summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-09-25NFC: pn533: Add support for incoming fragmented frame in target modeOlivier Guiter
This code processes, for Target Mode, incoming fragmented frames. If the MI bit is present, we start a working queue to grab and aggregate all the parts (using TmGetData between each parts). On the last one, as there's no more MI bit, we jump on the usual behavior. Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: pn533: Add MI/TG bits only when in Initiator modeOlivier Guiter
The fragmentation routine (used to split big frames) could be used in target or initiator mode (TgSetMetaData vs InDataExchange), but the MI/TG bytes are not needed in target mode (TgSetMetaData), so we add a check on the mode Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: NCI: Modify NCI SPI to implement CS/INT handshake per the specEric Lapuyade
The NFC Forum NCI specification defines both a hardware and software protocol when using a SPI physical transport to connect an NFC NCI Chipset. The hardware requirement is that, after having raised the chip select line, the SPI driver must wait for an INT line from the NFC chipset to raise before it sends the data. The chip select must be raised first though, because this is the signal that the NFC chipset will detect to wake up and then raise its INT line. If the INT line doesn't raise in a timely fashion, the SPI driver should abort operation. When data is transferred from Device host (DH) to NFC Controller (NFCC), the signaling sequence is the following: Data Transfer from DH to NFCC • 1-Master asserts SPI_CSN • 2-Slave asserts SPI_INT • 3-Master sends NCI-over-SPI protocol header and payload data • 4-Slave deasserts SPI_INT • 5-Master deasserts SPI_CSN When data must be transferred from NFCC to DH, things are a little bit different. Data Transfer from NFCC to DH • 1-Slave asserts SPI_INT -> NFC chipset irq handler called -> process reading from SPI • 2-Master asserts SPI_CSN • 3-Master send 2-octet NCI-over-SPI protocol header • 4-Slave sends 2-octet NCI-over-SPI protocol payload length • 5-Slave sends NCI-over-SPI protocol payload • 6-Master deasserts SPI_CSN In this case, SPI driver should function normally as it does today. Note that the INT line can and will be lowered anytime between beginning of step 3 and end of step 5. A low INT is therefore valid after chip select has been raised. This would be easily implemented in a single driver. Unfortunately, we don't write the SPI driver and I had to imagine some workaround trick to get the SPI and NFC drivers to work in a synchronized fashion. The trick is the following: - send an empty spi message: this will raise the chip select line, and send nothing. We expect the /CS line will stay arisen because we asked for it in the spi_transfer cs_change field - wait for a completion, that will be completed by the NFC driver IRQ handler when it knows we are in the process of sending data (NFC spec says that we use SPI in a half duplex mode, so we are either sending or receiving). - when completed, proceed with the normal data send. This has been tested and verified to work very consistently on a Nexus 10 (spi-s3c64xx driver). It may not work the same with other spi drivers. The previously defined nci_spi_ops{} whose intended purpose were to address this problem are not used anymore and therefore totally removed. The nci_spi_send() takes a new optional write_handshake_completion completion pointer. If non NULL, the nci spi layer will run the above trick when sending data to the NFC Chip. If NULL, the data is sent normally all at once and it is then the NFC driver responsibility to know what it's doing. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: NCI: nci_spi_recv_frame() now returns (not forward) the read frameEric Lapuyade
Previously, nci_spi_recv_frame() would directly transmit incoming frames to the NCI Core. However, it turns out that some NFC NCI Chips will add additional proprietary headers that must be handled/removed before NCI Core gets a chance to handle the frame. With this modification, the chip phy or driver are now responsible to transmit incoming frames to NCI Core after proper treatment, and NCI SPI becomes a driver helper instead of sitting between the NFC driver and NCI Core. As a general rule in NFC, *_recv_frame() APIs are used to deliver an incoming frame to an upper layer. To better suit the actual purpose of nci_spi_recv_frame(), and go along with its nci_spi_send() counterpart, the function is renamed to nci_spi_read() The skb is returned as the function result Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: NCI: zero struct spi_transfer variables before usageEric Lapuyade
Using ARM compiler, and without zero-ing spi_transfer, spi-s3c64xx driver would issue abnormal errors due to bpw field value being set to unexpected value. This structure MUST be set to all zeros except for those field specifically used. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: netlink: SE API implementationSamuel Ortiz
Implementation of the NFC_CMD_SE_IO command for sending ISO7816 APDUs to NFC embedded secure elements. The reply is forwarded to user space through NFC_CMD_SE_IO as well. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: Define secure element IO API and commandsSamuel Ortiz
In order to send and receive ISO7816 APDUs to and from NFC embedded secure elements, we define a specific netlink command. On a typical SE use case, host applications will send very few APDUs (Less than 10) per transaction. This is why we decided to go for a simple netlink API. Defining another NFC socket protocol for such low traffic would have been overengineered. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: Document NFC targets sens_res fieldSamuel Ortiz
SENS_RES has no specific endiannes attached to it, the kernel ABI is the following one: Byte 2 (As described by the NFC Forum Digital spec) is the u16 most significant byte. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: digital: Fix sens_res endiannes handlingThierry Escande
This was triggered by the following sparse warning: net/nfc/digital_technology.c:272:20: sparse: cast to restricted __be16 The SENS_RES response must be treated as __le16 with the first byte received as LSB and the second one as MSB. This is the way neard handles it in the sens_res field of the nfc_target structure which is treated as u16 in cpu endianness. So le16_to_cpu() is used on the received SENS_RES instead of memcpy'ing it. SENS_RES test macros have also been fixed accordingly. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: rawsock: Fix a memory leakThierry Escande
In the rawsock data exchange callback, the sk_buff is not freed on error. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: pn533: Staticize local symbolsSachin Kamat
Local symbols used only in this file are made static. Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: nfcwilink: Remove redundant dev_set_drvdataSachin Kamat
Driver core sets driver data to NULL upon failure or remove. Cc: Ilan Elias <ilane@ti.com> Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: digital: digital_tg_send_sensf_res() can be staticFengguang Wu
Fixes sparse hint: net/nfc/digital_technology.c:640:5: sparse: symbol 'digital_tg_send_sensf_res' was not declared. Should it be static? Cc: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: digital: Add newline to pr_* callsSamuel Ortiz
We do not add the newline to the pr_fmt macro, in order to give more flexibility to the caller and to keep the logging style consistent with the rest of the NFC and kernel code. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: digital: Remove PR_ERR and PR_DBG macrosSamuel Ortiz
They can be replaced by the standard pr_err and pr_debug one after defining the right pr_fmt macro. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC: NCI: Store the spi device pointer from the spi instanceEric Lapuyade
Storing the spi device was forgotten in the original implementation, which would pretty obviously cause some kind of serious crash when actually trying to send something through that device. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC Digital: Add target NFC-DEP supportThierry Escande
This adds support for NFC-DEP target mode for NFC-A and NFC-F technologies. If the driver provides it, the stack uses an automatic mode for technology detection and automatic anti-collision. Otherwise the stack tries to use non-automatic synchronization and listens for SENS_REQ and SENSF_REQ commands. The detection, activation, and data exchange procedures work exactly the same way as in initiator mode, as described in the previous commits, except that the digital stack waits for commands and sends responses back to the peer device. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC Digital: Add initiator NFC-DEP supportThierry Escande
This adds support for NFC-DEP protocol in initiator mode for NFC-A and NFC-F technologies. When a target is detected, the process flow is as follow: For NFC-A technology: 1 - The digital stack receives a SEL_RES as the reply of the SEL_REQ command. 2 - If b7 of SEL_RES is set, the peer device is configure for NFC-DEP protocol. NFC core is notified through nfc_targets_found(). Execution continues at step 4. 3 - Otherwise, it's a tag and the NFC core is notified. Detection ends. 4 - The digital stacks sends an ATR_REQ command containing a randomly generated NFCID3 and the general bytes obtained from the LLCP layer of NFC core. For NFC-F technology: 1 - The digital stack receives a SENSF_RES as the reply of the SENSF_REQ command. 2 - If B1 and B2 of NFCID2 are 0x01 and 0xFE respectively, the peer device is configured for NFC-DEP protocol. NFC core is notified through nfc_targets_found(). Execution continues at step 4. 3 - Otherwise it's a type 3 tag. NFC core is notified. Detection ends. 4 - The digital stacks sends an ATR_REQ command containing the NFC-F NFCID2 as NFCID3 and the general bytes obtained from the LLCP layer of NFC core. For both technologies: 5 - The digital stacks receives the ATR_RES response containing the NFCID3 and the general bytes of the peer device. 6 - The digital stack notifies NFC core that the DEP link is up through nfc_dep_link_up(). 7 - The NFC core performs data exchange through tm_transceive(). 8 - The digital stack sends a DEP_REQ command containing an I PDU with the data from NFC core. 9 - The digital stack receives a DEP_RES command 10 - If the DEP_RES response contains a supervisor PDU with timeout extension request (RTOX) the digital stack sends a DEP_REQ command containing a supervisor PDU acknowledging the RTOX request. The execution continues at step 9. 11 - If the DEP_RES response contains an I PDU, the response data is passed back to NFC core through the response callback. The execution continues at step 8. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC Digital: Add NFC-F technology supportThierry Escande
This adds polling support for NFC-F technology at 212 kbits/s and 424 kbits/s. A user space application like neard can send type 3 tag commands through the NFC core. Process flow for NFC-F detection is as follow: 1 - The digital stack sends the SENSF_REQ command to the NFC device. 2 - A peer device replies with a SENSF_RES response. 3 - The digital stack notifies the NFC core of the presence of a target in the operation field and passes the target NFCID2. This also adds support for CRC calculation of type CRC-F. The CRC calculation is handled by the digital stack if the NFC device doesn't support it. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC Digital: Add NFC-A technology supportThierry Escande
This adds support for NFC-A technology at 106 kbits/s. The stack can detect tags of type 1 and 2. There is no support for collision detection. Tags can be read and written by using a user space application or a daemon like neard. The flow of polling operations for NFC-A detection is as follow: 1 - The digital stack sends the SENS_REQ command to the NFC device. 2 - The NFC device receives a SENS_RES response from a peer device and passes it to the digital stack. 3 - If the SENS_RES response identifies a type 1 tag, detection ends. NFC core is notified through nfc_targets_found(). 4 - Otherwise, the digital stack sets the cascade level of NFCID1 to CL1 and sends the SDD_REQ command. 5 - The digital stack selects SEL_CMD and SEL_PAR according to the cascade level and sends the SDD_REQ command. 4 - The digital stack receives a SDD_RES response for the cascade level passed in the SDD_REQ command. 5 - The digital stack analyses (part of) NFCID1 and verify BCC. 6 - The digital stack sends the SEL_REQ command with the NFCID1 received in the SDD_RES. 6 - The peer device replies with a SEL_RES response 7 - Detection ends if NFCID1 is complete. NFC core notified of new target by nfc_targets_found(). 8 - If NFCID1 is not complete, the cascade level is incremented (up to and including CL3) and the execution continues at step 5 to get the remaining bytes of NFCID1. Once target detection is done, type 1 and 2 tag commands must be handled by a user space application (i.e neard) through the NFC core. Responses for type 1 tag are returned directly to user space via NFC core. Responses of type 2 commands are handled differently. The digital stack doesn't analyse the type of commands sent through im_transceive() and must differentiate valid responses from error ones. The response process flow is as follow: 1 - If the response length is 16 bytes, it is a valid response of a READ command. the packet is returned to the NFC core through the callback passed to im_transceive(). Processing stops. 2 - If the response is 1 byte long and is a ACK byte (0x0A), it is a valid response of a WRITE command for example. First packet byte is set to 0 for no-error and passed back to the NFC core. Processing stops. 3 - Any other response is treated as an error and -EIO error code is returned to the NFC core through the response callback. Moreover, since the driver can't differentiate success response from a NACK response, the digital stack has to handle CRC calculation. Thus, this patch also adds support for CRC calculation. If the driver doesn't handle it, the digital stack will calculate CRC and will add it to sent frames. CRC will also be checked and removed from received frames. Pointers to the correct CRC calculation functions are stored in the digital stack device structure when a target is detected. This avoids the need to check the current target type for every call to im_transceive() and for every response received from a peer device. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-25NFC Digital: Implement driver commands mechanismThierry Escande
This implements the mechanism used to send commands to the driver in initiator mode through in_send_cmd(). Commands are serialized and sent to the driver by using a work item on the system workqueue. Responses are handled asynchronously by another work item. Once the digital stack receives the response through the command_complete callback, the next command is sent to the driver. This also implements the polling mechanism. It's handled by a work item cycling on all supported protocols. The start poll command for a given protocol is sent to the driver using the mechanism described above. The process continues until a peer is discovered or stop_poll is called. This patch implements the poll function for NFC-A that sends a SENS_REQ command and waits for the SENS_RES response. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Digital Protocol stack implementationThierry Escande
This is the initial commit of the NFC Digital Protocol stack implementation. It offers an interface for devices that don't have an embedded NFC Digital protocol stack. The driver instantiates the digital stack by calling nfc_digital_allocate_device(). Within the nfc_digital_ops structure, the driver specifies a set of function pointers for driver operations. These functions must be implemented by the driver and are: in_configure_hw: Hardware configuration for RF technology and communication framing in initiator mode. This is a synchronous function. in_send_cmd: Initiator mode data exchange using RF technology and framing previously set with in_configure_hw. The peer response is returned through callback cb. If an io error occurs or the peer didn't reply within the specified timeout (ms), the error code is passed back through the resp pointer. This is an asynchronous function. tg_configure_hw: Hardware configuration for RF technology and communication framing in target mode. This is a synchronous function. tg_send_cmd: Target mode data exchange using RF technology and framing previously set with tg_configure_hw. The peer next command is returned through callback cb. If an io error occurs or the peer didn't reply within the specified timeout (ms), the error code is passed back through the resp pointer. This is an asynchronous function. tg_listen: Put the device in listen mode waiting for data from the peer device. This is an asynchronous function. tg_listen_mdaa: If supported, put the device in automatic listen mode with mode detection and automatic anti-collision. In this mode, the device automatically detects the RF technology and executes the anti-collision detection using the command responses specified in mdaa_params. The mdaa_params structure contains SENS_RES, NFCID1, and SEL_RES for 106A RF tech. NFCID2 and system code (sc) for 212F and 424F. The driver returns the NFC-DEP ATR_REQ command through cb. The digital stack deducts the RF tech by analyzing the SoD of the frame containing the ATR_REQ command. This is an asynchronous function. switch_rf: Turns device radio on or off. The stack does not call explicitly switch_rf to turn the radio on. A call to in|tg_configure_hw must turn the device radio on. abort_cmd: Discard the last sent command. Then the driver registers itself against the digital stack by using nfc_digital_register_device() which in turn registers the digital stack against the NFC core layer. The digital stack implements common NFC operations like dev_up(), dev_down(), start_poll(), stop_poll(), etc. This patch is only a skeleton and NFC operations are just stubs. Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: pn533: Start listen timer from start_pollSamuel Ortiz
If we start the polling loop from a listening cycle, we need to start the corresponding timer as well. This bug showed up after commit dfccd0f5 as it was impossible to start from a listening cycle before it. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: pn533: Send ATR_REQ directly for active device detectionSamuel Ortiz
In order to improve active devices detection, we send an ATR_REQ between each passive detection cycle. Without this algorithm, Android 4.3 based devices running the Broadcom stack are hardly detected. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Set active target upon DEP up event receptionSamuel Ortiz
As we can potentially get DEP up events without having sent a netlink command, we need to set the active target properly from dep_link_is_up. Spontaneous DEP up events can come from devices that detected an active p2p target. In that case there is no need to call the netlink DEP up command as the link is already up and running. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: NCI: Simplify NCI SPI to become a simple framing/checking layerEric Lapuyade
NCI SPI layer should not manage the nci dev, this is the job of the nci chipset driver. This layer should be limited to frame/deframe nci packets, and optionnaly check integrity (crc) and manage the ack/nak protocol. The NCI SPI must not be mixed up with an NCI dev. spi_[dev|device] are therefore renamed to a simple spi for more clarity. The header and crc sizes are moved to nci.h so that drivers can use them to reserve space in outgoing skbs. nci_spi_send() is exported to be accessible by drivers. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Move struct nfc_phy_ops out of HCI up to nfc core levelEric Lapuyade
struct nfc_phy_ops is not an HCI structure only, it can also be used by NCI or direct NFC Core drivers. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: NCI: Rename spi ndev -> nsdev and nci_dev -> ndev for consistencyEric Lapuyade
An hci dev is an hdev. An nci dev is an ndev. Calling an nci spi dev an ndev is misleading since it's not the same thing. The nci dev contained in the nci spi dev is also named inconsistently. Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: NCI: Fix wrong allocation size in nci_spi_allocate_device()Eric Lapuyade
Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Standardize logging styleJoe Perches
Use standardized styles to minimize coding defects. Always use nfc_<level> where feasible. Add \n to formats where appropriate. Typo "it it" correction. Add #define pr_fmt where appropriate. Remove function tracing logging messages. Remove OOM messages. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Convert nfc_dev_info and nfc_dev_err to nfc_<level>Joe Perches
Use a more standard kernel style macro logging name. Standardize the spacing of the "NFC: " prefix. Add \n to uses, remove from macro. Fix the defective uses that already had a \n. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Replace nfc_dev_dbg with dev_dbgJoe Perches
Use the generic kernel function instead of a home-grown one that does the same thing. Add \n to uses not at the macro. Don't add \n where the nfc_dev_dbg macro mistakenly had them already. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: pn544: Add SE enable/disable operationArron Wang
To enable the UICC secure element, we first enable the UICC gate list in order for the SE to be able to use all RF technologies. For the embedded SE, we just turn the eSE default mode to ON. Signed-off-by: Arron Wang <arron.wang@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: Export nfc_find_se()Arron Wang
This will be needed by all NFC driver implementing the SE ops. Signed-off-by: Arron Wang <arron.wang@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-24NFC: pn544: Add SE discover operationArron Wang
For the SWP secure element, we send the proprietary SELF_TEST_SWP command and check the response. For the WI secure element, we simply try to switch to the default embedded SE mode. If that works, it means we have an embedded SE. Signed-off-by: Arron Wang <arron.wang@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2013-09-19Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds
Pull networking fixes from David Miller: 1) If the local_df boolean is set on an SKB we have to allocate a unique ID even if IP_DF is set in the ipv4 headers, from Ansis Atteka. 2) Some fixups for the new chipset support that went into the sfc driver, from Ben Hutchings. 3) Because SCTP bypasses a good chunk of, and actually duplicates, the logic of the ipv6 output path, some IPSEC things don't get done properly. Integrate SCTP better into the ipv6 output path so that these problems are fixed and such issues don't get missed in the future either. From Daniel Borkmann. 4) Fix skge regressions added by the DMA mapping error return checking added in v3.10, from Mikulas Patocka. 5) Kill some more IRQF_DISABLED references, from Michael Opdenacker. 6) Fix races and deadlocks in the bridging code, from Hong Zhiguo. 7) Fix error handling in tun_set_iff(), in particular don't leak resources. From Jason Wang. 8) Prevent format-string injection into xen-netback driver, from Kees Cook. 9) Fix regression added to netpoll ARP packet handling, in particular check for the right ETH_P_ARP protocol code. From Sonic Zhang. 10) Try to deal with AMD IOMMU errors when using r8169 chips, from Francois Romieu. 11) Cure freezes due to recent changes in the rt2x00 wireless driver, from Stanislaw Gruszka. 12) Don't do SPI transfers (which can sleep) in interrupt context in cw1200 driver, from Solomon Peachy. 13) Fix LEDs handling bug in 5720 tg3 chips already handled for 5719. From Nithin Sujir. 14) Make xen_netbk_count_skb_slots() count the actual number of slots that will be used, taking into consideration packing and other issues that the transmit path will run into. From David Vrabel. 15) Use the correct maximum age when calculating the bridge message_age_timer, from Chris Healy. 16) Get rid of memory leaks in mcs7780 IRDA driver, from Alexey Khoroshilov. 17) Netfilter conntrack extensions were converted to RCU but are not always freed properly using kfree_rcu(). Fix from Michal Kubecek. 18) VF reset recovery not being done correctly in qlcnic driver, from Manish Chopra. 19) Fix inverted test in ATM nicstar driver, from Andy Shevchenko. 20) Missing workqueue destroy in cxgb4 error handling, from Wei Yang. 21) Internal switch not initialized properly in bgmac driver, from Rafał Miłecki. 22) Netlink messages report wrong local and remote addresses in IPv6 tunneling, from Ding Zhi. 23) ICMP redirects should not generate socket errors in DCCP and SCTP. We're still working out how this should be handled for RAW and UDP sockets. From Daniel Borkmann and Duan Jiong. 24) We've had several bugs wherein the network namespace's loopback device gets accessed after it is free'd, NULL it out so that we can catch these problems more readily. From Eric W Biederman. 25) Fix regression in TCP RTO calculations, from Neal Cardwell. 26) Fix too early free of xen-netback network device when VIFs still exist. From Paul Durrant. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits) netconsole: fix a deadlock with rtnl and netconsole's mutex netpoll: fix NULL pointer dereference in netpoll_cleanup skge: fix broken driver ip: generate unique IP identificator if local fragmentation is allowed ip: use ip_hdr() in __ip_make_skb() to retrieve IP header xen-netback: Don't destroy the netdev until the vif is shut down net:dccp: do not report ICMP redirects to user space cnic: Fix crash in cnic_bnx2x_service_kcq() bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions. vxlan: Avoid creating fdb entry with NULL destination tcp: fix RTO calculated from cached RTT drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h> net loopback: Set loopback_dev to NULL when freed batman-adv: set the TAG flag for the vid passed to BLA netfilter: nfnetlink_queue: use network skb for sequence adjustment net: sctp: rfc4443: do not report ICMP redirects to user space net: usb: cdc_ether: use usb.h macros whenever possible net: usb: cdc_ether: fix checkpatch errors and warnings net: usb: cdc_ether: Use wwan interface for Telit modules ip6_tunnels: raddr and laddr are inverted in nl msg ...
2013-09-19netconsole: fix a deadlock with rtnl and netconsole's mutexNikolay Aleksandrov
This bug was introduced by commit 7a163bfb7ce50895bbe67300ea610d31b9c09230 ("netconsole: avoid a crash with multiple sysfs writers"). In store_enabled() we have the following sequence: acquire nt->mutex then rtnl, but in the netconsole netdev notifier we have rtnl then nt->mutex effectively leading to a deadlock. The NULL pointer dereference that the above commit tries to fix is actually due to another bug in netpoll_cleanup(). This is fixed by dropping the mutex from the netdev notifier as it's already protected by rtnl. Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19netpoll: fix NULL pointer dereference in netpoll_cleanupNikolay Aleksandrov
I've been hitting a NULL ptr deref while using netconsole because the np->dev check and the pointer manipulation in netpoll_cleanup are done without rtnl and the following sequence happens when having a netconsole over a vlan and we remove the vlan while disabling the netconsole: CPU 1 CPU2 removes vlan and calls the notifier enters store_enabled(), calls netdev_cleanup which checks np->dev and then waits for rtnl executes the netconsole netdev release notifier making np->dev == NULL and releases rtnl continues to dereference a member of np->dev which at this point is == NULL Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19skge: fix broken driverMikulas Patocka
The patch 136d8f377e1575463b47840bc5f1b22d94bf8f63 broke the skge driver. Note this part of the patch: + if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { + dev_kfree_skb(nskb); + goto resubmit; + } + pci_unmap_single(skge->hw->pdev, dma_unmap_addr(e, mapaddr), dma_unmap_len(e, maplen), PCI_DMA_FROMDEVICE); skb = e->skb; prefetch(skb->data); - skge_rx_setup(skge, e, nskb, skge->rx_buf_size); The function skge_rx_setup modifies e->skb to point to the new skb. Thus, after this change, the new buffer, not the old, is returned to the networking stack. This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should be queued for 3.11-stable. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reported-by: Mikulas Patocka <mpatocka@redhat.com> Reported-by: Vasiliy Glazov <vascom2@gmail.com> Tested-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19ip: generate unique IP identificator if local fragmentation is allowedAnsis Atteka
If local fragmentation is allowed, then ip_select_ident() and ip_select_ident_more() need to generate unique IDs to ensure correct defragmentation on the peer. For example, if IPsec (tunnel mode) has to encrypt large skbs that have local_df bit set, then all IP fragments that belonged to different ESP datagrams would have used the same identificator. If one of these IP fragments would get lost or reordered, then peer could possibly stitch together wrong IP fragments that did not belong to the same datagram. This would lead to a packet loss or data corruption. Signed-off-by: Ansis Atteka <aatteka@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19ip: use ip_hdr() in __ip_make_skb() to retrieve IP headerAnsis Atteka
skb->data already points to IP header, but for the sake of consistency we can also use ip_hdr() to retrieve it. Signed-off-by: Ansis Atteka <aatteka@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19xen-netback: Don't destroy the netdev until the vif is shut downPaul Durrant
Without this patch, if a frontend cycles through states Closing and Closed (which Windows frontends need to do) then the netdev will be destroyed and requires re-invocation of hotplug scripts to restore state before the frontend can move to Connected. Thus when udev is not in use the backend gets stuck in InitWait. With this patch, the netdev is left alone whilst the backend is still online and is only de-registered and freed just prior to destroying the vif (which is also nicely symmetrical with the netdev allocation and registration being done during probe) so no re-invocation of hotplug scripts is required. Signed-off-by: Paul Durrant <paul.durrant@citrix.com> Cc: David Vrabel <david.vrabel@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-09-19Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linusLinus Torvalds
Pull MIPS updates from Ralf Baechle: - Minor updates and fixes to the Octeon ethernet driver in staging - A fix to VGA_MAP_MEM() for 64 bit platforms - Fix a workaround for 74K/1074K processors - The symlink arch/mips/boot/dts/include/dt-bindings was pointing to a a file with a name ending in \n. I think this may have been caused by a git bug with with patches sent by email - A build fix for VGA console on BCM1480-based systems - Fix PCI device access via "/sys/bus/pci/.../resource0" or similar work for Alchemy platforms - Fix potential data leak on MIPS R5 cores. This doesn't add proper support for any R5 features, just ensures a kernel without such support will be secure to run - Adding a macros for the CP0 Config5 register to be used by the R5 fix - Make get_cycles() actually return something useful where possible This also requires a preparatory patch for performance sake - Fix a warning about the use of smp_processor_id() in preemptible code. Again this includes a preparatory patch adding the infrastructure to be used by the actual patch - Finally remove pointless one-line comment * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: Fix invalid symbolic link file MIPS: PCI: pci-bcm1480: Include missing vt.h header MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs. MIPS: Add MIPS R5 config5 register. MIPS: PCI: Use pci_resource_to_user to map pci memory space properly MIPS: 74K/1074K: Correct erratum workaround. MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks MIPS: Remove useless comment about kprobe from arch/mips/Makefile MIPS: Fix VGA_MAP_MEM macro. MIPS: Reimplement get_cycles(). MIPS: Optimize current_cpu_type() for better code. MIPS: Fix accessing to per-cpu data when flushing the cache MIPS: Provide nice way to access boot CPU's data. staging: octeon-ethernet: rgmii: enable interrupts that we can handle staging: octeon-ethernet: remove skb alloc failure warnings staging: octeon-ethernet: make dropped packets to consume NAPI budget
2013-09-19Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client Pull ceph fixes from Sage Weil: "These fix several bugs with RBD from 3.11 that didn't get tested in time for the merge window: some error handling, a use-after-free, and a sequencing issue when unmapping and image races with a notify operation. There is also a patch fixing a problem with the new ceph + fscache code that just went in" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: fscache: check consistency does not decrement refcount rbd: fix error handling from rbd_snap_name() rbd: ignore unmapped snapshots that no longer exist rbd: fix use-after free of rbd_dev->disk rbd: make rbd_obj_notify_ack() synchronous rbd: complete notifies before cleaning up osd_client and rbd_dev libceph: add function to ensure notifies are complete
2013-09-19MIPS: Fix invalid symbolic link fileMadhavan Srinivasan
Commit 3b29aa5ba204c [MIPS: add <dt-bindings/> symlink] created a symlink file in include/dt-bindings. Even though commit diff is fine, the symlink is invalid and ls -lb shows a newline character at the end of the filename: lrwxrwxrwx 1 maddy maddy 35 Sep 19 18:11 dt-bindings -> ../../../../../include/dt-bindings\n Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> Cc: steven.hill@imgtec.com Cc: mmarek@suse.cz Cc: swarren@nvidia.com Cc: linux-mips@linux-mips.org Cc: linux-kbuild@vger.kernel.org Cc: james.hogan@imgtec.com Patchwork: https://patchwork.linux-mips.org/patch/5859/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-19MIPS: PCI: pci-bcm1480: Include missing vt.h headerMarkos Chandras
It's needed for the MAX_NR_CONSOLES macro. Fixes the following build problem on a randconfig: arch/mips/pci/pci-bcm1480.c: In function 'bcm1480_pcibios_init': arch/mips/pci/pci-bcm1480.c:261:36: error: 'MAX_NR_CONSOLES' undeclared (first use in this function) arch/mips/pci/pci-bcm1480.c:261:36: note: each undeclared identifier is reported only once for each function it appears in make[1]: *** [arch/mips/pci/pci-bcm1480.o] Error 1 Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/5858/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-19MIPS: Disable usermode switching of the FR bit for MIPS R5 CPUs.Ralf Baechle
Currently the kernel will always use the FR=0 register model for O32. If an O32 application did enable FR=1 mode, some data from another application might be leaked in the extra registers becoming visible. Iow, this patch is meant to make the kernel MIPS R5 tolerant but leaves proper MIPS R5 support to a future patchset. Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-19MIPS: Add MIPS R5 config5 register.Ralf Baechle
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-09-19Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds
Pull drm radeon/nouveau/core fixes from Dave Airlie: "Mostly radeon fixes, with some nouveau bios parser, ttm fix and a fix for AST driver" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (42 commits) drm/fb-helper: don't sleep for screen unblank when an oops is in progress drm, ttm Fix uninitialized warning drm/ttm: fix the tt_populated check in ttm_tt_destroy() drm/nouveau/ttm: prevent double-free in nouveau_sgdma_create_ttm() failure path drm/nouveau/bios/init: fix thinko in INIT_CONFIGURE_MEM drm/nouveau/kms: enable for non-vga pci classes drm/nouveau/bios/init: stub opcode 0xaa drm/radeon: avoid UVD corruptions on AGP cards drm/radeon: fix panel scaling with eDP and LVDS bridges drm/radeon/dpm: rework auto performance level enable drm/radeon: Fix hmdi typo drm/radeon/dpm/rs780: fix force_performance state for same sclks drm/radeon/dpm/rs780: don't enable sclk scaling if not required drm/radeon/dpm/rs780: add some sanity checking to sclk scaling drm/radeon/dpm/rs780: use drm_mode_vrefresh() drm/udl: rip out set_need_resched drm/ast: fix the ast open key function drm/radeon/dpm: add bapm callback for kb/kv drm/radeon/dpm: add bapm callback for trinity drm/radeon/dpm: add infrastructure to properly handle bapm ...
2013-09-19drm/fb-helper: don't sleep for screen unblank when an oops is in progressDaniel Vetter
Otherwise the system will burn even brighter and worse, leave the user wondering what's going on exactly. Since we already have a panic handler which will (try) to restore the entire fbdev console mode, we can just bail out. Inspired by a patch from Konstantin Khlebnikov. The callchain leading to this, cut&pasted from Konstantin's original patch: callstack: panic() bust_spinlocks(1) unblank_screen() vc->vc_sw->con_blank() fbcon_blank() fb_blank() info->fbops->fb_blank() drm_fb_helper_blank() drm_fb_helper_dpms() drm_modeset_lock_all() mutex_lock(&dev->mode_config.mutex) Note that the entire locking in the fb helper around panic/sysrq and kdbg is ... non-existant. So we have a decent change of blowing up everything. But since reworking this ties in with funny concepts like the fbdev notifier chain or the impressive things which happen around console_lock while oopsing, I'll leave that as an exercise for braver souls than me. Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Konstantin Khlebnikov <khlebnikov@openvz.org> Cc: Dave Airlie <airlied@gmail.com> Reviewed-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Dave Airlie <airlied@redhat.com>