1. 06 Jan, 2014 1 commit
    • Johan Hedberg's avatar
      Bluetooth: Fix NULL pointer dereference when disconnecting · 8cef8f50
      Johan Hedberg authored
      When disconnecting it is possible that the l2cap_conn pointer is already
      NULL when bt_6lowpan_del_conn() is entered. Looking at l2cap_conn_del
      also verifies this as there's a NULL check there too. This patch adds
      the missing NULL check without which the following bug may occur:
      
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<c131e9c7>] bt_6lowpan_del_conn+0x19/0x12a
      *pde = 00000000
      Oops: 0000 [#1] SMP
      CPU: 1 PID: 52 Comm: kworker/u5:1 Not tainted 3.12.0+ #196
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      Workqueue: hci0 hci_rx_work
      task: f6259b00 ti: f48c0000 task.ti: f48c0000
      EIP: 0060:[<c131e9c7>] EFLAGS: 00010282 CPU: 1
      EIP is at bt_6lowpan_del_conn+0x19/0x12a
      EAX: 00000000 EBX: ef094e10 ECX: 00000000 EDX: 00000016
      ESI: 00000000 EDI: f48c1e60 EBP: f48c1e50 ESP: f48c1e34
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      CR0: 8005003b CR2: 00000000 CR3: 30c65000 CR4: 00000690
      Stack:
       f4d38000 00000000 f4d38000 00000002 ef094e10 00000016 f48c1e60 f48c1e70
       c1316bed f48c1e84 c1316bed 00000000 00000001 ef094e10 f48c1e84 f48c1ed0
       c1303cc6 c1303c7b f31f331a c1303cc6 f6e7d1c0 f3f8ea16 f3f8f380 f4d38008
      Call Trace:
       [<c1316bed>] l2cap_disconn_cfm+0x3f/0x5b
       [<c1316bed>] ? l2cap_disconn_cfm+0x3f/0x5b
       [<c1303cc6>] hci_event_packet+0x645/0x2117
       [<c1303c7b>] ? hci_event_packet+0x5fa/0x2117
       [<c1303cc6>] ? hci_event_packet+0x645/0x2117
       [<c12681bd>] ? __kfree_skb+0x65/0x68
       [<c12681eb>] ? kfree_skb+0x2b/0x2e
       [<c130d3fb>] ? hci_send_to_sock+0x18d/0x199
       [<c12fa327>] hci_rx_work+0xf9/0x295
       [<c12fa327>] ? hci_rx_work+0xf9/0x295
       [<c1036d25>] process_one_work+0x128/0x1df
       [<c1346a39>] ? _raw_spin_unlock_irq+0x8/0x12
       [<c1036d25>] ? process_one_work+0x128/0x1df
       [<c103713a>] worker_thread+0x127/0x1c4
       [<c1037013>] ? rescuer_thread+0x216/0x216
       [<c103aec6>] kthread+0x88/0x8d
       [<c1040000>] ? task_rq_lock+0x37/0x6e
       [<c13474b7>] ret_from_kernel_thread+0x1b/0x28
       [<c103ae3e>] ? __kthread_parkme+0x50/0x50
      Code: 05 b8 f4 ff ff ff 8d 65 f4 5b 5e 5f 5d 8d 67 f8 5f c3 57 8d 7c 24 08 83 e4 f8 ff 77 fc 55 89 e5 57 56f
      EIP: [<c131e9c7>] bt_6lowpan_del_conn+0x19/0x12a SS:ESP 0068:f48c1e34
      CR2: 0000000000000000
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      8cef8f50
  2. 04 Jan, 2014 2 commits
    • Marcel Holtmann's avatar
      Bluetooth: Deal with USB devices that are faking CSR vendor · 81cac64b
      Marcel Holtmann authored
      There exists a set of Bluetooth USB devices that show up on the USB
      bus as 0a12:0001 and identify themselves as devices from CSR. However
      they are not. When sending Read Local Version command they now have
      a split personality and say they are from Broadcom.
      
        < HCI Command: Read Local Version Information (0x04|0x0001) plen 0
        > HCI Event: Command Complete (0x0e) plen 12
            Read Local Version Information (0x04|0x0001) ncmd 1
            status 0x00
            HCI Version: 2.0 (0x3) HCI Revision: 0x3000
            LMP Version: 2.0 (0x3) LMP Subversion: 0x420b
            Manufacturer: Broadcom Corporation (15)
      
      The assumption is that they are neither CSR nor Broadcom based devices
      and that they are designed and manufactured by someone else.
      
      For the most parts they follow the Bluetooth HCI specification and
      can be used as standard Bluetooth devices. However they have the
      minor problem that the Delete Stored Link Key command is not working
      as it should.
      
      During the Bluetooth controller setup, this command is needed if
      stored link keys are supported. For these devices it has to be
      assumed that this is broken and so just set a quirk to clearly
      indicate the behavior. After that the setup can just proceed.
      
      Now the trick part is to detect these faulty devices since we do
      not want to punish all CSR and all Broadcom devices. The original
      devices do actually work according to the specification.
      
      What is known so far is that these broken devices set the USB bcdDevice
      revision information to 1.0 or less.
      
      T:  Bus=02 Lev=01 Prnt=01 Port=08 Cnt=03 Dev#=  9 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0a12 ProdID=0001 Rev= 1.00
      S:  Manufacturer=Bluetooth v2.0
      S:  Product=Bluetooth V2.0 Dongle
      
      T:  Bus=05 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0a12 ProdID=0001 Rev= 0.07
      
      In case of CSR devices, the bcdDevice revision contains the firmware
      build ID and that is normally a higher value. If the bcdDevice revision
      is 1.0 or less, then an extra setup stage is checking if Read Local
      Version returns CSR manufacturer information. If not then it will be
      assumed that this is a broken device and the Delete Stored Link Key
      command will be marked as broken.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      81cac64b
    • Marcel Holtmann's avatar
      Bluetooth: Add quirk for disabling Delete Stored Link Key command · f9f462fa
      Marcel Holtmann authored
      Some controller pretend they support the Delete Stored Link Key command,
      but in reality they really don't support it.
      
        < HCI Command: Delete Stored Link Key (0x03|0x0012) plen 7
            bdaddr 00:00:00:00:00:00 all 1
        > HCI Event: Command Complete (0x0e) plen 4
            Delete Stored Link Key (0x03|0x0012) ncmd 1
            status 0x11 deleted 0
            Error: Unsupported Feature or Parameter Value
      
      Not correctly supporting this command causes the controller setup to
      fail and will make a device not work. However sending the command for
      controller that handle stored link keys is important. This quirk
      allows a driver to disable the command if it knows that this command
      handling is broken.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      f9f462fa
  3. 29 Dec, 2013 2 commits
  4. 23 Dec, 2013 1 commit
  5. 17 Dec, 2013 8 commits
  6. 14 Dec, 2013 2 commits
  7. 12 Dec, 2013 3 commits
  8. 11 Dec, 2013 5 commits
  9. 10 Dec, 2013 1 commit
  10. 08 Dec, 2013 1 commit
  11. 07 Dec, 2013 1 commit
  12. 06 Dec, 2013 2 commits
  13. 05 Dec, 2013 11 commits