summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-12-09 18:12:03 -0500
committerDavid S. Miller <davem@davemloft.net>2014-12-09 18:12:03 -0500
commitb5f185f33d0432cef6ff78765e033dfa8f4de068 (patch)
tree33179c016b8fc3b4d57ed7a7786079ba00b6ef4a /net
parent450fa21942fe2c37f0c9f52d1a33bbc081eee288 (diff)
parent81c412600f946fc1c8731685cb6c6fae8002043a (diff)
Merge tag 'master-2014-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next
John W. Linville says: ==================== pull request: wireless-next 2014-12-08 Please pull this last batch of pending wireless updates for the 3.19 tree... For the wireless bits, Johannes says: "This time I have Felix's no-status rate control work, which will allow drivers to work better with rate control even if they don't have perfect status reporting. In addition to this, a small hwsim fix from Patrik, one of the regulatory patches from Arik, and a number of cleanups and fixes I did myself. Of note is a patch where I disable CFG80211_WEXT so that compatibility is no longer selectable - this is intended as a wake-up call for anyone who's still using it, and is still easily worked around (it's a one-line patch) before we fully remove the code as well in the future." For the Bluetooth bits, Johan says: "Here's one more bluetooth-next pull request for 3.19: - Minor cleanups for ieee802154 & mac802154 - Fix for the kernel warning with !TASK_RUNNING reported by Kirill A. Shutemov - Support for another ath3k device - Fix for tracking link key based security level - Device tree bindings for btmrvl + a state update fix - Fix for wrong ACL flags on LE links" And... "In addition to the previous one this contains two more cleanups to mac802154 as well as support for some new HCI features from the Bluetooth 4.2 specification. From the original request: 'Here's what should be the last bluetooth-next pull request for 3.19. It's rather large but the majority of it is the Low Energy Secure Connections feature that's part of the Bluetooth 4.2 specification. The specification went public only this week so we couldn't publish the corresponding code before that. The code itself can nevertheless be considered fairly mature as it's been in development for over 6 months and gone through several interoperability test events. Besides LE SC the pull request contains an important fix for command complete events for mgmt sockets which also fixes some leaks of hci_conn objects when powering off or unplugging Bluetooth adapters. A smaller feature that's part of the pull request is service discovery support. This is like normal device discovery except that devices not matching specific UUIDs or strong enough RSSI are filtered out. Other changes that the pull request contains are firmware dump support to the btmrvl driver, firmware download support for Broadcom BCM20702A0 variants, as well as some coding style cleanups in 6lowpan & ieee802154/mac802154 code.'" For the NFC bits, Samuel says: "With this one we get: - NFC digital improvements for DEP support: Chaining, NACK and ATN support added. - NCI improvements: Support for p2p target, SE IO operand addition, SE operands extensions to support proprietary implementations, and a few fixes. - NFC HCI improvements: OPEN_PIPE and NOTIFY_ALL_CLEARED support, and SE IO operand addition. - A bunch of minor improvements and fixes for STMicro st21nfcb and st21nfca" For the iwlwifi bits, Emmanuel says: "Major works are CSA and TDLS. On top of that I have a new firmware API for scan and a few rate control improvements. Johannes find a few tricks to improve our CPU utilization and adds support for a new spin of 7265 called 7265D. Along with this a few random things that don't stand out." And... "I deprecate here -8.ucode since -9 has been published long ago. Along with that I have a new activity, we have now better a infrastructure for firmware debugging. This will allow to have configurable probes insides the firmware. Luca continues his work on NetDetect, this feature is now complete. All the rest is minor fixes here and there." For the Atheros bits, Kalle says: "Only ath10k changes this time and no major changes. Most visible are: o new debugfs interface for runtime firmware debugging (Yanbo) o fix shared WEP (Sujith) o don't rebuild whenever kernel version changes (Johannes) o lots of refactoring to make it easier to add new hw support (Michal) There's also smaller fixes and improvements with no point of listing here." In addition, there are a few last minute updates to ath5k, ath9k, brcmfmac, brcmsmac, mwifiex, rt2x00, rtlwifi, and wil6210. Also included is a pull of the wireless tree to pick-up the fixes originally included in "pull request: wireless 2014-12-03"... Please let me know if there are problems! ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/6lowpan/iphc.c3
-rw-r--r--net/bluetooth/Kconfig1
-rw-r--r--net/bluetooth/Makefile2
-rw-r--r--net/bluetooth/af_bluetooth.c2
-rw-r--r--net/bluetooth/ecc.c816
-rw-r--r--net/bluetooth/ecc.h54
-rw-r--r--net/bluetooth/hci_conn.c1
-rw-r--r--net/bluetooth/hci_core.c239
-rw-r--r--net/bluetooth/hci_event.c155
-rw-r--r--net/bluetooth/l2cap_core.c55
-rw-r--r--net/bluetooth/mgmt.c869
-rw-r--r--net/bluetooth/smp.c1543
-rw-r--r--net/bluetooth/smp.h51
-rw-r--r--net/ieee802154/6lowpan_rtnl.c3
-rw-r--r--net/ieee802154/af_ieee802154.c4
-rw-r--r--net/ieee802154/dgram.c1
-rw-r--r--net/ieee802154/netlink.c5
-rw-r--r--net/ieee802154/nl-mac.c16
-rw-r--r--net/ieee802154/nl-phy.c3
-rw-r--r--net/ieee802154/raw.c1
-rw-r--r--net/mac80211/chan.c23
-rw-r--r--net/mac80211/iface.c1
-rw-r--r--net/mac80211/mlme.c24
-rw-r--r--net/mac80211/rate.c3
-rw-r--r--net/mac80211/rate.h24
-rw-r--r--net/mac80211/rc80211_minstrel.c5
-rw-r--r--net/mac80211/rc80211_minstrel_ht.c15
-rw-r--r--net/mac80211/status.c113
-rw-r--r--net/mac80211/trace.h6
-rw-r--r--net/mac80211/tx.c2
-rw-r--r--net/mac80211/util.c11
-rw-r--r--net/mac802154/iface.c8
-rw-r--r--net/mac802154/llsec.c19
-rw-r--r--net/mac802154/mib.c6
-rw-r--r--net/mac802154/rx.c3
-rw-r--r--net/nfc/digital_dep.c834
-rw-r--r--net/nfc/hci/command.c3
-rw-r--r--net/nfc/hci/core.c56
-rw-r--r--net/nfc/llcp_commands.c6
-rw-r--r--net/nfc/llcp_core.c5
-rw-r--r--net/nfc/llcp_sock.c6
-rw-r--r--net/nfc/nci/core.c150
-rw-r--r--net/nfc/nci/data.c24
-rw-r--r--net/nfc/nci/ntf.c152
-rw-r--r--net/nfc/netlink.c77
-rw-r--r--net/wireless/Kconfig2
-rw-r--r--net/wireless/core.c14
-rw-r--r--net/wireless/nl80211.c260
-rw-r--r--net/wireless/reg.c107
49 files changed, 4823 insertions, 960 deletions
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index aced97db62f0..32ffec6ef164 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -15,9 +15,6 @@
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details. 16 * GNU General Public License for more details.
17 * 17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */ 18 */
22 19
23/* Jon's code is based on 6lowpan implementation for Contiki which is: 20/* Jon's code is based on 6lowpan implementation for Contiki which is:
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 5e97a8ff850b..29bcafc41adf 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -10,6 +10,7 @@ menuconfig BT
10 select CRYPTO 10 select CRYPTO
11 select CRYPTO_BLKCIPHER 11 select CRYPTO_BLKCIPHER
12 select CRYPTO_AES 12 select CRYPTO_AES
13 select CRYPTO_CMAC
13 select CRYPTO_ECB 14 select CRYPTO_ECB
14 select CRYPTO_SHA256 15 select CRYPTO_SHA256
15 help 16 help
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 886e9aa3ecf1..a5432a6a0ae6 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -13,6 +13,6 @@ bluetooth_6lowpan-y := 6lowpan.o
13 13
14bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \ 14bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \
15 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o \ 15 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o \
16 a2mp.o amp.o 16 a2mp.o amp.o ecc.o
17 17
18subdir-ccflags-y += -D__CHECK_ENDIAN__ 18subdir-ccflags-y += -D__CHECK_ENDIAN__
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 0a7cc565f93e..012e3b03589d 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -31,7 +31,7 @@
31#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/bluetooth.h>
32#include <linux/proc_fs.h> 32#include <linux/proc_fs.h>
33 33
34#define VERSION "2.19" 34#define VERSION "2.20"
35 35
36/* Bluetooth sockets */ 36/* Bluetooth sockets */
37#define BT_MAX_PROTO 8 37#define BT_MAX_PROTO 8
diff --git a/net/bluetooth/ecc.c b/net/bluetooth/ecc.c
new file mode 100644
index 000000000000..e1709f8467ac
--- /dev/null
+++ b/net/bluetooth/ecc.c
@@ -0,0 +1,816 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <linux/random.h>
28
29#include "ecc.h"
30
31/* 256-bit curve */
32#define ECC_BYTES 32
33
34#define MAX_TRIES 16
35
36/* Number of u64's needed */
37#define NUM_ECC_DIGITS (ECC_BYTES / 8)
38
39struct ecc_point {
40 u64 x[NUM_ECC_DIGITS];
41 u64 y[NUM_ECC_DIGITS];
42};
43
44typedef struct {
45 u64 m_low;
46 u64 m_high;
47} uint128_t;
48
49#define CURVE_P_32 { 0xFFFFFFFFFFFFFFFFull, 0x00000000FFFFFFFFull, \
50 0x0000000000000000ull, 0xFFFFFFFF00000001ull }
51
52#define CURVE_G_32 { \
53 { 0xF4A13945D898C296ull, 0x77037D812DEB33A0ull, \
54 0xF8BCE6E563A440F2ull, 0x6B17D1F2E12C4247ull }, \
55 { 0xCBB6406837BF51F5ull, 0x2BCE33576B315ECEull, \
56 0x8EE7EB4A7C0F9E16ull, 0x4FE342E2FE1A7F9Bull } \
57}
58
59#define CURVE_N_32 { 0xF3B9CAC2FC632551ull, 0xBCE6FAADA7179E84ull, \
60 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFF00000000ull }
61
62static u64 curve_p[NUM_ECC_DIGITS] = CURVE_P_32;
63static struct ecc_point curve_g = CURVE_G_32;
64static u64 curve_n[NUM_ECC_DIGITS] = CURVE_N_32;
65
66static void vli_clear(u64 *vli)
67{
68 int i;
69
70 for (i = 0; i < NUM_ECC_DIGITS; i++)
71 vli[i] = 0;
72}
73
74/* Returns true if vli == 0, false otherwise. */
75static bool vli_is_zero(const u64 *vli)
76{
77 int i;
78
79 for (i = 0; i < NUM_ECC_DIGITS; i++) {
80 if (vli[i])
81 return false;
82 }
83
84 return true;
85}
86
87/* Returns nonzero if bit bit of vli is set. */
88static u64 vli_test_bit(const u64 *vli, unsigned int bit)
89{
90 return (vli[bit / 64] & ((u64) 1 << (bit % 64)));
91}
92
93/* Counts the number of 64-bit "digits" in vli. */
94static unsigned int vli_num_digits(const u64 *vli)
95{
96 int i;
97
98 /* Search from the end until we find a non-zero digit.
99 * We do it in reverse because we expect that most digits will
100 * be nonzero.
101 */
102 for (i = NUM_ECC_DIGITS - 1; i >= 0 && vli[i] == 0; i--);
103
104 return (i + 1);
105}
106
107/* Counts the number of bits required for vli. */
108static unsigned int vli_num_bits(const u64 *vli)
109{
110 unsigned int i, num_digits;
111 u64 digit;
112
113 num_digits = vli_num_digits(vli);
114 if (num_digits == 0)
115 return 0;
116
117 digit = vli[num_digits - 1];
118 for (i = 0; digit; i++)
119 digit >>= 1;
120
121 return ((num_digits - 1) * 64 + i);
122}
123
124/* Sets dest = src. */
125static void vli_set(u64 *dest, const u64 *src)
126{
127 int i;
128
129 for (i = 0; i < NUM_ECC_DIGITS; i++)
130 dest[i] = src[i];
131}
132
133/* Returns sign of left - right. */
134static int vli_cmp(const u64 *left, const u64 *right)
135{
136 int i;
137
138 for (i = NUM_ECC_DIGITS - 1; i >= 0; i--) {
139 if (left[i] > right[i])
140 return 1;
141 else if (left[i] < right[i])
142 return -1;
143 }
144
145 return 0;
146}
147
148/* Computes result = in << c, returning carry. Can modify in place
149 * (if result == in). 0 < shift < 64.
150 */
151static u64 vli_lshift(u64 *result, const u64 *in,
152 unsigned int shift)
153{
154 u64 carry = 0;
155 int i;
156
157 for (i = 0; i < NUM_ECC_DIGITS; i++) {
158 u64 temp = in[i];
159
160 result[i] = (temp << shift) | carry;
161 carry = temp >> (64 - shift);
162 }
163
164 return carry;
165}
166
167/* Computes vli = vli >> 1. */
168static void vli_rshift1(u64 *vli)
169{
170 u64 *end = vli;
171 u64 carry = 0;
172
173 vli += NUM_ECC_DIGITS;
174
175 while (vli-- > end) {
176 u64 temp = *vli;
177 *vli = (temp >> 1) | carry;
178 carry = temp << 63;
179 }
180}
181
182/* Computes result = left + right, returning carry. Can modify in place. */
183static u64 vli_add(u64 *result, const u64 *left,
184 const u64 *right)
185{
186 u64 carry = 0;
187 int i;
188
189 for (i = 0; i < NUM_ECC_DIGITS; i++) {
190 u64 sum;
191
192 sum = left[i] + right[i] + carry;
193 if (sum != left[i])
194 carry = (sum < left[i]);
195
196 result[i] = sum;
197 }
198
199 return carry;
200}
201
202/* Computes result = left - right, returning borrow. Can modify in place. */
203static u64 vli_sub(u64 *result, const u64 *left, const u64 *right)
204{
205 u64 borrow = 0;
206 int i;
207
208 for (i = 0; i < NUM_ECC_DIGITS; i++) {
209 u64 diff;
210
211 diff = left[i] - right[i] - borrow;
212 if (diff != left[i])
213 borrow = (diff > left[i]);
214
215 result[i] = diff;
216 }
217
218 return borrow;
219}
220
221static uint128_t mul_64_64(u64 left, u64 right)
222{
223 u64 a0 = left & 0xffffffffull;
224 u64 a1 = left >> 32;
225 u64 b0 = right & 0xffffffffull;
226 u64 b1 = right >> 32;
227 u64 m0 = a0 * b0;
228 u64 m1 = a0 * b1;
229 u64 m2 = a1 * b0;
230 u64 m3 = a1 * b1;
231 uint128_t result;
232
233 m2 += (m0 >> 32);
234 m2 += m1;
235
236 /* Overflow */
237 if (m2 < m1)
238 m3 += 0x100000000ull;
239
240 result.m_low = (m0 & 0xffffffffull) | (m2 << 32);
241 result.m_high = m3 + (m2 >> 32);
242
243 return result;
244}
245
246static uint128_t add_128_128(uint128_t a, uint128_t b)
247{
248 uint128_t result;
249
250 result.m_low = a.m_low + b.m_low;
251 result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low);
252
253 return result;
254}
255
256static void vli_mult(u64 *result, const u64 *left, const u64 *right)
257{
258 uint128_t r01 = { 0, 0 };
259 u64 r2 = 0;
260 unsigned int i, k;
261
262 /* Compute each digit of result in sequence, maintaining the
263 * carries.
264 */
265 for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; k++) {
266 unsigned int min;
267
268 if (k < NUM_ECC_DIGITS)
269 min = 0;
270 else
271 min = (k + 1) - NUM_ECC_DIGITS;
272
273 for (i = min; i <= k && i < NUM_ECC_DIGITS; i++) {
274 uint128_t product;
275
276 product = mul_64_64(left[i], right[k - i]);
277
278 r01 = add_128_128(r01, product);
279 r2 += (r01.m_high < product.m_high);
280 }
281
282 result[k] = r01.m_low;
283 r01.m_low = r01.m_high;
284 r01.m_high = r2;
285 r2 = 0;
286 }
287
288 result[NUM_ECC_DIGITS * 2 - 1] = r01.m_low;
289}
290
291static void vli_square(u64 *result, const u64 *left)
292{
293 uint128_t r01 = { 0, 0 };
294 u64 r2 = 0;
295 int i, k;
296
297 for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; k++) {
298 unsigned int min;
299
300 if (k < NUM_ECC_DIGITS)
301 min = 0;
302 else
303 min = (k + 1) - NUM_ECC_DIGITS;
304
305 for (i = min; i <= k && i <= k - i; i++) {
306 uint128_t product;
307
308 product = mul_64_64(left[i], left[k - i]);
309
310 if (i < k - i) {
311 r2 += product.m_high >> 63;
312 product.m_high = (product.m_high << 1) |
313 (product.m_low >> 63);
314 product.m_low <<= 1;
315 }
316
317 r01 = add_128_128(r01, product);
318 r2 += (r01.m_high < product.m_high);
319 }
320
321 result[k] = r01.m_low;
322 r01.m_low = r01.m_high;
323 r01.m_high = r2;
324 r2 = 0;
325 }
326
327 result[NUM_ECC_DIGITS * 2 - 1] = r01.m_low;
328}
329
330/* Computes result = (left + right) % mod.
331 * Assumes that left < mod and right < mod, result != mod.
332 */
333static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
334 const u64 *mod)
335{
336 u64 carry;
337
338 carry = vli_add(result, left, right);
339
340 /* result > mod (result = mod + remainder), so subtract mod to
341 * get remainder.
342 */
343 if (carry || vli_cmp(result, mod) >= 0)
344 vli_sub(result, result, mod);
345}
346
347/* Computes result = (left - right) % mod.
348 * Assumes that left < mod and right < mod, result != mod.
349 */
350static void vli_mod_sub(u64 *result, const u64 *left, const u64 *right,
351 const u64 *mod)
352{
353 u64 borrow = vli_sub(result, left, right);
354
355 /* In this case, p_result == -diff == (max int) - diff.
356 * Since -x % d == d - x, we can get the correct result from
357 * result + mod (with overflow).
358 */
359 if (borrow)
360 vli_add(result, result, mod);
361}
362
363/* Computes result = product % curve_p
364 from http://www.nsa.gov/ia/_files/nist-routines.pdf */
365static void vli_mmod_fast(u64 *result, const u64 *product)
366{
367 u64 tmp[NUM_ECC_DIGITS];
368 int carry;
369
370 /* t */
371 vli_set(result, product);
372
373 /* s1 */
374 tmp[0] = 0;
375 tmp[1] = product[5] & 0xffffffff00000000ull;
376 tmp[2] = product[6];
377 tmp[3] = product[7];
378 carry = vli_lshift(tmp, tmp, 1);
379 carry += vli_add(result, result, tmp);
380
381 /* s2 */
382 tmp[1] = product[6] << 32;
383 tmp[2] = (product[6] >> 32) | (product[7] << 32);
384 tmp[3] = product[7] >> 32;
385 carry += vli_lshift(tmp, tmp, 1);
386 carry += vli_add(result, result, tmp);
387
388 /* s3 */
389 tmp[0] = product[4];
390 tmp[1] = product[5] & 0xffffffff;
391 tmp[2] = 0;
392 tmp[3] = product[7];
393 carry += vli_add(result, result, tmp);
394
395 /* s4 */
396 tmp[0] = (product[4] >> 32) | (product[5] << 32);
397 tmp[1] = (product[5] >> 32) | (product[6] & 0xffffffff00000000ull);
398 tmp[2] = product[7];
399 tmp[3] = (product[6] >> 32) | (product[4] << 32);
400 carry += vli_add(result, result, tmp);
401
402 /* d1 */
403 tmp[0] = (product[5] >> 32) | (product[6] << 32);
404 tmp[1] = (product[6] >> 32);
405 tmp[2] = 0;
406 tmp[3] = (product[4] & 0xffffffff) | (product[5] << 32);
407 carry -= vli_sub(result, result, tmp);
408
409 /* d2 */
410 tmp[0] = product[6];
411 tmp[1] = product[7];
412 tmp[2] = 0;
413 tmp[3] = (product[4] >> 32) | (product[5] & 0xffffffff00000000ull);
414 carry -= vli_sub(result, result, tmp);
415
416 /* d3 */
417 tmp[0] = (product[6] >> 32) | (product[7] << 32);
418 tmp[1] = (product[7] >> 32) | (product[4] << 32);
419 tmp[2] = (product[4] >> 32) | (product[5] << 32);
420 tmp[3] = (product[6] << 32);
421 carry -= vli_sub(result, result, tmp);
422
423 /* d4 */
424 tmp[0] = product[7];
425 tmp[1] = product[4] & 0xffffffff00000000ull;
426 tmp[2] = product[5];
427 tmp[3] = product[6] & 0xffffffff00000000ull;
428 carry -= vli_sub(result, result, tmp);
429
430 if (carry < 0) {
431 do {
432 carry += vli_add(result, result, curve_p);
433 } while (carry < 0);
434 } else {
435 while (carry || vli_cmp(curve_p, result) != 1)
436 carry -= vli_sub(result, result, curve_p);
437 }
438}
439
440/* Computes result = (left * right) % curve_p. */
441static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right)
442{
443 u64 product[2 * NUM_ECC_DIGITS];
444
445 vli_mult(product, left, right);
446 vli_mmod_fast(result, product);
447}
448
449/* Computes result = left^2 % curve_p. */
450static void vli_mod_square_fast(u64 *result, const u64 *left)
451{
452 u64 product[2 * NUM_ECC_DIGITS];
453
454 vli_square(product, left);
455 vli_mmod_fast(result, product);
456}
457
458#define EVEN(vli) (!(vli[0] & 1))
459/* Computes result = (1 / p_input) % mod. All VLIs are the same size.
460 * See "From Euclid's GCD to Montgomery Multiplication to the Great Divide"
461 * https://labs.oracle.com/techrep/2001/smli_tr-2001-95.pdf
462 */
463static void vli_mod_inv(u64 *result, const u64 *input, const u64 *mod)
464{
465 u64 a[NUM_ECC_DIGITS], b[NUM_ECC_DIGITS];
466 u64 u[NUM_ECC_DIGITS], v[NUM_ECC_DIGITS];
467 u64 carry;
468 int cmp_result;
469
470 if (vli_is_zero(input)) {
471 vli_clear(result);
472 return;
473 }
474
475 vli_set(a, input);
476 vli_set(b, mod);
477 vli_clear(u);
478 u[0] = 1;
479 vli_clear(v);
480
481 while ((cmp_result = vli_cmp(a, b)) != 0) {
482 carry = 0;
483
484 if (EVEN(a)) {
485 vli_rshift1(a);
486
487 if (!EVEN(u))
488 carry = vli_add(u, u, mod);
489
490 vli_rshift1(u);
491 if (carry)
492 u[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
493 } else if (EVEN(b)) {
494 vli_rshift1(b);
495
496 if (!EVEN(v))
497 carry = vli_add(v, v, mod);
498
499 vli_rshift1(v);
500 if (carry)
501 v[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
502 } else if (cmp_result > 0) {
503 vli_sub(a, a, b);
504 vli_rshift1(a);
505
506 if (vli_cmp(u, v) < 0)
507 vli_add(u, u, mod);
508
509 vli_sub(u, u, v);
510 if (!EVEN(u))
511 carry = vli_add(u, u, mod);
512
513 vli_rshift1(u);
514 if (carry)
515 u[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
516 } else {
517 vli_sub(b, b, a);
518 vli_rshift1(b);
519
520 if (vli_cmp(v, u) < 0)
521 vli_add(v, v, mod);
522
523 vli_sub(v, v, u);
524 if (!EVEN(v))
525 carry = vli_add(v, v, mod);
526
527 vli_rshift1(v);
528 if (carry)
529 v[NUM_ECC_DIGITS - 1] |= 0x8000000000000000ull;
530 }
531 }
532
533 vli_set(result, u);
534}
535
536/* ------ Point operations ------ */
537
538/* Returns true if p_point is the point at infinity, false otherwise. */
539static bool ecc_point_is_zero(const struct ecc_point *point)
540{
541 return (vli_is_zero(point->x) && vli_is_zero(point->y));
542}
543
544/* Point multiplication algorithm using Montgomery's ladder with co-Z
545 * coordinates. From http://eprint.iacr.org/2011/338.pdf
546 */
547
548/* Double in place */
549static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1)
550{
551 /* t1 = x, t2 = y, t3 = z */
552 u64 t4[NUM_ECC_DIGITS];
553 u64 t5[NUM_ECC_DIGITS];
554
555 if (vli_is_zero(z1))
556 return;
557
558 vli_mod_square_fast(t4, y1); /* t4 = y1^2 */
559 vli_mod_mult_fast(t5, x1, t4); /* t5 = x1*y1^2 = A */
560 vli_mod_square_fast(t4, t4); /* t4 = y1^4 */
561 vli_mod_mult_fast(y1, y1, z1); /* t2 = y1*z1 = z3 */
562 vli_mod_square_fast(z1, z1); /* t3 = z1^2 */
563
564 vli_mod_add(x1, x1, z1, curve_p); /* t1 = x1 + z1^2 */
565 vli_mod_add(z1, z1, z1, curve_p); /* t3 = 2*z1^2 */
566 vli_mod_sub(z1, x1, z1, curve_p); /* t3 = x1 - z1^2 */
567 vli_mod_mult_fast(x1, x1, z1); /* t1 = x1^2 - z1^4 */
568
569 vli_mod_add(z1, x1, x1, curve_p); /* t3 = 2*(x1^2 - z1^4) */
570 vli_mod_add(x1, x1, z1, curve_p); /* t1 = 3*(x1^2 - z1^4) */
571 if (vli_test_bit(x1, 0)) {
572 u64 carry = vli_add(x1, x1, curve_p);
573 vli_rshift1(x1);
574 x1[NUM_ECC_DIGITS - 1] |= carry << 63;
575 } else {
576 vli_rshift1(x1);
577 }
578 /* t1 = 3/2*(x1^2 - z1^4) = B */
579
580 vli_mod_square_fast(z1, x1); /* t3 = B^2 */
581 vli_mod_sub(z1, z1, t5, curve_p); /* t3 = B^2 - A */
582 vli_mod_sub(z1, z1, t5, curve_p); /* t3 = B^2 - 2A = x3 */
583 vli_mod_sub(t5, t5, z1, curve_p); /* t5 = A - x3 */
584 vli_mod_mult_fast(x1, x1, t5); /* t1 = B * (A - x3) */
585 vli_mod_sub(t4, x1, t4, curve_p); /* t4 = B * (A - x3) - y1^4 = y3 */
586
587 vli_set(x1, z1);
588 vli_set(z1, y1);
589 vli_set(y1, t4);
590}
591
592/* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */
593static void apply_z(u64 *x1, u64 *y1, u64 *z)
594{
595 u64 t1[NUM_ECC_DIGITS];
596
597 vli_mod_square_fast(t1, z); /* z^2 */
598 vli_mod_mult_fast(x1, x1, t1); /* x1 * z^2 */
599 vli_mod_mult_fast(t1, t1, z); /* z^3 */
600 vli_mod_mult_fast(y1, y1, t1); /* y1 * z^3 */
601}
602
603/* P = (x1, y1) => 2P, (x2, y2) => P' */
604static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2,
605 u64 *p_initial_z)
606{
607 u64 z[NUM_ECC_DIGITS];
608
609 vli_set(x2, x1);
610 vli_set(y2, y1);
611
612 vli_clear(z);
613 z[0] = 1;
614
615 if (p_initial_z)
616 vli_set(z, p_initial_z);
617
618 apply_z(x1, y1, z);
619
620 ecc_point_double_jacobian(x1, y1, z);
621
622 apply_z(x2, y2, z);
623}
624
625/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
626 * Output P' = (x1', y1', Z3), P + Q = (x3, y3, Z3)
627 * or P => P', Q => P + Q
628 */
629static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2)
630{
631 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
632 u64 t5[NUM_ECC_DIGITS];
633
634 vli_mod_sub(t5, x2, x1, curve_p); /* t5 = x2 - x1 */
635 vli_mod_square_fast(t5, t5); /* t5 = (x2 - x1)^2 = A */
636 vli_mod_mult_fast(x1, x1, t5); /* t1 = x1*A = B */
637 vli_mod_mult_fast(x2, x2, t5); /* t3 = x2*A = C */
638 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y2 - y1 */
639 vli_mod_square_fast(t5, y2); /* t5 = (y2 - y1)^2 = D */
640
641 vli_mod_sub(t5, t5, x1, curve_p); /* t5 = D - B */
642 vli_mod_sub(t5, t5, x2, curve_p); /* t5 = D - B - C = x3 */
643 vli_mod_sub(x2, x2, x1, curve_p); /* t3 = C - B */
644 vli_mod_mult_fast(y1, y1, x2); /* t2 = y1*(C - B) */
645 vli_mod_sub(x2, x1, t5, curve_p); /* t3 = B - x3 */
646 vli_mod_mult_fast(y2, y2, x2); /* t4 = (y2 - y1)*(B - x3) */
647 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y3 */
648
649 vli_set(x2, t5);
650}
651
652/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
653 * Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3)
654 * or P => P - Q, Q => P + Q
655 */
656static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2)
657{
658 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
659 u64 t5[NUM_ECC_DIGITS];
660 u64 t6[NUM_ECC_DIGITS];
661 u64 t7[NUM_ECC_DIGITS];
662
663 vli_mod_sub(t5, x2, x1, curve_p); /* t5 = x2 - x1 */
664 vli_mod_square_fast(t5, t5); /* t5 = (x2 - x1)^2 = A */
665 vli_mod_mult_fast(x1, x1, t5); /* t1 = x1*A = B */
666 vli_mod_mult_fast(x2, x2, t5); /* t3 = x2*A = C */
667 vli_mod_add(t5, y2, y1, curve_p); /* t4 = y2 + y1 */
668 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y2 - y1 */
669
670 vli_mod_sub(t6, x2, x1, curve_p); /* t6 = C - B */
671 vli_mod_mult_fast(y1, y1, t6); /* t2 = y1 * (C - B) */
672 vli_mod_add(t6, x1, x2, curve_p); /* t6 = B + C */
673 vli_mod_square_fast(x2, y2); /* t3 = (y2 - y1)^2 */
674 vli_mod_sub(x2, x2, t6, curve_p); /* t3 = x3 */
675
676 vli_mod_sub(t7, x1, x2, curve_p); /* t7 = B - x3 */
677 vli_mod_mult_fast(y2, y2, t7); /* t4 = (y2 - y1)*(B - x3) */
678 vli_mod_sub(y2, y2, y1, curve_p); /* t4 = y3 */
679
680 vli_mod_square_fast(t7, t5); /* t7 = (y2 + y1)^2 = F */
681 vli_mod_sub(t7, t7, t6, curve_p); /* t7 = x3' */
682 vli_mod_sub(t6, t7, x1, curve_p); /* t6 = x3' - B */
683 vli_mod_mult_fast(t6, t6, t5); /* t6 = (y2 + y1)*(x3' - B) */
684 vli_mod_sub(y1, t6, y1, curve_p); /* t2 = y3' */
685
686 vli_set(x1, t7);
687}
688
689static void ecc_point_mult(struct ecc_point *result,
690 const struct ecc_point *point, u64 *scalar,
691 u64 *initial_z, int num_bits)
692{
693 /* R0 and R1 */
694 u64 rx[2][NUM_ECC_DIGITS];
695 u64 ry[2][NUM_ECC_DIGITS];
696 u64 z[NUM_ECC_DIGITS];
697 int i, nb;
698
699 vli_set(rx[1], point->x);
700 vli_set(ry[1], point->y);
701
702 xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z);
703
704 for (i = num_bits - 2; i > 0; i--) {
705 nb = !vli_test_bit(scalar, i);
706 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb]);
707 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb]);
708 }
709
710 nb = !vli_test_bit(scalar, 0);
711 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb]);
712
713 /* Find final 1/Z value. */
714 vli_mod_sub(z, rx[1], rx[0], curve_p); /* X1 - X0 */
715 vli_mod_mult_fast(z, z, ry[1 - nb]); /* Yb * (X1 - X0) */
716 vli_mod_mult_fast(z, z, point->x); /* xP * Yb * (X1 - X0) */
717 vli_mod_inv(z, z, curve_p); /* 1 / (xP * Yb * (X1 - X0)) */
718 vli_mod_mult_fast(z, z, point->y); /* yP / (xP * Yb * (X1 - X0)) */
719 vli_mod_mult_fast(z, z, rx[1 - nb]); /* Xb * yP / (xP * Yb * (X1 - X0)) */
720 /* End 1/Z calculation */
721
722 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb]);
723
724 apply_z(rx[0], ry[0], z);
725
726 vli_set(result->x, rx[0]);
727 vli_set(result->y, ry[0]);
728}
729
730static void ecc_bytes2native(const u8 bytes[ECC_BYTES],
731 u64 native[NUM_ECC_DIGITS])
732{
733 int i;
734
735 for (i = 0; i < NUM_ECC_DIGITS; i++) {
736 const u8 *digit = bytes + 8 * (NUM_ECC_DIGITS - 1 - i);
737
738 native[NUM_ECC_DIGITS - 1 - i] =
739 ((u64) digit[0] << 0) |
740 ((u64) digit[1] << 8) |
741 ((u64) digit[2] << 16) |
742 ((u64) digit[3] << 24) |
743 ((u64) digit[4] << 32) |
744 ((u64) digit[5] << 40) |
745 ((u64) digit[6] << 48) |
746 ((u64) digit[7] << 56);
747 }
748}
749
750static void ecc_native2bytes(const u64 native[NUM_ECC_DIGITS],
751 u8 bytes[ECC_BYTES])
752{
753 int i;
754
755 for (i = 0; i < NUM_ECC_DIGITS; i++) {
756 u8 *digit = bytes + 8 * (NUM_ECC_DIGITS - 1 - i);
757
758 digit[0] = native[NUM_ECC_DIGITS - 1 - i] >> 0;
759 digit[1] = native[NUM_ECC_DIGITS - 1 - i] >> 8;
760 digit[2] = native[NUM_ECC_DIGITS - 1 - i] >> 16;
761 digit[3] = native[NUM_ECC_DIGITS - 1 - i] >> 24;
762 digit[4] = native[NUM_ECC_DIGITS - 1 - i] >> 32;
763 digit[5] = native[NUM_ECC_DIGITS - 1 - i] >> 40;
764 digit[6] = native[NUM_ECC_DIGITS - 1 - i] >> 48;
765 digit[7] = native[NUM_ECC_DIGITS - 1 - i] >> 56;
766 }
767}
768
769bool ecc_make_key(u8 public_key[64], u8 private_key[32])
770{
771 struct ecc_point pk;
772 u64 priv[NUM_ECC_DIGITS];
773 unsigned int tries = 0;
774
775 do {
776 if (tries++ >= MAX_TRIES)
777 return false;
778
779 get_random_bytes(priv, ECC_BYTES);
780
781 if (vli_is_zero(priv))
782 continue;
783
784 /* Make sure the private key is in the range [1, n-1]. */
785 if (vli_cmp(curve_n, priv) != 1)
786 continue;
787
788 ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv));
789 } while (ecc_point_is_zero(&pk));
790
791 ecc_native2bytes(priv, private_key);
792 ecc_native2bytes(pk.x, public_key);
793 ecc_native2bytes(pk.y, &public_key[32]);
794
795 return true;
796}
797
798bool ecdh_shared_secret(const u8 public_key[64], const u8 private_key[32],
799 u8 secret[32])
800{
801 u64 priv[NUM_ECC_DIGITS];
802 u64 rand[NUM_ECC_DIGITS];
803 struct ecc_point product, pk;
804
805 get_random_bytes(rand, ECC_BYTES);
806
807 ecc_bytes2native(public_key, pk.x);
808 ecc_bytes2native(&public_key[32], pk.y);
809 ecc_bytes2native(private_key, priv);
810
811 ecc_point_mult(&product, &pk, priv, rand, vli_num_bits(priv));
812
813 ecc_native2bytes(product.x, secret);
814
815 return !ecc_point_is_zero(&product);
816}
diff --git a/net/bluetooth/ecc.h b/net/bluetooth/ecc.h
new file mode 100644
index 000000000000..8d6a2f4d1905
--- /dev/null
+++ b/net/bluetooth/ecc.h
@@ -0,0 +1,54 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27/* Create a public/private key pair.
28 * Outputs:
29 * public_key - Will be filled in with the public key.
30 * private_key - Will be filled in with the private key.
31 *
32 * Returns true if the key pair was generated successfully, false
33 * if an error occurred. The keys are with the LSB first.
34 */
35bool ecc_make_key(u8 public_key[64], u8 private_key[32]);
36
37/* Compute a shared secret given your secret key and someone else's
38 * public key.
39 * Note: It is recommended that you hash the result of ecdh_shared_secret
40 * before using it for symmetric encryption or HMAC.
41 *
42 * Inputs:
43 * public_key - The public key of the remote party
44 * private_key - Your private key.
45 *
46 * Outputs:
47 * secret - Will be filled in with the shared secret value.
48 *
49 * Returns true if the shared secret was generated successfully, false
50 * if an error occurred. Both input and output parameters are with the
51 * LSB first.
52 */
53bool ecdh_shared_secret(const u8 public_key[64], const u8 private_key[32],
54 u8 secret[32]);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 96887ae8375b..79d84b88b8f0 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -449,6 +449,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
449 conn->io_capability = hdev->io_capability; 449 conn->io_capability = hdev->io_capability;
450 conn->remote_auth = 0xff; 450 conn->remote_auth = 0xff;
451 conn->key_type = 0xff; 451 conn->key_type = 0xff;
452 conn->rssi = HCI_RSSI_INVALID;
452 conn->tx_power = HCI_TX_POWER_INVALID; 453 conn->tx_power = HCI_TX_POWER_INVALID;
453 conn->max_tx_power = HCI_TX_POWER_INVALID; 454 conn->max_tx_power = HCI_TX_POWER_INVALID;
454 455
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d786958a1dec..93f92a085506 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -274,15 +274,13 @@ static const struct file_operations inquiry_cache_fops = {
274static int link_keys_show(struct seq_file *f, void *ptr) 274static int link_keys_show(struct seq_file *f, void *ptr)
275{ 275{
276 struct hci_dev *hdev = f->private; 276 struct hci_dev *hdev = f->private;
277 struct list_head *p, *n; 277 struct link_key *key;
278 278
279 hci_dev_lock(hdev); 279 rcu_read_lock();
280 list_for_each_safe(p, n, &hdev->link_keys) { 280 list_for_each_entry_rcu(key, &hdev->link_keys, list)
281 struct link_key *key = list_entry(p, struct link_key, list);
282 seq_printf(f, "%pMR %u %*phN %u\n", &key->bdaddr, key->type, 281 seq_printf(f, "%pMR %u %*phN %u\n", &key->bdaddr, key->type,
283 HCI_LINK_KEY_SIZE, key->val, key->pin_len); 282 HCI_LINK_KEY_SIZE, key->val, key->pin_len);
284 } 283 rcu_read_unlock();
285 hci_dev_unlock(hdev);
286 284
287 return 0; 285 return 0;
288} 286}
@@ -408,6 +406,49 @@ static const struct file_operations force_sc_support_fops = {
408 .llseek = default_llseek, 406 .llseek = default_llseek,
409}; 407};
410 408
409static ssize_t force_lesc_support_read(struct file *file, char __user *user_buf,
410 size_t count, loff_t *ppos)
411{
412 struct hci_dev *hdev = file->private_data;
413 char buf[3];
414
415 buf[0] = test_bit(HCI_FORCE_LESC, &hdev->dbg_flags) ? 'Y': 'N';
416 buf[1] = '\n';
417 buf[2] = '\0';
418 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
419}
420
421static ssize_t force_lesc_support_write(struct file *file,
422 const char __user *user_buf,
423 size_t count, loff_t *ppos)
424{
425 struct hci_dev *hdev = file->private_data;
426 char buf[32];
427 size_t buf_size = min(count, (sizeof(buf)-1));
428 bool enable;
429
430 if (copy_from_user(buf, user_buf, buf_size))
431 return -EFAULT;
432
433 buf[buf_size] = '\0';
434 if (strtobool(buf, &enable))
435 return -EINVAL;
436
437 if (enable == test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
438 return -EALREADY;
439
440 change_bit(HCI_FORCE_LESC, &hdev->dbg_flags);
441
442 return count;
443}
444
445static const struct file_operations force_lesc_support_fops = {
446 .open = simple_open,
447 .read = force_lesc_support_read,
448 .write = force_lesc_support_write,
449 .llseek = default_llseek,
450};
451
411static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf, 452static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf,
412 size_t count, loff_t *ppos) 453 size_t count, loff_t *ppos)
413{ 454{
@@ -1128,6 +1169,7 @@ struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
1128 err = hci_req_run(&req, hci_req_sync_complete); 1169 err = hci_req_run(&req, hci_req_sync_complete);
1129 if (err < 0) { 1170 if (err < 0) {
1130 remove_wait_queue(&hdev->req_wait_q, &wait); 1171 remove_wait_queue(&hdev->req_wait_q, &wait);
1172 set_current_state(TASK_RUNNING);
1131 return ERR_PTR(err); 1173 return ERR_PTR(err);
1132 } 1174 }
1133 1175
@@ -1196,6 +1238,7 @@ static int __hci_req_sync(struct hci_dev *hdev,
1196 hdev->req_status = 0; 1238 hdev->req_status = 0;
1197 1239
1198 remove_wait_queue(&hdev->req_wait_q, &wait); 1240 remove_wait_queue(&hdev->req_wait_q, &wait);
1241 set_current_state(TASK_RUNNING);
1199 1242
1200 /* ENODATA means the HCI request command queue is empty. 1243 /* ENODATA means the HCI request command queue is empty.
1201 * This can happen when a request with conditionals doesn't 1244 * This can happen when a request with conditionals doesn't
@@ -1692,6 +1735,28 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
1692 * Parameter Request 1735 * Parameter Request
1693 */ 1736 */
1694 1737
1738 /* If the controller supports Extended Scanner Filter
1739 * Policies, enable the correspondig event.
1740 */
1741 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
1742 events[1] |= 0x04; /* LE Direct Advertising
1743 * Report
1744 */
1745
1746 /* If the controller supports the LE Read Local P-256
1747 * Public Key command, enable the corresponding event.
1748 */
1749 if (hdev->commands[34] & 0x02)
1750 events[0] |= 0x80; /* LE Read Local P-256
1751 * Public Key Complete
1752 */
1753
1754 /* If the controller supports the LE Generate DHKey
1755 * command, enable the corresponding event.
1756 */
1757 if (hdev->commands[34] & 0x04)
1758 events[1] |= 0x01; /* LE Generate DHKey Complete */
1759
1695 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events), 1760 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
1696 events); 1761 events);
1697 1762
@@ -1734,9 +1799,7 @@ static void hci_init4_req(struct hci_request *req, unsigned long opt)
1734 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL); 1799 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1735 1800
1736 /* Enable Secure Connections if supported and configured */ 1801 /* Enable Secure Connections if supported and configured */
1737 if ((lmp_sc_capable(hdev) || 1802 if (bredr_sc_enabled(hdev)) {
1738 test_bit(HCI_FORCE_SC, &hdev->dbg_flags)) &&
1739 test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
1740 u8 support = 0x01; 1803 u8 support = 0x01;
1741 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT, 1804 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
1742 sizeof(support), &support); 1805 sizeof(support), &support);
@@ -1819,6 +1882,10 @@ static int __hci_init(struct hci_dev *hdev)
1819 hdev, &force_sc_support_fops); 1882 hdev, &force_sc_support_fops);
1820 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs, 1883 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs,
1821 hdev, &sc_only_mode_fops); 1884 hdev, &sc_only_mode_fops);
1885 if (lmp_le_capable(hdev))
1886 debugfs_create_file("force_lesc_support", 0644,
1887 hdev->debugfs, hdev,
1888 &force_lesc_support_fops);
1822 } 1889 }
1823 1890
1824 if (lmp_sniff_capable(hdev)) { 1891 if (lmp_sniff_capable(hdev)) {
@@ -2115,7 +2182,7 @@ u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
2115 2182
2116 BT_DBG("cache %p, %pMR", cache, &data->bdaddr); 2183 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
2117 2184
2118 hci_remove_remote_oob_data(hdev, &data->bdaddr); 2185 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
2119 2186
2120 if (!data->ssp_mode) 2187 if (!data->ssp_mode)
2121 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING; 2188 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
@@ -3099,15 +3166,11 @@ void hci_uuids_clear(struct hci_dev *hdev)
3099 3166
3100void hci_link_keys_clear(struct hci_dev *hdev) 3167void hci_link_keys_clear(struct hci_dev *hdev)
3101{ 3168{
3102 struct list_head *p, *n; 3169 struct link_key *key;
3103
3104 list_for_each_safe(p, n, &hdev->link_keys) {
3105 struct link_key *key;
3106
3107 key = list_entry(p, struct link_key, list);
3108 3170
3109 list_del(p); 3171 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
3110 kfree(key); 3172 list_del_rcu(&key->list);
3173 kfree_rcu(key, rcu);
3111 } 3174 }
3112} 3175}
3113 3176
@@ -3135,9 +3198,14 @@ struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
3135{ 3198{
3136 struct link_key *k; 3199 struct link_key *k;
3137 3200
3138 list_for_each_entry(k, &hdev->link_keys, list) 3201 rcu_read_lock();
3139 if (bacmp(bdaddr, &k->bdaddr) == 0) 3202 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
3203 if (bacmp(bdaddr, &k->bdaddr) == 0) {
3204 rcu_read_unlock();
3140 return k; 3205 return k;
3206 }
3207 }
3208 rcu_read_unlock();
3141 3209
3142 return NULL; 3210 return NULL;
3143} 3211}
@@ -3161,6 +3229,10 @@ static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
3161 if (!conn) 3229 if (!conn)
3162 return true; 3230 return true;
3163 3231
3232 /* BR/EDR key derived using SC from an LE link */
3233 if (conn->type == LE_LINK)
3234 return true;
3235
3164 /* Neither local nor remote side had no-bonding as requirement */ 3236 /* Neither local nor remote side had no-bonding as requirement */
3165 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01) 3237 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
3166 return true; 3238 return true;
@@ -3186,37 +3258,17 @@ static u8 ltk_role(u8 type)
3186 return HCI_ROLE_SLAVE; 3258 return HCI_ROLE_SLAVE;
3187} 3259}
3188 3260
3189struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand, 3261struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3190 u8 role) 3262 u8 addr_type, u8 role)
3191{ 3263{
3192 struct smp_ltk *k; 3264 struct smp_ltk *k;
3193 3265
3194 rcu_read_lock(); 3266 rcu_read_lock();
3195 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { 3267 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
3196 if (k->ediv != ediv || k->rand != rand) 3268 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
3197 continue;
3198
3199 if (ltk_role(k->type) != role)
3200 continue; 3269 continue;
3201 3270
3202 rcu_read_unlock(); 3271 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
3203 return k;
3204 }
3205 rcu_read_unlock();
3206
3207 return NULL;
3208}
3209
3210struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
3211 u8 addr_type, u8 role)
3212{
3213 struct smp_ltk *k;
3214
3215 rcu_read_lock();
3216 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
3217 if (addr_type == k->bdaddr_type &&
3218 bacmp(bdaddr, &k->bdaddr) == 0 &&
3219 ltk_role(k->type) == role) {
3220 rcu_read_unlock(); 3272 rcu_read_unlock();
3221 return k; 3273 return k;
3222 } 3274 }
@@ -3288,7 +3340,7 @@ struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
3288 key = kzalloc(sizeof(*key), GFP_KERNEL); 3340 key = kzalloc(sizeof(*key), GFP_KERNEL);
3289 if (!key) 3341 if (!key)
3290 return NULL; 3342 return NULL;
3291 list_add(&key->list, &hdev->link_keys); 3343 list_add_rcu(&key->list, &hdev->link_keys);
3292 } 3344 }
3293 3345
3294 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type); 3346 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
@@ -3326,7 +3378,7 @@ struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3326 struct smp_ltk *key, *old_key; 3378 struct smp_ltk *key, *old_key;
3327 u8 role = ltk_role(type); 3379 u8 role = ltk_role(type);
3328 3380
3329 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type, role); 3381 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
3330 if (old_key) 3382 if (old_key)
3331 key = old_key; 3383 key = old_key;
3332 else { 3384 else {
@@ -3381,8 +3433,8 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
3381 3433
3382 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 3434 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3383 3435
3384 list_del(&key->list); 3436 list_del_rcu(&key->list);
3385 kfree(key); 3437 kfree_rcu(key, rcu);
3386 3438
3387 return 0; 3439 return 0;
3388} 3440}
@@ -3441,26 +3493,31 @@ static void hci_cmd_timeout(struct work_struct *work)
3441} 3493}
3442 3494
3443struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 3495struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
3444 bdaddr_t *bdaddr) 3496 bdaddr_t *bdaddr, u8 bdaddr_type)
3445{ 3497{
3446 struct oob_data *data; 3498 struct oob_data *data;
3447 3499
3448 list_for_each_entry(data, &hdev->remote_oob_data, list) 3500 list_for_each_entry(data, &hdev->remote_oob_data, list) {
3449 if (bacmp(bdaddr, &data->bdaddr) == 0) 3501 if (bacmp(bdaddr, &data->bdaddr) != 0)
3450 return data; 3502 continue;
3503 if (data->bdaddr_type != bdaddr_type)
3504 continue;
3505 return data;
3506 }
3451 3507
3452 return NULL; 3508 return NULL;
3453} 3509}
3454 3510
3455int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr) 3511int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3512 u8 bdaddr_type)
3456{ 3513{
3457 struct oob_data *data; 3514 struct oob_data *data;
3458 3515
3459 data = hci_find_remote_oob_data(hdev, bdaddr); 3516 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
3460 if (!data) 3517 if (!data)
3461 return -ENOENT; 3518 return -ENOENT;
3462 3519
3463 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 3520 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
3464 3521
3465 list_del(&data->list); 3522 list_del(&data->list);
3466 kfree(data); 3523 kfree(data);
@@ -3479,52 +3536,37 @@ void hci_remote_oob_data_clear(struct hci_dev *hdev)
3479} 3536}
3480 3537
3481int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 3538int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3482 u8 *hash, u8 *rand) 3539 u8 bdaddr_type, u8 *hash192, u8 *rand192,
3540 u8 *hash256, u8 *rand256)
3483{ 3541{
3484 struct oob_data *data; 3542 struct oob_data *data;
3485 3543
3486 data = hci_find_remote_oob_data(hdev, bdaddr); 3544 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
3487 if (!data) { 3545 if (!data) {
3488 data = kmalloc(sizeof(*data), GFP_KERNEL); 3546 data = kmalloc(sizeof(*data), GFP_KERNEL);
3489 if (!data) 3547 if (!data)
3490 return -ENOMEM; 3548 return -ENOMEM;
3491 3549
3492 bacpy(&data->bdaddr, bdaddr); 3550 bacpy(&data->bdaddr, bdaddr);
3551 data->bdaddr_type = bdaddr_type;
3493 list_add(&data->list, &hdev->remote_oob_data); 3552 list_add(&data->list, &hdev->remote_oob_data);
3494 } 3553 }
3495 3554
3496 memcpy(data->hash192, hash, sizeof(data->hash192)); 3555 if (hash192 && rand192) {
3497 memcpy(data->rand192, rand, sizeof(data->rand192)); 3556 memcpy(data->hash192, hash192, sizeof(data->hash192));
3498 3557 memcpy(data->rand192, rand192, sizeof(data->rand192));
3499 memset(data->hash256, 0, sizeof(data->hash256)); 3558 } else {
3500 memset(data->rand256, 0, sizeof(data->rand256)); 3559 memset(data->hash192, 0, sizeof(data->hash192));
3501 3560 memset(data->rand192, 0, sizeof(data->rand192));
3502 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3503
3504 return 0;
3505}
3506
3507int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3508 u8 *hash192, u8 *rand192,
3509 u8 *hash256, u8 *rand256)
3510{
3511 struct oob_data *data;
3512
3513 data = hci_find_remote_oob_data(hdev, bdaddr);
3514 if (!data) {
3515 data = kmalloc(sizeof(*data), GFP_KERNEL);
3516 if (!data)
3517 return -ENOMEM;
3518
3519 bacpy(&data->bdaddr, bdaddr);
3520 list_add(&data->list, &hdev->remote_oob_data);
3521 } 3561 }
3522 3562
3523 memcpy(data->hash192, hash192, sizeof(data->hash192)); 3563 if (hash256 && rand256) {
3524 memcpy(data->rand192, rand192, sizeof(data->rand192)); 3564 memcpy(data->hash256, hash256, sizeof(data->hash256));
3525 3565 memcpy(data->rand256, rand256, sizeof(data->rand256));
3526 memcpy(data->hash256, hash256, sizeof(data->hash256)); 3566 } else {
3527 memcpy(data->rand256, rand256, sizeof(data->rand256)); 3567 memset(data->hash256, 0, sizeof(data->hash256));
3568 memset(data->rand256, 0, sizeof(data->rand256));
3569 }
3528 3570
3529 BT_DBG("%s for %pMR", hdev->name, bdaddr); 3571 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3530 3572
@@ -4224,6 +4266,7 @@ void hci_unregister_dev(struct hci_dev *hdev)
4224 hci_remote_oob_data_clear(hdev); 4266 hci_remote_oob_data_clear(hdev);
4225 hci_bdaddr_list_clear(&hdev->le_white_list); 4267 hci_bdaddr_list_clear(&hdev->le_white_list);
4226 hci_conn_params_clear_all(hdev); 4268 hci_conn_params_clear_all(hdev);
4269 hci_discovery_filter_clear(hdev);
4227 hci_dev_unlock(hdev); 4270 hci_dev_unlock(hdev);
4228 4271
4229 hci_dev_put(hdev); 4272 hci_dev_put(hdev);
@@ -5596,6 +5639,19 @@ void hci_req_add_le_passive_scan(struct hci_request *req)
5596 */ 5639 */
5597 filter_policy = update_white_list(req); 5640 filter_policy = update_white_list(req);
5598 5641
5642 /* When the controller is using random resolvable addresses and
5643 * with that having LE privacy enabled, then controllers with
5644 * Extended Scanner Filter Policies support can now enable support
5645 * for handling directed advertising.
5646 *
5647 * So instead of using filter polices 0x00 (no whitelist)
5648 * and 0x01 (whitelist enabled) use the new filter policies
5649 * 0x02 (no whitelist) and 0x03 (whitelist enabled).
5650 */
5651 if (test_bit(HCI_PRIVACY, &hdev->dev_flags) &&
5652 (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY))
5653 filter_policy |= 0x02;
5654
5599 memset(&param_cp, 0, sizeof(param_cp)); 5655 memset(&param_cp, 0, sizeof(param_cp));
5600 param_cp.type = LE_SCAN_PASSIVE; 5656 param_cp.type = LE_SCAN_PASSIVE;
5601 param_cp.interval = cpu_to_le16(hdev->le_scan_interval); 5657 param_cp.interval = cpu_to_le16(hdev->le_scan_interval);
@@ -5647,6 +5703,15 @@ void hci_update_background_scan(struct hci_dev *hdev)
5647 if (hdev->discovery.state != DISCOVERY_STOPPED) 5703 if (hdev->discovery.state != DISCOVERY_STOPPED)
5648 return; 5704 return;
5649 5705
5706 /* Reset RSSI and UUID filters when starting background scanning
5707 * since these filters are meant for service discovery only.
5708 *
5709 * The Start Discovery and Start Service Discovery operations
5710 * ensure to set proper values for RSSI threshold and UUID
5711 * filter list. So it is safe to just reset them here.
5712 */
5713 hci_discovery_filter_clear(hdev);
5714
5650 hci_req_init(&req, hdev); 5715 hci_req_init(&req, hdev);
5651 5716
5652 if (list_empty(&hdev->pend_le_conns) && 5717 if (list_empty(&hdev->pend_le_conns) &&
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 844f7d1ff1cd..322abbbbcef9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2043,13 +2043,14 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2043 data.pscan_mode = info->pscan_mode; 2043 data.pscan_mode = info->pscan_mode;
2044 memcpy(data.dev_class, info->dev_class, 3); 2044 memcpy(data.dev_class, info->dev_class, 3);
2045 data.clock_offset = info->clock_offset; 2045 data.clock_offset = info->clock_offset;
2046 data.rssi = 0x00; 2046 data.rssi = HCI_RSSI_INVALID;
2047 data.ssp_mode = 0x00; 2047 data.ssp_mode = 0x00;
2048 2048
2049 flags = hci_inquiry_cache_update(hdev, &data, false); 2049 flags = hci_inquiry_cache_update(hdev, &data, false);
2050 2050
2051 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2051 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2052 info->dev_class, 0, flags, NULL, 0, NULL, 0); 2052 info->dev_class, HCI_RSSI_INVALID,
2053 flags, NULL, 0, NULL, 0);
2053 } 2054 }
2054 2055
2055 hci_dev_unlock(hdev); 2056 hci_dev_unlock(hdev);
@@ -3191,6 +3192,38 @@ unlock:
3191 hci_dev_unlock(hdev); 3192 hci_dev_unlock(hdev);
3192} 3193}
3193 3194
3195static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3196{
3197 if (key_type == HCI_LK_CHANGED_COMBINATION)
3198 return;
3199
3200 conn->pin_length = pin_len;
3201 conn->key_type = key_type;
3202
3203 switch (key_type) {
3204 case HCI_LK_LOCAL_UNIT:
3205 case HCI_LK_REMOTE_UNIT:
3206 case HCI_LK_DEBUG_COMBINATION:
3207 return;
3208 case HCI_LK_COMBINATION:
3209 if (pin_len == 16)
3210 conn->pending_sec_level = BT_SECURITY_HIGH;
3211 else
3212 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3213 break;
3214 case HCI_LK_UNAUTH_COMBINATION_P192:
3215 case HCI_LK_UNAUTH_COMBINATION_P256:
3216 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3217 break;
3218 case HCI_LK_AUTH_COMBINATION_P192:
3219 conn->pending_sec_level = BT_SECURITY_HIGH;
3220 break;
3221 case HCI_LK_AUTH_COMBINATION_P256:
3222 conn->pending_sec_level = BT_SECURITY_FIPS;
3223 break;
3224 }
3225}
3226
3194static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3227static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3195{ 3228{
3196 struct hci_ev_link_key_req *ev = (void *) skb->data; 3229 struct hci_ev_link_key_req *ev = (void *) skb->data;
@@ -3217,6 +3250,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3217 3250
3218 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3251 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3219 if (conn) { 3252 if (conn) {
3253 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3254
3220 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3255 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3221 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3256 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3222 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3257 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
@@ -3232,8 +3267,7 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3232 goto not_found; 3267 goto not_found;
3233 } 3268 }
3234 3269
3235 conn->key_type = key->type; 3270 conn_set_key(conn, key->type, key->pin_len);
3236 conn->pin_length = key->pin_len;
3237 } 3271 }
3238 3272
3239 bacpy(&cp.bdaddr, &ev->bdaddr); 3273 bacpy(&cp.bdaddr, &ev->bdaddr);
@@ -3263,16 +3297,15 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3263 hci_dev_lock(hdev); 3297 hci_dev_lock(hdev);
3264 3298
3265 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3299 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3266 if (conn) { 3300 if (!conn)
3267 hci_conn_hold(conn); 3301 goto unlock;
3268 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3269 pin_len = conn->pin_length;
3270 3302
3271 if (ev->key_type != HCI_LK_CHANGED_COMBINATION) 3303 hci_conn_hold(conn);
3272 conn->key_type = ev->key_type; 3304 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3305 hci_conn_drop(conn);
3273 3306
3274 hci_conn_drop(conn); 3307 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3275 } 3308 conn_set_key(conn, ev->key_type, conn->pin_length);
3276 3309
3277 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3310 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3278 goto unlock; 3311 goto unlock;
@@ -3282,6 +3315,12 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3282 if (!key) 3315 if (!key)
3283 goto unlock; 3316 goto unlock;
3284 3317
3318 /* Update connection information since adding the key will have
3319 * fixed up the type in the case of changed combination keys.
3320 */
3321 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3322 conn_set_key(conn, key->type, key->pin_len);
3323
3285 mgmt_new_link_key(hdev, key, persistent); 3324 mgmt_new_link_key(hdev, key, persistent);
3286 3325
3287 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 3326 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
@@ -3291,15 +3330,16 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3291 */ 3330 */
3292 if (key->type == HCI_LK_DEBUG_COMBINATION && 3331 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3293 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) { 3332 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) {
3294 list_del(&key->list); 3333 list_del_rcu(&key->list);
3295 kfree(key); 3334 kfree_rcu(key, rcu);
3296 } else if (conn) { 3335 goto unlock;
3297 if (persistent)
3298 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3299 else
3300 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3301 } 3336 }
3302 3337
3338 if (persistent)
3339 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3340 else
3341 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3342
3303unlock: 3343unlock:
3304 hci_dev_unlock(hdev); 3344 hci_dev_unlock(hdev);
3305} 3345}
@@ -3734,7 +3774,7 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3734 3774
3735 cp.authentication = conn->auth_type; 3775 cp.authentication = conn->auth_type;
3736 3776
3737 if (hci_find_remote_oob_data(hdev, &conn->dst) && 3777 if (hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR) &&
3738 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3778 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3739 cp.oob_data = 0x01; 3779 cp.oob_data = 0x01;
3740 else 3780 else
@@ -3989,9 +4029,9 @@ static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3989 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 4029 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3990 goto unlock; 4030 goto unlock;
3991 4031
3992 data = hci_find_remote_oob_data(hdev, &ev->bdaddr); 4032 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
3993 if (data) { 4033 if (data) {
3994 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) { 4034 if (bredr_sc_enabled(hdev)) {
3995 struct hci_cp_remote_oob_ext_data_reply cp; 4035 struct hci_cp_remote_oob_ext_data_reply cp;
3996 4036
3997 bacpy(&cp.bdaddr, &ev->bdaddr); 4037 bacpy(&cp.bdaddr, &ev->bdaddr);
@@ -4386,7 +4426,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4386} 4426}
4387 4427
4388static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4428static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4389 u8 bdaddr_type, s8 rssi, u8 *data, u8 len) 4429 u8 bdaddr_type, bdaddr_t *direct_addr,
4430 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4390{ 4431{
4391 struct discovery_state *d = &hdev->discovery; 4432 struct discovery_state *d = &hdev->discovery;
4392 struct smp_irk *irk; 4433 struct smp_irk *irk;
@@ -4394,6 +4435,32 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4394 bool match; 4435 bool match;
4395 u32 flags; 4436 u32 flags;
4396 4437
4438 /* If the direct address is present, then this report is from
4439 * a LE Direct Advertising Report event. In that case it is
4440 * important to see if the address is matching the local
4441 * controller address.
4442 */
4443 if (direct_addr) {
4444 /* Only resolvable random addresses are valid for these
4445 * kind of reports and others can be ignored.
4446 */
4447 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4448 return;
4449
4450 /* If the controller is not using resolvable random
4451 * addresses, then this report can be ignored.
4452 */
4453 if (!test_bit(HCI_PRIVACY, &hdev->dev_flags))
4454 return;
4455
4456 /* If the local IRK of the controller does not match
4457 * with the resolvable random address provided, then
4458 * this report can be ignored.
4459 */
4460 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4461 return;
4462 }
4463
4397 /* Check if we need to convert to identity address */ 4464 /* Check if we need to convert to identity address */
4398 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 4465 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4399 if (irk) { 4466 if (irk) {
@@ -4530,7 +4597,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4530 4597
4531 rssi = ev->data[ev->length]; 4598 rssi = ev->data[ev->length];
4532 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4599 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4533 ev->bdaddr_type, rssi, ev->data, ev->length); 4600 ev->bdaddr_type, NULL, 0, rssi,
4601 ev->data, ev->length);
4534 4602
4535 ptr += sizeof(*ev) + ev->length + 1; 4603 ptr += sizeof(*ev) + ev->length + 1;
4536 } 4604 }
@@ -4554,10 +4622,20 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4554 if (conn == NULL) 4622 if (conn == NULL)
4555 goto not_found; 4623 goto not_found;
4556 4624
4557 ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->role); 4625 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4558 if (ltk == NULL) 4626 if (!ltk)
4559 goto not_found; 4627 goto not_found;
4560 4628
4629 if (smp_ltk_is_sc(ltk)) {
4630 /* With SC both EDiv and Rand are set to zero */
4631 if (ev->ediv || ev->rand)
4632 goto not_found;
4633 } else {
4634 /* For non-SC keys check that EDiv and Rand match */
4635 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4636 goto not_found;
4637 }
4638
4561 memcpy(cp.ltk, ltk->val, sizeof(ltk->val)); 4639 memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4562 cp.handle = cpu_to_le16(conn->handle); 4640 cp.handle = cpu_to_le16(conn->handle);
4563 4641
@@ -4661,6 +4739,27 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4661 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 4739 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4662} 4740}
4663 4741
4742static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
4743 struct sk_buff *skb)
4744{
4745 u8 num_reports = skb->data[0];
4746 void *ptr = &skb->data[1];
4747
4748 hci_dev_lock(hdev);
4749
4750 while (num_reports--) {
4751 struct hci_ev_le_direct_adv_info *ev = ptr;
4752
4753 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4754 ev->bdaddr_type, &ev->direct_addr,
4755 ev->direct_addr_type, ev->rssi, NULL, 0);
4756
4757 ptr += sizeof(*ev);
4758 }
4759
4760 hci_dev_unlock(hdev);
4761}
4762
4664static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 4763static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4665{ 4764{
4666 struct hci_ev_le_meta *le_ev = (void *) skb->data; 4765 struct hci_ev_le_meta *le_ev = (void *) skb->data;
@@ -4688,6 +4787,10 @@ static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4688 hci_le_remote_conn_param_req_evt(hdev, skb); 4787 hci_le_remote_conn_param_req_evt(hdev, skb);
4689 break; 4788 break;
4690 4789
4790 case HCI_EV_LE_DIRECT_ADV_REPORT:
4791 hci_le_direct_adv_report_evt(hdev, skb);
4792 break;
4793
4691 default: 4794 default:
4692 break; 4795 break;
4693 } 4796 }
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 8e1273173020..a8da7ea9c2c0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -46,7 +46,6 @@
46bool disable_ertm; 46bool disable_ertm;
47 47
48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
50 49
51static LIST_HEAD(chan_list); 50static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock); 51static DEFINE_RWLOCK(chan_list_lock);
@@ -840,7 +839,10 @@ static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
840 if (!skb) 839 if (!skb)
841 return; 840 return;
842 841
843 if (lmp_no_flush_capable(conn->hcon->hdev)) 842 /* Use NO_FLUSH if supported or we have an LE link (which does
843 * not support auto-flushing packets) */
844 if (lmp_no_flush_capable(conn->hcon->hdev) ||
845 conn->hcon->type == LE_LINK)
844 flags = ACL_START_NO_FLUSH; 846 flags = ACL_START_NO_FLUSH;
845 else 847 else
846 flags = ACL_START; 848 flags = ACL_START;
@@ -874,8 +876,13 @@ static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
874 return; 876 return;
875 } 877 }
876 878
877 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 879 /* Use NO_FLUSH for LE links (where this is the only option) or
878 lmp_no_flush_capable(hcon->hdev)) 880 * if the BR/EDR link supports it and flushing has not been
881 * explicitly requested (through FLAG_FLUSHABLE).
882 */
883 if (hcon->type == LE_LINK ||
884 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
885 lmp_no_flush_capable(hcon->hdev)))
879 flags = ACL_START_NO_FLUSH; 886 flags = ACL_START_NO_FLUSH;
880 else 887 else
881 flags = ACL_START; 888 flags = ACL_START;
@@ -1112,10 +1119,10 @@ static bool __amp_capable(struct l2cap_chan *chan)
1112 struct hci_dev *hdev; 1119 struct hci_dev *hdev;
1113 bool amp_available = false; 1120 bool amp_available = false;
1114 1121
1115 if (!conn->hs_enabled) 1122 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1116 return false; 1123 return false;
1117 1124
1118 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP)) 1125 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1119 return false; 1126 return false;
1120 1127
1121 read_lock(&hci_dev_list_lock); 1128 read_lock(&hci_dev_list_lock);
@@ -3088,12 +3095,14 @@ static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3088 3095
3089static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3096static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3090{ 3097{
3091 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW; 3098 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3099 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3092} 3100}
3093 3101
3094static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3102static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3095{ 3103{
3096 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW; 3104 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3105 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3097} 3106}
3098 3107
3099static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3108static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
@@ -3322,7 +3331,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3322 break; 3331 break;
3323 3332
3324 case L2CAP_CONF_EWS: 3333 case L2CAP_CONF_EWS:
3325 if (!chan->conn->hs_enabled) 3334 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3326 return -ECONNREFUSED; 3335 return -ECONNREFUSED;
3327 3336
3328 set_bit(FLAG_EXT_CTRL, &chan->flags); 3337 set_bit(FLAG_EXT_CTRL, &chan->flags);
@@ -4326,7 +4335,7 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
4326 if (!disable_ertm) 4335 if (!disable_ertm)
4327 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4336 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4328 | L2CAP_FEAT_FCS; 4337 | L2CAP_FEAT_FCS;
4329 if (conn->hs_enabled) 4338 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4330 feat_mask |= L2CAP_FEAT_EXT_FLOW 4339 feat_mask |= L2CAP_FEAT_EXT_FLOW
4331 | L2CAP_FEAT_EXT_WINDOW; 4340 | L2CAP_FEAT_EXT_WINDOW;
4332 4341
@@ -4337,14 +4346,10 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
4337 u8 buf[12]; 4346 u8 buf[12];
4338 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4347 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4339 4348
4340 if (conn->hs_enabled)
4341 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4342 else
4343 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4344
4345 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4349 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4346 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4350 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4347 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan)); 4351 rsp->data[0] = conn->local_fixed_chan;
4352 memset(rsp->data + 1, 0, 7);
4348 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4353 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4349 buf); 4354 buf);
4350 } else { 4355 } else {
@@ -4410,7 +4415,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4410 break; 4415 break;
4411 4416
4412 case L2CAP_IT_FIXED_CHAN: 4417 case L2CAP_IT_FIXED_CHAN:
4413 conn->fixed_chan_mask = rsp->data[0]; 4418 conn->remote_fixed_chan = rsp->data[0];
4414 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4419 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4415 conn->info_ident = 0; 4420 conn->info_ident = 0;
4416 4421
@@ -4434,7 +4439,7 @@ static int l2cap_create_channel_req(struct l2cap_conn *conn,
4434 if (cmd_len != sizeof(*req)) 4439 if (cmd_len != sizeof(*req))
4435 return -EPROTO; 4440 return -EPROTO;
4436 4441
4437 if (!conn->hs_enabled) 4442 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4438 return -EINVAL; 4443 return -EINVAL;
4439 4444
4440 psm = le16_to_cpu(req->psm); 4445 psm = le16_to_cpu(req->psm);
@@ -4864,7 +4869,7 @@ static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4864 4869
4865 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id); 4870 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4866 4871
4867 if (!conn->hs_enabled) 4872 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4868 return -EINVAL; 4873 return -EINVAL;
4869 4874
4870 chan = l2cap_get_chan_by_dcid(conn, icid); 4875 chan = l2cap_get_chan_by_dcid(conn, icid);
@@ -6956,9 +6961,15 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6956 6961
6957 conn->feat_mask = 0; 6962 conn->feat_mask = 0;
6958 6963
6959 if (hcon->type == ACL_LINK) 6964 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6960 conn->hs_enabled = test_bit(HCI_HS_ENABLED, 6965
6961 &hcon->hdev->dev_flags); 6966 if (hcon->type == ACL_LINK &&
6967 test_bit(HCI_HS_ENABLED, &hcon->hdev->dev_flags))
6968 conn->local_fixed_chan |= L2CAP_FC_A2MP;
6969
6970 if (bredr_sc_enabled(hcon->hdev) &&
6971 test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
6972 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6962 6973
6963 mutex_init(&conn->ident_lock); 6974 mutex_init(&conn->ident_lock);
6964 mutex_init(&conn->chan_lock); 6975 mutex_init(&conn->chan_lock);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index f3e4a16fb157..7384f1161336 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -35,7 +35,7 @@
35#include "smp.h" 35#include "smp.h"
36 36
37#define MGMT_VERSION 1 37#define MGMT_VERSION 1
38#define MGMT_REVISION 7 38#define MGMT_REVISION 8
39 39
40static const u16 mgmt_commands[] = { 40static const u16 mgmt_commands[] = {
41 MGMT_OP_READ_INDEX_LIST, 41 MGMT_OP_READ_INDEX_LIST,
@@ -93,6 +93,7 @@ static const u16 mgmt_commands[] = {
93 MGMT_OP_READ_CONFIG_INFO, 93 MGMT_OP_READ_CONFIG_INFO,
94 MGMT_OP_SET_EXTERNAL_CONFIG, 94 MGMT_OP_SET_EXTERNAL_CONFIG,
95 MGMT_OP_SET_PUBLIC_ADDRESS, 95 MGMT_OP_SET_PUBLIC_ADDRESS,
96 MGMT_OP_START_SERVICE_DISCOVERY,
96}; 97};
97 98
98static const u16 mgmt_events[] = { 99static const u16 mgmt_events[] = {
@@ -134,8 +135,10 @@ struct pending_cmd {
134 u16 opcode; 135 u16 opcode;
135 int index; 136 int index;
136 void *param; 137 void *param;
138 size_t param_len;
137 struct sock *sk; 139 struct sock *sk;
138 void *user_data; 140 void *user_data;
141 void (*cmd_complete)(struct pending_cmd *cmd, u8 status);
139}; 142};
140 143
141/* HCI to MGMT error code conversion table */ 144/* HCI to MGMT error code conversion table */
@@ -574,6 +577,7 @@ static u32 get_supported_settings(struct hci_dev *hdev)
574 if (lmp_le_capable(hdev)) { 577 if (lmp_le_capable(hdev)) {
575 settings |= MGMT_SETTING_LE; 578 settings |= MGMT_SETTING_LE;
576 settings |= MGMT_SETTING_ADVERTISING; 579 settings |= MGMT_SETTING_ADVERTISING;
580 settings |= MGMT_SETTING_SECURE_CONN;
577 settings |= MGMT_SETTING_PRIVACY; 581 settings |= MGMT_SETTING_PRIVACY;
578 } 582 }
579 583
@@ -1202,14 +1206,13 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
1202 cmd->opcode = opcode; 1206 cmd->opcode = opcode;
1203 cmd->index = hdev->id; 1207 cmd->index = hdev->id;
1204 1208
1205 cmd->param = kmalloc(len, GFP_KERNEL); 1209 cmd->param = kmemdup(data, len, GFP_KERNEL);
1206 if (!cmd->param) { 1210 if (!cmd->param) {
1207 kfree(cmd); 1211 kfree(cmd);
1208 return NULL; 1212 return NULL;
1209 } 1213 }
1210 1214
1211 if (data) 1215 cmd->param_len = len;
1212 memcpy(cmd->param, data, len);
1213 1216
1214 cmd->sk = sk; 1217 cmd->sk = sk;
1215 sock_hold(sk); 1218 sock_hold(sk);
@@ -1469,6 +1472,32 @@ static void cmd_status_rsp(struct pending_cmd *cmd, void *data)
1469 mgmt_pending_remove(cmd); 1472 mgmt_pending_remove(cmd);
1470} 1473}
1471 1474
1475static void cmd_complete_rsp(struct pending_cmd *cmd, void *data)
1476{
1477 if (cmd->cmd_complete) {
1478 u8 *status = data;
1479
1480 cmd->cmd_complete(cmd, *status);
1481 mgmt_pending_remove(cmd);
1482
1483 return;
1484 }
1485
1486 cmd_status_rsp(cmd, data);
1487}
1488
1489static void generic_cmd_complete(struct pending_cmd *cmd, u8 status)
1490{
1491 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1492 cmd->param_len);
1493}
1494
1495static void addr_cmd_complete(struct pending_cmd *cmd, u8 status)
1496{
1497 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1498 sizeof(struct mgmt_addr_info));
1499}
1500
1472static u8 mgmt_bredr_support(struct hci_dev *hdev) 1501static u8 mgmt_bredr_support(struct hci_dev *hdev)
1473{ 1502{
1474 if (!lmp_bredr_capable(hdev)) 1503 if (!lmp_bredr_capable(hdev))
@@ -2792,6 +2821,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2792 goto unlock; 2821 goto unlock;
2793 } 2822 }
2794 2823
2824 cmd->cmd_complete = addr_cmd_complete;
2825
2795 dc.handle = cpu_to_le16(conn->handle); 2826 dc.handle = cpu_to_le16(conn->handle);
2796 dc.reason = 0x13; /* Remote User Terminated Connection */ 2827 dc.reason = 0x13; /* Remote User Terminated Connection */
2797 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc); 2828 err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
@@ -2855,6 +2886,8 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2855 goto failed; 2886 goto failed;
2856 } 2887 }
2857 2888
2889 cmd->cmd_complete = generic_cmd_complete;
2890
2858 err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM); 2891 err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2859 if (err < 0) 2892 if (err < 0)
2860 mgmt_pending_remove(cmd); 2893 mgmt_pending_remove(cmd);
@@ -3007,6 +3040,8 @@ static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3007 goto failed; 3040 goto failed;
3008 } 3041 }
3009 3042
3043 cmd->cmd_complete = addr_cmd_complete;
3044
3010 bacpy(&reply.bdaddr, &cp->addr.bdaddr); 3045 bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3011 reply.pin_len = cp->pin_len; 3046 reply.pin_len = cp->pin_len;
3012 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code)); 3047 memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
@@ -3096,7 +3131,7 @@ void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3096 3131
3097 cmd = find_pairing(conn); 3132 cmd = find_pairing(conn);
3098 if (cmd) 3133 if (cmd)
3099 pairing_complete(cmd, status); 3134 cmd->cmd_complete(cmd, status);
3100} 3135}
3101 3136
3102static void pairing_complete_cb(struct hci_conn *conn, u8 status) 3137static void pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3109,7 +3144,7 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3109 if (!cmd) 3144 if (!cmd)
3110 BT_DBG("Unable to find a pending command"); 3145 BT_DBG("Unable to find a pending command");
3111 else 3146 else
3112 pairing_complete(cmd, mgmt_status(status)); 3147 cmd->cmd_complete(cmd, mgmt_status(status));
3113} 3148}
3114 3149
3115static void le_pairing_complete_cb(struct hci_conn *conn, u8 status) 3150static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
@@ -3125,7 +3160,7 @@ static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3125 if (!cmd) 3160 if (!cmd)
3126 BT_DBG("Unable to find a pending command"); 3161 BT_DBG("Unable to find a pending command");
3127 else 3162 else
3128 pairing_complete(cmd, mgmt_status(status)); 3163 cmd->cmd_complete(cmd, mgmt_status(status));
3129} 3164}
3130 3165
3131static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, 3166static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
@@ -3222,6 +3257,8 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3222 goto unlock; 3257 goto unlock;
3223 } 3258 }
3224 3259
3260 cmd->cmd_complete = pairing_complete;
3261
3225 /* For LE, just connecting isn't a proof that the pairing finished */ 3262 /* For LE, just connecting isn't a proof that the pairing finished */
3226 if (cp->addr.type == BDADDR_BREDR) { 3263 if (cp->addr.type == BDADDR_BREDR) {
3227 conn->connect_cfm_cb = pairing_complete_cb; 3264 conn->connect_cfm_cb = pairing_complete_cb;
@@ -3338,6 +3375,8 @@ static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3338 goto done; 3375 goto done;
3339 } 3376 }
3340 3377
3378 cmd->cmd_complete = addr_cmd_complete;
3379
3341 /* Continue with pairing via HCI */ 3380 /* Continue with pairing via HCI */
3342 if (hci_op == HCI_OP_USER_PASSKEY_REPLY) { 3381 if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3343 struct hci_cp_user_passkey_reply cp; 3382 struct hci_cp_user_passkey_reply cp;
@@ -3562,7 +3601,7 @@ static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3562 goto unlock; 3601 goto unlock;
3563 } 3602 }
3564 3603
3565 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) 3604 if (bredr_sc_enabled(hdev))
3566 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 3605 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3567 0, NULL); 3606 0, NULL);
3568 else 3607 else
@@ -3598,7 +3637,8 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3598 } 3637 }
3599 3638
3600 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr, 3639 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3601 cp->hash, cp->rand); 3640 cp->addr.type, cp->hash,
3641 cp->rand, NULL, NULL);
3602 if (err < 0) 3642 if (err < 0)
3603 status = MGMT_STATUS_FAILED; 3643 status = MGMT_STATUS_FAILED;
3604 else 3644 else
@@ -3608,6 +3648,7 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3608 status, &cp->addr, sizeof(cp->addr)); 3648 status, &cp->addr, sizeof(cp->addr));
3609 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) { 3649 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3610 struct mgmt_cp_add_remote_oob_ext_data *cp = data; 3650 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3651 u8 *rand192, *hash192;
3611 u8 status; 3652 u8 status;
3612 3653
3613 if (cp->addr.type != BDADDR_BREDR) { 3654 if (cp->addr.type != BDADDR_BREDR) {
@@ -3618,9 +3659,17 @@ static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3618 goto unlock; 3659 goto unlock;
3619 } 3660 }
3620 3661
3621 err = hci_add_remote_oob_ext_data(hdev, &cp->addr.bdaddr, 3662 if (bdaddr_type_is_le(cp->addr.type)) {
3622 cp->hash192, cp->rand192, 3663 rand192 = NULL;
3623 cp->hash256, cp->rand256); 3664 hash192 = NULL;
3665 } else {
3666 rand192 = cp->rand192;
3667 hash192 = cp->hash192;
3668 }
3669
3670 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3671 cp->addr.type, hash192, rand192,
3672 cp->hash256, cp->rand256);
3624 if (err < 0) 3673 if (err < 0)
3625 status = MGMT_STATUS_FAILED; 3674 status = MGMT_STATUS_FAILED;
3626 else 3675 else
@@ -3661,7 +3710,7 @@ static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3661 goto done; 3710 goto done;
3662 } 3711 }
3663 3712
3664 err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr); 3713 err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3665 if (err < 0) 3714 if (err < 0)
3666 status = MGMT_STATUS_INVALID_PARAMS; 3715 status = MGMT_STATUS_INVALID_PARAMS;
3667 else 3716 else
@@ -3675,64 +3724,150 @@ done:
3675 return err; 3724 return err;
3676} 3725}
3677 3726
3678static int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status) 3727static bool trigger_discovery(struct hci_request *req, u8 *status)
3679{ 3728{
3680 struct pending_cmd *cmd; 3729 struct hci_dev *hdev = req->hdev;
3681 u8 type; 3730 struct hci_cp_le_set_scan_param param_cp;
3731 struct hci_cp_le_set_scan_enable enable_cp;
3732 struct hci_cp_inquiry inq_cp;
3733 /* General inquiry access code (GIAC) */
3734 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3735 u8 own_addr_type;
3682 int err; 3736 int err;
3683 3737
3684 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3738 switch (hdev->discovery.type) {
3739 case DISCOV_TYPE_BREDR:
3740 *status = mgmt_bredr_support(hdev);
3741 if (*status)
3742 return false;
3685 3743
3686 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev); 3744 if (test_bit(HCI_INQUIRY, &hdev->flags)) {
3687 if (!cmd) 3745 *status = MGMT_STATUS_BUSY;
3688 return -ENOENT; 3746 return false;
3747 }
3689 3748
3690 type = hdev->discovery.type; 3749 hci_inquiry_cache_flush(hdev);
3691 3750
3692 err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status), 3751 memset(&inq_cp, 0, sizeof(inq_cp));
3693 &type, sizeof(type)); 3752 memcpy(&inq_cp.lap, lap, sizeof(inq_cp.lap));
3694 mgmt_pending_remove(cmd); 3753 inq_cp.length = DISCOV_BREDR_INQUIRY_LEN;
3754 hci_req_add(req, HCI_OP_INQUIRY, sizeof(inq_cp), &inq_cp);
3755 break;
3695 3756
3696 return err; 3757 case DISCOV_TYPE_LE:
3758 case DISCOV_TYPE_INTERLEAVED:
3759 *status = mgmt_le_support(hdev);
3760 if (*status)
3761 return false;
3762
3763 if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED &&
3764 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
3765 *status = MGMT_STATUS_NOT_SUPPORTED;
3766 return false;
3767 }
3768
3769 if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
3770 /* Don't let discovery abort an outgoing
3771 * connection attempt that's using directed
3772 * advertising.
3773 */
3774 if (hci_conn_hash_lookup_state(hdev, LE_LINK,
3775 BT_CONNECT)) {
3776 *status = MGMT_STATUS_REJECTED;
3777 return false;
3778 }
3779
3780 disable_advertising(req);
3781 }
3782
3783 /* If controller is scanning, it means the background scanning
3784 * is running. Thus, we should temporarily stop it in order to
3785 * set the discovery scanning parameters.
3786 */
3787 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
3788 hci_req_add_le_scan_disable(req);
3789
3790 memset(&param_cp, 0, sizeof(param_cp));
3791
3792 /* All active scans will be done with either a resolvable
3793 * private address (when privacy feature has been enabled)
3794 * or unresolvable private address.
3795 */
3796 err = hci_update_random_address(req, true, &own_addr_type);
3797 if (err < 0) {
3798 *status = MGMT_STATUS_FAILED;
3799 return false;
3800 }
3801
3802 param_cp.type = LE_SCAN_ACTIVE;
3803 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3804 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3805 param_cp.own_address_type = own_addr_type;
3806 hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3807 &param_cp);
3808
3809 memset(&enable_cp, 0, sizeof(enable_cp));
3810 enable_cp.enable = LE_SCAN_ENABLE;
3811 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
3812 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
3813 &enable_cp);
3814 break;
3815
3816 default:
3817 *status = MGMT_STATUS_INVALID_PARAMS;
3818 return false;
3819 }
3820
3821 return true;
3697} 3822}
3698 3823
3699static void start_discovery_complete(struct hci_dev *hdev, u8 status) 3824static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3700{ 3825{
3701 unsigned long timeout = 0; 3826 struct pending_cmd *cmd;
3827 unsigned long timeout;
3702 3828
3703 BT_DBG("status %d", status); 3829 BT_DBG("status %d", status);
3704 3830
3831 hci_dev_lock(hdev);
3832
3833 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
3834 if (!cmd)
3835 cmd = mgmt_pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3836
3837 if (cmd) {
3838 cmd->cmd_complete(cmd, mgmt_status(status));
3839 mgmt_pending_remove(cmd);
3840 }
3841
3705 if (status) { 3842 if (status) {
3706 hci_dev_lock(hdev); 3843 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3707 mgmt_start_discovery_failed(hdev, status); 3844 goto unlock;
3708 hci_dev_unlock(hdev);
3709 return;
3710 } 3845 }
3711 3846
3712 hci_dev_lock(hdev);
3713 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 3847 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
3714 hci_dev_unlock(hdev);
3715 3848
3716 switch (hdev->discovery.type) { 3849 switch (hdev->discovery.type) {
3717 case DISCOV_TYPE_LE: 3850 case DISCOV_TYPE_LE:
3718 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT); 3851 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
3719 break; 3852 break;
3720
3721 case DISCOV_TYPE_INTERLEAVED: 3853 case DISCOV_TYPE_INTERLEAVED:
3722 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout); 3854 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
3723 break; 3855 break;
3724
3725 case DISCOV_TYPE_BREDR: 3856 case DISCOV_TYPE_BREDR:
3857 timeout = 0;
3726 break; 3858 break;
3727
3728 default: 3859 default:
3729 BT_ERR("Invalid discovery type %d", hdev->discovery.type); 3860 BT_ERR("Invalid discovery type %d", hdev->discovery.type);
3861 timeout = 0;
3862 break;
3730 } 3863 }
3731 3864
3732 if (!timeout) 3865 if (timeout)
3733 return; 3866 queue_delayed_work(hdev->workqueue,
3867 &hdev->le_scan_disable, timeout);
3734 3868
3735 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, timeout); 3869unlock:
3870 hci_dev_unlock(hdev);
3736} 3871}
3737 3872
3738static int start_discovery(struct sock *sk, struct hci_dev *hdev, 3873static int start_discovery(struct sock *sk, struct hci_dev *hdev,
@@ -3740,13 +3875,8 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3740{ 3875{
3741 struct mgmt_cp_start_discovery *cp = data; 3876 struct mgmt_cp_start_discovery *cp = data;
3742 struct pending_cmd *cmd; 3877 struct pending_cmd *cmd;
3743 struct hci_cp_le_set_scan_param param_cp;
3744 struct hci_cp_le_set_scan_enable enable_cp;
3745 struct hci_cp_inquiry inq_cp;
3746 struct hci_request req; 3878 struct hci_request req;
3747 /* General inquiry access code (GIAC) */ 3879 u8 status;
3748 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3749 u8 status, own_addr_type;
3750 int err; 3880 int err;
3751 3881
3752 BT_DBG("%s", hdev->name); 3882 BT_DBG("%s", hdev->name);
@@ -3760,184 +3890,182 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3760 goto failed; 3890 goto failed;
3761 } 3891 }
3762 3892
3763 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) { 3893 if (hdev->discovery.state != DISCOVERY_STOPPED ||
3894 test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3764 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY, 3895 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3765 MGMT_STATUS_BUSY, &cp->type, 3896 MGMT_STATUS_BUSY, &cp->type,
3766 sizeof(cp->type)); 3897 sizeof(cp->type));
3767 goto failed; 3898 goto failed;
3768 } 3899 }
3769 3900
3770 if (hdev->discovery.state != DISCOVERY_STOPPED) { 3901 cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, data, len);
3771 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3772 MGMT_STATUS_BUSY, &cp->type,
3773 sizeof(cp->type));
3774 goto failed;
3775 }
3776
3777 cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, NULL, 0);
3778 if (!cmd) { 3902 if (!cmd) {
3779 err = -ENOMEM; 3903 err = -ENOMEM;
3780 goto failed; 3904 goto failed;
3781 } 3905 }
3782 3906
3907 cmd->cmd_complete = generic_cmd_complete;
3908
3909 /* Clear the discovery filter first to free any previously
3910 * allocated memory for the UUID list.
3911 */
3912 hci_discovery_filter_clear(hdev);
3913
3783 hdev->discovery.type = cp->type; 3914 hdev->discovery.type = cp->type;
3915 hdev->discovery.report_invalid_rssi = false;
3784 3916
3785 hci_req_init(&req, hdev); 3917 hci_req_init(&req, hdev);
3786 3918
3787 switch (hdev->discovery.type) { 3919 if (!trigger_discovery(&req, &status)) {
3788 case DISCOV_TYPE_BREDR: 3920 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3789 status = mgmt_bredr_support(hdev); 3921 status, &cp->type, sizeof(cp->type));
3790 if (status) { 3922 mgmt_pending_remove(cmd);
3791 err = cmd_complete(sk, hdev->id, 3923 goto failed;
3792 MGMT_OP_START_DISCOVERY, status, 3924 }
3793 &cp->type, sizeof(cp->type));
3794 mgmt_pending_remove(cmd);
3795 goto failed;
3796 }
3797 3925
3798 if (test_bit(HCI_INQUIRY, &hdev->flags)) { 3926 err = hci_req_run(&req, start_discovery_complete);
3799 err = cmd_complete(sk, hdev->id, 3927 if (err < 0) {
3800 MGMT_OP_START_DISCOVERY, 3928 mgmt_pending_remove(cmd);
3801 MGMT_STATUS_BUSY, &cp->type, 3929 goto failed;
3802 sizeof(cp->type)); 3930 }
3803 mgmt_pending_remove(cmd);
3804 goto failed;
3805 }
3806 3931
3807 hci_inquiry_cache_flush(hdev); 3932 hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3808 3933
3809 memset(&inq_cp, 0, sizeof(inq_cp)); 3934failed:
3810 memcpy(&inq_cp.lap, lap, sizeof(inq_cp.lap)); 3935 hci_dev_unlock(hdev);
3811 inq_cp.length = DISCOV_BREDR_INQUIRY_LEN; 3936 return err;
3812 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(inq_cp), &inq_cp); 3937}
3813 break;
3814 3938
3815 case DISCOV_TYPE_LE: 3939static void service_discovery_cmd_complete(struct pending_cmd *cmd, u8 status)
3816 case DISCOV_TYPE_INTERLEAVED: 3940{
3817 status = mgmt_le_support(hdev); 3941 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param, 1);
3818 if (status) { 3942}
3819 err = cmd_complete(sk, hdev->id,
3820 MGMT_OP_START_DISCOVERY, status,
3821 &cp->type, sizeof(cp->type));
3822 mgmt_pending_remove(cmd);
3823 goto failed;
3824 }
3825 3943
3826 if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED && 3944static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3827 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) { 3945 void *data, u16 len)
3828 err = cmd_complete(sk, hdev->id, 3946{
3829 MGMT_OP_START_DISCOVERY, 3947 struct mgmt_cp_start_service_discovery *cp = data;
3830 MGMT_STATUS_NOT_SUPPORTED, 3948 struct pending_cmd *cmd;
3831 &cp->type, sizeof(cp->type)); 3949 struct hci_request req;
3832 mgmt_pending_remove(cmd); 3950 const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3833 goto failed; 3951 u16 uuid_count, expected_len;
3834 } 3952 u8 status;
3953 int err;
3835 3954
3836 if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) { 3955 BT_DBG("%s", hdev->name);
3837 /* Don't let discovery abort an outgoing
3838 * connection attempt that's using directed
3839 * advertising.
3840 */
3841 if (hci_conn_hash_lookup_state(hdev, LE_LINK,
3842 BT_CONNECT)) {
3843 err = cmd_complete(sk, hdev->id,
3844 MGMT_OP_START_DISCOVERY,
3845 MGMT_STATUS_REJECTED,
3846 &cp->type,
3847 sizeof(cp->type));
3848 mgmt_pending_remove(cmd);
3849 goto failed;
3850 }
3851 3956
3852 disable_advertising(&req); 3957 hci_dev_lock(hdev);
3853 }
3854 3958
3855 /* If controller is scanning, it means the background scanning 3959 if (!hdev_is_powered(hdev)) {
3856 * is running. Thus, we should temporarily stop it in order to 3960 err = cmd_complete(sk, hdev->id,
3857 * set the discovery scanning parameters. 3961 MGMT_OP_START_SERVICE_DISCOVERY,
3858 */ 3962 MGMT_STATUS_NOT_POWERED,
3859 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) 3963 &cp->type, sizeof(cp->type));
3860 hci_req_add_le_scan_disable(&req); 3964 goto failed;
3965 }
3861 3966
3862 memset(&param_cp, 0, sizeof(param_cp)); 3967 if (hdev->discovery.state != DISCOVERY_STOPPED ||
3968 test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3969 err = cmd_complete(sk, hdev->id,
3970 MGMT_OP_START_SERVICE_DISCOVERY,
3971 MGMT_STATUS_BUSY, &cp->type,
3972 sizeof(cp->type));
3973 goto failed;
3974 }
3863 3975
3864 /* All active scans will be done with either a resolvable 3976 uuid_count = __le16_to_cpu(cp->uuid_count);
3865 * private address (when privacy feature has been enabled) 3977 if (uuid_count > max_uuid_count) {
3866 * or unresolvable private address. 3978 BT_ERR("service_discovery: too big uuid_count value %u",
3867 */ 3979 uuid_count);
3868 err = hci_update_random_address(&req, true, &own_addr_type); 3980 err = cmd_complete(sk, hdev->id,
3869 if (err < 0) { 3981 MGMT_OP_START_SERVICE_DISCOVERY,
3982 MGMT_STATUS_INVALID_PARAMS, &cp->type,
3983 sizeof(cp->type));
3984 goto failed;
3985 }
3986
3987 expected_len = sizeof(*cp) + uuid_count * 16;
3988 if (expected_len != len) {
3989 BT_ERR("service_discovery: expected %u bytes, got %u bytes",
3990 expected_len, len);
3991 err = cmd_complete(sk, hdev->id,
3992 MGMT_OP_START_SERVICE_DISCOVERY,
3993 MGMT_STATUS_INVALID_PARAMS, &cp->type,
3994 sizeof(cp->type));
3995 goto failed;
3996 }
3997
3998 cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
3999 hdev, data, len);
4000 if (!cmd) {
4001 err = -ENOMEM;
4002 goto failed;
4003 }
4004
4005 cmd->cmd_complete = service_discovery_cmd_complete;
4006
4007 /* Clear the discovery filter first to free any previously
4008 * allocated memory for the UUID list.
4009 */
4010 hci_discovery_filter_clear(hdev);
4011
4012 hdev->discovery.type = cp->type;
4013 hdev->discovery.rssi = cp->rssi;
4014 hdev->discovery.uuid_count = uuid_count;
4015
4016 if (uuid_count > 0) {
4017 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4018 GFP_KERNEL);
4019 if (!hdev->discovery.uuids) {
3870 err = cmd_complete(sk, hdev->id, 4020 err = cmd_complete(sk, hdev->id,
3871 MGMT_OP_START_DISCOVERY, 4021 MGMT_OP_START_SERVICE_DISCOVERY,
3872 MGMT_STATUS_FAILED, 4022 MGMT_STATUS_FAILED,
3873 &cp->type, sizeof(cp->type)); 4023 &cp->type, sizeof(cp->type));
3874 mgmt_pending_remove(cmd); 4024 mgmt_pending_remove(cmd);
3875 goto failed; 4025 goto failed;
3876 } 4026 }
4027 }
3877 4028
3878 param_cp.type = LE_SCAN_ACTIVE; 4029 hci_req_init(&req, hdev);
3879 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3880 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3881 param_cp.own_address_type = own_addr_type;
3882 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3883 &param_cp);
3884
3885 memset(&enable_cp, 0, sizeof(enable_cp));
3886 enable_cp.enable = LE_SCAN_ENABLE;
3887 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
3888 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
3889 &enable_cp);
3890 break;
3891 4030
3892 default: 4031 if (!trigger_discovery(&req, &status)) {
3893 err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY, 4032 err = cmd_complete(sk, hdev->id,
3894 MGMT_STATUS_INVALID_PARAMS, 4033 MGMT_OP_START_SERVICE_DISCOVERY,
3895 &cp->type, sizeof(cp->type)); 4034 status, &cp->type, sizeof(cp->type));
3896 mgmt_pending_remove(cmd); 4035 mgmt_pending_remove(cmd);
3897 goto failed; 4036 goto failed;
3898 } 4037 }
3899 4038
3900 err = hci_req_run(&req, start_discovery_complete); 4039 err = hci_req_run(&req, start_discovery_complete);
3901 if (err < 0) 4040 if (err < 0) {
3902 mgmt_pending_remove(cmd); 4041 mgmt_pending_remove(cmd);
3903 else 4042 goto failed;
3904 hci_discovery_set_state(hdev, DISCOVERY_STARTING); 4043 }
4044
4045 hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3905 4046
3906failed: 4047failed:
3907 hci_dev_unlock(hdev); 4048 hci_dev_unlock(hdev);
3908 return err; 4049 return err;
3909} 4050}
3910 4051
3911static int mgmt_stop_discovery_failed(struct hci_dev *hdev, u8 status) 4052static void stop_discovery_complete(struct hci_dev *hdev, u8 status)
3912{ 4053{
3913 struct pending_cmd *cmd; 4054 struct pending_cmd *cmd;
3914 int err;
3915 4055
3916 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3917 if (!cmd)
3918 return -ENOENT;
3919
3920 err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status),
3921 &hdev->discovery.type, sizeof(hdev->discovery.type));
3922 mgmt_pending_remove(cmd);
3923
3924 return err;
3925}
3926
3927static void stop_discovery_complete(struct hci_dev *hdev, u8 status)
3928{
3929 BT_DBG("status %d", status); 4056 BT_DBG("status %d", status);
3930 4057
3931 hci_dev_lock(hdev); 4058 hci_dev_lock(hdev);
3932 4059
3933 if (status) { 4060 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3934 mgmt_stop_discovery_failed(hdev, status); 4061 if (cmd) {
3935 goto unlock; 4062 cmd->cmd_complete(cmd, mgmt_status(status));
4063 mgmt_pending_remove(cmd);
3936 } 4064 }
3937 4065
3938 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 4066 if (!status)
4067 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3939 4068
3940unlock:
3941 hci_dev_unlock(hdev); 4069 hci_dev_unlock(hdev);
3942} 4070}
3943 4071
@@ -3967,12 +4095,14 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3967 goto unlock; 4095 goto unlock;
3968 } 4096 }
3969 4097
3970 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, NULL, 0); 4098 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
3971 if (!cmd) { 4099 if (!cmd) {
3972 err = -ENOMEM; 4100 err = -ENOMEM;
3973 goto unlock; 4101 goto unlock;
3974 } 4102 }
3975 4103
4104 cmd->cmd_complete = generic_cmd_complete;
4105
3976 hci_req_init(&req, hdev); 4106 hci_req_init(&req, hdev);
3977 4107
3978 hci_stop_discovery(&req); 4108 hci_stop_discovery(&req);
@@ -4572,18 +4702,13 @@ static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4572{ 4702{
4573 struct mgmt_mode *cp = data; 4703 struct mgmt_mode *cp = data;
4574 struct pending_cmd *cmd; 4704 struct pending_cmd *cmd;
4575 u8 val, status; 4705 u8 val;
4576 int err; 4706 int err;
4577 4707
4578 BT_DBG("request for %s", hdev->name); 4708 BT_DBG("request for %s", hdev->name);
4579 4709
4580 status = mgmt_bredr_support(hdev); 4710 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
4581 if (status) 4711 !lmp_sc_capable(hdev) && !test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
4582 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4583 status);
4584
4585 if (!lmp_sc_capable(hdev) &&
4586 !test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
4587 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN, 4712 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4588 MGMT_STATUS_NOT_SUPPORTED); 4713 MGMT_STATUS_NOT_SUPPORTED);
4589 4714
@@ -4593,7 +4718,10 @@ static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4593 4718
4594 hci_dev_lock(hdev); 4719 hci_dev_lock(hdev);
4595 4720
4596 if (!hdev_is_powered(hdev)) { 4721 if (!hdev_is_powered(hdev) ||
4722 (!lmp_sc_capable(hdev) &&
4723 !test_bit(HCI_FORCE_SC, &hdev->dbg_flags)) ||
4724 !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
4597 bool changed; 4725 bool changed;
4598 4726
4599 if (cp->val) { 4727 if (cp->val) {
@@ -4910,18 +5038,26 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4910 else 5038 else
4911 addr_type = ADDR_LE_DEV_RANDOM; 5039 addr_type = ADDR_LE_DEV_RANDOM;
4912 5040
4913 if (key->master)
4914 type = SMP_LTK;
4915 else
4916 type = SMP_LTK_SLAVE;
4917
4918 switch (key->type) { 5041 switch (key->type) {
4919 case MGMT_LTK_UNAUTHENTICATED: 5042 case MGMT_LTK_UNAUTHENTICATED:
4920 authenticated = 0x00; 5043 authenticated = 0x00;
5044 type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4921 break; 5045 break;
4922 case MGMT_LTK_AUTHENTICATED: 5046 case MGMT_LTK_AUTHENTICATED:
4923 authenticated = 0x01; 5047 authenticated = 0x01;
5048 type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5049 break;
5050 case MGMT_LTK_P256_UNAUTH:
5051 authenticated = 0x00;
5052 type = SMP_LTK_P256;
4924 break; 5053 break;
5054 case MGMT_LTK_P256_AUTH:
5055 authenticated = 0x01;
5056 type = SMP_LTK_P256;
5057 break;
5058 case MGMT_LTK_P256_DEBUG:
5059 authenticated = 0x00;
5060 type = SMP_LTK_P256_DEBUG;
4925 default: 5061 default:
4926 continue; 5062 continue;
4927 } 5063 }
@@ -4939,67 +5075,42 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4939 return err; 5075 return err;
4940} 5076}
4941 5077
4942struct cmd_conn_lookup { 5078static void conn_info_cmd_complete(struct pending_cmd *cmd, u8 status)
4943 struct hci_conn *conn;
4944 bool valid_tx_power;
4945 u8 mgmt_status;
4946};
4947
4948static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
4949{ 5079{
4950 struct cmd_conn_lookup *match = data;
4951 struct mgmt_cp_get_conn_info *cp;
4952 struct mgmt_rp_get_conn_info rp;
4953 struct hci_conn *conn = cmd->user_data; 5080 struct hci_conn *conn = cmd->user_data;
5081 struct mgmt_rp_get_conn_info rp;
4954 5082
4955 if (conn != match->conn) 5083 memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
4956 return;
4957
4958 cp = (struct mgmt_cp_get_conn_info *) cmd->param;
4959
4960 memset(&rp, 0, sizeof(rp));
4961 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4962 rp.addr.type = cp->addr.type;
4963 5084
4964 if (!match->mgmt_status) { 5085 if (status == MGMT_STATUS_SUCCESS) {
4965 rp.rssi = conn->rssi; 5086 rp.rssi = conn->rssi;
4966 5087 rp.tx_power = conn->tx_power;
4967 if (match->valid_tx_power) { 5088 rp.max_tx_power = conn->max_tx_power;
4968 rp.tx_power = conn->tx_power; 5089 } else {
4969 rp.max_tx_power = conn->max_tx_power; 5090 rp.rssi = HCI_RSSI_INVALID;
4970 } else { 5091 rp.tx_power = HCI_TX_POWER_INVALID;
4971 rp.tx_power = HCI_TX_POWER_INVALID; 5092 rp.max_tx_power = HCI_TX_POWER_INVALID;
4972 rp.max_tx_power = HCI_TX_POWER_INVALID;
4973 }
4974 } 5093 }
4975 5094
4976 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, 5095 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
4977 match->mgmt_status, &rp, sizeof(rp)); 5096 &rp, sizeof(rp));
4978 5097
4979 hci_conn_drop(conn); 5098 hci_conn_drop(conn);
4980 hci_conn_put(conn); 5099 hci_conn_put(conn);
4981
4982 mgmt_pending_remove(cmd);
4983} 5100}
4984 5101
4985static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status) 5102static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status)
4986{ 5103{
4987 struct hci_cp_read_rssi *cp; 5104 struct hci_cp_read_rssi *cp;
5105 struct pending_cmd *cmd;
4988 struct hci_conn *conn; 5106 struct hci_conn *conn;
4989 struct cmd_conn_lookup match;
4990 u16 handle; 5107 u16 handle;
5108 u8 status;
4991 5109
4992 BT_DBG("status 0x%02x", status); 5110 BT_DBG("status 0x%02x", hci_status);
4993 5111
4994 hci_dev_lock(hdev); 5112 hci_dev_lock(hdev);
4995 5113
4996 /* TX power data is valid in case request completed successfully,
4997 * otherwise we assume it's not valid. At the moment we assume that
4998 * either both or none of current and max values are valid to keep code
4999 * simple.
5000 */
5001 match.valid_tx_power = !status;
5002
5003 /* Commands sent in request are either Read RSSI or Read Transmit Power 5114 /* Commands sent in request are either Read RSSI or Read Transmit Power
5004 * Level so we check which one was last sent to retrieve connection 5115 * Level so we check which one was last sent to retrieve connection
5005 * handle. Both commands have handle as first parameter so it's safe to 5116 * handle. Both commands have handle as first parameter so it's safe to
@@ -5012,29 +5123,29 @@ static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
5012 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI); 5123 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5013 if (!cp) { 5124 if (!cp) {
5014 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 5125 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5015 status = 0; 5126 status = MGMT_STATUS_SUCCESS;
5127 } else {
5128 status = mgmt_status(hci_status);
5016 } 5129 }
5017 5130
5018 if (!cp) { 5131 if (!cp) {
5019 BT_ERR("invalid sent_cmd in response"); 5132 BT_ERR("invalid sent_cmd in conn_info response");
5020 goto unlock; 5133 goto unlock;
5021 } 5134 }
5022 5135
5023 handle = __le16_to_cpu(cp->handle); 5136 handle = __le16_to_cpu(cp->handle);
5024 conn = hci_conn_hash_lookup_handle(hdev, handle); 5137 conn = hci_conn_hash_lookup_handle(hdev, handle);
5025 if (!conn) { 5138 if (!conn) {
5026 BT_ERR("unknown handle (%d) in response", handle); 5139 BT_ERR("unknown handle (%d) in conn_info response", handle);
5027 goto unlock; 5140 goto unlock;
5028 } 5141 }
5029 5142
5030 match.conn = conn; 5143 cmd = mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5031 match.mgmt_status = mgmt_status(status); 5144 if (!cmd)
5145 goto unlock;
5032 5146
5033 /* Cache refresh is complete, now reply for mgmt request for given 5147 cmd->cmd_complete(cmd, status);
5034 * connection only. 5148 mgmt_pending_remove(cmd);
5035 */
5036 mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
5037 get_conn_info_complete, &match);
5038 5149
5039unlock: 5150unlock:
5040 hci_dev_unlock(hdev); 5151 hci_dev_unlock(hdev);
@@ -5080,6 +5191,12 @@ static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5080 goto unlock; 5191 goto unlock;
5081 } 5192 }
5082 5193
5194 if (mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5195 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5196 MGMT_STATUS_BUSY, &rp, sizeof(rp));
5197 goto unlock;
5198 }
5199
5083 /* To avoid client trying to guess when to poll again for information we 5200 /* To avoid client trying to guess when to poll again for information we
5084 * calculate conn info age as random value between min/max set in hdev. 5201 * calculate conn info age as random value between min/max set in hdev.
5085 */ 5202 */
@@ -5135,6 +5252,7 @@ static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5135 5252
5136 hci_conn_hold(conn); 5253 hci_conn_hold(conn);
5137 cmd->user_data = hci_conn_get(conn); 5254 cmd->user_data = hci_conn_get(conn);
5255 cmd->cmd_complete = conn_info_cmd_complete;
5138 5256
5139 conn->conn_info_timestamp = jiffies; 5257 conn->conn_info_timestamp = jiffies;
5140 } else { 5258 } else {
@@ -5152,10 +5270,40 @@ unlock:
5152 return err; 5270 return err;
5153} 5271}
5154 5272
5155static void get_clock_info_complete(struct hci_dev *hdev, u8 status) 5273static void clock_info_cmd_complete(struct pending_cmd *cmd, u8 status)
5156{ 5274{
5157 struct mgmt_cp_get_clock_info *cp; 5275 struct hci_conn *conn = cmd->user_data;
5158 struct mgmt_rp_get_clock_info rp; 5276 struct mgmt_rp_get_clock_info rp;
5277 struct hci_dev *hdev;
5278
5279 memset(&rp, 0, sizeof(rp));
5280 memcpy(&rp.addr, &cmd->param, sizeof(rp.addr));
5281
5282 if (status)
5283 goto complete;
5284
5285 hdev = hci_dev_get(cmd->index);
5286 if (hdev) {
5287 rp.local_clock = cpu_to_le32(hdev->clock);
5288 hci_dev_put(hdev);
5289 }
5290
5291 if (conn) {
5292 rp.piconet_clock = cpu_to_le32(conn->clock);
5293 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5294 }
5295
5296complete:
5297 cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp, sizeof(rp));
5298
5299 if (conn) {
5300 hci_conn_drop(conn);
5301 hci_conn_put(conn);
5302 }
5303}
5304
5305static void get_clock_info_complete(struct hci_dev *hdev, u8 status)
5306{
5159 struct hci_cp_read_clock *hci_cp; 5307 struct hci_cp_read_clock *hci_cp;
5160 struct pending_cmd *cmd; 5308 struct pending_cmd *cmd;
5161 struct hci_conn *conn; 5309 struct hci_conn *conn;
@@ -5179,29 +5327,8 @@ static void get_clock_info_complete(struct hci_dev *hdev, u8 status)
5179 if (!cmd) 5327 if (!cmd)
5180 goto unlock; 5328 goto unlock;
5181 5329
5182 cp = cmd->param; 5330 cmd->cmd_complete(cmd, mgmt_status(status));
5183
5184 memset(&rp, 0, sizeof(rp));
5185 memcpy(&rp.addr, &cp->addr, sizeof(rp.addr));
5186
5187 if (status)
5188 goto send_rsp;
5189
5190 rp.local_clock = cpu_to_le32(hdev->clock);
5191
5192 if (conn) {
5193 rp.piconet_clock = cpu_to_le32(conn->clock);
5194 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5195 }
5196
5197send_rsp:
5198 cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
5199 &rp, sizeof(rp));
5200 mgmt_pending_remove(cmd); 5331 mgmt_pending_remove(cmd);
5201 if (conn) {
5202 hci_conn_drop(conn);
5203 hci_conn_put(conn);
5204 }
5205 5332
5206unlock: 5333unlock:
5207 hci_dev_unlock(hdev); 5334 hci_dev_unlock(hdev);
@@ -5257,6 +5384,8 @@ static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5257 goto unlock; 5384 goto unlock;
5258 } 5385 }
5259 5386
5387 cmd->cmd_complete = clock_info_cmd_complete;
5388
5260 hci_req_init(&req, hdev); 5389 hci_req_init(&req, hdev);
5261 5390
5262 memset(&hci_cp, 0, sizeof(hci_cp)); 5391 memset(&hci_cp, 0, sizeof(hci_cp));
@@ -5746,6 +5875,7 @@ static const struct mgmt_handler {
5746 { read_config_info, false, MGMT_READ_CONFIG_INFO_SIZE }, 5875 { read_config_info, false, MGMT_READ_CONFIG_INFO_SIZE },
5747 { set_external_config, false, MGMT_SET_EXTERNAL_CONFIG_SIZE }, 5876 { set_external_config, false, MGMT_SET_EXTERNAL_CONFIG_SIZE },
5748 { set_public_address, false, MGMT_SET_PUBLIC_ADDRESS_SIZE }, 5877 { set_public_address, false, MGMT_SET_PUBLIC_ADDRESS_SIZE },
5878 { start_service_discovery,true, MGMT_START_SERVICE_DISCOVERY_SIZE },
5749}; 5879};
5750 5880
5751int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen) 5881int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
@@ -5882,7 +6012,7 @@ void mgmt_index_removed(struct hci_dev *hdev)
5882 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 6012 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
5883 return; 6013 return;
5884 6014
5885 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status); 6015 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
5886 6016
5887 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) 6017 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
5888 mgmt_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, NULL); 6018 mgmt_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, NULL);
@@ -6017,7 +6147,7 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
6017 } 6147 }
6018 6148
6019 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); 6149 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
6020 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status_not_powered); 6150 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status_not_powered);
6021 6151
6022 if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) 6152 if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0)
6023 mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, 6153 mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
@@ -6101,8 +6231,19 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
6101 6231
6102static u8 mgmt_ltk_type(struct smp_ltk *ltk) 6232static u8 mgmt_ltk_type(struct smp_ltk *ltk)
6103{ 6233{
6104 if (ltk->authenticated) 6234 switch (ltk->type) {
6105 return MGMT_LTK_AUTHENTICATED; 6235 case SMP_LTK:
6236 case SMP_LTK_SLAVE:
6237 if (ltk->authenticated)
6238 return MGMT_LTK_AUTHENTICATED;
6239 return MGMT_LTK_UNAUTHENTICATED;
6240 case SMP_LTK_P256:
6241 if (ltk->authenticated)
6242 return MGMT_LTK_P256_AUTH;
6243 return MGMT_LTK_P256_UNAUTH;
6244 case SMP_LTK_P256_DEBUG:
6245 return MGMT_LTK_P256_DEBUG;
6246 }
6106 6247
6107 return MGMT_LTK_UNAUTHENTICATED; 6248 return MGMT_LTK_UNAUTHENTICATED;
6108} 6249}
@@ -6276,15 +6417,9 @@ void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
6276 6417
6277static void disconnect_rsp(struct pending_cmd *cmd, void *data) 6418static void disconnect_rsp(struct pending_cmd *cmd, void *data)
6278{ 6419{
6279 struct mgmt_cp_disconnect *cp = cmd->param;
6280 struct sock **sk = data; 6420 struct sock **sk = data;
6281 struct mgmt_rp_disconnect rp;
6282 6421
6283 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); 6422 cmd->cmd_complete(cmd, 0);
6284 rp.addr.type = cp->addr.type;
6285
6286 cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT, 0, &rp,
6287 sizeof(rp));
6288 6423
6289 *sk = cmd->sk; 6424 *sk = cmd->sk;
6290 sock_hold(*sk); 6425 sock_hold(*sk);
@@ -6296,16 +6431,10 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
6296{ 6431{
6297 struct hci_dev *hdev = data; 6432 struct hci_dev *hdev = data;
6298 struct mgmt_cp_unpair_device *cp = cmd->param; 6433 struct mgmt_cp_unpair_device *cp = cmd->param;
6299 struct mgmt_rp_unpair_device rp;
6300
6301 memset(&rp, 0, sizeof(rp));
6302 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6303 rp.addr.type = cp->addr.type;
6304 6434
6305 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk); 6435 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
6306 6436
6307 cmd_complete(cmd->sk, cmd->index, cmd->opcode, 0, &rp, sizeof(rp)); 6437 cmd->cmd_complete(cmd, 0);
6308
6309 mgmt_pending_remove(cmd); 6438 mgmt_pending_remove(cmd);
6310} 6439}
6311 6440
@@ -6366,7 +6495,6 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
6366{ 6495{
6367 u8 bdaddr_type = link_to_bdaddr(link_type, addr_type); 6496 u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
6368 struct mgmt_cp_disconnect *cp; 6497 struct mgmt_cp_disconnect *cp;
6369 struct mgmt_rp_disconnect rp;
6370 struct pending_cmd *cmd; 6498 struct pending_cmd *cmd;
6371 6499
6372 mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp, 6500 mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
@@ -6384,12 +6512,7 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
6384 if (cp->addr.type != bdaddr_type) 6512 if (cp->addr.type != bdaddr_type)
6385 return; 6513 return;
6386 6514
6387 bacpy(&rp.addr.bdaddr, bdaddr); 6515 cmd->cmd_complete(cmd, mgmt_status(status));
6388 rp.addr.type = bdaddr_type;
6389
6390 cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT,
6391 mgmt_status(status), &rp, sizeof(rp));
6392
6393 mgmt_pending_remove(cmd); 6516 mgmt_pending_remove(cmd);
6394} 6517}
6395 6518
@@ -6428,18 +6551,12 @@ void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6428 u8 status) 6551 u8 status)
6429{ 6552{
6430 struct pending_cmd *cmd; 6553 struct pending_cmd *cmd;
6431 struct mgmt_rp_pin_code_reply rp;
6432 6554
6433 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev); 6555 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
6434 if (!cmd) 6556 if (!cmd)
6435 return; 6557 return;
6436 6558
6437 bacpy(&rp.addr.bdaddr, bdaddr); 6559 cmd->cmd_complete(cmd, mgmt_status(status));
6438 rp.addr.type = BDADDR_BREDR;
6439
6440 cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
6441 mgmt_status(status), &rp, sizeof(rp));
6442
6443 mgmt_pending_remove(cmd); 6560 mgmt_pending_remove(cmd);
6444} 6561}
6445 6562
@@ -6447,18 +6564,12 @@ void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6447 u8 status) 6564 u8 status)
6448{ 6565{
6449 struct pending_cmd *cmd; 6566 struct pending_cmd *cmd;
6450 struct mgmt_rp_pin_code_reply rp;
6451 6567
6452 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev); 6568 cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
6453 if (!cmd) 6569 if (!cmd)
6454 return; 6570 return;
6455 6571
6456 bacpy(&rp.addr.bdaddr, bdaddr); 6572 cmd->cmd_complete(cmd, mgmt_status(status));
6457 rp.addr.type = BDADDR_BREDR;
6458
6459 cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_NEG_REPLY,
6460 mgmt_status(status), &rp, sizeof(rp));
6461
6462 mgmt_pending_remove(cmd); 6573 mgmt_pending_remove(cmd);
6463} 6574}
6464 6575
@@ -6498,21 +6609,15 @@ static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6498 u8 opcode) 6609 u8 opcode)
6499{ 6610{
6500 struct pending_cmd *cmd; 6611 struct pending_cmd *cmd;
6501 struct mgmt_rp_user_confirm_reply rp;
6502 int err;
6503 6612
6504 cmd = mgmt_pending_find(opcode, hdev); 6613 cmd = mgmt_pending_find(opcode, hdev);
6505 if (!cmd) 6614 if (!cmd)
6506 return -ENOENT; 6615 return -ENOENT;
6507 6616
6508 bacpy(&rp.addr.bdaddr, bdaddr); 6617 cmd->cmd_complete(cmd, mgmt_status(status));
6509 rp.addr.type = link_to_bdaddr(link_type, addr_type);
6510 err = cmd_complete(cmd->sk, hdev->id, opcode, mgmt_status(status),
6511 &rp, sizeof(rp));
6512
6513 mgmt_pending_remove(cmd); 6618 mgmt_pending_remove(cmd);
6514 6619
6515 return err; 6620 return 0;
6516} 6621}
6517 6622
6518int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr, 6623int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
@@ -6784,8 +6889,7 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
6784 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 6889 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
6785 mgmt_status(status)); 6890 mgmt_status(status));
6786 } else { 6891 } else {
6787 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) && 6892 if (bredr_sc_enabled(hdev) && hash256 && rand256) {
6788 hash256 && rand256) {
6789 struct mgmt_rp_read_local_oob_ext_data rp; 6893 struct mgmt_rp_read_local_oob_ext_data rp;
6790 6894
6791 memcpy(rp.hash192, hash192, sizeof(rp.hash192)); 6895 memcpy(rp.hash192, hash192, sizeof(rp.hash192));
@@ -6812,6 +6916,73 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
6812 mgmt_pending_remove(cmd); 6916 mgmt_pending_remove(cmd);
6813} 6917}
6814 6918
6919static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
6920{
6921 int i;
6922
6923 for (i = 0; i < uuid_count; i++) {
6924 if (!memcmp(uuid, uuids[i], 16))
6925 return true;
6926 }
6927
6928 return false;
6929}
6930
6931static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
6932{
6933 u16 parsed = 0;
6934
6935 while (parsed < eir_len) {
6936 u8 field_len = eir[0];
6937 u8 uuid[16];
6938 int i;
6939
6940 if (field_len == 0)
6941 break;
6942
6943 if (eir_len - parsed < field_len + 1)
6944 break;
6945
6946 switch (eir[1]) {
6947 case EIR_UUID16_ALL:
6948 case EIR_UUID16_SOME:
6949 for (i = 0; i + 3 <= field_len; i += 2) {
6950 memcpy(uuid, bluetooth_base_uuid, 16);
6951 uuid[13] = eir[i + 3];
6952 uuid[12] = eir[i + 2];
6953 if (has_uuid(uuid, uuid_count, uuids))
6954 return true;
6955 }
6956 break;
6957 case EIR_UUID32_ALL:
6958 case EIR_UUID32_SOME:
6959 for (i = 0; i + 5 <= field_len; i += 4) {
6960 memcpy(uuid, bluetooth_base_uuid, 16);
6961 uuid[15] = eir[i + 5];
6962 uuid[14] = eir[i + 4];
6963 uuid[13] = eir[i + 3];
6964 uuid[12] = eir[i + 2];
6965 if (has_uuid(uuid, uuid_count, uuids))
6966 return true;
6967 }
6968 break;
6969 case EIR_UUID128_ALL:
6970 case EIR_UUID128_SOME:
6971 for (i = 0; i + 17 <= field_len; i += 16) {
6972 memcpy(uuid, eir + i + 2, 16);
6973 if (has_uuid(uuid, uuid_count, uuids))
6974 return true;
6975 }
6976 break;
6977 }
6978
6979 parsed += field_len + 1;
6980 eir += field_len + 1;
6981 }
6982
6983 return false;
6984}
6985
6815void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 6986void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6816 u8 addr_type, u8 *dev_class, s8 rssi, u32 flags, 6987 u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
6817 u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len) 6988 u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
@@ -6819,6 +6990,7 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6819 char buf[512]; 6990 char buf[512];
6820 struct mgmt_ev_device_found *ev = (void *) buf; 6991 struct mgmt_ev_device_found *ev = (void *) buf;
6821 size_t ev_size; 6992 size_t ev_size;
6993 bool match;
6822 6994
6823 /* Don't send events for a non-kernel initiated discovery. With 6995 /* Don't send events for a non-kernel initiated discovery. With
6824 * LE one exception is if we have pend_le_reports > 0 in which 6996 * LE one exception is if we have pend_le_reports > 0 in which
@@ -6831,6 +7003,18 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6831 return; 7003 return;
6832 } 7004 }
6833 7005
7006 /* When using service discovery with a RSSI threshold, then check
7007 * if such a RSSI threshold is specified. If a RSSI threshold has
7008 * been specified, then all results with a RSSI smaller than the
7009 * RSSI threshold will be dropped.
7010 *
7011 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
7012 * the results are also dropped.
7013 */
7014 if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7015 (rssi < hdev->discovery.rssi || rssi == HCI_RSSI_INVALID))
7016 return;
7017
6834 /* Make sure that the buffer is big enough. The 5 extra bytes 7018 /* Make sure that the buffer is big enough. The 5 extra bytes
6835 * are for the potential CoD field. 7019 * are for the potential CoD field.
6836 */ 7020 */
@@ -6839,20 +7023,75 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6839 7023
6840 memset(buf, 0, sizeof(buf)); 7024 memset(buf, 0, sizeof(buf));
6841 7025
7026 /* In case of device discovery with BR/EDR devices (pre 1.2), the
7027 * RSSI value was reported as 0 when not available. This behavior
7028 * is kept when using device discovery. This is required for full
7029 * backwards compatibility with the API.
7030 *
7031 * However when using service discovery, the value 127 will be
7032 * returned when the RSSI is not available.
7033 */
7034 if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi)
7035 rssi = 0;
7036
6842 bacpy(&ev->addr.bdaddr, bdaddr); 7037 bacpy(&ev->addr.bdaddr, bdaddr);
6843 ev->addr.type = link_to_bdaddr(link_type, addr_type); 7038 ev->addr.type = link_to_bdaddr(link_type, addr_type);
6844 ev->rssi = rssi; 7039 ev->rssi = rssi;
6845 ev->flags = cpu_to_le32(flags); 7040 ev->flags = cpu_to_le32(flags);
6846 7041
6847 if (eir_len > 0) 7042 if (eir_len > 0) {
7043 /* When using service discovery and a list of UUID is
7044 * provided, results with no matching UUID should be
7045 * dropped. In case there is a match the result is
7046 * kept and checking possible scan response data
7047 * will be skipped.
7048 */
7049 if (hdev->discovery.uuid_count > 0) {
7050 match = eir_has_uuids(eir, eir_len,
7051 hdev->discovery.uuid_count,
7052 hdev->discovery.uuids);
7053 if (!match)
7054 return;
7055 }
7056
7057 /* Copy EIR or advertising data into event */
6848 memcpy(ev->eir, eir, eir_len); 7058 memcpy(ev->eir, eir, eir_len);
7059 } else {
7060 /* When using service discovery and a list of UUID is
7061 * provided, results with empty EIR or advertising data
7062 * should be dropped since they do not match any UUID.
7063 */
7064 if (hdev->discovery.uuid_count > 0)
7065 return;
7066 }
6849 7067
6850 if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV)) 7068 if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV))
6851 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV, 7069 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
6852 dev_class, 3); 7070 dev_class, 3);
6853 7071
6854 if (scan_rsp_len > 0) 7072 if (scan_rsp_len > 0) {
7073 /* When using service discovery and a list of UUID is
7074 * provided, results with no matching UUID should be
7075 * dropped if there is no previous match from the
7076 * advertising data.
7077 */
7078 if (hdev->discovery.uuid_count > 0) {
7079 if (!match && !eir_has_uuids(scan_rsp, scan_rsp_len,
7080 hdev->discovery.uuid_count,
7081 hdev->discovery.uuids))
7082 return;
7083 }
7084
7085 /* Append scan response data to event */
6855 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len); 7086 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
7087 } else {
7088 /* When using service discovery and a list of UUID is
7089 * provided, results with empty scan response and no
7090 * previous matched advertising data should be dropped.
7091 */
7092 if (hdev->discovery.uuid_count > 0 && !match)
7093 return;
7094 }
6856 7095
6857 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len); 7096 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
6858 ev_size = sizeof(*ev) + eir_len + scan_rsp_len; 7097 ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
@@ -6886,23 +7125,9 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6886void mgmt_discovering(struct hci_dev *hdev, u8 discovering) 7125void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
6887{ 7126{
6888 struct mgmt_ev_discovering ev; 7127 struct mgmt_ev_discovering ev;
6889 struct pending_cmd *cmd;
6890 7128
6891 BT_DBG("%s discovering %u", hdev->name, discovering); 7129 BT_DBG("%s discovering %u", hdev->name, discovering);
6892 7130
6893 if (discovering)
6894 cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
6895 else
6896 cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6897
6898 if (cmd != NULL) {
6899 u8 type = hdev->discovery.type;
6900
6901 cmd_complete(cmd->sk, hdev->id, cmd->opcode, 0, &type,
6902 sizeof(type));
6903 mgmt_pending_remove(cmd);
6904 }
6905
6906 memset(&ev, 0, sizeof(ev)); 7131 memset(&ev, 0, sizeof(ev));
6907 ev.type = hdev->discovery.type; 7132 ev.type = hdev->discovery.type;
6908 ev.discovering = discovering; 7133 ev.discovering = discovering;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 069b76e03b57..96bf16dcd9e9 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -29,14 +29,34 @@
29#include <net/bluetooth/l2cap.h> 29#include <net/bluetooth/l2cap.h>
30#include <net/bluetooth/mgmt.h> 30#include <net/bluetooth/mgmt.h>
31 31
32#include "ecc.h"
32#include "smp.h" 33#include "smp.h"
33 34
35/* Low-level debug macros to be used for stuff that we don't want
36 * accidentially in dmesg, i.e. the values of the various crypto keys
37 * and the inputs & outputs of crypto functions.
38 */
39#ifdef DEBUG
40#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
41 ##__VA_ARGS__)
42#else
43#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
44 ##__VA_ARGS__)
45#endif
46
34#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 47#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
35 48
49/* Keys which are not distributed with Secure Connections */
50#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
51
36#define SMP_TIMEOUT msecs_to_jiffies(30000) 52#define SMP_TIMEOUT msecs_to_jiffies(30000)
37 53
38#define AUTH_REQ_MASK 0x07 54#define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
39#define KEY_DIST_MASK 0x07 55 0x1f : 0x07)
56#define KEY_DIST_MASK 0x07
57
58/* Maximum message length that can be passed to aes_cmac */
59#define CMAC_MSG_MAX 80
40 60
41enum { 61enum {
42 SMP_FLAG_TK_VALID, 62 SMP_FLAG_TK_VALID,
@@ -44,6 +64,12 @@ enum {
44 SMP_FLAG_MITM_AUTH, 64 SMP_FLAG_MITM_AUTH,
45 SMP_FLAG_COMPLETE, 65 SMP_FLAG_COMPLETE,
46 SMP_FLAG_INITIATOR, 66 SMP_FLAG_INITIATOR,
67 SMP_FLAG_SC,
68 SMP_FLAG_REMOTE_PK,
69 SMP_FLAG_DEBUG_KEY,
70 SMP_FLAG_WAIT_USER,
71 SMP_FLAG_DHKEY_PENDING,
72 SMP_FLAG_OOB,
47}; 73};
48 74
49struct smp_chan { 75struct smp_chan {
@@ -57,6 +83,7 @@ struct smp_chan {
57 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 83 u8 rrnd[16]; /* SMP Pairing Random (remote) */
58 u8 pcnf[16]; /* SMP Pairing Confirm */ 84 u8 pcnf[16]; /* SMP Pairing Confirm */
59 u8 tk[16]; /* SMP Temporary Key */ 85 u8 tk[16]; /* SMP Temporary Key */
86 u8 rr[16];
60 u8 enc_key_size; 87 u8 enc_key_size;
61 u8 remote_key_dist; 88 u8 remote_key_dist;
62 bdaddr_t id_addr; 89 bdaddr_t id_addr;
@@ -67,9 +94,43 @@ struct smp_chan {
67 struct smp_ltk *ltk; 94 struct smp_ltk *ltk;
68 struct smp_ltk *slave_ltk; 95 struct smp_ltk *slave_ltk;
69 struct smp_irk *remote_irk; 96 struct smp_irk *remote_irk;
97 u8 *link_key;
70 unsigned long flags; 98 unsigned long flags;
99 u8 method;
100 u8 passkey_round;
101
102 /* Secure Connections variables */
103 u8 local_pk[64];
104 u8 local_sk[32];
105 u8 remote_pk[64];
106 u8 dhkey[32];
107 u8 mackey[16];
71 108
72 struct crypto_blkcipher *tfm_aes; 109 struct crypto_blkcipher *tfm_aes;
110 struct crypto_hash *tfm_cmac;
111};
112
113/* These debug key values are defined in the SMP section of the core
114 * specification. debug_pk is the public debug key and debug_sk the
115 * private debug key.
116 */
117static const u8 debug_pk[64] = {
118 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
119 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
120 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
121 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
122
123 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
124 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
125 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
126 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
127};
128
129static const u8 debug_sk[32] = {
130 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
131 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
132 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
133 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
73}; 134};
74 135
75static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 136static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
@@ -80,14 +141,22 @@ static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
80 dst[len - 1 - i] = src[i]; 141 dst[len - 1 - i] = src[i];
81} 142}
82 143
83static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r) 144/* The following functions map to the LE SC SMP crypto functions
145 * AES-CMAC, f4, f5, f6, g2 and h6.
146 */
147
148static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
149 size_t len, u8 mac[16])
84{ 150{
85 struct blkcipher_desc desc; 151 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
152 struct hash_desc desc;
86 struct scatterlist sg; 153 struct scatterlist sg;
87 uint8_t tmp[16], data[16];
88 int err; 154 int err;
89 155
90 if (tfm == NULL) { 156 if (len > CMAC_MSG_MAX)
157 return -EFBIG;
158
159 if (!tfm) {
91 BT_ERR("tfm %p", tfm); 160 BT_ERR("tfm %p", tfm);
92 return -EINVAL; 161 return -EINVAL;
93 } 162 }
@@ -95,105 +164,233 @@ static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
95 desc.tfm = tfm; 164 desc.tfm = tfm;
96 desc.flags = 0; 165 desc.flags = 0;
97 166
98 /* The most significant octet of key corresponds to k[0] */ 167 crypto_hash_init(&desc);
168
169 /* Swap key and message from LSB to MSB */
99 swap_buf(k, tmp, 16); 170 swap_buf(k, tmp, 16);
171 swap_buf(m, msg_msb, len);
100 172
101 err = crypto_blkcipher_setkey(tfm, tmp, 16); 173 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
174 SMP_DBG("key %16phN", k);
175
176 err = crypto_hash_setkey(tfm, tmp, 16);
102 if (err) { 177 if (err) {
103 BT_ERR("cipher setkey failed: %d", err); 178 BT_ERR("cipher setkey failed: %d", err);
104 return err; 179 return err;
105 } 180 }
106 181
107 /* Most significant octet of plaintextData corresponds to data[0] */ 182 sg_init_one(&sg, msg_msb, len);
108 swap_buf(r, data, 16);
109 183
110 sg_init_one(&sg, data, 16); 184 err = crypto_hash_update(&desc, &sg, len);
185 if (err) {
186 BT_ERR("Hash update error %d", err);
187 return err;
188 }
111 189
112 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16); 190 err = crypto_hash_final(&desc, mac_msb);
191 if (err) {
192 BT_ERR("Hash final error %d", err);
193 return err;
194 }
195
196 swap_buf(mac_msb, mac, 16);
197
198 SMP_DBG("mac %16phN", mac);
199
200 return 0;
201}
202
203static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
204 const u8 x[16], u8 z, u8 res[16])
205{
206 u8 m[65];
207 int err;
208
209 SMP_DBG("u %32phN", u);
210 SMP_DBG("v %32phN", v);
211 SMP_DBG("x %16phN z %02x", x, z);
212
213 m[0] = z;
214 memcpy(m + 1, v, 32);
215 memcpy(m + 33, u, 32);
216
217 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
113 if (err) 218 if (err)
114 BT_ERR("Encrypt data error %d", err); 219 return err;
115 220
116 /* Most significant octet of encryptedData corresponds to data[0] */ 221 SMP_DBG("res %16phN", res);
117 swap_buf(data, r, 16);
118 222
119 return err; 223 return err;
120} 224}
121 225
122static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3]) 226static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
227 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
123{ 228{
124 u8 _res[16]; 229 /* The btle, salt and length "magic" values are as defined in
230 * the SMP section of the Bluetooth core specification. In ASCII
231 * the btle value ends up being 'btle'. The salt is just a
232 * random number whereas length is the value 256 in little
233 * endian format.
234 */
235 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
236 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
237 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
238 const u8 length[2] = { 0x00, 0x01 };
239 u8 m[53], t[16];
125 int err; 240 int err;
126 241
127 /* r' = padding || r */ 242 SMP_DBG("w %32phN", w);
128 memcpy(_res, r, 3); 243 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
129 memset(_res + 3, 0, 13); 244 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
130 245
131 err = smp_e(tfm, irk, _res); 246 err = aes_cmac(tfm_cmac, salt, w, 32, t);
132 if (err) { 247 if (err)
133 BT_ERR("Encrypt error");
134 return err; 248 return err;
135 }
136 249
137 /* The output of the random address function ah is: 250 SMP_DBG("t %16phN", t);
138 * ah(h, r) = e(k, r') mod 2^24 251
139 * The output of the security function e is then truncated to 24 bits 252 memcpy(m, length, 2);
140 * by taking the least significant 24 bits of the output of e as the 253 memcpy(m + 2, a2, 7);
141 * result of ah. 254 memcpy(m + 9, a1, 7);
142 */ 255 memcpy(m + 16, n2, 16);
143 memcpy(res, _res, 3); 256 memcpy(m + 32, n1, 16);
257 memcpy(m + 48, btle, 4);
258
259 m[52] = 0; /* Counter */
260
261 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
262 if (err)
263 return err;
264
265 SMP_DBG("mackey %16phN", mackey);
266
267 m[52] = 1; /* Counter */
268
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
270 if (err)
271 return err;
272
273 SMP_DBG("ltk %16phN", ltk);
144 274
145 return 0; 275 return 0;
146} 276}
147 277
148bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr) 278static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
279 const u8 n1[16], u8 n2[16], const u8 r[16],
280 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
281 u8 res[16])
149{ 282{
150 struct l2cap_chan *chan = hdev->smp_data; 283 u8 m[65];
151 struct crypto_blkcipher *tfm;
152 u8 hash[3];
153 int err; 284 int err;
154 285
155 if (!chan || !chan->data) 286 SMP_DBG("w %16phN", w);
156 return false; 287 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
288 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
157 289
158 tfm = chan->data; 290 memcpy(m, a2, 7);
291 memcpy(m + 7, a1, 7);
292 memcpy(m + 14, io_cap, 3);
293 memcpy(m + 17, r, 16);
294 memcpy(m + 33, n2, 16);
295 memcpy(m + 49, n1, 16);
159 296
160 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 297 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
298 if (err)
299 return err;
161 300
162 err = smp_ah(tfm, irk, &bdaddr->b[3], hash); 301 BT_DBG("res %16phN", res);
302
303 return err;
304}
305
306static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
307 const u8 x[16], const u8 y[16], u32 *val)
308{
309 u8 m[80], tmp[16];
310 int err;
311
312 SMP_DBG("u %32phN", u);
313 SMP_DBG("v %32phN", v);
314 SMP_DBG("x %16phN y %16phN", x, y);
315
316 memcpy(m, y, 16);
317 memcpy(m + 16, v, 32);
318 memcpy(m + 48, u, 32);
319
320 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
163 if (err) 321 if (err)
164 return false; 322 return err;
165 323
166 return !memcmp(bdaddr->b, hash, 3); 324 *val = get_unaligned_le32(tmp);
325 *val %= 1000000;
326
327 SMP_DBG("val %06u", *val);
328
329 return 0;
167} 330}
168 331
169int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa) 332static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
333 const u8 key_id[4], u8 res[16])
170{ 334{
171 struct l2cap_chan *chan = hdev->smp_data;
172 struct crypto_blkcipher *tfm;
173 int err; 335 int err;
174 336
175 if (!chan || !chan->data) 337 SMP_DBG("w %16phN key_id %4phN", w, key_id);
176 return -EOPNOTSUPP;
177 338
178 tfm = chan->data; 339 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
340 if (err)
341 return err;
179 342
180 get_random_bytes(&rpa->b[3], 3); 343 SMP_DBG("res %16phN", res);
181 344
182 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 345 return err;
183 rpa->b[5] |= 0x40; /* Set second most significant bit */ 346}
184 347
185 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b); 348/* The following functions map to the legacy SMP crypto functions e, c1,
186 if (err < 0) 349 * s1 and ah.
350 */
351
352static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
353{
354 struct blkcipher_desc desc;
355 struct scatterlist sg;
356 uint8_t tmp[16], data[16];
357 int err;
358
359 if (!tfm) {
360 BT_ERR("tfm %p", tfm);
361 return -EINVAL;
362 }
363
364 desc.tfm = tfm;
365 desc.flags = 0;
366
367 /* The most significant octet of key corresponds to k[0] */
368 swap_buf(k, tmp, 16);
369
370 err = crypto_blkcipher_setkey(tfm, tmp, 16);
371 if (err) {
372 BT_ERR("cipher setkey failed: %d", err);
187 return err; 373 return err;
374 }
188 375
189 BT_DBG("RPA %pMR", rpa); 376 /* Most significant octet of plaintextData corresponds to data[0] */
377 swap_buf(r, data, 16);
190 378
191 return 0; 379 sg_init_one(&sg, data, 16);
380
381 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
382 if (err)
383 BT_ERR("Encrypt data error %d", err);
384
385 /* Most significant octet of encryptedData corresponds to data[0] */
386 swap_buf(data, r, 16);
387
388 return err;
192} 389}
193 390
194static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16], 391static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
195 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat, 392 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
196 bdaddr_t *ra, u8 res[16]) 393 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
197{ 394{
198 u8 p1[16], p2[16]; 395 u8 p1[16], p2[16];
199 int err; 396 int err;
@@ -232,8 +429,8 @@ static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
232 return err; 429 return err;
233} 430}
234 431
235static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16], 432static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
236 u8 r2[16], u8 _r[16]) 433 const u8 r1[16], const u8 r2[16], u8 _r[16])
237{ 434{
238 int err; 435 int err;
239 436
@@ -248,6 +445,80 @@ static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
248 return err; 445 return err;
249} 446}
250 447
448static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
449 const u8 r[3], u8 res[3])
450{
451 u8 _res[16];
452 int err;
453
454 /* r' = padding || r */
455 memcpy(_res, r, 3);
456 memset(_res + 3, 0, 13);
457
458 err = smp_e(tfm, irk, _res);
459 if (err) {
460 BT_ERR("Encrypt error");
461 return err;
462 }
463
464 /* The output of the random address function ah is:
465 * ah(h, r) = e(k, r') mod 2^24
466 * The output of the security function e is then truncated to 24 bits
467 * by taking the least significant 24 bits of the output of e as the
468 * result of ah.
469 */
470 memcpy(res, _res, 3);
471
472 return 0;
473}
474
475bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
476 const bdaddr_t *bdaddr)
477{
478 struct l2cap_chan *chan = hdev->smp_data;
479 struct crypto_blkcipher *tfm;
480 u8 hash[3];
481 int err;
482
483 if (!chan || !chan->data)
484 return false;
485
486 tfm = chan->data;
487
488 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
489
490 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
491 if (err)
492 return false;
493
494 return !memcmp(bdaddr->b, hash, 3);
495}
496
497int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
498{
499 struct l2cap_chan *chan = hdev->smp_data;
500 struct crypto_blkcipher *tfm;
501 int err;
502
503 if (!chan || !chan->data)
504 return -EOPNOTSUPP;
505
506 tfm = chan->data;
507
508 get_random_bytes(&rpa->b[3], 3);
509
510 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
511 rpa->b[5] |= 0x40; /* Set second most significant bit */
512
513 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
514 if (err < 0)
515 return err;
516
517 BT_DBG("RPA %pMR", rpa);
518
519 return 0;
520}
521
251static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 522static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
252{ 523{
253 struct l2cap_chan *chan = conn->smp; 524 struct l2cap_chan *chan = conn->smp;
@@ -282,17 +553,22 @@ static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
282 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 553 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
283} 554}
284 555
285static __u8 authreq_to_seclevel(__u8 authreq) 556static u8 authreq_to_seclevel(u8 authreq)
286{ 557{
287 if (authreq & SMP_AUTH_MITM) 558 if (authreq & SMP_AUTH_MITM) {
288 return BT_SECURITY_HIGH; 559 if (authreq & SMP_AUTH_SC)
289 else 560 return BT_SECURITY_FIPS;
561 else
562 return BT_SECURITY_HIGH;
563 } else {
290 return BT_SECURITY_MEDIUM; 564 return BT_SECURITY_MEDIUM;
565 }
291} 566}
292 567
293static __u8 seclevel_to_authreq(__u8 sec_level) 568static __u8 seclevel_to_authreq(__u8 sec_level)
294{ 569{
295 switch (sec_level) { 570 switch (sec_level) {
571 case BT_SECURITY_FIPS:
296 case BT_SECURITY_HIGH: 572 case BT_SECURITY_HIGH:
297 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 573 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
298 case BT_SECURITY_MEDIUM: 574 case BT_SECURITY_MEDIUM:
@@ -310,7 +586,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
310 struct smp_chan *smp = chan->data; 586 struct smp_chan *smp = chan->data;
311 struct hci_conn *hcon = conn->hcon; 587 struct hci_conn *hcon = conn->hcon;
312 struct hci_dev *hdev = hcon->hdev; 588 struct hci_dev *hdev = hcon->hdev;
313 u8 local_dist = 0, remote_dist = 0; 589 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
314 590
315 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) { 591 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
316 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 592 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
@@ -326,24 +602,52 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
326 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) 602 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
327 local_dist |= SMP_DIST_ID_KEY; 603 local_dist |= SMP_DIST_ID_KEY;
328 604
605 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
606 (authreq & SMP_AUTH_SC)) {
607 struct oob_data *oob_data;
608 u8 bdaddr_type;
609
610 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
611 local_dist |= SMP_DIST_LINK_KEY;
612 remote_dist |= SMP_DIST_LINK_KEY;
613 }
614
615 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
616 bdaddr_type = BDADDR_LE_PUBLIC;
617 else
618 bdaddr_type = BDADDR_LE_RANDOM;
619
620 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
621 bdaddr_type);
622 if (oob_data) {
623 set_bit(SMP_FLAG_OOB, &smp->flags);
624 oob_flag = SMP_OOB_PRESENT;
625 memcpy(smp->rr, oob_data->rand256, 16);
626 memcpy(smp->pcnf, oob_data->hash256, 16);
627 }
628
629 } else {
630 authreq &= ~SMP_AUTH_SC;
631 }
632
329 if (rsp == NULL) { 633 if (rsp == NULL) {
330 req->io_capability = conn->hcon->io_capability; 634 req->io_capability = conn->hcon->io_capability;
331 req->oob_flag = SMP_OOB_NOT_PRESENT; 635 req->oob_flag = oob_flag;
332 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 636 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
333 req->init_key_dist = local_dist; 637 req->init_key_dist = local_dist;
334 req->resp_key_dist = remote_dist; 638 req->resp_key_dist = remote_dist;
335 req->auth_req = (authreq & AUTH_REQ_MASK); 639 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
336 640
337 smp->remote_key_dist = remote_dist; 641 smp->remote_key_dist = remote_dist;
338 return; 642 return;
339 } 643 }
340 644
341 rsp->io_capability = conn->hcon->io_capability; 645 rsp->io_capability = conn->hcon->io_capability;
342 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 646 rsp->oob_flag = oob_flag;
343 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 647 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
344 rsp->init_key_dist = req->init_key_dist & remote_dist; 648 rsp->init_key_dist = req->init_key_dist & remote_dist;
345 rsp->resp_key_dist = req->resp_key_dist & local_dist; 649 rsp->resp_key_dist = req->resp_key_dist & local_dist;
346 rsp->auth_req = (authreq & AUTH_REQ_MASK); 650 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
347 651
348 smp->remote_key_dist = rsp->init_key_dist; 652 smp->remote_key_dist = rsp->init_key_dist;
349} 653}
@@ -366,6 +670,7 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
366{ 670{
367 struct l2cap_chan *chan = conn->smp; 671 struct l2cap_chan *chan = conn->smp;
368 struct smp_chan *smp = chan->data; 672 struct smp_chan *smp = chan->data;
673 struct hci_conn *hcon = conn->hcon;
369 bool complete; 674 bool complete;
370 675
371 BUG_ON(!smp); 676 BUG_ON(!smp);
@@ -373,12 +678,24 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
373 cancel_delayed_work_sync(&smp->security_timer); 678 cancel_delayed_work_sync(&smp->security_timer);
374 679
375 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 680 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
376 mgmt_smp_complete(conn->hcon, complete); 681 mgmt_smp_complete(hcon, complete);
377 682
378 kfree(smp->csrk); 683 kfree(smp->csrk);
379 kfree(smp->slave_csrk); 684 kfree(smp->slave_csrk);
685 kfree(smp->link_key);
380 686
381 crypto_free_blkcipher(smp->tfm_aes); 687 crypto_free_blkcipher(smp->tfm_aes);
688 crypto_free_hash(smp->tfm_cmac);
689
690 /* Ensure that we don't leave any debug key around if debug key
691 * support hasn't been explicitly enabled.
692 */
693 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
694 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
695 list_del_rcu(&smp->ltk->list);
696 kfree_rcu(smp->ltk, rcu);
697 smp->ltk = NULL;
698 }
382 699
383 /* If pairing failed clean up any keys we might have */ 700 /* If pairing failed clean up any keys we might have */
384 if (!complete) { 701 if (!complete) {
@@ -400,7 +717,7 @@ static void smp_chan_destroy(struct l2cap_conn *conn)
400 717
401 chan->data = NULL; 718 chan->data = NULL;
402 kfree(smp); 719 kfree(smp);
403 hci_conn_drop(conn->hcon); 720 hci_conn_drop(hcon);
404} 721}
405 722
406static void smp_failure(struct l2cap_conn *conn, u8 reason) 723static void smp_failure(struct l2cap_conn *conn, u8 reason)
@@ -424,6 +741,7 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason)
424#define REQ_PASSKEY 0x02 741#define REQ_PASSKEY 0x02
425#define CFM_PASSKEY 0x03 742#define CFM_PASSKEY 0x03
426#define REQ_OOB 0x04 743#define REQ_OOB 0x04
744#define DSP_PASSKEY 0x05
427#define OVERLAP 0xFF 745#define OVERLAP 0xFF
428 746
429static const u8 gen_method[5][5] = { 747static const u8 gen_method[5][5] = {
@@ -434,6 +752,14 @@ static const u8 gen_method[5][5] = {
434 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 752 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
435}; 753};
436 754
755static const u8 sc_method[5][5] = {
756 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
757 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
758 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
759 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
760 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
761};
762
437static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 763static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
438{ 764{
439 /* If either side has unknown io_caps, use JUST_CFM (which gets 765 /* If either side has unknown io_caps, use JUST_CFM (which gets
@@ -443,6 +769,9 @@ static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
443 remote_io > SMP_IO_KEYBOARD_DISPLAY) 769 remote_io > SMP_IO_KEYBOARD_DISPLAY)
444 return JUST_CFM; 770 return JUST_CFM;
445 771
772 if (test_bit(SMP_FLAG_SC, &smp->flags))
773 return sc_method[remote_io][local_io];
774
446 return gen_method[remote_io][local_io]; 775 return gen_method[remote_io][local_io];
447} 776}
448 777
@@ -452,7 +781,6 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
452 struct hci_conn *hcon = conn->hcon; 781 struct hci_conn *hcon = conn->hcon;
453 struct l2cap_chan *chan = conn->smp; 782 struct l2cap_chan *chan = conn->smp;
454 struct smp_chan *smp = chan->data; 783 struct smp_chan *smp = chan->data;
455 u8 method;
456 u32 passkey = 0; 784 u32 passkey = 0;
457 int ret = 0; 785 int ret = 0;
458 786
@@ -469,26 +797,28 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
469 * table. 797 * table.
470 */ 798 */
471 if (!(auth & SMP_AUTH_MITM)) 799 if (!(auth & SMP_AUTH_MITM))
472 method = JUST_CFM; 800 smp->method = JUST_CFM;
473 else 801 else
474 method = get_auth_method(smp, local_io, remote_io); 802 smp->method = get_auth_method(smp, local_io, remote_io);
475 803
476 /* Don't confirm locally initiated pairing attempts */ 804 /* Don't confirm locally initiated pairing attempts */
477 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 805 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
478 method = JUST_WORKS; 806 &smp->flags))
807 smp->method = JUST_WORKS;
479 808
480 /* Don't bother user space with no IO capabilities */ 809 /* Don't bother user space with no IO capabilities */
481 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 810 if (smp->method == JUST_CFM &&
482 method = JUST_WORKS; 811 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
812 smp->method = JUST_WORKS;
483 813
484 /* If Just Works, Continue with Zero TK */ 814 /* If Just Works, Continue with Zero TK */
485 if (method == JUST_WORKS) { 815 if (smp->method == JUST_WORKS) {
486 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 816 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
487 return 0; 817 return 0;
488 } 818 }
489 819
490 /* Not Just Works/Confirm results in MITM Authentication */ 820 /* Not Just Works/Confirm results in MITM Authentication */
491 if (method != JUST_CFM) { 821 if (smp->method != JUST_CFM) {
492 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 822 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
493 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 823 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
494 hcon->pending_sec_level = BT_SECURITY_HIGH; 824 hcon->pending_sec_level = BT_SECURITY_HIGH;
@@ -497,15 +827,15 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
497 /* If both devices have Keyoard-Display I/O, the master 827 /* If both devices have Keyoard-Display I/O, the master
498 * Confirms and the slave Enters the passkey. 828 * Confirms and the slave Enters the passkey.
499 */ 829 */
500 if (method == OVERLAP) { 830 if (smp->method == OVERLAP) {
501 if (hcon->role == HCI_ROLE_MASTER) 831 if (hcon->role == HCI_ROLE_MASTER)
502 method = CFM_PASSKEY; 832 smp->method = CFM_PASSKEY;
503 else 833 else
504 method = REQ_PASSKEY; 834 smp->method = REQ_PASSKEY;
505 } 835 }
506 836
507 /* Generate random passkey. */ 837 /* Generate random passkey. */
508 if (method == CFM_PASSKEY) { 838 if (smp->method == CFM_PASSKEY) {
509 memset(smp->tk, 0, sizeof(smp->tk)); 839 memset(smp->tk, 0, sizeof(smp->tk));
510 get_random_bytes(&passkey, sizeof(passkey)); 840 get_random_bytes(&passkey, sizeof(passkey));
511 passkey %= 1000000; 841 passkey %= 1000000;
@@ -514,10 +844,10 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
514 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 844 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
515 } 845 }
516 846
517 if (method == REQ_PASSKEY) 847 if (smp->method == REQ_PASSKEY)
518 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 848 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
519 hcon->type, hcon->dst_type); 849 hcon->type, hcon->dst_type);
520 else if (method == JUST_CFM) 850 else if (smp->method == JUST_CFM)
521 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 851 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
522 hcon->type, hcon->dst_type, 852 hcon->type, hcon->dst_type,
523 passkey, 1); 853 passkey, 1);
@@ -638,11 +968,13 @@ static void smp_notify_keys(struct l2cap_conn *conn)
638 mgmt_new_irk(hdev, smp->remote_irk); 968 mgmt_new_irk(hdev, smp->remote_irk);
639 /* Now that user space can be considered to know the 969 /* Now that user space can be considered to know the
640 * identity address track the connection based on it 970 * identity address track the connection based on it
641 * from now on. 971 * from now on (assuming this is an LE link).
642 */ 972 */
643 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 973 if (hcon->type == LE_LINK) {
644 hcon->dst_type = smp->remote_irk->addr_type; 974 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
645 queue_work(hdev->workqueue, &conn->id_addr_update_work); 975 hcon->dst_type = smp->remote_irk->addr_type;
976 queue_work(hdev->workqueue, &conn->id_addr_update_work);
977 }
646 978
647 /* When receiving an indentity resolving key for 979 /* When receiving an indentity resolving key for
648 * a remote device that does not use a resolvable 980 * a remote device that does not use a resolvable
@@ -661,10 +993,20 @@ static void smp_notify_keys(struct l2cap_conn *conn)
661 } 993 }
662 } 994 }
663 995
664 /* The LTKs and CSRKs should be persistent only if both sides 996 if (hcon->type == ACL_LINK) {
665 * had the bonding bit set in their authentication requests. 997 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
666 */ 998 persistent = false;
667 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING); 999 else
1000 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1001 &hcon->flags);
1002 } else {
1003 /* The LTKs and CSRKs should be persistent only if both sides
1004 * had the bonding bit set in their authentication requests.
1005 */
1006 persistent = !!((req->auth_req & rsp->auth_req) &
1007 SMP_AUTH_BONDING);
1008 }
1009
668 1010
669 if (smp->csrk) { 1011 if (smp->csrk) {
670 smp->csrk->bdaddr_type = hcon->dst_type; 1012 smp->csrk->bdaddr_type = hcon->dst_type;
@@ -689,6 +1031,81 @@ static void smp_notify_keys(struct l2cap_conn *conn)
689 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1031 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
690 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1032 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
691 } 1033 }
1034
1035 if (smp->link_key) {
1036 struct link_key *key;
1037 u8 type;
1038
1039 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1040 type = HCI_LK_DEBUG_COMBINATION;
1041 else if (hcon->sec_level == BT_SECURITY_FIPS)
1042 type = HCI_LK_AUTH_COMBINATION_P256;
1043 else
1044 type = HCI_LK_UNAUTH_COMBINATION_P256;
1045
1046 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1047 smp->link_key, type, 0, &persistent);
1048 if (key) {
1049 mgmt_new_link_key(hdev, key, persistent);
1050
1051 /* Don't keep debug keys around if the relevant
1052 * flag is not set.
1053 */
1054 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1055 key->type == HCI_LK_DEBUG_COMBINATION) {
1056 list_del_rcu(&key->list);
1057 kfree_rcu(key, rcu);
1058 }
1059 }
1060 }
1061}
1062
1063static void sc_add_ltk(struct smp_chan *smp)
1064{
1065 struct hci_conn *hcon = smp->conn->hcon;
1066 u8 key_type, auth;
1067
1068 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1069 key_type = SMP_LTK_P256_DEBUG;
1070 else
1071 key_type = SMP_LTK_P256;
1072
1073 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1074 auth = 1;
1075 else
1076 auth = 0;
1077
1078 memset(smp->tk + smp->enc_key_size, 0,
1079 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1080
1081 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1082 key_type, auth, smp->tk, smp->enc_key_size,
1083 0, 0);
1084}
1085
1086static void sc_generate_link_key(struct smp_chan *smp)
1087{
1088 /* These constants are as specified in the core specification.
1089 * In ASCII they spell out to 'tmp1' and 'lebr'.
1090 */
1091 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1092 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1093
1094 smp->link_key = kzalloc(16, GFP_KERNEL);
1095 if (!smp->link_key)
1096 return;
1097
1098 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1099 kfree(smp->link_key);
1100 smp->link_key = NULL;
1101 return;
1102 }
1103
1104 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1105 kfree(smp->link_key);
1106 smp->link_key = NULL;
1107 return;
1108 }
692} 1109}
693 1110
694static void smp_allow_key_dist(struct smp_chan *smp) 1111static void smp_allow_key_dist(struct smp_chan *smp)
@@ -705,6 +1122,35 @@ static void smp_allow_key_dist(struct smp_chan *smp)
705 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1122 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
706} 1123}
707 1124
1125static void sc_generate_ltk(struct smp_chan *smp)
1126{
1127 /* These constants are as specified in the core specification.
1128 * In ASCII they spell out to 'tmp2' and 'brle'.
1129 */
1130 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1131 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1132 struct hci_conn *hcon = smp->conn->hcon;
1133 struct hci_dev *hdev = hcon->hdev;
1134 struct link_key *key;
1135
1136 key = hci_find_link_key(hdev, &hcon->dst);
1137 if (!key) {
1138 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1139 return;
1140 }
1141
1142 if (key->type == HCI_LK_DEBUG_COMBINATION)
1143 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1144
1145 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1146 return;
1147
1148 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1149 return;
1150
1151 sc_add_ltk(smp);
1152}
1153
708static void smp_distribute_keys(struct smp_chan *smp) 1154static void smp_distribute_keys(struct smp_chan *smp)
709{ 1155{
710 struct smp_cmd_pairing *req, *rsp; 1156 struct smp_cmd_pairing *req, *rsp;
@@ -733,6 +1179,16 @@ static void smp_distribute_keys(struct smp_chan *smp)
733 *keydist &= req->resp_key_dist; 1179 *keydist &= req->resp_key_dist;
734 } 1180 }
735 1181
1182 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1183 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1184 sc_generate_link_key(smp);
1185 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1186 sc_generate_ltk(smp);
1187
1188 /* Clear the keys which are generated but not distributed */
1189 *keydist &= ~SMP_SC_NO_DIST;
1190 }
1191
736 BT_DBG("keydist 0x%x", *keydist); 1192 BT_DBG("keydist 0x%x", *keydist);
737 1193
738 if (*keydist & SMP_DIST_ENC_KEY) { 1194 if (*keydist & SMP_DIST_ENC_KEY) {
@@ -844,6 +1300,14 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
844 return NULL; 1300 return NULL;
845 } 1301 }
846 1302
1303 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1304 if (IS_ERR(smp->tfm_cmac)) {
1305 BT_ERR("Unable to create CMAC crypto context");
1306 crypto_free_blkcipher(smp->tfm_aes);
1307 kfree(smp);
1308 return NULL;
1309 }
1310
847 smp->conn = conn; 1311 smp->conn = conn;
848 chan->data = smp; 1312 chan->data = smp;
849 1313
@@ -856,6 +1320,213 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
856 return smp; 1320 return smp;
857} 1321}
858 1322
1323static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1324{
1325 struct hci_conn *hcon = smp->conn->hcon;
1326 u8 *na, *nb, a[7], b[7];
1327
1328 if (hcon->out) {
1329 na = smp->prnd;
1330 nb = smp->rrnd;
1331 } else {
1332 na = smp->rrnd;
1333 nb = smp->prnd;
1334 }
1335
1336 memcpy(a, &hcon->init_addr, 6);
1337 memcpy(b, &hcon->resp_addr, 6);
1338 a[6] = hcon->init_addr_type;
1339 b[6] = hcon->resp_addr_type;
1340
1341 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1342}
1343
1344static void sc_dhkey_check(struct smp_chan *smp)
1345{
1346 struct hci_conn *hcon = smp->conn->hcon;
1347 struct smp_cmd_dhkey_check check;
1348 u8 a[7], b[7], *local_addr, *remote_addr;
1349 u8 io_cap[3], r[16];
1350
1351 memcpy(a, &hcon->init_addr, 6);
1352 memcpy(b, &hcon->resp_addr, 6);
1353 a[6] = hcon->init_addr_type;
1354 b[6] = hcon->resp_addr_type;
1355
1356 if (hcon->out) {
1357 local_addr = a;
1358 remote_addr = b;
1359 memcpy(io_cap, &smp->preq[1], 3);
1360 } else {
1361 local_addr = b;
1362 remote_addr = a;
1363 memcpy(io_cap, &smp->prsp[1], 3);
1364 }
1365
1366 memset(r, 0, sizeof(r));
1367
1368 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1369 put_unaligned_le32(hcon->passkey_notify, r);
1370
1371 if (smp->method == REQ_OOB)
1372 memcpy(r, smp->rr, 16);
1373
1374 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1375 local_addr, remote_addr, check.e);
1376
1377 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1378}
1379
1380static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1381{
1382 struct l2cap_conn *conn = smp->conn;
1383 struct hci_conn *hcon = conn->hcon;
1384 struct smp_cmd_pairing_confirm cfm;
1385 u8 r;
1386
1387 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1388 r |= 0x80;
1389
1390 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1391
1392 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1393 cfm.confirm_val))
1394 return SMP_UNSPECIFIED;
1395
1396 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1397
1398 return 0;
1399}
1400
1401static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1402{
1403 struct l2cap_conn *conn = smp->conn;
1404 struct hci_conn *hcon = conn->hcon;
1405 struct hci_dev *hdev = hcon->hdev;
1406 u8 cfm[16], r;
1407
1408 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1409 if (smp->passkey_round >= 20)
1410 return 0;
1411
1412 switch (smp_op) {
1413 case SMP_CMD_PAIRING_RANDOM:
1414 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1415 r |= 0x80;
1416
1417 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1418 smp->rrnd, r, cfm))
1419 return SMP_UNSPECIFIED;
1420
1421 if (memcmp(smp->pcnf, cfm, 16))
1422 return SMP_CONFIRM_FAILED;
1423
1424 smp->passkey_round++;
1425
1426 if (smp->passkey_round == 20) {
1427 /* Generate MacKey and LTK */
1428 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1429 return SMP_UNSPECIFIED;
1430 }
1431
1432 /* The round is only complete when the initiator
1433 * receives pairing random.
1434 */
1435 if (!hcon->out) {
1436 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1437 sizeof(smp->prnd), smp->prnd);
1438 if (smp->passkey_round == 20)
1439 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1440 else
1441 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1442 return 0;
1443 }
1444
1445 /* Start the next round */
1446 if (smp->passkey_round != 20)
1447 return sc_passkey_round(smp, 0);
1448
1449 /* Passkey rounds are complete - start DHKey Check */
1450 sc_dhkey_check(smp);
1451 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1452
1453 break;
1454
1455 case SMP_CMD_PAIRING_CONFIRM:
1456 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1457 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1458 return 0;
1459 }
1460
1461 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1462
1463 if (hcon->out) {
1464 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1465 sizeof(smp->prnd), smp->prnd);
1466 return 0;
1467 }
1468
1469 return sc_passkey_send_confirm(smp);
1470
1471 case SMP_CMD_PUBLIC_KEY:
1472 default:
1473 /* Initiating device starts the round */
1474 if (!hcon->out)
1475 return 0;
1476
1477 BT_DBG("%s Starting passkey round %u", hdev->name,
1478 smp->passkey_round + 1);
1479
1480 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1481
1482 return sc_passkey_send_confirm(smp);
1483 }
1484
1485 return 0;
1486}
1487
1488static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1489{
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1492 u8 smp_op;
1493
1494 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1495
1496 switch (mgmt_op) {
1497 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1498 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1499 return 0;
1500 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1501 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1502 return 0;
1503 case MGMT_OP_USER_PASSKEY_REPLY:
1504 hcon->passkey_notify = le32_to_cpu(passkey);
1505 smp->passkey_round = 0;
1506
1507 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1508 smp_op = SMP_CMD_PAIRING_CONFIRM;
1509 else
1510 smp_op = 0;
1511
1512 if (sc_passkey_round(smp, smp_op))
1513 return -EIO;
1514
1515 return 0;
1516 }
1517
1518 /* Initiator sends DHKey check first */
1519 if (hcon->out) {
1520 sc_dhkey_check(smp);
1521 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1522 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1523 sc_dhkey_check(smp);
1524 sc_add_ltk(smp);
1525 }
1526
1527 return 0;
1528}
1529
859int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1530int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
860{ 1531{
861 struct l2cap_conn *conn = hcon->l2cap_data; 1532 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -881,6 +1552,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
881 1552
882 smp = chan->data; 1553 smp = chan->data;
883 1554
1555 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1556 err = sc_user_reply(smp, mgmt_op, passkey);
1557 goto unlock;
1558 }
1559
884 switch (mgmt_op) { 1560 switch (mgmt_op) {
885 case MGMT_OP_USER_PASSKEY_REPLY: 1561 case MGMT_OP_USER_PASSKEY_REPLY:
886 value = le32_to_cpu(passkey); 1562 value = le32_to_cpu(passkey);
@@ -916,6 +1592,46 @@ unlock:
916 return err; 1592 return err;
917} 1593}
918 1594
1595static void build_bredr_pairing_cmd(struct smp_chan *smp,
1596 struct smp_cmd_pairing *req,
1597 struct smp_cmd_pairing *rsp)
1598{
1599 struct l2cap_conn *conn = smp->conn;
1600 struct hci_dev *hdev = conn->hcon->hdev;
1601 u8 local_dist = 0, remote_dist = 0;
1602
1603 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1604 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1605 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 }
1607
1608 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1609 remote_dist |= SMP_DIST_ID_KEY;
1610
1611 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1612 local_dist |= SMP_DIST_ID_KEY;
1613
1614 if (!rsp) {
1615 memset(req, 0, sizeof(*req));
1616
1617 req->init_key_dist = local_dist;
1618 req->resp_key_dist = remote_dist;
1619 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1620
1621 smp->remote_key_dist = remote_dist;
1622
1623 return;
1624 }
1625
1626 memset(rsp, 0, sizeof(*rsp));
1627
1628 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1629 rsp->init_key_dist = req->init_key_dist & remote_dist;
1630 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1631
1632 smp->remote_key_dist = rsp->init_key_dist;
1633}
1634
919static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1635static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
920{ 1636{
921 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1637 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
@@ -942,16 +1658,49 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
942 return SMP_UNSPECIFIED; 1658 return SMP_UNSPECIFIED;
943 1659
944 /* We didn't start the pairing, so match remote */ 1660 /* We didn't start the pairing, so match remote */
945 auth = req->auth_req & AUTH_REQ_MASK; 1661 auth = req->auth_req & AUTH_REQ_MASK(hdev);
946 1662
947 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) && 1663 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
948 (auth & SMP_AUTH_BONDING)) 1664 (auth & SMP_AUTH_BONDING))
949 return SMP_PAIRING_NOTSUPP; 1665 return SMP_PAIRING_NOTSUPP;
950 1666
1667 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1668 return SMP_AUTH_REQUIREMENTS;
1669
951 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1670 smp->preq[0] = SMP_CMD_PAIRING_REQ;
952 memcpy(&smp->preq[1], req, sizeof(*req)); 1671 memcpy(&smp->preq[1], req, sizeof(*req));
953 skb_pull(skb, sizeof(*req)); 1672 skb_pull(skb, sizeof(*req));
954 1673
1674 /* SMP over BR/EDR requires special treatment */
1675 if (conn->hcon->type == ACL_LINK) {
1676 /* We must have a BR/EDR SC link */
1677 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags))
1678 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1679
1680 set_bit(SMP_FLAG_SC, &smp->flags);
1681
1682 build_bredr_pairing_cmd(smp, req, &rsp);
1683
1684 key_size = min(req->max_key_size, rsp.max_key_size);
1685 if (check_enc_key_size(conn, key_size))
1686 return SMP_ENC_KEY_SIZE;
1687
1688 /* Clear bits which are generated but not distributed */
1689 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1690
1691 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1692 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1693 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1694
1695 smp_distribute_keys(smp);
1696 return 0;
1697 }
1698
1699 build_pairing_cmd(conn, req, &rsp, auth);
1700
1701 if (rsp.auth_req & SMP_AUTH_SC)
1702 set_bit(SMP_FLAG_SC, &smp->flags);
1703
955 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1704 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
956 sec_level = BT_SECURITY_MEDIUM; 1705 sec_level = BT_SECURITY_MEDIUM;
957 else 1706 else
@@ -970,8 +1719,6 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
970 return SMP_AUTH_REQUIREMENTS; 1719 return SMP_AUTH_REQUIREMENTS;
971 } 1720 }
972 1721
973 build_pairing_cmd(conn, req, &rsp, auth);
974
975 key_size = min(req->max_key_size, rsp.max_key_size); 1722 key_size = min(req->max_key_size, rsp.max_key_size);
976 if (check_enc_key_size(conn, key_size)) 1723 if (check_enc_key_size(conn, key_size))
977 return SMP_ENC_KEY_SIZE; 1724 return SMP_ENC_KEY_SIZE;
@@ -982,7 +1729,18 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
982 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1729 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
983 1730
984 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1731 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
985 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1732
1733 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1734
1735 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1736 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1737 /* Clear bits which are generated but not distributed */
1738 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1739 /* Wait for Public Key from Initiating Device */
1740 return 0;
1741 } else {
1742 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1743 }
986 1744
987 /* Request setup of TK */ 1745 /* Request setup of TK */
988 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1746 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
@@ -992,11 +1750,46 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
992 return 0; 1750 return 0;
993} 1751}
994 1752
1753static u8 sc_send_public_key(struct smp_chan *smp)
1754{
1755 struct hci_dev *hdev = smp->conn->hcon->hdev;
1756
1757 BT_DBG("");
1758
1759 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1760 BT_DBG("Using debug keys");
1761 memcpy(smp->local_pk, debug_pk, 64);
1762 memcpy(smp->local_sk, debug_sk, 32);
1763 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1764 } else {
1765 while (true) {
1766 /* Generate local key pair for Secure Connections */
1767 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1768 return SMP_UNSPECIFIED;
1769
1770 /* This is unlikely, but we need to check that
1771 * we didn't accidentially generate a debug key.
1772 */
1773 if (memcmp(smp->local_sk, debug_sk, 32))
1774 break;
1775 }
1776 }
1777
1778 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1779 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1780 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1781
1782 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1783
1784 return 0;
1785}
1786
995static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1787static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
996{ 1788{
997 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1789 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
998 struct l2cap_chan *chan = conn->smp; 1790 struct l2cap_chan *chan = conn->smp;
999 struct smp_chan *smp = chan->data; 1791 struct smp_chan *smp = chan->data;
1792 struct hci_dev *hdev = conn->hcon->hdev;
1000 u8 key_size, auth; 1793 u8 key_size, auth;
1001 int ret; 1794 int ret;
1002 1795
@@ -1016,7 +1809,31 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1016 if (check_enc_key_size(conn, key_size)) 1809 if (check_enc_key_size(conn, key_size))
1017 return SMP_ENC_KEY_SIZE; 1810 return SMP_ENC_KEY_SIZE;
1018 1811
1019 auth = rsp->auth_req & AUTH_REQ_MASK; 1812 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1813
1814 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1815 return SMP_AUTH_REQUIREMENTS;
1816
1817 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1818 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1819
1820 /* Update remote key distribution in case the remote cleared
1821 * some bits that we had enabled in our request.
1822 */
1823 smp->remote_key_dist &= rsp->resp_key_dist;
1824
1825 /* For BR/EDR this means we're done and can start phase 3 */
1826 if (conn->hcon->type == ACL_LINK) {
1827 /* Clear bits which are generated but not distributed */
1828 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1829 smp_distribute_keys(smp);
1830 return 0;
1831 }
1832
1833 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1834 set_bit(SMP_FLAG_SC, &smp->flags);
1835 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1836 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1020 1837
1021 /* If we need MITM check that it can be achieved */ 1838 /* If we need MITM check that it can be achieved */
1022 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1839 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
@@ -1030,14 +1847,18 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1030 1847
1031 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1848 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1032 1849
1033 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1034 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1035
1036 /* Update remote key distribution in case the remote cleared 1850 /* Update remote key distribution in case the remote cleared
1037 * some bits that we had enabled in our request. 1851 * some bits that we had enabled in our request.
1038 */ 1852 */
1039 smp->remote_key_dist &= rsp->resp_key_dist; 1853 smp->remote_key_dist &= rsp->resp_key_dist;
1040 1854
1855 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1856 /* Clear bits which are generated but not distributed */
1857 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1859 return sc_send_public_key(smp);
1860 }
1861
1041 auth |= req->auth_req; 1862 auth |= req->auth_req;
1042 1863
1043 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 1864 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
@@ -1053,6 +1874,28 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1053 return 0; 1874 return 0;
1054} 1875}
1055 1876
1877static u8 sc_check_confirm(struct smp_chan *smp)
1878{
1879 struct l2cap_conn *conn = smp->conn;
1880
1881 BT_DBG("");
1882
1883 /* Public Key exchange must happen before any other steps */
1884 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1885 return SMP_UNSPECIFIED;
1886
1887 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1888 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1889
1890 if (conn->hcon->out) {
1891 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1892 smp->prnd);
1893 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1894 }
1895
1896 return 0;
1897}
1898
1056static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 1899static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1057{ 1900{
1058 struct l2cap_chan *chan = conn->smp; 1901 struct l2cap_chan *chan = conn->smp;
@@ -1066,6 +1909,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1066 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 1909 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1067 skb_pull(skb, sizeof(smp->pcnf)); 1910 skb_pull(skb, sizeof(smp->pcnf));
1068 1911
1912 if (test_bit(SMP_FLAG_SC, &smp->flags))
1913 return sc_check_confirm(smp);
1914
1069 if (conn->hcon->out) { 1915 if (conn->hcon->out) {
1070 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1916 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1071 smp->prnd); 1917 smp->prnd);
@@ -1085,6 +1931,10 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1085{ 1931{
1086 struct l2cap_chan *chan = conn->smp; 1932 struct l2cap_chan *chan = conn->smp;
1087 struct smp_chan *smp = chan->data; 1933 struct smp_chan *smp = chan->data;
1934 struct hci_conn *hcon = conn->hcon;
1935 u8 *pkax, *pkbx, *na, *nb;
1936 u32 passkey;
1937 int err;
1088 1938
1089 BT_DBG("conn %p", conn); 1939 BT_DBG("conn %p", conn);
1090 1940
@@ -1094,7 +1944,75 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1094 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 1944 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1095 skb_pull(skb, sizeof(smp->rrnd)); 1945 skb_pull(skb, sizeof(smp->rrnd));
1096 1946
1097 return smp_random(smp); 1947 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1948 return smp_random(smp);
1949
1950 if (hcon->out) {
1951 pkax = smp->local_pk;
1952 pkbx = smp->remote_pk;
1953 na = smp->prnd;
1954 nb = smp->rrnd;
1955 } else {
1956 pkax = smp->remote_pk;
1957 pkbx = smp->local_pk;
1958 na = smp->rrnd;
1959 nb = smp->prnd;
1960 }
1961
1962 if (smp->method == REQ_OOB) {
1963 if (!hcon->out)
1964 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1965 sizeof(smp->prnd), smp->prnd);
1966 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1967 goto mackey_and_ltk;
1968 }
1969
1970 /* Passkey entry has special treatment */
1971 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1972 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1973
1974 if (hcon->out) {
1975 u8 cfm[16];
1976
1977 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1978 smp->rrnd, 0, cfm);
1979 if (err)
1980 return SMP_UNSPECIFIED;
1981
1982 if (memcmp(smp->pcnf, cfm, 16))
1983 return SMP_CONFIRM_FAILED;
1984 } else {
1985 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1986 smp->prnd);
1987 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1988 }
1989
1990mackey_and_ltk:
1991 /* Generate MacKey and LTK */
1992 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1993 if (err)
1994 return SMP_UNSPECIFIED;
1995
1996 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1997 if (hcon->out) {
1998 sc_dhkey_check(smp);
1999 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2000 }
2001 return 0;
2002 }
2003
2004 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2005 if (err)
2006 return SMP_UNSPECIFIED;
2007
2008 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2009 hcon->dst_type, passkey, 0);
2010 if (err)
2011 return SMP_UNSPECIFIED;
2012
2013 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2014
2015 return 0;
1098} 2016}
1099 2017
1100static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2018static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -1102,8 +2020,7 @@ static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1102 struct smp_ltk *key; 2020 struct smp_ltk *key;
1103 struct hci_conn *hcon = conn->hcon; 2021 struct hci_conn *hcon = conn->hcon;
1104 2022
1105 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type, 2023 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1106 hcon->role);
1107 if (!key) 2024 if (!key)
1108 return false; 2025 return false;
1109 2026
@@ -1136,8 +2053,7 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1136 */ 2053 */
1137 if (key_pref == SMP_USE_LTK && 2054 if (key_pref == SMP_USE_LTK &&
1138 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2055 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1139 hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type, 2056 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1140 hcon->role))
1141 return false; 2057 return false;
1142 2058
1143 if (hcon->sec_level >= sec_level) 2059 if (hcon->sec_level >= sec_level)
@@ -1151,6 +2067,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1151 struct smp_cmd_security_req *rp = (void *) skb->data; 2067 struct smp_cmd_security_req *rp = (void *) skb->data;
1152 struct smp_cmd_pairing cp; 2068 struct smp_cmd_pairing cp;
1153 struct hci_conn *hcon = conn->hcon; 2069 struct hci_conn *hcon = conn->hcon;
2070 struct hci_dev *hdev = hcon->hdev;
1154 struct smp_chan *smp; 2071 struct smp_chan *smp;
1155 u8 sec_level, auth; 2072 u8 sec_level, auth;
1156 2073
@@ -1162,7 +2079,10 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1162 if (hcon->role != HCI_ROLE_MASTER) 2079 if (hcon->role != HCI_ROLE_MASTER)
1163 return SMP_CMD_NOTSUPP; 2080 return SMP_CMD_NOTSUPP;
1164 2081
1165 auth = rp->auth_req & AUTH_REQ_MASK; 2082 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2083
2084 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2085 return SMP_AUTH_REQUIREMENTS;
1166 2086
1167 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2087 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1168 sec_level = BT_SECURITY_MEDIUM; 2088 sec_level = BT_SECURITY_MEDIUM;
@@ -1245,6 +2165,9 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1245 2165
1246 authreq = seclevel_to_authreq(sec_level); 2166 authreq = seclevel_to_authreq(sec_level);
1247 2167
2168 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2169 authreq |= SMP_AUTH_SC;
2170
1248 /* Require MITM if IO Capability allows or the security level 2171 /* Require MITM if IO Capability allows or the security level
1249 * requires it. 2172 * requires it.
1250 */ 2173 */
@@ -1432,6 +2355,234 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1432 return 0; 2355 return 0;
1433} 2356}
1434 2357
2358static u8 sc_select_method(struct smp_chan *smp)
2359{
2360 struct l2cap_conn *conn = smp->conn;
2361 struct hci_conn *hcon = conn->hcon;
2362 struct smp_cmd_pairing *local, *remote;
2363 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2364
2365 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2366 return REQ_OOB;
2367
2368 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2369 * which are needed as inputs to some crypto functions. To get
2370 * the "struct smp_cmd_pairing" from them we need to skip the
2371 * first byte which contains the opcode.
2372 */
2373 if (hcon->out) {
2374 local = (void *) &smp->preq[1];
2375 remote = (void *) &smp->prsp[1];
2376 } else {
2377 local = (void *) &smp->prsp[1];
2378 remote = (void *) &smp->preq[1];
2379 }
2380
2381 local_io = local->io_capability;
2382 remote_io = remote->io_capability;
2383
2384 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2385 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2386
2387 /* If either side wants MITM, look up the method from the table,
2388 * otherwise use JUST WORKS.
2389 */
2390 if (local_mitm || remote_mitm)
2391 method = get_auth_method(smp, local_io, remote_io);
2392 else
2393 method = JUST_WORKS;
2394
2395 /* Don't confirm locally initiated pairing attempts */
2396 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2397 method = JUST_WORKS;
2398
2399 return method;
2400}
2401
2402static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2403{
2404 struct smp_cmd_public_key *key = (void *) skb->data;
2405 struct hci_conn *hcon = conn->hcon;
2406 struct l2cap_chan *chan = conn->smp;
2407 struct smp_chan *smp = chan->data;
2408 struct hci_dev *hdev = hcon->hdev;
2409 struct smp_cmd_pairing_confirm cfm;
2410 int err;
2411
2412 BT_DBG("conn %p", conn);
2413
2414 if (skb->len < sizeof(*key))
2415 return SMP_INVALID_PARAMS;
2416
2417 memcpy(smp->remote_pk, key, 64);
2418
2419 /* Non-initiating device sends its public key after receiving
2420 * the key from the initiating device.
2421 */
2422 if (!hcon->out) {
2423 err = sc_send_public_key(smp);
2424 if (err)
2425 return err;
2426 }
2427
2428 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2429 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2430
2431 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2432 return SMP_UNSPECIFIED;
2433
2434 SMP_DBG("DHKey %32phN", smp->dhkey);
2435
2436 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2437
2438 smp->method = sc_select_method(smp);
2439
2440 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2441
2442 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2443 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2444 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2445 else
2446 hcon->pending_sec_level = BT_SECURITY_FIPS;
2447
2448 if (!memcmp(debug_pk, smp->remote_pk, 64))
2449 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2450
2451 if (smp->method == DSP_PASSKEY) {
2452 get_random_bytes(&hcon->passkey_notify,
2453 sizeof(hcon->passkey_notify));
2454 hcon->passkey_notify %= 1000000;
2455 hcon->passkey_entered = 0;
2456 smp->passkey_round = 0;
2457 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2458 hcon->dst_type,
2459 hcon->passkey_notify,
2460 hcon->passkey_entered))
2461 return SMP_UNSPECIFIED;
2462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2463 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2464 }
2465
2466 if (smp->method == REQ_OOB) {
2467 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2468 smp->rr, 0, cfm.confirm_val);
2469 if (err)
2470 return SMP_UNSPECIFIED;
2471
2472 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2473 return SMP_CONFIRM_FAILED;
2474
2475 if (hcon->out)
2476 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2477 sizeof(smp->prnd), smp->prnd);
2478
2479 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2480
2481 return 0;
2482 }
2483
2484 if (hcon->out)
2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2486
2487 if (smp->method == REQ_PASSKEY) {
2488 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2489 hcon->dst_type))
2490 return SMP_UNSPECIFIED;
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2493 return 0;
2494 }
2495
2496 /* The Initiating device waits for the non-initiating device to
2497 * send the confirm value.
2498 */
2499 if (conn->hcon->out)
2500 return 0;
2501
2502 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2503 0, cfm.confirm_val);
2504 if (err)
2505 return SMP_UNSPECIFIED;
2506
2507 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2508 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2509
2510 return 0;
2511}
2512
2513static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2514{
2515 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2516 struct l2cap_chan *chan = conn->smp;
2517 struct hci_conn *hcon = conn->hcon;
2518 struct smp_chan *smp = chan->data;
2519 u8 a[7], b[7], *local_addr, *remote_addr;
2520 u8 io_cap[3], r[16], e[16];
2521 int err;
2522
2523 BT_DBG("conn %p", conn);
2524
2525 if (skb->len < sizeof(*check))
2526 return SMP_INVALID_PARAMS;
2527
2528 memcpy(a, &hcon->init_addr, 6);
2529 memcpy(b, &hcon->resp_addr, 6);
2530 a[6] = hcon->init_addr_type;
2531 b[6] = hcon->resp_addr_type;
2532
2533 if (hcon->out) {
2534 local_addr = a;
2535 remote_addr = b;
2536 memcpy(io_cap, &smp->prsp[1], 3);
2537 } else {
2538 local_addr = b;
2539 remote_addr = a;
2540 memcpy(io_cap, &smp->preq[1], 3);
2541 }
2542
2543 memset(r, 0, sizeof(r));
2544
2545 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2546 put_unaligned_le32(hcon->passkey_notify, r);
2547
2548 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2549 io_cap, remote_addr, local_addr, e);
2550 if (err)
2551 return SMP_UNSPECIFIED;
2552
2553 if (memcmp(check->e, e, 16))
2554 return SMP_DHKEY_CHECK_FAILED;
2555
2556 if (!hcon->out) {
2557 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2558 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2559 return 0;
2560 }
2561
2562 /* Slave sends DHKey check as response to master */
2563 sc_dhkey_check(smp);
2564 }
2565
2566 sc_add_ltk(smp);
2567
2568 if (hcon->out) {
2569 hci_le_start_enc(hcon, 0, 0, smp->tk);
2570 hcon->enc_key_size = smp->enc_key_size;
2571 }
2572
2573 return 0;
2574}
2575
2576static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2577 struct sk_buff *skb)
2578{
2579 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2580
2581 BT_DBG("value 0x%02x", kp->value);
2582
2583 return 0;
2584}
2585
1435static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2586static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1436{ 2587{
1437 struct l2cap_conn *conn = chan->conn; 2588 struct l2cap_conn *conn = chan->conn;
@@ -1440,11 +2591,6 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1440 __u8 code, reason; 2591 __u8 code, reason;
1441 int err = 0; 2592 int err = 0;
1442 2593
1443 if (hcon->type != LE_LINK) {
1444 kfree_skb(skb);
1445 return 0;
1446 }
1447
1448 if (skb->len < 1) 2594 if (skb->len < 1)
1449 return -EILSEQ; 2595 return -EILSEQ;
1450 2596
@@ -1516,6 +2662,18 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1516 reason = smp_cmd_sign_info(conn, skb); 2662 reason = smp_cmd_sign_info(conn, skb);
1517 break; 2663 break;
1518 2664
2665 case SMP_CMD_PUBLIC_KEY:
2666 reason = smp_cmd_public_key(conn, skb);
2667 break;
2668
2669 case SMP_CMD_DHKEY_CHECK:
2670 reason = smp_cmd_dhkey_check(conn, skb);
2671 break;
2672
2673 case SMP_CMD_KEYPRESS_NOTIFY:
2674 reason = smp_cmd_keypress_notify(conn, skb);
2675 break;
2676
1519 default: 2677 default:
1520 BT_DBG("Unknown command code 0x%2.2x", code); 2678 BT_DBG("Unknown command code 0x%2.2x", code);
1521 reason = SMP_CMD_NOTSUPP; 2679 reason = SMP_CMD_NOTSUPP;
@@ -1551,6 +2709,74 @@ static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1551 l2cap_chan_put(chan); 2709 l2cap_chan_put(chan);
1552} 2710}
1553 2711
2712static void bredr_pairing(struct l2cap_chan *chan)
2713{
2714 struct l2cap_conn *conn = chan->conn;
2715 struct hci_conn *hcon = conn->hcon;
2716 struct hci_dev *hdev = hcon->hdev;
2717 struct smp_cmd_pairing req;
2718 struct smp_chan *smp;
2719
2720 BT_DBG("chan %p", chan);
2721
2722 /* Only new pairings are interesting */
2723 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2724 return;
2725
2726 /* Don't bother if we're not encrypted */
2727 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2728 return;
2729
2730 /* Only master may initiate SMP over BR/EDR */
2731 if (hcon->role != HCI_ROLE_MASTER)
2732 return;
2733
2734 /* Secure Connections support must be enabled */
2735 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2736 return;
2737
2738 /* BR/EDR must use Secure Connections for SMP */
2739 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2740 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2741 return;
2742
2743 /* If our LE support is not enabled don't do anything */
2744 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2745 return;
2746
2747 /* Don't bother if remote LE support is not enabled */
2748 if (!lmp_host_le_capable(hcon))
2749 return;
2750
2751 /* Remote must support SMP fixed chan for BR/EDR */
2752 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2753 return;
2754
2755 /* Don't bother if SMP is already ongoing */
2756 if (chan->data)
2757 return;
2758
2759 smp = smp_chan_create(conn);
2760 if (!smp) {
2761 BT_ERR("%s unable to create SMP context for BR/EDR",
2762 hdev->name);
2763 return;
2764 }
2765
2766 set_bit(SMP_FLAG_SC, &smp->flags);
2767
2768 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2769
2770 /* Prepare and send the BR/EDR SMP Pairing Request */
2771 build_bredr_pairing_cmd(smp, &req, NULL);
2772
2773 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2774 memcpy(&smp->preq[1], &req, sizeof(req));
2775
2776 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2777 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2778}
2779
1554static void smp_resume_cb(struct l2cap_chan *chan) 2780static void smp_resume_cb(struct l2cap_chan *chan)
1555{ 2781{
1556 struct smp_chan *smp = chan->data; 2782 struct smp_chan *smp = chan->data;
@@ -1559,6 +2785,11 @@ static void smp_resume_cb(struct l2cap_chan *chan)
1559 2785
1560 BT_DBG("chan %p", chan); 2786 BT_DBG("chan %p", chan);
1561 2787
2788 if (hcon->type == ACL_LINK) {
2789 bredr_pairing(chan);
2790 return;
2791 }
2792
1562 if (!smp) 2793 if (!smp)
1563 return; 2794 return;
1564 2795
@@ -1573,11 +2804,15 @@ static void smp_resume_cb(struct l2cap_chan *chan)
1573static void smp_ready_cb(struct l2cap_chan *chan) 2804static void smp_ready_cb(struct l2cap_chan *chan)
1574{ 2805{
1575 struct l2cap_conn *conn = chan->conn; 2806 struct l2cap_conn *conn = chan->conn;
2807 struct hci_conn *hcon = conn->hcon;
1576 2808
1577 BT_DBG("chan %p", chan); 2809 BT_DBG("chan %p", chan);
1578 2810
1579 conn->smp = chan; 2811 conn->smp = chan;
1580 l2cap_chan_hold(chan); 2812 l2cap_chan_hold(chan);
2813
2814 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2815 bredr_pairing(chan);
1581} 2816}
1582 2817
1583static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 2818static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1682,34 +2917,40 @@ static const struct l2cap_ops smp_root_chan_ops = {
1682 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec, 2917 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1683}; 2918};
1684 2919
1685int smp_register(struct hci_dev *hdev) 2920static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
1686{ 2921{
1687 struct l2cap_chan *chan; 2922 struct l2cap_chan *chan;
1688 struct crypto_blkcipher *tfm_aes; 2923 struct crypto_blkcipher *tfm_aes;
1689 2924
1690 BT_DBG("%s", hdev->name); 2925 if (cid == L2CAP_CID_SMP_BREDR) {
2926 tfm_aes = NULL;
2927 goto create_chan;
2928 }
1691 2929
1692 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0); 2930 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
1693 if (IS_ERR(tfm_aes)) { 2931 if (IS_ERR(tfm_aes)) {
1694 int err = PTR_ERR(tfm_aes);
1695 BT_ERR("Unable to create crypto context"); 2932 BT_ERR("Unable to create crypto context");
1696 return err; 2933 return ERR_PTR(PTR_ERR(tfm_aes));
1697 } 2934 }
1698 2935
2936create_chan:
1699 chan = l2cap_chan_create(); 2937 chan = l2cap_chan_create();
1700 if (!chan) { 2938 if (!chan) {
1701 crypto_free_blkcipher(tfm_aes); 2939 crypto_free_blkcipher(tfm_aes);
1702 return -ENOMEM; 2940 return ERR_PTR(-ENOMEM);
1703 } 2941 }
1704 2942
1705 chan->data = tfm_aes; 2943 chan->data = tfm_aes;
1706 2944
1707 l2cap_add_scid(chan, L2CAP_CID_SMP); 2945 l2cap_add_scid(chan, cid);
1708 2946
1709 l2cap_chan_set_defaults(chan); 2947 l2cap_chan_set_defaults(chan);
1710 2948
1711 bacpy(&chan->src, &hdev->bdaddr); 2949 bacpy(&chan->src, &hdev->bdaddr);
1712 chan->src_type = BDADDR_LE_PUBLIC; 2950 if (cid == L2CAP_CID_SMP)
2951 chan->src_type = BDADDR_LE_PUBLIC;
2952 else
2953 chan->src_type = BDADDR_BREDR;
1713 chan->state = BT_LISTEN; 2954 chan->state = BT_LISTEN;
1714 chan->mode = L2CAP_MODE_BASIC; 2955 chan->mode = L2CAP_MODE_BASIC;
1715 chan->imtu = L2CAP_DEFAULT_MTU; 2956 chan->imtu = L2CAP_DEFAULT_MTU;
@@ -1718,20 +2959,14 @@ int smp_register(struct hci_dev *hdev)
1718 /* Set correct nesting level for a parent/listening channel */ 2959 /* Set correct nesting level for a parent/listening channel */
1719 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 2960 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
1720 2961
1721 hdev->smp_data = chan; 2962 return chan;
1722
1723 return 0;
1724} 2963}
1725 2964
1726void smp_unregister(struct hci_dev *hdev) 2965static void smp_del_chan(struct l2cap_chan *chan)
1727{ 2966{
1728 struct l2cap_chan *chan = hdev->smp_data; 2967 struct crypto_blkcipher *tfm_aes;
1729 struct crypto_blkcipher *tfm_aes;
1730
1731 if (!chan)
1732 return;
1733 2968
1734 BT_DBG("%s chan %p", hdev->name, chan); 2969 BT_DBG("chan %p", chan);
1735 2970
1736 tfm_aes = chan->data; 2971 tfm_aes = chan->data;
1737 if (tfm_aes) { 2972 if (tfm_aes) {
@@ -1739,6 +2974,52 @@ void smp_unregister(struct hci_dev *hdev)
1739 crypto_free_blkcipher(tfm_aes); 2974 crypto_free_blkcipher(tfm_aes);
1740 } 2975 }
1741 2976
1742 hdev->smp_data = NULL;
1743 l2cap_chan_put(chan); 2977 l2cap_chan_put(chan);
1744} 2978}
2979
2980int smp_register(struct hci_dev *hdev)
2981{
2982 struct l2cap_chan *chan;
2983
2984 BT_DBG("%s", hdev->name);
2985
2986 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2987 if (IS_ERR(chan))
2988 return PTR_ERR(chan);
2989
2990 hdev->smp_data = chan;
2991
2992 if (!lmp_sc_capable(hdev) &&
2993 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2994 return 0;
2995
2996 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2997 if (IS_ERR(chan)) {
2998 int err = PTR_ERR(chan);
2999 chan = hdev->smp_data;
3000 hdev->smp_data = NULL;
3001 smp_del_chan(chan);
3002 return err;
3003 }
3004
3005 hdev->smp_bredr_data = chan;
3006
3007 return 0;
3008}
3009
3010void smp_unregister(struct hci_dev *hdev)
3011{
3012 struct l2cap_chan *chan;
3013
3014 if (hdev->smp_bredr_data) {
3015 chan = hdev->smp_bredr_data;
3016 hdev->smp_bredr_data = NULL;
3017 smp_del_chan(chan);
3018 }
3019
3020 if (hdev->smp_data) {
3021 chan = hdev->smp_data;
3022 hdev->smp_data = NULL;
3023 smp_del_chan(chan);
3024 }
3025}
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index f76083b85005..3296bf42ae80 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -50,10 +50,13 @@ struct smp_cmd_pairing {
50#define SMP_DIST_ENC_KEY 0x01 50#define SMP_DIST_ENC_KEY 0x01
51#define SMP_DIST_ID_KEY 0x02 51#define SMP_DIST_ID_KEY 0x02
52#define SMP_DIST_SIGN 0x04 52#define SMP_DIST_SIGN 0x04
53#define SMP_DIST_LINK_KEY 0x08
53 54
54#define SMP_AUTH_NONE 0x00 55#define SMP_AUTH_NONE 0x00
55#define SMP_AUTH_BONDING 0x01 56#define SMP_AUTH_BONDING 0x01
56#define SMP_AUTH_MITM 0x04 57#define SMP_AUTH_MITM 0x04
58#define SMP_AUTH_SC 0x08
59#define SMP_AUTH_KEYPRESS 0x10
57 60
58#define SMP_CMD_PAIRING_CONFIRM 0x03 61#define SMP_CMD_PAIRING_CONFIRM 0x03
59struct smp_cmd_pairing_confirm { 62struct smp_cmd_pairing_confirm {
@@ -102,7 +105,23 @@ struct smp_cmd_security_req {
102 __u8 auth_req; 105 __u8 auth_req;
103} __packed; 106} __packed;
104 107
105#define SMP_CMD_MAX 0x0b 108#define SMP_CMD_PUBLIC_KEY 0x0c
109struct smp_cmd_public_key {
110 __u8 x[32];
111 __u8 y[32];
112} __packed;
113
114#define SMP_CMD_DHKEY_CHECK 0x0d
115struct smp_cmd_dhkey_check {
116 __u8 e[16];
117} __packed;
118
119#define SMP_CMD_KEYPRESS_NOTIFY 0x0e
120struct smp_cmd_keypress_notify {
121 __u8 value;
122} __packed;
123
124#define SMP_CMD_MAX 0x0e
106 125
107#define SMP_PASSKEY_ENTRY_FAILED 0x01 126#define SMP_PASSKEY_ENTRY_FAILED 0x01
108#define SMP_OOB_NOT_AVAIL 0x02 127#define SMP_OOB_NOT_AVAIL 0x02
@@ -114,6 +133,10 @@ struct smp_cmd_security_req {
114#define SMP_UNSPECIFIED 0x08 133#define SMP_UNSPECIFIED 0x08
115#define SMP_REPEATED_ATTEMPTS 0x09 134#define SMP_REPEATED_ATTEMPTS 0x09
116#define SMP_INVALID_PARAMS 0x0a 135#define SMP_INVALID_PARAMS 0x0a
136#define SMP_DHKEY_CHECK_FAILED 0x0b
137#define SMP_NUMERIC_COMP_FAILED 0x0c
138#define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d
139#define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e
117 140
118#define SMP_MIN_ENC_KEY_SIZE 7 141#define SMP_MIN_ENC_KEY_SIZE 7
119#define SMP_MAX_ENC_KEY_SIZE 16 142#define SMP_MAX_ENC_KEY_SIZE 16
@@ -123,12 +146,29 @@ enum {
123 SMP_STK, 146 SMP_STK,
124 SMP_LTK, 147 SMP_LTK,
125 SMP_LTK_SLAVE, 148 SMP_LTK_SLAVE,
149 SMP_LTK_P256,
150 SMP_LTK_P256_DEBUG,
126}; 151};
127 152
153static inline bool smp_ltk_is_sc(struct smp_ltk *key)
154{
155 switch (key->type) {
156 case SMP_LTK_P256:
157 case SMP_LTK_P256_DEBUG:
158 return true;
159 }
160
161 return false;
162}
163
128static inline u8 smp_ltk_sec_level(struct smp_ltk *key) 164static inline u8 smp_ltk_sec_level(struct smp_ltk *key)
129{ 165{
130 if (key->authenticated) 166 if (key->authenticated) {
131 return BT_SECURITY_HIGH; 167 if (smp_ltk_is_sc(key))
168 return BT_SECURITY_FIPS;
169 else
170 return BT_SECURITY_HIGH;
171 }
132 172
133 return BT_SECURITY_MEDIUM; 173 return BT_SECURITY_MEDIUM;
134} 174}
@@ -145,8 +185,9 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
145int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 185int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
146int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 186int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
147 187
148bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr); 188bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
149int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa); 189 const bdaddr_t *bdaddr);
190int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa);
150 191
151int smp_register(struct hci_dev *hdev); 192int smp_register(struct hci_dev *hdev);
152void smp_unregister(struct hci_dev *hdev); 193void smp_unregister(struct hci_dev *hdev);
diff --git a/net/ieee802154/6lowpan_rtnl.c b/net/ieee802154/6lowpan_rtnl.c
index 290e14f2e92e..27eaa65e88e1 100644
--- a/net/ieee802154/6lowpan_rtnl.c
+++ b/net/ieee802154/6lowpan_rtnl.c
@@ -439,7 +439,6 @@ static void lowpan_set_lockdep_class_one(struct net_device *dev,
439 &lowpan_netdev_xmit_lock_key); 439 &lowpan_netdev_xmit_lock_key);
440} 440}
441 441
442
443static int lowpan_dev_init(struct net_device *dev) 442static int lowpan_dev_init(struct net_device *dev)
444{ 443{
445 netdev_for_each_tx_queue(dev, lowpan_set_lockdep_class_one, NULL); 444 netdev_for_each_tx_queue(dev, lowpan_set_lockdep_class_one, NULL);
@@ -597,7 +596,7 @@ static int lowpan_newlink(struct net *src_net, struct net_device *dev,
597 596
598 entry->ldev = dev; 597 entry->ldev = dev;
599 598
600 /* Set the lowpan harware address to the wpan hardware address. */ 599 /* Set the lowpan hardware address to the wpan hardware address. */
601 memcpy(dev->dev_addr, real_dev->dev_addr, IEEE802154_ADDR_LEN); 600 memcpy(dev->dev_addr, real_dev->dev_addr, IEEE802154_ADDR_LEN);
602 601
603 mutex_lock(&lowpan_dev_info(dev)->dev_list_mtx); 602 mutex_lock(&lowpan_dev_info(dev)->dev_list_mtx);
diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
index 26da1e179737..d0a1282cdf43 100644
--- a/net/ieee802154/af_ieee802154.c
+++ b/net/ieee802154/af_ieee802154.c
@@ -99,6 +99,7 @@ static int ieee802154_sock_release(struct socket *sock)
99 } 99 }
100 return 0; 100 return 0;
101} 101}
102
102static int ieee802154_sock_sendmsg(struct kiocb *iocb, struct socket *sock, 103static int ieee802154_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
103 struct msghdr *msg, size_t len) 104 struct msghdr *msg, size_t len)
104{ 105{
@@ -231,7 +232,6 @@ static const struct proto_ops ieee802154_dgram_ops = {
231#endif 232#endif
232}; 233};
233 234
234
235/* Create a socket. Initialise the socket, blank the addresses 235/* Create a socket. Initialise the socket, blank the addresses
236 * set the state. 236 * set the state.
237 */ 237 */
@@ -320,7 +320,6 @@ drop:
320 return NET_RX_DROP; 320 return NET_RX_DROP;
321} 321}
322 322
323
324static struct packet_type ieee802154_packet_type = { 323static struct packet_type ieee802154_packet_type = {
325 .type = htons(ETH_P_IEEE802154), 324 .type = htons(ETH_P_IEEE802154),
326 .func = ieee802154_rcv, 325 .func = ieee802154_rcv,
@@ -354,6 +353,7 @@ err_dgram:
354out: 353out:
355 return rc; 354 return rc;
356} 355}
356
357static void __exit af_ieee802154_remove(void) 357static void __exit af_ieee802154_remove(void)
358{ 358{
359 dev_remove_pack(&ieee802154_packet_type); 359 dev_remove_pack(&ieee802154_packet_type);
diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
index 2c7a93e7167e..d1930b70c4aa 100644
--- a/net/ieee802154/dgram.c
+++ b/net/ieee802154/dgram.c
@@ -154,7 +154,6 @@ static int dgram_ioctl(struct sock *sk, int cmd, unsigned long arg)
154 spin_unlock_bh(&sk->sk_receive_queue.lock); 154 spin_unlock_bh(&sk->sk_receive_queue.lock);
155 return put_user(amount, (int __user *)arg); 155 return put_user(amount, (int __user *)arg);
156 } 156 }
157
158 } 157 }
159 158
160 return -ENOIOCTLCMD; 159 return -ENOIOCTLCMD;
diff --git a/net/ieee802154/netlink.c b/net/ieee802154/netlink.c
index 63ee7d66950e..fa1464762d0d 100644
--- a/net/ieee802154/netlink.c
+++ b/net/ieee802154/netlink.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Netlink inteface for IEEE 802.15.4 stack 2 * Netlink interface for IEEE 802.15.4 stack
3 * 3 *
4 * Copyright 2007, 2008 Siemens AG 4 * Copyright 2007, 2008 Siemens AG
5 * 5 *
@@ -73,7 +73,7 @@ out:
73} 73}
74 74
75struct sk_buff *ieee802154_nl_new_reply(struct genl_info *info, 75struct sk_buff *ieee802154_nl_new_reply(struct genl_info *info,
76 int flags, u8 req) 76 int flags, u8 req)
77{ 77{
78 void *hdr; 78 void *hdr;
79 struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 79 struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
@@ -147,7 +147,6 @@ static const struct genl_multicast_group ieee802154_mcgrps[] = {
147 [IEEE802154_BEACON_MCGRP] = { .name = IEEE802154_MCAST_BEACON_NAME, }, 147 [IEEE802154_BEACON_MCGRP] = { .name = IEEE802154_MCAST_BEACON_NAME, },
148}; 148};
149 149
150
151int __init ieee802154_nl_init(void) 150int __init ieee802154_nl_init(void)
152{ 151{
153 return genl_register_family_with_ops_groups(&nl802154_family, 152 return genl_register_family_with_ops_groups(&nl802154_family,
diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
index fe77f0c770b8..cd919493c976 100644
--- a/net/ieee802154/nl-mac.c
+++ b/net/ieee802154/nl-mac.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Netlink inteface for IEEE 802.15.4 stack 2 * Netlink interface for IEEE 802.15.4 stack
3 * 3 *
4 * Copyright 2007, 2008 Siemens AG 4 * Copyright 2007, 2008 Siemens AG
5 * 5 *
@@ -346,7 +346,6 @@ int ieee802154_start_req(struct sk_buff *skb, struct genl_info *info)
346 else 346 else
347 page = 0; 347 page = 0;
348 348
349
350 if (addr.short_addr == cpu_to_le16(IEEE802154_ADDR_BROADCAST)) { 349 if (addr.short_addr == cpu_to_le16(IEEE802154_ADDR_BROADCAST)) {
351 ieee802154_nl_start_confirm(dev, IEEE802154_NO_SHORT_ADDRESS); 350 ieee802154_nl_start_confirm(dev, IEEE802154_NO_SHORT_ADDRESS);
352 dev_put(dev); 351 dev_put(dev);
@@ -397,7 +396,6 @@ int ieee802154_scan_req(struct sk_buff *skb, struct genl_info *info)
397 else 396 else
398 page = 0; 397 page = 0;
399 398
400
401 ret = ieee802154_mlme_ops(dev)->scan_req(dev, type, channels, 399 ret = ieee802154_mlme_ops(dev)->scan_req(dev, type, channels,
402 page, duration); 400 page, duration);
403 401
@@ -548,8 +546,6 @@ out:
548 return rc; 546 return rc;
549} 547}
550 548
551
552
553static int 549static int
554ieee802154_llsec_parse_key_id(struct genl_info *info, 550ieee802154_llsec_parse_key_id(struct genl_info *info,
555 struct ieee802154_llsec_key_id *desc) 551 struct ieee802154_llsec_key_id *desc)
@@ -765,8 +761,6 @@ out:
765 return rc; 761 return rc;
766} 762}
767 763
768
769
770struct llsec_dump_data { 764struct llsec_dump_data {
771 struct sk_buff *skb; 765 struct sk_buff *skb;
772 int s_idx, s_idx2; 766 int s_idx, s_idx2;
@@ -843,8 +837,6 @@ ieee802154_nl_llsec_change(struct sk_buff *skb, struct genl_info *info,
843 return rc; 837 return rc;
844} 838}
845 839
846
847
848static int 840static int
849ieee802154_llsec_parse_key(struct genl_info *info, 841ieee802154_llsec_parse_key(struct genl_info *info,
850 struct ieee802154_llsec_key *key) 842 struct ieee802154_llsec_key *key)
@@ -989,8 +981,6 @@ int ieee802154_llsec_dump_keys(struct sk_buff *skb, struct netlink_callback *cb)
989 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_keys); 981 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_keys);
990} 982}
991 983
992
993
994static int 984static int
995llsec_parse_dev(struct genl_info *info, 985llsec_parse_dev(struct genl_info *info,
996 struct ieee802154_llsec_device *dev) 986 struct ieee802154_llsec_device *dev)
@@ -1121,8 +1111,6 @@ int ieee802154_llsec_dump_devs(struct sk_buff *skb, struct netlink_callback *cb)
1121 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devs); 1111 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devs);
1122} 1112}
1123 1113
1124
1125
1126static int llsec_add_devkey(struct net_device *dev, struct genl_info *info) 1114static int llsec_add_devkey(struct net_device *dev, struct genl_info *info)
1127{ 1115{
1128 struct ieee802154_mlme_ops *ops = ieee802154_mlme_ops(dev); 1116 struct ieee802154_mlme_ops *ops = ieee802154_mlme_ops(dev);
@@ -1237,8 +1225,6 @@ int ieee802154_llsec_dump_devkeys(struct sk_buff *skb,
1237 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devkeys); 1225 return ieee802154_llsec_dump_table(skb, cb, llsec_iter_devkeys);
1238} 1226}
1239 1227
1240
1241
1242static int 1228static int
1243llsec_parse_seclevel(struct genl_info *info, 1229llsec_parse_seclevel(struct genl_info *info,
1244 struct ieee802154_llsec_seclevel *sl) 1230 struct ieee802154_llsec_seclevel *sl)
diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
index 80a946dddd90..7baf98b14611 100644
--- a/net/ieee802154/nl-phy.c
+++ b/net/ieee802154/nl-phy.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Netlink inteface for IEEE 802.15.4 stack 2 * Netlink interface for IEEE 802.15.4 stack
3 * 3 *
4 * Copyright 2007, 2008 Siemens AG 4 * Copyright 2007, 2008 Siemens AG
5 * 5 *
@@ -94,7 +94,6 @@ int ieee802154_list_phy(struct sk_buff *skb, struct genl_info *info)
94 if (name[nla_len(info->attrs[IEEE802154_ATTR_PHY_NAME]) - 1] != '\0') 94 if (name[nla_len(info->attrs[IEEE802154_ATTR_PHY_NAME]) - 1] != '\0')
95 return -EINVAL; /* phy name should be null-terminated */ 95 return -EINVAL; /* phy name should be null-terminated */
96 96
97
98 phy = wpan_phy_find(name); 97 phy = wpan_phy_find(name);
99 if (!phy) 98 if (!phy)
100 return -ENODEV; 99 return -ENODEV;
diff --git a/net/ieee802154/raw.c b/net/ieee802154/raw.c
index 61e9d2972947..1674b115c891 100644
--- a/net/ieee802154/raw.c
+++ b/net/ieee802154/raw.c
@@ -221,7 +221,6 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
221 return NET_RX_SUCCESS; 221 return NET_RX_SUCCESS;
222} 222}
223 223
224
225void ieee802154_raw_deliver(struct net_device *dev, struct sk_buff *skb) 224void ieee802154_raw_deliver(struct net_device *dev, struct sk_buff *skb)
226{ 225{
227 struct sock *sk; 226 struct sock *sk;
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index c7c514220298..5d6dae9e4aac 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -932,6 +932,21 @@ ieee80211_vif_chanctx_reservation_complete(struct ieee80211_sub_if_data *sdata)
932 } 932 }
933} 933}
934 934
935static void
936ieee80211_vif_update_chandef(struct ieee80211_sub_if_data *sdata,
937 const struct cfg80211_chan_def *chandef)
938{
939 struct ieee80211_sub_if_data *vlan;
940
941 sdata->vif.bss_conf.chandef = *chandef;
942
943 if (sdata->vif.type != NL80211_IFTYPE_AP)
944 return;
945
946 list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
947 vlan->vif.bss_conf.chandef = *chandef;
948}
949
935static int 950static int
936ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata) 951ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
937{ 952{
@@ -994,7 +1009,7 @@ ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
994 if (sdata->vif.bss_conf.chandef.width != sdata->reserved_chandef.width) 1009 if (sdata->vif.bss_conf.chandef.width != sdata->reserved_chandef.width)
995 changed = BSS_CHANGED_BANDWIDTH; 1010 changed = BSS_CHANGED_BANDWIDTH;
996 1011
997 sdata->vif.bss_conf.chandef = sdata->reserved_chandef; 1012 ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
998 1013
999 if (changed) 1014 if (changed)
1000 ieee80211_bss_info_change_notify(sdata, changed); 1015 ieee80211_bss_info_change_notify(sdata, changed);
@@ -1336,7 +1351,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
1336 sdata->reserved_chandef.width) 1351 sdata->reserved_chandef.width)
1337 changed = BSS_CHANGED_BANDWIDTH; 1352 changed = BSS_CHANGED_BANDWIDTH;
1338 1353
1339 sdata->vif.bss_conf.chandef = sdata->reserved_chandef; 1354 ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
1340 if (changed) 1355 if (changed)
1341 ieee80211_bss_info_change_notify(sdata, 1356 ieee80211_bss_info_change_notify(sdata,
1342 changed); 1357 changed);
@@ -1507,7 +1522,7 @@ int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
1507 goto out; 1522 goto out;
1508 } 1523 }
1509 1524
1510 sdata->vif.bss_conf.chandef = *chandef; 1525 ieee80211_vif_update_chandef(sdata, chandef);
1511 1526
1512 ret = ieee80211_assign_vif_chanctx(sdata, ctx); 1527 ret = ieee80211_assign_vif_chanctx(sdata, ctx);
1513 if (ret) { 1528 if (ret) {
@@ -1649,7 +1664,7 @@ int ieee80211_vif_change_bandwidth(struct ieee80211_sub_if_data *sdata,
1649 break; 1664 break;
1650 } 1665 }
1651 1666
1652 sdata->vif.bss_conf.chandef = *chandef; 1667 ieee80211_vif_update_chandef(sdata, chandef);
1653 1668
1654 ieee80211_recalc_chanctx_chantype(local, ctx); 1669 ieee80211_recalc_chanctx_chantype(local, ctx);
1655 1670
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 538fe4ef5c85..417355390873 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -520,6 +520,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
520 sdata->vif.cab_queue = master->vif.cab_queue; 520 sdata->vif.cab_queue = master->vif.cab_queue;
521 memcpy(sdata->vif.hw_queue, master->vif.hw_queue, 521 memcpy(sdata->vif.hw_queue, master->vif.hw_queue,
522 sizeof(sdata->vif.hw_queue)); 522 sizeof(sdata->vif.hw_queue));
523 sdata->vif.bss_conf.chandef = master->vif.bss_conf.chandef;
523 break; 524 break;
524 } 525 }
525 case NL80211_IFTYPE_AP: 526 case NL80211_IFTYPE_AP:
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ba06cd003375..75a9bf50207e 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -552,13 +552,17 @@ static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
552 cap = vht_cap.cap; 552 cap = vht_cap.cap;
553 553
554 if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_80P80MHZ) { 554 if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_80P80MHZ) {
555 cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ; 555 u32 bw = cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
556 cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ; 556
557 cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
558 if (bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ ||
559 bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
560 cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
557 } 561 }
558 562
559 if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_160MHZ) { 563 if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_160MHZ) {
560 cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160; 564 cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
561 cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ; 565 cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
562 } 566 }
563 567
564 /* 568 /*
@@ -2263,9 +2267,7 @@ static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
2263 "detected beacon loss from AP (missed %d beacons) - probing\n", 2267 "detected beacon loss from AP (missed %d beacons) - probing\n",
2264 beacon_loss_count); 2268 beacon_loss_count);
2265 2269
2266 ieee80211_cqm_rssi_notify(&sdata->vif, 2270 ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
2267 NL80211_CQM_RSSI_BEACON_LOSS_EVENT,
2268 GFP_KERNEL);
2269 } 2271 }
2270 2272
2271 /* 2273 /*
@@ -4898,3 +4900,13 @@ void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
4898 cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp); 4900 cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp);
4899} 4901}
4900EXPORT_SYMBOL(ieee80211_cqm_rssi_notify); 4902EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
4903
4904void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
4905{
4906 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4907
4908 trace_api_cqm_beacon_loss_notify(sdata->local, sdata);
4909
4910 cfg80211_cqm_beacon_loss_notify(sdata->dev, gfp);
4911}
4912EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 08ab7d6d1517..d53355b011f5 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -446,7 +446,8 @@ static void rate_fixup_ratelist(struct ieee80211_vif *vif,
446 * 446 *
447 * XXX: Should this check all retry rates? 447 * XXX: Should this check all retry rates?
448 */ 448 */
449 if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) { 449 if (!(rates[0].flags &
450 (IEEE80211_TX_RC_MCS | IEEE80211_TX_RC_VHT_MCS))) {
450 u32 basic_rates = vif->bss_conf.basic_rates; 451 u32 basic_rates = vif->bss_conf.basic_rates;
451 s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0; 452 s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0;
452 453
diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
index 18babe302832..38652f09feaf 100644
--- a/net/mac80211/rate.h
+++ b/net/mac80211/rate.h
@@ -37,13 +37,35 @@ static inline void rate_control_tx_status(struct ieee80211_local *local,
37 struct rate_control_ref *ref = local->rate_ctrl; 37 struct rate_control_ref *ref = local->rate_ctrl;
38 struct ieee80211_sta *ista = &sta->sta; 38 struct ieee80211_sta *ista = &sta->sta;
39 void *priv_sta = sta->rate_ctrl_priv; 39 void *priv_sta = sta->rate_ctrl_priv;
40 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
40 41
41 if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL)) 42 if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
42 return; 43 return;
43 44
44 ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb); 45 if (ref->ops->tx_status)
46 ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb);
47 else
48 ref->ops->tx_status_noskb(ref->priv, sband, ista, priv_sta, info);
45} 49}
46 50
51static inline void
52rate_control_tx_status_noskb(struct ieee80211_local *local,
53 struct ieee80211_supported_band *sband,
54 struct sta_info *sta,
55 struct ieee80211_tx_info *info)
56{
57 struct rate_control_ref *ref = local->rate_ctrl;
58 struct ieee80211_sta *ista = &sta->sta;
59 void *priv_sta = sta->rate_ctrl_priv;
60
61 if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
62 return;
63
64 if (WARN_ON_ONCE(!ref->ops->tx_status_noskb))
65 return;
66
67 ref->ops->tx_status_noskb(ref->priv, sband, ista, priv_sta, info);
68}
47 69
48static inline void rate_control_rate_init(struct sta_info *sta) 70static inline void rate_control_rate_init(struct sta_info *sta)
49{ 71{
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index c2b91bf47f6d..d51f6b1c549b 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -223,11 +223,10 @@ minstrel_update_stats(struct minstrel_priv *mp, struct minstrel_sta_info *mi)
223static void 223static void
224minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband, 224minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband,
225 struct ieee80211_sta *sta, void *priv_sta, 225 struct ieee80211_sta *sta, void *priv_sta,
226 struct sk_buff *skb) 226 struct ieee80211_tx_info *info)
227{ 227{
228 struct minstrel_priv *mp = priv; 228 struct minstrel_priv *mp = priv;
229 struct minstrel_sta_info *mi = priv_sta; 229 struct minstrel_sta_info *mi = priv_sta;
230 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
231 struct ieee80211_tx_rate *ar = info->status.rates; 230 struct ieee80211_tx_rate *ar = info->status.rates;
232 int i, ndx; 231 int i, ndx;
233 int success; 232 int success;
@@ -674,7 +673,7 @@ static u32 minstrel_get_expected_throughput(void *priv_sta)
674 673
675const struct rate_control_ops mac80211_minstrel = { 674const struct rate_control_ops mac80211_minstrel = {
676 .name = "minstrel", 675 .name = "minstrel",
677 .tx_status = minstrel_tx_status, 676 .tx_status_noskb = minstrel_tx_status,
678 .get_rate = minstrel_get_rate, 677 .get_rate = minstrel_get_rate,
679 .rate_init = minstrel_rate_init, 678 .rate_init = minstrel_rate_init,
680 .alloc = minstrel_alloc, 679 .alloc = minstrel_alloc,
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index d013429af7ce..80452cfd2dc5 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -706,11 +706,10 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb)
706static void 706static void
707minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband, 707minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
708 struct ieee80211_sta *sta, void *priv_sta, 708 struct ieee80211_sta *sta, void *priv_sta,
709 struct sk_buff *skb) 709 struct ieee80211_tx_info *info)
710{ 710{
711 struct minstrel_ht_sta_priv *msp = priv_sta; 711 struct minstrel_ht_sta_priv *msp = priv_sta;
712 struct minstrel_ht_sta *mi = &msp->ht; 712 struct minstrel_ht_sta *mi = &msp->ht;
713 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
714 struct ieee80211_tx_rate *ar = info->status.rates; 713 struct ieee80211_tx_rate *ar = info->status.rates;
715 struct minstrel_rate_stats *rate, *rate2; 714 struct minstrel_rate_stats *rate, *rate2;
716 struct minstrel_priv *mp = priv; 715 struct minstrel_priv *mp = priv;
@@ -718,7 +717,8 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
718 int i; 717 int i;
719 718
720 if (!msp->is_ht) 719 if (!msp->is_ht)
721 return mac80211_minstrel.tx_status(priv, sband, sta, &msp->legacy, skb); 720 return mac80211_minstrel.tx_status_noskb(priv, sband, sta,
721 &msp->legacy, info);
722 722
723 /* This packet was aggregated but doesn't carry status info */ 723 /* This packet was aggregated but doesn't carry status info */
724 if ((info->flags & IEEE80211_TX_CTL_AMPDU) && 724 if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
@@ -779,9 +779,6 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
779 if (time_after(jiffies, mi->stats_update + (mp->update_interval / 2 * HZ) / 1000)) { 779 if (time_after(jiffies, mi->stats_update + (mp->update_interval / 2 * HZ) / 1000)) {
780 update = true; 780 update = true;
781 minstrel_ht_update_stats(mp, mi); 781 minstrel_ht_update_stats(mp, mi);
782 if (!(info->flags & IEEE80211_TX_CTL_AMPDU) &&
783 mi->max_prob_rate / MCS_GROUP_RATES != MINSTREL_CCK_GROUP)
784 minstrel_aggr_check(sta, skb);
785 } 782 }
786 783
787 if (update) 784 if (update)
@@ -1023,6 +1020,10 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
1023 if (!msp->is_ht) 1020 if (!msp->is_ht)
1024 return mac80211_minstrel.get_rate(priv, sta, &msp->legacy, txrc); 1021 return mac80211_minstrel.get_rate(priv, sta, &msp->legacy, txrc);
1025 1022
1023 if (!(info->flags & IEEE80211_TX_CTL_AMPDU) &&
1024 mi->max_prob_rate / MCS_GROUP_RATES != MINSTREL_CCK_GROUP)
1025 minstrel_aggr_check(sta, txrc->skb);
1026
1026 info->flags |= mi->tx_flags; 1027 info->flags |= mi->tx_flags;
1027 minstrel_ht_check_cck_shortpreamble(mp, mi, txrc->short_preamble); 1028 minstrel_ht_check_cck_shortpreamble(mp, mi, txrc->short_preamble);
1028 1029
@@ -1339,7 +1340,7 @@ static u32 minstrel_ht_get_expected_throughput(void *priv_sta)
1339 1340
1340static const struct rate_control_ops mac80211_minstrel_ht = { 1341static const struct rate_control_ops mac80211_minstrel_ht = {
1341 .name = "minstrel_ht", 1342 .name = "minstrel_ht",
1342 .tx_status = minstrel_ht_tx_status, 1343 .tx_status_noskb = minstrel_ht_tx_status,
1343 .get_rate = minstrel_ht_get_rate, 1344 .get_rate = minstrel_ht_get_rate,
1344 .rate_init = minstrel_ht_rate_init, 1345 .rate_init = minstrel_ht_rate_init,
1345 .rate_update = minstrel_ht_rate_update, 1346 .rate_update = minstrel_ht_rate_update,
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 71de2d3866cc..bb146f377ee4 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -592,10 +592,9 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
592#define STA_LOST_TDLS_PKT_THRESHOLD 10 592#define STA_LOST_TDLS_PKT_THRESHOLD 10
593#define STA_LOST_TDLS_PKT_TIME (10*HZ) /* 10secs since last ACK */ 593#define STA_LOST_TDLS_PKT_TIME (10*HZ) /* 10secs since last ACK */
594 594
595static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb) 595static void ieee80211_lost_packet(struct sta_info *sta,
596 struct ieee80211_tx_info *info)
596{ 597{
597 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
598
599 /* This packet was aggregated but doesn't carry status info */ 598 /* This packet was aggregated but doesn't carry status info */
600 if ((info->flags & IEEE80211_TX_CTL_AMPDU) && 599 if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
601 !(info->flags & IEEE80211_TX_STAT_AMPDU)) 600 !(info->flags & IEEE80211_TX_STAT_AMPDU))
@@ -622,24 +621,13 @@ static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb)
622 sta->lost_packets = 0; 621 sta->lost_packets = 0;
623} 622}
624 623
625void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) 624static int ieee80211_tx_get_rates(struct ieee80211_hw *hw,
625 struct ieee80211_tx_info *info,
626 int *retry_count)
626{ 627{
627 struct sk_buff *skb2;
628 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
629 struct ieee80211_local *local = hw_to_local(hw);
630 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
631 __le16 fc;
632 struct ieee80211_supported_band *sband;
633 struct ieee80211_sub_if_data *sdata;
634 struct net_device *prev_dev = NULL;
635 struct sta_info *sta, *tmp;
636 int retry_count = -1, i;
637 int rates_idx = -1; 628 int rates_idx = -1;
638 bool send_to_cooked; 629 int count = -1;
639 bool acked; 630 int i;
640 struct ieee80211_bar *bar;
641 int rtap_len;
642 int shift = 0;
643 631
644 for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) { 632 for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
645 if ((info->flags & IEEE80211_TX_CTL_AMPDU) && 633 if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
@@ -657,12 +645,91 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
657 break; 645 break;
658 } 646 }
659 647
660 retry_count += info->status.rates[i].count; 648 count += info->status.rates[i].count;
661 } 649 }
662 rates_idx = i - 1; 650 rates_idx = i - 1;
663 651
664 if (retry_count < 0) 652 if (count < 0)
665 retry_count = 0; 653 count = 0;
654
655 *retry_count = count;
656 return rates_idx;
657}
658
659void ieee80211_tx_status_noskb(struct ieee80211_hw *hw,
660 struct ieee80211_sta *pubsta,
661 struct ieee80211_tx_info *info)
662{
663 struct ieee80211_local *local = hw_to_local(hw);
664 struct ieee80211_supported_band *sband;
665 int retry_count;
666 int rates_idx;
667 bool acked;
668
669 rates_idx = ieee80211_tx_get_rates(hw, info, &retry_count);
670
671 sband = hw->wiphy->bands[info->band];
672
673 acked = !!(info->flags & IEEE80211_TX_STAT_ACK);
674 if (pubsta) {
675 struct sta_info *sta;
676
677 sta = container_of(pubsta, struct sta_info, sta);
678
679 if (!acked)
680 sta->tx_retry_failed++;
681 sta->tx_retry_count += retry_count;
682
683 if (acked) {
684 sta->last_rx = jiffies;
685
686 if (sta->lost_packets)
687 sta->lost_packets = 0;
688
689 /* Track when last TDLS packet was ACKed */
690 if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
691 sta->last_tdls_pkt_time = jiffies;
692 } else {
693 ieee80211_lost_packet(sta, info);
694 }
695
696 rate_control_tx_status_noskb(local, sband, sta, info);
697 }
698
699 if (acked) {
700 local->dot11TransmittedFrameCount++;
701 if (!pubsta)
702 local->dot11MulticastTransmittedFrameCount++;
703 if (retry_count > 0)
704 local->dot11RetryCount++;
705 if (retry_count > 1)
706 local->dot11MultipleRetryCount++;
707 } else {
708 local->dot11FailedCount++;
709 }
710}
711EXPORT_SYMBOL(ieee80211_tx_status_noskb);
712
713void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
714{
715 struct sk_buff *skb2;
716 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
717 struct ieee80211_local *local = hw_to_local(hw);
718 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
719 __le16 fc;
720 struct ieee80211_supported_band *sband;
721 struct ieee80211_sub_if_data *sdata;
722 struct net_device *prev_dev = NULL;
723 struct sta_info *sta, *tmp;
724 int retry_count;
725 int rates_idx;
726 bool send_to_cooked;
727 bool acked;
728 struct ieee80211_bar *bar;
729 int rtap_len;
730 int shift = 0;
731
732 rates_idx = ieee80211_tx_get_rates(hw, info, &retry_count);
666 733
667 rcu_read_lock(); 734 rcu_read_lock();
668 735
@@ -767,7 +834,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
767 if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) 834 if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
768 sta->last_tdls_pkt_time = jiffies; 835 sta->last_tdls_pkt_time = jiffies;
769 } else { 836 } else {
770 ieee80211_lost_packet(sta, skb); 837 ieee80211_lost_packet(sta, info);
771 } 838 }
772 } 839 }
773 840
diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 85ccfbe863db..8e461a02c6a8 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -1829,6 +1829,12 @@ TRACE_EVENT(api_cqm_rssi_notify,
1829 ) 1829 )
1830); 1830);
1831 1831
1832DEFINE_EVENT(local_sdata_evt, api_cqm_beacon_loss_notify,
1833 TP_PROTO(struct ieee80211_local *local,
1834 struct ieee80211_sub_if_data *sdata),
1835 TP_ARGS(local, sdata)
1836);
1837
1832TRACE_EVENT(api_scan_completed, 1838TRACE_EVENT(api_scan_completed,
1833 TP_PROTO(struct ieee80211_local *local, bool aborted), 1839 TP_PROTO(struct ieee80211_local *local, bool aborted),
1834 1840
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 66ddbbeccd20..058686a721a1 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -60,7 +60,7 @@ static __le16 ieee80211_duration(struct ieee80211_tx_data *tx,
60 rcu_read_unlock(); 60 rcu_read_unlock();
61 61
62 /* assume HW handles this */ 62 /* assume HW handles this */
63 if (tx->rate.flags & IEEE80211_TX_RC_MCS) 63 if (tx->rate.flags & (IEEE80211_TX_RC_MCS | IEEE80211_TX_RC_VHT_MCS))
64 return 0; 64 return 0;
65 65
66 /* uh huh? */ 66 /* uh huh? */
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index bb9664cb8831..974ebe70f5b0 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1339,6 +1339,7 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_local *local,
1339 int ext_rates_len; 1339 int ext_rates_len;
1340 int shift; 1340 int shift;
1341 u32 rate_flags; 1341 u32 rate_flags;
1342 bool have_80mhz = false;
1342 1343
1343 *offset = 0; 1344 *offset = 0;
1344 1345
@@ -1467,7 +1468,15 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_local *local,
1467 *offset = noffset; 1468 *offset = noffset;
1468 } 1469 }
1469 1470
1470 if (sband->vht_cap.vht_supported) { 1471 /* Check if any channel in this sband supports at least 80 MHz */
1472 for (i = 0; i < sband->n_channels; i++) {
1473 if (!(sband->channels[i].flags & IEEE80211_CHAN_NO_80MHZ)) {
1474 have_80mhz = true;
1475 break;
1476 }
1477 }
1478
1479 if (sband->vht_cap.vht_supported && have_80mhz) {
1471 if (end - pos < 2 + sizeof(struct ieee80211_vht_cap)) 1480 if (end - pos < 2 + sizeof(struct ieee80211_vht_cap))
1472 goto out_err; 1481 goto out_err;
1473 pos = ieee80211_ie_build_vht_cap(pos, &sband->vht_cap, 1482 pos = ieee80211_ie_build_vht_cap(pos, &sband->vht_cap,
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 38dfc72d24b6..9ae893057dd7 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -510,11 +510,9 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
510 if (ret) 510 if (ret)
511 goto err; 511 goto err;
512 512
513 if (ndev) { 513 ret = register_netdevice(ndev);
514 ret = register_netdevice(ndev); 514 if (ret < 0)
515 if (ret < 0) 515 goto err;
516 goto err;
517 }
518 516
519 mutex_lock(&local->iflist_mtx); 517 mutex_lock(&local->iflist_mtx);
520 list_add_tail_rcu(&sdata->list, &local->interfaces); 518 list_add_tail_rcu(&sdata->list, &local->interfaces);
diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
index fa0d5237c2e0..dcf73958133a 100644
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -75,8 +75,6 @@ void mac802154_llsec_destroy(struct mac802154_llsec *sec)
75 } 75 }
76} 76}
77 77
78
79
80int mac802154_llsec_get_params(struct mac802154_llsec *sec, 78int mac802154_llsec_get_params(struct mac802154_llsec *sec,
81 struct ieee802154_llsec_params *params) 79 struct ieee802154_llsec_params *params)
82{ 80{
@@ -117,8 +115,6 @@ int mac802154_llsec_set_params(struct mac802154_llsec *sec,
117 return 0; 115 return 0;
118} 116}
119 117
120
121
122static struct mac802154_llsec_key* 118static struct mac802154_llsec_key*
123llsec_key_alloc(const struct ieee802154_llsec_key *template) 119llsec_key_alloc(const struct ieee802154_llsec_key *template)
124{ 120{
@@ -294,8 +290,6 @@ int mac802154_llsec_key_del(struct mac802154_llsec *sec,
294 return -ENOENT; 290 return -ENOENT;
295} 291}
296 292
297
298
299static bool llsec_dev_use_shortaddr(__le16 short_addr) 293static bool llsec_dev_use_shortaddr(__le16 short_addr)
300{ 294{
301 return short_addr != cpu_to_le16(IEEE802154_ADDR_UNDEF) && 295 return short_addr != cpu_to_le16(IEEE802154_ADDR_UNDEF) &&
@@ -304,12 +298,12 @@ static bool llsec_dev_use_shortaddr(__le16 short_addr)
304 298
305static u32 llsec_dev_hash_short(__le16 short_addr, __le16 pan_id) 299static u32 llsec_dev_hash_short(__le16 short_addr, __le16 pan_id)
306{ 300{
307 return ((__force u16) short_addr) << 16 | (__force u16) pan_id; 301 return ((__force u16)short_addr) << 16 | (__force u16)pan_id;
308} 302}
309 303
310static u64 llsec_dev_hash_long(__le64 hwaddr) 304static u64 llsec_dev_hash_long(__le64 hwaddr)
311{ 305{
312 return (__force u64) hwaddr; 306 return (__force u64)hwaddr;
313} 307}
314 308
315static struct mac802154_llsec_device* 309static struct mac802154_llsec_device*
@@ -411,8 +405,6 @@ int mac802154_llsec_dev_del(struct mac802154_llsec *sec, __le64 device_addr)
411 return 0; 405 return 0;
412} 406}
413 407
414
415
416static struct mac802154_llsec_device_key* 408static struct mac802154_llsec_device_key*
417llsec_devkey_find(struct mac802154_llsec_device *dev, 409llsec_devkey_find(struct mac802154_llsec_device *dev,
418 const struct ieee802154_llsec_key_id *key) 410 const struct ieee802154_llsec_key_id *key)
@@ -475,8 +467,6 @@ int mac802154_llsec_devkey_del(struct mac802154_llsec *sec,
475 return 0; 467 return 0;
476} 468}
477 469
478
479
480static struct mac802154_llsec_seclevel* 470static struct mac802154_llsec_seclevel*
481llsec_find_seclevel(const struct mac802154_llsec *sec, 471llsec_find_seclevel(const struct mac802154_llsec *sec,
482 const struct ieee802154_llsec_seclevel *sl) 472 const struct ieee802154_llsec_seclevel *sl)
@@ -532,8 +522,6 @@ int mac802154_llsec_seclevel_del(struct mac802154_llsec *sec,
532 return 0; 522 return 0;
533} 523}
534 524
535
536
537static int llsec_recover_addr(struct mac802154_llsec *sec, 525static int llsec_recover_addr(struct mac802154_llsec *sec,
538 struct ieee802154_addr *addr) 526 struct ieee802154_addr *addr)
539{ 527{
@@ -609,7 +597,6 @@ found:
609 return llsec_key_get(key); 597 return llsec_key_get(key);
610} 598}
611 599
612
613static void llsec_geniv(u8 iv[16], __le64 addr, 600static void llsec_geniv(u8 iv[16], __le64 addr,
614 const struct ieee802154_sechdr *sec) 601 const struct ieee802154_sechdr *sec)
615{ 602{
@@ -786,8 +773,6 @@ fail:
786 return rc; 773 return rc;
787} 774}
788 775
789
790
791static struct mac802154_llsec_device* 776static struct mac802154_llsec_device*
792llsec_lookup_dev(struct mac802154_llsec *sec, 777llsec_lookup_dev(struct mac802154_llsec *sec,
793 const struct ieee802154_addr *addr) 778 const struct ieee802154_addr *addr)
diff --git a/net/mac802154/mib.c b/net/mac802154/mib.c
index 3596b29ead6b..5cf019a57fd7 100644
--- a/net/mac802154/mib.c
+++ b/net/mac802154/mib.c
@@ -104,7 +104,6 @@ void mac802154_dev_set_page_channel(struct net_device *dev, u8 page, u8 chan)
104 } 104 }
105} 105}
106 106
107
108int mac802154_get_params(struct net_device *dev, 107int mac802154_get_params(struct net_device *dev,
109 struct ieee802154_llsec_params *params) 108 struct ieee802154_llsec_params *params)
110{ 109{
@@ -136,7 +135,6 @@ int mac802154_set_params(struct net_device *dev,
136 return res; 135 return res;
137} 136}
138 137
139
140int mac802154_add_key(struct net_device *dev, 138int mac802154_add_key(struct net_device *dev,
141 const struct ieee802154_llsec_key_id *id, 139 const struct ieee802154_llsec_key_id *id,
142 const struct ieee802154_llsec_key *key) 140 const struct ieee802154_llsec_key *key)
@@ -168,7 +166,6 @@ int mac802154_del_key(struct net_device *dev,
168 return res; 166 return res;
169} 167}
170 168
171
172int mac802154_add_dev(struct net_device *dev, 169int mac802154_add_dev(struct net_device *dev,
173 const struct ieee802154_llsec_device *llsec_dev) 170 const struct ieee802154_llsec_device *llsec_dev)
174{ 171{
@@ -198,7 +195,6 @@ int mac802154_del_dev(struct net_device *dev, __le64 dev_addr)
198 return res; 195 return res;
199} 196}
200 197
201
202int mac802154_add_devkey(struct net_device *dev, 198int mac802154_add_devkey(struct net_device *dev,
203 __le64 device_addr, 199 __le64 device_addr,
204 const struct ieee802154_llsec_device_key *key) 200 const struct ieee802154_llsec_device_key *key)
@@ -231,7 +227,6 @@ int mac802154_del_devkey(struct net_device *dev,
231 return res; 227 return res;
232} 228}
233 229
234
235int mac802154_add_seclevel(struct net_device *dev, 230int mac802154_add_seclevel(struct net_device *dev,
236 const struct ieee802154_llsec_seclevel *sl) 231 const struct ieee802154_llsec_seclevel *sl)
237{ 232{
@@ -262,7 +257,6 @@ int mac802154_del_seclevel(struct net_device *dev,
262 return res; 257 return res;
263} 258}
264 259
265
266void mac802154_lock_table(struct net_device *dev) 260void mac802154_lock_table(struct net_device *dev)
267{ 261{
268 struct ieee802154_sub_if_data *sdata = IEEE802154_DEV_TO_SUB_IF(dev); 262 struct ieee802154_sub_if_data *sdata = IEEE802154_DEV_TO_SUB_IF(dev);
diff --git a/net/mac802154/rx.c b/net/mac802154/rx.c
index 041dbd5958d4..c0d67b2b4132 100644
--- a/net/mac802154/rx.c
+++ b/net/mac802154/rx.c
@@ -85,8 +85,7 @@ ieee802154_subif_frame(struct ieee802154_sub_if_data *sdata,
85 default: 85 default:
86 spin_unlock_bh(&sdata->mib_lock); 86 spin_unlock_bh(&sdata->mib_lock);
87 pr_debug("invalid dest mode\n"); 87 pr_debug("invalid dest mode\n");
88 kfree_skb(skb); 88 goto fail;
89 return NET_RX_DROP;
90 } 89 }
91 90
92 spin_unlock_bh(&sdata->mib_lock); 91 spin_unlock_bh(&sdata->mib_lock);
diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
index b60aa35c074f..f72be7433df3 100644
--- a/net/nfc/digital_dep.c
+++ b/net/nfc/digital_dep.c
@@ -17,6 +17,9 @@
17 17
18#include "digital.h" 18#include "digital.h"
19 19
20#define DIGITAL_NFC_DEP_N_RETRY_NACK 2
21#define DIGITAL_NFC_DEP_N_RETRY_ATN 2
22
20#define DIGITAL_NFC_DEP_FRAME_DIR_OUT 0xD4 23#define DIGITAL_NFC_DEP_FRAME_DIR_OUT 0xD4
21#define DIGITAL_NFC_DEP_FRAME_DIR_IN 0xD5 24#define DIGITAL_NFC_DEP_FRAME_DIR_IN 0xD5
22 25
@@ -32,20 +35,32 @@
32#define DIGITAL_ATR_REQ_MIN_SIZE 16 35#define DIGITAL_ATR_REQ_MIN_SIZE 16
33#define DIGITAL_ATR_REQ_MAX_SIZE 64 36#define DIGITAL_ATR_REQ_MAX_SIZE 64
34 37
35#define DIGITAL_LR_BITS_PAYLOAD_SIZE_254B 0x30 38#define DIGITAL_DID_MAX 14
36#define DIGITAL_FSL_BITS_PAYLOAD_SIZE_254B \ 39
37 (DIGITAL_LR_BITS_PAYLOAD_SIZE_254B >> 4) 40#define DIGITAL_PAYLOAD_SIZE_MAX 254
41#define DIGITAL_PAYLOAD_BITS_TO_PP(s) (((s) & 0x3) << 4)
42#define DIGITAL_PAYLOAD_PP_TO_BITS(s) (((s) >> 4) & 0x3)
43#define DIGITAL_PAYLOAD_BITS_TO_FSL(s) ((s) & 0x3)
44#define DIGITAL_PAYLOAD_FSL_TO_BITS(s) ((s) & 0x3)
45
38#define DIGITAL_GB_BIT 0x02 46#define DIGITAL_GB_BIT 0x02
39 47
48#define DIGITAL_NFC_DEP_REQ_RES_HEADROOM 2 /* SoD: [SB (NFC-A)] + LEN */
49#define DIGITAL_NFC_DEP_REQ_RES_TAILROOM 2 /* EoD: 2-byte CRC */
50
40#define DIGITAL_NFC_DEP_PFB_TYPE(pfb) ((pfb) & 0xE0) 51#define DIGITAL_NFC_DEP_PFB_TYPE(pfb) ((pfb) & 0xE0)
41 52
42#define DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT 0x10 53#define DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT 0x10
54#define DIGITAL_NFC_DEP_PFB_MI_BIT 0x10
55#define DIGITAL_NFC_DEP_PFB_NACK_BIT 0x10
56#define DIGITAL_NFC_DEP_PFB_DID_BIT 0x04
43 57
44#define DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb) \ 58#define DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb) \
45 ((pfb) & DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT) 59 ((pfb) & DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT)
46#define DIGITAL_NFC_DEP_MI_BIT_SET(pfb) ((pfb) & 0x10) 60#define DIGITAL_NFC_DEP_MI_BIT_SET(pfb) ((pfb) & DIGITAL_NFC_DEP_PFB_MI_BIT)
61#define DIGITAL_NFC_DEP_NACK_BIT_SET(pfb) ((pfb) & DIGITAL_NFC_DEP_PFB_NACK_BIT)
47#define DIGITAL_NFC_DEP_NAD_BIT_SET(pfb) ((pfb) & 0x08) 62#define DIGITAL_NFC_DEP_NAD_BIT_SET(pfb) ((pfb) & 0x08)
48#define DIGITAL_NFC_DEP_DID_BIT_SET(pfb) ((pfb) & 0x04) 63#define DIGITAL_NFC_DEP_DID_BIT_SET(pfb) ((pfb) & DIGITAL_NFC_DEP_PFB_DID_BIT)
49#define DIGITAL_NFC_DEP_PFB_PNI(pfb) ((pfb) & 0x03) 64#define DIGITAL_NFC_DEP_PFB_PNI(pfb) ((pfb) & 0x03)
50 65
51#define DIGITAL_NFC_DEP_PFB_I_PDU 0x00 66#define DIGITAL_NFC_DEP_PFB_I_PDU 0x00
@@ -97,6 +112,34 @@ struct digital_dep_req_res {
97 112
98static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg, 113static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
99 struct sk_buff *resp); 114 struct sk_buff *resp);
115static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
116 struct sk_buff *resp);
117
118static const u8 digital_payload_bits_map[4] = {
119 [0] = 64,
120 [1] = 128,
121 [2] = 192,
122 [3] = 254
123};
124
125static u8 digital_payload_bits_to_size(u8 payload_bits)
126{
127 if (payload_bits >= ARRAY_SIZE(digital_payload_bits_map))
128 return 0;
129
130 return digital_payload_bits_map[payload_bits];
131}
132
133static u8 digital_payload_size_to_bits(u8 payload_size)
134{
135 int i;
136
137 for (i = 0; i < ARRAY_SIZE(digital_payload_bits_map); i++)
138 if (digital_payload_bits_map[i] == payload_size)
139 return i;
140
141 return 0xff;
142}
100 143
101static void digital_skb_push_dep_sod(struct nfc_digital_dev *ddev, 144static void digital_skb_push_dep_sod(struct nfc_digital_dev *ddev,
102 struct sk_buff *skb) 145 struct sk_buff *skb)
@@ -129,6 +172,106 @@ static int digital_skb_pull_dep_sod(struct nfc_digital_dev *ddev,
129 return 0; 172 return 0;
130} 173}
131 174
175static struct sk_buff *
176digital_send_dep_data_prep(struct nfc_digital_dev *ddev, struct sk_buff *skb,
177 struct digital_dep_req_res *dep_req_res,
178 struct digital_data_exch *data_exch)
179{
180 struct sk_buff *new_skb;
181
182 if (skb->len > ddev->remote_payload_max) {
183 dep_req_res->pfb |= DIGITAL_NFC_DEP_PFB_MI_BIT;
184
185 new_skb = digital_skb_alloc(ddev, ddev->remote_payload_max);
186 if (!new_skb) {
187 kfree_skb(ddev->chaining_skb);
188 ddev->chaining_skb = NULL;
189
190 return ERR_PTR(-ENOMEM);
191 }
192
193 skb_reserve(new_skb, ddev->tx_headroom + NFC_HEADER_SIZE +
194 DIGITAL_NFC_DEP_REQ_RES_HEADROOM);
195 memcpy(skb_put(new_skb, ddev->remote_payload_max), skb->data,
196 ddev->remote_payload_max);
197 skb_pull(skb, ddev->remote_payload_max);
198
199 ddev->chaining_skb = skb;
200 ddev->data_exch = data_exch;
201 } else {
202 ddev->chaining_skb = NULL;
203 new_skb = skb;
204 }
205
206 return new_skb;
207}
208
209static struct sk_buff *
210digital_recv_dep_data_gather(struct nfc_digital_dev *ddev, u8 pfb,
211 struct sk_buff *resp,
212 int (*send_ack)(struct nfc_digital_dev *ddev,
213 struct digital_data_exch
214 *data_exch),
215 struct digital_data_exch *data_exch)
216{
217 struct sk_buff *new_skb;
218 int rc;
219
220 if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb) && (!ddev->chaining_skb)) {
221 ddev->chaining_skb =
222 nfc_alloc_recv_skb(8 * ddev->local_payload_max,
223 GFP_KERNEL);
224 if (!ddev->chaining_skb) {
225 rc = -ENOMEM;
226 goto error;
227 }
228 }
229
230 if (ddev->chaining_skb) {
231 if (resp->len > skb_tailroom(ddev->chaining_skb)) {
232 new_skb = skb_copy_expand(ddev->chaining_skb,
233 skb_headroom(
234 ddev->chaining_skb),
235 8 * ddev->local_payload_max,
236 GFP_KERNEL);
237 if (!new_skb) {
238 rc = -ENOMEM;
239 goto error;
240 }
241
242 kfree_skb(ddev->chaining_skb);
243 ddev->chaining_skb = new_skb;
244 }
245
246 memcpy(skb_put(ddev->chaining_skb, resp->len), resp->data,
247 resp->len);
248
249 kfree_skb(resp);
250 resp = NULL;
251
252 if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb)) {
253 rc = send_ack(ddev, data_exch);
254 if (rc)
255 goto error;
256
257 return NULL;
258 }
259
260 resp = ddev->chaining_skb;
261 ddev->chaining_skb = NULL;
262 }
263
264 return resp;
265
266error:
267 kfree_skb(resp);
268
269 kfree_skb(ddev->chaining_skb);
270 ddev->chaining_skb = NULL;
271
272 return ERR_PTR(rc);
273}
274
132static void digital_in_recv_psl_res(struct nfc_digital_dev *ddev, void *arg, 275static void digital_in_recv_psl_res(struct nfc_digital_dev *ddev, void *arg,
133 struct sk_buff *resp) 276 struct sk_buff *resp)
134{ 277{
@@ -198,6 +341,8 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
198{ 341{
199 struct sk_buff *skb; 342 struct sk_buff *skb;
200 struct digital_psl_req *psl_req; 343 struct digital_psl_req *psl_req;
344 int rc;
345 u8 payload_size, payload_bits;
201 346
202 skb = digital_skb_alloc(ddev, sizeof(*psl_req)); 347 skb = digital_skb_alloc(ddev, sizeof(*psl_req));
203 if (!skb) 348 if (!skb)
@@ -211,14 +356,24 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
211 psl_req->cmd = DIGITAL_CMD_PSL_REQ; 356 psl_req->cmd = DIGITAL_CMD_PSL_REQ;
212 psl_req->did = 0; 357 psl_req->did = 0;
213 psl_req->brs = (0x2 << 3) | 0x2; /* 424F both directions */ 358 psl_req->brs = (0x2 << 3) | 0x2; /* 424F both directions */
214 psl_req->fsl = DIGITAL_FSL_BITS_PAYLOAD_SIZE_254B; 359
360 payload_size = min(ddev->local_payload_max, ddev->remote_payload_max);
361 payload_bits = digital_payload_size_to_bits(payload_size);
362 psl_req->fsl = DIGITAL_PAYLOAD_BITS_TO_FSL(payload_bits);
363
364 ddev->local_payload_max = payload_size;
365 ddev->remote_payload_max = payload_size;
215 366
216 digital_skb_push_dep_sod(ddev, skb); 367 digital_skb_push_dep_sod(ddev, skb);
217 368
218 ddev->skb_add_crc(skb); 369 ddev->skb_add_crc(skb);
219 370
220 return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res, 371 rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res,
221 target); 372 target);
373 if (rc)
374 kfree_skb(skb);
375
376 return rc;
222} 377}
223 378
224static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg, 379static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
@@ -226,7 +381,7 @@ static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
226{ 381{
227 struct nfc_target *target = arg; 382 struct nfc_target *target = arg;
228 struct digital_atr_res *atr_res; 383 struct digital_atr_res *atr_res;
229 u8 gb_len; 384 u8 gb_len, payload_bits;
230 int rc; 385 int rc;
231 386
232 if (IS_ERR(resp)) { 387 if (IS_ERR(resp)) {
@@ -256,6 +411,14 @@ static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
256 411
257 atr_res = (struct digital_atr_res *)resp->data; 412 atr_res = (struct digital_atr_res *)resp->data;
258 413
414 payload_bits = DIGITAL_PAYLOAD_PP_TO_BITS(atr_res->pp);
415 ddev->remote_payload_max = digital_payload_bits_to_size(payload_bits);
416
417 if (!ddev->remote_payload_max) {
418 rc = -EINVAL;
419 goto exit;
420 }
421
259 rc = nfc_set_remote_general_bytes(ddev->nfc_dev, atr_res->gb, gb_len); 422 rc = nfc_set_remote_general_bytes(ddev->nfc_dev, atr_res->gb, gb_len);
260 if (rc) 423 if (rc)
261 goto exit; 424 goto exit;
@@ -286,6 +449,8 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
286 struct sk_buff *skb; 449 struct sk_buff *skb;
287 struct digital_atr_req *atr_req; 450 struct digital_atr_req *atr_req;
288 uint size; 451 uint size;
452 int rc;
453 u8 payload_bits;
289 454
290 size = DIGITAL_ATR_REQ_MIN_SIZE + gb_len; 455 size = DIGITAL_ATR_REQ_MIN_SIZE + gb_len;
291 456
@@ -314,7 +479,9 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
314 atr_req->bs = 0; 479 atr_req->bs = 0;
315 atr_req->br = 0; 480 atr_req->br = 0;
316 481
317 atr_req->pp = DIGITAL_LR_BITS_PAYLOAD_SIZE_254B; 482 ddev->local_payload_max = DIGITAL_PAYLOAD_SIZE_MAX;
483 payload_bits = digital_payload_size_to_bits(ddev->local_payload_max);
484 atr_req->pp = DIGITAL_PAYLOAD_BITS_TO_PP(payload_bits);
318 485
319 if (gb_len) { 486 if (gb_len) {
320 atr_req->pp |= DIGITAL_GB_BIT; 487 atr_req->pp |= DIGITAL_GB_BIT;
@@ -325,8 +492,113 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
325 492
326 ddev->skb_add_crc(skb); 493 ddev->skb_add_crc(skb);
327 494
328 return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res, 495 rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
329 target); 496 target);
497 if (rc)
498 kfree_skb(skb);
499
500 return rc;
501}
502
503static int digital_in_send_ack(struct nfc_digital_dev *ddev,
504 struct digital_data_exch *data_exch)
505{
506 struct digital_dep_req_res *dep_req;
507 struct sk_buff *skb;
508 int rc;
509
510 skb = digital_skb_alloc(ddev, 1);
511 if (!skb)
512 return -ENOMEM;
513
514 skb_push(skb, sizeof(struct digital_dep_req_res));
515
516 dep_req = (struct digital_dep_req_res *)skb->data;
517
518 dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
519 dep_req->cmd = DIGITAL_CMD_DEP_REQ;
520 dep_req->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
521 ddev->curr_nfc_dep_pni;
522
523 digital_skb_push_dep_sod(ddev, skb);
524
525 ddev->skb_add_crc(skb);
526
527 ddev->saved_skb = skb_get(skb);
528 ddev->saved_skb_len = skb->len;
529
530 rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
531 data_exch);
532 if (rc) {
533 kfree_skb(skb);
534 kfree_skb(ddev->saved_skb);
535 ddev->saved_skb = NULL;
536 }
537
538 return rc;
539}
540
541static int digital_in_send_nack(struct nfc_digital_dev *ddev,
542 struct digital_data_exch *data_exch)
543{
544 struct digital_dep_req_res *dep_req;
545 struct sk_buff *skb;
546 int rc;
547
548 skb = digital_skb_alloc(ddev, 1);
549 if (!skb)
550 return -ENOMEM;
551
552 skb_push(skb, sizeof(struct digital_dep_req_res));
553
554 dep_req = (struct digital_dep_req_res *)skb->data;
555
556 dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
557 dep_req->cmd = DIGITAL_CMD_DEP_REQ;
558 dep_req->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
559 DIGITAL_NFC_DEP_PFB_NACK_BIT | ddev->curr_nfc_dep_pni;
560
561 digital_skb_push_dep_sod(ddev, skb);
562
563 ddev->skb_add_crc(skb);
564
565 rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
566 data_exch);
567 if (rc)
568 kfree_skb(skb);
569
570 return rc;
571}
572
573static int digital_in_send_atn(struct nfc_digital_dev *ddev,
574 struct digital_data_exch *data_exch)
575{
576 struct digital_dep_req_res *dep_req;
577 struct sk_buff *skb;
578 int rc;
579
580 skb = digital_skb_alloc(ddev, 1);
581 if (!skb)
582 return -ENOMEM;
583
584 skb_push(skb, sizeof(struct digital_dep_req_res));
585
586 dep_req = (struct digital_dep_req_res *)skb->data;
587
588 dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
589 dep_req->cmd = DIGITAL_CMD_DEP_REQ;
590 dep_req->pfb = DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU;
591
592 digital_skb_push_dep_sod(ddev, skb);
593
594 ddev->skb_add_crc(skb);
595
596 rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
597 data_exch);
598 if (rc)
599 kfree_skb(skb);
600
601 return rc;
330} 602}
331 603
332static int digital_in_send_rtox(struct nfc_digital_dev *ddev, 604static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
@@ -355,12 +627,30 @@ static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
355 627
356 ddev->skb_add_crc(skb); 628 ddev->skb_add_crc(skb);
357 629
630 ddev->saved_skb = skb_get(skb);
631 ddev->saved_skb_len = skb->len;
632
358 rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res, 633 rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
359 data_exch); 634 data_exch);
635 if (rc) {
636 kfree_skb(skb);
637 kfree_skb(ddev->saved_skb);
638 ddev->saved_skb = NULL;
639 }
360 640
361 return rc; 641 return rc;
362} 642}
363 643
644static int digital_in_send_saved_skb(struct nfc_digital_dev *ddev,
645 struct digital_data_exch *data_exch)
646{
647 skb_get(ddev->saved_skb);
648 skb_push(ddev->saved_skb, ddev->saved_skb_len);
649
650 return digital_in_send_cmd(ddev, ddev->saved_skb, 1500,
651 digital_in_recv_dep_res, data_exch);
652}
653
364static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg, 654static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
365 struct sk_buff *resp) 655 struct sk_buff *resp)
366{ 656{
@@ -373,25 +663,67 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
373 if (IS_ERR(resp)) { 663 if (IS_ERR(resp)) {
374 rc = PTR_ERR(resp); 664 rc = PTR_ERR(resp);
375 resp = NULL; 665 resp = NULL;
666
667 if (((rc != -ETIMEDOUT) || ddev->nack_count) &&
668 (ddev->nack_count++ < DIGITAL_NFC_DEP_N_RETRY_NACK)) {
669 ddev->atn_count = 0;
670
671 rc = digital_in_send_nack(ddev, data_exch);
672 if (rc)
673 goto error;
674
675 return;
676 } else if ((rc == -ETIMEDOUT) &&
677 (ddev->atn_count++ < DIGITAL_NFC_DEP_N_RETRY_ATN)) {
678 ddev->nack_count = 0;
679
680 rc = digital_in_send_atn(ddev, data_exch);
681 if (rc)
682 goto error;
683
684 return;
685 }
686
687 goto exit;
688 }
689
690 rc = digital_skb_pull_dep_sod(ddev, resp);
691 if (rc) {
692 PROTOCOL_ERR("14.4.1.2");
376 goto exit; 693 goto exit;
377 } 694 }
378 695
379 rc = ddev->skb_check_crc(resp); 696 rc = ddev->skb_check_crc(resp);
380 if (rc) { 697 if (rc) {
698 if ((resp->len >= 4) &&
699 (ddev->nack_count++ < DIGITAL_NFC_DEP_N_RETRY_NACK)) {
700 ddev->atn_count = 0;
701
702 rc = digital_in_send_nack(ddev, data_exch);
703 if (rc)
704 goto error;
705
706 kfree_skb(resp);
707
708 return;
709 }
710
381 PROTOCOL_ERR("14.4.1.6"); 711 PROTOCOL_ERR("14.4.1.6");
382 goto error; 712 goto error;
383 } 713 }
384 714
385 rc = digital_skb_pull_dep_sod(ddev, resp); 715 ddev->atn_count = 0;
386 if (rc) { 716 ddev->nack_count = 0;
387 PROTOCOL_ERR("14.4.1.2"); 717
718 if (resp->len > ddev->local_payload_max) {
719 rc = -EMSGSIZE;
388 goto exit; 720 goto exit;
389 } 721 }
390 722
723 size = sizeof(struct digital_dep_req_res);
391 dep_res = (struct digital_dep_req_res *)resp->data; 724 dep_res = (struct digital_dep_req_res *)resp->data;
392 725
393 if (resp->len < sizeof(struct digital_dep_req_res) || 726 if (resp->len < size || dep_res->dir != DIGITAL_NFC_DEP_FRAME_DIR_IN ||
394 dep_res->dir != DIGITAL_NFC_DEP_FRAME_DIR_IN ||
395 dep_res->cmd != DIGITAL_CMD_DEP_RES) { 727 dep_res->cmd != DIGITAL_CMD_DEP_RES) {
396 rc = -EIO; 728 rc = -EIO;
397 goto error; 729 goto error;
@@ -399,6 +731,24 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
399 731
400 pfb = dep_res->pfb; 732 pfb = dep_res->pfb;
401 733
734 if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb)) {
735 PROTOCOL_ERR("14.8.2.1");
736 rc = -EIO;
737 goto error;
738 }
739
740 if (DIGITAL_NFC_DEP_NAD_BIT_SET(pfb)) {
741 rc = -EIO;
742 goto exit;
743 }
744
745 if (size > resp->len) {
746 rc = -EIO;
747 goto error;
748 }
749
750 skb_pull(resp, size);
751
402 switch (DIGITAL_NFC_DEP_PFB_TYPE(pfb)) { 752 switch (DIGITAL_NFC_DEP_PFB_TYPE(pfb)) {
403 case DIGITAL_NFC_DEP_PFB_I_PDU: 753 case DIGITAL_NFC_DEP_PFB_I_PDU:
404 if (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni) { 754 if (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni) {
@@ -409,21 +759,71 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
409 759
410 ddev->curr_nfc_dep_pni = 760 ddev->curr_nfc_dep_pni =
411 DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1); 761 DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
762
763 kfree_skb(ddev->saved_skb);
764 ddev->saved_skb = NULL;
765
766 resp = digital_recv_dep_data_gather(ddev, pfb, resp,
767 digital_in_send_ack,
768 data_exch);
769 if (IS_ERR(resp)) {
770 rc = PTR_ERR(resp);
771 resp = NULL;
772 goto error;
773 }
774
775 /* If resp is NULL then we're still chaining so return and
776 * wait for the next part of the PDU. Else, the PDU is
777 * complete so pass it up.
778 */
779 if (!resp)
780 return;
781
412 rc = 0; 782 rc = 0;
413 break; 783 break;
414 784
415 case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU: 785 case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU:
786 if (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni) {
787 PROTOCOL_ERR("14.12.3.3");
788 rc = -EIO;
789 goto exit;
790 }
791
792 ddev->curr_nfc_dep_pni =
793 DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
794
795 if (ddev->chaining_skb && !DIGITAL_NFC_DEP_NACK_BIT_SET(pfb)) {
796 kfree_skb(ddev->saved_skb);
797 ddev->saved_skb = NULL;
798
799 rc = digital_in_send_dep_req(ddev, NULL,
800 ddev->chaining_skb,
801 ddev->data_exch);
802 if (rc)
803 goto error;
804
805 return;
806 }
807
416 pr_err("Received a ACK/NACK PDU\n"); 808 pr_err("Received a ACK/NACK PDU\n");
417 rc = -EIO; 809 rc = -EINVAL;
418 goto error; 810 goto exit;
419 811
420 case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU: 812 case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU:
421 if (!DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) { 813 if (!DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) { /* ATN */
422 rc = -EINVAL; 814 rc = digital_in_send_saved_skb(ddev, data_exch);
423 goto error; 815 if (rc) {
816 kfree_skb(ddev->saved_skb);
817 goto error;
818 }
819
820 return;
424 } 821 }
425 822
426 rc = digital_in_send_rtox(ddev, data_exch, resp->data[3]); 823 kfree_skb(ddev->saved_skb);
824 ddev->saved_skb = NULL;
825
826 rc = digital_in_send_rtox(ddev, data_exch, resp->data[0]);
427 if (rc) 827 if (rc)
428 goto error; 828 goto error;
429 829
@@ -431,30 +831,18 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
431 return; 831 return;
432 } 832 }
433 833
434 if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb)) {
435 pr_err("MI bit set. Chained PDU not supported\n");
436 rc = -EIO;
437 goto error;
438 }
439
440 size = sizeof(struct digital_dep_req_res);
441
442 if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb))
443 size++;
444
445 if (size > resp->len) {
446 rc = -EIO;
447 goto error;
448 }
449
450 skb_pull(resp, size);
451
452exit: 834exit:
453 data_exch->cb(data_exch->cb_context, resp, rc); 835 data_exch->cb(data_exch->cb_context, resp, rc);
454 836
455error: 837error:
456 kfree(data_exch); 838 kfree(data_exch);
457 839
840 kfree_skb(ddev->chaining_skb);
841 ddev->chaining_skb = NULL;
842
843 kfree_skb(ddev->saved_skb);
844 ddev->saved_skb = NULL;
845
458 if (rc) 846 if (rc)
459 kfree_skb(resp); 847 kfree_skb(resp);
460} 848}
@@ -464,20 +852,47 @@ int digital_in_send_dep_req(struct nfc_digital_dev *ddev,
464 struct digital_data_exch *data_exch) 852 struct digital_data_exch *data_exch)
465{ 853{
466 struct digital_dep_req_res *dep_req; 854 struct digital_dep_req_res *dep_req;
855 struct sk_buff *chaining_skb, *tmp_skb;
856 int rc;
467 857
468 skb_push(skb, sizeof(struct digital_dep_req_res)); 858 skb_push(skb, sizeof(struct digital_dep_req_res));
469 859
470 dep_req = (struct digital_dep_req_res *)skb->data; 860 dep_req = (struct digital_dep_req_res *)skb->data;
861
471 dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT; 862 dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
472 dep_req->cmd = DIGITAL_CMD_DEP_REQ; 863 dep_req->cmd = DIGITAL_CMD_DEP_REQ;
473 dep_req->pfb = ddev->curr_nfc_dep_pni; 864 dep_req->pfb = ddev->curr_nfc_dep_pni;
474 865
475 digital_skb_push_dep_sod(ddev, skb); 866 ddev->atn_count = 0;
867 ddev->nack_count = 0;
476 868
477 ddev->skb_add_crc(skb); 869 chaining_skb = ddev->chaining_skb;
870
871 tmp_skb = digital_send_dep_data_prep(ddev, skb, dep_req, data_exch);
872 if (IS_ERR(tmp_skb))
873 return PTR_ERR(tmp_skb);
874
875 digital_skb_push_dep_sod(ddev, tmp_skb);
876
877 ddev->skb_add_crc(tmp_skb);
478 878
479 return digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res, 879 ddev->saved_skb = skb_get(tmp_skb);
480 data_exch); 880 ddev->saved_skb_len = tmp_skb->len;
881
882 rc = digital_in_send_cmd(ddev, tmp_skb, 1500, digital_in_recv_dep_res,
883 data_exch);
884 if (rc) {
885 if (tmp_skb != skb)
886 kfree_skb(tmp_skb);
887
888 kfree_skb(chaining_skb);
889 ddev->chaining_skb = NULL;
890
891 kfree_skb(ddev->saved_skb);
892 ddev->saved_skb = NULL;
893 }
894
895 return rc;
481} 896}
482 897
483static void digital_tg_set_rf_tech(struct nfc_digital_dev *ddev, u8 rf_tech) 898static void digital_tg_set_rf_tech(struct nfc_digital_dev *ddev, u8 rf_tech)
@@ -507,11 +922,106 @@ static void digital_tg_set_rf_tech(struct nfc_digital_dev *ddev, u8 rf_tech)
507 } 922 }
508} 923}
509 924
925static int digital_tg_send_ack(struct nfc_digital_dev *ddev,
926 struct digital_data_exch *data_exch)
927{
928 struct digital_dep_req_res *dep_res;
929 struct sk_buff *skb;
930 int rc;
931
932 skb = digital_skb_alloc(ddev, 1);
933 if (!skb)
934 return -ENOMEM;
935
936 skb_push(skb, sizeof(struct digital_dep_req_res));
937
938 dep_res = (struct digital_dep_req_res *)skb->data;
939
940 dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
941 dep_res->cmd = DIGITAL_CMD_DEP_RES;
942 dep_res->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
943 ddev->curr_nfc_dep_pni;
944
945 if (ddev->did) {
946 dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
947
948 memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
949 sizeof(ddev->did));
950 }
951
952 ddev->curr_nfc_dep_pni =
953 DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
954
955 digital_skb_push_dep_sod(ddev, skb);
956
957 ddev->skb_add_crc(skb);
958
959 ddev->saved_skb = skb_get(skb);
960 ddev->saved_skb_len = skb->len;
961
962 rc = digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req,
963 data_exch);
964 if (rc) {
965 kfree_skb(skb);
966 kfree_skb(ddev->saved_skb);
967 ddev->saved_skb = NULL;
968 }
969
970 return rc;
971}
972
973static int digital_tg_send_atn(struct nfc_digital_dev *ddev)
974{
975 struct digital_dep_req_res *dep_res;
976 struct sk_buff *skb;
977 int rc;
978
979 skb = digital_skb_alloc(ddev, 1);
980 if (!skb)
981 return -ENOMEM;
982
983 skb_push(skb, sizeof(struct digital_dep_req_res));
984
985 dep_res = (struct digital_dep_req_res *)skb->data;
986
987 dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
988 dep_res->cmd = DIGITAL_CMD_DEP_RES;
989 dep_res->pfb = DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU;
990
991 if (ddev->did) {
992 dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
993
994 memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
995 sizeof(ddev->did));
996 }
997
998 digital_skb_push_dep_sod(ddev, skb);
999
1000 ddev->skb_add_crc(skb);
1001
1002 rc = digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req,
1003 NULL);
1004 if (rc)
1005 kfree_skb(skb);
1006
1007 return rc;
1008}
1009
1010static int digital_tg_send_saved_skb(struct nfc_digital_dev *ddev)
1011{
1012 skb_get(ddev->saved_skb);
1013 skb_push(ddev->saved_skb, ddev->saved_skb_len);
1014
1015 return digital_tg_send_cmd(ddev, ddev->saved_skb, 1500,
1016 digital_tg_recv_dep_req, NULL);
1017}
1018
510static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg, 1019static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
511 struct sk_buff *resp) 1020 struct sk_buff *resp)
512{ 1021{
513 int rc; 1022 int rc;
514 struct digital_dep_req_res *dep_req; 1023 struct digital_dep_req_res *dep_req;
1024 u8 pfb;
515 size_t size; 1025 size_t size;
516 1026
517 if (IS_ERR(resp)) { 1027 if (IS_ERR(resp)) {
@@ -532,6 +1042,11 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
532 goto exit; 1042 goto exit;
533 } 1043 }
534 1044
1045 if (resp->len > ddev->local_payload_max) {
1046 rc = -EMSGSIZE;
1047 goto exit;
1048 }
1049
535 size = sizeof(struct digital_dep_req_res); 1050 size = sizeof(struct digital_dep_req_res);
536 dep_req = (struct digital_dep_req_res *)resp->data; 1051 dep_req = (struct digital_dep_req_res *)resp->data;
537 1052
@@ -541,34 +1056,147 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
541 goto exit; 1056 goto exit;
542 } 1057 }
543 1058
544 if (DIGITAL_NFC_DEP_DID_BIT_SET(dep_req->pfb)) 1059 pfb = dep_req->pfb;
545 size++;
546 1060
547 if (resp->len < size) { 1061 if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb)) {
1062 if (ddev->did && (ddev->did == resp->data[3])) {
1063 size++;
1064 } else {
1065 rc = -EIO;
1066 goto exit;
1067 }
1068 } else if (ddev->did) {
548 rc = -EIO; 1069 rc = -EIO;
549 goto exit; 1070 goto exit;
550 } 1071 }
551 1072
552 switch (DIGITAL_NFC_DEP_PFB_TYPE(dep_req->pfb)) { 1073 if (DIGITAL_NFC_DEP_NAD_BIT_SET(pfb)) {
1074 rc = -EIO;
1075 goto exit;
1076 }
1077
1078 if (size > resp->len) {
1079 rc = -EIO;
1080 goto exit;
1081 }
1082
1083 skb_pull(resp, size);
1084
1085 switch (DIGITAL_NFC_DEP_PFB_TYPE(pfb)) {
553 case DIGITAL_NFC_DEP_PFB_I_PDU: 1086 case DIGITAL_NFC_DEP_PFB_I_PDU:
554 pr_debug("DIGITAL_NFC_DEP_PFB_I_PDU\n"); 1087 pr_debug("DIGITAL_NFC_DEP_PFB_I_PDU\n");
555 ddev->curr_nfc_dep_pni = DIGITAL_NFC_DEP_PFB_PNI(dep_req->pfb); 1088
1089 if ((ddev->atn_count && (DIGITAL_NFC_DEP_PFB_PNI(pfb - 1) !=
1090 ddev->curr_nfc_dep_pni)) ||
1091 (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni)) {
1092 PROTOCOL_ERR("14.12.3.4");
1093 rc = -EIO;
1094 goto exit;
1095 }
1096
1097 if (ddev->atn_count) {
1098 ddev->atn_count = 0;
1099
1100 rc = digital_tg_send_saved_skb(ddev);
1101 if (rc)
1102 goto exit;
1103
1104 return;
1105 }
1106
1107 kfree_skb(ddev->saved_skb);
1108 ddev->saved_skb = NULL;
1109
1110 resp = digital_recv_dep_data_gather(ddev, pfb, resp,
1111 digital_tg_send_ack, NULL);
1112 if (IS_ERR(resp)) {
1113 rc = PTR_ERR(resp);
1114 resp = NULL;
1115 goto exit;
1116 }
1117
1118 /* If resp is NULL then we're still chaining so return and
1119 * wait for the next part of the PDU. Else, the PDU is
1120 * complete so pass it up.
1121 */
1122 if (!resp)
1123 return;
1124
1125 rc = 0;
556 break; 1126 break;
557 case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU: 1127 case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU:
558 pr_err("Received a ACK/NACK PDU\n"); 1128 if (!DIGITAL_NFC_DEP_NACK_BIT_SET(pfb)) { /* ACK */
559 rc = -EINVAL; 1129 if ((ddev->atn_count &&
560 goto exit; 1130 (DIGITAL_NFC_DEP_PFB_PNI(pfb - 1) !=
1131 ddev->curr_nfc_dep_pni)) ||
1132 (DIGITAL_NFC_DEP_PFB_PNI(pfb) !=
1133 ddev->curr_nfc_dep_pni) ||
1134 !ddev->chaining_skb || !ddev->saved_skb) {
1135 rc = -EIO;
1136 goto exit;
1137 }
1138
1139 if (ddev->atn_count) {
1140 ddev->atn_count = 0;
1141
1142 rc = digital_tg_send_saved_skb(ddev);
1143 if (rc)
1144 goto exit;
1145
1146 return;
1147 }
1148
1149 kfree_skb(ddev->saved_skb);
1150 ddev->saved_skb = NULL;
1151
1152 rc = digital_tg_send_dep_res(ddev, ddev->chaining_skb);
1153 if (rc)
1154 goto exit;
1155 } else { /* NACK */
1156 if ((DIGITAL_NFC_DEP_PFB_PNI(pfb + 1) !=
1157 ddev->curr_nfc_dep_pni) ||
1158 !ddev->saved_skb) {
1159 rc = -EIO;
1160 goto exit;
1161 }
1162
1163 ddev->atn_count = 0;
1164
1165 rc = digital_tg_send_saved_skb(ddev);
1166 if (rc) {
1167 kfree_skb(ddev->saved_skb);
1168 goto exit;
1169 }
1170 }
1171
1172 return;
561 case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU: 1173 case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU:
562 pr_err("Received a SUPERVISOR PDU\n"); 1174 if (DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) {
563 rc = -EINVAL; 1175 rc = -EINVAL;
564 goto exit; 1176 goto exit;
565 } 1177 }
566 1178
567 skb_pull(resp, size); 1179 rc = digital_tg_send_atn(ddev);
1180 if (rc)
1181 goto exit;
1182
1183 ddev->atn_count++;
1184
1185 kfree_skb(resp);
1186 return;
1187 }
568 1188
569 rc = nfc_tm_data_received(ddev->nfc_dev, resp); 1189 rc = nfc_tm_data_received(ddev->nfc_dev, resp);
570 1190
571exit: 1191exit:
1192 kfree_skb(ddev->chaining_skb);
1193 ddev->chaining_skb = NULL;
1194
1195 ddev->atn_count = 0;
1196
1197 kfree_skb(ddev->saved_skb);
1198 ddev->saved_skb = NULL;
1199
572 if (rc) 1200 if (rc)
573 kfree_skb(resp); 1201 kfree_skb(resp);
574} 1202}
@@ -576,20 +1204,54 @@ exit:
576int digital_tg_send_dep_res(struct nfc_digital_dev *ddev, struct sk_buff *skb) 1204int digital_tg_send_dep_res(struct nfc_digital_dev *ddev, struct sk_buff *skb)
577{ 1205{
578 struct digital_dep_req_res *dep_res; 1206 struct digital_dep_req_res *dep_res;
1207 struct sk_buff *chaining_skb, *tmp_skb;
1208 int rc;
579 1209
580 skb_push(skb, sizeof(struct digital_dep_req_res)); 1210 skb_push(skb, sizeof(struct digital_dep_req_res));
1211
581 dep_res = (struct digital_dep_req_res *)skb->data; 1212 dep_res = (struct digital_dep_req_res *)skb->data;
582 1213
583 dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN; 1214 dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
584 dep_res->cmd = DIGITAL_CMD_DEP_RES; 1215 dep_res->cmd = DIGITAL_CMD_DEP_RES;
585 dep_res->pfb = ddev->curr_nfc_dep_pni; 1216 dep_res->pfb = ddev->curr_nfc_dep_pni;
586 1217
587 digital_skb_push_dep_sod(ddev, skb); 1218 if (ddev->did) {
1219 dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
588 1220
589 ddev->skb_add_crc(skb); 1221 memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
1222 sizeof(ddev->did));
1223 }
1224
1225 ddev->curr_nfc_dep_pni =
1226 DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
1227
1228 chaining_skb = ddev->chaining_skb;
1229
1230 tmp_skb = digital_send_dep_data_prep(ddev, skb, dep_res, NULL);
1231 if (IS_ERR(tmp_skb))
1232 return PTR_ERR(tmp_skb);
1233
1234 digital_skb_push_dep_sod(ddev, tmp_skb);
1235
1236 ddev->skb_add_crc(tmp_skb);
1237
1238 ddev->saved_skb = skb_get(tmp_skb);
1239 ddev->saved_skb_len = tmp_skb->len;
1240
1241 rc = digital_tg_send_cmd(ddev, tmp_skb, 1500, digital_tg_recv_dep_req,
1242 NULL);
1243 if (rc) {
1244 if (tmp_skb != skb)
1245 kfree_skb(tmp_skb);
1246
1247 kfree_skb(chaining_skb);
1248 ddev->chaining_skb = NULL;
590 1249
591 return digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req, 1250 kfree_skb(ddev->saved_skb);
592 NULL); 1251 ddev->saved_skb = NULL;
1252 }
1253
1254 return rc;
593} 1255}
594 1256
595static void digital_tg_send_psl_res_complete(struct nfc_digital_dev *ddev, 1257static void digital_tg_send_psl_res_complete(struct nfc_digital_dev *ddev,
@@ -632,9 +1294,10 @@ static int digital_tg_send_psl_res(struct nfc_digital_dev *ddev, u8 did,
632 1294
633 ddev->skb_add_crc(skb); 1295 ddev->skb_add_crc(skb);
634 1296
1297 ddev->curr_nfc_dep_pni = 0;
1298
635 rc = digital_tg_send_cmd(ddev, skb, 0, digital_tg_send_psl_res_complete, 1299 rc = digital_tg_send_cmd(ddev, skb, 0, digital_tg_send_psl_res_complete,
636 (void *)(unsigned long)rf_tech); 1300 (void *)(unsigned long)rf_tech);
637
638 if (rc) 1301 if (rc)
639 kfree_skb(skb); 1302 kfree_skb(skb);
640 1303
@@ -647,7 +1310,7 @@ static void digital_tg_recv_psl_req(struct nfc_digital_dev *ddev, void *arg,
647 int rc; 1310 int rc;
648 struct digital_psl_req *psl_req; 1311 struct digital_psl_req *psl_req;
649 u8 rf_tech; 1312 u8 rf_tech;
650 u8 dsi; 1313 u8 dsi, payload_size, payload_bits;
651 1314
652 if (IS_ERR(resp)) { 1315 if (IS_ERR(resp)) {
653 rc = PTR_ERR(resp); 1316 rc = PTR_ERR(resp);
@@ -692,6 +1355,18 @@ static void digital_tg_recv_psl_req(struct nfc_digital_dev *ddev, void *arg,
692 goto exit; 1355 goto exit;
693 } 1356 }
694 1357
1358 payload_bits = DIGITAL_PAYLOAD_FSL_TO_BITS(psl_req->fsl);
1359 payload_size = digital_payload_bits_to_size(payload_bits);
1360
1361 if (!payload_size || (payload_size > min(ddev->local_payload_max,
1362 ddev->remote_payload_max))) {
1363 rc = -EINVAL;
1364 goto exit;
1365 }
1366
1367 ddev->local_payload_max = payload_size;
1368 ddev->remote_payload_max = payload_size;
1369
695 rc = digital_tg_send_psl_res(ddev, psl_req->did, rf_tech); 1370 rc = digital_tg_send_psl_res(ddev, psl_req->did, rf_tech);
696 1371
697exit: 1372exit:
@@ -712,6 +1387,8 @@ static void digital_tg_send_atr_res_complete(struct nfc_digital_dev *ddev,
712 if (resp->data[0] == DIGITAL_NFC_DEP_NFCA_SOD_SB) 1387 if (resp->data[0] == DIGITAL_NFC_DEP_NFCA_SOD_SB)
713 offset++; 1388 offset++;
714 1389
1390 ddev->atn_count = 0;
1391
715 if (resp->data[offset] == DIGITAL_CMD_PSL_REQ) 1392 if (resp->data[offset] == DIGITAL_CMD_PSL_REQ)
716 digital_tg_recv_psl_req(ddev, arg, resp); 1393 digital_tg_recv_psl_req(ddev, arg, resp);
717 else 1394 else
@@ -723,7 +1400,7 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
723{ 1400{
724 struct digital_atr_res *atr_res; 1401 struct digital_atr_res *atr_res;
725 struct sk_buff *skb; 1402 struct sk_buff *skb;
726 u8 *gb; 1403 u8 *gb, payload_bits;
727 size_t gb_len; 1404 size_t gb_len;
728 int rc; 1405 int rc;
729 1406
@@ -744,7 +1421,11 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
744 atr_res->cmd = DIGITAL_CMD_ATR_RES; 1421 atr_res->cmd = DIGITAL_CMD_ATR_RES;
745 memcpy(atr_res->nfcid3, atr_req->nfcid3, sizeof(atr_req->nfcid3)); 1422 memcpy(atr_res->nfcid3, atr_req->nfcid3, sizeof(atr_req->nfcid3));
746 atr_res->to = 8; 1423 atr_res->to = 8;
747 atr_res->pp = DIGITAL_LR_BITS_PAYLOAD_SIZE_254B; 1424
1425 ddev->local_payload_max = DIGITAL_PAYLOAD_SIZE_MAX;
1426 payload_bits = digital_payload_size_to_bits(ddev->local_payload_max);
1427 atr_res->pp = DIGITAL_PAYLOAD_BITS_TO_PP(payload_bits);
1428
748 if (gb_len) { 1429 if (gb_len) {
749 skb_put(skb, gb_len); 1430 skb_put(skb, gb_len);
750 1431
@@ -756,12 +1437,12 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
756 1437
757 ddev->skb_add_crc(skb); 1438 ddev->skb_add_crc(skb);
758 1439
1440 ddev->curr_nfc_dep_pni = 0;
1441
759 rc = digital_tg_send_cmd(ddev, skb, 999, 1442 rc = digital_tg_send_cmd(ddev, skb, 999,
760 digital_tg_send_atr_res_complete, NULL); 1443 digital_tg_send_atr_res_complete, NULL);
761 if (rc) { 1444 if (rc)
762 kfree_skb(skb); 1445 kfree_skb(skb);
763 return rc;
764 }
765 1446
766 return rc; 1447 return rc;
767} 1448}
@@ -772,7 +1453,7 @@ void digital_tg_recv_atr_req(struct nfc_digital_dev *ddev, void *arg,
772 int rc; 1453 int rc;
773 struct digital_atr_req *atr_req; 1454 struct digital_atr_req *atr_req;
774 size_t gb_len, min_size; 1455 size_t gb_len, min_size;
775 u8 poll_tech_count; 1456 u8 poll_tech_count, payload_bits;
776 1457
777 if (IS_ERR(resp)) { 1458 if (IS_ERR(resp)) {
778 rc = PTR_ERR(resp); 1459 rc = PTR_ERR(resp);
@@ -815,11 +1496,22 @@ void digital_tg_recv_atr_req(struct nfc_digital_dev *ddev, void *arg,
815 atr_req = (struct digital_atr_req *)resp->data; 1496 atr_req = (struct digital_atr_req *)resp->data;
816 1497
817 if (atr_req->dir != DIGITAL_NFC_DEP_FRAME_DIR_OUT || 1498 if (atr_req->dir != DIGITAL_NFC_DEP_FRAME_DIR_OUT ||
818 atr_req->cmd != DIGITAL_CMD_ATR_REQ) { 1499 atr_req->cmd != DIGITAL_CMD_ATR_REQ ||
1500 atr_req->did > DIGITAL_DID_MAX) {
819 rc = -EINVAL; 1501 rc = -EINVAL;
820 goto exit; 1502 goto exit;
821 } 1503 }
822 1504
1505 payload_bits = DIGITAL_PAYLOAD_PP_TO_BITS(atr_req->pp);
1506 ddev->remote_payload_max = digital_payload_bits_to_size(payload_bits);
1507
1508 if (!ddev->remote_payload_max) {
1509 rc = -EINVAL;
1510 goto exit;
1511 }
1512
1513 ddev->did = atr_req->did;
1514
823 rc = digital_tg_configure_hw(ddev, NFC_DIGITAL_CONFIG_FRAMING, 1515 rc = digital_tg_configure_hw(ddev, NFC_DIGITAL_CONFIG_FRAMING,
824 NFC_DIGITAL_FRAMING_NFC_DEP_ACTIVATED); 1516 NFC_DIGITAL_FRAMING_NFC_DEP_ACTIVATED);
825 if (rc) 1517 if (rc)
diff --git a/net/nfc/hci/command.c b/net/nfc/hci/command.c
index 677d24bb70f8..91df487aa0a9 100644
--- a/net/nfc/hci/command.c
+++ b/net/nfc/hci/command.c
@@ -345,6 +345,9 @@ int nfc_hci_connect_gate(struct nfc_hci_dev *hdev, u8 dest_host, u8 dest_gate,
345 345
346 pr_debug("\n"); 346 pr_debug("\n");
347 347
348 if (hdev->gate2pipe[dest_gate] == NFC_HCI_DO_NOT_CREATE_PIPE)
349 return 0;
350
348 if (hdev->gate2pipe[dest_gate] != NFC_HCI_INVALID_PIPE) 351 if (hdev->gate2pipe[dest_gate] != NFC_HCI_INVALID_PIPE)
349 return -EADDRINUSE; 352 return -EADDRINUSE;
350 353
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index 117708263ced..ef50e7716c4a 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -167,6 +167,48 @@ exit:
167void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, 167void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
168 struct sk_buff *skb) 168 struct sk_buff *skb)
169{ 169{
170 int r = 0;
171 u8 gate = nfc_hci_pipe2gate(hdev, pipe);
172 u8 local_gate, new_pipe;
173 u8 gate_opened = 0x00;
174
175 pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
176
177 switch (cmd) {
178 case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
179 if (skb->len != 5) {
180 r = -EPROTO;
181 break;
182 }
183
184 local_gate = skb->data[3];
185 new_pipe = skb->data[4];
186 nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK, NULL, 0);
187
188 /* save the new created pipe and bind with local gate,
189 * the description for skb->data[3] is destination gate id
190 * but since we received this cmd from host controller, we
191 * are the destination and it is our local gate
192 */
193 hdev->gate2pipe[local_gate] = new_pipe;
194 break;
195 case NFC_HCI_ANY_OPEN_PIPE:
196 /* if the pipe is already created, we allow remote host to
197 * open it
198 */
199 if (gate != 0xff)
200 nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK,
201 &gate_opened, 1);
202 break;
203 case NFC_HCI_ADM_NOTIFY_ALL_PIPE_CLEARED:
204 nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK, NULL, 0);
205 break;
206 default:
207 pr_info("Discarded unknown cmd %x to gate %x\n", cmd, gate);
208 r = -EINVAL;
209 break;
210 }
211
170 kfree_skb(skb); 212 kfree_skb(skb);
171} 213}
172 214
@@ -717,6 +759,19 @@ static int hci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx)
717 return 0; 759 return 0;
718} 760}
719 761
762static int hci_se_io(struct nfc_dev *nfc_dev, u32 se_idx,
763 u8 *apdu, size_t apdu_length,
764 se_io_cb_t cb, void *cb_context)
765{
766 struct nfc_hci_dev *hdev = nfc_get_drvdata(nfc_dev);
767
768 if (hdev->ops->se_io)
769 return hdev->ops->se_io(hdev, se_idx, apdu,
770 apdu_length, cb, cb_context);
771
772 return 0;
773}
774
720static void nfc_hci_failure(struct nfc_hci_dev *hdev, int err) 775static void nfc_hci_failure(struct nfc_hci_dev *hdev, int err)
721{ 776{
722 mutex_lock(&hdev->msg_tx_mutex); 777 mutex_lock(&hdev->msg_tx_mutex);
@@ -830,6 +885,7 @@ static struct nfc_ops hci_nfc_ops = {
830 .discover_se = hci_discover_se, 885 .discover_se = hci_discover_se,
831 .enable_se = hci_enable_se, 886 .enable_se = hci_enable_se,
832 .disable_se = hci_disable_se, 887 .disable_se = hci_disable_se,
888 .se_io = hci_se_io,
833}; 889};
834 890
835struct nfc_hci_dev *nfc_hci_allocate_device(struct nfc_hci_ops *ops, 891struct nfc_hci_dev *nfc_hci_allocate_device(struct nfc_hci_ops *ops,
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index c4da0c2d8a14..3621a902cb6e 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -401,7 +401,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
401 u8 *miux_tlv = NULL, miux_tlv_length; 401 u8 *miux_tlv = NULL, miux_tlv_length;
402 u8 *rw_tlv = NULL, rw_tlv_length, rw; 402 u8 *rw_tlv = NULL, rw_tlv_length, rw;
403 int err; 403 int err;
404 u16 size = 0, miux; 404 u16 size = 0;
405 __be16 miux;
405 406
406 pr_debug("Sending CONNECT\n"); 407 pr_debug("Sending CONNECT\n");
407 408
@@ -465,7 +466,8 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
465 u8 *miux_tlv = NULL, miux_tlv_length; 466 u8 *miux_tlv = NULL, miux_tlv_length;
466 u8 *rw_tlv = NULL, rw_tlv_length, rw; 467 u8 *rw_tlv = NULL, rw_tlv_length, rw;
467 int err; 468 int err;
468 u16 size = 0, miux; 469 u16 size = 0;
470 __be16 miux;
469 471
470 pr_debug("Sending CC\n"); 472 pr_debug("Sending CC\n");
471 473
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 51e788797317..b18f07ccb504 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1,5 +1,6 @@
1/* 1/*
2 * Copyright (C) 2011 Intel Corporation. All rights reserved. 2 * Copyright (C) 2011 Intel Corporation. All rights reserved.
3 * Copyright (C) 2014 Marvell International Ltd.
3 * 4 *
4 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
@@ -1511,8 +1512,10 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
1511 struct nfc_llcp_local *local; 1512 struct nfc_llcp_local *local;
1512 1513
1513 local = nfc_llcp_find_local(dev); 1514 local = nfc_llcp_find_local(dev);
1514 if (local == NULL) 1515 if (local == NULL) {
1516 kfree_skb(skb);
1515 return -ENODEV; 1517 return -ENODEV;
1518 }
1516 1519
1517 __nfc_llcp_recv(local, skb); 1520 __nfc_llcp_recv(local, skb);
1518 1521
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 83bc785d5855..e181e290427c 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -524,13 +524,13 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr,
524 524
525static inline unsigned int llcp_accept_poll(struct sock *parent) 525static inline unsigned int llcp_accept_poll(struct sock *parent)
526{ 526{
527 struct nfc_llcp_sock *llcp_sock, *n, *parent_sock; 527 struct nfc_llcp_sock *llcp_sock, *parent_sock;
528 struct sock *sk; 528 struct sock *sk;
529 529
530 parent_sock = nfc_llcp_sock(parent); 530 parent_sock = nfc_llcp_sock(parent);
531 531
532 list_for_each_entry_safe(llcp_sock, n, &parent_sock->accept_queue, 532 list_for_each_entry(llcp_sock, &parent_sock->accept_queue,
533 accept_queue) { 533 accept_queue) {
534 sk = &llcp_sock->sk; 534 sk = &llcp_sock->sk;
535 535
536 if (sk->sk_state == LLCP_CONNECTED) 536 if (sk->sk_state == LLCP_CONNECTED)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 90b16cb40058..51feb5e63008 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -3,6 +3,7 @@
3 * NFC Controller (NFCC) and a Device Host (DH). 3 * NFC Controller (NFCC) and a Device Host (DH).
4 * 4 *
5 * Copyright (C) 2011 Texas Instruments, Inc. 5 * Copyright (C) 2011 Texas Instruments, Inc.
6 * Copyright (C) 2014 Marvell International Ltd.
6 * 7 *
7 * Written by Ilan Elias <ilane@ti.com> 8 * Written by Ilan Elias <ilane@ti.com>
8 * 9 *
@@ -196,18 +197,24 @@ static void nci_set_config_req(struct nci_dev *ndev, unsigned long opt)
196 nci_send_cmd(ndev, NCI_OP_CORE_SET_CONFIG_CMD, (3 + param->len), &cmd); 197 nci_send_cmd(ndev, NCI_OP_CORE_SET_CONFIG_CMD, (3 + param->len), &cmd);
197} 198}
198 199
200struct nci_rf_discover_param {
201 __u32 im_protocols;
202 __u32 tm_protocols;
203};
204
199static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt) 205static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
200{ 206{
207 struct nci_rf_discover_param *param =
208 (struct nci_rf_discover_param *)opt;
201 struct nci_rf_disc_cmd cmd; 209 struct nci_rf_disc_cmd cmd;
202 __u32 protocols = opt;
203 210
204 cmd.num_disc_configs = 0; 211 cmd.num_disc_configs = 0;
205 212
206 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) && 213 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
207 (protocols & NFC_PROTO_JEWEL_MASK || 214 (param->im_protocols & NFC_PROTO_JEWEL_MASK ||
208 protocols & NFC_PROTO_MIFARE_MASK || 215 param->im_protocols & NFC_PROTO_MIFARE_MASK ||
209 protocols & NFC_PROTO_ISO14443_MASK || 216 param->im_protocols & NFC_PROTO_ISO14443_MASK ||
210 protocols & NFC_PROTO_NFC_DEP_MASK)) { 217 param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
211 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode = 218 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
212 NCI_NFC_A_PASSIVE_POLL_MODE; 219 NCI_NFC_A_PASSIVE_POLL_MODE;
213 cmd.disc_configs[cmd.num_disc_configs].frequency = 1; 220 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -215,7 +222,7 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
215 } 222 }
216 223
217 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) && 224 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
218 (protocols & NFC_PROTO_ISO14443_B_MASK)) { 225 (param->im_protocols & NFC_PROTO_ISO14443_B_MASK)) {
219 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode = 226 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
220 NCI_NFC_B_PASSIVE_POLL_MODE; 227 NCI_NFC_B_PASSIVE_POLL_MODE;
221 cmd.disc_configs[cmd.num_disc_configs].frequency = 1; 228 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -223,8 +230,8 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
223 } 230 }
224 231
225 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) && 232 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
226 (protocols & NFC_PROTO_FELICA_MASK || 233 (param->im_protocols & NFC_PROTO_FELICA_MASK ||
227 protocols & NFC_PROTO_NFC_DEP_MASK)) { 234 param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
228 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode = 235 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
229 NCI_NFC_F_PASSIVE_POLL_MODE; 236 NCI_NFC_F_PASSIVE_POLL_MODE;
230 cmd.disc_configs[cmd.num_disc_configs].frequency = 1; 237 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -232,13 +239,25 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
232 } 239 }
233 240
234 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) && 241 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
235 (protocols & NFC_PROTO_ISO15693_MASK)) { 242 (param->im_protocols & NFC_PROTO_ISO15693_MASK)) {
236 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode = 243 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
237 NCI_NFC_V_PASSIVE_POLL_MODE; 244 NCI_NFC_V_PASSIVE_POLL_MODE;
238 cmd.disc_configs[cmd.num_disc_configs].frequency = 1; 245 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
239 cmd.num_disc_configs++; 246 cmd.num_disc_configs++;
240 } 247 }
241 248
249 if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS - 1) &&
250 (param->tm_protocols & NFC_PROTO_NFC_DEP_MASK)) {
251 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
252 NCI_NFC_A_PASSIVE_LISTEN_MODE;
253 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
254 cmd.num_disc_configs++;
255 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
256 NCI_NFC_F_PASSIVE_LISTEN_MODE;
257 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
258 cmd.num_disc_configs++;
259 }
260
242 nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_CMD, 261 nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_CMD,
243 (1 + (cmd.num_disc_configs * sizeof(struct disc_config))), 262 (1 + (cmd.num_disc_configs * sizeof(struct disc_config))),
244 &cmd); 263 &cmd);
@@ -280,7 +299,7 @@ static void nci_rf_deactivate_req(struct nci_dev *ndev, unsigned long opt)
280{ 299{
281 struct nci_rf_deactivate_cmd cmd; 300 struct nci_rf_deactivate_cmd cmd;
282 301
283 cmd.type = NCI_DEACTIVATE_TYPE_IDLE_MODE; 302 cmd.type = opt;
284 303
285 nci_send_cmd(ndev, NCI_OP_RF_DEACTIVATE_CMD, 304 nci_send_cmd(ndev, NCI_OP_RF_DEACTIVATE_CMD,
286 sizeof(struct nci_rf_deactivate_cmd), &cmd); 305 sizeof(struct nci_rf_deactivate_cmd), &cmd);
@@ -441,6 +460,7 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
441{ 460{
442 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev); 461 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
443 struct nci_set_config_param param; 462 struct nci_set_config_param param;
463 int rc;
444 464
445 param.val = nfc_get_local_general_bytes(nfc_dev, &param.len); 465 param.val = nfc_get_local_general_bytes(nfc_dev, &param.len);
446 if ((param.val == NULL) || (param.len == 0)) 466 if ((param.val == NULL) || (param.len == 0))
@@ -451,14 +471,45 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
451 471
452 param.id = NCI_PN_ATR_REQ_GEN_BYTES; 472 param.id = NCI_PN_ATR_REQ_GEN_BYTES;
453 473
474 rc = nci_request(ndev, nci_set_config_req, (unsigned long)&param,
475 msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
476 if (rc)
477 return rc;
478
479 param.id = NCI_LN_ATR_RES_GEN_BYTES;
480
454 return nci_request(ndev, nci_set_config_req, (unsigned long)&param, 481 return nci_request(ndev, nci_set_config_req, (unsigned long)&param,
455 msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT)); 482 msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
456} 483}
457 484
485static int nci_set_listen_parameters(struct nfc_dev *nfc_dev)
486{
487 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
488 int rc;
489 __u8 val;
490
491 val = NCI_LA_SEL_INFO_NFC_DEP_MASK;
492
493 rc = nci_set_config(ndev, NCI_LA_SEL_INFO, 1, &val);
494 if (rc)
495 return rc;
496
497 val = NCI_LF_PROTOCOL_TYPE_NFC_DEP_MASK;
498
499 rc = nci_set_config(ndev, NCI_LF_PROTOCOL_TYPE, 1, &val);
500 if (rc)
501 return rc;
502
503 val = NCI_LF_CON_BITR_F_212 | NCI_LF_CON_BITR_F_424;
504
505 return nci_set_config(ndev, NCI_LF_CON_BITR_F, 1, &val);
506}
507
458static int nci_start_poll(struct nfc_dev *nfc_dev, 508static int nci_start_poll(struct nfc_dev *nfc_dev,
459 __u32 im_protocols, __u32 tm_protocols) 509 __u32 im_protocols, __u32 tm_protocols)
460{ 510{
461 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev); 511 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
512 struct nci_rf_discover_param param;
462 int rc; 513 int rc;
463 514
464 if ((atomic_read(&ndev->state) == NCI_DISCOVERY) || 515 if ((atomic_read(&ndev->state) == NCI_DISCOVERY) ||
@@ -476,13 +527,14 @@ static int nci_start_poll(struct nfc_dev *nfc_dev,
476 (atomic_read(&ndev->state) == NCI_POLL_ACTIVE)) { 527 (atomic_read(&ndev->state) == NCI_POLL_ACTIVE)) {
477 pr_debug("target active or w4 select, implicitly deactivate\n"); 528 pr_debug("target active or w4 select, implicitly deactivate\n");
478 529
479 rc = nci_request(ndev, nci_rf_deactivate_req, 0, 530 rc = nci_request(ndev, nci_rf_deactivate_req,
531 NCI_DEACTIVATE_TYPE_IDLE_MODE,
480 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT)); 532 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
481 if (rc) 533 if (rc)
482 return -EBUSY; 534 return -EBUSY;
483 } 535 }
484 536
485 if (im_protocols & NFC_PROTO_NFC_DEP_MASK) { 537 if ((im_protocols | tm_protocols) & NFC_PROTO_NFC_DEP_MASK) {
486 rc = nci_set_local_general_bytes(nfc_dev); 538 rc = nci_set_local_general_bytes(nfc_dev);
487 if (rc) { 539 if (rc) {
488 pr_err("failed to set local general bytes\n"); 540 pr_err("failed to set local general bytes\n");
@@ -490,7 +542,15 @@ static int nci_start_poll(struct nfc_dev *nfc_dev,
490 } 542 }
491 } 543 }
492 544
493 rc = nci_request(ndev, nci_rf_discover_req, im_protocols, 545 if (tm_protocols & NFC_PROTO_NFC_DEP_MASK) {
546 rc = nci_set_listen_parameters(nfc_dev);
547 if (rc)
548 pr_err("failed to set listen parameters\n");
549 }
550
551 param.im_protocols = im_protocols;
552 param.tm_protocols = tm_protocols;
553 rc = nci_request(ndev, nci_rf_discover_req, (unsigned long)&param,
494 msecs_to_jiffies(NCI_RF_DISC_TIMEOUT)); 554 msecs_to_jiffies(NCI_RF_DISC_TIMEOUT));
495 555
496 if (!rc) 556 if (!rc)
@@ -509,7 +569,7 @@ static void nci_stop_poll(struct nfc_dev *nfc_dev)
509 return; 569 return;
510 } 570 }
511 571
512 nci_request(ndev, nci_rf_deactivate_req, 0, 572 nci_request(ndev, nci_rf_deactivate_req, NCI_DEACTIVATE_TYPE_IDLE_MODE,
513 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT)); 573 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
514} 574}
515 575
@@ -594,7 +654,8 @@ static void nci_deactivate_target(struct nfc_dev *nfc_dev,
594 ndev->target_active_prot = 0; 654 ndev->target_active_prot = 0;
595 655
596 if (atomic_read(&ndev->state) == NCI_POLL_ACTIVE) { 656 if (atomic_read(&ndev->state) == NCI_POLL_ACTIVE) {
597 nci_request(ndev, nci_rf_deactivate_req, 0, 657 nci_request(ndev, nci_rf_deactivate_req,
658 NCI_DEACTIVATE_TYPE_SLEEP_MODE,
598 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT)); 659 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
599 } 660 }
600} 661}
@@ -622,9 +683,24 @@ static int nci_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
622 683
623static int nci_dep_link_down(struct nfc_dev *nfc_dev) 684static int nci_dep_link_down(struct nfc_dev *nfc_dev)
624{ 685{
686 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
687 int rc;
688
625 pr_debug("entry\n"); 689 pr_debug("entry\n");
626 690
627 nci_deactivate_target(nfc_dev, NULL); 691 if (nfc_dev->rf_mode == NFC_RF_INITIATOR) {
692 nci_deactivate_target(nfc_dev, NULL);
693 } else {
694 if (atomic_read(&ndev->state) == NCI_LISTEN_ACTIVE ||
695 atomic_read(&ndev->state) == NCI_DISCOVERY) {
696 nci_request(ndev, nci_rf_deactivate_req, 0,
697 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
698 }
699
700 rc = nfc_tm_deactivated(nfc_dev);
701 if (rc)
702 pr_err("error when signaling tm deactivation\n");
703 }
628 704
629 return 0; 705 return 0;
630} 706}
@@ -658,18 +734,58 @@ static int nci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
658 return rc; 734 return rc;
659} 735}
660 736
737static int nci_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
738{
739 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
740 int rc;
741
742 rc = nci_send_data(ndev, NCI_STATIC_RF_CONN_ID, skb);
743 if (rc)
744 pr_err("unable to send data\n");
745
746 return rc;
747}
748
661static int nci_enable_se(struct nfc_dev *nfc_dev, u32 se_idx) 749static int nci_enable_se(struct nfc_dev *nfc_dev, u32 se_idx)
662{ 750{
751 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
752
753 if (ndev->ops->enable_se)
754 return ndev->ops->enable_se(ndev, se_idx);
755
663 return 0; 756 return 0;
664} 757}
665 758
666static int nci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx) 759static int nci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx)
667{ 760{
761 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
762
763 if (ndev->ops->disable_se)
764 return ndev->ops->disable_se(ndev, se_idx);
765
668 return 0; 766 return 0;
669} 767}
670 768
671static int nci_discover_se(struct nfc_dev *nfc_dev) 769static int nci_discover_se(struct nfc_dev *nfc_dev)
672{ 770{
771 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
772
773 if (ndev->ops->discover_se)
774 return ndev->ops->discover_se(ndev);
775
776 return 0;
777}
778
779static int nci_se_io(struct nfc_dev *nfc_dev, u32 se_idx,
780 u8 *apdu, size_t apdu_length,
781 se_io_cb_t cb, void *cb_context)
782{
783 struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
784
785 if (ndev->ops->se_io)
786 return ndev->ops->se_io(ndev, se_idx, apdu,
787 apdu_length, cb, cb_context);
788
673 return 0; 789 return 0;
674} 790}
675 791
@@ -683,9 +799,11 @@ static struct nfc_ops nci_nfc_ops = {
683 .activate_target = nci_activate_target, 799 .activate_target = nci_activate_target,
684 .deactivate_target = nci_deactivate_target, 800 .deactivate_target = nci_deactivate_target,
685 .im_transceive = nci_transceive, 801 .im_transceive = nci_transceive,
802 .tm_send = nci_tm_send,
686 .enable_se = nci_enable_se, 803 .enable_se = nci_enable_se,
687 .disable_se = nci_disable_se, 804 .disable_se = nci_disable_se,
688 .discover_se = nci_discover_se, 805 .discover_se = nci_discover_se,
806 .se_io = nci_se_io,
689}; 807};
690 808
691/* ---- Interface to NCI drivers ---- */ 809/* ---- Interface to NCI drivers ---- */
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 427ef2c7ab68..a2de2a8cb00e 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -3,6 +3,7 @@
3 * NFC Controller (NFCC) and a Device Host (DH). 3 * NFC Controller (NFCC) and a Device Host (DH).
4 * 4 *
5 * Copyright (C) 2011 Texas Instruments, Inc. 5 * Copyright (C) 2011 Texas Instruments, Inc.
6 * Copyright (C) 2014 Marvell International Ltd.
6 * 7 *
7 * Written by Ilan Elias <ilane@ti.com> 8 * Written by Ilan Elias <ilane@ti.com>
8 * 9 *
@@ -184,11 +185,16 @@ exit:
184 185
185static void nci_add_rx_data_frag(struct nci_dev *ndev, 186static void nci_add_rx_data_frag(struct nci_dev *ndev,
186 struct sk_buff *skb, 187 struct sk_buff *skb,
187 __u8 pbf) 188 __u8 pbf, __u8 status)
188{ 189{
189 int reassembly_len; 190 int reassembly_len;
190 int err = 0; 191 int err = 0;
191 192
193 if (status) {
194 err = status;
195 goto exit;
196 }
197
192 if (ndev->rx_data_reassembly) { 198 if (ndev->rx_data_reassembly) {
193 reassembly_len = ndev->rx_data_reassembly->len; 199 reassembly_len = ndev->rx_data_reassembly->len;
194 200
@@ -223,13 +229,24 @@ static void nci_add_rx_data_frag(struct nci_dev *ndev,
223 } 229 }
224 230
225exit: 231exit:
226 nci_data_exchange_complete(ndev, skb, err); 232 if (ndev->nfc_dev->rf_mode == NFC_RF_INITIATOR) {
233 nci_data_exchange_complete(ndev, skb, err);
234 } else if (ndev->nfc_dev->rf_mode == NFC_RF_TARGET) {
235 /* Data received in Target mode, forward to nfc core */
236 err = nfc_tm_data_received(ndev->nfc_dev, skb);
237 if (err)
238 pr_err("unable to handle received data\n");
239 } else {
240 pr_err("rf mode unknown\n");
241 kfree_skb(skb);
242 }
227} 243}
228 244
229/* Rx Data packet */ 245/* Rx Data packet */
230void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb) 246void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
231{ 247{
232 __u8 pbf = nci_pbf(skb->data); 248 __u8 pbf = nci_pbf(skb->data);
249 __u8 status = 0;
233 250
234 pr_debug("len %d\n", skb->len); 251 pr_debug("len %d\n", skb->len);
235 252
@@ -247,8 +264,9 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
247 ndev->target_active_prot == NFC_PROTO_ISO15693) { 264 ndev->target_active_prot == NFC_PROTO_ISO15693) {
248 /* frame I/F => remove the status byte */ 265 /* frame I/F => remove the status byte */
249 pr_debug("frame I/F => remove the status byte\n"); 266 pr_debug("frame I/F => remove the status byte\n");
267 status = skb->data[skb->len - 1];
250 skb_trim(skb, (skb->len - 1)); 268 skb_trim(skb, (skb->len - 1));
251 } 269 }
252 270
253 nci_add_rx_data_frag(ndev, skb, pbf); 271 nci_add_rx_data_frag(ndev, skb, pbf, nci_to_errno(status));
254} 272}
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 205b35f666db..22e453cb787d 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -103,7 +103,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
103 struct rf_tech_specific_params_nfca_poll *nfca_poll, 103 struct rf_tech_specific_params_nfca_poll *nfca_poll,
104 __u8 *data) 104 __u8 *data)
105{ 105{
106 nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); 106 nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
107 data += 2; 107 data += 2;
108 108
109 nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE); 109 nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
@@ -167,7 +167,19 @@ static __u8 *nci_extract_rf_params_nfcv_passive_poll(struct nci_dev *ndev,
167 return data; 167 return data;
168} 168}
169 169
170__u32 nci_get_prop_rf_protocol(struct nci_dev *ndev, __u8 rf_protocol) 170static __u8 *nci_extract_rf_params_nfcf_passive_listen(struct nci_dev *ndev,
171 struct rf_tech_specific_params_nfcf_listen *nfcf_listen,
172 __u8 *data)
173{
174 nfcf_listen->local_nfcid2_len = min_t(__u8, *data++,
175 NFC_NFCID2_MAXSIZE);
176 memcpy(nfcf_listen->local_nfcid2, data, nfcf_listen->local_nfcid2_len);
177 data += nfcf_listen->local_nfcid2_len;
178
179 return data;
180}
181
182static __u32 nci_get_prop_rf_protocol(struct nci_dev *ndev, __u8 rf_protocol)
171{ 183{
172 if (ndev->ops->get_rfprotocol) 184 if (ndev->ops->get_rfprotocol)
173 return ndev->ops->get_rfprotocol(ndev, rf_protocol); 185 return ndev->ops->get_rfprotocol(ndev, rf_protocol);
@@ -401,17 +413,29 @@ static int nci_extract_activation_params_nfc_dep(struct nci_dev *ndev,
401 struct nci_rf_intf_activated_ntf *ntf, __u8 *data) 413 struct nci_rf_intf_activated_ntf *ntf, __u8 *data)
402{ 414{
403 struct activation_params_poll_nfc_dep *poll; 415 struct activation_params_poll_nfc_dep *poll;
416 struct activation_params_listen_nfc_dep *listen;
404 417
405 switch (ntf->activation_rf_tech_and_mode) { 418 switch (ntf->activation_rf_tech_and_mode) {
406 case NCI_NFC_A_PASSIVE_POLL_MODE: 419 case NCI_NFC_A_PASSIVE_POLL_MODE:
407 case NCI_NFC_F_PASSIVE_POLL_MODE: 420 case NCI_NFC_F_PASSIVE_POLL_MODE:
408 poll = &ntf->activation_params.poll_nfc_dep; 421 poll = &ntf->activation_params.poll_nfc_dep;
409 poll->atr_res_len = min_t(__u8, *data++, 63); 422 poll->atr_res_len = min_t(__u8, *data++,
423 NFC_ATR_RES_MAXSIZE - 2);
410 pr_debug("atr_res_len %d\n", poll->atr_res_len); 424 pr_debug("atr_res_len %d\n", poll->atr_res_len);
411 if (poll->atr_res_len > 0) 425 if (poll->atr_res_len > 0)
412 memcpy(poll->atr_res, data, poll->atr_res_len); 426 memcpy(poll->atr_res, data, poll->atr_res_len);
413 break; 427 break;
414 428
429 case NCI_NFC_A_PASSIVE_LISTEN_MODE:
430 case NCI_NFC_F_PASSIVE_LISTEN_MODE:
431 listen = &ntf->activation_params.listen_nfc_dep;
432 listen->atr_req_len = min_t(__u8, *data++,
433 NFC_ATR_REQ_MAXSIZE - 2);
434 pr_debug("atr_req_len %d\n", listen->atr_req_len);
435 if (listen->atr_req_len > 0)
436 memcpy(listen->atr_req, data, listen->atr_req_len);
437 break;
438
415 default: 439 default:
416 pr_err("unsupported activation_rf_tech_and_mode 0x%x\n", 440 pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
417 ntf->activation_rf_tech_and_mode); 441 ntf->activation_rf_tech_and_mode);
@@ -444,6 +468,48 @@ static void nci_target_auto_activated(struct nci_dev *ndev,
444 nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); 468 nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets);
445} 469}
446 470
471static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev,
472 struct nci_rf_intf_activated_ntf *ntf)
473{
474 ndev->remote_gb_len = 0;
475
476 if (ntf->activation_params_len <= 0)
477 return NCI_STATUS_OK;
478
479 switch (ntf->activation_rf_tech_and_mode) {
480 case NCI_NFC_A_PASSIVE_POLL_MODE:
481 case NCI_NFC_F_PASSIVE_POLL_MODE:
482 ndev->remote_gb_len = min_t(__u8,
483 (ntf->activation_params.poll_nfc_dep.atr_res_len
484 - NFC_ATR_RES_GT_OFFSET),
485 NFC_ATR_RES_GB_MAXSIZE);
486 memcpy(ndev->remote_gb,
487 (ntf->activation_params.poll_nfc_dep.atr_res
488 + NFC_ATR_RES_GT_OFFSET),
489 ndev->remote_gb_len);
490 break;
491
492 case NCI_NFC_A_PASSIVE_LISTEN_MODE:
493 case NCI_NFC_F_PASSIVE_LISTEN_MODE:
494 ndev->remote_gb_len = min_t(__u8,
495 (ntf->activation_params.listen_nfc_dep.atr_req_len
496 - NFC_ATR_REQ_GT_OFFSET),
497 NFC_ATR_REQ_GB_MAXSIZE);
498 memcpy(ndev->remote_gb,
499 (ntf->activation_params.listen_nfc_dep.atr_req
500 + NFC_ATR_REQ_GT_OFFSET),
501 ndev->remote_gb_len);
502 break;
503
504 default:
505 pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
506 ntf->activation_rf_tech_and_mode);
507 return NCI_STATUS_RF_PROTOCOL_ERROR;
508 }
509
510 return NCI_STATUS_OK;
511}
512
447static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, 513static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
448 struct sk_buff *skb) 514 struct sk_buff *skb)
449{ 515{
@@ -493,6 +559,16 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
493 &(ntf.rf_tech_specific_params.nfcv_poll), data); 559 &(ntf.rf_tech_specific_params.nfcv_poll), data);
494 break; 560 break;
495 561
562 case NCI_NFC_A_PASSIVE_LISTEN_MODE:
563 /* no RF technology specific parameters */
564 break;
565
566 case NCI_NFC_F_PASSIVE_LISTEN_MODE:
567 data = nci_extract_rf_params_nfcf_passive_listen(ndev,
568 &(ntf.rf_tech_specific_params.nfcf_listen),
569 data);
570 break;
571
496 default: 572 default:
497 pr_err("unsupported activation_rf_tech_and_mode 0x%x\n", 573 pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
498 ntf.activation_rf_tech_and_mode); 574 ntf.activation_rf_tech_and_mode);
@@ -546,32 +622,39 @@ exit:
546 622
547 /* store general bytes to be reported later in dep_link_up */ 623 /* store general bytes to be reported later in dep_link_up */
548 if (ntf.rf_interface == NCI_RF_INTERFACE_NFC_DEP) { 624 if (ntf.rf_interface == NCI_RF_INTERFACE_NFC_DEP) {
549 ndev->remote_gb_len = 0; 625 err = nci_store_general_bytes_nfc_dep(ndev, &ntf);
550 626 if (err != NCI_STATUS_OK)
551 if (ntf.activation_params_len > 0) { 627 pr_err("unable to store general bytes\n");
552 /* ATR_RES general bytes at offset 15 */
553 ndev->remote_gb_len = min_t(__u8,
554 (ntf.activation_params
555 .poll_nfc_dep.atr_res_len
556 - NFC_ATR_RES_GT_OFFSET),
557 NFC_MAX_GT_LEN);
558 memcpy(ndev->remote_gb,
559 (ntf.activation_params.poll_nfc_dep
560 .atr_res + NFC_ATR_RES_GT_OFFSET),
561 ndev->remote_gb_len);
562 }
563 } 628 }
564 } 629 }
565 630
566 if (atomic_read(&ndev->state) == NCI_DISCOVERY) { 631 if (!(ntf.activation_rf_tech_and_mode & NCI_RF_TECH_MODE_LISTEN_MASK)) {
567 /* A single target was found and activated automatically */ 632 /* Poll mode */
568 atomic_set(&ndev->state, NCI_POLL_ACTIVE); 633 if (atomic_read(&ndev->state) == NCI_DISCOVERY) {
569 if (err == NCI_STATUS_OK) 634 /* A single target was found and activated
570 nci_target_auto_activated(ndev, &ntf); 635 * automatically */
571 } else { /* ndev->state == NCI_W4_HOST_SELECT */ 636 atomic_set(&ndev->state, NCI_POLL_ACTIVE);
572 /* A selected target was activated, so complete the request */ 637 if (err == NCI_STATUS_OK)
573 atomic_set(&ndev->state, NCI_POLL_ACTIVE); 638 nci_target_auto_activated(ndev, &ntf);
574 nci_req_complete(ndev, err); 639 } else { /* ndev->state == NCI_W4_HOST_SELECT */
640 /* A selected target was activated, so complete the
641 * request */
642 atomic_set(&ndev->state, NCI_POLL_ACTIVE);
643 nci_req_complete(ndev, err);
644 }
645 } else {
646 /* Listen mode */
647 atomic_set(&ndev->state, NCI_LISTEN_ACTIVE);
648 if (err == NCI_STATUS_OK &&
649 ntf.rf_protocol == NCI_RF_PROTOCOL_NFC_DEP) {
650 err = nfc_tm_activated(ndev->nfc_dev,
651 NFC_PROTO_NFC_DEP_MASK,
652 NFC_COMM_PASSIVE,
653 ndev->remote_gb,
654 ndev->remote_gb_len);
655 if (err != NCI_STATUS_OK)
656 pr_err("error when signaling tm activation\n");
657 }
575 } 658 }
576} 659}
577 660
@@ -595,8 +678,21 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
595 if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) 678 if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags))
596 nci_data_exchange_complete(ndev, NULL, -EIO); 679 nci_data_exchange_complete(ndev, NULL, -EIO);
597 680
598 nci_clear_target_list(ndev); 681 switch (ntf->type) {
599 atomic_set(&ndev->state, NCI_IDLE); 682 case NCI_DEACTIVATE_TYPE_IDLE_MODE:
683 nci_clear_target_list(ndev);
684 atomic_set(&ndev->state, NCI_IDLE);
685 break;
686 case NCI_DEACTIVATE_TYPE_SLEEP_MODE:
687 case NCI_DEACTIVATE_TYPE_SLEEP_AF_MODE:
688 atomic_set(&ndev->state, NCI_W4_HOST_SELECT);
689 break;
690 case NCI_DEACTIVATE_TYPE_DISCOVERY:
691 nci_clear_target_list(ndev);
692 atomic_set(&ndev->state, NCI_DISCOVERY);
693 break;
694 }
695
600 nci_req_complete(ndev, NCI_STATUS_OK); 696 nci_req_complete(ndev, NCI_STATUS_OK);
601} 697}
602 698
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 43cb1c17e267..44989fc8cddf 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -810,6 +810,31 @@ out:
810 return rc; 810 return rc;
811} 811}
812 812
813static int nfc_genl_activate_target(struct sk_buff *skb, struct genl_info *info)
814{
815 struct nfc_dev *dev;
816 u32 device_idx, target_idx, protocol;
817 int rc;
818
819 if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
820 return -EINVAL;
821
822 device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
823
824 dev = nfc_get_device(device_idx);
825 if (!dev)
826 return -ENODEV;
827
828 target_idx = nla_get_u32(info->attrs[NFC_ATTR_TARGET_INDEX]);
829 protocol = nla_get_u32(info->attrs[NFC_ATTR_PROTOCOLS]);
830
831 nfc_deactivate_target(dev, target_idx);
832 rc = nfc_activate_target(dev, target_idx, protocol);
833
834 nfc_put_device(dev);
835 return 0;
836}
837
813static int nfc_genl_dep_link_up(struct sk_buff *skb, struct genl_info *info) 838static int nfc_genl_dep_link_up(struct sk_buff *skb, struct genl_info *info)
814{ 839{
815 struct nfc_dev *dev; 840 struct nfc_dev *dev;
@@ -1285,6 +1310,51 @@ static int nfc_genl_dump_ses_done(struct netlink_callback *cb)
1285 return 0; 1310 return 0;
1286} 1311}
1287 1312
1313static int nfc_se_io(struct nfc_dev *dev, u32 se_idx,
1314 u8 *apdu, size_t apdu_length,
1315 se_io_cb_t cb, void *cb_context)
1316{
1317 struct nfc_se *se;
1318 int rc;
1319
1320 pr_debug("%s se index %d\n", dev_name(&dev->dev), se_idx);
1321
1322 device_lock(&dev->dev);
1323
1324 if (!device_is_registered(&dev->dev)) {
1325 rc = -ENODEV;
1326 goto error;
1327 }
1328
1329 if (!dev->dev_up) {
1330 rc = -ENODEV;
1331 goto error;
1332 }
1333
1334 if (!dev->ops->se_io) {
1335 rc = -EOPNOTSUPP;
1336 goto error;
1337 }
1338
1339 se = nfc_find_se(dev, se_idx);
1340 if (!se) {
1341 rc = -EINVAL;
1342 goto error;
1343 }
1344
1345 if (se->state != NFC_SE_ENABLED) {
1346 rc = -ENODEV;
1347 goto error;
1348 }
1349
1350 rc = dev->ops->se_io(dev, se_idx, apdu,
1351 apdu_length, cb, cb_context);
1352
1353error:
1354 device_unlock(&dev->dev);
1355 return rc;
1356}
1357
1288struct se_io_ctx { 1358struct se_io_ctx {
1289 u32 dev_idx; 1359 u32 dev_idx;
1290 u32 se_idx; 1360 u32 se_idx;
@@ -1367,7 +1437,7 @@ static int nfc_genl_se_io(struct sk_buff *skb, struct genl_info *info)
1367 ctx->dev_idx = dev_idx; 1437 ctx->dev_idx = dev_idx;
1368 ctx->se_idx = se_idx; 1438 ctx->se_idx = se_idx;
1369 1439
1370 return dev->ops->se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx); 1440 return nfc_se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx);
1371} 1441}
1372 1442
1373static const struct genl_ops nfc_genl_ops[] = { 1443static const struct genl_ops nfc_genl_ops[] = {
@@ -1455,6 +1525,11 @@ static const struct genl_ops nfc_genl_ops[] = {
1455 .doit = nfc_genl_se_io, 1525 .doit = nfc_genl_se_io,
1456 .policy = nfc_genl_policy, 1526 .policy = nfc_genl_policy,
1457 }, 1527 },
1528 {
1529 .cmd = NFC_CMD_ACTIVATE_TARGET,
1530 .doit = nfc_genl_activate_target,
1531 .policy = nfc_genl_policy,
1532 },
1458}; 1533};
1459 1534
1460 1535
diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
index 29c8675f9a11..22ba971741e5 100644
--- a/net/wireless/Kconfig
+++ b/net/wireless/Kconfig
@@ -175,7 +175,7 @@ config CFG80211_INTERNAL_REGDB
175 Most distributions have a CRDA package. So if unsure, say N. 175 Most distributions have a CRDA package. So if unsure, say N.
176 176
177config CFG80211_WEXT 177config CFG80211_WEXT
178 bool "cfg80211 wireless extensions compatibility" 178 bool
179 depends on CFG80211 179 depends on CFG80211
180 select WEXT_CORE 180 select WEXT_CORE
181 help 181 help
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 4c2e501203d1..53dda7728f86 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -546,6 +546,20 @@ int wiphy_register(struct wiphy *wiphy)
546 !rdev->ops->tdls_cancel_channel_switch))) 546 !rdev->ops->tdls_cancel_channel_switch)))
547 return -EINVAL; 547 return -EINVAL;
548 548
549 /*
550 * if a wiphy has unsupported modes for regulatory channel enforcement,
551 * opt-out of enforcement checking
552 */
553 if (wiphy->interface_modes & ~(BIT(NL80211_IFTYPE_STATION) |
554 BIT(NL80211_IFTYPE_P2P_CLIENT) |
555 BIT(NL80211_IFTYPE_AP) |
556 BIT(NL80211_IFTYPE_P2P_GO) |
557 BIT(NL80211_IFTYPE_ADHOC) |
558 BIT(NL80211_IFTYPE_P2P_DEVICE) |
559 BIT(NL80211_IFTYPE_AP_VLAN) |
560 BIT(NL80211_IFTYPE_MONITOR)))
561 wiphy->regulatory_flags |= REGULATORY_IGNORE_STALE_KICKOFF;
562
549 if (WARN_ON(wiphy->coalesce && 563 if (WARN_ON(wiphy->coalesce &&
550 (!wiphy->coalesce->n_rules || 564 (!wiphy->coalesce->n_rules ||
551 !wiphy->coalesce->n_patterns) && 565 !wiphy->coalesce->n_patterns) &&
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 6e4177701d86..a17d6bc6b22c 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2317,7 +2317,8 @@ static inline u64 wdev_id(struct wireless_dev *wdev)
2317static int nl80211_send_chandef(struct sk_buff *msg, 2317static int nl80211_send_chandef(struct sk_buff *msg,
2318 const struct cfg80211_chan_def *chandef) 2318 const struct cfg80211_chan_def *chandef)
2319{ 2319{
2320 WARN_ON(!cfg80211_chandef_valid(chandef)); 2320 if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2321 return -EINVAL;
2321 2322
2322 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, 2323 if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2323 chandef->chan->center_freq)) 2324 chandef->chan->center_freq))
@@ -5421,11 +5422,11 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
5421{ 5422{
5422 struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1]; 5423 struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
5423 struct nlattr *nl_reg_rule; 5424 struct nlattr *nl_reg_rule;
5424 char *alpha2 = NULL; 5425 char *alpha2;
5425 int rem_reg_rules = 0, r = 0; 5426 int rem_reg_rules, r;
5426 u32 num_rules = 0, rule_idx = 0, size_of_regd; 5427 u32 num_rules = 0, rule_idx = 0, size_of_regd;
5427 enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET; 5428 enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
5428 struct ieee80211_regdomain *rd = NULL; 5429 struct ieee80211_regdomain *rd;
5429 5430
5430 if (!info->attrs[NL80211_ATTR_REG_ALPHA2]) 5431 if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5431 return -EINVAL; 5432 return -EINVAL;
@@ -6562,8 +6563,6 @@ static int nl80211_dump_survey(struct sk_buff *skb,
6562 } 6563 }
6563 6564
6564 while (1) { 6565 while (1) {
6565 struct ieee80211_channel *chan;
6566
6567 res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey); 6566 res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
6568 if (res == -ENOENT) 6567 if (res == -ENOENT)
6569 break; 6568 break;
@@ -6576,9 +6575,7 @@ static int nl80211_dump_survey(struct sk_buff *skb,
6576 goto out; 6575 goto out;
6577 } 6576 }
6578 6577
6579 chan = ieee80211_get_channel(&rdev->wiphy, 6578 if (survey.channel->flags & IEEE80211_CHAN_DISABLED) {
6580 survey.channel->center_freq);
6581 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
6582 survey_idx++; 6579 survey_idx++;
6583 continue; 6580 continue;
6584 } 6581 }
@@ -11770,55 +11767,155 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
11770} 11767}
11771EXPORT_SYMBOL(cfg80211_mgmt_tx_status); 11768EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
11772 11769
11773void cfg80211_cqm_rssi_notify(struct net_device *dev, 11770static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
11774 enum nl80211_cqm_rssi_threshold_event rssi_event, 11771 const char *mac, gfp_t gfp)
11775 gfp_t gfp)
11776{ 11772{
11777 struct wireless_dev *wdev = dev->ieee80211_ptr; 11773 struct wireless_dev *wdev = dev->ieee80211_ptr;
11778 struct wiphy *wiphy = wdev->wiphy; 11774 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
11779 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 11775 struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11780 struct sk_buff *msg; 11776 void **cb;
11781 struct nlattr *pinfoattr;
11782 void *hdr;
11783
11784 trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11785 11777
11786 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11787 if (!msg) 11778 if (!msg)
11788 return; 11779 return NULL;
11789 11780
11790 hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM); 11781 cb = (void **)msg->cb;
11791 if (!hdr) { 11782
11783 cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
11784 if (!cb[0]) {
11792 nlmsg_free(msg); 11785 nlmsg_free(msg);
11793 return; 11786 return NULL;
11794 } 11787 }
11795 11788
11796 if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) || 11789 if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11797 nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex)) 11790 nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11798 goto nla_put_failure; 11791 goto nla_put_failure;
11799 11792
11800 pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM); 11793 if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
11801 if (!pinfoattr)
11802 goto nla_put_failure; 11794 goto nla_put_failure;
11803 11795
11804 if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT, 11796 cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
11805 rssi_event)) 11797 if (!cb[1])
11806 goto nla_put_failure; 11798 goto nla_put_failure;
11807 11799
11808 nla_nest_end(msg, pinfoattr); 11800 cb[2] = rdev;
11809 11801
11810 genlmsg_end(msg, hdr); 11802 return msg;
11803 nla_put_failure:
11804 nlmsg_free(msg);
11805 return NULL;
11806}
11807
11808static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
11809{
11810 void **cb = (void **)msg->cb;
11811 struct cfg80211_registered_device *rdev = cb[2];
11812
11813 nla_nest_end(msg, cb[1]);
11814 genlmsg_end(msg, cb[0]);
11815
11816 memset(msg->cb, 0, sizeof(msg->cb));
11811 11817
11812 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0, 11818 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
11813 NL80211_MCGRP_MLME, gfp); 11819 NL80211_MCGRP_MLME, gfp);
11820}
11821
11822void cfg80211_cqm_rssi_notify(struct net_device *dev,
11823 enum nl80211_cqm_rssi_threshold_event rssi_event,
11824 gfp_t gfp)
11825{
11826 struct sk_buff *msg;
11827
11828 trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
11829
11830 if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
11831 rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
11832 return;
11833
11834 msg = cfg80211_prepare_cqm(dev, NULL, gfp);
11835 if (!msg)
11836 return;
11837
11838 if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
11839 rssi_event))
11840 goto nla_put_failure;
11841
11842 cfg80211_send_cqm(msg, gfp);
11843
11814 return; 11844 return;
11815 11845
11816 nla_put_failure: 11846 nla_put_failure:
11817 genlmsg_cancel(msg, hdr);
11818 nlmsg_free(msg); 11847 nlmsg_free(msg);
11819} 11848}
11820EXPORT_SYMBOL(cfg80211_cqm_rssi_notify); 11849EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
11821 11850
11851void cfg80211_cqm_txe_notify(struct net_device *dev,
11852 const u8 *peer, u32 num_packets,
11853 u32 rate, u32 intvl, gfp_t gfp)
11854{
11855 struct sk_buff *msg;
11856
11857 msg = cfg80211_prepare_cqm(dev, peer, gfp);
11858 if (!msg)
11859 return;
11860
11861 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
11862 goto nla_put_failure;
11863
11864 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
11865 goto nla_put_failure;
11866
11867 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
11868 goto nla_put_failure;
11869
11870 cfg80211_send_cqm(msg, gfp);
11871 return;
11872
11873 nla_put_failure:
11874 nlmsg_free(msg);
11875}
11876EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
11877
11878void cfg80211_cqm_pktloss_notify(struct net_device *dev,
11879 const u8 *peer, u32 num_packets, gfp_t gfp)
11880{
11881 struct sk_buff *msg;
11882
11883 trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
11884
11885 msg = cfg80211_prepare_cqm(dev, peer, gfp);
11886 if (!msg)
11887 return;
11888
11889 if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
11890 goto nla_put_failure;
11891
11892 cfg80211_send_cqm(msg, gfp);
11893 return;
11894
11895 nla_put_failure:
11896 nlmsg_free(msg);
11897}
11898EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
11899
11900void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
11901{
11902 struct sk_buff *msg;
11903
11904 msg = cfg80211_prepare_cqm(dev, NULL, gfp);
11905 if (!msg)
11906 return;
11907
11908 if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
11909 goto nla_put_failure;
11910
11911 cfg80211_send_cqm(msg, gfp);
11912 return;
11913
11914 nla_put_failure:
11915 nlmsg_free(msg);
11916}
11917EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
11918
11822static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev, 11919static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
11823 struct net_device *netdev, const u8 *bssid, 11920 struct net_device *netdev, const u8 *bssid,
11824 const u8 *replay_ctr, gfp_t gfp) 11921 const u8 *replay_ctr, gfp_t gfp)
@@ -12007,59 +12104,6 @@ void cfg80211_ch_switch_started_notify(struct net_device *dev,
12007} 12104}
12008EXPORT_SYMBOL(cfg80211_ch_switch_started_notify); 12105EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
12009 12106
12010void cfg80211_cqm_txe_notify(struct net_device *dev,
12011 const u8 *peer, u32 num_packets,
12012 u32 rate, u32 intvl, gfp_t gfp)
12013{
12014 struct wireless_dev *wdev = dev->ieee80211_ptr;
12015 struct wiphy *wiphy = wdev->wiphy;
12016 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12017 struct sk_buff *msg;
12018 struct nlattr *pinfoattr;
12019 void *hdr;
12020
12021 msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
12022 if (!msg)
12023 return;
12024
12025 hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12026 if (!hdr) {
12027 nlmsg_free(msg);
12028 return;
12029 }
12030
12031 if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12032 nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12033 nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
12034 goto nla_put_failure;
12035
12036 pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
12037 if (!pinfoattr)
12038 goto nla_put_failure;
12039
12040 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
12041 goto nla_put_failure;
12042
12043 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
12044 goto nla_put_failure;
12045
12046 if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
12047 goto nla_put_failure;
12048
12049 nla_nest_end(msg, pinfoattr);
12050
12051 genlmsg_end(msg, hdr);
12052
12053 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12054 NL80211_MCGRP_MLME, gfp);
12055 return;
12056
12057 nla_put_failure:
12058 genlmsg_cancel(msg, hdr);
12059 nlmsg_free(msg);
12060}
12061EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
12062
12063void 12107void
12064nl80211_radar_notify(struct cfg80211_registered_device *rdev, 12108nl80211_radar_notify(struct cfg80211_registered_device *rdev,
12065 const struct cfg80211_chan_def *chandef, 12109 const struct cfg80211_chan_def *chandef,
@@ -12108,54 +12152,6 @@ nl80211_radar_notify(struct cfg80211_registered_device *rdev,
12108 nlmsg_free(msg); 12152 nlmsg_free(msg);
12109} 12153}
12110 12154
12111void cfg80211_cqm_pktloss_notify(struct net_device *dev,
12112 const u8 *peer, u32 num_packets, gfp_t gfp)
12113{
12114 struct wireless_dev *wdev = dev->ieee80211_ptr;
12115 struct wiphy *wiphy = wdev->wiphy;
12116 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12117 struct sk_buff *msg;
12118 struct nlattr *pinfoattr;
12119 void *hdr;
12120
12121 trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
12122
12123 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12124 if (!msg)
12125 return;
12126
12127 hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
12128 if (!hdr) {
12129 nlmsg_free(msg);
12130 return;
12131 }
12132
12133 if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12134 nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
12135 nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
12136 goto nla_put_failure;
12137
12138 pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
12139 if (!pinfoattr)
12140 goto nla_put_failure;
12141
12142 if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
12143 goto nla_put_failure;
12144
12145 nla_nest_end(msg, pinfoattr);
12146
12147 genlmsg_end(msg, hdr);
12148
12149 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
12150 NL80211_MCGRP_MLME, gfp);
12151 return;
12152
12153 nla_put_failure:
12154 genlmsg_cancel(msg, hdr);
12155 nlmsg_free(msg);
12156}
12157EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
12158
12159void cfg80211_probe_status(struct net_device *dev, const u8 *addr, 12155void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
12160 u64 cookie, bool acked, gfp_t gfp) 12156 u64 cookie, bool acked, gfp_t gfp)
12161{ 12157{
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 32d8310b0f85..47be6163381c 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -56,6 +56,7 @@
56#include <net/cfg80211.h> 56#include <net/cfg80211.h>
57#include "core.h" 57#include "core.h"
58#include "reg.h" 58#include "reg.h"
59#include "rdev-ops.h"
59#include "regdb.h" 60#include "regdb.h"
60#include "nl80211.h" 61#include "nl80211.h"
61 62
@@ -66,6 +67,12 @@
66#define REG_DBG_PRINT(args...) 67#define REG_DBG_PRINT(args...)
67#endif 68#endif
68 69
70/*
71 * Grace period we give before making sure all current interfaces reside on
72 * channels allowed by the current regulatory domain.
73 */
74#define REG_ENFORCE_GRACE_MS 60000
75
69/** 76/**
70 * enum reg_request_treatment - regulatory request treatment 77 * enum reg_request_treatment - regulatory request treatment
71 * 78 *
@@ -210,6 +217,9 @@ struct reg_beacon {
210 struct ieee80211_channel chan; 217 struct ieee80211_channel chan;
211}; 218};
212 219
220static void reg_check_chans_work(struct work_struct *work);
221static DECLARE_DELAYED_WORK(reg_check_chans, reg_check_chans_work);
222
213static void reg_todo(struct work_struct *work); 223static void reg_todo(struct work_struct *work);
214static DECLARE_WORK(reg_work, reg_todo); 224static DECLARE_WORK(reg_work, reg_todo);
215 225
@@ -1518,6 +1528,96 @@ static void reg_call_notifier(struct wiphy *wiphy,
1518 wiphy->reg_notifier(wiphy, request); 1528 wiphy->reg_notifier(wiphy, request);
1519} 1529}
1520 1530
1531static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
1532{
1533 struct ieee80211_channel *ch;
1534 struct cfg80211_chan_def chandef;
1535 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1536 bool ret = true;
1537
1538 wdev_lock(wdev);
1539
1540 if (!wdev->netdev || !netif_running(wdev->netdev))
1541 goto out;
1542
1543 switch (wdev->iftype) {
1544 case NL80211_IFTYPE_AP:
1545 case NL80211_IFTYPE_P2P_GO:
1546 if (!wdev->beacon_interval)
1547 goto out;
1548
1549 ret = cfg80211_reg_can_beacon(wiphy,
1550 &wdev->chandef, wdev->iftype);
1551 break;
1552 case NL80211_IFTYPE_STATION:
1553 case NL80211_IFTYPE_P2P_CLIENT:
1554 case NL80211_IFTYPE_ADHOC:
1555 if (!wdev->current_bss ||
1556 !wdev->current_bss->pub.channel)
1557 goto out;
1558
1559 ch = wdev->current_bss->pub.channel;
1560 if (rdev->ops->get_channel &&
1561 !rdev_get_channel(rdev, wdev, &chandef))
1562 ret = cfg80211_chandef_usable(wiphy, &chandef,
1563 IEEE80211_CHAN_DISABLED);
1564 else
1565 ret = !(ch->flags & IEEE80211_CHAN_DISABLED);
1566 break;
1567 case NL80211_IFTYPE_MONITOR:
1568 case NL80211_IFTYPE_AP_VLAN:
1569 case NL80211_IFTYPE_P2P_DEVICE:
1570 /* no enforcement required */
1571 break;
1572 default:
1573 /* others not implemented for now */
1574 WARN_ON(1);
1575 break;
1576 }
1577
1578out:
1579 wdev_unlock(wdev);
1580 return ret;
1581}
1582
1583static void reg_leave_invalid_chans(struct wiphy *wiphy)
1584{
1585 struct wireless_dev *wdev;
1586 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1587
1588 ASSERT_RTNL();
1589
1590 list_for_each_entry(wdev, &rdev->wdev_list, list)
1591 if (!reg_wdev_chan_valid(wiphy, wdev))
1592 cfg80211_leave(rdev, wdev);
1593}
1594
1595static void reg_check_chans_work(struct work_struct *work)
1596{
1597 struct cfg80211_registered_device *rdev;
1598
1599 REG_DBG_PRINT("Verifying active interfaces after reg change\n");
1600 rtnl_lock();
1601
1602 list_for_each_entry(rdev, &cfg80211_rdev_list, list)
1603 if (!(rdev->wiphy.regulatory_flags &
1604 REGULATORY_IGNORE_STALE_KICKOFF))
1605 reg_leave_invalid_chans(&rdev->wiphy);
1606
1607 rtnl_unlock();
1608}
1609
1610static void reg_check_channels(void)
1611{
1612 /*
1613 * Give usermode a chance to do something nicer (move to another
1614 * channel, orderly disconnection), before forcing a disconnection.
1615 */
1616 mod_delayed_work(system_power_efficient_wq,
1617 &reg_check_chans,
1618 msecs_to_jiffies(REG_ENFORCE_GRACE_MS));
1619}
1620
1521static void wiphy_update_regulatory(struct wiphy *wiphy, 1621static void wiphy_update_regulatory(struct wiphy *wiphy,
1522 enum nl80211_reg_initiator initiator) 1622 enum nl80211_reg_initiator initiator)
1523{ 1623{
@@ -1557,6 +1657,8 @@ static void update_all_wiphy_regulatory(enum nl80211_reg_initiator initiator)
1557 wiphy = &rdev->wiphy; 1657 wiphy = &rdev->wiphy;
1558 wiphy_update_regulatory(wiphy, initiator); 1658 wiphy_update_regulatory(wiphy, initiator);
1559 } 1659 }
1660
1661 reg_check_channels();
1560} 1662}
1561 1663
1562static void handle_channel_custom(struct wiphy *wiphy, 1664static void handle_channel_custom(struct wiphy *wiphy,
@@ -1976,8 +2078,10 @@ static void reg_process_hint(struct regulatory_request *reg_request)
1976 2078
1977 /* This is required so that the orig_* parameters are saved */ 2079 /* This is required so that the orig_* parameters are saved */
1978 if (treatment == REG_REQ_ALREADY_SET && wiphy && 2080 if (treatment == REG_REQ_ALREADY_SET && wiphy &&
1979 wiphy->regulatory_flags & REGULATORY_STRICT_REG) 2081 wiphy->regulatory_flags & REGULATORY_STRICT_REG) {
1980 wiphy_update_regulatory(wiphy, reg_request->initiator); 2082 wiphy_update_regulatory(wiphy, reg_request->initiator);
2083 reg_check_channels();
2084 }
1981 2085
1982 return; 2086 return;
1983 2087
@@ -2858,6 +2962,7 @@ void regulatory_exit(void)
2858 2962
2859 cancel_work_sync(&reg_work); 2963 cancel_work_sync(&reg_work);
2860 cancel_delayed_work_sync(&reg_timeout); 2964 cancel_delayed_work_sync(&reg_timeout);
2965 cancel_delayed_work_sync(&reg_check_chans);
2861 2966
2862 /* Lock to suppress warnings */ 2967 /* Lock to suppress warnings */
2863 rtnl_lock(); 2968 rtnl_lock();
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-30 22:34:49 -0400