Caused by the following commit, partially revert it.
commit 9fa7e4f76f
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date: Thu Jun 30 16:11:30 2011 -0300
Bluetooth: Fix regression with incoming L2CAP connections
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.
Based on patch from: Ilia Kolomisnky <iliak@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header. This results in copying a very large amount of data via
memcpy() and destroying the kernel heap. Check for underflow.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
When authentication completes we shouldn't blindly accept any pending
L2CAP connect requests. If the socket has the defer_setup feature
enabled it should still wait for user space acceptance of the connect
request. The issue only happens for non-SSP connections since with SSP
the L2CAP Connect request may not be sent for non-SDP PSMs before
authentication has completed successfully.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
read_lock() ... read_unlock_bh() is clearly bogus.
This was broken by
commit 23691d75cd
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date: Wed Apr 27 18:26:32 2011 -0300
Bluetooth: Remove l2cap_sk_list
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/bluetooth/l2cap_core.c: In function ‘l2cap_recv_frame’:
net/bluetooth/l2cap_core.c:3758:15: warning: ‘sk’ may be used uninitialized in this function
net/bluetooth/l2cap_core.c:3758:15: note: ‘sk’ was declared here
net/bluetooth/l2cap_core.c:3791:15: warning: ‘sk’ may be used uninitialized in this function
net/bluetooth/l2cap_core.c:3791:15: note: ‘sk’ was declared here
Signed-off-by: David S. Miller <davem@davemloft.net>
A new list was added to replace the socket based one. This new list
doesn't depent on sock and then fits better inside l2cap_core.c code.
It also rename l2cap_chan_alloc() to l2cap_chan_create() and
l2cap_chan_free() to l2cap_chan_destroy)
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
When the user doesn't specify a psm we have the choose one for the
channel. Now we do this inside l2cap_add_psm().
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
The intention is to get rid of the l2cap_sk_list usage inside
l2cap_core.c. l2cap_sk_list will soon be replaced by a list that does not
depend on socket usage.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
There is no need to the socket deal directly with the channel, most of the
time it cares about the channel only.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
In this commit, omtu, imtu, flush_to, mode and sport. It also remove the
pi var from l2cap_sock_sendmsg().
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
l2cap_chan_connect() is a much better name and reflects what this
functions is doing (or will do once socket dependence is removed from the
core).
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
If the allocation happens at l2cap_sock_create() will be able to use the
struct l2cap_chan to store channel info that comes from the user via
setsockopt.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Resolved logic conflicts causing a build failure due to
drivers/net/r8169.c changes using a patch from Stephen Rothwell.
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bluetooth/l2cap_core.c: In function ‘l2cap_recv_frame’:
net/bluetooth/l2cap_core.c:3612:15: warning: ‘sk’ may be used uninitialized in this function
net/bluetooth/l2cap_core.c:3612:15: note: ‘sk’ was declared here
Actually the problem is in the inline function l2cap_data_channel(), we
branch to the label 'done' which tests 'sk' before we set it to anything.
Initialize it to NULL to fix this.
Signed-off-by: David S. Miller <davem@davemloft.net>
When retrasmitting one frame, only SAR bits in control field should
be kept.
Signed-off-by: Ruiyi Zhang <Ruiyi.zhang@atheros.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Fix a regression from the L2CAP "rewrite" patches.
Purge the tx_q already happens on l2cap_chan_del() so we don't need it at
l2cap_disconnect_req().
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
l2cap_get_sock_by_scid was changed to not lock the socket anymore, but I
forgot to change all the users of this function.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Fix an locking issue with the new l2cap_att_channel(). l2cap_att_channel()
was trying to lock a locked socket.
Reported-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Despite it works, handling through l2cap_data_channel() is wrongs.
That function should handle only connection oriented data.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This is a regression acctually, caused by the first patch series for
creating a formal strcut l2cap_chan.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This is part of "moving things to l2cap_chan". As one the first move it
triggered a big number of changes in the funcions parameters, basically
changing the struct sock param to struct l2cap_chan.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
As we use struct list_head to keep L2CAP channels list the workaround with
del_list is not needed anymore.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Use a well known Kernel API is always a good idea than implement your own
list.
In the future we might use RCU on this list.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
struct l2cap_chan cames to create a clear separation between what
properties and data belongs to the L2CAP channel and what belongs to the
socket. By now we just fold the struct sock * in struct l2cap_chan as all
the channel info is struct l2cap_pinfo today.
In the next commits we will see a move of channel stuff to struct
l2cap_chan.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This patch lets 'l2cap_pinfo.unacked_frames' be incremented only
the first time a frame is transmitted.
Previously it was being incremented for retransmitted packets
too resulting the value to cross the transmit window size.
Signed-off-by: Suraj Sumangala <suraj@atheros.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>