Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

9 files changed, 115 insertions, 84 deletions

diff --git a/drivers/bluetooth/bluecard_cs.c b/drivers/bluetooth/bluecard_cs.c
index a9a989e5ee88..dfa5043e68ba 100644
--- a/drivers/bluetooth/bluecard_cs.c
+++ b/drivers/bluetooth/bluecard_cs.c
@@ -901,7 +901,7 @@ static void bluecard_release(struct pcmcia_device *link)
 
         bluecard_close(info);
 
-        del_timer(&(info->timer));
+        del_timer_sync(&(info->timer));
 
         pcmcia_disable_device(link);
 }
diff --git a/drivers/bluetooth/btmrvl_main.c b/drivers/bluetooth/btmrvl_main.c
index 1e0320af00c6..2c4997ce2484 100644
--- a/drivers/bluetooth/btmrvl_main.c
+++ b/drivers/bluetooth/btmrvl_main.c
@@ -59,12 +59,13 @@ bool btmrvl_check_evtpkt(struct btmrvl_private *priv, struct sk_buff *skb)
                         priv->btmrvl_dev.sendcmdflag = false;
                         priv->adapter->cmd_complete = true;
                         wake_up_interruptible(&priv->adapter->cmd_wait_q);
-                }
 
-                if (hci_opcode_ogf(opcode) == 0x3F) {
-                        BT_DBG("vendor event skipped: opcode=%#4.4x", opcode);
-                        kfree_skb(skb);
-                        return false;
+                        if (hci_opcode_ogf(opcode) == 0x3F) {
+                                BT_DBG("vendor event skipped: opcode=%#4.4x",
+                                       opcode);
+                                kfree_skb(skb);
+                                return false;
+                        }
                 }
         }
 
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index b8cc39a4a9a5..5f8bc05694ac 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -189,6 +189,7 @@ struct hci_dev {
         __u16           page_scan_window;
         __u8            page_scan_type;
         __u8            le_adv_channel_map;
+        __u8            le_scan_type;
         __u16           le_scan_interval;
         __u16           le_scan_window;
         __u16           le_conn_min_interval;
@@ -1236,7 +1237,7 @@ void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
                                       u8 status);
 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
-                              u8 link_type, u8 addr_type, __le32 value,
+                              u8 link_type, u8 addr_type, u32 value,
                               u8 confirm_hint);
 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
                                      u8 link_type, u8 addr_type, u8 status);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a6a3d32553c5..49774912cb01 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -199,6 +199,8 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
         hdev->scan_rsp_data_len = 0;
 
+        hdev->le_scan_type = LE_SCAN_PASSIVE;
+
         hdev->ssp_debug_mode = 0;
 }
 
@@ -997,6 +999,25 @@ static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
         hci_dev_unlock(hdev);
 }
 
+static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_cp_le_set_scan_param *cp;
+        __u8 status = *((__u8 *) skb->data);
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
+        if (!cp)
+                return;
+
+        hci_dev_lock(hdev);
+
+        if (!status)
+                hdev->le_scan_type = cp->type;
+
+        hci_dev_unlock(hdev);
+}
+
 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
                                       struct sk_buff *skb)
 {
@@ -1704,6 +1725,36 @@ unlock:
         hci_dev_unlock(hdev);
 }
 
+static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
+{
+        struct hci_cp_le_start_enc *cp;
+        struct hci_conn *conn;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        if (!status)
+                return;
+
+        hci_dev_lock(hdev);
+
+        cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
+        if (!cp)
+                goto unlock;
+
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
+        if (!conn)
+                goto unlock;
+
+        if (conn->state != BT_CONNECTED)
+                goto unlock;
+
+        hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
+        hci_conn_drop(conn);
+
+unlock:
+        hci_dev_unlock(hdev);
+}
+
 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
         __u8 status = *((__u8 *) skb->data);
@@ -2488,6 +2539,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cc_le_set_adv_enable(hdev, skb);
                 break;
 
+        case HCI_OP_LE_SET_SCAN_PARAM:
+                hci_cc_le_set_scan_param(hdev, skb);
+                break;
+
         case HCI_OP_LE_SET_SCAN_ENABLE:
                 hci_cc_le_set_scan_enable(hdev, skb);
                 break;
@@ -2611,6 +2666,10 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cs_le_create_conn(hdev, ev->status);
                 break;
 
+        case HCI_OP_LE_START_ENC:
+                hci_cs_le_start_enc(hdev, ev->status);
+                break;
+
         default:
                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
                 break;
@@ -3459,8 +3518,8 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
         }
 
 confirm:
-        mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, ev->passkey,
-                                  confirm_hint);
+        mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
+                                  le32_to_cpu(ev->passkey), confirm_hint);
 
 unlock:
         hci_dev_unlock(hdev);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 33cd5615ff1e..f59e00c2daa9 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -360,7 +360,8 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
 
         BT_DBG("sock %p, sk %p", sock, sk);
 
-        if (peer && sk->sk_state != BT_CONNECTED)
+        if (peer && sk->sk_state != BT_CONNECTED &&
+            sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
                 return -ENOTCONN;
 
         memset(la, 0, sizeof(struct sockaddr_l2));
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 96670f581bb0..d2d4e0d5aed0 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2762,23 +2762,11 @@ static struct pending_cmd *find_pairing(struct hci_conn *conn)
 
 static void pairing_complete(struct pending_cmd *cmd, u8 status)
 {
-        const struct mgmt_cp_pair_device *cp = cmd->param;
         struct mgmt_rp_pair_device rp;
         struct hci_conn *conn = cmd->user_data;
 
-        /* If we had a pairing failure we might have already received
-         * the remote Identity Address Information and updated the
-         * hci_conn variables with it, however we would not yet have
-         * notified user space of the resolved identity. Therefore, use
-         * the address given in the Pair Device command in case the
-         * pairing failed.
-         */
-        if (status) {
-                memcpy(&rp.addr, &cp->addr, sizeof(rp.addr));
-        } else {
-                bacpy(&rp.addr.bdaddr, &conn->dst);
-                rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
-        }
+        bacpy(&rp.addr.bdaddr, &conn->dst);
+        rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
 
         cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, status,
                      &rp, sizeof(rp));
@@ -5338,7 +5326,7 @@ void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
 }
 
 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
-                              u8 link_type, u8 addr_type, __le32 value,
+                              u8 link_type, u8 addr_type, u32 value,
                               u8 confirm_hint)
 {
         struct mgmt_ev_user_confirm_request ev;
@@ -5348,7 +5336,7 @@ int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
         bacpy(&ev.addr.bdaddr, bdaddr);
         ev.addr.type = link_to_bdaddr(link_type, addr_type);
         ev.confirm_hint = confirm_hint;
-        ev.value = value;
+        ev.value = cpu_to_le32(value);
 
         return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
                           NULL);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index c024e715512f..eabd25ab5ad9 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -534,7 +534,8 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
 
         BT_DBG("sock %p, sk %p", sock, sk);
 
-        if (peer && sk->sk_state != BT_CONNECTED)
+        if (peer && sk->sk_state != BT_CONNECTED &&
+            sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2)
                 return -ENOTCONN;
 
         memset(sa, 0, sizeof(*sa));
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 2a7ee7f6cd8b..dfb4e1161c10 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -387,6 +387,11 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
         if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
                 method = JUST_WORKS;
 
+        /* Don't confirm locally initiated pairing attempts */
+        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
+                                           &smp->smp_flags))
+                method = JUST_WORKS;
+
         /* If Just Works, Continue with Zero TK */
         if (method == JUST_WORKS) {
                 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
@@ -422,10 +427,14 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
         if (method == REQ_PASSKEY)
                 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
                                                 hcon->type, hcon->dst_type);
+        else if (method == JUST_CFM)
+                ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
+                                                hcon->type, hcon->dst_type,
+                                                passkey, 1);
         else
                 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
                                                 hcon->type, hcon->dst_type,
-                                                cpu_to_le32(passkey), 0);
+                                                passkey, 0);
 
         hci_dev_unlock(hcon->hdev);
 
@@ -547,20 +556,6 @@ error:
         smp_failure(conn, reason);
 }
 
-static void smp_reencrypt(struct work_struct *work)
-{
-        struct smp_chan *smp = container_of(work, struct smp_chan,
-                                            reencrypt.work);
-        struct l2cap_conn *conn = smp->conn;
-        struct hci_conn *hcon = conn->hcon;
-        struct smp_ltk *ltk = smp->ltk;
-
-        BT_DBG("");
-
-        hci_le_start_enc(hcon, ltk->ediv, ltk->rand, ltk->val);
-        hcon->enc_key_size = ltk->enc_size;
-}
-
 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
 {
         struct smp_chan *smp;
@@ -571,7 +566,6 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
 
         INIT_WORK(&smp->confirm, confirm_work);
         INIT_WORK(&smp->random, random_work);
-        INIT_DELAYED_WORK(&smp->reencrypt, smp_reencrypt);
 
         smp->conn = conn;
         conn->smp_chan = smp;
@@ -589,8 +583,6 @@ void smp_chan_destroy(struct l2cap_conn *conn)
 
         BUG_ON(!smp);
 
-        cancel_delayed_work_sync(&smp->reencrypt);
-
         complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
         mgmt_smp_complete(conn->hcon, complete);
 
@@ -712,6 +704,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
         if (ret)
                 return SMP_UNSPECIFIED;
 
+        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+
         return 0;
 }
 
@@ -867,6 +861,8 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
 
+        clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+
         return 0;
 }
 
@@ -884,11 +880,15 @@ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 {
         struct l2cap_conn *conn = hcon->l2cap_data;
-        struct smp_chan *smp = conn->smp_chan;
+        struct smp_chan *smp;
         __u8 authreq;
 
         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
 
+        /* This may be NULL if there's an unexpected disconnection */
+        if (!conn)
+                return 1;
+
         if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
                 return 1;
 
@@ -928,6 +928,8 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
                 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
         }
 
+        set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
+
 done:
         hcon->pending_sec_level = sec_level;
 
@@ -1058,12 +1060,6 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
         smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
                                       smp->id_addr_type, smp->irk, &rpa);
 
-        /* Track the connection based on the Identity Address from now on */
-        bacpy(&hcon->dst, &smp->id_addr);
-        hcon->dst_type = smp->id_addr_type;
-
-        l2cap_conn_update_id_addr(hcon);
-
         smp_distribute_keys(conn);
 
         return 0;
@@ -1214,8 +1210,16 @@ static void smp_notify_keys(struct l2cap_conn *conn)
         struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
         bool persistent;
 
-        if (smp->remote_irk)
+        if (smp->remote_irk) {
                 mgmt_new_irk(hdev, smp->remote_irk);
+                /* Now that user space can be considered to know the
+                 * identity address track the connection based on it
+                 * from now on.
+                 */
+                bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
+                hcon->dst_type = smp->remote_irk->addr_type;
+                l2cap_conn_update_id_addr(hcon);
+        }
 
         /* The LTKs and CSRKs should be persistent only if both sides
          * had the bonding bit set in their authentication requests.
@@ -1253,7 +1257,6 @@ int smp_distribute_keys(struct l2cap_conn *conn)
         struct smp_chan *smp = conn->smp_chan;
         struct hci_conn *hcon = conn->hcon;
         struct hci_dev *hdev = hcon->hdev;
-        bool ltk_encrypt;
         __u8 *keydist;
 
         BT_DBG("conn %p", conn);
@@ -1353,32 +1356,12 @@ int smp_distribute_keys(struct l2cap_conn *conn)
         if ((smp->remote_key_dist & 0x07))
                 return 0;
 
-        /* Check if we should try to re-encrypt the link with the LTK.
-         * SMP_FLAG_LTK_ENCRYPT flag is used to track whether we've
-         * already tried this (in which case we shouldn't try again).
-         *
-         * The request will trigger an encryption key refresh event
-         * which will cause a call to auth_cfm and eventually lead to
-         * l2cap_core.c calling this smp_distribute_keys function again
-         * and thereby completing the process.
-         */
-        if (smp->ltk)
-                ltk_encrypt = !test_and_set_bit(SMP_FLAG_LTK_ENCRYPT,
-                                                &smp->smp_flags);
-        else
-                ltk_encrypt = false;
+        clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
+        cancel_delayed_work_sync(&conn->security_timer);
+        set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
+        smp_notify_keys(conn);
 
-        /* Re-encrypt the link with LTK if possible */
-        if (ltk_encrypt && hcon->out) {
-                queue_delayed_work(hdev->req_workqueue, &smp->reencrypt,
-                                   SMP_REENCRYPT_TIMEOUT);
-        } else {
-                clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
-                cancel_delayed_work_sync(&conn->security_timer);
-                set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
-                smp_notify_keys(conn);
-                smp_chan_destroy(conn);
-        }
+        smp_chan_destroy(conn);
 
         return 0;
 }
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index b6913471815a..1277147a9150 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -118,10 +118,8 @@ struct smp_cmd_security_req {
 #define SMP_FLAG_TK_VALID       1
 #define SMP_FLAG_CFM_PENDING    2
 #define SMP_FLAG_MITM_AUTH      3
-#define SMP_FLAG_LTK_ENCRYPT    4
-#define SMP_FLAG_COMPLETE       5
-
-#define SMP_REENCRYPT_TIMEOUT   msecs_to_jiffies(500)
+#define SMP_FLAG_COMPLETE       4
+#define SMP_FLAG_INITIATOR      5
 
 struct smp_chan {
         struct l2cap_conn *conn;
@@ -144,7 +142,6 @@ struct smp_chan {
         unsigned long   smp_flags;
         struct work_struct confirm;
         struct work_struct random;
-        struct delayed_work reencrypt;
 };
 
 /* SMP Commands */