From: Archie Pusaka <apusaka@google.com>
To: linux-bluetooth <linux-bluetooth@vger.kernel.org>,
Marcel Holtmann <marcel@holtmann.org>
Cc: chromeos-bluetooth-upstreaming
<chromeos-bluetooth-upstreaming@chromium.org>,
Archie Pusaka <apusaka@chromium.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [RFC PATCH v1 0/2] handle USB endpoint race condition
Date: Sat, 27 Jun 2020 18:54:35 +0800 [thread overview]
Message-ID: <20200627105437.453053-1-apusaka@google.com> (raw)
From: Archie Pusaka <apusaka@chromium.org>
On platforms with USB transport, events and data are transferred via
different endpoints. This could potentially cause ordering problems,
where the order of processed information is different than the actual
order.
One such a case is we receive a ACL packet before receiving the
connect complete event. This could be frequently observed on ChromeOS
auto test setup.
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #6 [hci0] 9.314240
L2CAP: Connection Request (0x02) ident 1 len 4
PSM: 1 (0x0001)
Source CID: 1536
> HCI Event: Connect Complete (0x03) plen 11 #7 [hci0] 9.333236
Status: Success (0x00)
Handle: 256
Address: 70:BF:92:CF:95:B7 (OUI 70-BF-92)
Link type: ACL (0x01)
Encryption: Disabled (0x00)
If this happens, we will simply discard the ACL packet, since no
corresponding handle is registered yet. The situation where the ACL
packet is not replied by us is handled differently by each peripheral:
some will resend the ACL packet (which will be successful, since the
handle can be found now), but some will get upset and disconnect.
To prevent this from happening, we propose to introduce a queue. So,
instead of discarding those packets without handle, we put them in a
queue. Then, we will process this queue when we receive a connect
completion event for the matching handle. The queued packets will be
cleared if after 2 seconds we still don't receive the corresponding
connect complete event.
Similarly, there is a chance that the incoming L2CAP connection
request comes before HCI encryption change event. When this happens,
the incoming connection will be refused.
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #46 [hci0] 9.275297
L2CAP: Connection Request (0x02) ident 4 len 4
PSM: 3 (0x0003)
Source CID: 256
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #47 [hci0] 9.275393
L2CAP: Connection Response (0x03) ident 4 len 8
Destination CID: 0
Source CID: 256
Result: Connection refused - security block (0x0003)
Status: No further information available (0x0000)
> HCI Event: Encryption Change (0x08) plen 4 #51 [hci0] 9.314109
Status: Success (0x00)
Handle: 256
Encryption: Enabled with E0 (0x01)
We propose to handle this case with a similar solution: queuing the
L2CAP connection request until we receive HCI encryption change.
The proposed patch is tested with a special Intel firmware which
allows us to purposely delay the "connect complete" event.
We plan to merge this change to ChromeOS auto test setup to see
whether this could fix the problem there, but we also would like
to have your input on this in the meantime.
Thanks,
Archie
Archie Pusaka (2):
Bluetooth: queue ACL packets if no handle is found
Bluetooth: queue L2CAP conn req if encryption is needed
include/net/bluetooth/bluetooth.h | 6 +++
include/net/bluetooth/hci_core.h | 8 +++
include/net/bluetooth/l2cap.h | 6 +++
net/bluetooth/hci_core.c | 84 ++++++++++++++++++++++++++---
net/bluetooth/hci_event.c | 5 ++
net/bluetooth/l2cap_core.c | 87 +++++++++++++++++++++++++++----
6 files changed, 179 insertions(+), 17 deletions(-)
--
2.27.0.212.ge8ba1cc988-goog
next reply other threads:[~2020-06-27 10:55 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-27 10:54 Archie Pusaka [this message]
2020-06-27 10:54 ` [RFC PATCH v1 1/2] Bluetooth: queue ACL packets if no handle is found Archie Pusaka
2020-06-29 6:40 ` Marcel Holtmann
2020-06-30 6:48 ` Archie Pusaka
2020-06-30 6:54 ` Marcel Holtmann
[not found] ` <CALWDO_Vrn_pXMbkXifKFazha7BYPqLpCthqHOb9ZmVE3wDRMfA@mail.gmail.com>
2020-07-15 14:07 ` Alain Michaud
2020-07-15 15:25 ` Luiz Augusto von Dentz
2020-07-17 6:51 ` Marcel Holtmann
2020-07-17 13:17 ` Alain Michaud
2020-06-27 10:54 ` [RFC PATCH v1 2/2] Bluetooth: queue L2CAP conn req if encryption is needed Archie Pusaka
2020-06-29 6:49 ` Marcel Holtmann
2020-06-29 19:42 ` Luiz Augusto von Dentz
2020-06-29 20:20 ` Marcel Holtmann
2020-06-29 22:44 ` Luiz Augusto von Dentz
2020-06-30 6:48 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200627105437.453053-1-apusaka@google.com \
--to=apusaka@google.com \
--cc=apusaka@chromium.org \
--cc=chromeos-bluetooth-upstreaming@chromium.org \
--cc=davem@davemloft.net \
--cc=johan.hedberg@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).