linux.git/net/bluetooth, branch v4.2-rc5 Linux kernel source tree Bluetooth: Fix NULL pointer dereference in smp_conn_security 2015-07-23T14:41:24+00:00 Johan Hedberg johan.hedberg@intel.com 2015-07-20T17:31:25+00:00 25ba265390c09b0a2b2f3fd9ba82e37248b7a371 The l2cap_conn->smp pointer may be NULL for various valid reasons where SMP has failed to initialize properly. One such scenario is when crypto support is missing, another when the adapter has been powered on through a legacy method. The smp_conn_security() function should have the appropriate check for this situation to avoid NULL pointer dereferences. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org # 4.0+ 
The l2cap_conn->smp pointer may be NULL for various valid reasons where SMP has
failed to initialize properly. One such scenario is when crypto support is
missing, another when the adapter has been powered on through a legacy method.
The smp_conn_security() function should have the appropriate check for this
situation to avoid NULL pointer dereferences.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org # 4.0+
bluetooth: fix list handling 2015-07-05T02:11:33+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-07-05T02:11:33+00:00 9b284cbdb5de3b8871014f8290d1b540e5181c21 Commit 835a6a2f8603 ("Bluetooth: Stop sabotaging list poisoning") thought that the code was sabotaging the list poisoning when NULL'ing out the list pointers and removed it. But what was going on was that the bluetooth code was using NULL pointers for the list as a way to mark it empty, and that commit just broke it (and replaced the test with NULL with a "list_empty()" test on a uninitialized list instead, breaking things even further). So fix it all up to use the regular and real list_empty() handling (which does not use NULL, but a pointer to itself), also making sure to initialize the list properly (the previous NULL case was initialized implicitly by the session being allocated with kzalloc()) This is a combination of patches by Marcel Holtmann and Tedd Ho-Jeong An. [ I would normally expect to get this through the bt tree, but I'm going to release -rc1, so I'm just committing this directly - Linus ] Reported-and-tested-by: Jörg Otte <jrg.otte@gmail.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Original-by: Tedd Ho-Jeong An <tedd.an@intel.com> Original-by: Marcel Holtmann <marcel@holtmann.org>: Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Commit 835a6a2f8603 ("Bluetooth: Stop sabotaging list poisoning")
thought that the code was sabotaging the list poisoning when NULL'ing
out the list pointers and removed it.

But what was going on was that the bluetooth code was using NULL
pointers for the list as a way to mark it empty, and that commit just
broke it (and replaced the test with NULL with a "list_empty()" test on
a uninitialized list instead, breaking things even further).

So fix it all up to use the regular and real list_empty() handling
(which does not use NULL, but a pointer to itself), also making sure to
initialize the list properly (the previous NULL case was initialized
implicitly by the session being allocated with kzalloc())

This is a combination of patches by Marcel Holtmann and Tedd Ho-Jeong
An.

[ I would normally expect to get this through the bt tree, but I'm going
  to release -rc1, so I'm just committing this directly   - Linus ]

Reported-and-tested-by: Jörg Otte <jrg.otte@gmail.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Original-by: Tedd Ho-Jeong An <tedd.an@intel.com>
Original-by: Marcel Holtmann <marcel@holtmann.org>:
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Bluetooth: Fix warning of potentially uninitialized adv_instance variable 2015-06-18T18:05:31+00:00 Johan Hedberg johan.hedberg@intel.com 2015-06-18T18:05:31+00:00 952497b159468477392f9b562b904da9bc76d468 Rework the logic of checking for a valid adv_instance for non-zero cp->instance values. Without this change we may get (false positive) warnings as follows: >> net/bluetooth/mgmt.c:7294:29: warning: 'adv_instance' may be used uninitialized in this function [-Wuninitialized] Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
Rework the logic of checking for a valid adv_instance for non-zero
cp->instance values. Without this change we may get (false positive)
warnings as follows:

>> net/bluetooth/mgmt.c:7294:29: warning: 'adv_instance' may be used
uninitialized in this function [-Wuninitialized]

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: Use zalloc when possible 2015-06-18T18:00:06+00:00 Johan Hedberg johan.hedberg@intel.com 2015-06-18T17:50:08+00:00 39ecfad68f14b71b6d1917c27eb01c4936f88bda Use zallog for adv_instance allocation instead of kmalloc + memset. This also fixes the following coccinelle warning: >> net/bluetooth/hci_core.c:2693:17-24: WARNING: kzalloc should be used for adv_instance, instead of kmalloc/memset Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
Use zallog for adv_instance allocation instead of kmalloc + memset.
This also fixes the following coccinelle warning:

>> net/bluetooth/hci_core.c:2693:17-24: WARNING: kzalloc should be
used for adv_instance, instead of kmalloc/memset

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: Increment management interface revision 2015-06-18T17:11:46+00:00 Marcel Holtmann marcel@holtmann.org 2015-06-18T16:58:03+00:00 e58627d1ec840ee2d8aca5aeae9899319b58e8f0 This patch increments the management interface revision due to introduction of new multi-advertising feature and various bug fixes. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> 
This patch increments the management interface revision due to
introduction of new multi-advertising feature and various bug fixes.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Bluetooth: hci_core: remove obsolete adv_instance 2015-06-18T16:11:53+00:00 Florian Grandel fgrandel@gmail.com 2015-06-18T01:16:52+00:00 d4c5af8f71c8104504a83f7c71911550ebe43ac3 Now that the obsolete adv_instance is no longer being referenced anywhere in the code it can be removed without breaking the build. Signed-off-by: Florian Grandel <fgrandel@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
Now that the obsolete adv_instance is no longer being referenced
anywhere in the code it can be removed without breaking the build.

Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: mgmt: multi-adv for mgmt_reenable_advertising() 2015-06-18T16:11:53+00:00 Florian Grandel fgrandel@gmail.com 2015-06-18T01:16:51+00:00 eb6f95f9c38de4cf64600c1ad29fc8e02224b155 During service discovery, advertising will be disabled. This patch ensures that it is correctly being re-enabled, both for configuration made via set advertising and add advertising, once the scanning times out. Signed-off-by: Florian Grandel <fgrandel@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
During service discovery, advertising will be disabled. This patch
ensures that it is correctly being re-enabled, both for configuration
made via set advertising and add advertising, once the scanning
times out.

Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: mgmt: multi-adv for trigger_le_scan() 2015-06-18T16:11:53+00:00 Florian Grandel fgrandel@gmail.com 2015-06-18T01:16:50+00:00 9d5fc2f23afc842cbb3ee85600cd92bf5120a71d This patch ensures that instance advertising is correctly canceled before starting a le scan. Signed-off-by: Florian Grandel <fgrandel@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
This patch ensures that instance advertising is correctly canceled
before starting a le scan.

Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: mgmt: program multi-adv on power on 2015-06-18T16:11:52+00:00 Florian Grandel fgrandel@gmail.com 2015-06-18T01:16:49+00:00 320b3bf7027b89821030e5e7c5fbd1f6aecb4af0 Advertising instances programmed while powered off should be advertised once the device is powered. This patch ensures that all combinations of setting and/or adding advertising configuration while powered off will be correctly activated on power on. Signed-off-by: Florian Grandel <fgrandel@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
Advertising instances programmed while powered off should be advertised
once the device is powered. This patch ensures that all combinations
of setting and/or adding advertising configuration while powered off
will be correctly activated on power on.

Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: mgmt: multi adv for remove_advertising*() 2015-06-18T16:11:52+00:00 Florian Grandel fgrandel@gmail.com 2015-06-18T01:16:48+00:00 01948331af001cd893c8733a4288e9ad246f62f3 The remove_advertising() and remove_advertising_complete() functions had instance identifiers hard coded. Notably, when passing in 0x00 as an instance identifier to signal that all instances should be removed then the mgmt API would return a hard coded 0x01 rather than returning the expected value 0x00. This bug is being fixed by always referencing the instance identifier from the management API call instead. remove_advertising() is refactored to use the new dynamic advertising instance list. The logic is being changed to make multi-instance advertising actually work, notably the schedule_adv_instance() method is being referenced to make sure that other instances will continue to advertise even if one instance is being removed. The code is made more readable by factoring advertising instance management and initialization into the low-level hci_remove_adv_instance() and hci_adv_instances_clear() functions. The method now references the clear_adv_instance() helper method to remove duplicate logic and code. Signed-off-by: Florian Grandel <fgrandel@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 
The remove_advertising() and remove_advertising_complete() functions
had instance identifiers hard coded. Notably, when passing in 0x00 as
an instance identifier to signal that all instances should be removed
then the mgmt API would return a hard coded 0x01 rather than returning
the expected value 0x00. This bug is being fixed by always referencing
the instance identifier from the management API call instead.

remove_advertising() is refactored to use the new dynamic advertising
instance list. The logic is being changed to make multi-instance
advertising actually work, notably the schedule_adv_instance() method is
being referenced to make sure that other instances will continue to
advertise even if one instance is being removed.

The code is made more readable by factoring advertising instance
management and initialization into the low-level
hci_remove_adv_instance() and hci_adv_instances_clear() functions.

The method now references the clear_adv_instance() helper method to
remove duplicate logic and code.

Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>