Fix not able to disconnect from the Host after SMP requests
The following fixes were added:
1. While using whitelist API for connection, if SMP requests are received
before the L2CAP channel is correctly setup, queue the SMP requets
and execute them once the channel state is bounded and connected and
therefore maintaining the correct connection reference count.
2. If the status LE start encryption command is not successful,
then call hci_conn put which would decrement the HCI connection
reference count.
CRs-fixed: 447092
Change-Id: Ibb11ecf94f28e0b0aff5eacc86d1660e7ec2e25d
Signed-off-by: Archana Ramachandran <archanar@codeaurora.org>
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 198773c..b12de75 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1567,7 +1567,28 @@
static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
{
+ struct hci_cp_le_start_enc *cp;
+ struct hci_conn *conn;
+
BT_DBG("%s status 0x%x", hdev->name, status);
+ if (!status) {
+ return;
+ }
+
+ BT_DBG("%s Le start enc failed 0x%x", hdev->name, status);
+ cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
+ if (!cp) {
+ BT_DBG("CP is null");
+ return;
+ }
+ hci_dev_lock(hdev);
+
+ conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
+ if (conn) {
+ BT_DBG("conn exists");
+ hci_conn_put(conn);
+ }
+ hci_dev_unlock(hdev);
}
static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fd9088a..6ff8460 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -94,12 +94,18 @@
static u16 l2cap_get_smallest_flushto(struct l2cap_chan_list *l);
static void l2cap_set_acl_flushto(struct hci_conn *hcon, u16 flush_to);
static void l2cap_queue_acl_data(struct work_struct *worker);
+static void l2cap_queue_smp_data(struct work_struct *worker);
static struct att_channel_parameters{
struct sk_buff *skb;
struct l2cap_conn *conn;
__le16 cid;
int dir;
} att_chn_params;
+static struct smp_channel_params{
+ struct sk_buff *skb;
+ struct l2cap_conn *conn;
+ __le16 cid;
+} smp_chn_params;
/* ---- L2CAP channels ---- */
static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
@@ -959,6 +965,8 @@
sk_for_each(sk, node, &l2cap_sk_list.head) {
+ BT_DBG("sock %p scid %d check cid : %d ", sk, l2cap_pi(sk)->scid, cid);
+
if (incoming && !l2cap_pi(sk)->incoming)
continue;
@@ -1220,6 +1228,7 @@
kfree(conn);
}
att_chn_params.conn = NULL;
+ smp_chn_params.conn = NULL;
BT_DBG("att_chn_params.conn set to NULL");
}
@@ -7393,6 +7402,7 @@
struct sock *sk;
u16 cid, len;
__le16 psm;
+ struct work_struct *smp_worker;
skb_pull(skb, L2CAP_HDR_SIZE);
cid = __le16_to_cpu(lh->cid);
@@ -7422,8 +7432,39 @@
break;
case L2CAP_CID_SMP:
+ BT_DBG("get socket state");
+ sk = l2cap_find_sock_by_fixed_cid_and_dir(
+ L2CAP_CID_LE_DATA, conn->src, conn->dst, 1);
+ if (sk) {
+ BT_DBG("socket exists sk %p", sk);
+ bh_lock_sock(sk);
+
+ if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED) {
+ BT_DBG("socket state sk %p state %d", sk, sk->sk_state);
+ smp_chn_params.cid = L2CAP_CID_LE_DATA;
+ smp_chn_params.conn = conn;
+ smp_chn_params.skb = skb;
+ smp_worker = kzalloc(sizeof(*smp_worker), GFP_ATOMIC);
+ if (!smp_worker) {
+ BT_ERR("Out of memory smp_worker");
+ } else {
+ INIT_WORK(smp_worker, l2cap_queue_smp_data);
+ BT_DBG("schedule smp_worker");
+ schedule_work(smp_worker);
+ }
+
+ bh_unlock_sock(sk);
+ goto done;
+ } else {
+ BT_DBG("Socket state is BT_BOUND and BT_CONNECTED ");
+ bh_unlock_sock(sk);
+ }
+ }
+
if (smp_sig_channel(conn, skb))
l2cap_conn_del(conn->hcon, EACCES, 0);
+
+done:
break;
default:
@@ -7810,6 +7851,68 @@
return 0;
}
+static void l2cap_queue_smp_data(struct work_struct *worker)
+{
+ struct sock *sk = NULL;
+ struct hci_conn *hcon = NULL;
+ int attempts = 0;
+ __u8 reason;
+
+ for (attempts = 0; attempts < 40; attempts++) {
+ msleep(50);
+ BT_DBG("sock state check attempt %d", attempts);
+ if (!smp_chn_params.conn) {
+ BT_DBG("smp_chn_params.conn is NULL");
+ return;
+ }
+ sk = l2cap_find_sock_by_fixed_cid_and_dir(
+ smp_chn_params.cid,
+ smp_chn_params.conn->src,
+ smp_chn_params.conn->dst, 1);
+
+ if (!sk) {
+ BT_DBG("sock does not exist");
+ goto err;
+ }
+
+ bh_lock_sock(sk);
+ if (sk->sk_state == BT_CONNECTED) {
+ BT_DBG("sock state BT_CONNECTED");
+
+ bh_unlock_sock(sk);
+ if (smp_sig_channel(
+ smp_chn_params.conn,
+ smp_chn_params.skb))
+ l2cap_conn_del(
+ smp_chn_params.conn->hcon,
+ EACCES, 0);
+ return;
+ }
+ bh_unlock_sock(sk);
+ }
+
+err:
+ //If sock state is not connected after 40 attepmts
+ //respond to the remote saying SMP_UNSPECIFIED
+ hcon = smp_chn_params.conn->hcon;
+ reason = SMP_UNSPECIFIED;
+ BT_ERR("SMP_CMD_PAIRING_FAIL: %d", reason);
+ smp_conn_security_fail(
+ smp_chn_params.conn,
+ SMP_CMD_PAIRING_FAIL,
+ reason);
+ del_timer(&hcon->smp_timer);
+ clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
+ mgmt_auth_failed(hcon->hdev->id,
+ smp_chn_params.conn->dst,
+ reason);
+ hci_conn_put(hcon);
+
+ kfree_skb(smp_chn_params.skb);
+ l2cap_conn_del(smp_chn_params.conn->hcon, EACCES, 0);
+}
+
+
static void l2cap_queue_acl_data(struct work_struct *worker)
{
struct sock *sk = NULL;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index b908996..75a74ac 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1035,6 +1035,12 @@
return 0;
}
+void smp_conn_security_fail(struct l2cap_conn *conn, u8 code, u8 reason)
+{
+ BT_DBG("smp: %d %d ", code, reason);
+ smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), &reason);
+}
+
int smp_link_encrypt_cmplt(struct l2cap_conn *conn, u8 status, u8 encrypt)
{
struct hci_conn *hcon = conn->hcon;