1 files changed, 17 insertions, 10 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ca27f3a41536..c3cebed205cc 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -169,7 +169,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
        __sock_put(sk);
 }
-static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
+static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk)
 {
        struct l2cap_chan_list *l = &conn->chan_list;
@@ -204,9 +204,6 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct so
        }
        __l2cap_chan_link(l, sk);
-        if (parent)
-                bt_accept_enqueue(parent, sk);
 }
 /* Delete channel.
@@ -652,7 +649,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
        bacpy(&bt_sk(sk)->src, conn->src);
        bacpy(&bt_sk(sk)->dst, conn->dst);
-        __l2cap_chan_add(conn, sk, parent);
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, sk);
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -793,11 +792,11 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        kfree(conn);
 }
-static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
+static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk)
 {
        struct l2cap_chan_list *l = &conn->chan_list;
        write_lock_bh(&l->lock);
-        __l2cap_chan_add(conn, sk, parent);
+        __l2cap_chan_add(conn, sk);
        write_unlock_bh(&l->lock);
 }
@@ -876,7 +875,7 @@ int l2cap_do_connect(struct sock *sk)
        /* Update source addr of the socket */
        bacpy(src, conn->src);
-        l2cap_chan_add(conn, sk, NULL);
+        l2cap_chan_add(conn, sk);
        sk->sk_state = BT_CONNECT;
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -2032,7 +2031,9 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
        l2cap_pi(sk)->psm  = psm;
        l2cap_pi(sk)->dcid = scid;
-        __l2cap_chan_add(conn, sk, parent);
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, sk);
        dcid = l2cap_pi(sk)->scid;
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -2462,6 +2463,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
+        /* L2CAP Info req/rsp are unbound to channels, add extra checks */
+        if (cmd->ident != conn->info_ident ||
+                        conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
+                return 0;
        del_timer(&conn->info_timer);
        if (result != L2CAP_IR_SUCCESS) {
@@ -2672,7 +2678,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
                if (err) {
                        struct l2cap_cmd_rej rej;
-                        BT_DBG("error %d", err);
+                        BT_ERR("Wrong link type (%d)", err);
                        /* FIXME: Map err to a valid reason */
                        rej.reason = cpu_to_le16(0);

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index ca27f3a41536..c3cebed205cc 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -169,7 +169,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list l, struct sock sk)
169	__sock_put(sk);	169	__sock_put(sk);
170	}	170	}
171		171
172	static void __l2cap_chan_add(struct l2cap_conn conn, struct sock sk, struct sock *parent)	172	static void __l2cap_chan_add(struct l2cap_conn conn, struct sock sk)
173	{	173	{
174	struct l2cap_chan_list *l = &conn->chan_list;	174	struct l2cap_chan_list *l = &conn->chan_list;
175		175
@@ -204,9 +204,6 @@ static void __l2cap_chan_add(struct l2cap_conn conn, struct sock sk, struct so
204	}	204	}
205		205
206	__l2cap_chan_link(l, sk);	206	__l2cap_chan_link(l, sk);
207
208	if (parent)
209	bt_accept_enqueue(parent, sk);
210	}	207	}
211		208
212	/* Delete channel.	209	/* Delete channel.
@@ -652,7 +649,9 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
652	bacpy(&bt_sk(sk)->src, conn->src);	649	bacpy(&bt_sk(sk)->src, conn->src);
653	bacpy(&bt_sk(sk)->dst, conn->dst);	650	bacpy(&bt_sk(sk)->dst, conn->dst);
654		651
655	__l2cap_chan_add(conn, sk, parent);	652	bt_accept_enqueue(parent, sk);
		653
		654	__l2cap_chan_add(conn, sk);
656		655
657	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);	656	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
658		657
@@ -793,11 +792,11 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
793	kfree(conn);	792	kfree(conn);
794	}	793	}
795		794
796	static inline void l2cap_chan_add(struct l2cap_conn conn, struct sock sk, struct sock *parent)	795	static inline void l2cap_chan_add(struct l2cap_conn conn, struct sock sk)
797	{	796	{
798	struct l2cap_chan_list *l = &conn->chan_list;	797	struct l2cap_chan_list *l = &conn->chan_list;
799	write_lock_bh(&l->lock);	798	write_lock_bh(&l->lock);
800	__l2cap_chan_add(conn, sk, parent);	799	__l2cap_chan_add(conn, sk);
801	write_unlock_bh(&l->lock);	800	write_unlock_bh(&l->lock);
802	}	801	}
803		802
@@ -876,7 +875,7 @@ int l2cap_do_connect(struct sock *sk)
876	/* Update source addr of the socket */	875	/* Update source addr of the socket */
877	bacpy(src, conn->src);	876	bacpy(src, conn->src);
878		877
879	l2cap_chan_add(conn, sk, NULL);	878	l2cap_chan_add(conn, sk);
880		879
881	sk->sk_state = BT_CONNECT;	880	sk->sk_state = BT_CONNECT;
882	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);	881	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -2032,7 +2031,9 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2032	l2cap_pi(sk)->psm = psm;	2031	l2cap_pi(sk)->psm = psm;
2033	l2cap_pi(sk)->dcid = scid;	2032	l2cap_pi(sk)->dcid = scid;
2034		2033
2035	__l2cap_chan_add(conn, sk, parent);	2034	bt_accept_enqueue(parent, sk);
		2035
		2036	__l2cap_chan_add(conn, sk);
2036	dcid = l2cap_pi(sk)->scid;	2037	dcid = l2cap_pi(sk)->scid;
2037		2038
2038	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);	2039	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -2462,6 +2463,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
2462		2463
2463	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);	2464	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2464		2465
		2466	/* L2CAP Info req/rsp are unbound to channels, add extra checks */
		2467	if (cmd->ident != conn->info_ident \|\|
		2468	conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
		2469	return 0;
		2470
2465	del_timer(&conn->info_timer);	2471	del_timer(&conn->info_timer);
2466		2472
2467	if (result != L2CAP_IR_SUCCESS) {	2473	if (result != L2CAP_IR_SUCCESS) {
@@ -2672,7 +2678,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2672		2678
2673	if (err) {	2679	if (err) {
2674	struct l2cap_cmd_rej rej;	2680	struct l2cap_cmd_rej rej;
2675	BT_DBG("error %d", err);	2681
		2682	BT_ERR("Wrong link type (%d)", err);
2676		2683
2677	/* FIXME: Map err to a valid reason */	2684	/* FIXME: Map err to a valid reason */
2678	rej.reason = cpu_to_le16(0);	2685	rej.reason = cpu_to_le16(0);