aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-06-12 17:27:40 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-06-12 17:27:40 -0400
commitf9da455b93f6ba076935b4ef4589f61e529ae046 (patch)
tree3c4e69ce1ba1d6bf65915b97a76ca2172105b278 /net/bluetooth
parent0e04c641b199435f3779454055f6a7de258ecdfc (diff)
parente5eca6d41f53db48edd8cf88a3f59d2c30227f8e (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
Pull networking updates from David Miller: 1) Seccomp BPF filters can now be JIT'd, from Alexei Starovoitov. 2) Multiqueue support in xen-netback and xen-netfront, from Andrew J Benniston. 3) Allow tweaking of aggregation settings in cdc_ncm driver, from Bjørn Mork. 4) BPF now has a "random" opcode, from Chema Gonzalez. 5) Add more BPF documentation and improve test framework, from Daniel Borkmann. 6) Support TCP fastopen over ipv6, from Daniel Lee. 7) Add software TSO helper functions and use them to support software TSO in mvneta and mv643xx_eth drivers. From Ezequiel Garcia. 8) Support software TSO in fec driver too, from Nimrod Andy. 9) Add Broadcom SYSTEMPORT driver, from Florian Fainelli. 10) Handle broadcasts more gracefully over macvlan when there are large numbers of interfaces configured, from Herbert Xu. 11) Allow more control over fwmark used for non-socket based responses, from Lorenzo Colitti. 12) Do TCP congestion window limiting based upon measurements, from Neal Cardwell. 13) Support busy polling in SCTP, from Neal Horman. 14) Allow RSS key to be configured via ethtool, from Venkata Duvvuru. 15) Bridge promisc mode handling improvements from Vlad Yasevich. 16) Don't use inetpeer entries to implement ID generation any more, it performs poorly, from Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1522 commits) rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 tcp: fixing TLP's FIN recovery net: fec: Add software TSO support net: fec: Add Scatter/gather support net: fec: Increase buffer descriptor entry number net: fec: Factorize feature setting net: fec: Enable IP header hardware checksum net: fec: Factorize the .xmit transmit function bridge: fix compile error when compiling without IPv6 support bridge: fix smatch warning / potential null pointer dereference via-rhine: fix full-duplex with autoneg disable bnx2x: Enlarge the dorq threshold for VFs bnx2x: Check for UNDI in uncommon branch bnx2x: Fix 1G-baseT link bnx2x: Fix link for KR with swapped polarity lane sctp: Fix sk_ack_backlog wrap-around problem net/core: Add VF link state control policy net/fsl: xgmac_mdio is dependent on OF_MDIO net/fsl: Make xgmac_mdio read error message useful net_sched: drr: warn when qdisc is not work conserving ...
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/6lowpan.c65
-rw-r--r--net/bluetooth/hci_conn.c84
-rw-r--r--net/bluetooth/hci_core.c84
-rw-r--r--net/bluetooth/hci_event.c311
-rw-r--r--net/bluetooth/hci_sock.c17
-rw-r--r--net/bluetooth/l2cap_core.c6
-rw-r--r--net/bluetooth/l2cap_sock.c5
-rw-r--r--net/bluetooth/lib.c1
-rw-r--r--net/bluetooth/mgmt.c278
-rw-r--r--net/bluetooth/rfcomm/core.c2
-rw-r--r--net/bluetooth/rfcomm/tty.c20
-rw-r--r--net/bluetooth/smp.c160
-rw-r--r--net/bluetooth/smp.h30
13 files changed, 800 insertions, 263 deletions
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 73492b91105a..8796ffa08b43 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -420,12 +420,18 @@ static int conn_send(struct l2cap_conn *conn,
420 return 0; 420 return 0;
421} 421}
422 422
423static void get_dest_bdaddr(struct in6_addr *ip6_daddr, 423static u8 get_addr_type_from_eui64(u8 byte)
424 bdaddr_t *addr, u8 *addr_type)
425{ 424{
426 u8 *eui64; 425 /* Is universal(0) or local(1) bit, */
426 if (byte & 0x02)
427 return ADDR_LE_DEV_RANDOM;
427 428
428 eui64 = ip6_daddr->s6_addr + 8; 429 return ADDR_LE_DEV_PUBLIC;
430}
431
432static void copy_to_bdaddr(struct in6_addr *ip6_daddr, bdaddr_t *addr)
433{
434 u8 *eui64 = ip6_daddr->s6_addr + 8;
429 435
430 addr->b[0] = eui64[7]; 436 addr->b[0] = eui64[7];
431 addr->b[1] = eui64[6]; 437 addr->b[1] = eui64[6];
@@ -433,16 +439,19 @@ static void get_dest_bdaddr(struct in6_addr *ip6_daddr,
433 addr->b[3] = eui64[2]; 439 addr->b[3] = eui64[2];
434 addr->b[4] = eui64[1]; 440 addr->b[4] = eui64[1];
435 addr->b[5] = eui64[0]; 441 addr->b[5] = eui64[0];
442}
436 443
437 addr->b[5] ^= 2; 444static void convert_dest_bdaddr(struct in6_addr *ip6_daddr,
445 bdaddr_t *addr, u8 *addr_type)
446{
447 copy_to_bdaddr(ip6_daddr, addr);
438 448
439 /* Set universal/local bit to 0 */ 449 /* We need to toggle the U/L bit that we got from IPv6 address
440 if (addr->b[5] & 1) { 450 * so that we get the proper address and type of the BD address.
441 addr->b[5] &= ~1; 451 */
442 *addr_type = ADDR_LE_DEV_PUBLIC; 452 addr->b[5] ^= 0x02;
443 } else { 453
444 *addr_type = ADDR_LE_DEV_RANDOM; 454 *addr_type = get_addr_type_from_eui64(addr->b[5]);
445 }
446} 455}
447 456
448static int header_create(struct sk_buff *skb, struct net_device *netdev, 457static int header_create(struct sk_buff *skb, struct net_device *netdev,
@@ -473,9 +482,11 @@ static int header_create(struct sk_buff *skb, struct net_device *netdev,
473 /* Get destination BT device from skb. 482 /* Get destination BT device from skb.
474 * If there is no such peer then discard the packet. 483 * If there is no such peer then discard the packet.
475 */ 484 */
476 get_dest_bdaddr(&hdr->daddr, &addr, &addr_type); 485 convert_dest_bdaddr(&hdr->daddr, &addr, &addr_type);
477 486
478 BT_DBG("dest addr %pMR type %d", &addr, addr_type); 487 BT_DBG("dest addr %pMR type %s IP %pI6c", &addr,
488 addr_type == ADDR_LE_DEV_PUBLIC ? "PUBLIC" : "RANDOM",
489 &hdr->daddr);
479 490
480 read_lock_irqsave(&devices_lock, flags); 491 read_lock_irqsave(&devices_lock, flags);
481 peer = peer_lookup_ba(dev, &addr, addr_type); 492 peer = peer_lookup_ba(dev, &addr, addr_type);
@@ -556,7 +567,7 @@ static netdev_tx_t bt_xmit(struct sk_buff *skb, struct net_device *netdev)
556 } else { 567 } else {
557 unsigned long flags; 568 unsigned long flags;
558 569
559 get_dest_bdaddr(&lowpan_cb(skb)->addr, &addr, &addr_type); 570 convert_dest_bdaddr(&lowpan_cb(skb)->addr, &addr, &addr_type);
560 eui64_addr = lowpan_cb(skb)->addr.s6_addr + 8; 571 eui64_addr = lowpan_cb(skb)->addr.s6_addr + 8;
561 dev = lowpan_dev(netdev); 572 dev = lowpan_dev(netdev);
562 573
@@ -564,8 +575,10 @@ static netdev_tx_t bt_xmit(struct sk_buff *skb, struct net_device *netdev)
564 peer = peer_lookup_ba(dev, &addr, addr_type); 575 peer = peer_lookup_ba(dev, &addr, addr_type);
565 read_unlock_irqrestore(&devices_lock, flags); 576 read_unlock_irqrestore(&devices_lock, flags);
566 577
567 BT_DBG("xmit from %s to %pMR (%pI6c) peer %p", netdev->name, 578 BT_DBG("xmit %s to %pMR type %s IP %pI6c peer %p",
568 &addr, &lowpan_cb(skb)->addr, peer); 579 netdev->name, &addr,
580 addr_type == ADDR_LE_DEV_PUBLIC ? "PUBLIC" : "RANDOM",
581 &lowpan_cb(skb)->addr, peer);
569 582
570 if (peer && peer->conn) 583 if (peer && peer->conn)
571 err = send_pkt(peer->conn, netdev->dev_addr, 584 err = send_pkt(peer->conn, netdev->dev_addr,
@@ -620,13 +633,13 @@ static void set_addr(u8 *eui, u8 *addr, u8 addr_type)
620 eui[6] = addr[1]; 633 eui[6] = addr[1];
621 eui[7] = addr[0]; 634 eui[7] = addr[0];
622 635
623 eui[0] ^= 2; 636 /* Universal/local bit set, BT 6lowpan draft ch. 3.2.1 */
624
625 /* Universal/local bit set, RFC 4291 */
626 if (addr_type == ADDR_LE_DEV_PUBLIC) 637 if (addr_type == ADDR_LE_DEV_PUBLIC)
627 eui[0] |= 1; 638 eui[0] &= ~0x02;
628 else 639 else
629 eui[0] &= ~1; 640 eui[0] |= 0x02;
641
642 BT_DBG("type %d addr %*phC", addr_type, 8, eui);
630} 643}
631 644
632static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr, 645static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr,
@@ -634,7 +647,6 @@ static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr,
634{ 647{
635 netdev->addr_assign_type = NET_ADDR_PERM; 648 netdev->addr_assign_type = NET_ADDR_PERM;
636 set_addr(netdev->dev_addr, addr->b, addr_type); 649 set_addr(netdev->dev_addr, addr->b, addr_type);
637 netdev->dev_addr[0] ^= 2;
638} 650}
639 651
640static void ifup(struct net_device *netdev) 652static void ifup(struct net_device *netdev)
@@ -684,13 +696,6 @@ static int add_peer_conn(struct l2cap_conn *conn, struct lowpan_dev *dev)
684 696
685 memcpy(&peer->eui64_addr, (u8 *)&peer->peer_addr.s6_addr + 8, 697 memcpy(&peer->eui64_addr, (u8 *)&peer->peer_addr.s6_addr + 8,
686 EUI64_ADDR_LEN); 698 EUI64_ADDR_LEN);
687 peer->eui64_addr[0] ^= 2; /* second bit-flip (Universe/Local)
688 * is done according RFC2464
689 */
690
691 raw_dump_inline(__func__, "peer IPv6 address",
692 (unsigned char *)&peer->peer_addr, 16);
693 raw_dump_inline(__func__, "peer EUI64 address", peer->eui64_addr, 8);
694 699
695 write_lock_irqsave(&devices_lock, flags); 700 write_lock_irqsave(&devices_lock, flags);
696 INIT_LIST_HEAD(&peer->list); 701 INIT_LIST_HEAD(&peer->list);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 521fd4f3985e..8671bc79a35b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -28,6 +28,7 @@
28 28
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h>
31 32
32#include "smp.h" 33#include "smp.h"
33#include "a2mp.h" 34#include "a2mp.h"
@@ -367,9 +368,23 @@ static void le_conn_timeout(struct work_struct *work)
367{ 368{
368 struct hci_conn *conn = container_of(work, struct hci_conn, 369 struct hci_conn *conn = container_of(work, struct hci_conn,
369 le_conn_timeout.work); 370 le_conn_timeout.work);
371 struct hci_dev *hdev = conn->hdev;
370 372
371 BT_DBG(""); 373 BT_DBG("");
372 374
375 /* We could end up here due to having done directed advertising,
376 * so clean up the state if necessary. This should however only
377 * happen with broken hardware or if low duty cycle was used
378 * (which doesn't have a timeout of its own).
379 */
380 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
381 u8 enable = 0x00;
382 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
383 &enable);
384 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
385 return;
386 }
387
373 hci_le_create_connection_cancel(conn); 388 hci_le_create_connection_cancel(conn);
374} 389}
375 390
@@ -393,6 +408,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
393 conn->io_capability = hdev->io_capability; 408 conn->io_capability = hdev->io_capability;
394 conn->remote_auth = 0xff; 409 conn->remote_auth = 0xff;
395 conn->key_type = 0xff; 410 conn->key_type = 0xff;
411 conn->tx_power = HCI_TX_POWER_INVALID;
412 conn->max_tx_power = HCI_TX_POWER_INVALID;
396 413
397 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 414 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
398 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 415 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
@@ -401,6 +418,10 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
401 case ACL_LINK: 418 case ACL_LINK:
402 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 419 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
403 break; 420 break;
421 case LE_LINK:
422 /* conn->src should reflect the local identity address */
423 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
424 break;
404 case SCO_LINK: 425 case SCO_LINK:
405 if (lmp_esco_capable(hdev)) 426 if (lmp_esco_capable(hdev))
406 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 427 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
@@ -545,6 +566,11 @@ void hci_le_conn_failed(struct hci_conn *conn, u8 status)
545 * favor of connection establishment, we should restart it. 566 * favor of connection establishment, we should restart it.
546 */ 567 */
547 hci_update_background_scan(hdev); 568 hci_update_background_scan(hdev);
569
570 /* Re-enable advertising in case this was a failed connection
571 * attempt as a peripheral.
572 */
573 mgmt_reenable_advertising(hdev);
548} 574}
549 575
550static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 576static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
@@ -605,6 +631,45 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
605 conn->state = BT_CONNECT; 631 conn->state = BT_CONNECT;
606} 632}
607 633
634static void hci_req_directed_advertising(struct hci_request *req,
635 struct hci_conn *conn)
636{
637 struct hci_dev *hdev = req->hdev;
638 struct hci_cp_le_set_adv_param cp;
639 u8 own_addr_type;
640 u8 enable;
641
642 enable = 0x00;
643 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
644
645 /* Clear the HCI_ADVERTISING bit temporarily so that the
646 * hci_update_random_address knows that it's safe to go ahead
647 * and write a new random address. The flag will be set back on
648 * as soon as the SET_ADV_ENABLE HCI command completes.
649 */
650 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
651
652 /* Set require_privacy to false so that the remote device has a
653 * chance of identifying us.
654 */
655 if (hci_update_random_address(req, false, &own_addr_type) < 0)
656 return;
657
658 memset(&cp, 0, sizeof(cp));
659 cp.type = LE_ADV_DIRECT_IND;
660 cp.own_address_type = own_addr_type;
661 cp.direct_addr_type = conn->dst_type;
662 bacpy(&cp.direct_addr, &conn->dst);
663 cp.channel_map = hdev->le_adv_channel_map;
664
665 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
666
667 enable = 0x01;
668 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
669
670 conn->state = BT_CONNECT;
671}
672
608struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 673struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
609 u8 dst_type, u8 sec_level, u8 auth_type) 674 u8 dst_type, u8 sec_level, u8 auth_type)
610{ 675{
@@ -614,9 +679,6 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
614 struct hci_request req; 679 struct hci_request req;
615 int err; 680 int err;
616 681
617 if (test_bit(HCI_ADVERTISING, &hdev->flags))
618 return ERR_PTR(-ENOTSUPP);
619
620 /* Some devices send ATT messages as soon as the physical link is 682 /* Some devices send ATT messages as soon as the physical link is
621 * established. To be able to handle these ATT messages, the user- 683 * established. To be able to handle these ATT messages, the user-
622 * space first establishes the connection and then starts the pairing 684 * space first establishes the connection and then starts the pairing
@@ -664,13 +726,20 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
664 return ERR_PTR(-ENOMEM); 726 return ERR_PTR(-ENOMEM);
665 727
666 conn->dst_type = dst_type; 728 conn->dst_type = dst_type;
667
668 conn->out = true;
669 conn->link_mode |= HCI_LM_MASTER;
670 conn->sec_level = BT_SECURITY_LOW; 729 conn->sec_level = BT_SECURITY_LOW;
671 conn->pending_sec_level = sec_level; 730 conn->pending_sec_level = sec_level;
672 conn->auth_type = auth_type; 731 conn->auth_type = auth_type;
673 732
733 hci_req_init(&req, hdev);
734
735 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
736 hci_req_directed_advertising(&req, conn);
737 goto create_conn;
738 }
739
740 conn->out = true;
741 conn->link_mode |= HCI_LM_MASTER;
742
674 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 743 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
675 if (params) { 744 if (params) {
676 conn->le_conn_min_interval = params->conn_min_interval; 745 conn->le_conn_min_interval = params->conn_min_interval;
@@ -680,8 +749,6 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
680 conn->le_conn_max_interval = hdev->le_conn_max_interval; 749 conn->le_conn_max_interval = hdev->le_conn_max_interval;
681 } 750 }
682 751
683 hci_req_init(&req, hdev);
684
685 /* If controller is scanning, we stop it since some controllers are 752 /* If controller is scanning, we stop it since some controllers are
686 * not able to scan and connect at the same time. Also set the 753 * not able to scan and connect at the same time. Also set the
687 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete 754 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
@@ -695,6 +762,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
695 762
696 hci_req_add_le_create_conn(&req, conn); 763 hci_req_add_le_create_conn(&req, conn);
697 764
765create_conn:
698 err = hci_req_run(&req, create_le_conn_complete); 766 err = hci_req_run(&req, create_le_conn_complete);
699 if (err) { 767 if (err) {
700 hci_conn_del(conn); 768 hci_conn_del(conn);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1c6ffaa8902f..0a43cce9a914 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -34,6 +34,7 @@
34 34
35#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
37 38
38#include "smp.h" 39#include "smp.h"
39 40
@@ -579,6 +580,62 @@ static int sniff_max_interval_get(void *data, u64 *val)
579DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get, 580DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
580 sniff_max_interval_set, "%llu\n"); 581 sniff_max_interval_set, "%llu\n");
581 582
583static int conn_info_min_age_set(void *data, u64 val)
584{
585 struct hci_dev *hdev = data;
586
587 if (val == 0 || val > hdev->conn_info_max_age)
588 return -EINVAL;
589
590 hci_dev_lock(hdev);
591 hdev->conn_info_min_age = val;
592 hci_dev_unlock(hdev);
593
594 return 0;
595}
596
597static int conn_info_min_age_get(void *data, u64 *val)
598{
599 struct hci_dev *hdev = data;
600
601 hci_dev_lock(hdev);
602 *val = hdev->conn_info_min_age;
603 hci_dev_unlock(hdev);
604
605 return 0;
606}
607
608DEFINE_SIMPLE_ATTRIBUTE(conn_info_min_age_fops, conn_info_min_age_get,
609 conn_info_min_age_set, "%llu\n");
610
611static int conn_info_max_age_set(void *data, u64 val)
612{
613 struct hci_dev *hdev = data;
614
615 if (val == 0 || val < hdev->conn_info_min_age)
616 return -EINVAL;
617
618 hci_dev_lock(hdev);
619 hdev->conn_info_max_age = val;
620 hci_dev_unlock(hdev);
621
622 return 0;
623}
624
625static int conn_info_max_age_get(void *data, u64 *val)
626{
627 struct hci_dev *hdev = data;
628
629 hci_dev_lock(hdev);
630 *val = hdev->conn_info_max_age;
631 hci_dev_unlock(hdev);
632
633 return 0;
634}
635
636DEFINE_SIMPLE_ATTRIBUTE(conn_info_max_age_fops, conn_info_max_age_get,
637 conn_info_max_age_set, "%llu\n");
638
582static int identity_show(struct seq_file *f, void *p) 639static int identity_show(struct seq_file *f, void *p)
583{ 640{
584 struct hci_dev *hdev = f->private; 641 struct hci_dev *hdev = f->private;
@@ -955,14 +1012,9 @@ static ssize_t le_auto_conn_write(struct file *file, const char __user *data,
955 if (count < 3) 1012 if (count < 3)
956 return -EINVAL; 1013 return -EINVAL;
957 1014
958 buf = kzalloc(count, GFP_KERNEL); 1015 buf = memdup_user(data, count);
959 if (!buf) 1016 if (IS_ERR(buf))
960 return -ENOMEM; 1017 return PTR_ERR(buf);
961
962 if (copy_from_user(buf, data, count)) {
963 err = -EFAULT;
964 goto done;
965 }
966 1018
967 if (memcmp(buf, "add", 3) == 0) { 1019 if (memcmp(buf, "add", 3) == 0) {
968 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu", 1020 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu",
@@ -1759,6 +1811,11 @@ static int __hci_init(struct hci_dev *hdev)
1759 &blacklist_fops); 1811 &blacklist_fops);
1760 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops); 1812 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
1761 1813
1814 debugfs_create_file("conn_info_min_age", 0644, hdev->debugfs, hdev,
1815 &conn_info_min_age_fops);
1816 debugfs_create_file("conn_info_max_age", 0644, hdev->debugfs, hdev,
1817 &conn_info_max_age_fops);
1818
1762 if (lmp_bredr_capable(hdev)) { 1819 if (lmp_bredr_capable(hdev)) {
1763 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs, 1820 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
1764 hdev, &inquiry_cache_fops); 1821 hdev, &inquiry_cache_fops);
@@ -1828,6 +1885,9 @@ static int __hci_init(struct hci_dev *hdev)
1828 &lowpan_debugfs_fops); 1885 &lowpan_debugfs_fops);
1829 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev, 1886 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev,
1830 &le_auto_conn_fops); 1887 &le_auto_conn_fops);
1888 debugfs_create_u16("discov_interleaved_timeout", 0644,
1889 hdev->debugfs,
1890 &hdev->discov_interleaved_timeout);
1831 } 1891 }
1832 1892
1833 return 0; 1893 return 0;
@@ -2033,12 +2093,11 @@ bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
2033 2093
2034 hci_remove_remote_oob_data(hdev, &data->bdaddr); 2094 hci_remove_remote_oob_data(hdev, &data->bdaddr);
2035 2095
2036 if (ssp) 2096 *ssp = data->ssp_mode;
2037 *ssp = data->ssp_mode;
2038 2097
2039 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr); 2098 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
2040 if (ie) { 2099 if (ie) {
2041 if (ie->data.ssp_mode && ssp) 2100 if (ie->data.ssp_mode)
2042 *ssp = true; 2101 *ssp = true;
2043 2102
2044 if (ie->name_state == NAME_NEEDED && 2103 if (ie->name_state == NAME_NEEDED &&
@@ -3791,6 +3850,9 @@ struct hci_dev *hci_alloc_dev(void)
3791 hdev->le_conn_max_interval = 0x0038; 3850 hdev->le_conn_max_interval = 0x0038;
3792 3851
3793 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT; 3852 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3853 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
3854 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
3855 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
3794 3856
3795 mutex_init(&hdev->lock); 3857 mutex_init(&hdev->lock);
3796 mutex_init(&hdev->req_lock); 3858 mutex_init(&hdev->req_lock);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 682f33a38366..21e5913d12e0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -991,10 +991,25 @@ static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
991 if (!sent) 991 if (!sent)
992 return; 992 return;
993 993
994 if (status)
995 return;
996
994 hci_dev_lock(hdev); 997 hci_dev_lock(hdev);
995 998
996 if (!status) 999 /* If we're doing connection initation as peripheral. Set a
997 mgmt_advertising(hdev, *sent); 1000 * timeout in case something goes wrong.
1001 */
1002 if (*sent) {
1003 struct hci_conn *conn;
1004
1005 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1006 if (conn)
1007 queue_delayed_work(hdev->workqueue,
1008 &conn->le_conn_timeout,
1009 HCI_LE_CONN_TIMEOUT);
1010 }
1011
1012 mgmt_advertising(hdev, *sent);
998 1013
999 hci_dev_unlock(hdev); 1014 hci_dev_unlock(hdev);
1000} 1015}
@@ -1018,6 +1033,33 @@ static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1018 hci_dev_unlock(hdev); 1033 hci_dev_unlock(hdev);
1019} 1034}
1020 1035
1036static bool has_pending_adv_report(struct hci_dev *hdev)
1037{
1038 struct discovery_state *d = &hdev->discovery;
1039
1040 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1041}
1042
1043static void clear_pending_adv_report(struct hci_dev *hdev)
1044{
1045 struct discovery_state *d = &hdev->discovery;
1046
1047 bacpy(&d->last_adv_addr, BDADDR_ANY);
1048 d->last_adv_data_len = 0;
1049}
1050
1051static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1052 u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
1053{
1054 struct discovery_state *d = &hdev->discovery;
1055
1056 bacpy(&d->last_adv_addr, bdaddr);
1057 d->last_adv_addr_type = bdaddr_type;
1058 d->last_adv_rssi = rssi;
1059 memcpy(d->last_adv_data, data, len);
1060 d->last_adv_data_len = len;
1061}
1062
1021static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1063static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1022 struct sk_buff *skb) 1064 struct sk_buff *skb)
1023{ 1065{
@@ -1036,9 +1078,25 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1036 switch (cp->enable) { 1078 switch (cp->enable) {
1037 case LE_SCAN_ENABLE: 1079 case LE_SCAN_ENABLE:
1038 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1080 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1081 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1082 clear_pending_adv_report(hdev);
1039 break; 1083 break;
1040 1084
1041 case LE_SCAN_DISABLE: 1085 case LE_SCAN_DISABLE:
1086 /* We do this here instead of when setting DISCOVERY_STOPPED
1087 * since the latter would potentially require waiting for
1088 * inquiry to stop too.
1089 */
1090 if (has_pending_adv_report(hdev)) {
1091 struct discovery_state *d = &hdev->discovery;
1092
1093 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1094 d->last_adv_addr_type, NULL,
1095 d->last_adv_rssi, 0, 1,
1096 d->last_adv_data,
1097 d->last_adv_data_len, NULL, 0);
1098 }
1099
1042 /* Cancel this timer so that we don't try to disable scanning 1100 /* Cancel this timer so that we don't try to disable scanning
1043 * when it's already disabled. 1101 * when it's already disabled.
1044 */ 1102 */
@@ -1187,6 +1245,59 @@ static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1187 amp_write_rem_assoc_continue(hdev, rp->phy_handle); 1245 amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1188} 1246}
1189 1247
1248static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1249{
1250 struct hci_rp_read_rssi *rp = (void *) skb->data;
1251 struct hci_conn *conn;
1252
1253 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1254
1255 if (rp->status)
1256 return;
1257
1258 hci_dev_lock(hdev);
1259
1260 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1261 if (conn)
1262 conn->rssi = rp->rssi;
1263
1264 hci_dev_unlock(hdev);
1265}
1266
1267static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1268{
1269 struct hci_cp_read_tx_power *sent;
1270 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1271 struct hci_conn *conn;
1272
1273 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1274
1275 if (rp->status)
1276 return;
1277
1278 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1279 if (!sent)
1280 return;
1281
1282 hci_dev_lock(hdev);
1283
1284 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1285 if (!conn)
1286 goto unlock;
1287
1288 switch (sent->type) {
1289 case 0x00:
1290 conn->tx_power = rp->tx_power;
1291 break;
1292 case 0x01:
1293 conn->max_tx_power = rp->tx_power;
1294 break;
1295 }
1296
1297unlock:
1298 hci_dev_unlock(hdev);
1299}
1300
1190static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1301static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1191{ 1302{
1192 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1303 BT_DBG("%s status 0x%2.2x", hdev->name, status);
@@ -1342,6 +1453,7 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1342 * is requested. 1453 * is requested.
1343 */ 1454 */
1344 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1455 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1456 conn->pending_sec_level != BT_SECURITY_FIPS &&
1345 conn->pending_sec_level != BT_SECURITY_HIGH && 1457 conn->pending_sec_level != BT_SECURITY_HIGH &&
1346 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1458 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1347 return 0; 1459 return 0;
@@ -1827,7 +1939,7 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1827 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp); 1939 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1828 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 1940 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1829 info->dev_class, 0, !name_known, ssp, NULL, 1941 info->dev_class, 0, !name_known, ssp, NULL,
1830 0); 1942 0, NULL, 0);
1831 } 1943 }
1832 1944
1833 hci_dev_unlock(hdev); 1945 hci_dev_unlock(hdev);
@@ -2579,6 +2691,14 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2579 hci_cc_write_remote_amp_assoc(hdev, skb); 2691 hci_cc_write_remote_amp_assoc(hdev, skb);
2580 break; 2692 break;
2581 2693
2694 case HCI_OP_READ_RSSI:
2695 hci_cc_read_rssi(hdev, skb);
2696 break;
2697
2698 case HCI_OP_READ_TX_POWER:
2699 hci_cc_read_tx_power(hdev, skb);
2700 break;
2701
2582 default: 2702 default:
2583 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2703 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2584 break; 2704 break;
@@ -2957,7 +3077,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2957 } 3077 }
2958 3078
2959 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3079 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2960 conn->pending_sec_level == BT_SECURITY_HIGH) { 3080 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3081 conn->pending_sec_level == BT_SECURITY_FIPS)) {
2961 BT_DBG("%s ignoring key unauthenticated for high security", 3082 BT_DBG("%s ignoring key unauthenticated for high security",
2962 hdev->name); 3083 hdev->name);
2963 goto not_found; 3084 goto not_found;
@@ -3102,7 +3223,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3102 false, &ssp); 3223 false, &ssp);
3103 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3224 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3104 info->dev_class, info->rssi, 3225 info->dev_class, info->rssi,
3105 !name_known, ssp, NULL, 0); 3226 !name_known, ssp, NULL, 0, NULL, 0);
3106 } 3227 }
3107 } else { 3228 } else {
3108 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3229 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
@@ -3120,7 +3241,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3120 false, &ssp); 3241 false, &ssp);
3121 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3242 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3122 info->dev_class, info->rssi, 3243 info->dev_class, info->rssi,
3123 !name_known, ssp, NULL, 0); 3244 !name_known, ssp, NULL, 0, NULL, 0);
3124 } 3245 }
3125 } 3246 }
3126 3247
@@ -3309,7 +3430,7 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3309 eir_len = eir_get_length(info->data, sizeof(info->data)); 3430 eir_len = eir_get_length(info->data, sizeof(info->data));
3310 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3431 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3311 info->dev_class, info->rssi, !name_known, 3432 info->dev_class, info->rssi, !name_known,
3312 ssp, info->data, eir_len); 3433 ssp, info->data, eir_len, NULL, 0);
3313 } 3434 }
3314 3435
3315 hci_dev_unlock(hdev); 3436 hci_dev_unlock(hdev);
@@ -3367,24 +3488,20 @@ unlock:
3367 3488
3368static u8 hci_get_auth_req(struct hci_conn *conn) 3489static u8 hci_get_auth_req(struct hci_conn *conn)
3369{ 3490{
3370 /* If remote requests dedicated bonding follow that lead */
3371 if (conn->remote_auth == HCI_AT_DEDICATED_BONDING ||
3372 conn->remote_auth == HCI_AT_DEDICATED_BONDING_MITM) {
3373 /* If both remote and local IO capabilities allow MITM
3374 * protection then require it, otherwise don't */
3375 if (conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT ||
3376 conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)
3377 return HCI_AT_DEDICATED_BONDING;
3378 else
3379 return HCI_AT_DEDICATED_BONDING_MITM;
3380 }
3381
3382 /* If remote requests no-bonding follow that lead */ 3491 /* If remote requests no-bonding follow that lead */
3383 if (conn->remote_auth == HCI_AT_NO_BONDING || 3492 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3384 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3493 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3385 return conn->remote_auth | (conn->auth_type & 0x01); 3494 return conn->remote_auth | (conn->auth_type & 0x01);
3386 3495
3387 return conn->auth_type; 3496 /* If both remote and local have enough IO capabilities, require
3497 * MITM protection
3498 */
3499 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3500 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3501 return conn->remote_auth | 0x01;
3502
3503 /* No MITM protection possible so ignore remote requirement */
3504 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3388} 3505}
3389 3506
3390static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3507static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -3414,8 +3531,21 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3414 * to DisplayYesNo as it is not supported by BT spec. */ 3531 * to DisplayYesNo as it is not supported by BT spec. */
3415 cp.capability = (conn->io_capability == 0x04) ? 3532 cp.capability = (conn->io_capability == 0x04) ?
3416 HCI_IO_DISPLAY_YESNO : conn->io_capability; 3533 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3417 conn->auth_type = hci_get_auth_req(conn); 3534
3418 cp.authentication = conn->auth_type; 3535 /* If we are initiators, there is no remote information yet */
3536 if (conn->remote_auth == 0xff) {
3537 cp.authentication = conn->auth_type;
3538
3539 /* Request MITM protection if our IO caps allow it
3540 * except for the no-bonding case
3541 */
3542 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3543 cp.authentication != HCI_AT_NO_BONDING)
3544 cp.authentication |= 0x01;
3545 } else {
3546 conn->auth_type = hci_get_auth_req(conn);
3547 cp.authentication = conn->auth_type;
3548 }
3419 3549
3420 if (hci_find_remote_oob_data(hdev, &conn->dst) && 3550 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3421 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3551 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
@@ -3483,12 +3613,9 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3483 rem_mitm = (conn->remote_auth & 0x01); 3613 rem_mitm = (conn->remote_auth & 0x01);
3484 3614
3485 /* If we require MITM but the remote device can't provide that 3615 /* If we require MITM but the remote device can't provide that
3486 * (it has NoInputNoOutput) then reject the confirmation 3616 * (it has NoInputNoOutput) then reject the confirmation request
3487 * request. The only exception is when we're dedicated bonding 3617 */
3488 * initiators (connect_cfm_cb set) since then we always have the MITM 3618 if (loc_mitm && conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3489 * bit set. */
3490 if (!conn->connect_cfm_cb && loc_mitm &&
3491 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3492 BT_DBG("Rejecting request: remote device can't provide MITM"); 3619 BT_DBG("Rejecting request: remote device can't provide MITM");
3493 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 3620 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3494 sizeof(ev->bdaddr), &ev->bdaddr); 3621 sizeof(ev->bdaddr), &ev->bdaddr);
@@ -3846,17 +3973,6 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3846 3973
3847 conn->dst_type = ev->bdaddr_type; 3974 conn->dst_type = ev->bdaddr_type;
3848 3975
3849 /* The advertising parameters for own address type
3850 * define which source address and source address
3851 * type this connections has.
3852 */
3853 if (bacmp(&conn->src, BDADDR_ANY)) {
3854 conn->src_type = ADDR_LE_DEV_PUBLIC;
3855 } else {
3856 bacpy(&conn->src, &hdev->static_addr);
3857 conn->src_type = ADDR_LE_DEV_RANDOM;
3858 }
3859
3860 if (ev->role == LE_CONN_ROLE_MASTER) { 3976 if (ev->role == LE_CONN_ROLE_MASTER) {
3861 conn->out = true; 3977 conn->out = true;
3862 conn->link_mode |= HCI_LM_MASTER; 3978 conn->link_mode |= HCI_LM_MASTER;
@@ -3881,27 +3997,24 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3881 &conn->init_addr, 3997 &conn->init_addr,
3882 &conn->init_addr_type); 3998 &conn->init_addr_type);
3883 } 3999 }
3884 } else {
3885 /* Set the responder (our side) address type based on
3886 * the advertising address type.
3887 */
3888 conn->resp_addr_type = hdev->adv_addr_type;
3889 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3890 bacpy(&conn->resp_addr, &hdev->random_addr);
3891 else
3892 bacpy(&conn->resp_addr, &hdev->bdaddr);
3893
3894 conn->init_addr_type = ev->bdaddr_type;
3895 bacpy(&conn->init_addr, &ev->bdaddr);
3896 } 4000 }
3897 } else { 4001 } else {
3898 cancel_delayed_work(&conn->le_conn_timeout); 4002 cancel_delayed_work(&conn->le_conn_timeout);
3899 } 4003 }
3900 4004
3901 /* Ensure that the hci_conn contains the identity address type 4005 if (!conn->out) {
3902 * regardless of which address the connection was made with. 4006 /* Set the responder (our side) address type based on
3903 */ 4007 * the advertising address type.
3904 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 4008 */
4009 conn->resp_addr_type = hdev->adv_addr_type;
4010 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4011 bacpy(&conn->resp_addr, &hdev->random_addr);
4012 else
4013 bacpy(&conn->resp_addr, &hdev->bdaddr);
4014
4015 conn->init_addr_type = ev->bdaddr_type;
4016 bacpy(&conn->init_addr, &ev->bdaddr);
4017 }
3905 4018
3906 /* Lookup the identity address from the stored connection 4019 /* Lookup the identity address from the stored connection
3907 * address and address type. 4020 * address and address type.
@@ -3981,25 +4094,97 @@ static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3981 } 4094 }
3982} 4095}
3983 4096
4097static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4098 u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
4099{
4100 struct discovery_state *d = &hdev->discovery;
4101 bool match;
4102
4103 /* Passive scanning shouldn't trigger any device found events */
4104 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4105 if (type == LE_ADV_IND || type == LE_ADV_DIRECT_IND)
4106 check_pending_le_conn(hdev, bdaddr, bdaddr_type);
4107 return;
4108 }
4109
4110 /* If there's nothing pending either store the data from this
4111 * event or send an immediate device found event if the data
4112 * should not be stored for later.
4113 */
4114 if (!has_pending_adv_report(hdev)) {
4115 /* If the report will trigger a SCAN_REQ store it for
4116 * later merging.
4117 */
4118 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4119 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4120 rssi, data, len);
4121 return;
4122 }
4123
4124 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4125 rssi, 0, 1, data, len, NULL, 0);
4126 return;
4127 }
4128
4129 /* Check if the pending report is for the same device as the new one */
4130 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4131 bdaddr_type == d->last_adv_addr_type);
4132
4133 /* If the pending data doesn't match this report or this isn't a
4134 * scan response (e.g. we got a duplicate ADV_IND) then force
4135 * sending of the pending data.
4136 */
4137 if (type != LE_ADV_SCAN_RSP || !match) {
4138 /* Send out whatever is in the cache, but skip duplicates */
4139 if (!match)
4140 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4141 d->last_adv_addr_type, NULL,
4142 d->last_adv_rssi, 0, 1,
4143 d->last_adv_data,
4144 d->last_adv_data_len, NULL, 0);
4145
4146 /* If the new report will trigger a SCAN_REQ store it for
4147 * later merging.
4148 */
4149 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4150 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4151 rssi, data, len);
4152 return;
4153 }
4154
4155 /* The advertising reports cannot be merged, so clear
4156 * the pending report and send out a device found event.
4157 */
4158 clear_pending_adv_report(hdev);
4159 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4160 rssi, 0, 1, data, len, NULL, 0);
4161 return;
4162 }
4163
4164 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4165 * the new event is a SCAN_RSP. We can therefore proceed with
4166 * sending a merged device found event.
4167 */
4168 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4169 d->last_adv_addr_type, NULL, rssi, 0, 1, data, len,
4170 d->last_adv_data, d->last_adv_data_len);
4171 clear_pending_adv_report(hdev);
4172}
4173
3984static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4174static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3985{ 4175{
3986 u8 num_reports = skb->data[0]; 4176 u8 num_reports = skb->data[0];
3987 void *ptr = &skb->data[1]; 4177 void *ptr = &skb->data[1];
3988 s8 rssi;
3989 4178
3990 hci_dev_lock(hdev); 4179 hci_dev_lock(hdev);
3991 4180
3992 while (num_reports--) { 4181 while (num_reports--) {
3993 struct hci_ev_le_advertising_info *ev = ptr; 4182 struct hci_ev_le_advertising_info *ev = ptr;
3994 4183 s8 rssi;
3995 if (ev->evt_type == LE_ADV_IND ||
3996 ev->evt_type == LE_ADV_DIRECT_IND)
3997 check_pending_le_conn(hdev, &ev->bdaddr,
3998 ev->bdaddr_type);
3999 4184
4000 rssi = ev->data[ev->length]; 4185 rssi = ev->data[ev->length];
4001 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type, 4186 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4002 NULL, rssi, 0, 1, ev->data, ev->length); 4187 ev->bdaddr_type, rssi, ev->data, ev->length);
4003 4188
4004 ptr += sizeof(*ev) + ev->length + 1; 4189 ptr += sizeof(*ev) + ev->length + 1;
4005 } 4190 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b9a418e578e0..80d25c150a65 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -143,7 +143,7 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
143 143
144 if (!skb_copy) { 144 if (!skb_copy) {
145 /* Create a private copy with headroom */ 145 /* Create a private copy with headroom */
146 skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC); 146 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
147 if (!skb_copy) 147 if (!skb_copy)
148 continue; 148 continue;
149 149
@@ -247,8 +247,8 @@ void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
247 struct hci_mon_hdr *hdr; 247 struct hci_mon_hdr *hdr;
248 248
249 /* Create a private copy with headroom */ 249 /* Create a private copy with headroom */
250 skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE, 250 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE,
251 GFP_ATOMIC); 251 GFP_ATOMIC, true);
252 if (!skb_copy) 252 if (!skb_copy)
253 continue; 253 continue;
254 254
@@ -524,16 +524,7 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
524 case HCISETRAW: 524 case HCISETRAW:
525 if (!capable(CAP_NET_ADMIN)) 525 if (!capable(CAP_NET_ADMIN))
526 return -EPERM; 526 return -EPERM;
527 527 return -EOPNOTSUPP;
528 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
529 return -EPERM;
530
531 if (arg)
532 set_bit(HCI_RAW, &hdev->flags);
533 else
534 clear_bit(HCI_RAW, &hdev->flags);
535
536 return 0;
537 528
538 case HCIGETCONNINFO: 529 case HCIGETCONNINFO:
539 return hci_get_conn_info(hdev, (void __user *) arg); 530 return hci_get_conn_info(hdev, (void __user *) arg);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index dc4d301d3a72..6eabbe05fe54 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -471,8 +471,14 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 471 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
472 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 472 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
473 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 473 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
474 chan->remote_max_tx = chan->max_tx;
475 chan->remote_tx_win = chan->tx_win;
474 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 476 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->sec_level = BT_SECURITY_LOW; 477 chan->sec_level = BT_SECURITY_LOW;
478 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
479 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
480 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
481 chan->conf_state = 0;
476 482
477 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 483 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
478} 484}
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ef5e5b04f34f..ade3fb4c23bc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1180,13 +1180,16 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1180 /* Check for backlog size */ 1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) { 1181 if (sk_acceptq_is_full(parent)) {
1182 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1182 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183 release_sock(parent);
1183 return NULL; 1184 return NULL;
1184 } 1185 }
1185 1186
1186 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1187 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1187 GFP_ATOMIC); 1188 GFP_ATOMIC);
1188 if (!sk) 1189 if (!sk) {
1190 release_sock(parent);
1189 return NULL; 1191 return NULL;
1192 }
1190 1193
1191 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1194 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1192 1195
diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
index b3fbc73516c4..941ad7530eda 100644
--- a/net/bluetooth/lib.c
+++ b/net/bluetooth/lib.c
@@ -58,6 +58,7 @@ int bt_to_errno(__u16 code)
58 return EIO; 58 return EIO;
59 59
60 case 0x04: 60 case 0x04:
61 case 0x3c:
61 return EHOSTDOWN; 62 return EHOSTDOWN;
62 63
63 case 0x05: 64 case 0x05:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index d2d4e0d5aed0..0fce54412ffd 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -29,12 +29,13 @@
29 29
30#include <net/bluetooth/bluetooth.h> 30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h> 31#include <net/bluetooth/hci_core.h>
32#include <net/bluetooth/l2cap.h>
32#include <net/bluetooth/mgmt.h> 33#include <net/bluetooth/mgmt.h>
33 34
34#include "smp.h" 35#include "smp.h"
35 36
36#define MGMT_VERSION 1 37#define MGMT_VERSION 1
37#define MGMT_REVISION 5 38#define MGMT_REVISION 6
38 39
39static const u16 mgmt_commands[] = { 40static const u16 mgmt_commands[] = {
40 MGMT_OP_READ_INDEX_LIST, 41 MGMT_OP_READ_INDEX_LIST,
@@ -83,6 +84,7 @@ static const u16 mgmt_commands[] = {
83 MGMT_OP_SET_DEBUG_KEYS, 84 MGMT_OP_SET_DEBUG_KEYS,
84 MGMT_OP_SET_PRIVACY, 85 MGMT_OP_SET_PRIVACY,
85 MGMT_OP_LOAD_IRKS, 86 MGMT_OP_LOAD_IRKS,
87 MGMT_OP_GET_CONN_INFO,
86}; 88};
87 89
88static const u16 mgmt_events[] = { 90static const u16 mgmt_events[] = {
@@ -2850,10 +2852,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2850 } 2852 }
2851 2853
2852 sec_level = BT_SECURITY_MEDIUM; 2854 sec_level = BT_SECURITY_MEDIUM;
2853 if (cp->io_cap == 0x03) 2855 auth_type = HCI_AT_DEDICATED_BONDING;
2854 auth_type = HCI_AT_DEDICATED_BONDING;
2855 else
2856 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2857 2856
2858 if (cp->addr.type == BDADDR_BREDR) { 2857 if (cp->addr.type == BDADDR_BREDR) {
2859 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level, 2858 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
@@ -3351,6 +3350,8 @@ static int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status)
3351 3350
3352static void start_discovery_complete(struct hci_dev *hdev, u8 status) 3351static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3353{ 3352{
3353 unsigned long timeout = 0;
3354
3354 BT_DBG("status %d", status); 3355 BT_DBG("status %d", status);
3355 3356
3356 if (status) { 3357 if (status) {
@@ -3366,13 +3367,11 @@ static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3366 3367
3367 switch (hdev->discovery.type) { 3368 switch (hdev->discovery.type) {
3368 case DISCOV_TYPE_LE: 3369 case DISCOV_TYPE_LE:
3369 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 3370 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
3370 DISCOV_LE_TIMEOUT);
3371 break; 3371 break;
3372 3372
3373 case DISCOV_TYPE_INTERLEAVED: 3373 case DISCOV_TYPE_INTERLEAVED:
3374 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 3374 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
3375 DISCOV_INTERLEAVED_TIMEOUT);
3376 break; 3375 break;
3377 3376
3378 case DISCOV_TYPE_BREDR: 3377 case DISCOV_TYPE_BREDR:
@@ -3381,6 +3380,11 @@ static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3381 default: 3380 default:
3382 BT_ERR("Invalid discovery type %d", hdev->discovery.type); 3381 BT_ERR("Invalid discovery type %d", hdev->discovery.type);
3383 } 3382 }
3383
3384 if (!timeout)
3385 return;
3386
3387 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, timeout);
3384} 3388}
3385 3389
3386static int start_discovery(struct sock *sk, struct hci_dev *hdev, 3390static int start_discovery(struct sock *sk, struct hci_dev *hdev,
@@ -4530,7 +4534,7 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4530 4534
4531 for (i = 0; i < key_count; i++) { 4535 for (i = 0; i < key_count; i++) {
4532 struct mgmt_ltk_info *key = &cp->keys[i]; 4536 struct mgmt_ltk_info *key = &cp->keys[i];
4533 u8 type, addr_type; 4537 u8 type, addr_type, authenticated;
4534 4538
4535 if (key->addr.type == BDADDR_LE_PUBLIC) 4539 if (key->addr.type == BDADDR_LE_PUBLIC)
4536 addr_type = ADDR_LE_DEV_PUBLIC; 4540 addr_type = ADDR_LE_DEV_PUBLIC;
@@ -4542,8 +4546,19 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4542 else 4546 else
4543 type = HCI_SMP_LTK_SLAVE; 4547 type = HCI_SMP_LTK_SLAVE;
4544 4548
4549 switch (key->type) {
4550 case MGMT_LTK_UNAUTHENTICATED:
4551 authenticated = 0x00;
4552 break;
4553 case MGMT_LTK_AUTHENTICATED:
4554 authenticated = 0x01;
4555 break;
4556 default:
4557 continue;
4558 }
4559
4545 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type, 4560 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
4546 key->type, key->val, key->enc_size, key->ediv, 4561 authenticated, key->val, key->enc_size, key->ediv,
4547 key->rand); 4562 key->rand);
4548 } 4563 }
4549 4564
@@ -4555,6 +4570,218 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4555 return err; 4570 return err;
4556} 4571}
4557 4572
4573struct cmd_conn_lookup {
4574 struct hci_conn *conn;
4575 bool valid_tx_power;
4576 u8 mgmt_status;
4577};
4578
4579static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
4580{
4581 struct cmd_conn_lookup *match = data;
4582 struct mgmt_cp_get_conn_info *cp;
4583 struct mgmt_rp_get_conn_info rp;
4584 struct hci_conn *conn = cmd->user_data;
4585
4586 if (conn != match->conn)
4587 return;
4588
4589 cp = (struct mgmt_cp_get_conn_info *) cmd->param;
4590
4591 memset(&rp, 0, sizeof(rp));
4592 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4593 rp.addr.type = cp->addr.type;
4594
4595 if (!match->mgmt_status) {
4596 rp.rssi = conn->rssi;
4597
4598 if (match->valid_tx_power) {
4599 rp.tx_power = conn->tx_power;
4600 rp.max_tx_power = conn->max_tx_power;
4601 } else {
4602 rp.tx_power = HCI_TX_POWER_INVALID;
4603 rp.max_tx_power = HCI_TX_POWER_INVALID;
4604 }
4605 }
4606
4607 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
4608 match->mgmt_status, &rp, sizeof(rp));
4609
4610 hci_conn_drop(conn);
4611
4612 mgmt_pending_remove(cmd);
4613}
4614
4615static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
4616{
4617 struct hci_cp_read_rssi *cp;
4618 struct hci_conn *conn;
4619 struct cmd_conn_lookup match;
4620 u16 handle;
4621
4622 BT_DBG("status 0x%02x", status);
4623
4624 hci_dev_lock(hdev);
4625
4626 /* TX power data is valid in case request completed successfully,
4627 * otherwise we assume it's not valid. At the moment we assume that
4628 * either both or none of current and max values are valid to keep code
4629 * simple.
4630 */
4631 match.valid_tx_power = !status;
4632
4633 /* Commands sent in request are either Read RSSI or Read Transmit Power
4634 * Level so we check which one was last sent to retrieve connection
4635 * handle. Both commands have handle as first parameter so it's safe to
4636 * cast data on the same command struct.
4637 *
4638 * First command sent is always Read RSSI and we fail only if it fails.
4639 * In other case we simply override error to indicate success as we
4640 * already remembered if TX power value is actually valid.
4641 */
4642 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
4643 if (!cp) {
4644 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
4645 status = 0;
4646 }
4647
4648 if (!cp) {
4649 BT_ERR("invalid sent_cmd in response");
4650 goto unlock;
4651 }
4652
4653 handle = __le16_to_cpu(cp->handle);
4654 conn = hci_conn_hash_lookup_handle(hdev, handle);
4655 if (!conn) {
4656 BT_ERR("unknown handle (%d) in response", handle);
4657 goto unlock;
4658 }
4659
4660 match.conn = conn;
4661 match.mgmt_status = mgmt_status(status);
4662
4663 /* Cache refresh is complete, now reply for mgmt request for given
4664 * connection only.
4665 */
4666 mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
4667 get_conn_info_complete, &match);
4668
4669unlock:
4670 hci_dev_unlock(hdev);
4671}
4672
4673static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
4674 u16 len)
4675{
4676 struct mgmt_cp_get_conn_info *cp = data;
4677 struct mgmt_rp_get_conn_info rp;
4678 struct hci_conn *conn;
4679 unsigned long conn_info_age;
4680 int err = 0;
4681
4682 BT_DBG("%s", hdev->name);
4683
4684 memset(&rp, 0, sizeof(rp));
4685 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4686 rp.addr.type = cp->addr.type;
4687
4688 if (!bdaddr_type_is_valid(cp->addr.type))
4689 return cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4690 MGMT_STATUS_INVALID_PARAMS,
4691 &rp, sizeof(rp));
4692
4693 hci_dev_lock(hdev);
4694
4695 if (!hdev_is_powered(hdev)) {
4696 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4697 MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
4698 goto unlock;
4699 }
4700
4701 if (cp->addr.type == BDADDR_BREDR)
4702 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
4703 &cp->addr.bdaddr);
4704 else
4705 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
4706
4707 if (!conn || conn->state != BT_CONNECTED) {
4708 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4709 MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
4710 goto unlock;
4711 }
4712
4713 /* To avoid client trying to guess when to poll again for information we
4714 * calculate conn info age as random value between min/max set in hdev.
4715 */
4716 conn_info_age = hdev->conn_info_min_age +
4717 prandom_u32_max(hdev->conn_info_max_age -
4718 hdev->conn_info_min_age);
4719
4720 /* Query controller to refresh cached values if they are too old or were
4721 * never read.
4722 */
4723 if (time_after(jiffies, conn->conn_info_timestamp +
4724 msecs_to_jiffies(conn_info_age)) ||
4725 !conn->conn_info_timestamp) {
4726 struct hci_request req;
4727 struct hci_cp_read_tx_power req_txp_cp;
4728 struct hci_cp_read_rssi req_rssi_cp;
4729 struct pending_cmd *cmd;
4730
4731 hci_req_init(&req, hdev);
4732 req_rssi_cp.handle = cpu_to_le16(conn->handle);
4733 hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
4734 &req_rssi_cp);
4735
4736 /* For LE links TX power does not change thus we don't need to
4737 * query for it once value is known.
4738 */
4739 if (!bdaddr_type_is_le(cp->addr.type) ||
4740 conn->tx_power == HCI_TX_POWER_INVALID) {
4741 req_txp_cp.handle = cpu_to_le16(conn->handle);
4742 req_txp_cp.type = 0x00;
4743 hci_req_add(&req, HCI_OP_READ_TX_POWER,
4744 sizeof(req_txp_cp), &req_txp_cp);
4745 }
4746
4747 /* Max TX power needs to be read only once per connection */
4748 if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
4749 req_txp_cp.handle = cpu_to_le16(conn->handle);
4750 req_txp_cp.type = 0x01;
4751 hci_req_add(&req, HCI_OP_READ_TX_POWER,
4752 sizeof(req_txp_cp), &req_txp_cp);
4753 }
4754
4755 err = hci_req_run(&req, conn_info_refresh_complete);
4756 if (err < 0)
4757 goto unlock;
4758
4759 cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
4760 data, len);
4761 if (!cmd) {
4762 err = -ENOMEM;
4763 goto unlock;
4764 }
4765
4766 hci_conn_hold(conn);
4767 cmd->user_data = conn;
4768
4769 conn->conn_info_timestamp = jiffies;
4770 } else {
4771 /* Cache is valid, just reply with values cached in hci_conn */
4772 rp.rssi = conn->rssi;
4773 rp.tx_power = conn->tx_power;
4774 rp.max_tx_power = conn->max_tx_power;
4775
4776 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4777 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
4778 }
4779
4780unlock:
4781 hci_dev_unlock(hdev);
4782 return err;
4783}
4784
4558static const struct mgmt_handler { 4785static const struct mgmt_handler {
4559 int (*func) (struct sock *sk, struct hci_dev *hdev, void *data, 4786 int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
4560 u16 data_len); 4787 u16 data_len);
@@ -4610,6 +4837,7 @@ static const struct mgmt_handler {
4610 { set_debug_keys, false, MGMT_SETTING_SIZE }, 4837 { set_debug_keys, false, MGMT_SETTING_SIZE },
4611 { set_privacy, false, MGMT_SET_PRIVACY_SIZE }, 4838 { set_privacy, false, MGMT_SET_PRIVACY_SIZE },
4612 { load_irks, true, MGMT_LOAD_IRKS_SIZE }, 4839 { load_irks, true, MGMT_LOAD_IRKS_SIZE },
4840 { get_conn_info, false, MGMT_GET_CONN_INFO_SIZE },
4613}; 4841};
4614 4842
4615 4843
@@ -5005,6 +5233,14 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
5005 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL); 5233 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
5006} 5234}
5007 5235
5236static u8 mgmt_ltk_type(struct smp_ltk *ltk)
5237{
5238 if (ltk->authenticated)
5239 return MGMT_LTK_AUTHENTICATED;
5240
5241 return MGMT_LTK_UNAUTHENTICATED;
5242}
5243
5008void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent) 5244void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
5009{ 5245{
5010 struct mgmt_ev_new_long_term_key ev; 5246 struct mgmt_ev_new_long_term_key ev;
@@ -5030,7 +5266,7 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
5030 5266
5031 bacpy(&ev.key.addr.bdaddr, &key->bdaddr); 5267 bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
5032 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type); 5268 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
5033 ev.key.type = key->authenticated; 5269 ev.key.type = mgmt_ltk_type(key);
5034 ev.key.enc_size = key->enc_size; 5270 ev.key.enc_size = key->enc_size;
5035 ev.key.ediv = key->ediv; 5271 ev.key.ediv = key->ediv;
5036 ev.key.rand = key->rand; 5272 ev.key.rand = key->rand;
@@ -5668,8 +5904,9 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
5668} 5904}
5669 5905
5670void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 5906void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5671 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name, u8 5907 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name,
5672 ssp, u8 *eir, u16 eir_len) 5908 u8 ssp, u8 *eir, u16 eir_len, u8 *scan_rsp,
5909 u8 scan_rsp_len)
5673{ 5910{
5674 char buf[512]; 5911 char buf[512];
5675 struct mgmt_ev_device_found *ev = (void *) buf; 5912 struct mgmt_ev_device_found *ev = (void *) buf;
@@ -5679,8 +5916,10 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5679 if (!hci_discovery_active(hdev)) 5916 if (!hci_discovery_active(hdev))
5680 return; 5917 return;
5681 5918
5682 /* Leave 5 bytes for a potential CoD field */ 5919 /* Make sure that the buffer is big enough. The 5 extra bytes
5683 if (sizeof(*ev) + eir_len + 5 > sizeof(buf)) 5920 * are for the potential CoD field.
5921 */
5922 if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
5684 return; 5923 return;
5685 5924
5686 memset(buf, 0, sizeof(buf)); 5925 memset(buf, 0, sizeof(buf));
@@ -5707,8 +5946,11 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5707 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV, 5946 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
5708 dev_class, 3); 5947 dev_class, 3);
5709 5948
5710 ev->eir_len = cpu_to_le16(eir_len); 5949 if (scan_rsp_len > 0)
5711 ev_size = sizeof(*ev) + eir_len; 5950 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
5951
5952 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
5953 ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
5712 5954
5713 mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL); 5955 mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
5714} 5956}
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index cf620260affa..754b6fe4f742 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -307,7 +307,7 @@ struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
307 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 307 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
308 308
309 skb_queue_head_init(&d->tx_queue); 309 skb_queue_head_init(&d->tx_queue);
310 spin_lock_init(&d->lock); 310 mutex_init(&d->lock);
311 atomic_set(&d->refcnt, 1); 311 atomic_set(&d->refcnt, 1);
312 312
313 rfcomm_dlc_clear_state(d); 313 rfcomm_dlc_clear_state(d);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 403ec09f480a..8e385a0ae60e 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -70,7 +70,7 @@ struct rfcomm_dev {
70}; 70};
71 71
72static LIST_HEAD(rfcomm_dev_list); 72static LIST_HEAD(rfcomm_dev_list);
73static DEFINE_SPINLOCK(rfcomm_dev_lock); 73static DEFINE_MUTEX(rfcomm_dev_lock);
74 74
75static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb); 75static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
76static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err); 76static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
@@ -96,9 +96,9 @@ static void rfcomm_dev_destruct(struct tty_port *port)
96 if (dev->tty_dev) 96 if (dev->tty_dev)
97 tty_unregister_device(rfcomm_tty_driver, dev->id); 97 tty_unregister_device(rfcomm_tty_driver, dev->id);
98 98
99 spin_lock(&rfcomm_dev_lock); 99 mutex_lock(&rfcomm_dev_lock);
100 list_del(&dev->list); 100 list_del(&dev->list);
101 spin_unlock(&rfcomm_dev_lock); 101 mutex_unlock(&rfcomm_dev_lock);
102 102
103 kfree(dev); 103 kfree(dev);
104 104
@@ -161,14 +161,14 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
161{ 161{
162 struct rfcomm_dev *dev; 162 struct rfcomm_dev *dev;
163 163
164 spin_lock(&rfcomm_dev_lock); 164 mutex_lock(&rfcomm_dev_lock);
165 165
166 dev = __rfcomm_dev_lookup(id); 166 dev = __rfcomm_dev_lookup(id);
167 167
168 if (dev && !tty_port_get(&dev->port)) 168 if (dev && !tty_port_get(&dev->port))
169 dev = NULL; 169 dev = NULL;
170 170
171 spin_unlock(&rfcomm_dev_lock); 171 mutex_unlock(&rfcomm_dev_lock);
172 172
173 return dev; 173 return dev;
174} 174}
@@ -224,7 +224,7 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
224 if (!dev) 224 if (!dev)
225 return ERR_PTR(-ENOMEM); 225 return ERR_PTR(-ENOMEM);
226 226
227 spin_lock(&rfcomm_dev_lock); 227 mutex_lock(&rfcomm_dev_lock);
228 228
229 if (req->dev_id < 0) { 229 if (req->dev_id < 0) {
230 dev->id = 0; 230 dev->id = 0;
@@ -305,11 +305,11 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
305 holds reference to this module. */ 305 holds reference to this module. */
306 __module_get(THIS_MODULE); 306 __module_get(THIS_MODULE);
307 307
308 spin_unlock(&rfcomm_dev_lock); 308 mutex_unlock(&rfcomm_dev_lock);
309 return dev; 309 return dev;
310 310
311out: 311out:
312 spin_unlock(&rfcomm_dev_lock); 312 mutex_unlock(&rfcomm_dev_lock);
313 kfree(dev); 313 kfree(dev);
314 return ERR_PTR(err); 314 return ERR_PTR(err);
315} 315}
@@ -524,7 +524,7 @@ static int rfcomm_get_dev_list(void __user *arg)
524 524
525 di = dl->dev_info; 525 di = dl->dev_info;
526 526
527 spin_lock(&rfcomm_dev_lock); 527 mutex_lock(&rfcomm_dev_lock);
528 528
529 list_for_each_entry(dev, &rfcomm_dev_list, list) { 529 list_for_each_entry(dev, &rfcomm_dev_list, list) {
530 if (!tty_port_get(&dev->port)) 530 if (!tty_port_get(&dev->port))
@@ -540,7 +540,7 @@ static int rfcomm_get_dev_list(void __user *arg)
540 break; 540 break;
541 } 541 }
542 542
543 spin_unlock(&rfcomm_dev_lock); 543 mutex_unlock(&rfcomm_dev_lock);
544 544
545 dl->dev_num = n; 545 dl->dev_num = n;
546 size = sizeof(*dl) + n * sizeof(*di); 546 size = sizeof(*dl) + n * sizeof(*di);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dfb4e1161c10..3d1cc164557d 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -35,6 +35,33 @@
35 35
36#define AUTH_REQ_MASK 0x07 36#define AUTH_REQ_MASK 0x07
37 37
38#define SMP_FLAG_TK_VALID 1
39#define SMP_FLAG_CFM_PENDING 2
40#define SMP_FLAG_MITM_AUTH 3
41#define SMP_FLAG_COMPLETE 4
42#define SMP_FLAG_INITIATOR 5
43
44struct smp_chan {
45 struct l2cap_conn *conn;
46 u8 preq[7]; /* SMP Pairing Request */
47 u8 prsp[7]; /* SMP Pairing Response */
48 u8 prnd[16]; /* SMP Pairing Random (local) */
49 u8 rrnd[16]; /* SMP Pairing Random (remote) */
50 u8 pcnf[16]; /* SMP Pairing Confirm */
51 u8 tk[16]; /* SMP Temporary Key */
52 u8 enc_key_size;
53 u8 remote_key_dist;
54 bdaddr_t id_addr;
55 u8 id_addr_type;
56 u8 irk[16];
57 struct smp_csrk *csrk;
58 struct smp_csrk *slave_csrk;
59 struct smp_ltk *ltk;
60 struct smp_ltk *slave_ltk;
61 struct smp_irk *remote_irk;
62 unsigned long flags;
63};
64
38static inline void swap128(const u8 src[16], u8 dst[16]) 65static inline void swap128(const u8 src[16], u8 dst[16])
39{ 66{
40 int i; 67 int i;
@@ -369,7 +396,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
369 396
370 /* Initialize key for JUST WORKS */ 397 /* Initialize key for JUST WORKS */
371 memset(smp->tk, 0, sizeof(smp->tk)); 398 memset(smp->tk, 0, sizeof(smp->tk));
372 clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 399 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
373 400
374 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 401 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
375 402
@@ -388,19 +415,18 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
388 method = JUST_WORKS; 415 method = JUST_WORKS;
389 416
390 /* Don't confirm locally initiated pairing attempts */ 417 /* Don't confirm locally initiated pairing attempts */
391 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 418 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
392 &smp->smp_flags))
393 method = JUST_WORKS; 419 method = JUST_WORKS;
394 420
395 /* If Just Works, Continue with Zero TK */ 421 /* If Just Works, Continue with Zero TK */
396 if (method == JUST_WORKS) { 422 if (method == JUST_WORKS) {
397 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 423 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
398 return 0; 424 return 0;
399 } 425 }
400 426
401 /* Not Just Works/Confirm results in MITM Authentication */ 427 /* Not Just Works/Confirm results in MITM Authentication */
402 if (method != JUST_CFM) 428 if (method != JUST_CFM)
403 set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags); 429 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
404 430
405 /* If both devices have Keyoard-Display I/O, the master 431 /* If both devices have Keyoard-Display I/O, the master
406 * Confirms and the slave Enters the passkey. 432 * Confirms and the slave Enters the passkey.
@@ -419,7 +445,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
419 passkey %= 1000000; 445 passkey %= 1000000;
420 put_unaligned_le32(passkey, smp->tk); 446 put_unaligned_le32(passkey, smp->tk);
421 BT_DBG("PassKey: %d", passkey); 447 BT_DBG("PassKey: %d", passkey);
422 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 448 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
423 } 449 }
424 450
425 hci_dev_lock(hcon->hdev); 451 hci_dev_lock(hcon->hdev);
@@ -441,15 +467,13 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
441 return ret; 467 return ret;
442} 468}
443 469
444static void confirm_work(struct work_struct *work) 470static u8 smp_confirm(struct smp_chan *smp)
445{ 471{
446 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
447 struct l2cap_conn *conn = smp->conn; 472 struct l2cap_conn *conn = smp->conn;
448 struct hci_dev *hdev = conn->hcon->hdev; 473 struct hci_dev *hdev = conn->hcon->hdev;
449 struct crypto_blkcipher *tfm = hdev->tfm_aes; 474 struct crypto_blkcipher *tfm = hdev->tfm_aes;
450 struct smp_cmd_pairing_confirm cp; 475 struct smp_cmd_pairing_confirm cp;
451 int ret; 476 int ret;
452 u8 reason;
453 477
454 BT_DBG("conn %p", conn); 478 BT_DBG("conn %p", conn);
455 479
@@ -463,35 +487,27 @@ static void confirm_work(struct work_struct *work)
463 487
464 hci_dev_unlock(hdev); 488 hci_dev_unlock(hdev);
465 489
466 if (ret) { 490 if (ret)
467 reason = SMP_UNSPECIFIED; 491 return SMP_UNSPECIFIED;
468 goto error;
469 }
470 492
471 clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 493 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
472 494
473 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 495 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
474 496
475 return; 497 return 0;
476
477error:
478 smp_failure(conn, reason);
479} 498}
480 499
481static void random_work(struct work_struct *work) 500static u8 smp_random(struct smp_chan *smp)
482{ 501{
483 struct smp_chan *smp = container_of(work, struct smp_chan, random);
484 struct l2cap_conn *conn = smp->conn; 502 struct l2cap_conn *conn = smp->conn;
485 struct hci_conn *hcon = conn->hcon; 503 struct hci_conn *hcon = conn->hcon;
486 struct hci_dev *hdev = hcon->hdev; 504 struct hci_dev *hdev = hcon->hdev;
487 struct crypto_blkcipher *tfm = hdev->tfm_aes; 505 struct crypto_blkcipher *tfm = hdev->tfm_aes;
488 u8 reason, confirm[16]; 506 u8 confirm[16];
489 int ret; 507 int ret;
490 508
491 if (IS_ERR_OR_NULL(tfm)) { 509 if (IS_ERR_OR_NULL(tfm))
492 reason = SMP_UNSPECIFIED; 510 return SMP_UNSPECIFIED;
493 goto error;
494 }
495 511
496 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 512 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
497 513
@@ -504,15 +520,12 @@ static void random_work(struct work_struct *work)
504 520
505 hci_dev_unlock(hdev); 521 hci_dev_unlock(hdev);
506 522
507 if (ret) { 523 if (ret)
508 reason = SMP_UNSPECIFIED; 524 return SMP_UNSPECIFIED;
509 goto error;
510 }
511 525
512 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { 526 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
513 BT_ERR("Pairing failed (confirmation values mismatch)"); 527 BT_ERR("Pairing failed (confirmation values mismatch)");
514 reason = SMP_CONFIRM_FAILED; 528 return SMP_CONFIRM_FAILED;
515 goto error;
516 } 529 }
517 530
518 if (hcon->out) { 531 if (hcon->out) {
@@ -525,10 +538,8 @@ static void random_work(struct work_struct *work)
525 memset(stk + smp->enc_key_size, 0, 538 memset(stk + smp->enc_key_size, 0,
526 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 539 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
527 540
528 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) { 541 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
529 reason = SMP_UNSPECIFIED; 542 return SMP_UNSPECIFIED;
530 goto error;
531 }
532 543
533 hci_le_start_enc(hcon, ediv, rand, stk); 544 hci_le_start_enc(hcon, ediv, rand, stk);
534 hcon->enc_key_size = smp->enc_key_size; 545 hcon->enc_key_size = smp->enc_key_size;
@@ -550,10 +561,7 @@ static void random_work(struct work_struct *work)
550 ediv, rand); 561 ediv, rand);
551 } 562 }
552 563
553 return; 564 return 0;
554
555error:
556 smp_failure(conn, reason);
557} 565}
558 566
559static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 567static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
@@ -564,9 +572,6 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
564 if (!smp) 572 if (!smp)
565 return NULL; 573 return NULL;
566 574
567 INIT_WORK(&smp->confirm, confirm_work);
568 INIT_WORK(&smp->random, random_work);
569
570 smp->conn = conn; 575 smp->conn = conn;
571 conn->smp_chan = smp; 576 conn->smp_chan = smp;
572 conn->hcon->smp_conn = conn; 577 conn->hcon->smp_conn = conn;
@@ -583,7 +588,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
583 588
584 BUG_ON(!smp); 589 BUG_ON(!smp);
585 590
586 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 591 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
587 mgmt_smp_complete(conn->hcon, complete); 592 mgmt_smp_complete(conn->hcon, complete);
588 593
589 kfree(smp->csrk); 594 kfree(smp->csrk);
@@ -634,7 +639,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
634 put_unaligned_le32(value, smp->tk); 639 put_unaligned_le32(value, smp->tk);
635 /* Fall Through */ 640 /* Fall Through */
636 case MGMT_OP_USER_CONFIRM_REPLY: 641 case MGMT_OP_USER_CONFIRM_REPLY:
637 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 642 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
638 break; 643 break;
639 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 644 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
640 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 645 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
@@ -646,8 +651,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
646 } 651 }
647 652
648 /* If it is our turn to send Pairing Confirm, do so now */ 653 /* If it is our turn to send Pairing Confirm, do so now */
649 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags)) 654 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
650 queue_work(hcon->hdev->workqueue, &smp->confirm); 655 u8 rsp = smp_confirm(smp);
656 if (rsp)
657 smp_failure(conn, rsp);
658 }
651 659
652 return 0; 660 return 0;
653} 661}
@@ -656,14 +664,13 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
656{ 664{
657 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 665 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
658 struct smp_chan *smp; 666 struct smp_chan *smp;
659 u8 key_size; 667 u8 key_size, auth;
660 u8 auth = SMP_AUTH_NONE;
661 int ret; 668 int ret;
662 669
663 BT_DBG("conn %p", conn); 670 BT_DBG("conn %p", conn);
664 671
665 if (skb->len < sizeof(*req)) 672 if (skb->len < sizeof(*req))
666 return SMP_UNSPECIFIED; 673 return SMP_INVALID_PARAMS;
667 674
668 if (conn->hcon->link_mode & HCI_LM_MASTER) 675 if (conn->hcon->link_mode & HCI_LM_MASTER)
669 return SMP_CMD_NOTSUPP; 676 return SMP_CMD_NOTSUPP;
@@ -681,8 +688,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
681 skb_pull(skb, sizeof(*req)); 688 skb_pull(skb, sizeof(*req));
682 689
683 /* We didn't start the pairing, so match remote */ 690 /* We didn't start the pairing, so match remote */
684 if (req->auth_req & SMP_AUTH_BONDING) 691 auth = req->auth_req;
685 auth = req->auth_req;
686 692
687 conn->hcon->pending_sec_level = authreq_to_seclevel(auth); 693 conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
688 694
@@ -704,7 +710,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
704 if (ret) 710 if (ret)
705 return SMP_UNSPECIFIED; 711 return SMP_UNSPECIFIED;
706 712
707 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 713 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
708 714
709 return 0; 715 return 0;
710} 716}
@@ -713,14 +719,13 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
713{ 719{
714 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 720 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
715 struct smp_chan *smp = conn->smp_chan; 721 struct smp_chan *smp = conn->smp_chan;
716 struct hci_dev *hdev = conn->hcon->hdev;
717 u8 key_size, auth = SMP_AUTH_NONE; 722 u8 key_size, auth = SMP_AUTH_NONE;
718 int ret; 723 int ret;
719 724
720 BT_DBG("conn %p", conn); 725 BT_DBG("conn %p", conn);
721 726
722 if (skb->len < sizeof(*rsp)) 727 if (skb->len < sizeof(*rsp))
723 return SMP_UNSPECIFIED; 728 return SMP_INVALID_PARAMS;
724 729
725 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 730 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
726 return SMP_CMD_NOTSUPP; 731 return SMP_CMD_NOTSUPP;
@@ -753,11 +758,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
753 if (ret) 758 if (ret)
754 return SMP_UNSPECIFIED; 759 return SMP_UNSPECIFIED;
755 760
756 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 761 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
757 762
758 /* Can't compose response until we have been confirmed */ 763 /* Can't compose response until we have been confirmed */
759 if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) 764 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
760 queue_work(hdev->workqueue, &smp->confirm); 765 return smp_confirm(smp);
761 766
762 return 0; 767 return 0;
763} 768}
@@ -765,12 +770,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
765static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 770static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
766{ 771{
767 struct smp_chan *smp = conn->smp_chan; 772 struct smp_chan *smp = conn->smp_chan;
768 struct hci_dev *hdev = conn->hcon->hdev;
769 773
770 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 774 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
771 775
772 if (skb->len < sizeof(smp->pcnf)) 776 if (skb->len < sizeof(smp->pcnf))
773 return SMP_UNSPECIFIED; 777 return SMP_INVALID_PARAMS;
774 778
775 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 779 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
776 skb_pull(skb, sizeof(smp->pcnf)); 780 skb_pull(skb, sizeof(smp->pcnf));
@@ -778,10 +782,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
778 if (conn->hcon->out) 782 if (conn->hcon->out)
779 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 783 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
780 smp->prnd); 784 smp->prnd);
781 else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) 785 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
782 queue_work(hdev->workqueue, &smp->confirm); 786 return smp_confirm(smp);
783 else 787 else
784 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 788 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
785 789
786 return 0; 790 return 0;
787} 791}
@@ -789,19 +793,16 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
789static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 793static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
790{ 794{
791 struct smp_chan *smp = conn->smp_chan; 795 struct smp_chan *smp = conn->smp_chan;
792 struct hci_dev *hdev = conn->hcon->hdev;
793 796
794 BT_DBG("conn %p", conn); 797 BT_DBG("conn %p", conn);
795 798
796 if (skb->len < sizeof(smp->rrnd)) 799 if (skb->len < sizeof(smp->rrnd))
797 return SMP_UNSPECIFIED; 800 return SMP_INVALID_PARAMS;
798 801
799 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 802 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
800 skb_pull(skb, sizeof(smp->rrnd)); 803 skb_pull(skb, sizeof(smp->rrnd));
801 804
802 queue_work(hdev->workqueue, &smp->random); 805 return smp_random(smp);
803
804 return 0;
805} 806}
806 807
807static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 808static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -836,7 +837,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
836 BT_DBG("conn %p", conn); 837 BT_DBG("conn %p", conn);
837 838
838 if (skb->len < sizeof(*rp)) 839 if (skb->len < sizeof(*rp))
839 return SMP_UNSPECIFIED; 840 return SMP_INVALID_PARAMS;
840 841
841 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 842 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
842 return SMP_CMD_NOTSUPP; 843 return SMP_CMD_NOTSUPP;
@@ -861,7 +862,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
861 862
862 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 863 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
863 864
864 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 865 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
865 866
866 return 0; 867 return 0;
867} 868}
@@ -908,10 +909,11 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
908 909
909 authreq = seclevel_to_authreq(sec_level); 910 authreq = seclevel_to_authreq(sec_level);
910 911
911 /* hcon->auth_type is set by pair_device in mgmt.c. If the MITM 912 /* Require MITM if IO Capability allows or the security level
912 * flag is set we should also set it for the SMP request. 913 * requires it.
913 */ 914 */
914 if ((hcon->auth_type & 0x01)) 915 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
916 sec_level > BT_SECURITY_MEDIUM)
915 authreq |= SMP_AUTH_MITM; 917 authreq |= SMP_AUTH_MITM;
916 918
917 if (hcon->link_mode & HCI_LM_MASTER) { 919 if (hcon->link_mode & HCI_LM_MASTER) {
@@ -928,7 +930,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
928 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 930 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
929 } 931 }
930 932
931 set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 933 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
932 934
933done: 935done:
934 hcon->pending_sec_level = sec_level; 936 hcon->pending_sec_level = sec_level;
@@ -944,7 +946,7 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
944 BT_DBG("conn %p", conn); 946 BT_DBG("conn %p", conn);
945 947
946 if (skb->len < sizeof(*rp)) 948 if (skb->len < sizeof(*rp))
947 return SMP_UNSPECIFIED; 949 return SMP_INVALID_PARAMS;
948 950
949 /* Ignore this PDU if it wasn't requested */ 951 /* Ignore this PDU if it wasn't requested */
950 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY)) 952 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -969,7 +971,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
969 BT_DBG("conn %p", conn); 971 BT_DBG("conn %p", conn);
970 972
971 if (skb->len < sizeof(*rp)) 973 if (skb->len < sizeof(*rp))
972 return SMP_UNSPECIFIED; 974 return SMP_INVALID_PARAMS;
973 975
974 /* Ignore this PDU if it wasn't requested */ 976 /* Ignore this PDU if it wasn't requested */
975 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY)) 977 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -1001,7 +1003,7 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1001 BT_DBG(""); 1003 BT_DBG("");
1002 1004
1003 if (skb->len < sizeof(*info)) 1005 if (skb->len < sizeof(*info))
1004 return SMP_UNSPECIFIED; 1006 return SMP_INVALID_PARAMS;
1005 1007
1006 /* Ignore this PDU if it wasn't requested */ 1008 /* Ignore this PDU if it wasn't requested */
1007 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1009 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1025,7 +1027,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1025 BT_DBG(""); 1027 BT_DBG("");
1026 1028
1027 if (skb->len < sizeof(*info)) 1029 if (skb->len < sizeof(*info))
1028 return SMP_UNSPECIFIED; 1030 return SMP_INVALID_PARAMS;
1029 1031
1030 /* Ignore this PDU if it wasn't requested */ 1032 /* Ignore this PDU if it wasn't requested */
1031 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1033 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1075,7 +1077,7 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1075 BT_DBG("conn %p", conn); 1077 BT_DBG("conn %p", conn);
1076 1078
1077 if (skb->len < sizeof(*rp)) 1079 if (skb->len < sizeof(*rp))
1078 return SMP_UNSPECIFIED; 1080 return SMP_INVALID_PARAMS;
1079 1081
1080 /* Ignore this PDU if it wasn't requested */ 1082 /* Ignore this PDU if it wasn't requested */
1081 if (!(smp->remote_key_dist & SMP_DIST_SIGN)) 1083 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
@@ -1358,7 +1360,7 @@ int smp_distribute_keys(struct l2cap_conn *conn)
1358 1360
1359 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1361 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1360 cancel_delayed_work_sync(&conn->security_timer); 1362 cancel_delayed_work_sync(&conn->security_timer);
1361 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 1363 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1362 smp_notify_keys(conn); 1364 smp_notify_keys(conn);
1363 1365
1364 smp_chan_destroy(conn); 1366 smp_chan_destroy(conn);
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 1277147a9150..5a8dc36460a1 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -111,39 +111,11 @@ struct smp_cmd_security_req {
111#define SMP_CMD_NOTSUPP 0x07 111#define SMP_CMD_NOTSUPP 0x07
112#define SMP_UNSPECIFIED 0x08 112#define SMP_UNSPECIFIED 0x08
113#define SMP_REPEATED_ATTEMPTS 0x09 113#define SMP_REPEATED_ATTEMPTS 0x09
114#define SMP_INVALID_PARAMS 0x0a
114 115
115#define SMP_MIN_ENC_KEY_SIZE 7 116#define SMP_MIN_ENC_KEY_SIZE 7
116#define SMP_MAX_ENC_KEY_SIZE 16 117#define SMP_MAX_ENC_KEY_SIZE 16
117 118
118#define SMP_FLAG_TK_VALID 1
119#define SMP_FLAG_CFM_PENDING 2
120#define SMP_FLAG_MITM_AUTH 3
121#define SMP_FLAG_COMPLETE 4
122#define SMP_FLAG_INITIATOR 5
123
124struct smp_chan {
125 struct l2cap_conn *conn;
126 u8 preq[7]; /* SMP Pairing Request */
127 u8 prsp[7]; /* SMP Pairing Response */
128 u8 prnd[16]; /* SMP Pairing Random (local) */
129 u8 rrnd[16]; /* SMP Pairing Random (remote) */
130 u8 pcnf[16]; /* SMP Pairing Confirm */
131 u8 tk[16]; /* SMP Temporary Key */
132 u8 enc_key_size;
133 u8 remote_key_dist;
134 bdaddr_t id_addr;
135 u8 id_addr_type;
136 u8 irk[16];
137 struct smp_csrk *csrk;
138 struct smp_csrk *slave_csrk;
139 struct smp_ltk *ltk;
140 struct smp_ltk *slave_ltk;
141 struct smp_irk *remote_irk;
142 unsigned long smp_flags;
143 struct work_struct confirm;
144 struct work_struct random;
145};
146
147/* SMP Commands */ 119/* SMP Commands */
148bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 120bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
149int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 121int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-13 04:16:23 -0500