2012-10-05 13:56:52

by Andrei Emeltchenko

Subject: [PATCHv1 1/7] Bluetooth: L2CAP: Fix using default Flush Timeout for EFS

From: Andrei Emeltchenko <[email protected]>

There are two Flush Timeouts: one is the old Flush Timeout Option
which is 2 octets and the second is Flush Timeout inside EFS
which is 4 octets long.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
include/net/bluetooth/l2cap.h | 3 ++-
net/bluetooth/l2cap_core.c | 10 ++++++----
2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index ab58b81..83fb9c7 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -32,7 +32,8 @@
/* L2CAP defaults */
#define L2CAP_DEFAULT_MTU 672
#define L2CAP_DEFAULT_MIN_MTU 48
-#define L2CAP_DEFAULT_FLUSH_TO 0xffff
+#define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+#define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
#define L2CAP_DEFAULT_TX_WINDOW 63
#define L2CAP_DEFAULT_EXT_WINDOW 0x3FFF
#define L2CAP_DEFAULT_MAX_TX 3
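Review bot: The two flush-timeout macros differ only in width and nothing at the definition site says which protocol field each belongs to, which is exactly the confusion this patch fixes. Trailing comments in the style already used for RETRANS_TO/MONITOR_TO would prevent the next mix-up: `#define L2CAP_DEFAULT_FLUSH_TO 0xFFFF /* Flush Timeout option, 2 octets */` and `#define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF /* Flush Timeout inside EFS, 4 octets */`. The same hunk reappears in the resent [PATCH] further down the thread.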
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b4e707b..ab6853d 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -504,7 +504,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
- chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
+ chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;

l2cap_chan_hold(chan);

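Review bot: `chan->local_flush_to` now receives 0xFFFFFFFF, which is only correct if that field is 32 bits wide; if it is still declared with the width of the old 2-octet Flush Timeout option the assignment silently truncates back to 0xFFFF, the very value this patch stops using. The struct declaration is not in the hunk, so confirm the field type in l2cap.h and widen it in the same patch if needed. The same check applies to the resent [PATCH] version of this hunk. __l2cap_chan_add starts outside the hunk.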
@@ -2714,8 +2714,10 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
efs.stype = chan->local_stype;
efs.msdu = cpu_to_le16(chan->local_msdu);
efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
- efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
- efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
+ efs.acc_lat =
+ __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
+ efs.flush_to =
+ __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
break;

case L2CAP_MODE_STREAMING:
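Review bot: `efs.acc_lat` and `efs.flush_to` are built from the compile-time defaults even though the first hunk stores per-channel values in `chan->local_acc_lat` and `chan->local_flush_to`; if those fields are meant to be configurable the option should read them, `efs.acc_lat = cpu_to_le32(chan->local_acc_lat);` and `efs.flush_to = cpu_to_le32(chan->local_flush_to);`, otherwise the stored fields are dead state. The `efs.stype`, `efs.msdu` and `efs.sdu_itime` lines just above already follow the per-channel pattern. The same applies to the resent [PATCH] version of this hunk. l2cap_add_opt_efs begins outside the hunk.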
@@ -2732,7 +2734,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
}

l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs);
}

static void l2cap_ack_timeout(struct work_struct *work)
--
1.7.9.5



2012-10-08 12:41:50

by Gustavo Padovan

Subject: Re: [PATCH] Bluetooth: L2CAP: Fix using default Flush Timeout for EFS

Hi Andrei,

* Andrei Emeltchenko <[email protected]> [2012-10-08 11:14:41 +0300]:

> From: Andrei Emeltchenko <[email protected]>
>
> There are two Flush Timeouts: one is old Flush Timeot Option
> which is 2 octets and the second is Flush Timeout inside EFS
> which is 4 octets long.
>
> Signed-off-by: Andrei Emeltchenko <[email protected]>
> ---
> include/net/bluetooth/l2cap.h | 3 ++-
> net/bluetooth/l2cap_core.c | 6 +++---
> 2 files changed, 5 insertions(+), 4 deletions(-)

Applied, thanks.

Gustavo

2012-10-08 08:14:41

by Andrei Emeltchenko

Subject: [PATCH] Bluetooth: L2CAP: Fix using default Flush Timeout for EFS

From: Andrei Emeltchenko <[email protected]>

There are two Flush Timeouts: one is the old Flush Timeout Option
which is 2 octets and the second is Flush Timeout inside EFS
which is 4 octets long.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
include/net/bluetooth/l2cap.h | 3 ++-
net/bluetooth/l2cap_core.c | 6 +++---
2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 7002f0d..caab98c 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -32,7 +32,8 @@
/* L2CAP defaults */
#define L2CAP_DEFAULT_MTU 672
#define L2CAP_DEFAULT_MIN_MTU 48
-#define L2CAP_DEFAULT_FLUSH_TO 0xffff
+#define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+#define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
#define L2CAP_DEFAULT_TX_WINDOW 63
#define L2CAP_DEFAULT_EXT_WINDOW 0x3FFF
#define L2CAP_DEFAULT_MAX_TX 3
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index d605bbf..d42cdb1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -504,7 +504,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
- chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
+ chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;

l2cap_chan_hold(chan);

@@ -2727,7 +2727,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
efs.msdu = cpu_to_le16(chan->local_msdu);
efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
- efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
+ efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
break;

case L2CAP_MODE_STREAMING:
@@ -2744,7 +2744,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
}

l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs);
}

static void l2cap_ack_timeout(struct work_struct *work)
--
1.7.9.5


2012-10-07 22:25:00

by Gustavo Padovan

Subject: Re: [PATCHv1 7/7] Bluetooth: Adjust L2CAP Max PDU size for AMP packets

Hi Andrei,

* Andrei Emeltchenko <[email protected]> [2012-10-05 16:56:58 +0300]:

> From: Andrei Emeltchenko <[email protected]>
>
> Maximum PDU size is defined by new BT Spec as 1492 octets.
>
> Signed-off-by: Andrei Emeltchenko <[email protected]>
> ---
> include/net/bluetooth/l2cap.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Patches 2 to 7 were applied to bluetooth-next. Thanks.

Gustavo

2012-10-07 21:48:00

by Gustavo Padovan

Subject: Re: [PATCHv1 1/7] Bluetooth: L2CAP: Fix using default Flush Timeout for EFS

Hi Andrei,

* Andrei Emeltchenko <[email protected]> [2012-10-05 16:56:52 +0300]:

> From: Andrei Emeltchenko <[email protected]>
>
> There are two Flush Timeouts: one is old Flush Timeot Option
> which is 2 octets and the second is Flush Timeout inside EFS
> which is 4 octets long.
>
> Signed-off-by: Andrei Emeltchenko <[email protected]>
> ---
> include/net/bluetooth/l2cap.h | 3 ++-
> net/bluetooth/l2cap_core.c | 10 ++++++----
> 2 files changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index ab58b81..83fb9c7 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -32,7 +32,8 @@
> /* L2CAP defaults */
> #define L2CAP_DEFAULT_MTU 672
> #define L2CAP_DEFAULT_MIN_MTU 48
> -#define L2CAP_DEFAULT_FLUSH_TO 0xffff
> +#define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
> +#define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
> #define L2CAP_DEFAULT_TX_WINDOW 63
> #define L2CAP_DEFAULT_EXT_WINDOW 0x3FFF
> #define L2CAP_DEFAULT_MAX_TX 3
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index b4e707b..ab6853d 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -504,7 +504,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
> chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
> chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
> chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
> - chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
> + chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
>
> l2cap_chan_hold(chan);
>
> @@ -2714,8 +2714,10 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
> efs.stype = chan->local_stype;
> efs.msdu = cpu_to_le16(chan->local_msdu);
> efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
> - efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
> - efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
> + efs.acc_lat =
> + __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
> + efs.flush_to =
> + __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);

Just let these lines go over 80 columns.

Gustavo

2012-10-05 17:40:32

by Mat Martineau

Subject: Re: [PATCHv1 7/7] Bluetooth: Adjust L2CAP Max PDU size for AMP packets


On Fri, 5 Oct 2012, Andrei Emeltchenko wrote:

> From: Andrei Emeltchenko <[email protected]>
>
> Maximum PDU size is defined by new BT Spec as 1492 octets.
>
> Signed-off-by: Andrei Emeltchenko <[email protected]>
> ---
> include/net/bluetooth/l2cap.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 83fb9c7..caab98c 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -39,7 +39,7 @@
> #define L2CAP_DEFAULT_MAX_TX 3
> #define L2CAP_DEFAULT_RETRANS_TO 2000 /* 2 seconds */
> #define L2CAP_DEFAULT_MONITOR_TO 12000 /* 12 seconds */
> -#define L2CAP_DEFAULT_MAX_PDU_SIZE 1009 /* Sized for 3-DH5 packet */
> +#define L2CAP_DEFAULT_MAX_PDU_SIZE 1492 /* Sized for AMP packet */
> #define L2CAP_DEFAULT_ACK_TO 200
> #define L2CAP_DEFAULT_MAX_SDU_SIZE 0xFFFF
> #define L2CAP_DEFAULT_SDU_ITIME 0xFFFFFFFF
> --
> 1.7.9.5

I had missed this, thanks for fixing it. This makes AMP use the most
efficient PDU size for AMP controllers, while the size of the PDUs
sent on BR/EDR links will still be limited to
L2CAP_BR_EDR_MAX_PAYLOAD.

Reviewed-by: Mat Martineau <[email protected]>

--
Mat Martineau

The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation


2012-10-05 13:56:58

by Andrei Emeltchenko

Subject: [PATCHv1 7/7] Bluetooth: Adjust L2CAP Max PDU size for AMP packets

From: Andrei Emeltchenko <[email protected]>

Maximum PDU size is defined by new BT Spec as 1492 octets.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
include/net/bluetooth/l2cap.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 83fb9c7..caab98c 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -39,7 +39,7 @@
#define L2CAP_DEFAULT_MAX_TX 3
#define L2CAP_DEFAULT_RETRANS_TO 2000 /* 2 seconds */
#define L2CAP_DEFAULT_MONITOR_TO 12000 /* 12 seconds */
-#define L2CAP_DEFAULT_MAX_PDU_SIZE 1009 /* Sized for 3-DH5 packet */
+#define L2CAP_DEFAULT_MAX_PDU_SIZE 1492 /* Sized for AMP packet */
#define L2CAP_DEFAULT_ACK_TO 200
#define L2CAP_DEFAULT_MAX_SDU_SIZE 0xFFFF
#define L2CAP_DEFAULT_SDU_ITIME 0xFFFFFFFF
--
1.7.9.5


2012-10-05 13:56:55

by Andrei Emeltchenko

Subject: [PATCHv1 4/7] Bluetooth: AMP: Factor out amp_ctrl_add

From: Andrei Emeltchenko <[email protected]>

Add a ctrl_id parameter to amp_ctrl_add, since every caller sets the id
right after the ctrl is created.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
include/net/bluetooth/amp.h | 2 +-
net/bluetooth/a2mp.c | 8 ++------
net/bluetooth/amp.c | 7 ++++---
3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/include/net/bluetooth/amp.h b/include/net/bluetooth/amp.h
index b1e5490..ae2c3e5 100644
--- a/include/net/bluetooth/amp.h
+++ b/include/net/bluetooth/amp.h
@@ -26,7 +26,7 @@ struct amp_ctrl {

int amp_ctrl_put(struct amp_ctrl *ctrl);
void amp_ctrl_get(struct amp_ctrl *ctrl);
-struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr);
+struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr, u8 id);
struct amp_ctrl *amp_ctrl_lookup(struct amp_mgr *mgr, u8 id);
void amp_ctrl_list_flush(struct amp_mgr *mgr);

diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index d4946b5..88a4b58 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -316,12 +316,10 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
if (rsp->status)
return -EINVAL;

- ctrl = amp_ctrl_add(mgr);
+ ctrl = amp_ctrl_add(mgr, rsp->id);
if (!ctrl)
return -ENOMEM;

- ctrl->id = rsp->id;
-
req.id = rsp->id;
a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req),
&req);
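Review bot: Unlike the a2mp_createphyslink_req hunk below, this call adds a controller for `rsp->id` without first trying `amp_ctrl_lookup(mgr, rsp->id)`; a remote that answers Get Info twice for the same id would presumably end up with two list entries, and which one later lookups return depends on list order. If that is acceptable, say so with `/* a repeated Get Info rsp for the same id adds a second ctrl */`; otherwise reuse the existing entry as the second hunk does. a2mp_getinfo_rsp starts outside the hunk, so any earlier de-duplication is not visible here.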
@@ -461,7 +459,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,

ctrl = amp_ctrl_lookup(mgr, rsp.remote_id);
if (!ctrl) {
- ctrl = amp_ctrl_add(mgr);
+ ctrl = amp_ctrl_add(mgr, rsp.remote_id);
if (ctrl) {
amp_ctrl_get(ctrl);
} else {
@@ -474,8 +472,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
size_t assoc_len = le16_to_cpu(hdr->len) - sizeof(*req);
u8 *assoc;

- ctrl->id = rsp.remote_id;
-
assoc = kzalloc(assoc_len, GFP_KERNEL);
if (!assoc) {
amp_ctrl_put(ctrl);
diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
index b6e1c3a..2fc5562 100644
--- a/net/bluetooth/amp.c
+++ b/net/bluetooth/amp.c
@@ -45,7 +45,7 @@ int amp_ctrl_put(struct amp_ctrl *ctrl)
return kref_put(&ctrl->kref, &amp_ctrl_destroy);
}

-struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr)
+struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr, u8 id)
{
struct amp_ctrl *ctrl;

@@ -53,12 +53,13 @@ struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr)
if (!ctrl)
return NULL;

+ kref_init(&ctrl->kref);
+ ctrl->id = id;
+
mutex_lock(&mgr->amp_ctrls_lock);
list_add(&ctrl->list, &mgr->amp_ctrls);
mutex_unlock(&mgr->amp_ctrls_lock);

- kref_init(&ctrl->kref);
-
BT_DBG("mgr %p ctrl %p", mgr, ctrl);

return ctrl;
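Review bot: Moving `kref_init(&ctrl->kref)` ahead of `list_add` changes more than the commit message describes: once the ctrl is on `mgr->amp_ctrls`, another path that takes `amp_ctrls_lock` can presumably find it and call amp_ctrl_get, so initialising the kref and `ctrl->id` before publication closes a window where a lookup could see an uninitialised refcount. That deserves a sentence in the description, e.g. `Initialise kref and id before the ctrl becomes visible on the list`. The allocation of ctrl is above the hunk, so its error path is not visible here.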
--
1.7.9.5


2012-10-05 13:56:57

by Andrei Emeltchenko

Subject: [PATCHv1 6/7] Bluetooth: AMP: Use block_mtu for AMP controller

From: Andrei Emeltchenko <[email protected]>


Signed-off-by: Andrei Emeltchenko <[email protected]>
---
net/bluetooth/l2cap_core.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ab6853d..3066157 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1390,10 +1390,22 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)

BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);

- if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
- conn->mtu = hcon->hdev->le_mtu;
- else
+ switch (hcon->type) {
+ case AMP_LINK:
+ conn->mtu = hcon->hdev->block_mtu;
+ break;
+
+ case LE_LINK:
+ if (hcon->hdev->le_mtu) {
+ conn->mtu = hcon->hdev->le_mtu;
+ break;
+ }
+ /* fall through */
+
+ default:
conn->mtu = hcon->hdev->acl_mtu;
+ break;
+ }
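Review bot: The `AMP_LINK` arm uses `hcon->hdev->block_mtu` unconditionally, while the `LE_LINK` arm falls back to `acl_mtu` when `le_mtu` is zero; if an AMP controller has not reported a block MTU this leaves `conn->mtu` at 0. Mirror the LE guard: `if (hcon->hdev->block_mtu) { conn->mtu = hcon->hdev->block_mtu; break; }` followed by the same `/* fall through */` into the default arm. The commit body is also empty; one sentence on why AMP links must size by the block MTU would help. l2cap_conn_add starts and ends outside the hunk.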

conn->src = &hcon->hdev->bdaddr;
conn->dst = &hcon->dst;
--
1.7.9.5


2012-10-05 13:56:53

by Andrei Emeltchenko

Subject: [PATCHv1 2/7] Bluetooth: AMP: Fix possible NULL dereference

From: Andrei Emeltchenko <[email protected]>

Check that the link key exists before accessing it.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
net/bluetooth/amp.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
index 5dab2d1..b6e1c3a 100644
--- a/net/bluetooth/amp.c
+++ b/net/bluetooth/amp.c
@@ -184,6 +184,10 @@ int phylink_gen_key(struct hci_conn *conn, u8 *data, u8 *len, u8 *type)
*len = HCI_AMP_LINK_KEY_SIZE;

key = hci_find_link_key(hdev, &conn->dst);
+ if (!key) {
+ BT_DBG("No Link key for conn %p dst %pMR", conn, &conn->dst);
+ return -EACCES;
+ }

/* BR/EDR Link Key concatenated together with itself */
memcpy(&keybuf[0], key->val, HCI_LINK_KEY_SIZE);
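Review bot: `*len = HCI_AMP_LINK_KEY_SIZE;` is executed on the line above the lookup, so on the new `-EACCES` return the caller's length has already been written while `data` and `type` have not. Either move that assignment below the new check so the out-parameters are untouched on failure, or state in the function's header comment that `*len` is unspecified when a negative value is returned. phylink_gen_key begins outside the hunk, so whether any caller reads `*len` before checking the return code cannot be seen here.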
--
1.7.9.5


2012-10-05 13:56:56

by Andrei Emeltchenko

Subject: [PATCHv1 5/7] Bluetooth: AMP: Factor out phylink_add

From: Andrei Emeltchenko <[email protected]>

Add direction parameter to phylink_add since it is anyway set later.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
include/net/bluetooth/amp.h | 2 +-
net/bluetooth/a2mp.c | 4 ++--
net/bluetooth/amp.c | 6 ++++--
3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/net/bluetooth/amp.h b/include/net/bluetooth/amp.h
index ae2c3e5..2e7c79e 100644
--- a/include/net/bluetooth/amp.h
+++ b/include/net/bluetooth/amp.h
@@ -31,7 +31,7 @@ struct amp_ctrl *amp_ctrl_lookup(struct amp_mgr *mgr, u8 id);
void amp_ctrl_list_flush(struct amp_mgr *mgr);

struct hci_conn *phylink_add(struct hci_dev *hdev, struct amp_mgr *mgr,
- u8 remote_id);
+ u8 remote_id, bool out);

int phylink_gen_key(struct hci_conn *hcon, u8 *data, u8 *len, u8 *type);

diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index 88a4b58..3ff4dc9 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -417,7 +417,7 @@ static int a2mp_getampassoc_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
if (!hdev)
return -EINVAL;

- hcon = phylink_add(hdev, mgr, rsp->id);
+ hcon = phylink_add(hdev, mgr, rsp->id, true);
if (!hcon)
goto done;

@@ -487,7 +487,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
amp_ctrl_put(ctrl);
}

- hcon = phylink_add(hdev, mgr, req->local_id);
+ hcon = phylink_add(hdev, mgr, req->local_id, false);
if (hcon) {
amp_accept_phylink(hdev, mgr, hcon);
rsp.status = A2MP_STATUS_SUCCESS;
diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
index 2fc5562..59da0f1 100644
--- a/net/bluetooth/amp.c
+++ b/net/bluetooth/amp.c
@@ -108,7 +108,7 @@ static u8 __next_handle(struct amp_mgr *mgr)
}

struct hci_conn *phylink_add(struct hci_dev *hdev, struct amp_mgr *mgr,
- u8 remote_id)
+ u8 remote_id, bool out)
{
bdaddr_t *dst = mgr->l2cap_conn->dst;
struct hci_conn *hcon;
@@ -117,12 +117,14 @@ struct hci_conn *phylink_add(struct hci_dev *hdev, struct amp_mgr *mgr,
if (!hcon)
return NULL;

+ BT_DBG("hcon %p dst %pMR", hcon, dst);
+
hcon->state = BT_CONNECT;
- hcon->out = true;
hcon->attempt++;
hcon->handle = __next_handle(mgr);
hcon->remote_id = remote_id;
hcon->amp_mgr = mgr;
+ hcon->out = out;

return hcon;
}
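Review bot: With the direction now a parameter, `hcon->state = BT_CONNECT` and `hcon->attempt++` still run for the incoming case (`out == false`, the a2mp_createphyslink_req caller), although they read like outgoing-connection setup. Confirm that an accepted physical link is meant to start in BT_CONNECT with the attempt counter bumped; if so, add `/* both directions start in BT_CONNECT until the phylink completes */` above the state assignment so the next reader does not "fix" it. The call that allocates hcon sits above the hunk.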
--
1.7.9.5


2012-10-05 13:56:54

by Andrei Emeltchenko

Subject: [PATCHv1 3/7] Bluetooth: Fix dereference after NULL check

From: Andrei Emeltchenko <[email protected]>

Move code dereferencing possible NULL pointer to the check branch.

Signed-off-by: Andrei Emeltchenko <[email protected]>
---
net/bluetooth/l2cap_sock.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 2542abd..a71c408 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -382,13 +382,14 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
}

memset(&sec, 0, sizeof(sec));
- if (chan->conn)
+ if (chan->conn) {
sec.level = chan->conn->hcon->sec_level;
- else
- sec.level = chan->sec_level;

- if (sk->sk_state == BT_CONNECTED)
- sec.key_size = chan->conn->hcon->enc_key_size;
+ if (sk->sk_state == BT_CONNECTED)
+ sec.key_size = chan->conn->hcon->enc_key_size;
+ } else {
+ sec.level = chan->sec_level;
+ }

len = min_t(unsigned int, len, sizeof(sec));
if (copy_to_user(optval, (char *) &sec, len))
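Review bot: The rewritten branch drops the `sec.key_size` assignment entirely when `chan->conn` is NULL, which is only equivalent to the old code if a socket can never be BT_CONNECTED without a conn; that is presumably the invariant, but the commit message should state it, e.g. `A BT_CONNECTED socket always has chan->conn, so key_size is only filled in that branch`. It is worth keeping the `memset` above as-is: it guarantees the `key_size` copied to user space in the unconnected case is 0 rather than stale stack bytes. l2cap_sock_getsockopt starts and ends outside the hunk.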
--
1.7.9.5