During normal ERTM sends and resends, buffers are copied or cloned.
If the copy/clone fails, take sensible action rather than causing a
kernel panic.
Change-Id: Ib491cfb38dab30014ed08571dbd721dad0cc3714
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When the connection is not in BT_CONNECTED state it was possible
for code in hci_chan_modify() to attempt to access the hci_chan
structure after it had already been deleted by hci_chan_put().
Change-Id: I5ae352ac12aa3b456e7bcf30633015d98b03e44b
CRs-fixed: 319934
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Default RFC values should use le16 byte ordering. These values are
used only as a fallback when poorly-behaved remote devices do not send
a proper RFC option in an ERTM or streaming configuration response.
Change-Id: I51c9ae892f18229f568b354c92b64e3a8054b619
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When the logical link disconnects clear the reference to the
l2cap connection before moving the channel. This prevents the
channel from being disconnected before failover to BR-EDR is
complete.
Change-Id: Id55a472a8dac49fbfca4fa47cffea59acf76ed1f
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
CRs-fixed: 321202
A well-behaved remote device should always send a reconfiguration and
flow control (RFC) option in the configuration response when using
ERTM or Streaming mode. By using default RFC option values, the
configuration code can avoid using uninitialized data.
Change-Id: I8f9ef687b694d0b34c6d65d40b934bc7946d515e
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Previously an offset was added to the hci dev number to generate the
AMP controller ID, because it was possible for the PAL to register
as hci0, and 0 is invalid for an AMP controller ID. Since this commit
462bf76d29 it is not possible for
the PAL to register as hci0, so this offset is no longer necessary.
Change-Id: I4b01ddca5fad3aebeb4c138b5aee8819bb146f3d
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
In three places a reference was taken without being returned.
Change-Id: I15b9ab7de530a77832d8b10fe756cfdf0b01760f
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
A socket can be shut down while pointer to that socket is stored in a
queued skbuff or in a pending workqueue struct. Correct use of socket
reference counting will make sure the socket struct stays around until
there are no remaining references.
Change-Id: Ic3679e023a46b224929b3cefb6370d7871e3368a
CRs-fixed: 313736
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Before attempting to create a channel directly on an AMP check
that the remote device supports A2MP signalling before starting
the physical link creation process.
Change-Id: Iac2bcebf9630368685e24e636e39ffa82651705d
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Socket lookup for a fixed channel should be done based on both remote and
local device addresses.
Change-Id: I35f39bea8ade6fd5d8695640251efc54bf21beae
Signed-off-by: Inga Stotland <ingas@codeaurora.org>
Timer that was started at beginning of LE Pairing did not correctly
terminate pairing process when it fired, and was not properly cleaned
up on pairing completion.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
During a move collision, both devices start out thinking they are the
initiator. The loser of the collision switches from the initiator role
to the responder role when receiving a move request from the remote
device. However, a move response will also be received by the loser
after the role switch has occurred.
The loser of the collision was incorrectly modifying the AMP move
state in the move response handler. This kept it from sending a move
channel response to the remote device, which stalled the channel move
process.
This change makes sure the AMP move state remains valid, so the
channel move succeeds.
CRs-fixed: 308382
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
An incoming AMP "create channel" connection would trigger an info
request and an AMP physical accept sequence at the same time. Since
accepting an AMP physical link is a local operation, it would complete
quickly and send a config request before the info response was
received.
If there is an outstanding info request, the AMP physical link should
not be accepted yet. Existing logic in l2cap_conn_start() will accept
the physical link when the info response is received.
CRs-fixed: 307243
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When remote device is connected outside the control of BlueZ, it
needs to be informed of whether the new connection is LE or BR/EDR.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Enabled ECB Block encoding for Low Energy pairing
Implemented missing components of MGMTOPS interface
Differentiated as needed between BR/EDR pairing and LE pairing
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Conflicts:
net/bluetooth/mgmt.c
Add send and receive of Extended Flow Spec option during L2CAP
lockstep configuration and passing the flow specs to HCI.
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Conflicts:
include/net/bluetooth/hci.h
include/net/bluetooth/hci_core.h
net/bluetooth/l2cap_core.c
The MAXI_EN2 register is no longer owned by the RPM. Add local
control of the VPE and Rotator AXI clocks which are in it.
Signed-off-by: Matt Wagantall <mattw@codeaurora.org>
Fix race condition which can result in missing wakeup during
l2cap socket shutdown.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Another regression fix considering incomming l2cap connections with
defer_setup enabled. In situations when incomming connection is
extracted with l2cap_sock_accept, it's bt_sock info will have
'parent' member zerroed, but 'parent' may be used unconditionally
in l2cap_conn_start() and l2cap_security_cfm() when defer_setup
is enabled.
Backtrace:
[<bf02d5ac>] (l2cap_security_cfm+0x0/0x2ac [bluetooth]) from [<bf01f01c>] (hci_event_pac
ket+0xc2c/0x4aa4 [bluetooth])
[<bf01e3f0>] (hci_event_packet+0x0/0x4aa4 [bluetooth]) from [<bf01a844>] (hci_rx_task+0x
cc/0x27c [bluetooth])
[<bf01a778>] (hci_rx_task+0x0/0x27c [bluetooth]) from [<c008eee4>] (tasklet_action+0xa0/
0x15c)
[<c008ee44>] (tasklet_action+0x0/0x15c) from [<c008f38c>] (__do_softirq+0x98/0x130)
r7:00000101 r6:00000018 r5:00000001 r4:efc46000
[<c008f2f4>] (__do_softirq+0x0/0x130) from [<c008f524>] (do_softirq+0x4c/0x58)
[<c008f4d8>] (do_softirq+0x0/0x58) from [<c008f5e0>] (run_ksoftirqd+0xb0/0x1b4)
r4:efc46000 r3:00000001
[<c008f530>] (run_ksoftirqd+0x0/0x1b4) from [<c009f2a8>] (kthread+0x84/0x8c)
r7:00000000 r6:c008f530 r5:efc47fc4 r4:efc41f08
[<c009f224>] (kthread+0x0/0x8c) from [<c008cc84>] (do_exit+0x0/0x5f0)
Signed-off-by: Ilia Kolomisnky <iliak@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Caused by the following commit, partially revert it.
commit 9fa7e4f76f
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date: Thu Jun 30 16:11:30 2011 -0300
Bluetooth: Fix regression with incoming L2CAP connections
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Based on patch from: Ilia Kolomisnky <iliak@ti.com>
Change-Id: Ifcffe0124adbbc6d1931389ff7476dd0304d6f51
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header. This results in copying a very large amount of data via
memcpy() and destroying the kernel heap. Check for underflow.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This adds support for generating and distributing all the keys
specified in the third phase of SMP.
This will make possible to re-establish secure connections, resolve
private addresses and sign commands.
For now, the values generated are random.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
The ERTM receive buffer is now handled in a way that does not require
the busy queue and the associated polling code.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This change moves most L2CAP ERTM receive buffer handling out of the
L2CAP core and in to the socket code. It's up to the higher layer
(the socket code, in this case) to tell the core when its buffer is
full or has space available. The recv op should always accept
incoming ERTM data or else the connection will go down.
Within the socket layer, an skb that does not fit in the socket
receive buffer will be temporarily stored. When the socket is read
from, that skb will be placed in the receive buffer if possible. Once
adequate buffer space becomes available, the L2CAP core is informed
and the ERTM local busy state is cleared.
Receive buffer management for non-ERTM modes is unchanged.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
The local busy state is entered and exited based on buffer status in
the socket layer (or other upper layer). This change is in
preparation for general buffer status reports from the socket layer,
which will then be used to change the local busy status.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Even when the received tx_seq is expected, the frame still needs to be
dropped if the TX window is exceeded or the receiver is in the local
busy state.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Make it easier to use more normal logging styles later.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
ERTM timeouts are defined in milliseconds, but need to be converted
to jiffies when passed to mod_timer().
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
When the connection is ready we should set the connection
to CONNECTED so userspace can use it.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
We already have access to the chan, we don't have to access the
socket to get its imtu.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
We should not try to do any other type of configuration for
LE links when they become ready.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Instead of setting bits manually we use set_bit, test_bit, etc.
Also remove L2CAP_ prefix from macros.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This patch adds support for disconnecting the link when SMP procedure
takes more than 30 seconds.
SMP begins when either the Pairing Request command is sent or the
Pairing Response is received, and it ends when the link is encrypted
(or terminated). Vol 3, Part H Section 3.4.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This adds support for resuming the user space traffic when SMP
negotiation is complete.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Start SMP procedure for LE connections. This modification intercepts
l2cap received frames and call proper SMP functions to start the SMP
procedure. By now, no keys are being used.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Anderson Briglia <anderson.briglia@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
ERTM use the generic L2CAP timer functions to keep a reference to the
channel. This is useful for avoiding crashes.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
We now plan to use l2cap_set_timer and l2cap_clear_timer in ERTM timers.
Change-Id: Ie62b01e003f8885ae89c73e2e64195c21cbadddd
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
struct l2cap_chan has now its own refcnt that is compatible with the
socket refcnt, i.e., we won't see sk_refcnt = 0 and chan->refcnt > 0.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Now socket state is tracked by struct sock and channel state is tracked by
chan->state. At this point both says the same, but this is going to change
when we add AMP Support for example.
Change-Id: Idbf873f5e8dd94f5b2482ba960c52193d28ce5dd
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
