HCI Event: Read Remote Extended Features (0x23) plen 13
          status 0x00 handle 42 page 1 max 1
          Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
      2012-07-19 13:24:44.076249 < HCI Command: Remote Name Request (0x01|0x0019) plen 10
          bdaddr 00:02:72:D6:6A:3F mode 2 clkoffset 0x0000
      2012-07-19 13:24:44.081218 > HCI Event: Command Status (0x0f) plen 4
          Remote Name Request (0x01|0x0019) status 0x00 ncmd 1
      2012-07-19 13:24:44.105214 > HCI Event: Remote Name Req Complete (0x07) plen 255
          status 0x00 bdaddr 00:02:72:D6:6A:3F name 'uw000951-0'
      2012-07-19 13:24:44.105284 < HCI Command: Authentication Requested (0x01|0x0011) plen 2
          handle 42
      2012-07-19 13:24:44.111207 > HCI Event: Command Status (0x0f) plen 4
          Authentication Requested (0x01|0x0011) status 0x00 ncmd 1
      2012-07-19 13:24:44.112220 > HCI Event: Link Key Request (0x17) plen 6
          bdaddr 00:02:72:D6:6A:3F
      2012-07-19 13:24:44.112249 < HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
          bdaddr 00:02:72:D6:6A:3F
      2012-07-19 13:24:44.115215 > HCI Event: Command Complete (0x0e) plen 10
          Link Key Request Negative Reply (0x01|0x000c) ncmd 1
          status 0x00 bdaddr 00:02:72:D6:6A:3F
      2012-07-19 13:24:44.116215 > HCI Event: PIN Code Request (0x16) plen 6
          bdaddr 00:02:72:D6:6A:3F
      2012-07-19 13:24:48.099184 > HCI Event: Auth Complete (0x06) plen 3
          status 0x13 handle 42
          Error: Remote User Terminated Connection
      2012-07-19 13:24:48.179182 > HCI Event: Disconn Complete (0x05) plen 4
          status 0x00 handle 42 reason 0x13
          Reason: Remote User Terminated Connection
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NSzymon Janc <szymon.janc@tieto.com>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      a9ea3ed9
    • G
      Bluetooth: Fix possible deadlock in SCO code · 269c4845
      Gustavo Padovan 提交于
      sco_chan_del() only has conn != NULL when called from sco_conn_del() so
      just move the code from it that deal with conn to sco_conn_del().
      
      [  120.765529]
      [  120.765529] ======================================================
      [  120.766529] [ INFO: possible circular locking dependency detected ]
      [  120.766529] 3.5.0-rc1-10292-g3701f944-dirty #70 Tainted: G        W
      [  120.766529] -------------------------------------------------------
      [  120.766529] kworker/u:3/1497 is trying to acquire lock:
      [  120.766529]  (&(&conn->lock)->rlock#2){+.+...}, at:
      [<ffffffffa00b7ecc>] sco_chan_del+0x4c/0x170 [bluetooth]
      [  120.766529]
      [  120.766529] but task is already holding lock:
      [  120.766529]  (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}, at:
      [<ffffffffa00b8401>] sco_conn_del+0x61/0xe0 [bluetooth]
      [  120.766529]
      [  120.766529] which lock already depends on the new lock.
      [  120.766529]
      [  120.766529]
      [  120.766529] the existing dependency chain (in reverse order) is:
      [  120.766529]
      [  120.766529] -> #1 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}:
      [  120.766529]        [<ffffffff8107980e>] lock_acquire+0x8e/0xb0
      [  120.766529]        [<ffffffff813c19e0>] _raw_spin_lock+0x40/0x80
      [  120.766529]        [<ffffffffa00b85e9>] sco_connect_cfm+0x79/0x300
      [bluetooth]
      [  120.766529]        [<ffffffffa0094b13>]
      hci_sync_conn_complete_evt.isra.90+0x343/0x400 [bluetooth]
      [  120.766529]        [<ffffffffa009d447>] hci_event_packet+0x317/0xfb0
      [bluetooth]
      [  120.766529]        [<ffffffffa008aa68>] hci_rx_work+0x2c8/0x890
      [bluetooth]
      [  120.766529]        [<ffffffff81047db7>] process_one_work+0x197/0x460
      [  120.766529]        [<ffffffff810489d6>] worker_thread+0x126/0x2d0
      [  120.766529]        [<ffffffff8104ee4d>] kthread+0x9d/0xb0
      [  120.766529]        [<ffffffff813c4294>] kernel_thread_helper+0x4/0x10
      [  120.766529]
      [  120.766529] -> #0 (&(&conn->lock)->rlock#2){+.+...}:
      [  120.766529]        [<ffffffff81078a8a>] __lock_acquire+0x154a/0x1d30
      [  120.766529]        [<ffffffff8107980e>] lock_acquire+0x8e/0xb0
      [  120.766529]        [<ffffffff813c19e0>] _raw_spin_lock+0x40/0x80
      [  120.766529]        [<ffffffffa00b7ecc>] sco_chan_del+0x4c/0x170
      [bluetooth]
      [  120.766529]        [<ffffffffa00b8414>] sco_conn_del+0x74/0xe0
      [bluetooth]
      [  120.766529]        [<ffffffffa00b88a2>] sco_disconn_cfm+0x32/0x60
      [bluetooth]
      [  120.766529]        [<ffffffffa0093a82>]
      hci_disconn_complete_evt.isra.53+0x242/0x390 [bluetooth]
      [  120.766529]        [<ffffffffa009d747>] hci_event_packet+0x617/0xfb0
      [bluetooth]
      [  120.766529]        [<ffffffffa008aa68>] hci_rx_work+0x2c8/0x890
      [bluetooth]
      [  120.766529]        [<ffffffff81047db7>] process_one_work+0x197/0x460
      [  120.766529]        [<ffffffff810489d6>] worker_thread+0x126/0x2d0
      [  120.766529]        [<ffffffff8104ee4d>] kthread+0x9d/0xb0
      [  120.766529]        [<ffffffff813c4294>] kernel_thread_helper+0x4/0x10
      [  120.766529]
      [  120.766529] other info that might help us debug this:
      [  120.766529]
      [  120.766529]  Possible unsafe locking scenario:
      [  120.766529]
      [  120.766529]        CPU0                    CPU1
      [  120.766529]        ----                    ----
      [  120.766529]   lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
      [  120.766529]
      lock(&(&conn->lock)->rlock#2);
      [  120.766529]
      lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
      [  120.766529]   lock(&(&conn->lock)->rlock#2);
      [  120.766529]
      [  120.766529]  *** DEADLOCK ***
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      269c4845
    • M
      Bluetooth: btusb: Add vendor specific ID (0a5c:21f4) BCM20702A0 · 61c964ba
      Manoj Iyer 提交于
      Patch adds support for BCM20702A0 device id (0a5c:21f4).
      
      usb-devices after patch was applied:
      T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
      D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=0a5c ProdID=21f4 Rev=01.12
      S: Manufacturer=Broadcom Corp
      S: Product=BCM20702A0
      S: SerialNumber=E4D53DF154D6
      C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      
      usb-devices before patch was applied:
      T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
      D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=0a5c ProdID=21f4 Rev=01.12
      S: Manufacturer=Broadcom Corp
      S: Product=BCM20702A0
      S: SerialNumber=E4D53DF154D6
      C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
      I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
      Signed-off-by: NManoj Iyer <manoj.iyer@canonical.com>
      Tested-by: NChris Gagnon <chris.gagnon@canonical.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      61c964ba
  5. 03 8月, 2012 8 次提交
  6. 02 8月, 2012 12 次提交
    • P
      cfg80211: Clear "beacon_found" on regulatory restore · 899852af
      Paul Stewart 提交于
      Restore the default state to the "beacon_found" flag when
      the channel flags are restored.  Otherwise, we can end up
      with a channel that we can no longer transmit on even when
      we can see beacons on that channel.
      Signed-off-by: NPaul Stewart <pstew@chromium.org>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      899852af
    • S
      cfg80211: add channel flag to prohibit OFDM operation · 03f6b084
      Seth Forshee 提交于
      Currently the only way for wireless drivers to tell whether or not OFDM
      is allowed on the current channel is to check the regulatory
      information. However, this requires hodling cfg80211_mutex, which is not
      visible to the drivers.
      
      Other regulatory restrictions are provided as flags in the channel
      definition, so let's do similarly with OFDM. This patch adds a new flag,
      IEEE80211_CHAN_NO_OFDM, to tell drivers that OFDM on a channel is not
      allowed. This flag is set on any channels for which regulatory indicates
      that OFDM is prohibited.
      Signed-off-by: NSeth Forshee <seth.forshee@canonical.com>
      Tested-by: NArend van Spriel <arend@broadcom.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      03f6b084
    • E
      ipv4: route.c cleanup · e33cdac0
      Eric Dumazet 提交于
      Remove unused includes after IP cache removal
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e33cdac0
    • J
      bnx2x: fix mem leak when command is unknown · 8b6d5c09
      Jesper Juhl 提交于
      In bnx2x_mcast_enqueue_cmd() we'll leak the memory allocated to
      'new_cmd' if we hit the deafault case of the 'switch (cmd)'.
      Add a 'kfree(new_cmd)' to that case to avoid the leak.
      Signed-off-by: NJesper Juhl <jj@chaosbits.net>
      Acked-by: NDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8b6d5c09
    • F
      Fix unexpected SA hard expiration after changing date · e3c0d047
      Fan Du 提交于
      After SA is setup, one timer is armed to detect soft/hard expiration,
      however the timer handler uses xtime to do the math. This makes hard
      expiration occurs first before soft expiration after setting new date
      with big interval. As a result new child SA is deleted before rekeying
      the new one.
      Signed-off-by: NFan Du <fdu@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e3c0d047
    • B
      tcp: Apply device TSO segment limit earlier · 1485348d
      Ben Hutchings 提交于
      Cache the device gso_max_segs in sock::sk_gso_max_segs and use it to
      limit the size of TSO skbs.  This avoids the need to fall back to
      software GSO for local TCP senders.
      Signed-off-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1485348d
    • B
      sfc: Fix maximum number of TSO segments and minimum TX queue size · 7e6d06f0
      Ben Hutchings 提交于
      Currently an skb requiring TSO may not fit within a minimum-size TX
      queue.  The TX queue selected for the skb may stall and trigger the TX
      watchdog repeatedly (since the problem skb will be retried after the
      TX reset).  This issue is designated as CVE-2012-3412.
      
      Set the maximum number of TSO segments for our devices to 100.  This
      should make no difference to behaviour unless the actual MSS is less
      than about 700.  Increase the minimum TX queue size accordingly to
      allow for 2 worst-case skbs, so that there will definitely be space
      to add an skb after we wake a queue.
      
      To avoid invalidating existing configurations, change
      efx_ethtool_set_ringparam() to fix up values that are too small rather
      than returning -EINVAL.
      Signed-off-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7e6d06f0
    • B
      net: Allow driver to limit number of GSO segments per skb · 30b678d8
      Ben Hutchings 提交于
      A peer (or local user) may cause TCP to use a nominal MSS of as little
      as 88 (actual MSS of 76 with timestamps).  Given that we have a
      sufficiently prodigious local sender and the peer ACKs quickly enough,
      it is nevertheless possible to grow the window for such a connection
      to the point that we will try to send just under 64K at once.  This
      results in a single skb that expands to 861 segments.
      
      In some drivers with TSO support, such an skb will require hundreds of
      DMA descriptors; a substantial fraction of a TX ring or even more than
      a full ring.  The TX queue selected for the skb may stall and trigger
      the TX watchdog repeatedly (since the problem skb will be retried
      after the TX reset).  This particularly affects sfc, for which the
      issue is designated as CVE-2012-3412.
      
      Therefore:
      1. Add the field net_device::gso_max_segs holding the device-specific
         limit.
      2. In netif_skb_features(), if the number of segments is too high then
         mask out GSO features to force fall back to software GSO.
      Signed-off-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      30b678d8
    • L
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 1a9b4993
      Linus Torvalds 提交于
      Pull MIPS updates from Ralf Baechle:
       "The lion share of this pull request are fixes for clk-related breakage
        caused by other changes during this merge window.  For some platforms
        the fix was as simple as selecting HAVE_CLK, for others like the
        Loongson 2 significant restructuring was required.
      
        The remainder are changes required to get the Lantiq code to work
        again."
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Loongson 2: Sort out clock managment.
        MIPS: Loongson 1: more clk support and add select HAVE_CLK
        MIPS: txx9: Fix redefinition of clk_* by adding select HAVE_CLK
        MIPS: BCM63xx: Fix redefinition of clk_* by adding select HAVE_CLK
        MIPS: AR7: Fix redefinition of clk_* by adding select HAVE_CLK
        MIPS: Lantiq: Platform specific CLK fixup
        MIPS: Lantiq: Add device_tree_init function
        MIPS: Lantiq: Fix interface clock and PCI control register offset
      1a9b4993
    • L
      Merge branch 'for-linus-3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml · 1871e845
      Linus Torvalds 提交于
      Pull UML fixes from Richard Weinberger:
       "This patch set contains mostly fixes and cleanups.  The UML tty driver
        uses now tty_port and is no longer broken like hell  :-)"
      
      * 'for-linus-3.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
        um: Add arch/x86/um to MAINTAINERS
        um: pass siginfo to guest process
        um: fix ubd_file_size for read-only files
        um: pull interrupt_end() into userspace()
        um: split syscall_trace(), pass pt_regs to it
        um: switch UPT_SET_RETURN_VALUE and regs_return_value to pt_regs
        um: set BLK_CGROUP=y in defconfig
        um: remove count_lock
        um: fully use tty_port
        um: Remove dead code
        um: remove line_ioctl()
        TTY: um/line, use tty from tty_port
        TTY: um/line, add tty_port
      1871e845
    • L
      Merge branch 'dmaengine' of git://git.linaro.org/people/rmk/linux-arm · a6dc7725
      Linus Torvalds 提交于
      Pull ARM DMA engine updates from Russell King:
       "This looks scary at first glance, but what it is is:
         - a rework of the sa11x0 DMA engine driver merged during the previous
           cycle, to extract a common set of helper functions for DMA engine
           implementations.
         - conversion of amba-pl08x.c to use these helper functions.
         - addition of OMAP DMA engine driver (using these helper functions),
           and conversion of some of the OMAP DMA users to use DMA engine.
      
        Nothing in the helper functions is ARM specific, so I hope that other
        implementations can consolidate some of their code by making use of
        these helpers.
      
        This has been sitting in linux-next most of the merge cycle, and has
        been tested by several OMAP folk.  I've tested it on sa11x0 platforms,
        and given it my best shot on my broken platforms which have the
        amba-pl08x controller.
      
        The last point is the addition to feature-removal-schedule.txt, which
        will have a merge conflict.  Between myself and TI, we're planning to
        remove the old TI DMA implementation next year."
      
      Fix up trivial add/add conflicts in Documentation/feature-removal-schedule.txt
      and drivers/dma/{Kconfig,Makefile}
      
      * 'dmaengine' of git://git.linaro.org/people/rmk/linux-arm: (53 commits)
        ARM: 7481/1: OMAP2+: omap2plus_defconfig: enable OMAP DMA engine
        ARM: 7464/1: mmc: omap_hsmmc: ensure probe returns error if DMA channel request fails
        Add feature removal of old OMAP private DMA implementation
        mtd: omap2: remove private DMA API implementation
        mtd: omap2: add DMA engine support
        spi: omap2-mcspi: remove private DMA API implementation
        spi: omap2-mcspi: add DMA engine support
        ARM: omap: remove mmc platform data dma_mask and initialization
        mmc: omap: remove private DMA API implementation
        mmc: omap: add DMA engine support
        mmc: omap_hsmmc: remove private DMA API implementation
        mmc: omap_hsmmc: add DMA engine support
        dmaengine: omap: add support for cyclic DMA
        dmaengine: omap: add support for setting fi
        dmaengine: omap: add support for returning residue in tx_state method
        dmaengine: add OMAP DMA engine driver
        dmaengine: sa11x0-dma: add cyclic DMA support
        dmaengine: sa11x0-dma: fix DMA residue support
        dmaengine: PL08x: ensure all descriptors are freed when channel is released
        dmaengine: PL08x: get rid of write only pool_ctr and free_txd locking
        ...
      a6dc7725
    • L
      Merge branch 'audit' of git://git.linaro.org/people/rmk/linux-arm · 02a6ec6a
      Linus Torvalds 提交于
      Pull ARM audit/signal updates from Russell King:
       "ARM audit/signal handling updates from Al and Will.  This improves on
        the work Viro did last merge window, and sorts out some of the issues
        found with that work."
      
      * 'audit' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: 7475/1: sys_trace: allow all syscall arguments to be updated via ptrace
        ARM: 7474/1: get rid of TIF_SYSCALL_RESTARTSYS
        ARM: 7473/1: deal with handlerless restarts without leaving the kernel
        ARM: 7472/1: pull all work_pending logics into C function
        ARM: 7471/1: Revert "7442/1: Revert "remove unused restart trampoline""
        ARM: 7470/1: Revert "7443/1: Revert "new way of handling ERESTART_RESTARTBLOCK""
      02a6ec6a