8 files changed, 43 insertions, 19 deletions
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 41ff978a33f9..715d7e33fba0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
                return false;
        e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
+        if (!e)
+                return false;
        if (hci_resolve_name(hdev, e) == 0) {
                e->name_state = NAME_PENDING;
                return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
                return;
        e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
-        if (e) {
+        /* If the device was not found in a list of found devices names of which
+         * are pending. there is no need to continue resolving a next name as it
+         * will be done upon receiving another Remote Name Request Complete
+         * Event */
+        if (!e)
+                return;
+        list_del(&e->list);
+        if (name) {
                e->name_state = NAME_KNOWN;
-                list_del(&e->list);
+                mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
-                if (name)
+                                 e->data.rssi, name, name_len);
-                        mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
+        } else {
-                                         e->data.rssi, name, name_len);
+                e->name_state = NAME_NOT_KNOWN;
        }
        if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                if (conn->type == ACL_LINK) {
                        conn->state = BT_CONFIG;
                        hci_conn_hold(conn);
-                        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                        if (!conn->out && !hci_conn_ssp_enabled(conn) &&
+                            !hci_find_link_key(hdev, &ev->bdaddr))
+                                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
+                        else
+                                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
                } else
                        conn->state = BT_CONNECTED;
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index a7f04de03d79..19fdac78e555 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
        *addr_len = sizeof(*haddr);
        haddr->hci_family = AF_BLUETOOTH;
        haddr->hci_dev    = hdev->id;
+        haddr->hci_channel= 0;
        release_sock(sk);
        return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
                {
                        struct hci_filter *f = &hci_pi(sk)->filter;
+                        memset(&uf, 0, sizeof(uf));
                        uf.type_mask = f->type_mask;
                        uf.opcode    = f->opcode;
                        uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a8964db04bfb..daa149b7003c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
        sk = chan->sk;
        hci_conn_hold(conn->hcon);
+        conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
        bacpy(&bt_sk(sk)->src, conn->src);
        bacpy(&bt_sk(sk)->dst, conn->dst);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e8427e..1497edd191a2 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
        BT_DBG("sock %p, sk %p", sock, sk);
+        memset(la, 0, sizeof(struct sockaddr_l2));
        addr->sa_family = AF_BLUETOOTH;
        *len = sizeof(struct sockaddr_l2);
@@ -1174,7 +1175,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
        chan = l2cap_chan_create();
        if (!chan) {
-                l2cap_sock_kill(sk);
+                sk_free(sk);
                return NULL;
        }
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7e1e59645c05..1a17850d093c 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
        BT_DBG("sock %p, sk %p", sock, sk);
+        memset(sa, 0, sizeof(*sa));
        sa->rc_family  = AF_BLUETOOTH;
        sa->rc_channel = rfcomm_pi(sk)->channel;
        if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
                }
                sec.level = rfcomm_pi(sk)->sec_level;
+                sec.key_size = 0;
                len = min_t(unsigned int, len, sizeof(sec));
                if (copy_to_user(optval, (char *) &sec, len))
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 18a80b94a8bd..ccc248791d50 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
        size = sizeof(*dl) + dev_num * sizeof(*di);
-        dl = kmalloc(size, GFP_KERNEL);
+        dl = kzalloc(size, GFP_KERNEL);
        if (!dl)
                return -ENOMEM;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 40bbe25dcff7..3589e21edb09 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
                sco_sock_clear_timer(sk);
                sco_chan_del(sk, err);
                bh_unlock_sock(sk);
+                sco_conn_lock(conn);
+                conn->sk = NULL;
+                sco_pi(sk)->conn = NULL;
+                sco_conn_unlock(conn);
+                if (conn->hcon)
+                        hci_conn_put(conn->hcon);
                sco_sock_kill(sk);
        }
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
        BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
-        if (conn) {
-                sco_conn_lock(conn);
-                conn->sk = NULL;
-                sco_pi(sk)->conn = NULL;
-                sco_conn_unlock(conn);
-                if (conn->hcon)
-                        hci_conn_put(conn->hcon);
-        }
        sk->sk_state = BT_CLOSED;
        sk->sk_err   = err;
        sk->sk_state_change(sk);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 16ef0dc85a0a..901a616c8083 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                smp = smp_chan_create(conn);
+        else
+                smp = conn->smp_chan;
-        smp = conn->smp_chan;
+        if (!smp)
+                return SMP_UNSPECIFIED;
        smp->preq[0] = SMP_CMD_PAIRING_REQ;
        memcpy(&smp->preq[1], req, sizeof(*req));

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 41ff978a33f9..715d7e33fba0 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
1365	return false;	1365	return false;
1366		1366
1367	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);	1367	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
		1368	if (!e)
		1369	return false;
		1370
1368	if (hci_resolve_name(hdev, e) == 0) {	1371	if (hci_resolve_name(hdev, e) == 0) {
1369	e->name_state = NAME_PENDING;	1372	e->name_state = NAME_PENDING;
1370	return true;	1373	return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev hdev, struct hci_conn conn,
1393	return;	1396	return;
1394		1397
1395	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);	1398	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1396	if (e) {	1399	/* If the device was not found in a list of found devices names of which
		1400	* are pending. there is no need to continue resolving a next name as it
		1401	* will be done upon receiving another Remote Name Request Complete
		1402	* Event */
		1403	if (!e)
		1404	return;
		1405
		1406	list_del(&e->list);
		1407	if (name) {
1397	e->name_state = NAME_KNOWN;	1408	e->name_state = NAME_KNOWN;
1398	list_del(&e->list);	1409	mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1399	if (name)	1410	e->data.rssi, name, name_len);
1400	mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,	1411	} else {
1401	e->data.rssi, name, name_len);	1412	e->name_state = NAME_NOT_KNOWN;
1402	}	1413	}
1403		1414
1404	if (hci_resolve_next_name(hdev))	1415	if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev hdev, struct sk_buff skb)
1762	if (conn->type == ACL_LINK) {	1773	if (conn->type == ACL_LINK) {
1763	conn->state = BT_CONFIG;	1774	conn->state = BT_CONFIG;
1764	hci_conn_hold(conn);	1775	hci_conn_hold(conn);
1765	conn->disc_timeout = HCI_DISCONN_TIMEOUT;	1776
		1777	if (!conn->out && !hci_conn_ssp_enabled(conn) &&
		1778	!hci_find_link_key(hdev, &ev->bdaddr))
		1779	conn->disc_timeout = HCI_PAIRING_TIMEOUT;
		1780	else
		1781	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1766	} else	1782	} else
1767	conn->state = BT_CONNECTED;	1783	conn->state = BT_CONNECTED;
1768		1784


diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index a7f04de03d79..19fdac78e555 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket sock, struct sockaddr addr,
694	addr_len = sizeof(haddr);	694	addr_len = sizeof(haddr);
695	haddr->hci_family = AF_BLUETOOTH;	695	haddr->hci_family = AF_BLUETOOTH;
696	haddr->hci_dev = hdev->id;	696	haddr->hci_dev = hdev->id;
		697	haddr->hci_channel= 0;
697		698
698	release_sock(sk);	699	release_sock(sk);
699	return 0;	700	return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
1009	{	1010	{
1010	struct hci_filter *f = &hci_pi(sk)->filter;	1011	struct hci_filter *f = &hci_pi(sk)->filter;
1011		1012
		1013	memset(&uf, 0, sizeof(uf));
1012	uf.type_mask = f->type_mask;	1014	uf.type_mask = f->type_mask;
1013	uf.opcode = f->opcode;	1015	uf.opcode = f->opcode;
1014	uf.event_mask[0] = ((u32 ) f->event_mask + 0);	1016	uf.event_mask[0] = ((u32 ) f->event_mask + 0);


diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index a8964db04bfb..daa149b7003c 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1181	sk = chan->sk;	1181	sk = chan->sk;
1182		1182
1183	hci_conn_hold(conn->hcon);	1183	hci_conn_hold(conn->hcon);
		1184	conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
1184		1185
1185	bacpy(&bt_sk(sk)->src, conn->src);	1186	bacpy(&bt_sk(sk)->src, conn->src);
1186	bacpy(&bt_sk(sk)->dst, conn->dst);	1187	bacpy(&bt_sk(sk)->dst, conn->dst);


diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index a4bb27e8427e..1497edd191a2 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket sock, struct sockaddr addr, int *l
245		245
246	BT_DBG("sock %p, sk %p", sock, sk);	246	BT_DBG("sock %p, sk %p", sock, sk);
247		247
		248	memset(la, 0, sizeof(struct sockaddr_l2));
248	addr->sa_family = AF_BLUETOOTH;	249	addr->sa_family = AF_BLUETOOTH;
249	*len = sizeof(struct sockaddr_l2);	250	*len = sizeof(struct sockaddr_l2);
250		251
@@ -1174,7 +1175,7 @@ static struct sock l2cap_sock_alloc(struct net net, struct socket *sock, int p
1174		1175
1175	chan = l2cap_chan_create();	1176	chan = l2cap_chan_create();
1176	if (!chan) {	1177	if (!chan) {
1177	l2cap_sock_kill(sk);	1178	sk_free(sk);
1178	return NULL;	1179	return NULL;
1179	}	1180	}
1180		1181


diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 7e1e59645c05..1a17850d093c 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket sock, struct sockaddr addr, int *
528		528
529	BT_DBG("sock %p, sk %p", sock, sk);	529	BT_DBG("sock %p, sk %p", sock, sk);
530		530
		531	memset(sa, 0, sizeof(*sa));
531	sa->rc_family = AF_BLUETOOTH;	532	sa->rc_family = AF_BLUETOOTH;
532	sa->rc_channel = rfcomm_pi(sk)->channel;	533	sa->rc_channel = rfcomm_pi(sk)->channel;
533	if (peer)	534	if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
822	}	823	}
823		824
824	sec.level = rfcomm_pi(sk)->sec_level;	825	sec.level = rfcomm_pi(sk)->sec_level;
		826	sec.key_size = 0;
825		827
826	len = min_t(unsigned int, len, sizeof(sec));	828	len = min_t(unsigned int, len, sizeof(sec));
827	if (copy_to_user(optval, (char *) &sec, len))	829	if (copy_to_user(optval, (char *) &sec, len))


diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 18a80b94a8bd..ccc248791d50 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
456		456
457	size = sizeof(dl) + dev_num sizeof(*di);	457	size = sizeof(dl) + dev_num sizeof(*di);
458		458
459	dl = kmalloc(size, GFP_KERNEL);	459	dl = kzalloc(size, GFP_KERNEL);
460	if (!dl)	460	if (!dl)
461	return -ENOMEM;	461	return -ENOMEM;
462		462


diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 40bbe25dcff7..3589e21edb09 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
131	sco_sock_clear_timer(sk);	131	sco_sock_clear_timer(sk);
132	sco_chan_del(sk, err);	132	sco_chan_del(sk, err);
133	bh_unlock_sock(sk);	133	bh_unlock_sock(sk);
		134
		135	sco_conn_lock(conn);
		136	conn->sk = NULL;
		137	sco_pi(sk)->conn = NULL;
		138	sco_conn_unlock(conn);
		139
		140	if (conn->hcon)
		141	hci_conn_put(conn->hcon);
		142
134	sco_sock_kill(sk);	143	sco_sock_kill(sk);
135	}	144	}
136		145
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
821		830
822	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);	831	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
823		832
824	if (conn) {
825	sco_conn_lock(conn);
826	conn->sk = NULL;
827	sco_pi(sk)->conn = NULL;
828	sco_conn_unlock(conn);
829
830	if (conn->hcon)
831	hci_conn_put(conn->hcon);
832	}
833
834	sk->sk_state = BT_CLOSED;	833	sk->sk_state = BT_CLOSED;
835	sk->sk_err = err;	834	sk->sk_err = err;
836	sk->sk_state_change(sk);	835	sk->sk_state_change(sk);


diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 16ef0dc85a0a..901a616c8083 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn conn, struct sk_buff skb)
579		579
580	if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))	580	if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
581	smp = smp_chan_create(conn);	581	smp = smp_chan_create(conn);
		582	else
		583	smp = conn->smp_chan;
582		584
583	smp = conn->smp_chan;	585	if (!smp)
		586	return SMP_UNSPECIFIED;
584		587
585	smp->preq[0] = SMP_CMD_PAIRING_REQ;	588	smp->preq[0] = SMP_CMD_PAIRING_REQ;
586	memcpy(&smp->preq[1], req, sizeof(*req));	589	memcpy(&smp->preq[1], req, sizeof(*req));