26 Mar, 2020
1 commit
-
This uses the DEFER_SETUP flag to group channels with
L2CAP_CREDIT_BASED_CONNECTION_REQ.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
25 Mar, 2020
1 commit
-
With this change, the encryption key size is not assumed to be 16 if the
read_encryption_key_size command fails for any reason. This ensures
that if the controller fails the command for any reason that the
encryption key size isn't implicitely set to 16 and instead take a more
concervative posture to assume it is 0.Signed-off-by: Alain Michaud
Signed-off-by: Marcel Holtmann
24 Mar, 2020
3 commits
-
This adds a callback to read the socket pid.
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann -
When handling auto-connected devices, we should execute the rest of the
connection complete when it was previously discovered and it is an ACL
connection.Signed-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann -
If Bluetooth fails to enter the suspended state correctly, restore the
state to running (re-enabling scans). PM_POST_SUSPEND is only sent to
notifiers that successfully return from PM_PREPARE_SUSPEND notification
so we should recover gracefully if it fails.Signed-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann
18 Mar, 2020
1 commit
-
BlueZ cancels adv when starting a scan, but does not cancel a scan when
starting to adv. Neither is required, so this brings both to a
consistent state (of not affecting each other). Some very rare (I've
never seen one) BT 4.0 chips will fail to do both at once. Even this is
ok since the command that will fail will be the second one, and thus the
common sense logic of first-come-first-served is preserved for BLE
requests.Signed-off-by: Dmitry Grinberg
Signed-off-by: Manish Mandlik
Signed-off-by: Marcel Holtmann
15 Mar, 2020
1 commit
-
net/bluetooth/l2cap_core.c: In function l2cap_ecred_conn_req:
net/bluetooth/l2cap_core.c:5848:6: warning: variable credits set but not used [-Wunused-but-set-variable]commit 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
involved this unused variable, remove it.Reported-by: Hulk Robot
Signed-off-by: YueHaibing
Signed-off-by: Marcel Holtmann
12 Mar, 2020
7 commits
-
Smatch complains about the indenting:
net/bluetooth/l2cap_sock.c:1027 l2cap_sock_recvmsg()
warn: inconsistent indentingIt looks like this is supposed to be an "else if" condition.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Dan Carpenter
Signed-off-by: Marcel Holtmann -
According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5,
the incoming L2CAP_ConfigReq should be handled during
OPEN state.The section below shows the btmon trace when running
L2CAP/COS/CFD/BV-12-C before and after this change.=== Before ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 ......
< ACL Data TX: Handle 256 flags 0x00 dlen 14 #32
L2CAP: Command Reject (0x01) ident 3 len 6
Reason: Invalid CID in request (0x0002)
Destination CID: 64
Source CID: 65
> HCI Event: Number of Completed Packets (0x13) plen 5 #33
Num handles: 1
Handle: 256
Count: 1
...
=== After ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 .....
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #32
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #33
L2CAP: Configure Request (0x04) ident 3 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #34
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #35
Num handles: 1
Handle: 256
Count: 1
...Signed-off-by: Howard Chung
Signed-off-by: Marcel Holtmann -
In bluetooth core specification 4.2,
Vol 2, Part E, 7.8.9 LE Set Advertise Enable Command, it saysThe Controller shall continue advertising until ...
or until a connection is created or ...
In these cases, advertising is then disabled.Hence, advertising would be disabled before a connection is
established. In current kernel implementation, advertising would
be re-enabled when all connections are terminated.The correct disconnection flow looks like
< HCI Command: Disconnect
> HCI Event: Command Status
Status: Success> HCI Event: Disconnect Complete
Status: SuccessSpecifically, the last Disconnect Complete Event would trigger a
callback function hci_event.c:hci_disconn_complete_evt() to
cleanup the connection and re-enable advertising when proper.However, sometimes, there might occur an exception in the controller
when disconnection is being executed. The disconnection flow might
then look like< HCI Command: Disconnect
> HCI Event: Command Status
Status: Unknown Connection IdentifierNote that "> HCI Event: Disconnect Complete" is missing when such an
exception occurs. This would result in advertising staying disabled
forever since the connection in question is not cleaned up correctly.To fix the controller exception issue, we need to do some connection
cleanup when the disconnect command status indicates an error.Signed-off-by: Joseph Hwang
Signed-off-by: Manish Mandlik
Signed-off-by: Marcel Holtmann -
To prevent spurious wake ups, we disable any discovery or advertising
when we enter suspend and restore it when we exit suspend. While paused,
we disable any management requests to modify discovery or advertising.Signed-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann -
To handle LE devices, we must first disable passive scanning and
disconnect all connected devices. Once that is complete, we update the
whitelist and re-enable scanningSigned-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann -
To handle BR/EDR devices, we first disable page scan and disconnect all
connected devices. Once that is complete, we add event filters (for
devices that can wake the system) and re-enable page scan.Signed-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann -
Register for PM_SUSPEND_PREPARE and PM_POST_SUSPEND to make sure the
Bluetooth controller is prepared correctly for suspend/resume. Implement
the registration, scheduling and task handling portions only in this
patch.Signed-off-by: Abhishek Pandit-Subedi
Signed-off-by: Marcel Holtmann
11 Mar, 2020
3 commits
-
If an error occurs during request building in add_advertising(),
remember to send MGMT_STATUS_FAILED command status back to bluetoothd.Signed-off-by: Joseph Hwang
Signed-off-by: Manish Mandlik
Signed-off-by: Marcel Holtmann -
This change fixes the off by one error in the erroneous command bit
masks which can lead to the erroneous data commands being sent to a
controller that doesn't support them.Signed-off-by: Alain Michaud
Signed-off-by: Marcel Holtmann -
When the RPA generation fails, indicate the error with a device specifc
error message.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
08 Mar, 2020
6 commits
-
Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
increase dlc->refcnt.Reported-by: syzbot+4496e82090657320efc6@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang
Suggested-by: Hillf Danton
Signed-off-by: Marcel Holtmann -
This should make it safe to have the code upstream without affecting
stable systems since there are a few details not sort out with ECRED
mode e.g: how to initiate multiple connections at once.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann -
This adds the initial code for Enhanced Credit Based Mode which
introduces a new socket mode called L2CAP_MODE_EXT_FLOWCTL, which for
the most part work the same as L2CAP_MODE_LE_FLOWCTL but uses different
PDUs to setup the connections and also works over BR/EDR.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann -
Increment the mgmt revision due to the recently added setting and
command.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg -
This change introduces a wide band speech setting which allows higher
level clients to query the local controller support for wide band speech
as well as set the setting state when the radio is powered off.
Internally, this setting controls if erroneous data reporting is enabled
on the controller.Signed-off-by: Alain Michaud
Signed-off-by: Marcel Holtmann -
This uses skb_pull when parsing signalling PDUs so skb->data for
pointing to the current PDU and skb->len as the remaining bytes to be
processed.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
07 Mar, 2020
1 commit
-
When processing SCO packets, the handle is wrongly assumed as 16-bit
value. The actual size is 12-bits and the other 4-bits are used for
packet flags.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
04 Mar, 2020
1 commit
-
Some controllers have been observed to send zero'd events under some
conditions. This change guards against this condition as well as adding
a trace to facilitate diagnosability of this condition.Signed-off-by: Alain Michaud
Signed-off-by: Marcel Holtmann
28 Feb, 2020
6 commits
-
This patch provides a mechanism for MGMT interface client to query the
capability of the controller to support WBS.Signed-off-by: Alain Michaud
Signed-off-by: Marcel Holtmann -
Disabling LE_LEGACY_ADV when LE_EXT_ADV is enabled causes 'command
disallowed . This patch fixes that issue and disables EXT_ADV if
enabled.Signed-off-by: Sathish Narsimman
Signed-off-by: Marcel Holtmann -
Extended advertising Data is set during bluetooth initialization
by default which causes InvalidHCICommandParameters when setting
Extended advertising parameters.As per Core Spec 5.2 Vol 2, PART E, Sec 7.8.53, for
advertising_event_property LE_LEGACY_ADV_DIRECT_IND does not
supports advertising data when the advertising set already
contains some, the controller shall return erroc code
'InvalidHCICommandParameters(0x12).So it is required to remove adv set for handle 0x00. since we use
instance 0 for directed adv.Signed-off-by: Sathish Narsimman
Signed-off-by: Marcel Holtmann -
In function hci_is_blocked_key() RCU list is traversed with
list_for_each_entry() in RCU read-side CS.
Use list_for_each_entry_rcu() instead.Signed-off-by: Madhuparna Bhowmik
Signed-off-by: Marcel Holtmann -
The following functions in hci_core are always called with
hdev->lock held. No need to use list_for_each_entry_rcu(), therefore
change the usage of list_for_each_entry_rcu() in these functions
to list_for_each_entry().hci_link_keys_clear()
hci_smp_ltks_clear()
hci_smp_irks_clear()
hci_blocked_keys_clear()Warning encountered with CONFIG_PROVE_RCU_LIST:
[ 72.213184] =============================
[ 72.213188] WARNING: suspicious RCU usage
[ 72.213192] 5.6.0-rc1+ #5 Not tainted
[ 72.213195] -----------------------------
[ 72.213198] net/bluetooth/hci_core.c:2288 RCU-list traversed in non-reader section!![ 72.213676] =============================
[ 72.213679] WARNING: suspicious RCU usage
[ 72.213683] 5.6.0-rc1+ #5 Not tainted
[ 72.213685] -----------------------------
[ 72.213689] net/bluetooth/hci_core.c:2298 RCU-list traversed in non-reader section!![ 72.214195] =============================
[ 72.214198] WARNING: suspicious RCU usage
[ 72.214201] 5.6.0-rc1+ #5 Not tainted
[ 72.214204] -----------------------------
[ 72.214208] net/bluetooth/hci_core.c:2308 RCU-list traversed in non-reader section!![ 333.456972] =============================
[ 333.456979] WARNING: suspicious RCU usage
[ 333.457001] 5.6.0-rc1+ #5 Not tainted
[ 333.457007] -----------------------------
[ 333.457014] net/bluetooth/hci_core.c:2318 RCU-list traversed in non-reader section!!Signed-off-by: Madhuparna Bhowmik
Signed-off-by: Marcel Holtmann -
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:struct foo {
int stuff;
struct boo array[];
};By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertently introduced[3] to the codebase from now on.Also, notice that, dynamic memory allocations won't be affected by
this change:"Flexible array members have incomplete type, and so the sizeof operator
may not be applied. As a quirk of the original implementation of
zero-length arrays, sizeof evaluates to zero."[1]This issue was found with the help of Coccinelle.
[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[2] https://github.com/KSPP/linux/issues/21
[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Marcel Holtmann
20 Feb, 2020
2 commits
-
This patch fix the issue: warning:variable 'passkey' is uninitialized
when used hereLink: https://groups.google.com/forum/#!topic/clang-built-linux/kyRKCjRsGoU
Fixes: cee5f20fece3 ("Bluetooth: secure bluetooth stack from bluedump attack")
Reported-by: kbuild test robot
Suggested-by: Marcel Holtmann
Signed-off-by: Howard Chung
Signed-off-by: Marcel Holtmann -
This reuse the L2CAP MTU auto logic to select the MTU used for RFCOMM
channels, this should increase the maximum from 1013 to 1021 when 3-DH5
is supported.Since it does not set an L2CAP MTU we no longer need a debugfs so that
is removed.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
19 Feb, 2020
1 commit
-
This fixes the invalid check for connected socket which causes the
following trace due to sco_pi(sk)->conn being NULL:RIP: 0010:sco_sock_getsockopt+0x2ff/0x800 net/bluetooth/sco.c:966
L2CAP has also been fixed since it has the same problem.
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
18 Feb, 2020
1 commit
-
Disabling LEGACY_ADV when EXT_ADV is enabled causes
'command disallowed' during DIRECTED_ADV. This Patch fixes this
issue.Signed-off-by: Sathish Narsimman
Signed-off-by: Marcel Holtmann
15 Feb, 2020
1 commit
-
This adds BT_PHY socket option (read-only) which can be used to read
the PHYs in use by the underline connection.Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
14 Feb, 2020
1 commit
-
Attack scenario:
1. A Chromebook (let's call this device A) is paired to a legitimate
Bluetooth classic device (e.g. a speaker) (let's call this device
B).
2. A malicious device (let's call this device C) pretends to be the
Bluetooth speaker by using the same BT address.
3. If device A is not currently connected to device B, device A will
be ready to accept connection from device B in the background
(technically, doing Page Scan).
4. Therefore, device C can initiate connection to device A
(because device A is doing Page Scan) and device A will accept the
connection because device A trusts device C's address which is the
same as device B's address.
5. Device C won't be able to communicate at any high level Bluetooth
profile with device A because device A enforces that device C is
encrypted with their common Link Key, which device C doesn't have.
But device C can initiate pairing with device A with just-works
model without requiring user interaction (there is only pairing
notification). After pairing, device A now trusts device C with a
new different link key, common between device A and C.
6. From now on, device A trusts device C, so device C can at anytime
connect to device A to do any kind of high-level hijacking, e.g.
speaker hijack or mouse/keyboard hijack.Since we don't know whether the repairing is legitimate or not,
leave the decision to user space if all the conditions below are met.
- the pairing is initialized by peer
- the authorization method is just-work
- host already had the link key to the peerSigned-off-by: Howard Chung
Acked-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
05 Feb, 2020
2 commits
-
These 3 macros are never used from first git commit Linux-2.6.12-rc2.
let's remove them.Signed-off-by: Alex Shi
Signed-off-by: Marcel Holtmann -
Prefetch channel before killing sock in order to fix UAF like
BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212
Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com
Fixes: 6c08fc896b60 ("Bluetooth: Fix refcount use-after-free issue")
Cc: Manish Mandlik
Signed-off-by: Hillf Danton
Signed-off-by: Marcel Holtmann
30 Jan, 2020
1 commit
-
Use smp_mb__before_atomic() instead of smp_mb() and avoid the
unnecessary barrier for non LL/SC architectures, such as x86.Signed-off-by: Davidlohr Bueso
Signed-off-by: Marcel Holtmann
