aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/6lowpan.c10
-rw-r--r--net/bluetooth/hci_core.c71
-rw-r--r--net/bluetooth/hci_event.c11
-rw-r--r--net/bluetooth/l2cap_core.c309
-rw-r--r--net/bluetooth/l2cap_sock.c15
-rw-r--r--net/bluetooth/mgmt.c124
-rw-r--r--net/bluetooth/smp.c726
-rw-r--r--net/bluetooth/smp.h10
-rw-r--r--net/ieee802154/6lowpan_rtnl.c8
-rw-r--r--net/mac80211/cfg.c13
-rw-r--r--net/mac80211/chan.c191
-rw-r--r--net/mac80211/debugfs_sta.c3
-rw-r--r--net/mac80211/ibss.c2
-rw-r--r--net/mac80211/ieee80211_i.h1
-rw-r--r--net/mac80211/key.c12
-rw-r--r--net/mac80211/mesh_pathtbl.c4
-rw-r--r--net/mac80211/mesh_plink.c14
-rw-r--r--net/mac80211/mlme.c33
-rw-r--r--net/mac80211/rx.c2
-rw-r--r--net/mac80211/scan.c2
-rw-r--r--net/mac80211/sta_info.c4
-rw-r--r--net/mac80211/sta_info.h2
-rw-r--r--net/mac80211/tdls.c3
-rw-r--r--net/mac80211/tx.c11
-rw-r--r--net/mac80211/wme.c4
-rw-r--r--net/mac802154/rx.c5
-rw-r--r--net/mac802154/tx.c15
-rw-r--r--net/mac802154/wpan.c10
-rw-r--r--net/wireless/core.c13
-rw-r--r--net/wireless/mlme.c4
-rw-r--r--net/wireless/nl80211.c16
-rw-r--r--net/wireless/scan.c21
32 files changed, 947 insertions, 722 deletions
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 206b65ccd5b8..35ebe79c87b0 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -772,16 +772,16 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
772 ifup(dev->netdev); 772 ifup(dev->netdev);
773} 773}
774 774
775static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *chan) 775static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
776{ 776{
777 struct l2cap_chan *pchan; 777 struct l2cap_chan *chan;
778 778
779 pchan = chan_open(chan); 779 chan = chan_open(pchan);
780 pchan->ops = chan->ops; 780 chan->ops = pchan->ops;
781 781
782 BT_DBG("chan %p pchan %p", chan, pchan); 782 BT_DBG("chan %p pchan %p", chan, pchan);
783 783
784 return pchan; 784 return chan;
785} 785}
786 786
787static void delete_netdev(struct work_struct *work) 787static void delete_netdev(struct work_struct *work)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1d9c29a00568..9b7145959a49 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1898,6 +1898,8 @@ static int __hci_init(struct hci_dev *hdev)
1898 debugfs_create_u16("discov_interleaved_timeout", 0644, 1898 debugfs_create_u16("discov_interleaved_timeout", 0644,
1899 hdev->debugfs, 1899 hdev->debugfs,
1900 &hdev->discov_interleaved_timeout); 1900 &hdev->discov_interleaved_timeout);
1901
1902 smp_register(hdev);
1901 } 1903 }
1902 1904
1903 return 0; 1905 return 0;
@@ -3238,7 +3240,7 @@ struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
3238 } 3240 }
3239 3241
3240 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) { 3242 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
3241 if (smp_irk_matches(hdev->tfm_aes, irk->val, rpa)) { 3243 if (smp_irk_matches(hdev, irk->val, rpa)) {
3242 bacpy(&irk->rpa, rpa); 3244 bacpy(&irk->rpa, rpa);
3243 return irk; 3245 return irk;
3244 } 3246 }
@@ -3892,7 +3894,7 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy,
3892 !bacmp(&hdev->random_addr, &hdev->rpa)) 3894 !bacmp(&hdev->random_addr, &hdev->rpa))
3893 return 0; 3895 return 0;
3894 3896
3895 err = smp_generate_rpa(hdev->tfm_aes, hdev->irk, &hdev->rpa); 3897 err = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);
3896 if (err < 0) { 3898 if (err < 0) {
3897 BT_ERR("%s failed to generate new RPA", hdev->name); 3899 BT_ERR("%s failed to generate new RPA", hdev->name);
3898 return err; 3900 return err;
@@ -4100,18 +4102,9 @@ int hci_register_dev(struct hci_dev *hdev)
4100 4102
4101 dev_set_name(&hdev->dev, "%s", hdev->name); 4103 dev_set_name(&hdev->dev, "%s", hdev->name);
4102 4104
4103 hdev->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0,
4104 CRYPTO_ALG_ASYNC);
4105 if (IS_ERR(hdev->tfm_aes)) {
4106 BT_ERR("Unable to create crypto context");
4107 error = PTR_ERR(hdev->tfm_aes);
4108 hdev->tfm_aes = NULL;
4109 goto err_wqueue;
4110 }
4111
4112 error = device_add(&hdev->dev); 4105 error = device_add(&hdev->dev);
4113 if (error < 0) 4106 if (error < 0)
4114 goto err_tfm; 4107 goto err_wqueue;
4115 4108
4116 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 4109 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
4117 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, 4110 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
@@ -4153,8 +4146,6 @@ int hci_register_dev(struct hci_dev *hdev)
4153 4146
4154 return id; 4147 return id;
4155 4148
4156err_tfm:
4157 crypto_free_blkcipher(hdev->tfm_aes);
4158err_wqueue: 4149err_wqueue:
4159 destroy_workqueue(hdev->workqueue); 4150 destroy_workqueue(hdev->workqueue);
4160 destroy_workqueue(hdev->req_workqueue); 4151 destroy_workqueue(hdev->req_workqueue);
@@ -4206,8 +4197,7 @@ void hci_unregister_dev(struct hci_dev *hdev)
4206 rfkill_destroy(hdev->rfkill); 4197 rfkill_destroy(hdev->rfkill);
4207 } 4198 }
4208 4199
4209 if (hdev->tfm_aes) 4200 smp_unregister(hdev);
4210 crypto_free_blkcipher(hdev->tfm_aes);
4211 4201
4212 device_del(&hdev->dev); 4202 device_del(&hdev->dev);
4213 4203
@@ -5690,3 +5680,52 @@ void hci_update_background_scan(struct hci_dev *hdev)
5690 if (err) 5680 if (err)
5691 BT_ERR("Failed to run HCI request: err %d", err); 5681 BT_ERR("Failed to run HCI request: err %d", err);
5692} 5682}
5683
5684static bool disconnected_whitelist_entries(struct hci_dev *hdev)
5685{
5686 struct bdaddr_list *b;
5687
5688 list_for_each_entry(b, &hdev->whitelist, list) {
5689 struct hci_conn *conn;
5690
5691 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &b->bdaddr);
5692 if (!conn)
5693 return true;
5694
5695 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
5696 return true;
5697 }
5698
5699 return false;
5700}
5701
5702void hci_update_page_scan(struct hci_dev *hdev, struct hci_request *req)
5703{
5704 u8 scan;
5705
5706 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
5707 return;
5708
5709 if (!hdev_is_powered(hdev))
5710 return;
5711
5712 if (mgmt_powering_down(hdev))
5713 return;
5714
5715 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) ||
5716 disconnected_whitelist_entries(hdev))
5717 scan = SCAN_PAGE;
5718 else
5719 scan = SCAN_DISABLED;
5720
5721 if (test_bit(HCI_PSCAN, &hdev->flags) == !!(scan & SCAN_PAGE))
5722 return;
5723
5724 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
5725 scan |= SCAN_INQUIRY;
5726
5727 if (req)
5728 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5729 else
5730 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5731}
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a6000823f0ff..3a99f30a3317 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2071,6 +2071,8 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2071 cp.handle = ev->handle; 2071 cp.handle = ev->handle;
2072 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2072 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2073 sizeof(cp), &cp); 2073 sizeof(cp), &cp);
2074
2075 hci_update_page_scan(hdev, NULL);
2074 } 2076 }
2075 2077
2076 /* Set packet type for incoming connection */ 2078 /* Set packet type for incoming connection */
@@ -2247,9 +2249,12 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2247 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2249 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2248 reason, mgmt_connected); 2250 reason, mgmt_connected);
2249 2251
2250 if (conn->type == ACL_LINK && 2252 if (conn->type == ACL_LINK) {
2251 test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2253 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2252 hci_remove_link_key(hdev, &conn->dst); 2254 hci_remove_link_key(hdev, &conn->dst);
2255
2256 hci_update_page_scan(hdev, NULL);
2257 }
2253 2258
2254 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2259 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2255 if (params) { 2260 if (params) {
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 46547b920f88..4a90438d99df 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -210,6 +210,10 @@ int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{ 210{
211 write_lock(&chan_list_lock); 211 write_lock(&chan_list_lock);
212 212
213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
213 chan->scid = scid; 217 chan->scid = scid;
214 218
215 write_unlock(&chan_list_lock); 219 write_unlock(&chan_list_lock);
@@ -562,6 +566,8 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
562 566
563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
564 568
569 chan->ops->teardown(chan, err);
570
565 if (conn) { 571 if (conn) {
566 struct amp_mgr *mgr = conn->hcon->amp_mgr; 572 struct amp_mgr *mgr = conn->hcon->amp_mgr;
567 /* Delete from channel list */ 573 /* Delete from channel list */
@@ -585,8 +591,6 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
585 amp_disconnect_logical_link(hs_hchan); 591 amp_disconnect_logical_link(hs_hchan);
586 } 592 }
587 593
588 chan->ops->teardown(chan, err);
589
590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
591 return; 595 return;
592 596
@@ -1082,6 +1086,9 @@ static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1082 1086
1083static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1087static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1084{ 1088{
1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1090 return true;
1091
1085 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1086} 1093}
1087 1094
@@ -1417,71 +1424,18 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
1417 mutex_unlock(&conn->chan_lock); 1424 mutex_unlock(&conn->chan_lock);
1418} 1425}
1419 1426
1420/* Find socket with cid and source/destination bdaddr.
1421 * Returns closest match, locked.
1422 */
1423static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1424 bdaddr_t *src,
1425 bdaddr_t *dst)
1426{
1427 struct l2cap_chan *c, *c1 = NULL;
1428
1429 read_lock(&chan_list_lock);
1430
1431 list_for_each_entry(c, &chan_list, global_l) {
1432 if (state && c->state != state)
1433 continue;
1434
1435 if (c->scid == cid) {
1436 int src_match, dst_match;
1437 int src_any, dst_any;
1438
1439 /* Exact match. */
1440 src_match = !bacmp(&c->src, src);
1441 dst_match = !bacmp(&c->dst, dst);
1442 if (src_match && dst_match) {
1443 read_unlock(&chan_list_lock);
1444 return c;
1445 }
1446
1447 /* Closest match */
1448 src_any = !bacmp(&c->src, BDADDR_ANY);
1449 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1450 if ((src_match && dst_any) || (src_any && dst_match) ||
1451 (src_any && dst_any))
1452 c1 = c;
1453 }
1454 }
1455
1456 read_unlock(&chan_list_lock);
1457
1458 return c1;
1459}
1460
1461static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1427static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1462{ 1428{
1463 struct hci_conn *hcon = conn->hcon; 1429 struct hci_conn *hcon = conn->hcon;
1464 struct hci_dev *hdev = hcon->hdev; 1430 struct hci_dev *hdev = hcon->hdev;
1465 struct l2cap_chan *chan, *pchan;
1466 u8 dst_type;
1467 1431
1468 BT_DBG(""); 1432 BT_DBG("%s conn %p", hdev->name, conn);
1469 1433
1470 /* Check if we have socket listening on cid */ 1434 /* For outgoing pairing which doesn't necessarily have an
1471 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT, 1435 * associated socket (e.g. mgmt_pair_device).
1472 &hcon->src, &hcon->dst); 1436 */
1473 if (!pchan) 1437 if (hcon->out)
1474 return; 1438 smp_conn_security(hcon, hcon->pending_sec_level);
1475
1476 /* Client ATT sockets should override the server one */
1477 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1478 return;
1479
1480 dst_type = bdaddr_type(hcon, hcon->dst_type);
1481
1482 /* If device is blocked, do not create a channel for it */
1483 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
1484 return;
1485 1439
1486 /* For LE slave connections, make sure the connection interval 1440 /* For LE slave connections, make sure the connection interval
1487 * is in the range of the minium and maximum interval that has 1441 * is in the range of the minium and maximum interval that has
@@ -1501,22 +1455,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1501 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1455 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1502 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1456 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1503 } 1457 }
1504
1505 l2cap_chan_lock(pchan);
1506
1507 chan = pchan->ops->new_connection(pchan);
1508 if (!chan)
1509 goto clean;
1510
1511 bacpy(&chan->src, &hcon->src);
1512 bacpy(&chan->dst, &hcon->dst);
1513 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1514 chan->dst_type = dst_type;
1515
1516 __l2cap_chan_add(conn, chan);
1517
1518clean:
1519 l2cap_chan_unlock(pchan);
1520} 1458}
1521 1459
1522static void l2cap_conn_ready(struct l2cap_conn *conn) 1460static void l2cap_conn_ready(struct l2cap_conn *conn)
@@ -1526,17 +1464,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1526 1464
1527 BT_DBG("conn %p", conn); 1465 BT_DBG("conn %p", conn);
1528 1466
1529 /* For outgoing pairing which doesn't necessarily have an
1530 * associated socket (e.g. mgmt_pair_device).
1531 */
1532 if (hcon->out && hcon->type == LE_LINK)
1533 smp_conn_security(hcon, hcon->pending_sec_level);
1534
1535 mutex_lock(&conn->chan_lock); 1467 mutex_lock(&conn->chan_lock);
1536 1468
1537 if (hcon->type == LE_LINK)
1538 l2cap_le_conn_ready(conn);
1539
1540 list_for_each_entry(chan, &conn->chan_l, list) { 1469 list_for_each_entry(chan, &conn->chan_l, list) {
1541 1470
1542 l2cap_chan_lock(chan); 1471 l2cap_chan_lock(chan);
@@ -1560,6 +1489,9 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
1560 1489
1561 mutex_unlock(&conn->chan_lock); 1490 mutex_unlock(&conn->chan_lock);
1562 1491
1492 if (hcon->type == LE_LINK)
1493 l2cap_le_conn_ready(conn);
1494
1563 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1495 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1564} 1496}
1565 1497
@@ -1695,6 +1627,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1695 if (work_pending(&conn->pending_rx_work)) 1627 if (work_pending(&conn->pending_rx_work))
1696 cancel_work_sync(&conn->pending_rx_work); 1628 cancel_work_sync(&conn->pending_rx_work);
1697 1629
1630 if (work_pending(&conn->disconn_work))
1631 cancel_work_sync(&conn->disconn_work);
1632
1698 l2cap_unregister_all_users(conn); 1633 l2cap_unregister_all_users(conn);
1699 1634
1700 mutex_lock(&conn->chan_lock); 1635 mutex_lock(&conn->chan_lock);
@@ -1719,27 +1654,29 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1719 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1720 cancel_delayed_work_sync(&conn->info_timer); 1655 cancel_delayed_work_sync(&conn->info_timer);
1721 1656
1722 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1723 cancel_delayed_work_sync(&conn->security_timer);
1724 smp_chan_destroy(conn);
1725 }
1726
1727 hcon->l2cap_data = NULL; 1657 hcon->l2cap_data = NULL;
1728 conn->hchan = NULL; 1658 conn->hchan = NULL;
1729 l2cap_conn_put(conn); 1659 l2cap_conn_put(conn);
1730} 1660}
1731 1661
1732static void security_timeout(struct work_struct *work) 1662static void disconn_work(struct work_struct *work)
1733{ 1663{
1734 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1664 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1735 security_timer.work); 1665 disconn_work);
1736 1666
1737 BT_DBG("conn %p", conn); 1667 BT_DBG("conn %p", conn);
1738 1668
1739 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) { 1669 l2cap_conn_del(conn->hcon, conn->disconn_err);
1740 smp_chan_destroy(conn); 1670}
1741 l2cap_conn_del(conn->hcon, ETIMEDOUT); 1671
1742 } 1672void l2cap_conn_shutdown(struct l2cap_conn *conn, int err)
1673{
1674 struct hci_dev *hdev = conn->hcon->hdev;
1675
1676 BT_DBG("conn %p err %d", conn, err);
1677
1678 conn->disconn_err = err;
1679 queue_work(hdev->workqueue, &conn->disconn_work);
1743} 1680}
1744 1681
1745static void l2cap_conn_free(struct kref *ref) 1682static void l2cap_conn_free(struct kref *ref)
@@ -1794,6 +1731,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1794 src_match = !bacmp(&c->src, src); 1731 src_match = !bacmp(&c->src, src);
1795 dst_match = !bacmp(&c->dst, dst); 1732 dst_match = !bacmp(&c->dst, dst);
1796 if (src_match && dst_match) { 1733 if (src_match && dst_match) {
1734 l2cap_chan_hold(c);
1797 read_unlock(&chan_list_lock); 1735 read_unlock(&chan_list_lock);
1798 return c; 1736 return c;
1799 } 1737 }
@@ -1807,6 +1745,9 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1807 } 1745 }
1808 } 1746 }
1809 1747
1748 if (c1)
1749 l2cap_chan_hold(c1);
1750
1810 read_unlock(&chan_list_lock); 1751 read_unlock(&chan_list_lock);
1811 1752
1812 return c1; 1753 return c1;
@@ -2027,10 +1968,12 @@ static void l2cap_ertm_resend(struct l2cap_chan *chan)
2027 tx_skb->data + L2CAP_HDR_SIZE); 1968 tx_skb->data + L2CAP_HDR_SIZE);
2028 } 1969 }
2029 1970
1971 /* Update FCS */
2030 if (chan->fcs == L2CAP_FCS_CRC16) { 1972 if (chan->fcs == L2CAP_FCS_CRC16) {
2031 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len); 1973 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2032 put_unaligned_le16(fcs, skb_put(tx_skb, 1974 tx_skb->len - L2CAP_FCS_SIZE);
2033 L2CAP_FCS_SIZE)); 1975 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1976 L2CAP_FCS_SIZE);
2034 } 1977 }
2035 1978
2036 l2cap_do_send(chan, tx_skb); 1979 l2cap_do_send(chan, tx_skb);
@@ -2334,7 +2277,6 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
2334 } else { 2277 } else {
2335 sar = L2CAP_SAR_START; 2278 sar = L2CAP_SAR_START;
2336 sdu_len = len; 2279 sdu_len = len;
2337 pdu_len -= L2CAP_SDULEN_SIZE;
2338 } 2280 }
2339 2281
2340 while (len > 0) { 2282 while (len > 0) {
@@ -2349,10 +2291,8 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
2349 __skb_queue_tail(seg_queue, skb); 2291 __skb_queue_tail(seg_queue, skb);
2350 2292
2351 len -= pdu_len; 2293 len -= pdu_len;
2352 if (sdu_len) { 2294 if (sdu_len)
2353 sdu_len = 0; 2295 sdu_len = 0;
2354 pdu_len += L2CAP_SDULEN_SIZE;
2355 }
2356 2296
2357 if (len <= pdu_len) { 2297 if (len <= pdu_len) {
2358 sar = L2CAP_SAR_END; 2298 sar = L2CAP_SAR_END;
@@ -3884,6 +3824,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3884response: 3824response:
3885 l2cap_chan_unlock(pchan); 3825 l2cap_chan_unlock(pchan);
3886 mutex_unlock(&conn->chan_lock); 3826 mutex_unlock(&conn->chan_lock);
3827 l2cap_chan_put(pchan);
3887 3828
3888sendresp: 3829sendresp:
3889 rsp.scid = cpu_to_le16(scid); 3830 rsp.scid = cpu_to_le16(scid);
@@ -5497,6 +5438,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
5497response_unlock: 5438response_unlock:
5498 l2cap_chan_unlock(pchan); 5439 l2cap_chan_unlock(pchan);
5499 mutex_unlock(&conn->chan_lock); 5440 mutex_unlock(&conn->chan_lock);
5441 l2cap_chan_put(pchan);
5500 5442
5501 if (result == L2CAP_CR_PEND) 5443 if (result == L2CAP_CR_PEND)
5502 return 0; 5444 return 0;
@@ -6845,12 +6787,12 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6845 struct l2cap_chan *chan; 6787 struct l2cap_chan *chan;
6846 6788
6847 if (hcon->type != ACL_LINK) 6789 if (hcon->type != ACL_LINK)
6848 goto drop; 6790 goto free_skb;
6849 6791
6850 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 6792 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6851 ACL_LINK); 6793 ACL_LINK);
6852 if (!chan) 6794 if (!chan)
6853 goto drop; 6795 goto free_skb;
6854 6796
6855 BT_DBG("chan %p, len %d", chan, skb->len); 6797 BT_DBG("chan %p, len %d", chan, skb->len);
6856 6798
@@ -6864,36 +6806,14 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6864 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst); 6806 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
6865 bt_cb(skb)->psm = psm; 6807 bt_cb(skb)->psm = psm;
6866 6808
6867 if (!chan->ops->recv(chan, skb)) 6809 if (!chan->ops->recv(chan, skb)) {
6868 return; 6810 l2cap_chan_put(chan);
6869
6870drop:
6871 kfree_skb(skb);
6872}
6873
6874static void l2cap_att_channel(struct l2cap_conn *conn,
6875 struct sk_buff *skb)
6876{
6877 struct hci_conn *hcon = conn->hcon;
6878 struct l2cap_chan *chan;
6879
6880 if (hcon->type != LE_LINK)
6881 goto drop;
6882
6883 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
6884 &hcon->src, &hcon->dst);
6885 if (!chan)
6886 goto drop;
6887
6888 BT_DBG("chan %p, len %d", chan, skb->len);
6889
6890 if (chan->imtu < skb->len)
6891 goto drop;
6892
6893 if (!chan->ops->recv(chan, skb))
6894 return; 6811 return;
6812 }
6895 6813
6896drop: 6814drop:
6815 l2cap_chan_put(chan);
6816free_skb:
6897 kfree_skb(skb); 6817 kfree_skb(skb);
6898} 6818}
6899 6819
@@ -6942,19 +6862,10 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6942 l2cap_conless_channel(conn, psm, skb); 6862 l2cap_conless_channel(conn, psm, skb);
6943 break; 6863 break;
6944 6864
6945 case L2CAP_CID_ATT:
6946 l2cap_att_channel(conn, skb);
6947 break;
6948
6949 case L2CAP_CID_LE_SIGNALING: 6865 case L2CAP_CID_LE_SIGNALING:
6950 l2cap_le_sig_channel(conn, skb); 6866 l2cap_le_sig_channel(conn, skb);
6951 break; 6867 break;
6952 6868
6953 case L2CAP_CID_SMP:
6954 if (smp_sig_channel(conn, skb))
6955 l2cap_conn_del(conn->hcon, EACCES);
6956 break;
6957
6958 default: 6869 default:
6959 l2cap_data_channel(conn, cid, skb); 6870 l2cap_data_channel(conn, cid, skb);
6960 break; 6871 break;
@@ -7023,10 +6934,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7023 INIT_LIST_HEAD(&conn->chan_l); 6934 INIT_LIST_HEAD(&conn->chan_l);
7024 INIT_LIST_HEAD(&conn->users); 6935 INIT_LIST_HEAD(&conn->users);
7025 6936
7026 if (hcon->type == LE_LINK) 6937 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7027 INIT_DELAYED_WORK(&conn->security_timer, security_timeout); 6938
7028 else 6939 INIT_WORK(&conn->disconn_work, disconn_work);
7029 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7030 6940
7031 skb_queue_head_init(&conn->pending_rx); 6941 skb_queue_head_init(&conn->pending_rx);
7032 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 6942 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
@@ -7239,19 +7149,99 @@ int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7239 return exact ? lm1 : lm2; 7149 return exact ? lm1 : lm2;
7240} 7150}
7241 7151
7152/* Find the next fixed channel in BT_LISTEN state, continue iteration
7153 * from an existing channel in the list or from the beginning of the
7154 * global list (by passing NULL as first parameter).
7155 */
7156static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7157 bdaddr_t *src, u8 link_type)
7158{
7159 read_lock(&chan_list_lock);
7160
7161 if (c)
7162 c = list_next_entry(c, global_l);
7163 else
7164 c = list_entry(chan_list.next, typeof(*c), global_l);
7165
7166 list_for_each_entry_from(c, &chan_list, global_l) {
7167 if (c->chan_type != L2CAP_CHAN_FIXED)
7168 continue;
7169 if (c->state != BT_LISTEN)
7170 continue;
7171 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7172 continue;
7173 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7174 continue;
7175 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7176 continue;
7177
7178 l2cap_chan_hold(c);
7179 read_unlock(&chan_list_lock);
7180 return c;
7181 }
7182
7183 read_unlock(&chan_list_lock);
7184
7185 return NULL;
7186}
7187
7242void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7188void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7243{ 7189{
7190 struct hci_dev *hdev = hcon->hdev;
7244 struct l2cap_conn *conn; 7191 struct l2cap_conn *conn;
7192 struct l2cap_chan *pchan;
7193 u8 dst_type;
7245 7194
7246 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7195 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7247 7196
7248 if (!status) { 7197 if (status) {
7249 conn = l2cap_conn_add(hcon);
7250 if (conn)
7251 l2cap_conn_ready(conn);
7252 } else {
7253 l2cap_conn_del(hcon, bt_to_errno(status)); 7198 l2cap_conn_del(hcon, bt_to_errno(status));
7199 return;
7254 } 7200 }
7201
7202 conn = l2cap_conn_add(hcon);
7203 if (!conn)
7204 return;
7205
7206 dst_type = bdaddr_type(hcon, hcon->dst_type);
7207
7208 /* If device is blocked, do not create channels for it */
7209 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7210 return;
7211
7212 /* Find fixed channels and notify them of the new connection. We
7213 * use multiple individual lookups, continuing each time where
7214 * we left off, because the list lock would prevent calling the
7215 * potentially sleeping l2cap_chan_lock() function.
7216 */
7217 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
7218 while (pchan) {
7219 struct l2cap_chan *chan, *next;
7220
7221 /* Client fixed channels should override server ones */
7222 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7223 goto next;
7224
7225 l2cap_chan_lock(pchan);
7226 chan = pchan->ops->new_connection(pchan);
7227 if (chan) {
7228 bacpy(&chan->src, &hcon->src);
7229 bacpy(&chan->dst, &hcon->dst);
7230 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7231 chan->dst_type = dst_type;
7232
7233 __l2cap_chan_add(conn, chan);
7234 }
7235
7236 l2cap_chan_unlock(pchan);
7237next:
7238 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7239 hcon->type);
7240 l2cap_chan_put(pchan);
7241 pchan = next;
7242 }
7243
7244 l2cap_conn_ready(conn);
7255} 7245}
7256 7246
7257int l2cap_disconn_ind(struct hci_conn *hcon) 7247int l2cap_disconn_ind(struct hci_conn *hcon)
@@ -7299,12 +7289,6 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7299 7289
7300 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 7290 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7301 7291
7302 if (hcon->type == LE_LINK) {
7303 if (!status && encrypt)
7304 smp_distribute_keys(conn);
7305 cancel_delayed_work(&conn->security_timer);
7306 }
7307
7308 mutex_lock(&conn->chan_lock); 7292 mutex_lock(&conn->chan_lock);
7309 7293
7310 list_for_each_entry(chan, &conn->chan_l, list) { 7294 list_for_each_entry(chan, &conn->chan_l, list) {
@@ -7318,15 +7302,8 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7318 continue; 7302 continue;
7319 } 7303 }
7320 7304
7321 if (chan->scid == L2CAP_CID_ATT) { 7305 if (!status && encrypt)
7322 if (!status && encrypt) { 7306 chan->sec_level = hcon->sec_level;
7323 chan->sec_level = hcon->sec_level;
7324 l2cap_chan_ready(chan);
7325 }
7326
7327 l2cap_chan_unlock(chan);
7328 continue;
7329 }
7330 7307
7331 if (!__l2cap_no_conn_pending(chan)) { 7308 if (!__l2cap_no_conn_pending(chan)) {
7332 l2cap_chan_unlock(chan); 7309 l2cap_chan_unlock(chan);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1884f72083c2..ed06f88e6f10 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -99,15 +99,6 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 99 if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
100 return -EINVAL; 100 return -EINVAL;
101 101
102 if (la.l2_cid) {
103 /* When the socket gets created it defaults to
104 * CHAN_CONN_ORIENTED, so we need to overwrite the
105 * default here.
106 */
107 chan->chan_type = L2CAP_CHAN_FIXED;
108 chan->omtu = L2CAP_DEFAULT_MTU;
109 }
110
111 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 102 if (bdaddr_type_is_le(la.l2_bdaddr_type)) {
112 /* We only allow ATT user space socket */ 103 /* We only allow ATT user space socket */
113 if (la.l2_cid && 104 if (la.l2_cid &&
@@ -790,6 +781,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
790 if (chan->scid == L2CAP_CID_ATT) { 781 if (chan->scid == L2CAP_CID_ATT) {
791 if (smp_conn_security(conn->hcon, sec.level)) 782 if (smp_conn_security(conn->hcon, sec.level))
792 break; 783 break;
784 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
793 sk->sk_state = BT_CONFIG; 785 sk->sk_state = BT_CONFIG;
794 chan->state = BT_CONFIG; 786 chan->state = BT_CONFIG;
795 787
@@ -1359,6 +1351,11 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
1359{ 1351{
1360 struct sock *sk = chan->data; 1352 struct sock *sk = chan->data;
1361 1353
1354 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
1355 sk->sk_state = BT_CONNECTED;
1356 chan->state = BT_CONNECTED;
1357 }
1358
1362 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1359 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
1363 sk->sk_state_change(sk); 1360 sk->sk_state_change(sk);
1364} 1361}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index b8554d429d88..c2457435a670 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -129,9 +129,6 @@ static const u16 mgmt_events[] = {
129 129
130#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000) 130#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000)
131 131
132#define hdev_is_powered(hdev) (test_bit(HCI_UP, &hdev->flags) && \
133 !test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
134
135struct pending_cmd { 132struct pending_cmd {
136 struct list_head list; 133 struct list_head list;
137 u16 opcode; 134 u16 opcode;
@@ -1536,9 +1533,11 @@ static void set_discoverable_complete(struct hci_dev *hdev, u8 status)
1536 1533
1537 /* When the discoverable mode gets changed, make sure 1534 /* When the discoverable mode gets changed, make sure
1538 * that class of device has the limited discoverable 1535 * that class of device has the limited discoverable
1539 * bit correctly set. 1536 * bit correctly set. Also update page scan based on whitelist
1537 * entries.
1540 */ 1538 */
1541 hci_req_init(&req, hdev); 1539 hci_req_init(&req, hdev);
1540 hci_update_page_scan(hdev, &req);
1542 update_class(&req); 1541 update_class(&req);
1543 hci_req_run(&req, NULL); 1542 hci_req_run(&req, NULL);
1544 1543
@@ -1785,6 +1784,7 @@ static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1785 1784
1786 if (conn_changed || discov_changed) { 1785 if (conn_changed || discov_changed) {
1787 new_settings(hdev, cmd->sk); 1786 new_settings(hdev, cmd->sk);
1787 hci_update_page_scan(hdev, NULL);
1788 if (discov_changed) 1788 if (discov_changed)
1789 mgmt_update_adv_data(hdev); 1789 mgmt_update_adv_data(hdev);
1790 hci_update_background_scan(hdev); 1790 hci_update_background_scan(hdev);
@@ -1818,6 +1818,7 @@ static int set_connectable_update_settings(struct hci_dev *hdev,
1818 return err; 1818 return err;
1819 1819
1820 if (changed) { 1820 if (changed) {
1821 hci_update_page_scan(hdev, NULL);
1821 hci_update_background_scan(hdev); 1822 hci_update_background_scan(hdev);
1822 return new_settings(hdev, sk); 1823 return new_settings(hdev, sk);
1823 } 1824 }
@@ -4381,27 +4382,6 @@ unlock:
4381 return err; 4382 return err;
4382} 4383}
4383 4384
4384static void set_bredr_scan(struct hci_request *req)
4385{
4386 struct hci_dev *hdev = req->hdev;
4387 u8 scan = 0;
4388
4389 /* Ensure that fast connectable is disabled. This function will
4390 * not do anything if the page scan parameters are already what
4391 * they should be.
4392 */
4393 write_fast_connectable(req, false);
4394
4395 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) ||
4396 !list_empty(&hdev->whitelist))
4397 scan |= SCAN_PAGE;
4398 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
4399 scan |= SCAN_INQUIRY;
4400
4401 if (scan)
4402 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
4403}
4404
4405static void set_bredr_complete(struct hci_dev *hdev, u8 status) 4385static void set_bredr_complete(struct hci_dev *hdev, u8 status)
4406{ 4386{
4407 struct pending_cmd *cmd; 4387 struct pending_cmd *cmd;
@@ -4507,9 +4487,8 @@ static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4507 4487
4508 hci_req_init(&req, hdev); 4488 hci_req_init(&req, hdev);
4509 4489
4510 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags) || 4490 write_fast_connectable(&req, false);
4511 !list_empty(&hdev->whitelist)) 4491 hci_update_page_scan(hdev, &req);
4512 set_bredr_scan(&req);
4513 4492
4514 /* Since only the advertising data flags will change, there 4493 /* Since only the advertising data flags will change, there
4515 * is no need to update the scan response data. 4494 * is no need to update the scan response data.
@@ -5235,27 +5214,6 @@ unlock:
5235 return err; 5214 return err;
5236} 5215}
5237 5216
5238/* Helper for Add/Remove Device commands */
5239static void update_page_scan(struct hci_dev *hdev, u8 scan)
5240{
5241 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
5242 return;
5243
5244 if (!hdev_is_powered(hdev))
5245 return;
5246
5247 /* If HCI_CONNECTABLE is set then Add/Remove Device should not
5248 * make any changes to page scanning.
5249 */
5250 if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
5251 return;
5252
5253 if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
5254 scan |= SCAN_INQUIRY;
5255
5256 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
5257}
5258
5259static void device_added(struct sock *sk, struct hci_dev *hdev, 5217static void device_added(struct sock *sk, struct hci_dev *hdev,
5260 bdaddr_t *bdaddr, u8 type, u8 action) 5218 bdaddr_t *bdaddr, u8 type, u8 action)
5261{ 5219{
@@ -5291,8 +5249,6 @@ static int add_device(struct sock *sk, struct hci_dev *hdev,
5291 hci_dev_lock(hdev); 5249 hci_dev_lock(hdev);
5292 5250
5293 if (cp->addr.type == BDADDR_BREDR) { 5251 if (cp->addr.type == BDADDR_BREDR) {
5294 bool update_scan;
5295
5296 /* Only incoming connections action is supported for now */ 5252 /* Only incoming connections action is supported for now */
5297 if (cp->action != 0x01) { 5253 if (cp->action != 0x01) {
5298 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE, 5254 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
@@ -5301,15 +5257,12 @@ static int add_device(struct sock *sk, struct hci_dev *hdev,
5301 goto unlock; 5257 goto unlock;
5302 } 5258 }
5303 5259
5304 update_scan = list_empty(&hdev->whitelist);
5305
5306 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr, 5260 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5307 cp->addr.type); 5261 cp->addr.type);
5308 if (err) 5262 if (err)
5309 goto unlock; 5263 goto unlock;
5310 5264
5311 if (update_scan) 5265 hci_update_page_scan(hdev, NULL);
5312 update_page_scan(hdev, SCAN_PAGE);
5313 5266
5314 goto added; 5267 goto added;
5315 } 5268 }
@@ -5392,8 +5345,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
5392 goto unlock; 5345 goto unlock;
5393 } 5346 }
5394 5347
5395 if (list_empty(&hdev->whitelist)) 5348 hci_update_page_scan(hdev, NULL);
5396 update_page_scan(hdev, SCAN_DISABLED);
5397 5349
5398 device_removed(sk, hdev, &cp->addr.bdaddr, 5350 device_removed(sk, hdev, &cp->addr.bdaddr,
5399 cp->addr.type); 5351 cp->addr.type);
@@ -5444,7 +5396,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev,
5444 kfree(b); 5396 kfree(b);
5445 } 5397 }
5446 5398
5447 update_page_scan(hdev, SCAN_DISABLED); 5399 hci_update_page_scan(hdev, NULL);
5448 5400
5449 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) { 5401 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5450 if (p->auto_connect == HCI_AUTO_CONN_DISABLED) 5402 if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
@@ -5969,8 +5921,8 @@ static int powered_update_hci(struct hci_dev *hdev)
5969 sizeof(link_sec), &link_sec); 5921 sizeof(link_sec), &link_sec);
5970 5922
5971 if (lmp_bredr_capable(hdev)) { 5923 if (lmp_bredr_capable(hdev)) {
5972 if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) 5924 write_fast_connectable(&req, false);
5973 set_bredr_scan(&req); 5925 hci_update_page_scan(hdev, &req);
5974 update_class(&req); 5926 update_class(&req);
5975 update_name(&req); 5927 update_name(&req);
5976 update_eir(&req); 5928 update_eir(&req);
@@ -6281,25 +6233,35 @@ static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
6281 mgmt_pending_remove(cmd); 6233 mgmt_pending_remove(cmd);
6282} 6234}
6283 6235
6236bool mgmt_powering_down(struct hci_dev *hdev)
6237{
6238 struct pending_cmd *cmd;
6239 struct mgmt_mode *cp;
6240
6241 cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6242 if (!cmd)
6243 return false;
6244
6245 cp = cmd->param;
6246 if (!cp->val)
6247 return true;
6248
6249 return false;
6250}
6251
6284void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr, 6252void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
6285 u8 link_type, u8 addr_type, u8 reason, 6253 u8 link_type, u8 addr_type, u8 reason,
6286 bool mgmt_connected) 6254 bool mgmt_connected)
6287{ 6255{
6288 struct mgmt_ev_device_disconnected ev; 6256 struct mgmt_ev_device_disconnected ev;
6289 struct pending_cmd *power_off;
6290 struct sock *sk = NULL; 6257 struct sock *sk = NULL;
6291 6258
6292 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev); 6259 /* The connection is still in hci_conn_hash so test for 1
6293 if (power_off) { 6260 * instead of 0 to know if this is the last one.
6294 struct mgmt_mode *cp = power_off->param; 6261 */
6295 6262 if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6296 /* The connection is still in hci_conn_hash so test for 1 6263 cancel_delayed_work(&hdev->power_off);
6297 * instead of 0 to know if this is the last one. 6264 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6298 */
6299 if (!cp->val && hci_conn_count(hdev) == 1) {
6300 cancel_delayed_work(&hdev->power_off);
6301 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6302 }
6303 } 6265 }
6304 6266
6305 if (!mgmt_connected) 6267 if (!mgmt_connected)
@@ -6359,19 +6321,13 @@ void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6359 u8 addr_type, u8 status) 6321 u8 addr_type, u8 status)
6360{ 6322{
6361 struct mgmt_ev_connect_failed ev; 6323 struct mgmt_ev_connect_failed ev;
6362 struct pending_cmd *power_off;
6363
6364 power_off = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6365 if (power_off) {
6366 struct mgmt_mode *cp = power_off->param;
6367 6324
6368 /* The connection is still in hci_conn_hash so test for 1 6325 /* The connection is still in hci_conn_hash so test for 1
6369 * instead of 0 to know if this is the last one. 6326 * instead of 0 to know if this is the last one.
6370 */ 6327 */
6371 if (!cp->val && hci_conn_count(hdev) == 1) { 6328 if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6372 cancel_delayed_work(&hdev->power_off); 6329 cancel_delayed_work(&hdev->power_off);
6373 queue_work(hdev->req_workqueue, &hdev->power_off.work); 6330 queue_work(hdev->req_workqueue, &hdev->power_off.work);
6374 }
6375 } 6331 }
6376 6332
6377 bacpy(&ev.addr.bdaddr, bdaddr); 6333 bacpy(&ev.addr.bdaddr, bdaddr);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index fd3294300803..07ca4ce0943b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -44,7 +44,10 @@ enum {
44}; 44};
45 45
46struct smp_chan { 46struct smp_chan {
47 struct l2cap_conn *conn; 47 struct l2cap_conn *conn;
48 struct delayed_work security_timer;
49 struct work_struct distribute_work;
50
48 u8 preq[7]; /* SMP Pairing Request */ 51 u8 preq[7]; /* SMP Pairing Request */
49 u8 prsp[7]; /* SMP Pairing Response */ 52 u8 prsp[7]; /* SMP Pairing Response */
50 u8 prnd[16]; /* SMP Pairing Random (local) */ 53 u8 prnd[16]; /* SMP Pairing Random (local) */
@@ -139,12 +142,18 @@ static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
139 return 0; 142 return 0;
140} 143}
141 144
142bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16], 145bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
143 bdaddr_t *bdaddr)
144{ 146{
147 struct l2cap_chan *chan = hdev->smp_data;
148 struct crypto_blkcipher *tfm;
145 u8 hash[3]; 149 u8 hash[3];
146 int err; 150 int err;
147 151
152 if (!chan || !chan->data)
153 return false;
154
155 tfm = chan->data;
156
148 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 157 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
149 158
150 err = smp_ah(tfm, irk, &bdaddr->b[3], hash); 159 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
@@ -154,10 +163,17 @@ bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
154 return !memcmp(bdaddr->b, hash, 3); 163 return !memcmp(bdaddr->b, hash, 3);
155} 164}
156 165
157int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa) 166int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
158{ 167{
168 struct l2cap_chan *chan = hdev->smp_data;
169 struct crypto_blkcipher *tfm;
159 int err; 170 int err;
160 171
172 if (!chan || !chan->data)
173 return -EOPNOTSUPP;
174
175 tfm = chan->data;
176
161 get_random_bytes(&rpa->b[3], 3); 177 get_random_bytes(&rpa->b[3], 3);
162 178
163 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 179 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
@@ -235,47 +251,39 @@ static int smp_s1(struct smp_chan *smp, u8 k[16], u8 r1[16], u8 r2[16],
235 return err; 251 return err;
236} 252}
237 253
238static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code, 254static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
239 u16 dlen, void *data)
240{ 255{
241 struct sk_buff *skb; 256 struct l2cap_chan *chan = conn->smp;
242 struct l2cap_hdr *lh; 257 struct smp_chan *smp;
243 int len; 258 struct kvec iv[2];
244 259 struct msghdr msg;
245 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
246
247 if (len > conn->mtu)
248 return NULL;
249 260
250 skb = bt_skb_alloc(len, GFP_ATOMIC); 261 if (!chan)
251 if (!skb) 262 return;
252 return NULL;
253 263
254 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 264 BT_DBG("code 0x%2.2x", code);
255 lh->len = cpu_to_le16(sizeof(code) + dlen);
256 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
257 265
258 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code)); 266 iv[0].iov_base = &code;
267 iv[0].iov_len = 1;
259 268
260 memcpy(skb_put(skb, dlen), data, dlen); 269 iv[1].iov_base = data;
270 iv[1].iov_len = len;
261 271
262 return skb; 272 memset(&msg, 0, sizeof(msg));
263}
264 273
265static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 274 msg.msg_iov = (struct iovec *) &iv;
266{ 275 msg.msg_iovlen = 2;
267 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
268 276
269 BT_DBG("code 0x%2.2x", code); 277 l2cap_chan_send(chan, &msg, 1 + len);
270 278
271 if (!skb) 279 if (!chan->data)
272 return; 280 return;
273 281
274 skb->priority = HCI_PRIO_MAX; 282 smp = chan->data;
275 hci_send_acl(conn->hchan, skb, 0);
276 283
277 cancel_delayed_work_sync(&conn->security_timer); 284 cancel_delayed_work_sync(&smp->security_timer);
278 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT); 285 if (test_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
286 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
279} 287}
280 288
281static __u8 authreq_to_seclevel(__u8 authreq) 289static __u8 authreq_to_seclevel(__u8 authreq)
@@ -302,7 +310,8 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
302 struct smp_cmd_pairing *req, 310 struct smp_cmd_pairing *req,
303 struct smp_cmd_pairing *rsp, __u8 authreq) 311 struct smp_cmd_pairing *rsp, __u8 authreq)
304{ 312{
305 struct smp_chan *smp = conn->smp_chan; 313 struct l2cap_chan *chan = conn->smp;
314 struct smp_chan *smp = chan->data;
306 struct hci_conn *hcon = conn->hcon; 315 struct hci_conn *hcon = conn->hcon;
307 struct hci_dev *hdev = hcon->hdev; 316 struct hci_dev *hdev = hcon->hdev;
308 u8 local_dist = 0, remote_dist = 0; 317 u8 local_dist = 0, remote_dist = 0;
@@ -345,7 +354,8 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
345 354
346static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 355static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
347{ 356{
348 struct smp_chan *smp = conn->smp_chan; 357 struct l2cap_chan *chan = conn->smp;
358 struct smp_chan *smp = chan->data;
349 359
350 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) || 360 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
351 (max_key_size < SMP_MIN_ENC_KEY_SIZE)) 361 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
@@ -356,9 +366,61 @@ static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
356 return 0; 366 return 0;
357} 367}
358 368
369static void smp_chan_destroy(struct l2cap_conn *conn)
370{
371 struct l2cap_chan *chan = conn->smp;
372 struct smp_chan *smp = chan->data;
373 bool complete;
374
375 BUG_ON(!smp);
376
377 cancel_delayed_work_sync(&smp->security_timer);
378 /* In case the timeout freed the SMP context */
379 if (!chan->data)
380 return;
381
382 if (work_pending(&smp->distribute_work)) {
383 cancel_work_sync(&smp->distribute_work);
384 if (!chan->data)
385 return;
386 }
387
388 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
389 mgmt_smp_complete(conn->hcon, complete);
390
391 kfree(smp->csrk);
392 kfree(smp->slave_csrk);
393
394 crypto_free_blkcipher(smp->tfm_aes);
395
396 /* If pairing failed clean up any keys we might have */
397 if (!complete) {
398 if (smp->ltk) {
399 list_del(&smp->ltk->list);
400 kfree(smp->ltk);
401 }
402
403 if (smp->slave_ltk) {
404 list_del(&smp->slave_ltk->list);
405 kfree(smp->slave_ltk);
406 }
407
408 if (smp->remote_irk) {
409 list_del(&smp->remote_irk->list);
410 kfree(smp->remote_irk);
411 }
412 }
413
414 chan->data = NULL;
415 kfree(smp);
416 hci_conn_drop(conn->hcon);
417}
418
359static void smp_failure(struct l2cap_conn *conn, u8 reason) 419static void smp_failure(struct l2cap_conn *conn, u8 reason)
360{ 420{
361 struct hci_conn *hcon = conn->hcon; 421 struct hci_conn *hcon = conn->hcon;
422 struct l2cap_chan *chan = conn->smp;
423 struct smp_chan *smp;
362 424
363 if (reason) 425 if (reason)
364 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 426 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
@@ -368,7 +430,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason)
368 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type, 430 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
369 HCI_ERROR_AUTH_FAILURE); 431 HCI_ERROR_AUTH_FAILURE);
370 432
371 cancel_delayed_work_sync(&conn->security_timer); 433 if (!chan->data)
434 return;
435
436 smp = chan->data;
372 437
373 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 438 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
374 smp_chan_destroy(conn); 439 smp_chan_destroy(conn);
@@ -405,7 +470,8 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
405 u8 local_io, u8 remote_io) 470 u8 local_io, u8 remote_io)
406{ 471{
407 struct hci_conn *hcon = conn->hcon; 472 struct hci_conn *hcon = conn->hcon;
408 struct smp_chan *smp = conn->smp_chan; 473 struct l2cap_chan *chan = conn->smp;
474 struct smp_chan *smp = chan->data;
409 u8 method; 475 u8 method;
410 u32 passkey = 0; 476 u32 passkey = 0;
411 int ret = 0; 477 int ret = 0;
@@ -574,8 +640,201 @@ static u8 smp_random(struct smp_chan *smp)
574 return 0; 640 return 0;
575} 641}
576 642
643static void smp_notify_keys(struct l2cap_conn *conn)
644{
645 struct l2cap_chan *chan = conn->smp;
646 struct smp_chan *smp = chan->data;
647 struct hci_conn *hcon = conn->hcon;
648 struct hci_dev *hdev = hcon->hdev;
649 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
650 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
651 bool persistent;
652
653 if (smp->remote_irk) {
654 mgmt_new_irk(hdev, smp->remote_irk);
655 /* Now that user space can be considered to know the
656 * identity address track the connection based on it
657 * from now on.
658 */
659 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
660 hcon->dst_type = smp->remote_irk->addr_type;
661 l2cap_conn_update_id_addr(hcon);
662
663 /* When receiving an indentity resolving key for
664 * a remote device that does not use a resolvable
665 * private address, just remove the key so that
666 * it is possible to use the controller white
667 * list for scanning.
668 *
669 * Userspace will have been told to not store
670 * this key at this point. So it is safe to
671 * just remove it.
672 */
673 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
674 list_del(&smp->remote_irk->list);
675 kfree(smp->remote_irk);
676 smp->remote_irk = NULL;
677 }
678 }
679
680 /* The LTKs and CSRKs should be persistent only if both sides
681 * had the bonding bit set in their authentication requests.
682 */
683 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
684
685 if (smp->csrk) {
686 smp->csrk->bdaddr_type = hcon->dst_type;
687 bacpy(&smp->csrk->bdaddr, &hcon->dst);
688 mgmt_new_csrk(hdev, smp->csrk, persistent);
689 }
690
691 if (smp->slave_csrk) {
692 smp->slave_csrk->bdaddr_type = hcon->dst_type;
693 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
694 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
695 }
696
697 if (smp->ltk) {
698 smp->ltk->bdaddr_type = hcon->dst_type;
699 bacpy(&smp->ltk->bdaddr, &hcon->dst);
700 mgmt_new_ltk(hdev, smp->ltk, persistent);
701 }
702
703 if (smp->slave_ltk) {
704 smp->slave_ltk->bdaddr_type = hcon->dst_type;
705 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
706 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
707 }
708}
709
710static void smp_distribute_keys(struct work_struct *work)
711{
712 struct smp_chan *smp = container_of(work, struct smp_chan,
713 distribute_work);
714 struct smp_cmd_pairing *req, *rsp;
715 struct l2cap_conn *conn = smp->conn;
716 struct hci_conn *hcon = conn->hcon;
717 struct hci_dev *hdev = hcon->hdev;
718 __u8 *keydist;
719
720 BT_DBG("conn %p", conn);
721
722 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
723 return;
724
725 rsp = (void *) &smp->prsp[1];
726
727 /* The responder sends its keys first */
728 if (hcon->out && (smp->remote_key_dist & 0x07))
729 return;
730
731 req = (void *) &smp->preq[1];
732
733 if (hcon->out) {
734 keydist = &rsp->init_key_dist;
735 *keydist &= req->init_key_dist;
736 } else {
737 keydist = &rsp->resp_key_dist;
738 *keydist &= req->resp_key_dist;
739 }
740
741 BT_DBG("keydist 0x%x", *keydist);
742
743 if (*keydist & SMP_DIST_ENC_KEY) {
744 struct smp_cmd_encrypt_info enc;
745 struct smp_cmd_master_ident ident;
746 struct smp_ltk *ltk;
747 u8 authenticated;
748 __le16 ediv;
749 __le64 rand;
750
751 get_random_bytes(enc.ltk, sizeof(enc.ltk));
752 get_random_bytes(&ediv, sizeof(ediv));
753 get_random_bytes(&rand, sizeof(rand));
754
755 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
756
757 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
758 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
759 SMP_LTK_SLAVE, authenticated, enc.ltk,
760 smp->enc_key_size, ediv, rand);
761 smp->slave_ltk = ltk;
762
763 ident.ediv = ediv;
764 ident.rand = rand;
765
766 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
767
768 *keydist &= ~SMP_DIST_ENC_KEY;
769 }
770
771 if (*keydist & SMP_DIST_ID_KEY) {
772 struct smp_cmd_ident_addr_info addrinfo;
773 struct smp_cmd_ident_info idinfo;
774
775 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
776
777 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
778
779 /* The hci_conn contains the local identity address
780 * after the connection has been established.
781 *
782 * This is true even when the connection has been
783 * established using a resolvable random address.
784 */
785 bacpy(&addrinfo.bdaddr, &hcon->src);
786 addrinfo.addr_type = hcon->src_type;
787
788 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
789 &addrinfo);
790
791 *keydist &= ~SMP_DIST_ID_KEY;
792 }
793
794 if (*keydist & SMP_DIST_SIGN) {
795 struct smp_cmd_sign_info sign;
796 struct smp_csrk *csrk;
797
798 /* Generate a new random key */
799 get_random_bytes(sign.csrk, sizeof(sign.csrk));
800
801 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
802 if (csrk) {
803 csrk->master = 0x00;
804 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
805 }
806 smp->slave_csrk = csrk;
807
808 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
809
810 *keydist &= ~SMP_DIST_SIGN;
811 }
812
813 /* If there are still keys to be received wait for them */
814 if ((smp->remote_key_dist & 0x07))
815 return;
816
817 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
818 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
819 smp_notify_keys(conn);
820
821 smp_chan_destroy(conn);
822}
823
824static void smp_timeout(struct work_struct *work)
825{
826 struct smp_chan *smp = container_of(work, struct smp_chan,
827 security_timer.work);
828 struct l2cap_conn *conn = smp->conn;
829
830 BT_DBG("conn %p", conn);
831
832 l2cap_conn_shutdown(conn, ETIMEDOUT);
833}
834
577static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 835static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
578{ 836{
837 struct l2cap_chan *chan = conn->smp;
579 struct smp_chan *smp; 838 struct smp_chan *smp;
580 839
581 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 840 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
@@ -593,54 +852,20 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
593 } 852 }
594 853
595 smp->conn = conn; 854 smp->conn = conn;
596 conn->smp_chan = smp; 855 chan->data = smp;
856
857 INIT_WORK(&smp->distribute_work, smp_distribute_keys);
858 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
597 859
598 hci_conn_hold(conn->hcon); 860 hci_conn_hold(conn->hcon);
599 861
600 return smp; 862 return smp;
601} 863}
602 864
603void smp_chan_destroy(struct l2cap_conn *conn)
604{
605 struct smp_chan *smp = conn->smp_chan;
606 bool complete;
607
608 BUG_ON(!smp);
609
610 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
611 mgmt_smp_complete(conn->hcon, complete);
612
613 kfree(smp->csrk);
614 kfree(smp->slave_csrk);
615
616 crypto_free_blkcipher(smp->tfm_aes);
617
618 /* If pairing failed clean up any keys we might have */
619 if (!complete) {
620 if (smp->ltk) {
621 list_del(&smp->ltk->list);
622 kfree(smp->ltk);
623 }
624
625 if (smp->slave_ltk) {
626 list_del(&smp->slave_ltk->list);
627 kfree(smp->slave_ltk);
628 }
629
630 if (smp->remote_irk) {
631 list_del(&smp->remote_irk->list);
632 kfree(smp->remote_irk);
633 }
634 }
635
636 kfree(smp);
637 conn->smp_chan = NULL;
638 hci_conn_drop(conn->hcon);
639}
640
641int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 865int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
642{ 866{
643 struct l2cap_conn *conn = hcon->l2cap_data; 867 struct l2cap_conn *conn = hcon->l2cap_data;
868 struct l2cap_chan *chan;
644 struct smp_chan *smp; 869 struct smp_chan *smp;
645 u32 value; 870 u32 value;
646 871
@@ -649,7 +874,11 @@ int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
649 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 874 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
650 return -ENOTCONN; 875 return -ENOTCONN;
651 876
652 smp = conn->smp_chan; 877 chan = conn->smp;
878 if (!chan)
879 return -ENOTCONN;
880
881 smp = chan->data;
653 882
654 switch (mgmt_op) { 883 switch (mgmt_op) {
655 case MGMT_OP_USER_PASSKEY_REPLY: 884 case MGMT_OP_USER_PASSKEY_REPLY:
@@ -696,10 +925,12 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
696 if (conn->hcon->role != HCI_ROLE_SLAVE) 925 if (conn->hcon->role != HCI_ROLE_SLAVE)
697 return SMP_CMD_NOTSUPP; 926 return SMP_CMD_NOTSUPP;
698 927
699 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) 928 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
700 smp = smp_chan_create(conn); 929 smp = smp_chan_create(conn);
701 else 930 } else {
702 smp = conn->smp_chan; 931 struct l2cap_chan *chan = conn->smp;
932 smp = chan->data;
933 }
703 934
704 if (!smp) 935 if (!smp)
705 return SMP_UNSPECIFIED; 936 return SMP_UNSPECIFIED;
@@ -753,7 +984,8 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
753static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 984static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
754{ 985{
755 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 986 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
756 struct smp_chan *smp = conn->smp_chan; 987 struct l2cap_chan *chan = conn->smp;
988 struct smp_chan *smp = chan->data;
757 u8 key_size, auth = SMP_AUTH_NONE; 989 u8 key_size, auth = SMP_AUTH_NONE;
758 int ret; 990 int ret;
759 991
@@ -814,7 +1046,8 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
814 1046
815static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 1047static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
816{ 1048{
817 struct smp_chan *smp = conn->smp_chan; 1049 struct l2cap_chan *chan = conn->smp;
1050 struct smp_chan *smp = chan->data;
818 1051
819 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 1052 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
820 1053
@@ -837,7 +1070,8 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
837 1070
838static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 1071static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
839{ 1072{
840 struct smp_chan *smp = conn->smp_chan; 1073 struct l2cap_chan *chan = conn->smp;
1074 struct smp_chan *smp = chan->data;
841 1075
842 BT_DBG("conn %p", conn); 1076 BT_DBG("conn %p", conn);
843 1077
@@ -1010,7 +1244,8 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1010static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 1244static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1011{ 1245{
1012 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 1246 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1013 struct smp_chan *smp = conn->smp_chan; 1247 struct l2cap_chan *chan = conn->smp;
1248 struct smp_chan *smp = chan->data;
1014 1249
1015 BT_DBG("conn %p", conn); 1250 BT_DBG("conn %p", conn);
1016 1251
@@ -1031,7 +1266,8 @@ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1031static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 1266static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1032{ 1267{
1033 struct smp_cmd_master_ident *rp = (void *) skb->data; 1268 struct smp_cmd_master_ident *rp = (void *) skb->data;
1034 struct smp_chan *smp = conn->smp_chan; 1269 struct l2cap_chan *chan = conn->smp;
1270 struct smp_chan *smp = chan->data;
1035 struct hci_dev *hdev = conn->hcon->hdev; 1271 struct hci_dev *hdev = conn->hcon->hdev;
1036 struct hci_conn *hcon = conn->hcon; 1272 struct hci_conn *hcon = conn->hcon;
1037 struct smp_ltk *ltk; 1273 struct smp_ltk *ltk;
@@ -1058,7 +1294,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1058 rp->ediv, rp->rand); 1294 rp->ediv, rp->rand);
1059 smp->ltk = ltk; 1295 smp->ltk = ltk;
1060 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY)) 1296 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1061 smp_distribute_keys(conn); 1297 queue_work(hdev->workqueue, &smp->distribute_work);
1062 hci_dev_unlock(hdev); 1298 hci_dev_unlock(hdev);
1063 1299
1064 return 0; 1300 return 0;
@@ -1067,7 +1303,8 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1067static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 1303static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1068{ 1304{
1069 struct smp_cmd_ident_info *info = (void *) skb->data; 1305 struct smp_cmd_ident_info *info = (void *) skb->data;
1070 struct smp_chan *smp = conn->smp_chan; 1306 struct l2cap_chan *chan = conn->smp;
1307 struct smp_chan *smp = chan->data;
1071 1308
1072 BT_DBG(""); 1309 BT_DBG("");
1073 1310
@@ -1089,8 +1326,10 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1089 struct sk_buff *skb) 1326 struct sk_buff *skb)
1090{ 1327{
1091 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 1328 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1092 struct smp_chan *smp = conn->smp_chan; 1329 struct l2cap_chan *chan = conn->smp;
1330 struct smp_chan *smp = chan->data;
1093 struct hci_conn *hcon = conn->hcon; 1331 struct hci_conn *hcon = conn->hcon;
1332 struct hci_dev *hdev = hcon->hdev;
1094 bdaddr_t rpa; 1333 bdaddr_t rpa;
1095 1334
1096 BT_DBG(""); 1335 BT_DBG("");
@@ -1133,7 +1372,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1133 smp->id_addr_type, smp->irk, &rpa); 1372 smp->id_addr_type, smp->irk, &rpa);
1134 1373
1135distribute: 1374distribute:
1136 smp_distribute_keys(conn); 1375 queue_work(hdev->workqueue, &smp->distribute_work);
1137 1376
1138 hci_dev_unlock(hcon->hdev); 1377 hci_dev_unlock(hcon->hdev);
1139 1378
@@ -1143,7 +1382,8 @@ distribute:
1143static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 1382static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1144{ 1383{
1145 struct smp_cmd_sign_info *rp = (void *) skb->data; 1384 struct smp_cmd_sign_info *rp = (void *) skb->data;
1146 struct smp_chan *smp = conn->smp_chan; 1385 struct l2cap_chan *chan = conn->smp;
1386 struct smp_chan *smp = chan->data;
1147 struct hci_dev *hdev = conn->hcon->hdev; 1387 struct hci_dev *hdev = conn->hcon->hdev;
1148 struct smp_csrk *csrk; 1388 struct smp_csrk *csrk;
1149 1389
@@ -1168,15 +1408,15 @@ static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1168 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 1408 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1169 } 1409 }
1170 smp->csrk = csrk; 1410 smp->csrk = csrk;
1171 if (!(smp->remote_key_dist & SMP_DIST_SIGN)) 1411 queue_work(hdev->workqueue, &smp->distribute_work);
1172 smp_distribute_keys(conn);
1173 hci_dev_unlock(hdev); 1412 hci_dev_unlock(hdev);
1174 1413
1175 return 0; 1414 return 0;
1176} 1415}
1177 1416
1178int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) 1417static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1179{ 1418{
1419 struct l2cap_conn *conn = chan->conn;
1180 struct hci_conn *hcon = conn->hcon; 1420 struct hci_conn *hcon = conn->hcon;
1181 __u8 code, reason; 1421 __u8 code, reason;
1182 int err = 0; 1422 int err = 0;
@@ -1186,10 +1426,8 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1186 return 0; 1426 return 0;
1187 } 1427 }
1188 1428
1189 if (skb->len < 1) { 1429 if (skb->len < 1)
1190 kfree_skb(skb);
1191 return -EILSEQ; 1430 return -EILSEQ;
1192 }
1193 1431
1194 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) { 1432 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1195 err = -EOPNOTSUPP; 1433 err = -EOPNOTSUPP;
@@ -1207,10 +1445,11 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1207 * returns an error). 1445 * returns an error).
1208 */ 1446 */
1209 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ && 1447 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1210 !conn->smp_chan) { 1448 !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1211 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code); 1449 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1212 kfree_skb(skb); 1450 reason = SMP_CMD_NOTSUPP;
1213 return -EOPNOTSUPP; 1451 err = -EOPNOTSUPP;
1452 goto done;
1214 } 1453 }
1215 1454
1216 switch (code) { 1455 switch (code) {
@@ -1271,188 +1510,201 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1271done: 1510done:
1272 if (reason) 1511 if (reason)
1273 smp_failure(conn, reason); 1512 smp_failure(conn, reason);
1274 1513 if (!err)
1275 kfree_skb(skb); 1514 kfree_skb(skb);
1276 return err; 1515 return err;
1277} 1516}
1278 1517
1279static void smp_notify_keys(struct l2cap_conn *conn) 1518static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1280{ 1519{
1281 struct smp_chan *smp = conn->smp_chan; 1520 struct l2cap_conn *conn = chan->conn;
1521
1522 BT_DBG("chan %p", chan);
1523
1524 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
1525 smp_chan_destroy(conn);
1526
1527 conn->smp = NULL;
1528 l2cap_chan_put(chan);
1529}
1530
1531static void smp_resume_cb(struct l2cap_chan *chan)
1532{
1533 struct smp_chan *smp = chan->data;
1534 struct l2cap_conn *conn = chan->conn;
1282 struct hci_conn *hcon = conn->hcon; 1535 struct hci_conn *hcon = conn->hcon;
1283 struct hci_dev *hdev = hcon->hdev; 1536 struct hci_dev *hdev = hcon->hdev;
1284 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1285 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1286 bool persistent;
1287 1537
1288 if (smp->remote_irk) { 1538 BT_DBG("chan %p", chan);
1289 mgmt_new_irk(hdev, smp->remote_irk);
1290 /* Now that user space can be considered to know the
1291 * identity address track the connection based on it
1292 * from now on.
1293 */
1294 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1295 hcon->dst_type = smp->remote_irk->addr_type;
1296 l2cap_conn_update_id_addr(hcon);
1297 1539
1298 /* When receiving an indentity resolving key for 1540 if (!smp)
1299 * a remote device that does not use a resolvable 1541 return;
1300 * private address, just remove the key so that
1301 * it is possible to use the controller white
1302 * list for scanning.
1303 *
1304 * Userspace will have been told to not store
1305 * this key at this point. So it is safe to
1306 * just remove it.
1307 */
1308 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1309 list_del(&smp->remote_irk->list);
1310 kfree(smp->remote_irk);
1311 smp->remote_irk = NULL;
1312 }
1313 }
1314 1542
1315 /* The LTKs and CSRKs should be persistent only if both sides 1543 cancel_delayed_work(&smp->security_timer);
1316 * had the bonding bit set in their authentication requests.
1317 */
1318 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1319 1544
1320 if (smp->csrk) { 1545 if (test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
1321 smp->csrk->bdaddr_type = hcon->dst_type; 1546 queue_work(hdev->workqueue, &smp->distribute_work);
1322 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1547}
1323 mgmt_new_csrk(hdev, smp->csrk, persistent);
1324 }
1325 1548
1326 if (smp->slave_csrk) { 1549static void smp_ready_cb(struct l2cap_chan *chan)
1327 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1550{
1328 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1551 struct l2cap_conn *conn = chan->conn;
1329 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1330 }
1331 1552
1332 if (smp->ltk) { 1553 BT_DBG("chan %p", chan);
1333 smp->ltk->bdaddr_type = hcon->dst_type;
1334 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1335 mgmt_new_ltk(hdev, smp->ltk, persistent);
1336 }
1337 1554
1338 if (smp->slave_ltk) { 1555 conn->smp = chan;
1339 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1556 l2cap_chan_hold(chan);
1340 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1341 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1342 }
1343} 1557}
1344 1558
1345int smp_distribute_keys(struct l2cap_conn *conn) 1559static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1346{ 1560{
1347 struct smp_cmd_pairing *req, *rsp; 1561 int err;
1348 struct smp_chan *smp = conn->smp_chan;
1349 struct hci_conn *hcon = conn->hcon;
1350 struct hci_dev *hdev = hcon->hdev;
1351 __u8 *keydist;
1352 1562
1353 BT_DBG("conn %p", conn); 1563 BT_DBG("chan %p", chan);
1354 1564
1355 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) 1565 err = smp_sig_channel(chan, skb);
1356 return 0; 1566 if (err) {
1567 struct smp_chan *smp = chan->data;
1357 1568
1358 rsp = (void *) &smp->prsp[1]; 1569 if (smp)
1570 cancel_delayed_work_sync(&smp->security_timer);
1359 1571
1360 /* The responder sends its keys first */ 1572 l2cap_conn_shutdown(chan->conn, -err);
1361 if (hcon->out && (smp->remote_key_dist & 0x07)) 1573 }
1362 return 0;
1363 1574
1364 req = (void *) &smp->preq[1]; 1575 return err;
1576}
1365 1577
1366 if (hcon->out) { 1578static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
1367 keydist = &rsp->init_key_dist; 1579 unsigned long hdr_len,
1368 *keydist &= req->init_key_dist; 1580 unsigned long len, int nb)
1369 } else { 1581{
1370 keydist = &rsp->resp_key_dist; 1582 struct sk_buff *skb;
1371 *keydist &= req->resp_key_dist;
1372 }
1373 1583
1374 BT_DBG("keydist 0x%x", *keydist); 1584 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
1585 if (!skb)
1586 return ERR_PTR(-ENOMEM);
1375 1587
1376 if (*keydist & SMP_DIST_ENC_KEY) { 1588 skb->priority = HCI_PRIO_MAX;
1377 struct smp_cmd_encrypt_info enc; 1589 bt_cb(skb)->chan = chan;
1378 struct smp_cmd_master_ident ident;
1379 struct smp_ltk *ltk;
1380 u8 authenticated;
1381 __le16 ediv;
1382 __le64 rand;
1383 1590
1384 get_random_bytes(enc.ltk, sizeof(enc.ltk)); 1591 return skb;
1385 get_random_bytes(&ediv, sizeof(ediv)); 1592}
1386 get_random_bytes(&rand, sizeof(rand));
1387 1593
1388 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1594static const struct l2cap_ops smp_chan_ops = {
1595 .name = "Security Manager",
1596 .ready = smp_ready_cb,
1597 .recv = smp_recv_cb,
1598 .alloc_skb = smp_alloc_skb_cb,
1599 .teardown = smp_teardown_cb,
1600 .resume = smp_resume_cb,
1601
1602 .new_connection = l2cap_chan_no_new_connection,
1603 .state_change = l2cap_chan_no_state_change,
1604 .close = l2cap_chan_no_close,
1605 .defer = l2cap_chan_no_defer,
1606 .suspend = l2cap_chan_no_suspend,
1607 .set_shutdown = l2cap_chan_no_set_shutdown,
1608 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1609 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1610};
1389 1611
1390 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1612static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
1391 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1613{
1392 SMP_LTK_SLAVE, authenticated, enc.ltk, 1614 struct l2cap_chan *chan;
1393 smp->enc_key_size, ediv, rand);
1394 smp->slave_ltk = ltk;
1395 1615
1396 ident.ediv = ediv; 1616 BT_DBG("pchan %p", pchan);
1397 ident.rand = rand;
1398 1617
1399 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1618 chan = l2cap_chan_create();
1619 if (!chan)
1620 return NULL;
1400 1621
1401 *keydist &= ~SMP_DIST_ENC_KEY; 1622 chan->chan_type = pchan->chan_type;
1402 } 1623 chan->ops = &smp_chan_ops;
1624 chan->scid = pchan->scid;
1625 chan->dcid = chan->scid;
1626 chan->imtu = pchan->imtu;
1627 chan->omtu = pchan->omtu;
1628 chan->mode = pchan->mode;
1403 1629
1404 if (*keydist & SMP_DIST_ID_KEY) { 1630 BT_DBG("created chan %p", chan);
1405 struct smp_cmd_ident_addr_info addrinfo;
1406 struct smp_cmd_ident_info idinfo;
1407 1631
1408 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1632 return chan;
1633}
1409 1634
1410 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1635static const struct l2cap_ops smp_root_chan_ops = {
1636 .name = "Security Manager Root",
1637 .new_connection = smp_new_conn_cb,
1638
1639 /* None of these are implemented for the root channel */
1640 .close = l2cap_chan_no_close,
1641 .alloc_skb = l2cap_chan_no_alloc_skb,
1642 .recv = l2cap_chan_no_recv,
1643 .state_change = l2cap_chan_no_state_change,
1644 .teardown = l2cap_chan_no_teardown,
1645 .ready = l2cap_chan_no_ready,
1646 .defer = l2cap_chan_no_defer,
1647 .suspend = l2cap_chan_no_suspend,
1648 .resume = l2cap_chan_no_resume,
1649 .set_shutdown = l2cap_chan_no_set_shutdown,
1650 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1651 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1652};
1411 1653
1412 /* The hci_conn contains the local identity address 1654int smp_register(struct hci_dev *hdev)
1413 * after the connection has been established. 1655{
1414 * 1656 struct l2cap_chan *chan;
1415 * This is true even when the connection has been 1657 struct crypto_blkcipher *tfm_aes;
1416 * established using a resolvable random address.
1417 */
1418 bacpy(&addrinfo.bdaddr, &hcon->src);
1419 addrinfo.addr_type = hcon->src_type;
1420 1658
1421 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1659 BT_DBG("%s", hdev->name);
1422 &addrinfo);
1423 1660
1424 *keydist &= ~SMP_DIST_ID_KEY; 1661 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1662 if (IS_ERR(tfm_aes)) {
1663 int err = PTR_ERR(tfm_aes);
1664 BT_ERR("Unable to create crypto context");
1665 return err;
1425 } 1666 }
1426 1667
1427 if (*keydist & SMP_DIST_SIGN) { 1668 chan = l2cap_chan_create();
1428 struct smp_cmd_sign_info sign; 1669 if (!chan) {
1429 struct smp_csrk *csrk; 1670 crypto_free_blkcipher(tfm_aes);
1671 return -ENOMEM;
1672 }
1430 1673
1431 /* Generate a new random key */ 1674 chan->data = tfm_aes;
1432 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1433 1675
1434 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1676 l2cap_add_scid(chan, L2CAP_CID_SMP);
1435 if (csrk) {
1436 csrk->master = 0x00;
1437 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1438 }
1439 smp->slave_csrk = csrk;
1440 1677
1441 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1678 l2cap_chan_set_defaults(chan);
1442 1679
1443 *keydist &= ~SMP_DIST_SIGN; 1680 bacpy(&chan->src, &hdev->bdaddr);
1444 } 1681 chan->src_type = BDADDR_LE_PUBLIC;
1682 chan->state = BT_LISTEN;
1683 chan->mode = L2CAP_MODE_BASIC;
1684 chan->imtu = L2CAP_DEFAULT_MTU;
1685 chan->ops = &smp_root_chan_ops;
1445 1686
1446 /* If there are still keys to be received wait for them */ 1687 hdev->smp_data = chan;
1447 if ((smp->remote_key_dist & 0x07))
1448 return 0;
1449 1688
1450 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags); 1689 return 0;
1451 cancel_delayed_work_sync(&conn->security_timer); 1690}
1452 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1453 smp_notify_keys(conn);
1454 1691
1455 smp_chan_destroy(conn); 1692void smp_unregister(struct hci_dev *hdev)
1693{
1694 struct l2cap_chan *chan = hdev->smp_data;
1695 struct crypto_blkcipher *tfm_aes;
1456 1696
1457 return 0; 1697 if (!chan)
1698 return;
1699
1700 BT_DBG("%s chan %p", hdev->name, chan);
1701
1702 tfm_aes = chan->data;
1703 if (tfm_aes) {
1704 chan->data = NULL;
1705 crypto_free_blkcipher(tfm_aes);
1706 }
1707
1708 hdev->smp_data = NULL;
1709 l2cap_chan_put(chan);
1458} 1710}
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 796f4f45f92f..cf1094617c69 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -126,14 +126,12 @@ enum {
126/* SMP Commands */ 126/* SMP Commands */
127bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level); 127bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level);
128int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); 128int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
129int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb);
130int smp_distribute_keys(struct l2cap_conn *conn);
131int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey); 129int smp_user_confirm_reply(struct hci_conn *conn, u16 mgmt_op, __le32 passkey);
132 130
133void smp_chan_destroy(struct l2cap_conn *conn); 131bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr);
132int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa);
134 133
135bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16], 134int smp_register(struct hci_dev *hdev);
136 bdaddr_t *bdaddr); 135void smp_unregister(struct hci_dev *hdev);
137int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa);
138 136
139#endif /* __SMP_H */ 137#endif /* __SMP_H */
diff --git a/net/ieee802154/6lowpan_rtnl.c b/net/ieee802154/6lowpan_rtnl.c
index 6591d27e53a4..5e788cdc499a 100644
--- a/net/ieee802154/6lowpan_rtnl.c
+++ b/net/ieee802154/6lowpan_rtnl.c
@@ -77,14 +77,6 @@ lowpan_dev_info *lowpan_dev_info(const struct net_device *dev)
77 return netdev_priv(dev); 77 return netdev_priv(dev);
78} 78}
79 79
80static inline void lowpan_address_flip(u8 *src, u8 *dest)
81{
82 int i;
83
84 for (i = 0; i < IEEE802154_ADDR_LEN; i++)
85 (dest)[IEEE802154_ADDR_LEN - i - 1] = (src)[i];
86}
87
88static int lowpan_header_create(struct sk_buff *skb, struct net_device *dev, 80static int lowpan_header_create(struct sk_buff *skb, struct net_device *dev,
89 unsigned short type, const void *_daddr, 81 unsigned short type, const void *_daddr,
90 const void *_saddr, unsigned int len) 82 const void *_saddr, unsigned int len)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 927b4ea0128b..4d8989b87960 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1011,15 +1011,8 @@ static int sta_apply_parameters(struct ieee80211_local *local,
1011 clear_sta_flag(sta, WLAN_STA_SHORT_PREAMBLE); 1011 clear_sta_flag(sta, WLAN_STA_SHORT_PREAMBLE);
1012 } 1012 }
1013 1013
1014 if (mask & BIT(NL80211_STA_FLAG_WME)) { 1014 if (mask & BIT(NL80211_STA_FLAG_WME))
1015 if (set & BIT(NL80211_STA_FLAG_WME)) { 1015 sta->sta.wme = set & BIT(NL80211_STA_FLAG_WME);
1016 set_sta_flag(sta, WLAN_STA_WME);
1017 sta->sta.wme = true;
1018 } else {
1019 clear_sta_flag(sta, WLAN_STA_WME);
1020 sta->sta.wme = false;
1021 }
1022 }
1023 1016
1024 if (mask & BIT(NL80211_STA_FLAG_MFP)) { 1017 if (mask & BIT(NL80211_STA_FLAG_MFP)) {
1025 if (set & BIT(NL80211_STA_FLAG_MFP)) 1018 if (set & BIT(NL80211_STA_FLAG_MFP))
@@ -3352,7 +3345,7 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
3352 band = chanctx_conf->def.chan->band; 3345 band = chanctx_conf->def.chan->band;
3353 sta = sta_info_get_bss(sdata, peer); 3346 sta = sta_info_get_bss(sdata, peer);
3354 if (sta) { 3347 if (sta) {
3355 qos = test_sta_flag(sta, WLAN_STA_WME); 3348 qos = sta->sta.wme;
3356 } else { 3349 } else {
3357 rcu_read_unlock(); 3350 rcu_read_unlock();
3358 return -ENOLINK; 3351 return -ENOLINK;
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 399ad82c997f..4c74e8da64b9 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -549,12 +549,12 @@ static void ieee80211_recalc_chanctx_chantype(struct ieee80211_local *local,
549 549
550 compat = cfg80211_chandef_compatible( 550 compat = cfg80211_chandef_compatible(
551 &sdata->vif.bss_conf.chandef, compat); 551 &sdata->vif.bss_conf.chandef, compat);
552 if (!compat) 552 if (WARN_ON_ONCE(!compat))
553 break; 553 break;
554 } 554 }
555 rcu_read_unlock(); 555 rcu_read_unlock();
556 556
557 if (WARN_ON_ONCE(!compat)) 557 if (!compat)
558 return; 558 return;
559 559
560 ieee80211_change_chanctx(local, ctx, compat); 560 ieee80211_change_chanctx(local, ctx, compat);
@@ -639,41 +639,6 @@ out:
639 return ret; 639 return ret;
640} 640}
641 641
642static void __ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
643{
644 struct ieee80211_local *local = sdata->local;
645 struct ieee80211_chanctx_conf *conf;
646 struct ieee80211_chanctx *ctx;
647 bool use_reserved_switch = false;
648
649 lockdep_assert_held(&local->chanctx_mtx);
650
651 conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
652 lockdep_is_held(&local->chanctx_mtx));
653 if (!conf)
654 return;
655
656 ctx = container_of(conf, struct ieee80211_chanctx, conf);
657
658 if (sdata->reserved_chanctx) {
659 if (sdata->reserved_chanctx->replace_state ==
660 IEEE80211_CHANCTX_REPLACES_OTHER &&
661 ieee80211_chanctx_num_reserved(local,
662 sdata->reserved_chanctx) > 1)
663 use_reserved_switch = true;
664
665 ieee80211_vif_unreserve_chanctx(sdata);
666 }
667
668 ieee80211_assign_vif_chanctx(sdata, NULL);
669 if (ieee80211_chanctx_refcount(local, ctx) == 0)
670 ieee80211_free_chanctx(local, ctx);
671
672 /* Unreserving may ready an in-place reservation. */
673 if (use_reserved_switch)
674 ieee80211_vif_use_reserved_switch(local);
675}
676
677void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local, 642void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
678 struct ieee80211_chanctx *chanctx) 643 struct ieee80211_chanctx *chanctx)
679{ 644{
@@ -764,63 +729,6 @@ void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
764 drv_change_chanctx(local, chanctx, IEEE80211_CHANCTX_CHANGE_RX_CHAINS); 729 drv_change_chanctx(local, chanctx, IEEE80211_CHANCTX_CHANGE_RX_CHAINS);
765} 730}
766 731
767int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
768 const struct cfg80211_chan_def *chandef,
769 enum ieee80211_chanctx_mode mode)
770{
771 struct ieee80211_local *local = sdata->local;
772 struct ieee80211_chanctx *ctx;
773 u8 radar_detect_width = 0;
774 int ret;
775
776 lockdep_assert_held(&local->mtx);
777
778 WARN_ON(sdata->dev && netif_carrier_ok(sdata->dev));
779
780 mutex_lock(&local->chanctx_mtx);
781
782 ret = cfg80211_chandef_dfs_required(local->hw.wiphy,
783 chandef,
784 sdata->wdev.iftype);
785 if (ret < 0)
786 goto out;
787 if (ret > 0)
788 radar_detect_width = BIT(chandef->width);
789
790 sdata->radar_required = ret;
791
792 ret = ieee80211_check_combinations(sdata, chandef, mode,
793 radar_detect_width);
794 if (ret < 0)
795 goto out;
796
797 __ieee80211_vif_release_channel(sdata);
798
799 ctx = ieee80211_find_chanctx(local, chandef, mode);
800 if (!ctx)
801 ctx = ieee80211_new_chanctx(local, chandef, mode);
802 if (IS_ERR(ctx)) {
803 ret = PTR_ERR(ctx);
804 goto out;
805 }
806
807 sdata->vif.bss_conf.chandef = *chandef;
808
809 ret = ieee80211_assign_vif_chanctx(sdata, ctx);
810 if (ret) {
811 /* if assign fails refcount stays the same */
812 if (ieee80211_chanctx_refcount(local, ctx) == 0)
813 ieee80211_free_chanctx(local, ctx);
814 goto out;
815 }
816
817 ieee80211_recalc_smps_chanctx(local, ctx);
818 ieee80211_recalc_radar_chanctx(local, ctx);
819 out:
820 mutex_unlock(&local->chanctx_mtx);
821 return ret;
822}
823
824static void 732static void
825__ieee80211_vif_copy_chanctx_to_vlans(struct ieee80211_sub_if_data *sdata, 733__ieee80211_vif_copy_chanctx_to_vlans(struct ieee80211_sub_if_data *sdata,
826 bool clear) 734 bool clear)
@@ -1269,8 +1177,7 @@ err:
1269 return err; 1177 return err;
1270} 1178}
1271 1179
1272int 1180static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
1273ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
1274{ 1181{
1275 struct ieee80211_sub_if_data *sdata, *sdata_tmp; 1182 struct ieee80211_sub_if_data *sdata, *sdata_tmp;
1276 struct ieee80211_chanctx *ctx, *ctx_tmp, *old_ctx; 1183 struct ieee80211_chanctx *ctx, *ctx_tmp, *old_ctx;
@@ -1522,6 +1429,98 @@ err:
1522 return err; 1429 return err;
1523} 1430}
1524 1431
1432static void __ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
1433{
1434 struct ieee80211_local *local = sdata->local;
1435 struct ieee80211_chanctx_conf *conf;
1436 struct ieee80211_chanctx *ctx;
1437 bool use_reserved_switch = false;
1438
1439 lockdep_assert_held(&local->chanctx_mtx);
1440
1441 conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
1442 lockdep_is_held(&local->chanctx_mtx));
1443 if (!conf)
1444 return;
1445
1446 ctx = container_of(conf, struct ieee80211_chanctx, conf);
1447
1448 if (sdata->reserved_chanctx) {
1449 if (sdata->reserved_chanctx->replace_state ==
1450 IEEE80211_CHANCTX_REPLACES_OTHER &&
1451 ieee80211_chanctx_num_reserved(local,
1452 sdata->reserved_chanctx) > 1)
1453 use_reserved_switch = true;
1454
1455 ieee80211_vif_unreserve_chanctx(sdata);
1456 }
1457
1458 ieee80211_assign_vif_chanctx(sdata, NULL);
1459 if (ieee80211_chanctx_refcount(local, ctx) == 0)
1460 ieee80211_free_chanctx(local, ctx);
1461
1462 /* Unreserving may ready an in-place reservation. */
1463 if (use_reserved_switch)
1464 ieee80211_vif_use_reserved_switch(local);
1465}
1466
1467int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
1468 const struct cfg80211_chan_def *chandef,
1469 enum ieee80211_chanctx_mode mode)
1470{
1471 struct ieee80211_local *local = sdata->local;
1472 struct ieee80211_chanctx *ctx;
1473 u8 radar_detect_width = 0;
1474 int ret;
1475
1476 lockdep_assert_held(&local->mtx);
1477
1478 WARN_ON(sdata->dev && netif_carrier_ok(sdata->dev));
1479
1480 mutex_lock(&local->chanctx_mtx);
1481
1482 ret = cfg80211_chandef_dfs_required(local->hw.wiphy,
1483 chandef,
1484 sdata->wdev.iftype);
1485 if (ret < 0)
1486 goto out;
1487 if (ret > 0)
1488 radar_detect_width = BIT(chandef->width);
1489
1490 sdata->radar_required = ret;
1491
1492 ret = ieee80211_check_combinations(sdata, chandef, mode,
1493 radar_detect_width);
1494 if (ret < 0)
1495 goto out;
1496
1497 __ieee80211_vif_release_channel(sdata);
1498
1499 ctx = ieee80211_find_chanctx(local, chandef, mode);
1500 if (!ctx)
1501 ctx = ieee80211_new_chanctx(local, chandef, mode);
1502 if (IS_ERR(ctx)) {
1503 ret = PTR_ERR(ctx);
1504 goto out;
1505 }
1506
1507 sdata->vif.bss_conf.chandef = *chandef;
1508
1509 ret = ieee80211_assign_vif_chanctx(sdata, ctx);
1510 if (ret) {
1511 /* if assign fails refcount stays the same */
1512 if (ieee80211_chanctx_refcount(local, ctx) == 0)
1513 ieee80211_free_chanctx(local, ctx);
1514 goto out;
1515 }
1516
1517 ieee80211_recalc_smps_chanctx(local, ctx);
1518 ieee80211_recalc_radar_chanctx(local, ctx);
1519 out:
1520 mutex_unlock(&local->chanctx_mtx);
1521 return ret;
1522}
1523
1525int ieee80211_vif_use_reserved_context(struct ieee80211_sub_if_data *sdata) 1524int ieee80211_vif_use_reserved_context(struct ieee80211_sub_if_data *sdata)
1526{ 1525{
1527 struct ieee80211_local *local = sdata->local; 1526 struct ieee80211_local *local = sdata->local;
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 86173c0de40e..33eb4a43a2f3 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -77,7 +77,8 @@ static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
77 TEST(AUTH), TEST(ASSOC), TEST(PS_STA), 77 TEST(AUTH), TEST(ASSOC), TEST(PS_STA),
78 TEST(PS_DRIVER), TEST(AUTHORIZED), 78 TEST(PS_DRIVER), TEST(AUTHORIZED),
79 TEST(SHORT_PREAMBLE), 79 TEST(SHORT_PREAMBLE),
80 TEST(WME), TEST(WDS), TEST(CLEAR_PS_FILT), 80 sta->sta.wme ? "WME\n" : "",
81 TEST(WDS), TEST(CLEAR_PS_FILT),
81 TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL), 82 TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL),
82 TEST(UAPSD), TEST(SP), TEST(TDLS_PEER), 83 TEST(UAPSD), TEST(SP), TEST(TDLS_PEER),
83 TEST(TDLS_PEER_AUTH), TEST(4ADDR_EVENT), 84 TEST(TDLS_PEER_AUTH), TEST(4ADDR_EVENT),
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 9713dc54ea4b..5f9654d31a8d 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1038,7 +1038,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
1038 } 1038 }
1039 1039
1040 if (sta && elems->wmm_info) 1040 if (sta && elems->wmm_info)
1041 set_sta_flag(sta, WLAN_STA_WME); 1041 sta->sta.wme = true;
1042 1042
1043 if (sta && elems->ht_operation && elems->ht_cap_elem && 1043 if (sta && elems->ht_operation && elems->ht_cap_elem &&
1044 sdata->u.ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT && 1044 sdata->u.ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index ef7a089ac546..ffb20e5e6cf3 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1869,7 +1869,6 @@ ieee80211_vif_reserve_chanctx(struct ieee80211_sub_if_data *sdata,
1869int __must_check 1869int __must_check
1870ieee80211_vif_use_reserved_context(struct ieee80211_sub_if_data *sdata); 1870ieee80211_vif_use_reserved_context(struct ieee80211_sub_if_data *sdata);
1871int ieee80211_vif_unreserve_chanctx(struct ieee80211_sub_if_data *sdata); 1871int ieee80211_vif_unreserve_chanctx(struct ieee80211_sub_if_data *sdata);
1872int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local);
1873 1872
1874int __must_check 1873int __must_check
1875ieee80211_vif_change_bandwidth(struct ieee80211_sub_if_data *sdata, 1874ieee80211_vif_change_bandwidth(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index d808cff80153..6429d0e1d4a1 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -130,9 +130,7 @@ static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
130 if (!ret) { 130 if (!ret) {
131 key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE; 131 key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
132 132
133 if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) || 133 if (!(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC))
134 (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV) ||
135 (key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)))
136 sdata->crypto_tx_tailroom_needed_cnt--; 134 sdata->crypto_tx_tailroom_needed_cnt--;
137 135
138 WARN_ON((key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) && 136 WARN_ON((key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
@@ -180,9 +178,7 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key)
180 sta = key->sta; 178 sta = key->sta;
181 sdata = key->sdata; 179 sdata = key->sdata;
182 180
183 if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) || 181 if (!(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC))
184 (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV) ||
185 (key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)))
186 increment_tailroom_need_count(sdata); 182 increment_tailroom_need_count(sdata);
187 183
188 ret = drv_set_key(key->local, DISABLE_KEY, sdata, 184 ret = drv_set_key(key->local, DISABLE_KEY, sdata,
@@ -878,9 +874,7 @@ void ieee80211_remove_key(struct ieee80211_key_conf *keyconf)
878 if (key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) { 874 if (key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) {
879 key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE; 875 key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE;
880 876
881 if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) || 877 if (!(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC))
882 (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV) ||
883 (key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)))
884 increment_tailroom_need_count(key->sdata); 878 increment_tailroom_need_count(key->sdata);
885 } 879 }
886 880
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index cf032a8db9d7..a6699dceae7c 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -729,7 +729,7 @@ void mesh_plink_broken(struct sta_info *sta)
729 tbl = rcu_dereference(mesh_paths); 729 tbl = rcu_dereference(mesh_paths);
730 for_each_mesh_entry(tbl, node, i) { 730 for_each_mesh_entry(tbl, node, i) {
731 mpath = node->mpath; 731 mpath = node->mpath;
732 if (rcu_dereference(mpath->next_hop) == sta && 732 if (rcu_access_pointer(mpath->next_hop) == sta &&
733 mpath->flags & MESH_PATH_ACTIVE && 733 mpath->flags & MESH_PATH_ACTIVE &&
734 !(mpath->flags & MESH_PATH_FIXED)) { 734 !(mpath->flags & MESH_PATH_FIXED)) {
735 spin_lock_bh(&mpath->state_lock); 735 spin_lock_bh(&mpath->state_lock);
@@ -794,7 +794,7 @@ void mesh_path_flush_by_nexthop(struct sta_info *sta)
794 tbl = resize_dereference_mesh_paths(); 794 tbl = resize_dereference_mesh_paths();
795 for_each_mesh_entry(tbl, node, i) { 795 for_each_mesh_entry(tbl, node, i) {
796 mpath = node->mpath; 796 mpath = node->mpath;
797 if (rcu_dereference(mpath->next_hop) == sta) { 797 if (rcu_access_pointer(mpath->next_hop) == sta) {
798 spin_lock(&tbl->hashwlock[i]); 798 spin_lock(&tbl->hashwlock[i]);
799 __mesh_path_del(tbl, node); 799 __mesh_path_del(tbl, node);
800 spin_unlock(&tbl->hashwlock[i]); 800 spin_unlock(&tbl->hashwlock[i]);
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index c47194d27149..b488e1859b18 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -431,14 +431,12 @@ __mesh_sta_info_alloc(struct ieee80211_sub_if_data *sdata, u8 *hw_addr)
431 return NULL; 431 return NULL;
432 432
433 sta->plink_state = NL80211_PLINK_LISTEN; 433 sta->plink_state = NL80211_PLINK_LISTEN;
434 sta->sta.wme = true;
434 435
435 sta_info_pre_move_state(sta, IEEE80211_STA_AUTH); 436 sta_info_pre_move_state(sta, IEEE80211_STA_AUTH);
436 sta_info_pre_move_state(sta, IEEE80211_STA_ASSOC); 437 sta_info_pre_move_state(sta, IEEE80211_STA_ASSOC);
437 sta_info_pre_move_state(sta, IEEE80211_STA_AUTHORIZED); 438 sta_info_pre_move_state(sta, IEEE80211_STA_AUTHORIZED);
438 439
439 set_sta_flag(sta, WLAN_STA_WME);
440 sta->sta.wme = true;
441
442 return sta; 440 return sta;
443} 441}
444 442
@@ -1004,7 +1002,6 @@ mesh_process_plink_frame(struct ieee80211_sub_if_data *sdata,
1004 enum ieee80211_self_protected_actioncode ftype; 1002 enum ieee80211_self_protected_actioncode ftype;
1005 u32 changed = 0; 1003 u32 changed = 0;
1006 u8 ie_len = elems->peering_len; 1004 u8 ie_len = elems->peering_len;
1007 __le16 _plid, _llid;
1008 u16 plid, llid = 0; 1005 u16 plid, llid = 0;
1009 1006
1010 if (!elems->peering) { 1007 if (!elems->peering) {
@@ -1039,13 +1036,10 @@ mesh_process_plink_frame(struct ieee80211_sub_if_data *sdata,
1039 /* Note the lines below are correct, the llid in the frame is the plid 1036 /* Note the lines below are correct, the llid in the frame is the plid
1040 * from the point of view of this host. 1037 * from the point of view of this host.
1041 */ 1038 */
1042 memcpy(&_plid, PLINK_GET_LLID(elems->peering), sizeof(__le16)); 1039 plid = get_unaligned_le16(PLINK_GET_LLID(elems->peering));
1043 plid = le16_to_cpu(_plid);
1044 if (ftype == WLAN_SP_MESH_PEERING_CONFIRM || 1040 if (ftype == WLAN_SP_MESH_PEERING_CONFIRM ||
1045 (ftype == WLAN_SP_MESH_PEERING_CLOSE && ie_len == 8)) { 1041 (ftype == WLAN_SP_MESH_PEERING_CLOSE && ie_len == 8))
1046 memcpy(&_llid, PLINK_GET_PLID(elems->peering), sizeof(__le16)); 1042 llid = get_unaligned_le16(PLINK_GET_PLID(elems->peering));
1047 llid = le16_to_cpu(_llid);
1048 }
1049 1043
1050 /* WARNING: Only for sta pointer, is dropped & re-acquired */ 1044 /* WARNING: Only for sta pointer, is dropped & re-acquired */
1051 rcu_read_lock(); 1045 rcu_read_lock();
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index b82a12a9f0f1..8a73de6a5f5b 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -149,6 +149,7 @@ static u32
149ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, 149ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
150 struct ieee80211_supported_band *sband, 150 struct ieee80211_supported_band *sband,
151 struct ieee80211_channel *channel, 151 struct ieee80211_channel *channel,
152 const struct ieee80211_ht_cap *ht_cap,
152 const struct ieee80211_ht_operation *ht_oper, 153 const struct ieee80211_ht_operation *ht_oper,
153 const struct ieee80211_vht_operation *vht_oper, 154 const struct ieee80211_vht_operation *vht_oper,
154 struct cfg80211_chan_def *chandef, bool tracking) 155 struct cfg80211_chan_def *chandef, bool tracking)
@@ -162,13 +163,19 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
162 chandef->center_freq1 = channel->center_freq; 163 chandef->center_freq1 = channel->center_freq;
163 chandef->center_freq2 = 0; 164 chandef->center_freq2 = 0;
164 165
165 if (!ht_oper || !sband->ht_cap.ht_supported) { 166 if (!ht_cap || !ht_oper || !sband->ht_cap.ht_supported) {
166 ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT; 167 ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
167 goto out; 168 goto out;
168 } 169 }
169 170
170 chandef->width = NL80211_CHAN_WIDTH_20; 171 chandef->width = NL80211_CHAN_WIDTH_20;
171 172
173 if (!(ht_cap->cap_info &
174 cpu_to_le16(IEEE80211_HT_CAP_SUP_WIDTH_20_40))) {
175 ret = IEEE80211_STA_DISABLE_40MHZ | IEEE80211_STA_DISABLE_VHT;
176 goto out;
177 }
178
172 ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan, 179 ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
173 channel->band); 180 channel->band);
174 /* check that channel matches the right operating channel */ 181 /* check that channel matches the right operating channel */
@@ -328,6 +335,7 @@ out:
328 335
329static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata, 336static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
330 struct sta_info *sta, 337 struct sta_info *sta,
338 const struct ieee80211_ht_cap *ht_cap,
331 const struct ieee80211_ht_operation *ht_oper, 339 const struct ieee80211_ht_operation *ht_oper,
332 const struct ieee80211_vht_operation *vht_oper, 340 const struct ieee80211_vht_operation *vht_oper,
333 const u8 *bssid, u32 *changed) 341 const u8 *bssid, u32 *changed)
@@ -367,8 +375,9 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
367 sband = local->hw.wiphy->bands[chan->band]; 375 sband = local->hw.wiphy->bands[chan->band];
368 376
369 /* calculate new channel (type) based on HT/VHT operation IEs */ 377 /* calculate new channel (type) based on HT/VHT operation IEs */
370 flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper, 378 flags = ieee80211_determine_chantype(sdata, sband, chan,
371 vht_oper, &chandef, true); 379 ht_cap, ht_oper, vht_oper,
380 &chandef, true);
372 381
373 /* 382 /*
374 * Downgrade the new channel if we associated with restricted 383 * Downgrade the new channel if we associated with restricted
@@ -2677,8 +2686,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
2677 if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) 2686 if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED)
2678 set_sta_flag(sta, WLAN_STA_MFP); 2687 set_sta_flag(sta, WLAN_STA_MFP);
2679 2688
2680 if (elems.wmm_param) 2689 sta->sta.wme = elems.wmm_param;
2681 set_sta_flag(sta, WLAN_STA_WME);
2682 2690
2683 err = sta_info_move_state(sta, IEEE80211_STA_ASSOC); 2691 err = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
2684 if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT)) 2692 if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
@@ -3174,7 +3182,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
3174 mutex_lock(&local->sta_mtx); 3182 mutex_lock(&local->sta_mtx);
3175 sta = sta_info_get(sdata, bssid); 3183 sta = sta_info_get(sdata, bssid);
3176 3184
3177 if (ieee80211_config_bw(sdata, sta, elems.ht_operation, 3185 if (ieee80211_config_bw(sdata, sta,
3186 elems.ht_cap_elem, elems.ht_operation,
3178 elems.vht_operation, bssid, &changed)) { 3187 elems.vht_operation, bssid, &changed)) {
3179 mutex_unlock(&local->sta_mtx); 3188 mutex_unlock(&local->sta_mtx);
3180 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, 3189 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
@@ -3808,6 +3817,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
3808{ 3817{
3809 struct ieee80211_local *local = sdata->local; 3818 struct ieee80211_local *local = sdata->local;
3810 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 3819 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3820 const struct ieee80211_ht_cap *ht_cap = NULL;
3811 const struct ieee80211_ht_operation *ht_oper = NULL; 3821 const struct ieee80211_ht_operation *ht_oper = NULL;
3812 const struct ieee80211_vht_operation *vht_oper = NULL; 3822 const struct ieee80211_vht_operation *vht_oper = NULL;
3813 struct ieee80211_supported_band *sband; 3823 struct ieee80211_supported_band *sband;
@@ -3824,14 +3834,17 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
3824 3834
3825 if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) && 3835 if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
3826 sband->ht_cap.ht_supported) { 3836 sband->ht_cap.ht_supported) {
3827 const u8 *ht_oper_ie, *ht_cap; 3837 const u8 *ht_oper_ie, *ht_cap_ie;
3828 3838
3829 ht_oper_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_OPERATION); 3839 ht_oper_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_OPERATION);
3830 if (ht_oper_ie && ht_oper_ie[1] >= sizeof(*ht_oper)) 3840 if (ht_oper_ie && ht_oper_ie[1] >= sizeof(*ht_oper))
3831 ht_oper = (void *)(ht_oper_ie + 2); 3841 ht_oper = (void *)(ht_oper_ie + 2);
3832 3842
3833 ht_cap = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_CAPABILITY); 3843 ht_cap_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_CAPABILITY);
3834 if (!ht_cap || ht_cap[1] < sizeof(struct ieee80211_ht_cap)) { 3844 if (ht_cap_ie && ht_cap_ie[1] >= sizeof(*ht_cap))
3845 ht_cap = (void *)(ht_cap_ie + 2);
3846
3847 if (!ht_cap) {
3835 ifmgd->flags |= IEEE80211_STA_DISABLE_HT; 3848 ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
3836 ht_oper = NULL; 3849 ht_oper = NULL;
3837 } 3850 }
@@ -3862,7 +3875,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
3862 3875
3863 ifmgd->flags |= ieee80211_determine_chantype(sdata, sband, 3876 ifmgd->flags |= ieee80211_determine_chantype(sdata, sband,
3864 cbss->channel, 3877 cbss->channel,
3865 ht_oper, vht_oper, 3878 ht_cap, ht_oper, vht_oper,
3866 &chandef, false); 3879 &chandef, false);
3867 3880
3868 sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss), 3881 sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss),
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bd2c9b22c945..a8d862f9183c 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2725,7 +2725,7 @@ ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
2725 sig = status->signal; 2725 sig = status->signal;
2726 2726
2727 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig, 2727 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
2728 rx->skb->data, rx->skb->len, 0, GFP_ATOMIC)) { 2728 rx->skb->data, rx->skb->len, 0)) {
2729 if (rx->sta) 2729 if (rx->sta)
2730 rx->sta->rx_packets++; 2730 rx->sta->rx_packets++;
2731 dev_kfree_skb(rx->skb); 2731 dev_kfree_skb(rx->skb);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index a0a938145dcc..a9bb6eb8c3e0 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -1094,7 +1094,7 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
1094 if (rcu_access_pointer(local->sched_scan_sdata)) { 1094 if (rcu_access_pointer(local->sched_scan_sdata)) {
1095 ret = drv_sched_scan_stop(local, sdata); 1095 ret = drv_sched_scan_stop(local, sdata);
1096 if (!ret) 1096 if (!ret)
1097 rcu_assign_pointer(local->sched_scan_sdata, NULL); 1097 RCU_INIT_POINTER(local->sched_scan_sdata, NULL);
1098 } 1098 }
1099out: 1099out:
1100 mutex_unlock(&local->mtx); 1100 mutex_unlock(&local->mtx);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 441875f03750..730030542024 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1182,7 +1182,7 @@ static void ieee80211_send_null_response(struct ieee80211_sub_if_data *sdata,
1182 struct sk_buff *skb; 1182 struct sk_buff *skb;
1183 int size = sizeof(*nullfunc); 1183 int size = sizeof(*nullfunc);
1184 __le16 fc; 1184 __le16 fc;
1185 bool qos = test_sta_flag(sta, WLAN_STA_WME); 1185 bool qos = sta->sta.wme;
1186 struct ieee80211_tx_info *info; 1186 struct ieee80211_tx_info *info;
1187 struct ieee80211_chanctx_conf *chanctx_conf; 1187 struct ieee80211_chanctx_conf *chanctx_conf;
1188 1188
@@ -1837,7 +1837,7 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
1837 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_AUTHORIZED); 1837 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_AUTHORIZED);
1838 if (test_sta_flag(sta, WLAN_STA_SHORT_PREAMBLE)) 1838 if (test_sta_flag(sta, WLAN_STA_SHORT_PREAMBLE))
1839 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_SHORT_PREAMBLE); 1839 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_SHORT_PREAMBLE);
1840 if (test_sta_flag(sta, WLAN_STA_WME)) 1840 if (sta->sta.wme)
1841 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_WME); 1841 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_WME);
1842 if (test_sta_flag(sta, WLAN_STA_MFP)) 1842 if (test_sta_flag(sta, WLAN_STA_MFP))
1843 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_MFP); 1843 sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_MFP);
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index d411bcc8ef08..89c40d5c0633 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -31,7 +31,6 @@
31 * when virtual port control is not in use. 31 * when virtual port control is not in use.
32 * @WLAN_STA_SHORT_PREAMBLE: Station is capable of receiving short-preamble 32 * @WLAN_STA_SHORT_PREAMBLE: Station is capable of receiving short-preamble
33 * frames. 33 * frames.
34 * @WLAN_STA_WME: Station is a QoS-STA.
35 * @WLAN_STA_WDS: Station is one of our WDS peers. 34 * @WLAN_STA_WDS: Station is one of our WDS peers.
36 * @WLAN_STA_CLEAR_PS_FILT: Clear PS filter in hardware (using the 35 * @WLAN_STA_CLEAR_PS_FILT: Clear PS filter in hardware (using the
37 * IEEE80211_TX_CTL_CLEAR_PS_FILT control flag) when the next 36 * IEEE80211_TX_CTL_CLEAR_PS_FILT control flag) when the next
@@ -69,7 +68,6 @@ enum ieee80211_sta_info_flags {
69 WLAN_STA_PS_STA, 68 WLAN_STA_PS_STA,
70 WLAN_STA_AUTHORIZED, 69 WLAN_STA_AUTHORIZED,
71 WLAN_STA_SHORT_PREAMBLE, 70 WLAN_STA_SHORT_PREAMBLE,
72 WLAN_STA_WME,
73 WLAN_STA_WDS, 71 WLAN_STA_WDS,
74 WLAN_STA_CLEAR_PS_FILT, 72 WLAN_STA_CLEAR_PS_FILT,
75 WLAN_STA_MFP, 73 WLAN_STA_MFP,
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 1b21050be174..f2cb3b6c1871 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -316,8 +316,7 @@ ieee80211_tdls_add_setup_cfm_ies(struct ieee80211_sub_if_data *sdata,
316 } 316 }
317 317
318 /* add the QoS param IE if both the peer and we support it */ 318 /* add the QoS param IE if both the peer and we support it */
319 if (local->hw.queues >= IEEE80211_NUM_ACS && 319 if (local->hw.queues >= IEEE80211_NUM_ACS && sta->sta.wme)
320 test_sta_flag(sta, WLAN_STA_WME))
321 ieee80211_tdls_add_wmm_param_ie(sdata, skb); 320 ieee80211_tdls_add_wmm_param_ie(sdata, skb);
322 321
323 /* add any custom IEs that go before HT operation */ 322 /* add any custom IEs that go before HT operation */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 464106c023d8..925c39f4099e 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1478,7 +1478,10 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
1478 tail_need = max_t(int, tail_need, 0); 1478 tail_need = max_t(int, tail_need, 0);
1479 } 1479 }
1480 1480
1481 if (skb_cloned(skb)) 1481 if (skb_cloned(skb) &&
1482 (!(local->hw.flags & IEEE80211_HW_SUPPORTS_CLONED_SKBS) ||
1483 !skb_clone_writable(skb, ETH_HLEN) ||
1484 sdata->crypto_tx_tailroom_needed_cnt))
1482 I802_DEBUG_INC(local->tx_expand_skb_head_cloned); 1485 I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
1483 else if (head_need || tail_need) 1486 else if (head_need || tail_need)
1484 I802_DEBUG_INC(local->tx_expand_skb_head); 1487 I802_DEBUG_INC(local->tx_expand_skb_head);
@@ -1844,7 +1847,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1844 memcpy(hdr.addr4, skb->data + ETH_ALEN, ETH_ALEN); 1847 memcpy(hdr.addr4, skb->data + ETH_ALEN, ETH_ALEN);
1845 hdrlen = 30; 1848 hdrlen = 30;
1846 authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED); 1849 authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
1847 wme_sta = test_sta_flag(sta, WLAN_STA_WME); 1850 wme_sta = sta->sta.wme;
1848 } 1851 }
1849 ap_sdata = container_of(sdata->bss, struct ieee80211_sub_if_data, 1852 ap_sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
1850 u.ap); 1853 u.ap);
@@ -1957,7 +1960,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1957 if (sta) { 1960 if (sta) {
1958 authorized = test_sta_flag(sta, 1961 authorized = test_sta_flag(sta,
1959 WLAN_STA_AUTHORIZED); 1962 WLAN_STA_AUTHORIZED);
1960 wme_sta = test_sta_flag(sta, WLAN_STA_WME); 1963 wme_sta = sta->sta.wme;
1961 tdls_peer = test_sta_flag(sta, 1964 tdls_peer = test_sta_flag(sta,
1962 WLAN_STA_TDLS_PEER); 1965 WLAN_STA_TDLS_PEER);
1963 tdls_auth = test_sta_flag(sta, 1966 tdls_auth = test_sta_flag(sta,
@@ -2035,7 +2038,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
2035 sta = sta_info_get(sdata, hdr.addr1); 2038 sta = sta_info_get(sdata, hdr.addr1);
2036 if (sta) { 2039 if (sta) {
2037 authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED); 2040 authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
2038 wme_sta = test_sta_flag(sta, WLAN_STA_WME); 2041 wme_sta = sta->sta.wme;
2039 } 2042 }
2040 } 2043 }
2041 2044
diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c
index d51422c778de..6459946f0b74 100644
--- a/net/mac80211/wme.c
+++ b/net/mac80211/wme.c
@@ -118,7 +118,7 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
118 case NL80211_IFTYPE_AP_VLAN: 118 case NL80211_IFTYPE_AP_VLAN:
119 sta = rcu_dereference(sdata->u.vlan.sta); 119 sta = rcu_dereference(sdata->u.vlan.sta);
120 if (sta) { 120 if (sta) {
121 qos = test_sta_flag(sta, WLAN_STA_WME); 121 qos = sta->sta.wme;
122 break; 122 break;
123 } 123 }
124 case NL80211_IFTYPE_AP: 124 case NL80211_IFTYPE_AP:
@@ -145,7 +145,7 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
145 if (!sta && ra && !is_multicast_ether_addr(ra)) { 145 if (!sta && ra && !is_multicast_ether_addr(ra)) {
146 sta = sta_info_get(sdata, ra); 146 sta = sta_info_get(sdata, ra);
147 if (sta) 147 if (sta)
148 qos = test_sta_flag(sta, WLAN_STA_WME); 148 qos = sta->sta.wme;
149 } 149 }
150 rcu_read_unlock(); 150 rcu_read_unlock();
151 151
diff --git a/net/mac802154/rx.c b/net/mac802154/rx.c
index 7f820a108a9c..a14cf9ede171 100644
--- a/net/mac802154/rx.c
+++ b/net/mac802154/rx.c
@@ -86,9 +86,8 @@ fail:
86static void mac802154_rx_worker(struct work_struct *work) 86static void mac802154_rx_worker(struct work_struct *work)
87{ 87{
88 struct rx_work *rw = container_of(work, struct rx_work, work); 88 struct rx_work *rw = container_of(work, struct rx_work, work);
89 struct sk_buff *skb = rw->skb;
90 89
91 mac802154_subif_rx(rw->dev, skb, rw->lqi); 90 mac802154_subif_rx(rw->dev, rw->skb, rw->lqi);
92 kfree(rw); 91 kfree(rw);
93} 92}
94 93
@@ -101,7 +100,7 @@ ieee802154_rx_irqsafe(struct ieee802154_dev *dev, struct sk_buff *skb, u8 lqi)
101 if (!skb) 100 if (!skb)
102 return; 101 return;
103 102
104 work = kzalloc(sizeof(struct rx_work), GFP_ATOMIC); 103 work = kzalloc(sizeof(*work), GFP_ATOMIC);
105 if (!work) 104 if (!work)
106 return; 105 return;
107 106
diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
index 8124353646ae..fdf4c0e67259 100644
--- a/net/mac802154/tx.c
+++ b/net/mac802154/tx.c
@@ -89,8 +89,7 @@ netdev_tx_t mac802154_tx(struct mac802154_priv *priv, struct sk_buff *skb,
89 89
90 if (!(priv->phy->channels_supported[page] & (1 << chan))) { 90 if (!(priv->phy->channels_supported[page] & (1 << chan))) {
91 WARN_ON(1); 91 WARN_ON(1);
92 kfree_skb(skb); 92 goto err_tx;
93 return NETDEV_TX_OK;
94 } 93 }
95 94
96 mac802154_monitors_rx(mac802154_to_priv(&priv->hw), skb); 95 mac802154_monitors_rx(mac802154_to_priv(&priv->hw), skb);
@@ -103,12 +102,10 @@ netdev_tx_t mac802154_tx(struct mac802154_priv *priv, struct sk_buff *skb,
103 data[1] = crc >> 8; 102 data[1] = crc >> 8;
104 } 103 }
105 104
106 if (skb_cow_head(skb, priv->hw.extra_tx_headroom)) { 105 if (skb_cow_head(skb, priv->hw.extra_tx_headroom))
107 kfree_skb(skb); 106 goto err_tx;
108 return NETDEV_TX_OK;
109 }
110 107
111 work = kzalloc(sizeof(struct xmit_work), GFP_ATOMIC); 108 work = kzalloc(sizeof(*work), GFP_ATOMIC);
112 if (!work) { 109 if (!work) {
113 kfree_skb(skb); 110 kfree_skb(skb);
114 return NETDEV_TX_BUSY; 111 return NETDEV_TX_BUSY;
@@ -129,4 +126,8 @@ netdev_tx_t mac802154_tx(struct mac802154_priv *priv, struct sk_buff *skb,
129 queue_work(priv->dev_workqueue, &work->work); 126 queue_work(priv->dev_workqueue, &work->work);
130 127
131 return NETDEV_TX_OK; 128 return NETDEV_TX_OK;
129
130err_tx:
131 kfree_skb(skb);
132 return NETDEV_TX_OK;
132} 133}
diff --git a/net/mac802154/wpan.c b/net/mac802154/wpan.c
index 547838822d5e..b7961129ce4d 100644
--- a/net/mac802154/wpan.c
+++ b/net/mac802154/wpan.c
@@ -475,8 +475,7 @@ mac802154_subif_frame(struct mac802154_sub_if_data *sdata, struct sk_buff *skb,
475 rc = mac802154_llsec_decrypt(&sdata->sec, skb); 475 rc = mac802154_llsec_decrypt(&sdata->sec, skb);
476 if (rc) { 476 if (rc) {
477 pr_debug("decryption failed: %i\n", rc); 477 pr_debug("decryption failed: %i\n", rc);
478 kfree_skb(skb); 478 goto fail;
479 return NET_RX_DROP;
480 } 479 }
481 480
482 sdata->dev->stats.rx_packets++; 481 sdata->dev->stats.rx_packets++;
@@ -488,9 +487,12 @@ mac802154_subif_frame(struct mac802154_sub_if_data *sdata, struct sk_buff *skb,
488 default: 487 default:
489 pr_warn("ieee802154: bad frame received (type = %d)\n", 488 pr_warn("ieee802154: bad frame received (type = %d)\n",
490 mac_cb(skb)->type); 489 mac_cb(skb)->type);
491 kfree_skb(skb); 490 goto fail;
492 return NET_RX_DROP;
493 } 491 }
492
493fail:
494 kfree_skb(skb);
495 return NET_RX_DROP;
494} 496}
495 497
496static void mac802154_print_addr(const char *name, 498static void mac802154_print_addr(const char *name,
diff --git a/net/wireless/core.c b/net/wireless/core.c
index afee5e0455ea..c6620aa679e0 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -492,12 +492,6 @@ int wiphy_register(struct wiphy *wiphy)
492 int i; 492 int i;
493 u16 ifmodes = wiphy->interface_modes; 493 u16 ifmodes = wiphy->interface_modes;
494 494
495 /*
496 * There are major locking problems in nl80211/mac80211 for CSA,
497 * disable for all drivers until this has been reworked.
498 */
499 wiphy->flags &= ~WIPHY_FLAG_HAS_CHANNEL_SWITCH;
500
501#ifdef CONFIG_PM 495#ifdef CONFIG_PM
502 if (WARN_ON(wiphy->wowlan && 496 if (WARN_ON(wiphy->wowlan &&
503 (wiphy->wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) && 497 (wiphy->wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
@@ -635,6 +629,9 @@ int wiphy_register(struct wiphy *wiphy)
635 if (IS_ERR(rdev->wiphy.debugfsdir)) 629 if (IS_ERR(rdev->wiphy.debugfsdir))
636 rdev->wiphy.debugfsdir = NULL; 630 rdev->wiphy.debugfsdir = NULL;
637 631
632 cfg80211_debugfs_rdev_add(rdev);
633 nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
634
638 if (wiphy->regulatory_flags & REGULATORY_CUSTOM_REG) { 635 if (wiphy->regulatory_flags & REGULATORY_CUSTOM_REG) {
639 struct regulatory_request request; 636 struct regulatory_request request;
640 637
@@ -646,8 +643,6 @@ int wiphy_register(struct wiphy *wiphy)
646 nl80211_send_reg_change_event(&request); 643 nl80211_send_reg_change_event(&request);
647 } 644 }
648 645
649 cfg80211_debugfs_rdev_add(rdev);
650
651 rdev->wiphy.registered = true; 646 rdev->wiphy.registered = true;
652 rtnl_unlock(); 647 rtnl_unlock();
653 648
@@ -659,8 +654,6 @@ int wiphy_register(struct wiphy *wiphy)
659 return res; 654 return res;
660 } 655 }
661 656
662 nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
663
664 return 0; 657 return 0;
665} 658}
666EXPORT_SYMBOL(wiphy_register); 659EXPORT_SYMBOL(wiphy_register);
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 266766b8d80b..369fc334fdad 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -605,7 +605,7 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
605} 605}
606 606
607bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm, 607bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm,
608 const u8 *buf, size_t len, u32 flags, gfp_t gfp) 608 const u8 *buf, size_t len, u32 flags)
609{ 609{
610 struct wiphy *wiphy = wdev->wiphy; 610 struct wiphy *wiphy = wdev->wiphy;
611 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 611 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
@@ -648,7 +648,7 @@ bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm,
648 /* Indicate the received Action frame to user space */ 648 /* Indicate the received Action frame to user space */
649 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, 649 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid,
650 freq, sig_mbm, 650 freq, sig_mbm,
651 buf, len, flags, gfp)) 651 buf, len, flags, GFP_ATOMIC))
652 continue; 652 continue;
653 653
654 result = true; 654 result = true;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index df7b1332a1ec..3011401f52c0 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6033,7 +6033,6 @@ static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6033 const struct cfg80211_bss_ies *ies; 6033 const struct cfg80211_bss_ies *ies;
6034 void *hdr; 6034 void *hdr;
6035 struct nlattr *bss; 6035 struct nlattr *bss;
6036 bool tsf = false;
6037 6036
6038 ASSERT_WDEV_LOCK(wdev); 6037 ASSERT_WDEV_LOCK(wdev);
6039 6038
@@ -6060,18 +6059,27 @@ static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
6060 goto nla_put_failure; 6059 goto nla_put_failure;
6061 6060
6062 rcu_read_lock(); 6061 rcu_read_lock();
6062 /* indicate whether we have probe response data or not */
6063 if (rcu_access_pointer(res->proberesp_ies) &&
6064 nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
6065 goto fail_unlock_rcu;
6066
6067 /* this pointer prefers to be pointed to probe response data
6068 * but is always valid
6069 */
6063 ies = rcu_dereference(res->ies); 6070 ies = rcu_dereference(res->ies);
6064 if (ies) { 6071 if (ies) {
6065 if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf)) 6072 if (nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf))
6066 goto fail_unlock_rcu; 6073 goto fail_unlock_rcu;
6067 tsf = true;
6068 if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS, 6074 if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
6069 ies->len, ies->data)) 6075 ies->len, ies->data))
6070 goto fail_unlock_rcu; 6076 goto fail_unlock_rcu;
6071 } 6077 }
6078
6079 /* and this pointer is always (unless driver didn't know) beacon data */
6072 ies = rcu_dereference(res->beacon_ies); 6080 ies = rcu_dereference(res->beacon_ies);
6073 if (ies) { 6081 if (ies && ies->from_beacon) {
6074 if (!tsf && nla_put_u64(msg, NL80211_BSS_TSF, ies->tsf)) 6082 if (nla_put_u64(msg, NL80211_BSS_BEACON_TSF, ies->tsf))
6075 goto fail_unlock_rcu; 6083 goto fail_unlock_rcu;
6076 if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES, 6084 if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
6077 ies->len, ies->data)) 6085 ies->len, ies->data))
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0798c62e6085..620a4b40d466 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -884,6 +884,7 @@ struct cfg80211_bss*
884cfg80211_inform_bss_width(struct wiphy *wiphy, 884cfg80211_inform_bss_width(struct wiphy *wiphy,
885 struct ieee80211_channel *rx_channel, 885 struct ieee80211_channel *rx_channel,
886 enum nl80211_bss_scan_width scan_width, 886 enum nl80211_bss_scan_width scan_width,
887 enum cfg80211_bss_frame_type ftype,
887 const u8 *bssid, u64 tsf, u16 capability, 888 const u8 *bssid, u64 tsf, u16 capability,
888 u16 beacon_interval, const u8 *ie, size_t ielen, 889 u16 beacon_interval, const u8 *ie, size_t ielen,
889 s32 signal, gfp_t gfp) 890 s32 signal, gfp_t gfp)
@@ -911,21 +912,32 @@ cfg80211_inform_bss_width(struct wiphy *wiphy,
911 tmp.pub.beacon_interval = beacon_interval; 912 tmp.pub.beacon_interval = beacon_interval;
912 tmp.pub.capability = capability; 913 tmp.pub.capability = capability;
913 /* 914 /*
914 * Since we do not know here whether the IEs are from a Beacon or Probe 915 * If we do not know here whether the IEs are from a Beacon or Probe
915 * Response frame, we need to pick one of the options and only use it 916 * Response frame, we need to pick one of the options and only use it
916 * with the driver that does not provide the full Beacon/Probe Response 917 * with the driver that does not provide the full Beacon/Probe Response
917 * frame. Use Beacon frame pointer to avoid indicating that this should 918 * frame. Use Beacon frame pointer to avoid indicating that this should
918 * override the IEs pointer should we have received an earlier 919 * override the IEs pointer should we have received an earlier
919 * indication of Probe Response data. 920 * indication of Probe Response data.
920 */ 921 */
921 ies = kmalloc(sizeof(*ies) + ielen, gfp); 922 ies = kzalloc(sizeof(*ies) + ielen, gfp);
922 if (!ies) 923 if (!ies)
923 return NULL; 924 return NULL;
924 ies->len = ielen; 925 ies->len = ielen;
925 ies->tsf = tsf; 926 ies->tsf = tsf;
927 ies->from_beacon = false;
926 memcpy(ies->data, ie, ielen); 928 memcpy(ies->data, ie, ielen);
927 929
928 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 930 switch (ftype) {
931 case CFG80211_BSS_FTYPE_BEACON:
932 ies->from_beacon = true;
933 /* fall through to assign */
934 case CFG80211_BSS_FTYPE_UNKNOWN:
935 rcu_assign_pointer(tmp.pub.beacon_ies, ies);
936 break;
937 case CFG80211_BSS_FTYPE_PRESP:
938 rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
939 break;
940 }
929 rcu_assign_pointer(tmp.pub.ies, ies); 941 rcu_assign_pointer(tmp.pub.ies, ies);
930 942
931 signal_valid = abs(rx_channel->center_freq - channel->center_freq) <= 943 signal_valid = abs(rx_channel->center_freq - channel->center_freq) <=
@@ -982,11 +994,12 @@ cfg80211_inform_bss_width_frame(struct wiphy *wiphy,
982 if (!channel) 994 if (!channel)
983 return NULL; 995 return NULL;
984 996
985 ies = kmalloc(sizeof(*ies) + ielen, gfp); 997 ies = kzalloc(sizeof(*ies) + ielen, gfp);
986 if (!ies) 998 if (!ies)
987 return NULL; 999 return NULL;
988 ies->len = ielen; 1000 ies->len = ielen;
989 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 1001 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
1002 ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control);
990 memcpy(ies->data, mgmt->u.probe_resp.variable, ielen); 1003 memcpy(ies->data, mgmt->u.probe_resp.variable, ielen);
991 1004
992 if (ieee80211_is_probe_resp(mgmt->frame_control)) 1005 if (ieee80211_is_probe_resp(mgmt->frame_control))
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-25 13:52:36 -0400