1. 15 11月, 2014 3 次提交
  2. 13 11月, 2014 1 次提交
    • J
      Bluetooth: Use proper nesting annotation for l2cap_chan lock · abe84903
      Johan Hedberg 提交于
      By default lockdep considers all L2CAP channels equal. This would mean
      that we get warnings if a channel is locked when another one's lock is
      tried to be acquired in the same thread. This kind of inter-channel
      locking dependencies exist in the form of parent-child channels as well
      as any channel wishing to elevate the security by requesting procedures
      on the SMP channel.
      
      To eliminate the chance for these lockdep warnings we introduce a
      nesting level for each channel and use that when acquiring the channel
      lock. For now there exists the earlier mentioned three identified
      categories: SMP, "normal" channels and parent channels (i.e. those in
      BT_LISTEN state). The nesting level is defined as atomic_t since we need
      access to it before the lock is actually acquired.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      abe84903
  3. 12 11月, 2014 1 次提交
  4. 29 10月, 2014 1 次提交
  5. 28 10月, 2014 1 次提交
  6. 26 10月, 2014 3 次提交
  7. 18 9月, 2014 1 次提交
    • J
      Bluetooth: Fix setting correct security level when initiating SMP · 5eb596f5
      Johan Hedberg 提交于
      We can only determine the final security level when both pairing request
      and response have been exchanged. When initiating pairing the starting
      target security level is set to MEDIUM unless explicitly specified to be
      HIGH, so that we can still perform pairing even if the remote doesn't
      have MITM capabilities. However, once we've received the pairing
      response we should re-consult the remote and local IO capabilities and
      upgrade the target security level if necessary.
      
      Without this patch the resulting Long Term Key will occasionally be
      reported to be unauthenticated when it in reality is an authenticated
      one.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      5eb596f5
  8. 11 9月, 2014 6 次提交
  9. 10 9月, 2014 1 次提交
  10. 09 9月, 2014 12 次提交
    • J
      Bluetooth: Fix mgmt pairing failure when authentication fails · e1e930f5
      Johan Hedberg 提交于
      Whether through HCI with BR/EDR or SMP with LE when authentication fails
      we should also notify any pending Pair Device mgmt command. This patch
      updates the mgmt_auth_failed function to take the actual hci_conn object
      and makes sure that any pending pairing command is notified and cleaned
      up appropriately.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      e1e930f5
    • J
      Bluetooth: Fix dereferencing conn variable before NULL check · c68b7f12
      Johan Hedberg 提交于
      This patch fixes the following type of static analyzer warning (and
      probably a real bug as well as the NULL check should be there for a
      reason):
      
      net/bluetooth/smp.c:1182 smp_conn_security() warn: variable dereferenced before check 'conn' (see line 1174)
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      c68b7f12
    • J
      Bluetooth: Add strict checks for allowed SMP PDUs · b28b4943
      Johan Hedberg 提交于
      SMP defines quite clearly when certain PDUs are to be expected/allowed
      and when not, but doesn't have any explicit request/response definition.
      So far the code has relied on each PDU handler to behave correctly if
      receiving PDUs at an unexpected moment, however this requires many
      different checks and is prone to errors.
      
      This patch introduces a generic way to keep track of allowed PDUs and
      thereby reduces the responsibility & load on individual command
      handlers. The tracking is implemented using a simple bit-mask where each
      opcode maps to its own bit. If the bit is set the corresponding PDU is
      allow and if the bit is not set the PDU is not allowed.
      
      As a simple example, when we send the Pairing Request we'd set the bit
      for Pairing Response, and when we receive the Pairing Response we'd
      clear the bit for Pairing Response.
      
      Since the disallowed PDU rejection is now done in a single central place
      we need to be a bit careful of which action makes most sense to all
      cases. Previously some, such as Security Request, have been simply
      ignored whereas others have caused an explicit disconnect.
      
      The only PDU rejection action that keeps good interoperability and can
      be used for all the applicable use cases is to drop the data. This may
      raise some concerns of us now being more lenient for misbehaving (and
      potentially malicious) devices, but the policy of simply dropping data
      has been a successful one for many years e.g. in L2CAP (where this is
      the *only* policy for such cases - we never request disconnection in
      l2cap_core.c because of bad data). Furthermore, we cannot prevent
      connected devices from creating the SMP context (through a Security or
      Pairing Request), and once the context exists looking up the
      corresponding bit for the received opcode and deciding to reject it is
      essentially an equally lightweight operation as the kind of rejection
      that l2cap_core.c already successfully does.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      b28b4943
    • J
      Bluetooth: Fix calling smp_distribute_keys() when still waiting for keys · c6e81e9a
      Johan Hedberg 提交于
      When we're in the process of receiving keys in phase 3 of SMP we keep
      track of which keys are still expected in the smp->remote_key_dist
      variable. If we still have some key bits set we need to continue waiting
      for more PDUs and not needlessly call smp_distribute_keys(). This patch
      fixes two such cases in the smp_cmd_master_ident() and
      smp_cmd_ident_addr_info() handler functions.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      c6e81e9a
    • J
      Bluetooth: Add define for key distribution mask · 88d3a8ac
      Johan Hedberg 提交于
      This patch adds a define for the allowed bits of the key distribution
      mask so we don't have to have magic 0x07 constants throughout the code.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      88d3a8ac
    • J
      Bluetooth: Fix locking of the SMP context · fc75cc86
      Johan Hedberg 提交于
      Before the move the l2cap_chan the SMP context (smp_chan) didn't have
      any kind of proper locking. The best there existed was the
      HCI_CONN_LE_SMP_PEND flag which was used to enable mutual exclusion for
      potential multiple creators of the SMP context.
      
      Now that SMP has been converted to use the l2cap_chan infrastructure and
      since the SMP context is directly mapped to a corresponding l2cap_chan
      we get the SMP context locking essentially for free through the
      l2cap_chan lock. For all callbacks that l2cap_core.c makes for each
      channel implementation (smp.c in the case of SMP) the l2cap_chan lock is
      held through l2cap_chan_lock(chan).
      
      Since the calls from l2cap_core.c to smp.c are covered the only missing
      piece to have the locking implemented properly is to ensure that the
      lock is held for any other call path that may access the SMP context.
      This means user responses through mgmt.c, requests to elevate the
      security of a connection through hci_conn.c, as well as any deferred
      work through workqueues.
      
      This patch adds the necessary locking to all these other code paths that
      try to access the SMP context. Since mutual exclusion for the l2cap_chan
      access is now covered from all directions the patch also removes
      unnecessary HCI_CONN_LE_SMP_PEND flag (once we've acquired the chan lock
      we can simply check whether chan->smp is set to know if there's an SMP
      context).
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      fc75cc86
    • J
      Bluetooth: Remove unnecessary deferred work for SMP key distribution · d6268e86
      Johan Hedberg 提交于
      Now that the identity address update happens through its own deferred
      work there's no need to have smp_distribute_keys anymore behind a second
      deferred work. This patch removes this extra construction and makes the
      code do direct calls to smp_distribute_keys() again.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      d6268e86
    • J
      Bluetooth: Move identity address update behind a workqueue · f3d82d0c
      Johan Hedberg 提交于
      The identity address update of all channels for an l2cap_conn needs to
      take the lock for each channel, i.e. it's safest to do this by a
      separate workqueue callback.
      
      Previously this was partially solved by moving the entire SMP key
      distribution behind a workqueue. However, if we want SMP context locking
      to be correct and safe we should always use the l2cap_chan lock when
      accessing it, meaning even smp_distribute_keys needs to take that lock
      which would once again create a dead lock when updating the identity
      address.
      
      The simplest way to solve this is to have l2cap_conn manage the deferred
      work which is what this patch does. A subsequent patch will remove the
      now unnecessary SMP key distribution work struct.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      f3d82d0c
    • J
      Bluetooth: Don't take any action in smp_resume_cb if not encrypted · 84bc0db5
      Johan Hedberg 提交于
      When smp_resume_cb is called if we're not encrypted (i.e. the callback
      wasn't called because the connection became encrypted) we shouldn't take
      any action at all. This patch moves also the security_timer cancellation
      behind this condition.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      84bc0db5
    • J
      Bluetooth: Remove unnecessary checks after canceling SMP security timer · 1b0921d6
      Johan Hedberg 提交于
      The SMP security timer used to be able to modify the SMP context state
      but now days it simply calls hci_disconnect(). It is therefore
      unnecessary to have extra sanity checks for the SMP context after
      canceling the timer.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      1b0921d6
    • J
      Bluetooth: Fix SMP error and response to be mutually exclusive · 9b7b18ef
      Johan Hedberg 提交于
      Returning failure from the SMP data parsing function will cause an
      immediate disconnect, making any attempts to send a response PDU futile.
      This patch updates the function to always either send a response or
      return an error, but never both at the same time:
      
      * In the case that HCI_LE_ENABLED is not set we want to send a Pairing Not
        Supported response but it is not required to force a disconnection, so
        do not set the error return in this case.
      
      * If we get garbage SMP data we can just fail with the handler function
        instead of also trying to send an SMP Failure PDU.
      
      * There's no reason to force a disconnection if we receive an unknown SMP
        command. Instead simply send a proper Command Not Supported SMP
        response.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      9b7b18ef
    • J
      Bluetooth: Use hci_disconnect for immediate disconnection from SMP · 1e91c29e
      Johan Hedberg 提交于
      Relying on the l2cap_conn_del procedure (triggered through the
      l2cap_conn_shutdown API) to get the connection disconnected is not
      reliable as it depends on all users releasing (through hci_conn_drop)
      and that there's at least one user (so hci_conn_drop is called at least
      one time).
      
      A much simpler and more reliable solution is to call hci_disconnect()
      directly from the SMP code when we want to disconnect. One side-effect
      this has is that it prevents any SMP Failure PDU from being sent before
      the disconnection, however neither one of the scenarios where
      l2cap_conn_shutdown was used really requires this.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      1e91c29e
  11. 14 8月, 2014 10 次提交