Bluetooth: Add support for SMP timeout

This patch adds support for disconnecting the link when SMP procedure
takes more than 30 seconds.

SMP begins when either the Pairing Request command is sent or the
Pairing Response is received, and it ends when the link is encrypted
(or terminated). Vol 3, Part H Section 3.4.

Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

2 files changed, 58 insertions, 30 deletions

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 584a4237eb3f..bbbae2e0aa84 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -970,6 +970,45 @@ static void l2cap_info_timeout(unsigned long arg)
         l2cap_conn_start(conn);
 }
 
+static void l2cap_conn_del(struct hci_conn *hcon, int err)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        struct l2cap_chan *chan, *l;
+        struct sock *sk;
+
+        if (!conn)
+                return;
+
+        BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
+
+        kfree_skb(conn->rx_skb);
+
+        /* Kill channels */
+        list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+                sk = chan->sk;
+                bh_lock_sock(sk);
+                l2cap_chan_del(chan, err);
+                bh_unlock_sock(sk);
+                chan->ops->close(chan->data);
+        }
+
+        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
+                del_timer_sync(&conn->info_timer);
+
+        if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
+                del_timer(&conn->security_timer);
+
+        hcon->l2cap_data = NULL;
+        kfree(conn);
+}
+
+static void security_timeout(unsigned long arg)
+{
+        struct l2cap_conn *conn = (void *) arg;
+
+        l2cap_conn_del(conn->hcon, ETIMEDOUT);
+}
+
 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
 {
         struct l2cap_conn *conn = hcon->l2cap_data;
@@ -1001,7 +1040,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
 
         INIT_LIST_HEAD(&conn->chan_l);
 
-        if (hcon->type != LE_LINK)
+        if (hcon->type == LE_LINK)
+                setup_timer(&conn->security_timer, security_timeout,
+                                                (unsigned long) conn);
+        else
                 setup_timer(&conn->info_timer, l2cap_info_timeout,
                                                 (unsigned long) conn);
 
@@ -1010,35 +1052,6 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
         return conn;
 }
 
-static void l2cap_conn_del(struct hci_conn *hcon, int err)
-{
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        struct l2cap_chan *chan, *l;
-        struct sock *sk;
-
-        if (!conn)
-                return;
-
-        BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
-
-        kfree_skb(conn->rx_skb);
-
-        /* Kill channels */
-        list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
-                sk = chan->sk;
-                bh_lock_sock(sk);
-                l2cap_chan_del(chan, err);
-                bh_unlock_sock(sk);
-                chan->ops->close(chan->data);
-        }
-
-        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
-                del_timer_sync(&conn->info_timer);
-
-        hcon->l2cap_data = NULL;
-        kfree(conn);
-}
-
 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 {
         write_lock_bh(&conn->chan_lock);
@@ -4182,6 +4195,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                 if (chan->scid == L2CAP_CID_LE_DATA) {
                         if (!status && encrypt) {
                                 chan->sec_level = hcon->sec_level;
+                                del_timer(&conn->security_timer);
                                 l2cap_chan_ready(sk);
                         }
 
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dfd6891b9c86..39886786eb7f 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -27,6 +27,8 @@
 #include <linux/crypto.h>
 #include <crypto/b128ops.h>
 
+#define SMP_TIMEOUT 30000 /* 30 seconds */
+
 static inline void swap128(u8 src[16], u8 dst[16])
 {
         int i;
@@ -228,6 +230,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(*rp), rp);
 
+        mod_timer(&conn->security_timer, jiffies +
+                                        msecs_to_jiffies(SMP_TIMEOUT));
+
         return 0;
 }
 
@@ -303,6 +308,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
                 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
         }
 
+        mod_timer(&conn->security_timer, jiffies +
+                                        msecs_to_jiffies(SMP_TIMEOUT));
+
         return 0;
 }
 
@@ -382,6 +390,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
 
+        mod_timer(&conn->security_timer, jiffies +
+                                        msecs_to_jiffies(SMP_TIMEOUT));
+
         set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
 
         return 0;
@@ -415,6 +426,9 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
                 conn->preq[0] = SMP_CMD_PAIRING_REQ;
                 memcpy(&conn->preq[1], &cp, sizeof(cp));
 
+                mod_timer(&conn->security_timer, jiffies +
+                                        msecs_to_jiffies(SMP_TIMEOUT));
+
                 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
         } else {
                 struct smp_cmd_security_req cp;