From 9437d2edc39ed8f7e40536281ee53ec3fd5a14ca Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 7 Dec 2014 20:13:17 +0100 Subject: Bluetooth: Fix generation of non-resolvable private addresses When the host decides to use a non-resolvable private address, it must ensure that this generated address does not match the public address of the controller. Add an extra check to ensure this required behavior. In addition rename the variable from urpa to nrpa and fix all of the comments in the code that use the term unresolvable instead of the term non-resolvable as used in the Bluetooth specification. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- net/bluetooth/mgmt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index a91e484886fe..44b20deb6038 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -3791,7 +3791,7 @@ static bool trigger_discovery(struct hci_request *req, u8 *status) /* All active scans will be done with either a resolvable * private address (when privacy feature has been enabled) - * or unresolvable private address. + * or non-resolvable private address. */ err = hci_update_random_address(req, true, &own_addr_type); if (err < 0) { -- cgit v1.2.3 From 3ad675827f4a3623b7fc51ffe8fdb0347b3cbc53 Mon Sep 17 00:00:00 2001 
From: Jaganath Kanakkassery Date: Thu, 11 Dec 2014 11:43:12 +0530 Subject: Bluetooth: Fix missing hci_dev_lock/unlock in mgmt req_complete() mgmt_pending_remove() should be called with hci_dev_lock protection and currently the rule to take dev lock is that all mgmt req_complete functions should take dev lock. So this patch fixes the same in the missing functions Without this patch there is a chance of invalid memory access while accessing the mgmt_pending list like below bluetoothd: 392] [0] Backtrace: bluetoothd: 392] [0] [] (pending_eir_or_class+0x0/0x68) from [] (add_uuid+0x34/0x1c4) bluetoothd: 392] [0] [] (add_uuid+0x0/0x1c4) from [] (mgmt_control+0x204/0x274) bluetoothd: 392] [0] [] (mgmt_control+0x0/0x274) from [] (hci_sock_sendmsg+0x80/0x308) bluetoothd: 392] [0] [] (hci_sock_sendmsg+0x0/0x308) from [] (sock_aio_write+0x144/0x174) bluetoothd: 392] [0] r8:00000000 r7 7c1be90 r6 7c1be18 r5:00000017 r4 a90ea80 bluetoothd: 392] [0] [] (sock_aio_write+0x0/0x174) from [] (do_sync_write+0xb0/0xe0) bluetoothd: 392] [0] [] (do_sync_write+0x0/0xe0) from [] (vfs_write+0x134/0x13c) bluetoothd: 392] [0] r8:00000000 r7 7c1bf70 r6:beeca5c8 r5:00000017 r4 7c05900 bluetoothd: 392] [0] [] (vfs_write+0x0/0x13c) from [] (sys_write+0x44/0x70) bluetoothd: 392] [0] r8:00000000 r7:00000004 r6:00000017 r5:beeca5c8 r4 7c05900 bluetoothd: 392] [0] [] (sys_write+0x0/0x70) from [] (ret_fast_syscall+0x0/0x30) bluetoothd: 392] [0] r9 7c1a000 r8:c000e568 r6:400b5f10 r5:403896d8 r4:beeca604 bluetoothd: 392] [0] Code: e28cc00c e152000c 0a00000f e3a00001 (e1d210b8) bluetoothd: 392] [0] ---[ end trace 67b6ac67435864c4 ]--- bluetoothd: 392] [0] Kernel panic - not syncing: Fatal exception Signed-off-by: Jaganath Kanakkassery Signed-off-by: Marcel Holtmann --- net/bluetooth/mgmt.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 44b20deb6038..16ac03730f4d 100644 
--- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -2199,12 +2199,14 @@ static void le_enable_complete(struct hci_dev *hdev, u8 status) { struct cmd_lookup match = { NULL, hdev }; + hci_dev_lock(hdev); + if (status) { u8 mgmt_err = mgmt_status(status); mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp, &mgmt_err); - return; + goto unlock; } mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match); @@ -2222,17 +2224,16 @@ static void le_enable_complete(struct hci_dev *hdev, u8 status) if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) { struct hci_request req; - hci_dev_lock(hdev); - hci_req_init(&req, hdev); update_adv_data(&req); update_scan_rsp_data(&req); hci_req_run(&req, NULL); hci_update_background_scan(hdev); - - hci_dev_unlock(hdev); } + +unlock: + hci_dev_unlock(hdev); } static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) @@ -4279,12 +4280,14 @@ static void set_advertising_complete(struct hci_dev *hdev, u8 status) { struct cmd_lookup match = { NULL, hdev }; + hci_dev_lock(hdev); + if (status) { u8 mgmt_err = mgmt_status(status); mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, cmd_status_rsp, &mgmt_err); - return; + goto unlock; } if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) @@ -4299,6 +4302,9 @@ static void set_advertising_complete(struct hci_dev *hdev, u8 status) if (match.sk) sock_put(match.sk); + +unlock: + hci_dev_unlock(hdev); } static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data, -- cgit v1.2.3 From 15013aeb63fb4df7ff809d63246c8398e9703736 Mon Sep 17 00:00:00 2001 From: Johan Hedberg Date: Thu, 11 Dec 2014 21:45:44 +0200 Subject: Bluetooth: Fix calling hci_conn_put too early The pairing_complete() function relies on a hci_conn reference to be able to access the hci_conn object. It should therefore only release this reference once it's done accessing the object, i.e. at the end of the function. Signed-off-by: Johan Hedberg 
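Review bot: The `hci_dev_lock(hdev)` added at the top of le_enable_complete (hunk @@ -2199) and set_advertising_complete (hunk @@ -4279) is not explained anywhere in the code, so the next person to touch the error path may see an early `return` as harmless and reintroduce the unlocked mgmt_pending_foreach() this series is fixing; a one-line comment above the lock, `/* mgmt_pending_foreach() walks the mgmt_pending list and needs hci_dev_lock */`, would pin the requirement. The `goto unlock` on the status-error path skips the `if (match.sk) sock_put(match.sk);` seen in the set_advertising_complete hunk, which is fine only because `match.sk` is presumably populated by settings_rsp, which never runs on that path; worth confirming. Both functions' bodies continue outside these hunks.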
Signed-off-by: Marcel Holtmann --- net/bluetooth/mgmt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 16ac03730f4d..34da65ccc888 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -3115,14 +3115,14 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status) conn->disconn_cfm_cb = NULL; hci_conn_drop(conn); - hci_conn_put(conn); - mgmt_pending_remove(cmd); /* The device is paired so there is no need to remove * its connection parameters anymore. */ clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags); + + hci_conn_put(conn); } void mgmt_smp_complete(struct hci_conn *conn, bool complete) -- cgit v1.2.3 From a511b35ba4f02cca526c7239723c48445a8b127d Mon Sep 17 00:00:00 2001 From: Johan Hedberg Date: Thu, 11 Dec 2014 21:45:45 +0200 Subject: Bluetooth: Fix incorrect pending cmd removal in pairing_complete() The pairing_complete() function is used as a pending mgmt command cmd_complete callback. The expectation of such functions is that they are not responsible themselves for calling mgmt_pending_remove(). This patch fixes the incorrect mgmt_pending_remove() call in pairing_complete() and adds it to the appropriate changes. Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann --- net/bluetooth/mgmt.c | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 34da65ccc888..827107d5a424 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -3115,7 +3115,6 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status) conn->disconn_cfm_cb = NULL; hci_conn_drop(conn); - mgmt_pending_remove(cmd); /* The device is paired so there is no need to remove * its connection parameters anymore. 
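Review bot: Moving `hci_conn_put(conn)` after `clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags)` fixes the use-after-free, but nothing at the new position says why the call must stay last, so a later cleanup could move it back next to `hci_conn_drop(conn)` and silently reopen the bug. A comment above the call would pin the ordering, e.g. `/* Release the hci_conn reference last: conn is dereferenced right above */`. pairing_complete starts outside this hunk.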
@@ -3131,8 +3130,10 @@ void mgmt_smp_complete(struct hci_conn *conn, bool complete) struct pending_cmd *cmd; cmd = find_pairing(conn); - if (cmd) + if (cmd) { cmd->cmd_complete(cmd, status); + mgmt_pending_remove(cmd); + } } static void pairing_complete_cb(struct hci_conn *conn, u8 status) @@ -3142,10 +3143,13 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status) BT_DBG("status %u", status); cmd = find_pairing(conn); - if (!cmd) + if (!cmd) { BT_DBG("Unable to find a pending command"); - else - cmd->cmd_complete(cmd, mgmt_status(status)); + return; + } + + cmd->cmd_complete(cmd, mgmt_status(status)); + mgmt_pending_remove(cmd); } static void le_pairing_complete_cb(struct hci_conn *conn, u8 status) @@ -3158,10 +3162,13 @@ static void le_pairing_complete_cb(struct hci_conn *conn, u8 status) return; cmd = find_pairing(conn); - if (!cmd) + if (!cmd) { BT_DBG("Unable to find a pending command"); - else - cmd->cmd_complete(cmd, mgmt_status(status)); + return; + } + + cmd->cmd_complete(cmd, mgmt_status(status)); + mgmt_pending_remove(cmd); } static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, @@ -3275,8 +3282,10 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, cmd->user_data = hci_conn_get(conn); if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) && - hci_conn_security(conn, sec_level, auth_type, true)) - pairing_complete(cmd, 0); + hci_conn_security(conn, sec_level, auth_type, true)) { + cmd->cmd_complete(cmd, 0); + mgmt_pending_remove(cmd); + } err = 0; @@ -3318,7 +3327,8 @@ static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data, goto unlock; } - pairing_complete(cmd, MGMT_STATUS_CANCELLED); + cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED); + mgmt_pending_remove(cmd); err = cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0, addr, sizeof(*addr)); 
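Review bot: The contract this commit introduces — a cmd_complete callback must not call mgmt_pending_remove(), the caller does it — is applied at every call site (mgmt_smp_complete, pairing_complete_cb, le_pairing_complete_cb, pair_device and cancel_pair_device here, mgmt_auth_failed in the next hunk) but is stated nowhere in the code, so a future callback that removes its own entry would cause a double free; a comment on the callback definition, pairing_complete (outside these hunks), such as `/* cmd_complete callback: the caller owns cmd and calls mgmt_pending_remove() */`, would document it. Each site now calls mgmt_pending_remove() directly, which per the hci_dev_lock commit earlier in this series must run under hci_dev_lock; whether the hci_conn callbacks mgmt_smp_complete, pairing_complete_cb and le_pairing_complete_cb are invoked with that lock held is not visible here and is worth confirming. The `cmd->cmd_complete(cmd, status); mgmt_pending_remove(cmd);` pair is repeated six times and would read better as one small static helper.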
@@ -6687,8 +6697,10 @@ void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status) mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev), cmd ? cmd->sk : NULL); - if (cmd) - pairing_complete(cmd, status); + if (cmd) { + cmd->cmd_complete(cmd, status); + mgmt_pending_remove(cmd); + } } void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status) -- cgit v1.2.3 From ec6f99b807e4bd50566c48fff8994da2fb1bf9fe Mon Sep 17 00:00:00 2001 From: Johan Hedberg Date: Fri, 12 Dec 2014 13:30:11 +0200 Subject: Bluetooth: Fix enabling BR/EDR SC when powering on If we're in the AUTO_OFF stage the powered_update_hci() function is responsible for doing the updates to the HCI state that were not done during the actual mgmt command handlers. One of the updates needing done is for BR/EDR SC support. This patch adds the missing HCI command for SC support to the powered_update_hci() function. Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann --- net/bluetooth/mgmt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 827107d5a424..1e33880ed562 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -6097,6 +6097,11 @@ static int powered_update_hci(struct hci_dev *hdev) hci_req_add(&req, HCI_OP_WRITE_SSP_MODE, 1, &ssp); } + if (bredr_sc_enabled(hdev) && !lmp_host_sc_capable(hdev)) { + u8 sc = 0x01; + hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, sizeof(sc), &sc); + } + if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags) && lmp_bredr_capable(hdev)) { struct hci_cp_write_le_host_supported cp; -- cgit v1.2.3 From 9845904fd489288bcf693642c1b31cc463c0b660 Mon Sep 17 00:00:00 2001 
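Review bot: In the new SC block in powered_update_hci the declaration `u8 sc = 0x01;` is immediately followed by the `hci_req_add()` call with no blank line, which kernel style (and checkpatch) flags; the neighbouring SSP block above is the template to follow. The new call also passes `sizeof(sc)` while the SSP line two lines up passes the literal `1` for the same one-byte payload — either form is fine, but the two adjacent blocks should agree. A short comment such as `/* Like SSP above, apply the SC setting mgmt recorded while in AUTO_OFF */` would tie the block to the commit's rationale; powered_update_hci starts and ends outside this hunk.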
From: Johan Hedberg Date: Fri, 12 Dec 2014 11:15:21 +0200 Subject: Bluetooth: Fix mgmt response status when removing adapter When an adapter is removed (hci_unregister_dev) any pending mgmt commands for that adapter should get the appropriate INVALID_INDEX response. Since hci_unregister_dev() calls hci_dev_do_close() first that'd so far have caused "not powered" responses to be sent. Skipping the HCI_UNREGISTER case in mgmt_powered() is also not a solution since before reaching the mgmt_index_removed() stage any hci_conn callbacks (e.g. used by pairing) will get called, thereby causing "disconnected" status responses to be sent. The fix that covers all scenarios is to handle both INVALID_INDEX and NOT_POWERED responses through the mgmt_powered() function. The INVALID_INDEX response sending from mgmt_index_removed() is left untouched since there are a couple of places not related to powering off or removing an adapter that call it (e.g. configuring a new bdaddr). Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann --- net/bluetooth/mgmt.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 1e33880ed562..23a0ca5a4737 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -6151,8 +6151,7 @@ static int powered_update_hci(struct hci_dev *hdev) int mgmt_powered(struct hci_dev *hdev, u8 powered) { struct cmd_lookup match = { NULL, hdev }; - u8 status_not_powered = MGMT_STATUS_NOT_POWERED; - u8 zero_cod[] = { 0, 0, 0 }; + u8 status, zero_cod[] = { 0, 0, 0 }; int err; if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 
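Review bot: Folding the new variable into the array declaration, `u8 status, zero_cod[] = { 0, 0, 0 };`, puts an uninitialised scalar and an initialised array on one line; one declaration per line, `u8 status;` followed by `u8 zero_cod[] = { 0, 0, 0 };`, keeps them readable and matches the two lines it replaces. `status` is assigned on both arms of the if/else in the later hunk (@@ -6168) before its only use, so there is no uninitialised read. mgmt_powered's body continues outside this hunk.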
@@ -6168,7 +6167,20 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered) } mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); - mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status_not_powered); + + /* If the power off is because of hdev unregistration let + * use the appropriate INVALID_INDEX status. Otherwise use + * NOT_POWERED. We cover both scenarios here since later in + * mgmt_index_removed() any hci_conn callbacks will have already + * been triggered, potentially causing misleading DISCONNECTED + * status responses. + */ + if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) + status = MGMT_STATUS_INVALID_INDEX; + else + status = MGMT_STATUS_NOT_POWERED; + + mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, -- cgit v1.2.3 From ea8ae2516ac43028a01c40b58ffa80d3b0afb802 Mon Sep 17 00:00:00 2001 
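Review bot: The new comment block reads "If the power off is because of hdev unregistration let use the appropriate INVALID_INDEX status", which is a typo; `* use the appropriate INVALID_INDEX status. Otherwise use` after dropping "let" (or "let us use") would read correctly. The INVALID_INDEX selection relies on HCI_UNREGISTER already being set in `hdev->dev_flags` when hci_dev_do_close() reaches mgmt_powered(); the commit message asserts that ordering but this page does not show it, so it is worth confirming against hci_unregister_dev(). mgmt_powered's body continues outside this hunk.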
From: Marcel Holtmann Date: Wed, 17 Dec 2014 18:18:08 +0100 Subject: Bluetooth: Fix bug with filter in service discovery optimization MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The optimization for filtering out extended inquiry results, advertising reports or scan response data based on provided UUID list has a logic bug. In case no match is found in the advertising data, the scan response is ignored and not checked against the filter. This will lead to events being filtered wrongly. Change the code to actually only drop the events when the scan response data is not present. If it is present, it needs to be checked against the provided filter. The patch is a bit more complex than it needs to be. That is because it also fixes this compiler warning that some gcc versions produce. CC net/bluetooth/mgmt.o net/bluetooth/mgmt.c: In function ‘mgmt_device_found’: net/bluetooth/mgmt.c:7028:7: warning: ‘match’ may be used uninitialized in this function [-Wmaybe-uninitialized] bool match; ^ It seems that gcc can not clearly figure out the context of the match variable. So just change the branches for the extended inquiry response and advertising data around so that it is clear. Reported-by: Geert Uytterhoeven Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- net/bluetooth/mgmt.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'net/bluetooth/mgmt.c') diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 06c2e652e4b6..693ce8bcd06e 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c 
@@ -7081,13 +7081,15 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, * kept and checking possible scan response data * will be skipped. */ - if (hdev->discovery.uuid_count > 0) { + if (hdev->discovery.uuid_count > 0) match = eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count, hdev->discovery.uuids); - if (!match) - return; - } + else + match = true; + + if (!match && !scan_rsp_len) + return; /* Copy EIR or advertising data into event */ memcpy(ev->eir, eir, eir_len); @@ -7096,8 +7098,10 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, * provided, results with empty EIR or advertising data * should be dropped since they do not match any UUID. */ - if (hdev->discovery.uuid_count > 0) + if (hdev->discovery.uuid_count > 0 && !scan_rsp_len) return; + + match = false; } if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV)) -- cgit v1.2.3
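Review bot: The two branches now disagree on what `match` means when no UUID filter is configured: the EIR branch (hunk @@ -7081) sets `match = true` when `hdev->discovery.uuid_count` is 0, while the empty-EIR branch (hunk @@ -7096) unconditionally sets `match = false`. If the scan-response handling further down (outside these hunks) keys on `!match` alone, an unfiltered result with empty EIR would be treated as a filter miss; if it re-checks `uuid_count` there, the value is harmless but the asymmetry is confusing. Either confirm the later check or make the branches agree, e.g. `match = hdev->discovery.uuid_count == 0;` in place of `match = false;`, with a comment saying the scan response still has to be checked. mgmt_device_found starts and ends outside these hunks.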