Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem

author: John W. Linville <linville@tuxdriver.com> 2014-06-18 14:39:25 -0400
committer: John W. Linville <linville@tuxdriver.com> 2014-06-18 14:39:25 -0400
commit: 2ee3f63d39dbebd94b4a77df04455617ce12156b (patch)
tree: 55a96da26db65b0649fb4203512f9a10b7a3f4e1 /net
parent: 62a02c98ce03bb214009509a4802b7b63f59621c (diff)
parent: 616a8394b5df8c88f4dd416f4527439a4e365034 (diff)
6 files changed, 85 insertions, 65 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 8671bc79a35b..ca01d1861854 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -610,11 +610,6 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
        if (hci_update_random_address(req, false, &own_addr_type))
                return;
-        /* Save the address type used for this connnection attempt so we able
-         * to retrieve this information if we need it.
-         */
-        conn->src_type = own_addr_type;
        cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
        cp.scan_window = cpu_to_le16(hdev->le_scan_window);
        bacpy(&cp.peer_addr, &conn->dst);
@@ -894,7 +889,7 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
                /* If we're already encrypted set the REAUTH_PEND flag,
                 * otherwise set the ENCRYPT_PEND.
                 */
-                if (conn->key_type != 0xff)
+                if (conn->link_mode & HCI_LM_ENCRYPT)
                        set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
                else
                        set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 21e5913d12e0..640c54ec1bd2 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -48,6 +48,10 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
        smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
        wake_up_bit(&hdev->flags, HCI_INQUIRY);
+        hci_dev_lock(hdev);
+        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+        hci_dev_unlock(hdev);
        hci_conn_check_pending(hdev);
 }
@@ -3537,7 +3541,11 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
                        cp.authentication = conn->auth_type;
                        /* Request MITM protection if our IO caps allow it
-                         * except for the no-bonding case
+                         * except for the no-bonding case.
+                         * conn->auth_type is not updated here since
+                         * that might cause the user confirmation to be
+                         * rejected in case the remote doesn't have the
+                         * IO capabilities for MITM.
                         */
                        if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
                            cp.authentication != HCI_AT_NO_BONDING)
@@ -3628,8 +3636,11 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
                /* If we're not the initiators request authorization to
                 * proceed from user space (mgmt_user_confirm with
-                 * confirm_hint set to 1). */
+                 * confirm_hint set to 1). The exception is if neither
-                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
+                 * side had MITM in which case we do auto-accept.
+                 */
+                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
+                    (loc_mitm || rem_mitm)) {
                        BT_DBG("Confirming auto-accept as acceptor");
                        confirm_hint = 1;
                        goto confirm;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 6eabbe05fe54..323f23cd2c37 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1663,7 +1663,13 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        kfree_skb(conn->rx_skb);
        skb_queue_purge(&conn->pending_rx);
-        flush_work(&conn->pending_rx_work);
+        /* We can not call flush_work(&conn->pending_rx_work) here since we
+         * might block if we are running on a worker from the same workqueue
+         * pending_rx_work is waiting on.
+         */
+        if (work_pending(&conn->pending_rx_work))
+                cancel_work_sync(&conn->pending_rx_work);
        l2cap_unregister_all_users(conn);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ade3fb4c23bc..e1378693cc90 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -787,11 +787,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
                /*change security for LE channels */
                if (chan->scid == L2CAP_CID_ATT) {
-                        if (!conn->hcon->out) {
-                                err = -EINVAL;
-                                break;
-                        }
                        if (smp_conn_security(conn->hcon, sec.level))
                                break;
                        sk->sk_state = BT_CONFIG;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 0fce54412ffd..af8e0a6243b7 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1047,6 +1047,43 @@ static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
        }
 }
+static void hci_stop_discovery(struct hci_request *req)
+{
+        struct hci_dev *hdev = req->hdev;
+        struct hci_cp_remote_name_req_cancel cp;
+        struct inquiry_entry *e;
+        switch (hdev->discovery.state) {
+        case DISCOVERY_FINDING:
+                if (test_bit(HCI_INQUIRY, &hdev->flags)) {
+                        hci_req_add(req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
+                } else {
+                        cancel_delayed_work(&hdev->le_scan_disable);
+                        hci_req_add_le_scan_disable(req);
+                }
+                break;
+        case DISCOVERY_RESOLVING:
+                e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
+                                                     NAME_PENDING);
+                if (!e)
+                        return;
+                bacpy(&cp.bdaddr, &e->data.bdaddr);
+                hci_req_add(req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
+                            &cp);
+                break;
+        default:
+                /* Passive scanning */
+                if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
+                        hci_req_add_le_scan_disable(req);
+                break;
+        }
+}
 static int clean_up_hci_state(struct hci_dev *hdev)
 {
        struct hci_request req;
@@ -1063,9 +1100,7 @@ static int clean_up_hci_state(struct hci_dev *hdev)
        if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
                disable_advertising(&req);
-        if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
+        hci_stop_discovery(&req);
-                hci_req_add_le_scan_disable(&req);
-        }
        list_for_each_entry(conn, &hdev->conn_hash.list, list) {
                struct hci_cp_disconnect dc;
@@ -2996,8 +3031,13 @@ static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
        }
        if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
-                /* Continue with pairing via SMP */
+                /* Continue with pairing via SMP. The hdev lock must be
+                 * released as SMP may try to recquire it for crypto
+                 * purposes.
+                 */
+                hci_dev_unlock(hdev);
                err = smp_user_confirm_reply(conn, mgmt_op, passkey);
+                hci_dev_lock(hdev);
                if (!err)
                        err = cmd_complete(sk, hdev->id, mgmt_op,
@@ -3574,8 +3614,6 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
 {
        struct mgmt_cp_stop_discovery *mgmt_cp = data;
        struct pending_cmd *cmd;
-        struct hci_cp_remote_name_req_cancel cp;
-        struct inquiry_entry *e;
        struct hci_request req;
        int err;
@@ -3605,52 +3643,22 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
        hci_req_init(&req, hdev);
-        switch (hdev->discovery.state) {
+        hci_stop_discovery(&req);
-        case DISCOVERY_FINDING:
-                if (test_bit(HCI_INQUIRY, &hdev->flags)) {
-                        hci_req_add(&req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
-                } else {
-                        cancel_delayed_work(&hdev->le_scan_disable);
-                        hci_req_add_le_scan_disable(&req);
-                }
-                break;
-        case DISCOVERY_RESOLVING:
+        err = hci_req_run(&req, stop_discovery_complete);
-                e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
+        if (!err) {
-                                                     NAME_PENDING);
+                hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
-                if (!e) {
-                        mgmt_pending_remove(cmd);
-                        err = cmd_complete(sk, hdev->id,
-                                           MGMT_OP_STOP_DISCOVERY, 0,
-                                           &mgmt_cp->type,
-                                           sizeof(mgmt_cp->type));
-                        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
-                        goto unlock;
-                }
-                bacpy(&cp.bdaddr, &e->data.bdaddr);
-                hci_req_add(&req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
-                            &cp);
-                break;
-        default:
-                BT_DBG("unknown discovery state %u", hdev->discovery.state);
-                mgmt_pending_remove(cmd);
-                err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
-                                   MGMT_STATUS_FAILED, &mgmt_cp->type,
-                                   sizeof(mgmt_cp->type));
                goto unlock;
        }
-        err = hci_req_run(&req, stop_discovery_complete);
+        mgmt_pending_remove(cmd);
-        if (err < 0)
-                mgmt_pending_remove(cmd);
+        /* If no HCI commands were sent we're done */
-        else
+        if (err == -ENODATA) {
-                hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
+                err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY, 0,
+                                   &mgmt_cp->type, sizeof(mgmt_cp->type));
+                hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+        }
 unlock:
        hci_dev_unlock(hdev);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 3d1cc164557d..f2829a7932e2 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -544,7 +544,7 @@ static u8 smp_random(struct smp_chan *smp)
                hci_le_start_enc(hcon, ediv, rand, stk);
                hcon->enc_key_size = smp->enc_key_size;
        } else {
-                u8 stk[16];
+                u8 stk[16], auth;
                __le64 rand = 0;
                __le16 ediv = 0;
@@ -556,8 +556,13 @@ static u8 smp_random(struct smp_chan *smp)
                memset(stk + smp->enc_key_size, 0,
                       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
+                if (hcon->pending_sec_level == BT_SECURITY_HIGH)
+                        auth = 1;
+                else
+                        auth = 0;
                hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
-                            HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
+                            HCI_SMP_STK_SLAVE, auth, stk, smp->enc_key_size,
                            ediv, rand);
        }
author	John W. Linville <linville@tuxdriver.com>	2014-06-18 14:39:25 -0400
committer	John W. Linville <linville@tuxdriver.com>	2014-06-18 14:39:25 -0400
commit	2ee3f63d39dbebd94b4a77df04455617ce12156b (patch)
tree	55a96da26db65b0649fb4203512f9a10b7a3f4e1 /net
parent	62a02c98ce03bb214009509a4802b7b63f59621c (diff)
parent	616a8394b5df8c88f4dd416f4527439a4e365034 (diff)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 8671bc79a35b..ca01d1861854 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c
@@ -610,11 +610,6 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
610	if (hci_update_random_address(req, false, &own_addr_type))	610	if (hci_update_random_address(req, false, &own_addr_type))
611	return;	611	return;
612		612
613	/* Save the address type used for this connnection attempt so we able
614	* to retrieve this information if we need it.
615	*/
616	conn->src_type = own_addr_type;
617
618	cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);	613	cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
619	cp.scan_window = cpu_to_le16(hdev->le_scan_window);	614	cp.scan_window = cpu_to_le16(hdev->le_scan_window);
620	bacpy(&cp.peer_addr, &conn->dst);	615	bacpy(&cp.peer_addr, &conn->dst);
@@ -894,7 +889,7 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
894	/* If we're already encrypted set the REAUTH_PEND flag,	889	/* If we're already encrypted set the REAUTH_PEND flag,
895	* otherwise set the ENCRYPT_PEND.	890	* otherwise set the ENCRYPT_PEND.
896	*/	891	*/
897	if (conn->key_type != 0xff)	892	if (conn->link_mode & HCI_LM_ENCRYPT)
898	set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);	893	set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
899	else	894	else
900	set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);	895	set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);


diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 21e5913d12e0..640c54ec1bd2 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -48,6 +48,10 @@ static void hci_cc_inquiry_cancel(struct hci_dev hdev, struct sk_buff skb)
48	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */	48	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
49	wake_up_bit(&hdev->flags, HCI_INQUIRY);	49	wake_up_bit(&hdev->flags, HCI_INQUIRY);
50		50
		51	hci_dev_lock(hdev);
		52	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
		53	hci_dev_unlock(hdev);
		54
51	hci_conn_check_pending(hdev);	55	hci_conn_check_pending(hdev);
52	}	56	}
53		57
@@ -3537,7 +3541,11 @@ static void hci_io_capa_request_evt(struct hci_dev hdev, struct sk_buff skb)
3537	cp.authentication = conn->auth_type;	3541	cp.authentication = conn->auth_type;
3538		3542
3539	/* Request MITM protection if our IO caps allow it	3543	/* Request MITM protection if our IO caps allow it
3540	* except for the no-bonding case	3544	* except for the no-bonding case.
		3545	* conn->auth_type is not updated here since
		3546	* that might cause the user confirmation to be
		3547	* rejected in case the remote doesn't have the
		3548	* IO capabilities for MITM.
3541	*/	3549	*/
3542	if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&	3550	if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3543	cp.authentication != HCI_AT_NO_BONDING)	3551	cp.authentication != HCI_AT_NO_BONDING)
@@ -3628,8 +3636,11 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3628		3636
3629	/* If we're not the initiators request authorization to	3637	/* If we're not the initiators request authorization to
3630	* proceed from user space (mgmt_user_confirm with	3638	* proceed from user space (mgmt_user_confirm with
3631	* confirm_hint set to 1). */	3639	* confirm_hint set to 1). The exception is if neither
3632	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {	3640	* side had MITM in which case we do auto-accept.
		3641	*/
		3642	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
		3643	(loc_mitm \|\| rem_mitm)) {
3633	BT_DBG("Confirming auto-accept as acceptor");	3644	BT_DBG("Confirming auto-accept as acceptor");
3634	confirm_hint = 1;	3645	confirm_hint = 1;
3635	goto confirm;	3646	goto confirm;


diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 6eabbe05fe54..323f23cd2c37 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -1663,7 +1663,13 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1663	kfree_skb(conn->rx_skb);	1663	kfree_skb(conn->rx_skb);
1664		1664
1665	skb_queue_purge(&conn->pending_rx);	1665	skb_queue_purge(&conn->pending_rx);
1666	flush_work(&conn->pending_rx_work);	1666
		1667	/* We can not call flush_work(&conn->pending_rx_work) here since we
		1668	* might block if we are running on a worker from the same workqueue
		1669	* pending_rx_work is waiting on.
		1670	*/
		1671	if (work_pending(&conn->pending_rx_work))
		1672	cancel_work_sync(&conn->pending_rx_work);
1667		1673
1668	l2cap_unregister_all_users(conn);	1674	l2cap_unregister_all_users(conn);
1669		1675


diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index ade3fb4c23bc..e1378693cc90 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -787,11 +787,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
787		787
788	/change security for LE channels /	788	/change security for LE channels /
789	if (chan->scid == L2CAP_CID_ATT) {	789	if (chan->scid == L2CAP_CID_ATT) {
790	if (!conn->hcon->out) {
791	err = -EINVAL;
792	break;
793	}
794
795	if (smp_conn_security(conn->hcon, sec.level))	790	if (smp_conn_security(conn->hcon, sec.level))
796	break;	791	break;
797	sk->sk_state = BT_CONFIG;	792	sk->sk_state = BT_CONFIG;


diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 0fce54412ffd..af8e0a6243b7 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c
@@ -1047,6 +1047,43 @@ static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
1047	}	1047	}
1048	}	1048	}
1049		1049
		1050	static void hci_stop_discovery(struct hci_request *req)
		1051	{
		1052	struct hci_dev *hdev = req->hdev;
		1053	struct hci_cp_remote_name_req_cancel cp;
		1054	struct inquiry_entry *e;
		1055
		1056	switch (hdev->discovery.state) {
		1057	case DISCOVERY_FINDING:
		1058	if (test_bit(HCI_INQUIRY, &hdev->flags)) {
		1059	hci_req_add(req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
		1060	} else {
		1061	cancel_delayed_work(&hdev->le_scan_disable);
		1062	hci_req_add_le_scan_disable(req);
		1063	}
		1064
		1065	break;
		1066
		1067	case DISCOVERY_RESOLVING:
		1068	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
		1069	NAME_PENDING);
		1070	if (!e)
		1071	return;
		1072
		1073	bacpy(&cp.bdaddr, &e->data.bdaddr);
		1074	hci_req_add(req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
		1075	&cp);
		1076
		1077	break;
		1078
		1079	default:
		1080	/* Passive scanning */
		1081	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
		1082	hci_req_add_le_scan_disable(req);
		1083	break;
		1084	}
		1085	}
		1086
1050	static int clean_up_hci_state(struct hci_dev *hdev)	1087	static int clean_up_hci_state(struct hci_dev *hdev)
1051	{	1088	{
1052	struct hci_request req;	1089	struct hci_request req;
@@ -1063,9 +1100,7 @@ static int clean_up_hci_state(struct hci_dev *hdev)
1063	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))	1100	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1064	disable_advertising(&req);	1101	disable_advertising(&req);
1065		1102
1066	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {	1103	hci_stop_discovery(&req);
1067	hci_req_add_le_scan_disable(&req);
1068	}
1069		1104
1070	list_for_each_entry(conn, &hdev->conn_hash.list, list) {	1105	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1071	struct hci_cp_disconnect dc;	1106	struct hci_cp_disconnect dc;
@@ -2996,8 +3031,13 @@ static int user_pairing_resp(struct sock sk, struct hci_dev hdev,
2996	}	3031	}
2997		3032
2998	if (addr->type == BDADDR_LE_PUBLIC \|\| addr->type == BDADDR_LE_RANDOM) {	3033	if (addr->type == BDADDR_LE_PUBLIC \|\| addr->type == BDADDR_LE_RANDOM) {
2999	/* Continue with pairing via SMP */	3034	/* Continue with pairing via SMP. The hdev lock must be
		3035	* released as SMP may try to recquire it for crypto
		3036	* purposes.
		3037	*/
		3038	hci_dev_unlock(hdev);
3000	err = smp_user_confirm_reply(conn, mgmt_op, passkey);	3039	err = smp_user_confirm_reply(conn, mgmt_op, passkey);
		3040	hci_dev_lock(hdev);
3001		3041
3002	if (!err)	3042	if (!err)
3003	err = cmd_complete(sk, hdev->id, mgmt_op,	3043	err = cmd_complete(sk, hdev->id, mgmt_op,
@@ -3574,8 +3614,6 @@ static int stop_discovery(struct sock sk, struct hci_dev hdev, void *data,
3574	{	3614	{
3575	struct mgmt_cp_stop_discovery *mgmt_cp = data;	3615	struct mgmt_cp_stop_discovery *mgmt_cp = data;
3576	struct pending_cmd *cmd;	3616	struct pending_cmd *cmd;
3577	struct hci_cp_remote_name_req_cancel cp;
3578	struct inquiry_entry *e;
3579	struct hci_request req;	3617	struct hci_request req;
3580	int err;	3618	int err;
3581		3619
@@ -3605,52 +3643,22 @@ static int stop_discovery(struct sock sk, struct hci_dev hdev, void *data,
3605		3643
3606	hci_req_init(&req, hdev);	3644	hci_req_init(&req, hdev);
3607		3645
3608	switch (hdev->discovery.state) {	3646	hci_stop_discovery(&req);
3609	case DISCOVERY_FINDING:
3610	if (test_bit(HCI_INQUIRY, &hdev->flags)) {
3611	hci_req_add(&req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
3612	} else {
3613	cancel_delayed_work(&hdev->le_scan_disable);
3614
3615	hci_req_add_le_scan_disable(&req);
3616	}
3617
3618	break;
3619		3647
3620	case DISCOVERY_RESOLVING:	3648	err = hci_req_run(&req, stop_discovery_complete);
3621	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,	3649	if (!err) {
3622	NAME_PENDING);	3650	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
3623	if (!e) {
3624	mgmt_pending_remove(cmd);
3625	err = cmd_complete(sk, hdev->id,
3626	MGMT_OP_STOP_DISCOVERY, 0,
3627	&mgmt_cp->type,
3628	sizeof(mgmt_cp->type));
3629	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3630	goto unlock;
3631	}
3632
3633	bacpy(&cp.bdaddr, &e->data.bdaddr);
3634	hci_req_add(&req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
3635	&cp);
3636
3637	break;
3638
3639	default:
3640	BT_DBG("unknown discovery state %u", hdev->discovery.state);
3641
3642	mgmt_pending_remove(cmd);
3643	err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
3644	MGMT_STATUS_FAILED, &mgmt_cp->type,
3645	sizeof(mgmt_cp->type));
3646	goto unlock;	3651	goto unlock;
3647	}	3652	}
3648		3653
3649	err = hci_req_run(&req, stop_discovery_complete);	3654	mgmt_pending_remove(cmd);
3650	if (err < 0)	3655
3651	mgmt_pending_remove(cmd);	3656	/* If no HCI commands were sent we're done */
3652	else	3657	if (err == -ENODATA) {
3653	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);	3658	err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY, 0,
		3659	&mgmt_cp->type, sizeof(mgmt_cp->type));
		3660	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
		3661	}
3654		3662
3655	unlock:	3663	unlock:
3656	hci_dev_unlock(hdev);	3664	hci_dev_unlock(hdev);


diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 3d1cc164557d..f2829a7932e2 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -544,7 +544,7 @@ static u8 smp_random(struct smp_chan *smp)
544	hci_le_start_enc(hcon, ediv, rand, stk);	544	hci_le_start_enc(hcon, ediv, rand, stk);
545	hcon->enc_key_size = smp->enc_key_size;	545	hcon->enc_key_size = smp->enc_key_size;
546	} else {	546	} else {
547	u8 stk[16];	547	u8 stk[16], auth;
548	__le64 rand = 0;	548	__le64 rand = 0;
549	__le16 ediv = 0;	549	__le16 ediv = 0;
550		550
@@ -556,8 +556,13 @@ static u8 smp_random(struct smp_chan *smp)
556	memset(stk + smp->enc_key_size, 0,	556	memset(stk + smp->enc_key_size, 0,
557	SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);	557	SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
558		558
		559	if (hcon->pending_sec_level == BT_SECURITY_HIGH)
		560	auth = 1;
		561	else
		562	auth = 0;
		563
559	hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,	564	hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
560	HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,	565	HCI_SMP_STK_SLAVE, auth, stk, smp->enc_key_size,
561	ediv, rand);	566	ediv, rand);
562	}	567	}
563		568