linux/net/bluetooth, branch v3.8

Bluetooth: Fix hci_conn timeout routine

2013-01-31T17:38:02Z

If occurs a LE or SCO hci_conn timeout and the connection is already established (BT_CONNECTED state), the connection is not terminated as expected. This bug can be reproduced using l2test or scotest tool. Once the connection is established, kill l2test/scotest and the connection won't be terminated. This patch fixes hci_conn_disconnect helper so it is able to terminate LE and SCO connections, as well as ACL. Signed-off-by: Andre Guedes Signed-off-by: Gustavo Padovan

Bluetooth: Fix handling of unexpected SMP PDUs

2013-01-31T17:35:42Z

The conn->smp_chan pointer can be NULL if SMP PDUs arrive at unexpected moments. To avoid NULL pointer dereferences the code should be checking for this and disconnect if an unexpected SMP PDU arrives. This patch fixes the issue by adding a check for conn->smp_chan for all other PDUs except pairing request and security request (which are are the first PDUs to come to initialize the SMP context). Signed-off-by: Johan Hedberg CC: stable@vger.kernel.org Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan

Bluetooth: Check if the hci connection exists in SCO shutdown

2013-01-10T05:53:32Z

Checking only for sco_conn seems to not be enough and lead to NULL dereferences in the code, check for hcon instead. <1>[11340.226404] BUG: unable to handle kernel NULL pointer dereference at 0000000 8 <4>[11340.226619] EIP is at __sco_sock_close+0xe8/0x1a0 <4>[11340.226629] EAX: f063a740 EBX: 00000000 ECX: f58f4544 EDX: 00000000 <4>[11340.226640] ESI: dec83e00 EDI: 5f9a081f EBP: e0fdff38 ESP: e0fdff1c <0>[11340.226674] Stack: <4>[11340.226682] c184db87 c1251028 dec83e00 e0fdff38 c1754aef dec83e00 00000000 e0fdff5c <4>[11340.226718] c184f587 e0fdff64 e0fdff68 5f9a081f e0fdff5c c1751852 d7813800 62262f10 <4>[11340.226752] e0fdff70 c1753c00 00000000 00000001 0000000d e0fdffac c175425c 00000041 <0>[11340.226793] Call Trace: <4>[11340.226813] [] ? sco_sock_clear_timer+0x27/0x60 <4>[11340.226831] [] ? local_bh_enable+0x68/0xd0 <4>[11340.226846] [] ? lock_sock_nested+0x4f/0x60 <4>[11340.226862] [] sco_sock_shutdown+0x67/0xb0 <4>[11340.226879] [] ? sockfd_lookup_light+0x22/0x80 <4>[11340.226897] [] sys_shutdown+0x30/0x60 <4>[11340.226912] [] sys_socketcall+0x1dc/0x2a0 <4>[11340.226929] [] ? trace_hardirqs_on_thunk+0xc/0x10 <4>[11340.226944] [] syscall_call+0x7/0xb <4>[11340.226960] [] ? restore_cur+0x5e/0xd7 <0>[11340.226969] Code: ff 4b 08 0f 94 c0 84 c0 74 20 80 7b 19 01 74 2f b8 0a 00 00 Reported-by: Chuansheng Liu Signed-off-by: Gustavo Padovan

Bluetooth: Fix authentication if acl data comes before remote feature evt

2013-01-10T05:26:18Z

If remote device sends l2cap info request before read_remote_ext_feature completes then mgmt_connected will be sent in hci_acldata_packet() and remote name request wont be sent and eventually authentication wont happen Hcidump log of the issue < HCI Command: Create Connection (0x01|0x0005) plen 13 bdaddr BC:85:1F:74:7F:29 ptype 0xcc18 rswitch 0x01 clkoffset 0x4bf7 (valid) Packet type: DM1 DM3 DM5 DH1 DH3 DH5 > HCI Event: Command Status (0x0f) plen 4 Create Connection (0x01|0x0005) status 0x00 ncmd 1 > HCI Event: Connect Complete (0x03) plen 11 status 0x00 handle 12 bdaddr BC:85:1F:74:7F:29 type ACL encrypt 0x00 < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2 handle 12 > HCI Event: Command Status (0x0f) plen 4 Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1 > HCI Event: Read Remote Supported Features (0x0b) plen 11 status 0x00 handle 12 Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87 > HCI Event: Max Slots Change (0x1b) plen 3 handle 12 slots 5 < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3 handle 12 page 1 > HCI Event: Command Status (0x0f) plen 4 Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1 > ACL data: handle 12 flags 0x02 dlen 10 L2CAP(s): Info req: type 2 < ACL data: handle 12 flags 0x00 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels > HCI Event: Read Remote Extended Features (0x23) plen 13 status 0x00 handle 12 page 1 max 1 Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 > ACL data: handle 12 flags 0x02 dlen 10 L2CAP(s): Info req: type 3 < ACL data: handle 12 flags 0x00 dlen 20 L2CAP(s): Info rsp: type 3 result 0 Fixed channel list 0x00000002 L2CAP Signalling Channel > HCI Event: Number of Completed Packets (0x13) plen 5 handle 12 packets 2 This patch moves sending mgmt_connected from hci_acldata_packet() to l2cap_connect_req() since this code is to handle the scenario remote device sends l2cap connect req too fast Signed-off-by: Jaganath Kanakkassery Signed-off-by: Gustavo Padovan

Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()

2013-01-09T19:39:05Z

The length parameter should be sizeof(req->name) - 1 because there is no guarantee that string provided by userspace will contain the trailing '\0'. Can be easily reproduced by manually setting req->name to 128 non-zero bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on input subsystem: $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys" field in struct hid_device due to overflow.) Cc: stable@vger.kernel.org Signed-off-by: Anderson Lizardo Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan

Bluetooth: Fix sending HCI commands after reset

2013-01-09T19:05:14Z

After sending reset command wait for its command complete event before sending next command. Some chips sends CC event for command received before reset if reset was send before chip replied with CC. This is also required by specification that host shall not send additional HCI commands before receiving CC for reset. < HCI Command: Reset (0x03|0x0003) plen 0 [hci0] 18.404612 > HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.405850 Write Extended Inquiry Response (0x03|0x0052) ncmd 1 Status: Success (0x00) < HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.406079 > HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.407864 Reset (0x03|0x0003) ncmd 1 Status: Success (0x00) < HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.408062 > HCI Event: Command Complete (0x0e) plen 12 [hci0] 18.408835 Signed-off-by: Szymon Janc Cc: stable@vger.kernel.org Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid

2012-12-13T20:00:48Z

Pull HID subsystem updates from Jiri Kosina: 1) Support for HID over I2C bus has been added by Benjamin Tissoires. ACPI device discovery is still in the works. 2) Support for Win8 Multitiouch protocol is being added, most work done by Benjamin Tissoires as well 3) EIO/ERESTARTSYS is fixed in hiddev/hidraw, fixes by Andrew Duggan and Jiri Kosina 4) ION iCade driver added by Bastien Nocera 5) Support for a couple new Roccat devices has been added by Stefan Achatz 6) HID sensor hubs are now auto-detected instead of having to list all the VID/PID combinations in the blacklist array 7) other random fixes and support for new device IDs * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: (65 commits) HID: i2c-hid: add mutex protecting open/close race Revert "HID: sensors: add to special driver list" HID: sensors: autodetect USB HID sensor hubs HID: hidp: fallback to input session properly if hid is blacklisted HID: i2c-hid: fix ret_count check HID: i2c-hid: fix i2c_hid_get_raw_report count mismatches HID: i2c-hid: remove extra .irq field in struct i2c_hid HID: i2c-hid: reorder allocation/free of buffers HID: i2c-hid: fix memory corruption due to missing hid declaration HID: i2c-hid: remove superfluous include HID: i2c-hid: remove unneeded test in i2c_hid_remove HID: i2c-hid: i2c_hid_get_report may fail HID: i2c-hid: also call i2c_hid_free_buffers in i2c_hid_remove HID: i2c-hid: fix error messages HID: i2c-hid: fix return paths HID: i2c-hid: remove unused static declarations HID: i2c-hid: fix i2c_hid_dbg macro HID: i2c-hid: fix checkpatch.pl warning HID: i2c-hid: enhance Kconfig HID: i2c-hid: change I2C name ...

Merge branches 'for-3.7/upstream-fixes', 'for-3.8/hidraw', 'for-3.8/i2c-hid', 'for-3.8/multitouch', 'for-3.8/roccat', 'for-3.8/sensors' and 'for-3.8/upstream' into for-linus

2012-12-12T20:41:55Z

Conflicts: drivers/hid/hid-core.c

HID: hidp: fallback to input session properly if hid is blacklisted

2012-12-07T10:12:27Z

This patch against kernel 3.7.0-rc8 fixes a kernel oops when turning on the bluetooth mouse with id 0458:0058 [1]. The mouse in question supports both input and hid sessions, however it is blacklisted in drivers/hid/hid-core.c so the input session is one that should be used. Long ago (around kernel 3.0.0) some changes in the bluetooth subsystem made the kernel do not fallback to input session when hid session is not supported or blacklisted. This patch restore that behaviour by making the kernel try the input session if hid_add_device returns ENODEV. The patch exports hid_ignore() from hid-core.c so that it can be used in the bluetooth subsystem. [1] https://bugzilla.kernel.org/show_bug.cgi?id=39882 Signed-off-by: Lamarque V. Souza Acked-by: Gustavo Padovan Signed-off-by: Jiri Kosina

Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

2012-12-03T18:46:03Z