... rather than relying on ciptool(8) never passing it anything else. Give
it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Bug: 33982955
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Change-Id: I078260c1b5be6a96b54c265da0236bf84842e450
same story as cmtp
Bug: 33982955
Change-Id: I60ce3e3b5a5a0e41ddaec155a0c6a46307eedeb7
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
commit b3916db32c upstream.
We need to verify that the given sockets actually are l2cap sockets. If
they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
start the session if the offsets turn out to be valid local BT addresses.
That is, if someone passes a TCP socket to HIDCONNADD, then we access some
random offset in the TCP socket (which isn't even guaranteed to be valid).
Fix this by checking that the socket is an l2cap socket.
Change-Id: I401bca741588b34876a1c835d8d4567852b4ec75
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
upstream a8149a65c1db9c3980873a32e4a96331b7a61f5b from
https://github.com/LineageOS/android_kernel_samsung_msm8974.git
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Change-Id: I7a0ff0b9dd0156c0e6383214a9c86e4ec4c0d236
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CVE-2017-1000251
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Restructure IOMMU clock management code to enable/disable clocks
based on iommu unit instead of context. In hardware IOMMU clocks
are associated with each IOMMU unit. There is no granularity of
clock control for each iommu context. Turning on the clocks for
one context in a IOMMU unit automatically turns on the clocks for
all the contexts in IOMMU unit. Reduce the number of clock
enable/disable calls and structure the software design as per
hardware design by doing clock management per IOMMU unit.
Change-Id: Ib54dbb7a31d6b30b65c07ef130bee149e3e587d8
Signed-off-by: Tarun Karra <tkarra@codeaurora.org>
Avoid the possible crash due to Bluetooth connection loss while data
trasfer is in progress. Bluetooth connection loss might happen due to
turn off of Bluetooth or reset of device when there is an active data
transfer over Bluetooth.
Change-Id: Ib15a9ac2df3a250d279774d6e45f1e37c9ea1cc0
CRs-fixed: 375238
Signed-off-by: Bhakthavatsala Raghavendra <braghave@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Keep the Clock offset valid for one Hour and read it again after
connection complete so that we have most recent value. This helps
for faster ACL connections.
CRs-fixed: 430132
Change-Id: I1526878a7365f9cc0c654e0af6c4dd214fac4cd8
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
The re-authentication code changes are added to mandate 16 digit
PIN Key for SECURE_HIGH connections. But only SAP profile needs
16 digit key, not all the profiles that register with SECURITY
HIGH. Avoid the code to mandate 16 digit key.
Change-Id: Iffc02841e52b8c0b2f6e2495b27df26869e72999
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
Signed-off-by: Ram Mohan Korukonda <rkorukon@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
The scatternet scenarios are difficult to be handled in SOC. This
change not to allow role switch during outgoing ACL connections
will avoid scatternet scenarios.
CRs-fixed: 392836
Change-Id: I5769b71879ea951755e115424fb2b5b504e95784
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Addressing the PAN PTS case failure TC_BNEP_BRIDGE_TX_BV_01_I
CRs-fixed: 418765
Change-Id: Ied43be30e41afec4088c5b331eda1431015ebb3e
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Due to simultaneous disconnects from HCI and SCO
this race condtion arrives. While doing SCO disconnect
a null pointer check for HCI connection should be present
to avoid any crash due to this condtion.
CRs-Fixed: 415887
Change-Id: I23f0a7a256e267650db0abc2fc510b964b64c50c
Signed-off-by: Nitin Srivastava <nitinsr@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
When pairing is cancelled during the pass key request UI pop
up, call pairing complete after sending SMP_CMD_PAIRING_FAIL
which would clean up all the pairing callbacks and send
notification to the above layers.
Change-Id: I0d3e9bdc19dc2fcae280d3c70ddea976ecb218c7
Signed-off-by: Archana Ramachandran <archanar@codeaurora.org>
CRs-fixed: 430016
Signed-off-by: Sunny Kapdi <sunnyk@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Change has to be reverted to address one user interaction case,
in the process of addressing one issue it made mandate to have
user interactions in some BT scenarios, the issue is fixed via
f8fffe8423933433c30dda4f9a92afc71e8def21 and it addressees all
the user scenarios properly.
More details on this issue is provided in CR: 413132 analysis
section in the prism.
This reverts commit 45df0f99094aefc2564951495ab0005a18d62de3.
Change-Id: I56611cb2646789c71f4012e906a7bbada1236c00
Signed-off-by: Bhasker Neti <bneti@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
While turning off BT, sleep is getting called in the soft isr context
from work queue which is queued from a code section guarded under the
bh lock,
To resolve this released the bh lock before queing the work, as it wont
impact any BT functionality.
CRs-fixed: 405917
Change-Id: I1b872d724b4d0d384cc5314e0f493facd9829a54
Signed-off-by: Bhasker Neti <bneti@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
If the bonded remote device is removed from the list of paired
devices in the DUT, it is still possible to connect to the DUT
from the remote device without any user confirmation.
CRs-fixed: 413132
Change-Id: Iea3e4cf41e5403c3e304ca5f82cf42266be35b79
Signed-off-by: Bhasker Neti <bneti@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
When whitelist APIs are used for establishing LE connection
between the phone and remote LE device, few times
ATT requests like Read by Group Type request are received by
the phone from the remote device before the L2CAP channel has
been set up completely. Hence the LE server in the phone
sends a "Request not supported" error response since
the L2CAP channel has not yet been created. This fix checks
the state of the L2CAP channel after sleeping for a while
and sends the ATT request to be processed by the upper layers
when the L2CAP channel is up.
CRs-fixed: 415648
Change-Id: Ifbaf75fe612195b3c6ce49629106cac09dd0a437
Signed-off-by: Subramanian Srinivasan <subrsrin@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Based on the user requirement for auth type, update even
the pending security level. This will make sure the authentication
requirement matches the action at kernel space on connection
establishment.
CRs-Fixed: 385463
Change-Id: I94c7e621c105bb2180e6e722cc8cca17869ff2e5
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Add support to create connection to LE devices using
whitelist. With this, the Controller can try to connect
to multiple devices at the same time. The following
interfaces are added.
1. Add/Remove device from whitelist
2. Clear all the devices from whitelist
3. Create Connection to devices from whitelist
4. Cancel create connection to whitelist devices
CRs-fixed: 388980
Change-Id: I3900c71255e754f80bb2873ae19a41b94cca76c3
Signed-off-by: Sunny Kapdi <sunnyk@codeaurora.org>
(cherry picked from commit 93bef895b01b79f49af60ba1394c9c3f6e563212)
(cherry picked from commit 377ee2bf1fc37bcbeae872661646bdd6a5f8da31)
Found there are some IOT issues when this command is sent from
DUT. This command is only a dummy implementation. As this doesn't
have any impact on functionality, disabled the feature.
Change-Id: Ib435ac17df9d0377bd0b41fdc33b68c738eeaccc
CRs-Fixed: 390090
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
(cherry picked from commit ed37c51ddc9b1514f5e5bfec1ae4763a85e2faad)
Added a new function to verify whether the LE Connection Update
parameters are valid instaed of verifying all the LE Connection
parameters since only update parameters are set in the Connection
Update Request.
CRs-Fixed: 387146
Change-Id: I9fe6b51e44e2793f3945613fdfde3a039804746f
Signed-off-by: Archana Ramachandran <archanar@codeaurora.org>
(cherry picked from commit 95319af0612d58788279748f586cc57221c3443e)
Send device disconnection reason to bluez on receiving the
diconnection complete event so that low energy profiles
such as proximity can decide to reconnect if the reason
is link loss.
CRs-Fixed: 378240
Signed-off-by: Archana Ramachandran <archanar@codeaurora.org>
(cherry picked from commit da09d26a75ee1c7c1911dcfbe0128fd09f6631f4)
Change-Id: Iab1fede47f44342d87be6c3c5aa7590754fd950c
Signed-off-by: Sudhir Sharma <sudsha@codeaurora.org>
Found in a rare case there is possibility that remote device
sent disconnect on a connection and DUT is trying send data
on the same. In that case accessing some released wakelock
is causing issue. The current changes are to use locking
mechanism to validate the connection before acting on the
wake lock.
CRs-Fixed: 394651
Change-Id: I6a4188a7d0d05a8cfbe66d3680473d549157917a
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
(cherry picked from commit 6aadc41fcbd28dc3899a4b5d098e5f316588a029)
Signed-off-by: Sudhir Sharma <sudsha@codeaurora.org>
In hci_connect API there is check for existing link, before
connect operation in order to avoid queuing connect if connection
already exist. This check for Synchronous connections is not
validating for ESCO and SCO connection types which are possible
synchronous connections.The current change takes care of verifying
both before proceeding to add a new connection.
Change-Id: I9018e0938bcd222bb6d80944e1b113e07227b066
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
(cherry picked from commit 645f4d465ba131c87a99fdebcef5e597181b33c8)
Signed-off-by: Sudhir Sharma <sudsha@codeaurora.org>
Have maximum blocking time for shutdown operation as DISCONNECT_TIMEOUT.
During this period when SCO connection closes, the userspace will be
updated on the close operation. Existing approach of immidiate return
on shutdown call can cause synchronization issues on SCO state between
kernel and userspace. This happens when disconnect operation takes
more time at kernel space.
Change-Id: Id9e6a61c2c3d4ba2cf6da574fc49bc6894a8f96a
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
While hid device unpair process, we are trying to access released
socket as apart of getting hci device which results a kernel panic.
CRs-fixed: 387164
Change-Id: I1f3f3f92cfd1d3b39793bc5a142001d5e26d76c4
Signed-off-by: Ram Mohan Korukonda <rkorukon@codeaurora.org>
shutdown should wait for SCO link to be properly disconnected before
detroying the socket, otherwise an application using the socket may
assume link is properly disconnected before it really happens which
can be a problem when e.g synchronizing profile switch.
Change-Id: Ifc59bfd90c264d9c742ce254161a21518108c3cb
Signed-off-by: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
Found there is possibility of sniff subrate collision with some
IOT devices. When this collision happned if the remote device
send subrate values that doesn't match with DUT supported
values exit sniff mode. This will allow DUT to reconfigure
sniff after idle time.
CRs-Fixed: 380811
Change-Id: Ie9502a48411635fbea73f935f99ea4f444556b41
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
When data transfer is in progress on a ACL connection, all the time
the set_active_mode API will be called to update the timer for next
sniff mode. If there is ACL disconnect triggered from remote side,
there is possibility of hci connection delete when set_active
routine in progress. Found a condition where delete API destroyed
the wake lock, which is used in set_active API. In codition leads
to crash in set_wakelock API. The current change is to lock hdev,
before set_active and set_sniff APIs are called. This avoids the
race condition in accessing hci connection, while delete in progress
and vice versa.
CRs-Fixed: 383490
Change-Id: I625ebb8c8f09ddf2afcd300d20ab3bf8e164b485
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
It is possible that during BT OFF operation the hcon
could be released from a tasklet context while we are
trying to send the l2cap disconnect req. Make sure
that hcon is valid before dereferencing it during
l2cap disconnect req.
CRs-fixed: 383345
Change-Id: Icb12c62560013b5ebb047c1c5d4bfe04b3a793ef
Signed-off-by: Sunny Kapdi <sunnyk@codeaurora.org>
In rfcomm_session_put API the session count is decremented
and when it is equal to zero rfcomm_session_del is called
where session is removed from sessions list and freed. The
current change is verify the existance of session in list
before acting session. The avoids the possibility of action
on a deleted session, which causes crash.
CRs-Fixed: 383000
Change-Id: Ia55607b08ee388465494f08bbe1627102d281f8a
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
The BT host has fixed set of buffers to send data to SoC, generic value
is 5. When a connection, like A2DP playback is ready to send data it
fills one of the buffer available and sends to SoC. Once SoC got
acknowledged from remote side that the data received it updates the host
and the buffer is freed. Till host is acknowledged the send Complete
info, the data buffer is locked for that data transfer. The below is the
example for buffers availability.
Total free Buffers count : 5
Connections : 1
Conn_1 need to send data, picks buf_1 and send to SoC
free Buffers count: 4
Buffers used by Conn_1 : 1
Still Conn_1 has more data to send ....
free Buffers count: 3
Buffers used by Conn_1 : 2
Remote device Ack for buf_1, so 1 buffer is freed, updated state is
free Buffers count : 4
Buffers used by Conn_1 : 1
When there are more ACL connections to transfer data, like one
connection for A2DP playback and one for OPP data transfer, all the data
buffers available with host can be used by any ACL which has ready data
to send. This allows maximum throughputs possibility from host. But the
existing solution has a problem. If one connection has used all the
buffers at a instanace of time, and didnt release (this happens when remote
device doesnt ACK to send) the other connections will not have buffers to
send. In current usecase A2dp data cannot be sent to headset as OPP
connection is lost. The current change is, when there are more
connections the quota for a connection that it can use maximum is
total buffers-1. This allows other connections not to get blocked,
at the same time through puts are not going to dropped.
CRs-Fixed: 370497
Change-Id: Iac34f0a223555de80d1daebde34c7fc87668c0d5
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
LE connections don't have sniff/active connection
mode, unlike BR/EDR. Make sure that the link which
has been requested to enter sniff/active mode is not
an LE connection.
CRs-fixed: 376972
Change-Id: Iec4714d1c2ea7621267f9064b7046eb9d5ff9462
Signed-off-by: Sunny Kapdi <sunnyk@codeaurora.org>
Added support to let the userspace know about the updated
LE connection parameters. On receiving successful connection
complete and connection parameters update event from the BT
Controller, send a mgmt event to the userspace bluetoothd.
CRs-fixed: 380271
Change-Id: If8c3d785188e0d4f38c7431d01c016f399137408
Signed-off-by: Sunny Kapdi <sunnyk@codeaurora.org>
The start encryption command fails when the LE update
connection parameters request is pending.
Hence, prevent the update of LE connection parameters during the
bonding process. The update of connection parameters is
not necessary during bonding process.
CRs-fixed: 380257
Change-Id: I41cb3998fecc2297d61ec97d66ac35a0bd41ca80
Signed-off-by: Subramanian Srinivasan <subrsrin@codeaurora.org>
In error conditions Adapter state machine via Bluez tries to reset
the hci device, during that in some rare scenario if some pending event
comes from riva, the command complete apis tries to access some already
freed memory in reset sequence.
CRs-fixed: 369658
Change-Id: I5e9ce0a4322d07a26602c7f74b1484720f6b4d75
Signed-off-by: Bhasker Neti <bneti@codeaurora.org>
Since the context where unlink will be called is unaware of
validity of hci_conn pointer, fetch the valid hci_conn
before unlink.
CRs-fixed: 370274
Change-Id: I30a35acdf75c9b4787af6629c7b32d2d31b8ad80
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Update the hdev scan state with Inquiry start/cancel commands in
non-LE case accordingly. And also there was no check to see the
SCAN_BR mode before sending inquiry cancel.Added a check to see
if the scan state is SCAN_BR,then send inquiry cancel
Change-Id: I222f500fc20b991f4c3ec7eb1fc70bf20649f142
Signed-off-by: Bhasker Neti <bneti@codeaurora.org>
CRs-fixed: 359771
Store the MTU to use the proper MTU requested by remote if the
configuration fails for other options. If the remote does not
send the MTU in the next configuration request,
we need to use that value.
CRs-fixed: 373233
Change-Id: I35d9aa777f237bce5a4194036261128af1a7ada7
Signed-off-by: Mallikarjuna GB <gbmalli@codeaurora.org>
Class of device information is required to the bluez userspace
to write to persistant storage and also update upper layers on
request. So update the local CoD info to bluez once the hci write
is successful.
Change-Id: If45910d4b391616592b49d77d87ca0314be1f033
Signed-off-by: Srinivas Krovvidi <skrovvid@codeaurora.org>
If due to timing issues out of our control, an outbound ATT Indicate
is delayed to the point that user space code does not receive
confirmation within it time-out period, both Client and Server
sockets must be torn down. We also must always respond to incoming
ATT Indicate pkt with a Confirmation, as the Error Response is an
illegal response for Indicate.
CRs-Fixed: 363355
Change-Id: I4003a59e1a731a08818f18d5b79db537e2aa2619
Signed-off-by: Brian Gix <bgix@codeaurora.org>
This change addresses an L2CAP ERTM throughput problem when a remote
device does not fully utilize the available transmit window.
The L2CAP ERTM transmit window size determines the maximum number of
unacked frames that may be outstanding at any time. It is configured
separately for each direction of an ERTM connection. Each side sends a
configuration request with a tx_win field indicating how many unacked
frames it is capable of receiving before sending an ack. The
configuration response's tx_win field shows how many frames the
transmitter will actually send before waiting for an ack.
It's important to trace both the actual transmit window (to check for
validity of incoming frames) and the number of frames that the
transmitter will send before waiting (to send acks at the appropriate
time). Now there are separate tx_win and ack_win values. ack_win is
updated based on configuration responses, and is used to determine
when acks are sent.
CRs-fixed: 370909
Change-Id: I6d9ef55a2ff2f5f3d0117ad376a09e4cc26fe742
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
AMP feature is decommitted from Android PL's. Make advertising and
support for the A2MP protocol depend on an L2CAP module parameter
and make the default state disabled.
Change-Id: Icb9827d2d4205818d6c3b49e7a53938666f769e8
Signed-off-by: Peter Krystad <pkrystad@codeaurora.org>
