Store the link key persistently if one of the following is true:
1. this is a legacy link key
2. this is a changed combination key and there was a previously
stored one
3. neither local nor remote side had no-bonding as a requirement
4. the local side had dedicated bonding as a requirement
5. the remote side is using dedicated bonding since in that case
also the local requirements are set to dedicated bonding
If none of the above match only keep the link key around for
this connection and set the temporary flag for the device.
CRs-Fixed: 309161
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
Timer that was started at beginning of LE Pairing did not correctly
terminate pairing process when it fired, and was not properly cleaned
up on pairing completion.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
During a move collision, both devices start out thinking they are the
initiator. The loser of the collision switches from the initiator role
to the responder role when receiving a move request from the remote
device. However, a move response will also be received by the loser
after the role switch has occurred.
The loser of the collision was incorrectly modifying the AMP move
state in the move response handler. This kept it from sending a move
channel response to the remote device, which stalled the channel move
process.
This change makes sure the AMP move state remains valid, so the
channel move succeeds.
CRs-fixed: 308382
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When sock_put() is called on an L2CAP socket, if the reference count
on a sock goes to 0, l2cap_sock_release() is called. As part of the
release, l2cap_sock_shutdown() locks the socket. This is not allowable
in interrupt context. This change makes calls to sock_put() on the
system workqueue, where it can safely lock.
This addresses "scheduling while atomic" issues in both the Bluetooth
mgmt_ops pairing code and when RFCOMM sessions are deleted in a
security_cfm callback.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When remote device do not have link key, DUT will try to reinitiate
authentication process. We should remove the link key before
reinitiating authentication process. This was fixed in hciops in
Bluez user space. Adding this change for mgmtops to handle this
case in kernel space.
CRs-fixed: 307063
Signed-off-by: Prabhakaran Mc <prabhakaranmc@codeaurora.org>
An incoming AMP "create channel" connection would trigger an info
request and an AMP physical accept sequence at the same time. Since
accepting an AMP physical link is a local operation, it would complete
quickly and send a config request before the info response was
received.
If there is an outstanding info request, the AMP physical link should
not be accepted yet. Existing logic in l2cap_conn_start() will accept
the physical link when the info response is received.
CRs-fixed: 307243
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
If hci_dev_open() returns no error or EALREADY, allow the power on
sequence to proceed.
Signed-off-by: Inga Stotland <ingas@codeaurora.org>
Conflicts:
net/bluetooth/hci_core.c
When remote device is connected outside the control of BlueZ, it
needs to be informed of whether the new connection is LE or BR/EDR.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
There was a crashing issue when pairing was performed on LE connections
that were already up, due to a NULL function pointer being followed.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
When LE was added, the refcnt's for the hci_conns used were not balanced
and some of this bleeded over between LE pairing and Legacy pairing.
CRs-fixed: 305391
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Enabled ECB Block encoding for Low Energy pairing
Implemented missing components of MGMTOPS interface
Differentiated as needed between BR/EDR pairing and LE pairing
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Conflicts:
net/bluetooth/mgmt.c
Redundant calls to hci_setup_event_mask() prematurly exited Init state
when first call when erroneously detected as the last cmd sent.
CRs-fixed: 302804
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Handle -EALREADY error in hci_sock of hci_dev_open as indication that
the HCI device is already open. This was causing reset inducing timeout,
and removed unused/useless check of failure in power-up code.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
RFCOMM Frame size changes to accomodate the credits in the data packet.
Earlier implementation was not considering the 1 Byte required for
Credits information in data packet and hence was considering the
RFCOMM header plus FCS as 5 Bytes.
Because of this if the remote device sends a data packet with
negotiated frame size and credits information,packet size exceeds L2CAPMTU
and will be discarded by L2CAP.
CRs-fixed: 303518
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
SAP profile requires 16 pin length authentication for BT 1.2/2.0
devices as per specification. These changes were present for hciops
pluging, the current changes are for Management operations plugin.
Signed-off-by: Prabhakaran Mc <prabhakaranmc@codeaurora.org>
Add send and receive of Extended Flow Spec option during L2CAP
lockstep configuration and passing the flow specs to HCI.
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
Conflicts:
include/net/bluetooth/hci.h
include/net/bluetooth/hci_core.h
net/bluetooth/l2cap_core.c
The MAXI_EN2 register is no longer owned by the RPM. Add local
control of the VPE and Rotator AXI clocks which are in it.
Signed-off-by: Matt Wagantall <mattw@codeaurora.org>
Commit 330605423c fixed l2cap conn establishment for non-ssp remote
devices by not setting HCI_CONN_ENCRYPT_PEND every time conn security
is tested (which was always returning failure on any subsequent
security checks).
However, this broke l2cap conn establishment for ssp remote devices
when an ACL link was already established at SDP-level security. This
fix ensures that encryption must be pending whenever authentication
is also pending.
Change-Id: I6876ea5134e90d1f3d0f84e8ed40b92977b3df64
Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>
Turns out that some devices don't call the notifier chains
with NETDEV_UNREGISTER.
So now we only track up/down as the points for tracking
active/inactive transitions and saving the get_dev_stats().
Change-Id: I948755962b4c64150b4d04f294fb4889f151e42b
Signed-off-by: JP Abgrall <jpa@google.com>
/proc/net/xt_qtaguid/ctrl will now show:
active tagged sockets: lines of "sock=%p tag=0x%llx (uid=%u)"
sockets_tagged, : the number of sockets successfully tagged.
sockets_untagged: the number of sockets successfully untagged.
counter_set_changes: ctrl counter set change requests.
delete_cmds: ctrl delete commands completed.
iface_events: number of NETDEV_* events handled.
match_found_sk: sk found in skbuff without ct assist.
match_found_sk_in_ct: the number of times the connection tracker found
a socket for us. This happens when the skbuff didn't have info.
match_found_sk_none: the number of times no sk could be determined
successfully looked up. This indicates we don't know who the
data actually belongs to. This could be unsolicited traffic.
Change-Id: I3a65613bb24852e1eea768ab0320a6a7073ab9be
Signed-off-by: JP Abgrall <jpa@google.com>
sockfd_put() risks sleeping.
So when doing a delete ctrl command, defer the sockfd_put() and
kfree() to outside of the spinlock.
Change-Id: I5f8ab51d05888d885b2fbb035f61efa5b7abb88a
Signed-off-by: JP Abgrall <jpa@google.com>
* Don't hold the sockets after tagging.
sockfd_lookup() does a get() on the associated file.
There was no matching put() so a closed socket could never be
freed.
* Don't rely on struct member order for tag_node
The structs that had a struct tag_node member would work with
the *_tree_* routines only because tag_node was 1st.
* Improve debug messages
Provide info on who the caller is. Use unsigned int for uid.
* Only process NETDEV_UP events.
* Pacifier: disable netfilter matching. Leave .../stats header.
Change-Id: Iccb8ae3cca9608210c417597287a2391010dff2c
Signed-off-by: JP Abgrall <jpa@google.com>
When an hidp connection is added for a boot protocol input
device, don't release a device reference that was never
acquired. The device reference is acquired when the session
is linked to the session list (which hasn't happened yet when
hidp_setup_input is called).
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
When an hidp connection is added for a boot protocol input
device, only free the allocated device if device registration fails.
Subsequent failures should only unregister the device (the input
device api documents that unregister will also free the allocated
device).
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Once the session thread is running, cleanup must be
handled by the session thread only.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Commit f4d7cd4a4c introduced the usage of kthread API.
kthread_stop is a blocking function which returns only when
the thread exits. In this case, the thread can't exit because it's
waiting for the write lock, which is being held by bnep_del_connection()
which is waiting for the thread to exit -- deadlock.
Use atomic_t/wake_up_process instead to signal to the thread to exit.
Signed-off-by: Jaikumar Ganesh <jaikumar@google.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
No command should be send before Command Complete event for HCI
reset is received. This fix regression introduced by commit
6bd32326cda(Bluetooth: Use proper timer for hci command timout)
for chips whose reset command takes longer to complete (e.g. CSR)
resulting in next command being send before HCI reset completed.
Signed-off-by: Szymon Janc <szymon@janc.net.pl>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
* Allow tracking interfaces that only have an ipv6 address.
Deal with ipv6 notifier chains that do NETDEV_UP without the rtnl_lock()
* Allow root all access to procfs ctrl/stats.
To disable all checks:
echo 0 > /sys/module/xt_qtaguid/parameters/ctrl_write_gid
echo 0 > /sys/module/xt_qtaguid/parameters/stats_readall_gid
* Add CDEBUG define to enable pr_debug output specific to
procfs ctrl/stats access.
Change-Id: I9a469511d92fe42734daff6ea2326701312a161b
Signed-off-by: JP Abgrall <jpa@google.com>
* Added support for sets of counters.
By default set 0 is active.
Userspace can control which set is active for a given UID by
writing to .../ctrl
s <set_num> <uid>
Changing the active set is only permitted for processes in the
AID_NET_BW_ACCT group.
The active set tracking is reset when the uid tag is deleted with
the .../ctrl command
d 0 <uid>
* New output format for the proc .../stats
- Now has cnt_set in the list.
"""
idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets rx_tcp_packets rx_tcp_bytes rx_udp_packets rx_udp_bytes rx_other_packets rx_other_bytes tx_tcp_packets tx_tcp_bytes tx_udp_packets tx_udp_bytes tx_other_packets tx_other_bytes
...
2 rmnet0 0x0 1000 0 27729 29 1477 27 27501 26 228 3 0 0 1249 24 228 3 0 0
2 rmnet0 0x0 1000 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
3 rmnet0 0x0 10005 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
3 rmnet0 0x0 10005 1 46407 57 8008 64 46407 57 0 0 0 0 8008 64 0 0 0 0
...
6 rmnet0 0x7fff000100000000 10005 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
6 rmnet0 0x7fff000100000000 10005 1 27493 24 1564 22 27493 24 0 0 0 0 1564 22 0 0 0 0
"""
* Refactored for proc stats output code.
* Silenced some of the per packet debug output.
* Reworded some of the debug messages.
* Replaced all the spin_lock_irqsave/irqrestore with *_bh():
netfilter handling is done in softirq.
Change-Id: Ibe89f9d754579fd97335617186c614b43333cfd3
Signed-off-by: JP Abgrall <jpa@google.com>
L2CAP connection timeout needs to be assigned as miliseconds
and not as jiffies.
Signed-off-by: Chen Ganir <chen.ganir@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
commit a203c2aa4cefccb879c879b8e1cad1a09a679e55 upstream.
At the beginning of wiphy_update_regulatory() a check is performed
whether the request is to be ignored. Then the request is sent to
the driver nevertheless. This happens even if last_request points
to NULL, leading to a crash in the driver:
[<bf01d864>] (lbs_set_11d_domain_info+0x28/0x1e4 [libertas]) from [<c03b714c>] (wiphy_update_regulatory+0x4d0/0x4f4)
[<c03b714c>] (wiphy_update_regulatory+0x4d0/0x4f4) from [<c03b4008>] (wiphy_register+0x354/0x420)
[<c03b4008>] (wiphy_register+0x354/0x420) from [<bf01b17c>] (lbs_cfg_register+0x80/0x164 [libertas])
[<bf01b17c>] (lbs_cfg_register+0x80/0x164 [libertas]) from [<bf020e64>] (lbs_start_card+0x20/0x88 [libertas])
[<bf020e64>] (lbs_start_card+0x20/0x88 [libertas]) from [<bf02cbd8>] (if_sdio_probe+0x898/0x9c0 [libertas_sdio])
Fix this by returning early. Also remove the out: label as it is
not any longer needed.
Signed-off-by: Sven Neumann <s.neumann@raumfeld.com>
Cc: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Daniel Mack <daniel@zonque.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream.
After commit 3262c816a3 "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.
That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.
(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)
Cc: gnb@fmeh.org
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 676b58c27475a9defccc025fea1cbd2b141ee539 upstream.
A panic was observed when the device is failed to resume properly,
and there are no running interfaces. ieee80211_reconfig tries
to restart STA timers on unassociated state.
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
