[PATCH 0/2] Bluetooth: Fix LE connection timeout handling

[PATCH 0/2] Bluetooth: Fix LE connection timeout handling

[johan.hedberg]

Hi,

This patch set fixes LE connection timeout handling when advertising is
enabled and triggering an LE Create Connection command for the
connection creation.

Johan

----------------------------------------------------------------
Johan Hedberg (2):
      Bluetooth: Fix LE connection timeout deadlock
      Bluetooth: Fix check for direct advertising

 net/bluetooth/hci_conn.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH 1/2] Bluetooth: Fix LE connection timeout deadlock

[johan.hedberg]

From: Johan Hedberg <johan.hedberg@intel.com>

The le_conn_timeout() may call hci_le_conn_failed() which in turn may
call hci_conn_del(). Trying to use the _sync variant for cancelling the
conn timeout from hci_conn_del() could therefore result in a deadlock.
This patch converts hci_conn_del() to use the non-sync variant so the
deadlock is not possible.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
 net/bluetooth/hci_conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 6a3225bf7bac..74b8e2421e96 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -518,7 +518,7 @@ int hci_conn_del(struct hci_conn *conn)
 		/* Unacked frames */
 		hdev->acl_cnt += conn->sent;
 	} else if (conn->type == LE_LINK) {
-		cancel_delayed_work_sync(&conn->le_conn_timeout);
+		cancel_delayed_work(&conn->le_conn_timeout);
 
 		if (hdev->le_pkts)
 			hdev->le_cnt += conn->sent;
-- 
1.9.3

[PATCH 2/2] Bluetooth: Fix check for direct advertising

[johan.hedberg]

From: Johan Hedberg <johan.hedberg@intel.com>

These days we allow simultaneous LE scanning and advertising. Checking
for whether advertising is enabled or not is therefore not a reliable
way to determine whether directed advertising was used to trigger the
connection creation. The appropriate place to check (instead of the hdev
context) is the connection role that's stored in the hci_conn. This
patch fixes such a check in le_conn_timeout() which could otherwise lead
to incorrect HCI commands being sent.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
 net/bluetooth/hci_conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 74b8e2421e96..96887ae8375b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -416,7 +416,7 @@ static void le_conn_timeout(struct work_struct *work)
 	 * happen with broken hardware or if low duty cycle was used
 	 * (which doesn't have a timeout of its own).
 	 */
-	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
+	if (conn->role == HCI_ROLE_SLAVE) {
 		u8 enable = 0x00;
 		hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 			     &enable);
-- 
1.9.3

Re: [PATCH 0/2] Bluetooth: Fix LE connection timeout handling

[Marcel Holtmann]

Hi Johan,

> This patch set fixes LE connection timeout handling when advertising is
> enabled and triggering an LE Create Connection command for the
> connection creation.
> 
> Johan
> 
> ----------------------------------------------------------------
> Johan Hedberg (2):
>      Bluetooth: Fix LE connection timeout deadlock
>      Bluetooth: Fix check for direct advertising
> 
> net/bluetooth/hci_conn.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

both patches have been applied to bluetooth-next tree.

Regards

Marcel