openwrt/staging/blogic.git
10 years agoBluetooth: Fix canceling RPA expiry timer
Johan Hedberg [Mon, 24 Feb 2014 18:35:07 +0000 (20:35 +0200)]
Bluetooth: Fix canceling RPA expiry timer

The RPA expiry timer is only initialized inside mgmt.c when we receive
the first command from user space. This action also involves setting the
HCI_MGMT flag for the first time so that flag acts as a good indicator
of whether the delayed work variable can be touched or not. This patch
fixes hci_dev_do_close to first check the flag.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Enable RPA resolving if mgmt_set_privacy is called
Johan Hedberg [Mon, 24 Feb 2014 09:10:30 +0000 (11:10 +0200)]
Bluetooth: Enable RPA resolving if mgmt_set_privacy is called

A user space that supports the Set Privacy command is also expected to
be able to handle New IRK events. Therefore, set the HCI_RPA_RESOLVING
flag whenever the Set Privacy command is received.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Export current local RPA with identity information
Marcel Holtmann [Mon, 24 Feb 2014 04:39:23 +0000 (20:39 -0800)]
Bluetooth: Export current local RPA with identity information

The identity information in debugfs currently do not include the
current in use local RPA. Since the RPA is now stored in the
controller information, include it in the debugfs as well.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Store current RPA and update it if needed
Marcel Holtmann [Mon, 24 Feb 2014 04:39:22 +0000 (20:39 -0800)]
Bluetooth: Store current RPA and update it if needed

The RPA needs to be stored to know which is the current one. Otherwise
it is impossible to ensure that always the correct RPA can be programmed
into the controller when it is needed.

Current code checks if the address in the controller is a RPA, but that
can potentially lead to using a RPA that can not be resolved with the
IRK that has been distributed.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Use privacy mode for non-connectable advertising
Marcel Holtmann [Mon, 24 Feb 2014 04:25:55 +0000 (20:25 -0800)]
Bluetooth: Use privacy mode for non-connectable advertising

When enabling non-connectable advertising, there is no need to advertise
with a public address or static address. In case LE privacy has not been
enabled a unresolvable private address will be used.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Use unresolvable private address for active scanning
Marcel Holtmann [Mon, 24 Feb 2014 04:25:54 +0000 (20:25 -0800)]
Bluetooth: Use unresolvable private address for active scanning

When running active scanning during LE discovery, do not reveal the own
identity to the peer devices. In case LE privacy has been enabled, then
a resolvable private address is used. If the LE privacy option is off,
then use an unresolvable private address.

The public address or static random address is never used in active
scanning anymore. This ensures that scan request are send using a
random address.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Expose current identity information in debugfs
Marcel Holtmann [Sun, 23 Feb 2014 20:44:25 +0000 (12:44 -0800)]
Bluetooth: Expose current identity information in debugfs

When using LE Privacy it is useful to know the local identity address,
identity address type and identity resolving key. For debugging purposes
add these information to debugfs.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Remove unneeded hdev->own_addr_type
Johan Hedberg [Sun, 23 Feb 2014 17:42:29 +0000 (19:42 +0200)]
Bluetooth: Remove unneeded hdev->own_addr_type

Now that the identity address type is always looked up for all
successful connections, the hdev->own_addr_type variable has become
completely unnecessary. Simply remove it.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix setting correct src_type when connecting LE
Johan Hedberg [Sun, 23 Feb 2014 17:42:28 +0000 (19:42 +0200)]
Bluetooth: Fix setting correct src_type when connecting LE

This patch ensures that conn->src_type contains the same address type as
is used for initiating the connection while the connection attempt is in
progress. Once connected this value will be overwritten with the
identity address type.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add support for Set Privacy command
Johan Hedberg [Sun, 23 Feb 2014 17:42:27 +0000 (19:42 +0200)]
Bluetooth: Add support for Set Privacy command

This patch adds support for handling the Set Privacy mgmt command,
including copying the value to hdev->irk and toggling the HCI_PRIVACY
flag.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add debugfs entry for RPA regeneration timeout
Johan Hedberg [Sun, 23 Feb 2014 17:42:26 +0000 (19:42 +0200)]
Bluetooth: Add debugfs entry for RPA regeneration timeout

This patch adds a rpa_timeout debugfs entry which can be used to set the
RPA regeneration timeout to something else than the default 15 minutes.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Don't write static address during power on
Johan Hedberg [Sun, 23 Feb 2014 17:42:25 +0000 (19:42 +0200)]
Bluetooth: Don't write static address during power on

Since we always update the random address before enabling advertising,
scanning and initiating LE connections there is no need to write the
random address add power on.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Use hci_update_random_address() for initiating LE scan
Johan Hedberg [Sun, 23 Feb 2014 17:42:24 +0000 (19:42 +0200)]
Bluetooth: Use hci_update_random_address() for initiating LE scan

When we start LE scanning we need to update the local random address if
necessary. This patch updates the code to use hci_update_random_address()
for setting the own_address_type scan parameter and updating the local
random address if necessary.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Use hci_update_random_address() for enabling advertising
Johan Hedberg [Sun, 23 Feb 2014 17:42:23 +0000 (19:42 +0200)]
Bluetooth: Use hci_update_random_address() for enabling advertising

When we enable advertising we need to update the local random address if
necessary. This patch takes advantage of the hci_update_random_address()
function to set the own_address_type variable and to update the local
random address if necessary.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Use hci_update_random_address() when connecting LE
Johan Hedberg [Sun, 23 Feb 2014 17:42:22 +0000 (19:42 +0200)]
Bluetooth: Use hci_update_random_address() when connecting LE

When we initiate LE connections we need to update the local random
address if necessary. This patch updates the LE connection creation
mechanism to use the new hci_update_random_address() function to set the
own_address_type parameter and to update the local random address if
necessary.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add hci_update_random_address() convenience function
Johan Hedberg [Sun, 23 Feb 2014 17:42:21 +0000 (19:42 +0200)]
Bluetooth: Add hci_update_random_address() convenience function

This patch adds a convenience function for updating the local random
address which is needed before advertising, scanning and initiating LE
connections.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add timer for regenerating local RPA
Johan Hedberg [Sun, 23 Feb 2014 17:42:20 +0000 (19:42 +0200)]
Bluetooth: Add timer for regenerating local RPA

This patch adds a timer for updating the local RPA periodically. The
default timeout is set to 15 minutes.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add SMP function for generating RPAs
Johan Hedberg [Sun, 23 Feb 2014 17:42:19 +0000 (19:42 +0200)]
Bluetooth: Add SMP function for generating RPAs

We need a function in smp.c to generate Resolvable Random Addresses in
order to support privacy. The local RPA will need to be generated before
advertising, scanning or connecting and regenerated at periodic
intervals. This patch adds the necessary function for RPA generation.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Set the correct values for Identity Address Information
Johan Hedberg [Sun, 23 Feb 2014 17:42:18 +0000 (19:42 +0200)]
Bluetooth: Set the correct values for Identity Address Information

The SMP Identity Address Information PDU should contain our Identity
Address. This patch updates the code to copy the correct values from the
hci_conn object.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Ensure hci_conn always contains the local identity address
Johan Hedberg [Sun, 23 Feb 2014 17:42:17 +0000 (19:42 +0200)]
Bluetooth: Ensure hci_conn always contains the local identity address

To be consistent with the remote address info in hci_conn we want it to
also contain the local identity address information. This patch updates
the code to copy the right values in place whenever an LE connection has
been established.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add Privacy flag to mgmt supported/current settings
Johan Hedberg [Sat, 22 Feb 2014 17:06:35 +0000 (19:06 +0200)]
Bluetooth: Add Privacy flag to mgmt supported/current settings

This patch makes sure that the Privacy flag is available in the mgmt
supported settings for all LE capable controllers and in the current
settings whenever the HCI_PRIVACY flag is set.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add mgmt defines for privacy
Johan Hedberg [Sat, 22 Feb 2014 17:06:34 +0000 (19:06 +0200)]
Bluetooth: Add mgmt defines for privacy

This patch adds basic mgmt defines for enabling privacy. This includes a
new setting flag as well as the Set Privacy command.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Move enable/disable_advertising higher up in mgmt.c
Johan Hedberg [Sat, 22 Feb 2014 17:06:33 +0000 (19:06 +0200)]
Bluetooth: Move enable/disable_advertising higher up in mgmt.c

These functions will soon be needed by the RPA regeneration timeout so
move them higher up in mgmt.c to avoid a forward declaration.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add initial code for distributing local IRK
Johan Hedberg [Sat, 22 Feb 2014 17:06:32 +0000 (19:06 +0200)]
Bluetooth: Add initial code for distributing local IRK

This code adds a HCI_PRIVACY flag to track whether Privacy support is
enabled (meaning we have a local IRK) and makes sure the IRK is
distributed during SMP key distribution in case this flag is set.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add helper variables to smp_distribute_keys()
Johan Hedberg [Sat, 22 Feb 2014 17:06:31 +0000 (19:06 +0200)]
Bluetooth: Add helper variables to smp_distribute_keys()

This patch a couple of helper variables to the smp_distribute_keys
function in order to avoid long chains of dereferences and thereby help
readability.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix issue with missing management event opcode
Marcel Holtmann [Sat, 22 Feb 2014 05:35:30 +0000 (21:35 -0800)]
Bluetooth: Fix issue with missing management event opcode

The event opcode for New Identity Resolving Key event is missing from
supported event list. Just add it there.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Fix iterating wrong list in hci_remove_irk()
Johan Hedberg [Fri, 21 Feb 2014 14:03:31 +0000 (16:03 +0200)]
Bluetooth: Fix iterating wrong list in hci_remove_irk()

We should be iterating hdev->identity_resolving_keys in the
hci_remove_irk() function instead of hdev->long_term_keys. This patch
fixes the issue.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
10 years agoBluetooth: Increase minor version of core module
Marcel Holtmann [Thu, 20 Feb 2014 20:44:20 +0000 (12:44 -0800)]
Bluetooth: Increase minor version of core module

With the addition of Resolvable Private Address (RPA) resolution
support for Bluetooth Low Energy connections, it makes sense to
increase the minor version of the Bluetooth core module.

The module version is not used anywhere, but it gives a nice extra
hint for debugging purposes.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Provide option for changing LE advertising channel map
Marcel Holtmann [Thu, 20 Feb 2014 19:55:56 +0000 (11:55 -0800)]
Bluetooth: Provide option for changing LE advertising channel map

For testing purposes it is useful to provide an option to change the
advertising channel map. So add a debugfs option to allow this.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Fix channel check when binding RFCOMM sock
Andrzej Kaczmarek [Thu, 20 Feb 2014 15:42:01 +0000 (16:42 +0100)]
Bluetooth: Fix channel check when binding RFCOMM sock

When binding RFCOMM socket with non-zero channel we're checking if
there is already any other socket which has the same channel number
assigned and then fail. This check does not consider situation where
we have another socket connected to remote device on given channel
number in which case we still should be able to bind local socket.

This patch changes __rfcomm_get_sock_by_addr() to return only sockets
in either BT_BOUND or BT_LISTEN states, also name is updated to better
describe what this function does now.

Signed-off-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Track the current configured random address
Marcel Holtmann [Thu, 20 Feb 2014 03:52:13 +0000 (19:52 -0800)]
Bluetooth: Track the current configured random address

For Bluetooth controllers with LE support, track the value of the
currently configured random address. It is important to know what
the current random address is to avoid unneeded attempts to set
a new address. This will become important when introducing the
LE privacy support in the future.

In addition expose the current configured random address via
debugfs for debugging purposes.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Replace own_address_type with force_static_address debugfs
Marcel Holtmann [Thu, 20 Feb 2014 03:31:26 +0000 (19:31 -0800)]
Bluetooth: Replace own_address_type with force_static_address debugfs

The own_address_type debugfs option does not providing enough
flexibity for interacting with the upcoming LE privacy support.

What really is needed is an option to force using the static address
compared to the public address. The new force_static_address debugfs
option does exactly that. In addition it is also only available when
the controller does actually have a public address. For single mode
LE only controllers this option will not be available.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Add comment explainging store hint for long term keys
Marcel Holtmann [Thu, 20 Feb 2014 01:11:58 +0000 (17:11 -0800)]
Bluetooth: Add comment explainging store hint for long term keys

The code itself is not descriptive on what store hint is used for
long term keys and why. So add some extensive comment here. Similar
to what has already been done for identity resolving key store hint.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Don't send store hint for devices using identity addresses
Marcel Holtmann [Wed, 19 Feb 2014 19:51:54 +0000 (11:51 -0800)]
Bluetooth: Don't send store hint for devices using identity addresses

The identity resolving keys should only be stored for devices using
resolvable random addresses. If the device is already using an
identity address, inform it about the new identity resolving key,
but tell userspace that this key is not persistent.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Add support for sending New IRK event
Johan Hedberg [Wed, 19 Feb 2014 13:18:31 +0000 (15:18 +0200)]
Bluetooth: Add support for sending New IRK event

This patch adds the necessary helper function to send the New IRK mgmt
event and makes sure that the function is called at when SMP key
distribution has completed. The event is sent before the New LTK event
so user space knows which remote device to associate with the keys.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Move SMP LTK notification after key distribution
Johan Hedberg [Wed, 19 Feb 2014 12:57:47 +0000 (14:57 +0200)]
Bluetooth: Move SMP LTK notification after key distribution

This patch moves the SMP Long Term Key notification over mgmt from the
hci_add_ltk function to smp.c when both sides have completed their key
distribution. This way we are also able to update the identity address
into the mgmt_new_ltk event.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Track SMP keys in the SMP context
Johan Hedberg [Wed, 19 Feb 2014 12:57:46 +0000 (14:57 +0200)]
Bluetooth: Track SMP keys in the SMP context

As preparation to do mgmt notification in a single place at the end of
the key distribution, store the keys that need to be notified within the
SMP context.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Move New LTK store hint evaluation into mgmt_new_ltk
Johan Hedberg [Wed, 19 Feb 2014 12:57:45 +0000 (14:57 +0200)]
Bluetooth: Move New LTK store hint evaluation into mgmt_new_ltk

It's simpler (one less if-statement) to just evaluate the appropriate
value for store_hint in the mgmt_new_ltk function than to pass a boolean
parameter to the function. Furthermore, this simplifies moving the mgmt
event emission out from hci_add_ltk in subsequent patches.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Return added key when adding LTKs and IRKs
Johan Hedberg [Wed, 19 Feb 2014 12:57:44 +0000 (14:57 +0200)]
Bluetooth: Return added key when adding LTKs and IRKs

The SMP code will need to postpone the mgmt event emission for the IRK
and LTKs. To avoid extra lookups at the end of the key distribution
simply return the added value from the add_ltk and add_irk functions.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Avoid using GFP_ATOMIC where not necessary
Johan Hedberg [Wed, 19 Feb 2014 12:57:43 +0000 (14:57 +0200)]
Bluetooth: Avoid using GFP_ATOMIC where not necessary

The various pieces of data cached in the hci_dev structure do not need
to be allocated using GFP_ATOMIC since they are never added from
interrupt context. This patch updates these allocations to use
GFP_KERNEL instead.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Use same LE min/max connection event length during update
Marcel Holtmann [Wed, 19 Feb 2014 06:27:14 +0000 (22:27 -0800)]
Bluetooth: Use same LE min/max connection event length during update

During LE connection establishment the value 0x0000 is used for min/max
connection event length. So use the same value when the peripheral is
requesting an update of the the connection paramters.

For some reason the value 0x0001 got used in the connection update and
0x0000 in the connection creation. Using the same value for both just
makes sense.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Expose current list of identity resolving keys via debugfs
Marcel Holtmann [Wed, 19 Feb 2014 05:54:49 +0000 (21:54 -0800)]
Bluetooth: Expose current list of identity resolving keys via debugfs

For debugging purposes expose the current list of identity resolving
keys via debugfs. This file is read-only and limited to root access.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Fix wrong identity address during connection failures
Marcel Holtmann [Tue, 18 Feb 2014 23:13:43 +0000 (15:13 -0800)]
Bluetooth: Fix wrong identity address during connection failures

When the connection attempt fails, the address information are not
provided in the HCI_LE_Connection_Complete event. So use the original
information from the connection to reconstruct the identity address.

This is important when a connection attempt has been made using the
identity address, but the cached resolvable random address has changed
in the meantime. The failure event needs to use the identity address
and not the resolvable random address.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Use connection address for reporting connection failures
Marcel Holtmann [Tue, 18 Feb 2014 22:22:20 +0000 (14:22 -0800)]
Bluetooth: Use connection address for reporting connection failures

When reporting connect failed events to userspace, use the address
of the connection and not the address from the HCI event.

This change is strictly speaking not needed since BR/EDR does not
have the concept of resolvable random addresses. It is more for
making the code consistent.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Report identity address when remote device connects
Marcel Holtmann [Tue, 18 Feb 2014 22:22:19 +0000 (14:22 -0800)]
Bluetooth: Report identity address when remote device connects

When the remote device has been successfully connected, report the
identity address (public address or static random address).

Currently the address from the HCI_LE_Connection_Complete event is
used. This was no problem so far, but since now known resolvable
random addresses are converted into identities, it is important to
use the identity of the connection and not the address report by
HCI event.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Print error when dropping L2CAP data
Szymon Janc [Tue, 18 Feb 2014 19:48:34 +0000 (20:48 +0100)]
Bluetooth: Print error when dropping L2CAP data

Silently dropping L2CAP data (i.e. due to remote device not obeying
negotiated MTU) is confusing and makes debugging harder.

Signed-off-by: Szymon Janc <szymon.janc@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Use Identity Address in Device Found event
Johan Hedberg [Tue, 18 Feb 2014 19:41:37 +0000 (21:41 +0200)]
Bluetooth: Use Identity Address in Device Found event

Whenever a device uses an RPA we want to have user space identify it by
its Identity Address if we've got an IRK available for it. This patch
updates the Device Found mgmt event to contain the Identity Address if
an IRK is available for the device in question.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Look up RPA for connection requests with Identity Address
Johan Hedberg [Tue, 18 Feb 2014 19:41:36 +0000 (21:41 +0200)]
Bluetooth: Look up RPA for connection requests with Identity Address

We need to check whether there's a matching IRK and RPA when we're
requested to connect to a remote LE device based on its Identity
Address. This patch updates the hci_connect_le function to do an extra
call to hci_find_irk_by_addr and uses the RPA if it's cached. This is
particularly important once we start exposing the Identity Address to
user space instead of the RPA in events such as Device Connected and
Device Found.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Don't try to look up private addresses as Identity Address
Johan Hedberg [Tue, 18 Feb 2014 19:41:35 +0000 (21:41 +0200)]
Bluetooth: Don't try to look up private addresses as Identity Address

Identity Addresses are either public or static random. When looking up
addresses based on the Identity Address it doesn't make sense to go
through the IRK list if we're given a private random address. This patch
fixes (or rather improves) the hci_find_irk_by_addr function to bail out
early if given a private random address.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Wait for SMP key distribution completion when pairing
Johan Hedberg [Tue, 18 Feb 2014 19:41:34 +0000 (21:41 +0200)]
Bluetooth: Wait for SMP key distribution completion when pairing

When we initiate pairing through mgmt_pair_device the code has so far
been waiting for a successful HCI Encrypt Change event in order to
respond to the mgmt command. However, putting privacy into the play we
actually want the key distribution to be complete before replying so
that we can include the Identity Address in the mgmt response.

This patch updates the various hci_conn callbacks for LE in mgmt.c to
only respond in the case of failure, and adds a new mgmt_smp_complete
function that the SMP code will call once key distribution has been
completed.

Since the smp_chan_destroy function that's used to indicate completion
and clean up the SMP context can be called from various places,
including outside of smp.c, the easiest way to track failure vs success
is a new flag that we set once key distribution has been successfully
completed.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix updating Identity Address in L2CAP channels
Johan Hedberg [Tue, 18 Feb 2014 19:41:33 +0000 (21:41 +0200)]
Bluetooth: Fix updating Identity Address in L2CAP channels

When we receive a remote identity address during SMP key distribution we
should ensure that any associated L2CAP channel instances get their
address information correspondingly updated (so that e.g. doing
getpeername on associated sockets returns the correct address).

This patch adds a new L2CAP core function l2cap_conn_update_id_addr()
which is used to iterate through all L2CAP channels associated with a
connection and update their address information.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Track the LE Identity Address in struct hci_conn
Johan Hedberg [Tue, 18 Feb 2014 19:41:32 +0000 (21:41 +0200)]
Bluetooth: Track the LE Identity Address in struct hci_conn

Since we want user space to see and use the LE Identity Address whenever
interfacing with the kernel it makes sense to track that instead of the
real address (the two will only be different in the case of an RPA).
This patch adds the necessary updates to when an LE connection gets
established and when receiving the Identity Address from a remote
device.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Remove SMP data specific crypto context
Johan Hedberg [Tue, 18 Feb 2014 19:41:31 +0000 (21:41 +0200)]
Bluetooth: Remove SMP data specific crypto context

Now that each HCI device has its own AES crypto context we don't need
the one stored in the SMP data any more. This patch removes the variable
from struct smp_chan and updates the SMP code to use the per-hdev crypto
context.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: append new supported device to the list [0b05:17d0]
Andy Shevchenko [Tue, 18 Feb 2014 16:26:20 +0000 (18:26 +0200)]
Bluetooth: append new supported device to the list [0b05:17d0]

The device found on Asus Z87 Expert motherboard requires firmware to work
correctly.

T:  Bus=03 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0b05 ProdID=17d0 Rev=00.02
C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: sort the list of IDs in the source code
Andy Shevchenko [Tue, 18 Feb 2014 16:26:19 +0000 (18:26 +0200)]
Bluetooth: sort the list of IDs in the source code

This will help to manage table of supported IDs.

There is no functional change.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: allocate static minor for vhci
Lucas De Marchi [Tue, 18 Feb 2014 05:19:26 +0000 (02:19 -0300)]
Bluetooth: allocate static minor for vhci

Commit bfacbb9 (Bluetooth: Use devname:vhci module alias for virtual HCI
driver) added the module alias to hci_vhci module so it's possible to
create the /dev/vhci node. However creating an alias without
specifying the minor doesn't allow us to create the node ahead,
triggerring module auto-load when it's first accessed.

Starting with depmod from kmod 16 we started to warn if there's a
devname alias without specifying the major and minor.

Let's do the same done for uhid, kvm, fuse and others, specifying a
fixed minor. In systems with systemd as the init the following will
happen: on early boot systemd will call "kmod static-nodes" to read
/lib/modules/$(uname -r)/modules.devname and then create the nodes. When
first accessed these "dead" nodes will trigger the module loading.

Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add convenience function for fetching IRKs
Johan Hedberg [Tue, 18 Feb 2014 15:14:36 +0000 (17:14 +0200)]
Bluetooth: Add convenience function for fetching IRKs

There are many situations where we need to check if an LE address is an
RPA and if so try to look up the IRK for it. To simplify such cases this
patch adds a convenience function for the job.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix removing any IRKs when unpairing devices
Johan Hedberg [Tue, 18 Feb 2014 15:14:35 +0000 (17:14 +0200)]
Bluetooth: Fix removing any IRKs when unpairing devices

When mgmt_unpair_device is called we should also remove any associated
IRKs. This patch adds a hci_remove_irk convenience function and ensures
that it's called when mgmt_unpair_device is called.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix completing SMP as peripheral when no keys are expected
Johan Hedberg [Tue, 18 Feb 2014 15:14:34 +0000 (17:14 +0200)]
Bluetooth: Fix completing SMP as peripheral when no keys are expected

When we're the acceptors (peripheral/slave) of an SMP procedure and
we've completed distributing our keys we should only stick around
waiting for keys from the remote side if any of the initiator
distribution bits were actually set. This patch fixes the
smp_distribute_keys function to clear the SMP context when this
situation occurs.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix hci_remove_ltk failure when no match is found
Johan Hedberg [Tue, 18 Feb 2014 15:14:33 +0000 (17:14 +0200)]
Bluetooth: Fix hci_remove_ltk failure when no match is found

There is code (in mgmt.c) that depends on the hci_remove_ltk function to
fail if no match is found. This patch adds tracking of removed LTKs
(there can be up to two: one for master and another for slave) in the
hci_remove_ltk function and returns -ENOENT of no matches were found.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Remove return values from functions that don't need them
Johan Hedberg [Tue, 18 Feb 2014 15:14:32 +0000 (17:14 +0200)]
Bluetooth: Remove return values from functions that don't need them

There are many functions that never fail but still declare an integer
return value for no reason. This patch converts these functions to use a
void return value to avoid any confusion of whether they can fail or not.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix missing address type check for removing LTKs
Johan Hedberg [Tue, 18 Feb 2014 15:14:31 +0000 (17:14 +0200)]
Bluetooth: Fix missing address type check for removing LTKs

When removing Long Term Keys we should also be checking that the given
address type (public vs random) matches. This patch updates the
hci_remove_ltk function to take an extra parameter and uses it for
address type matching.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix properly ignoring unexpected SMP PDUs
Johan Hedberg [Tue, 18 Feb 2014 08:19:37 +0000 (10:19 +0200)]
Bluetooth: Fix properly ignoring unexpected SMP PDUs

If we didn't request certain pieces of information during the key
distribution negotiation we should properly ignore those PDUs if the
peer incorrectly sends them. This includes the Encryption Information
and Master Identification PDUs if the EncKey bit was not set, and the
Identity Information and Identity Address Information PDUs if the IdKey
bit was not set.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Enable support for remote IRK distribution
Johan Hedberg [Tue, 18 Feb 2014 08:19:36 +0000 (10:19 +0200)]
Bluetooth: Enable support for remote IRK distribution

This patch does the necessary changes to request the remote device to
distribute its IRK to us during the SMP pairing procedure. This includes
setting the right key distribution values in the pairing
request/response and handling of the two related SMP PDUs, i.e. Identity
Information and Identity Address Information.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Implement mgmt_load_irks command
Johan Hedberg [Tue, 18 Feb 2014 08:19:35 +0000 (10:19 +0200)]
Bluetooth: Implement mgmt_load_irks command

This patch implements the Load IRKs command for the management
interface. The command is used to load the kernel with the initial set
of IRKs. It also sets a HCI_RPA_RESOLVING flag to indicate that we can
start requesting devices to distribute their IRK to us.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add hci_bdaddr_is_rpa convenience function
Johan Hedberg [Tue, 18 Feb 2014 08:19:34 +0000 (10:19 +0200)]
Bluetooth: Add hci_bdaddr_is_rpa convenience function

When implementing support for Resolvable Private Addresses (RPAs) we'll
need to in several places be able to identify such addresses. This patch
adds a simple convenience function to do the identification of the
address type.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add basic IRK management support
Johan Hedberg [Tue, 18 Feb 2014 08:19:33 +0000 (10:19 +0200)]
Bluetooth: Add basic IRK management support

This patch adds the initial IRK storage and management functions to the
HCI core. This includes storing a list of IRKs per HCI device and the
ability to add, remove and lookup entries in that list.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add AES crypto context for each HCI device
Johan Hedberg [Tue, 18 Feb 2014 08:40:07 +0000 (10:40 +0200)]
Bluetooth: Add AES crypto context for each HCI device

Previously the crypto context has only been available for LE SMP
sessions, but now that we'll need to perform operations also during
discovery it makes sense to have this context part of the hci_dev
struct. Later, the context can be removed from the SMP context.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Add smp_irk_matches helper function
Johan Hedberg [Tue, 18 Feb 2014 08:19:31 +0000 (10:19 +0200)]
Bluetooth: Add smp_irk_matches helper function

This patch adds a helper function to check whether a given IRK matches a
given Resolvable Private Address (RPA). The function will be needed for
implementing the rest of address resolving support.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix minor whitespace issues in SMP code
Johan Hedberg [Tue, 18 Feb 2014 08:19:30 +0000 (10:19 +0200)]
Bluetooth: Fix minor whitespace issues in SMP code

This patch fixes a couple of unnecessary empty lines in the SMP code.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix missing PDU length checks for SMP
Johan Hedberg [Tue, 18 Feb 2014 08:19:29 +0000 (10:19 +0200)]
Bluetooth: Fix missing PDU length checks for SMP

For each received SMP PDU we need to check that we have enough data to
fit the specified size of the PDU. This patch adds the necessary checks
for each SMP PDU handler and ensures that buffer overflows do not occur
if to little data has been received.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Allow HCI User Channel usage for controllers without address
Marcel Holtmann [Mon, 17 Feb 2014 17:21:19 +0000 (09:21 -0800)]
Bluetooth: Allow HCI User Channel usage for controllers without address

Trying to setup HCI User Channel usage for LE only controllers without
a public address or configured static address will fail with an error
saying that no address is available.

In case of HCI User Channel the requirement for a valid address is not
needed. So allow skipping this extra validation step.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Add missing index added event on user channel failure
Marcel Holtmann [Mon, 17 Feb 2014 17:21:18 +0000 (09:21 -0800)]
Bluetooth: Add missing index added event on user channel failure

When the setup of user channel fails, the index added event is not sent
and will cause issues with user interaction. This problem can be easily
triggered with a LE only controller without a public address. In that
case hci_dev_open() fails and that error case is not sending an event
saying that the controller is available for normal use again.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Fix sending wrong store hint for new long term keys
Marcel Holtmann [Sun, 16 Feb 2014 20:59:06 +0000 (12:59 -0800)]
Bluetooth: Fix sending wrong store hint for new long term keys

The long term keys should only be stored when they belong to an
indentity address. The identity address can either be a public
address or a random static address.

For all other addresses (unresovable or resolvable) tell userspace
that the long term key is not persistent.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: Restrict long term keys to public and static addresses
Marcel Holtmann [Sun, 16 Feb 2014 20:59:05 +0000 (12:59 -0800)]
Bluetooth: Restrict long term keys to public and static addresses

The long term keys should be associated with an identity address. Valid
identity addresses are public addresses or static addresses. So only
allow these two as valid address information for long term keys.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
10 years agoBluetooth: btusb: Add IMC Networks (Broadcom based)
Jurgen Kramer [Sat, 15 Feb 2014 11:01:09 +0000 (12:01 +0100)]
Bluetooth: btusb: Add IMC Networks (Broadcom based)

Add support for IMC Networks (Broadcom based) to btusb driver.

Below the output of /sys/kernel/debug/usb/devices for this device:

T:  Bus=01 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=13d3 ProdID=3404 Rev= 1.12
S:  Manufacturer=Broadcom Corp
S:  Product=BCM20702A0
S:  SerialNumber=240A649F8246
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

Signed-off-by: Jurgen Kramer <gtmkramer@xs4all.nl>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix write_room() calculation
Peter Hurley [Mon, 10 Feb 2014 01:59:24 +0000 (20:59 -0500)]
Bluetooth: Fix write_room() calculation

The skb truesize of a 12-byte payload with a 10-byte head/tail
reserve is 768 bytes. Consequently, even with 40 tx_credits, at
most 6 packets could be queued at any one time:

  40 tx_credits * 127-byte mtu < 768-byte truesize * 7

This error could also cause the tx queue to apparently stall if
credit flow control is disabled (where tx_credits is fixed at 5),
or if the receiver only granted a limited number of tx credits
(eg., less than 7).

Instead, track the outstanding number of queued packets not yet sent
in wmem_alloc and allow for a maximum of 40 queued packets. Report
the space avail for a single write() as the mtu * number of packets
left before reaching the maximum.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Refactor write_room() calculation
Peter Hurley [Mon, 10 Feb 2014 01:59:23 +0000 (20:59 -0500)]
Bluetooth: Refactor write_room() calculation

Compute the amount of space available for a single write()
within rfcomm_room(); clamp to 0 for negative values. Note
this patch does not change the result of the computation.

Report the amount of room returned in the debug printk.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Don't fail RFCOMM tty writes
Peter Hurley [Mon, 10 Feb 2014 01:59:22 +0000 (20:59 -0500)]
Bluetooth: Don't fail RFCOMM tty writes

The tty driver api design prefers no-fail writes if the driver
write_room() method has previously indicated space is available
to accept writes. Since this is trivially possible for the
RFCOMM tty driver, do so.

Introduce rfcomm_dlc_send_noerror(), which queues but does not
schedule the krfcomm thread if the dlc is not yet connected
(and thus does not error based on the connection state).
The mtu size test is also unnecessary since the caller already
chunks the written data into mtu size.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Force -EIO from tty read/write if .activate() fails
Peter Hurley [Mon, 10 Feb 2014 01:59:21 +0000 (20:59 -0500)]
Bluetooth: Force -EIO from tty read/write if .activate() fails

If rfcomm_dlc_open() fails, set tty into error state which returns
-EIO from reads and writes.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Cleanup RFCOMM device registration error handling
Peter Hurley [Mon, 10 Feb 2014 01:59:20 +0000 (20:59 -0500)]
Bluetooth: Cleanup RFCOMM device registration error handling

If RFCOMM tty device registration fails, cleanup by releasing
the tty_port reference to trigger rfcomm_dev destruction
(rather than open-coding it).

The dlc reference release is moved into rfcomm_dev_add(),
which ensures cleanup in both error paths -- ie., if
__rfcomm_dev_add() fails or if tty_port_register_device() fails.

Fixes releasing the module reference if device registration fails.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Refactor rfcomm_dev_add()
Peter Hurley [Mon, 10 Feb 2014 01:59:19 +0000 (20:59 -0500)]
Bluetooth: Refactor rfcomm_dev_add()

Move rfcomm_dev allocation and initialization into new function,
__rfcomm_dev_add(), to simplify resource release in error handling.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls
Peter Hurley [Mon, 10 Feb 2014 01:59:18 +0000 (20:59 -0500)]
Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls

At least two different race conditions exist with multiple concurrent
RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls:
* Multiple concurrent RFCOMMCREATEDEVs with RFCOMM_REUSE_DLC can
  mistakenly share the same DLC.
* RFCOMMRELEASEDEV can destruct the rfcomm_dev still being
  constructed by RFCOMMCREATEDEV.

Introduce rfcomm_ioctl_mutex to serialize these add/remove operations.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Rename __rfcomm_dev_get() to __rfcomm_dev_lookup()
Peter Hurley [Mon, 10 Feb 2014 01:59:17 +0000 (20:59 -0500)]
Bluetooth: Rename __rfcomm_dev_get() to __rfcomm_dev_lookup()

Functions which search lists for matching id's are more
commonly named *_lookup, which is the convention in the
bluetooth core as well.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix RFCOMM parent device for reused dlc
Peter Hurley [Mon, 10 Feb 2014 01:59:16 +0000 (20:59 -0500)]
Bluetooth: Fix RFCOMM parent device for reused dlc

The RFCOMM tty device is parented to the acl link device when
the dlc state_change(BT_CONNECTED) notification is received.
However, if the dlc from the RFCOMM socket is being reused
(RFCOMM_REUSE_DLC is set), then the dlc may already be connected,
and no notification will occur.

Instead, always parent the RFCOMM tty device to the acl link
device at registration time. If the acl link device is not available
(eg, because the dlc is not connected) then the tty will remain
unparented until the BT_CONNECTED notification is received.

Fixes regression with ModemManager when the rfcomm device is
created with the flag RFCOMM_REUSE_DLC.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix unsafe RFCOMM device parenting
Peter Hurley [Mon, 10 Feb 2014 01:59:15 +0000 (20:59 -0500)]
Bluetooth: Fix unsafe RFCOMM device parenting

Accessing the results of hci_conn_hash_lookup_ba() is unsafe without
holding the hci_dev_lock() during the lookup. For example:

CPU 0                             | CPU 1
hci_conn_hash_lookup_ba           | hci_conn_del
  rcu_read_lock                   |   hci_conn_hash_del
  list_for_each_entry_rcu         |     list_del_rcu
    if (.....)                    |       synchronize_rcu
      rcu_read_unlock             |
                                  |   hci_conn_del_sysfs
                                  |   hci_dev_put
                                  |   hci_conn_put
                                  |     put_device (last reference)
                                  |       bt_link_release
                                  |         kfree(conn)
      return p  << just freed     |

Even if a hci_conn reference were taken (via hci_conn_get), would
not guarantee the lifetime of the sysfs device, but only safe
access to the in-memory structure.

Ensure the hci_conn device stays valid while the rfcomm device
is reparented; rename rfcomm_get_device() to rfcomm_reparent_device()
and perform the reparenting within the function while holding the
hci_dev_lock.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Directly close dlc for not yet started RFCOMM session
Peter Hurley [Mon, 10 Feb 2014 01:59:14 +0000 (20:59 -0500)]
Bluetooth: Directly close dlc for not yet started RFCOMM session

If the RFCOMM session has not yet been started (ie., session is
still in BT_BOUND state) when a dlc is closed, directly close and
unlink the dlc rather than sending a DISC frame that is never
sent.

This allows the dlci to be immediately reused rather than waiting
for a 20 second timeout.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Refactor dlc disconnect logic in rfcomm_dlc_close()
Peter Hurley [Mon, 10 Feb 2014 01:59:13 +0000 (20:59 -0500)]
Bluetooth: Refactor dlc disconnect logic in rfcomm_dlc_close()

Prepare for directly closing dlc if the RFCOMM session has not
yet been started; refactor the dlc disconnect logic into a separate
local function, __rfcomm_dlc_disconn(). Retains functional
equivalence.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Refactor deferred setup test in rfcomm_dlc_close()
Peter Hurley [Mon, 10 Feb 2014 01:59:12 +0000 (20:59 -0500)]
Bluetooth: Refactor deferred setup test in rfcomm_dlc_close()

Prepare for directly closing dlc if the RFCOMM session has not
yet been started; refactor the deferred setup test for only those
dlc states to which the test applies. Retains functional
equivalence.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Simplify RFCOMM session state eval
Peter Hurley [Mon, 10 Feb 2014 01:59:11 +0000 (20:59 -0500)]
Bluetooth: Simplify RFCOMM session state eval

Merge conditional test for BT_LISTEN session state into following
switch statement (which is functionally equivalent).

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Verify dlci not in use before rfcomm_dev create
Peter Hurley [Mon, 10 Feb 2014 01:59:10 +0000 (20:59 -0500)]
Bluetooth: Verify dlci not in use before rfcomm_dev create

Only one session/channel combination may be in use at any one
time. However, the failure does not occur until the tty is
opened (in rfcomm_dlc_open()).

Because these settings are actually bound at rfcomm device
creation (via RFCOMMCREATEDEV ioctl), validate and fail before
creating the rfcomm tty device.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix RFCOMM tty teardown race
Peter Hurley [Mon, 10 Feb 2014 01:59:09 +0000 (20:59 -0500)]
Bluetooth: Fix RFCOMM tty teardown race

RFCOMM tty device teardown can race with new tty device registration
for the same device id:

CPU 0                           | CPU 1
rfcomm_dev_add                  | rfcomm_dev_destruct
                                |   spin_lock
                                |   list_del   <== dev_id no longer used
                                |   spin_unlock
  spin_lock                     |     .
  [search rfcomm_dev_list]      |     .
  [dev_id not in use]           |     .
  [initialize new rfcomm_dev]   |     .
  spin_unlock                   |     .
                                |     .
  tty_port_register_device      |   tty_unregister_device

Don't remove rfcomm_dev from the device list until after tty device
unregistration has completed.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix unreleased rfcomm_dev reference
Peter Hurley [Mon, 10 Feb 2014 01:59:08 +0000 (20:59 -0500)]
Bluetooth: Fix unreleased rfcomm_dev reference

When RFCOMM_RELEASE_ONHUP is set, the rfcomm tty driver 'takes over'
the initial rfcomm_dev reference created by the RFCOMMCREATEDEV ioctl.
The assumption is that the rfcomm tty driver will release the
rfcomm_dev reference when the tty is freed (in rfcomm_tty_cleanup()).
However, if the tty is never opened, the 'take over' never occurs,
so when RFCOMMRELEASEDEV ioctl is called, the reference is not
released.

Track the state of the reference 'take over' so that the release
is guaranteed by either the RFCOMMRELEASEDEV ioctl or the rfcomm tty
driver.

Note that the synchronous hangup in rfcomm_release_dev() ensures
that rfcomm_tty_install() cannot race with the RFCOMMRELEASEDEV ioctl.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Release rfcomm_dev only once
Peter Hurley [Mon, 10 Feb 2014 01:59:07 +0000 (20:59 -0500)]
Bluetooth: Release rfcomm_dev only once

No logic prevents an rfcomm_dev from being released multiple
times. For example, if the rfcomm_dev ref count is large due
to pending tx, then multiple RFCOMMRELEASEDEV ioctls may
mistakenly release the rfcomm_dev too many times. Note that
concurrent ioctls are not required to create this condition.

Introduce RFCOMM_DEV_RELEASED status bit which guarantees the
rfcomm_dev can only be released once.

NB: Since the flags are exported to userspace, introduce the status
field to track state for which userspace should not be aware.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl
Peter Hurley [Mon, 10 Feb 2014 01:59:06 +0000 (20:59 -0500)]
Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl

When enumerating RFCOMM devices in the rfcomm_dev_list, holding
the rfcomm_dev_lock only guarantees the existence of the enumerated
rfcomm_dev in memory, and not safe access to its state. Testing
the device state (such as RFCOMM_TTY_RELEASED) does not guarantee
the device will remain in that state for the subsequent access
to the rfcomm_dev's fields, nor guarantee that teardown has not
commenced.

Obtain an rfcomm_dev reference for the duration of rfcomm_dev
access.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoBluetooth: Fix racy acquire of rfcomm_dev reference
Peter Hurley [Mon, 10 Feb 2014 01:59:05 +0000 (20:59 -0500)]
Bluetooth: Fix racy acquire of rfcomm_dev reference

rfcomm_dev_get() can return a rfcomm_dev reference for a
device for which destruction may be commencing. This can happen
on tty destruction, which calls rfcomm_tty_cleanup(), the last
port reference may have been released but RFCOMM_TTY_RELEASED
was not set. The following race is also possible:

CPU 0                            | CPU 1
                                 | rfcomm_release_dev
rfcomm_dev_get                   |   .
  spin_lock                      |   .
    dev  = __rfcomm_dev_get      |   .
    if dev                       |   .
      if test_bit(TTY_RELEASED)  |   .
                                 |   !test_and_set_bit(TTY_RELEASED)
                                 |     tty_port_put   <<<< last reference
      else                       |
        tty_port_get             |

The reference acquire is bogus because destruction will commence
with the release of the last reference.

Ignore the external state change of TTY_RELEASED and instead rely
on the reference acquire itself to determine if the reference is
valid.

Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agotty: Fix ref counting for port krefs
Peter Hurley [Mon, 10 Feb 2014 01:59:04 +0000 (20:59 -0500)]
tty: Fix ref counting for port krefs

The tty core supports two models for handling tty_port lifetimes;
the tty_port can use the kref supplied by tty_port (which will
automatically destruct the tty_port when the ref count drops to
zero) or it can destruct the tty_port manually.

For tty drivers that choose to use the port kref to manage the
tty_port lifetime, it is not possible to safely acquire a port
reference conditionally. If the last reference is released after
evaluating the condition but before acquiring the reference, a
bogus reference will be held while the tty_port destruction
commences.

Rather, only acquire a port reference if the ref count is non-zero
and allow the caller to distinguish if a reference has successfully
been acquired.

Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoRevert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()"
Peter Hurley [Mon, 10 Feb 2014 01:59:03 +0000 (20:59 -0500)]
Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()"

This reverts commit e228b63390536f5b737056059a9a04ea016b1abf.

This is the third of a 3-patch revert, together with
Revert "Bluetooth: Remove rfcomm_carrier_raised()" and
Revert "Bluetooth: Always wait for a connection on RFCOMM open()".

Commit 4a2fb3ecc7467c775b154813861f25a0ddc11aa0,
"Bluetooth: Always wait for a connection on RFCOMM open()" open-codes
blocking on tty open(), rather than using the default behavior
implemented by the tty port.

The reasons for reverting that patch are detailed in that changelog;
this patch restores required functionality for that revert.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoRevert "Bluetooth: Always wait for a connection on RFCOMM open()"
Peter Hurley [Mon, 10 Feb 2014 01:59:02 +0000 (20:59 -0500)]
Revert "Bluetooth: Always wait for a connection on RFCOMM open()"

This reverts commit 4a2fb3ecc7467c775b154813861f25a0ddc11aa0.

This is the second of a 3-patch revert, together with
Revert "Bluetooth: Remove rfcomm_carrier_raised()" and
Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()".

Before commit cad348a17e170451ea8688b532a6ca3e98c63b60,
  Bluetooth: Implement .activate, .shutdown and .carrier_raised methods,
tty_port_block_til_ready() was open-coded in rfcomm_tty_install() as
part of the RFCOMM tty open().

Unfortunately, it did not implement non-blocking open nor CLOCAL open,
but rather always blocked for carrier. This is not the expected or
typical behavior for ttys, and prevents several common terminal
programming idioms from working (eg., opening in non-blocking
mode to initialize desired termios settings then re-opening for
connection).

Commit cad348a17e170451ea8688b532a6ca3e98c63b60,
  Bluetooth: Implement .activate, .shutdown and .carrier_raised methods,
added the necessary tty_port methods to use the default tty_port_open().
However, this triggered two important user-space regressions.

The first regression involves the complicated mechanism for reparenting
the rfcomm tty device to the ACL link device which represents an
open link to a specific bluetooth host. This regression causes ModemManager
to conclude the rfcomm tty device does not front a modem so it makes
no attempt to initialize an attached modem. This regression is
caused by the lack of a device_move() if the dlc is already open (and
not specifically related to the open-coded block_til_ready()).

A more appropriate solution is submitted in
"Bluetooth: Fix unsafe RFCOMM device parenting" and
"Bluetooth: Fix RFCOMM parent device for reused dlc"

The second regression involves "rfcomm bind" and wvdial (a ppp dialer).
rfcomm bind creates a device node for a /dev/rfcomm<n>. wvdial opens
that device in non-blocking mode (because it expects the connection
to have already been established). In addition, subsequent writes
to the rfcomm tty device fail (because the link is not yet connected;
rfcomm connection begins with the actual tty open()).

However, restoring the original behavior (in the patch which
this reverts) was undesirable.

Firstly, the original reporter notes that a trivial userspace
"workaround" already exists: rfcomm connect, which creates the
device node and establishes the expected connection.

Secondly, the failed writes occur because the rfcomm tty driver
does not buffer writes to an unconnected device; this contrasts with
the dozen of other tty drivers (in fact, all of them) that do just
that. The submitted patch "Bluetooth: Don't fail RFCOMM tty writes"
corrects this.

Thirdly, it was a long-standing bug to block on non-blocking open,
which is re-fixed by revert.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
10 years agoRevert "Bluetooth: Remove rfcomm_carrier_raised()"
Peter Hurley [Mon, 10 Feb 2014 01:59:01 +0000 (20:59 -0500)]
Revert "Bluetooth: Remove rfcomm_carrier_raised()"

This reverts commit f86772af6a0f643d3e13eb3f4f9213ae0c333ee4.

This is the first of a 3-patch revert, together with
Revert "Bluetooth: Always wait for a connection on RFCOMM open()" and
Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()".

Commit 4a2fb3ecc7467c775b154813861f25a0ddc11aa0,
"Bluetooth: Always wait for a connection on RFCOMM open()" open-codes
blocking on tty open(), rather than using the default behavior
implemented by the tty port.

The reasons for reverting that patch are detailed in that changelog;
this patch restores required functionality for that revert.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>