bluetooth pull request for net:

- Fix regression with RFCOMM - Fix regression with LE devices using Privacy (RPA) - Fix regression with LE devices not waiting proper timeout to establish connections - Fix race in smp -----BEGIN PGP SIGNATURE----- iQJNBAABCAA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmIX8ZIZHGx1aXoudm9u LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKQQDD/9rAmU8MSGKWouZa4jQWiYJ AQwGq0H7cohafYLebKp2rqG9kWTcB7GIIb1rfDkf0R+O6AkQFEaoEfHbzXYeznLq JKiXMibw44cW1wde7qcrvekBNNHCIFqUcUcAD3yY++jodFOppB4TCKUz0VI//LZ+ Yh85BoyNaeb1Iztbd1V5l4EdhUcA/zw45GvPHbqfDRB3enzuNZS8xbIZPkOahzPF sa8JiNJBqjp4HDPZt825waY7tw/6yDVGCVTE0Pl97BqDmlJdmUCfWKI7skldjC3C ZZ31eNg6VpTjV4y9OC9GvZQmQAKjHqpjYAT4/xz5DC2EA3Vatq9nbCggkzEwfHhb aW3i/yd8xCJE9sfIppoFMRX5EhK2/FzfmT7yGvNOWfFWqGxL71Y16QTLxKrmfP7m ucTxAayiJPxpkzwPsZiMgphucCXZ2vG9eI4UOmZXvE/OU2voGSFhb9nSapvmNJh4 LEKX1tE+vlFL6oMnaMOiZvKpya1jXVJE0+UGLYJdqYJmh0kmUWOkpNk2OAAX54hO UETvs74nbGUpN9UbA9ZysGHBSxEL6MkDauK5Os2CDitLCRoDl3gigfKFxv5e4oIz 11x9BHagTV9iuDbFQX3hWX388pLSsnCsdn09gQoMAmVaeQG1GDNlVamL/Zsadvvh jYK9SsKTxGP+F5DIhMw1MA== =Asaz -----END PGP SIGNATURE----- Merge tag 'for-net-2022-02-24' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - Fix regression with RFCOMM - Fix regression with LE devices using Privacy (RPA) - Fix regression with LE devices not waiting proper timeout to establish connections - Fix race in smp * tag 'for-net-2022-02-24' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: hci_sync: Fix not using conn_timeout Bluetooth: hci_sync: Fix hci_update_accept_list_sync Bluetooth: assign len after null check Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Bluetooth: fix data races in smp_unregister(), smp_del_chan() Bluetooth: hci_core: Fix leaking sent_cmd skb ==================== Link: https://lore.kernel.org/r/20220224210838.197787-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-02-24 18:13:30 -08:00 · 2022-02-24 18:13:30 -08:00 · 8a7271000b
commit 8a7271000b
parent d8152cfe2f a56a1138cb
5 changed files with 33 additions and 12 deletions
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@ -506,8 +506,7 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk,

 		tmp = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom);
 		if (IS_ERR(tmp)) {
-			kfree_skb(skb);
-			return tmp;
+			return skb;
 		}

 		len -= tmp->len;
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@ -1489,6 +1489,14 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
 /* Extended advertising support */
 #define ext_adv_capable(dev) (((dev)->le_features[1] & HCI_LE_EXT_ADV))

+/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 1789:
+ *
+ * C24: Mandatory if the LE Controller supports Connection State and either
+ * LE Feature (LL Privacy) or LE Feature (Extended Advertising) is supported
+ */
+#define use_enhanced_conn_complete(dev) (ll_privacy_capable(dev) || \
+					 ext_adv_capable(dev))
+
 /* ----- HCI protocols ----- */
 #define HCI_PROTO_DEFER             0x01

--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@ -2738,6 +2738,7 @@ void hci_release_dev(struct hci_dev *hdev)
 	hci_dev_unlock(hdev);

 	ida_simple_remove(&hci_index_ida, hdev->id);
+	kfree_skb(hdev->sent_cmd);
 	kfree(hdev);
 }
 EXPORT_SYMBOL(hci_release_dev);
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@ -1841,6 +1841,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
 	struct bdaddr_list *b, *t;
 	u8 num_entries = 0;
 	bool pend_conn, pend_report;
+	u8 filter_policy;
 	int err;

 	/* Pause advertising if resolving list can be used as controllers are
@ -1927,6 +1928,8 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
 		err = -EINVAL;

 done:
+	filter_policy = err ? 0x00 : 0x01;
+
 	/* Enable address resolution when LL Privacy is enabled. */
 	err = hci_le_set_addr_resolution_enable_sync(hdev, 0x01);
 	if (err)
@ -1937,7 +1940,7 @@ done:
 		hci_resume_advertising_sync(hdev);

 	/* Select filter policy to use accept list */
-	return err ? 0x00 : 0x01;
+	return filter_policy;
 }

 /* Returns true if an le connection is in the scanning state */
@ -3262,10 +3265,10 @@ static int hci_le_set_event_mask_sync(struct hci_dev *hdev)
 	if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
 		events[0] |= 0x40;	/* LE Data Length Change */

-	/* If the controller supports LL Privacy feature, enable
-	 * the corresponding event.
+	/* If the controller supports LL Privacy feature or LE Extended Adv,
+	 * enable the corresponding event.
 	 */
-	if (hdev->le_features[0] & HCI_LE_LL_PRIVACY)
+	if (use_enhanced_conn_complete(hdev))
 		events[1] |= 0x02;	/* LE Enhanced Connection Complete */

 	/* If the controller supports Extended Scanner Filter
@ -4106,9 +4109,9 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	hci_inquiry_cache_flush(hdev);
 	hci_pend_le_actions_clear(hdev);
 	hci_conn_hash_flush(hdev);
-	hci_dev_unlock(hdev);
-
+	/* Prevent data races on hdev->smp_data or hdev->smp_bredr_data */
 	smp_unregister(hdev);
+	hci_dev_unlock(hdev);

 	hci_sock_dev_event(hdev, HCI_DEV_DOWN);

@ -5185,7 +5188,7 @@ int hci_le_ext_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
 	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_EXT_CREATE_CONN,
 					plen, data,
 					HCI_EV_LE_ENHANCED_CONN_COMPLETE,
-					HCI_CMD_TIMEOUT, NULL);
+					conn->conn_timeout, NULL);
 }

 int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn)
@ -5270,9 +5273,18 @@ int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn)
 	cp.min_ce_len = cpu_to_le16(0x0000);
 	cp.max_ce_len = cpu_to_le16(0x0000);

+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2261:
+	 *
+	 * If this event is unmasked and the HCI_LE_Connection_Complete event
+	 * is unmasked, only the HCI_LE_Enhanced_Connection_Complete event is
+	 * sent when a new connection has been created.
+	 */
 	err = __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CONN,
-				       sizeof(cp), &cp, HCI_EV_LE_CONN_COMPLETE,
-				       HCI_CMD_TIMEOUT, NULL);
+				       sizeof(cp), &cp,
+				       use_enhanced_conn_complete(hdev) ?
+				       HCI_EV_LE_ENHANCED_CONN_COMPLETE :
+				       HCI_EV_LE_CONN_COMPLETE,
+				       conn->conn_timeout, NULL);

 done:
 	/* Re-enable advertising after the connection attempt is finished. */
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@ -77,11 +77,12 @@ int mgmt_send_event_skb(unsigned short channel, struct sk_buff *skb, int flag,
 {
 	struct hci_dev *hdev;
 	struct mgmt_hdr *hdr;
-	int len = skb->len;
+	int len;

 	if (!skb)
 		return -EINVAL;

+	len = skb->len;
 	hdev = bt_cb(skb)->mgmt.hdev;

 	/* Time stamp */