<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/bluetooth/smp.c, branch linux-3.4.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: Fix setting correct security level when initiating SMP</title>
<updated>2015-02-02T09:04:37+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2014-09-18T08:26:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d150da34ec69ac10329d01cab11e9334d0faba7'/>
<id>2d150da34ec69ac10329d01cab11e9334d0faba7</id>
<content type='text'>
commit 5eb596f55cacc2389554a8d7572d90d5e9d4269d upstream.

We can only determine the final security level when both pairing request
and response have been exchanged. When initiating pairing the starting
target security level is set to MEDIUM unless explicitly specified to be
HIGH, so that we can still perform pairing even if the remote doesn't
have MITM capabilities. However, once we've received the pairing
response we should re-consult the remote and local IO capabilities and
upgrade the target security level if necessary.

Without this patch the resulting Long Term Key will occasionally be
reported to be unauthenticated when it in reality is an authenticated
one.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
[lizf: Backported to 3.4: adjust context]
Signed-off-by: Zefan Li &lt;lizefan@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5eb596f55cacc2389554a8d7572d90d5e9d4269d upstream.

We can only determine the final security level when both pairing request
and response have been exchanged. When initiating pairing the starting
target security level is set to MEDIUM unless explicitly specified to be
HIGH, so that we can still perform pairing even if the remote doesn't
have MITM capabilities. However, once we've received the pairing
response we should re-consult the remote and local IO capabilities and
upgrade the target security level if necessary.

Without this patch the resulting Long Term Key will occasionally be
reported to be unauthenticated when it in reality is an authenticated
one.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
[lizf: Backported to 3.4: adjust context]
Signed-off-by: Zefan Li &lt;lizefan@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix handling of unexpected SMP PDUs</title>
<updated>2013-02-14T18:48:53+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2013-01-29T16:44:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a256a4c2001293548f0851b66ea8f39b704bac72'/>
<id>a256a4c2001293548f0851b66ea8f39b704bac72</id>
<content type='text'>
commit 8cf9fa1240229cbdd888236c0c43fcbad680cf00 upstream.

The conn-&gt;smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
moments. To avoid NULL pointer dereferences the code should be checking
for this and disconnect if an unexpected SMP PDU arrives. This patch
fixes the issue by adding a check for conn-&gt;smp_chan for all other PDUs
except pairing request and security request (which are are the first
PDUs to come to initialize the SMP context).

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8cf9fa1240229cbdd888236c0c43fcbad680cf00 upstream.

The conn-&gt;smp_chan pointer can be NULL if SMP PDUs arrive at unexpected
moments. To avoid NULL pointer dereferences the code should be checking
for this and disconnect if an unexpected SMP PDU arrives. This patch
fixes the issue by adding a check for conn-&gt;smp_chan for all other PDUs
except pairing request and security request (which are are the first
PDUs to come to initialize the SMP context).

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: SMP: Fix setting unknown auth_req bits</title>
<updated>2012-10-31T17:03:02+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2012-10-11T14:26:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0fb0773f2da4ffa566e0c813dc295c44208debb5'/>
<id>0fb0773f2da4ffa566e0c813dc295c44208debb5</id>
<content type='text'>
commit 065a13e2cc665f6547dc7e8a9d6b6565badf940a upstream.

When sending a pairing request or response we should not just blindly
copy the value that the remote device sent. Instead we should at least
make sure to mask out any unknown bits. This is particularly critical
from the upcoming LE Secure Connections feature perspective as
incorrectly indicating support for it (by copying the remote value)
would cause a failure to pair with devices that support it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 065a13e2cc665f6547dc7e8a9d6b6565badf940a upstream.

When sending a pairing request or response we should not just blindly
copy the value that the remote device sent. Instead we should at least
make sure to mask out any unknown bits. This is particularly critical
from the upcoming LE Secure Connections feature perspective as
incorrectly indicating support for it (by copying the remote value)
would cause a failure to pair with devices that support it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Change signature of smp_conn_security()</title>
<updated>2012-10-02T17:30:34+00:00</updated>
<author>
<name>Vinicius Costa Gomes</name>
<email>vinicius.gomes@openbossa.org</email>
</author>
<published>2012-08-24T00:32:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0fcc0805df9cf7483e927cf6a4dc94938318c06a'/>
<id>0fcc0805df9cf7483e927cf6a4dc94938318c06a</id>
<content type='text'>
commit cc110922da7e902b62d18641a370fec01a9fa794 upstream.

To make it clear that it may be called from contexts that may not have
any knowledge of L2CAP, we change the connection parameter, to receive
a hci_conn.

This also makes it clear that it is checking the security of the link.

Signed-off-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cc110922da7e902b62d18641a370fec01a9fa794 upstream.

To make it clear that it may be called from contexts that may not have
any knowledge of L2CAP, we change the connection parameter, to receive
a hci_conn.

This also makes it clear that it is checking the security of the link.

Signed-off-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix use-after-free bug in SMP</title>
<updated>2012-10-02T17:30:34+00:00</updated>
<author>
<name>Andre Guedes</name>
<email>andre.guedes@openbossa.org</email>
</author>
<published>2012-08-01T23:34:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=27d50469825fd267f44e13fb0627b011c0da6abd'/>
<id>27d50469825fd267f44e13fb0627b011c0da6abd</id>
<content type='text'>
commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.

If SMP fails, we should always cancel security_timer delayed work.
Otherwise, security_timer function may run after l2cap_conn object
has been freed.

This patch fixes the following warning reported by ODEBUG:

WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
Hardware name: Bochs
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
Modules linked in: btusb bluetooth
Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
Call Trace:
 [&lt;ffffffff81174600&gt;] ? free_obj_work+0x4a/0x7f
 [&lt;ffffffff81023eb8&gt;] warn_slowpath_common+0x7e/0x97
 [&lt;ffffffff81023f65&gt;] warn_slowpath_fmt+0x41/0x43
 [&lt;ffffffff811746b1&gt;] debug_print_object+0x7c/0x8d
 [&lt;ffffffff810394f0&gt;] ? __queue_work+0x241/0x241
 [&lt;ffffffff81174fdd&gt;] debug_check_no_obj_freed+0x92/0x159
 [&lt;ffffffff810ac08e&gt;] slab_free_hook+0x6f/0x77
 [&lt;ffffffffa0019145&gt;] ? l2cap_conn_del+0x148/0x157 [bluetooth]
 [&lt;ffffffff810ae408&gt;] kfree+0x59/0xac
 [&lt;ffffffffa0019145&gt;] l2cap_conn_del+0x148/0x157 [bluetooth]
 [&lt;ffffffffa001b9a2&gt;] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
 [&lt;ffffffff810592f9&gt;] ? trace_hardirqs_on_caller+0x112/0x1ad
 [&lt;ffffffffa001c86c&gt;] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
 [&lt;ffffffffa0002b2f&gt;] hci_rx_work+0x235/0x33c [bluetooth]
 [&lt;ffffffff81038dc3&gt;] ? process_one_work+0x126/0x2fe
 [&lt;ffffffff81038e22&gt;] process_one_work+0x185/0x2fe
 [&lt;ffffffff81038dc3&gt;] ? process_one_work+0x126/0x2fe
 [&lt;ffffffff81059f2e&gt;] ? lock_acquired+0x1b5/0x1cf
 [&lt;ffffffffa00028fa&gt;] ? le_scan_work+0x11d/0x11d [bluetooth]
 [&lt;ffffffff81036fb6&gt;] ? spin_lock_irq+0x9/0xb
 [&lt;ffffffff81039209&gt;] worker_thread+0xcf/0x175
 [&lt;ffffffff8103913a&gt;] ? rescuer_thread+0x175/0x175
 [&lt;ffffffff8103cfe0&gt;] kthread+0x95/0x9d
 [&lt;ffffffff812c5054&gt;] kernel_threadi_helper+0x4/0x10
 [&lt;ffffffff812c36b0&gt;] ? retint_restore_args+0x13/0x13
 [&lt;ffffffff8103cf4b&gt;] ? flush_kthread_worker+0xdb/0xdb
 [&lt;ffffffff812c5050&gt;] ? gs_change+0x13/0x13

This bug can be reproduced using hctool lecc or l2test tools and
bluetoothd not running.

Signed-off-by: Andre Guedes &lt;andre.guedes@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.

If SMP fails, we should always cancel security_timer delayed work.
Otherwise, security_timer function may run after l2cap_conn object
has been freed.

This patch fixes the following warning reported by ODEBUG:

WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
Hardware name: Bochs
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
Modules linked in: btusb bluetooth
Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
Call Trace:
 [&lt;ffffffff81174600&gt;] ? free_obj_work+0x4a/0x7f
 [&lt;ffffffff81023eb8&gt;] warn_slowpath_common+0x7e/0x97
 [&lt;ffffffff81023f65&gt;] warn_slowpath_fmt+0x41/0x43
 [&lt;ffffffff811746b1&gt;] debug_print_object+0x7c/0x8d
 [&lt;ffffffff810394f0&gt;] ? __queue_work+0x241/0x241
 [&lt;ffffffff81174fdd&gt;] debug_check_no_obj_freed+0x92/0x159
 [&lt;ffffffff810ac08e&gt;] slab_free_hook+0x6f/0x77
 [&lt;ffffffffa0019145&gt;] ? l2cap_conn_del+0x148/0x157 [bluetooth]
 [&lt;ffffffff810ae408&gt;] kfree+0x59/0xac
 [&lt;ffffffffa0019145&gt;] l2cap_conn_del+0x148/0x157 [bluetooth]
 [&lt;ffffffffa001b9a2&gt;] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
 [&lt;ffffffff810592f9&gt;] ? trace_hardirqs_on_caller+0x112/0x1ad
 [&lt;ffffffffa001c86c&gt;] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
 [&lt;ffffffffa0002b2f&gt;] hci_rx_work+0x235/0x33c [bluetooth]
 [&lt;ffffffff81038dc3&gt;] ? process_one_work+0x126/0x2fe
 [&lt;ffffffff81038e22&gt;] process_one_work+0x185/0x2fe
 [&lt;ffffffff81038dc3&gt;] ? process_one_work+0x126/0x2fe
 [&lt;ffffffff81059f2e&gt;] ? lock_acquired+0x1b5/0x1cf
 [&lt;ffffffffa00028fa&gt;] ? le_scan_work+0x11d/0x11d [bluetooth]
 [&lt;ffffffff81036fb6&gt;] ? spin_lock_irq+0x9/0xb
 [&lt;ffffffff81039209&gt;] worker_thread+0xcf/0x175
 [&lt;ffffffff8103913a&gt;] ? rescuer_thread+0x175/0x175
 [&lt;ffffffff8103cfe0&gt;] kthread+0x95/0x9d
 [&lt;ffffffff812c5054&gt;] kernel_threadi_helper+0x4/0x10
 [&lt;ffffffff812c36b0&gt;] ? retint_restore_args+0x13/0x13
 [&lt;ffffffff8103cf4b&gt;] ? flush_kthread_worker+0xdb/0xdb
 [&lt;ffffffff812c5050&gt;] ? gs_change+0x13/0x13

This bug can be reproduced using hctool lecc or l2test tools and
bluetoothd not running.

Signed-off-by: Andre Guedes &lt;andre.guedes@openbossa.org&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Set security level on incoming pairing request</title>
<updated>2012-03-08T05:26:04+00:00</updated>
<author>
<name>Ido Yariv</name>
<email>ido@wizery.com</email>
</author>
<published>2012-03-05T18:09:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fdde0a26a218d95e2ea38c0838ab6f24040af14c'/>
<id>fdde0a26a218d95e2ea38c0838ab6f24040af14c</id>
<content type='text'>
If a master would like to raise the security level, it will send a
pairing request. While the pending security level is set on an incoming
security request (from a slave), it is not set on a pairing request. As
a result, the security level would not be raised on the slave in such
case.

Fix this by setting the pending security when receiving pairing
requests according to the requested authorization.

Signed-off-by: Ido Yariv &lt;ido@wizery.com&gt;
Acked-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a master would like to raise the security level, it will send a
pairing request. While the pending security level is set on an incoming
security request (from a slave), it is not set on a pairing request. As
a result, the security level would not be raised on the slave in such
case.

Fix this by setting the pending security when receiving pairing
requests according to the requested authorization.

Signed-off-by: Ido Yariv &lt;ido@wizery.com&gt;
Acked-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix access to the STK generation methods matrix</title>
<updated>2012-03-08T05:25:00+00:00</updated>
<author>
<name>Ido Yariv</name>
<email>ido@wizery.com</email>
</author>
<published>2012-03-05T18:07:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b3ff53ff006b7906c88adf9d0fccc06a8877fae1'/>
<id>b3ff53ff006b7906c88adf9d0fccc06a8877fae1</id>
<content type='text'>
The major index of the table is actually the remote I/O capabilities, not
the local ones. As a result, devices with different I/O capabilities
could have used wrong or even unsupported generation methods.

Signed-off-by: Ido Yariv &lt;ido@wizery.com&gt;
CC: Brian Gix &lt;bgix@codeaurora.org&gt;
Acked-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The major index of the table is actually the remote I/O capabilities, not
the local ones. As a result, devices with different I/O capabilities
could have used wrong or even unsupported generation methods.

Signed-off-by: Ido Yariv &lt;ido@wizery.com&gt;
CC: Brian Gix &lt;bgix@codeaurora.org&gt;
Acked-by: Vinicius Costa Gomes &lt;vinicius.gomes@openbossa.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: fix conding style issues all over the tree</title>
<updated>2012-03-08T05:02:26+00:00</updated>
<author>
<name>Gustavo F. Padovan</name>
<email>padovan@profusion.mobi</email>
</author>
<published>2012-03-08T04:25:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=04124681f104c1980024ff249a34a77a249fd2bc'/>
<id>04124681f104c1980024ff249a34a77a249fd2bc</id>
<content type='text'>
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Update MGMT and SMP timeout constants to use msecs_to_jiffies</title>
<updated>2012-03-01T22:35:57+00:00</updated>
<author>
<name>Marcel Holtmann</name>
<email>marcel@holtmann.org</email>
</author>
<published>2012-03-01T22:32:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=17b02e625662906f370a3eb5e7495cf06ed7d4a4'/>
<id>17b02e625662906f370a3eb5e7495cf06ed7d4a4</id>
<content type='text'>
The MGMT and SMP timeout constants are always used in form of jiffies. So
just include the conversion from msecs in the define itself. This has the
advantage of making the code where the timeout is used more readable.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The MGMT and SMP timeout constants are always used in form of jiffies. So
just include the conversion from msecs in the define itself. This has the
advantage of making the code where the timeout is used more readable.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Add address type to mgmt_ev_auth_failed</title>
<updated>2012-02-13T15:01:37+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@intel.com</email>
</author>
<published>2012-02-09T14:07:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bab73cb68435232ba78a4bd1ac1a85862e3be0bb'/>
<id>bab73cb68435232ba78a4bd1ac1a85862e3be0bb</id>
<content type='text'>
This patch updates the Authentication Failed mgmt event to match the
latest API specification by adding an address type to it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch updates the Authentication Failed mgmt event to match the
latest API specification by adding an address type to it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
