commit b3916db32c upstream.
We need to verify that the given sockets actually are l2cap sockets. If
they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
start the session if the offsets turn out to be valid local BT addresses.
That is, if someone passes a TCP socket to HIDCONNADD, then we access some
random offset in the TCP socket (which isn't even guaranteed to be valid).
Fix this by checking that the socket is an l2cap socket.
Change-Id: I401bca741588b34876a1c835d8d4567852b4ec75
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
upstream a8149a65c1db9c3980873a32e4a96331b7a61f5b from
https://github.com/LineageOS/android_kernel_samsung_msm8974.git
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Change-Id: I7a0ff0b9dd0156c0e6383214a9c86e4ec4c0d236
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CVE-2017-1000251
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Added a new function to verify whether the LE Connection Update
parameters are valid instaed of verifying all the LE Connection
parameters since only update parameters are set in the Connection
Update Request.
CRs-Fixed: 387146
Change-Id: I9fe6b51e44e2793f3945613fdfde3a039804746f
Signed-off-by: Archana Ramachandran <archanar@codeaurora.org>
(cherry picked from commit 95319af0612d58788279748f586cc57221c3443e)
If due to timing issues out of our control, an outbound ATT Indicate
is delayed to the point that user space code does not receive
confirmation within it time-out period, both Client and Server
sockets must be torn down. We also must always respond to incoming
ATT Indicate pkt with a Confirmation, as the Error Response is an
illegal response for Indicate.
CRs-Fixed: 363355
Change-Id: I4003a59e1a731a08818f18d5b79db537e2aa2619
Signed-off-by: Brian Gix <bgix@codeaurora.org>
This change addresses an L2CAP ERTM throughput problem when a remote
device does not fully utilize the available transmit window.
The L2CAP ERTM transmit window size determines the maximum number of
unacked frames that may be outstanding at any time. It is configured
separately for each direction of an ERTM connection. Each side sends a
configuration request with a tx_win field indicating how many unacked
frames it is capable of receiving before sending an ack. The
configuration response's tx_win field shows how many frames the
transmitter will actually send before waiting for an ack.
It's important to trace both the actual transmit window (to check for
validity of incoming frames) and the number of frames that the
transmitter will send before waiting (to send acks at the appropriate
time). Now there are separate tx_win and ack_win values. ack_win is
updated based on configuration responses, and is used to determine
when acks are sent.
CRs-fixed: 370909
Change-Id: I6d9ef55a2ff2f5f3d0117ad376a09e4cc26fe742
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Various LE profiles require very specific LE parameters for
both establishing and maintaining LE connections to remote
peripherals. These LE only parameters are encapsulated into
a single sockopts structure, and may be passed from user space.
CRs-Fixed: 335971
Change-Id: I408edb97ab0fa9717c7d3fe5fc8ad6ac179a2fff
Signed-off-by: Brian Gix <bgix@codeaurora.org>
On LE connections, either side may request security elevation. This
patch propogates the secuity level being requested by remote devices
to local servers and clients.
CRs-Fixed: 352637
Change-Id: Ia9ada039f0fef03c35c19d90b415423117e00e9a
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Because traffic between the local GATT client(s) and
remote servers are subject to different controls than
remote clients and the local server, all on the shared
fixed CID, it is important to manage the traffic on
seperate sockets.
Change-Id: I62385143c86522f4b123b32592b69f2a0ae6dc76
CRs-fixed: 336029
Signed-off-by: Brian Gix <bgix@codeaurora.org>
An application may call recv() on a disconnected socket if the
connection has unexpectedly dropped. In this case, the socket may
still exist, but it will be in an error state and the L2CAP connection
will be mostly torn down.
A crash was observed when the ERTM code attempted to send an ACK when
the L2CAP connection was not up. If the error state is detected and
ERTM queue processing is skipped, then the crash is avoided and the
recv() call just returns an error in userspace.
CRs-fixed: 336000
Change-Id: I540d774c5d42f0df856b13b6e634e6ba31d86492
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
The L2CAP specification has two ways to support streaming mode: Allow
fallback to ERTM or basic mode when the remote device requests one of
those modes, or make the connection fail unless both sides agree on
streaming mode.
The current code does not properly support either method. This change
makes a streaming mode connection fail if the remote device does not
also request streaming mode.
CRs-fixed: 336291
Change-Id: Id26f963a5e15d18e85a2faf2f8f01848e2a73fa4
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
When doing L2CAP configuration, use the correct retransmit and monitor
timeouts when configuring (or reconfiguring) AMP channels. The host
stack needs to use the timeouts read from incoming configuration
responses, and write appropriate timeouts when sending configuration
responses.
Change-Id: I1271ade93dbfee58a1cac115280704a327e901b2
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Added Flush Timeout parameter setting for l2cap channel. Bluetooth
profiles using l2cap can set this parameter to flush out the data
when it cannot be sent over the air with in timeout duration.
Change-Id: I60420c5be3a790aff26bc30e8089fdca47a99222
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
The upstream kernel has acquired new BT socket options since
BT_AMP_POLICY was first defined, now BT_FLUSHABLE is option 8 and
BT_POWER is option 9. It will save us some future pain if we align
with upstream code now and make BT_AMP_POLICY be option 10.
In addition, the option values for BT_AMP_POLICY were changed during
the upstreaming process.
CRs-fixed: 313757
Change-Id: Ia31e9c8cfd5207a6dd44e40a605d3021f5ce9fd9
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Before attempting to create a channel directly on an AMP check
that the remote device supports A2MP signalling before starting
the physical link creation process.
Change-Id: Iac2bcebf9630368685e24e636e39ffa82651705d
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
When setting up an initial link over AMP, use "create channel" signals
to start the link rather than doing an initial connection over BR/EDR
and moving the channel to AMP.
Change-Id: I5ebef97d6214e5333f0d1475d90b6f66f89e2d87
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
AMP controllers have different optimal settings for packet sizes
and checksums, so BT3.0+HS includes the ability to reconfigure
the L2CAP settings when a channel is moved between controllers.
Change-Id: Iad1592104ebc6ac4a9d9ed54b1d763b1786f4a1b
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Bluetooth 3.0+HS depends on an AMP manager to coordinate the setup and
teardown of AMP physical and logical links using the A2MP protocol.
There are also new L2CAP signals that allow two Bluetooth devices to
move L2CAP channels to and from a high-speed link, and a new socket
option for applications to use to control the type of Bluetooth link
used for L2CAP traffic.
Change-Id: I98067e0781b31f5d694e7b7da5cf5006dc21f514
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
The A2MP protocol uses a reliable ERTM channel to coordinate
high-speed AMP channels between two Bluetooth devices. This
is done using a fixed channel ID, but ERTM carries a lot of
state so the existing approach of hard-coded fixed channel
handlers does not work. This adds hooks for creation and
use of fixed channel sockets for use within the kernel.
Change-Id: I27363b7882ffc8ec643ffe792b078f253700089b
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Enhanced Retransmission Mode (ERTM) is a new feature in BT3.0, and
is a requirement for BT3.0+HS with high-speed AMP controllers.
Some work had already been done to add ERTM support to BlueZ,
but the high-speed feature is more demanding in terms of efficiency
and needs some extended control over ERTM operation. This commit
includes more robust state machines, no copying of received data,
improved transmit queue management, support for extended headers,
and more robust locking.
Change-Id: I21aba0e3fecb02e901bb174787a37533a923c327
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
This undoes all upstream bluetooth core changes since around
b79f44c (Bluetooth: Fix keeping the command timer running,
2011-04-11).
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
It fixes L2CAP socket based security level elevation during a
connection. The HID profile needs this (for keyboards) and it is the only
way to achieve the security level elevation when using the management
interface to talk to the kernel (hence the management enabling patch
being the one that exposes this issue).
It enables the userspace a security level change when the socket is
already connected and create a way to notify the socket the result of the
request. At the moment of the request the socket is made non writable, if
the request fails the connections closes, otherwise the socket is made
writable again, POLL_OUT is emmited.
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The L2CAP timeout constants are always used in form of jiffies. So just
include the conversion from msecs in the define itself. This has the
advantage of making the code where the timeout is used more readable.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Simplify code so that we do not need to check whether socket is locked.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Change sk lock to chan lock in l2cap core and move sk locks
to l2cap sock code. bh_locks were used because of being RCU
critical section. When needed use explicit socket locks.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Reviewed-by: Ulisses Furquim <ulisses@profusion.mobi>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Usage of RCU list looks not reasonalbe for a number of reasons:
our code sleep and we had to use socket spinlocks. Most parts
of code are updaters thus there is little sense to use RCU.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Reviewed-by: Ulisses Furquim <ulisses@profusion.mobi>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Use state_to_string function in debug statements.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
sk_sndtime value should be specified in jiffies thus initial value
needs to be converted from miliseconds. Otherwise this timeout is
unreliable when CONFIG_HZ is not set to 1000.
Signed-off-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This move some checking code that was in l2cap_sock_connect() to
l2cap_chan_connect(). Thus we can invert the lock calls, i.e., call
lock_sock() before hci_dev_lock() to avoid a deadlock scenario.
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Some incomming connections needs to increase the security level by
requesting encryption for example (HID keyboard case). This change allows
the userspace to change it through setsockopt with defer_setup enabled.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Each channel has a policy to require BR/EDR (the default),
prefer BR/EDR, or prefer AMP.
Check for valid policy value and L2CAP mode.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Acked-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
tx_win_max is initialized during L2CAP configuration phase. For fixed
channels (e.g. A2MP) we want to have it initialized when channel is
created.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
This uses SO_PRIORITY to set the skbuffer priority field
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
The Bluetooth stack has internal connection handlers for all of the various
Bluetooth protocols, and unfortunately, they are currently lacking the LSM
hooks found in the core network stack's connection handlers. I say
unfortunately, because this can cause problems for users who have have an
LSM enabled and are using certain Bluetooth devices. See one problem
report below:
* http://bugzilla.redhat.com/show_bug.cgi?id=741703
In order to keep things simple at this point in time, this patch fixes the
problem by cloning the parent socket's LSM attributes to the newly created
child socket. If we decide we need a more elaborate LSM marking mechanism
for Bluetooth (I somewhat doubt this) we can always revisit this decision
in the future.
Reported-by: James M. Cape <jcape@ignore-your.tv>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Adds support for extended window size (EWS) config option. We enable EWS
feature in L2CAP Info RSP when hs enabled. EWS option is included in L2CAP
Config Req if tx_win (which is set via socket) bigger then standard default
value (63) && hs enabled && remote side supports EWS feature.
Using EWS selects extended control field in L2CAP.
Code partly based on Qualcomm and Atheros patches sent upstream a year ago.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
role_switch variable inside l2cap_chan is a logical one and can
be easily converted to flag
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
