If remote device sends bogus RFC option with invalid length,
undefined options values are used. Fix this by using defaults when
remote misbehaves.

This also fixes the following warning reported by gcc 4.7.0:

net/bluetooth/l2cap_core.c: In function 'l2cap_config_rsp':
net/bluetooth/l2cap_core.c:3302:13: warning: 'rfc.max_pdu_size' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.max_pdu_size' was declared here
net/bluetooth/l2cap_core.c:3298:25: warning: 'rfc.monitor_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.monitor_timeout' was declared here
net/bluetooth/l2cap_core.c:3297:25: warning: 'rfc.retrans_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.retrans_timeout' was declared here
net/bluetooth/l2cap_core.c:3295:2: warning: 'rfc.mode' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.mode' was declared here
Signed-off-by: NSzymon Janc <szymon.janc@tieto.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

With LE/SMP the completion of a security level elavation from medium to
high is indicated by a HCI Encryption Key Refresh Complete event. The
necessary behavior upon receiving this event is a mix of what's done for
auth_complete and encryption_change, which is also where most of the
event handling code has been copied from.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

If we have an unauthenticated key it is not sufficient to acheive high
security. Therefore, when deciding whether to encrypt the link or
request pairing, it is essential to in addition to checking the
existence of a key to also check whether it is authenticated or not.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

The l2cap_conn_del function tries to cancel_sync the security timer, but
when it's called from the timeout function itself a deadlock occurs.
Subsequently the "hcon->l2cap_data = NULL" that's supposed to protect
multiple calls to l2cap_conn_del never gets cleared and when the
connection finally drops we double free's etc which will crash the
kernel.

This patch fixes the issue by using the HCI_CONN_LE_SMP_PEND for
protecting against this. The same flag is also used for the same purpose
in other places in the SMP code.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

For BR/EDR pairing is assumed to be finished when connection is
done. For LE if connection is successful it did not necessarily
mean that pairing is also done but if the connection is unsuccessful
it should be assumed that pairing procedure is also finished.
This patch registers a new function with connect_cfm_cb callback for
LE link which sends the pairing complete signal to user space if
connection is unsuccessful.
Signed-off-by: NVishal Agarwal <vishal.agarwal@stericsson.com>
Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

The tk_request function takes the local IO capability as the second last
parameter and the remote IO capability as the last parameter. They were
previously swapped: when we receive a pairing response
req->io_capability contains the local one and rsp->io_capability the
remote one.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Most probably a typo, the check should have been for BT_SK_DEFER_SETUP
instead of BT_DEFER_SETUP (which right now only represents a socket
option).
Signed-off-by: NVinicius Costa Gomes <vinicius.gomes@openbossa.org>
Acked-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

This reverts the tty layer change to use per-tty locking, because it's
not correct yet, and fixing it will require some more deep surgery.

The main revert is d29f3ef3 ("tty_lock: Localise the lock"), but
there are several smaller commits that built upon it, they also get
reverted here. The list of reverted commits is:

  fde86d31 - tty: add lockdep annotations
  8f6576ad - tty: fix ldisc lock inversion trace
  d3ca8b64 - pty: Fix lock inversion
  b1d679af - tty: drop the pty lock during hangup
  abcefe5f - tty/amiserial: Add missing argument for tty_unlock()
  fd11b42e - cris: fix missing tty arg in wait_event_interruptible_tty call
  d29f3ef3 - tty_lock: Localise the lock

The revert had a trivial conflict in the 68360serial.c staging driver
that got removed in the meantime.
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

If encryption change fails we should disconnect with auth failure error
code.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

defer_setup and suspended are now flags into bt_sk().
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

During a security level elevation we need to keep track of the current
security level of a connection until the new one is not confirmed.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

The ERTM and streaming mode transmit queue must only be accessed while
the L2CAP channel lock is held.  Locking the channel before calling
l2cap_chan_send ensures that multiple threads cannot simultaneously
manipulate the queue when sending and receiving concurrently.

L2CAP channel locking had previously moved to the l2cap_chan struct
instead of the associated socket, so some of the old socket locking
can also be removed in this patch.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

As the comment for l2cap_get_chan_by_scid indicated, the function used
to return a locked socket.  The lock for the socket was acquired while
the channel list was also locked.

When locking was moved over to the l2cap_chan structure, the channel
lock was no longer acquired with the channel list still locked.  This
made it possible for the l2cap_chan to be deleted after
conn->chan_lock was released but before l2cap_chan_lock was called.
Making the call to l2cap_chan_lock before releasing conn->chan_lock
makes it impossible for the l2cap_chan to be deleted at the wrong
time.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Reviewed-by: NUlisses Furquim <ulisses@profusion.mobi>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

The L2CAP MTU for incoming data is verified differently depending on
the L2CAP mode, so the check is best performed in a mode-specific
context.  Checking the incoming MTU before HCI fragment reassembly is
a layer violation and assumes all bytes after the standard L2CAP
header are L2CAP data.

This approach causes issues with unsegmented ERTM or streaming mode
frames, where there are additional enhanced or extended headers before
the data payload and possible FCS bytes after the data payload.  A
valid frame could be as many as 10 bytes larger than the MTU.

Removing this code is the best fix, because the MTU is checked later
on for all L2CAP data frames (connectionless, basic, ERTM, and
streaming).  This also gets rid of outdated locking (socket instead of
l2cap_chan) and an extra lookup of the channel ID.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Reviewed-by: NUlisses Furquim <ulisses@profusion.mobi>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

The mgmt_device_found function expects to receive only the significant
part of the EIR data so it needs to be removed before calling the
function. This patch adds a new eir_get_length() helper function to
calculate the length of the significant part.
Signed-off-by: NVishal Agarwal <vishal.agarwal@stericsson.com>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

The right bit for "Inquiry with RSSI" is 0x02 and not 0x04 (which means
"Read Remote Extended Features Complete").
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Removes one indentation level.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

When we add a fragment to a skb, len and data_len fields need to be
updated.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

When building fragmented skb's skb->len keeps track of the size of head
plus all fragments combined, however when queueing the skb for sending we
need to report the head size instead of the total size, so we just set
skb->len to skb_headlen().

This bug appeared when implementing MSG_MORE support for L2CAP sockets, it
never showed up before because l2cap_skbuff_fromiovec() never accounted skb
size correctly. A following patch will fix this.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Reviewed-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

If alloc() fails we let the frags linked list with garbage value (the
err ptr value) in its last element.
Reported-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

Commit 105bdf9e introduced a
regression in L2CAP streaming mode due to rearranged initialization
code that is shared between ERTM and streaming mode.  This change
makes sure the transmit queue is initialized in both modes.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Acked-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Commit 94122bbe introduced a problem
where tx_send_head was not set to point to the first skb in the ERTM
transmit queue, which stalled data transmission.  This change sets
that pointer when transmission is not already in progress.
Reported-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

The mgmt_ev_device_connected signal must be sent before any event
indications happen for sockets associated with the connection. Otherwise
e.g. device authorization for the sockets will fail with ENOTCONN as
user space things that there is no baseband link.

This patch fixes the issue by ensuring that the device_connected event
if sent (if it hasn't been so already) as soon as the first ACL data
packet arrives from the remote device.
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

It fixes L2CAP socket based security level elevation during a
connection. The HID profile needs this (for keyboards) and it is the only
way to achieve the security level elevation when using the management
interface to talk to the kernel (hence the management enabling patch
being the one that exposes this issue).

It enables the userspace a security level change when the socket is
already connected and create a way to notify the socket the result of the
request. At the moment of the request the socket is made non writable, if
the request fails the connections closes, otherwise the socket is made
writable again, POLL_OUT is emmited.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Use the new bool function ether_addr_equal to add
some clarity and reduce the likelihood for misuse
of compare_ether_addr for sorting.

Done via cocci script:

$ cat compare_ether_addr.cocci
@@
expression a,b;
@@
-	!compare_ether_addr(a, b)
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	compare_ether_addr(a, b)
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!ether_addr_equal(a, b) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!ether_addr_equal(a, b) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	ether_addr_equal(a, b) == 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	ether_addr_equal(a, b) != 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!!ether_addr_equal(a, b)
+	ether_addr_equal(a, b)
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fixed some checkpatch warnings in mgmt.c.
Signed-off-by: NCristian Chilipirea <cristian.chilipirea@gmail.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

The dot1q ethertype number (0x8100) is embedded in the code, although
it is already defined in included headers.
Signed-off-by: NEldad Zack <eldad@fogrefinery.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Use more common code for ERTM and streaming mode segmentation and
transmission, and begin using skb control block data for delaying
extended or enhanced header generation until just before the packet is
transmitted.  This code is also better suited for resegmentation,
which is needed when L2CAP links are reconfigured after an AMP channel
move.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Reviewed-by: NUlisses Furquim <ulisses@profusion.mobi>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Remove magic number unneeded calculation since
hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

hlen has a fixed size of L2CAP_HDR_SIZE, use this instead.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

The Bluetooth Low Energy support so far was disabled by default via
a module parameter. With this change the module parameter will be removed
and Low Energy is enabled by default.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

No one is using hci_le_ltk_neg_reply() in bluetooth subsystem.
Signed-off-by: NSyam Sidhardhan <s.syam@samsung.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

hlen - L2CAP_HDR_SIZE = 0, so we don't need to add them in the
calculation.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>
Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>

In this API, we were using sizeof operator for an array
given as function argument, which is invalid.
However this API is not used anywhere.
Signed-off-by: NSyam Sidhardhan <s.syam@samsung.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Adding Code Aurora Forum copyright information due to significant
additions of code.
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.

There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

l2cap_get_chan_by_ident was not used, but didn't generate a compiler
warning because it was an inline function.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Structure members used by ERTM or streaming mode need to be
initialized when an ERTM or streaming mode link is configured.  Some
duplicate code is also eliminated by moving in to the ERTM init
function.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Moving these functions simplifies future patches by eliminating
forward declarations, makes future patches easier to review, and
better preserves 'git blame' information.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

These values are now in the nested l2cap_ctrl struct.
Signed-off-by: NMat Martineau <mathewm@codeaurora.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>