1 files changed, 82 insertions, 38 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index e76c963011e5..1201670afe38 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -31,6 +31,9 @@
 #include "smp.h"
+#define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
+#define SMP_DISALLOW_CMD(smp, code)     clear_bit(code, &smp->allow_cmd)
 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
 #define AUTH_REQ_MASK   0x07
@@ -47,6 +50,7 @@ enum {
 struct smp_chan {
        struct l2cap_conn       *conn;
        struct delayed_work     security_timer;
+        unsigned long           allow_cmd; /* Bitmask of allowed commands */
        u8              preq[7]; /* SMP Pairing Request */
        u8              prsp[7]; /* SMP Pairing Response */
@@ -553,6 +557,11 @@ static u8 smp_confirm(struct smp_chan *smp)
        smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
+        if (conn->hcon->out)
+                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
+        else
+                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
        return 0;
 }
@@ -691,6 +700,20 @@ static void smp_notify_keys(struct l2cap_conn *conn)
        }
 }
+static void smp_allow_key_dist(struct smp_chan *smp)
+{
+        /* Allow the first expected phase 3 PDU. The rest of the PDUs
+         * will be allowed in each PDU handler to ensure we receive
+         * them in the correct order.
+         */
+        if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
+                SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
+        else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
+                SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
+        else if (smp->remote_key_dist & SMP_DIST_SIGN)
+                SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
+}
 static void smp_distribute_keys(struct smp_chan *smp)
 {
        struct smp_cmd_pairing *req, *rsp;
@@ -704,8 +727,10 @@ static void smp_distribute_keys(struct smp_chan *smp)
        rsp = (void *) &smp->prsp[1];
        /* The responder sends its keys first */
-        if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK))
+        if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
+                smp_allow_key_dist(smp);
                return;
+        }
        req = (void *) &smp->preq[1];
@@ -790,8 +815,10 @@ static void smp_distribute_keys(struct smp_chan *smp)
        }
        /* If there are still keys to be received wait for them */
-        if (smp->remote_key_dist & KEY_DIST_MASK)
+        if (smp->remote_key_dist & KEY_DIST_MASK) {
+                smp_allow_key_dist(smp);
                return;
+        }
        set_bit(SMP_FLAG_COMPLETE, &smp->flags);
        smp_notify_keys(conn);
@@ -829,6 +856,8 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
        smp->conn = conn;
        chan->data = smp;
+        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
        INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
        hci_conn_hold(conn->hcon);
@@ -925,6 +954,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
            (req->auth_req & SMP_AUTH_BONDING))
                return SMP_PAIRING_NOTSUPP;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
        smp->preq[0] = SMP_CMD_PAIRING_REQ;
        memcpy(&smp->preq[1], req, sizeof(*req));
        skb_pull(skb, sizeof(*req));
@@ -958,6 +989,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
        smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
+        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
        /* Request setup of TK */
        ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
@@ -983,6 +1015,8 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
        if (conn->hcon->role != HCI_ROLE_MASTER)
                return SMP_CMD_NOTSUPP;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
        skb_pull(skb, sizeof(*rsp));
        req = (void *) &smp->preq[1];
@@ -1040,13 +1074,19 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(smp->pcnf))
                return SMP_INVALID_PARAMS;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
        memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
        skb_pull(skb, sizeof(smp->pcnf));
-        if (conn->hcon->out)
+        if (conn->hcon->out) {
                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
                             smp->prnd);
-        else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
+                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
+                return 0;
+        }
+        if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
                return smp_confirm(smp);
        else
                set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
@@ -1064,6 +1104,8 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(smp->rrnd))
                return SMP_INVALID_PARAMS;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
        memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
        skb_pull(skb, sizeof(smp->rrnd));
@@ -1122,7 +1164,6 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        struct smp_cmd_security_req *rp = (void *) skb->data;
        struct smp_cmd_pairing cp;
        struct hci_conn *hcon = conn->hcon;
-        struct l2cap_chan *chan = conn->smp;
        struct smp_chan *smp;
        u8 sec_level;
@@ -1144,10 +1185,6 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
                return 0;
-        /* If SMP is already in progress ignore this request */
-        if (chan->data)
-                return 0;
        smp = smp_chan_create(conn);
        if (!smp)
                return SMP_UNSPECIFIED;
@@ -1165,6 +1202,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        memcpy(&smp->preq[1], &cp, sizeof(cp));
        smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
+        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
        return 0;
 }
@@ -1227,10 +1265,12 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
                memcpy(&smp->preq[1], &cp, sizeof(cp));
                smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
+                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
        } else {
                struct smp_cmd_security_req cp;
                cp.auth_req = authreq;
                smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
+                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
        }
        set_bit(SMP_FLAG_INITIATOR, &smp->flags);
@@ -1252,9 +1292,8 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(*rp))
                return SMP_INVALID_PARAMS;
-        /* Ignore this PDU if it wasn't requested */
+        SMP_DISALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
-        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
+        SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
-                return 0;
        skb_pull(skb, sizeof(*rp));
@@ -1278,13 +1317,13 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(*rp))
                return SMP_INVALID_PARAMS;
-        /* Ignore this PDU if it wasn't requested */
-        if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
-                return 0;
        /* Mark the information as received */
        smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
+        if (smp->remote_key_dist & SMP_DIST_ID_KEY)
+                SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
        skb_pull(skb, sizeof(*rp));
        hci_dev_lock(hdev);
@@ -1311,9 +1350,8 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(*info))
                return SMP_INVALID_PARAMS;
-        /* Ignore this PDU if it wasn't requested */
+        SMP_DISALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
-        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
+        SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
-                return 0;
        skb_pull(skb, sizeof(*info));
@@ -1336,13 +1374,13 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
        if (skb->len < sizeof(*info))
                return SMP_INVALID_PARAMS;
-        /* Ignore this PDU if it wasn't requested */
-        if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
-                return 0;
        /* Mark the information as received */
        smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
+        if (smp->remote_key_dist & SMP_DIST_SIGN)
+                SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
        skb_pull(skb, sizeof(*info));
        hci_dev_lock(hcon->hdev);
@@ -1392,13 +1430,11 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
        if (skb->len < sizeof(*rp))
                return SMP_INVALID_PARAMS;
-        /* Ignore this PDU if it wasn't requested */
-        if (!(smp->remote_key_dist & SMP_DIST_SIGN))
-                return 0;
        /* Mark the information as received */
        smp->remote_key_dist &= ~SMP_DIST_SIGN;
+        SMP_DISALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
        skb_pull(skb, sizeof(*rp));
        hci_dev_lock(hdev);
@@ -1418,6 +1454,7 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
 {
        struct l2cap_conn *conn = chan->conn;
        struct hci_conn *hcon = conn->hcon;
+        struct smp_chan *smp;
        __u8 code, reason;
        int err = 0;
@@ -1437,18 +1474,19 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
        code = skb->data[0];
        skb_pull(skb, sizeof(code));
-        /*
+        smp = chan->data;
-         * The SMP context must be initialized for all other PDUs except
-         * pairing and security requests. If we get any other PDU when
+        if (code > SMP_CMD_MAX)
-         * not initialized simply disconnect (done if this function
+                goto drop;
-         * returns an error).
+        if (smp && !test_bit(code, &smp->allow_cmd))
+                goto drop;
+        /* If we don't have a context the only allowed commands are
+         * pairing request and security request.
         */
-        if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
+        if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
-            !chan->data) {
+                goto drop;
-                BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
-                err = -EOPNOTSUPP;
-                goto done;
-        }
        switch (code) {
        case SMP_CMD_PAIRING_REQ:
@@ -1510,6 +1548,12 @@ done:
        }
        return err;
+drop:
+        BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
+               code, &hcon->dst);
+        kfree_skb(skb);
+        return 0;
 }
 static void smp_teardown_cb(struct l2cap_chan *chan, int err)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index e76c963011e5..1201670afe38 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c
@@ -31,6 +31,9 @@
31		31
32	#include "smp.h"	32	#include "smp.h"
33		33
		34	#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
		35	#define SMP_DISALLOW_CMD(smp, code) clear_bit(code, &smp->allow_cmd)
		36
34	#define SMP_TIMEOUT msecs_to_jiffies(30000)	37	#define SMP_TIMEOUT msecs_to_jiffies(30000)
35		38
36	#define AUTH_REQ_MASK 0x07	39	#define AUTH_REQ_MASK 0x07
@@ -47,6 +50,7 @@ enum {
47	struct smp_chan {	50	struct smp_chan {
48	struct l2cap_conn *conn;	51	struct l2cap_conn *conn;
49	struct delayed_work security_timer;	52	struct delayed_work security_timer;
		53	unsigned long allow_cmd; /* Bitmask of allowed commands */
50		54
51	u8 preq[7]; /* SMP Pairing Request */	55	u8 preq[7]; /* SMP Pairing Request */
52	u8 prsp[7]; /* SMP Pairing Response */	56	u8 prsp[7]; /* SMP Pairing Response */
@@ -553,6 +557,11 @@ static u8 smp_confirm(struct smp_chan *smp)
553		557
554	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);	558	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
555		559
		560	if (conn->hcon->out)
		561	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
		562	else
		563	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
		564
556	return 0;	565	return 0;
557	}	566	}
558		567
@@ -691,6 +700,20 @@ static void smp_notify_keys(struct l2cap_conn *conn)
691	}	700	}
692	}	701	}
693		702
		703	static void smp_allow_key_dist(struct smp_chan *smp)
		704	{
		705	/* Allow the first expected phase 3 PDU. The rest of the PDUs
		706	* will be allowed in each PDU handler to ensure we receive
		707	* them in the correct order.
		708	*/
		709	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
		710	SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
		711	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		712	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
		713	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		714	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
		715	}
		716
694	static void smp_distribute_keys(struct smp_chan *smp)	717	static void smp_distribute_keys(struct smp_chan *smp)
695	{	718	{
696	struct smp_cmd_pairing req, rsp;	719	struct smp_cmd_pairing req, rsp;
@@ -704,8 +727,10 @@ static void smp_distribute_keys(struct smp_chan *smp)
704	rsp = (void *) &smp->prsp[1];	727	rsp = (void *) &smp->prsp[1];
705		728
706	/* The responder sends its keys first */	729	/* The responder sends its keys first */
707	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK))	730	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
		731	smp_allow_key_dist(smp);
708	return;	732	return;
		733	}
709		734
710	req = (void *) &smp->preq[1];	735	req = (void *) &smp->preq[1];
711		736
@@ -790,8 +815,10 @@ static void smp_distribute_keys(struct smp_chan *smp)
790	}	815	}
791		816
792	/* If there are still keys to be received wait for them */	817	/* If there are still keys to be received wait for them */
793	if (smp->remote_key_dist & KEY_DIST_MASK)	818	if (smp->remote_key_dist & KEY_DIST_MASK) {
		819	smp_allow_key_dist(smp);
794	return;	820	return;
		821	}
795		822
796	set_bit(SMP_FLAG_COMPLETE, &smp->flags);	823	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
797	smp_notify_keys(conn);	824	smp_notify_keys(conn);
@@ -829,6 +856,8 @@ static struct smp_chan smp_chan_create(struct l2cap_conn conn)
829	smp->conn = conn;	856	smp->conn = conn;
830	chan->data = smp;	857	chan->data = smp;
831		858
		859	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
		860
832	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);	861	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
833		862
834	hci_conn_hold(conn->hcon);	863	hci_conn_hold(conn->hcon);
@@ -925,6 +954,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn conn, struct sk_buff skb)
925	(req->auth_req & SMP_AUTH_BONDING))	954	(req->auth_req & SMP_AUTH_BONDING))
926	return SMP_PAIRING_NOTSUPP;	955	return SMP_PAIRING_NOTSUPP;
927		956
		957	SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
		958
928	smp->preq[0] = SMP_CMD_PAIRING_REQ;	959	smp->preq[0] = SMP_CMD_PAIRING_REQ;
929	memcpy(&smp->preq[1], req, sizeof(*req));	960	memcpy(&smp->preq[1], req, sizeof(*req));
930	skb_pull(skb, sizeof(*req));	961	skb_pull(skb, sizeof(*req));
@@ -958,6 +989,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn conn, struct sk_buff skb)
958	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));	989	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
959		990
960	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);	991	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
		992	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
961		993
962	/* Request setup of TK */	994	/* Request setup of TK */
963	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);	995	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
@@ -983,6 +1015,8 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn conn, struct sk_buff skb)
983	if (conn->hcon->role != HCI_ROLE_MASTER)	1015	if (conn->hcon->role != HCI_ROLE_MASTER)
984	return SMP_CMD_NOTSUPP;	1016	return SMP_CMD_NOTSUPP;
985		1017
		1018	SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
		1019
986	skb_pull(skb, sizeof(*rsp));	1020	skb_pull(skb, sizeof(*rsp));
987		1021
988	req = (void *) &smp->preq[1];	1022	req = (void *) &smp->preq[1];
@@ -1040,13 +1074,19 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn conn, struct sk_buff skb)
1040	if (skb->len < sizeof(smp->pcnf))	1074	if (skb->len < sizeof(smp->pcnf))
1041	return SMP_INVALID_PARAMS;	1075	return SMP_INVALID_PARAMS;
1042		1076
		1077	SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
		1078
1043	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));	1079	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1044	skb_pull(skb, sizeof(smp->pcnf));	1080	skb_pull(skb, sizeof(smp->pcnf));
1045		1081
1046	if (conn->hcon->out)	1082	if (conn->hcon->out) {
1047	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),	1083	smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1048	smp->prnd);	1084	smp->prnd);
1049	else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))	1085	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
		1086	return 0;
		1087	}
		1088
		1089	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1050	return smp_confirm(smp);	1090	return smp_confirm(smp);
1051	else	1091	else
1052	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);	1092	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
@@ -1064,6 +1104,8 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn conn, struct sk_buff skb)
1064	if (skb->len < sizeof(smp->rrnd))	1104	if (skb->len < sizeof(smp->rrnd))
1065	return SMP_INVALID_PARAMS;	1105	return SMP_INVALID_PARAMS;
1066		1106
		1107	SMP_DISALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
		1108
1067	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));	1109	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1068	skb_pull(skb, sizeof(smp->rrnd));	1110	skb_pull(skb, sizeof(smp->rrnd));
1069		1111
@@ -1122,7 +1164,6 @@ static u8 smp_cmd_security_req(struct l2cap_conn conn, struct sk_buff skb)
1122	struct smp_cmd_security_req rp = (void ) skb->data;	1164	struct smp_cmd_security_req rp = (void ) skb->data;
1123	struct smp_cmd_pairing cp;	1165	struct smp_cmd_pairing cp;
1124	struct hci_conn *hcon = conn->hcon;	1166	struct hci_conn *hcon = conn->hcon;
1125	struct l2cap_chan *chan = conn->smp;
1126	struct smp_chan *smp;	1167	struct smp_chan *smp;
1127	u8 sec_level;	1168	u8 sec_level;
1128		1169
@@ -1144,10 +1185,6 @@ static u8 smp_cmd_security_req(struct l2cap_conn conn, struct sk_buff skb)
1144	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))	1185	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1145	return 0;	1186	return 0;
1146		1187
1147	/* If SMP is already in progress ignore this request */
1148	if (chan->data)
1149	return 0;
1150
1151	smp = smp_chan_create(conn);	1188	smp = smp_chan_create(conn);
1152	if (!smp)	1189	if (!smp)
1153	return SMP_UNSPECIFIED;	1190	return SMP_UNSPECIFIED;
@@ -1165,6 +1202,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn conn, struct sk_buff skb)
1165	memcpy(&smp->preq[1], &cp, sizeof(cp));	1202	memcpy(&smp->preq[1], &cp, sizeof(cp));
1166		1203
1167	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);	1204	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
		1205	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1168		1206
1169	return 0;	1207	return 0;
1170	}	1208	}
@@ -1227,10 +1265,12 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1227	memcpy(&smp->preq[1], &cp, sizeof(cp));	1265	memcpy(&smp->preq[1], &cp, sizeof(cp));
1228		1266
1229	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);	1267	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
		1268	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1230	} else {	1269	} else {
1231	struct smp_cmd_security_req cp;	1270	struct smp_cmd_security_req cp;
1232	cp.auth_req = authreq;	1271	cp.auth_req = authreq;
1233	smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);	1272	smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
		1273	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1234	}	1274	}
1235		1275
1236	set_bit(SMP_FLAG_INITIATOR, &smp->flags);	1276	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
@@ -1252,9 +1292,8 @@ static int smp_cmd_encrypt_info(struct l2cap_conn conn, struct sk_buff skb)
1252	if (skb->len < sizeof(*rp))	1292	if (skb->len < sizeof(*rp))
1253	return SMP_INVALID_PARAMS;	1293	return SMP_INVALID_PARAMS;
1254		1294
1255	/* Ignore this PDU if it wasn't requested */	1295	SMP_DISALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1256	if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))	1296	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1257	return 0;
1258		1297
1259	skb_pull(skb, sizeof(*rp));	1298	skb_pull(skb, sizeof(*rp));
1260		1299
@@ -1278,13 +1317,13 @@ static int smp_cmd_master_ident(struct l2cap_conn conn, struct sk_buff skb)
1278	if (skb->len < sizeof(*rp))	1317	if (skb->len < sizeof(*rp))
1279	return SMP_INVALID_PARAMS;	1318	return SMP_INVALID_PARAMS;
1280		1319
1281	/* Ignore this PDU if it wasn't requested */
1282	if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1283	return 0;
1284
1285	/* Mark the information as received */	1320	/* Mark the information as received */
1286	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;	1321	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1287		1322
		1323	SMP_DISALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
		1324	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		1325	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
		1326
1288	skb_pull(skb, sizeof(*rp));	1327	skb_pull(skb, sizeof(*rp));
1289		1328
1290	hci_dev_lock(hdev);	1329	hci_dev_lock(hdev);
@@ -1311,9 +1350,8 @@ static int smp_cmd_ident_info(struct l2cap_conn conn, struct sk_buff skb)
1311	if (skb->len < sizeof(*info))	1350	if (skb->len < sizeof(*info))
1312	return SMP_INVALID_PARAMS;	1351	return SMP_INVALID_PARAMS;
1313		1352
1314	/* Ignore this PDU if it wasn't requested */	1353	SMP_DISALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1315	if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))	1354	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
1316	return 0;
1317		1355
1318	skb_pull(skb, sizeof(*info));	1356	skb_pull(skb, sizeof(*info));
1319		1357
@@ -1336,13 +1374,13 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1336	if (skb->len < sizeof(*info))	1374	if (skb->len < sizeof(*info))
1337	return SMP_INVALID_PARAMS;	1375	return SMP_INVALID_PARAMS;
1338		1376
1339	/* Ignore this PDU if it wasn't requested */
1340	if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1341	return 0;
1342
1343	/* Mark the information as received */	1377	/* Mark the information as received */
1344	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;	1378	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1345		1379
		1380	SMP_DISALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
		1381	if (smp->remote_key_dist & SMP_DIST_SIGN)
		1382	SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
		1383
1346	skb_pull(skb, sizeof(*info));	1384	skb_pull(skb, sizeof(*info));
1347		1385
1348	hci_dev_lock(hcon->hdev);	1386	hci_dev_lock(hcon->hdev);
@@ -1392,13 +1430,11 @@ static int smp_cmd_sign_info(struct l2cap_conn conn, struct sk_buff skb)
1392	if (skb->len < sizeof(*rp))	1430	if (skb->len < sizeof(*rp))
1393	return SMP_INVALID_PARAMS;	1431	return SMP_INVALID_PARAMS;
1394		1432
1395	/* Ignore this PDU if it wasn't requested */
1396	if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1397	return 0;
1398
1399	/* Mark the information as received */	1433	/* Mark the information as received */
1400	smp->remote_key_dist &= ~SMP_DIST_SIGN;	1434	smp->remote_key_dist &= ~SMP_DIST_SIGN;
1401		1435
		1436	SMP_DISALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
		1437
1402	skb_pull(skb, sizeof(*rp));	1438	skb_pull(skb, sizeof(*rp));
1403		1439
1404	hci_dev_lock(hdev);	1440	hci_dev_lock(hdev);
@@ -1418,6 +1454,7 @@ static int smp_sig_channel(struct l2cap_chan chan, struct sk_buff skb)
1418	{	1454	{
1419	struct l2cap_conn *conn = chan->conn;	1455	struct l2cap_conn *conn = chan->conn;
1420	struct hci_conn *hcon = conn->hcon;	1456	struct hci_conn *hcon = conn->hcon;
		1457	struct smp_chan *smp;
1421	__u8 code, reason;	1458	__u8 code, reason;
1422	int err = 0;	1459	int err = 0;
1423		1460
@@ -1437,18 +1474,19 @@ static int smp_sig_channel(struct l2cap_chan chan, struct sk_buff skb)
1437	code = skb->data[0];	1474	code = skb->data[0];
1438	skb_pull(skb, sizeof(code));	1475	skb_pull(skb, sizeof(code));
1439		1476
1440	/*	1477	smp = chan->data;
1441	* The SMP context must be initialized for all other PDUs except	1478
1442	* pairing and security requests. If we get any other PDU when	1479	if (code > SMP_CMD_MAX)
1443	* not initialized simply disconnect (done if this function	1480	goto drop;
1444	* returns an error).	1481
		1482	if (smp && !test_bit(code, &smp->allow_cmd))
		1483	goto drop;
		1484
		1485	/* If we don't have a context the only allowed commands are
		1486	* pairing request and security request.
1445	*/	1487	*/
1446	if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&	1488	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
1447	!chan->data) {	1489	goto drop;
1448	BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1449	err = -EOPNOTSUPP;
1450	goto done;
1451	}
1452		1490
1453	switch (code) {	1491	switch (code) {
1454	case SMP_CMD_PAIRING_REQ:	1492	case SMP_CMD_PAIRING_REQ:
@@ -1510,6 +1548,12 @@ done:
1510	}	1548	}
1511		1549
1512	return err;	1550	return err;
		1551
		1552	drop:
		1553	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
		1554	code, &hcon->dst);
		1555	kfree_skb(skb);
		1556	return 0;
1513	}	1557	}
1514		1558
1515	static void smp_teardown_cb(struct l2cap_chan *chan, int err)	1559	static void smp_teardown_cb(struct l2cap_chan *chan, int err)