aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/6lowpan.c65
-rw-r--r--net/bluetooth/hci_conn.c84
-rw-r--r--net/bluetooth/hci_core.c84
-rw-r--r--net/bluetooth/hci_event.c311
-rw-r--r--net/bluetooth/hci_sock.c17
-rw-r--r--net/bluetooth/l2cap_core.c6
-rw-r--r--net/bluetooth/l2cap_sock.c5
-rw-r--r--net/bluetooth/lib.c1
-rw-r--r--net/bluetooth/mgmt.c278
-rw-r--r--net/bluetooth/rfcomm/core.c2
-rw-r--r--net/bluetooth/rfcomm/tty.c20
-rw-r--r--net/bluetooth/smp.c160
-rw-r--r--net/bluetooth/smp.h30
13 files changed, 800 insertions, 263 deletions
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 73492b91105a..8796ffa08b43 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -420,12 +420,18 @@ static int conn_send(struct l2cap_conn *conn,
420 return 0; 420 return 0;
421} 421}
422 422
423static void get_dest_bdaddr(struct in6_addr *ip6_daddr, 423static u8 get_addr_type_from_eui64(u8 byte)
424 bdaddr_t *addr, u8 *addr_type)
425{ 424{
426 u8 *eui64; 425 /* Is universal(0) or local(1) bit, */
426 if (byte & 0x02)
427 return ADDR_LE_DEV_RANDOM;
427 428
428 eui64 = ip6_daddr->s6_addr + 8; 429 return ADDR_LE_DEV_PUBLIC;
430}
431
432static void copy_to_bdaddr(struct in6_addr *ip6_daddr, bdaddr_t *addr)
433{
434 u8 *eui64 = ip6_daddr->s6_addr + 8;
429 435
430 addr->b[0] = eui64[7]; 436 addr->b[0] = eui64[7];
431 addr->b[1] = eui64[6]; 437 addr->b[1] = eui64[6];
@@ -433,16 +439,19 @@ static void get_dest_bdaddr(struct in6_addr *ip6_daddr,
433 addr->b[3] = eui64[2]; 439 addr->b[3] = eui64[2];
434 addr->b[4] = eui64[1]; 440 addr->b[4] = eui64[1];
435 addr->b[5] = eui64[0]; 441 addr->b[5] = eui64[0];
442}
436 443
437 addr->b[5] ^= 2; 444static void convert_dest_bdaddr(struct in6_addr *ip6_daddr,
445 bdaddr_t *addr, u8 *addr_type)
446{
447 copy_to_bdaddr(ip6_daddr, addr);
438 448
439 /* Set universal/local bit to 0 */ 449 /* We need to toggle the U/L bit that we got from IPv6 address
440 if (addr->b[5] & 1) { 450 * so that we get the proper address and type of the BD address.
441 addr->b[5] &= ~1; 451 */
442 *addr_type = ADDR_LE_DEV_PUBLIC; 452 addr->b[5] ^= 0x02;
443 } else { 453
444 *addr_type = ADDR_LE_DEV_RANDOM; 454 *addr_type = get_addr_type_from_eui64(addr->b[5]);
445 }
446} 455}
447 456
448static int header_create(struct sk_buff *skb, struct net_device *netdev, 457static int header_create(struct sk_buff *skb, struct net_device *netdev,
@@ -473,9 +482,11 @@ static int header_create(struct sk_buff *skb, struct net_device *netdev,
473 /* Get destination BT device from skb. 482 /* Get destination BT device from skb.
474 * If there is no such peer then discard the packet. 483 * If there is no such peer then discard the packet.
475 */ 484 */
476 get_dest_bdaddr(&hdr->daddr, &addr, &addr_type); 485 convert_dest_bdaddr(&hdr->daddr, &addr, &addr_type);
477 486
478 BT_DBG("dest addr %pMR type %d", &addr, addr_type); 487 BT_DBG("dest addr %pMR type %s IP %pI6c", &addr,
488 addr_type == ADDR_LE_DEV_PUBLIC ? "PUBLIC" : "RANDOM",
489 &hdr->daddr);
479 490
480 read_lock_irqsave(&devices_lock, flags); 491 read_lock_irqsave(&devices_lock, flags);
481 peer = peer_lookup_ba(dev, &addr, addr_type); 492 peer = peer_lookup_ba(dev, &addr, addr_type);
@@ -556,7 +567,7 @@ static netdev_tx_t bt_xmit(struct sk_buff *skb, struct net_device *netdev)
556 } else { 567 } else {
557 unsigned long flags; 568 unsigned long flags;
558 569
559 get_dest_bdaddr(&lowpan_cb(skb)->addr, &addr, &addr_type); 570 convert_dest_bdaddr(&lowpan_cb(skb)->addr, &addr, &addr_type);
560 eui64_addr = lowpan_cb(skb)->addr.s6_addr + 8; 571 eui64_addr = lowpan_cb(skb)->addr.s6_addr + 8;
561 dev = lowpan_dev(netdev); 572 dev = lowpan_dev(netdev);
562 573
@@ -564,8 +575,10 @@ static netdev_tx_t bt_xmit(struct sk_buff *skb, struct net_device *netdev)
564 peer = peer_lookup_ba(dev, &addr, addr_type); 575 peer = peer_lookup_ba(dev, &addr, addr_type);
565 read_unlock_irqrestore(&devices_lock, flags); 576 read_unlock_irqrestore(&devices_lock, flags);
566 577
567 BT_DBG("xmit from %s to %pMR (%pI6c) peer %p", netdev->name, 578 BT_DBG("xmit %s to %pMR type %s IP %pI6c peer %p",
568 &addr, &lowpan_cb(skb)->addr, peer); 579 netdev->name, &addr,
580 addr_type == ADDR_LE_DEV_PUBLIC ? "PUBLIC" : "RANDOM",
581 &lowpan_cb(skb)->addr, peer);
569 582
570 if (peer && peer->conn) 583 if (peer && peer->conn)
571 err = send_pkt(peer->conn, netdev->dev_addr, 584 err = send_pkt(peer->conn, netdev->dev_addr,
@@ -620,13 +633,13 @@ static void set_addr(u8 *eui, u8 *addr, u8 addr_type)
620 eui[6] = addr[1]; 633 eui[6] = addr[1];
621 eui[7] = addr[0]; 634 eui[7] = addr[0];
622 635
623 eui[0] ^= 2; 636 /* Universal/local bit set, BT 6lowpan draft ch. 3.2.1 */
624
625 /* Universal/local bit set, RFC 4291 */
626 if (addr_type == ADDR_LE_DEV_PUBLIC) 637 if (addr_type == ADDR_LE_DEV_PUBLIC)
627 eui[0] |= 1; 638 eui[0] &= ~0x02;
628 else 639 else
629 eui[0] &= ~1; 640 eui[0] |= 0x02;
641
642 BT_DBG("type %d addr %*phC", addr_type, 8, eui);
630} 643}
631 644
632static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr, 645static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr,
@@ -634,7 +647,6 @@ static void set_dev_addr(struct net_device *netdev, bdaddr_t *addr,
634{ 647{
635 netdev->addr_assign_type = NET_ADDR_PERM; 648 netdev->addr_assign_type = NET_ADDR_PERM;
636 set_addr(netdev->dev_addr, addr->b, addr_type); 649 set_addr(netdev->dev_addr, addr->b, addr_type);
637 netdev->dev_addr[0] ^= 2;
638} 650}
639 651
640static void ifup(struct net_device *netdev) 652static void ifup(struct net_device *netdev)
@@ -684,13 +696,6 @@ static int add_peer_conn(struct l2cap_conn *conn, struct lowpan_dev *dev)
684 696
685 memcpy(&peer->eui64_addr, (u8 *)&peer->peer_addr.s6_addr + 8, 697 memcpy(&peer->eui64_addr, (u8 *)&peer->peer_addr.s6_addr + 8,
686 EUI64_ADDR_LEN); 698 EUI64_ADDR_LEN);
687 peer->eui64_addr[0] ^= 2; /* second bit-flip (Universe/Local)
688 * is done according RFC2464
689 */
690
691 raw_dump_inline(__func__, "peer IPv6 address",
692 (unsigned char *)&peer->peer_addr, 16);
693 raw_dump_inline(__func__, "peer EUI64 address", peer->eui64_addr, 8);
694 699
695 write_lock_irqsave(&devices_lock, flags); 700 write_lock_irqsave(&devices_lock, flags);
696 INIT_LIST_HEAD(&peer->list); 701 INIT_LIST_HEAD(&peer->list);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 521fd4f3985e..8671bc79a35b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -28,6 +28,7 @@
28 28
29#include <net/bluetooth/bluetooth.h> 29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h> 30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/l2cap.h>
31 32
32#include "smp.h" 33#include "smp.h"
33#include "a2mp.h" 34#include "a2mp.h"
@@ -367,9 +368,23 @@ static void le_conn_timeout(struct work_struct *work)
367{ 368{
368 struct hci_conn *conn = container_of(work, struct hci_conn, 369 struct hci_conn *conn = container_of(work, struct hci_conn,
369 le_conn_timeout.work); 370 le_conn_timeout.work);
371 struct hci_dev *hdev = conn->hdev;
370 372
371 BT_DBG(""); 373 BT_DBG("");
372 374
375 /* We could end up here due to having done directed advertising,
376 * so clean up the state if necessary. This should however only
377 * happen with broken hardware or if low duty cycle was used
378 * (which doesn't have a timeout of its own).
379 */
380 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
381 u8 enable = 0x00;
382 hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
383 &enable);
384 hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
385 return;
386 }
387
373 hci_le_create_connection_cancel(conn); 388 hci_le_create_connection_cancel(conn);
374} 389}
375 390
@@ -393,6 +408,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
393 conn->io_capability = hdev->io_capability; 408 conn->io_capability = hdev->io_capability;
394 conn->remote_auth = 0xff; 409 conn->remote_auth = 0xff;
395 conn->key_type = 0xff; 410 conn->key_type = 0xff;
411 conn->tx_power = HCI_TX_POWER_INVALID;
412 conn->max_tx_power = HCI_TX_POWER_INVALID;
396 413
397 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 414 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
398 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 415 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
@@ -401,6 +418,10 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
401 case ACL_LINK: 418 case ACL_LINK:
402 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK; 419 conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
403 break; 420 break;
421 case LE_LINK:
422 /* conn->src should reflect the local identity address */
423 hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
424 break;
404 case SCO_LINK: 425 case SCO_LINK:
405 if (lmp_esco_capable(hdev)) 426 if (lmp_esco_capable(hdev))
406 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 427 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
@@ -545,6 +566,11 @@ void hci_le_conn_failed(struct hci_conn *conn, u8 status)
545 * favor of connection establishment, we should restart it. 566 * favor of connection establishment, we should restart it.
546 */ 567 */
547 hci_update_background_scan(hdev); 568 hci_update_background_scan(hdev);
569
570 /* Re-enable advertising in case this was a failed connection
571 * attempt as a peripheral.
572 */
573 mgmt_reenable_advertising(hdev);
548} 574}
549 575
550static void create_le_conn_complete(struct hci_dev *hdev, u8 status) 576static void create_le_conn_complete(struct hci_dev *hdev, u8 status)
@@ -605,6 +631,45 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
605 conn->state = BT_CONNECT; 631 conn->state = BT_CONNECT;
606} 632}
607 633
634static void hci_req_directed_advertising(struct hci_request *req,
635 struct hci_conn *conn)
636{
637 struct hci_dev *hdev = req->hdev;
638 struct hci_cp_le_set_adv_param cp;
639 u8 own_addr_type;
640 u8 enable;
641
642 enable = 0x00;
643 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
644
645 /* Clear the HCI_ADVERTISING bit temporarily so that the
646 * hci_update_random_address knows that it's safe to go ahead
647 * and write a new random address. The flag will be set back on
648 * as soon as the SET_ADV_ENABLE HCI command completes.
649 */
650 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
651
652 /* Set require_privacy to false so that the remote device has a
653 * chance of identifying us.
654 */
655 if (hci_update_random_address(req, false, &own_addr_type) < 0)
656 return;
657
658 memset(&cp, 0, sizeof(cp));
659 cp.type = LE_ADV_DIRECT_IND;
660 cp.own_address_type = own_addr_type;
661 cp.direct_addr_type = conn->dst_type;
662 bacpy(&cp.direct_addr, &conn->dst);
663 cp.channel_map = hdev->le_adv_channel_map;
664
665 hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
666
667 enable = 0x01;
668 hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
669
670 conn->state = BT_CONNECT;
671}
672
608struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, 673struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
609 u8 dst_type, u8 sec_level, u8 auth_type) 674 u8 dst_type, u8 sec_level, u8 auth_type)
610{ 675{
@@ -614,9 +679,6 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
614 struct hci_request req; 679 struct hci_request req;
615 int err; 680 int err;
616 681
617 if (test_bit(HCI_ADVERTISING, &hdev->flags))
618 return ERR_PTR(-ENOTSUPP);
619
620 /* Some devices send ATT messages as soon as the physical link is 682 /* Some devices send ATT messages as soon as the physical link is
621 * established. To be able to handle these ATT messages, the user- 683 * established. To be able to handle these ATT messages, the user-
622 * space first establishes the connection and then starts the pairing 684 * space first establishes the connection and then starts the pairing
@@ -664,13 +726,20 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
664 return ERR_PTR(-ENOMEM); 726 return ERR_PTR(-ENOMEM);
665 727
666 conn->dst_type = dst_type; 728 conn->dst_type = dst_type;
667
668 conn->out = true;
669 conn->link_mode |= HCI_LM_MASTER;
670 conn->sec_level = BT_SECURITY_LOW; 729 conn->sec_level = BT_SECURITY_LOW;
671 conn->pending_sec_level = sec_level; 730 conn->pending_sec_level = sec_level;
672 conn->auth_type = auth_type; 731 conn->auth_type = auth_type;
673 732
733 hci_req_init(&req, hdev);
734
735 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
736 hci_req_directed_advertising(&req, conn);
737 goto create_conn;
738 }
739
740 conn->out = true;
741 conn->link_mode |= HCI_LM_MASTER;
742
674 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 743 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
675 if (params) { 744 if (params) {
676 conn->le_conn_min_interval = params->conn_min_interval; 745 conn->le_conn_min_interval = params->conn_min_interval;
@@ -680,8 +749,6 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
680 conn->le_conn_max_interval = hdev->le_conn_max_interval; 749 conn->le_conn_max_interval = hdev->le_conn_max_interval;
681 } 750 }
682 751
683 hci_req_init(&req, hdev);
684
685 /* If controller is scanning, we stop it since some controllers are 752 /* If controller is scanning, we stop it since some controllers are
686 * not able to scan and connect at the same time. Also set the 753 * not able to scan and connect at the same time. Also set the
687 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete 754 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
@@ -695,6 +762,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
695 762
696 hci_req_add_le_create_conn(&req, conn); 763 hci_req_add_le_create_conn(&req, conn);
697 764
765create_conn:
698 err = hci_req_run(&req, create_le_conn_complete); 766 err = hci_req_run(&req, create_le_conn_complete);
699 if (err) { 767 if (err) {
700 hci_conn_del(conn); 768 hci_conn_del(conn);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1c6ffaa8902f..0a43cce9a914 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -34,6 +34,7 @@
34 34
35#include <net/bluetooth/bluetooth.h> 35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h> 36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
37 38
38#include "smp.h" 39#include "smp.h"
39 40
@@ -579,6 +580,62 @@ static int sniff_max_interval_get(void *data, u64 *val)
579DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get, 580DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
580 sniff_max_interval_set, "%llu\n"); 581 sniff_max_interval_set, "%llu\n");
581 582
583static int conn_info_min_age_set(void *data, u64 val)
584{
585 struct hci_dev *hdev = data;
586
587 if (val == 0 || val > hdev->conn_info_max_age)
588 return -EINVAL;
589
590 hci_dev_lock(hdev);
591 hdev->conn_info_min_age = val;
592 hci_dev_unlock(hdev);
593
594 return 0;
595}
596
597static int conn_info_min_age_get(void *data, u64 *val)
598{
599 struct hci_dev *hdev = data;
600
601 hci_dev_lock(hdev);
602 *val = hdev->conn_info_min_age;
603 hci_dev_unlock(hdev);
604
605 return 0;
606}
607
608DEFINE_SIMPLE_ATTRIBUTE(conn_info_min_age_fops, conn_info_min_age_get,
609 conn_info_min_age_set, "%llu\n");
610
611static int conn_info_max_age_set(void *data, u64 val)
612{
613 struct hci_dev *hdev = data;
614
615 if (val == 0 || val < hdev->conn_info_min_age)
616 return -EINVAL;
617
618 hci_dev_lock(hdev);
619 hdev->conn_info_max_age = val;
620 hci_dev_unlock(hdev);
621
622 return 0;
623}
624
625static int conn_info_max_age_get(void *data, u64 *val)
626{
627 struct hci_dev *hdev = data;
628
629 hci_dev_lock(hdev);
630 *val = hdev->conn_info_max_age;
631 hci_dev_unlock(hdev);
632
633 return 0;
634}
635
636DEFINE_SIMPLE_ATTRIBUTE(conn_info_max_age_fops, conn_info_max_age_get,
637 conn_info_max_age_set, "%llu\n");
638
582static int identity_show(struct seq_file *f, void *p) 639static int identity_show(struct seq_file *f, void *p)
583{ 640{
584 struct hci_dev *hdev = f->private; 641 struct hci_dev *hdev = f->private;
@@ -955,14 +1012,9 @@ static ssize_t le_auto_conn_write(struct file *file, const char __user *data,
955 if (count < 3) 1012 if (count < 3)
956 return -EINVAL; 1013 return -EINVAL;
957 1014
958 buf = kzalloc(count, GFP_KERNEL); 1015 buf = memdup_user(data, count);
959 if (!buf) 1016 if (IS_ERR(buf))
960 return -ENOMEM; 1017 return PTR_ERR(buf);
961
962 if (copy_from_user(buf, data, count)) {
963 err = -EFAULT;
964 goto done;
965 }
966 1018
967 if (memcmp(buf, "add", 3) == 0) { 1019 if (memcmp(buf, "add", 3) == 0) {
968 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu", 1020 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu",
@@ -1759,6 +1811,11 @@ static int __hci_init(struct hci_dev *hdev)
1759 &blacklist_fops); 1811 &blacklist_fops);
1760 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops); 1812 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
1761 1813
1814 debugfs_create_file("conn_info_min_age", 0644, hdev->debugfs, hdev,
1815 &conn_info_min_age_fops);
1816 debugfs_create_file("conn_info_max_age", 0644, hdev->debugfs, hdev,
1817 &conn_info_max_age_fops);
1818
1762 if (lmp_bredr_capable(hdev)) { 1819 if (lmp_bredr_capable(hdev)) {
1763 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs, 1820 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
1764 hdev, &inquiry_cache_fops); 1821 hdev, &inquiry_cache_fops);
@@ -1828,6 +1885,9 @@ static int __hci_init(struct hci_dev *hdev)
1828 &lowpan_debugfs_fops); 1885 &lowpan_debugfs_fops);
1829 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev, 1886 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev,
1830 &le_auto_conn_fops); 1887 &le_auto_conn_fops);
1888 debugfs_create_u16("discov_interleaved_timeout", 0644,
1889 hdev->debugfs,
1890 &hdev->discov_interleaved_timeout);
1831 } 1891 }
1832 1892
1833 return 0; 1893 return 0;
@@ -2033,12 +2093,11 @@ bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
2033 2093
2034 hci_remove_remote_oob_data(hdev, &data->bdaddr); 2094 hci_remove_remote_oob_data(hdev, &data->bdaddr);
2035 2095
2036 if (ssp) 2096 *ssp = data->ssp_mode;
2037 *ssp = data->ssp_mode;
2038 2097
2039 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr); 2098 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
2040 if (ie) { 2099 if (ie) {
2041 if (ie->data.ssp_mode && ssp) 2100 if (ie->data.ssp_mode)
2042 *ssp = true; 2101 *ssp = true;
2043 2102
2044 if (ie->name_state == NAME_NEEDED && 2103 if (ie->name_state == NAME_NEEDED &&
@@ -3791,6 +3850,9 @@ struct hci_dev *hci_alloc_dev(void)
3791 hdev->le_conn_max_interval = 0x0038; 3850 hdev->le_conn_max_interval = 0x0038;
3792 3851
3793 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT; 3852 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3853 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
3854 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
3855 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
3794 3856
3795 mutex_init(&hdev->lock); 3857 mutex_init(&hdev->lock);
3796 mutex_init(&hdev->req_lock); 3858 mutex_init(&hdev->req_lock);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 682f33a38366..21e5913d12e0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -991,10 +991,25 @@ static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
991 if (!sent) 991 if (!sent)
992 return; 992 return;
993 993
994 if (status)
995 return;
996
994 hci_dev_lock(hdev); 997 hci_dev_lock(hdev);
995 998
996 if (!status) 999 /* If we're doing connection initation as peripheral. Set a
997 mgmt_advertising(hdev, *sent); 1000 * timeout in case something goes wrong.
1001 */
1002 if (*sent) {
1003 struct hci_conn *conn;
1004
1005 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1006 if (conn)
1007 queue_delayed_work(hdev->workqueue,
1008 &conn->le_conn_timeout,
1009 HCI_LE_CONN_TIMEOUT);
1010 }
1011
1012 mgmt_advertising(hdev, *sent);
998 1013
999 hci_dev_unlock(hdev); 1014 hci_dev_unlock(hdev);
1000} 1015}
@@ -1018,6 +1033,33 @@ static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1018 hci_dev_unlock(hdev); 1033 hci_dev_unlock(hdev);
1019} 1034}
1020 1035
1036static bool has_pending_adv_report(struct hci_dev *hdev)
1037{
1038 struct discovery_state *d = &hdev->discovery;
1039
1040 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1041}
1042
1043static void clear_pending_adv_report(struct hci_dev *hdev)
1044{
1045 struct discovery_state *d = &hdev->discovery;
1046
1047 bacpy(&d->last_adv_addr, BDADDR_ANY);
1048 d->last_adv_data_len = 0;
1049}
1050
1051static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1052 u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
1053{
1054 struct discovery_state *d = &hdev->discovery;
1055
1056 bacpy(&d->last_adv_addr, bdaddr);
1057 d->last_adv_addr_type = bdaddr_type;
1058 d->last_adv_rssi = rssi;
1059 memcpy(d->last_adv_data, data, len);
1060 d->last_adv_data_len = len;
1061}
1062
1021static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1063static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1022 struct sk_buff *skb) 1064 struct sk_buff *skb)
1023{ 1065{
@@ -1036,9 +1078,25 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1036 switch (cp->enable) { 1078 switch (cp->enable) {
1037 case LE_SCAN_ENABLE: 1079 case LE_SCAN_ENABLE:
1038 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1080 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1081 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1082 clear_pending_adv_report(hdev);
1039 break; 1083 break;
1040 1084
1041 case LE_SCAN_DISABLE: 1085 case LE_SCAN_DISABLE:
1086 /* We do this here instead of when setting DISCOVERY_STOPPED
1087 * since the latter would potentially require waiting for
1088 * inquiry to stop too.
1089 */
1090 if (has_pending_adv_report(hdev)) {
1091 struct discovery_state *d = &hdev->discovery;
1092
1093 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1094 d->last_adv_addr_type, NULL,
1095 d->last_adv_rssi, 0, 1,
1096 d->last_adv_data,
1097 d->last_adv_data_len, NULL, 0);
1098 }
1099
1042 /* Cancel this timer so that we don't try to disable scanning 1100 /* Cancel this timer so that we don't try to disable scanning
1043 * when it's already disabled. 1101 * when it's already disabled.
1044 */ 1102 */
@@ -1187,6 +1245,59 @@ static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1187 amp_write_rem_assoc_continue(hdev, rp->phy_handle); 1245 amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1188} 1246}
1189 1247
1248static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1249{
1250 struct hci_rp_read_rssi *rp = (void *) skb->data;
1251 struct hci_conn *conn;
1252
1253 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1254
1255 if (rp->status)
1256 return;
1257
1258 hci_dev_lock(hdev);
1259
1260 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1261 if (conn)
1262 conn->rssi = rp->rssi;
1263
1264 hci_dev_unlock(hdev);
1265}
1266
1267static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1268{
1269 struct hci_cp_read_tx_power *sent;
1270 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1271 struct hci_conn *conn;
1272
1273 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1274
1275 if (rp->status)
1276 return;
1277
1278 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1279 if (!sent)
1280 return;
1281
1282 hci_dev_lock(hdev);
1283
1284 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1285 if (!conn)
1286 goto unlock;
1287
1288 switch (sent->type) {
1289 case 0x00:
1290 conn->tx_power = rp->tx_power;
1291 break;
1292 case 0x01:
1293 conn->max_tx_power = rp->tx_power;
1294 break;
1295 }
1296
1297unlock:
1298 hci_dev_unlock(hdev);
1299}
1300
1190static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1301static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1191{ 1302{
1192 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1303 BT_DBG("%s status 0x%2.2x", hdev->name, status);
@@ -1342,6 +1453,7 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1342 * is requested. 1453 * is requested.
1343 */ 1454 */
1344 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1455 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1456 conn->pending_sec_level != BT_SECURITY_FIPS &&
1345 conn->pending_sec_level != BT_SECURITY_HIGH && 1457 conn->pending_sec_level != BT_SECURITY_HIGH &&
1346 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1458 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1347 return 0; 1459 return 0;
@@ -1827,7 +1939,7 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1827 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp); 1939 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1828 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 1940 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1829 info->dev_class, 0, !name_known, ssp, NULL, 1941 info->dev_class, 0, !name_known, ssp, NULL,
1830 0); 1942 0, NULL, 0);
1831 } 1943 }
1832 1944
1833 hci_dev_unlock(hdev); 1945 hci_dev_unlock(hdev);
@@ -2579,6 +2691,14 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2579 hci_cc_write_remote_amp_assoc(hdev, skb); 2691 hci_cc_write_remote_amp_assoc(hdev, skb);
2580 break; 2692 break;
2581 2693
2694 case HCI_OP_READ_RSSI:
2695 hci_cc_read_rssi(hdev, skb);
2696 break;
2697
2698 case HCI_OP_READ_TX_POWER:
2699 hci_cc_read_tx_power(hdev, skb);
2700 break;
2701
2582 default: 2702 default:
2583 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2703 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2584 break; 2704 break;
@@ -2957,7 +3077,8 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2957 } 3077 }
2958 3078
2959 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3079 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2960 conn->pending_sec_level == BT_SECURITY_HIGH) { 3080 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3081 conn->pending_sec_level == BT_SECURITY_FIPS)) {
2961 BT_DBG("%s ignoring key unauthenticated for high security", 3082 BT_DBG("%s ignoring key unauthenticated for high security",
2962 hdev->name); 3083 hdev->name);
2963 goto not_found; 3084 goto not_found;
@@ -3102,7 +3223,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3102 false, &ssp); 3223 false, &ssp);
3103 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3224 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3104 info->dev_class, info->rssi, 3225 info->dev_class, info->rssi,
3105 !name_known, ssp, NULL, 0); 3226 !name_known, ssp, NULL, 0, NULL, 0);
3106 } 3227 }
3107 } else { 3228 } else {
3108 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3229 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
@@ -3120,7 +3241,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3120 false, &ssp); 3241 false, &ssp);
3121 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3242 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3122 info->dev_class, info->rssi, 3243 info->dev_class, info->rssi,
3123 !name_known, ssp, NULL, 0); 3244 !name_known, ssp, NULL, 0, NULL, 0);
3124 } 3245 }
3125 } 3246 }
3126 3247
@@ -3309,7 +3430,7 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3309 eir_len = eir_get_length(info->data, sizeof(info->data)); 3430 eir_len = eir_get_length(info->data, sizeof(info->data));
3310 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3431 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3311 info->dev_class, info->rssi, !name_known, 3432 info->dev_class, info->rssi, !name_known,
3312 ssp, info->data, eir_len); 3433 ssp, info->data, eir_len, NULL, 0);
3313 } 3434 }
3314 3435
3315 hci_dev_unlock(hdev); 3436 hci_dev_unlock(hdev);
@@ -3367,24 +3488,20 @@ unlock:
3367 3488
3368static u8 hci_get_auth_req(struct hci_conn *conn) 3489static u8 hci_get_auth_req(struct hci_conn *conn)
3369{ 3490{
3370 /* If remote requests dedicated bonding follow that lead */
3371 if (conn->remote_auth == HCI_AT_DEDICATED_BONDING ||
3372 conn->remote_auth == HCI_AT_DEDICATED_BONDING_MITM) {
3373 /* If both remote and local IO capabilities allow MITM
3374 * protection then require it, otherwise don't */
3375 if (conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT ||
3376 conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)
3377 return HCI_AT_DEDICATED_BONDING;
3378 else
3379 return HCI_AT_DEDICATED_BONDING_MITM;
3380 }
3381
3382 /* If remote requests no-bonding follow that lead */ 3491 /* If remote requests no-bonding follow that lead */
3383 if (conn->remote_auth == HCI_AT_NO_BONDING || 3492 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3384 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3493 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3385 return conn->remote_auth | (conn->auth_type & 0x01); 3494 return conn->remote_auth | (conn->auth_type & 0x01);
3386 3495
3387 return conn->auth_type; 3496 /* If both remote and local have enough IO capabilities, require
3497 * MITM protection
3498 */
3499 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3500 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3501 return conn->remote_auth | 0x01;
3502
3503 /* No MITM protection possible so ignore remote requirement */
3504 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3388} 3505}
3389 3506
3390static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3507static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -3414,8 +3531,21 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3414 * to DisplayYesNo as it is not supported by BT spec. */ 3531 * to DisplayYesNo as it is not supported by BT spec. */
3415 cp.capability = (conn->io_capability == 0x04) ? 3532 cp.capability = (conn->io_capability == 0x04) ?
3416 HCI_IO_DISPLAY_YESNO : conn->io_capability; 3533 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3417 conn->auth_type = hci_get_auth_req(conn); 3534
3418 cp.authentication = conn->auth_type; 3535 /* If we are initiators, there is no remote information yet */
3536 if (conn->remote_auth == 0xff) {
3537 cp.authentication = conn->auth_type;
3538
3539 /* Request MITM protection if our IO caps allow it
3540 * except for the no-bonding case
3541 */
3542 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3543 cp.authentication != HCI_AT_NO_BONDING)
3544 cp.authentication |= 0x01;
3545 } else {
3546 conn->auth_type = hci_get_auth_req(conn);
3547 cp.authentication = conn->auth_type;
3548 }
3419 3549
3420 if (hci_find_remote_oob_data(hdev, &conn->dst) && 3550 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3421 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3551 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
@@ -3483,12 +3613,9 @@ static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3483 rem_mitm = (conn->remote_auth & 0x01); 3613 rem_mitm = (conn->remote_auth & 0x01);
3484 3614
3485 /* If we require MITM but the remote device can't provide that 3615 /* If we require MITM but the remote device can't provide that
3486 * (it has NoInputNoOutput) then reject the confirmation 3616 * (it has NoInputNoOutput) then reject the confirmation request
3487 * request. The only exception is when we're dedicated bonding 3617 */
3488 * initiators (connect_cfm_cb set) since then we always have the MITM 3618 if (loc_mitm && conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3489 * bit set. */
3490 if (!conn->connect_cfm_cb && loc_mitm &&
3491 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3492 BT_DBG("Rejecting request: remote device can't provide MITM"); 3619 BT_DBG("Rejecting request: remote device can't provide MITM");
3493 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 3620 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3494 sizeof(ev->bdaddr), &ev->bdaddr); 3621 sizeof(ev->bdaddr), &ev->bdaddr);
@@ -3846,17 +3973,6 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3846 3973
3847 conn->dst_type = ev->bdaddr_type; 3974 conn->dst_type = ev->bdaddr_type;
3848 3975
3849 /* The advertising parameters for own address type
3850 * define which source address and source address
3851 * type this connections has.
3852 */
3853 if (bacmp(&conn->src, BDADDR_ANY)) {
3854 conn->src_type = ADDR_LE_DEV_PUBLIC;
3855 } else {
3856 bacpy(&conn->src, &hdev->static_addr);
3857 conn->src_type = ADDR_LE_DEV_RANDOM;
3858 }
3859
3860 if (ev->role == LE_CONN_ROLE_MASTER) { 3976 if (ev->role == LE_CONN_ROLE_MASTER) {
3861 conn->out = true; 3977 conn->out = true;
3862 conn->link_mode |= HCI_LM_MASTER; 3978 conn->link_mode |= HCI_LM_MASTER;
@@ -3881,27 +3997,24 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3881 &conn->init_addr, 3997 &conn->init_addr,
3882 &conn->init_addr_type); 3998 &conn->init_addr_type);
3883 } 3999 }
3884 } else {
3885 /* Set the responder (our side) address type based on
3886 * the advertising address type.
3887 */
3888 conn->resp_addr_type = hdev->adv_addr_type;
3889 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3890 bacpy(&conn->resp_addr, &hdev->random_addr);
3891 else
3892 bacpy(&conn->resp_addr, &hdev->bdaddr);
3893
3894 conn->init_addr_type = ev->bdaddr_type;
3895 bacpy(&conn->init_addr, &ev->bdaddr);
3896 } 4000 }
3897 } else { 4001 } else {
3898 cancel_delayed_work(&conn->le_conn_timeout); 4002 cancel_delayed_work(&conn->le_conn_timeout);
3899 } 4003 }
3900 4004
3901 /* Ensure that the hci_conn contains the identity address type 4005 if (!conn->out) {
3902 * regardless of which address the connection was made with. 4006 /* Set the responder (our side) address type based on
3903 */ 4007 * the advertising address type.
3904 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 4008 */
4009 conn->resp_addr_type = hdev->adv_addr_type;
4010 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4011 bacpy(&conn->resp_addr, &hdev->random_addr);
4012 else
4013 bacpy(&conn->resp_addr, &hdev->bdaddr);
4014
4015 conn->init_addr_type = ev->bdaddr_type;
4016 bacpy(&conn->init_addr, &ev->bdaddr);
4017 }
3905 4018
3906 /* Lookup the identity address from the stored connection 4019 /* Lookup the identity address from the stored connection
3907 * address and address type. 4020 * address and address type.
@@ -3981,25 +4094,97 @@ static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3981 } 4094 }
3982} 4095}
3983 4096
4097static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4098 u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
4099{
4100 struct discovery_state *d = &hdev->discovery;
4101 bool match;
4102
4103 /* Passive scanning shouldn't trigger any device found events */
4104 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4105 if (type == LE_ADV_IND || type == LE_ADV_DIRECT_IND)
4106 check_pending_le_conn(hdev, bdaddr, bdaddr_type);
4107 return;
4108 }
4109
4110 /* If there's nothing pending either store the data from this
4111 * event or send an immediate device found event if the data
4112 * should not be stored for later.
4113 */
4114 if (!has_pending_adv_report(hdev)) {
4115 /* If the report will trigger a SCAN_REQ store it for
4116 * later merging.
4117 */
4118 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4119 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4120 rssi, data, len);
4121 return;
4122 }
4123
4124 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4125 rssi, 0, 1, data, len, NULL, 0);
4126 return;
4127 }
4128
4129 /* Check if the pending report is for the same device as the new one */
4130 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4131 bdaddr_type == d->last_adv_addr_type);
4132
4133 /* If the pending data doesn't match this report or this isn't a
4134 * scan response (e.g. we got a duplicate ADV_IND) then force
4135 * sending of the pending data.
4136 */
4137 if (type != LE_ADV_SCAN_RSP || !match) {
4138 /* Send out whatever is in the cache, but skip duplicates */
4139 if (!match)
4140 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4141 d->last_adv_addr_type, NULL,
4142 d->last_adv_rssi, 0, 1,
4143 d->last_adv_data,
4144 d->last_adv_data_len, NULL, 0);
4145
4146 /* If the new report will trigger a SCAN_REQ store it for
4147 * later merging.
4148 */
4149 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4150 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4151 rssi, data, len);
4152 return;
4153 }
4154
4155 /* The advertising reports cannot be merged, so clear
4156 * the pending report and send out a device found event.
4157 */
4158 clear_pending_adv_report(hdev);
4159 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4160 rssi, 0, 1, data, len, NULL, 0);
4161 return;
4162 }
4163
4164 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4165 * the new event is a SCAN_RSP. We can therefore proceed with
4166 * sending a merged device found event.
4167 */
4168 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4169 d->last_adv_addr_type, NULL, rssi, 0, 1, data, len,
4170 d->last_adv_data, d->last_adv_data_len);
4171 clear_pending_adv_report(hdev);
4172}
4173
3984static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4174static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3985{ 4175{
3986 u8 num_reports = skb->data[0]; 4176 u8 num_reports = skb->data[0];
3987 void *ptr = &skb->data[1]; 4177 void *ptr = &skb->data[1];
3988 s8 rssi;
3989 4178
3990 hci_dev_lock(hdev); 4179 hci_dev_lock(hdev);
3991 4180
3992 while (num_reports--) { 4181 while (num_reports--) {
3993 struct hci_ev_le_advertising_info *ev = ptr; 4182 struct hci_ev_le_advertising_info *ev = ptr;
3994 4183 s8 rssi;
3995 if (ev->evt_type == LE_ADV_IND ||
3996 ev->evt_type == LE_ADV_DIRECT_IND)
3997 check_pending_le_conn(hdev, &ev->bdaddr,
3998 ev->bdaddr_type);
3999 4184
4000 rssi = ev->data[ev->length]; 4185 rssi = ev->data[ev->length];
4001 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type, 4186 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4002 NULL, rssi, 0, 1, ev->data, ev->length); 4187 ev->bdaddr_type, rssi, ev->data, ev->length);
4003 4188
4004 ptr += sizeof(*ev) + ev->length + 1; 4189 ptr += sizeof(*ev) + ev->length + 1;
4005 } 4190 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index b9a418e578e0..80d25c150a65 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -143,7 +143,7 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
143 143
144 if (!skb_copy) { 144 if (!skb_copy) {
145 /* Create a private copy with headroom */ 145 /* Create a private copy with headroom */
146 skb_copy = __pskb_copy(skb, 1, GFP_ATOMIC); 146 skb_copy = __pskb_copy_fclone(skb, 1, GFP_ATOMIC, true);
147 if (!skb_copy) 147 if (!skb_copy)
148 continue; 148 continue;
149 149
@@ -247,8 +247,8 @@ void hci_send_to_monitor(struct hci_dev *hdev, struct sk_buff *skb)
247 struct hci_mon_hdr *hdr; 247 struct hci_mon_hdr *hdr;
248 248
249 /* Create a private copy with headroom */ 249 /* Create a private copy with headroom */
250 skb_copy = __pskb_copy(skb, HCI_MON_HDR_SIZE, 250 skb_copy = __pskb_copy_fclone(skb, HCI_MON_HDR_SIZE,
251 GFP_ATOMIC); 251 GFP_ATOMIC, true);
252 if (!skb_copy) 252 if (!skb_copy)
253 continue; 253 continue;
254 254
@@ -524,16 +524,7 @@ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
524 case HCISETRAW: 524 case HCISETRAW:
525 if (!capable(CAP_NET_ADMIN)) 525 if (!capable(CAP_NET_ADMIN))
526 return -EPERM; 526 return -EPERM;
527 527 return -EOPNOTSUPP;
528 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
529 return -EPERM;
530
531 if (arg)
532 set_bit(HCI_RAW, &hdev->flags);
533 else
534 clear_bit(HCI_RAW, &hdev->flags);
535
536 return 0;
537 528
538 case HCIGETCONNINFO: 529 case HCIGETCONNINFO:
539 return hci_get_conn_info(hdev, (void __user *) arg); 530 return hci_get_conn_info(hdev, (void __user *) arg);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index dc4d301d3a72..6eabbe05fe54 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -471,8 +471,14 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 471 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
472 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 472 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
473 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 473 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
474 chan->remote_max_tx = chan->max_tx;
475 chan->remote_tx_win = chan->tx_win;
474 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 476 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->sec_level = BT_SECURITY_LOW; 477 chan->sec_level = BT_SECURITY_LOW;
478 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
479 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
480 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
481 chan->conf_state = 0;
476 482
477 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 483 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
478} 484}
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ef5e5b04f34f..ade3fb4c23bc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1180,13 +1180,16 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
1180 /* Check for backlog size */ 1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) { 1181 if (sk_acceptq_is_full(parent)) {
1182 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1182 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183 release_sock(parent);
1183 return NULL; 1184 return NULL;
1184 } 1185 }
1185 1186
1186 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1187 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
1187 GFP_ATOMIC); 1188 GFP_ATOMIC);
1188 if (!sk) 1189 if (!sk) {
1190 release_sock(parent);
1189 return NULL; 1191 return NULL;
1192 }
1190 1193
1191 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1194 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
1192 1195
diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
index b3fbc73516c4..941ad7530eda 100644
--- a/net/bluetooth/lib.c
+++ b/net/bluetooth/lib.c
@@ -58,6 +58,7 @@ int bt_to_errno(__u16 code)
58 return EIO; 58 return EIO;
59 59
60 case 0x04: 60 case 0x04:
61 case 0x3c:
61 return EHOSTDOWN; 62 return EHOSTDOWN;
62 63
63 case 0x05: 64 case 0x05:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index d2d4e0d5aed0..0fce54412ffd 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -29,12 +29,13 @@
29 29
30#include <net/bluetooth/bluetooth.h> 30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h> 31#include <net/bluetooth/hci_core.h>
32#include <net/bluetooth/l2cap.h>
32#include <net/bluetooth/mgmt.h> 33#include <net/bluetooth/mgmt.h>
33 34
34#include "smp.h" 35#include "smp.h"
35 36
36#define MGMT_VERSION 1 37#define MGMT_VERSION 1
37#define MGMT_REVISION 5 38#define MGMT_REVISION 6
38 39
39static const u16 mgmt_commands[] = { 40static const u16 mgmt_commands[] = {
40 MGMT_OP_READ_INDEX_LIST, 41 MGMT_OP_READ_INDEX_LIST,
@@ -83,6 +84,7 @@ static const u16 mgmt_commands[] = {
83 MGMT_OP_SET_DEBUG_KEYS, 84 MGMT_OP_SET_DEBUG_KEYS,
84 MGMT_OP_SET_PRIVACY, 85 MGMT_OP_SET_PRIVACY,
85 MGMT_OP_LOAD_IRKS, 86 MGMT_OP_LOAD_IRKS,
87 MGMT_OP_GET_CONN_INFO,
86}; 88};
87 89
88static const u16 mgmt_events[] = { 90static const u16 mgmt_events[] = {
@@ -2850,10 +2852,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2850 } 2852 }
2851 2853
2852 sec_level = BT_SECURITY_MEDIUM; 2854 sec_level = BT_SECURITY_MEDIUM;
2853 if (cp->io_cap == 0x03) 2855 auth_type = HCI_AT_DEDICATED_BONDING;
2854 auth_type = HCI_AT_DEDICATED_BONDING;
2855 else
2856 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2857 2856
2858 if (cp->addr.type == BDADDR_BREDR) { 2857 if (cp->addr.type == BDADDR_BREDR) {
2859 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level, 2858 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
@@ -3351,6 +3350,8 @@ static int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status)
3351 3350
3352static void start_discovery_complete(struct hci_dev *hdev, u8 status) 3351static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3353{ 3352{
3353 unsigned long timeout = 0;
3354
3354 BT_DBG("status %d", status); 3355 BT_DBG("status %d", status);
3355 3356
3356 if (status) { 3357 if (status) {
@@ -3366,13 +3367,11 @@ static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3366 3367
3367 switch (hdev->discovery.type) { 3368 switch (hdev->discovery.type) {
3368 case DISCOV_TYPE_LE: 3369 case DISCOV_TYPE_LE:
3369 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 3370 timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
3370 DISCOV_LE_TIMEOUT);
3371 break; 3371 break;
3372 3372
3373 case DISCOV_TYPE_INTERLEAVED: 3373 case DISCOV_TYPE_INTERLEAVED:
3374 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 3374 timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
3375 DISCOV_INTERLEAVED_TIMEOUT);
3376 break; 3375 break;
3377 3376
3378 case DISCOV_TYPE_BREDR: 3377 case DISCOV_TYPE_BREDR:
@@ -3381,6 +3380,11 @@ static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3381 default: 3380 default:
3382 BT_ERR("Invalid discovery type %d", hdev->discovery.type); 3381 BT_ERR("Invalid discovery type %d", hdev->discovery.type);
3383 } 3382 }
3383
3384 if (!timeout)
3385 return;
3386
3387 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, timeout);
3384} 3388}
3385 3389
3386static int start_discovery(struct sock *sk, struct hci_dev *hdev, 3390static int start_discovery(struct sock *sk, struct hci_dev *hdev,
@@ -4530,7 +4534,7 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4530 4534
4531 for (i = 0; i < key_count; i++) { 4535 for (i = 0; i < key_count; i++) {
4532 struct mgmt_ltk_info *key = &cp->keys[i]; 4536 struct mgmt_ltk_info *key = &cp->keys[i];
4533 u8 type, addr_type; 4537 u8 type, addr_type, authenticated;
4534 4538
4535 if (key->addr.type == BDADDR_LE_PUBLIC) 4539 if (key->addr.type == BDADDR_LE_PUBLIC)
4536 addr_type = ADDR_LE_DEV_PUBLIC; 4540 addr_type = ADDR_LE_DEV_PUBLIC;
@@ -4542,8 +4546,19 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4542 else 4546 else
4543 type = HCI_SMP_LTK_SLAVE; 4547 type = HCI_SMP_LTK_SLAVE;
4544 4548
4549 switch (key->type) {
4550 case MGMT_LTK_UNAUTHENTICATED:
4551 authenticated = 0x00;
4552 break;
4553 case MGMT_LTK_AUTHENTICATED:
4554 authenticated = 0x01;
4555 break;
4556 default:
4557 continue;
4558 }
4559
4545 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type, 4560 hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
4546 key->type, key->val, key->enc_size, key->ediv, 4561 authenticated, key->val, key->enc_size, key->ediv,
4547 key->rand); 4562 key->rand);
4548 } 4563 }
4549 4564
@@ -4555,6 +4570,218 @@ static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4555 return err; 4570 return err;
4556} 4571}
4557 4572
4573struct cmd_conn_lookup {
4574 struct hci_conn *conn;
4575 bool valid_tx_power;
4576 u8 mgmt_status;
4577};
4578
4579static void get_conn_info_complete(struct pending_cmd *cmd, void *data)
4580{
4581 struct cmd_conn_lookup *match = data;
4582 struct mgmt_cp_get_conn_info *cp;
4583 struct mgmt_rp_get_conn_info rp;
4584 struct hci_conn *conn = cmd->user_data;
4585
4586 if (conn != match->conn)
4587 return;
4588
4589 cp = (struct mgmt_cp_get_conn_info *) cmd->param;
4590
4591 memset(&rp, 0, sizeof(rp));
4592 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4593 rp.addr.type = cp->addr.type;
4594
4595 if (!match->mgmt_status) {
4596 rp.rssi = conn->rssi;
4597
4598 if (match->valid_tx_power) {
4599 rp.tx_power = conn->tx_power;
4600 rp.max_tx_power = conn->max_tx_power;
4601 } else {
4602 rp.tx_power = HCI_TX_POWER_INVALID;
4603 rp.max_tx_power = HCI_TX_POWER_INVALID;
4604 }
4605 }
4606
4607 cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
4608 match->mgmt_status, &rp, sizeof(rp));
4609
4610 hci_conn_drop(conn);
4611
4612 mgmt_pending_remove(cmd);
4613}
4614
4615static void conn_info_refresh_complete(struct hci_dev *hdev, u8 status)
4616{
4617 struct hci_cp_read_rssi *cp;
4618 struct hci_conn *conn;
4619 struct cmd_conn_lookup match;
4620 u16 handle;
4621
4622 BT_DBG("status 0x%02x", status);
4623
4624 hci_dev_lock(hdev);
4625
4626 /* TX power data is valid in case request completed successfully,
4627 * otherwise we assume it's not valid. At the moment we assume that
4628 * either both or none of current and max values are valid to keep code
4629 * simple.
4630 */
4631 match.valid_tx_power = !status;
4632
4633 /* Commands sent in request are either Read RSSI or Read Transmit Power
4634 * Level so we check which one was last sent to retrieve connection
4635 * handle. Both commands have handle as first parameter so it's safe to
4636 * cast data on the same command struct.
4637 *
4638 * First command sent is always Read RSSI and we fail only if it fails.
4639 * In other case we simply override error to indicate success as we
4640 * already remembered if TX power value is actually valid.
4641 */
4642 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
4643 if (!cp) {
4644 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
4645 status = 0;
4646 }
4647
4648 if (!cp) {
4649 BT_ERR("invalid sent_cmd in response");
4650 goto unlock;
4651 }
4652
4653 handle = __le16_to_cpu(cp->handle);
4654 conn = hci_conn_hash_lookup_handle(hdev, handle);
4655 if (!conn) {
4656 BT_ERR("unknown handle (%d) in response", handle);
4657 goto unlock;
4658 }
4659
4660 match.conn = conn;
4661 match.mgmt_status = mgmt_status(status);
4662
4663 /* Cache refresh is complete, now reply for mgmt request for given
4664 * connection only.
4665 */
4666 mgmt_pending_foreach(MGMT_OP_GET_CONN_INFO, hdev,
4667 get_conn_info_complete, &match);
4668
4669unlock:
4670 hci_dev_unlock(hdev);
4671}
4672
4673static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
4674 u16 len)
4675{
4676 struct mgmt_cp_get_conn_info *cp = data;
4677 struct mgmt_rp_get_conn_info rp;
4678 struct hci_conn *conn;
4679 unsigned long conn_info_age;
4680 int err = 0;
4681
4682 BT_DBG("%s", hdev->name);
4683
4684 memset(&rp, 0, sizeof(rp));
4685 bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4686 rp.addr.type = cp->addr.type;
4687
4688 if (!bdaddr_type_is_valid(cp->addr.type))
4689 return cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4690 MGMT_STATUS_INVALID_PARAMS,
4691 &rp, sizeof(rp));
4692
4693 hci_dev_lock(hdev);
4694
4695 if (!hdev_is_powered(hdev)) {
4696 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4697 MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
4698 goto unlock;
4699 }
4700
4701 if (cp->addr.type == BDADDR_BREDR)
4702 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
4703 &cp->addr.bdaddr);
4704 else
4705 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
4706
4707 if (!conn || conn->state != BT_CONNECTED) {
4708 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4709 MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
4710 goto unlock;
4711 }
4712
4713 /* To avoid client trying to guess when to poll again for information we
4714 * calculate conn info age as random value between min/max set in hdev.
4715 */
4716 conn_info_age = hdev->conn_info_min_age +
4717 prandom_u32_max(hdev->conn_info_max_age -
4718 hdev->conn_info_min_age);
4719
4720 /* Query controller to refresh cached values if they are too old or were
4721 * never read.
4722 */
4723 if (time_after(jiffies, conn->conn_info_timestamp +
4724 msecs_to_jiffies(conn_info_age)) ||
4725 !conn->conn_info_timestamp) {
4726 struct hci_request req;
4727 struct hci_cp_read_tx_power req_txp_cp;
4728 struct hci_cp_read_rssi req_rssi_cp;
4729 struct pending_cmd *cmd;
4730
4731 hci_req_init(&req, hdev);
4732 req_rssi_cp.handle = cpu_to_le16(conn->handle);
4733 hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
4734 &req_rssi_cp);
4735
4736 /* For LE links TX power does not change thus we don't need to
4737 * query for it once value is known.
4738 */
4739 if (!bdaddr_type_is_le(cp->addr.type) ||
4740 conn->tx_power == HCI_TX_POWER_INVALID) {
4741 req_txp_cp.handle = cpu_to_le16(conn->handle);
4742 req_txp_cp.type = 0x00;
4743 hci_req_add(&req, HCI_OP_READ_TX_POWER,
4744 sizeof(req_txp_cp), &req_txp_cp);
4745 }
4746
4747 /* Max TX power needs to be read only once per connection */
4748 if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
4749 req_txp_cp.handle = cpu_to_le16(conn->handle);
4750 req_txp_cp.type = 0x01;
4751 hci_req_add(&req, HCI_OP_READ_TX_POWER,
4752 sizeof(req_txp_cp), &req_txp_cp);
4753 }
4754
4755 err = hci_req_run(&req, conn_info_refresh_complete);
4756 if (err < 0)
4757 goto unlock;
4758
4759 cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
4760 data, len);
4761 if (!cmd) {
4762 err = -ENOMEM;
4763 goto unlock;
4764 }
4765
4766 hci_conn_hold(conn);
4767 cmd->user_data = conn;
4768
4769 conn->conn_info_timestamp = jiffies;
4770 } else {
4771 /* Cache is valid, just reply with values cached in hci_conn */
4772 rp.rssi = conn->rssi;
4773 rp.tx_power = conn->tx_power;
4774 rp.max_tx_power = conn->max_tx_power;
4775
4776 err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4777 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
4778 }
4779
4780unlock:
4781 hci_dev_unlock(hdev);
4782 return err;
4783}
4784
4558static const struct mgmt_handler { 4785static const struct mgmt_handler {
4559 int (*func) (struct sock *sk, struct hci_dev *hdev, void *data, 4786 int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
4560 u16 data_len); 4787 u16 data_len);
@@ -4610,6 +4837,7 @@ static const struct mgmt_handler {
4610 { set_debug_keys, false, MGMT_SETTING_SIZE }, 4837 { set_debug_keys, false, MGMT_SETTING_SIZE },
4611 { set_privacy, false, MGMT_SET_PRIVACY_SIZE }, 4838 { set_privacy, false, MGMT_SET_PRIVACY_SIZE },
4612 { load_irks, true, MGMT_LOAD_IRKS_SIZE }, 4839 { load_irks, true, MGMT_LOAD_IRKS_SIZE },
4840 { get_conn_info, false, MGMT_GET_CONN_INFO_SIZE },
4613}; 4841};
4614 4842
4615 4843
@@ -5005,6 +5233,14 @@ void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
5005 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL); 5233 mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
5006} 5234}
5007 5235
5236static u8 mgmt_ltk_type(struct smp_ltk *ltk)
5237{
5238 if (ltk->authenticated)
5239 return MGMT_LTK_AUTHENTICATED;
5240
5241 return MGMT_LTK_UNAUTHENTICATED;
5242}
5243
5008void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent) 5244void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
5009{ 5245{
5010 struct mgmt_ev_new_long_term_key ev; 5246 struct mgmt_ev_new_long_term_key ev;
@@ -5030,7 +5266,7 @@ void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
5030 5266
5031 bacpy(&ev.key.addr.bdaddr, &key->bdaddr); 5267 bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
5032 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type); 5268 ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
5033 ev.key.type = key->authenticated; 5269 ev.key.type = mgmt_ltk_type(key);
5034 ev.key.enc_size = key->enc_size; 5270 ev.key.enc_size = key->enc_size;
5035 ev.key.ediv = key->ediv; 5271 ev.key.ediv = key->ediv;
5036 ev.key.rand = key->rand; 5272 ev.key.rand = key->rand;
@@ -5668,8 +5904,9 @@ void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
5668} 5904}
5669 5905
5670void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type, 5906void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5671 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name, u8 5907 u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name,
5672 ssp, u8 *eir, u16 eir_len) 5908 u8 ssp, u8 *eir, u16 eir_len, u8 *scan_rsp,
5909 u8 scan_rsp_len)
5673{ 5910{
5674 char buf[512]; 5911 char buf[512];
5675 struct mgmt_ev_device_found *ev = (void *) buf; 5912 struct mgmt_ev_device_found *ev = (void *) buf;
@@ -5679,8 +5916,10 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5679 if (!hci_discovery_active(hdev)) 5916 if (!hci_discovery_active(hdev))
5680 return; 5917 return;
5681 5918
5682 /* Leave 5 bytes for a potential CoD field */ 5919 /* Make sure that the buffer is big enough. The 5 extra bytes
5683 if (sizeof(*ev) + eir_len + 5 > sizeof(buf)) 5920 * are for the potential CoD field.
5921 */
5922 if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
5684 return; 5923 return;
5685 5924
5686 memset(buf, 0, sizeof(buf)); 5925 memset(buf, 0, sizeof(buf));
@@ -5707,8 +5946,11 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
5707 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV, 5946 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
5708 dev_class, 3); 5947 dev_class, 3);
5709 5948
5710 ev->eir_len = cpu_to_le16(eir_len); 5949 if (scan_rsp_len > 0)
5711 ev_size = sizeof(*ev) + eir_len; 5950 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
5951
5952 ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
5953 ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
5712 5954
5713 mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL); 5955 mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
5714} 5956}
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index cf620260affa..754b6fe4f742 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -307,7 +307,7 @@ struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
307 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 307 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
308 308
309 skb_queue_head_init(&d->tx_queue); 309 skb_queue_head_init(&d->tx_queue);
310 spin_lock_init(&d->lock); 310 mutex_init(&d->lock);
311 atomic_set(&d->refcnt, 1); 311 atomic_set(&d->refcnt, 1);
312 312
313 rfcomm_dlc_clear_state(d); 313 rfcomm_dlc_clear_state(d);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 403ec09f480a..8e385a0ae60e 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -70,7 +70,7 @@ struct rfcomm_dev {
70}; 70};
71 71
72static LIST_HEAD(rfcomm_dev_list); 72static LIST_HEAD(rfcomm_dev_list);
73static DEFINE_SPINLOCK(rfcomm_dev_lock); 73static DEFINE_MUTEX(rfcomm_dev_lock);
74 74
75static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb); 75static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
76static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err); 76static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
@@ -96,9 +96,9 @@ static void rfcomm_dev_destruct(struct tty_port *port)
96 if (dev->tty_dev) 96 if (dev->tty_dev)
97 tty_unregister_device(rfcomm_tty_driver, dev->id); 97 tty_unregister_device(rfcomm_tty_driver, dev->id);
98 98
99 spin_lock(&rfcomm_dev_lock); 99 mutex_lock(&rfcomm_dev_lock);
100 list_del(&dev->list); 100 list_del(&dev->list);
101 spin_unlock(&rfcomm_dev_lock); 101 mutex_unlock(&rfcomm_dev_lock);
102 102
103 kfree(dev); 103 kfree(dev);
104 104
@@ -161,14 +161,14 @@ static struct rfcomm_dev *rfcomm_dev_get(int id)
161{ 161{
162 struct rfcomm_dev *dev; 162 struct rfcomm_dev *dev;
163 163
164 spin_lock(&rfcomm_dev_lock); 164 mutex_lock(&rfcomm_dev_lock);
165 165
166 dev = __rfcomm_dev_lookup(id); 166 dev = __rfcomm_dev_lookup(id);
167 167
168 if (dev && !tty_port_get(&dev->port)) 168 if (dev && !tty_port_get(&dev->port))
169 dev = NULL; 169 dev = NULL;
170 170
171 spin_unlock(&rfcomm_dev_lock); 171 mutex_unlock(&rfcomm_dev_lock);
172 172
173 return dev; 173 return dev;
174} 174}
@@ -224,7 +224,7 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
224 if (!dev) 224 if (!dev)
225 return ERR_PTR(-ENOMEM); 225 return ERR_PTR(-ENOMEM);
226 226
227 spin_lock(&rfcomm_dev_lock); 227 mutex_lock(&rfcomm_dev_lock);
228 228
229 if (req->dev_id < 0) { 229 if (req->dev_id < 0) {
230 dev->id = 0; 230 dev->id = 0;
@@ -305,11 +305,11 @@ static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
305 holds reference to this module. */ 305 holds reference to this module. */
306 __module_get(THIS_MODULE); 306 __module_get(THIS_MODULE);
307 307
308 spin_unlock(&rfcomm_dev_lock); 308 mutex_unlock(&rfcomm_dev_lock);
309 return dev; 309 return dev;
310 310
311out: 311out:
312 spin_unlock(&rfcomm_dev_lock); 312 mutex_unlock(&rfcomm_dev_lock);
313 kfree(dev); 313 kfree(dev);
314 return ERR_PTR(err); 314 return ERR_PTR(err);
315} 315}
@@ -524,7 +524,7 @@ static int rfcomm_get_dev_list(void __user *arg)
524 524
525 di = dl->dev_info; 525 di = dl->dev_info;
526 526
527 spin_lock(&rfcomm_dev_lock); 527 mutex_lock(&rfcomm_dev_lock);
528 528
529 list_for_each_entry(dev, &rfcomm_dev_list, list) { 529 list_for_each_entry(dev, &rfcomm_dev_list, list) {
530 if (!tty_port_get(&dev->port)) 530 if (!tty_port_get(&dev->port))
@@ -540,7 +540,7 @@ static int rfcomm_get_dev_list(void __user *arg)
540 break; 540 break;
541 } 541 }
542 542
543 spin_unlock(&rfcomm_dev_lock); 543 mutex_unlock(&rfcomm_dev_lock);
544 544
545 dl->dev_num = n; 545 dl->dev_num = n;
546 size = sizeof(*dl) + n * sizeof(*di); 546 size = sizeof(*dl) + n * sizeof(*di);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index dfb4e1161c10..3d1cc164557d 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -35,6 +35,33 @@
35 35
36#define AUTH_REQ_MASK 0x07 36#define AUTH_REQ_MASK 0x07
37 37
38#define SMP_FLAG_TK_VALID 1
39#define SMP_FLAG_CFM_PENDING 2
40#define SMP_FLAG_MITM_AUTH 3
41#define SMP_FLAG_COMPLETE 4
42#define SMP_FLAG_INITIATOR 5
43
44struct smp_chan {
45 struct l2cap_conn *conn;
46 u8 preq[7]; /* SMP Pairing Request */
47 u8 prsp[7]; /* SMP Pairing Response */
48 u8 prnd[16]; /* SMP Pairing Random (local) */
49 u8 rrnd[16]; /* SMP Pairing Random (remote) */
50 u8 pcnf[16]; /* SMP Pairing Confirm */
51 u8 tk[16]; /* SMP Temporary Key */
52 u8 enc_key_size;
53 u8 remote_key_dist;
54 bdaddr_t id_addr;
55 u8 id_addr_type;
56 u8 irk[16];
57 struct smp_csrk *csrk;
58 struct smp_csrk *slave_csrk;
59 struct smp_ltk *ltk;
60 struct smp_ltk *slave_ltk;
61 struct smp_irk *remote_irk;
62 unsigned long flags;
63};
64
38static inline void swap128(const u8 src[16], u8 dst[16]) 65static inline void swap128(const u8 src[16], u8 dst[16])
39{ 66{
40 int i; 67 int i;
@@ -369,7 +396,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
369 396
370 /* Initialize key for JUST WORKS */ 397 /* Initialize key for JUST WORKS */
371 memset(smp->tk, 0, sizeof(smp->tk)); 398 memset(smp->tk, 0, sizeof(smp->tk));
372 clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 399 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
373 400
374 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 401 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
375 402
@@ -388,19 +415,18 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
388 method = JUST_WORKS; 415 method = JUST_WORKS;
389 416
390 /* Don't confirm locally initiated pairing attempts */ 417 /* Don't confirm locally initiated pairing attempts */
391 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 418 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
392 &smp->smp_flags))
393 method = JUST_WORKS; 419 method = JUST_WORKS;
394 420
395 /* If Just Works, Continue with Zero TK */ 421 /* If Just Works, Continue with Zero TK */
396 if (method == JUST_WORKS) { 422 if (method == JUST_WORKS) {
397 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 423 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
398 return 0; 424 return 0;
399 } 425 }
400 426
401 /* Not Just Works/Confirm results in MITM Authentication */ 427 /* Not Just Works/Confirm results in MITM Authentication */
402 if (method != JUST_CFM) 428 if (method != JUST_CFM)
403 set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags); 429 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
404 430
405 /* If both devices have Keyoard-Display I/O, the master 431 /* If both devices have Keyoard-Display I/O, the master
406 * Confirms and the slave Enters the passkey. 432 * Confirms and the slave Enters the passkey.
@@ -419,7 +445,7 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
419 passkey %= 1000000; 445 passkey %= 1000000;
420 put_unaligned_le32(passkey, smp->tk); 446 put_unaligned_le32(passkey, smp->tk);
421 BT_DBG("PassKey: %d", passkey); 447 BT_DBG("PassKey: %d", passkey);
422 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 448 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
423 } 449 }
424 450
425 hci_dev_lock(hcon->hdev); 451 hci_dev_lock(hcon->hdev);
@@ -441,15 +467,13 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
441 return ret; 467 return ret;
442} 468}
443 469
444static void confirm_work(struct work_struct *work) 470static u8 smp_confirm(struct smp_chan *smp)
445{ 471{
446 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
447 struct l2cap_conn *conn = smp->conn; 472 struct l2cap_conn *conn = smp->conn;
448 struct hci_dev *hdev = conn->hcon->hdev; 473 struct hci_dev *hdev = conn->hcon->hdev;
449 struct crypto_blkcipher *tfm = hdev->tfm_aes; 474 struct crypto_blkcipher *tfm = hdev->tfm_aes;
450 struct smp_cmd_pairing_confirm cp; 475 struct smp_cmd_pairing_confirm cp;
451 int ret; 476 int ret;
452 u8 reason;
453 477
454 BT_DBG("conn %p", conn); 478 BT_DBG("conn %p", conn);
455 479
@@ -463,35 +487,27 @@ static void confirm_work(struct work_struct *work)
463 487
464 hci_dev_unlock(hdev); 488 hci_dev_unlock(hdev);
465 489
466 if (ret) { 490 if (ret)
467 reason = SMP_UNSPECIFIED; 491 return SMP_UNSPECIFIED;
468 goto error;
469 }
470 492
471 clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 493 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
472 494
473 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 495 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
474 496
475 return; 497 return 0;
476
477error:
478 smp_failure(conn, reason);
479} 498}
480 499
481static void random_work(struct work_struct *work) 500static u8 smp_random(struct smp_chan *smp)
482{ 501{
483 struct smp_chan *smp = container_of(work, struct smp_chan, random);
484 struct l2cap_conn *conn = smp->conn; 502 struct l2cap_conn *conn = smp->conn;
485 struct hci_conn *hcon = conn->hcon; 503 struct hci_conn *hcon = conn->hcon;
486 struct hci_dev *hdev = hcon->hdev; 504 struct hci_dev *hdev = hcon->hdev;
487 struct crypto_blkcipher *tfm = hdev->tfm_aes; 505 struct crypto_blkcipher *tfm = hdev->tfm_aes;
488 u8 reason, confirm[16]; 506 u8 confirm[16];
489 int ret; 507 int ret;
490 508
491 if (IS_ERR_OR_NULL(tfm)) { 509 if (IS_ERR_OR_NULL(tfm))
492 reason = SMP_UNSPECIFIED; 510 return SMP_UNSPECIFIED;
493 goto error;
494 }
495 511
496 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 512 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
497 513
@@ -504,15 +520,12 @@ static void random_work(struct work_struct *work)
504 520
505 hci_dev_unlock(hdev); 521 hci_dev_unlock(hdev);
506 522
507 if (ret) { 523 if (ret)
508 reason = SMP_UNSPECIFIED; 524 return SMP_UNSPECIFIED;
509 goto error;
510 }
511 525
512 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { 526 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
513 BT_ERR("Pairing failed (confirmation values mismatch)"); 527 BT_ERR("Pairing failed (confirmation values mismatch)");
514 reason = SMP_CONFIRM_FAILED; 528 return SMP_CONFIRM_FAILED;
515 goto error;
516 } 529 }
517 530
518 if (hcon->out) { 531 if (hcon->out) {
@@ -525,10 +538,8 @@ static void random_work(struct work_struct *work)
525 memset(stk + smp->enc_key_size, 0, 538 memset(stk + smp->enc_key_size, 0,
526 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 539 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
527 540
528 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) { 541 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
529 reason = SMP_UNSPECIFIED; 542 return SMP_UNSPECIFIED;
530 goto error;
531 }
532 543
533 hci_le_start_enc(hcon, ediv, rand, stk); 544 hci_le_start_enc(hcon, ediv, rand, stk);
534 hcon->enc_key_size = smp->enc_key_size; 545 hcon->enc_key_size = smp->enc_key_size;
@@ -550,10 +561,7 @@ static void random_work(struct work_struct *work)
550 ediv, rand); 561 ediv, rand);
551 } 562 }
552 563
553 return; 564 return 0;
554
555error:
556 smp_failure(conn, reason);
557} 565}
558 566
559static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 567static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
@@ -564,9 +572,6 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
564 if (!smp) 572 if (!smp)
565 return NULL; 573 return NULL;
566 574
567 INIT_WORK(&smp->confirm, confirm_work);
568 INIT_WORK(&smp->random, random_work);
569
570 smp->conn = conn; 575 smp->conn = conn;
571 conn->smp_chan = smp; 576 conn->smp_chan = smp;
572 conn->hcon->smp_conn = conn; 577 conn->hcon->smp_conn = conn;
@@ -583,7 +588,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
583 588
584 BUG_ON(!smp); 589 BUG_ON(!smp);
585 590
586 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 591 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
587 mgmt_smp_complete(conn->hcon, complete); 592 mgmt_smp_complete(conn->hcon, complete);
588 593
589 kfree(smp->csrk); 594 kfree(smp->csrk);
@@ -634,7 +639,7 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
634 put_unaligned_le32(value, smp->tk); 639 put_unaligned_le32(value, smp->tk);
635 /* Fall Through */ 640 /* Fall Through */
636 case MGMT_OP_USER_CONFIRM_REPLY: 641 case MGMT_OP_USER_CONFIRM_REPLY:
637 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); 642 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
638 break; 643 break;
639 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 644 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
640 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 645 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
@@ -646,8 +651,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
646 } 651 }
647 652
648 /* If it is our turn to send Pairing Confirm, do so now */ 653 /* If it is our turn to send Pairing Confirm, do so now */
649 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags)) 654 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
650 queue_work(hcon->hdev->workqueue, &smp->confirm); 655 u8 rsp = smp_confirm(smp);
656 if (rsp)
657 smp_failure(conn, rsp);
658 }
651 659
652 return 0; 660 return 0;
653} 661}
@@ -656,14 +664,13 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
656{ 664{
657 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 665 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
658 struct smp_chan *smp; 666 struct smp_chan *smp;
659 u8 key_size; 667 u8 key_size, auth;
660 u8 auth = SMP_AUTH_NONE;
661 int ret; 668 int ret;
662 669
663 BT_DBG("conn %p", conn); 670 BT_DBG("conn %p", conn);
664 671
665 if (skb->len < sizeof(*req)) 672 if (skb->len < sizeof(*req))
666 return SMP_UNSPECIFIED; 673 return SMP_INVALID_PARAMS;
667 674
668 if (conn->hcon->link_mode & HCI_LM_MASTER) 675 if (conn->hcon->link_mode & HCI_LM_MASTER)
669 return SMP_CMD_NOTSUPP; 676 return SMP_CMD_NOTSUPP;
@@ -681,8 +688,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
681 skb_pull(skb, sizeof(*req)); 688 skb_pull(skb, sizeof(*req));
682 689
683 /* We didn't start the pairing, so match remote */ 690 /* We didn't start the pairing, so match remote */
684 if (req->auth_req & SMP_AUTH_BONDING) 691 auth = req->auth_req;
685 auth = req->auth_req;
686 692
687 conn->hcon->pending_sec_level = authreq_to_seclevel(auth); 693 conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
688 694
@@ -704,7 +710,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
704 if (ret) 710 if (ret)
705 return SMP_UNSPECIFIED; 711 return SMP_UNSPECIFIED;
706 712
707 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 713 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
708 714
709 return 0; 715 return 0;
710} 716}
@@ -713,14 +719,13 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
713{ 719{
714 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 720 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
715 struct smp_chan *smp = conn->smp_chan; 721 struct smp_chan *smp = conn->smp_chan;
716 struct hci_dev *hdev = conn->hcon->hdev;
717 u8 key_size, auth = SMP_AUTH_NONE; 722 u8 key_size, auth = SMP_AUTH_NONE;
718 int ret; 723 int ret;
719 724
720 BT_DBG("conn %p", conn); 725 BT_DBG("conn %p", conn);
721 726
722 if (skb->len < sizeof(*rsp)) 727 if (skb->len < sizeof(*rsp))
723 return SMP_UNSPECIFIED; 728 return SMP_INVALID_PARAMS;
724 729
725 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 730 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
726 return SMP_CMD_NOTSUPP; 731 return SMP_CMD_NOTSUPP;
@@ -753,11 +758,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
753 if (ret) 758 if (ret)
754 return SMP_UNSPECIFIED; 759 return SMP_UNSPECIFIED;
755 760
756 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 761 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
757 762
758 /* Can't compose response until we have been confirmed */ 763 /* Can't compose response until we have been confirmed */
759 if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) 764 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
760 queue_work(hdev->workqueue, &smp->confirm); 765 return smp_confirm(smp);
761 766
762 return 0; 767 return 0;
763} 768}
@@ -765,12 +770,11 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
765static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 770static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
766{ 771{
767 struct smp_chan *smp = conn->smp_chan; 772 struct smp_chan *smp = conn->smp_chan;
768 struct hci_dev *hdev = conn->hcon->hdev;
769 773
770 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 774 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
771 775
772 if (skb->len < sizeof(smp->pcnf)) 776 if (skb->len < sizeof(smp->pcnf))
773 return SMP_UNSPECIFIED; 777 return SMP_INVALID_PARAMS;
774 778
775 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 779 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
776 skb_pull(skb, sizeof(smp->pcnf)); 780 skb_pull(skb, sizeof(smp->pcnf));
@@ -778,10 +782,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
778 if (conn->hcon->out) 782 if (conn->hcon->out)
779 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 783 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
780 smp->prnd); 784 smp->prnd);
781 else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) 785 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
782 queue_work(hdev->workqueue, &smp->confirm); 786 return smp_confirm(smp);
783 else 787 else
784 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); 788 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
785 789
786 return 0; 790 return 0;
787} 791}
@@ -789,19 +793,16 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
789static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 793static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
790{ 794{
791 struct smp_chan *smp = conn->smp_chan; 795 struct smp_chan *smp = conn->smp_chan;
792 struct hci_dev *hdev = conn->hcon->hdev;
793 796
794 BT_DBG("conn %p", conn); 797 BT_DBG("conn %p", conn);
795 798
796 if (skb->len < sizeof(smp->rrnd)) 799 if (skb->len < sizeof(smp->rrnd))
797 return SMP_UNSPECIFIED; 800 return SMP_INVALID_PARAMS;
798 801
799 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 802 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
800 skb_pull(skb, sizeof(smp->rrnd)); 803 skb_pull(skb, sizeof(smp->rrnd));
801 804
802 queue_work(hdev->workqueue, &smp->random); 805 return smp_random(smp);
803
804 return 0;
805} 806}
806 807
807static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 808static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
@@ -836,7 +837,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
836 BT_DBG("conn %p", conn); 837 BT_DBG("conn %p", conn);
837 838
838 if (skb->len < sizeof(*rp)) 839 if (skb->len < sizeof(*rp))
839 return SMP_UNSPECIFIED; 840 return SMP_INVALID_PARAMS;
840 841
841 if (!(conn->hcon->link_mode & HCI_LM_MASTER)) 842 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
842 return SMP_CMD_NOTSUPP; 843 return SMP_CMD_NOTSUPP;
@@ -861,7 +862,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
861 862
862 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 863 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
863 864
864 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 865 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
865 866
866 return 0; 867 return 0;
867} 868}
@@ -908,10 +909,11 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
908 909
909 authreq = seclevel_to_authreq(sec_level); 910 authreq = seclevel_to_authreq(sec_level);
910 911
911 /* hcon->auth_type is set by pair_device in mgmt.c. If the MITM 912 /* Require MITM if IO Capability allows or the security level
912 * flag is set we should also set it for the SMP request. 913 * requires it.
913 */ 914 */
914 if ((hcon->auth_type & 0x01)) 915 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
916 sec_level > BT_SECURITY_MEDIUM)
915 authreq |= SMP_AUTH_MITM; 917 authreq |= SMP_AUTH_MITM;
916 918
917 if (hcon->link_mode & HCI_LM_MASTER) { 919 if (hcon->link_mode & HCI_LM_MASTER) {
@@ -928,7 +930,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
928 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 930 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
929 } 931 }
930 932
931 set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags); 933 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
932 934
933done: 935done:
934 hcon->pending_sec_level = sec_level; 936 hcon->pending_sec_level = sec_level;
@@ -944,7 +946,7 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
944 BT_DBG("conn %p", conn); 946 BT_DBG("conn %p", conn);
945 947
946 if (skb->len < sizeof(*rp)) 948 if (skb->len < sizeof(*rp))
947 return SMP_UNSPECIFIED; 949 return SMP_INVALID_PARAMS;
948 950
949 /* Ignore this PDU if it wasn't requested */ 951 /* Ignore this PDU if it wasn't requested */
950 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY)) 952 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -969,7 +971,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
969 BT_DBG("conn %p", conn); 971 BT_DBG("conn %p", conn);
970 972
971 if (skb->len < sizeof(*rp)) 973 if (skb->len < sizeof(*rp))
972 return SMP_UNSPECIFIED; 974 return SMP_INVALID_PARAMS;
973 975
974 /* Ignore this PDU if it wasn't requested */ 976 /* Ignore this PDU if it wasn't requested */
975 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY)) 977 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
@@ -1001,7 +1003,7 @@ static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1001 BT_DBG(""); 1003 BT_DBG("");
1002 1004
1003 if (skb->len < sizeof(*info)) 1005 if (skb->len < sizeof(*info))
1004 return SMP_UNSPECIFIED; 1006 return SMP_INVALID_PARAMS;
1005 1007
1006 /* Ignore this PDU if it wasn't requested */ 1008 /* Ignore this PDU if it wasn't requested */
1007 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1009 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1025,7 +1027,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1025 BT_DBG(""); 1027 BT_DBG("");
1026 1028
1027 if (skb->len < sizeof(*info)) 1029 if (skb->len < sizeof(*info))
1028 return SMP_UNSPECIFIED; 1030 return SMP_INVALID_PARAMS;
1029 1031
1030 /* Ignore this PDU if it wasn't requested */ 1032 /* Ignore this PDU if it wasn't requested */
1031 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1033 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
@@ -1075,7 +1077,7 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1075 BT_DBG("conn %p", conn); 1077 BT_DBG("conn %p", conn);
1076 1078
1077 if (skb->len < sizeof(*rp)) 1079 if (skb->len < sizeof(*rp))
1078 return SMP_UNSPECIFIED; 1080 return SMP_INVALID_PARAMS;
1079 1081
1080 /* Ignore this PDU if it wasn't requested */ 1082 /* Ignore this PDU if it wasn't requested */
1081 if (!(smp->remote_key_dist & SMP_DIST_SIGN)) 1083 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
@@ -1358,7 +1360,7 @@ int smp_distribute_keys(struct l2cap_conn *conn)
1358 1360
1359 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1361 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1360 cancel_delayed_work_sync(&conn->security_timer); 1362 cancel_delayed_work_sync(&conn->security_timer);
1361 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags); 1363 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1362 smp_notify_keys(conn); 1364 smp_notify_keys(conn);
1363 1365
1364 smp_chan_destroy(conn); 1366 smp_chan_destroy(conn);
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 1277147a9150..5a8dc36460a1 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -111,39 +111,11 @@ struct smp_cmd_security_req {
111#define SMP_CMD_NOTSUPP 0x07 111#define SMP_CMD_NOTSUPP 0x07
112#define SMP_UNSPECIFIED 0x08 112#define SMP_UNSPECIFIED 0x08
113#define SMP_REPEATED_ATTEMPTS 0x09 113#define SMP_REPEATED_ATTEMPTS 0x09
114#define SMP_INVALID_PARAMS 0x0a
114 115
115#define SMP_MIN_ENC_KEY_SIZE 7 116#define SMP_MIN_ENC_KEY_SIZE 7
116#define SMP_MAX_ENC_KEY_SIZE 16 117#define SMP_MAX_ENC_KEY_SIZE 16
117 118
118#define SMP_FLAG_TK_VALID 1
119#define SMP_FLAG_CFM_PENDING 2
120#define SMP_FLAG_MITM_AUTH 3
121#define SMP_FLAG_COMPLETE 4
122#define SMP_FLAG_INITIATOR 5
123
124struct smp_chan {
125 struct l2cap_conn *conn;
126 u8 preq[7]; /* SMP Pairing Request */
127 u8 prsp[7]; /* SMP Pairing Response */
128 u8 prnd[16]; /* SMP Pairing Random (local) */
129 u8 rrnd[16]; /* SMP Pairing Random (remote) */
130 u8 pcnf[16]; /* SMP Pairing Confirm */
131 u8 tk[16]; /* SMP Temporary Key */
132 u8 enc_key_size;
133 u8 remote_key_dist;
134 bdaddr_t id_addr;
135 u8 id_addr_type;
136 u8 irk[16];
137 struct smp_csrk *csrk;
138 struct smp_csrk *slave_csrk;
139 struct smp_ltk *ltk;
140 struct smp_ltk *slave_ltk;
141 struct smp_irk *remote_irk;
142 unsigned long smp_flags;
143 struct work_struct confirm;
144 struct work_struct random;
145};
146
147/* SMP Commands */ 119/* SMP Commands */
148bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 120bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
149int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 121int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-13 21:15:07 -0500