From patchwork Sat Jun 27 10:54:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Archie Pusaka X-Patchwork-Id: 11629535 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D402A618 for ; Sat, 27 Jun 2020 10:55:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B095A214F1 for ; Sat, 27 Jun 2020 10:55:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Pe/l/66I" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726552AbgF0KzX (ORCPT ); Sat, 27 Jun 2020 06:55:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726546AbgF0KzW (ORCPT ); Sat, 27 Jun 2020 06:55:22 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC3F8C03E97B for ; Sat, 27 Jun 2020 03:55:21 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id o84so12863945ybg.0 for ; Sat, 27 Jun 2020 03:55:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=hXel7qYEL2h1Ox+Ye8sns97da4WDPOmCvVF0B5at7tg=; b=Pe/l/66IdZ9Lhzaj9eGNNwOGtyoKPS5+ayyodjX+42TqFSoiWlvpqrB/p9k5YYLcGx ttDG/EP2vMoInr+UtV+EUo+x92YY6DEtGq8w6tDLfExc1vCpvpWZCVG91lytm7hvwalS AJqFno58PkUFYdTn2d3TrDctIZUeKYLvduUPNsWFUHMAKto/91T+wadonKz3hlMkSoV6 ZCVADj60YQzugkuk7AzJlkHYgRkmL/TwwT2VOa7r7j9D5TR2oGyivZoVf3lxoR8NosP7 nYDlu9/1fQ8tpcAk4qMpZOWBCVBEZQOk6GfadRY1m/F8ZSsITHn+X+zBHuIsfSFrcVZ/ 2Hmw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=hXel7qYEL2h1Ox+Ye8sns97da4WDPOmCvVF0B5at7tg=; b=e/RK229qljcGLr4syo6H1cJ6u7n4MUmgeX78f9rhUxjz6pK3HOxZqBwYbXvxdweXSr ChB3fEEDjn1s9AZUh2rJAxKupWgKIeaRUkz9QPSOx5evII+VO5pSwWmbo5zvb7NroSMx ygjqXZRaMqKjuYfhZsMvUegurbtgDeLYEWsAaMZ/I/dBvTrooWGtj4BrPVyfiri4YvHo eP2RUW4zntyXNH1k7PV8n4jTe0abcUZy7RPsE9VkBH+rESga2KLajOYWNV9IXiXOJgf1 tw4jnUsFJseLP4tJ6ZtUy23XPGrTO2IPwb4a3dJZelcmZVUvP8pdZkHDZoHIbUW2F7xF vtbg== X-Gm-Message-State: AOAM533Y6vPjYx8PQdcrkMS8tJqbpIEsq26EaO6r1MEXjqQPwRnfbQGE FFi9jdXGGH1awyuiFcFfvetR1Qo1NYEWw+KApTupyn17Wp4CkmLjBlrAZD0HU9z0RqdjynbYQ+M Te8WqZeBiYmRyvj20j1HSw8mWDxrsENwWfppR0ZETk2BhkWnv21oymhSed2EU1ZQsmLFDCsfePm AZ X-Google-Smtp-Source: ABdhPJyPfy7s/+o4eZKfkw6mztV+uWshtdiNNkloy27vf3/MiJm62SV5aSN0AzbwPyJidtBVtIYWcok7HH8x X-Received: by 2002:a25:80c7:: with SMTP id c7mr11756319ybm.357.1593255320973; Sat, 27 Jun 2020 03:55:20 -0700 (PDT) Date: Sat, 27 Jun 2020 18:54:36 +0800 In-Reply-To: <20200627105437.453053-1-apusaka@google.com> Message-Id: <20200627185320.RFC.v1.1.Icea550bb064a24b89f2217cf19e35b4480a31afd@changeid> Mime-Version: 1.0 References: <20200627105437.453053-1-apusaka@google.com> X-Mailer: git-send-email 2.27.0.212.ge8ba1cc988-goog Subject: [RFC PATCH v1 1/2] Bluetooth: queue ACL packets if no handle is found From: Archie Pusaka To: linux-bluetooth , Marcel Holtmann Cc: chromeos-bluetooth-upstreaming , Archie Pusaka , Abhishek Pandit-Subedi , "David S. Miller" , Jakub Kicinski , Johan Hedberg , linux-kernel@vger.kernel.org, netdev@vger.kernel.org Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: Archie Pusaka There is a possibility that an ACL packet is received before we receive the HCI connect event for the corresponding handle. If this happens, we discard the ACL packet. Rather than just ignoring them, this patch provides a queue for incoming ACL packet without a handle. The queue is processed when receiving a HCI connection event. If 2 seconds elapsed without receiving the HCI connection event, assume something bad happened and discard the queued packet. Signed-off-by: Archie Pusaka Reviewed-by: Abhishek Pandit-Subedi --- include/net/bluetooth/hci_core.h | 8 +++ net/bluetooth/hci_core.c | 84 +++++++++++++++++++++++++++++--- net/bluetooth/hci_event.c | 2 + 3 files changed, 88 insertions(+), 6 deletions(-) diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 836dc997ff94..b69ecdd0d15a 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -270,6 +270,9 @@ struct adv_monitor { /* Default authenticated payload timeout 30s */ #define DEFAULT_AUTH_PAYLOAD_TIMEOUT 0x0bb8 +/* Time to keep ACL packets without a corresponding handle queued (2s) */ +#define PENDING_ACL_TIMEOUT msecs_to_jiffies(2000) + struct amp_assoc { __u16 len; __u16 offset; @@ -538,6 +541,9 @@ struct hci_dev { struct delayed_work rpa_expired; bdaddr_t rpa; + struct delayed_work remove_pending_acl; + struct sk_buff_head pending_acl_q; + #if IS_ENABLED(CONFIG_BT_LEDS) struct led_trigger *power_led; #endif @@ -1773,6 +1779,8 @@ void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand, void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *bdaddr_type); +void hci_process_pending_acl(struct hci_dev *hdev, struct hci_conn *conn); + #define SCO_AIRMODE_MASK 0x0003 #define SCO_AIRMODE_CVSD 0x0000 #define SCO_AIRMODE_TRANSP 0x0003 diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 7959b851cc63..30780242c267 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1786,6 +1786,7 @@ int hci_dev_do_close(struct hci_dev *hdev) skb_queue_purge(&hdev->rx_q); skb_queue_purge(&hdev->cmd_q); skb_queue_purge(&hdev->raw_q); + skb_queue_purge(&hdev->pending_acl_q); /* Drop last sent command */ if (hdev->sent_cmd) { @@ -3518,6 +3519,78 @@ static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action, return NOTIFY_STOP; } +static void hci_add_pending_acl(struct hci_dev *hdev, struct sk_buff *skb) +{ + skb_queue_tail(&hdev->pending_acl_q, skb); + + queue_delayed_work(hdev->workqueue, &hdev->remove_pending_acl, + PENDING_ACL_TIMEOUT); +} + +void hci_process_pending_acl(struct hci_dev *hdev, struct hci_conn *conn) +{ + struct sk_buff *skb, *tmp; + struct hci_acl_hdr *hdr; + u16 handle, flags; + bool reset_timer = false; + + skb_queue_walk_safe(&hdev->pending_acl_q, skb, tmp) { + hdr = (struct hci_acl_hdr *)skb->data; + handle = __le16_to_cpu(hdr->handle); + flags = hci_flags(handle); + handle = hci_handle(handle); + + if (handle != conn->handle) + continue; + + __skb_unlink(skb, &hdev->pending_acl_q); + skb_pull(skb, HCI_ACL_HDR_SIZE); + + l2cap_recv_acldata(conn, skb, flags); + reset_timer = true; + } + + if (reset_timer) + mod_delayed_work(hdev->workqueue, &hdev->remove_pending_acl, + PENDING_ACL_TIMEOUT); +} + +/* Remove the oldest pending ACL, and all pending ACLs with the same handle */ +static void hci_remove_pending_acl(struct work_struct *work) +{ + struct hci_dev *hdev; + struct sk_buff *skb, *tmp; + struct hci_acl_hdr *hdr; + u16 handle, oldest_handle; + + hdev = container_of(work, struct hci_dev, remove_pending_acl.work); + skb = skb_dequeue(&hdev->pending_acl_q); + + if (!skb) + return; + + hdr = (struct hci_acl_hdr *)skb->data; + oldest_handle = hci_handle(__le16_to_cpu(hdr->handle)); + kfree_skb(skb); + + bt_dev_err(hdev, "ACL packet for unknown connection handle %d", + oldest_handle); + + skb_queue_walk_safe(&hdev->pending_acl_q, skb, tmp) { + hdr = (struct hci_acl_hdr *)skb->data; + handle = hci_handle(__le16_to_cpu(hdr->handle)); + + if (handle == oldest_handle) { + __skb_unlink(skb, &hdev->pending_acl_q); + kfree_skb(skb); + } + } + + if (!skb_queue_empty(&hdev->pending_acl_q)) + queue_delayed_work(hdev->workqueue, &hdev->remove_pending_acl, + PENDING_ACL_TIMEOUT); +} + /* Alloc HCI device */ struct hci_dev *hci_alloc_dev(void) { @@ -3610,10 +3683,12 @@ struct hci_dev *hci_alloc_dev(void) INIT_WORK(&hdev->suspend_prepare, hci_prepare_suspend); INIT_DELAYED_WORK(&hdev->power_off, hci_power_off); + INIT_DELAYED_WORK(&hdev->remove_pending_acl, hci_remove_pending_acl); skb_queue_head_init(&hdev->rx_q); skb_queue_head_init(&hdev->cmd_q); skb_queue_head_init(&hdev->raw_q); + skb_queue_head_init(&hdev->pending_acl_q); init_waitqueue_head(&hdev->req_wait_q); init_waitqueue_head(&hdev->suspend_wait_q); @@ -4662,8 +4737,6 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) struct hci_conn *conn; __u16 handle, flags; - skb_pull(skb, HCI_ACL_HDR_SIZE); - handle = __le16_to_cpu(hdr->handle); flags = hci_flags(handle); handle = hci_handle(handle); @@ -4678,17 +4751,16 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) hci_dev_unlock(hdev); if (conn) { + skb_pull(skb, HCI_ACL_HDR_SIZE); + hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF); /* Send to upper protocol */ l2cap_recv_acldata(conn, skb, flags); return; } else { - bt_dev_err(hdev, "ACL packet for unknown connection handle %d", - handle); + hci_add_pending_acl(hdev, skb); } - - kfree_skb(skb); } /* SCO data packet */ diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index e060fc9ebb18..108c6c102a6a 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2627,6 +2627,8 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), &cp); } + + hci_process_pending_acl(hdev, conn); } else { conn->state = BT_CLOSED; if (conn->type == ACL_LINK) From patchwork Sat Jun 27 10:54:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Archie Pusaka X-Patchwork-Id: 11629537 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DDCAD90 for ; Sat, 27 Jun 2020 10:55:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BCA202081A for ; Sat, 27 Jun 2020 10:55:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="GuwbOSx2" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726595AbgF0Kze (ORCPT ); Sat, 27 Jun 2020 06:55:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726579AbgF0Kzb (ORCPT ); Sat, 27 Jun 2020 06:55:31 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7799BC03E97B for ; Sat, 27 Jun 2020 03:55:31 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id k127so8295837ybk.11 for ; Sat, 27 Jun 2020 03:55:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=B8cj7noT3gqtr7TfBspAj7Mt+u+WB7mZtChkBCJp8NI=; b=GuwbOSx2zG2imk28P5V+Ks8JSLBbJazjhgQE9JsqNuEkS1jqWjuJgt39kolpwfSjOq xWKaWeBy5Bsnpj2U+PMOw4dW1y1phGQRABXsxklKivj4rqRHolF1hzwPIMM+rc8Fm1Fx XOtNFaP1pI1h3BUghiWWZJPvHB+EdGVZMU6F5kZAPGN5jgRd/1AuJkI9KTSsnUFZ+wvu lCW4NVCF/EP9iHAsSyABr2AJ1w32rVYVZoT+PUu+eSU2adkmaH0Zgyeq0ySJOXIakLg8 IdVK7LDWRovC7TEFCjoi9bQKFA+tPPX3N90gooTlWJKAd7qXvkfdnpXZuBX166woGNbY Rppw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=B8cj7noT3gqtr7TfBspAj7Mt+u+WB7mZtChkBCJp8NI=; b=RJf+4YLuqGtw6ebxAtIIulXhh5GAgREuRuz0agcYJqQ5fb1s/vlpEarvdjsA6uJ3ah inew5S3T/RY4+6P/XLpbdMumHYH2J4dA2GgCfB2iQDxSNQvg3nweA8fN97ZPzsw1ybuU N3mI6D2obn2/VIw1oMDlghOhIDSwx1hl8GX5WXjqb/0MTQTxBpWrRuuFdVXV+WPyEgrn ScWB/vq0km/0nAoL+S69XCHeEgKFdrg++9V0jvHbN/NTpkAhxYqkioW3xKWU9wBUDcW/ KZFmQlURNX4KtwayqC2MkVu6ctNOWIr4HMdV5KxT0QEaYatvZpBNdS7wSbe8Ce7w5eEw sR+A== X-Gm-Message-State: AOAM531JGCuld0l+R20AzLYL259ljtMCr0NOVzwmLDcN0STDQU9WeVXu doIsvriHZXLiw26MYwIu2yubeWxqjEM6Emz8mC6969twFS8YNqlky3gvXR5LqaVDEc46R5vlGC0 1RWVGFEcdcO6zmZFloigYgBHTdklOWKEIlsNf7+BOwlfJAoIrB9hYyqbambzOsAGkhLOcqMZoUK qh X-Google-Smtp-Source: ABdhPJxRkLMu6N8l9lSqNk57NeU1XLPYmxklsrUU1kbsLq5k2gSu0s3WAGA8q5qtfNPnAT2IqpxkiWu0+FDw X-Received: by 2002:a25:ad5a:: with SMTP id l26mr11556917ybe.188.1593255330661; Sat, 27 Jun 2020 03:55:30 -0700 (PDT) Date: Sat, 27 Jun 2020 18:54:37 +0800 In-Reply-To: <20200627105437.453053-1-apusaka@google.com> Message-Id: <20200627185320.RFC.v1.2.I7363a6e528433d88c5240b67cbda5a88a107f56c@changeid> Mime-Version: 1.0 References: <20200627105437.453053-1-apusaka@google.com> X-Mailer: git-send-email 2.27.0.212.ge8ba1cc988-goog Subject: [RFC PATCH v1 2/2] Bluetooth: queue L2CAP conn req if encryption is needed From: Archie Pusaka To: linux-bluetooth , Marcel Holtmann Cc: chromeos-bluetooth-upstreaming , Archie Pusaka , Abhishek Pandit-Subedi , "David S. Miller" , Jakub Kicinski , Johan Hedberg , linux-kernel@vger.kernel.org, netdev@vger.kernel.org Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: Archie Pusaka It is possible to receive an L2CAP conn req for an encrypted connection, before actually receiving the HCI change encryption event. If this happened, the received L2CAP packet will be ignored. This patch queues the L2CAP packet and process them after the expected HCI event is received. If after 2 seconds we still don't receive it, then we assume something bad happened and discard the queued packets. Signed-off-by: Archie Pusaka Reviewed-by: Abhishek Pandit-Subedi --- include/net/bluetooth/bluetooth.h | 6 +++ include/net/bluetooth/l2cap.h | 6 +++ net/bluetooth/hci_event.c | 3 ++ net/bluetooth/l2cap_core.c | 87 +++++++++++++++++++++++++++---- 4 files changed, 91 insertions(+), 11 deletions(-) diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h index 7ee8041af803..e64278401084 100644 --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -335,7 +335,11 @@ struct l2cap_ctrl { u16 reqseq; u16 txseq; u8 retries; + u8 rsp_code; + u8 amp_id; + __u8 ident; __le16 psm; + __le16 scid; bdaddr_t bdaddr; struct l2cap_chan *chan; }; @@ -374,6 +378,8 @@ struct bt_skb_cb { struct hci_ctrl hci; }; }; +static_assert(sizeof(struct bt_skb_cb) <= sizeof(((struct sk_buff *)0)->cb)); + #define bt_cb(skb) ((struct bt_skb_cb *)((skb)->cb)) #define hci_skb_pkt_type(skb) bt_cb((skb))->pkt_type diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h index 8f1e6a7a2df8..f8f6dec96f12 100644 --- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h @@ -58,6 +58,7 @@ #define L2CAP_MOVE_ERTX_TIMEOUT msecs_to_jiffies(60000) #define L2CAP_WAIT_ACK_POLL_PERIOD msecs_to_jiffies(200) #define L2CAP_WAIT_ACK_TIMEOUT msecs_to_jiffies(10000) +#define L2CAP_PEND_ENC_CONN_TIMEOUT msecs_to_jiffies(2000) #define L2CAP_A2MP_DEFAULT_MTU 670 @@ -700,6 +701,9 @@ struct l2cap_conn { struct mutex chan_lock; struct kref ref; struct list_head users; + + struct delayed_work remove_pending_encrypt_conn; + struct sk_buff_head pending_conn_q; }; struct l2cap_user { @@ -1001,4 +1005,6 @@ void l2cap_conn_put(struct l2cap_conn *conn); int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user); void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user); +void l2cap_process_pending_encrypt_conn(struct hci_conn *hcon); + #endif /* __L2CAP_H */ diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 108c6c102a6a..8cefc51a5ca4 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3136,6 +3136,9 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) unlock: hci_dev_unlock(hdev); + + if (conn && !ev->status && ev->encrypt) + l2cap_process_pending_encrypt_conn(conn); } static void hci_change_link_key_complete_evt(struct hci_dev *hdev, diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 35d2bc569a2d..fc6fe2c80c46 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -62,6 +62,10 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, struct sk_buff_head *skbs, u8 event); +static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, + u8 ident, u8 *data, u8 rsp_code, + u8 amp_id, bool queue_if_fail); + static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) { if (link_type == LE_LINK) { @@ -1902,6 +1906,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) cancel_delayed_work_sync(&conn->info_timer); + cancel_delayed_work_sync(&conn->remove_pending_encrypt_conn); + hcon->l2cap_data = NULL; conn->hchan = NULL; l2cap_conn_put(conn); @@ -2023,6 +2029,55 @@ static void l2cap_retrans_timeout(struct work_struct *work) l2cap_chan_put(chan); } +static void l2cap_add_pending_encrypt_conn(struct l2cap_conn *conn, + struct l2cap_conn_req *req, + u8 ident, u8 rsp_code, u8 amp_id) +{ + struct sk_buff *skb = bt_skb_alloc(0, GFP_KERNEL); + + bt_cb(skb)->l2cap.psm = req->psm; + bt_cb(skb)->l2cap.scid = req->scid; + bt_cb(skb)->l2cap.ident = ident; + bt_cb(skb)->l2cap.rsp_code = rsp_code; + bt_cb(skb)->l2cap.amp_id = amp_id; + + skb_queue_tail(&conn->pending_conn_q, skb); + queue_delayed_work(conn->hcon->hdev->workqueue, + &conn->remove_pending_encrypt_conn, + L2CAP_PEND_ENC_CONN_TIMEOUT); +} + +void l2cap_process_pending_encrypt_conn(struct hci_conn *hcon) +{ + struct sk_buff *skb; + struct l2cap_conn *conn = hcon->l2cap_data; + + if (!conn) + return; + + while ((skb = skb_dequeue(&conn->pending_conn_q))) { + struct l2cap_conn_req req; + u8 ident, rsp_code, amp_id; + + req.psm = bt_cb(skb)->l2cap.psm; + req.scid = bt_cb(skb)->l2cap.scid; + ident = bt_cb(skb)->l2cap.ident; + rsp_code = bt_cb(skb)->l2cap.rsp_code; + amp_id = bt_cb(skb)->l2cap.amp_id; + + l2cap_connect(conn, ident, (u8 *)&req, rsp_code, amp_id, false); + kfree_skb(skb); + } +} + +static void l2cap_remove_pending_encrypt_conn(struct work_struct *work) +{ + struct l2cap_conn *conn = container_of(work, struct l2cap_conn, + remove_pending_encrypt_conn.work); + + l2cap_process_pending_encrypt_conn(conn->hcon); +} + static void l2cap_streaming_send(struct l2cap_chan *chan, struct sk_buff_head *skbs) { @@ -4076,8 +4131,8 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, } static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, - struct l2cap_cmd_hdr *cmd, - u8 *data, u8 rsp_code, u8 amp_id) + u8 ident, u8 *data, u8 rsp_code, + u8 amp_id, bool queue_if_fail) { struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; @@ -4103,8 +4158,15 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, /* Check if the ACL is secure enough (if not SDP) */ if (psm != cpu_to_le16(L2CAP_PSM_SDP) && !hci_conn_check_link_mode(conn->hcon)) { - conn->disc_reason = HCI_ERROR_AUTH_FAILURE; - result = L2CAP_CR_SEC_BLOCK; + if (!queue_if_fail) { + conn->disc_reason = HCI_ERROR_AUTH_FAILURE; + result = L2CAP_CR_SEC_BLOCK; + goto response; + } + + l2cap_add_pending_encrypt_conn(conn, req, ident, rsp_code, + amp_id); + result = L2CAP_CR_PEND; goto response; } @@ -4147,7 +4209,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); - chan->ident = cmd->ident; + chan->ident = ident; if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { if (l2cap_chan_check_security(chan, false)) { @@ -4191,7 +4253,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, rsp.dcid = cpu_to_le16(dcid); rsp.result = cpu_to_le16(result); rsp.status = cpu_to_le16(status); - l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); + l2cap_send_cmd(conn, ident, rsp_code, sizeof(rsp), &rsp); if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { struct l2cap_info_req info; @@ -4233,7 +4295,7 @@ static int l2cap_connect_req(struct l2cap_conn *conn, mgmt_device_connected(hdev, hcon, 0, NULL, 0); hci_dev_unlock(hdev); - l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); + l2cap_connect(conn, cmd->ident, data, L2CAP_CONN_RSP, 0, true); return 0; } @@ -4802,8 +4864,8 @@ static int l2cap_create_channel_req(struct l2cap_conn *conn, /* For controller id 0 make BR/EDR connection */ if (req->amp_id == AMP_ID_BREDR) { - l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP, - req->amp_id); + l2cap_connect(conn, cmd->ident, data, L2CAP_CREATE_CHAN_RSP, + req->amp_id, true); return 0; } @@ -4817,8 +4879,8 @@ static int l2cap_create_channel_req(struct l2cap_conn *conn, goto error; } - chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP, - req->amp_id); + chan = l2cap_connect(conn, cmd->ident, data, L2CAP_CREATE_CHAN_RSP, + req->amp_id, true); if (chan) { struct amp_mgr *mgr = conn->hcon->amp_mgr; struct hci_conn *hs_hcon; @@ -7745,8 +7807,11 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon) INIT_LIST_HEAD(&conn->users); INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); + INIT_DELAYED_WORK(&conn->remove_pending_encrypt_conn, + l2cap_remove_pending_encrypt_conn); skb_queue_head_init(&conn->pending_rx); + skb_queue_head_init(&conn->pending_conn_q); INIT_WORK(&conn->pending_rx_work, process_pending_rx); INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);