23 Jun, 2013
1 commit
-
The length check is invalid since the length varies with type of
info response.This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
Because of this, l2cap info rsp is not handled and command reject is sent.
> ACL data: handle 11 flags 0x02 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x00b8
Enhanced Retransmission mode
Streaming mode
FCS Option
Fixed Channels
< ACL data: handle 11 flags 0x00 dlen 10
L2CAP(s): Command rej: reason 0
Command not understoodCc: stable@vger.kernel.org
Signed-off-by: Jaganath Kanakkassery
Signed-off-by: Chan-Yeol Park
Acked-by: Johan Hedberg
Signed-off-by: Gustavo Padovan
14 Jun, 2013
1 commit
-
If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
controller, memory corruption happens due to a memcpy() call with
negative length.Fix this crash on either incoming or outgoing connections with a MTU
smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:[ 46.885433] BUG: unable to handle kernel paging request at f56ad000
[ 46.888037] IP: [] memcpy+0x1d/0x40
[ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
[ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
[ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
[ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
[ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
[ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0
[ 46.888037] EIP is at memcpy+0x1d/0x40
[ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
[ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
[ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
[ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 46.888037] DR6: ffff0ff0 DR7: 00000400
[ 46.888037] Stack:
[ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
[ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
[ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
[ 46.888037] Call Trace:
[ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
[ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
[ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth]
[ 46.888037] [] ? trace_hardirqs_off+0xb/0x10
[ 46.888037] [] ? mark_held_locks+0x68/0x110
[ 46.888037] [] ? mutex_lock_nested+0x280/0x360
[ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150
[ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0
[ 46.888037] [] ? mutex_lock_nested+0x268/0x360
[ 46.888037] [] ? trace_hardirqs_on+0xb/0x10
[ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
[ 46.888037] [] ? mark_held_locks+0x68/0x110
[ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150
[ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0
[ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
[ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth]
[ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth]
[ 46.888037] [] process_one_work+0x1a9/0x600
[ 46.888037] [] ? process_one_work+0x12b/0x600
[ 46.888037] [] ? worker_thread+0x19e/0x320
[ 46.888037] [] ? worker_thread+0x19e/0x320
[ 46.888037] [] worker_thread+0xf7/0x320
[ 46.888037] [] ? rescuer_thread+0x290/0x290
[ 46.888037] [] kthread+0xa8/0xb0
[ 46.888037] [] ret_from_kernel_thread+0x1b/0x28
[ 46.888037] [] ? flush_kthread_worker+0x120/0x120
[ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
[ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
[ 46.888037] CR2: 00000000f56ad000
[ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---Signed-off-by: Anderson Lizardo
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo Padovan
Signed-off-by: John W. Linville
12 Jun, 2013
1 commit
-
There has been code in place to check that the L2CAP length header
matches the amount of data received, but many PDU handlers have not been
checking that the data received actually matches that expected by the
specific PDU. This patch adds passing the length header to the specific
handler functions and ensures that those functions fail cleanly in the
case of an incorrect amount of data.Signed-off-by: Johan Hedberg
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo Padovan
Signed-off-by: John W. Linville
24 Apr, 2013
1 commit
-
The CID is fixed to L2CAP ATT channel and so there is no need to hand it
down to the handling function. Just use a constant instead.Signed-off-by: Marcel Holtmann
Acked-by: Johan Hedberg
Signed-off-by: Gustavo Padovan
17 Apr, 2013
2 commits
-
Several sub-modules like HIDP, rfcomm, ... need to track l2cap
connections. The l2cap_conn->hcon->dev object is used as parent for sysfs
devices so the sub-modules need to be notified when the hci_conn object is
removed from sysfs.As submodules normally use the l2cap layer, the l2cap_user objects are
registered there instead of on the underlying hci_conn object. This avoids
any direct dependency on the HCI layer and lets the l2cap core handle any
specifics.This patch introduces l2cap_user objects which contain a "probe" and
"remove" callback. You can register them on any l2cap_conn object and if
it is active, the "probe" callback will get called. Otherwise, an error is
returned.The l2cap_conn object will call your "remove" callback directly before it
is removed from user-space. This allows you to remove your submodules
_before_ the parent l2cap_conn and hci_conn object is removed.At any time you can asynchronously unregister your l2cap_user object if
your submodule vanishes before the l2cap_conn object does.There is no way around l2cap_user. If we want wire-protocols in the
kernel, we always want the hci_conn object as parent in the sysfs tree. We
cannot use a channel here since we might need multiple channels for a
single protocol.
But the problem is, we _must_ get notified when an l2cap_conn object is
removed. We cannot use reference-counting for object-removal! This is not
how it works. If a hardware is removed, we should immediately remove the
object from sysfs. Any other behavior would be inconsistent with the rest
of the system. Also note that device_del() might sleep, but it doesn't
wait for user-space or block very long. It only _unlinks_ the object from
sysfs and the whole device-tree. Everything else is handled by ref-counts!
This is exactly what the other sub-modules must do: unlink their devices
when the "remove" l2cap_user callback is called. They should not do any
cleanup or synchronous shutdowns.Signed-off-by: David Herrmann
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
If we want to use l2cap_conn outside of l2cap_core.c, we need refcounting
for these objects. Otherwise, we cannot synchronize l2cap locks with
outside locks and end up with deadlocks.Hence, introduce ref-counting for l2cap_conn objects. This doesn't affect
l2cap internals at all, as they use a direct synchronization.
We also keep a reference to the parent hci_conn for locking purposes as
l2cap_conn depends on this. This doesn't affect the connection itself but
only the lifetime of the (dead) object.Signed-off-by: David Herrmann
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan
12 Apr, 2013
2 commits
-
This patch removes the status parameter of the l2cap_conn_add function.
The parameter 'status' is always 0.Signed-off-by: Claudio Takahasi
Signed-off-by: Gustavo Padovan -
We use _get() and _put() for device ref-counting in the kernel. However,
hci_conn_put() is _not_ used for ref-counting, hence, rename it to
hci_conn_drop() so we can later fix ref-counting and introduce
hci_conn_put().hci_conn_hold() and hci_conn_put() are currently used to manage how long a
connection should be held alive. When the last user drops the connection,
we spawn a delayed work that performs the disconnect. Obviously, this has
nothing to do with ref-counting for the _object_ but rather for the
keep-alive of the connection.But we really _need_ proper ref-counting for the _object_ to allow
connection-users like rfcomm-tty, HIDP or others.Signed-off-by: David Herrmann
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan
31 Jan, 2013
1 commit
-
…etooth/bluetooth-next
10 Jan, 2013
2 commits
-
If remote device sends l2cap info request before read_remote_ext_feature
completes then mgmt_connected will be sent in hci_acldata_packet() and
remote name request wont be sent and eventually authentication wont happenHcidump log of the issue
< HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr BC:85:1F:74:7F:29 ptype 0xcc18 rswitch 0x01 clkoffset 0x4bf7 (valid)
Packet type: DM1 DM3 DM5 DH1 DH3 DH5
> HCI Event: Command Status (0x0f) plen 4
Create Connection (0x01|0x0005) status 0x00 ncmd 1
> HCI Event: Connect Complete (0x03) plen 11
status 0x00 handle 12 bdaddr BC:85:1F:74:7F:29 type ACL encrypt 0x00
< HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
handle 12
> HCI Event: Command Status (0x0f) plen 4
Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
> HCI Event: Read Remote Supported Features (0x0b) plen 11
status 0x00 handle 12
Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
> HCI Event: Max Slots Change (0x1b) plen 3
handle 12 slots 5
< HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
handle 12 page 1
> HCI Event: Command Status (0x0f) plen 4
Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
> ACL data: handle 12 flags 0x02 dlen 10
L2CAP(s): Info req: type 2
< ACL data: handle 12 flags 0x00 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x00b8
Enhanced Retransmission mode
Streaming mode
FCS Option
Fixed Channels
> HCI Event: Read Remote Extended Features (0x23) plen 13
status 0x00 handle 12 page 1 max 1
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> ACL data: handle 12 flags 0x02 dlen 10
L2CAP(s): Info req: type 3
< ACL data: handle 12 flags 0x00 dlen 20
L2CAP(s): Info rsp: type 3 result 0
Fixed channel list 0x00000002
L2CAP Signalling Channel
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 12 packets 2This patch moves sending mgmt_connected from hci_acldata_packet() to
l2cap_connect_req() since this code is to handle the scenario remote
device sends l2cap connect req too fastSigned-off-by: Jaganath Kanakkassery
Signed-off-by: Gustavo Padovan -
Remove code which cannot execute. l2cap_conn_add for AMP_LINK
might only be invoked when receiving data in l2cap_recv_acldata.
But this case is checked in the first statement there.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan
04 Dec, 2012
5 commits
-
Make code more readable by changing CONF_NO_FCS_RECV which is read
as "No L2CAP FCS option received" to CONF_RECV_NO_FCS which means
"Received L2CAP option NO_FCS". This flag really means that we have
received L2CAP FRAME CHECK SEQUENCE (FCS) OPTION with value "No FCS".Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
Process L2CAP Config rsp Pending with FCS Option 0x00 (No FCS)
which is sent by Motorola Windows 7 Bluetooth stack. The trace
is shown below (all other options are skipped)....
< ACL data: handle 1 flags 0x00 dlen 48
L2CAP(s): Config req: dcid 0x0043 flags 0x00 clen 36
...
FCS Option 0x00 (No FCS)
> ACL data: handle 1 flags 0x02 dlen 48
L2CAP(s): Config req: dcid 0x0041 flags 0x00 clen 36
...
FCS Option 0x01 (CRC16 Check)
< ACL data: handle 1 flags 0x00 dlen 47
L2CAP(s): Config rsp: scid 0x0043 flags 0x00 result 4 clen 33
Pending
...
> ACL data: handle 1 flags 0x02 dlen 50
L2CAP(s): Config rsp: scid 0x0041 flags 0x00 result 4 clen 36
Pending
...
FCS Option 0x00 (No FCS)
< ACL data: handle 1 flags 0x00 dlen 14
L2CAP(s): Config rsp: scid 0x0043 flags 0x00 result 0 clen 0
Success
> ACL data: handle 1 flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0041 flags 0x00 result 0 clen 0
Success
...Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
If L2CAP_FEAT_FCS is not supported we sould miss EWS option
configuration because of break. Make code more readable by
combining FCS configuration in the single block.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
Before starting quering remote AMP controllers make sure
that there is local active AMP controller.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
l2cap_send_disconn_req takes 3 parameters of which conn might be
derived from chan. Make this conversion inside l2cap_send_disconn_req.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan
21 Nov, 2012
3 commits
-
When receiving L2CAP Create Channel Request set the channel as
L2CAP_FCS_NONE. Then in "L2CAP Config req" following field will
be set: "FCS Option 0x00 (No FCS)". So by default High Speed
channels have no FCS.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
Instead of printing:
"[ 7763.082007] Bluetooth: 2"
print something like:
"[ 7763.082007] Bluetooth: Trailing bytes: 2 in sframe"Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
When receiving Physical Link Completed event we need to create L2CAP
channel with L2CAP Create Chan Request. Current code was sending
this command only if connection was pending (which is probably
needed in channel move case). If channel is not moved but created
Create Chan should be sent for outgoing channel which is checked
with BT_CONNECT flag.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan
20 Nov, 2012
5 commits
-
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Set chan->fcs to L2CAP_FCS_NONE only for new L2CAP channels
(not moved). Other side can still request to use FCS.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Remove locking from l2cap_physical_cfm and lock chan inside
amp_physical_cfm.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
local_amp_id is already set in l2cap_connect() which is called several
lines above.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Use helper instead of test_bit. This is the only place left using
test CONF_CONNECT_PEND flag.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan
02 Nov, 2012
12 commits
-
Since we have started to use local_amp_id for local AMP
Controller Id it makes sense to rename ctrl_id to remote_amp_id
since it represents remote AMP controller Id.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
Add processing L2CAP Create Chan Request. When channel is created
save associated high speed link hs_hcon.Signed-off-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
When deciding whether to send EFS configuration response with success,
check rather for existence of High Speed physical link hs_hcon then
ctrl_id. There might be cases when there is ctrl_id but high speed link
is not established yet.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Disconnect logical link for high speed channel hs_hchan
associated with L2CAP channel chan.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
After physical link is created logical link needs to be created.
The process starts after L2CAP channel is created and L2CAP
Configuration Response with result PENDING is received.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
l2cap_chan already keeps information about *_amp_id.
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Return L2CAP_CREATE_CHAN_RSP for Create Channel Request and
L2CAP_CONN_RSP for Create Connection Request.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
When logical link creation is completed we need to save hs_hchan
which represents logical link instead of hs_hcon representing
physical link. hs_hcon shall be saved when receiving physical link
complete event.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
After receiving HCI Logical Link Complete event finish EFS
configuration by sending L2CAP Conf Response with success code.Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
There is helper function used to send EFS Configuration Response.
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Assignment is not needed here since err is always gets value.
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan
24 Oct, 2012
4 commits
-
Channel moves are triggered by changes to the BT_CHANNEL_POLICY
sockopt when an ERTM or streaming-mode channel is connected.Moves are only started if enable_hs is true.
Signed-off-by: Mat Martineau
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
Do not retransmit previously-sent data when a "receiver ready" s-frame
with the "final" flag is received during a move.The ERTM state machines will resynchronize at the end of a channel
move, and the state machine needs to avoid state changes during a
move.Signed-off-by: Mat Martineau
Acked-by: Marcel Holtmann
Acked-by: Andrei Emeltchenko
Signed-off-by: Gustavo Padovan -
When operating over BR/EDR, ERTM accounts for the maximum over-the-air
packet size when setting the PDU size. AMP controllers do not use the
same over-the-air packets, so the PDU size should only be based on the
HCI MTU of the AMP controller.Signed-off-by: Mat Martineau
Signed-off-by: Andrei Emeltchenko
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan -
The L2CAP spec recommends specific retransmit and monitor timeouts for
ERTM channels that are on AMP controllers. These timeouts are
calculated from the AMP controller's best effort flush timeout.BR/EDR controllers use the default retransmit and monitor timeouts.
Signed-off-by: Mat Martineau
Acked-by: Marcel Holtmann
Signed-off-by: Gustavo Padovan