diff options
author | Andrei Emeltchenko <andrei.emeltchenko@nokia.com> | 2010-07-08 05:14:41 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-07-08 19:35:23 -0400 |
commit | e501d0553a7580fcc6654d7f58a5f061d31d00af (patch) | |
tree | 8f1489e92272e18cc5c222283bcbeccfe7bcecd2 | |
parent | 33b665eeeb85956ccbdf31c4c31a4e2a31133c44 (diff) |
Bluetooth: Check L2CAP pending status before sending connect request
Due to race condition in L2CAP state machine L2CAP Connection Request
may be sent twice for SDP with the same source channel id. Problems
reported connecting to Apple products, some carkit, Blackberry phones.
...
2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 1 packets 1
2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3
status 0x00 handle 1
2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
...
Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection
Request has been sent already.
Modified version of patch from Ville Tervo.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/l2cap.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 1b682a5aa061..cf3c4073a8a6 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c | |||
@@ -401,6 +401,11 @@ static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control) | |||
401 | l2cap_send_sframe(pi, control); | 401 | l2cap_send_sframe(pi, control); |
402 | } | 402 | } |
403 | 403 | ||
404 | static inline int __l2cap_no_conn_pending(struct sock *sk) | ||
405 | { | ||
406 | return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND); | ||
407 | } | ||
408 | |||
404 | static void l2cap_do_start(struct sock *sk) | 409 | static void l2cap_do_start(struct sock *sk) |
405 | { | 410 | { |
406 | struct l2cap_conn *conn = l2cap_pi(sk)->conn; | 411 | struct l2cap_conn *conn = l2cap_pi(sk)->conn; |
@@ -409,12 +414,13 @@ static void l2cap_do_start(struct sock *sk) | |||
409 | if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) | 414 | if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) |
410 | return; | 415 | return; |
411 | 416 | ||
412 | if (l2cap_check_security(sk)) { | 417 | if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) { |
413 | struct l2cap_conn_req req; | 418 | struct l2cap_conn_req req; |
414 | req.scid = cpu_to_le16(l2cap_pi(sk)->scid); | 419 | req.scid = cpu_to_le16(l2cap_pi(sk)->scid); |
415 | req.psm = l2cap_pi(sk)->psm; | 420 | req.psm = l2cap_pi(sk)->psm; |
416 | 421 | ||
417 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); | 422 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); |
423 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; | ||
418 | 424 | ||
419 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, | 425 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, |
420 | L2CAP_CONN_REQ, sizeof(req), &req); | 426 | L2CAP_CONN_REQ, sizeof(req), &req); |
@@ -464,12 +470,14 @@ static void l2cap_conn_start(struct l2cap_conn *conn) | |||
464 | } | 470 | } |
465 | 471 | ||
466 | if (sk->sk_state == BT_CONNECT) { | 472 | if (sk->sk_state == BT_CONNECT) { |
467 | if (l2cap_check_security(sk)) { | 473 | if (l2cap_check_security(sk) && |
474 | __l2cap_no_conn_pending(sk)) { | ||
468 | struct l2cap_conn_req req; | 475 | struct l2cap_conn_req req; |
469 | req.scid = cpu_to_le16(l2cap_pi(sk)->scid); | 476 | req.scid = cpu_to_le16(l2cap_pi(sk)->scid); |
470 | req.psm = l2cap_pi(sk)->psm; | 477 | req.psm = l2cap_pi(sk)->psm; |
471 | 478 | ||
472 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); | 479 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); |
480 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; | ||
473 | 481 | ||
474 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, | 482 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, |
475 | L2CAP_CONN_REQ, sizeof(req), &req); | 483 | L2CAP_CONN_REQ, sizeof(req), &req); |
@@ -2912,7 +2920,6 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd | |||
2912 | l2cap_pi(sk)->ident = 0; | 2920 | l2cap_pi(sk)->ident = 0; |
2913 | l2cap_pi(sk)->dcid = dcid; | 2921 | l2cap_pi(sk)->dcid = dcid; |
2914 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; | 2922 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; |
2915 | |||
2916 | l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; | 2923 | l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND; |
2917 | 2924 | ||
2918 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, | 2925 | l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, |
@@ -4404,6 +4411,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) | |||
4404 | req.psm = l2cap_pi(sk)->psm; | 4411 | req.psm = l2cap_pi(sk)->psm; |
4405 | 4412 | ||
4406 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); | 4413 | l2cap_pi(sk)->ident = l2cap_get_ident(conn); |
4414 | l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND; | ||
4407 | 4415 | ||
4408 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, | 4416 | l2cap_send_cmd(conn, l2cap_pi(sk)->ident, |
4409 | L2CAP_CONN_REQ, sizeof(req), &req); | 4417 | L2CAP_CONN_REQ, sizeof(req), &req); |