This patch fixes the issue caused by ef81bb40bf,
which is a backport of upstream 87c48fa3b4630905f98268dde838ee43626a060c. The
problem does not exist in upstream.
We do not check whether a route is attached before trying to assign the IP
identification through the route dest, which leads to a NULL pointer dereference.
This happens when the host bridge transmits a packet from a guest.
This patch changes ipv6_select_ident() to accept in6_addr as its parameter and
fixes the issue by using the destination address in the IPv6 header when no
route is attached.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Fix setting of ENCRYPTION_PENDING and Connection refcnt's that could
be out of sync due to remote slave issued security requests.
Change-Id: Ie72abd0648182db0ef60693820139f40ef2e4bf6
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Socket lookup for a fixed channel should be done based on both remote and
local device addresses.
Change-Id: I35f39bea8ade6fd5d8695640251efc54bf21beae
Signed-off-by: Inga Stotland <ingas@codeaurora.org>
If LE devices stop advertising or go out of range, we need
to apply a timeout because the baseband doesn't.
Change-Id: I115672e21fd8aef56ac688b2df4664bb74b725e4
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Because for now the xt_qtaguid module allows procs to use tags without
having /dev/xt_qtaguid open, there was a case where it would try
to delete a resource from a list that was proc specific.
But that resource was never added to that list, which is only
used when /dev/xt_qtaguid has been opened by the proc.
Once our userspace is fully updated, we won't need those exceptions.
Change-Id: Idd4bfea926627190c74645142916e10832eb2504
Signed-off-by: JP Abgrall <jpa@google.com>
Since rx_bytes accounting does not include Ethernet headers in
br_input.c, exclude ETH_HLEN on the transmit path for consistent
measurement of packet length on both the Tx and Rx chains.
The clean way would be for Rx to include the eth header, but the
skb len has already been adjusted by the time the br code sees the skb.
This is only a temporary workaround until we can completely ignore or
cleanly fix the skb->len handling.
Change-Id: I910de95a4686b2119da7f1f326e2154ef31f9972
Signed-off-by: Ashish Sharma <ashishsharma@google.com>
Store the link key persistently if one of the following is true:
1. this is a legacy link key
2. this is a changed combination key and there was a previously
stored one
3. neither local nor remote side had no-bonding as a requirement
4. the local side had dedicated bonding as a requirement
5. the remote side is using dedicated bonding since in that case
also the local requirements are set to dedicated bonding
If none of the above match only keep the link key around for
this connection and set the temporary flag for the device.
CRs-Fixed: 309161
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
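The five storage rules above, written out as a decision function. This is an added example, not code from the patch or from the kernel; the enum of authentication requirements and the context struct are a hypothetical abstraction of the HCI fields the real code inspects, reduced to the values the policy looks at.

```c
#include <stdbool.h>

/* Hypothetical abstraction of the HCI authentication requirements; the real
 * field carries more values, only the ones the policy looks at are modelled. */
enum auth_req {
    AUTH_NO_BONDING,
    AUTH_GENERAL_BONDING,
    AUTH_DEDICATED_BONDING,
};

struct link_key_ctx {
    bool legacy_key;          /* legacy (pre-SSP) link key type */
    bool changed_combination; /* a changed combination key */
    bool previously_stored;   /* a key for this device already existed */
    enum auth_req local_auth; /* what the local side required */
    enum auth_req remote_auth;/* what the remote side required */
};

/* Returns true when the link key should be stored persistently; false means
 * keep it only for this connection and flag the device as temporary. */
bool link_key_should_persist(const struct link_key_ctx *c)
{
    if (c->legacy_key)                                   /* rule 1 */
        return true;
    if (c->changed_combination && c->previously_stored)  /* rule 2 */
        return true;
    if (c->local_auth != AUTH_NO_BONDING &&
        c->remote_auth != AUTH_NO_BONDING)               /* rule 3 */
        return true;
    if (c->local_auth == AUTH_DEDICATED_BONDING)         /* rule 4 */
        return true;
    if (c->remote_auth == AUTH_DEDICATED_BONDING)        /* rule 5 */
        return true;
    return false;
}
```

Rule 5 follows from rule 3 in practice (dedicated bonding on the remote side forces the local requirements to dedicated bonding as well), but keeping it explicit makes the function robust when the local requirements are evaluated before that update happens.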
Timer that was started at beginning of LE Pairing did not correctly
terminate pairing process when it fired, and was not properly cleaned
up on pairing completion.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
During a move collision, both devices start out thinking they are the
initiator. The loser of the collision switches from the initiator role
to the responder role when receiving a move request from the remote
device. However, a move response will also be received by the loser
after the role switch has occurred.
The loser of the collision was incorrectly modifying the AMP move
state in the move response handler. This kept it from sending a move
channel response to the remote device, which stalled the channel move
process.
This change makes sure the AMP move state remains valid, so the
channel move succeeds.
CRs-fixed: 308382
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When sock_put() is called on an L2CAP socket, if the reference count
on a sock goes to 0, l2cap_sock_release() is called. As part of the
release, l2cap_sock_shutdown() locks the socket. This is not allowable
in interrupt context. This change makes calls to sock_put() on the
system workqueue, where it can safely lock.
This addresses "scheduling while atomic" issues in both the Bluetooth
mgmt_ops pairing code and when RFCOMM sessions are deleted in a
security_cfm callback.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When the remote device does not have a link key, the DUT will try to
reinitiate the authentication process. We should remove the link key before
reinitiating the authentication process. This was fixed in hciops in
BlueZ user space. Adding this change for mgmtops to handle this
case in kernel space.
CRs-fixed: 307063
Signed-off-by: Prabhakaran Mc <prabhakaranmc@codeaurora.org>
An incoming AMP "create channel" connection would trigger an info
request and an AMP physical accept sequence at the same time. Since
accepting an AMP physical link is a local operation, it would complete
quickly and send a config request before the info response was
received.
If there is an outstanding info request, the AMP physical link should
not be accepted yet. Existing logic in l2cap_conn_start() will accept
the physical link when the info response is received.
CRs-fixed: 307243
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
If hci_dev_open() returns no error or EALREADY, allow the power on
sequence to proceed.
Signed-off-by: Inga Stotland <ingas@codeaurora.org>
Conflicts:
net/bluetooth/hci_core.c
When a remote device is connected outside the control of BlueZ, it
needs to be informed of whether the new connection is LE or BR/EDR.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
There was a crashing issue when pairing was performed on LE connections
that were already up, due to a NULL function pointer being followed.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
When LE was added, the refcnts for the hci_conns used were not balanced,
and some of this bled over between LE pairing and legacy pairing.
CRs-fixed: 305391
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Enabled ECB Block encoding for Low Energy pairing
Implemented missing components of MGMTOPS interface
Differentiated as needed between BR/EDR pairing and LE pairing
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Conflicts:
net/bluetooth/mgmt.c
Redundant calls to hci_setup_event_mask() prematurely exited the Init state
when the first call was erroneously detected as the last cmd sent.
CRs-fixed: 302804
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Handle the -EALREADY error from hci_dev_open in hci_sock as an indication that
the HCI device is already open. This was causing a reset-inducing timeout.
Also removed an unused/useless check of failure in the power-up code.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
RFCOMM frame size changes to accommodate the credits in the data packet.
The earlier implementation was not considering the 1 byte required for
credits information in the data packet and hence was considering the
RFCOMM header plus FCS as 5 bytes.
Because of this, if the remote device sends a data packet with the
negotiated frame size and credits information, the packet size exceeds the
L2CAP MTU and will be discarded by L2CAP.
CRs-fixed: 303518
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
The SAP profile requires a PIN length of 16 for authentication with BT 1.2/2.0
devices as per the specification. These changes were present for the hciops
plugin; the current changes are for the Management operations plugin.
Signed-off-by: Prabhakaran Mc <prabhakaranmc@codeaurora.org>
commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream.
Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).
This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
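The check the patch above adds, shown in isolation. This is an added example and not the nl80211 code itself: the attribute struct is a stand-in for a netlink attribute payload, and MAX_NR_AKM_SUITES is a local constant assumed to be 2 (the kernel's NL80211_MAX_NR_AKM_SUITES). The point is that both the alignment of the payload and the element count are validated before a single byte is copied into the fixed-size stack array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local stand-in for the kernel's NL80211_MAX_NR_AKM_SUITES (assumed 2 here). */
#define MAX_NR_AKM_SUITES 2

/* A netlink attribute payload as handed over from user space: raw bytes
 * plus their length; nothing else about it is trusted. */
struct nl_attr_payload {
    const uint8_t *data;
    size_t len;
};

/* Copy the AKM suite selectors out of the attribute into a caller-supplied
 * array of at most max_suites entries. The payload must be a whole number
 * of u32 selectors and must fit; both are checked before anything is
 * written. Returns the number of suites or -EINVAL. */
int parse_akm_suites(const struct nl_attr_payload *attr,
                     uint32_t *out, size_t max_suites)
{
    size_t n_suites;

    if (attr->len % sizeof(uint32_t) != 0)
        return -EINVAL;                  /* truncated selector */

    n_suites = attr->len / sizeof(uint32_t);
    if (n_suites > max_suites)
        return -EINVAL;                  /* would overflow the stack array */

    memcpy(out, attr->data, attr->len);  /* safe: len <= max_suites * 4 */
    return (int)n_suites;
}

/* Mirrors a caller that keeps the suites in a fixed-size stack array,
 * the situation the original bug overflowed. */
int check_akm_payload(const uint8_t *data, size_t len)
{
    uint32_t suites[MAX_NR_AKM_SUITES];
    struct nl_attr_payload attr = { data, len };

    return parse_akm_suites(&attr, suites, MAX_NR_AKM_SUITES);
}

/* Constructed sample payloads; the selector bytes are arbitrary. */
const uint8_t akm_two_suites[8]    = { 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f, 0xac, 0x02 };
const uint8_t akm_three_suites[12] = { 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f, 0xac, 0x02,
                                       0x00, 0x0f, 0xac, 0x03 };
const uint8_t akm_truncated[6]     = { 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f };
```

Note that the length check belongs in the parser and not in the caller: a caller with a larger array passes a larger max_suites, and the attribute length is still compared against what the destination can hold. GENL_ADMIN_PERM limits who can reach the path, but a bounds check that depends on the caller being trusted is still a bounds check missing.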
commit 2d20a26a92f72e3bb658fe8ce99c3663756e9e7a upstream.
The checks for HCI_INQUIRY and HCI_MGMT were in the wrong order,
so that second scans always failed.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ]
br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb
head can be reallocated.
Cache the icmp6_type field instead of dereferencing the struct icmp6hdr
pointer twice.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ]
Checksum of ICMPv6 is not properly computed because the pseudo header is not used.
Thus, the MLD packet gets dropped by the bridge.
Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Reported-by: Ang Way Chuang <wcang@sfc.wide.ad.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
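What "the pseudo header is not used" means in practice, as an added example that is not the bridge code: an ICMPv6 checksum computed over the message alone verifies against nothing a receiver will compute, because the receiver (here the bridge's multicast snooping) always folds in the IPv6 pseudo-header of source, destination, upper-layer length and next header. The MLDv2 Report below is constructed for the example, with fe80::1 reporting to ff02::16.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NEXTHDR_ICMPV6 58

/* One's-complement accumulation over a byte buffer, 16-bit big-endian words. */
static uint32_t csum_partial(uint32_t sum, const uint8_t *p, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return sum;
}

/* Fold the carries and complement, yielding the value that goes on the wire. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum of the IPv6 pseudo-header: source, destination, upper-layer length,
 * three zero bytes, next header (RFC 2460 section 8.1). */
static uint32_t csum_ipv6_pseudo(const uint8_t src[16], const uint8_t dst[16],
                                 uint32_t ulen, uint8_t nexthdr)
{
    uint8_t tail[8] = { 0 };
    uint32_t sum = 0;

    tail[0] = ulen >> 24; tail[1] = ulen >> 16; tail[2] = ulen >> 8; tail[3] = ulen;
    tail[7] = nexthdr;
    sum = csum_partial(sum, src, 16);
    sum = csum_partial(sum, dst, 16);
    return csum_partial(sum, tail, 8);
}

/* Correct ICMPv6 checksum: pseudo-header plus message (checksum field zeroed). */
uint16_t icmpv6_checksum(const uint8_t src[16], const uint8_t dst[16],
                         const uint8_t *msg, size_t len)
{
    uint32_t sum = csum_ipv6_pseudo(src, dst, (uint32_t)len, NEXTHDR_ICMPV6);
    return csum_fold(csum_partial(sum, msg, len));
}

/* The mistake the patch fixes: a checksum over the message bytes only. */
uint16_t icmpv6_checksum_no_pseudo(const uint8_t *msg, size_t len)
{
    return csum_fold(csum_partial(0, msg, len));
}

/* Receiver-side check: summing everything including the stored checksum
 * must give all ones, which folds to zero. */
bool icmpv6_verify(const uint8_t src[16], const uint8_t dst[16],
                   const uint8_t *msg, size_t len)
{
    uint32_t sum = csum_ipv6_pseudo(src, dst, (uint32_t)len, NEXTHDR_ICMPV6);
    return csum_fold(csum_partial(sum, msg, len)) == 0;
}

/* Constructed sample: fe80::1 sends an MLDv2 Report (type 143) to ff02::16
 * carrying one CHANGE_TO_EXCLUDE record for ff02::1:ff00:1. */
static const uint8_t mld_src[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 };
static const uint8_t mld_dst[16] = { 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x16 };
#define MLD_REPORT_LEN 28

static size_t build_sample_mld_report(uint8_t *buf)
{
    static const uint8_t group[16] = { 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0xff, 0, 0, 0x01 };
    memset(buf, 0, MLD_REPORT_LEN);
    buf[0] = 143;            /* MLDv2 Multicast Listener Report */
    buf[7] = 1;              /* number of multicast address records */
    buf[8] = 4;              /* record type CHANGE_TO_EXCLUDE, aux len 0, no sources */
    memcpy(buf + 12, group, 16);
    return MLD_REPORT_LEN;
}

/* Fill the checksum field with one of the two variants and report whether
 * the receiver's pseudo-header based verification accepts the packet. */
bool sample_passes(bool with_pseudo)
{
    uint8_t pkt[MLD_REPORT_LEN];
    size_t len = build_sample_mld_report(pkt);
    uint16_t c = with_pseudo ? icmpv6_checksum(mld_src, mld_dst, pkt, len)
                             : icmpv6_checksum_no_pseudo(pkt, len);
    pkt[2] = c >> 8;
    pkt[3] = c & 0xff;
    return icmpv6_verify(mld_src, mld_dst, pkt, len);
}
```

sample_passes(true) is accepted and sample_passes(false) is rejected, which is exactly the drop the report describes. The two only coincide when the pseudo-header words happen to sum to zero modulo 0xffff, which never holds for a real source and destination pair.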
[ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ]
When asynchronous crypto algorithms are used, there might be many
packets that passed the xfrm replay check, but the replay advance
function is not called yet for these packets. So the replay check
function would accept a replay of all of these packets. Also the
system might crash if there are more packets in async processing
than the size of the anti replay window, because the replay advance
function would try to update the replay window beyond the bounds.
This patch adds a second replay check after resuming from the async
processing to fix these issues.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
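The check/advance split and the gap the patch closes, as an added example rather than the xfrm code: a toy 32-bit anti-replay window with a read-only check (run on the inbound path before crypto) and an advance (run only after verification). A burst of identical packets all pass the initial check while the first is still in flight; only a second check on resume, immediately before advancing, rejects the copies. The window state, the sequence numbers and the in-flight buffer are constructed for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 32   /* bits; one word is enough to show the issue */

struct replay_state {
    uint32_t seq_hi;   /* highest sequence number accepted so far */
    uint32_t bitmap;   /* bit i set: seq_hi - i has been accepted */
};

/* Read-only check against the window; this is what the inbound path runs
 * before the packet is handed to (possibly asynchronous) crypto. */
bool replay_check(const struct replay_state *st, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return false;                        /* ESP never uses seq 0 */
    if (seq > st->seq_hi)
        return true;                         /* to the right of the window */
    diff = st->seq_hi - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                        /* too old */
    return !(st->bitmap & (1u << diff));     /* already seen? */
}

/* Record seq as accepted, sliding the window when it moves right. This runs
 * only after decryption and integrity verification have succeeded. */
void replay_advance(struct replay_state *st, uint32_t seq)
{
    if (seq > st->seq_hi) {
        uint32_t diff = seq - st->seq_hi;
        st->bitmap = diff < REPLAY_WINDOW ? (st->bitmap << diff) | 1u : 1u;
        st->seq_hi = seq;
    } else {
        uint32_t diff = st->seq_hi - seq;
        if (diff < REPLAY_WINDOW)
            st->bitmap |= 1u << diff;
    }
}

#define MAX_INFLIGHT 64

/* Simulate `copies` identical packets (seq 11) arriving while the crypto
 * for the first one is still in flight. With only the initial check all of
 * them are accepted; with the second check on resume only the first is. */
static int run_async_burst(int copies, bool recheck_on_resume)
{
    struct replay_state st = { 10, 1u };     /* seq 10 already seen */
    bool in_flight[MAX_INFLIGHT];
    int accepted = 0, i;

    if (copies > MAX_INFLIGHT)
        copies = MAX_INFLIGHT;

    /* inbound path: synchronous replay_check, then hand off to async crypto */
    for (i = 0; i < copies; i++)
        in_flight[i] = replay_check(&st, 11);

    /* crypto completions: each packet resumes and, if enabled, rechecks */
    for (i = 0; i < copies; i++) {
        if (!in_flight[i])
            continue;
        if (recheck_on_resume && !replay_check(&st, 11))
            continue;                        /* a sibling already advanced */
        replay_advance(&st, 11);
        accepted++;
    }
    return accepted;
}

int accepted_without_recheck(int copies) { return run_async_burst(copies, false); }
int accepted_with_recheck(int copies)    { return run_async_burst(copies, true); }
```

This toy window clamps diff in replay_advance, so it does not reproduce the out-of-bounds update the message mentions; what it does show is why the recheck has to sit after resume and before advance, on the same state the advance will modify.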
[ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ]
It's after all necessary to reset headers here. The reason is we
cannot depend on them getting reset in __netif_receive_skb once the skb is
reinjected. For incoming vlanids without a vlan_dev, vlan_do_receive()
returns false with skb != NULL and __netif_receive_skb continues; the skb is
not reinjected.
This might be good material for 3.0-stable as well
Reported-by: Mike Auty <mike.auty@gmail.com>
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ]
Using gcc 4.4.3, warnings are emitted for a possibly uninitialized use
of ecn_ok.
This can happen if cookie_check_timestamp() returns due to not having
seen a timestamp. Defaulting to ECN off seems like a reasonable thing
to do in this case, so initialize ecn_ok to false.
Signed-off-by: Mike Waychison <mikew@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>