| Age | Commit message (Collapse) | Author |
|---|
|
When in sniff mode with a long interval time (1.28s) it can take 4+ seconds to
establish a SCO link. Fix by requesting active mode before requesting SCO
connection. This improves SCO setup time to ~500ms.
Bluetooth headsets that use a long interval time, and exhibit the long SCO
connection time include Motorola H790, HX1 and H17. They have a CSR 2.1 chipset
Verified this behavior and fix with host Bluetooth chipsets: BCM4329 and
TI1271.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
When sk_error_report is called, it wakes up the user-space thread, which then
calls tcp_close. When the tcp_close is interrupted by the tcp_v4_nuke_addr
ioctl thread running tcp_done, it leaks 392 bytes and triggers a WARN_ON.
This patch moves the call to sk_error_report inside the bh_lock_sock, which
matches the locking used in tcp_v4_err.
Signed-off-by: Colin Cross <ccross@android.com>
|
|
Signed-off-by: Robert Love <rlove@google.com>
Signed-off-by: Colin Cross <ccross@android.com>
|
|
To fix a recursive deadlock in 2.6.29, we stopped holding the hash table lock
across tcp_done() calls. This fixed the deadlock, but introduced a race where
the socket could die or change state.
Fix: Before unlocking the hash table, we grab a reference to the socket. We
can then unlock the hash table without risk of the socket going away. We then
lock the socket, which is safe because it is pinned. We can then call
tcp_done() without recursive deadlock and without race. Upon return, we unlock
the socket and then unpin it, killing it.
Change-Id: Idcdae072b48238b01bdbc8823b60310f1976e045
Signed-off-by: Robert Love <rlove@google.com>
Acked-by: Dima Zavin <dima@android.com>
|
|
This patch fixes double pairing issues with SSP.
It was observed that when pairing with SSP bluez asks confirmation
2 times.
http://www.spinics.net/lists/linux-bluetooth/msg02473.html
This also causes bug when we initiate SSP connection from Vista.
The reason is because bluetoothd does not store link keys since
ioctl HCIGETAUTHINFO returns 0. Setting default general
bonding fixes these issues.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko.news@gmail.com>
|
|
The Bluetooth 2.1 specification introduced four different security modes
that can be mapped using Legacy Pairing and Simple Pairing. With the
usage of Simple Pairing it is required that all connections (except
the ones for SDP) are encrypted. So even the low security requirement
mandates an encrypted connection when using Simple Pairing. When using
Legacy Pairing (for Bluetooth 2.0 devices and older) this is not required
since it causes interoperability issues.
To support this properly the low security requirement translates into
different host controller transactions depending if Simple Pairing is
supported or not. However in case of Simple Pairing the command to
switch on encryption after a successful authentication is not triggered
for the low security mode. This patch fixes this and actually makes
the logic to differentiate between Simple Pairing and Legacy Pairing
a lot simpler.
Based on a report by Ville Tervo <ville.tervo@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
This is to support the Motorola HF850 carkit which reports the error code 0x10
for an eSCO attempt, even though it advertises eSCO support. Here is the
hcidump:
2009-09-22 15:40:24.492391 < HCI Command: Setup Synchronous Connection
(0x01|0x0028) plen 17
handle 1 voice setting 0x0060
2009-09-22 15:40:24.493002 > HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
2009-09-22 15:40:30.594869 > HCI Event: Synchronous Connect Complete (0x2c)
plen 17
status 0x10 handle 257 bdaddr 00:50:CD:20:C6:84 type eSCO
Error: Connection Accept Timeout Exceeded
With this patch we will retry with a SCO connection, which succeeds.
Unfortunately the Moto HF850 also takes 5 seconds to return the error for the
eSCO attempt, so it will still take 5 seconds to fallback to SCO with this
patch.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
Processing a RFCOMM UA frame when the socket is closed and we were not the
RFCOMM initiator would cause rfcomm_session_put() to be called twice during
rfcomm_process_rx(). This would cause a kernel panic in rfcomm_session_close.
This could be easily reproduced during disconnect with devices such as
Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect request.
This hcidump for this looks like:
2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets (0x13)
plen 5
handle 1 packets 1
2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets (0x13)
plen 5
handle 1 packets 1
2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041
Avoid calling rfcomm_session_put() twice by skipping this call
in rfcomm_recv_ua() if the socket is closed.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
This reverts commit 6f505dbe5337e49302574f8d2e65fd83e30f9117.
Unfortunately this fix did not address the unbalanced rfcomm_session_put()
call, and panics during this disconnect sequence (with Moto H270)
2009-09-21 17:22:37.384811 < ACL data: handle 1 flags 0x02 dlen 22
L2CAP(d): cid 0x0041 len 18 [psm 3]
RFCOMM(d): UIH: cr 0 dlci 20 pf 0 ilen 14 fcs 0xeb
0000: 0d 0a 2b 43 49 45 56 3a 20 37 2c 33 0d 0a ..+CIEV: 7,3..
2009-09-21 17:22:37.502273 > HCI Event: Number of Completed Packets
(0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets
(0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets
(0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041
2009-09-21 17:22:39.029526 < ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0040 scid 0x0041
2009-09-21 17:22:39.136581 > HCI Event: Number of Completed Packets
(0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:41.337203 > HCI Event: Disconn Complete (0x05) plen 4
status 0x00 handle 1 reason 0x13
Reason: Remote User Terminated Connection
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
Use a different work_struct variables for add_conn() and del_conn() and
use single work queue instead of two for adding and deleting connections.
It eliminates the following error on a preemptible kernel:
[ 204.358032] Unable to handle kernel NULL pointer dereference at virtual address 0000000c
[ 204.370697] pgd = c0004000
[ 204.373443] [0000000c] *pgd=00000000
[ 204.378601] Internal error: Oops: 17 [#1] PREEMPT
[ 204.383361] Modules linked in: vfat fat rfcomm sco l2cap sd_mod scsi_mod iphb pvr2d drm omaplfb ps
[ 204.438537] CPU: 0 Not tainted (2.6.28-maemo2 #1)
[ 204.443664] PC is at klist_put+0x2c/0xb4
[ 204.447601] LR is at klist_put+0x18/0xb4
[ 204.451568] pc : [<c0270f08>] lr : [<c0270ef4>] psr: a0000113
[ 204.451568] sp : cf1b3f10 ip : cf1b3f10 fp : cf1b3f2c
[ 204.463104] r10: 00000000 r9 : 00000000 r8 : bf08029c
[ 204.468353] r7 : c7869200 r6 : cfbe2690 r5 : c78692c8 r4 : 00000001
[ 204.474945] r3 : 00000001 r2 : cf1b2000 r1 : 00000001 r0 : 00000000
[ 204.481506] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 204.488861] Control: 10c5387d Table: 887fc018 DAC: 00000017
[ 204.494628] Process btdelconn (pid: 515, stack limit = 0xcf1b22e0)
Signed-off-by: Roger Quadros <ext-roger.quadros@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
rfcomm_session_del() was being called after session entry removed from list.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
We can't hold the lock while calling to tcp_done(), so we drop
it before calling. We then have to start at the top of the chain again.
Signed-off-by: Dima Zavin <dima@android.com>
|
|
GM carkits with LGE BT chipsets return this error code when eSCO is attempted.
Signed-off-by: Jaikumar Ganesh <jaikumar@google.com>
Acked-by: Nick Pelly <npelly@google.com>
|
|
kernel_sendpage() does the proper default case handling for when the
socket doesn't have a native sendpage implementation.
Now, arguably this might be something that we could instead solve by
just specifying that all protocols should do it themselves at the
protocol level, but we really only care about the common protocols.
Does anybody really care about sendpage on something like Appletalk? Not
likely.
Acked-by: David S. Miller <davem@davemloft.net>
Cc: Julien TINNES <julien@cr0.org>
Cc: Tavis Ormandy <taviso@sdf.lonestar.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
This fixes a bug where shutdown() and close() on a rfcomm socket during ACL
connection would not cause HCI Create Connection Cancel.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
When I fixed the GRO crash in the legacy receive path I used
napi_complete to replace __napi_complete. Unfortunately they're
not the same when NETPOLL is enabled, which may result in us
not calling __napi_complete at all.
What's more, we really do need to keep the __napi_complete call
within the IRQ-off section since in theory an IRQ can occur in
between and fill up the backlog to the maximum, causing us to
lock up.
Since we can't seem to find a fix that works properly right now,
this patch reverts all the GRO support from the netif_rx path.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jack Veenstra <veenstra@android.com>
|
|
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
|
|
Fix compilation of the IPv6 module -- current->euid does not exist anymore,
current_euid() is what needs to be used.
Signed-off-by: Steinar H. Gunderson <sesse@google.com>
|
|
Some platforms do not want to power down rfkill devices on suspend.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
Signed-off-by: Mike Chan <mike@android.com>
|
|
Add a family of knobs to /sys/kernel/ipv4 for controlling the TCP window size:
tcp_wmem_min
tcp_wmem_def
tcp_wmem_max
tcp_rmem_min
tcp_rmem_def
tcp_rmem_max
This six values mirror the sysctl knobs in /proc/sys/net/ipv4/tcp_wmem and
/proc/sys/net/ipv4/tcp_rmem.
Sysfs, unlike sysctl, allows us to set and manage the files' permissions and
owners.
Signed-off-by: Robert Love <rlove@google.com>
|
|
Introduce a new socket ioctl, SIOCKILLADDR, that nukes all sockets
bound to the same local address. This is useful in situations with
dynamic IPs, to kill stuck connections.
Signed-off-by: Brian Swetland <swetland@google.com>
net: fix tcp_v4_nuke_addr
Signed-off-by: Dima Zavin <dima@android.com>
|
|
With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate
network sockets.
Signed-off-by: Robert Love <rlove@google.com>
paranoid networking: Use in_egroup_p() to check group membership
The previous group_search() caused trouble for partners with module builds.
in_egroup_p() is also cleaner.
Signed-off-by: Nick Pelly <npelly@google.com>
Fix 2.6.29 build.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
|
|
Kyocera ED-8800 headset returns this error code when eSCO is attempted.
Signed-off-by: Nick Pelly <npelly@google.com>
|
|
Remove some pointless conditionals before kfree_skb().
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The following commit introduce a regression:
commit 7d0db0a373195385a2e0b19d1f5e4b186fdcffac
Author: Marcel Holtmann <marcel@holtmann.org>
Date: Mon Jul 14 20:13:51 2008 +0200
[Bluetooth] Use a more unique bus name for connections
I get panic as following (by netconsole):
[ 2709.344034] usb 5-1: new full speed USB device using uhci_hcd and address 4
[ 2709.505776] usb 5-1: configuration #1 chosen from 1 choice
[ 2709.569207] Bluetooth: Generic Bluetooth USB driver ver 0.4
[ 2709.570169] usbcore: registered new interface driver btusb
[ 2845.742781] BUG: unable to handle kernel paging request at 6b6b6c2f
[ 2845.742958] IP: [<c015515c>] __lock_acquire+0x6c/0xa80
[ 2845.743087] *pde = 00000000
[ 2845.743206] Oops: 0002 [#1] SMP
[ 2845.743377] last sysfs file: /sys/class/bluetooth/hci0/hci0:6/type
[ 2845.743742] Modules linked in: btusb netconsole snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss rfcomm l2cap bluetooth vfat fuse snd_hda_codec_idt snd_hda_intel snd_hda_codec snd_hwdep snd_pcm pl2303 snd_timer psmouse usbserial snd 3c59x e100 serio_raw soundcore i2c_i801 intel_agp mii agpgart snd_page_alloc rtc_cmos rtc_core thermal processor rtc_lib button thermal_sys sg evdev
[ 2845.743742]
[ 2845.743742] Pid: 0, comm: swapper Not tainted (2.6.29-rc5-smp #54) Dell DM051
[ 2845.743742] EIP: 0060:[<c015515c>] EFLAGS: 00010002 CPU: 0
[ 2845.743742] EIP is at __lock_acquire+0x6c/0xa80
[ 2845.743742] EAX: 00000046 EBX: 00000046 ECX: 6b6b6b6b EDX: 00000002
[ 2845.743742] ESI: 6b6b6b6b EDI: 00000000 EBP: c064fd14 ESP: c064fcc8
[ 2845.743742] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 2845.743742] Process swapper (pid: 0, ti=c064e000 task=c05d1400 task.ti=c064e000)
[ 2845.743742] Stack:
[ 2845.743742] c05d1400 00000002 c05d1400 00000001 00000002 00000000 f65388dc c05d1400
[ 2845.743742] 6b6b6b6b 00000292 c064fd0c c0153732 00000000 00000000 00000001 f700fa50
[ 2845.743742] 00000046 00000000 00000000 c064fd40 c0155be6 00000000 00000002 00000001
[ 2845.743742] Call Trace:
[ 2845.743742] [<c0153732>] ? trace_hardirqs_on_caller+0x72/0x1c0
[ 2845.743742] [<c0155be6>] ? lock_acquire+0x76/0xa0
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c046c885>] ? _spin_lock_irqsave+0x45/0x80
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1f94>] ? skb_queue_purge+0x14/0x20
[ 2845.743742] [<f8171f5a>] ? hci_conn_del+0x10a/0x1c0 [bluetooth]
[ 2845.743742] [<f81399c9>] ? l2cap_disconn_ind+0x59/0xb0 [l2cap]
[ 2845.743742] [<f81795ce>] ? hci_conn_del_sysfs+0x8e/0xd0 [bluetooth]
[ 2845.743742] [<f8175758>] ? hci_event_packet+0x5f8/0x31c0 [bluetooth]
[ 2845.743742] [<c03dfe19>] ? sock_def_readable+0x59/0x80
[ 2845.743742] [<c046c14d>] ? _read_unlock+0x1d/0x20
[ 2845.743742] [<f8178aa9>] ? hci_send_to_sock+0xe9/0x1d0 [bluetooth]
[ 2845.743742] [<c015388b>] ? trace_hardirqs_on+0xb/0x10
[ 2845.743742] [<f816fa6a>] ? hci_rx_task+0x2ba/0x490 [bluetooth]
[ 2845.743742] [<c0133661>] ? tasklet_action+0x31/0xc0
[ 2845.743742] [<c013367c>] ? tasklet_action+0x4c/0xc0
[ 2845.743742] [<c0132eb7>] ? __do_softirq+0xa7/0x170
[ 2845.743742] [<c0116dec>] ? ack_apic_level+0x5c/0x1c0
[ 2845.743742] [<c0132fd7>] ? do_softirq+0x57/0x60
[ 2845.743742] [<c01333dc>] ? irq_exit+0x7c/0x90
[ 2845.743742] [<c01055bb>] ? do_IRQ+0x4b/0x90
[ 2845.743742] [<c01333d5>] ? irq_exit+0x75/0x90
[ 2845.743742] [<c010392c>] ? common_interrupt+0x2c/0x34
[ 2845.743742] [<c010a14f>] ? mwait_idle+0x4f/0x70
[ 2845.743742] [<c0101c05>] ? cpu_idle+0x65/0xb0
[ 2845.743742] [<c045731e>] ? rest_init+0x4e/0x60
[ 2845.743742] Code: 0f 84 69 02 00 00 83 ff 07 0f 87 1e 06 00 00 85 ff 0f 85 08 05 00 00 8b 4d cc 8b 49 04 85 c9 89 4d d4 0f 84 f7 04 00 00 8b 75 d4 <f0> ff 86 c4 00 00 00 89 f0 e8 56 a9 ff ff 85 c0 0f 85 6e 03 00
[ 2845.743742] EIP: [<c015515c>] __lock_acquire+0x6c/0xa80 SS:ESP 0068:c064fcc8
[ 2845.743742] ---[ end trace 4c985b38f022279f ]---
[ 2845.743742] Kernel panic - not syncing: Fatal exception in interrupt
[ 2845.743742] ------------[ cut here ]------------
[ 2845.743742] WARNING: at kernel/smp.c:329 smp_call_function_many+0x151/0x200()
[ 2845.743742] Hardware name: Dell DM051
[ 2845.743742] Modules linked in: btusb netconsole snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss rfcomm l2cap bluetooth vfat fuse snd_hda_codec_idt snd_hda_intel snd_hda_codec snd_hwdep snd_pcm pl2303 snd_timer psmouse usbserial snd 3c59x e100 serio_raw soundcore i2c_i801 intel_agp mii agpgart snd_page_alloc rtc_cmos rtc_core thermal processor rtc_lib button thermal_sys sg evdev
[ 2845.743742] Pid: 0, comm: swapper Tainted: G D 2.6.29-rc5-smp #54
[ 2845.743742] Call Trace:
[ 2845.743742] [<c012e076>] warn_slowpath+0x86/0xa0
[ 2845.743742] [<c015041b>] ? trace_hardirqs_off+0xb/0x10
[ 2845.743742] [<c0146384>] ? up+0x14/0x40
[ 2845.743742] [<c012e661>] ? release_console_sem+0x31/0x1e0
[ 2845.743742] [<c046c8ab>] ? _spin_lock_irqsave+0x6b/0x80
[ 2845.743742] [<c015041b>] ? trace_hardirqs_off+0xb/0x10
[ 2845.743742] [<c046c900>] ? _read_lock_irqsave+0x40/0x80
[ 2845.743742] [<c012e7f2>] ? release_console_sem+0x1c2/0x1e0
[ 2845.743742] [<c0146384>] ? up+0x14/0x40
[ 2845.743742] [<c015041b>] ? trace_hardirqs_off+0xb/0x10
[ 2845.743742] [<c046a3d7>] ? __mutex_unlock_slowpath+0x97/0x160
[ 2845.743742] [<c046a563>] ? mutex_trylock+0xb3/0x180
[ 2845.743742] [<c046a4a8>] ? mutex_unlock+0x8/0x10
[ 2845.743742] [<c015b991>] smp_call_function_many+0x151/0x200
[ 2845.743742] [<c010a1a0>] ? stop_this_cpu+0x0/0x40
[ 2845.743742] [<c015ba61>] smp_call_function+0x21/0x30
[ 2845.743742] [<c01137ae>] native_smp_send_stop+0x1e/0x50
[ 2845.743742] [<c012e0f5>] panic+0x55/0x110
[ 2845.743742] [<c01065a8>] oops_end+0xb8/0xc0
[ 2845.743742] [<c010668f>] die+0x4f/0x70
[ 2845.743742] [<c011a8c9>] do_page_fault+0x269/0x610
[ 2845.743742] [<c011a660>] ? do_page_fault+0x0/0x610
[ 2845.743742] [<c046cbaf>] error_code+0x77/0x7c
[ 2845.743742] [<c015515c>] ? __lock_acquire+0x6c/0xa80
[ 2845.743742] [<c0153732>] ? trace_hardirqs_on_caller+0x72/0x1c0
[ 2845.743742] [<c0155be6>] lock_acquire+0x76/0xa0
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c046c885>] _spin_lock_irqsave+0x45/0x80
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1aad>] skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1f94>] skb_queue_purge+0x14/0x20
[ 2845.743742] [<f8171f5a>] hci_conn_del+0x10a/0x1c0 [bluetooth]
[ 2845.743742] [<f81399c9>] ? l2cap_disconn_ind+0x59/0xb0 [l2cap]
[ 2845.743742] [<f81795ce>] ? hci_conn_del_sysfs+0x8e/0xd0 [bluetooth]
[ 2845.743742] [<f8175758>] hci_event_packet+0x5f8/0x31c0 [bluetooth]
[ 2845.743742] [<c03dfe19>] ? sock_def_readable+0x59/0x80
[ 2845.743742] [<c046c14d>] ? _read_unlock+0x1d/0x20
[ 2845.743742] [<f8178aa9>] ? hci_send_to_sock+0xe9/0x1d0 [bluetooth]
[ 2845.743742] [<c015388b>] ? trace_hardirqs_on+0xb/0x10
[ 2845.743742] [<f816fa6a>] hci_rx_task+0x2ba/0x490 [bluetooth]
[ 2845.743742] [<c0133661>] ? tasklet_action+0x31/0xc0
[ 2845.743742] [<c013367c>] tasklet_action+0x4c/0xc0
[ 2845.743742] [<c0132eb7>] __do_softirq+0xa7/0x170
[ 2845.743742] [<c0116dec>] ? ack_apic_level+0x5c/0x1c0
[ 2845.743742] [<c0132fd7>] do_softirq+0x57/0x60
[ 2845.743742] [<c01333dc>] irq_exit+0x7c/0x90
[ 2845.743742] [<c01055bb>] do_IRQ+0x4b/0x90
[ 2845.743742] [<c01333d5>] ? irq_exit+0x75/0x90
[ 2845.743742] [<c010392c>] common_interrupt+0x2c/0x34
[ 2845.743742] [<c010a14f>] ? mwait_idle+0x4f/0x70
[ 2845.743742] [<c0101c05>] cpu_idle+0x65/0xb0
[ 2845.743742] [<c045731e>] rest_init+0x4e/0x60
[ 2845.743742] ---[ end trace 4c985b38f02227a0 ]---
[ 2845.743742] ------------[ cut here ]------------
[ 2845.743742] WARNING: at kernel/smp.c:226 smp_call_function_single+0x8e/0x110()
[ 2845.743742] Hardware name: Dell DM051
[ 2845.743742] Modules linked in: btusb netconsole snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss rfcomm l2cap bluetooth vfat fuse snd_hda_codec_idt snd_hda_intel snd_hda_codec snd_hwdep snd_pcm pl2303 snd_timer psmouse usbserial snd 3c59x e100 serio_raw soundcore i2c_i801 intel_agp mii agpgart snd_page_alloc rtc_cmos rtc_core thermal processor rtc_lib button thermal_sys sg evdev
[ 2845.743742] Pid: 0, comm: swapper Tainted: G D W 2.6.29-rc5-smp #54
[ 2845.743742] Call Trace:
[ 2845.743742] [<c012e076>] warn_slowpath+0x86/0xa0
[ 2845.743742] [<c012e000>] ? warn_slowpath+0x10/0xa0
[ 2845.743742] [<c015041b>] ? trace_hardirqs_off+0xb/0x10
[ 2845.743742] [<c0146384>] ? up+0x14/0x40
[ 2845.743742] [<c012e661>] ? release_console_sem+0x31/0x1e0
[ 2845.743742] [<c046c8ab>] ? _spin_lock_irqsave+0x6b/0x80
[ 2845.743742] [<c015041b>] ? trace_hardirqs_off+0xb/0x10
[ 2845.743742] [<c046c900>] ? _read_lock_irqsave+0x40/0x80
[ 2845.743742] [<c012e7f2>] ? release_console_sem+0x1c2/0x1e0
[ 2845.743742] [<c0146384>] ? up+0x14/0x40
[ 2845.743742] [<c015b7be>] smp_call_function_single+0x8e/0x110
[ 2845.743742] [<c010a1a0>] ? stop_this_cpu+0x0/0x40
[ 2845.743742] [<c026d23f>] ? cpumask_next_and+0x1f/0x40
[ 2845.743742] [<c015b95a>] smp_call_function_many+0x11a/0x200
[ 2845.743742] [<c010a1a0>] ? stop_this_cpu+0x0/0x40
[ 2845.743742] [<c015ba61>] smp_call_function+0x21/0x30
[ 2845.743742] [<c01137ae>] native_smp_send_stop+0x1e/0x50
[ 2845.743742] [<c012e0f5>] panic+0x55/0x110
[ 2845.743742] [<c01065a8>] oops_end+0xb8/0xc0
[ 2845.743742] [<c010668f>] die+0x4f/0x70
[ 2845.743742] [<c011a8c9>] do_page_fault+0x269/0x610
[ 2845.743742] [<c011a660>] ? do_page_fault+0x0/0x610
[ 2845.743742] [<c046cbaf>] error_code+0x77/0x7c
[ 2845.743742] [<c015515c>] ? __lock_acquire+0x6c/0xa80
[ 2845.743742] [<c0153732>] ? trace_hardirqs_on_caller+0x72/0x1c0
[ 2845.743742] [<c0155be6>] lock_acquire+0x76/0xa0
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c046c885>] _spin_lock_irqsave+0x45/0x80
[ 2845.743742] [<c03e1aad>] ? skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1aad>] skb_dequeue+0x1d/0x70
[ 2845.743742] [<c03e1f94>] skb_queue_purge+0x14/0x20
[ 2845.743742] [<f8171f5a>] hci_conn_del+0x10a/0x1c0 [bluetooth]
[ 2845.743742] [<f81399c9>] ? l2cap_disconn_ind+0x59/0xb0 [l2cap]
[ 2845.743742] [<f81795ce>] ? hci_conn_del_sysfs+0x8e/0xd0 [bluetooth]
[ 2845.743742] [<f8175758>] hci_event_packet+0x5f8/0x31c0 [bluetooth]
[ 2845.743742] [<c03dfe19>] ? sock_def_readable+0x59/0x80
[ 2845.743742] [<c046c14d>] ? _read_unlock+0x1d/0x20
[ 2845.743742] [<f8178aa9>] ? hci_send_to_sock+0xe9/0x1d0 [bluetooth]
[ 2845.743742] [<c015388b>] ? trace_hardirqs_on+0xb/0x10
[ 2845.743742] [<f816fa6a>] hci_rx_task+0x2ba/0x490 [bluetooth]
[ 2845.743742] [<c0133661>] ? tasklet_action+0x31/0xc0
[ 2845.743742] [<c013367c>] tasklet_action+0x4c/0xc0
[ 2845.743742] [<c0132eb7>] __do_softirq+0xa7/0x170
[ 2845.743742] [<c0116dec>] ? ack_apic_level+0x5c/0x1c0
[ 2845.743742] [<c0132fd7>] do_softirq+0x57/0x60
[ 2845.743742] [<c01333dc>] irq_exit+0x7c/0x90
[ 2845.743742] [<c01055bb>] do_IRQ+0x4b/0x90
[ 2845.743742] [<c01333d5>] ? irq_exit+0x75/0x90
[ 2845.743742] [<c010392c>] common_interrupt+0x2c/0x34
[ 2845.743742] [<c010a14f>] ? mwait_idle+0x4f/0x70
[ 2845.743742] [<c0101c05>] cpu_idle+0x65/0xb0
[ 2845.743742] [<c045731e>] rest_init+0x4e/0x60
[ 2845.743742] ---[ end trace 4c985b38f02227a1 ]---
[ 2845.743742] Rebooting in 3 seconds..
My logitec bluetooth mouse trying connect to pc, but
pc side reject the connection again and again. then panic happens.
The reason is due to hci_conn_del_sysfs now called in hci_event_packet,
the del work is done in a workqueue, so it's possible done before
skb_queue_purge called.
I move the hci_conn_del_sysfs after skb_queue_purge just as that before
marcel's commit.
Remove the hci_conn_del_sysfs in hci_conn_hash_flush as well due to
hci_conn_del will deal with the work.
Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
Userspace pairing code can be simplified if it doesn't have to fall
back to using L2CAP_LM in the case of L2CAP raw sockets. This patch
allows the BT_SECURITY socket option to be used for these sockets.
Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The CID value of L2CAP sockets need to be set to zero. All userspace
applications do this via memset() on the sockaddr_l2 structure. The
RFCOMM implementation uses in-kernel L2CAP sockets and so it has to
make sure that l2_cid is set to zero.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
In the future the L2CAP layer will have full support for fixed channels
and right now it already can export the channel assignment, but for the
functions bind() and connect() the usage of only CID 0 is allowed. This
allows an easy detection if the kernel supports fixed channels or not,
because otherwise it would impossible for application to tell.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When BT_DEFER_SETUP is enabled on a RFCOMM socket, then switch its
current state from BT_OPEN to BT_CONNECT2. This gives the Bluetooth
core a unified way to handle L2CAP and RFCOMM sockets. The BT_CONNECT2
state is designated for incoming connections.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When BT_DEFER_SETUP has been enabled on a Bluetooth socket it keeps
signaling POLLIN all the time. This is a wrong behavior. The POLLIN
should only be signaled if the client socket is in BT_CONNECT2 state
and the parent has been BT_DEFER_SETUP enabled.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The authentication requirement got only updated when the security level
increased. This is a wrong behavior. The authentication requirement is
read by the Bluetooth daemon to make proper decisions when handling the
IO capabilities exchange. So set the value that is currently expected by
the higher layers like L2CAP and RFCOMM.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The L2CAP layer can trigger the authentication via an ACL connection or
later on to increase the security level. When increasing the security
level it didn't use the same authentication requirements when triggering
a new ACL connection. Make sure that exactly the same authentication
requirements are used. The only exception here are the L2CAP raw sockets
which are only used for dedicated bonding.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
Some of the qualification tests demand that in case of failures in L2CAP
the HCI disconnect should indicate a reason why L2CAP fails. This is a
bluntly layer violation since multiple L2CAP connections could be using
the same ACL and thus forcing a disconnect reason is not a good idea.
To comply with the Bluetooth test specification, the disconnect reason
is now stored in the L2CAP connection structure and every time a new
L2CAP channel is added it will set back to its default. So only in the
case where the L2CAP channel with the disconnect reason is really the
last one, it will propagated to the HCI layer.
The HCI layer has been extended with a disconnect indication that allows
it to ask upper layers for a disconnect reason. The upper layer must not
support this callback and in that case it will nicely default to the
existing behavior. If an upper layer like L2CAP can provide a disconnect
reason that one will be used to disconnect the ACL or SCO link.
No modification to the ACL disconnect timeout have been made. So in case
of Linux to Linux connection the initiator will disconnect the ACL link
before the acceptor side can signal the specific disconnect reason. That
is perfectly fine since Linux doesn't make use of this value anyway. The
L2CAP layer has a perfect valid error code for rejecting connection due
to a security violation. It is unclear why the Bluetooth specification
insists on having specific HCI disconnect reason.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
In preparation for L2CAP fixed channel support, the CID value of a
L2CAP connection needs to be accessible via the socket interface. The
CID is the connection identifier and exists as source and destination
value. So extend the L2CAP socket address structure with this field and
change getsockname() and getpeername() to fill it in.
The bind() and connect() functions have been modified to handle L2CAP
socket address structures of variable sizes. This makes them future
proof if additional fields need to be added.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
If the extended features mask indicates support for fixed channels,
request the list of available fixed channels. This also enables the
fixed channel features bit so remote implementations can request
information about it. Currently only the signal channel will be
listed.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The recommendation for the L2CAP PSM 1 (SDP) is to not use any kind
of authentication or encryption. So don't trigger authentication
for incoming and outgoing SDP connections.
For L2CAP PSM 3 (RFCOMM) there is no clear requirement, but with
Bluetooth 2.1 the initiator is required to enable authentication
and encryption first and this gets enforced. So there is no need
to trigger an additional authentication step. The RFCOMM service
security will make sure that a secure enough link key is present.
When the encryption gets enabled after the SDP connection setup,
then switch the security level from SDP to low security.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
If the remote L2CAP server uses authentication pending stage and
encryption is enabled it can happen that a L2CAP connection request is
sent twice due to a race condition in the connection state machine.
When the remote side indicates any kind of connection pending, then
track this state and skip sending of L2CAP commands for this period.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When two L2CAP connections are requested quickly after the ACL link has
been established there exists a window for a race condition where a
connection request is sent before the information response has been
received. Any connection request should only be sent after an exchange
of the extended features mask has been finished.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When no authentication requirements are selected, but an outgoing or
incoming connection has requested any kind of security enforcement,
then set these authentication requirements.
This ensures that the userspace always gets informed about the
authentication requirements (if available). Only when no security
enforcement has happened, the kernel will signal invalid requirements.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When receiving incoming connection to specific services, always use
general bonding. This ensures that the link key gets stored and can be
used for further authentications.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
When attempting to setup eSCO connections it can happen that some link
manager implementations fail to properly negotiate the eSCO parameters
and thus fail the eSCO setup. Normally the link manager is responsible
for the negotiation of the parameters and actually fallback to SCO if
no agreement can be reached. In cases where the link manager is just too
stupid, then at least try to establish a SCO link if eSCO fails.
For the Bluetooth devices with EDR support this includes handling packet
types of EDR basebands. This is particular tricky since for the EDR the
logic of enabling/disabling one specific packet type is turned around.
This fix contains an extra bitmask to disable eSCO EDR packet when
trying to fallback to a SCO connection.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
For L2CAP sockets with medium and high security requirement a missing
encryption will enforce the closing of the link. For the L2CAP raw
sockets this is not needed, so skip that check.
This fixes a crash when pairing Bluetooth 2.0 (and earlier) devices
since the L2CAP state machine got confused and then locked up the whole
system.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
During a role change with pre-Bluetooth 2.1 devices, the remote side drops
the encryption of the RFCOMM connection. We allow a grace period for the
encryption to be re-established, before dropping the connection. During
this grace period, the RFCOMM_SEC_PENDING flag is set. Check this flag
before sending RFCOMM packets.
Signed-off-by: Jaikumar Ganesh <jaikumar@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
Due to lockdep changes, the CONFIG_DEBUG_LOCK_ALLOC ifdef is not needed
now. So just remove it here.
The following commit fixed the !lockdep build warnings:
commit e8f6fbf62de37cbc2e179176ac7010d5f4396b67
Author: Ingo Molnar <mingo@elte.hu>
Date: Wed Nov 12 01:38:36 2008 +0000
lockdep: include/linux/lockdep.h - fix warning in net/bluetooth/af_bluetooth.c
Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
With the support for the enhanced security model and the support for
deferring connection setup, it is a good idea to increase various
version numbers.
This is purely cosmetic and has no effect on the behavior, but can
be really helpful when debugging problems in different kernel versions.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
The new socket options should only be evaluated for SOL_BLUETOOTH level
and not for every other level. Previously this causes some minor issues
when detecting if a kernel with certain features is available.
Also restrict BT_SECURITY to SOCK_SEQPACKET for L2CAP and SOCK_STREAM for
the RFCOMM protocol.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
For L2CAP connections with high security setting, the link will be
immediately dropped when the encryption gets disabled. For L2CAP
connections with medium security there will be grace period where
the remote device has the chance to re-enable encryption. If it
doesn't happen then the link will also be disconnected.
The requirement for the grace period with medium security comes from
Bluetooth 2.0 and earlier devices that require role switching.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
A role switch with devices following the Bluetooth pre-2.1 standards
or without Encryption Pause and Resume support is not possible if
encryption is enabled. Most newer headsets require the role switch,
but also require that the connection is encrypted.
For connections with a high security mode setting, the link will be
immediately dropped. When the connection uses medium security mode
setting, then a grace period is introduced where the TX is halted and
the remote device gets a change to re-enable encryption after the
role switch. If not re-enabled the link will be dropped.
Based on initial work by Ville Tervo <ville.tervo@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
|
Change the RFCOMM internals to use the new security levels and remove
the link mode details.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
|
