--- /dev/null
+From 5981a8821b774ada0be512fd9bad7c241e17657e Mon Sep 17 00:00:00 2001
+From: Claudio Takahasi <claudio.takahasi@openbossa.org>
+Date: Thu, 25 Jul 2013 16:34:24 -0300
+Subject: Bluetooth: Fix removing Long Term Key
+
+From: Claudio Takahasi <claudio.takahasi@openbossa.org>
+
+commit 5981a8821b774ada0be512fd9bad7c241e17657e upstream.
+
+This patch fixes authentication failure on LE link re-connection when
+BlueZ acts as slave (peripheral). LTK is removed from the internal list
+after its first use causing PIN or Key missing reply when re-connecting
+the link. The LE Long Term Key Request event indicates that the master
+is attempting to encrypt or re-encrypt the link.
+
+Pre-condition: BlueZ host paired and running as slave.
+How to reproduce(master):
+
+ 1) Establish an ACL LE encrypted link
+ 2) Disconnect the link
+ 3) Try to re-establish the ACL LE encrypted link (fails)
+
+> HCI Event: LE Meta Event (0x3e) plen 19
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 64
+ Role: Slave (0x01)
+...
+@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000
+> HCI Event: LE Meta Event (0x3e) plen 13
+ LE Long Term Key Request (0x05)
+ Handle: 64
+ Random number: 875be18439d9aa37
+ Encryption diversifier: 0x76ed
+< HCI Command: LE Long Term Key Request Reply (0x08|0x001a) plen 18
+ Handle: 64
+ Long term key: 2aa531db2fce9f00a0569c7d23d17409
+> HCI Event: Command Complete (0x0e) plen 6
+ LE Long Term Key Request Reply (0x08|0x001a) ncmd 1
+ Status: Success (0x00)
+ Handle: 64
+> HCI Event: Encryption Change (0x08) plen 4
+ Status: Success (0x00)
+ Handle: 64
+ Encryption: Enabled with AES-CCM (0x01)
+...
+@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 3
+< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1
+ Advertising: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4
+ LE Set Advertise Enable (0x08|0x000a) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 19
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 64
+ Role: Slave (0x01)
+...
+@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000
+> HCI Event: LE Meta Event (0x3e) plen 13
+ LE Long Term Key Request (0x05)
+ Handle: 64
+ Random number: 875be18439d9aa37
+ Encryption diversifier: 0x76ed
+< HCI Command: LE Long Term Key Request Neg Reply (0x08|0x001b) plen 2
+ Handle: 64
+> HCI Event: Command Complete (0x0e) plen 6
+ LE Long Term Key Request Neg Reply (0x08|0x001b) ncmd 1
+ Status: Success (0x00)
+ Handle: 64
+> HCI Event: Disconnect Complete (0x05) plen 4
+ Status: Success (0x00)
+ Handle: 64
+ Reason: Authentication Failure (0x05)
+@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 0
+
+Signed-off-by: Claudio Takahasi <claudio.takahasi@openbossa.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3383,7 +3383,13 @@ static inline void hci_le_ltk_request_ev
+
+ hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
+
+- if (ltk->type & HCI_SMP_STK) {
++ /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
++ * temporary key used to encrypt a connection following
++ * pairing. It is used during the Encrypted Session Setup to
++ * distribute the keys. Later, security can be re-established
++ * using a distributed LTK.
++ */
++ if (ltk->type == HCI_SMP_STK_SLAVE) {
+ list_del(<k->list);
+ kfree(ltk);
+ }
--- /dev/null
+From a94cdd1f4d30f12904ab528152731fb13a812a16 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 14 Apr 2014 09:46:50 -0500
+Subject: Char: ipmi_bt_sm, fix infinite loop
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit a94cdd1f4d30f12904ab528152731fb13a812a16 upstream.
+
+In read_all_bytes, we do
+
+ unsigned char i;
+ ...
+ bt->read_data[0] = BMC2HOST;
+ bt->read_count = bt->read_data[0];
+ ...
+ for (i = 1; i <= bt->read_count; i++)
+ bt->read_data[i] = BMC2HOST;
+
+If bt->read_data[0] == bt->read_count == 255, we loop infinitely in the
+'for' loop. Make 'i' an 'int' instead of 'char' to get rid of the
+overflow and finish the loop after 255 iterations every time.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Reported-and-debugged-by: Rui Hui Dian <rhdian@novell.com>
+Cc: Tomas Cech <tcech@suse.cz>
+Cc: Corey Minyard <minyard@acm.org>
+Cc: <openipmi-developer@lists.sourceforge.net>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -352,7 +352,7 @@ static inline void write_all_bytes(struc
+
+ static inline int read_all_bytes(struct si_sm_data *bt)
+ {
+- unsigned char i;
++ unsigned int i;
+
+ /*
+ * length is "framing info", minimum = 4: NetFn, Seq, Cmd, cCode.
projects / thirdparty / kernel / stable-queue.git / commitdiff
