<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/net/bluetooth, branch v2.6.38.8</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>Bluetooth: Fix HCI_RESET command synchronization</title>
<updated>2011-04-21T21:32:59+00:00</updated>
<author>
<name>Gustavo F. Padovan</name>
<email>padovan@profusion.mobi</email>
</author>
<published>2011-03-16T18:36:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=2951119b25479349af6ebf1bfa3111bee3c29896'/>
<id>2951119b25479349af6ebf1bfa3111bee3c29896</id>
<content type='text'>
commit f630cf0d5434e3923e1b8226ffa2753ead6b0ce5 upstream.

We can't send new commands before a cmd_complete for the HCI_RESET command
shows up.

Reported-by: Mikko Vinni &lt;mmvinni@yahoo.com&gt;
Reported-by: Justin P. Mattock &lt;justinmattock@gmail.com&gt;
Reported-by: Ed Tomlinson &lt;edt@aei.ca&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Tested-by: Justin P. Mattock &lt;justinmattock@gmail.com&gt;
Tested-by: Mikko Vinni &lt;mmvinni@yahoo.com&gt;
Tested-by: Ed Tomlinson &lt;edt@aei.ca&gt;


</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f630cf0d5434e3923e1b8226ffa2753ead6b0ce5 upstream.

We can't send new commands before a cmd_complete for the HCI_RESET command
shows up.

Reported-by: Mikko Vinni &lt;mmvinni@yahoo.com&gt;
Reported-by: Justin P. Mattock &lt;justinmattock@gmail.com&gt;
Reported-by: Ed Tomlinson &lt;edt@aei.ca&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Tested-by: Justin P. Mattock &lt;justinmattock@gmail.com&gt;
Tested-by: Mikko Vinni &lt;mmvinni@yahoo.com&gt;
Tested-by: Ed Tomlinson &lt;edt@aei.ca&gt;


</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: bnep: fix buffer overflow</title>
<updated>2011-04-14T20:02:29+00:00</updated>
<author>
<name>Vasiliy Kulikov</name>
<email>segoon@openwall.com</email>
</author>
<published>2011-02-14T10:54:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=f4fc0e56a21f9b5c345965f49da91f330b7cf202'/>
<id>f4fc0e56a21f9b5c345965f49da91f330b7cf202</id>
<content type='text'>
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: sco: fix information leak to userspace</title>
<updated>2011-04-14T20:02:27+00:00</updated>
<author>
<name>Vasiliy Kulikov</name>
<email>segoon@openwall.com</email>
</author>
<published>2011-02-14T10:54:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=a0ef5893ec7ae42f502993f6e4f6e60e6f941ce0'/>
<id>a0ef5893ec7ae42f502993f6e4f6e60e6f941ce0</id>
<content type='text'>
commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Release BTM while sleeping to avoid deadlock</title>
<updated>2011-02-16T18:54:11+00:00</updated>
<author>
<name>Vladislav P</name>
<email>vladisslav@inbox.ru</email>
</author>
<published>2011-02-14T17:21:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=840af824b2bf9194ea596e0ddc7aa05066794ca1'/>
<id>840af824b2bf9194ea596e0ddc7aa05066794ca1</id>
<content type='text'>
Signed-off-by: Vladislav P &lt;vladisslav@inbox.ru&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Vladislav P &lt;vladisslav@inbox.ru&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Set conn state to BT_DISCONN to avoid multiple responses</title>
<updated>2011-02-02T14:47:59+00:00</updated>
<author>
<name>Bao Liang</name>
<email>tim.bao@gmail.com</email>
</author>
<published>2011-01-29T13:39:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e733fb62082b3b187870dfba28d5f6730b8436c4'/>
<id>e733fb62082b3b187870dfba28d5f6730b8436c4</id>
<content type='text'>
This patch fixes a minor issue that two connection responses will be sent
for one L2CAP connection request. If the L2CAP connection request is first
blocked due to security reason and responded with reason "security block",
the state of the connection remains BT_CONNECT2. If a pairing procedure
completes successfully before the ACL connection is down, local host will
send another connection complete response. See the following packets
captured by hcidump.

2010-12-07 22:21:24.928096 &lt; ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 19 08 00  41 00 53 00 03 00 00 00  ........A.S.....
... ...

2010-12-07 22:21:35.791747 &gt; HCI Event: Auth Complete (0x06) plen 3
    status 0x00 handle 12
... ...

2010-12-07 22:21:35.872372 &gt; ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0054 scid 0x0040 result 0 status 0
      Connection successful

Signed-off-by: Liang Bao &lt;tim.bao@gmail.com&gt;
Acked-by: Ville Tervo &lt;ville.tervo@nokia.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a minor issue that two connection responses will be sent
for one L2CAP connection request. If the L2CAP connection request is first
blocked due to security reason and responded with reason "security block",
the state of the connection remains BT_CONNECT2. If a pairing procedure
completes successfully before the ACL connection is down, local host will
send another connection complete response. See the following packets
captured by hcidump.

2010-12-07 22:21:24.928096 &lt; ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 19 08 00  41 00 53 00 03 00 00 00  ........A.S.....
... ...

2010-12-07 22:21:35.791747 &gt; HCI Event: Auth Complete (0x06) plen 3
    status 0x00 handle 12
... ...

2010-12-07 22:21:35.872372 &gt; ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0054 scid 0x0040 result 0 status 0
      Connection successful

Signed-off-by: Liang Bao &lt;tim.bao@gmail.com&gt;
Acked-by: Ville Tervo &lt;ville.tervo@nokia.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix race condition with conn-&gt;sec_level</title>
<updated>2011-01-19T16:43:11+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@nokia.com</email>
</author>
<published>2011-01-19T06:36:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=765c2a964b49bd06b61a52991519281c85d82b67'/>
<id>765c2a964b49bd06b61a52991519281c85d82b67</id>
<content type='text'>
The conn-&gt;sec_level value is supposed to represent the current level of
security that the connection has. However, by assigning to it before
requesting authentication it will have the wrong value during the
authentication procedure. To fix this a pending_sec_level variable is
added which is used to track the desired security level while making
sure that sec_level always represents the current level of security.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The conn-&gt;sec_level value is supposed to represent the current level of
security that the connection has. However, by assigning to it before
requesting authentication it will have the wrong value during the
authentication procedure. To fix this a pending_sec_level variable is
added which is used to track the desired security level while making
sure that sec_level always represents the current level of security.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix authentication request for L2CAP raw sockets</title>
<updated>2011-01-19T16:40:43+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@nokia.com</email>
</author>
<published>2011-01-19T06:36:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=d00ef24fc2923b65fdd440dc6445903e965841ac'/>
<id>d00ef24fc2923b65fdd440dc6445903e965841ac</id>
<content type='text'>
When there is an existing connection l2cap_check_security needs to be
called to ensure that the security level of the new socket is fulfilled.
Normally l2cap_do_start takes care of this, but that function doesn't
get called for SOCK_RAW type sockets. This patch adds the necessary
l2cap_check_security call to the appropriate branch in l2cap_do_connect.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When there is an existing connection l2cap_check_security needs to be
called to ensure that the security level of the new socket is fulfilled.
Normally l2cap_do_start takes care of this, but that function doesn't
get called for SOCK_RAW type sockets. This patch adds the necessary
l2cap_check_security call to the appropriate branch in l2cap_do_connect.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Create a unified auth_type evaluation function</title>
<updated>2011-01-19T16:40:43+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@nokia.com</email>
</author>
<published>2011-01-19T06:36:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=8556edd32f01c50a3c99e44dc2c3b1252ea59605'/>
<id>8556edd32f01c50a3c99e44dc2c3b1252ea59605</id>
<content type='text'>
The logic for determining the needed auth_type for an L2CAP socket is
rather complicated and has so far been duplicated in
l2cap_check_security as well as l2cap_do_connect. Additionally the
l2cap_check_security code was completely missing the handling of
SOCK_RAW type sockets. This patch creates a unified function for the
evaluation and makes l2cap_do_connect and l2cap_check_security use that
function.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The logic for determining the needed auth_type for an L2CAP socket is
rather complicated and has so far been duplicated in
l2cap_check_security as well as l2cap_do_connect. Additionally the
l2cap_check_security code was completely missing the handling of
SOCK_RAW type sockets. This patch creates a unified function for the
evaluation and makes l2cap_do_connect and l2cap_check_security use that
function.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Fix MITM protection requirement preservation</title>
<updated>2011-01-19T16:40:43+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@nokia.com</email>
</author>
<published>2011-01-19T06:36:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=65cf686ee102b7eb0477a4bab82ff227071a0258'/>
<id>65cf686ee102b7eb0477a4bab82ff227071a0258</id>
<content type='text'>
If an existing connection has a MITM protection requirement (the first
bit of the auth_type) then that requirement should not be cleared by new
sockets that reuse the ACL but don't have that requirement.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If an existing connection has a MITM protection requirement (the first
bit of the auth_type) then that requirement should not be cleared by new
sockets that reuse the ACL but don't have that requirement.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "Bluetooth: Update sec_level/auth_type for already existing connections"</title>
<updated>2011-01-19T16:40:42+00:00</updated>
<author>
<name>Johan Hedberg</name>
<email>johan.hedberg@nokia.com</email>
</author>
<published>2011-01-19T06:36:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=88644bb9fee591b2743a881923263bc28df4cded'/>
<id>88644bb9fee591b2743a881923263bc28df4cded</id>
<content type='text'>
This reverts commit 045309820afe047920a50de25634dab46a1e851d. That
commit is wrong for two reasons:

- The conn-&gt;sec_level shouldn't be updated without performing
authentication first (as it's supposed to represent the level of
security that the existing connection has)

- A higher auth_type value doesn't mean "more secure" like the commit
seems to assume. E.g. dedicated bonding with MITM protection is 0x03
whereas general bonding without MITM protection is 0x04. hci_conn_auth
already takes care of updating conn-&gt;auth_type so hci_connect doesn't
need to do it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit 045309820afe047920a50de25634dab46a1e851d. That
commit is wrong for two reasons:

- The conn-&gt;sec_level shouldn't be updated without performing
authentication first (as it's supposed to represent the level of
security that the existing connection has)

- A higher auth_type value doesn't mean "more secure" like the commit
seems to assume. E.g. dedicated bonding with MITM protection is 0x03
whereas general bonding without MITM protection is 0x04. hci_conn_auth
already takes care of updating conn-&gt;auth_type so hci_connect doesn't
need to do it.

Signed-off-by: Johan Hedberg &lt;johan.hedberg@nokia.com&gt;
Acked-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Gustavo F. Padovan &lt;padovan@profusion.mobi&gt;
</pre>
</div>
</content>
</entry>
</feed>
