aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/a2mp.c8
-rw-r--r--net/bluetooth/af_bluetooth.c2
-rw-r--r--net/bluetooth/hci_conn.c206
-rw-r--r--net/bluetooth/hci_core.c1193
-rw-r--r--net/bluetooth/hci_event.c478
-rw-r--r--net/bluetooth/hci_sock.c1
-rw-r--r--net/bluetooth/hci_sysfs.c18
-rw-r--r--net/bluetooth/l2cap_core.c616
-rw-r--r--net/bluetooth/l2cap_sock.c62
-rw-r--r--net/bluetooth/mgmt.c913
-rw-r--r--net/bluetooth/rfcomm/core.c92
-rw-r--r--net/bluetooth/rfcomm/sock.c33
-rw-r--r--net/bluetooth/rfcomm/tty.c262
-rw-r--r--net/bluetooth/smp.c418
-rw-r--r--net/bluetooth/smp.h22
15 files changed, 3419 insertions, 905 deletions
diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index efcd108822c4..f986b9968bdb 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -235,7 +235,7 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
235 BT_DBG("chan %p state %s", chan, 235 BT_DBG("chan %p state %s", chan,
236 state_to_string(chan->state)); 236 state_to_string(chan->state));
237 237
238 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) 238 if (chan->scid == L2CAP_CID_A2MP)
239 continue; 239 continue;
240 240
241 l2cap_chan_lock(chan); 241 l2cap_chan_lock(chan);
@@ -726,7 +726,11 @@ static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn, bool locked)
726 726
727 BT_DBG("chan %p", chan); 727 BT_DBG("chan %p", chan);
728 728
729 chan->chan_type = L2CAP_CHAN_CONN_FIX_A2MP; 729 chan->chan_type = L2CAP_CHAN_FIXED;
730 chan->scid = L2CAP_CID_A2MP;
731 chan->dcid = L2CAP_CID_A2MP;
732 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
733 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
730 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 734 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
731 735
732 chan->ops = &a2mp_chan_ops; 736 chan->ops = &a2mp_chan_ops;
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 0c5866bb49b6..2021c481cdb6 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -31,7 +31,7 @@
31#include <net/bluetooth/bluetooth.h> 31#include <net/bluetooth/bluetooth.h>
32#include <linux/proc_fs.h> 32#include <linux/proc_fs.h>
33 33
34#define VERSION "2.18" 34#define VERSION "2.19"
35 35
36/* Bluetooth sockets */ 36/* Bluetooth sockets */
37#define BT_MAX_PROTO 8 37#define BT_MAX_PROTO 8
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ba5366c320da..7c713c4675ba 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -225,13 +225,13 @@ void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
225 cp.conn_interval_max = cpu_to_le16(max); 225 cp.conn_interval_max = cpu_to_le16(max);
226 cp.conn_latency = cpu_to_le16(latency); 226 cp.conn_latency = cpu_to_le16(latency);
227 cp.supervision_timeout = cpu_to_le16(to_multiplier); 227 cp.supervision_timeout = cpu_to_le16(to_multiplier);
228 cp.min_ce_len = __constant_cpu_to_le16(0x0001); 228 cp.min_ce_len = __constant_cpu_to_le16(0x0000);
229 cp.max_ce_len = __constant_cpu_to_le16(0x0001); 229 cp.max_ce_len = __constant_cpu_to_le16(0x0000);
230 230
231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp); 231 hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
232} 232}
233 233
234void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8], 234void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
235 __u8 ltk[16]) 235 __u8 ltk[16])
236{ 236{
237 struct hci_dev *hdev = conn->hdev; 237 struct hci_dev *hdev = conn->hdev;
@@ -242,9 +242,9 @@ void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
242 memset(&cp, 0, sizeof(cp)); 242 memset(&cp, 0, sizeof(cp));
243 243
244 cp.handle = cpu_to_le16(conn->handle); 244 cp.handle = cpu_to_le16(conn->handle);
245 memcpy(cp.ltk, ltk, sizeof(cp.ltk)); 245 cp.rand = rand;
246 cp.ediv = ediv; 246 cp.ediv = ediv;
247 memcpy(cp.rand, rand, sizeof(cp.rand)); 247 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
248 248
249 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp); 249 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
250} 250}
@@ -363,6 +363,16 @@ static void hci_conn_auto_accept(struct work_struct *work)
363 &conn->dst); 363 &conn->dst);
364} 364}
365 365
366static void le_conn_timeout(struct work_struct *work)
367{
368 struct hci_conn *conn = container_of(work, struct hci_conn,
369 le_conn_timeout.work);
370
371 BT_DBG("");
372
373 hci_le_create_connection_cancel(conn);
374}
375
366struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 376struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
367{ 377{
368 struct hci_conn *conn; 378 struct hci_conn *conn;
@@ -410,6 +420,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
410 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout); 420 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
411 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); 421 INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
412 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); 422 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
423 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
413 424
414 atomic_set(&conn->refcnt, 0); 425 atomic_set(&conn->refcnt, 0);
415 426
@@ -442,6 +453,8 @@ int hci_conn_del(struct hci_conn *conn)
442 /* Unacked frames */ 453 /* Unacked frames */
443 hdev->acl_cnt += conn->sent; 454 hdev->acl_cnt += conn->sent;
444 } else if (conn->type == LE_LINK) { 455 } else if (conn->type == LE_LINK) {
456 cancel_delayed_work_sync(&conn->le_conn_timeout);
457
445 if (hdev->le_pkts) 458 if (hdev->le_pkts)
446 hdev->le_cnt += conn->sent; 459 hdev->le_cnt += conn->sent;
447 else 460 else
@@ -514,6 +527,26 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
514} 527}
515EXPORT_SYMBOL(hci_get_route); 528EXPORT_SYMBOL(hci_get_route);
516 529
530/* This function requires the caller holds hdev->lock */
531void hci_le_conn_failed(struct hci_conn *conn, u8 status)
532{
533 struct hci_dev *hdev = conn->hdev;
534
535 conn->state = BT_CLOSED;
536
537 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
538 status);
539
540 hci_proto_connect_cfm(conn, status);
541
542 hci_conn_del(conn);
543
544 /* Since we may have temporarily stopped the background scanning in
545 * favor of connection establishment, we should restart it.
546 */
547 hci_update_background_scan(hdev);
548}
549
517static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 550static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
518{ 551{
519 struct hci_conn *conn; 552 struct hci_conn *conn;
@@ -530,55 +563,55 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
530 if (!conn) 563 if (!conn)
531 goto done; 564 goto done;
532 565
533 conn->state = BT_CLOSED; 566 hci_le_conn_failed(conn, status);
534
535 mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
536 status);
537
538 hci_proto_connect_cfm(conn, status);
539
540 hci_conn_del(conn);
541 567
542done: 568done:
543 hci_dev_unlock(hdev); 569 hci_dev_unlock(hdev);
544} 570}
545 571
546static int hci_create_le_conn(struct hci_conn *conn) 572static void hci_req_add_le_create_conn(struct hci_request *req,
573 struct hci_conn *conn)
547{ 574{
548 struct hci_dev *hdev = conn->hdev;
549 struct hci_cp_le_create_conn cp; 575 struct hci_cp_le_create_conn cp;
550 struct hci_request req; 576 struct hci_dev *hdev = conn->hdev;
551 int err; 577 u8 own_addr_type;
552
553 hci_req_init(&req, hdev);
554 578
555 memset(&cp, 0, sizeof(cp)); 579 memset(&cp, 0, sizeof(cp));
580
581 /* Update random address, but set require_privacy to false so
582 * that we never connect with an unresolvable address.
583 */
584 if (hci_update_random_address(req, false, &own_addr_type))
585 return;
586
587 /* Save the address type used for this connnection attempt so we able
588 * to retrieve this information if we need it.
589 */
590 conn->src_type = own_addr_type;
591
556 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval); 592 cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
557 cp.scan_window = cpu_to_le16(hdev->le_scan_window); 593 cp.scan_window = cpu_to_le16(hdev->le_scan_window);
558 bacpy(&cp.peer_addr, &conn->dst); 594 bacpy(&cp.peer_addr, &conn->dst);
559 cp.peer_addr_type = conn->dst_type; 595 cp.peer_addr_type = conn->dst_type;
560 cp.own_address_type = conn->src_type; 596 cp.own_address_type = own_addr_type;
561 cp.conn_interval_min = cpu_to_le16(hdev->le_conn_min_interval); 597 cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
562 cp.conn_interval_max = cpu_to_le16(hdev->le_conn_max_interval); 598 cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
563 cp.supervision_timeout = __constant_cpu_to_le16(0x002a); 599 cp.supervision_timeout = __constant_cpu_to_le16(0x002a);
564 cp.min_ce_len = __constant_cpu_to_le16(0x0000); 600 cp.min_ce_len = __constant_cpu_to_le16(0x0000);
565 cp.max_ce_len = __constant_cpu_to_le16(0x0000); 601 cp.max_ce_len = __constant_cpu_to_le16(0x0000);
566 602
567 hci_req_add(&req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp); 603 hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
568
569 err = hci_req_run(&req, create_le_conn_complete);
570 if (err) {
571 hci_conn_del(conn);
572 return err;
573 }
574 604
575 return 0; 605 conn->state = BT_CONNECT;
576} 606}
577 607
578static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 608struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
579 u8 dst_type, u8 sec_level, u8 auth_type) 609 u8 dst_type, u8 sec_level, u8 auth_type)
580{ 610{
611 struct hci_conn_params *params;
581 struct hci_conn *conn; 612 struct hci_conn *conn;
613 struct smp_irk *irk;
614 struct hci_request req;
582 int err; 615 int err;
583 616
584 if (test_bit(HCI_ADVERTISING, &hdev->flags)) 617 if (test_bit(HCI_ADVERTISING, &hdev->flags))
@@ -607,35 +640,74 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
607 if (conn) 640 if (conn)
608 return ERR_PTR(-EBUSY); 641 return ERR_PTR(-EBUSY);
609 642
643 /* When given an identity address with existing identity
644 * resolving key, the connection needs to be established
645 * to a resolvable random address.
646 *
647 * This uses the cached random resolvable address from
648 * a previous scan. When no cached address is available,
649 * try connecting to the identity address instead.
650 *
651 * Storing the resolvable random address is required here
652 * to handle connection failures. The address will later
653 * be resolved back into the original identity address
654 * from the connect request.
655 */
656 irk = hci_find_irk_by_addr(hdev, dst, dst_type);
657 if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
658 dst = &irk->rpa;
659 dst_type = ADDR_LE_DEV_RANDOM;
660 }
661
610 conn = hci_conn_add(hdev, LE_LINK, dst); 662 conn = hci_conn_add(hdev, LE_LINK, dst);
611 if (!conn) 663 if (!conn)
612 return ERR_PTR(-ENOMEM); 664 return ERR_PTR(-ENOMEM);
613 665
614 if (dst_type == BDADDR_LE_PUBLIC) 666 conn->dst_type = dst_type;
615 conn->dst_type = ADDR_LE_DEV_PUBLIC;
616 else
617 conn->dst_type = ADDR_LE_DEV_RANDOM;
618
619 conn->src_type = hdev->own_addr_type;
620 667
621 conn->state = BT_CONNECT;
622 conn->out = true; 668 conn->out = true;
623 conn->link_mode |= HCI_LM_MASTER; 669 conn->link_mode |= HCI_LM_MASTER;
624 conn->sec_level = BT_SECURITY_LOW; 670 conn->sec_level = BT_SECURITY_LOW;
625 conn->pending_sec_level = sec_level; 671 conn->pending_sec_level = sec_level;
626 conn->auth_type = auth_type; 672 conn->auth_type = auth_type;
627 673
628 err = hci_create_le_conn(conn); 674 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
629 if (err) 675 if (params) {
676 conn->le_conn_min_interval = params->conn_min_interval;
677 conn->le_conn_max_interval = params->conn_max_interval;
678 } else {
679 conn->le_conn_min_interval = hdev->le_conn_min_interval;
680 conn->le_conn_max_interval = hdev->le_conn_max_interval;
681 }
682
683 hci_req_init(&req, hdev);
684
685 /* If controller is scanning, we stop it since some controllers are
686 * not able to scan and connect at the same time. Also set the
687 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
688 * handler for scan disabling knows to set the correct discovery
689 * state.
690 */
691 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
692 hci_req_add_le_scan_disable(&req);
693 set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
694 }
695
696 hci_req_add_le_create_conn(&req, conn);
697
698 err = hci_req_run(&req, create_le_conn_complete);
699 if (err) {
700 hci_conn_del(conn);
630 return ERR_PTR(err); 701 return ERR_PTR(err);
702 }
631 703
632done: 704done:
633 hci_conn_hold(conn); 705 hci_conn_hold(conn);
634 return conn; 706 return conn;
635} 707}
636 708
637static struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, 709struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
638 u8 sec_level, u8 auth_type) 710 u8 sec_level, u8 auth_type)
639{ 711{
640 struct hci_conn *acl; 712 struct hci_conn *acl;
641 713
@@ -704,22 +776,6 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
704 return sco; 776 return sco;
705} 777}
706 778
707/* Create SCO, ACL or LE connection. */
708struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst,
709 __u8 dst_type, __u8 sec_level, __u8 auth_type)
710{
711 BT_DBG("%s dst %pMR type 0x%x", hdev->name, dst, type);
712
713 switch (type) {
714 case LE_LINK:
715 return hci_connect_le(hdev, dst, dst_type, sec_level, auth_type);
716 case ACL_LINK:
717 return hci_connect_acl(hdev, dst, sec_level, auth_type);
718 }
719
720 return ERR_PTR(-EINVAL);
721}
722
723/* Check link security requirement */ 779/* Check link security requirement */
724int hci_conn_check_link_mode(struct hci_conn *conn) 780int hci_conn_check_link_mode(struct hci_conn *conn)
725{ 781{
@@ -800,14 +856,23 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
800 if (!(conn->link_mode & HCI_LM_AUTH)) 856 if (!(conn->link_mode & HCI_LM_AUTH))
801 goto auth; 857 goto auth;
802 858
803 /* An authenticated combination key has sufficient security for any 859 /* An authenticated FIPS approved combination key has sufficient
804 security level. */ 860 * security for security level 4. */
805 if (conn->key_type == HCI_LK_AUTH_COMBINATION) 861 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
862 sec_level == BT_SECURITY_FIPS)
863 goto encrypt;
864
865 /* An authenticated combination key has sufficient security for
866 security level 3. */
867 if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
868 conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
869 sec_level == BT_SECURITY_HIGH)
806 goto encrypt; 870 goto encrypt;
807 871
808 /* An unauthenticated combination key has sufficient security for 872 /* An unauthenticated combination key has sufficient security for
809 security level 1 and 2. */ 873 security level 1 and 2. */
810 if (conn->key_type == HCI_LK_UNAUTH_COMBINATION && 874 if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
875 conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
811 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) 876 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
812 goto encrypt; 877 goto encrypt;
813 878
@@ -816,7 +881,8 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
816 is generated using maximum PIN code length (16). 881 is generated using maximum PIN code length (16).
817 For pre 2.1 units. */ 882 For pre 2.1 units. */
818 if (conn->key_type == HCI_LK_COMBINATION && 883 if (conn->key_type == HCI_LK_COMBINATION &&
819 (sec_level != BT_SECURITY_HIGH || conn->pin_length == 16)) 884 (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
885 conn->pin_length == 16))
820 goto encrypt; 886 goto encrypt;
821 887
822auth: 888auth:
@@ -840,13 +906,17 @@ int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
840{ 906{
841 BT_DBG("hcon %p", conn); 907 BT_DBG("hcon %p", conn);
842 908
843 if (sec_level != BT_SECURITY_HIGH) 909 /* Accept if non-secure or higher security level is required */
844 return 1; /* Accept if non-secure is required */ 910 if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
911 return 1;
845 912
846 if (conn->sec_level == BT_SECURITY_HIGH) 913 /* Accept if secure or higher security level is already present */
914 if (conn->sec_level == BT_SECURITY_HIGH ||
915 conn->sec_level == BT_SECURITY_FIPS)
847 return 1; 916 return 1;
848 917
849 return 0; /* Reject not secure link */ 918 /* Reject not secure link */
919 return 0;
850} 920}
851EXPORT_SYMBOL(hci_conn_check_secure); 921EXPORT_SYMBOL(hci_conn_check_secure);
852 922
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5e8663c194c1..8bbfdea9cbec 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,11 +29,14 @@
29#include <linux/idr.h> 29#include <linux/idr.h>
30#include <linux/rfkill.h> 30#include <linux/rfkill.h>
31#include <linux/debugfs.h> 31#include <linux/debugfs.h>
32#include <linux/crypto.h>
32#include <asm/unaligned.h> 33#include <asm/unaligned.h>
33 34
34#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/bluetooth.h>
35#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/hci_core.h>
36 37
38#include "smp.h"
39
37static void hci_rx_work(struct work_struct *work); 40static void hci_rx_work(struct work_struct *work);
38static void hci_cmd_work(struct work_struct *work); 41static void hci_cmd_work(struct work_struct *work);
39static void hci_tx_work(struct work_struct *work); 42static void hci_tx_work(struct work_struct *work);
@@ -285,24 +288,6 @@ static const struct file_operations link_keys_fops = {
285 .release = single_release, 288 .release = single_release,
286}; 289};
287 290
288static ssize_t use_debug_keys_read(struct file *file, char __user *user_buf,
289 size_t count, loff_t *ppos)
290{
291 struct hci_dev *hdev = file->private_data;
292 char buf[3];
293
294 buf[0] = test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) ? 'Y': 'N';
295 buf[1] = '\n';
296 buf[2] = '\0';
297 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
298}
299
300static const struct file_operations use_debug_keys_fops = {
301 .open = simple_open,
302 .read = use_debug_keys_read,
303 .llseek = default_llseek,
304};
305
306static int dev_class_show(struct seq_file *f, void *ptr) 291static int dev_class_show(struct seq_file *f, void *ptr)
307{ 292{
308 struct hci_dev *hdev = f->private; 293 struct hci_dev *hdev = f->private;
@@ -415,6 +400,70 @@ static int ssp_debug_mode_get(void *data, u64 *val)
415DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get, 400DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get,
416 ssp_debug_mode_set, "%llu\n"); 401 ssp_debug_mode_set, "%llu\n");
417 402
403static ssize_t force_sc_support_read(struct file *file, char __user *user_buf,
404 size_t count, loff_t *ppos)
405{
406 struct hci_dev *hdev = file->private_data;
407 char buf[3];
408
409 buf[0] = test_bit(HCI_FORCE_SC, &hdev->dev_flags) ? 'Y': 'N';
410 buf[1] = '\n';
411 buf[2] = '\0';
412 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
413}
414
415static ssize_t force_sc_support_write(struct file *file,
416 const char __user *user_buf,
417 size_t count, loff_t *ppos)
418{
419 struct hci_dev *hdev = file->private_data;
420 char buf[32];
421 size_t buf_size = min(count, (sizeof(buf)-1));
422 bool enable;
423
424 if (test_bit(HCI_UP, &hdev->flags))
425 return -EBUSY;
426
427 if (copy_from_user(buf, user_buf, buf_size))
428 return -EFAULT;
429
430 buf[buf_size] = '\0';
431 if (strtobool(buf, &enable))
432 return -EINVAL;
433
434 if (enable == test_bit(HCI_FORCE_SC, &hdev->dev_flags))
435 return -EALREADY;
436
437 change_bit(HCI_FORCE_SC, &hdev->dev_flags);
438
439 return count;
440}
441
442static const struct file_operations force_sc_support_fops = {
443 .open = simple_open,
444 .read = force_sc_support_read,
445 .write = force_sc_support_write,
446 .llseek = default_llseek,
447};
448
449static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf,
450 size_t count, loff_t *ppos)
451{
452 struct hci_dev *hdev = file->private_data;
453 char buf[3];
454
455 buf[0] = test_bit(HCI_SC_ONLY, &hdev->dev_flags) ? 'Y': 'N';
456 buf[1] = '\n';
457 buf[2] = '\0';
458 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
459}
460
461static const struct file_operations sc_only_mode_fops = {
462 .open = simple_open,
463 .read = sc_only_mode_read,
464 .llseek = default_llseek,
465};
466
418static int idle_timeout_set(void *data, u64 val) 467static int idle_timeout_set(void *data, u64 val)
419{ 468{
420 struct hci_dev *hdev = data; 469 struct hci_dev *hdev = data;
@@ -443,6 +492,37 @@ static int idle_timeout_get(void *data, u64 *val)
443DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get, 492DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get,
444 idle_timeout_set, "%llu\n"); 493 idle_timeout_set, "%llu\n");
445 494
495static int rpa_timeout_set(void *data, u64 val)
496{
497 struct hci_dev *hdev = data;
498
499 /* Require the RPA timeout to be at least 30 seconds and at most
500 * 24 hours.
501 */
502 if (val < 30 || val > (60 * 60 * 24))
503 return -EINVAL;
504
505 hci_dev_lock(hdev);
506 hdev->rpa_timeout = val;
507 hci_dev_unlock(hdev);
508
509 return 0;
510}
511
512static int rpa_timeout_get(void *data, u64 *val)
513{
514 struct hci_dev *hdev = data;
515
516 hci_dev_lock(hdev);
517 *val = hdev->rpa_timeout;
518 hci_dev_unlock(hdev);
519
520 return 0;
521}
522
523DEFINE_SIMPLE_ATTRIBUTE(rpa_timeout_fops, rpa_timeout_get,
524 rpa_timeout_set, "%llu\n");
525
446static int sniff_min_interval_set(void *data, u64 val) 526static int sniff_min_interval_set(void *data, u64 val)
447{ 527{
448 struct hci_dev *hdev = data; 528 struct hci_dev *hdev = data;
@@ -499,6 +579,59 @@ static int sniff_max_interval_get(void *data, u64 *val)
499DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get, 579DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
500 sniff_max_interval_set, "%llu\n"); 580 sniff_max_interval_set, "%llu\n");
501 581
582static int identity_show(struct seq_file *f, void *p)
583{
584 struct hci_dev *hdev = f->private;
585 bdaddr_t addr;
586 u8 addr_type;
587
588 hci_dev_lock(hdev);
589
590 hci_copy_identity_address(hdev, &addr, &addr_type);
591
592 seq_printf(f, "%pMR (type %u) %*phN %pMR\n", &addr, addr_type,
593 16, hdev->irk, &hdev->rpa);
594
595 hci_dev_unlock(hdev);
596
597 return 0;
598}
599
600static int identity_open(struct inode *inode, struct file *file)
601{
602 return single_open(file, identity_show, inode->i_private);
603}
604
605static const struct file_operations identity_fops = {
606 .open = identity_open,
607 .read = seq_read,
608 .llseek = seq_lseek,
609 .release = single_release,
610};
611
612static int random_address_show(struct seq_file *f, void *p)
613{
614 struct hci_dev *hdev = f->private;
615
616 hci_dev_lock(hdev);
617 seq_printf(f, "%pMR\n", &hdev->random_addr);
618 hci_dev_unlock(hdev);
619
620 return 0;
621}
622
623static int random_address_open(struct inode *inode, struct file *file)
624{
625 return single_open(file, random_address_show, inode->i_private);
626}
627
628static const struct file_operations random_address_fops = {
629 .open = random_address_open,
630 .read = seq_read,
631 .llseek = seq_lseek,
632 .release = single_release,
633};
634
502static int static_address_show(struct seq_file *f, void *p) 635static int static_address_show(struct seq_file *f, void *p)
503{ 636{
504 struct hci_dev *hdev = f->private; 637 struct hci_dev *hdev = f->private;
@@ -522,33 +655,107 @@ static const struct file_operations static_address_fops = {
522 .release = single_release, 655 .release = single_release,
523}; 656};
524 657
525static int own_address_type_set(void *data, u64 val) 658static ssize_t force_static_address_read(struct file *file,
659 char __user *user_buf,
660 size_t count, loff_t *ppos)
526{ 661{
527 struct hci_dev *hdev = data; 662 struct hci_dev *hdev = file->private_data;
663 char buf[3];
528 664
529 if (val != 0 && val != 1) 665 buf[0] = test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ? 'Y': 'N';
666 buf[1] = '\n';
667 buf[2] = '\0';
668 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
669}
670
671static ssize_t force_static_address_write(struct file *file,
672 const char __user *user_buf,
673 size_t count, loff_t *ppos)
674{
675 struct hci_dev *hdev = file->private_data;
676 char buf[32];
677 size_t buf_size = min(count, (sizeof(buf)-1));
678 bool enable;
679
680 if (test_bit(HCI_UP, &hdev->flags))
681 return -EBUSY;
682
683 if (copy_from_user(buf, user_buf, buf_size))
684 return -EFAULT;
685
686 buf[buf_size] = '\0';
687 if (strtobool(buf, &enable))
530 return -EINVAL; 688 return -EINVAL;
531 689
690 if (enable == test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags))
691 return -EALREADY;
692
693 change_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags);
694
695 return count;
696}
697
698static const struct file_operations force_static_address_fops = {
699 .open = simple_open,
700 .read = force_static_address_read,
701 .write = force_static_address_write,
702 .llseek = default_llseek,
703};
704
705static int white_list_show(struct seq_file *f, void *ptr)
706{
707 struct hci_dev *hdev = f->private;
708 struct bdaddr_list *b;
709
532 hci_dev_lock(hdev); 710 hci_dev_lock(hdev);
533 hdev->own_addr_type = val; 711 list_for_each_entry(b, &hdev->le_white_list, list)
712 seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
534 hci_dev_unlock(hdev); 713 hci_dev_unlock(hdev);
535 714
536 return 0; 715 return 0;
537} 716}
538 717
539static int own_address_type_get(void *data, u64 *val) 718static int white_list_open(struct inode *inode, struct file *file)
540{ 719{
541 struct hci_dev *hdev = data; 720 return single_open(file, white_list_show, inode->i_private);
721}
722
723static const struct file_operations white_list_fops = {
724 .open = white_list_open,
725 .read = seq_read,
726 .llseek = seq_lseek,
727 .release = single_release,
728};
729
730static int identity_resolving_keys_show(struct seq_file *f, void *ptr)
731{
732 struct hci_dev *hdev = f->private;
733 struct list_head *p, *n;
542 734
543 hci_dev_lock(hdev); 735 hci_dev_lock(hdev);
544 *val = hdev->own_addr_type; 736 list_for_each_safe(p, n, &hdev->identity_resolving_keys) {
737 struct smp_irk *irk = list_entry(p, struct smp_irk, list);
738 seq_printf(f, "%pMR (type %u) %*phN %pMR\n",
739 &irk->bdaddr, irk->addr_type,
740 16, irk->val, &irk->rpa);
741 }
545 hci_dev_unlock(hdev); 742 hci_dev_unlock(hdev);
546 743
547 return 0; 744 return 0;
548} 745}
549 746
550DEFINE_SIMPLE_ATTRIBUTE(own_address_type_fops, own_address_type_get, 747static int identity_resolving_keys_open(struct inode *inode, struct file *file)
551 own_address_type_set, "%llu\n"); 748{
749 return single_open(file, identity_resolving_keys_show,
750 inode->i_private);
751}
752
753static const struct file_operations identity_resolving_keys_fops = {
754 .open = identity_resolving_keys_open,
755 .read = seq_read,
756 .llseek = seq_lseek,
757 .release = single_release,
758};
552 759
553static int long_term_keys_show(struct seq_file *f, void *ptr) 760static int long_term_keys_show(struct seq_file *f, void *ptr)
554{ 761{
@@ -556,12 +763,12 @@ static int long_term_keys_show(struct seq_file *f, void *ptr)
556 struct list_head *p, *n; 763 struct list_head *p, *n;
557 764
558 hci_dev_lock(hdev); 765 hci_dev_lock(hdev);
559 list_for_each_safe(p, n, &hdev->link_keys) { 766 list_for_each_safe(p, n, &hdev->long_term_keys) {
560 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list); 767 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
561 seq_printf(f, "%pMR (type %u) %u %u %u %.4x %*phN %*phN\\n", 768 seq_printf(f, "%pMR (type %u) %u 0x%02x %u %.4x %.16llx %*phN\n",
562 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated, 769 &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated,
563 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv), 770 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
564 8, ltk->rand, 16, ltk->val); 771 __le64_to_cpu(ltk->rand), 16, ltk->val);
565 } 772 }
566 hci_dev_unlock(hdev); 773 hci_dev_unlock(hdev);
567 774
@@ -636,6 +843,34 @@ static int conn_max_interval_get(void *data, u64 *val)
636DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get, 843DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get,
637 conn_max_interval_set, "%llu\n"); 844 conn_max_interval_set, "%llu\n");
638 845
846static int adv_channel_map_set(void *data, u64 val)
847{
848 struct hci_dev *hdev = data;
849
850 if (val < 0x01 || val > 0x07)
851 return -EINVAL;
852
853 hci_dev_lock(hdev);
854 hdev->le_adv_channel_map = val;
855 hci_dev_unlock(hdev);
856
857 return 0;
858}
859
860static int adv_channel_map_get(void *data, u64 *val)
861{
862 struct hci_dev *hdev = data;
863
864 hci_dev_lock(hdev);
865 *val = hdev->le_adv_channel_map;
866 hci_dev_unlock(hdev);
867
868 return 0;
869}
870
871DEFINE_SIMPLE_ATTRIBUTE(adv_channel_map_fops, adv_channel_map_get,
872 adv_channel_map_set, "%llu\n");
873
639static ssize_t lowpan_read(struct file *file, char __user *user_buf, 874static ssize_t lowpan_read(struct file *file, char __user *user_buf,
640 size_t count, loff_t *ppos) 875 size_t count, loff_t *ppos)
641{ 876{
@@ -679,6 +914,115 @@ static const struct file_operations lowpan_debugfs_fops = {
679 .llseek = default_llseek, 914 .llseek = default_llseek,
680}; 915};
681 916
917static int le_auto_conn_show(struct seq_file *sf, void *ptr)
918{
919 struct hci_dev *hdev = sf->private;
920 struct hci_conn_params *p;
921
922 hci_dev_lock(hdev);
923
924 list_for_each_entry(p, &hdev->le_conn_params, list) {
925 seq_printf(sf, "%pMR %u %u\n", &p->addr, p->addr_type,
926 p->auto_connect);
927 }
928
929 hci_dev_unlock(hdev);
930
931 return 0;
932}
933
934static int le_auto_conn_open(struct inode *inode, struct file *file)
935{
936 return single_open(file, le_auto_conn_show, inode->i_private);
937}
938
939static ssize_t le_auto_conn_write(struct file *file, const char __user *data,
940 size_t count, loff_t *offset)
941{
942 struct seq_file *sf = file->private_data;
943 struct hci_dev *hdev = sf->private;
944 u8 auto_connect = 0;
945 bdaddr_t addr;
946 u8 addr_type;
947 char *buf;
948 int err = 0;
949 int n;
950
951 /* Don't allow partial write */
952 if (*offset != 0)
953 return -EINVAL;
954
955 if (count < 3)
956 return -EINVAL;
957
958 buf = kzalloc(count, GFP_KERNEL);
959 if (!buf)
960 return -ENOMEM;
961
962 if (copy_from_user(buf, data, count)) {
963 err = -EFAULT;
964 goto done;
965 }
966
967 if (memcmp(buf, "add", 3) == 0) {
968 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu",
969 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
970 &addr.b[1], &addr.b[0], &addr_type,
971 &auto_connect);
972
973 if (n < 7) {
974 err = -EINVAL;
975 goto done;
976 }
977
978 hci_dev_lock(hdev);
979 err = hci_conn_params_add(hdev, &addr, addr_type, auto_connect,
980 hdev->le_conn_min_interval,
981 hdev->le_conn_max_interval);
982 hci_dev_unlock(hdev);
983
984 if (err)
985 goto done;
986 } else if (memcmp(buf, "del", 3) == 0) {
987 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu",
988 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
989 &addr.b[1], &addr.b[0], &addr_type);
990
991 if (n < 7) {
992 err = -EINVAL;
993 goto done;
994 }
995
996 hci_dev_lock(hdev);
997 hci_conn_params_del(hdev, &addr, addr_type);
998 hci_dev_unlock(hdev);
999 } else if (memcmp(buf, "clr", 3) == 0) {
1000 hci_dev_lock(hdev);
1001 hci_conn_params_clear(hdev);
1002 hci_pend_le_conns_clear(hdev);
1003 hci_update_background_scan(hdev);
1004 hci_dev_unlock(hdev);
1005 } else {
1006 err = -EINVAL;
1007 }
1008
1009done:
1010 kfree(buf);
1011
1012 if (err)
1013 return err;
1014 else
1015 return count;
1016}
1017
1018static const struct file_operations le_auto_conn_fops = {
1019 .open = le_auto_conn_open,
1020 .read = seq_read,
1021 .write = le_auto_conn_write,
1022 .llseek = seq_lseek,
1023 .release = single_release,
1024};
1025
682/* ---- HCI requests ---- */ 1026/* ---- HCI requests ---- */
683 1027
684static void hci_req_sync_complete(struct hci_dev *hdev, u8 result) 1028static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
@@ -1027,14 +1371,17 @@ static void le_setup(struct hci_request *req)
1027 /* Read LE Local Supported Features */ 1371 /* Read LE Local Supported Features */
1028 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL); 1372 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
1029 1373
1374 /* Read LE Supported States */
1375 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
1376
1030 /* Read LE Advertising Channel TX Power */ 1377 /* Read LE Advertising Channel TX Power */
1031 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL); 1378 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
1032 1379
1033 /* Read LE White List Size */ 1380 /* Read LE White List Size */
1034 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL); 1381 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
1035 1382
1036 /* Read LE Supported States */ 1383 /* Clear LE White List */
1037 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL); 1384 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
1038 1385
1039 /* LE-only controllers have LE implicitly enabled */ 1386 /* LE-only controllers have LE implicitly enabled */
1040 if (!lmp_bredr_capable(hdev)) 1387 if (!lmp_bredr_capable(hdev))
@@ -1288,6 +1635,10 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
1288 events[2] |= 0x08; /* Truncated Page Complete */ 1635 events[2] |= 0x08; /* Truncated Page Complete */
1289 } 1636 }
1290 1637
1638 /* Enable Authenticated Payload Timeout Expired event if supported */
1639 if (lmp_ping_capable(hdev))
1640 events[2] |= 0x80;
1641
1291 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events); 1642 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
1292} 1643}
1293 1644
@@ -1322,21 +1673,8 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
1322 if (hdev->commands[5] & 0x10) 1673 if (hdev->commands[5] & 0x10)
1323 hci_setup_link_policy(req); 1674 hci_setup_link_policy(req);
1324 1675
1325 if (lmp_le_capable(hdev)) { 1676 if (lmp_le_capable(hdev))
1326 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1327 /* If the controller has a public BD_ADDR, then
1328 * by default use that one. If this is a LE only
1329 * controller without a public address, default
1330 * to the random address.
1331 */
1332 if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1333 hdev->own_addr_type = ADDR_LE_DEV_PUBLIC;
1334 else
1335 hdev->own_addr_type = ADDR_LE_DEV_RANDOM;
1336 }
1337
1338 hci_set_le_support(req); 1677 hci_set_le_support(req);
1339 }
1340 1678
1341 /* Read features beyond page 1 if available */ 1679 /* Read features beyond page 1 if available */
1342 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) { 1680 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
@@ -1359,6 +1697,15 @@ static void hci_init4_req(struct hci_request *req, unsigned long opt)
1359 /* Check for Synchronization Train support */ 1697 /* Check for Synchronization Train support */
1360 if (lmp_sync_train_capable(hdev)) 1698 if (lmp_sync_train_capable(hdev))
1361 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL); 1699 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1700
1701 /* Enable Secure Connections if supported and configured */
1702 if ((lmp_sc_capable(hdev) ||
1703 test_bit(HCI_FORCE_SC, &hdev->dev_flags)) &&
1704 test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
1705 u8 support = 0x01;
1706 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
1707 sizeof(support), &support);
1708 }
1362} 1709}
1363 1710
1364static int __hci_init(struct hci_dev *hdev) 1711static int __hci_init(struct hci_dev *hdev)
@@ -1417,8 +1764,6 @@ static int __hci_init(struct hci_dev *hdev)
1417 hdev, &inquiry_cache_fops); 1764 hdev, &inquiry_cache_fops);
1418 debugfs_create_file("link_keys", 0400, hdev->debugfs, 1765 debugfs_create_file("link_keys", 0400, hdev->debugfs,
1419 hdev, &link_keys_fops); 1766 hdev, &link_keys_fops);
1420 debugfs_create_file("use_debug_keys", 0444, hdev->debugfs,
1421 hdev, &use_debug_keys_fops);
1422 debugfs_create_file("dev_class", 0444, hdev->debugfs, 1767 debugfs_create_file("dev_class", 0444, hdev->debugfs,
1423 hdev, &dev_class_fops); 1768 hdev, &dev_class_fops);
1424 debugfs_create_file("voice_setting", 0444, hdev->debugfs, 1769 debugfs_create_file("voice_setting", 0444, hdev->debugfs,
@@ -1430,6 +1775,10 @@ static int __hci_init(struct hci_dev *hdev)
1430 hdev, &auto_accept_delay_fops); 1775 hdev, &auto_accept_delay_fops);
1431 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs, 1776 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs,
1432 hdev, &ssp_debug_mode_fops); 1777 hdev, &ssp_debug_mode_fops);
1778 debugfs_create_file("force_sc_support", 0644, hdev->debugfs,
1779 hdev, &force_sc_support_fops);
1780 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs,
1781 hdev, &sc_only_mode_fops);
1433 } 1782 }
1434 1783
1435 if (lmp_sniff_capable(hdev)) { 1784 if (lmp_sniff_capable(hdev)) {
@@ -1442,20 +1791,43 @@ static int __hci_init(struct hci_dev *hdev)
1442 } 1791 }
1443 1792
1444 if (lmp_le_capable(hdev)) { 1793 if (lmp_le_capable(hdev)) {
1794 debugfs_create_file("identity", 0400, hdev->debugfs,
1795 hdev, &identity_fops);
1796 debugfs_create_file("rpa_timeout", 0644, hdev->debugfs,
1797 hdev, &rpa_timeout_fops);
1798 debugfs_create_file("random_address", 0444, hdev->debugfs,
1799 hdev, &random_address_fops);
1800 debugfs_create_file("static_address", 0444, hdev->debugfs,
1801 hdev, &static_address_fops);
1802
1803 /* For controllers with a public address, provide a debug
1804 * option to force the usage of the configured static
1805 * address. By default the public address is used.
1806 */
1807 if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1808 debugfs_create_file("force_static_address", 0644,
1809 hdev->debugfs, hdev,
1810 &force_static_address_fops);
1811
1445 debugfs_create_u8("white_list_size", 0444, hdev->debugfs, 1812 debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1446 &hdev->le_white_list_size); 1813 &hdev->le_white_list_size);
1447 debugfs_create_file("static_address", 0444, hdev->debugfs, 1814 debugfs_create_file("white_list", 0444, hdev->debugfs, hdev,
1448 hdev, &static_address_fops); 1815 &white_list_fops);
1449 debugfs_create_file("own_address_type", 0644, hdev->debugfs, 1816 debugfs_create_file("identity_resolving_keys", 0400,
1450 hdev, &own_address_type_fops); 1817 hdev->debugfs, hdev,
1818 &identity_resolving_keys_fops);
1451 debugfs_create_file("long_term_keys", 0400, hdev->debugfs, 1819 debugfs_create_file("long_term_keys", 0400, hdev->debugfs,
1452 hdev, &long_term_keys_fops); 1820 hdev, &long_term_keys_fops);
1453 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs, 1821 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs,
1454 hdev, &conn_min_interval_fops); 1822 hdev, &conn_min_interval_fops);
1455 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs, 1823 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs,
1456 hdev, &conn_max_interval_fops); 1824 hdev, &conn_max_interval_fops);
1825 debugfs_create_file("adv_channel_map", 0644, hdev->debugfs,
1826 hdev, &adv_channel_map_fops);
1457 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev, 1827 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev,
1458 &lowpan_debugfs_fops); 1828 &lowpan_debugfs_fops);
1829 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev,
1830 &le_auto_conn_fops);
1459 } 1831 }
1460 1832
1461 return 0; 1833 return 0;
@@ -1548,6 +1920,8 @@ void hci_discovery_set_state(struct hci_dev *hdev, int state)
1548 1920
1549 switch (state) { 1921 switch (state) {
1550 case DISCOVERY_STOPPED: 1922 case DISCOVERY_STOPPED:
1923 hci_update_background_scan(hdev);
1924
1551 if (hdev->discovery.state != DISCOVERY_STARTING) 1925 if (hdev->discovery.state != DISCOVERY_STARTING)
1552 mgmt_discovering(hdev, 0); 1926 mgmt_discovering(hdev, 0);
1553 break; 1927 break;
@@ -1876,10 +2250,15 @@ static int hci_dev_do_open(struct hci_dev *hdev)
1876 * be able to determine if there is a public address 2250 * be able to determine if there is a public address
1877 * or not. 2251 * or not.
1878 * 2252 *
2253 * In case of user channel usage, it is not important
2254 * if a public address or static random address is
2255 * available.
2256 *
1879 * This check is only valid for BR/EDR controllers 2257 * This check is only valid for BR/EDR controllers
1880 * since AMP controllers do not have an address. 2258 * since AMP controllers do not have an address.
1881 */ 2259 */
1882 if (hdev->dev_type == HCI_BREDR && 2260 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
2261 hdev->dev_type == HCI_BREDR &&
1883 !bacmp(&hdev->bdaddr, BDADDR_ANY) && 2262 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1884 !bacmp(&hdev->static_addr, BDADDR_ANY)) { 2263 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1885 ret = -EADDRNOTAVAIL; 2264 ret = -EADDRNOTAVAIL;
@@ -1916,6 +2295,7 @@ static int hci_dev_do_open(struct hci_dev *hdev)
1916 2295
1917 if (!ret) { 2296 if (!ret) {
1918 hci_dev_hold(hdev); 2297 hci_dev_hold(hdev);
2298 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
1919 set_bit(HCI_UP, &hdev->flags); 2299 set_bit(HCI_UP, &hdev->flags);
1920 hci_notify(hdev, HCI_DEV_UP); 2300 hci_notify(hdev, HCI_DEV_UP);
1921 if (!test_bit(HCI_SETUP, &hdev->dev_flags) && 2301 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
@@ -2014,9 +2394,13 @@ static int hci_dev_do_close(struct hci_dev *hdev)
2014 2394
2015 cancel_delayed_work_sync(&hdev->le_scan_disable); 2395 cancel_delayed_work_sync(&hdev->le_scan_disable);
2016 2396
2397 if (test_bit(HCI_MGMT, &hdev->dev_flags))
2398 cancel_delayed_work_sync(&hdev->rpa_expired);
2399
2017 hci_dev_lock(hdev); 2400 hci_dev_lock(hdev);
2018 hci_inquiry_cache_flush(hdev); 2401 hci_inquiry_cache_flush(hdev);
2019 hci_conn_hash_flush(hdev); 2402 hci_conn_hash_flush(hdev);
2403 hci_pend_le_conns_clear(hdev);
2020 hci_dev_unlock(hdev); 2404 hci_dev_unlock(hdev);
2021 2405
2022 hci_notify(hdev, HCI_DEV_DOWN); 2406 hci_notify(hdev, HCI_DEV_DOWN);
@@ -2074,6 +2458,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
2074 2458
2075 memset(hdev->eir, 0, sizeof(hdev->eir)); 2459 memset(hdev->eir, 0, sizeof(hdev->eir));
2076 memset(hdev->dev_class, 0, sizeof(hdev->dev_class)); 2460 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
2461 bacpy(&hdev->random_addr, BDADDR_ANY);
2077 2462
2078 hci_req_unlock(hdev); 2463 hci_req_unlock(hdev);
2079 2464
@@ -2437,7 +2822,7 @@ static void hci_discov_off(struct work_struct *work)
2437 mgmt_discoverable_timeout(hdev); 2822 mgmt_discoverable_timeout(hdev);
2438} 2823}
2439 2824
2440int hci_uuids_clear(struct hci_dev *hdev) 2825void hci_uuids_clear(struct hci_dev *hdev)
2441{ 2826{
2442 struct bt_uuid *uuid, *tmp; 2827 struct bt_uuid *uuid, *tmp;
2443 2828
@@ -2445,11 +2830,9 @@ int hci_uuids_clear(struct hci_dev *hdev)
2445 list_del(&uuid->list); 2830 list_del(&uuid->list);
2446 kfree(uuid); 2831 kfree(uuid);
2447 } 2832 }
2448
2449 return 0;
2450} 2833}
2451 2834
2452int hci_link_keys_clear(struct hci_dev *hdev) 2835void hci_link_keys_clear(struct hci_dev *hdev)
2453{ 2836{
2454 struct list_head *p, *n; 2837 struct list_head *p, *n;
2455 2838
@@ -2461,11 +2844,9 @@ int hci_link_keys_clear(struct hci_dev *hdev)
2461 list_del(p); 2844 list_del(p);
2462 kfree(key); 2845 kfree(key);
2463 } 2846 }
2464
2465 return 0;
2466} 2847}
2467 2848
2468int hci_smp_ltks_clear(struct hci_dev *hdev) 2849void hci_smp_ltks_clear(struct hci_dev *hdev)
2469{ 2850{
2470 struct smp_ltk *k, *tmp; 2851 struct smp_ltk *k, *tmp;
2471 2852
@@ -2473,8 +2854,16 @@ int hci_smp_ltks_clear(struct hci_dev *hdev)
2473 list_del(&k->list); 2854 list_del(&k->list);
2474 kfree(k); 2855 kfree(k);
2475 } 2856 }
2857}
2476 2858
2477 return 0; 2859void hci_smp_irks_clear(struct hci_dev *hdev)
2860{
2861 struct smp_irk *k, *tmp;
2862
2863 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
2864 list_del(&k->list);
2865 kfree(k);
2866 }
2478} 2867}
2479 2868
2480struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 2869struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -2524,13 +2913,24 @@ static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2524 return false; 2913 return false;
2525} 2914}
2526 2915
2527struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8]) 2916static bool ltk_type_master(u8 type)
2917{
2918 if (type == HCI_SMP_STK || type == HCI_SMP_LTK)
2919 return true;
2920
2921 return false;
2922}
2923
2924struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand,
2925 bool master)
2528{ 2926{
2529 struct smp_ltk *k; 2927 struct smp_ltk *k;
2530 2928
2531 list_for_each_entry(k, &hdev->long_term_keys, list) { 2929 list_for_each_entry(k, &hdev->long_term_keys, list) {
2532 if (k->ediv != ediv || 2930 if (k->ediv != ediv || k->rand != rand)
2533 memcmp(rand, k->rand, sizeof(k->rand))) 2931 continue;
2932
2933 if (ltk_type_master(k->type) != master)
2534 continue; 2934 continue;
2535 2935
2536 return k; 2936 return k;
@@ -2540,18 +2940,56 @@ struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
2540} 2940}
2541 2941
2542struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr, 2942struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2543 u8 addr_type) 2943 u8 addr_type, bool master)
2544{ 2944{
2545 struct smp_ltk *k; 2945 struct smp_ltk *k;
2546 2946
2547 list_for_each_entry(k, &hdev->long_term_keys, list) 2947 list_for_each_entry(k, &hdev->long_term_keys, list)
2548 if (addr_type == k->bdaddr_type && 2948 if (addr_type == k->bdaddr_type &&
2549 bacmp(bdaddr, &k->bdaddr) == 0) 2949 bacmp(bdaddr, &k->bdaddr) == 0 &&
2950 ltk_type_master(k->type) == master)
2550 return k; 2951 return k;
2551 2952
2552 return NULL; 2953 return NULL;
2553} 2954}
2554 2955
2956struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2957{
2958 struct smp_irk *irk;
2959
2960 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2961 if (!bacmp(&irk->rpa, rpa))
2962 return irk;
2963 }
2964
2965 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2966 if (smp_irk_matches(hdev->tfm_aes, irk->val, rpa)) {
2967 bacpy(&irk->rpa, rpa);
2968 return irk;
2969 }
2970 }
2971
2972 return NULL;
2973}
2974
2975struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2976 u8 addr_type)
2977{
2978 struct smp_irk *irk;
2979
2980 /* Identity Address must be public or static random */
2981 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2982 return NULL;
2983
2984 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2985 if (addr_type == irk->addr_type &&
2986 bacmp(bdaddr, &irk->bdaddr) == 0)
2987 return irk;
2988 }
2989
2990 return NULL;
2991}
2992
2555int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key, 2993int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2556 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len) 2994 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
2557{ 2995{
@@ -2565,7 +3003,7 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2565 key = old_key; 3003 key = old_key;
2566 } else { 3004 } else {
2567 old_key_type = conn ? conn->key_type : 0xff; 3005 old_key_type = conn ? conn->key_type : 0xff;
2568 key = kzalloc(sizeof(*key), GFP_ATOMIC); 3006 key = kzalloc(sizeof(*key), GFP_KERNEL);
2569 if (!key) 3007 if (!key)
2570 return -ENOMEM; 3008 return -ENOMEM;
2571 list_add(&key->list, &hdev->link_keys); 3009 list_add(&key->list, &hdev->link_keys);
@@ -2605,22 +3043,20 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2605 return 0; 3043 return 0;
2606} 3044}
2607 3045
2608int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type, 3046struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2609 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16 3047 u8 addr_type, u8 type, u8 authenticated,
2610 ediv, u8 rand[8]) 3048 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2611{ 3049{
2612 struct smp_ltk *key, *old_key; 3050 struct smp_ltk *key, *old_key;
3051 bool master = ltk_type_master(type);
2613 3052
2614 if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK)) 3053 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type, master);
2615 return 0;
2616
2617 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
2618 if (old_key) 3054 if (old_key)
2619 key = old_key; 3055 key = old_key;
2620 else { 3056 else {
2621 key = kzalloc(sizeof(*key), GFP_ATOMIC); 3057 key = kzalloc(sizeof(*key), GFP_KERNEL);
2622 if (!key) 3058 if (!key)
2623 return -ENOMEM; 3059 return NULL;
2624 list_add(&key->list, &hdev->long_term_keys); 3060 list_add(&key->list, &hdev->long_term_keys);
2625 } 3061 }
2626 3062
@@ -2629,17 +3065,34 @@ int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
2629 memcpy(key->val, tk, sizeof(key->val)); 3065 memcpy(key->val, tk, sizeof(key->val));
2630 key->authenticated = authenticated; 3066 key->authenticated = authenticated;
2631 key->ediv = ediv; 3067 key->ediv = ediv;
3068 key->rand = rand;
2632 key->enc_size = enc_size; 3069 key->enc_size = enc_size;
2633 key->type = type; 3070 key->type = type;
2634 memcpy(key->rand, rand, sizeof(key->rand));
2635 3071
2636 if (!new_key) 3072 return key;
2637 return 0; 3073}
3074
3075struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3076 u8 addr_type, u8 val[16], bdaddr_t *rpa)
3077{
3078 struct smp_irk *irk;
2638 3079
2639 if (type & HCI_SMP_LTK) 3080 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2640 mgmt_new_ltk(hdev, key, 1); 3081 if (!irk) {
3082 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
3083 if (!irk)
3084 return NULL;
2641 3085
2642 return 0; 3086 bacpy(&irk->bdaddr, bdaddr);
3087 irk->addr_type = addr_type;
3088
3089 list_add(&irk->list, &hdev->identity_resolving_keys);
3090 }
3091
3092 memcpy(irk->val, val, 16);
3093 bacpy(&irk->rpa, rpa);
3094
3095 return irk;
2643} 3096}
2644 3097
2645int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 3098int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -2658,21 +3111,38 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2658 return 0; 3111 return 0;
2659} 3112}
2660 3113
2661int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr) 3114int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2662{ 3115{
2663 struct smp_ltk *k, *tmp; 3116 struct smp_ltk *k, *tmp;
3117 int removed = 0;
2664 3118
2665 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { 3119 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2666 if (bacmp(bdaddr, &k->bdaddr)) 3120 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2667 continue; 3121 continue;
2668 3122
2669 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 3123 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2670 3124
2671 list_del(&k->list); 3125 list_del(&k->list);
2672 kfree(k); 3126 kfree(k);
3127 removed++;
2673 } 3128 }
2674 3129
2675 return 0; 3130 return removed ? 0 : -ENOENT;
3131}
3132
3133void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
3134{
3135 struct smp_irk *k, *tmp;
3136
3137 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
3138 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
3139 continue;
3140
3141 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3142
3143 list_del(&k->list);
3144 kfree(k);
3145 }
2676} 3146}
2677 3147
2678/* HCI command timer function */ 3148/* HCI command timer function */
@@ -2721,7 +3191,7 @@ int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
2721 return 0; 3191 return 0;
2722} 3192}
2723 3193
2724int hci_remote_oob_data_clear(struct hci_dev *hdev) 3194void hci_remote_oob_data_clear(struct hci_dev *hdev)
2725{ 3195{
2726 struct oob_data *data, *n; 3196 struct oob_data *data, *n;
2727 3197
@@ -2729,19 +3199,43 @@ int hci_remote_oob_data_clear(struct hci_dev *hdev)
2729 list_del(&data->list); 3199 list_del(&data->list);
2730 kfree(data); 3200 kfree(data);
2731 } 3201 }
3202}
3203
3204int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3205 u8 *hash, u8 *randomizer)
3206{
3207 struct oob_data *data;
3208
3209 data = hci_find_remote_oob_data(hdev, bdaddr);
3210 if (!data) {
3211 data = kmalloc(sizeof(*data), GFP_KERNEL);
3212 if (!data)
3213 return -ENOMEM;
3214
3215 bacpy(&data->bdaddr, bdaddr);
3216 list_add(&data->list, &hdev->remote_oob_data);
3217 }
3218
3219 memcpy(data->hash192, hash, sizeof(data->hash192));
3220 memcpy(data->randomizer192, randomizer, sizeof(data->randomizer192));
3221
3222 memset(data->hash256, 0, sizeof(data->hash256));
3223 memset(data->randomizer256, 0, sizeof(data->randomizer256));
3224
3225 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2732 3226
2733 return 0; 3227 return 0;
2734} 3228}
2735 3229
2736int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash, 3230int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2737 u8 *randomizer) 3231 u8 *hash192, u8 *randomizer192,
3232 u8 *hash256, u8 *randomizer256)
2738{ 3233{
2739 struct oob_data *data; 3234 struct oob_data *data;
2740 3235
2741 data = hci_find_remote_oob_data(hdev, bdaddr); 3236 data = hci_find_remote_oob_data(hdev, bdaddr);
2742
2743 if (!data) { 3237 if (!data) {
2744 data = kmalloc(sizeof(*data), GFP_ATOMIC); 3238 data = kmalloc(sizeof(*data), GFP_KERNEL);
2745 if (!data) 3239 if (!data)
2746 return -ENOMEM; 3240 return -ENOMEM;
2747 3241
@@ -2749,8 +3243,11 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
2749 list_add(&data->list, &hdev->remote_oob_data); 3243 list_add(&data->list, &hdev->remote_oob_data);
2750 } 3244 }
2751 3245
2752 memcpy(data->hash, hash, sizeof(data->hash)); 3246 memcpy(data->hash192, hash192, sizeof(data->hash192));
2753 memcpy(data->randomizer, randomizer, sizeof(data->randomizer)); 3247 memcpy(data->randomizer192, randomizer192, sizeof(data->randomizer192));
3248
3249 memcpy(data->hash256, hash256, sizeof(data->hash256));
3250 memcpy(data->randomizer256, randomizer256, sizeof(data->randomizer256));
2754 3251
2755 BT_DBG("%s for %pMR", hdev->name, bdaddr); 3252 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2756 3253
@@ -2770,7 +3267,7 @@ struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
2770 return NULL; 3267 return NULL;
2771} 3268}
2772 3269
2773int hci_blacklist_clear(struct hci_dev *hdev) 3270static void hci_blacklist_clear(struct hci_dev *hdev)
2774{ 3271{
2775 struct list_head *p, *n; 3272 struct list_head *p, *n;
2776 3273
@@ -2780,8 +3277,6 @@ int hci_blacklist_clear(struct hci_dev *hdev)
2780 list_del(p); 3277 list_del(p);
2781 kfree(b); 3278 kfree(b);
2782 } 3279 }
2783
2784 return 0;
2785} 3280}
2786 3281
2787int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 3282int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
@@ -2810,8 +3305,10 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2810{ 3305{
2811 struct bdaddr_list *entry; 3306 struct bdaddr_list *entry;
2812 3307
2813 if (!bacmp(bdaddr, BDADDR_ANY)) 3308 if (!bacmp(bdaddr, BDADDR_ANY)) {
2814 return hci_blacklist_clear(hdev); 3309 hci_blacklist_clear(hdev);
3310 return 0;
3311 }
2815 3312
2816 entry = hci_blacklist_lookup(hdev, bdaddr, type); 3313 entry = hci_blacklist_lookup(hdev, bdaddr, type);
2817 if (!entry) 3314 if (!entry)
@@ -2823,6 +3320,262 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2823 return mgmt_device_unblocked(hdev, bdaddr, type); 3320 return mgmt_device_unblocked(hdev, bdaddr, type);
2824} 3321}
2825 3322
3323struct bdaddr_list *hci_white_list_lookup(struct hci_dev *hdev,
3324 bdaddr_t *bdaddr, u8 type)
3325{
3326 struct bdaddr_list *b;
3327
3328 list_for_each_entry(b, &hdev->le_white_list, list) {
3329 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3330 return b;
3331 }
3332
3333 return NULL;
3334}
3335
3336void hci_white_list_clear(struct hci_dev *hdev)
3337{
3338 struct list_head *p, *n;
3339
3340 list_for_each_safe(p, n, &hdev->le_white_list) {
3341 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
3342
3343 list_del(p);
3344 kfree(b);
3345 }
3346}
3347
3348int hci_white_list_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3349{
3350 struct bdaddr_list *entry;
3351
3352 if (!bacmp(bdaddr, BDADDR_ANY))
3353 return -EBADF;
3354
3355 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
3356 if (!entry)
3357 return -ENOMEM;
3358
3359 bacpy(&entry->bdaddr, bdaddr);
3360 entry->bdaddr_type = type;
3361
3362 list_add(&entry->list, &hdev->le_white_list);
3363
3364 return 0;
3365}
3366
3367int hci_white_list_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3368{
3369 struct bdaddr_list *entry;
3370
3371 if (!bacmp(bdaddr, BDADDR_ANY))
3372 return -EBADF;
3373
3374 entry = hci_white_list_lookup(hdev, bdaddr, type);
3375 if (!entry)
3376 return -ENOENT;
3377
3378 list_del(&entry->list);
3379 kfree(entry);
3380
3381 return 0;
3382}
3383
3384/* This function requires the caller holds hdev->lock */
3385struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3386 bdaddr_t *addr, u8 addr_type)
3387{
3388 struct hci_conn_params *params;
3389
3390 list_for_each_entry(params, &hdev->le_conn_params, list) {
3391 if (bacmp(&params->addr, addr) == 0 &&
3392 params->addr_type == addr_type) {
3393 return params;
3394 }
3395 }
3396
3397 return NULL;
3398}
3399
3400static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
3401{
3402 struct hci_conn *conn;
3403
3404 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
3405 if (!conn)
3406 return false;
3407
3408 if (conn->dst_type != type)
3409 return false;
3410
3411 if (conn->state != BT_CONNECTED)
3412 return false;
3413
3414 return true;
3415}
3416
3417static bool is_identity_address(bdaddr_t *addr, u8 addr_type)
3418{
3419 if (addr_type == ADDR_LE_DEV_PUBLIC)
3420 return true;
3421
3422 /* Check for Random Static address type */
3423 if ((addr->b[5] & 0xc0) == 0xc0)
3424 return true;
3425
3426 return false;
3427}
3428
3429/* This function requires the caller holds hdev->lock */
3430int hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
3431 u8 auto_connect, u16 conn_min_interval,
3432 u16 conn_max_interval)
3433{
3434 struct hci_conn_params *params;
3435
3436 if (!is_identity_address(addr, addr_type))
3437 return -EINVAL;
3438
3439 params = hci_conn_params_lookup(hdev, addr, addr_type);
3440 if (params)
3441 goto update;
3442
3443 params = kzalloc(sizeof(*params), GFP_KERNEL);
3444 if (!params) {
3445 BT_ERR("Out of memory");
3446 return -ENOMEM;
3447 }
3448
3449 bacpy(&params->addr, addr);
3450 params->addr_type = addr_type;
3451
3452 list_add(&params->list, &hdev->le_conn_params);
3453
3454update:
3455 params->conn_min_interval = conn_min_interval;
3456 params->conn_max_interval = conn_max_interval;
3457 params->auto_connect = auto_connect;
3458
3459 switch (auto_connect) {
3460 case HCI_AUTO_CONN_DISABLED:
3461 case HCI_AUTO_CONN_LINK_LOSS:
3462 hci_pend_le_conn_del(hdev, addr, addr_type);
3463 break;
3464 case HCI_AUTO_CONN_ALWAYS:
3465 if (!is_connected(hdev, addr, addr_type))
3466 hci_pend_le_conn_add(hdev, addr, addr_type);
3467 break;
3468 }
3469
3470 BT_DBG("addr %pMR (type %u) auto_connect %u conn_min_interval 0x%.4x "
3471 "conn_max_interval 0x%.4x", addr, addr_type, auto_connect,
3472 conn_min_interval, conn_max_interval);
3473
3474 return 0;
3475}
3476
3477/* This function requires the caller holds hdev->lock */
3478void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3479{
3480 struct hci_conn_params *params;
3481
3482 params = hci_conn_params_lookup(hdev, addr, addr_type);
3483 if (!params)
3484 return;
3485
3486 hci_pend_le_conn_del(hdev, addr, addr_type);
3487
3488 list_del(&params->list);
3489 kfree(params);
3490
3491 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3492}
3493
3494/* This function requires the caller holds hdev->lock */
3495void hci_conn_params_clear(struct hci_dev *hdev)
3496{
3497 struct hci_conn_params *params, *tmp;
3498
3499 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
3500 list_del(&params->list);
3501 kfree(params);
3502 }
3503
3504 BT_DBG("All LE connection parameters were removed");
3505}
3506
3507/* This function requires the caller holds hdev->lock */
3508struct bdaddr_list *hci_pend_le_conn_lookup(struct hci_dev *hdev,
3509 bdaddr_t *addr, u8 addr_type)
3510{
3511 struct bdaddr_list *entry;
3512
3513 list_for_each_entry(entry, &hdev->pend_le_conns, list) {
3514 if (bacmp(&entry->bdaddr, addr) == 0 &&
3515 entry->bdaddr_type == addr_type)
3516 return entry;
3517 }
3518
3519 return NULL;
3520}
3521
3522/* This function requires the caller holds hdev->lock */
3523void hci_pend_le_conn_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3524{
3525 struct bdaddr_list *entry;
3526
3527 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3528 if (entry)
3529 goto done;
3530
3531 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3532 if (!entry) {
3533 BT_ERR("Out of memory");
3534 return;
3535 }
3536
3537 bacpy(&entry->bdaddr, addr);
3538 entry->bdaddr_type = addr_type;
3539
3540 list_add(&entry->list, &hdev->pend_le_conns);
3541
3542 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3543
3544done:
3545 hci_update_background_scan(hdev);
3546}
3547
3548/* This function requires the caller holds hdev->lock */
3549void hci_pend_le_conn_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3550{
3551 struct bdaddr_list *entry;
3552
3553 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3554 if (!entry)
3555 goto done;
3556
3557 list_del(&entry->list);
3558 kfree(entry);
3559
3560 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3561
3562done:
3563 hci_update_background_scan(hdev);
3564}
3565
3566/* This function requires the caller holds hdev->lock */
3567void hci_pend_le_conns_clear(struct hci_dev *hdev)
3568{
3569 struct bdaddr_list *entry, *tmp;
3570
3571 list_for_each_entry_safe(entry, tmp, &hdev->pend_le_conns, list) {
3572 list_del(&entry->list);
3573 kfree(entry);
3574 }
3575
3576 BT_DBG("All LE pending connections cleared");
3577}
3578
2826static void inquiry_complete(struct hci_dev *hdev, u8 status) 3579static void inquiry_complete(struct hci_dev *hdev, u8 status)
2827{ 3580{
2828 if (status) { 3581 if (status) {
@@ -2882,7 +3635,6 @@ static void le_scan_disable_work(struct work_struct *work)
2882{ 3635{
2883 struct hci_dev *hdev = container_of(work, struct hci_dev, 3636 struct hci_dev *hdev = container_of(work, struct hci_dev,
2884 le_scan_disable.work); 3637 le_scan_disable.work);
2885 struct hci_cp_le_set_scan_enable cp;
2886 struct hci_request req; 3638 struct hci_request req;
2887 int err; 3639 int err;
2888 3640
@@ -2890,15 +3642,128 @@ static void le_scan_disable_work(struct work_struct *work)
2890 3642
2891 hci_req_init(&req, hdev); 3643 hci_req_init(&req, hdev);
2892 3644
2893 memset(&cp, 0, sizeof(cp)); 3645 hci_req_add_le_scan_disable(&req);
2894 cp.enable = LE_SCAN_DISABLE;
2895 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2896 3646
2897 err = hci_req_run(&req, le_scan_disable_work_complete); 3647 err = hci_req_run(&req, le_scan_disable_work_complete);
2898 if (err) 3648 if (err)
2899 BT_ERR("Disable LE scanning request failed: err %d", err); 3649 BT_ERR("Disable LE scanning request failed: err %d", err);
2900} 3650}
2901 3651
3652static void set_random_addr(struct hci_request *req, bdaddr_t *rpa)
3653{
3654 struct hci_dev *hdev = req->hdev;
3655
3656 /* If we're advertising or initiating an LE connection we can't
3657 * go ahead and change the random address at this time. This is
3658 * because the eventual initiator address used for the
3659 * subsequently created connection will be undefined (some
3660 * controllers use the new address and others the one we had
3661 * when the operation started).
3662 *
3663 * In this kind of scenario skip the update and let the random
3664 * address be updated at the next cycle.
3665 */
3666 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
3667 hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT)) {
3668 BT_DBG("Deferring random address update");
3669 return;
3670 }
3671
3672 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6, rpa);
3673}
3674
3675int hci_update_random_address(struct hci_request *req, bool require_privacy,
3676 u8 *own_addr_type)
3677{
3678 struct hci_dev *hdev = req->hdev;
3679 int err;
3680
3681 /* If privacy is enabled use a resolvable private address. If
3682 * current RPA has expired or there is something else than
3683 * the current RPA in use, then generate a new one.
3684 */
3685 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3686 int to;
3687
3688 *own_addr_type = ADDR_LE_DEV_RANDOM;
3689
3690 if (!test_and_clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags) &&
3691 !bacmp(&hdev->random_addr, &hdev->rpa))
3692 return 0;
3693
3694 err = smp_generate_rpa(hdev->tfm_aes, hdev->irk, &hdev->rpa);
3695 if (err < 0) {
3696 BT_ERR("%s failed to generate new RPA", hdev->name);
3697 return err;
3698 }
3699
3700 set_random_addr(req, &hdev->rpa);
3701
3702 to = msecs_to_jiffies(hdev->rpa_timeout * 1000);
3703 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, to);
3704
3705 return 0;
3706 }
3707
3708 /* In case of required privacy without resolvable private address,
3709 * use an unresolvable private address. This is useful for active
3710 * scanning and non-connectable advertising.
3711 */
3712 if (require_privacy) {
3713 bdaddr_t urpa;
3714
3715 get_random_bytes(&urpa, 6);
3716 urpa.b[5] &= 0x3f; /* Clear two most significant bits */
3717
3718 *own_addr_type = ADDR_LE_DEV_RANDOM;
3719 set_random_addr(req, &urpa);
3720 return 0;
3721 }
3722
3723 /* If forcing static address is in use or there is no public
3724 * address use the static address as random address (but skip
3725 * the HCI command if the current random address is already the
3726 * static one.
3727 */
3728 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3729 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3730 *own_addr_type = ADDR_LE_DEV_RANDOM;
3731 if (bacmp(&hdev->static_addr, &hdev->random_addr))
3732 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
3733 &hdev->static_addr);
3734 return 0;
3735 }
3736
3737 /* Neither privacy nor static address is being used so use a
3738 * public address.
3739 */
3740 *own_addr_type = ADDR_LE_DEV_PUBLIC;
3741
3742 return 0;
3743}
3744
3745/* Copy the Identity Address of the controller.
3746 *
3747 * If the controller has a public BD_ADDR, then by default use that one.
3748 * If this is a LE only controller without a public address, default to
3749 * the static random address.
3750 *
3751 * For debugging purposes it is possible to force controllers with a
3752 * public address to use the static random address instead.
3753 */
3754void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
3755 u8 *bdaddr_type)
3756{
3757 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3758 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3759 bacpy(bdaddr, &hdev->static_addr);
3760 *bdaddr_type = ADDR_LE_DEV_RANDOM;
3761 } else {
3762 bacpy(bdaddr, &hdev->bdaddr);
3763 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
3764 }
3765}
3766
2902/* Alloc HCI device */ 3767/* Alloc HCI device */
2903struct hci_dev *hci_alloc_dev(void) 3768struct hci_dev *hci_alloc_dev(void)
2904{ 3769{
@@ -2919,11 +3784,14 @@ struct hci_dev *hci_alloc_dev(void)
2919 hdev->sniff_max_interval = 800; 3784 hdev->sniff_max_interval = 800;
2920 hdev->sniff_min_interval = 80; 3785 hdev->sniff_min_interval = 80;
2921 3786
3787 hdev->le_adv_channel_map = 0x07;
2922 hdev->le_scan_interval = 0x0060; 3788 hdev->le_scan_interval = 0x0060;
2923 hdev->le_scan_window = 0x0030; 3789 hdev->le_scan_window = 0x0030;
2924 hdev->le_conn_min_interval = 0x0028; 3790 hdev->le_conn_min_interval = 0x0028;
2925 hdev->le_conn_max_interval = 0x0038; 3791 hdev->le_conn_max_interval = 0x0038;
2926 3792
3793 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3794
2927 mutex_init(&hdev->lock); 3795 mutex_init(&hdev->lock);
2928 mutex_init(&hdev->req_lock); 3796 mutex_init(&hdev->req_lock);
2929 3797
@@ -2932,7 +3800,11 @@ struct hci_dev *hci_alloc_dev(void)
2932 INIT_LIST_HEAD(&hdev->uuids); 3800 INIT_LIST_HEAD(&hdev->uuids);
2933 INIT_LIST_HEAD(&hdev->link_keys); 3801 INIT_LIST_HEAD(&hdev->link_keys);
2934 INIT_LIST_HEAD(&hdev->long_term_keys); 3802 INIT_LIST_HEAD(&hdev->long_term_keys);
3803 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2935 INIT_LIST_HEAD(&hdev->remote_oob_data); 3804 INIT_LIST_HEAD(&hdev->remote_oob_data);
3805 INIT_LIST_HEAD(&hdev->le_white_list);
3806 INIT_LIST_HEAD(&hdev->le_conn_params);
3807 INIT_LIST_HEAD(&hdev->pend_le_conns);
2936 INIT_LIST_HEAD(&hdev->conn_hash.list); 3808 INIT_LIST_HEAD(&hdev->conn_hash.list);
2937 3809
2938 INIT_WORK(&hdev->rx_work, hci_rx_work); 3810 INIT_WORK(&hdev->rx_work, hci_rx_work);
@@ -3017,9 +3889,18 @@ int hci_register_dev(struct hci_dev *hdev)
3017 3889
3018 dev_set_name(&hdev->dev, "%s", hdev->name); 3890 dev_set_name(&hdev->dev, "%s", hdev->name);
3019 3891
3892 hdev->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0,
3893 CRYPTO_ALG_ASYNC);
3894 if (IS_ERR(hdev->tfm_aes)) {
3895 BT_ERR("Unable to create crypto context");
3896 error = PTR_ERR(hdev->tfm_aes);
3897 hdev->tfm_aes = NULL;
3898 goto err_wqueue;
3899 }
3900
3020 error = device_add(&hdev->dev); 3901 error = device_add(&hdev->dev);
3021 if (error < 0) 3902 if (error < 0)
3022 goto err_wqueue; 3903 goto err_tfm;
3023 3904
3024 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 3905 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3025 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, 3906 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
@@ -3055,6 +3936,8 @@ int hci_register_dev(struct hci_dev *hdev)
3055 3936
3056 return id; 3937 return id;
3057 3938
3939err_tfm:
3940 crypto_free_blkcipher(hdev->tfm_aes);
3058err_wqueue: 3941err_wqueue:
3059 destroy_workqueue(hdev->workqueue); 3942 destroy_workqueue(hdev->workqueue);
3060 destroy_workqueue(hdev->req_workqueue); 3943 destroy_workqueue(hdev->req_workqueue);
@@ -3105,6 +3988,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
3105 rfkill_destroy(hdev->rfkill); 3988 rfkill_destroy(hdev->rfkill);
3106 } 3989 }
3107 3990
3991 if (hdev->tfm_aes)
3992 crypto_free_blkcipher(hdev->tfm_aes);
3993
3108 device_del(&hdev->dev); 3994 device_del(&hdev->dev);
3109 3995
3110 debugfs_remove_recursive(hdev->debugfs); 3996 debugfs_remove_recursive(hdev->debugfs);
@@ -3117,7 +4003,11 @@ void hci_unregister_dev(struct hci_dev *hdev)
3117 hci_uuids_clear(hdev); 4003 hci_uuids_clear(hdev);
3118 hci_link_keys_clear(hdev); 4004 hci_link_keys_clear(hdev);
3119 hci_smp_ltks_clear(hdev); 4005 hci_smp_ltks_clear(hdev);
4006 hci_smp_irks_clear(hdev);
3120 hci_remote_oob_data_clear(hdev); 4007 hci_remote_oob_data_clear(hdev);
4008 hci_white_list_clear(hdev);
4009 hci_conn_params_clear(hdev);
4010 hci_pend_le_conns_clear(hdev);
3121 hci_dev_unlock(hdev); 4011 hci_dev_unlock(hdev);
3122 4012
3123 hci_dev_put(hdev); 4013 hci_dev_put(hdev);
@@ -4345,3 +5235,102 @@ static void hci_cmd_work(struct work_struct *work)
4345 } 5235 }
4346 } 5236 }
4347} 5237}
5238
5239void hci_req_add_le_scan_disable(struct hci_request *req)
5240{
5241 struct hci_cp_le_set_scan_enable cp;
5242
5243 memset(&cp, 0, sizeof(cp));
5244 cp.enable = LE_SCAN_DISABLE;
5245 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
5246}
5247
5248void hci_req_add_le_passive_scan(struct hci_request *req)
5249{
5250 struct hci_cp_le_set_scan_param param_cp;
5251 struct hci_cp_le_set_scan_enable enable_cp;
5252 struct hci_dev *hdev = req->hdev;
5253 u8 own_addr_type;
5254
5255 /* Set require_privacy to true to avoid identification from
5256 * unknown peer devices. Since this is passive scanning, no
5257 * SCAN_REQ using the local identity should be sent. Mandating
5258 * privacy is just an extra precaution.
5259 */
5260 if (hci_update_random_address(req, true, &own_addr_type))
5261 return;
5262
5263 memset(&param_cp, 0, sizeof(param_cp));
5264 param_cp.type = LE_SCAN_PASSIVE;
5265 param_cp.interval = cpu_to_le16(hdev->le_scan_interval);
5266 param_cp.window = cpu_to_le16(hdev->le_scan_window);
5267 param_cp.own_address_type = own_addr_type;
5268 hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
5269 &param_cp);
5270
5271 memset(&enable_cp, 0, sizeof(enable_cp));
5272 enable_cp.enable = LE_SCAN_ENABLE;
5273 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_DISABLE;
5274 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
5275 &enable_cp);
5276}
5277
5278static void update_background_scan_complete(struct hci_dev *hdev, u8 status)
5279{
5280 if (status)
5281 BT_DBG("HCI request failed to update background scanning: "
5282 "status 0x%2.2x", status);
5283}
5284
5285/* This function controls the background scanning based on hdev->pend_le_conns
5286 * list. If there are pending LE connection we start the background scanning,
5287 * otherwise we stop it.
5288 *
5289 * This function requires the caller holds hdev->lock.
5290 */
5291void hci_update_background_scan(struct hci_dev *hdev)
5292{
5293 struct hci_request req;
5294 struct hci_conn *conn;
5295 int err;
5296
5297 hci_req_init(&req, hdev);
5298
5299 if (list_empty(&hdev->pend_le_conns)) {
5300 /* If there is no pending LE connections, we should stop
5301 * the background scanning.
5302 */
5303
5304 /* If controller is not scanning we are done. */
5305 if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5306 return;
5307
5308 hci_req_add_le_scan_disable(&req);
5309
5310 BT_DBG("%s stopping background scanning", hdev->name);
5311 } else {
5312 /* If there is at least one pending LE connection, we should
5313 * keep the background scan running.
5314 */
5315
5316 /* If controller is already scanning we are done. */
5317 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5318 return;
5319
5320 /* If controller is connecting, we should not start scanning
5321 * since some controllers are not able to scan and connect at
5322 * the same time.
5323 */
5324 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
5325 if (conn)
5326 return;
5327
5328 hci_req_add_le_passive_scan(&req);
5329
5330 BT_DBG("%s starting background scanning", hdev->name);
5331 }
5332
5333 err = hci_req_run(&req, update_background_scan_complete);
5334 if (err)
5335 BT_ERR("Failed to run HCI request: err %d", err);
5336}
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 5f812455a450..c3b0a08f5ab4 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -461,6 +461,34 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
461 } 461 }
462} 462}
463 463
464static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
465{
466 u8 status = *((u8 *) skb->data);
467 struct hci_cp_write_sc_support *sent;
468
469 BT_DBG("%s status 0x%2.2x", hdev->name, status);
470
471 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
472 if (!sent)
473 return;
474
475 if (!status) {
476 if (sent->support)
477 hdev->features[1][0] |= LMP_HOST_SC;
478 else
479 hdev->features[1][0] &= ~LMP_HOST_SC;
480 }
481
482 if (test_bit(HCI_MGMT, &hdev->dev_flags))
483 mgmt_sc_enable_complete(hdev, sent->support, status);
484 else if (!status) {
485 if (sent->support)
486 set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
487 else
488 clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
489 }
490}
491
464static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 492static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
465{ 493{
466 struct hci_rp_read_local_version *rp = (void *) skb->data; 494 struct hci_rp_read_local_version *rp = (void *) skb->data;
@@ -904,16 +932,50 @@ static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
904 hci_dev_unlock(hdev); 932 hci_dev_unlock(hdev);
905} 933}
906 934
907static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev, 935static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
908 struct sk_buff *skb) 936 struct sk_buff *skb)
909{ 937{
910 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 938 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
911 939
912 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 940 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
913 941
914 hci_dev_lock(hdev); 942 hci_dev_lock(hdev);
915 mgmt_read_local_oob_data_reply_complete(hdev, rp->hash, 943 mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
916 rp->randomizer, rp->status); 944 NULL, NULL, rp->status);
945 hci_dev_unlock(hdev);
946}
947
948static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
949 struct sk_buff *skb)
950{
951 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
952
953 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
954
955 hci_dev_lock(hdev);
956 mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
957 rp->hash256, rp->randomizer256,
958 rp->status);
959 hci_dev_unlock(hdev);
960}
961
962
963static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
964{
965 __u8 status = *((__u8 *) skb->data);
966 bdaddr_t *sent;
967
968 BT_DBG("%s status 0x%2.2x", hdev->name, status);
969
970 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
971 if (!sent)
972 return;
973
974 hci_dev_lock(hdev);
975
976 if (!status)
977 bacpy(&hdev->random_addr, sent);
978
917 hci_dev_unlock(hdev); 979 hci_dev_unlock(hdev);
918} 980}
919 981
@@ -929,12 +991,8 @@ static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
929 991
930 hci_dev_lock(hdev); 992 hci_dev_lock(hdev);
931 993
932 if (!status) { 994 if (!status)
933 if (*sent) 995 mgmt_advertising(hdev, *sent);
934 set_bit(HCI_ADVERTISING, &hdev->dev_flags);
935 else
936 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
937 }
938 996
939 hci_dev_unlock(hdev); 997 hci_dev_unlock(hdev);
940} 998}
@@ -960,7 +1018,19 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
960 break; 1018 break;
961 1019
962 case LE_SCAN_DISABLE: 1020 case LE_SCAN_DISABLE:
1021 /* Cancel this timer so that we don't try to disable scanning
1022 * when it's already disabled.
1023 */
1024 cancel_delayed_work(&hdev->le_scan_disable);
1025
963 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1026 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1027 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1028 * interrupted scanning due to a connect request. Mark
1029 * therefore discovery as stopped.
1030 */
1031 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1032 &hdev->dev_flags))
1033 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
964 break; 1034 break;
965 1035
966 default: 1036 default:
@@ -980,6 +1050,49 @@ static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
980 hdev->le_white_list_size = rp->size; 1050 hdev->le_white_list_size = rp->size;
981} 1051}
982 1052
1053static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1054 struct sk_buff *skb)
1055{
1056 __u8 status = *((__u8 *) skb->data);
1057
1058 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1059
1060 if (!status)
1061 hci_white_list_clear(hdev);
1062}
1063
1064static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1065 struct sk_buff *skb)
1066{
1067 struct hci_cp_le_add_to_white_list *sent;
1068 __u8 status = *((__u8 *) skb->data);
1069
1070 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1071
1072 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1073 if (!sent)
1074 return;
1075
1076 if (!status)
1077 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type);
1078}
1079
1080static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1081 struct sk_buff *skb)
1082{
1083 struct hci_cp_le_del_from_white_list *sent;
1084 __u8 status = *((__u8 *) skb->data);
1085
1086 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1087
1088 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1089 if (!sent)
1090 return;
1091
1092 if (!status)
1093 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type);
1094}
1095
983static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1096static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
984 struct sk_buff *skb) 1097 struct sk_buff *skb)
985{ 1098{
@@ -1020,6 +1133,25 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1020 } 1133 }
1021} 1134}
1022 1135
1136static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1137{
1138 struct hci_cp_le_set_adv_param *cp;
1139 u8 status = *((u8 *) skb->data);
1140
1141 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1142
1143 if (status)
1144 return;
1145
1146 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1147 if (!cp)
1148 return;
1149
1150 hci_dev_lock(hdev);
1151 hdev->adv_addr_type = cp->own_address_type;
1152 hci_dev_unlock(hdev);
1153}
1154
1023static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev, 1155static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1024 struct sk_buff *skb) 1156 struct sk_buff *skb)
1025{ 1157{
@@ -1185,9 +1317,12 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1185 return 0; 1317 return 0;
1186 1318
1187 /* Only request authentication for SSP connections or non-SSP 1319 /* Only request authentication for SSP connections or non-SSP
1188 * devices with sec_level HIGH or if MITM protection is requested */ 1320 * devices with sec_level MEDIUM or HIGH or if MITM protection
1321 * is requested.
1322 */
1189 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1323 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1190 conn->pending_sec_level != BT_SECURITY_HIGH) 1324 conn->pending_sec_level != BT_SECURITY_HIGH &&
1325 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1191 return 0; 1326 return 0;
1192 1327
1193 return 1; 1328 return 1;
@@ -1518,6 +1653,57 @@ static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1518 amp_write_remote_assoc(hdev, cp->phy_handle); 1653 amp_write_remote_assoc(hdev, cp->phy_handle);
1519} 1654}
1520 1655
1656static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1657{
1658 struct hci_cp_le_create_conn *cp;
1659 struct hci_conn *conn;
1660
1661 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1662
1663 /* All connection failure handling is taken care of by the
1664 * hci_le_conn_failed function which is triggered by the HCI
1665 * request completion callbacks used for connecting.
1666 */
1667 if (status)
1668 return;
1669
1670 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1671 if (!cp)
1672 return;
1673
1674 hci_dev_lock(hdev);
1675
1676 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1677 if (!conn)
1678 goto unlock;
1679
1680 /* Store the initiator and responder address information which
1681 * is needed for SMP. These values will not change during the
1682 * lifetime of the connection.
1683 */
1684 conn->init_addr_type = cp->own_address_type;
1685 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1686 bacpy(&conn->init_addr, &hdev->random_addr);
1687 else
1688 bacpy(&conn->init_addr, &hdev->bdaddr);
1689
1690 conn->resp_addr_type = cp->peer_addr_type;
1691 bacpy(&conn->resp_addr, &cp->peer_addr);
1692
1693 /* We don't want the connection attempt to stick around
1694 * indefinitely since LE doesn't have a page timeout concept
1695 * like BR/EDR. Set a timer for any connection that doesn't use
1696 * the white list for connecting.
1697 */
1698 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1699 queue_delayed_work(conn->hdev->workqueue,
1700 &conn->le_conn_timeout,
1701 HCI_LE_CONN_TIMEOUT);
1702
1703unlock:
1704 hci_dev_unlock(hdev);
1705}
1706
1521static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1707static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1522{ 1708{
1523 __u8 status = *((__u8 *) skb->data); 1709 __u8 status = *((__u8 *) skb->data);
@@ -1659,7 +1845,7 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1659 } else { 1845 } else {
1660 conn->state = BT_CLOSED; 1846 conn->state = BT_CLOSED;
1661 if (conn->type == ACL_LINK) 1847 if (conn->type == ACL_LINK)
1662 mgmt_connect_failed(hdev, &ev->bdaddr, conn->type, 1848 mgmt_connect_failed(hdev, &conn->dst, conn->type,
1663 conn->dst_type, ev->status); 1849 conn->dst_type, ev->status);
1664 } 1850 }
1665 1851
@@ -1780,7 +1966,9 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1780{ 1966{
1781 struct hci_ev_disconn_complete *ev = (void *) skb->data; 1967 struct hci_ev_disconn_complete *ev = (void *) skb->data;
1782 u8 reason = hci_to_mgmt_reason(ev->reason); 1968 u8 reason = hci_to_mgmt_reason(ev->reason);
1969 struct hci_conn_params *params;
1783 struct hci_conn *conn; 1970 struct hci_conn *conn;
1971 bool mgmt_connected;
1784 u8 type; 1972 u8 type;
1785 1973
1786 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 1974 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
@@ -1799,13 +1987,30 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1799 1987
1800 conn->state = BT_CLOSED; 1988 conn->state = BT_CLOSED;
1801 1989
1802 if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1990 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
1803 mgmt_device_disconnected(hdev, &conn->dst, conn->type, 1991 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
1804 conn->dst_type, reason); 1992 reason, mgmt_connected);
1805 1993
1806 if (conn->type == ACL_LINK && conn->flush_key) 1994 if (conn->type == ACL_LINK && conn->flush_key)
1807 hci_remove_link_key(hdev, &conn->dst); 1995 hci_remove_link_key(hdev, &conn->dst);
1808 1996
1997 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1998 if (params) {
1999 switch (params->auto_connect) {
2000 case HCI_AUTO_CONN_LINK_LOSS:
2001 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2002 break;
2003 /* Fall through */
2004
2005 case HCI_AUTO_CONN_ALWAYS:
2006 hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type);
2007 break;
2008
2009 default:
2010 break;
2011 }
2012 }
2013
1809 type = conn->type; 2014 type = conn->type;
1810 2015
1811 hci_proto_disconn_cfm(conn, ev->reason); 2016 hci_proto_disconn_cfm(conn, ev->reason);
@@ -1943,35 +2148,46 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
1943 hci_dev_lock(hdev); 2148 hci_dev_lock(hdev);
1944 2149
1945 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2150 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1946 if (conn) { 2151 if (!conn)
1947 if (!ev->status) { 2152 goto unlock;
1948 if (ev->encrypt) {
1949 /* Encryption implies authentication */
1950 conn->link_mode |= HCI_LM_AUTH;
1951 conn->link_mode |= HCI_LM_ENCRYPT;
1952 conn->sec_level = conn->pending_sec_level;
1953 } else
1954 conn->link_mode &= ~HCI_LM_ENCRYPT;
1955 }
1956 2153
1957 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2154 if (!ev->status) {
2155 if (ev->encrypt) {
2156 /* Encryption implies authentication */
2157 conn->link_mode |= HCI_LM_AUTH;
2158 conn->link_mode |= HCI_LM_ENCRYPT;
2159 conn->sec_level = conn->pending_sec_level;
1958 2160
1959 if (ev->status && conn->state == BT_CONNECTED) { 2161 /* P-256 authentication key implies FIPS */
1960 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2162 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
1961 hci_conn_drop(conn); 2163 conn->link_mode |= HCI_LM_FIPS;
1962 goto unlock; 2164
2165 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2166 conn->type == LE_LINK)
2167 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2168 } else {
2169 conn->link_mode &= ~HCI_LM_ENCRYPT;
2170 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
1963 } 2171 }
2172 }
1964 2173
1965 if (conn->state == BT_CONFIG) { 2174 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1966 if (!ev->status)
1967 conn->state = BT_CONNECTED;
1968 2175
1969 hci_proto_connect_cfm(conn, ev->status); 2176 if (ev->status && conn->state == BT_CONNECTED) {
1970 hci_conn_drop(conn); 2177 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1971 } else 2178 hci_conn_drop(conn);
1972 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2179 goto unlock;
1973 } 2180 }
1974 2181
2182 if (conn->state == BT_CONFIG) {
2183 if (!ev->status)
2184 conn->state = BT_CONNECTED;
2185
2186 hci_proto_connect_cfm(conn, ev->status);
2187 hci_conn_drop(conn);
2188 } else
2189 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2190
1975unlock: 2191unlock:
1976 hci_dev_unlock(hdev); 2192 hci_dev_unlock(hdev);
1977} 2193}
@@ -2144,6 +2360,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2144 hci_cc_write_ssp_mode(hdev, skb); 2360 hci_cc_write_ssp_mode(hdev, skb);
2145 break; 2361 break;
2146 2362
2363 case HCI_OP_WRITE_SC_SUPPORT:
2364 hci_cc_write_sc_support(hdev, skb);
2365 break;
2366
2147 case HCI_OP_READ_LOCAL_VERSION: 2367 case HCI_OP_READ_LOCAL_VERSION:
2148 hci_cc_read_local_version(hdev, skb); 2368 hci_cc_read_local_version(hdev, skb);
2149 break; 2369 break;
@@ -2213,7 +2433,11 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2213 break; 2433 break;
2214 2434
2215 case HCI_OP_READ_LOCAL_OOB_DATA: 2435 case HCI_OP_READ_LOCAL_OOB_DATA:
2216 hci_cc_read_local_oob_data_reply(hdev, skb); 2436 hci_cc_read_local_oob_data(hdev, skb);
2437 break;
2438
2439 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2440 hci_cc_read_local_oob_ext_data(hdev, skb);
2217 break; 2441 break;
2218 2442
2219 case HCI_OP_LE_READ_BUFFER_SIZE: 2443 case HCI_OP_LE_READ_BUFFER_SIZE:
@@ -2244,6 +2468,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2244 hci_cc_user_passkey_neg_reply(hdev, skb); 2468 hci_cc_user_passkey_neg_reply(hdev, skb);
2245 break; 2469 break;
2246 2470
2471 case HCI_OP_LE_SET_RANDOM_ADDR:
2472 hci_cc_le_set_random_addr(hdev, skb);
2473 break;
2474
2247 case HCI_OP_LE_SET_ADV_ENABLE: 2475 case HCI_OP_LE_SET_ADV_ENABLE:
2248 hci_cc_le_set_adv_enable(hdev, skb); 2476 hci_cc_le_set_adv_enable(hdev, skb);
2249 break; 2477 break;
@@ -2256,6 +2484,18 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2256 hci_cc_le_read_white_list_size(hdev, skb); 2484 hci_cc_le_read_white_list_size(hdev, skb);
2257 break; 2485 break;
2258 2486
2487 case HCI_OP_LE_CLEAR_WHITE_LIST:
2488 hci_cc_le_clear_white_list(hdev, skb);
2489 break;
2490
2491 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2492 hci_cc_le_add_to_white_list(hdev, skb);
2493 break;
2494
2495 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2496 hci_cc_le_del_from_white_list(hdev, skb);
2497 break;
2498
2259 case HCI_OP_LE_READ_SUPPORTED_STATES: 2499 case HCI_OP_LE_READ_SUPPORTED_STATES:
2260 hci_cc_le_read_supported_states(hdev, skb); 2500 hci_cc_le_read_supported_states(hdev, skb);
2261 break; 2501 break;
@@ -2264,6 +2504,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2264 hci_cc_write_le_host_supported(hdev, skb); 2504 hci_cc_write_le_host_supported(hdev, skb);
2265 break; 2505 break;
2266 2506
2507 case HCI_OP_LE_SET_ADV_PARAM:
2508 hci_cc_set_adv_param(hdev, skb);
2509 break;
2510
2267 case HCI_OP_WRITE_REMOTE_AMP_ASSOC: 2511 case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2268 hci_cc_write_remote_amp_assoc(hdev, skb); 2512 hci_cc_write_remote_amp_assoc(hdev, skb);
2269 break; 2513 break;
@@ -2351,6 +2595,10 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2351 hci_cs_accept_phylink(hdev, ev->status); 2595 hci_cs_accept_phylink(hdev, ev->status);
2352 break; 2596 break;
2353 2597
2598 case HCI_OP_LE_CREATE_CONN:
2599 hci_cs_le_create_conn(hdev, ev->status);
2600 break;
2601
2354 default: 2602 default:
2355 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2603 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2356 break; 2604 break;
@@ -2630,7 +2878,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2630 2878
2631 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2879 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2632 if (conn) { 2880 if (conn) {
2633 if (key->type == HCI_LK_UNAUTH_COMBINATION && 2881 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2882 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2634 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 2883 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
2635 BT_DBG("%s ignoring unauthenticated key", hdev->name); 2884 BT_DBG("%s ignoring unauthenticated key", hdev->name);
2636 goto not_found; 2885 goto not_found;
@@ -2844,6 +3093,9 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2844 * features do not indicate SSP support */ 3093 * features do not indicate SSP support */
2845 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3094 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2846 } 3095 }
3096
3097 if (ev->features[0] & LMP_HOST_SC)
3098 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
2847 } 3099 }
2848 3100
2849 if (conn->state != BT_CONFIG) 3101 if (conn->state != BT_CONFIG)
@@ -3337,20 +3589,36 @@ static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3337 3589
3338 data = hci_find_remote_oob_data(hdev, &ev->bdaddr); 3590 data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3339 if (data) { 3591 if (data) {
3340 struct hci_cp_remote_oob_data_reply cp; 3592 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3593 struct hci_cp_remote_oob_ext_data_reply cp;
3341 3594
3342 bacpy(&cp.bdaddr, &ev->bdaddr); 3595 bacpy(&cp.bdaddr, &ev->bdaddr);
3343 memcpy(cp.hash, data->hash, sizeof(cp.hash)); 3596 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3344 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer)); 3597 memcpy(cp.randomizer192, data->randomizer192,
3598 sizeof(cp.randomizer192));
3599 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3600 memcpy(cp.randomizer256, data->randomizer256,
3601 sizeof(cp.randomizer256));
3602
3603 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3604 sizeof(cp), &cp);
3605 } else {
3606 struct hci_cp_remote_oob_data_reply cp;
3607
3608 bacpy(&cp.bdaddr, &ev->bdaddr);
3609 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3610 memcpy(cp.randomizer, data->randomizer192,
3611 sizeof(cp.randomizer));
3345 3612
3346 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp), 3613 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3347 &cp); 3614 sizeof(cp), &cp);
3615 }
3348 } else { 3616 } else {
3349 struct hci_cp_remote_oob_data_neg_reply cp; 3617 struct hci_cp_remote_oob_data_neg_reply cp;
3350 3618
3351 bacpy(&cp.bdaddr, &ev->bdaddr); 3619 bacpy(&cp.bdaddr, &ev->bdaddr);
3352 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp), 3620 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3353 &cp); 3621 sizeof(cp), &cp);
3354 } 3622 }
3355 3623
3356unlock: 3624unlock:
@@ -3484,6 +3752,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3484{ 3752{
3485 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 3753 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3486 struct hci_conn *conn; 3754 struct hci_conn *conn;
3755 struct smp_irk *irk;
3487 3756
3488 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3757 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3489 3758
@@ -3514,19 +3783,70 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3514 conn->out = true; 3783 conn->out = true;
3515 conn->link_mode |= HCI_LM_MASTER; 3784 conn->link_mode |= HCI_LM_MASTER;
3516 } 3785 }
3786
3787 /* If we didn't have a hci_conn object previously
3788 * but we're in master role this must be something
3789 * initiated using a white list. Since white list based
3790 * connections are not "first class citizens" we don't
3791 * have full tracking of them. Therefore, we go ahead
3792 * with a "best effort" approach of determining the
3793 * initiator address based on the HCI_PRIVACY flag.
3794 */
3795 if (conn->out) {
3796 conn->resp_addr_type = ev->bdaddr_type;
3797 bacpy(&conn->resp_addr, &ev->bdaddr);
3798 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3799 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
3800 bacpy(&conn->init_addr, &hdev->rpa);
3801 } else {
3802 hci_copy_identity_address(hdev,
3803 &conn->init_addr,
3804 &conn->init_addr_type);
3805 }
3806 } else {
3807 /* Set the responder (our side) address type based on
3808 * the advertising address type.
3809 */
3810 conn->resp_addr_type = hdev->adv_addr_type;
3811 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3812 bacpy(&conn->resp_addr, &hdev->random_addr);
3813 else
3814 bacpy(&conn->resp_addr, &hdev->bdaddr);
3815
3816 conn->init_addr_type = ev->bdaddr_type;
3817 bacpy(&conn->init_addr, &ev->bdaddr);
3818 }
3819 } else {
3820 cancel_delayed_work(&conn->le_conn_timeout);
3821 }
3822
3823 /* Ensure that the hci_conn contains the identity address type
3824 * regardless of which address the connection was made with.
3825 */
3826 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
3827
3828 /* Lookup the identity address from the stored connection
3829 * address and address type.
3830 *
3831 * When establishing connections to an identity address, the
3832 * connection procedure will store the resolvable random
3833 * address first. Now if it can be converted back into the
3834 * identity address, start using the identity address from
3835 * now on.
3836 */
3837 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
3838 if (irk) {
3839 bacpy(&conn->dst, &irk->bdaddr);
3840 conn->dst_type = irk->addr_type;
3517 } 3841 }
3518 3842
3519 if (ev->status) { 3843 if (ev->status) {
3520 mgmt_connect_failed(hdev, &conn->dst, conn->type, 3844 hci_le_conn_failed(conn, ev->status);
3521 conn->dst_type, ev->status);
3522 hci_proto_connect_cfm(conn, ev->status);
3523 conn->state = BT_CLOSED;
3524 hci_conn_del(conn);
3525 goto unlock; 3845 goto unlock;
3526 } 3846 }
3527 3847
3528 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3848 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3529 mgmt_device_connected(hdev, &ev->bdaddr, conn->type, 3849 mgmt_device_connected(hdev, &conn->dst, conn->type,
3530 conn->dst_type, 0, NULL, 0, NULL); 3850 conn->dst_type, 0, NULL, 0, NULL);
3531 3851
3532 conn->sec_level = BT_SECURITY_LOW; 3852 conn->sec_level = BT_SECURITY_LOW;
@@ -3540,25 +3860,73 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3540 3860
3541 hci_proto_connect_cfm(conn, ev->status); 3861 hci_proto_connect_cfm(conn, ev->status);
3542 3862
3863 hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type);
3864
3543unlock: 3865unlock:
3544 hci_dev_unlock(hdev); 3866 hci_dev_unlock(hdev);
3545} 3867}
3546 3868
3869/* This function requires the caller holds hdev->lock */
3870static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3871 u8 addr_type)
3872{
3873 struct hci_conn *conn;
3874 struct smp_irk *irk;
3875
3876 /* If this is a resolvable address, we should resolve it and then
3877 * update address and address type variables.
3878 */
3879 irk = hci_get_irk(hdev, addr, addr_type);
3880 if (irk) {
3881 addr = &irk->bdaddr;
3882 addr_type = irk->addr_type;
3883 }
3884
3885 if (!hci_pend_le_conn_lookup(hdev, addr, addr_type))
3886 return;
3887
3888 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
3889 HCI_AT_NO_BONDING);
3890 if (!IS_ERR(conn))
3891 return;
3892
3893 switch (PTR_ERR(conn)) {
3894 case -EBUSY:
3895 /* If hci_connect() returns -EBUSY it means there is already
3896 * an LE connection attempt going on. Since controllers don't
3897 * support more than one connection attempt at the time, we
3898 * don't consider this an error case.
3899 */
3900 break;
3901 default:
3902 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
3903 }
3904}
3905
3547static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 3906static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3548{ 3907{
3549 u8 num_reports = skb->data[0]; 3908 u8 num_reports = skb->data[0];
3550 void *ptr = &skb->data[1]; 3909 void *ptr = &skb->data[1];
3551 s8 rssi; 3910 s8 rssi;
3552 3911
3912 hci_dev_lock(hdev);
3913
3553 while (num_reports--) { 3914 while (num_reports--) {
3554 struct hci_ev_le_advertising_info *ev = ptr; 3915 struct hci_ev_le_advertising_info *ev = ptr;
3555 3916
3917 if (ev->evt_type == LE_ADV_IND ||
3918 ev->evt_type == LE_ADV_DIRECT_IND)
3919 check_pending_le_conn(hdev, &ev->bdaddr,
3920 ev->bdaddr_type);
3921
3556 rssi = ev->data[ev->length]; 3922 rssi = ev->data[ev->length];
3557 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type, 3923 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type,
3558 NULL, rssi, 0, 1, ev->data, ev->length); 3924 NULL, rssi, 0, 1, ev->data, ev->length);
3559 3925
3560 ptr += sizeof(*ev) + ev->length + 1; 3926 ptr += sizeof(*ev) + ev->length + 1;
3561 } 3927 }
3928
3929 hci_dev_unlock(hdev);
3562} 3930}
3563 3931
3564static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3932static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -3577,7 +3945,7 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3577 if (conn == NULL) 3945 if (conn == NULL)
3578 goto not_found; 3946 goto not_found;
3579 3947
3580 ltk = hci_find_ltk(hdev, ev->ediv, ev->random); 3948 ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out);
3581 if (ltk == NULL) 3949 if (ltk == NULL)
3582 goto not_found; 3950 goto not_found;
3583 3951
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 7552f9e3089c..68e51a84e72d 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -716,6 +716,7 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
716 err = hci_dev_open(hdev->id); 716 err = hci_dev_open(hdev->id);
717 if (err) { 717 if (err) {
718 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags); 718 clear_bit(HCI_USER_CHANNEL, &hdev->dev_flags);
719 mgmt_index_added(hdev);
719 hci_dev_put(hdev); 720 hci_dev_put(hdev);
720 goto done; 721 goto done;
721 } 722 }
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 0b61250cfdf9..555982a78a58 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -49,14 +49,7 @@ static struct attribute *bt_link_attrs[] = {
49 NULL 49 NULL
50}; 50};
51 51
52static struct attribute_group bt_link_group = { 52ATTRIBUTE_GROUPS(bt_link);
53 .attrs = bt_link_attrs,
54};
55
56static const struct attribute_group *bt_link_groups[] = {
57 &bt_link_group,
58 NULL
59};
60 53
61static void bt_link_release(struct device *dev) 54static void bt_link_release(struct device *dev)
62{ 55{
@@ -182,14 +175,7 @@ static struct attribute *bt_host_attrs[] = {
182 NULL 175 NULL
183}; 176};
184 177
185static struct attribute_group bt_host_group = { 178ATTRIBUTE_GROUPS(bt_host);
186 .attrs = bt_host_attrs,
187};
188
189static const struct attribute_group *bt_host_groups[] = {
190 &bt_host_group,
191 NULL
192};
193 179
194static void bt_host_release(struct device *dev) 180static void bt_host_release(struct device *dev)
195{ 181{
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b0ad2c752d73..9ed2168fa59f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -42,6 +42,8 @@
42#include "amp.h" 42#include "amp.h"
43#include "6lowpan.h" 43#include "6lowpan.h"
44 44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
45bool disable_ertm; 47bool disable_ertm;
46 48
47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 49static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
@@ -330,44 +332,20 @@ static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331} 333}
332 334
333static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq) 335static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
334{ 336{
337 u16 seq = seq_list->head;
335 u16 mask = seq_list->mask; 338 u16 mask = seq_list->mask;
336 339
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) { 340 seq_list->head = seq_list->list[seq & mask];
338 /* In case someone tries to pop the head of an empty list */ 341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341 /* Head can be removed in constant time */
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350 /* Walk the list to find the sequence number */
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357 342
358 /* Unlink the number from the list and clear it */ 343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
359 seq_list->list[prev & mask] = seq_list->list[seq & mask]; 344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 } 346 }
364 return seq;
365}
366 347
367static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 348 return seq;
368{
369 /* Remove the head in constant time */
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371} 349}
372 350
373static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 351static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
@@ -506,7 +484,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
506 chan->sdu_len = 0; 484 chan->sdu_len = 0;
507 chan->tx_credits = 0; 485 chan->tx_credits = 0;
508 chan->rx_credits = le_max_credits; 486 chan->rx_credits = le_max_credits;
509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS); 487 chan->mps = min_t(u16, chan->imtu, le_default_mps);
510 488
511 skb_queue_head_init(&chan->tx_q); 489 skb_queue_head_init(&chan->tx_q);
512} 490}
@@ -522,18 +500,10 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
522 500
523 switch (chan->chan_type) { 501 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED: 502 case L2CAP_CHAN_CONN_ORIENTED:
525 if (conn->hcon->type == LE_LINK) { 503 /* Alloc CID for connection-oriented socket */
526 if (chan->dcid == L2CAP_CID_ATT) { 504 chan->scid = l2cap_alloc_cid(conn);
527 chan->omtu = L2CAP_DEFAULT_MTU; 505 if (conn->hcon->type == ACL_LINK)
528 chan->scid = L2CAP_CID_ATT;
529 } else {
530 chan->scid = l2cap_alloc_cid(conn);
531 }
532 } else {
533 /* Alloc CID for connection-oriented socket */
534 chan->scid = l2cap_alloc_cid(conn);
535 chan->omtu = L2CAP_DEFAULT_MTU; 506 chan->omtu = L2CAP_DEFAULT_MTU;
536 }
537 break; 507 break;
538 508
539 case L2CAP_CHAN_CONN_LESS: 509 case L2CAP_CHAN_CONN_LESS:
@@ -543,11 +513,8 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
543 chan->omtu = L2CAP_DEFAULT_MTU; 513 chan->omtu = L2CAP_DEFAULT_MTU;
544 break; 514 break;
545 515
546 case L2CAP_CHAN_CONN_FIX_A2MP: 516 case L2CAP_CHAN_FIXED:
547 chan->scid = L2CAP_CID_A2MP; 517 /* Caller will set CID and CID specific MTU values */
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break; 518 break;
552 519
553 default: 520 default:
@@ -595,7 +562,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
595 562
596 chan->conn = NULL; 563 chan->conn = NULL;
597 564
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP) 565 if (chan->scid != L2CAP_CID_A2MP)
599 hci_conn_drop(conn->hcon); 566 hci_conn_drop(conn->hcon);
600 567
601 if (mgr && mgr->bredr_chan == chan) 568 if (mgr && mgr->bredr_chan == chan)
@@ -642,6 +609,23 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
642 return; 609 return;
643} 610}
644 611
612void l2cap_conn_update_id_addr(struct hci_conn *hcon)
613{
614 struct l2cap_conn *conn = hcon->l2cap_data;
615 struct l2cap_chan *chan;
616
617 mutex_lock(&conn->chan_lock);
618
619 list_for_each_entry(chan, &conn->chan_l, list) {
620 l2cap_chan_lock(chan);
621 bacpy(&chan->dst, &hcon->dst);
622 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
623 l2cap_chan_unlock(chan);
624 }
625
626 mutex_unlock(&conn->chan_lock);
627}
628
645static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 629static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646{ 630{
647 struct l2cap_conn *conn = chan->conn; 631 struct l2cap_conn *conn = chan->conn;
@@ -699,10 +683,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
699 683
700 case BT_CONNECTED: 684 case BT_CONNECTED:
701 case BT_CONFIG: 685 case BT_CONFIG:
702 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also 686 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
703 * check for chan->psm.
704 */
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 687 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
707 l2cap_send_disconn_req(chan, reason); 688 l2cap_send_disconn_req(chan, reason);
708 } else 689 } else
@@ -737,6 +718,7 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
737 case L2CAP_CHAN_RAW: 718 case L2CAP_CHAN_RAW:
738 switch (chan->sec_level) { 719 switch (chan->sec_level) {
739 case BT_SECURITY_HIGH: 720 case BT_SECURITY_HIGH:
721 case BT_SECURITY_FIPS:
740 return HCI_AT_DEDICATED_BONDING_MITM; 722 return HCI_AT_DEDICATED_BONDING_MITM;
741 case BT_SECURITY_MEDIUM: 723 case BT_SECURITY_MEDIUM:
742 return HCI_AT_DEDICATED_BONDING; 724 return HCI_AT_DEDICATED_BONDING;
@@ -749,7 +731,8 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
749 if (chan->sec_level == BT_SECURITY_LOW) 731 if (chan->sec_level == BT_SECURITY_LOW)
750 chan->sec_level = BT_SECURITY_SDP; 732 chan->sec_level = BT_SECURITY_SDP;
751 } 733 }
752 if (chan->sec_level == BT_SECURITY_HIGH) 734 if (chan->sec_level == BT_SECURITY_HIGH ||
735 chan->sec_level == BT_SECURITY_FIPS)
753 return HCI_AT_NO_BONDING_MITM; 736 return HCI_AT_NO_BONDING_MITM;
754 else 737 else
755 return HCI_AT_NO_BONDING; 738 return HCI_AT_NO_BONDING;
@@ -759,7 +742,8 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
759 if (chan->sec_level == BT_SECURITY_LOW) 742 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP; 743 chan->sec_level = BT_SECURITY_SDP;
761 744
762 if (chan->sec_level == BT_SECURITY_HIGH) 745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
763 return HCI_AT_NO_BONDING_MITM; 747 return HCI_AT_NO_BONDING_MITM;
764 else 748 else
765 return HCI_AT_NO_BONDING; 749 return HCI_AT_NO_BONDING;
@@ -768,6 +752,7 @@ static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
768 default: 752 default:
769 switch (chan->sec_level) { 753 switch (chan->sec_level) {
770 case BT_SECURITY_HIGH: 754 case BT_SECURITY_HIGH:
755 case BT_SECURITY_FIPS:
771 return HCI_AT_GENERAL_BONDING_MITM; 756 return HCI_AT_GENERAL_BONDING_MITM;
772 case BT_SECURITY_MEDIUM: 757 case BT_SECURITY_MEDIUM:
773 return HCI_AT_GENERAL_BONDING; 758 return HCI_AT_GENERAL_BONDING;
@@ -1330,7 +1315,7 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1330 __clear_ack_timer(chan); 1315 __clear_ack_timer(chan);
1331 } 1316 }
1332 1317
1333 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1318 if (chan->scid == L2CAP_CID_A2MP) {
1334 l2cap_state_change(chan, BT_DISCONN); 1319 l2cap_state_change(chan, BT_DISCONN);
1335 return; 1320 return;
1336 } 1321 }
@@ -1493,8 +1478,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1493 if (!chan) 1478 if (!chan)
1494 goto clean; 1479 goto clean;
1495 1480
1496 chan->dcid = L2CAP_CID_ATT;
1497
1498 bacpy(&chan->src, &hcon->src); 1481 bacpy(&chan->src, &hcon->src);
1499 bacpy(&chan->dst, &hcon->dst); 1482 bacpy(&chan->dst, &hcon->dst);
1500 chan->src_type = bdaddr_type(hcon, hcon->src_type); 1483 chan->src_type = bdaddr_type(hcon, hcon->src_type);
@@ -1528,7 +1511,7 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1528 1511
1529 l2cap_chan_lock(chan); 1512 l2cap_chan_lock(chan);
1530 1513
1531 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1514 if (chan->scid == L2CAP_CID_A2MP) {
1532 l2cap_chan_unlock(chan); 1515 l2cap_chan_unlock(chan);
1533 continue; 1516 continue;
1534 } 1517 }
@@ -1546,6 +1529,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1546 } 1529 }
1547 1530
1548 mutex_unlock(&conn->chan_lock); 1531 mutex_unlock(&conn->chan_lock);
1532
1533 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1549} 1534}
1550 1535
1551/* Notify sockets that we cannot guaranty reliability anymore */ 1536/* Notify sockets that we cannot guaranty reliability anymore */
@@ -1671,6 +1656,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1671 1656
1672 kfree_skb(conn->rx_skb); 1657 kfree_skb(conn->rx_skb);
1673 1658
1659 skb_queue_purge(&conn->pending_rx);
1660 flush_work(&conn->pending_rx_work);
1661
1674 l2cap_unregister_all_users(conn); 1662 l2cap_unregister_all_users(conn);
1675 1663
1676 mutex_lock(&conn->chan_lock); 1664 mutex_lock(&conn->chan_lock);
@@ -1718,66 +1706,6 @@ static void security_timeout(struct work_struct *work)
1718 } 1706 }
1719} 1707}
1720 1708
1721static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1722{
1723 struct l2cap_conn *conn = hcon->l2cap_data;
1724 struct hci_chan *hchan;
1725
1726 if (conn)
1727 return conn;
1728
1729 hchan = hci_chan_create(hcon);
1730 if (!hchan)
1731 return NULL;
1732
1733 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1734 if (!conn) {
1735 hci_chan_del(hchan);
1736 return NULL;
1737 }
1738
1739 kref_init(&conn->ref);
1740 hcon->l2cap_data = conn;
1741 conn->hcon = hcon;
1742 hci_conn_get(conn->hcon);
1743 conn->hchan = hchan;
1744
1745 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1746
1747 switch (hcon->type) {
1748 case LE_LINK:
1749 if (hcon->hdev->le_mtu) {
1750 conn->mtu = hcon->hdev->le_mtu;
1751 break;
1752 }
1753 /* fall through */
1754 default:
1755 conn->mtu = hcon->hdev->acl_mtu;
1756 break;
1757 }
1758
1759 conn->feat_mask = 0;
1760
1761 if (hcon->type == ACL_LINK)
1762 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1763 &hcon->hdev->dev_flags);
1764
1765 spin_lock_init(&conn->lock);
1766 mutex_init(&conn->chan_lock);
1767
1768 INIT_LIST_HEAD(&conn->chan_l);
1769 INIT_LIST_HEAD(&conn->users);
1770
1771 if (hcon->type == LE_LINK)
1772 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1773 else
1774 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1775
1776 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1777
1778 return conn;
1779}
1780
1781static void l2cap_conn_free(struct kref *ref) 1709static void l2cap_conn_free(struct kref *ref)
1782{ 1710{
1783 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1711 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
@@ -1848,154 +1776,6 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1848 return c1; 1776 return c1;
1849} 1777}
1850 1778
1851static bool is_valid_psm(u16 psm, u8 dst_type)
1852{
1853 if (!psm)
1854 return false;
1855
1856 if (bdaddr_type_is_le(dst_type))
1857 return (psm <= 0x00ff);
1858
1859 /* PSM must be odd and lsb of upper byte must be 0 */
1860 return ((psm & 0x0101) == 0x0001);
1861}
1862
1863int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1864 bdaddr_t *dst, u8 dst_type)
1865{
1866 struct l2cap_conn *conn;
1867 struct hci_conn *hcon;
1868 struct hci_dev *hdev;
1869 __u8 auth_type;
1870 int err;
1871
1872 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
1873 dst_type, __le16_to_cpu(psm));
1874
1875 hdev = hci_get_route(dst, &chan->src);
1876 if (!hdev)
1877 return -EHOSTUNREACH;
1878
1879 hci_dev_lock(hdev);
1880
1881 l2cap_chan_lock(chan);
1882
1883 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
1884 chan->chan_type != L2CAP_CHAN_RAW) {
1885 err = -EINVAL;
1886 goto done;
1887 }
1888
1889 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1890 err = -EINVAL;
1891 goto done;
1892 }
1893
1894 switch (chan->mode) {
1895 case L2CAP_MODE_BASIC:
1896 break;
1897 case L2CAP_MODE_LE_FLOWCTL:
1898 l2cap_le_flowctl_init(chan);
1899 break;
1900 case L2CAP_MODE_ERTM:
1901 case L2CAP_MODE_STREAMING:
1902 if (!disable_ertm)
1903 break;
1904 /* fall through */
1905 default:
1906 err = -ENOTSUPP;
1907 goto done;
1908 }
1909
1910 switch (chan->state) {
1911 case BT_CONNECT:
1912 case BT_CONNECT2:
1913 case BT_CONFIG:
1914 /* Already connecting */
1915 err = 0;
1916 goto done;
1917
1918 case BT_CONNECTED:
1919 /* Already connected */
1920 err = -EISCONN;
1921 goto done;
1922
1923 case BT_OPEN:
1924 case BT_BOUND:
1925 /* Can connect */
1926 break;
1927
1928 default:
1929 err = -EBADFD;
1930 goto done;
1931 }
1932
1933 /* Set destination address and psm */
1934 bacpy(&chan->dst, dst);
1935 chan->dst_type = dst_type;
1936
1937 chan->psm = psm;
1938 chan->dcid = cid;
1939
1940 auth_type = l2cap_get_auth_type(chan);
1941
1942 if (bdaddr_type_is_le(dst_type))
1943 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1944 chan->sec_level, auth_type);
1945 else
1946 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1947 chan->sec_level, auth_type);
1948
1949 if (IS_ERR(hcon)) {
1950 err = PTR_ERR(hcon);
1951 goto done;
1952 }
1953
1954 conn = l2cap_conn_add(hcon);
1955 if (!conn) {
1956 hci_conn_drop(hcon);
1957 err = -ENOMEM;
1958 goto done;
1959 }
1960
1961 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1962 hci_conn_drop(hcon);
1963 err = -EBUSY;
1964 goto done;
1965 }
1966
1967 /* Update source addr of the socket */
1968 bacpy(&chan->src, &hcon->src);
1969 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1970
1971 l2cap_chan_unlock(chan);
1972 l2cap_chan_add(conn, chan);
1973 l2cap_chan_lock(chan);
1974
1975 /* l2cap_chan_add takes its own ref so we can drop this one */
1976 hci_conn_drop(hcon);
1977
1978 l2cap_state_change(chan, BT_CONNECT);
1979 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1980
1981 if (hcon->state == BT_CONNECTED) {
1982 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1983 __clear_chan_timer(chan);
1984 if (l2cap_chan_check_security(chan))
1985 l2cap_state_change(chan, BT_CONNECTED);
1986 } else
1987 l2cap_do_start(chan);
1988 }
1989
1990 err = 0;
1991
1992done:
1993 l2cap_chan_unlock(chan);
1994 hci_dev_unlock(hdev);
1995 hci_dev_put(hdev);
1996 return err;
1997}
1998
1999static void l2cap_monitor_timeout(struct work_struct *work) 1779static void l2cap_monitor_timeout(struct work_struct *work)
2000{ 1780{
2001 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1781 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
@@ -2654,6 +2434,14 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2654 if (IS_ERR(skb)) 2434 if (IS_ERR(skb))
2655 return PTR_ERR(skb); 2435 return PTR_ERR(skb);
2656 2436
2437 /* Channel lock is released before requesting new skb and then
2438 * reacquired thus we need to recheck channel state.
2439 */
2440 if (chan->state != BT_CONNECTED) {
2441 kfree_skb(skb);
2442 return -ENOTCONN;
2443 }
2444
2657 l2cap_do_send(chan, skb); 2445 l2cap_do_send(chan, skb);
2658 return len; 2446 return len;
2659 } 2447 }
@@ -2703,6 +2491,14 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2703 if (IS_ERR(skb)) 2491 if (IS_ERR(skb))
2704 return PTR_ERR(skb); 2492 return PTR_ERR(skb);
2705 2493
2494 /* Channel lock is released before requesting new skb and then
2495 * reacquired thus we need to recheck channel state.
2496 */
2497 if (chan->state != BT_CONNECTED) {
2498 kfree_skb(skb);
2499 return -ENOTCONN;
2500 }
2501
2706 l2cap_do_send(chan, skb); 2502 l2cap_do_send(chan, skb);
2707 err = len; 2503 err = len;
2708 break; 2504 break;
@@ -5709,7 +5505,7 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn,
5709{ 5505{
5710 struct l2cap_le_credits *pkt; 5506 struct l2cap_le_credits *pkt;
5711 struct l2cap_chan *chan; 5507 struct l2cap_chan *chan;
5712 u16 cid, credits; 5508 u16 cid, credits, max_credits;
5713 5509
5714 if (cmd_len != sizeof(*pkt)) 5510 if (cmd_len != sizeof(*pkt))
5715 return -EPROTO; 5511 return -EPROTO;
@@ -5724,6 +5520,17 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn,
5724 if (!chan) 5520 if (!chan)
5725 return -EBADSLT; 5521 return -EBADSLT;
5726 5522
5523 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5524 if (credits > max_credits) {
5525 BT_ERR("LE credits overflow");
5526 l2cap_send_disconn_req(chan, ECONNRESET);
5527
5528 /* Return 0 so that we don't trigger an unnecessary
5529 * command reject packet.
5530 */
5531 return 0;
5532 }
5533
5727 chan->tx_credits += credits; 5534 chan->tx_credits += credits;
5728 5535
5729 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 5536 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
@@ -5770,17 +5577,6 @@ static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5770{ 5577{
5771 int err = 0; 5578 int err = 0;
5772 5579
5773 if (!enable_lecoc) {
5774 switch (cmd->code) {
5775 case L2CAP_LE_CONN_REQ:
5776 case L2CAP_LE_CONN_RSP:
5777 case L2CAP_LE_CREDITS:
5778 case L2CAP_DISCONN_REQ:
5779 case L2CAP_DISCONN_RSP:
5780 return -EINVAL;
5781 }
5782 }
5783
5784 switch (cmd->code) { 5580 switch (cmd->code) {
5785 case L2CAP_COMMAND_REJ: 5581 case L2CAP_COMMAND_REJ:
5786 l2cap_le_command_rej(conn, cmd, cmd_len, data); 5582 l2cap_le_command_rej(conn, cmd, cmd_len, data);
@@ -6871,6 +6667,7 @@ static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6871 6667
6872 if (!chan->rx_credits) { 6668 if (!chan->rx_credits) {
6873 BT_ERR("No credits to receive LE L2CAP data"); 6669 BT_ERR("No credits to receive LE L2CAP data");
6670 l2cap_send_disconn_req(chan, ECONNRESET);
6874 return -ENOBUFS; 6671 return -ENOBUFS;
6875 } 6672 }
6876 6673
@@ -6995,8 +6792,10 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6995 * But we don't have any other choice. L2CAP doesn't 6792 * But we don't have any other choice. L2CAP doesn't
6996 * provide flow control mechanism. */ 6793 * provide flow control mechanism. */
6997 6794
6998 if (chan->imtu < skb->len) 6795 if (chan->imtu < skb->len) {
6796 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6999 goto drop; 6797 goto drop;
6798 }
7000 6799
7001 if (!chan->ops->recv(chan, skb)) 6800 if (!chan->ops->recv(chan, skb))
7002 goto done; 6801 goto done;
@@ -7084,9 +6883,16 @@ drop:
7084static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 6883static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7085{ 6884{
7086 struct l2cap_hdr *lh = (void *) skb->data; 6885 struct l2cap_hdr *lh = (void *) skb->data;
6886 struct hci_conn *hcon = conn->hcon;
7087 u16 cid, len; 6887 u16 cid, len;
7088 __le16 psm; 6888 __le16 psm;
7089 6889
6890 if (hcon->state != BT_CONNECTED) {
6891 BT_DBG("queueing pending rx skb");
6892 skb_queue_tail(&conn->pending_rx, skb);
6893 return;
6894 }
6895
7090 skb_pull(skb, L2CAP_HDR_SIZE); 6896 skb_pull(skb, L2CAP_HDR_SIZE);
7091 cid = __le16_to_cpu(lh->cid); 6897 cid = __le16_to_cpu(lh->cid);
7092 len = __le16_to_cpu(lh->len); 6898 len = __le16_to_cpu(lh->len);
@@ -7132,6 +6938,247 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7132 } 6938 }
7133} 6939}
7134 6940
6941static void process_pending_rx(struct work_struct *work)
6942{
6943 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6944 pending_rx_work);
6945 struct sk_buff *skb;
6946
6947 BT_DBG("");
6948
6949 while ((skb = skb_dequeue(&conn->pending_rx)))
6950 l2cap_recv_frame(conn, skb);
6951}
6952
6953static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6954{
6955 struct l2cap_conn *conn = hcon->l2cap_data;
6956 struct hci_chan *hchan;
6957
6958 if (conn)
6959 return conn;
6960
6961 hchan = hci_chan_create(hcon);
6962 if (!hchan)
6963 return NULL;
6964
6965 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6966 if (!conn) {
6967 hci_chan_del(hchan);
6968 return NULL;
6969 }
6970
6971 kref_init(&conn->ref);
6972 hcon->l2cap_data = conn;
6973 conn->hcon = hcon;
6974 hci_conn_get(conn->hcon);
6975 conn->hchan = hchan;
6976
6977 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6978
6979 switch (hcon->type) {
6980 case LE_LINK:
6981 if (hcon->hdev->le_mtu) {
6982 conn->mtu = hcon->hdev->le_mtu;
6983 break;
6984 }
6985 /* fall through */
6986 default:
6987 conn->mtu = hcon->hdev->acl_mtu;
6988 break;
6989 }
6990
6991 conn->feat_mask = 0;
6992
6993 if (hcon->type == ACL_LINK)
6994 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6995 &hcon->hdev->dev_flags);
6996
6997 spin_lock_init(&conn->lock);
6998 mutex_init(&conn->chan_lock);
6999
7000 INIT_LIST_HEAD(&conn->chan_l);
7001 INIT_LIST_HEAD(&conn->users);
7002
7003 if (hcon->type == LE_LINK)
7004 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7005 else
7006 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7007
7008 skb_queue_head_init(&conn->pending_rx);
7009 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7010
7011 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7012
7013 return conn;
7014}
7015
7016static bool is_valid_psm(u16 psm, u8 dst_type) {
7017 if (!psm)
7018 return false;
7019
7020 if (bdaddr_type_is_le(dst_type))
7021 return (psm <= 0x00ff);
7022
7023 /* PSM must be odd and lsb of upper byte must be 0 */
7024 return ((psm & 0x0101) == 0x0001);
7025}
7026
7027int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7028 bdaddr_t *dst, u8 dst_type)
7029{
7030 struct l2cap_conn *conn;
7031 struct hci_conn *hcon;
7032 struct hci_dev *hdev;
7033 __u8 auth_type;
7034 int err;
7035
7036 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7037 dst_type, __le16_to_cpu(psm));
7038
7039 hdev = hci_get_route(dst, &chan->src);
7040 if (!hdev)
7041 return -EHOSTUNREACH;
7042
7043 hci_dev_lock(hdev);
7044
7045 l2cap_chan_lock(chan);
7046
7047 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7048 chan->chan_type != L2CAP_CHAN_RAW) {
7049 err = -EINVAL;
7050 goto done;
7051 }
7052
7053 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7054 err = -EINVAL;
7055 goto done;
7056 }
7057
7058 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7059 err = -EINVAL;
7060 goto done;
7061 }
7062
7063 switch (chan->mode) {
7064 case L2CAP_MODE_BASIC:
7065 break;
7066 case L2CAP_MODE_LE_FLOWCTL:
7067 l2cap_le_flowctl_init(chan);
7068 break;
7069 case L2CAP_MODE_ERTM:
7070 case L2CAP_MODE_STREAMING:
7071 if (!disable_ertm)
7072 break;
7073 /* fall through */
7074 default:
7075 err = -ENOTSUPP;
7076 goto done;
7077 }
7078
7079 switch (chan->state) {
7080 case BT_CONNECT:
7081 case BT_CONNECT2:
7082 case BT_CONFIG:
7083 /* Already connecting */
7084 err = 0;
7085 goto done;
7086
7087 case BT_CONNECTED:
7088 /* Already connected */
7089 err = -EISCONN;
7090 goto done;
7091
7092 case BT_OPEN:
7093 case BT_BOUND:
7094 /* Can connect */
7095 break;
7096
7097 default:
7098 err = -EBADFD;
7099 goto done;
7100 }
7101
7102 /* Set destination address and psm */
7103 bacpy(&chan->dst, dst);
7104 chan->dst_type = dst_type;
7105
7106 chan->psm = psm;
7107 chan->dcid = cid;
7108
7109 auth_type = l2cap_get_auth_type(chan);
7110
7111 if (bdaddr_type_is_le(dst_type)) {
7112 /* Convert from L2CAP channel address type to HCI address type
7113 */
7114 if (dst_type == BDADDR_LE_PUBLIC)
7115 dst_type = ADDR_LE_DEV_PUBLIC;
7116 else
7117 dst_type = ADDR_LE_DEV_RANDOM;
7118
7119 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7120 auth_type);
7121 } else {
7122 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7123 }
7124
7125 if (IS_ERR(hcon)) {
7126 err = PTR_ERR(hcon);
7127 goto done;
7128 }
7129
7130 conn = l2cap_conn_add(hcon);
7131 if (!conn) {
7132 hci_conn_drop(hcon);
7133 err = -ENOMEM;
7134 goto done;
7135 }
7136
7137 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7138 hci_conn_drop(hcon);
7139 err = -EBUSY;
7140 goto done;
7141 }
7142
7143 /* Update source addr of the socket */
7144 bacpy(&chan->src, &hcon->src);
7145 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7146
7147 l2cap_chan_unlock(chan);
7148 l2cap_chan_add(conn, chan);
7149 l2cap_chan_lock(chan);
7150
7151 /* l2cap_chan_add takes its own ref so we can drop this one */
7152 hci_conn_drop(hcon);
7153
7154 l2cap_state_change(chan, BT_CONNECT);
7155 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7156
7157 /* Release chan->sport so that it can be reused by other
7158 * sockets (as it's only used for listening sockets).
7159 */
7160 write_lock(&chan_list_lock);
7161 chan->sport = 0;
7162 write_unlock(&chan_list_lock);
7163
7164 if (hcon->state == BT_CONNECTED) {
7165 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7166 __clear_chan_timer(chan);
7167 if (l2cap_chan_check_security(chan))
7168 l2cap_state_change(chan, BT_CONNECTED);
7169 } else
7170 l2cap_do_start(chan);
7171 }
7172
7173 err = 0;
7174
7175done:
7176 l2cap_chan_unlock(chan);
7177 hci_dev_unlock(hdev);
7178 hci_dev_put(hdev);
7179 return err;
7180}
7181
7135/* ---- L2CAP interface with lower layer (HCI) ---- */ 7182/* ---- L2CAP interface with lower layer (HCI) ---- */
7136 7183
7137int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 7184int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
@@ -7206,7 +7253,8 @@ static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7206 if (encrypt == 0x00) { 7253 if (encrypt == 0x00) {
7207 if (chan->sec_level == BT_SECURITY_MEDIUM) { 7254 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7208 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 7255 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7209 } else if (chan->sec_level == BT_SECURITY_HIGH) 7256 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7257 chan->sec_level == BT_SECURITY_FIPS)
7210 l2cap_chan_close(chan, ECONNREFUSED); 7258 l2cap_chan_close(chan, ECONNREFUSED);
7211 } else { 7259 } else {
7212 if (chan->sec_level == BT_SECURITY_MEDIUM) 7260 if (chan->sec_level == BT_SECURITY_MEDIUM)
@@ -7226,7 +7274,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7226 7274
7227 if (hcon->type == LE_LINK) { 7275 if (hcon->type == LE_LINK) {
7228 if (!status && encrypt) 7276 if (!status && encrypt)
7229 smp_distribute_keys(conn, 0); 7277 smp_distribute_keys(conn);
7230 cancel_delayed_work(&conn->security_timer); 7278 cancel_delayed_work(&conn->security_timer);
7231 } 7279 }
7232 7280
@@ -7238,7 +7286,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7238 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 7286 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7239 state_to_string(chan->state)); 7287 state_to_string(chan->state));
7240 7288
7241 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 7289 if (chan->scid == L2CAP_CID_A2MP) {
7242 l2cap_chan_unlock(chan); 7290 l2cap_chan_unlock(chan);
7243 continue; 7291 continue;
7244 } 7292 }
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index d58f76bcebd1..b247f9d27fed 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -36,8 +36,6 @@
36 36
37#include "smp.h" 37#include "smp.h"
38 38
39bool enable_lecoc;
40
41static struct bt_sock_list l2cap_sk_list = { 39static struct bt_sock_list l2cap_sk_list = {
42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 40 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
43}; 41};
@@ -101,9 +99,16 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
101 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
102 return -EINVAL; 100 return -EINVAL;
103 101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
104 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
105 if (!enable_lecoc && la.l2_psm)
106 return -EINVAL;
107 /* We only allow ATT user space socket */ 112 /* We only allow ATT user space socket */
108 if (la.l2_cid && 113 if (la.l2_cid &&
109 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 114 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT))
@@ -220,8 +225,6 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
220 return -EINVAL; 225 return -EINVAL;
221 226
222 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 227 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
223 if (!enable_lecoc && la.l2_psm)
224 return -EINVAL;
225 /* We only allow ATT user space socket */ 228 /* We only allow ATT user space socket */
226 if (la.l2_cid && 229 if (la.l2_cid &&
227 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT)) 230 la.l2_cid != __constant_cpu_to_le16(L2CAP_CID_ATT))
@@ -357,17 +360,20 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
357 360
358 BT_DBG("sock %p, sk %p", sock, sk); 361 BT_DBG("sock %p, sk %p", sock, sk);
359 362
363 if (peer && sk->sk_state != BT_CONNECTED)
364 return -ENOTCONN;
365
360 memset(la, 0, sizeof(struct sockaddr_l2)); 366 memset(la, 0, sizeof(struct sockaddr_l2));
361 addr->sa_family = AF_BLUETOOTH; 367 addr->sa_family = AF_BLUETOOTH;
362 *len = sizeof(struct sockaddr_l2); 368 *len = sizeof(struct sockaddr_l2);
363 369
370 la->l2_psm = chan->psm;
371
364 if (peer) { 372 if (peer) {
365 la->l2_psm = chan->psm;
366 bacpy(&la->l2_bdaddr, &chan->dst); 373 bacpy(&la->l2_bdaddr, &chan->dst);
367 la->l2_cid = cpu_to_le16(chan->dcid); 374 la->l2_cid = cpu_to_le16(chan->dcid);
368 la->l2_bdaddr_type = chan->dst_type; 375 la->l2_bdaddr_type = chan->dst_type;
369 } else { 376 } else {
370 la->l2_psm = chan->sport;
371 bacpy(&la->l2_bdaddr, &chan->src); 377 bacpy(&la->l2_bdaddr, &chan->src);
372 la->l2_cid = cpu_to_le16(chan->scid); 378 la->l2_cid = cpu_to_le16(chan->scid);
373 la->l2_bdaddr_type = chan->src_type; 379 la->l2_bdaddr_type = chan->src_type;
@@ -432,6 +438,10 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
432 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 438 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
433 L2CAP_LM_SECURE; 439 L2CAP_LM_SECURE;
434 break; 440 break;
441 case BT_SECURITY_FIPS:
442 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
443 L2CAP_LM_SECURE | L2CAP_LM_FIPS;
444 break;
435 default: 445 default:
436 opt = 0; 446 opt = 0;
437 break; 447 break;
@@ -445,6 +455,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
445 455
446 if (put_user(opt, (u32 __user *) optval)) 456 if (put_user(opt, (u32 __user *) optval))
447 err = -EFAULT; 457 err = -EFAULT;
458
448 break; 459 break;
449 460
450 case L2CAP_CONNINFO: 461 case L2CAP_CONNINFO:
@@ -499,6 +510,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
499 switch (optname) { 510 switch (optname) {
500 case BT_SECURITY: 511 case BT_SECURITY:
501 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 512 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
513 chan->chan_type != L2CAP_CHAN_FIXED &&
502 chan->chan_type != L2CAP_CHAN_RAW) { 514 chan->chan_type != L2CAP_CHAN_RAW) {
503 err = -EINVAL; 515 err = -EINVAL;
504 break; 516 break;
@@ -560,11 +572,6 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
560 break; 572 break;
561 573
562 case BT_SNDMTU: 574 case BT_SNDMTU:
563 if (!enable_lecoc) {
564 err = -EPROTONOSUPPORT;
565 break;
566 }
567
568 if (!bdaddr_type_is_le(chan->src_type)) { 575 if (!bdaddr_type_is_le(chan->src_type)) {
569 err = -EINVAL; 576 err = -EINVAL;
570 break; 577 break;
@@ -580,11 +587,6 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
580 break; 587 break;
581 588
582 case BT_RCVMTU: 589 case BT_RCVMTU:
583 if (!enable_lecoc) {
584 err = -EPROTONOSUPPORT;
585 break;
586 }
587
588 if (!bdaddr_type_is_le(chan->src_type)) { 590 if (!bdaddr_type_is_le(chan->src_type)) {
589 err = -EINVAL; 591 err = -EINVAL;
590 break; 592 break;
@@ -699,6 +701,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
699 break; 701 break;
700 } 702 }
701 703
704 if (opt & L2CAP_LM_FIPS) {
705 err = -EINVAL;
706 break;
707 }
708
702 if (opt & L2CAP_LM_AUTH) 709 if (opt & L2CAP_LM_AUTH)
703 chan->sec_level = BT_SECURITY_LOW; 710 chan->sec_level = BT_SECURITY_LOW;
704 if (opt & L2CAP_LM_ENCRYPT) 711 if (opt & L2CAP_LM_ENCRYPT)
@@ -750,6 +757,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
750 switch (optname) { 757 switch (optname) {
751 case BT_SECURITY: 758 case BT_SECURITY:
752 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 759 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
760 chan->chan_type != L2CAP_CHAN_FIXED &&
753 chan->chan_type != L2CAP_CHAN_RAW) { 761 chan->chan_type != L2CAP_CHAN_RAW) {
754 err = -EINVAL; 762 err = -EINVAL;
755 break; 763 break;
@@ -895,11 +903,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
895 break; 903 break;
896 904
897 case BT_SNDMTU: 905 case BT_SNDMTU:
898 if (!enable_lecoc) {
899 err = -EPROTONOSUPPORT;
900 break;
901 }
902
903 if (!bdaddr_type_is_le(chan->src_type)) { 906 if (!bdaddr_type_is_le(chan->src_type)) {
904 err = -EINVAL; 907 err = -EINVAL;
905 break; 908 break;
@@ -912,11 +915,6 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
912 break; 915 break;
913 916
914 case BT_RCVMTU: 917 case BT_RCVMTU:
915 if (!enable_lecoc) {
916 err = -EPROTONOSUPPORT;
917 break;
918 }
919
920 if (!bdaddr_type_is_le(chan->src_type)) { 918 if (!bdaddr_type_is_le(chan->src_type)) {
921 err = -EINVAL; 919 err = -EINVAL;
922 break; 920 break;
@@ -1449,6 +1447,11 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
1449 chan->tx_credits = pchan->tx_credits; 1447 chan->tx_credits = pchan->tx_credits;
1450 chan->rx_credits = pchan->rx_credits; 1448 chan->rx_credits = pchan->rx_credits;
1451 1449
1450 if (chan->chan_type == L2CAP_CHAN_FIXED) {
1451 chan->scid = pchan->scid;
1452 chan->dcid = pchan->scid;
1453 }
1454
1452 security_sk_clone(parent, sk); 1455 security_sk_clone(parent, sk);
1453 } else { 1456 } else {
1454 switch (sk->sk_type) { 1457 switch (sk->sk_type) {
@@ -1614,6 +1617,3 @@ void l2cap_cleanup_sockets(void)
1614 bt_sock_unregister(BTPROTO_L2CAP); 1617 bt_sock_unregister(BTPROTO_L2CAP);
1615 proto_unregister(&l2cap_proto); 1618 proto_unregister(&l2cap_proto);
1616} 1619}
1617
1618module_param(enable_lecoc, bool, 0644);
1619MODULE_PARM_DESC(enable_lecoc, "Enable support for LE CoC");
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index a03ca3ca91bf..98e9df3556e7 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -34,7 +34,7 @@
34#include "smp.h" 34#include "smp.h"
35 35
36#define MGMT_VERSION 1 36#define MGMT_VERSION 1
37#define MGMT_REVISION 4 37#define MGMT_REVISION 5
38 38
39static const u16 mgmt_commands[] = { 39static const u16 mgmt_commands[] = {
40 MGMT_OP_READ_INDEX_LIST, 40 MGMT_OP_READ_INDEX_LIST,
@@ -79,6 +79,10 @@ static const u16 mgmt_commands[] = {
79 MGMT_OP_SET_BREDR, 79 MGMT_OP_SET_BREDR,
80 MGMT_OP_SET_STATIC_ADDRESS, 80 MGMT_OP_SET_STATIC_ADDRESS,
81 MGMT_OP_SET_SCAN_PARAMS, 81 MGMT_OP_SET_SCAN_PARAMS,
82 MGMT_OP_SET_SECURE_CONN,
83 MGMT_OP_SET_DEBUG_KEYS,
84 MGMT_OP_SET_PRIVACY,
85 MGMT_OP_LOAD_IRKS,
82}; 86};
83 87
84static const u16 mgmt_events[] = { 88static const u16 mgmt_events[] = {
@@ -103,6 +107,7 @@ static const u16 mgmt_events[] = {
103 MGMT_EV_DEVICE_UNBLOCKED, 107 MGMT_EV_DEVICE_UNBLOCKED,
104 MGMT_EV_DEVICE_UNPAIRED, 108 MGMT_EV_DEVICE_UNPAIRED,
105 MGMT_EV_PASSKEY_NOTIFY, 109 MGMT_EV_PASSKEY_NOTIFY,
110 MGMT_EV_NEW_IRK,
106}; 111};
107 112
108#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000) 113#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000)
@@ -127,7 +132,7 @@ static u8 mgmt_status_table[] = {
127 MGMT_STATUS_FAILED, /* Hardware Failure */ 132 MGMT_STATUS_FAILED, /* Hardware Failure */
128 MGMT_STATUS_CONNECT_FAILED, /* Page Timeout */ 133 MGMT_STATUS_CONNECT_FAILED, /* Page Timeout */
129 MGMT_STATUS_AUTH_FAILED, /* Authentication Failed */ 134 MGMT_STATUS_AUTH_FAILED, /* Authentication Failed */
130 MGMT_STATUS_NOT_PAIRED, /* PIN or Key Missing */ 135 MGMT_STATUS_AUTH_FAILED, /* PIN or Key Missing */
131 MGMT_STATUS_NO_RESOURCES, /* Memory Full */ 136 MGMT_STATUS_NO_RESOURCES, /* Memory Full */
132 MGMT_STATUS_TIMEOUT, /* Connection Timeout */ 137 MGMT_STATUS_TIMEOUT, /* Connection Timeout */
133 MGMT_STATUS_NO_RESOURCES, /* Max Number of Connections */ 138 MGMT_STATUS_NO_RESOURCES, /* Max Number of Connections */
@@ -363,6 +368,7 @@ static u32 get_supported_settings(struct hci_dev *hdev)
363 368
364 settings |= MGMT_SETTING_POWERED; 369 settings |= MGMT_SETTING_POWERED;
365 settings |= MGMT_SETTING_PAIRABLE; 370 settings |= MGMT_SETTING_PAIRABLE;
371 settings |= MGMT_SETTING_DEBUG_KEYS;
366 372
367 if (lmp_bredr_capable(hdev)) { 373 if (lmp_bredr_capable(hdev)) {
368 settings |= MGMT_SETTING_CONNECTABLE; 374 settings |= MGMT_SETTING_CONNECTABLE;
@@ -376,11 +382,16 @@ static u32 get_supported_settings(struct hci_dev *hdev)
376 settings |= MGMT_SETTING_SSP; 382 settings |= MGMT_SETTING_SSP;
377 settings |= MGMT_SETTING_HS; 383 settings |= MGMT_SETTING_HS;
378 } 384 }
385
386 if (lmp_sc_capable(hdev) ||
387 test_bit(HCI_FORCE_SC, &hdev->dev_flags))
388 settings |= MGMT_SETTING_SECURE_CONN;
379 } 389 }
380 390
381 if (lmp_le_capable(hdev)) { 391 if (lmp_le_capable(hdev)) {
382 settings |= MGMT_SETTING_LE; 392 settings |= MGMT_SETTING_LE;
383 settings |= MGMT_SETTING_ADVERTISING; 393 settings |= MGMT_SETTING_ADVERTISING;
394 settings |= MGMT_SETTING_PRIVACY;
384 } 395 }
385 396
386 return settings; 397 return settings;
@@ -423,6 +434,15 @@ static u32 get_current_settings(struct hci_dev *hdev)
423 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) 434 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
424 settings |= MGMT_SETTING_ADVERTISING; 435 settings |= MGMT_SETTING_ADVERTISING;
425 436
437 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
438 settings |= MGMT_SETTING_SECURE_CONN;
439
440 if (test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags))
441 settings |= MGMT_SETTING_DEBUG_KEYS;
442
443 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
444 settings |= MGMT_SETTING_PRIVACY;
445
426 return settings; 446 return settings;
427} 447}
428 448
@@ -629,14 +649,8 @@ static u8 create_adv_data(struct hci_dev *hdev, u8 *ptr)
629 649
630 flags |= get_adv_discov_flags(hdev); 650 flags |= get_adv_discov_flags(hdev);
631 651
632 if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) { 652 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
633 if (lmp_le_br_capable(hdev))
634 flags |= LE_AD_SIM_LE_BREDR_CTRL;
635 if (lmp_host_le_br_capable(hdev))
636 flags |= LE_AD_SIM_LE_BREDR_HOST;
637 } else {
638 flags |= LE_AD_NO_BREDR; 653 flags |= LE_AD_NO_BREDR;
639 }
640 654
641 if (flags) { 655 if (flags) {
642 BT_DBG("adv flags 0x%02x", flags); 656 BT_DBG("adv flags 0x%02x", flags);
@@ -803,6 +817,64 @@ static void update_class(struct hci_request *req)
803 hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod); 817 hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
804} 818}
805 819
820static bool get_connectable(struct hci_dev *hdev)
821{
822 struct pending_cmd *cmd;
823
824 /* If there's a pending mgmt command the flag will not yet have
825 * it's final value, so check for this first.
826 */
827 cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
828 if (cmd) {
829 struct mgmt_mode *cp = cmd->param;
830 return cp->val;
831 }
832
833 return test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
834}
835
836static void enable_advertising(struct hci_request *req)
837{
838 struct hci_dev *hdev = req->hdev;
839 struct hci_cp_le_set_adv_param cp;
840 u8 own_addr_type, enable = 0x01;
841 bool connectable;
842
843 /* Clear the HCI_ADVERTISING bit temporarily so that the
844 * hci_update_random_address knows that it's safe to go ahead
845 * and write a new random address. The flag will be set back on
846 * as soon as the SET_ADV_ENABLE HCI command completes.
847 */
848 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
849
850 connectable = get_connectable(hdev);
851
852 /* Set require_privacy to true only when non-connectable
853 * advertising is used. In that case it is fine to use a
854 * non-resolvable private address.
855 */
856 if (hci_update_random_address(req, !connectable, &own_addr_type) < 0)
857 return;
858
859 memset(&cp, 0, sizeof(cp));
860 cp.min_interval = __constant_cpu_to_le16(0x0800);
861 cp.max_interval = __constant_cpu_to_le16(0x0800);
862 cp.type = connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
863 cp.own_address_type = own_addr_type;
864 cp.channel_map = hdev->le_adv_channel_map;
865
866 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
867
868 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
869}
870
871static void disable_advertising(struct hci_request *req)
872{
873 u8 enable = 0x00;
874
875 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
876}
877
806static void service_cache_off(struct work_struct *work) 878static void service_cache_off(struct work_struct *work)
807{ 879{
808 struct hci_dev *hdev = container_of(work, struct hci_dev, 880 struct hci_dev *hdev = container_of(work, struct hci_dev,
@@ -824,12 +896,39 @@ static void service_cache_off(struct work_struct *work)
824 hci_req_run(&req, NULL); 896 hci_req_run(&req, NULL);
825} 897}
826 898
899static void rpa_expired(struct work_struct *work)
900{
901 struct hci_dev *hdev = container_of(work, struct hci_dev,
902 rpa_expired.work);
903 struct hci_request req;
904
905 BT_DBG("");
906
907 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
908
909 if (!test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
910 hci_conn_num(hdev, LE_LINK) > 0)
911 return;
912
913 /* The generation of a new RPA and programming it into the
914 * controller happens in the enable_advertising() function.
915 */
916
917 hci_req_init(&req, hdev);
918
919 disable_advertising(&req);
920 enable_advertising(&req);
921
922 hci_req_run(&req, NULL);
923}
924
827static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev) 925static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
828{ 926{
829 if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags)) 927 if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags))
830 return; 928 return;
831 929
832 INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off); 930 INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
931 INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
833 932
834 /* Non-mgmt controlled devices get this bit set 933 /* Non-mgmt controlled devices get this bit set
835 * implicitly so that pairing works for them, however 934 * implicitly so that pairing works for them, however
@@ -935,6 +1034,71 @@ static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
935 sizeof(settings)); 1034 sizeof(settings));
936} 1035}
937 1036
1037static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
1038{
1039 BT_DBG("%s status 0x%02x", hdev->name, status);
1040
1041 if (hci_conn_count(hdev) == 0) {
1042 cancel_delayed_work(&hdev->power_off);
1043 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1044 }
1045}
1046
1047static int clean_up_hci_state(struct hci_dev *hdev)
1048{
1049 struct hci_request req;
1050 struct hci_conn *conn;
1051
1052 hci_req_init(&req, hdev);
1053
1054 if (test_bit(HCI_ISCAN, &hdev->flags) ||
1055 test_bit(HCI_PSCAN, &hdev->flags)) {
1056 u8 scan = 0x00;
1057 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1058 }
1059
1060 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1061 disable_advertising(&req);
1062
1063 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
1064 hci_req_add_le_scan_disable(&req);
1065 }
1066
1067 list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1068 struct hci_cp_disconnect dc;
1069 struct hci_cp_reject_conn_req rej;
1070
1071 switch (conn->state) {
1072 case BT_CONNECTED:
1073 case BT_CONFIG:
1074 dc.handle = cpu_to_le16(conn->handle);
1075 dc.reason = 0x15; /* Terminated due to Power Off */
1076 hci_req_add(&req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
1077 break;
1078 case BT_CONNECT:
1079 if (conn->type == LE_LINK)
1080 hci_req_add(&req, HCI_OP_LE_CREATE_CONN_CANCEL,
1081 0, NULL);
1082 else if (conn->type == ACL_LINK)
1083 hci_req_add(&req, HCI_OP_CREATE_CONN_CANCEL,
1084 6, &conn->dst);
1085 break;
1086 case BT_CONNECT2:
1087 bacpy(&rej.bdaddr, &conn->dst);
1088 rej.reason = 0x15; /* Terminated due to Power Off */
1089 if (conn->type == ACL_LINK)
1090 hci_req_add(&req, HCI_OP_REJECT_CONN_REQ,
1091 sizeof(rej), &rej);
1092 else if (conn->type == SCO_LINK)
1093 hci_req_add(&req, HCI_OP_REJECT_SYNC_CONN_REQ,
1094 sizeof(rej), &rej);
1095 break;
1096 }
1097 }
1098
1099 return hci_req_run(&req, clean_up_hci_complete);
1100}
1101
938static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, 1102static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
939 u16 len) 1103 u16 len)
940{ 1104{
@@ -978,12 +1142,23 @@ static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
978 goto failed; 1142 goto failed;
979 } 1143 }
980 1144
981 if (cp->val) 1145 if (cp->val) {
982 queue_work(hdev->req_workqueue, &hdev->power_on); 1146 queue_work(hdev->req_workqueue, &hdev->power_on);
983 else 1147 err = 0;
984 queue_work(hdev->req_workqueue, &hdev->power_off.work); 1148 } else {
985 1149 /* Disconnect connections, stop scans, etc */
986 err = 0; 1150 err = clean_up_hci_state(hdev);
1151 if (!err)
1152 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1153 HCI_POWER_OFF_TIMEOUT);
1154
1155 /* ENODATA means there were no HCI commands queued */
1156 if (err == -ENODATA) {
1157 cancel_delayed_work(&hdev->power_off);
1158 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1159 err = 0;
1160 }
1161 }
987 1162
988failed: 1163failed:
989 hci_dev_unlock(hdev); 1164 hci_dev_unlock(hdev);
@@ -1336,50 +1511,6 @@ static void write_fast_connectable(struct hci_request *req, bool enable)
1336 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type); 1511 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);
1337} 1512}
1338 1513
1339static u8 get_adv_type(struct hci_dev *hdev)
1340{
1341 struct pending_cmd *cmd;
1342 bool connectable;
1343
1344 /* If there's a pending mgmt command the flag will not yet have
1345 * it's final value, so check for this first.
1346 */
1347 cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1348 if (cmd) {
1349 struct mgmt_mode *cp = cmd->param;
1350 connectable = !!cp->val;
1351 } else {
1352 connectable = test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1353 }
1354
1355 return connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
1356}
1357
1358static void enable_advertising(struct hci_request *req)
1359{
1360 struct hci_dev *hdev = req->hdev;
1361 struct hci_cp_le_set_adv_param cp;
1362 u8 enable = 0x01;
1363
1364 memset(&cp, 0, sizeof(cp));
1365 cp.min_interval = __constant_cpu_to_le16(0x0800);
1366 cp.max_interval = __constant_cpu_to_le16(0x0800);
1367 cp.type = get_adv_type(hdev);
1368 cp.own_address_type = hdev->own_addr_type;
1369 cp.channel_map = 0x07;
1370
1371 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
1372
1373 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1374}
1375
1376static void disable_advertising(struct hci_request *req)
1377{
1378 u8 enable = 0x00;
1379
1380 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1381}
1382
1383static void set_connectable_complete(struct hci_dev *hdev, u8 status) 1514static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1384{ 1515{
1385 struct pending_cmd *cmd; 1516 struct pending_cmd *cmd;
@@ -2065,7 +2196,7 @@ static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2065 } 2196 }
2066 2197
2067 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 2198 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2068 err = hci_uuids_clear(hdev); 2199 hci_uuids_clear(hdev);
2069 2200
2070 if (enable_service_cache(hdev)) { 2201 if (enable_service_cache(hdev)) {
2071 err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 2202 err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID,
@@ -2205,6 +2336,7 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2205{ 2336{
2206 struct mgmt_cp_load_link_keys *cp = data; 2337 struct mgmt_cp_load_link_keys *cp = data;
2207 u16 key_count, expected_len; 2338 u16 key_count, expected_len;
2339 bool changed;
2208 int i; 2340 int i;
2209 2341
2210 BT_DBG("request for %s", hdev->name); 2342 BT_DBG("request for %s", hdev->name);
@@ -2234,7 +2366,7 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2234 for (i = 0; i < key_count; i++) { 2366 for (i = 0; i < key_count; i++) {
2235 struct mgmt_link_key_info *key = &cp->keys[i]; 2367 struct mgmt_link_key_info *key = &cp->keys[i];
2236 2368
2237 if (key->addr.type != BDADDR_BREDR) 2369 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2238 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 2370 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2239 MGMT_STATUS_INVALID_PARAMS); 2371 MGMT_STATUS_INVALID_PARAMS);
2240 } 2372 }
@@ -2244,9 +2376,12 @@ static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2244 hci_link_keys_clear(hdev); 2376 hci_link_keys_clear(hdev);
2245 2377
2246 if (cp->debug_keys) 2378 if (cp->debug_keys)
2247 set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags); 2379 changed = !test_and_set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2248 else 2380 else
2249 clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags); 2381 changed = test_and_clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2382
2383 if (changed)
2384 new_settings(hdev, NULL);
2250 2385
2251 for (i = 0; i < key_count; i++) { 2386 for (i = 0; i < key_count; i++) {
2252 struct mgmt_link_key_info *key = &cp->keys[i]; 2387 struct mgmt_link_key_info *key = &cp->keys[i];
@@ -2306,10 +2441,22 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2306 goto unlock; 2441 goto unlock;
2307 } 2442 }
2308 2443
2309 if (cp->addr.type == BDADDR_BREDR) 2444 if (cp->addr.type == BDADDR_BREDR) {
2310 err = hci_remove_link_key(hdev, &cp->addr.bdaddr); 2445 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2311 else 2446 } else {
2312 err = hci_remove_ltk(hdev, &cp->addr.bdaddr); 2447 u8 addr_type;
2448
2449 if (cp->addr.type == BDADDR_LE_PUBLIC)
2450 addr_type = ADDR_LE_DEV_PUBLIC;
2451 else
2452 addr_type = ADDR_LE_DEV_RANDOM;
2453
2454 hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2455
2456 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2457
2458 err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2459 }
2313 2460
2314 if (err < 0) { 2461 if (err < 0) {
2315 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 2462 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
@@ -2633,6 +2780,16 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status)
2633 mgmt_pending_remove(cmd); 2780 mgmt_pending_remove(cmd);
2634} 2781}
2635 2782
2783void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2784{
2785 u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2786 struct pending_cmd *cmd;
2787
2788 cmd = find_pairing(conn);
2789 if (cmd)
2790 pairing_complete(cmd, status);
2791}
2792
2636static void pairing_complete_cb(struct hci_conn *conn, u8 status) 2793static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2637{ 2794{
2638 struct pending_cmd *cmd; 2795 struct pending_cmd *cmd;
@@ -2646,7 +2803,7 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2646 pairing_complete(cmd, mgmt_status(status)); 2803 pairing_complete(cmd, mgmt_status(status));
2647} 2804}
2648 2805
2649static void le_connect_complete_cb(struct hci_conn *conn, u8 status) 2806static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2650{ 2807{
2651 struct pending_cmd *cmd; 2808 struct pending_cmd *cmd;
2652 2809
@@ -2697,12 +2854,22 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2697 else 2854 else
2698 auth_type = HCI_AT_DEDICATED_BONDING_MITM; 2855 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2699 2856
2700 if (cp->addr.type == BDADDR_BREDR) 2857 if (cp->addr.type == BDADDR_BREDR) {
2701 conn = hci_connect(hdev, ACL_LINK, &cp->addr.bdaddr, 2858 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2702 cp->addr.type, sec_level, auth_type); 2859 auth_type);
2703 else 2860 } else {
2704 conn = hci_connect(hdev, LE_LINK, &cp->addr.bdaddr, 2861 u8 addr_type;
2705 cp->addr.type, sec_level, auth_type); 2862
2863 /* Convert from L2CAP channel address type to HCI address type
2864 */
2865 if (cp->addr.type == BDADDR_LE_PUBLIC)
2866 addr_type = ADDR_LE_DEV_PUBLIC;
2867 else
2868 addr_type = ADDR_LE_DEV_RANDOM;
2869
2870 conn = hci_connect_le(hdev, &cp->addr.bdaddr, addr_type,
2871 sec_level, auth_type);
2872 }
2706 2873
2707 if (IS_ERR(conn)) { 2874 if (IS_ERR(conn)) {
2708 int status; 2875 int status;
@@ -2733,13 +2900,16 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2733 } 2900 }
2734 2901
2735 /* For LE, just connecting isn't a proof that the pairing finished */ 2902 /* For LE, just connecting isn't a proof that the pairing finished */
2736 if (cp->addr.type == BDADDR_BREDR) 2903 if (cp->addr.type == BDADDR_BREDR) {
2737 conn->connect_cfm_cb = pairing_complete_cb; 2904 conn->connect_cfm_cb = pairing_complete_cb;
2738 else 2905 conn->security_cfm_cb = pairing_complete_cb;
2739 conn->connect_cfm_cb = le_connect_complete_cb; 2906 conn->disconn_cfm_cb = pairing_complete_cb;
2907 } else {
2908 conn->connect_cfm_cb = le_pairing_complete_cb;
2909 conn->security_cfm_cb = le_pairing_complete_cb;
2910 conn->disconn_cfm_cb = le_pairing_complete_cb;
2911 }
2740 2912
2741 conn->security_cfm_cb = pairing_complete_cb;
2742 conn->disconn_cfm_cb = pairing_complete_cb;
2743 conn->io_capability = cp->io_cap; 2913 conn->io_capability = cp->io_cap;
2744 cmd->user_data = conn; 2914 cmd->user_data = conn;
2745 2915
@@ -3071,7 +3241,12 @@ static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3071 goto unlock; 3241 goto unlock;
3072 } 3242 }
3073 3243
3074 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL); 3244 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
3245 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3246 0, NULL);
3247 else
3248 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3249
3075 if (err < 0) 3250 if (err < 0)
3076 mgmt_pending_remove(cmd); 3251 mgmt_pending_remove(cmd);
3077 3252
@@ -3083,23 +3258,46 @@ unlock:
3083static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev, 3258static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3084 void *data, u16 len) 3259 void *data, u16 len)
3085{ 3260{
3086 struct mgmt_cp_add_remote_oob_data *cp = data;
3087 u8 status;
3088 int err; 3261 int err;
3089 3262
3090 BT_DBG("%s ", hdev->name); 3263 BT_DBG("%s ", hdev->name);
3091 3264
3092 hci_dev_lock(hdev); 3265 hci_dev_lock(hdev);
3093 3266
3094 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr, cp->hash, 3267 if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3095 cp->randomizer); 3268 struct mgmt_cp_add_remote_oob_data *cp = data;
3096 if (err < 0) 3269 u8 status;
3097 status = MGMT_STATUS_FAILED;
3098 else
3099 status = MGMT_STATUS_SUCCESS;
3100 3270
3101 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA, status, 3271 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3102 &cp->addr, sizeof(cp->addr)); 3272 cp->hash, cp->randomizer);
3273 if (err < 0)
3274 status = MGMT_STATUS_FAILED;
3275 else
3276 status = MGMT_STATUS_SUCCESS;
3277
3278 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3279 status, &cp->addr, sizeof(cp->addr));
3280 } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3281 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3282 u8 status;
3283
3284 err = hci_add_remote_oob_ext_data(hdev, &cp->addr.bdaddr,
3285 cp->hash192,
3286 cp->randomizer192,
3287 cp->hash256,
3288 cp->randomizer256);
3289 if (err < 0)
3290 status = MGMT_STATUS_FAILED;
3291 else
3292 status = MGMT_STATUS_SUCCESS;
3293
3294 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3295 status, &cp->addr, sizeof(cp->addr));
3296 } else {
3297 BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3298 err = cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3299 MGMT_STATUS_INVALID_PARAMS);
3300 }
3103 3301
3104 hci_dev_unlock(hdev); 3302 hci_dev_unlock(hdev);
3105 return err; 3303 return err;
@@ -3195,7 +3393,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3195 struct hci_request req; 3393 struct hci_request req;
3196 /* General inquiry access code (GIAC) */ 3394 /* General inquiry access code (GIAC) */
3197 u8 lap[3] = { 0x33, 0x8b, 0x9e }; 3395 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3198 u8 status; 3396 u8 status, own_addr_type;
3199 int err; 3397 int err;
3200 3398
3201 BT_DBG("%s", hdev->name); 3399 BT_DBG("%s", hdev->name);
@@ -3280,18 +3478,31 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3280 goto failed; 3478 goto failed;
3281 } 3479 }
3282 3480
3283 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) { 3481 /* If controller is scanning, it means the background scanning
3482 * is running. Thus, we should temporarily stop it in order to
3483 * set the discovery scanning parameters.
3484 */
3485 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
3486 hci_req_add_le_scan_disable(&req);
3487
3488 memset(&param_cp, 0, sizeof(param_cp));
3489
3490 /* All active scans will be done with either a resolvable
3491 * private address (when privacy feature has been enabled)
3492 * or unresolvable private address.
3493 */
3494 err = hci_update_random_address(&req, true, &own_addr_type);
3495 if (err < 0) {
3284 err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY, 3496 err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3285 MGMT_STATUS_BUSY); 3497 MGMT_STATUS_FAILED);
3286 mgmt_pending_remove(cmd); 3498 mgmt_pending_remove(cmd);
3287 goto failed; 3499 goto failed;
3288 } 3500 }
3289 3501
3290 memset(&param_cp, 0, sizeof(param_cp));
3291 param_cp.type = LE_SCAN_ACTIVE; 3502 param_cp.type = LE_SCAN_ACTIVE;
3292 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT); 3503 param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3293 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN); 3504 param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3294 param_cp.own_address_type = hdev->own_addr_type; 3505 param_cp.own_address_type = own_addr_type;
3295 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp), 3506 hci_req_add(&req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3296 &param_cp); 3507 &param_cp);
3297 3508
@@ -3361,7 +3572,6 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3361 struct hci_cp_remote_name_req_cancel cp; 3572 struct hci_cp_remote_name_req_cancel cp;
3362 struct inquiry_entry *e; 3573 struct inquiry_entry *e;
3363 struct hci_request req; 3574 struct hci_request req;
3364 struct hci_cp_le_set_scan_enable enable_cp;
3365 int err; 3575 int err;
3366 3576
3367 BT_DBG("%s", hdev->name); 3577 BT_DBG("%s", hdev->name);
@@ -3397,10 +3607,7 @@ static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3397 } else { 3607 } else {
3398 cancel_delayed_work(&hdev->le_scan_disable); 3608 cancel_delayed_work(&hdev->le_scan_disable);
3399 3609
3400 memset(&enable_cp, 0, sizeof(enable_cp)); 3610 hci_req_add_le_scan_disable(&req);
3401 enable_cp.enable = LE_SCAN_DISABLE;
3402 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE,
3403 sizeof(enable_cp), &enable_cp);
3404 } 3611 }
3405 3612
3406 break; 3613 break;
@@ -3457,15 +3664,17 @@ static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
3457 hci_dev_lock(hdev); 3664 hci_dev_lock(hdev);
3458 3665
3459 if (!hci_discovery_active(hdev)) { 3666 if (!hci_discovery_active(hdev)) {
3460 err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 3667 err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3461 MGMT_STATUS_FAILED); 3668 MGMT_STATUS_FAILED, &cp->addr,
3669 sizeof(cp->addr));
3462 goto failed; 3670 goto failed;
3463 } 3671 }
3464 3672
3465 e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr); 3673 e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
3466 if (!e) { 3674 if (!e) {
3467 err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 3675 err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3468 MGMT_STATUS_INVALID_PARAMS); 3676 MGMT_STATUS_INVALID_PARAMS, &cp->addr,
3677 sizeof(cp->addr));
3469 goto failed; 3678 goto failed;
3470 } 3679 }
3471 3680
@@ -3754,6 +3963,21 @@ static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
3754 3963
3755 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0, NULL, 0); 3964 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0, NULL, 0);
3756 3965
3966 /* If background scan is running, restart it so new parameters are
3967 * loaded.
3968 */
3969 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
3970 hdev->discovery.state == DISCOVERY_STOPPED) {
3971 struct hci_request req;
3972
3973 hci_req_init(&req, hdev);
3974
3975 hci_req_add_le_scan_disable(&req);
3976 hci_req_add_le_passive_scan(&req);
3977
3978 hci_req_run(&req, NULL);
3979 }
3980
3757 hci_dev_unlock(hdev); 3981 hci_dev_unlock(hdev);
3758 3982
3759 return err; 3983 return err;
@@ -3999,15 +4223,269 @@ unlock:
3999 return err; 4223 return err;
4000} 4224}
4001 4225
4226static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4227 void *data, u16 len)
4228{
4229 struct mgmt_mode *cp = data;
4230 struct pending_cmd *cmd;
4231 u8 val, status;
4232 int err;
4233
4234 BT_DBG("request for %s", hdev->name);
4235
4236 status = mgmt_bredr_support(hdev);
4237 if (status)
4238 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4239 status);
4240
4241 if (!lmp_sc_capable(hdev) &&
4242 !test_bit(HCI_FORCE_SC, &hdev->dev_flags))
4243 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4244 MGMT_STATUS_NOT_SUPPORTED);
4245
4246 if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4247 return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4248 MGMT_STATUS_INVALID_PARAMS);
4249
4250 hci_dev_lock(hdev);
4251
4252 if (!hdev_is_powered(hdev)) {
4253 bool changed;
4254
4255 if (cp->val) {
4256 changed = !test_and_set_bit(HCI_SC_ENABLED,
4257 &hdev->dev_flags);
4258 if (cp->val == 0x02)
4259 set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4260 else
4261 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4262 } else {
4263 changed = test_and_clear_bit(HCI_SC_ENABLED,
4264 &hdev->dev_flags);
4265 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4266 }
4267
4268 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4269 if (err < 0)
4270 goto failed;
4271
4272 if (changed)
4273 err = new_settings(hdev, sk);
4274
4275 goto failed;
4276 }
4277
4278 if (mgmt_pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4279 err = cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4280 MGMT_STATUS_BUSY);
4281 goto failed;
4282 }
4283
4284 val = !!cp->val;
4285
4286 if (val == test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
4287 (cp->val == 0x02) == test_bit(HCI_SC_ONLY, &hdev->dev_flags)) {
4288 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4289 goto failed;
4290 }
4291
4292 cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4293 if (!cmd) {
4294 err = -ENOMEM;
4295 goto failed;
4296 }
4297
4298 err = hci_send_cmd(hdev, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4299 if (err < 0) {
4300 mgmt_pending_remove(cmd);
4301 goto failed;
4302 }
4303
4304 if (cp->val == 0x02)
4305 set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4306 else
4307 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4308
4309failed:
4310 hci_dev_unlock(hdev);
4311 return err;
4312}
4313
4314static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4315 void *data, u16 len)
4316{
4317 struct mgmt_mode *cp = data;
4318 bool changed;
4319 int err;
4320
4321 BT_DBG("request for %s", hdev->name);
4322
4323 if (cp->val != 0x00 && cp->val != 0x01)
4324 return cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4325 MGMT_STATUS_INVALID_PARAMS);
4326
4327 hci_dev_lock(hdev);
4328
4329 if (cp->val)
4330 changed = !test_and_set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
4331 else
4332 changed = test_and_clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
4333
4334 err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4335 if (err < 0)
4336 goto unlock;
4337
4338 if (changed)
4339 err = new_settings(hdev, sk);
4340
4341unlock:
4342 hci_dev_unlock(hdev);
4343 return err;
4344}
4345
4346static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4347 u16 len)
4348{
4349 struct mgmt_cp_set_privacy *cp = cp_data;
4350 bool changed;
4351 int err;
4352
4353 BT_DBG("request for %s", hdev->name);
4354
4355 if (!lmp_le_capable(hdev))
4356 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4357 MGMT_STATUS_NOT_SUPPORTED);
4358
4359 if (cp->privacy != 0x00 && cp->privacy != 0x01)
4360 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4361 MGMT_STATUS_INVALID_PARAMS);
4362
4363 if (hdev_is_powered(hdev))
4364 return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4365 MGMT_STATUS_REJECTED);
4366
4367 hci_dev_lock(hdev);
4368
4369 /* If user space supports this command it is also expected to
4370 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4371 */
4372 set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4373
4374 if (cp->privacy) {
4375 changed = !test_and_set_bit(HCI_PRIVACY, &hdev->dev_flags);
4376 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4377 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4378 } else {
4379 changed = test_and_clear_bit(HCI_PRIVACY, &hdev->dev_flags);
4380 memset(hdev->irk, 0, sizeof(hdev->irk));
4381 clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4382 }
4383
4384 err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4385 if (err < 0)
4386 goto unlock;
4387
4388 if (changed)
4389 err = new_settings(hdev, sk);
4390
4391unlock:
4392 hci_dev_unlock(hdev);
4393 return err;
4394}
4395
4396static bool irk_is_valid(struct mgmt_irk_info *irk)
4397{
4398 switch (irk->addr.type) {
4399 case BDADDR_LE_PUBLIC:
4400 return true;
4401
4402 case BDADDR_LE_RANDOM:
4403 /* Two most significant bits shall be set */
4404 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4405 return false;
4406 return true;
4407 }
4408
4409 return false;
4410}
4411
4412static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4413 u16 len)
4414{
4415 struct mgmt_cp_load_irks *cp = cp_data;
4416 u16 irk_count, expected_len;
4417 int i, err;
4418
4419 BT_DBG("request for %s", hdev->name);
4420
4421 if (!lmp_le_capable(hdev))
4422 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4423 MGMT_STATUS_NOT_SUPPORTED);
4424
4425 irk_count = __le16_to_cpu(cp->irk_count);
4426
4427 expected_len = sizeof(*cp) + irk_count * sizeof(struct mgmt_irk_info);
4428 if (expected_len != len) {
4429 BT_ERR("load_irks: expected %u bytes, got %u bytes",
4430 len, expected_len);
4431 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4432 MGMT_STATUS_INVALID_PARAMS);
4433 }
4434
4435 BT_DBG("%s irk_count %u", hdev->name, irk_count);
4436
4437 for (i = 0; i < irk_count; i++) {
4438 struct mgmt_irk_info *key = &cp->irks[i];
4439
4440 if (!irk_is_valid(key))
4441 return cmd_status(sk, hdev->id,
4442 MGMT_OP_LOAD_IRKS,
4443 MGMT_STATUS_INVALID_PARAMS);
4444 }
4445
4446 hci_dev_lock(hdev);
4447
4448 hci_smp_irks_clear(hdev);
4449
4450 for (i = 0; i < irk_count; i++) {
4451 struct mgmt_irk_info *irk = &cp->irks[i];
4452 u8 addr_type;
4453
4454 if (irk->addr.type == BDADDR_LE_PUBLIC)
4455 addr_type = ADDR_LE_DEV_PUBLIC;
4456 else
4457 addr_type = ADDR_LE_DEV_RANDOM;
4458
4459 hci_add_irk(hdev, &irk->addr.bdaddr, addr_type, irk->val,
4460 BDADDR_ANY);
4461 }
4462
4463 set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4464
4465 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
4466
4467 hci_dev_unlock(hdev);
4468
4469 return err;
4470}
4471
4002static bool ltk_is_valid(struct mgmt_ltk_info *key) 4472static bool ltk_is_valid(struct mgmt_ltk_info *key)
4003{ 4473{
4004 if (key->authenticated != 0x00 && key->authenticated != 0x01)
4005 return false;
4006 if (key->master != 0x00 && key->master != 0x01) 4474 if (key->master != 0x00 && key->master != 0x01)
4007 return false; 4475 return false;
4008 if (!bdaddr_type_is_le(key->addr.type)) 4476
4009 return false; 4477 switch (key->addr.type) {
4010 return true; 4478 case BDADDR_LE_PUBLIC:
4479 return true;
4480
4481 case BDADDR_LE_RANDOM:
4482 /* Two most significant bits shall be set */
4483 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4484 return false;
4485 return true;
4486 }
4487
4488 return false;
4011} 4489}
4012 4490
4013static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev, 4491static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
@@ -4063,9 +4541,9 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4063 else 4541 else
4064 type = HCI_SMP_LTK_SLAVE; 4542 type = HCI_SMP_LTK_SLAVE;
4065 4543
4066 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, 4544 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
4067 type, 0, key->authenticated, key->val, 4545 key->type, key->val, key->enc_size, key->ediv,
4068 key->enc_size, key->ediv, key->rand); 4546 key->rand);
4069 } 4547 }
4070 4548
4071 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0, 4549 err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
@@ -4115,7 +4593,7 @@ static const struct mgmt_handler {
4115 { user_passkey_reply, false, MGMT_USER_PASSKEY_REPLY_SIZE }, 4593 { user_passkey_reply, false, MGMT_USER_PASSKEY_REPLY_SIZE },
4116 { user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE }, 4594 { user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
4117 { read_local_oob_data, false, MGMT_READ_LOCAL_OOB_DATA_SIZE }, 4595 { read_local_oob_data, false, MGMT_READ_LOCAL_OOB_DATA_SIZE },
4118 { add_remote_oob_data, false, MGMT_ADD_REMOTE_OOB_DATA_SIZE }, 4596 { add_remote_oob_data, true, MGMT_ADD_REMOTE_OOB_DATA_SIZE },
4119 { remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE }, 4597 { remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
4120 { start_discovery, false, MGMT_START_DISCOVERY_SIZE }, 4598 { start_discovery, false, MGMT_START_DISCOVERY_SIZE },
4121 { stop_discovery, false, MGMT_STOP_DISCOVERY_SIZE }, 4599 { stop_discovery, false, MGMT_STOP_DISCOVERY_SIZE },
@@ -4127,6 +4605,10 @@ static const struct mgmt_handler {
4127 { set_bredr, false, MGMT_SETTING_SIZE }, 4605 { set_bredr, false, MGMT_SETTING_SIZE },
4128 { set_static_address, false, MGMT_SET_STATIC_ADDRESS_SIZE }, 4606 { set_static_address, false, MGMT_SET_STATIC_ADDRESS_SIZE },
4129 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE }, 4607 { set_scan_params, false, MGMT_SET_SCAN_PARAMS_SIZE },
4608 { set_secure_conn, false, MGMT_SETTING_SIZE },
4609 { set_debug_keys, false, MGMT_SETTING_SIZE },
4610 { set_privacy, false, MGMT_SET_PRIVACY_SIZE },
4611 { load_irks, true, MGMT_LOAD_IRKS_SIZE },
4130}; 4612};
4131 4613
4132 4614
@@ -4243,6 +4725,17 @@ void mgmt_index_removed(struct hci_dev *hdev)
4243 mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL); 4725 mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL);
4244} 4726}
4245 4727
4728/* This function requires the caller holds hdev->lock */
4729static void restart_le_auto_conns(struct hci_dev *hdev)
4730{
4731 struct hci_conn_params *p;
4732
4733 list_for_each_entry(p, &hdev->le_conn_params, list) {
4734 if (p->auto_connect == HCI_AUTO_CONN_ALWAYS)
4735 hci_pend_le_conn_add(hdev, &p->addr, p->addr_type);
4736 }
4737}
4738
4246static void powered_complete(struct hci_dev *hdev, u8 status) 4739static void powered_complete(struct hci_dev *hdev, u8 status)
4247{ 4740{
4248 struct cmd_lookup match = { NULL, hdev }; 4741 struct cmd_lookup match = { NULL, hdev };
@@ -4251,6 +4744,8 @@ static void powered_complete(struct hci_dev *hdev, u8 status)
4251 4744
4252 hci_dev_lock(hdev); 4745 hci_dev_lock(hdev);
4253 4746
4747 restart_le_auto_conns(hdev);
4748
4254 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); 4749 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
4255 4750
4256 new_settings(hdev, match.sk); 4751 new_settings(hdev, match.sk);
@@ -4292,11 +4787,6 @@ static int powered_update_hci(struct hci_dev *hdev)
4292 } 4787 }
4293 4788
4294 if (lmp_le_capable(hdev)) { 4789 if (lmp_le_capable(hdev)) {
4295 /* Set random address to static address if configured */
4296 if (bacmp(&hdev->static_addr, BDADDR_ANY))
4297 hci_req_add(&req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
4298 &hdev->static_addr);
4299
4300 /* Make sure the controller has a good default for 4790 /* Make sure the controller has a good default for
4301 * advertising data. This also applies to the case 4791 * advertising data. This also applies to the case
4302 * where BR/EDR was toggled during the AUTO_OFF phase. 4792 * where BR/EDR was toggled during the AUTO_OFF phase.
@@ -4422,6 +4912,10 @@ void mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
4422 if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) 4912 if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
4423 return; 4913 return;
4424 4914
4915 /* Powering off may clear the scan mode - don't let that interfere */
4916 if (!discoverable && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4917 return;
4918
4425 if (discoverable) { 4919 if (discoverable) {
4426 changed = !test_and_set_bit(HCI_DISCOVERABLE, &hdev->dev_flags); 4920 changed = !test_and_set_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
4427 } else { 4921 } else {
@@ -4455,6 +4949,10 @@ void mgmt_connectable(struct hci_dev *hdev, u8 connectable)
4455 if (mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) 4949 if (mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
4456 return; 4950 return;
4457 4951
4952 /* Powering off may clear the scan mode - don't let that interfere */
4953 if (!connectable && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4954 return;
4955
4458 if (connectable) 4956 if (connectable)
4459 changed = !test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags); 4957 changed = !test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
4460 else 4958 else
@@ -4464,6 +4962,18 @@ void mgmt_connectable(struct hci_dev *hdev, u8 connectable)
4464 new_settings(hdev, NULL); 4962 new_settings(hdev, NULL);
4465} 4963}
4466 4964
4965void mgmt_advertising(struct hci_dev *hdev, u8 advertising)
4966{
4967 /* Powering off may stop advertising - don't let that interfere */
4968 if (!advertising && mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
4969 return;
4970
4971 if (advertising)
4972 set_bit(HCI_ADVERTISING, &hdev->dev_flags);
4973 else
4974 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
4975}
4976
4467void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status) 4977void mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status)
4468{ 4978{
4469 u8 mgmt_err = mgmt_status(status); 4979 u8 mgmt_err = mgmt_status(status);
@@ -4494,28 +5004,74 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
4494 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL); 5004 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
4495} 5005}
4496 5006
4497void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, u8 persistent) 5007void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key)
4498{ 5008{
4499 struct mgmt_ev_new_long_term_key ev; 5009 struct mgmt_ev_new_long_term_key ev;
4500 5010
4501 memset(&ev, 0, sizeof(ev)); 5011 memset(&ev, 0, sizeof(ev));
4502 5012
4503 ev.store_hint = persistent; 5013 /* Devices using resolvable or non-resolvable random addresses
5014 * without providing an indentity resolving key don't require
5015 * to store long term keys. Their addresses will change the
5016 * next time around.
5017 *
5018 * Only when a remote device provides an identity address
5019 * make sure the long term key is stored. If the remote
5020 * identity is known, the long term keys are internally
5021 * mapped to the identity address. So allow static random
5022 * and public addresses here.
5023 */
5024 if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
5025 (key->bdaddr.b[5] & 0xc0) != 0xc0)
5026 ev.store_hint = 0x00;
5027 else
5028 ev.store_hint = 0x01;
5029
4504 bacpy(&ev.key.addr.bdaddr, &key->bdaddr); 5030 bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
4505 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type); 5031 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
4506 ev.key.authenticated = key->authenticated; 5032 ev.key.type = key->authenticated;
4507 ev.key.enc_size = key->enc_size; 5033 ev.key.enc_size = key->enc_size;
4508 ev.key.ediv = key->ediv; 5034 ev.key.ediv = key->ediv;
5035 ev.key.rand = key->rand;
4509 5036
4510 if (key->type == HCI_SMP_LTK) 5037 if (key->type == HCI_SMP_LTK)
4511 ev.key.master = 1; 5038 ev.key.master = 1;
4512 5039
4513 memcpy(ev.key.rand, key->rand, sizeof(key->rand));
4514 memcpy(ev.key.val, key->val, sizeof(key->val)); 5040 memcpy(ev.key.val, key->val, sizeof(key->val));
4515 5041
4516 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL); 5042 mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
4517} 5043}
4518 5044
5045void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk)
5046{
5047 struct mgmt_ev_new_irk ev;
5048
5049 memset(&ev, 0, sizeof(ev));
5050
5051 /* For identity resolving keys from devices that are already
5052 * using a public address or static random address, do not
5053 * ask for storing this key. The identity resolving key really
5054 * is only mandatory for devices using resovlable random
5055 * addresses.
5056 *
5057 * Storing all identity resolving keys has the downside that
5058 * they will be also loaded on next boot of they system. More
5059 * identity resolving keys, means more time during scanning is
5060 * needed to actually resolve these addresses.
5061 */
5062 if (bacmp(&irk->rpa, BDADDR_ANY))
5063 ev.store_hint = 0x01;
5064 else
5065 ev.store_hint = 0x00;
5066
5067 bacpy(&ev.rpa, &irk->rpa);
5068 bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
5069 ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
5070 memcpy(ev.irk.val, irk->val, sizeof(irk->val));
5071
5072 mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
5073}
5074
4519static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data, 5075static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
4520 u8 data_len) 5076 u8 data_len)
4521{ 5077{
@@ -4590,11 +5146,29 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
4590} 5146}
4591 5147
4592void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, 5148void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
4593 u8 link_type, u8 addr_type, u8 reason) 5149 u8 link_type, u8 addr_type, u8 reason,
5150 bool mgmt_connected)
4594{ 5151{
4595 struct mgmt_ev_device_disconnected ev; 5152 struct mgmt_ev_device_disconnected ev;
5153 struct pending_cmd *power_off;
4596 struct sock *sk = NULL; 5154 struct sock *sk = NULL;
4597 5155
5156 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
5157 if (power_off) {
5158 struct mgmt_mode *cp = power_off->param;
5159
5160 /* The connection is still in hci_conn_hash so test for 1
5161 * instead of 0 to know if this is the last one.
5162 */
5163 if (!cp->val && hci_conn_count(hdev) == 1) {
5164 cancel_delayed_work(&hdev->power_off);
5165 queue_work(hdev->req_workqueue, &hdev->power_off.work);
5166 }
5167 }
5168
5169 if (!mgmt_connected)
5170 return;
5171
4598 if (link_type != ACL_LINK && link_type != LE_LINK) 5172 if (link_type != ACL_LINK && link_type != LE_LINK)
4599 return; 5173 return;
4600 5174
@@ -4649,6 +5223,20 @@ void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
4649 u8 addr_type, u8 status) 5223 u8 addr_type, u8 status)
4650{ 5224{
4651 struct mgmt_ev_connect_failed ev; 5225 struct mgmt_ev_connect_failed ev;
5226 struct pending_cmd *power_off;
5227
5228 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
5229 if (power_off) {
5230 struct mgmt_mode *cp = power_off->param;
5231
5232 /* The connection is still in hci_conn_hash so test for 1
5233 * instead of 0 to know if this is the last one.
5234 */
5235 if (!cp->val && hci_conn_count(hdev) == 1) {
5236 cancel_delayed_work(&hdev->power_off);
5237 queue_work(hdev->req_workqueue, &hdev->power_off.work);
5238 }
5239 }
4652 5240
4653 bacpy(&ev.addr.bdaddr, bdaddr); 5241 bacpy(&ev.addr.bdaddr, bdaddr);
4654 ev.addr.type = link_to_bdaddr(link_type, addr_type); 5242 ev.addr.type = link_to_bdaddr(link_type, addr_type);
@@ -4910,6 +5498,43 @@ void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
4910 hci_req_run(&req, NULL); 5498 hci_req_run(&req, NULL);
4911} 5499}
4912 5500
5501void mgmt_sc_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
5502{
5503 struct cmd_lookup match = { NULL, hdev };
5504 bool changed = false;
5505
5506 if (status) {
5507 u8 mgmt_err = mgmt_status(status);
5508
5509 if (enable) {
5510 if (test_and_clear_bit(HCI_SC_ENABLED,
5511 &hdev->dev_flags))
5512 new_settings(hdev, NULL);
5513 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
5514 }
5515
5516 mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
5517 cmd_status_rsp, &mgmt_err);
5518 return;
5519 }
5520
5521 if (enable) {
5522 changed = !test_and_set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
5523 } else {
5524 changed = test_and_clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
5525 clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
5526 }
5527
5528 mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
5529 settings_rsp, &match);
5530
5531 if (changed)
5532 new_settings(hdev, match.sk);
5533
5534 if (match.sk)
5535 sock_put(match.sk);
5536}
5537
4913static void sk_lookup(struct pending_cmd *cmd, void *data) 5538static void sk_lookup(struct pending_cmd *cmd, void *data)
4914{ 5539{
4915 struct cmd_lookup *match = data; 5540 struct cmd_lookup *match = data;
@@ -4964,8 +5589,9 @@ void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
4964 cmd ? cmd->sk : NULL); 5589 cmd ? cmd->sk : NULL);
4965} 5590}
4966 5591
4967void mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash, 5592void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
4968 u8 *randomizer, u8 status) 5593 u8 *randomizer192, u8 *hash256,
5594 u8 *randomizer256, u8 status)
4969{ 5595{
4970 struct pending_cmd *cmd; 5596 struct pending_cmd *cmd;
4971 5597
@@ -4979,13 +5605,32 @@ void mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash,
4979 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 5605 cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4980 mgmt_status(status)); 5606 mgmt_status(status));
4981 } else { 5607 } else {
4982 struct mgmt_rp_read_local_oob_data rp; 5608 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
5609 hash256 && randomizer256) {
5610 struct mgmt_rp_read_local_oob_ext_data rp;
5611
5612 memcpy(rp.hash192, hash192, sizeof(rp.hash192));
5613 memcpy(rp.randomizer192, randomizer192,
5614 sizeof(rp.randomizer192));
5615
5616 memcpy(rp.hash256, hash256, sizeof(rp.hash256));
5617 memcpy(rp.randomizer256, randomizer256,
5618 sizeof(rp.randomizer256));
5619
5620 cmd_complete(cmd->sk, hdev->id,
5621 MGMT_OP_READ_LOCAL_OOB_DATA, 0,
5622 &rp, sizeof(rp));
5623 } else {
5624 struct mgmt_rp_read_local_oob_data rp;
4983 5625
4984 memcpy(rp.hash, hash, sizeof(rp.hash)); 5626 memcpy(rp.hash, hash192, sizeof(rp.hash));
4985 memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer)); 5627 memcpy(rp.randomizer, randomizer192,
5628 sizeof(rp.randomizer));
4986 5629
4987 cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, 5630 cmd_complete(cmd->sk, hdev->id,
4988 0, &rp, sizeof(rp)); 5631 MGMT_OP_READ_LOCAL_OOB_DATA, 0,
5632 &rp, sizeof(rp));
5633 }
4989 } 5634 }
4990 5635
4991 mgmt_pending_remove(cmd); 5636 mgmt_pending_remove(cmd);
@@ -4997,6 +5642,7 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
4997{ 5642{
4998 char buf[512]; 5643 char buf[512];
4999 struct mgmt_ev_device_found *ev = (void *) buf; 5644 struct mgmt_ev_device_found *ev = (void *) buf;
5645 struct smp_irk *irk;
5000 size_t ev_size; 5646 size_t ev_size;
5001 5647
5002 if (!hci_discovery_active(hdev)) 5648 if (!hci_discovery_active(hdev))
@@ -5008,8 +5654,15 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5008 5654
5009 memset(buf, 0, sizeof(buf)); 5655 memset(buf, 0, sizeof(buf));
5010 5656
5011 bacpy(&ev->addr.bdaddr, bdaddr); 5657 irk = hci_get_irk(hdev, bdaddr, addr_type);
5012 ev->addr.type = link_to_bdaddr(link_type, addr_type); 5658 if (irk) {
5659 bacpy(&ev->addr.bdaddr, &irk->bdaddr);
5660 ev->addr.type = link_to_bdaddr(link_type, irk->addr_type);
5661 } else {
5662 bacpy(&ev->addr.bdaddr, bdaddr);
5663 ev->addr.type = link_to_bdaddr(link_type, addr_type);
5664 }
5665
5013 ev->rssi = rssi; 5666 ev->rssi = rssi;
5014 if (cfm_name) 5667 if (cfm_name)
5015 ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME); 5668 ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME);
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index facd8a79c038..21e15318937c 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -216,6 +216,7 @@ static int rfcomm_check_security(struct rfcomm_dlc *d)
216 216
217 switch (d->sec_level) { 217 switch (d->sec_level) {
218 case BT_SECURITY_HIGH: 218 case BT_SECURITY_HIGH:
219 case BT_SECURITY_FIPS:
219 auth_type = HCI_AT_GENERAL_BONDING_MITM; 220 auth_type = HCI_AT_GENERAL_BONDING_MITM;
220 break; 221 break;
221 case BT_SECURITY_MEDIUM: 222 case BT_SECURITY_MEDIUM:
@@ -359,6 +360,11 @@ static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
359 return NULL; 360 return NULL;
360} 361}
361 362
363static int rfcomm_check_channel(u8 channel)
364{
365 return channel < 1 || channel > 30;
366}
367
362static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 368static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363{ 369{
364 struct rfcomm_session *s; 370 struct rfcomm_session *s;
@@ -368,7 +374,7 @@ static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
368 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 374 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369 d, d->state, src, dst, channel); 375 d, d->state, src, dst, channel);
370 376
371 if (channel < 1 || channel > 30) 377 if (rfcomm_check_channel(channel))
372 return -EINVAL; 378 return -EINVAL;
373 379
374 if (d->state != BT_OPEN && d->state != BT_CLOSED) 380 if (d->state != BT_OPEN && d->state != BT_CLOSED)
@@ -425,6 +431,20 @@ int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 chann
425 return r; 431 return r;
426} 432}
427 433
434static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
435{
436 struct rfcomm_session *s = d->session;
437
438 d->state = BT_DISCONN;
439 if (skb_queue_empty(&d->tx_queue)) {
440 rfcomm_send_disc(s, d->dlci);
441 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
442 } else {
443 rfcomm_queue_disc(d);
444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
445 }
446}
447
428static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 448static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429{ 449{
430 struct rfcomm_session *s = d->session; 450 struct rfcomm_session *s = d->session;
@@ -437,32 +457,29 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
437 switch (d->state) { 457 switch (d->state) {
438 case BT_CONNECT: 458 case BT_CONNECT:
439 case BT_CONFIG: 459 case BT_CONFIG:
460 case BT_OPEN:
461 case BT_CONNECT2:
440 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 462 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
441 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 463 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
442 rfcomm_schedule(); 464 rfcomm_schedule();
443 break; 465 return 0;
444 } 466 }
445 /* Fall through */ 467 }
446 468
469 switch (d->state) {
470 case BT_CONNECT:
447 case BT_CONNECTED: 471 case BT_CONNECTED:
448 d->state = BT_DISCONN; 472 __rfcomm_dlc_disconn(d);
449 if (skb_queue_empty(&d->tx_queue)) {
450 rfcomm_send_disc(s, d->dlci);
451 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
452 } else {
453 rfcomm_queue_disc(d);
454 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
455 }
456 break; 473 break;
457 474
458 case BT_OPEN: 475 case BT_CONFIG:
459 case BT_CONNECT2: 476 if (s->state != BT_BOUND) {
460 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 477 __rfcomm_dlc_disconn(d);
461 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
462 rfcomm_schedule();
463 break; 478 break;
464 } 479 }
465 /* Fall through */ 480 /* if closing a dlc in a session that hasn't been started,
481 * just close and unlink the dlc
482 */
466 483
467 default: 484 default:
468 rfcomm_dlc_clear_timer(d); 485 rfcomm_dlc_clear_timer(d);
@@ -513,6 +530,25 @@ no_session:
513 return r; 530 return r;
514} 531}
515 532
533struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
534{
535 struct rfcomm_session *s;
536 struct rfcomm_dlc *dlc = NULL;
537 u8 dlci;
538
539 if (rfcomm_check_channel(channel))
540 return ERR_PTR(-EINVAL);
541
542 rfcomm_lock();
543 s = rfcomm_session_get(src, dst);
544 if (s) {
545 dlci = __dlci(!s->initiator, channel);
546 dlc = rfcomm_dlc_get(s, dlci);
547 }
548 rfcomm_unlock();
549 return dlc;
550}
551
516int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 552int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
517{ 553{
518 int len = skb->len; 554 int len = skb->len;
@@ -533,6 +569,20 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
533 return len; 569 return len;
534} 570}
535 571
572void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
573{
574 int len = skb->len;
575
576 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
577
578 rfcomm_make_uih(skb, d->addr);
579 skb_queue_tail(&d->tx_queue, skb);
580
581 if (d->state == BT_CONNECTED &&
582 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
583 rfcomm_schedule();
584}
585
536void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 586void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
537{ 587{
538 BT_DBG("dlc %p state %ld", d, d->state); 588 BT_DBG("dlc %p state %ld", d, d->state);
@@ -1943,12 +1993,11 @@ static void rfcomm_process_sessions(void)
1943 continue; 1993 continue;
1944 } 1994 }
1945 1995
1946 if (s->state == BT_LISTEN) { 1996 switch (s->state) {
1997 case BT_LISTEN:
1947 rfcomm_accept_connection(s); 1998 rfcomm_accept_connection(s);
1948 continue; 1999 continue;
1949 }
1950 2000
1951 switch (s->state) {
1952 case BT_BOUND: 2001 case BT_BOUND:
1953 s = rfcomm_check_connection(s); 2002 s = rfcomm_check_connection(s);
1954 break; 2003 break;
@@ -2085,7 +2134,8 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2085 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2134 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2086 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2135 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2087 continue; 2136 continue;
2088 } else if (d->sec_level == BT_SECURITY_HIGH) { 2137 } else if (d->sec_level == BT_SECURITY_HIGH ||
2138 d->sec_level == BT_SECURITY_FIPS) {
2089 set_bit(RFCOMM_ENC_DROP, &d->flags); 2139 set_bit(RFCOMM_ENC_DROP, &d->flags);
2090 continue; 2140 continue;
2091 } 2141 }
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 3c2d3e4aa2f5..c024e715512f 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -105,13 +105,18 @@ static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
105} 105}
106 106
107/* ---- Socket functions ---- */ 107/* ---- Socket functions ---- */
108static struct sock *__rfcomm_get_sock_by_addr(u8 channel, bdaddr_t *src) 108static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
109{ 109{
110 struct sock *sk = NULL; 110 struct sock *sk = NULL;
111 111
112 sk_for_each(sk, &rfcomm_sk_list.head) { 112 sk_for_each(sk, &rfcomm_sk_list.head) {
113 if (rfcomm_pi(sk)->channel == channel && 113 if (rfcomm_pi(sk)->channel != channel)
114 !bacmp(&rfcomm_pi(sk)->src, src)) 114 continue;
115
116 if (bacmp(&rfcomm_pi(sk)->src, src))
117 continue;
118
119 if (sk->sk_state == BT_BOUND || sk->sk_state == BT_LISTEN)
115 break; 120 break;
116 } 121 }
117 122
@@ -331,6 +336,7 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
331{ 336{
332 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr; 337 struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
333 struct sock *sk = sock->sk; 338 struct sock *sk = sock->sk;
339 int chan = sa->rc_channel;
334 int err = 0; 340 int err = 0;
335 341
336 BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr); 342 BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
@@ -352,12 +358,12 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
352 358
353 write_lock(&rfcomm_sk_list.lock); 359 write_lock(&rfcomm_sk_list.lock);
354 360
355 if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) { 361 if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
356 err = -EADDRINUSE; 362 err = -EADDRINUSE;
357 } else { 363 } else {
358 /* Save source address */ 364 /* Save source address */
359 bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr); 365 bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
360 rfcomm_pi(sk)->channel = sa->rc_channel; 366 rfcomm_pi(sk)->channel = chan;
361 sk->sk_state = BT_BOUND; 367 sk->sk_state = BT_BOUND;
362 } 368 }
363 369
@@ -439,7 +445,7 @@ static int rfcomm_sock_listen(struct socket *sock, int backlog)
439 write_lock(&rfcomm_sk_list.lock); 445 write_lock(&rfcomm_sk_list.lock);
440 446
441 for (channel = 1; channel < 31; channel++) 447 for (channel = 1; channel < 31; channel++)
442 if (!__rfcomm_get_sock_by_addr(channel, src)) { 448 if (!__rfcomm_get_listen_sock_by_addr(channel, src)) {
443 rfcomm_pi(sk)->channel = channel; 449 rfcomm_pi(sk)->channel = channel;
444 err = 0; 450 err = 0;
445 break; 451 break;
@@ -528,6 +534,9 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
528 534
529 BT_DBG("sock %p, sk %p", sock, sk); 535 BT_DBG("sock %p, sk %p", sock, sk);
530 536
537 if (peer && sk->sk_state != BT_CONNECTED)
538 return -ENOTCONN;
539
531 memset(sa, 0, sizeof(*sa)); 540 memset(sa, 0, sizeof(*sa));
532 sa->rc_family = AF_BLUETOOTH; 541 sa->rc_family = AF_BLUETOOTH;
533 sa->rc_channel = rfcomm_pi(sk)->channel; 542 sa->rc_channel = rfcomm_pi(sk)->channel;
@@ -648,6 +657,11 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, char __u
648 break; 657 break;
649 } 658 }
650 659
660 if (opt & RFCOMM_LM_FIPS) {
661 err = -EINVAL;
662 break;
663 }
664
651 if (opt & RFCOMM_LM_AUTH) 665 if (opt & RFCOMM_LM_AUTH)
652 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW; 666 rfcomm_pi(sk)->sec_level = BT_SECURITY_LOW;
653 if (opt & RFCOMM_LM_ENCRYPT) 667 if (opt & RFCOMM_LM_ENCRYPT)
@@ -762,7 +776,11 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
762 break; 776 break;
763 case BT_SECURITY_HIGH: 777 case BT_SECURITY_HIGH:
764 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT | 778 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
765 RFCOMM_LM_SECURE; 779 RFCOMM_LM_SECURE;
780 break;
781 case BT_SECURITY_FIPS:
782 opt = RFCOMM_LM_AUTH | RFCOMM_LM_ENCRYPT |
783 RFCOMM_LM_SECURE | RFCOMM_LM_FIPS;
766 break; 784 break;
767 default: 785 default:
768 opt = 0; 786 opt = 0;
@@ -774,6 +792,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
774 792
775 if (put_user(opt, (u32 __user *) optval)) 793 if (put_user(opt, (u32 __user *) optval))
776 err = -EFAULT; 794 err = -EFAULT;
795
777 break; 796 break;
778 797
779 case RFCOMM_CONNINFO: 798 case RFCOMM_CONNINFO:
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index f9c0980abeea..403ec09f480a 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -40,6 +40,7 @@
40#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */ 40#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
41#define RFCOMM_TTY_MINOR 0 41#define RFCOMM_TTY_MINOR 0
42 42
43static DEFINE_MUTEX(rfcomm_ioctl_mutex);
43static struct tty_driver *rfcomm_tty_driver; 44static struct tty_driver *rfcomm_tty_driver;
44 45
45struct rfcomm_dev { 46struct rfcomm_dev {
@@ -51,6 +52,8 @@ struct rfcomm_dev {
51 unsigned long flags; 52 unsigned long flags;
52 int err; 53 int err;
53 54
55 unsigned long status; /* don't export to userspace */
56
54 bdaddr_t src; 57 bdaddr_t src;
55 bdaddr_t dst; 58 bdaddr_t dst;
56 u8 channel; 59 u8 channel;
@@ -58,7 +61,6 @@ struct rfcomm_dev {
58 uint modem_status; 61 uint modem_status;
59 62
60 struct rfcomm_dlc *dlc; 63 struct rfcomm_dlc *dlc;
61 wait_queue_head_t conn_wait;
62 64
63 struct device *tty_dev; 65 struct device *tty_dev;
64 66
@@ -83,10 +85,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)
83 85
84 BT_DBG("dev %p dlc %p", dev, dlc); 86 BT_DBG("dev %p dlc %p", dev, dlc);
85 87
86 spin_lock(&rfcomm_dev_lock);
87 list_del(&dev->list);
88 spin_unlock(&rfcomm_dev_lock);
89
90 rfcomm_dlc_lock(dlc); 88 rfcomm_dlc_lock(dlc);
91 /* Detach DLC if it's owned by this dev */ 89 /* Detach DLC if it's owned by this dev */
92 if (dlc->owner == dev) 90 if (dlc->owner == dev)
@@ -95,7 +93,12 @@ static void rfcomm_dev_destruct(struct tty_port *port)
95 93
96 rfcomm_dlc_put(dlc); 94 rfcomm_dlc_put(dlc);
97 95
98 tty_unregister_device(rfcomm_tty_driver, dev->id); 96 if (dev->tty_dev)
97 tty_unregister_device(rfcomm_tty_driver, dev->id);
98
99 spin_lock(&rfcomm_dev_lock);
100 list_del(&dev->list);
101 spin_unlock(&rfcomm_dev_lock);
99 102
100 kfree(dev); 103 kfree(dev);
101 104
@@ -104,60 +107,24 @@ static void rfcomm_dev_destruct(struct tty_port *port)
104 module_put(THIS_MODULE); 107 module_put(THIS_MODULE);
105} 108}
106 109
107static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
108{
109 struct hci_dev *hdev;
110 struct hci_conn *conn;
111
112 hdev = hci_get_route(&dev->dst, &dev->src);
113 if (!hdev)
114 return NULL;
115
116 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
117
118 hci_dev_put(hdev);
119
120 return conn ? &conn->dev : NULL;
121}
122
123/* device-specific initialization: open the dlc */ 110/* device-specific initialization: open the dlc */
124static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty) 111static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
125{ 112{
126 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port); 113 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
127 DEFINE_WAIT(wait);
128 int err; 114 int err;
129 115
130 err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel); 116 err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
131 if (err) 117 if (err)
132 return err; 118 set_bit(TTY_IO_ERROR, &tty->flags);
133 119 return err;
134 while (1) { 120}
135 prepare_to_wait(&dev->conn_wait, &wait, TASK_INTERRUPTIBLE);
136
137 if (dev->dlc->state == BT_CLOSED) {
138 err = -dev->err;
139 break;
140 }
141
142 if (dev->dlc->state == BT_CONNECTED)
143 break;
144
145 if (signal_pending(current)) {
146 err = -ERESTARTSYS;
147 break;
148 }
149
150 tty_unlock(tty);
151 schedule();
152 tty_lock(tty);
153 }
154 finish_wait(&dev->conn_wait, &wait);
155 121
156 if (!err) 122/* we block the open until the dlc->state becomes BT_CONNECTED */
157 device_move(dev->tty_dev, rfcomm_get_device(dev), 123static int rfcomm_dev_carrier_raised(struct tty_port *port)
158 DPM_ORDER_DEV_AFTER_PARENT); 124{
125 struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
159 126
160 return err; 127 return (dev->dlc->state == BT_CONNECTED);
161} 128}
162 129
163/* device-specific cleanup: close the dlc */ 130/* device-specific cleanup: close the dlc */
@@ -176,9 +143,10 @@ static const struct tty_port_operations rfcomm_port_ops = {
176 .destruct = rfcomm_dev_destruct, 143 .destruct = rfcomm_dev_destruct,
177 .activate = rfcomm_dev_activate, 144 .activate = rfcomm_dev_activate,
178 .shutdown = rfcomm_dev_shutdown, 145 .shutdown = rfcomm_dev_shutdown,
146 .carrier_raised = rfcomm_dev_carrier_raised,
179}; 147};
180 148
181static struct rfcomm_dev *__rfcomm_dev_get(int id) 149static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
182{ 150{
183 struct rfcomm_dev *dev; 151 struct rfcomm_dev *dev;
184 152
@@ -195,20 +163,41 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
195 163
196 spin_lock(&rfcomm_dev_lock); 164 spin_lock(&rfcomm_dev_lock);
197 165
198 dev = __rfcomm_dev_get(id); 166 dev = __rfcomm_dev_lookup(id);
199 167
200 if (dev) { 168 if (dev && !tty_port_get(&dev->port))
201 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) 169 dev = NULL;
202 dev = NULL;
203 else
204 tty_port_get(&dev->port);
205 }
206 170
207 spin_unlock(&rfcomm_dev_lock); 171 spin_unlock(&rfcomm_dev_lock);
208 172
209 return dev; 173 return dev;
210} 174}
211 175
176static void rfcomm_reparent_device(struct rfcomm_dev *dev)
177{
178 struct hci_dev *hdev;
179 struct hci_conn *conn;
180
181 hdev = hci_get_route(&dev->dst, &dev->src);
182 if (!hdev)
183 return;
184
185 /* The lookup results are unsafe to access without the
186 * hci device lock (FIXME: why is this not documented?)
187 */
188 hci_dev_lock(hdev);
189 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
190
191 /* Just because the acl link is in the hash table is no
192 * guarantee the sysfs device has been added ...
193 */
194 if (conn && device_is_registered(&conn->dev))
195 device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
196
197 hci_dev_unlock(hdev);
198 hci_dev_put(hdev);
199}
200
212static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf) 201static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
213{ 202{
214 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev); 203 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
@@ -224,17 +213,16 @@ static ssize_t show_channel(struct device *tty_dev, struct device_attribute *att
224static DEVICE_ATTR(address, S_IRUGO, show_address, NULL); 213static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
225static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL); 214static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
226 215
227static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) 216static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
217 struct rfcomm_dlc *dlc)
228{ 218{
229 struct rfcomm_dev *dev, *entry; 219 struct rfcomm_dev *dev, *entry;
230 struct list_head *head = &rfcomm_dev_list; 220 struct list_head *head = &rfcomm_dev_list;
231 int err = 0; 221 int err = 0;
232 222
233 BT_DBG("id %d channel %d", req->dev_id, req->channel);
234
235 dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL); 223 dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
236 if (!dev) 224 if (!dev)
237 return -ENOMEM; 225 return ERR_PTR(-ENOMEM);
238 226
239 spin_lock(&rfcomm_dev_lock); 227 spin_lock(&rfcomm_dev_lock);
240 228
@@ -282,7 +270,6 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
282 270
283 tty_port_init(&dev->port); 271 tty_port_init(&dev->port);
284 dev->port.ops = &rfcomm_port_ops; 272 dev->port.ops = &rfcomm_port_ops;
285 init_waitqueue_head(&dev->conn_wait);
286 273
287 skb_queue_head_init(&dev->pending); 274 skb_queue_head_init(&dev->pending);
288 275
@@ -318,22 +305,37 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
318 holds reference to this module. */ 305 holds reference to this module. */
319 __module_get(THIS_MODULE); 306 __module_get(THIS_MODULE);
320 307
308 spin_unlock(&rfcomm_dev_lock);
309 return dev;
310
321out: 311out:
322 spin_unlock(&rfcomm_dev_lock); 312 spin_unlock(&rfcomm_dev_lock);
313 kfree(dev);
314 return ERR_PTR(err);
315}
316
317static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
318{
319 struct rfcomm_dev *dev;
320 struct device *tty;
321
322 BT_DBG("id %d channel %d", req->dev_id, req->channel);
323 323
324 if (err < 0) 324 dev = __rfcomm_dev_add(req, dlc);
325 goto free; 325 if (IS_ERR(dev)) {
326 rfcomm_dlc_put(dlc);
327 return PTR_ERR(dev);
328 }
326 329
327 dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver, 330 tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
328 dev->id, NULL); 331 dev->id, NULL);
329 if (IS_ERR(dev->tty_dev)) { 332 if (IS_ERR(tty)) {
330 err = PTR_ERR(dev->tty_dev); 333 tty_port_put(&dev->port);
331 spin_lock(&rfcomm_dev_lock); 334 return PTR_ERR(tty);
332 list_del(&dev->list);
333 spin_unlock(&rfcomm_dev_lock);
334 goto free;
335 } 335 }
336 336
337 dev->tty_dev = tty;
338 rfcomm_reparent_device(dev);
337 dev_set_drvdata(dev->tty_dev, dev); 339 dev_set_drvdata(dev->tty_dev, dev);
338 340
339 if (device_create_file(dev->tty_dev, &dev_attr_address) < 0) 341 if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
@@ -343,24 +345,23 @@ out:
343 BT_ERR("Failed to create channel attribute"); 345 BT_ERR("Failed to create channel attribute");
344 346
345 return dev->id; 347 return dev->id;
346
347free:
348 kfree(dev);
349 return err;
350} 348}
351 349
352/* ---- Send buffer ---- */ 350/* ---- Send buffer ---- */
353static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc) 351static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
354{ 352{
355 /* We can't let it be zero, because we don't get a callback 353 struct rfcomm_dlc *dlc = dev->dlc;
356 when tx_credits becomes nonzero, hence we'd never wake up */ 354
357 return dlc->mtu * (dlc->tx_credits?:1); 355 /* Limit the outstanding number of packets not yet sent to 40 */
356 int pending = 40 - atomic_read(&dev->wmem_alloc);
357
358 return max(0, pending) * dlc->mtu;
358} 359}
359 360
360static void rfcomm_wfree(struct sk_buff *skb) 361static void rfcomm_wfree(struct sk_buff *skb)
361{ 362{
362 struct rfcomm_dev *dev = (void *) skb->sk; 363 struct rfcomm_dev *dev = (void *) skb->sk;
363 atomic_sub(skb->truesize, &dev->wmem_alloc); 364 atomic_dec(&dev->wmem_alloc);
364 if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags)) 365 if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
365 tty_port_tty_wakeup(&dev->port); 366 tty_port_tty_wakeup(&dev->port);
366 tty_port_put(&dev->port); 367 tty_port_put(&dev->port);
@@ -369,28 +370,24 @@ static void rfcomm_wfree(struct sk_buff *skb)
369static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev) 370static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
370{ 371{
371 tty_port_get(&dev->port); 372 tty_port_get(&dev->port);
372 atomic_add(skb->truesize, &dev->wmem_alloc); 373 atomic_inc(&dev->wmem_alloc);
373 skb->sk = (void *) dev; 374 skb->sk = (void *) dev;
374 skb->destructor = rfcomm_wfree; 375 skb->destructor = rfcomm_wfree;
375} 376}
376 377
377static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority) 378static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
378{ 379{
379 if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) { 380 struct sk_buff *skb = alloc_skb(size, priority);
380 struct sk_buff *skb = alloc_skb(size, priority); 381 if (skb)
381 if (skb) { 382 rfcomm_set_owner_w(skb, dev);
382 rfcomm_set_owner_w(skb, dev); 383 return skb;
383 return skb;
384 }
385 }
386 return NULL;
387} 384}
388 385
389/* ---- Device IOCTLs ---- */ 386/* ---- Device IOCTLs ---- */
390 387
391#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP)) 388#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
392 389
393static int rfcomm_create_dev(struct sock *sk, void __user *arg) 390static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
394{ 391{
395 struct rfcomm_dev_req req; 392 struct rfcomm_dev_req req;
396 struct rfcomm_dlc *dlc; 393 struct rfcomm_dlc *dlc;
@@ -412,16 +409,22 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
412 dlc = rfcomm_pi(sk)->dlc; 409 dlc = rfcomm_pi(sk)->dlc;
413 rfcomm_dlc_hold(dlc); 410 rfcomm_dlc_hold(dlc);
414 } else { 411 } else {
412 /* Validate the channel is unused */
413 dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
414 if (IS_ERR(dlc))
415 return PTR_ERR(dlc);
416 else if (dlc) {
417 rfcomm_dlc_put(dlc);
418 return -EBUSY;
419 }
415 dlc = rfcomm_dlc_alloc(GFP_KERNEL); 420 dlc = rfcomm_dlc_alloc(GFP_KERNEL);
416 if (!dlc) 421 if (!dlc)
417 return -ENOMEM; 422 return -ENOMEM;
418 } 423 }
419 424
420 id = rfcomm_dev_add(&req, dlc); 425 id = rfcomm_dev_add(&req, dlc);
421 if (id < 0) { 426 if (id < 0)
422 rfcomm_dlc_put(dlc);
423 return id; 427 return id;
424 }
425 428
426 if (req.flags & (1 << RFCOMM_REUSE_DLC)) { 429 if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
427 /* DLC is now used by device. 430 /* DLC is now used by device.
@@ -432,7 +435,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
432 return id; 435 return id;
433} 436}
434 437
435static int rfcomm_release_dev(void __user *arg) 438static int __rfcomm_release_dev(void __user *arg)
436{ 439{
437 struct rfcomm_dev_req req; 440 struct rfcomm_dev_req req;
438 struct rfcomm_dev *dev; 441 struct rfcomm_dev *dev;
@@ -452,6 +455,12 @@ static int rfcomm_release_dev(void __user *arg)
452 return -EPERM; 455 return -EPERM;
453 } 456 }
454 457
458 /* only release once */
459 if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
460 tty_port_put(&dev->port);
461 return -EALREADY;
462 }
463
455 if (req.flags & (1 << RFCOMM_HANGUP_NOW)) 464 if (req.flags & (1 << RFCOMM_HANGUP_NOW))
456 rfcomm_dlc_close(dev->dlc, 0); 465 rfcomm_dlc_close(dev->dlc, 0);
457 466
@@ -462,14 +471,35 @@ static int rfcomm_release_dev(void __user *arg)
462 tty_kref_put(tty); 471 tty_kref_put(tty);
463 } 472 }
464 473
465 if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags) && 474 if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
466 !test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
467 tty_port_put(&dev->port); 475 tty_port_put(&dev->port);
468 476
469 tty_port_put(&dev->port); 477 tty_port_put(&dev->port);
470 return 0; 478 return 0;
471} 479}
472 480
481static int rfcomm_create_dev(struct sock *sk, void __user *arg)
482{
483 int ret;
484
485 mutex_lock(&rfcomm_ioctl_mutex);
486 ret = __rfcomm_create_dev(sk, arg);
487 mutex_unlock(&rfcomm_ioctl_mutex);
488
489 return ret;
490}
491
492static int rfcomm_release_dev(void __user *arg)
493{
494 int ret;
495
496 mutex_lock(&rfcomm_ioctl_mutex);
497 ret = __rfcomm_release_dev(arg);
498 mutex_unlock(&rfcomm_ioctl_mutex);
499
500 return ret;
501}
502
473static int rfcomm_get_dev_list(void __user *arg) 503static int rfcomm_get_dev_list(void __user *arg)
474{ 504{
475 struct rfcomm_dev *dev; 505 struct rfcomm_dev *dev;
@@ -497,7 +527,7 @@ static int rfcomm_get_dev_list(void __user *arg)
497 spin_lock(&rfcomm_dev_lock); 527 spin_lock(&rfcomm_dev_lock);
498 528
499 list_for_each_entry(dev, &rfcomm_dev_list, list) { 529 list_for_each_entry(dev, &rfcomm_dev_list, list) {
500 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) 530 if (!tty_port_get(&dev->port))
501 continue; 531 continue;
502 (di + n)->id = dev->id; 532 (di + n)->id = dev->id;
503 (di + n)->flags = dev->flags; 533 (di + n)->flags = dev->flags;
@@ -505,6 +535,7 @@ static int rfcomm_get_dev_list(void __user *arg)
505 (di + n)->channel = dev->channel; 535 (di + n)->channel = dev->channel;
506 bacpy(&(di + n)->src, &dev->src); 536 bacpy(&(di + n)->src, &dev->src);
507 bacpy(&(di + n)->dst, &dev->dst); 537 bacpy(&(di + n)->dst, &dev->dst);
538 tty_port_put(&dev->port);
508 if (++n >= dev_num) 539 if (++n >= dev_num)
509 break; 540 break;
510 } 541 }
@@ -601,9 +632,11 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
601 BT_DBG("dlc %p dev %p err %d", dlc, dev, err); 632 BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
602 633
603 dev->err = err; 634 dev->err = err;
604 wake_up_interruptible(&dev->conn_wait); 635 if (dlc->state == BT_CONNECTED) {
636 rfcomm_reparent_device(dev);
605 637
606 if (dlc->state == BT_CLOSED) 638 wake_up_interruptible(&dev->port.open_wait);
639 } else if (dlc->state == BT_CLOSED)
607 tty_port_tty_hangup(&dev->port, false); 640 tty_port_tty_hangup(&dev->port, false);
608} 641}
609 642
@@ -703,8 +736,10 @@ static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
703 * when the last process closes the tty. The behaviour is expected by 736 * when the last process closes the tty. The behaviour is expected by
704 * userspace. 737 * userspace.
705 */ 738 */
706 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) 739 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
740 set_bit(RFCOMM_TTY_OWNED, &dev->status);
707 tty_port_put(&dev->port); 741 tty_port_put(&dev->port);
742 }
708 743
709 return 0; 744 return 0;
710} 745}
@@ -750,7 +785,7 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
750 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; 785 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
751 struct rfcomm_dlc *dlc = dev->dlc; 786 struct rfcomm_dlc *dlc = dev->dlc;
752 struct sk_buff *skb; 787 struct sk_buff *skb;
753 int err = 0, sent = 0, size; 788 int sent = 0, size;
754 789
755 BT_DBG("tty %p count %d", tty, count); 790 BT_DBG("tty %p count %d", tty, count);
756 791
@@ -758,7 +793,6 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
758 size = min_t(uint, count, dlc->mtu); 793 size = min_t(uint, count, dlc->mtu);
759 794
760 skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC); 795 skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
761
762 if (!skb) 796 if (!skb)
763 break; 797 break;
764 798
@@ -766,32 +800,24 @@ static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, in
766 800
767 memcpy(skb_put(skb, size), buf + sent, size); 801 memcpy(skb_put(skb, size), buf + sent, size);
768 802
769 err = rfcomm_dlc_send(dlc, skb); 803 rfcomm_dlc_send_noerror(dlc, skb);
770 if (err < 0) {
771 kfree_skb(skb);
772 break;
773 }
774 804
775 sent += size; 805 sent += size;
776 count -= size; 806 count -= size;
777 } 807 }
778 808
779 return sent ? sent : err; 809 return sent;
780} 810}
781 811
782static int rfcomm_tty_write_room(struct tty_struct *tty) 812static int rfcomm_tty_write_room(struct tty_struct *tty)
783{ 813{
784 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; 814 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
785 int room; 815 int room = 0;
786 816
787 BT_DBG("tty %p", tty); 817 if (dev && dev->dlc)
788 818 room = rfcomm_room(dev);
789 if (!dev || !dev->dlc)
790 return 0;
791 819
792 room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc); 820 BT_DBG("tty %p room %d", tty, room);
793 if (room < 0)
794 room = 0;
795 821
796 return room; 822 return room;
797} 823}
@@ -1125,7 +1151,7 @@ int __init rfcomm_init_ttys(void)
1125 rfcomm_tty_driver->subtype = SERIAL_TYPE_NORMAL; 1151 rfcomm_tty_driver->subtype = SERIAL_TYPE_NORMAL;
1126 rfcomm_tty_driver->flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV; 1152 rfcomm_tty_driver->flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1127 rfcomm_tty_driver->init_termios = tty_std_termios; 1153 rfcomm_tty_driver->init_termios = tty_std_termios;
1128 rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL; 1154 rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL;
1129 rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON; 1155 rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1130 tty_set_operations(rfcomm_tty_driver, &rfcomm_ops); 1156 tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1131 1157
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 45007362683b..f886bcae1b7e 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -78,6 +78,70 @@ static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
78 return err; 78 return err;
79} 79}
80 80
81static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
82{
83 u8 _res[16], k[16];
84 int err;
85
86 /* r' = padding || r */
87 memset(_res, 0, 13);
88 _res[13] = r[2];
89 _res[14] = r[1];
90 _res[15] = r[0];
91
92 swap128(irk, k);
93 err = smp_e(tfm, k, _res);
94 if (err) {
95 BT_ERR("Encrypt error");
96 return err;
97 }
98
99 /* The output of the random address function ah is:
100 * ah(h, r) = e(k, r') mod 2^24
101 * The output of the security function e is then truncated to 24 bits
102 * by taking the least significant 24 bits of the output of e as the
103 * result of ah.
104 */
105 res[0] = _res[15];
106 res[1] = _res[14];
107 res[2] = _res[13];
108
109 return 0;
110}
111
112bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
113 bdaddr_t *bdaddr)
114{
115 u8 hash[3];
116 int err;
117
118 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
119
120 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
121 if (err)
122 return false;
123
124 return !memcmp(bdaddr->b, hash, 3);
125}
126
127int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
128{
129 int err;
130
131 get_random_bytes(&rpa->b[3], 3);
132
133 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
134 rpa->b[5] |= 0x40; /* Set second most significant bit */
135
136 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
137 if (err < 0)
138 return err;
139
140 BT_DBG("RPA %pMR", rpa);
141
142 return 0;
143}
144
81static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16], 145static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
82 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, 146 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
83 u8 _rat, bdaddr_t *ra, u8 res[16]) 147 u8 _rat, bdaddr_t *ra, u8 res[16])
@@ -203,31 +267,45 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
203 struct smp_cmd_pairing *req, 267 struct smp_cmd_pairing *req,
204 struct smp_cmd_pairing *rsp, __u8 authreq) 268 struct smp_cmd_pairing *rsp, __u8 authreq)
205{ 269{
206 u8 dist_keys = 0; 270 struct smp_chan *smp = conn->smp_chan;
271 struct hci_conn *hcon = conn->hcon;
272 struct hci_dev *hdev = hcon->hdev;
273 u8 local_dist = 0, remote_dist = 0;
207 274
208 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) { 275 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
209 dist_keys = SMP_DIST_ENC_KEY; 276 local_dist = SMP_DIST_ENC_KEY;
277 remote_dist = SMP_DIST_ENC_KEY;
210 authreq |= SMP_AUTH_BONDING; 278 authreq |= SMP_AUTH_BONDING;
211 } else { 279 } else {
212 authreq &= ~SMP_AUTH_BONDING; 280 authreq &= ~SMP_AUTH_BONDING;
213 } 281 }
214 282
283 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
284 remote_dist |= SMP_DIST_ID_KEY;
285
286 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
287 local_dist |= SMP_DIST_ID_KEY;
288
215 if (rsp == NULL) { 289 if (rsp == NULL) {
216 req->io_capability = conn->hcon->io_capability; 290 req->io_capability = conn->hcon->io_capability;
217 req->oob_flag = SMP_OOB_NOT_PRESENT; 291 req->oob_flag = SMP_OOB_NOT_PRESENT;
218 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 292 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
219 req->init_key_dist = 0; 293 req->init_key_dist = local_dist;
220 req->resp_key_dist = dist_keys; 294 req->resp_key_dist = remote_dist;
221 req->auth_req = (authreq & AUTH_REQ_MASK); 295 req->auth_req = (authreq & AUTH_REQ_MASK);
296
297 smp->remote_key_dist = remote_dist;
222 return; 298 return;
223 } 299 }
224 300
225 rsp->io_capability = conn->hcon->io_capability; 301 rsp->io_capability = conn->hcon->io_capability;
226 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 302 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
227 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 303 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
228 rsp->init_key_dist = 0; 304 rsp->init_key_dist = req->init_key_dist & remote_dist;
229 rsp->resp_key_dist = req->resp_key_dist & dist_keys; 305 rsp->resp_key_dist = req->resp_key_dist & local_dist;
230 rsp->auth_req = (authreq & AUTH_REQ_MASK); 306 rsp->auth_req = (authreq & AUTH_REQ_MASK);
307
308 smp->remote_key_dist = rsp->init_key_dist;
231} 309}
232 310
233static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 311static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
@@ -356,29 +434,23 @@ static void confirm_work(struct work_struct *work)
356{ 434{
357 struct smp_chan *smp = container_of(work, struct smp_chan, confirm); 435 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
358 struct l2cap_conn *conn = smp->conn; 436 struct l2cap_conn *conn = smp->conn;
359 struct crypto_blkcipher *tfm; 437 struct hci_dev *hdev = conn->hcon->hdev;
438 struct crypto_blkcipher *tfm = hdev->tfm_aes;
360 struct smp_cmd_pairing_confirm cp; 439 struct smp_cmd_pairing_confirm cp;
361 int ret; 440 int ret;
362 u8 res[16], reason; 441 u8 res[16], reason;
363 442
364 BT_DBG("conn %p", conn); 443 BT_DBG("conn %p", conn);
365 444
366 tfm = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 445 /* Prevent mutual access to hdev->tfm_aes */
367 if (IS_ERR(tfm)) { 446 hci_dev_lock(hdev);
368 reason = SMP_UNSPECIFIED;
369 goto error;
370 }
371 447
372 smp->tfm = tfm; 448 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
449 conn->hcon->init_addr_type, &conn->hcon->init_addr,
450 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, res);
451
452 hci_dev_unlock(hdev);
373 453
374 if (conn->hcon->out)
375 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
376 conn->hcon->src_type, &conn->hcon->src,
377 conn->hcon->dst_type, &conn->hcon->dst, res);
378 else
379 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
380 conn->hcon->dst_type, &conn->hcon->dst,
381 conn->hcon->src_type, &conn->hcon->src, res);
382 if (ret) { 454 if (ret) {
383 reason = SMP_UNSPECIFIED; 455 reason = SMP_UNSPECIFIED;
384 goto error; 456 goto error;
@@ -400,7 +472,8 @@ static void random_work(struct work_struct *work)
400 struct smp_chan *smp = container_of(work, struct smp_chan, random); 472 struct smp_chan *smp = container_of(work, struct smp_chan, random);
401 struct l2cap_conn *conn = smp->conn; 473 struct l2cap_conn *conn = smp->conn;
402 struct hci_conn *hcon = conn->hcon; 474 struct hci_conn *hcon = conn->hcon;
403 struct crypto_blkcipher *tfm = smp->tfm; 475 struct hci_dev *hdev = hcon->hdev;
476 struct crypto_blkcipher *tfm = hdev->tfm_aes;
404 u8 reason, confirm[16], res[16], key[16]; 477 u8 reason, confirm[16], res[16], key[16];
405 int ret; 478 int ret;
406 479
@@ -411,14 +484,15 @@ static void random_work(struct work_struct *work)
411 484
412 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 485 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
413 486
414 if (hcon->out) 487 /* Prevent mutual access to hdev->tfm_aes */
415 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 488 hci_dev_lock(hdev);
416 hcon->src_type, &hcon->src, 489
417 hcon->dst_type, &hcon->dst, res); 490 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
418 else 491 hcon->init_addr_type, &hcon->init_addr,
419 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 492 hcon->resp_addr_type, &hcon->resp_addr, res);
420 hcon->dst_type, &hcon->dst, 493
421 hcon->src_type, &hcon->src, res); 494 hci_dev_unlock(hdev);
495
422 if (ret) { 496 if (ret) {
423 reason = SMP_UNSPECIFIED; 497 reason = SMP_UNSPECIFIED;
424 goto error; 498 goto error;
@@ -433,11 +507,9 @@ static void random_work(struct work_struct *work)
433 } 507 }
434 508
435 if (hcon->out) { 509 if (hcon->out) {
436 u8 stk[16], rand[8]; 510 u8 stk[16];
437 __le16 ediv; 511 __le64 rand = 0;
438 512 __le16 ediv = 0;
439 memset(rand, 0, sizeof(rand));
440 ediv = 0;
441 513
442 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, key); 514 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, key);
443 swap128(key, stk); 515 swap128(key, stk);
@@ -453,11 +525,9 @@ static void random_work(struct work_struct *work)
453 hci_le_start_enc(hcon, ediv, rand, stk); 525 hci_le_start_enc(hcon, ediv, rand, stk);
454 hcon->enc_key_size = smp->enc_key_size; 526 hcon->enc_key_size = smp->enc_key_size;
455 } else { 527 } else {
456 u8 stk[16], r[16], rand[8]; 528 u8 stk[16], r[16];
457 __le16 ediv; 529 __le64 rand = 0;
458 530 __le16 ediv = 0;
459 memset(rand, 0, sizeof(rand));
460 ediv = 0;
461 531
462 swap128(smp->prnd, r); 532 swap128(smp->prnd, r);
463 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r); 533 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
@@ -469,7 +539,7 @@ static void random_work(struct work_struct *work)
469 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 539 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
470 540
471 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 541 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
472 HCI_SMP_STK_SLAVE, 0, 0, stk, smp->enc_key_size, 542 HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
473 ediv, rand); 543 ediv, rand);
474 } 544 }
475 545
@@ -479,6 +549,20 @@ error:
479 smp_failure(conn, reason); 549 smp_failure(conn, reason);
480} 550}
481 551
552static void smp_reencrypt(struct work_struct *work)
553{
554 struct smp_chan *smp = container_of(work, struct smp_chan,
555 reencrypt.work);
556 struct l2cap_conn *conn = smp->conn;
557 struct hci_conn *hcon = conn->hcon;
558 struct smp_ltk *ltk = smp->ltk;
559
560 BT_DBG("");
561
562 hci_le_start_enc(hcon, ltk->ediv, ltk->rand, ltk->val);
563 hcon->enc_key_size = ltk->enc_size;
564}
565
482static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 566static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
483{ 567{
484 struct smp_chan *smp; 568 struct smp_chan *smp;
@@ -489,6 +573,7 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
489 573
490 INIT_WORK(&smp->confirm, confirm_work); 574 INIT_WORK(&smp->confirm, confirm_work);
491 INIT_WORK(&smp->random, random_work); 575 INIT_WORK(&smp->random, random_work);
576 INIT_DELAYED_WORK(&smp->reencrypt, smp_reencrypt);
492 577
493 smp->conn = conn; 578 smp->conn = conn;
494 conn->smp_chan = smp; 579 conn->smp_chan = smp;
@@ -502,11 +587,32 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
502void smp_chan_destroy(struct l2cap_conn *conn) 587void smp_chan_destroy(struct l2cap_conn *conn)
503{ 588{
504 struct smp_chan *smp = conn->smp_chan; 589 struct smp_chan *smp = conn->smp_chan;
590 bool complete;
505 591
506 BUG_ON(!smp); 592 BUG_ON(!smp);
507 593
508 if (smp->tfm) 594 cancel_delayed_work_sync(&smp->reencrypt);
509 crypto_free_blkcipher(smp->tfm); 595
596 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
597 mgmt_smp_complete(conn->hcon, complete);
598
599 /* If pairing failed clean up any keys we might have */
600 if (!complete) {
601 if (smp->ltk) {
602 list_del(&smp->ltk->list);
603 kfree(smp->ltk);
604 }
605
606 if (smp->slave_ltk) {
607 list_del(&smp->slave_ltk->list);
608 kfree(smp->slave_ltk);
609 }
610
611 if (smp->remote_irk) {
612 list_del(&smp->remote_irk->list);
613 kfree(smp->remote_irk);
614 }
615 }
510 616
511 kfree(smp); 617 kfree(smp);
512 conn->smp_chan = NULL; 618 conn->smp_chan = NULL;
@@ -565,6 +671,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
565 671
566 BT_DBG("conn %p", conn); 672 BT_DBG("conn %p", conn);
567 673
674 if (skb->len < sizeof(*req))
675 return SMP_UNSPECIFIED;
676
568 if (conn->hcon->link_mode & HCI_LM_MASTER) 677 if (conn->hcon->link_mode & HCI_LM_MASTER)
569 return SMP_CMD_NOTSUPP; 678 return SMP_CMD_NOTSUPP;
570 679
@@ -617,6 +726,9 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
617 726
618 BT_DBG("conn %p", conn); 727 BT_DBG("conn %p", conn);
619 728
729 if (skb->len < sizeof(*rsp))
730 return SMP_UNSPECIFIED;
731
620 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 732 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
621 return SMP_CMD_NOTSUPP; 733 return SMP_CMD_NOTSUPP;
622 734
@@ -661,6 +773,9 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
661 773
662 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 774 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
663 775
776 if (skb->len < sizeof(smp->pcnf))
777 return SMP_UNSPECIFIED;
778
664 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 779 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
665 skb_pull(skb, sizeof(smp->pcnf)); 780 skb_pull(skb, sizeof(smp->pcnf));
666 781
@@ -686,6 +801,9 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
686 801
687 BT_DBG("conn %p", conn); 802 BT_DBG("conn %p", conn);
688 803
804 if (skb->len < sizeof(smp->rrnd))
805 return SMP_UNSPECIFIED;
806
689 swap128(skb->data, smp->rrnd); 807 swap128(skb->data, smp->rrnd);
690 skb_pull(skb, sizeof(smp->rrnd)); 808 skb_pull(skb, sizeof(smp->rrnd));
691 809
@@ -699,7 +817,8 @@ static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
699 struct smp_ltk *key; 817 struct smp_ltk *key;
700 struct hci_conn *hcon = conn->hcon; 818 struct hci_conn *hcon = conn->hcon;
701 819
702 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type); 820 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
821 hcon->out);
703 if (!key) 822 if (!key)
704 return 0; 823 return 0;
705 824
@@ -724,6 +843,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
724 843
725 BT_DBG("conn %p", conn); 844 BT_DBG("conn %p", conn);
726 845
846 if (skb->len < sizeof(*rp))
847 return SMP_UNSPECIFIED;
848
727 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 849 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
728 return SMP_CMD_NOTSUPP; 850 return SMP_CMD_NOTSUPP;
729 851
@@ -813,6 +935,15 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
813 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 935 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
814 struct smp_chan *smp = conn->smp_chan; 936 struct smp_chan *smp = conn->smp_chan;
815 937
938 BT_DBG("conn %p", conn);
939
940 if (skb->len < sizeof(*rp))
941 return SMP_UNSPECIFIED;
942
943 /* Ignore this PDU if it wasn't requested */
944 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
945 return 0;
946
816 skb_pull(skb, sizeof(*rp)); 947 skb_pull(skb, sizeof(*rp));
817 948
818 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 949 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
@@ -826,21 +957,114 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
826 struct smp_chan *smp = conn->smp_chan; 957 struct smp_chan *smp = conn->smp_chan;
827 struct hci_dev *hdev = conn->hcon->hdev; 958 struct hci_dev *hdev = conn->hcon->hdev;
828 struct hci_conn *hcon = conn->hcon; 959 struct hci_conn *hcon = conn->hcon;
960 struct smp_ltk *ltk;
829 u8 authenticated; 961 u8 authenticated;
830 962
963 BT_DBG("conn %p", conn);
964
965 if (skb->len < sizeof(*rp))
966 return SMP_UNSPECIFIED;
967
968 /* Ignore this PDU if it wasn't requested */
969 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
970 return 0;
971
972 /* Mark the information as received */
973 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
974
831 skb_pull(skb, sizeof(*rp)); 975 skb_pull(skb, sizeof(*rp));
832 976
833 hci_dev_lock(hdev); 977 hci_dev_lock(hdev);
834 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 978 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
835 hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK, 1, 979 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK,
836 authenticated, smp->tk, smp->enc_key_size, 980 authenticated, smp->tk, smp->enc_key_size,
837 rp->ediv, rp->rand); 981 rp->ediv, rp->rand);
838 smp_distribute_keys(conn, 1); 982 smp->ltk = ltk;
983 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
984 smp_distribute_keys(conn);
839 hci_dev_unlock(hdev); 985 hci_dev_unlock(hdev);
840 986
841 return 0; 987 return 0;
842} 988}
843 989
990static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
991{
992 struct smp_cmd_ident_info *info = (void *) skb->data;
993 struct smp_chan *smp = conn->smp_chan;
994
995 BT_DBG("");
996
997 if (skb->len < sizeof(*info))
998 return SMP_UNSPECIFIED;
999
1000 /* Ignore this PDU if it wasn't requested */
1001 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1002 return 0;
1003
1004 skb_pull(skb, sizeof(*info));
1005
1006 memcpy(smp->irk, info->irk, 16);
1007
1008 return 0;
1009}
1010
1011static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1012 struct sk_buff *skb)
1013{
1014 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1015 struct smp_chan *smp = conn->smp_chan;
1016 struct hci_conn *hcon = conn->hcon;
1017 bdaddr_t rpa;
1018
1019 BT_DBG("");
1020
1021 if (skb->len < sizeof(*info))
1022 return SMP_UNSPECIFIED;
1023
1024 /* Ignore this PDU if it wasn't requested */
1025 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1026 return 0;
1027
1028 /* Mark the information as received */
1029 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1030
1031 skb_pull(skb, sizeof(*info));
1032
1033 /* Strictly speaking the Core Specification (4.1) allows sending
1034 * an empty address which would force us to rely on just the IRK
1035 * as "identity information". However, since such
1036 * implementations are not known of and in order to not over
1037 * complicate our implementation, simply pretend that we never
1038 * received an IRK for such a device.
1039 */
1040 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1041 BT_ERR("Ignoring IRK with no identity address");
1042 smp_distribute_keys(conn);
1043 return 0;
1044 }
1045
1046 bacpy(&smp->id_addr, &info->bdaddr);
1047 smp->id_addr_type = info->addr_type;
1048
1049 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1050 bacpy(&rpa, &hcon->dst);
1051 else
1052 bacpy(&rpa, BDADDR_ANY);
1053
1054 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1055 smp->id_addr_type, smp->irk, &rpa);
1056
1057 /* Track the connection based on the Identity Address from now on */
1058 bacpy(&hcon->dst, &smp->id_addr);
1059 hcon->dst_type = smp->id_addr_type;
1060
1061 l2cap_conn_update_id_addr(hcon);
1062
1063 smp_distribute_keys(conn);
1064
1065 return 0;
1066}
1067
844int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) 1068int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
845{ 1069{
846 struct hci_conn *hcon = conn->hcon; 1070 struct hci_conn *hcon = conn->hcon;
@@ -915,7 +1139,13 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
915 break; 1139 break;
916 1140
917 case SMP_CMD_IDENT_INFO: 1141 case SMP_CMD_IDENT_INFO:
1142 reason = smp_cmd_ident_info(conn, skb);
1143 break;
1144
918 case SMP_CMD_IDENT_ADDR_INFO: 1145 case SMP_CMD_IDENT_ADDR_INFO:
1146 reason = smp_cmd_ident_addr_info(conn, skb);
1147 break;
1148
919 case SMP_CMD_SIGN_INFO: 1149 case SMP_CMD_SIGN_INFO:
920 /* Just ignored */ 1150 /* Just ignored */
921 reason = 0; 1151 reason = 0;
@@ -937,26 +1167,51 @@ done:
937 return err; 1167 return err;
938} 1168}
939 1169
940int smp_distribute_keys(struct l2cap_conn *conn, __u8 force) 1170static void smp_notify_keys(struct l2cap_conn *conn)
1171{
1172 struct smp_chan *smp = conn->smp_chan;
1173 struct hci_conn *hcon = conn->hcon;
1174 struct hci_dev *hdev = hcon->hdev;
1175
1176 if (smp->remote_irk)
1177 mgmt_new_irk(hdev, smp->remote_irk);
1178
1179 if (smp->ltk) {
1180 smp->ltk->bdaddr_type = hcon->dst_type;
1181 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1182 mgmt_new_ltk(hdev, smp->ltk);
1183 }
1184
1185 if (smp->slave_ltk) {
1186 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1187 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1188 mgmt_new_ltk(hdev, smp->slave_ltk);
1189 }
1190}
1191
1192int smp_distribute_keys(struct l2cap_conn *conn)
941{ 1193{
942 struct smp_cmd_pairing *req, *rsp; 1194 struct smp_cmd_pairing *req, *rsp;
943 struct smp_chan *smp = conn->smp_chan; 1195 struct smp_chan *smp = conn->smp_chan;
1196 struct hci_conn *hcon = conn->hcon;
1197 struct hci_dev *hdev = hcon->hdev;
1198 bool ltk_encrypt;
944 __u8 *keydist; 1199 __u8 *keydist;
945 1200
946 BT_DBG("conn %p force %d", conn, force); 1201 BT_DBG("conn %p", conn);
947 1202
948 if (!test_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) 1203 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
949 return 0; 1204 return 0;
950 1205
951 rsp = (void *) &smp->prsp[1]; 1206 rsp = (void *) &smp->prsp[1];
952 1207
953 /* The responder sends its keys first */ 1208 /* The responder sends its keys first */
954 if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07)) 1209 if (hcon->out && (smp->remote_key_dist & 0x07))
955 return 0; 1210 return 0;
956 1211
957 req = (void *) &smp->preq[1]; 1212 req = (void *) &smp->preq[1];
958 1213
959 if (conn->hcon->out) { 1214 if (hcon->out) {
960 keydist = &rsp->init_key_dist; 1215 keydist = &rsp->init_key_dist;
961 *keydist &= req->init_key_dist; 1216 *keydist &= req->init_key_dist;
962 } else { 1217 } else {
@@ -964,28 +1219,30 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
964 *keydist &= req->resp_key_dist; 1219 *keydist &= req->resp_key_dist;
965 } 1220 }
966 1221
967
968 BT_DBG("keydist 0x%x", *keydist); 1222 BT_DBG("keydist 0x%x", *keydist);
969 1223
970 if (*keydist & SMP_DIST_ENC_KEY) { 1224 if (*keydist & SMP_DIST_ENC_KEY) {
971 struct smp_cmd_encrypt_info enc; 1225 struct smp_cmd_encrypt_info enc;
972 struct smp_cmd_master_ident ident; 1226 struct smp_cmd_master_ident ident;
973 struct hci_conn *hcon = conn->hcon; 1227 struct smp_ltk *ltk;
974 u8 authenticated; 1228 u8 authenticated;
975 __le16 ediv; 1229 __le16 ediv;
1230 __le64 rand;
976 1231
977 get_random_bytes(enc.ltk, sizeof(enc.ltk)); 1232 get_random_bytes(enc.ltk, sizeof(enc.ltk));
978 get_random_bytes(&ediv, sizeof(ediv)); 1233 get_random_bytes(&ediv, sizeof(ediv));
979 get_random_bytes(ident.rand, sizeof(ident.rand)); 1234 get_random_bytes(&rand, sizeof(rand));
980 1235
981 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1236 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
982 1237
983 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1238 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
984 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1239 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
985 HCI_SMP_LTK_SLAVE, 1, authenticated, 1240 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
986 enc.ltk, smp->enc_key_size, ediv, ident.rand); 1241 smp->enc_key_size, ediv, rand);
1242 smp->slave_ltk = ltk;
987 1243
988 ident.ediv = ediv; 1244 ident.ediv = ediv;
1245 ident.rand = rand;
989 1246
990 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1247 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
991 1248
@@ -996,14 +1253,18 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
996 struct smp_cmd_ident_addr_info addrinfo; 1253 struct smp_cmd_ident_addr_info addrinfo;
997 struct smp_cmd_ident_info idinfo; 1254 struct smp_cmd_ident_info idinfo;
998 1255
999 /* Send a dummy key */ 1256 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1000 get_random_bytes(idinfo.irk, sizeof(idinfo.irk));
1001 1257
1002 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1258 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1003 1259
1004 /* Just public address */ 1260 /* The hci_conn contains the local identity address
1005 memset(&addrinfo, 0, sizeof(addrinfo)); 1261 * after the connection has been established.
1006 bacpy(&addrinfo.bdaddr, &conn->hcon->src); 1262 *
1263 * This is true even when the connection has been
1264 * established using a resolvable random address.
1265 */
1266 bacpy(&addrinfo.bdaddr, &hcon->src);
1267 addrinfo.addr_type = hcon->src_type;
1007 1268
1008 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1269 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1009 &addrinfo); 1270 &addrinfo);
@@ -1022,9 +1283,34 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
1022 *keydist &= ~SMP_DIST_SIGN; 1283 *keydist &= ~SMP_DIST_SIGN;
1023 } 1284 }
1024 1285
1025 if (conn->hcon->out || force) { 1286 /* If there are still keys to be received wait for them */
1026 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags); 1287 if ((smp->remote_key_dist & 0x07))
1288 return 0;
1289
1290 /* Check if we should try to re-encrypt the link with the LTK.
1291 * SMP_FLAG_LTK_ENCRYPT flag is used to track whether we've
1292 * already tried this (in which case we shouldn't try again).
1293 *
1294 * The request will trigger an encryption key refresh event
1295 * which will cause a call to auth_cfm and eventually lead to
1296 * l2cap_core.c calling this smp_distribute_keys function again
1297 * and thereby completing the process.
1298 */
1299 if (smp->ltk)
1300 ltk_encrypt = !test_and_set_bit(SMP_FLAG_LTK_ENCRYPT,
1301 &smp->smp_flags);
1302 else
1303 ltk_encrypt = false;
1304
1305 /* Re-encrypt the link with LTK if possible */
1306 if (ltk_encrypt && hcon->out) {
1307 queue_delayed_work(hdev->req_workqueue, &smp->reencrypt,
1308 SMP_REENCRYPT_TIMEOUT);
1309 } else {
1310 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1027 cancel_delayed_work_sync(&conn->security_timer); 1311 cancel_delayed_work_sync(&conn->security_timer);
1312 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
1313 smp_notify_keys(conn);
1028 smp_chan_destroy(conn); 1314 smp_chan_destroy(conn);
1029 } 1315 }
1030 1316
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index a700bcb490d7..f55d83617218 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -78,7 +78,7 @@ struct smp_cmd_encrypt_info {
78#define SMP_CMD_MASTER_IDENT 0x07 78#define SMP_CMD_MASTER_IDENT 0x07
79struct smp_cmd_master_ident { 79struct smp_cmd_master_ident {
80 __le16 ediv; 80 __le16 ediv;
81 __u8 rand[8]; 81 __le64 rand;
82} __packed; 82} __packed;
83 83
84#define SMP_CMD_IDENT_INFO 0x08 84#define SMP_CMD_IDENT_INFO 0x08
@@ -118,6 +118,10 @@ struct smp_cmd_security_req {
118#define SMP_FLAG_TK_VALID 1 118#define SMP_FLAG_TK_VALID 1
119#define SMP_FLAG_CFM_PENDING 2 119#define SMP_FLAG_CFM_PENDING 2
120#define SMP_FLAG_MITM_AUTH 3 120#define SMP_FLAG_MITM_AUTH 3
121#define SMP_FLAG_LTK_ENCRYPT 4
122#define SMP_FLAG_COMPLETE 5
123
124#define SMP_REENCRYPT_TIMEOUT msecs_to_jiffies(250)
121 125
122struct smp_chan { 126struct smp_chan {
123 struct l2cap_conn *conn; 127 struct l2cap_conn *conn;
@@ -128,20 +132,30 @@ struct smp_chan {
128 u8 pcnf[16]; /* SMP Pairing Confirm */ 132 u8 pcnf[16]; /* SMP Pairing Confirm */
129 u8 tk[16]; /* SMP Temporary Key */ 133 u8 tk[16]; /* SMP Temporary Key */
130 u8 enc_key_size; 134 u8 enc_key_size;
135 u8 remote_key_dist;
136 bdaddr_t id_addr;
137 u8 id_addr_type;
138 u8 irk[16];
139 struct smp_ltk *ltk;
140 struct smp_ltk *slave_ltk;
141 struct smp_irk *remote_irk;
131 unsigned long smp_flags; 142 unsigned long smp_flags;
132 struct crypto_blkcipher *tfm;
133 struct work_struct confirm; 143 struct work_struct confirm;
134 struct work_struct random; 144 struct work_struct random;
135 145 struct delayed_work reencrypt;
136}; 146};
137 147
138/* SMP Commands */ 148/* SMP Commands */
139bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 149bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
140int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 150int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
141int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb); 151int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
142int smp_distribute_keys(struct l2cap_conn *conn, __u8 force); 152int smp_distribute_keys(struct l2cap_conn *conn);
143int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 153int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
144 154
145void smp_chan_destroy(struct l2cap_conn *conn); 155void smp_chan_destroy(struct l2cap_conn *conn);
146 156
157bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
158 bdaddr_t *bdaddr);
159int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa);
160
147#endif /* __SMP_H */ 161#endif /* __SMP_H */