<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/bluetooth, branch linux-2.6.33.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: Prevent buffer overflow in l2cap config request</title>
<updated>2011-11-07T21:47:40+00:00</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2011-06-24T12:38:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b847425fb436aca533a769cc15b4fa11d95177ee'/>
<id>b847425fb436aca533a769cc15b4fa11d95177ee</id>
<content type='text'>
commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.

A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header.  This results in copying a very large amount of data via
memcpy() and destroying the kernel heap.  Check for underflow.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.

A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header.  This results in copying a very large amount of data via
memcpy() and destroying the kernel heap.  Check for underflow.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.</title>
<updated>2011-11-07T21:47:38+00:00</updated>
<author>
<name>Filip Palian</name>
<email>s3810@pjwstk.edu.pl</email>
</author>
<published>2011-05-12T17:32:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a0d5fef19e47dd30bcec109c0aff7749b0261bab'/>
<id>a0d5fef19e47dd30bcec109c0aff7749b0261bab</id>
<content type='text'>
commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream.

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

Signed-off-by: Filip Palian &lt;filip.palian@pjwstk.edu.pl&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream.

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

Signed-off-by: Filip Palian &lt;filip.palian@pjwstk.edu.pl&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: bnep: fix buffer overflow</title>
<updated>2011-04-14T23:53:02+00:00</updated>
<author>
<name>Vasiliy Kulikov</name>
<email>segoon@openwall.com</email>
</author>
<published>2011-02-14T10:54:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=914b365dbf1500f9c6c058eadd1bbb9fad534a76'/>
<id>914b365dbf1500f9c6c058eadd1bbb9fad534a76</id>
<content type='text'>
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: sco: fix information leak to userspace</title>
<updated>2011-04-14T23:53:01+00:00</updated>
<author>
<name>Vasiliy Kulikov</name>
<email>segoon@openwall.com</email>
</author>
<published>2011-02-14T10:54:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a578aadd26d69db27e80f01fbb88a7b91d4c7500'/>
<id>a578aadd26d69db27e80f01fbb88a7b91d4c7500</id>
<content type='text'>
commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix kernel crash on L2CAP stress tests</title>
<updated>2010-04-01T23:02:13+00:00</updated>
<author>
<name>Andrei Emeltchenko</name>
<email>andrei.emeltchenko@nokia.com</email>
</author>
<published>2010-03-19T08:26:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cf724d19f2e56135927eadc1154940d3f42f9f0e'/>
<id>cf724d19f2e56135927eadc1154940d3f42f9f0e</id>
<content type='text'>
commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream.

Added very simple check that req buffer has enough space to
fit configuration parameters. Shall be enough to reject packets
with configuration size more than req buffer.

Crash trace below

[ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
[ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
...
[ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
[ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
...
[ 6070.030303] Backtrace:
[ 6070.032806] [&lt;bf1c2880&gt;] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from
[&lt;bf1c6624&gt;] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
[ 6070.043823]  r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
[ 6070.050659] [&lt;bf1c52d4&gt;] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from
[&lt;bf1c8408&gt;] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
[ 6070.061798] [&lt;bf1c814c&gt;] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from
[&lt;bf0037a4&gt;] (hci_rx_task+0x244/0x478 [bluetooth])
[ 6070.072631]  r6:dc647700 r5:00000001 r4:df2ab740
[ 6070.077362] [&lt;bf003560&gt;] (hci_rx_task+0x0/0x478 [bluetooth]) from
[&lt;c006b9fc&gt;] (tasklet_action+0x78/0xd8)
[ 6070.087005] [&lt;c006b984&gt;] (tasklet_action+0x0/0xd8) from [&lt;c006c160&gt;]

Signed-off-by: Andrei Emeltchenko &lt;andrei.emeltchenko@nokia.com&gt;
Acked-by: Gustavo F. Padovan &lt;gustavo@padovan.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream.

Added very simple check that req buffer has enough space to
fit configuration parameters. Shall be enough to reject packets
with configuration size more than req buffer.

Crash trace below

[ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
[ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
...
[ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
[ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
...
[ 6070.030303] Backtrace:
[ 6070.032806] [&lt;bf1c2880&gt;] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from
[&lt;bf1c6624&gt;] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
[ 6070.043823]  r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
[ 6070.050659] [&lt;bf1c52d4&gt;] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from
[&lt;bf1c8408&gt;] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
[ 6070.061798] [&lt;bf1c814c&gt;] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from
[&lt;bf0037a4&gt;] (hci_rx_task+0x244/0x478 [bluetooth])
[ 6070.072631]  r6:dc647700 r5:00000001 r4:df2ab740
[ 6070.077362] [&lt;bf003560&gt;] (hci_rx_task+0x0/0x478 [bluetooth]) from
[&lt;c006b9fc&gt;] (tasklet_action+0x78/0xd8)
[ 6070.087005] [&lt;c006b984&gt;] (tasklet_action+0x0/0xd8) from [&lt;c006c160&gt;]

Signed-off-by: Andrei Emeltchenko &lt;andrei.emeltchenko@nokia.com&gt;
Acked-by: Gustavo F. Padovan &lt;gustavo@padovan.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix potential bad memory access with sysfs files</title>
<updated>2010-04-01T23:02:13+00:00</updated>
<author>
<name>Marcel Holtmann</name>
<email>marcel@holtmann.org</email>
</author>
<published>2010-03-15T21:12:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a318674438c789f5bf46a91cf24b5988b2091f16'/>
<id>a318674438c789f5bf46a91cf24b5988b2091f16</id>
<content type='text'>
commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream.

When creating a high number of Bluetooth sockets (L2CAP, SCO
and RFCOMM) it is possible to scribble repeatedly on arbitrary
pages of memory. Ensure that the content of these sysfs files is
always less than one page. Even if this means truncating. The
files in question are scheduled to be moved over to debugfs in
the future anyway.

Based on initial patches from Neil Brown and Linus Torvalds

Reported-by: Neil Brown &lt;neilb@suse.de&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream.

When creating a high number of Bluetooth sockets (L2CAP, SCO
and RFCOMM) it is possible to scribble repeatedly on arbitrary
pages of memory. Ensure that the content of these sysfs files is
always less than one page. Even if this means truncating. The
files in question are scheduled to be moved over to debugfs in
the future anyway.

Based on initial patches from Neil Brown and Linus Torvalds

Reported-by: Neil Brown &lt;neilb@suse.de&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Keep a copy of each HID device's report descriptor</title>
<updated>2010-02-05T17:50:05+00:00</updated>
<author>
<name>Michael Poole</name>
<email>mdpoole@troilus.org</email>
</author>
<published>2010-02-05T17:23:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=15c697ce1c5b408c5e20dcdc6aea2968d1125b75'/>
<id>15c697ce1c5b408c5e20dcdc6aea2968d1125b75</id>
<content type='text'>
The report descriptor is read by user space (via the Service
Discovery Protocol), so it is only available during the ioctl
to connect. However, the HID probe function that needs the
descriptor might not be called until a specific module is
loaded. Keep a copy of the descriptor so it is available for
later use.

Signed-off-by: Michael Poole &lt;mdpoole@troilus.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The report descriptor is read by user space (via the Service
Discovery Protocol), so it is only available during the ioctl
to connect. However, the HID probe function that needs the
descriptor might not be called until a specific module is
loaded. Keep a copy of the descriptor so it is available for
later use.

Signed-off-by: Michael Poole &lt;mdpoole@troilus.org&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Enter active mode before establishing a SCO link.</title>
<updated>2010-02-04T03:10:59+00:00</updated>
<author>
<name>Nick Pelly</name>
<email>npelly@google.com</email>
</author>
<published>2009-11-13T22:16:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c390216b3e868b16d8154939f4b6f8c16dbd9a9f'/>
<id>c390216b3e868b16d8154939f4b6f8c16dbd9a9f</id>
<content type='text'>
When in sniff mode with a long interval time (1.28s) it can take 4+ seconds
to establish a SCO link. Fix by requesting active mode before requesting
SCO connection. This improves SCO setup time to ~500ms.

Bluetooth headsets that use a long interval time, and exhibit the long
SCO connection time include Motorola H790, HX1 and H17. They have a
CSR 2.1 chipset.

Verified this behavior and fix with host Bluetooth chipsets: BCM4329 and
TI1271.

2009-10-13 14:17:46.183722 &gt; HCI Event: Mode Change (0x14) plen 6
    status 0x00 handle 1 mode 0x02 interval 2048
    Mode: Sniff
2009-10-13 14:17:53.436285 &lt; HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
    handle 1 voice setting 0x0060
2009-10-13 14:17:53.445593 &gt; HCI Event: Command Status (0x0f) plen 4
    Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
2009-10-13 14:17:57.788855 &gt; HCI Event: Synchronous Connect Complete 0x2c) plen 17
    status 0x00 handle 257 bdaddr 00:1A:0E:F1:A4:7F type eSCO
    Air mode: CVSD

Signed-off-by: Nick Pelly &lt;npelly@google.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When in sniff mode with a long interval time (1.28s) it can take 4+ seconds
to establish a SCO link. Fix by requesting active mode before requesting
SCO connection. This improves SCO setup time to ~500ms.

Bluetooth headsets that use a long interval time, and exhibit the long
SCO connection time include Motorola H790, HX1 and H17. They have a
CSR 2.1 chipset.

Verified this behavior and fix with host Bluetooth chipsets: BCM4329 and
TI1271.

2009-10-13 14:17:46.183722 &gt; HCI Event: Mode Change (0x14) plen 6
    status 0x00 handle 1 mode 0x02 interval 2048
    Mode: Sniff
2009-10-13 14:17:53.436285 &lt; HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
    handle 1 voice setting 0x0060
2009-10-13 14:17:53.445593 &gt; HCI Event: Command Status (0x0f) plen 4
    Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
2009-10-13 14:17:57.788855 &gt; HCI Event: Synchronous Connect Complete 0x2c) plen 17
    status 0x00 handle 257 bdaddr 00:1A:0E:F1:A4:7F type eSCO
    Air mode: CVSD

Signed-off-by: Nick Pelly &lt;npelly@google.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Do not call rfcomm_session_put() for RFCOMM UA on closed socket</title>
<updated>2010-02-04T00:28:44+00:00</updated>
<author>
<name>Nick Pelly</name>
<email>npelly@google.com</email>
</author>
<published>2010-02-04T00:18:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c2718da59613d76013b501bf0f8bcf9d7794b2d'/>
<id>6c2718da59613d76013b501bf0f8bcf9d7794b2d</id>
<content type='text'>
When processing a RFCOMM UA frame when the socket is closed and we were
not the RFCOMM initiator would cause rfcomm_session_put() to be called
twice during rfcomm_process_rx(). This would cause a kernel panic in
rfcomm_session_close() then.

This could be easily reproduced during disconnect with devices such as
Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
request. This trace for this looks like:

2009-09-21 17:22:37.788895 &lt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 &gt; HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:37.933090 &gt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 &lt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 &gt; HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:38.763687 &gt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 &gt; ACL data: handle 1 flags 0x02 dlen 12
   L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041

Avoid calling rfcomm_session_put() twice by skipping this call
in rfcomm_recv_ua() if the socket is closed.

Signed-off-by: Nick Pelly &lt;npelly@google.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When processing a RFCOMM UA frame when the socket is closed and we were
not the RFCOMM initiator would cause rfcomm_session_put() to be called
twice during rfcomm_process_rx(). This would cause a kernel panic in
rfcomm_session_close() then.

This could be easily reproduced during disconnect with devices such as
Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
request. This trace for this looks like:

2009-09-21 17:22:37.788895 &lt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 &gt; HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:37.933090 &gt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 &lt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 &gt; HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:38.763687 &gt; ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 &gt; ACL data: handle 1 flags 0x02 dlen 12
   L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041

Avoid calling rfcomm_session_put() twice by skipping this call
in rfcomm_recv_ua() if the socket is closed.

Signed-off-by: Nick Pelly &lt;npelly@google.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix sleeping function in RFCOMM within invalid context</title>
<updated>2010-02-03T23:52:18+00:00</updated>
<author>
<name>Marcel Holtmann</name>
<email>marcel@holtmann.org</email>
</author>
<published>2010-02-03T23:52:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=485f1eff73a7b932fd3abb0dfcf804e1a1f59025'/>
<id>485f1eff73a7b932fd3abb0dfcf804e1a1f59025</id>
<content type='text'>
With the commit 9e726b17422bade75fba94e625cd35fd1353e682 the
rfcomm_session_put() gets accidentially called from a timeout
callback and results in this:

BUG: sleeping function called from invalid context at net/core/sock.c:1897
in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper
Pid: 0, comm: swapper Tainted: P           2.6.32 #31
Call Trace:
 &lt;IRQ&gt;  [&lt;ffffffff81036455&gt;] __might_sleep+0xf8/0xfa
 [&lt;ffffffff8138ef1d&gt;] lock_sock_nested+0x29/0xc4
 [&lt;ffffffffa03921b3&gt;] lock_sock+0xb/0xd [l2cap]
 [&lt;ffffffffa03948e6&gt;] l2cap_sock_shutdown+0x1c/0x76 [l2cap]
 [&lt;ffffffff8106adea&gt;] ? clockevents_program_event+0x75/0x7e
 [&lt;ffffffff8106bea2&gt;] ? tick_dev_program_event+0x37/0xa5
 [&lt;ffffffffa0394967&gt;] l2cap_sock_release+0x27/0x67 [l2cap]
 [&lt;ffffffff8138c971&gt;] sock_release+0x1a/0x67
 [&lt;ffffffffa03d2492&gt;] rfcomm_session_del+0x34/0x53 [rfcomm]
 [&lt;ffffffffa03d24c5&gt;] rfcomm_session_put+0x14/0x16 [rfcomm]
 [&lt;ffffffffa03d28b4&gt;] rfcomm_session_timeout+0xe/0x1a [rfcomm]
 [&lt;ffffffff810554a8&gt;] run_timer_softirq+0x1e2/0x29a
 [&lt;ffffffffa03d28a6&gt;] ? rfcomm_session_timeout+0x0/0x1a [rfcomm]
 [&lt;ffffffff8104e0f6&gt;] __do_softirq+0xfe/0x1c5
 [&lt;ffffffff8100e8ce&gt;] ? timer_interrupt+0x1a/0x21
 [&lt;ffffffff8100cc4c&gt;] call_softirq+0x1c/0x28
 [&lt;ffffffff8100e05b&gt;] do_softirq+0x33/0x6b
 [&lt;ffffffff8104daf6&gt;] irq_exit+0x36/0x85
 [&lt;ffffffff8100d7a9&gt;] do_IRQ+0xa6/0xbd
 [&lt;ffffffff8100c493&gt;] ret_from_intr+0x0/0xa
 &lt;EOI&gt;  [&lt;ffffffff812585b3&gt;] ? acpi_idle_enter_bm+0x269/0x294
 [&lt;ffffffff812585a9&gt;] ? acpi_idle_enter_bm+0x25f/0x294
 [&lt;ffffffff81373ddc&gt;] ? cpuidle_idle_call+0x97/0x107
 [&lt;ffffffff8100aca0&gt;] ? cpu_idle+0x53/0xaa
 [&lt;ffffffff81429006&gt;] ? rest_init+0x7a/0x7c
 [&lt;ffffffff8177bc8c&gt;] ? start_kernel+0x389/0x394
 [&lt;ffffffff8177b29c&gt;] ? x86_64_start_reservations+0xac/0xb0
 [&lt;ffffffff8177b384&gt;] ? x86_64_start_kernel+0xe4/0xeb

To fix this, the rfcomm_session_put() needs to be moved out of
rfcomm_session_timeout() into rfcomm_process_sessions(). In that
context it is perfectly fine to sleep and disconnect the socket.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Tested-by: David John &lt;davidjon@xenontk.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With the commit 9e726b17422bade75fba94e625cd35fd1353e682 the
rfcomm_session_put() gets accidentially called from a timeout
callback and results in this:

BUG: sleeping function called from invalid context at net/core/sock.c:1897
in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper
Pid: 0, comm: swapper Tainted: P           2.6.32 #31
Call Trace:
 &lt;IRQ&gt;  [&lt;ffffffff81036455&gt;] __might_sleep+0xf8/0xfa
 [&lt;ffffffff8138ef1d&gt;] lock_sock_nested+0x29/0xc4
 [&lt;ffffffffa03921b3&gt;] lock_sock+0xb/0xd [l2cap]
 [&lt;ffffffffa03948e6&gt;] l2cap_sock_shutdown+0x1c/0x76 [l2cap]
 [&lt;ffffffff8106adea&gt;] ? clockevents_program_event+0x75/0x7e
 [&lt;ffffffff8106bea2&gt;] ? tick_dev_program_event+0x37/0xa5
 [&lt;ffffffffa0394967&gt;] l2cap_sock_release+0x27/0x67 [l2cap]
 [&lt;ffffffff8138c971&gt;] sock_release+0x1a/0x67
 [&lt;ffffffffa03d2492&gt;] rfcomm_session_del+0x34/0x53 [rfcomm]
 [&lt;ffffffffa03d24c5&gt;] rfcomm_session_put+0x14/0x16 [rfcomm]
 [&lt;ffffffffa03d28b4&gt;] rfcomm_session_timeout+0xe/0x1a [rfcomm]
 [&lt;ffffffff810554a8&gt;] run_timer_softirq+0x1e2/0x29a
 [&lt;ffffffffa03d28a6&gt;] ? rfcomm_session_timeout+0x0/0x1a [rfcomm]
 [&lt;ffffffff8104e0f6&gt;] __do_softirq+0xfe/0x1c5
 [&lt;ffffffff8100e8ce&gt;] ? timer_interrupt+0x1a/0x21
 [&lt;ffffffff8100cc4c&gt;] call_softirq+0x1c/0x28
 [&lt;ffffffff8100e05b&gt;] do_softirq+0x33/0x6b
 [&lt;ffffffff8104daf6&gt;] irq_exit+0x36/0x85
 [&lt;ffffffff8100d7a9&gt;] do_IRQ+0xa6/0xbd
 [&lt;ffffffff8100c493&gt;] ret_from_intr+0x0/0xa
 &lt;EOI&gt;  [&lt;ffffffff812585b3&gt;] ? acpi_idle_enter_bm+0x269/0x294
 [&lt;ffffffff812585a9&gt;] ? acpi_idle_enter_bm+0x25f/0x294
 [&lt;ffffffff81373ddc&gt;] ? cpuidle_idle_call+0x97/0x107
 [&lt;ffffffff8100aca0&gt;] ? cpu_idle+0x53/0xaa
 [&lt;ffffffff81429006&gt;] ? rest_init+0x7a/0x7c
 [&lt;ffffffff8177bc8c&gt;] ? start_kernel+0x389/0x394
 [&lt;ffffffff8177b29c&gt;] ? x86_64_start_reservations+0xac/0xb0
 [&lt;ffffffff8177b384&gt;] ? x86_64_start_kernel+0xe4/0xeb

To fix this, the rfcomm_session_put() needs to be moved out of
rfcomm_session_timeout() into rfcomm_process_sessions(). In that
context it is perfectly fine to sleep and disconnect the socket.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Tested-by: David John &lt;davidjon@xenontk.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
