* RE: LMP transaction collision at Set encryption
@ 2012-02-13 6:22 Mohanan, Rajmohan
2012-02-13 7:28 ` Marcel Holtmann
0 siblings, 1 reply; 4+ messages in thread
From: Mohanan, Rajmohan @ 2012-02-13 6:22 UTC (permalink / raw)
To: linux-bluetooth@vger.kernel.org
Cc: Holtmann, Marcel, linux-bluetooth@vger.kernel.org,
padovan@profusion.mobi, marcel@holtmann.org
[-- Attachment #1: Type: text/plain, Size: 2852 bytes --]
Hi,
I got an interesting issue in the bluez stack.
1. I started pairing from my device (DUT) to a remote device (Lenovo T500). After successful bonding, bluez sends device discovery on the same ACL connection created prior to bonding.
2. My role is changed to slave.
3. From my LMP, on sending Set Connection Encryption, I'm getting LMP Error Transaction Collision as the status of my encryption command
(Remote guy who is a master has also initiated Set encryption).
4. In between, bluez has initiated an SDP search after the bonding process completed (device_bonding_complete()), so an l2cap connect req has been initiated and the BT state is BT_CONFIG.
5. From the encryption change event (event status is 0x23 (LMP transaction collision)), l2cap_connect_cfm will be called, and in that we are disconnecting l2cap and then the acl link.
If we are getting an LMP transaction collision and we are slave, do we need to disconnect the ACL link?
We are not able to find the services of the remote device because application written in spite of service discovery has initiated after bonding process.
I'm attaching the HCI dump and air trace.
From the hci dump you can find that the slave (DUT) is sending the Set encryption command, and from the air trace you can see the Encryption mode request from the master.
I took the air trace with the link key which was generated previously, so I got the initial LMP transaction in the air trace.
I was not able to put in the new link key which is generated in the current transaction, so after encryption the air trace has some missing packets. You can see this after frame 3288 in the air trace.
/*code changes*/
I have made changes in hci_event.c for solving LMP Transaction collision.
When we get an Encrypt change event with the error code LMP transaction collision, I'm ignoring the change event, because the Encrypt change from the master will be processed and we will get an encrypt change event with success the second time. If we are not getting an Encrypt change event from the master, we send Set encryption again from the slave (because we already sent a set encryption which resulted in a collision) after a 1 second delay. If we get an encrypt change event from the master after the collision event, then we delete the timer and process it normally.
I also got another issue with the Lenovo T500 laptop where, whenever bonding completes, the Lenovo T500 initiates an SDP search request which collides with our SDP request (from Bluez, if we are initiator we start the SDP query immediately, and if we are responder we delay for 2 seconds before starting the SDP query).
For solving this IOP issue I have made a change so that if we are initiator we will also delay for 1 second and start the SDP query after bonding.
I'm attaching patch for above two issues.
Please review it and let me know the feedback.
Regards
Rajmohan
[-- Attachment #2: 0001-LMP-Transaction-Collision-handling-set-encryption.patch --]
[-- Type: application/octet-stream, Size: 6503 bytes --]
From 957ce9ab97a55b2522abc5b5ab9dfbeed9432dc1 Mon Sep 17 00:00:00 2001
From: mohanan <rajmohan.mohanan@intel.com>
Date: Fri, 10 Feb 2012 09:56:23 +0530
Subject: [PATCH] LMP Transaction Collision handling[set encryption]
Change-Id: Ibaa5361fa782efb27acaff0c4433ad2901faeca1
---
include/linux/kernel.h | 5 +++--
include/net/bluetooth/hci.h | 1 +
include/net/bluetooth/hci_core.h | 21 +++++++++++----------
net/bluetooth/hci_conn.c | 22 +++++++++++++++++++++-
net/bluetooth/hci_event.c | 16 ++++++++++++----
5 files changed, 48 insertions(+), 17 deletions(-)
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index f4e3184..75e7f89 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -20,6 +20,7 @@
#include <asm/byteorder.h>
#include <asm/bug.h>
+
extern const char linux_banner[];
extern const char linux_proc_banner[];
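Review bot: The blank line added after `#include <asm/bug.h>` is a stray whitespace change to include/linux/kernel.h that has nothing to do with the encryption fix. Drop this hunk so the patch touches only Bluetooth files.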
@@ -386,7 +387,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
/* pr_devel() should produce zero code unless DEBUG is defined */
#ifdef DEBUG
#define pr_devel(fmt, ...) \
- printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+ printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
#else
#define pr_devel(fmt, ...) \
({ if (0) printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__); 0; })
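Review bot: Raising `pr_devel()` from `KERN_DEBUG` to `KERN_INFO` in the `#ifdef DEBUG` branch changes the log level for every user of this macro in the kernel, not only Bluetooth, and looks like a local debugging aid that was left in. Remove it from the patch and keep any extra logging needed for testing in a private tree.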
@@ -395,7 +396,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
/* If you are writing a driver, please use dev_dbg instead */
#if defined(DEBUG)
#define pr_debug(fmt, ...) \
- printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+ printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
#elif defined(CONFIG_DYNAMIC_DEBUG)
/* dynamic_pr_debug() uses pr_fmt() internally so we don't need it here */
#define pr_debug(fmt, ...) do { \
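Review bot: The `pr_debug()` level change applies only in the `#if defined(DEBUG)` branch, while the `CONFIG_DYNAMIC_DEBUG` branch directly below is untouched, so the resulting log level now depends on build configuration. The subject line says nothing about kernel.h, and this hunk should be dropped along with the other changes to that file.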
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index a60b694..4f20612 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -104,6 +104,7 @@ enum {
#define HCI_PAIRING_TIMEOUT (60000) /* 60 seconds */
#define HCI_IDLE_TIMEOUT (6000) /* 6 seconds */
#define HCI_INIT_TIMEOUT (10000) /* 10 seconds */
+#define HCI_ENCRYPTION_TIMEOUT (1000) /* 1 Seconds */
/* HCI data types */
#define HCI_COMMAND_PKT 0x01
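Review bot: `HCI_ENCRYPTION_TIMEOUT` reads like a limit on how long encryption may take, but the rest of the patch uses it as the delay before Set Connection Encryption is resent after a collision. A name that says "retry delay" would be clearer, with a comment explaining why 1 second was chosen, and the comment text should read `/* 1 second */` to match the lines above it.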
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index d9b20bc..7bef2ce 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -187,16 +187,17 @@ struct hci_conn {
__u8 out;
__u8 attempt;
__u8 dev_class[3];
- __u8 features[8];
- __u8 ssp_mode;
- __u16 interval;
- __u16 pkt_type;
- __u16 link_policy;
+ __u8 features[8];
+ __u8 ssp_mode;
+ __u16 interval;
+ __u16 pkt_type;
+ __u16 link_policy;
__u32 link_mode;
- __u8 auth_type;
- __u8 sec_level;
- __u8 power_save;
- __u16 disc_timeout;
+ __u8 auth_type;
+ __u8 sec_level;
+ __u8 power_save;
+ __u16 disc_timeout;
+ __u16 encrypt_timeout;
unsigned long pend;
unsigned int sent;
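Review bot: Most of this hunk removes and re-adds existing members of `struct hci_conn` (`features` through `disc_timeout`) with no change other than whitespace, which buries the one real addition, `__u16 encrypt_timeout;`. Leave the existing lines alone and add only the new member. Since the field is only ever set to `HCI_ENCRYPTION_TIMEOUT` in `hci_conn_add()`, a per-connection copy may not be needed at all.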
@@ -205,7 +206,7 @@ struct hci_conn {
struct timer_list disc_timer;
struct timer_list idle_timer;
-
+ struct timer_list encrypt_timer;
struct work_struct work_add;
struct work_struct work_del;
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 2f4d30f..22a6df0 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -195,7 +195,23 @@ static void hci_conn_idle(unsigned long arg)
hci_conn_enter_sniff_mode(conn);
}
+static void hci_conn_encryption(unsigned long arg)
+{
+ struct hci_conn *conn = (void *) arg;
+
+ BT_DBG("Encryption status check");
+ if((conn) && (test_and_clear_bit(HCI_CONN_ENCRYPT_PEND,&conn->pend)))
+ {
+ struct hci_dev *hdev = conn->hdev;
+ del_timer(&conn->encrypt_timer);
+ struct hci_cp_set_conn_encrypt cp;
+ cp.handle = conn->handle;
+ cp.encrypt = 0x01;
+ hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT,
+ sizeof(cp), &cp);
+ }
+}
struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
__u16 pkt_type, bdaddr_t *dst)
{
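Review bot: `cp.handle = conn->handle;` in `hci_conn_encryption()` places a host-order handle into the command parameters; the event path converts with `__le16_to_cpu(ev->handle)`, so the command side needs `cpu_to_le16(conn->handle)`. `struct hci_cp_set_conn_encrypt cp;` is also declared after the `del_timer()` statement, so move both declarations to the top of the block. The `if((conn) && ...)` spacing and the opening brace on its own line do not follow kernel coding style.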
@@ -216,6 +232,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
conn->power_save = 1;
conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+ conn->encrypt_timeout = HCI_ENCRYPTION_TIMEOUT;
switch (type) {
case ACL_LINK:
@@ -245,6 +262,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn);
setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
+ setup_timer(&conn->encrypt_timer, hci_conn_encryption, (unsigned long)conn);
atomic_set(&conn->refcnt, 0);
@@ -275,6 +293,8 @@ int hci_conn_del(struct hci_conn *conn)
del_timer(&conn->disc_timer);
+ del_timer(&conn->encrypt_timer);
+
if (conn->type == ACL_LINK) {
struct hci_conn *sco = conn->link;
if (sco)
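Review bot: `del_timer(&conn->encrypt_timer)` in `hci_conn_del()` does not wait for a callback that is already running, and `hci_conn_encryption()` dereferences `conn->hdev` and sends a command. If the timer fires while the connection is being torn down, the callback can run against a connection that is being freed. Use `del_timer_sync()` where the calling context allows it, or otherwise make sure the callback cannot outlive the `hci_conn`.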
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 92654a3..1a6c668 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -659,7 +659,7 @@ static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
if (!status)
return;
-
+
cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
if (!cp)
return;
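Review bot: This hunk in `hci_cs_set_conn_encrypt()` only replaces one blank line with another, so it changes nothing but whitespace. Drop it, and check the `+` line for trailing whitespace before resending.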
@@ -1103,14 +1103,15 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
{
struct hci_ev_encrypt_change *ev = (void *) skb->data;
struct hci_conn *conn;
-
+ unsigned long timeo;
BT_DBG("%s status %d", hdev->name, ev->status);
hci_dev_lock(hdev);
-
+
conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
if (conn) {
if (!ev->status) {
+ del_timer(&conn->encrypt_timer);
if (ev->encrypt) {
/* Encryption implies authentication */
conn->link_mode |= HCI_LM_AUTH;
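Review bot: `del_timer(&conn->encrypt_timer)` is called only under `if (!ev->status)`, so an Encrypt Change that arrives with any other error leaves the retry timer armed. Cancel the timer for every status except the collision case. The `-`/`+` pair after `hci_dev_lock(hdev);` is a whitespace-only change and should go, and `unsigned long timeo;` should keep a blank line between the declarations and `BT_DBG()`.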
@@ -1118,6 +1119,13 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
} else
conn->link_mode &= ~HCI_LM_ENCRYPT;
}
+ else if(ev->status == 0x23)
+ {
+ BT_DBG("LMP transactioon collision happened, we need to wait");
+ timeo = msecs_to_jiffies(conn->encrypt_timeout);
+ mod_timer(&conn->encrypt_timer, jiffies + timeo);
+ goto done;
+ }
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
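Review bot: The `else if(ev->status == 0x23)` branch uses a bare number and applies to every connection regardless of role, although the description limits the problem to the case where the local device is slave. Add a named constant for the LMP Error Transaction Collision status and check the role before deferring. `transactioon` in the `BT_DBG()` string is a typo, and the missing space after `if` and the brace on its own line do not follow kernel coding style.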
@@ -1130,7 +1138,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
} else
hci_encrypt_cfm(conn, ev->status, ev->encrypt);
}
-
+done:
hci_dev_unlock(hdev);
}
--
1.7.0.4
[-- Attachment #3: 0001-Service-discovery-collision-after-bonding-handling.patch --]
[-- Type: application/octet-stream, Size: 1288 bytes --]
From aa3eb3b1ad7687e16b65bc7d1be68b06e14e6e9d Mon Sep 17 00:00:00 2001
From: mohanan <rajmohan.mohanan@intel.com>
Date: Fri, 10 Feb 2012 10:16:21 +0530
Subject: [PATCH] Service discovery collision after bonding handling
Change-Id: I0818451eb3cbcf64b5335e2ae624e6a872d86d34
---
src/device.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/src/device.c b/src/device.c
index 5328db9..3793cb1 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2020,6 +2020,7 @@ void device_bonding_complete(struct btd_device *device, uint8_t status)
* before SDP. This is due to potential IOP issues if the other
* end starts doing SDP at the same time as us */
if (bonding) {
+ #if 0
/* If we are initiators remove any discovery timer and just
* start discovering services directly */
if (device->discov_timer) {
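Review bot: The `#if 0` added inside `if (bonding)` leaves the old initiator path in the tree as dead code and indents a preprocessor directive inside the block. If the immediate browse is no longer wanted, delete the old lines outright and describe the behaviour change in the commit message.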
@@ -2029,7 +2030,13 @@ void device_bonding_complete(struct btd_device *device, uint8_t status)
device_browse(device, bonding->conn, bonding->msg,
NULL, FALSE);
-
+ #else
+ debug("Service discovery started");
+ device->discov_timer = g_timeout_add(
+ 1000,
+ start_discovery,
+ device);
+ #endif
bonding_request_free(bonding);
} else {
if (!device->browse && !device->discov_timer &&
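Review bot: The new `#else` branch assigns `device->discov_timer = g_timeout_add(...)` without first removing a timer that may already be set, which the disabled code handled with its `if (device->discov_timer)` check; an existing source would be overwritten and left running. The old path also passed `bonding->conn` and `bonding->msg` to `device_browse()`, while `start_discovery` receives only `device`, so the pending bonding request is no longer tied to the browse before `bonding_request_free(bonding)` runs. The literal `1000` deserves a named constant, and `debug("Service discovery started")` is logged when the timer is armed, not when discovery starts.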
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: LMP transaction collision at Set encryption
2012-02-13 6:22 LMP transaction collision at Set encryption Mohanan, Rajmohan
@ 2012-02-13 7:28 ` Marcel Holtmann
2012-02-13 10:16 ` Mohanan, Rajmohan
0 siblings, 1 reply; 4+ messages in thread
From: Marcel Holtmann @ 2012-02-13 7:28 UTC (permalink / raw)
To: Mohanan, Rajmohan; +Cc: linux-bluetooth@vger.kernel.org, padovan@profusion.mobi
Hi Rajmohan,
<snip>
> I'm attaching patch for above two issues.
>
> Please review it and let me know the feedback.
please send one patch per email. That is what git format-patch and git
send-email are for.
The commit message needs to have a clear explanation of the issue and
how you are fixing it. Including hcidump log is a good idea as well in
these cases where you have some protocol issues.
Patches need to be signed-off-by and should not contain change-id (that
is Android Gerrit stuff).
Also patches need to be against the latest bluetooth-next tree.
Userspace patches should not contain signed-off-by and also no change-id
here as well.
They need to be against latest upstream and #if hacking is not allowed of
course.
Regards
Marcel
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: LMP transaction collision at Set encryption
2012-02-13 7:28 ` Marcel Holtmann
@ 2012-02-13 10:16 ` Mohanan, Rajmohan
2012-02-13 10:41 ` Marcel Holtmann
0 siblings, 1 reply; 4+ messages in thread
From: Mohanan, Rajmohan @ 2012-02-13 10:16 UTC (permalink / raw)
To: Marcel Holtmann; +Cc: linux-bluetooth@vger.kernel.org, padovan@profusion.mobi
[-- Attachment #1: Type: text/plain, Size: 1574 bytes --]
Hi Marcel,
I'm attaching the patch for the LMP transaction collision.
I could not create the patch according to the latest Bluez tree due to project constraints. Please review the patch. I have added the hcidump also.
Regards
Rajmohan
[-- Attachment #2: 0001-LMP-transaction-collision-at-Set-encryption.patch --]
[-- Type: application/octet-stream, Size: 16003 bytes --]
From fd5932239bb33d5be2dcfd50bc348adb0deeb74b Mon Sep 17 00:00:00 2001
From: mohanan <rajmohan.mohanan@intel.com>
Date: Mon, 13 Feb 2012 14:48:49 +0530
Subject: [PATCH] LMP transaction collision at Set encryption
ISSUE:
1. Started pairing from my device (DUT) to a remote device (Lenovo T500). After successful bonding, bluez sends device discovery on the same ACL connection created prior to bonding.
2. DUT role changed to slave.
3. From the host, on sending Set Connection Encryption, getting LMP Error Transaction Collision as the status of the encryption command sent by the DUT (slave). (Remote guy who is a master has also initiated Set encryption.)
4. In between, bluez has initiated an SDP search after the bonding process completed (device_bonding_complete()).
5. From the encryption change event (event status is 0x23 (LMP transaction collision)), bluez is disconnecting l2cap and then the acl link.
We are not able to find the services of the remote device because application written in spite of service discovery has initiated after bonding process.
FIX:
Made changes in hci_event.c for solving LMP Transaction collision.
When we get an Encrypt change event with the error code LMP transaction collision, we ignore the change event, because the Encrypt change from the master will be processed and we will get an encrypt change event with success the second time.
If we are not getting an Encrypt change event from the master, we send Set encryption again from the slave (because we already sent a set encryption which resulted in a collision) after a 1 second delay.
If we get an encrypt change event from the master after the collision event, then we delete the timer and process it normally.
HCIDUMP:
HCI sniffer - Bluetooth packet analyzer ver 1.42
device: hci0 snap_len: 1028 filter: 0xffffffff
2004-01-01 00:24:28.201531 < HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr C4:17:FE:F5:74:DF ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
Packet type: DM1 DM3 DM5 DH1 DH3 DH5
2004-01-01 00:24:28.214399 > HCI Event: Command Status (0x0f) plen 4
Create Connection (0x01|0x0005) status 0x00 ncmd 1
2004-01-01 00:24:33.329983 > HCI Event: Connect Complete (0x03) plen 11
status 0x04 handle 65535 bdaddr C4:17:FE:F5:74:DF type ACL encrypt 0x00
Error: Page Timeout
2004-01-01 00:24:45.458623 < HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr C4:17:FE:F5:74:DF ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
Packet type: DM1 DM3 DM5 DH1 DH3 DH5
2004-01-01 00:24:45.466521 > HCI Event: Command Status (0x0f) plen 4
Create Connection (0x01|0x0005) status 0x00 ncmd 1
2004-01-01 00:24:47.052369 > HCI Event: Role Change (0x12) plen 8
status 0x00 bdaddr C4:17:FE:F5:74:DF role 0x01
Role: Slave
2004-01-01 00:24:47.213870 > HCI Event: Connect Complete (0x03) plen 11
status 0x00 handle 256 bdaddr C4:17:FE:F5:74:DF type ACL encrypt 0x00
2004-01-01 00:24:47.214457 < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
handle 256
2004-01-01 00:24:47.234339 > HCI Event: Max Slots Change (0x1b) plen 3
handle 256 slots 5
2004-01-01 00:24:47.234397 > HCI Event: Command Status (0x0f) plen 4
Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
2004-01-01 00:24:47.234405 > HCI Event: Read Remote Supported Features (0x0b) plen 11
status 0x00 handle 256
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x83
2004-01-01 00:24:47.234917 < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
handle 256 page 1
2004-01-01 00:24:47.236452 > HCI Event: Command Status (0x0f) plen 4
Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
2004-01-01 00:24:47.244773 > HCI Event: Read Remote Extended Features (0x23) plen 13
status 0x00 handle 256 page 1 max 0
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
2004-01-01 00:24:47.244923 < HCI Command: Authentication Requested (0x01|0x0011) plen 2
handle 256
2004-01-01 00:24:47.246853 > HCI Event: Command Status (0x0f) plen 4
Authentication Requested (0x01|0x0011) status 0x00 ncmd 1
2004-01-01 00:24:47.246882 > HCI Event: Link Key Request (0x17) plen 6
bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:47.264148 < HCI Command: Remote Name Request (0x01|0x0019) plen 10
bdaddr C4:17:FE:F5:74:DF mode 2 clkoffset 0x0000
2004-01-01 00:24:47.266043 > HCI Event: Command Status (0x0f) plen 4
Remote Name Request (0x01|0x0019) status 0x00 ncmd 1
2004-01-01 00:24:47.270761 < HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:47.272375 > HCI Event: Command Complete (0x0e) plen 10
Link Key Request Negative Reply (0x01|0x000c) ncmd 1
status 0x00 bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:47.272536 > HCI Event: IO Capability Request (0x31) plen 6
bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:47.280195 < HCI Command: IO Capability Request Reply (0x01|0x002b) plen 9
bdaddr C4:17:FE:F5:74:DF capability 0x01 oob 0x00 auth 0x03
Capability: DisplayYesNo (OOB data not present)
Authentication: Dedicated Bonding (MITM Protection)
2004-01-01 00:24:47.282037 > HCI Event: Command Complete (0x0e) plen 10
IO Capability Request Reply (0x01|0x002b) ncmd 1
status 0x00 bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:48.026091 > HCI Event: IO Capability Response (0x32) plen 9
bdaddr C4:17:FE:F5:74:DF capability 0x01 oob 0x00 auth 0x05
Capability: DisplayYesNo (OOB data not present)
Authentication: General Bonding (MITM Protection)
2004-01-01 00:24:48.027156 > HCI Event: Remote Name Req Complete (0x07) plen 255
status 0x00 bdaddr C4:17:FE:F5:74:DF name 'ICHAUHAX-MOBL'
2004-01-01 00:24:49.023901 > HCI Event: User Confirmation Request (0x33) plen 10
bdaddr C4:17:FE:F5:74:DF passkey 733849
2004-01-01 00:24:53.594371 < HCI Command: User Confirmation Request Reply (0x01|0x002c) plen 6
bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:53.596301 > HCI Event: Command Complete (0x0e) plen 10
User Confirmation Request Reply (0x01|0x002c) ncmd 1
status 0x00 bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:58.224051 > HCI Event: Simple Pairing Complete (0x36) plen 7
status 0x00 bdaddr C4:17:FE:F5:74:DF
2004-01-01 00:24:58.329211 > HCI Event: Link Key Notification (0x18) plen 23
bdaddr C4:17:FE:F5:74:DF key 9DAA63E15700DAC5E321CFA90C251CAC type 5
Type: Authenticated Combination Key
2004-01-01 00:24:58.329246 > HCI Event: Auth Complete (0x06) plen 3
status 0x00 handle 256
2004-01-01 00:24:58.329536 < HCI Command: Set Connection Encryption (0x01|0x0013) plen 3
handle 256 encrypt 0x01
2004-01-01 00:24:58.330803 > HCI Event: Command Status (0x0f) plen 4
Set Connection Encryption (0x01|0x0013) status 0x00 ncmd 1
2004-01-01 00:24:58.331115 > HCI Event: Encrypt Change (0x08) plen 4
status 0x23 handle 256 encrypt 0x00
Error: LMP Error Transaction Collision
2004-01-01 00:24:58.334127 < HCI Command: Disconnect (0x01|0x0006) plen 3
handle 256 reason 0x13
Reason: Remote User Terminated Connection
2004-01-01 00:24:58.335829 > HCI Event: Command Status (0x0f) plen 4
Disconnect (0x01|0x0006) status 0x00 ncmd 1
2004-01-01 00:24:58.505066 > HCI Event: Disconn Complete (0x05) plen 4
status 0x00 handle 256 reason 0x16
Reason: Connection Terminated by Local Host
2004-01-01 00:25:01.005023 < HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr C4:17:FE:F5:74:DF ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
Packet type: DM1 DM3 DM5 DH1 DH3 DH5
2004-01-01 00:25:01.012243 > HCI Event: Command Status (0x0f) plen 4
Create Connection (0x01|0x0005) status 0x00 ncmd 1
2004-01-01 00:25:04.143950 > HCI Event: Role Change (0x12) plen 8
status 0x00 bdaddr C4:17:FE:F5:74:DF role 0x01
Role: Slave
2004-01-01 00:25:04.302687 > HCI Event: Connect Complete (0x03) plen 11
status 0x00 handle 256 bdaddr C4:17:FE:F5:74:DF type ACL encrypt 0x00
2004-01-01 00:25:04.302884 < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
handle 256
2004-01-01 00:25:04.309310 > HCI Event: Command Status (0x0f) plen 4
Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
2004-01-01 00:25:04.309339 > HCI Event: Max Slots Change (0x1b) plen 3
handle 256 slots 5
2004-01-01 00:25:04.316336 > HCI Event: Read Remote Supported Features (0x0b) plen 11
status 0x00 handle 256
Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x83
2004-01-01 00:25:04.316805 < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
handle 256 page 1
2004-01-01 00:25:04.318293 > HCI Event: Command Status (0x0f) plen 4
Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
2004-01-01 00:25:04.323696 > HCI Event: Read Remote Extended Features (0x23) plen 13
status 0x00 handle 256 page 1 max 0
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
2004-01-01 00:25:04.323868 < ACL data: handle 256 flags 0x00 dlen 10
L2CAP(s): Info req: type 2
2004-01-01 00:25:04.342133 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 256 packets 1
2004-01-01 00:25:04.347449 > ACL data: handle 256 flags 0x02 dlen 12
L2CAP(s): Info rsp: type 2 result 1
Not supported
2004-01-01 00:25:04.347614 < ACL data: handle 256 flags 0x00 dlen 10
L2CAP(s): Info req: type 3
2004-01-01 00:25:04.364833 < HCI Command: Remote Name Request (0x01|0x0019) plen 10
bdaddr C4:17:FE:F5:74:DF mode 2 clkoffset 0x0000
2004-01-01 00:25:04.366772 > HCI Event: Command Status (0x0f) plen 4
Remote Name Request (0x01|0x0019) status 0x00 ncmd 1
2004-01-01 00:25:10.563930 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 256 packets 1
2004-01-01 00:25:10.565921 > ACL data: handle 256 flags 0x02 dlen 12
L2CAP(s): Info rsp: type 3 result 1
Not supported
2004-01-01 00:25:10.566069 < ACL data: handle 256 flags 0x00 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
2004-01-01 00:25:40.756957 > HCI Event: Remote Name Req Complete (0x07) plen 255
status 0x22 bdaddr C4:17:FE:F5:74:DF name ''
Error: LMP Response Timeout
2004-01-01 00:25:40.756993 > HCI Event: Disconn Complete (0x05) plen 4
status 0x00 handle 256 reason 0x22
Reason: LMP Response Timeout
Signed-off-by: mohanan <rajmohan.mohanan@intel.com>
---
include/net/bluetooth/hci.h | 1 +
include/net/bluetooth/hci_core.h | 11 ++++++-----
net/bluetooth/hci_conn.c | 22 +++++++++++++++++++++-
net/bluetooth/hci_event.c | 16 ++++++++++------
4 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 22ddaf3..e2eefdd 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -108,6 +108,7 @@ enum {
#define HCI_PAIRING_TIMEOUT (60000) /* 60 seconds */
#define HCI_IDLE_TIMEOUT (6000) /* 6 seconds */
#define HCI_INIT_TIMEOUT (10000) /* 10 seconds */
+#define HCI_ENCRYPTION_TIMEOUT (1000) /*1 seconds*/
/* HCI data types */
#define HCI_COMMAND_PKT 0x01
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 7a1c03d..e426786 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -197,10 +197,11 @@ struct hci_conn {
__u16 pkt_type;
__u16 link_policy;
__u32 link_mode;
- __u8 auth_type;
- __u8 sec_level;
- __u8 power_save;
- __u16 disc_timeout;
+ __u8 auth_type;
+ __u8 sec_level;
+ __u8 power_save;
+ __u16 disc_timeout;
+ __u16 encrypt_timeout;
unsigned long pend;
unsigned int sent;
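Review bot: In `struct hci_conn`, `auth_type`, `sec_level`, `power_save` and `disc_timeout` are removed and re-added with different whitespace only. Keep those four lines untouched so the hunk consists of the single added member `__u16 encrypt_timeout;`.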
@@ -209,7 +210,7 @@ struct hci_conn {
struct timer_list disc_timer;
struct timer_list idle_timer;
-
+ struct timer_list encrypt_timer;
struct work_struct work_add;
struct work_struct work_del;
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 2f4d30f..22a6df0 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -195,7 +195,23 @@ static void hci_conn_idle(unsigned long arg)
hci_conn_enter_sniff_mode(conn);
}
+static void hci_conn_encryption(unsigned long arg)
+{
+ struct hci_conn *conn = (void *) arg;
+
+ BT_DBG("Encryption status check");
+ if((conn) && (test_and_clear_bit(HCI_CONN_ENCRYPT_PEND,&conn->pend)))
+ {
+ struct hci_dev *hdev = conn->hdev;
+ del_timer(&conn->encrypt_timer);
+ struct hci_cp_set_conn_encrypt cp;
+ cp.handle = conn->handle;
+ cp.encrypt = 0x01;
+ hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT,
+ sizeof(cp), &cp);
+ }
+}
struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
__u16 pkt_type, bdaddr_t *dst)
{
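Review bot: `hci_conn_encryption()` clears `HCI_CONN_ENCRYPT_PEND` with `test_and_clear_bit()` and then resends Set Connection Encryption, so the retried request is in flight with the pending bit no longer set. From the lines shown, if that retry collides as well, the `0x23` branch in `hci_encrypt_change_evt()` re-arms the timer, the callback finds the bit already clear and does nothing, and no confirmation is ever delivered. Test the bit without clearing it, and give the retry an explicit failure path. The `del_timer()` call is unnecessary inside the timer's own callback.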
@@ -216,6 +232,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
conn->power_save = 1;
conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+ conn->encrypt_timeout = HCI_ENCRYPTION_TIMEOUT;
switch (type) {
case ACL_LINK:
@@ -245,6 +262,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type,
setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn);
setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
+ setup_timer(&conn->encrypt_timer, hci_conn_encryption, (unsigned long)conn);
atomic_set(&conn->refcnt, 0);
@@ -275,6 +293,8 @@ int hci_conn_del(struct hci_conn *conn)
del_timer(&conn->disc_timer);
+ del_timer(&conn->encrypt_timer);
+
if (conn->type == ACL_LINK) {
struct hci_conn *sco = conn->link;
if (sco)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index f7229d2..75719b4 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1,6 +1,5 @@
/*
BlueZ - Bluetooth protocol stack for Linux
- Copyright (C) 2012 Intel Mobile Communications GmbH
Copyright (C) 2000-2001 Qualcomm Incorporated
Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
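Review bot: Removing `Copyright (C) 2012 Intel Mobile Communications GmbH` from the file header is unrelated to the collision handling and is not explained in the commit message. Drop this hunk; a copyright line should only change in a patch of its own with a stated reason.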
@@ -21,9 +20,6 @@
ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
SOFTWARE IS DISCLAIMED.
-
-notes:
- 18-Jan-2012 Added handling for hci flowspec complete event.
*/
/* Bluetooth HCI event handling. */
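Review bot: Deleting the `notes:` entry about the hci flowspec complete event is a second unrelated header change, which suggests the diff was generated against a tree that differs from the one the patch is meant for. Regenerate the patch against the target tree so that only the encryption changes appear.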
@@ -1107,7 +1103,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
{
struct hci_ev_encrypt_change *ev = (void *) skb->data;
struct hci_conn *conn;
-
+ unsigned long timeo;
BT_DBG("%s status %d", hdev->name, ev->status);
hci_dev_lock(hdev);
@@ -1115,6 +1111,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
if (conn) {
if (!ev->status) {
+ del_timer(&conn->encrypt_timer);
if (ev->encrypt) {
/* Encryption implies authentication */
conn->link_mode |= HCI_LM_AUTH;
@@ -1122,6 +1119,13 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
} else
conn->link_mode &= ~HCI_LM_ENCRYPT;
}
+ else if(ev->status == 0x23)
+ {
+ BT_DBG("LMP transactioon collision happened, we need to wait");
+ timeo = msecs_to_jiffies(conn->encrypt_timeout);
+ mod_timer(&conn->encrypt_timer, jiffies + timeo);
+ goto done;
+ }
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
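Review bot: `goto done` in the `0x23` branch skips both `clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)` and the `hci_encrypt_cfm()` call further down, so upper layers waiting on the encryption result hear nothing until a later Encrypt Change arrives. State that in a comment above the branch, and make sure the timer path reports a failure to those layers when no such event follows.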
@@ -1134,7 +1138,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
} else
hci_encrypt_cfm(conn, ev->status, ev->encrypt);
}
-
+done:
hci_dev_unlock(hdev);
}
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
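The failure signature in the hcidump above (an Encrypt Change event with status 0x23 followed by a host-initiated Disconnect on the same handle) can be searched for mechanically in a capture. The script below is an added example, not part of the original message or of BlueZ; the function names, the 2-second window and the second trace are assumptions made for illustration.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ([<>]) (.+)$")
FIELD = re.compile(r"\b(status|handle|encrypt|reason) (0x[0-9a-fA-F]+|\d+)\b")
LMP_TRANSACTION_COLLISION = 0x23  # status seen in the Encrypt Change event

# Excerpt of the hcidump quoted in the commit message above.
TRACE_FROM_REPORT = """\
2004-01-01 00:24:58.329536 < HCI Command: Set Connection Encryption (0x01|0x0013) plen 3
handle 256 encrypt 0x01
2004-01-01 00:24:58.330803 > HCI Event: Command Status (0x0f) plen 4
Set Connection Encryption (0x01|0x0013) status 0x00 ncmd 1
2004-01-01 00:24:58.331115 > HCI Event: Encrypt Change (0x08) plen 4
status 0x23 handle 256 encrypt 0x00
Error: LMP Error Transaction Collision
2004-01-01 00:24:58.334127 < HCI Command: Disconnect (0x01|0x0006) plen 3
handle 256 reason 0x13
Reason: Remote User Terminated Connection
"""

# Constructed trace (not from the thread): the peer's own encryption
# procedure completes shortly after the collision and the link stays up.
TRACE_CONSTRUCTED = """\
2004-01-01 00:30:00.000000 > HCI Event: Encrypt Change (0x08) plen 4
status 0x23 handle 256 encrypt 0x00
2004-01-01 00:30:00.040000 > HCI Event: Encrypt Change (0x08) plen 4
status 0x00 handle 256 encrypt 0x01
"""


def parse_records(text):
    """Group hcidump text into records: a timestamped header plus its detail lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({
                "ts": m.group(1),
                "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"),
                "dir": m.group(2),       # '<' host to controller, '>' controller to host
                "name": m.group(3),
                "fields": {},
            })
        elif records:
            for key, val in FIELD.findall(line):
                num = int(val, 16) if val.lower().startswith("0x") else int(val)
                records[-1]["fields"].setdefault(key, num)
    return records


def classify_collisions(records, window_s=2.0):
    """Return (timestamp, handle, outcome) for each Encrypt Change with status 0x23.

    outcome is 'recovered' if encryption later succeeds on the same handle,
    'host_disconnected' if the host tears the link down first, else 'unresolved'.
    window_s is an assumed look-ahead, not a value taken from the thread.
    """
    findings = []
    for i, rec in enumerate(records):
        fields = rec["fields"]
        handle = fields.get("handle")
        if not rec["name"].startswith("HCI Event: Encrypt Change"):
            continue
        if fields.get("status") != LMP_TRANSACTION_COLLISION or handle is None:
            continue
        outcome = "unresolved"
        for nxt in records[i + 1:]:
            if (nxt["time"] - rec["time"]).total_seconds() > window_s:
                break
            nf = nxt["fields"]
            if nf.get("handle") != handle:
                continue
            if (nxt["name"].startswith("HCI Event: Encrypt Change")
                    and nf.get("status") == 0 and nf.get("encrypt")):
                outcome = "recovered"
                break
            if nxt["dir"] == "<" and nxt["name"].startswith("HCI Command: Disconnect"):
                outcome = "host_disconnected"
                break
        findings.append((rec["ts"], handle, outcome))
    return findings


if __name__ == "__main__":
    for label, trace in (("report", TRACE_FROM_REPORT),
                         ("constructed", TRACE_CONSTRUCTED)):
        print(label, classify_collisions(parse_records(trace)))
```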
* RE: LMP transaction collision at Set encryption
2012-02-13 10:16 ` Mohanan, Rajmohan
@ 2012-02-13 10:41 ` Marcel Holtmann
0 siblings, 0 replies; 4+ messages in thread
From: Marcel Holtmann @ 2012-02-13 10:41 UTC (permalink / raw)
To: Mohanan, Rajmohan; +Cc: linux-bluetooth@vger.kernel.org, padovan@profusion.mobi
Hi Rajmohan,
> I'm attaching the patch for the LMP transaction collision.
> I could not create the patch according to the latest Bluez tree due to project constraints. Please review the patch. I have added the hcidump also.
please use git format-patch and then git send-email. If you have
problems with Exchange, then just point it to linux.intel.com and it
will work smoothly.
Reviewing attached patches is not something we do here. All patches need
to be inline.
Regards
Marcel
^ permalink raw reply [flat|nested] 4+ messages in thread