From 9191e6ad897a8b4f0b89aea7c2d3c843f29a8630 Mon Sep 17 00:00:00 2001 From: "Gustavo F. Padovan" Date: Fri, 15 Jul 2011 18:30:20 +0000 Subject: Bluetooth: Fix regression in L2CAP connection procedure Caused by the following commit, partially revert it. commit 9fa7e4f76f3658ba1f44fbdb95c77e7df3f53f95 Author: Gustavo F. Padovan Date: Thu Jun 30 16:11:30 2011 -0300 Bluetooth: Fix regression with incoming L2CAP connections PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that ( probably after the df3c3931e commit ) the l2cap connection could not be established in case when the "Auth Complete" HCI event does not arive before the initiator send "Configuration request", in which case l2cap replies with "Command rejected" since the channel is still in BT_CONNECT2 state. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Gustavo F. Padovan Signed-off-by: David S. Miller --- net/bluetooth/l2cap_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'net/bluetooth') diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index ebff14c69078..4fbf67eda239 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -2323,8 +2323,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr sk = chan->sk; - if ((bt_sk(sk)->defer_setup && sk->sk_state != BT_CONNECT2) || - (!bt_sk(sk)->defer_setup && sk->sk_state != BT_CONFIG)) { + if (sk->sk_state != BT_CONFIG && sk->sk_state != BT_CONNECT2) { struct l2cap_cmd_rej rej; rej.reason = cpu_to_le16(0x0002); -- cgit v1.2.3 From 05e9a2f67849e427f8900bad0a3f2a939e8dd3d6 Mon Sep 17 00:00:00 2001 From: Ilia Kolomisnky Date: Fri, 15 Jul 2011 18:30:21 +0000 Subject: Bluetooth: Fix crash with incoming L2CAP connections Another regression fix considering incomming l2cap connections with defer_setup enabled. In situations when incomming connection is extracted with l2cap_sock_accept, it's bt_sock info will have 'parent' member zerroed, but 'parent' may be used unconditionally in l2cap_conn_start() and l2cap_security_cfm() when defer_setup is enabled. Backtrace: [] (l2cap_security_cfm+0x0/0x2ac [bluetooth]) from [] (hci_event_pac ket+0xc2c/0x4aa4 [bluetooth]) [] (hci_event_packet+0x0/0x4aa4 [bluetooth]) from [] (hci_rx_task+0x cc/0x27c [bluetooth]) [] (hci_rx_task+0x0/0x27c [bluetooth]) from [] (tasklet_action+0xa0/ 0x15c) [] (tasklet_action+0x0/0x15c) from [] (__do_softirq+0x98/0x130) r7:00000101 r6:00000018 r5:00000001 r4:efc46000 [] (__do_softirq+0x0/0x130) from [] (do_softirq+0x4c/0x58) [] (do_softirq+0x0/0x58) from [] (run_ksoftirqd+0xb0/0x1b4) r4:efc46000 r3:00000001 [] (run_ksoftirqd+0x0/0x1b4) from [] (kthread+0x84/0x8c) r7:00000000 r6:c008f530 r5:efc47fc4 r4:efc41f08 [] (kthread+0x0/0x8c) from [] (do_exit+0x0/0x5f0) Signed-off-by: Ilia Kolomisnky Signed-off-by: Gustavo F. Padovan Signed-off-by: David S. Miller --- net/bluetooth/l2cap_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'net/bluetooth') diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 4fbf67eda239..7705e26e699f 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -620,7 +620,8 @@ static void l2cap_conn_start(struct l2cap_conn *conn) struct sock *parent = bt_sk(sk)->parent; rsp.result = cpu_to_le16(L2CAP_CR_PEND); rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); - parent->sk_data_ready(parent, 0); + if (parent) + parent->sk_data_ready(parent, 0); } else { sk->sk_state = BT_CONFIG; @@ -4009,7 +4010,8 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) struct sock *parent = bt_sk(sk)->parent; res = L2CAP_CR_PEND; stat = L2CAP_CS_AUTHOR_PEND; - parent->sk_data_ready(parent, 0); + if (parent) + parent->sk_data_ready(parent, 0); } else { sk->sk_state = BT_CONFIG; res = L2CAP_CR_SUCCESS; -- cgit v1.2.3