aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2012-01-02 16:43:54 -0500
committerJohn W. Linville <linville@tuxdriver.com>2012-01-02 16:43:54 -0500
commitdc0d633e35643662f27a0b1c531da3cd6b204b9c (patch)
treecae724ecca3fb997bf3ad6b70bff4e3c739cd648 /net
parentaef6c928a92481f75fbd548eb8c1e840912444b8 (diff)
parent4ae1652ef1bf38e07caa5d1d86ffd3b31103b55a (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-next
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/Kconfig37
-rw-r--r--net/bluetooth/Makefile5
-rw-r--r--net/bluetooth/af_bluetooth.c11
-rw-r--r--net/bluetooth/bnep/Kconfig2
-rw-r--r--net/bluetooth/cmtp/Kconfig2
-rw-r--r--net/bluetooth/hci_conn.c4
-rw-r--r--net/bluetooth/hci_core.c172
-rw-r--r--net/bluetooth/hci_event.c28
-rw-r--r--net/bluetooth/hidp/Kconfig2
-rw-r--r--net/bluetooth/l2cap_core.c112
-rw-r--r--net/bluetooth/mgmt.c10
-rw-r--r--net/bluetooth/rfcomm/Kconfig2
-rw-r--r--net/bluetooth/rfcomm/core.c41
-rw-r--r--net/bluetooth/sco.c38
-rw-r--r--net/bluetooth/smp.c235
15 files changed, 372 insertions, 329 deletions
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index bfb3dc03c9de..9ec85eb8853d 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -6,7 +6,11 @@ menuconfig BT
6 tristate "Bluetooth subsystem support" 6 tristate "Bluetooth subsystem support"
7 depends on NET && !S390 7 depends on NET && !S390
8 depends on RFKILL || !RFKILL 8 depends on RFKILL || !RFKILL
9 select CRC16
9 select CRYPTO 10 select CRYPTO
11 select CRYPTO_BLKCIPHER
12 select CRYPTO_AES
13 select CRYPTO_ECB
10 help 14 help
11 Bluetooth is low-cost, low-power, short-range wireless technology. 15 Bluetooth is low-cost, low-power, short-range wireless technology.
12 It was designed as a replacement for cables and other short-range 16 It was designed as a replacement for cables and other short-range
@@ -15,10 +19,12 @@ menuconfig BT
15 Bluetooth can be found at <http://www.bluetooth.com/>. 19 Bluetooth can be found at <http://www.bluetooth.com/>.
16 20
17 Linux Bluetooth subsystem consist of several layers: 21 Linux Bluetooth subsystem consist of several layers:
18 Bluetooth Core (HCI device and connection manager, scheduler) 22 Bluetooth Core
23 HCI device and connection manager, scheduler
24 SCO audio links
25 L2CAP (Logical Link Control and Adaptation Protocol)
26 SMP (Security Manager Protocol) on LE (Low Energy) links
19 HCI Device drivers (Interface to the hardware) 27 HCI Device drivers (Interface to the hardware)
20 SCO Module (SCO audio links)
21 L2CAP Module (Logical Link Control and Adaptation Protocol)
22 RFCOMM Module (RFCOMM Protocol) 28 RFCOMM Module (RFCOMM Protocol)
23 BNEP Module (Bluetooth Network Encapsulation Protocol) 29 BNEP Module (Bluetooth Network Encapsulation Protocol)
24 CMTP Module (CAPI Message Transport Protocol) 30 CMTP Module (CAPI Message Transport Protocol)
@@ -33,31 +39,6 @@ menuconfig BT
33 to Bluetooth kernel modules are provided in the BlueZ packages. For 39 to Bluetooth kernel modules are provided in the BlueZ packages. For
34 more information, see <http://www.bluez.org/>. 40 more information, see <http://www.bluez.org/>.
35 41
36if BT != n
37
38config BT_L2CAP
39 bool "L2CAP protocol support"
40 select CRC16
41 select CRYPTO
42 select CRYPTO_BLKCIPHER
43 select CRYPTO_AES
44 select CRYPTO_ECB
45 help
46 L2CAP (Logical Link Control and Adaptation Protocol) provides
47 connection oriented and connection-less data transport. L2CAP
48 support is required for most Bluetooth applications.
49
50 Also included is support for SMP (Security Manager Protocol) which
51 is the security layer on top of LE (Low Energy) links.
52
53config BT_SCO
54 bool "SCO links support"
55 help
56 SCO link provides voice transport over Bluetooth. SCO support is
57 required for voice applications like Headset and Audio.
58
59endif
60
61source "net/bluetooth/rfcomm/Kconfig" 42source "net/bluetooth/rfcomm/Kconfig"
62 43
63source "net/bluetooth/bnep/Kconfig" 44source "net/bluetooth/bnep/Kconfig"
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 9b67f3d08fa4..2dc5a5700f53 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -8,6 +8,5 @@ obj-$(CONFIG_BT_BNEP) += bnep/
8obj-$(CONFIG_BT_CMTP) += cmtp/ 8obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o 12 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 062124cd89cf..cdcfcabb34ab 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -199,15 +199,14 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
199 199
200 BT_DBG("parent %p", parent); 200 BT_DBG("parent %p", parent);
201 201
202 local_bh_disable();
203 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) { 202 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) {
204 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q); 203 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q);
205 204
206 bh_lock_sock(sk); 205 lock_sock(sk);
207 206
208 /* FIXME: Is this check still needed */ 207 /* FIXME: Is this check still needed */
209 if (sk->sk_state == BT_CLOSED) { 208 if (sk->sk_state == BT_CLOSED) {
210 bh_unlock_sock(sk); 209 release_sock(sk);
211 bt_accept_unlink(sk); 210 bt_accept_unlink(sk);
212 continue; 211 continue;
213 } 212 }
@@ -218,14 +217,12 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
218 if (newsock) 217 if (newsock)
219 sock_graft(sk, newsock); 218 sock_graft(sk, newsock);
220 219
221 bh_unlock_sock(sk); 220 release_sock(sk);
222 local_bh_enable();
223 return sk; 221 return sk;
224 } 222 }
225 223
226 bh_unlock_sock(sk); 224 release_sock(sk);
227 } 225 }
228 local_bh_enable();
229 226
230 return NULL; 227 return NULL;
231} 228}
diff --git a/net/bluetooth/bnep/Kconfig b/net/bluetooth/bnep/Kconfig
index 35158b036d54..71791fc9f6b1 100644
--- a/net/bluetooth/bnep/Kconfig
+++ b/net/bluetooth/bnep/Kconfig
@@ -1,6 +1,6 @@
1config BT_BNEP 1config BT_BNEP
2 tristate "BNEP protocol support" 2 tristate "BNEP protocol support"
3 depends on BT && BT_L2CAP 3 depends on BT
4 select CRC32 4 select CRC32
5 help 5 help
6 BNEP (Bluetooth Network Encapsulation Protocol) is Ethernet 6 BNEP (Bluetooth Network Encapsulation Protocol) is Ethernet
diff --git a/net/bluetooth/cmtp/Kconfig b/net/bluetooth/cmtp/Kconfig
index d6b0382f6f3a..94cbf42ce155 100644
--- a/net/bluetooth/cmtp/Kconfig
+++ b/net/bluetooth/cmtp/Kconfig
@@ -1,6 +1,6 @@
1config BT_CMTP 1config BT_CMTP
2 tristate "CMTP protocol support" 2 tristate "CMTP protocol support"
3 depends on BT && BT_L2CAP && ISDN_CAPI 3 depends on BT && ISDN_CAPI
4 help 4 help
5 CMTP (CAPI Message Transport Protocol) is a transport layer 5 CMTP (CAPI Message Transport Protocol) is a transport layer
6 for CAPI messages. CMTP is required for the Bluetooth Common 6 for CAPI messages. CMTP is required for the Bluetooth Common
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 401d8ea266aa..3db432473ad5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -487,7 +487,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
487 487
488 BT_DBG("%s -> %s", batostr(src), batostr(dst)); 488 BT_DBG("%s -> %s", batostr(src), batostr(dst));
489 489
490 read_lock_bh(&hci_dev_list_lock); 490 read_lock(&hci_dev_list_lock);
491 491
492 list_for_each_entry(d, &hci_dev_list, list) { 492 list_for_each_entry(d, &hci_dev_list, list) {
493 if (!test_bit(HCI_UP, &d->flags) || test_bit(HCI_RAW, &d->flags)) 493 if (!test_bit(HCI_UP, &d->flags) || test_bit(HCI_RAW, &d->flags))
@@ -512,7 +512,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
512 if (hdev) 512 if (hdev)
513 hdev = hci_dev_hold(hdev); 513 hdev = hci_dev_hold(hdev);
514 514
515 read_unlock_bh(&hci_dev_list_lock); 515 read_unlock(&hci_dev_list_lock);
516 return hdev; 516 return hdev;
517} 517}
518EXPORT_SYMBOL(hci_get_route); 518EXPORT_SYMBOL(hci_get_route);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d6382dbb7b76..6d38d80195cb 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -61,8 +61,6 @@ static void hci_rx_work(struct work_struct *work);
61static void hci_cmd_work(struct work_struct *work); 61static void hci_cmd_work(struct work_struct *work);
62static void hci_tx_work(struct work_struct *work); 62static void hci_tx_work(struct work_struct *work);
63 63
64static DEFINE_MUTEX(hci_task_lock);
65
66/* HCI device list */ 64/* HCI device list */
67LIST_HEAD(hci_dev_list); 65LIST_HEAD(hci_dev_list);
68DEFINE_RWLOCK(hci_dev_list_lock); 66DEFINE_RWLOCK(hci_dev_list_lock);
@@ -71,10 +69,6 @@ DEFINE_RWLOCK(hci_dev_list_lock);
71LIST_HEAD(hci_cb_list); 69LIST_HEAD(hci_cb_list);
72DEFINE_RWLOCK(hci_cb_list_lock); 70DEFINE_RWLOCK(hci_cb_list_lock);
73 71
74/* HCI protocols */
75#define HCI_MAX_PROTO 2
76struct hci_proto *hci_proto[HCI_MAX_PROTO];
77
78/* HCI notifiers list */ 72/* HCI notifiers list */
79static ATOMIC_NOTIFIER_HEAD(hci_notifier); 73static ATOMIC_NOTIFIER_HEAD(hci_notifier);
80 74
@@ -193,33 +187,20 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
193 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 187 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
194} 188}
195 189
196static void hci_init_req(struct hci_dev *hdev, unsigned long opt) 190static void bredr_init(struct hci_dev *hdev)
197{ 191{
198 struct hci_cp_delete_stored_link_key cp; 192 struct hci_cp_delete_stored_link_key cp;
199 struct sk_buff *skb;
200 __le16 param; 193 __le16 param;
201 __u8 flt_type; 194 __u8 flt_type;
202 195
203 BT_DBG("%s %ld", hdev->name, opt); 196 hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
204
205 /* Driver initialization */
206
207 /* Special commands */
208 while ((skb = skb_dequeue(&hdev->driver_init))) {
209 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
210 skb->dev = (void *) hdev;
211
212 skb_queue_tail(&hdev->cmd_q, skb);
213 queue_work(hdev->workqueue, &hdev->cmd_work);
214 }
215 skb_queue_purge(&hdev->driver_init);
216 197
217 /* Mandatory initialization */ 198 /* Mandatory initialization */
218 199
219 /* Reset */ 200 /* Reset */
220 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) { 201 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
221 set_bit(HCI_RESET, &hdev->flags); 202 set_bit(HCI_RESET, &hdev->flags);
222 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 203 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
223 } 204 }
224 205
225 /* Read Local Supported Features */ 206 /* Read Local Supported Features */
@@ -258,6 +239,51 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
258 hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp); 239 hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
259} 240}
260 241
242static void amp_init(struct hci_dev *hdev)
243{
244 hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
245
246 /* Reset */
247 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
248
249 /* Read Local Version */
250 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
251}
252
253static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
254{
255 struct sk_buff *skb;
256
257 BT_DBG("%s %ld", hdev->name, opt);
258
259 /* Driver initialization */
260
261 /* Special commands */
262 while ((skb = skb_dequeue(&hdev->driver_init))) {
263 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
264 skb->dev = (void *) hdev;
265
266 skb_queue_tail(&hdev->cmd_q, skb);
267 queue_work(hdev->workqueue, &hdev->cmd_work);
268 }
269 skb_queue_purge(&hdev->driver_init);
270
271 switch (hdev->dev_type) {
272 case HCI_BREDR:
273 bredr_init(hdev);
274 break;
275
276 case HCI_AMP:
277 amp_init(hdev);
278 break;
279
280 default:
281 BT_ERR("Unknown device type %d", hdev->dev_type);
282 break;
283 }
284
285}
286
261static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt) 287static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
262{ 288{
263 BT_DBG("%s", hdev->name); 289 BT_DBG("%s", hdev->name);
@@ -818,7 +844,7 @@ int hci_get_dev_list(void __user *arg)
818 844
819 dr = dl->dev_req; 845 dr = dl->dev_req;
820 846
821 read_lock_bh(&hci_dev_list_lock); 847 read_lock(&hci_dev_list_lock);
822 list_for_each_entry(hdev, &hci_dev_list, list) { 848 list_for_each_entry(hdev, &hci_dev_list, list) {
823 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags)) 849 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags))
824 cancel_delayed_work(&hdev->power_off); 850 cancel_delayed_work(&hdev->power_off);
@@ -832,7 +858,7 @@ int hci_get_dev_list(void __user *arg)
832 if (++n >= dev_num) 858 if (++n >= dev_num)
833 break; 859 break;
834 } 860 }
835 read_unlock_bh(&hci_dev_list_lock); 861 read_unlock(&hci_dev_list_lock);
836 862
837 dl->dev_num = n; 863 dl->dev_num = n;
838 size = sizeof(*dl) + n * sizeof(*dr); 864 size = sizeof(*dl) + n * sizeof(*dr);
@@ -1432,7 +1458,7 @@ int hci_register_dev(struct hci_dev *hdev)
1432 */ 1458 */
1433 id = (hdev->dev_type == HCI_BREDR) ? 0 : 1; 1459 id = (hdev->dev_type == HCI_BREDR) ? 0 : 1;
1434 1460
1435 write_lock_bh(&hci_dev_list_lock); 1461 write_lock(&hci_dev_list_lock);
1436 1462
1437 /* Find first available device id */ 1463 /* Find first available device id */
1438 list_for_each(p, &hci_dev_list) { 1464 list_for_each(p, &hci_dev_list) {
@@ -1502,7 +1528,7 @@ int hci_register_dev(struct hci_dev *hdev)
1502 1528
1503 atomic_set(&hdev->promisc, 0); 1529 atomic_set(&hdev->promisc, 0);
1504 1530
1505 write_unlock_bh(&hci_dev_list_lock); 1531 write_unlock(&hci_dev_list_lock);
1506 1532
1507 hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND | 1533 hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
1508 WQ_MEM_RECLAIM, 1); 1534 WQ_MEM_RECLAIM, 1);
@@ -1535,9 +1561,9 @@ int hci_register_dev(struct hci_dev *hdev)
1535err_wqueue: 1561err_wqueue:
1536 destroy_workqueue(hdev->workqueue); 1562 destroy_workqueue(hdev->workqueue);
1537err: 1563err:
1538 write_lock_bh(&hci_dev_list_lock); 1564 write_lock(&hci_dev_list_lock);
1539 list_del(&hdev->list); 1565 list_del(&hdev->list);
1540 write_unlock_bh(&hci_dev_list_lock); 1566 write_unlock(&hci_dev_list_lock);
1541 1567
1542 return error; 1568 return error;
1543} 1569}
@@ -1550,9 +1576,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
1550 1576
1551 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus); 1577 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
1552 1578
1553 write_lock_bh(&hci_dev_list_lock); 1579 write_lock(&hci_dev_list_lock);
1554 list_del(&hdev->list); 1580 list_del(&hdev->list);
1555 write_unlock_bh(&hci_dev_list_lock); 1581 write_unlock(&hci_dev_list_lock);
1556 1582
1557 hci_dev_do_close(hdev); 1583 hci_dev_do_close(hdev);
1558 1584
@@ -1800,59 +1826,13 @@ EXPORT_SYMBOL(hci_recv_stream_fragment);
1800 1826
1801/* ---- Interface to upper protocols ---- */ 1827/* ---- Interface to upper protocols ---- */
1802 1828
1803/* Register/Unregister protocols.
1804 * hci_task_lock is used to ensure that no tasks are running. */
1805int hci_register_proto(struct hci_proto *hp)
1806{
1807 int err = 0;
1808
1809 BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1810
1811 if (hp->id >= HCI_MAX_PROTO)
1812 return -EINVAL;
1813
1814 mutex_lock(&hci_task_lock);
1815
1816 if (!hci_proto[hp->id])
1817 hci_proto[hp->id] = hp;
1818 else
1819 err = -EEXIST;
1820
1821 mutex_unlock(&hci_task_lock);
1822
1823 return err;
1824}
1825EXPORT_SYMBOL(hci_register_proto);
1826
1827int hci_unregister_proto(struct hci_proto *hp)
1828{
1829 int err = 0;
1830
1831 BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1832
1833 if (hp->id >= HCI_MAX_PROTO)
1834 return -EINVAL;
1835
1836 mutex_lock(&hci_task_lock);
1837
1838 if (hci_proto[hp->id])
1839 hci_proto[hp->id] = NULL;
1840 else
1841 err = -ENOENT;
1842
1843 mutex_unlock(&hci_task_lock);
1844
1845 return err;
1846}
1847EXPORT_SYMBOL(hci_unregister_proto);
1848
1849int hci_register_cb(struct hci_cb *cb) 1829int hci_register_cb(struct hci_cb *cb)
1850{ 1830{
1851 BT_DBG("%p name %s", cb, cb->name); 1831 BT_DBG("%p name %s", cb, cb->name);
1852 1832
1853 write_lock_bh(&hci_cb_list_lock); 1833 write_lock(&hci_cb_list_lock);
1854 list_add(&cb->list, &hci_cb_list); 1834 list_add(&cb->list, &hci_cb_list);
1855 write_unlock_bh(&hci_cb_list_lock); 1835 write_unlock(&hci_cb_list_lock);
1856 1836
1857 return 0; 1837 return 0;
1858} 1838}
@@ -1862,9 +1842,9 @@ int hci_unregister_cb(struct hci_cb *cb)
1862{ 1842{
1863 BT_DBG("%p name %s", cb, cb->name); 1843 BT_DBG("%p name %s", cb, cb->name);
1864 1844
1865 write_lock_bh(&hci_cb_list_lock); 1845 write_lock(&hci_cb_list_lock);
1866 list_del(&cb->list); 1846 list_del(&cb->list);
1867 write_unlock_bh(&hci_cb_list_lock); 1847 write_unlock(&hci_cb_list_lock);
1868 1848
1869 return 0; 1849 return 0;
1870} 1850}
@@ -1980,7 +1960,7 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
1980 skb_shinfo(skb)->frag_list = NULL; 1960 skb_shinfo(skb)->frag_list = NULL;
1981 1961
1982 /* Queue all fragments atomically */ 1962 /* Queue all fragments atomically */
1983 spin_lock_bh(&queue->lock); 1963 spin_lock(&queue->lock);
1984 1964
1985 __skb_queue_tail(queue, skb); 1965 __skb_queue_tail(queue, skb);
1986 1966
@@ -1998,7 +1978,7 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
1998 __skb_queue_tail(queue, skb); 1978 __skb_queue_tail(queue, skb);
1999 } while (list); 1979 } while (list);
2000 1980
2001 spin_unlock_bh(&queue->lock); 1981 spin_unlock(&queue->lock);
2002 } 1982 }
2003} 1983}
2004 1984
@@ -2407,8 +2387,6 @@ static void hci_tx_work(struct work_struct *work)
2407 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work); 2387 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
2408 struct sk_buff *skb; 2388 struct sk_buff *skb;
2409 2389
2410 mutex_lock(&hci_task_lock);
2411
2412 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt, 2390 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
2413 hdev->sco_cnt, hdev->le_cnt); 2391 hdev->sco_cnt, hdev->le_cnt);
2414 2392
@@ -2425,8 +2403,6 @@ static void hci_tx_work(struct work_struct *work)
2425 /* Send next queued raw (unknown type) packet */ 2403 /* Send next queued raw (unknown type) packet */
2426 while ((skb = skb_dequeue(&hdev->raw_q))) 2404 while ((skb = skb_dequeue(&hdev->raw_q)))
2427 hci_send_frame(skb); 2405 hci_send_frame(skb);
2428
2429 mutex_unlock(&hci_task_lock);
2430} 2406}
2431 2407
2432/* ----- HCI RX task (incoming data processing) ----- */ 2408/* ----- HCI RX task (incoming data processing) ----- */
@@ -2453,16 +2429,11 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2453 hci_dev_unlock(hdev); 2429 hci_dev_unlock(hdev);
2454 2430
2455 if (conn) { 2431 if (conn) {
2456 register struct hci_proto *hp;
2457
2458 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF); 2432 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
2459 2433
2460 /* Send to upper protocol */ 2434 /* Send to upper protocol */
2461 hp = hci_proto[HCI_PROTO_L2CAP]; 2435 l2cap_recv_acldata(conn, skb, flags);
2462 if (hp && hp->recv_acldata) { 2436 return;
2463 hp->recv_acldata(conn, skb, flags);
2464 return;
2465 }
2466 } else { 2437 } else {
2467 BT_ERR("%s ACL packet for unknown connection handle %d", 2438 BT_ERR("%s ACL packet for unknown connection handle %d",
2468 hdev->name, handle); 2439 hdev->name, handle);
@@ -2491,14 +2462,9 @@ static inline void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2491 hci_dev_unlock(hdev); 2462 hci_dev_unlock(hdev);
2492 2463
2493 if (conn) { 2464 if (conn) {
2494 register struct hci_proto *hp;
2495
2496 /* Send to upper protocol */ 2465 /* Send to upper protocol */
2497 hp = hci_proto[HCI_PROTO_SCO]; 2466 sco_recv_scodata(conn, skb);
2498 if (hp && hp->recv_scodata) { 2467 return;
2499 hp->recv_scodata(conn, skb);
2500 return;
2501 }
2502 } else { 2468 } else {
2503 BT_ERR("%s SCO packet for unknown connection handle %d", 2469 BT_ERR("%s SCO packet for unknown connection handle %d",
2504 hdev->name, handle); 2470 hdev->name, handle);
@@ -2514,8 +2480,6 @@ static void hci_rx_work(struct work_struct *work)
2514 2480
2515 BT_DBG("%s", hdev->name); 2481 BT_DBG("%s", hdev->name);
2516 2482
2517 mutex_lock(&hci_task_lock);
2518
2519 while ((skb = skb_dequeue(&hdev->rx_q))) { 2483 while ((skb = skb_dequeue(&hdev->rx_q))) {
2520 if (atomic_read(&hdev->promisc)) { 2484 if (atomic_read(&hdev->promisc)) {
2521 /* Send copy to the sockets */ 2485 /* Send copy to the sockets */
@@ -2559,8 +2523,6 @@ static void hci_rx_work(struct work_struct *work)
2559 break; 2523 break;
2560 } 2524 }
2561 } 2525 }
2562
2563 mutex_unlock(&hci_task_lock);
2564} 2526}
2565 2527
2566static void hci_cmd_work(struct work_struct *work) 2528static void hci_cmd_work(struct work_struct *work)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index fc5338fc2a6e..919e3c0e74aa 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -556,6 +556,9 @@ static void hci_set_le_support(struct hci_dev *hdev)
556 556
557static void hci_setup(struct hci_dev *hdev) 557static void hci_setup(struct hci_dev *hdev)
558{ 558{
559 if (hdev->dev_type != HCI_BREDR)
560 return;
561
559 hci_setup_event_mask(hdev); 562 hci_setup_event_mask(hdev);
560 563
561 if (hdev->hci_ver > BLUETOOTH_VER_1_1) 564 if (hdev->hci_ver > BLUETOOTH_VER_1_1)
@@ -1030,7 +1033,8 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1030 if (!cp) 1033 if (!cp)
1031 return; 1034 return;
1032 1035
1033 if (cp->enable == 0x01) { 1036 switch (cp->enable) {
1037 case LE_SCANNING_ENABLED:
1034 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1038 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1035 1039
1036 cancel_delayed_work_sync(&hdev->adv_work); 1040 cancel_delayed_work_sync(&hdev->adv_work);
@@ -1038,12 +1042,19 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1038 hci_dev_lock(hdev); 1042 hci_dev_lock(hdev);
1039 hci_adv_entries_clear(hdev); 1043 hci_adv_entries_clear(hdev);
1040 hci_dev_unlock(hdev); 1044 hci_dev_unlock(hdev);
1041 } else if (cp->enable == 0x00) { 1045 break;
1046
1047 case LE_SCANNING_DISABLED:
1042 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1048 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1043 1049
1044 cancel_delayed_work_sync(&hdev->adv_work); 1050 cancel_delayed_work_sync(&hdev->adv_work);
1045 queue_delayed_work(hdev->workqueue, &hdev->adv_work, 1051 queue_delayed_work(hdev->workqueue, &hdev->adv_work,
1046 jiffies + ADV_CLEAR_TIMEOUT); 1052 jiffies + ADV_CLEAR_TIMEOUT);
1053 break;
1054
1055 default:
1056 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1057 break;
1047 } 1058 }
1048} 1059}
1049 1060
@@ -2253,24 +2264,29 @@ static inline void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb
2253static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 2264static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2254{ 2265{
2255 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 2266 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2256 __le16 *ptr;
2257 int i; 2267 int i;
2258 2268
2259 skb_pull(skb, sizeof(*ev)); 2269 skb_pull(skb, sizeof(*ev));
2260 2270
2261 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 2271 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2262 2272
2273 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2274 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2275 return;
2276 }
2277
2263 if (skb->len < ev->num_hndl * 4) { 2278 if (skb->len < ev->num_hndl * 4) {
2264 BT_DBG("%s bad parameters", hdev->name); 2279 BT_DBG("%s bad parameters", hdev->name);
2265 return; 2280 return;
2266 } 2281 }
2267 2282
2268 for (i = 0, ptr = (__le16 *) skb->data; i < ev->num_hndl; i++) { 2283 for (i = 0; i < ev->num_hndl; i++) {
2284 struct hci_comp_pkts_info *info = &ev->handles[i];
2269 struct hci_conn *conn; 2285 struct hci_conn *conn;
2270 __u16 handle, count; 2286 __u16 handle, count;
2271 2287
2272 handle = get_unaligned_le16(ptr++); 2288 handle = __le16_to_cpu(info->handle);
2273 count = get_unaligned_le16(ptr++); 2289 count = __le16_to_cpu(info->count);
2274 2290
2275 conn = hci_conn_hash_lookup_handle(hdev, handle); 2291 conn = hci_conn_hash_lookup_handle(hdev, handle);
2276 if (!conn) 2292 if (!conn)
diff --git a/net/bluetooth/hidp/Kconfig b/net/bluetooth/hidp/Kconfig
index 86a91543172a..4deaca78e91e 100644
--- a/net/bluetooth/hidp/Kconfig
+++ b/net/bluetooth/hidp/Kconfig
@@ -1,6 +1,6 @@
1config BT_HIDP 1config BT_HIDP
2 tristate "HIDP protocol support" 2 tristate "HIDP protocol support"
3 depends on BT && BT_L2CAP && INPUT && HID_SUPPORT 3 depends on BT && INPUT && HID_SUPPORT
4 select HID 4 select HID
5 help 5 help
6 HIDP (Human Interface Device Protocol) is a transport layer 6 HIDP (Human Interface Device Protocol) is a transport layer
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ffa2f6b8408f..cd7bb3d7f2b4 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -77,17 +77,6 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77 77
78/* ---- L2CAP channels ---- */ 78/* ---- L2CAP channels ---- */
79 79
80static inline void chan_hold(struct l2cap_chan *c)
81{
82 atomic_inc(&c->refcnt);
83}
84
85static inline void chan_put(struct l2cap_chan *c)
86{
87 if (atomic_dec_and_test(&c->refcnt))
88 kfree(c);
89}
90
91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
92{ 81{
93 struct l2cap_chan *c, *r = NULL; 82 struct l2cap_chan *c, *r = NULL;
@@ -228,20 +217,6 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
228 return 0; 217 return 0;
229} 218}
230 219
231static void l2cap_set_timer(struct l2cap_chan *chan, struct delayed_work *work, long timeout)
232{
233 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
234
235 cancel_delayed_work_sync(work);
236
237 schedule_delayed_work(work, timeout);
238}
239
240static void l2cap_clear_timer(struct delayed_work *work)
241{
242 cancel_delayed_work_sync(work);
243}
244
245static char *state_to_string(int state) 220static char *state_to_string(int state)
246{ 221{
247 switch(state) { 222 switch(state) {
@@ -301,7 +276,7 @@ static void l2cap_chan_timeout(struct work_struct *work)
301 release_sock(sk); 276 release_sock(sk);
302 277
303 chan->ops->close(chan->data); 278 chan->ops->close(chan->data);
304 chan_put(chan); 279 l2cap_chan_put(chan);
305} 280}
306 281
307struct l2cap_chan *l2cap_chan_create(struct sock *sk) 282struct l2cap_chan *l2cap_chan_create(struct sock *sk)
@@ -335,7 +310,7 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
335 list_del(&chan->global_l); 310 list_del(&chan->global_l);
336 write_unlock_bh(&chan_list_lock); 311 write_unlock_bh(&chan_list_lock);
337 312
338 chan_put(chan); 313 l2cap_chan_put(chan);
339} 314}
340 315
341static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 316static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
@@ -377,7 +352,7 @@ static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
377 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 352 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
378 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO; 353 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
379 354
380 chan_hold(chan); 355 l2cap_chan_hold(chan);
381 356
382 list_add_rcu(&chan->list, &conn->chan_l); 357 list_add_rcu(&chan->list, &conn->chan_l);
383} 358}
@@ -399,7 +374,7 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
399 list_del_rcu(&chan->list); 374 list_del_rcu(&chan->list);
400 synchronize_rcu(); 375 synchronize_rcu();
401 376
402 chan_put(chan); 377 l2cap_chan_put(chan);
403 378
404 chan->conn = NULL; 379 chan->conn = NULL;
405 hci_conn_put(conn->hcon); 380 hci_conn_put(conn->hcon);
@@ -713,7 +688,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
713 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
714 conn->info_ident = l2cap_get_ident(conn); 689 conn->info_ident = l2cap_get_ident(conn);
715 690
716 schedule_delayed_work(&conn->info_work, 691 schedule_delayed_work(&conn->info_timer,
717 msecs_to_jiffies(L2CAP_INFO_TIMEOUT)); 692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
718 693
719 l2cap_send_cmd(conn, conn->info_ident, 694 l2cap_send_cmd(conn, conn->info_ident,
@@ -1010,7 +985,7 @@ static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1010static void l2cap_info_timeout(struct work_struct *work) 985static void l2cap_info_timeout(struct work_struct *work)
1011{ 986{
1012 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 987 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1013 info_work.work); 988 info_timer.work);
1014 989
1015 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1016 conn->info_ident = 0; 991 conn->info_ident = 0;
@@ -1043,10 +1018,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1043 hci_chan_del(conn->hchan); 1018 hci_chan_del(conn->hchan);
1044 1019
1045 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1046 cancel_delayed_work_sync(&conn->info_work); 1021 __cancel_delayed_work(&conn->info_timer);
1047 1022
1048 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) { 1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1049 del_timer(&conn->security_timer); 1024 __cancel_delayed_work(&conn->security_timer);
1050 smp_chan_destroy(conn); 1025 smp_chan_destroy(conn);
1051 } 1026 }
1052 1027
@@ -1054,9 +1029,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1054 kfree(conn); 1029 kfree(conn);
1055} 1030}
1056 1031
1057static void security_timeout(unsigned long arg) 1032static void security_timeout(struct work_struct *work)
1058{ 1033{
1059 struct l2cap_conn *conn = (void *) arg; 1034 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1035 security_timer.work);
1060 1036
1061 l2cap_conn_del(conn->hcon, ETIMEDOUT); 1037 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1062} 1038}
@@ -1100,10 +1076,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1100 INIT_LIST_HEAD(&conn->chan_l); 1076 INIT_LIST_HEAD(&conn->chan_l);
1101 1077
1102 if (hcon->type == LE_LINK) 1078 if (hcon->type == LE_LINK)
1103 setup_timer(&conn->security_timer, security_timeout, 1079 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1104 (unsigned long) conn);
1105 else 1080 else
1106 INIT_DELAYED_WORK(&conn->info_work, l2cap_info_timeout); 1081 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1107 1082
1108 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 1083 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1109 1084
@@ -2010,6 +1985,8 @@ static void l2cap_ack_timeout(struct work_struct *work)
2010 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1985 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2011 ack_timer.work); 1986 ack_timer.work);
2012 1987
1988 BT_DBG("chan %p", chan);
1989
2013 lock_sock(chan->sk); 1990 lock_sock(chan->sk);
2014 l2cap_send_ack(chan); 1991 l2cap_send_ack(chan);
2015 release_sock(chan->sk); 1992 release_sock(chan->sk);
@@ -2597,7 +2574,7 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
2597 2574
2598 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 2575 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2599 cmd->ident == conn->info_ident) { 2576 cmd->ident == conn->info_ident) {
2600 cancel_delayed_work_sync(&conn->info_work); 2577 __cancel_delayed_work(&conn->info_timer);
2601 2578
2602 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 2579 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2603 conn->info_ident = 0; 2580 conn->info_ident = 0;
@@ -2718,7 +2695,7 @@ sendresp:
2718 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 2695 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2719 conn->info_ident = l2cap_get_ident(conn); 2696 conn->info_ident = l2cap_get_ident(conn);
2720 2697
2721 schedule_delayed_work(&conn->info_work, 2698 schedule_delayed_work(&conn->info_timer,
2722 msecs_to_jiffies(L2CAP_INFO_TIMEOUT)); 2699 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2723 2700
2724 l2cap_send_cmd(conn, conn->info_ident, 2701 l2cap_send_cmd(conn, conn->info_ident,
@@ -3143,7 +3120,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
3143 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 3120 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3144 return 0; 3121 return 0;
3145 3122
3146 cancel_delayed_work_sync(&conn->info_work); 3123 __cancel_delayed_work(&conn->info_timer);
3147 3124
3148 if (result != L2CAP_IR_SUCCESS) { 3125 if (result != L2CAP_IR_SUCCESS) {
3149 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3126 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
@@ -4427,14 +4404,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4427 4404
4428/* ---- L2CAP interface with lower layer (HCI) ---- */ 4405/* ---- L2CAP interface with lower layer (HCI) ---- */
4429 4406
4430static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 4407int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4431{ 4408{
4432 int exact = 0, lm1 = 0, lm2 = 0; 4409 int exact = 0, lm1 = 0, lm2 = 0;
4433 struct l2cap_chan *c; 4410 struct l2cap_chan *c;
4434 4411
4435 if (type != ACL_LINK)
4436 return -EINVAL;
4437
4438 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 4412 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4439 4413
4440 /* Find listening sockets and check their link_mode */ 4414 /* Find listening sockets and check their link_mode */
@@ -4461,15 +4435,12 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4461 return exact ? lm1 : lm2; 4435 return exact ? lm1 : lm2;
4462} 4436}
4463 4437
4464static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 4438int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4465{ 4439{
4466 struct l2cap_conn *conn; 4440 struct l2cap_conn *conn;
4467 4441
4468 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 4442 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4469 4443
4470 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4471 return -EINVAL;
4472
4473 if (!status) { 4444 if (!status) {
4474 conn = l2cap_conn_add(hcon, status); 4445 conn = l2cap_conn_add(hcon, status);
4475 if (conn) 4446 if (conn)
@@ -4480,27 +4451,22 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4480 return 0; 4451 return 0;
4481} 4452}
4482 4453
4483static int l2cap_disconn_ind(struct hci_conn *hcon) 4454int l2cap_disconn_ind(struct hci_conn *hcon)
4484{ 4455{
4485 struct l2cap_conn *conn = hcon->l2cap_data; 4456 struct l2cap_conn *conn = hcon->l2cap_data;
4486 4457
4487 BT_DBG("hcon %p", hcon); 4458 BT_DBG("hcon %p", hcon);
4488 4459
4489 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn) 4460 if (!conn)
4490 return HCI_ERROR_REMOTE_USER_TERM; 4461 return HCI_ERROR_REMOTE_USER_TERM;
4491
4492 return conn->disc_reason; 4462 return conn->disc_reason;
4493} 4463}
4494 4464
4495static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 4465int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4496{ 4466{
4497 BT_DBG("hcon %p reason %d", hcon, reason); 4467 BT_DBG("hcon %p reason %d", hcon, reason);
4498 4468
4499 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4500 return -EINVAL;
4501
4502 l2cap_conn_del(hcon, bt_to_errno(reason)); 4469 l2cap_conn_del(hcon, bt_to_errno(reason));
4503
4504 return 0; 4470 return 0;
4505} 4471}
4506 4472
@@ -4521,7 +4487,7 @@ static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4521 } 4487 }
4522} 4488}
4523 4489
4524static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 4490int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4525{ 4491{
4526 struct l2cap_conn *conn = hcon->l2cap_data; 4492 struct l2cap_conn *conn = hcon->l2cap_data;
4527 struct l2cap_chan *chan; 4493 struct l2cap_chan *chan;
@@ -4533,7 +4499,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4533 4499
4534 if (hcon->type == LE_LINK) { 4500 if (hcon->type == LE_LINK) {
4535 smp_distribute_keys(conn, 0); 4501 smp_distribute_keys(conn, 0);
4536 del_timer(&conn->security_timer); 4502 __cancel_delayed_work(&conn->security_timer);
4537 } 4503 }
4538 4504
4539 rcu_read_lock(); 4505 rcu_read_lock();
@@ -4621,7 +4587,7 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4621 return 0; 4587 return 0;
4622} 4588}
4623 4589
4624static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 4590int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4625{ 4591{
4626 struct l2cap_conn *conn = hcon->l2cap_data; 4592 struct l2cap_conn *conn = hcon->l2cap_data;
4627 4593
@@ -4768,17 +4734,6 @@ static const struct file_operations l2cap_debugfs_fops = {
4768 4734
4769static struct dentry *l2cap_debugfs; 4735static struct dentry *l2cap_debugfs;
4770 4736
4771static struct hci_proto l2cap_hci_proto = {
4772 .name = "L2CAP",
4773 .id = HCI_PROTO_L2CAP,
4774 .connect_ind = l2cap_connect_ind,
4775 .connect_cfm = l2cap_connect_cfm,
4776 .disconn_ind = l2cap_disconn_ind,
4777 .disconn_cfm = l2cap_disconn_cfm,
4778 .security_cfm = l2cap_security_cfm,
4779 .recv_acldata = l2cap_recv_acldata
4780};
4781
4782int __init l2cap_init(void) 4737int __init l2cap_init(void)
4783{ 4738{
4784 int err; 4739 int err;
@@ -4787,13 +4742,6 @@ int __init l2cap_init(void)
4787 if (err < 0) 4742 if (err < 0)
4788 return err; 4743 return err;
4789 4744
4790 err = hci_register_proto(&l2cap_hci_proto);
4791 if (err < 0) {
4792 BT_ERR("L2CAP protocol registration failed");
4793 bt_sock_unregister(BTPROTO_L2CAP);
4794 goto error;
4795 }
4796
4797 if (bt_debugfs) { 4745 if (bt_debugfs) {
4798 l2cap_debugfs = debugfs_create_file("l2cap", 0444, 4746 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4799 bt_debugfs, NULL, &l2cap_debugfs_fops); 4747 bt_debugfs, NULL, &l2cap_debugfs_fops);
@@ -4802,19 +4750,11 @@ int __init l2cap_init(void)
4802 } 4750 }
4803 4751
4804 return 0; 4752 return 0;
4805
4806error:
4807 l2cap_cleanup_sockets();
4808 return err;
4809} 4753}
4810 4754
4811void l2cap_exit(void) 4755void l2cap_exit(void)
4812{ 4756{
4813 debugfs_remove(l2cap_debugfs); 4757 debugfs_remove(l2cap_debugfs);
4814
4815 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4816 BT_ERR("L2CAP protocol unregistration failed");
4817
4818 l2cap_cleanup_sockets(); 4758 l2cap_cleanup_sockets();
4819} 4759}
4820 4760
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index fbcbef6ecceb..2540944d871f 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -30,6 +30,7 @@
30#include <net/bluetooth/bluetooth.h> 30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h> 31#include <net/bluetooth/hci_core.h>
32#include <net/bluetooth/mgmt.h> 32#include <net/bluetooth/mgmt.h>
33#include <net/bluetooth/smp.h>
33 34
34#define MGMT_VERSION 0 35#define MGMT_VERSION 0
35#define MGMT_REVISION 1 36#define MGMT_REVISION 1
@@ -1642,8 +1643,15 @@ static int user_pairing_resp(struct sock *sk, u16 index, bdaddr_t *bdaddr,
1642 } 1643 }
1643 1644
1644 /* Continue with pairing via SMP */ 1645 /* Continue with pairing via SMP */
1646 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
1647
1648 if (!err)
1649 err = cmd_status(sk, index, mgmt_op,
1650 MGMT_STATUS_SUCCESS);
1651 else
1652 err = cmd_status(sk, index, mgmt_op,
1653 MGMT_STATUS_FAILED);
1645 1654
1646 err = cmd_status(sk, index, mgmt_op, MGMT_STATUS_SUCCESS);
1647 goto done; 1655 goto done;
1648 } 1656 }
1649 1657
diff --git a/net/bluetooth/rfcomm/Kconfig b/net/bluetooth/rfcomm/Kconfig
index 405a0e61e7dc..22e718b554e4 100644
--- a/net/bluetooth/rfcomm/Kconfig
+++ b/net/bluetooth/rfcomm/Kconfig
@@ -1,6 +1,6 @@
1config BT_RFCOMM 1config BT_RFCOMM
2 tristate "RFCOMM protocol support" 2 tristate "RFCOMM protocol support"
3 depends on BT && BT_L2CAP 3 depends on BT
4 help 4 help
5 RFCOMM provides connection oriented stream transport. RFCOMM 5 RFCOMM provides connection oriented stream transport. RFCOMM
6 support is required for Dialup Networking, OBEX and other Bluetooth 6 support is required for Dialup Networking, OBEX and other Bluetooth
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index be6288cf854a..09a3cbcf794e 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -65,8 +65,7 @@ static DEFINE_MUTEX(rfcomm_mutex);
65 65
66static LIST_HEAD(session_list); 66static LIST_HEAD(session_list);
67 67
68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 u32 priority);
70static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 69static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
71static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 70static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
72static int rfcomm_queue_disc(struct rfcomm_dlc *d); 71static int rfcomm_queue_disc(struct rfcomm_dlc *d);
@@ -748,32 +747,23 @@ void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *d
748} 747}
749 748
750/* ---- RFCOMM frame sending ---- */ 749/* ---- RFCOMM frame sending ---- */
751static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 750static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
752 u32 priority)
753{ 751{
754 struct socket *sock = s->sock;
755 struct sock *sk = sock->sk;
756 struct kvec iv = { data, len }; 752 struct kvec iv = { data, len };
757 struct msghdr msg; 753 struct msghdr msg;
758 754
759 BT_DBG("session %p len %d priority %u", s, len, priority); 755 BT_DBG("session %p len %d", s, len);
760
761 if (sk->sk_priority != priority) {
762 lock_sock(sk);
763 sk->sk_priority = priority;
764 release_sock(sk);
765 }
766 756
767 memset(&msg, 0, sizeof(msg)); 757 memset(&msg, 0, sizeof(msg));
768 758
769 return kernel_sendmsg(sock, &msg, &iv, 1, len); 759 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
770} 760}
771 761
772static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 762static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
773{ 763{
774 BT_DBG("%p cmd %u", s, cmd->ctrl); 764 BT_DBG("%p cmd %u", s, cmd->ctrl);
775 765
776 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd), HCI_PRIO_MAX); 766 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
777} 767}
778 768
779static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 769static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
@@ -829,8 +819,6 @@ static int rfcomm_queue_disc(struct rfcomm_dlc *d)
829 if (!skb) 819 if (!skb)
830 return -ENOMEM; 820 return -ENOMEM;
831 821
832 skb->priority = HCI_PRIO_MAX;
833
834 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 822 cmd = (void *) __skb_put(skb, sizeof(*cmd));
835 cmd->addr = d->addr; 823 cmd->addr = d->addr;
836 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 824 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
@@ -878,7 +866,7 @@ static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
878 866
879 *ptr = __fcs(buf); ptr++; 867 *ptr = __fcs(buf); ptr++;
880 868
881 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 869 return rfcomm_send_frame(s, buf, ptr - buf);
882} 870}
883 871
884static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 872static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
@@ -920,7 +908,7 @@ static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d
920 908
921 *ptr = __fcs(buf); ptr++; 909 *ptr = __fcs(buf); ptr++;
922 910
923 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 911 return rfcomm_send_frame(s, buf, ptr - buf);
924} 912}
925 913
926int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 914int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
@@ -958,7 +946,7 @@ int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
958 946
959 *ptr = __fcs(buf); ptr++; 947 *ptr = __fcs(buf); ptr++;
960 948
961 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 949 return rfcomm_send_frame(s, buf, ptr - buf);
962} 950}
963 951
964static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 952static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
@@ -985,7 +973,7 @@ static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
985 973
986 *ptr = __fcs(buf); ptr++; 974 *ptr = __fcs(buf); ptr++;
987 975
988 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 976 return rfcomm_send_frame(s, buf, ptr - buf);
989} 977}
990 978
991static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 979static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
@@ -1012,7 +1000,7 @@ static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig
1012 1000
1013 *ptr = __fcs(buf); ptr++; 1001 *ptr = __fcs(buf); ptr++;
1014 1002
1015 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1003 return rfcomm_send_frame(s, buf, ptr - buf);
1016} 1004}
1017 1005
1018static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1006static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
@@ -1034,7 +1022,7 @@ static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1034 1022
1035 *ptr = __fcs(buf); ptr++; 1023 *ptr = __fcs(buf); ptr++;
1036 1024
1037 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1025 return rfcomm_send_frame(s, buf, ptr - buf);
1038} 1026}
1039 1027
1040static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1028static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
@@ -1056,7 +1044,7 @@ static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1056 1044
1057 *ptr = __fcs(buf); ptr++; 1045 *ptr = __fcs(buf); ptr++;
1058 1046
1059 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1047 return rfcomm_send_frame(s, buf, ptr - buf);
1060} 1048}
1061 1049
1062static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1050static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
@@ -1107,7 +1095,7 @@ static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1107 1095
1108 *ptr = __fcs(buf); ptr++; 1096 *ptr = __fcs(buf); ptr++;
1109 1097
1110 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1098 return rfcomm_send_frame(s, buf, ptr - buf);
1111} 1099}
1112 1100
1113static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1101static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
@@ -1786,8 +1774,7 @@ static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1786 return skb_queue_len(&d->tx_queue); 1774 return skb_queue_len(&d->tx_queue);
1787 1775
1788 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1776 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1789 err = rfcomm_send_frame(d->session, skb->data, skb->len, 1777 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1790 skb->priority);
1791 if (err < 0) { 1778 if (err < 0) {
1792 skb_queue_head(&d->tx_queue, skb); 1779 skb_queue_head(&d->tx_queue, skb);
1793 break; 1780 break;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 725e10d487f2..0d59e61d7822 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -893,15 +893,12 @@ done:
893} 893}
894 894
895/* ----- SCO interface with lower layer (HCI) ----- */ 895/* ----- SCO interface with lower layer (HCI) ----- */
896static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type) 896int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
897{ 897{
898 register struct sock *sk; 898 register struct sock *sk;
899 struct hlist_node *node; 899 struct hlist_node *node;
900 int lm = 0; 900 int lm = 0;
901 901
902 if (type != SCO_LINK && type != ESCO_LINK)
903 return -EINVAL;
904
905 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 902 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
906 903
907 /* Find listening sockets */ 904 /* Find listening sockets */
@@ -921,13 +918,9 @@ static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type)
921 return lm; 918 return lm;
922} 919}
923 920
924static int sco_connect_cfm(struct hci_conn *hcon, __u8 status) 921int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
925{ 922{
926 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 923 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
927
928 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
929 return -EINVAL;
930
931 if (!status) { 924 if (!status) {
932 struct sco_conn *conn; 925 struct sco_conn *conn;
933 926
@@ -940,19 +933,15 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
940 return 0; 933 return 0;
941} 934}
942 935
943static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason) 936int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
944{ 937{
945 BT_DBG("hcon %p reason %d", hcon, reason); 938 BT_DBG("hcon %p reason %d", hcon, reason);
946 939
947 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
948 return -EINVAL;
949
950 sco_conn_del(hcon, bt_to_errno(reason)); 940 sco_conn_del(hcon, bt_to_errno(reason));
951
952 return 0; 941 return 0;
953} 942}
954 943
955static int sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) 944int sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
956{ 945{
957 struct sco_conn *conn = hcon->sco_data; 946 struct sco_conn *conn = hcon->sco_data;
958 947
@@ -1028,15 +1017,6 @@ static const struct net_proto_family sco_sock_family_ops = {
1028 .create = sco_sock_create, 1017 .create = sco_sock_create,
1029}; 1018};
1030 1019
1031static struct hci_proto sco_hci_proto = {
1032 .name = "SCO",
1033 .id = HCI_PROTO_SCO,
1034 .connect_ind = sco_connect_ind,
1035 .connect_cfm = sco_connect_cfm,
1036 .disconn_cfm = sco_disconn_cfm,
1037 .recv_scodata = sco_recv_scodata
1038};
1039
1040int __init sco_init(void) 1020int __init sco_init(void)
1041{ 1021{
1042 int err; 1022 int err;
@@ -1051,13 +1031,6 @@ int __init sco_init(void)
1051 goto error; 1031 goto error;
1052 } 1032 }
1053 1033
1054 err = hci_register_proto(&sco_hci_proto);
1055 if (err < 0) {
1056 BT_ERR("SCO protocol registration failed");
1057 bt_sock_unregister(BTPROTO_SCO);
1058 goto error;
1059 }
1060
1061 if (bt_debugfs) { 1034 if (bt_debugfs) {
1062 sco_debugfs = debugfs_create_file("sco", 0444, 1035 sco_debugfs = debugfs_create_file("sco", 0444,
1063 bt_debugfs, NULL, &sco_debugfs_fops); 1036 bt_debugfs, NULL, &sco_debugfs_fops);
@@ -1081,9 +1054,6 @@ void __exit sco_exit(void)
1081 if (bt_sock_unregister(BTPROTO_SCO) < 0) 1054 if (bt_sock_unregister(BTPROTO_SCO) < 0)
1082 BT_ERR("SCO socket unregistration failed"); 1055 BT_ERR("SCO socket unregistration failed");
1083 1056
1084 if (hci_unregister_proto(&sco_hci_proto) < 0)
1085 BT_ERR("SCO protocol unregistration failed");
1086
1087 proto_unregister(&sco_proto); 1057 proto_unregister(&sco_proto);
1088} 1058}
1089 1059
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 0b96737d0ad3..32c47de30344 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -23,6 +23,7 @@
23#include <net/bluetooth/bluetooth.h> 23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h> 24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h> 25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/mgmt.h>
26#include <net/bluetooth/smp.h> 27#include <net/bluetooth/smp.h>
27#include <linux/crypto.h> 28#include <linux/crypto.h>
28#include <linux/scatterlist.h> 29#include <linux/scatterlist.h>
@@ -184,28 +185,50 @@ static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
184 skb->priority = HCI_PRIO_MAX; 185 skb->priority = HCI_PRIO_MAX;
185 hci_send_acl(conn->hchan, skb, 0); 186 hci_send_acl(conn->hchan, skb, 0);
186 187
187 mod_timer(&conn->security_timer, jiffies + 188 cancel_delayed_work_sync(&conn->security_timer);
189 schedule_delayed_work(&conn->security_timer,
188 msecs_to_jiffies(SMP_TIMEOUT)); 190 msecs_to_jiffies(SMP_TIMEOUT));
189} 191}
190 192
193static __u8 authreq_to_seclevel(__u8 authreq)
194{
195 if (authreq & SMP_AUTH_MITM)
196 return BT_SECURITY_HIGH;
197 else
198 return BT_SECURITY_MEDIUM;
199}
200
201static __u8 seclevel_to_authreq(__u8 sec_level)
202{
203 switch (sec_level) {
204 case BT_SECURITY_HIGH:
205 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
206 case BT_SECURITY_MEDIUM:
207 return SMP_AUTH_BONDING;
208 default:
209 return SMP_AUTH_NONE;
210 }
211}
212
191static void build_pairing_cmd(struct l2cap_conn *conn, 213static void build_pairing_cmd(struct l2cap_conn *conn,
192 struct smp_cmd_pairing *req, 214 struct smp_cmd_pairing *req,
193 struct smp_cmd_pairing *rsp, 215 struct smp_cmd_pairing *rsp,
194 __u8 authreq) 216 __u8 authreq)
195{ 217{
196 u8 dist_keys; 218 u8 dist_keys = 0;
197 219
198 dist_keys = 0;
199 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) { 220 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) {
200 dist_keys = SMP_DIST_ENC_KEY; 221 dist_keys = SMP_DIST_ENC_KEY;
201 authreq |= SMP_AUTH_BONDING; 222 authreq |= SMP_AUTH_BONDING;
223 } else {
224 authreq &= ~SMP_AUTH_BONDING;
202 } 225 }
203 226
204 if (rsp == NULL) { 227 if (rsp == NULL) {
205 req->io_capability = conn->hcon->io_capability; 228 req->io_capability = conn->hcon->io_capability;
206 req->oob_flag = SMP_OOB_NOT_PRESENT; 229 req->oob_flag = SMP_OOB_NOT_PRESENT;
207 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 230 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
208 req->init_key_dist = dist_keys; 231 req->init_key_dist = 0;
209 req->resp_key_dist = dist_keys; 232 req->resp_key_dist = dist_keys;
210 req->auth_req = authreq; 233 req->auth_req = authreq;
211 return; 234 return;
@@ -214,7 +237,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
214 rsp->io_capability = conn->hcon->io_capability; 237 rsp->io_capability = conn->hcon->io_capability;
215 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 238 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
216 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 239 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
217 rsp->init_key_dist = req->init_key_dist & dist_keys; 240 rsp->init_key_dist = 0;
218 rsp->resp_key_dist = req->resp_key_dist & dist_keys; 241 rsp->resp_key_dist = req->resp_key_dist & dist_keys;
219 rsp->auth_req = authreq; 242 rsp->auth_req = authreq;
220} 243}
@@ -240,10 +263,99 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
240 263
241 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->pend); 264 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->pend);
242 mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason); 265 mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
243 del_timer(&conn->security_timer); 266 cancel_delayed_work_sync(&conn->security_timer);
244 smp_chan_destroy(conn); 267 smp_chan_destroy(conn);
245} 268}
246 269
270#define JUST_WORKS 0x00
271#define JUST_CFM 0x01
272#define REQ_PASSKEY 0x02
273#define CFM_PASSKEY 0x03
274#define REQ_OOB 0x04
275#define OVERLAP 0xFF
276
277static const u8 gen_method[5][5] = {
278 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
279 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
280 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
281 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
282 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
283};
284
285static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
286 u8 local_io, u8 remote_io)
287{
288 struct hci_conn *hcon = conn->hcon;
289 struct smp_chan *smp = conn->smp_chan;
290 u8 method;
291 u32 passkey = 0;
292 int ret = 0;
293
294 /* Initialize key for JUST WORKS */
295 memset(smp->tk, 0, sizeof(smp->tk));
296 clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
297
298 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
299
300 /* If neither side wants MITM, use JUST WORKS */
301 /* If either side has unknown io_caps, use JUST WORKS */
302 /* Otherwise, look up method from the table */
303 if (!(auth & SMP_AUTH_MITM) ||
304 local_io > SMP_IO_KEYBOARD_DISPLAY ||
305 remote_io > SMP_IO_KEYBOARD_DISPLAY)
306 method = JUST_WORKS;
307 else
308 method = gen_method[local_io][remote_io];
309
310 /* If not bonding, don't ask user to confirm a Zero TK */
311 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
312 method = JUST_WORKS;
313
314 /* If Just Works, Continue with Zero TK */
315 if (method == JUST_WORKS) {
316 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
317 return 0;
318 }
319
320 /* Not Just Works/Confirm results in MITM Authentication */
321 if (method != JUST_CFM)
322 set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
323
324 /* If both devices have Keyoard-Display I/O, the master
325 * Confirms and the slave Enters the passkey.
326 */
327 if (method == OVERLAP) {
328 if (hcon->link_mode & HCI_LM_MASTER)
329 method = CFM_PASSKEY;
330 else
331 method = REQ_PASSKEY;
332 }
333
334 /* Generate random passkey. Not valid until confirmed. */
335 if (method == CFM_PASSKEY) {
336 u8 key[16];
337
338 memset(key, 0, sizeof(key));
339 get_random_bytes(&passkey, sizeof(passkey));
340 passkey %= 1000000;
341 put_unaligned_le32(passkey, key);
342 swap128(key, smp->tk);
343 BT_DBG("PassKey: %d", passkey);
344 }
345
346 hci_dev_lock(hcon->hdev);
347
348 if (method == REQ_PASSKEY)
349 ret = mgmt_user_passkey_request(hcon->hdev, conn->dst);
350 else
351 ret = mgmt_user_confirm_request(hcon->hdev, conn->dst,
352 cpu_to_le32(passkey), 0);
353
354 hci_dev_unlock(hcon->hdev);
355
356 return ret;
357}
358
247static void confirm_work(struct work_struct *work) 359static void confirm_work(struct work_struct *work)
248{ 360{
249 struct smp_chan *smp = container_of(work, struct smp_chan, confirm); 361 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
@@ -276,6 +388,8 @@ static void confirm_work(struct work_struct *work)
276 goto error; 388 goto error;
277 } 389 }
278 390
391 clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
392
279 swap128(res, cp.confirm_val); 393 swap128(res, cp.confirm_val);
280 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 394 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
281 395
@@ -381,6 +495,7 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
381 495
382 smp->conn = conn; 496 smp->conn = conn;
383 conn->smp_chan = smp; 497 conn->smp_chan = smp;
498 conn->hcon->smp_conn = conn;
384 499
385 hci_conn_hold(conn->hcon); 500 hci_conn_hold(conn->hcon);
386 501
@@ -398,18 +513,64 @@ void smp_chan_destroy(struct l2cap_conn *conn)
398 513
399 kfree(smp); 514 kfree(smp);
400 conn->smp_chan = NULL; 515 conn->smp_chan = NULL;
516 conn->hcon->smp_conn = NULL;
401 hci_conn_put(conn->hcon); 517 hci_conn_put(conn->hcon);
402} 518}
403 519
520int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
521{
522 struct l2cap_conn *conn = hcon->smp_conn;
523 struct smp_chan *smp;
524 u32 value;
525 u8 key[16];
526
527 BT_DBG("");
528
529 if (!conn)
530 return -ENOTCONN;
531
532 smp = conn->smp_chan;
533
534 switch (mgmt_op) {
535 case MGMT_OP_USER_PASSKEY_REPLY:
536 value = le32_to_cpu(passkey);
537 memset(key, 0, sizeof(key));
538 BT_DBG("PassKey: %d", value);
539 put_unaligned_le32(value, key);
540 swap128(key, smp->tk);
541 /* Fall Through */
542 case MGMT_OP_USER_CONFIRM_REPLY:
543 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
544 break;
545 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
546 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
547 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1);
548 return 0;
549 default:
550 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1);
551 return -EOPNOTSUPP;
552 }
553
554 /* If it is our turn to send Pairing Confirm, do so now */
555 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags))
556 queue_work(hcon->hdev->workqueue, &smp->confirm);
557
558 return 0;
559}
560
404static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 561static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
405{ 562{
406 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 563 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
407 struct smp_chan *smp; 564 struct smp_chan *smp;
408 u8 key_size; 565 u8 key_size;
566 u8 auth = SMP_AUTH_NONE;
409 int ret; 567 int ret;
410 568
411 BT_DBG("conn %p", conn); 569 BT_DBG("conn %p", conn);
412 570
571 if (conn->hcon->link_mode & HCI_LM_MASTER)
572 return SMP_CMD_NOTSUPP;
573
413 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) 574 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend))
414 smp = smp_chan_create(conn); 575 smp = smp_chan_create(conn);
415 576
@@ -419,19 +580,16 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
419 memcpy(&smp->preq[1], req, sizeof(*req)); 580 memcpy(&smp->preq[1], req, sizeof(*req));
420 skb_pull(skb, sizeof(*req)); 581 skb_pull(skb, sizeof(*req));
421 582
422 if (req->oob_flag) 583 /* We didn't start the pairing, so match remote */
423 return SMP_OOB_NOT_AVAIL; 584 if (req->auth_req & SMP_AUTH_BONDING)
585 auth = req->auth_req;
424 586
425 /* We didn't start the pairing, so no requirements */ 587 build_pairing_cmd(conn, req, &rsp, auth);
426 build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE);
427 588
428 key_size = min(req->max_key_size, rsp.max_key_size); 589 key_size = min(req->max_key_size, rsp.max_key_size);
429 if (check_enc_key_size(conn, key_size)) 590 if (check_enc_key_size(conn, key_size))
430 return SMP_ENC_KEY_SIZE; 591 return SMP_ENC_KEY_SIZE;
431 592
432 /* Just works */
433 memset(smp->tk, 0, sizeof(smp->tk));
434
435 ret = smp_rand(smp->prnd); 593 ret = smp_rand(smp->prnd);
436 if (ret) 594 if (ret)
437 return SMP_UNSPECIFIED; 595 return SMP_UNSPECIFIED;
@@ -441,6 +599,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
441 599
442 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 600 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
443 601
602 /* Request setup of TK */
603 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
604 if (ret)
605 return SMP_UNSPECIFIED;
606
444 return 0; 607 return 0;
445} 608}
446 609
@@ -449,11 +612,14 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
449 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 612 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
450 struct smp_chan *smp = conn->smp_chan; 613 struct smp_chan *smp = conn->smp_chan;
451 struct hci_dev *hdev = conn->hcon->hdev; 614 struct hci_dev *hdev = conn->hcon->hdev;
452 u8 key_size; 615 u8 key_size, auth = SMP_AUTH_NONE;
453 int ret; 616 int ret;
454 617
455 BT_DBG("conn %p", conn); 618 BT_DBG("conn %p", conn);
456 619
620 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
621 return SMP_CMD_NOTSUPP;
622
457 skb_pull(skb, sizeof(*rsp)); 623 skb_pull(skb, sizeof(*rsp));
458 624
459 req = (void *) &smp->preq[1]; 625 req = (void *) &smp->preq[1];
@@ -462,12 +628,6 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
462 if (check_enc_key_size(conn, key_size)) 628 if (check_enc_key_size(conn, key_size))
463 return SMP_ENC_KEY_SIZE; 629 return SMP_ENC_KEY_SIZE;
464 630
465 if (rsp->oob_flag)
466 return SMP_OOB_NOT_AVAIL;
467
468 /* Just works */
469 memset(smp->tk, 0, sizeof(smp->tk));
470
471 ret = smp_rand(smp->prnd); 631 ret = smp_rand(smp->prnd);
472 if (ret) 632 if (ret)
473 return SMP_UNSPECIFIED; 633 return SMP_UNSPECIFIED;
@@ -475,6 +635,22 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
475 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 635 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
476 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 636 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
477 637
638 if ((req->auth_req & SMP_AUTH_BONDING) &&
639 (rsp->auth_req & SMP_AUTH_BONDING))
640 auth = SMP_AUTH_BONDING;
641
642 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
643
644 ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability);
645 if (ret)
646 return SMP_UNSPECIFIED;
647
648 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
649
650 /* Can't compose response until we have been confirmed */
651 if (!test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
652 return 0;
653
478 queue_work(hdev->workqueue, &smp->confirm); 654 queue_work(hdev->workqueue, &smp->confirm);
479 655
480 return 0; 656 return 0;
@@ -496,8 +672,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
496 swap128(smp->prnd, random); 672 swap128(smp->prnd, random);
497 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random), 673 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
498 random); 674 random);
499 } else { 675 } else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) {
500 queue_work(hdev->workqueue, &smp->confirm); 676 queue_work(hdev->workqueue, &smp->confirm);
677 } else {
678 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
501 } 679 }
502 680
503 return 0; 681 return 0;
@@ -550,7 +728,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
550 728
551 BT_DBG("conn %p", conn); 729 BT_DBG("conn %p", conn);
552 730
553 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 731 hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
554 732
555 if (smp_ltk_encrypt(conn)) 733 if (smp_ltk_encrypt(conn))
556 return 0; 734 return 0;
@@ -577,6 +755,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
577{ 755{
578 struct hci_conn *hcon = conn->hcon; 756 struct hci_conn *hcon = conn->hcon;
579 struct smp_chan *smp = conn->smp_chan; 757 struct smp_chan *smp = conn->smp_chan;
758 __u8 authreq;
580 759
581 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 760 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
582 761
@@ -597,18 +776,22 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
597 return 0; 776 return 0;
598 777
599 smp = smp_chan_create(conn); 778 smp = smp_chan_create(conn);
779 if (!smp)
780 return 1;
781
782 authreq = seclevel_to_authreq(sec_level);
600 783
601 if (hcon->link_mode & HCI_LM_MASTER) { 784 if (hcon->link_mode & HCI_LM_MASTER) {
602 struct smp_cmd_pairing cp; 785 struct smp_cmd_pairing cp;
603 786
604 build_pairing_cmd(conn, &cp, NULL, SMP_AUTH_NONE); 787 build_pairing_cmd(conn, &cp, NULL, authreq);
605 smp->preq[0] = SMP_CMD_PAIRING_REQ; 788 smp->preq[0] = SMP_CMD_PAIRING_REQ;
606 memcpy(&smp->preq[1], &cp, sizeof(cp)); 789 memcpy(&smp->preq[1], &cp, sizeof(cp));
607 790
608 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 791 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
609 } else { 792 } else {
610 struct smp_cmd_security_req cp; 793 struct smp_cmd_security_req cp;
611 cp.auth_req = SMP_AUTH_NONE; 794 cp.auth_req = authreq;
612 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 795 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
613 } 796 }
614 797
@@ -637,7 +820,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
637 820
638 skb_pull(skb, sizeof(*rp)); 821 skb_pull(skb, sizeof(*rp));
639 822
640 hci_add_ltk(conn->hcon->hdev, 1, conn->src, smp->smp_key_size, 823 hci_add_ltk(conn->hcon->hdev, 1, conn->dst, smp->smp_key_size,
641 rp->ediv, rp->rand, smp->tk); 824 rp->ediv, rp->rand, smp->tk);
642 825
643 smp_distribute_keys(conn, 1); 826 smp_distribute_keys(conn, 1);
@@ -800,7 +983,7 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
800 983
801 if (conn->hcon->out || force) { 984 if (conn->hcon->out || force) {
802 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend); 985 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend);
803 del_timer(&conn->security_timer); 986 cancel_delayed_work_sync(&conn->security_timer);
804 smp_chan_destroy(conn); 987 smp_chan_destroy(conn);
805 } 988 }
806 989