aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Documentation/devices.txt1
-rw-r--r--drivers/bluetooth/ath3k.c84
-rw-r--r--drivers/bluetooth/btusb.c58
-rw-r--r--drivers/bluetooth/hci_vhci.c3
-rw-r--r--include/linux/miscdevice.h1
-rw-r--r--include/linux/tty.h6
-rw-r--r--include/net/bluetooth/bluetooth.h1
-rw-r--r--include/net/bluetooth/hci.h49
-rw-r--r--include/net/bluetooth/hci_core.h129
-rw-r--r--include/net/bluetooth/l2cap.h8
-rw-r--r--include/net/bluetooth/mgmt.h41
-rw-r--r--include/net/bluetooth/rfcomm.h10
-rw-r--r--net/bluetooth/a2mp.c8
-rw-r--r--net/bluetooth/af_bluetooth.c2
-rw-r--r--net/bluetooth/hci_conn.c106
-rw-r--r--net/bluetooth/hci_core.c578
-rw-r--r--net/bluetooth/hci_event.c206
-rw-r--r--net/bluetooth/hci_sock.c1
-rw-r--r--net/bluetooth/hci_sysfs.c18
-rw-r--r--net/bluetooth/l2cap_core.c591
-rw-r--r--net/bluetooth/l2cap_sock.c62
-rw-r--r--net/bluetooth/mgmt.c492
-rw-r--r--net/bluetooth/rfcomm/core.c92
-rw-r--r--net/bluetooth/rfcomm/sock.c33
-rw-r--r--net/bluetooth/rfcomm/tty.c262
-rw-r--r--net/bluetooth/smp.c250
-rw-r--r--net/bluetooth/smp.h13
27 files changed, 2282 insertions, 823 deletions
diff --git a/Documentation/devices.txt b/Documentation/devices.txt
index 10378cc48374..04356f5bc3af 100644
--- a/Documentation/devices.txt
+++ b/Documentation/devices.txt
@@ -353,6 +353,7 @@ Your cooperation is appreciated.
353 133 = /dev/exttrp External device trap 353 133 = /dev/exttrp External device trap
354 134 = /dev/apm_bios Advanced Power Management BIOS 354 134 = /dev/apm_bios Advanced Power Management BIOS
355 135 = /dev/rtc Real Time Clock 355 135 = /dev/rtc Real Time Clock
356 137 = /dev/vhci Bluetooth virtual HCI driver
356 139 = /dev/openprom SPARC OpenBoot PROM 357 139 = /dev/openprom SPARC OpenBoot PROM
357 140 = /dev/relay8 Berkshire Products Octal relay card 358 140 = /dev/relay8 Berkshire Products Octal relay card
358 141 = /dev/relay16 Berkshire Products ISO-16 relay card 359 141 = /dev/relay16 Berkshire Products ISO-16 relay card
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 106d1d8e16ad..4f78a9d39dc8 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -62,50 +62,53 @@ static const struct usb_device_id ath3k_table[] = {
62 { USB_DEVICE(0x0CF3, 0x3000) }, 62 { USB_DEVICE(0x0CF3, 0x3000) },
63 63
64 /* Atheros AR3011 with sflash firmware*/ 64 /* Atheros AR3011 with sflash firmware*/
65 { USB_DEVICE(0x0489, 0xE027) },
66 { USB_DEVICE(0x0489, 0xE03D) },
67 { USB_DEVICE(0x0930, 0x0215) },
65 { USB_DEVICE(0x0CF3, 0x3002) }, 68 { USB_DEVICE(0x0CF3, 0x3002) },
66 { USB_DEVICE(0x0CF3, 0xE019) }, 69 { USB_DEVICE(0x0CF3, 0xE019) },
67 { USB_DEVICE(0x13d3, 0x3304) }, 70 { USB_DEVICE(0x13d3, 0x3304) },
68 { USB_DEVICE(0x0930, 0x0215) },
69 { USB_DEVICE(0x0489, 0xE03D) },
70 { USB_DEVICE(0x0489, 0xE027) },
71 71
72 /* Atheros AR9285 Malbec with sflash firmware */ 72 /* Atheros AR9285 Malbec with sflash firmware */
73 { USB_DEVICE(0x03F0, 0x311D) }, 73 { USB_DEVICE(0x03F0, 0x311D) },
74 74
75 /* Atheros AR3012 with sflash firmware*/ 75 /* Atheros AR3012 with sflash firmware*/
76 { USB_DEVICE(0x0CF3, 0x0036) }, 76 { USB_DEVICE(0x0489, 0xe04d) },
77 { USB_DEVICE(0x0CF3, 0x3004) }, 77 { USB_DEVICE(0x0489, 0xe04e) },
78 { USB_DEVICE(0x0CF3, 0x3008) }, 78 { USB_DEVICE(0x0489, 0xe057) },
79 { USB_DEVICE(0x0CF3, 0x311D) }, 79 { USB_DEVICE(0x0489, 0xe056) },
80 { USB_DEVICE(0x0CF3, 0x817a) }, 80 { USB_DEVICE(0x0489, 0xe05f) },
81 { USB_DEVICE(0x13d3, 0x3375) }, 81 { USB_DEVICE(0x04c5, 0x1330) },
82 { USB_DEVICE(0x04CA, 0x3004) }, 82 { USB_DEVICE(0x04CA, 0x3004) },
83 { USB_DEVICE(0x04CA, 0x3005) }, 83 { USB_DEVICE(0x04CA, 0x3005) },
84 { USB_DEVICE(0x04CA, 0x3006) }, 84 { USB_DEVICE(0x04CA, 0x3006) },
85 { USB_DEVICE(0x04CA, 0x3008) }, 85 { USB_DEVICE(0x04CA, 0x3008) },
86 { USB_DEVICE(0x04CA, 0x300b) }, 86 { USB_DEVICE(0x04CA, 0x300b) },
87 { USB_DEVICE(0x13d3, 0x3362) },
88 { USB_DEVICE(0x0CF3, 0xE004) },
89 { USB_DEVICE(0x0CF3, 0xE005) },
90 { USB_DEVICE(0x0930, 0x0219) }, 87 { USB_DEVICE(0x0930, 0x0219) },
91 { USB_DEVICE(0x0930, 0x0220) }, 88 { USB_DEVICE(0x0930, 0x0220) },
92 { USB_DEVICE(0x0489, 0xe057) }, 89 { USB_DEVICE(0x0b05, 0x17d0) },
93 { USB_DEVICE(0x13d3, 0x3393) }, 90 { USB_DEVICE(0x0CF3, 0x0036) },
94 { USB_DEVICE(0x0489, 0xe04e) }, 91 { USB_DEVICE(0x0CF3, 0x3004) },
95 { USB_DEVICE(0x0489, 0xe056) }, 92 { USB_DEVICE(0x0CF3, 0x3008) },
96 { USB_DEVICE(0x0489, 0xe04d) }, 93 { USB_DEVICE(0x0CF3, 0x311D) },
97 { USB_DEVICE(0x04c5, 0x1330) }, 94 { USB_DEVICE(0x0CF3, 0x311E) },
98 { USB_DEVICE(0x13d3, 0x3402) }, 95 { USB_DEVICE(0x0CF3, 0x311F) },
99 { USB_DEVICE(0x0cf3, 0x3121) }, 96 { USB_DEVICE(0x0cf3, 0x3121) },
97 { USB_DEVICE(0x0CF3, 0x817a) },
100 { USB_DEVICE(0x0cf3, 0xe003) }, 98 { USB_DEVICE(0x0cf3, 0xe003) },
101 { USB_DEVICE(0x0489, 0xe05f) }, 99 { USB_DEVICE(0x0CF3, 0xE004) },
100 { USB_DEVICE(0x0CF3, 0xE005) },
101 { USB_DEVICE(0x13d3, 0x3362) },
102 { USB_DEVICE(0x13d3, 0x3375) },
103 { USB_DEVICE(0x13d3, 0x3393) },
104 { USB_DEVICE(0x13d3, 0x3402) },
102 105
103 /* Atheros AR5BBU12 with sflash firmware */ 106 /* Atheros AR5BBU12 with sflash firmware */
104 { USB_DEVICE(0x0489, 0xE02C) }, 107 { USB_DEVICE(0x0489, 0xE02C) },
105 108
106 /* Atheros AR5BBU22 with sflash firmware */ 109 /* Atheros AR5BBU22 with sflash firmware */
107 { USB_DEVICE(0x0489, 0xE03C) },
108 { USB_DEVICE(0x0489, 0xE036) }, 110 { USB_DEVICE(0x0489, 0xE036) },
111 { USB_DEVICE(0x0489, 0xE03C) },
109 112
110 { } /* Terminating entry */ 113 { } /* Terminating entry */
111}; 114};
@@ -118,36 +121,39 @@ MODULE_DEVICE_TABLE(usb, ath3k_table);
118static const struct usb_device_id ath3k_blist_tbl[] = { 121static const struct usb_device_id ath3k_blist_tbl[] = {
119 122
120 /* Atheros AR3012 with sflash firmware*/ 123 /* Atheros AR3012 with sflash firmware*/
121 { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 }, 124 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
122 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 125 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
123 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 126 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
124 { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, 127 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
125 { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, 128 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
126 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 129 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
127 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 130 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
128 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 131 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
129 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 132 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
130 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 133 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
131 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 134 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
132 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
133 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
134 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
135 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 135 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
136 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 136 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
137 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 137 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
138 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 138 { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
139 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 139 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
140 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 140 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
141 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 141 { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
142 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 142 { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 },
143 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 143 { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
144 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 144 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
145 { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
146 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
147 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
145 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 148 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
146 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 149 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
150 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
151 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
152 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
147 153
148 /* Atheros AR5BBU22 with sflash firmware */ 154 /* Atheros AR5BBU22 with sflash firmware */
149 { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
150 { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 }, 155 { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
156 { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
151 157
152 { } /* Terminating entry */ 158 { } /* Terminating entry */
153}; 159};
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index baeaaed299e4..199b9d42489c 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -101,21 +101,24 @@ static const struct usb_device_id btusb_table[] = {
101 { USB_DEVICE(0x0c10, 0x0000) }, 101 { USB_DEVICE(0x0c10, 0x0000) },
102 102
103 /* Broadcom BCM20702A0 */ 103 /* Broadcom BCM20702A0 */
104 { USB_DEVICE(0x0489, 0xe042) },
105 { USB_DEVICE(0x04ca, 0x2003) },
104 { USB_DEVICE(0x0b05, 0x17b5) }, 106 { USB_DEVICE(0x0b05, 0x17b5) },
105 { USB_DEVICE(0x0b05, 0x17cb) }, 107 { USB_DEVICE(0x0b05, 0x17cb) },
106 { USB_DEVICE(0x04ca, 0x2003) },
107 { USB_DEVICE(0x0489, 0xe042) },
108 { USB_DEVICE(0x413c, 0x8197) }, 108 { USB_DEVICE(0x413c, 0x8197) },
109 109
110 /* Foxconn - Hon Hai */ 110 /* Foxconn - Hon Hai */
111 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) }, 111 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
112 112
113 /*Broadcom devices with vendor specific id */ 113 /* Broadcom devices with vendor specific id */
114 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) }, 114 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) },
115 115
116 /* Belkin F8065bf - Broadcom based */ 116 /* Belkin F8065bf - Broadcom based */
117 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, 117 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
118 118
119 /* IMC Networks - Broadcom based */
120 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
121
119 { } /* Terminating entry */ 122 { } /* Terminating entry */
120}; 123};
121 124
@@ -129,55 +132,58 @@ static const struct usb_device_id blacklist_table[] = {
129 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 132 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
130 133
131 /* Atheros 3011 with sflash firmware */ 134 /* Atheros 3011 with sflash firmware */
135 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
136 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
137 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
132 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 138 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
133 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 139 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
134 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 140 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
135 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
136 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
137 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
138 141
139 /* Atheros AR9285 Malbec with sflash firmware */ 142 /* Atheros AR9285 Malbec with sflash firmware */
140 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 143 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
141 144
142 /* Atheros 3012 with sflash firmware */ 145 /* Atheros 3012 with sflash firmware */
143 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 146 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
144 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 147 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
145 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 148 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
146 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 149 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
147 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 150 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
148 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 151 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
149 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 152 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
150 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 153 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
151 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 154 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
152 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 155 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
153 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 156 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
154 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
155 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
156 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
157 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 157 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
158 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 158 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
159 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 159 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
160 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 160 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
161 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 161 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
162 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 162 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
163 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 163 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
164 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 164 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
165 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 165 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
166 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 166 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
167 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
167 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 168 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
168 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 169 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
170 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
171 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
172 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
173 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
174 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
169 175
170 /* Atheros AR5BBU12 with sflash firmware */ 176 /* Atheros AR5BBU12 with sflash firmware */
171 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 177 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
172 178
173 /* Atheros AR5BBU12 with sflash firmware */ 179 /* Atheros AR5BBU12 with sflash firmware */
174 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
175 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 180 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
181 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
176 182
177 /* Broadcom BCM2035 */ 183 /* Broadcom BCM2035 */
178 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
179 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
180 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 184 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
185 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
186 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
181 187
182 /* Broadcom BCM2045 */ 188 /* Broadcom BCM2045 */
183 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 189 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 1ef6990a5c7e..add1c6a72063 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -359,7 +359,7 @@ static const struct file_operations vhci_fops = {
359static struct miscdevice vhci_miscdev= { 359static struct miscdevice vhci_miscdev= {
360 .name = "vhci", 360 .name = "vhci",
361 .fops = &vhci_fops, 361 .fops = &vhci_fops,
362 .minor = MISC_DYNAMIC_MINOR, 362 .minor = VHCI_MINOR,
363}; 363};
364 364
365static int __init vhci_init(void) 365static int __init vhci_init(void)
@@ -385,3 +385,4 @@ MODULE_DESCRIPTION("Bluetooth virtual HCI driver ver " VERSION);
385MODULE_VERSION(VERSION); 385MODULE_VERSION(VERSION);
386MODULE_LICENSE("GPL"); 386MODULE_LICENSE("GPL");
387MODULE_ALIAS("devname:vhci"); 387MODULE_ALIAS("devname:vhci");
388MODULE_ALIAS_MISCDEV(VHCI_MINOR);
diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
index 3737f7218f51..7bb6148d990f 100644
--- a/include/linux/miscdevice.h
+++ b/include/linux/miscdevice.h
@@ -23,6 +23,7 @@
23#define TEMP_MINOR 131 /* Temperature Sensor */ 23#define TEMP_MINOR 131 /* Temperature Sensor */
24#define RTC_MINOR 135 24#define RTC_MINOR 135
25#define EFI_RTC_MINOR 136 /* EFI Time services */ 25#define EFI_RTC_MINOR 136 /* EFI Time services */
26#define VHCI_MINOR 137
26#define SUN_OPENPROM_MINOR 139 27#define SUN_OPENPROM_MINOR 139
27#define DMAPI_MINOR 140 /* DMAPI */ 28#define DMAPI_MINOR 140 /* DMAPI */
28#define NVRAM_MINOR 144 29#define NVRAM_MINOR 144
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 90b4fdc8a61f..4781d7b27dd3 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -518,9 +518,9 @@ extern void tty_port_put(struct tty_port *port);
518 518
519static inline struct tty_port *tty_port_get(struct tty_port *port) 519static inline struct tty_port *tty_port_get(struct tty_port *port)
520{ 520{
521 if (port) 521 if (port && kref_get_unless_zero(&port->kref))
522 kref_get(&port->kref); 522 return port;
523 return port; 523 return NULL;
524} 524}
525 525
526/* If the cts flow control is enabled, return true. */ 526/* If the cts flow control is enabled, return true. */
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index f4f9ee466791..904777c1cd24 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -65,6 +65,7 @@ struct bt_security {
65#define BT_SECURITY_LOW 1 65#define BT_SECURITY_LOW 1
66#define BT_SECURITY_MEDIUM 2 66#define BT_SECURITY_MEDIUM 2
67#define BT_SECURITY_HIGH 3 67#define BT_SECURITY_HIGH 3
68#define BT_SECURITY_FIPS 4
68 69
69#define BT_DEFER_SETUP 7 70#define BT_DEFER_SETUP 7
70 71
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 66c1cd87bfe7..fe4b06bfc150 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -117,11 +117,16 @@ enum {
117 HCI_SERVICE_CACHE, 117 HCI_SERVICE_CACHE,
118 HCI_DEBUG_KEYS, 118 HCI_DEBUG_KEYS,
119 HCI_DUT_MODE, 119 HCI_DUT_MODE,
120 HCI_FORCE_SC,
121 HCI_FORCE_STATIC_ADDR,
120 HCI_UNREGISTER, 122 HCI_UNREGISTER,
121 HCI_USER_CHANNEL, 123 HCI_USER_CHANNEL,
122 124
123 HCI_LE_SCAN, 125 HCI_LE_SCAN,
124 HCI_SSP_ENABLED, 126 HCI_SSP_ENABLED,
127 HCI_SC_ENABLED,
128 HCI_SC_ONLY,
129 HCI_RPA_RESOLVING,
125 HCI_HS_ENABLED, 130 HCI_HS_ENABLED,
126 HCI_LE_ENABLED, 131 HCI_LE_ENABLED,
127 HCI_ADVERTISING, 132 HCI_ADVERTISING,
@@ -282,10 +287,14 @@ enum {
282#define LMP_SYNC_TRAIN 0x04 287#define LMP_SYNC_TRAIN 0x04
283#define LMP_SYNC_SCAN 0x08 288#define LMP_SYNC_SCAN 0x08
284 289
290#define LMP_SC 0x01
291#define LMP_PING 0x02
292
285/* Host features */ 293/* Host features */
286#define LMP_HOST_SSP 0x01 294#define LMP_HOST_SSP 0x01
287#define LMP_HOST_LE 0x02 295#define LMP_HOST_LE 0x02
288#define LMP_HOST_LE_BREDR 0x04 296#define LMP_HOST_LE_BREDR 0x04
297#define LMP_HOST_SC 0x08
289 298
290/* Connection modes */ 299/* Connection modes */
291#define HCI_CM_ACTIVE 0x0000 300#define HCI_CM_ACTIVE 0x0000
@@ -307,6 +316,7 @@ enum {
307#define HCI_LM_TRUSTED 0x0008 316#define HCI_LM_TRUSTED 0x0008
308#define HCI_LM_RELIABLE 0x0010 317#define HCI_LM_RELIABLE 0x0010
309#define HCI_LM_SECURE 0x0020 318#define HCI_LM_SECURE 0x0020
319#define HCI_LM_FIPS 0x0040
310 320
311/* Authentication types */ 321/* Authentication types */
312#define HCI_AT_NO_BONDING 0x00 322#define HCI_AT_NO_BONDING 0x00
@@ -327,15 +337,21 @@ enum {
327#define HCI_LK_LOCAL_UNIT 0x01 337#define HCI_LK_LOCAL_UNIT 0x01
328#define HCI_LK_REMOTE_UNIT 0x02 338#define HCI_LK_REMOTE_UNIT 0x02
329#define HCI_LK_DEBUG_COMBINATION 0x03 339#define HCI_LK_DEBUG_COMBINATION 0x03
330#define HCI_LK_UNAUTH_COMBINATION 0x04 340#define HCI_LK_UNAUTH_COMBINATION_P192 0x04
331#define HCI_LK_AUTH_COMBINATION 0x05 341#define HCI_LK_AUTH_COMBINATION_P192 0x05
332#define HCI_LK_CHANGED_COMBINATION 0x06 342#define HCI_LK_CHANGED_COMBINATION 0x06
343#define HCI_LK_UNAUTH_COMBINATION_P256 0x07
344#define HCI_LK_AUTH_COMBINATION_P256 0x08
333/* The spec doesn't define types for SMP keys, the _MASTER suffix is implied */ 345/* The spec doesn't define types for SMP keys, the _MASTER suffix is implied */
334#define HCI_SMP_STK 0x80 346#define HCI_SMP_STK 0x80
335#define HCI_SMP_STK_SLAVE 0x81 347#define HCI_SMP_STK_SLAVE 0x81
336#define HCI_SMP_LTK 0x82 348#define HCI_SMP_LTK 0x82
337#define HCI_SMP_LTK_SLAVE 0x83 349#define HCI_SMP_LTK_SLAVE 0x83
338 350
351/* Long Term Key types */
352#define HCI_LTK_UNAUTH 0x00
353#define HCI_LTK_AUTH 0x01
354
339/* ---- HCI Error Codes ---- */ 355/* ---- HCI Error Codes ---- */
340#define HCI_ERROR_AUTH_FAILURE 0x05 356#define HCI_ERROR_AUTH_FAILURE 0x05
341#define HCI_ERROR_CONNECTION_TIMEOUT 0x08 357#define HCI_ERROR_CONNECTION_TIMEOUT 0x08
@@ -660,6 +676,15 @@ struct hci_rp_set_csb {
660 676
661#define HCI_OP_START_SYNC_TRAIN 0x0443 677#define HCI_OP_START_SYNC_TRAIN 0x0443
662 678
679#define HCI_OP_REMOTE_OOB_EXT_DATA_REPLY 0x0445
680struct hci_cp_remote_oob_ext_data_reply {
681 bdaddr_t bdaddr;
682 __u8 hash192[16];
683 __u8 randomizer192[16];
684 __u8 hash256[16];
685 __u8 randomizer256[16];
686} __packed;
687
663#define HCI_OP_SNIFF_MODE 0x0803 688#define HCI_OP_SNIFF_MODE 0x0803
664struct hci_cp_sniff_mode { 689struct hci_cp_sniff_mode {
665 __le16 handle; 690 __le16 handle;
@@ -933,6 +958,26 @@ struct hci_rp_write_sync_train_params {
933 __le16 sync_train_int; 958 __le16 sync_train_int;
934} __packed; 959} __packed;
935 960
961#define HCI_OP_READ_SC_SUPPORT 0x0c79
962struct hci_rp_read_sc_support {
963 __u8 status;
964 __u8 support;
965} __packed;
966
967#define HCI_OP_WRITE_SC_SUPPORT 0x0c7a
968struct hci_cp_write_sc_support {
969 __u8 support;
970} __packed;
971
972#define HCI_OP_READ_LOCAL_OOB_EXT_DATA 0x0c7d
973struct hci_rp_read_local_oob_ext_data {
974 __u8 status;
975 __u8 hash192[16];
976 __u8 randomizer192[16];
977 __u8 hash256[16];
978 __u8 randomizer256[16];
979} __packed;
980
936#define HCI_OP_READ_LOCAL_VERSION 0x1001 981#define HCI_OP_READ_LOCAL_VERSION 0x1001
937struct hci_rp_read_local_version { 982struct hci_rp_read_local_version {
938 __u8 status; 983 __u8 status;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index f2f0cf5865c4..c0fcc041fbb5 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -101,7 +101,15 @@ struct smp_ltk {
101 __le16 ediv; 101 __le16 ediv;
102 u8 rand[8]; 102 u8 rand[8];
103 u8 val[16]; 103 u8 val[16];
104} __packed; 104};
105
106struct smp_irk {
107 struct list_head list;
108 bdaddr_t rpa;
109 bdaddr_t bdaddr;
110 u8 addr_type;
111 u8 val[16];
112};
105 113
106struct link_key { 114struct link_key {
107 struct list_head list; 115 struct list_head list;
@@ -114,8 +122,10 @@ struct link_key {
114struct oob_data { 122struct oob_data {
115 struct list_head list; 123 struct list_head list;
116 bdaddr_t bdaddr; 124 bdaddr_t bdaddr;
117 u8 hash[16]; 125 u8 hash192[16];
118 u8 randomizer[16]; 126 u8 randomizer192[16];
127 u8 hash256[16];
128 u8 randomizer256[16];
119}; 129};
120 130
121#define HCI_MAX_SHORT_NAME_LENGTH 10 131#define HCI_MAX_SHORT_NAME_LENGTH 10
@@ -141,6 +151,7 @@ struct hci_dev {
141 __u8 bus; 151 __u8 bus;
142 __u8 dev_type; 152 __u8 dev_type;
143 bdaddr_t bdaddr; 153 bdaddr_t bdaddr;
154 bdaddr_t random_addr;
144 bdaddr_t static_addr; 155 bdaddr_t static_addr;
145 __u8 own_addr_type; 156 __u8 own_addr_type;
146 __u8 dev_name[HCI_MAX_NAME_LENGTH]; 157 __u8 dev_name[HCI_MAX_NAME_LENGTH];
@@ -167,6 +178,7 @@ struct hci_dev {
167 __u16 page_scan_interval; 178 __u16 page_scan_interval;
168 __u16 page_scan_window; 179 __u16 page_scan_window;
169 __u8 page_scan_type; 180 __u8 page_scan_type;
181 __u8 le_adv_channel_map;
170 __u16 le_scan_interval; 182 __u16 le_scan_interval;
171 __u16 le_scan_window; 183 __u16 le_scan_window;
172 __u16 le_conn_min_interval; 184 __u16 le_conn_min_interval;
@@ -257,19 +269,19 @@ struct hci_dev {
257 __u32 req_status; 269 __u32 req_status;
258 __u32 req_result; 270 __u32 req_result;
259 271
260 struct list_head mgmt_pending; 272 struct crypto_blkcipher *tfm_aes;
261 273
262 struct discovery_state discovery; 274 struct discovery_state discovery;
263 struct hci_conn_hash conn_hash; 275 struct hci_conn_hash conn_hash;
264 struct list_head blacklist;
265 276
277 struct list_head mgmt_pending;
278 struct list_head blacklist;
266 struct list_head uuids; 279 struct list_head uuids;
267
268 struct list_head link_keys; 280 struct list_head link_keys;
269
270 struct list_head long_term_keys; 281 struct list_head long_term_keys;
271 282 struct list_head identity_resolving_keys;
272 struct list_head remote_oob_data; 283 struct list_head remote_oob_data;
284 struct list_head le_conn_params;
273 285
274 struct hci_dev_stats stat; 286 struct hci_dev_stats stat;
275 287
@@ -332,6 +344,8 @@ struct hci_conn {
332 __u8 passkey_entered; 344 __u8 passkey_entered;
333 __u16 disc_timeout; 345 __u16 disc_timeout;
334 __u16 setting; 346 __u16 setting;
347 __u16 le_conn_min_interval;
348 __u16 le_conn_max_interval;
335 unsigned long flags; 349 unsigned long flags;
336 350
337 __u8 remote_cap; 351 __u8 remote_cap;
@@ -372,6 +386,16 @@ struct hci_chan {
372 __u8 state; 386 __u8 state;
373}; 387};
374 388
389struct hci_conn_params {
390 struct list_head list;
391
392 bdaddr_t addr;
393 u8 addr_type;
394
395 u16 conn_min_interval;
396 u16 conn_max_interval;
397};
398
375extern struct list_head hci_dev_list; 399extern struct list_head hci_dev_list;
376extern struct list_head hci_cb_list; 400extern struct list_head hci_cb_list;
377extern rwlock_t hci_dev_list_lock; 401extern rwlock_t hci_dev_list_lock;
@@ -446,6 +470,8 @@ enum {
446 HCI_CONN_LE_SMP_PEND, 470 HCI_CONN_LE_SMP_PEND,
447 HCI_CONN_MGMT_CONNECTED, 471 HCI_CONN_MGMT_CONNECTED,
448 HCI_CONN_SSP_ENABLED, 472 HCI_CONN_SSP_ENABLED,
473 HCI_CONN_SC_ENABLED,
474 HCI_CONN_AES_CCM,
449 HCI_CONN_POWER_SAVE, 475 HCI_CONN_POWER_SAVE,
450 HCI_CONN_REMOTE_OOB, 476 HCI_CONN_REMOTE_OOB,
451 HCI_CONN_6LOWPAN, 477 HCI_CONN_6LOWPAN,
@@ -458,6 +484,13 @@ static inline bool hci_conn_ssp_enabled(struct hci_conn *conn)
458 test_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 484 test_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
459} 485}
460 486
487static inline bool hci_conn_sc_enabled(struct hci_conn *conn)
488{
489 struct hci_dev *hdev = conn->hdev;
490 return test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
491 test_bit(HCI_CONN_SC_ENABLED, &conn->flags);
492}
493
461static inline void hci_conn_hash_add(struct hci_dev *hdev, struct hci_conn *c) 494static inline void hci_conn_hash_add(struct hci_dev *hdev, struct hci_conn *c)
462{ 495{
463 struct hci_conn_hash *h = &hdev->conn_hash; 496 struct hci_conn_hash *h = &hdev->conn_hash;
@@ -737,31 +770,50 @@ int hci_inquiry(void __user *arg);
737 770
738struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, 771struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
739 bdaddr_t *bdaddr, u8 type); 772 bdaddr_t *bdaddr, u8 type);
740int hci_blacklist_clear(struct hci_dev *hdev); 773void hci_blacklist_clear(struct hci_dev *hdev);
741int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 774int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
742int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 775int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
743 776
744int hci_uuids_clear(struct hci_dev *hdev); 777struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
778 bdaddr_t *addr, u8 addr_type);
779void hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
780 u16 conn_min_interval, u16 conn_max_interval);
781void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
782void hci_conn_params_clear(struct hci_dev *hdev);
783
784void hci_uuids_clear(struct hci_dev *hdev);
745 785
746int hci_link_keys_clear(struct hci_dev *hdev); 786void hci_link_keys_clear(struct hci_dev *hdev);
747struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr); 787struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
748int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 788int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
749 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len); 789 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len);
750struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8]); 790struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8],
751int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type, 791 bool master);
752 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, 792struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
753 __le16 ediv, u8 rand[8]); 793 u8 addr_type, u8 type, u8 authenticated,
794 u8 tk[16], u8 enc_size, __le16 ediv, u8 rand[8]);
754struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr, 795struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
755 u8 addr_type); 796 u8 addr_type, bool master);
756int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr); 797int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type);
757int hci_smp_ltks_clear(struct hci_dev *hdev); 798void hci_smp_ltks_clear(struct hci_dev *hdev);
758int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr); 799int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
759 800
760int hci_remote_oob_data_clear(struct hci_dev *hdev); 801struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa);
802struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
803 u8 addr_type);
804struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
805 u8 addr_type, u8 val[16], bdaddr_t *rpa);
806void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type);
807void hci_smp_irks_clear(struct hci_dev *hdev);
808
809void hci_remote_oob_data_clear(struct hci_dev *hdev);
761struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 810struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
762 bdaddr_t *bdaddr); 811 bdaddr_t *bdaddr);
763int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash, 812int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
764 u8 *randomizer); 813 u8 *hash, u8 *randomizer);
814int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
815 u8 *hash192, u8 *randomizer192,
816 u8 *hash256, u8 *randomizer256);
765int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr); 817int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr);
766 818
767void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb); 819void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb);
@@ -803,9 +855,12 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
803#define lmp_csb_slave_capable(dev) ((dev)->features[2][0] & LMP_CSB_SLAVE) 855#define lmp_csb_slave_capable(dev) ((dev)->features[2][0] & LMP_CSB_SLAVE)
804#define lmp_sync_train_capable(dev) ((dev)->features[2][0] & LMP_SYNC_TRAIN) 856#define lmp_sync_train_capable(dev) ((dev)->features[2][0] & LMP_SYNC_TRAIN)
805#define lmp_sync_scan_capable(dev) ((dev)->features[2][0] & LMP_SYNC_SCAN) 857#define lmp_sync_scan_capable(dev) ((dev)->features[2][0] & LMP_SYNC_SCAN)
858#define lmp_sc_capable(dev) ((dev)->features[2][1] & LMP_SC)
859#define lmp_ping_capable(dev) ((dev)->features[2][1] & LMP_PING)
806 860
807/* ----- Host capabilities ----- */ 861/* ----- Host capabilities ----- */
808#define lmp_host_ssp_capable(dev) ((dev)->features[1][0] & LMP_HOST_SSP) 862#define lmp_host_ssp_capable(dev) ((dev)->features[1][0] & LMP_HOST_SSP)
863#define lmp_host_sc_capable(dev) ((dev)->features[1][0] & LMP_HOST_SC)
809#define lmp_host_le_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE)) 864#define lmp_host_le_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE))
810#define lmp_host_le_br_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE_BREDR)) 865#define lmp_host_le_br_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE_BREDR))
811 866
@@ -1019,6 +1074,26 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
1019 return false; 1074 return false;
1020} 1075}
1021 1076
1077static inline bool hci_bdaddr_is_rpa(bdaddr_t *bdaddr, u8 addr_type)
1078{
1079 if (addr_type != 0x01)
1080 return false;
1081
1082 if ((bdaddr->b[5] & 0xc0) == 0x40)
1083 return true;
1084
1085 return false;
1086}
1087
1088static inline struct smp_irk *hci_get_irk(struct hci_dev *hdev,
1089 bdaddr_t *bdaddr, u8 addr_type)
1090{
1091 if (!hci_bdaddr_is_rpa(bdaddr, addr_type))
1092 return NULL;
1093
1094 return hci_find_irk_by_rpa(hdev, bdaddr);
1095}
1096
1022int hci_register_cb(struct hci_cb *hcb); 1097int hci_register_cb(struct hci_cb *hcb);
1023int hci_unregister_cb(struct hci_cb *hcb); 1098int hci_unregister_cb(struct hci_cb *hcb);
1024 1099
@@ -1122,11 +1197,13 @@ void mgmt_auth_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
1122 u8 addr_type, u8 status); 1197 u8 addr_type, u8 status);
1123void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status); 1198void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status);
1124void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status); 1199void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status);
1200void mgmt_sc_enable_complete(struct hci_dev *hdev, u8 enable, u8 status);
1125void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class, 1201void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
1126 u8 status); 1202 u8 status);
1127void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status); 1203void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status);
1128void mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash, 1204void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
1129 u8 *randomizer, u8 status); 1205 u8 *randomizer192, u8 *hash256,
1206 u8 *randomizer256, u8 status);
1130void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 1207void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
1131 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name, 1208 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name,
1132 u8 ssp, u8 *eir, u16 eir_len); 1209 u8 ssp, u8 *eir, u16 eir_len);
@@ -1135,8 +1212,10 @@ void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
1135void mgmt_discovering(struct hci_dev *hdev, u8 discovering); 1212void mgmt_discovering(struct hci_dev *hdev, u8 discovering);
1136int mgmt_device_blocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 1213int mgmt_device_blocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
1137int mgmt_device_unblocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 1214int mgmt_device_unblocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
1138void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, u8 persistent); 1215void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key);
1216void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk);
1139void mgmt_reenable_advertising(struct hci_dev *hdev); 1217void mgmt_reenable_advertising(struct hci_dev *hdev);
1218void mgmt_smp_complete(struct hci_conn *conn, bool complete);
1140 1219
1141/* HCI info for socket */ 1220/* HCI info for socket */
1142#define hci_pi(sk) ((struct hci_pinfo *) sk) 1221#define hci_pi(sk) ((struct hci_pinfo *) sk)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index dbc4a89984ca..4abdcb220e3a 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -91,6 +91,7 @@ struct l2cap_conninfo {
91#define L2CAP_LM_TRUSTED 0x0008 91#define L2CAP_LM_TRUSTED 0x0008
92#define L2CAP_LM_RELIABLE 0x0010 92#define L2CAP_LM_RELIABLE 0x0010
93#define L2CAP_LM_SECURE 0x0020 93#define L2CAP_LM_SECURE 0x0020
94#define L2CAP_LM_FIPS 0x0040
94 95
95/* L2CAP command codes */ 96/* L2CAP command codes */
96#define L2CAP_COMMAND_REJ 0x01 97#define L2CAP_COMMAND_REJ 0x01
@@ -623,6 +624,9 @@ struct l2cap_conn {
623 __u32 rx_len; 624 __u32 rx_len;
624 __u8 tx_ident; 625 __u8 tx_ident;
625 626
627 struct sk_buff_head pending_rx;
628 struct work_struct pending_rx_work;
629
626 __u8 disc_reason; 630 __u8 disc_reason;
627 631
628 struct delayed_work security_timer; 632 struct delayed_work security_timer;
@@ -647,7 +651,7 @@ struct l2cap_user {
647#define L2CAP_CHAN_RAW 1 651#define L2CAP_CHAN_RAW 1
648#define L2CAP_CHAN_CONN_LESS 2 652#define L2CAP_CHAN_CONN_LESS 2
649#define L2CAP_CHAN_CONN_ORIENTED 3 653#define L2CAP_CHAN_CONN_ORIENTED 3
650#define L2CAP_CHAN_CONN_FIX_A2MP 4 654#define L2CAP_CHAN_FIXED 4
651 655
652/* ----- L2CAP socket info ----- */ 656/* ----- L2CAP socket info ----- */
653#define l2cap_pi(sk) ((struct l2cap_pinfo *) sk) 657#define l2cap_pi(sk) ((struct l2cap_pinfo *) sk)
@@ -853,7 +857,6 @@ static inline long l2cap_chan_no_get_sndtimeo(struct l2cap_chan *chan)
853} 857}
854 858
855extern bool disable_ertm; 859extern bool disable_ertm;
856extern bool enable_lecoc;
857 860
858int l2cap_init_sockets(void); 861int l2cap_init_sockets(void);
859void l2cap_cleanup_sockets(void); 862void l2cap_cleanup_sockets(void);
@@ -878,6 +881,7 @@ int l2cap_ertm_init(struct l2cap_chan *chan);
878void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan); 881void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
879void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan); 882void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
880void l2cap_chan_del(struct l2cap_chan *chan, int err); 883void l2cap_chan_del(struct l2cap_chan *chan, int err);
884void l2cap_conn_update_id_addr(struct hci_conn *hcon);
881void l2cap_send_conn_req(struct l2cap_chan *chan); 885void l2cap_send_conn_req(struct l2cap_chan *chan);
882void l2cap_move_start(struct l2cap_chan *chan); 886void l2cap_move_start(struct l2cap_chan *chan);
883void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan, 887void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 518c5c84e39a..2e46251e8aec 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -94,6 +94,8 @@ struct mgmt_rp_read_index_list {
94#define MGMT_SETTING_HS 0x00000100 94#define MGMT_SETTING_HS 0x00000100
95#define MGMT_SETTING_LE 0x00000200 95#define MGMT_SETTING_LE 0x00000200
96#define MGMT_SETTING_ADVERTISING 0x00000400 96#define MGMT_SETTING_ADVERTISING 0x00000400
97#define MGMT_SETTING_SECURE_CONN 0x00000800
98#define MGMT_SETTING_DEBUG_KEYS 0x00001000
97 99
98#define MGMT_OP_READ_INFO 0x0004 100#define MGMT_OP_READ_INFO 0x0004
99#define MGMT_READ_INFO_SIZE 0 101#define MGMT_READ_INFO_SIZE 0
@@ -180,7 +182,7 @@ struct mgmt_cp_load_link_keys {
180 182
181struct mgmt_ltk_info { 183struct mgmt_ltk_info {
182 struct mgmt_addr_info addr; 184 struct mgmt_addr_info addr;
183 __u8 authenticated; 185 __u8 type;
184 __u8 master; 186 __u8 master;
185 __u8 enc_size; 187 __u8 enc_size;
186 __le16 ediv; 188 __le16 ediv;
@@ -294,6 +296,12 @@ struct mgmt_rp_read_local_oob_data {
294 __u8 hash[16]; 296 __u8 hash[16];
295 __u8 randomizer[16]; 297 __u8 randomizer[16];
296} __packed; 298} __packed;
299struct mgmt_rp_read_local_oob_ext_data {
300 __u8 hash192[16];
301 __u8 randomizer192[16];
302 __u8 hash256[16];
303 __u8 randomizer256[16];
304} __packed;
297 305
298#define MGMT_OP_ADD_REMOTE_OOB_DATA 0x0021 306#define MGMT_OP_ADD_REMOTE_OOB_DATA 0x0021
299struct mgmt_cp_add_remote_oob_data { 307struct mgmt_cp_add_remote_oob_data {
@@ -302,6 +310,14 @@ struct mgmt_cp_add_remote_oob_data {
302 __u8 randomizer[16]; 310 __u8 randomizer[16];
303} __packed; 311} __packed;
304#define MGMT_ADD_REMOTE_OOB_DATA_SIZE (MGMT_ADDR_INFO_SIZE + 32) 312#define MGMT_ADD_REMOTE_OOB_DATA_SIZE (MGMT_ADDR_INFO_SIZE + 32)
313struct mgmt_cp_add_remote_oob_ext_data {
314 struct mgmt_addr_info addr;
315 __u8 hash192[16];
316 __u8 randomizer192[16];
317 __u8 hash256[16];
318 __u8 randomizer256[16];
319} __packed;
320#define MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE (MGMT_ADDR_INFO_SIZE + 64)
305 321
306#define MGMT_OP_REMOVE_REMOTE_OOB_DATA 0x0022 322#define MGMT_OP_REMOVE_REMOTE_OOB_DATA 0x0022
307struct mgmt_cp_remove_remote_oob_data { 323struct mgmt_cp_remove_remote_oob_data {
@@ -369,6 +385,22 @@ struct mgmt_cp_set_scan_params {
369} __packed; 385} __packed;
370#define MGMT_SET_SCAN_PARAMS_SIZE 4 386#define MGMT_SET_SCAN_PARAMS_SIZE 4
371 387
388#define MGMT_OP_SET_SECURE_CONN 0x002D
389
390#define MGMT_OP_SET_DEBUG_KEYS 0x002E
391
392struct mgmt_irk_info {
393 struct mgmt_addr_info addr;
394 __u8 val[16];
395} __packed;
396
397#define MGMT_OP_LOAD_IRKS 0x0030
398struct mgmt_cp_load_irks {
399 __le16 irk_count;
400 struct mgmt_irk_info irks[0];
401} __packed;
402#define MGMT_LOAD_IRKS_SIZE 2
403
372#define MGMT_EV_CMD_COMPLETE 0x0001 404#define MGMT_EV_CMD_COMPLETE 0x0001
373struct mgmt_ev_cmd_complete { 405struct mgmt_ev_cmd_complete {
374 __le16 opcode; 406 __le16 opcode;
@@ -504,3 +536,10 @@ struct mgmt_ev_passkey_notify {
504 __le32 passkey; 536 __le32 passkey;
505 __u8 entered; 537 __u8 entered;
506} __packed; 538} __packed;
539
540#define MGMT_EV_NEW_IRK 0x0018
541struct mgmt_ev_new_irk {
542 __u8 store_hint;
543 bdaddr_t rpa;
544 struct mgmt_irk_info irk;
545} __packed;
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 486213a1aed8..2611cc389d7d 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -238,9 +238,11 @@ int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
238 u8 channel); 238 u8 channel);
239int rfcomm_dlc_close(struct rfcomm_dlc *d, int reason); 239int rfcomm_dlc_close(struct rfcomm_dlc *d, int reason);
240int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb); 240int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb);
241void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb);
241int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig); 242int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig);
242int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig); 243int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig);
243void rfcomm_dlc_accept(struct rfcomm_dlc *d); 244void rfcomm_dlc_accept(struct rfcomm_dlc *d);
245struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel);
244 246
245#define rfcomm_dlc_lock(d) spin_lock(&d->lock) 247#define rfcomm_dlc_lock(d) spin_lock(&d->lock)
246#define rfcomm_dlc_unlock(d) spin_unlock(&d->lock) 248#define rfcomm_dlc_unlock(d) spin_unlock(&d->lock)
@@ -295,6 +297,7 @@ struct rfcomm_conninfo {
295#define RFCOMM_LM_TRUSTED 0x0008 297#define RFCOMM_LM_TRUSTED 0x0008
296#define RFCOMM_LM_RELIABLE 0x0010 298#define RFCOMM_LM_RELIABLE 0x0010
297#define RFCOMM_LM_SECURE 0x0020 299#define RFCOMM_LM_SECURE 0x0020
300#define RFCOMM_LM_FIPS 0x0040
298 301
299#define rfcomm_pi(sk) ((struct rfcomm_pinfo *) sk) 302#define rfcomm_pi(sk) ((struct rfcomm_pinfo *) sk)
300 303
@@ -323,11 +326,16 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel,
323#define RFCOMMGETDEVINFO _IOR('R', 211, int) 326#define RFCOMMGETDEVINFO _IOR('R', 211, int)
324#define RFCOMMSTEALDLC _IOW('R', 220, int) 327#define RFCOMMSTEALDLC _IOW('R', 220, int)
325 328
329/* rfcomm_dev.flags bit definitions */
326#define RFCOMM_REUSE_DLC 0 330#define RFCOMM_REUSE_DLC 0
327#define RFCOMM_RELEASE_ONHUP 1 331#define RFCOMM_RELEASE_ONHUP 1
328#define RFCOMM_HANGUP_NOW 2 332#define RFCOMM_HANGUP_NOW 2
329#define RFCOMM_TTY_ATTACHED 3 333#define RFCOMM_TTY_ATTACHED 3
330#define RFCOMM_TTY_RELEASED 4 334#define RFCOMM_DEFUNCT_BIT4 4 /* don't reuse this bit - userspace visible */
335
336/* rfcomm_dev.status bit definitions */
337#define RFCOMM_DEV_RELEASED 0
338#define RFCOMM_TTY_OWNED 1
331 339
332struct rfcomm_dev_req { 340struct rfcomm_dev_req {
333 s16 dev_id; 341 s16 dev_id;
diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index efcd108822c4..f986b9968bdb 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -235,7 +235,7 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
235 BT_DBG("chan %p state %s", chan, 235 BT_DBG("chan %p state %s", chan,
236 state_to_string(chan->state)); 236 state_to_string(chan->state));
237 237
238 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) 238 if (chan->scid == L2CAP_CID_A2MP)
239 continue; 239 continue;
240 240
241 l2cap_chan_lock(chan); 241 l2cap_chan_lock(chan);
@@ -726,7 +726,11 @@ static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn, bool locked)
726 726
727 BT_DBG("chan %p", chan); 727 BT_DBG("chan %p", chan);
728 728
729 chan->chan_type = L2CAP_CHAN_CONN_FIX_A2MP; 729 chan->chan_type = L2CAP_CHAN_FIXED;
730 chan->scid = L2CAP_CID_A2MP;
731 chan->dcid = L2CAP_CID_A2MP;
732 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
733 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
730 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 734 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
731 735
732 chan->ops = &a2mp_chan_ops; 736 chan->ops = &a2mp_chan_ops;
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 0c5866bb49b6..2021c481cdb6 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -31,7 +31,7 @@
31#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/bluetooth.h>
32#include <linux/proc_fs.h> 32#include <linux/proc_fs.h>
33 33
34#define VERSION "2.18" 34#define VERSION "2.19"
35 35
36/* Bluetooth sockets */ 36/* Bluetooth sockets */
37#define BT_MAX_PROTO 8 37#define BT_MAX_PROTO 8
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ba5366c320da..bd66c52eff95 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -225,8 +225,8 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
225 cp.conn_interval_max = cpu_to_le16(max); 225 cp.conn_interval_max = cpu_to_le16(max);
226 cp.conn_latency = cpu_to_le16(latency); 226 cp.conn_latency = cpu_to_le16(latency);
227 cp.supervision_timeout = cpu_to_le16(to_multiplier); 227 cp.supervision_timeout = cpu_to_le16(to_multiplier);
228 cp.min_ce_len = __constant_cpu_to_le16(0x0001); 228 cp.min_ce_len = __constant_cpu_to_le16(0x0000);
229 cp.max_ce_len = __constant_cpu_to_le16(0x0001); 229 cp.max_ce_len = __constant_cpu_to_le16(0x0000);
230 230
231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
232} 232}
@@ -514,6 +514,21 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
514} 514}
515EXPORT_SYMBOL(hci_get_route); 515EXPORT_SYMBOL(hci_get_route);
516 516
517/* This function requires the caller holds hdev->lock */
518static void le_conn_failed(struct hci_conn *conn, u8 status)
519{
520 struct hci_dev *hdev = conn->hdev;
521
522 conn->state = BT_CLOSED;
523
524 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
525 status);
526
527 hci_proto_connect_cfm(conn, status);
528
529 hci_conn_del(conn);
530}
531
517static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 532static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
518{ 533{
519 struct hci_conn *conn; 534 struct hci_conn *conn;
@@ -530,14 +545,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
530 if (!conn) 545 if (!conn)
531 goto done; 546 goto done;
532 547
533 conn->state = BT_CLOSED; 548 le_conn_failed(conn, status);
534
535 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
536 status);
537
538 hci_proto_connect_cfm(conn, status);
539
540 hci_conn_del(conn);
541 549
542done: 550done:
543 hci_dev_unlock(hdev); 551 hci_dev_unlock(hdev);
@@ -558,8 +566,8 @@ static int hci_create_le_conn(struct hci_conn *conn)
558 bacpy(&cp.peer_addr, &conn->dst); 566 bacpy(&cp.peer_addr, &conn->dst);
559 cp.peer_addr_type = conn->dst_type; 567 cp.peer_addr_type = conn->dst_type;
560 cp.own_address_type = conn->src_type; 568 cp.own_address_type = conn->src_type;
561 cp.conn_interval_min = cpu_to_le16(hdev->le_conn_min_interval); 569 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
562 cp.conn_interval_max = cpu_to_le16(hdev->le_conn_max_interval); 570 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
563 cp.supervision_timeout = __constant_cpu_to_le16(0x002a); 571 cp.supervision_timeout = __constant_cpu_to_le16(0x002a);
564 cp.min_ce_len = __constant_cpu_to_le16(0x0000); 572 cp.min_ce_len = __constant_cpu_to_le16(0x0000);
565 cp.max_ce_len = __constant_cpu_to_le16(0x0000); 573 cp.max_ce_len = __constant_cpu_to_le16(0x0000);
@@ -578,7 +586,9 @@ static int hci_create_le_conn(struct hci_conn *conn)
578static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 586static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
579 u8 dst_type, u8 sec_level, u8 auth_type) 587 u8 dst_type, u8 sec_level, u8 auth_type)
580{ 588{
589 struct hci_conn_params *params;
581 struct hci_conn *conn; 590 struct hci_conn *conn;
591 struct smp_irk *irk;
582 int err; 592 int err;
583 593
584 if (test_bit(HCI_ADVERTISING, &hdev->flags)) 594 if (test_bit(HCI_ADVERTISING, &hdev->flags))
@@ -607,15 +617,36 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
607 if (conn) 617 if (conn)
608 return ERR_PTR(-EBUSY); 618 return ERR_PTR(-EBUSY);
609 619
620 /* Convert from L2CAP channel address type to HCI address type */
621 if (dst_type == BDADDR_LE_PUBLIC)
622 dst_type = ADDR_LE_DEV_PUBLIC;
623 else
624 dst_type = ADDR_LE_DEV_RANDOM;
625
626 /* When given an identity address with existing identity
627 * resolving key, the connection needs to be established
628 * to a resolvable random address.
629 *
630 * This uses the cached random resolvable address from
631 * a previous scan. When no cached address is available,
632 * try connecting to the identity address instead.
633 *
634 * Storing the resolvable random address is required here
635 * to handle connection failures. The address will later
636 * be resolved back into the original identity address
637 * from the connect request.
638 */
639 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
640 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
641 dst = &irk->rpa;
642 dst_type = ADDR_LE_DEV_RANDOM;
643 }
644
610 conn = hci_conn_add(hdev, LE_LINK, dst); 645 conn = hci_conn_add(hdev, LE_LINK, dst);
611 if (!conn) 646 if (!conn)
612 return ERR_PTR(-ENOMEM); 647 return ERR_PTR(-ENOMEM);
613 648
614 if (dst_type == BDADDR_LE_PUBLIC) 649 conn->dst_type = dst_type;
615 conn->dst_type = ADDR_LE_DEV_PUBLIC;
616 else
617 conn->dst_type = ADDR_LE_DEV_RANDOM;
618
619 conn->src_type = hdev->own_addr_type; 650 conn->src_type = hdev->own_addr_type;
620 651
621 conn->state = BT_CONNECT; 652 conn->state = BT_CONNECT;
@@ -625,6 +656,15 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
625 conn->pending_sec_level = sec_level; 656 conn->pending_sec_level = sec_level;
626 conn->auth_type = auth_type; 657 conn->auth_type = auth_type;
627 658
659 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
660 if (params) {
661 conn->le_conn_min_interval = params->conn_min_interval;
662 conn->le_conn_max_interval = params->conn_max_interval;
663 } else {
664 conn->le_conn_min_interval = hdev->le_conn_min_interval;
665 conn->le_conn_max_interval = hdev->le_conn_max_interval;
666 }
667
628 err = hci_create_le_conn(conn); 668 err = hci_create_le_conn(conn);
629 if (err) 669 if (err)
630 return ERR_PTR(err); 670 return ERR_PTR(err);
@@ -800,14 +840,23 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
800 if (!(conn->link_mode & HCI_LM_AUTH)) 840 if (!(conn->link_mode & HCI_LM_AUTH))
801 goto auth; 841 goto auth;
802 842
803 /* An authenticated combination key has sufficient security for any 843 /* An authenticated FIPS approved combination key has sufficient
804 security level. */ 844 * security for security level 4. */
805 if (conn->key_type == HCI_LK_AUTH_COMBINATION) 845 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
846 sec_level == BT_SECURITY_FIPS)
847 goto encrypt;
848
849 /* An authenticated combination key has sufficient security for
850 security level 3. */
851 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
852 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
853 sec_level == BT_SECURITY_HIGH)
806 goto encrypt; 854 goto encrypt;
807 855
808 /* An unauthenticated combination key has sufficient security for 856 /* An unauthenticated combination key has sufficient security for
809 security level 1 and 2. */ 857 security level 1 and 2. */
810 if (conn->key_type == HCI_LK_UNAUTH_COMBINATION && 858 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
859 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
811 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 860 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
812 goto encrypt; 861 goto encrypt;
813 862
@@ -816,7 +865,8 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
816 is generated using maximum PIN code length (16). 865 is generated using maximum PIN code length (16).
817 For pre 2.1 units. */ 866 For pre 2.1 units. */
818 if (conn->key_type == HCI_LK_COMBINATION && 867 if (conn->key_type == HCI_LK_COMBINATION &&
819 (sec_level != BT_SECURITY_HIGH || conn->pin_length == 16)) 868 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
869 conn->pin_length == 16))
820 goto encrypt; 870 goto encrypt;
821 871
822auth: 872auth:
@@ -840,13 +890,17 @@ int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
840{ 890{
841 BT_DBG("hcon %p", conn); 891 BT_DBG("hcon %p", conn);
842 892
843 if (sec_level != BT_SECURITY_HIGH) 893 /* Accept if non-secure or higher security level is required */
844 return 1; /* Accept if non-secure is required */ 894 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
895 return 1;
845 896
846 if (conn->sec_level == BT_SECURITY_HIGH) 897 /* Accept if secure or higher security level is already present */
898 if (conn->sec_level == BT_SECURITY_HIGH ||
899 conn->sec_level == BT_SECURITY_FIPS)
847 return 1; 900 return 1;
848 901
849 return 0; /* Reject not secure link */ 902 /* Reject not secure link */
903 return 0;
850} 904}
851EXPORT_SYMBOL(hci_conn_check_secure); 905EXPORT_SYMBOL(hci_conn_check_secure);
852 906
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5e8663c194c1..964aa8deb009 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,11 +29,14 @@
29#include <linux/idr.h> 29#include <linux/idr.h>
30#include <linux/rfkill.h> 30#include <linux/rfkill.h>
31#include <linux/debugfs.h> 31#include <linux/debugfs.h>
32#include <linux/crypto.h>
32#include <asm/unaligned.h> 33#include <asm/unaligned.h>
33 34
34#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/hci_core.h>
36 37
38#include "smp.h"
39
37static void hci_rx_work(struct work_struct *work); 40static void hci_rx_work(struct work_struct *work);
38static void hci_cmd_work(struct work_struct *work); 41static void hci_cmd_work(struct work_struct *work);
39static void hci_tx_work(struct work_struct *work); 42static void hci_tx_work(struct work_struct *work);
@@ -285,24 +288,6 @@ static const struct file_operations link_keys_fops = {
285 .release = single_release, 288 .release = single_release,
286}; 289};
287 290
288static ssize_t use_debug_keys_read(struct file *file, char __user *user_buf,
289 size_t count, loff_t *ppos)
290{
291 struct hci_dev *hdev = file->private_data;
292 char buf[3];
293
294 buf[0] = test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) ? 'Y': 'N';
295 buf[1] = '\n';
296 buf[2] = '\0';
297 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
298}
299
300static const struct file_operations use_debug_keys_fops = {
301 .open = simple_open,
302 .read = use_debug_keys_read,
303 .llseek = default_llseek,
304};
305
306static int dev_class_show(struct seq_file *f, void *ptr) 291static int dev_class_show(struct seq_file *f, void *ptr)
307{ 292{
308 struct hci_dev *hdev = f->private; 293 struct hci_dev *hdev = f->private;
@@ -415,6 +400,70 @@ static int ssp_debug_mode_get(void *data, u64 *val)
415DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get, 400DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get,
416 ssp_debug_mode_set, "%llu\n"); 401 ssp_debug_mode_set, "%llu\n");
417 402
403static ssize_t force_sc_support_read(struct file *file, char __user *user_buf,
404 size_t count, loff_t *ppos)
405{
406 struct hci_dev *hdev = file->private_data;
407 char buf[3];
408
409 buf[0] = test_bit(HCI_FORCE_SC, &hdev->dev_flags) ? 'Y': 'N';
410 buf[1] = '\n';
411 buf[2] = '\0';
412 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
413}
414
415static ssize_t force_sc_support_write(struct file *file,
416 const char __user *user_buf,
417 size_t count, loff_t *ppos)
418{
419 struct hci_dev *hdev = file->private_data;
420 char buf[32];
421 size_t buf_size = min(count, (sizeof(buf)-1));
422 bool enable;
423
424 if (test_bit(HCI_UP, &hdev->flags))
425 return -EBUSY;
426
427 if (copy_from_user(buf, user_buf, buf_size))
428 return -EFAULT;
429
430 buf[buf_size] = '\0';
431 if (strtobool(buf, &enable))
432 return -EINVAL;
433
434 if (enable == test_bit(HCI_FORCE_SC, &hdev->dev_flags))
435 return -EALREADY;
436
437 change_bit(HCI_FORCE_SC, &hdev->dev_flags);
438
439 return count;
440}
441
442static const struct file_operations force_sc_support_fops = {
443 .open = simple_open,
444 .read = force_sc_support_read,
445 .write = force_sc_support_write,
446 .llseek = default_llseek,
447};
448
449static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf,
450 size_t count, loff_t *ppos)
451{
452 struct hci_dev *hdev = file->private_data;
453 char buf[3];
454
455 buf[0] = test_bit(HCI_SC_ONLY, &hdev->dev_flags) ? 'Y': 'N';
456 buf[1] = '\n';
457 buf[2] = '\0';
458 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
459}
460
461static const struct file_operations sc_only_mode_fops = {
462 .open = simple_open,
463 .read = sc_only_mode_read,
464 .llseek = default_llseek,
465};
466
418static int idle_timeout_set(void *data, u64 val) 467static int idle_timeout_set(void *data, u64 val)
419{ 468{
420 struct hci_dev *hdev = data; 469 struct hci_dev *hdev = data;
@@ -499,6 +548,29 @@ static int sniff_max_interval_get(void *data, u64 *val)
499DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get, 548DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
500 sniff_max_interval_set, "%llu\n"); 549 sniff_max_interval_set, "%llu\n");
501 550
551static int random_address_show(struct seq_file *f, void *p)
552{
553 struct hci_dev *hdev = f->private;
554
555 hci_dev_lock(hdev);
556 seq_printf(f, "%pMR\n", &hdev->random_addr);
557 hci_dev_unlock(hdev);
558
559 return 0;
560}
561
562static int random_address_open(struct inode *inode, struct file *file)
563{
564 return single_open(file, random_address_show, inode->i_private);
565}
566
567static const struct file_operations random_address_fops = {
568 .open = random_address_open,
569 .read = seq_read,
570 .llseek = seq_lseek,
571 .release = single_release,
572};
573
502static int static_address_show(struct seq_file *f, void *p) 574static int static_address_show(struct seq_file *f, void *p)
503{ 575{
504 struct hci_dev *hdev = f->private; 576 struct hci_dev *hdev = f->private;
@@ -522,33 +594,82 @@ static const struct file_operations static_address_fops = {
522 .release = single_release, 594 .release = single_release,
523}; 595};
524 596
525static int own_address_type_set(void *data, u64 val) 597static ssize_t force_static_address_read(struct file *file,
598 char __user *user_buf,
599 size_t count, loff_t *ppos)
526{ 600{
527 struct hci_dev *hdev = data; 601 struct hci_dev *hdev = file->private_data;
602 char buf[3];
528 603
529 if (val != 0 && val != 1) 604 buf[0] = test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ? 'Y': 'N';
605 buf[1] = '\n';
606 buf[2] = '\0';
607 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
608}
609
610static ssize_t force_static_address_write(struct file *file,
611 const char __user *user_buf,
612 size_t count, loff_t *ppos)
613{
614 struct hci_dev *hdev = file->private_data;
615 char buf[32];
616 size_t buf_size = min(count, (sizeof(buf)-1));
617 bool enable;
618
619 if (test_bit(HCI_UP, &hdev->flags))
620 return -EBUSY;
621
622 if (copy_from_user(buf, user_buf, buf_size))
623 return -EFAULT;
624
625 buf[buf_size] = '\0';
626 if (strtobool(buf, &enable))
530 return -EINVAL; 627 return -EINVAL;
531 628
532 hci_dev_lock(hdev); 629 if (enable == test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags))
533 hdev->own_addr_type = val; 630 return -EALREADY;
534 hci_dev_unlock(hdev);
535 631
536 return 0; 632 change_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags);
633
634 return count;
537} 635}
538 636
539static int own_address_type_get(void *data, u64 *val) 637static const struct file_operations force_static_address_fops = {
638 .open = simple_open,
639 .read = force_static_address_read,
640 .write = force_static_address_write,
641 .llseek = default_llseek,
642};
643
644static int identity_resolving_keys_show(struct seq_file *f, void *ptr)
540{ 645{
541 struct hci_dev *hdev = data; 646 struct hci_dev *hdev = f->private;
647 struct list_head *p, *n;
542 648
543 hci_dev_lock(hdev); 649 hci_dev_lock(hdev);
544 *val = hdev->own_addr_type; 650 list_for_each_safe(p, n, &hdev->identity_resolving_keys) {
651 struct smp_irk *irk = list_entry(p, struct smp_irk, list);
652 seq_printf(f, "%pMR (type %u) %*phN %pMR\n",
653 &irk->bdaddr, irk->addr_type,
654 16, irk->val, &irk->rpa);
655 }
545 hci_dev_unlock(hdev); 656 hci_dev_unlock(hdev);
546 657
547 return 0; 658 return 0;
548} 659}
549 660
550DEFINE_SIMPLE_ATTRIBUTE(own_address_type_fops, own_address_type_get, 661static int identity_resolving_keys_open(struct inode *inode, struct file *file)
551 own_address_type_set, "%llu\n"); 662{
663 return single_open(file, identity_resolving_keys_show,
664 inode->i_private);
665}
666
667static const struct file_operations identity_resolving_keys_fops = {
668 .open = identity_resolving_keys_open,
669 .read = seq_read,
670 .llseek = seq_lseek,
671 .release = single_release,
672};
552 673
553static int long_term_keys_show(struct seq_file *f, void *ptr) 674static int long_term_keys_show(struct seq_file *f, void *ptr)
554{ 675{
@@ -556,9 +677,9 @@ static int long_term_keys_show(struct seq_file *f, void *ptr)
556 struct list_head *p, *n; 677 struct list_head *p, *n;
557 678
558 hci_dev_lock(hdev); 679 hci_dev_lock(hdev);
559 list_for_each_safe(p, n, &hdev->link_keys) { 680 list_for_each_safe(p, n, &hdev->long_term_keys) {
560 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list); 681 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
561 seq_printf(f, "%pMR (type %u) %u %u %u %.4x %*phN %*phN\\n", 682 seq_printf(f, "%pMR (type %u) %u 0x%02x %u %.4x %*phN %*phN\n",
562 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated, 683 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated,
563 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv), 684 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
564 8, ltk->rand, 16, ltk->val); 685 8, ltk->rand, 16, ltk->val);
@@ -636,6 +757,34 @@ static int conn_max_interval_get(void *data, u64 *val)
636DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get, 757DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get,
637 conn_max_interval_set, "%llu\n"); 758 conn_max_interval_set, "%llu\n");
638 759
760static int adv_channel_map_set(void *data, u64 val)
761{
762 struct hci_dev *hdev = data;
763
764 if (val < 0x01 || val > 0x07)
765 return -EINVAL;
766
767 hci_dev_lock(hdev);
768 hdev->le_adv_channel_map = val;
769 hci_dev_unlock(hdev);
770
771 return 0;
772}
773
774static int adv_channel_map_get(void *data, u64 *val)
775{
776 struct hci_dev *hdev = data;
777
778 hci_dev_lock(hdev);
779 *val = hdev->le_adv_channel_map;
780 hci_dev_unlock(hdev);
781
782 return 0;
783}
784
785DEFINE_SIMPLE_ATTRIBUTE(adv_channel_map_fops, adv_channel_map_get,
786 adv_channel_map_set, "%llu\n");
787
639static ssize_t lowpan_read(struct file *file, char __user *user_buf, 788static ssize_t lowpan_read(struct file *file, char __user *user_buf,
640 size_t count, loff_t *ppos) 789 size_t count, loff_t *ppos)
641{ 790{
@@ -1288,6 +1437,10 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
1288 events[2] |= 0x08; /* Truncated Page Complete */ 1437 events[2] |= 0x08; /* Truncated Page Complete */
1289 } 1438 }
1290 1439
1440 /* Enable Authenticated Payload Timeout Expired event if supported */
1441 if (lmp_ping_capable(hdev))
1442 events[2] |= 0x80;
1443
1291 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events); 1444 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
1292} 1445}
1293 1446
@@ -1323,17 +1476,19 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
1323 hci_setup_link_policy(req); 1476 hci_setup_link_policy(req);
1324 1477
1325 if (lmp_le_capable(hdev)) { 1478 if (lmp_le_capable(hdev)) {
1326 if (test_bit(HCI_SETUP, &hdev->dev_flags)) { 1479 /* If the controller has a public BD_ADDR, then by default
1327 /* If the controller has a public BD_ADDR, then 1480 * use that one. If this is a LE only controller without
1328 * by default use that one. If this is a LE only 1481 * a public address, default to the random address.
1329 * controller without a public address, default 1482 *
1330 * to the random address. 1483 * For debugging purposes it is possible to force
1331 */ 1484 * controllers with a public address to use the
1332 if (bacmp(&hdev->bdaddr, BDADDR_ANY)) 1485 * random address instead.
1333 hdev->own_addr_type = ADDR_LE_DEV_PUBLIC; 1486 */
1334 else 1487 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
1335 hdev->own_addr_type = ADDR_LE_DEV_RANDOM; 1488 !bacmp(&hdev->bdaddr, BDADDR_ANY))
1336 } 1489 hdev->own_addr_type = ADDR_LE_DEV_RANDOM;
1490 else
1491 hdev->own_addr_type = ADDR_LE_DEV_PUBLIC;
1337 1492
1338 hci_set_le_support(req); 1493 hci_set_le_support(req);
1339 } 1494 }
@@ -1359,6 +1514,15 @@ static void hci_init4_req(struct hci_request *req, unsigned long opt)
1359 /* Check for Synchronization Train support */ 1514 /* Check for Synchronization Train support */
1360 if (lmp_sync_train_capable(hdev)) 1515 if (lmp_sync_train_capable(hdev))
1361 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL); 1516 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1517
1518 /* Enable Secure Connections if supported and configured */
1519 if ((lmp_sc_capable(hdev) ||
1520 test_bit(HCI_FORCE_SC, &hdev->dev_flags)) &&
1521 test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
1522 u8 support = 0x01;
1523 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
1524 sizeof(support), &support);
1525 }
1362} 1526}
1363 1527
1364static int __hci_init(struct hci_dev *hdev) 1528static int __hci_init(struct hci_dev *hdev)
@@ -1417,8 +1581,6 @@ static int __hci_init(struct hci_dev *hdev)
1417 hdev, &inquiry_cache_fops); 1581 hdev, &inquiry_cache_fops);
1418 debugfs_create_file("link_keys", 0400, hdev->debugfs, 1582 debugfs_create_file("link_keys", 0400, hdev->debugfs,
1419 hdev, &link_keys_fops); 1583 hdev, &link_keys_fops);
1420 debugfs_create_file("use_debug_keys", 0444, hdev->debugfs,
1421 hdev, &use_debug_keys_fops);
1422 debugfs_create_file("dev_class", 0444, hdev->debugfs, 1584 debugfs_create_file("dev_class", 0444, hdev->debugfs,
1423 hdev, &dev_class_fops); 1585 hdev, &dev_class_fops);
1424 debugfs_create_file("voice_setting", 0444, hdev->debugfs, 1586 debugfs_create_file("voice_setting", 0444, hdev->debugfs,
@@ -1430,6 +1592,10 @@ static int __hci_init(struct hci_dev *hdev)
1430 hdev, &auto_accept_delay_fops); 1592 hdev, &auto_accept_delay_fops);
1431 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs, 1593 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs,
1432 hdev, &ssp_debug_mode_fops); 1594 hdev, &ssp_debug_mode_fops);
1595 debugfs_create_file("force_sc_support", 0644, hdev->debugfs,
1596 hdev, &force_sc_support_fops);
1597 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs,
1598 hdev, &sc_only_mode_fops);
1433 } 1599 }
1434 1600
1435 if (lmp_sniff_capable(hdev)) { 1601 if (lmp_sniff_capable(hdev)) {
@@ -1442,18 +1608,33 @@ static int __hci_init(struct hci_dev *hdev)
1442 } 1608 }
1443 1609
1444 if (lmp_le_capable(hdev)) { 1610 if (lmp_le_capable(hdev)) {
1611 debugfs_create_file("random_address", 0444, hdev->debugfs,
1612 hdev, &random_address_fops);
1613 debugfs_create_file("static_address", 0444, hdev->debugfs,
1614 hdev, &static_address_fops);
1615
1616 /* For controllers with a public address, provide a debug
1617 * option to force the usage of the configured static
1618 * address. By default the public address is used.
1619 */
1620 if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1621 debugfs_create_file("force_static_address", 0644,
1622 hdev->debugfs, hdev,
1623 &force_static_address_fops);
1624
1445 debugfs_create_u8("white_list_size", 0444, hdev->debugfs, 1625 debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1446 &hdev->le_white_list_size); 1626 &hdev->le_white_list_size);
1447 debugfs_create_file("static_address", 0444, hdev->debugfs, 1627 debugfs_create_file("identity_resolving_keys", 0400,
1448 hdev, &static_address_fops); 1628 hdev->debugfs, hdev,
1449 debugfs_create_file("own_address_type", 0644, hdev->debugfs, 1629 &identity_resolving_keys_fops);
1450 hdev, &own_address_type_fops);
1451 debugfs_create_file("long_term_keys", 0400, hdev->debugfs, 1630 debugfs_create_file("long_term_keys", 0400, hdev->debugfs,
1452 hdev, &long_term_keys_fops); 1631 hdev, &long_term_keys_fops);
1453 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs, 1632 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs,
1454 hdev, &conn_min_interval_fops); 1633 hdev, &conn_min_interval_fops);
1455 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs, 1634 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs,
1456 hdev, &conn_max_interval_fops); 1635 hdev, &conn_max_interval_fops);
1636 debugfs_create_file("adv_channel_map", 0644, hdev->debugfs,
1637 hdev, &adv_channel_map_fops);
1457 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev, 1638 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev,
1458 &lowpan_debugfs_fops); 1639 &lowpan_debugfs_fops);
1459 } 1640 }
@@ -1876,10 +2057,15 @@ static int hci_dev_do_open(struct hci_dev *hdev)
1876 * be able to determine if there is a public address 2057 * be able to determine if there is a public address
1877 * or not. 2058 * or not.
1878 * 2059 *
2060 * In case of user channel usage, it is not important
2061 * if a public address or static random address is
2062 * available.
2063 *
1879 * This check is only valid for BR/EDR controllers 2064 * This check is only valid for BR/EDR controllers
1880 * since AMP controllers do not have an address. 2065 * since AMP controllers do not have an address.
1881 */ 2066 */
1882 if (hdev->dev_type == HCI_BREDR && 2067 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
2068 hdev->dev_type == HCI_BREDR &&
1883 !bacmp(&hdev->bdaddr, BDADDR_ANY) && 2069 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1884 !bacmp(&hdev->static_addr, BDADDR_ANY)) { 2070 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1885 ret = -EADDRNOTAVAIL; 2071 ret = -EADDRNOTAVAIL;
@@ -2074,6 +2260,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
2074 2260
2075 memset(hdev->eir, 0, sizeof(hdev->eir)); 2261 memset(hdev->eir, 0, sizeof(hdev->eir));
2076 memset(hdev->dev_class, 0, sizeof(hdev->dev_class)); 2262 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
2263 bacpy(&hdev->random_addr, BDADDR_ANY);
2077 2264
2078 hci_req_unlock(hdev); 2265 hci_req_unlock(hdev);
2079 2266
@@ -2437,7 +2624,7 @@ static void hci_discov_off(struct work_struct *work)
2437 mgmt_discoverable_timeout(hdev); 2624 mgmt_discoverable_timeout(hdev);
2438} 2625}
2439 2626
2440int hci_uuids_clear(struct hci_dev *hdev) 2627void hci_uuids_clear(struct hci_dev *hdev)
2441{ 2628{
2442 struct bt_uuid *uuid, *tmp; 2629 struct bt_uuid *uuid, *tmp;
2443 2630
@@ -2445,11 +2632,9 @@ int hci_uuids_clear(struct hci_dev *hdev)
2445 list_del(&uuid->list); 2632 list_del(&uuid->list);
2446 kfree(uuid); 2633 kfree(uuid);
2447 } 2634 }
2448
2449 return 0;
2450} 2635}
2451 2636
2452int hci_link_keys_clear(struct hci_dev *hdev) 2637void hci_link_keys_clear(struct hci_dev *hdev)
2453{ 2638{
2454 struct list_head *p, *n; 2639 struct list_head *p, *n;
2455 2640
@@ -2461,11 +2646,9 @@ int hci_link_keys_clear(struct hci_dev *hdev)
2461 list_del(p); 2646 list_del(p);
2462 kfree(key); 2647 kfree(key);
2463 } 2648 }
2464
2465 return 0;
2466} 2649}
2467 2650
2468int hci_smp_ltks_clear(struct hci_dev *hdev) 2651void hci_smp_ltks_clear(struct hci_dev *hdev)
2469{ 2652{
2470 struct smp_ltk *k, *tmp; 2653 struct smp_ltk *k, *tmp;
2471 2654
@@ -2473,8 +2656,16 @@ int hci_smp_ltks_clear(struct hci_dev *hdev)
2473 list_del(&k->list); 2656 list_del(&k->list);
2474 kfree(k); 2657 kfree(k);
2475 } 2658 }
2659}
2476 2660
2477 return 0; 2661void hci_smp_irks_clear(struct hci_dev *hdev)
2662{
2663 struct smp_irk *k, *tmp;
2664
2665 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
2666 list_del(&k->list);
2667 kfree(k);
2668 }
2478} 2669}
2479 2670
2480struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 2671struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -2524,7 +2715,16 @@ static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2524 return false; 2715 return false;
2525} 2716}
2526 2717
2527struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8]) 2718static bool ltk_type_master(u8 type)
2719{
2720 if (type == HCI_SMP_STK || type == HCI_SMP_LTK)
2721 return true;
2722
2723 return false;
2724}
2725
2726struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8],
2727 bool master)
2528{ 2728{
2529 struct smp_ltk *k; 2729 struct smp_ltk *k;
2530 2730
@@ -2533,6 +2733,9 @@ struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
2533 memcmp(rand, k->rand, sizeof(k->rand))) 2733 memcmp(rand, k->rand, sizeof(k->rand)))
2534 continue; 2734 continue;
2535 2735
2736 if (ltk_type_master(k->type) != master)
2737 continue;
2738
2536 return k; 2739 return k;
2537 } 2740 }
2538 2741
@@ -2540,18 +2743,56 @@ struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
2540} 2743}
2541 2744
2542struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr, 2745struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2543 u8 addr_type) 2746 u8 addr_type, bool master)
2544{ 2747{
2545 struct smp_ltk *k; 2748 struct smp_ltk *k;
2546 2749
2547 list_for_each_entry(k, &hdev->long_term_keys, list) 2750 list_for_each_entry(k, &hdev->long_term_keys, list)
2548 if (addr_type == k->bdaddr_type && 2751 if (addr_type == k->bdaddr_type &&
2549 bacmp(bdaddr, &k->bdaddr) == 0) 2752 bacmp(bdaddr, &k->bdaddr) == 0 &&
2753 ltk_type_master(k->type) == master)
2550 return k; 2754 return k;
2551 2755
2552 return NULL; 2756 return NULL;
2553} 2757}
2554 2758
2759struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2760{
2761 struct smp_irk *irk;
2762
2763 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2764 if (!bacmp(&irk->rpa, rpa))
2765 return irk;
2766 }
2767
2768 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2769 if (smp_irk_matches(hdev->tfm_aes, irk->val, rpa)) {
2770 bacpy(&irk->rpa, rpa);
2771 return irk;
2772 }
2773 }
2774
2775 return NULL;
2776}
2777
2778struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2779 u8 addr_type)
2780{
2781 struct smp_irk *irk;
2782
2783 /* Identity Address must be public or static random */
2784 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2785 return NULL;
2786
2787 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2788 if (addr_type == irk->addr_type &&
2789 bacmp(bdaddr, &irk->bdaddr) == 0)
2790 return irk;
2791 }
2792
2793 return NULL;
2794}
2795
2555int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 2796int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2556 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len) 2797 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
2557{ 2798{
@@ -2565,7 +2806,7 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2565 key = old_key; 2806 key = old_key;
2566 } else { 2807 } else {
2567 old_key_type = conn ? conn->key_type : 0xff; 2808 old_key_type = conn ? conn->key_type : 0xff;
2568 key = kzalloc(sizeof(*key), GFP_ATOMIC); 2809 key = kzalloc(sizeof(*key), GFP_KERNEL);
2569 if (!key) 2810 if (!key)
2570 return -ENOMEM; 2811 return -ENOMEM;
2571 list_add(&key->list, &hdev->link_keys); 2812 list_add(&key->list, &hdev->link_keys);
@@ -2605,22 +2846,20 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2605 return 0; 2846 return 0;
2606} 2847}
2607 2848
2608int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type, 2849struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2609 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16 2850 u8 addr_type, u8 type, u8 authenticated,
2610 ediv, u8 rand[8]) 2851 u8 tk[16], u8 enc_size, __le16 ediv, u8 rand[8])
2611{ 2852{
2612 struct smp_ltk *key, *old_key; 2853 struct smp_ltk *key, *old_key;
2854 bool master = ltk_type_master(type);
2613 2855
2614 if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK)) 2856 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type, master);
2615 return 0;
2616
2617 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
2618 if (old_key) 2857 if (old_key)
2619 key = old_key; 2858 key = old_key;
2620 else { 2859 else {
2621 key = kzalloc(sizeof(*key), GFP_ATOMIC); 2860 key = kzalloc(sizeof(*key), GFP_KERNEL);
2622 if (!key) 2861 if (!key)
2623 return -ENOMEM; 2862 return NULL;
2624 list_add(&key->list, &hdev->long_term_keys); 2863 list_add(&key->list, &hdev->long_term_keys);
2625 } 2864 }
2626 2865
@@ -2633,13 +2872,30 @@ int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
2633 key->type = type; 2872 key->type = type;
2634 memcpy(key->rand, rand, sizeof(key->rand)); 2873 memcpy(key->rand, rand, sizeof(key->rand));
2635 2874
2636 if (!new_key) 2875 return key;
2637 return 0; 2876}
2638 2877
2639 if (type & HCI_SMP_LTK) 2878struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2640 mgmt_new_ltk(hdev, key, 1); 2879 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2880{
2881 struct smp_irk *irk;
2641 2882
2642 return 0; 2883 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2884 if (!irk) {
2885 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2886 if (!irk)
2887 return NULL;
2888
2889 bacpy(&irk->bdaddr, bdaddr);
2890 irk->addr_type = addr_type;
2891
2892 list_add(&irk->list, &hdev->identity_resolving_keys);
2893 }
2894
2895 memcpy(irk->val, val, 16);
2896 bacpy(&irk->rpa, rpa);
2897
2898 return irk;
2643} 2899}
2644 2900
2645int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 2901int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -2658,21 +2914,38 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2658 return 0; 2914 return 0;
2659} 2915}
2660 2916
2661int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr) 2917int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2662{ 2918{
2663 struct smp_ltk *k, *tmp; 2919 struct smp_ltk *k, *tmp;
2920 int removed = 0;
2664 2921
2665 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { 2922 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2666 if (bacmp(bdaddr, &k->bdaddr)) 2923 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2667 continue; 2924 continue;
2668 2925
2669 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 2926 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2670 2927
2671 list_del(&k->list); 2928 list_del(&k->list);
2672 kfree(k); 2929 kfree(k);
2930 removed++;
2673 } 2931 }
2674 2932
2675 return 0; 2933 return removed ? 0 : -ENOENT;
2934}
2935
2936void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2937{
2938 struct smp_irk *k, *tmp;
2939
2940 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
2941 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2942 continue;
2943
2944 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2945
2946 list_del(&k->list);
2947 kfree(k);
2948 }
2676} 2949}
2677 2950
2678/* HCI command timer function */ 2951/* HCI command timer function */
@@ -2721,7 +2994,7 @@ int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
2721 return 0; 2994 return 0;
2722} 2995}
2723 2996
2724int hci_remote_oob_data_clear(struct hci_dev *hdev) 2997void hci_remote_oob_data_clear(struct hci_dev *hdev)
2725{ 2998{
2726 struct oob_data *data, *n; 2999 struct oob_data *data, *n;
2727 3000
@@ -2729,19 +3002,43 @@ int hci_remote_oob_data_clear(struct hci_dev *hdev)
2729 list_del(&data->list); 3002 list_del(&data->list);
2730 kfree(data); 3003 kfree(data);
2731 } 3004 }
3005}
3006
3007int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3008 u8 *hash, u8 *randomizer)
3009{
3010 struct oob_data *data;
3011
3012 data = hci_find_remote_oob_data(hdev, bdaddr);
3013 if (!data) {
3014 data = kmalloc(sizeof(*data), GFP_KERNEL);
3015 if (!data)
3016 return -ENOMEM;
3017
3018 bacpy(&data->bdaddr, bdaddr);
3019 list_add(&data->list, &hdev->remote_oob_data);
3020 }
3021
3022 memcpy(data->hash192, hash, sizeof(data->hash192));
3023 memcpy(data->randomizer192, randomizer, sizeof(data->randomizer192));
3024
3025 memset(data->hash256, 0, sizeof(data->hash256));
3026 memset(data->randomizer256, 0, sizeof(data->randomizer256));
3027
3028 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2732 3029
2733 return 0; 3030 return 0;
2734} 3031}
2735 3032
2736int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash, 3033int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2737 u8 *randomizer) 3034 u8 *hash192, u8 *randomizer192,
3035 u8 *hash256, u8 *randomizer256)
2738{ 3036{
2739 struct oob_data *data; 3037 struct oob_data *data;
2740 3038
2741 data = hci_find_remote_oob_data(hdev, bdaddr); 3039 data = hci_find_remote_oob_data(hdev, bdaddr);
2742
2743 if (!data) { 3040 if (!data) {
2744 data = kmalloc(sizeof(*data), GFP_ATOMIC); 3041 data = kmalloc(sizeof(*data), GFP_KERNEL);
2745 if (!data) 3042 if (!data)
2746 return -ENOMEM; 3043 return -ENOMEM;
2747 3044
@@ -2749,8 +3046,11 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
2749 list_add(&data->list, &hdev->remote_oob_data); 3046 list_add(&data->list, &hdev->remote_oob_data);
2750 } 3047 }
2751 3048
2752 memcpy(data->hash, hash, sizeof(data->hash)); 3049 memcpy(data->hash192, hash192, sizeof(data->hash192));
2753 memcpy(data->randomizer, randomizer, sizeof(data->randomizer)); 3050 memcpy(data->randomizer192, randomizer192, sizeof(data->randomizer192));
3051
3052 memcpy(data->hash256, hash256, sizeof(data->hash256));
3053 memcpy(data->randomizer256, randomizer256, sizeof(data->randomizer256));
2754 3054
2755 BT_DBG("%s for %pMR", hdev->name, bdaddr); 3055 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2756 3056
@@ -2770,7 +3070,7 @@ struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
2770 return NULL; 3070 return NULL;
2771} 3071}
2772 3072
2773int hci_blacklist_clear(struct hci_dev *hdev) 3073void hci_blacklist_clear(struct hci_dev *hdev)
2774{ 3074{
2775 struct list_head *p, *n; 3075 struct list_head *p, *n;
2776 3076
@@ -2780,8 +3080,6 @@ int hci_blacklist_clear(struct hci_dev *hdev)
2780 list_del(p); 3080 list_del(p);
2781 kfree(b); 3081 kfree(b);
2782 } 3082 }
2783
2784 return 0;
2785} 3083}
2786 3084
2787int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 3085int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
@@ -2810,8 +3108,10 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2810{ 3108{
2811 struct bdaddr_list *entry; 3109 struct bdaddr_list *entry;
2812 3110
2813 if (!bacmp(bdaddr, BDADDR_ANY)) 3111 if (!bacmp(bdaddr, BDADDR_ANY)) {
2814 return hci_blacklist_clear(hdev); 3112 hci_blacklist_clear(hdev);
3113 return 0;
3114 }
2815 3115
2816 entry = hci_blacklist_lookup(hdev, bdaddr, type); 3116 entry = hci_blacklist_lookup(hdev, bdaddr, type);
2817 if (!entry) 3117 if (!entry)
@@ -2823,6 +3123,81 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2823 return mgmt_device_unblocked(hdev, bdaddr, type); 3123 return mgmt_device_unblocked(hdev, bdaddr, type);
2824} 3124}
2825 3125
3126/* This function requires the caller holds hdev->lock */
3127struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3128 bdaddr_t *addr, u8 addr_type)
3129{
3130 struct hci_conn_params *params;
3131
3132 list_for_each_entry(params, &hdev->le_conn_params, list) {
3133 if (bacmp(&params->addr, addr) == 0 &&
3134 params->addr_type == addr_type) {
3135 return params;
3136 }
3137 }
3138
3139 return NULL;
3140}
3141
3142/* This function requires the caller holds hdev->lock */
3143void hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
3144 u16 conn_min_interval, u16 conn_max_interval)
3145{
3146 struct hci_conn_params *params;
3147
3148 params = hci_conn_params_lookup(hdev, addr, addr_type);
3149 if (params) {
3150 params->conn_min_interval = conn_min_interval;
3151 params->conn_max_interval = conn_max_interval;
3152 return;
3153 }
3154
3155 params = kzalloc(sizeof(*params), GFP_KERNEL);
3156 if (!params) {
3157 BT_ERR("Out of memory");
3158 return;
3159 }
3160
3161 bacpy(&params->addr, addr);
3162 params->addr_type = addr_type;
3163 params->conn_min_interval = conn_min_interval;
3164 params->conn_max_interval = conn_max_interval;
3165
3166 list_add(&params->list, &hdev->le_conn_params);
3167
3168 BT_DBG("addr %pMR (type %u) conn_min_interval 0x%.4x "
3169 "conn_max_interval 0x%.4x", addr, addr_type, conn_min_interval,
3170 conn_max_interval);
3171}
3172
3173/* This function requires the caller holds hdev->lock */
3174void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3175{
3176 struct hci_conn_params *params;
3177
3178 params = hci_conn_params_lookup(hdev, addr, addr_type);
3179 if (!params)
3180 return;
3181
3182 list_del(&params->list);
3183 kfree(params);
3184
3185 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3186}
3187
3188/* This function requires the caller holds hdev->lock */
3189void hci_conn_params_clear(struct hci_dev *hdev)
3190{
3191 struct hci_conn_params *params, *tmp;
3192
3193 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
3194 list_del(&params->list);
3195 kfree(params);
3196 }
3197
3198 BT_DBG("All LE connection parameters were removed");
3199}
3200
2826static void inquiry_complete(struct hci_dev *hdev, u8 status) 3201static void inquiry_complete(struct hci_dev *hdev, u8 status)
2827{ 3202{
2828 if (status) { 3203 if (status) {
@@ -2919,6 +3294,7 @@ struct hci_dev *hci_alloc_dev(void)
2919 hdev->sniff_max_interval = 800; 3294 hdev->sniff_max_interval = 800;
2920 hdev->sniff_min_interval = 80; 3295 hdev->sniff_min_interval = 80;
2921 3296
3297 hdev->le_adv_channel_map = 0x07;
2922 hdev->le_scan_interval = 0x0060; 3298 hdev->le_scan_interval = 0x0060;
2923 hdev->le_scan_window = 0x0030; 3299 hdev->le_scan_window = 0x0030;
2924 hdev->le_conn_min_interval = 0x0028; 3300 hdev->le_conn_min_interval = 0x0028;
@@ -2932,7 +3308,9 @@ struct hci_dev *hci_alloc_dev(void)
2932 INIT_LIST_HEAD(&hdev->uuids); 3308 INIT_LIST_HEAD(&hdev->uuids);
2933 INIT_LIST_HEAD(&hdev->link_keys); 3309 INIT_LIST_HEAD(&hdev->link_keys);
2934 INIT_LIST_HEAD(&hdev->long_term_keys); 3310 INIT_LIST_HEAD(&hdev->long_term_keys);
3311 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2935 INIT_LIST_HEAD(&hdev->remote_oob_data); 3312 INIT_LIST_HEAD(&hdev->remote_oob_data);
3313 INIT_LIST_HEAD(&hdev->le_conn_params);
2936 INIT_LIST_HEAD(&hdev->conn_hash.list); 3314 INIT_LIST_HEAD(&hdev->conn_hash.list);
2937 3315
2938 INIT_WORK(&hdev->rx_work, hci_rx_work); 3316 INIT_WORK(&hdev->rx_work, hci_rx_work);
@@ -3017,9 +3395,18 @@ int hci_register_dev(struct hci_dev *hdev)
3017 3395
3018 dev_set_name(&hdev->dev, "%s", hdev->name); 3396 dev_set_name(&hdev->dev, "%s", hdev->name);
3019 3397
3398 hdev->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0,
3399 CRYPTO_ALG_ASYNC);
3400 if (IS_ERR(hdev->tfm_aes)) {
3401 BT_ERR("Unable to create crypto context");
3402 error = PTR_ERR(hdev->tfm_aes);
3403 hdev->tfm_aes = NULL;
3404 goto err_wqueue;
3405 }
3406
3020 error = device_add(&hdev->dev); 3407 error = device_add(&hdev->dev);
3021 if (error < 0) 3408 if (error < 0)
3022 goto err_wqueue; 3409 goto err_tfm;
3023 3410
3024 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 3411 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3025 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, 3412 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
@@ -3055,6 +3442,8 @@ int hci_register_dev(struct hci_dev *hdev)
3055 3442
3056 return id; 3443 return id;
3057 3444
3445err_tfm:
3446 crypto_free_blkcipher(hdev->tfm_aes);
3058err_wqueue: 3447err_wqueue:
3059 destroy_workqueue(hdev->workqueue); 3448 destroy_workqueue(hdev->workqueue);
3060 destroy_workqueue(hdev->req_workqueue); 3449 destroy_workqueue(hdev->req_workqueue);
@@ -3105,6 +3494,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
3105 rfkill_destroy(hdev->rfkill); 3494 rfkill_destroy(hdev->rfkill);
3106 } 3495 }
3107 3496
3497 if (hdev->tfm_aes)
3498 crypto_free_blkcipher(hdev->tfm_aes);
3499
3108 device_del(&hdev->dev); 3500 device_del(&hdev->dev);
3109 3501
3110 debugfs_remove_recursive(hdev->debugfs); 3502 debugfs_remove_recursive(hdev->debugfs);
@@ -3117,7 +3509,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
3117 hci_uuids_clear(hdev); 3509 hci_uuids_clear(hdev);
3118 hci_link_keys_clear(hdev); 3510 hci_link_keys_clear(hdev);
3119 hci_smp_ltks_clear(hdev); 3511 hci_smp_ltks_clear(hdev);
3512 hci_smp_irks_clear(hdev);
3120 hci_remote_oob_data_clear(hdev); 3513 hci_remote_oob_data_clear(hdev);
3514 hci_conn_params_clear(hdev);
3121 hci_dev_unlock(hdev); 3515 hci_dev_unlock(hdev);
3122 3516
3123 hci_dev_put(hdev); 3517 hci_dev_put(hdev);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 5f812455a450..4327b129d38e 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -461,6 +461,34 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
461 } 461 }
462} 462}
463 463
464static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
465{
466 u8 status = *((u8 *) skb->data);
467 struct hci_cp_write_sc_support *sent;
468
469 BT_DBG("%s status 0x%2.2x", hdev->name, status);
470
471 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
472 if (!sent)
473 return;
474
475 if (!status) {
476 if (sent->support)
477 hdev->features[1][0] |= LMP_HOST_SC;
478 else
479 hdev->features[1][0] &= ~LMP_HOST_SC;
480 }
481
482 if (test_bit(HCI_MGMT, &hdev->dev_flags))
483 mgmt_sc_enable_complete(hdev, sent->support, status);
484 else if (!status) {
485 if (sent->support)
486 set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
487 else
488 clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
489 }
490}
491
464static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 492static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
465{ 493{
466 struct hci_rp_read_local_version *rp = (void *) skb->data; 494 struct hci_rp_read_local_version *rp = (void *) skb->data;
@@ -904,16 +932,50 @@ static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
904 hci_dev_unlock(hdev); 932 hci_dev_unlock(hdev);
905} 933}
906 934
907static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev, 935static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
908 struct sk_buff *skb) 936 struct sk_buff *skb)
909{ 937{
910 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 938 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
911 939
912 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 940 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
913 941
914 hci_dev_lock(hdev); 942 hci_dev_lock(hdev);
915 mgmt_read_local_oob_data_reply_complete(hdev, rp->hash, 943 mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
916 rp->randomizer, rp->status); 944 NULL, NULL, rp->status);
945 hci_dev_unlock(hdev);
946}
947
948static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
949 struct sk_buff *skb)
950{
951 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
952
953 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
954
955 hci_dev_lock(hdev);
956 mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
957 rp->hash256, rp->randomizer256,
958 rp->status);
959 hci_dev_unlock(hdev);
960}
961
962
963static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
964{
965 __u8 status = *((__u8 *) skb->data);
966 bdaddr_t *sent;
967
968 BT_DBG("%s status 0x%2.2x", hdev->name, status);
969
970 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
971 if (!sent)
972 return;
973
974 hci_dev_lock(hdev);
975
976 if (!status)
977 bacpy(&hdev->random_addr, sent);
978
917 hci_dev_unlock(hdev); 979 hci_dev_unlock(hdev);
918} 980}
919 981
@@ -1185,9 +1247,12 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1185 return 0; 1247 return 0;
1186 1248
1187 /* Only request authentication for SSP connections or non-SSP 1249 /* Only request authentication for SSP connections or non-SSP
1188 * devices with sec_level HIGH or if MITM protection is requested */ 1250 * devices with sec_level MEDIUM or HIGH or if MITM protection
1251 * is requested.
1252 */
1189 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1253 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1190 conn->pending_sec_level != BT_SECURITY_HIGH) 1254 conn->pending_sec_level != BT_SECURITY_HIGH &&
1255 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1191 return 0; 1256 return 0;
1192 1257
1193 return 1; 1258 return 1;
@@ -1659,7 +1724,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1659 } else { 1724 } else {
1660 conn->state = BT_CLOSED; 1725 conn->state = BT_CLOSED;
1661 if (conn->type == ACL_LINK) 1726 if (conn->type == ACL_LINK)
1662 mgmt_connect_failed(hdev, &ev->bdaddr, conn->type, 1727 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1663 conn->dst_type, ev->status); 1728 conn->dst_type, ev->status);
1664 } 1729 }
1665 1730
@@ -1943,35 +2008,46 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
1943 hci_dev_lock(hdev); 2008 hci_dev_lock(hdev);
1944 2009
1945 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2010 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1946 if (conn) { 2011 if (!conn)
1947 if (!ev->status) { 2012 goto unlock;
1948 if (ev->encrypt) { 2013
1949 /* Encryption implies authentication */ 2014 if (!ev->status) {
1950 conn->link_mode |= HCI_LM_AUTH; 2015 if (ev->encrypt) {
1951 conn->link_mode |= HCI_LM_ENCRYPT; 2016 /* Encryption implies authentication */
1952 conn->sec_level = conn->pending_sec_level; 2017 conn->link_mode |= HCI_LM_AUTH;
1953 } else 2018 conn->link_mode |= HCI_LM_ENCRYPT;
1954 conn->link_mode &= ~HCI_LM_ENCRYPT; 2019 conn->sec_level = conn->pending_sec_level;
1955 }
1956 2020
1957 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2021 /* P-256 authentication key implies FIPS */
2022 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2023 conn->link_mode |= HCI_LM_FIPS;
1958 2024
1959 if (ev->status && conn->state == BT_CONNECTED) { 2025 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
1960 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2026 conn->type == LE_LINK)
1961 hci_conn_drop(conn); 2027 set_bit(HCI_CONN_AES_CCM, &conn->flags);
1962 goto unlock; 2028 } else {
2029 conn->link_mode &= ~HCI_LM_ENCRYPT;
2030 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
1963 } 2031 }
2032 }
1964 2033
1965 if (conn->state == BT_CONFIG) { 2034 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1966 if (!ev->status)
1967 conn->state = BT_CONNECTED;
1968 2035
1969 hci_proto_connect_cfm(conn, ev->status); 2036 if (ev->status && conn->state == BT_CONNECTED) {
1970 hci_conn_drop(conn); 2037 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1971 } else 2038 hci_conn_drop(conn);
1972 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2039 goto unlock;
1973 } 2040 }
1974 2041
2042 if (conn->state == BT_CONFIG) {
2043 if (!ev->status)
2044 conn->state = BT_CONNECTED;
2045
2046 hci_proto_connect_cfm(conn, ev->status);
2047 hci_conn_drop(conn);
2048 } else
2049 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2050
1975unlock: 2051unlock:
1976 hci_dev_unlock(hdev); 2052 hci_dev_unlock(hdev);
1977} 2053}
@@ -2144,6 +2220,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2144 hci_cc_write_ssp_mode(hdev, skb); 2220 hci_cc_write_ssp_mode(hdev, skb);
2145 break; 2221 break;
2146 2222
2223 case HCI_OP_WRITE_SC_SUPPORT:
2224 hci_cc_write_sc_support(hdev, skb);
2225 break;
2226
2147 case HCI_OP_READ_LOCAL_VERSION: 2227 case HCI_OP_READ_LOCAL_VERSION:
2148 hci_cc_read_local_version(hdev, skb); 2228 hci_cc_read_local_version(hdev, skb);
2149 break; 2229 break;
@@ -2213,7 +2293,11 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2213 break; 2293 break;
2214 2294
2215 case HCI_OP_READ_LOCAL_OOB_DATA: 2295 case HCI_OP_READ_LOCAL_OOB_DATA:
2216 hci_cc_read_local_oob_data_reply(hdev, skb); 2296 hci_cc_read_local_oob_data(hdev, skb);
2297 break;
2298
2299 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2300 hci_cc_read_local_oob_ext_data(hdev, skb);
2217 break; 2301 break;
2218 2302
2219 case HCI_OP_LE_READ_BUFFER_SIZE: 2303 case HCI_OP_LE_READ_BUFFER_SIZE:
@@ -2244,6 +2328,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2244 hci_cc_user_passkey_neg_reply(hdev, skb); 2328 hci_cc_user_passkey_neg_reply(hdev, skb);
2245 break; 2329 break;
2246 2330
2331 case HCI_OP_LE_SET_RANDOM_ADDR:
2332 hci_cc_le_set_random_addr(hdev, skb);
2333 break;
2334
2247 case HCI_OP_LE_SET_ADV_ENABLE: 2335 case HCI_OP_LE_SET_ADV_ENABLE:
2248 hci_cc_le_set_adv_enable(hdev, skb); 2336 hci_cc_le_set_adv_enable(hdev, skb);
2249 break; 2337 break;
@@ -2630,7 +2718,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2630 2718
2631 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2719 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2632 if (conn) { 2720 if (conn) {
2633 if (key->type == HCI_LK_UNAUTH_COMBINATION && 2721 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2722 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2634 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 2723 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
2635 BT_DBG("%s ignoring unauthenticated key", hdev->name); 2724 BT_DBG("%s ignoring unauthenticated key", hdev->name);
2636 goto not_found; 2725 goto not_found;
@@ -2844,6 +2933,9 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2844 * features do not indicate SSP support */ 2933 * features do not indicate SSP support */
2845 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 2934 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2846 } 2935 }
2936
2937 if (ev->features[0] & LMP_HOST_SC)
2938 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
2847 } 2939 }
2848 2940
2849 if (conn->state != BT_CONFIG) 2941 if (conn->state != BT_CONFIG)
@@ -3337,20 +3429,36 @@ static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3337 3429
3338 data = hci_find_remote_oob_data(hdev, &ev->bdaddr); 3430 data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3339 if (data) { 3431 if (data) {
3340 struct hci_cp_remote_oob_data_reply cp; 3432 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3433 struct hci_cp_remote_oob_ext_data_reply cp;
3341 3434
3342 bacpy(&cp.bdaddr, &ev->bdaddr); 3435 bacpy(&cp.bdaddr, &ev->bdaddr);
3343 memcpy(cp.hash, data->hash, sizeof(cp.hash)); 3436 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3344 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer)); 3437 memcpy(cp.randomizer192, data->randomizer192,
3438 sizeof(cp.randomizer192));
3439 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3440 memcpy(cp.randomizer256, data->randomizer256,
3441 sizeof(cp.randomizer256));
3442
3443 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3444 sizeof(cp), &cp);
3445 } else {
3446 struct hci_cp_remote_oob_data_reply cp;
3345 3447
3346 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp), 3448 bacpy(&cp.bdaddr, &ev->bdaddr);
3347 &cp); 3449 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3450 memcpy(cp.randomizer, data->randomizer192,
3451 sizeof(cp.randomizer));
3452
3453 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3454 sizeof(cp), &cp);
3455 }
3348 } else { 3456 } else {
3349 struct hci_cp_remote_oob_data_neg_reply cp; 3457 struct hci_cp_remote_oob_data_neg_reply cp;
3350 3458
3351 bacpy(&cp.bdaddr, &ev->bdaddr); 3459 bacpy(&cp.bdaddr, &ev->bdaddr);
3352 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp), 3460 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3353 &cp); 3461 sizeof(cp), &cp);
3354 } 3462 }
3355 3463
3356unlock: 3464unlock:
@@ -3484,6 +3592,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3484{ 3592{
3485 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 3593 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3486 struct hci_conn *conn; 3594 struct hci_conn *conn;
3595 struct smp_irk *irk;
3487 3596
3488 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3597 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3489 3598
@@ -3516,6 +3625,21 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3516 } 3625 }
3517 } 3626 }
3518 3627
3628 /* Lookup the identity address from the stored connection
3629 * address and address type.
3630 *
3631 * When establishing connections to an identity address, the
3632 * connection procedure will store the resolvable random
3633 * address first. Now if it can be converted back into the
3634 * identity address, start using the identity address from
3635 * now on.
3636 */
3637 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
3638 if (irk) {
3639 bacpy(&conn->dst, &irk->bdaddr);
3640 conn->dst_type = irk->addr_type;
3641 }
3642
3519 if (ev->status) { 3643 if (ev->status) {
3520 mgmt_connect_failed(hdev, &conn->dst, conn->type, 3644 mgmt_connect_failed(hdev, &conn->dst, conn->type,
3521 conn->dst_type, ev->status); 3645 conn->dst_type, ev->status);
@@ -3526,7 +3650,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3526 } 3650 }
3527 3651
3528 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3652 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3529 mgmt_device_connected(hdev, &ev->bdaddr, conn->type, 3653 mgmt_device_connected(hdev, &conn->dst, conn->type,
3530 conn->dst_type, 0, NULL, 0, NULL); 3654 conn->dst_type, 0, NULL, 0, NULL);
3531 3655
3532 conn->sec_level = BT_SECURITY_LOW; 3656 conn->sec_level = BT_SECURITY_LOW;
@@ -3577,7 +3701,7 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3577 if (conn == NULL) 3701 if (conn == NULL)
3578 goto not_found; 3702 goto not_found;
3579 3703
3580 ltk = hci_find_ltk(hdev, ev->ediv, ev->random); 3704 ltk = hci_find_ltk(hdev, ev->ediv, ev->random, conn->out);
3581 if (ltk == NULL) 3705 if (ltk == NULL)
3582 goto not_found; 3706 goto not_found;
3583 3707
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 7552f9e3089c..68e51a84e72d 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -716,6 +716,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
716 err = hci_dev_open(hdev->id); 716 err = hci_dev_open(hdev->id);
717 if (err) { 717 if (err) {
718 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 718 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
719 mgmt_index_added(hdev);
719 hci_dev_put(hdev); 720 hci_dev_put(hdev);
720 goto done; 721 goto done;
721 } 722 }
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 0b61250cfdf9..555982a78a58 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -49,14 +49,7 @@ static struct attribute *bt_link_attrs[] = {
49 NULL 49 NULL
50}; 50};
51 51
52static struct attribute_group bt_link_group = { 52ATTRIBUTE_GROUPS(bt_link);
53 .attrs = bt_link_attrs,
54};
55
56static const struct attribute_group *bt_link_groups[] = {
57 &bt_link_group,
58 NULL
59};
60 53
61static void bt_link_release(struct device *dev) 54static void bt_link_release(struct device *dev)
62{ 55{
@@ -182,14 +175,7 @@ static struct attribute *bt_host_attrs[] = {
182 NULL 175 NULL
183}; 176};
184 177
185static struct attribute_group bt_host_group = { 178ATTRIBUTE_GROUPS(bt_host);
186 .attrs = bt_host_attrs,
187};
188
189static const struct attribute_group *bt_host_groups[] = {
190 &bt_host_group,
191 NULL
192};
193 179
194static void bt_host_release(struct device *dev) 180static void bt_host_release(struct device *dev)
195{ 181{
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b0ad2c752d73..6ace116f3b39 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -42,6 +42,8 @@
42#include "amp.h" 42#include "amp.h"
43#include "6lowpan.h" 43#include "6lowpan.h"
44 44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
45bool disable_ertm; 47bool disable_ertm;
46 48
47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 49static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
@@ -330,44 +332,20 @@ static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331} 333}
332 334
333static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq) 335static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
334{ 336{
337 u16 seq = seq_list->head;
335 u16 mask = seq_list->mask; 338 u16 mask = seq_list->mask;
336 339
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) { 340 seq_list->head = seq_list->list[seq & mask];
338 /* In case someone tries to pop the head of an empty list */ 341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341 /* Head can be removed in constant time */
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350 /* Walk the list to find the sequence number */
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357 342
358 /* Unlink the number from the list and clear it */ 343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
359 seq_list->list[prev & mask] = seq_list->list[seq & mask]; 344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 } 346 }
364 return seq;
365}
366 347
367static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 348 return seq;
368{
369 /* Remove the head in constant time */
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371} 349}
372 350
373static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 351static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
@@ -506,7 +484,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
506 chan->sdu_len = 0; 484 chan->sdu_len = 0;
507 chan->tx_credits = 0; 485 chan->tx_credits = 0;
508 chan->rx_credits = le_max_credits; 486 chan->rx_credits = le_max_credits;
509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS); 487 chan->mps = min_t(u16, chan->imtu, le_default_mps);
510 488
511 skb_queue_head_init(&chan->tx_q); 489 skb_queue_head_init(&chan->tx_q);
512} 490}
@@ -522,18 +500,10 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
522 500
523 switch (chan->chan_type) { 501 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED: 502 case L2CAP_CHAN_CONN_ORIENTED:
525 if (conn->hcon->type == LE_LINK) { 503 /* Alloc CID for connection-oriented socket */
526 if (chan->dcid == L2CAP_CID_ATT) { 504 chan->scid = l2cap_alloc_cid(conn);
527 chan->omtu = L2CAP_DEFAULT_MTU; 505 if (conn->hcon->type == ACL_LINK)
528 chan->scid = L2CAP_CID_ATT;
529 } else {
530 chan->scid = l2cap_alloc_cid(conn);
531 }
532 } else {
533 /* Alloc CID for connection-oriented socket */
534 chan->scid = l2cap_alloc_cid(conn);
535 chan->omtu = L2CAP_DEFAULT_MTU; 506 chan->omtu = L2CAP_DEFAULT_MTU;
536 }
537 break; 507 break;
538 508
539 case L2CAP_CHAN_CONN_LESS: 509 case L2CAP_CHAN_CONN_LESS:
@@ -543,11 +513,8 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
543 chan->omtu = L2CAP_DEFAULT_MTU; 513 chan->omtu = L2CAP_DEFAULT_MTU;
544 break; 514 break;
545 515
546 case L2CAP_CHAN_CONN_FIX_A2MP: 516 case L2CAP_CHAN_FIXED:
547 chan->scid = L2CAP_CID_A2MP; 517 /* Caller will set CID and CID specific MTU values */
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break; 518 break;
552 519
553 default: 520 default:
@@ -595,7 +562,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
595 562
596 chan->conn = NULL; 563 chan->conn = NULL;
597 564
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP) 565 if (chan->scid != L2CAP_CID_A2MP)
599 hci_conn_drop(conn->hcon); 566 hci_conn_drop(conn->hcon);
600 567
601 if (mgr && mgr->bredr_chan == chan) 568 if (mgr && mgr->bredr_chan == chan)
@@ -642,6 +609,23 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
642 return; 609 return;
643} 610}
644 611
612void l2cap_conn_update_id_addr(struct hci_conn *hcon)
613{
614 struct l2cap_conn *conn = hcon->l2cap_data;
615 struct l2cap_chan *chan;
616
617 mutex_lock(&conn->chan_lock);
618
619 list_for_each_entry(chan, &conn->chan_l, list) {
620 l2cap_chan_lock(chan);
621 bacpy(&chan->dst, &hcon->dst);
622 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
623 l2cap_chan_unlock(chan);
624 }
625
626 mutex_unlock(&conn->chan_lock);
627}
628
645static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 629static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646{ 630{
647 struct l2cap_conn *conn = chan->conn; 631 struct l2cap_conn *conn = chan->conn;
@@ -699,10 +683,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
699 683
700 case BT_CONNECTED: 684 case BT_CONNECTED:
701 case BT_CONFIG: 685 case BT_CONFIG:
702 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also 686 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
703 * check for chan->psm.
704 */
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 687 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
707 l2cap_send_disconn_req(chan, reason); 688 l2cap_send_disconn_req(chan, reason);
708 } else 689 } else
@@ -737,6 +718,7 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
737 case L2CAP_CHAN_RAW: 718 case L2CAP_CHAN_RAW:
738 switch (chan->sec_level) { 719 switch (chan->sec_level) {
739 case BT_SECURITY_HIGH: 720 case BT_SECURITY_HIGH:
721 case BT_SECURITY_FIPS:
740 return HCI_AT_DEDICATED_BONDING_MITM; 722 return HCI_AT_DEDICATED_BONDING_MITM;
741 case BT_SECURITY_MEDIUM: 723 case BT_SECURITY_MEDIUM:
742 return HCI_AT_DEDICATED_BONDING; 724 return HCI_AT_DEDICATED_BONDING;
@@ -749,7 +731,8 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
749 if (chan->sec_level == BT_SECURITY_LOW) 731 if (chan->sec_level == BT_SECURITY_LOW)
750 chan->sec_level = BT_SECURITY_SDP; 732 chan->sec_level = BT_SECURITY_SDP;
751 } 733 }
752 if (chan->sec_level == BT_SECURITY_HIGH) 734 if (chan->sec_level == BT_SECURITY_HIGH ||
735 chan->sec_level == BT_SECURITY_FIPS)
753 return HCI_AT_NO_BONDING_MITM; 736 return HCI_AT_NO_BONDING_MITM;
754 else 737 else
755 return HCI_AT_NO_BONDING; 738 return HCI_AT_NO_BONDING;
@@ -759,7 +742,8 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
759 if (chan->sec_level == BT_SECURITY_LOW) 742 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP; 743 chan->sec_level = BT_SECURITY_SDP;
761 744
762 if (chan->sec_level == BT_SECURITY_HIGH) 745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
763 return HCI_AT_NO_BONDING_MITM; 747 return HCI_AT_NO_BONDING_MITM;
764 else 748 else
765 return HCI_AT_NO_BONDING; 749 return HCI_AT_NO_BONDING;
@@ -768,6 +752,7 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
768 default: 752 default:
769 switch (chan->sec_level) { 753 switch (chan->sec_level) {
770 case BT_SECURITY_HIGH: 754 case BT_SECURITY_HIGH:
755 case BT_SECURITY_FIPS:
771 return HCI_AT_GENERAL_BONDING_MITM; 756 return HCI_AT_GENERAL_BONDING_MITM;
772 case BT_SECURITY_MEDIUM: 757 case BT_SECURITY_MEDIUM:
773 return HCI_AT_GENERAL_BONDING; 758 return HCI_AT_GENERAL_BONDING;
@@ -1330,7 +1315,7 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1330 __clear_ack_timer(chan); 1315 __clear_ack_timer(chan);
1331 } 1316 }
1332 1317
1333 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1318 if (chan->scid == L2CAP_CID_A2MP) {
1334 l2cap_state_change(chan, BT_DISCONN); 1319 l2cap_state_change(chan, BT_DISCONN);
1335 return; 1320 return;
1336 } 1321 }
@@ -1493,8 +1478,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1493 if (!chan) 1478 if (!chan)
1494 goto clean; 1479 goto clean;
1495 1480
1496 chan->dcid = L2CAP_CID_ATT;
1497
1498 bacpy(&chan->src, &hcon->src); 1481 bacpy(&chan->src, &hcon->src);
1499 bacpy(&chan->dst, &hcon->dst); 1482 bacpy(&chan->dst, &hcon->dst);
1500 chan->src_type = bdaddr_type(hcon, hcon->src_type); 1483 chan->src_type = bdaddr_type(hcon, hcon->src_type);
@@ -1528,7 +1511,7 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1528 1511
1529 l2cap_chan_lock(chan); 1512 l2cap_chan_lock(chan);
1530 1513
1531 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1514 if (chan->scid == L2CAP_CID_A2MP) {
1532 l2cap_chan_unlock(chan); 1515 l2cap_chan_unlock(chan);
1533 continue; 1516 continue;
1534 } 1517 }
@@ -1546,6 +1529,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1546 } 1529 }
1547 1530
1548 mutex_unlock(&conn->chan_lock); 1531 mutex_unlock(&conn->chan_lock);
1532
1533 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1549} 1534}
1550 1535
1551/* Notify sockets that we cannot guaranty reliability anymore */ 1536/* Notify sockets that we cannot guaranty reliability anymore */
@@ -1671,6 +1656,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1671 1656
1672 kfree_skb(conn->rx_skb); 1657 kfree_skb(conn->rx_skb);
1673 1658
1659 skb_queue_purge(&conn->pending_rx);
1660 flush_work(&conn->pending_rx_work);
1661
1674 l2cap_unregister_all_users(conn); 1662 l2cap_unregister_all_users(conn);
1675 1663
1676 mutex_lock(&conn->chan_lock); 1664 mutex_lock(&conn->chan_lock);
@@ -1718,66 +1706,6 @@ static void security_timeout(struct work_struct *work)
1718 } 1706 }
1719} 1707}
1720 1708
1721static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1722{
1723 struct l2cap_conn *conn = hcon->l2cap_data;
1724 struct hci_chan *hchan;
1725
1726 if (conn)
1727 return conn;
1728
1729 hchan = hci_chan_create(hcon);
1730 if (!hchan)
1731 return NULL;
1732
1733 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1734 if (!conn) {
1735 hci_chan_del(hchan);
1736 return NULL;
1737 }
1738
1739 kref_init(&conn->ref);
1740 hcon->l2cap_data = conn;
1741 conn->hcon = hcon;
1742 hci_conn_get(conn->hcon);
1743 conn->hchan = hchan;
1744
1745 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1746
1747 switch (hcon->type) {
1748 case LE_LINK:
1749 if (hcon->hdev->le_mtu) {
1750 conn->mtu = hcon->hdev->le_mtu;
1751 break;
1752 }
1753 /* fall through */
1754 default:
1755 conn->mtu = hcon->hdev->acl_mtu;
1756 break;
1757 }
1758
1759 conn->feat_mask = 0;
1760
1761 if (hcon->type == ACL_LINK)
1762 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1763 &hcon->hdev->dev_flags);
1764
1765 spin_lock_init(&conn->lock);
1766 mutex_init(&conn->chan_lock);
1767
1768 INIT_LIST_HEAD(&conn->chan_l);
1769 INIT_LIST_HEAD(&conn->users);
1770
1771 if (hcon->type == LE_LINK)
1772 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1773 else
1774 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1775
1776 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1777
1778 return conn;
1779}
1780
1781static void l2cap_conn_free(struct kref *ref) 1709static void l2cap_conn_free(struct kref *ref)
1782{ 1710{
1783 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1711 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
@@ -1848,154 +1776,6 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1848 return c1; 1776 return c1;
1849} 1777}
1850 1778
1851static bool is_valid_psm(u16 psm, u8 dst_type)
1852{
1853 if (!psm)
1854 return false;
1855
1856 if (bdaddr_type_is_le(dst_type))
1857 return (psm <= 0x00ff);
1858
1859 /* PSM must be odd and lsb of upper byte must be 0 */
1860 return ((psm & 0x0101) == 0x0001);
1861}
1862
1863int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1864 bdaddr_t *dst, u8 dst_type)
1865{
1866 struct l2cap_conn *conn;
1867 struct hci_conn *hcon;
1868 struct hci_dev *hdev;
1869 __u8 auth_type;
1870 int err;
1871
1872 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
1873 dst_type, __le16_to_cpu(psm));
1874
1875 hdev = hci_get_route(dst, &chan->src);
1876 if (!hdev)
1877 return -EHOSTUNREACH;
1878
1879 hci_dev_lock(hdev);
1880
1881 l2cap_chan_lock(chan);
1882
1883 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
1884 chan->chan_type != L2CAP_CHAN_RAW) {
1885 err = -EINVAL;
1886 goto done;
1887 }
1888
1889 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1890 err = -EINVAL;
1891 goto done;
1892 }
1893
1894 switch (chan->mode) {
1895 case L2CAP_MODE_BASIC:
1896 break;
1897 case L2CAP_MODE_LE_FLOWCTL:
1898 l2cap_le_flowctl_init(chan);
1899 break;
1900 case L2CAP_MODE_ERTM:
1901 case L2CAP_MODE_STREAMING:
1902 if (!disable_ertm)
1903 break;
1904 /* fall through */
1905 default:
1906 err = -ENOTSUPP;
1907 goto done;
1908 }
1909
1910 switch (chan->state) {
1911 case BT_CONNECT:
1912 case BT_CONNECT2:
1913 case BT_CONFIG:
1914 /* Already connecting */
1915 err = 0;
1916 goto done;
1917
1918 case BT_CONNECTED:
1919 /* Already connected */
1920 err = -EISCONN;
1921 goto done;
1922
1923 case BT_OPEN:
1924 case BT_BOUND:
1925 /* Can connect */
1926 break;
1927
1928 default:
1929 err = -EBADFD;
1930 goto done;
1931 }
1932
1933 /* Set destination address and psm */
1934 bacpy(&chan->dst, dst);
1935 chan->dst_type = dst_type;
1936
1937 chan->psm = psm;
1938 chan->dcid = cid;
1939
1940 auth_type = l2cap_get_auth_type(chan);
1941
1942 if (bdaddr_type_is_le(dst_type))
1943 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1944 chan->sec_level, auth_type);
1945 else
1946 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1947 chan->sec_level, auth_type);
1948
1949 if (IS_ERR(hcon)) {
1950 err = PTR_ERR(hcon);
1951 goto done;
1952 }
1953
1954 conn = l2cap_conn_add(hcon);
1955 if (!conn) {
1956 hci_conn_drop(hcon);
1957 err = -ENOMEM;
1958 goto done;
1959 }
1960
1961 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1962 hci_conn_drop(hcon);
1963 err = -EBUSY;
1964 goto done;
1965 }
1966
1967 /* Update source addr of the socket */
1968 bacpy(&chan->src, &hcon->src);
1969 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1970
1971 l2cap_chan_unlock(chan);
1972 l2cap_chan_add(conn, chan);
1973 l2cap_chan_lock(chan);
1974
1975 /* l2cap_chan_add takes its own ref so we can drop this one */
1976 hci_conn_drop(hcon);
1977
1978 l2cap_state_change(chan, BT_CONNECT);
1979 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1980
1981 if (hcon->state == BT_CONNECTED) {
1982 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1983 __clear_chan_timer(chan);
1984 if (l2cap_chan_check_security(chan))
1985 l2cap_state_change(chan, BT_CONNECTED);
1986 } else
1987 l2cap_do_start(chan);
1988 }
1989
1990 err = 0;
1991
1992done:
1993 l2cap_chan_unlock(chan);
1994 hci_dev_unlock(hdev);
1995 hci_dev_put(hdev);
1996 return err;
1997}
1998
1999static void l2cap_monitor_timeout(struct work_struct *work) 1779static void l2cap_monitor_timeout(struct work_struct *work)
2000{ 1780{
2001 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1781 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
@@ -5709,7 +5489,7 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn,
5709{ 5489{
5710 struct l2cap_le_credits *pkt; 5490 struct l2cap_le_credits *pkt;
5711 struct l2cap_chan *chan; 5491 struct l2cap_chan *chan;
5712 u16 cid, credits; 5492 u16 cid, credits, max_credits;
5713 5493
5714 if (cmd_len != sizeof(*pkt)) 5494 if (cmd_len != sizeof(*pkt))
5715 return -EPROTO; 5495 return -EPROTO;
@@ -5724,6 +5504,17 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn,
5724 if (!chan) 5504 if (!chan)
5725 return -EBADSLT; 5505 return -EBADSLT;
5726 5506
5507 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5508 if (credits > max_credits) {
5509 BT_ERR("LE credits overflow");
5510 l2cap_send_disconn_req(chan, ECONNRESET);
5511
5512 /* Return 0 so that we don't trigger an unnecessary
5513 * command reject packet.
5514 */
5515 return 0;
5516 }
5517
5727 chan->tx_credits += credits; 5518 chan->tx_credits += credits;
5728 5519
5729 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 5520 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
@@ -5770,17 +5561,6 @@ static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5770{ 5561{
5771 int err = 0; 5562 int err = 0;
5772 5563
5773 if (!enable_lecoc) {
5774 switch (cmd->code) {
5775 case L2CAP_LE_CONN_REQ:
5776 case L2CAP_LE_CONN_RSP:
5777 case L2CAP_LE_CREDITS:
5778 case L2CAP_DISCONN_REQ:
5779 case L2CAP_DISCONN_RSP:
5780 return -EINVAL;
5781 }
5782 }
5783
5784 switch (cmd->code) { 5564 switch (cmd->code) {
5785 case L2CAP_COMMAND_REJ: 5565 case L2CAP_COMMAND_REJ:
5786 l2cap_le_command_rej(conn, cmd, cmd_len, data); 5566 l2cap_le_command_rej(conn, cmd, cmd_len, data);
@@ -6871,6 +6651,7 @@ static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6871 6651
6872 if (!chan->rx_credits) { 6652 if (!chan->rx_credits) {
6873 BT_ERR("No credits to receive LE L2CAP data"); 6653 BT_ERR("No credits to receive LE L2CAP data");
6654 l2cap_send_disconn_req(chan, ECONNRESET);
6874 return -ENOBUFS; 6655 return -ENOBUFS;
6875 } 6656 }
6876 6657
@@ -6995,8 +6776,10 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6995 * But we don't have any other choice. L2CAP doesn't 6776 * But we don't have any other choice. L2CAP doesn't
6996 * provide flow control mechanism. */ 6777 * provide flow control mechanism. */
6997 6778
6998 if (chan->imtu < skb->len) 6779 if (chan->imtu < skb->len) {
6780 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6999 goto drop; 6781 goto drop;
6782 }
7000 6783
7001 if (!chan->ops->recv(chan, skb)) 6784 if (!chan->ops->recv(chan, skb))
7002 goto done; 6785 goto done;
@@ -7084,9 +6867,16 @@ drop:
7084static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 6867static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7085{ 6868{
7086 struct l2cap_hdr *lh = (void *) skb->data; 6869 struct l2cap_hdr *lh = (void *) skb->data;
6870 struct hci_conn *hcon = conn->hcon;
7087 u16 cid, len; 6871 u16 cid, len;
7088 __le16 psm; 6872 __le16 psm;
7089 6873
6874 if (hcon->state != BT_CONNECTED) {
6875 BT_DBG("queueing pending rx skb");
6876 skb_queue_tail(&conn->pending_rx, skb);
6877 return;
6878 }
6879
7090 skb_pull(skb, L2CAP_HDR_SIZE); 6880 skb_pull(skb, L2CAP_HDR_SIZE);
7091 cid = __le16_to_cpu(lh->cid); 6881 cid = __le16_to_cpu(lh->cid);
7092 len = __le16_to_cpu(lh->len); 6882 len = __le16_to_cpu(lh->len);
@@ -7132,6 +6922,240 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7132 } 6922 }
7133} 6923}
7134 6924
6925static void process_pending_rx(struct work_struct *work)
6926{
6927 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6928 pending_rx_work);
6929 struct sk_buff *skb;
6930
6931 BT_DBG("");
6932
6933 while ((skb = skb_dequeue(&conn->pending_rx)))
6934 l2cap_recv_frame(conn, skb);
6935}
6936
6937static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6938{
6939 struct l2cap_conn *conn = hcon->l2cap_data;
6940 struct hci_chan *hchan;
6941
6942 if (conn)
6943 return conn;
6944
6945 hchan = hci_chan_create(hcon);
6946 if (!hchan)
6947 return NULL;
6948
6949 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6950 if (!conn) {
6951 hci_chan_del(hchan);
6952 return NULL;
6953 }
6954
6955 kref_init(&conn->ref);
6956 hcon->l2cap_data = conn;
6957 conn->hcon = hcon;
6958 hci_conn_get(conn->hcon);
6959 conn->hchan = hchan;
6960
6961 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6962
6963 switch (hcon->type) {
6964 case LE_LINK:
6965 if (hcon->hdev->le_mtu) {
6966 conn->mtu = hcon->hdev->le_mtu;
6967 break;
6968 }
6969 /* fall through */
6970 default:
6971 conn->mtu = hcon->hdev->acl_mtu;
6972 break;
6973 }
6974
6975 conn->feat_mask = 0;
6976
6977 if (hcon->type == ACL_LINK)
6978 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6979 &hcon->hdev->dev_flags);
6980
6981 spin_lock_init(&conn->lock);
6982 mutex_init(&conn->chan_lock);
6983
6984 INIT_LIST_HEAD(&conn->chan_l);
6985 INIT_LIST_HEAD(&conn->users);
6986
6987 if (hcon->type == LE_LINK)
6988 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
6989 else
6990 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6991
6992 skb_queue_head_init(&conn->pending_rx);
6993 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6994
6995 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6996
6997 return conn;
6998}
6999
7000static bool is_valid_psm(u16 psm, u8 dst_type) {
7001 if (!psm)
7002 return false;
7003
7004 if (bdaddr_type_is_le(dst_type))
7005 return (psm <= 0x00ff);
7006
7007 /* PSM must be odd and lsb of upper byte must be 0 */
7008 return ((psm & 0x0101) == 0x0001);
7009}
7010
7011int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7012 bdaddr_t *dst, u8 dst_type)
7013{
7014 struct l2cap_conn *conn;
7015 struct hci_conn *hcon;
7016 struct hci_dev *hdev;
7017 __u8 auth_type;
7018 int err;
7019
7020 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7021 dst_type, __le16_to_cpu(psm));
7022
7023 hdev = hci_get_route(dst, &chan->src);
7024 if (!hdev)
7025 return -EHOSTUNREACH;
7026
7027 hci_dev_lock(hdev);
7028
7029 l2cap_chan_lock(chan);
7030
7031 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7032 chan->chan_type != L2CAP_CHAN_RAW) {
7033 err = -EINVAL;
7034 goto done;
7035 }
7036
7037 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7038 err = -EINVAL;
7039 goto done;
7040 }
7041
7042 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7043 err = -EINVAL;
7044 goto done;
7045 }
7046
7047 switch (chan->mode) {
7048 case L2CAP_MODE_BASIC:
7049 break;
7050 case L2CAP_MODE_LE_FLOWCTL:
7051 l2cap_le_flowctl_init(chan);
7052 break;
7053 case L2CAP_MODE_ERTM:
7054 case L2CAP_MODE_STREAMING:
7055 if (!disable_ertm)
7056 break;
7057 /* fall through */
7058 default:
7059 err = -ENOTSUPP;
7060 goto done;
7061 }
7062
7063 switch (chan->state) {
7064 case BT_CONNECT:
7065 case BT_CONNECT2:
7066 case BT_CONFIG:
7067 /* Already connecting */
7068 err = 0;
7069 goto done;
7070
7071 case BT_CONNECTED:
7072 /* Already connected */
7073 err = -EISCONN;
7074 goto done;
7075
7076 case BT_OPEN:
7077 case BT_BOUND:
7078 /* Can connect */
7079 break;
7080
7081 default:
7082 err = -EBADFD;
7083 goto done;
7084 }
7085
7086 /* Set destination address and psm */
7087 bacpy(&chan->dst, dst);
7088 chan->dst_type = dst_type;
7089
7090 chan->psm = psm;
7091 chan->dcid = cid;
7092
7093 auth_type = l2cap_get_auth_type(chan);
7094
7095 if (bdaddr_type_is_le(dst_type))
7096 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
7097 chan->sec_level, auth_type);
7098 else
7099 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
7100 chan->sec_level, auth_type);
7101
7102 if (IS_ERR(hcon)) {
7103 err = PTR_ERR(hcon);
7104 goto done;
7105 }
7106
7107 conn = l2cap_conn_add(hcon);
7108 if (!conn) {
7109 hci_conn_drop(hcon);
7110 err = -ENOMEM;
7111 goto done;
7112 }
7113
7114 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7115 hci_conn_drop(hcon);
7116 err = -EBUSY;
7117 goto done;
7118 }
7119
7120 /* Update source addr of the socket */
7121 bacpy(&chan->src, &hcon->src);
7122 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7123
7124 l2cap_chan_unlock(chan);
7125 l2cap_chan_add(conn, chan);
7126 l2cap_chan_lock(chan);
7127
7128 /* l2cap_chan_add takes its own ref so we can drop this one */
7129 hci_conn_drop(hcon);
7130
7131 l2cap_state_change(chan, BT_CONNECT);
7132 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7133
7134 /* Release chan->sport so that it can be reused by other
7135 * sockets (as it's only used for listening sockets).
7136 */
7137 write_lock(&chan_list_lock);
7138 chan->sport = 0;
7139 write_unlock(&chan_list_lock);
7140
7141 if (hcon->state == BT_CONNECTED) {
7142 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7143 __clear_chan_timer(chan);
7144 if (l2cap_chan_check_security(chan))
7145 l2cap_state_change(chan, BT_CONNECTED);
7146 } else
7147 l2cap_do_start(chan);
7148 }
7149
7150 err = 0;
7151
7152done:
7153 l2cap_chan_unlock(chan);
7154 hci_dev_unlock(hdev);
7155 hci_dev_put(hdev);
7156 return err;
7157}
7158
7135/* ---- L2CAP interface with lower layer (HCI) ---- */ 7159/* ---- L2CAP interface with lower layer (HCI) ---- */
7136 7160
7137int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 7161int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -7206,7 +7230,8 @@ static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7206 if (encrypt == 0x00) { 7230 if (encrypt == 0x00) {
7207 if (chan->sec_level == BT_SECURITY_MEDIUM) { 7231 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7208 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 7232 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7209 } else if (chan->sec_level == BT_SECURITY_HIGH) 7233 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7234 chan->sec_level == BT_SECURITY_FIPS)
7210 l2cap_chan_close(chan, ECONNREFUSED); 7235 l2cap_chan_close(chan, ECONNREFUSED);
7211 } else { 7236 } else {
7212 if (chan->sec_level == BT_SECURITY_MEDIUM) 7237 if (chan->sec_level == BT_SECURITY_MEDIUM)
@@ -7238,7 +7263,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7238 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 7263 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7239 state_to_string(chan->state)); 7264 state_to_string(chan->state));
7240 7265
7241 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 7266 if (chan->scid == L2CAP_CID_A2MP) {
7242 l2cap_chan_unlock(chan); 7267 l2cap_chan_unlock(chan);
7243 continue; 7268 continue;
7244 } 7269 }
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index d58f76bcebd1..b247f9d27fed 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -36,8 +36,6 @@
36 36
37#include "smp.h" 37#include "smp.h"
38 38
39bool enable_lecoc;
40
41static struct bt_sock_list l2cap_sk_list = { 39static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43}; 41};
@@ -101,9 +99,16 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL; 100 return -EINVAL;
103 101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 if (!enable_lecoc && la.l2_psm)
106 return -EINVAL;
107 /* We only allow ATT user space socket */ 112 /* We only allow ATT user space socket */
108 if (la.l2_cid && 113 if (la.l2_cid &&
109 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 114 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT))
@@ -220,8 +225,6 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
220 return -EINVAL; 225 return -EINVAL;
221 226
222 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 227 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
223 if (!enable_lecoc && la.l2_psm)
224 return -EINVAL;
225 /* We only allow ATT user space socket */ 228 /* We only allow ATT user space socket */
226 if (la.l2_cid && 229 if (la.l2_cid &&
227 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 230 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT))
@@ -357,17 +360,20 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
357 360
358 BT_DBG("sock %p, sk %p", sock, sk); 361 BT_DBG("sock %p, sk %p", sock, sk);
359 362
363 if (peer && sk->sk_state != BT_CONNECTED)
364 return -ENOTCONN;
365
360 memset(la, 0, sizeof(struct sockaddr_l2)); 366 memset(la, 0, sizeof(struct sockaddr_l2));
361 addr->sa_family = AF_BLUETOOTH; 367 addr->sa_family = AF_BLUETOOTH;
362 *len = sizeof(struct sockaddr_l2); 368 *len = sizeof(struct sockaddr_l2);
363 369
370 la->l2_psm = chan->psm;
371
364 if (peer) { 372 if (peer) {
365 la->l2_psm = chan->psm;
366 bacpy(&la->l2_bdaddr, &chan->dst); 373 bacpy(&la->l2_bdaddr, &chan->dst);
367 la->l2_cid = cpu_to_le16(chan->dcid); 374 la->l2_cid = cpu_to_le16(chan->dcid);
368 la->l2_bdaddr_type = chan->dst_type; 375 la->l2_bdaddr_type = chan->dst_type;
369 } else { 376 } else {
370 la->l2_psm = chan->sport;
371 bacpy(&la->l2_bdaddr, &chan->src); 377 bacpy(&la->l2_bdaddr, &chan->src);
372 la->l2_cid = cpu_to_le16(chan->scid); 378 la->l2_cid = cpu_to_le16(chan->scid);
373 la->l2_bdaddr_type = chan->src_type; 379 la->l2_bdaddr_type = chan->src_type;
@@ -432,6 +438,10 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
432 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 438 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
433 L2CAP_LM_SECURE; 439 L2CAP_LM_SECURE;
434 break; 440 break;
441 case BT_SECURITY_FIPS:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
443 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
444 break;
435 default: 445 default:
436 opt = 0; 446 opt = 0;
437 break; 447 break;
@@ -445,6 +455,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
445 455
446 if (put_user(opt, (u32 __user *) optval)) 456 if (put_user(opt, (u32 __user *) optval))
447 err = -EFAULT; 457 err = -EFAULT;
458
448 break; 459 break;
449 460
450 case L2CAP_CONNINFO: 461 case L2CAP_CONNINFO:
@@ -499,6 +510,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
499 switch (optname) { 510 switch (optname) {
500 case BT_SECURITY: 511 case BT_SECURITY:
501 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 512 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
513 chan->chan_type != L2CAP_CHAN_FIXED &&
502 chan->chan_type != L2CAP_CHAN_RAW) { 514 chan->chan_type != L2CAP_CHAN_RAW) {
503 err = -EINVAL; 515 err = -EINVAL;
504 break; 516 break;
@@ -560,11 +572,6 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
560 break; 572 break;
561 573
562 case BT_SNDMTU: 574 case BT_SNDMTU:
563 if (!enable_lecoc) {
564 err = -EPROTONOSUPPORT;
565 break;
566 }
567
568 if (!bdaddr_type_is_le(chan->src_type)) { 575 if (!bdaddr_type_is_le(chan->src_type)) {
569 err = -EINVAL; 576 err = -EINVAL;
570 break; 577 break;
@@ -580,11 +587,6 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
580 break; 587 break;
581 588
582 case BT_RCVMTU: 589 case BT_RCVMTU:
583 if (!enable_lecoc) {
584 err = -EPROTONOSUPPORT;
585 break;
586 }
587
588 if (!bdaddr_type_is_le(chan->src_type)) { 590 if (!bdaddr_type_is_le(chan->src_type)) {
589 err = -EINVAL; 591 err = -EINVAL;
590 break; 592 break;
@@ -699,6 +701,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
699 break; 701 break;
700 } 702 }
701 703
704 if (opt & L2CAP_LM_FIPS) {
705 err = -EINVAL;
706 break;
707 }
708
702 if (opt & L2CAP_LM_AUTH) 709 if (opt & L2CAP_LM_AUTH)
703 chan->sec_level = BT_SECURITY_LOW; 710 chan->sec_level = BT_SECURITY_LOW;
704 if (opt & L2CAP_LM_ENCRYPT) 711 if (opt & L2CAP_LM_ENCRYPT)
@@ -750,6 +757,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
750 switch (optname) { 757 switch (optname) {
751 case BT_SECURITY: 758 case BT_SECURITY:
752 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 759 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
760 chan->chan_type != L2CAP_CHAN_FIXED &&
753 chan->chan_type != L2CAP_CHAN_RAW) { 761 chan->chan_type != L2CAP_CHAN_RAW) {
754 err = -EINVAL; 762 err = -EINVAL;
755 break; 763 break;
@@ -895,11 +903,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
895 break; 903 break;
896 904
897 case BT_SNDMTU: 905 case BT_SNDMTU:
898 if (!enable_lecoc) {
899 err = -EPROTONOSUPPORT;
900 break;
901 }
902
903 if (!bdaddr_type_is_le(chan->src_type)) { 906 if (!bdaddr_type_is_le(chan->src_type)) {
904 err = -EINVAL; 907 err = -EINVAL;
905 break; 908 break;
@@ -912,11 +915,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
912 break; 915 break;
913 916
914 case BT_RCVMTU: 917 case BT_RCVMTU:
915 if (!enable_lecoc) {
916 err = -EPROTONOSUPPORT;
917 break;
918 }
919
920 if (!bdaddr_type_is_le(chan->src_type)) { 918 if (!bdaddr_type_is_le(chan->src_type)) {
921 err = -EINVAL; 919 err = -EINVAL;
922 break; 920 break;
@@ -1449,6 +1447,11 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1449 chan->tx_credits = pchan->tx_credits; 1447 chan->tx_credits = pchan->tx_credits;
1450 chan->rx_credits = pchan->rx_credits; 1448 chan->rx_credits = pchan->rx_credits;
1451 1449
1450 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1451 chan->scid = pchan->scid;
1452 chan->dcid = pchan->scid;
1453 }
1454
1452 security_sk_clone(parent, sk); 1455 security_sk_clone(parent, sk);
1453 } else { 1456 } else {
1454 switch (sk->sk_type) { 1457 switch (sk->sk_type) {
@@ -1614,6 +1617,3 @@ void l2cap_cleanup_sockets(void)
1614 bt_sock_unregister(BTPROTO_L2CAP); 1617 bt_sock_unregister(BTPROTO_L2CAP);
1615 proto_unregister(&l2cap_proto); 1618 proto_unregister(&l2cap_proto);
1616} 1619}
1617
1618module_param(enable_lecoc, bool, 0644);
1619MODULE_PARM_DESC(enable_lecoc, "Enable support for LE CoC");
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index a03ca3ca91bf..12fa6399c796 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -34,7 +34,7 @@
34#include "smp.h" 34#include "smp.h"
35 35
36#define MGMT_VERSION 1 36#define MGMT_VERSION 1
37#define MGMT_REVISION 4 37#define MGMT_REVISION 5
38 38
39static const u16 mgmt_commands[] = { 39static const u16 mgmt_commands[] = {
40 MGMT_OP_READ_INDEX_LIST, 40 MGMT_OP_READ_INDEX_LIST,
@@ -79,6 +79,9 @@ static const u16 mgmt_commands[] = {
79 MGMT_OP_SET_BREDR, 79 MGMT_OP_SET_BREDR,
80 MGMT_OP_SET_STATIC_ADDRESS, 80 MGMT_OP_SET_STATIC_ADDRESS,
81 MGMT_OP_SET_SCAN_PARAMS, 81 MGMT_OP_SET_SCAN_PARAMS,
82 MGMT_OP_SET_SECURE_CONN,
83 MGMT_OP_SET_DEBUG_KEYS,
84 MGMT_OP_LOAD_IRKS,
82}; 85};
83 86
84static const u16 mgmt_events[] = { 87static const u16 mgmt_events[] = {
@@ -127,7 +130,7 @@ static u8 mgmt_status_table[] = {
127 MGMT_STATUS_FAILED, /* Hardware Failure */ 130 MGMT_STATUS_FAILED, /* Hardware Failure */
128 MGMT_STATUS_CONNECT_FAILED, /* Page Timeout */ 131 MGMT_STATUS_CONNECT_FAILED, /* Page Timeout */
129 MGMT_STATUS_AUTH_FAILED, /* Authentication Failed */ 132 MGMT_STATUS_AUTH_FAILED, /* Authentication Failed */
130 MGMT_STATUS_NOT_PAIRED, /* PIN or Key Missing */ 133 MGMT_STATUS_AUTH_FAILED, /* PIN or Key Missing */
131 MGMT_STATUS_NO_RESOURCES, /* Memory Full */ 134 MGMT_STATUS_NO_RESOURCES, /* Memory Full */
132 MGMT_STATUS_TIMEOUT, /* Connection Timeout */ 135 MGMT_STATUS_TIMEOUT, /* Connection Timeout */
133 MGMT_STATUS_NO_RESOURCES, /* Max Number of Connections */ 136 MGMT_STATUS_NO_RESOURCES, /* Max Number of Connections */
@@ -363,6 +366,7 @@ static u32 get_supported_settings(struct hci_dev *hdev)
363 366
364 settings |= MGMT_SETTING_POWERED; 367 settings |= MGMT_SETTING_POWERED;
365 settings |= MGMT_SETTING_PAIRABLE; 368 settings |= MGMT_SETTING_PAIRABLE;
369 settings |= MGMT_SETTING_DEBUG_KEYS;
366 370
367 if (lmp_bredr_capable(hdev)) { 371 if (lmp_bredr_capable(hdev)) {
368 settings |= MGMT_SETTING_CONNECTABLE; 372 settings |= MGMT_SETTING_CONNECTABLE;
@@ -376,6 +380,10 @@ static u32 get_supported_settings(struct hci_dev *hdev)
376 settings |= MGMT_SETTING_SSP; 380 settings |= MGMT_SETTING_SSP;
377 settings |= MGMT_SETTING_HS; 381 settings |= MGMT_SETTING_HS;
378 } 382 }
383
384 if (lmp_sc_capable(hdev) ||
385 test_bit(HCI_FORCE_SC, &hdev->dev_flags))
386 settings |= MGMT_SETTING_SECURE_CONN;
379 } 387 }
380 388
381 if (lmp_le_capable(hdev)) { 389 if (lmp_le_capable(hdev)) {
@@ -423,6 +431,12 @@ static u32 get_current_settings(struct hci_dev *hdev)
423 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) 431 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
424 settings |= MGMT_SETTING_ADVERTISING; 432 settings |= MGMT_SETTING_ADVERTISING;
425 433
434 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
435 settings |= MGMT_SETTING_SECURE_CONN;
436
437 if (test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags))
438 settings |= MGMT_SETTING_DEBUG_KEYS;
439
426 return settings; 440 return settings;
427} 441}
428 442
@@ -629,14 +643,8 @@ static u8 create_adv_data(struct hci_dev *hdev, u8 *ptr)
629 643
630 flags |= get_adv_discov_flags(hdev); 644 flags |= get_adv_discov_flags(hdev);
631 645
632 if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) { 646 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
633 if (lmp_le_br_capable(hdev))
634 flags |= LE_AD_SIM_LE_BREDR_CTRL;
635 if (lmp_host_le_br_capable(hdev))
636 flags |= LE_AD_SIM_LE_BREDR_HOST;
637 } else {
638 flags |= LE_AD_NO_BREDR; 647 flags |= LE_AD_NO_BREDR;
639 }
640 648
641 if (flags) { 649 if (flags) {
642 BT_DBG("adv flags 0x%02x", flags); 650 BT_DBG("adv flags 0x%02x", flags);
@@ -1366,7 +1374,7 @@ static void enable_advertising(struct hci_request *req)
1366 cp.max_interval = __constant_cpu_to_le16(0x0800); 1374 cp.max_interval = __constant_cpu_to_le16(0x0800);
1367 cp.type = get_adv_type(hdev); 1375 cp.type = get_adv_type(hdev);
1368 cp.own_address_type = hdev->own_addr_type; 1376 cp.own_address_type = hdev->own_addr_type;
1369 cp.channel_map = 0x07; 1377 cp.channel_map = hdev->le_adv_channel_map;
1370 1378
1371 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp); 1379 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
1372 1380
@@ -2065,7 +2073,7 @@ static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2065 } 2073 }
2066 2074
2067 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 2075 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2068 err = hci_uuids_clear(hdev); 2076 hci_uuids_clear(hdev);
2069 2077
2070 if (enable_service_cache(hdev)) { 2078 if (enable_service_cache(hdev)) {
2071 err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 2079 err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID,
@@ -2205,6 +2213,7 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2205{ 2213{
2206 struct mgmt_cp_load_link_keys *cp = data; 2214 struct mgmt_cp_load_link_keys *cp = data;
2207 u16 key_count, expected_len; 2215 u16 key_count, expected_len;
2216 bool changed;
2208 int i; 2217 int i;
2209 2218
2210 BT_DBG("request for %s", hdev->name); 2219 BT_DBG("request for %s", hdev->name);
@@ -2234,7 +2243,7 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2234 for (i = 0; i < key_count; i++) { 2243 for (i = 0; i < key_count; i++) {
2235 struct mgmt_link_key_info *key = &cp->keys[i]; 2244 struct mgmt_link_key_info *key = &cp->keys[i];
2236 2245
2237 if (key->addr.type != BDADDR_BREDR) 2246 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2238 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 2247 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2239 MGMT_STATUS_INVALID_PARAMS); 2248 MGMT_STATUS_INVALID_PARAMS);
2240 } 2249 }
@@ -2244,9 +2253,12 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2244 hci_link_keys_clear(hdev); 2253 hci_link_keys_clear(hdev);
2245 2254
2246 if (cp->debug_keys) 2255 if (cp->debug_keys)
2247 set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags); 2256 changed = !test_and_set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2248 else 2257 else
2249 clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags); 2258 changed = test_and_clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2259
2260 if (changed)
2261 new_settings(hdev, NULL);
2250 2262
2251 for (i = 0; i < key_count; i++) { 2263 for (i = 0; i < key_count; i++) {
2252 struct mgmt_link_key_info *key = &cp->keys[i]; 2264 struct mgmt_link_key_info *key = &cp->keys[i];
@@ -2306,10 +2318,20 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2306 goto unlock; 2318 goto unlock;
2307 } 2319 }
2308 2320
2309 if (cp->addr.type == BDADDR_BREDR) 2321 if (cp->addr.type == BDADDR_BREDR) {
2310 err = hci_remove_link_key(hdev, &cp->addr.bdaddr); 2322 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2311 else 2323 } else {
2312 err = hci_remove_ltk(hdev, &cp->addr.bdaddr); 2324 u8 addr_type;
2325
2326 if (cp->addr.type == BDADDR_LE_PUBLIC)
2327 addr_type = ADDR_LE_DEV_PUBLIC;
2328 else
2329 addr_type = ADDR_LE_DEV_RANDOM;
2330
2331 hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2332
2333 err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2334 }
2313 2335
2314 if (err < 0) { 2336 if (err < 0) {
2315 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 2337 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
@@ -2633,6 +2655,16 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status)
2633 mgmt_pending_remove(cmd); 2655 mgmt_pending_remove(cmd);
2634} 2656}
2635 2657
2658void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2659{
2660 u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2661 struct pending_cmd *cmd;
2662
2663 cmd = find_pairing(conn);
2664 if (cmd)
2665 pairing_complete(cmd, status);
2666}
2667
2636static void pairing_complete_cb(struct hci_conn *conn, u8 status) 2668static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2637{ 2669{
2638 struct pending_cmd *cmd; 2670 struct pending_cmd *cmd;
@@ -2646,7 +2678,7 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2646 pairing_complete(cmd, mgmt_status(status)); 2678 pairing_complete(cmd, mgmt_status(status));
2647} 2679}
2648 2680
2649static void le_connect_complete_cb(struct hci_conn *conn, u8 status) 2681static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2650{ 2682{
2651 struct pending_cmd *cmd; 2683 struct pending_cmd *cmd;
2652 2684
@@ -2733,13 +2765,16 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2733 } 2765 }
2734 2766
2735 /* For LE, just connecting isn't a proof that the pairing finished */ 2767 /* For LE, just connecting isn't a proof that the pairing finished */
2736 if (cp->addr.type == BDADDR_BREDR) 2768 if (cp->addr.type == BDADDR_BREDR) {
2737 conn->connect_cfm_cb = pairing_complete_cb; 2769 conn->connect_cfm_cb = pairing_complete_cb;
2738 else 2770 conn->security_cfm_cb = pairing_complete_cb;
2739 conn->connect_cfm_cb = le_connect_complete_cb; 2771 conn->disconn_cfm_cb = pairing_complete_cb;
2772 } else {
2773 conn->connect_cfm_cb = le_pairing_complete_cb;
2774 conn->security_cfm_cb = le_pairing_complete_cb;
2775 conn->disconn_cfm_cb = le_pairing_complete_cb;
2776 }
2740 2777
2741 conn->security_cfm_cb = pairing_complete_cb;
2742 conn->disconn_cfm_cb = pairing_complete_cb;
2743 conn->io_capability = cp->io_cap; 2778 conn->io_capability = cp->io_cap;
2744 cmd->user_data = conn; 2779 cmd->user_data = conn;
2745 2780
@@ -3071,7 +3106,12 @@ static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3071 goto unlock; 3106 goto unlock;
3072 } 3107 }
3073 3108
3074 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL); 3109 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
3110 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3111 0, NULL);
3112 else
3113 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3114
3075 if (err < 0) 3115 if (err < 0)
3076 mgmt_pending_remove(cmd); 3116 mgmt_pending_remove(cmd);
3077 3117
@@ -3083,23 +3123,46 @@ unlock:
3083static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev, 3123static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3084 void *data, u16 len) 3124 void *data, u16 len)
3085{ 3125{
3086 struct mgmt_cp_add_remote_oob_data *cp = data;
3087 u8 status;
3088 int err; 3126 int err;
3089 3127
3090 BT_DBG("%s ", hdev->name); 3128 BT_DBG("%s ", hdev->name);
3091 3129
3092 hci_dev_lock(hdev); 3130 hci_dev_lock(hdev);
3093 3131
3094 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr, cp->hash, 3132 if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3095 cp->randomizer); 3133 struct mgmt_cp_add_remote_oob_data *cp = data;
3096 if (err < 0) 3134 u8 status;
3097 status = MGMT_STATUS_FAILED;
3098 else
3099 status = MGMT_STATUS_SUCCESS;
3100 3135
3101 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA, status, 3136 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3102 &cp->addr, sizeof(cp->addr)); 3137 cp->hash, cp->randomizer);
3138 if (err < 0)
3139 status = MGMT_STATUS_FAILED;
3140 else
3141 status = MGMT_STATUS_SUCCESS;
3142
3143 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3144 status, &cp->addr, sizeof(cp->addr));
3145 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3146 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3147 u8 status;
3148
3149 err = hci_add_remote_oob_ext_data(hdev, &cp->addr.bdaddr,
3150 cp->hash192,
3151 cp->randomizer192,
3152 cp->hash256,
3153 cp->randomizer256);
3154 if (err < 0)
3155 status = MGMT_STATUS_FAILED;
3156 else
3157 status = MGMT_STATUS_SUCCESS;
3158
3159 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3160 status, &cp->addr, sizeof(cp->addr));
3161 } else {
3162 BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3163 err = cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3164 MGMT_STATUS_INVALID_PARAMS);
3165 }
3103 3166
3104 hci_dev_unlock(hdev); 3167 hci_dev_unlock(hdev);
3105 return err; 3168 return err;
@@ -3999,15 +4062,219 @@ unlock:
3999 return err; 4062 return err;
4000} 4063}
4001 4064
4065static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4066 void *data, u16 len)
4067{
4068 struct mgmt_mode *cp = data;
4069 struct pending_cmd *cmd;
4070 u8 val, status;
4071 int err;
4072
4073 BT_DBG("request for %s", hdev->name);
4074
4075 status = mgmt_bredr_support(hdev);
4076 if (status)
4077 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4078 status);
4079
4080 if (!lmp_sc_capable(hdev) &&
4081 !test_bit(HCI_FORCE_SC, &hdev->dev_flags))
4082 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4083 MGMT_STATUS_NOT_SUPPORTED);
4084
4085 if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4086 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4087 MGMT_STATUS_INVALID_PARAMS);
4088
4089 hci_dev_lock(hdev);
4090
4091 if (!hdev_is_powered(hdev)) {
4092 bool changed;
4093
4094 if (cp->val) {
4095 changed = !test_and_set_bit(HCI_SC_ENABLED,
4096 &hdev->dev_flags);
4097 if (cp->val == 0x02)
4098 set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4099 else
4100 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4101 } else {
4102 changed = test_and_clear_bit(HCI_SC_ENABLED,
4103 &hdev->dev_flags);
4104 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4105 }
4106
4107 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4108 if (err < 0)
4109 goto failed;
4110
4111 if (changed)
4112 err = new_settings(hdev, sk);
4113
4114 goto failed;
4115 }
4116
4117 if (mgmt_pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4118 err = cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4119 MGMT_STATUS_BUSY);
4120 goto failed;
4121 }
4122
4123 val = !!cp->val;
4124
4125 if (val == test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
4126 (cp->val == 0x02) == test_bit(HCI_SC_ONLY, &hdev->dev_flags)) {
4127 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4128 goto failed;
4129 }
4130
4131 cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4132 if (!cmd) {
4133 err = -ENOMEM;
4134 goto failed;
4135 }
4136
4137 err = hci_send_cmd(hdev, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4138 if (err < 0) {
4139 mgmt_pending_remove(cmd);
4140 goto failed;
4141 }
4142
4143 if (cp->val == 0x02)
4144 set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4145 else
4146 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4147
4148failed:
4149 hci_dev_unlock(hdev);
4150 return err;
4151}
4152
4153static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4154 void *data, u16 len)
4155{
4156 struct mgmt_mode *cp = data;
4157 bool changed;
4158 int err;
4159
4160 BT_DBG("request for %s", hdev->name);
4161
4162 if (cp->val != 0x00 && cp->val != 0x01)
4163 return cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4164 MGMT_STATUS_INVALID_PARAMS);
4165
4166 hci_dev_lock(hdev);
4167
4168 if (cp->val)
4169 changed = !test_and_set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
4170 else
4171 changed = test_and_clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
4172
4173 err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4174 if (err < 0)
4175 goto unlock;
4176
4177 if (changed)
4178 err = new_settings(hdev, sk);
4179
4180unlock:
4181 hci_dev_unlock(hdev);
4182 return err;
4183}
4184
4185static bool irk_is_valid(struct mgmt_irk_info *irk)
4186{
4187 switch (irk->addr.type) {
4188 case BDADDR_LE_PUBLIC:
4189 return true;
4190
4191 case BDADDR_LE_RANDOM:
4192 /* Two most significant bits shall be set */
4193 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4194 return false;
4195 return true;
4196 }
4197
4198 return false;
4199}
4200
4201static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4202 u16 len)
4203{
4204 struct mgmt_cp_load_irks *cp = cp_data;
4205 u16 irk_count, expected_len;
4206 int i, err;
4207
4208 BT_DBG("request for %s", hdev->name);
4209
4210 if (!lmp_le_capable(hdev))
4211 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4212 MGMT_STATUS_NOT_SUPPORTED);
4213
4214 irk_count = __le16_to_cpu(cp->irk_count);
4215
4216 expected_len = sizeof(*cp) + irk_count * sizeof(struct mgmt_irk_info);
4217 if (expected_len != len) {
4218 BT_ERR("load_irks: expected %u bytes, got %u bytes",
4219 len, expected_len);
4220 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4221 MGMT_STATUS_INVALID_PARAMS);
4222 }
4223
4224 BT_DBG("%s irk_count %u", hdev->name, irk_count);
4225
4226 for (i = 0; i < irk_count; i++) {
4227 struct mgmt_irk_info *key = &cp->irks[i];
4228
4229 if (!irk_is_valid(key))
4230 return cmd_status(sk, hdev->id,
4231 MGMT_OP_LOAD_IRKS,
4232 MGMT_STATUS_INVALID_PARAMS);
4233 }
4234
4235 hci_dev_lock(hdev);
4236
4237 hci_smp_irks_clear(hdev);
4238
4239 for (i = 0; i < irk_count; i++) {
4240 struct mgmt_irk_info *irk = &cp->irks[i];
4241 u8 addr_type;
4242
4243 if (irk->addr.type == BDADDR_LE_PUBLIC)
4244 addr_type = ADDR_LE_DEV_PUBLIC;
4245 else
4246 addr_type = ADDR_LE_DEV_RANDOM;
4247
4248 hci_add_irk(hdev, &irk->addr.bdaddr, addr_type, irk->val,
4249 BDADDR_ANY);
4250 }
4251
4252 set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4253
4254 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
4255
4256 hci_dev_unlock(hdev);
4257
4258 return err;
4259}
4260
4002static bool ltk_is_valid(struct mgmt_ltk_info *key) 4261static bool ltk_is_valid(struct mgmt_ltk_info *key)
4003{ 4262{
4004 if (key->authenticated != 0x00 && key->authenticated != 0x01)
4005 return false;
4006 if (key->master != 0x00 && key->master != 0x01) 4263 if (key->master != 0x00 && key->master != 0x01)
4007 return false; 4264 return false;
4008 if (!bdaddr_type_is_le(key->addr.type)) 4265
4009 return false; 4266 switch (key->addr.type) {
4010 return true; 4267 case BDADDR_LE_PUBLIC:
4268 return true;
4269
4270 case BDADDR_LE_RANDOM:
4271 /* Two most significant bits shall be set */
4272 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4273 return false;
4274 return true;
4275 }
4276
4277 return false;
4011} 4278}
4012 4279
4013static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev, 4280static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
@@ -4063,9 +4330,9 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4063 else 4330 else
4064 type = HCI_SMP_LTK_SLAVE; 4331 type = HCI_SMP_LTK_SLAVE;
4065 4332
4066 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, 4333 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
4067 type, 0, key->authenticated, key->val, 4334 key->type, key->val, key->enc_size, key->ediv,
4068 key->enc_size, key->ediv, key->rand); 4335 key->rand);
4069 } 4336 }
4070 4337
4071 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0, 4338 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
@@ -4115,7 +4382,7 @@ static const struct mgmt_handler {
4115 { user_passkey_reply, false, MGMT_USER_PASSKEY_REPLY_SIZE }, 4382 { user_passkey_reply, false, MGMT_USER_PASSKEY_REPLY_SIZE },
4116 { user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE }, 4383 { user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
4117 { read_local_oob_data, false, MGMT_READ_LOCAL_OOB_DATA_SIZE }, 4384 { read_local_oob_data, false, MGMT_READ_LOCAL_OOB_DATA_SIZE },
4118 { add_remote_oob_data, false, MGMT_ADD_REMOTE_OOB_DATA_SIZE }, 4385 { add_remote_oob_data, true, MGMT_ADD_REMOTE_OOB_DATA_SIZE },
4119 { remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE }, 4386 { remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
4120 { start_discovery, false, MGMT_START_DISCOVERY_SIZE }, 4387 { start_discovery, false, MGMT_START_DISCOVERY_SIZE },
4121 { stop_discovery, false, MGMT_STOP_DISCOVERY_SIZE }, 4388 { stop_discovery, false, MGMT_STOP_DISCOVERY_SIZE },
@@ -4127,6 +4394,10 @@ static const struct mgmt_handler {
4127 { set_bredr, false, MGMT_SETTING_SIZE }, 4394 { set_bredr, false, MGMT_SETTING_SIZE },
4128 { set_static_address, false, MGMT_SET_STATIC_ADDRESS_SIZE }, 4395 { set_static_address, false, MGMT_SET_STATIC_ADDRESS_SIZE },
4129 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE }, 4396 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE },
4397 { set_secure_conn, false, MGMT_SETTING_SIZE },
4398 { set_debug_keys, false, MGMT_SETTING_SIZE },
4399 { },
4400 { load_irks, true, MGMT_LOAD_IRKS_SIZE },
4130}; 4401};
4131 4402
4132 4403
@@ -4494,16 +4765,32 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
4494 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL); 4765 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
4495} 4766}
4496 4767
4497void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, u8 persistent) 4768void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key)
4498{ 4769{
4499 struct mgmt_ev_new_long_term_key ev; 4770 struct mgmt_ev_new_long_term_key ev;
4500 4771
4501 memset(&ev, 0, sizeof(ev)); 4772 memset(&ev, 0, sizeof(ev));
4502 4773
4503 ev.store_hint = persistent; 4774 /* Devices using resolvable or non-resolvable random addresses
4775 * without providing an indentity resolving key don't require
4776 * to store long term keys. Their addresses will change the
4777 * next time around.
4778 *
4779 * Only when a remote device provides an identity address
4780 * make sure the long term key is stored. If the remote
4781 * identity is known, the long term keys are internally
4782 * mapped to the identity address. So allow static random
4783 * and public addresses here.
4784 */
4785 if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
4786 (key->bdaddr.b[5] & 0xc0) != 0xc0)
4787 ev.store_hint = 0x00;
4788 else
4789 ev.store_hint = 0x01;
4790
4504 bacpy(&ev.key.addr.bdaddr, &key->bdaddr); 4791 bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
4505 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type); 4792 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
4506 ev.key.authenticated = key->authenticated; 4793 ev.key.type = key->authenticated;
4507 ev.key.enc_size = key->enc_size; 4794 ev.key.enc_size = key->enc_size;
4508 ev.key.ediv = key->ediv; 4795 ev.key.ediv = key->ediv;
4509 4796
@@ -4516,6 +4803,36 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, u8 persistent)
4516 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL); 4803 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
4517} 4804}
4518 4805
4806void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk)
4807{
4808 struct mgmt_ev_new_irk ev;
4809
4810 memset(&ev, 0, sizeof(ev));
4811
4812 /* For identity resolving keys from devices that are already
4813 * using a public address or static random address, do not
4814 * ask for storing this key. The identity resolving key really
4815 * is only mandatory for devices using resovlable random
4816 * addresses.
4817 *
4818 * Storing all identity resolving keys has the downside that
4819 * they will be also loaded on next boot of they system. More
4820 * identity resolving keys, means more time during scanning is
4821 * needed to actually resolve these addresses.
4822 */
4823 if (bacmp(&irk->rpa, BDADDR_ANY))
4824 ev.store_hint = 0x01;
4825 else
4826 ev.store_hint = 0x00;
4827
4828 bacpy(&ev.rpa, &irk->rpa);
4829 bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
4830 ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
4831 memcpy(ev.irk.val, irk->val, sizeof(irk->val));
4832
4833 mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
4834}
4835
4519static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data, 4836static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
4520 u8 data_len) 4837 u8 data_len)
4521{ 4838{
@@ -4910,6 +5227,43 @@ void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
4910 hci_req_run(&req, NULL); 5227 hci_req_run(&req, NULL);
4911} 5228}
4912 5229
5230void mgmt_sc_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
5231{
5232 struct cmd_lookup match = { NULL, hdev };
5233 bool changed = false;
5234
5235 if (status) {
5236 u8 mgmt_err = mgmt_status(status);
5237
5238 if (enable) {
5239 if (test_and_clear_bit(HCI_SC_ENABLED,
5240 &hdev->dev_flags))
5241 new_settings(hdev, NULL);
5242 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
5243 }
5244
5245 mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
5246 cmd_status_rsp, &mgmt_err);
5247 return;
5248 }
5249
5250 if (enable) {
5251 changed = !test_and_set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
5252 } else {
5253 changed = test_and_clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
5254 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
5255 }
5256
5257 mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
5258 settings_rsp, &match);
5259
5260 if (changed)
5261 new_settings(hdev, match.sk);
5262
5263 if (match.sk)
5264 sock_put(match.sk);
5265}
5266
4913static void sk_lookup(struct pending_cmd *cmd, void *data) 5267static void sk_lookup(struct pending_cmd *cmd, void *data)
4914{ 5268{
4915 struct cmd_lookup *match = data; 5269 struct cmd_lookup *match = data;
@@ -4964,8 +5318,9 @@ void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
4964 cmd ? cmd->sk : NULL); 5318 cmd ? cmd->sk : NULL);
4965} 5319}
4966 5320
4967void mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash, 5321void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
4968 u8 *randomizer, u8 status) 5322 u8 *randomizer192, u8 *hash256,
5323 u8 *randomizer256, u8 status)
4969{ 5324{
4970 struct pending_cmd *cmd; 5325 struct pending_cmd *cmd;
4971 5326
@@ -4979,13 +5334,32 @@ void mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash,
4979 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 5334 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4980 mgmt_status(status)); 5335 mgmt_status(status));
4981 } else { 5336 } else {
4982 struct mgmt_rp_read_local_oob_data rp; 5337 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
5338 hash256 && randomizer256) {
5339 struct mgmt_rp_read_local_oob_ext_data rp;
5340
5341 memcpy(rp.hash192, hash192, sizeof(rp.hash192));
5342 memcpy(rp.randomizer192, randomizer192,
5343 sizeof(rp.randomizer192));
4983 5344
4984 memcpy(rp.hash, hash, sizeof(rp.hash)); 5345 memcpy(rp.hash256, hash256, sizeof(rp.hash256));
4985 memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer)); 5346 memcpy(rp.randomizer256, randomizer256,
5347 sizeof(rp.randomizer256));
5348
5349 cmd_complete(cmd->sk, hdev->id,
5350 MGMT_OP_READ_LOCAL_OOB_DATA, 0,
5351 &rp, sizeof(rp));
5352 } else {
5353 struct mgmt_rp_read_local_oob_data rp;
4986 5354
4987 cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 5355 memcpy(rp.hash, hash192, sizeof(rp.hash));
4988 0, &rp, sizeof(rp)); 5356 memcpy(rp.randomizer, randomizer192,
5357 sizeof(rp.randomizer));
5358
5359 cmd_complete(cmd->sk, hdev->id,
5360 MGMT_OP_READ_LOCAL_OOB_DATA, 0,
5361 &rp, sizeof(rp));
5362 }
4989 } 5363 }
4990 5364
4991 mgmt_pending_remove(cmd); 5365 mgmt_pending_remove(cmd);
@@ -4997,6 +5371,7 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
4997{ 5371{
4998 char buf[512]; 5372 char buf[512];
4999 struct mgmt_ev_device_found *ev = (void *) buf; 5373 struct mgmt_ev_device_found *ev = (void *) buf;
5374 struct smp_irk *irk;
5000 size_t ev_size; 5375 size_t ev_size;
5001 5376
5002 if (!hci_discovery_active(hdev)) 5377 if (!hci_discovery_active(hdev))
@@ -5008,8 +5383,15 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5008 5383
5009 memset(buf, 0, sizeof(buf)); 5384 memset(buf, 0, sizeof(buf));
5010 5385
5011 bacpy(&ev->addr.bdaddr, bdaddr); 5386 irk = hci_get_irk(hdev, bdaddr, addr_type);
5012 ev->addr.type = link_to_bdaddr(link_type, addr_type); 5387 if (irk) {
5388 bacpy(&ev->addr.bdaddr, &irk->bdaddr);
5389 ev->addr.type = link_to_bdaddr(link_type, irk->addr_type);
5390 } else {
5391 bacpy(&ev->addr.bdaddr, bdaddr);
5392 ev->addr.type = link_to_bdaddr(link_type, addr_type);
5393 }
5394
5013 ev->rssi = rssi; 5395 ev->rssi = rssi;
5014 if (cfm_name) 5396 if (cfm_name)
5015 ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME); 5397 ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME);
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index facd8a79c038..21e15318937c 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -216,6 +216,7 @@ static int rfcomm_check_security(struct rfcomm_dlc *d)
216 216
217 switch (d->sec_level) { 217 switch (d->sec_level) {
218 case BT_SECURITY_HIGH: 218 case BT_SECURITY_HIGH:
219 case BT_SECURITY_FIPS:
219 auth_type = HCI_AT_GENERAL_BONDING_MITM; 220 auth_type = HCI_AT_GENERAL_BONDING_MITM;
220 break; 221 break;
221 case BT_SECURITY_MEDIUM: 222 case BT_SECURITY_MEDIUM:
@@ -359,6 +360,11 @@ static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
359 return NULL; 360 return NULL;
360} 361}
361 362
363static int rfcomm_check_channel(u8 channel)
364{
365 return channel < 1 || channel > 30;
366}
367
362static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 368static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363{ 369{
364 struct rfcomm_session *s; 370 struct rfcomm_session *s;
@@ -368,7 +374,7 @@ static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
368 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 374 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369 d, d->state, src, dst, channel); 375 d, d->state, src, dst, channel);
370 376
371 if (channel < 1 || channel > 30) 377 if (rfcomm_check_channel(channel))
372 return -EINVAL; 378 return -EINVAL;
373 379
374 if (d->state != BT_OPEN && d->state != BT_CLOSED) 380 if (d->state != BT_OPEN && d->state != BT_CLOSED)
@@ -425,6 +431,20 @@ int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 chann
425 return r; 431 return r;
426} 432}
427 433
434static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
435{
436 struct rfcomm_session *s = d->session;
437
438 d->state = BT_DISCONN;
439 if (skb_queue_empty(&d->tx_queue)) {
440 rfcomm_send_disc(s, d->dlci);
441 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
442 } else {
443 rfcomm_queue_disc(d);
444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
445 }
446}
447
428static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 448static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429{ 449{
430 struct rfcomm_session *s = d->session; 450 struct rfcomm_session *s = d->session;
@@ -437,32 +457,29 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
437 switch (d->state) { 457 switch (d->state) {
438 case BT_CONNECT: 458 case BT_CONNECT:
439 case BT_CONFIG: 459 case BT_CONFIG:
460 case BT_OPEN:
461 case BT_CONNECT2:
440 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 462 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
441 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 463 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
442 rfcomm_schedule(); 464 rfcomm_schedule();
443 break; 465 return 0;
444 } 466 }
445 /* Fall through */ 467 }
446 468
469 switch (d->state) {
470 case BT_CONNECT:
447 case BT_CONNECTED: 471 case BT_CONNECTED:
448 d->state = BT_DISCONN; 472 __rfcomm_dlc_disconn(d);
449 if (skb_queue_empty(&d->tx_queue)) {
450 rfcomm_send_disc(s, d->dlci);
451 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
452 } else {
453 rfcomm_queue_disc(d);
454 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
455 }
456 break; 473 break;
457 474
458 case BT_OPEN: 475 case BT_CONFIG:
459 case BT_CONNECT2: 476 if (s->state != BT_BOUND) {
460 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 477 __rfcomm_dlc_disconn(d);
461 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
462 rfcomm_schedule();
463 break; 478 break;
464 } 479 }
465 /* Fall through */ 480 /* if closing a dlc in a session that hasn't been started,
481 * just close and unlink the dlc
482 */
466 483
467 default: 484 default:
468 rfcomm_dlc_clear_timer(d); 485 rfcomm_dlc_clear_timer(d);
@@ -513,6 +530,25 @@ no_session:
513 return r; 530 return r;
514} 531}
515 532
533struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
534{
535 struct rfcomm_session *s;
536 struct rfcomm_dlc *dlc = NULL;
537 u8 dlci;
538
539 if (rfcomm_check_channel(channel))
540 return ERR_PTR(-EINVAL);
541
542 rfcomm_lock();
543 s = rfcomm_session_get(src, dst);
544 if (s) {
545 dlci = __dlci(!s->initiator, channel);
546 dlc = rfcomm_dlc_get(s, dlci);
547 }
548 rfcomm_unlock();
549 return dlc;
550}
551
516int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 552int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
517{ 553{
518 int len = skb->len; 554 int len = skb->len;
@@ -533,6 +569,20 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
533 return len; 569 return len;
534} 570}
535 571
572void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
573{
574 int len = skb->len;
575
576 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
577
578 rfcomm_make_uih(skb, d->addr);
579 skb_queue_tail(&d->tx_queue, skb);
580
581 if (d->state == BT_CONNECTED &&
582 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
583 rfcomm_schedule();
584}
585
536void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 586void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
537{ 587{
538 BT_DBG("dlc %p state %ld", d, d->state); 588 BT_DBG("dlc %p state %ld", d, d->state);
@@ -1943,12 +1993,11 @@ static void rfcomm_process_sessions(void)
1943 continue; 1993 continue;
1944 } 1994 }
1945 1995
1946 if (s->state == BT_LISTEN) { 1996 switch (s->state) {
1997 case BT_LISTEN:
1947 rfcomm_accept_connection(s); 1998 rfcomm_accept_connection(s);
1948 continue; 1999 continue;
1949 }
1950 2000
1951 switch (s->state) {
1952 case BT_BOUND: 2001 case BT_BOUND:
1953 s = rfcomm_check_connection(s); 2002 s = rfcomm_check_connection(s);
1954 break; 2003 break;
@@ -2085,7 +2134,8 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2085 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2134 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2086 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2135 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2087 continue; 2136 continue;
2088 } else if (d->sec_level == BT_SECURITY_HIGH) { 2137 } else if (d->sec_level == BT_SECURITY_HIGH ||
2138 d->sec_level == BT_SECURITY_FIPS) {
2089 set_bit(RFCOMM_ENC_DROP, &d->flags); 2139 set_bit(RFCOMM_ENC_DROP, &d->flags);
2090 continue; 2140 continue;
2091 } 2141 }
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 3c2d3e4aa2f5..c024e715512f 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -105,13 +105,18 @@ static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
105} 105}
106 106
107/* ---- Socket functions ---- */ 107/* ---- Socket functions ---- */
108static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src) 108static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
109{ 109{
110 struct sock *sk = NULL; 110 struct sock *sk = NULL;
111 111
112 sk_for_each(sk, &rfcomm_sk_list.head) { 112 sk_for_each(sk, &rfcomm_sk_list.head) {
113 if (rfcomm_pi(sk)->channel == channel && 113 if (rfcomm_pi(sk)->channel != channel)
114 !bacmp(&rfcomm_pi(sk)->src, src)) 114 continue;
115
116 if (bacmp(&rfcomm_pi(sk)->src, src))
117 continue;
118
119 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
115 break; 120 break;
116 } 121 }
117 122
@@ -331,6 +336,7 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
331{ 336{
332 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 337 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
333 struct sock *sk = sock->sk; 338 struct sock *sk = sock->sk;
339 int chan = sa->rc_channel;
334 int err = 0; 340 int err = 0;
335 341
336 BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr); 342 BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
@@ -352,12 +358,12 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
352 358
353 write_lock(&rfcomm_sk_list.lock); 359 write_lock(&rfcomm_sk_list.lock);
354 360
355 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) { 361 if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
356 err = -EADDRINUSE; 362 err = -EADDRINUSE;
357 } else { 363 } else {
358 /* Save source address */ 364 /* Save source address */
359 bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr); 365 bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
360 rfcomm_pi(sk)->channel = sa->rc_channel; 366 rfcomm_pi(sk)->channel = chan;
361 sk->sk_state = BT_BOUND; 367 sk->sk_state = BT_BOUND;
362 } 368 }
363 369
@@ -439,7 +445,7 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog)
439 write_lock(&rfcomm_sk_list.lock); 445 write_lock(&rfcomm_sk_list.lock);
440 446
441 for (channel = 1; channel < 31; channel++) 447 for (channel = 1; channel < 31; channel++)
442 if (!__rfcomm_get_sock_by_addr(channel, src)) { 448 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
443 rfcomm_pi(sk)->channel = channel; 449 rfcomm_pi(sk)->channel = channel;
444 err = 0; 450 err = 0;
445 break; 451 break;
@@ -528,6 +534,9 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
528 534
529 BT_DBG("sock %p, sk %p", sock, sk); 535 BT_DBG("sock %p, sk %p", sock, sk);
530 536
537 if (peer && sk->sk_state != BT_CONNECTED)
538 return -ENOTCONN;
539
531 memset(sa, 0, sizeof(*sa)); 540 memset(sa, 0, sizeof(*sa));
532 sa->rc_family = AF_BLUETOOTH; 541 sa->rc_family = AF_BLUETOOTH;
533 sa->rc_channel = rfcomm_pi(sk)->channel; 542 sa->rc_channel = rfcomm_pi(sk)->channel;
@@ -648,6 +657,11 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __u
648 break; 657 break;
649 } 658 }
650 659
660 if (opt & RFCOMM_LM_FIPS) {
661 err = -EINVAL;
662 break;
663 }
664
651 if (opt & RFCOMM_LM_AUTH) 665 if (opt & RFCOMM_LM_AUTH)
652 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW; 666 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
653 if (opt & RFCOMM_LM_ENCRYPT) 667 if (opt & RFCOMM_LM_ENCRYPT)
@@ -762,7 +776,11 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
762 break; 776 break;
763 case BT_SECURITY_HIGH: 777 case BT_SECURITY_HIGH:
764 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 778 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
765 RFCOMM_LM_SECURE; 779 RFCOMM_LM_SECURE;
780 break;
781 case BT_SECURITY_FIPS:
782 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
783 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
766 break; 784 break;
767 default: 785 default:
768 opt = 0; 786 opt = 0;
@@ -774,6 +792,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
774 792
775 if (put_user(opt, (u32 __user *) optval)) 793 if (put_user(opt, (u32 __user *) optval))
776 err = -EFAULT; 794 err = -EFAULT;
795
777 break; 796 break;
778 797
779 case RFCOMM_CONNINFO: 798 case RFCOMM_CONNINFO:
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index f9c0980abeea..403ec09f480a 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -40,6 +40,7 @@
40#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */ 40#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
41#define RFCOMM_TTY_MINOR 0 41#define RFCOMM_TTY_MINOR 0
42 42
43static DEFINE_MUTEX(rfcomm_ioctl_mutex);
43static struct tty_driver *rfcomm_tty_driver; 44static struct tty_driver *rfcomm_tty_driver;
44 45
45struct rfcomm_dev { 46struct rfcomm_dev {
@@ -51,6 +52,8 @@ struct rfcomm_dev {
51 unsigned long flags; 52 unsigned long flags;
52 int err; 53 int err;
53 54
55 unsigned long status; /* don't export to userspace */
56
54 bdaddr_t src; 57 bdaddr_t src;
55 bdaddr_t dst; 58 bdaddr_t dst;
56 u8 channel; 59 u8 channel;
@@ -58,7 +61,6 @@ struct rfcomm_dev {
58 uint modem_status; 61 uint modem_status;
59 62
60 struct rfcomm_dlc *dlc; 63 struct rfcomm_dlc *dlc;
61 wait_queue_head_t conn_wait;
62 64
63 struct device *tty_dev; 65 struct device *tty_dev;
64 66
@@ -83,10 +85,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)
83 85
84 BT_DBG("dev %p dlc %p", dev, dlc); 86 BT_DBG("dev %p dlc %p", dev, dlc);
85 87
86 spin_lock(&rfcomm_dev_lock);
87 list_del(&dev->list);
88 spin_unlock(&rfcomm_dev_lock);
89
90 rfcomm_dlc_lock(dlc); 88 rfcomm_dlc_lock(dlc);
91 /* Detach DLC if it's owned by this dev */ 89 /* Detach DLC if it's owned by this dev */
92 if (dlc->owner == dev) 90 if (dlc->owner == dev)
@@ -95,7 +93,12 @@ static void rfcomm_dev_destruct(struct tty_port *port)
95 93
96 rfcomm_dlc_put(dlc); 94 rfcomm_dlc_put(dlc);
97 95
98 tty_unregister_device(rfcomm_tty_driver, dev->id); 96 if (dev->tty_dev)
97 tty_unregister_device(rfcomm_tty_driver, dev->id);
98
99 spin_lock(&rfcomm_dev_lock);
100 list_del(&dev->list);
101 spin_unlock(&rfcomm_dev_lock);
99 102
100 kfree(dev); 103 kfree(dev);
101 104
@@ -104,60 +107,24 @@ static void rfcomm_dev_destruct(struct tty_port *port)
104 module_put(THIS_MODULE); 107 module_put(THIS_MODULE);
105} 108}
106 109
107static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
108{
109 struct hci_dev *hdev;
110 struct hci_conn *conn;
111
112 hdev = hci_get_route(&dev->dst, &dev->src);
113 if (!hdev)
114 return NULL;
115
116 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
117
118 hci_dev_put(hdev);
119
120 return conn ? &conn->dev : NULL;
121}
122
123/* device-specific initialization: open the dlc */ 110/* device-specific initialization: open the dlc */
124static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty) 111static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
125{ 112{
126 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port); 113 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
127 DEFINE_WAIT(wait);
128 int err; 114 int err;
129 115
130 err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel); 116 err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
131 if (err) 117 if (err)
132 return err; 118 set_bit(TTY_IO_ERROR, &tty->flags);
133 119 return err;
134 while (1) { 120}
135 prepare_to_wait(&dev->conn_wait, &wait, TASK_INTERRUPTIBLE);
136
137 if (dev->dlc->state == BT_CLOSED) {
138 err = -dev->err;
139 break;
140 }
141
142 if (dev->dlc->state == BT_CONNECTED)
143 break;
144
145 if (signal_pending(current)) {
146 err = -ERESTARTSYS;
147 break;
148 }
149
150 tty_unlock(tty);
151 schedule();
152 tty_lock(tty);
153 }
154 finish_wait(&dev->conn_wait, &wait);
155 121
156 if (!err) 122/* we block the open until the dlc->state becomes BT_CONNECTED */
157 device_move(dev->tty_dev, rfcomm_get_device(dev), 123static int rfcomm_dev_carrier_raised(struct tty_port *port)
158 DPM_ORDER_DEV_AFTER_PARENT); 124{
125 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
159 126
160 return err; 127 return (dev->dlc->state == BT_CONNECTED);
161} 128}
162 129
163/* device-specific cleanup: close the dlc */ 130/* device-specific cleanup: close the dlc */
@@ -176,9 +143,10 @@ static const struct tty_port_operations rfcomm_port_ops = {
176 .destruct = rfcomm_dev_destruct, 143 .destruct = rfcomm_dev_destruct,
177 .activate = rfcomm_dev_activate, 144 .activate = rfcomm_dev_activate,
178 .shutdown = rfcomm_dev_shutdown, 145 .shutdown = rfcomm_dev_shutdown,
146 .carrier_raised = rfcomm_dev_carrier_raised,
179}; 147};
180 148
181static struct rfcomm_dev *__rfcomm_dev_get(int id) 149static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
182{ 150{
183 struct rfcomm_dev *dev; 151 struct rfcomm_dev *dev;
184 152
@@ -195,20 +163,41 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
195 163
196 spin_lock(&rfcomm_dev_lock); 164 spin_lock(&rfcomm_dev_lock);
197 165
198 dev = __rfcomm_dev_get(id); 166 dev = __rfcomm_dev_lookup(id);
199 167
200 if (dev) { 168 if (dev && !tty_port_get(&dev->port))
201 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) 169 dev = NULL;
202 dev = NULL;
203 else
204 tty_port_get(&dev->port);
205 }
206 170
207 spin_unlock(&rfcomm_dev_lock); 171 spin_unlock(&rfcomm_dev_lock);
208 172
209 return dev; 173 return dev;
210} 174}
211 175
176static void rfcomm_reparent_device(struct rfcomm_dev *dev)
177{
178 struct hci_dev *hdev;
179 struct hci_conn *conn;
180
181 hdev = hci_get_route(&dev->dst, &dev->src);
182 if (!hdev)
183 return;
184
185 /* The lookup results are unsafe to access without the
186 * hci device lock (FIXME: why is this not documented?)
187 */
188 hci_dev_lock(hdev);
189 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
190
191 /* Just because the acl link is in the hash table is no
192 * guarantee the sysfs device has been added ...
193 */
194 if (conn && device_is_registered(&conn->dev))
195 device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
196
197 hci_dev_unlock(hdev);
198 hci_dev_put(hdev);
199}
200
212static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf) 201static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
213{ 202{
214 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev); 203 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
@@ -224,17 +213,16 @@ static ssize_t show_channel(struct device *tty_dev, struct device_attribute *att
224static DEVICE_ATTR(address, S_IRUGO, show_address, NULL); 213static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
225static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL); 214static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
226 215
227static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) 216static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
217 struct rfcomm_dlc *dlc)
228{ 218{
229 struct rfcomm_dev *dev, *entry; 219 struct rfcomm_dev *dev, *entry;
230 struct list_head *head = &rfcomm_dev_list; 220 struct list_head *head = &rfcomm_dev_list;
231 int err = 0; 221 int err = 0;
232 222
233 BT_DBG("id %d channel %d", req->dev_id, req->channel);
234
235 dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL); 223 dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
236 if (!dev) 224 if (!dev)
237 return -ENOMEM; 225 return ERR_PTR(-ENOMEM);
238 226
239 spin_lock(&rfcomm_dev_lock); 227 spin_lock(&rfcomm_dev_lock);
240 228
@@ -282,7 +270,6 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
282 270
283 tty_port_init(&dev->port); 271 tty_port_init(&dev->port);
284 dev->port.ops = &rfcomm_port_ops; 272 dev->port.ops = &rfcomm_port_ops;
285 init_waitqueue_head(&dev->conn_wait);
286 273
287 skb_queue_head_init(&dev->pending); 274 skb_queue_head_init(&dev->pending);
288 275
@@ -318,22 +305,37 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
318 holds reference to this module. */ 305 holds reference to this module. */
319 __module_get(THIS_MODULE); 306 __module_get(THIS_MODULE);
320 307
308 spin_unlock(&rfcomm_dev_lock);
309 return dev;
310
321out: 311out:
322 spin_unlock(&rfcomm_dev_lock); 312 spin_unlock(&rfcomm_dev_lock);
313 kfree(dev);
314 return ERR_PTR(err);
315}
316
317static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
318{
319 struct rfcomm_dev *dev;
320 struct device *tty;
321
322 BT_DBG("id %d channel %d", req->dev_id, req->channel);
323 323
324 if (err < 0) 324 dev = __rfcomm_dev_add(req, dlc);
325 goto free; 325 if (IS_ERR(dev)) {
326 rfcomm_dlc_put(dlc);
327 return PTR_ERR(dev);
328 }
326 329
327 dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver, 330 tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
328 dev->id, NULL); 331 dev->id, NULL);
329 if (IS_ERR(dev->tty_dev)) { 332 if (IS_ERR(tty)) {
330 err = PTR_ERR(dev->tty_dev); 333 tty_port_put(&dev->port);
331 spin_lock(&rfcomm_dev_lock); 334 return PTR_ERR(tty);
332 list_del(&dev->list);
333 spin_unlock(&rfcomm_dev_lock);
334 goto free;
335 } 335 }
336 336
337 dev->tty_dev = tty;
338 rfcomm_reparent_device(dev);
337 dev_set_drvdata(dev->tty_dev, dev); 339 dev_set_drvdata(dev->tty_dev, dev);
338 340
339 if (device_create_file(dev->tty_dev, &dev_attr_address) < 0) 341 if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
@@ -343,24 +345,23 @@ out:
343 BT_ERR("Failed to create channel attribute"); 345 BT_ERR("Failed to create channel attribute");
344 346
345 return dev->id; 347 return dev->id;
346
347free:
348 kfree(dev);
349 return err;
350} 348}
351 349
352/* ---- Send buffer ---- */ 350/* ---- Send buffer ---- */
353static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc) 351static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
354{ 352{
355 /* We can't let it be zero, because we don't get a callback 353 struct rfcomm_dlc *dlc = dev->dlc;
356 when tx_credits becomes nonzero, hence we'd never wake up */ 354
357 return dlc->mtu * (dlc->tx_credits?:1); 355 /* Limit the outstanding number of packets not yet sent to 40 */
356 int pending = 40 - atomic_read(&dev->wmem_alloc);
357
358 return max(0, pending) * dlc->mtu;
358} 359}
359 360
360static void rfcomm_wfree(struct sk_buff *skb) 361static void rfcomm_wfree(struct sk_buff *skb)
361{ 362{
362 struct rfcomm_dev *dev = (void *) skb->sk; 363 struct rfcomm_dev *dev = (void *) skb->sk;
363 atomic_sub(skb->truesize, &dev->wmem_alloc); 364 atomic_dec(&dev->wmem_alloc);
364 if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags)) 365 if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
365 tty_port_tty_wakeup(&dev->port); 366 tty_port_tty_wakeup(&dev->port);
366 tty_port_put(&dev->port); 367 tty_port_put(&dev->port);
@@ -369,28 +370,24 @@ static void rfcomm_wfree(struct sk_buff *skb)
369static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev) 370static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
370{ 371{
371 tty_port_get(&dev->port); 372 tty_port_get(&dev->port);
372 atomic_add(skb->truesize, &dev->wmem_alloc); 373 atomic_inc(&dev->wmem_alloc);
373 skb->sk = (void *) dev; 374 skb->sk = (void *) dev;
374 skb->destructor = rfcomm_wfree; 375 skb->destructor = rfcomm_wfree;
375} 376}
376 377
377static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority) 378static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
378{ 379{
379 if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) { 380 struct sk_buff *skb = alloc_skb(size, priority);
380 struct sk_buff *skb = alloc_skb(size, priority); 381 if (skb)
381 if (skb) { 382 rfcomm_set_owner_w(skb, dev);
382 rfcomm_set_owner_w(skb, dev); 383 return skb;
383 return skb;
384 }
385 }
386 return NULL;
387} 384}
388 385
389/* ---- Device IOCTLs ---- */ 386/* ---- Device IOCTLs ---- */
390 387
391#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP)) 388#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
392 389
393static int rfcomm_create_dev(struct sock *sk, void __user *arg) 390static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
394{ 391{
395 struct rfcomm_dev_req req; 392 struct rfcomm_dev_req req;
396 struct rfcomm_dlc *dlc; 393 struct rfcomm_dlc *dlc;
@@ -412,16 +409,22 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
412 dlc = rfcomm_pi(sk)->dlc; 409 dlc = rfcomm_pi(sk)->dlc;
413 rfcomm_dlc_hold(dlc); 410 rfcomm_dlc_hold(dlc);
414 } else { 411 } else {
412 /* Validate the channel is unused */
413 dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
414 if (IS_ERR(dlc))
415 return PTR_ERR(dlc);
416 else if (dlc) {
417 rfcomm_dlc_put(dlc);
418 return -EBUSY;
419 }
415 dlc = rfcomm_dlc_alloc(GFP_KERNEL); 420 dlc = rfcomm_dlc_alloc(GFP_KERNEL);
416 if (!dlc) 421 if (!dlc)
417 return -ENOMEM; 422 return -ENOMEM;
418 } 423 }
419 424
420 id = rfcomm_dev_add(&req, dlc); 425 id = rfcomm_dev_add(&req, dlc);
421 if (id < 0) { 426 if (id < 0)
422 rfcomm_dlc_put(dlc);
423 return id; 427 return id;
424 }
425 428
426 if (req.flags & (1 << RFCOMM_REUSE_DLC)) { 429 if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
427 /* DLC is now used by device. 430 /* DLC is now used by device.
@@ -432,7 +435,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
432 return id; 435 return id;
433} 436}
434 437
435static int rfcomm_release_dev(void __user *arg) 438static int __rfcomm_release_dev(void __user *arg)
436{ 439{
437 struct rfcomm_dev_req req; 440 struct rfcomm_dev_req req;
438 struct rfcomm_dev *dev; 441 struct rfcomm_dev *dev;
@@ -452,6 +455,12 @@ static int rfcomm_release_dev(void __user *arg)
452 return -EPERM; 455 return -EPERM;
453 } 456 }
454 457
458 /* only release once */
459 if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
460 tty_port_put(&dev->port);
461 return -EALREADY;
462 }
463
455 if (req.flags & (1 << RFCOMM_HANGUP_NOW)) 464 if (req.flags & (1 << RFCOMM_HANGUP_NOW))
456 rfcomm_dlc_close(dev->dlc, 0); 465 rfcomm_dlc_close(dev->dlc, 0);
457 466
@@ -462,14 +471,35 @@ static int rfcomm_release_dev(void __user *arg)
462 tty_kref_put(tty); 471 tty_kref_put(tty);
463 } 472 }
464 473
465 if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags) && 474 if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
466 !test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
467 tty_port_put(&dev->port); 475 tty_port_put(&dev->port);
468 476
469 tty_port_put(&dev->port); 477 tty_port_put(&dev->port);
470 return 0; 478 return 0;
471} 479}
472 480
481static int rfcomm_create_dev(struct sock *sk, void __user *arg)
482{
483 int ret;
484
485 mutex_lock(&rfcomm_ioctl_mutex);
486 ret = __rfcomm_create_dev(sk, arg);
487 mutex_unlock(&rfcomm_ioctl_mutex);
488
489 return ret;
490}
491
492static int rfcomm_release_dev(void __user *arg)
493{
494 int ret;
495
496 mutex_lock(&rfcomm_ioctl_mutex);
497 ret = __rfcomm_release_dev(arg);
498 mutex_unlock(&rfcomm_ioctl_mutex);
499
500 return ret;
501}
502
473static int rfcomm_get_dev_list(void __user *arg) 503static int rfcomm_get_dev_list(void __user *arg)
474{ 504{
475 struct rfcomm_dev *dev; 505 struct rfcomm_dev *dev;
@@ -497,7 +527,7 @@ static int rfcomm_get_dev_list(void __user *arg)
497 spin_lock(&rfcomm_dev_lock); 527 spin_lock(&rfcomm_dev_lock);
498 528
499 list_for_each_entry(dev, &rfcomm_dev_list, list) { 529 list_for_each_entry(dev, &rfcomm_dev_list, list) {
500 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) 530 if (!tty_port_get(&dev->port))
501 continue; 531 continue;
502 (di + n)->id = dev->id; 532 (di + n)->id = dev->id;
503 (di + n)->flags = dev->flags; 533 (di + n)->flags = dev->flags;
@@ -505,6 +535,7 @@ static int rfcomm_get_dev_list(void __user *arg)
505 (di + n)->channel = dev->channel; 535 (di + n)->channel = dev->channel;
506 bacpy(&(di + n)->src, &dev->src); 536 bacpy(&(di + n)->src, &dev->src);
507 bacpy(&(di + n)->dst, &dev->dst); 537 bacpy(&(di + n)->dst, &dev->dst);
538 tty_port_put(&dev->port);
508 if (++n >= dev_num) 539 if (++n >= dev_num)
509 break; 540 break;
510 } 541 }
@@ -601,9 +632,11 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
601 BT_DBG("dlc %p dev %p err %d", dlc, dev, err); 632 BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
602 633
603 dev->err = err; 634 dev->err = err;
604 wake_up_interruptible(&dev->conn_wait); 635 if (dlc->state == BT_CONNECTED) {
636 rfcomm_reparent_device(dev);
605 637
606 if (dlc->state == BT_CLOSED) 638 wake_up_interruptible(&dev->port.open_wait);
639 } else if (dlc->state == BT_CLOSED)
607 tty_port_tty_hangup(&dev->port, false); 640 tty_port_tty_hangup(&dev->port, false);
608} 641}
609 642
@@ -703,8 +736,10 @@ static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
703 * when the last process closes the tty. The behaviour is expected by 736 * when the last process closes the tty. The behaviour is expected by
704 * userspace. 737 * userspace.
705 */ 738 */
706 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) 739 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
740 set_bit(RFCOMM_TTY_OWNED, &dev->status);
707 tty_port_put(&dev->port); 741 tty_port_put(&dev->port);
742 }
708 743
709 return 0; 744 return 0;
710} 745}
@@ -750,7 +785,7 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
750 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; 785 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
751 struct rfcomm_dlc *dlc = dev->dlc; 786 struct rfcomm_dlc *dlc = dev->dlc;
752 struct sk_buff *skb; 787 struct sk_buff *skb;
753 int err = 0, sent = 0, size; 788 int sent = 0, size;
754 789
755 BT_DBG("tty %p count %d", tty, count); 790 BT_DBG("tty %p count %d", tty, count);
756 791
@@ -758,7 +793,6 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
758 size = min_t(uint, count, dlc->mtu); 793 size = min_t(uint, count, dlc->mtu);
759 794
760 skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC); 795 skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
761
762 if (!skb) 796 if (!skb)
763 break; 797 break;
764 798
@@ -766,32 +800,24 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
766 800
767 memcpy(skb_put(skb, size), buf + sent, size); 801 memcpy(skb_put(skb, size), buf + sent, size);
768 802
769 err = rfcomm_dlc_send(dlc, skb); 803 rfcomm_dlc_send_noerror(dlc, skb);
770 if (err < 0) {
771 kfree_skb(skb);
772 break;
773 }
774 804
775 sent += size; 805 sent += size;
776 count -= size; 806 count -= size;
777 } 807 }
778 808
779 return sent ? sent : err; 809 return sent;
780} 810}
781 811
782static int rfcomm_tty_write_room(struct tty_struct *tty) 812static int rfcomm_tty_write_room(struct tty_struct *tty)
783{ 813{
784 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; 814 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
785 int room; 815 int room = 0;
786 816
787 BT_DBG("tty %p", tty); 817 if (dev && dev->dlc)
788 818 room = rfcomm_room(dev);
789 if (!dev || !dev->dlc)
790 return 0;
791 819
792 room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc); 820 BT_DBG("tty %p room %d", tty, room);
793 if (room < 0)
794 room = 0;
795 821
796 return room; 822 return room;
797} 823}
@@ -1125,7 +1151,7 @@ int __init rfcomm_init_ttys(void)
1125 rfcomm_tty_driver->subtype = SERIAL_TYPE_NORMAL; 1151 rfcomm_tty_driver->subtype = SERIAL_TYPE_NORMAL;
1126 rfcomm_tty_driver->flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV; 1152 rfcomm_tty_driver->flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1127 rfcomm_tty_driver->init_termios = tty_std_termios; 1153 rfcomm_tty_driver->init_termios = tty_std_termios;
1128 rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL; 1154 rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL;
1129 rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON; 1155 rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1130 tty_set_operations(rfcomm_tty_driver, &rfcomm_ops); 1156 tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1131 1157
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 45007362683b..f06068072bdd 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -78,6 +78,52 @@ static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
78 return err; 78 return err;
79} 79}
80 80
81static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
82{
83 u8 _res[16], k[16];
84 int err;
85
86 /* r' = padding || r */
87 memset(_res, 0, 13);
88 _res[13] = r[2];
89 _res[14] = r[1];
90 _res[15] = r[0];
91
92 swap128(irk, k);
93 err = smp_e(tfm, k, _res);
94 if (err) {
95 BT_ERR("Encrypt error");
96 return err;
97 }
98
99 /* The output of the random address function ah is:
100 * ah(h, r) = e(k, r') mod 2^24
101 * The output of the security function e is then truncated to 24 bits
102 * by taking the least significant 24 bits of the output of e as the
103 * result of ah.
104 */
105 res[0] = _res[15];
106 res[1] = _res[14];
107 res[2] = _res[13];
108
109 return 0;
110}
111
112bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
113 bdaddr_t *bdaddr)
114{
115 u8 hash[3];
116 int err;
117
118 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
119
120 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
121 if (err)
122 return false;
123
124 return !memcmp(bdaddr->b, hash, 3);
125}
126
81static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16], 127static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
82 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, 128 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
83 u8 _rat, bdaddr_t *ra, u8 res[16]) 129 u8 _rat, bdaddr_t *ra, u8 res[16])
@@ -203,31 +249,42 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
203 struct smp_cmd_pairing *req, 249 struct smp_cmd_pairing *req,
204 struct smp_cmd_pairing *rsp, __u8 authreq) 250 struct smp_cmd_pairing *rsp, __u8 authreq)
205{ 251{
206 u8 dist_keys = 0; 252 struct smp_chan *smp = conn->smp_chan;
253 struct hci_conn *hcon = conn->hcon;
254 struct hci_dev *hdev = hcon->hdev;
255 u8 local_dist = 0, remote_dist = 0;
207 256
208 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) { 257 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
209 dist_keys = SMP_DIST_ENC_KEY; 258 local_dist = SMP_DIST_ENC_KEY;
259 remote_dist = SMP_DIST_ENC_KEY;
210 authreq |= SMP_AUTH_BONDING; 260 authreq |= SMP_AUTH_BONDING;
211 } else { 261 } else {
212 authreq &= ~SMP_AUTH_BONDING; 262 authreq &= ~SMP_AUTH_BONDING;
213 } 263 }
214 264
265 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
266 remote_dist |= SMP_DIST_ID_KEY;
267
215 if (rsp == NULL) { 268 if (rsp == NULL) {
216 req->io_capability = conn->hcon->io_capability; 269 req->io_capability = conn->hcon->io_capability;
217 req->oob_flag = SMP_OOB_NOT_PRESENT; 270 req->oob_flag = SMP_OOB_NOT_PRESENT;
218 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 271 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
219 req->init_key_dist = 0; 272 req->init_key_dist = local_dist;
220 req->resp_key_dist = dist_keys; 273 req->resp_key_dist = remote_dist;
221 req->auth_req = (authreq & AUTH_REQ_MASK); 274 req->auth_req = (authreq & AUTH_REQ_MASK);
275
276 smp->remote_key_dist = remote_dist;
222 return; 277 return;
223 } 278 }
224 279
225 rsp->io_capability = conn->hcon->io_capability; 280 rsp->io_capability = conn->hcon->io_capability;
226 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 281 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
227 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 282 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
228 rsp->init_key_dist = 0; 283 rsp->init_key_dist = req->init_key_dist & remote_dist;
229 rsp->resp_key_dist = req->resp_key_dist & dist_keys; 284 rsp->resp_key_dist = req->resp_key_dist & local_dist;
230 rsp->auth_req = (authreq & AUTH_REQ_MASK); 285 rsp->auth_req = (authreq & AUTH_REQ_MASK);
286
287 smp->remote_key_dist = rsp->init_key_dist;
231} 288}
232 289
233static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 290static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
@@ -356,20 +413,16 @@ static void confirm_work(struct work_struct *work)
356{ 413{
357 struct smp_chan *smp = container_of(work, struct smp_chan, confirm); 414 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
358 struct l2cap_conn *conn = smp->conn; 415 struct l2cap_conn *conn = smp->conn;
359 struct crypto_blkcipher *tfm; 416 struct hci_dev *hdev = conn->hcon->hdev;
417 struct crypto_blkcipher *tfm = hdev->tfm_aes;
360 struct smp_cmd_pairing_confirm cp; 418 struct smp_cmd_pairing_confirm cp;
361 int ret; 419 int ret;
362 u8 res[16], reason; 420 u8 res[16], reason;
363 421
364 BT_DBG("conn %p", conn); 422 BT_DBG("conn %p", conn);
365 423
366 tfm = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 424 /* Prevent mutual access to hdev->tfm_aes */
367 if (IS_ERR(tfm)) { 425 hci_dev_lock(hdev);
368 reason = SMP_UNSPECIFIED;
369 goto error;
370 }
371
372 smp->tfm = tfm;
373 426
374 if (conn->hcon->out) 427 if (conn->hcon->out)
375 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp, 428 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
@@ -379,6 +432,9 @@ static void confirm_work(struct work_struct *work)
379 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp, 432 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
380 conn->hcon->dst_type, &conn->hcon->dst, 433 conn->hcon->dst_type, &conn->hcon->dst,
381 conn->hcon->src_type, &conn->hcon->src, res); 434 conn->hcon->src_type, &conn->hcon->src, res);
435
436 hci_dev_unlock(hdev);
437
382 if (ret) { 438 if (ret) {
383 reason = SMP_UNSPECIFIED; 439 reason = SMP_UNSPECIFIED;
384 goto error; 440 goto error;
@@ -400,7 +456,8 @@ static void random_work(struct work_struct *work)
400 struct smp_chan *smp = container_of(work, struct smp_chan, random); 456 struct smp_chan *smp = container_of(work, struct smp_chan, random);
401 struct l2cap_conn *conn = smp->conn; 457 struct l2cap_conn *conn = smp->conn;
402 struct hci_conn *hcon = conn->hcon; 458 struct hci_conn *hcon = conn->hcon;
403 struct crypto_blkcipher *tfm = smp->tfm; 459 struct hci_dev *hdev = hcon->hdev;
460 struct crypto_blkcipher *tfm = hdev->tfm_aes;
404 u8 reason, confirm[16], res[16], key[16]; 461 u8 reason, confirm[16], res[16], key[16];
405 int ret; 462 int ret;
406 463
@@ -411,6 +468,9 @@ static void random_work(struct work_struct *work)
411 468
412 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 469 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
413 470
471 /* Prevent mutual access to hdev->tfm_aes */
472 hci_dev_lock(hdev);
473
414 if (hcon->out) 474 if (hcon->out)
415 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 475 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
416 hcon->src_type, &hcon->src, 476 hcon->src_type, &hcon->src,
@@ -419,6 +479,9 @@ static void random_work(struct work_struct *work)
419 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 479 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
420 hcon->dst_type, &hcon->dst, 480 hcon->dst_type, &hcon->dst,
421 hcon->src_type, &hcon->src, res); 481 hcon->src_type, &hcon->src, res);
482
483 hci_dev_unlock(hdev);
484
422 if (ret) { 485 if (ret) {
423 reason = SMP_UNSPECIFIED; 486 reason = SMP_UNSPECIFIED;
424 goto error; 487 goto error;
@@ -469,7 +532,7 @@ static void random_work(struct work_struct *work)
469 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 532 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
470 533
471 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 534 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
472 HCI_SMP_STK_SLAVE, 0, 0, stk, smp->enc_key_size, 535 HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
473 ediv, rand); 536 ediv, rand);
474 } 537 }
475 538
@@ -502,11 +565,12 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
502void smp_chan_destroy(struct l2cap_conn *conn) 565void smp_chan_destroy(struct l2cap_conn *conn)
503{ 566{
504 struct smp_chan *smp = conn->smp_chan; 567 struct smp_chan *smp = conn->smp_chan;
568 bool complete;
505 569
506 BUG_ON(!smp); 570 BUG_ON(!smp);
507 571
508 if (smp->tfm) 572 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
509 crypto_free_blkcipher(smp->tfm); 573 mgmt_smp_complete(conn->hcon, complete);
510 574
511 kfree(smp); 575 kfree(smp);
512 conn->smp_chan = NULL; 576 conn->smp_chan = NULL;
@@ -565,6 +629,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
565 629
566 BT_DBG("conn %p", conn); 630 BT_DBG("conn %p", conn);
567 631
632 if (skb->len < sizeof(*req))
633 return SMP_UNSPECIFIED;
634
568 if (conn->hcon->link_mode & HCI_LM_MASTER) 635 if (conn->hcon->link_mode & HCI_LM_MASTER)
569 return SMP_CMD_NOTSUPP; 636 return SMP_CMD_NOTSUPP;
570 637
@@ -617,6 +684,9 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
617 684
618 BT_DBG("conn %p", conn); 685 BT_DBG("conn %p", conn);
619 686
687 if (skb->len < sizeof(*rsp))
688 return SMP_UNSPECIFIED;
689
620 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 690 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
621 return SMP_CMD_NOTSUPP; 691 return SMP_CMD_NOTSUPP;
622 692
@@ -661,6 +731,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
661 731
662 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 732 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
663 733
734 if (skb->len < sizeof(smp->pcnf))
735 return SMP_UNSPECIFIED;
736
664 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 737 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
665 skb_pull(skb, sizeof(smp->pcnf)); 738 skb_pull(skb, sizeof(smp->pcnf));
666 739
@@ -686,6 +759,9 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
686 759
687 BT_DBG("conn %p", conn); 760 BT_DBG("conn %p", conn);
688 761
762 if (skb->len < sizeof(smp->rrnd))
763 return SMP_UNSPECIFIED;
764
689 swap128(skb->data, smp->rrnd); 765 swap128(skb->data, smp->rrnd);
690 skb_pull(skb, sizeof(smp->rrnd)); 766 skb_pull(skb, sizeof(smp->rrnd));
691 767
@@ -699,7 +775,8 @@ static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
699 struct smp_ltk *key; 775 struct smp_ltk *key;
700 struct hci_conn *hcon = conn->hcon; 776 struct hci_conn *hcon = conn->hcon;
701 777
702 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type); 778 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
779 hcon->out);
703 if (!key) 780 if (!key)
704 return 0; 781 return 0;
705 782
@@ -724,6 +801,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
724 801
725 BT_DBG("conn %p", conn); 802 BT_DBG("conn %p", conn);
726 803
804 if (skb->len < sizeof(*rp))
805 return SMP_UNSPECIFIED;
806
727 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 807 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
728 return SMP_CMD_NOTSUPP; 808 return SMP_CMD_NOTSUPP;
729 809
@@ -813,6 +893,15 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
813 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 893 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
814 struct smp_chan *smp = conn->smp_chan; 894 struct smp_chan *smp = conn->smp_chan;
815 895
896 BT_DBG("conn %p", conn);
897
898 if (skb->len < sizeof(*rp))
899 return SMP_UNSPECIFIED;
900
901 /* Ignore this PDU if it wasn't requested */
902 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
903 return 0;
904
816 skb_pull(skb, sizeof(*rp)); 905 skb_pull(skb, sizeof(*rp));
817 906
818 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 907 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
@@ -826,21 +915,95 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
826 struct smp_chan *smp = conn->smp_chan; 915 struct smp_chan *smp = conn->smp_chan;
827 struct hci_dev *hdev = conn->hcon->hdev; 916 struct hci_dev *hdev = conn->hcon->hdev;
828 struct hci_conn *hcon = conn->hcon; 917 struct hci_conn *hcon = conn->hcon;
918 struct smp_ltk *ltk;
829 u8 authenticated; 919 u8 authenticated;
830 920
921 BT_DBG("conn %p", conn);
922
923 if (skb->len < sizeof(*rp))
924 return SMP_UNSPECIFIED;
925
926 /* Ignore this PDU if it wasn't requested */
927 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
928 return 0;
929
831 skb_pull(skb, sizeof(*rp)); 930 skb_pull(skb, sizeof(*rp));
832 931
833 hci_dev_lock(hdev); 932 hci_dev_lock(hdev);
834 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 933 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
835 hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK, 1, 934 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK,
836 authenticated, smp->tk, smp->enc_key_size, 935 authenticated, smp->tk, smp->enc_key_size,
837 rp->ediv, rp->rand); 936 rp->ediv, rp->rand);
838 smp_distribute_keys(conn, 1); 937 smp->ltk = ltk;
938 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
939 smp_distribute_keys(conn, 1);
839 hci_dev_unlock(hdev); 940 hci_dev_unlock(hdev);
840 941
841 return 0; 942 return 0;
842} 943}
843 944
945static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
946{
947 struct smp_cmd_ident_info *info = (void *) skb->data;
948 struct smp_chan *smp = conn->smp_chan;
949
950 BT_DBG("");
951
952 if (skb->len < sizeof(*info))
953 return SMP_UNSPECIFIED;
954
955 /* Ignore this PDU if it wasn't requested */
956 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
957 return 0;
958
959 skb_pull(skb, sizeof(*info));
960
961 memcpy(smp->irk, info->irk, 16);
962
963 return 0;
964}
965
966static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
967 struct sk_buff *skb)
968{
969 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
970 struct smp_chan *smp = conn->smp_chan;
971 struct hci_conn *hcon = conn->hcon;
972 bdaddr_t rpa;
973
974 BT_DBG("");
975
976 if (skb->len < sizeof(*info))
977 return SMP_UNSPECIFIED;
978
979 /* Ignore this PDU if it wasn't requested */
980 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
981 return 0;
982
983 skb_pull(skb, sizeof(*info));
984
985 bacpy(&smp->id_addr, &info->bdaddr);
986 smp->id_addr_type = info->addr_type;
987
988 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
989 bacpy(&rpa, &hcon->dst);
990 else
991 bacpy(&rpa, BDADDR_ANY);
992
993 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
994 smp->id_addr_type, smp->irk, &rpa);
995
996 /* Track the connection based on the Identity Address from now on */
997 bacpy(&hcon->dst, &smp->id_addr);
998 hcon->dst_type = smp->id_addr_type;
999
1000 l2cap_conn_update_id_addr(hcon);
1001
1002 smp_distribute_keys(conn, 1);
1003
1004 return 0;
1005}
1006
844int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) 1007int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
845{ 1008{
846 struct hci_conn *hcon = conn->hcon; 1009 struct hci_conn *hcon = conn->hcon;
@@ -915,7 +1078,13 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
915 break; 1078 break;
916 1079
917 case SMP_CMD_IDENT_INFO: 1080 case SMP_CMD_IDENT_INFO:
1081 reason = smp_cmd_ident_info(conn, skb);
1082 break;
1083
918 case SMP_CMD_IDENT_ADDR_INFO: 1084 case SMP_CMD_IDENT_ADDR_INFO:
1085 reason = smp_cmd_ident_addr_info(conn, skb);
1086 break;
1087
919 case SMP_CMD_SIGN_INFO: 1088 case SMP_CMD_SIGN_INFO:
920 /* Just ignored */ 1089 /* Just ignored */
921 reason = 0; 1090 reason = 0;
@@ -937,6 +1106,28 @@ done:
937 return err; 1106 return err;
938} 1107}
939 1108
1109static void smp_notify_keys(struct l2cap_conn *conn)
1110{
1111 struct smp_chan *smp = conn->smp_chan;
1112 struct hci_conn *hcon = conn->hcon;
1113 struct hci_dev *hdev = hcon->hdev;
1114
1115 if (smp->remote_irk)
1116 mgmt_new_irk(hdev, smp->remote_irk);
1117
1118 if (smp->ltk) {
1119 smp->ltk->bdaddr_type = hcon->dst_type;
1120 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1121 mgmt_new_ltk(hdev, smp->ltk);
1122 }
1123
1124 if (smp->slave_ltk) {
1125 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1126 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1127 mgmt_new_ltk(hdev, smp->slave_ltk);
1128 }
1129}
1130
940int smp_distribute_keys(struct l2cap_conn *conn, __u8 force) 1131int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
941{ 1132{
942 struct smp_cmd_pairing *req, *rsp; 1133 struct smp_cmd_pairing *req, *rsp;
@@ -964,13 +1155,13 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
964 *keydist &= req->resp_key_dist; 1155 *keydist &= req->resp_key_dist;
965 } 1156 }
966 1157
967
968 BT_DBG("keydist 0x%x", *keydist); 1158 BT_DBG("keydist 0x%x", *keydist);
969 1159
970 if (*keydist & SMP_DIST_ENC_KEY) { 1160 if (*keydist & SMP_DIST_ENC_KEY) {
971 struct smp_cmd_encrypt_info enc; 1161 struct smp_cmd_encrypt_info enc;
972 struct smp_cmd_master_ident ident; 1162 struct smp_cmd_master_ident ident;
973 struct hci_conn *hcon = conn->hcon; 1163 struct hci_conn *hcon = conn->hcon;
1164 struct smp_ltk *ltk;
974 u8 authenticated; 1165 u8 authenticated;
975 __le16 ediv; 1166 __le16 ediv;
976 1167
@@ -981,9 +1172,10 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
981 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1172 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
982 1173
983 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1174 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
984 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1175 ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
985 HCI_SMP_LTK_SLAVE, 1, authenticated, 1176 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
986 enc.ltk, smp->enc_key_size, ediv, ident.rand); 1177 smp->enc_key_size, ediv, ident.rand);
1178 smp->slave_ltk = ltk;
987 1179
988 ident.ediv = ediv; 1180 ident.ediv = ediv;
989 1181
@@ -1022,9 +1214,11 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
1022 *keydist &= ~SMP_DIST_SIGN; 1214 *keydist &= ~SMP_DIST_SIGN;
1023 } 1215 }
1024 1216
1025 if (conn->hcon->out || force) { 1217 if (conn->hcon->out || force || !(rsp->init_key_dist & 0x07)) {
1026 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags); 1218 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
1027 cancel_delayed_work_sync(&conn->security_timer); 1219 cancel_delayed_work_sync(&conn->security_timer);
1220 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
1221 smp_notify_keys(conn);
1028 smp_chan_destroy(conn); 1222 smp_chan_destroy(conn);
1029 } 1223 }
1030 1224
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index a700bcb490d7..d8cc543f523c 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -118,6 +118,7 @@ struct smp_cmd_security_req {
118#define SMP_FLAG_TK_VALID 1 118#define SMP_FLAG_TK_VALID 1
119#define SMP_FLAG_CFM_PENDING 2 119#define SMP_FLAG_CFM_PENDING 2
120#define SMP_FLAG_MITM_AUTH 3 120#define SMP_FLAG_MITM_AUTH 3
121#define SMP_FLAG_COMPLETE 4
121 122
122struct smp_chan { 123struct smp_chan {
123 struct l2cap_conn *conn; 124 struct l2cap_conn *conn;
@@ -128,11 +129,16 @@ struct smp_chan {
128 u8 pcnf[16]; /* SMP Pairing Confirm */ 129 u8 pcnf[16]; /* SMP Pairing Confirm */
129 u8 tk[16]; /* SMP Temporary Key */ 130 u8 tk[16]; /* SMP Temporary Key */
130 u8 enc_key_size; 131 u8 enc_key_size;
132 u8 remote_key_dist;
133 bdaddr_t id_addr;
134 u8 id_addr_type;
135 u8 irk[16];
136 struct smp_ltk *ltk;
137 struct smp_ltk *slave_ltk;
138 struct smp_irk *remote_irk;
131 unsigned long smp_flags; 139 unsigned long smp_flags;
132 struct crypto_blkcipher *tfm;
133 struct work_struct confirm; 140 struct work_struct confirm;
134 struct work_struct random; 141 struct work_struct random;
135
136}; 142};
137 143
138/* SMP Commands */ 144/* SMP Commands */
@@ -144,4 +150,7 @@ int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
144 150
145void smp_chan_destroy(struct l2cap_conn *conn); 151void smp_chan_destroy(struct l2cap_conn *conn);
146 152
153bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
154 bdaddr_t *bdaddr);
155
147#endif /* __SMP_H */ 156#endif /* __SMP_H */
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-14 21:46:27 -0400