* [PATCH] Fix strict aliasing issue
From: Rafal Michalski @ 2011-03-22 12:19 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Rafal Michalski

This patch adjusts the type of some variables to the type used by the kernel.
It avoids unexpected behaviour which may occur after violating the
strict aliasing rule.
---
 lib/hci.h            |    4 ++--
 lib/hci_lib.h        |    6 +++---
 tools/hcisecfilter.c |   20 ++++++++++----------
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/hci.h b/lib/hci.h
index d2d4f77..a8e6c12 100644
--- a/lib/hci.h
+++ b/lib/hci.h
@@ -2268,8 +2268,8 @@ struct sockaddr_hci {
 #define HCI_CHANNEL_CONTROL	1
 
 struct hci_filter {
-	uint32_t type_mask;
-	uint32_t event_mask[2];
+	unsigned long type_mask;
+	unsigned long event_mask[2];
 	uint16_t opcode;
 };
 
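Review bot: Widening type_mask and event_mask to unsigned long changes the size and layout of struct hci_filter on LP64 targets (16 to 32 bytes with padding) and makes it differ between 32-bit and 64-bit builds; this is the struct userspace hands to the HCI socket filter option, so unless the kernel side of that option also stores unsigned long (not visible in this patch — if it copies a fixed-width 32-bit layout the call fails or the mask is misread), existing binaries and 32-bit compat break. The aliasing violation being fixed is not shown in the hunks, so it is hard to tell which side is wrong; if the only goal is a type-consistent access in the bit helpers, keeping the fields uint32_t and making hci_set_bit/hci_clear_bit/hci_test_bit operate on uint32_t words is the lower-risk change. The same concern applies to the local variables in tools/hcisecfilter.c.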
diff --git a/lib/hci_lib.h b/lib/hci_lib.h
index 725eb05..c0c43c2 100644
--- a/lib/hci_lib.h
+++ b/lib/hci_lib.h
@@ -163,17 +163,17 @@ char *lmp_featurestostr(uint8_t *features, char *pref, int width);
 
 static inline void hci_set_bit(int nr, void *addr)
 {
-	*((uint32_t *) addr + (nr >> 5)) |= (1 << (nr & 31));
+	*((unsigned long *) addr + (nr >> 5)) |= (1 << (nr & 31));
 }
 
 static inline void hci_clear_bit(int nr, void *addr)
 {
-	*((uint32_t *) addr + (nr >> 5)) &= ~(1 << (nr & 31));
+	*((unsigned long *) addr + (nr >> 5)) &= ~(1 << (nr & 31));
 }
 
 static inline int hci_test_bit(int nr, void *addr)
 {
-	return *((uint32_t *) addr + (nr >> 5)) & (1 << (nr & 31));
+	return *((unsigned long *) addr + (nr >> 5)) & (1 << (nr & 31));
 }
 
 /* HCI filter tools */
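Review bot: The bit masks in hci_set_bit, hci_clear_bit and hci_test_bit are still built as int while the word is now unsigned long: `1 << (nr & 31)` overflows a 32-bit int when `nr & 31` is 31, and in hci_clear_bit `~(1 << 31)` is 0x7fffffff, which widened to a 64-bit unsigned long also clears bits 32–63 of the word. Use an unsigned long constant in all three helpers, e.g. `*((unsigned long *) addr + (nr >> 5)) |= (1UL << (nr & 31));`. Separately, `nr >> 5` still indexes in 32-bit steps although each element is now a long, so on LP64 only the low half of every word is ever used; if the intent is to match the kernel's long-based bitmaps the index would need the long's width as well (inferred — the kernel side is not in this patch).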
diff --git a/tools/hcisecfilter.c b/tools/hcisecfilter.c
index 9ad4ce0..4512baa 100644
--- a/tools/hcisecfilter.c
+++ b/tools/hcisecfilter.c
@@ -35,15 +35,15 @@
 
 int main(void)
 {
-	uint32_t type_mask;
-	uint32_t event_mask[2];
-	uint32_t ocf_mask[4];
+	unsigned long type_mask;
+	unsigned long event_mask[2];
+	unsigned long ocf_mask[4];
 
 	/* Packet types */
 	memset(&type_mask, 0, sizeof(type_mask));
 	hci_set_bit(HCI_EVENT_PKT, &type_mask);
 
-	printf("Type mask:        { 0x%02x }\n", type_mask);
+	printf("Type mask:        { 0x%02lx }\n", type_mask);
 
 	/* Events */
 	memset(event_mask, 0, sizeof(event_mask));
@@ -66,7 +66,7 @@ int main(void)
 	hci_set_bit(EVT_SYNC_CONN_CHANGED,			event_mask);
 	hci_set_bit(EVT_EXTENDED_INQUIRY_RESULT,		event_mask);
 
-	printf("Event mask:       { 0x%08x, 0x%08x }\n",
+	printf("Event mask:       { 0x%08lx, 0x%08lx }\n",
 					event_mask[0], event_mask[1]);
 
 	/* OGF_LINK_CTL */
@@ -81,7 +81,7 @@ int main(void)
 	hci_set_bit(OCF_READ_CLOCK_OFFSET,		ocf_mask);
 	hci_set_bit(OCF_READ_LMP_HANDLE,		ocf_mask);
 
-	printf("OGF_LINK_CTL:     { 0x%08x, 0x%08x, 0x%08x, 0x%02x }\n",
+	printf("OGF_LINK_CTL:     { 0x%08lx, 0x%08lx, 0x%08lx, 0x%02lx }\n",
 			ocf_mask[0], ocf_mask[1], ocf_mask[2], ocf_mask[3]);
 
 	/* OGF_LINK_POLICY */
@@ -90,7 +90,7 @@ int main(void)
 	hci_set_bit(OCF_READ_LINK_POLICY,		ocf_mask);
 	hci_set_bit(OCF_READ_DEFAULT_LINK_POLICY,	ocf_mask);
 
-	printf("OGF_LINK_POLICY:  { 0x%08x, 0x%08x, 0x%08x, 0x%02x }\n",
+	printf("OGF_LINK_POLICY:  { 0x%08lx, 0x%08lx, 0x%08lx, 0x%02lx }\n",
 			ocf_mask[0], ocf_mask[1], ocf_mask[2], ocf_mask[3]);
 
 	/* OGF_HOST_CTL */
@@ -124,7 +124,7 @@ int main(void)
 	hci_set_bit(OCF_READ_INQ_RESPONSE_TX_POWER_LEVEL,	ocf_mask);
 	hci_set_bit(OCF_READ_DEFAULT_ERROR_DATA_REPORTING,	ocf_mask);
 
-	printf("OGF_HOST_CTL:     { 0x%08x, 0x%08x, 0x%08x, 0x%02x }\n",
+	printf("OGF_HOST_CTL:     { 0x%08lx, 0x%08lx, 0x%08lx, 0x%02lx }\n",
 			ocf_mask[0], ocf_mask[1], ocf_mask[2], ocf_mask[3]);
 
 	/* OGF_INFO_PARAM */
@@ -137,7 +137,7 @@ int main(void)
 	hci_set_bit(OCF_READ_COUNTRY_CODE,		ocf_mask);
 	hci_set_bit(OCF_READ_BD_ADDR,			ocf_mask);
 
-	printf("OGF_INFO_PARAM:   { 0x%08x, 0x%08x, 0x%08x, 0x%02x }\n",
+	printf("OGF_INFO_PARAM:   { 0x%08lx, 0x%08lx, 0x%08lx, 0x%02lx }\n",
 			ocf_mask[0], ocf_mask[1], ocf_mask[2], ocf_mask[3]);
 
 	/* OGF_STATUS_PARAM */
@@ -148,7 +148,7 @@ int main(void)
 	hci_set_bit(OCF_READ_AFH_MAP,			ocf_mask);
 	hci_set_bit(OCF_READ_CLOCK,			ocf_mask);
 
-	printf("OGF_STATUS_PARAM: { 0x%08x, 0x%08x, 0x%08x, 0x%02x }\n",
+	printf("OGF_STATUS_PARAM: { 0x%08lx, 0x%08lx, 0x%08lx, 0x%02lx }\n",
 			ocf_mask[0], ocf_mask[1], ocf_mask[2], ocf_mask[3]);
 
 	return 0;
-- 
1.6.3.3



* [PATCH v5 5/5] Bluetooth: Enable support for out of band association model
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300795943-6681-1-git-send-email-szymon.janc@tieto.com>

If the remote side reports OOB availability, or we are the pairing initiator,
use OOB data for pairing if it is available.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/hci_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index aa60969..833797e 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2373,9 +2373,14 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
 
 		bacpy(&cp.bdaddr, &ev->bdaddr);
 		cp.capability = conn->io_capability;
-		cp.oob_data = 0;
 		cp.authentication = hci_get_auth_req(conn);
 
+		if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
+				hci_find_remote_oob_data(hdev, &conn->dst))
+			cp.oob_data = 0x01;
+		else
+			cp.oob_data = 0x00;
+
 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
 							sizeof(cp), &cp);
 	} else {
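Review bot: The new condition calls hci_find_remote_oob_data, which walks hdev->remote_oob_data with no locking of its own while mgmt adds and removes entries under hci_dev_lock_bh; hci_io_capa_request_evt begins and ends outside this hunk, so please confirm hci_dev_lock is held at this point. The branch also deserves a comment for the asymmetry it encodes, since `conn->out == 0x01` lets an initiator offer OOB data before the remote has said anything: `/* Initiator may offer OOB data unsolicited; responder only after the remote advertised it */`. Comparing `conn->out` and `conn->remote_oob` against the literal 0x01 rather than testing them as booleans is a style point — if these fields only ever hold 0 or 1, `if ((conn->out || conn->remote_oob) && hci_find_remote_oob_data(hdev, &conn->dst))` reads more naturally.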
-- 
1.7.0.4



* [PATCH v5 4/5] Bluetooth: Add add/remove_remote_oob_data management commands
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300795943-6681-1-git-send-email-szymon.janc@tieto.com>

This patch adds commands to add and remove remote OOB data to the management
interface. Remote data is stored in the kernel and can be used by the corresponding
HCI commands and events when needed.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 include/net/bluetooth/hci.h      |   17 +++++++++
 include/net/bluetooth/hci_core.h |   16 ++++++++
 include/net/bluetooth/mgmt.h     |   12 ++++++
 net/bluetooth/hci_core.c         |   67 ++++++++++++++++++++++++++++++++++
 net/bluetooth/hci_event.c        |   35 ++++++++++++++++++
 net/bluetooth/mgmt.c             |   75 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 222 insertions(+), 0 deletions(-)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 0ac0804..4848f83 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -428,6 +428,18 @@ struct hci_rp_user_confirm_reply {
 
 #define HCI_OP_USER_CONFIRM_NEG_REPLY	0x042d
 
+#define HCI_OP_REMOTE_OOB_DATA_REPLY	0x0430
+struct hci_cp_remote_oob_data_reply {
+	bdaddr_t bdaddr;
+	__u8     hash[16];
+	__u8     randomizer[16];
+} __packed;
+
+#define HCI_OP_REMOTE_OOB_DATA_NEG_REPLY	0x0433
+struct hci_cp_remote_oob_data_neg_reply {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define HCI_OP_IO_CAPABILITY_NEG_REPLY	0x0434
 struct hci_cp_io_capability_neg_reply {
 	bdaddr_t bdaddr;
@@ -964,6 +976,11 @@ struct hci_ev_user_confirm_req {
 	__le32		passkey;
 } __packed;
 
+#define HCI_EV_REMOTE_OOB_DATA_REQUEST	0x35
+struct hci_ev_remote_oob_data_request {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define HCI_EV_SIMPLE_PAIR_COMPLETE	0x36
 struct hci_ev_simple_pair_complete {
 	__u8     status;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index fd9b8a3..87bff51 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -82,6 +82,13 @@ struct link_key {
 	u8 pin_len;
 };
 
+struct oob_data {
+	struct list_head list;
+	bdaddr_t bdaddr;
+	u8 hash[16];
+	u8 randomizer[16];
+};
+
 #define NUM_REASSEMBLY 4
 struct hci_dev {
 	struct list_head list;
@@ -169,6 +176,8 @@ struct hci_dev {
 
 	struct list_head	link_keys;
 
+	struct list_head	remote_oob_data;
+
 	struct hci_dev_stats	stat;
 
 	struct sk_buff_head	driver_init;
@@ -505,6 +514,13 @@ int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
 						u8 *key, u8 type, u8 pin_len);
 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
 
+int hci_remote_oob_data_clear(struct hci_dev *hdev);
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+							bdaddr_t *bdaddr);
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+								u8 *randomizer);
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr);
+
 void hci_del_off_timer(struct hci_dev *hdev);
 
 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb);
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 6ebb126..1a6283f 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -183,6 +183,18 @@ struct mgmt_rp_read_local_oob_data {
 	__u8 randomizer[16];
 } __packed;
 
+#define MGMT_OP_ADD_REMOTE_OOB_DATA	0x0019
+struct mgmt_cp_add_remote_oob_data {
+	bdaddr_t bdaddr;
+	__u8 hash[16];
+	__u8 randomizer[16];
+} __packed;
+
+#define MGMT_OP_REMOVE_REMOTE_OOB_DATA	0x001A
+struct mgmt_cp_remove_remote_oob_data {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define MGMT_EV_CMD_COMPLETE		0x0001
 struct mgmt_ev_cmd_complete {
 	__le16 opcode;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1f11fe3..c7131a4 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1080,6 +1080,70 @@ static void hci_cmd_timer(unsigned long arg)
 	tasklet_schedule(&hdev->cmd_task);
 }
 
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+							bdaddr_t *bdaddr)
+{
+	struct oob_data *data;
+
+	list_for_each_entry(data, &hdev->remote_oob_data, list)
+		if (bacmp(bdaddr, &data->bdaddr) == 0)
+			return data;
+
+	return NULL;
+}
+
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+	struct oob_data *data;
+
+	data = hci_find_remote_oob_data(hdev, bdaddr);
+	if (!data)
+		return -ENOENT;
+
+	BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+
+	list_del(&data->list);
+	kfree(data);
+
+	return 0;
+}
+
+int hci_remote_oob_data_clear(struct hci_dev *hdev)
+{
+	struct oob_data *data, *n;
+
+	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
+		list_del(&data->list);
+		kfree(data);
+	}
+
+	return 0;
+}
+
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+								u8 *randomizer)
+{
+	struct oob_data *data;
+
+	data = hci_find_remote_oob_data(hdev, bdaddr);
+
+	if (!data) {
+		data = kmalloc(sizeof(*data), GFP_ATOMIC);
+		if (!data)
+			return -ENOMEM;
+
+		bacpy(&data->bdaddr, bdaddr);
+		list_add(&data->list, &hdev->remote_oob_data);
+	}
+
+	memcpy(data->hash, hash, sizeof(data->hash));
+	memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
+
+	BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
+
+	return 0;
+}
+
 /* Register HCI device */
 int hci_register_dev(struct hci_dev *hdev)
 {
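Review bot: hci_remove_remote_oob_data and hci_remote_oob_data_clear release entries with plain kfree, leaving the remote hash and randomizer readable in freed memory; since these are pairing material, clearing the struct before freeing (the kernel's kzfree() does exactly that) is cheap and keeps the data from outliving its use. None of the four helpers document that the caller must hold the hdev lock, although the list has no lock of its own and the mgmt callers visibly take hci_dev_lock_bh — a one-line `/* Caller must hold hdev lock */` above hci_find_remote_oob_data would make the contract explicit. hci_remote_oob_data_clear always returns 0, so its int return carries no information; void would match what the hci_unregister_dev call site does with it.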
@@ -1144,6 +1208,8 @@ int hci_register_dev(struct hci_dev *hdev)
 
 	INIT_LIST_HEAD(&hdev->link_keys);
 
+	INIT_LIST_HEAD(&hdev->remote_oob_data);
+
 	INIT_WORK(&hdev->power_on, hci_power_on);
 	INIT_WORK(&hdev->power_off, hci_power_off);
 	setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1223,6 +1289,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
 	hci_blacklist_clear(hdev);
 	hci_uuids_clear(hdev);
 	hci_link_keys_clear(hdev);
+	hci_remote_oob_data_clear(hdev);
 	hci_dev_unlock_bh(hdev);
 
 	__hci_dev_put(hdev);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 0223b38..aa60969 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2473,6 +2473,37 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
 	hci_dev_unlock(hdev);
 }
 
+static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
+							struct sk_buff *skb)
+{
+	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
+	struct oob_data *data;
+
+	BT_DBG("%s", hdev->name);
+
+	hci_dev_lock(hdev);
+
+	data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
+	if (data) {
+		struct hci_cp_remote_oob_data_reply cp;
+
+		bacpy(&cp.bdaddr, &ev->bdaddr);
+		memcpy(cp.hash, data->hash, sizeof(cp.hash));
+		memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
+
+		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
+									&cp);
+	} else {
+		struct hci_cp_remote_oob_data_neg_reply cp;
+
+		bacpy(&cp.bdaddr, &ev->bdaddr);
+		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
+									&cp);
+	}
+
+	hci_dev_unlock(hdev);
+}
+
 static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
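Review bot: hci_remote_oob_data_request_evt reads ev->bdaddr from skb->data without checking that skb->len covers sizeof(*ev); if the sibling event handlers in this file rely on hci_event_packet having validated the length this is consistent with them, otherwise add `if (skb->len < sizeof(*ev)) return;` before the lookup. The handler copies the stored hash and randomizer into the stack `cp` under hci_dev_lock, which is the right place for the copy since the list entry may be removed by mgmt once the lock is dropped; a short comment above the function stating that it answers the controller's OOB data request from the mgmt-provided store, and negatively otherwise, would help the next reader since nothing in the file explains the two reply shapes.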
@@ -2675,6 +2706,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 		hci_le_meta_evt(hdev, skb);
 		break;
 
+	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
+		hci_remote_oob_data_request_evt(hdev, skb);
+		break;
+
 	default:
 		BT_DBG("%s event 0x%x", hdev->name, event);
 		break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 30b7d02..722d5b0 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1347,6 +1347,74 @@ unlock:
 	return err;
 }
 
+static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
+									u16 len)
+{
+	struct hci_dev *hdev;
+	struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
+	int err;
+
+	BT_DBG("hci%u ", index);
+
+	if (len != sizeof(*cp))
+		return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+									EINVAL);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
+								cp->randomizer);
+	if (err < 0)
+		err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
+	else
+		err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
+									0);
+
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
+static int remove_remote_oob_data(struct sock *sk, u16 index,
+						unsigned char *data, u16 len)
+{
+	struct hci_dev *hdev;
+	struct mgmt_cp_remove_remote_oob_data *cp = (void *) data;
+	int err;
+
+	BT_DBG("hci%u ", index);
+
+	if (len != sizeof(*cp))
+		return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									EINVAL);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
+	if (err < 0)
+		err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									-err);
+	else
+		err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+								NULL, 0);
+
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 {
 	unsigned char *buf;
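Review bot: add_remote_oob_data and remove_remote_oob_data check `len != sizeof(*cp)` before touching the payload, which is the right guard; note that the `BT_DBG("hci%u ", index)` format in both carries a trailing space, unlike the `"hci%u"` used by read_local_oob_data, so `BT_DBG("hci%u", index);` keeps the debug output uniform. The two functions share the same get/lock/call/unlock/put skeleton and differ only in the helper and opcode, which mirrors the other handlers in mgmt.c, so the duplication is defensible; a one-line comment on each saying that the payload is written straight into the device's store without an adapter-up or SSP-capability check (unlike read_local_oob_data) would document that this asymmetry is deliberate.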
@@ -1448,6 +1516,13 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 	case MGMT_OP_READ_LOCAL_OOB_DATA:
 		err = read_local_oob_data(sk, index);
 		break;
+	case MGMT_OP_ADD_REMOTE_OOB_DATA:
+		err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
+		break;
+	case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
+		err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
+									len);
+		break;
 
 	default:
 		BT_DBG("Unknown op %u", opcode);
-- 
1.7.0.4



* [PATCH v5 3/5] Bluetooth: Add read_local_oob_data management command
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300795943-6681-1-git-send-email-szymon.janc@tieto.com>

This patch adds a command to read local OOB data to the management interface.
The command maps directly to the Read Local OOB Data HCI command.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 include/net/bluetooth/hci.h      |    7 +++
 include/net/bluetooth/hci_core.h |    2 +
 include/net/bluetooth/mgmt.h     |    6 +++
 net/bluetooth/hci_event.c        |   15 +++++++
 net/bluetooth/mgmt.c             |   83 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 113 insertions(+), 0 deletions(-)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 00fdcb7..0ac0804 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -615,6 +615,13 @@ struct hci_cp_write_ssp_mode {
 	__u8     mode;
 } __packed;
 
+#define HCI_OP_READ_LOCAL_OOB_DATA		0x0c57
+struct hci_rp_read_local_oob_data {
+	__u8     status;
+	__u8     hash[16];
+	__u8     randomizer[16];
+} __packed;
+
 #define HCI_OP_READ_INQ_RSP_TX_POWER	0x0c58
 
 #define HCI_OP_READ_LOCAL_VERSION	0x1001
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 3912c7a..fd9b8a3 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -768,6 +768,8 @@ int mgmt_user_confirm_neg_reply_complete(u16 index, bdaddr_t *bdaddr,
 								u8 status);
 int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status);
 int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status);
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+								u8 status);
 
 /* HCI info for socket */
 #define hci_pi(sk) ((struct hci_pinfo *) sk)
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 89e7c82..6ebb126 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -177,6 +177,12 @@ struct mgmt_cp_set_local_name {
 	__u8 name[MGMT_MAX_NAME_LENGTH];
 } __packed;
 
+#define MGMT_OP_READ_LOCAL_OOB_DATA	0x0018
+struct mgmt_rp_read_local_oob_data {
+	__u8 hash[16];
+	__u8 randomizer[16];
+} __packed;
+
 #define MGMT_EV_CMD_COMPLETE		0x0001
 struct mgmt_ev_cmd_complete {
 	__le16 opcode;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 11f0dd8..0223b38 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -824,6 +824,17 @@ static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
 								rp->status);
 }
 
+static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
+							struct sk_buff *skb)
+{
+	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
+
+	BT_DBG("%s status 0x%x", hdev->name, rp->status);
+
+	mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
+						rp->randomizer, rp->status);
+}
+
 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
 	BT_DBG("%s status 0x%x", hdev->name, status);
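Review bot: hci_cc_read_local_oob_data_reply passes rp->hash and rp->randomizer on to mgmt without checking skb->len against sizeof(*rp); a Command Complete that carries only the status byte would make the callee's memcpy (on its status == 0 path) read past the event, so guard with `if (skb->len < sizeof(*rp)) return;` unless the sibling hci_cc_* handlers rely on a check made in hci_cmd_complete_evt. The other complete handlers that call into mgmt may also gate the call on `test_bit(HCI_MGMT, &hdev->flags)`; if they do, this one should too so a controller not managed through mgmt does not hit the pending-command lookup.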
@@ -1754,6 +1765,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
 		hci_cc_pin_code_neg_reply(hdev, skb);
 		break;
 
+	case HCI_OP_READ_LOCAL_OOB_DATA:
+		hci_cc_read_local_oob_data_reply(hdev, skb);
+		break;
+
 	case HCI_OP_LE_READ_BUFFER_SIZE:
 		hci_cc_le_read_buffer_size(hdev, skb);
 		break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index ebf495d..30b7d02 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1298,6 +1298,55 @@ failed:
 	return err;
 }
 
+static int read_local_oob_data(struct sock *sk, u16 index)
+{
+	struct hci_dev *hdev;
+	struct pending_cmd *cmd;
+	int err;
+
+	BT_DBG("hci%u", index);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	if (!test_bit(HCI_UP, &hdev->flags)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+								ENETDOWN);
+		goto unlock;
+	}
+
+	if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+								EOPNOTSUPP);
+		goto unlock;
+	}
+
+	if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
+		goto unlock;
+	}
+
+	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
+	if (!cmd) {
+		err = -ENOMEM;
+		goto unlock;
+	}
+
+	err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
+	if (err < 0)
+		mgmt_pending_remove(cmd);
+
+unlock:
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 {
 	unsigned char *buf;
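Review bot: When mgmt_pending_add fails, read_local_oob_data sets `err = -ENOMEM` and jumps to unlock without sending a cmd_status, so the client that issued MGMT_OP_READ_LOCAL_OOB_DATA gets no reply at all, unlike the ENETDOWN/EOPNOTSUPP/EBUSY paths just above; `err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, ENOMEM);` would keep the handler's error reporting uniform (if the other handlers in this file intentionally leave the ENOMEM case silent, a comment saying so is enough). The same applies when hci_send_cmd fails: the pending entry is removed but the negative err is returned without a status reply. The feature test `hdev->features[6] & LMP_SIMPLE_PAIR` hard-codes the feature-byte index; if hci_core.h already provides a helper for this (lmp_ssp_capable or similar), prefer it.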
@@ -1396,6 +1445,10 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 	case MGMT_OP_SET_LOCAL_NAME:
 		err = set_local_name(sk, index, buf + sizeof(*hdr), len);
 		break;
+	case MGMT_OP_READ_LOCAL_OOB_DATA:
+		err = read_local_oob_data(sk, index);
+		break;
+
 	default:
 		BT_DBG("Unknown op %u", opcode);
 		err = cmd_status(sk, index, opcode, 0x01);
@@ -1725,3 +1778,33 @@ failed:
 		mgmt_pending_remove(cmd);
 	return err;
 }
+
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+								u8 status)
+{
+	struct pending_cmd *cmd;
+	int err;
+
+	BT_DBG("hci%u status %u", index, status);
+
+	cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
+	if (!cmd)
+		return -ENOENT;
+
+	if (status) {
+		err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+									EIO);
+	} else {
+		struct mgmt_rp_read_local_oob_data rp;
+
+		memcpy(rp.hash, hash, sizeof(rp.hash));
+		memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));
+
+		err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+							&rp, sizeof(rp));
+	}
+
+	mgmt_pending_remove(cmd);
+
+	return err;
+}
-- 
1.7.0.4



* [PATCH v5 2/5] Bluetooth: Allow for NULL data in mgmt_pending_add
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300795943-6681-1-git-send-email-szymon.janc@tieto.com>

Since the index is in mgmt_hdr, it is possible to have a mgmt command with
no parameters that still needs to add itself to the pending list.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/mgmt.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 657a02d..ebf495d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -239,7 +239,8 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
 		return NULL;
 	}
 
-	memcpy(cmd->param, data, len);
+	if (data)
+		memcpy(cmd->param, data, len);
 
 	cmd->sk = sk;
 	sock_hold(sk);
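Review bot: With data == NULL the guard skips the memcpy, but `len` is still what the kmalloc(len) above this hunk allocated, so a caller passing NULL with a non-zero len gets an uninitialised cmd->param that the response callbacks later read; either tie the two together, `if (data) memcpy(cmd->param, data, len); else WARN_ON(len);`, or document at the function that NULL data implies len == 0 (the new read_local_oob_data caller passes 0). The NULL/0 combination only works because kmalloc(0) returns a non-NULL sentinel that passes the allocation check above — worth a one-line comment so nobody "fixes" that check later. mgmt_pending_add starts outside the hunk.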
-- 
1.7.0.4



* [PATCH v5 1/5] Bluetooth: Rename cmd to param in pending_cmd
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300795943-6681-1-git-send-email-szymon.janc@tieto.com>

This field does not hold the whole command but only the command-specific
parameters.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/mgmt.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 98988c8..657a02d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -36,7 +36,7 @@ struct pending_cmd {
 	struct list_head list;
 	__u16 opcode;
 	int index;
-	void *cmd;
+	void *param;
 	struct sock *sk;
 	void *user_data;
 };
@@ -217,7 +217,7 @@ static int read_controller_info(struct sock *sk, u16 index)
 static void mgmt_pending_free(struct pending_cmd *cmd)
 {
 	sock_put(cmd->sk);
-	kfree(cmd->cmd);
+	kfree(cmd->param);
 	kfree(cmd);
 }
 
@@ -233,13 +233,13 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
 	cmd->opcode = opcode;
 	cmd->index = index;
 
-	cmd->cmd = kmalloc(len, GFP_ATOMIC);
-	if (!cmd->cmd) {
+	cmd->param = kmalloc(len, GFP_ATOMIC);
+	if (!cmd->param) {
 		kfree(cmd);
 		return NULL;
 	}
 
-	memcpy(cmd->cmd, data, len);
+	memcpy(cmd->param, data, len);
 
 	cmd->sk = sk;
 	sock_hold(sk);
@@ -1428,7 +1428,7 @@ struct cmd_lookup {
 
 static void mode_rsp(struct pending_cmd *cmd, void *data)
 {
-	struct mgmt_mode *cp = cmd->cmd;
+	struct mgmt_mode *cp = cmd->param;
 	struct cmd_lookup *match = data;
 
 	if (cp->val != match->val)
@@ -1527,7 +1527,7 @@ int mgmt_connected(u16 index, bdaddr_t *bdaddr)
 
 static void disconnect_rsp(struct pending_cmd *cmd, void *data)
 {
-	struct mgmt_cp_disconnect *cp = cmd->cmd;
+	struct mgmt_cp_disconnect *cp = cmd->param;
 	struct sock **sk = data;
 	struct mgmt_rp_disconnect rp;
 
-- 
1.7.0.4



* [PATCH v5 0/5] Support for OOB in mgmt interface
From: Szymon Janc @ 2011-03-22 12:12 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc

Changes since v4:
- include comments from Anderson Lizardo
- use sizeof instead of hardcoded size in memcpy calls

BR,
Szymon Janc
on behalf of ST-Ericsson

Szymon Janc (5):
  Bluetooth: Rename cmd to param in pending_cmd
  Bluetooth: Allow for NULL data in mgmt_pending_add
  Bluetooth: Add read_local_oob_data management command
  Bluetooth: Add add/remove_remote_oob_data management commands
  Bluetooth: Enable support for out of band association model

 include/net/bluetooth/hci.h      |   24 +++++
 include/net/bluetooth/hci_core.h |   18 ++++
 include/net/bluetooth/mgmt.h     |   18 ++++
 net/bluetooth/hci_core.c         |   67 +++++++++++++++
 net/bluetooth/hci_event.c        |   57 ++++++++++++-
 net/bluetooth/mgmt.c             |  173 ++++++++++++++++++++++++++++++++++++--
 6 files changed, 349 insertions(+), 8 deletions(-)



* [PATCH] Add release all sessions when adapter is switched off
From: Dmitriy Paliy @ 2011-03-22 11:46 UTC (permalink / raw)
  To: linux-bluetooth, johan.hedberg; +Cc: Dmitriy Paliy
In-Reply-To: <1300794418-453-1-git-send-email-dmitriy.paliy@nokia.com>

All sessions should be released when the adapter is switched off. Then a new
RequestSession method call always results in a change from power off to power
on, thus ensuring operational mode. Otherwise, it is possible to end up with the
adapter powered off after RequestSession succeeded.

g_slist_free is not called after g_slist_foreach because the list is updated
using g_slist_remove inside of session_free, which is called for each element
by g_slist_foreach.
---
 src/adapter.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index cc4f43e..b0d1773 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -2507,6 +2507,10 @@ static void set_mode_complete(struct btd_adapter *adapter)
 
 	DBG("");
 
+	if (adapter->mode == MODE_OFF)
+		g_slist_foreach(adapter->mode_sessions, (GFunc) session_free,
+									NULL);
+
 	if (adapter->pending_mode == NULL)
 		return;
 
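Review bot: The call site gives no hint that session_free() is expected to unlink each entry from adapter->mode_sessions while g_slist_foreach() is still walking that list, so a reader of the hunk alone will reach for g_slist_free() and risk a double free. This relies on g_slist_foreach() fetching the next link before invoking the callback, which GLib appears to do but the code does not state. The reasoning from the commit message belongs next to the call: `/* session_free() removes each session from adapter->mode_sessions itself, so the list is empty on return and must not be g_slist_free()d */`. set_mode_complete() begins and ends outside this hunk.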
-- 
1.7.1



* [PATCH 0/1 v2] Add release all sessions when adapter is switched off
From: Dmitriy Paliy @ 2011-03-22 11:46 UTC (permalink / raw)
  To: linux-bluetooth, johan.hedberg

Hi,

This is an updated version of the previous submission, where more detailed comments
are added explaining why g_slist_free is not called after g_slist_foreach,
and the second space is removed.

BR,
Dmitriy



* Re: [PATCH] Add release all sessions when adapter is switched off
From: Johan Hedberg @ 2011-03-22 10:43 UTC (permalink / raw)
  To: Dmitriy Paliy; +Cc: linux-bluetooth
In-Reply-To: <1300721959-5913-1-git-send-email-dmitriy.paliy@nokia.com>

Hi Dmitriy,

On Mon, Mar 21, 2011, Dmitriy Paliy wrote:
> All sessions should be released when adapter is switched off. Then a new
> RequestSession method call always results in change from power off to power
> on such ensuring operational mode. Otherwise, it is possible to end up in
> adapter state being powered off after RequestSession succeded.
> ---
>  src/adapter.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/src/adapter.c b/src/adapter.c
> index cc4f43e..f1c0e2a 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -2507,6 +2507,10 @@ static void set_mode_complete(struct btd_adapter *adapter)
>  
>  	DBG("");
>  
> +	if (adapter->mode == MODE_OFF)
> +		g_slist_foreach(adapter->mode_sessions, (GFunc)  session_free,
> +									NULL);
> +

Don't you have to do g_slist_free() and adapter->mode_sessions = NULL
too? Oh, and you've got two spaces between (GFunc) and session_free :)

Johan


* Re: [PATCH 1/4] Add parsing for ATT Find By Type
From: Johan Hedberg @ 2011-03-22 10:41 UTC (permalink / raw)
  To: Andre Dieb Martins; +Cc: linux-bluetooth
In-Reply-To: <1300709914-2838-1-git-send-email-andre.dieb@signove.com>

Hi André,

On Mon, Mar 21, 2011, Andre Dieb Martins wrote:
> ---
>  parser/att.c |   35 +++++++++++++++++++++++++++++++++++
>  1 files changed, 35 insertions(+), 0 deletions(-)

All four patches have been pushed upstream. Thanks.

Johan


* Re: [PATCH] Fix crash when unregistering a2dp driver before media driver
From: Johan Hedberg @ 2011-03-22 10:36 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <1300709926-32395-1-git-send-email-luiz.dentz@gmail.com>

Hi Luiz,

On Mon, Mar 21, 2011, Luiz Augusto von Dentz wrote:
> Since media driver uses a2dp to register its sep and store a pointer,
> this pointer may be invalid/freed when media driver is unregistered.
> 
> To fix this now a2dp will also release any sep registered using media
> API.
> 
> It also protect from future changes on the order of drivers removal by
> checking if pointers (sep or endpoint) are still available in the list
> before removing them.
> ---
>  audio/a2dp.c  |    7 +++++++
>  audio/media.c |    3 +++
>  2 files changed, 10 insertions(+), 0 deletions(-)

Pushed upstream. Thanks.

Johan


* Re: accessing Link key within the Bluetooth module
From: Suraj Sumangala @ 2011-03-22  4:29 UTC (permalink / raw)
  To: linux-bluetooth@vger.kernel.org
In-Reply-To: <20110321134833.GA8819@jh-x301>

Hi Johan,

On 3/21/2011 7:18 PM, Johan Hedberg wrote:
> Hi Suraj,
>
> That list only gets populated if you've enabled the management interface
> (enable_mgmt=1 module option) and have a matching user space version
> with management interface support.

Thanks,
The link key is required for creating an AMP connection.

Does it make sense to make the AMP module depend on the "enable_mgmt" feature?
Or
add a new link key variable to "struct hci_conn" and update it by
handling the link key related HCI events (Link key request/reply)?
>
> Johan

Regards
Suraj


* [PATCH] rfcomm/core.c avoid dangling pointer, check session
From: David Fries @ 2011-03-22  2:38 UTC (permalink / raw)
  To: linux-bluetooth, linux-kernel

rfcomm_process_sessions is calling rfcomm_process_rx, but
in this case the session is closed and freed leaving a
dangling pointer that blows up when rfcomm_process_rx returns
and rfcomm_process_dlcs is called with the now dangling session
pointer.

I can reproduce this using blueman-manager on the desktop and a Motorola S305 Bluetooth
headset.  Start out with the desktop as the last device the S305 paired
with.
desktop, connect to the S305,
S305, turn on
desktop (connection fails)
desktop (connection automatically comes up now that S305 is on)
desktop disconnect S305
desktop (kernel panic)

While rfcomm_process_sessions looks symmetrical,
rfcomm_session_hold(s);
rfcomm_process_rx
rfcomm_process_dlcs
rfcomm_session_put(s);

rfcomm_process_rx
if (sk->sk_state == BT_CLOSED) {
	if (!s->initiator)
		rfcomm_session_put(s);
	rfcomm_session_close(s, sk->sk_err);

Which isn't symmetrical.

Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
rfcomm_run:
rfcomm_l2sock_create:
rfcomm_session_add: session ddad6a40 sock dcf22200
rfcomm_dlc_clear_state: dd85d640
rfcomm_dlc_alloc: dd85d640
rfcomm_dlc_free: dd85d640
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bluetooth: SCO (Voice Link) ver 0.6
Bluetooth: SCO socket layer initialized
rfcomm_dlc_clear_state: dd85d4c0
rfcomm_dlc_alloc: dd85d4c0
rfcomm_dlc_clear_state: dd85d540
rfcomm_dlc_alloc: dd85d540
rfcomm_dlc_clear_state: dd85d440
rfcomm_dlc_alloc: dd85d440
rfcomm_dlc_clear_state: dd85d3c0
rfcomm_dlc_alloc: dd85d3c0
rfcomm_dlc_clear_state: dd85d140
rfcomm_dlc_alloc: dd85d140
rfcomm_dlc_clear_state: dd85d1c0
rfcomm_dlc_alloc: dd85d1c0
rfcomm_dlc_clear_state: de6fcf60
rfcomm_dlc_alloc: de6fcf60
rfcomm_dlc_free: de6fcf60
rfcomm_dlc_clear_state: c15187a0
rfcomm_dlc_alloc: c15187a0
rfcomm_dlc_free: c15187a0
rfcomm_security_cfm: conn df67fa00 status 0x00 encrypt 0x01
rfcomm_l2data_ready: c3c02000 bytes 0
rfcomm_run 2070
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_accept_connection: session ddad6a40
rfcomm_session_add: session ddad6920 sock df31a4e0
rfcomm_run 2072
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 2 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 2
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next ddad6960
s->dlcs.prev ddad6960
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 4
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 2 qlen 1
rfcomm_recv_sabm: session ddad6920 state 2 dlci 0
rfcomm_send_ua: ddad6920 dlci 0
rfcomm_send_frame: session ddad6920 len 4
rfcomm_process_connect: session ddad6920 state 1
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next ddad6960
s->dlcs.prev ddad6960
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 14
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_mcc: ddad6920 type 0x20 cr 2
rfcomm_recv_pn: session ddad6920 state 1 dlci 26
rfcomm_dlc_clear_state: c15187a0
rfcomm_dlc_alloc: c15187a0
rfcomm_dlc_link: dlc c15187a0 session ddad6920
rfcomm_session_clear_timer: session ddad6920 state 1
rfcomm_apply_pn: dlc c15187a0 state 2 dlci 26 mtu 126 fc 0xf0 credits 0
rfcomm_send_pn: ddad6920 cr 0 dlci 26 mtu 126
rfcomm_send_frame: session ddad6920 len 14
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 4
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_sabm: session ddad6920 state 1 dlci 26
rfcomm_dlc_set_timer: dlc c15187a0 state 2 timeout 25000
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 20
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_security_cfm: conn df67fa00 status 0x00 encrypt 0x01
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 40
rfcomm_dlc_clear_timer: dlc c15187a0 state 2
rfcomm_dlc_set_timer: dlc c15187a0 state 2 timeout 25000
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_accept: dlc c15187a0
rfcomm_send_ua: ddad6920 dlci 26
rfcomm_send_frame: session ddad6920 len 4
rfcomm_dlc_clear_timer: dlc c15187a0 state 6
rfcomm_send_msc: ddad6920 cr 1 v24 0x8c
rfcomm_send_frame: session ddad6920 len 8
rfcomm_l2data_ready: c1690c00 bytes 8
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_mcc: ddad6920 type 0x38 cr 0
rfcomm_recv_msc: dlci 26 cr 0 v24 0x8d
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 8
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_mcc: ddad6920 type 0x38 cr 2
rfcomm_recv_msc: dlci 26 cr 2 v24 0xd
rfcomm_send_msc: ddad6920 cr 0 v24 0xd
rfcomm_send_frame: session ddad6920 len 8
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 7 tx_credits 0
rfcomm_send_credits: ddad6920 addr 105 credits 33
rfcomm_send_frame: session ddad6920 len 5
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 5
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 40 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_security_cfm: conn df67fa00 status 0x00 encrypt 0x00
rfcomm_dlc_set_timer: dlc c15187a0 state 1 timeout 25000
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_security_cfm: conn df67fa00 status 0x00 encrypt 0x01
rfcomm_dlc_clear_timer: dlc c15187a0 state 1
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 40 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 15
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 39 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 14
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 39 tx_credits 15
rfcomm_send_frame: session ddad6920 len 18
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 39 tx_credits 14
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 15
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 38 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 126
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 38 tx_credits 15
rfcomm_send_frame: session ddad6920 len 130
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 38 tx_credits 14
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 38 tx_credits 13
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 14
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 37 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 24
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 37 tx_credits 15
rfcomm_send_frame: session ddad6920 len 28
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 37 tx_credits 14
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 24
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 36 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 36 tx_credits 15
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 15
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 35 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 35 tx_credits 15
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2data_ready: c1690c00 bytes 15
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_data: session ddad6920 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 34 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_send: dlc c15187a0 mtu 126 len 6
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 0
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next c15187a0
s->dlcs.prev c15187a0
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: in loop, p c15187a0 n ddad6960 &s->dlcs ddad6960
rfcomm_process_dlcs: rfcomm_dlc c15187a0 flags 0
rfcomm_process_tx: dlc c15187a0 state 1 cfc 40 rx_credits 34 tx_credits 15
rfcomm_send_frame: session ddad6920 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
input: 00:0D:FD:36:A5:FC as /devices/virtual/input/input5
rfcomm_l2data_ready: c1690c00 bytes 4
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_disc: session ddad6920 state 1 dlci 26
rfcomm_send_ua: ddad6920 dlci 26
rfcomm_send_frame: session ddad6920 len 4
__rfcomm_dlc_close: dlc c15187a0 state 9 dlci 26 err 104 session ddad6920
rfcomm_dlc_clear_timer: dlc c15187a0 state 9
rfcomm_dlc_unlink: dlc c15187a0 refcnt 2 session ddad6920
rfcomm_session_set_timer: session ddad6920 state 1 timeout 2000
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 1
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next ddad6960
s->dlcs.prev ddad6960
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_free: c15187a0
rfcomm_l2data_ready: c1690c00 bytes 4
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 1 qlen 1
rfcomm_recv_disc: session ddad6920 state 1 dlci 0
rfcomm_send_ua: ddad6920 dlci 0
rfcomm_send_frame: session ddad6920 len 4
rfcomm_session_close: session ddad6920 state 9 err 104
rfcomm_session_clear_timer: session ddad6920 state 9
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 9
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next ddad6960
s->dlcs.prev ddad6960
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_l2state_change: c1690c00 state 9
rfcomm_run 2070
rfcomm_process_sessions: ddad6920 sock df31a4e0 flags 0
rfcomm_process_rx: session ddad6920 state 9 qlen 0
rfcomm_session_close: session ddad6920 state 9 err 104
rfcomm_session_clear_timer: session ddad6920 state 9
rfcomm_process_sessions: line 1976
rfcomm_process_dlcs: session ddad6920 state 9
rfcomm_process_dlcs: pre loop, &p c2ba1fb0 &n c2ba1fac &s->dlcs ddad6960
s->dlcs.next ddad6960
s->dlcs.prev ddad6960
s->dlcs.next->next ddad6960
LIST_POISON1 00100100 LIST_POISON2 00200200
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1978
rfcomm_session_del: session ddad6920 state 9
rfcomm_session_clear_timer: session ddad6920 state 9
rfcomm_process_sessions: line 1981
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_dlc_clear_state: c15187a0
rfcomm_dlc_alloc: c15187a0
rfcomm_dlc_free: c15187a0
rfcomm_dlc_clear_state: c15187a0
rfcomm_dlc_alloc: c15187a0
rfcomm_dlc_free: c15187a0
rfcomm_dlc_free: dd85d4c0
rfcomm_dlc_free: dd85d540
rfcomm_dlc_free: dd85d3c0
rfcomm_dlc_free: dd85d440
rfcomm_dlc_free: dd85d140
rfcomm_dlc_free: dd85d1c0
rfcomm_run 2070
rfcomm_process_sessions: ddad6a40 sock dcf22200 flags 0
rfcomm_run 2072
rfcomm_kill_listener:
rfcomm_session_del: session ddad6a40 state 4
rfcomm_session_clear_timer: session ddad6a40 state 4
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
rfcomm_run:
rfcomm_l2sock_create:
rfcomm_session_add: session df7e9740 sock df31ad20
rfcomm_dlc_clear_state: dd85d4c0
rfcomm_dlc_alloc: dd85d4c0
rfcomm_dlc_free: dd85d4c0
rfcomm_dlc_clear_state: dd85d5c0
rfcomm_dlc_alloc: dd85d5c0
rfcomm_dlc_clear_state: dd85d6c0
rfcomm_dlc_alloc: dd85d6c0
rfcomm_dlc_clear_state: dd85d740
rfcomm_dlc_alloc: dd85d740
rfcomm_dlc_clear_state: dd85d640
rfcomm_dlc_alloc: dd85d640
rfcomm_dlc_clear_state: dd85d140
rfcomm_dlc_alloc: dd85d140
rfcomm_dlc_clear_state: c1623f40
rfcomm_dlc_alloc: c1623f40
rfcomm_dlc_clear_state: c1623ec0
rfcomm_dlc_alloc: c1623ec0
rfcomm_dlc_free: c1623ec0
rfcomm_dlc_clear_state: c1623ec0
rfcomm_dlc_alloc: c1623ec0
rfcomm_dlc_free: c1623ec0
rfcomm_dlc_clear_state: c1623ec0
rfcomm_dlc_alloc: c1623ec0
rfcomm_dlc_free: c1623ec0
rfcomm_dlc_clear_state: c1623ec0
rfcomm_dlc_alloc: c1623ec0
rfcomm_dlc_free: c1623ec0
rfcomm_dlc_clear_state: c1623ec0
rfcomm_dlc_alloc: c1623ec0
rfcomm_dlc_free: c1623ec0
rfcomm_security_cfm: conn df71b000 status 0x00 encrypt 0x01
rfcomm_l2data_ready: c3c02000 bytes 0
rfcomm_run 2078
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_accept_connection: session df7e9740
rfcomm_session_add: session c16918a0 sock dccab360
rfcomm_run 2080
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 2 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 2
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c16918e0
s->dlcs.prev c16918e0
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 4
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 2 qlen 1
rfcomm_recv_sabm: session c16918a0 state 2 dlci 0
rfcomm_send_ua: c16918a0 dlci 0
rfcomm_send_frame: session c16918a0 len 4
rfcomm_process_connect: session c16918a0 state 1
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c16918e0
s->dlcs.prev c16918e0
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 14
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_mcc: c16918a0 type 0x20 cr 2
rfcomm_recv_pn: session c16918a0 state 1 dlci 26
rfcomm_dlc_clear_state: c1623e40
rfcomm_dlc_alloc: c1623e40
rfcomm_dlc_link: dlc c1623e40 session c16918a0
rfcomm_session_clear_timer: session c16918a0 state 1
rfcomm_apply_pn: dlc c1623e40 state 2 dlci 26 mtu 126 fc 0xf0 credits 0
rfcomm_send_pn: c16918a0 cr 0 dlci 26 mtu 126
rfcomm_send_frame: session c16918a0 len 14
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 4
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_sabm: session c16918a0 state 1 dlci 26
rfcomm_dlc_set_timer: dlc c1623e40 state 2 timeout 25000
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 20
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_security_cfm: conn df71b000 status 0x00 encrypt 0x01
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 40
rfcomm_dlc_clear_timer: dlc c1623e40 state 2
rfcomm_dlc_set_timer: dlc c1623e40 state 2 timeout 25000
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_accept: dlc c1623e40
rfcomm_send_ua: c16918a0 dlci 26
rfcomm_send_frame: session c16918a0 len 4
rfcomm_dlc_clear_timer: dlc c1623e40 state 6
rfcomm_send_msc: c16918a0 cr 1 v24 0x8c
rfcomm_send_frame: session c16918a0 len 8
rfcomm_l2data_ready: c1622000 bytes 8
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_mcc: c16918a0 type 0x38 cr 0
rfcomm_recv_msc: dlci 26 cr 0 v24 0x8d
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 8
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_mcc: c16918a0 type 0x38 cr 2
rfcomm_recv_msc: dlci 26 cr 2 v24 0xd
rfcomm_send_msc: c16918a0 cr 0 v24 0xd
rfcomm_send_frame: session c16918a0 len 8
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 7 tx_credits 0
rfcomm_send_credits: c16918a0 addr 105 credits 33
rfcomm_send_frame: session c16918a0 len 5
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 5
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 40 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_security_cfm: conn df71b000 status 0x00 encrypt 0x00
rfcomm_dlc_set_timer: dlc c1623e40 state 1 timeout 25000
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_security_cfm: conn df71b000 status 0x00 encrypt 0x01
rfcomm_dlc_clear_timer: dlc c1623e40 state 1
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 40 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 15
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 39 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 14
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 39 tx_credits 15
rfcomm_send_frame: session c16918a0 len 18
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 39 tx_credits 14
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 15
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 38 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 126
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 38 tx_credits 15
rfcomm_send_frame: session c16918a0 len 130
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 38 tx_credits 14
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 38 tx_credits 13
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 14
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 37 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 24
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 37 tx_credits 15
rfcomm_send_frame: session c16918a0 len 28
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 37 tx_credits 14
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 24
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 36 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 36 tx_credits 15
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 15
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 35 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 35 tx_credits 15
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 15
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_data: session c16918a0 state 1 dlci 26 pf 16
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 34 tx_credits 15
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_dlc_send: dlc c1623e40 mtu 126 len 6
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 1
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c1623e40
s->dlcs.prev c1623e40
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: in loop, p c1623e40 n c16918e0 &s->dlcs c16918e0
rfcomm_process_dlcs: rfcomm_dlc c1623e40 flags 0
rfcomm_process_tx: dlc c1623e40 state 1 cfc 40 rx_credits 34 tx_credits 15
rfcomm_send_frame: session c16918a0 len 10
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
input: 00:0D:FD:36:A5:FC as /devices/virtual/input/input6
rfcomm_dlc_clear_state: c16230c0
rfcomm_dlc_alloc: c16230c0
rfcomm_dlc_free: c16230c0
rfcomm_dlc_clear_state: c16230c0
rfcomm_dlc_alloc: c16230c0
rfcomm_dlc_free: c16230c0
__rfcomm_dlc_close: dlc c1623e40 state 1 dlci 26 err 0 session c16918a0
rfcomm_send_disc: c16918a0 dlci 26
rfcomm_send_frame: session c16918a0 len 4
rfcomm_dlc_set_timer: dlc c1623e40 state 8 timeout 20000
rfcomm_l2data_ready: c1622000 bytes 4
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 1 qlen 1
rfcomm_recv_ua: session c16918a0 state 1 dlci 26
__rfcomm_dlc_close: dlc c1623e40 state 9 dlci 26 err 0 session c16918a0
rfcomm_dlc_clear_timer: dlc c1623e40 state 9
rfcomm_dlc_unlink: dlc c1623e40 refcnt 1 session c16918a0
rfcomm_dlc_free: c1623e40
rfcomm_dlc_unlink: list is empty &s->dlcs c16918e0 next c16918e0 prev c16918e0
rfcomm_session_set_timer: session c16918a0 state 1 timeout 2000
rfcomm_send_disc: c16918a0 dlci 0
rfcomm_send_frame: session c16918a0 len 4
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 8
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c16918e0
s->dlcs.prev c16918e0
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2data_ready: c1622000 bytes 4
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 8 qlen 1
rfcomm_recv_ua: session c16918a0 state 8 dlci 0
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 8
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next c16918e0
s->dlcs.prev c16918e0
s->dlcs.next->next c16918e0
rfcomm_process_dlcs: about to return
rfcomm_process_sessions: line 1986
rfcomm_process_sessions: line 1989
rfcomm_process_sessions: df7e9740 sock df31ad20 flags 0
rfcomm_run 2080
rfcomm_l2state_change: c1622000 state 9
rfcomm_run 2078
rfcomm_process_sessions: c16918a0 sock dccab360 flags 0
rfcomm_process_rx: session c16918a0 state 8 qlen 0
rfcomm_session_close: session c16918a0 state 8 err 103
rfcomm_session_clear_timer: session c16918a0 state 9
rfcomm_session_del: session c16918a0 state 9
rfcomm_session_clear_timer: session c16918a0 state 9
rfcomm_process_sessions: line 1984
rfcomm_process_dlcs: session c16918a0 state 758263603
rfcomm_process_dlcs: pre loop, &p c1405fb0 &n c1405fac &s->dlcs c16918e0
s->dlcs.next 6963682f
s->dlcs.prev 39333a30
BUG: unable to handle kernel paging request at 6963682f
IP: [<e085b325>] rfcomm_run+0x967/0xd17 [rfcomm]
*pde = 00000000
Oops: 0000 [#1] PREEMPT
last sysfs file: /sys/devices/virtual/input/input6/name
Modules linked in: rfcomm sco bnep nfsd exportfs xt_state ipt_REJECT iptable_filter ip_tables xt_tcpudp xt_multiport x_tables nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 it87 hwmon_vid hwmon tvaudio nfs lockd fscache auth_rpcgss sunrpc udf crc_itu_t isofs uinput hidp l2cap snd_intel8x0m snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss btusb snd_mixer_oss bluetooth snd_pcm snd_seq_dummy snd_seq_oss usblp usbhid snd_seq_midi tuner tea5767 tda8290 tda18271 tda827x tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 snd_rawmidi msp3400 bttv snd_seq_midi_event snd_seq ohci_hcd snd_timer v4l2_common usbcore videodev snd_seq_device videobuf_dma_sg parport_pc snd videobuf_core ir_lirc_codec lirc_dev btcx_risc rc_core evdev floppy sis900 soundcore parport button tveeprom snd_page_alloc i2c_sis96x nls_base [last unloaded: rfcomm]

Pid: 3277, comm: krfcommd Not tainted 2.6.38+ #47 SYNTAX                           S635MP                          /S635MP
EIP: 0060:[<e085b325>] EFLAGS: 00010292 CPU: 0
EIP is at rfcomm_run+0x967/0xd17 [rfcomm]
EAX: 6963682f EBX: c16918a0 ECX: c1405f5c EDX: e085ec90
ESI: 00000000 EDI: c16918a0 EBP: c16918e0 ESP: c1405f58
 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
Process krfcommd (pid: 3277, ti=c1404000 task=ddbf0f00 task.ti=c1404000)
Stack:
 e085ec90 39333a30 e085ec7d 6963682f 0000001a 00000063 c1623e00 c16918d0
 c16918e0 c1622000 df7e9740 ddbf0f00 c16918cc c162203c ddbf0f00 ff694233
 00222101 00000000 00000000 00000282 00000000 c16918e0 c16918e0 c1403f58
Call Trace:
 [<e085a9be>] ? rfcomm_run+0x0/0xd17 [rfcomm]
 [<c102b90c>] ? kthread+0x62/0x67
 [<c102b8aa>] ? kthread+0x0/0x67
 [<c1002bd6>] ? kernel_thread_helper+0x6/0x10
Code: e0 68 53 ec 85 e0 e8 e1 be 9d e0 83 c4 30 ff 73 40 68 7d ec 85 e0 e8 d1 be 9d e0 ff 73 44 68 90 ec 85 e0 e8 c4 be 9d e0 8b 43 40 <ff> 30 68 a3 ec 85 e0 e8 b5 be 9d e0 8b 43 40 89 44 24 60 8b 00
EIP: [<e085b325>] rfcomm_run+0x967/0xd17 [rfcomm] SS:ESP 0068:c1405f58
CR2: 000000006963682f
---[ end trace e78c5dd54fa11e2c ]---
rfcomm_dlc_clear_state: c1623e40
rfcomm_dlc_alloc: c1623e40
rfcomm_dlc_free: c1623e40
rfcomm_dlc_clear_state: c1623640
rfcomm_dlc_alloc: c1623640
rfcomm_dlc_free: c1623640
rfcomm_dlc_free: dd85d5c0
rfcomm_dlc_free: dd85d6c0
rfcomm_dlc_free: dd85d640
rfcomm_dlc_free: dd85d740
rfcomm_dlc_free: dd85d140
rfcomm_dlc_free: c1623f40

Signed-off-by: David Fries <David@Fries.net>
---
 net/bluetooth/rfcomm/core.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 6b83776..e48e150 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -124,10 +124,13 @@ static inline void rfcomm_schedule(void)
 	wake_up_process(rfcomm_thread);
 }
 
-static inline void rfcomm_session_put(struct rfcomm_session *s)
+static inline int rfcomm_session_put(struct rfcomm_session *s)
 {
-	if (atomic_dec_and_test(&s->refcnt))
+	if (atomic_dec_and_test(&s->refcnt)) {
 		rfcomm_session_del(s);
+		return 1;
+	}
+	return 0;
 }
 
 /* ---- RFCOMM FCS computation ---- */
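Review bot: The new int return of rfcomm_session_put is really a "the session was just freed, do not touch s again" signal, but nothing in the hunk says so, and a caller that discards a 1 keeps a dangling pointer. I would put that contract above the function: `/* Returns 1 if this dropped the last reference and the session was freed (s is invalid afterwards), 0 otherwise. */`. The same convention propagates through rfcomm_session_close and rfcomm_process_rx in the later hunks, whose new return values deserve the same one-line comment.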
@@ -661,7 +664,7 @@ static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 	return NULL;
 }
 
-static void rfcomm_session_close(struct rfcomm_session *s, int err)
+static int rfcomm_session_close(struct rfcomm_session *s, int err)
 {
 	struct rfcomm_dlc *d;
 	struct list_head *p, *n;
@@ -680,7 +683,7 @@ static void rfcomm_session_close(struct rfcomm_session *s, int err)
 	}
 
 	rfcomm_session_clear_timer(s);
-	rfcomm_session_put(s);
+	return rfcomm_session_put(s);
 }
 
 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
@@ -1842,7 +1845,7 @@ static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
 	}
 }
 
-static inline void rfcomm_process_rx(struct rfcomm_session *s)
+static inline int rfcomm_process_rx(struct rfcomm_session *s)
 {
 	struct socket *sock = s->sock;
 	struct sock *sk = sock->sk;
@@ -1860,8 +1863,9 @@ static inline void rfcomm_process_rx(struct rfcomm_session *s)
 		if (!s->initiator)
 			rfcomm_session_put(s);
 
-		rfcomm_session_close(s, sk->sk_err);
+		return rfcomm_session_close(s, sk->sk_err);
 	}
+	return 0;
 }
 
 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
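Review bot: The non-initiator reference is dropped at `rfcomm_session_put(s)` before `rfcomm_session_close(s, sk->sk_err)` runs, and that put's new return value is discarded. If that drop can be the last reference (not visible from here), `s` is already freed when rfcomm_session_close dereferences it, the same class of use-after-free the patch fixes for rfcomm_process_dlcs. With the return value now available the check is one line: `if (!s->initiator && rfcomm_session_put(s)) return 1;`. The start of rfcomm_process_rx and the condition guarding this error path are outside the hunk.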
@@ -1951,7 +1955,8 @@ static inline void rfcomm_process_sessions(void)
 			break;
 
 		default:
-			rfcomm_process_rx(s);
+			if (rfcomm_process_rx(s))
+				continue;
 			break;
 		}
 
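Review bot: The `continue` taken when rfcomm_process_rx returns 1 skips whatever follows the switch for this session, which is outside the hunk and presumably the per-session work that would otherwise touch the now-freed `s`; that is the intent, but it also depends on the enclosing loop being a safe list walk, since `s` was unlinked during the call. A comment on the branch, `/* session freed by rfcomm_process_rx, s must not be used */`, records why this case differs from the `break` path. rfcomm_process_sessions begins outside the hunk.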
-- 
1.7.2.3


On Fri, Mar 04, 2011 at 11:12:57PM -0300, Gustavo F. Padovan wrote:
> Hi David,
> 
> * David Fries <david@fries.net> [2011-03-02 00:19:10 -0600]:
> 
> > On Mon, Feb 28, 2011 at 02:30:22PM -0300, Gustavo F. Padovan wrote:
> > > Hi David,
> > > 
> > > * David Fries <david@fries.net> [2011-02-27 23:03:40 -0600]:
> > > 
> > > > On Sun, Feb 27, 2011 at 04:15:45PM -0300, Gustavo F. Padovan wrote:
> > > > > I pushed the following patch to bluetooth-2.6 tree. It should fix the problem
> > > > > by avoiding connections to be accepted before a L2CAP info response comes:
> > > > 
> > > > Is
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-2.6.git
> > > > the bluetooth-2.6 tree you mentioned?  I don't see your patch there.
> > > > As a side note, the inline patch in your e-mail has the tabs replaced by
> > > > spaces, once I changed them, it applied cleanly.
> > > > 
> > > > I first reverted to the base N900 kernel-power-2.6.28 46 (none of my
> > > > changes or debugging), it crashed as expected.  I then applied your
> > > > patch 743400e0, and it still crashed.  I added back the
> > > > l2cap_conn_start parent check and some debugging in af_bluetooth.c
> > > > dmesg debug output and patches follow.
> > > 
> > > I want to see a test with this patch and a recent kernel. We added many fixes
> > > to stack in the last two years. Can you test this scenario?
> > 
> > I'm sorry, but apparently not, at least this post says 2.6.37 isn't
> > going to happen for the N900 and Maemo.
> > http://forums.internettablettalk.com/showthread.php?t=70082
> > 
> > I tried 2.6.37-n900 from
> > git://gitorious.org/nokia-n900-kernel/nokia-n900-kernel.git anyway,
> > but the display visibly degrades like it isn't being updated and
> > doesn't apparently get any further.  I don't have anyway to debug it
> > further.
> 
> I think you can test this in a desktop machine.
> 
> -- 
> Gustavo F. Padovan
> http://profusion.mobi
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
David Fries <david@fries.net>    PGP pub CB1EE8F0
http://fries.net/~david/


* Re: [PATCH] work around for l2cap NULL dereference in l2cap_conn_start
From: David Fries @ 2011-03-22  2:30 UTC (permalink / raw)
  To: Liang Bao, Andrei Warkentin, linux-bluetooth, linux-kernel,
	Feng Tang
In-Reply-To: <20110305021257.GD9005@joana>

On Fri, Mar 04, 2011 at 11:12:57PM -0300, Gustavo F. Padovan wrote:
> Hi David,
> 
> * David Fries <david@fries.net> [2011-03-02 00:19:10 -0600]:
> 
> > On Mon, Feb 28, 2011 at 02:30:22PM -0300, Gustavo F. Padovan wrote:
> > > Hi David,
> > > 
> > > * David Fries <david@fries.net> [2011-02-27 23:03:40 -0600]:
> > > 
> > > > On Sun, Feb 27, 2011 at 04:15:45PM -0300, Gustavo F. Padovan wrote:
> > > > > I pushed the following patch to bluetooth-2.6 tree. It should fix the problem
> > > > > by avoiding connections to be accepted before a L2CAP info response comes:
> > > > 
> > > > Is
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-2.6.git
> > > > the bluetooth-2.6 tree you mentioned?  I don't see your patch there.
> > > > As a side note, the inline patch in your e-mail has the tabs replaced by
> > > > spaces, once I changed them, it applied cleanly.
> > > > 
> > > > I first reverted to the base N900 kernel-power-2.6.28 46 (none of my
> > > > changes or debugging), it crashed as expected.  I then applied your
> > > > patch 743400e0, and it still crashed.  I added back the
> > > > l2cap_conn_start parent check and some debugging in af_bluetooth.c
> > > > dmesg debug output and patches follow.
> > > 
> > > I want to see a test with this patch and a recent kernel. We added many fixes
> > > to stack in the last two years. Can you test this scenario?
> > 
> > I'm sorry, but apparently not, at least this post says 2.6.37 isn't
> > going to happen for the N900 and Maemo.
> > http://forums.internettablettalk.com/showthread.php?t=70082
> > 
> > I tried 2.6.37-n900 from
> > git://gitorious.org/nokia-n900-kernel/nokia-n900-kernel.git anyway,
> > but the display visibly degrades like it isn't being updated and
> > doesn't apparently get any further.  I don't have anyway to debug it
> > further.
> 
> I think you can test this in a desktop machine.

I've not been able to reproduce the bug on my desktop, and not for a
lack of trying.
2.6.28: l2cap_conn_start doesn't dereference parent (so it wouldn't
crash there anyway); the N900 must have some backported patches.
2.6.30 first kernel with that code
2.6.30, 2.6.37+, 2.6.38-rc7+, with a debug patch to print
the sk and parent in l2cap_conn_start, only executes the BT_CONNECT2
path in l2cap_conn_start maybe only one in five or less times and I
have yet to see it (on the desktop) have a NULL parent.
This is with the following USB Bluetooth dongle,
Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)

Looks like I'm not going to be any more help verifying it is or isn't
fixed with a newer bluetooth stack.  Here's a post from Liang Bao.

On Tue, Mar 15, 2011 at 10:42:07PM +0800, Liang Bao wrote:
> Hi,
>
> Sorry for get back so late. I am really crazy busy with my project. I tested
> with 2.6.35-27 kernel + ubuntu 10.10 just now and seems the issue is really
> gone. Hcidump attached for your reference. It's more than one year so it
> might need some more time to figure out the difference of logs but as said,
> I am really hard to find out that time. Wondering if you would like to
> compare this with the one I attached into the mailing list a year ago.

-- 
David Fries <david@fries.net>
http://fries.net/~david/ (PGP encryption key available)


* Re: SMP data within struct l2cap_conn  -vs-  single threading SMP
From: Brian Gix @ 2011-03-21 23:09 UTC (permalink / raw)
  To: Vinicius Costa Gomes; +Cc: Claudio Takahasi, BlueZ development
In-Reply-To: <20110321222829.GA2910@piper>

Hi Vinicius,

On 3/21/2011 3:28 PM, Vinicius Costa Gomes wrote:
> Hi Brian,
>
> Sorry for the delay,
>
> On 15:09 Thu 17 Mar, Brian Gix wrote:
>>
>> Hi Vinicius,
>>
>> As you probably know, I am working on adding mgmt.c plumbing into
>> SMP, to enable user level input (Confirmation, passkeys, perhaps
>> OOB).
>>
>
> I didn't know. Cool.
>
>> One issue I am running into is matching up the return of user
>> confirmation with the (struct l2cap_conn *).  There is nothing
>> within the user confirmation aside from the bdaddr that identifies
>> who it is intended for, and there is no one-to-one relationship
>> between bdaddrs and L2CAP channels.
>>
>
> Yeah, I can see why this is a problem.
>
>> What would you think about enforcing a "one at a time" SMP process?
>>
>
> Short answer: seems easier to get right, but a little ugly. Long answer
> below, opinions welcome.
>
>> The SMP pairing data within the l2cap_conn structure is certainly a
>> handy place for it, however it is bulky for the times (most of the
>> time) where SMP is *not* taking place, and as in the obvious case I
>> mention above, there is not a handy way to track the L2CAP
>> connection back to the user input.
>
> I agree that this information needs to be grouped and moved somewhere
> else. Something similar to l2cap_pinfo? smp_pinfo perhaps?

Maybe.  I will look at that mechanism. Is this a way to attach a block 
of data to a socket?

>
>>
>> I would like to suggest that all of the SMP data be pulled out of
>> the l2cap_conn structure, and put into a private structure within
>> smp.c. It can be malloc'd when the pairing process starts, free'd
>> when it completes, and any traffic (from either the User or the
>> Baseband) that takes place when another device is in the midst of
>> pairing gets rejected.
>
> This sounds very tempting, but I don't think that imposing this
> restriction from kernel side is the right aproach, the only hard
> limitation that I can imagine is user interaction. And if we use
> Just Works even that limitation is droped.

The JUST_WORKS case becomes a race condition.  In my experience, because 
there is no user interaction (aside from the initial action the caused 
the request), this all happens in well under a second. The 
"inconvenience factor" is therefore mitigated by it being very short.

Also, for the foreseeable future, the RF links do not have the ability 
to be connected to more than one LE peer at a time, making concurrent LE 
SMP sessions a technical impossibility at this point regardless (except 
in the case of multiple adapters).

>
> One question: what were your plans for dealing with multiple adapters?

I didn't have any. I still sort of think that concurrent pairing is 
unlikely to ever be a critical use case. Even though user input is a 
user space responsibility and not kernel, I think accounting for the 
fact that the User can only respond to a single pairing request at a 
time should not be ignored if it can make the code simpler.

>
> Btw, it would be great if we could maintain a similar behaviour to
> Basic Rate.

There will necessarily need to be some minor changes due to the fact 
that passkey handling is different between BR and LE. In BR, if both 
devices have Displays and Y/N capabilities, the same passkey is 
presented to both, and other than visual comparison, nobody has to 
actually enter the digits.  In LE, for MITM protection without oob, one 
of the two devices MUST be able to enter a 6 digit number.

I think both BR interfaces will be maintained as is, and I am adding a 
"one off" of the standard JUST WORKS, plus a couple explicit requests:

1. If Local Device has Input capabilities, it will be asked to 
Accept/Reject any *BONDING* requests, even if the pairing method is 
JUST_WORKS. This isn't really necessary if not bonding. This aligns with 
standard BR functionality, which requests confirmation even without MITM 
authentication.

2. I am writing a new MGMT function which explicitly requests a 
passkey. The existing one for BR always supplies the baseband generated 
passkey (which doesn't exist in LE), and passes that to user space, 
which can be used either to visually compare, or to request user entry 
of matching value.

3. I am adding a placeholder for OOB input which I intend to leave as an 
unused shell for now, until I see a little more about how it is done for 
BR. I see patches being submitted by Szymon Janc for BR OOB, so I don't 
imagine we'll be waiting for too long for that.


>
>>
>> This structure local to smp.c would store both the bdaddr (to match
>> up with user input) and the l2cap_conn * to match up with BB
>> traffic, and provide the outbound path for the user confirmation
>> which would otherwise be difficult to track down.
>
> It would be a little harder but we could do something similar to l2cap
> when it's needed to find a socket associated with a connection.
>
>>
>> Your Thoughts?
>>
>> --
>> Brian Gix
>> bgix@codeaurora.org
>> Employee of Qualcomm Innovation Center, Inc.
>> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum
>
>
> Cheers,


-- 
Brian Gix
bgix@codeaurora.org
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum


* Re: SMP data within struct l2cap_conn  -vs-  single threading SMP
From: Vinicius Costa Gomes @ 2011-03-21 22:28 UTC (permalink / raw)
  To: Brian Gix; +Cc: Claudio Takahasi, BlueZ development
In-Reply-To: <4D8286A4.4000706@codeaurora.org>

Hi Brian,

Sorry for the delay,

On 15:09 Thu 17 Mar, Brian Gix wrote:
> 
> Hi Vinicius,
> 
> As you probably know, I am working on adding mgmt.c plumbing into
> SMP, to enable user level input (Confirmation, passkeys, perhaps
> OOB).
>

I didn't know. Cool.

> One issue I am running into is matching up the return of user
> confirmation with the (struct l2cap_conn *).  There is nothing
> within the user confirmation aside from the bdaddr that identifies
> who it is intended for, and there is no one-to-one relationship
> between bdaddrs and L2CAP channels.
> 

Yeah, I can see why this is a problem.

> What would you think about enforcing a "one at a time" SMP process?
> 

Short answer: seems easier to get right, but a little ugly. Long answer
below, opinions welcome.

> The SMP pairing data within the l2cap_conn structure is certainly a
> handy place for it, however it is bulky for the times (most of the
> time) where SMP is *not* taking place, and as in the obvious case I
> mention above, there is not a handy way to track the L2CAP
> connection back to the user input.

I agree that this information needs to be grouped and moved somewhere
else. Something similar to l2cap_pinfo? smp_pinfo perhaps?

> 
> I would like to suggest that all of the SMP data be pulled out of
> the l2cap_conn structure, and put into a private structure within
> smp.c. It can be malloc'd when the pairing process starts, free'd
> when it completes, and any traffic (from either the User or the
> Baseband) that takes place when another device is in the midst of
> pairing gets rejected.

This sounds very tempting, but I don't think that imposing this
restriction from the kernel side is the right approach; the only hard
limitation that I can imagine is user interaction, and if we use
Just Works even that limitation is dropped.

One question: what were your plans for dealing with multiple adapters?

Btw, it would be great if we could maintain a similar behaviour to
Basic Rate.

> 
> This structure local to smp.c would store both the bdaddr (to match
> up with user input) and the l2cap_conn * to match up with BB
> traffic, and provide the outbound path for the user confirmation
> which would otherwise be difficult to track down.

It would be a little harder but we could do something similar to l2cap
when it's needed to find a socket associated with a connection.

> 
> Your Thoughts?
> 
> -- 
> Brian Gix
> bgix@codeaurora.org
> Employee of Qualcomm Innovation Center, Inc.
> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum


Cheers,
-- 
Vinicius



* Re: [PATCH v4 4/5] Bluetooth: Add add/remove_remote_oob_data management commands
From: Anderson Lizardo @ 2011-03-21 19:24 UTC (permalink / raw)
  To: Szymon Janc; +Cc: linux-bluetooth, par-gunnar.p.hjalmdahl, henrik.possung
In-Reply-To: <1300722233-11598-5-git-send-email-szymon.janc@tieto.com>

Hi Szymon,

Minor coding style issue follows.

On Mon, Mar 21, 2011 at 11:43 AM, Szymon Janc <szymon.janc@tieto.com> wrote:
> +static int remove_remote_oob_data(struct sock *sk, u16 index,
> +                                               unsigned char *data, u16 len)
> +{
> +       struct hci_dev *hdev;
> +       struct mgmt_cp_remove_remote_oob_data *cp = (void *)data;

Missing space between "(void *)" and "data".

Regards,
-- 
Anderson Lizardo
Instituto Nokia de Tecnologia - INdT
Manaus - Brazil


* Re: [PATCH v4 3/5] Bluetooth: Add read_local_oob_data management command
From: Anderson Lizardo @ 2011-03-21 19:17 UTC (permalink / raw)
  To: Szymon Janc; +Cc: linux-bluetooth, par-gunnar.p.hjalmdahl, henrik.possung
In-Reply-To: <1300722233-11598-4-git-send-email-szymon.janc@tieto.com>

Hi Szymon,

Just a few minor tips:

On Mon, Mar 21, 2011 at 11:43 AM, Szymon Janc <szymon.janc@tieto.com> wrote:
> +       cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
> +
> +       if (!cmd) {
> +               err = -ENOMEM;
> +               goto unlock;
> +       }

No empty line before the if() above.

> +
> +       err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
> +
> +       if (err < 0)
> +               mgmt_pending_remove(cmd);

Same above.

> +       } else {
> +               struct mgmt_rp_read_local_oob_data rp;
> +
> +               memcpy(rp.hash, hash, 16);
> +               memcpy(rp.randomizer, randomizer, 16);

What about using "sizeof(rp.hash)" and "sizeof(rp.randomizer)" ?

> +
> +               err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
> +                                                       &rp, sizeof(rp));
> +       }
> +
> +       mgmt_pending_remove(cmd);
> +
> +       return err;
> +}
> --
> 1.7.0.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Regards,
-- 
Anderson Lizardo
Instituto Nokia de Tecnologia - INdT
Manaus - Brazil


* [PATCH v4 5/5] Bluetooth: Enable support for out of band association model
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300722233-11598-1-git-send-email-szymon.janc@tieto.com>

If the remote side reports OOB availability, or we are the pairing
initiator, use OOB data for pairing when it is available.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/hci_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 47eabaa..f7b3fe7 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2373,9 +2373,14 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
 
 		bacpy(&cp.bdaddr, &ev->bdaddr);
 		cp.capability = conn->io_capability;
-		cp.oob_data = 0;
 		cp.authentication = hci_get_auth_req(conn);
 
+		if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
+				hci_find_remote_oob_data(hdev, &conn->dst))
+			cp.oob_data = 0x01;
+		else
+			cp.oob_data = 0x00;
+
 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
 							sizeof(cp), &cp);
 	} else {
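Review bot: `conn->out == 0x01 || conn->remote_oob == 0x01` ties the test to one encoding of two flag-like fields, and the reason the initiator side does not consult `remote_oob` is left unstated. `if ((conn->out || conn->remote_oob) && hci_find_remote_oob_data(hdev, &conn->dst))` reads as the boolean it is, and a short comment above it should say that when we are the initiator the remote's IO capability, and so its OOB flag, has not been received yet (presumably why `conn->out` stands in; confirm). hci_find_remote_oob_data walks hdev's list with no lock of its own, so this relies on hci_io_capa_request_evt holding hci_dev_lock; the function starts outside the hunk.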
-- 
1.7.0.4



* [PATCH v4 4/5] Bluetooth: Add add/remove_remote_oob_data management commands
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300722233-11598-1-git-send-email-szymon.janc@tieto.com>

This patch adds commands to add and remove remote OOB data to the management
interface. Remote data is stored in kernel and can be used by corresponding
HCI commands and events when needed.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 include/net/bluetooth/hci.h      |   17 +++++++++
 include/net/bluetooth/hci_core.h |   16 ++++++++
 include/net/bluetooth/mgmt.h     |   12 ++++++
 net/bluetooth/hci_core.c         |   67 ++++++++++++++++++++++++++++++++++
 net/bluetooth/hci_event.c        |   35 ++++++++++++++++++
 net/bluetooth/mgmt.c             |   75 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 222 insertions(+), 0 deletions(-)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 0ac0804..4848f83 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -428,6 +428,18 @@ struct hci_rp_user_confirm_reply {
 
 #define HCI_OP_USER_CONFIRM_NEG_REPLY	0x042d
 
+#define HCI_OP_REMOTE_OOB_DATA_REPLY	0x0430
+struct hci_cp_remote_oob_data_reply {
+	bdaddr_t bdaddr;
+	__u8     hash[16];
+	__u8     randomizer[16];
+} __packed;
+
+#define HCI_OP_REMOTE_OOB_DATA_NEG_REPLY	0x0433
+struct hci_cp_remote_oob_data_neg_reply {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define HCI_OP_IO_CAPABILITY_NEG_REPLY	0x0434
 struct hci_cp_io_capability_neg_reply {
 	bdaddr_t bdaddr;
@@ -964,6 +976,11 @@ struct hci_ev_user_confirm_req {
 	__le32		passkey;
 } __packed;
 
+#define HCI_EV_REMOTE_OOB_DATA_REQUEST	0x35
+struct hci_ev_remote_oob_data_request {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define HCI_EV_SIMPLE_PAIR_COMPLETE	0x36
 struct hci_ev_simple_pair_complete {
 	__u8     status;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index fd9b8a3..87bff51 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -82,6 +82,13 @@ struct link_key {
 	u8 pin_len;
 };
 
+struct oob_data {
+	struct list_head list;
+	bdaddr_t bdaddr;
+	u8 hash[16];
+	u8 randomizer[16];
+};
+
 #define NUM_REASSEMBLY 4
 struct hci_dev {
 	struct list_head list;
@@ -169,6 +176,8 @@ struct hci_dev {
 
 	struct list_head	link_keys;
 
+	struct list_head	remote_oob_data;
+
 	struct hci_dev_stats	stat;
 
 	struct sk_buff_head	driver_init;
@@ -505,6 +514,13 @@ int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
 						u8 *key, u8 type, u8 pin_len);
 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
 
+int hci_remote_oob_data_clear(struct hci_dev *hdev);
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+							bdaddr_t *bdaddr);
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+								u8 *randomizer);
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr);
+
 void hci_del_off_timer(struct hci_dev *hdev);
 
 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb);
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 6ebb126..1a6283f 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -183,6 +183,18 @@ struct mgmt_rp_read_local_oob_data {
 	__u8 randomizer[16];
 } __packed;
 
+#define MGMT_OP_ADD_REMOTE_OOB_DATA	0x0019
+struct mgmt_cp_add_remote_oob_data {
+	bdaddr_t bdaddr;
+	__u8 hash[16];
+	__u8 randomizer[16];
+} __packed;
+
+#define MGMT_OP_REMOVE_REMOTE_OOB_DATA	0x001A
+struct mgmt_cp_remove_remote_oob_data {
+	bdaddr_t bdaddr;
+} __packed;
+
 #define MGMT_EV_CMD_COMPLETE		0x0001
 struct mgmt_ev_cmd_complete {
 	__le16 opcode;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1f11fe3..1fa9ce5 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1080,6 +1080,70 @@ static void hci_cmd_timer(unsigned long arg)
 	tasklet_schedule(&hdev->cmd_task);
 }
 
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+							bdaddr_t *bdaddr)
+{
+	struct oob_data *data;
+
+	list_for_each_entry(data, &hdev->remote_oob_data, list)
+		if (bacmp(bdaddr, &data->bdaddr) == 0)
+			return data;
+
+	return NULL;
+}
+
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+	struct oob_data *data;
+
+	data = hci_find_remote_oob_data(hdev, bdaddr);
+	if (!data)
+		return -ENOENT;
+
+	BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+
+	list_del(&data->list);
+	kfree(data);
+
+	return 0;
+}
+
+int hci_remote_oob_data_clear(struct hci_dev *hdev)
+{
+	struct oob_data *data, *n;
+
+	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
+		list_del(&data->list);
+		kfree(data);
+	}
+
+	return 0;
+}
+
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+								u8 *randomizer)
+{
+	struct oob_data *data;
+
+	data = hci_find_remote_oob_data(hdev, bdaddr);
+
+	if (!data) {
+		data = kmalloc(sizeof(*data), GFP_ATOMIC);
+		if (!data)
+			return -ENOMEM;
+
+		bacpy(&data->bdaddr, bdaddr);
+		list_add(&data->list, &hdev->remote_oob_data);
+	}
+
+	memcpy(data->hash, hash, 16);
+	memcpy(data->randomizer, randomizer, 16);
+
+	BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
+
+	return 0;
+}
+
 /* Register HCI device */
 int hci_register_dev(struct hci_dev *hdev)
 {
@@ -1144,6 +1208,8 @@ int hci_register_dev(struct hci_dev *hdev)
 
 	INIT_LIST_HEAD(&hdev->link_keys);
 
+	INIT_LIST_HEAD(&hdev->remote_oob_data);
+
 	INIT_WORK(&hdev->power_on, hci_power_on);
 	INIT_WORK(&hdev->power_off, hci_power_off);
 	setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1223,6 +1289,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
 	hci_blacklist_clear(hdev);
 	hci_uuids_clear(hdev);
 	hci_link_keys_clear(hdev);
+	hci_remote_oob_data_clear(hdev);
 	hci_dev_unlock_bh(hdev);
 
 	__hci_dev_put(hdev);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 0223b38..47eabaa 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2473,6 +2473,37 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
 	hci_dev_unlock(hdev);
 }
 
+static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
+							struct sk_buff *skb)
+{
+	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
+	struct oob_data *data;
+
+	BT_DBG("%s", hdev->name);
+
+	hci_dev_lock(hdev);
+
+	data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
+	if (data) {
+		struct hci_cp_remote_oob_data_reply cp;
+
+		bacpy(&cp.bdaddr, &ev->bdaddr);
+		memcpy(cp.hash, data->hash, 16);
+		memcpy(cp.randomizer, data->randomizer, 16);
+
+		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
+									&cp);
+	} else {
+		struct hci_cp_remote_oob_data_neg_reply cp;
+
+		bacpy(&cp.bdaddr, &ev->bdaddr);
+		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
+									&cp);
+	}
+
+	hci_dev_unlock(hdev);
+}
+
 static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
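Review bot: hci_remote_oob_data_request_evt casts skb->data to `struct hci_ev_remote_oob_data_request` without checking skb->len, so a short event from the controller is parsed past the end of the received data; hci_cc_read_local_oob_data_reply in patch 3/5 does the same with `struct hci_rp_read_local_oob_data`. This appears to match how the neighbouring handlers are written, so it may be a file-wide convention rather than something this series introduces, but new handlers are a cheap place to start: `if (skb->len < sizeof(*ev)) return;` before the lookup. Data arriving from the controller is external input and should be bounds-checked like any other.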
@@ -2675,6 +2706,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 		hci_le_meta_evt(hdev, skb);
 		break;
 
+	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
+		hci_remote_oob_data_request_evt(hdev, skb);
+		break;
+
 	default:
 		BT_DBG("%s event 0x%x", hdev->name, event);
 		break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index a72cbf6..46c96b3 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1349,6 +1349,74 @@ unlock:
 	return err;
 }
 
+static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
+									u16 len)
+{
+	struct hci_dev *hdev;
+	struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
+	int err;
+
+	BT_DBG("hci%u ", index);
+
+	if (len != sizeof(*cp))
+		return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+									EINVAL);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
+								cp->randomizer);
+	if (err < 0)
+		err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
+	else
+		err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
+									0);
+
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
+static int remove_remote_oob_data(struct sock *sk, u16 index,
+						unsigned char *data, u16 len)
+{
+	struct hci_dev *hdev;
+	struct mgmt_cp_remove_remote_oob_data *cp = (void *)data;
+	int err;
+
+	BT_DBG("hci%u ", index);
+
+	if (len != sizeof(*cp))
+		return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									EINVAL);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
+	if (err < 0)
+		err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+									-err);
+	else
+		err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+								NULL, 0);
+
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 {
 	unsigned char *buf;
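Review bot: The `BT_DBG("hci%u ", index)` in both add_remote_oob_data and remove_remote_oob_data has a trailing space in the format string; read_local_oob_data in patch 3/5 uses `BT_DBG("hci%u", index)`, which is the form to follow. Beyond that the two handlers differ only in opcode and the hci_* call they make, so the len and hci_dev_get checks could be shared, though that is a matter of taste in this file.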
@@ -1450,6 +1518,13 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 	case MGMT_OP_READ_LOCAL_OOB_DATA:
 		err = read_local_oob_data(sk, index);
 		break;
+	case MGMT_OP_ADD_REMOTE_OOB_DATA:
+		err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
+		break;
+	case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
+		err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
+									len);
+		break;
 
 	default:
 		BT_DBG("Unknown op %u", opcode);
-- 
1.7.0.4



* [PATCH v4 3/5] Bluetooth: Add read_local_oob_data management command
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300722233-11598-1-git-send-email-szymon.janc@tieto.com>

This patch adds a command to read local OOB data to the management interface.
The command maps directly to the Read Local OOB Data HCI command.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 include/net/bluetooth/hci.h      |    7 +++
 include/net/bluetooth/hci_core.h |    2 +
 include/net/bluetooth/mgmt.h     |    6 +++
 net/bluetooth/hci_event.c        |   15 +++++++
 net/bluetooth/mgmt.c             |   85 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 115 insertions(+), 0 deletions(-)

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 00fdcb7..0ac0804 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -615,6 +615,13 @@ struct hci_cp_write_ssp_mode {
 	__u8     mode;
 } __packed;
 
+#define HCI_OP_READ_LOCAL_OOB_DATA		0x0c57
+struct hci_rp_read_local_oob_data {
+	__u8     status;
+	__u8     hash[16];
+	__u8     randomizer[16];
+} __packed;
+
 #define HCI_OP_READ_INQ_RSP_TX_POWER	0x0c58
 
 #define HCI_OP_READ_LOCAL_VERSION	0x1001
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 3912c7a..fd9b8a3 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -768,6 +768,8 @@ int mgmt_user_confirm_neg_reply_complete(u16 index, bdaddr_t *bdaddr,
 								u8 status);
 int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status);
 int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status);
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+								u8 status);
 
 /* HCI info for socket */
 #define hci_pi(sk) ((struct hci_pinfo *) sk)
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 89e7c82..6ebb126 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -177,6 +177,12 @@ struct mgmt_cp_set_local_name {
 	__u8 name[MGMT_MAX_NAME_LENGTH];
 } __packed;
 
+#define MGMT_OP_READ_LOCAL_OOB_DATA	0x0018
+struct mgmt_rp_read_local_oob_data {
+	__u8 hash[16];
+	__u8 randomizer[16];
+} __packed;
+
 #define MGMT_EV_CMD_COMPLETE		0x0001
 struct mgmt_ev_cmd_complete {
 	__le16 opcode;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 11f0dd8..0223b38 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -824,6 +824,17 @@ static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
 								rp->status);
 }
 
+static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
+							struct sk_buff *skb)
+{
+	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
+
+	BT_DBG("%s status 0x%x", hdev->name, rp->status);
+
+	mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
+						rp->randomizer, rp->status);
+}
+
 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
 	BT_DBG("%s status 0x%x", hdev->name, status);
@@ -1754,6 +1765,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
 		hci_cc_pin_code_neg_reply(hdev, skb);
 		break;
 
+	case HCI_OP_READ_LOCAL_OOB_DATA:
+		hci_cc_read_local_oob_data_reply(hdev, skb);
+		break;
+
 	case HCI_OP_LE_READ_BUFFER_SIZE:
 		hci_cc_le_read_buffer_size(hdev, skb);
 		break;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index ebf495d..a72cbf6 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1298,6 +1298,57 @@ failed:
 	return err;
 }
 
+static int read_local_oob_data(struct sock *sk, u16 index)
+{
+	struct hci_dev *hdev;
+	struct pending_cmd *cmd;
+	int err;
+
+	BT_DBG("hci%u", index);
+
+	hdev = hci_dev_get(index);
+	if (!hdev)
+		return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+									ENODEV);
+
+	hci_dev_lock_bh(hdev);
+
+	if (!test_bit(HCI_UP, &hdev->flags)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+								ENETDOWN);
+		goto unlock;
+	}
+
+	if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+								EOPNOTSUPP);
+		goto unlock;
+	}
+
+	if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
+		err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
+		goto unlock;
+	}
+
+	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
+
+	if (!cmd) {
+		err = -ENOMEM;
+		goto unlock;
+	}
+
+	err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
+
+	if (err < 0)
+		mgmt_pending_remove(cmd);
+
+unlock:
+	hci_dev_unlock_bh(hdev);
+	hci_dev_put(hdev);
+
+	return err;
+}
+
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 {
 	unsigned char *buf;
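Review bot: read_local_oob_data has no header comment, and the reason for the third rejection, `if (!(hdev->features[6] & LMP_SIMPLE_PAIR))`, is not stated; a reader has to know that local OOB data is only defined for Secure Simple Pairing to understand why EOPNOTSUPP is the right status there. Suggest a one-liner above the check, `/* OOB data only exists for Simple Pairing; controllers without it cannot serve this */`, and a brief comment on the function itself saying that it takes no command parameters and queues HCI_OP_READ_LOCAL_OOB_DATA, with the reply delivered through mgmt_read_local_oob_data_reply_complete. The blank lines after `cmd = mgmt_pending_add(...)` and `err = hci_send_cmd(...)` before their checks also differ from the tight call-then-check layout used elsewhere in the hunk.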
@@ -1396,6 +1447,10 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 	case MGMT_OP_SET_LOCAL_NAME:
 		err = set_local_name(sk, index, buf + sizeof(*hdr), len);
 		break;
+	case MGMT_OP_READ_LOCAL_OOB_DATA:
+		err = read_local_oob_data(sk, index);
+		break;
+
 	default:
 		BT_DBG("Unknown op %u", opcode);
 		err = cmd_status(sk, index, opcode, 0x01);
@@ -1725,3 +1780,33 @@ failed:
 		mgmt_pending_remove(cmd);
 	return err;
 }
+
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+								u8 status)
+{
+	struct pending_cmd *cmd;
+	int err;
+
+	BT_DBG("hci%u status %u", index, status);
+
+	cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
+	if (!cmd)
+		return -ENOENT;
+
+	if (status) {
+		err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+									EIO);
+	} else {
+		struct mgmt_rp_read_local_oob_data rp;
+
+		memcpy(rp.hash, hash, 16);
+		memcpy(rp.randomizer, randomizer, 16);
+
+		err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+							&rp, sizeof(rp));
+	}
+
+	mgmt_pending_remove(cmd);
+
+	return err;
+}
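Review bot: The two copies in mgmt_read_local_oob_data_reply_complete, `memcpy(rp.hash, hash, 16);` and `memcpy(rp.randomizer, randomizer, 16);`, repeat the array sizes declared for struct mgmt_rp_read_local_oob_data in mgmt.h; writing them as `memcpy(rp.hash, hash, sizeof(rp.hash));` and `memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));` ties the copy length to the struct so the two cannot drift apart. The source buffers are the hash/randomizer fields of the HCI reply struct, whose sizes are not visible here, so the caller contract (both callers' buffers are at least 16 bytes) is worth a short comment on the function.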
-- 
1.7.0.4



* [PATCH v4 2/5] Bluetooth: Allow for NULL data in mgmt_pending_add
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300722233-11598-1-git-send-email-szymon.janc@tieto.com>

Since the index is carried in mgmt_hdr, a mgmt command with no
parameters may still need to add itself to the pending list.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/mgmt.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 657a02d..ebf495d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -239,7 +239,8 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
 		return NULL;
 	}
 
-	memcpy(cmd->param, data, len);
+	if (data)
+		memcpy(cmd->param, data, len);
 
 	cmd->sk = sk;
 	sock_hold(sk);
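Review bot: The new `if (data)` guard only skips the copy; cmd->param is still allocated with kmalloc(len) above this hunk, so a caller passing data == NULL together with a non-zero len would get a parameter buffer with uninitialized contents that later readers of cmd->param (e.g. mode_rsp) would treat as a command. The intended contract appears to be "NULL data means len == 0", as in the read_local_oob_data caller; that should be made explicit with a comment above the check, `/* commands without parameters pass data == NULL and len == 0 */`, or enforced by rejecting `!data && len` at the top of the function. mgmt_pending_add's signature and the allocation are outside this hunk.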
-- 
1.7.0.4



* [PATCH v4 1/5] Bluetooth: Rename cmd to param in pending_cmd
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc
In-Reply-To: <1300722233-11598-1-git-send-email-szymon.janc@tieto.com>

This field holds not the whole command but only the command-specific
parameters.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
---
 net/bluetooth/mgmt.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 98988c8..657a02d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -36,7 +36,7 @@ struct pending_cmd {
 	struct list_head list;
 	__u16 opcode;
 	int index;
-	void *cmd;
+	void *param;
 	struct sock *sk;
 	void *user_data;
 };
@@ -217,7 +217,7 @@ static int read_controller_info(struct sock *sk, u16 index)
 static void mgmt_pending_free(struct pending_cmd *cmd)
 {
 	sock_put(cmd->sk);
-	kfree(cmd->cmd);
+	kfree(cmd->param);
 	kfree(cmd);
 }
 
@@ -233,13 +233,13 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
 	cmd->opcode = opcode;
 	cmd->index = index;
 
-	cmd->cmd = kmalloc(len, GFP_ATOMIC);
-	if (!cmd->cmd) {
+	cmd->param = kmalloc(len, GFP_ATOMIC);
+	if (!cmd->param) {
 		kfree(cmd);
 		return NULL;
 	}
 
-	memcpy(cmd->cmd, data, len);
+	memcpy(cmd->param, data, len);
 
 	cmd->sk = sk;
 	sock_hold(sk);
@@ -1428,7 +1428,7 @@ struct cmd_lookup {
 
 static void mode_rsp(struct pending_cmd *cmd, void *data)
 {
-	struct mgmt_mode *cp = cmd->cmd;
+	struct mgmt_mode *cp = cmd->param;
 	struct cmd_lookup *match = data;
 
 	if (cp->val != match->val)
@@ -1527,7 +1527,7 @@ int mgmt_connected(u16 index, bdaddr_t *bdaddr)
 
 static void disconnect_rsp(struct pending_cmd *cmd, void *data)
 {
-	struct mgmt_cp_disconnect *cp = cmd->cmd;
+	struct mgmt_cp_disconnect *cp = cmd->param;
 	struct sock **sk = data;
 	struct mgmt_rp_disconnect rp;
 
-- 
1.7.0.4



* [PATCH v4 0/5] Support for OOB in mgmt interface
From: Szymon Janc @ 2011-03-21 15:43 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: par-gunnar.p.hjalmdahl, henrik.possung, Szymon Janc

Changes since v3:
- fix missing break in switch-case in hci_event_packet()
- remove some not needed empty lines in hci.h

BR,
Szymon Janc
on behalf of ST-Ericsson

Szymon Janc (5):
  Bluetooth: Rename cmd to param in pending_cmd
  Bluetooth: Allow for NULL data in mgmt_pending_add
  Bluetooth: Add read_local_oob_data management command
  Bluetooth: Add add/remove_remote_oob_data management commands
  Bluetooth: Enable support for out of band association model

 include/net/bluetooth/hci.h      |   24 +++++
 include/net/bluetooth/hci_core.h |   18 ++++
 include/net/bluetooth/mgmt.h     |   18 ++++
 net/bluetooth/hci_core.c         |   67 +++++++++++++++
 net/bluetooth/hci_event.c        |   57 ++++++++++++-
 net/bluetooth/mgmt.c             |  175 ++++++++++++++++++++++++++++++++++++--
 6 files changed, 351 insertions(+), 8 deletions(-)



