aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/6lowpan.c10
-rw-r--r--net/bluetooth/hci_core.c71
-rw-r--r--net/bluetooth/hci_event.c11
-rw-r--r--net/bluetooth/l2cap_core.c309
-rw-r--r--net/bluetooth/l2cap_sock.c15
-rw-r--r--net/bluetooth/mgmt.c124
-rw-r--r--net/bluetooth/smp.c726
-rw-r--r--net/bluetooth/smp.h10
8 files changed, 750 insertions, 526 deletions
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 206b65ccd5b8..35ebe79c87b0 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -772,16 +772,16 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
772 ifup(dev->netdev); 772 ifup(dev->netdev);
773} 773}
774 774
775static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *chan) 775static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
776{ 776{
777 struct l2cap_chan *pchan; 777 struct l2cap_chan *chan;
778 778
779 pchan = chan_open(chan); 779 chan = chan_open(pchan);
780 pchan->ops = chan->ops; 780 chan->ops = pchan->ops;
781 781
782 BT_DBG("chan %p pchan %p", chan, pchan); 782 BT_DBG("chan %p pchan %p", chan, pchan);
783 783
784 return pchan; 784 return chan;
785} 785}
786 786
787static void delete_netdev(struct work_struct *work) 787static void delete_netdev(struct work_struct *work)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1d9c29a00568..9b7145959a49 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1898,6 +1898,8 @@ static int __hci_init(struct hci_dev *hdev)
1898 debugfs_create_u16("discov_interleaved_timeout", 0644, 1898 debugfs_create_u16("discov_interleaved_timeout", 0644,
1899 hdev->debugfs, 1899 hdev->debugfs,
1900 &hdev->discov_interleaved_timeout); 1900 &hdev->discov_interleaved_timeout);
1901
1902 smp_register(hdev);
1901 } 1903 }
1902 1904
1903 return 0; 1905 return 0;
@@ -3238,7 +3240,7 @@ struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
3238 } 3240 }
3239 3241
3240 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) { 3242 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
3241 if (smp_irk_matches(hdev->tfm_aes, irk->val, rpa)) { 3243 if (smp_irk_matches(hdev, irk->val, rpa)) {
3242 bacpy(&irk->rpa, rpa); 3244 bacpy(&irk->rpa, rpa);
3243 return irk; 3245 return irk;
3244 } 3246 }
@@ -3892,7 +3894,7 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy,
3892 !bacmp(&hdev->random_addr, &hdev->rpa)) 3894 !bacmp(&hdev->random_addr, &hdev->rpa))
3893 return 0; 3895 return 0;
3894 3896
3895 err = smp_generate_rpa(hdev->tfm_aes, hdev->irk, &hdev->rpa); 3897 err = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);
3896 if (err < 0) { 3898 if (err < 0) {
3897 BT_ERR("%s failed to generate new RPA", hdev->name); 3899 BT_ERR("%s failed to generate new RPA", hdev->name);
3898 return err; 3900 return err;
@@ -4100,18 +4102,9 @@ int hci_register_dev(struct hci_dev *hdev)
4100 4102
4101 dev_set_name(&hdev->dev, "%s", hdev->name); 4103 dev_set_name(&hdev->dev, "%s", hdev->name);
4102 4104
4103 hdev->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0,
4104 CRYPTO_ALG_ASYNC);
4105 if (IS_ERR(hdev->tfm_aes)) {
4106 BT_ERR("Unable to create crypto context");
4107 error = PTR_ERR(hdev->tfm_aes);
4108 hdev->tfm_aes = NULL;
4109 goto err_wqueue;
4110 }
4111
4112 error = device_add(&hdev->dev); 4105 error = device_add(&hdev->dev);
4113 if (error < 0) 4106 if (error < 0)
4114 goto err_tfm; 4107 goto err_wqueue;
4115 4108
4116 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 4109 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
4117 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, 4110 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
@@ -4153,8 +4146,6 @@ int hci_register_dev(struct hci_dev *hdev)
4153 4146
4154 return id; 4147 return id;
4155 4148
4156err_tfm:
4157 crypto_free_blkcipher(hdev->tfm_aes);
4158err_wqueue: 4149err_wqueue:
4159 destroy_workqueue(hdev->workqueue); 4150 destroy_workqueue(hdev->workqueue);
4160 destroy_workqueue(hdev->req_workqueue); 4151 destroy_workqueue(hdev->req_workqueue);
@@ -4206,8 +4197,7 @@ void hci_unregister_dev(struct hci_dev *hdev)
4206 rfkill_destroy(hdev->rfkill); 4197 rfkill_destroy(hdev->rfkill);
4207 } 4198 }
4208 4199
4209 if (hdev->tfm_aes) 4200 smp_unregister(hdev);
4210 crypto_free_blkcipher(hdev->tfm_aes);
4211 4201
4212 device_del(&hdev->dev); 4202 device_del(&hdev->dev);
4213 4203
@@ -5690,3 +5680,52 @@ void hci_update_background_scan(struct hci_dev *hdev)
5690 if (err) 5680 if (err)
5691 BT_ERR("Failed to run HCI request: err %d", err); 5681 BT_ERR("Failed to run HCI request: err %d", err);
5692} 5682}
5683
5684static bool disconnected_whitelist_entries(struct hci_dev *hdev)
5685{
5686 struct bdaddr_list *b;
5687
5688 list_for_each_entry(b, &hdev->whitelist, list) {
5689 struct hci_conn *conn;
5690
5691 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &b->bdaddr);
5692 if (!conn)
5693 return true;
5694
5695 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
5696 return true;
5697 }
5698
5699 return false;
5700}
5701
5702void hci_update_page_scan(struct hci_dev *hdev, struct hci_request *req)
5703{
5704 u8 scan;
5705
5706 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
5707 return;
5708
5709 if (!hdev_is_powered(hdev))
5710 return;
5711
5712 if (mgmt_powering_down(hdev))
5713 return;
5714
5715 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) ||
5716 disconnected_whitelist_entries(hdev))
5717 scan = SCAN_PAGE;
5718 else
5719 scan = SCAN_DISABLED;
5720
5721 if (test_bit(HCI_PSCAN, &hdev->flags) == !!(scan & SCAN_PAGE))
5722 return;
5723
5724 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
5725 scan |= SCAN_INQUIRY;
5726
5727 if (req)
5728 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5729 else
5730 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5731}
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a6000823f0ff..3a99f30a3317 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2071,6 +2071,8 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2071 cp.handle = ev->handle; 2071 cp.handle = ev->handle;
2072 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2072 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2073 sizeof(cp), &cp); 2073 sizeof(cp), &cp);
2074
2075 hci_update_page_scan(hdev, NULL);
2074 } 2076 }
2075 2077
2076 /* Set packet type for incoming connection */ 2078 /* Set packet type for incoming connection */
@@ -2247,9 +2249,12 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2247 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2249 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2248 reason, mgmt_connected); 2250 reason, mgmt_connected);
2249 2251
2250 if (conn->type == ACL_LINK && 2252 if (conn->type == ACL_LINK) {
2251 test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2253 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2252 hci_remove_link_key(hdev, &conn->dst); 2254 hci_remove_link_key(hdev, &conn->dst);
2255
2256 hci_update_page_scan(hdev, NULL);
2257 }
2253 2258
2254 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2259 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2255 if (params) { 2260 if (params) {
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 46547b920f88..4a90438d99df 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -210,6 +210,10 @@ int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{ 210{
211 write_lock(&chan_list_lock); 211 write_lock(&chan_list_lock);
212 212
213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
213 chan->scid = scid; 217 chan->scid = scid;
214 218
215 write_unlock(&chan_list_lock); 219 write_unlock(&chan_list_lock);
@@ -562,6 +566,8 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
562 566
563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
564 568
569 chan->ops->teardown(chan, err);
570
565 if (conn) { 571 if (conn) {
566 struct amp_mgr *mgr = conn->hcon->amp_mgr; 572 struct amp_mgr *mgr = conn->hcon->amp_mgr;
567 /* Delete from channel list */ 573 /* Delete from channel list */
@@ -585,8 +591,6 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
585 amp_disconnect_logical_link(hs_hchan); 591 amp_disconnect_logical_link(hs_hchan);
586 } 592 }
587 593
588 chan->ops->teardown(chan, err);
589
590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
591 return; 595 return;
592 596
@@ -1082,6 +1086,9 @@ static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1082 1086
1083static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1087static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1084{ 1088{
1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1090 return true;
1091
1085 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1086} 1093}
1087 1094
@@ -1417,71 +1424,18 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
1417 mutex_unlock(&conn->chan_lock); 1424 mutex_unlock(&conn->chan_lock);
1418} 1425}
1419 1426
1420/* Find socket with cid and source/destination bdaddr.
1421 * Returns closest match, locked.
1422 */
1423static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1424 bdaddr_t *src,
1425 bdaddr_t *dst)
1426{
1427 struct l2cap_chan *c, *c1 = NULL;
1428
1429 read_lock(&chan_list_lock);
1430
1431 list_for_each_entry(c, &chan_list, global_l) {
1432 if (state && c->state != state)
1433 continue;
1434
1435 if (c->scid == cid) {
1436 int src_match, dst_match;
1437 int src_any, dst_any;
1438
1439 /* Exact match. */
1440 src_match = !bacmp(&c->src, src);
1441 dst_match = !bacmp(&c->dst, dst);
1442 if (src_match && dst_match) {
1443 read_unlock(&chan_list_lock);
1444 return c;
1445 }
1446
1447 /* Closest match */
1448 src_any = !bacmp(&c->src, BDADDR_ANY);
1449 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1450 if ((src_match && dst_any) || (src_any && dst_match) ||
1451 (src_any && dst_any))
1452 c1 = c;
1453 }
1454 }
1455
1456 read_unlock(&chan_list_lock);
1457
1458 return c1;
1459}
1460
1461static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1427static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1462{ 1428{
1463 struct hci_conn *hcon = conn->hcon; 1429 struct hci_conn *hcon = conn->hcon;
1464 struct hci_dev *hdev = hcon->hdev; 1430 struct hci_dev *hdev = hcon->hdev;
1465 struct l2cap_chan *chan, *pchan;
1466 u8 dst_type;
1467 1431
1468 BT_DBG(""); 1432 BT_DBG("%s conn %p", hdev->name, conn);
1469 1433
1470 /* Check if we have socket listening on cid */ 1434 /* For outgoing pairing which doesn't necessarily have an
1471 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT, 1435 * associated socket (e.g. mgmt_pair_device).
1472 &hcon->src, &hcon->dst); 1436 */
1473 if (!pchan) 1437 if (hcon->out)
1474 return; 1438 smp_conn_security(hcon, hcon->pending_sec_level);
1475
1476 /* Client ATT sockets should override the server one */
1477 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1478 return;
1479
1480 dst_type = bdaddr_type(hcon, hcon->dst_type);
1481
1482 /* If device is blocked, do not create a channel for it */
1483 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
1484 return;
1485 1439
1486 /* For LE slave connections, make sure the connection interval 1440 /* For LE slave connections, make sure the connection interval
1487 * is in the range of the minium and maximum interval that has 1441 * is in the range of the minium and maximum interval that has
@@ -1501,22 +1455,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1501 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1455 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1502 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1456 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1503 } 1457 }
1504
1505 l2cap_chan_lock(pchan);
1506
1507 chan = pchan->ops->new_connection(pchan);
1508 if (!chan)
1509 goto clean;
1510
1511 bacpy(&chan->src, &hcon->src);
1512 bacpy(&chan->dst, &hcon->dst);
1513 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1514 chan->dst_type = dst_type;
1515
1516 __l2cap_chan_add(conn, chan);
1517
1518clean:
1519 l2cap_chan_unlock(pchan);
1520} 1458}
1521 1459
1522static void l2cap_conn_ready(struct l2cap_conn *conn) 1460static void l2cap_conn_ready(struct l2cap_conn *conn)
@@ -1526,17 +1464,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1526 1464
1527 BT_DBG("conn %p", conn); 1465 BT_DBG("conn %p", conn);
1528 1466
1529 /* For outgoing pairing which doesn't necessarily have an
1530 * associated socket (e.g. mgmt_pair_device).
1531 */
1532 if (hcon->out && hcon->type == LE_LINK)
1533 smp_conn_security(hcon, hcon->pending_sec_level);
1534
1535 mutex_lock(&conn->chan_lock); 1467 mutex_lock(&conn->chan_lock);
1536 1468
1537 if (hcon->type == LE_LINK)
1538 l2cap_le_conn_ready(conn);
1539
1540 list_for_each_entry(chan, &conn->chan_l, list) { 1469 list_for_each_entry(chan, &conn->chan_l, list) {
1541 1470
1542 l2cap_chan_lock(chan); 1471 l2cap_chan_lock(chan);
@@ -1560,6 +1489,9 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1560 1489
1561 mutex_unlock(&conn->chan_lock); 1490 mutex_unlock(&conn->chan_lock);
1562 1491
1492 if (hcon->type == LE_LINK)
1493 l2cap_le_conn_ready(conn);
1494
1563 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1495 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1564} 1496}
1565 1497
@@ -1695,6 +1627,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1695 if (work_pending(&conn->pending_rx_work)) 1627 if (work_pending(&conn->pending_rx_work))
1696 cancel_work_sync(&conn->pending_rx_work); 1628 cancel_work_sync(&conn->pending_rx_work);
1697 1629
1630 if (work_pending(&conn->disconn_work))
1631 cancel_work_sync(&conn->disconn_work);
1632
1698 l2cap_unregister_all_users(conn); 1633 l2cap_unregister_all_users(conn);
1699 1634
1700 mutex_lock(&conn->chan_lock); 1635 mutex_lock(&conn->chan_lock);
@@ -1719,27 +1654,29 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1719 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1720 cancel_delayed_work_sync(&conn->info_timer); 1655 cancel_delayed_work_sync(&conn->info_timer);
1721 1656
1722 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1723 cancel_delayed_work_sync(&conn->security_timer);
1724 smp_chan_destroy(conn);
1725 }
1726
1727 hcon->l2cap_data = NULL; 1657 hcon->l2cap_data = NULL;
1728 conn->hchan = NULL; 1658 conn->hchan = NULL;
1729 l2cap_conn_put(conn); 1659 l2cap_conn_put(conn);
1730} 1660}
1731 1661
1732static void security_timeout(struct work_struct *work) 1662static void disconn_work(struct work_struct *work)
1733{ 1663{
1734 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1664 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1735 security_timer.work); 1665 disconn_work);
1736 1666
1737 BT_DBG("conn %p", conn); 1667 BT_DBG("conn %p", conn);
1738 1668
1739 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) { 1669 l2cap_conn_del(conn->hcon, conn->disconn_err);
1740 smp_chan_destroy(conn); 1670}
1741 l2cap_conn_del(conn->hcon, ETIMEDOUT); 1671
1742 } 1672void l2cap_conn_shutdown(struct l2cap_conn *conn, int err)
1673{
1674 struct hci_dev *hdev = conn->hcon->hdev;
1675
1676 BT_DBG("conn %p err %d", conn, err);
1677
1678 conn->disconn_err = err;
1679 queue_work(hdev->workqueue, &conn->disconn_work);
1743} 1680}
1744 1681
1745static void l2cap_conn_free(struct kref *ref) 1682static void l2cap_conn_free(struct kref *ref)
@@ -1794,6 +1731,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1794 src_match = !bacmp(&c->src, src); 1731 src_match = !bacmp(&c->src, src);
1795 dst_match = !bacmp(&c->dst, dst); 1732 dst_match = !bacmp(&c->dst, dst);
1796 if (src_match && dst_match) { 1733 if (src_match && dst_match) {
1734 l2cap_chan_hold(c);
1797 read_unlock(&chan_list_lock); 1735 read_unlock(&chan_list_lock);
1798 return c; 1736 return c;
1799 } 1737 }
@@ -1807,6 +1745,9 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1807 } 1745 }
1808 } 1746 }
1809 1747
1748 if (c1)
1749 l2cap_chan_hold(c1);
1750
1810 read_unlock(&chan_list_lock); 1751 read_unlock(&chan_list_lock);
1811 1752
1812 return c1; 1753 return c1;
@@ -2027,10 +1968,12 @@ static void l2cap_ertm_resend(struct l2cap_chan *chan)
2027 tx_skb->data + L2CAP_HDR_SIZE); 1968 tx_skb->data + L2CAP_HDR_SIZE);
2028 } 1969 }
2029 1970
1971 /* Update FCS */
2030 if (chan->fcs == L2CAP_FCS_CRC16) { 1972 if (chan->fcs == L2CAP_FCS_CRC16) {
2031 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len); 1973 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2032 put_unaligned_le16(fcs, skb_put(tx_skb, 1974 tx_skb->len - L2CAP_FCS_SIZE);
2033 L2CAP_FCS_SIZE)); 1975 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1976 L2CAP_FCS_SIZE);
2034 } 1977 }
2035 1978
2036 l2cap_do_send(chan, tx_skb); 1979 l2cap_do_send(chan, tx_skb);
@@ -2334,7 +2277,6 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
2334 } else { 2277 } else {
2335 sar = L2CAP_SAR_START; 2278 sar = L2CAP_SAR_START;
2336 sdu_len = len; 2279 sdu_len = len;
2337 pdu_len -= L2CAP_SDULEN_SIZE;
2338 } 2280 }
2339 2281
2340 while (len > 0) { 2282 while (len > 0) {
@@ -2349,10 +2291,8 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
2349 __skb_queue_tail(seg_queue, skb); 2291 __skb_queue_tail(seg_queue, skb);
2350 2292
2351 len -= pdu_len; 2293 len -= pdu_len;
2352 if (sdu_len) { 2294 if (sdu_len)
2353 sdu_len = 0; 2295 sdu_len = 0;
2354 pdu_len += L2CAP_SDULEN_SIZE;
2355 }
2356 2296
2357 if (len <= pdu_len) { 2297 if (len <= pdu_len) {
2358 sar = L2CAP_SAR_END; 2298 sar = L2CAP_SAR_END;
@@ -3884,6 +3824,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3884response: 3824response:
3885 l2cap_chan_unlock(pchan); 3825 l2cap_chan_unlock(pchan);
3886 mutex_unlock(&conn->chan_lock); 3826 mutex_unlock(&conn->chan_lock);
3827 l2cap_chan_put(pchan);
3887 3828
3888sendresp: 3829sendresp:
3889 rsp.scid = cpu_to_le16(scid); 3830 rsp.scid = cpu_to_le16(scid);
@@ -5497,6 +5438,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
5497response_unlock: 5438response_unlock:
5498 l2cap_chan_unlock(pchan); 5439 l2cap_chan_unlock(pchan);
5499 mutex_unlock(&conn->chan_lock); 5440 mutex_unlock(&conn->chan_lock);
5441 l2cap_chan_put(pchan);
5500 5442
5501 if (result == L2CAP_CR_PEND) 5443 if (result == L2CAP_CR_PEND)
5502 return 0; 5444 return 0;
@@ -6845,12 +6787,12 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6845 struct l2cap_chan *chan; 6787 struct l2cap_chan *chan;
6846 6788
6847 if (hcon->type != ACL_LINK) 6789 if (hcon->type != ACL_LINK)
6848 goto drop; 6790 goto free_skb;
6849 6791
6850 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 6792 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6851 ACL_LINK); 6793 ACL_LINK);
6852 if (!chan) 6794 if (!chan)
6853 goto drop; 6795 goto free_skb;
6854 6796
6855 BT_DBG("chan %p, len %d", chan, skb->len); 6797 BT_DBG("chan %p, len %d", chan, skb->len);
6856 6798
@@ -6864,36 +6806,14 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6864 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst); 6806 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
6865 bt_cb(skb)->psm = psm; 6807 bt_cb(skb)->psm = psm;
6866 6808
6867 if (!chan->ops->recv(chan, skb)) 6809 if (!chan->ops->recv(chan, skb)) {
6868 return; 6810 l2cap_chan_put(chan);
6869
6870drop:
6871 kfree_skb(skb);
6872}
6873
6874static void l2cap_att_channel(struct l2cap_conn *conn,
6875 struct sk_buff *skb)
6876{
6877 struct hci_conn *hcon = conn->hcon;
6878 struct l2cap_chan *chan;
6879
6880 if (hcon->type != LE_LINK)
6881 goto drop;
6882
6883 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
6884 &hcon->src, &hcon->dst);
6885 if (!chan)
6886 goto drop;
6887
6888 BT_DBG("chan %p, len %d", chan, skb->len);
6889
6890 if (chan->imtu < skb->len)
6891 goto drop;
6892
6893 if (!chan->ops->recv(chan, skb))
6894 return; 6811 return;
6812 }
6895 6813
6896drop: 6814drop:
6815 l2cap_chan_put(chan);
6816free_skb:
6897 kfree_skb(skb); 6817 kfree_skb(skb);
6898} 6818}
6899 6819
@@ -6942,19 +6862,10 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6942 l2cap_conless_channel(conn, psm, skb); 6862 l2cap_conless_channel(conn, psm, skb);
6943 break; 6863 break;
6944 6864
6945 case L2CAP_CID_ATT:
6946 l2cap_att_channel(conn, skb);
6947 break;
6948
6949 case L2CAP_CID_LE_SIGNALING: 6865 case L2CAP_CID_LE_SIGNALING:
6950 l2cap_le_sig_channel(conn, skb); 6866 l2cap_le_sig_channel(conn, skb);
6951 break; 6867 break;
6952 6868
6953 case L2CAP_CID_SMP:
6954 if (smp_sig_channel(conn, skb))
6955 l2cap_conn_del(conn->hcon, EACCES);
6956 break;
6957
6958 default: 6869 default:
6959 l2cap_data_channel(conn, cid, skb); 6870 l2cap_data_channel(conn, cid, skb);
6960 break; 6871 break;
@@ -7023,10 +6934,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7023 INIT_LIST_HEAD(&conn->chan_l); 6934 INIT_LIST_HEAD(&conn->chan_l);
7024 INIT_LIST_HEAD(&conn->users); 6935 INIT_LIST_HEAD(&conn->users);
7025 6936
7026 if (hcon->type == LE_LINK) 6937 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7027 INIT_DELAYED_WORK(&conn->security_timer, security_timeout); 6938
7028 else 6939 INIT_WORK(&conn->disconn_work, disconn_work);
7029 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7030 6940
7031 skb_queue_head_init(&conn->pending_rx); 6941 skb_queue_head_init(&conn->pending_rx);
7032 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 6942 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
@@ -7239,19 +7149,99 @@ int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7239 return exact ? lm1 : lm2; 7149 return exact ? lm1 : lm2;
7240} 7150}
7241 7151
7152/* Find the next fixed channel in BT_LISTEN state, continue iteration
7153 * from an existing channel in the list or from the beginning of the
7154 * global list (by passing NULL as first parameter).
7155 */
7156static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7157 bdaddr_t *src, u8 link_type)
7158{
7159 read_lock(&chan_list_lock);
7160
7161 if (c)
7162 c = list_next_entry(c, global_l);
7163 else
7164 c = list_entry(chan_list.next, typeof(*c), global_l);
7165
7166 list_for_each_entry_from(c, &chan_list, global_l) {
7167 if (c->chan_type != L2CAP_CHAN_FIXED)
7168 continue;
7169 if (c->state != BT_LISTEN)
7170 continue;
7171 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7172 continue;
7173 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7174 continue;
7175 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7176 continue;
7177
7178 l2cap_chan_hold(c);
7179 read_unlock(&chan_list_lock);
7180 return c;
7181 }
7182
7183 read_unlock(&chan_list_lock);
7184
7185 return NULL;
7186}
7187
7242void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7188void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7243{ 7189{
7190 struct hci_dev *hdev = hcon->hdev;
7244 struct l2cap_conn *conn; 7191 struct l2cap_conn *conn;
7192 struct l2cap_chan *pchan;
7193 u8 dst_type;
7245 7194
7246 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7195 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7247 7196
7248 if (!status) { 7197 if (status) {
7249 conn = l2cap_conn_add(hcon);
7250 if (conn)
7251 l2cap_conn_ready(conn);
7252 } else {
7253 l2cap_conn_del(hcon, bt_to_errno(status)); 7198 l2cap_conn_del(hcon, bt_to_errno(status));
7199 return;
7254 } 7200 }
7201
7202 conn = l2cap_conn_add(hcon);
7203 if (!conn)
7204 return;
7205
7206 dst_type = bdaddr_type(hcon, hcon->dst_type);
7207
7208 /* If device is blocked, do not create channels for it */
7209 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7210 return;
7211
7212 /* Find fixed channels and notify them of the new connection. We
7213 * use multiple individual lookups, continuing each time where
7214 * we left off, because the list lock would prevent calling the
7215 * potentially sleeping l2cap_chan_lock() function.
7216 */
7217 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
7218 while (pchan) {
7219 struct l2cap_chan *chan, *next;
7220
7221 /* Client fixed channels should override server ones */
7222 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7223 goto next;
7224
7225 l2cap_chan_lock(pchan);
7226 chan = pchan->ops->new_connection(pchan);
7227 if (chan) {
7228 bacpy(&chan->src, &hcon->src);
7229 bacpy(&chan->dst, &hcon->dst);
7230 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7231 chan->dst_type = dst_type;
7232
7233 __l2cap_chan_add(conn, chan);
7234 }
7235
7236 l2cap_chan_unlock(pchan);
7237next:
7238 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7239 hcon->type);
7240 l2cap_chan_put(pchan);
7241 pchan = next;
7242 }
7243
7244 l2cap_conn_ready(conn);
7255} 7245}
7256 7246
7257int l2cap_disconn_ind(struct hci_conn *hcon) 7247int l2cap_disconn_ind(struct hci_conn *hcon)
@@ -7299,12 +7289,6 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7299 7289
7300 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 7290 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7301 7291
7302 if (hcon->type == LE_LINK) {
7303 if (!status && encrypt)
7304 smp_distribute_keys(conn);
7305 cancel_delayed_work(&conn->security_timer);
7306 }
7307
7308 mutex_lock(&conn->chan_lock); 7292 mutex_lock(&conn->chan_lock);
7309 7293
7310 list_for_each_entry(chan, &conn->chan_l, list) { 7294 list_for_each_entry(chan, &conn->chan_l, list) {
@@ -7318,15 +7302,8 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7318 continue; 7302 continue;
7319 } 7303 }
7320 7304
7321 if (chan->scid == L2CAP_CID_ATT) { 7305 if (!status && encrypt)
7322 if (!status && encrypt) { 7306 chan->sec_level = hcon->sec_level;
7323 chan->sec_level = hcon->sec_level;
7324 l2cap_chan_ready(chan);
7325 }
7326
7327 l2cap_chan_unlock(chan);
7328 continue;
7329 }
7330 7307
7331 if (!__l2cap_no_conn_pending(chan)) { 7308 if (!__l2cap_no_conn_pending(chan)) {
7332 l2cap_chan_unlock(chan); 7309 l2cap_chan_unlock(chan);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1884f72083c2..ed06f88e6f10 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -99,15 +99,6 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL; 100 return -EINVAL;
101 101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 102 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
112 /* We only allow ATT user space socket */ 103 /* We only allow ATT user space socket */
113 if (la.l2_cid && 104 if (la.l2_cid &&
@@ -790,6 +781,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
790 if (chan->scid == L2CAP_CID_ATT) { 781 if (chan->scid == L2CAP_CID_ATT) {
791 if (smp_conn_security(conn->hcon, sec.level)) 782 if (smp_conn_security(conn->hcon, sec.level))
792 break; 783 break;
784 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
793 sk->sk_state = BT_CONFIG; 785 sk->sk_state = BT_CONFIG;
794 chan->state = BT_CONFIG; 786 chan->state = BT_CONFIG;
795 787
@@ -1359,6 +1351,11 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1359{ 1351{
1360 struct sock *sk = chan->data; 1352 struct sock *sk = chan->data;
1361 1353
1354 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1355 sk->sk_state = BT_CONNECTED;
1356 chan->state = BT_CONNECTED;
1357 }
1358
1362 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1359 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1363 sk->sk_state_change(sk); 1360 sk->sk_state_change(sk);
1364} 1361}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index b8554d429d88..c2457435a670 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -129,9 +129,6 @@ static const u16 mgmt_events[] = {
129 129
130#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000) 130#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000)
131 131
132#define hdev_is_powered(hdev) (test_bit(HCI_UP, &hdev->flags) && \
133 !test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
134
135struct pending_cmd { 132struct pending_cmd {
136 struct list_head list; 133 struct list_head list;
137 u16 opcode; 134 u16 opcode;
@@ -1536,9 +1533,11 @@ static void set_discoverable_complete(struct hci_dev *hdev, u8 status)
1536 1533
1537 /* When the discoverable mode gets changed, make sure 1534 /* When the discoverable mode gets changed, make sure
1538 * that class of device has the limited discoverable 1535 * that class of device has the limited discoverable
1539 * bit correctly set. 1536 * bit correctly set. Also update page scan based on whitelist
1537 * entries.
1540 */ 1538 */
1541 hci_req_init(&req, hdev); 1539 hci_req_init(&req, hdev);
1540 hci_update_page_scan(hdev, &req);
1542 update_class(&req); 1541 update_class(&req);
1543 hci_req_run(&req, NULL); 1542 hci_req_run(&req, NULL);
1544 1543
@@ -1785,6 +1784,7 @@ static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1785 1784
1786 if (conn_changed || discov_changed) { 1785 if (conn_changed || discov_changed) {
1787 new_settings(hdev, cmd->sk); 1786 new_settings(hdev, cmd->sk);
1787 hci_update_page_scan(hdev, NULL);
1788 if (discov_changed) 1788 if (discov_changed)
1789 mgmt_update_adv_data(hdev); 1789 mgmt_update_adv_data(hdev);
1790 hci_update_background_scan(hdev); 1790 hci_update_background_scan(hdev);
@@ -1818,6 +1818,7 @@ static int set_connectable_update_settings(struct hci_dev *hdev,
1818 return err; 1818 return err;
1819 1819
1820 if (changed) { 1820 if (changed) {
1821 hci_update_page_scan(hdev, NULL);
1821 hci_update_background_scan(hdev); 1822 hci_update_background_scan(hdev);
1822 return new_settings(hdev, sk); 1823 return new_settings(hdev, sk);
1823 } 1824 }
@@ -4381,27 +4382,6 @@ unlock:
4381 return err; 4382 return err;
4382} 4383}
4383 4384
4384static void set_bredr_scan(struct hci_request *req)
4385{
4386 struct hci_dev *hdev = req->hdev;
4387 u8 scan = 0;
4388
4389 /* Ensure that fast connectable is disabled. This function will
4390 * not do anything if the page scan parameters are already what
4391 * they should be.
4392 */
4393 write_fast_connectable(req, false);
4394
4395 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) ||
4396 !list_empty(&hdev->whitelist))
4397 scan |= SCAN_PAGE;
4398 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
4399 scan |= SCAN_INQUIRY;
4400
4401 if (scan)
4402 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
4403}
4404
4405static void set_bredr_complete(struct hci_dev *hdev, u8 status) 4385static void set_bredr_complete(struct hci_dev *hdev, u8 status)
4406{ 4386{
4407 struct pending_cmd *cmd; 4387 struct pending_cmd *cmd;
@@ -4507,9 +4487,8 @@ static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4507 4487
4508 hci_req_init(&req, hdev); 4488 hci_req_init(&req, hdev);
4509 4489
4510 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) || 4490 write_fast_connectable(&req, false);
4511 !list_empty(&hdev->whitelist)) 4491 hci_update_page_scan(hdev, &req);
4512 set_bredr_scan(&req);
4513 4492
4514 /* Since only the advertising data flags will change, there 4493 /* Since only the advertising data flags will change, there
4515 * is no need to update the scan response data. 4494 * is no need to update the scan response data.
@@ -5235,27 +5214,6 @@ unlock:
5235 return err; 5214 return err;
5236} 5215}
5237 5216
5238/* Helper for Add/Remove Device commands */
5239static void update_page_scan(struct hci_dev *hdev, u8 scan)
5240{
5241 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
5242 return;
5243
5244 if (!hdev_is_powered(hdev))
5245 return;
5246
5247 /* If HCI_CONNECTABLE is set then Add/Remove Device should not
5248 * make any changes to page scanning.
5249 */
5250 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
5251 return;
5252
5253 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
5254 scan |= SCAN_INQUIRY;
5255
5256 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5257}
5258
5259static void device_added(struct sock *sk, struct hci_dev *hdev, 5217static void device_added(struct sock *sk, struct hci_dev *hdev,
5260 bdaddr_t *bdaddr, u8 type, u8 action) 5218 bdaddr_t *bdaddr, u8 type, u8 action)
5261{ 5219{
@@ -5291,8 +5249,6 @@ static int add_device(struct sock *sk, struct hci_dev *hdev,
5291 hci_dev_lock(hdev); 5249 hci_dev_lock(hdev);
5292 5250
5293 if (cp->addr.type == BDADDR_BREDR) { 5251 if (cp->addr.type == BDADDR_BREDR) {
5294 bool update_scan;
5295
5296 /* Only incoming connections action is supported for now */ 5252 /* Only incoming connections action is supported for now */
5297 if (cp->action != 0x01) { 5253 if (cp->action != 0x01) {
5298 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE, 5254 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
@@ -5301,15 +5257,12 @@ static int add_device(struct sock *sk, struct hci_dev *hdev,
5301 goto unlock; 5257 goto unlock;
5302 } 5258 }
5303 5259
5304 update_scan = list_empty(&hdev->whitelist);
5305
5306 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr, 5260 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5307 cp->addr.type); 5261 cp->addr.type);
5308 if (err) 5262 if (err)
5309 goto unlock; 5263 goto unlock;
5310 5264
5311 if (update_scan) 5265 hci_update_page_scan(hdev, NULL);
5312 update_page_scan(hdev, SCAN_PAGE);
5313 5266
5314 goto added; 5267 goto added;
5315 } 5268 }
@@ -5392,8 +5345,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
5392 goto unlock; 5345 goto unlock;
5393 } 5346 }
5394 5347
5395 if (list_empty(&hdev->whitelist)) 5348 hci_update_page_scan(hdev, NULL);
5396 update_page_scan(hdev, SCAN_DISABLED);
5397 5349
5398 device_removed(sk, hdev, &cp->addr.bdaddr, 5350 device_removed(sk, hdev, &cp->addr.bdaddr,
5399 cp->addr.type); 5351 cp->addr.type);
@@ -5444,7 +5396,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
5444 kfree(b); 5396 kfree(b);
5445 } 5397 }
5446 5398
5447 update_page_scan(hdev, SCAN_DISABLED); 5399 hci_update_page_scan(hdev, NULL);
5448 5400
5449 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) { 5401 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5450 if (p->auto_connect == HCI_AUTO_CONN_DISABLED) 5402 if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
@@ -5969,8 +5921,8 @@ static int powered_update_hci(struct hci_dev *hdev)
5969 sizeof(link_sec), &link_sec); 5921 sizeof(link_sec), &link_sec);
5970 5922
5971 if (lmp_bredr_capable(hdev)) { 5923 if (lmp_bredr_capable(hdev)) {
5972 if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) 5924 write_fast_connectable(&req, false);
5973 set_bredr_scan(&req); 5925 hci_update_page_scan(hdev, &req);
5974 update_class(&req); 5926 update_class(&req);
5975 update_name(&req); 5927 update_name(&req);
5976 update_eir(&req); 5928 update_eir(&req);
@@ -6281,25 +6233,35 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
6281 mgmt_pending_remove(cmd); 6233 mgmt_pending_remove(cmd);
6282} 6234}
6283 6235
6236bool mgmt_powering_down(struct hci_dev *hdev)
6237{
6238 struct pending_cmd *cmd;
6239 struct mgmt_mode *cp;
6240
6241 cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6242 if (!cmd)
6243 return false;
6244
6245 cp = cmd->param;
6246 if (!cp->val)
6247 return true;
6248
6249 return false;
6250}
6251
6284void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, 6252void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
6285 u8 link_type, u8 addr_type, u8 reason, 6253 u8 link_type, u8 addr_type, u8 reason,
6286 bool mgmt_connected) 6254 bool mgmt_connected)
6287{ 6255{
6288 struct mgmt_ev_device_disconnected ev; 6256 struct mgmt_ev_device_disconnected ev;
6289 struct pending_cmd *power_off;
6290 struct sock *sk = NULL; 6257 struct sock *sk = NULL;
6291 6258
6292 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev); 6259 /* The connection is still in hci_conn_hash so test for 1
6293 if (power_off) { 6260 * instead of 0 to know if this is the last one.
6294 struct mgmt_mode *cp = power_off->param; 6261 */
6295 6262 if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6296 /* The connection is still in hci_conn_hash so test for 1 6263 cancel_delayed_work(&hdev->power_off);
6297 * instead of 0 to know if this is the last one. 6264 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6298 */
6299 if (!cp->val && hci_conn_count(hdev) == 1) {
6300 cancel_delayed_work(&hdev->power_off);
6301 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6302 }
6303 } 6265 }
6304 6266
6305 if (!mgmt_connected) 6267 if (!mgmt_connected)
@@ -6359,19 +6321,13 @@ void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6359 u8 addr_type, u8 status) 6321 u8 addr_type, u8 status)
6360{ 6322{
6361 struct mgmt_ev_connect_failed ev; 6323 struct mgmt_ev_connect_failed ev;
6362 struct pending_cmd *power_off;
6363
6364 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6365 if (power_off) {
6366 struct mgmt_mode *cp = power_off->param;
6367 6324
6368 /* The connection is still in hci_conn_hash so test for 1 6325 /* The connection is still in hci_conn_hash so test for 1
6369 * instead of 0 to know if this is the last one. 6326 * instead of 0 to know if this is the last one.
6370 */ 6327 */
6371 if (!cp->val && hci_conn_count(hdev) == 1) { 6328 if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6372 cancel_delayed_work(&hdev->power_off); 6329 cancel_delayed_work(&hdev->power_off);
6373 queue_work(hdev->req_workqueue, &hdev->power_off.work); 6330 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6374 }
6375 } 6331 }
6376 6332
6377 bacpy(&ev.addr.bdaddr, bdaddr); 6333 bacpy(&ev.addr.bdaddr, bdaddr);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index fd3294300803..07ca4ce0943b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -44,7 +44,10 @@ enum {
44}; 44};
45 45
46struct smp_chan { 46struct smp_chan {
47 struct l2cap_conn *conn; 47 struct l2cap_conn *conn;
48 struct delayed_work security_timer;
49 struct work_struct distribute_work;
50
48 u8 preq[7]; /* SMP Pairing Request */ 51 u8 preq[7]; /* SMP Pairing Request */
49 u8 prsp[7]; /* SMP Pairing Response */ 52 u8 prsp[7]; /* SMP Pairing Response */
50 u8 prnd[16]; /* SMP Pairing Random (local) */ 53 u8 prnd[16]; /* SMP Pairing Random (local) */
@@ -139,12 +142,18 @@ static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
139 return 0; 142 return 0;
140} 143}
141 144
142bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16], 145bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
143 bdaddr_t *bdaddr)
144{ 146{
147 struct l2cap_chan *chan = hdev->smp_data;
148 struct crypto_blkcipher *tfm;
145 u8 hash[3]; 149 u8 hash[3];
146 int err; 150 int err;
147 151
152 if (!chan || !chan->data)
153 return false;
154
155 tfm = chan->data;
156
148 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 157 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
149 158
150 err = smp_ah(tfm, irk, &bdaddr->b[3], hash); 159 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
@@ -154,10 +163,17 @@ bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
154 return !memcmp(bdaddr->b, hash, 3); 163 return !memcmp(bdaddr->b, hash, 3);
155} 164}
156 165
157int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa) 166int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
158{ 167{
168 struct l2cap_chan *chan = hdev->smp_data;
169 struct crypto_blkcipher *tfm;
159 int err; 170 int err;
160 171
172 if (!chan || !chan->data)
173 return -EOPNOTSUPP;
174
175 tfm = chan->data;
176
161 get_random_bytes(&rpa->b[3], 3); 177 get_random_bytes(&rpa->b[3], 3);
162 178
163 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 179 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
@@ -235,47 +251,39 @@ static int smp_s1(struct smp_chan *smp, u8 k[16], u8 r1[16], u8 r2[16],
235 return err; 251 return err;
236} 252}
237 253
238static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code, 254static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
239 u16 dlen, void *data)
240{ 255{
241 struct sk_buff *skb; 256 struct l2cap_chan *chan = conn->smp;
242 struct l2cap_hdr *lh; 257 struct smp_chan *smp;
243 int len; 258 struct kvec iv[2];
244 259 struct msghdr msg;
245 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
246
247 if (len > conn->mtu)
248 return NULL;
249 260
250 skb = bt_skb_alloc(len, GFP_ATOMIC); 261 if (!chan)
251 if (!skb) 262 return;
252 return NULL;
253 263
254 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 264 BT_DBG("code 0x%2.2x", code);
255 lh->len = cpu_to_le16(sizeof(code) + dlen);
256 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
257 265
258 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code)); 266 iv[0].iov_base = &code;
267 iv[0].iov_len = 1;
259 268
260 memcpy(skb_put(skb, dlen), data, dlen); 269 iv[1].iov_base = data;
270 iv[1].iov_len = len;
261 271
262 return skb; 272 memset(&msg, 0, sizeof(msg));
263}
264 273
265static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 274 msg.msg_iov = (struct iovec *) &iv;
266{ 275 msg.msg_iovlen = 2;
267 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
268 276
269 BT_DBG("code 0x%2.2x", code); 277 l2cap_chan_send(chan, &msg, 1 + len);
270 278
271 if (!skb) 279 if (!chan->data)
272 return; 280 return;
273 281
274 skb->priority = HCI_PRIO_MAX; 282 smp = chan->data;
275 hci_send_acl(conn->hchan, skb, 0);
276 283
277 cancel_delayed_work_sync(&conn->security_timer); 284 cancel_delayed_work_sync(&smp->security_timer);
278 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT); 285 if (test_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
286 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
279} 287}
280 288
281static __u8 authreq_to_seclevel(__u8 authreq) 289static __u8 authreq_to_seclevel(__u8 authreq)
@@ -302,7 +310,8 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
302 struct smp_cmd_pairing *req, 310 struct smp_cmd_pairing *req,
303 struct smp_cmd_pairing *rsp, __u8 authreq) 311 struct smp_cmd_pairing *rsp, __u8 authreq)
304{ 312{
305 struct smp_chan *smp = conn->smp_chan; 313 struct l2cap_chan *chan = conn->smp;
314 struct smp_chan *smp = chan->data;
306 struct hci_conn *hcon = conn->hcon; 315 struct hci_conn *hcon = conn->hcon;
307 struct hci_dev *hdev = hcon->hdev; 316 struct hci_dev *hdev = hcon->hdev;
308 u8 local_dist = 0, remote_dist = 0; 317 u8 local_dist = 0, remote_dist = 0;
@@ -345,7 +354,8 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
345 354
346static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 355static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
347{ 356{
348 struct smp_chan *smp = conn->smp_chan; 357 struct l2cap_chan *chan = conn->smp;
358 struct smp_chan *smp = chan->data;
349 359
350 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) || 360 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
351 (max_key_size < SMP_MIN_ENC_KEY_SIZE)) 361 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
@@ -356,9 +366,61 @@ static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
356 return 0; 366 return 0;
357} 367}
358 368
369static void smp_chan_destroy(struct l2cap_conn *conn)
370{
371 struct l2cap_chan *chan = conn->smp;
372 struct smp_chan *smp = chan->data;
373 bool complete;
374
375 BUG_ON(!smp);
376
377 cancel_delayed_work_sync(&smp->security_timer);
378 /* In case the timeout freed the SMP context */
379 if (!chan->data)
380 return;
381
382 if (work_pending(&smp->distribute_work)) {
383 cancel_work_sync(&smp->distribute_work);
384 if (!chan->data)
385 return;
386 }
387
388 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
389 mgmt_smp_complete(conn->hcon, complete);
390
391 kfree(smp->csrk);
392 kfree(smp->slave_csrk);
393
394 crypto_free_blkcipher(smp->tfm_aes);
395
396 /* If pairing failed clean up any keys we might have */
397 if (!complete) {
398 if (smp->ltk) {
399 list_del(&smp->ltk->list);
400 kfree(smp->ltk);
401 }
402
403 if (smp->slave_ltk) {
404 list_del(&smp->slave_ltk->list);
405 kfree(smp->slave_ltk);
406 }
407
408 if (smp->remote_irk) {
409 list_del(&smp->remote_irk->list);
410 kfree(smp->remote_irk);
411 }
412 }
413
414 chan->data = NULL;
415 kfree(smp);
416 hci_conn_drop(conn->hcon);
417}
418
359static void smp_failure(struct l2cap_conn *conn, u8 reason) 419static void smp_failure(struct l2cap_conn *conn, u8 reason)
360{ 420{
361 struct hci_conn *hcon = conn->hcon; 421 struct hci_conn *hcon = conn->hcon;
422 struct l2cap_chan *chan = conn->smp;
423 struct smp_chan *smp;
362 424
363 if (reason) 425 if (reason)
364 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 426 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
@@ -368,7 +430,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason)
368 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type, 430 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
369 HCI_ERROR_AUTH_FAILURE); 431 HCI_ERROR_AUTH_FAILURE);
370 432
371 cancel_delayed_work_sync(&conn->security_timer); 433 if (!chan->data)
434 return;
435
436 smp = chan->data;
372 437
373 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 438 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
374 smp_chan_destroy(conn); 439 smp_chan_destroy(conn);
@@ -405,7 +470,8 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
405 u8 local_io, u8 remote_io) 470 u8 local_io, u8 remote_io)
406{ 471{
407 struct hci_conn *hcon = conn->hcon; 472 struct hci_conn *hcon = conn->hcon;
408 struct smp_chan *smp = conn->smp_chan; 473 struct l2cap_chan *chan = conn->smp;
474 struct smp_chan *smp = chan->data;
409 u8 method; 475 u8 method;
410 u32 passkey = 0; 476 u32 passkey = 0;
411 int ret = 0; 477 int ret = 0;
@@ -574,8 +640,201 @@ static u8 smp_random(struct smp_chan *smp)
574 return 0; 640 return 0;
575} 641}
576 642
643static void smp_notify_keys(struct l2cap_conn *conn)
644{
645 struct l2cap_chan *chan = conn->smp;
646 struct smp_chan *smp = chan->data;
647 struct hci_conn *hcon = conn->hcon;
648 struct hci_dev *hdev = hcon->hdev;
649 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
650 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
651 bool persistent;
652
653 if (smp->remote_irk) {
654 mgmt_new_irk(hdev, smp->remote_irk);
655 /* Now that user space can be considered to know the
656 * identity address track the connection based on it
657 * from now on.
658 */
659 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
660 hcon->dst_type = smp->remote_irk->addr_type;
661 l2cap_conn_update_id_addr(hcon);
662
663 /* When receiving an indentity resolving key for
664 * a remote device that does not use a resolvable
665 * private address, just remove the key so that
666 * it is possible to use the controller white
667 * list for scanning.
668 *
669 * Userspace will have been told to not store
670 * this key at this point. So it is safe to
671 * just remove it.
672 */
673 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
674 list_del(&smp->remote_irk->list);
675 kfree(smp->remote_irk);
676 smp->remote_irk = NULL;
677 }
678 }
679
680 /* The LTKs and CSRKs should be persistent only if both sides
681 * had the bonding bit set in their authentication requests.
682 */
683 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
684
685 if (smp->csrk) {
686 smp->csrk->bdaddr_type = hcon->dst_type;
687 bacpy(&smp->csrk->bdaddr, &hcon->dst);
688 mgmt_new_csrk(hdev, smp->csrk, persistent);
689 }
690
691 if (smp->slave_csrk) {
692 smp->slave_csrk->bdaddr_type = hcon->dst_type;
693 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
694 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
695 }
696
697 if (smp->ltk) {
698 smp->ltk->bdaddr_type = hcon->dst_type;
699 bacpy(&smp->ltk->bdaddr, &hcon->dst);
700 mgmt_new_ltk(hdev, smp->ltk, persistent);
701 }
702
703 if (smp->slave_ltk) {
704 smp->slave_ltk->bdaddr_type = hcon->dst_type;
705 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
706 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
707 }
708}
709
710static void smp_distribute_keys(struct work_struct *work)
711{
712 struct smp_chan *smp = container_of(work, struct smp_chan,
713 distribute_work);
714 struct smp_cmd_pairing *req, *rsp;
715 struct l2cap_conn *conn = smp->conn;
716 struct hci_conn *hcon = conn->hcon;
717 struct hci_dev *hdev = hcon->hdev;
718 __u8 *keydist;
719
720 BT_DBG("conn %p", conn);
721
722 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
723 return;
724
725 rsp = (void *) &smp->prsp[1];
726
727 /* The responder sends its keys first */
728 if (hcon->out && (smp->remote_key_dist & 0x07))
729 return;
730
731 req = (void *) &smp->preq[1];
732
733 if (hcon->out) {
734 keydist = &rsp->init_key_dist;
735 *keydist &= req->init_key_dist;
736 } else {
737 keydist = &rsp->resp_key_dist;
738 *keydist &= req->resp_key_dist;
739 }
740
741 BT_DBG("keydist 0x%x", *keydist);
742
743 if (*keydist & SMP_DIST_ENC_KEY) {
744 struct smp_cmd_encrypt_info enc;
745 struct smp_cmd_master_ident ident;
746 struct smp_ltk *ltk;
747 u8 authenticated;
748 __le16 ediv;
749 __le64 rand;
750
751 get_random_bytes(enc.ltk, sizeof(enc.ltk));
752 get_random_bytes(&ediv, sizeof(ediv));
753 get_random_bytes(&rand, sizeof(rand));
754
755 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
756
757 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
758 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
759 SMP_LTK_SLAVE, authenticated, enc.ltk,
760 smp->enc_key_size, ediv, rand);
761 smp->slave_ltk = ltk;
762
763 ident.ediv = ediv;
764 ident.rand = rand;
765
766 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
767
768 *keydist &= ~SMP_DIST_ENC_KEY;
769 }
770
771 if (*keydist & SMP_DIST_ID_KEY) {
772 struct smp_cmd_ident_addr_info addrinfo;
773 struct smp_cmd_ident_info idinfo;
774
775 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
776
777 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
778
779 /* The hci_conn contains the local identity address
780 * after the connection has been established.
781 *
782 * This is true even when the connection has been
783 * established using a resolvable random address.
784 */
785 bacpy(&addrinfo.bdaddr, &hcon->src);
786 addrinfo.addr_type = hcon->src_type;
787
788 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
789 &addrinfo);
790
791 *keydist &= ~SMP_DIST_ID_KEY;
792 }
793
794 if (*keydist & SMP_DIST_SIGN) {
795 struct smp_cmd_sign_info sign;
796 struct smp_csrk *csrk;
797
798 /* Generate a new random key */
799 get_random_bytes(sign.csrk, sizeof(sign.csrk));
800
801 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
802 if (csrk) {
803 csrk->master = 0x00;
804 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
805 }
806 smp->slave_csrk = csrk;
807
808 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
809
810 *keydist &= ~SMP_DIST_SIGN;
811 }
812
813 /* If there are still keys to be received wait for them */
814 if ((smp->remote_key_dist & 0x07))
815 return;
816
817 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
818 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
819 smp_notify_keys(conn);
820
821 smp_chan_destroy(conn);
822}
823
824static void smp_timeout(struct work_struct *work)
825{
826 struct smp_chan *smp = container_of(work, struct smp_chan,
827 security_timer.work);
828 struct l2cap_conn *conn = smp->conn;
829
830 BT_DBG("conn %p", conn);
831
832 l2cap_conn_shutdown(conn, ETIMEDOUT);
833}
834
577static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 835static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
578{ 836{
837 struct l2cap_chan *chan = conn->smp;
579 struct smp_chan *smp; 838 struct smp_chan *smp;
580 839
581 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 840 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
@@ -593,54 +852,20 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
593 } 852 }
594 853
595 smp->conn = conn; 854 smp->conn = conn;
596 conn->smp_chan = smp; 855 chan->data = smp;
856
857 INIT_WORK(&smp->distribute_work, smp_distribute_keys);
858 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
597 859
598 hci_conn_hold(conn->hcon); 860 hci_conn_hold(conn->hcon);
599 861
600 return smp; 862 return smp;
601} 863}
602 864
603void smp_chan_destroy(struct l2cap_conn *conn)
604{
605 struct smp_chan *smp = conn->smp_chan;
606 bool complete;
607
608 BUG_ON(!smp);
609
610 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
611 mgmt_smp_complete(conn->hcon, complete);
612
613 kfree(smp->csrk);
614 kfree(smp->slave_csrk);
615
616 crypto_free_blkcipher(smp->tfm_aes);
617
618 /* If pairing failed clean up any keys we might have */
619 if (!complete) {
620 if (smp->ltk) {
621 list_del(&smp->ltk->list);
622 kfree(smp->ltk);
623 }
624
625 if (smp->slave_ltk) {
626 list_del(&smp->slave_ltk->list);
627 kfree(smp->slave_ltk);
628 }
629
630 if (smp->remote_irk) {
631 list_del(&smp->remote_irk->list);
632 kfree(smp->remote_irk);
633 }
634 }
635
636 kfree(smp);
637 conn->smp_chan = NULL;
638 hci_conn_drop(conn->hcon);
639}
640
641int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 865int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
642{ 866{
643 struct l2cap_conn *conn = hcon->l2cap_data; 867 struct l2cap_conn *conn = hcon->l2cap_data;
868 struct l2cap_chan *chan;
644 struct smp_chan *smp; 869 struct smp_chan *smp;
645 u32 value; 870 u32 value;
646 871
@@ -649,7 +874,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
649 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 874 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
650 return -ENOTCONN; 875 return -ENOTCONN;
651 876
652 smp = conn->smp_chan; 877 chan = conn->smp;
878 if (!chan)
879 return -ENOTCONN;
880
881 smp = chan->data;
653 882
654 switch (mgmt_op) { 883 switch (mgmt_op) {
655 case MGMT_OP_USER_PASSKEY_REPLY: 884 case MGMT_OP_USER_PASSKEY_REPLY:
@@ -696,10 +925,12 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
696 if (conn->hcon->role != HCI_ROLE_SLAVE) 925 if (conn->hcon->role != HCI_ROLE_SLAVE)
697 return SMP_CMD_NOTSUPP; 926 return SMP_CMD_NOTSUPP;
698 927
699 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) 928 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
700 smp = smp_chan_create(conn); 929 smp = smp_chan_create(conn);
701 else 930 } else {
702 smp = conn->smp_chan; 931 struct l2cap_chan *chan = conn->smp;
932 smp = chan->data;
933 }
703 934
704 if (!smp) 935 if (!smp)
705 return SMP_UNSPECIFIED; 936 return SMP_UNSPECIFIED;
@@ -753,7 +984,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
753static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 984static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
754{ 985{
755 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 986 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
756 struct smp_chan *smp = conn->smp_chan; 987 struct l2cap_chan *chan = conn->smp;
988 struct smp_chan *smp = chan->data;
757 u8 key_size, auth = SMP_AUTH_NONE; 989 u8 key_size, auth = SMP_AUTH_NONE;
758 int ret; 990 int ret;
759 991
@@ -814,7 +1046,8 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
814 1046
815static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 1047static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
816{ 1048{
817 struct smp_chan *smp = conn->smp_chan; 1049 struct l2cap_chan *chan = conn->smp;
1050 struct smp_chan *smp = chan->data;
818 1051
819 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 1052 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
820 1053
@@ -837,7 +1070,8 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
837 1070
838static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 1071static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
839{ 1072{
840 struct smp_chan *smp = conn->smp_chan; 1073 struct l2cap_chan *chan = conn->smp;
1074 struct smp_chan *smp = chan->data;
841 1075
842 BT_DBG("conn %p", conn); 1076 BT_DBG("conn %p", conn);
843 1077
@@ -1010,7 +1244,8 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1010static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 1244static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1011{ 1245{
1012 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 1246 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1013 struct smp_chan *smp = conn->smp_chan; 1247 struct l2cap_chan *chan = conn->smp;
1248 struct smp_chan *smp = chan->data;
1014 1249
1015 BT_DBG("conn %p", conn); 1250 BT_DBG("conn %p", conn);
1016 1251
@@ -1031,7 +1266,8 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1031static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 1266static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1032{ 1267{
1033 struct smp_cmd_master_ident *rp = (void *) skb->data; 1268 struct smp_cmd_master_ident *rp = (void *) skb->data;
1034 struct smp_chan *smp = conn->smp_chan; 1269 struct l2cap_chan *chan = conn->smp;
1270 struct smp_chan *smp = chan->data;
1035 struct hci_dev *hdev = conn->hcon->hdev; 1271 struct hci_dev *hdev = conn->hcon->hdev;
1036 struct hci_conn *hcon = conn->hcon; 1272 struct hci_conn *hcon = conn->hcon;
1037 struct smp_ltk *ltk; 1273 struct smp_ltk *ltk;
@@ -1058,7 +1294,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1058 rp->ediv, rp->rand); 1294 rp->ediv, rp->rand);
1059 smp->ltk = ltk; 1295 smp->ltk = ltk;
1060 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1296 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1061 smp_distribute_keys(conn); 1297 queue_work(hdev->workqueue, &smp->distribute_work);
1062 hci_dev_unlock(hdev); 1298 hci_dev_unlock(hdev);
1063 1299
1064 return 0; 1300 return 0;
@@ -1067,7 +1303,8 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1067static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 1303static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1068{ 1304{
1069 struct smp_cmd_ident_info *info = (void *) skb->data; 1305 struct smp_cmd_ident_info *info = (void *) skb->data;
1070 struct smp_chan *smp = conn->smp_chan; 1306 struct l2cap_chan *chan = conn->smp;
1307 struct smp_chan *smp = chan->data;
1071 1308
1072 BT_DBG(""); 1309 BT_DBG("");
1073 1310
@@ -1089,8 +1326,10 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1089 struct sk_buff *skb) 1326 struct sk_buff *skb)
1090{ 1327{
1091 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 1328 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1092 struct smp_chan *smp = conn->smp_chan; 1329 struct l2cap_chan *chan = conn->smp;
1330 struct smp_chan *smp = chan->data;
1093 struct hci_conn *hcon = conn->hcon; 1331 struct hci_conn *hcon = conn->hcon;
1332 struct hci_dev *hdev = hcon->hdev;
1094 bdaddr_t rpa; 1333 bdaddr_t rpa;
1095 1334
1096 BT_DBG(""); 1335 BT_DBG("");
@@ -1133,7 +1372,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1133 smp->id_addr_type, smp->irk, &rpa); 1372 smp->id_addr_type, smp->irk, &rpa);
1134 1373
1135distribute: 1374distribute:
1136 smp_distribute_keys(conn); 1375 queue_work(hdev->workqueue, &smp->distribute_work);
1137 1376
1138 hci_dev_unlock(hcon->hdev); 1377 hci_dev_unlock(hcon->hdev);
1139 1378
@@ -1143,7 +1382,8 @@ distribute:
1143static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 1382static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1144{ 1383{
1145 struct smp_cmd_sign_info *rp = (void *) skb->data; 1384 struct smp_cmd_sign_info *rp = (void *) skb->data;
1146 struct smp_chan *smp = conn->smp_chan; 1385 struct l2cap_chan *chan = conn->smp;
1386 struct smp_chan *smp = chan->data;
1147 struct hci_dev *hdev = conn->hcon->hdev; 1387 struct hci_dev *hdev = conn->hcon->hdev;
1148 struct smp_csrk *csrk; 1388 struct smp_csrk *csrk;
1149 1389
@@ -1168,15 +1408,15 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1168 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 1408 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1169 } 1409 }
1170 smp->csrk = csrk; 1410 smp->csrk = csrk;
1171 if (!(smp->remote_key_dist & SMP_DIST_SIGN)) 1411 queue_work(hdev->workqueue, &smp->distribute_work);
1172 smp_distribute_keys(conn);
1173 hci_dev_unlock(hdev); 1412 hci_dev_unlock(hdev);
1174 1413
1175 return 0; 1414 return 0;
1176} 1415}
1177 1416
1178int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) 1417static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1179{ 1418{
1419 struct l2cap_conn *conn = chan->conn;
1180 struct hci_conn *hcon = conn->hcon; 1420 struct hci_conn *hcon = conn->hcon;
1181 __u8 code, reason; 1421 __u8 code, reason;
1182 int err = 0; 1422 int err = 0;
@@ -1186,10 +1426,8 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1186 return 0; 1426 return 0;
1187 } 1427 }
1188 1428
1189 if (skb->len < 1) { 1429 if (skb->len < 1)
1190 kfree_skb(skb);
1191 return -EILSEQ; 1430 return -EILSEQ;
1192 }
1193 1431
1194 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) { 1432 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1195 err = -EOPNOTSUPP; 1433 err = -EOPNOTSUPP;
@@ -1207,10 +1445,11 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1207 * returns an error). 1445 * returns an error).
1208 */ 1446 */
1209 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ && 1447 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1210 !conn->smp_chan) { 1448 !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1211 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code); 1449 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1212 kfree_skb(skb); 1450 reason = SMP_CMD_NOTSUPP;
1213 return -EOPNOTSUPP; 1451 err = -EOPNOTSUPP;
1452 goto done;
1214 } 1453 }
1215 1454
1216 switch (code) { 1455 switch (code) {
@@ -1271,188 +1510,201 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1271done: 1510done:
1272 if (reason) 1511 if (reason)
1273 smp_failure(conn, reason); 1512 smp_failure(conn, reason);
1274 1513 if (!err)
1275 kfree_skb(skb); 1514 kfree_skb(skb);
1276 return err; 1515 return err;
1277} 1516}
1278 1517
1279static void smp_notify_keys(struct l2cap_conn *conn) 1518static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1280{ 1519{
1281 struct smp_chan *smp = conn->smp_chan; 1520 struct l2cap_conn *conn = chan->conn;
1521
1522 BT_DBG("chan %p", chan);
1523
1524 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
1525 smp_chan_destroy(conn);
1526
1527 conn->smp = NULL;
1528 l2cap_chan_put(chan);
1529}
1530
1531static void smp_resume_cb(struct l2cap_chan *chan)
1532{
1533 struct smp_chan *smp = chan->data;
1534 struct l2cap_conn *conn = chan->conn;
1282 struct hci_conn *hcon = conn->hcon; 1535 struct hci_conn *hcon = conn->hcon;
1283 struct hci_dev *hdev = hcon->hdev; 1536 struct hci_dev *hdev = hcon->hdev;
1284 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1285 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1286 bool persistent;
1287 1537
1288 if (smp->remote_irk) { 1538 BT_DBG("chan %p", chan);
1289 mgmt_new_irk(hdev, smp->remote_irk);
1290 /* Now that user space can be considered to know the
1291 * identity address track the connection based on it
1292 * from now on.
1293 */
1294 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1295 hcon->dst_type = smp->remote_irk->addr_type;
1296 l2cap_conn_update_id_addr(hcon);
1297 1539
1298 /* When receiving an indentity resolving key for 1540 if (!smp)
1299 * a remote device that does not use a resolvable 1541 return;
1300 * private address, just remove the key so that
1301 * it is possible to use the controller white
1302 * list for scanning.
1303 *
1304 * Userspace will have been told to not store
1305 * this key at this point. So it is safe to
1306 * just remove it.
1307 */
1308 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1309 list_del(&smp->remote_irk->list);
1310 kfree(smp->remote_irk);
1311 smp->remote_irk = NULL;
1312 }
1313 }
1314 1542
1315 /* The LTKs and CSRKs should be persistent only if both sides 1543 cancel_delayed_work(&smp->security_timer);
1316 * had the bonding bit set in their authentication requests.
1317 */
1318 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1319 1544
1320 if (smp->csrk) { 1545 if (test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
1321 smp->csrk->bdaddr_type = hcon->dst_type; 1546 queue_work(hdev->workqueue, &smp->distribute_work);
1322 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1547}
1323 mgmt_new_csrk(hdev, smp->csrk, persistent);
1324 }
1325 1548
1326 if (smp->slave_csrk) { 1549static void smp_ready_cb(struct l2cap_chan *chan)
1327 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1550{
1328 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1551 struct l2cap_conn *conn = chan->conn;
1329 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1330 }
1331 1552
1332 if (smp->ltk) { 1553 BT_DBG("chan %p", chan);
1333 smp->ltk->bdaddr_type = hcon->dst_type;
1334 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1335 mgmt_new_ltk(hdev, smp->ltk, persistent);
1336 }
1337 1554
1338 if (smp->slave_ltk) { 1555 conn->smp = chan;
1339 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1556 l2cap_chan_hold(chan);
1340 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1341 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1342 }
1343} 1557}
1344 1558
1345int smp_distribute_keys(struct l2cap_conn *conn) 1559static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1346{ 1560{
1347 struct smp_cmd_pairing *req, *rsp; 1561 int err;
1348 struct smp_chan *smp = conn->smp_chan;
1349 struct hci_conn *hcon = conn->hcon;
1350 struct hci_dev *hdev = hcon->hdev;
1351 __u8 *keydist;
1352 1562
1353 BT_DBG("conn %p", conn); 1563 BT_DBG("chan %p", chan);
1354 1564
1355 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 1565 err = smp_sig_channel(chan, skb);
1356 return 0; 1566 if (err) {
1567 struct smp_chan *smp = chan->data;
1357 1568
1358 rsp = (void *) &smp->prsp[1]; 1569 if (smp)
1570 cancel_delayed_work_sync(&smp->security_timer);
1359 1571
1360 /* The responder sends its keys first */ 1572 l2cap_conn_shutdown(chan->conn, -err);
1361 if (hcon->out && (smp->remote_key_dist & 0x07)) 1573 }
1362 return 0;
1363 1574
1364 req = (void *) &smp->preq[1]; 1575 return err;
1576}
1365 1577
1366 if (hcon->out) { 1578static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
1367 keydist = &rsp->init_key_dist; 1579 unsigned long hdr_len,
1368 *keydist &= req->init_key_dist; 1580 unsigned long len, int nb)
1369 } else { 1581{
1370 keydist = &rsp->resp_key_dist; 1582 struct sk_buff *skb;
1371 *keydist &= req->resp_key_dist;
1372 }
1373 1583
1374 BT_DBG("keydist 0x%x", *keydist); 1584 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
1585 if (!skb)
1586 return ERR_PTR(-ENOMEM);
1375 1587
1376 if (*keydist & SMP_DIST_ENC_KEY) { 1588 skb->priority = HCI_PRIO_MAX;
1377 struct smp_cmd_encrypt_info enc; 1589 bt_cb(skb)->chan = chan;
1378 struct smp_cmd_master_ident ident;
1379 struct smp_ltk *ltk;
1380 u8 authenticated;
1381 __le16 ediv;
1382 __le64 rand;
1383 1590
1384 get_random_bytes(enc.ltk, sizeof(enc.ltk)); 1591 return skb;
1385 get_random_bytes(&ediv, sizeof(ediv)); 1592}
1386 get_random_bytes(&rand, sizeof(rand));
1387 1593
1388 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1594static const struct l2cap_ops smp_chan_ops = {
1595 .name = "Security Manager",
1596 .ready = smp_ready_cb,
1597 .recv = smp_recv_cb,
1598 .alloc_skb = smp_alloc_skb_cb,
1599 .teardown = smp_teardown_cb,
1600 .resume = smp_resume_cb,
1601
1602 .new_connection = l2cap_chan_no_new_connection,
1603 .state_change = l2cap_chan_no_state_change,
1604 .close = l2cap_chan_no_close,
1605 .defer = l2cap_chan_no_defer,
1606 .suspend = l2cap_chan_no_suspend,
1607 .set_shutdown = l2cap_chan_no_set_shutdown,
1608 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1609 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1610};
1389 1611
1390 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1612static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
1391 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1613{
1392 SMP_LTK_SLAVE, authenticated, enc.ltk, 1614 struct l2cap_chan *chan;
1393 smp->enc_key_size, ediv, rand);
1394 smp->slave_ltk = ltk;
1395 1615
1396 ident.ediv = ediv; 1616 BT_DBG("pchan %p", pchan);
1397 ident.rand = rand;
1398 1617
1399 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1618 chan = l2cap_chan_create();
1619 if (!chan)
1620 return NULL;
1400 1621
1401 *keydist &= ~SMP_DIST_ENC_KEY; 1622 chan->chan_type = pchan->chan_type;
1402 } 1623 chan->ops = &smp_chan_ops;
1624 chan->scid = pchan->scid;
1625 chan->dcid = chan->scid;
1626 chan->imtu = pchan->imtu;
1627 chan->omtu = pchan->omtu;
1628 chan->mode = pchan->mode;
1403 1629
1404 if (*keydist & SMP_DIST_ID_KEY) { 1630 BT_DBG("created chan %p", chan);
1405 struct smp_cmd_ident_addr_info addrinfo;
1406 struct smp_cmd_ident_info idinfo;
1407 1631
1408 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1632 return chan;
1633}
1409 1634
1410 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1635static const struct l2cap_ops smp_root_chan_ops = {
1636 .name = "Security Manager Root",
1637 .new_connection = smp_new_conn_cb,
1638
1639 /* None of these are implemented for the root channel */
1640 .close = l2cap_chan_no_close,
1641 .alloc_skb = l2cap_chan_no_alloc_skb,
1642 .recv = l2cap_chan_no_recv,
1643 .state_change = l2cap_chan_no_state_change,
1644 .teardown = l2cap_chan_no_teardown,
1645 .ready = l2cap_chan_no_ready,
1646 .defer = l2cap_chan_no_defer,
1647 .suspend = l2cap_chan_no_suspend,
1648 .resume = l2cap_chan_no_resume,
1649 .set_shutdown = l2cap_chan_no_set_shutdown,
1650 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1651 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1652};
1411 1653
1412 /* The hci_conn contains the local identity address 1654int smp_register(struct hci_dev *hdev)
1413 * after the connection has been established. 1655{
1414 * 1656 struct l2cap_chan *chan;
1415 * This is true even when the connection has been 1657 struct crypto_blkcipher *tfm_aes;
1416 * established using a resolvable random address.
1417 */
1418 bacpy(&addrinfo.bdaddr, &hcon->src);
1419 addrinfo.addr_type = hcon->src_type;
1420 1658
1421 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1659 BT_DBG("%s", hdev->name);
1422 &addrinfo);
1423 1660
1424 *keydist &= ~SMP_DIST_ID_KEY; 1661 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1662 if (IS_ERR(tfm_aes)) {
1663 int err = PTR_ERR(tfm_aes);
1664 BT_ERR("Unable to create crypto context");
1665 return err;
1425 } 1666 }
1426 1667
1427 if (*keydist & SMP_DIST_SIGN) { 1668 chan = l2cap_chan_create();
1428 struct smp_cmd_sign_info sign; 1669 if (!chan) {
1429 struct smp_csrk *csrk; 1670 crypto_free_blkcipher(tfm_aes);
1671 return -ENOMEM;
1672 }
1430 1673
1431 /* Generate a new random key */ 1674 chan->data = tfm_aes;
1432 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1433 1675
1434 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1676 l2cap_add_scid(chan, L2CAP_CID_SMP);
1435 if (csrk) {
1436 csrk->master = 0x00;
1437 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1438 }
1439 smp->slave_csrk = csrk;
1440 1677
1441 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1678 l2cap_chan_set_defaults(chan);
1442 1679
1443 *keydist &= ~SMP_DIST_SIGN; 1680 bacpy(&chan->src, &hdev->bdaddr);
1444 } 1681 chan->src_type = BDADDR_LE_PUBLIC;
1682 chan->state = BT_LISTEN;
1683 chan->mode = L2CAP_MODE_BASIC;
1684 chan->imtu = L2CAP_DEFAULT_MTU;
1685 chan->ops = &smp_root_chan_ops;
1445 1686
1446 /* If there are still keys to be received wait for them */ 1687 hdev->smp_data = chan;
1447 if ((smp->remote_key_dist & 0x07))
1448 return 0;
1449 1688
1450 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1689 return 0;
1451 cancel_delayed_work_sync(&conn->security_timer); 1690}
1452 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1453 smp_notify_keys(conn);
1454 1691
1455 smp_chan_destroy(conn); 1692void smp_unregister(struct hci_dev *hdev)
1693{
1694 struct l2cap_chan *chan = hdev->smp_data;
1695 struct crypto_blkcipher *tfm_aes;
1456 1696
1457 return 0; 1697 if (!chan)
1698 return;
1699
1700 BT_DBG("%s chan %p", hdev->name, chan);
1701
1702 tfm_aes = chan->data;
1703 if (tfm_aes) {
1704 chan->data = NULL;
1705 crypto_free_blkcipher(tfm_aes);
1706 }
1707
1708 hdev->smp_data = NULL;
1709 l2cap_chan_put(chan);
1458} 1710}
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 796f4f45f92f..cf1094617c69 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -126,14 +126,12 @@ enum {
126/* SMP Commands */ 126/* SMP Commands */
127bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 127bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
128int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 128int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
129int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
130int smp_distribute_keys(struct l2cap_conn *conn);
131int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 129int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
132 130
133void smp_chan_destroy(struct l2cap_conn *conn); 131bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr);
132int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa);
134 133
135bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16], 134int smp_register(struct hci_dev *hdev);
136 bdaddr_t *bdaddr); 135void smp_unregister(struct hci_dev *hdev);
137int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa);
138 136
139#endif /* __SMP_H */ 137#endif /* __SMP_H */
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-25 16:46:24 -0400