Bluetooth: hci_core: fix NULL-pointer dereference at unregister

[linux-flexiantxendom0.git] / net / bluetooth / hci_core.c

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 8f5bee1..857dc88 100644 (file)
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -60,8 +60,6 @@ static void hci_tx_task(unsigned long arg);
 
 static DEFINE_RWLOCK(hci_task_lock);
 
-static int enable_smp;
-
 /* HCI device list */
 LIST_HEAD(hci_dev_list);
 DEFINE_RWLOCK(hci_dev_list_lock);
@@ -148,7 +146,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
 
        switch (hdev->req_status) {
        case HCI_REQ_DONE:
-               err = -bt_err(hdev->req_result);
+               err = -bt_to_errno(hdev->req_result);
                break;
 
        case HCI_REQ_CANCELED:
@@ -512,6 +510,11 @@ int hci_dev_open(__u16 dev)
 
        hci_req_lock(hdev);
 
+       if (test_bit(HCI_UNREGISTER, &hdev->flags)) {
+               ret = -ENODEV;
+               goto done;
+       }
+
        if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
                ret = -ERFKILL;
                goto done;
@@ -542,7 +545,7 @@ int hci_dev_open(__u16 dev)
                ret = __hci_request(hdev, hci_init_req, 0,
                                        msecs_to_jiffies(HCI_INIT_TIMEOUT));
 
-               if (lmp_le_capable(hdev))
+               if (lmp_host_le_capable(hdev))
                        ret = __hci_request(hdev, hci_le_init_req, 0,
                                        msecs_to_jiffies(HCI_INIT_TIMEOUT));
 
@@ -1059,6 +1062,42 @@ static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
        return 0;
 }
 
+struct link_key *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
+{
+       struct link_key *k;
+
+       list_for_each_entry(k, &hdev->link_keys, list) {
+               struct key_master_id *id;
+
+               if (k->type != HCI_LK_SMP_LTK)
+                       continue;
+
+               if (k->dlen != sizeof(*id))
+                       continue;
+
+               id = (void *) &k->data;
+               if (id->ediv == ediv &&
+                               (memcmp(rand, id->rand, sizeof(id->rand)) == 0))
+                       return k;
+       }
+
+       return NULL;
+}
+EXPORT_SYMBOL(hci_find_ltk);
+
+struct link_key *hci_find_link_key_type(struct hci_dev *hdev,
+                                       bdaddr_t *bdaddr, u8 type)
+{
+       struct link_key *k;
+
+       list_for_each_entry(k, &hdev->link_keys, list)
+               if (k->type == type && bacmp(bdaddr, &k->bdaddr) == 0)
+                       return k;
+
+       return NULL;
+}
+EXPORT_SYMBOL(hci_find_link_key_type);
+
 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
                                bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
 {
@@ -1114,6 +1153,44 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
        return 0;
 }
 
+int hci_add_ltk(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
+                       u8 key_size, __le16 ediv, u8 rand[8], u8 ltk[16])
+{
+       struct link_key *key, *old_key;
+       struct key_master_id *id;
+       u8 old_key_type;
+
+       BT_DBG("%s addr %s", hdev->name, batostr(bdaddr));
+
+       old_key = hci_find_link_key_type(hdev, bdaddr, HCI_LK_SMP_LTK);
+       if (old_key) {
+               key = old_key;
+               old_key_type = old_key->type;
+       } else {
+               key = kzalloc(sizeof(*key) + sizeof(*id), GFP_ATOMIC);
+               if (!key)
+                       return -ENOMEM;
+               list_add(&key->list, &hdev->link_keys);
+               old_key_type = 0xff;
+       }
+
+       key->dlen = sizeof(*id);
+
+       bacpy(&key->bdaddr, bdaddr);
+       memcpy(key->val, ltk, sizeof(key->val));
+       key->type = HCI_LK_SMP_LTK;
+       key->pin_len = key_size;
+
+       id = (void *) &key->data;
+       id->ediv = ediv;
+       memcpy(id->rand, rand, sizeof(id->rand));
+
+       if (new_key)
+               mgmt_new_key(hdev->id, key, old_key_type);
+
+       return 0;
+}
+
 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
 {
        struct link_key *key;
@@ -1137,7 +1214,6 @@ static void hci_cmd_timer(unsigned long arg)
 
        BT_ERR("%s command tx timeout", hdev->name);
        atomic_set(&hdev->cmd_cnt, 1);
-       clear_bit(HCI_RESET, &hdev->flags);
        tasklet_schedule(&hdev->cmd_task);
 }
 
@@ -1242,8 +1318,6 @@ int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
 {
        struct bdaddr_list *entry;
 
-       hci_dev_lock(hdev);
-
        if (bacmp(bdaddr, BDADDR_ANY) == 0)
                return -EBADF;
 
@@ -1258,30 +1332,26 @@ int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
 
        list_add(&entry->list, &hdev->blacklist);
 
-       hci_dev_unlock(hdev);
-
-       return 0;
+       return mgmt_device_blocked(hdev->id, bdaddr);
 }
 
 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
 {
        struct bdaddr_list *entry;
 
-       hci_dev_lock(hdev);
-
-       if (bacmp(bdaddr, BDADDR_ANY) == 0)
+       if (bacmp(bdaddr, BDADDR_ANY) == 0) {
                return hci_blacklist_clear(hdev);
+       }
 
        entry = hci_blacklist_lookup(hdev, bdaddr);
-       if (!entry)
+       if (!entry) {
                return -ENOENT;
+       }
 
        list_del(&entry->list);
        kfree(entry);
 
-       hci_dev_unlock(hdev);
-
-       return 0;
+       return mgmt_device_unblocked(hdev->id, bdaddr);
 }
 
 static void hci_clear_adv_cache(unsigned long arg)
@@ -1356,14 +1426,6 @@ int hci_add_adv_entry(struct hci_dev *hdev,
        return 0;
 }
 
-static struct crypto_blkcipher *alloc_cypher(void)
-{
-       if (enable_smp)
-               return crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
-
-       return ERR_PTR(-ENOTSUPP);
-}
-
 /* Register HCI device */
 int hci_register_dev(struct hci_dev *hdev)
 {
@@ -1448,11 +1510,6 @@ int hci_register_dev(struct hci_dev *hdev)
        if (!hdev->workqueue)
                goto nomem;
 
-       hdev->tfm = alloc_cypher();
-       if (IS_ERR(hdev->tfm))
-               BT_INFO("Failed to load transform for ecb(aes): %ld",
-                                                       PTR_ERR(hdev->tfm));
-
        hci_register_sysfs(hdev);
 
        hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
@@ -1488,6 +1545,8 @@ int hci_unregister_dev(struct hci_dev *hdev)
 
        BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
 
+       set_bit(HCI_UNREGISTER, &hdev->flags);
+
        write_lock_bh(&hci_dev_list_lock);
        list_del(&hdev->list);
        write_unlock_bh(&hci_dev_list_lock);
@@ -1501,9 +1560,6 @@ int hci_unregister_dev(struct hci_dev *hdev)
                                        !test_bit(HCI_SETUP, &hdev->flags))
                mgmt_index_removed(hdev->id);
 
-       if (!IS_ERR(hdev->tfm))
-               crypto_free_blkcipher(hdev->tfm);
-
        hci_notify(hdev, HCI_DEV_UNREG);
 
        if (hdev->rfkill) {
@@ -1695,7 +1751,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
 
                data += (count - rem);
                count = rem;
-       };
+       }
 
        return rem;
 }
@@ -1730,7 +1786,7 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
 
                data += (count - rem);
                count = rem;
-       };
+       }
 
        return rem;
 }
@@ -1999,6 +2055,9 @@ static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int
                        min  = c->sent;
                        conn = c;
                }
+
+               if (hci_conn_num(hdev, type) == num)
+                       break;
        }
 
        if (conn) {
@@ -2056,6 +2115,9 @@ static inline void hci_sched_acl(struct hci_dev *hdev)
 
        BT_DBG("%s", hdev->name);
 
+       if (!hci_conn_num(hdev, ACL_LINK))
+               return;
+
        if (!test_bit(HCI_RAW, &hdev->flags)) {
                /* ACL tx timeout must be longer than maximum
                 * link supervision timeout (40.9 seconds) */
@@ -2087,6 +2149,9 @@ static inline void hci_sched_sco(struct hci_dev *hdev)
 
        BT_DBG("%s", hdev->name);
 
+       if (!hci_conn_num(hdev, SCO_LINK))
+               return;
+
        while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
                while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
                        BT_DBG("skb %p len %d", skb, skb->len);
@@ -2107,6 +2172,9 @@ static inline void hci_sched_esco(struct hci_dev *hdev)
 
        BT_DBG("%s", hdev->name);
 
+       if (!hci_conn_num(hdev, ESCO_LINK))
+               return;
+
        while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK, &quote))) {
                while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
                        BT_DBG("skb %p len %d", skb, skb->len);
@@ -2127,6 +2195,9 @@ static inline void hci_sched_le(struct hci_dev *hdev)
 
        BT_DBG("%s", hdev->name);
 
+       if (!hci_conn_num(hdev, LE_LINK))
+               return;
+
        if (!test_bit(HCI_RAW, &hdev->flags)) {
                /* LE tx timeout must be longer than maximum
                 * link supervision timeout (40.9 seconds) */
@@ -2332,7 +2403,10 @@ static void hci_cmd_task(unsigned long arg)
                if (hdev->sent_cmd) {
                        atomic_dec(&hdev->cmd_cnt);
                        hci_send_frame(skb);
-                       mod_timer(&hdev->cmd_timer,
+                       if (test_bit(HCI_RESET, &hdev->flags))
+                               del_timer(&hdev->cmd_timer);
+                       else
+                               mod_timer(&hdev->cmd_timer,
                                  jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
                } else {
                        skb_queue_head(&hdev->cmd_q, skb);
@@ -2340,6 +2414,3 @@ static void hci_cmd_task(unsigned long arg)
                }
        }
 }
-
-module_param(enable_smp, bool, 0644);
-MODULE_PARM_DESC(enable_smp, "Enable SMP support (LE only)");