aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/bluetooth/hci.h27
-rw-r--r--include/net/bluetooth/hci_core.h78
-rw-r--r--include/net/bluetooth/mgmt.h10
-rw-r--r--net/bluetooth/hci_conn.c116
-rw-r--r--net/bluetooth/hci_core.c679
-rw-r--r--net/bluetooth/hci_event.c274
-rw-r--r--net/bluetooth/l2cap_core.c37
-rw-r--r--net/bluetooth/mgmt.c425
-rw-r--r--net/bluetooth/smp.c180
-rw-r--r--net/bluetooth/smp.h11
10 files changed, 1585 insertions, 252 deletions
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index fe4b06bfc150..be150cf8cd43 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -126,6 +126,8 @@ enum {
126 HCI_SSP_ENABLED, 126 HCI_SSP_ENABLED,
127 HCI_SC_ENABLED, 127 HCI_SC_ENABLED,
128 HCI_SC_ONLY, 128 HCI_SC_ONLY,
129 HCI_PRIVACY,
130 HCI_RPA_EXPIRED,
129 HCI_RPA_RESOLVING, 131 HCI_RPA_RESOLVING,
130 HCI_HS_ENABLED, 132 HCI_HS_ENABLED,
131 HCI_LE_ENABLED, 133 HCI_LE_ENABLED,
@@ -138,6 +140,7 @@ enum {
138 HCI_FAST_CONNECTABLE, 140 HCI_FAST_CONNECTABLE,
139 HCI_BREDR_ENABLED, 141 HCI_BREDR_ENABLED,
140 HCI_6LOWPAN_ENABLED, 142 HCI_6LOWPAN_ENABLED,
143 HCI_LE_SCAN_INTERRUPTED,
141}; 144};
142 145
143/* A mask for the flags that are supposed to remain when a reset happens 146/* A mask for the flags that are supposed to remain when a reset happens
@@ -180,6 +183,8 @@ enum {
180#define HCI_CMD_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */ 183#define HCI_CMD_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
181#define HCI_ACL_TX_TIMEOUT msecs_to_jiffies(45000) /* 45 seconds */ 184#define HCI_ACL_TX_TIMEOUT msecs_to_jiffies(45000) /* 45 seconds */
182#define HCI_AUTO_OFF_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */ 185#define HCI_AUTO_OFF_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
186#define HCI_POWER_OFF_TIMEOUT msecs_to_jiffies(5000) /* 5 seconds */
187#define HCI_LE_CONN_TIMEOUT msecs_to_jiffies(20000) /* 20 seconds */
183 188
184/* HCI data types */ 189/* HCI data types */
185#define HCI_COMMAND_PKT 0x01 190#define HCI_COMMAND_PKT 0x01
@@ -354,6 +359,7 @@ enum {
354 359
355/* ---- HCI Error Codes ---- */ 360/* ---- HCI Error Codes ---- */
356#define HCI_ERROR_AUTH_FAILURE 0x05 361#define HCI_ERROR_AUTH_FAILURE 0x05
362#define HCI_ERROR_MEMORY_EXCEEDED 0x07
357#define HCI_ERROR_CONNECTION_TIMEOUT 0x08 363#define HCI_ERROR_CONNECTION_TIMEOUT 0x08
358#define HCI_ERROR_REJ_BAD_ADDR 0x0f 364#define HCI_ERROR_REJ_BAD_ADDR 0x0f
359#define HCI_ERROR_REMOTE_USER_TERM 0x13 365#define HCI_ERROR_REMOTE_USER_TERM 0x13
@@ -1178,6 +1184,9 @@ struct hci_cp_le_set_scan_enable {
1178 __u8 filter_dup; 1184 __u8 filter_dup;
1179} __packed; 1185} __packed;
1180 1186
1187#define HCI_LE_USE_PEER_ADDR 0x00
1188#define HCI_LE_USE_WHITELIST 0x01
1189
1181#define HCI_OP_LE_CREATE_CONN 0x200d 1190#define HCI_OP_LE_CREATE_CONN 0x200d
1182struct hci_cp_le_create_conn { 1191struct hci_cp_le_create_conn {
1183 __le16 scan_interval; 1192 __le16 scan_interval;
@@ -1202,6 +1211,20 @@ struct hci_rp_le_read_white_list_size {
1202 __u8 size; 1211 __u8 size;
1203} __packed; 1212} __packed;
1204 1213
1214#define HCI_OP_LE_CLEAR_WHITE_LIST 0x2010
1215
1216#define HCI_OP_LE_ADD_TO_WHITE_LIST 0x2011
1217struct hci_cp_le_add_to_white_list {
1218 __u8 bdaddr_type;
1219 bdaddr_t bdaddr;
1220} __packed;
1221
1222#define HCI_OP_LE_DEL_FROM_WHITE_LIST 0x2012
1223struct hci_cp_le_del_from_white_list {
1224 __u8 bdaddr_type;
1225 bdaddr_t bdaddr;
1226} __packed;
1227
1205#define HCI_OP_LE_CONN_UPDATE 0x2013 1228#define HCI_OP_LE_CONN_UPDATE 0x2013
1206struct hci_cp_le_conn_update { 1229struct hci_cp_le_conn_update {
1207 __le16 handle; 1230 __le16 handle;
@@ -1216,7 +1239,7 @@ struct hci_cp_le_conn_update {
1216#define HCI_OP_LE_START_ENC 0x2019 1239#define HCI_OP_LE_START_ENC 0x2019
1217struct hci_cp_le_start_enc { 1240struct hci_cp_le_start_enc {
1218 __le16 handle; 1241 __le16 handle;
1219 __u8 rand[8]; 1242 __le64 rand;
1220 __le16 ediv; 1243 __le16 ediv;
1221 __u8 ltk[16]; 1244 __u8 ltk[16];
1222} __packed; 1245} __packed;
@@ -1628,7 +1651,7 @@ struct hci_ev_le_conn_complete {
1628#define HCI_EV_LE_LTK_REQ 0x05 1651#define HCI_EV_LE_LTK_REQ 0x05
1629struct hci_ev_le_ltk_req { 1652struct hci_ev_le_ltk_req {
1630 __le16 handle; 1653 __le16 handle;
1631 __u8 random[8]; 1654 __le64 rand;
1632 __le16 ediv; 1655 __le16 ediv;
1633} __packed; 1656} __packed;
1634 1657
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index c0fcc041fbb5..dbb788e4f265 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -99,7 +99,7 @@ struct smp_ltk {
99 u8 type; 99 u8 type;
100 u8 enc_size; 100 u8 enc_size;
101 __le16 ediv; 101 __le16 ediv;
102 u8 rand[8]; 102 __le64 rand;
103 u8 val[16]; 103 u8 val[16];
104}; 104};
105 105
@@ -130,6 +130,9 @@ struct oob_data {
130 130
131#define HCI_MAX_SHORT_NAME_LENGTH 10 131#define HCI_MAX_SHORT_NAME_LENGTH 10
132 132
133/* Default LE RPA expiry time, 15 minutes */
134#define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
135
133struct amp_assoc { 136struct amp_assoc {
134 __u16 len; 137 __u16 len;
135 __u16 offset; 138 __u16 offset;
@@ -153,7 +156,7 @@ struct hci_dev {
153 bdaddr_t bdaddr; 156 bdaddr_t bdaddr;
154 bdaddr_t random_addr; 157 bdaddr_t random_addr;
155 bdaddr_t static_addr; 158 bdaddr_t static_addr;
156 __u8 own_addr_type; 159 __u8 adv_addr_type;
157 __u8 dev_name[HCI_MAX_NAME_LENGTH]; 160 __u8 dev_name[HCI_MAX_NAME_LENGTH];
158 __u8 short_name[HCI_MAX_SHORT_NAME_LENGTH]; 161 __u8 short_name[HCI_MAX_SHORT_NAME_LENGTH];
159 __u8 eir[HCI_MAX_EIR_LENGTH]; 162 __u8 eir[HCI_MAX_EIR_LENGTH];
@@ -281,7 +284,9 @@ struct hci_dev {
281 struct list_head long_term_keys; 284 struct list_head long_term_keys;
282 struct list_head identity_resolving_keys; 285 struct list_head identity_resolving_keys;
283 struct list_head remote_oob_data; 286 struct list_head remote_oob_data;
287 struct list_head le_white_list;
284 struct list_head le_conn_params; 288 struct list_head le_conn_params;
289 struct list_head pend_le_conns;
285 290
286 struct hci_dev_stats stat; 291 struct hci_dev_stats stat;
287 292
@@ -303,6 +308,11 @@ struct hci_dev {
303 __u8 scan_rsp_data[HCI_MAX_AD_LENGTH]; 308 __u8 scan_rsp_data[HCI_MAX_AD_LENGTH];
304 __u8 scan_rsp_data_len; 309 __u8 scan_rsp_data_len;
305 310
311 __u8 irk[16];
312 __u32 rpa_timeout;
313 struct delayed_work rpa_expired;
314 bdaddr_t rpa;
315
306 int (*open)(struct hci_dev *hdev); 316 int (*open)(struct hci_dev *hdev);
307 int (*close)(struct hci_dev *hdev); 317 int (*close)(struct hci_dev *hdev);
308 int (*flush)(struct hci_dev *hdev); 318 int (*flush)(struct hci_dev *hdev);
@@ -322,6 +332,10 @@ struct hci_conn {
322 __u8 dst_type; 332 __u8 dst_type;
323 bdaddr_t src; 333 bdaddr_t src;
324 __u8 src_type; 334 __u8 src_type;
335 bdaddr_t init_addr;
336 __u8 init_addr_type;
337 bdaddr_t resp_addr;
338 __u8 resp_addr_type;
325 __u16 handle; 339 __u16 handle;
326 __u16 state; 340 __u16 state;
327 __u8 mode; 341 __u8 mode;
@@ -361,6 +375,7 @@ struct hci_conn {
361 struct delayed_work disc_work; 375 struct delayed_work disc_work;
362 struct delayed_work auto_accept_work; 376 struct delayed_work auto_accept_work;
363 struct delayed_work idle_work; 377 struct delayed_work idle_work;
378 struct delayed_work le_conn_timeout;
364 379
365 struct device dev; 380 struct device dev;
366 381
@@ -394,6 +409,12 @@ struct hci_conn_params {
394 409
395 u16 conn_min_interval; 410 u16 conn_min_interval;
396 u16 conn_max_interval; 411 u16 conn_max_interval;
412
413 enum {
414 HCI_AUTO_CONN_DISABLED,
415 HCI_AUTO_CONN_ALWAYS,
416 HCI_AUTO_CONN_LINK_LOSS,
417 } auto_connect;
397}; 418};
398 419
399extern struct list_head hci_dev_list; 420extern struct list_head hci_dev_list;
@@ -554,6 +575,13 @@ static inline unsigned int hci_conn_num(struct hci_dev *hdev, __u8 type)
554 } 575 }
555} 576}
556 577
578static inline unsigned int hci_conn_count(struct hci_dev *hdev)
579{
580 struct hci_conn_hash *c = &hdev->conn_hash;
581
582 return c->acl_num + c->amp_num + c->sco_num + c->le_num;
583}
584
557static inline struct hci_conn *hci_conn_hash_lookup_handle(struct hci_dev *hdev, 585static inline struct hci_conn *hci_conn_hash_lookup_handle(struct hci_dev *hdev,
558 __u16 handle) 586 __u16 handle)
559{ 587{
@@ -627,8 +655,10 @@ void hci_chan_del(struct hci_chan *chan);
627void hci_chan_list_flush(struct hci_conn *conn); 655void hci_chan_list_flush(struct hci_conn *conn);
628struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle); 656struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle);
629 657
630struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, 658struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
631 __u8 dst_type, __u8 sec_level, __u8 auth_type); 659 u8 dst_type, u8 sec_level, u8 auth_type);
660struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
661 u8 sec_level, u8 auth_type);
632struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, 662struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
633 __u16 setting); 663 __u16 setting);
634int hci_conn_check_link_mode(struct hci_conn *conn); 664int hci_conn_check_link_mode(struct hci_conn *conn);
@@ -639,6 +669,8 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role);
639 669
640void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active); 670void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
641 671
672void hci_le_conn_failed(struct hci_conn *conn, u8 status);
673
642/* 674/*
643 * hci_conn_get() and hci_conn_put() are used to control the life-time of an 675 * hci_conn_get() and hci_conn_put() are used to control the life-time of an
644 * "hci_conn" object. They do not guarantee that the hci_conn object is running, 676 * "hci_conn" object. They do not guarantee that the hci_conn object is running,
@@ -770,28 +802,42 @@ int hci_inquiry(void __user *arg);
770 802
771struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, 803struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
772 bdaddr_t *bdaddr, u8 type); 804 bdaddr_t *bdaddr, u8 type);
773void hci_blacklist_clear(struct hci_dev *hdev);
774int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 805int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
775int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type); 806int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
776 807
808struct bdaddr_list *hci_white_list_lookup(struct hci_dev *hdev,
809 bdaddr_t *bdaddr, u8 type);
810void hci_white_list_clear(struct hci_dev *hdev);
811int hci_white_list_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
812int hci_white_list_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type);
813
777struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, 814struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
778 bdaddr_t *addr, u8 addr_type); 815 bdaddr_t *addr, u8 addr_type);
779void hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type, 816int hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
780 u16 conn_min_interval, u16 conn_max_interval); 817 u8 auto_connect, u16 conn_min_interval,
818 u16 conn_max_interval);
781void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); 819void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
782void hci_conn_params_clear(struct hci_dev *hdev); 820void hci_conn_params_clear(struct hci_dev *hdev);
783 821
822struct bdaddr_list *hci_pend_le_conn_lookup(struct hci_dev *hdev,
823 bdaddr_t *addr, u8 addr_type);
824void hci_pend_le_conn_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
825void hci_pend_le_conn_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type);
826void hci_pend_le_conns_clear(struct hci_dev *hdev);
827
828void hci_update_background_scan(struct hci_dev *hdev);
829
784void hci_uuids_clear(struct hci_dev *hdev); 830void hci_uuids_clear(struct hci_dev *hdev);
785 831
786void hci_link_keys_clear(struct hci_dev *hdev); 832void hci_link_keys_clear(struct hci_dev *hdev);
787struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr); 833struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
788int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 834int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
789 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len); 835 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len);
790struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8], 836struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand,
791 bool master); 837 bool master);
792struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, 838struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
793 u8 addr_type, u8 type, u8 authenticated, 839 u8 addr_type, u8 type, u8 authenticated,
794 u8 tk[16], u8 enc_size, __le16 ediv, u8 rand[8]); 840 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand);
795struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr, 841struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
796 u8 addr_type, bool master); 842 u8 addr_type, bool master);
797int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type); 843int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type);
@@ -1115,6 +1161,9 @@ void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
1115 const void *param, u8 event); 1161 const void *param, u8 event);
1116void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status); 1162void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status);
1117 1163
1164void hci_req_add_le_scan_disable(struct hci_request *req);
1165void hci_req_add_le_passive_scan(struct hci_request *req);
1166
1118struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen, 1167struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
1119 const void *param, u32 timeout); 1168 const void *param, u32 timeout);
1120struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen, 1169struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
@@ -1160,6 +1209,7 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered);
1160void mgmt_discoverable_timeout(struct hci_dev *hdev); 1209void mgmt_discoverable_timeout(struct hci_dev *hdev);
1161void mgmt_discoverable(struct hci_dev *hdev, u8 discoverable); 1210void mgmt_discoverable(struct hci_dev *hdev, u8 discoverable);
1162void mgmt_connectable(struct hci_dev *hdev, u8 connectable); 1211void mgmt_connectable(struct hci_dev *hdev, u8 connectable);
1212void mgmt_advertising(struct hci_dev *hdev, u8 advertising);
1163void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status); 1213void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status);
1164void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key, 1214void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
1165 bool persistent); 1215 bool persistent);
@@ -1167,7 +1217,8 @@ void mgmt_device_connected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
1167 u8 addr_type, u32 flags, u8 *name, u8 name_len, 1217 u8 addr_type, u32 flags, u8 *name, u8 name_len,
1168 u8 *dev_class); 1218 u8 *dev_class);
1169void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, 1219void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
1170 u8 link_type, u8 addr_type, u8 reason); 1220 u8 link_type, u8 addr_type, u8 reason,
1221 bool mgmt_connected);
1171void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, 1222void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
1172 u8 link_type, u8 addr_type, u8 status); 1223 u8 link_type, u8 addr_type, u8 status);
1173void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 1224void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
@@ -1247,9 +1298,14 @@ struct hci_sec_filter {
1247 1298
1248void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, 1299void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
1249 u16 latency, u16 to_multiplier); 1300 u16 latency, u16 to_multiplier);
1250void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8], 1301void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
1251 __u8 ltk[16]); 1302 __u8 ltk[16]);
1252 1303
1304int hci_update_random_address(struct hci_request *req, bool require_privacy,
1305 u8 *own_addr_type);
1306void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
1307 u8 *bdaddr_type);
1308
1253#define SCO_AIRMODE_MASK 0x0003 1309#define SCO_AIRMODE_MASK 0x0003
1254#define SCO_AIRMODE_CVSD 0x0000 1310#define SCO_AIRMODE_CVSD 0x0000
1255#define SCO_AIRMODE_TRANSP 0x0003 1311#define SCO_AIRMODE_TRANSP 0x0003
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 2e46251e8aec..0326648fd799 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -96,6 +96,7 @@ struct mgmt_rp_read_index_list {
96#define MGMT_SETTING_ADVERTISING 0x00000400 96#define MGMT_SETTING_ADVERTISING 0x00000400
97#define MGMT_SETTING_SECURE_CONN 0x00000800 97#define MGMT_SETTING_SECURE_CONN 0x00000800
98#define MGMT_SETTING_DEBUG_KEYS 0x00001000 98#define MGMT_SETTING_DEBUG_KEYS 0x00001000
99#define MGMT_SETTING_PRIVACY 0x00002000
99 100
100#define MGMT_OP_READ_INFO 0x0004 101#define MGMT_OP_READ_INFO 0x0004
101#define MGMT_READ_INFO_SIZE 0 102#define MGMT_READ_INFO_SIZE 0
@@ -186,7 +187,7 @@ struct mgmt_ltk_info {
186 __u8 master; 187 __u8 master;
187 __u8 enc_size; 188 __u8 enc_size;
188 __le16 ediv; 189 __le16 ediv;
189 __u8 rand[8]; 190 __le64 rand;
190 __u8 val[16]; 191 __u8 val[16];
191} __packed; 192} __packed;
192 193
@@ -389,6 +390,13 @@ struct mgmt_cp_set_scan_params {
389 390
390#define MGMT_OP_SET_DEBUG_KEYS 0x002E 391#define MGMT_OP_SET_DEBUG_KEYS 0x002E
391 392
393#define MGMT_OP_SET_PRIVACY 0x002F
394struct mgmt_cp_set_privacy {
395 __u8 privacy;
396 __u8 irk[16];
397} __packed;
398#define MGMT_SET_PRIVACY_SIZE 17
399
392struct mgmt_irk_info { 400struct mgmt_irk_info {
393 struct mgmt_addr_info addr; 401 struct mgmt_addr_info addr;
394 __u8 val[16]; 402 __u8 val[16];
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index bd66c52eff95..7c713c4675ba 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -231,7 +231,7 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
232} 232}
233 233
234void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8], 234void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
235 __u8 ltk[16]) 235 __u8 ltk[16])
236{ 236{
237 struct hci_dev *hdev = conn->hdev; 237 struct hci_dev *hdev = conn->hdev;
@@ -242,9 +242,9 @@ void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
242 memset(&cp, 0, sizeof(cp)); 242 memset(&cp, 0, sizeof(cp));
243 243
244 cp.handle = cpu_to_le16(conn->handle); 244 cp.handle = cpu_to_le16(conn->handle);
245 memcpy(cp.ltk, ltk, sizeof(cp.ltk)); 245 cp.rand = rand;
246 cp.ediv = ediv; 246 cp.ediv = ediv;
247 memcpy(cp.rand, rand, sizeof(cp.rand)); 247 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
248 248
249 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 249 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
250} 250}
@@ -363,6 +363,16 @@ static void hci_conn_auto_accept(struct work_struct *work)
363 &conn->dst); 363 &conn->dst);
364} 364}
365 365
366static void le_conn_timeout(struct work_struct *work)
367{
368 struct hci_conn *conn = container_of(work, struct hci_conn,
369 le_conn_timeout.work);
370
371 BT_DBG("");
372
373 hci_le_create_connection_cancel(conn);
374}
375
366struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 376struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
367{ 377{
368 struct hci_conn *conn; 378 struct hci_conn *conn;
@@ -410,6 +420,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
410 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 420 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
411 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 421 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
412 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 422 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
423 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
413 424
414 atomic_set(&conn->refcnt, 0); 425 atomic_set(&conn->refcnt, 0);
415 426
@@ -442,6 +453,8 @@ int hci_conn_del(struct hci_conn *conn)
442 /* Unacked frames */ 453 /* Unacked frames */
443 hdev->acl_cnt += conn->sent; 454 hdev->acl_cnt += conn->sent;
444 } else if (conn->type == LE_LINK) { 455 } else if (conn->type == LE_LINK) {
456 cancel_delayed_work_sync(&conn->le_conn_timeout);
457
445 if (hdev->le_pkts) 458 if (hdev->le_pkts)
446 hdev->le_cnt += conn->sent; 459 hdev->le_cnt += conn->sent;
447 else 460 else
@@ -515,7 +528,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
515EXPORT_SYMBOL(hci_get_route); 528EXPORT_SYMBOL(hci_get_route);
516 529
517/* This function requires the caller holds hdev->lock */ 530/* This function requires the caller holds hdev->lock */
518static void le_conn_failed(struct hci_conn *conn, u8 status) 531void hci_le_conn_failed(struct hci_conn *conn, u8 status)
519{ 532{
520 struct hci_dev *hdev = conn->hdev; 533 struct hci_dev *hdev = conn->hdev;
521 534
@@ -527,6 +540,11 @@ static void le_conn_failed(struct hci_conn *conn, u8 status)
527 hci_proto_connect_cfm(conn, status); 540 hci_proto_connect_cfm(conn, status);
528 541
529 hci_conn_del(conn); 542 hci_conn_del(conn);
543
544 /* Since we may have temporarily stopped the background scanning in
545 * favor of connection establishment, we should restart it.
546 */
547 hci_update_background_scan(hdev);
530} 548}
531 549
532static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 550static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
@@ -545,50 +563,55 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
545 if (!conn) 563 if (!conn)
546 goto done; 564 goto done;
547 565
548 le_conn_failed(conn, status); 566 hci_le_conn_failed(conn, status);
549 567
550done: 568done:
551 hci_dev_unlock(hdev); 569 hci_dev_unlock(hdev);
552} 570}
553 571
554static int hci_create_le_conn(struct hci_conn *conn) 572static void hci_req_add_le_create_conn(struct hci_request *req,
573 struct hci_conn *conn)
555{ 574{
556 struct hci_dev *hdev = conn->hdev;
557 struct hci_cp_le_create_conn cp; 575 struct hci_cp_le_create_conn cp;
558 struct hci_request req; 576 struct hci_dev *hdev = conn->hdev;
559 int err; 577 u8 own_addr_type;
560
561 hci_req_init(&req, hdev);
562 578
563 memset(&cp, 0, sizeof(cp)); 579 memset(&cp, 0, sizeof(cp));
580
581 /* Update random address, but set require_privacy to false so
582 * that we never connect with an unresolvable address.
583 */
584 if (hci_update_random_address(req, false, &own_addr_type))
585 return;
586
587 /* Save the address type used for this connnection attempt so we able
588 * to retrieve this information if we need it.
589 */
590 conn->src_type = own_addr_type;
591
564 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval); 592 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
565 cp.scan_window = cpu_to_le16(hdev->le_scan_window); 593 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
566 bacpy(&cp.peer_addr, &conn->dst); 594 bacpy(&cp.peer_addr, &conn->dst);
567 cp.peer_addr_type = conn->dst_type; 595 cp.peer_addr_type = conn->dst_type;
568 cp.own_address_type = conn->src_type; 596 cp.own_address_type = own_addr_type;
569 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval); 597 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
570 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval); 598 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
571 cp.supervision_timeout = __constant_cpu_to_le16(0x002a); 599 cp.supervision_timeout = __constant_cpu_to_le16(0x002a);
572 cp.min_ce_len = __constant_cpu_to_le16(0x0000); 600 cp.min_ce_len = __constant_cpu_to_le16(0x0000);
573 cp.max_ce_len = __constant_cpu_to_le16(0x0000); 601 cp.max_ce_len = __constant_cpu_to_le16(0x0000);
574 602
575 hci_req_add(&req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp); 603 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
576 604
577 err = hci_req_run(&req, create_le_conn_complete); 605 conn->state = BT_CONNECT;
578 if (err) {
579 hci_conn_del(conn);
580 return err;
581 }
582
583 return 0;
584} 606}
585 607
586static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 608struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
587 u8 dst_type, u8 sec_level, u8 auth_type) 609 u8 dst_type, u8 sec_level, u8 auth_type)
588{ 610{
589 struct hci_conn_params *params; 611 struct hci_conn_params *params;
590 struct hci_conn *conn; 612 struct hci_conn *conn;
591 struct smp_irk *irk; 613 struct smp_irk *irk;
614 struct hci_request req;
592 int err; 615 int err;
593 616
594 if (test_bit(HCI_ADVERTISING, &hdev->flags)) 617 if (test_bit(HCI_ADVERTISING, &hdev->flags))
@@ -617,12 +640,6 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
617 if (conn) 640 if (conn)
618 return ERR_PTR(-EBUSY); 641 return ERR_PTR(-EBUSY);
619 642
620 /* Convert from L2CAP channel address type to HCI address type */
621 if (dst_type == BDADDR_LE_PUBLIC)
622 dst_type = ADDR_LE_DEV_PUBLIC;
623 else
624 dst_type = ADDR_LE_DEV_RANDOM;
625
626 /* When given an identity address with existing identity 643 /* When given an identity address with existing identity
627 * resolving key, the connection needs to be established 644 * resolving key, the connection needs to be established
628 * to a resolvable random address. 645 * to a resolvable random address.
@@ -647,9 +664,7 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
647 return ERR_PTR(-ENOMEM); 664 return ERR_PTR(-ENOMEM);
648 665
649 conn->dst_type = dst_type; 666 conn->dst_type = dst_type;
650 conn->src_type = hdev->own_addr_type;
651 667
652 conn->state = BT_CONNECT;
653 conn->out = true; 668 conn->out = true;
654 conn->link_mode |= HCI_LM_MASTER; 669 conn->link_mode |= HCI_LM_MASTER;
655 conn->sec_level = BT_SECURITY_LOW; 670 conn->sec_level = BT_SECURITY_LOW;
@@ -665,17 +680,34 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
665 conn->le_conn_max_interval = hdev->le_conn_max_interval; 680 conn->le_conn_max_interval = hdev->le_conn_max_interval;
666 } 681 }
667 682
668 err = hci_create_le_conn(conn); 683 hci_req_init(&req, hdev);
669 if (err) 684
685 /* If controller is scanning, we stop it since some controllers are
686 * not able to scan and connect at the same time. Also set the
687 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
688 * handler for scan disabling knows to set the correct discovery
689 * state.
690 */
691 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
692 hci_req_add_le_scan_disable(&req);
693 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
694 }
695
696 hci_req_add_le_create_conn(&req, conn);
697
698 err = hci_req_run(&req, create_le_conn_complete);
699 if (err) {
700 hci_conn_del(conn);
670 return ERR_PTR(err); 701 return ERR_PTR(err);
702 }
671 703
672done: 704done:
673 hci_conn_hold(conn); 705 hci_conn_hold(conn);
674 return conn; 706 return conn;
675} 707}
676 708
677static struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 709struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
678 u8 sec_level, u8 auth_type) 710 u8 sec_level, u8 auth_type)
679{ 711{
680 struct hci_conn *acl; 712 struct hci_conn *acl;
681 713
@@ -744,22 +776,6 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
744 return sco; 776 return sco;
745} 777}
746 778
747/* Create SCO, ACL or LE connection. */
748struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst,
749 __u8 dst_type, __u8 sec_level, __u8 auth_type)
750{
751 BT_DBG("%s dst %pMR type 0x%x", hdev->name, dst, type);
752
753 switch (type) {
754 case LE_LINK:
755 return hci_connect_le(hdev, dst, dst_type, sec_level, auth_type);
756 case ACL_LINK:
757 return hci_connect_acl(hdev, dst, sec_level, auth_type);
758 }
759
760 return ERR_PTR(-EINVAL);
761}
762
763/* Check link security requirement */ 779/* Check link security requirement */
764int hci_conn_check_link_mode(struct hci_conn *conn) 780int hci_conn_check_link_mode(struct hci_conn *conn)
765{ 781{
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 964aa8deb009..8bbfdea9cbec 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -492,6 +492,37 @@ static int idle_timeout_get(void *data, u64 *val)
492DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get, 492DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get,
493 idle_timeout_set, "%llu\n"); 493 idle_timeout_set, "%llu\n");
494 494
495static int rpa_timeout_set(void *data, u64 val)
496{
497 struct hci_dev *hdev = data;
498
499 /* Require the RPA timeout to be at least 30 seconds and at most
500 * 24 hours.
501 */
502 if (val < 30 || val > (60 * 60 * 24))
503 return -EINVAL;
504
505 hci_dev_lock(hdev);
506 hdev->rpa_timeout = val;
507 hci_dev_unlock(hdev);
508
509 return 0;
510}
511
512static int rpa_timeout_get(void *data, u64 *val)
513{
514 struct hci_dev *hdev = data;
515
516 hci_dev_lock(hdev);
517 *val = hdev->rpa_timeout;
518 hci_dev_unlock(hdev);
519
520 return 0;
521}
522
523DEFINE_SIMPLE_ATTRIBUTE(rpa_timeout_fops, rpa_timeout_get,
524 rpa_timeout_set, "%llu\n");
525
495static int sniff_min_interval_set(void *data, u64 val) 526static int sniff_min_interval_set(void *data, u64 val)
496{ 527{
497 struct hci_dev *hdev = data; 528 struct hci_dev *hdev = data;
@@ -548,6 +579,36 @@ static int sniff_max_interval_get(void *data, u64 *val)
548DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get, 579DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
549 sniff_max_interval_set, "%llu\n"); 580 sniff_max_interval_set, "%llu\n");
550 581
582static int identity_show(struct seq_file *f, void *p)
583{
584 struct hci_dev *hdev = f->private;
585 bdaddr_t addr;
586 u8 addr_type;
587
588 hci_dev_lock(hdev);
589
590 hci_copy_identity_address(hdev, &addr, &addr_type);
591
592 seq_printf(f, "%pMR (type %u) %*phN %pMR\n", &addr, addr_type,
593 16, hdev->irk, &hdev->rpa);
594
595 hci_dev_unlock(hdev);
596
597 return 0;
598}
599
600static int identity_open(struct inode *inode, struct file *file)
601{
602 return single_open(file, identity_show, inode->i_private);
603}
604
605static const struct file_operations identity_fops = {
606 .open = identity_open,
607 .read = seq_read,
608 .llseek = seq_lseek,
609 .release = single_release,
610};
611
551static int random_address_show(struct seq_file *f, void *p) 612static int random_address_show(struct seq_file *f, void *p)
552{ 613{
553 struct hci_dev *hdev = f->private; 614 struct hci_dev *hdev = f->private;
@@ -641,6 +702,31 @@ static const struct file_operations force_static_address_fops = {
641 .llseek = default_llseek, 702 .llseek = default_llseek,
642}; 703};
643 704
705static int white_list_show(struct seq_file *f, void *ptr)
706{
707 struct hci_dev *hdev = f->private;
708 struct bdaddr_list *b;
709
710 hci_dev_lock(hdev);
711 list_for_each_entry(b, &hdev->le_white_list, list)
712 seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
713 hci_dev_unlock(hdev);
714
715 return 0;
716}
717
718static int white_list_open(struct inode *inode, struct file *file)
719{
720 return single_open(file, white_list_show, inode->i_private);
721}
722
723static const struct file_operations white_list_fops = {
724 .open = white_list_open,
725 .read = seq_read,
726 .llseek = seq_lseek,
727 .release = single_release,
728};
729
644static int identity_resolving_keys_show(struct seq_file *f, void *ptr) 730static int identity_resolving_keys_show(struct seq_file *f, void *ptr)
645{ 731{
646 struct hci_dev *hdev = f->private; 732 struct hci_dev *hdev = f->private;
@@ -679,10 +765,10 @@ static int long_term_keys_show(struct seq_file *f, void *ptr)
679 hci_dev_lock(hdev); 765 hci_dev_lock(hdev);
680 list_for_each_safe(p, n, &hdev->long_term_keys) { 766 list_for_each_safe(p, n, &hdev->long_term_keys) {
681 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list); 767 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
682 seq_printf(f, "%pMR (type %u) %u 0x%02x %u %.4x %*phN %*phN\n", 768 seq_printf(f, "%pMR (type %u) %u 0x%02x %u %.4x %.16llx %*phN\n",
683 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated, 769 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated,
684 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv), 770 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
685 8, ltk->rand, 16, ltk->val); 771 __le64_to_cpu(ltk->rand), 16, ltk->val);
686 } 772 }
687 hci_dev_unlock(hdev); 773 hci_dev_unlock(hdev);
688 774
@@ -828,6 +914,115 @@ static const struct file_operations lowpan_debugfs_fops = {
828 .llseek = default_llseek, 914 .llseek = default_llseek,
829}; 915};
830 916
917static int le_auto_conn_show(struct seq_file *sf, void *ptr)
918{
919 struct hci_dev *hdev = sf->private;
920 struct hci_conn_params *p;
921
922 hci_dev_lock(hdev);
923
924 list_for_each_entry(p, &hdev->le_conn_params, list) {
925 seq_printf(sf, "%pMR %u %u\n", &p->addr, p->addr_type,
926 p->auto_connect);
927 }
928
929 hci_dev_unlock(hdev);
930
931 return 0;
932}
933
934static int le_auto_conn_open(struct inode *inode, struct file *file)
935{
936 return single_open(file, le_auto_conn_show, inode->i_private);
937}
938
939static ssize_t le_auto_conn_write(struct file *file, const char __user *data,
940 size_t count, loff_t *offset)
941{
942 struct seq_file *sf = file->private_data;
943 struct hci_dev *hdev = sf->private;
944 u8 auto_connect = 0;
945 bdaddr_t addr;
946 u8 addr_type;
947 char *buf;
948 int err = 0;
949 int n;
950
951 /* Don't allow partial write */
952 if (*offset != 0)
953 return -EINVAL;
954
955 if (count < 3)
956 return -EINVAL;
957
958 buf = kzalloc(count, GFP_KERNEL);
959 if (!buf)
960 return -ENOMEM;
961
962 if (copy_from_user(buf, data, count)) {
963 err = -EFAULT;
964 goto done;
965 }
966
967 if (memcmp(buf, "add", 3) == 0) {
968 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu",
969 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
970 &addr.b[1], &addr.b[0], &addr_type,
971 &auto_connect);
972
973 if (n < 7) {
974 err = -EINVAL;
975 goto done;
976 }
977
978 hci_dev_lock(hdev);
979 err = hci_conn_params_add(hdev, &addr, addr_type, auto_connect,
980 hdev->le_conn_min_interval,
981 hdev->le_conn_max_interval);
982 hci_dev_unlock(hdev);
983
984 if (err)
985 goto done;
986 } else if (memcmp(buf, "del", 3) == 0) {
987 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu",
988 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
989 &addr.b[1], &addr.b[0], &addr_type);
990
991 if (n < 7) {
992 err = -EINVAL;
993 goto done;
994 }
995
996 hci_dev_lock(hdev);
997 hci_conn_params_del(hdev, &addr, addr_type);
998 hci_dev_unlock(hdev);
999 } else if (memcmp(buf, "clr", 3) == 0) {
1000 hci_dev_lock(hdev);
1001 hci_conn_params_clear(hdev);
1002 hci_pend_le_conns_clear(hdev);
1003 hci_update_background_scan(hdev);
1004 hci_dev_unlock(hdev);
1005 } else {
1006 err = -EINVAL;
1007 }
1008
1009done:
1010 kfree(buf);
1011
1012 if (err)
1013 return err;
1014 else
1015 return count;
1016}
1017
1018static const struct file_operations le_auto_conn_fops = {
1019 .open = le_auto_conn_open,
1020 .read = seq_read,
1021 .write = le_auto_conn_write,
1022 .llseek = seq_lseek,
1023 .release = single_release,
1024};
1025
831/* ---- HCI requests ---- */ 1026/* ---- HCI requests ---- */
832 1027
833static void hci_req_sync_complete(struct hci_dev *hdev, u8 result) 1028static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
@@ -1176,14 +1371,17 @@ static void le_setup(struct hci_request *req)
1176 /* Read LE Local Supported Features */ 1371 /* Read LE Local Supported Features */
1177 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL); 1372 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
1178 1373
1374 /* Read LE Supported States */
1375 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
1376
1179 /* Read LE Advertising Channel TX Power */ 1377 /* Read LE Advertising Channel TX Power */
1180 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL); 1378 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
1181 1379
1182 /* Read LE White List Size */ 1380 /* Read LE White List Size */
1183 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL); 1381 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
1184 1382
1185 /* Read LE Supported States */ 1383 /* Clear LE White List */
1186 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL); 1384 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
1187 1385
1188 /* LE-only controllers have LE implicitly enabled */ 1386 /* LE-only controllers have LE implicitly enabled */
1189 if (!lmp_bredr_capable(hdev)) 1387 if (!lmp_bredr_capable(hdev))
@@ -1475,23 +1673,8 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
1475 if (hdev->commands[5] & 0x10) 1673 if (hdev->commands[5] & 0x10)
1476 hci_setup_link_policy(req); 1674 hci_setup_link_policy(req);
1477 1675
1478 if (lmp_le_capable(hdev)) { 1676 if (lmp_le_capable(hdev))
1479 /* If the controller has a public BD_ADDR, then by default
1480 * use that one. If this is a LE only controller without
1481 * a public address, default to the random address.
1482 *
1483 * For debugging purposes it is possible to force
1484 * controllers with a public address to use the
1485 * random address instead.
1486 */
1487 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
1488 !bacmp(&hdev->bdaddr, BDADDR_ANY))
1489 hdev->own_addr_type = ADDR_LE_DEV_RANDOM;
1490 else
1491 hdev->own_addr_type = ADDR_LE_DEV_PUBLIC;
1492
1493 hci_set_le_support(req); 1677 hci_set_le_support(req);
1494 }
1495 1678
1496 /* Read features beyond page 1 if available */ 1679 /* Read features beyond page 1 if available */
1497 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) { 1680 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
@@ -1608,6 +1791,10 @@ static int __hci_init(struct hci_dev *hdev)
1608 } 1791 }
1609 1792
1610 if (lmp_le_capable(hdev)) { 1793 if (lmp_le_capable(hdev)) {
1794 debugfs_create_file("identity", 0400, hdev->debugfs,
1795 hdev, &identity_fops);
1796 debugfs_create_file("rpa_timeout", 0644, hdev->debugfs,
1797 hdev, &rpa_timeout_fops);
1611 debugfs_create_file("random_address", 0444, hdev->debugfs, 1798 debugfs_create_file("random_address", 0444, hdev->debugfs,
1612 hdev, &random_address_fops); 1799 hdev, &random_address_fops);
1613 debugfs_create_file("static_address", 0444, hdev->debugfs, 1800 debugfs_create_file("static_address", 0444, hdev->debugfs,
@@ -1624,6 +1811,8 @@ static int __hci_init(struct hci_dev *hdev)
1624 1811
1625 debugfs_create_u8("white_list_size", 0444, hdev->debugfs, 1812 debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1626 &hdev->le_white_list_size); 1813 &hdev->le_white_list_size);
1814 debugfs_create_file("white_list", 0444, hdev->debugfs, hdev,
1815 &white_list_fops);
1627 debugfs_create_file("identity_resolving_keys", 0400, 1816 debugfs_create_file("identity_resolving_keys", 0400,
1628 hdev->debugfs, hdev, 1817 hdev->debugfs, hdev,
1629 &identity_resolving_keys_fops); 1818 &identity_resolving_keys_fops);
@@ -1637,6 +1826,8 @@ static int __hci_init(struct hci_dev *hdev)
1637 hdev, &adv_channel_map_fops); 1826 hdev, &adv_channel_map_fops);
1638 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev, 1827 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev,
1639 &lowpan_debugfs_fops); 1828 &lowpan_debugfs_fops);
1829 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev,
1830 &le_auto_conn_fops);
1640 } 1831 }
1641 1832
1642 return 0; 1833 return 0;
@@ -1729,6 +1920,8 @@ void hci_discovery_set_state(struct hci_dev *hdev, int state)
1729 1920
1730 switch (state) { 1921 switch (state) {
1731 case DISCOVERY_STOPPED: 1922 case DISCOVERY_STOPPED:
1923 hci_update_background_scan(hdev);
1924
1732 if (hdev->discovery.state != DISCOVERY_STARTING) 1925 if (hdev->discovery.state != DISCOVERY_STARTING)
1733 mgmt_discovering(hdev, 0); 1926 mgmt_discovering(hdev, 0);
1734 break; 1927 break;
@@ -2102,6 +2295,7 @@ static int hci_dev_do_open(struct hci_dev *hdev)
2102 2295
2103 if (!ret) { 2296 if (!ret) {
2104 hci_dev_hold(hdev); 2297 hci_dev_hold(hdev);
2298 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
2105 set_bit(HCI_UP, &hdev->flags); 2299 set_bit(HCI_UP, &hdev->flags);
2106 hci_notify(hdev, HCI_DEV_UP); 2300 hci_notify(hdev, HCI_DEV_UP);
2107 if (!test_bit(HCI_SETUP, &hdev->dev_flags) && 2301 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
@@ -2200,9 +2394,13 @@ static int hci_dev_do_close(struct hci_dev *hdev)
2200 2394
2201 cancel_delayed_work_sync(&hdev->le_scan_disable); 2395 cancel_delayed_work_sync(&hdev->le_scan_disable);
2202 2396
2397 if (test_bit(HCI_MGMT, &hdev->dev_flags))
2398 cancel_delayed_work_sync(&hdev->rpa_expired);
2399
2203 hci_dev_lock(hdev); 2400 hci_dev_lock(hdev);
2204 hci_inquiry_cache_flush(hdev); 2401 hci_inquiry_cache_flush(hdev);
2205 hci_conn_hash_flush(hdev); 2402 hci_conn_hash_flush(hdev);
2403 hci_pend_le_conns_clear(hdev);
2206 hci_dev_unlock(hdev); 2404 hci_dev_unlock(hdev);
2207 2405
2208 hci_notify(hdev, HCI_DEV_DOWN); 2406 hci_notify(hdev, HCI_DEV_DOWN);
@@ -2723,14 +2921,13 @@ static bool ltk_type_master(u8 type)
2723 return false; 2921 return false;
2724} 2922}
2725 2923
2726struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8], 2924struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand,
2727 bool master) 2925 bool master)
2728{ 2926{
2729 struct smp_ltk *k; 2927 struct smp_ltk *k;
2730 2928
2731 list_for_each_entry(k, &hdev->long_term_keys, list) { 2929 list_for_each_entry(k, &hdev->long_term_keys, list) {
2732 if (k->ediv != ediv || 2930 if (k->ediv != ediv || k->rand != rand)
2733 memcmp(rand, k->rand, sizeof(k->rand)))
2734 continue; 2931 continue;
2735 2932
2736 if (ltk_type_master(k->type) != master) 2933 if (ltk_type_master(k->type) != master)
@@ -2848,7 +3045,7 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2848 3045
2849struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, 3046struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2850 u8 addr_type, u8 type, u8 authenticated, 3047 u8 addr_type, u8 type, u8 authenticated,
2851 u8 tk[16], u8 enc_size, __le16 ediv, u8 rand[8]) 3048 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2852{ 3049{
2853 struct smp_ltk *key, *old_key; 3050 struct smp_ltk *key, *old_key;
2854 bool master = ltk_type_master(type); 3051 bool master = ltk_type_master(type);
@@ -2868,9 +3065,9 @@ struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2868 memcpy(key->val, tk, sizeof(key->val)); 3065 memcpy(key->val, tk, sizeof(key->val));
2869 key->authenticated = authenticated; 3066 key->authenticated = authenticated;
2870 key->ediv = ediv; 3067 key->ediv = ediv;
3068 key->rand = rand;
2871 key->enc_size = enc_size; 3069 key->enc_size = enc_size;
2872 key->type = type; 3070 key->type = type;
2873 memcpy(key->rand, rand, sizeof(key->rand));
2874 3071
2875 return key; 3072 return key;
2876} 3073}
@@ -3070,7 +3267,7 @@ struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
3070 return NULL; 3267 return NULL;
3071} 3268}
3072 3269
3073void hci_blacklist_clear(struct hci_dev *hdev) 3270static void hci_blacklist_clear(struct hci_dev *hdev)
3074{ 3271{
3075 struct list_head *p, *n; 3272 struct list_head *p, *n;
3076 3273
@@ -3123,6 +3320,67 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3123 return mgmt_device_unblocked(hdev, bdaddr, type); 3320 return mgmt_device_unblocked(hdev, bdaddr, type);
3124} 3321}
3125 3322
3323struct bdaddr_list *hci_white_list_lookup(struct hci_dev *hdev,
3324 bdaddr_t *bdaddr, u8 type)
3325{
3326 struct bdaddr_list *b;
3327
3328 list_for_each_entry(b, &hdev->le_white_list, list) {
3329 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3330 return b;
3331 }
3332
3333 return NULL;
3334}
3335
3336void hci_white_list_clear(struct hci_dev *hdev)
3337{
3338 struct list_head *p, *n;
3339
3340 list_for_each_safe(p, n, &hdev->le_white_list) {
3341 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
3342
3343 list_del(p);
3344 kfree(b);
3345 }
3346}
3347
3348int hci_white_list_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3349{
3350 struct bdaddr_list *entry;
3351
3352 if (!bacmp(bdaddr, BDADDR_ANY))
3353 return -EBADF;
3354
3355 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
3356 if (!entry)
3357 return -ENOMEM;
3358
3359 bacpy(&entry->bdaddr, bdaddr);
3360 entry->bdaddr_type = type;
3361
3362 list_add(&entry->list, &hdev->le_white_list);
3363
3364 return 0;
3365}
3366
3367int hci_white_list_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3368{
3369 struct bdaddr_list *entry;
3370
3371 if (!bacmp(bdaddr, BDADDR_ANY))
3372 return -EBADF;
3373
3374 entry = hci_white_list_lookup(hdev, bdaddr, type);
3375 if (!entry)
3376 return -ENOENT;
3377
3378 list_del(&entry->list);
3379 kfree(entry);
3380
3381 return 0;
3382}
3383
3126/* This function requires the caller holds hdev->lock */ 3384/* This function requires the caller holds hdev->lock */
3127struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, 3385struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3128 bdaddr_t *addr, u8 addr_type) 3386 bdaddr_t *addr, u8 addr_type)
@@ -3139,35 +3397,81 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3139 return NULL; 3397 return NULL;
3140} 3398}
3141 3399
3400static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
3401{
3402 struct hci_conn *conn;
3403
3404 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
3405 if (!conn)
3406 return false;
3407
3408 if (conn->dst_type != type)
3409 return false;
3410
3411 if (conn->state != BT_CONNECTED)
3412 return false;
3413
3414 return true;
3415}
3416
3417static bool is_identity_address(bdaddr_t *addr, u8 addr_type)
3418{
3419 if (addr_type == ADDR_LE_DEV_PUBLIC)
3420 return true;
3421
3422 /* Check for Random Static address type */
3423 if ((addr->b[5] & 0xc0) == 0xc0)
3424 return true;
3425
3426 return false;
3427}
3428
3142/* This function requires the caller holds hdev->lock */ 3429/* This function requires the caller holds hdev->lock */
3143void hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type, 3430int hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
3144 u16 conn_min_interval, u16 conn_max_interval) 3431 u8 auto_connect, u16 conn_min_interval,
3432 u16 conn_max_interval)
3145{ 3433{
3146 struct hci_conn_params *params; 3434 struct hci_conn_params *params;
3147 3435
3436 if (!is_identity_address(addr, addr_type))
3437 return -EINVAL;
3438
3148 params = hci_conn_params_lookup(hdev, addr, addr_type); 3439 params = hci_conn_params_lookup(hdev, addr, addr_type);
3149 if (params) { 3440 if (params)
3150 params->conn_min_interval = conn_min_interval; 3441 goto update;
3151 params->conn_max_interval = conn_max_interval;
3152 return;
3153 }
3154 3442
3155 params = kzalloc(sizeof(*params), GFP_KERNEL); 3443 params = kzalloc(sizeof(*params), GFP_KERNEL);
3156 if (!params) { 3444 if (!params) {
3157 BT_ERR("Out of memory"); 3445 BT_ERR("Out of memory");
3158 return; 3446 return -ENOMEM;
3159 } 3447 }
3160 3448
3161 bacpy(&params->addr, addr); 3449 bacpy(&params->addr, addr);
3162 params->addr_type = addr_type; 3450 params->addr_type = addr_type;
3451
3452 list_add(&params->list, &hdev->le_conn_params);
3453
3454update:
3163 params->conn_min_interval = conn_min_interval; 3455 params->conn_min_interval = conn_min_interval;
3164 params->conn_max_interval = conn_max_interval; 3456 params->conn_max_interval = conn_max_interval;
3457 params->auto_connect = auto_connect;
3165 3458
3166 list_add(&params->list, &hdev->le_conn_params); 3459 switch (auto_connect) {
3460 case HCI_AUTO_CONN_DISABLED:
3461 case HCI_AUTO_CONN_LINK_LOSS:
3462 hci_pend_le_conn_del(hdev, addr, addr_type);
3463 break;
3464 case HCI_AUTO_CONN_ALWAYS:
3465 if (!is_connected(hdev, addr, addr_type))
3466 hci_pend_le_conn_add(hdev, addr, addr_type);
3467 break;
3468 }
3167 3469
3168 BT_DBG("addr %pMR (type %u) conn_min_interval 0x%.4x " 3470 BT_DBG("addr %pMR (type %u) auto_connect %u conn_min_interval 0x%.4x "
3169 "conn_max_interval 0x%.4x", addr, addr_type, conn_min_interval, 3471 "conn_max_interval 0x%.4x", addr, addr_type, auto_connect,
3170 conn_max_interval); 3472 conn_min_interval, conn_max_interval);
3473
3474 return 0;
3171} 3475}
3172 3476
3173/* This function requires the caller holds hdev->lock */ 3477/* This function requires the caller holds hdev->lock */
@@ -3179,6 +3483,8 @@ void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3179 if (!params) 3483 if (!params)
3180 return; 3484 return;
3181 3485
3486 hci_pend_le_conn_del(hdev, addr, addr_type);
3487
3182 list_del(&params->list); 3488 list_del(&params->list);
3183 kfree(params); 3489 kfree(params);
3184 3490
@@ -3198,6 +3504,78 @@ void hci_conn_params_clear(struct hci_dev *hdev)
3198 BT_DBG("All LE connection parameters were removed"); 3504 BT_DBG("All LE connection parameters were removed");
3199} 3505}
3200 3506
3507/* This function requires the caller holds hdev->lock */
3508struct bdaddr_list *hci_pend_le_conn_lookup(struct hci_dev *hdev,
3509 bdaddr_t *addr, u8 addr_type)
3510{
3511 struct bdaddr_list *entry;
3512
3513 list_for_each_entry(entry, &hdev->pend_le_conns, list) {
3514 if (bacmp(&entry->bdaddr, addr) == 0 &&
3515 entry->bdaddr_type == addr_type)
3516 return entry;
3517 }
3518
3519 return NULL;
3520}
3521
3522/* This function requires the caller holds hdev->lock */
3523void hci_pend_le_conn_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3524{
3525 struct bdaddr_list *entry;
3526
3527 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3528 if (entry)
3529 goto done;
3530
3531 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3532 if (!entry) {
3533 BT_ERR("Out of memory");
3534 return;
3535 }
3536
3537 bacpy(&entry->bdaddr, addr);
3538 entry->bdaddr_type = addr_type;
3539
3540 list_add(&entry->list, &hdev->pend_le_conns);
3541
3542 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3543
3544done:
3545 hci_update_background_scan(hdev);
3546}
3547
3548/* This function requires the caller holds hdev->lock */
3549void hci_pend_le_conn_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3550{
3551 struct bdaddr_list *entry;
3552
3553 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3554 if (!entry)
3555 goto done;
3556
3557 list_del(&entry->list);
3558 kfree(entry);
3559
3560 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3561
3562done:
3563 hci_update_background_scan(hdev);
3564}
3565
3566/* This function requires the caller holds hdev->lock */
3567void hci_pend_le_conns_clear(struct hci_dev *hdev)
3568{
3569 struct bdaddr_list *entry, *tmp;
3570
3571 list_for_each_entry_safe(entry, tmp, &hdev->pend_le_conns, list) {
3572 list_del(&entry->list);
3573 kfree(entry);
3574 }
3575
3576 BT_DBG("All LE pending connections cleared");
3577}
3578
3201static void inquiry_complete(struct hci_dev *hdev, u8 status) 3579static void inquiry_complete(struct hci_dev *hdev, u8 status)
3202{ 3580{
3203 if (status) { 3581 if (status) {
@@ -3257,7 +3635,6 @@ static void le_scan_disable_work(struct work_struct *work)
3257{ 3635{
3258 struct hci_dev *hdev = container_of(work, struct hci_dev, 3636 struct hci_dev *hdev = container_of(work, struct hci_dev,
3259 le_scan_disable.work); 3637 le_scan_disable.work);
3260 struct hci_cp_le_set_scan_enable cp;
3261 struct hci_request req; 3638 struct hci_request req;
3262 int err; 3639 int err;
3263 3640
@@ -3265,15 +3642,128 @@ static void le_scan_disable_work(struct work_struct *work)
3265 3642
3266 hci_req_init(&req, hdev); 3643 hci_req_init(&req, hdev);
3267 3644
3268 memset(&cp, 0, sizeof(cp)); 3645 hci_req_add_le_scan_disable(&req);
3269 cp.enable = LE_SCAN_DISABLE;
3270 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
3271 3646
3272 err = hci_req_run(&req, le_scan_disable_work_complete); 3647 err = hci_req_run(&req, le_scan_disable_work_complete);
3273 if (err) 3648 if (err)
3274 BT_ERR("Disable LE scanning request failed: err %d", err); 3649 BT_ERR("Disable LE scanning request failed: err %d", err);
3275} 3650}
3276 3651
3652static void set_random_addr(struct hci_request *req, bdaddr_t *rpa)
3653{
3654 struct hci_dev *hdev = req->hdev;
3655
3656 /* If we're advertising or initiating an LE connection we can't
3657 * go ahead and change the random address at this time. This is
3658 * because the eventual initiator address used for the
3659 * subsequently created connection will be undefined (some
3660 * controllers use the new address and others the one we had
3661 * when the operation started).
3662 *
3663 * In this kind of scenario skip the update and let the random
3664 * address be updated at the next cycle.
3665 */
3666 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
3667 hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT)) {
3668 BT_DBG("Deferring random address update");
3669 return;
3670 }
3671
3672 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6, rpa);
3673}
3674
3675int hci_update_random_address(struct hci_request *req, bool require_privacy,
3676 u8 *own_addr_type)
3677{
3678 struct hci_dev *hdev = req->hdev;
3679 int err;
3680
3681 /* If privacy is enabled use a resolvable private address. If
3682 * current RPA has expired or there is something else than
3683 * the current RPA in use, then generate a new one.
3684 */
3685 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3686 int to;
3687
3688 *own_addr_type = ADDR_LE_DEV_RANDOM;
3689
3690 if (!test_and_clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags) &&
3691 !bacmp(&hdev->random_addr, &hdev->rpa))
3692 return 0;
3693
3694 err = smp_generate_rpa(hdev->tfm_aes, hdev->irk, &hdev->rpa);
3695 if (err < 0) {
3696 BT_ERR("%s failed to generate new RPA", hdev->name);
3697 return err;
3698 }
3699
3700 set_random_addr(req, &hdev->rpa);
3701
3702 to = msecs_to_jiffies(hdev->rpa_timeout * 1000);
3703 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, to);
3704
3705 return 0;
3706 }
3707
3708 /* In case of required privacy without resolvable private address,
3709 * use an unresolvable private address. This is useful for active
3710 * scanning and non-connectable advertising.
3711 */
3712 if (require_privacy) {
3713 bdaddr_t urpa;
3714
3715 get_random_bytes(&urpa, 6);
3716 urpa.b[5] &= 0x3f; /* Clear two most significant bits */
3717
3718 *own_addr_type = ADDR_LE_DEV_RANDOM;
3719 set_random_addr(req, &urpa);
3720 return 0;
3721 }
3722
3723 /* If forcing static address is in use or there is no public
3724 * address use the static address as random address (but skip
3725 * the HCI command if the current random address is already the
3726 * static one.
3727 */
3728 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3729 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3730 *own_addr_type = ADDR_LE_DEV_RANDOM;
3731 if (bacmp(&hdev->static_addr, &hdev->random_addr))
3732 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
3733 &hdev->static_addr);
3734 return 0;
3735 }
3736
3737 /* Neither privacy nor static address is being used so use a
3738 * public address.
3739 */
3740 *own_addr_type = ADDR_LE_DEV_PUBLIC;
3741
3742 return 0;
3743}
3744
3745/* Copy the Identity Address of the controller.
3746 *
3747 * If the controller has a public BD_ADDR, then by default use that one.
3748 * If this is a LE only controller without a public address, default to
3749 * the static random address.
3750 *
3751 * For debugging purposes it is possible to force controllers with a
3752 * public address to use the static random address instead.
3753 */
3754void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
3755 u8 *bdaddr_type)
3756{
3757 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3758 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3759 bacpy(bdaddr, &hdev->static_addr);
3760 *bdaddr_type = ADDR_LE_DEV_RANDOM;
3761 } else {
3762 bacpy(bdaddr, &hdev->bdaddr);
3763 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
3764 }
3765}
3766
3277/* Alloc HCI device */ 3767/* Alloc HCI device */
3278struct hci_dev *hci_alloc_dev(void) 3768struct hci_dev *hci_alloc_dev(void)
3279{ 3769{
@@ -3300,6 +3790,8 @@ struct hci_dev *hci_alloc_dev(void)
3300 hdev->le_conn_min_interval = 0x0028; 3790 hdev->le_conn_min_interval = 0x0028;
3301 hdev->le_conn_max_interval = 0x0038; 3791 hdev->le_conn_max_interval = 0x0038;
3302 3792
3793 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3794
3303 mutex_init(&hdev->lock); 3795 mutex_init(&hdev->lock);
3304 mutex_init(&hdev->req_lock); 3796 mutex_init(&hdev->req_lock);
3305 3797
@@ -3310,7 +3802,9 @@ struct hci_dev *hci_alloc_dev(void)
3310 INIT_LIST_HEAD(&hdev->long_term_keys); 3802 INIT_LIST_HEAD(&hdev->long_term_keys);
3311 INIT_LIST_HEAD(&hdev->identity_resolving_keys); 3803 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
3312 INIT_LIST_HEAD(&hdev->remote_oob_data); 3804 INIT_LIST_HEAD(&hdev->remote_oob_data);
3805 INIT_LIST_HEAD(&hdev->le_white_list);
3313 INIT_LIST_HEAD(&hdev->le_conn_params); 3806 INIT_LIST_HEAD(&hdev->le_conn_params);
3807 INIT_LIST_HEAD(&hdev->pend_le_conns);
3314 INIT_LIST_HEAD(&hdev->conn_hash.list); 3808 INIT_LIST_HEAD(&hdev->conn_hash.list);
3315 3809
3316 INIT_WORK(&hdev->rx_work, hci_rx_work); 3810 INIT_WORK(&hdev->rx_work, hci_rx_work);
@@ -3511,7 +4005,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
3511 hci_smp_ltks_clear(hdev); 4005 hci_smp_ltks_clear(hdev);
3512 hci_smp_irks_clear(hdev); 4006 hci_smp_irks_clear(hdev);
3513 hci_remote_oob_data_clear(hdev); 4007 hci_remote_oob_data_clear(hdev);
4008 hci_white_list_clear(hdev);
3514 hci_conn_params_clear(hdev); 4009 hci_conn_params_clear(hdev);
4010 hci_pend_le_conns_clear(hdev);
3515 hci_dev_unlock(hdev); 4011 hci_dev_unlock(hdev);
3516 4012
3517 hci_dev_put(hdev); 4013 hci_dev_put(hdev);
@@ -4739,3 +5235,102 @@ static void hci_cmd_work(struct work_struct *work)
4739 } 5235 }
4740 } 5236 }
4741} 5237}
5238
5239void hci_req_add_le_scan_disable(struct hci_request *req)
5240{
5241 struct hci_cp_le_set_scan_enable cp;
5242
5243 memset(&cp, 0, sizeof(cp));
5244 cp.enable = LE_SCAN_DISABLE;
5245 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
5246}
5247
5248void hci_req_add_le_passive_scan(struct hci_request *req)
5249{
5250 struct hci_cp_le_set_scan_param param_cp;
5251 struct hci_cp_le_set_scan_enable enable_cp;
5252 struct hci_dev *hdev = req->hdev;
5253 u8 own_addr_type;
5254
5255 /* Set require_privacy to true to avoid identification from
5256 * unknown peer devices. Since this is passive scanning, no
5257 * SCAN_REQ using the local identity should be sent. Mandating
5258 * privacy is just an extra precaution.
5259 */
5260 if (hci_update_random_address(req, true, &own_addr_type))
5261 return;
5262
5263 memset(&param_cp, 0, sizeof(param_cp));
5264 param_cp.type = LE_SCAN_PASSIVE;
5265 param_cp.interval = cpu_to_le16(hdev->le_scan_interval);
5266 param_cp.window = cpu_to_le16(hdev->le_scan_window);
5267 param_cp.own_address_type = own_addr_type;
5268 hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
5269 &param_cp);
5270
5271 memset(&enable_cp, 0, sizeof(enable_cp));
5272 enable_cp.enable = LE_SCAN_ENABLE;
5273 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_DISABLE;
5274 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
5275 &enable_cp);
5276}
5277
5278static void update_background_scan_complete(struct hci_dev *hdev, u8 status)
5279{
5280 if (status)
5281 BT_DBG("HCI request failed to update background scanning: "
5282 "status 0x%2.2x", status);
5283}
5284
5285/* This function controls the background scanning based on hdev->pend_le_conns
5286 * list. If there are pending LE connection we start the background scanning,
5287 * otherwise we stop it.
5288 *
5289 * This function requires the caller holds hdev->lock.
5290 */
5291void hci_update_background_scan(struct hci_dev *hdev)
5292{
5293 struct hci_request req;
5294 struct hci_conn *conn;
5295 int err;
5296
5297 hci_req_init(&req, hdev);
5298
5299 if (list_empty(&hdev->pend_le_conns)) {
5300 /* If there is no pending LE connections, we should stop
5301 * the background scanning.
5302 */
5303
5304 /* If controller is not scanning we are done. */
5305 if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5306 return;
5307
5308 hci_req_add_le_scan_disable(&req);
5309
5310 BT_DBG("%s stopping background scanning", hdev->name);
5311 } else {
5312 /* If there is at least one pending LE connection, we should
5313 * keep the background scan running.
5314 */
5315
5316 /* If controller is already scanning we are done. */
5317 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5318 return;
5319
5320 /* If controller is connecting, we should not start scanning
5321 * since some controllers are not able to scan and connect at
5322 * the same time.
5323 */
5324 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
5325 if (conn)
5326 return;
5327
5328 hci_req_add_le_passive_scan(&req);
5329
5330 BT_DBG("%s starting background scanning", hdev->name);
5331 }
5332
5333 err = hci_req_run(&req, update_background_scan_complete);
5334 if (err)
5335 BT_ERR("Failed to run HCI request: err %d", err);
5336}
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4327b129d38e..c3b0a08f5ab4 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -991,12 +991,8 @@ static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
991 991
992 hci_dev_lock(hdev); 992 hci_dev_lock(hdev);
993 993
994 if (!status) { 994 if (!status)
995 if (*sent) 995 mgmt_advertising(hdev, *sent);
996 set_bit(HCI_ADVERTISING, &hdev->dev_flags);
997 else
998 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
999 }
1000 996
1001 hci_dev_unlock(hdev); 997 hci_dev_unlock(hdev);
1002} 998}
@@ -1022,7 +1018,19 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1022 break; 1018 break;
1023 1019
1024 case LE_SCAN_DISABLE: 1020 case LE_SCAN_DISABLE:
1021 /* Cancel this timer so that we don't try to disable scanning
1022 * when it's already disabled.
1023 */
1024 cancel_delayed_work(&hdev->le_scan_disable);
1025
1025 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1026 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1027 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1028 * interrupted scanning due to a connect request. Mark
1029 * therefore discovery as stopped.
1030 */
1031 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1032 &hdev->dev_flags))
1033 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1026 break; 1034 break;
1027 1035
1028 default: 1036 default:
@@ -1042,6 +1050,49 @@ static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1042 hdev->le_white_list_size = rp->size; 1050 hdev->le_white_list_size = rp->size;
1043} 1051}
1044 1052
1053static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1054 struct sk_buff *skb)
1055{
1056 __u8 status = *((__u8 *) skb->data);
1057
1058 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1059
1060 if (!status)
1061 hci_white_list_clear(hdev);
1062}
1063
1064static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1065 struct sk_buff *skb)
1066{
1067 struct hci_cp_le_add_to_white_list *sent;
1068 __u8 status = *((__u8 *) skb->data);
1069
1070 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1071
1072 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1073 if (!sent)
1074 return;
1075
1076 if (!status)
1077 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type);
1078}
1079
1080static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1081 struct sk_buff *skb)
1082{
1083 struct hci_cp_le_del_from_white_list *sent;
1084 __u8 status = *((__u8 *) skb->data);
1085
1086 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1087
1088 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1089 if (!sent)
1090 return;
1091
1092 if (!status)
1093 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type);
1094}
1095
1045static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1096static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1046 struct sk_buff *skb) 1097 struct sk_buff *skb)
1047{ 1098{
@@ -1082,6 +1133,25 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1082 } 1133 }
1083} 1134}
1084 1135
1136static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1137{
1138 struct hci_cp_le_set_adv_param *cp;
1139 u8 status = *((u8 *) skb->data);
1140
1141 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1142
1143 if (status)
1144 return;
1145
1146 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1147 if (!cp)
1148 return;
1149
1150 hci_dev_lock(hdev);
1151 hdev->adv_addr_type = cp->own_address_type;
1152 hci_dev_unlock(hdev);
1153}
1154
1085static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev, 1155static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1086 struct sk_buff *skb) 1156 struct sk_buff *skb)
1087{ 1157{
@@ -1583,6 +1653,57 @@ static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1583 amp_write_remote_assoc(hdev, cp->phy_handle); 1653 amp_write_remote_assoc(hdev, cp->phy_handle);
1584} 1654}
1585 1655
1656static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1657{
1658 struct hci_cp_le_create_conn *cp;
1659 struct hci_conn *conn;
1660
1661 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1662
1663 /* All connection failure handling is taken care of by the
1664 * hci_le_conn_failed function which is triggered by the HCI
1665 * request completion callbacks used for connecting.
1666 */
1667 if (status)
1668 return;
1669
1670 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1671 if (!cp)
1672 return;
1673
1674 hci_dev_lock(hdev);
1675
1676 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1677 if (!conn)
1678 goto unlock;
1679
1680 /* Store the initiator and responder address information which
1681 * is needed for SMP. These values will not change during the
1682 * lifetime of the connection.
1683 */
1684 conn->init_addr_type = cp->own_address_type;
1685 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1686 bacpy(&conn->init_addr, &hdev->random_addr);
1687 else
1688 bacpy(&conn->init_addr, &hdev->bdaddr);
1689
1690 conn->resp_addr_type = cp->peer_addr_type;
1691 bacpy(&conn->resp_addr, &cp->peer_addr);
1692
1693 /* We don't want the connection attempt to stick around
1694 * indefinitely since LE doesn't have a page timeout concept
1695 * like BR/EDR. Set a timer for any connection that doesn't use
1696 * the white list for connecting.
1697 */
1698 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1699 queue_delayed_work(conn->hdev->workqueue,
1700 &conn->le_conn_timeout,
1701 HCI_LE_CONN_TIMEOUT);
1702
1703unlock:
1704 hci_dev_unlock(hdev);
1705}
1706
1586static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1707static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1587{ 1708{
1588 __u8 status = *((__u8 *) skb->data); 1709 __u8 status = *((__u8 *) skb->data);
@@ -1845,7 +1966,9 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1845{ 1966{
1846 struct hci_ev_disconn_complete *ev = (void *) skb->data; 1967 struct hci_ev_disconn_complete *ev = (void *) skb->data;
1847 u8 reason = hci_to_mgmt_reason(ev->reason); 1968 u8 reason = hci_to_mgmt_reason(ev->reason);
1969 struct hci_conn_params *params;
1848 struct hci_conn *conn; 1970 struct hci_conn *conn;
1971 bool mgmt_connected;
1849 u8 type; 1972 u8 type;
1850 1973
1851 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 1974 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
@@ -1864,13 +1987,30 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1864 1987
1865 conn->state = BT_CLOSED; 1988 conn->state = BT_CLOSED;
1866 1989
1867 if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1990 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
1868 mgmt_device_disconnected(hdev, &conn->dst, conn->type, 1991 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
1869 conn->dst_type, reason); 1992 reason, mgmt_connected);
1870 1993
1871 if (conn->type == ACL_LINK && conn->flush_key) 1994 if (conn->type == ACL_LINK && conn->flush_key)
1872 hci_remove_link_key(hdev, &conn->dst); 1995 hci_remove_link_key(hdev, &conn->dst);
1873 1996
1997 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1998 if (params) {
1999 switch (params->auto_connect) {
2000 case HCI_AUTO_CONN_LINK_LOSS:
2001 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2002 break;
2003 /* Fall through */
2004
2005 case HCI_AUTO_CONN_ALWAYS:
2006 hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type);
2007 break;
2008
2009 default:
2010 break;
2011 }
2012 }
2013
1874 type = conn->type; 2014 type = conn->type;
1875 2015
1876 hci_proto_disconn_cfm(conn, ev->reason); 2016 hci_proto_disconn_cfm(conn, ev->reason);
@@ -2344,6 +2484,18 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2344 hci_cc_le_read_white_list_size(hdev, skb); 2484 hci_cc_le_read_white_list_size(hdev, skb);
2345 break; 2485 break;
2346 2486
2487 case HCI_OP_LE_CLEAR_WHITE_LIST:
2488 hci_cc_le_clear_white_list(hdev, skb);
2489 break;
2490
2491 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2492 hci_cc_le_add_to_white_list(hdev, skb);
2493 break;
2494
2495 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2496 hci_cc_le_del_from_white_list(hdev, skb);
2497 break;
2498
2347 case HCI_OP_LE_READ_SUPPORTED_STATES: 2499 case HCI_OP_LE_READ_SUPPORTED_STATES:
2348 hci_cc_le_read_supported_states(hdev, skb); 2500 hci_cc_le_read_supported_states(hdev, skb);
2349 break; 2501 break;
@@ -2352,6 +2504,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2352 hci_cc_write_le_host_supported(hdev, skb); 2504 hci_cc_write_le_host_supported(hdev, skb);
2353 break; 2505 break;
2354 2506
2507 case HCI_OP_LE_SET_ADV_PARAM:
2508 hci_cc_set_adv_param(hdev, skb);
2509 break;
2510
2355 case HCI_OP_WRITE_REMOTE_AMP_ASSOC: 2511 case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2356 hci_cc_write_remote_amp_assoc(hdev, skb); 2512 hci_cc_write_remote_amp_assoc(hdev, skb);
2357 break; 2513 break;
@@ -2439,6 +2595,10 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2439 hci_cs_accept_phylink(hdev, ev->status); 2595 hci_cs_accept_phylink(hdev, ev->status);
2440 break; 2596 break;
2441 2597
2598 case HCI_OP_LE_CREATE_CONN:
2599 hci_cs_le_create_conn(hdev, ev->status);
2600 break;
2601
2442 default: 2602 default:
2443 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2603 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2444 break; 2604 break;
@@ -3623,8 +3783,48 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3623 conn->out = true; 3783 conn->out = true;
3624 conn->link_mode |= HCI_LM_MASTER; 3784 conn->link_mode |= HCI_LM_MASTER;
3625 } 3785 }
3786
3787 /* If we didn't have a hci_conn object previously
3788 * but we're in master role this must be something
3789 * initiated using a white list. Since white list based
3790 * connections are not "first class citizens" we don't
3791 * have full tracking of them. Therefore, we go ahead
3792 * with a "best effort" approach of determining the
3793 * initiator address based on the HCI_PRIVACY flag.
3794 */
3795 if (conn->out) {
3796 conn->resp_addr_type = ev->bdaddr_type;
3797 bacpy(&conn->resp_addr, &ev->bdaddr);
3798 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3799 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
3800 bacpy(&conn->init_addr, &hdev->rpa);
3801 } else {
3802 hci_copy_identity_address(hdev,
3803 &conn->init_addr,
3804 &conn->init_addr_type);
3805 }
3806 } else {
3807 /* Set the responder (our side) address type based on
3808 * the advertising address type.
3809 */
3810 conn->resp_addr_type = hdev->adv_addr_type;
3811 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3812 bacpy(&conn->resp_addr, &hdev->random_addr);
3813 else
3814 bacpy(&conn->resp_addr, &hdev->bdaddr);
3815
3816 conn->init_addr_type = ev->bdaddr_type;
3817 bacpy(&conn->init_addr, &ev->bdaddr);
3818 }
3819 } else {
3820 cancel_delayed_work(&conn->le_conn_timeout);
3626 } 3821 }
3627 3822
3823 /* Ensure that the hci_conn contains the identity address type
3824 * regardless of which address the connection was made with.
3825 */
3826 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
3827
3628 /* Lookup the identity address from the stored connection 3828 /* Lookup the identity address from the stored connection
3629 * address and address type. 3829 * address and address type.
3630 * 3830 *
@@ -3641,11 +3841,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3641 } 3841 }
3642 3842
3643 if (ev->status) { 3843 if (ev->status) {
3644 mgmt_connect_failed(hdev, &conn->dst, conn->type, 3844 hci_le_conn_failed(conn, ev->status);
3645 conn->dst_type, ev->status);
3646 hci_proto_connect_cfm(conn, ev->status);
3647 conn->state = BT_CLOSED;
3648 hci_conn_del(conn);
3649 goto unlock; 3845 goto unlock;
3650 } 3846 }
3651 3847
@@ -3664,25 +3860,73 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3664 3860
3665 hci_proto_connect_cfm(conn, ev->status); 3861 hci_proto_connect_cfm(conn, ev->status);
3666 3862
3863 hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type);
3864
3667unlock: 3865unlock:
3668 hci_dev_unlock(hdev); 3866 hci_dev_unlock(hdev);
3669} 3867}
3670 3868
3869/* This function requires the caller holds hdev->lock */
3870static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3871 u8 addr_type)
3872{
3873 struct hci_conn *conn;
3874 struct smp_irk *irk;
3875
3876 /* If this is a resolvable address, we should resolve it and then
3877 * update address and address type variables.
3878 */
3879 irk = hci_get_irk(hdev, addr, addr_type);
3880 if (irk) {
3881 addr = &irk->bdaddr;
3882 addr_type = irk->addr_type;
3883 }
3884
3885 if (!hci_pend_le_conn_lookup(hdev, addr, addr_type))
3886 return;
3887
3888 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
3889 HCI_AT_NO_BONDING);
3890 if (!IS_ERR(conn))
3891 return;
3892
3893 switch (PTR_ERR(conn)) {
3894 case -EBUSY:
3895 /* If hci_connect() returns -EBUSY it means there is already
3896 * an LE connection attempt going on. Since controllers don't
3897 * support more than one connection attempt at the time, we
3898 * don't consider this an error case.
3899 */
3900 break;
3901 default:
3902 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
3903 }
3904}
3905
3671static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 3906static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3672{ 3907{
3673 u8 num_reports = skb->data[0]; 3908 u8 num_reports = skb->data[0];
3674 void *ptr = &skb->data[1]; 3909 void *ptr = &skb->data[1];
3675 s8 rssi; 3910 s8 rssi;
3676 3911
3912 hci_dev_lock(hdev);
3913
3677 while (num_reports--) { 3914 while (num_reports--) {
3678 struct hci_ev_le_advertising_info *ev = ptr; 3915 struct hci_ev_le_advertising_info *ev = ptr;
3679 3916
3917 if (ev->evt_type == LE_ADV_IND ||
3918 ev->evt_type == LE_ADV_DIRECT_IND)
3919 check_pending_le_conn(hdev, &ev->bdaddr,
3920 ev->bdaddr_type);
3921
3680 rssi = ev->data[ev->length]; 3922 rssi = ev->data[ev->length];
3681 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type, 3923 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type,
3682 NULL, rssi, 0, 1, ev->data, ev->length); 3924 NULL, rssi, 0, 1, ev->data, ev->length);
3683 3925
3684 ptr += sizeof(*ev) + ev->length + 1; 3926 ptr += sizeof(*ev) + ev->length + 1;
3685 } 3927 }
3928
3929 hci_dev_unlock(hdev);
3686} 3930}
3687 3931
3688static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3932static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -3701,7 +3945,7 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3701 if (conn == NULL) 3945 if (conn == NULL)
3702 goto not_found; 3946 goto not_found;
3703 3947
3704 ltk = hci_find_ltk(hdev, ev->ediv, ev->random, conn->out); 3948 ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out);
3705 if (ltk == NULL) 3949 if (ltk == NULL)
3706 goto not_found; 3950 goto not_found;
3707 3951
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 6ace116f3b39..9ed2168fa59f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2434,6 +2434,14 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2434 if (IS_ERR(skb)) 2434 if (IS_ERR(skb))
2435 return PTR_ERR(skb); 2435 return PTR_ERR(skb);
2436 2436
2437 /* Channel lock is released before requesting new skb and then
2438 * reacquired thus we need to recheck channel state.
2439 */
2440 if (chan->state != BT_CONNECTED) {
2441 kfree_skb(skb);
2442 return -ENOTCONN;
2443 }
2444
2437 l2cap_do_send(chan, skb); 2445 l2cap_do_send(chan, skb);
2438 return len; 2446 return len;
2439 } 2447 }
@@ -2483,6 +2491,14 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2483 if (IS_ERR(skb)) 2491 if (IS_ERR(skb))
2484 return PTR_ERR(skb); 2492 return PTR_ERR(skb);
2485 2493
2494 /* Channel lock is released before requesting new skb and then
2495 * reacquired thus we need to recheck channel state.
2496 */
2497 if (chan->state != BT_CONNECTED) {
2498 kfree_skb(skb);
2499 return -ENOTCONN;
2500 }
2501
2486 l2cap_do_send(chan, skb); 2502 l2cap_do_send(chan, skb);
2487 err = len; 2503 err = len;
2488 break; 2504 break;
@@ -7092,12 +7108,19 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7092 7108
7093 auth_type = l2cap_get_auth_type(chan); 7109 auth_type = l2cap_get_auth_type(chan);
7094 7110
7095 if (bdaddr_type_is_le(dst_type)) 7111 if (bdaddr_type_is_le(dst_type)) {
7096 hcon = hci_connect(hdev, LE_LINK, dst, dst_type, 7112 /* Convert from L2CAP channel address type to HCI address type
7097 chan->sec_level, auth_type); 7113 */
7098 else 7114 if (dst_type == BDADDR_LE_PUBLIC)
7099 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type, 7115 dst_type = ADDR_LE_DEV_PUBLIC;
7100 chan->sec_level, auth_type); 7116 else
7117 dst_type = ADDR_LE_DEV_RANDOM;
7118
7119 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7120 auth_type);
7121 } else {
7122 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7123 }
7101 7124
7102 if (IS_ERR(hcon)) { 7125 if (IS_ERR(hcon)) {
7103 err = PTR_ERR(hcon); 7126 err = PTR_ERR(hcon);
@@ -7251,7 +7274,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7251 7274
7252 if (hcon->type == LE_LINK) { 7275 if (hcon->type == LE_LINK) {
7253 if (!status && encrypt) 7276 if (!status && encrypt)
7254 smp_distribute_keys(conn, 0); 7277 smp_distribute_keys(conn);
7255 cancel_delayed_work(&conn->security_timer); 7278 cancel_delayed_work(&conn->security_timer);
7256 } 7279 }
7257 7280
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 12fa6399c796..98e9df3556e7 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -81,6 +81,7 @@ static const u16 mgmt_commands[] = {
81 MGMT_OP_SET_SCAN_PARAMS, 81 MGMT_OP_SET_SCAN_PARAMS,
82 MGMT_OP_SET_SECURE_CONN, 82 MGMT_OP_SET_SECURE_CONN,
83 MGMT_OP_SET_DEBUG_KEYS, 83 MGMT_OP_SET_DEBUG_KEYS,
84 MGMT_OP_SET_PRIVACY,
84 MGMT_OP_LOAD_IRKS, 85 MGMT_OP_LOAD_IRKS,
85}; 86};
86 87
@@ -106,6 +107,7 @@ static const u16 mgmt_events[] = {
106 MGMT_EV_DEVICE_UNBLOCKED, 107 MGMT_EV_DEVICE_UNBLOCKED,
107 MGMT_EV_DEVICE_UNPAIRED, 108 MGMT_EV_DEVICE_UNPAIRED,
108 MGMT_EV_PASSKEY_NOTIFY, 109 MGMT_EV_PASSKEY_NOTIFY,
110 MGMT_EV_NEW_IRK,
109}; 111};
110 112
111#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000) 113#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000)
@@ -389,6 +391,7 @@ static u32 get_supported_settings(struct hci_dev *hdev)
389 if (lmp_le_capable(hdev)) { 391 if (lmp_le_capable(hdev)) {
390 settings |= MGMT_SETTING_LE; 392 settings |= MGMT_SETTING_LE;
391 settings |= MGMT_SETTING_ADVERTISING; 393 settings |= MGMT_SETTING_ADVERTISING;
394 settings |= MGMT_SETTING_PRIVACY;
392 } 395 }
393 396
394 return settings; 397 return settings;
@@ -437,6 +440,9 @@ static u32 get_current_settings(struct hci_dev *hdev)
437 if (test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags)) 440 if (test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags))
438 settings |= MGMT_SETTING_DEBUG_KEYS; 441 settings |= MGMT_SETTING_DEBUG_KEYS;
439 442
443 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
444 settings |= MGMT_SETTING_PRIVACY;
445
440 return settings; 446 return settings;
441} 447}
442 448
@@ -811,6 +817,64 @@ static void update_class(struct hci_request *req)
811 hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod); 817 hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
812} 818}
813 819
820static bool get_connectable(struct hci_dev *hdev)
821{
822 struct pending_cmd *cmd;
823
824 /* If there's a pending mgmt command the flag will not yet have
825 * it's final value, so check for this first.
826 */
827 cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
828 if (cmd) {
829 struct mgmt_mode *cp = cmd->param;
830 return cp->val;
831 }
832
833 return test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
834}
835
836static void enable_advertising(struct hci_request *req)
837{
838 struct hci_dev *hdev = req->hdev;
839 struct hci_cp_le_set_adv_param cp;
840 u8 own_addr_type, enable = 0x01;
841 bool connectable;
842
843 /* Clear the HCI_ADVERTISING bit temporarily so that the
844 * hci_update_random_address knows that it's safe to go ahead
845 * and write a new random address. The flag will be set back on
846 * as soon as the SET_ADV_ENABLE HCI command completes.
847 */
848 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
849
850 connectable = get_connectable(hdev);
851
852 /* Set require_privacy to true only when non-connectable
853 * advertising is used. In that case it is fine to use a
854 * non-resolvable private address.
855 */
856 if (hci_update_random_address(req, !connectable, &own_addr_type) < 0)
857 return;
858
859 memset(&cp, 0, sizeof(cp));
860 cp.min_interval = __constant_cpu_to_le16(0x0800);
861 cp.max_interval = __constant_cpu_to_le16(0x0800);
862 cp.type = connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
863 cp.own_address_type = own_addr_type;
864 cp.channel_map = hdev->le_adv_channel_map;
865
866 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
867
868 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
869}
870
871static void disable_advertising(struct hci_request *req)
872{
873 u8 enable = 0x00;
874
875 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
876}
877
814static void service_cache_off(struct work_struct *work) 878static void service_cache_off(struct work_struct *work)
815{ 879{
816 struct hci_dev *hdev = container_of(work, struct hci_dev, 880 struct hci_dev *hdev = container_of(work, struct hci_dev,
@@ -832,12 +896,39 @@ static void service_cache_off(struct work_struct *work)
832 hci_req_run(&req, NULL); 896 hci_req_run(&req, NULL);
833} 897}
834 898
899static void rpa_expired(struct work_struct *work)
900{
901 struct hci_dev *hdev = container_of(work, struct hci_dev,
902 rpa_expired.work);
903 struct hci_request req;
904
905 BT_DBG("");
906
907 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
908
909 if (!test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
910 hci_conn_num(hdev, LE_LINK) > 0)
911 return;
912
913 /* The generation of a new RPA and programming it into the
914 * controller happens in the enable_advertising() function.
915 */
916
917 hci_req_init(&req, hdev);
918
919 disable_advertising(&req);
920 enable_advertising(&req);
921
922 hci_req_run(&req, NULL);
923}
924
835static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev) 925static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
836{ 926{
837 if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags)) 927 if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags))
838 return; 928 return;
839 929
840 INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off); 930 INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
931 INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
841 932
842 /* Non-mgmt controlled devices get this bit set 933 /* Non-mgmt controlled devices get this bit set
843 * implicitly so that pairing works for them, however 934 * implicitly so that pairing works for them, however
@@ -943,6 +1034,71 @@ static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
943 sizeof(settings)); 1034 sizeof(settings));
944} 1035}
945 1036
1037static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
1038{
1039 BT_DBG("%s status 0x%02x", hdev->name, status);
1040
1041 if (hci_conn_count(hdev) == 0) {
1042 cancel_delayed_work(&hdev->power_off);
1043 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1044 }
1045}
1046
1047static int clean_up_hci_state(struct hci_dev *hdev)
1048{
1049 struct hci_request req;
1050 struct hci_conn *conn;
1051
1052 hci_req_init(&req, hdev);
1053
1054 if (test_bit(HCI_ISCAN, &hdev->flags) ||
1055 test_bit(HCI_PSCAN, &hdev->flags)) {
1056 u8 scan = 0x00;
1057 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1058 }
1059
1060 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1061 disable_advertising(&req);
1062
1063 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
1064 hci_req_add_le_scan_disable(&req);
1065 }
1066
1067 list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1068 struct hci_cp_disconnect dc;
1069 struct hci_cp_reject_conn_req rej;
1070
1071 switch (conn->state) {
1072 case BT_CONNECTED:
1073 case BT_CONFIG:
1074 dc.handle = cpu_to_le16(conn->handle);
1075 dc.reason = 0x15; /* Terminated due to Power Off */
1076 hci_req_add(&req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
1077 break;
1078 case BT_CONNECT:
1079 if (conn->type == LE_LINK)
1080 hci_req_add(&req, HCI_OP_LE_CREATE_CONN_CANCEL,
1081 0, NULL);
1082 else if (conn->type == ACL_LINK)
1083 hci_req_add(&req, HCI_OP_CREATE_CONN_CANCEL,
1084 6, &conn->dst);
1085 break;
1086 case BT_CONNECT2:
1087 bacpy(&rej.bdaddr, &conn->dst);
1088 rej.reason = 0x15; /* Terminated due to Power Off */
1089 if (conn->type == ACL_LINK)
1090 hci_req_add(&req, HCI_OP_REJECT_CONN_REQ,
1091 sizeof(rej), &rej);
1092 else if (conn->type == SCO_LINK)
1093 hci_req_add(&req, HCI_OP_REJECT_SYNC_CONN_REQ,
1094 sizeof(rej), &rej);
1095 break;
1096 }
1097 }
1098
1099 return hci_req_run(&req, clean_up_hci_complete);
1100}
1101
946static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, 1102static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
947 u16 len) 1103 u16 len)
948{ 1104{
@@ -986,12 +1142,23 @@ static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
986 goto failed; 1142 goto failed;
987 } 1143 }
988 1144
989 if (cp->val) 1145 if (cp->val) {
990 queue_work(hdev->req_workqueue, &hdev->power_on); 1146 queue_work(hdev->req_workqueue, &hdev->power_on);
991 else 1147 err = 0;
992 queue_work(hdev->req_workqueue, &hdev->power_off.work); 1148 } else {
993 1149 /* Disconnect connections, stop scans, etc */
994 err = 0; 1150 err = clean_up_hci_state(hdev);
1151 if (!err)
1152 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1153 HCI_POWER_OFF_TIMEOUT);
1154
1155 /* ENODATA means there were no HCI commands queued */
1156 if (err == -ENODATA) {
1157 cancel_delayed_work(&hdev->power_off);
1158 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1159 err = 0;
1160 }
1161 }
995 1162
996failed: 1163failed:
997 hci_dev_unlock(hdev); 1164 hci_dev_unlock(hdev);
@@ -1344,50 +1511,6 @@ static void write_fast_connectable(struct hci_request *req, bool enable)
1344 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type); 1511 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);
1345} 1512}
1346 1513
1347static u8 get_adv_type(struct hci_dev *hdev)
1348{
1349 struct pending_cmd *cmd;
1350 bool connectable;
1351
1352 /* If there's a pending mgmt command the flag will not yet have
1353 * it's final value, so check for this first.
1354 */
1355 cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1356 if (cmd) {
1357 struct mgmt_mode *cp = cmd->param;
1358 connectable = !!cp->val;
1359 } else {
1360 connectable = test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1361 }
1362
1363 return connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
1364}
1365
1366static void enable_advertising(struct hci_request *req)
1367{
1368 struct hci_dev *hdev = req->hdev;
1369 struct hci_cp_le_set_adv_param cp;
1370 u8 enable = 0x01;
1371
1372 memset(&cp, 0, sizeof(cp));
1373 cp.min_interval = __constant_cpu_to_le16(0x0800);
1374 cp.max_interval = __constant_cpu_to_le16(0x0800);
1375 cp.type = get_adv_type(hdev);
1376 cp.own_address_type = hdev->own_addr_type;
1377 cp.channel_map = hdev->le_adv_channel_map;
1378
1379 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
1380
1381 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1382}
1383
1384static void disable_advertising(struct hci_request *req)
1385{
1386 u8 enable = 0x00;
1387
1388 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1389}
1390
1391static void set_connectable_complete(struct hci_dev *hdev, u8 status) 1514static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1392{ 1515{
1393 struct pending_cmd *cmd; 1516 struct pending_cmd *cmd;
@@ -2330,6 +2453,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2330 2453
2331 hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); 2454 hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2332 2455
2456 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2457
2333 err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); 2458 err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2334 } 2459 }
2335 2460
@@ -2729,12 +2854,22 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2729 else 2854 else
2730 auth_type = HCI_AT_DEDICATED_BONDING_MITM; 2855 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2731 2856
2732 if (cp->addr.type == BDADDR_BREDR) 2857 if (cp->addr.type == BDADDR_BREDR) {
2733 conn = hci_connect(hdev, ACL_LINK, &cp->addr.bdaddr, 2858 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2734 cp->addr.type, sec_level, auth_type); 2859 auth_type);
2735 else 2860 } else {
2736 conn = hci_connect(hdev, LE_LINK, &cp->addr.bdaddr, 2861 u8 addr_type;
2737 cp->addr.type, sec_level, auth_type); 2862
2863 /* Convert from L2CAP channel address type to HCI address type
2864 */
2865 if (cp->addr.type == BDADDR_LE_PUBLIC)
2866 addr_type = ADDR_LE_DEV_PUBLIC;
2867 else
2868 addr_type = ADDR_LE_DEV_RANDOM;
2869
2870 conn = hci_connect_le(hdev, &cp->addr.bdaddr, addr_type,
2871 sec_level, auth_type);
2872 }
2738 2873
2739 if (IS_ERR(conn)) { 2874 if (IS_ERR(conn)) {
2740 int status; 2875 int status;
@@ -3258,7 +3393,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3258 struct hci_request req; 3393 struct hci_request req;
3259 /* General inquiry access code (GIAC) */ 3394 /* General inquiry access code (GIAC) */
3260 u8 lap[3] = { 0x33, 0x8b, 0x9e }; 3395 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3261 u8 status; 3396 u8 status, own_addr_type;
3262 int err; 3397 int err;
3263 3398
3264 BT_DBG("%s", hdev->name); 3399 BT_DBG("%s", hdev->name);
@@ -3343,18 +3478,31 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3343 goto failed; 3478 goto failed;
3344 } 3479 }
3345 3480
3346 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) { 3481 /* If controller is scanning, it means the background scanning
3482 * is running. Thus, we should temporarily stop it in order to
3483 * set the discovery scanning parameters.
3484 */
3485 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
3486 hci_req_add_le_scan_disable(&req);
3487
3488 memset(&param_cp, 0, sizeof(param_cp));
3489
3490 /* All active scans will be done with either a resolvable
3491 * private address (when privacy feature has been enabled)
3492 * or unresolvable private address.
3493 */
3494 err = hci_update_random_address(&req, true, &own_addr_type);
3495 if (err < 0) {
3347 err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY, 3496 err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3348 MGMT_STATUS_BUSY); 3497 MGMT_STATUS_FAILED);
3349 mgmt_pending_remove(cmd); 3498 mgmt_pending_remove(cmd);
3350 goto failed; 3499 goto failed;
3351 } 3500 }
3352 3501
3353 memset(&param_cp, 0, sizeof(param_cp));
3354 param_cp.type = LE_SCAN_ACTIVE; 3502 param_cp.type = LE_SCAN_ACTIVE;
3355 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT); 3503 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3356 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN); 3504 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3357 param_cp.own_address_type = hdev->own_addr_type; 3505 param_cp.own_address_type = own_addr_type;
3358 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp), 3506 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3359 &param_cp); 3507 &param_cp);
3360 3508
@@ -3424,7 +3572,6 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3424 struct hci_cp_remote_name_req_cancel cp; 3572 struct hci_cp_remote_name_req_cancel cp;
3425 struct inquiry_entry *e; 3573 struct inquiry_entry *e;
3426 struct hci_request req; 3574 struct hci_request req;
3427 struct hci_cp_le_set_scan_enable enable_cp;
3428 int err; 3575 int err;
3429 3576
3430 BT_DBG("%s", hdev->name); 3577 BT_DBG("%s", hdev->name);
@@ -3460,10 +3607,7 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3460 } else { 3607 } else {
3461 cancel_delayed_work(&hdev->le_scan_disable); 3608 cancel_delayed_work(&hdev->le_scan_disable);
3462 3609
3463 memset(&enable_cp, 0, sizeof(enable_cp)); 3610 hci_req_add_le_scan_disable(&req);
3464 enable_cp.enable = LE_SCAN_DISABLE;
3465 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE,
3466 sizeof(enable_cp), &enable_cp);
3467 } 3611 }
3468 3612
3469 break; 3613 break;
@@ -3520,15 +3664,17 @@ static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
3520 hci_dev_lock(hdev); 3664 hci_dev_lock(hdev);
3521 3665
3522 if (!hci_discovery_active(hdev)) { 3666 if (!hci_discovery_active(hdev)) {
3523 err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 3667 err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3524 MGMT_STATUS_FAILED); 3668 MGMT_STATUS_FAILED, &cp->addr,
3669 sizeof(cp->addr));
3525 goto failed; 3670 goto failed;
3526 } 3671 }
3527 3672
3528 e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr); 3673 e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
3529 if (!e) { 3674 if (!e) {
3530 err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 3675 err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3531 MGMT_STATUS_INVALID_PARAMS); 3676 MGMT_STATUS_INVALID_PARAMS, &cp->addr,
3677 sizeof(cp->addr));
3532 goto failed; 3678 goto failed;
3533 } 3679 }
3534 3680
@@ -3817,6 +3963,21 @@ static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
3817 3963
3818 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0, NULL, 0); 3964 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0, NULL, 0);
3819 3965
3966 /* If background scan is running, restart it so new parameters are
3967 * loaded.
3968 */
3969 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
3970 hdev->discovery.state == DISCOVERY_STOPPED) {
3971 struct hci_request req;
3972
3973 hci_req_init(&req, hdev);
3974
3975 hci_req_add_le_scan_disable(&req);
3976 hci_req_add_le_passive_scan(&req);
3977
3978 hci_req_run(&req, NULL);
3979 }
3980
3820 hci_dev_unlock(hdev); 3981 hci_dev_unlock(hdev);
3821 3982
3822 return err; 3983 return err;
@@ -4182,6 +4343,56 @@ unlock:
4182 return err; 4343 return err;
4183} 4344}
4184 4345
4346static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4347 u16 len)
4348{
4349 struct mgmt_cp_set_privacy *cp = cp_data;
4350 bool changed;
4351 int err;
4352
4353 BT_DBG("request for %s", hdev->name);
4354
4355 if (!lmp_le_capable(hdev))
4356 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4357 MGMT_STATUS_NOT_SUPPORTED);
4358
4359 if (cp->privacy != 0x00 && cp->privacy != 0x01)
4360 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4361 MGMT_STATUS_INVALID_PARAMS);
4362
4363 if (hdev_is_powered(hdev))
4364 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4365 MGMT_STATUS_REJECTED);
4366
4367 hci_dev_lock(hdev);
4368
4369 /* If user space supports this command it is also expected to
4370 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4371 */
4372 set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4373
4374 if (cp->privacy) {
4375 changed = !test_and_set_bit(HCI_PRIVACY, &hdev->dev_flags);
4376 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4377 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4378 } else {
4379 changed = test_and_clear_bit(HCI_PRIVACY, &hdev->dev_flags);
4380 memset(hdev->irk, 0, sizeof(hdev->irk));
4381 clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4382 }
4383
4384 err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4385 if (err < 0)
4386 goto unlock;
4387
4388 if (changed)
4389 err = new_settings(hdev, sk);
4390
4391unlock:
4392 hci_dev_unlock(hdev);
4393 return err;
4394}
4395
4185static bool irk_is_valid(struct mgmt_irk_info *irk) 4396static bool irk_is_valid(struct mgmt_irk_info *irk)
4186{ 4397{
4187 switch (irk->addr.type) { 4398 switch (irk->addr.type) {
@@ -4396,7 +4607,7 @@ static const struct mgmt_handler {
4396 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE }, 4607 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE },
4397 { set_secure_conn, false, MGMT_SETTING_SIZE }, 4608 { set_secure_conn, false, MGMT_SETTING_SIZE },
4398 { set_debug_keys, false, MGMT_SETTING_SIZE }, 4609 { set_debug_keys, false, MGMT_SETTING_SIZE },
4399 { }, 4610 { set_privacy, false, MGMT_SET_PRIVACY_SIZE },
4400 { load_irks, true, MGMT_LOAD_IRKS_SIZE }, 4611 { load_irks, true, MGMT_LOAD_IRKS_SIZE },
4401}; 4612};
4402 4613
@@ -4514,6 +4725,17 @@ void mgmt_index_removed(struct hci_dev *hdev)
4514 mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL); 4725 mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL);
4515} 4726}
4516 4727
4728/* This function requires the caller holds hdev->lock */
4729static void restart_le_auto_conns(struct hci_dev *hdev)
4730{
4731 struct hci_conn_params *p;
4732
4733 list_for_each_entry(p, &hdev->le_conn_params, list) {
4734 if (p->auto_connect == HCI_AUTO_CONN_ALWAYS)
4735 hci_pend_le_conn_add(hdev, &p->addr, p->addr_type);
4736 }
4737}
4738
4517static void powered_complete(struct hci_dev *hdev, u8 status) 4739static void powered_complete(struct hci_dev *hdev, u8 status)
4518{ 4740{
4519 struct cmd_lookup match = { NULL, hdev }; 4741 struct cmd_lookup match = { NULL, hdev };
@@ -4522,6 +4744,8 @@ static void powered_complete(struct hci_dev *hdev, u8 status)
4522 4744
4523 hci_dev_lock(hdev); 4745 hci_dev_lock(hdev);
4524 4746
4747 restart_le_auto_conns(hdev);
4748
4525 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); 4749 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
4526 4750
4527 new_settings(hdev, match.sk); 4751 new_settings(hdev, match.sk);
@@ -4563,11 +4787,6 @@ static int powered_update_hci(struct hci_dev *hdev)
4563 } 4787 }
4564 4788
4565 if (lmp_le_capable(hdev)) { 4789 if (lmp_le_capable(hdev)) {
4566 /* Set random address to static address if configured */
4567 if (bacmp(&hdev->static_addr, BDADDR_ANY))
4568 hci_req_add(&req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
4569 &hdev->static_addr);
4570
4571 /* Make sure the controller has a good default for 4790 /* Make sure the controller has a good default for
4572 * advertising data. This also applies to the case 4791 * advertising data. This also applies to the case
4573 * where BR/EDR was toggled during the AUTO_OFF phase. 4792 * where BR/EDR was toggled during the AUTO_OFF phase.
@@ -4693,6 +4912,10 @@ void mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
4693 if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) 4912 if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
4694 return; 4913 return;
4695 4914
4915 /* Powering off may clear the scan mode - don't let that interfere */
4916 if (!discoverable && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4917 return;
4918
4696 if (discoverable) { 4919 if (discoverable) {
4697 changed = !test_and_set_bit(HCI_DISCOVERABLE, &hdev->dev_flags); 4920 changed = !test_and_set_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
4698 } else { 4921 } else {
@@ -4726,6 +4949,10 @@ void mgmt_connectable(struct hci_dev *hdev, u8 connectable)
4726 if (mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) 4949 if (mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
4727 return; 4950 return;
4728 4951
4952 /* Powering off may clear the scan mode - don't let that interfere */
4953 if (!connectable && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4954 return;
4955
4729 if (connectable) 4956 if (connectable)
4730 changed = !test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags); 4957 changed = !test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
4731 else 4958 else
@@ -4735,6 +4962,18 @@ void mgmt_connectable(struct hci_dev *hdev, u8 connectable)
4735 new_settings(hdev, NULL); 4962 new_settings(hdev, NULL);
4736} 4963}
4737 4964
4965void mgmt_advertising(struct hci_dev *hdev, u8 advertising)
4966{
4967 /* Powering off may stop advertising - don't let that interfere */
4968 if (!advertising && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4969 return;
4970
4971 if (advertising)
4972 set_bit(HCI_ADVERTISING, &hdev->dev_flags);
4973 else
4974 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
4975}
4976
4738void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status) 4977void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status)
4739{ 4978{
4740 u8 mgmt_err = mgmt_status(status); 4979 u8 mgmt_err = mgmt_status(status);
@@ -4793,11 +5032,11 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key)
4793 ev.key.type = key->authenticated; 5032 ev.key.type = key->authenticated;
4794 ev.key.enc_size = key->enc_size; 5033 ev.key.enc_size = key->enc_size;
4795 ev.key.ediv = key->ediv; 5034 ev.key.ediv = key->ediv;
5035 ev.key.rand = key->rand;
4796 5036
4797 if (key->type == HCI_SMP_LTK) 5037 if (key->type == HCI_SMP_LTK)
4798 ev.key.master = 1; 5038 ev.key.master = 1;
4799 5039
4800 memcpy(ev.key.rand, key->rand, sizeof(key->rand));
4801 memcpy(ev.key.val, key->val, sizeof(key->val)); 5040 memcpy(ev.key.val, key->val, sizeof(key->val));
4802 5041
4803 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL); 5042 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
@@ -4907,11 +5146,29 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
4907} 5146}
4908 5147
4909void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, 5148void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
4910 u8 link_type, u8 addr_type, u8 reason) 5149 u8 link_type, u8 addr_type, u8 reason,
5150 bool mgmt_connected)
4911{ 5151{
4912 struct mgmt_ev_device_disconnected ev; 5152 struct mgmt_ev_device_disconnected ev;
5153 struct pending_cmd *power_off;
4913 struct sock *sk = NULL; 5154 struct sock *sk = NULL;
4914 5155
5156 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
5157 if (power_off) {
5158 struct mgmt_mode *cp = power_off->param;
5159
5160 /* The connection is still in hci_conn_hash so test for 1
5161 * instead of 0 to know if this is the last one.
5162 */
5163 if (!cp->val && hci_conn_count(hdev) == 1) {
5164 cancel_delayed_work(&hdev->power_off);
5165 queue_work(hdev->req_workqueue, &hdev->power_off.work);
5166 }
5167 }
5168
5169 if (!mgmt_connected)
5170 return;
5171
4915 if (link_type != ACL_LINK && link_type != LE_LINK) 5172 if (link_type != ACL_LINK && link_type != LE_LINK)
4916 return; 5173 return;
4917 5174
@@ -4966,6 +5223,20 @@ void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
4966 u8 addr_type, u8 status) 5223 u8 addr_type, u8 status)
4967{ 5224{
4968 struct mgmt_ev_connect_failed ev; 5225 struct mgmt_ev_connect_failed ev;
5226 struct pending_cmd *power_off;
5227
5228 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
5229 if (power_off) {
5230 struct mgmt_mode *cp = power_off->param;
5231
5232 /* The connection is still in hci_conn_hash so test for 1
5233 * instead of 0 to know if this is the last one.
5234 */
5235 if (!cp->val && hci_conn_count(hdev) == 1) {
5236 cancel_delayed_work(&hdev->power_off);
5237 queue_work(hdev->req_workqueue, &hdev->power_off.work);
5238 }
5239 }
4969 5240
4970 bacpy(&ev.addr.bdaddr, bdaddr); 5241 bacpy(&ev.addr.bdaddr, bdaddr);
4971 ev.addr.type = link_to_bdaddr(link_type, addr_type); 5242 ev.addr.type = link_to_bdaddr(link_type, addr_type);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index f06068072bdd..f886bcae1b7e 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -124,6 +124,24 @@ bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
124 return !memcmp(bdaddr->b, hash, 3); 124 return !memcmp(bdaddr->b, hash, 3);
125} 125}
126 126
127int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
128{
129 int err;
130
131 get_random_bytes(&rpa->b[3], 3);
132
133 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
134 rpa->b[5] |= 0x40; /* Set second most significant bit */
135
136 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
137 if (err < 0)
138 return err;
139
140 BT_DBG("RPA %pMR", rpa);
141
142 return 0;
143}
144
127static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16], 145static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
128 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, 146 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
129 u8 _rat, bdaddr_t *ra, u8 res[16]) 147 u8 _rat, bdaddr_t *ra, u8 res[16])
@@ -265,6 +283,9 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
265 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags)) 283 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
266 remote_dist |= SMP_DIST_ID_KEY; 284 remote_dist |= SMP_DIST_ID_KEY;
267 285
286 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
287 local_dist |= SMP_DIST_ID_KEY;
288
268 if (rsp == NULL) { 289 if (rsp == NULL) {
269 req->io_capability = conn->hcon->io_capability; 290 req->io_capability = conn->hcon->io_capability;
270 req->oob_flag = SMP_OOB_NOT_PRESENT; 291 req->oob_flag = SMP_OOB_NOT_PRESENT;
@@ -424,14 +445,9 @@ static void confirm_work(struct work_struct *work)
424 /* Prevent mutual access to hdev->tfm_aes */ 445 /* Prevent mutual access to hdev->tfm_aes */
425 hci_dev_lock(hdev); 446 hci_dev_lock(hdev);
426 447
427 if (conn->hcon->out) 448 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
428 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp, 449 conn->hcon->init_addr_type, &conn->hcon->init_addr,
429 conn->hcon->src_type, &conn->hcon->src, 450 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, res);
430 conn->hcon->dst_type, &conn->hcon->dst, res);
431 else
432 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
433 conn->hcon->dst_type, &conn->hcon->dst,
434 conn->hcon->src_type, &conn->hcon->src, res);
435 451
436 hci_dev_unlock(hdev); 452 hci_dev_unlock(hdev);
437 453
@@ -471,14 +487,9 @@ static void random_work(struct work_struct *work)
471 /* Prevent mutual access to hdev->tfm_aes */ 487 /* Prevent mutual access to hdev->tfm_aes */
472 hci_dev_lock(hdev); 488 hci_dev_lock(hdev);
473 489
474 if (hcon->out) 490 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
475 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 491 hcon->init_addr_type, &hcon->init_addr,
476 hcon->src_type, &hcon->src, 492 hcon->resp_addr_type, &hcon->resp_addr, res);
477 hcon->dst_type, &hcon->dst, res);
478 else
479 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
480 hcon->dst_type, &hcon->dst,
481 hcon->src_type, &hcon->src, res);
482 493
483 hci_dev_unlock(hdev); 494 hci_dev_unlock(hdev);
484 495
@@ -496,11 +507,9 @@ static void random_work(struct work_struct *work)
496 } 507 }
497 508
498 if (hcon->out) { 509 if (hcon->out) {
499 u8 stk[16], rand[8]; 510 u8 stk[16];
500 __le16 ediv; 511 __le64 rand = 0;
501 512 __le16 ediv = 0;
502 memset(rand, 0, sizeof(rand));
503 ediv = 0;
504 513
505 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, key); 514 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, key);
506 swap128(key, stk); 515 swap128(key, stk);
@@ -516,11 +525,9 @@ static void random_work(struct work_struct *work)
516 hci_le_start_enc(hcon, ediv, rand, stk); 525 hci_le_start_enc(hcon, ediv, rand, stk);
517 hcon->enc_key_size = smp->enc_key_size; 526 hcon->enc_key_size = smp->enc_key_size;
518 } else { 527 } else {
519 u8 stk[16], r[16], rand[8]; 528 u8 stk[16], r[16];
520 __le16 ediv; 529 __le64 rand = 0;
521 530 __le16 ediv = 0;
522 memset(rand, 0, sizeof(rand));
523 ediv = 0;
524 531
525 swap128(smp->prnd, r); 532 swap128(smp->prnd, r);
526 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r); 533 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
@@ -542,6 +549,20 @@ error:
542 smp_failure(conn, reason); 549 smp_failure(conn, reason);
543} 550}
544 551
552static void smp_reencrypt(struct work_struct *work)
553{
554 struct smp_chan *smp = container_of(work, struct smp_chan,
555 reencrypt.work);
556 struct l2cap_conn *conn = smp->conn;
557 struct hci_conn *hcon = conn->hcon;
558 struct smp_ltk *ltk = smp->ltk;
559
560 BT_DBG("");
561
562 hci_le_start_enc(hcon, ltk->ediv, ltk->rand, ltk->val);
563 hcon->enc_key_size = ltk->enc_size;
564}
565
545static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 566static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
546{ 567{
547 struct smp_chan *smp; 568 struct smp_chan *smp;
@@ -552,6 +573,7 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
552 573
553 INIT_WORK(&smp->confirm, confirm_work); 574 INIT_WORK(&smp->confirm, confirm_work);
554 INIT_WORK(&smp->random, random_work); 575 INIT_WORK(&smp->random, random_work);
576 INIT_DELAYED_WORK(&smp->reencrypt, smp_reencrypt);
555 577
556 smp->conn = conn; 578 smp->conn = conn;
557 conn->smp_chan = smp; 579 conn->smp_chan = smp;
@@ -569,9 +591,29 @@ void smp_chan_destroy(struct l2cap_conn *conn)
569 591
570 BUG_ON(!smp); 592 BUG_ON(!smp);
571 593
594 cancel_delayed_work_sync(&smp->reencrypt);
595
572 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 596 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
573 mgmt_smp_complete(conn->hcon, complete); 597 mgmt_smp_complete(conn->hcon, complete);
574 598
599 /* If pairing failed clean up any keys we might have */
600 if (!complete) {
601 if (smp->ltk) {
602 list_del(&smp->ltk->list);
603 kfree(smp->ltk);
604 }
605
606 if (smp->slave_ltk) {
607 list_del(&smp->slave_ltk->list);
608 kfree(smp->slave_ltk);
609 }
610
611 if (smp->remote_irk) {
612 list_del(&smp->remote_irk->list);
613 kfree(smp->remote_irk);
614 }
615 }
616
575 kfree(smp); 617 kfree(smp);
576 conn->smp_chan = NULL; 618 conn->smp_chan = NULL;
577 conn->hcon->smp_conn = NULL; 619 conn->hcon->smp_conn = NULL;
@@ -927,6 +969,9 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
927 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY)) 969 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
928 return 0; 970 return 0;
929 971
972 /* Mark the information as received */
973 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
974
930 skb_pull(skb, sizeof(*rp)); 975 skb_pull(skb, sizeof(*rp));
931 976
932 hci_dev_lock(hdev); 977 hci_dev_lock(hdev);
@@ -936,7 +981,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
936 rp->ediv, rp->rand); 981 rp->ediv, rp->rand);
937 smp->ltk = ltk; 982 smp->ltk = ltk;
938 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 983 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
939 smp_distribute_keys(conn, 1); 984 smp_distribute_keys(conn);
940 hci_dev_unlock(hdev); 985 hci_dev_unlock(hdev);
941 986
942 return 0; 987 return 0;
@@ -980,8 +1025,24 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
980 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1025 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
981 return 0; 1026 return 0;
982 1027
1028 /* Mark the information as received */
1029 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1030
983 skb_pull(skb, sizeof(*info)); 1031 skb_pull(skb, sizeof(*info));
984 1032
1033 /* Strictly speaking the Core Specification (4.1) allows sending
1034 * an empty address which would force us to rely on just the IRK
1035 * as "identity information". However, since such
1036 * implementations are not known of and in order to not over
1037 * complicate our implementation, simply pretend that we never
1038 * received an IRK for such a device.
1039 */
1040 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1041 BT_ERR("Ignoring IRK with no identity address");
1042 smp_distribute_keys(conn);
1043 return 0;
1044 }
1045
985 bacpy(&smp->id_addr, &info->bdaddr); 1046 bacpy(&smp->id_addr, &info->bdaddr);
986 smp->id_addr_type = info->addr_type; 1047 smp->id_addr_type = info->addr_type;
987 1048
@@ -999,7 +1060,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
999 1060
1000 l2cap_conn_update_id_addr(hcon); 1061 l2cap_conn_update_id_addr(hcon);
1001 1062
1002 smp_distribute_keys(conn, 1); 1063 smp_distribute_keys(conn);
1003 1064
1004 return 0; 1065 return 0;
1005} 1066}
@@ -1128,26 +1189,29 @@ static void smp_notify_keys(struct l2cap_conn *conn)
1128 } 1189 }
1129} 1190}
1130 1191
1131int smp_distribute_keys(struct l2cap_conn *conn, __u8 force) 1192int smp_distribute_keys(struct l2cap_conn *conn)
1132{ 1193{
1133 struct smp_cmd_pairing *req, *rsp; 1194 struct smp_cmd_pairing *req, *rsp;
1134 struct smp_chan *smp = conn->smp_chan; 1195 struct smp_chan *smp = conn->smp_chan;
1196 struct hci_conn *hcon = conn->hcon;
1197 struct hci_dev *hdev = hcon->hdev;
1198 bool ltk_encrypt;
1135 __u8 *keydist; 1199 __u8 *keydist;
1136 1200
1137 BT_DBG("conn %p force %d", conn, force); 1201 BT_DBG("conn %p", conn);
1138 1202
1139 if (!test_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) 1203 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
1140 return 0; 1204 return 0;
1141 1205
1142 rsp = (void *) &smp->prsp[1]; 1206 rsp = (void *) &smp->prsp[1];
1143 1207
1144 /* The responder sends its keys first */ 1208 /* The responder sends its keys first */
1145 if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07)) 1209 if (hcon->out && (smp->remote_key_dist & 0x07))
1146 return 0; 1210 return 0;
1147 1211
1148 req = (void *) &smp->preq[1]; 1212 req = (void *) &smp->preq[1];
1149 1213
1150 if (conn->hcon->out) { 1214 if (hcon->out) {
1151 keydist = &rsp->init_key_dist; 1215 keydist = &rsp->init_key_dist;
1152 *keydist &= req->init_key_dist; 1216 *keydist &= req->init_key_dist;
1153 } else { 1217 } else {
@@ -1160,24 +1224,25 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
1160 if (*keydist & SMP_DIST_ENC_KEY) { 1224 if (*keydist & SMP_DIST_ENC_KEY) {
1161 struct smp_cmd_encrypt_info enc; 1225 struct smp_cmd_encrypt_info enc;
1162 struct smp_cmd_master_ident ident; 1226 struct smp_cmd_master_ident ident;
1163 struct hci_conn *hcon = conn->hcon;
1164 struct smp_ltk *ltk; 1227 struct smp_ltk *ltk;
1165 u8 authenticated; 1228 u8 authenticated;
1166 __le16 ediv; 1229 __le16 ediv;
1230 __le64 rand;
1167 1231
1168 get_random_bytes(enc.ltk, sizeof(enc.ltk)); 1232 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1169 get_random_bytes(&ediv, sizeof(ediv)); 1233 get_random_bytes(&ediv, sizeof(ediv));
1170 get_random_bytes(ident.rand, sizeof(ident.rand)); 1234 get_random_bytes(&rand, sizeof(rand));
1171 1235
1172 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1236 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1173 1237
1174 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1238 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1175 ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1239 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1176 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk, 1240 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
1177 smp->enc_key_size, ediv, ident.rand); 1241 smp->enc_key_size, ediv, rand);
1178 smp->slave_ltk = ltk; 1242 smp->slave_ltk = ltk;
1179 1243
1180 ident.ediv = ediv; 1244 ident.ediv = ediv;
1245 ident.rand = rand;
1181 1246
1182 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1247 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1183 1248
@@ -1188,14 +1253,18 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
1188 struct smp_cmd_ident_addr_info addrinfo; 1253 struct smp_cmd_ident_addr_info addrinfo;
1189 struct smp_cmd_ident_info idinfo; 1254 struct smp_cmd_ident_info idinfo;
1190 1255
1191 /* Send a dummy key */ 1256 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1192 get_random_bytes(idinfo.irk, sizeof(idinfo.irk));
1193 1257
1194 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1258 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1195 1259
1196 /* Just public address */ 1260 /* The hci_conn contains the local identity address
1197 memset(&addrinfo, 0, sizeof(addrinfo)); 1261 * after the connection has been established.
1198 bacpy(&addrinfo.bdaddr, &conn->hcon->src); 1262 *
1263 * This is true even when the connection has been
1264 * established using a resolvable random address.
1265 */
1266 bacpy(&addrinfo.bdaddr, &hcon->src);
1267 addrinfo.addr_type = hcon->src_type;
1199 1268
1200 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1269 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1201 &addrinfo); 1270 &addrinfo);
@@ -1214,8 +1283,31 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
1214 *keydist &= ~SMP_DIST_SIGN; 1283 *keydist &= ~SMP_DIST_SIGN;
1215 } 1284 }
1216 1285
1217 if (conn->hcon->out || force || !(rsp->init_key_dist & 0x07)) { 1286 /* If there are still keys to be received wait for them */
1218 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags); 1287 if ((smp->remote_key_dist & 0x07))
1288 return 0;
1289
1290 /* Check if we should try to re-encrypt the link with the LTK.
1291 * SMP_FLAG_LTK_ENCRYPT flag is used to track whether we've
1292 * already tried this (in which case we shouldn't try again).
1293 *
1294 * The request will trigger an encryption key refresh event
1295 * which will cause a call to auth_cfm and eventually lead to
1296 * l2cap_core.c calling this smp_distribute_keys function again
1297 * and thereby completing the process.
1298 */
1299 if (smp->ltk)
1300 ltk_encrypt = !test_and_set_bit(SMP_FLAG_LTK_ENCRYPT,
1301 &smp->smp_flags);
1302 else
1303 ltk_encrypt = false;
1304
1305 /* Re-encrypt the link with LTK if possible */
1306 if (ltk_encrypt && hcon->out) {
1307 queue_delayed_work(hdev->req_workqueue, &smp->reencrypt,
1308 SMP_REENCRYPT_TIMEOUT);
1309 } else {
1310 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1219 cancel_delayed_work_sync(&conn->security_timer); 1311 cancel_delayed_work_sync(&conn->security_timer);
1220 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 1312 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
1221 smp_notify_keys(conn); 1313 smp_notify_keys(conn);
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index d8cc543f523c..f55d83617218 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -78,7 +78,7 @@ struct smp_cmd_encrypt_info {
78#define SMP_CMD_MASTER_IDENT 0x07 78#define SMP_CMD_MASTER_IDENT 0x07
79struct smp_cmd_master_ident { 79struct smp_cmd_master_ident {
80 __le16 ediv; 80 __le16 ediv;
81 __u8 rand[8]; 81 __le64 rand;
82} __packed; 82} __packed;
83 83
84#define SMP_CMD_IDENT_INFO 0x08 84#define SMP_CMD_IDENT_INFO 0x08
@@ -118,7 +118,10 @@ struct smp_cmd_security_req {
118#define SMP_FLAG_TK_VALID 1 118#define SMP_FLAG_TK_VALID 1
119#define SMP_FLAG_CFM_PENDING 2 119#define SMP_FLAG_CFM_PENDING 2
120#define SMP_FLAG_MITM_AUTH 3 120#define SMP_FLAG_MITM_AUTH 3
121#define SMP_FLAG_COMPLETE 4 121#define SMP_FLAG_LTK_ENCRYPT 4
122#define SMP_FLAG_COMPLETE 5
123
124#define SMP_REENCRYPT_TIMEOUT msecs_to_jiffies(250)
122 125
123struct smp_chan { 126struct smp_chan {
124 struct l2cap_conn *conn; 127 struct l2cap_conn *conn;
@@ -139,18 +142,20 @@ struct smp_chan {
139 unsigned long smp_flags; 142 unsigned long smp_flags;
140 struct work_struct confirm; 143 struct work_struct confirm;
141 struct work_struct random; 144 struct work_struct random;
145 struct delayed_work reencrypt;
142}; 146};
143 147
144/* SMP Commands */ 148/* SMP Commands */
145bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 149bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
146int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 150int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
147int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb); 151int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
148int smp_distribute_keys(struct l2cap_conn *conn, __u8 force); 152int smp_distribute_keys(struct l2cap_conn *conn);
149int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 153int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
150 154
151void smp_chan_destroy(struct l2cap_conn *conn); 155void smp_chan_destroy(struct l2cap_conn *conn);
152 156
153bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16], 157bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
154 bdaddr_t *bdaddr); 158 bdaddr_t *bdaddr);
159int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa);
155 160
156#endif /* __SMP_H */ 161#endif /* __SMP_H */
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-19 12:24:13 -0400