* [PATCH 0/5] Bluetooth: UPF cleanups & fixes
@ 2015-10-22 6:38 Johan Hedberg
2015-10-22 6:38 ` [PATCH 1/5] Bluetooth: Disable auto-connection parameters when unpairing Johan Hedberg
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
Hi,
Here's the remaining 5 patches that weren't applied yet. The only change
is a fix to the SCO rejection reason code which has some special
limitations (see commit d41c15cf95bd91b9c333).
Johan
----------------------------------------------------------------
Johan Hedberg (5):
Bluetooth: Disable auto-connection parameters when unpairing
Bluetooth: Introduce hci_req helper to abort a connection
Bluetooth: Take advantage of connection abort helpers
Bluetooth: Make hci_disconnect() behave correctly for all states
Bluetooth: Fix crash in SMP when unpairing
net/bluetooth/hci_conn.c | 90 ++++++------------------------------------
net/bluetooth/hci_request.c | 93 ++++++++++++++++++++++++++++++++++++++++++++
net/bluetooth/hci_request.h | 4 ++
net/bluetooth/mgmt.c | 49 ++++++++---------------
net/bluetooth/smp.c | 26 +++++++++++++
net/bluetooth/smp.h | 1 +
6 files changed, 151 insertions(+), 112 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] Bluetooth: Disable auto-connection parameters when unpairing
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
@ 2015-10-22 6:38 ` Johan Hedberg
2015-10-22 6:38 ` [PATCH 2/5] Bluetooth: Introduce hci_req helper to abort a connection Johan Hedberg
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
For connection parameters that are left around until a disconnection
we should at least clear any auto-connection properties. This way a
new Add Device call is required to re-set them after calling Unpair
Device.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/mgmt.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index d56845a28af1..3fa4cafc2c03 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -3052,6 +3052,7 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
{
struct mgmt_cp_unpair_device *cp = data;
struct mgmt_rp_unpair_device rp;
+ struct hci_conn_params *params;
struct hci_cp_disconnect dc;
struct mgmt_pending_cmd *cmd;
struct hci_conn *conn;
@@ -3131,6 +3132,15 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
*/
set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
+ /* Disable auto-connection parameters if present */
+ params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
+ if (params) {
+ if (params->explicit_connect)
+ params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
+ else
+ params->auto_connect = HCI_AUTO_CONN_DISABLED;
+ }
+
/* If disconnection is not requested, then clear the connection
* variable so that the link is not terminated.
*/
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] Bluetooth: Introduce hci_req helper to abort a connection
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
2015-10-22 6:38 ` [PATCH 1/5] Bluetooth: Disable auto-connection parameters when unpairing Johan Hedberg
@ 2015-10-22 6:38 ` Johan Hedberg
2015-10-22 6:38 ` [PATCH 3/5] Bluetooth: Take advantage of connection abort helpers Johan Hedberg
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
There are several different places needing to make sure that a
connection gets disconnected or canceled. The exact action needed
depends on the connection state, so centralizing this logic can save
quite a lot of code duplication.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/hci_request.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
net/bluetooth/hci_request.h | 4 ++
2 files changed, 97 insertions(+)
diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index b7369220c9ef..5821280a14f5 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -564,3 +564,96 @@ void hci_update_background_scan(struct hci_dev *hdev)
if (err && err != -ENODATA)
BT_ERR("Failed to run HCI request: err %d", err);
}
+
+void __hci_abort_conn(struct hci_request *req, struct hci_conn *conn,
+ u8 reason)
+{
+ switch (conn->state) {
+ case BT_CONNECTED:
+ case BT_CONFIG:
+ if (conn->type == AMP_LINK) {
+ struct hci_cp_disconn_phy_link cp;
+
+ cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
+ cp.reason = hci_proto_disconn_ind(conn);
+ hci_req_add(req, HCI_OP_DISCONN_PHY_LINK, sizeof(cp),
+ &cp);
+ } else {
+ struct hci_cp_disconnect dc;
+
+ dc.handle = cpu_to_le16(conn->handle);
+ dc.reason = reason;
+ hci_req_add(req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
+ }
+
+ conn->state = BT_DISCONN;
+
+ break;
+ case BT_CONNECT:
+ if (test_bit(HCI_CONN_SCANNING, &conn->flags))
+ break;
+ if (conn->type == LE_LINK)
+ hci_req_add(req, HCI_OP_LE_CREATE_CONN_CANCEL,
+ 0, NULL);
+ else if (conn->type == ACL_LINK)
+ hci_req_add(req, HCI_OP_CREATE_CONN_CANCEL,
+ 6, &conn->dst);
+ break;
+ case BT_CONNECT2:
+ if (conn->type == ACL_LINK) {
+ struct hci_cp_reject_conn_req rej;
+
+ if (req->hdev->hci_ver < BLUETOOTH_VER_1_2)
+ return;
+
+ bacpy(&rej.bdaddr, &conn->dst);
+ rej.reason = reason;
+
+ hci_req_add(req, HCI_OP_REJECT_CONN_REQ,
+ sizeof(rej), &rej);
+ } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
+ struct hci_cp_reject_sync_conn_req rej;
+
+ bacpy(&rej.bdaddr, &conn->dst);
+
+ /* SCO rejection has its own limited set of
+ * allowed error values (0x0D-0x0F) which isn't
+ * compatible with most values passed to this
+ * function. To be safe hard-code one of the
+ * values that's suitable for SCO.
+ */
+ rej.reason = HCI_ERROR_REMOTE_LOW_RESOURCES;
+
+ hci_req_add(req, HCI_OP_REJECT_SYNC_CONN_REQ,
+ sizeof(rej), &rej);
+ }
+ break;
+ default:
+ conn->state = BT_CLOSED;
+ break;
+ }
+}
+
+static void abort_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
+{
+ if (status)
+ BT_DBG("Failed to abort connection: status 0x%2.2x", status);
+}
+
+int hci_abort_conn(struct hci_conn *conn, u8 reason)
+{
+ struct hci_request req;
+ int err;
+
+ hci_req_init(&req, conn->hdev);
+
+ __hci_abort_conn(&req, conn, reason);
+
+ err = hci_req_run(&req, abort_conn_complete);
+ if (err && err != -ENODATA) {
+ BT_ERR("Failed to run HCI request: err %d", err);
+ return err;
+ }
+
+ return 0;
+}
diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
index bf6df92f42db..25c7f1305dcb 100644
--- a/net/bluetooth/hci_request.h
+++ b/net/bluetooth/hci_request.h
@@ -55,3 +55,7 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy,
void hci_update_background_scan(struct hci_dev *hdev);
void __hci_update_background_scan(struct hci_request *req);
+
+int hci_abort_conn(struct hci_conn *conn, u8 reason);
+void __hci_abort_conn(struct hci_request *req, struct hci_conn *conn,
+ u8 reason);
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] Bluetooth: Take advantage of connection abort helpers
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
2015-10-22 6:38 ` [PATCH 1/5] Bluetooth: Disable auto-connection parameters when unpairing Johan Hedberg
2015-10-22 6:38 ` [PATCH 2/5] Bluetooth: Introduce hci_req helper to abort a connection Johan Hedberg
@ 2015-10-22 6:38 ` Johan Hedberg
2015-10-22 6:38 ` [PATCH 4/5] Bluetooth: Make hci_disconnect() behave correctly for all states Johan Hedberg
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
Convert the various places mapping connection state to
disconnect/cancel HCI command to use the new hci_abort_conn helper
API.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/hci_conn.c | 79 +++++-------------------------------------------
net/bluetooth/mgmt.c | 36 ++--------------------
2 files changed, 11 insertions(+), 104 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 11316159a5a7..665a52fa6c60 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -59,11 +59,6 @@ static const struct sco_param esco_param_msbc[] = {
{ EDR_ESCO_MASK | ESCO_EV3, 0x0008, 0x02 }, /* T1 */
};
-static void hci_le_create_connection_cancel(struct hci_conn *conn)
-{
- hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
-}
-
/* This function requires the caller holds hdev->lock */
static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
{
@@ -229,29 +224,6 @@ static void hci_acl_create_connection(struct hci_conn *conn)
hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
}
-static void hci_acl_create_connection_cancel(struct hci_conn *conn)
-{
- struct hci_cp_create_conn_cancel cp;
-
- BT_DBG("hcon %p", conn);
-
- if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
- return;
-
- bacpy(&cp.bdaddr, &conn->dst);
- hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
-}
-
-static void hci_reject_sco(struct hci_conn *conn)
-{
- struct hci_cp_reject_sync_conn_req cp;
-
- cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
- bacpy(&cp.bdaddr, &conn->dst);
-
- hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
-}
-
int hci_disconnect(struct hci_conn *conn, __u8 reason)
{
struct hci_cp_disconnect cp;
@@ -279,20 +251,6 @@ int hci_disconnect(struct hci_conn *conn, __u8 reason)
return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
}
-static void hci_amp_disconn(struct hci_conn *conn)
-{
- struct hci_cp_disconn_phy_link cp;
-
- BT_DBG("hcon %p", conn);
-
- conn->state = BT_DISCONN;
-
- cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
- cp.reason = hci_proto_disconn_ind(conn);
- hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
- sizeof(cp), &cp);
-}
-
static void hci_add_sco(struct hci_conn *conn, __u16 handle)
{
struct hci_dev *hdev = conn->hdev;
@@ -456,35 +414,14 @@ static void hci_conn_timeout(struct work_struct *work)
if (refcnt > 0)
return;
- switch (conn->state) {
- case BT_CONNECT:
- case BT_CONNECT2:
- if (conn->out) {
- if (conn->type == ACL_LINK)
- hci_acl_create_connection_cancel(conn);
- else if (conn->type == LE_LINK) {
- if (test_bit(HCI_CONN_SCANNING, &conn->flags))
- hci_connect_le_scan_remove(conn);
- else
- hci_le_create_connection_cancel(conn);
- }
- } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
- hci_reject_sco(conn);
- }
- break;
- case BT_CONFIG:
- case BT_CONNECTED:
- if (conn->type == AMP_LINK) {
- hci_amp_disconn(conn);
- } else {
- __u8 reason = hci_proto_disconn_ind(conn);
- hci_disconnect(conn, reason);
- }
- break;
- default:
- conn->state = BT_CLOSED;
- break;
+ /* LE connections in scanning state need special handling */
+ if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
+ test_bit(HCI_CONN_SCANNING, &conn->flags)) {
+ hci_connect_le_scan_remove(conn);
+ return;
}
+
+ hci_abort_conn(conn, hci_proto_disconn_ind(conn));
}
/* Enter sniff mode */
@@ -552,7 +489,7 @@ static void le_conn_timeout(struct work_struct *work)
return;
}
- hci_le_create_connection_cancel(conn);
+ hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
}
struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 3fa4cafc2c03..e1083c928d5c 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1639,35 +1639,8 @@ static int clean_up_hci_state(struct hci_dev *hdev)
discov_stopped = hci_stop_discovery(&req);
list_for_each_entry(conn, &hdev->conn_hash.list, list) {
- struct hci_cp_disconnect dc;
- struct hci_cp_reject_conn_req rej;
-
- switch (conn->state) {
- case BT_CONNECTED:
- case BT_CONFIG:
- dc.handle = cpu_to_le16(conn->handle);
- dc.reason = 0x15; /* Terminated due to Power Off */
- hci_req_add(&req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
- break;
- case BT_CONNECT:
- if (conn->type == LE_LINK)
- hci_req_add(&req, HCI_OP_LE_CREATE_CONN_CANCEL,
- 0, NULL);
- else if (conn->type == ACL_LINK)
- hci_req_add(&req, HCI_OP_CREATE_CONN_CANCEL,
- 6, &conn->dst);
- break;
- case BT_CONNECT2:
- bacpy(&rej.bdaddr, &conn->dst);
- rej.reason = 0x15; /* Terminated due to Power Off */
- if (conn->type == ACL_LINK)
- hci_req_add(&req, HCI_OP_REJECT_CONN_REQ,
- sizeof(rej), &rej);
- else if (conn->type == SCO_LINK)
- hci_req_add(&req, HCI_OP_REJECT_SYNC_CONN_REQ,
- sizeof(rej), &rej);
- break;
- }
+ /* 0x15 == Terminated due to Power Off */
+ __hci_abort_conn(&req, conn, 0x15);
}
err = hci_req_run(&req, clean_up_hci_complete);
@@ -3053,7 +3026,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
struct mgmt_cp_unpair_device *cp = data;
struct mgmt_rp_unpair_device rp;
struct hci_conn_params *params;
- struct hci_cp_disconnect dc;
struct mgmt_pending_cmd *cmd;
struct hci_conn *conn;
u8 addr_type;
@@ -3167,9 +3139,7 @@ done:
cmd->cmd_complete = addr_cmd_complete;
- dc.handle = cpu_to_le16(conn->handle);
- dc.reason = 0x13; /* Remote User Terminated Connection */
- err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
+ err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
if (err < 0)
mgmt_pending_remove(cmd);
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] Bluetooth: Make hci_disconnect() behave correctly for all states
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
` (2 preceding siblings ...)
2015-10-22 6:38 ` [PATCH 3/5] Bluetooth: Take advantage of connection abort helpers Johan Hedberg
@ 2015-10-22 6:38 ` Johan Hedberg
2015-10-22 6:38 ` [PATCH 5/5] Bluetooth: Fix crash in SMP when unpairing Johan Hedberg
2015-10-22 7:03 ` [PATCH 0/5] Bluetooth: UPF cleanups & fixes Marcel Holtmann
5 siblings, 0 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
There are a few places that don't explicitly check the connection
state before calling hci_disconnect(). To make this API do the right
thing take advantage of the new hci_abort_conn() API and also make
sure to only read the clock offset if we're really connected.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/hci_conn.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 665a52fa6c60..85b82f7adbd2 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -226,8 +226,6 @@ static void hci_acl_create_connection(struct hci_conn *conn)
int hci_disconnect(struct hci_conn *conn, __u8 reason)
{
- struct hci_cp_disconnect cp;
-
BT_DBG("hcon %p", conn);
/* When we are master of an established connection and it enters
@@ -235,7 +233,8 @@ int hci_disconnect(struct hci_conn *conn, __u8 reason)
* current clock offset. Processing of the result is done
* within the event handling and hci_clock_offset_evt function.
*/
- if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
+ if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
+ (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
struct hci_dev *hdev = conn->hdev;
struct hci_cp_read_clock_offset clkoff_cp;
@@ -244,11 +243,7 @@ int hci_disconnect(struct hci_conn *conn, __u8 reason)
&clkoff_cp);
}
- conn->state = BT_DISCONN;
-
- cp.handle = cpu_to_le16(conn->handle);
- cp.reason = reason;
- return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
+ return hci_abort_conn(conn, reason);
}
static void hci_add_sco(struct hci_conn *conn, __u16 handle)
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] Bluetooth: Fix crash in SMP when unpairing
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
` (3 preceding siblings ...)
2015-10-22 6:38 ` [PATCH 4/5] Bluetooth: Make hci_disconnect() behave correctly for all states Johan Hedberg
@ 2015-10-22 6:38 ` Johan Hedberg
2015-10-22 7:03 ` [PATCH 0/5] Bluetooth: UPF cleanups & fixes Marcel Holtmann
5 siblings, 0 replies; 7+ messages in thread
From: Johan Hedberg @ 2015-10-22 6:38 UTC (permalink / raw
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
When unpairing the keys stored in hci_dev are removed. If SMP is
ongoing the SMP context will also have references to these keys, so
removing them from the hci_dev lists will make the pointers invalid.
This can result in the following type of crashes:
BUG: unable to handle kernel paging request at 6b6b6b6b
IP: [<c11f26be>] __list_del_entry+0x44/0x71
*pde = 00000000
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: hci_uart btqca btusb btintel btbcm btrtl hci_vhci rfcomm bluetooth_6lowpan bluetooth
CPU: 0 PID: 723 Comm: kworker/u5:0 Not tainted 4.3.0-rc3+ #1379
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
Workqueue: hci0 hci_rx_work [bluetooth]
task: f19da940 ti: f1a94000 task.ti: f1a94000
EIP: 0060:[<c11f26be>] EFLAGS: 00010202 CPU: 0
EIP is at __list_del_entry+0x44/0x71
EAX: c0088d20 EBX: f30fcac0 ECX: 6b6b6b6b EDX: 6b6b6b6b
ESI: f4b60000 EDI: c0088d20 EBP: f1a95d90 ESP: f1a95d8c
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 6b6b6b6b CR3: 319e5000 CR4: 00000690
Stack:
f30fcac0 f1a95db0 f82dc3e1 f1bfc000 00000000 c106524f f1bfc000 f30fd020
f1a95dc0 f1a95dd0 f82dcbdb f1a95de0 f82dcbdb 00000067 f1bfc000 f30fd020
f1a95de0 f1a95df0 f82d1126 00000067 f82d1126 00000006 f30fd020 f1bfc000
Call Trace:
[<f82dc3e1>] smp_chan_destroy+0x192/0x240 [bluetooth]
[<c106524f>] ? trace_hardirqs_on_caller+0x14e/0x169
[<f82dcbdb>] smp_teardown_cb+0x47/0x64 [bluetooth]
[<f82dcbdb>] ? smp_teardown_cb+0x47/0x64 [bluetooth]
[<f82d1126>] l2cap_chan_del+0x5d/0x14d [bluetooth]
[<f82d1126>] ? l2cap_chan_del+0x5d/0x14d [bluetooth]
[<f82d40ef>] l2cap_conn_del+0x109/0x17b [bluetooth]
[<f82d40ef>] ? l2cap_conn_del+0x109/0x17b [bluetooth]
[<f82c0205>] ? hci_event_packet+0x5b1/0x2092 [bluetooth]
[<f82d41aa>] l2cap_disconn_cfm+0x49/0x50 [bluetooth]
[<f82d41aa>] ? l2cap_disconn_cfm+0x49/0x50 [bluetooth]
[<f82c0228>] hci_event_packet+0x5d4/0x2092 [bluetooth]
[<c1332c16>] ? skb_release_data+0x6a/0x95
[<f82ce5d4>] ? hci_send_to_monitor+0xe7/0xf4 [bluetooth]
[<c1409708>] ? _raw_spin_unlock_irqrestore+0x44/0x57
[<f82b3bb0>] hci_rx_work+0xf1/0x28b [bluetooth]
[<f82b3bb0>] ? hci_rx_work+0xf1/0x28b [bluetooth]
[<c10635a0>] ? __lock_is_held+0x2e/0x44
[<c104772e>] process_one_work+0x232/0x432
[<c1071ddc>] ? rcu_read_lock_sched_held+0x50/0x5a
[<c104772e>] ? process_one_work+0x232/0x432
[<c1047d48>] worker_thread+0x1b8/0x255
[<c1047b90>] ? rescuer_thread+0x23c/0x23c
[<c104bb71>] kthread+0x91/0x96
[<c14096a7>] ? _raw_spin_unlock_irq+0x27/0x44
[<c1409d61>] ret_from_kernel_thread+0x21/0x30
[<c104bae0>] ? kthread_parkme+0x1e/0x1e
To solve the issue, introduce a new smp_cancel_pairing() API that can
be used to clean up the SMP state before touching the hci_dev lists.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/mgmt.c | 3 +++
net/bluetooth/smp.c | 26 ++++++++++++++++++++++++++
net/bluetooth/smp.h | 1 +
3 files changed, 30 insertions(+)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index e1083c928d5c..7f22119276f3 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -3099,6 +3099,9 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
goto done;
}
+ /* Abort any ongoing SMP pairing */
+ smp_cancel_pairing(conn);
+
/* Defer clearing up the connection parameters until closing to
* give a chance of keeping them if a repairing happens.
*/
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 94f9c4ca68f1..c91353841e40 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2380,6 +2380,32 @@ unlock:
return ret;
}
+void smp_cancel_pairing(struct hci_conn *hcon)
+{
+ struct l2cap_conn *conn = hcon->l2cap_data;
+ struct l2cap_chan *chan;
+ struct smp_chan *smp;
+
+ if (!conn)
+ return;
+
+ chan = conn->smp;
+ if (!chan)
+ return;
+
+ l2cap_chan_lock(chan);
+
+ smp = chan->data;
+ if (smp) {
+ if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
+ smp_failure(conn, 0);
+ else
+ smp_failure(conn, SMP_UNSPECIFIED);
+ }
+
+ l2cap_chan_unlock(chan);
+}
+
static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
struct smp_cmd_encrypt_info *rp = (void *) skb->data;
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 6cf872563ea7..ffcc70b6b199 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -180,6 +180,7 @@ enum smp_key_pref {
};
/* SMP Commands */
+void smp_cancel_pairing(struct hci_conn *hcon);
bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
enum smp_key_pref key_pref);
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/5] Bluetooth: UPF cleanups & fixes
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
` (4 preceding siblings ...)
2015-10-22 6:38 ` [PATCH 5/5] Bluetooth: Fix crash in SMP when unpairing Johan Hedberg
@ 2015-10-22 7:03 ` Marcel Holtmann
5 siblings, 0 replies; 7+ messages in thread
From: Marcel Holtmann @ 2015-10-22 7:03 UTC (permalink / raw
To: Johan Hedberg; +Cc: linux-bluetooth
Hi Johan,
> Here's the remaining 5 patches that weren't applied yet. The only change
> is a fix to the SCO rejection reason code which has some special
> limitations (see commit d41c15cf95bd91b9c333).
>
> Johan
>
> ----------------------------------------------------------------
> Johan Hedberg (5):
> Bluetooth: Disable auto-connection parameters when unpairing
> Bluetooth: Introduce hci_req helper to abort a connection
> Bluetooth: Take advantage of connection abort helpers
> Bluetooth: Make hci_disconnect() behave correctly for all states
> Bluetooth: Fix crash in SMP when unpairing
>
> net/bluetooth/hci_conn.c | 90 ++++++------------------------------------
> net/bluetooth/hci_request.c | 93 ++++++++++++++++++++++++++++++++++++++++++++
> net/bluetooth/hci_request.h | 4 ++
> net/bluetooth/mgmt.c | 49 ++++++++---------------
> net/bluetooth/smp.c | 26 +++++++++++++
> net/bluetooth/smp.h | 1 +
> 6 files changed, 151 insertions(+), 112 deletions(-)
patch 1 and 5 have been applied to bluetooth-next tree.
Regards
Marcel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-10-22 7:03 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-22 6:38 [PATCH 0/5] Bluetooth: UPF cleanups & fixes Johan Hedberg
2015-10-22 6:38 ` [PATCH 1/5] Bluetooth: Disable auto-connection parameters when unpairing Johan Hedberg
2015-10-22 6:38 ` [PATCH 2/5] Bluetooth: Introduce hci_req helper to abort a connection Johan Hedberg
2015-10-22 6:38 ` [PATCH 3/5] Bluetooth: Take advantage of connection abort helpers Johan Hedberg
2015-10-22 6:38 ` [PATCH 4/5] Bluetooth: Make hci_disconnect() behave correctly for all states Johan Hedberg
2015-10-22 6:38 ` [PATCH 5/5] Bluetooth: Fix crash in SMP when unpairing Johan Hedberg
2015-10-22 7:03 ` [PATCH 0/5] Bluetooth: UPF cleanups & fixes Marcel Holtmann
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.