* [PATCH bluetooth-next 2/5] mac802154: fix mac header length check
From: Alexander Aring @ 2016-02-19 8:59 UTC (permalink / raw)
To: linux-wpan; +Cc: Alexander Aring
I got a report that the WARN_ON sometimes occurs there, which should
never happen. I came to the conclusion that the mac header is there but
inside the headroom of the skb. The skb->len information doesn't contain the
information about the headroom length, and skb->len is less than two.
We now check if the skb_mac_header pointer is set and the room between
the mac header pointer and the tail pointer.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
---
include/net/mac802154.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/mac802154.h b/include/net/mac802154.h
index da574bb..2e3cdd20 100644
--- a/include/net/mac802154.h
+++ b/include/net/mac802154.h
@@ -247,8 +247,9 @@ struct ieee802154_ops {
*/
static inline __le16 ieee802154_get_fc_from_skb(const struct sk_buff *skb)
{
- /* return some invalid fc on failure */
- if (unlikely(skb->len < 2)) {
+ /* check if we can fc at skb_mac_header of sk buffer */
+ if (unlikely(!skb_mac_header_was_set(skb) ||
+ (skb_tail_pointer(skb) - skb_mac_header(skb)) < 2)) {
WARN_ON(1);
return cpu_to_le16(0);
}
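Review bot: The new comment above the check, "check if we can fc at skb_mac_header of sk buffer", is missing its verb and drops the earlier remark that a zero frame control is returned as the invalid value; wording such as "check that two bytes of fc are available at skb_mac_header, return an invalid fc on failure" would keep both. The combined condition also leaves WARN_ON(1) unable to say whether the mac header was never set or fewer than two bytes lie between it and the tail, so testing the two conditions separately would make the next report easier to read. If this helper can be reached with frames whose length a remote sender controls, an unconditional WARN_ON(1) per frame can flood the log, and WARN_ON_ONCE would be the safer choice.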
--
2.7.1
* [PATCH bluetooth-next 3/5] at86rf230: fix race on error handling
From: Alexander Aring @ 2016-02-19 8:59 UTC (permalink / raw)
To: linux-wpan; +Cc: Alexander Aring
The resource "ctx" can still be used by at86rf230_async_state_change; we
need to free it in the complete handler of the async state change to
avoid a use after free.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
---
drivers/net/ieee802154/at86rf230.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
index 0fbbba7..bf3cfe4 100644
--- a/drivers/net/ieee802154/at86rf230.c
+++ b/drivers/net/ieee802154/at86rf230.c
@@ -343,16 +343,26 @@ static const struct regmap_config at86rf230_regmap_spi_config = {
};
static void
-at86rf230_async_error_recover(void *context)
+at86rf230_async_error_recover_complete(void *context)
{
struct at86rf230_state_change *ctx = context;
struct at86rf230_local *lp = ctx->lp;
- lp->is_tx = 0;
- at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, NULL);
- ieee802154_wake_queue(lp->hw);
if (ctx->free)
kfree(ctx);
+
+ ieee802154_wake_queue(lp->hw);
+}
+
+static void
+at86rf230_async_error_recover(void *context)
+{
+ struct at86rf230_state_change *ctx = context;
+ struct at86rf230_local *lp = ctx->lp;
+
+ lp->is_tx = 0;
+ at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON,
+ at86rf230_async_error_recover_complete);
}
static inline void
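Review bot: at86rf230_async_error_recover now relies entirely on the completion callback passed to at86rf230_async_state_change to free ctx and wake the queue, and the visible lines do not show what happens when that state change cannot be started or fails part-way; if the callback is not invoked in that case, ctx leaks and the queue stays stopped, so please confirm or document that path. In at86rf230_async_error_recover_complete, lp is correctly read from ctx before kfree(ctx); a one-line comment there would keep a later edit from moving the ctx->lp dereference below the free.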
--
2.7.1
* [PATCH bluetooth-next 4/5] at86rf230: fix state change handling on error
From: Alexander Aring @ 2016-02-19 8:59 UTC (permalink / raw)
To: linux-wpan; +Cc: Alexander Aring
This patch forces "is_tx_from_off" to always be set when the calibration
timeout has not occurred. In case of error handling, is_tx_from_off
can be in an invalid state.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
---
drivers/net/ieee802154/at86rf230.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
index bf3cfe4..cb9e9fe 100644
--- a/drivers/net/ieee802154/at86rf230.c
+++ b/drivers/net/ieee802154/at86rf230.c
@@ -902,14 +902,12 @@ at86rf230_xmit_start(void *context)
struct at86rf230_local *lp = ctx->lp;
/* check if we change from off state */
- if (lp->is_tx_from_off) {
- lp->is_tx_from_off = false;
+ if (lp->is_tx_from_off)
at86rf230_async_state_change(lp, ctx, STATE_TX_ARET_ON,
at86rf230_write_frame);
- } else {
+ else
at86rf230_async_state_change(lp, ctx, STATE_TX_ON,
at86rf230_xmit_tx_on);
- }
}
static int
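Review bot: With the reset removed from the "if (lp->is_tx_from_off)" branch, at86rf230_xmit_start only reads the flag, so it now depends on the caller having written it before every call, and nothing in the function says so. Extending the "check if we change from off state" comment to state that the flag is set by at86rf230_xmit before this function runs would protect the invariant against a future caller that skips it.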
@@ -933,6 +931,7 @@ at86rf230_xmit(struct ieee802154_hw *hw, struct sk_buff *skb)
at86rf230_async_state_change(lp, ctx, STATE_TRX_OFF,
at86rf230_xmit_start);
} else {
+ lp->is_tx_from_off = false;
at86rf230_xmit_start(ctx);
}
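Review bot: The else branch now writes "lp->is_tx_from_off = false;", but the matching write of true for the STATE_TRX_OFF branch lies above the visible context, so this hunk alone does not show that both branches set the flag before at86rf230_xmit_start runs. Please confirm the if branch assigns it unconditionally, and consider naming in the commit message which branch sets which value.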
--
2.7.1
* [PATCH bluetooth-next 5/5] mrf24j40: add writeable missing reg
From: Alexander Aring @ 2016-02-19 8:59 UTC (permalink / raw)
To: linux-wpan; +Cc: Alexander Aring, Alan Ott
This patch adds a missing reg for writeable stuff for regmap.
Cc: Alan Ott <alan@signal11.us>
Signed-off-by: Alexander Aring <aar@pengutronix.de>
---
drivers/net/ieee802154/mrf24j40.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ieee802154/mrf24j40.c b/drivers/net/ieee802154/mrf24j40.c
index 4cdf516..764a2bd 100644
--- a/drivers/net/ieee802154/mrf24j40.c
+++ b/drivers/net/ieee802154/mrf24j40.c
@@ -310,6 +310,7 @@ mrf24j40_short_reg_writeable(struct device *dev, unsigned int reg)
case REG_TRISGPIO:
case REG_GPIO:
case REG_RFCTL:
+ case REG_SECCR2:
case REG_SLPACK:
case REG_BBREG0:
case REG_BBREG1:
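Review bot: The added "case REG_SECCR2:" in mrf24j40_short_reg_writeable comes with a commit message that does not say which write was being rejected or what symptom it caused. One sentence naming the code path that writes REG_SECCR2 would let a reader judge whether the driver's other regmap register callbacks need the same entry.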
--
2.7.1
* Re: [PATCH bluetooth-next 1/5] MAINTAINERS: update 802.15.4 entries
From: Marcel Holtmann @ 2016-02-21 0:20 UTC (permalink / raw)
To: Alexander Aring; +Cc: linux-wpan
Hi Alex,
> This patch updates my e-mail address and other pending information for
> 802.15.4 subsystem which are not correct anymore.
>
> Signed-off-by: Alexander Aring <aar@pengutronix.de>
> ---
> MAINTAINERS | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
all 5 patches have been applied to bluetooth-next tree.
Regards
Marcel