04 Nov, 2018
1 commit
-
[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
In case unpair_device() was called through mgmt interface at the same time
when pairing was in progress, Bluetooth kernel module crash was seen.[ 600.351225] general protection fault: 0000 [#1] SMP PTI
[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1
[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
[ 600.351302] Call Trace:
[ 600.351325] smp_failure+0x4f/0x70 [bluetooth]
[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth]
[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth]
[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
[ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20
[ 600.351417] sock_sendmsg+0x3e/0x50
[ 600.351422] sock_write_iter+0x85/0xf0
[ 600.351429] do_iter_readv_writev+0x12b/0x1b0
[ 600.351434] do_iter_write+0x87/0x1a0
[ 600.351439] vfs_writev+0x98/0x110
[ 600.351443] ? ep_poll+0x16d/0x3d0
[ 600.351447] ? ep_modify+0x73/0x170
[ 600.351451] do_writev+0x61/0xf0
[ 600.351455] ? do_writev+0x61/0xf0
[ 600.351460] __x64_sys_writev+0x1c/0x20
[ 600.351465] do_syscall_64+0x5a/0x110
[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 600.351474] RIP: 0033:0x7fb2bdb62fe0
[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
[ 600.351637] ---[ end trace e49e9f1df09c94fb ]---
[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0Crash happened because list_del_rcu() was called twice for smp->ltk. This
was possible if unpair_device was called right after ltk was generated
but before keys were distributed.In this commit smp_cancel_pairing was refactored to cancel pairing if it
is in progress and otherwise just removes keys. Once keys are removed from
rcu list, pointers to smp context's keys are set to NULL to make sure
removed list items are not accessed later.This commit also adjusts the functionality of mgmt unpair_device() little
bit. Previously pairing was canceled only if pairing was in state that
keys were already generated. With this commit unpair_device() cancels
pairing already in earlier states.Bug was found by fuzzing kernel SMP implementation using Synopsys
Defensics.Reported-by: Pekka Oikarainen
Signed-off-by: Matias Karhumaa
Signed-off-by: Johan Hedberg
Signed-off-by: Sasha Levin
20 Oct, 2016
1 commit
-
Append maximum of 10 + 1 bytes of name to scan response data.
Complete name is appended only if exists and is
Signed-off-by: Marcel Holtmann
06 Oct, 2016
1 commit
-
Use eir_append_data to remove code duplication.
Signed-off-by: Michał Narajowski
Signed-off-by: Marcel Holtmann
22 Sep, 2016
2 commits
-
Scan response data should not be updated unless there
is an advertising instance.Signed-off-by: Michał Narajowski
Signed-off-by: Marcel Holtmann -
Adds missing callback assignment to cmd_complete in pending management command
context. Dump path involves security procedure performed on legacy (pre-SSP)
devices with service security requirements set to HIGH (16digits PIN).
It fails when shorter PIN is delivered by user.[ 1.517950] Bluetooth: PIN code is not 16 bytes long
[ 1.518491] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1.518584] IP: [< (null)>] (null)
[ 1.518584] PGD 9e08067 PUD 9fdf067 PMD 0
[ 1.518584] Oops: 0010 [#1] SMP
[ 1.518584] Modules linked in:
[ 1.518584] CPU: 0 PID: 1002 Comm: kworker/u3:2 Not tainted 4.8.0-rc6-354649-gaf4168c #16
[ 1.518584] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[ 1.518584] Workqueue: hci0 hci_rx_work
[ 1.518584] task: ffff880009ce14c0 task.stack: ffff880009e10000
[ 1.518584] RIP: 0010:[] [< (null)>] (null)
[ 1.518584] RSP: 0018:ffff880009e13bc8 EFLAGS: 00010293
[ 1.518584] RAX: 0000000000000000 RBX: ffff880009eed100 RCX: 0000000000000006
[ 1.518584] RDX: ffff880009ddc000 RSI: 0000000000000000 RDI: ffff880009eed100
[ 1.518584] RBP: ffff880009e13be0 R08: 0000000000000000 R09: 0000000000000001
[ 1.518584] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 1.518584] R13: ffff880009e13ccd R14: ffff880009ddc000 R15: ffff880009ddc010
[ 1.518584] FS: 0000000000000000(0000) GS:ffff88000bc00000(0000) knlGS:0000000000000000
[ 1.518584] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.518584] CR2: 0000000000000000 CR3: 0000000009fdd000 CR4: 00000000000006f0
[ 1.518584] Stack:
[ 1.518584] ffffffff81909808 ffff880009e13cce ffff880009e0d40b ffff880009e13c68
[ 1.518584] ffffffff818f428d 00000000024000c0 ffff880009e13c08 ffffffff810ca903
[ 1.518584] ffff880009e13c48 ffffffff811ade34 ffffffff8178c31f ffff880009ee6200
[ 1.518584] Call Trace:
[ 1.518584] [] ? mgmt_pin_code_neg_reply_complete+0x38/0x60
[ 1.518584] [] hci_cmd_complete_evt+0x69d/0x3200
[ 1.518584] [] ? rcu_read_lock_sched_held+0x53/0x60
[ 1.518584] [] ? kmem_cache_alloc+0x1a4/0x200
[ 1.518584] [] ? skb_clone+0x4f/0xa0
[ 1.518584] [] hci_event_packet+0x8e1/0x28e0
[ 1.518584] [] ? _raw_spin_unlock_irqrestore+0x31/0x50
[ 1.518584] [] ? trace_hardirqs_on_caller+0xee/0x1b0
[ 1.518584] [] hci_rx_work+0x1e1/0x5b0
[ 1.518584] [] ? process_one_work+0x1ed/0x6b0
[ 1.518584] [] process_one_work+0x268/0x6b0
[ 1.518584] [] ? process_one_work+0x1ed/0x6b0
[ 1.518584] [] worker_thread+0x43/0x4e0
[ 1.518584] [] ? process_one_work+0x6b0/0x6b0
[ 1.518584] [] ? process_one_work+0x6b0/0x6b0
[ 1.518584] [] kthread+0xdf/0x100
[ 1.518584] [] ret_from_fork+0x1f/0x40
[ 1.518584] [] ? kthread_create_on_node+0x210/0x210Signed-off-by: Arek Lichwa
Signed-off-by: Marcel Holtmann
20 Sep, 2016
20 commits
-
Setting appearance on controllers without LE support will result
in No Supported error.Signed-off-by: Michał Narajowski
Signed-off-by: Johan Hedberg -
This patch adds missing event when setting appearance, just like
in the set local name command.Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
This patch adds EIR data to extended info changed event.
Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
If LE is enabled appearance is added to EIR data.
Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
This will also be used for Extended Information Event handling.
Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
There is no need to allocate heap for reply only to copy stack data to
it. This also fix rp memory leak and missing hdev unlock if kmalloc
failed.Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
Increment the mgmt revision due to the recently added
Read Extended Controller Information and Set Appearance commands.Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
Flags are not allowed in Scan Response.
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
This unifies max length and TLV validity checks.
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
hdev parameter is not used in function.
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
This patch enables prepending appearance value to scan response data.
It also adds support for setting appearance value through mgmt command.
If currently advertised instance has apperance flag set it is expired
immediately.Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
This patch enables appending local name to scan response data. If
currently advertised instance has name flag set it is expired
immediately.Signed-off-by: Michał Narajowski
Signed-off-by: Szymon Janc
Signed-off-by: Marcel Holtmann -
Use kzalloc rather than kmalloc followed by memset with 0.
Generated by: scripts/coccinelle/api/alloc/kzalloc-simple.cocci
Signed-off-by: Wei Yongjun
Signed-off-by: Marcel Holtmann -
This adds device class, complete local name and short local name
to EIR data in Extended Controller Info as specified in docs.Signed-off-by: Michał Narajowski
Signed-off-by: Marcel Holtmann -
This command is used to retrieve the current state and basic
information of a controller. It is typically used right after
getting the response to the Read Controller Index List command
or an Index Added event (or its extended counterparts).When any of the values in the EIR_Data field changes, the event
Extended Controller Information Changed will be used to inform
clients about the updated information.Signed-off-by: Marcel Holtmann
Signed-off-by: Michał Narajowski -
In case of failure, the Set IO Capability command is suppose to return
command status and not command complete.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg -
The address information of the Get Clock Information return parameters
is copying from a different memory location. It uses &cmd->param while
it actually needs to be cmd->param.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg -
Instead of hiding everything behind a general managment events flag,
introduce indivdual flags that allow fine control over which events are
send to a given management channel.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg -
When an Advertising Instance is removed, the Advertising Removed event
shouldn't be sent to the same socket that issued the Remove
Advertising command (it gets a command complete event instead). The
mgmt_advertising_removed() function already has a parameter for
skipping a specific socket, but there was no code to propagate the
right value to this parameter. This patch fixes the issue by making
sure the intermediate hci_req_clear_adv_instance() function gets the
socket pointer.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
The mgmt version information will be also needed for the control
changell tracing feature. This provides a helper to pack them.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
13 Jul, 2016
1 commit
-
Increment the mgmt revision due to the recently added new
reason code for the Disconnected event.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
10 Jul, 2016
1 commit
-
The HCI_BREDR naming is confusing since it actually stands for Primary
Bluetooth Controller. Which is a term that has been used in the latest
standard. However from a legacy point of view there only really have
been Basic Rate (BR) and Enhanced Data Rate (EDR). Recent versions of
Bluetooth introduced Low Energy (LE) and made this terminology a little
bit confused since Dual Mode Controllers include BR/EDR and LE. To
simplify this the name HCI_PRIMARY stands for the Primary Controller
which can be a single mode or dual mode controller.Signed-off-by: Marcel Holtmann
Signed-off-by: Johan Hedberg
11 Mar, 2016
3 commits
-
The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Cc: stable@vger.kernel.org -
Increment the mgmt revision due to the recently added limited
privacy mode.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
Introduce a limited privacy mode indicated by value 0x02 to the mgmt
Set Privacy command.With value 0x02 the kernel will use privacy mode with a resolvable
private address. In case the controller is bondable and discoverable
the identity address will be used.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
06 Jan, 2016
2 commits
-
This patch implements the mgmt Start Limited Discovery command. Most
of existing Start Discovery code is reused since the only difference
is the presence of a 'limited' flag as part of the discovery state.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
To make the EIR parsing helper more general purpose, make it return
the found data and its length rather than just saying whether the data
was present or not.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
10 Dec, 2015
8 commits
-
We can simplify a lot of code by making sure hdev->cur_adv_instance is
always up-to-date. This allows e.g. the removal of the
get_current_adv_instance() helper function and the special
HCI_ADV_CURRENT value. This patch also makes selecting instance 0x00
explicit in the various calls where advertising instances aren't
enabled, e.g. when HCI_ADVERTISING is set or we've just finished
enabling LE.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
This flag just tells us whether hdev->adv_instances is empty or not.
We can equally well use the list_empty() function to get this
information.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
The code in the Read Advertising Features mgmt command handler is
unnecessarily complicated. Clean it up and remove unnecessary
variables & branches.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
The request to update HCI during power on is always coming either from
hdev->req_workqueue or through an ioctl, so it's safe to use
hci_req_sync for it. This way we also eliminate potential races with
incoming mgmt commands or other actions while powering on.Part of this refactoring is the splitting of mgmt_powered() into
mgmt_power_on() and __mgmt_power_off() functions. The main reason is
the different requirements as far as hdev locking is concerned, as
highlighted with the __ prefix of the power off API.Since the power on in the case of clearing the AUTO_OFF flag cannot be
done synchronously in the set_powered mgmt handler, the hci_power_on
work callback is extended to cover this (which also simplifies the
set_powered helper a lot).Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
We'll soon need this both in hci_request.c and mgmt.c so move it to
hci_request.c as a generic helper.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
We'll soon need to update the EIR both from hci_request.c and mgmt.c
so move update_eir() as a more generic request helper to
hci_request.c.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
We'll soon need this both from hci_request.c and mgmt.c so move it as
a request helper function to hci_request.c.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann -
Since the other discoverable changes are behind req_workqueue now it
only makes sense to move the discoverable timeout there as well.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann