* Re: [PATCH] Add INdT developers in AUTHORS
From: Johan Hedberg @ 2010-10-15 13:56 UTC (permalink / raw)
To: Claudio Takahasi; +Cc: linux-bluetooth
In-Reply-To: <1287149783-15672-1-git-send-email-claudio.takahasi@openbossa.org>
Hi Claudio,
On Fri, Oct 15, 2010, Claudio Takahasi wrote:
> ---
> AUTHORS | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
Thanks. The patch has been pushed upstream.
Johan
* Re: [PATCH] TODO: Define attribute server API
From: Johan Hedberg @ 2010-10-15 13:55 UTC (permalink / raw)
To: Claudio Takahasi; +Cc: linux-bluetooth
In-Reply-To: <1287147783-14998-2-git-send-email-claudio.takahasi@openbossa.org>
Hi Claudio,
On Fri, Oct 15, 2010, Claudio Takahasi wrote:
> ---
> TODO | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
This one's also upstream.
Johan
* Re: [PATCH] TODO: Avoid Characteristic discovery for non connectable device
From: Johan Hedberg @ 2010-10-15 13:55 UTC (permalink / raw)
To: Claudio Takahasi; +Cc: linux-bluetooth
In-Reply-To: <1287147783-14998-1-git-send-email-claudio.takahasi@openbossa.org>
Hi Claudio,
On Fri, Oct 15, 2010, Claudio Takahasi wrote:
> ---
> TODO | 13 +++++++++++--
> 1 files changed, 11 insertions(+), 2 deletions(-)
Pushed upstream.
Johan
* [PATCH] Add INdT developers in AUTHORS
From: Claudio Takahasi @ 2010-10-15 13:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Claudio Takahasi
---
AUTHORS | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index e063569..15351a3 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -50,3 +50,6 @@ Santiago Carot-Nemesio <scarot@libresoft.es>
José Antonio Santos Cadenas <jcaden@libresoft.es>
Francisco Alecrim <francisco.alecrim@openbossa.org>
Daniel Orstadius <daniel.orstadius@gmail.com>
+Anderson Briglia <anderson.briglia@openbossa.org>
+Anderson Lizardo <anderson.lizardo@openbossa.org>
+Bruna Moreira <bruna.moreira@openbossa.org>
--
1.7.3.1
* [PATCH] TODO: Define attribute server API
From: Claudio Takahasi @ 2010-10-15 13:03 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Claudio Takahasi
In-Reply-To: <1287147783-14998-1-git-send-email-claudio.takahasi@openbossa.org>
---
TODO | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/TODO b/TODO
index 1d4e789..b4682e8 100644
--- a/TODO
+++ b/TODO
@@ -129,3 +129,11 @@ ATT/GATT
Priority: Low
Complexity: C2
+
+- Define attribute server API. External applications needs to register,
+ change attributes and to be notified about changes. Example: Proximity,
+ Time and Alert Profiles. "Local Service hierarchy" in the attribute-api
+ needs to be proposed and a RFC shall be sent to the ML.
+
+ Priority: Low
+ Complexity: C2
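Review bot: wording in the new TODO item: "External applications needs to register" should read "need to register", and "a RFC" should be "an RFC"; it would also help to say which attribute-api document the proposed "Local Service hierarchy" section belongs to, so the RFC has a concrete target.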
--
1.7.3.1
* [PATCH] TODO: Avoid Characteristic discovery for non connectable device
From: Claudio Takahasi @ 2010-10-15 13:03 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Claudio Takahasi
---
TODO | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/TODO b/TODO
index 2c17c6b..1d4e789 100644
--- a/TODO
+++ b/TODO
@@ -14,8 +14,17 @@ Background
Higher complexity tasks should be refined into several lower complexity tasks
once the task is better understood.
-LE Generic Access Profile
-=========================
+Low Energy
+==========
+
+- Avoid Characteristic discovery for non connectable devices. Proper parsing
+ of LE Advertising Report Event is missing. Event_Type field needs to be
+ extracted and its value shall be considered before to start the LE
+ connection on the channel 4. Characteristic discovery should not be
+ started for non connectable devices.
+
+ Priority: Medium
+ Complexity: C2
- Device Name Characteristic is a GAP characteristic for Low Energy. This
characteristic shall be integrated/used in the discovery procedure. The
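Review bot: the item says Event_Type "shall be considered" but does not say which values must block the connection; listing the non-connectable advertising event types (at least ADV_NONCONN_IND and ADV_SCAN_IND, and SCAN_RSP, which is not an advertisement at all) would make the task actionable. Minor wording: "before to start" should be "before starting", and "channel 4" is clearer as "the ATT fixed channel (L2CAP CID 0x0004)" if that is what is meant.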
--
1.7.3.1
* Re: [PATCH] Type conversion in read and write obex streams
From: Johan Hedberg @ 2010-10-15 11:52 UTC (permalink / raw)
To: Dmitriy Paliy; +Cc: linux-bluetooth
In-Reply-To: <1287143179-22136-2-git-send-email-dmitriy.paliy@nokia.com>
Hi Dmitriy,
On Fri, Oct 15, 2010, Dmitriy Paliy wrote:
> Integer types in obex_write_stream and obex_read_stream shall be the
> same as those returned by read and write function prototypes of
> obex_mime_type_driver.
> ---
> src/obex.c | 8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)
Thanks. Pushed upstream.
Johan
* [PATCH] Type conversion in read and write obex streams
From: Dmitriy Paliy @ 2010-10-15 11:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Dmitriy Paliy
In-Reply-To: <1287143179-22136-1-git-send-email-dmitriy.paliy@nokia.com>
Integer types in obex_write_stream and obex_read_stream shall be the
same as those returned by read and write function prototypes of
obex_mime_type_driver.
---
src/obex.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/obex.c b/src/obex.c
index adfcc95..f37cd90 100644
--- a/src/obex.c
+++ b/src/obex.c
@@ -555,7 +555,7 @@ static int obex_read_stream(struct obex_session *os, obex_t *obex,
obex_object_t *obj)
{
int size;
- int32_t len = 0;
+ ssize_t len = 0;
const uint8_t *buffer;
DBG("name=%s type=%s rx_mtu=%d file=%p",
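Review bot: `int size;` is left as `int` directly above the now-`ssize_t len`; if `size` holds a stream length that is later compared with or added to `len`, the function mixes signed types of different width. Either make `size` ssize_t as well or add a comment saying why it stays int.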
@@ -596,7 +596,7 @@ static int obex_read_stream(struct obex_session *os, obex_t *obex,
write:
while (os->pending > 0) {
- int w;
+ ssize_t w;
w = os->driver->write(os->object, os->buf + len,
os->pending);
@@ -622,7 +622,7 @@ static int obex_write_stream(struct obex_session *os,
{
obex_headerdata_t hd;
uint8_t *ptr;
- int32_t len;
+ ssize_t len;
unsigned int flags;
uint8_t hi;
@@ -644,7 +644,7 @@ static int obex_write_stream(struct obex_session *os,
len = os->driver->read(os->object, os->buf, os->tx_mtu, &hi);
if (len < 0) {
- error("read(): %s (%d)", strerror(-len), -len);
+ error("read(): %s (%zd)", strerror(-len), -len);
if (len == -EAGAIN)
return len;
else if (len == -ENOSTR)
--
1.7.0.4
* [PATCH 0/1] Type conversion in read and write obex streams
From: Dmitriy Paliy @ 2010-10-15 11:46 UTC (permalink / raw)
To: linux-bluetooth
Hi,
This is to correct the previous patch on the change of int32_t to ssize_t
types. The printing is also fixed.
Br,
Dmitriy
* Re: [PATCH] Type conversion in read and write obex streams
From: Johan Hedberg @ 2010-10-15 11:10 UTC (permalink / raw)
To: Dmitriy Paliy; +Cc: linux-bluetooth
In-Reply-To: <1287138458-10780-1-git-send-email-dmitriy.paliy@nokia.com>
Hi Dmitriy,
On Fri, Oct 15, 2010, Dmitriy Paliy wrote:
> Integer types in obex_write_stream and obex_read_stream shall be the
> same as those returned by read and write function prototypes of
> obex_mime_type_driver.
> ---
> src/obex.c | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
Not good:
src/obex.c: In function ‘obex_write_stream’:
src/obex.c:647: error: format ‘%d’ expects type ‘int’, but argument 3 has type ‘ssize_t’
Always compile-check your patches with ./bootstrap-configure.
The correct format specifier for ssize_t is %zd
Johan
* [PATCH] Type conversion in read and write obex streams
From: Dmitriy Paliy @ 2010-10-15 10:27 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Dmitriy Paliy
Integer types in obex_write_stream and obex_read_stream shall be the
same as those returned by read and write function prototypes of
obex_mime_type_driver.
---
src/obex.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/obex.c b/src/obex.c
index adfcc95..0a0b6b9 100644
--- a/src/obex.c
+++ b/src/obex.c
@@ -555,7 +555,7 @@ static int obex_read_stream(struct obex_session *os, obex_t *obex,
obex_object_t *obj)
{
int size;
- int32_t len = 0;
+ ssize_t len = 0;
const uint8_t *buffer;
DBG("name=%s type=%s rx_mtu=%d file=%p",
@@ -596,7 +596,7 @@ static int obex_read_stream(struct obex_session *os, obex_t *obex,
write:
while (os->pending > 0) {
- int w;
+ ssize_t w;
w = os->driver->write(os->object, os->buf + len,
os->pending);
@@ -622,7 +622,7 @@ static int obex_write_stream(struct obex_session *os,
{
obex_headerdata_t hd;
uint8_t *ptr;
- int32_t len;
+ ssize_t len;
unsigned int flags;
uint8_t hi;
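Review bot: changing `len` to ssize_t here without touching the `error("read(): %s (%d)", strerror(-len), -len)` call further down in obex_write_stream leaves that format string mismatched with its argument (the compile error at src/obex.c:647 quoted in the reply); the specifier needs to become `%zd` in the same patch.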
--
1.7.0.4
* Re: [PATCH] Fix not responding Not Found for filtered vcard-listing
From: Johan Hedberg @ 2010-10-15 9:58 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <1287135959-6605-1-git-send-email-luiz.dentz@gmail.com>
Hi Luiz,
On Fri, Oct 15, 2010, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
>
> In this case entries may be found but they still may not match the filter
> criteria.
> ---
> plugins/pbap.c | 12 ++++++------
> 1 files changed, 6 insertions(+), 6 deletions(-)
Thanks. Pushed upstream.
Johan
* [PATCH] Fix not responding Not Found for filtered vcard-listing
From: Luiz Augusto von Dentz @ 2010-10-15 9:45 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
In this case entries may be found but they still may not match the filter
criteria.
---
plugins/pbap.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/plugins/pbap.c b/plugins/pbap.c
index 13742da..11cb678 100644
--- a/plugins/pbap.c
+++ b/plugins/pbap.c
@@ -398,12 +398,6 @@ static void cache_ready_notify(void *user_data)
goto done;
}
- if (pbap->cache.entries == NULL) {
- pbap->cache.valid = TRUE;
- obex_object_set_io_flags(pbap, G_IO_ERR, -ENOENT);
- return;
- }
-
/*
* Don't free the sorted list content: this list contains
* only the reference for the "real" cache entry.
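Review bot: dropping the `pbap->cache.entries == NULL` early return means the sort-and-filter call below now runs on an empty cache; that is only safe if it accepts a NULL entries list and returns NULL, which the check added in the next hunk then relies on. A one-line comment here stating that the empty case is handled after filtering would make that dependency explicit.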
@@ -412,6 +406,12 @@ static void cache_ready_notify(void *user_data)
pbap->params->searchattrib,
(const char *) pbap->params->searchval);
+ if (sorted == NULL) {
+ pbap->cache.valid = TRUE;
+ obex_object_set_io_flags(pbap, G_IO_ERR, -ENOENT);
+ return;
+ }
+
/* Computing offset considering first entry of the phonebook */
l = g_slist_nth(sorted, pbap->params->liststartoffset);
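Review bot: the `sorted == NULL` test sits before `g_slist_nth(sorted, pbap->params->liststartoffset)`, so a filter that matches nothing no longer reaches the offset computation with an empty list. Note that `pbap->cache.valid = TRUE` is still set before reporting -ENOENT, so the next request reuses the cache rather than rebuilding it; that matches the removed block's behaviour but is worth stating in the commit message.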
--
1.7.1
* Re: [PATCH] Bluetooth: Fix non-SSP auth request for HIGH security level sockets
From: Marcel Holtmann @ 2010-10-15 9:16 UTC (permalink / raw)
To: johan.hedberg; +Cc: linux-bluetooth, Johan Hedberg
In-Reply-To: <1287128769-5078-1-git-send-email-johan.hedberg@gmail.com>
Hi Johan,
> When initiating dedicated bonding a L2CAP raw socket with HIGH security
> level is used. The kernel is supposed to trigger the authentication
> request in this case but this doesn't happen currently for non-SSP
> (pre-2.1) devices. The reason is that the authentication request happens
> in the remote extended features callback which never gets called for
> non-SSP devices. This patch fixes the issue by requesting also
> authentication in the (normal) remote features callback in the case of
> non-SSP devices.
>
> This rule is applied only for HIGH security level which might at first
> seem unintuitive since on the server socket side MEDIUM is already
> enough for authentication. However, for the clients we really want to
> prefer the server side to decide the authentication requirement in most
> cases, and since most client sockets use MEDIUM it's better to be
> avoided on the kernel side for these sockets. The important socket to
> request it for is the dedicated bonding one and that socket uses HIGH
> security level.
>
> The patch is based on the initial investigation and patch proposal from
> Andrei Emeltchenko <endrei.emeltchenko@nokia.com>.
>
> Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
so I had a quick review here on this one. Looks fine to me and it makes
sense.
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
* [PATCH] Bluetooth: Fix non-SSP auth request for HIGH security level sockets
From: johan.hedberg @ 2010-10-15 7:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Johan Hedberg
From: Johan Hedberg <johan.hedberg@nokia.com>
When initiating dedicated bonding a L2CAP raw socket with HIGH security
level is used. The kernel is supposed to trigger the authentication
request in this case but this doesn't happen currently for non-SSP
(pre-2.1) devices. The reason is that the authentication request happens
in the remote extended features callback which never gets called for
non-SSP devices. This patch fixes the issue by requesting also
authentication in the (normal) remote features callback in the case of
non-SSP devices.
This rule is applied only for HIGH security level which might at first
seem unintuitive since on the server socket side MEDIUM is already
enough for authentication. However, for the clients we really want to
prefer the server side to decide the authentication requirement in most
cases, and since most client sockets use MEDIUM it's better to be
avoided on the kernel side for these sockets. The important socket to
request it for is the dedicated bonding one and that socket uses HIGH
security level.
The patch is based on the initial investigation and patch proposal from
Andrei Emeltchenko <endrei.emeltchenko@nokia.com>.
Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
---
net/bluetooth/hci_event.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index bfef5ba..84093b0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1175,6 +1175,12 @@ static inline void hci_remote_features_evt(struct hci_dev *hdev, struct sk_buff
hci_send_cmd(hdev,
HCI_OP_READ_REMOTE_EXT_FEATURES,
sizeof(cp), &cp);
+ } else if (!ev->status && conn->out &&
+ conn->sec_level == BT_SECURITY_HIGH) {
+ struct hci_cp_auth_requested cp;
+ cp.handle = ev->handle;
+ hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
+ sizeof(cp), &cp);
} else {
conn->state = BT_CONNECTED;
hci_proto_connect_cfm(conn, ev->status);
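Review bot: the new `else if` branch returns without the `conn->state = BT_CONNECTED` and `hci_proto_connect_cfm()` calls of the final `else`, so for an outgoing non-SSP HIGH-security connection the connect confirmation must now come from the authentication-complete path; a short comment in the branch saying so would help the next reader. Also, `struct hci_cp_auth_requested cp;` is filled field by field; if the struct ever grows, a `memset` or designated initialiser avoids sending uninitialised stack bytes in the command.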
--
1.7.1
* Re: [PATCH 0/2] Fix regression on suspend on opening
From: Johan Hedberg @ 2010-10-15 7:21 UTC (permalink / raw)
To: Dmitriy Paliy; +Cc: linux-bluetooth
In-Reply-To: <1287125828-5479-1-git-send-email-dmitriy.paliy@nokia.com>
Hi Dmitriy,
On Fri, Oct 15, 2010, Dmitriy Paliy wrote:
> This fixes a regression when doing suspend on opening an obex stream. If
> obex_write_stream returns the length of the buffer, it is treated as an
> error response later on, which is not correct.
>
> Negative values returned by obex_write_stream are error codes, while
> positive ones mean the length of the buffer. Positive values are never
> used afterwards in the code. Therefore, for this reason, and to be
> consistent with obex_read_stream, which also returns only 0, it was
> decided to remove the return of the positive value representing the
> length altogether.
>
> A result of this is also some code cleanup that removes the unnecessary
> return of len when it is zero.
>
> A typo is fixed in the comments as well.
Both patches have been pushed upstream. Thanks. Btw, don't be afraid to
put this kind of explanations in the commit messages themselves since
that info is easier to find in a couple of years time than this cover
letter email.
Johan
* [PATCH 2/2] Code cleanup: unnecessary operation and typo removed
From: Dmitriy Paliy @ 2010-10-15 6:57 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Dmitriy Paliy
In-Reply-To: <1287125828-5479-1-git-send-email-dmitriy.paliy@nokia.com>
Code cleanup: the unnecessary operation 'return len;' is removed and the
typo 'immidiately' in the comments is corrected to 'immediately'.
---
src/obex.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/obex.c b/src/obex.c
index 4e1db9c..adfcc95 100644
--- a/src/obex.c
+++ b/src/obex.c
@@ -678,7 +678,6 @@ add_header:
if (len == 0) {
g_free(os->buf);
os->buf = NULL;
- return len;
}
os->offset += len;
@@ -818,7 +817,7 @@ static void cmd_get(struct obex_session *os, obex_t *obex, obex_object_t *obj)
OBEX_ObjectAddHeader (obex, obj, OBEX_HDR_BODY,
hd, 0, OBEX_FL_STREAM_START);
- /* Try to write to stream and suspend the stream immidiately
+ /* Try to write to stream and suspend the stream immediately
* if no data available to send. */
err = obex_write_stream(os, obex, obj);
if (err == -EAGAIN) {
--
1.7.0.4
* [PATCH 1/2] Fix regression on suspend on opening
From: Dmitriy Paliy @ 2010-10-15 6:57 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Dmitriy Paliy
In-Reply-To: <1287125828-5479-1-git-send-email-dmitriy.paliy@nokia.com>
This fixes a regression on suspend on opening when obex_write_stream
returns the length of the buffer, which is treated as an error response
afterwards.
---
src/obex.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/obex.c b/src/obex.c
index d1ac339..4e1db9c 100644
--- a/src/obex.c
+++ b/src/obex.c
@@ -683,7 +683,7 @@ add_header:
os->offset += len;
- return len;
+ return 0;
}
static gboolean handle_async_io(void *object, int flags, int err,
--
1.7.0.4
* [PATCH 0/2] Fix regression on suspend on opening
From: Dmitriy Paliy @ 2010-10-15 6:57 UTC (permalink / raw)
To: linux-bluetooth
Hi,
This fixes a regression when doing suspend on opening an obex stream. If
obex_write_stream returns the length of the buffer, it is treated as an
error response later on, which is not correct.
Negative values returned by obex_write_stream are error codes, while
positive ones mean the length of the buffer. Positive values are never
used afterwards in the code. Therefore, for this reason, and to be
consistent with obex_read_stream, which also returns only 0, it was
decided to remove the return of the positive value representing the
length altogether.
A result of this is also some code cleanup that removes the unnecessary
return of len when it is zero.
A typo is fixed in the comments as well.
Br,
Dmitriy
* Re: [PATCH] Update Gustavo's email in AUTHORS
From: Johan Hedberg @ 2010-10-15 5:59 UTC (permalink / raw)
To: Gustavo F. Padovan; +Cc: linux-bluetooth
In-Reply-To: <1287098803-22806-1-git-send-email-padovan@profusion.mobi>
Hi Gustavo,
On Thu, Oct 14, 2010, Gustavo F. Padovan wrote:
> ---
> AUTHORS | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/AUTHORS b/AUTHORS
> index 8e0a012..e063569 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -35,7 +35,7 @@ Pekka Pessi <pekka.pessi@nokia.com>
> Siarhei Siamashka <siarhei.siamashka@nokia.com>
> Nick Pelly <npelly@google.com>
> Lennart Poettering <lennart@poettering.net>
> -Gustavo F. Padovan <gustavo@las.ic.unicamp.br>
> +Gustavo F. Padovan <padovan@profusion.mobi>
> Marc-Andre Lureau <marc-andre.lureau@nokia.com>
> Bea Lam <bea.lam@nokia.com>
> Zygo Blaxell <zygo.blaxell@xandros.com>
Pushed upstream. Thanks.
Johan
* [PATCH] Update Gustavo's email in AUTHORS
From: Gustavo F. Padovan @ 2010-10-14 23:26 UTC (permalink / raw)
To: linux-bluetooth
---
AUTHORS | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index 8e0a012..e063569 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -35,7 +35,7 @@ Pekka Pessi <pekka.pessi@nokia.com>
Siarhei Siamashka <siarhei.siamashka@nokia.com>
Nick Pelly <npelly@google.com>
Lennart Poettering <lennart@poettering.net>
-Gustavo F. Padovan <gustavo@las.ic.unicamp.br>
+Gustavo F. Padovan <padovan@profusion.mobi>
Marc-Andre Lureau <marc-andre.lureau@nokia.com>
Bea Lam <bea.lam@nokia.com>
Zygo Blaxell <zygo.blaxell@xandros.com>
--
1.7.3.1
* [PATCH] fix oops in l2cap_connect_req
From: Nathan Holstein @ 2010-10-14 22:37 UTC (permalink / raw)
To: linux-kernel, linux-bluetooth
(Please keep me in the CC list, I'm not subscribed to lkml)
[1] L2CAP module dereferences an uninitialized pointer within l2cap_connect_req.
[2] I'm currently testing a 2.6.35 kernel on a Nexus One with backported
patches from bluetooth-2.6. When testing against certain BT devices, I'm seeing
a null-pointer deref. The crash is caused by this portion of commit e9aeb2dd:
@@ -2966,6 +2991,15 @@ sendresp:
L2CAP_INFO_REQ, sizeof(info), &info);
}
+ if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+ result == L2CAP_CR_SUCCESS) {
+ u8 buf[128];
+ l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+ l2cap_build_conf_req(sk, buf), buf);
+ l2cap_pi(sk)->num_conf_req++;
+ }
+
return 0;
}
Multiple error cases jump to the response & sendresp labels prior to
initializing the "sk" variable. In the case I'm currently seeing, the
remote BT device fails to properly secure the ACL, making this crash 100%
reproducible.
[3] Bluetooth, L2CAP
[4] This bug appears to be in the mainline 2.6.36-rc? kernel, in addition to
multiple Bluetooth development trees
The following patch fixes the crash.
--nathan
---
In error cases when the ACL is insecure or we fail to allocate a new
struct sock, we jump to the "response" label. If so, "sk" will be
uninitialized and the kernel crashes.
Signed-off-by: Nathan Holstein <nathan.holstein@gmail.com>
---
net/bluetooth/l2cap.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index d527b10..10ae0af 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -2911,7 +2911,7 @@ static inline int l2cap_connect_req(struct
l2cap_conn *conn, struct l2cap_cmd_hd
struct l2cap_chan_list *list = &conn->chan_list;
struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
struct l2cap_conn_rsp rsp;
- struct sock *parent, *uninitialized_var(sk);
+ struct sock *parent, *sk = 0;
int result, status = L2CAP_CS_NO_INFO;
u16 dcid = 0, scid = __le16_to_cpu(req->scid);
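Review bot: `*sk = 0` should be `*sk = NULL`, the kernel's convention for pointers. Otherwise the change is right: `uninitialized_var()` was silencing a real warning, since every `goto response` taken before the socket is allocated leaves `sk` unset.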
@@ -3020,7 +3020,7 @@ sendresp:
L2CAP_INFO_REQ, sizeof(info), &info);
}
- if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+ if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
result == L2CAP_CR_SUCCESS) {
u8 buf[128];
l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
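Review bot: the `sk &&` guard covers the dereferences in this block (`l2cap_pi(sk)->conf_state` and the `l2cap_build_conf_req(sk, buf)` call shown in the quoted original). Since `result == L2CAP_CR_SUCCESS` is also part of the condition, consider adding `WARN_ON(result == L2CAP_CR_SUCCESS && !sk)` so that a future path which reports success without allocating the socket is noticed instead of silently skipping the configuration request.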
--
1.7.2.3
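The control-flow defect Nathan describes, reduced to a stand-alone model as an added example; this is not kernel code and not part of the original thread. The names (`l2cap_connect_model`, `run_scenario`, `struct chan`, `struct conn`, the `CR_*` result codes and the `CONF_REQ_SENT` bit) are hypothetical stand-ins for the kernel's `l2cap_connect_req()`, `struct sock`, `L2CAP_CR_*` and `L2CAP_CONF_REQ_SENT`, and the insecure-ACL and allocation-failure paths are constructed fault injection. The point it shows is that a pointer assigned only on the success path must start as NULL and be checked after a shared `response` label, because every early `goto` reaches that label with the pointer unset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's L2CAP_CR_* results and conf_state bit. */
enum { CR_SUCCESS = 0, CR_BAD_PSM = 2, CR_SEC_BLOCK = 3, CR_NO_MEM = 4 };
enum { CONF_REQ_SENT = 0x01 };

struct chan {                 /* stands in for struct sock + l2cap_pinfo */
    uint8_t conf_state;
    unsigned num_conf_req;
};

struct conn {
    bool acl_secure;          /* did the remote side secure the ACL link? */
    bool alloc_fails;         /* constructed fault injection for the sk alloc */
    unsigned cmds_sent;       /* number of L2CAP signalling commands emitted */
    struct chan *chan;        /* channel created on success, otherwise NULL */
};

static void send_cmd(struct conn *conn) { conn->cmds_sent++; }

/*
 * Fixed control flow: sk starts as NULL (the patch's "*sk = 0", which
 * should be written NULL) and the block after the shared response label
 * tests it before dereferencing.
 */
int l2cap_connect_model(struct conn *conn, uint16_t psm)
{
    struct chan *sk = NULL;   /* was uninitialized_var(sk) in the kernel */
    int result;

    if (psm == 0) {           /* unknown PSM: reject before touching sk */
        result = CR_BAD_PSM;
        goto response;
    }
    if (!conn->acl_secure) {  /* insecure ACL: the path Nathan hit */
        result = CR_SEC_BLOCK;
        goto response;
    }
    sk = conn->alloc_fails ? NULL : calloc(1, sizeof(*sk));
    if (!sk) {                /* allocation failure: the other error path */
        result = CR_NO_MEM;
        goto response;
    }
    conn->chan = sk;
    result = CR_SUCCESS;

response:
    send_cmd(conn);           /* the connection response goes out on every path */

    /* Without the "sk &&" guard every goto above dereferenced an unset
     * pointer here; with it, only a successfully created channel gets the
     * configuration request. */
    if (sk && !(sk->conf_state & CONF_REQ_SENT) && result == CR_SUCCESS) {
        sk->conf_state |= CONF_REQ_SENT;
        send_cmd(conn);       /* the configuration request */
        sk->num_conf_req++;
    }
    return result;
}

/* Run one scenario; returns the result code and reports commands sent. */
int run_scenario(bool acl_secure, bool alloc_fails, unsigned *cmds_out)
{
    struct conn c;
    int result;

    memset(&c, 0, sizeof(c));
    c.acl_secure = acl_secure;
    c.alloc_fails = alloc_fails;
    result = l2cap_connect_model(&c, 0x0001);
    if (cmds_out)
        *cmds_out = c.cmds_sent;
    free(c.chan);
    return result;
}

int main(void)
{
    unsigned n;
    int r;

    r = run_scenario(false, false, &n);
    printf("insecure ACL:  result=%d cmds=%u\n", r, n);
    r = run_scenario(true, true, &n);
    printf("alloc failure: result=%d cmds=%u\n", r, n);
    r = run_scenario(true, false, &n);
    printf("success:       result=%d cmds=%u\n", r, n);
    return 0;
}
```

The two error scenarios send exactly one command (the response) and return without touching the channel; the success scenario sends two (response plus configuration request). Compiling the unguarded form instead would be undefined behaviour on the error paths, which is why the example only contains the fixed shape.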
* Re: [PATCH] fix oops in l2cap_connect_req
From: Gustavo F. Padovan @ 2010-10-14 21:37 UTC (permalink / raw)
To: Nathan Holstein; +Cc: linux-kernel, linux-bluetooth
In-Reply-To: <AANLkTi=CNW1pu-YdvmViqHxfw-_TDzvLkj15Ai_aANWo@mail.gmail.com>
Hi Nathan,
* Nathan Holstein <nathan.holstein@gmail.com> [2010-10-14 18:37:53 -0400]:
> (Please keep me in the CC list, I'm not subscribed to lkml)
>
> [1] L2CAP module dereferences an uninitialized pointer within l2cap_connect_req.
>
> [2] I'm currently testing a 2.6.35 kernel on a Nexus One with backported
> patches from bluetooth-2.6. When testing against certain BT devices, I'm seeing
> a null-pointer deref. The crash is caused by this portion of commit e9aeb2dd:
>
> @@ -2966,6 +2991,15 @@ sendresp:
> L2CAP_INFO_REQ, sizeof(info), &info);
> }
>
> + if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
> + result == L2CAP_CR_SUCCESS) {
> + u8 buf[128];
> + l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
> + l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
> + l2cap_build_conf_req(sk, buf), buf);
> + l2cap_pi(sk)->num_conf_req++;
> + }
> +
> return 0;
> }
>
> Multiple error cases jump to the response & sendresp labels prior to
> initializing the "sk" variable. In the case I'm currently seeing, the
> remote BT device fails to properly secure the ACL, making this crash 100%
> reproducible.
>
> [3] Bluetooth, L2CAP
>
> [4] This bug appears to be in the mainline 2.6.36-rc? kernel, in addition to
> multiple Bluetooth development trees
>
> The following patch fixes the crash.
>
>
> --nathan
>
> ---
> In error cases when the ACL is insecure or we fail to allocate a new
> struct sock, we jump to the "response" label. If so, "sk" will be
> uninitialized and the kernel crashes.
>
> Signed-off-by: Nathan Holstein <nathan.holstein@gmail.com>
> ---
> net/bluetooth/l2cap.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
> index d527b10..10ae0af 100644
> --- a/net/bluetooth/l2cap.c
> +++ b/net/bluetooth/l2cap.c
> @@ -2911,7 +2911,7 @@ static inline int l2cap_connect_req(struct
> l2cap_conn *conn, struct l2cap_cmd_hd
> struct l2cap_chan_list *list = &conn->chan_list;
> struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
> struct l2cap_conn_rsp rsp;
> - struct sock *parent, *uninitialized_var(sk);
> + struct sock *parent, *sk = 0;
Your fix is right, but please make *sk = NULL here.
When I wrote that code I thought it was a false positive, but no, it's a
bug. :(
--
Gustavo F. Padovan
ProFUSION embedded systems - http://profusion.mobi
* Re: [PATCH] Fix not responding Not Found when no entry is found
From: Johan Hedberg @ 2010-10-14 20:35 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <1287063243-23296-1-git-send-email-luiz.dentz@gmail.com>
Hi Luiz,
On Thu, Oct 14, 2010, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
>
> According to PBAP spec PSE must reply Not Found when:
>
> "The function was recognized and all the parameters are proper, but the
> vCard handle or the phone book object could not be found."
> ---
> plugins/pbap.c | 15 +++++++++++++++
> plugins/phonebook-tracker.c | 12 +++++++++---
> 2 files changed, 24 insertions(+), 3 deletions(-)
Pushed upstream. Thanks.
Johan
* Re: [PATCH] Unref pending call in fallback scenario.
From: Johan Hedberg @ 2010-10-14 20:34 UTC (permalink / raw)
To: Lukasz Rymanowski; +Cc: linux-bluetooth, Par-Gunnar.p.HJALMDAHL
In-Reply-To: <1287069227-4076-1-git-send-email-lukasz.rymanowski@tieto.com>
Hi Lukasz,
On Thu, Oct 14, 2010, Lukasz Rymanowski wrote:
> Drop the reference to pending call in fallback scenario.
> Otherwise, dbus will assert once timer expires.
> ---
> src/agent.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/src/agent.c b/src/agent.c
> index c7fdbd4..b65a550 100644
> --- a/src/agent.c
> +++ b/src/agent.c
> @@ -706,6 +706,7 @@ static int request_fallback(struct agent_request *req,
> return -EINVAL;
>
> dbus_pending_call_cancel(req->call);
> + dbus_pending_call_unref(req->call);
>
> msg = dbus_message_copy(req->msg);
>
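Review bot: after `dbus_pending_call_unref(req->call)` the `req->call` field still holds the released pointer; unless the fallback path below reassigns it when the new request is sent, set `req->call = NULL` right after the unref so a later cancel or unref on this request cannot act on a freed call.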
Good catch. The patch has been pushed upstream. Over the last few years
I've bumped into this libdbus issue several times but it seems this
particular code path (request_fallback) gets triggered seldom enough for
it to not have surfaced earlier. I also vaguely remember that this got
fixed in newer D-Bus versions so those might not assert in this case
anymore.
Johan