Hi Andrei,
> Due to race condition in L2CAP state machine L2CAP Connection Request
> may be sent twice for SDP with the same source channel id. Problems
> reported connecting to Apple products, some carkit, Blackberry phones.
>
> ...
> 2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12
> L2CAP(s): Connect req: psm 1 scid 0x0040
> 2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5
> handle 1 packets 1
> 2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3
> status 0x00 handle 1
> 2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12
> L2CAP(s): Connect req: psm 1 scid 0x0040
> ...
>
> Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection
> Request has been sent.
patch in general looks fine, but I do have some comments.
> diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
> index bb00015..7f82f7b 100644
> --- a/net/bluetooth/l2cap.c
> +++ b/net/bluetooth/l2cap.c
> @@ -409,13 +409,16 @@ static void l2cap_do_start(struct sock *sk)
> if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
> return;
>
> - if (l2cap_check_security(sk)) {
> + if (l2cap_check_security(sk) &&
> + !(l2cap_pi(sk)->conf_state &
> + L2CAP_CONF_CONNECT_PEND)) {
I think having some l2cap_check_pending() would be a good idea. This
high indentation is not easy to read.
> struct l2cap_conn_req req;
> req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
> req.psm = l2cap_pi(sk)->psm;
>
> l2cap_pi(sk)->ident = l2cap_get_ident(conn);
>
> + l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
> l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
> L2CAP_CONN_REQ, sizeof(req), &req);
If we look at the other cases we have done this, then either have an
empty line between these two commands. Or remove the other empty line.
> }
> @@ -464,13 +467,16 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
> }
>
> if (sk->sk_state == BT_CONNECT) {
> - if (l2cap_check_security(sk)) {
> + if (l2cap_check_security(sk) &&
> + !(l2cap_pi(sk)->conf_state &
> + L2CAP_CONF_CONNECT_PEND)) {
See above.
> struct l2cap_conn_req req;
> req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
> req.psm = l2cap_pi(sk)->psm;
>
> l2cap_pi(sk)->ident = l2cap_get_ident(conn);
>
> + l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
> l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
> L2CAP_CONN_REQ, sizeof(req), &req);
See above.
> }
> @@ -4407,6 +4413,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
>
> l2cap_pi(sk)->ident = l2cap_get_ident(conn);
>
> + l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
> l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
> L2CAP_CONN_REQ, sizeof(req), &req);
> } else {
See above.
Regards
Marcel
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
