From: Greg Kroah-Hartman Date: Sun, 20 Apr 2014 20:03:23 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.13.11~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f8c2615cf6ae31dbf3d633abd258211d0071d44a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: bluetooth-fix-removing-long-term-key.patch char-ipmi_bt_sm-fix-infinite-loop.patch --- diff --git a/queue-3.4/bluetooth-fix-removing-long-term-key.patch b/queue-3.4/bluetooth-fix-removing-long-term-key.patch new file mode 100644 index 00000000000..e0845e08479 --- /dev/null +++ b/queue-3.4/bluetooth-fix-removing-long-term-key.patch @@ -0,0 +1,101 @@ +From 5981a8821b774ada0be512fd9bad7c241e17657e Mon Sep 17 00:00:00 2001 +From: Claudio Takahasi +Date: Thu, 25 Jul 2013 16:34:24 -0300 +Subject: Bluetooth: Fix removing Long Term Key + +From: Claudio Takahasi + +commit 5981a8821b774ada0be512fd9bad7c241e17657e upstream. + +This patch fixes authentication failure on LE link re-connection when +BlueZ acts as slave (peripheral). LTK is removed from the internal list +after its first use causing PIN or Key missing reply when re-connecting +the link. The LE Long Term Key Request event indicates that the master +is attempting to encrypt or re-encrypt the link. + +Pre-condition: BlueZ host paired and running as slave. +How to reproduce(master): + + 1) Establish an ACL LE encrypted link + 2) Disconnect the link + 3) Try to re-establish the ACL LE encrypted link (fails) + +> HCI Event: LE Meta Event (0x3e) plen 19 + LE Connection Complete (0x01) + Status: Success (0x00) + Handle: 64 + Role: Slave (0x01) +... +@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000 +> HCI Event: LE Meta Event (0x3e) plen 13 + LE Long Term Key Request (0x05) + Handle: 64 + Random number: 875be18439d9aa37 + Encryption diversifier: 0x76ed +< HCI Command: LE Long Term Key Request Reply (0x08|0x001a) plen 18 + Handle: 64 + Long term key: 2aa531db2fce9f00a0569c7d23d17409 +> HCI Event: Command Complete (0x0e) plen 6 + LE Long Term Key Request Reply (0x08|0x001a) ncmd 1 + Status: Success (0x00) + Handle: 64 +> HCI Event: Encryption Change (0x08) plen 4 + Status: Success (0x00) + Handle: 64 + Encryption: Enabled with AES-CCM (0x01) +... +@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 3 +< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1 + Advertising: Enabled (0x01) +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Advertise Enable (0x08|0x000a) ncmd 1 + Status: Success (0x00) +> HCI Event: LE Meta Event (0x3e) plen 19 + LE Connection Complete (0x01) + Status: Success (0x00) + Handle: 64 + Role: Slave (0x01) +... +@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000 +> HCI Event: LE Meta Event (0x3e) plen 13 + LE Long Term Key Request (0x05) + Handle: 64 + Random number: 875be18439d9aa37 + Encryption diversifier: 0x76ed +< HCI Command: LE Long Term Key Request Neg Reply (0x08|0x001b) plen 2 + Handle: 64 +> HCI Event: Command Complete (0x0e) plen 6 + LE Long Term Key Request Neg Reply (0x08|0x001b) ncmd 1 + Status: Success (0x00) + Handle: 64 +> HCI Event: Disconnect Complete (0x05) plen 4 + Status: Success (0x00) + Handle: 64 + Reason: Authentication Failure (0x05) +@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 0 + +Signed-off-by: Claudio Takahasi +Signed-off-by: Johan Hedberg +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3383,7 +3383,13 @@ static inline void hci_le_ltk_request_ev + + hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); + +- if (ltk->type & HCI_SMP_STK) { ++ /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a ++ * temporary key used to encrypt a connection following ++ * pairing. It is used during the Encrypted Session Setup to ++ * distribute the keys. Later, security can be re-established ++ * using a distributed LTK. ++ */ ++ if (ltk->type == HCI_SMP_STK_SLAVE) { + list_del(<k->list); + kfree(ltk); + } diff --git a/queue-3.4/char-ipmi_bt_sm-fix-infinite-loop.patch b/queue-3.4/char-ipmi_bt_sm-fix-infinite-loop.patch new file mode 100644 index 00000000000..d8aea543745 --- /dev/null +++ b/queue-3.4/char-ipmi_bt_sm-fix-infinite-loop.patch @@ -0,0 +1,47 @@ +From a94cdd1f4d30f12904ab528152731fb13a812a16 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 14 Apr 2014 09:46:50 -0500 +Subject: Char: ipmi_bt_sm, fix infinite loop + +From: Jiri Slaby + +commit a94cdd1f4d30f12904ab528152731fb13a812a16 upstream. + +In read_all_bytes, we do + + unsigned char i; + ... + bt->read_data[0] = BMC2HOST; + bt->read_count = bt->read_data[0]; + ... + for (i = 1; i <= bt->read_count; i++) + bt->read_data[i] = BMC2HOST; + +If bt->read_data[0] == bt->read_count == 255, we loop infinitely in the +'for' loop. Make 'i' an 'int' instead of 'char' to get rid of the +overflow and finish the loop after 255 iterations every time. + +Signed-off-by: Jiri Slaby +Reported-and-debugged-by: Rui Hui Dian +Cc: Tomas Cech +Cc: Corey Minyard +Cc: +Signed-off-by: Corey Minyard +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_bt_sm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_bt_sm.c ++++ b/drivers/char/ipmi/ipmi_bt_sm.c +@@ -352,7 +352,7 @@ static inline void write_all_bytes(struc + + static inline int read_all_bytes(struct si_sm_data *bt) + { +- unsigned char i; ++ unsigned int i; + + /* + * length is "framing info", minimum = 4: NetFn, Seq, Cmd, cCode. diff --git a/queue-3.4/series b/queue-3.4/series index 97719f80cea..7f2cd6a26f2 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -18,3 +18,5 @@ sparc-pci-fix-incorrect-address-calculation-of-pci-bridge-windows-on-simba-bridg revert-sparc64-fix-__copy_-to-from-_user_inatomic-defines.patch sparc32-fix-build-failure-for-arch_jump_label_transform.patch sparc64-don-t-treat-64-bit-syscall-return-codes-as-32-bit.patch +char-ipmi_bt_sm-fix-infinite-loop.patch +bluetooth-fix-removing-long-term-key.patch